#RSAC
SESSION ID: FLE-R09
ChessMaster: A New Campaign Targeting Japan Using The New ChChes Backdoor
Kohei Kawabata, Security Specialist, Trend Micro Incorporated
CH Lei / Benson Sy, Staff Engineer, Trend Micro Incorporated
Agenda
2
Background
Malware / Tools
• Loading Techniques
• Behavior and Protocol
• Malware Evolution
• Backdoor ChChes
• 2nd Stage ChChes
• Hacking Tools
• TinyX vs PlugX
• RedLeaves
Attribution
Summary
Apply
Background
3
"Managed IT Service Provider" or MSP
60% to 75% of businesses use some form of MSP
Attacks against MSPs in order to access their targets' networks
APT10 / Operation Cloud Hopper
Targets
4
Academy
Government
Media
MSP
Tech
ChessMaster
TimeLine
5
(Chart: ChChes sample count over time, High/Low)
*The time here is compile time, except for PowerShell ChChes.
*Some ChChes samples were compiled in 2011, which is likely faked; those samples are excluded.
ChChes Malware Family
What is BKDR_CHCHES?
7
Named from Chinese Chess
Found in the resource section
Initially named "ChiChess"
Issue of other significance
What is BKDR_CHCHES?
8
Several versions: 1.0.0, 1.2.2, 1.3.0, 1.3.2, 1.4.1, 1.6.4 and 1.7.3
ChChes is position independent code (PIC, like shellcode), so attackers can embed the ChChes payload anywhere
Main backdoor: encryption and beacon
Modules sent by C&C: AES module, shell, upload
ChChes Malware Family
Malware Loading Mechanisms
Arrival / Installation
LNK + PowerShell
10
Lure: [H29***]繰越申請について.zip (about carryover applications), containing H29_c-26.lnk
Chain: LNK -> cmd.exe -> PowerShell script -> download -> execute
Malware is running inside of the powershell.exe context
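The arrival chain on this slide (LNK -> cmd.exe -> PowerShell script -> download / execute) is the kind of process lineage that endpoint telemetry can flag. The following is an added detection example written for this transcript, not code from the presenters or from Trend Micro: it walks constructed Sysmon-style process-creation records (assumed field names pid / ppid / image / cmdline) and reports powershell.exe processes whose parent is cmd.exe under explorer.exe and whose command line shows hidden-window, download or encoded-command switches. The indicator patterns are generic assumptions, not indicators taken from the ChessMaster samples.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# Field names pid/ppid/image/cmdline are an assumption for this example.
SAMPLE_EVENTS = [
    {"pid": 900,  "ppid": 1,    "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    # Benign: a user opened a command prompt from explorer
    {"pid": 1100, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    # Suspicious: explorer (LNK double-click) -> cmd.exe -> hidden powershell that downloads
    {"pid": 1200, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c start /min powershell.exe -w hidden ...'},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "(New-Object Net.WebClient).DownloadFile(...)"'},
    # Benign: an admin script started by a scheduled task, not under explorer/cmd
    {"pid": 1400, "ppid": 700,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# Generic command-line indicators (assumed for the example, not ChessMaster-specific).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "encoded": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def _basename(path: str) -> str:
    """Last path component, lower-cased, so image comparisons ignore install directory."""
    return path.rsplit("\\", 1)[-1].lower()


def find_lnk_powershell_chains(events: list) -> list:
    """Return one alert per powershell.exe whose lineage is explorer.exe > cmd.exe > powershell.exe
    and whose command line matches at least one indicator."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if _basename(event["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(event["ppid"])
        if parent is None or _basename(parent["image"]) != "cmd.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent is None or _basename(grandparent["image"]) != "explorer.exe":
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
        if hits:
            alerts.append({
                "pid": event["pid"],
                "chain": "explorer.exe > cmd.exe > powershell.exe",
                "indicators": hits,
                "cmdline": event["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_lnk_powershell_chains(SAMPLE_EVENTS):
        print(alert)
```

The lineage check is what separates this from a plain command-line grep: an administrator's script launched by the task scheduler (pid 1400) carries no alert even though it is powershell.exe, while the cmd.exe spawned by explorer.exe with a hidden, downloading PowerShell child is reported once.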
SFX Dropper / DLL Hijacking
11
SFX = Self-extracting archive
Contents: legitimate file + malware loader + encrypted malware
DLL Hijacking – Load Time
12
Load-time dynamic linking:
1. Find DLL ("DLL Search Order")
2. Map DLL into memory
3. Call DLL's EP (entry point) function
4. Start the EXE
Mal.dll (EP): initialize / allocate memory / etc., patch the EXE's EP to Jmp Mal.dll (F2), return "True"
Legitimate file: the EXE's code now jumps to Mal.dll (F2) at its entry point
ChChes Malware Family
Malware Loading Mechanisms (Part 2)
Memory execution / AV Evasion
AV Evasion
14
Type 1: No encryption; loader code varies (Loader 1.1, Loader 1.2, … Loader 1.x); code in .data section
AV Evasion
15
Type 2: Byte-per-byte XOR with a key table (PDB: D:\Projects\ByPassAV\WinCConnect)
Loop: get next key from the XOR table -> XOR original byte -> repeat while i < data len
Programming error?
AV Evasion
16
Type 3: Single key XOR + 1 more layer (AES)
PDB: D:\Projects\ByPassAV\Win32Project2
AV Evasion
17
Backdoor Versions vs Packer Type
(Chart, 7-Sep-16 to 5-Jan-17: backdoor version (None, 1.0.0, 1.3.0, 1.3.2, 1.4.0, 1.4.1+) against packer type (Type 1, Type 2 (XOR), Type 3 (XOR+1)), with heuristic detection marked)
ChChes Malware Family
Behavior & Protocol
How to communicate with C2?
19
ChChes can use various HTTP methods (GET / HEAD / POST).
When it uses the GET / HEAD method, it embeds encrypted data in the Cookie header.
It also encrypts data using AES after it receives the AES module from the C2.
Exchange between ChChes and C2:
1. Send system information (checkin) -> receive Bot ID
2. Get command / module -> receive command / module
3. Send command result
How to decrypt C2 request?
20
Cookie format: KEY 1 = VALUE 1 ; KEY 2 = VALUE 2 ; … ; KEY N = VALUE N ;
Base64 decode -> RC4 decrypt -> plaintext checkin:
AADMIN-PC*3040?3618468394?C:\Users\Admin\AppData\Local\Temp\?1.0.0*6.1.7601.17514
Middle MD5 (feeds the RC4 key): hashlib.md5(key).hexdigest()[8:24]
C2 request: Checkin
21
Version differences
1.3.2 [CHANGE] Explorer.exe file version -> Kernel32.dll file version
1.4.1 [ADD] Screen resolution
1.6.4 [ADD] Middle MD5 of SID
1.7.3 [CHANGE] Middle MD5 of SID -> Middle MD5 of <SID + Computer Name>; [ADD] OS bit information (x64)
Example (ver 1.0.0 – 1.3.0): A ADMIN-PC*3040?3618468394?C:\Users\Admin\AppData\Local\Temp\?1.0.0*6.1.7601.17514
Request type: A
System information: computer name * PID ? fixed value ? %TEMP% ? ChChes version * Explorer.exe file version
C2 response: Checkin
22
Bot ID: Middle MD5 of checkin[1:].split('?')[0]
Checkin: A ADMIN-PC*3040 ? 3618468394?C:\Users\Admin\AppData\Local\Temp\?1.0.0*6.1.7601.17514
Middle MD5 input: ADMIN-PC*3040
MD5: 3ed87aa8d3997f307d564609405c9c9c
Bot ID (16 bytes): d3997f307d564609
C2 request: Get Command and Module
23
Decrypted request: d3997f307d564609B
Bot ID (16 bytes) d3997f307d564609 followed by request type B
C2 response: Get Command and Module
24
Response: Base64 (+ AES) encoded command / module
Decrypt key: Middle MD5 of Bot ID
Structure of Command and Module
25
Module capabilities:
• Encrypt C2 communication by AES
• Execute shell command
• Upload/Download file
• Load/Execute DLL
• . . .
Command header (16 bytes): size of command, size of module header + module, address of module header, command name
Module header (48 bytes): module size, module checksum
Module
C2 request: Send command result
26
AES encrypted if it received the AES module
Decrypted request: d3997f307d564609C e4bdee527e274ea3 RESULT
Fields: Bot ID (d3997f307d564609), request type (C), Middle MD5 of command name (e4bdee527e274ea3), result (RESULT)
Header: size of command result, address of module header
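The request formats on slides 20–26 (Cookie "KEY = VALUE ;" pairs, Base64 then RC4, the "A" checkin layout for ver 1.0.0–1.3.0, Middle MD5 = md5(x).hexdigest()[8:24], Bot ID = Middle MD5 of checkin[1:].split('?')[0], and the "B" / "C" requests that carry the Bot ID first) are enough to write a decoder an analyst can run over captured beacons. The block below is an added example for this transcript, not code from the talk or from Trend Micro. Assumptions not on the slides: the RC4 key is supplied by the analyst (the slides show only that a Middle MD5 feeds RC4, not of what), the cookie name "uid" and the key bytes are placeholders, the three fields of the "C" request are treated as a fixed-width concatenation, and the AES layer used after the AES module is received is not implemented.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def middle_md5(value: str) -> str:
    """Slide 20: hashlib.md5(key).hexdigest()[8:24], i.e. the middle 16 hex digits."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()[8:24]


def parse_cookie(header: str) -> dict:
    """'KEY 1 = VALUE 1 ; KEY 2 = VALUE 2 ;' -> {'KEY 1': 'VALUE 1', 'KEY 2': 'VALUE 2'}."""
    pairs = {}
    for item in header.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def decode_cookie_value(value: str, rc4_key: bytes) -> str:
    """Slide 20 order: Base64 decode, then RC4 decrypt. The key is analyst-supplied (assumption)."""
    return rc4(rc4_key, base64.b64decode(value)).decode("utf-8", errors="replace")


def parse_request(plaintext: str) -> dict:
    """Split a decrypted request into fields, dispatching on the request type letter.

    'A' (checkin, ver 1.0.0-1.3.0 layout from slide 21) carries the type first;
    'B' (get command) and 'C' (send result) carry the 16-byte Bot ID first (slides 23, 26).
    """
    if plaintext.startswith("A"):
        parts = plaintext[1:].rstrip("?").split("?")
        computer, pid = parts[0].split("*", 1)
        version, explorer_ver = parts[3].split("*", 1)
        return {
            "type": "A",
            "computer_name": computer,
            "pid": pid,
            "fixed_value": parts[1],
            "temp_dir": parts[2],
            "chches_version": version,
            "explorer_version": explorer_ver,
            # Slide 22: Bot ID = Middle MD5 of checkin[1:].split('?')[0]
            "bot_id": middle_md5(parts[0]),
        }
    bot_id, req_type, rest = plaintext[:16], plaintext[16:17], plaintext[17:]
    if req_type == "B":
        return {"type": "B", "bot_id": bot_id}
    if req_type == "C":
        # Assumption: the three fields on slide 26 are concatenated fixed-width;
        # the slide separates them with spaces only for readability.
        return {"type": "C", "bot_id": bot_id,
                "command_name_middle_md5": rest[:16], "result": rest[16:]}
    raise ValueError("unknown request type: %r" % req_type)


def decode_beacon(cookie_header: str, rc4_key: bytes) -> list:
    """Decode every Cookie value of a beacon request and parse the requests it carries."""
    return [parse_request(decode_cookie_value(v, rc4_key))
            for v in parse_cookie(cookie_header).values()]


# Constructed sample: the slide-21 checkin string, RC4-encrypted under a made-up key and
# Base64-encoded as the slides describe. Cookie name and key bytes are placeholders.
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_CHECKIN = "AADMIN-PC*3040?3618468394?C:\\Users\\Admin\\AppData\\Local\\Temp\\?1.0.0*6.1.7601.17514"
SAMPLE_COOKIE = "uid=" + base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_CHECKIN.encode())).decode() + " ;"

if __name__ == "__main__":
    for request in decode_beacon(SAMPLE_COOKIE, SAMPLE_KEY):
        print(request)
```

Because RC4 is symmetric, the same rc4() call builds the constructed sample and decodes it, so the decoder can be exercised offline; on real captures the analyst replaces SAMPLE_KEY with the key recovered from the sample and passes the actual Cookie header. The Bot ID returned for the checkin is what the later "B" and "C" requests must start with, which gives a simple consistency check across a session.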
ChChes Malware Family
Malware Evolution
Debug build of ChChes (ver 1.3.0)
28
Source code file names: server.c, data.h, tcp_conn.h, _http.h, http_con.h, task_mgmt.h, command.h
Bugs
29
(Bugs shown in code screenshots; affected versions:)
ver 1.0.0 – ver 1.3.2
ver 1.4.1
ver 1.0.0 – ver 1.7.3
Some features added in newer version
30
HEAD method is removed (1.4.1 -) / POST method is added (1.6.4 -)
Get proxy information from Protected Storage (1.6.4 -)
Decrypt / encrypt some functions at runtime (1.7.3): decrypt & execute, then encrypt again
ChChes Malware Family
Second Stage
Second Stage Attack
32
Loader + legitimate file + [exe name].bin (non-persistent ChChes)
-> Decrypt -> Second stage malware
-> Decrypt (another registry path) -> Final payload: ChChes version 1.7.3
Second Stage Protocol
33
Regular ChChes
Second Stage ChChes
Detection Free?
34
(Chart: detection rate)
Hacking Tools
35
Mail Password Recovery Tool -> Hacking Tool – Mail Password Dumper
Browser Password Recovery Tool -> Hacking Tool – Browser Password Dumper
TinyX Malware Family
Background
37
TinyX (Tiny PlugX)
No plugin capability; shares some similarities with PlugX
Open lure
TinyX vs PlugX
38
PlugX TinyX
RedLeaves Malware Family
RedLeaves
40
Similar to another RAT – Trochilus
Some PlugX-like mechanisms:
— DLL Hijacking
— Similar code flow in dropper and loader
— Replace injected malware MZ/PE header with 0xFF
Source: Shusei Tomonaga. (2017 April 3). Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). "RedLeaves - Malware Based on Open Source RAT." http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html
RedLeaves Variant
41
NCC Group RedLeaves YARA rule (2017/04/03)
New variant evades the YARA rule (2017/04/13)
Attribution
Ties to menuPass / APT 10 / StonePanda
First Trigger
43
(Infrastructure graph; edge types: Connect, Drop, Attack, Resolve)
Nodes: mailj.hostport9.net, 138.128.206.253, xxx.xxx.121.204, music.websegoo.net, vm.vmdnsup.org, vmyiersend.websago.info, scorpion.poulsenv.com (185.117.88.80 or 185.117.88.81), sbuudd.webssl9.info
Malware: PlugX, ChChes (shared packer), PoisonIvy; target: Organization
Ties to menuPass / APT 10 / StonePanda
44
Similar packer: ChChes, PlugX
Similar targets: ChChes, PlugX, TinyX, RedLeaves, PoisonIvy
Shared C&C infrastructure
Attribution
Ties to Emdivi
Decryption
46
2nd Stage Emdivi vs 2nd Stage ChChes
Emdivi payload key algorithm: User SID -> MD5 -> RC4
ChChes payload key algorithm: User SID, Windows ProductId, forged registry keys -> MD5, SHA512 -> AES
Samples
47
Sample 1: compile date 2015-07-[DD], menuPass domain
Sample 2: compile date 2015-07-[DD], same packer as ChChes
Same machine, acquire date 2015-07-[DD+1]
Summary
Summary – ChessMaster Campaign
49
Mostly attacks Japan
Uses newly developed malware (ChChes) and other malware such as TinyX, PlugX and RedLeaves
Responds to public disclosure
Is related to the menuPass campaign and the Emdivi malware family
Second stage ChChes has been able to evade AV detection to this day
Apply What You Have Learned Today
50
Spear phishing is the major arrival vector of ChessMaster
— Educate employees
— Patch systems
— Adopt APT security solutions
Threat intelligence matters
— It is the key that allows us to be one step ahead of the threat actor
If you think you have been the target of an APT campaign:
— Share the information with your security vendor
— Don't format the infected machines, but ask for IR service
— Prepare for the next attack, based on what you learned in previous attacks
Thank You!
Reference
52
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-cloud-hopper-what-you-need-to-know
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/understanding-targeted-attacks-defensive-measures
http://www.jpcert.or.jp/magazine/acreport-ChChes.html
https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
https://www.lac.co.jp/lacwatch/people/20170223_001224.html
https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
http://csirt.ninja/?p=1103
http://blog.jpcert.or.jp/2017/03/malware-leveraging-powersploit.html
https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf
http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html