![Page 1: Let's go with a Go RAT! - Botconf 2020 · 2018-12-09 · Functions Golang (mostly spotted) .NET (several cases only) Support OS Windows, Linux, (NAS) Windows Encryption RC6, AES,](https://reader034.vdocuments.mx/reader034/viewer/2022042302/5ecd532c7b8a796bf06b9518/html5/thumbnails/1.jpg)
Dec 2018
Copyright © LAC Co., Ltd. All Rights Reserved.
Yoshihiro Ishikawa, Shinichi Nagano
Let's go with a Go RAT!
Who are we?

Yoshihiro Ishikawa (CISSP)
• Organization: LAC Co., Ltd. (lac.co.jp)
• Department: Cyber Emergency Center
• Job Title: Cyber Threat Analyst and handler

Shinichi Nagano (GREM)
• Department: Cyber Emergency Center
• Job Title: Cyber Threat Analyst and handler
Agenda
• Purpose
• A study of Go language (GoLang)
• wellmess and its detail
• wellmess C2 traffic simulation (DEMO)
• Prevention method
• Conclusion
Purpose
• wellmess malware and its botnet are currently still categorized as an unknown Golang malware
• several incident cases that we handled from January 2018
• Not detected [2] by security software until we published an analysis report [1] around June 2018
We would like to introduce the analysis result of "wellmess", which hopefully will be useful to prevent the attack in the future.
CYBER - EDUCATION - PENTEST - JSOC - 119 - CONSULTING
We provide IT total solutions based on advanced security technologies.
A study of Golang executable
What about Golang
• Go [3] is an open source programming language developed by Google Inc. in 2009; in our presentation we call it "GoLang".
• Current stable version 1.11.2
• Runs on various platforms such as Linux, Mac, Windows, Android
• Golang malware
  • Mirai (C2/Server) is one of the most famous
  • Others such as Lady [4], GoARM.Bot [5], GoAthenaRAT [6], Encriyoko [7], ...
Golang executables characteristics
• Go executables have a huge file size (even packed by UPX [8], < 4 MB)
• Function names are left intact in the executable files (in many cases)
• The character strings become one continuous block (go1.8 and higher)
(Figure: "Not stripped function name" / "continuous block")
Golang executables characteristics - 2
The function names can be specified by using IDAGolangHelper [9] in IDA Pro [11].
(Figure: Rename functions, before / after)
Golang executables characteristics - 3
Not every string blob can be separated by IDAGolangHelper, so we need to do it manually.
(Figure: split values possible / impossible, "No split values...")
wellmess and its detail
What's about wellmess
wellmess is a RAT coded in GoLang for multiple platform operating systems.
• C2 Functions
  • Command Execution (RCE)
  • File Upload and Download
• Identification
  • Lang: GoLang (main) & .NET (minor version only)
  • Type: Windows 32/64-bit Executable (these main slides) & ELF x64 (Appendix C)
  • Characteristic:
    • Compiled with Ubuntu (go1.8.3), Windows (go1.8)
    • "wellmess" naming is coming from "Welcome Message" (attacker's thought)
    • Usage of IRC terms like "welcome message", "bot", "chat" or "join" etc.
Typo strings
(Figure: strings found in the binary)
Does he mean "choice"?
Does he mean "welcome message"?
Does he mean "Mozilla"?
Specific characteristic strings
(Figure: different package name; C2 server)
Supports Japanese, Korean and Chinese
Specific User-Agents
• Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
• Mozilla/5.0 (X11; U; Linux x86_64; ja-JP; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.10 (maverick) Firefox/3.6.16
• Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, Like Gecko) Version/7.03 Safari/7046A194A
• Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0
• Mozzila/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
• Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)
Each wellmess had a different User-Agent hard-coded.
Lateral movement
wellmess doesn't have a lateral movement function; for that purpose the attacker was using another tool. In some cases they used gost [13], a tunneling tool written in Golang.
(Figure: Attacker -> Victim, lateral movement)
Other version: compiled with .NET wellmess (dnSpy [13])
(Figure: decompiled .NET loader; the payload string is too long and redacted)
The payload (DLL file) is encrypted. After replacing strings and Base64 decoding, it is decrypted with RC6. The payload DLL file is then loaded and executed using the AppDomain CreateInstanceAndUnwrap method, utilizing a Proxy class.
Other version: The payload of .NET wellmess
Has similar functions as in the Golang version.
The .NET version RCE is also using PowerShell methods, which are not found in the Golang version.
Comparison of Golang and .NET wellmess

| Functions | Golang (mostly spotted) | .NET (several cases only) |
|---|---|---|
| Support OS | Windows, Linux, (NAS) | Windows |
| Encryption | RC6, AES, RSA, obfuscation | RC6, AES, RSA, obfuscation |
| Bot commands | Command Execution, File Upload and Download | Command Execution, File Upload and Download |
| How to Command Exec | CMD (Windows), Execve (Linux) | PowerShell, CMD |
| C2 Protocol | HTTP, POST, Cookie | HTTP, POST, Cookie |
| Packer | UPX or none | Original Packer (bytes obfuscator) |
| Latest version (ITW) #VirusTotal First Submission | 2018-10-02 | 2018-07-25 |

Bot functions are almost the same among Golang and .NET. We think that the main wellmess used by the attacker is Golang.
Obfuscation decoding (reference by JPCERT/CC [15]):
data.replace("+","").replace("","=").replace(".","").replace("","").replace(",","+").replace(":","/")
Bot commands syntax
wellmess uses tags in XML format to communicate C2 commands. The following are the regular expression matching rules of the tags:
Golang version: <;(?P<key>[^;]*?);>(?P<value>[^<]*?)<;[^;]*?;>
.NET version:   <;(?<key>[^;]*?);>(?<value>[^<]*?)<;[^;]*?;>
Bot commands

| Tag | Command | Function |
|---|---|---|
| <;head;> | C | Used with <;service;> tag |
| | G | C2 server acceptance |
| <;service;> | p | (Re)Initialize AES key and send Host Info |
| | fu | File upload (from C2 to bot) |
| | fd | File download (from bot to C2) |
| | m | Change the division size per communication |
| | u | Change user-agent |
| <;title;> | a:x_x | Item number information of divided communication |
| | rc | Waiting for C2 command |
| <;body;> | | Payload part added to the command |
Bot commands samples
Raw Cookie header:
AOyniCcS=1bLTL+NuPy0+%2CeDJx+1Q%2Cm0+1zZ8a+uj84J+VLbRk+tYH8v+pCeL6+gRkR;D9y5yGqO=G+B%3AbW%3Ao.+Y8GDHj+K2QKny+WZ2vQZ+L1v84h+p3P1qT.+Z8auj8+4JVLbR+ktYH8v+pCfbOO+ZDq577.+LySyuj+30PqHX+%2CXho8Z+YzBMr8+tQIevh.+rxEbIz+OVIVRP+x9DfH6+duxldn+PKi3f4.+y%2CI6td+RfavbR+67eQVw+twTN%3AI+HB1vPy.+hWzm2f+ASQlzB+Jiz9pt+EzNRQA+fRv1mL.+pziFHi+vzbux9+VA2zkY+8Ve9rz+T0u8jb.+1LH0%2Cx+WDpcVw+TIJjDV+5Dy6Mx+GTUarDtVk+++
Decrypted Cookie header:
<;head;>57494e2d3550464b544835345154517c636f6e736f6c657c57494e2d3550464b544835345154517c75736572e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/p<;head;><;title;>a:1_0<;title;><;service;>p<;service;>
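As an added example (not code from the presentation), the following Python decoder applies the Golang-version tag regex from the "Bot commands syntax" slide to the decrypted Cookie sample above and splits the <;head;> value into the host-information fields an analyst would want to read out. The layout of <;head;> (hex of ComputerName|Mode|UserDomain|UserName, then a SHA-256 hex digest, then "/" and the command) and the reading of a:x_x as block-count_index are assumptions drawn from the slide annotations; the regex, command table and sample are the slides' own.

```python
import hashlib
import re

# Tag regex of the Golang version (from the "Bot commands syntax" slide).
TAG_RE = re.compile(r"<;(?P<key>[^;]*?);>(?P<value>[^<]*?)<;[^;]*?;>")

# Bot command table from the slides: tag -> command -> meaning.
COMMANDS = {
    "head": {"C": "used with <;service;> tag", "G": "C2 server acceptance"},
    "service": {
        "p": "(re)initialize AES key and send host info",
        "fu": "file upload (from C2 to bot)",
        "fd": "file download (from bot to C2)",
        "m": "change the division size per communication",
        "u": "change user-agent",
    },
    "title": {"rc": "waiting for C2 command"},
}

# Decrypted Cookie header sample copied from the slide (test input, not live traffic).
SAMPLE = (
    "<;head;>57494e2d3550464b544835345154517c636f6e736f6c657c"
    "57494e2d3550464b544835345154517c75736572"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/p"
    "<;head;><;title;>a:1_0<;title;><;service;>p<;service;>"
)

SHA256_HEX_LEN = 64


def parse_tags(msg):
    """Return {key: value} for every <;key;>value<;key;> pair in msg."""
    return {m.group("key"): m.group("value") for m in TAG_RE.finditer(msg)}


def decode_head(head):
    """Split a <;head;> value into host info, hash and command.

    Assumed layout (from the slide annotations): hex(ComputerName|Mode|
    UserDomain|UserName) + SHA-256 hex digest + "/" + command.
    """
    body, sep, command = head.rpartition("/")
    if not sep or len(body) < SHA256_HEX_LEN:
        raise ValueError("unexpected <;head;> layout")
    digest, info_hex = body[-SHA256_HEX_LEN:], body[:-SHA256_HEX_LEN]
    info = bytes.fromhex(info_hex).decode("ascii").split("|")
    names = ["ComputerName", "Mode", "UserDomain", "UserName"]
    fields = dict(zip(names, info))
    fields["sha256"] = digest
    # The slide labels this part "NULL of SHA256 hash": the digest of empty input.
    fields["sha256_is_empty"] = digest == hashlib.sha256(b"").hexdigest()
    fields["command"] = command
    return fields


def describe(msg):
    """Decode one bot message into a readable dict (tags, head fields, meanings)."""
    tags = parse_tags(msg)
    result = {}
    for key, value in tags.items():
        if key == "head":
            result["head"] = decode_head(value)
        elif key == "title" and value.startswith("a:"):
            # a:x_x = item number information of divided communication
            # (assumed here to be blocks_index of the split transfer).
            total, _, index = value[2:].partition("_")
            result["title"] = {"blocks": int(total), "index": int(index)}
        else:
            meaning = COMMANDS.get(key, {}).get(value, "unknown")
            result[key] = {"command": value, "meaning": meaning}
    return result


if __name__ == "__main__":
    for tag, info in describe(SAMPLE).items():
        print(tag, info)
```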
C2 traffic communication
There are 4 steps until command & control communication:
1. Bot sends AES key + iv + Host Information
1'. C2 acceptance
2. Bot sends Host Information
2'. C2 acceptance
3. Bot sends ready signal for RCE
3'. C2 sends RCE
4. Bot sends result of RCE
4'. C2 acceptance
(Figure: Bot <-> C2 sequence diagram, steps 1-4 and 1'-4')
We must prepare the hard-coded RC6 key and the changing RSA public key.
C2 traffic communication - 1
Cookie Header: Infected Host Information in RC6
POST Body: AES + iv in RSA public key
"p" means Initial phase (Phase 1 of 2)
(Figure: hex dump of the decrypted Cookie header: Infected PC Information, NULL of SHA256 hash)

C2 traffic communication - 1'
Cookie Header: C2 Server response in RC6
"G" means just received
C2 traffic communication - 2
Cookie Header: Infected Host Information in RC6
POST Body: Host Information in RSA public key
Phase 2 of 2
Host Information fields: ComputerName, Mode, UserDomain, UserName
C2 traffic communication - 3
Cookie Header: standby to receive C2 Command
POST Body: It looks like no data is included
"rc" means to stand by receiving C2 command
C2 traffic communication - 3'
POST Body: C2 Command in AES
C2 traffic communication - 4
Cookie Header: split block number in RC6
POST Body: Result of C2 Command in AES
Phase 1 of 1
(Figure: decrypted command result; the Japanese font is garbled)
wellmess C2 traffic simulation DEMO
Important notes
• It is forbidden in Japan to share any form of any malicious code without the written acknowledgement from and to the law enforcement.
• In this demonstration there is a possibility the used PoC code can be misused to control a real alive malware; there is a risk of malicious use if this PoC leaks, so it is considered as malicious code.
• Due to the circumstances above, we cannot share the source code used for this demonstration; however, this demonstration itself explains enough details to prove the concept of the C2 communication traffic/protocol used by wellmess malware.
Prevention and Detection
• C2 traffic connection in network detection
  • wellmess traffic detection using Suricata [16] or snort [17]
• Static and dynamic detection
  • YARA [18]
    • wellmess malware can be detected and identified by the YARA rule (will be introduced in the next slide)
  • EDR
    • PowerShell and cmd wellmess execution can be traced by EDR log or process tree

```suricata
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"wellmess C2 traffic detection!"; content:"Accept-Encoding|3a20|gzip"; content:"POST / HTTP/1.1"; pcre:"/Cookie\x3a[a-zA-Z0-9]{8}=/"; content:"Content-Type|3A|application|2F|x-www-form-urlencoded|3b|charset|3d|utf-8"; sid:1000000;)
```
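As an added example (not the presentation's code), this Python snippet applies the conditions of the rule above to raw HTTP requests so a defender can dry-run the signature against captures before deploying it; the requests are constructed, and the wellmess-like one reuses the 8-character cookie name from the "Bot commands samples" slide. It assumes the `content:` strings match as plain substrings and applies the `pcre:` exactly as printed, which requires the cookie name to follow `Cookie:` with no space, so verify that detail against your own captures.

```python
import re


def expand_content(spec: str) -> bytes:
    """Expand a Suricata content string such as 'Accept-Encoding|3a20|gzip' to bytes.

    Parts between | | are hex; everything else is literal ASCII.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


# The three content: matches of the rule, copied as written.
RULE_CONTENT_SPECS = (
    "Accept-Encoding|3a20|gzip",
    "POST / HTTP/1.1",
    "Content-Type|3A|application|2F|x-www-form-urlencoded|3b|charset|3d|utf-8",
)
RULE_CONTENTS = tuple(expand_content(s) for s in RULE_CONTENT_SPECS)

# The pcre: of the rule as printed on the slide (no space allowed after the colon).
RULE_PCRE = re.compile(rb"Cookie\x3a[a-zA-Z0-9]{8}=")


def matches_wellmess_rule(request: bytes) -> bool:
    """True when every content: string and the pcre: of the rule hit the request."""
    return all(c in request for c in RULE_CONTENTS) and RULE_PCRE.search(request) is not None


def triage(requests) -> list:
    """Return the indexes of the requests the rule would alert on."""
    return [i for i, r in enumerate(requests) if matches_wellmess_rule(r)]


# Constructed sample requests (not captured traffic). The first is shaped to
# the header layout the rule describes, with the cookie name from the slide.
WELLMESS_LIKE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    b"Chrome/41.0.2228.0 Safari/537.36\r\n"
    b"Content-Type:application/x-www-form-urlencoded;charset=utf-8\r\n"
    b"Cookie:AOyniCcS=1bLTL+NuPy0+%2CeDJx+1Q%2Cm0\r\n"
    b"Accept-Encoding: gzip\r\n\r\n"
)
# An ordinary browser form post: space after the header colons, longer cookie name.
BROWSER_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: sessionid=abc123\r\n"
    b"Accept-Encoding: gzip, deflate\r\n\r\n"
)

if __name__ == "__main__":
    print("alerting requests:", triage([BROWSER_POST, WELLMESS_LIKE]))
```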
YARA rules (one case)

For Golang:

```yara
rule wellmess_go {
    meta:
        author = "LAC Co., Ltd."
    strings:
        $mz = { 4D 5A }
        $elf = { 7F 45 4C 46 }
        $str1 = "botlib.FromNormalToBase64"
        $str2 = "botlib.AES_Encrypt"
        $str3 = "botlib.UnpackB"
        $str4 = "botchat.go"
        $str5 = "choise.go"
        $str6 = "wellmess.go"
    condition:
        ($mz at 0 or $elf at 0) and any of ($str*)
}
```

For .NET:

```yara
rule chatbot_net {
    meta:
        author = "LAC Co., Ltd."
    strings:
        $mz = { 4D 5A }
        $str = "Startbot" wide
        $str2 = "ROL"
        $str3 = "ROR"
        $str4 = "FromBase64ToNormal"
        $str5 = "FromNormalToBase64"
        $str6 = "SSL"
    condition:
        ($mz at 0) and all of them
}
```
EDR tracing for wellmess infection
Windows Defender ATP [19]
(Figure: Machine Timeline)
Conclusion
• wellmess is a RAT coded in GoLang and .NET, controlled by the C2 botnet.
• We have confirmed some cases where wellmess infection was found in targeted organizations, so attacks using the malware may continue in other countries.
• For information sharing with OPSEC on a global scale, you are more than welcome to contact us!
Appendix A - Reference
1. https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf
2. https://www.virustotal.com/ja/file/0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193/analysis/
3. https://golang.org/
4. https://news.drweb.com/show/?i=10140&lng=en
5. http://blog.0day.jp/2014/09/linuxgoarmbot.html
6. https://blog.talosintelligence.com/2017/02/athena-go.html#more
7. https://www.symantec.com/connect/blogs/malware-uses-google-go-language
8. https://upx.github.io/
9. https://github.com/sibears/IDAGolangHelper
10. https://www.hex-rays.com/products/ida/
11. https://www.paterva.com/web7/
12. https://github.com/ginuerzh/gost
13. https://github.com/0xd4d/dnSpy
14. https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html
15. https://suricata-ids.org/
16. https://www.snort.org/
17. http://virustotal.github.io/yara/
18. https://www.microsoft.com/en-us/windowsforbusiness/windows-atp
Appendix B - IOC
• Golang
  • efda5178286678794b40987e66e686ce
  • 6fd56f2df05a77bdfd3265a4d1f2abac
  • b981736a057b888170148a91bcd86a59
  • 579d3af1b487ea3c442870eabe886a4f
• .NET
  • 98fe909510c79b21e740fec32fb6b1a0
  • 4a2b8954695b32322508e844ff7e74f5
Appendix C - Flowchart 1/4 (case of ELF): Initial communication
Appendix C - Flowchart 2/4 (case of ELF): Receive response & Bot process
Appendix C - Flowchart 3/4 (case of ELF): Execute Bot Command
Appendix C - Flowchart 4/4 (case of ELF): Continue Bot Command
(Figures only)
Thank you. Any Questions ?