I am back for part 2 of the analysis breakdown of the ICIT APT briefing. After an excellent discussion on the topic of malware evolution with someone from the Malwarebytes team, I think it is time to finish what I started several weeks ago. Here is the second half of my analysis of the APT report.
SeaDuke
Ah, yes. Another Duke. But so far this is my favorite Duke: firstly because it shows an evolution in the controllers' methodology, but primarily because the evolution they have undergone is one that really strengthened the Duke strain's survivability.
According to the report:
“The main difference between SeaDuke and its sister campaigns is that SeaDuke focuses on a small number of high-value targets. Additionally, of the Duke malware, SeaDuke alone is programmed in Python.”
Yeah! Finally someone is writing code in a language that is younger than I am. Python is, in my opinion, the best general purpose language... if your general purpose is hackery.
The CnC architecture is a large, multi-layered, presumably fast-fluxed, centralized design. It relies on roughly 200 compromised web servers to host the HTTP(S) rally points. The description of the multi-layered encryption is also intriguing:
“...several layers of RC4 and AES encryption and Base64 encoding techniques. These extra obfuscation measures may be an attempt to remain undiscovered and thereby remove the attention on the Duke campaigns.”
Okay, setting aside the last part about trying to obfuscate the communication, the fact that they are using multiple encryption schemes and wrapping it all in HTTPS deserves a nod. They certainly want to protect their exfiltrated data.
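To make "several layers of RC4 and Base64" concrete from the analyst's side of the wire, here is an added example; it is not code from the ICIT report or from SeaDuke, and it is in Python only because that is the language the report says SeaDuke is written in. It assumes the RC4 key has already been recovered from the sample (the key and the beacon below are constructed for the demonstration, not real SeaDuke values) and peels a captured blob one layer at a time, recording the wrapping order as it goes. The AES layer the report mentions is not reproduced, since the standard library has no AES; when the decoder reaches a layer it cannot strip it says so instead of emitting garbage.

```python
"""Unwrap the Base64/RC4 layers on a captured beacon (added example, not SeaDuke code)."""
import base64
import binascii
import math
from typing import List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts or decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, well under 6 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_base64(data: bytes) -> bool:
    """Strict check: alphabet-only, padded length, decodes cleanly."""
    stripped = data.strip()
    if not stripped or len(stripped) % 4:
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def looks_like_plaintext(data: bytes) -> bool:
    """Stop condition: almost all printable ASCII and low entropy."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95 and shannon_entropy(data) < 6.0


def peel_layers(blob: bytes, rc4_key: bytes, max_layers: int = 8) -> Tuple[bytes, List[str]]:
    """Strip Base64 and RC4 layers in whatever order the sample applied them.

    Returns the innermost data and the list of layers removed. An RC4 layer is
    only accepted when its output is something we recognise (Base64 or text),
    so a wrong key or an unsupported cipher is reported as "unknown".
    """
    layers: List[str] = []
    current = blob
    for _ in range(max_layers):
        if looks_like_base64(current):
            current = base64.b64decode(current.strip(), validate=True)
            layers.append("base64")
            continue
        if looks_like_plaintext(current):
            break
        candidate = rc4(rc4_key, current)
        if looks_like_base64(candidate) or looks_like_plaintext(candidate):
            current = candidate
            layers.append("rc4")
            continue
        layers.append("unknown")  # e.g. the AES layer this decoder does not handle
        break
    return current, layers


# Constructed sample, not real SeaDuke traffic or keys: base64(rc4(base64(beacon))).
CONSTRUCTED_KEY = b"key-recovered-from-sample"
CONSTRUCTED_BEACON = b'{"id":"host-42","cmd":"idle","ver":1}'


def build_constructed_sample() -> bytes:
    inner = base64.b64encode(CONSTRUCTED_BEACON)
    return base64.b64encode(rc4(CONSTRUCTED_KEY, inner))


if __name__ == "__main__":
    data, layers = peel_layers(build_constructed_sample(), CONSTRUCTED_KEY)
    print("layers removed:", layers)
    print("innermost data:", data)
```

The design point is the acceptance test on each RC4 peel: the decoder only keeps a layer when what comes out is recognisably Base64 or text, so the `layers` list doubles as a record of the wrapping order for the report, and a blob that stops at `unknown` is one where a key is missing or another cipher sits in the stack.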
Cloud Duke
Okay, I swear this is the last Duke... for now. Is it possible to be a fan of a malware family? The code behind the Duke campaigns is as close to a live competitor as I have ever seen. With the SeaDuke campaign it appears the malware tried one evolution to shake loose the attention of the security community. However, with Cloud Duke the actors have switched arenas entirely.
“The CloudDuke malware is comprised of a downloader, a loader, and two backdoors, which download and execute from either a web address or from a Microsoft OneDrive account. The malware maps a OneDrive cloud storage drive as a network drive using hardcoded credentials and then it downloads its backdoors to the local system. The downloader may also download and execute additional malware.”
Aside from hard-coding credentials, Cloud Duke makes a great centerpiece for a campaign. Downloaders should be more popular, as they make great places to do sandbox/VM checks. The best delivery would then be an infected installer, something like the Backdoor Factory or Veil-Evasion doing live intercepts on a man-in-the-middle network (or Tor exit node poisoning).
“CloudDuke’s backdoor functionality resembles that of SeaDuke. One backdoor will contact a preconfigured C&C server while the other relies on a Microsoft OneDrive account. As per its name, CloudDuke uses cloud storage services for its command and control infrastructure as well as its data exfiltration method.”
The OneDrive account is cool; they probably want to add another layer to the CnC to deliver new credentials to the bot, say an NTP or DNS server which responds to bots with the credentials to use. Also, there are other cloud services that could be used in cases where OneDrive is not accessible. Skype, Google Drive, and S3 buckets all make excellent cloud file system options as well.
Carbanak
This section is more interesting to me than the group's technology is. The report on this group's methods reads more like a political dissection than an APT assessment.
“The Carbanak group is particularly significant because it demonstrates how the dangerous escalation of sophisticated cyber exploit kits, perpetuated by state sponsored groups and government agencies, has guided the development of complex and demonstratively effective criminal platforms that can financially harm private organizations and individuals alike. Consider that the Carbanak group stole an estimated $1 billion in less than 6 months.”
Equation
This group has some interesting methods. Most notable to me is GrayFish. In the sea of similar malware platforms, this one stands out as wholly different. According to the writing:
“When an infected system is powered on, GRAYFISH injects code into the boot record so that it can control every stage of the Windows launch process. GRAYFISH, its virtual file system, its stolen information, and its functional modules are stored in the registry of the system. Because everything is stored in the registry and GRAYFISH and its modules are dynamically decrypted and executed by the bootkit, there are no malicious executables contained in the user’s filesystem. This means that the user cannot detect the GRAYFISH malware on the system; at least not with traditional anti-malware tools.”
That's ingenious if you ask me. Storing everything in registry keys instead of files and executables. One would need to be running a registry monitor with a previous snapshot to catch the changes. Infecting the boot record to run everything shows a considerable amount of skill as well.
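The registry-monitor-with-a-previous-snapshot idea is straightforward to sketch. What follows is an added example, not anything from the ICIT report: it parses two `reg export` style snapshots (the two exports below are constructed for the demonstration, not taken from a real host) and reports new keys, new or changed values, and separately any new or modified value above a size threshold, since a platform that keeps its modules and virtual file system in the registry has to park sizeable blobs somewhere. It assumes the exports have been decoded from UTF-16LE to text before being passed in.

```python
"""Diff two .reg exports and flag newly planted binary blobs (added example)."""
import re
from typing import Dict, List

Snapshot = Dict[str, Dict[str, bytes]]  # key path -> {value name -> raw bytes}

_HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(.*)$")


def _decode_value(data: str) -> bytes:
    """Turn the right-hand side of a .reg line into raw bytes."""
    m = _HEX_RE.match(data)
    if m:  # hex:, hex(2):, hex(7): ... comma-separated bytes
        return bytes.fromhex(m.group(1).replace(",", ""))
    if data.startswith("dword:"):  # dword:0000000a, stored little-endian
        return int(data[6:], 16).to_bytes(4, "little")
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1]).encode()  # unescape \" and \\
    return data.encode()


def parse_reg_export(text: str) -> Snapshot:
    """Parse .reg text (already decoded from UTF-16LE) into {key: {name: bytes}}."""
    joined: List[str] = []
    for raw in text.splitlines():  # trailing backslash = value continues on next line
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + raw.strip()
        else:
            joined.append(raw.rstrip())
    snap: Snapshot = {}
    current = None
    for line in joined:
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snap.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        snap[current][name] = _decode_value(data)
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot, blob_threshold: int = 4096) -> Dict[str, list]:
    """Report what appeared or changed; large_blobs is the list to read first."""
    report: Dict[str, list] = {"new_keys": [], "new_values": [], "changed_values": [], "large_blobs": []}
    for key, values in after.items():
        if key not in before:
            report["new_keys"].append(key)
        for name, data in values.items():
            old = before.get(key, {}).get(name)
            if old is None:
                report["new_values"].append((key, name, len(data)))
            elif old != data:
                report["changed_values"].append((key, name, len(old), len(data)))
            if old != data and len(data) >= blob_threshold:
                report["large_blobs"].append((key, name, len(data)))
    return report


# Constructed snapshots, not from any real host: a 5000-byte value appears under
# a made-up CLSID and an existing small binary value is modified.
BEFORE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor]
"Version"="1.0"
"Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Settings]
"Blob"=hex:00,01,02,\\
  03,04
"""

_PLANTED_BLOB = ",".join(["4d"] * 5000)  # constructed stand-in for a stored module
AFTER_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor]
"Version"="1.0"
"Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Settings]
"Blob"=hex:00,01,02,03,05

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{CONSTRUCTED-GUID}]
"Module0"=hex(3):""" + _PLANTED_BLOB + "\n"


def run_example() -> Dict[str, list]:
    return diff_snapshots(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG))


if __name__ == "__main__":
    for section, entries in run_example().items():
        print(section, entries)
```

On a real host the interesting part is choosing what to snapshot: the hives a bootkit can reach before user mode comes up, diffed against a baseline taken from known-good media, so the comparison itself is not running on top of the thing it is looking for.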
“During the bootup process, GRAYFISH processes through 4-5 layers of decryption where each layer triggers the execution of the next layer of decryption. If all of the layers successfully decrypt, then GRAYFISH executes its code and the malware silently runs on the machine. If even one layer fails to decrypt during launch, then GRAYFISH proceeds to delete itself from the system. This technique confounds analysis and makes GRAYFISH infection difficult to discover because the malware might delete itself the moment the user detects anomalous behavior and begins diagnostic procedures.”
Moker
Moker is interesting to me because it could represent the first time we have seen the emergence of an APT, rather than discovering it after the fact. Moker uses a highly sophisticated RAT, with a healthy amount of anti-analysis heaped in for good measure. The brief describes it as:
“A RAT is not an APT. Malware is the tool that supports the APT campaign. However, enSilo contends that the RAT is complex enough to suggest that it may be developed and deployed by an emerging APT group. The quality of the code is high. The code checks its return values, validates its pointers, handles its exceptions, and prevents buffer overflows. The malware also contains obfuscation measures to inhibit deconstruction and analysis attempts.”
If nothing else, I give them an A for their coding habits. How many bot masters do you think worry about validating returns and gracefully handling exceptions? It's like as soon as something “hackerish” comes along, all the standards get tossed out with the rules. This does create a noticeable signature, though: good coding practices will stand out. It hasn't seemed to generate much intelligence for the security firm enSilo, however.
“Neither the identity of the developer of the malware nor the infection vectors are known. The malware targets the operating system of Microsoft Windows hosts. The single sample of the malware discovered communicated with a domain that corresponded to an HTTP server in Montenegro.”
All that work, and you go with hard-coding a rally point? Sure, it is in Montenegro, probably behind some bulletproof hosting... but just one? Two words for you: redundant failsafes.
Conclusion
There you have it. The best of the worst, laid out for you to study. I think the main take-away here is that the effectiveness of spear phishing has not waned. Indeed, even the groups that have been sitting on a pile of 0-day exploits still deliver their foothold attempts via targeted email campaigns. As defenders we need to get better at identifying and mitigating the user actions that allow footholds to be gained.
On the other side of the table, attackers need to stop being lazy. Encryption isn't scary, guys, and I don't just mean HTTPS either. Look back through the list and see all the groups using RC4, RC5, AES, etc. This should be our minimum expectation for something to be considered an “Advanced” threat. What is advanced about having a rootkit (even writing one is no longer arcane knowledge) or an HTTP bot? HammerToss is advanced, and the group behind it is advanced, because it has chosen to deliver HammerToss in an innovative and effective manner. If all of our attackers were this creative we, as defenders, would find ourselves being pushed to try harder and come up with better defenses as well.