###### CODE BLUE 2015
###### Revealing the Attack Operations Targeting Japan
JPCERT/CC Analysis Center
Shusei Tomonaga
-----
###### Agenda
1 Introduction
2 Operation A
3 Operation B
-----
###### Self introduction
Shusei Tomonaga
Yuu Nakamura
Analysis Center at JPCERT Coordination Center
Malware analysis, Forensics investigation
-----
###### JPCERT Coordination Center
Japan Computer Emergency Response Team Coordination Center

|Prevention|Monitoring|Response|
|---|---|---|
|• Vulnerability information handling|• Information gathering & analysis & sharing|• Incident handling|
||• NW Traffic Monitoring||

Early warning information
CSIRT establishment support
Industrial control system security
International collaboration
Artifact (e.g. Malware) analysis
-----
###### Targeted Attacks handled by JPCERT/CC
From April to September 2015: 130 organizations
• Operation A: 93 organizations
• Operation B: 44 organizations
-----
###### Introducing 2 Types of Attack Operations
###### Operation A
• Targeting many Japanese organizations since around 2012.
• Emdivi
• CloudyOmega (Symantec)
• BLUE TERMITE (Kaspersky)
###### Operation B
• Targeting some Japanese organizations since around 2013.
• APT17 (FireEye)
-----
###### Agenda
1 Introduction
2 Operation A
3 Operation B
-----
###### Characteristics of Operation A
Attacker's Infrastructure (Compromised Web sites): Japan, Overseas
Victim organizations (Public offices, private companies)
Attack vectors: Targeted emails, Widespread emails, Watering hole
-----
###### Details of Internal Intrusion Techniques
#### Initial Compromise
#### Collecting Information
#### Lateral Movement
-----
###### Attack Patterns
Timeline of Attack Vector (2014/05 to 2015/09)

|Attack vector|Timeline|
|---|---|
|Disguised Icon||
|Document File (Exploit vulnerabilities)|2014/11: CVE-2014-7247|
|Drive-By Download|2015/07: CVE-2015-5119, CVE-2015-5122|

Lure themes: Medical expense, Health insurance
• In many attacks, the malware is disguised with fake icons, compressed with zip or lzh and attached to emails.
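As an added example (editor's code, not from the deck or JPCERT/CC), a mail-gateway triage routine for the attachment pattern described above: it opens a zip attachment in memory and flags members that are executables by extension, members carrying a PE header behind a document extension, and nested zip/lzh archives that need the same check. The sample archive and its lure file names are constructed here.

```python
import io
import zipfile

# The deck notes the attachments were executables wearing document icons, compressed
# with zip or lzh. Extensions Windows runs as programs, and archive types to unpack:
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
ARCHIVE_EXTS = {".zip", ".lzh"}

def looks_like_pe(head: bytes) -> bool:
    """A Windows PE executable starts with the 'MZ' DOS-stub signature."""
    return head[:2] == b"MZ"

def looks_like_lzh(head: bytes) -> bool:
    """LZH headers carry a method id such as '-lh5-' at offset 2 of the first entry."""
    return head[2:5] == b"-lh" and head[6:7] == b"-"

def extension(name: str) -> str:
    """Last extension, lower-cased; a padded lure like 'notice.doc      .exe' still ends in .exe."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""

def triage_zip_attachment(blob: bytes) -> list:
    """Return (member name, reason) for every member a mail gateway should hold for review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(64)
            ext = extension(info.filename)
            if ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension inside mail archive"))
            elif looks_like_pe(head):
                findings.append((info.filename, "PE header behind non-executable extension %r" % ext))
            elif ext in ARCHIVE_EXTS or looks_like_lzh(head) or head[:2] == b"PK":
                findings.append((info.filename, "nested archive, unpack and re-check"))
    return findings

def build_sample_attachment() -> bytes:
    """Constructed sample zip (not a real specimen): lure names, fake PE bodies, one clean text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Medical expense notice.doc                 .exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Health insurance.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("report.doc", b"MZ\x90\x00" + b"\x00" * 60)        # document name, PE content
        zf.writestr("attachment.lzh", b"\x16\x00-lh5-" + b"\x00" * 40)  # nested lzh to unpack
        zf.writestr("readme.txt", b"plain text, nothing to flag")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in triage_zip_attachment(build_sample_attachment()):
        print(reason + ": " + name)
```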
-----
###### Details of Internal Intrusion Techniques
#### Initial Compromise
#### Collecting Information
#### Lateral Movement
-----
###### Investigation of Compromised Environment
Uses legitimate tools provided by MS
Active Directory admin tools sent after the compromise
• csvde
• dsquery
-----
###### Example of Using dsquery
Used in some cases targeting specific individuals
-----
###### Collecting Email Account Information
Uses free tools (similar to NirSoft Mail PassView)
Attempts to receive emails from outside
May lead to new attack emails (replies within existing email correspondence)
Infection spreading from organization to organization
-----
###### Collecting Classified / Personal Information
###### Delete Evidence
-----
###### Search Network Drive (1)
net use command

```
> net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           T:        ¥¥FILESV01¥SECRET         Microsoft Windows Network
OK           U:        ¥¥FILESV02¥SECRET         Microsoft Windows Network
```

wmic command

```
> wmic logicaldisk get caption,providername,drivetype,volumename
Caption  DriveType  ProviderName        VolumeName
C:       3                              OS
D:       3                              Volume
T:       4          ¥¥FILESV01¥SECRET   Volume
U:       4          ¥¥FILESV01¥SECRET   Volume
```

DriveType 4 (network drive)
-----
###### Search Network Drive (2)
Combination of netstat command & nbtstat command

```
> netstat -an
  TCP    192.168.xx.xx:49217    192.168.yy.yy:445    ESTABLISHED

> nbtstat -a 192.168.yy.yy
       Name               Type         Status
    ---------------------------------------------
    FILESV01       <00>  UNIQUE      Registered
```

Port 445 is used as the key to find the access point of the file sharing service
-----
###### Search Targeted Data
dir command

```
> dir ¥¥FILESV01¥SECRET
 ¥¥FILESV¥SECRET Directory

2014/07/11  09:16    [DIR]    Management of Partner Companies
2014/09/04  11:49    [DIR]    Management of Intellectual Property
2014/08/01  09:27    [DIR]    Location information
```

Not only searches network drives but also the compromised computers

```
> dir c:¥users¥hoge¥*.doc* /s /o-d
 c:¥users¥hoge¥AppData¥Local¥Temp Directory

2014/07/29  10:19    28,672    20140820.doc
               1 File    28,672 bytes

 c:¥users¥hoge¥Important Information Directory
```
-----
###### Compress, Download, Delete Evidence
Compressed with RAR

```
> winrar.exe a -r -ed -v300m -ta20140101 %TEMP%¥a.rar "¥¥FILESV01¥SECRET¥Management of Intellectual Property" -n*.ppt* -n*.doc* -n*.xls* -n*.jtd
Adding ¥¥FILESV01¥SECRET¥Management of Intellectual Property¥Committee List(2015.05.01).docx  OK
Adding ¥¥FILESV01¥SECRET¥Management of Intellectual Property¥Framework.ppt  OK
Adding ¥¥FILESV01¥SECRET¥Management of Intellectual Property¥Application List.xlsx  OK
Adding ¥¥FILESV01¥SECRET¥Management of Intellectual Property¥Design Document.jtd  OK
・
・
```

Documents are compressed per folder
RAR files are sent to the C&C server and deleted
-----
###### Details of Internal Intrusion Techniques
#### Initial Compromise
#### Collecting Information
#### Lateral Movement
-----
###### Methods Used to Spread Infection
Patterns of spreading infection
• Exploiting vulnerabilities (MS14-068 + MS14-058)
• Investigating SYSVOL scripts
• Password list-based attack
• Exploiting Built-in Administrator password
• Setting malware in file servers
• Exploiting WPAD
• Others
-----
###### Exploiting Vulnerabilities (MS14-068 + MS14-058)
Diagram: PC-A, Domain Controller, PC-B
1. Escalate privilege (MS14-058) and dump the user's password with mimikatz
2. Exploit the MS14-068 vulnerability and gain Domain Admin privileges
3. Upload mimikatz to the DC and dump admins' passwords
5. Register a task in order to execute malware
-----
###### Investigating SYSVOL Scripts
• In some cases, passwords are found in logon scripts, etc.
Key Point
Diagram: Attacker's Infrastructure (C2 Server), Domain Controller, PC-A, PC-B
1. Download logon scripts, compress and archive
2. (to C2 Server)
3. Search for admin's password
4. Copy malware to PC-B
5. Register a task in order to execute malware
6. Malware executes according to the task
-----
###### Password List-based Attack
• Attempts logon by using an approximately 10-30 line password list and a user list of Domain Admins
• Uses a tool called logon.exe (self-built?)
Key Point
Diagram: PC-A, PC-B; 4. Register a task
-----
###### Exploiting Built-in Administrator Password
• An effective method when there is no way to exploit the Domain environment
• Requires password hashes or dumped passwords
Key Point
Diagram: PC-A, PC-B; 2. Pass the hash or net use

```
net use ¥¥PC-B¥IPC$ [password] /u:Administrator
```
-----
###### Setting Malware in File Servers
• Effective when there is no other method
Key Point
-----
###### Exploiting WPAD
WPAD (Web Proxy Auto-Discovery)
— Turned on by default
— Gets the automatic configuration script from either
  • the URL specified by the DHCP server, or
  • http://wpad/wpad.dat
-----
###### Exploiting WPAD (Step 1: NetBIOS Spoofing)
Key Point
• Effective in an environment where WPAD is not configured
• NetBIOS Spoofing
Diagram: PC-A, PC-B
-----
###### Exploiting WPAD (Step 2: Fake WPAD Server)
Diagram: PC-A, PC-B
-----
###### Exploiting WPAD (… Proxy)
Diagram: Attacker's …, PC-A, PC-B
-----
###### Summary: Methods of Spreading Infection

|Method|AD|Privilege Escalation|Note|
|---|---|---|---|
|MS14-068|Necessary|Unnecessary / Necessary for password dump|Risk exists when DC is unpatched|
|SYSVOL Search|Necessary|Unnecessary||
|Brute Force Attack (Password List Attack)|Necessary|Unnecessary|Risk exists when the password is weak|
|Abusing Built-in Administrator|Unnecessary|Necessary|Presumes that the password is the same|
|Exploiting File Servers|Unnecessary|Unnecessary|Risk exists when the file is disguised as one that many users open|
|Exploiting WPAD|Unnecessary|Unnecessary|Situations are limited|
-----
###### DETAILS OF TOOLS AND MALWARE
-----
###### Characteristics of Malware
Different types of malware reside depending on the phase and scale of damage of the attack

|Malware|Overview|File format|Form of attack|
|---|---|---|---|
|Emdivi (t17)|HTTP BOT|EXE|Intrude|
|Tools|Password dump, etc.|EXE, etc.||
|usp10jpg|Download (low-frequency communication)|DLL, data|Lateral Movement|
|Emdivi (t19, t20)|HTTP BOT (more sophisticated than t17)|EXE||
|BeginX|Remote shell tool|EXE||
|GStatus|HTTP BOT (low-frequency communication)|EXE, DLL|Conceal?|
-----
###### Tools

|Type|Overview|Filename|
|---|---|---|
|Password dump / Pass-the-hash|Quarks PwDump|qp.exe, qd.exe, QDump.exe, etc.|
||MimikatzLite|gp.exe|
||Windows Credentials Editor|wce.exe, ww.exe|
||Mimikatz|mz.exe, mimikatz.exe, mimikatz.rar (sekurlsa.dll)|
|Vulnerability exploitation|MS14-068 (CVE-2014-6324)|ms14-068.exe, ms14-068.tar.gz|
||MS14-058 (Privilege escalation) (CVE-2014-4113)|4113.exe|
|UAC bypass|UAC bypass tool|msdart.exe, puac.exe, etc.|
|Packet transmit|Htran, proxy adaptive Htran|htproxy.exe, etc.|
|Mail account theft|Similar to NirSoft Mail PassView|CallMail.exe, outl.exe, etc.|
|Utility|Attempt logon based on list|logon.exe|
||WinRAR archiver|yrar.exe, rar.exe, etc.|
||Highly sophisticated dir command|dirasd.exe, etc.|
-----
###### Emdivi (t17)
HTTP BOT with basic functions
Its version was repeatedly upgraded in the past year and new commands were implemented

|Command|Date of Implementation|
|---|---|
|DOABORT||
|DOWNBG||
|GETFILE||
|LOADDLL||
|SETCMD||
|SUSPEND||
|UPLOAD||
|VERSION||
|GOTO|May 2015|
-----
###### Emdivi (t20)
Highly Sophisticated Emdivi
The number of implemented commands has increased and decreased in the past year.
— 18-41 (based on JPCERT/CC's study)
In some cases, the targeted organization's proxy server address is hard-coded.
May only run on specific computers (encryption of data by computer SID)
-----
###### usp10jpg
Download (low-frequency communication)
Communication performed once a day
Able to specify the day of the week of communication
Tends to be set on computers that are not infected with Emdivi (secondary infection)
DLL Preloading Attack: dwmapi.dll, etc. / ***.DAT / Application
-----
###### Difficulty to Detect usp10jpg
Computer infected with Emdivi: easy to detect due to high-frequency communication with the attacker's infrastructure
Computer with usp10jpg: may be left undetected due to low-frequency communication
-----
###### BeginX
Remote Shell Tool
BeginX Server
— Listens on specific ports and waits for commands
— Both UDP and TCP versions available
BeginX Client
— Client which sends commands to the BeginX Server
— Controlled via Emdivi
-----
###### Image of Using BeginX
Diagram: Attacker's Infrastructure; segment unable to connect to the Internet
Computer infected with Emdivi (BeginX Client) → BeginX Server on a computer that cannot be controlled by Emdivi infection; able to control via BeginX
-----
###### GStatus
HTTP BOT different from Emdivi
Not found in many organizations, but...
Bot Function
— Get drive information
— Execute arbitrary shell command
— Process list
— Screen related functions
-----
###### GStatus Web Panel (Admin Screen)
-----
###### ANALYSIS TOOLS
emdivi_string_decryptor.py
-----
###### emdivi_string_decryptor.py
• IDAPython
• Used to analyze Emdivi
• Decodes encoded strings
Supported versions
• t17, 19, 20
-----
###### emdivi_string_decryptor.py
Emdivi encoded strings
-----
###### emdivi_string_decryptor.py
Difference depending on version string

||Ver 17|Ver 19 or 20|Ver 20|
|---|---|---|---|
|Encrypt|XxTEA encrypt|XxTEA decrypt|AES decrypt|
|Decrypt|XxTEA decrypt|XxTEA encrypt|AES encrypt|

Key
• Ver 17: Scanf( "%x", Inc_Add( ver17_key ) )
• Ver 19 or 20: MD5( MD5(base64(ver)) + MD5(key_string) )
-----
###### DEMO
-----
###### Agenda
1 Introduction
2 Operation A
3 Operation B
-----
###### Attack Techniques
##### Drive-by Download Attack
##### Update Hijacking
##### Domain Name Hijacking
-----
###### Drive-by Download (Watering Hole) Attack
Diagram: Targeted Organization
0. Deface Web site
1. Access to Web site
2. Redirect
3. Download malware
4. Malware Infection
-----
###### Access Control
Target name
-----
###### 0-day Exploits
CVE-2014-0324 (MS14-012)
• Detected around February 2014
• Vulnerability in Internet Explorer
-----
###### Attack Techniques
##### Drive-by Download Attack
##### Update Hijacking
##### Domain Name Hijacking
-----
###### Update Hijacking
Method used to alter update information
Diagram: Targeted Organization, Fake Update Server
0. Alter update information
1. Request to update
2. Fake update information
3. Request to download
4. Download malware
5. Malware Infection
-----
###### Another Update Hijacking Pattern
Method used without changing the update server's file
Diagram: Targeted Organization, Update Server
-----
###### Another Update Hijacking Pattern
Method used without changing the update server's file
TCP 80 is forwarded by iptables.

```
iptables -t nat -A PREROUTING -i eth0 -s aa.bb.cc.dd -p tcp --dport 80 -j DNAT --to-destination ww.xx.yy.zz:53
```

Key Point
• Update server's file is unchanged
• iptables rules are not saved
• Targeted organization sees it as if it is communicating with the legitimate update server
-----
###### Attack Techniques
##### Drive-by Download Attack
##### Update Hijacking
##### Domain Name Hijacking
-----
###### Domain Name Hijacking
Diagram: Targeted Organization; Legitimate Server (DNS Server, Web Server); Attacker's Infrastructure (DNS Server, Web Server)
0. Change registration information
1. DNS query
2. DNS query
-----
###### DETAILS OF MALWARE
-----
###### Routing of only specific DNS queries by using iptables

```
iptables -t nat -A PREROUTING -p udp --dport 53 -m string --from 30 --to 34 --hex-string "|03|AAA" --algo bm -j DNAT --to-destination aa.bb.cc.dd:54
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to ww.xx.yy.zz:53
```

AAA.example.com
Key Point
• Routing of only specific sub domains
• Other DNS queries are routed to the legitimate DNS server
-----
###### Characteristics of Malware
① Uses different malware before and after the intrusion
② Some malware runs in memory only
③ Embeds the target organization's internal information
④ Uses a code signing certificate in some cases
-----
###### Characteristics of Malware
Intrusion: BlackCoffee, McRAT, Preshin, Agtid
Concealing: Hikit, Derusbi, PlugX
-----
###### Malware (Intrusion): BlackCoffee
HTTP bot with basic functions
Command List

|command|info|
|---|---|
|0x184004|Execute remote shell|
|0x184008|Run remote shell command|
|0x18400c|Create file|
|0x184010|Load file|
|0x184014|Get drive information|
|0x184018|Create directory|
|0x18401c|Search file|
|0x184020|Delete file|
|0x184024|Move file|
|0x184028|Process list|
|0x18402c|Terminate process|
|0x184030|Sleep|
|0x184034|Install command|
|0x184038|Set Sleep Time|
|0x18403c|Terminate|
-----
###### IP Address Acquisition Algorithm
Get C2 IP address from Web page
start: lOve yOu 4 eveR
end: Reve 4 uOy evOl
Decode
-----
###### Malware (Intrusion): McRAT
Plug-in-based malware
Command list

|command number|info|
|---|---|
|0|Send data to server|
|1|Set TickCount|
|3|Plug-in registration|
|4|Allocate Plug-in settings area|
|5|Set Plug-in settings area|
|6|Create/Execute plug-in|
|7|Terminate plug-in|
|8|Create configuration file|
|9||
-----
###### Malware Running in Memory Only
CVE-2013-3918 with McRAT
ROP / Shellcode / skip
-----
###### Malware Running in Memory Only
CVE-2013-3918 with McRAT
Executes rundll32.exe and injects code
Shellcode is injected, with McRAT's data below it
Not saved as a file
-----
###### Malware (Intrusion): Preshin
Simple HTTP bot with limited functions
Command list

|command|info|
|---|---|
|downonly|Download file|
|downexec|Download and Execute file|
|-|Run remote shell command|
-----
###### Preshin Controller
PHP-based Controller
-----
###### Preshin Controller
Example of command execution
-----
###### Malware (Intrusion): Agtid
HTTP bot with basic functions
Command list

|command|info|
|---|---|
|1|Get disk information|
|2|File list|
|3|Open file|
|4|Upload file|
|5|Create file|
|7|Load file|
|8|-|
|9|Delete file|
|10|Delete file/folder|
|11|Upload file|
|12|Create folder|
|13|Move file|
-----
###### Malware (Concealing): Hikit
Malware with Rootkit functions
Command list

|command|info|
|---|---|
|file|File related operation|
|information|Send configuration information|
|proxy|Enable Proxy settings|
|connect|Connect to Hikit proxy|
|shell|Run remote shell command|
|socks5|Enable Proxy settings (socks5)|
|exit|Terminate|
-----
###### Hikit Configuration Information
Hikit holds proxy information of the internal network
ID / Target name / Proxy info / Rootkit setting
-----
###### Malware (Concealing): Derusbi
Malware recently often used
Command list

|command|info|
|---|---|
|cmd4|Service/Process related operation|
|cmd5|Run remote shell command|
|cmd6|Connect to Derusbi proxy|
|cmd7|File operation|
|cmd8|Terminate|
|cmd9|Create/Delete file|
-----
###### Derusbi Configuration Information
Der usbi holds proxy information of the internal network
ID / Proxy info
-----
###### Code Signing Certificate
-----
###### Infrastructure Used by Attackers
-----
###### Linux Backdoor
mod_rootme
• apache module
• Runs a remote shell when a keyword is sent
mod_rootme source: Keyword "Roronoa"
-----
###### Linux Backdoor
rs_linux
• Highly sophisticated Linux bot
-----
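Added example (editor's code, not from the deck or JPCERT/CC) for the selective DNS routing slide above: DNS names travel as length-prefixed labels, so the rule's pattern |03|AAA is the label "AAA" as it sits in the QNAME of a query for AAA.example.com, and the example shows which constructed queries a raw byte match like that diverts, which is also what to look for when checking resolver logs or captures for the affected names. The rule's --from/--to offset bounds are not modelled.

```python
import struct

# In DNS wire format every label is prefixed by its length byte, so the
# iptables pattern |03|AAA from the slide is the label "AAA" as it appears
# inside the QNAME of a query for AAA.example.com.
HIJACKED_LABEL = b"\x03AAA"

def encode_qname(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero-length root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query payload (constructed for this example): header plus one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: standard query, RD set
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)

def parse_qname(payload: bytes) -> str:
    """Walk the labels of the first question (queries carry no compression pointers)."""
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def matches_string_rule(payload: bytes) -> bool:
    """The test the slide's rule performs: a raw byte search for the label pattern
    (its --from/--to offset bounds are not modelled here)."""
    return HIJACKED_LABEL in payload

def diverted_queries(payloads) -> list:
    """Names whose queries such a rule would DNAT to the rogue resolver instead of the legitimate one."""
    return [parse_qname(p) for p in payloads if matches_string_rule(p)]

# Constructed sample traffic. A raw match also catches names *under* the hijacked
# label (www.AAA.example.com), while AAAB.example.com is a different label
# (\x04AAAB) and is left alone.
SAMPLE_QUERIES = [build_query(n) for n in (
    "AAA.example.com", "www.AAA.example.com", "AAAB.example.com", "www.example.com")]

if __name__ == "__main__":
    print(encode_qname("AAA.example.com").hex())
    print(diverted_queries(SAMPLE_QUERIES))
```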
###### ANALYSIS TOOLS
apt17scan.py
-----
###### apt17scan.py
• Volatility Plugin
• Detects malware in memory dumps
• Extracts malware configuration information
Function
• apt17scan
• derusbiconfig
• hikitconfig
• agtidconfig
-----
###### apt17scan.py
Scan with YARA → Search configuration data address → Parse configuration data → Dump configuration
-----
###### apt17scan.py
apt17scan: Detecting Malware
• Agtid
• Hikit
• McRAT
• Preshin
• BlackCoffee
-----
###### apt17scan.py
derusbiconfig: Dump configuration information for Derusbi
-----
###### apt17scan.py
hikitconfig: Dump configuration information for Hikit
-----
###### apt17scan.py
agtidconfig: Dump configuration information for Agtid
-----
###### DEMO
-----
###### How to Download
https://github.com/JPCERTCC
-----
###### Thank You!
Contact: aa-info@jpcert.or.jp
https://www.jpcert.or.jp
Incident Report: info@jpcert.or.jp
https://www.jpcert.or.jp/form/
-----
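Appendix added by the editor (not part of the deck and not JPCERT/CC's emdivi_string_decryptor.py): a Python reconstruction of the version-dependent string handling from the emdivi_string_decryptor.py slides, implementing XXTEA and the t19/t20 key formula MD5( MD5(base64(ver)) + MD5(key_string) ) and showing that a decoder must run XXTEA decrypt for t17 but XXTEA encrypt for t19/t20, because those generations obfuscate with the decrypt routine. Assumptions: the version string and key_string are placeholders (the real key_string is not on the slides), the inner MD5 digests are concatenated as hex text, strings are packed as little-endian words with NUL padding, and neither the t17 key recovery (Scanf of Inc_Add(ver17_key)) nor the AES variant of t20 is modelled.

```python
import base64
import hashlib
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def _mx(s, y, z, p, e, k):
    # XXTEA mixing term; masking once at the end is sound because + and ^ never carry downwards.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def xxtea_encrypt(words, k):
    """Standard XXTEA (Wheeler/Needham) over a list of at least two 32-bit words."""
    v, n = list(words), len(words)
    s, z = 0, v[-1]
    for _ in range(6 + 52 // n):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            v[p] = (v[p] + _mx(s, v[p + 1], z, p, e, k)) & MASK
            z = v[p]
        v[-1] = (v[-1] + _mx(s, v[0], z, n - 1, e, k)) & MASK
        z = v[-1]
    return v

def xxtea_decrypt(words, k):
    """Inverse of xxtea_encrypt; the two routines undo each other in either order."""
    v, n = list(words), len(words)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            v[p] = (v[p] - _mx(s, y, v[p - 1], p, e, k)) & MASK
            y = v[p]
        v[0] = (v[0] - _mx(s, y, v[-1], 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v

def emdivi_key_t19(version: str, key_string: str) -> list:
    """Key = MD5( MD5(base64(ver)) + MD5(key_string) ) as on the slide. Assumed: the inner
    digests are concatenated as hex text and the result is read as four little-endian words."""
    inner = (hashlib.md5(base64.b64encode(version.encode())).hexdigest()
             + hashlib.md5(key_string.encode()).hexdigest())
    return list(struct.unpack("<4I", hashlib.md5(inner.encode()).digest()))

def to_words(data: bytes) -> list:
    """Pack bytes into little-endian words (assumed layout), NUL-padded to at least two words."""
    data += b"\x00" * ((-len(data)) % 4)
    data += b"\x00" * max(0, 8 - len(data))
    return list(struct.unpack("<%dI" % (len(data) // 4), data))

def obfuscate_string(plain: str, version: int, key: list) -> bytes:
    """How each generation stores its strings per the slide's table: t17 runs XXTEA
    encrypt, t19/t20 run XXTEA *decrypt* (the AES-based t20 variant is not modelled)."""
    routine = xxtea_encrypt if version == 17 else xxtea_decrypt
    words = routine(to_words(plain.encode()), key)
    return struct.pack("<%dI" % len(words), *words)

def decode_string(blob: bytes, version: int, key: list) -> str:
    """The analyst's inverse, mirroring the 'Decrypt' row: decrypt for t17, encrypt for t19/t20."""
    routine = xxtea_decrypt if version == 17 else xxtea_encrypt
    words = routine(list(struct.unpack("<%dI" % (len(blob) // 4), blob)), key)
    return struct.pack("<%dI" % len(words), *words).rstrip(b"\x00").decode("utf-8", "replace")
```

With k = emdivi_key_t19("t19", "<placeholder key string>"), decode_string(obfuscate_string(s, 19, k), 19, k) returns s, while decoding the same blob with version 17 (the wrong XXTEA direction) yields garbage.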