
Post on 15-Apr-2018


Securing the Industrial Internet

Operation BugDrop: Stage 1 Cyber-Reconnaissance in the Real-World

David Atch, VP/Research

SANS ICS Security Summit -- March 21, 2017

www.cyberx-labs.com

Ongoing Responsible Disclosures to ICS-CERT & Industrial Vendors

Industry Recognition

• Only industrial cyber vendor recognized by the International Society of Automation
• Only industrial cyber vendor chosen for the Innovation Award sponsored by US DHS & DoD
• Best ICS/SCADA Security two years in a row
• Defining next-generation IIoT security architecture
• Only industrial cyber vendor chosen by Israel consortium for the Japan 2020 Games
• Featuring CyberX’s vulnerability research

CyberX Threat Intelligence Research Team

• Former IDF threat intelligence & forensic experts
• Scrutinize a range of open & closed sources, including forensics from IR in customer environments
• Develop custom tools to reverse-engineer malware & firmware
• Work directly with ICS-CERT & industrial vendors
• Enriches the real-time threat detection provided by our industrial cybersecurity platform
  – Continuous, real-time monitoring
  – M2M behavioral analytics & anomaly detection
  – Non-invasive vulnerability assessments
  – Proprietary ICS-specific threat intelligence

“CyberX believes threat actors turned KillDisk into a piece of ransomware because, unlike cyber-sabotage, the new functionality enables them to directly monetize their attacks.”

“These kinds of campaigns are running, even as we speak,” said Omer Schneider, co-founder of CyberX.

How a Michigan Utility Got Hacked

“Security vendor CyberX uncovered the operation … dubbing the campaign Operation BugDrop because one of the methods employed by the threat actors is to eavesdrop on conversations via the victim’s PC microphone … [and] the operators of BugDrop are using DropBox to store data exfiltrated from victim systems, making it harder to spot the illegal activity.”

“Cybersecurity firm CyberX said it has uncovered a cyber-espionage operation in Ukraine that has compromised more than 70 victims. Victims of the malware included an energy ministry, a scientific research institute and a firm that designs remote monitoring systems for oil & gas pipelines.”

Operation BugDrop: Key Aspects

• Captures audio (“bugs”), screenshots, files, passwords; keylogger
• Uses the Dropbox cloud-based service for data exfiltration
• Reflective DLL injection (like Stuxnet & BlackEnergy)
• Encrypted DLLs
• Free web hosting services for C&C servers


[Diagram, multi-stage dropper: Word doc → embedded VBS → Stage 0 exe → Stage 1 dll → Stage 2 dll → windows-problem-reporting[.]site88[.]net → Main Module ↔ Dropbox → Data-Stealing Plugins; Registry Persistency]


Multi-stage dropper starts with phishing & a malicious MS-Office attachment


Clever social engineering

Russian text in MS-Office dialog box: “внимание! Файл создан в более новой версии программы Микрософт Office. Необходимо включить Макросы для корректного отображения содержимого документа”

Translation: “Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of this document.”

Decoy document: personal information about military personnel

Macro contains XORed PE

Stage 0: Extract Malicious DLLs

Shortcut icon for dropper DLL

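Stage 0 recovers a PE that the macro carries in XOR-encoded form. The following added example is not CyberX's tooling and not code from the talk; it shows the analyst-side counterpart: given a blob carved from a macro, brute-force a single-byte XOR key by validating the MZ/PE header structure, then carve the decoded image. The single-byte key and the sample payload are constructed assumptions; the slide only says the PE is XORed.

```python
"""Recover a single-byte-XOR-encoded PE image from a carved macro payload.

Added example (not CyberX's code). Assumption: one-byte XOR key, as is
common for macro-embedded payloads; the slide does not state the key length.
"""
import struct
from typing import Optional, Tuple

DOS_STUB_MSG = b"This program cannot be run in DOS mode."


def build_fake_pe() -> bytes:
    """Construct a minimal PE-shaped image: MZ header whose e_lfanew points at 'PE\\0\\0'.

    This is NOT a real executable, only enough structure for header validation.
    """
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = struct.pack("<I", 0x80)          # e_lfanew -> PE signature
    header[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    # PE signature, Machine = IMAGE_FILE_MACHINE_I386 (0x014c), then filler
    return bytes(header) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 250


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes, off: int) -> bool:
    """True if 'MZ' sits at off, e_lfanew is sane and 'PE\\0\\0' is where it points."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if not 0x40 <= e_lfanew < 0x1000:
        return False
    pe_off = off + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def find_xored_pe(blob: bytes) -> Optional[Tuple[int, int]]:
    """Try every single-byte key; return (key, offset) of the first valid PE header."""
    for key in range(256):
        dec = xor_bytes(blob, key)
        start = 0
        while True:
            off = dec.find(b"MZ", start)
            if off < 0:
                break
            if looks_like_pe(dec, off):
                return key, off
            start = off + 1
    return None


def carve_pe(blob: bytes) -> Optional[bytes]:
    """Decode and return the PE image starting at its MZ header, or None."""
    hit = find_xored_pe(blob)
    if hit is None:
        return None
    key, off = hit
    return xor_bytes(blob[off:], key)


# Constructed sample: some leading junk bytes, then the fake PE XORed with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = b"\xde\xad\xbe\xef" * 4 + xor_bytes(build_fake_pe(), SAMPLE_KEY)


if __name__ == "__main__":
    hit = find_xored_pe(SAMPLE_BLOB)
    print("key/offset:", None if hit is None else (hex(hit[0]), hit[1]))
    image = carve_pe(SAMPLE_BLOB)
    print("carved header:", image[:2], "PE sig at 0x80:", image[0x80:0x84])
```

Validating e_lfanew and the PE signature, rather than matching only the two MZ bytes, is what keeps the brute-force from returning a false key on arbitrary data; the carved image can then be handed to a PE parser or hashed for IoC matching.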

Stage 1 & 2: Decrypt & Inject Malicious DLLs

[Diagram: on the hard drive, Stage1.exe carries Stage1.dll and Stage2.dll in encoded form; in memory, a custom PE loader maps each decoded DLL’s .text, .data and .rdata sections]

Stage 2: Connect to C&C server to download main module


Sophisticated Targeted Operation

• Manually approves infection of specific targets
• Checks victim location
• Checks for virtualization
• Looks for security products
• Looks for network monitoring software
• Checks for Ukrainian keyboard
• Checks that the Computer Name is not auto-generated
• Looks for debugging
• Might run without hard drive persistence

How We Thwarted Them

• Used original malware sample (more authentic)
• Used Ukrainian IP
• Set up non-virtualized environment
• Disabled all security products
• Used winpmem and Wireshark – with renamed process names
• Set up Windows with Ukrainian Computer Name & keyboard
• Didn’t attach debuggers

Threat Intelligence Research Setup

[Diagram: infected computer on the CyberX network; VPN traffic to/from it exits to the Internet via a Ukrainian IP, reaching the malware operator]

Infection Results

• Took 4 hours for operator to infect target
  – Probably approved manually
• As expected, main module checks for:
  – Virtualization
  – Debugger
  – Computer Name
  – Wireshark
  – Original malware
• Success!!

Main Module


Dissecting the Main Module

• Well-written code
• Obfuscated strings
• Modular and 64-bit compatible
• Dropbox as C&C server – evades network security products, fully SSL encrypted
• Every module is encrypted and loaded with the custom PE loader
• Module output is stored encrypted on Dropbox
• Blowfish is the main encryption – key derived from user ID
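Because the C&C channel is ordinary TLS to Dropbox, content inspection is of little help; what a defender can still baseline is which process on which host talks to Dropbox and how much it uploads. The added example below is not CyberX's detection logic; it runs such a check over a constructed proxy log in a made-up `host= proc= dst= sent= recv=` format: any process other than the Dropbox client reaching Dropbox domains is reported, with upload volume tallied against a threshold. The log format, process allow-list, threshold and sample lines are all assumptions.

```python
"""Flag non-Dropbox-client processes talking to Dropbox, and tally their uploads.

Added example (not CyberX's code). The proxy log format below is constructed
for illustration; adapt parse_line() to the real proxy or EDR export.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed: Dropbox API/content endpoints live under these suffixes.
DROPBOX_SUFFIXES = (".dropboxapi.com", ".dropbox.com")
# Assumed: only the official client is expected to reach Dropbox on these hosts.
ALLOWED_DROPBOX_PROCS = {"dropbox.exe"}
UPLOAD_THRESHOLD_BYTES = 1 * 1024 * 1024   # 1 MiB per (host, process) in the log window

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"sent=(?P<sent>\d+) recv=(?P<recv>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_dropbox_host(dst: str) -> bool:
    dst = dst.lower()
    return any(dst == s.lstrip(".") or dst.endswith(s) for s in DROPBOX_SUFFIXES)


def find_suspicious_dropbox_use(lines: List[str],
                                allowed=ALLOWED_DROPBOX_PROCS,
                                threshold: int = UPLOAD_THRESHOLD_BYTES) -> List[dict]:
    """Report (host, process) pairs outside the allow-list that reached Dropbox."""
    sent_by: Dict[tuple, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dropbox_host(rec["dst"]):
            continue
        if rec["proc"].lower() in allowed:
            continue
        sent_by[(rec["host"], rec["proc"])] += int(rec["sent"])
    return [
        {"host": host, "proc": proc, "sent": total, "high_volume": total >= threshold}
        for (host, proc), total in sorted(sent_by.items())
    ]


# Constructed sample log: one legitimate client, one injected-looking uploader,
# one low-volume beacon from an Office process, unrelated traffic and a bad line.
SAMPLE_LOG = [
    "2017-03-01T10:00:00Z host=WS-17 proc=Dropbox.exe dst=api.dropboxapi.com sent=4096 recv=8192",
    "2017-03-01T10:01:00Z host=WS-42 proc=svchost.exe dst=content.dropboxapi.com sent=5242880 recv=512",
    "2017-03-01T10:02:00Z host=WS-42 proc=svchost.exe dst=content.dropboxapi.com sent=5242880 recv=512",
    "2017-03-01T10:03:00Z host=WS-42 proc=svchost.exe dst=api.dropboxapi.com sent=512 recv=2048",
    "2017-03-01T10:04:00Z host=WS-08 proc=winword.exe dst=api.dropboxapi.com sent=300 recv=1200",
    "2017-03-01T10:05:00Z host=WS-08 proc=chrome.exe dst=www.example.com sent=2048 recv=65536",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for finding in find_suspicious_dropbox_use(SAMPLE_LOG):
        print(finding)
```

The output carries two kinds of signal: the high-volume svchost.exe uploads match the bulk exfiltration the talk describes, while the small winword.exe contact is the sort of low-volume beacon that a byte threshold alone would miss, which is why the rule reports every unexpected process and only annotates volume.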

Malware Architecture

[Diagram: Dropbox sends commands to the Main Module and receives collected data; the Main Module loads several Modules, each of which returns its collected data]

Dissecting the Data-Stealing Plug-Ins

• Plug-ins are stored on Dropbox:
  – Computer Info
  – Screenshot collector
  – Keylogger
  – File Collector
    • Receives commands from Dropbox about which files to upload on demand
    • Looks for: doc, docx, xls, xlsx, ppt, pptx, pdf, zip, rar, db, txt
  – USB File Collector
  – Browser Passwords Collector
  – Microphone – used with more than 20 targets

Collected Audio

• Only specific targets hand-picked for audio surveillance
• Around 100 GB of collected data per month
• Out of this data, 19% are audio files with a bitrate of 16 Kbps (7.2 MB per hour)
• Approximately 2,700 hours of recordings
• Requires audio processing backend
• Requires team of analysts
• Might indicate this is nation-sponsored

* Majority of Ukrainian targets located in the pro-Russian separatist states of Donetsk and Luhansk

Sampling of Industrial Victims

• A company that designs remote monitoring systems for oil & gas pipeline infrastructures
• An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants
• An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine

Stage 1 of the ICS Kill Chain?

• Picked specific targets with well-crafted social engineering
• Persistent tool to collect sensitive data and report to C&C
• Document exfiltration and credentials
• Modular to extend capabilities
• Attribution is tricky
  – Who’s spying on whom?
  – False flags
  – Cyber criminals share tools with nation-states

Defending Against Threats

• Raise awareness with employees – anti-phishing vendors offer simulated phishing tests & online training for “victims”
• Verify the email sender
• Don’t open unknown documents
• Disable macros; ask the security guy if needed
• Keep your files encrypted – DLP solutions
• Don’t save passwords in browsers – use password managers

Defending Against Targeted Threats

• It’s not possible to hermetically secure the IT network
• OT networks must be secured as well
• Air gap is not going to save you
• Continuously monitor all network activity with behavioral analytics, anomaly detection, threat intelligence
• Add layers of security – makes it harder to get to you

For more information, visit our ICS Security Knowledge Base & Blog

www.cyberx-labs.com

Get your free copy of this new 390-page guide* at the CyberX tabletop

CyberX’s threat intelligence research team is proud to have been featured in “Chapter 7: ICS Zero-Day Vulnerability Research”

* While supplies last …


Thank You!

info@cyberx-labs.com

david@cyberx-labs.com