HOW VIGILANT RESEARCHERS CAN UNCOVER APT ATTACKS
FOR FUN AND NON PROFIT
Ladislav Baco, @ladislav_b
AGENDA
• Introduction: a poor man’s toolkit
• Malware samples: Advanced search
• Analysis of Cobalt Strike sample
• Investigation of C&C infrastructure
• Findings and Summary
INTRO: WHOAMI
• Ladislav Bačo
• Senior Security Consultant
and Malware Analyst
• 10+ years in cyber security,
computer science and education
• Head of Research Department @IstroSec
• Former Director of R&D @LIFARS
• Former Head of Cyber Threat Analysis Dept. @CSIRT_SK
• Practical hands-on with real APT attacks
A POOR MAN’S TOOLKIT: MOTIVATION
• Threat Intelligence + OSInt resources
– What about price?
• Even students/amateurs/enthusiasts can analyze APT
– Lots of malware samples available
• What about yet unknown and ongoing campaigns?
– YES, it is possible. For FREE :-)
A POOR MAN’S TOOLKIT: RESOURCES
• Malware Samples
– Online repositories, e.g. Malware Bazaar and vx-underground
• Malware Feeds + Advanced search capabilities
– Hybrid-Analysis, Any.Run, Tria.ge
– VirusTotal relations and graphs
A POOR MAN’S TOOLKIT: RESOURCES + TOOLS
• Threat Intel platform
– YETI
– Feeds + search
– Tweettioc.com, twint
A POOR MAN’S TOOLKIT: MALWARE HUNTING
• Advanced Search + Filters
– Hybrid-Analysis
– Any.Run
– String search
– YARA rules
– Twint
A POOR MAN’S TOOLKIT: MALWARE HUNTING
• Twint
A POOR MAN’S TOOLKIT: C&C HUNTING
• Advanced Search + Filters + History
– Shodan
– Censys
– Web Archive
A POOR MAN’S TOOLKIT: C&C HUNTING
• Shodan tip: search by hash
– http.favicon.hash
MALWARE HUNTING: INTERESTING SAMPLES
• APT-like attacks targeting specific industry/government
– Much easier to find among sample submissions from a small country
– Any.Run country filter :-)
Country         Population   No. of pages
Austria              8.86M            209
Belgium             11.46M            215
Czech Republic      10.65M            205
Germany             83.02M           1506
Hungary              9.77M            216
Netherlands         17.28M            595
Poland              37.97M           1606
Slovakia             5.45M             60
United States      328.24M          17269
MALWARE HUNTING: WHERE THE FUN BEGINS
• Personal research in March 2021
• Malware samples submitted from Slovakia
MALWARE HUNTING: ”NSA” ISO SAMPLE
• “Aktualizácia” = Update
• “NBU” = NSA in Slovakia
MALWARE ANALYSIS: ”NSA” ISO SAMPLE
• ISO contains LNK and DLL file
• LNK executes command:
C:\Windows\System32\rundll32.exe diassvcs.dll InitializeComponent
• LNK accessed 13 min before the ISO was created
– Probably no automation in the packing process
MALWARE ANALYSIS: DLL FILE
• diassvcs.dll
• Loader/packer with anti-analysis protections
• Unpacking routine
– Decryption loops
– VirtualProtect
• Unpacked payload
– Another DLL file
MALWARE ANALYSIS: UNPACKED PAYLOAD
• DLL file without standard MS-DOS header
• Malformed/modified header
– Used as a part of shellcode
● e.g. Metasploit Meterpreter
MALWARE ANALYSIS: COBALT STRIKE BEACON
• Payload => Cobalt Strike Beacon
• Configuration can be easily extracted
– There are scripts for this :-)
MALWARE ANALYSIS: COBALT STRIKE WATERMARK
• Watermark field
– Associated with license file
– Unique to a customer
– Can be used to track and link Cobalt Strike samples
• 1359593325 in our case
– Not a unique one :-(
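Added example, not from the talk: how the "scripts for this" mentioned two slides earlier recover a Beacon configuration, and where the watermark discussed here comes from. The config is a run of big-endian (index, type, length, value) records XOR-encoded with a single byte (0x2E in Beacon 4.x, 0x69 in 3.x), and it can be located by searching for the encoded header of its first record. The sample blob is constructed here; only the watermark value and the defanged C2 domain are taken from the talk, and the field-index table is a subset of the documented one.

```python
import struct

# Beacon config field indices used here (a subset of the documented ones)
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server", 37: "Watermark"}
XOR_KEYS = (0x2E, 0x69)  # single-byte keys used by Beacon 4.x and 3.x

def find_config(blob):
    """Locate the XOR-encoded config: its first record is always index 1, type 1,
    length 2, so search for that header under each key. Returns (decoded, key)."""
    marker = bytes.fromhex("000100010002")
    for key in XOR_KEYS:
        off = blob.find(bytes(b ^ key for b in marker))
        if off != -1:
            return bytes(b ^ key for b in blob[off:]), key
    raise ValueError("no Beacon config marker found")

def parse_config(cfg):
    """Walk the big-endian TLV records (index, type, length, value) up to the
    terminating zero index. Type 1 = short, 2 = int, anything else = bytes."""
    out, pos = {}, 0
    while pos + 6 <= len(cfg):
        idx, typ, length = struct.unpack(">HHH", cfg[pos:pos + 6])
        pos += 6
        if idx == 0:
            break
        raw, pos = cfg[pos:pos + length], pos + length
        if typ == 1:
            val = struct.unpack(">H", raw[:2])[0]
        elif typ == 2:
            val = struct.unpack(">I", raw[:4])[0]
        else:
            val = raw.split(b"\x00", 1)[0].decode("latin-1")
        out[FIELD_NAMES.get(idx, f"field_{idx}")] = val
    return out

def _record(idx, typ, value, size=0):
    # Build one config record; helper for the constructed sample only
    data = (struct.pack(">H", value) if typ == 1 else struct.pack(">I", value)
            if typ == 2 else value.ljust(size, b"\x00"))
    return struct.pack(">HHH", idx, typ, len(data)) + data

# Constructed stand-in for an unpacked Beacon: padding, then the config XOR-encoded
# with 0x2E. Watermark and (defanged) C2 domain are the values quoted in the talk.
SAMPLE_CONFIG = (_record(1, 1, 8) + _record(2, 1, 443) + _record(3, 2, 60000)
                 + _record(8, 3, b"content.pcmsar[.]net", 256)
                 + _record(37, 2, 1359593325) + struct.pack(">HHH", 0, 0, 0))
SAMPLE_BLOB = b"MZ" + bytes(200) + bytes(b ^ 0x2E for b in SAMPLE_CONFIG)

if __name__ == "__main__":
    decoded, key = find_config(SAMPLE_BLOB)
    print(f"xor key 0x{key:02x}:", parse_config(decoded))
```

Real unpacked Beacons carry many more fields (public key, user agent, URIs); the same loop handles them since unknown indices are kept under a generic name.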
C&C INFRASTRUCTURE: INVESTIGATION
• C2 server from config
– content.pcmsar[.]net
• Website info
– Redirect to spectator.sme.sk
● EN version of Slovak news
– Let’s Encrypt cert (7 days ago)
– Nginx server
C&C INFRASTRUCTURE: SHODAN INVESTIGATION
• Usually other servers hosted in the same network/provider
– In our case, OVH hosting (ASN AS16276)
• Search filters based on C&C configuration
– Open ports, available services
● HTTPS, maybe HTTP, SSH
● (Cobalt Strike teamserver on 50050 often opened)
• Search => => Better filter needed
C&C INFRASTRUCTURE: SHODAN INVESTIGATION 2
• Search filters based on C&C configuration
– Website info
● Nginx server
• Search => => Better filter needed
C&C INFRASTRUCTURE: SHODAN INVESTIGATION 3
• How to create a precise filter?
– Website info
● Nginx server
● Redirection
● Content type
● Content length
● Referrer-Policy
● TLS/SSL certificate
C&C INFRASTRUCTURE: SHODAN INVESTIGATION 4
• Put it all together
– Couple of tests and the winner is…
asn:AS16276 port:443 Location nginx no-referrer 154
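Added example, not part of the talk: turning the website fingerprint from the previous slides (nginx, redirect, content type/length, Referrer-Policy) into the Shodan query above, and then re-checking each returned host against the same fingerprint. The banners are constructed stand-ins for what Shodan displays; the ASN and the redirect target are the ones named in the talk, the candidate host names are invented.

```python
import re

def http_fingerprint(banner):
    """Extract the fields used to characterise the C2 front-end from a raw HTTP banner."""
    head = banner.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    m = re.match(r"HTTP/\d\.\d (\d{3})", status)
    return {
        "status": int(m.group(1)) if m else None,
        "server": headers.get("server", "").split("/")[0].lower(),  # drop version
        "redirect": "location" in headers,
        "content_type": headers.get("content-type"),
        "content_length": headers.get("content-length"),
        "referrer_policy": headers.get("referrer-policy"),
    }

def shodan_query(fp, asn, port):
    """asn/port filters plus free-text terms that must appear in the banner."""
    terms = [f"asn:{asn}", f"port:{port}"]
    if fp["redirect"]:
        terms.append("Location")
    for key in ("server", "referrer_policy", "content_length"):
        if fp[key]:
            terms.append(fp[key])
    return " ".join(terms)

def matches(candidate_banner, fp):
    """True when a candidate host's banner has the same fingerprint. The redirect
    target itself is not compared: each C2 pointed at a different decoy site."""
    cand = http_fingerprint(candidate_banner)
    return all(cand[k] == fp[k] for k in fp)

# Constructed banners: the reference mimics the redirecting nginx front-end from the
# talk; host-a shares its fingerprint (other decoy), host-b is an unrelated server.
REFERENCE = ("HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
             "Content-Type: text/html\r\nContent-Length: 154\r\n"
             "Location: https://spectator.sme.sk/\r\nReferrer-Policy: no-referrer\r\n\r\n")
CANDIDATES = {
    "host-a": REFERENCE.replace("spectator.sme.sk", "example.invalid"),
    "host-b": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
              "Content-Length: 154\r\n\r\n",
}
if __name__ == "__main__":
    fp = http_fingerprint(REFERENCE)
    print(shodan_query(fp, "AS16276", 443), [h for h, b in CANDIDATES.items() if matches(b, fp)])
```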
C&C INFRASTRUCTURE: EXAMPLE RESULT
C&C INFRASTRUCTURE: FINDINGS
• More potential C&C servers discovered
– Let’s Encrypt and Sectigo certificates
– Some of them active since February 2021 (confirmed)
– Probably used also in 2020
• Redirection to innocent websites
• Malicious domains mostly similar to the innocent websites
MALWARE HUNTING 2: MORE SAMPLES
• Extracted Cobalt Strike info/configs from C&C servers
– Various tools and Nmap NSE script available
• Advanced search in malware repositories
– Communication with C&C IP addresses or domains
– File type filters (ISO/UDF)
MALWARE HUNTING 2: ANOTHER ISO
• Any.Run => Evil.iso
– Original name invitation.iso
– February 2021
– Submitted from Netherlands
● ProtonVPN?
• Similar to “NSA” ISO
– LNK + DLL with Cobalt Strike
• String search
– Hybrid-Analysis
MALWARE HUNTING 2: DELIVERY METHOD
• String search on Hybrid-Analysis
– Even more samples
● ISO/UDF IMG files produced by the same tool
● Similar properties and structure
• Found email from 04 March 2021
– Subject: Fwd: Payment Invoice
– Attachment: MS Word document/UDF filesystem
• IMGBURN
• EXE file embedded
• Email from NetWire botnet
• Probably hacked Windows Server
– Shodan + history
FINDINGS AND SUMMARY: INVESTIGATION
• Targeting Government in Slovakia, too
– Mimics local “NSA”
• Phishing + ISO files + LNK + DLL
• Malware samples with Cobalt Strike Beacons
• Several C&C servers found
• Incident reported to local authorities (CSIRT)
– IOCs reported
– Investigation confirmed some of the C&C IP addresses
FINDINGS AND SUMMARY: TAKEAWAYS
• Tips&Tricks for malware hunting and advanced search
• Independent researchers without budget can be hunters
• IOCs from investigation helped
– Fun from hunting => Profit for society
IOCS: SAMPLES FROM THIS TALK
Hashes
bd05e95b88b41cad419d450b10f801c5: AktualizC!ciu.img
ed24b708a0abb91d2d984c646527823f: Aktualizáciu.lnk
e55d9f6300fa32458b909fded48ec2c9: diassvcs.dll
1adfe420043628286d0f3ff007113bfa: Cobalt Strike Beacon
b0c12b32ed763e2fd9f0a1669f82d579: evil.iso
038579bdb1de9e0ab541df532afeb50d: Programme outline.lnk
72b494d0921296cdd5e4a07a0869b244: Plending forms.lnk
600aceaddb22b9a1d6ae374ba7fc28c5: GraphicalComponent.dll
Domains
content.pcmsar[.]net
cbdnewsandreviews[.]net
IP Addresses
51.79.69[.]211
139.99.167[.]177
THANK YOU
• Ladislav Baco
• Twitter:
@ladislav_b
@malwarelab_eu
• Personal website:
https://malwarelab.eu
• Company website:
https://istrosec.com