The document discusses 5 case studies of modern reconnaissance techniques used by advanced persistent threat (APT) actors. Each case study examines a different infection vector involving documents with embedded objects that first perform reconnaissance on the target system before deciding whether to deploy a final payload. The case studies demonstrate evolving tactics to avoid exposing valuable code and thwart analysis.
2. whoami
• Paul Rascagneres – prascagn@cisco.com // @r00tbsd
• Security Researcher at Cisco Talos
• Malware & APT hunter for more than 7 years…
• Co-Organizer of Botconf, the CFP is still open ;-)
https://www.botconf.eu/botconf-2017/call-for-papers-2017/
3. whoami
• Warren Mercer – wamercer@cisco.com // @SecurityBeard
• Security Researcher at Cisco Talos
• I like looking at malware and finding it :)
• NetSec, Malware Analysis, Threat Intelligence.
• Co-Founder of BSides Belfast, don’t go to France, come to Northern Ireland instead!
https://www.bsidesbelfast.org
4. Agenda
• Infection vector: reconnaissance evolution
• 5 case studies
• Maybe the beginning…
• Mitigations
• Conclusion
• Technical bonus ( if nobody asks questions :P )
6. Infection vector: reconnaissance evolution
• Why this presentation?
• A few issues for APT actors:
• Sandbox systems
• Automatic analysis of malicious documents
• Valuable code for APT actors:
• Complex RAT framework
• 0-day
• Evolution: the infection vectors include mechanisms to avoid leaking 0-day, complex RAT framework or any valuable code to malware researchers/security companies
8. Case Study 1
• SHA256: ffd5bd7548ab35c97841c31cf83ad2ea5ec02c741560317fc9602a49ce36a763
• Filename: NATO secretary meeting.doc
Matryoshka doll – Reconnaissance Framework
9. Case Study 1
• RTF document with a succession of embedded objects
10. Case Study 1
• First step: Reconnaissance via a first Flash object. The Flash capabilities string sent in the HTTP request to the C&C:
A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f&DEB=t&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=1600x1200&DP=72&COL=color&AR=1.0&OS=Windows%20XP&L=en&PT=ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f&DDP=f&DTS=f&DTE=f&DTH=f&DTM=f
[Screenshot callouts: HTTP request to the C&C (note the /nato path); Flash in ActiveX object; Windows version; Flash version]
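An added example (not from the Talos slides) that decodes the Flash Player Capabilities.serverString shown above, so an analyst reviewing proxy logs can read what the first-stage object fingerprinted; the field meanings follow the Flash Player Capabilities class, and the sample string is the slide's, re-joined across its line breaks.

```python
# Added example (not from the Talos slides): decode the Flash Player
# Capabilities.serverString that the Case Study 1 ActiveX object sends to its
# C&C, so a proxy-log reviewer can read what was fingerprinted.
from urllib.parse import parse_qsl

# Selected field meanings from the Flash Player Capabilities class.
FIELDS = {"OS": "operating system", "V": "Flash Player version", "PT": "player type",
          "M": "manufacturer", "R": "screen resolution", "L": "language",
          "DEB": "debug player", "AVD": "a/v hardware disabled", "ACC": "accessibility"}

# The string from the slide, re-joined across its line breaks.
SAMPLE = ("A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f&DEB=t"
          "&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=1600x1200&DP=72&COL=color"
          "&AR=1.0&OS=Windows%20XP&L=en&PT=ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f"
          "&DDP=f&DTS=f&DTE=f&DTH=f&DTM=f")

def looks_like_server_string(query):
    """Triage test for a URL query: a serverString always carries V, OS, PT and M."""
    keys = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    return {"V", "OS", "PT", "M"} <= keys

def decode_server_string(query):
    """Undo the %xx escapes and turn the t/f flags into booleans."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out[key] = (value == "t") if value in ("t", "f") else value
    return out

def summarize(query):
    """Analyst-friendly view of the fingerprint: {meaning: value}."""
    data = decode_server_string(query)
    return {FIELDS[k]: data[k] for k in FIELDS if k in data}
```

A serverString hitting a first-seen domain shortly after a document is opened is the pattern to hunt for in proxy logs; the decoded OS and player version tell you what the operator was selecting on.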
11. Case Study 1
• Second step: if the collected data is good for the operator:
Downloading of the Payload & Flash Exploit
• if not: end of chain :’(
12. Case Study 1
• Third step: Flash loading and exploitation & payload execution
[Screenshot callouts: on-the-fly Flash loading; shellcode variable]
13. Case Study 1
• Cisco Umbrella helped us to identify DNS traffic associated with this C&C. The huge quantity of requests starting on the 16th of January was performed by the security research community:
15. Case Study 2
• SHA256: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6
• Filename: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc
16. Case Study 2
• Macro
[Screenshot callouts: beginning of the encoded next stage; JavaScript stage; RC4 key passed as an argument to the JavaScript stage]
18. Case Study 2
• Final payload: the commands below are run to collect information about the host
systeminfo
net view
net view /domain
tasklist /v
gpresult /z
netstat -nao
ipconfig /all
arp -a
net share | net use | net user
net user administrator
net user /domain
net user administrator /domain
set
dir %systemdrive%\Users\*.*
dir %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*
dir %userprofile%\Desktop\*.*
tasklist /fi modules eq wow64.dll
tasklist /fi modules ne wow64.dll
dir %programfiles(x86)%
dir %programfiles%
dir %appdata%
[Screenshot callout: C&C]
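Added detection example, not from the slides: a small process-creation analyzer that flags one parent process spawning a burst of the reconnaissance commands listed above. The event fields (ts in seconds, ppid, cmdline) and the sample events are constructed; map your own Sysmon/EDR schema onto them.

```python
# Added detection example (not from the Talos slides): flag a parent process that
# spawns a burst of the host-reconnaissance commands listed above. The event
# fields (ts in seconds, ppid, cmdline) and the sample events are constructed.
from collections import defaultdict

# Recon commands that run as separate processes; shell builtins (dir, set)
# never appear as process creations, so they are not listed.
RECON = {"systeminfo": None, "tasklist": None, "gpresult": None, "netstat": None,
         "ipconfig": None, "arp": None, "net": {"view", "share", "use", "user"}}

def classify(cmdline):
    """Return 'net user', 'tasklist', ... for a recon command, else None."""
    parts = cmdline.strip().lower().split()
    exe = parts[0].rsplit("\\", 1)[-1].removesuffix(".exe") if parts else ""
    if exe not in RECON:
        return None
    if RECON[exe] is None:
        return exe
    return f"{exe} {parts[1]}" if len(parts) > 1 and parts[1] in RECON[exe] else None

def find_recon_bursts(events, min_distinct=5, window=120):
    """Parents that ran >= min_distinct different recon commands within `window`
    seconds; `events` must be sorted by ts. Returns {ppid: sorted labels}."""
    per_parent = defaultdict(list)
    for ev in events:
        label = classify(ev["cmdline"])
        if label:
            per_parent[ev["ppid"]].append((ev["ts"], label))
    hits = {}
    for ppid, seq in per_parent.items():
        for i, (t0, _) in enumerate(seq):
            seen = {lbl for t, lbl in seq[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits[ppid] = sorted(seen)
                break
    return hits

# Constructed sample: a script host (pid 4120) running the case-study commands
# within seconds, plus an administrator running one ipconfig from pid 900.
SAMPLE_EVENTS = [
    {"ts": 1, "ppid": 4120, "cmdline": "systeminfo"},
    {"ts": 2, "ppid": 4120, "cmdline": "net view /domain"},
    {"ts": 2, "ppid": 4120, "cmdline": "tasklist /v"},
    {"ts": 3, "ppid": 4120, "cmdline": "gpresult /z"},
    {"ts": 3, "ppid": 4120, "cmdline": "netstat -nao"},
    {"ts": 4, "ppid": 4120, "cmdline": "C:\\Windows\\System32\\ipconfig.exe /all"},
    {"ts": 5, "ppid": 4120, "cmdline": "net user administrator /domain"},
    {"ts": 180, "ppid": 900, "cmdline": "ipconfig /all"},
]
```

Tune min_distinct and window to your environment: administrators run these tools too, but rarely six or seven of them from one script host in a few seconds.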
19. Case Study 2
• Data sent to 2 compromised websites
• If the data is good for the attacker, a PE32 file is downloaded and executed (MailForm.pif)
• If not: no final payload :’(
24. Case Study 3
• A batch file is downloaded from the C&C in order to collect information about the target system:
• If the collected data is sufficient for the attacker, a RAT is downloaded; if not: no final payload
26. Case Study 4
• SHA256: 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919
• Filename: 5170101-17년_북한_신년사_분석.hwp
(translation: 5170101-17_North_Korea_New_Year's_address_analysis.hwp)
27. Case Study 4
• Hangul Word Processor
• A HWP document allegedly written by the Korean Ministry of Unification
• The document contains links to 2 OLE objects
28. Case Study 4
• The OLE objects drop 2 executables
C:\Users\ADMINI~1\AppData\Local\Temp\Hwp (2).exe
C:\Users\ADMINI~1\AppData\Local\Temp\Hwp (3).exe
30. Case Study 4
• Second step: collect information about the target
- Computer name
- Username
- Execution path
- BIOS model (HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData)
• Purpose: to determine if the target is suitable for attack
31. Case Study 4
• Example request (PCAP available on VirusTotal)
Decoded data:
0F37555F#0#0#0#TEQUILABOOMBOOM#janettedoe#C:\4b20883386665bd205ac50f34f7b6293747fd720d602e2bb3c270837a21291b4#innotek GmbH VirtualBox 1.2
[Screenshot callouts: hostname; username; execution path; BIOS model]
32. Case Study 4
• Third step: if the collected data is sufficient for the attacker: download & execute the final payload; if not: no payload (.jpg file)
• The command & control is a compromised Korean governmental website: Korean Government Legal Service
- www.kgls.or.kr/news2/news_dir/index.php (where the collected information is sent)
- www.kgls.or.kr/news2/news_dir/02BC6B26_put.jpg (where 02BC6B26 is a random ID)
38. Case Study 5
• EPS object embedded within the HWP document.
• ZLIB compression (default with Hangul)
• The EPS document is where the magic was; by magic, we mean exploit!
39. Case Study 5
• Extracted EPS object reveals the exploit
• CVE-2013-0808 exploit used, which is an EPS-based overflow
• Shellcode directly embedded in the EPS, using a NOP sled (0x04)
http://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg
http://discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpg
40. Case Study 5
• Analysis frustrations! This can complicate analysis and make it harder!
[Screenshot callout: infinite loop of Sleep on Windows XP or Windows Server 2003]
41. Case Study 5
• Doh! More anti-analysis techniques used!
Checks the running processes for analysis tools (substring matches):
• "mtool" for VMWare Tools
• "llyd" for OllyDBG
• "ython" for Python (Cuckoo Sandbox for example)
• "ilemo" for File Monitor
• "egmon" for Registry Monitor
• "peid" for PEiD
• "rocex" for Process Explorer
• "vbox" for VirtualBox
• "iddler" for Fiddler
• "ortmo" for Portmon
• "iresha" for Wireshark
• "rocmo" for Process Monitor
• "utoru" for Autoruns
• "cpvie" for TCPView
42. Case Study 5
• Beginning to get annoying now… Right?
Fake IOCs in analysis tools or sandbox, trying to confuse you!
https://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg
http://www[.]hulu[.]com/watch/559035/episode3.mp4
43. Case Study 5
• C&C infrastructure, used for controlling compromised assets: ROKRAT brought their A game.
• CC #1: Twitter used
• Traffic analysis can be difficult
• Used 7 different hardcoded Twitter API tokens for C2
• Used Update, Tweet & Search API functions
44. Case Study 5
• File exfiltration can be hard, normally.
• CC #2: Yandex (cloud storage platform)
• Used for file/document exfiltration
• Using API functionality again, this time 4 tokens identified
• Performed over HTTPS
45. Case Study 5
• More file exfiltration!
• CC #3: Mediafire (cloud platform)
• Additional mechanism for file/document exfiltration
• Single API token identified, again hard coded
• HTTPS, again!
46. Case Study 5
• File/document exfiltration was complemented; why not have everything?
• Attacker implemented screenshot & keylogging functionality.
47. Case Study Summary
• Users. Users. Users. Users. Users. Users. Users. Users.
• They’re the weak target in every case study.
• Spear phishing is the favoured infection method across all of them; this results in small campaigns that arouse less suspicion.
• Innovation attempts to keep their exploits and capabilities private.
• Target / asset information collection – ensures their exploits are not wasted.
49. Maybe the beginning
• No APT tools but could inspire some actors….
• MS Publisher documents
• “Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a 'Protected View' mode. This is a read only mode which can help end users remain protected from malicious document files. Microsoft Publisher is included and installed by default in Office 365.”
• => http://blog.talosintelligence.com/2017/02/pony-pub-files.html
50. Maybe the beginning
• No APT tools but could inspire some actors….
• “Yay! I use MacOS… I’m saved !! “
• Interesting sample:
• sha256: 40c414fd75de6def664b3e953313125fc5e05628b6a2e07ded7634dc4f884666
51. Maybe the beginning
• No APT tools but could inspire some actors….
• “Yay! I use MacOS… I’m saved !! “
54. Mitigations
• Office Macro:
• Disable Macro execution
• New feature in Office 2016: https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
• PowerShell:
• To restrict Execution Policy
• Set-ExecutionPolicy -ExecutionPolicy Restricted
55. Mitigations
• JavaScript / Wscript
• To disable WSH
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled => REG_DWORD = 0
• More generally
• Keep your software up to date…
• AppLocker (correctly configured!!! Don’t forget dll loading)
• Device Guard / VBS
56. Mitigations
• Monitoring of the usage of scripting languages
• MacOS mitigations…
• For Microsoft Office, see previous slides
• For script control… … … no method
58. Conclusion
• APT actors put more and more effort into protecting valuable code by performing reconnaissance before the final payload execution
• In the near future:
• more checks of the target’s relevance
• CC used for reconnaissance alive for only a few hours/days
• 0-day & advanced RAT frameworks are expensive; the bad guys will improve the way they deliver them to the real targets (memory only/fileless/…)
• New difficulties for malware researchers: without the last stage and the final payload, investigations will be complicated and incomplete
59. Conclusion
• Scripting languages on Windows are really trendy for APT campaigns:
• PowerShell
• JavaScript
• Batch
• …
• These languages are native, embedded in Windows and powerful
• Obfuscation is included almost « by design » for these languages
• Monitoring is mandatory
60. Conclusion
• If the target was already compromised in the past, identifying its relevance is easier:
• Is the domain name known from the previous compromise?
• Is the OS version known from the previous compromise?
• Is the network setup known from the previous compromise?
• Is the available account setup known from the previous compromise?
• …
• In this context, bad guys know your internal infrastructure…
63. Technical Bonus
• PowerShell is an unmissable tool for malware developers…
• How to automate PowerShell analysis?
• Can we debug PowerShell scripts with WinDBG? YES we can
65. Technical Bonus
• Usage of unmanaged code (for example DllImport)
• Standard WinDBG breakpoint => bp kernelbase!VirtualAlloc
• No specific WinDBG tricks, debug “as usual”
66. Technical Bonus
• Usage of managed code == .NET framework
0:011> .loadby sos clr
0:011> !bpmd system.dll System.Diagnostics.Process.Start
Found 6 methods in module 00007fff97581000...
breakpoint: bp 00007FFF977C96D9 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E8057D [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E80539 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E804B6 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E80436 [System.Diagnostics.Process.Start(System.
System.String, breakpoint: bp 00007FFF977C72DA [System.Diagnostics.Proces
Adding pending breakpoints...
• SOS for .NET analysis + breakpoint
67. Technical Bonus
• Usage of managed code == .NET framework
Breakpoint 0 hit
System_ni+0x2496d9:
00007fff`977c96d9 488d0d08711e00 lea rcx,[System_ni+0x4307e8 (00007fff`979b07e8)]
0:008> !CLRStack -p
OS Thread Id: 0x2d34 (8)
Child SP         IP               Call Site
000000a7f9ace700 00007fff977c96d9 System.Diagnostics.Process.Start(System.Diagnostics.ProcessStartInfo)
PARAMETERS:
startInfo (<CLR reg>) = 0x0000028cbd5faa18
• .NET breakpoint & arguments playing