RAT-a-tat-tat
Taking the fight to the RAT controllers
Who Am I
• Jeremy du Bruyn – twitter: @herebepanda, irc: panda
• Pentester / Consultant at SensePost
• Spoken at a previous ZaCon about password cracking
• Currently doing MSc. at Rhodes
What's this about
• I've done some research on two prolific RATs that I'd like to share with y'all
– I am not a malware researcher, I'm just an ex-network-pentester-consultant-infosec guy
– Some dynamic analysis using cuckoo sandbox
– Some static analysis using scripts to pick apart the server binaries
• Ways to search for these RATs on the greater internet
– With an example
Background story
• Malware.lu report on Mandiant APT1
– Python code for finding Poison Ivy C2s
• Are there any Poison Ivy C2s in ZA?
– Writing robust network code is hard
– Rather leverage off of NMAP
• I didn't find any Poison Ivy C2s in ZA :) / :(
• I really want to play with this, where can I get some samples?
credit (http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf)
My collection
• VirusTotal provide access to their Private API, which allows for searching and downloading of samples, to researchers
• After speaking with some malware folks I got a list of the most popular RATs being used in attacks
– (@vlad_o, @undeadsecurity, @bobmcardle)
• Started collecting in August 2013
• Samples downloaded
– Searched for "Poison.*" and "Fynloski.*"
– Total 34 GB of samples
• For sure a cheap VPS would hold the few 100 MB's of samples I'd download
link (https://www.virustotal.com/en/documentation/private-api/)
RAT infrastructure
credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Poison Ivy
• Been around for many years
– Oldest version on the website is from 2006, first released in 2005
– Latest public version is 2.3.2 released in 2008
– Private versions still being released, including a Vista+ patch
– Free to download off the author's website
• Apparently very popular amongst Chinese attackers
– Recently used by Mandiant APT1 groups
– Used in RSA hack
Poison Ivy
• Samples
– 12,133 downloaded
– 5,004 analysed
• Too much pondering/figuring in the beginning
• 26 live
• Not a lot I know, but they provide some interesting insights
• Average PI C2 lifespan is 3 months
• Analysis conducted using a mixture of the VirusTotal behavioural analysis results and a local cuckoo sandbox instance
VT Behavioural Analysis
• They use a "cluster" of cuckoo sandbox machines to perform the analysis and provide data via JSON
• VirusTotal behavioural analysis not conducted on all samples
– Like 1 in 10
– Not allowed to share samples with 3rd parties
Cuckoo sandbox
• Cuckoo sandbox used for the majority of the samples
– 5 WinXP SP2 virtual machine guests
– Timeout of 2 minutes
• Only allowed DNS traffic to cuckoo host
– Unbound DNS resolver
• Tweaked to report all traffic, even SYN
– modules/processing/network.py (host down, not reported)
– Malwr.com has the same problem
• api.py is super useful
– Submit jobs, get analysis reports in JSON
• At the end able to process a couple hundred samples a day
Analysis system
• System is postgres driven
• Extracted info from the samples put into DB:
– C2 / proxy IP
– Port
• Scripts would pick up unprocessed samples and perform liveness testing of C2 and extract the Camellia key
– Again writing to the DB
Poison Ivy
• Camellia key used to authenticate server and encrypt communication
– Crypto hashing algorithm
– Used for all servers
– Can be extracted from server traffic :)
link (https://en.wikipedia.org/wiki/Camellia_(cipher))
Poison Ivy
• JtR module available for brute-forcing (malware.lu)
– I've asked for its inclusion into hashcat
– @atom, if you are reading this, *cough* oclhashcat
Vulnerabilities
• Metasploit module for Buffer Overflow bug in Poison Ivy 2.3.2
– Think meterpreter
– All you need is the C2 IP, port and clear-text Camellia password
– Malware.lu guys used this to great effect
• FireEye “PIVY memory-decoding tool” for Immunity debugger can also extract this info
Link (http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof) (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
My contribution
• NMAP service probes to detect C2s across the Internet and NSE script to extract Camellia key from server traffic
DarkComet
• Very popular around the world
• Development abandoned by the author after Syrian government use
– Crippled version available on author's website
– Current public full version is 5.3.1
– Current public crippled version 5.4.1 "Legacy"
• Fairly good collection available via .torrent
Link (http://darkcomet-rat.com/) (https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection)
DarkComet
• Samples
– 33,592 downloaded (32GB)
– 12,133 analysed
• 4408 successfully
• 40 live
• Analysis script inspired by AlienVault Labs
– Only worked on V5, updated to work on V5.1+
credit (https://code.google.com/p/alienvault-labs-garage/downloads/list)
DarkComet
• Encrypted server configuration information contained within the binary
– C2 IP, port, password
– FTP host, port, username, password, path
• Server configuration encrypted using static keys:
– V5.1+ : #KCMDDC51#-890
– V5.0 : #KCMDDC5#-890
– V4.2F : #KCMDDC42F#-890
– V4.2 : #KCMDDC42#-890
– V4.1 : #KCMDDC4#-890
– V2.x + 3.x : #KCMDDC2#-890
• Static key and password ("PWD") used to authenticate and encrypt communications
credit (http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf)
DarkComet
[Chart: share of analysed samples by static key + password; slices labelled #KCMDDC51#-890, #KCMDDC51#-8900123456789 and Other, with values 90.22%, 8.62% and 1.16%]
DarkComet
• All this is encrypted using the static key + 'PWD'
credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Vulnerabilities
• Makes use of SQLite DB (comet.db)
– Contains information on all connected servers
– SQLi
• Arbitrary File Download vulnerability
– RAT allows controller to overwrite files
– Doesn't check that C2 initiated connection
credit (http://www.matasano.com/research/PEST-CONTROL.pdf)
My contribution
• NMAP service probes to detect C2s across the Internet
– DarkComet
• Receives "IDTYPE" encrypted with default (and most popular) password
– Xtreme RAT
• Sends "myversion|3.6 Public\r\n"
• Receives
– Bytes 1-3 "\x58\x0d\x0a"
– Bytes 4-12 "\xd2\x02\x96\x49\x00\x00\x00\x00"
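Added example (my code, not the speaker's script or the talk's NMAP probes): the two DarkComet points above, config extraction with the per-version static keys and the "IDTYPE" greeting check, plus the Xtreme RAT reply fingerprint, in one Python module. It assumes, as public DarkComet analyses report but the slides do not state, that the cipher is RC4 keyed with static key + PWD and that C2 traffic is hex-encoded on the wire; the config blob and its field names are constructed for the demonstration, and the empty PWD is the most common case from the chart above.

```python
import binascii

# DarkComet version -> static key, as listed on the slides.
DARKCOMET_STATIC_KEYS = {
    "5.1+": "#KCMDDC51#-890",
    "5.0": "#KCMDDC5#-890",
    "4.2F": "#KCMDDC42F#-890",
    "4.2": "#KCMDDC42#-890",
    "4.1": "#KCMDDC4#-890",
    "2.x/3.x": "#KCMDDC2#-890",
}

# Xtreme RAT fingerprint from the slides: the probe sent and the fixed leading bytes of the reply.
XTREME_PROBE = b"myversion|3.6 Public\r\n"
XTREME_REPLY_PREFIX = b"\x58\x0d\x0a" + b"\xd2\x02\x96\x49\x00\x00\x00\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); decryption is the same operation as encryption.
    Assumption: DarkComet's cipher is RC4 (taken from public analyses, not from the slides)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def darkcomet_key(version: str, password: str = "") -> bytes:
    """Static key for the version with the operator's PWD appended (empty PWD = the chart's 90% case)."""
    return (DARKCOMET_STATIC_KEYS[version] + password).encode()


def looks_like_config(plain: bytes) -> bool:
    """The right key yields printable ASCII NAME=value lines; a wrong key yields binary noise."""
    if not all(32 <= b < 127 or b in (10, 13) for b in plain):
        return False
    return any(b"=" in line for line in plain.splitlines())


def extract_config(blob: bytes, password: str = ""):
    """Try every version's static key against an encrypted config blob; return (version, fields) or None."""
    for version in DARKCOMET_STATIC_KEYS:
        plain = rc4(darkcomet_key(version, password), blob)
        if looks_like_config(plain):
            lines = plain.decode("ascii").splitlines()
            fields = dict(line.split("=", 1) for line in lines if "=" in line)
            return version, fields
    return None


def is_darkcomet_banner(wire: bytes, password: str = "") -> bool:
    """A DarkComet C2 greets a new connection with 'IDTYPE' under static key + PWD.
    Assumption: the ciphertext travels hex-encoded, as in public DarkComet traffic analyses."""
    try:
        raw = binascii.unhexlify(wire.strip())
    except (binascii.Error, ValueError):
        return False
    return rc4(darkcomet_key("5.1+", password), raw) == b"IDTYPE"


def fingerprint_c2_reply(reply: bytes, password: str = ""):
    """Classify the first bytes a listener sends back, the way a service-probe match line would."""
    if reply.startswith(XTREME_REPLY_PREFIX):
        return "Xtreme RAT"
    if is_darkcomet_banner(reply, password):
        return "DarkComet"
    return None


# Constructed sample: a v5.1+ config with empty PWD (field names are illustrative, not DarkComet's own).
SAMPLE_CONFIG = b"C2HOST=c2.example.invalid\r\nC2PORT=1604\r\nPWD=\r\nFTPHOST=ftp.example.invalid\r\n"
SAMPLE_BLOB = rc4(darkcomet_key("5.1+"), SAMPLE_CONFIG)

if __name__ == "__main__":
    print(extract_config(SAMPLE_BLOB))
    print(fingerprint_c2_reply(binascii.hexlify(rc4(darkcomet_key("5.1+"), b"IDTYPE"))))
    print(fingerprint_c2_reply(XTREME_REPLY_PREFIX + b"\x00"))
```

With a non-default PWD the config and the greeting both decrypt to noise under the default key, which is exactly why the probe only catches the "default (and most popular) password" C2s; `extract_config` returns None in that case rather than guessing.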
My contribution
• Updated DarkComet configuration extraction script, for v5.1+
menuPass Campaign
• One of my samples had the filename "Strategy_Meeting.exe" and a Google search gave me the FireEye report "Poison Ivy: Assessing Damage and Extracting Intelligence"
– menuPass campaign launched in 2009 targeting defense contractors
– Main industries targeted were
• Defense, Consulting / Engineering, ISP, Aerospace, Heavy Industry, Government
• Spear-phishing used as initial attack vector
– Weaponised .doc and .zip
• Using pentest footprinting techniques I uncovered a bit about their infrastructure
Link (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
menuPass Campaign
credit (http://www.paterva.com/web6/products/casefile.php)
menuPass Campaign
• "The IP 60.10.1.120 hosted the domain apple.cmdnetview.com"
• This hostname appeared in my analysis but with an IP of 112.213.118.34
• One of my samples has hk.2012yearleft.com (112.213.118.33) and tw.2012yearleft.com (50.2.160.125) as C2s
– tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in FireEye report
– 5 live samples using this C2 in my collection
– All used Camellia key "ketcxsAWfeAxiQ64ndURvA=="
menuPass Campaign
• New hostnames found using "ketcxsAWfeAxiQ64ndURvA==" from my samples:
– banana.cmdnetview.com
– drives.methoder.com
– muller.exprenum.com
• New hostnames in 50.2.160.0/24 from samples:
– kmd.crabdance.com 50.2.160.104
– banana.cmdnetview.com 50.2.160.146
– drives.methoder.com 50.2.160.125
– muller.exprenum.com 50.2.160.125
menuPass Campaign
• Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found additional C2s in 50.2.160.0/24:
– 50.2.160.42:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
– 50.2.160.84:80/443 (daddy.gostudyantivirus.com) (AoFSY4Fi5u8sX3Bo7To86w==)
– 50.2.160.104:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.125:80/443 (document.methoder.com, drives.methoder.com, mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com) (ketcxsAWfeAxiQ64ndURvA==)
– 50.2.160.146:443 ketcxsAWfeAxiQ64ndURvA==
– 50.2.160.179:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.193:443 tG3Sl8fQtuyKj/jh97O67w==
– 50.2.160.226:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.241:443 gdWSvDcDqmZFC5/qvQiwhQ==
menuPass Campaign
• Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from 50.2.160.104):
– ux.niushenghuo.info 142.4.121.144
– for.ddns.mobi 142.4.121.144
• Hostnames from samples in 142.4.121.0/24:
– gold.polopurple.com 142.4.121.138
• Additional PI C2s in 142.4.121.0/24 using NMAP:
– 142.4.121.137:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
– 142.4.121.139:80/443 AoFSY4Fi5u8sX3Bo7To86w==
– 142.4.121.140:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.141:80 ketcxsAWfeAxiQ64ndURvA==
– 142.4.121.142:443 ketcxsAWfeAxiQ64ndURvA==
– 142.4.121.144:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.181:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.203:443 gdWSvDcDqmZFC5/qvQiwhQ==
menuPass Campaign
• [email protected] registered:
– 2012yearleft.com
– cmdnetview.com
– gostudyantivirus.com
– 100fanwen.com
• DomainTools reports that this email address has been used to register 157 domains
– So still a lot of research to be done
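Added example (my code, not the speaker's CaseFile graph or scripts) of the pivoting the last few slides do by hand: the C2 observations transcribed from the menuPass slides are loaded as a graph of IPs, Camellia keys, hostnames and /24 netblocks, and a breadth-first pivot shows how one shared key links 50.2.160.0/24 to 142.4.121.0/24. Treating the /24 as a linking observable is my choice, not something the slides state; port strings are carried along but not used as edges.

```python
from collections import defaultdict, deque
import ipaddress

# Poison Ivy C2 observations transcribed from the menuPass slides: (ip, ports, camellia_key, hostnames).
# A key of None means the slides list that host from a sample without a key for it.
C2_RECORDS = [
    ("50.2.160.42", "80/443", "3ntLjgUGgQUYeKl3ncWgeQ==", []),
    ("50.2.160.84", "80/443", "AoFSY4Fi5u8sX3Bo7To86w==", ["daddy.gostudyantivirus.com"]),
    ("50.2.160.104", "443", "gdWSvDcDqmZFC5/qvQiwhQ==", ["kmd.crabdance.com"]),
    ("50.2.160.125", "80/443", "ketcxsAWfeAxiQ64ndURvA==",
     ["tw.2012yearleft.com", "document.methoder.com", "drives.methoder.com", "muller.exprenum.com",
      "mocha.100fanwen.com", "scrlk.exprenum.com", "zone.demoones.com"]),
    ("50.2.160.146", "443", "ketcxsAWfeAxiQ64ndURvA==", ["banana.cmdnetview.com"]),
    ("50.2.160.179", "443", "gdWSvDcDqmZFC5/qvQiwhQ==", []),
    ("50.2.160.193", "443", "tG3Sl8fQtuyKj/jh97O67w==", []),
    ("50.2.160.226", "443", "gdWSvDcDqmZFC5/qvQiwhQ==", []),
    ("50.2.160.241", "443", "gdWSvDcDqmZFC5/qvQiwhQ==", []),
    ("142.4.121.137", "80/443", "3ntLjgUGgQUYeKl3ncWgeQ==", []),
    ("142.4.121.138", None, None, ["gold.polopurple.com"]),
    ("142.4.121.139", "80/443", "AoFSY4Fi5u8sX3Bo7To86w==", []),
    ("142.4.121.140", "443", "gdWSvDcDqmZFC5/qvQiwhQ==", []),
    ("142.4.121.141", "80", "ketcxsAWfeAxiQ64ndURvA==", []),
    ("142.4.121.142", "443", "ketcxsAWfeAxiQ64ndURvA==", []),
    ("142.4.121.144", "443", "gdWSvDcDqmZFC5/qvQiwhQ==", ["ux.niushenghuo.info", "for.ddns.mobi"]),
    ("142.4.121.181", "443", "gdWSvDcDqmZFC5/qvQiwhQ==", []),
    ("142.4.121.203", "443", "gdWSvDcDqmZFC5/qvQiwhQ==", []),
]


def build_graph(records):
    """Undirected graph of observables: each IP links to its /24, its Camellia key and its hostnames."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for ip, _ports, key, hosts in records:
        net = str(ipaddress.ip_network(ip + "/24", strict=False))  # /24 edge is this example's assumption
        link(("ip", ip), ("net", net))
        if key:
            link(("ip", ip), ("key", key))
        for host in hosts:
            link(("ip", ip), ("host", host))
    return graph


def pivot(graph, start, max_hops=2):
    """Breadth-first expansion from one observable; returns {node: hops} for nodes within max_hops."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] == max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen


def ips_sharing_key(graph, camellia_key):
    """All C2 IPs observed with one Camellia key, in numeric order."""
    return sorted((ip for kind, ip in graph[("key", camellia_key)] if kind == "ip"),
                  key=ipaddress.ip_address)


def netblocks_for_key(graph, camellia_key):
    """The /24s a single key reaches: one key across netblocks is the linkage the slides exploit."""
    nets = set()
    for ip in ips_sharing_key(graph, camellia_key):
        nets |= {n for kind, n in graph[("ip", ip)] if kind == "net"}
    return sorted(nets)


if __name__ == "__main__":
    g = build_graph(C2_RECORDS)
    k = "gdWSvDcDqmZFC5/qvQiwhQ=="
    print(ips_sharing_key(g, k))
    print(netblocks_for_key(g, k))
    for node, hops in sorted(pivot(g, ("host", "kmd.crabdance.com")).items(), key=lambda kv: kv[1]):
        print(hops, node)
```

Starting from kmd.crabdance.com, two hops reach its IP, its /24 and the gdWS... key; a third hop through that key lands in 142.4.121.0/24, which is the jump the slides make. Adding registrant-email and passive-DNS nodes to the same graph is the natural next step for the 157 domains DomainTools reports.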
Conclusion
• Those with an interest in amateur malware analysis
– I utilised my pentesting skillset to work on this stuff
• Defenders looking for more ways to defend
– Using these methods you can start investigating attacks on your organisation and start moving up the kill-chain
• Greyhats wanting to increase the cost of attackers running these RATs
Thank You
• If there's time for questions, shoot.
• Otherwise catch me at lunch