# Hunting for PLATINUM ### Mandiant consulting ----- ## Adrien Bataille #### § Senior Consultant at Mandiant § 10 years experience ###### § Incident Response § Malware analysis § Threat intelligence ----- ## Matias Bevilacqua #### § Principal Consultant at Mandiant § 15+ years experience ###### § Incident Response § 5 years experience on IR/forensics R&D. § 2 years onsite focused on the Middle East threat landscape. ----- ## Disclaimer ###### “Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers.” ----- ## Platinum overview ###### Microsoft Report in April 2016 • Low profile group • Targets - South / Southeast Asia • Custom backdoor and tools • At least four zero-day exploits • Hot-patching technique to inject code Microsoft Blog post in June 2017 • Use of Intel AMT Serial over LAN for communications • OS based firewall bypass • Seen in file transfer tool ----- ## Mandiant case #### § Mandiant called in to investigate suspicious activity on a handful of hosts § Compromise confirmed ###### – Breach attributed to a known threat group (not PLATINUM) – Use of Metasploit, webshells, ZXShell, plink… fairly low-tech and noisy. ----- ## Investigative cycle ###### ◆ Host inspection - HX used for analysis (triage, live response) - HIP for real-time alerting ###### New Investigation IOCs ◆ Network monitoring / analysis - PX network sensors ###### Sweeps and Information Network Analysis - Client network infrastructure **Discovery** ###### Monitoring ◆ Malware reverse engineering (FLARE) ----- ## Suddenly things got interesting… #### § What is this?… ###### C:\Program Files\Common Files\System\temp\alg.exe a -hpqwerty -r -dh ps_dl.dat "C:\Program Files\receptor\” C:\Windows\Temp\alg.exe a -hpqwerty -r -ri3 -dh temp_001.dat agent_config.json ragent_install.log connector- deployment-guide.pdf AgentSetup_HIP_xAgent_Bundled.msi #### § Live response analysis C:\Program Files\7-Zip\Lang\bg.txt C:\Program Files\7-Zip\Lang\br.txt ###### – Unknown malware in folder C:\Program Files\7-Zip\Lang\ C:\Program Files\7-Zip\Lang\bz.txt ###### – Freshly installed C:\Program Files\7-Zip\Lang\ca.txt […] ###### – Regular Powershell event log clearing C:\Program Files\7-Zip\Lang\id.txt C:\Program Files\7-Zip\Lang\iis.txt ###### – Persistence unknown C:\Program Files\7-Zip\Lang\io.txt ###### – Submitted to FLARE for triage, named REDPEPPER C:\Program Files\7-Zip\Lang\ios.txt C:\Program Files\7-Zip\Lang\it.txt C:\Program Files\7-Zip\Lang\iys.txt C:\Program Files\7-Zip\Lang\ja.txt ----- ## REDPEPPER •• C:\Program Files (x86)\7-zip\Lang\bz.txtC:\Program Files (x86)\7-zip\Lang\iis.txt ###### • C:\Program Files (x86)\7-zip\Lang\ios.txt ##### § WMI persistence • C:\Program Files (x86)\7-zip\Lang\iys.txt ###### – Filter “7zip_32” – Consumer triggered on event log message “The Security Center service entered the running state.’” – Base64 encoded powershell loader loading an encrypted shellcode and final payload ##### § Backdoor with statically linked OpenSSL (1.5MB) ###### – 3DES encrypted configuration file – 3DES to HTTP/HTTPS C2 – SSL communications ##### § Working hours and self-delete timer § Evolution of Microsoft’s “adbupd” backdoor ###### – but does not trigger on the YARA rule ----- ###### • C:\Program Files (x86)\7-zip\Lang\bz.txt ## Hunting for REDPEPPER • C:\Program Files (x86)\7-zip\Lang\iis.txt ###### • C:\Program Files (x86)\7-zip\Lang\ios.txt • C:\Program Files (x86)\7-zip\Lang\iys.txt PE metadata Persistence/Loading Real-time • Known bad filenames • WMI filter and consumer • HIP alerts on obfuscated Powershell • Payload has single export name • Search for base64 encoded Powershell “GetStartObjectEx” from “iis.txt” • Encrypted on disk • Requires a special regex audit • Use of custom PE loader – won’t • Resource heavy appear as DLL export in running • EID 104 specific to Powershell: The process Windows PowerShell log file was cleared • Search strings in process address space (noisy) ----- ###### • C:\Program Files (x86)\7-zip\Lang\bz.txt ## Hunting for REDPEPPER • C:\Program Files (x86)\7-zip\Lang\iis.txt ###### • C:\Program Files (x86)\7-zip\Lang\ios.txt • C:\Program Files (x86)\7-zip\Lang\iys.txt #### § Network ###### – C2s from the configuration files – Old user-agents § IE7, IE8, IE9, IE10 § Chrome 14.0.835.187 § Firefox 3.6.13, 4.0, 5.0 ----- ## Continuing the investigation ##### § Hits on WMI and obfuscated PowerShell • C:\Program Files\WinRAR\Formats\tar.txt ###### • C:\Program Files\WinRAR\Formats\bz.txt – REDPEPPER - 64 bit version with different filenames and path • C:\Program Files\WinRAR\Formats\cab.txt – Several unknown hits using a similar loading technique • C:\Program Files\WinRAR\Formats\gz.txt § C:\ProgramData\Apple\setup\BonjourSupport.txt § C:\Program Files\Windows NT\TableTextService\TableTexTServiceDaGG.dll § … ##### § Live response analysis suspects different malware § TableTexTServiceDaGG.dll submitted to FLARE for analysis § Was eventually named REDCURRY ----- ## REDCURRY (“KB”) ##### § Same loading technique as REDPEPPER ###### – WMI persistence – Several base64 encoded files ##### § Final payload this time was packed, and ###### obfuscated ##### § Keylogger, records keystrokes in encrypted ###### files ##### § Found several versions § Encryption keys slightly different per victim (a ###### few bytes) Unpacked disassembly, duh. ##### § Unpacked payload identified as ###### Trojan_Win32_PlaKeylog_B by Microsoft YARA ruleset (PLATINUM) ----- ###### • C:\Program Files\Internet Explorer\F112props.dll ## Hunting for REDCURRY • C:\ProgramData\CyberLink\cbd\tokens.txt ###### • C:\Program Files\Windows NT\TableTextService\TableTexTServiceDaGG.dll PE metadata Persistence/Loading Real-time • Known bad filenames • WMI filter and consumer • HIP alerts on obfuscated Powershell • Payload has four exports • Search for base64 encoded Powershell or (correlation observed to PS Empire) “ExLinkFn”, “ExLinkFnW”, “MZ” header “ExUnlinkFn”, “ExUnlinkFnW” • Requires a special regex audit • Encrypted on disk • Resource heavy • Use of custom PE loader – won’t • EID 104 specific to Powershell: The appear as DLL export in running Windows PowerShell log file was cleared process • Search strings in process address space ----- ## Hunting for more ##### § ShimCache/AmCache sweeps § Simple & inaccurate description: records executed binaries (win) § Good method to find files which may have been be deleted § Hits for some of the preferred filenames of this threat actor § Hits on « alg.exe » => live responses C:\Program Files (x86)\Cisco Systems\VPN Client\cisco_cert_mgr.exe C:\Program Files (x86)\Cisco Systems\VPN Client\cisconetworks.dat C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe #### § Unknown malware found! C:\Program Files (x86)\Cisco Systems\VPN Client\internal.ini […] ###### – C:\Program Files (x86)\Cisco Systems\VPN Client C:\Program Files (x86)\Cisco Systems\VPN Client\qt-mt335.dll – Different loading than REDPEPPER and REDCURRY C:\Program Files (x86)\Cisco Systems\VPN Client\qtwidgets64.dll C:\Program Files (x86)\Cisco Systems\VPN Client\routexchange.dll.mui ###### – Eventually named REDSALT. C:\Program Files (x86)\Cisco Systems\VPN Client\SetMTU.exe C:\Program Files (x86)\Cisco Systems\VPN Client\VAInst64 exe ----- ## REDSALT ##### § Backdoor functionality § Persistence using ACI shims ###### – Shim loads obfuscated 1[st] DLL (95% junk code) – 1[st] DLL decrypts and loads a second DLL (Rijndael) – 2[nd] DLL decrypts and loads resource (optional) which is packed payload ##### § Found several versions ###### – ACI shim and loader tuned for each compromised host – Final payload often the same ##### § Final unpacked payload identified as Trojan_Win32_Plagon by Microsoft YARA rule ----- ## REDSALT ###### •Service, COM, Winlogon events, ACI shims Persistence •Bootkit (pre-Vista)? •File or registry Configuration •Each entry is RC4 encrypted •Key changes for each sample •Encrypted file dropped on the system Active mode •HTTP/HTTPS with configured URLs (Wininet API) •Door knocking - raw sockets wait for a “magic” packet then open ports •Capability of proxying to next host Passive mode •Communications using IPV4/IPV6 or Intel AMT SOL on recent versions •Compatible with “Zc tool” referenced in MS report ----- ## REDSALT – AMT SOL ----- ## REDSALT - interactive mode ----- ## Hunting for REDSALT ###### § Event logs – Program-Telemetry logs for InjectDLL shims are a gold mine – Firewall rule changes (hardcoded names) § Persistence – search for small sdb § Unique export “StartThreadAtWinLogon” – Search in memory – Stack string in 1[st] stage DLL ----- ## Hunting for REDSALT #### § Example event logs for InjectDll shim 500 | Information | Compatibility fix applied to C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe. Fix information: InjectDll, {3432bc96-d181-4529-b261- 1a3964961b6c}, 0x00010206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\netsh.exe. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\netsh.exe. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\netsh.exe. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\netsh.exe. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\ipconfig.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\netstat.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\netstat.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261- 1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\systeminfo.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\netstat.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261- 1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\systeminfo.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261- 1a3964961b6c}, 0x00040206. 500 | Information | Compatibility fix applied to C:\Windows\SysWOW64\cmd.EXE. Fix information: InjectDll, {3432bc96-d181-4529-b261-1a3964961b6c}, 0x00040206. ----- ## Hunting for REDSALT •• C:\Program Files (x86)\Cisco Systems\VPN Client\qtwidgets64.dllC:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\hpbluetooth32.dll ###### • C:\Program Files\DVD Maker\en-US\WM2CLIP.dll • C:\Program Files\DVD Maker\en-US\WMM4CLIP.dll #### § Stack strings in all first stage DLLs ###### • C:\Program Files (x86)\SnapComms\Client\673\SnapclientSSes.dll #### § Only offset on stack changes • C:\Program Files (x86)\VERITAS\VxPBX\bin\vxlis_64.dll ----- ## Hunting for REDSALT •• C:\Program Files (x86)\Cisco Systems\VPN Client\qtwidgets64.dllC:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\hpbluetooth32.dll ###### • C:\Program Files\DVD Maker\en-US\WM2CLIP.dll • C:\Program Files\DVD Maker\en-US\WMM4CLIP.dll #### § Remove displacement and keep ###### static portion of the instruction • C:\Program Files (x86)\SnapComms\Client\673\SnapclientSSes.dll • C:\Program Files (x86)\VERITAS\VxPBX\bin\vxlis_64.dll displacement dword ptr [ebp + X] value mov r16/r32, imm16/32 $stack string = { C7 45 ?? 53 74 61 72 C7 45 ?? 74 54 68 72 C7 45 ?? 65 61 64 41 C7 45 ?? 74 57 69 6E C7 45 ?? 4C 6F 67 6F } ----- ## REDSALT Encryption ##### § Blowfish § Hardcoded keys K1 and K2 for network communications § C2 key (file and internet) ###### – K = md5(xor(K1, K2)) – K2 is a slight shift from K1 ##### § Door-knocking / Internal initial packets ###### – K = md5(K1) – Configured password for authentication ##### § K1 and K2 unchanged for years according to available samples § Blowfish small block size makes for potential SNORT sigs ###### – More chances to find fixed patterns to hit on ----- |X|Padding bytes|J|O|B|_|N|O|=|| |---|---|---|---|---|---|---|---|---|---| ## Hunting for REDSALT #### § Network C2 comms ###### – Malware looks for content starting with JOB_NO= – Padding at the beginning of the data up to 8 bytes – Compute all possible values for C2 for the first 8 bytes and encrypt with K § 1JOB_NO= § 20JOB_NO § 300JOB_N § ... 0 1 X X+7 X Padding bytes J O B _ N O = 0 0 ----- |X|Padding bytes|Col3|Col4|P|A|S|S|W|O|R|D|:|| |---|---|---|---|---|---|---|---|---|---|---|---|---|---| ||0|0|||||||||||| ## Hunting for REDSALT #### § Network internal comms ###### – Malware looks for content starting with campaign password – Padding at the beginning of the data up to 8 bytes § If known password, compute possible values like for C2 § If unknown password, lucky hit possible J – 8 byte padding: 80000000 § Mistake to put padding zeroes at the beginning 0 1 X X+Y X Padding bytes P A S S W O R D : 0 0 ----- ## Going further ##### § REDPEPPER and REDCURRY use the same custom packer § Sweeping for the packer may yield some results #### § Packer basics ###### – Exports and imports rewritten on DLL load Add A and B Add A and B ###### – Same methodology used for each sample Push A ###### – Registers, constants, instructions change Push added value Push A Push added value Push 0 #### § Some slight patterns Push 0 Push 0x6C6C642E = Push 0x6C6C642E = ”lld.” ”lld.” Push 0x32336C65 = Push 0x32336C65 = ”23le” ”23le” Push 0x6E72656B = Push 0x6E72656B = ”nrek” Always ”nrek” Always true true ----- ## Example YARA rule for ESI ----- ## Hunting for the Packer ##### § Limited resource intensive hunts (nervous client…) ###### – Needed to translate YARA into regex – Limited to PE files only – Limited number of possibilities ##### § Lots of interesting hits found on Exchange servers and Domain Controllers ###### – Older variants of REDSALT, REDCURRY – REDMAIL – REDSAFFRON – pthreadvc3.dll – Vxlogagt.exe ----- ## Wait… REDSALT, REDCURRY again? ##### § REDSALT ###### – COM and Winlogon Events for persistence • C:\Program Files\Common Files\System\mslsf\mslsf64.dll – No first stage DLL with stack strings • C:\Program Files\Common Files\System\mslsf\msvtvc.DLL • C:\Program Files\Veritas\NetBackup\bin\vxlogctl.exe – Firewall IOC would have caught these • C:\Program Files\Veritas\NetBackup\bin\vxlogcfg.exe • C:\Program Files\Veritas\NetBackup\bin\vxlogcfg.dll ##### § REDCURRY ###### – No persistence • C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmaudio.cat – No PowerShell event log clearing • C:\Program Files\Windows Mail\Setup\wabimp.dll – No base64 encoded files – Memory only hunting would have failed too (malware no longer active) § Overall, good example of how difficult it can be to write a generic IOC ----- ###### software that is created by Microsoft, by ## REDMAIL (“GP”) third-party vendors, or by your organization, on an Exchange server. This software can ###### then process email messages that pass § Microsoft Exchange transport agent “msdbagt.dll” through the transport pipeline.” – .NET file specified in Exchange configuration file agents.config – Blended in as “Microsoft Exchange ODB Agent” § Obfuscated .NET calls a packed J DLL “msdbeng.dll” – GP export – process email – PM export – uninstall / delete § Configuration file “ExchPrf.inf” contains a list of targeted email addresses and a blacklist (spam) § Compress and encrypt targeted emails to configured directory on disk – 128 bit AES keys generated using CryptGenRandom() – AES keys encrypted with hardcoded public RSA 1024 bit key § Execute commands in an email from a configured sender as a batch script § First sample in the environment dropped on 2010 (recall first public report identified being MS April 2016) § No exfiltration mechanism what? ----- ###### • C:\Windows\SysWOW64\UCappi.dll • C:\Windows\SysWOW64\UCmappi.dll ## REDSAFFRON • C:\Windows\SysWOW64\Ucmmp.dll ###### • C:\Program Files\Windows Mail\setup\msadco.dll ##### § Found on: ###### – Exchange (2008, 2012) – packed J but not obfuscated – Workstation (2015) – packed and obfuscated, loaded like Redcurry / Redpepper ##### § Main purpose is acting as a malware carrier for data exfiltration and communication ###### between hosts – Interoperate up to 10 utilities/malware – Listening to raw socket “pings” to initiate coms on another port ##### § Configuration file encrypted using ICE § Helper utility – “showcfg”, “updatecfg”, etc. § Sample configurations retrieved ###### – Start keylogger and unrecovered malware – Start keylogger and Redmail, send keylog data and encrypted emails to another workstation running REDSAFFRON ----- ## REDSAFFRON configuration ----- |Random|NetworkEncryptKey| |---|---| |Magic|Flag|Size|Payload| |---|---|---|---| |Random|Magic|Flag|Size|Payload| |---|---|---|---|---| ## REDSAFFRON network encryption ###### Random NetworkEncryptKey GenerateKey() Network Key IV = 0 AES 256 ECB Magic Flag Size Payload Random Magic Flag Size Payload ----- ## REDSAFFRON ##### § Weakness in key generation ###### – Example 32 char NetworkEncryptKey + 16 byte rand() § Only 6096 different possible keys § 4000 possible keys with known rand() bytes – Packets can be brute forced without knowing NetworkEncryptKey or rand() bytes § Search for DWORD decrypted “magic” (0x1E3F2) at offset 16 § Search for DWORD decrypted protocol flags at offset 20 (1, 2, 4, 6, 7, 18, 21, 22) – Suitable for targeted hunting in an engagement, not general detection (SNORT SO rules, Surricata LUAJIT, …) ----- ## Conclusion ##### § Very interesting group with very good opsec ###### – Time triggers to delete malware, secure delete, working hours configs… – References to our engagement found in keylogs… – Op paused when Mandiant arrived § Some malware deleted § Some malware was put on standby § No active malware communications captured – Undetected for 9 years L ##### § Low profile § Take the best out of public knowledge and use it § Not all IOCs are born equal! § Trying to hide will sometimes reveal you J ----- # Thank you -----