THE A AND THE P OF THE T #APT #APT #APT #APwot - PowerPoint PPT Presentation

ADVANCED [ədˈvɑ:n(t)st]: we don't understand it. PERSISTENT [pəˈsɪstənt]: we detected it too late. Marion Marschalek


SLIDE 1

THE A AND THE P OF THE T

SLIDE 2

#APT #APT #APT #APwot

SLIDE 3

ADVANCED [ədˈvɑ:n(t)st]: we don't understand it

PERSISTENT [pəˈsɪstənt]: we detected it too late

SLIDE 4

Marion Marschalek

@pinkflawd marion@cyphort.com

desktopwallpaper.info

SLIDE 5

A Digital Threat History

http://www.hdbackgroundpoint.com

VIRUS

EXPLOIT

WORM

TROJAN

MULTI-COMPONENT MALWARE

ADWARE

ROOTKIT

SPYWARE

APT

TARGETED THREAT

SURVEILLANCE SOFTWARE

INSIDE THREAT

SLIDE 6

Source: obsoletemedia.org

A THREAT DETECTION HISTORY

SLIDE 7

www.crane.com

Your signature update.

SLIDE 8

Virus Detection Signature Product Computer Server

SLIDE 9

Checksums
Byte Patterns
Behavior Patterns
Static / Dynamic Heuristics
Whitelisting
Network Streams
Cloud Protection

SLIDE 10

BOILS DOWN TO

The binary is known. The binary is recognized. The behavior of the binary is recognized.

SLIDE 11

KNOWLEDGE BASED THREAT DETECTION

BOILS DOWN TO

PREDICTIVE THREAT DETECTION

SLIDE 12

NOT BEING UNIQUE

Runtime packers trigger heuristics!
Altered compiler settings don't ...
Dynamic API resolving
Character-wise string recovery

http://www.dvd-ppt-slideshow.com

SLIDE 13

jump table FTW
spot the string

FindNextFileA

SLIDE 14

ONE BINARY TO RULE FOREVER

Filehash-based detection
Updating of binaries in irregular intervals
Route traffic through local proxy

SLIDE 15

ZEUS

E(DDIE) VASION

%APP%\Uwirpa    10.12.2013 23:50
%APP%\Woyxhi    10.12.2013 23:50
%APP%\Hibyo     19.12.2013 00:10
%APP%\Nezah     19.12.2013 00:10
%APP%\Afqag     19.12.2013 23:29
%APP%\Zasi      19.12.2013 23:29
%APP%\Eqzauf    20.12.2013 22:23
%APP%\Ubapo     20.12.2013 22:23
%APP%\Ydgowa    20.12.2013 22:23
%APP%\Olosu     20.12.2013 23:03
%APP%\Taal      20.12.2013 23:03
%APP%\Taosep    20.12.2013 23:03
%APP%\Wokyco    16.01.2014 13:22
%APP%\Semi      17.01.2014 16:34
%APP%\Uheh      17.01.2014 16:34

SLIDE 16

REPETITIVE ARTIFACTS

File names
Domain names
Registry key names / value names
Infiltration methods
Persistence methods
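As an added example (not part of the slides), a small defender-side check over the Zeus drop listing from slide 15: files written to the same folder in the same minute with short, generated-looking names are grouped into one batch, which is exactly the kind of repeated file-name artifact slide 16 lists. The paths and timestamps are copied from the slide, including its %APP% placeholder; the name regex and the batch threshold are my assumptions.

```python
import re
from collections import defaultdict

# Drop listing copied from slide 15: (path, first-seen timestamp).
# %APP% is the slide's own placeholder for the per-user application data folder.
ZEUS_DROPS = [
    (r"%APP%\Uwirpa", "10.12.2013 23:50"),
    (r"%APP%\Woyxhi", "10.12.2013 23:50"),
    (r"%APP%\Hibyo", "19.12.2013 00:10"),
    (r"%APP%\Nezah", "19.12.2013 00:10"),
    (r"%APP%\Afqag", "19.12.2013 23:29"),
    (r"%APP%\Zasi", "19.12.2013 23:29"),
    (r"%APP%\Eqzauf", "20.12.2013 22:23"),
    (r"%APP%\Ubapo", "20.12.2013 22:23"),
    (r"%APP%\Ydgowa", "20.12.2013 22:23"),
    (r"%APP%\Olosu", "20.12.2013 23:03"),
    (r"%APP%\Taal", "20.12.2013 23:03"),
    (r"%APP%\Taosep", "20.12.2013 23:03"),
    (r"%APP%\Wokyco", "16.01.2014 13:22"),
    (r"%APP%\Semi", "17.01.2014 16:34"),
    (r"%APP%\Uheh", "17.01.2014 16:34"),
]

# Assumed heuristic: a short capitalised pseudo-word with no digits, dots or
# spaces has the shape of a name generator, not of a real product folder.
GENERATED_NAME = re.compile(r"^[A-Z][a-z]{3,6}$")

def find_repetitive_artifacts(entries, min_batch=2):
    """Return {(folder, timestamp): [names]} for batches of at least min_batch
    generated-looking names written to one folder in the same minute."""
    batches = defaultdict(list)
    for path, stamp in entries:
        folder, _, name = path.rpartition("\\")
        if GENERATED_NAME.match(name):
            batches[(folder, stamp)].append(name)
    return {key: sorted(names) for key, names in batches.items()
            if len(names) >= min_batch}

def summarize(entries):
    """The two numbers a hunter would put in a report: batches and files."""
    hits = find_repetitive_artifacts(entries)
    return {"batches": len(hits), "files": sum(len(n) for n in hits.values())}

if __name__ == "__main__":
    for (folder, stamp), names in find_repetitive_artifacts(ZEUS_DROPS).items():
        print(stamp, folder, ", ".join(names))
    print(summarize(ZEUS_DROPS))
```

The single Wokyco drop on 16.01.2014 falls below the two-file threshold and is left out; lower `min_batch` to 1 to see every generated-looking name.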

SLIDE 17

ENVIRONMENTAL INSENSITIVITY

Might want to refuse executing in sandboxes, emulators & analyst's machines
Potentially targeted systems usually homogeneous

SLIDE 18

Only infecting Tuesdays, sorry. Or 16, 17 and 18 next month?

SLIDE 19

SINGULAR PERSISTENCE

Remember the P?
Registry & service list monitored
One process easy to kill
MBR regularly scanned
Why not do all?

SLIDE 20

SEPARATION OF LAYERS

Runtime packers trigger heuristics!
In-memory scanning identifies equal payloads
Consistent evasion tricks multiply success

SLIDE 21

KNOWN SPHERES

Remember the A?
Find new battle fields
Virtual machine execution
Kernel land code
Bootkits
BIOS

SLIDE 22

BATTLE FIELD

you said?

SLIDE 23

That moment a researcher tells you what‘s wrong with your system, an attacker is already exploiting it.

SLIDE 24

BlackEnergy

Crimeware going APT: Sandworm
Runtime Packer
Malware-like startup & infiltration
Driven by plugins

SLIDE 25

Havex

RAT used by EnergeticBear
Targets ICS data, accessed via Windows COM/DCOM
Standard system infiltration
No protection

(T)EDDIE

SLIDE 26

Target's Network

BLACKPOS: anatomy of a genius hack

Los Angeles Russia

SLIDE 27

Big Boss Worker2 Worker1 Worker0 Worker3 MainThread PerfMon CommandParsing ScriptExecution Manage Worker Threads FileMan/Inet

Evil Bunny

SLIDE 28

1. Unique binaries
2. Irregular updates
3. No repetitive artifacts
4. Environmental sensitivity
5. Multiple persistence techniques
6. Consistent evasion
7. Unknown spheres

SLIDE 29

The A and the P of the T

1 2 3 4 5 6 7 BlackEnergy Havex BlackPOS EvilBunny

estimated 56 Mio. credit cards compromised

SLIDE 30

http://wall.alphacoders.com/big.php?i=318353

SLIDE 31

RESOURCES

  • Havex - http://www.cyphort.com/windows-meets-industrial-control-systems-ics-havex-rat-spells-security-risks-2/
  • BlackPOS - http://www.cyphort.com/parallels-among-three-notorious-pos-malwares-attacking-u-s-retailers/
  • EvilBunny - https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4M2lXN1B4eElHcE0/view
  • Eddie - http://maiden-world.com/downloads/wallpaper.html

SLIDE 32

Thank you!

Marion Marschalek @pinkflawd marion@cyphort.com

http://karmadecay.com/