# How to perform long term monitoring of careless threat actors ###### Daniel Lunghi (@thehellu) ----- ## Outline ### • Introduction • Malware analysis and classification • Pivoting on the samples • Pivoting on the infrastructure • Telemetry and links with known threat actors • Bonus • Conclusion ----- ## Introduction ----- ## Introduction ### • This talk focuses on the methodology of long term threat actor monitoring • Examples are based on a Trend Micro investigation published on February 18, 2020 ###### Operation DRBControl - Uncovering a Cyberespionage Campaign Targeting Gambling Companies in Southeast Asia ### • Goals: #### • Establish Tactics, Technics and Procedures (TTP) of a threat actor • Help incident response/detection • Get as much context as possible ----- ## Introduction ### • Investigation started on July 2019, after Talent-Jump technologies brought interesting samples to us • The samples were found in a gambling company in Philippines • No obvious link to a known threat actor ----- # Malware analysis and classification ----- ## Malware analysis and classification ### • Goals: #### • Extract IOCs (domain names, IP addresses, file names, registry keys…) • List the malware features • Find the malware family, if known ### • How: #### • Pick your favorite disassembler • Classification: Yara, TLSH, search engines… ----- ## Malware analysis and classification ### • Initial triaging result: #### • 4 different families, of which 3 are unknown • Only known family was found in October 2019 ### • Let’s focus on “Type 1” malware, but the methodology is the same for other families ----- ## Malware analysis and classification ### • Malware is packed and uses DLL side-loading ----- ## Malware analysis and classification ### • Malware is written using C++, it support plugins, class names can be extracted from RTTI information and are self- explanatory #### • CHPKeylog • CHPScreen • CHPAvi • CHPCmd • CHPExplorer • CHPRegedit ----- ## Malware analysis and classification ### • Samples contain a version number ##### Version number Compilation date 1.0 May 2019 8.0 July 2019 9.0 August 2019 ### • Shows fast development pace of the threat actor |Version number|Compilation date| |---|---| |1.0|May 2019| |8.0|July 2019| |9.0|August 2019| ----- # Pivoting from samples ----- ## Pivoting from samples ### • “Easy” pivoting : unique strings #### • Query on search engine (sandbox results) • “content” modifier on VirusTotal or similar malware repositories • Yara rules for more complex queries • RetroHunt for past malwares ###  Fail, malware is packed ----- ## Pivoting from samples ### • Algorithm for network communication encryption uses a substitution table of 256 bytes • 256 bytes hardcoded in a specific order • Yara rule written, alerting added and RetroHunt launched  New samples found, all relevant ----- ## Pivoting from samples ### • On March 23th, an alert matching this substitution table is raised • The related sample is not a malware  The Yara rule is prone to false positives ----- ## Pivoting from samples ### • We found source code posted on February 27, 2015 on CodeProject.com matching the assembly code  Don’t discard possibility of code reuse, even with few ----- ## Pivoting from samples ### • Metadata in different file formats is also useful #### • VERSIONINFO structure from the PE format contains information on filename, description, version, etc • Documents contain metadata (title, author name, …) ### • In this particular investigation, we could find several related samples by leveraging metadata #### • 2 malware samples had “HaoZipUpdate” as original filename • 4 malicious documents had “Dell_20170514745” as author ----- ## Pivoting from samples #### • Legitimate HaoZipUpdate was patched ----- ## Pivoting from samples ### • Mutexes might be used for correlation #### • SFX archive dropping Trochilus malware named “diskshawin.exe” uses mutexes with unique names (“cc5d64b344700e403e2sse”, “cc5d6b4700e403e2sse” and “cc5d6b4700032eSS”) • A BbsRAT sample named “diskwinshadow.exe” found in a public sandbox report also uses these mutexes • That BbsRAT sample has “bot.googlerenewals.net” as C&C, which is listed in a report from ClearSky on Winnti threat actor ----- # Pivoting from infrastructure ----- ## Pivoting from infrastructure ### • Passive DNS : database of historical links between IP addresses and domain names • Some threat actors reuse their servers or domain names for multiple campaigns • Needs to be handled with caution, it is prone to false positives and false negatives ----- ## Pivoting from infrastructure ### • IP addresses history for domain name update.mircosoftdefender.com as seen on PassiveTotal ----- ## Pivoting from infrastructure ### • Truncated list of domain names history for IP address 43.228.126.172 as seen on PassiveTotal ----- ## Pivoting from infrastructure ### • Some threat actors register their domain names in bulk  Creation Date timestamp for those domains is close • mircosoftdefender.com created on 2018-08-09 at 08:40:27 • By filtering on registrar and name server, we find 3 additional domains created on same date between 08:40 and 08:41 #### • dinohonevice.com • luxespiremag.com • googleusermessage.com ----- ## Pivoting from infrastructure ### • Many more techniques #### • TLS certificate tracking • Correlation through metadata (web server version, hosting provider, HTTP headers …) • Search of domain names/IP addresses on public sandboxes results • HTTP static content tracking ----- ## Pivoting ### • All those techniques needs to be reiterated when new IOCs are found #### Domain name Sample IP address ----- # Telemetry and further links ----- ## Telemetry ### • As an AV, we have telemetry from our customers (if enabled) • Spear-phishing emails sent on May 2019 #### • Different company, also in South-East Asia • Also in gambling/betting industry ###  Confirmation of the targeted industry and location ----- ## Links with known threat actors ### • Links with Winnti #### • Shared mutexes, which means probably code sharing for a dropper • We noticed a binary being downloaded from an IP address by the threat actor: Passive DNS for that IP address showed domains related to Winnti ### • Links with EmissaryPanda/LuckyMouse #### • We found a sample from the HyperBro family, which is used exclusively by this threat actor ----- # Using malware features to our advantage ----- ## Using malware features to our advantage ### • Type 1 malware has a secondary C&C channel ----- ## Using malware features to our advantage ### • To read and write to the repository, the malware uses a hardcoded API key ----- ## Using malware features to our advantage ### • “bin.asc” is a new malware family using Dropbox as C&C (analysis is available in our paper) • 142 different directories, of which 129 contain a “bin.asc” file • ~50 post-exploitation tools found in the repository #### • Mimikatz, Quarks PwDump • Nbtscan • Privilege escalation tools • UAC bypass ----- ## Using malware features to our advantage ----- ## Using malware features to our advantage ### • On March 2020, we noticed a new campaign using Type 1 malware family • After extracting Dropbox API key, we noticed permissions had been modified • Token was not allowed to list directories  Threat actor reacted to our publication ----- # Conclusion ----- ## Conclusion ### • Started from ~20 samples of 4 different malware families, 5 domain names and 3 IP addresses • After the investigation: #### • 8 different malware families • 19 domain names, 9 IP addresses • Tens of different samples • Infection vector found #### • List of post exploitation tools • Victimology confirmed • Links with two known threat actors ----- ## Conclusion ### • Threat intelligence enrich knowledge of a threat actor • It needs access to big amount of data • It requires diverse skills • Each security vendor has its own perspective of the attack  Collaboration is welcome ----- ## Acknowledgements ### • Cédric Pernet and Kenney Lu, my dear colleagues • Our boss Ziv for giving us enough time to dig • Researchers at Talent-Jump technologies for sharing samples • Bernard Pivot ----- Threats detected and blocked globally by Trend Micro in 2018. Created with real data -----