Part 1 - Reversing and Decrypting Communications of HeartBeat RAT
![Page 1: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/1.jpg)
Part 1 -Reversing and Decrypting Communications of HeartBeat RAT
Monnappa
www.SecurityXploded.com
Advanced Malware Analysis Training Series
![Page 2: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/2.jpg)
Disclaimer
The content, demonstration, source code and programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely the trainer's own and have nothing to do with the company or the organization in which the trainer is currently working.
In no circumstances is the trainer or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.
![Page 3: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/3.jpg)
Acknowledgement
Special thanks to Null community for their extended support and co-operation.
Special thanks to ThoughtWorks for the beautiful venue.
Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.
![Page 4: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/4.jpg)
Advanced Malware Analysis Training
This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets, free of cost.
For complete details of this course, visit our Security Training page.
![Page 5: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/5.jpg)
Who am I
Monnappa
m0nna
Member of SecurityXploded
Info Security Investigator @ Cisco
Reverse Engineering, Malware Analysis, Memory Forensics
Email: [email protected] Twitter: @monnappa22
LinkedIn: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
![Page 6: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/6.jpg)
Contents
Overview of Advanced threats
HeartBeat APT campaign
Part 1A – Demo (Decrypting the communications of HeartBeat RAT)
Part 1B – Demo (Reverse Engineering the HeartBeat RAT)
References
![Page 7: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/7.jpg)
Overview of advanced threats
Sophisticated
Stealthy
Multistaged
Targeted
Uses zero day exploits
Designed for long term manipulation
![Page 8: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/8.jpg)
HeartBeat APT Campaign
Targeted attack exposed by Trend Micro document: http://blog.trendmicro.com/trendlabs-security-intelligence/pulsing-the-heartbeat-apt/
Targeted organizations related to the South Korean government (political parties, media outfits, South Korean military)
“HeartBeat RAT" was used to gain access over their targets network
In this session, we will:
Part 1a) Decrypt the communications of HeartBeat RAT
Part 1b) Reverse Engineer the HeartBeat RAT
![Page 9: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/9.jpg)
Part 1A – Demo
Decrypting The Communications Of HeartBeat RAT
![Page 10: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/10.jpg)
HeartBeat RAT Network Traffic
The screenshot below shows the HeartBeat RAT traffic on port 80 and the connection to a malicious domain.
![Page 11: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/11.jpg)
Encrypted communications of HeartBeat RAT
The part highlighted in red is the header and the part in green is the encrypted traffic.
![Page 12: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/12.jpg)
Decryption Script (heart_decrypt.py)
The screenshot below shows the script usage.
![Page 13: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/13.jpg)
Decrypted Communication
The screenshot below shows the decrypted C2 check-in. The part marked in red is the hostname of the infected machine.
![Page 14: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/14.jpg)
Decrypted Communication (contd...)
![Page 15: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/15.jpg)
Part 1B – Demo
Reverse Engineering The HeartBeat RAT
![Page 16: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/16.jpg)
Malware Decrypts Strings
The screenshots below show the malware decrypting the C2 domain.
![Page 17: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/17.jpg)
Malware Decrypts Strings (contd...)
The screenshots below show the malware decrypting the campaign password "qawsed".
![Page 18: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/18.jpg)
Malware Decrypts Strings (contd...)
The screenshots below show the malware decrypting the campaign code "jpg-jf-0925".
![Page 19: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/19.jpg)
Malware Resolves C2 Domain
The screenshots below show the malware resolving the C2 domain and the corresponding network traffic.
![Page 20: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/20.jpg)
Malware Connects to C2 Domain
The screenshots below show the malware establishing a connection to the C2 domain.
![Page 21: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/21.jpg)
Malware Collects System Information
The screenshots below show the malware collecting system information.
![Page 22: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/22.jpg)
Malware Collects Hostname Information
The screenshots below show the malware collecting the hostname information.
![Page 23: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/23.jpg)
Malware Uses XOR Encryption
The malware uses an XOR algorithm (single-byte key 0x2) to encrypt the collected data.
![Page 24: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/24.jpg)
Malware Uses XOR Encryption (contd...)
The screenshot below shows the encrypted data.
![Page 25: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/25.jpg)
Malware Sends the Encrypted Data
The malware sends the encrypted data to the C2.
![Page 26: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/26.jpg)
Malware Sends the Encrypted Data (contd...)
The packet capture shows the encrypted traffic.
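As an added example (not the deck's heart_decrypt.py), the Python below decodes a HeartBeat-style check-in with the single-byte XOR key 0x2 the deck recovers in Part 1B, and cross-checks that key against the capture using the infected host's hostname as a known plaintext, which is how the decryption in Part 1A can be validated. The 8-byte header, the "field|field" layout and the sample bytes are constructed assumptions, not the RAT's documented format.

```python
from typing import Optional

KEY = 0x02  # single-byte XOR key stated in the deck (recovered by reversing)

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same routine encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def recover_key_from_crib(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Single-byte XOR key recovery from a known plaintext fragment (e.g. the
    infected machine's hostname, known from the sandbox). Slide the crib over the
    ciphertext; the first alignment whose derived key reproduces the whole crib is
    accepted. Returns None when no alignment fits."""
    for i in range(len(ciphertext) - len(crib) + 1):
        key = ciphertext[i] ^ crib[0]
        if xor_bytes(ciphertext[i:i + len(crib)], key) == crib:
            return key
    return None

def decode_checkin(packet: bytes, header_len: int, key: int = KEY) -> dict:
    """Split the cleartext header from the encrypted payload, decrypt the payload
    and pull out the hostname. The hostname-first, '|'-separated layout and the
    header length are assumptions made for this example."""
    header, body = packet[:header_len], packet[header_len:]
    plain = xor_bytes(body, key)
    fields = plain.split(b"|")
    return {
        "header": header,
        "hostname": fields[0].decode(errors="replace"),
        "fields": [f.decode(errors="replace") for f in fields],
    }

# Constructed sample capture: an assumed 8-byte header (type + payload length),
# then "hostname|campaign code|OS" XORed with 0x02. Not real HeartBeat traffic.
SAMPLE_HEADER = b"\x01\x00\x00\x00\x20\x00\x00\x00"
SAMPLE_PLAIN = b"VICTIM-PC|jpg-jf-0925|Windows XP"
SAMPLE_PACKET = SAMPLE_HEADER + xor_bytes(SAMPLE_PLAIN, KEY)

if __name__ == "__main__":
    # Confirm the reversed key against the wire data using the known hostname as crib.
    found = recover_key_from_crib(SAMPLE_PACKET[len(SAMPLE_HEADER):], b"VICTIM-PC")
    print(f"key from crib: 0x{found:02x}")
    print(decode_checkin(SAMPLE_PACKET, header_len=len(SAMPLE_HEADER)))
```

Because a single-byte XOR with 0x2 only flips one bit, the ciphertext still looks mostly printable in a packet capture; the crib check is what distinguishes the real key from a near miss.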
![Page 27: Part 1 -Reversing and Decrypting Communications of HeartBeat RAT](https://reader035.vdocuments.mx/reader035/viewer/2022062810/56815e47550346895dccbbd5/html5/thumbnails/27.jpg)
References
Complete Reference Guide for Advanced Malware Analysis Training
[Include links for all the Demos & Tools]