APT - A Pretty Trojan

APT - A Pretty TrojanIñaki Rodríguez

And the thanks goes to …

About me

- Security Manager at Wuaki TV!- Ex-Pentester at SensePost!- Founder member of Mlw.re!- @virtualminds_es

A Middle East tale

A Middle East tale(Malware, Russians and Exploit kits)

Far, far, really far in Dubai

• Exfiltration test!

• Social Engineering!

• Targeted Attack!

• Desktop users!

• Exploit kits

Our team mate got access

Meanwhile in London

• Email!• Excel files!• PDF!• Metasploit!• Sakura

Our team mate got access

Meanwhile in London

• Email!• Excel files!• PDF!• Metasploit!• Sakura

But no exfiltration!

Almost there but …

• First stage executed!• Meterpreter downloaded!• No reply

Give me baby one more time

Help! I need somebody

The characters

BarceloDub

Starring…

Russian wettest

Russian wettest dream

• Exploit kit for campaigns!

• Phishing!

• Trainings

Impossible Mission?

• Exfiltration of information!

• Help the company to avoid it!

• Two weeks

Adventure Time

Back to the Future

• Same payloads!• Same exploits!• Patterns in Splunk

Growing Pains

• Meterpreter!

• First stage: A kind of client!

• Second stage: The real meterpreter!

• Problems: Protocol and DLL!

• Crypters useless

My TODO

• Endpoint protection!

• Proxy!

• Antispam/AV solution!

• Firewall/IDS/IPS!

• Flight under the radar!

• Custom Malware

Bypassing SEP (I)

• Macro execution!

• Shellcodes!

• Dropper!

• First Irat version!

• Because anything with I is cool

Bypassing SEP (II)

EXE to VBS

Bypassing Websense (I)

• Content classification!

• Financial content!

• No executables!

• Mirroring!

• Hidden commands

Bypassing Websense (II)

Bypassing Message Labs

• Zip files!• Antivirus!• Password protected!

• SPF!• Controlled SMTP server

Bypassing PaloAlto

• Next-gen firewall!• No ports!• Based on Application recognition!• RFC!

• Meterpreter HTTP(s) caught!!• IRAT to the rescue!

• Pretty simple GET and POST!• No SSL!• ASCII to HEX encoding

Bypassing IDS

IRAT: Iñaki’s Remote Administration Tool

• KISS!

• No dependencies!

• C (Nightmare)!

• No crypters (Sorry Abraham)!

• Proxy Support!

• HTTP(s)!

• Ascii to Hex!

• Commands into simple HTML files

• C&C panel with templates!

• FUD (Full undetectable)

IRAT: Communication

IRAT: C&C (I)

IRAT: C&C (II)

The attack

Bypassing Humans

• Top 120 lusers!

• Emails with a predefined message!

• Excel attached (.xls)!

• HHRR Impersonation!

• With my own smtp server!

• Client threatened by employees!

• Not my fault :)

You've Got Mail

/con/cat

Facts!

Results

First try

Results

First try

Results

First try

Second try

Results

First try

Second try

And now what?

The hangover

• Patterns on logs!

• Splunk logging everything!

• Under the radar!

• User agent!

• One guy on SecurityFocus!

• Looking for mainframe exploits

The hangover

• Patterns on logs!

• Splunk logging everything!

• Under the radar!

• User agent!

• One guy on SecurityFocus!

• Looking for mainframe exploits

Weakness

• SPF!

• Check your own domains!!

• Logging!

• Too much, too useless!

• Antivirus!

• In AVs we trust

Yet another Cuckoo deployment

• Exchange mailboxes!

• Attachments to Cuckoo!

• VBS!

• Logs sent to Splunk!

• Custom Signatures

Mail2Cuckoo

Ok, Ok… I finish. But…

• PowerPoint Engineering!

• Expectations!

• Security By Default!

• Investment on people!

THANKS!!

APT - A Pretty Trojan

Technology

Transcript of APT - A Pretty Trojan

UsersGuide Trojan

TROJAN GRAND BALLROOM - Trojan Event Services · TROJAN GRAND BALLROOM 3607 Trousdale Parkway Los Angeles CA, 90089 The Trojan Grand Ballroom is USC’s largest multipurpose room.

The Trojan

Trojan Whitepaper

Trojan linux

Trojan magazine

Trojan technologies

Trojan Horse

PACKAGING DESIGN, ARTWORK & MOCKUPS | PRIVATE CLIENT · Apt. 58 Apt. 5 9 Apt. 5 7 Apt. 5 6 Apt. 55 Apt. 54 1 Apt. 60 2 Apt. 61 1 2 Apt. 1 9 t. 20 1 t. 18Ap t. 2 2 Apt. 17 Apt. 16

Trojan - Golf

Android App Lifecycling - Virus Bulletin · DEVIL How-to App lifecycling Case studies Conclusion. ... Trojan/KorTalk. Trojan/KorTalk. Trojan/KorTalk. Trojan/KorTalk. Trojan/Bankun.

TAKEA DIFFERENT ROAD TAK L200 TROJAN L200 TROJAN DIFFERENT ROAD EA L200 TROJAN … · L200 TROJAN L200 TROJAN DIFFERENT ROAD EA TAKTAKEA DIFFERENT ROAD L200 TROJAN. ... – as well

The Trojan [1960]€¦ · The Trojan I960 SeventhVolume CharlesH.DardenHighSchool Wilson,NorthCarolina

Trojan Park History Highlights Native Americans European Settlers Trojan Plant.

TROJAN TIMES TROJAN TIMES - …stfrancismorgantown.com/download/sfcs_alumni/Trojan Times Edition … · The true Trojan colors of black and red, ... Morgantown St. Francis Alumni

Vawtrak Banking Trojan Technical Report - Botconf 2018 · Vawtrak Banking Trojan Technical Report Raashid Bhat BlueLiv Labs. Vawtrak Trojan has been an enduring banking trojan for

Trojan backdoors

TROJAN TROJAN TROJAN TROJAN

OUTLINE TROJAN What is trojan? How did trojan create? Why was its name trojan? What is the differences with Trojan and other? Virus Worm Trojan Trojan’s.

THE TROJAN HORSE - Central Intelligence Agency · Title: THE TROJAN HORSE Subject: THE TROJAN HORSE Keywords