let's go with a go rat! - botconf 2020 · 2018-12-09 · functions golang (mostly spotted)...

Dec 2018

Copyright©LACCo.,Ltd.AllRightsReserved.

Yoshihiro IshikawaShinichi Nagano

Let'sgowithaGoRAT!


Whoarewe?

• Organization:LACCo.,Ltd.(lac.co.jp)• Department:CyberEmergencyCenter• JobTitle:CyberThreatAnalystandhandler

YoshihiroIshikawa(CISSP)

• Department:CyberEmergencyCenter• JobTitle:CyberThreatAnalystandhandler

ShinichiNagano(GREM)


Agenda

n  Purposen  AstudyofGolanguage(GoLang)n wellmessanditsdetailn wellmessC2trafficsimulation(DEMO)n  Preventionmethodn  Conclusion


Purposen  wellmessmalwareanditsbotnetiscurrently

stillcategorizedasanunknownGolangmalware

n  severalincidentcasesthatwehandledfromJanuary2018

n  Notdetected[2]bysecuritysoftwareuntilwepublishedanalysisreport[1]aboutJune2018

Wewouldliketointroducetheanalysisresultof"wellmess"Andnowhopefullywillbeusefultopreventtheattackinthefuture.

CYBER　-　EDUCATION　-　PENTEST　-　JSOC　-　 119　-　CONSULTING

We provide IT total solutions based on advanced security technologies.


A study of Golang executable


WhataboutGolang

n  Go[3]isanopensourceprogramminglanguagedevelopedbyGoogleInc.in2009,inourpresentationwecallitas“GoLang”.

n  Currentstableversion1.11.2n  RunonvariousplatformssuchasLinux,Mac,Windows,Androidn  Golangmalware

n  Mirai(C2/Server)isoneofthemostfamousn  OtherwisesuchasLady[4],GoARM.Bot[5],GoAthenaRAT[6],Encriyoko[7],


Golangexecutablescharacteristics

n  Goexecutablesishugefilesize(evenpackedbyUPX[8]<4Mb)n  Functionnameisleftintactintheexecutablefiles(inmanycases)n  Thecharacterstringbecomesonecontinuousblock(go1.8higher)

NotstrippedfunctionName continuousblock


ThefunctionnamescanbespecifiedbyusingIDAGolangHelper[9]inIDAPro[11].

AfterBefore

Renamefunctions

Golangexecutablescharacteristics-2


Noteverystring-blobcanbeseparatedIDAGolangHelper,soweneedtodoitmanually

Golangexecutablescharacteristics-3

splitvalues

Possible

Impossible

Nosplitvalues…




wellmess and its detail


What’saboutwellmesswellmessisaRATcodedonGoLangonmultipleplatformoperatingsystems.

n  C2Functionsn  CommandExecution(RCE)n  FileUploadandDownload

n  Identificationn  Lang:GoLang(main)&.Net(minorversiononly)n  Type:Windows32/64-bitExecutable(thesemainslides)&ELFx64(Appendix:C)n  Characteristic:

n  CompiledwithUbuntu(go1.8.3),Windows(go1.8)n  "wellmess”namingiscomingfrom"WelcomeMessage”(attacker’sthought)n  UsageofIRCtermslike“welcomemessage”,“bot”,“chat”or“join”etc


Typostrings

Doeshemeanschoice?

Doeshemeanswelcomemessage?

DoeshemeansMozilla?


Specificcharacteristicstrings

differentpackagenameC2server

SupportsJapanese,KoreanandChinese


SpecificUser-Agents

n  Mozilla/5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/41.0.2228.0Safari/537.36

n  Mozilla/5.0(X11;U;Linuxx86_64;ja-JP;rv:1.9.2.16)Gecko/20110323Ubuntu/10.10(maverick)Firefox/3.6.16

n  Mozilla/5.0(Macintosh;IntelMacOSX10_9_3)AppleWebKit/537.75.14(KHTML,LikeGecko)Version/7.03Safari/7046A194A

n  Mozilla/5.0(X11;OpenBSDamd64;rv:28.0)Gecko/20100101Firefox/28.0n  Mozzila/5.0(WindowsNT6.1;WOW64;rv:56.0)Gecko/20100101Firefox/

56.0n  Mozilla/5.0(compatible;MSIE9.0;WindowsNT6.1;Trident/5.0;

FunWebProducts)

EachwellmesshadadifferentUser-Agentshard-coded.


welmessdoesn’thavelateralmovementfunction,forthatpurposetheattackerwasusinganothertool,insomecasestheyusedgost[13],atunnelingtoolswrittenbyGolang

Victim

Attacker

Lateralmovement


(toolong,redacted)Payload(DLLfile)isencrypted

ReplacestringsandBase64,decryptRC6PayloadDLLfileisloadedandexecutedusingAppDomainCreateInstanceAndUnwrapmethodutilizingProxyclass.

Otherversion:compiledwith.NETwellmessdnSpy[13]


Otherversion:Thepayloadof.NETwellmess

HassimilarfunctionsasperinGolangversion

.NETversionRCEisalsousingPowershellmethodswhicharenotfoundintheGolangversion


Functions Golang(mostlyspotted) .NET(severalcasesonly)

SupportOS Windows,Linux,(NAS) Windows

Encryption RC6,AES,RSA,obfuscation RC6,AES,RSA,obfuscation

Botcommands CommandExecutionFileUploadandDownload

CommandExecutionFileUploadandDownload

HowtoCommandExec CMD(Windows)Execve(Linux)

PowerShell,CMD

C2Protocol HTTP,POST,Cookie HTTP,POST,Cookie

Packer UPXornone OriginalPacker(bytesobfuscator)

Latestversion(ITW)#VirusTotalFirstSubmission

2018-10-02 2018-07-25

ComparisonofGolangand.NETwellmess

BotfunctionsisalmostthesameamongGolangand.NETWethinkthatthemainwellmessusedbyanattackerisGolang


Functions Golang(mostlyspotted) .NET(severalcasesonly)

SupportOS Windows,Linux,(NAS) Windows

Encryption RC6,AES,RSA,obfuscation RC6,AES,RSA,obfuscation

Botcommands CommandExecutionFileUploadandDownload

CommandExecutionFileUploadandDownload

HowtoCommandExec CMD(Windows)Execve(Linux)

PowerShell,CMD

C2Protocol HTTP,POST,Cookie HTTP,POST,Cookie

Packer UPXornone OriginalPacker(bytesobfuscator)

Latestversion(ITW)#VirusTotalFirstSubmission

2018-10-02 2018-07-25

ComparisonofGolangand.NETwellmess

BotfunctionsisalmostthesameamongGolangand.NETWethinkthatthemainwellmessusedbyanattackerisGolang

data.replace("+","").replace("","=").replace(".","").replace("","").replace(",","+").replace(":","/")referencebyJPCERT/CC[15]


Golangversion<;(?P<key>[^;]*?);>(?P<value>[^<]*?)<;[^;]*?;>.NETversion<;(?<key>[^;]*?);>(?<value>[^<]*?)<;[^;]*?;>

BotcommandssyntaxwellmessusestagsinXMLformattocommunicatetagC2commandsFollowingisregularexpressionmatchingrulesofthetags


BotcommandsTag Command Functions

<;head;> C Usedwith<;service;>tag

G C2serveracceptance

<;service;> p (Re)InitializeAESkeyandSendingHostInfo

fu Fileupload(fromC2tobot)

fd Filedownload(frombottoC2)

m Changethedivisionsizepercommunication

u Changeuser-agent

<;title;> a:x_x Itemnumberinformationofdividedcommunication

rc WaitingC2command

<;body;> Payloadpartaddedtothecommand


Botcommandssamples

<;head;>57494e2d3550464b544835345154517c636f6e736f6c657c57494e2d3550464b544835345154517c75736572e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/p<;head;><;title;>a:1_0<;title;><;service;>p<;service;>

AOyniCcS=1bLTL+NuPy0+%2CeDJx+1Q%2Cm0+1zZ8a+uj84J+VLbRk+tYH8v+pCeL6+gRkR;D9y5yGqO=G+B%3AbW%3Ao.+Y8GDHj+K2QKny+WZ2vQZ+L1v84h+p3P1qT.+Z8auj8+4JVLbR+ktYH8v+pCfbOO+ZDq577.+LySyuj+30PqHX+%2CXho8Z+YzBMr8+tQIevh.+rxEbIz+OVIVRP+x9DfH6+duxldn+PKi3f4.+y%2CI6td+RfavbR+67eQVw+twTN%3AI+HB1vPy.+hWzm2f+ASQlzB+Jiz9pt+EzNRQA+fRv1mL.+pziFHi+vzbux9+VA2zkY+8Ve9rz+T0u8jb.+1LH0%2Cx+WDpcVw+TIJjDV+5Dy6Mx+GTUarDtVk+++

DecryptedCookieheader


C2trafficcommunicationC2C2

1

Thereare4stepsuntilcommand&controlcommunication1.BotsendsAES+iv+HostInformation

1 .̓C2 acceptance2.BotsendsHostInformation

2 .̓C2 acceptance3.BotsendsreadysignaltoRCE

3 .̓C2 send RCE4.BotsendsresultofRCE

4 .̓C2 acceptance

2

3

4

1’

2’

3’

4’

Bot

Wemustpreparethehard-codedRC6keyandchangingRSApublickey


C2trafficcommunication-1CookieHeader:InfectedHostInformationinRC6

1

C2C2

POSTBody:AES+ivinRSApublickey

Bot


1

C2C2

C2trafficcommunication-1

“p”meansInitialphase Phase1of2

Bot


1

C2C2


HexDump

NULLofSHA256hash

InfectedPCInformation

Bot


C2C2

1

C2trafficcommunication-1Bot


C2trafficcommunication-1'

1

C2C2

1’ CookieHeader:C2ServerresponseinRC6

“G”meansjustreceived

Bot


C2C2


1

21’

CookieHeader:InfectedHostInformationinRC6

POSTBody:HostInformationinRSApublickey

Bot


C2C2


1

21’

Phase2of2

Bot


C2C2


1

21’

Bot

ComputerName

Mode

UserDomain

UserName


C2C2

POSTBody:Itlookslikenodataisincluded


1

2

3

1’

2’

CookieHeader:standbytoreceiveC2Command

Bot


C2C2


1

2

3

1’

2’“rc”meanstostandbyreceivingC2command

Bot


C2C2

C2trafficcommunication-3'

1

2

3

1’

2’

3’

POSTBody:C2CommandinAES

Bot


C2C2


1

2

3

4

1’

2’

3’

POSTBody:ResultofC2CommandinAES

CookieHeader:splitblocknumberinRC6

Bot


C2C2


1

2

3

4

1’

2’

3’ Phase1of1

Bot


C2C2

C2trafficcommunication-4Bot

TheJapanesefontisgarbled




wellmess C2 traffic simulation DEMO


Importnotesn  ItisforbiddeninJapantoshareanyformofanymaliciouscode

withoutthewrittenacknowledgementfromandtothelawenforcement.

n  InthisdemonstrationthereisapossibilitytheusedPoCcodecanbemisusedtocontrolarealalivemalware,thereisariskformalicioususedifthisPoCleaks,itisconsideredasmaliciouscode.

n  Duethecircumstancesabove,wecannotsharethesourcecodeusedforthisdemonstration,however,thisdemonstrationitselfisexplainingenoughdetailstoproofingtheconceptoftheC2communicationtraffic/protocolusedbywellmessmalware.


PreventionandDetectionn  C2trafficconnectioninnetworkdetection

n  wellmesstrafficdetectatusingSuricata[16]orsnort[17]

n  Staticanddynamicdetection

n  YARA[18]

n  wellmessmalwarecanbedetectedandidentified.BytheYARArule(willbeintroducenextslide)

n  EDRn  PowershellandcmdwellmessexecutioncanbetracedbyEDRlogorprocesstree

alerttcp$HOME_NETany->$EXTERNAL_NETany(msg:"wellmessC2trafficdetection!";content:"Accept-Encoding|3a20|gzip";content:"POST/HTTP/1.1";pcre:"/Cookie\x3a[a-zA-Z0-9]{8}=/";content:"Content-Type|3A|application|2F|x-www-form-urlencoded|3b|charset|3d|utf-8";sid:1000000;)


YARArules(onecase)

rulewellmess_go{meta:author="LACCo.,Ltd."strings:$mz={4D5A}$elf={7F454C46}$str1="botlib.FromNormalToBase64"$str2="botlib.AES_Encrypt"$str3="botlib.UnpackB"$str4="botchat.go"$str5="choise.go"$str6="wellmess.go"condition:($mzat0or$elfat0)andanyof($str*)}

rulechatbot_net{meta:author="LACCo.,Ltd."strings:$mz={4D5A}$str="Startbot"wide$str2="ROL"$str3="ROR"$str4="FromBase64ToNormal"$str5="FromNormalToBase64"$str6="SSL"condition:($mzat0)andallofthem}

ForGolang For.NET


EDRtracingforwellmessinfection

WindowsDefenderATP[19]

MachineTimeline


Conclusion

n  wellmessisaRATcodedonGoLangand.NET,aRATcontrolledbytheC2botnet.

n  Wehaveconfirmedsomecaseswherewellmessinfectionwasfoundintargetedorganizations.So,Attacksusingthemalwaremaycontinueinothercountries.

n  FortheinformationsharingwithOPSEConaglobalscale,youaremorethanwelcometocontactus!


AppendixA-Reference1.  https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf2.  https://www.virustotal.com/ja/file/

0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193/analysis/3.  https://golang.org/4.  https://news.drweb.com/show/?i=10140&lng=en5.  http://blog.0day.jp/2014/09/linuxgoarmbot.html6.  https://blog.talosintelligence.com/2017/02/athena-go.html#more7.  https://www.symantec.com/connect/blogs/malware-uses-google-go-language8.  https://upx.github.io/9.  https://github.com/sibears/IDAGolangHelper10.  https://www.hex-rays.com/products/ida/11.  https://www.paterva.com/web7/12.  https://github.com/ginuerzh/gost13.  https://github.com/0xd4d/dnSpy14.  https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html15.  https://suricata-ids.org/16.  https://www.snort.org/17.  http://virustotal.github.io/yara/18.  https://www.microsoft.com/en-us/windowsforbusiness/windows-atp


AppendixB-IOC

n  Golangn  efda5178286678794b40987e66e686cen  6fd56f2df05a77bdfd3265a4d1f2abacn  b981736a057b888170148a91bcd86a59n  579d3af1b487ea3c442870eabe886a4f

n  .NETn  98fe909510c79b21e740fec32fb6b1a0n  4a2b8954695b32322508e844ff7e74f5


AppendixC–Flowchart1/4(caseofELF)Initialcommunication


AppendixC–Flowchart2/4(caseofELF)Receiveresponse&Botprocess


AppendixC–Flowchart3/4(caseofELF)ExecuteBotCommand


AppendixC–Flowchart4/4(caseofELF)ContinueBotCommand




Thank you. Any Questions ?

let's go with a go rat! - botconf 2020 · 2018-12-09 · functions golang (mostly spotted)...

Documents