RAT-a-tat-tat Taking the fight to the RAT controllers
Who Am I • Jeremy du Bruyn • twitter: @herebepanda, irc: panda • Pentester / Consultant at SensePost • Spoke at a previous ZaCon about password cracking • Currently doing an MSc at Rhodes
What's this about • I've done some research on two prolific RATs that I'd like to share with y'all • I am not a malware researcher, I'm just an ex-network-pentester-consultant-infosec guy • Some dynamic analysis using Cuckoo Sandbox • Some static analysis using scripts to pick apart the server binaries • Ways to search for these RATs' controllers on the greater Internet • With an example
Background story • Malware.lu report on Mandiant's APT1 • Python code for finding Poison Ivy C2s • Are there any Poison Ivy C2s in ZA? • Writing robust network code is hard • Rather leverage Nmap (service probes and NSE) than reinvent the scanner • I didn't find any Poison Ivy C2s in ZA :) / :( • I really want to play with this, where can I get some samples? credit (http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf)
My collection • VirusTotal provides researchers with access to its Private API, which allows searching for and downloading samples • After speaking with some malware folks I got a list of the most popular RATs being used in attacks • (@vlad_o, @undeadsecurity, @bobmcardle) • Started collecting in August 2013 • Samples downloaded • Searched for “Poison.*” and “Fynloski.*” (the AV detection name for DarkComet) • Total 34 GB of samples • For sure a cheap VPS would hold the few hundred MBs of samples I'd download link (https://www.virustotal.com/en/documentation/private-api/)
RAT infrastructure • [diagram: victim “server” binaries calling out to the attacker's controller (“client”), optionally via a proxy] credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Poison Ivy • Been around for many years • Oldest version on the website is from 2006, first released in 2005 • Latest public version is 2.3.2, released in 2008 • Private versions still being released, including a Vista+ patch • Free to download off the author's website • Apparently very popular amongst Chinese attackers • Used by the APT1 group documented by Mandiant • Used in the 2011 RSA breach
Poison Ivy • Samples • 12,133 downloaded • 5,004 analysed • Too much pondering/figuring in the beginning • 26 live C2s • Not a lot I know, but they provide some interesting insights • Average PI C2 lifespan is 3 months • Analysis conducted using a mixture of the VirusTotal behavioural analysis results and a local Cuckoo Sandbox instance
VT Behavioural Analysis • They use a “cluster” of Cuckoo Sandbox machines to perform the analysis and provide the data via JSON • VirusTotal behavioural analysis is not conducted on all samples • Roughly 1 in 10 • Not allowed to share samples with 3rd parties
Cuckoo sandbox • Cuckoo Sandbox used for the majority of the samples • 5 WinXP SP2 virtual machine guests • Timeout of 2 minutes • Only DNS traffic allowed out of the guests, to an Unbound resolver on the Cuckoo host • Tweaked to report all traffic, even a lone SYN • Stock modules/processing/network.py doesn't report a connection attempt when the host is down (SYN with no reply), and the C2 address of a dead controller still matters • Malwr.com has the same problem • api.py is super useful • Submit jobs, get analysis reports in JSON • By the end, able to process a couple hundred samples a day
Analysis system • Postgres-driven • Info extracted from the samples is put into the DB: • C2 / proxy IP • Port • Scripts pick up unprocessed samples, perform liveness testing of the C2 and extract the Camellia key • Again writing the results to the DB
Poison Ivy • Camellia key used to authenticate the server and encrypt communication • Camellia is a block cipher, not a hashing algorithm • The same key (derived from the controller password, default “admin”) is shared by every server reporting to a C2 • Can be recovered from server traffic: the C2 encrypts a known challenge, and that ciphertext can be brute-forced offline :) link (https://en.wikipedia.org/wiki/Camellia_(cipher))
Poison Ivy • JtR module available for brute-forcing (malware.lu) • I've asked for its inclusion into hashcat • @atom, if you are reading this, *cough* oclhashcat
Vulnerabilities • Metasploit module for a buffer overflow bug in Poison Ivy 2.3.2 • Think Meterpreter on the controller • All you need is the C2 IP, port and clear-text Camellia password • Malware.lu guys used this to great effect • FireEye's “PIVY memory-decoding tool” for Immunity Debugger can also extract this info Link (http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof) (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
My contribution • Nmap service probes to detect C2s across the Internet and an NSE script to extract the Camellia key from server traffic
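How the probe and the key recovery fit together, as an added Python example written for this page (not the author's poison-ivy.nse, the malware.lu scanner or the Metasploit module). It assumes the handshake the public scanners use: send a 256-byte all-zero challenge, get back 256 bytes encrypted under the Camellia key, whose first 16-byte block then depends only on the password (assumed zero-padded to 32 bytes); the base64 of that block is the “key” string the later slides list and the thing JtR/hashcat brute-force. The offline password check needs the pyca/cryptography package; the FakeController class and the endpoints in the demo are constructed.

```python
"""Poison Ivy (PIVY) controller probe, fingerprint and offline password check.
Added example for this page; not the talk's NSE script, the malware.lu
scanner or the Metasploit module."""
import base64
import socket

# Assumption: the public scanners send a 256-byte all-zero challenge.
CHALLENGE = b"\x00" * 256


def pivy_fingerprint(response):
    """Base64 of the first 16-byte Camellia block of a controller's reply.
    With a zero challenge (and zero IV) that block is E_key(0^16), so it
    depends only on the password and is the crackable string the slides call
    the key. Returns None for replies that are not plausibly PIVY."""
    if len(response) != len(CHALLENGE):
        return None
    if response == CHALLENGE:  # a service that echoes input back is not PIVY
        return None
    return base64.b64encode(response[:16]).decode()


def probe_controller(conn):
    """Handshake over anything with sendall()/recv(): send the challenge,
    read exactly 256 bytes back (a short read means not PIVY), fingerprint."""
    conn.sendall(CHALLENGE)
    buf = b""
    while len(buf) < len(CHALLENGE):
        chunk = conn.recv(len(CHALLENGE) - len(buf))
        if not chunk:
            break
        buf += chunk
    return pivy_fingerprint(buf)


def probe_host(host, port, timeout=5.0):
    """Network wrapper: fingerprint string, or None if closed/other service."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return probe_controller(s)
    except OSError:  # refused, timed out, reset
        return None


def camellia_key(password):
    """Assumed derivation: ASCII password zero-padded to 32 bytes (Camellia-256)."""
    return password.encode()[:32].ljust(32, b"\x00")


def check_password(fingerprint, password):
    """Offline check of one candidate against a fingerprint: the operation the
    JtR/hashcat modules brute-force. Needs pyca/cryptography for Camellia."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    enc = Cipher(algorithms.Camellia(camellia_key(password)), modes.ECB()).encryptor()
    block = enc.update(CHALLENGE[:16]) + enc.finalize()
    return base64.b64encode(block).decode() == fingerprint


def cluster_by_fingerprint(results):
    """Group live controllers by fingerprint. A shared password across hosts is
    the pivot used later in the talk to tie IPs and hostnames together."""
    clusters = {}
    for endpoint, fp in results:
        if fp:
            clusters.setdefault(fp, []).append(endpoint)
    return {fp: sorted(eps) for fp, eps in clusters.items()}


class FakeController:
    """Canned controller for offline runs: answers the challenge with `reply`."""

    def __init__(self, reply):
        self.reply = reply
        self.received = b""

    def sendall(self, data):
        self.received += data

    def recv(self, n):
        chunk, self.reply = self.reply[:n], self.reply[n:]
        return chunk


if __name__ == "__main__":
    # Constructed reply: 256 bytes of 0x01, so the fingerprint is knowable.
    fp = probe_controller(FakeController(b"\x01" * 256))
    print(fp)  # AQEBAQEBAQEBAQEBAQEBAQ==
    print(cluster_by_fingerprint([("10.0.0.1:443", fp), ("10.0.0.2:80", fp), ("10.0.0.3:80", None)]))
```

Against a real host, `probe_host(ip, port)` returns the fingerprint or None, and `check_password(fp, "admin")` is the default-password test before handing the fingerprint to a cracker; a fingerprint seen on several IPs is the same controller password, which is the whole basis of the menuPass pivot later in the talk.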
DarkComet • Very popular around the world • Development abandoned by the author after reports of its use by the Syrian government • Crippled version available on the author's website • Current public full version is 5.3.1 • Current public crippled version is 5.4.1 “Legacy” • Fairly good collection available via .torrent Link (http://darkcomet-rat.com/) (https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection)
DarkComet • Samples • 33,592 downloaded (32 GB) • 12,133 analysed • 4,408 successfully • 40 live C2s • Analysis script inspired by AlienVault Labs • Only worked on v5, updated to work on v5.1+ credit (https://code.google.com/p/alienvault-labs-garage/downloads/list)
DarkComet • Encrypted server configuration contained within the binary • C2 IP, port, password • FTP host, port, username, password, path • Server configuration RC4-encrypted using a static per-version key: • V5.1+ : #KCMDDC51#-890 • V5.0 : #KCMDDC5#-890 • V4.2F : #KCMDDC42F#-890 • V4.2 : #KCMDDC42#-890 • V4.1 : #KCMDDC4#-890 • V2.x + 3.x : #KCMDDC2#-890 • The static key concatenated with the password (“PWD”) is the RC4 key used to authenticate and encrypt communications credit (http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf)
DarkComet • [diagram of the server-to-controller traffic] • All of this is encrypted using the static key + PWD credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Vulnerabilities • Controller makes use of a SQLite DB (comet.db), which contains information on all connected servers • SQLi • Arbitrary file download vulnerability: the protocol lets the controller overwrite and transfer files, but the controller doesn't check that it (the C2) initiated the transfer, so anyone who connects can pull files from it, comet.db included credit (http://www.matasano.com/research/PEST-CONTROL.pdf)
My contribution • Nmap service probes to detect C2s across the Internet • DarkComet • On connect the controller sends “IDTYPE”, RC4-encrypted with the default (and most popular) password, so the probe matches that fixed banner • Xtreme RAT • Sends “myversion|3.6 Public\r\n” • Receives "\x58\x0d\x0a" (“X\r\n”) followed by "\xd2\x02\x96\x49\x00\x00\x00\x00"
My contribution • Updated DarkComet configuration extraction script for v5.1+
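Worked example of the two DarkComet facts above: the static-key RC4 config that the extraction script decrypts, and the IDTYPE banner that the NULL-probe service match keys on. This is an added example written for this page in Python, not the talk's extraction script, the AlienVault script or DarkComet's own code. It assumes the stub carries its config as one hex-encoded RC4 blob, that the decrypted text begins with a `#BEGIN DARKCOMET DATA` marker and is laid out as key=value lines, and that the controller's first message is RC4(“IDTYPE”) under static key + password, hex-encoded; the config values, hostnames and the password `s3cret` are made up.

```python
"""DarkComet RC4 helpers: decrypt an embedded server config and derive the
IDTYPE banner a NULL-probe match can key on. Added example for this page;
not the talk's scripts, the AlienVault script or DarkComet code."""
from binascii import hexlify, unhexlify

# Static per-version keys as listed on the slides (Arbor ASERT report).
DARKCOMET_KEYS = {
    "5.1+": "#KCMDDC51#-890",
    "5.0": "#KCMDDC5#-890",
    "4.2F": "#KCMDDC42F#-890",
    "4.2": "#KCMDDC42#-890",
    "4.1": "#KCMDDC4#-890",
    "2.x/3.x": "#KCMDDC2#-890",
}


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(hex_blob):
    """Try every known static key against a hex-encoded config blob and return
    (version, fields) for the one that yields a config, else None. The
    '#BEGIN DARKCOMET DATA' marker test is an assumption about the layout."""
    try:
        raw = unhexlify(hex_blob.strip())
    except ValueError:
        return None
    for version, key in DARKCOMET_KEYS.items():
        plain = rc4(key.encode(), raw)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue  # wrong key: RC4 output is not printable text
        if not text.startswith("#BEGIN DARKCOMET DATA"):
            continue
        fields = {}
        for line in text.splitlines():
            if "=" in line and not line.startswith("#"):
                k, _, v = line.partition("=")
                fields[k.strip()] = v.strip()
        return version, fields
    return None


def idtype_banner(static_key, password=""):
    """Hex string the controller sends on connect: RC4("IDTYPE") under
    static key + password. An empty password is the default build."""
    return hexlify(rc4((static_key + password).encode(), b"IDTYPE")).decode().upper()


def nmap_match_line(version="5.1+", password=""):
    """NULL-probe match line in nmap-service-probes syntax for that banner."""
    banner = idtype_banner(DARKCOMET_KEYS[version], password)
    return f"match darkcomet m|^{banner}| p/DarkComet RAT controller/ v/{version}/"


def identify_banner(banner_hex, passwords=("",)):
    """Match a captured banner against every version/password pair. Each
    password gives a different banner, which is why a static probe only
    catches default-password controllers. Returns (version, password) or None."""
    for version, key in DARKCOMET_KEYS.items():
        for pwd in passwords:
            if idtype_banner(key, pwd) == banner_hex.upper():
                return version, pwd
    return None


# Constructed sample config in key=value layout; every value is made up.
SAMPLE_CONFIG = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-EXAMPLE}\r\n"
    "NETDATA=c2.example.net:1604\r\n"
    "PWD=\r\n"
    "FTPHOST=ftp.example.net\r\n"
    "FTPPORT=21\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)


def build_sample_blob(version="5.1+"):
    """Encrypt the constructed config the way a stub would carry it (hex of RC4)."""
    return hexlify(rc4(DARKCOMET_KEYS[version].encode(), SAMPLE_CONFIG.encode())).decode().upper()


if __name__ == "__main__":
    print(decrypt_config(build_sample_blob()))
    print(nmap_match_line())
    print(identify_banner(idtype_banner(DARKCOMET_KEYS["5.0"], "s3cret"), passwords=("", "s3cret")))
```

For a real stub, feed `decrypt_config` the hex string pulled from the binary's resource section; `identify_banner` with a wordlist of common passwords is the cheap way to widen the probe beyond default builds without touching the target again, since the banner only has to be captured once.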
menuPass Campaign • One of my samples had the filename “Strategy_Meeting.exe”, and a Google search gave me the FireEye report “Poison Ivy: Assessing Damage and Extracting Intelligence” • menuPass campaign launched in 2009 targeting defense contractors • Main industries targeted were • Defense, Consulting / Engineering, ISP, Aerospace, Heavy Industry, Government • Spear-phishing used as the initial attack vector • Weaponised .doc and .zip • Using pentest footprinting techniques I uncovered a bit about their infrastructure Link (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
menuPass Campaign • [CaseFile graph of the C2 infrastructure described on the following slides] credit (http://www.paterva.com/web6/products/casefile.php)
menuPass Campaign • “The IP 60.10.1.120 hosted the domain apple.cmdnetview.com” • This hostname appeared in my analysis but with an IP of 112.213.118.34 • One of my samples has hk.2012yearleft.com (112.213.118.33) and tw.2012yearleft.com (50.2.160.125) as C2s • tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in the FireEye report • 5 live samples using this C2 in my collection • All used Camellia key “ketcxsAWfeAxiQ64ndURvA==”
menuPass Campaign • New hostnames found using “ketcxsAWfeAxiQ64ndURvA==” from my samples: • banana.cmdnetview.com • drives.methoder.com • muller.exprenum.com • New hostnames in 50.2.160.0/24 from samples: • kmd.crabdance.com 50.2.160.104 • banana.cmdnetview.com 50.2.160.146 • drives.methoder.com 50.2.160.125 • muller.exprenum.com 50.2.160.125
menuPass Campaign • Using my Nmap poison-ivy.nse and nmap-service-probes.pi I found additional C2s in 50.2.160.0/24 (IP:port, hostnames from samples, Camellia key): • 50.2.160.42:80/443 3ntLjgUGgQUYeKl3ncWgeQ== • 50.2.160.84:80/443 (daddy.gostudyantivirus.com) AoFSY4Fi5u8sX3Bo7To86w== • 50.2.160.104:443 gdWSvDcDqmZFC5/qvQiwhQ== • 50.2.160.125:80/443 (document.methoder.com, drives.methoder.com, mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com) ketcxsAWfeAxiQ64ndURvA== • 50.2.160.146:443 ketcxsAWfeAxiQ64ndURvA== • 50.2.160.179:443 gdWSvDcDqmZFC5/qvQiwhQ== • 50.2.160.193:443 tG3Sl8fQtuyKj/jh97O67w== • 50.2.160.226:443 gdWSvDcDqmZFC5/qvQiwhQ== • 50.2.160.241:443 gdWSvDcDqmZFC5/qvQiwhQ==
menuPass Campaign • Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from 50.2.160.104): • ux.niushenghuo.info 142.4.121.144 • for.ddns.mobi 142.4.121.144 • Hostnames from samples in 142.4.121.0/24: • gold.polopurple.com 142.4.121.138 • Additional PI C2 in 142.4.121.0/24 using NMAP: • 142.4.121.137:80/443 3ntLjgUGgQUYeKl3ncWgeQ== • 142.4.121.139:80/443 AoFSY4Fi5u8sX3Bo7To86w== • 142.4.121.140:443 gdWSvDcDqmZFC5/qvQiwhQ== • 142.4.121.141:80 ketcxsAWfeAxiQ64ndURvA== • 142.4.121.142:443 ketcxsAWfeAxiQ64ndURvA== • 142.4.121.144:443 gdWSvDcDqmZFC5/qvQiwhQ== • 142.4.121.181:443 gdWSvDcDqmZFC5/qvQiwhQ== • 142.4.121.203:443 gdWSvDcDqmZFC5/qvQiwhQ==
menuPass Campaign • zhengyanbin8@gmail.com registered: • 2012yearleft.com • cmdnetview.com • gostudyantivirus.com • 100fanwen.com • DomainTools reports that this email address has been used to register 157 domains • So still a lot of research to be done
Conclusion • Who this is for: • Those with an interest in amateur malware analysis: I utilised my pentesting skillset to work on this stuff • Defenders looking for more ways to defend: using these methods you can start investigating attacks on your organisation and start moving up the kill chain • Greyhats wanting to increase the cost for attackers running these RATs
Thank You • If there’s time for questions, shoot. • Otherwise catch me at lunch