``` APT3 Uncovered: The code evolution of Pirpi Your functions are showing (and leaving a trail) Micah Yates - @m1k4chu Palo Alto Networks ``` ----- ``` Your functions are showing ###### • Persistent Code Reuse • Finding The Trail • Pirpi.201x vs Operation Clandestine DoubleTap • Just give me all the Pirpi you have • EXEProxy ``` ----- ``` Persistent Code Reuse: function_1 ``` ----- ``` Persistent Code Reuse ###### • What is Pirpi? • Targeted malware delivered via 0-days • (CVE-2010-3962) • (CVE-2014-1776) • (CVE-2014-4113) • (CVE-2014-6332) • (CVE-2015-3113) • (CVE-2015-5119) • Appended to a valid gif • Obfuscated Command and Control • Compromised infrastructure ``` ----- ``` Finding a Trail ###### • Why are you doing this? • It’s fun • You don’t know what you don’t know • Pick 2 binaries by: • Family • Compile Times • File Size • % similarity (ssdeep) ``` ----- ``` It started out with a diff, how did it end up like this? ###### • Inspect Binaries w/ IDA Tools • Bindiff – Hex Rays • IDAScope – Plohmann/Hanel • Bindiff two known Pirpi samples • fb838cda6118a003b97ff3eb2edb7309 • e33804e3e15920021c5174982dd69890 ``` ----- ``` It was only a diff ``` ----- ``` It was only a diff ``` ----- ``` Aside: Putting the FUN in Function ``` ----- ``` Pirpi.201x vs Operation Clandestine DoubleTap ``` ----- ``` Pirpi.201x vs Operation Clandestine DoubleTap ``` ----- ``` Just give me all the Pirpi you have: function_1 Compile MD5 Beacon 2007 01 3f5d79b262472a12e3666118a7cdc2ca www.msnmessengerupdate.com/index31382/f2ae95b93i97.bmp 2008 01 6bdee405ed857320aa8c822ee5e559f2 www.msnmessengerupdate.com/image19582/7e7e7eb7fi7f.gif 2009 03 e22d02796cfb908aaf48e2e058a0890a www.office2008updates.com/dream/dream.php? 2009 10 1fa0813be4b9f23613204c94e74efc9d ini.msnmessengerupdate.net/smart/smartmain.php? 2010 01 914e9c4c54fa210ad6d7ed4f47ec285f ini.office2005updates.net/smart/smartmain.php? 2013 01 44bd652a09a991100d246d8280cac3ac 218.42.147.106/bussinesses/caetrwet/ 2014 04 b48e578f030a7b5bb93a3e9d6d1e2a83 product.sorgerealty.com 2016 04 f683cf9c2a2fdc27abff4897746342c4 ste.mullanclan.com ``` |Compile|MD5|Beacon| |---|---|---| |2007 01|3f5d79b262472a12e3666118a7cdc2ca|www.msnmessengerupdate.com/index31382/f2ae95b93i97.bmp| |2008 01|6bdee405ed857320aa8c822ee5e559f2|www.msnmessengerupdate.com/image19582/7e7e7eb7fi7f.gif| |2009 03|e22d02796cfb908aaf48e2e058a0890a|www.office2008updates.com/dream/dream.php?| |2009 10|1fa0813be4b9f23613204c94e74efc9d|ini.msnmessengerupdate.net/smart/smartmain.php?| |2010 01|914e9c4c54fa210ad6d7ed4f47ec285f|ini.office2005updates.net/smart/smartmain.php?| |2013 01|44bd652a09a991100d246d8280cac3ac|218.42.147.106/bussinesses/caetrwet/| |2014 04|b48e578f030a7b5bb93a3e9d6d1e2a83|product.sorgerealty.com| |2016 04|f683cf9c2a2fdc27abff4897746342c4|ste.mullanclan.com| ``` Compile MD5 2007 01 2008 01 2009 03 2009 10 2013 01 2014 04 2016 04 ``` ----- ``` Just give me all the Pirpi you have: function_1 ``` 100 90 80 70 60 50 40 30 20 10 0 **COMPILE YEAR AND MONTH** ----- ----- ``` function_1 - minor versions ``` 100 90 80 70 60 v6 50 v5 v4 40 v3 v2 30 v1 20 10 0 **COMPILE YEAR AND MONTH** ----- ``` function_1 - minor versionsfunction_1 - minor versions ``` ###### V1 - 2007 MD5: 98011f5b7b957a142f14cbda57a5ea82 ###### V2 - 2008 MD5: 272cb6c16e083ca143d40c63005753a2 ###### V3 – 2006 MD5: acd8d34d8360129df1c8d03f253ba747 ----- ``` function_1 - minor versions ``` ###### V5 - 2016 MD5: ###### V6 - 2017 ###### c006faaf9ad26a0bd3bbd597947da3e1 ###### V4 - 2014 MD5: ###### f683cf9c2a2fdc27abff4897746342c4 ###### 07b4d539a6333d7896493bafd2738321 ----- ``` function_2 ``` ----- ``` function_2 ``` ###### pirpi_version_check 100 90 80 70 60 50 40 30 20 10 0 **COMPILE YEAR AND MONTH** ----- ``` function_3 ``` ----- ``` function_3 ``` ###### pirpi_cmdline_createproc 45 40 35 30 25 20 15 10 5 0 **COMPILE YEAR AND MONTH** ----- ``` EXEProxy ###### • b94bcffcacc65d05e5f508c5bd9c 950c • Contains function_1 • Contains Anti-Disasm • OpenSSL included • Requires cmd line params to run ``` ----- ``` EXEProxy: pirpi_EXEPROXY ``` ###### pirpi_EXEPROXY 9 8 7 6 5 4 3 2 1 0 **COMPILE YEAR AND MONTH** ----- ``` EXEProxy 2: Electric Boogaloo ###### • 4d3874480110ba537b383 ``` ``` 9cb8b416b50 ###### • Contains function_1 • Server tool • Requires Cmd Line Params • No other notable anchor functions ``` ``` ">Ltime %2d:%2d:%2d Disconnect >“ "%2d:%2d:%2d >Cback:“ ">LTime: %2d:%2d:%2d“ ">Cback: %s:%d" "H:%s " "Ok. " "K:%d" ``` ----- ``` EXEProxy 2: Electric Boogaloo ###### • a85f9b4c33061ee724e59291242b9e86 • OpenSSL Server • Contains Public/Private Keys ``` ----- ``` In Summary: ###### • Some families never change • Anchor Functions are Fun! • Use public info • Pirpi malware active since at least 2006 • Unintended findings ``` ----- ###### • Thanks: • Richard Wartell – Palo Alto Networks • Mike Scott – Palo Alto Networks • Biblio: • MITRE: • https://attack.mitre.org/wiki/Software/S0063 • FireEye: • https://www.fireeye.com/blog/threat-research/2010/11/ie-0-day-hupigon-joins-the-party.html • https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html • https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html • https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html • Symantec: • https://www.symantec.com/connect/blogs/new-ie-zero-day-used-targeted-attacks • https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong • http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Symantec-Buckeye-IOCs.txt • EmergingThreats: • https://rules.emergingthreats.net/changelogs/suricata-1.3.etpro.2015-09-10T21:29:38.txt • (cached by other sites, search for hash 4d3874480110ba537b3839cb8b416b50 and EXEProxy) • Palo Alto Networks: • https://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team``` flash-exploit/ • https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and the-pirpi-payload/ ``` -----