The document discusses 5 case studies of modern reconnaissance techniques used by advanced persistent threat (APT) actors. Each case study examines a different infection vector involving documents with embedded objects that first perform reconnaissance on the target system before deciding whether to deploy a final payload. The case studies demonstrate evolving tactics to avoid exposing valuable code and thwart analysis.

1. Modern reconnaissance phase
by APT – protection layer

2. whoami
• Paul Rascagneres – prascagn@cisco.com // @r00tbsd
• Security Researcher at Cisco Talos
• Malware & APT hunter for more than 7 years…
• Co-Organizer of Botconf, the CFP is still opened ;-)
https://www.botconf.eu/botconf-2017/call-for-papers-2017/

3. whoami
• Warren Mercer – wamercer@cisco.com // @SecurityBeard
• Security Researcher at Cisco Talos
• I like looking at malware and finding it J
• NetSec, Malware Analysis,
Threat Intelligence.
• Co-Founder of BSides Belfast,
don’t go to France,
come to Northern Ireland instead!
https://www.bsidesbelfast.org

4. Agenda
• Infection vector: reconnaissance evolution
• 5 case studies
• Maybe the beginning…
• Mitigations
• Conclusion
• Technical bonus ( if nobody asks questions :P )

5. Infection vector:
reconnaissance evolution

6. Infection vector: reconnaissance evolution
• Why this presentation?
• Few issues for APT actors:
• Sandbox systems
• Automatic analysis of malicious documents
• Valuable code for APT actors:
• Complex RAT framework
• 0-day
• Evolution: the infection vectors include mechanisms to avoid leaking
0-day, complex RAT framework or any valuable code to malware
researchers/security companies

7. Case Study 1 - NATO

8. Case Study 1
• SHA256: ffd5bd7548ab35c97841c31cf83ad2ea5ec02c741560317fc9602a49ce36a763
• Filename: NATO secretary meeting.doc
Matryoshka doll – Reconnaissance Framework

9. Case Study 1
• RTF document with a succession of embedded objects

10. Case Study 1
• First step: Reconnaissance via a first Flash object:
A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f
&DEB=t&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=16
00x1200&DP=72&COL=color&AR=1.0&OS=Windows%20XP&L=en&PT
=ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f&DDP=f&DTS=f&DTE=f
&DTH=f&DTM=f
HTTP request to the C&C (*note the /nato)
Flash in ActiveX object
Windows versionFlash version

11. Case Study 1
• Second step: if the collected data is good for the operator:
Downloading of the Payload & Flash Exploit
• if not: end of chain :’(

12. Case Study 1
• Third step: Flash loading and exploitation & payload execution
On the fly Flash loading
Shellcode variable

13. Case Study 1
• Cisco Umbrella helped us to identify DNS traffic associated with this
C&C. The huge quantity of requests starting the 16th of January was
performed by the security research community:

14. Case Study 2 – Dina Bosio

15. Case Study 2
• SHA256: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6
• Filename: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc

16. • Macro
Beginning of the
encoded next
stage
JavaScript stage
RC4 key in argument to the
JavaScript stage
Ca se S t ud y 2

17. • JavaScript
Base64 function
RC4 function
Ca se S t ud y 2

18. Case Study 2
• Final payload
Systeminfo
net view
net view /domain
tasklist /v
gpresult /z
netstat -nao
ipconfig /all
arp -a
net share | net use | net user
net user administrator
net user /domain
net user administrator /domain
set
dir %systemdrive%Users*.*
dir
%userprofile%AppDataRoamingMicrosoftWindowsRecent*.*
dir %userprofile%Desktop*.*
tasklist /fi modules eq wow64.dll
tasklist /fi modules ne wow64.dll
dir %programfiles(x86)%
dir %programfiles%
dir %appdata%
CC

19. Case Study 2
• Data sent to 2 compromised websites
• If the data is good for the attacker, a PE32 file is download and
executed (MailForm.pif)
• If not: no final payload :’(

20. Case Study 3 – Survey Time!

21. Case Study 3
• SHA256: eb1f47c9f71d3fd2ff744a9454c256bf3248921fbcbadf0a80d5e73a0c6a82de
• Filename: survey.xls

22. Case Study 3
• Macro
• Creation of a VBS to execute a PowerShell
Execution with a Schedule Task…
No CreateProcess()

23. Case Study 3
CC

24. Case Study 3
• A batch file is downloaded from the C&C in order to collect
information about the target system:
• If the collected data is sufficient for the attacker a RAT is
downloaded, if not: no final payload

25. Case Study 4 – Korean New Year

26. Case Study 4
• SHA256: 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919
• Filename: 5170101-17년_북한_신년사_분석.hwp
(5170101-17 __ North Korea _ New Year _ analysis .hwp)

27. Case Study 4
• Hangul Word Processor
• A HWP document allegedly written by Korean Ministry of Unification
• The document contains links to 2 OLE objects

28. Case Study 4
• The OLE objects drop 2 executables
C:UsersADMINI~1AppDataLocalTempHwp (2).exe
C:UsersADMINI~1AppDataLocalTempHwp (3).exe

29. Case Study 4
• First step : open a decoy document

30. Case Study 4
• Second step: collect information about the target
- Computer name
- Username
- Execution path
- BIOS Model
(HKLMSystemCurrentControlSetServicesmssmbi
osDataSMBiosData)
• Purpose: to determine if target is suitable for attack

31. Case Study 4
• Example request (PCAP available on VirusTotal)
Decoded data:
0F37555F#0#0#0#TEQUILABOOMBOOM#janetted
oe#C:4b20883386665bd205ac50f34f7b6293747f
d720d602e2bb3c270837a21291b4#innotek
GmbH VirtualBox 1.2
Hostname
username
Execution path
BIOS model

32. Case Study 4
• Third step: if the collected data is sufficient for the attacker: download
& execute the final payload, if not: no payload (.jpg file)
• The command & control is a compromised Korean governmental
website: Korean Government Legal Service
- www.kgls.or.kr/news2/news_dir/index.php (where the collected
information is sent)
- www.kgls.or.kr/news2/news_dir/02BC6B26_put.jpg (where
02BC6B26 is a random ID)

33. Global mapGlobal map

34. Case Study 5 - ROKRAT

35. Case Study 5
• From the official email contact of
Korea Global Forum
• Compromised & abused email
• Email asking to complete attached
document

36. Case Study 5
• Email asking for help from someone
in North Korea
• Attacker works on empathy

37. Case Study 5

38. Case Study 5
• EPS Object embedded within
HWP document.
• ZLIB Compression (Default with
Hangul)
• EPS Document is where the magic
was, by magic, we mean exploit !

39. Case Study 5
• Extracted EPS object reveals the exploit
• CVE-2013-0808 exploit used which is an EPS based overflow
• Shellcode directly embedded in the EPS, using a NOP Sled (0x04)
http://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg
http://discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpg

40. Case Study 5
• Analysis Frustrations! This can complicated analysis and make it harder!
Infinite loop of sleep on Windows XP or Windows Server 2003

41. Case Study 5
• Doh! More anti-analysis techniques used!
Control of the running process to detect analysis tools
• "mtool" for VMWare Tools
• "llyd" for OllyDBG
• "ython" for Python (Cuckoo Sandbox for example)
• "ilemo" for File Monitor
• "egmon" for Registry Monitor
• "peid" for PEiD
• "rocex" for Process Explorer
• "vbox" for VirtualBox
• "iddler" for Fiddler
• "ortmo" for Portmon
• "iresha" for Wireshark
• "rocmo" for Process Monitor
• "utoru" for Autoruns
• "cpvie" for TCPView

42. Case Study 5
• Beginning to get annoying now… Right?
Fake IOCs in analysis tools or sandbox, trying to confuse you!
https://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg
http://www[.]hulu[.]com/watch/559035/episode3.mp4

43. Case Study 5
• C&C Infrastructure, used for controlling compromised assets, ROKRAT brought
their A Game.
• CC #1: Twitter used
• Traffic analysis can be difficult
• Used 7 different hardcoded Twitter
API Tokens for C2
• Used Update, Tweet & Search API
functions

44. Case Study 5
• File exfiltration can be hard, normally.
• CC #2: Yandex (Cloud storage
platform)
• Used for file/document exfiltration
• Using API functionality again, this
time 4 tokens identified
• Performed over HTTPS

45. Case Study 5
• More file exfiltration!
• CC #3: Mediafire (Cloud Platform)
• Additional mechanism for
file/document exfiltration
• Single API token identified, again
hard coded
• HTTPS, again!

46. Case Study 5
• File/Document exfiltration was complimented, why not have everything?
• Attacker implemented screen shot & key logging functionality.

47. Case Study Summary
• Users. Users. Users. Users. Users. Users. Users. Users.
• They’re the weak target in every case study.
• Spear Phishing is a favoured method of infection through all, this
results in small campaigns and less arousal of suspicion.
• Innovation attempts to keep their exploits and capabilities private.
• Target / Asset information collection – ensure their exploits are not
wasted.

48. Maybe the beginning…

49. Maybe the beginning
• No APT tools but could inspire some actors….
• MS Publisher documents
• “Unlike other applications within the Microsoft
Office suite, Microsoft Publisher does not support
a 'Protected View' mode. This is a read only mode
which can help end users remain protected from
malicious document files. Microsoft Publisher is
included and installed by default in Office 365.”
• => http://blog.talosintelligence.com/2017/02/pony-pub-files.html

50. Maybe the beginning
• No APT tools but could inspire some actors….
• “Yay! I use MacOS… I’m saved !! “
• Interesting sample:
• sha256: 40c414fd75de6def664b3e953313125fc5e05628b6a2e07ded7634dc4f884666

51. Maybe the beginning
• No APT tools but could inspired some actors….
• “Yay! I use MacOS… I’m saved !! “

52. Maybe the beginning
macshell() + Python script ;)

53. Mitigations

54. Mitigations
• Office Macro:
• Disable Macro execution
• New feature in Office 2016:
https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-
feature-in-office-2016-can-block-macros-and-help-prevent-
infection/
• PowerShell:
• To restrict Execution Policy
• Set-ExecutionPolicy -ExecutionPolicy Restricted

55. Mitigations
• JavaScript / Wscript
• To disable WSH
• HKEY_LOCAL_MACHINESoftwareMicrosoftWindows Script
HostSettingsEnabled => REG_DWORD = 0
• More generally
• Keep your software up to date…
• AppLocker (correctly configured!!! Don’t forget dll loading)
• Device Guard / VBS

56. Mitigations
• Monitoring of the usage of scripting languages
• MacOS mitigations…
• For Microsoft Office, see previous slides
• For script control… … … no method

57. Conclusion

58. Conclusion
• APT actors put more and more efforts to protect valuable code by
performing reconnaissance before the final payload execution
• In the near future:
• more controls of the target’s relevance
• CC used for reconnaissance alive for only few hours/days
• 0-day & advanced RAT framework are expensive, the bad guys
will improve the way to deliver its on the real targets (memory
only/fileless/…)
• New difficulties for malware researchers: without the last stage and
the final payload, the investigations will be complicated and
incomplete

59. Conclusion
• Scripting languages on Windows are really trendy for APT
campaigns:
• PowerShell
• JavaScript
• Batch
• …
• These languages are native, embedded in Windows and powerful
• Obfuscation is included almost « by design » for these languages
• Monitoring is mandatory

60. Conclusion
• If that target was already compromised in the past, the
identification of the relevance is easier:
• Is the domain name known from the previous compromise?
• Is the OS version known from the previous compromise?
• Is the network setup known from the previous compromise?
• Is the available account setup known from the previous
compromise?
• …
• In this context, bad guys know your internal infrastructure…

61. Technical Bonus

62. Technical Bonus

63. Technical Bonus
• Powershell is an unmissable tool for malware developers…
• How to automate Powershell analysis ?
• Can we debug Powershell scripts with WinDBG ?
YES we can

64. Technical Bonus
We are here: cdb is the CLI

65. Technical Bonus
• Usage of unmanaged code (for example dllimport)
• Standard WinDBG breakpoint => bp kernelbase!VirtualAlloc
• No specific WinDBG tricks, debug “as usual”

66. Technical Bonus
• Usage of managed code == .NET framework
0:011> .loadby sos clr
0:011> !bpmd system.dll System.Diagnostics.Process.Start
Found 6 methods in module 00007fff97581000...
breakpoint: bp 00007FFF977C96D9 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E8057D [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E80539 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E804B6 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E80436 [System.Diagnostics.Process.Start(System.
System.String, breakpoint: bp 00007FFF977C72DA [System.Diagnostics.Proces
Adding pending breakpoints...
• SOS for .NET analysis + breakpoint

67. Technical Bonus
• Usage of managed code == .NET framework
Breakpoint 0 hit
System_ni+0x2496d9:
00007fff`977c96d9 488d0d08711e00 lea rcx,[System_ni+0x4307e8
(00007fff`979b07e8)]
0:008> !CLRStack -p
OS Thread Id: 0x2d34 (8)
Child SP IP Call Site
000000a7f9ace700 00007fff977c96d9
System.Diagnostics.Process.Start(System.Diagnostics.ProcessStartInfo)
PARAMETERS:
startInfo (<CLR reg>) = 0x0000028cbd5faa18
• .NET breakpoint & arguments playing

68. Technical Bonus
• Usage of managed code == .NET framework
0:008> !DumpObj /d 0000028cbd5faa18
Name: System.Diagnostics.ProcessStartInfo
MethodTable: 00007fff979ae380
EEClass: 00007fff975e29f0
Size: 144(0x90) bytes
File:
C:WINDOWSMicrosoft.NetassemblyGAC_MSILSystemv4.0_4.0.0.0__b77a5c561934e089System.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007fff9897de98 40027f3 8 System.String 0 instance 0000028cbd5fde18 fileName
00007fff9897de98 40027f4 10 System.String 0 instance 0000000000000000 arguments
[...redacted...]
00007fff9897ad70 4002806 58 System.WeakReference 0 instance 0000000000 weakParentProces
00007fff979af0a0 4002807 60 ....StringDictionary 0 instance 000000 environmentVariables
00007fff982e5ec0 4002808 68 ...tring, mscorlib]] 0 instance 0000000000000 environment
• .NET breakpoint & arguments playing

69. Technical Bonus
• Usage of managed code == .NET framework
0:008> !DumpObj /d 0000028cbd5fde18
Name: System.String
MethodTable: 00007fff9897de98
EEClass: 00007fff982d35f0
Size: 88(0x58) bytes
File:
C:WINDOWSMicrosoft.NetassemblyGAC_64mscorlibv4.0_4.0.0.0__b77a5c56
1934e089mscorlib.dll
String: C:WINDOWSsystem32notepad.exe
• .NET breakpoint & arguments playing

70. Technical Bonus
• Usage of managed code == .NET framework
0:008> dp rcx+8 L1
0000028c`bd5faa20 0000028c`bd5fde18
0:008> du 0000028c`bd5fde18+0xC
0000028c`bd5fde24 "C:WINDOWSsystem32notepad.exe"
• For geeks directly in RCX

71. Technical Bonus
• Usage of managed code == .NET framework
0:011> .loadby sos clr
0:008> !bpmd system.dll System.Net.WebClient.DownloadFile
Found 2 methods in module 00007fff97581000...
MethodDesc = 00007fff976c1fe8
MethodDesc = 00007fff976c1ff8
Setting breakpoint: bp 00007FFF97DCAE0C
[System.Net.WebClient.DownloadFile(System.Uri, System.String)]
Setting breakpoint: bp 00007FFF97DCADBC
[System.Net.WebClient.DownloadFile(System.String, System.String)]
Adding pending breakpoints...
• SOS for .NET analysis + breakpoint

72. Technical Bonus
• Usage of managed code == .NET framework
Breakpoint 7 hit
System_ni+0x84adbc:
00007fff`97dcadbc 4885d2 test rdx,rdx
• SOS for .NET analysis + breakpoint

73. Technical Bonus
• Usage of managed code == .NET framework
0:008> du rdx+c
0000028c`bd53f13c "http://blog.talosintelligence.co"
0000028c`bd53f17c "m/"
0:008> du r8+c
0000028c`bd53f3b4 "c:usersluciferdesktopdemo.tx"
0000028c`bd53f3f4 "t"
• SOS for .NET analysis + breakpoint

74. www.talosintelligence.com
blog.talosintel.com
@talossecurity
@r00tbsd
@SecurityBeard