www.Garage4Hackers.com: Lessons learned tracking an APT team. Advance Persistent Threats [APT] Tracking for Dummies. http://www.Garage4Hackers.com

Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???


DESCRIPTION

In 2014 the actors behind the global cyber espionage campaign “Operation NetTraveler” celebrate ten years of activity. NetTraveler has targeted more than 350 high-profile victims in 40 countries, so it is high time we make our research public. We were able to attribute NetTraveler to a PLA [People's Liberation Army] military camp in Lanzhou. We provide our analysis in the form of a PPT slide deck.


Page 1: Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???

Garage4Hackers

www.Garage4Hackers.com

Lessons learned tracking an APT team

Advance Persistent Threats [APT] Tracking for Dummies

http://www.Garage4Hackers.com

Page 2

About Me

[Garage4Hackers]

A community of like-minded security folks.

Forum-based community: www.Garage4Hackers.com.

Ranchoddas Series webcast every month [promoting free infosec education]. THN is one of our biggest supporters.

www.garage4hackers.com/ranchoddas-webcast

https://twitter.com/Garage4Hackers

Our views and opinions do not represent those of our employers.

Page 4

Tracking an APT Team

Agenda:

Exploit/Malware analysis.

Information gathering.

Finding security bugs in attacker infrastructure.

Taking over attacker Command and Control servers.

Identifying victims.

Countering attacks.

Whatever is mentioned in the talk today is based on data collected over a year. This research was done with active participation from g4h members 41.Wariro, rbat, reverser90 and fb1.

Page 5

The Attack

Spear-phishing: the email comes from a spoofed email address.

Watering hole technique (browser exploits, drive-by downloads) to infect victims surfing the web.

Page 6

Step 1: Email header analysis.

Evidence to collect.

http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx

1) Collect sender time, return path, SMTP address, etc.
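An added example of the step 1 collection, not part of the deck: it parses a constructed header block (the names, addresses and IPs are made up) and pulls out the Return-Path, the From/Return-Path domain mismatch that marks a spoofed sender, the delivering SMTP server IP, the origin hop and the sender's clock offset.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers (not a real NetTraveler message); the From domain
# does not match the Return-Path domain, the usual sign of a spoofed sender.
RAW_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.45])
\tby mx.victim.example (Postfix) with ESMTP id 4F2A1
\tfor <analyst@victim.example>; Tue, 15 Apr 2014 03:12:07 +0800
Received: from [10.0.0.7] (unknown [10.0.0.7])
\tby mailer.example.net with SMTP; Tue, 15 Apr 2014 03:11:58 +0800
From: "Press Office" <press@ministry.example.org>
To: analyst@victim.example
Date: Tue, 15 Apr 2014 03:11:50 +0800
Subject: Jallianwala Bagh massacre a deeply shameful act

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyze_headers(raw):
    """Pull the evidence the slide lists out of a raw header block."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    # Each relay prepends its own Received header, so index 0 is the hop that
    # delivered to us (the SMTP server to fingerprint) and the last one is the
    # hop closest to the real origin. Hops before the first trusted relay
    # may be forged by the sender, so treat them as claims, not facts.
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        hops.append(m.group(1) if m else None)
    sent = parsedate_to_datetime(msg.get("Date"))
    return {
        "from": from_addr,
        "return_path": return_path,
        "domain_mismatch": from_addr.rsplit("@", 1)[-1] != return_path.rsplit("@", 1)[-1],
        "smtp_server_ip": hops[0] if hops else None,
        "origin_ip": hops[-1] if hops else None,
        "hops": hops,
        # Sender clock offset in hours; compare with the working-hour pattern.
        "sent_utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
    }
```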

Page 7

Step 2: Exploit Analysis

The objective is to identify/extract the malware dropped using the exploit.

Collect metadata embedded in the exploit.

Find any piece of information that would help in attribution.

Identify the CVE using virustotal.com; this helps when the exploit is not a 0-day.

Page 8

Automated: MS-office exploit analysis.

These sites should help.

www.document-analyzer.net/

www.joesecurity.org

http://scan.xecure-lab.com/

Page 9

Extracting Malware out of Exploits.

Manual: MS Office exploit analysis.

Run the document file in a virtual machine and use Process Monitor to watch system-level changes [it drops files in the temp folder].

Use Sandboxie to execute the document file and extract the binary.

Load Office in a debugger and put breakpoints on the file write APIs.

Page 10

Evidence collected from steps 1 and 2.

Sent from a spoofed email address.

The email contained a malicious attachment, which exploited the CVE-2010-333 RTF vulnerability.

Based on initial analysis, the same malware samples were used to attack Korea and Russia.

The campaign has been active since 2009.

Opening the exploit drops a legitimate file with

md5: e617348b8947f28e2a280dd93c75a6ad

File Name: Jallianwala Bagh massacre a deeply shameful act.doc

It drops the following binaries:

c0c093987a55fe9ac61e6e2b5a362d51 netmgr.dll

8dc61b737990385473dca9bfc826727b winlogin.exe

Page 11

Step 3: Malware Analysis

Evidence to collect.

Command and Control domain names / IP addresses.

WHOIS information about the IP address.

Registrant email address.

Malware activities.

Interesting strings in the malware.

Page 13

Manual: Malware Analysis.

Reversing Malware:

• Normally the controller information would be encrypted or encoded inside the malware.

• Just run the malware in a debugger and then analyze the heap for IP address / domain patterns.

• Alternately, put breakpoints on the Winsock functions and analyze the stack. http://msdn.microsoft.com/en-us/library/windows/desktop/ms741394(v=vs.85).aspx

Page 14

Manual: Malware Analysis.

• You can figure out the encryption/encoding algorithms.

• The current malware compresses data and then base64-encodes it before sending it to attacker-controlled servers.

• Registry / file system values the malware writes for persistence.

Page 15

Evidence collected from step 3.

Controller information: http://www.faceboak.net/2012nt/nettraveler.asp

IP: 110.34.193.13

Request: compressed + base64-encoded GET request
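An added decoder for the "compress, then base64" GET request described on pages 14 and 15 (example code, not the group's tooling). The deck does not name the compression algorithm; this example assumes a deflate/zlib stream and tries the zlib, raw-deflate and gzip framings, so a query value that is not encoded that way is simply skipped. The beacon content in SAMPLE_URL is constructed.

```python
import base64
import binascii
import zlib
from urllib.parse import parse_qs, urlsplit


def _b64decode_lenient(value):
    """Decode standard or URL-safe base64; tolerate stripped padding and the
    '+' that parse_qs has already turned into a space."""
    s = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def _inflate(data):
    """Try zlib-wrapped, raw deflate and gzip; None if it is none of them."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS, zlib.MAX_WBITS | 16):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def decode_beacon_params(url):
    """Return {param: plaintext} for each query value that base64-decodes to a
    deflate stream; plain values such as a version number are left out."""
    decoded = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        for v in values:
            raw = _b64decode_lenient(v)
            plain = _inflate(raw) if raw is not None else None
            if plain is not None:
                decoded[key] = plain.decode("utf-8", errors="replace")
    return decoded


# Constructed sample: a fake host report wrapped the way the slide describes
# (compress, then base64) and sent as a GET parameter to the observed path.
SAMPLE_REPORT = "host=WS01;user=jdoe;os=WinXP;ver=2012nt"
SAMPLE_URL = (
    "http://www.faceboak.net/2012nt/nettraveler.asp?data="
    + base64.urlsafe_b64encode(zlib.compress(SAMPLE_REPORT.encode())).decode().rstrip("=")
    + "&ver=1"
)
```

Run the same function over proxy or IDS logs of requests to the controller path to recover what each infected host reported.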

Page 16

Domain Information

IP address 110.34.193.13 hosted many domains.

Also, each of the domains we identified was behind fast flux.

The registrant email ID was found using WHOIS and was used to reverse-query other domains.

Source: http://blogs.mcafee.com/mcafee-labs/travnet-trojan-could-be-part-of-apt-campaign

Page 17

We wrote a Fast Flux Monitor

• Collected all IP addresses associated with the group.

• Created another program to get the WHOIS registration information for all these IP addresses.
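An added sketch of what such a monitor does, written for this page and not the group's own program: it stores repeated A-record lookups per domain, flags a domain as fast flux when TTLs are short, many distinct IPs appear and the IP set keeps changing, and yields the union of all IPs seen, which is the list the second program would run WHOIS over. The thresholds and the lookups in build_sample_monitor() are constructed; a real deployment would feed record() from a resolver that exposes TTLs.

```python
from collections import defaultdict


class FastFluxMonitor:
    """Keep A-record snapshots per domain and flag fast-flux behaviour:
    short TTLs, many distinct IPs and an IP set that changes between lookups."""

    def __init__(self, max_ttl=300, min_ips=5, min_churn=0.5):
        self.max_ttl, self.min_ips, self.min_churn = max_ttl, min_ips, min_churn
        self.history = defaultdict(list)  # domain -> [(ts, ttl, frozenset(ips))]

    def record(self, domain, ts, ttl, ips):
        """Store one lookup result (feed this from whatever resolver exposes TTLs)."""
        self.history[domain].append((ts, ttl, frozenset(ips)))

    def stats(self, domain):
        snaps = sorted(self.history[domain])
        ips = set().union(*(s[2] for s in snaps)) if snaps else set()
        changes = sum(1 for a, b in zip(snaps, snaps[1:]) if a[2] != b[2])
        churn = changes / (len(snaps) - 1) if len(snaps) > 1 else 0.0
        return {"distinct_ips": len(ips), "churn": churn,
                "min_ttl": min((s[1] for s in snaps), default=None), "ips": ips}

    def is_fast_flux(self, domain):
        s = self.stats(domain)
        return (s["min_ttl"] is not None and s["min_ttl"] <= self.max_ttl
                and s["distinct_ips"] >= self.min_ips and s["churn"] >= self.min_churn)

    def all_ips(self):
        """Every IP seen behind any monitored domain: the list to run WHOIS over."""
        return set().union(*(self.stats(d)["ips"] for d in self.history)) if self.history else set()


def build_sample_monitor():
    """Constructed lookups: one fluxing domain, one static domain (not real data)."""
    m = FastFluxMonitor()
    flux = [["198.51.100.10", "198.51.100.11", "198.51.100.12"],
            ["198.51.100.12", "198.51.100.20", "203.0.113.5"],
            ["203.0.113.5", "203.0.113.6", "198.51.100.30"],
            ["198.51.100.10", "203.0.113.7", "203.0.113.8"]]
    for i, ips in enumerate(flux):
        m.record("flux.example.net", ts=i * 60, ttl=60, ips=ips)
    for i in range(4):
        m.record("static.example.org", ts=i * 60, ttl=86400, ips=["192.0.2.1"])
    return m
```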

Page 18

Step 4: Offensive Attacks on C&C

Collect information about victims.

Find information about attackers.

Identify stolen information.

Collect tools used by attackers.

Learn about attacker tools and tactics.

Sometimes you find 0-days on these servers; this would give better protection.

“The only real defense is offensive defense” (Mao Zedong)

Page 19

Find Vulnerabilities

On the C&C application.

On the hosted server.

Or whatever evil ways you could think of.

We found a lame bug in the controller application and we had our first non-interactive shell on the controller.

Page 20

Attack the Attackers

Page 21

Result

A huge number of C&C servers were under control.

Lots of evidence to collect.

Page 22

They looked for:

- .ppt(x), .xls(x), .doc(x), .pdf

Encrypted??:

• The contents were compressed and unusable.

• Decompression was needed to convert it back to a usable format.

Page 23

Lots of Data and Lots of Victims


Source: http://www.kaspersky.com/about/news/virus/2014/NetTraveler-Gets-Makeover-for-Tenth-Anniversary

Page 24

Evidence Collected

Webserver logs, system logs.

Activity and admin login logs.

Victim information.

IP address and MAC address.

Highlights:

1. Attackers were behind a proxy.

2. Military-like working pattern identified, 24/7.

3. The controller admins showed a lack of technical skills. (So the developers of NetTraveler are not the maintainers of the controllers.)

[Activity chart: rows labelled 00 to 12 (hours) against columns M T W T F S SU (days of the week); each ** marks recorded activity in that hour/day cell.]

Page 25

Retaliation by Attackers

While analyzing the data on the controllers, we were attacked by the attackers. The attacker attacked from the IP 61.178.77.18 and tried to send an MS08-067 exploit.

61.178.77.* is a notorious IP range and is attributed to many attacks against governments around the world.

After some advanced Googling, we stumbled upon an interesting discovery: soldiers from the PLA Lanzhou camp talking about their experiences, and the above IP was there.

http://tieba.baidu.com/f?ct=335544320&lm=0&rn=30&tn=postBrowserN&sc=0&z=65932096&pn=0&word=%C1%D9%D4%F3

The Lanzhou Military Region is one of seven military regions in the People's Republic of China.

Page 26

NetTraveler Attribution

A huge amount was spent on the malware infrastructure [military funds].

24/7 working hours [military working hours].

Low technical skills; the developers of NetTraveler were different from the maintainers [trained users, not core hackers].

IP address attribution to a PLA [People's Liberation Army] military camp.

All evidence was leading to the PLA IT department, Lanzhou.

Page 27

The End

Not really :D

Page 28

Tracking the SMTP server.

Fingerprint the IP address of the SMTP server from email header analysis. Identified an exploit/phishing mailer kit named Chilly Fisher.

Go to step 4: identify vulnerabilities in the server hosting the exploit kit.

Page 29

Chilly Fisher Exploit Kit

The kit had frontend and backend code.

The function of the frontend code was to send mass phishing/exploit emails to targets.

The frontend code allowed attackers to mass-include target emails, subject and email content.

The phishing email sent has a hyperlink with a unique callback to the backend code.

The kit contained a phishing and a browser exploit module.

Page 30

Victim Database

Page 31

Chillyfisher Database

The backend database used is MS Access. All collected information is stored in this database.

The Chillyfisher instance had a "Loginlog" table holding information about ChillyFisher admins who logged into the control panel.

Page 32

IP attribution

All the logged-in admins were from China.

Around 10,000 unique IP addresses were found in the target DB.

Page 33

Chillyfisher Targets.

Page 34

Questions

Garage4Hackers


www.Garage4Hackers.com