-----

#### Before that I was a cracker in the European Amiga «underground scene» and

-----

#### The lack of the MS14-068 patch is key to understanding how deep and how hard

-----

#### In seven cases the exploit, despite detonating successfully, was not able to start the

-----

[Diagram: infection chain. Vector + First Dropper (Coreshell) → First C&C HTTP POST message → Second Stage backdoor download (EVILTOSS) → Streams to external C2 or Dropzone. EVILTOSS can download the CHOPSTICK trojan from C&C; CHOPSTICK allows the attacker to extend control of the target; complete control over the target system.]

-----

[Diagram: attempts to access C2 from Base.]

###### The repeated attempts to communicate externally from infected machines were blocked

-----

#### One lesson I learned from SharePoint… it has a horrible log format.

-----

[Network diagram: Victim 1 and Victim 2 (still under control), C2s, Base hosts, Public WAN; sites: Washington, Moscow, Addis Ababa, Kiev.]

-----

#### The victims have direct access to the abovementioned AD servers because they use

-----

#### execution in UserMode with the privileges of the System process.

-----

#RSAC

## The Incident

-----

## Patient Zero

###### What's on the Customer's "Patient Zero" machine?

#### The forensic analysis of the «Patient Zero» identified by the Customer showed the following suspicious files and registry modifications, but no attempt to expand the focus of the investigation was made.
#### EVILTOSS backdoor

|Registry Keys and Values|Created|Modified|
|---|---|---|
|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDll = C:\Windows\System32\netids.dll|Yes|No|
|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDllUnloadOnStop = 1|Yes|No|
|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\ntsvcs = Network Identification Service|Yes|No|
|HKEY_LOCAL_MACHINE\software\microsoft\windowsNT\currentversion\svchost\ntsvcs\CoInitializeSecurityParam ➝ 1|Yes|No|

-----

#### Looking at the logs, they discovered the presence of repeated accesses from

-----

## The Methodology

-----

#### It involves the aggregation of IoCs and their classification to create a "Knowledge Base" of attacks, tools and strategies that could be "reused" in subsequent

-----

[Diagram: methodology. Malware visibility: network, system and log indicators; classification and attribution. Incident surface: system visibility; triage planned from a tailored set of strategic actions.]

-----

_The initial investigation had been limited to MD5 searches on domain machines._

-----

- Successful communication recorded after expulsion/triage…
- Communication proactively recorded to monitor the occurrence of other malicious attacks.

-----

- IOCs at Network, System and Log level for different platforms and systems.
- Improved the triage strategy by moving from «seek & destroy» to a more strategic approach.
- Refocused the malware analysis on all identified samples to identify Actionable IOCs.

-----

## Attacker Tools

-----

#### : This is a modular implant compiled from a software framework that

#### : Every one of us knows this tool. In this case, this has been of

-----

## APT 28 Tools

###### EVILTOSS IOCs

#### At system level the malware modifies the Registry in order to ensure persistence.
#### It is dropped and executed, usually, from one of these folders:

|Registry Keys and Values|Created|Modified|
|---|---|---|
|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDll = %EVILTOSS folder%.dll|Yes|No|
|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDllUnloadOnStop = 1|Yes|No|
|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\ntsvcs = Network Identification Service|Yes|No|
|HKEY_LOCAL_MACHINE\software\microsoft\windowsNT\currentversion\svchost\ntsvcs\CoInitializeSecurityParam ➝ 1|Yes|No|

-----

[Screenshot: C2 ack for exfil.]

-----

#### The CHOPSTICK main executable creates a "mailslot" on Windows machines and acts as the mailslot server, while its code injected into other processes acts as a client.

#### The RC4 encryption used here also uses a 50-byte static key plus a four-byte random

-----

```http
/open/?ags=bBz&ags=qVs5d0kGHtil&oprnd=6ZCuc7XQ&channel=gBDFmj_fJdNk9&itwm=HJxam7mDOyIBftJ6OwEQjGBzyjpQv HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
```

-----

## The attack strategy

###### IOC: C2 list

#### Thanks to our structured approach we have been able to identify the C2s used by the attacker and, with them, we have been able to enumerate infected hosts based on network communications.

##### Note: The attacker has used different infrastructures for managing infected hosts.
|URL|IP|Type|
|---|---|---|
|microsofthelpcenter.info|87.236.215.13|HTTP/HTTPS Main C2|
|driversupdate.info|46.19.138.66|HTTPS C2|
|1oo7.net|5.199.171.58|HTTPS C2|
|66.172.12.133|66.172.12.133|Coreshell C2|
|45.64.105.23|45.64.105.23|Coreshell C2|
|176.31.112.10|176.31.112.10|HTTPS C2|
|176.31.96.178|176.31.96.178|HTTPS C2|

-----

[Chart: Peak of attack distribution, Oct-14 to Sep-15, y axis 0 to 300 (series: APT28, Remediation). Annotations: First phase of initial attack: spearphishing; Patient Zero; Initial massive triage; First time our methodology was applied; Final triage managed by our Team; Last record of infected machine.]

-----

#### It could be extremely important to streamline the IR procedures by transforming IOCs into actionable IOCs, that is, to evaluate and define which IOCs can be reused and

#### It is important to drill and to give IR personnel the chance to learn how to build, use,

-----

###### Use IoCs as a key element to evaluate the attack surface.

###### capabilities updated

###### You should organize the triage in a strategic approach.

###### You should avoid relying only on technologies.

###### You should not approach IR operations in an unstructured way.

-----

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

-----
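The two IoC tables in this deck, the EVILTOSS registry persistence keys and the C2 list, put into working detection logic as one added Python example. This is not the presentation's or the presenters' tooling: it parses a registry export and proxy log lines, flags the svchost-hosted "Network Identification Service" / netids.dll persistence from the registry table, and enumerates the internal hosts that contacted any listed C2 domain or IP, which is the enumeration step the slide describes. The sample inputs are constructed; the proxy log column layout, the simplified .reg text (a real `reg export` hex-encodes REG_MULTI_SZ and REG_EXPAND_SZ values) and the function names (`parse_reg`, `registry_hits`, `c2_contacts`, `infected_hosts`) are all assumptions of this example.

```python
"""IoC matching at system and log level for the indicators in the two tables above.
Added example (not the presentation's or the presenters' tooling); sample inputs are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import urlsplit

# --- Indicators copied from the slides' tables ---------------------------------
IOC_SERVICE = "network identification service"   # service name in the EVILTOSS table
IOC_DLLS = {"netids.dll"}                          # ServiceDll found on Patient Zero
C2_INDEX: Dict[str, str] = {}                      # domain or IP -> C2 type
for dom, ip, kind in [
    ("microsofthelpcenter.info", "87.236.215.13", "HTTP/HTTPS Main C2"),
    ("driversupdate.info", "46.19.138.66", "HTTPS C2"),
    ("1oo7.net", "5.199.171.58", "HTTPS C2"),
    ("66.172.12.133", "66.172.12.133", "Coreshell C2"),
    ("45.64.105.23", "45.64.105.23", "Coreshell C2"),
    ("176.31.112.10", "176.31.112.10", "HTTPS C2"),
    ("176.31.96.178", "176.31.96.178", "HTTPS C2"),
]:
    C2_INDEX[dom] = C2_INDEX[ip] = kind

# --- Constructed sample inputs (assumptions, not data from the incident) -------
# Simplified .reg text: a real `reg export` encodes REG_MULTI_SZ/REG_EXPAND_SZ as hex(7)/hex(2).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp\Parameters]
"ServiceDll"="C:\\Windows\\System32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters]
"ServiceDll"="C:\\Windows\\System32\\netids.dll"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"ntsvcs"="Network Identification Service"
'''
# Proxy log columns (assumed layout): timestamp, client IP, method, URL, destination IP, status.
SAMPLE_LOG = """\
2015-01-12T10:22:31Z 10.1.2.33 POST http://microsofthelpcenter.info/open/?ags=bBz&oprnd=6ZCuc7XQ 87.236.215.13 200
2015-01-12T10:23:05Z 10.1.2.34 GET https://www.example.com/index.html 93.184.216.34 200
2015-01-12T10:25:17Z 10.1.2.35 CONNECT driversupdate.info:443 46.19.138.66 200
2015-01-12T10:26:40Z 10.1.2.33 GET http://66.172.12.133/open/?ags=q1 66.172.12.133 403
"""

# --- System level: EVILTOSS registry persistence --------------------------------
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}}; strings unescaped, DWORDs as decimal text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VAL_RE.match(line)) and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")
            elif val.lower().startswith("dword:"):
                val = str(int(val[6:], 16))
            keys[current][name] = val
    return keys

def registry_hits(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the svchost-hosted service (by name or DLL) and the svchost group entry from the table."""
    hits: List[str] = []
    for path, values in keys.items():
        parts = path.lower().split("\\")
        if len(parts) > 2 and parts[-1] == "parameters" and "ServiceDll" in values:
            svc, dll = parts[-2], values["ServiceDll"].rsplit("\\", 1)[-1].lower()
            if svc == IOC_SERVICE or dll in IOC_DLLS:
                hits.append(f"{path}: ServiceDll={values['ServiceDll']}")
        if parts[-1] == "svchost":
            for group, members in values.items():
                if IOC_SERVICE in members.lower():
                    hits.append(f"{path}: svchost group {group} hosts {members!r}")
    return hits

# --- Log level: C2 contacts -----------------------------------------------------
def host_of(url: str) -> str:
    """Hostname from an absolute URL, or from a CONNECT host:port target."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split(":", 1)[0].lower()

def c2_contacts(log: str) -> Dict[str, List[str]]:
    """Map each internal client to the C2 indicators it reached, matched by URL host or by destination IP."""
    found: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                                  # skip malformed lines
        _ts, client, _method, url, dst_ip, _status = fields
        host = host_of(url)
        ioc = host if host in C2_INDEX else dst_ip if dst_ip in C2_INDEX else None
        if ioc:
            found[client].append(f"{ioc} ({C2_INDEX[ioc]})")
    return dict(found)

def infected_hosts(log: str) -> Set[str]:
    """The enumeration step from the slide: every client with at least one C2 contact."""
    return set(c2_contacts(log))
```

Domains and IPs sit in one index because the deck notes that the attacker used different infrastructures for the same purpose, and because a CONNECT tunnel in a proxy log only exposes host:port while a blocked request (the 403 in the sample) still exposes the destination IP; either match is enough to put the client on the triage list, which is the "attempts to access C2 blocked" observation made earlier in the deck.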