Francisco J Donoso, Randori
Most research into the Shadow Brokers' leaks of Equation Group tools has focused on the Equation Group's brilliant exploits, but very few researchers have concentrated on the group's extremely effective post-exploitation capabilities.
This talk expands on my research into the Equation Group's post-exploitation tools. My previous research focused on providing a general overview of DanderSpritz, a full-featured post-exploitation toolkit included in the Shadow Brokers' "Lost in Translation" leak. This talk provides a deep dive into KillSuit, the Equation Group's Swiss Army knife for persistence, information gathering, defense evasion, and data exfiltration in unique and interesting ways.
During the talk, we will dissect the capabilities and functionality of the KillSuit framework, a little-known (and somewhat overlooked) component of the much larger DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full-featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to quietly establish persistence on machines via bootkits and other persistence methods and then allows operators to install persistent modules such as keyloggers, packet capture tools, tools that perform WiFi MITM, and other information gathering tools. KillSuit also includes support for many plugins that provide interesting ways to silently exfiltrate data, some specifically designed to make data exfiltration across air-gapped networks possible, including custom-written IPsec-like protocols and misuse of "disabled" WiFi cards and nearby open networks.
4. • RESEARCHERS FOCUSED ON EXPLOITS
• WANTED TO KNOW MORE ABOUT “APT” POST EXPLOITATION
• ENCOURAGE OTHERS TO RESEARCH & REVERSE
• THIS HAS WORKED (A LITTLE)!
• WANTED A TECHNICAL SIDE PROJECT
5. • BRIEF OVERVIEW OF DANDERSPRITZ
• QUICK HISTORY OF THE FRAMEWORK(S)
• GETTING TO POST-EXPLOITATION
• KILLSUIT
• PERSISTENCE
• EVASION
• DATA EXFIL
• QUANTUM SHOOTER – MAN ON THE SIDE
• DANDERSPRITZ LAB
6. • FREAKING COOL
• A FULLY FUNCTIONAL POST-EXPLOITATION FRAMEWORK
• WRITTEN IN JAVA
• EXTREMELY MODULAR
• “PLUGINS” (FEATURES) WRITTEN IN PYTHON / CUSTOM SCRIPTING ☺
• DESIGNED FOR STEALTH
• DESIGNED TO PREVENT DUMB OPERATORS FROM MESSING IT UP
20. • EXTREMELY MODULAR PERSISTENCE FRAMEWORK
• MULTIPLE SUPPORTED PERSISTENCE METHODS
• CAN LOAD SEVERAL DIFFERENT ”PLUGINS”
• ENCRYPTION FOR EVERYTHING
21. • INSTANCE = A SPECIFIC INSTANCE OF KILLSUIT (MULTIPLE CAN BE INSTALLED)
• TYPE = A SPECIFIC KISU INSTANCE INTENDED TO SUPPORT PERSISTENCE FOR A COMPLEX IMPLANT
• LAUNCHER = THE DRIVER EXPLOITED TO RUN KERNEL MODE CODE
• MODULE = SPECIFIC IMPLANT / CODE THAT IS INTENDED TO BE PERSISTENT
• MODULE STORE = ENCRYPTED VIRTUAL FILE SYSTEM
23. • MODIFIES VBR TO LOAD KERNEL DRIVER
• USES ENCRYPTED TRUETYPE FONT FILES AS "CONTAINERS" FOR THE KERNEL DRIVER
• PATCHES WINLOAD.EXE & THE FIRST DRIVER LOADED DURING BOOT TIME
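The VBR modification described on this slide is the part of the chain a defender can check from disk: a VBR bootkit has to rewrite the bootstrap code in the volume boot record but must leave the BIOS Parameter Block intact so the volume still mounts. The following is an added example (not code from the talk, the lab, or the leak) that parses an NTFS VBR, hashes only its bootstrap-code region, and compares it to a known-good baseline. The sample sectors, the bootstrap byte patterns and the BPB values are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_OFFSET = 0x54      # NTFS VBR: BPB (0x0B-0x23) and extended BPB (0x24-0x53) end here
SIGNATURE_OFFSET = 0x1FE     # 0x55AA boot signature closes the sector
NTFS_JUMP = b"\xEB\x52\x90"  # jmp short + nop that every NTFS VBR starts with
NTFS_OEM_ID = b"NTFS    "


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Pull the fields of an NTFS volume boot record that a bootkit check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    return {
        "jump": sector[0:3],
        "oem_id": sector[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "mft_cluster": struct.unpack_from("<Q", sector, 0x30)[0],
        "signature": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2],
        # The bootstrap code is what a VBR bootkit rewrites; the BPB is left alone so the
        # volume still mounts. Hashing only the code region keeps the baseline independent
        # of any one volume's BPB values.
        "bootstrap_sha256": hashlib.sha256(sector[BOOTSTRAP_OFFSET:SIGNATURE_OFFSET]).hexdigest(),
    }


def check_vbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return findings for one VBR; an empty list means it matches the known-good baseline."""
    vbr = parse_ntfs_vbr(sector)
    findings = []
    if vbr["signature"] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    if vbr["oem_id"] != NTFS_OEM_ID:
        findings.append("OEM ID is not 'NTFS    ': %r" % vbr["oem_id"])
    if vbr["jump"] != NTFS_JUMP:
        findings.append("unexpected entry jump: %s" % vbr["jump"].hex())
    if vbr["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings


def build_sample_vbr(bootstrap: bytes) -> bytes:
    """Constructed sample sector for this example; BPB values are arbitrary but well-formed."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = NTFS_JUMP
    s[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)      # bytes/sector, sectors/cluster
    struct.pack_into("<Q", s, 0x30, 786432)       # $MFT start cluster
    s[BOOTSTRAP_OFFSET:BOOTSTRAP_OFFSET + len(bootstrap)] = bootstrap
    s[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(s)


# Known-good sector captured at baseline time (constructed here, not a real Windows VBR).
CLEAN_VBR = build_sample_vbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 40)
# The same volume after a bootkit replaced the bootstrap code but kept the BPB untouched.
TAMPERED_VBR = build_sample_vbr(b"\xE9\x00\x01" + b"\xCC" * 46)
BASELINE = parse_ntfs_vbr(CLEAN_VBR)["bootstrap_sha256"]

if __name__ == "__main__":
    for name, vbr in (("clean", CLEAN_VBR), ("tampered", TAMPERED_VBR)):
        print(name, check_vbr(vbr, BASELINE) or "OK")
```

On a live Windows host the VBR of the system volume is the first 512 bytes of `\\.\C:` (open it read-only as administrator); the bootstrap code is identical across installations of the same Windows build, so one baseline taken from a clean machine covers a fleet. Two caveats: this only applies to BIOS/MBR boot (UEFI firmware never executes VBR bootstrap code), and per the slide the implant goes on to patch winload.exe and the first boot driver in memory, so an unchanged on-disk VBR rules out this first stage only. Hashing the sectors immediately after the VBR as well is cheap and catches code hidden there.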
25. • LAUNCHES A "KERNEL MODE ORCHESTRATOR" BY EXPLOITING A "LAUNCHER" DRIVER
• PROVIDES ABILITY TO RUN *UNSIGNED* KERNEL MODE AND USER MODE CODE
• BEGINS LAUNCHING IMPLANTS
• INJECTS MALICIOUS USER MODE CODE INTO PROCESSES
28. • EVERYTHING ENCRYPTED WITH UNIQUE KEY PER TARGET
• VIRTUAL FILE SYSTEM STORED IN REGISTRY
• PROCESS INJECTION FOR USER MODE CODE
• TEMPORARILY CREATE FILES
• TIME STOMPING
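Time stomping, the last evasion on this slide, rewrites the $STANDARD_INFORMATION timestamps of the files the framework temporarily creates so they blend in with the surrounding OS files. The classic forensic counter-check compares them with the $FILE_NAME timestamps, which the kernel maintains and user-mode SetFileTime cannot touch. The following is an added example (not code from the talk or the leak) that applies two such indicators to MFT timestamp records; the records, the file paths and the timestamp values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000            # FILETIME counts 100 ns intervals since 1601-01-01
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(year, month, day, hour=0, minute=0, second=0, sub_second_ticks=0) -> int:
    """Build a Windows FILETIME value; sub_second_ticks is the 100 ns remainder."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + sub_second_ticks


@dataclass
class MftRecord:
    """The two timestamp sets of one MFT entry: $STANDARD_INFORMATION (SI) and $FILE_NAME (FN)."""
    path: str
    si_created: int
    si_modified: int
    fn_created: int
    fn_modified: int


def timestomp_indicators(rec: MftRecord) -> list:
    """Return the indicators suggesting the $STANDARD_INFORMATION times were rewritten."""
    findings = []
    # FN is written by the kernel when the entry is created and is not settable through
    # SetFileTime, so an SI creation time earlier than the FN creation time means SI was
    # pushed back after the file already existed.
    if rec.si_created < rec.fn_created:
        findings.append("SI creation predates FN creation")
    # Timestamps pushed through a second-granularity API end on an exact second; genuine
    # NTFS timestamps almost never do. Files copied from FAT media or extracted from
    # archives are the known false positive, so treat this as a weak indicator on its own.
    if rec.si_created % TICKS_PER_SECOND == 0 and rec.si_modified % TICKS_PER_SECOND == 0:
        findings.append("SI timestamps have a zero sub-second component")
    return findings


# Constructed records for this example (not taken from a real image).
GENUINE = MftRecord(
    path=r"C:\Windows\System32\drivers\example.sys",
    si_created=filetime(2017, 4, 14, 9, 12, 33, 4_812_345),
    si_modified=filetime(2017, 4, 14, 9, 12, 33, 4_812_345),
    fn_created=filetime(2017, 4, 14, 9, 12, 33, 4_812_345),
    fn_modified=filetime(2017, 4, 14, 9, 12, 33, 4_812_345),
)
STOMPED = MftRecord(
    path=r"C:\Windows\System32\drivers\dropped.sys",
    si_created=filetime(2009, 7, 14, 1, 14, 22),             # backdated to look like an OS file
    si_modified=filetime(2009, 7, 14, 1, 14, 22),
    fn_created=filetime(2017, 4, 14, 9, 12, 33, 4_812_345),  # the kernel's own record of creation
    fn_modified=filetime(2017, 4, 14, 9, 12, 33, 4_812_345),
)

if __name__ == "__main__":
    for rec in (GENUINE, STOMPED):
        print(rec.path, timestomp_indicators(rec) or "no indicators")
```

Two limits matter for this particular framework. A rename or move copies the current SI times into the new $FILE_NAME attribute, so stomping first and renaming afterwards defeats the first check; cross-reference $UsnJrnl and $LogFile for the real creation event. More importantly, KillSuit runs code in kernel mode, where $FILE_NAME can be written directly, so these indicators catch user-mode-style stomping and should not be read as a clean bill of health when they are absent.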
34. • STEALTHY KEYLOGGERS
• PERSISTENCE VIA KILLSUIT USING THE "STLA" INSTANCE TYPE
• STORES ENCRYPTED DATA IN VBNARM.DLL (CONFIGURABLE)
35. • FULLY FEATURED PACKET CAPTURE TOOL
• USES BERKELEY PACKET FILTER (BPF) FILTER FORMAT
• INSTALLED ONTO AN EXISTING KILLSUIT INSTANCE
• CAPTURED DATA STORED TO AN ENCRYPTED CONTAINER
37. • DANDERSPRITZ INCLUDES DRIVERS TO INTERACT WITH SEVERAL DATABASES
• CAN BE INSTALLED PERSISTENTLY WITH KISU
• MSSQL, MYSQL, SQLITE, ORACLE
39. • WIFI MAN IN THE MIDDLE (MITM)
• USES A SEPARATE KILLSUIT INSTANCE WITH ITS OWN TYPE (MABE)
• INSTALLS DRIVER WITH PACKET INJECTION CAPABILITIES
42. • STRAITBIZARRE = IMPLANT DESIGNED FOR STEALTHY DATA EXFIL
• FRIEZERAMP = CUSTOM NETWORK PROTOCOL
• PROVIDES COVERT & ENCRYPTED NETWORKING CAPABILITIES
• USES ”ADAPTERS” TO INSERT PACKETS INTO RELEVANT TRANSPORT LAYER
• SIMILAR TO IPSEC
44. • DATA EXFIL VIA UN-USED / DISABLED WIFI CARDS
• USED WHEN THE TARGET IS AIR GAPPED
• CAN USE STOLEN CREDENTIALS OR SEND VIA OPEN NETWORKS
• USES A SEPARATE KILLSUIT INSTANCE WITH ITS OWN TYPE (SOKN)
51. • STRAITBIZARRE SHOOTER REDIRECTS TO FOXACID EXPLOIT SERVER
• EXPLOIT SERVER DEPLOYS “VALIDATOR”
• VALIDATOR CONFIRMS IF TARGET IS INTERESTING
• UPGRADE TO UNITED RAKE
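The "man on the side" redirect in this chain works by racing the real server: the shooter sees the client's request and injects a response at the sequence number the client is expecting, and whichever segment arrives first wins while the other is discarded as a duplicate. That leaves a network-visible artifact, two segments on one flow with the same sequence number but different payload, which is the standard way to detect this class of injection. The following is an added example (not code from the talk or the leak) that runs that check over a small constructed capture; the addresses, ports, sequence numbers, TTLs and the redirect URL are all made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a sensor sees it (only the fields the check needs)."""
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def find_injected_segments(segments) -> list:
    """Flag segments that reuse a sequence number already seen on the flow with different data.

    A retransmission repeats the same bytes at the same seq; a man-on-the-side shooter
    sends *different* bytes at the seq the client is expecting. Whichever arrives first
    wins at the client, so the function works for both orderings.
    """
    first_seen = {}
    alerts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue                      # pure ACKs carry no data to compare
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        earlier = first_seen.get(key)
        if earlier is None:
            first_seen[key] = seg
            continue
        n = min(len(earlier.payload), len(seg.payload))
        if earlier.payload[:n] != seg.payload[:n]:
            alerts.append({
                "flow": key[:4],
                "seq": seg.seq,
                "winner_ts": earlier.ts,
                "winner_ttl": earlier.ttl,
                "winner_preview": earlier.payload[:24],
                "loser_ts": seg.ts,
                "loser_ttl": seg.ttl,
                "loser_preview": seg.payload[:24],
                # A different hop count is a second hint that the two segments were sent
                # from different places; it is not proof, an on-path box can match the TTL.
                "ttl_mismatch": earlier.ttl != seg.ttl,
            })
    return alerts


# Constructed capture for this example: a client fetches a page; the shooter's 302 arrives
# 25 ms before the real server's 200 at the same sequence number.
CLIENT, SERVER = ("10.0.0.5", 51234), ("203.0.113.10", 80)
SAMPLE = [
    Segment(0.000, *CLIENT, *SERVER, seq=1000, ttl=64,
            payload=b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Segment(0.095, *SERVER, *CLIENT, seq=5000, ttl=57,
            payload=b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example.test/\r\n\r\n"),
    Segment(0.120, *SERVER, *CLIENT, seq=5000, ttl=49,
            payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."),
    Segment(0.121, *CLIENT, *SERVER, seq=1042, ttl=64, payload=b""),
]

if __name__ == "__main__":
    for alert in find_injected_segments(SAMPLE):
        print("injected segment on %s:%d -> %s:%d seq=%d, winner ttl=%d loser ttl=%d"
              % (*alert["flow"], alert["seq"], alert["winner_ttl"], alert["loser_ttl"]))
```

To run this on real traffic, decode a pcap into `Segment` objects with a packet library of your choice and feed them in; the check itself is protocol-agnostic, so it also catches injection into non-HTTP flows. The sensor has to be placed where it sees both the injected and the genuine response (between the client and the shooter's vantage point), and TLS removes the content-injection opportunity entirely, which is why this stage of the chain targets plaintext requests.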
62. • FULLY FUNCTIONAL DANDERSPRITZ LAB IN 2 COMMANDS
• PACKER BUILD DANDERSPRITZ_LAB.JSON
• VAGRANT UP
63. • BRIEF OVERVIEW OF DANDERSPRITZ
• FRAMEWORK HISTORY & OVERVIEW
• GETTING TO POST-EXPLOITATION
• SOLARTIME
• KILLSUIT MODULES
• QUANTUM SHOOTER – MAN ON THE SIDE
• DANDERSPRITZ LAB