Operation Grand Mars: Defending against Anunak

Thanassis Diogos, Trustwave MC for EMEA IR

MSc Infosec, CISSP trainer


Agenda

• APT Detection

• Entry point

• Persistence

• Public services

• Malicious software

• Motivation

• Conclusions

APT Detection

• AV Alerts

• Unusual event log entries

• Email followed by a phone call (social engineering vector)

• Word attachment containing encoded VBScript

Entry Point

Analysis

• Several malicious files/scripts generated

Persistence & lateral movement

• Files in user’s %temp% folder

• Registry autorun location

• Scheduled tasks

• Backdoor executable and scripts (VBScript, PowerShell) running as memory-resident code

• Pass-the-hash

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TransbaseOdbcDriver
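The persistence locations listed above (Run key, scheduled tasks, payloads dropped in %temp%) are what an incident responder would sweep first. The following is an added example, not code from the talk: a small triage routine over constructed autorun records that flags script-host payloads, files in user-writable folders and PowerShell encoded commands. Only the TransbaseOdbcDriver value name comes from the slides; its command line, the other entries and the base64 blob are invented for illustration.

```python
import base64
import re

# Constructed sample artifacts (not from the slides): what a collector might
# return for Run-key values and scheduled-task actions. The TransbaseOdbcDriver
# value name is from the page; its command line and the other entries are
# invented for illustration.
SAMPLE_AUTORUNS = [
    {"kind": "run_key", "name": "TransbaseOdbcDriver",
     "location": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "command": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\tbodbc.vbs"},
    {"kind": "run_key", "name": "SecurityHealth",
     "location": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"kind": "scheduled_task", "name": "OneDriveSync",
     "location": r"\Microsoft\Windows\OneDrive",
     "command": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"kind": "scheduled_task", "name": "ScheduledDefrag",
     "location": r"\Microsoft\Windows\Defrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$"},
]

# Interpreters that should rarely be the image of an autorun entry.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe"}
# Directories a standard user can write to; real products seldom autorun from them.
USER_WRITABLE = re.compile(r"\\(?:temp|tmp|appdata|programdata|users\\[^\\]+\\downloads)\\",
                           re.IGNORECASE)
# powershell -e/-ec/-enc/-EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# First token of a command line, honouring a quoted path.
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def image_name(command: str) -> str:
    """Return the lower-cased file name of the program an autorun command launches."""
    m = FIRST_TOKEN.match(command)
    token = (m.group(1) or m.group(2)) if m else ""
    return token.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command: str):
    """Decode a PowerShell -EncodedCommand blob (base64 of UTF-16LE), or return None."""
    m = ENCODED_PS.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_autoruns(artifacts):
    """Flag autorun entries showing the traits the slides describe: script-host
    payloads, files in user-writable folders such as %temp%, encoded commands."""
    findings = []
    for art in artifacts:
        cmd = art["command"]
        reasons = []
        exe = image_name(cmd)
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe} used as autorun payload")
        if USER_WRITABLE.search(cmd):
            reasons.append("payload stored in a user-writable directory")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append(f"encoded PowerShell command: {decoded!r}")
        if reasons:
            findings.append({"name": art["name"], "kind": art["kind"],
                             "location": art["location"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_AUTORUNS):
        print(f["kind"], f["name"], f["location"])
        for r in f["reasons"]:
            print("   -", r)
```

Feed it the output of a real collector (Autoruns CSV, `schtasks /query /xml`, a registry export) after mapping the fields; the rules are deliberately simple so they can be extended with a whitelist of known-good vendor entries.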

Google Docs, Pastebin

• Register/update bots

• Flow of operation driven by Pastebin content
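Bots that register and fetch tasking from Pastebin or Google Docs leave a distinctive trace in web proxy logs: the same client pulling the same paste at near-constant intervals with a script-host user agent rather than a browser. The following is an added example, not code from the talk, that looks for exactly that in a constructed proxy log. The log format, the client addresses, the paste URL and the user-agent patterns are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Public paste/doc services the slides name as the bot registration and tasking channel.
PASTE_HOSTS = {"pastebin.com", "docs.google.com", "drive.google.com"}
# User agents of Windows script hosts rather than browsers (assumed patterns).
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest|WindowsPowerShell|Microsoft BITS", re.IGNORECASE)
# Assumed log layout: <timestamp> <client ip> <method> <url> <status> "<user agent>"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed proxy log (not real traffic): 10.1.2.3 polls pastebin.com about
# every five minutes with a WinHttp user agent and fetches a Google Doc twice;
# 10.1.2.7 is a person browsing.
SAMPLE_PROXY_LOG = """\
2016-03-01T09:00:00 10.1.2.3 GET https://pastebin.com/raw/4Xk9Qa 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2016-03-01T09:01:10 10.1.2.3 GET https://docs.google.com/document/d/1abc/export?format=txt 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2016-03-01T09:05:01 10.1.2.3 GET https://pastebin.com/raw/4Xk9Qa 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2016-03-01T09:10:00 10.1.2.3 GET https://pastebin.com/raw/4Xk9Qa 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2016-03-01T09:12:40 10.1.2.7 GET https://pastebin.com/raw/4Xk9Qa 200 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0 Safari/537.36"
2016-03-01T09:14:59 10.1.2.3 GET https://pastebin.com/raw/4Xk9Qa 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2016-03-01T09:16:05 10.1.2.7 GET https://www.google.com/search?q=pastebin 200 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0 Safari/537.36"
2016-03-01T09:20:00 10.1.2.3 GET https://pastebin.com/raw/4Xk9Qa 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2016-03-01T09:31:10 10.1.2.3 GET https://docs.google.com/document/d/1abc/export?format=txt 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
"""


def parse_proxy_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, method, url, status, ua = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
               "host": (urlsplit(url).hostname or "").lower(), "url": url,
               "status": int(status), "ua": ua}


def find_paste_beacons(text, min_hits=4, max_cv=0.2):
    """Group paste-site requests by (client, host) and flag pairs that use a
    script-host user agent or whose inter-request gaps are nearly constant
    (coefficient of variation of the gaps <= max_cv), the shape of a scheduled
    bot check-in in proxy logs."""
    by_pair = defaultdict(list)
    for ev in parse_proxy_log(text):
        if ev["host"] in PASTE_HOSTS:
            by_pair[(ev["src"], ev["host"])].append(ev)

    findings = []
    for (src, host), events in sorted(by_pair.items()):
        events.sort(key=lambda e: e["ts"])
        reasons = []
        script_uas = sorted({e["ua"] for e in events if SCRIPT_UA.search(e["ua"])})
        if script_uas:
            reasons.append("non-browser user agent: " + "; ".join(script_uas))
        if len(events) >= min_hits:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
            if cv <= max_cv:
                reasons.append(f"periodic: {len(events)} requests about every {mean:.0f}s (cv={cv:.3f})")
        if reasons:
            findings.append({"src": src, "host": host, "hits": len(events), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_paste_beacons(SAMPLE_PROXY_LOG):
        print(f"{f['src']} -> {f['host']} ({f['hits']} hits)")
        for r in f["reasons"]:
            print("   -", r)
```

The periodicity test is the more robust of the two signals: a user agent is trivial for an attacker to change, while a bot that must poll its tasking at a fixed schedule cannot hide the rhythm without adding jitter, which in turn raises `max_cv` as a tuning knob rather than defeating the check.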

Hosts distribution/location

Anunak

• Spawns into a new svchost.exe process

• Gathers information about the system

• Anti-reversing; terminates specific AV products

• Privilege escalation

• Enables RDP

• POS malware functions

• Local password stealer

• Scrounging Outlook PST files

• Targets the iFobs banking application

• Backdoor commands (downloads and executes additional malware)
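Two of the behaviours above, injecting into a fresh svchost.exe and enabling RDP, are visible in endpoint telemetry. The following is an added example, not code from the talk or the malware: a triage pass over constructed Sysmon-style events (id 1 process creation, id 13 registry value set) that flags an svchost.exe running from the wrong place, started by something other than services.exe, or started without a `-k` service group, and a write of 0 to `fDenyTSConnections`, which turns Remote Desktop on. The event field names follow Sysmon; the paths and values are invented.

```python
import re

# Constructed Sysmon-style events (not from the slides): id 1 = process create,
# id 13 = registry value set. Field names follow Sysmon; paths are invented.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\tbodbc.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    {"id": 1, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"svchost.exe"},
    {"id": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"id": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
]

GENUINE_SVCHOST = (r"\windows\system32\svchost.exe", r"\windows\syswow64\svchost.exe")
RDP_DENY_VALUE = re.compile(r"\\control\\terminal server\\fdenytsconnections$", re.IGNORECASE)
DWORD_VALUE = re.compile(r"0x([0-9a-f]+)", re.IGNORECASE)


def check_process_create(ev):
    """A genuine svchost.exe lives in System32/SysWOW64, is started by
    services.exe and carries a -k service-group argument."""
    image = ev["Image"].lower()
    if not image.endswith("svchost.exe"):
        return None
    if not image.endswith(GENUINE_SVCHOST):
        return f"svchost.exe running from outside the Windows directory: {ev['Image']}"
    parent = ev["ParentImage"]
    if not parent.lower().endswith("\\services.exe"):
        return f"svchost.exe spawned by {parent} instead of services.exe"
    if " -k " not in ev["CommandLine"].lower():
        return "svchost.exe started without a -k service group"
    return None


def check_registry_set(ev):
    """fDenyTSConnections written to 0 turns Remote Desktop on."""
    if not RDP_DENY_VALUE.search(ev["TargetObject"]):
        return None
    m = DWORD_VALUE.search(ev["Details"])
    if m and int(m.group(1), 16) == 0:
        return f"RDP enabled (fDenyTSConnections=0) by {ev['Image']}"
    return None


def triage_sysmon_events(events):
    """Return one human-readable finding per suspicious event, in input order."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            reason = check_process_create(ev)
        elif ev["id"] == 13:
            reason = check_registry_set(ev)
        else:
            reason = None
        if reason:
            findings.append(reason)
    return findings


if __name__ == "__main__":
    for line in triage_sysmon_events(SAMPLE_EVENTS):
        print(line)
```

Baseline the parent rule on your own estate before alerting on it: some Windows builds start a small number of svchost.exe instances from processes other than services.exe, and those should be whitelisted by parent path rather than by weakening the rule.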

Cobalt Strike Beacon

• Covert channel

• Meterpreter

• Downloading the EICAR test file

AdobeUpdateManagementTool (VBScript)

• Downloads and executes files, VBScripts or PowerShell scripts

• Collects and communicates:
  • OS name, version, service pack, install directory
  • Physical memory available/total, available virtual memory
  • System name, model, manufacturer
  • Locale, time zone
  • BIOS version, processor, system type
  • Computer/user name and domain

Motivation

• Bot collection

• Financial

• Control of victim organizations

• Multiple groups involved (assumption)

Conclusions

• Victims
  • Weak detection security controls
  • Missing or poor readiness for security incidents
  • AV detection scores low to zero
  • Reluctant to cooperate with authorities

• Features of the operation pointing to organized crime activity
  • Targeted social engineering
  • Several pieces of malicious software used
  • Attack methods such as pass-the-hash
  • Purchase of certificates
  • Multiple hosts used, mainly in Europe
  • Use of public cloud services (Google Docs and Pastebin)

• Investigation of the malicious software and activity gives the impression that distinct parties were involved
  • Underground cooperation or trading

Questions?

Thank you!