
RAT-a-tat-tat



Presentation Transcript


  1. RAT-a-tat-tat
  Taking the fight to the RAT controllers

  2. Who Am I
  • Jeremy du Bruyn
  • twitter: @herebepanda, irc: panda
  • Pentester / Consultant at SensePost
  • Spoken at a previous ZaCon about password cracking
  • Currently doing an MSc at Rhodes

  3. What's this about
  • I've done some research on two prolific RATs that I'd like to share with y'all
  • I am not a malware researcher, I'm just an ex-network-pentester-consultant-infosec guy
  • Some dynamic analysis using Cuckoo sandbox
  • Some static analysis using scripts to pick apart the server binaries
  • Ways to search for these RATs on the greater Internet
    • With an example

  4. Background story
  • Malware.lu report on Mandiant APT1
  • Python code for finding Poison Ivy C2s
  • Are there any Poison Ivy C2s in ZA?
  • Writing robust network code is hard
    • Rather leverage off of NMAP
  • I didn't find any Poison Ivy C2s in ZA :) / :(
  • I really want to play with this, where can I get some samples?
  Credit: http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf

  5. My collection
  • VirusTotal provides researchers with access to their Private API, which allows searching for and downloading samples
  • After speaking with some malware folks I got a list of the most popular RATs being used in attacks
    • (@vlad_o, @undeadsecurity, @bobmcardle)
  • Started collecting in August 2013
  • Samples downloaded
    • Searched for "Poison.*" and "Fynloski.*"
    • Total 34 GB of samples
  • For sure a cheap VPS would hold the few 100 MBs of samples I'd download
  Link: https://www.virustotal.com/en/documentation/private-api/

  6. RAT infrastructure
  Credit: http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/

  7. Poison Ivy
  • Been around for many years
    • Oldest version on the website is from 2006, first released in 2005
  • Latest public version is 2.3.2, released in 2008
    • Private versions still being released, including a Vista+ patch
  • Free to download off the author's website
  • Apparently very popular amongst Chinese attackers
    • Recently used by Mandiant APT1 groups
    • Used in RSA hack

  8. Poison Ivy
  • Samples
    • 12,133 downloaded
    • 5,004 analysed
      • Too much pondering/figuring in the beginning
    • 26 live
      • Not a lot I know, but they provide some interesting insights
      • Average PI C2 lifespan is 3 months
  • Analysis conducted using a mixture of the VirusTotal behavioural analysis results and a local Cuckoo sandbox instance

  9. VT Behavioural Analysis
  • They use a "cluster" of Cuckoo sandbox machines to perform the analysis and provide data via JSON
  • VirusTotal behavioural analysis not conducted on all samples
    • Like 1 in 10
  • Not allowed to share samples with 3rd parties

  10. Cuckoo sandbox
  • Cuckoo sandbox used for the majority of the samples
  • 5 WinXP SP2 virtual machine guests
  • Timeout of 2 minutes
  • Only allowed DNS traffic to Cuckoo host
    • Unbound DNS resolver
  • Tweaked to report all traffic, even SYN
    • modules/processing/network.py (host down, not reported)
    • Malwr.com has the same problem
  • api.py is super useful
    • Submit jobs, get analysis reports in JSON
  • At the end able to process a couple hundred samples a day

  11. Analysis system
  • System is Postgres driven
  • Extracted info from the samples put into DB:
    • C2 / proxy IP
    • Port
  • Scripts would pick up unprocessed samples, perform liveness testing of the C2 and extract the Camellia key
    • Again writing to the DB

  12. Poison Ivy
  • Camellia key used to authenticate server and encrypt communication
  • Crypto hashing algorithm
  • Used for all servers
  • Can be extracted from server traffic :)
  Link: https://en.wikipedia.org/wiki/Camellia_(cipher)

  13. Poison Ivy
  • JtR module available for brute-forcing (malware.lu)
  • I've asked for its inclusion into hashcat
    • @atom, if you are reading this, *cough* oclhashcat

  14. Vulnerabilities
  • Metasploit module for buffer overflow bug in Poison Ivy 2.3.2
    • Think meterpreter
  • All you need is the C2 IP, port and clear-text Camellia password
  • Malware.lu guys used this to great effect
  • FireEye "PIVY memory-decoding tool" for Immunity Debugger can also extract this info
  Links: http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof
  http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf

  15. My contribution
  • NMAP service probes to detect C2s across the Internet and NSE script to extract Camellia key from server traffic

  16. DarkComet
  • Very popular around the world
  • Development abandoned by the author after Syrian government use
    • Crippled version available on author's website
  • Current public full version is 5.3.1
  • Current public crippled version is 5.4.1 "Legacy"
  • Fairly good collection available via .torrent
  Links: http://darkcomet-rat.com/
  https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection

  17. DarkComet
  • Samples
    • 33,592 downloaded (32 GB)
    • 12,133 analysed
      • 4,408 successfully
    • 40 live
  • Analysis script inspired by AlienVault Labs
    • Only worked on V5, updated to work on V5.1+
  Credit: https://code.google.com/p/alienvault-labs-garage/downloads/list

  18. DarkComet
  • Encrypted server configuration information contained within the binary
    • C2 IP, port, password
    • FTP host, port, username, password, path
  • Server configuration encrypted using static keys:
    • V5.1+: #KCMDDC51#-890
    • V5.0: #KCMDDC5#-890
    • V4.2F: #KCMDDC42F#-890
    • V4.2: #KCMDDC42#-890
    • V4.1: #KCMDDC4#-890
    • V2.x + 3.x: #KCMDDC2#-890
  • Static key and password ("PWD") used to authenticate and encrypt communications
  Credit: http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf

  19. DarkComet

  20. DarkComet
  • All this is encrypted using the static key + 'PWD'
  Credit: http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/

  21. Vulnerabilities
  • Makes use of SQLite DB
    • SQLi
  • Arbitrary file download vulnerability
    • RAT allows controller to overwrite files
    • Doesn't check that C2 initiated connection
  • comet.db
    • Contains information on all connected servers
  Credit: http://www.matasano.com/research/PEST-CONTROL.pdf

  22. My contribution
  • NMAP service probes to detect C2s across the Internet
  • DarkComet
    • Receives "IDTYPE" encrypted with default (and most popular) password
  • Xtreme RAT
    • Sends "myversion|3.6 Public\r\n"
    • Receives
      • Bytes 1-3: "\x58\x0d\x0a"
      • Bytes 4-12: "\xd2\x02\x96\x49\x00\x00\x00\x00"
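The two DarkComet pieces above (slide 18's static per-version keys for the embedded server configuration, and slide 22's probe that recognises a controller by the "IDTYPE" string it sends encrypted under the static key plus password) share one primitive, so here is one worked example covering both. This is added illustration code, not the speaker's extraction script or NMAP probe. It assumes what the slides leave implicit: that the cipher is RC4, that the ciphertext is carried hex-encoded, that the communications key is the static key concatenated with the PWD value, and that the default password is the empty string. The configuration plaintext, its `NAME={value}` line format and the field names are constructed here for the demo; it is encrypted inside the block so that the example runs offline with no real sample.

```python
"""Added example: DarkComet static-key config decryption and IDTYPE banner matching.

Assumptions (not stated on the slides): RC4 cipher, hex-encoded ciphertext,
comms key = static key + PWD, default PWD is "". Sample config is constructed.
"""
import string

# Static keys per DarkComet version, as listed on slide 18.
STATIC_KEYS = {
    "V5.1+": b"#KCMDDC51#-890",
    "V5.0": b"#KCMDDC5#-890",
    "V4.2F": b"#KCMDDC42F#-890",
    "V4.2": b"#KCMDDC42#-890",
    "V4.1": b"#KCMDDC4#-890",
    "V2.x/3.x": b"#KCMDDC2#-890",
}

PRINTABLE = set(string.printable.encode())


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def detect_version(hex_blob: str):
    """Try every static key; the right one yields all-printable text, wrong ones yield noise."""
    raw = bytes.fromhex(hex_blob)
    for version, key in STATIC_KEYS.items():
        if all(b in PRINTABLE for b in rc4(key, raw)):
            return version
    return None


def decrypt_config(hex_blob: str, version: str) -> dict:
    """Decrypt the embedded config and parse NAME={value} lines into a dict."""
    plain = rc4(STATIC_KEYS[version], bytes.fromhex(hex_blob)).decode("latin-1")
    fields = {}
    for line in plain.splitlines():
        if "=" in line and line.endswith("}"):
            name, value = line.split("=", 1)
            fields[name] = value.strip("{}")
    return fields


def comms_key(version: str, password: str = "") -> bytes:
    """Assumed: the traffic key is the static key followed by the PWD value (slide 20)."""
    return STATIC_KEYS[version] + password.encode()


def idtype_banner(version: str, password: str = "") -> bytes:
    """The hex string a controller is expected to send on connect (slide 22)."""
    return rc4(comms_key(version, password), b"IDTYPE").hex().upper().encode()


def classify_banner(data: bytes, password: str = ""):
    """Service-probe style match: return the DarkComet version whose banner matches, else None."""
    got = data.strip().lower()
    for version in STATIC_KEYS:
        if got == idtype_banner(version, password).lower():
            return version
    return None


# Constructed sample config (field names and values are illustrative only).
SAMPLE_CONFIG = (
    b"#BEGIN DARKCOMET DATA --\r\n"
    b"MUTEX={DC_MUTEX-EXAMPLE}\r\n"
    b"SID={Guest16}\r\n"
    b"NETDATA={c2.example.invalid:1604}\r\n"
    b"PWD={}\r\n"
    b"FTPHOST={}\r\n"
    b"#EOF DARKCOMET DATA --\r\n"
)
# Encrypted here with the V5.1+ key so the example is self-contained.
SAMPLE_BLOB = rc4(STATIC_KEYS["V5.1+"], SAMPLE_CONFIG).hex().upper()

if __name__ == "__main__":
    ver = detect_version(SAMPLE_BLOB)
    print("detected version:", ver)
    print("config:", decrypt_config(SAMPLE_BLOB, ver))
    print("expected IDTYPE banner:", idtype_banner(ver))
    print("classified:", classify_banner(idtype_banner(ver)))
```

The printable-text heuristic in `detect_version` is what makes a per-version key table usable without knowing the version up front: a wrong RC4 key turns the blob into pseudo-random bytes, so only the correct key survives the check. `classify_banner` is the same comparison a service probe performs: it can only recognise controllers whose PWD you already expect, which is why the slide notes the probe targets the default password.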

  23. My contribution
  • Updated DarkComet configuration extraction script, for v5.1+

  24. menuPass Campaign
  • One of my samples had the filename "Strategy_Meeting.exe" and a Google search gave me the FireEye report "Poison Ivy: Assessing Damage and Extracting Intelligence"
  • menuPass campaign launched in 2009 targeting defense contractors
  • Main industries targeted were
    • Defense, Consulting / Engineering, ISP, Aerospace, Heavy Industry, Government
  • Spear-phishing used as initial attack vector
    • Weaponised .doc and .zip
  • Using pentest footprinting techniques I uncovered a bit about their infrastructure
  Link: http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf

  25. menuPass Campaign
  Credit: http://www.paterva.com/web6/products/casefile.php

  26. menuPass Campaign
  • "The IP 60.10.1.120 hosted the domain apple.cmdnetview.com"
  • This hostname appeared in my analysis but with an IP of 112.213.118.34
  • One of my samples has hk.2012yearleft.com (112.213.118.33) and tw.2012yearleft.com (50.2.160.125) as C2s
    • tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in FireEye report
  • 5 live samples using this C2 in my collection
    • All used Camellia key "ketcxsAWfeAxiQ64ndURvA=="

  27. menuPass Campaign
  • New hostnames found using "ketcxsAWfeAxiQ64ndURvA==" from my samples:
    • banana.cmdnetview.com
    • drives.methoder.com
    • muller.exprenum.com
  • New hostnames in 50.2.160.0/24 from samples:
    • kmd.crabdance.com 50.2.160.104
    • banana.cmdnetview.com 50.2.160.146
    • drives.methoder.com 50.2.160.125
    • muller.exprenum.com 50.2.160.125

  28. menuPass Campaign
  • Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found additional C2s in 50.2.160.0/24:
    • 50.2.160.42:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
    • 50.2.160.84:80/443 (daddy.gostudyantivirus.com) (AoFSY4Fi5u8sX3Bo7To86w==)
    • 50.2.160.104:443 gdWSvDcDqmZFC5/qvQiwhQ==
    • 50.2.160.125:80/443 (document.methoder.com, drives.methoder.com, mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com) (ketcxsAWfeAxiQ64ndURvA==)
    • 50.2.160.146:443 ketcxsAWfeAxiQ64ndURvA==
    • 50.2.160.179:443 gdWSvDcDqmZFC5/qvQiwhQ==
    • 50.2.160.193:443 tG3Sl8fQtuyKj/jh97O67w==
    • 50.2.160.226:443 gdWSvDcDqmZFC5/qvQiwhQ==
    • 50.2.160.241:443 gdWSvDcDqmZFC5/qvQiwhQ==

  29. menuPass Campaign
  • Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from 50.2.160.104):
    • ux.niushenghuo.info 142.4.121.144
    • for.ddns.mobi 142.4.121.144
  • Hostnames from samples in 142.4.121.0/24:
    • gold.polopurple.com 142.4.121.138
  • Additional PI C2 in 142.4.121.0/24 using NMAP:
    • 142.4.121.137:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
    • 142.4.121.139:80/443 AoFSY4Fi5u8sX3Bo7To86w==
    • 142.4.121.140:443 gdWSvDcDqmZFC5/qvQiwhQ==
    • 142.4.121.141:80 ketcxsAWfeAxiQ64ndURvA==
    • 142.4.121.142:443 ketcxsAWfeAxiQ64ndURvA==
    • 142.4.121.144:443 gdWSvDcDqmZFC5/qvQiwhQ==
    • 142.4.121.181:443 gdWSvDcDqmZFC5/qvQiwhQ==
    • 142.4.121.203:443 gdWSvDcDqmZFC5/qvQiwhQ==

  30. menuPass Campaign
  • zhengyanbin8@gmail.com registered:
    • 2012yearleft.com
    • cmdnetview.com
    • gostudyantivirus.com
    • 100fanwen.com
  • DomainTools reports that this email address has been used to register 157 domains
    • So still a lot of research to be done

  31. Conclusion
  • Those with an interest in amateur malware analysis
    • I utilised my pentesting skillset to work on this stuff
  • Defenders looking for more ways to defend
    • Using these methods you can start investigating attacks on your organisation and start moving up the kill-chain
  • Greyhats wanting to increase the cost of attackers running these RATs

  32. Thank You
  • If there's time for questions, shoot.
  • Otherwise catch me at lunch
