open source as fuel of recent apt - hitcon.org · n recent apt attacks are heavily using open...

Dec 2017

Copyright©LACCo.,Ltd.AllRightsReserved.

Yoshihiro Ishikawa

OpenSourceasfuelofrecentAPT


Whoami?

• Organization:LAC• Department:CyberCounterThreatTeam• JobTitle:SecurityResearcher

CISSPyoshihiro.ishikawa[at]lac.co.jp

YoshihiroIshikawa

2


Agenda

n  Purposen OpenSourceMalwareTargetingMacOSn  PowerShellEmpireimproperlyusedn  Preventionmethodn  Conclusion

3


Purpose

PowerSploit

TinySHell

n  Recently,therearesomanyAPTattacksfueledbytheusageoftheopensourcetoolsandmalware.

n  Why?n  Actorsperformingattacksusingopensourcetools

arebecomingmoreeasyandmoreresourceful.n  Actorsare likelyanonymizetheirattacks.n  Actorsusuallymodifiedtheirattackcodeand

createdanewcustomizedmalwareeasily.

Koadic

QuasarRAT

mimikatz

TrochilusPupy

4

Nishang


Purpose:APTgroupswithOpenSourceToolsn  APT10(menuPass):PowerSploit,Koadic,QuasarRAT,Redleaves(Trochilus)

n  Public,Technology,Energysectors,etc(USA,Canada,UK,France,SouthKorea,Japan,etc)[1]

n  CloudyOmega(BlueTermite):mimikatzn  Somecompanies,nospecifictrends(Japan)

n  Tick(BRONZEBUTLER):mimikatzn  CriticalInfrastructureandmanufacture(SouthKoreaandJapan)

n  PassCV/BARIUM(Winnti?)[2][3]:Metasploit,BeFFn  Gamemakers(USA,China,Russia,SouthKorea,TaiwanandJapan)

n  UnsureGroup(APT10):PowerShellEmpiren  Politicalandacademicsectors(Japan)

Inthispresentation,IwillintroducePassCVandUnsureGroup’sTTPsconfirmedinJapanin2017

5

CYBER　-　EDUCATION　-　PENTEST　-　JSOC　-　 119　-　CONSULTING

We provide IT total solutions based on advanced security technologies.


Open Source Malware Targeting MacOS


OpensourcemalwarevariantusingTinySHelln  Identification(Ipickedonlyonecase)

n  Hash:0161317c5f4fb3901df63c6e88f60933n  Type:Mach-O64-bitExecutablen  Lang:Cn  Characteristic:

n  DevelopedwithXcodeonMacOSXSierra(10.12)n  TinySHelloriginalsourcecodewasusedn  Nocodesigning

Fileinformation

CharacteristicString

7


WhataboutTinySHell

TinySHellisanopensourcebackdoorthatcompilesonallPOSIXvariants[4][5]

n  Functionsn  RemoteShellExecutionn  FileUploadn  FileDownload

n  C2Communicationn  Protocol:TCPn  Port:22(default)n  Encryption:AES

n  Defaultkeyis"neversayneversaydie"


Comparisonofsimilarities

tocallAESencryption

TinySHell MaliciousvariantusingTinySHell

WecanconfirmthatthesecodesareALMOSTidentical.

AESKey=“free&2015”

tocallbackdoorfunctions

9


FunctionsonlyinTinySHellvariants1.Themalwareconfiguration/settingfile

Caseroot(Privilegeuser)

n  Forsettinginformationusedbymalware,itwassavedasa“.cache”file.This“.cache”fileisreadfromdifferentPATHaccordingtoauthority.

n  C2informationwritteninthe".cache"fileisencryptedandmalwaredecryptsthestringusingtheXORdecoderfunctiondescribedinpart"2.Decryptionfunction".

10

.cachefileloadingfunction

Caseroot(Privilegeuser)

Caseuser

C2DomainPortSleepTime

ForgedProcess

.cachefile


2.DecryptionFunctionXORdecryptthecontentsof.cacheorhard-codedstringsinmalware.

OurDecryptingScriptinpython

DecryptedString

FunctionsonlyinTinySHellvariants

11


3.Anti-analysisfunctionandmaliciousenvironmentsetupn  Afunctiontocheckwhether“tcpdump”isrunningonthecomputer.n  ShellandMySQLcommandwithouthistoryenabledsetting.

FunctionsonlyinTinySHellvariants

12


4.Createrootkitandbecalledfromit

n  Arootkit(“rsakit”)iscreatedafterconnectedtoC2serverandreceivingresponse.n  Thisrootkitisalsousinganopensourcetoolvariantofrtkitcode.[6]

n  Rootkitfunctionality:tohideownprocessorarbitraryprocess.

rootkit(rsakit)

variantTinySHell

FunctionsonlyinTinySHellvariantsinLinux

13


MalwareconnectionandrelatedelementsIPaddressassociatedwiththeC2serverdomainofmalwareis“61.78.62[.]21”

ThisIPwasused“war[.]geekgalaxy[.]com”

Thisdomainrelated“PassCV”[7]

NextattentiontootherIPaddress“106.184.5[.]252”[8]

iisexit[at]gmail.com61.78.62.xxx106.184.5.xxx

job[.]yoyakuweb[.]technologyresume[.]immigrantlol[.]com

Relatedelement

14


Howusedforattacking

job[.]yoyakuweb[.]technology

User-AgentCheck

resume[.]immigrantlol[.]com

info.zip Resume.app

BeefC2

CaseMac

info.zip Info.doc

CaseWindows

appaffect[.]com

CobaltStrike[10]

vps2java[.]securitytactics[.]com

MetasploitFramework[9]

xxxx.zip Info.chm/Stefan_Info.doc……exe

OtherC2

Beginningisspearphishinge-mail

15


CaseWindows:usingCVE-2017-0199exploit

CVE-2017-0199exploit

decoyfileoftheresumeisopened,andmaliciousscriptdownload

Base64+gzip

NextPayloaddownload

16


Thiscodeisusingexec-sc.ps1ofDon'tKillMyCat(DKMC)[11]

(toolong,redacted)

Base64

ThiscodeisMetasploitshellcode

ThiscombinationusedattackCobaltStrikecalled"Beacon"

DecodedScript

CaseWindows:usingCVE-2017-0199exploit

17


CaseWindows:othersattackingtypes

Downloadnextdownloader

Casechm(in2014)

Caseexe(in2016)

.chmfilecontaininmaliciousscript

extract execute

drop&execute

CobaltStrikeBeaconPayloadexecute

decoyfileisopenedandexefileexecute18


CaseMac:usingmaliciousjarfileInfo.zip Info.plist

JavaAppLauncher

ApplicationBundle

Functions:ReadandexecutebundledResume.jarThisapplicationisnotmalicious.ItwassimilartoAppBundlercode.[12]

codesign

19


config

decompile

decoyfile

Resume.jar

readconfig(Flash.dat)andconnecttoC2

saveanddisplaydecoyfile

CaseMac:usingmaliciousjarfile

20


Flash.dat(config)

C2DomainFlag

PortSleepTime

Thisfilecontentencrypt10-bytesXORkey

vps2java[.]securitytactics.com

ThispacketisusingMeterpreter.ItseemsthatMetasploitFrameworkwasrunningontheC2server.

CaseMac:usingmaliciousjarfile

21


Attackisongoing?

ThisIPisPassCVInfrastructures

Isnewspearphishinge-mailattacklaunching?

“eggagent[.]info”used“106.184.5[.]252”andnowused“139.162.95[.]39”ItmightbenewattackInfrastructure

(PassiveTotal)[13]

(DomainTools)[14]22

Aresumeisdisplayedwhenaccessingthedomain




PowerShell Empire improperly used


WhataboutPowerShellEmpirePowerShellEmpire[15]

RunningPowerShellEmpire

24

PowerShellEmpireisapost-exploitationframeworkanditismainlyusinginapenetrationtestandRedTeamAssessment.


PowerShellEmpire:InfectionvectorSpecificUniversityOrganization

ThecontentsoftheZipfilearesuspiciousLNKfilesandRTFfiles

spearphishinge-mail accesstoURLandZipFileDownload

Zipfile

specifiedaccounthasbeenhackd

[16]25


LNK/RTFfiledetailof1stpayloadLNK

RTF

CallPowerShellusingScriptintheHTAfile

Thiscommunicationis443/TCPbut,HTTPisusedinsteadofHTTPS

RTFfilewithCVE-2017-0199exploit

LNKfilewillexecuteMSHTA.exe

26


HTAfiledetailof2ndpayload(caseofLNK)

ThiscodeisPowerShellEmpire

Base64

Responsedata(HTAfile)

DisplayDecoyWebPages

27


PersistencemethodswithPowerShellEmpire

ThisstringBase64decodedresultisEmpirescript

Taskscheduler

Pleasecheckthe“debug”registryvalue

TaskProgramtolunchPowerShell

28


Malwareconnectionandrelatedelements

BothcompaniesprovideWebHostingservice

Wecansee“HTTP/1.0”and“Microsoft-IIS/7.5”intheHTTPresponseheader

ThiscombinationusedEmpireC2Server(listeners/http.py).ItwasrunningasofcheckedonlateAugust2017.

27


Preventionmethodn  PlentyofinitialattackvectorsareSpearPhishingE-mail.

n  Keepup-to-datewithlatestsystems,softwareandusedsecurityproductsn  Educateemployeesonpotentialsecuritythreats&notopeningunknownemail

n  Haveaspecialcareforrecentexploitvectors(DDE,XLLAdd-Ins,etc)whicharehavingverypotentialusagetobeusedinattack.n  DisablingDDE,XLLAdd-InswithMicrosoftOfficesettingsetc.[17]

n  PowerShell,HTA,CHMareoftenusedinthisseriesorsimilarthreats.n  BlockingPowerShell,HTAandCHMwithAppLockerorSRPetc[18][19]

n  Repeatedlyusesimilarattackmethodsandusealmostsameinfrastructure.n  UtilizeThreatIntelligencetools

30


Conclusion

n  RecentAPTattacksareheavilyusingopensourcetoolandhastheincreasingtendensiontomodifytheoriginalsourcecode,sothattheycancorrespondtovariousplatforms.

n  Thepastevidenceshowsusthattheattacksarecontinuingandstillongoingtoonow.

n  FortheinformationsharingwithOPSEConaglobalscale,youaremorethanwelcometocontactus!

31




Thank you. Any Questions ?


1.  https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf2.  https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies3.  https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-

windows-defender-atp/4.  https://packetstormsecurity.com/files/31650/tsh-0.6.tgz.html5.  https://github.com/creaktive/tsh6.  https://github.com/ivyl/rootkit7.  https://www.bluecoat.com/zh-cn/security-blog/2014-07-21/korean-gaming-industry-still-under-fire8.  https://www.protectwise.com/post/winnti-evolution-going-open-source/9.  https://www.metasploit.com/10.  https://www.cobaltstrike.com/11.  https://github.com/Mr-Un1k0d3r/DKMC12.  https://bitbucket.org/infinitekind/appbundler13.  https://community.riskiq.com/14.  https://www.domaintools.com/15.  https://www.powershellempire.com/16.  https://www.jcer.or.jp/center/f.relationship_jp-us.html17.  https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/18.  https://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol32_infra_EN.pdf19.  https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-

attacks-16-en.pdf

Reference

33

open source as fuel of recent apt - hitcon.org · n recent apt attacks are heavily using open...

Documents