Abusing third-party cloud services in · 2019. 10. 9. · Abusing third-party cloud services in...
Transcript of Abusing third-party cloud services in · 2019. 10. 9. · Abusing third-party cloud services in...
Abusing third-party cloud services in targeted attacks
Daniel Lunghi (@thehellu), Jaromir Horejsi (@JaromirHorejsi)
October 02, 2019, Virus Bulletin, London, UK
© 2019 Trend Micro Inc.2
Outline
• Introduction
• General comparison of two malware infrastructures• Custom
• Cloud based
• Selected APT cases• Presentation of the malware operation
• Advantages and disadvantages from an attacker perspective
• Conclusion
© 2019 Trend Micro Inc.3
Introduction
• Cloud services abuse is not something new• “C&C-as-a-Service” presentation at VB in 2015
• This talk focuses on cloud abuse in the context of targeted attacks that we investigated
• Goals:• Show different real implementations of cloud abuse
• Find how, as defenders, we can leverage this setup to our advantage
© 2019 Trend Micro Inc.4
Custom malware infrastructure
• Developed and maintained by threat actor
• Costly• Domain name(s), server(s) hosting, data storage, bandwidth …
• Time consuming• Design, implementation and testing of the communication protocol
• Installation and maintenance of the C&C server(s)
© 2019 Trend Micro Inc.5
Custom malware infrastructure
• Disadvantages• Easier to monitor/block/sinkhole/seize
• Higher probability of flaws in the communication protocol
• Difficult to assess the reliability in real conditions
• Advantage• You choose to implement whatever funny idea you like
© 2019 Trend Micro Inc.6
Cloud malware infrastructure
• Advantages• Developed, maintained and operated by knowledgeable third party
• Cheaper (often free)
• API
• Higher reliability
• Harder to block/monitor/seize
• Disadvantage• Constrained by the features the cloud services provide
© 2019 Trend Micro Inc.7
Selected APT cases
© 2019 Trend Micro Inc.8
Patchwork
Known targeted countries
© 2019 Trend Micro Inc.9
Patchwork – Badnews
• “Badnews” backdoor
• A mix of both alternatives
1. HTTPS GET request
2. Encrypted C&C
3. Connect to C&C
© 2019 Trend Micro Inc.10
Patchwork – Badnews
• Hardcoded and encoded (sub 0x01) URL addresses
© 2019 Trend Micro Inc.11
Patchwork – Badnews
• Examples of encoded configuration
© 2019 Trend Micro Inc.12
Patchwork – Badnews
• Encryption uses XOR & ROL
• Versions after November 2017 added a layer of blowfish
encryption
• C&C is usually a PHP script hosted in a web server without
domain name
© 2019 Trend Micro Inc.13
Patchwork – Badnews
rp3f.strangled.net
185.29.11.59
185.29.11.59
© 2019 Trend Micro Inc.14
Patchwork – Badnews
© 2019 Trend Micro Inc.15
Confucius
Known targeted countries
© 2019 Trend Micro Inc.16
Confucius – Swissknife
• “Swissknife” stealer
• Uses Dropbox API to upload documents with selected extensions
(.pdf, .doc, .docx, .ppt, .pptx, .xls, and .xlsx)
HTTPS POST request
API key in “Authorization” header
© 2019 Trend Micro Inc.17
Confucius – Swissknife
• API key in decompiled code
© 2019 Trend Micro Inc.18
Confucius – Swissknife
• File downloader in Python using Dropbox API
© 2019 Trend Micro Inc.19
Confucius – Swissknife
• Enumerating the deleted files
© 2019 Trend Micro Inc.20
Confucius – Swissknife
• Enumerating the deleted folders
© 2019 Trend Micro Inc.21
Confucius – pCloud
• “pCloud” stealer
• Uses pCloud API to upload documents with selected extensions (.pdf,
.doc, .docx, .ppt, .pptx, .xls, and .xlsx)
HTTPS POST request
Embeds login/password
© 2019 Trend Micro Inc.22
Confucius – pCloud
• Using pCloud API to list files
© 2019 Trend Micro Inc.23
Confucius – pCloud
© 2019 Trend Micro Inc.24
Confucius – pCloud
© 2019 Trend Micro Inc.25
Confucius – pCloud
• Content from attacker’s machine
© 2019 Trend Micro Inc.26
Confucius – pCloud
© 2019 Trend Micro Inc.27
Confucius – TweetyChat
• “TweetyChat”, backdoored Android chat application
1. Register to C&C
2. Send commands3. Upload stolen files
awsAccessKey/awsSecretKeyUpdate AWS credentials
3. Upload SMS, contacts, call logs
© 2019 Trend Micro Inc.28
Confucius – TweetyChat
• awsAccessKey and awsSecretKey are not hardcoded
• AWS keys are updated through Google Cloud Messaging platform (Firebase Cloud Messaging in newer versions)
© 2019 Trend Micro Inc.29
Confucius – TweetyChat
• Google Cloud/ Firebase message receiver
• Calling PutObjectRequest to “upload a new object to the specified Amazon S3 bucket”
© 2019 Trend Micro Inc.30
Confucius – TweetyChat
© 2019 Trend Micro Inc.31
Confucius – TweetyChat
• As usual, operators test the malware on their own devices…
© 2019 Trend Micro Inc.32
MuddyWater
Known targeted countries
© 2019 Trend Micro Inc.33
MuddyWater – CloudSTATS
• “CloudSTATS” backdoor
1. Register
Put “.reg” file
2. Send command
Put “.cmd” file3. Read command
4. Send command results
Put encoded “.res” file
© 2019 Trend Micro Inc.34
MuddyWater – CloudSTATS
• “CloudSTATS” backdoor
© 2019 Trend Micro Inc.35
MuddyWater – CloudSTATS
• “CloudSTATS” backdoor
© 2019 Trend Micro Inc.36
MuddyWater – CloudSTATS
• Hardcoded API keys
• Check existing folder/victim
© 2019 Trend Micro Inc.37
MuddyWater – CloudSTATS
• Asynchronous C&C communication
• Files with extensions (cmd, reg, prc, res)
© 2019 Trend Micro Inc.38
MuddyWater – CloudSTATS
• .reg file
• .res file
© 2019 Trend Micro Inc.39
MuddyWater – Telegram
• Android mobile app, Telegram exfiltration
3. Upload stolen information
2. Send commands BotID & ChatID
1. Register to C&C
© 2019 Trend Micro Inc.40
MuddyWater – Telegram
© 2019 Trend Micro Inc.41
MuddyWater – Telegram
• .com.telegram.readto.client.ProcessCommand
© 2019 Trend Micro Inc.42
MuddyWater – Telegram
• Timer sending all data once a day
• Code for exfiltration all system information
© 2019 Trend Micro Inc.43
MuddyWater – Telegram
• Metadata of the Telegram account
© 2019 Trend Micro Inc.44
SLUB
Country of interest
© 2019 Trend Micro Inc.45
SLUB v1
HTTPS requestCheck for commands
HTTPS requestSend results
HTTPS requestSend stolen files
© 2019 Trend Micro Inc.46
SLUB v1
• Malware delivered via waterholing of websites related to North Korea
• Read gist snippet for commands to execute
• ^ and $ encapsulate active commands
© 2019 Trend Micro Inc.47
SLUB v1/v2
• Hardcoded Slack token
• Slack token’s o-auth scopes
© 2019 Trend Micro Inc.48
SLUB v1/v2
• Exfiltration via file.io, link sent to Slack
© 2019 Trend Micro Inc.49
SLUB v2
• Newer version from July 2019• GitHub is not used anymore
• Operator creates a Slack workspace
• A separate channel named <user_name>-<pc_name> is created in the workspace for each infected machine
• Commands to execute sent via messages pinned to a victim-specific channel
• Victim machine reads pinned messages from its dedicated channel, parses the message, and executes the requested command
© 2019 Trend Micro Inc.50
SLUB v2
HTTPS requestCheck commands and send results
HTTPS requestSend stolen files
HTTP requestCheck for new Slack token
© 2019 Trend Micro Inc.51
SLUB v2
• Configuration update
• New token between HELLO^, WHAT^ and !!! tokens
© 2019 Trend Micro Inc.52
SLUB v1
• Gist revisions show activation of specific commands
© 2019 Trend Micro Inc.53
SLUB v1/v2
• Using Slack API in Python
© 2019 Trend Micro Inc.54
SLUB v2
• File & exec operations
© 2019 Trend Micro Inc.55
SLUB v1/v2
• Screenshot upload
• Screenshot download (using API key and path to the file)
© 2019 Trend Micro Inc.56
SLUB v1
© 2019 Trend Micro Inc.57
Conclusion
© 2019 Trend Micro Inc.58
Conclusion
• Abusing cloud service providers is a worldwide trend
• Such services can be used for different purposes:
• To store a reference used by the malware (C&C …)
• To store the stolen data
• To store all the commands and data
• This behavior brings benefits not only to the attackers, but
also to the defenders, and without the need to “hack back”
© 2019 Trend Micro Inc.59
References
• Patchwork: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-
patchwork-cyberespionage-group/
• Confucius: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-
confucius-cyberespionage-operations/
• MuddyWater: https://blog.trendmicro.com/trendlabs-security-intelligence/new-
powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/
• https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-
multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/
• Slub v1: https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-
uses-github-communicates-via-slack/
• Slub v2: https://blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-
github-intensifies-slack-use/
Threats detected and blocked globally by Trend Micro in 2018. Created with real data by artist Daniel Beauchamp.