Grand Mars Operation: Defending against Anunak
Thanassis Diogos, Trustwave MC for EMEA IR
MSc Infosec, CISSP trainer
Agenda
• APT Detection
• Entry point
• Persistence
• Public services
• Malicious software
• Motivation
• Conclusions
Entry Point
• Email followed by phone call (social engineering vector)
• Word attachment containing encoded VBS
Persistence & lateral movement
• Files in user’s %temp% folder
• Registry autorun location
• Scheduled tasks
• Backdoor exe & scripts (VB, PS) as memory resident code
• Pass-the-hash
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TransbaseOdbcDriver
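A host triage script for the persistence artefacts listed above (files in %temp%, Run-key autoruns, scheduled tasks), added here as an example and not part of the presentation. Only the Run value name TransbaseOdbcDriver comes from the slide; the %TEMP% path and script-host heuristics are assumptions.

```powershell
# Added example, not from the presentation: triage the persistence artefacts listed
# above on one Windows host. Run from an elevated PowerShell. Only the Run value name
# TransbaseOdbcDriver comes from the talk; the %TEMP% and script-host heuristics are assumptions.

$suspectValueNames = @('TransbaseOdbcDriver')
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

function Test-PointsToTemp {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    # Expand %TEMP%/%TMP% before comparing, since autoruns often use the variable form
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    return ($expanded -like "*$tempDir*") -or ($expanded -match '(?i)\\AppData\\Local\\Temp\\')
}

$findings = @()

# 1. Registry autorun locations (per-user key named on the slide, plus the machine-wide one)
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run entry
        $why = @()
        if ($suspectValueNames -contains $p.Name) { $why += 'value name seen in this campaign' }
        if (Test-PointsToTemp ([string]$p.Value))  { $why += 'launches from %TEMP%' }
        if ($why.Count) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value; Reason = $why -join '; ' }
        }
    }
}

# 2. Scheduled tasks: actions running from %TEMP%, or a script host (VBS/PowerShell)
#    launched hidden or with an encoded command line
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }              # COM-handler actions have no Execute
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        $why = @()
        if (Test-PointsToTemp $cmd) { $why += 'runs from %TEMP%' }
        if ($a.Execute -match '(?i)(wscript|cscript|powershell)(\.exe)?$' -and
            $a.Arguments -match '(?i)(-enc|-e\b|hidden|\.vbs|\.ps1)') {
            $why += 'script host with hidden/encoded arguments'
        }
        if ($why.Count) {
            $findings += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName; Command = $cmd; Reason = $why -join '; ' }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Any hit is a lead for review, not a verdict: legitimate installers also drop updaters into %TEMP%, so compare each command against a known-good baseline before acting.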
Anunak
• Spawns into a new svchost.exe process
• Gathers information about the system
• Anti-reversing; terminates specific AVs
• Privilege escalation
• Enables RDP
• POS malware functions
• Local password stealer
• Scrounging Outlook PST files
• Targets the iFobs banking application
• Backdoor commands (downloads and executes additional malware)
AdobeUpdateManagementTool (VBScript)
• Downloads & executes files, VBScripts or PowerShell files
• Collects and communicates:
  • OS Name, Version, Service Pack, Install Directory
  • Physical Memory Available/Total, Available Virtual Memory
  • System Name, Model, Manufacturer
  • Locale, Time Zone
  • BIOS Version, Processor System Type
  • Computer/user name & Domain
Motivation
• Bots collection
• Financial
• Control of victim organizations
• Multiple groups involved (assumption)
Conclusions
• Victims
  • Weak detection security controls
  • Missing or poor readiness for security incidents
  • AV detection low to zero scores
  • Reluctant to cooperate with authorities
• Features of the operation indicating organized crime activity
  • Targeted social engineering
  • Several pieces of malicious software used
  • Attacking methods such as pass-the-hash
  • Purchase of certificates
  • Multiple hosts used, mainly in Europe
  • Usage of public cloud services, Google Docs and Pastebin
• Investigation of the malicious software and activities gives the impression that distinct parties are involved
  • Underground cooperation or trading