Finfisher - Nguyễn Chấn Việt
FinFisher The Cyber Espionage Tool
VietNC
Security Research
Who Am I?
• VietNC
• Malware Analyst
• Exploit Developer
Agenda
• Overview
• PC version
  • Windows
• Mobile version
  • iOS
  • Android
  • Windows Mobile
  • BlackBerry
  • Symbian
Gamma Group
Gamma Group serves governmental customers only.
Target clients:
- Law Enforcement Agencies: Police, Anti-Corruption, VIP Protection, Customs, Presidential Guard, Naval & Border Security
- Intelligence Agencies: Internal and External Security Departments
- Military: Intelligence, Signal Intelligence, Army, Navy, Air Force
- Special Events: International Conferences & Events
Overview
Product Capabilities
Product name / Description
FinSpy Mobile: Offers the ability to compromise a target’s mobile phone: BlackBerry, iOS, Android.
FinSpy: Refers to the suite of FinFly offerings enumerated below.
FinFly USB: Requires direct access to the machine. Can extract and infect.
FinFly FireWire: Requires direct access to the machine. Can extract and infect.
FinFly LAN: Requires direct access to the target LAN. Can perform various MITM activities.
FinFly NET: Requires that the target visit a network that is under the control of the attacker. Can perform various MITM activities.
FinFly ISP: Attacks the target’s ISP. Can MITM either before hitting the ISP’s core network, or afterward.
FinFly Web: Attempts to deploy malware to targets through various web-based attack vectors.
FinFly Exploit Portal: Basically an online repository of 0-days and 1-days that paying customers can integrate into their attacks on targets and deploy to said targets using various other FinFly offerings.
Bypassing AVs
Dropper
The malware extracts two of its own PE resources (walking the PE structures manually) and deobfuscates them with a simple XOR algorithm.
One resource deobfuscates to a JPEG file, which is then used to replace the original sample file.
The other resource is a PE file that is later loaded into the current process’s address space by a custom PE loader.
Start with the key bytes and XOR them with the first 4 bytes.
XOR each following 4-byte block with the previous (still obfuscated) 4 bytes.
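The chained XOR scheme described above, written out as an added example for analysts who need to unpack such resources offline. This is not code from the talk or from the malware; the 4-byte key and the tiny "resource" are constructed sample values, and the known-plaintext key recovery assumes the resource is a PE file whose DOS header starts with the usual MZ 90 00 bytes.

```python
from typing import Optional

# Constructed sample values (not from the talk): a 4-byte key and a tiny
# "resource" made of a PE DOS-header stub followed by filler bytes.
SAMPLE_KEY = b"\x01\x02\x03\x04"
SAMPLE_PLAIN = b"MZ\x90\x00ABCD"

def deobfuscate(blob: bytes, key: bytes) -> bytes:
    """Chained 4-byte XOR as described: the first dword is XORed with the key,
    every later dword with the previous *obfuscated* dword (CBC-like chaining)."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    out = bytearray()
    prev = key
    for off in range(0, len(blob), 4):
        chunk = blob[off:off + 4]            # last chunk may be shorter than 4
        out += bytes(c ^ p for c, p in zip(chunk, prev))
        prev = chunk                         # ciphertext, not plaintext, feeds forward
    return bytes(out)

def obfuscate(data: bytes, key: bytes) -> bytes:
    """Inverse transform: builds test vectors and confirms that a recovered key
    reproduces the on-disk resource byte for byte."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    out = bytearray()
    prev = key
    for off in range(0, len(data), 4):
        enc = bytes(d ^ p for d, p in zip(data[off:off + 4], prev))
        out += enc
        prev = enc
    return bytes(out)

# File signatures of the two resource types the talk mentions.
MAGICS = {b"MZ": "PE image", b"\xff\xd8\xff": "JPEG image"}

def classify(decoded: bytes) -> Optional[str]:
    """Sanity check for a candidate key: a correct decode should start with a
    known file signature. Returns a label or None."""
    for magic, label in MAGICS.items():
        if decoded.startswith(magic):
            return label
    return None

def recover_key_from_pe(blob: bytes) -> bytes:
    """Known-plaintext recovery (assumption: the resource is a PE file). Because
    the first dword is plain XOR with the key, the DOS header bytes 4D 5A 90 00
    leak the key from the first four obfuscated bytes. Verify with classify()."""
    return bytes(c ^ k for c, k in zip(blob[:4], b"MZ\x90\x00"))
```

Because only the first block depends on the key, a wrong key corrupts just the first four decoded bytes; checking the decoded header with classify() before writing anything to disk avoids mistaking a partially decoded blob for a clean extraction.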
Before XOR:
After XOR:
Self Delete
Payload Extraction
Decrypt the resources:
- Test.exe (main component)
- driverw.sys: named “Microsoft Disk Driver”
- shell32.dll
- msvcr90.dll
- …
The files are written to %TEMP% and executed through the ShellExecuteW API.
Features in the payload
Run-key autostart entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Shell32.dll
- Inject msvcr90.dll into another process
- Detect firewalls/AVs (Comodo, KAS)
- Inject code into explorer.exe
OS Version
The malware checks the OS version:
- 32-bit: continues decrypting the 32-bit modules
- 64-bit: drops a new x64 malware binary in %TEMP%, launches it with CreateProcess and terminates itself
msvcr90.dll
A packed and encrypted tiny DLL, decrypted only in memory.
It acts as an internet proxy and creates several threads:
- one for checking injection
- one for injecting into Windows Task Manager and Sysinternals Process Explorer (32- and 64-bit)
- one for injecting into all processes
- …
The injected code
The injected code places inline user-mode hooks on the following functions in every running process:
ntdll.dll!NtDeviceIoControlFile
ntdll.dll!NtEnumerateKey
ntdll.dll!NtEnumerateValueKey
ntdll.dll!NtQueryDirectoryFile
ntdll.dll!NtQueryKey
ntdll.dll!NtQuerySystemInformation
kernel32.dll!CreateFileW
kernel32.dll!CreateProcessInternalW
kernel32.dll!MoveFileW
kernel32.dll!DeleteFileW
kernel32.dll!MoveFileExW
…
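A defender-side check for the inline user-mode hooks listed above, as an added example that is not part of the talk. It compares the first bytes of an export as seen in a process (for instance from a memory dump) against the clean on-disk copy and flags the trampoline opcodes an inline hook typically writes at the entry point. All byte strings are constructed: the "clean" stub mimics an x64 Nt* syscall stub and the "hooked" one starts with a 5-byte jmp rel32.

```python
# Constructed prologue bytes (not taken from any real binary): a clean x64
# syscall stub, and the same stub with its first 5 bytes overwritten by
# "jmp rel32", the most common inline-hook trampoline.
CLEAN_STUB = bytes.fromhex("4c8bd1b82f000000f604250803fe7f01")   # constructed
HOOKED_STUB = bytes.fromhex("e978563412") + CLEAN_STUB[5:]        # constructed

def trampoline_at_entry(code: bytes):
    """Return a label for a control-transfer trampoline at offset 0, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return "jmp rel32"
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [rip+disp32] / jmp [abs]
        return "jmp [mem]"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return "push imm32 / ret"
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64 / jmp rax"
    return None

def check_export(name: str, disk_bytes: bytes, mem_bytes: bytes, prologue_len: int = 16):
    """Compare the in-memory prologue of one export with its on-disk copy.
    Returns a list of findings (empty when nothing looks wrong)."""
    findings = []
    if disk_bytes[:prologue_len] != mem_bytes[:prologue_len]:
        findings.append("prologue differs from on-disk image")
    label = trampoline_at_entry(mem_bytes)
    if label is not None:
        findings.append(f"trampoline at entry ({label})")
    return findings

def scan_exports(disk: dict, mem: dict) -> dict:
    """disk/mem map export name -> prologue bytes. Returns only exports with findings."""
    report = {}
    for name, disk_bytes in disk.items():
        mem_bytes = mem.get(name)
        if mem_bytes is None:
            continue
        findings = check_export(name, disk_bytes, mem_bytes)
        if findings:
            report[name] = findings
    return report

# Constructed inputs naming three of the functions the talk lists as hooked.
DISK = {"NtQueryKey": CLEAN_STUB, "NtEnumerateKey": CLEAN_STUB,
        "NtQuerySystemInformation": CLEAN_STUB}
MEM = {"NtQueryKey": HOOKED_STUB, "NtEnumerateKey": CLEAN_STUB,
       "NtQuerySystemInformation": HOOKED_STUB}

if __name__ == "__main__":
    for export, findings in scan_exports(DISK, MEM).items():
        print(export, "->", "; ".join(findings))
```

Two caveats apply in practice: the byte comparison only holds for code that carries no relocations in its first bytes (true for the ntdll Nt* stubs, not for every kernel32 export, where the on-disk bytes must be relocated to the load address first), and a hook placed a few instructions into the function rather than at its entry passes the trampoline check and is caught only by the prologue comparison with a long enough prologue_len.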
Features in the PE payload
Covering Tracks
GetCurrentDirectory()
FindFirstFile() / FindNextFile()
DeleteFileW
C&C Signatures
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; sid:1000002; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)
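To see exactly what the two signatures above match, here is an added example (not part of the talk or of Snort itself) that parses the msg, content, depth and sid options out of the rule text and applies the content/depth check to constructed client-to-server payloads. It covers only the content matching; the flow options (to_server, established) are left to the IDS. The rule strings are the ones from the slide with the reference option trimmed.

```python
import re

# The two rules from the slide above (reference:url option omitted for brevity).
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; '
    'flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; '
    'classtype:trojan-activity;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; '
    'flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; '
    'sid:1000002; rev:1; classtype:trojan-activity;)',
]

def parse_content(option: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, text inside is hex."""
    out = bytearray()
    for i, part in enumerate(option.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(rule: str) -> dict:
    """Extract the options this example needs from one rule line."""
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    content = parse_content(re.search(r'content:"([^"]*)"', rule).group(1))
    sid = int(re.search(r"sid:(\d+)", rule).group(1))
    depth_m = re.search(r"depth:(\d+)", rule)
    depth = int(depth_m.group(1)) if depth_m else None
    return {"msg": msg, "sid": sid, "content": content, "depth": depth}

def content_matches(payload: bytes, content: bytes, depth=None) -> bool:
    """depth limits the search to the first `depth` payload bytes: the whole
    pattern must lie inside that window. With depth equal to the pattern
    length, the pattern must sit at offset 0."""
    window = payload if depth is None else payload[:depth]
    return content in window

def match_rules(payload: bytes, rules=RULES) -> list:
    """Return the sids of all rules whose content option matches the payload."""
    hits = []
    for r in map(parse_rule, rules):
        if content_matches(payload, r["content"], r["depth"]):
            hits.append(r["sid"])
    return hits

# Constructed payloads: the init message as the rule expects it, the same bytes
# shifted by 4 so they fall outside the depth:8 window, and the handshake.
INIT_PAYLOAD = bytes.fromhex("0c00000040017300") + b"\x00" * 8
SHIFTED_PAYLOAD = b"\x00" * 4 + INIT_PAYLOAD
HANDSHAKE_PAYLOAD = bytes.fromhex("5c000000a00272000c0000004004fe00")
```

The shifted payload is the useful negative case: the init bytes are present, but depth:8 restricts the match to the first eight bytes of the stream, so the rule does not fire. When tuning such a rule for a deployment, that is the knob to loosen (or to replace with offset/distance) if the protocol prefixes the message.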
Mobile version
iOS version
The iOS version is built for ARMv7 against iOS SDK 5.1 on OS X 10.7.3; it appears to run on iPhone 4 and 4S, iPad 1, 2 and 3, and iPod touch 3 and 4 on iOS 4.0 and up.
The code signature contains 3 certificates:
- Certificate “Apple Root CA”: will expire on 09.02.2035. Your keychain contains this root certificate.
- Certificate “Apple Worldwide Developer Relations Certification Authority”: will expire on 14.02.2016.
- Certificate “iPhone Distribution: Martin Muench”: will expire on 03.04.2013. SHA1 fingerprint: “1F921F276754ED8441D99FB0222A096A0B6E5C65”.
Android
The application appears to install itself as “Android Services”:
C&C server, decoded:
Blackberry version
After installation:
The malware requests enhanced permissions after installation:
Windows Mobile version
AddressBook: Providing exfiltration of details from contacts stored in the local address book.
CallInterception: Used to intercept voice calls, record them and store them for later transmission.
PhoneCallLog: Exfiltrates information on all performed, received and missed calls stored in a local log file.
SMS: Records all incoming and outgoing SMS messages and stores them for later transmission.
Tracking: Tracks the GPS locations of the device.
To manipulate phone calls, the malware uses the functions provided by RIL.dll, the Radio Interface Layer.
Symbian version
The Symbian .sisx package: “System Update”
Main component: “c:\sys\bin\updater.exe”
As mentioned in the security section of the Nokia developer notes for Symbian:
“Trusted UI dialogs are rare. They must be used only when confidentiality and security are critical: for instance for password dialogs. Normal access to the user interface and the screen does not require this.”
The second file (“mysym.sisx”) is an “Installation File” and appears to be signed by the “Symbian CA I” for “Cyan Engineering Services SAL (offshore)”.
C&C Servers
- Two servers in Brunei
- One in Turkmenistan’s Ministry of Communications
- Two in Singapore
- One in the Netherlands
- A new server in Indonesia
- A new server in Bahrain
Conclusion
Great malware
Questions?
Thank you!