# Abusing third-party cloud services in targeted attacks

Daniel Lunghi (@thehellu), Jaromir Horejsi (@JaromirHorejsi)

-----
## Outline

• Introduction
• General comparison of two malware infrastructures
  • Custom
  • Cloud based
• Selected APT cases
  • Presentation of the malware operation
  • Advantages and disadvantages from an attacker perspective
• Conclusion

-----
## Introduction

• Cloud service abuse is not something new
  • “C&C-as-a-Service” presentation at VB in 2015
• This talk focuses on cloud abuse in the context of targeted attacks that we investigated
• Goals:
  • Show different real implementations of cloud abuse
  • Find out how, as defenders, we can leverage this setup to our advantage

-----
## Custom malware infrastructure

• Developed and maintained by the threat actor
• Costly
  • Domain name(s), server hosting, data storage, bandwidth …
• Time consuming
  • Design, implementation and testing of the communication protocol
  • Installation and maintenance of the C&C server(s)

-----
## Custom malware infrastructure

• Disadvantages
  • Easier to monitor/block/sinkhole/seize
  • Higher probability of flaws in the communication protocol
  • Difficult to assess reliability under real conditions
• Advantage
  • You can implement whatever funny idea you like

-----
## Cloud malware infrastructure

• Advantages
  • Developed, maintained and operated by a knowledgeable third party
  • Cheaper (often free)
  • Documented API
  • Higher reliability
  • Harder to block/monitor/seize
• Disadvantage
  • Constrained by the features the cloud service provides

-----
# Selected APT cases

-----
## Patchwork

(map: known targeted countries)

-----
## Patchwork Badnews

• “Badnews” backdoor
  • A mix of both alternatives (cloud-hosted and custom infrastructure)
  (flow diagram; step 3: Connect to C&C)
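The Badnews slides that follow describe C&C URLs stored with a one-byte “sub 0x01” encoding. The Python below is an added example (not code from the Badnews sample or from the presenters) that scans a binary blob for such strings; because the slide says only “sub 0x01” without stating whether the stored byte is the original minus one or the decoder subtracts one, it tries both directions. The sample blob, its placeholder addresses (RFC 5737/6761 ranges) and the accepted URL alphabet are constructed for the demonstration.

```python
"""Scan a binary for URL strings stored with a one-byte shift, the "sub 0x01"
encoding the slides attribute to Badnews' hardcoded C&C addresses.

Added example, not code from the Badnews sample or the presenters.  Both shift
directions are tried because the slide does not say which side subtracts.
The sample blob is constructed with RFC 5737/6761 placeholder addresses."""
import re
from typing import List, Tuple

# Bytes accepted inside a recovered URL (assumption: the usual URL alphabet).
URL_CHARS = set(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    b"-._~:/?#[]@!$&'()*+,;=%"
)


def shift(data: bytes, delta: int) -> bytes:
    """Add delta to every byte, modulo 256 (delta=+1 undoes a "sub 0x01" store)."""
    return bytes((b + delta) & 0xFF for b in data)


def find_shifted_urls(blob: bytes, deltas=(1, -1), min_len: int = 8) -> List[Tuple[int, int, str]]:
    """Return (offset, delta, url) for every run of bytes that becomes a URL
    once shifted by delta.  The anchor is the stored form of "http"; the run
    is then extended forward while the shifted byte stays in URL_CHARS."""
    hits = []
    for delta in deltas:
        anchor = shift(b"http", -delta)  # what "http" looks like once stored
        for m in re.finditer(re.escape(anchor), blob):
            start = end = m.start()
            while end < len(blob) and ((blob[end] + delta) & 0xFF) in URL_CHARS:
                end += 1
            url = shift(blob[start:end], delta).decode("ascii")
            if len(url) >= min_len:
                hits.append((start, delta, url))
    return sorted(hits)


# Constructed sample: one URL stored as byte-1, one stored as byte+1, and a
# plain (unencoded) URL that must not be reported by either pass.
SAMPLE_BLOB = (
    b"\x00\x11MZ junk "
    + shift(b"http://192.0.2.10/c2.php", -1)
    + b"\x00\x00plain http://example.invalid/\x00"
    + shift(b"https://c2.example.net/u.php?id=7", +1)
    + b"\xff\xfe"
)

if __name__ == "__main__":
    for offset, delta, url in find_shifted_urls(SAMPLE_BLOB):
        print(f"{offset:#06x} delta={delta:+d} {url}")
```

Anchoring on the stored form of “http” rather than decoding the whole file keeps false positives low: a plain-text URL never matches either anchor, and junk bytes stop the run as soon as one of them leaves the URL alphabet.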
-----
## Patchwork Badnews

• Hardcoded and encoded (sub 0x01) URL addresses

-----
## Patchwork Badnews

• Examples of encoded configuration

-----
## Patchwork Badnews

• Encryption uses XOR & ROL
• Versions after November 2017 added a layer of Blowfish encryption
• The C&C is usually a PHP script hosted on a web server without a domain name (reached by IP address)

-----
## Patchwork Badnews

• 185.29.11.59
• rp3f.strangled.net

-----
## Confucius

(map: known targeted countries)

-----
## Confucius Swissknife

• “Swissknife” stealer
  • Uses the Dropbox API to upload documents with selected extensions (.pdf, .doc, .docx, .ppt, .pptx, .xls and .xlsx)

-----
## Confucius Swissknife

• API key in decompiled code

-----
## Confucius Swissknife

• File downloader in Python using the Dropbox API

-----
## Confucius Swissknife

• Enumerating the deleted files

-----
## Confucius Swissknife

• Enumerating the deleted folders

-----
## Confucius pCloud

• “pCloud” stealer
  • Uses the pCloud API to upload documents with selected extensions (.pdf, .doc, .docx, .ppt, .pptx, .xls and .xlsx)

-----
## Confucius pCloud

• Using the pCloud API to list files

-----
## Confucius pCloud

• Content from the attacker’s machine

-----
## Confucius TweetyChat

• “TweetyChat”, backdoored Android chat application
  (flow diagram) 1. Register to C&C; 2. Send commands (awsAccessKey/awsSecretKey: update AWS credentials); 3. Upload stolen files: SMS, contacts, call logs
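The Swissknife slides above show the presenters reusing the API key found in the decompiled stealer to list the Dropbox account, deleted files and folders included. As an added example (not the presenters' script), the Python below does that walk against the Dropbox HTTP API v2 endpoints files/list_folder and files/list_folder/continue with include_deleted set, follows the cursor across pages, and filters for the document extensions the stealer collects. The transport is injected so the block runs offline against a constructed two-page response; the file names and cursors in it are made up.

```python
"""Enumerate a Dropbox folder, deleted entries included, with a token
recovered from a stealer sample, as the Swissknife slides show the presenters
doing.  Added example, not the presenters' script.  Endpoint names and JSON
shapes are those of Dropbox HTTP API v2 (files/list_folder and
files/list_folder/continue); the transport is injected so the block runs
offline against a constructed two-page response."""
import json
import urllib.request
from typing import Callable, Dict, List

DROPBOX_API = "https://api.dropboxapi.com/2/"
# Extensions the Swissknife and pCloud stealers collect, per the slides.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx")

Transport = Callable[[str, dict], dict]


def http_transport(token: str) -> Transport:
    """Real transport: POST a JSON body to the API with a bearer token."""
    def post(endpoint: str, body: dict) -> dict:
        req = urllib.request.Request(
            DROPBOX_API + endpoint,
            data=json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def walk_folder(post: Transport, path: str = "") -> Dict[str, List[dict]]:
    """List everything under `path` (Dropbox wants "" for the root, not "/"),
    follow the cursor until has_more is false, and bucket entries by ".tag"
    (file, folder or deleted)."""
    buckets: Dict[str, List[dict]] = {"file": [], "folder": [], "deleted": []}
    page = post("files/list_folder",
                {"path": path, "recursive": True, "include_deleted": True})
    while True:
        for entry in page["entries"]:
            buckets.setdefault(entry[".tag"], []).append(entry)
        if not page.get("has_more"):
            return buckets
        page = post("files/list_folder/continue", {"cursor": page["cursor"]})


def document_paths(buckets: Dict[str, List[dict]], tags=("file", "deleted")) -> List[str]:
    """Paths of stolen documents, present or already deleted by the operator."""
    return sorted(e["path_lower"] for t in tags for e in buckets.get(t, [])
                  if e["path_lower"].endswith(DOC_EXTENSIONS))


# Constructed two-page response in the shape Dropbox returns.
FAKE_PAGES = [
    {"entries": [
        {".tag": "folder", "name": "WS-01", "path_lower": "/ws-01", "path_display": "/WS-01"},
        {".tag": "file", "name": "budget.xlsx", "path_lower": "/ws-01/budget.xlsx",
         "path_display": "/WS-01/budget.xlsx", "size": 20480,
         "client_modified": "2019-07-01T08:00:00Z"},
    ], "cursor": "cursor-1", "has_more": True},
    {"entries": [
        {".tag": "deleted", "name": "memo.docx", "path_lower": "/ws-01/memo.docx",
         "path_display": "/WS-01/memo.docx"},
        {".tag": "file", "name": "uploader.py", "path_lower": "/tools/uploader.py",
         "path_display": "/tools/uploader.py", "size": 1337},
    ], "cursor": "cursor-2", "has_more": False},
]


def fake_transport(pages: List[dict]) -> Transport:
    """Offline stand-in for http_transport that serves FAKE_PAGES in cursor order."""
    calls: List[tuple] = []
    def post(endpoint: str, body: dict) -> dict:
        calls.append((endpoint, body))
        if endpoint == "files/list_folder":
            return pages[0]
        if endpoint != "files/list_folder/continue":
            raise ValueError("unexpected endpoint " + endpoint)
        return pages[[p["cursor"] for p in pages].index(body["cursor"]) + 1]
    post.calls = calls  # recorded so callers can check pagination happened
    return post


if __name__ == "__main__":
    found = walk_folder(fake_transport(FAKE_PAGES))
    print("documents:", document_paths(found))
```

Two caveats for real use: a deleted entry only tells you the path, and to get its content back you still need its revision (files/list_revisions) and a download or restore by rev; and listing with include_deleted is read-only, which is the point for a defender who must not alter evidence in the operator's account.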
-----
## Confucius TweetyChat

• awsAccessKey and awsSecretKey are not hardcoded
• AWS keys are updated through the Google Cloud Messaging platform (Firebase Cloud Messaging in newer versions)

-----
## Confucius TweetyChat

• Google Cloud Messaging / Firebase message receiver
• Calls PutObjectRequest to “upload a new object to the specified Amazon S3 bucket”

-----
## Confucius TweetyChat

• As usual, operators test the malware on their own devices…

-----
## MuddyWater

(map: known targeted countries)

-----
## MuddyWater CloudSTATS

• “CloudSTATS” backdoor
  (flow diagram) 1. Register: put “.reg” file; 2. Send command: put “.cmd” file; 3. Read command; 4. Send command results: put encoded “.res” file

-----
## MuddyWater CloudSTATS

• Hardcoded API keys
  • Check existing folder/victim

-----
## MuddyWater CloudSTATS

• Asynchronous C&C communication
• Files with extensions cmd, reg, prc, res

-----
## MuddyWater CloudSTATS

• .reg file
• .res file

-----
## MuddyWater Telegram

• Android mobile app, Telegram exfiltration
  (flow diagram) 1. Register to C&C; 2. Send commands (BotID & ChatID); 3. Upload stolen information
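The CloudSTATS slides above describe an asynchronous C&C built entirely on file drops: a .reg file to register, a .cmd file for tasking, an encoded .res file for results. The Python below is an added simulation of that exchange with both sides present (not MuddyWater's code): an in-memory dict stands in for the cloud provider's API, and the per-victim folder layout, base64 as the .res encoding and the fake command table are assumptions; the .prc extension the slides list is not explained there and is not modeled.

```python
"""Simulation of the CloudSTATS file-drop C&C loop drawn on the slides:
the implant registers with a .reg file, the operator drops a .cmd file, the
implant reads it and answers with an encoded .res file.

Added example, not MuddyWater's code.  The cloud storage is an in-memory dict
standing in for the real provider's API; the per-victim folder layout, base64
as the .res encoding, and the command execution stub are assumptions (the
slides name a .prc extension too but do not explain it, so it is not modeled).
"""
import base64
import json
import platform
from typing import Callable, Dict, List, Optional


class CloudFolder:
    """Minimal stand-in for a cloud storage API: put/get/list/delete by path."""
    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
    def put(self, path: str, data: bytes) -> None:
        self.blobs[path] = data
    def get(self, path: str) -> Optional[bytes]:
        return self.blobs.get(path)
    def delete(self, path: str) -> None:
        self.blobs.pop(path, None)
    def list(self, prefix: str = "") -> List[str]:
        return sorted(p for p in self.blobs if p.startswith(prefix))


class Implant:
    """Victim side: hardcoded storage credentials, one folder per victim."""
    def __init__(self, cloud: CloudFolder, victim_id: str, run: Callable[[str], str]):
        self.cloud, self.vid, self.run = cloud, victim_id, run
    def _path(self, ext: str) -> str:
        return f"{self.vid}/{self.vid}.{ext}"
    def registered(self) -> bool:
        # "Check existing folder/victim": a .reg file already present means
        # this host was seen before.
        return self.cloud.get(self._path("reg")) is not None
    def register(self) -> None:
        # Step 1: put the .reg file carrying basic host information.
        if not self.registered():
            info = {"id": self.vid, "os": platform.system()}
            self.cloud.put(self._path("reg"), json.dumps(info).encode())
    def poll(self) -> bool:
        # Step 3: look for a .cmd file; nothing there means no new tasking.
        cmd = self.cloud.get(self._path("cmd"))
        if cmd is None:
            return False
        output = self.run(cmd.decode())
        # Step 4: put the encoded .res file and consume the .cmd file.
        self.cloud.put(self._path("res"), base64.b64encode(output.encode()))
        self.cloud.delete(self._path("cmd"))
        return True


class Operator:
    """Operator side; a defender holding the same keys can run victims() and
    read_result() read-only to enumerate infections and recover results."""
    def __init__(self, cloud: CloudFolder):
        self.cloud = cloud
    def victims(self) -> List[str]:
        return sorted({p.split("/")[0] for p in self.cloud.list() if p.endswith(".reg")})
    def send_command(self, victim: str, command: str) -> None:
        # Step 2: put the .cmd file in the victim's folder.
        self.cloud.put(f"{victim}/{victim}.cmd", command.encode())
    def read_result(self, victim: str) -> Optional[str]:
        blob = self.cloud.get(f"{victim}/{victim}.res")
        return None if blob is None else base64.b64decode(blob).decode()


# Constructed stand-in for command execution: a table instead of a real shell.
FAKE_SHELL = {"whoami": "ws-01\\user", "hostname": "WS-01"}

def fake_run(command: str) -> str:
    return FAKE_SHELL.get(command, f"'{command}' is not recognized")


def demo() -> Dict[str, object]:
    """One full round trip; returns the observable state for inspection."""
    cloud = CloudFolder()
    implant = Implant(cloud, "WS-01", fake_run)
    implant.register()
    operator = Operator(cloud)
    idle = implant.poll()                      # no .cmd yet
    operator.send_command("WS-01", "whoami")
    worked = implant.poll()
    return {"victims": operator.victims(), "idle": idle, "worked": worked,
            "result": operator.read_result("WS-01"), "files": cloud.list()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because neither side ever talks to the other directly, the only network artefact on the victim is ordinary traffic to the storage provider, which is what makes this design hard to block; the flip side, visible in Operator.victims(), is that anyone holding the hardcoded keys can list every .reg file and therefore every infected host.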
-----
## MuddyWater Telegram

• com.telegram.readto.client.ProcessCommand

-----
## MuddyWater Telegram

• Timer sending all data once a day
• Code for exfiltrating all system information

-----
## MuddyWater Telegram

• Metadata of the Telegram account

-----
## SLUB

(map: country of interest)

-----
## SLUB v1

(flow diagram) HTTPS request; send stolen files

-----
## SLUB v1

• Malware delivered via watering-hole attacks on websites related to North Korea
• Reads a gist snippet for commands to execute
• ^ and $ encapsulate active commands

-----
## SLUB v1/v2

• Hardcoded Slack token
• Slack token’s OAuth scopes

-----
## SLUB v1/v2

• Exfiltration via file.io, link sent to Slack

-----
## SLUB v2

• Newer version from July 2019
  • GitHub is not used anymore
  • The operator creates a Slack workspace
  • A separate channel named - is created in the workspace for each infected machine
  • Commands to execute are sent via messages pinned to the victim-specific channel
  • The victim machine reads the pinned messages from its dedicated channel, parses the message and executes the requested command

-----
## SLUB v2

(flow diagram) HTTP request: check for new Slack token

-----
## SLUB v2

• Configuration update
• New token between the HELLO^, WHAT^ and !!! tokens
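The SLUB slides above describe two control formats: the v1 gist in which ^ and $ mark active commands, and the v2 configuration update in which a new Slack token sits between the HELLO^, WHAT^ and !!! markers. The Python below is an added example (not SLUB's code) implementing both parsers; the sample gist and update page are constructed, and because the slides do not say which marked segment carries the token, picking the segment shaped like a Slack token (xox?- prefix) is an assumption.

```python
"""Parsers for the two SLUB control formats named on the slides: the v1 gist
in which only text wrapped as ^command$ is active, and the v2 configuration
update in which a new Slack token sits between the HELLO^, WHAT^ and !!!
markers.  Added example, not SLUB's code; the sample gist and update page are
constructed.  Which of the two marked segments carries the token is not
stated on the slides, so the block returns both and picks the one shaped like
a Slack token (xox?-... prefix), an assumption."""
import re
from typing import List, Optional, Tuple

# The backdoor's delimiters are literal ^ and $, so they must be escaped;
# re.S lets a command span lines.
ACTIVE_CMD = re.compile(r"\^(.*?)\$", re.S)
TOKEN_UPDATE = re.compile(r"HELLO\^(.*?)WHAT\^(.*?)!!!", re.S)
SLACK_TOKEN = re.compile(r"xox[a-z]-[A-Za-z0-9-]+")


def active_commands(gist_text: str) -> List[str]:
    """SLUB v1: commands the operator has activated by wrapping them in ^...$;
    everything else in the gist (notes, disabled commands) is ignored, which
    is why gist revisions show commands being switched on and off."""
    return [m.group(1).strip() for m in ACTIVE_CMD.finditer(gist_text)]


def parse_token_update(page: str) -> Optional[Tuple[str, str]]:
    """SLUB v2: segments between HELLO^ and WHAT^, and between WHAT^ and !!!."""
    m = TOKEN_UPDATE.search(page)
    return None if m is None else (m.group(1).strip(), m.group(2).strip())


def new_slack_token(page: str) -> Optional[str]:
    """The segment that looks like a Slack token, or None if the page carries
    no valid update (the implant would then keep its current token)."""
    parts = parse_token_update(page)
    if parts is None:
        return None
    for segment in parts:
        if SLACK_TOKEN.fullmatch(segment):
            return segment
    return None


# Constructed gist: two active commands, one disabled by removing its markers.
SAMPLE_GIST = """notes for the week
^dir C:\\Users\\*$
screenshot
^exec cmd.exe /c whoami$
"""

# Constructed configuration update page with a placeholder token.
SAMPLE_UPDATE = "<html>HELLO^workspace-2 WHAT^xoxp-000000-111111-placeholder!!!</html>"

if __name__ == "__main__":
    print(active_commands(SAMPLE_GIST))
    print(new_slack_token(SAMPLE_UPDATE))
```

Once the token is in hand, the same Slack API the implant uses (auth.test for the token's scopes, then the channel and pinned-message calls) lets a defender see every victim channel in the workspace, which is what the “Using Slack API in Python” slide shows.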
-----
## SLUB v1

• Gist revisions show activation of specific commands

-----
## SLUB v1/v2

• Using the Slack API in Python

-----
## SLUB v2

• File & exec operations

-----
## SLUB v1/v2

• Screenshot upload
• Screenshot download (using the API key and the path to the file)

-----
# Conclusion

-----
## Conclusion

• Abusing cloud service providers is a worldwide trend
• Such services can be used for different purposes:
  • To store a reference used by the malware (C&C address …)
  • To store the stolen data
  • To store all the commands and data
• This behavior brings benefits not only to the attackers but also to the defenders, and without the need to “hack back”: the API keys and tokens embedded in the malware give defenders the same view of the operator’s storage, deleted files included

-----
## References

• Patchwork: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
• Confucius: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/
• MuddyWater: https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/
• MuddyWater: https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/
• Slub v1: https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/
• Slub v2: https://blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-