
McAfee White Paper Global Energy Cyberattacks : “ Night Dragon”

McAfee White Paper Global Energy Cyberattacks: “Night Dragon”. Presenter: 劉旭哲. Starting in November 2009, coordinated, covert and targeted cyberattacks have been conducted against global oil, energy, and petrochemical companies.





Presentation Transcript


  1. McAfee White Paper Global Energy Cyberattacks: “Night Dragon” Presenter: 劉旭哲

  2. Starting in November 2009, coordinated, covert and targeted cyberattacks have been conducted against global oil, energy, and petrochemical companies. • Social engineering, phishing attacks, exploitation of Windows, and remote administration tools (RATs)

  3. Harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations. • These attacks originate primarily in China. • McAfee has dubbed them Night Dragon.

  4. Anatomy of a Hack
  • Company extranet web servers: SQL-injection or spear-phishing attacks
  • Remote command execution
  • Hacker tools are uploaded on compromised web servers, allowing attackers to pivot into the company’s intranet
  • Using password cracking and pass-the-hash tools, attackers gain additional usernames and passwords, and with them authenticated access to sensitive internal desktops and servers
  • Disable Microsoft Internet Explorer (IE) proxy settings
  • Initially using the company’s compromised web servers as command and control (C&C) servers
  • Using the RAT malware, connect to other machines (targeting executives), exfiltrating email archives and other sensitive documents

  5. Anatomy of a Hack

  6. Hacking tools developed in China and widely available on Chinese underground hacker websites • Establish “backdoors” through reverse proxies and planted Trojans that allowed the attackers to bypass network and host security policies and settings.

  7. Use of remote administration tools • A commonly used RAT in the hacker community is Gh0st and its many variants. • RAT features often include screen and webcam spying, keystroke logging, mouse control, file/registry, and process management, and, of course, remote command shell capability.

  8. One of the most prevalent RATs is zwShell, which McAfee has seen in the wild since the spring of 2010 (compiled on 2010-03-17 08:47:00). • The attackers used custom variants of the Trojan. • They dumped account hashes with gsecdump and used the Cain & Abel tool to crack the hashes, leveraging them to target ever more sensitive infrastructures.

  9. Detection • The following artifacts can help to determine whether a company has been compromised:
  • Host files and/or registry keys
  • Anti-virus alerts
  • Network communications

  10. Host files and/or registry keys
  • zwShell.exe
  • 093640a69c8eafbc60343bf9cd1d3ad3
  • 85df6b3e2c1a4c6ce20fc8080e0b53e9
  • Trojan dropper: the dropper is deleted when the backdoor is installed
  • The temporary file is removed when the computer is restarted.
  • If a backdoor has already been configured on the system, the dropper installation will fail unless it uses a different configuration.

  11. Trojan backdoor
  • startup.dll A6CBA73405C77FEDEAF4722AD7D35D60
  • connect.dll 6E31CCA77255F9CDE228A2DB9E2A3855
  • Connect.dll creates the temporary file “HostID.DAT,” which is sent to the C&C server, then downloads and configures related DLLs including:
  • PluginFile.dll
  • PluginScreen.dll
  • PluginCmd.dll
  • PluginKeyboard.dll
  • PluginProcess.dll
  • PluginService.dll
  • PluginRegedit.dll

  12. Network communications • Each communication packet between the compromised host and the C&C server is signed with a plain text signature of “hW$.” (or “\x68\x57\x24\x13”) at the byte offset 0x42 within the TCP packet.

  13. The backdoor begins its beacon at approximately five-second intervals
  • The backdoor sends the password to the server in clear text after the server acknowledges the connection.
  • While the backdoor and the server have an active connection, the backdoor will send “keep-alive” messages.
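The two network indicators from slides 12 and 13 (a fixed 4-byte signature at offset 0x42 of the TCP packet, and a roughly five-second beacon) can be turned into simple detection checks. This is an added example, not code from the McAfee paper or this presentation; it assumes the byte buffer starts at the TCP header, since the slide does not say where the offset is measured from, and the packet and timestamp samples are constructed.

```python
import statistics

# Signature described on slide 12: "hW$." followed by 0x13. The last byte is a
# non-printable control character, which is why it renders as "." in the text.
NIGHT_DRAGON_SIG = b"\x68\x57\x24\x13"
SIG_OFFSET = 0x42  # byte offset 0x42 "within the TCP packet" (slide 12)


def has_night_dragon_signature(tcp_packet: bytes) -> bool:
    """True if the 4-byte signature sits exactly at offset 0x42.

    Assumption (not stated on the slide): the buffer begins at the TCP header.
    A buffer too short to reach the offset cannot match.
    """
    end = SIG_OFFSET + len(NIGHT_DRAGON_SIG)
    if len(tcp_packet) < end:
        return False
    return tcp_packet[SIG_OFFSET:end] == NIGHT_DRAGON_SIG


def looks_like_beacon(timestamps, expected=5.0, tolerance=0.5, min_samples=4):
    """Flag a series of connection times whose gaps cluster around ~5 seconds.

    The median of the inter-arrival gaps is used so that one long pause (for
    example, the host being offline) does not hide an otherwise regular beacon.
    """
    if len(timestamps) < min_samples:
        return False  # not enough observations to call it periodic
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return abs(statistics.median(gaps) - expected) <= tolerance


def build_packet(candidate: bytes) -> bytes:
    """Constructed sample packet: 0x42 filler bytes, then the candidate bytes."""
    return b"\x00" * SIG_OFFSET + candidate + b"\x00" * 8


if __name__ == "__main__":
    # Constructed samples: one packet carrying the signature, one that does not.
    print(has_night_dragon_signature(build_packet(NIGHT_DRAGON_SIG)))   # True
    print(has_night_dragon_signature(build_packet(b"\x68\x57\x24\x14")))  # False
    # Constructed connection times (seconds): ~5 s apart versus irregular.
    print(looks_like_beacon([0.0, 5.1, 9.9, 15.2, 20.0]))  # True
    print(looks_like_beacon([0.0, 1.0, 30.0, 31.0, 90.0]))  # False
```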

  14. Conclusion • Tools and techniques of this kind can be highly successful when targeting any industry. • These attacks focus not on using and abusing machines, but rather on the theft of specific data and intellectual property.

  15. Reference
  • http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
  • http://www.oxid.it/cain.html
