DEF CON Demo Lab
Copyright ©2019 JPCERT/CC All rights reserved.
Motivation
(Cartoon, two slides: a sandbox hands its report to a human malware analyst. Speech bubbles: "Perfect!", "That's not what I want…", then "I want configuration data!" and, once the analyst gets it, "Perfect!")
Why do we need malware configuration data?
• Many variants of malware code are almost unchanged; only the configuration data differs.
  • If the configuration data is known, there is no need for static analysis.
• Configuration data contains important information that cannot be obtained by sandbox analysis.
  • Including campaign ID, encryption key, etc.
How to Extract Malware Configuration Data Manually
It's very simple.
Step 1: Malware Analysis
• Understand encryption techniques
• Understand configuration structures
Step 2: Create tool
That's all.
How to Extract PlugX Configuration
In PlugX data, the PlugX main module and configuration are encoded.
(Diagram: the dropper's data holds the encoded PlugX code and config; decoding yields LZNT1-compressed PlugX code and config; LZNT1 decompression yields the PlugX code and config; the decoded code is injected into a process.)
PlugX Encoding Method
PlugX uses a custom encoding method.
(Figure: two samples, config size 0x2540 and config size 0x36A4.)
PlugX Configuration Structure
(Figure: layout of the PlugX configuration structure.)
How to Extract TSCookie Configuration
TSCookie uses only RC4 for encryption.
(Diagram: the TSCookie code carries an RC4-encrypted resource; RC4 decryption yields the decoded TSCookie code and the TSCookie config.)
TSCookie Configuration Structure
(Figure: layout of the TSCookie configuration structure.)
What is MalConfScan?
MalConfScan is a Volatility plugin that extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. MalConfScan searches for malware in memory images and dumps configuration data.
Example (RedLeaves configuration data)
Supported Malware Families
Ursnif, TSCookie, AZORult, Emotet, TSC_Loader, NanoCore RAT, Smoke Loader, xxmm, AgentTesla, PoisonIvy, Datper, FormBook, CobaltStrike, Ramnit, NodeRAT, NetWire, HawkEye, njRAT, PlugX, Lokibot, TrickBot, RedLeaves, Bebloh, Remcos, QuasarRAT, AsyncRAT, WellMess, ELF_PLEAD
Question
Why use Volatility?
Advantages of Dumping Configuration Data from Memory
No Need to Unpack
• Unpacking malware is not necessary when extracting configuration data.
No Need to Decode
• Configuration data may be already decoded.
• No need to know how to decrypt configuration data.
In Addition
This tool also dumps more than configuration data if needed:
• Configuration Data
• Decoded Strings
• DGA Domains
Example (Bebloh configuration data and DGAs)
Example (FormBook decoded strings)
Additional Feature
The malstrscan function can list the strings to which the hollowed process refers.
Configuration data is usually encoded by the malware.
Most malware writes the decoded configuration data to memory.
This feature lists the decoded configuration data when possible.
Example
More Additional Feature
linux_malconfscan searches for malware in Linux OS memory images and dumps configuration data.
Few malware families are supported: WellMess, ELF_PLEAD.
DEMONSTRATION
How to Use
MalConfScan Wiki
https://github.com/JPCERTCC/MalConfScan/wiki
Next Stage
Automation!
What is MalConfScan-with-Cuckoo?
MalConfScan-with-Cuckoo is a Cuckoo Sandbox plugin for MalConfScan.
The plugin adds a function that extracts known malware's configuration data from the memory dump and adds the MalConfScan report to Cuckoo Sandbox.
How it Works
This tool uses Cuckoo's memory dump function to extract configuration data of executed malware from memory dumps.
Overview
(Figure: architecture overview.)
GUI
(Figure: screenshot of the GUI.)
Anti-Analysis
Anti-analysis functions disturb analysis in the sandbox. Some malware has these functions, e.g. Ursnif variants (targeting Japan).
Anti-analysis techniques
• Generic: language settings, execution after reboot, total physical memory, count of processors, etc.
• Virtualization: CPUID (CPU brand, virtualization setting, etc.), device info (device name, MAC address, etc.), registry keys, etc.
• Processes: process name (wireshark, OllyDbg, Process Monitor, etc.)
How to bypass anti-analysis
Configure your VM.
How to configure your VM
Ursnif has several anti-analysis functions:
• CPU Brand Detection
• Device Name Detection
• Debugger Detection
• Boot-time Detection
Anti-Analysis: CPU Brand Name Detection
Execute the CPUID instruction to dump the CPU brand name.
Check whether the CPU brand name includes "XEON".
mov eax, 80000002h / 80000003h / 80000004h
cpuid  ; __cpuid() with leaves 0x80000002 to 0x80000004 returns the brand string
Anti-Anti-Analysis: Fake the CPU Brand Name (VMware)
Fake the return value of CPUID with the VM configuration. Insert the following settings into your .vmx file (each value is one 32-bit register, written bit 31 first):
cpuid.80000002.0.eax = "0110:0101:0111:0100:0110:1110:0100:1001"
cpuid.80000002.0.ebx = "0010:1001:0101:0010:0010:1000:0110:1100"
cpuid.80000002.0.ecx = "0111:0010:0110:1111:0100:0011:0010:0000"
cpuid.80000002.0.edx = "0100:1101:0101:0100:0010:1000:0110:0101"
cpuid.80000003.0.eax = "0011:0101:0110:1001:0010:0000:0010:1001"
cpuid.80000003.0.ebx = "0011:0101:0101:1001:0011:0111:0010:1101"
cpuid.80000003.0.ecx = "0101:0000:0100:0011:0010:0000:0011:0100"
cpuid.80000003.0.edx = "0010:0000:0100:0000:0010:0000:0101:0101"
cpuid.80000004.0.eax = "0011:0000:0011:0010:0010:1110:0011:0001"
cpuid.80000004.0.ebx = "0000:0000:0111:1010:0100:1000:0100:0111"
cpuid.80000004.0.ecx = "0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.80000004.0.edx = "0000:0000:0000:0000:0000:0000:0000:0000"
Before / After
(Figure: the CPU brand name as seen inside the guest before and after the .vmx change.)
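The .vmx masks above are just the 48-byte CPUID brand string (leaves 0x80000002 to 0x80000004, registers EAX, EBX, ECX, EDX, each register's four bytes in little-endian order) written as 32-bit binary literals. The following is an added example, not code from the slides or from MalConfScan, that decodes the masks on the slide back to the brand string they encode (they spell "Intel(R) Core(TM) i5-7Y54 CPU @ 1.20GHz"), generates masks for any brand string you choose, and applies the substring check the slide attributes to Ursnif. The sample .vmx text is constructed inline from the slide; the case-insensitive "XEON" match is an assumption, since the slide does not say how the comparison is done.

```python
# Added example (not from the JPCERT/CC slides or MalConfScan): decode and
# generate VMware .vmx "cpuid.8000000[2-4].0.<reg>" masks for the CPU brand
# string, and apply the "XEON" substring check the slide attributes to Ursnif.
import re

LEAVES = (0x80000002, 0x80000003, 0x80000004)
REGS = ("eax", "ebx", "ecx", "edx")

# Constructed sample: the .vmx lines shown on the slide.
VMX_SAMPLE = """
cpuid.80000002.0.eax = "0110:0101:0111:0100:0110:1110:0100:1001"
cpuid.80000002.0.ebx = "0010:1001:0101:0010:0010:1000:0110:1100"
cpuid.80000002.0.ecx = "0111:0010:0110:1111:0100:0011:0010:0000"
cpuid.80000002.0.edx = "0100:1101:0101:0100:0010:1000:0110:0101"
cpuid.80000003.0.eax = "0011:0101:0110:1001:0010:0000:0010:1001"
cpuid.80000003.0.ebx = "0011:0101:0101:1001:0011:0111:0010:1101"
cpuid.80000003.0.ecx = "0101:0000:0100:0011:0010:0000:0011:0100"
cpuid.80000003.0.edx = "0010:0000:0100:0000:0010:0000:0101:0101"
cpuid.80000004.0.eax = "0011:0000:0011:0010:0010:1110:0011:0001"
cpuid.80000004.0.ebx = "0000:0000:0111:1010:0100:1000:0100:0111"
cpuid.80000004.0.ecx = "0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.80000004.0.edx = "0000:0000:0000:0000:0000:0000:0000:0000"
"""

_LINE = re.compile(
    r'^\s*cpuid\.([0-9a-fA-F]+)\.0\.(eax|ebx|ecx|edx)\s*=\s*"([01:]+)"', re.M)


def parse_vmx_cpuid(vmx_text):
    """Return {(leaf, reg): 32-bit int} for every cpuid.<leaf>.0.<reg> mask line.
    VMware writes the mask with bit 31 first, so after dropping the ':'
    separators the value is an ordinary big-endian binary literal."""
    masks = {}
    for leaf, reg, bits in _LINE.findall(vmx_text):
        bits = bits.replace(":", "")
        if len(bits) != 32:
            raise ValueError(f"mask for {leaf}.{reg} has {len(bits)} bits, expected 32")
        masks[(int(leaf, 16), reg)] = int(bits, 2)
    return masks


def brand_from_masks(masks):
    """Reassemble the brand string: leaves 0x80000002..0x80000004, registers
    EAX, EBX, ECX, EDX, each register's 4 bytes in little-endian order.
    Missing registers read as zero, like an unpopulated mask."""
    raw = b"".join(masks.get((leaf, reg), 0).to_bytes(4, "little")
                   for leaf in LEAVES for reg in REGS)
    return raw.split(b"\x00", 1)[0].decode("ascii")


def masks_from_brand(brand):
    """Inverse of brand_from_masks: pack any brand string (max 47 bytes,
    NUL-padded to 48) into the 12 register values."""
    raw = brand.encode("ascii")
    if len(raw) > 47:
        raise ValueError("brand string must fit in 47 bytes plus NUL")
    raw = raw.ljust(48, b"\x00")
    masks = {}
    offset = 0
    for leaf in LEAVES:
        for reg in REGS:
            masks[(leaf, reg)] = int.from_bytes(raw[offset:offset + 4], "little")
            offset += 4
    return masks


def to_vmx(masks):
    """Render the 12 masks as .vmx lines in the nibble-grouped format VMware uses."""
    lines = []
    for leaf in LEAVES:
        for reg in REGS:
            bits = format(masks[(leaf, reg)], "032b")
            grouped = ":".join(bits[i:i + 4] for i in range(0, 32, 4))
            lines.append(f'cpuid.{leaf:x}.0.{reg} = "{grouped}"')
    return "\n".join(lines)


def looks_like_server_cpu(brand):
    """The check the slide describes: does the brand string contain "XEON"?
    Assumption: the comparison is case-insensitive (real brand strings use "Xeon")."""
    return "XEON" in brand.upper()


if __name__ == "__main__":
    masks = parse_vmx_cpuid(VMX_SAMPLE)
    brand = brand_from_masks(masks)
    print(brand, "->", "flagged" if looks_like_server_cpu(brand) else "ok")
    # Generating masks for a brand of your own choice is the same call:
    print(to_vmx(masks_from_brand("AMD Ryzen 5 3600 6-Core Processor")))
```

Pick a brand string that matches the rest of the guest's story (core count, clock, chipset in the device names); a desktop-class brand on a VM that still reports a VMware SCSI disk or a VMware MAC prefix is exactly the inconsistency the other checks on the next slides look for.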
Anti-Analysis: Device Name Detection
Call a Win32 API to get the device name.
Check whether the device name includes specific strings.
Anti-Anti-Analysis: Modify the Device Name (VMware)
Modify the device name. Insert the following settings into your .vmx file:
scsi0:0.productID = "Toshiba SSD"
scsi0:0.vendorID = "Toshiba"
scsi1:0.productID = "Toshiba SSD"
scsi1:0.vendorID = "Toshiba"
Recommended settings for Anti-Anti-Analysis
• Do NOT use VMware Tools or VirtualBox Guest Additions.
• Use a local-language OS for the VM.
• Modify the CPUID response.
• Modify the device name.
• Modify the NIC (MAC address).
DEMONSTRATION
How to Use
MalConfScan-with-Cuckoo wiki
https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki
We are going to Volatility3!
MalConfScan will support Volatility3.
https://github.com/JPCERTCC/MalConfScan/tree/Volatility3
Contact
@jpcert_en
[email protected]
https://www.jpcert.or.jp/english/pgp/
https://github.com/JPCERTCC/MalConfScan
https://github.com/JPCERTCC/MalConfScan-with-Cuckoo
Thank you!