APT - A Pretty Trojan

APT - A Pretty TrojanIñaki Rodríguez

And the thanks goes to …

3

About me

4

- Security Manager at Wuaki TV!- Ex-Pentester at SensePost!- Founder member of Mlw.re!- @virtualminds_es

❝

❞

A Middle East tale

A Middle East tale(Malware, Russians and Exploit kits)

Far, far, really far in Dubai

6

Far, far, really far in Dubai

6

• Exfiltration test!

• Social Engineering!

• Targeted Attack!

• Desktop users!

• Exploit kits

7

Our team mate got access

Meanwhile in London

• Email!• Excel files!• PDF!• Metasploit!• Sakura

8

But no exfiltration!

Almost there but …

• First stage executed!• Meterpreter downloaded!• No reply

9

Give me baby one more time

10

Help! I need somebody

The characters

12

BarceloDub

12

BarceloDub

Starring…

Russian wettest

13

Russian wettest

13

Russian wettest dream

• Exploit kit for campaigns!

• Phishing!

• Trainings

Impossible Mission?

14

Impossible Mission?

14

• Exfiltration of information!

• Help the company to avoid it!

• Two weeks

Adventure Time

Back to the Future

16

Back to the Future

16

• Same payloads!• Same exploits!• Patterns in Splunk

Growing Pains

17

Growing Pains

17

• Meterpreter!

• First stage: A kind of client!

• Second stage: The real meterpreter!

• Problems: Protocol and DLL!

• Crypters useless

My TODO

18

My TODO

18

• Endpoint protection!

• Proxy!

• Antispam/AV solution!

• Firewall/IDS/IPS!

• Flight under the radar!

• Custom Malware

Bypassing SEP (I)

19

Bypassing SEP (I)

19

• Macro execution!

• Shellcodes!

• Dropper!

• First Irat version!

• Because anything with I is cool

Bypassing SEP (II)

20

Bypassing SEP (II)

20

EXE to VBS

Bypassing Websense (I)

21

Bypassing Websense (I)

21

• Content classification!

• Financial content!

• No executables!

• Mirroring!

• Hidden commands

Bypassing Websense (II)

22

Bypassing Message Labs

23

Bypassing Message Labs

23

• Zip files!• Antivirus!• Password protected!

• SPF!• Controlled SMTP server

Bypassing PaloAlto

24

Bypassing PaloAlto

24

• Next-gen firewall!• No ports!• Based on Application recognition!• RFC!

• Meterpreter HTTP(s) caught!!• IRAT to the rescue!

• Pretty simple GET and POST!• No SSL!• ASCII to HEX encoding

Bypassing IDS

25

IRAT: Iñaki’s Remote Administration Tool

26

IRAT: Iñaki’s Remote Administration Tool

26

• KISS!

• No dependencies!

• C (Nightmare)!

• No crypters (Sorry Abraham)!

• Proxy Support!

• HTTP(s)!

• Ascii to Hex!

• Commands into simple HTML files

• C&C panel with templates!

• FUD (Full undetectable)

IRAT: Communication

27

IRAT: C&C (I)

28

IRAT: C&C (II)

29

The attack

Bypassing Humans

31

Bypassing Humans

31

• Top 120 lusers!

• Emails with a predefined message!

• Excel attached (.xls)!

• HHRR Impersonation!

• With my own smtp server!

• Client threatened by employees!

• Not my fault :)

You've Got Mail

32

/con/cat

33

Facts!

34

Results

35

Results

35

First try

Results

35

First try

Second try

And now what?

The hangover

37

The hangover

37

• Patterns on logs!

• Splunk logging everything!

• Under the radar!

• User agent!

• One guy on SecurityFocus!

• Looking for mainframe exploits

Weakness

38

Weakness

38

• SPF!

• Check your own domains!!

• Logging!

• Too much, too useless!

• Antivirus!

• In AVs we trust

Yet another Cuckoo deployment

39

Yet another Cuckoo deployment

39

• Exchange mailboxes!

• Attachments to Cuckoo!

• VBS!

• Logs sent to Splunk!

• Custom Signatures

Mail2Cuckoo

40

Ok, Ok… I finish. But…

41

Ok, Ok… I finish. But…

41

• PowerPoint Engineering!

• Expectations!

• Security By Default!

• Investment on people!

THANKS!!

APT - A Pretty Trojan

Technology

Transcript of APT - A Pretty Trojan