Transcript Malware Analysis

How to fight an APT attack:
Identifying and Responding to a
visit from China
Trends of Cyber Espionage
• “Most surprising to us is the consistent, significant
growth of incidents in the dataset. We knew it was
pervasive, but it’s a little disconcerting when it
triples last year’s already much-increased number.
Espionage exhibits a wider variety of threat actions
than any other pattern. The most evident changes
from our last report include the rise of strategic web
compromises and the broader geographic regions
represented by both victims and actors.”
-Verizon DBIR
Cyber Espionage Statistics
2013 Compromises
• 511 Reported Incidents
• 306 Confirmed Data Disclosures
Malware Threat Vectors
• 78% Email Attachments
• 20% Drive By Downloads
• 2% Email Link
Discovery Timeline
• 0% Seconds
• 0% Minutes
• 9% Hours
• 8% Days
• 16% Weeks
• 62% Months
• 5% Years
Discovery Methods
• 85% External
• 15% Internal
• Which breaks down as follows:
• 67% External Unrelated Party
• 16% External Law Enforcement
• 8% Internal Anti-Virus
• 2% Internal Network IDS
• 2% Reported by User
• 1% Internal Log Review
• 1% Other
Spearphish
• Spoofed sender
• Looks legitimate, will research your social media
presence for customization
• Will leverage a reconnaissance tool such as
“TheHarvester” to acquire email targets
• Email Attachments (typically PDF, Word, or Excel
documents) contain embedded malware
• Once attachment is opened, malware is installed and
beacons to it’s Command and Control Server
Drive By Downloads
• Malicious actors set a trap on legitimate websites
redirecting the target to an Exploit Kit Landing Page
– Excel Forums, NBC, Council on Foreign Relations
• Once the Exploit Kit is successful, malware is dropped
on the victim’s system
• The malware installs and beacons back to the
Command and Control server
Pondurance Network Sensors > Drive By Downloads
Now we’re just showing off….
Cyber Espionage Attack Structure
• The custom dropper malware beacons to a command and control web site
and pulls down backdoor malware which enables the attacker with reverse
shell access.
• The attacker establishes multiple backdoors to ensure access can be
maintained if the other systems are found.
• The attacker now has access to the system and dumps account names and
passwords from the domain controller.
• The attacker cracks the passwords and now has access to legitimate user
accounts to continue the attack undetected.
• The attacker performs reconnaissance to identify and gather data.
• Data is collected on a staging server.
• Data is exfiltrated from the staging server.
• The attacker will cover their tracks by deleting files but can return at any time
to conduct additional activity.
Lateral Movement
• Scan the network for targets
– Copy the backdoor malware file over
– Schedule an “at” job to execute the malware
• PsExec
• Internal Remote Access Tools (TeamViewer!)
Incident Response Procedure
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
Network Sensors – Initial Detection
The POST included:
HTTP/1.1 200 OK
Host: militarysurpluspotsandpans.com
Dst: {“status”:”1”}
Notice a pattern in these beacons?
Stop! Acquisition is so 2013…
• Acquisition takes A LONG TIME, it is nearly
impossible to keep up with a skilled attacker using this
methodology
• When an incident related to foreign nation-state cyber
espionage goes to court, let me know ;)
• Remote Forensics is where its at….this capability
allows you to mount remote Memory and Disk to your
workstation for analysis in READ ONLY MODE in
mere seconds
The Culprit – Captured in Real Time
PDF Analysis
• http://blog.didierstevens.com/programs/pdf-tools/
• http://blog.zeltser.com/post/3235995383/pdf-streamdumper-malicious-file-analysis
• Malware embedded within PDF documents typically
involve Shellcode, JavaScript or .swf (flash) files
• These tools allow you to identify and extract these
objects for further analysis
Memory Analysis
Command Line Input
root@ubuntu:/home/john/Volatility# python vol.py cmdscan
Cmd #0 @ 0x300500: hostname
Cmd #1 @ 0x310038: whoami
Cmd #2 @ 0x31002d: netstat -ano
Cmd #3 @ 0x2d0039: net use \\user-xp-pc\IPC$ /u:DOMAIN\USER-01
Cmd #4 @ 0x310037: psexec \\user-xp-pc cmd.exe
Cmd #5 @ 0x2d0030: netstat -ano
Memory Analysis
• Suspicious Exited Connection
• Umm…..
Memory Analysis - Processes
Memory Analysis – Acquiring Processes
• Process saved as an executable to your local directory in seconds
• From there you may proceed with malware analysis
• Works for DLLs as well
Malware Analysis
Malware Analysis
Capabilities:
• Remote Access Trojan [RAT]
– Able to provide a reverse shell to the attacker for backdoor
level access
• Keylogger
– Able to steal credentials from the affected system
• How does this influence the remediation strategy?
Malware Analysis – C2 Traffic
Domains
IP Address
g.ceipmsn.com
131.253.40.10
microsoftwlsearchcrm.112.2o7.net
66.235.138.225
puppydepo.com
120.199.31.8
414780153.log.optimizely.com
54.235.178.178
militarysurpluspotsandpans.com
54.196.135.175
az10143.vo.msecnd.net
65.54.89.229
ajax.aspnetcdn.com
68.232.34.200
static.revenyou.com
198.232.124.224
Oh look….
Basic Dynamic Analysis
• Regshot will allow the analyst to identify how the
malware influences the Registry upon execution
• On a test machine, use Regshot to “snapshot” the
Registry
• Run the malware
• Use Regshot to take a second “snapshot” of the
Registry
• Regshot will then output the difference
Scoping the Attack
• IOC Sweeps
– Indicators of Compromise – OpenIOC Framework
– XML Format
– Leverage threat intelligence of the malware (registry keys it
writes to, file names, file sizes, compilation timestamps, etc)
– Forensically scan every node on the network to see if these
exist
Finding Evil with Autorunsc
• for /L %i in (1, 1, 254) do @psexec -s -n 4 -d \\n.n.n.%i cmd /c "net use
o: \\server\share PASSWORD /user:doman\username &&
\\live.sysinternals.com\tools\autorunsc -a -v -f -c '*' > o:n.n.n.%i.csv &&
net use o: /delete”
• Remotely extract all Registry entries set to known autostart locations
as well as the MD5 hash of the associated files
• Example:
• SYSTEM\CurrentControlSet\Services
• If Start Key is set to 0x02 then service will start at boot
• Another way to quickly scan an enterprise if the auto-start mechanisms
of the malware are known by pushing this out through Group Policy
Containment – Get it right the first time or else
• Isolate the affected subnets from the rest of the
network (if feasible, if not then the affected machines)
• Sinkhole all the C2 Domains in DNS Servers
• Suspend all user accounts related to the attack
• Submit malware to AV Vendor for signature creation
Eradication
• Pull affected machines from the network IN UNISON
• Rebuild machines from a known clean base image
• Issue new credentials to affected users
• Ensure AV Signatures are updated throughout the
environment
Recovery
• Bring remediated machines back on the network
• Remove ACL restrictions that isolated affected
subnets
• Ensure business returns to normal
• Continue monitoring and sweeping network
Lessons Learned
• Review incident with team
• Discuss what went right, what went wrong
• Document and implement these strategies in future
scenarios
Any Questions?