HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS FOR FUN AND NON PROFIT Ladislav Baco @ladislav_b


Page 1: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS

FOR FUN AND NON PROFIT

Ladislav Baco (@ladislav_b)

Page 2: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

AGENDA

• Introduction: a poor man’s toolkit

• Malware samples: Advanced search

• Analysis of Cobalt Strike sample

• Investigation of C&C infrastructure

• Findings and Summary

2

Page 3: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

INTRO: WHOAMI

• Ladislav Bačo

• Senior Security Consultant and Malware Analyst

• 10+ years in cyber security, computer science and education

• Head of Research Department @IstroSec

• Former Director of R&D @LIFARS

• Former Head of Cyber Threat Analysis Dept. @CSIRT_SK

• Practical hands-on with real APT attacks

3

Page 4: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

A POOR MAN’S TOOLKIT: MOTIVATION

• Threat Intelligence + OSInt resources

– What about price?

• Even students/amateurs/enthusiasts can analyze APT

– Lots of malware samples available

• What about yet unknown and ongoing campaigns?

– YES, it is possible. For FREE :-)

4

Page 5: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

A POOR MAN’S TOOLKIT: RESOURCES

• Malware Samples

– Online repositories, e.g. Malware Bazaar and vx-underground

• Malware Feeds + Advanced search capabilities

– Hybrid-Analysis, Any.Run, Tria.ge

– VirusTotal relations and graphs

5

Page 6: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

A POOR MAN’S TOOLKIT: RESOURCES + TOOLS

• Threat Intel platform

– YETI

• Twitter

– Feeds + search

– Tweettioc.com, twint

6

Page 7: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

A POOR MAN’S TOOLKIT: MALWARE HUNTING

• Advanced Search + Filters

– Hybrid-Analysis

– Any.Run

– String search

– YARA rules

– Twint

7

Page 8: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

A POOR MAN’S TOOLKIT: MALWARE HUNTING

• Twint

8

Page 9: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

A POOR MAN’S TOOLKIT: C&C HUNTING

• Advanced Search + Filters + History

– Shodan

– Censys

– Web Archive

9

Page 10: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

A POOR MAN’S TOOLKIT: C&C HUNTING

• Shodan tip: search by hash

– http.favicon.hash

10

Page 11: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING: INTERESTING SAMPLES

• APT-like attacks targeting specific industry/government

– Much easier to find among sample submissions from small country

– Any.Run country filter :-)

11

Country         Population  No. of pages
Austria         8.86M       209
Belgium         11.46M      215
Czech Republic  10.65M      205
Germany         83.02M      1506
Hungary         9.77M       216
Netherlands     17.28M      595
Poland          37.97M      1606
Slovakia        5.45M       60
United States   328.24M     17269

Page 12: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING: WHERE THE FUN BEGINS

• Personal research in March 2021

• Malware samples submitted from Slovakia

12

Page 13: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING: “NSA” ISO SAMPLE

13

• “Aktualizácia” = Update

• “NBU” = NSA in Slovakia

Page 14: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE ANALYSIS: “NSA” ISO SAMPLE

• ISO contains LNK and DLL file

• LNK executes command:

C:\Windows\System32\rundll32.exe diassvcs.dll InitializeComponent

• LNK accessed 13 min before the ISO was created

– Probably no automation in packing process

14

Page 15: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE ANALYSIS: DLL FILE

• diassvcs.dll

• Loader/packer with anti-analysis protections

• Unpacking routine

– Decryption loops

– VirtualProtect

• Unpacked payload

– Another DLL file

15

Page 16: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE ANALYSIS: UNPACKED PAYLOAD

• DLL file without standard MS-DOS header

• Malformed/modified header

– Used as a part of shellcode

● e.g. Metasploit Meterpreter

16

Page 17: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE ANALYSIS: COBALT STRIKE BEACON

• Payload => Cobalt Strike Beacon

• Configuration can be easily extracted

– There are scripts for this :-)

17

Page 18: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE ANALYSIS: COBALT STRIKE WATERMARK

• Watermark field

– Associated with license file

– Unique to a customer

– Can be used to track and link Cobalt Strike samples

• 1359593325 in our case

– Not a unique one :-(

18
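As an added example (not the author's script, but the TLV layout public Beacon config parsers such as 1768.py document: records of big-endian index, type and length, XOR'd with a single-byte key, index 8 holding the C2 host and index 37 the watermark), the following Python locates and decodes a constructed config blob and pulls out exactly the fields slides 17 to 19 use for pivoting. The blob, the "/updates" URI and the function names are the example's own; only the domain and watermark values come from the talk.

```python
import struct

# Setting indices as documented by public Beacon config parsers (e.g. 1768.py)
SETTING_NAMES = {1: "BeaconType", 2: "Port", 8: "C2Server", 37: "Watermark"}
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

def find_config(blob: bytes, keys=(0x69, 0x2E)):
    """Locate the single-byte-XOR'd config: its first record is always index 1,
    type 1 (short), length 2, so search for that header XOR'd with each known key.
    Returns (offset, key) or None."""
    marker = bytes([0, 1, 0, 1, 0, 2])
    for key in keys:
        pos = blob.find(bytes(b ^ key for b in marker))
        if pos != -1:
            return pos, key
    return None

def parse_config(blob: bytes) -> dict:
    """Decode the TLV records (big-endian index, type, length) into named settings."""
    hit = find_config(blob)
    if hit is None:
        raise ValueError("no Beacon config marker found")
    offset, key = hit
    data = bytes(b ^ key for b in blob[offset:])
    settings, pos = {}, 0
    while pos + 6 <= len(data):
        index, vtype, length = struct.unpack_from(">HHH", data, pos)
        if index == 0:                       # zero index terminates the config
            break
        raw = data[pos + 6:pos + 6 + length]
        if len(raw) < length:
            break                            # truncated record: stop, keep what we have
        pos += 6 + length
        if vtype == TYPE_SHORT:
            value = struct.unpack(">H", raw[:2])[0]
        elif vtype == TYPE_INT:
            value = struct.unpack(">I", raw[:4])[0]
        else:                                # TYPE_DATA: NUL-padded bytes/string
            value = raw.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(index, f"setting_{index}")] = value
    return settings

def build_sample_config(key: int = 0x69) -> bytes:
    """Constructed blob for testing, not a real Beacon: four records in Beacon's TLV
    layout, XOR'd with `key`, surrounded by filler and an encoded zero terminator."""
    def rec(index, vtype, value):
        return struct.pack(">HHH", index, vtype, len(value)) + value
    cfg = rec(1, TYPE_SHORT, struct.pack(">H", 8))                 # BeaconType 8 = HTTPS
    cfg += rec(2, TYPE_SHORT, struct.pack(">H", 443))
    cfg += rec(8, TYPE_DATA, b"content.pcmsar[.]net,/updates".ljust(256, b"\x00"))
    cfg += rec(37, TYPE_INT, struct.pack(">I", 1359593325))        # watermark from the talk
    return b"\x90" * 16 + bytes(b ^ key for b in cfg + bytes(6)) + b"\x90" * 16
```

Run over a memory dump or an unpacked Beacon instead of the sample blob to get the real values; a watermark shared by many unrelated samples (as on slide 18) is a weak link on its own and should be combined with the C2 host and certificate pivots that follow.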

Page 19: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

C&C INFRASTRUCTURE: INVESTIGATION

• C2 server from config

– content.pcmsar[.]net

• Website info

– Redirect to spectator.sme.sk

● EN version of Slovak news

– Let’s Encrypt cert (7 days ago)

– Nginx server

19

Page 20: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

C&C INFRASTRUCTURE: SHODAN INVESTIGATION

• Usually other servers hosted in network/provider

– In our case, OVH hosting (ASN AS16276)

• Search filters based on C&C configuration

– Open ports, available services

● HTTPS, maybe HTTP, SSH

● (Cobalt Strike teamserver on 50050 often opened)

• Search => results => Better filter needed

20

Page 21: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

C&C INFRASTRUCTURE: SHODAN INVESTIGATION 2

• Search filters based on C&C configuration

– Website info

● Nginx server

• Search => results => Better filter needed

21

Page 22: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

C&C INFRASTRUCTURE: SHODAN INVESTIGATION 3

• How to create a precise filter?

– Website info

● Nginx server

● Redirection

● Content type

● Content length

● Referrer-Policy

● TLS/SSL certificate

22

Page 23: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

C&C INFRASTRUCTURE: SHODAN INVESTIGATION 4

• Put it all together

– A couple of tests and the winner is…

asn:AS16276 port:443 Location nginx no-referrer 154

23

Page 24: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

C&C INFRASTRUCTURE: EXAMPLE RESULT

24

Page 25: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

C&C INFRASTRUCTURE: FINDINGS

• More potential C&C servers discovered

– Let’s Encrypt and Sectigo certificates

– Some of them active since February 2021 (confirmed)

– Probably used also in 2020

• Redirection to innocent websites

• Malicious domains mostly similar to the innocent websites

25

Page 26: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING 2: MORE SAMPLES

• Extracted Cobalt Strike info/configs from C&C servers

– Various tools and Nmap NSE script available

• Advanced search in malware repositories

– Communication with C&C IP addresses or domains

– File type filters (ISO/UDF)

26

Page 27: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING 2: ANOTHER ISO

27

• Any.Run => Evil.iso

– Original name invitation.iso

– February 2021

– Submitted from Netherlands

● ProtonVPN?

• Similar to “NSA” ISO

– LNK + DLL with Cobalt Strike

Page 28: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING 2: ANOTHER ISO

28

• Any.Run => Evil.iso

– Original name invitation.iso

– February 2021

– Submitted from Netherlands

● ProtonVPN?

• String search

– Hybrid-Analysis

Page 29: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING 2: DELIVERY METHOD

29

• String search on Hybrid-Analysis

– Even more samples

● ISO/UDF IMG files produced by same tool

● Similar properties and structure

• Found email from 04 March 2021

– Subject: Fwd: Payment Invoice

– Attachment: MS Word document/UDF filesystem

Page 30: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING 2: DELIVERY METHOD

30

• IMGBURN

• EXE file embedded
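The "same tool, similar properties and structure" pivot on slides 29 and 30 rests on fields of the ISO 9660 primary volume descriptor (application identifier, volume creation time), and the same creation timestamp is what slide 14 compares against the LNK timestamps. The following is an added example, not from the talk, that reads those fields from a constructed in-memory image; the ImgBurn-style application string is a sample value modelled on what ImgBurn-built images are commonly reported to carry, and the volume name and timestamp are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR       # the descriptor set starts after the 32 KiB system area

def decode_iso_datetime(raw: bytes):
    """17-byte ISO 9660 'dec-datetime': YYYYMMDDHHMMSScc followed by a signed
    timezone offset in 15-minute units. All-zero digits mean 'not specified'."""
    digits = raw[:16].decode("ascii", "replace")
    if not digits[:14].isdigit() or digits.startswith("0000"):
        return None
    tz_quarters = struct.unpack("b", raw[16:17])[0]
    naive = datetime.strptime(digits[:14], "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=timezone(timedelta(minutes=15 * tz_quarters)))

def parse_pvd(image: bytes) -> dict:
    """Return the identification and timestamp fields of the primary volume descriptor."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    text = lambda start, end: pvd[start:end].decode("ascii", "replace").strip()
    return {
        "volume_id": text(40, 72),
        "publisher": text(318, 446),
        "data_preparer": text(446, 574),
        "application": text(574, 702),      # the mastering tool usually signs here
        "created": decode_iso_datetime(pvd[813:830]),
        "modified": decode_iso_datetime(pvd[830:847]),
    }

def build_sample_image(application: str, created: str, tz_quarters: int = 4) -> bytes:
    """Constructed image for testing: empty system area, one PVD, one set terminator,
    no directory records or file data. `created` is the 16-digit dec-datetime text."""
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = b"AKTUALIZACIA".ljust(32)
    pvd[574:702] = application.encode("ascii").ljust(128)
    stamp = created.encode("ascii") + struct.pack("b", tz_quarters)
    pvd[813:830] = stamp
    pvd[830:847] = stamp
    terminator = bytearray(SECTOR)
    terminator[0], terminator[1:6], terminator[6] = 255, b"CD001", 1
    return bytes(PVD_OFFSET) + bytes(pvd) + bytes(terminator)
```

On real samples, read the file with open(path, "rb") and pass the bytes to parse_pvd; grouping submissions by the application field and comparing "created" with the LNK timestamps reproduces the pivots from slides 14 and 29.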

Page 31: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING 2: DELIVERY METHOD

31

• IMGBURN

• Email from NetWire botnet

Page 32: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

MALWARE HUNTING 2: DELIVERY METHOD

32

• Probably hacked Windows Server

– Shodan + history

Page 33: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

FINDINGS AND SUMMARY: INVESTIGATION

33

• Targeting Government in Slovakia, too

– Mimics local “NSA”

• Phishing + ISO files + LNK + DLL

• Malware samples with Cobalt Strike Beacons

• Several C&C servers found

• Incident reported to local authorities (CSIRT)

– IOCs reported

– Investigation confirmed some of the C&C IP addresses

Page 34: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

FINDINGS AND SUMMARY: TAKEAWAYS

34

• Tips & Tricks for malware hunting and advanced search

• Independent researchers without budget can be hunters

• IOCs from investigation helped

– Fun from hunting => Profit for society

Page 35: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

IOCS: SAMPLES FROM THIS TALK

35

Hashes

bd05e95b88b41cad419d450b10f801c5: AktualizC!ciu.img

ed24b708a0abb91d2d984c646527823f: Aktualizáciu.lnk

e55d9f6300fa32458b909fded48ec2c9: diassvcs.dll

1adfe420043628286d0f3ff007113bfa: Cobalt Strike Beacon

b0c12b32ed763e2fd9f0a1669f82d579: evil.iso

038579bdb1de9e0ab541df532afeb50d: Programme outline.lnk

72b494d0921296cdd5e4a07a0869b244: Plending forms.lnk

600aceaddb22b9a1d6ae374ba7fc28c5: GraphicalComponent.dll

Domains

content.pcmsar[.]net

cbdnewsandreviews[.]net

IP Addresses

51.79.69[.]211

139.99.167[.]177

Page 36: HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS …

THANK YOU

36

• Ladislav Baco

• Twitter:

@ladislav_b

@malwarelab_eu

• Personal website:

https://malwarelab.eu

• Company website:

https://istrosec.com