The VOHO Campaign: An In-Depth Analysis
Christopher C. Elisan, Principal Malware Scientist
RSA NetWitness

Agenda
• About Me
• About Us
• VOHO Campaign
• Questions and Answers

About Me
Christopher C. Elisan
• Principal Malware Scientist, RSA NetWitness
• Author of "Malware, Rootkits & Botnets: A Beginner's Guide" (bit.ly/mrbbook)
• Past Adventures
  – Damballa (2009-2012)
  – F-Secure (2006-2009)
  – Trend Micro (1998-2006)
• @Tophs

About Us: Advanced Threat Research & Intelligence
• Established in April 2012
• HQ Reston, Virginia, with a global scope and representation
• Heritage dating back to the late 1990s, featuring a 'who's who' of researchers
• Elite, highly skilled team focusing on the following areas:
  – Malicious code & content analysis
  – Threat research & ecosystem analysis
  – Automation expertise
• Focused on the threat ecosystem and profiling threat actors
• Mission:
  – To provide RSA NetWitness customers covert tactical and strategic threat intelligence on advanced threats & actors

Attribution: Who Was Behind VOHO
• Got this question a lot...
• Attribution is difficult:
  – Botnets
  – Registrar/registry non-cooperation (I'm looking at you, ICANN :))
  – Anonymization services: TOR, proxy, VPN
  – DHCP
  – Virtual machine images
• We have some very sound ideas...

VOHO Campaign
• VOHO: June/July 2012, RSA FirstWatch
• Initially confused with Elderwood (similar MO, 'water holing'; different infrastructure)
• iSight Partners referred to it as part of the 'Mourdour' Trojan campaign
  – Some shared infrastructure
• Multistage campaign
  – Redirection
    • Heavy dependency on JavaScript hosted on two specific domains for the majority of promulgation
• Leverages the "water hole" technique heavily
  – TOO → TOI → Compromise → Exploitation → Enumeration → Exfiltration → Promulgation

VOHO Campaign
• The VOHO campaign focused heavily on:
  – Geopolitical targets (especially useful in redirection/promulgation to exploit sites)
  – Defense Industrial Base (DIB)
  – High concentrations of activity noted from a geointelligence perspective in:
    • Boston, Massachusetts
    • Washington, D.C. and NOVA
    • Northeastern New Jersey and New York City

VOHO Campaign
[Figure: "Watering Hole" pivot sites. Political activism; Defense Industrial Base; Metro Boston (financial services); Metro Washington, DC (government, education).]

C2 & Covert Channel Communications Paths
• There were several IP addresses of note in this campaign
• We didn't publish them all in our public paper due to continued research on the campaign and associated campaigns
• Here is a list of C2, controller channels, and associates:
  – 58.64.155.59 (gh0st RAT C2)
  – 58.64.155.57 (gh0st RAT C2)
  – 58.64.143.245 (gh0st RAT C2)
  – 58.64.158.111 (gh0st RAT C2)
  – 64.26.174.74 (www.torontocurling.com)
  – 134.255.242.47 (VOHO gh0st controller)
  – 113.10.180.163 (www.goophone.hk)*
  – 113.10.103.170 ("starhub" South Korean broadband)
  – 113.10.113.39 ("starhub" South Korean broadband)

VOHO Campaign
Phase I
• iframe.js
  – iframe.js checks whether the visiting machine is running a Windows OS and Internet Explorer. It also sets a cookie value (presumably to track individual visits). If the visiting machine is running Windows and Internet Explorer, it forwards to module.php.
• module.php
  – module.php uses a simple redirection script to redirect the browser to engine.js.
• engine.js
  – engine.js checks for installed antivirus products from the following vendors by enumerating local files, using an older Internet Explorer vulnerability (CVE-2007-4848) that allows local file enumeration:
    • Trend Micro
    • McAfee
    • Symantec

VOHO Campaign
xKungFoo Script

VOHO Campaign
• if.htm
  – Checks whether the visiting host's user agent reflects one of the following:
    • Unknown
    • Windows XP
    • Windows 2003
    • Windows Vista
    • Windows 7
  – Checks whether the visiting host's language settings are one of:
    • English
    • Chinese
    • French
    • German
    • Japanese
    • Portuguese
    • Korean
    • Russian
• enblue.htm
  – enblue.htm uses the CVE-2012-1889 Microsoft XML Core Services (MSXML) vulnerability to compromise the visiting browser, which results in a pull and installation of the gh0st RAT malware.
  – This script also appears to be code reuse of a script seen on pastebin, as follows:
  – http://pastebin.com/VfmuhEiq
• book.cab
  – book.cab, the final payload, is an obfuscated executable which, when de-obfuscated using XOR 95, is the gh0st RAT sample named "vptray.exe" (e6b43c299a9a1f5abd9be2b729e54577)

VOHO Campaign
Phase II: Exploit Chain, Sun Java
• Phase II of this campaign was observed July 16-18th, 2012, using the same infrastructure, but with a different directory for the exploit chain files, as follows:
  – hxxp://xxxxxxxxxxxxxxcountymd.gov (or other water hole site) →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/iframe.js →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/module.php →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/engine.js →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/if.htm →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/applet.jar

VOHO Campaign
• if.htm
  – In this case, all of the scripts were identical up to "if.htm", which instead contained a Java call that loaded applet.jar, as well as a large blob of obfuscated code as a "param" element. This large blob of code is a binary obfuscated with XOR 77, which the Java applet de-obfuscates and runs as "svohost.exe" (2fe340fe2574ae540bd98bd9af8ec67d).

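The two stage-two payloads above (book.cab with "XOR 95", the applet "param" blob with "XOR 77") use the same single-byte XOR scheme, so one decoder serves both. The following is an added example, not code from the RSA presentation or the VOHO paper. The deck does not say whether 95 and 77 are decimal or hex, so rather than assume the key the code derives the only key that turns the first two bytes into "MZ" and then confirms the result with other PE markers; FAKE_PE and SAMPLE_PAYLOAD are constructed stand-ins, not the real samples.

```python
"""Single-byte XOR de-obfuscation of a dropped payload, with key recovery.

Added example; this is not code from the RSA presentation or the VOHO paper.
FAKE_PE is a constructed PE-shaped byte string (not an executable) and
SAMPLE_PAYLOAD is FAKE_PE XORed with 95, standing in for book.cab.
"""
import hashlib

# Byte strings a real Win32 PE almost always contains once decoded.
PE_MARKERS = (b"This program cannot be run in DOS mode", b"PE\x00\x00", b".text")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme the deck describes)."""
    return bytes(b ^ key for b in data)


def pe_score(data: bytes) -> int:
    """0..4: 'MZ' at offset 0 plus one point per marker found anywhere."""
    score = 1 if data[:2] == b"MZ" else 0
    return score + sum(1 for m in PE_MARKERS if m in data)


def recover_xor_key(blob: bytes):
    """Return (key, decoded) if a single-byte XOR yields a PE, else (None, None).

    XOR with one key preserves blob[0] ^ blob[1], so exactly one key can map
    the first two bytes to b"MZ"; the marker scan then confirms the hit is a
    real PE rather than a coincidental 'MZ'.
    """
    if len(blob) < 2:
        return None, None
    key = blob[0] ^ ord("M")            # the only key that maps byte 0 to 'M'
    if blob[1] ^ key != ord("Z"):       # it must also map byte 1 to 'Z'
        return None, None
    decoded = xor_bytes(blob, key)
    if pe_score(decoded) < 2:           # demand at least one marker beyond 'MZ'
        return None, None
    return key, decoded


def md5_hex(data: bytes) -> str:
    """MD5 to compare against the sample hashes listed in the deck."""
    return hashlib.md5(data).hexdigest()


# Constructed PE-shaped bytes: DOS header, stub string, PE signature, section
# name, filler. Not an executable and not the real vptray.exe.
FAKE_PE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16
    + b"PE\x00\x00\x4c\x01\x02\x00" + b".text\x00\x00\x00" + b"\xcc" * 64
)
SAMPLE_PAYLOAD = xor_bytes(FAKE_PE, 95)   # stand-in for book.cab


def analyse(blob: bytes) -> dict:
    """One-call triage: recovered key, PE score and MD5 of the decoded payload."""
    key, decoded = recover_xor_key(blob)
    if key is None:
        return {"key": None, "score": 0, "md5": None}
    return {"key": key, "score": pe_score(decoded), "md5": md5_hex(decoded)}


if __name__ == "__main__":
    print(analyse(SAMPLE_PAYLOAD))
```

On a real book.cab or a dumped applet "param" blob, the recovered key tells you which phase's obfuscation you are looking at, and the MD5 of the decoded bytes can be checked against the hashes the deck gives for vptray.exe and svohost.exe. The MZ-anchored derivation assumes the encrypted blob starts at the PE header; if a sample prepends a header or length field, slide the start offset before calling recover_xor_key.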
The VOHO Malware Families
• Fake Symantec Update
• Fake Microsoft Update

Fake Symantec Update
• VPTray.EXE
• UPX compressed binary
• Local Settings\Temp folder
• Autostart
  – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  – HKEY_USERS\<User's Security ID>\Software\Microsoft\Windows\CurrentVersion\Run (the same key; HKEY_CURRENT_USER is a link to HKEY_USERS\<SID>)
  – Value = Symantec Update
  – Data = 43:3a:5c:44:4f:43:55:4d:45:7e:31:5c:41:44:4d:49:4e:49:7e:31:5c:4c:4f:43:41:4c:53:7e:31:5c:54:65:6d:70:5c:56:50:54:72:61:79:2e:65:78:65:00
    • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VPTray.exe
• Protective Mechanisms
  – Registry Editor is disabled
  – Windows System Restore is disabled

Fake Microsoft Update
• SVOHOST.EXE
• UPX compressed binary
• Local Settings\Temp folder
• Autostart
  – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  – HKEY_USERS\<User's Security ID>\Software\Microsoft\Windows\CurrentVersion\Run (the same key; HKEY_CURRENT_USER is a link to HKEY_USERS\<SID>)
  – Value = Microsoft Update
  – Data = 43:3a:5c:44:4f:43:55:4d:45:7e:31:5c:41:44:4d:49:4e:49:7e:31:5c:4c:4f:43:41:4c:53:7e:31:5c:54:65:6d:70:5c:73:76:6f:68:6f:73:74:2e:65:78:65:00
    • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe
• Protective Mechanisms
  – Registry Editor is disabled
  – Windows System Restore is disabled

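The two Run-key entries above share a pattern worth turning into a host-triage check: a value name that reads like a vendor updater, with REG_SZ data pointing at a binary in the user's Temp directory. The following is an added example, not code from the RSA presentation. The two hex dumps are the ones shown on the slides; the triage rules (Temp path, vendor look-alike name) are this example's own heuristics; and the policy-value check assumes the "Registry Editor is disabled" / "System Restore is disabled" behaviour was achieved through the standard Windows policy values DisableRegistryTools and DisableSR, which the deck does not state. SAMPLE_ENTRIES, SAMPLE_POLICY and the benign ctfmon.exe entry are constructed.

```python
"""Decode and triage Run-key autostart entries like the ones in the deck.

Added example; not code from the RSA presentation. VPTRAY_HEX and SVOHOST_HEX
are the REG_SZ dumps from the slides (colon-separated bytes, NUL-terminated).
The heuristics and the policy-value mapping are assumptions of this example.
"""

VPTRAY_HEX = ("43:3a:5c:44:4f:43:55:4d:45:7e:31:5c:41:44:4d:49:4e:49:7e:31:5c:4c:4f:43:"
              "41:4c:53:7e:31:5c:54:65:6d:70:5c:56:50:54:72:61:79:2e:65:78:65:00")
SVOHOST_HEX = ("43:3a:5c:44:4f:43:55:4d:45:7e:31:5c:41:44:4d:49:4e:49:7e:31:5c:4c:4f:43:"
               "41:4c:53:7e:31:5c:54:65:6d:70:5c:73:76:6f:68:6f:73:74:2e:65:78:65:00")

TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\appdata\\local\\temp\\")
VENDOR_WORDS = ("symantec", "microsoft", "mcafee", "trend", "adobe", "java", "windows")


def decode_reg_sz_hex(dump: str) -> str:
    """'43:3a:5c:...:00' -> 'C:\\...'; drops the NUL terminator and a stray trailing dot."""
    raw = bytes.fromhex(dump.strip().rstrip(".").replace(":", ""))
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def encode_reg_sz_hex(s: str) -> str:
    """Inverse of decode_reg_sz_hex; used here only to build a benign sample entry."""
    return ":".join(f"{b:02x}" for b in (s + "\x00").encode("latin-1"))


def triage_run_value(value_name: str, data_hex: str) -> dict:
    """Decode one Run entry and report which heuristics fired.

    'temp_path' alone makes the entry suspicious (vendors do not autostart
    from Temp); 'vendor_lookalike' is recorded as an aggravating factor.
    """
    path = decode_reg_sz_hex(data_hex)
    low = path.lower()
    reasons = []
    if any(m in low for m in TEMP_MARKERS):
        reasons.append("temp_path")
    if any(w in value_name.lower() for w in VENDOR_WORDS):
        reasons.append("vendor_lookalike")
    return {"value": value_name, "path": path, "reasons": reasons,
            "suspicious": "temp_path" in reasons}


def triage_all(entries) -> list:
    """Return the triage records of every suspicious (value_name, hex_data) pair."""
    return [r for r in (triage_run_value(v, h) for v, h in entries) if r["suspicious"]]


# Assumed mechanism for the deck's "protective mechanisms": standard policy values.
POLICY_CHECKS = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools"): "Registry Editor disabled",
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore",
     "DisableSR"): "System Restore disabled",
}


def policy_findings(policy: dict) -> list:
    """Describe which of the assumed policy values are set to 1 in a (key, value) -> data map."""
    return [desc for kv, desc in POLICY_CHECKS.items() if policy.get(kv) == 1]


# Constructed inputs mirroring the slides, plus one benign XP-era Run entry.
SAMPLE_ENTRIES = [
    ("Symantec Update", VPTRAY_HEX),
    ("Microsoft Update", SVOHOST_HEX),
    ("ctfmon.exe", encode_reg_sz_hex(r"C:\WINDOWS\system32\ctfmon.exe")),
]
SAMPLE_POLICY = {kv: 1 for kv in POLICY_CHECKS}

if __name__ == "__main__":
    for rec in triage_all(SAMPLE_ENTRIES):
        print(rec["value"], "->", rec["path"], rec["reasons"])
    print(policy_findings(SAMPLE_POLICY))
```

The input shape (value name plus the colon-separated hex the slides show) is what you get from a raw hive dump or from `reg query` output with the bytes re-joined, so the decoder can be pointed at exported Run keys from many hosts and the output compared against the two paths in the deck.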
Victim Notification
• Endeavored to notify victims: ~1000
• Response
  – None
  – Anger / fear / panic / frustration
  – Curiosity
  – Sense of urgency
• LE response
  – Wished we'd notified them first, as they felt our research caused some parties to 'panic'
• Altruistic intent; no sales pitch

VOHO Campaign: The Trooper
[Bar chart: Total Exposure by Redirect vs. Total Compromises; y-axis 0 to 35,000]
Total Exposure and Compromise
• Total of 32,160 unique hosts
• Representing 731 unique global organizations
• Redirected to the exploit server from compromised web servers injected with the redirect iframe
• Of these redirects, 3,934 hosts or 12% were seen to download the exploit CAB and JAR files (indicating a successful exploit/compromise of the visiting host)
• Based on our previous understanding of exploit campaigns, this indicates a very successful campaign.

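The exposure and compromise counts above come from reconstructing the redirect chain (iframe.js → module.php → engine.js → if.htm → enblue.htm/applet.jar → book.cab, as laid out in the Phase I and Phase II slides) per visiting host. The following is an added example, not code from the RSA presentation or paper, showing how a defender can run the same measurement over web-proxy logs: a host is "exposed" once it fetches iframe.js from the exploit server and "compromised" once it fetches a stage-two container (book.cab or applet.jar). The profiling gate models the deck's description of iframe.js/if.htm (Windows plus Internet Explorer, one of the eight listed languages), using the Accept-Language header as a stand-in for the browser's language setting. The log format, client addresses, organisation names and user agents in SAMPLE_LOG are constructed; the exploit-server path is the masked one from the deck.

```python
"""Reconstruct the VOHO redirect/exploit chain from web-proxy logs.

Added example; not code from the RSA presentation or paper. SAMPLE_LOG is a
constructed tab-separated log (time, client IP, organisation, URL, User-Agent,
Accept-Language); the exploit directory is the masked path from the deck.
"""
from collections import defaultdict

EXPLOIT_DIR = "http://www.xxxxxxxcurling.com/Docs/BW06/"   # masked as in the deck
STAGES = ["iframe.js", "module.php", "engine.js", "if.htm",
          "enblue.htm", "applet.jar", "book.cab"]           # chain order
PAYLOAD_STAGES = {"applet.jar", "book.cab"}                 # reaching these = exploit fired
TARGET_LANGS = {"en", "zh", "fr", "de", "ja", "pt", "ko", "ru"}


def passes_profiling(user_agent: str, accept_language: str) -> bool:
    """Would iframe.js / if.htm have forwarded this visitor to the exploit page?

    Deck: iframe.js requires Windows + Internet Explorer; if.htm accepts
    XP/2003/Vista/7 or "Unknown", so any Windows version passes, and the
    language must be one of eight. Using Accept-Language for the language
    setting is an assumption of this example.
    """
    if "MSIE" not in user_agent or "Windows" not in user_agent:
        return False
    primary = accept_language.split(",")[0].strip().split("-")[0].lower()
    return primary in TARGET_LANGS


def parse_log(text: str):
    """Yield (ip, org, stage, ua, lang) for requests into the exploit directory."""
    for line in text.strip().splitlines():
        _ts, ip, org, url, ua, lang = line.split("\t")
        if url.startswith(EXPLOIT_DIR):
            stage = url[len(EXPLOIT_DIR):].lower()
            if stage in STAGES:
                yield ip, org, stage, ua, lang


def reconstruct(text: str) -> dict:
    """Per-host record: org, deepest stage reached, payload fetched, profiling result."""
    hosts = {}
    for ip, org, stage, ua, lang in parse_log(text):
        rec = hosts.setdefault(ip, {"org": org, "depth": -1, "payload": False,
                                    "profiled": passes_profiling(ua, lang)})
        rec["depth"] = max(rec["depth"], STAGES.index(stage))
        rec["payload"] = rec["payload"] or stage in PAYLOAD_STAGES
    return hosts


def summarize(hosts: dict) -> dict:
    """The deck's headline numbers: exposed hosts, compromised hosts, rate, organisations."""
    by_org = defaultdict(lambda: [0, 0])            # org -> [exposed, compromised]
    for h in hosts.values():
        by_org[h["org"]][0] += 1
        by_org[h["org"]][1] += int(h["payload"])
    exposed = len(hosts)
    compromised = sum(1 for h in hosts.values() if h["payload"])
    return {"exposed": exposed, "compromised": compromised,
            "rate_pct": round(100.0 * compromised / exposed, 1) if exposed else 0.0,
            "filtered": sum(1 for h in hosts.values() if not h["profiled"]),
            "orgs": len(by_org), "by_org": dict(by_org)}


# --- constructed sample log ---------------------------------------------------
IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0"


def _visits(ip, org, ua, lang, *stages):
    """Build one log line per stage a host fetched (constructed data)."""
    return ["\t".join(("2012-07-17T13:00:00Z", ip, org, EXPLOIT_DIR + s, ua, lang))
            for s in stages]


SAMPLE_LOG = "\n".join(
    _visits("10.1.1.10", "countyoffice.example", IE8, "en-US", *STAGES[:5], "book.cab")
    + _visits("10.1.1.11", "countyoffice.example", FIREFOX, "en-US", "iframe.js")
    + _visits("10.2.0.5", "dib-contractor.example", IE7, "en-US", *STAGES[:4], "applet.jar")
    + _visits("10.2.0.6", "dib-contractor.example", IE8, "en-US", *STAGES[:2])
    + _visits("10.3.7.7", "university.example", IE8, "ja-JP", *STAGES[:4])
)

if __name__ == "__main__":
    print(summarize(reconstruct(SAMPLE_LOG)))
```

The "filtered" count separates visitors the attacker's own profiling would have dropped (non-Windows or non-IE, unsupported language) from hosts that were eligible but stopped short of the payload, which is the population to check for exploit failures or blocked downloads. Counting a host as compromised on the stage-two fetch mirrors the deck's 12% figure; it is an upper bound, since a download does not prove the dropped binary executed.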
VOHO Campaign: The Trooper
[Bar chart: Compromises by Industry; x-axis 0 to 2,500. Categories: Corporate, DIB, EDU, Fed Govt, Financial, Healthcare, ISP, Local Govt, Other Govt, Utilities/SCADA]
[Bar chart: Compromises by Industry (without ISP); x-axis 0 to 700. Categories: Corporate, DIB, EDU, Fed Govt, Financial, Healthcare, Local Govt, Other Govt, Utilities/SCADA]

The VOHO Campaign Paper
Authors:
Will Gragido, Sr. Manager, RSA FirstWatch
Chris 'Tophs' Elisan, Principal Malware Scientist, RSA FirstWatch
Jon McNeil, Principal Threat Researcher, RSA FirstWatch
Alex Cox, Principal Threat Researcher, RSA FirstWatch
Chris Harrington, Threat Researcher, EMC CIRC

Thank You