Operation Hangover - Black Hat 2013

Post on 09-Jun-2015

Transcript of Operation Hangover - Black Hat 2013

Operation HangOver: how to outsource your APT development

Jonathan Camp

About Me

• Norman Shark, offices in Oslo and San Diego

• American in Norway FTW!

Overview

• HangOver in 60 seconds
• And I care because?
• Intrusion
• Post-Publication
– OSX exploits in the wild

• Next Steps

Disclaimer: "None of the information contained in this presentation is intended to implicate any individual or entity or suggest inappropriate activity by any individual or entity mentioned"

TL;DR

• Telenor → Norwegian telco; 17 billion dollars
– Went public with intrusion in March 2013

• spear phishing; known exploits; no stealth; no crypto

• Investigation by Norman Shark uncovered extensive landscape of malware, actors, and development patterns

Commoditization, Componentization and Outsourcing

• Targeting government and the private sector
• Many indicators showing Indian origin

TL;DR

Surveillance Platform

Industrial Espionage

National Security Targets

Why is this interesting?

Scale

Lack of sophistication

Organizational aspects

“Script-kiddies += scrum”

Why does this even work?

Telenor Intrusion

Spear phishing email

• Self-extracting ZIP archive containing:
– conhosts.exe and legal operations.doc

Payload

• Minimally obfuscated VB binaries
• Connecting via HTTP port 80 to wreckmove.org

GET /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]

• Observed C&C:
– wreckmove.org
– infocardiology.biz
– enlighten-energy.org
– researcherzone.net
– 151.237.188.167
– gadgetscorner.org

Telenor Epilogue

• Seemed like a pretty simple phishing case

• Then a second phishing email was seen:

http://mail.telenor.no-cookieauth.dll-getlogon-reason-0.formdir-1-curl-z2fowaz2f.infocardiology.biz

Telenor Epilogue

Followed by:

internet-security-suite-review.toptenreviews.com.infocardiology.biz

• An exact copy of toptenreviews.com
• And it was hosting a trojaned BitDefender installer

Expansion

Following the trail

• Strong behavioral indicators
• No anti-sandboxing tricks
• Hits in all major public DBs
– VirusTotal, malwr, ThreatExpert

DNS

URL Patterns

VBScript signatures

• Now we have a “pile” of domain names
• Note: no DGA
• Most domains parked or dead
• But not all…

Open Directories!

Treasure Trove

• Additional signed malware
• Keylogs
• Malware naming and embedded documents reveal potential targets

details_for_the_ENRC_Board_Meeting_X10FR333_2012.exe

ENRC__DEBT__INVESTORS__2012__for__your__Reference.docx

agni5_inda's_deadliest_ballistic_nuclear_missile.exe

detail_description_of_ferro_chrome_silicon_and_ferro_chrome.exe

Exploits

• No 0-days
• Well-known vulnerabilities
– CVE-2012-0158 – MSCOMCTL.OCX
– CVE-2012-4792 – IE 6-8 use-after-free
– CVE-2012-0422 – Java

• get.adobe.flash.softmini.net

Smackdown

• VisualBasic downloaders
• Similar methods (simple) of string obfuscation

Smackdown

D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\NewSmack(sep2012)\miNaPro.vbp

Telenor case: C:\miNaPro.vbp

HangOver aka Hanove

• Second stage malware
• C++
• Recursively scan for office documents
• Upload via HTTP or FTP
– Commonish UserAgents

• Alternate names from debug paths:
– “HangOver”, “Ron”, “Dragonball”, “Tourist”, “Klogger”, “FirstBlood” and “Babylon”

Targeting

• Sinkhole logs
• Strange domain names
• Social engineering attempts

Pakistan

• Two thirds of addresses in logs

GET /sdata/shopx.php?fol=EMBASSYOFPAKIST-Embassy%20of%20Pakistan…

And many more…

• China
• Industrial espionage
– Telenor

• Other possible targets:
– Eurasian Natural Resources Corporation
– Bumi PLC, Indonesia
– Porsche Informatik
– Chicago Mercantile Exchange

Chicago Mercantile Exchange

• cmegroups.net spoofing cmegroup.com
– Same IP as other HangOver C&C

• Complaint filed with WIPO

The disputed domain name had been used by an imposter who has claimed to be the secretary of the Complainant’s president Terrence Duffy. Using the email address “[…]@cmegroups.net” the imposter has requested investment information on the pretext that it was sought by Mr. Duffy.

Attribution

Attribution 101:: Why?

1. Law enforcement – stop the bad guys
Most stringent burden of proof

2. Correlation – expanded gathering of evidence

Concerned with similarity of actors rather than who

Attribution 101:: How?

• Strings
– can be faked

• DNS registrations
– not authenticated

• Signed binaries
– certificates can be stolen

• Function signatures
– benign libraries

• URL/C&C patterns
– Copypasta and benign libraries

• OSI (open source intelligence)
– Not validated

“The problem with internet quotes is that you can’t always depend on their accuracy” – Abraham Lincoln, 1864

strings FTW

R:\payloads\ita nagar\Uploader\HangOver 1.5.7 (Startup)\HangOver 1.5.7 (Startup)\Release\Http_t.pdb

C:\Users\neeru rana\Desktop\Klogger- 30 may\Klogger- 30 may\Release\Klogger.pdb

C:\Users\Yash\Desktop\New folder\HangOver 1.5.7 (Startup) uploader\Release\Http_t.pdb

...May Payload\new keylogger\Flashdance1.0.2\...

...\Monthly Task\August 2011\USB Prop\...

...\Sept 2012\Keylogger\Release\...

...\June mac paylods\final Klogger-1 june-Fud from eset5.0\Klogger- 30 may\...

...\final project backup\complete task of ad downloader& usb grabber&uploader\...

...D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\...

strings FTW

C:\BNaga\backup_28_09_2010\threads tut\pen-backup\BB_FUD_23\Copy of client\ Copy of client\appinbot_1.2_120308\Build\Win32\Release\appinclient.pdb

C:\BNaga\kaam\Appin SOFWARES\RON 2.0.0\Release\Ron.pdb

C:\BNaga\SCode\BOT\MATRIX_1.2.2.0\appinbot_1.2_120308\Build\Win32\Release\deleter.pdb

C:\Documents and Settings\Administrator\Desktop\Backup\17_8_2011\MATRIX_1.3.4\CLIENT\Build\Win32\Release\appinclient.pdb

D:\Projects\Elance\AppInSecurityGroup\FtpBackup\Release\Backup.pdb

Domain Game

• Several hundred names
• Most with private registration
• Correlation muddied by sinkholes and parked domains
• Fingerprint open services (e.g. ESMTP)

Malicious Domains

NITR0RAC3.COM, VALL3Y.COM, S3RV1C3S.NET, GAUZPIE.COM, BLUECREAMS.COM:

Registrant: NA Prakash (mail@gmail.com) Jain TY-76, Kohat Enclave Delhi Delhi,110034 IN Tel. +011.9873456756

Non-Malicious Domain (May 2011)

HACKERSCOUNCIL.COM:

Registrant: NA Prakash (mail@gmail.com) Jain TY-76, Kohat Enclave Delhi Delhi,110034 IN Tel. +011.9873456756

Non-Malicious Domain (April 2011)

HACKERSCOUNCIL.COM:

Registrant: Appin Technologies Rakesh Gupta (rakesh.gupta@appinonline.com) 9th Floor, Metro Heights,NSP, PitamPura, Delhi Delhi,110034 IN Tel. +91.1147063300

Privacy Fail

PIEGAUZ.NET

Registrant: PrivacyProtect.org Domain Admin (contact@privacyprotect.org) P.O. Box 97 Note - All Postal Mails Rejected, visit Privacyprotect.org Moergestel null,5066 ZH NL Tel. +45.36946676

Domain Suspension

• PrivacyProtect.org provides private DNS registration

Privacy Fail

PIEGAUZ.NET

Registrant: Appin Technologies Rakesh Gupta (rakesh.gupta@appinonline.com) 9th Floor, Metro Heights,NSP, PitamPura, Delhi Delhi,110034 IN Tel. +91.1147063300

FAIL

Post-Publication

Samples received by Norman Shark that attempt to contact a known HangOver domain

OSX Exploitation and Attribution

Oslo Freedom Forum

• May 16th F-Secure reported new OS X spyware

• Mach-O universal (i386, x86_64)
• Contacted:
– securitytable.org and docsforum.info
– Both seen as part of previous HangOver research

Apple Dev IDs

• Oslo malware was signed with an Apple Dev ID

Image via F-Secure

URL Correlation

• 10 samples with identical Apple Dev IDs

securitytable.org/lang.php

torqspot.org/App/MacADV/up.php?cname=%@&file=%@

docsforum.info/lang.php

liveapple.eu/ADMac/up.php?cname=%@&file=%@&res=%@

URL Correlation

• Search VxDB for php?cname=file=

URL Correlation

• Two different target OSes
• Different domains
• Same URL pattern
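The URL shapes are the pivot the talk keeps returning to: the Smackdown VB downloader beacons to snwd.php with tp/tg/tv/ts parameters, and the OS X uploaders post to up.php with cname/file parameters on otherwise unrelated domains. The following is an added example (not code from the talk or from Norman Shark) that turns those two shapes into a triage check over proxy log lines; the log format and all hostnames/values in SAMPLE_LOG are constructed for the example, and the patterns are assumed to be useful for triage rather than a substitute for the full report's indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL shapes taken from the slides: the VB downloader beacon and the Mac document uploader.
# Assumption: path plus the full parameter set is specific enough for a first-pass triage rule.
SMACKDOWN_BEACON = re.compile(r"/snwd\.php$")
SMACKDOWN_KEYS = {"tp", "tg", "tv", "ts"}
MAC_UPLOAD = re.compile(r"/up\.php$")
MAC_UPLOAD_KEYS = {"cname", "file"}


def classify_url(url):
    """Return a label when the request matches a HangOver C&C URL shape, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    params = set(parse_qs(parts.query, keep_blank_values=True))
    # Require every parameter the malware sends, so a lone "?tp=1" on some CMS does not fire.
    if SMACKDOWN_BEACON.search(parts.path) and SMACKDOWN_KEYS <= params:
        return "smackdown-vb-downloader-beacon"
    if MAC_UPLOAD.search(parts.path) and MAC_UPLOAD_KEYS <= params:
        return "hangover-document-uploader"
    return None


# Constructed proxy log lines (timestamp, client, method, url, status); not real traffic.
SAMPLE_LOG = """\
1370000001.100 10.0.0.5 GET http://wreckmove.org/flaws/snwd.php?tp=1&tg=AB12&tv=Error[]&ts=WinXP 200
1370000002.200 10.0.0.7 GET http://www.example.com/index.php?tp=1 200
1370000003.300 10.0.0.9 POST http://liveapple.eu/ADMac/up.php?cname=mac-01&file=q3.doc.zip&res=ok 200
1370000004.400 10.0.0.9 GET http://torqspot.org/App/MacADV/up.php?cname=mac-01 404
"""


def scan_log(text):
    """Yield (client, url, label) for every log line whose URL matches a known shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash mid-scan
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], fields[3], label))
    return hits


if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
```

The fourth sample line deliberately carries only cname, so it is not flagged; matching on the complete parameter set is what keeps the rule from firing on every up.php on the internet.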

Code Flow

• Disassembled a few OS X binaries
1. Search for *.doc, *.ppt, *.xls
2. Compress documents
3. POST to server
4. Ensure crontab entry
5. loop

Where now?

Operation HangOver could have been prevented by the most basic of security precautions

Closing questions & comments

MAG2 saw it. Why didn’t AV work?
Signature definitions can lag by days or weeks

Step 1: assume users are dumb special
Step 2: ?

Behavioral (dynamic) analysis is a mandatory component of any security infrastructure

Special Thanks

• Snorre Fagerland & Morten Kråkvik
• Norman Shark AMD Team

For more information:

jonathan.camp@norman.com
@NormanSec, @irondojo
Black Hat 2013, Booth 321

Full Report: http://normanshark.com/hangoverreport/