Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware


SLIDE 1
Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware

Homeland Security
National Cybersecurity and Communications Integration Center

January 13, 2016

Mark Mager, US-CERT Code Analysis Team

SLIDE 2
Agenda

Homeland Security
Office of Cybersecurity and Communications

  • About Me
  • 2015 Year in Review
  • Malware Crash Course
  • Other Malware
  • Remote Access Tools
  • Exploit Kits
  • APTs
  • Conclusion
SLIDE 3
About Me

  • Mark Mager
  • US-CERT Code Analysis Team
  • phia LLC
  • Reverse Engineer / Software Engineer
  • Away from daily malware analysis for 4 years
    – Returned in 2015
  • What’s changed?

SLIDE 4
2015 Year in Review

  • Hacking Team
  • OPM
  • Hacktivism
    – Anonymous
    – Terrorist cells
  • Cybercrime
    – Carbanak
    – Premera Blue Cross
  • See hackmageddon Cyber Attacks Timeline…

SLIDE 5
Malware Crash Course

  • Malware Roles
    – Contained within one or more files
      • Initial Attack Vector
      • Launcher
      • Dropper
      • Downloader
      • Command and Control
      • Advanced Malicious Capabilities
        – Keylogging, process enumeration, reverse shell
      • Persistence

SLIDE 6
Malware Crash Course

  • Malware Categories
    – Remote Access Tools
    – Exploit Kits
    – Advanced Persistent Threats
    – Other Malware…

SLIDE 7
Malware Crash Course

  • Analysis Techniques
    – Dynamic Analysis
      • Virtualization
      • Debugging
      • Unpacking
    – Static Analysis
      • Disassembly / decompilation
      • Deobfuscation
    – Live Dynamic Analysis
      • Non-attribution
      • Payload retrieval

SLIDE 8
Caveats

  • Derived from own research, analysis
    – Curated dataset
      • Primarily Windows samples
      • Generalized info
    – Limited indicators (OPSEC)
  • Timeline: February 2015 – November 2015

SLIDE 9
Low-Hanging Fruit: Office Documents

  • Decoy document text
    – Enable macros, please?
  • Obfuscated macros
    – Commercial obfuscation
      • CrunchCode
  • Multi-stage
    – VBScript, batch files, PowerShell
  • Payloads directly downloaded and executed
    – Spray and pray spear phishing
    – No attempt at obscuring comms
      • GET stage2.exe HTTP/1.1

SLIDE 11
Low-Hanging Fruit: Office Documents

  • Callback URIs
    – Compromised sites
      • Wordpress blogs
        – *.*/wp-content/uploads/*
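The stage-two fetch described on this slide and on slide 9 (a plain GET for an executable, with no attempt to hide it, frequently served from a compromised WordPress site under /wp-content/uploads/) is straightforward to pick out of proxy logs. The Python below is an added example, not material from the deck or from US-CERT: it scores constructed log lines (the line format, hostnames, addresses and user-agent strings are all invented for the example) on the indicators the two slides give, and reports entries that match at least two of them. The User-Agent heuristic is an assumption on top of the slides: WinINet-style "MSIE" strings and empty agents are typical of script downloaders, but the slides do not say so.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic). Format assumed for the example:
# <timestamp> <client> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2015-06-02T09:14:03Z 10.1.2.15 GET http://example-blog.test/wp-content/uploads/2015/05/stage2.exe 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2015-06-02T09:14:07Z 10.1.2.15 GET http://example-blog.test/wp-content/uploads/2015/05/img.png 200 "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/38.0"
2015-06-02T09:15:41Z 10.1.2.22 GET http://cdn.example.test/stage2.exe 200 ""
2015-06-02T09:16:10Z 10.1.2.30 GET http://updates.example.test/client/setup.exe 200 "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/38.0"
2015-06-02T09:17:55Z 10.1.2.15 GET http://example-blog.test/wp-content/uploads/2015/05/doc.pdf 404 "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/38.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# The slide's callback-URI pattern: *.*/wp-content/uploads/*
WP_UPLOADS_RE = re.compile(r"/wp-content/uploads/", re.I)
# File types a macro stage would download and run directly
EXEC_EXT_RE = re.compile(r"\.(exe|scr|dll|com|pif)$", re.I)
# Assumption (not from the slides): script/WinINet downloaders send MSIE-style
# or empty agents, while real browsers send richer strings.
SCRIPT_UA_RE = re.compile(r"^$|^Mozilla/4\.0 \(compatible; MSIE|WinHttp|PowerShell", re.I)

def score_request(method, url, status, ua):
    """Return (score, reasons) for one proxy log entry."""
    if status != 200:
        return 0, []                      # nothing delivered: not a successful stage-2 fetch
    path = urlsplit(url).path
    reasons = []
    if method == "GET" and EXEC_EXT_RE.search(path):
        reasons.append("executable fetched by plain GET")
    if WP_UPLOADS_RE.search(path):
        reasons.append("hosted under /wp-content/uploads/ (compromised blog pattern)")
    if reasons and SCRIPT_UA_RE.search(ua):
        reasons.append("empty or WinINet/script-style User-Agent")
    return len(reasons), reasons

def scan_log(text):
    """Parse each line and keep the entries matching two or more indicators."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed line: skip rather than crash the scan
        ts, client, method, url, status, ua = m.groups()
        score, reasons = score_request(method, url, int(status), ua)
        if score >= 2:
            hits.append({"time": ts, "client": client, "url": url,
                         "score": score, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"], hit["reasons"])
```

Run as-is it flags the two stage-2 downloads (the WordPress-hosted one scores on all three indicators) and leaves the ordinary software update and the image alone; the 404 entry is ignored because nothing was delivered. The threshold of two indicators is a tuning choice: an executable from a vendor CDN with a browser agent is normal, an executable from a blog's upload directory is not.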

SLIDE 12
Remote Access Tools

  • Gh0st RAT
    – Connects to C2 URI over TCP port 80
      • "HTTP\1.1 Sycmentec" header (note the backslash rather than a slash, and the misspelled vendor name)
        – 48 54 54 50 5c 31 2e 31 20 53 79 63 6d 65 6e 74 65 63 d3
      • variable-length run of null bytes
      • data pertaining to the compressed / decompressed size of the payload
      • zlib default compression header: 78 9c [4b]
      • payload encrypted using Gh0st RAT's custom encryption routine; the plaintext is system information (e.g. operating system version, computer name, username) compressed with zlib
    – No request method specified (the "HTTP" string is a protocol magic, not an HTTP request)
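The slide gives the order of the fields in the Gh0st variant's check-in but not their widths, so the parser below is an added example (not code from the deck or from the sample) that fixes a plausible layout and labels it: the 18-byte magic, then variable padding (the observed 0xd3 byte and the null run), then a 32-bit little-endian compressed size and a 32-bit little-endian decompressed size immediately before the zlib header. The variant's custom encryption routine is not described on the slide, so the constructed beacon is compressed but not encrypted; a stream that will not inflate is reported as such instead of raising, which is also what the parser would see on real, encrypted traffic.

```python
import struct
import zlib

# Beacon prefix from the slide: "HTTP\1.1 Sycmentec" (backslash, misspelled vendor)
MAGIC = bytes.fromhex("48545450 5c312e31 20 5379636d656e746563")
ZLIB_DEFAULT_HDR = b"\x78\x9c"   # zlib, default compression level, as noted on the slide

def parse_gh0st_beacon(pkt):
    """Parse one Gh0st-variant check-in. Returns a dict, or None if the magic is absent.

    Assumed layout (widths and byte order are this example's assumption):
    MAGIC | variable padding (0xd3 and nulls) | u32 LE compressed size |
    u32 LE decompressed size | zlib stream beginning 78 9c.
    """
    if not pkt.startswith(MAGIC):
        return None
    # The two size fields sit directly in front of the zlib header, so the
    # header cannot begin earlier than MAGIC + 8 bytes.
    z = pkt.find(ZLIB_DEFAULT_HDR, len(MAGIC) + 8)
    if z < 0:
        return {"status": "no_zlib_header"}
    comp_len, decomp_len = struct.unpack_from("<II", pkt, z - 8)
    padding = pkt[len(MAGIC):z - 8]
    stream = pkt[z:]
    result = {
        "padding_len": len(padding),
        "null_run": padding.count(b"\x00"),
        "compressed_size": comp_len,
        "decompressed_size": decomp_len,
        "size_fields_consistent": comp_len == len(stream),
    }
    try:
        body = zlib.decompress(stream)
    except zlib.error:
        # Either the custom encryption layer is present or the capture is damaged.
        result["status"] = "encrypted_or_corrupt"
        return result
    result["status"] = "ok" if len(body) == decomp_len else "length_mismatch"
    result["system_info"] = body
    return result

def build_sample_beacon(system_info, padding=b"\xd3" + b"\x00" * 6):
    """Constructed beacon for testing; mirrors the assumed layout above."""
    comp = zlib.compress(system_info)      # default level, so the stream starts 78 9c
    return MAGIC + padding + struct.pack("<II", len(comp), len(system_info)) + comp

# Constructed system-information string, not a capture.
SAMPLE = build_sample_beacon(b"Windows 7 SP1|WKS-042|jdoe")

if __name__ == "__main__":
    print(parse_gh0st_beacon(SAMPLE))
```

The useful detection signal here is the combination, not any single field: the fake HTTP magic at the start of a raw TCP stream, a size pair that matches the length of what follows, and a 78 9c header where a real HTTP request would carry a method and a path. Anchoring the size fields to the zlib header rather than to the magic is what makes the parser tolerate the variable null run.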

SLIDE 13
Remote Access Tools

  • PlugX
    – Connects to C2 over TCP port 80, then initiates an HTTP POST request
      • POST /update?id=00188d08 HTTP/1.1
        – Accept: */*
        – OldServer: 0
        – Check: 0
        – PostSize: 61456
        – PostSerial: 1
        – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; SV1)
        – Host: xxx.xxx.xxx.xxx
        – Content-Length: 0
        – Cache-Control: no-cache
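What makes the PlugX request on this slide detectable is not the POST itself but the set of non-standard headers (OldServer, Check, PostSize, PostSerial) and the contradiction between PostSize: 61456 and Content-Length: 0. The following Python is an added example, not part of the deck: it parses a raw request head, collects those indicators, and only calls the request a PlugX beacon when the full header set is present alongside other signals, so a lone MSIE 6.0 agent or a bare-IP Host does not fire on its own. The sample request is reconstructed from the slide with the documentation address 203.0.113.10 standing in for the redacted host; the benign request is invented.

```python
import re

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

PLUGX_HEADERS = ("oldserver", "check", "postsize", "postserial")
URI_RE = re.compile(r"^/update\?id=[0-9a-f]{8}$")

def plugx_indicators(raw):
    """Return the list of PlugX-style indicators seen in one request."""
    method, target, h = parse_request(raw)
    found = []
    present = [n for n in PLUGX_HEADERS if n in h]
    if len(present) == len(PLUGX_HEADERS):
        found.append("all four PlugX control headers present")
    elif present:
        found.append("partial PlugX headers: " + ", ".join(present))
    if method == "POST" and URI_RE.match(target):
        found.append("POST /update?id=<8 hex digits> request target")
    try:
        declared = int(h.get("postsize", "0"))
        content_length = int(h.get("content-length", "-1"))
    except ValueError:
        declared, content_length = 0, -1
    if declared > 0 and content_length == 0:
        found.append("PostSize > 0 while Content-Length: 0")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h.get("host", "")):
        found.append("Host is a bare IP address")
    if "msie 6.0" in h.get("user-agent", "").lower():
        found.append("hard-coded MSIE 6.0 User-Agent")
    return found

def is_plugx_beacon(raw):
    """Require the full custom-header set plus at least two supporting indicators."""
    ind = plugx_indicators(raw)
    return any(i.startswith("all four") for i in ind) and len(ind) >= 3

# Reconstructed from the slide; 203.0.113.10 is a placeholder for the redacted host.
PLUGX_SAMPLE = (
    b"POST /update?id=00188d08 HTTP/1.1\r\n"
    b"Accept: */*\r\nOldServer: 0\r\nCheck: 0\r\nPostSize: 61456\r\nPostSerial: 1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; "
    b".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; SV1)\r\n"
    b"Host: 203.0.113.10\r\nContent-Length: 0\r\nCache-Control: no-cache\r\n\r\n")

# Invented ordinary request for comparison.
BENIGN_SAMPLE = (
    b"POST /api/update HTTP/1.1\r\nHost: updates.example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/38.0\r\n"
    b"Content-Length: 12\r\n\r\nhello=world!")

if __name__ == "__main__":
    print(plugx_indicators(PLUGX_SAMPLE), is_plugx_beacon(PLUGX_SAMPLE))
    print(plugx_indicators(BENIGN_SAMPLE), is_plugx_beacon(BENIGN_SAMPLE))
```

The same indicator list translates directly into a proxy or IDS rule; keeping the custom headers as the mandatory part and the rest as supporting evidence is what keeps the false-positive rate down, since old MSIE agents and IP-literal hosts both occur in legitimate enterprise traffic.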

SLIDE 14
Remote Access Tools

  • exeproxy
    – Ciphers an 80-byte block of data
      • randomly generated data and the host's NetBIOS name
      • block is XORed using an embedded shifting XOR cipher
    – Establishes a secure session (using the embedded OpenSSL library) over TCP port 443 with the C2 URI and sends the data block
    – XOR-decrypts the response data from the C2 server with a key that is included in the response
    – Validates the decrypted data and determines whether to continue its established session with the C2 or terminate the session
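The four steps above describe a check-in exchange: client ciphers a block, server answers with a key-carrying reply, client decrypts, validates and decides. The Python below is an added example that plays both sides of that exchange, not code from the sample or from the deck. Everything the slide leaves unspecified is an assumption here and is marked as such: the form of the "shifting XOR" (key byte rotated by the byte position), the layout of the 80-byte block (16-byte padded NetBIOS name followed by 64 random bytes), the reply layout (a 4-byte key followed by a status byte and an echo of the client's random data, XORed with that key), and the validation rule (the echo must match). The TLS session on port 443 is omitted; the real client wraps these bytes in OpenSSL.

```python
import os

NETBIOS_NAME = b"WKS-042"                    # constructed host name
EMBEDDED_KEY = bytes.fromhex("6a3f91c2")     # stands in for the key compiled into the binary (assumed)
BLOCK_LEN = 80

def shifting_xor(data, key):
    """Assumed form of the slide's 'shifting XOR': the key byte for position i is
    rotated left by (i mod 8) bits before the XOR. Symmetric, so it also decrypts."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        k = key[i % len(key)]
        s = i % 8
        k = ((k << s) | (k >> (8 - s))) & 0xff
        out[i] = b ^ k
    return bytes(out)

def build_checkin(netbios_name, rng=os.urandom):
    """Client side: 80-byte block = NetBIOS name padded to 16 bytes + 64 random
    bytes (field order assumed), XOR-ciphered with the embedded key.
    Returns (cipher_block, nonce) so the caller can validate the reply later."""
    if len(netbios_name) > 15:
        raise ValueError("NetBIOS names are at most 15 bytes")
    nonce = rng(BLOCK_LEN - 16)
    plain = netbios_name.ljust(16, b"\x00") + nonce
    return shifting_xor(plain, EMBEDDED_KEY), nonce

def server_reply(cipher_block, accept=True):
    """Simulated C2: recover the block with the shared embedded key, then answer with
    a fresh 4-byte key followed by (status byte + first 8 nonce bytes) XORed with it."""
    plain = shifting_xor(cipher_block, EMBEDDED_KEY)
    name, nonce = plain[:16].rstrip(b"\x00"), plain[16:]
    accept = accept and bool(name)           # reject blocks that carry no host name
    reply_key = os.urandom(4)
    body = (b"\x01" if accept else b"\x00") + nonce[:8]
    return reply_key + bytes(b ^ reply_key[i % 4] for i, b in enumerate(body))

def handle_reply(reply, nonce):
    """Client side: XOR-decrypt with the key carried in the reply, validate it
    against what was sent, and decide whether to keep the session."""
    if len(reply) < 4 + 9:
        return False                         # too short to carry key + status + echo
    key, enc = reply[:4], reply[4:]
    body = bytes(b ^ key[i % 4] for i, b in enumerate(enc))
    return body[0] == 1 and body[1:9] == nonce[:8]

def checkin_roundtrip(accept=True, tamper=False):
    """Full exchange; returns True when the client would keep the session."""
    block, nonce = build_checkin(NETBIOS_NAME)
    reply = server_reply(block, accept)
    if tamper:                               # simulate a modified or spoofed reply
        reply = reply[:4] + bytes(b ^ 0x55 for b in reply[4:])
    return handle_reply(reply, nonce)

if __name__ == "__main__":
    print("accepted:", checkin_roundtrip(), "rejected:", checkin_roundtrip(accept=False),
          "tampered:", checkin_roundtrip(tamper=True))
```

Two properties of this design are worth noting for anyone writing a decoder or a fake C2 for such a sample: the reply is self-keyed, so it can be decrypted from a capture without knowing the embedded key, whereas the check-in cannot; and the random bytes in the check-in double as a session nonce, which is why the client can tell a replayed or forged reply from a genuine one.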

SLIDE 15
Remote Access Tools

  • exeproxy
    – Anti-reversing techniques
      • Code blocks that have no effect
      • Thwart reverse engineering efforts and obfuscate capabilities
      • Implemented via inline assembly
        – x86 instructions (e.g. pushf, popf) not often seen in compiled code
        – meaningless instructions (e.g. or ax, ax)
      • Conditional statements which always yield the same value
      • Explicit preservation of registers via the stack
        – e.g. code blocks begin with several push instructions in a row and a pushf, and end with the equivalent popf / pop instructions
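The patterns on this slide can be stripped mechanically before reading a listing: a frame of pushes and pushf whose body only touches the registers it then pops back is a no-op as a whole, and a same-register `or`/`mov`/`xchg` is a no-op on its own. The Python below is an added example (not a tool from the deck) that applies both rules to a constructed disassembly listing in the style the slide describes. It is deliberately conservative: a frame is kept if its body writes memory, changes control flow, pushes or pops on its own, writes a register that is not restored, or would leave flags behind when no pushf saved them; and `or ax, ax` is kept when a conditional jump consumes the flags it sets, which is the one case where such an instruction is not junk.

```python
import re

# Sub-register aliases so that 'or ax, ax' counts as touching eax.
_ALIASES = {}
for _full, _parts in {"eax": "ax al ah", "ebx": "bx bl bh", "ecx": "cx cl ch", "edx": "dx dl dh",
                      "esi": "si", "edi": "di", "ebp": "bp", "esp": "sp"}.items():
    for _r in [_full] + _parts.split():
        _ALIASES[_r] = _full

def canon(reg):
    return _ALIASES.get(reg.lower(), reg.lower())

SAME_OPERAND = re.compile(r"^(or|and|mov|xchg)\s+(\w+),\s*(\w+)$", re.I)
COND_JUMP = re.compile(r"^(j(?!mp$)[a-z]+|loop[a-z]*)$", re.I)          # jz, jne, loop... not jmp
CONTROL = re.compile(r"^(call|ret\w*|jmp|j[a-z]+|loop[a-z]*|int)\b", re.I)
MEM_DEST = re.compile(r"^\w+\s+\[")                                       # destination is memory
WRITES_REG = re.compile(r"^(mov|movzx|movsx|lea|add|sub|xor|or|and|inc|dec|neg|not|"
                        r"shl|shr|sar|rol|ror|imul)\s+(\w+)\b", re.I)
FLAG_NEUTRAL = ("mov", "movzx", "movsx", "lea", "nop")

def norm(ins):
    return re.sub(r"\s*,\s*", ", ", " ".join(ins.split()))

def mnemonic(ins):
    return ins.split()[0].lower()

def flags_consumed(rest):
    """Do the flags set by the current instruction reach a conditional jump
    before anything overwrites them?"""
    for ins in rest:
        mn = mnemonic(ins)
        if COND_JUMP.match(mn):
            return True
        if mn not in FLAG_NEUTRAL + ("push", "pop"):
            return False          # flags rewritten, or block ends (jmp/ret/call/label)
    return False

def is_meaningless(ins, rest):
    """Same register on both sides: 'or ax, ax', 'mov edx, edx', 'xchg ebx, ebx'."""
    m = SAME_OPERAND.match(ins)
    if not m or canon(m.group(2)) != canon(m.group(3)):
        return False
    if m.group(1).lower() in ("or", "and") and flags_consumed(rest):
        return False              # acts as a test: keep it
    return True

def body_has_no_effect(body, saved):
    """True when every register the body writes is restored by the frame's pops
    and nothing escapes: no memory writes, control flow, stack ops or leaked flags."""
    saved_c = {canon(r) for r in saved}
    for ins in body:
        mn = mnemonic(ins)
        m = SAME_OPERAND.match(ins)
        if m and canon(m.group(2)) == canon(m.group(3)) and (mn in ("mov", "xchg") or "flags" in saved_c):
            continue              # self-assignment changes nothing
        if CONTROL.match(ins) or mn in ("push", "pop", "pushf", "popf") or MEM_DEST.match(ins):
            return False
        w = WRITES_REG.match(ins)
        if w:
            if canon(w.group(2)) not in saved_c:
                return False      # result survives the frame
        elif mn not in ("nop", "cmp", "test"):
            return False          # unknown instruction: keep the frame
        if "flags" not in saved_c and mn not in FLAG_NEUTRAL:
            return False          # flags would leak past the frame
    return True

def _frame_end(lines, start, saved):
    """Index where the mirror-image pops of `saved` begin, or -1."""
    want = ["popf" if r == "flags" else "pop " + r for r in reversed(saved)]
    for j in range(start, len(lines) - len(want) + 1):
        if [l.lower() for l in lines[j:j + len(want)]] == want:
            return j
    return -1

def strip_junk(listing):
    """Return the listing with no-effect frames and same-register no-ops removed."""
    lines = [norm(l) for l in listing if l.strip()]
    out, i = [], 0
    while i < len(lines):
        if mnemonic(lines[i]) in ("push", "pushf"):
            saved, k = [], i
            while k < len(lines) and mnemonic(lines[k]) in ("push", "pushf"):
                saved.append("flags" if mnemonic(lines[k]) == "pushf" else lines[k].split()[1].lower())
                k += 1
            j = _frame_end(lines, k, saved)
            if j != -1 and body_has_no_effect(lines[k:j], saved):
                i = j + len(saved)  # drop pushes, body and pops together
                continue
        if not is_meaningless(lines[i], lines[i + 1:]):
            out.append(lines[i])
        i += 1
    return out

# Constructed listing in the style the slide describes; not from the sample.
SAMPLE_LISTING = """
push eax
push ecx
pushf
or ax, ax
mov ecx, [ebp+8]
xor eax, eax
mov edx, edx
popf
pop ecx
pop eax
mov eax, [ebp+0Ch]
or ax, ax
jz short_exit
xchg ebx, ebx
mov ebx, eax
push esi
mov esi, [eax]
mov [edi], esi
pop esi
ret
short_exit:
""".splitlines()

if __name__ == "__main__":
    print("\n".join(strip_junk(SAMPLE_LISTING)))
```

On the sample, the first ten lines (a push/pushf frame that computes into eax and ecx and then throws the results away) disappear, `xchg ebx, ebx` disappears, and the second `or ax, ax` survives because `jz` reads its flags; the `push esi` frame survives because its body stores to memory. The frame matcher takes the first mirror-image pop sequence it finds, so on a long function the body check, not the matcher, is what prevents false removals.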

SLIDE 16
Exploit Kits

  • Modular
  • Easy-to-use GUI
  • Packed with exploits
  • Amorphous, multi-stage payloads

SLIDE 17
Angler Exploit Kit

  • Multi-stage
  • Multiple potential vectors
    – Java, Flash, Silverlight
    – Silverlight is not as easily reversed
  • Heavily obfuscated
    – Unprintable Unicode characters
    – Obscured control flow
      » Nested, indirect function calls
    – Functionality spread across several classes

SLIDE 18
Advanced Persistent Threats

  • Zero Days
    – Hacking Team SWF exploits
      • CVE-2015-5119
    – Quick turnaround
  • Spear phishing still extremely common
    – Easiest initial exploit vector
    – HTTP GET requests to compromised sites for payloads
  • Gh0st RAT variant used in APT activity

SLIDE 19
Total Artifacts Analyzed

  Chart (values paired with their labels in extraction order):
  • Executables: 54
  • PDFs: 1
  • Word Docs: 5
  • SWFs: 2
  • JARs: 1
  • Silverlight: 2
  • E-mails: 3
  • Web: 13
  • Other: 51

SLIDE 20
Executables Analyzed

  Chart:
  • 32-bit: 47
  • 64-bit: 7

SLIDE 21
Conclusion

  • Advanced C2 techniques not always used
  • Older malware and TTPs are still used
    – pwdump, ophcrack, Hacker’s Door
    – RATs analyzed trace back several years
    – spray and pray is still very common
  • Complex multi-stage / modular frameworks
  • Turnaround for zero days is shortening
  • Lack of 64-bit malware, rootkits

SLIDE 22
Thanks

  • US-CERT Code Analysis Team
  • Northrop Grumman
    – Rob Mangiante
  • phia LLC
    – Chad Hein
  • Rodney DeCarteret
  • Tessa Strasser