-----

- Invisible Attacks
  - VPN, AD, PtH, PtT
- Invisible Network Traffic
  - Google Drive, Dropbox
- Invisible Malware
  - Task Scheduler, WMI, PowerShell

-----

- As seen from script-based and fileless malware, these threats are increasing dramatically. PowerShell can be embedded in a macro and then into a document file in various forms.
- PowerShell and WMI, both built into Windows, are frequently leveraged in post-exploitation activities, so fileless threats will keep growing.

-----

- The following elegant PowerShell can achieve three things in one line:
  - Detect the architecture (check the size of the IntPtr object type: x86 or x64).
  - Download a binary from a website.
  - Directly run the binary on the fly (using the iex command).
- Invoke-Expression (iex) runs commands or expressions on the local computer.

-----

- The malicious program is self-signed, but the attacker added its certificate to the trusted root chain, so the victim's system will always verify the signature as valid.

-----

- TMPolicy (2).dll is pretending to be msisip.dll
  - PDB path: F:\MyProject\msisip\Release\NvSmartMax.pdb
  - The DLL entry point and all exported APIs do only one thing:
    - WinExec("tmpolicy.dll", 0)
- TMPolicy (1).dll: the original name is tmpolicy.dll
  - TMPolicy (1).dll is actually a PE file (tmpolicy.dll).

-----

- The malware determines whether it is running on the 32-bit or 64-bit Windows version and generates a different payload DLL to bypass security checks.
  - On Windows XP it drops srvlic.dll + a fake file
  - On Windows 7 it drops msTracer.dll + a fake file
  - The fake file is actually the real backdoor module and is usually dropped to the directory:
    - C:\Documents and Settings\All Users\Application Data\Windows CE\
- C2 connections:
  - help.adobeservice.net:80; help.adobeservice.net:8080;
  - assist.adobeservice.net:443; assist.adobeservice.net:1863;

-----

- How does C:\WINDOWS\system32\srvlic.dll get executed?

-----

- One of the svchost.exe instances loads srvsvc.dll, and srvsvc.dll tries to load srvlic.dll when LoadLicensingLibrary() is called.
  - C:\Windows\system32\srvlic.dll (actually, this file does not exist on a clean system)
- The fake srvlic.dll gets loaded through DLL side-loading / path-hijacking tricks.
- When srvlic.dll is loaded, it tries to read the file "fake" and decrypt it as a module file.
- The decrypted fake file is copied to a new memory block, so srvlic.dll cannot be observed in Process Explorer.

-----

- Run TMPolicy.exe
  1. Drop the file C:\ProgramData\temp0 and move it to C:\Users\\AppData\Local\Temp\msTracer.dll
  2. Move C:\Users\\AppData\Local\Temp\msTracer.dll to C:\Windows\system32 (theoretically it cannot be moved to this path; restricted by UAC)
  3. When msTracer.dll is loaded, it tries to read the file "fake" and decrypt it as a module file: C:\ProgramData\Windows CE\fake
  4. Create a batch file to eliminate all files

-----

- SearchIndexer.exe is a Windows service (WSearch); it tries to load msfte.dll when loadTracerDLL is called, and if that fails, it tries to load msTracer.dll.
- SearchProtocolHost.exe has the same vulnerability (DLL side-loading).
- When msTracer.dll is loaded, it tries to read the file "fake" and decrypt it as a module file.

-----

- But TMPolicy.exe cannot move msTracer.dll to system32 because that directory is protected by UAC.
- So, how to place files in system-protected areas without triggering UAC?
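The side-loading chains above (srvsvc.dll looking for a srvlic.dll that does not exist on a clean system, SearchIndexer.exe and SearchProtocolHost.exe falling back from msfte.dll to msTracer.dll) can be audited from a defender's side by checking which requested DLL names are absent from system32 (an open "phantom" slot) or present but not Microsoft-signed. The following Python is an added example, not code from the original slides; the loader/DLL pairs and the "fake" module paths are taken from the slides, while the file-system snapshot and the signer label "Microsoft Windows" are constructed stand-ins for what a real host inventory or Authenticode check would return.

```python
"""Added example (not code from the original slides): audit a host snapshot for
the phantom-DLL side-loading exposure the slides describe. The loader/DLL pairs
come from the slides; the file-system snapshot below is constructed."""
from typing import Dict, List, Optional, Tuple

SYSTEM32 = r"C:\Windows\system32"

# Loader -> DLL names it tries, in order (from the slides). If the first name
# is absent the loader falls through to the next one, so an absent name is a
# "phantom" slot that any file planted in system32 under that name would fill.
SIDELOAD_CHAINS: Dict[str, List[str]] = {
    "svchost.exe -> srvsvc.dll!LoadLicensingLibrary": ["srvlic.dll"],
    "SearchIndexer.exe (WSearch) -> loadTracerDLL": ["msfte.dll", "msTracer.dll"],
    "SearchProtocolHost.exe": ["msfte.dll", "msTracer.dll"],
}

# Locations of the encrypted "fake" module named on the slides (XP and Win7 paths).
FAKE_FILE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\Windows CE\fake",
    r"C:\ProgramData\Windows CE\fake",
]

Snapshot = Dict[str, Optional[str]]  # lower-cased path -> signer (None = unsigned)


def make_snapshot(entries: Dict[str, Optional[str]]) -> Snapshot:
    """Normalise paths to lower case; Windows path lookups are case-insensitive."""
    return {path.lower(): signer for path, signer in entries.items()}


def audit_sideload_exposure(snapshot: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (kind, chain, path) findings.
    kind: 'phantom' - requested DLL absent, planting slot open
          'planted' - DLL present in system32 but not Microsoft-signed
          'payload' - encrypted companion module present"""
    findings = []
    for chain, dll_names in SIDELOAD_CHAINS.items():
        for name in dll_names:
            path = SYSTEM32 + "\\" + name
            if path.lower() not in snapshot:
                findings.append(("phantom", chain, path))
                continue                      # loader tries the next name
            # Constructed signer label; a real check would verify Authenticode.
            if snapshot[path.lower()] != "Microsoft Windows":
                findings.append(("planted", chain, path))
            break                             # loader stops at the first hit
    for path in FAKE_FILE_PATHS:
        if path.lower() in snapshot:
            findings.append(("payload", "companion to side-loaded DLL", path))
    return findings


# Constructed snapshot: srvsvc.dll is genuine, msTracer.dll has been planted
# unsigned, and the encrypted "fake" module sits in the Windows 7 location.
INFECTED_HOST = make_snapshot({
    r"C:\Windows\system32\srvsvc.dll": "Microsoft Windows",
    r"C:\Windows\system32\SearchIndexer.exe": "Microsoft Windows",
    r"C:\Windows\system32\msTracer.dll": None,
    r"C:\ProgramData\Windows CE\fake": None,
})

if __name__ == "__main__":
    for kind, chain, path in audit_sideload_exposure(INFECTED_HOST):
        print(f"[{kind:8}] {chain}: {path}")
```

On the constructed infected host the audit reports three phantom slots (srvlic.dll, plus msfte.dll for both search processes), two planted copies of msTracer.dll and the companion "fake" module; on a clean snapshot every finding is a phantom, which is the baseline a defender should expect and monitor for file creation.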
-----

- Bypass the UAC restrictions:

```
makecab.exe /V1 "C:\Users\\AppData\Local\Temp\msTracer.dll" "C:\Users\\AppData\Local\Temp\msTracer.dll.msu"
wusa.exe /quiet "C:\Users\\AppData\Local\Temp\\msTracer.dll.msu" /extract:C:\Windows\system32
```

-----

- wusa.exe: Windows Update Standalone Installer
- Wusa method, tweaked to work from Windows 7 up to Windows 10 TH1 build 10136

-----

- Each run of TMPolicy.exe generates a different fake file, but after decryption the contents are all the same.
- Fake file content = 4-byte secret key + encrypted content
  - The secret key is generated by the rand() function.

-----

- Secret key: first 4 bytes
- Cipher = ENCRYPT(Plain, Secret_Key)
- Plain = DECRYPT(Cipher, Secret_Key)
- Reduced sequence: 128-byte table

```
reduced_sequence = [
    0x03, 0x05, 0x06, 0x07, 0x0A, 0x0C, 0x0E, 0x13,
    0x14, 0x18, 0x1B, 0x1C, 0x21, 0x25, 0x26, 0x27,
    0x28, 0x29, 0x2B, 0x2D, 0x2F, 0x30, 0x33, 0x35,
    0x36, 0x37, 0x38, 0x3F, 0x41, 0x42, 0x45, 0x47,
    0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x50, 0x52, 0x53,
    0x55, 0x56, 0x57, 0x5A, 0x5B, 0x5D, 0x5E, 0x60,
    0x61, 0x65, 0x66, 0x67, 0x69, 0x6A, 0x6B, 0x6C,
    0x6D, 0x6E, 0x70, 0x73, 0x77, 0x7D, 0x7E, 0x7F,
    0x82, 0x83, 0x84, 0x8A, 0x8E, 0x91, 0x93, 0x94,
    0x95, 0x96, 0x97, 0x98, 0x9A, 0x9B, 0x9C, 0xA0,
    0xA1, 0xA3, 0xA4, 0xA6, 0xA7, 0xAA, 0xAB, 0xAC,
    0xAE, 0xAF, 0xB1, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7,
    0xBA, 0xBC, 0xBF, 0xC0, 0xC2, 0xC9, 0xCA, 0xCB,
    0xCC, 0xCE, 0xD1, 0xD2, 0xD4, 0xD6, 0xD8, 0xD9,
    0xDA, 0xDB, 0xDC, 0xE0, 0xE5, 0xE6, 0xE9, 0xED,
    0xEE, 0xF3, 0xF5, 0xF7, 0xFA, 0xFB, 0xFC, 0xFE,
]
```

-----

- Key schedule:

```
1. Calculate the chosen sequence (4 bytes):
   chosen_sequence[i] = reduced_sequence[secret_key[i] % 128]
2. Build the first secret map (256 bytes):
   first_secret_map = [0, 1, 2, ..., 255]
3. Take chosen_sequence[0] ~ chosen_sequence[3]:
   first_secret_map is rearranged four times, once with each byte of chosen_sequence
4. Build the second secret map (256 bytes):
   second_secret_map[first_secret_map[i]] = i
```

-----

- Encryption (substitution) through second_secret_map; decryption (substitution) through reversed_second_secret_map:

```
encrypted_data[i] = second_secret_map[original_data[i]]
reversed_second_secret_map[second_secret_map[i]] = i
decrypted_data[i] = reversed_second_secret_map[encrypted_data[i]]
```

-----

- 03/11/2014: G DATA SecurityLabs discovered a spyware campaign. Operation TooHash is a targeted cyber attack on companies and organizations. The aim of the attack is to steal sensitive information from the targeted companies, using a "spear-phishing" approach.
- 2013 ~ 2014-01-06:
  - 8d263d5dae035e3d97047171e1cbf841 (102年尾牙、103年春酒精緻菜單.xls, "year-end party (ROC 102) and spring banquet (ROC 103) menu")
  - 7251073c67db6421049ee2baf4f31b62 (李辉简历.doc, "Li Hui résumé")
  - 2ec306ef507402037e9c1eeb81276152 (文件列表.xls, "file list")
  - 6b83319cf336179f2105999fe586242c (Wo.doc)
- C2:
  - *.cnnic-micro.com, *.adobeservice.net, *.intarnetservice.com, etc.

-----

- **Hash Values**
  - 650C58E995A471FA4BE6C49A32F7899B
  - 4DBD68D3741D46170D2585AAE4336B80
- **IP Address**
- **Domain Names**
  - help.adobeservice.net
- **Network/Host Artifacts**
  - En/Decode algorithm, strings
  - Connection protocol, User-Agent
- **Tools**
  - TMPolicy.exe
- **TTPs**
  - Spear-phishing email
  - UAC bypass, wusa.exe
  - Deploy through anti-virus
  - DLL side-loading

-----

- Not able to generate IOCs
- Able to generate IOCs
- Closed threat intelligence

-----
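The fake-file format and the substitution cipher described in the slides above (4-byte key, chosen sequence drawn from the 128-byte reduced sequence, first and second secret maps, byte-wise substitution) can be carried through as an analyst's decryptor. The Python below is an added example and not the slides' or the malware's own code. One step is an assumption: the slides say first_secret_map is "rearranged four times" with the chosen bytes but never show the rearrangement, so `rearrange()` is a labelled placeholder rotation; once the real permutation is recovered from a sample it is the only function that needs replacing. The 4-byte key and the "module" bytes used for the demonstration are constructed.

```python
"""Added example (not the slides' own code): reconstruct the fake-file format
described above and decrypt it. Secret key, chosen sequence, the two maps and
REDUCED_SEQUENCE are as the slides give them. ASSUMPTION: the slides do not
show how first_secret_map is "rearranged" by each chosen byte, so rearrange()
uses a placeholder rotation; swap in the recovered permutation and the rest
of the pipeline stays the same."""
from typing import List, Tuple

REDUCED_SEQUENCE: List[int] = [
    0x03, 0x05, 0x06, 0x07, 0x0A, 0x0C, 0x0E, 0x13,
    0x14, 0x18, 0x1B, 0x1C, 0x21, 0x25, 0x26, 0x27,
    0x28, 0x29, 0x2B, 0x2D, 0x2F, 0x30, 0x33, 0x35,
    0x36, 0x37, 0x38, 0x3F, 0x41, 0x42, 0x45, 0x47,
    0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x50, 0x52, 0x53,
    0x55, 0x56, 0x57, 0x5A, 0x5B, 0x5D, 0x5E, 0x60,
    0x61, 0x65, 0x66, 0x67, 0x69, 0x6A, 0x6B, 0x6C,
    0x6D, 0x6E, 0x70, 0x73, 0x77, 0x7D, 0x7E, 0x7F,
    0x82, 0x83, 0x84, 0x8A, 0x8E, 0x91, 0x93, 0x94,
    0x95, 0x96, 0x97, 0x98, 0x9A, 0x9B, 0x9C, 0xA0,
    0xA1, 0xA3, 0xA4, 0xA6, 0xA7, 0xAA, 0xAB, 0xAC,
    0xAE, 0xAF, 0xB1, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7,
    0xBA, 0xBC, 0xBF, 0xC0, 0xC2, 0xC9, 0xCA, 0xCB,
    0xCC, 0xCE, 0xD1, 0xD2, 0xD4, 0xD6, 0xD8, 0xD9,
    0xDA, 0xDB, 0xDC, 0xE0, 0xE5, 0xE6, 0xE9, 0xED,
    0xEE, 0xF3, 0xF5, 0xF7, 0xFA, 0xFB, 0xFC, 0xFE,
]
assert len(REDUCED_SEQUENCE) == 128


def rearrange(table: List[int], chosen_byte: int) -> List[int]:
    """PLACEHOLDER for the slides' unspecified 'rearrange' step: rotate left."""
    k = chosen_byte % len(table)
    return table[k:] + table[:k]


def build_maps(secret_key: bytes) -> Tuple[List[int], List[int], List[int]]:
    """Return (first_secret_map, second_secret_map, reversed_second_secret_map)."""
    if len(secret_key) != 4:
        raise ValueError("secret key is the first 4 bytes of the fake file")
    chosen_sequence = [REDUCED_SEQUENCE[b % 128] for b in secret_key]
    first = list(range(256))
    for c in chosen_sequence:               # rearranged four times, once per byte
        first = rearrange(first, c)
    second = [0] * 256
    for i, v in enumerate(first):           # second_secret_map[first_secret_map[i]] = i
        second[v] = i
    reversed_second = [0] * 256
    for i, v in enumerate(second):          # reversed[second_secret_map[i]] = i
        reversed_second[v] = i
    return first, second, reversed_second


def decrypt_fake_file(blob: bytes) -> bytes:
    """Fake file = 4-byte key + byte-substituted module."""
    key, cipher = blob[:4], blob[4:]
    _, _, reversed_second = build_maps(key)
    return bytes(reversed_second[b] for b in cipher)


def encrypt_fake_file(plain: bytes, key: bytes) -> bytes:
    """Inverse of decrypt_fake_file; used here only to build test input."""
    _, second, _ = build_maps(key)
    return key + bytes(second[b] for b in plain)


def looks_like_pe(data: bytes) -> bool:
    """A correctly decrypted module starts with the DOS 'MZ' signature."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed stand-in for the dropped module (a real one is a full PE).
    module = b"MZ\x90\x00" + bytes(range(256))
    blob = encrypt_fake_file(module, bytes([0x12, 0x34, 0x56, 0x78]))
    recovered = decrypt_fake_file(blob)
    print("key", blob[:4].hex(), "PE header recovered:", looks_like_pe(recovered))
```

Two points worth noticing for triage: reversed_second_secret_map is, by construction, exactly first_secret_map, so a decryptor only needs the first map; and because the key is stored in clear at the front of the file and the cipher is a fixed per-key byte substitution, the "different fake file on every run" noted on the slides carries the same module underneath. Hashing the decrypted output therefore gives a stable indicator where hashing the dropped file does not, and the "MZ" check is the quickest way to confirm the recovered permutation.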
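Two of the techniques on these slides leave distinctive process-creation records: the PowerShell one-liner (architecture check on the size of IntPtr, download, iex) and the makecab.exe plus wusa.exe /extract sequence used to write msTracer.dll into system32 without a UAC prompt. The following Python is an added example of triage logic over such records; it is not code from the original slides. The event records are constructed (the user name `analyst`, the ellipsised PowerShell body and the benign update example are placeholders), and the field names `parent`, `image` and `command_line` are assumptions standing in for whatever an EDR or Sysmon event 1 export actually provides.

```python
"""Added example (not from the original slides): triage process-creation
records for the two living-off-the-land patterns the slides describe, the
PowerShell arch-check/download/iex one-liner and makecab + wusa.exe /extract.
Event records are constructed; 'analyst' is a placeholder user name."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    parent: str
    image: str
    command_line: str


# PowerShell indicators; any two together make a download-and-execute pattern.
PS_INDICATORS = {
    "arch-check": re.compile(r"\[IntPtr\]::Size", re.I),
    "download": re.compile(r"DownloadFile|DownloadString|Net\.WebClient|Invoke-WebRequest", re.I),
    "exec": re.compile(r"\biex\b|Invoke-Expression", re.I),
}
WUSA_EXTRACT = re.compile(r"/extract:(\S+)", re.I)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event matches a pattern, else None."""
    image = event.image.lower().rsplit("\\", 1)[-1]
    cmd = event.command_line
    if image == "powershell.exe":
        hits = [name for name, rx in PS_INDICATORS.items() if rx.search(cmd)]
        if len(hits) >= 2:
            return "PowerShell download-and-execute pattern: " + ", ".join(hits)
    elif image == "makecab.exe":
        # makecab normally emits .cab; a .msu output is staging for wusa /extract.
        if re.search(r'\.msu"?\s*$', cmd, re.I):
            return "makecab.exe wrapping a file as .msu"
    elif image == "wusa.exe":
        m = WUSA_EXTRACT.search(cmd)
        if m:
            target = m.group(1).strip('"')
            where = "protected system directory" if "\\windows\\" in target.lower() else target
            source = "user temp" if USER_TEMP.search(cmd) else "other location"
            return f"wusa.exe /extract into {where} from {source} .msu"
    return None


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (image, parent, reason) for every event that matches a pattern."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason:
            alerts.append((event.image, event.parent, reason))
    return alerts


# Constructed records: three from the behaviour on the slides, two benign.
SAMPLE_EVENTS = [
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 'powershell -nop -w hidden -c "if([IntPtr]::Size -eq 8){...}; '
                 '(New-Object Net.WebClient).DownloadFile(...); iex ..."'),
    ProcessEvent("TMPolicy.exe", "makecab.exe",
                 r'makecab.exe /V1 "C:\Users\analyst\AppData\Local\Temp\msTracer.dll" '
                 r'"C:\Users\analyst\AppData\Local\Temp\msTracer.dll.msu"'),
    ProcessEvent("TMPolicy.exe", "wusa.exe",
                 r'wusa.exe /quiet "C:\Users\analyst\AppData\Local\Temp\msTracer.dll.msu" '
                 r'/extract:C:\Windows\system32'),
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -c "Get-Process | Sort-Object CPU -Descending"'),
    ProcessEvent("svchost.exe", "wusa.exe",
                 r'wusa.exe "C:\Windows\SoftwareDistribution\Download\update.msu" /quiet /norestart'),
]

if __name__ == "__main__":
    for image, parent, reason in triage(SAMPLE_EVENTS):
        print(f"{parent} -> {image}: {reason}")
```

The parent process is kept in the output on purpose: an Office application spawning powershell.exe, or an unsigned installer such as TMPolicy.exe spawning makecab.exe and then wusa.exe, is what turns each single match into a confident finding, while a normal wusa.exe run without /extract from the update cache does not fire.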