DYRE STRAITS
PONDURANCE
AGENDA
• Incident Notification
• Threat Research
• Incident Scoping – Option A
• Incident Scoping – Option B
• Incident Scoping – Option C
• Exploring the Kill Chain
• Dyre Evolution
NOTIFICATION OF THE INCIDENT
[Screenshot of the incident notification, annotated "<- Public IP"]
HOW IT WORKS
• The Dyre trojan will initially attempt to contact its C2 servers using an encrypted SSL connection. If this connection fails, it will attempt to establish a connection using addresses generated by a domain generation algorithm (DGA) or hardcoded Invisible Internet Project (I2P) addresses.
• When a user enters his bank’s URL in the browser’s address bar, the Trojan is triggered and forwards the URL to the corresponding proxy server as stated in its configuration file.
• The MITM proxy server forwards requests to the bank and disguises itself as the real user.
• The returning response from the bank is intercepted by the proxy server.
• Instead of the real response, the user receives a fake login page which is stored on the proxy server and contains scripts and resources from the real bank’s page. The scripts and resources are stored in folders named after the unique port configured for each bank.
• The information entered by the user is sent to the proxy server and then forwarded to the real bank server, allowing the attacker to log in instead of the user and perform operations on his behalf.
• After all the information has been acquired by the attacker, he can remotely access the victim’s computer using a built-in VNC (Virtual Network Computing) module and perform transactions, data exfiltration, and more.
SAMPLES FROM THE WILD
Below is a list of subject lines observed in 2015 Dyre phishing campaigns:
• “Wire transfer receive”
• “Medicines here”
• “Complaint against your company”
• “Payment Advice - advice Ref:[xxxxxx]/CHAPS credits”
• “Company repor” - (note the missing t in “report”)
• “Wire transfer complete”
• “Important – New Outlook Settings”
• “Your Documen” - (note the missing t in “Document”)
• “Voice Message”
• “Employee Documents – Internal Use”
• “Fwd Wire Payment”
*Personally witnessed those in bold
SAMPLES FROM THE WILD (CONT.)
Payload downloads:
• hxxp://aaepablog\.com/aaepa/inst_s12.pdf (IP: 50.87.144\.171)
• hxxp://acmeeconnect\.com/dropbox/ml1from2.tar (IP: 107.190.133\.12)
• hxxp://aixact\.com/Docs/ml1from2.tar (IP: 213.186.33\.19)
• hxxp://allcommerc\.com/wp-includes/pomo/eulaa.pdf (IP: 62.149.144\.49)
• hxxp://www.onoranzefunebricarrara.it/public/eulaa.pdf (IP: 62.149\.128\.151, 62.149.131\.204)
• hxxp://angkosoteknologi\.co.id/fonts/manualac.pdf (IP: 23.92.215\.218)
• hxxp://cgksolutions\.com/files/manualac.pdf (IP: 62.149.128\.166, 62.149.140\.202)
• hxxp://creazionidarte\.it/mandoc/seo21.pdf (IP: 62.149.128\.74, 62.149.131\.67)
• hxxp://cwvancouver\.com/cp/images/digits/arrowu.jpg (IP: 71.18.62\.202)
• hxxp://dipford\.com/mandoc/info22.pdf (IP: 209.235.144\.9)
• hxxp://dms-online-files\.com/pdfs/prewa.pdf (IP: 206.188.192\.13)
• hxxp://ettfire\.com/js/ml2from2.tar (IP: 66.175.58\.9)
• hxxp://gumtek\.com/wp-includes/pomo/sw_docb.pdf (IP: 50.87.148\.213)
• hxxp://harveyouellet\.com/TOXICOUSTIQUE/arrowu.jpg (IP: 192.185.35\.92)
• hxxp://houndsofcullen\.com/mandoc/eula022.pdf (IP: 198.136.54\.104)
• hxxp://manualtatex\.com/mandoc/eula022.pdf (IP: 69.49.115\.33)
• hxxp://marodz.republika\.pl/1/manualec.pdf (IP: 213.180.150\.17)
• hxxp://metflex.uk\.com/images/t_image.jpg (IP: 91.103.217\.10)
• hxxp://tickto\.com/apk/ml1from2.tar (IP: 50.23.103\.91)
• hxxp://posharpstore\.com/Google/ml1from2.tar (IP: 162.254.162\.184)
• hxxp://utokatalin\.ro/administrator/ml2from2.tar (IP: 86.106.30\.102)
• hxxp://vimax-marireapenisului\.ro/docuv.pdf (IP: 195.78.124\.14)
• hxxp://rx-liquid\.ro/docuv.pdf (IP: 195.78.124\.14)
• hxxp://washcount\.org/Documentation/file_u21.pdf (IP: 216.224.135\.21)
• hxxp://www.geothermole\.com/mandoc/gb_eule.pdf (IP: 81.21.76\.62)
• hxxp://www.wholesalesyntheticmotoroil\.com/mandoc/story_su21.pdf (IP: 192.163.217\.66)
• hxxp://zac-buero\.de/mandoc/ml1from1.tar (IP: 78.143.39\.41)
• hxxp://best-synthetic-motor-oil\.com/file_k12.pdf (IP: 192.163.217\.66)
SAMPLES FROM THE WILD (CONT.)
Command and control resiliency
• Since Dyre’s inception, it has relied upon a set of hard-coded proxy servers to communicate with its backend infrastructure. The threat actors have implemented two mechanisms to maintain control of the botnet if the proxies are unreachable: a domain generation algorithm and a plugin that integrates with an anonymization network called I2P.
Domain generation algorithm
• Similar to other malware families, Dyre uses a domain generation algorithm (DGA) that is seeded by the current date. It generates 1,000 34-character domains per day, which are appended to one of eight country code top-level domains (ccTLDs) in Asia and the Pacific Islands: .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. The following domains were generated on December 8, 2014:
y3aaa48a7056d7075c3760cdbd90a75b8f.cc
z376dfe4955a257a78944864dd0158d172.ws
a8377c5a7c390331b15c1df94fa745e38a.to
ba3be71036fc2c06d603a2b17d41ffe71a.in
c9cca04cec2588918820cf33ba4337cca8.hk
dec4f75e53d7202136164e2b26456dabdf.cn
e3d68349d47efa0d5a9a92b1239bc4d48c.tk
f85db5ce8675f53b61f00ca0e822a33312.so
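The deck gives the shape of the DGA output (34-character labels under eight ccTLDs) but not the generator itself, so the useful defensive move is to hunt DNS logs for lookups of that shape. The script below is an added example, not code from the deck or from any of its sources: it does not reproduce Dyre's DGA, it applies a shape heuristic derived from the eight sample domains above (single label, 34 characters, first character a letter, almost all remaining characters hex) to constructed BIND-style query-log lines. The hex-count threshold and the log format are assumptions.

```python
"""Triage DNS query logs for lookups shaped like Dyre's DGA domains.

Added example, not code from the deck. The deck says the DGA emits 1,000
34-character domains per day under eight ccTLDs but does not give the
generator, so this does not reproduce the DGA; it flags queries whose
shape matches the sample domains printed on the slide. The log lines are
constructed sample data in BIND query-log style.
"""
import re
from collections import defaultdict

DYRE_DGA_TLDS = {"cc", "ws", "to", "in", "hk", "cn", "tk", "so"}
LABEL_LEN = 34
HEX_CHARS = set("0123456789abcdef")

# The eight domains the deck lists as generated on December 8, 2014.
SAMPLE_DGA_DOMAINS = [
    "y3aaa48a7056d7075c3760cdbd90a75b8f.cc",
    "z376dfe4955a257a78944864dd0158d172.ws",
    "a8377c5a7c390331b15c1df94fa745e38a.to",
    "ba3be71036fc2c06d603a2b17d41ffe71a.in",
    "c9cca04cec2588918820cf33ba4337cca8.hk",
    "dec4f75e53d7202136164e2b26456dabdf.cn",
    "e3d68349d47efa0d5a9a92b1239bc4d48c.tk",
    "f85db5ce8675f53b61f00ca0e822a33312.so",
]


def looks_like_dyre_dga(domain: str) -> bool:
    """Shape heuristic derived from the sample domains (an assumption, not
    the real generator): exactly one label, 34 characters, starting with a
    letter, with at least 30 of the remaining 33 characters being hex."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    if tld not in DYRE_DGA_TLDS or len(label) != LABEL_LEN:
        return False
    hex_count = sum(1 for c in label[1:] if c in HEX_CHARS)
    return label[0].isalpha() and hex_count >= 30


# Constructed BIND-style query log excerpt (not from the deck).
SAMPLE_DNS_LOG = """\
08-Dec-2014 09:14:02.113 client 10.1.4.27#51234: query: www.example.com IN A +
08-Dec-2014 09:14:05.771 client 10.1.4.27#51240: query: y3aaa48a7056d7075c3760cdbd90a75b8f.cc IN A +
08-Dec-2014 09:14:05.902 client 10.1.4.27#51241: query: z376dfe4955a257a78944864dd0158d172.ws IN A +
08-Dec-2014 09:15:10.004 client 10.1.7.9#40021: query: mail.example.org IN MX +
08-Dec-2014 09:16:44.320 client 10.1.4.27#51250: query: f85db5ce8675f53b61f00ca0e822a33312.so IN A +
08-Dec-2014 09:17:01.001 client 10.1.7.9#40030: query: cdn.static0123456789abcdef0123456789abcdef.cn IN A +
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def triage_dns_log(log_text: str) -> dict:
    """Map each client IP to the DGA-shaped names it queried. A client with
    several such lookups in a short window is the strongest signal, since
    a DGA fallback burns through many candidate names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and looks_like_dyre_dga(m.group("qname")):
            hits[m.group("ip")].append(m.group("qname"))
    return dict(hits)


if __name__ == "__main__":
    for client, names in triage_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-shaped lookups -> {names}")
```

Because the check is a shape heuristic rather than the real generator, treat a single hit as a lead and a burst of hits from one client as the actionable signal; the multi-label `.cn` line in the sample shows why the single-label test matters for keeping CDN hostnames out of the results.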
SAMPLES FROM THE WILD (CONT.)
System Level Indicators (if exploitation is successful):
• Copies itself to C:\Windows\[RandomName].exe
• Creates a service named "Google Update Service" by setting the following registry keys:
  • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"
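A quick way to sweep hosts for the persistence indicator above is to export the Services hive and look for the same combination: a service key named googleupdate presenting as "Google Update Service", and an ImagePath pointing at a randomly named executable sitting directly under C:\Windows. The script below is an added example, not code from the deck: it parses a constructed `reg export` excerpt in which only the googleupdate entry mirrors the slide, and the "random-looking filename" rule (10 to 20 letters, as in pfdOSwYjERDHrdV) is a heuristic assumption that can false-positive on unusual but legitimate binaries.

```python
"""Check a services registry export for the persistence indicator the deck
describes: a service presenting as "Google Update Service" whose ImagePath
is a random-named executable placed directly under C:\\Windows.

Added example, not code from the deck. The export text is a constructed
excerpt in `reg export` format; the gupdate and Spooler entries are benign
controls written for this example, and the random-name rule is a heuristic
assumption drawn from the sample filename on the slide.
"""
import re

# Constructed excerpt; only the googleupdate key mirrors the slide's indicator.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate]
"DisplayName"="Google Update Service (gupdate)"
"ImagePath"="\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate]
"DisplayName"="Google Update Service"
"ImagePath"="C:\\WINDOWS\\pfdOSwYjERDHrdV.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="C:\\WINDOWS\\System32\\spoolsv.exe"
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{10,20}$")  # e.g. pfdOSwYjERDHrdV (heuristic)


def _unescape(value: str) -> str:
    """reg export escapes backslashes and quotes inside string values."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_services(reg_text: str) -> dict:
    """Return {service_key_name: {value_name: value}} for Services keys."""
    services, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            services[current][val.group("name")] = _unescape(val.group("value"))
    return services


def image_exe(image_path: str) -> str:
    """Strip quoting and arguments from an ImagePath, leaving the executable."""
    path = image_path.strip()
    if path.startswith('"') and path.count('"') >= 2:
        return path[1:path.index('"', 1)]
    return path.split(" ")[0]


def flag_dyre_service(key_name: str, values: dict) -> list:
    """Reasons this service matches the slide's indicator (empty if none)."""
    reasons = []
    display = values.get("DisplayName", "")
    exe = image_exe(values.get("ImagePath", ""))
    parts = [p for p in exe.replace("/", "\\").split("\\") if p]
    if key_name.lower() == "googleupdate" and display.lower() == "google update service":
        reasons.append("service key 'googleupdate' with DisplayName 'Google Update Service'")
    # Drive, Windows directory, filename: nothing deeper, so a binary dropped
    # straight into C:\Windows with a random-looking name is what we want.
    if (len(parts) == 3 and parts[0].upper() == "C:" and parts[1].upper() == "WINDOWS"
            and parts[2].lower().endswith(".exe") and RANDOM_STEM_RE.match(parts[2][:-4])):
        reasons.append("ImagePath is a random-looking executable directly under C:\\Windows: " + exe)
    return reasons


def scan_reg_export(reg_text: str) -> dict:
    """Return {service: [reasons]} for every flagged service in the export."""
    flagged = {}
    for name, values in parse_services(reg_text).items():
        reasons = flag_dyre_service(name, values)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_reg_export(SAMPLE_REG_EXPORT).items():
        print(name, "->", "; ".join(reasons))
```

The two rules are kept separate on purpose: the display-name rule catches this specific Dyre build, while the path rule survives a rename of the service and is the one worth keeping in a baseline check after the incident closes.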
WHILE WE WERE INVESTIGATING THE PHISHING INCIDENT…
• Same company requested a separate incident response engagement related to an internal threat
• Claimed a user had stolen hundreds of thousands of dollars from a corporate bank account
• Claimed the user colluded with a coworker to gain privileged rights to their banking portal to initiate a wire transfer
• Right away it was blatantly obvious Dyre had done its job, but I suppose it wasn’t so obvious to the customer
• We were able to clear the user of any wrongdoing after confirming presence of the malware on the user systems
• Proved to their insurance provider they met their “due diligence” requirements and were reimbursed for the loss
• Placed even more pressure on our team to fix this issue QUICKLY
SCOPING THE INCIDENT – OPTION A: REACTIVE
1. Locate hosts associated with users that Salesforce identified as compromised in initial alert
2. Acquire memory
3. Pull from network
4. Perform filesystem forensics to determine timestamp of compromise and recover malware (Dyre and Cutwail)
5. Perform email forensics to recover phishing email
6. Perform forensics on browsing history to determine if any online web portals were accessed since that time
7. Change credentials to those web portals that were accessed, all credentials resident on the system, and to the user’s email
8. Reimage affected system to eliminate all threats
SCOPING THE INCIDENT – OPTION A: REACTIVE (CONT.)
We’re not done yet…using threat intel from initial findings:
8. Search email logs to find phishing emails sent to other users
9. Search DNS logs to find systems requesting the known malicious domains
10. Search firewall logs for known malicious IPs
11. Submit malware samples (don’t forget Cutwail) to AV vendor for signature creation
12. If another affected system is found, repeat steps 2-8 from last slide
13. Repeat
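Steps 9 and 10 turn the payload-download list from the "Samples from the wild" slides into a log sweep. The script below is an added example, not code from the deck: it refangs a subset of the deck's defanged IoC lines (copied exactly as printed, with the hxxp and backslash-dot defanging) into host and IP sets and runs them over constructed key=value egress log lines. The log field names (src, dst, host, url) are an assumption about the proxy or firewall format; matching on both host and IP is deliberate, since a firewall log often carries no hostname at all.

```python
"""Refang the deck's defanged payload-download IoCs and sweep proxy or
firewall logs for contact with them (steps 9 and 10 of the reactive
scoping list).

Added example, not code from the deck. The IoC lines are copied verbatim
from the deck's list (a subset); the key=value log lines are constructed
sample data and the field names are an assumption about the log format.
"""
import re
from urllib.parse import urlsplit

# Subset of the deck's payload-download list, exactly as printed there.
DEFANGED_IOCS = r"""
hxxp://aaepablog\.com/aaepa/inst_s12.pdf (IP: 50.87.144\.171)
hxxp://www.onoranzefunebricarrara.it/public/eulaa.pdf (IP: 62.149\.128\.151, 62.149.131\.204)
hxxp://cwvancouver\.com/cp/images/digits/arrowu.jpg (IP: 71.18.62\.202)
hxxp://rx-liquid\.ro/docuv.pdf (IP: 195.78.124\.14)
"""

IOC_LINE_RE = re.compile(r"^(?P<url>\S+)\s+\(IP:\s*(?P<ips>[^)]+)\)\s*$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def refang(text: str) -> str:
    """Undo the common defangings: hxxp to http, backslash-dot and [.] to a dot."""
    text = re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("\\.", ".").replace("[.]", ".")


def _norm_host(host: str) -> str:
    """Lower-case, drop trailing dot and a leading www. so variants compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_iocs(block: str):
    """Return (hosts, ips) extracted from 'url (IP: a, b)' lines."""
    hosts, ips = set(), set()
    for line in block.splitlines():
        m = IOC_LINE_RE.match(line.strip())
        if not m:
            continue
        hostname = urlsplit(refang(m.group("url"))).hostname
        if hostname:
            hosts.add(_norm_host(hostname))
        for ip in m.group("ips").split(","):
            ips.add(refang(ip.strip()))
    return hosts, ips


# Constructed key=value egress log excerpt (not from the deck).
SAMPLE_EGRESS_LOG = """\
2015-03-04T10:02:11Z src=10.1.4.27 dst=50.87.144.171 dport=80 host=aaepablog.com url=/aaepa/inst_s12.pdf action=allow
2015-03-04T10:02:15Z src=10.1.4.27 dst=93.184.216.34 dport=443 host=www.example.com url=/ action=allow
2015-03-04T10:05:40Z src=10.1.7.9 dst=62.149.131.204 dport=80 host=www.onoranzefunebricarrara.it url=/public/eulaa.pdf action=allow
2015-03-04T10:06:02Z src=10.1.7.9 dst=195.78.124.14 dport=80 host= url=/docuv.pdf action=allow
"""


def sweep_log(log_text: str, hosts: set, ips: set) -> list:
    """Return (src, [reasons]) for every line that touched a known host
    (exact or subdomain match) or a known IP; the IP check still fires
    when the host field is empty, as on a pure firewall log."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        host = _norm_host(fields.get("host", ""))
        reasons = []
        if host and (host in hosts or any(host.endswith("." + h) for h in hosts)):
            reasons.append("host:" + host)
        if fields.get("dst") in ips:
            reasons.append("ip:" + fields["dst"])
        if reasons:
            hits.append((fields.get("src"), reasons))
    return hits


if __name__ == "__main__":
    known_hosts, known_ips = parse_iocs(DEFANGED_IOCS)
    for src, reasons in sweep_log(SAMPLE_EGRESS_LOG, known_hosts, known_ips):
        print(src, reasons)
```

Each source IP returned is a candidate for step 12 (repeat the host forensics); the shared 195.78.124.14 address behind two of the deck's domains is a reminder that the IP set keeps catching downloads after the hostname has been rotated.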
SCOPING THE INCIDENT – OPTION B: PROACTIVE
Install NSM Sensor and look at it
SCOPING THE INCIDENT – OPTION B: PROACTIVE (CONT.)
1. Pull from network
2. Perform filesystem forensics to determine timestamp of compromise and recover malware (Dyre and Cutwail)
3. Perform email forensics to recover phishing email
4. Perform forensics on browsing history to determine if any online web portals were accessed since that time
5. Change credentials to those web portals that were accessed, all credentials resident on the system, and to the user’s email
6. Reimage affected system to eliminate all threats
7. Submit malware samples (don’t forget Cutwail) to AV vendor for signature creation
SCOPING THE INCIDENT – OPTION C: PROACTIVE ADVANCED
1. Let Live Response forensically analyze affected systems (we’ll have this done before you can even locate the system)
2. Pull from network
3. Change credentials to those web portals that were accessed, all credentials resident on the system, and to the user’s email
4. Reimage affected system to eliminate all threats
5. Submit malware samples (don’t forget Cutwail) to AV vendor for signature creation
EXPLORING THE KILL CHAIN
1. Email Delivered
2. Attachment Opened
3. Exploit Launched
4. Trojan Dropper Installed
5. Trojan Dropper Beacons
6. Payload Delivered
7. Payload Installed
8. Command and Control Established
9. Credentials Captured
10. Bank Portal Accessed
EMAIL DELIVERY
Email filter such as IronPort:
1. Block certain attachment types such as .scr, .exe, .zip, .rar
2. File inspection
3. Source reputation filters
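Blocking the attachment types listed above is only useful if the filter also looks inside archives, since the executable usually arrives zipped with a double extension. The script below is an added example, not code from the deck or any vendor's filter: it builds a constructed message (using one of the subject lines from the "Samples from the wild" slide) with a benign PDF and a zip containing a .scr, then reports every policy violation, identifying archives by their magic bytes rather than by the declared filename.

```python
"""Gateway-style attachment policy check for the attachment types the deck
names (.scr, .exe, .zip, .rar), also looking inside zip archives so an
executable hidden in an archive is reported too.

Added example, not code from the deck. The message is constructed in code;
the subject line is one of those the deck lists, and the double-extension
member name is a constructed sample.
"""
import io
import zipfile
from email.message import EmailMessage

BLOCKED_EXTS = {".scr", ".exe", ".zip", ".rar"}
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name: str) -> str:
    """Lower-cased final extension, so 'Advice.pdf.scr' yields '.scr'."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def blocked_attachments(msg: EmailMessage) -> list:
    """Return (attachment name, reason) for every policy violation found."""
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        ext = _ext(fname)
        if ext in BLOCKED_EXTS:
            findings.append((fname, f"blocked type {ext}"))
        payload = part.get_payload(decode=True) or b""
        # Identify archives by magic bytes, not by the declared filename,
        # so a zip renamed to .dat is still opened and inspected.
        if payload.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        mext = _ext(member)
                        if mext in BLOCKED_EXTS:
                            findings.append((f"{fname}:{member}",
                                             f"archive member of blocked type {mext}"))
            except zipfile.BadZipFile:
                findings.append((fname, "truncated or malformed zip archive"))
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed phishing-shaped message: benign PDF plus a zip containing
    a double-extension screensaver executable (sample data only)."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Payment_Advice.pdf.scr", b"not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "Payment Advice - advice Ref:[xxxxxx]/CHAPS credits"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached payment advice.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="advice.pdf")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="advice_docs.zip")
    return msg


if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

Malformed archives are reported rather than skipped on purpose: an archive the filter cannot open is exactly the one the desktop unzip tool may still open, so it should fail closed.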
ATTACHMENT OPENED
Attacker uses social engineering:
1. Awareness training is key
2. Red team exercises
3. If incident is underway, alert users via announcements of known subject lines and senders, etc.
EXPLOIT LAUNCHED
In the case we investigated, the phishing emails were using a flash exploit that leveraged CVE-2013-2729 (March 2013!!1!)
• Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727
TROJAN DROPPER INSTALLATION
• AV Client
• Whitelisting
• HIPS
TROJAN DROPPER BEACON
• NIPS (must have active blocking signature)
• Sinkhole domains in DNS server
• On-the-fly executable analyzer
PAYLOAD INSTALLED
• AV Client
• Whitelisting
• HIPS
COMMAND AND CONTROL / CREDENTIALS CAPTURED
• NIPS (must have active blocking signature)
• Sinkhole domains in DNS server
ACCESS TO BANK PORTAL
• Restrict access to only those who need it
• Two-factor authentication
• Regularly change credentials
• Only access portals from specific systems…a VM perhaps, with a clean snapshot?
EVOLUTION OF DYRE
JUST THIS MONTH…
• Latest version of Dyre includes sandbox-evading capabilities, making analysis much more difficult
• Able to determine the number of hardware processors to identify whether or not it is launched in a virtual environment; also looks for network services such as DNS
PARTING THOUGHTS
• Patch your third-party applications
• Keep AV up to date
• Use NSM to catch successful attacks in real time when prevention fails
• Conduct regular awareness training so users aren’t so quick to click
• Set up a process for users to forward suspicious emails to the security team for analysis
SOURCES
• malware-traffic-analysis.net
• Secure Works
• F5
• US-CERT
• Emerging Threats
John Henderson
Sr. Security Analyst
QUESTIONS?