operation hangover - black hat 2013
TRANSCRIPT
Operation HangOver: how to outsource your APT development
Jonathan Camp
About Me
• Norman Shark, offices in Oslo and San Diego
• American in Norway FTW!
Overview
• HangOver in 60 seconds
• And I care because?
• Intrusion
• Post-Publication
– OSX exploits in the wild
• Next Steps
Disclaimer: "None of the information contained in this presentation is intended to implicate any individual or entity or suggest inappropriate activity by any individual or entity mentioned"
TL;DR
• Telenor → Norwegian telco; 17 billion dollars
– Went public with intrusion in March 2013
• spear phishing; known exploits; no stealth; no crypto
• Investigation by Norman Shark uncovered extensive landscape of malware, actors, and development patterns
Commoditization, Componentization and Outsourcing
• Targeting government and the private sector
• Many indicators showing Indian origin
TL;DR
Surveillance Platform
Industrial Espionage
National Security Targets
Why is this interesting?
Scale
Lack of sophistication
Organizational aspects
“Script-kiddies += scrum”
Why does this even work?
Telenor Intrusion
Spear phishing email
• Self-extracting ZIP archive containing:
– conhosts.exe and legal operations.doc
Payload
• Minimally obfuscated VB binaries
• Connecting via HTTP port 80 to wreckmove.org
GET /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]
• Observed C&C:
wreckmove.org
infocardiology.biz
enlighten-energy.org
researcherzone.net
151.237.188.167
gadgetscorner.org
Telenor Epilogue
• Seemed like a pretty simple phishing case
• Then a second phishing email was seen:
http://mail.telenor.no-cookieauth.dll-getlogon-reason-0.formdir-1-curl-z2fowaz2f.infocardiology.biz
Telenor Epilogue
Followed by:
internet-security-suite-review.toptenreviews.com.infocardiology.biz
• An exact copy of toptenreviews.com
• And it was hosting a trojaned BitDefender installer
Expansion
Following the trail
• Strong behavioral indicators
• No anti-sandboxing tricks
• Hits in all major public DBs
– VirusTotal, malwr, ThreatExpert
DNS
URL Patterns
VBScript signatures
• Now we have a “pile” of domain names
• Note: no DGA
• Most domains parked or dead
• But not all…
Open Directories!
Treasure Trove
• Additional signed malware
• Keylogs
• Malware naming and embedded documents reveal potential targets
details_for_the_ENRC_Board_Meeting_X10FR333_2012.exe
ENRC__DEBT__INVESTORS__2012__for__your__Reference.docx
agni5_inda's_deadliest_ballistic_nuclear_missile.exe
detail_description_of_ferro_chrome_silicon_and_ferro_chrome.exe
Exploits
Exploits
• No 0-days
• Well-known vulnerabilities
– CVE-2012-0158 - MSCOMCTL.OCX
– CVE-2012-4792 – IE 6-8 use-after-free
– CVE-2012-0422 – Java
• get.adobe.flash.softmini.net
Smackdown
• VisualBasic downloaders
• Similar, simple methods of string obfuscation
Smackdown
D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\NewSmack(sep2012)\miNaPro.vbp
Telenor case:C:\miNaPro.vbp
HangOver aka Hanove
• Second stage malware
• C++
• Recursively scan for Office documents
• Upload via HTTP or FTP
– Commonish UserAgents
• Alternate names from debug paths:
– “HangOver”, “Ron”, “Dragonball”, “Tourist”, “Klogger”, “FirstBlood” and “Babylon”
Targeting
Targeting
• Sinkhole logs
• Strange domain names
• Social engineering attempts
Pakistan
• Two thirds of addresses in logs
GET /sdata/shopx.php?fol=EMBASSYOFPAKIST-Embassy%20of%20Pakistan…
And many more…
• China
• Industrial espionage
– Telenor
• Other possible targets:
– Eurasian Natural Resources Corporation
– Bumi PLC, Indonesia
– Porsche Informatik
– Chicago Mercantile Exchange
Chicago Mercantile Exchange
• cmegroups.net spoofing cmegroup.com
– Same IP as other HangOver C&C
• Complaint filed with WIPO
The disputed domain name had been used by an imposter who has claimed to be the secretary of the Complainant’s president Terrence Duffy. Using the email address “[…]@cmegroups.net” the imposter has requested investment information on the pretext that it was sought by Mr. Duffy.
Attribution
Attribution 101:: Why?
1. Law enforcement – stop the bad guys
Most stringent burden of proof
2. Correlation – expanded gathering of evidence
Concerned with similarity of actors rather than who
Attribution 101:: How?
• Strings– can be faked
• DNS registrations– is not authenticated
• Signed binaries– certificates can be stolen
• Function signatures– benign libraries
• URL/C&C patterns– Copypasta and benign libraries
• OSI (open source intelligence)– Not validated
“The problem with internet quotes is that you can’t always depend on their accuracy” – Abraham Lincoln, 1864
strings FTW
R:\payloads\ita nagar\Uploader\HangOver 1.5.7 (Startup)\HangOver 1.5.7 (Startup)\Release\Http_t.pdb
C:\Users\neeru rana\Desktop\Klogger- 30 may\Klogger- 30 may\Release\Klogger.pdb
C:\Users\Yash\Desktop\New folder\HangOver 1.5.7 (Startup) uploader\Release\Http_t.pdb
...May Payload\new keylogger\Flashdance1.0.2\...
...\Monthly Task\August 2011\USB Prop\...
...\Sept 2012\Keylogger\Release\...
...\June mac paylods\final Klogger-1 june-Fud from eset5.0\Klogger- 30 may\...
...\final project backup\complete task of ad downloader& usb grabber&uploader\...
D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\...
strings FTW
C:\BNaga\backup_28_09_2010\threads tut\pen-backup\BB_FUD_23\Copy of client\ Copy of client\appinbot_1.2_120308\Build\Win32\Release\appinclient.pdb
C:\BNaga\kaam\Appin SOFWARES\RON 2.0.0\Release\Ron.pdb
C:\BNaga\SCode\BOT\MATRIX_1.2.2.0\appinbot_1.2_120308\Build\Win32\Release\deleter.pdb
C:\Documents and Settings\Administrator\Desktop\Backup\17_8_2011\MATRIX_1.3.4\CLIENT\Build\Win32\Release\appinclient.pdb
D:\Projects\Elance\AppInSecurityGroup\FtpBackup\Release\Backup.pdb
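The pivoting the two “strings FTW” slides do by eye can be scripted. The following is an added example, not Norman Shark’s tooling and not code from the talk: it pulls CodeView RSDS debug records out of a binary (the real layout is the “RSDS” signature, a 16-byte GUID, a 4-byte age, then a NUL-terminated path) and groups the paths on the same pivots the slides use: the Windows user name, the top-level working directory, the PDB file stem, and distinctive path tokens. The “binary” here is a constructed byte buffer wrapping paths quoted on the slides; the filler bytes, GUID and age values are assumptions.

```python
import re
from collections import defaultdict

# CodeView RSDS record: "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
PDB_RE = re.compile(rb"RSDS.{20}([ -~]{4,}?\.pdb)\x00", re.DOTALL | re.IGNORECASE)
USER_RE = re.compile(r"^[a-z]:\\(?:users|documents and settings)\\([^\\]+)\\")
ROOT_RE = re.compile(r"^([a-z]:\\[^\\]+)\\")
# Directory names that say nothing about the developer.
STOP = {"users", "documents", "settings", "desktop", "release", "debug",
        "build", "win32", "x64", "projects", "folder", "copy", "client",
        "backup", "new"}


def extract_pdb_paths(blob):
    """Return every PDB path found in RSDS records, in file order."""
    return [m.group(1).decode("latin-1") for m in PDB_RE.finditer(blob)]


def pivots(path):
    """Attribution pivots one path offers, as (kind, value) pairs."""
    low = path.lower()
    keys = set()
    m = USER_RE.match(low)
    if m:
        keys.add(("user", m.group(1)))
    else:
        m = ROOT_RE.match(low)
        if m:
            keys.add(("root", m.group(1)))
    parts = low.split("\\")
    keys.add(("stem", parts[-1][:-4]))        # file name without ".pdb"
    for comp in parts[1:-1]:                   # skip drive letter and file name
        for tok in re.findall(r"[a-z0-9]+", comp):
            if len(tok) >= 4 and tok not in STOP:
                keys.add(("token", tok))
    return keys


def cluster(paths):
    """Group paths that share a pivot; singletons are dropped."""
    groups = defaultdict(set)
    for p in paths:
        for k in pivots(p):
            groups[k].add(p)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Paths quoted on the slides; everything around them is constructed filler.
SAMPLE_PATHS = [
    r"R:\payloads\ita nagar\Uploader\HangOver 1.5.7 (Startup)\HangOver 1.5.7 (Startup)\Release\Http_t.pdb",
    r"C:\Users\neeru rana\Desktop\Klogger- 30 may\Klogger- 30 may\Release\Klogger.pdb",
    r"C:\Users\Yash\Desktop\New folder\HangOver 1.5.7 (Startup) uploader\Release\Http_t.pdb",
    r"C:\BNaga\kaam\Appin SOFWARES\RON 2.0.0\Release\Ron.pdb",
    r"C:\BNaga\SCode\BOT\MATRIX_1.2.2.0\appinbot_1.2_120308\Build\Win32\Release\deleter.pdb",
    r"D:\Projects\Elance\AppInSecurityGroup\FtpBackup\Release\Backup.pdb",
]


def build_sample_blob(paths):
    """Constructed stand-in for a PE image: filler bytes around RSDS records."""
    guid, age = bytes(range(16)), b"\x01\x00\x00\x00"   # assumed values
    blob = b"MZ" + b"\x90" * 64
    for p in paths:
        blob += b"RSDS" + guid + age + p.encode("latin-1") + b"\x00" + b"\xcc" * 16
    return blob


SAMPLE_BLOB = build_sample_blob(SAMPLE_PATHS)

if __name__ == "__main__":
    for key, members in sorted(cluster(extract_pdb_paths(SAMPLE_BLOB)).items()):
        print(key, "->", len(members), "paths")
```

Run against real samples, replace `SAMPLE_BLOB` with the file contents; the stem pivot links the two `Http_t.pdb` builds, the root pivot links the `C:\BNaga` projects, and the token pivot surfaces “hangover” across a user directory and a network drive. Each pivot alone proves little (the slides’ own caveat: strings can be faked), so treat the output as a correlation graph, not an identification.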
Domain Game
• Several hundred names
• Most with private registration
• Correlation muddied by sinkholes and parked domains
• Fingerprint open services (e.g. ESMTP)
Malicious Domains
NITR0RAC3.COM, VALL3Y.COM, S3RV1C3S.NET, GAUZPIE.COM, BLUECREAMS.COM:Registrant: NA Prakash ([email protected]) Jain TY-76, Kohat Enclave Delhi Delhi,110034 IN Tel. +011.9873456756
Non-Malicious Domain (May 2011)
HACKERSCOUNCIL.COM:
Registrant: NA Prakash ([email protected]) Jain TY-76, Kohat Enclave Delhi Delhi,110034 IN Tel. +011.9873456756
Non-Malicious Domain (April 2011)
HACKERSCOUNCIL.COM:
Registrant: Appin Technologies Rakesh Gupta ([email protected]) 9th Floor, Metro Heights,NSP, PitamPura, Delhi Delhi,110034 IN Tel. +91.1147063300
Privacy Fail
PIEGAUZ.NET
Registrant: PrivacyProtect.org Domain Admin ([email protected]) P.O. Box 97 Note - All Postal Mails Rejected, visit Privacyprotect.org Moergestel null,5066 ZH NL Tel. +45.36946676
Domain Suspension
• PrivacyProtect.org provides private DNS registration
Privacy Fail
PIEGAUZ.NET
Registrant: Appin Technologies Rakesh Gupta ([email protected]) 9th Floor, Metro Heights,NSP, PitamPura, Delhi Delhi,110034 IN Tel. +91.1147063300
FAIL
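The “Domain Game” and “Privacy Fail” slides describe one technique: pivot on registrant fields across current and historical WHOIS records, and accept that a privacy-proxy record yields no pivot until an older record for the same domain surfaces. The script below is an added example (not Norman Shark’s tooling and not code from the talk) that does exactly that with union-find over constructed records built from the registrant fields quoted on the slides. The e-mail addresses are redacted on the slides and are deliberately not used as pivots; the observation dates for the undated records, and the example.net / example.org control domains, are assumptions.

```python
import re
from collections import defaultdict

# Strings that mark a privacy/proxy registrant rather than a real party.
PRIVACY_MARKERS = ("privacyprotect", "privacy protect", "domain admin", "proxy")

# Constructed records from the registrant fields quoted on the slides.
# "seen" is the month the record was observed (None = current record);
# only the hackerscouncil.com dates are given on the slides.
RECORDS = [
    {"domain": "nitr0rac3.com", "seen": None, "name": "Prakash Jain", "org": "NA", "phone": "+011.9873456756"},
    {"domain": "vall3y.com", "seen": None, "name": "Prakash Jain", "org": "NA", "phone": "+011.9873456756"},
    {"domain": "s3rv1c3s.net", "seen": None, "name": "Prakash Jain", "org": "NA", "phone": "+011.9873456756"},
    {"domain": "gauzpie.com", "seen": None, "name": "Prakash Jain", "org": "NA", "phone": "+011.9873456756"},
    {"domain": "bluecreams.com", "seen": None, "name": "Prakash Jain", "org": "NA", "phone": "+011.9873456756"},
    {"domain": "hackerscouncil.com", "seen": "2011-05", "name": "Prakash Jain", "org": "NA", "phone": "+011.9873456756"},
    {"domain": "hackerscouncil.com", "seen": "2011-04", "name": "Rakesh Gupta", "org": "Appin Technologies", "phone": "+91.1147063300"},
    {"domain": "piegauz.net", "seen": None, "name": "Domain Admin", "org": "PrivacyProtect.org", "phone": "+45.36946676"},
    {"domain": "piegauz.net", "seen": "unknown", "name": "Rakesh Gupta", "org": "Appin Technologies", "phone": "+91.1147063300"},
    # Constructed controls: one ordinary domain, one that only ever had a proxy record.
    {"domain": "example.net", "seen": None, "name": "Example Registrant", "org": "Example Org", "phone": "+1.5555550100"},
    {"domain": "example.org", "seen": None, "name": "Domain Admin", "org": "PrivacyProtect.org", "phone": "+45.36946676"},
]


def is_privacy_proxy(rec):
    text = (rec["name"] + " " + rec["org"]).lower()
    return any(m in text for m in PRIVACY_MARKERS)


def pivots(rec):
    """Registrant fields usable for correlation; empty for a proxy record."""
    if is_privacy_proxy(rec):
        return set()
    keys = set()
    for field in ("name", "org"):
        val = " ".join(rec[field].lower().split())
        if val and val != "na":
            keys.add((field, val))
    digits = re.sub(r"\D", "", rec["phone"])
    if len(digits) >= 10:                 # compare the subscriber part only
        keys.add(("phone", digits[-10:]))  # so +011./+91. prefix variants still match
    return keys


def cluster_domains(records):
    """Union-find over domains that share any registrant pivot, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}
    for rec in records:
        find(rec["domain"])
        for key in pivots(rec):
            if key in first_seen:
                parent[find(rec["domain"])] = find(first_seen[key])
            else:
                first_seen[key] = rec["domain"]
    groups = defaultdict(set)
    for d in list(parent):
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def proxy_only(records):
    """Domains with no non-proxy record at all: no pivot is available for them."""
    real = {r["domain"] for r in records if not is_privacy_proxy(r)}
    return sorted({r["domain"] for r in records} - real)


if __name__ == "__main__":
    for group in cluster_domains(RECORDS):
        print(len(group), group)
    print("proxy-only:", proxy_only(RECORDS))
```

The current piegauz.net record contributes nothing, but its older Appin Technologies record shares a name, organisation and phone number with the April 2011 hackerscouncil.com record, which in turn shares a registrant with the five malicious domains, so all seven land in one cluster. A domain that has only ever been behind a proxy stays a singleton, which is the honest answer when no history exists.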
Post-Publication
Samples received by Norman Shark that attempt to contact a known HangOver domain
OSX Exploitation and Attribution
Oslo Freedom Forum
• May 16th F-Secure reported new OS X spyware
• Mach-O universal (i386, x86_64)
• Contacted:
– securitytable.org and docsforum.info
– Both seen as part of previous HangOver research
Apple Dev IDs
• Oslo malware was signed with an Apple Dev ID
Image via F-Secure
URL Correlation
• 10 samples with identical Apple Dev IDs
securitytable.org/lang.php
torqspot.org/App/MacADV/up.php?cname=%@&file=%@
docsforum.info/lang.php
liveapple.eu/ADMac/up.php?cname=%@&file=%@&res=%@
URL Correlation
• Search VxDB for php?cname=file=
URL Correlation
• Two different target OSes• Different domains• Same URL pattern
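The talk’s network indicators are all simple shapes: a fixed C&C list, the Smackdown beacon `snwd.php?tp=&tg=&tv=&ts=`, the `up.php?cname=&file=` uploader path shared by the Windows and OS X samples, and hostnames that carry a brand name (telenor, toptenreviews, cmegroup) in front of an unrelated registered domain. The script below is an added example, not Norman Shark’s tooling and not code from the talk, that applies those four checks to proxy-log lines. Hostnames and paths are the ones quoted on the slides; the log format, client addresses and the placeholder query values are constructed, and the two-label registrable-domain heuristic is an assumption that is adequate for the TLDs in the deck but wrong for suffixes such as .co.uk.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C&C hosts named in the talk (Telenor case, sinkholes, OS X samples).
KNOWN_C2 = {
    "wreckmove.org", "infocardiology.biz", "enlighten-energy.org",
    "researcherzone.net", "gadgetscorner.org", "securitytable.org",
    "docsforum.info", "torqspot.org", "liveapple.eu", "cmegroups.net",
}
# Brands that appeared as decoy labels inside attacker-controlled hostnames.
BRANDS = {"telenor": "telenor.no", "toptenreviews": "toptenreviews.com",
          "cmegroup": "cmegroup.com"}


def registrable_domain(host):
    """Last two labels of the host (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Tags for one URL: known C&C, beacon/upload shape, brand lookalike."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    rd = registrable_domain(host)
    qs = parse_qs(parts.query, keep_blank_values=True)
    tags = []
    if rd in KNOWN_C2:
        tags.append("known-c2:" + rd)
    # Smackdown VB downloader beacon: snwd.php?tp=&tg=&tv=&ts=
    if parts.path.endswith("/snwd.php") and {"tp", "tg", "ts"}.issubset(qs):
        tags.append("hangover-beacon")
    # Document uploader seen on both Windows and OS X: up.php?cname=&file=
    if parts.path.endswith("/up.php") and {"cname", "file"}.issubset(qs):
        tags.append("hangover-uploader")
    # Brand name present in the host, but the registered domain is someone else's.
    for brand, real in BRANDS.items():
        if brand in host and rd != real:
            tags.append("lookalike:" + real)
    return tags


# Constructed log lines ("client method url"); hosts and paths are from the deck.
SAMPLE_LOG = """\
10.0.0.12 GET http://wreckmove.org/flaws/snwd.php?tp=1&tg=ID&tv=Error&ts=PLATFORM
10.0.0.12 GET http://mail.telenor.no-cookieauth.dll-getlogon-reason-0.formdir-1-curl-z2fowaz2f.infocardiology.biz/
10.0.0.19 GET http://internet-security-suite-review.toptenreviews.com.infocardiology.biz/
10.0.0.33 POST http://torqspot.org/App/MacADV/up.php?cname=HOST&file=FILE
10.0.0.40 GET http://www.example.com/index.html
"""


def triage(log_text):
    """Return (client, url, tags) for every line that carries an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        client, _method, url = fields
        tags = classify_url(url)
        if tags:
            hits.append((client, url, tags))
    return hits


if __name__ == "__main__":
    for client, url, tags in triage(SAMPLE_LOG):
        print(client, ", ".join(tags), url)
```

The lookalike check is the one worth keeping after the C&C list goes stale: it needs no indicator feed, only the list of brands your users actually log in to, and it catches the `mail.telenor.no-cookieauth...infocardiology.biz` style of phish regardless of which throwaway domain is behind it.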
Code Flow
• Disassembled a few OS X binaries
1. Search for *.doc, *.ppt, *.xls
2. Compress documents
3. POST to server
4. Ensure crontab entry
5. loop
Where now?
Operation HangOver could have been prevented by the most basic of security precautions
Closing questions & comments
MAG2 saw it. Why didn’t AV work?
Signature definitions can lag by days or weeks
Step 1: assume users are dumb specialStep 2: ?
Behavioral (dynamic) analysis is a mandatory component of any security infrastructure
Special Thanks
• Snorre Fagerland & Morten Kråkvik• Norman Shark AMD Team
For more information:
[email protected]
@NormanSec, @irondojo
Black Hat 2013, Booth 321
Full Report: http://normanshark.com/hangoverreport/