apt3 uncovered the code evolution of pirpi
play

APT3 Uncovered: The code evolution of Pirpi Your functions are - PowerPoint PPT Presentation

Jan 29, 2024 •556 likes •831 views

APT3 Uncovered: The code evolution of Pirpi Your functions are showing (and leaving a trail) Micah Yates - @m1k4chu Palo Alto Networks Your functions are showing Persistent Code Reuse Finding The Trail Pirpi.201x vs Operation

  1. APT3 Uncovered: The code evolution of Pirpi Your functions are showing (and leaving a trail) Micah Yates - @m1k4chu Palo Alto Networks

  2. Your functions are showing • Persistent Code Reuse • Finding The Trail • Pirpi.201x vs Operation Clandestine DoubleTap • Just give me all the Pirpi you have • EXEProxy

  3. Persistent Code Reuse: function_1

  4. Persistent Code Reuse • What is Pirpi? • Targeted malware delivered via 0-days • (CVE-2010-3962) • (CVE-2014-1776) • (CVE-2014-4113) • (CVE-2014-6332) • (CVE-2015-3113) • (CVE-2015-5119) • Appended to a valid gif • Obfuscated Command and Control • Compromised infrastructure

  5. Finding a Trail • Why are you doing this? • It’s fun • You don’t know what you don’t know • Pick 2 binaries by: • Family • Compile Times • File Size • % similarity (ssdeep)

  6. It started out with a diff, how did it end up like this? • Inspect Binaries w/ IDA Tools • Bindiff – Hex Rays • IDAScope – Plohmann/Hanel • Bindiff two known Pirpi samples • fb838cda6118a003b97ff3eb2edb7309 • e33804e3e15920021c5174982dd69890

  7. It was only a diff

  8. It was only a diff

  9. Aside: Putting the FUN in Function

  10. Pirpi.201x vs Operation Clandestine DoubleTap

  11. Pirpi.201x vs Operation Clandestine DoubleTap

  12. Just give me all the Pirpi you have: function_1 Compile MD5 Beacon 2007 01 3f5d79b262472a12e3666118a7cdc2ca www.msnmessengerupdate.com/index31382/f2ae95b93i97.bmp 2008 01 6bdee405ed857320aa8c822ee5e559f2 www.msnmessengerupdate.com/image19582/7e7e7eb7fi7f.gif 2009 03 e22d02796cfb908aaf48e2e058a0890a www.office2008updates.com/dream/dream.php? 2009 10 1fa0813be4b9f23613204c94e74efc9d ini.msnmessengerupdate.net/smart/smartmain.php? 2010 01 914e9c4c54fa210ad6d7ed4f47ec285f ini.office2005updates.net/smart/smartmain.php? 2013 01 44bd652a09a991100d246d8280cac3ac 218.42.147.106/bussinesses/caetrwet/ 2014 04 b48e578f030a7b5bb93a3e9d6d1e2a83 product.sorgerealty.com 2016 04 f683cf9c2a2fdc27abff4897746342c4 ste.mullanclan.com

  13. function_1 Just give me all the Pirpi you have: UNIQUE SAMPLES 100 10 20 30 40 50 60 70 80 90 0 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 2010 02 2010 03 2010 05 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02

  15. function_1 - minor versions UNIQUE SAMPLES 100 10 20 30 40 50 60 70 80 90 0 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 2010 02 2010 03 2010 05 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02 v1 v2 v3 v4 v5 v6

  16. function_1 - minor versions function_1 - minor versions V1 - 2007 V2 - 2008 V3 – 2006 MD5: MD5: MD5: 98011f5b7b957a142f14cbda57a5ea82 272cb6c16e083ca143d40c63005753a2 acd8d34d8360129df1c8d03f253ba747 @00401FC0 @00403110 @100016A0

  17. function_1 - minor versions V4 - 2014 V5 - 2016 V6 - 2017 MD5: MD5: MD5: c006faaf9ad26a0bd3bbd597947da3e1 f683cf9c2a2fdc27abff4897746342c4 07b4d539a6333d7896493bafd2738321 @0040B320 @00401D60 @00404A20

  18. function_2

  19. function_2 UNIQUE SAMPLES 100 10 20 30 40 50 60 70 80 90 0 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 2010 02 2010 03 pirpi_version_check 2010 05 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02

  20. function_3

  21. function_3 UNIQUE SAMPLES 10 15 20 25 30 35 40 45 0 5 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 pirpi_cmdline_createproc 2010 02 2010 03 2010 05 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02

  22. EXEProxy • b94bcffcacc65d05e5f508c5bd9c 950c • Contains function_1 • Contains Anti-Disasm • OpenSSL included • Requires cmd line params to run

  23. pirpi_EXEPROXY EXEProxy: UNIQUE SAMPLES 0 1 2 3 4 5 6 7 8 9 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 2010 02 2010 03 2010 05 pirpi_EXEPROXY 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02

  24. EXEProxy 2: Electric Boogaloo • 4d3874480110ba537b383 9cb8b416b50 • Contains function_1 • Server tool ">Ltime %2d:%2d:%2d Disconnect >“ • Requires Cmd Line "%2d:%2d:%2d >Cback :“ Params ">LTime : %2d:%2d:%2d“ ">Cback: %s:%d" • No other notable "H:%s " anchor functions "Ok. " "K:%d"

  25. EXEProxy 2: Electric Boogaloo • a85f9b4c33061ee724e59291242b9e86 • OpenSSL Server • Contains Public/Private Keys

  26. In Summary: • Some families never change • Anchor Functions are Fun! • Use public info • Pirpi malware active since at least 2006 • Unintended findings

  27. • Thanks: • Richard Wartell – Palo Alto Networks • Mike Scott – Palo Alto Networks • Biblio: • MITRE: • https://attack.mitre.org/wiki/Software/S0063 • FireEye: • https://www.fireeye.com/blog/threat-research/2010/11/ie-0-day-hupigon-joins-the-party.html • https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html • https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html • https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html • Symantec: • https://www.symantec.com/connect/blogs/new-ie-zero-day-used-targeted-attacks • https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong • http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Symantec-Buckeye-IOCs.txt • EmergingThreats: • https://rules.emergingthreats.net/changelogs/suricata-1.3.etpro.2015-09-10T21:29:38.txt • (cached by other sites, search for hash 4d3874480110ba537b3839cb8b416b50 and EXEProxy) • Palo Alto Networks: • https://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team- flash-exploit/ • https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and- the-pirpi-payload/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Refactoring Section 7.2.1 (JIAs) OTHER SOURCES Code Evolution Programs evolve and code is

Refactoring Section 7.2.1 (JIAs) OTHER SOURCES Code Evolution Programs evolve and code is

Refactoring Section 7.2.1 (JIAs) OTHER SOURCES Code Evolution Programs evolve and code is NOT STATIC Code duplication Outdated knowledge (now you know more) Rethink earlier decisions and rework portions of the code Customer

1.03k views • 76 slides
SMUHSDs New Dress Code Evolution of the New Dress Code Policy Student representatives

SMUHSDs New Dress Code Evolution of the New Dress Code Policy Student representatives

SMUHSDs New Dress Code Evolution of the New Dress Code Policy Student representatives expressed concerns to the Board of Trustees about the inequitable dress code across District schools. Female students felt targeted for the way

191 views • 8 slides
Lecture 6 & 7 Empirical Studies of Software Evolution: Code Decay EE382V Software Evolution:

Lecture 6 & 7 Empirical Studies of Software Evolution: Code Decay EE382V Software Evolution:

Lecture 6 & 7 Empirical Studies of Software Evolution: Code Decay EE382V Software Evolution: Spring 2009, Instructor Miryung Kim Announcement Your proposals have been graded. Literature Survey & Tool Evaluation: Each in the range

930 views • 56 slides
AFM S CORPORATE GOVERNANCE CODE Martin Shaw Chief Executive, AFM EVOLUTION OF THE CODE

AFM S CORPORATE GOVERNANCE CODE Martin Shaw Chief Executive, AFM EVOLUTION OF THE CODE

! AFM S CORPORATE GOVERNANCE CODE Martin Shaw Chief Executive, AFM EVOLUTION OF THE CODE EQUITABLE LIFE In 2000 the House of Lords ruled that the society must honour the bonuses that it promised to 90,000 policy holders with

518 views • 13 slides
LinkedIn: Network Updates Uncovered LinkedIn: Network Updates Uncovered Ruslan Belkin Sean

LinkedIn: Network Updates Uncovered LinkedIn: Network Updates Uncovered Ruslan Belkin Sean

LinkedIn: Network Updates Uncovered LinkedIn: Network Updates Uncovered Ruslan Belkin Sean Dawson Agenda Agenda Quick T Quick Tour our Req equirements (User Experience / Infrastructure) uirements (User Experience / Infrastructure)

680 views • 42 slides
Presence of Evolution: Models vs. Code Jan Jrjens TU Dortmund & Fraunhofer ISST

Presence of Evolution: Models vs. Code Jan Jrjens TU Dortmund & Fraunhofer ISST

Security Certification in the Presence of Evolution: Models vs. Code Jan Jrjens TU Dortmund & Fraunhofer ISST http://jan.jurjens.de What is Software Evolution ? Software today often long-living (cf. Year-2000-Bug). Continual change

683 views • 29 slides
Exchange Rates and Uncovered Interest Differentials: The Role of Permanent Monetary Shocks

Exchange Rates and Uncovered Interest Differentials: The Role of Permanent Monetary Shocks

Exchange Rates and Uncovered Interest Differentials: The Role of Permanent Monetary Shocks Stephanie Schmitt-Groh e and Mart n Uribe Columbia University November 4, 2020 Schmitt-Groh e and Uribe Exchange Rates and Uncovered

629 views • 37 slides
Modelling the spectral evolution of Supernovae - The JEKYLL code Mattias Ergon In collaboration

Modelling the spectral evolution of Supernovae - The JEKYLL code Mattias Ergon In collaboration

Modelling the spectral evolution of Supernovae - The JEKYLL code Mattias Ergon In collaboration with Claes Fransson, Anders Jerkstrand, Markus Kromer and Cecilia Kozma H, He, O, Ca, Fe, Continuum The JEKYLL code What: Realistic* simulations of

228 views • 19 slides
Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral

Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral

Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral Symposium ICSE 2007 1. Title: Understand & Aiding Code Evolution by Inferring Change Patterns. (30 sec) My name is Miryung Kim & I am a graduate

571 views • 17 slides
Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the

Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the

Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the shared pieces of code amongst pieces of d3 code via MOSS and visualize the evolution of D3 code snippets. Scope: about 30k examples of D3 code

278 views • 16 slides
EVOLUTION X3 - 1 - Evolution X3 Marketing Dpt. November 2006 - 2 - EVOLUTION X3 Evolution X3

EVOLUTION X3 - 1 - Evolution X3 Marketing Dpt. November 2006 - 2 - EVOLUTION X3 Evolution X3

Marketing Dpt. November 2006 EVOLUTION X3 - 1 - Evolution X3 Marketing Dpt. November 2006 - 2 - EVOLUTION X3 Evolution X3 Evolution X3 Technical Features: HP Pum p Highly reliable plunger pump with brass head and 3 ceramic pistons for

405 views • 13 slides
Language evolution in the lab language evolution synthesized agent-based simulations iterated

Language evolution in the lab language evolution synthesized agent-based simulations iterated

Language evolution in the lab language evolution synthesized agent-based simulations iterated learning experimental semiotics evolutionary game theory 2 evolving an artificial code Bruno Galantucci (2005) An Experimental Study on the

461 views • 31 slides
Modelling the spectral evolution of supernova (with the JEKYLL code). Mattias Ergon (Stockholm

Modelling the spectral evolution of supernova (with the JEKYLL code). Mattias Ergon (Stockholm

Modelling the spectral evolution of supernova (with the JEKYLL code). Mattias Ergon (Stockholm University) In collaboration with Claes Fransson, Anders Jerkstrand, Markus Kromer, Cecilia Kozma and Kristoffer Spricer H, He, O, Ca, Fe, Continuum

579 views • 36 slides
The Evolution of IT Applications: Control of computations hidden in code; integration a

The Evolution of IT Applications: Control of computations hidden in code; integration a

Service Engagements The Evolution of IT Applications: Control of computations hidden in code; integration a nightmare Workflows: Control abstracted out; integration still difficult Standards-driven orchestration: Integration improved;

410 views • 10 slides
INTERNATIONAL ARBITRATION FOR BUSINESS: ENERGY AND INFRASTRUCTURE SECTORS UNCOVERED Bucharest, 21

INTERNATIONAL ARBITRATION FOR BUSINESS: ENERGY AND INFRASTRUCTURE SECTORS UNCOVERED Bucharest, 21

INTERNATIONAL ARBITRATION FOR BUSINESS: ENERGY AND INFRASTRUCTURE SECTORS UNCOVERED Bucharest, 21 February 2019 The Club Espaol del Arbitraje is an international non-governmental organization that is dedicated to the promotion of arbitration

87 views • 4 slides
1 MICROEVOLUTION: change in the properties of populations of organisms over the course of

1 MICROEVOLUTION: change in the properties of populations of organisms over the course of

Introduction to Molecular Evolution (BIOL 3046) Course website: www.biol3046.info What is evolution? Evolution: from Latin evolvere , to unfold broad sense, to change e.g., stellar evolution, cultural evolution,

518 views • 6 slides
Introduction to Software Evolution Ashim Shahi Jurgen Vinju Anastasia Izmaylova Magiel

Introduction to Software Evolution Ashim Shahi Jurgen Vinju Anastasia Izmaylova Magiel

Introduction to Software Evolution Ashim Shahi Jurgen Vinju Anastasia Izmaylova Magiel Bruntink Atze van der Ploeg Vadim Zaytsev Davy Landman Michael Steindorfer 1 Introduction to Software Evolution Where are you? International

1.21k views • 82 slides
Large-scale Cancer Genomics Data Analysis David Haussler Center for Biomolecular Science and

Large-scale Cancer Genomics Data Analysis David Haussler Center for Biomolecular Science and

Large-scale Cancer Genomics Data Analysis David Haussler Center for Biomolecular Science and Engineering, UC Santa Cruz Cancer Genomics Hub Being built to store BAM & VCF for TCGA, TARGET and CGAP/CGCI projects Designed for 25,000

413 views • 29 slides
Evolution of Connections in SHRUTI Networks Joe Townsend, Ed Keedwell and Antony Galton

Evolution of Connections in SHRUTI Networks Joe Townsend, Ed Keedwell and Antony Galton

Evolution of Connections in SHRUTI Networks Joe Townsend, Ed Keedwell and Antony Galton Motivation Neural-Symbolic Reasoning: Adaptable representations of logic programs in neural networks. Can help us understand how reasoning might be

1.05k views • 40 slides
The Evolution of Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures

The Evolution of Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures

The Evolution of Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures June 2016 What does @adrianco do? Maintain Relationship with Presentations at Technology Due Cloud Vendors Conferences Diligence on Deals

1.15k views • 66 slides
Chapter 2 Computer Evolution and Performance Contents Key points Brief history of

Chapter 2 Computer Evolution and Performance Contents Key points Brief history of

Chapter 2 Computer Evolution and Performance Contents Key points Brief history of computers Vacuum tubes Transistors ICs Designing for performance microprocessor speed performance balance Pentium and

530 views • 40 slides
Brief History of Evolutionary Theory Before Darwin Robert J. Richards Course: Darwins Origin

Brief History of Evolutionary Theory Before Darwin Robert J. Richards Course: Darwins Origin

Brief History of Evolutionary Theory Before Darwin Robert J. Richards Course: Darwins Origin of Species and Descent of Man Theories of Species Change Prior to Darwin Entangled with : 1. Theories of geological change. 2. Theories of heredity.

568 views • 20 slides
Simulating evolution of spin systems Tobias J. Osborne Department of Mathematics Royal Holloway,

Simulating evolution of spin systems Tobias J. Osborne Department of Mathematics Royal Holloway,

Simulating evolution of spin systems Tobias J. Osborne Department of Mathematics Royal Holloway, University of London Outline 1. Introduction 2. Local answers to local questions 3. Where is the locality? 4. Lets work in the Heisenberg

162 views • 12 slides
Stellar Evolution: Low Mass Stars Mass 2-3 M sun But what about High Mass Stars and all of

Stellar Evolution: Low Mass Stars Mass 2-3 M sun But what about High Mass Stars and all of

Stellar Evolution: Low Mass Stars Mass 2-3 M sun But what about High Mass Stars and all of those other elements??? GRAVITY When core T=10 8 K, He fuses into C (& O) What happens when the Helium runs out?? PRESSURE Answer

726 views • 38 slides

More recommend