Advanced Persistent Threat, or APT, has become a well-known term over the last 5 years. In terms of network security, an attack is considered Advanced if it shows traits that have not been seen before (such as exploiting so-called 0day flaws) or if it is particularly resistant to analysis. One hacking group has stood out from the rest and earned the moniker APT1. They regularly find and exploit flaws previously unseen in the wild. It has led at least one research company, Mandiant, to release a report on the subject (http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf).
Persistence is used in this case to describe how long an attacker has kept a particular attack going. What the threshold for a “persistent” attack is remains unclear. What is clear is that surviving normal cleaning methods (like operating system re-installation) is very possible, so I will use persistence in that sense.
Finally, a Threat is anyone or any organization trying to obtain information or resources that would otherwise be denied to them. This could be stealing files or adding computers to a botnet. It also includes actors who seek to do physical damage (as in the case of Stuxnet).
If you are going to carry out security breaches, having the capabilities of an APT is like having a fully stocked tool chest. These threats are often state sponsored or backed by large bankrolls. Though, if you examine the most recent reports on APT groups (http://icitech.org/know-your-enemies-2-0/), you will see that only a few of them are boasting highly technically advanced malware. I have started to go through the report and research the tools described within it.
Analyzing the CnC information in the ICIT briefs “Know Your Enemies” and “Know Your Enemies 2.0”
The briefing describes what it considers to be the most advanced persistent threats currently active on the interwebs. I would like to discuss some of these because they relate to a topic near and dear to me: botnet architecture. This should be read only as a critique of the systems described, not of the designers, developers, sponsors, or anyone else who might want to attack me for this.
I will be skipping a bunch of actors because it is really like reading the APT1 report over and over again. Some highlights to look up later: Sakurel Trojan, Hurix Trojan, Mivast backdoor, Gresim backdoor, Fexel backdoor, Hikit backdoor, Derusbi malware, ZXShell, Gh0st RAT, etc. etc. It's a veritable who's who of backdoors and RATs. Hikit is the most interesting in my opinion, as it appears to be reserved for higher value targets than others like ZXShell. Here is a better analysis from Cisco on ZXShell as it was used by “Group 72”:
http://blogs.cisco.com/security/talos/opening-zxshell
and one for Hikit from Mandiant:
https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html
Blue Termite/ Cloudy Omega/ Emdivi (according to Kaspersky, the malware is Chinese in origin):
The part of the description that most intrigues me about Blue Termite is this:
“...The backdoor enables a remote adversary to execute commands from a C&C server via HTTP. The malware contains components to search files, delete files, upload files to C2 servers, execute code, acquire a list of running processes, steal auto-complete information and saved credential information from Internet Explorer, and steal the proxy settings of browsers such as Mozilla Firefox...”
Wait, what's a guy gotta do to get an HTTPS CnC around here? Is it wrong to want a more sophisticated exfil method than plain text? The next line, describing the built-in features, can be read to imply that the Blue Termite family used a “Fat Bot, Skinny Server” approach. I would expect a bot with HTTP(S) shell capability to load most of its functions remotely as well. Finally, nothing in that paragraph is outside the realm of any competent programmer. Using a more interchangeable design, someone could develop each of those features into its own module and load them only as needed. It isn't clear from the summary whether this is the case or not.
This malware family apparently comes in two variants, S and T. According to the report:
“...Both types allow the adversary to remotely execute code and to steal credentials stored in Internet Explorer. Both variants also share the same hardcoded C&C infrastructure...”
Hard-coded CnC architecture? Why? I reiterate my modularity argument from above. The maximum amount of information a bot needs hard-coded is a single URL it can expect to receive further instructions from. Using a URL instead of an IP allows the attackers to flux the CnC layer and gain resiliency. Admittedly, the rally point layer is a notoriously weak point in CnC architecture. It just seems that using a URL pool (or a domain name generation algorithm a la Torpig) would make it even harder, if not impossible, to accurately gauge the size of the affected network.
The difference between the two variants comes down to programming language and anti-analysis techniques. The T variant is apparently written in C++ and employs some basic techniques to avoid or complicate analysis (such as encryption), while its S counterpart is a .NET application with no encryption or notable anti-analysis capabilities.
The Elderwood Platform (also considered Chinese in origin)
According to the section on The Elderwood Platform, it:
“...is the name given to a set of zero-day exploits that is either used within a large organization or sold as a package to many attackers.”
If you have ever undertaken the task of finding and exploiting a previously unknown bug, you will stop and read that line twice. They have a whole set of 0days!? Sure, we have seen large security firms (I am looking at you, Hacking Team) sitting on a few 0days centered around hopelessly insecure platforms like Flash before. Perhaps Hacking Team did not develop their 0day capability, but instead purchased it off the deep web. Oddly, the analysis here spends more time theorizing about the monetization scheme than the technical capabilities, which are clearly amazing. Seriously. Go and try a toy problem from smashthestack.org or hackthissite.org, then take the complexity of that and multiply it by 100, and you will have roughly what it takes to find 1 0day in the wild. Now imagine what it takes to consistently pump out new 0days for software which is regularly patched...at least it should be. The last line of this bothers me:
“The platform could contain information gathering tools such as keyloggers, automated domain name and account generators, and an information analysis platform.”
What the hell is this 'could'? Sure it could. It could also contain a bitchin' port of Tetris, but that didn't make the list? It is reasonable to assume any actor capable of producing 0days frequently has the capability of adding these features to its delivery platform. The moral of this story: don't use Flash...or I.E....or Flash in I.E. Something like that. You really can't defend against 0days...yet. Stay tuned for the results of the DARPA Cyber Grand Challenge: August, 2016.
Deep Panda / Black Vine / Pupa (also considered Chinese in origin)
The thing that drew me to this was that they are suspected of developing their own set of trojans (droppers) and RATs. The tools' code is signed using a South Korean company's signature. The fact that it is probably a forged certificate deserves a nod. Having signed DLLs passes a lot of Windows scrutiny right off the bat. However, the MOST notable part of this to me?
“Domains and C2 servers often feature the names of Marvel comic book characters as the register.”
The fact that a large majority of their targets (about 80% according to this paper) have been American makes that a tad ironic to me. Maybe we need to have Stan Lee ask them to stop? All kidding aside, this is actually a signature that may be of some value. Imagine, if you will, a DNS proxy which fetches the WHOIS information for a queried domain and compares it against a list of suspicious registrant names, addresses, etc. before returning the result to the requester. Signature based detection has flaws, of course, but it is one more layer to add.
Putter Panda/ APT2/ PLA Unit 61486
Ajax/ FLYING KITTEN/ Saffron Rose (considered Iranian)
This group's tactics are interesting because they have evolved in a manner that should be familiar to you by now. They went from encrypting data and exfiltrating it over FTP to using HTTP POST requests. Now, this is where I would normally begin to bash HTTP, but I can only assume they did not remove the built-in encryption capability they had, so it isn't as bad as usual. Still, knowing you should encrypt, as they obviously do, HTTPS would have been the better choice. According to the document:
“Ajax relies on the Stealer malware which consists of a backdoor and tools. Using one tool, the attackers can create new backdoors and bind them to legitimate applications.”
Gasp...you mean they too have found The Backdoor Factory on GitHub?! I am frankly amazed they even list this as a capability. Who can't bind a custom backdoor to any legitimate application these days? Going on to describe some of Stealer's capabilities, the document says:
“Stealer collects system data, logs keystrokes, grabs screenshots, collects credentials, cookies, plugin information, and bookmarks from major browsers, and collects email and instant messenger information along with any saved conversations. Stealer also has components that acquire Remote Desktop Protocol (RDP) accounts from Windows vault and collects user browsing history. Data is encrypted using symmetric encryption (AES-256) using a hardcoded encryption key. The information is then exfiltrated using FTP with a built-in client (AppTransferWiz.dll).”
That's actually pretty cool. Using a component model to be more flexible. Taking the time to encrypt the loot before running for the door. They could have done without the hard-coded encryption key, though. One shortcut. As I mentioned, this was their initial M.O., which changed in mid-2014 to include exfiltration over HTTP POST.
Uroburos / Epic Turla/ Snake / SnakeNet (considered E. European)
Uroburos was probably created by the same group that created Agent.BTZ and, in doing so, led to the creation of the United States Cyber Command. Uroburos was discovered in 2014. It is a feature-packed, sophisticated malware capable of hiding its activity. It uses a true kernel-level rootkit, an encrypted virtual file system, and a complex driver to hook the system.
“The Uroburos rootkit is a very advanced and very sophisticated modular malware designed to infect entire networks and exfiltrate confidential data. The sophistication and flexibility of the Uroburos malware suggests that a highly skilled team, who had access to considerable resources, developed it. The significant monetary investment necessary to develop the Uroburos platform suggests that it was developed to target businesses, nation states, and intelligence agencies, rather than average citizens.”
Interestingly, it looks to see if the system is already pwnd by Agent.BTZ. If so, it remains inactive. Code comments, file names, encryption keys, and other indicators also point to related development between the Agent.BTZ and Uroburos malware. Although other possibilities exist, this is what the document suggests and I am inclined to agree. Focusing back on capabilities:
“The virtual file system contains protocol information to exfiltrate information through HTTP (external website with GET and POST requests), through ICMP (ping), through SMTP (email), and through named pipe to another infected system. New libraries and tools can be added by adjusting the built-in queue, without reinstalling the malware.”
Finally. A group that seems to be using the technology available to them. They must want to be really, REALLY sure they can steal whatever it is they're after. A nod to modular design as well. All malware should take this approach to flexibility. The peer-to-peer modular design is resilient, scalable, and reliable.
APT 28/ Sofacy Group/ Sednit Group/ Tsar Team/ Fancy Bear (considered E. European)
Another good architecture here:
“The Sednit platform consists of the SOURFACE/CORESHELL downloader, the EVILTOSS backdoor, and the CHOPSTICK modular implant. SOURFACE (also known as Sofacy) or CORESHELL performs runtime checks and reverse engineering counter operations before verifying that the infected machine matches the system profile of the target. If the target is verified, then the SOURFACE/CORESHELL dropper obtains a second stage backdoor from the C2 server and installs it on the victim’s system. The backdoor, EVILTOSS, is used to steal credentials and execute shellcode. EVILTOSS uploads an RSA public key and encrypts the stolen data. Then the data is sent via email as an attachment. EVILTOSS then delivers CHOPSTICK to the victim’s system and installs it. CHOPSTICK is comprised of custom implants and tools that are tailored to the target system. CHOPSTICK actively monitors the victim’s system by logging keystrokes, taking screenshots, and monitoring network traffic.”
I am surprised that this is the first time we are seeing the use of a pre-loader doing this type of self-defense staging before getting the payload. Methods for detecting virtual machines, attached debuggers, and modified IsDebuggerPresent functions have been around for as long as I have. Sending the data out over email is noisy, though. Even if it is encrypted, the traffic alone would tip off a savvy network administrator.
CosmicDuke/ Tinybaron/ BotgenStudios/ NemesisGemina
Really only mentioning this one because it is super old at this point but still kicking around. As early as 2014, CosmicDuke could exfiltrate the stolen data to hardcoded C&C servers via HTTP(S), FTP, or WebDAV. Finally! An APT willing to take a little time and wrap an HTTPS key around their CnC. Remember, safe hacking means you always wrap it up.
MiniDuke/ OnionDuke
MiniDuke is an uber-malware found by Kaspersky Labs in February 2013. The malware may have been developed as early as 2010. According to the document, MiniDuke is largely written in assembly language. This could indicate that the Russian authors behind it have significant experience in the field. The description of the operation:
“The malware drops in 3 stages that are designed to evade sandbox, virtual, and analysis environments. Checks are processed at each stage before the malware decrypted more of itself. … The downloader determines the system fingerprint and it later uses the information to encrypt its communication with the C&C server. ... the malware will access Twitter as a background process and search for specific tweets from pre-made accounts. ... The tweets, authored by the malware operators, contain tags that correspond to the encrypted URLs where the backdoors are stored. The URLs lead to the C&C servers that contain commands and backdoors as .GIF files. In the event that Twitter is inaccessible, then the malware will run Google search in the background to find the encrypted strings that lead to the next C&C server.”
This inspired me to develop a similar Twitter-based CnC in Python. It will be released along with my other examples in 2016.
In October 2014, Leviathan Security Group disclosed that a Russia-based Tor exit node was attaching malware onto the files that passed through it by wrapping legitimate executables with its own payload (a la Backdoor Factory or similar, I'd bet). OnionDuke does not operate like the other related campaigns; however, it does share some C&C infrastructure with MiniDuke. That is why I lumped them together instead of separating them as in the report. OnionDuke is built to be modular and designed for versatility. As the paper puts it:
“The tools delivered from the C&C server contain the information stealer, a DDOS module, a password stealing module, an information gathering module, and a social network (Vkontakte) spamming component.”
They note as well that the infection of files over Tor fails if the target encrypts their traffic behind a VPN. So, you know, go set up a VPN already, because that is a hearty tool chain.
APT29/ Hammertoss / HammerDuke
The new kids on the block. But they came out swinging in terms of features and tactics. From the write-up:
“APT29 employs anti-forensic techniques, they monitor analysis and remediation efforts, and they rely upon compromised C2C infrastructure. APT29 embeds the Hammertoss commands into images using steganography. APT29 programs Hammertoss to operate to blend into normal target network traffic and normal target network traffic patterns. The group preconfigures Hammertoss to activate after a predetermined date and only communicates during specified hours.”
The bits about stego and intelligently designing the traffic are my favorite. Hiding information in images is not new by any means. However, I think it is a highly under-utilized method for both infiltration and exfiltration. This, and the video 11B-X-1371, have spawned my own module for automatically generating stego communications. I call this method LOSTDOG. It will be released with the rest of the code samples later this year.