APT - A Pretty Trojan
Iñaki Rodríguez
And the thanks goes to …
About me
• Security Manager at Wuaki TV
• Ex-Pentester at SensePost
• Founder member of Mlw.re
• @virtualminds_es
A Middle East tale (Malware, Russians and Exploit kits)
Far, far, really far in Dubai
• Exfiltration test
• Social Engineering
• Targeted Attack
• Desktop users
• Exploit kits
Our teammate got access
Meanwhile in London
• Email
• Excel files
• PDF
• Metasploit
• Sakura
But no exfiltration!
Almost there but …
• First stage executed
• Meterpreter downloaded
• No reply
Give me baby one more time
Help! I need somebody
The characters
BarceloDub
Starring…
Russian wettest dream
• Exploit kit for campaigns
• Phishing
• Trainings
Impossible Mission?
• Exfiltration of information
• Help the company to avoid it
• Two weeks
Adventure Time
Back to the Future
• Same payloads
• Same exploits
• Patterns in Splunk
Growing Pains
• Meterpreter
• First stage: a kind of client
• Second stage: the real Meterpreter
• Problems: protocol and DLL
• Crypters useless
My TODO
• Endpoint protection
• Proxy
• Antispam/AV solution
• Firewall/IDS/IPS
• Flight under the radar
• Custom malware
Bypassing SEP (I)
• Macro execution
• Shellcodes
• Dropper
• First Irat version
• Because anything with I is cool
Bypassing SEP (II)
EXE to VBS
Bypassing Websense (I)
• Content classification
• Financial content
• No executables
• Mirroring
• Hidden commands
Bypassing Websense (II)
Bypassing Message Labs
• Zip files
• Antivirus
• Password protected
• SPF
• Controlled SMTP server
Bypassing PaloAlto
• Next-gen firewall
• No ports
• Based on application recognition
• RFC
• Meterpreter HTTP(s) caught!
• IRAT to the rescue
• Pretty simple GET and POST
• No SSL
• ASCII to HEX encoding
Bypassing IDS
IRAT: Iñaki's Remote Administration Tool
• KISS
• No dependencies
• C (Nightmare)
• No crypters (Sorry Abraham)
• Proxy support
• HTTP(s)
• ASCII to Hex
• Commands into simple HTML files
• C&C panel with templates
• FUD (Fully undetectable)
IRAT: Communication
IRAT: C&C (I)
IRAT: C&C (II)
The attack
Bypassing Humans
• Top 120 lusers
• Emails with a predefined message
• Excel attached (.xls)
• HR impersonation
• With my own SMTP server
• Client threatened by employees
• Not my fault :)
You've Got Mail
/con/cat
Facts!
Results
First try
Second try
And now what?
The hangover
• Patterns on logs
• Splunk logging everything
• Under the radar
• User agent
• One guy on SecurityFocus
• Looking for mainframe exploits
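Added example, not code from the talk or from IRAT: the kind of pattern search the "patterns on logs" and "user agent" bullets point at, run over constructed proxy log lines. It flags clients that poll hex-only URL paths (the ASCII-to-HEX style traffic described earlier) at a near-constant interval and notes whether their user agent is unique on the network; the log format, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log (not from the talk): timestamp client method url "user-agent".
# Client 10.1.1.9 polls hex-named pages every ten minutes with a user agent nobody else uses.
SAMPLE_LOG = """\
2014-03-03T09:00:00 10.1.1.7 GET http://news.example/markets.html "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0"
2014-03-03T09:00:01 10.1.1.7 GET http://news.example/css/site.css "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0"
2014-03-03T09:00:10 10.1.1.9 GET http://finance-mirror.example/6c6973746469722e68746d6c "Mozilla/4.0 (compatible; MSIE 6.0)"
2014-03-03T09:10:12 10.1.1.9 POST http://finance-mirror.example/696e666f "Mozilla/4.0 (compatible; MSIE 6.0)"
2014-03-03T09:20:09 10.1.1.9 GET http://finance-mirror.example/6c6973746469722e68746d6c "Mozilla/4.0 (compatible; MSIE 6.0)"
2014-03-03T09:30:11 10.1.1.9 POST http://finance-mirror.example/696e666f "Mozilla/4.0 (compatible; MSIE 6.0)"
2014-03-03T09:31:00 10.1.1.7 GET http://news.example/abcd1234.html "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0"
"""

LINE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')
HEX_PATH = re.compile(r"^/(?:[0-9a-fA-F]{2}){4,}(?:\.html?)?$")  # path is nothing but hex byte pairs

def parse_log(text):
    """Yield (timestamp, client, path, user_agent) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, client, _method, url, ua = m.groups()
            yield datetime.fromisoformat(ts), client, urlparse(url).path, ua

def find_beacons(text, min_hits=3, jitter=30):
    """Map client -> summary for clients polling hex-only paths at a near-constant interval."""
    hits = defaultdict(list)       # client -> [(timestamp, user agent)] of hex-path requests
    ua_clients = defaultdict(set)  # user agent -> clients seen using it
    for ts, client, path, ua in parse_log(text):
        ua_clients[ua].add(client)
        if HEX_PATH.match(path):
            hits[client].append((ts, ua))
    report = {}
    for client, events in hits.items():
        if len(events) < min_hits:
            continue  # one hex-looking URL is ordinary browsing; a series is worth a look
        times = sorted(ts for ts, _ in events)
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(deltas) - min(deltas) > jitter:
            continue  # irregular timing: not a polling loop
        report[client] = {
            "hits": len(events),
            "interval_s": round(sum(deltas) / len(deltas)),
            "rare_user_agent": all(len(ua_clients[ua]) == 1 for _, ua in events),
        }
    return report
```

The same three signals (encoded-looking paths, fixed cadence, a user agent seen from a single host) translate directly into a Splunk search over proxy logs; the thresholds need tuning per environment.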
Weakness
• SPF
• Check your own domains!
• Logging
• Too much, too useless
• Antivirus
• In AVs we trust
Yet another Cuckoo deployment
• Exchange mailboxes
• Attachments to Cuckoo
• VBS
• Logs sent to Splunk
• Custom signatures
Mail2Cuckoo
Ok, Ok… I finish. But…
• PowerPoint Engineering
• Expectations
• Security By Default
• Investment in people
THANKS!!
Q/A