## Visiting The Bear Den

###### A Journey in the Land of (Cyber-)Espionage

##### Joan Calvet, Jessy Campos, Thomas Dupuy

-----

## Sednit Group

• Also known as APT28, Fancy Bear, Sofacy, STRONTIUM, Tsar Team
• Group of attackers conducting targeted attacks since 2006
• Mainly interested in geopolitics

-----

## Plan

• Context
• The Week Serge Met The Bear
• The Mysterious DOWNDELPH
• Speculative Mumblings

-----

###### What kind of group is Sednit?

### CONTEXT

-----

## Who Is The Bear After? (1)

• We found a list of targets for Sednit phishing campaigns:
  – Operators used Bitly and "forgot" to set their profile private (a feature since removed by Bitly)
  – Around 4,000 shortened URLs over 6 months in 2015

-----

## Who Is The Bear After? (2)

One of the phishing URLs from that list. The host mimics a Google login URL, and the query parameters are base64-encoded:

```
http://login.accoounts-google.com/url/?continue=cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0YW4rRW1iYXNzeStLeWl2&tel=1
```

• `continue` decodes to the targeted mailbox: parepkyiv@gmail.com
• `df` decodes to a description of the target: Pakistan+Embassy+Kyiv

-----
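Decoding the target identity from such URLs by hand works for one link, not for 4,000. The script below is an added example, not tooling from the presentation: it relies only on what the slide shows (the `continue` parameter carries the base64-encoded mailbox, `df` a base64-encoded description with spaces written as `+`), and the bulk helper plus the extra sample URLs (a stripped-padding variant with a made-up target, and an unrelated link) are constructed for the example.

```python
"""Recover the target identity embedded in Sednit phishing URLs such as the
one on the slide above. Added example, not the authors' tooling.

It relies only on what the slide shows: the `continue` parameter carries
the base64-encoded target mailbox and `df` a base64-encoded description in
which spaces are written as '+'. The bulk helper and the extra sample URLs
are constructed for this example.
"""
import base64
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# The URL from the slide.
SAMPLE_URL = ("http://login.accoounts-google.com/url/?continue="
              "cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0YW4rRW1iYXNzeStLeWl2&tel=1")

# Constructed inputs for the bulk case: the slide's URL, one whose base64
# padding was stripped (made-up target), and an unrelated link to skip.
SAMPLE_URLS: List[str] = [
    SAMPLE_URL,
    "http://login.accoounts-google.com/url/?continue=dGFyZ2V0QGV4YW1wbGUuaW52YWxpZA&df=VGVzdCtPcmc",
    "http://example.invalid/news?id=42",
]


def _raw_query_params(query: str) -> Dict[str, str]:
    """Split the query string without decoding the values: parse_qs would
    turn '+' into a space, and '+' is a legitimate base64 character."""
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name and name not in params:
            params[name] = value
    return params


def _b64decode_lenient(value: str) -> str:
    """Decode base64 whose '=' padding may have been stripped in transit."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def decode_phishing_url(url: str) -> Dict[str, Optional[str]]:
    """Return the phishing host plus the decoded mailbox and description
    (None for a parameter that is absent)."""
    parts = urlsplit(url)
    params = _raw_query_params(parts.query)
    mailbox = _b64decode_lenient(params["continue"]) if "continue" in params else None
    # '+' in the decoded description stands for a space.
    description = unquote_plus(_b64decode_lenient(params["df"])) if "df" in params else None
    return {"host": parts.hostname, "mailbox": mailbox, "description": description}


def extract_targets(urls: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Bulk version for a dump of shortener URLs: one (mailbox, description)
    per URL that carries a decodable `continue`; anything else is skipped."""
    targets = []
    for url in urls:
        try:
            info = decode_phishing_url(url)
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            continue
        if info["mailbox"]:
            targets.append((info["mailbox"], info["description"]))
    return targets
```

The query string is split by hand on purpose: `urllib.parse.parse_qs` rewrites `+` as a space before you see the value, which silently corrupts any base64 blob that happens to contain a `+`.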
## Who Is The Bear After? (3)

• Embassies and ministries of more than 40 countries
• NATO and EU institutions
• A "who's who" of individuals involved in Eastern European politics:
  – Politicians
  – Activists
  – Journalists
  – Academics
  – Military personnel
  – …

-----

## The Bear Has Money

• A bag full of 0-day exploits, all used between April and October 2015:
  – CVE-2015-3043 (Adobe Flash)
  – CVE-2015-1701 (Windows local privilege escalation)
  – CVE-2015-2424 (Microsoft Office RCE)
  – CVE-2015-2590 (Java)
  – CVE-2015-4902 (Java click-to-play bypass)
  – CVE-2015-7645 (Adobe Flash)

-----

## The Bear Can Code

• Tens of custom-made software components used since 2006:
  – Droppers
  – Downloaders
  – Reconnaissance tools
  – Long-term spying backdoors
  – Encryption proxy tool
  – USB C&C channel
  – Many helper tools
  – …

-----

## Disclaimers

• Over the last two years we tracked Sednit closely, but of course our visibility is not exhaustive
• How do we know it is ONE group?
  – We don't
  – Our Sednit "definition" is based on their toolkit and the related infrastructure
• We do not do attribution (but we point out hints that may be used for that)

-----

### THE WEEK SERGE MET THE BEAR

-----

## Who Is Serge?
• Code name for an imaginary Sednit target
• Serge is a government employee with access to sensitive information
• The chain of events in Serge's attack matches several real cases we investigated
• We use it as a textbook case to present (a part of) the Sednit toolkit

-----

# Monday, 9:30AM

-----

## Serge Opens an Email

-----

## Legitimate URL Mimicking

(Screenshots of phishing URLs built to look like legitimate ones.)

-----

## Serge clicks on the URL, and…

-----

## …Serge Meets SEDKIT

• Exploit kit for targeted attacks
• Entry-point URLs mimic legitimate URLs
• Usually propagated by targeted phishing emails (also seen with a hacked website + iframe)
• Period of activity: September 2014 – now

-----

## Reconnaissance Report Building

(Screenshots of SEDKIT building its reconnaissance report on the visitor.)

-----

## Crawling Sedkit

-----

## Serge is selected to be exploited…

-----

## … and Visits Sednit Exploits Factory

|Vulnerability|Targeted application|Note|
|---|---|---|
|CVE-2013-1347|Internet Explorer 8||
|CVE-2013-3897|Internet Explorer 8||
|CVE-2014-1510 + CVE-2014-1511|Firefox||
|CVE-2014-1776|Internet Explorer 11||
|CVE-2014-6332|Internet Explorer|Several versions|
|N/A|MacKeeper||
|CVE-2015-2590 + CVE-2015-4902|Java|0-day*|
|CVE-2015-3043|Adobe Flash|0-day*|
|CVE-2015-5119|Adobe Flash|Hacking Team gift|
|CVE-2015-7645|Adobe Flash|0-day*|
-----

## Revamping CVE-2014-6332 (a.k.a. the IE "Unicorn bug")

• October 2015:
  – Re-use of the public PoC to disable VBScript "SafeMode"
  – Next-stage binary downloaded by PowerShell
• February 2016:
  – No more "SafeMode" disabling: direct ROP-based shellcode execution
  – Around 400 lines of VBScript, mostly custom

-----

## VBScript Framework

• Functions:
  – addToROP()
  – getROPstringAddress()
  – Code_section_explorer_7()
  – Code_section_explorer_XP()
  – getNeddedAddresses()
  – addrToHex()
  – …

Have you seen this anywhere before? (We haven't.)

-----

## Exploit downloads a payload and…

-----

## Serge Meets SEDUPLOADER (a.k.a. JHUHUGIT, JKEYSKW)
• Downloaded by SEDKIT
• Two binaries: the dropper and its embedded payload
• Deployed as a first-stage component
• Period of activity: March 2015 – now

-----

## SEDUPLOADER Dropper: Workflow

Anti-analysis → Payload dropping → Escalating privileges → Payload persistence

• Escalating privileges, two exploits:
  – CVE-2015-1701 (0-day)
  – CVE-2015-2387
• Payload persistence, several methods:
  – Windows COM object hijacking (technique also used by Win32/COMpfun)
  – Shell Icon Overlay COM object
  – UserInitMprLogonScript registry key
  – JavaScript code executed within rundll32.exe (technique also used by Win32/Poweliks)
  – Scheduled tasks, Windows service, …

-----

## SEDUPLOADER Payload: Workflow

Network link establishment → First-stage report → Parsing C&C orders

• Network link establishment: direct connection to the C&C server, or via proxy, until the C&C is reached successfully
-----

## East Side Story

(Slide shows printf-style debugging output left in the code.)

-----

## Chain of Events

• Monday 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER

-----

# Monday, 10:00AM

-----

## …Serge Meets SEDRECO

• Downloaded by SEDUPLOADER
• Backdoor with the ability to load external plugins
• Usually deployed as a second-stage backdoor to spy on the infected computer
• Period of activity: 2012 – now

-----

## Dropper

• Drops an encrypted configuration:
  – in a file ("msd")
  – in the Windows Registry
• The payload itself carries no configuration

-----

## Configuration Overview

The slide highlights two parts of the encrypted blob: the XOR key and the field sizes.

Decrypted configuration:

```
('600000', '600000', 'SERGE-PC…', 'kenlynton.com',
 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1',
 'updmanager.com', '', '', '', '', '', '', '', '', '', '')
```

• '600000', '10000': various timeouts
• 'SERGE-PC…': computer name
• 'kenlynton.com', 'softwaresupportsv.com', 'updmanager.com': C&C servers
• 'mtcf': operation name
• '1': keylogger enabled
-----

## Payload

(Image slides, no surviving text.)

-----

## Extending The Core

• Plugins are DLLs loaded in the same address space as the core
• Plugins receive arguments from the core (the slide shows the argument structure)
• Extending The Core (2): screenshot of a new command

-----

## Chain of Events

• Monday 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• Monday 10:00AM: SEDRECO deployment
-----

# Monday, 2:00PM

-----

## Serge Meets XAGENT (a.k.a. SPLM, CHOPSTICK)

• Downloaded by SEDUPLOADER
• Modular backdoor developed in C++, with Windows, Linux and iOS versions
• Deployed in most Sednit operations, usually after the reconnaissance phase
• Period of activity: November 2012 – now

-----

## Linux XAGENT

• Compiled in July 2015
• ~18,000 lines of code in 59 classes
• Derives from the Windows version
• XAGENT major version 2, but matches the logic of the currently distributed binaries (version 3)

-----

## Such Comments

(Slide shows a heavily commented XAGENT source listing: that's a lot of comments.)

-----

## Communication Workflow

On the infected computer, the XAGENT modules (FSModule, Keylogger, RemoteShell) exchange unencrypted messages with the AgentKernel. `AgentKernel::run()` translates messages from the modules for the C&C server, and messages from the C&C server for the modules. The Channel Controller then carries the encrypted messages over the channel (HTTP or emails) to the C&C server, whose side mirrors the same structure (Channel Controller, AgentKernel, modules).
-----

## Emails Channel (1): Workflow

XAGENT's MailChannel uses two mailboxes (on the slide, exfil@gmail.com and orders@gmail.com):

1. The infected computer sends its messages to exfil@gmail.com over SMTPS.
2. The C&C server retrieves them from exfil@gmail.com over POP3S.
3. The C&C server sends its orders to orders@gmail.com over SMTPS.
4. The infected computer retrieves the orders from orders@gmail.com over POP3S.

An email-based C&C protocol needs to provide:
1. A way to distinguish C&C emails from unrelated emails
2. A way to bypass spam filters
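Requirement 1 is what the P2Scheme header described on the following Email Channel (2) slides provides. The script below is an added example, not code from the presentation or from XAGENT: it builds such a header on the implant side and checks it on the C&C side, following the slide's layout (16 bytes, base64-encoded: KEY at offsets 0–5, SUBJ_TOKEN ^ KEY at 5–12, XAGENT_ID ^ KEY at 12–16). Everything the slide leaves open is an assumption here: the 5-byte KEY is cycled over the longer fields, a fresh random KEY is drawn per message, and the SUBJ_TOKEN and XAGENT_ID values are made up.

```python
"""Build and check the P2Scheme ("Level 2 Protocol") header that XAGENT's
email channel uses to tell its own messages apart from unrelated mail.

Added example; not code from the presentation or from XAGENT. The byte
layout is the one on the Email Channel (2) slides: 16 bytes, base64-encoded,
KEY at [0:5], SUBJ_TOKEN ^ KEY at [5:12], XAGENT_ID ^ KEY at [12:16].
Assumptions beyond the slides: the 5-byte KEY is cycled over the longer
fields (byte i is XORed with KEY[i % 5]), a fresh random KEY is used per
message, and the SUBJ_TOKEN / XAGENT_ID values used below are made up.
"""
import base64
import os
from typing import Optional

KEY_LEN, TOKEN_LEN, ID_LEN = 5, 7, 4
HEADER_LEN = KEY_LEN + TOKEN_LEN + ID_LEN  # 16 bytes before base64


def _xor_cycled(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key (assumption, see above)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_header(subj_token: bytes, xagent_id: bytes,
                 key: Optional[bytes] = None) -> str:
    """Implant side: produce base64(KEY | SUBJ_TOKEN^KEY | XAGENT_ID^KEY)."""
    if len(subj_token) != TOKEN_LEN or len(xagent_id) != ID_LEN:
        raise ValueError("SUBJ_TOKEN must be 7 bytes and XAGENT_ID 4 bytes")
    key = os.urandom(KEY_LEN) if key is None else key
    if len(key) != KEY_LEN:
        raise ValueError("KEY must be 5 bytes")
    raw = key + _xor_cycled(subj_token, key) + _xor_cycled(xagent_id, key)
    return base64.b64encode(raw).decode("ascii")


def parse_header(header: str, expected_token: bytes) -> Optional[bytes]:
    """C&C side: return XAGENT_ID when `header` is a well-formed P2Scheme
    header carrying `expected_token`, else None. Everything that fails
    here (spam, unrelated mail, corrupted subjects) is simply ignored,
    which is how requirement 1 above is met."""
    try:
        raw = base64.b64decode(header, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) != HEADER_LEN:
        return None
    key = raw[:KEY_LEN]
    token = _xor_cycled(raw[KEY_LEN:KEY_LEN + TOKEN_LEN], key)
    if token != expected_token:
        return None
    return _xor_cycled(raw[KEY_LEN + TOKEN_LEN:], key)


# Constructed values for a demonstration run (not real XAGENT tokens).
DEMO_TOKEN = b"SEDTOKN"
DEMO_ID = b"\x00\x00\x13\x37"


def demo() -> bool:
    """Two messages with the same token and ID get different headers
    (random KEY), yet both parse back to the same XAGENT_ID."""
    h1, h2 = build_header(DEMO_TOKEN, DEMO_ID), build_header(DEMO_TOKEN, DEMO_ID)
    return (h1 != h2
            and parse_header(h1, DEMO_TOKEN) == DEMO_ID
            and parse_header(h2, DEMO_TOKEN) == DEMO_ID
            and parse_header(h1, b"OTHERTK") is None)
```

If the KEY really does change per message, the base64 string is different every time even for a fixed token and implant ID, so a detection rule cannot match it as a literal; it has to decode the candidate, check the length, and verify the XOR structure the way `parse_header()` does.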
-----

## Email Channel (2): P2Scheme, a.k.a. "Level 2 Protocol"

A 16-byte header, sent base64-encoded:

|Offset|Field|
|---|---|
|0–5|KEY|
|5–12|SUBJ_TOKEN ^ KEY|
|12–16|XAGENT_ID ^ KEY|

-----

## Email Channel (3): Georgian Protocol

(Slide shows the message structure.) Its elements: a Georgian national ID number, the string "Hello", and "detailed" followed by a timestamp.

-----

## Bonus: XAGENT C&C Infrastructure

(Screenshot.) Thank you, Google search engine.

-----

## XAGENT Proxy Server

• Python code used between April and June 2015
• ~12,200 lines of code
• Translates the email protocol spoken by XAGENT (P2Protocol) into an HTTP protocol (P3Protocol) for the C&C backend: XAGENT → inbox → proxy → backend (over HTTP)

-----

## Chain of Events

• Monday 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• Monday 10:00AM: SEDRECO deployment
• Monday 2:00PM: XAGENT deployment

-----

# Next three days…

-----

## Serge Meets Passwords Extractors

• SecurityXploded tools (a Sednit grand classic)
  – Con: usually detected by AV software
• Custom tools, in particular a Windows Live Mail password extractor compiled for Serge (screenshot on the slide)

-----
## Serge Meets Windows Passwords Extractors

• Extraction from the registry hives
  – Deployed with an LPE exploit for CVE-2014-4076
• Good ol' Mimikatz (output in "pi.log")
  – Deployed with an LPE exploit for CVE-2015-1701

-----

## Serge Meets Screenshoter

• Custom tool that takes a screenshot each time the mouse moves

-----

## And… Serge Meets XTUNNEL

• Network proxy tool to contact machines normally unreachable from the Internet
• Period of activity: May 2013 – now

-----

## Initial Situation

Internet side: the C&C server. Internal network: Serge's computer (XTUNNEL-infected), Computer A (clean) and Computer B.

-----

## Encryption Handshake

1. The C&C server sends Serge's computer a buffer T of random-looking bytes:

```
80 BE 7B 25 8E E6 FC F2 CD 5D 7F 3A 73 1D 59 A5
2D 35 77 F3 B2 1B DF 7D EE 1D 1C F1 AB 91 87 87 …
```

The capture on the slide shows `D5 47 A4 A4 3F 60 6A 0F 3B 36 04 1C 44 4A C8 BD` followed by T.

2. Serge's computer answers with an offset O into T and a proof of knowledge of T.

3. The RC4 key is taken from T at offset O (on the slide, the run of T starting at `CD 5D 7F 3A 73 1D 59 A5 …` is highlighted as the RC4 key).
## Encryption Handshake (continued)

4. The C&C server answers "OK".
5. From then on the link is RC4-encrypted with the key derived from T.
6. Since 2014 the whole exchange is encapsulated in TLS.

-----

## Tunnels Opening

Over that link, the C&C server opens tunnels through Serge's computer to Computer A and Computer B, which it cannot reach directly from the Internet. Any kind of TCP-based traffic can be tunneled (PsExec, for example).
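The handshake above, modelled with both endpoints and a passive observer, as an added example (not XTUNNEL's code). The slides fix the shape of the exchange (T from the server, O plus a proof of knowledge of T from the infected host, RC4 key taken from T at O, "OK", then RC4 traffic) but not the details, so the following are assumptions: T is 64 random bytes, the key is T[O:O+16], the proof is SHA-256(T), and O travels as a 4-byte little-endian integer in front of the proof.

```python
"""Model of the XTUNNEL encryption handshake from the slides, with both sides
and a passive observer. Added example; not XTUNNEL's code.

From the slides: the C&C server sends a buffer T; the infected host answers
with an offset O into T plus a proof that it knows T; the RC4 key is taken
from T at offset O; the server answers "OK"; traffic is then RC4-encrypted
(and, since 2014, wrapped in TLS). Assumptions made here because the
slides do not specify them: T is 64 random bytes, the key is the 16 bytes
T[O:O+16], the proof is SHA-256(T), and O travels as a 4-byte little-endian
integer in front of the proof.
"""
import hashlib
import os
import struct
from typing import Optional, Tuple

KEY_LEN = 16
PROOF_LEN = 32  # SHA-256 digest


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def server_hello(t_len: int = 64) -> bytes:
    """Step 1, C&C side: send T."""
    return os.urandom(t_len)


def derive_key(t: bytes, offset: int) -> bytes:
    """Both sides take the RC4 key from T at offset O."""
    if not 0 <= offset <= len(t) - KEY_LEN:
        raise ValueError("offset leaves fewer than KEY_LEN bytes in T")
    return t[offset:offset + KEY_LEN]


def client_response(t: bytes, offset: int) -> bytes:
    """Step 2, infected host: send O and the proof of knowledge of T."""
    derive_key(t, offset)  # validates the offset before it goes on the wire
    return struct.pack("<I", offset) + hashlib.sha256(t).digest()


def server_verify(t: bytes, response: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Step 3, C&C side: check the proof and derive the key. Returns
    (b"OK", key) on success and (None, None) on any malformed or wrong reply."""
    if len(response) != 4 + PROOF_LEN:
        return None, None
    offset = struct.unpack("<I", response[:4])[0]
    if response[4:] != hashlib.sha256(t).digest() or offset > len(t) - KEY_LEN:
        return None, None
    return b"OK", derive_key(t, offset)


def passive_observer_key(captured_t: bytes, captured_response: bytes) -> bytes:
    """What a sniffer on the pre-TLS handshake gets: T and O cross the wire in
    clear, so the RC4 key follows from the capture alone."""
    offset = struct.unpack("<I", captured_response[:4])[0]
    return captured_t[offset:offset + KEY_LEN]


def run_handshake(offset: int = 8, t: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """Run the whole exchange; return (client key, server key, observer key)."""
    t = server_hello() if t is None else t
    response = client_response(t, offset)
    reply, server_key = server_verify(t, response)
    if reply != b"OK":
        raise RuntimeError("C&C server rejected the handshake")
    return derive_key(t, offset), server_key, passive_observer_key(t, response)
```

Because T and O are sent in clear, `passive_observer_key()` ends up with the same key as the two endpoints: the RC4 layer by itself hides nothing from whoever holds a capture of the handshake, and only the TLS encapsulation added in 2014 keeps the exchange away from a passive observer.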
-----

## Code Obfuscation (1)

• Starting in July 2015, XTUNNEL code was obfuscated (two months after the Sednit attack against the German parliament, where XTUNNEL was used)
• The obfuscation is a mix of classic syntactic techniques, such as junk code insertion and opaque predicates

-----

## Code Obfuscation (2)

(Slide shows the same code before and after obfuscation.) A good toy example for automatic deobfuscation magic?

-----

## Chain of Events

• Monday 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• Monday 10:00AM: SEDRECO deployment
• Monday 2:00PM: XAGENT deployment
• Tuesday to Thursday: information exfiltration and lateral movement

-----

# Friday, 11:00AM

-----

## Long Term Persistence (1)

• A special XAGENT build is copied into the Office folder under the name "msi.dll"

-----

## Long Term Persistence (2)

• system32\msi.dll is a legitimate Windows DLL needed by Office applications
• The XAGENT msi.dll exports the same function names as the legitimate msi.dll (screenshot on the slide)

-----

## Long Term Persistence (3)

• Each time Serge starts Office, the XAGENT msi.dll is loaded instead of the legitimate one (search-order hijacking); it then:
  – loads the real msi.dll from system32
  – fills its export table with the addresses of the real msi.dll functions
  – starts the XAGENT malicious logic
• Same technique also seen with LINKINFO.dll dropped in C:\WINDOWS
-----

## Chain of Events

• Monday 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• Monday 10:00AM: SEDRECO deployment
• Monday 2:00PM: XAGENT deployment
• Tuesday to Thursday: information exfiltration and lateral movement
• Friday 11:00AM: long-term persistence method deployment

-----

###### What the hell is going on here?!

### THE MYSTERIOUS DOWNDELPH

-----

## Discovery

• September 2015
• Classic Sednit dropper
• Shows a decoy document

-----

## What Is In This Dropper?

-----

## The Ultimate Boring Component

• Delphi downloader; we named it DOWNDELPH (slow clap)
• Simple workflow:
  – Downloads a configuration (.INI file)
  – Based on the configuration, downloads a payload
  – Executes the payload
• Persistence method: Run registry key

-----

## Let The Hunt Begin

2013 DOWNDELPH sample: Dropper → DOWNDELPH, a helper, and a bootkit installer

• Infects BIOS-based systems
• Tested on Windows XP/7, 32-bit/64-bit

-----

## Not So Boring Component

-----

## Bootkit Installation

Before infection:

|1st sector|Rest of disk|
|---|---|
|MBR|Legitimate data|

After infection:

|1st sector|2nd sector onwards||||
|---|---|---|---|---|
|Malicious MBR|Original MBR (1-byte XOR)|Hooks (1-byte XOR)|Driver (1-byte XOR + RC4)|Legitimate data|

-----

## Normal Boot Process (Windows 7 x64)

Original MBR → BOOTMGR (real mode) → Winload.exe (protected mode) → … → Kernel init

-----

## Infected Boot Process (Windows 7 x64)

Infected MBR (which then runs the original MBR) → BOOTMGR (real mode) → Winload.exe (protected mode) → … → Kernel init
-----

## Malicious MBR

• Hooks the INT 13h handler (low-level disk read/write operations)
• Patches BOOTMGR in memory

-----

## BOOTMGR Hook

• Searches for OslArchTransferToKernel() in winload.exe and patches it (before/after disassembly on the slide)

-----

## Winload.exe Hook

• Locates MmMapIoSpace
• Saves some code in the ACPI.sys resource section (and makes that section executable)
• Hooks ACPI!GsDriverEntry

-----

## Saving Important Information

The bootkit stashes what it needs later, its own physical address and the original bytes of ACPI!GsDriverEntry, inside the kernel image header (both highlighted on the slide):

```
0: kd> db rbx $$ kernel header address
4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00  ................
00 74 09 00 00 b4 09 cd-21 b8 01 4c cd 21 54 68  .t......!..L.!Th
69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
8a 4a 9e 90 ce 2b f0 c3-ce 2b f0 c3 ce 2b f0 c3  .J...+...+...+..
c7 53 73 c3 aa 2b f0 c3-c7 53 63 c3 c5 2b f0 c3  .Ss..+...Sc..+..
ce 2b f1 c3 a2 2b c0 97-8f 00 00 f8 ff ff 30 fc  .+...+........0.
04 00 f2 0f 00 00 48 83-ec 28 4c c3 d4 2b f0 c3  ......H..(L..+..
c7 53 62 c3 cf 2b f0 c3-c7 53 64 c3 cf 2b f0 c3  .Sb..+...Sd..+..
c7 53 61 c3 20 cd a2 02-00 f8 ff ff ce 2b f0 c3  .Sa. ........+..
00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00-50 45 00 00 64 86 18 00  ........PE..d...
```

(The slide highlights the bootkit's physical address and the original ACPI!GsDriverEntry bytes in the lower half of this dump.)

-----

## ACPI.sys Hook

• Restores ACPI!GsDriverEntry
• Maps the bootkit's physical address into the virtual address space by calling MmMapIoSpace
• Decrypts the hidden driver

-----

## Bootkit Workflow (complete)

Infected MBR (then the original MBR) → BOOTMGR hook → Winload.exe hook → ACPI.sys hook → Bootkit driver → Kernel init

The bootkit driver loads the "Bootkit DOWNDELPH user-mode component".
Open question on the slide: why a DLL to load another DLL?

-----

## Who Are You, Bootkit?

• A missing exported variable in DOWNDELPH
• Code sharing with BlackEnergy:
  – Relocations fixing
  – DLL injection calling three exports ("Entry", "ep_data" and "Dummy")
  – …

-----

## But It's Not The End of The Story

2014 DOWNDELPH samples: Dropper → DOWNDELPH, plus the component on the next slides

-----

## Not So Boring Component++

-----

## Kernel Mode Rootkit (1)

• Registered as a Windows service
• Injects DOWNDELPH into explorer.exe (APC)
• Hides files, folders and registry keys
• Relies on a set of rules:

```
HIDEDRV: >>>>>>>>Hide rules>>>>>>>> rules
HIDEDRV: File rules: \Device\[…]\dnscli1.dll
HIDEDRV: File rules: \Device\[…]\FsFlt.sys
HIDEDRV: Registry rules: \REGISTRY\[…]\FsFlt
HIDEDRV: Registry rules: \REGISTRY\[…]\FsFlt
HIDEDRV: Registry rules: \REGISTRY\[…]\FsFlt
HIDEDRV: Inject dll: C:\Windows\system32\mypathcom\dnscli1.dll
HIDEDRV: Folder rules: \Device\HarddiskVolume1\Windows\system32\mypathcom
HIDEDRV: <<<<<<<
```
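Going back to the on-disk layout of the 2013 bootkit installer (Bootkit Installation slide): sector 1 holds the malicious MBR and sector 2 onwards the original MBR encoded with a 1-byte XOR. That encoding is weak enough to undo from a disk image without knowing the key, which is a useful triage step. The script below is an added example, not the authors' tooling; it assumes 512-byte sectors and that the encoded original MBR fills sector 2 exactly, brute-forces the key, and the disk image it runs on is constructed for the example.

```python
"""Recover the original MBR from a disk infected by the DOWNDELPH bootkit
installer, using only what the Bootkit Installation slide gives: the
malicious MBR in sector 1 and the original MBR, XOR-encoded with a single
byte key, starting at sector 2. Added example, not the authors' tooling.

Assumptions: 512-byte sectors, the encoded original MBR fills sector 2
exactly, and the XOR key is unknown (it is brute-forced below). The disk
image built by build_sample_image() is constructed for this example.
"""
from typing import Optional, Tuple

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def looks_like_mbr(sector: bytes) -> bool:
    """Structural checks on a candidate MBR: boot signature at offset 510 and
    a partition table whose four status bytes are 0x00 or 0x80."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    return all(sector[0x1BE + 16 * i] in (0x00, 0x80) for i in range(4))


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_original_mbr(image: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 single-byte keys on sector 2 and return (key, mbr) for the
    decoding that passes looks_like_mbr(), or None if none does. The match
    is unique: with the signature bytes 0x55 0xAA only the right key maps
    both back into place."""
    encoded = image[SECTOR:2 * SECTOR]
    for key in range(256):
        candidate = xor_bytes(encoded, key)
        if looks_like_mbr(candidate):
            return key, candidate
    return None


def mbr_code_differs(image: bytes, original: bytes) -> bool:
    """Compare the active MBR with the recovered one: a bootkit replaces the
    boot code (first 446 bytes) and normally keeps the partition table."""
    return image[:446] != original[:446]


def build_sample_image(xor_key: int = 0x5A) -> bytes:
    """Constructed disk image: sector 1 = a stand-in malicious MBR, sector 2 =
    the original MBR XORed with xor_key, then some 'legitimate data'."""
    original = bytearray(SECTOR)
    # Classic Windows MBR prologue: xor ax,ax / mov ss,ax / mov sp,7C00h / sti
    original[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
    original[0x1BE] = 0x80       # first partition entry: bootable
    original[0x1BE + 4] = 0x07   # partition type NTFS
    original[510:512] = BOOT_SIG
    malicious = bytearray(original)
    # Stand-in for the bootkit's boot code (cli / jmp $ padded with nops);
    # the partition table and signature are left untouched.
    malicious[:446] = b"\xfa\xeb\xfe" + b"\x90" * 443
    legitimate_data = b"LEGIT" * 100
    return bytes(malicious) + xor_bytes(bytes(original), xor_key) + legitimate_data
```

Note that `looks_like_mbr()` also accepts the malicious first sector, since the installer keeps the signature and partition table; the evidence is the recoverable copy of a second, different MBR right behind it, which `mbr_code_differs()` reports. A recovered key of 0x00 means sector 2 holds an unencoded copy, so treat that case with the same suspicion as any other key.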