Embed Size (px)
Citation preview
INDUSTROYERAnton Cherepanov / @cherepanov74
Robert Lipovsky / @Robert_Lipovsky
Robert Lipovsky
Senior Malware Researcher
@Robert_Lipovsky
Anton Cherepanov
Senior Malware Researcher
@cherepanov74
ICS-targeting malware
The story of INDUSTROYER: Ukrainian blackout
INDUSTROYER analysis
Potential impact
AGENDA
ICS
MALWARE OPERATOR INDUSTRIAL SITEINTERNET
ICS-targeting malware
ICS
INDUSTROYER
MALWARE OPERATOR INDUSTRIAL SITEINTERNET POWER DISTRIBUTION COMPANY
Industroyer
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
23 Dec 2015
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
C&C
Network Scanner
File Stealer
Password Stealer
Keylogger
Screenshots
Network Discovery
BlackEnergyCORE
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
Blackout in Ukraine
ESET begins analysis
Initial report finished
Further research
Industroyer report goes public
17 Dec 2016
A few days later
12 Jun 201718 Jan 2017
STUXNET HAVEX BLACKENERGY INDUSTROYER2010 2014 2015 2016
INDUSTROYER
Main Backdoor
ICS
INDUSTROYER
MALWARE OPERATOR INDUSTRIAL SITEINTERNET POWER DISTRIBUTION COMPANY
Industroyer
Main Backdoor
Main Backdoor
Main backdoor – List of commands
Execute process
Execute process using specified user account
Download file from C&C server
Copy & upload file
Execute shell command
Execute shell command using specified user account
Quit
Stop service
Stop service using specified user account
Start service using specified user account
Replace "Image path" registry value for specified service
Main Backdoor
Main Backdoor
Main backdoor – List of commands
Execute process
Execute process using specified user account
Download file from C&C server
Copy & upload file
Execute shell command
Execute shell command using specified user account
Quit
Stop service
Stop service using specified user account
Start service using specified user account
Replace "Image path" registry value for specified service
Copy & upload file
MAIN BACKDOOR -> VBS -> MS SQL -> CSCRIPT -> VBS
Set cmd = CreateObject("ADODB.Command")
cmd.ActiveConnection = mConnection
cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;RECONFIGURE; END;"
cmd.Execute
cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; END;"
cmd.Execute
Main Backdoor
Main Backdoor
Main backdoor – List of commands
Execute process
Execute process using specified user account
Download file from C&C server
Copy & upload file
Execute shell command
Execute shell command using specified user account
Quit
Stop service
Stop service using specified user account
Start service using specified user account
Replace "Image path" registry value for specified service
Replace "Image path" registry value for specified service
Main Backdoor
Main Backdoor
DOS TOOL
Port ScannerPort Scanner
Additional Backdoor
EXEC xp_cmdshell 'C:\intel\port.exe -ip=%IP_ADDRESS%
-ports= 2404, 21845, 445, 135';
135 - RPC Locator service
445 – SMB
2404 - IEC 60870-5-104
21845 - webphone
700 – Extensible Provisioning Protocol over TCP
701 – Link Management Protocol
1433 – MS SQL Server default port
1521 – nCube License Manager / Oracle dB
DOS TOOL
Main Backdoor
Main Backdoor
Port ScannerPort Scanner
Additional Backdoor
Launcher
Malware impact: PAYLOADS
Malware impact: PAYLOADS
Malware impact: PAYLOADS
DOS TOOL
101 Payload 104 Payload 61850 Payload OPC DA Payload
Main Backdoor
Main Backdoor
Port Scanner
17 Dec 2016 - 22:27 (UTC)
Launcher
Additional Backdoor
101 Payload 104 Payload 61850 Payload
• Serial
• IOA (Information Object Address) ranges
• single command (C_SC_NA_1)
• double command (C_DC_NA_1)
• OFF -> ON -> OFF
OPC DA Payload
• TCP/IP
• Modes:
• Range
• Shift
• Sequence
101 Payload 104 Payload 61850 Payload OPC DA Payload
101 Payload 104 Payload 61850 Payload OPC DA Payload
101 Payload 104 Payload 61850 Payload OPC DA Payload
101 Payload 104 Payload 61850 Payload OPC DA Payload
101 Payload 104 Payload 61850 Payload OPC DA Payload
• Auto-discovery
• CSW, CF, Pos, and Model
• CSW, ST, Pos, and stVal
• CSW, CO, Pos, Oper, but not $T
• CSW, CO, Pos, SBO, but not $T
101 Payload 104 Payload 61850 Payload OPC DA Payload
• Discovers OPC servers
• COM interfaces:
• IOPCServer
• IOPCBrowseServerAddressSpace
• IOPCSyncIO
• ctlSelOn (Select on command)
• ctlSelOff (Select off command)
• ctlOperOn (Operate on command)
• ctlOperOff (Operate off command)
• \Pos and stVal (Switch position status)
101 Payload 104 Payload 61850 Payload OPC DA Payload
101 Payload 104 Payload 61850 Payload OPC DA Payload
Github: https://github.com/eset/malware-research/tree/master/industroyer
• Identifies OPC Data Access LIBIDs, CLSIDs, IIDs in binary
• Creates OPC DA structures and enums in IDA Pro
• Can be used for general purpose reverse engineering
101 Payload 104 Payload 61850 Payload OPC DA Payload
Before
101 Payload 104 Payload 61850 Payload OPC DA Payload
After
Malware impact: DENIAL OF SERVICE
Malware impact: DATA WIPER
DOS TOOL
101 Payload 104 Payload 61850 Payload OPC DA Payload
Main Backdoor
Main Backdoor
Port Scanner
Launcher
Additional Backdoor
Data Wiper
ABB PCM600
ABB MicroScada
Signal Cross References
Substation Configuration Language
Substation Configuration Description
Configured IED Description
! Global Threat
! Dangerous Attacker
! Unfulfilled potential
TAKE AWAYS
Thank you! Questions?
@cherepanov74
@Robert_Lipovsky
