FLE-R09 ChessMaster: A New Campaign Targeting Japan (RSA Conference slide deck, PDF transcript)

#RSAC
Session ID: FLE-R09
ChessMaster: A New Campaign Targeting Japan Using The New ChChes Backdoor
Kohei Kawabata, Security Specialist, Trend Micro Incorporated
CH Lei / Benson Sy, Staff Engineer, Trend Micro Incorporated


Post on 06-Feb-2018


TRANSCRIPT


Page 2: Agenda

Background

Malware / Tools
• Loading Techniques
• Behavior and Protocol
• Malware Evolution
• Backdoor ChChes
• 2nd Stage ChChes
• Hacking Tools
• TinyX vs PlugX
• RedLeaves

Attribution

Summary

Apply

Page 3: Background

"Managed IT Service Provider" or MSP

60% to 75% of businesses use some form of MSP

Attacks against MSP in order to access their target's network

APT10 / Operation Cloud Hopper


Page 4: Targets

Academy

Government

Media

MSP

Tech

ChessMaster

Page 5: Timeline

*The time here is compile time, except for PowerShell ChChes.
*Some ChChes samples were compiled in 2011, which is likely faked. Those samples are excluded.

(Chart: sample count, low to high, over time)

Page 6: ChChes Malware Family

Page 7: What is BKDR_CHCHES?

Named from ChineseChess

Found in Resource Section

Initially named “ChiChess”
Issue of other significance

Page 8: What is BKDR_CHCHES?

Several Versions:

1.0.0, 1.2.2, 1.3.0, 1.3.2, 1.4.1, 1.6.4 and 1.7.3

Encryption and Beacon

ChChes is Position independent code (PIC, like shellcode)

Attackers can embed the ChChes payload anywhere

(Diagram) Main Backdoor ← Modules sent by C&C: AES Module, Shell Upload

Page 9: ChChes Malware Family – Malware Loading Mechanisms: Arrival / Installation

Page 10: LNK + PowerShell

(Diagram) [H29***]繰越申請について.zip (“about carry-over applications”) → H29_c-26.lnk → cmd.exe → PowerShell Script → Download → Execute

Malware runs inside the powershell.exe process context.

Page 11: SFX Dropper / DLL Hijacking

(Diagram) SFX archive contents: Encrypted Malware, Legitimate File, Malware Loader

SFX = Self-extracting archive

Page 12: DLL Hijacking – Load Time

Load-Time Dynamic Linking:
1. Find DLL (“DLL Search Order”)
2. Map DLL into memory
3. Call DLL’s EP func
   • Initialize / allocate mem / etc.
   • Patch EXE’s EP (Jmp Mal.dll (F2))
   • Return “True”
4. Start the EXE

(Diagram: memory layout of the Legitimate File’s code with its Entry Point, Mal.dll (EP) and Mal.dll (F2); the EXE’s entry point is patched to jump to Mal.dll (F2))
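Step 1 above (the DLL search order) is what makes a loader planted beside a legitimate EXE win over the system copy. The following is an added example, not code from the presentation: it replays the documented Windows load-time search order over a constructed in-memory file list, such as the contents of an extracted SFX archive, and flags every import that would resolve from the application directory while a DLL of the same name sits in System32. Assumptions: SafeDllSearchMode is on, and the KnownDLLs list, side-by-side manifests and API-set redirection are ignored (a real triage tool must add them); `legit.exe`, `version.dll`, `legit.bin` and all paths are constructed.

```python
"""Triage an extracted directory for load-time DLL hijack candidates.

Added example, not code from the presentation. It replays the documented
Windows load-time search order (SafeDllSearchMode enabled) over a
constructed in-memory file list and flags every import that would be
satisfied from the application directory even though a DLL of the same
name exists in System32. Simplifications (assumptions): the KnownDLLs list,
side-by-side manifests and API-set redirection are ignored.
"""
from typing import Iterable, List, Optional, Set, Tuple

SYSTEM32 = r"C:\Windows\System32"


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str]) -> List[str]:
    """Directories probed, in order, for load-time (implicit) imports."""
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]


def _join(directory: str, name: str) -> str:
    return directory.rstrip("\\") + "\\" + name


def resolve_dll(name: str, fs: Set[str], app_dir: str, cwd: str,
                path_dirs: Iterable[str] = ()) -> Optional[str]:
    """First path in search order that exists in `fs` (lower-cased full paths)."""
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = _join(directory, name)
        if candidate.lower() in fs:
            return candidate
    return None


def hijack_candidates(imports: Iterable[str], fs: Set[str], app_dir: str, cwd: str,
                      path_dirs: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """(dll name, path that wins, System32 copy it shadows) for each import
    that resolves somewhere other than System32 while System32 has the DLL."""
    findings = []
    for name in imports:
        chosen = resolve_dll(name, fs, app_dir, cwd, path_dirs)
        system_copy = _join(SYSTEM32, name)
        if chosen and system_copy.lower() in fs and chosen.lower() != system_copy.lower():
            findings.append((name, chosen, system_copy))
    return findings


# Constructed scenario: an SFX archive extracted to %TEMP% containing the
# legitimate EXE, a DLL named after one the EXE imports, and an encrypted blob.
APP_DIR = r"C:\Users\Admin\AppData\Local\Temp\sfx_out"
SAMPLE_FILES = {
    _join(APP_DIR, "legit.exe"),
    _join(APP_DIR, "version.dll"),   # planted loader, same name as a system DLL
    _join(APP_DIR, "legit.bin"),     # encrypted payload the loader would decrypt
    _join(SYSTEM32, "version.dll"),
    _join(SYSTEM32, "kernel32.dll"),
    _join(SYSTEM32, "user32.dll"),
}
SAMPLE_IMPORTS = ["kernel32.dll", "user32.dll", "version.dll"]  # legit.exe's imports


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the triage over the constructed scenario."""
    fs = {p.lower() for p in SAMPLE_FILES}
    return hijack_candidates(SAMPLE_IMPORTS, fs, APP_DIR, cwd=APP_DIR)


if __name__ == "__main__":
    for name, chosen, shadowed in run_sample():
        print(f"{name}: loads from {chosen} (shadows {shadowed})")
```

On the constructed input only `version.dll` is reported: `kernel32.dll` and `user32.dll` resolve from System32 because no copy exists in the application directory. The same check, run over a listing of a suspicious directory plus the import table of the EXE found in it, is a quick way to confirm the SFX-dropper pattern from the previous slide before any dynamic analysis.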

Page 13: ChChes Malware Family – Malware Loading Mechanisms (Part 2): Memory execution / AV Evasion

Page 14: AV Evasion

Type 1: No Encryption
• Loader code varies (Loader 1.1, Loader 1.2, ... Loader 1.x)
• Code in .data section

Page 15: AV Evasion

Type 2: Byte-per-byte XOR (PDB: D:\Projects\ByPassAV\WinCConnect)

(Flowchart: while i < data len: get next key from XOR TABLE, XOR original byte; annotated “Programming Error?”)

Page 16: AV Evasion

Type 3: Single Key XOR + 1 more (PDB: D:\Projects\ByPassAV\Win32Project2)

(Diagram labels: XOR, AES)

Page 17: AV Evasion – Backdoor Versions vs Packer Type

(Chart: x-axis dates 7-Sep-16, 27-Sep-16, 17-Oct-16, 6-Nov-16, 26-Nov-16, 16-Dec-16, 5-Jan-17; y-axis versions None, 1.0.0, 1.3.0, 1.3.2, 1.4.0, 1.4.1+; series Type 1, Type 2 (XOR), Type 3 (XOR+1); Heuristic Detection)
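The Type 2 packer on slide 15 XORs each payload byte with the next entry of a key table, cycling through the table. The following is an added example, not code from the presentation: it implements that transform and, from the analyst's side, recovers the table length and contents from the packed blob alone, so a loader's .data blob can be unpacked without stepping through the loader. The slides show neither a table nor a payload, so both are constructed; the recovery rests on one analyst assumption, that the plaintext's most common byte is 0x00 (usual for native code and data blobs). Type 3's XOR layer is the length-1 case of the same transform; its second layer is not modelled.

```python
"""Unpack a Type 2 (byte-per-byte XOR table) payload and recover the table.

Added example, not code from the presentation. Table and plaintext are
constructed; the recovery assumes 0x00 is the plaintext's most common byte.
"""
from collections import Counter
from typing import Dict, Tuple


def xor_table(data: bytes, table: bytes) -> bytes:
    """Type 2 transform: byte i is XORed with table[i % len(table)].
    XOR is its own inverse, so one function both packs and unpacks."""
    if not table:
        raise ValueError("empty XOR table")
    return bytes(b ^ table[i % len(table)] for i, b in enumerate(data))


def column_score(blob: bytes, length: int) -> float:
    """Average, over the `length` key positions, of the share held by that
    position's most frequent ciphertext byte; peaks when `length` is the
    table length (or a multiple of it)."""
    total = 0.0
    for j in range(length):
        column = blob[j::length]
        total += Counter(column).most_common(1)[0][1] / len(column)
    return total / length


def guess_table_length(blob: bytes, max_length: int = 16, ratio: float = 0.7) -> int:
    """Smallest length scoring within `ratio` of the best candidate; multiples
    of the true length score about the same, hence the preference for small."""
    scores: Dict[int, float] = {n: column_score(blob, n) for n in range(1, max_length + 1)}
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= ratio * best)


def recover_table(blob: bytes, length: int) -> bytes:
    """With 0x00 the dominant plaintext byte, the dominant ciphertext byte in
    column j is 0x00 ^ table[j] = table[j]."""
    return bytes(Counter(blob[j::length]).most_common(1)[0][0] for j in range(length))


def constructed_plaintext(n: int = 1200, seed: int = 0x5EED) -> bytes:
    """Deterministic stand-in for a code/data blob: roughly 40% zero bytes,
    the rest pseudo-random from a small LCG (no dependence on `random`)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append(0 if (x >> 24) % 5 < 2 else (x >> 16) & 0xFF)
    return bytes(out)


TABLE = bytes.fromhex("5a17c3e9048b2f66")  # constructed 8-byte XOR table


def demo() -> Tuple[int, bytes, bool]:
    """Pack the constructed blob, then recover length and table from the
    ciphertext alone and check that unpacking with them restores the blob."""
    plain = constructed_plaintext()
    packed = xor_table(plain, TABLE)
    length = guess_table_length(packed)
    table = recover_table(packed, length)
    return length, table, xor_table(packed, table) == plain


if __name__ == "__main__":
    length, table, ok = demo()
    print(f"table length {length}, table {table.hex()}, unpack ok: {ok}")
```

The length guess deliberately prefers the smallest candidate, because a table of length 8 scores as well as 16 or 32; on a real blob, verify the recovered table by checking that the unpacked bytes disassemble cleanly or contain the expected strings rather than trusting the score alone.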

Page 18: ChChes Malware Family – Behavior & Protocol

Page 19: How to communicate with C2?

ChChes can use various HTTP methods (GET / HEAD / POST).
When it uses the GET / HEAD method, it embeds the encrypted data in the Cookie header.
It also encrypts data using AES once it has received the AES module from C2.

(Sequence diagram, ChChes ↔ C2)
1. ChChes sends system information (checkin) → C2 returns the Bot ID
2. ChChes asks for a command / module → C2 returns the command / module
3. ChChes sends the command result

Page 20: How to decrypt C2 request?

Cookie header format: KEY 1 = VALUE 1 ; KEY 2 = VALUE 2 ; ... ; KEY N = VALUE N ;

Decryption pipeline (diagram labels: Base64 decode, RC4 decrypt, Middle MD5, RC4, RC4): Base64 decode, then RC4 decrypt with key material derived by Middle MD5, yielding the plaintext request:
AADMIN-PC*3040?3618468394?C:\Users\Admin\AppData\Local\Temp\?1.0.0*6.1.7601.17514

Middle MD5: hashlib.md5(key).hexdigest()[8:24]

Page 21: C2 request: Checkin

Checkin (ver 1.0.0 – 1.3.0):
A ADMIN-PC*3040?3618468394?C:\Users\Admin\AppData\Local\Temp\?1.0.0*6.1.7601.17514

Fields: Request type (A) | System information: Computer name, PID, Fixed value, %TEMP%, ChChes version, Explorer.exe file version

Version Differences:
1.3.2 [CHANGE] Explorer.exe file version → Kernel32.dll file version
1.4.1 [ADD] Screen resolution
1.6.4 [ADD] Middle MD5 of SID
1.7.3 [CHANGE] Middle MD5 of SID → Middle MD5 of <SID + Computer Name>; [ADD] OS bit information (x64)

Page 22: C2 response: Checkin

Bot ID: Middle MD5 of checkin[1:].split(‘?’)[0]

Checkin: A ADMIN-PC*3040 ? 3618468394?C:\Users\Admin\AppData\Local\Temp\?1.0.0*6.1.7601.17514
MD5 of the first field (ADMIN-PC*3040): 3ed87aa8d3997f307d564609405c9c9c
Bot ID (16 bytes, the middle of that MD5): d3997f307d564609

Page 23: C2 request: Get Command and Module

Decrypted request: d3997f307d564609B
Fields: Bot ID (16 bytes) | Request type (B)

Page 24: C2 response: Get Command and Module

(Diagram) The response, Base64 (+ AES once the AES module is active), is decrypted using Middle MD5 of the Bot ID as key material to yield the Command / Module.

Page 25: Structure of Command and Module

Module:
• Encrypt C2 communication by AES
• Execute shell command
• Upload/Download file
• Load/Execute DLL
• ...

Layout (diagram):
Command header (16 bytes): Size of command, Size of module header + module, Address of module header, Command name
Module header (48 bytes): Module size, Module checksum
Module

Page 26: C2 request: Send command result

AES encrypted if the bot has received the AES module.

Decrypted request: d3997f307d564609C e4bdee527e274ea3 RESULT
Fields: Bot ID (16 bytes) | Request type (C) | Middle MD5 of command name | Result

(Diagram) Command result structure: Size of command result, Address of module header, Command result
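Slides 19 to 26 give enough of the protocol to write a decoder for captured traffic. The following is an added example, not code from the presentation. Taken from the slides: the Cookie "KEY = VALUE ;" container, the Base64-then-RC4 decryption stage, Middle MD5 = md5(x).hexdigest()[8:24], the ver 1.0.0–1.3.0 checkin layout, Bot ID = Middle MD5 of checkin[1:].split('?')[0], the "B" (get command) and "C" (send result) request layouts, and Middle MD5 of the Bot ID as key material for the command response. Assumptions: `CHECKIN_KEY` is a placeholder for the per-sample RC4 key of the checkin request, the cookie name `session` and the command name `shell` are constructed, the optional AES layer is not modelled, and the RC4 is a textbook pure-Python one rather than the malware's routine. The exchange is generated and decoded in the same block so it runs offline.

```python
"""Decode the ChChes C2 exchange described on slides 19 to 26.

Added example, not code from the presentation. CHECKIN_KEY, the cookie
name and the command name are constructed; the AES layer is not modelled.
"""
import base64
import hashlib
from typing import Dict, List, Union


def middle_md5(data: Union[str, bytes]) -> str:
    """Middle 16 hex digits of MD5, as defined on slide 20."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.md5(data).hexdigest()[8:24]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_cookie(header: str) -> Dict[str, str]:
    """Split 'KEY 1 = VALUE 1 ; KEY 2 = VALUE 2 ;' into a dict."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def decrypt_stage(value_b64: str, key: str) -> bytes:
    """One Base64 -> RC4 stage of the pipeline on slide 20."""
    return rc4(key.encode(), base64.b64decode(value_b64))


def encrypt_stage(plain: bytes, key: str) -> str:
    return base64.b64encode(rc4(key.encode(), plain)).decode()


def parse_checkin(plain: str) -> Dict[str, str]:
    """Checkin for ver 1.0.0-1.3.0 (slide 21): 'A' + computer name*PID ?
    fixed value ? %TEMP% ? ChChes version*Explorer.exe file version."""
    parts = plain[1:].split("?")
    name, pid = parts[0].split("*", 1)
    version, explorer = parts[3].split("*", 1)
    return {"request_type": plain[0], "computer_name": name, "pid": pid,
            "fixed_value": parts[1], "temp": parts[2],
            "chches_version": version, "explorer_version": explorer}


def bot_id(checkin_plain: str) -> str:
    """Bot ID (16 bytes) as computed on slide 22."""
    return middle_md5(checkin_plain[1:].split("?")[0])


def get_command_request(bid: str) -> str:  # slide 23: Bot ID + 'B'
    return bid + "B"


def send_result_request(bid: str, command_name: str, result: str) -> str:
    """Slide 26: Bot ID + 'C' + Middle MD5 of command name + result."""
    return bid + "C" + middle_md5(command_name) + result


def parse_request(plain: str) -> Dict[str, str]:
    """Dispatch a decrypted request on its type ('A' leads; 'B'/'C' follow the Bot ID)."""
    if plain.startswith("A"):
        return parse_checkin(plain)
    bid, req_type, rest = plain[:16], plain[16:17], plain[17:]
    if req_type == "B":
        return {"request_type": "B", "bot_id": bid}
    if req_type == "C":
        return {"request_type": "C", "bot_id": bid,
                "command_hash": rest[:16], "result": rest[16:]}
    raise ValueError("unknown request type %r" % req_type)


CHECKIN_KEY = "PLACEHOLDER-CHECKIN-RC4-KEY"  # hypothetical; per-sample in practice
SAMPLE_CHECKIN = ("AADMIN-PC*3040?3618468394?"
                  "C:\\Users\\Admin\\AppData\\Local\\Temp\\?1.0.0*6.1.7601.17514")


def emulate_exchange() -> List[Dict[str, str]]:
    """Both sides of the three-step exchange on slide 19, returned as the
    decoded requests a sensor would log."""
    log = []
    cookie = "session = %s ;" % encrypt_stage(SAMPLE_CHECKIN.encode(), CHECKIN_KEY)
    checkin = decrypt_stage(parse_cookie(cookie)["session"], CHECKIN_KEY).decode()
    log.append(parse_request(checkin))
    bid = bot_id(checkin)
    log.append(parse_request(get_command_request(bid)))
    response = encrypt_stage(b"shell", middle_md5(bid))  # C2 -> implant, constructed command
    command = decrypt_stage(response, middle_md5(bid)).decode()
    log.append(parse_request(send_result_request(bid, command, "RESULT")))
    return log


if __name__ == "__main__":
    for entry in emulate_exchange():
        print(entry)
```

Because the Bot ID is a pure function of the computer name and PID, the same host checking in from the same process yields the same 16-byte prefix on every later request, which is the field to pivot on when correlating "B" and "C" requests across a capture; the 16-byte Middle MD5 of the command name in "C" requests can be matched against a small dictionary of expected command names.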

Page 27: ChChes Malware Family – Malware Evolution

Page 28: Debug build of ChChes (ver 1.3.0)

Source code files (from debug information): server.c, data.h, tcp_conn.h, _http.h, http_con.h, task_mgmt.h, command.h

Page 29: Bugs

(Screenshots of bugs, labelled by affected versions: ver 1.0.0 – ver 1.3.2; ver 1.4.1; ver 1.0.0 – ver 1.7.3)

Page 30: Some features added in newer versions

HEAD method is removed (1.4.1 - ) / POST method is added (1.6.4 - )

Get proxy information from Protected Storage (1.6.4 - )

Decrypt / encrypt some functions at runtime (1.7.3)
(Diagram: Decrypt & Execute → Encrypt)

Page 31: ChChes Malware Family – Second Stage

Page 32: Second Stage Attack

(Diagram) Non-Persistent ChChes → Second Stage Malware: Legitimate File + Loader + [exe name].bin → Decrypt → Another Registry Path → Decrypt → Final Payload: ChChes version 1.7.3

Page 33: Second Stage Protocol

(Traffic comparison: Regular ChChes vs Second Stage ChChes)

Page 34: Detection Free?

(Chart: Detection Rate)

Page 35: Hacking Tools

Mail Password Recovery Tool (Hacking Tool – Mail Password Dumper)

Browser Password Recovery Tool (Hacking Tool – Browser Password Dumper)

Page 36: TinyX Malware Family

Page 37: Background

TinyX (“Tiny PlugX”)
• No plugin capability
• Shares some similarities with PlugX

(Diagram: Open Lure → TinyX)

Page 38: TinyX vs PlugX

(Side-by-side comparison: PlugX | TinyX)

Page 39: RedLeaves Malware Family

Page 40: RedLeaves

Similar to another RAT – Trochilus

Some PlugX-like mechanisms:
— DLL Hijacking
— Similar code flow in dropper and loader
— Replace injected malware MZ/PE header with 0xFF

Source: Shusei Tomonaga. (2017 April 3). Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). “RedLeaves - Malware Based on Open Source RAT.” http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html

Page 41: RedLeaves Variant

(Timeline) 2017/04/03: NCC Group RedLeaves YARA Rule → 2017/04/13: New Variant evades the YARA Rule

Page 42: Attribution – Ties to menuPass / APT 10 / StonePanda

Page 43: First Trigger (infrastructure graph)

(Graph; edge types: Connect, Drop, Attack, Resolve)
Domains: mailj.hostport9.net, music.websegoo.net, vm.vmdnsup.org, vmyiersend.websago.info, scorpion.poulsenv.com, sbuudd.webssl9.info
IP addresses: 138.128.206.253, xxx.xxx.121.204, 185.117.88.80 or 185.117.88.81
Malware nodes: PlugX, ChChes, PoisonIvy, Packer
Other nodes: Organization

Page 44: Ties to menuPass / APT 10 / StonePanda

Similar Packer: ChChes, PlugX

Similar Targets: ChChes, PlugX, TinyX, RedLeaves, PoisonIvy

C&C Infrastructure

Page 45: Attribution – Ties to Emdivi

Page 46: Decryption

2nd Stage Emdivi (Emdivi Payload)
• Key material: User SID
• Algorithm: MD5, RC4

2nd Stage ChChes (ChChes Payload)
• Key material: User SID, Windows ProductId, Forged registry keys
• Algorithm: MD5, SHA512, AES

Page 47: Samples

(Diagram) Two samples from the Same Machine, Acquire Date 2015-07-[DD+1]:
• Compile Date 2015-07-[DD], menuPass Domain
• Compile Date 2015-07-[DD], Same packer as ChChes

Page 48: Summary

Page 49: Summary – ChessMaster Campaign

Mostly attacks Japan

Uses newly developed malware, ChChes, and other malware such as TinyX, PlugX and RedLeaves

Will respond to public disclosure

Is related to the menuPass campaign and the Emdivi malware family

Second stage ChChes is able to evade AV detection to this day

Page 50: Apply What You Have Learned Today

Spear phishing is the major arrival vector of ChessMaster
• Educate employees
• Patch systems
• Adopt APT security solutions

Threat intelligence matters
• It is the key that keeps us one step ahead of the threat actor
• If you think you have been the target of an APT campaign:
— Share the information with your security vendor
— Don't format the infected machines, but ask for IR service
— Prepare for the next attack, based on what you learned in previous attacks

Page 51: Thank You!

Page 52: Reference

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-cloud-hopper-what-you-need-to-know

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/understanding-targeted-attacks-defensive-measures

http://www.jpcert.or.jp/magazine/acreport-ChChes.html

https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html

http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/

https://www.lac.co.jp/lacwatch/people/20170223_001224.html

https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

http://csirt.ninja/?p=1103

http://blog.jpcert.or.jp/2017/03/malware-leveraging-powersploit.html

https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf

http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html