## Visiting the snake nest

###### Recon Brussels 2018

Jean-Ian Boutin | Senior Malware Researcher

-----

##### Jean-Ian Boutin, Senior Malware Researcher, @jiboutin
##### Matthieu Faou, Malware Researcher, @matthieu_faou

-----

##### Agenda

1. Introduction
2. Infection Vectors
3. First Stages
4. Advanced First Stages
5. Second Stages
6. Infrastructure
7. Conclusion

-----

# Introduction

-----

• One of the oldest espionage groups
• Targets include governments, government officials, diplomats, …
• Very large toolset targeting all major platforms

-----

# Infection Vectors

-----

• Watering hole
• Spearphishing

-----

• Planting scripts in targets' favourite websites

|URL (past campaigns)|Notes|
|---|---|
|http://www.namibianembassyusa.org|Namibia Embassy - USA|
|http://www.avsa.org|African Violet Society of America|
|http://www.zambiaembassy.org|Zambian Embassy - USA|
|http://russianembassy.org|Russian Embassy - USA|
|http://au.int|African Union|
|http://mfa.gov.kg|Ministry of Foreign Affairs – Kyrgyzstan|

-----

###### 1st level C&C

• mentalhealthcheck.net
• drivers.epsoncorp.com
• rss.nbcpost.com
• static.travelclothes.org

-----

• Fingerprinting potential targets through JS

-----

• Computes a checksum of each comment
• Regular expression applied: `'(?:\\u200d)(?:#|@)?(\\w)'`
• https://bitly.com/2kdhuHX

-----

• A bit disappointing that this one was not used…

-----

# Mosquito

-----

• Campaign running since at least July 2016
• Infection vector is a fake Flash installer
  • Downloaded from http://admdownload.adobe.com *
• Uses either a Win32 or a JScript backdoor

\* We believe Adobe was not compromised

-----

# Something weird is happening on the network

-----

###### http://get.adobe.com/stats/AbfFcBebD/q=

-----

# 1st Stages

-----

• Culex
• Tavdig
• Skipper
• Kopiluwak
• …

-----

# Tavdig / Wipbot

-----

• (Older) backdoor used to assess target usefulness
• Can execute commands, modify the backdoor configuration, download additional files, etc.
• Dropped through watering hole or spearphishing (old PDF CVE and macros)

-----

• Used for system fingerprinting:
  • OS version
  • Computer name
  • Current user name
  • Local groups
  • System directory
  • System language, user language, timezone, uptime, etc.

-----

• Observations based on samples analyzed

|Version|Sample sightings|Differences|
|---|---|---|
|A|October 2013 – February 2014|N/A|
|B|April 2014 – July 2014|Introduction of a macro-based Word dropper; introduction of the two-step injection; introduction of the shell_traywnd injection trick|
|C|September 2015 – November 2015|Introduction of code obfuscation through the "this" pointer; introduction of a list of injectable processes instead of just iexplore.exe|

-----

• Hash-based process name search
• Crackable through John the Ripper

|icq.exe|msimn.exe|opera.exe|
|---|---|---|
|chrome.exe|pidgin.exe|firefox.exe|
|outlook.exe|iexplore.exe|jusched.exe|
|browser.exe|icqlite.exe|adobearm.exe|

-----

• Malicious macro embedded in the document
• Macro decrypts the payload and launches it

-----

# Skipper

-----

• Minimal backdoor used against governmental and diplomatic institutions since at least 2014
• Can execute commands, exfiltrate files and download additional malware
• Delivered in malicious macros and JS attachments

-----

• PDB paths found in samples:

```
C:\Users\admin\Documents\Visual Studio 2012\Projects\dws\x64\Release\GetPidByProcessName_x64.pdb
C:\Users\work4\Documents\Visual Studio 2012\Projects\KOTEL 24.11.16 No COOKIE No STORAGE only BODY\KOTEL_2.1\x64\Release\GetPidByProcessName x64.pdb
```

-----

• SECTION_INTERNET-NOTICE_TO_ALL_USERS_13-05-2016.pdf.js

-----

###### C&C Comm Loader

-----

• Implements a bunch of anti-emulation tricks

-----

• Operators use Vim!!
  • https://[C&C server]/rss.php~

-----

# Advanced 1st stages

Image credit: SpaceX

-----

# Mosquito

-----

• 1st or 2nd stage (after Skipper)
• Deployed in Eastern Europe on diplomats' machines
• Uses a custom packer

-----

• Call to SetupDiGetClassDevs(0,0,0,0xFFFFFFFF)
• Last parameter value is undocumented
• Expects 0xE000021A as return value

-----

#### Backdoor / Loader / Encrypted log file

-----

• CLSID hijacking
  • Ex: Ntshrui.dll

-----

• Creates a new admin account: HelpAssistant
  • Enables remote administrative actions for this user
  • Maybe used to spy or regain control if the backdoor is deleted

-----

• Data is XORed with a generated key
  • No, I won't show you the XOR loop :D
• Generation algorithm looks like Blum Blum Shub
  • Takes a key and a modulus to generate a byte stream

-----

• C&C
  • HTTPS
  • URI: /scripts/m/query.php?id=
  • SATCOM IP addresses and Cloudflare
• Encrypted data in:
  • GET parameter (id)
  • Cookie

-----

• Download & execute additional files
• Launch a process
• Delete a file
• Exfiltrate a file
• Add/Delete a C&C server

-----

• Encryption algorithms are different
• Log structures are different
• Both use CLSID hijacking
• Overlap in the network infrastructure
• Some similarities in the code

-----

# Second Stages

Image credit: SpaceX

-----

• Second stages implement similar concepts to stay persistent and hidden on the system
• They are meant to stay undetected as long as possible

-----

# Carbon / Cobra

-----

• Evolution of the previous rootkit
• Sophisticated backdoor
• Receives and dispatches tasks from other nodes

-----

• Dropper
• Loader
• Orchestrator
• Communication DLL

-----

|Compilation date|Orchestrator version|Communication library version|
|---|---|---|
|2014-02-26|3.71|3.62|
|2016-02-02|3.77|4.00|
|2016-03-17|3.79|4.01|
|2016-03-24|3.79|4.01|
|2016-04-01|3.79|4.03|
|2016-08-30|3.81|????|
|2016-10-05|3.81|????|

-----

• Several steps are taken before beaconing out
  • Check for network sniffers
  • First GET request to the root page of the C&C
  • Real request is made

-----

• Data that should be sent to the C&C server is written to a file
  • Each blob is encrypted with CAST-128
  • Extra 3DES encryption is configurable

-----

• Tasks are retrieved from a web page
• Once decrypted, the tasks are added to a queue

-----

• Example of communication between modules

-----

• Tasks can be forwarded to another node

-----

• [CONFIG]
  • NAME ("cmd.exe" by default)
  • ARG
  • RESULT ("stdout" by default)
  • COMPRESSION ("yes" by default)
  • DELETE ("no" by default)

-----

# Kazuar

-----

• .NET backdoor
• Cross-platform
• Similar in architecture to Carbon
  • Plugin support
  • Working directory
  • Configuration file
  • Log file

-----

• LZMA code compression
• Anti-debug
• Control flow obfuscation
• Strings obfuscation

-----

# Gazer / White Bear

https://chocolate80y.deviantart.com/art/bear-snake-149185270

-----

• The most recent 2nd stage backdoor
• Similar architecture to the previously discussed backdoors

-----

• Injection targets
  • Standard ones: iexplore.exe, firefox.exe, outlook.exe, chrome.exe, browser.exe, opera.exe
  • Custom ones: osoupd.exe, acrotray.exe, UpdaterUI.exe, dropbox.exe, onedrive.exe

-----

• Seen in tandem
• Usage of code signing certificates
• We have seen Gazer being installed 24 hours after the initial Skipper infection

-----

• C++ class introspection (dynamic_cast, typeid, exception dispatcher) requires additional information to be stored in the binary
• Gazer has this information. We can recover:
  • Virtual Function Table (VFT)
  • Class names
  • Base classes

-----

• Looking for ".?AV" strings

-----

# Similarities exposed

-----

##### md5('log') XOR key

-----

• Moved to registry
  • %RootStoragePath%\{119D263D-68FC-1942-3CA3-46B23FA652A0}: Object ID, a unique ID to identify the victim
  • %RootStoragePath%\{1DC12691-2B24-2265-435D-735D3B118A70}: Task Queue, linked list of tasks to be executed
  • %RootStoragePath%\{28E74BDA-4327-31B0-17B9-56A66A818C1D}: Plugins
  • %RootStoragePath%\{31AC34A1-2DE2-36AC-1F6E-86F43772841F}: Communication Module, the DLL that communicates with the C&C server
  • %RootStoragePath%\{3CDC155D-398A-646E-1021-23047D9B4366}: Autorun, the persistence method

-----

• Encrypted with CAST-128
• Format: Date|Time|Object-Id|Source|Message

-----

• Encrypted with AES-256-CBC
• Format: process_name [PID]: message

-----

• Encrypted with 3DES
• Format: Hour:Min:Sec:Ms|[log ID] [log]

-----

• Processes in which to inject the 3rd stage
• Last C&C contact time
• C&C list
• Victim ID
• Frequency and time of task execution

-----

# Interlude - Metasm

-----

• Custom RSA implementation
• Unable to decrypt data with standard libraries
• Why not directly use Gazer's own code?

-----

• Assembler / Disassembler / Compiler / Debugger
• Scriptable in Ruby
• https://github.com/jjyg/metasm

-----

1. Put breakpoints on specific addresses
2. Debug the Gazer sample
3. Dump the unencrypted data

-----

# Infrastructure

-----

• Hide real C&C addresses
• Attribution is more difficult
• Take-down almost impossible

-----

###### Satellite broadcasts · SIGINT traffic interception · Infected machine · Real C&C server: uses the IP address of a real SAT customer

-----

• Gazer change in IOCs
• Carbon changes in IOCs
• Nautilus changes after the NCSC UK report
• Mosquito DLLs no longer dropped on disk after our publication

-----

• Turla is still very active
• Really effective at tricking the users
• Large toolset
  • Most advanced backdoors used on the most protected networks

-----

##### Jean-Ian Boutin, Senior Malware Researcher, @jiboutin
##### Matthieu Faou, Malware Researcher, @matthieu_faou

-----
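The Infection Vectors slides show the regular expression the JS fingerprinting script applies to social-media comments: it captures every character that follows a U+200D zero-width joiner (optionally with a `#` or `@` in between). The following is an added example, not code from the talk or from the analysed script, showing how an analyst can apply that same regex to harvested comments to recover the hidden string and to flag comments carrying such markers; the sample comment is constructed, and the checksum step is not reproduced because the slide does not give its algorithm.

```python
import re

# The regex from the slide: a character preceded by U+200D (zero-width joiner),
# optionally with '#' or '@' in between; only the final character is captured.
HIDDEN_CHAR_RE = re.compile(r'(?:\u200d)(?:#|@)?(\w)')


def extract_hidden_string(comment: str) -> str:
    """Concatenate every character the regex captures, in order of appearance."""
    return "".join(HIDDEN_CHAR_RE.findall(comment))


def comment_has_marker(comment: str, min_hits: int = 4) -> bool:
    """Detection helper: a normal comment should not contain several ZWJ-prefixed
    characters; 'min_hits' is an assumed threshold, tune it on your own data."""
    return len(HIDDEN_CHAR_RE.findall(comment)) >= min_hits


def strip_hidden_chars(comment: str) -> str:
    """Return the comment as a reader sees it, with the ZWJ markers removed."""
    return comment.replace("\u200d", "")


# Constructed sample (not taken from any real campaign): innocuous-looking text in
# which each letter of "2kdhuHX" is preceded by a ZWJ, sometimes with '#'/'@' too.
SAMPLE_COMMENT = ("nice pic \u200d2 love it \u200d#k \u200dd have a \u200d@h "
                  "great \u200du day \u200dH \u200dX !!!")

if __name__ == "__main__":
    print(extract_hidden_string(SAMPLE_COMMENT))   # 2kdhuHX
    print(comment_has_marker(SAMPLE_COMMENT))      # True
```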
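The Carbon [CONFIG] slide lists a task's keys and their defaults, and the "Similarities exposed" slides give the plaintext line format of the three second-stage log files. As an added example (not code from the talk or from any of the backdoors), the block below parses a task block applying those defaults and normalises decrypted log lines from the three formats into common fields; decryption itself is out of scope (the slides give no keys), the mapping of log formats to families is not made, and the sample lines are constructed.

```python
import configparser
import re

# Defaults exactly as listed on the [CONFIG] slide; ARG has no stated default.
TASK_DEFAULTS = {"NAME": "cmd.exe", "ARG": "", "RESULT": "stdout",
                 "COMPRESSION": "yes", "DELETE": "no"}


def parse_task_config(text: str) -> dict:
    """Parse a [CONFIG] block; missing keys take the slide's defaults, yes/no -> bool."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep keys upper-case as written
    cp.read_string(text)
    task = dict(TASK_DEFAULTS)
    task.update(cp["CONFIG"])
    for flag in ("COMPRESSION", "DELETE"):
        task[flag] = task[flag].strip().lower() == "yes"
    return task


# Hour:Min:Sec:Ms|[log ID] [log]  (brackets around the ID are accepted but optional)
HMS_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2}:\d{2}:\d{1,3})\|\[?(?P<log_id>[^\]\s]+)\]? (?P<message>.*)$")
# process_name [PID]: message
PROC_PID_RE = re.compile(r"^(?P<process>.+?) \[(?P<pid>\d+)\]: (?P<message>.*)$")


def normalize_log_line(line: str):
    """Map a decrypted log line in any of the three slide formats to common fields;
    returns None when the line matches none of them."""
    m = HMS_RE.match(line)
    if m:
        return {"format": "hms-logid", "timestamp": m["time"],
                "source": m["log_id"], "message": m["message"]}
    parts = line.split("|", 4)               # Date|Time|Object-Id|Source|Message
    if len(parts) == 5:
        date, time, obj_id, source, msg = parts
        return {"format": "date-time-objid", "timestamp": f"{date} {time}",
                "source": f"{obj_id}/{source}", "message": msg}
    m = PROC_PID_RE.match(line)
    if m:
        return {"format": "process-pid", "timestamp": None,
                "source": f"{m['process']}[{m['pid']}]", "message": m["message"]}
    return None


# Constructed sample lines, one per format (not real decrypted logs).
SAMPLE_LOGS = ["2016-03-24|14:05:11|ABCD1234|orchestrator|task 7 queued",
               "explorer.exe [1234]: plugin loaded",
               "14:05:11:327|[17] communication module started"]
</test>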
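The Gazer slides note that MSVC stores RTTI data (needed for dynamic_cast, typeid and exception dispatch) in the binary, and that class names can be recovered by looking for ".?AV" strings. As an added example, not code from the talk, the block below scans a byte blob for those RTTI type-descriptor names and demangles them into readable class names (innermost scope first, '@'-separated, "@@"-terminated; ".?AU" marks a struct); the sample blob is constructed and does not come from Gazer.

```python
import re

# MSVC RTTI TypeDescriptor name: ".?AV" (class) or ".?AU" (struct), then the
# decorated scope chain, innermost first, '@'-separated and ended by "@@".
# Template names (which contain "?$") are out of scope for this simple scanner.
RTTI_NAME_RE = re.compile(rb"\.\?A[VU]([A-Za-z0-9_@]+?)@@")


def demangle_rtti_name(decorated: bytes) -> str:
    """b'.?AVCHttp@Comm@@' -> 'class Comm::CHttp' (scope order is reversed)."""
    m = RTTI_NAME_RE.fullmatch(decorated)
    if not m:
        raise ValueError("not an RTTI type descriptor name")
    kind = "class" if decorated[3:4] == b"V" else "struct"
    scopes = m.group(1).decode("ascii").split("@")
    return kind + " " + "::".join(reversed(scopes))


def recover_class_names(blob: bytes) -> list:
    """Scan raw bytes (e.g. a PE image or its .data section) and return every
    distinct demangled class/struct name in order of first appearance."""
    seen = set()
    names = []
    for m in RTTI_NAME_RE.finditer(blob):
        name = demangle_rtti_name(m.group(0))
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


# Constructed sample blob (not from any real binary): three descriptors, one repeated.
SAMPLE_BLOB = (b"\x00\x00.?AVCTask@@\x00\x00.?AVCHttpTransport@Network@@\x00"
               b"junk.?AUSConfig@@\x00.?AVCTask@@\x00")

if __name__ == "__main__":
    for n in recover_class_names(SAMPLE_BLOB):
        print(n)
```

Running the same scan over a section of a binary in a hex-dump, then cross-referencing the descriptor addresses, is how the VFT and base-class information mentioned on the slide is located next to these names.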