ShadyRAT: Anatomy of targeted attack


Page 1: ShadyRAT: Anatomy of targeted attack

ShadyRAT : Anatomy of targeted attack

Vladislav Radetskiy

[email protected]

Page 2: ShadyRAT: Anatomy of targeted attack

About me…

Started in 2007 as Help Desk > System Administrator.

4 years of experience in IT outsourcing.

Working at BAKOTECH® Group since 2011.

Information security used to be my hobby; now it's my job.

I am responsible for technical support of McAfee solutions.

https://radetskiy.wordpress.com/

http://www.slideshare.net/Glok17/

http://ua.linkedin.com/pub/vladislav-radetskiy/47/405/809

Vladislav Radetskiy

Technical Lead

C|EH applicant

Page 3: ShadyRAT: Anatomy of targeted attack

Agenda

Terminology, today's cybersecurity battleground

ShadyRAT – a successful long-term, complex cybercrime operation

How can we protect our clients from such advanced attacks?

Page 4: ShadyRAT: Anatomy of targeted attack

Basics #1

Open-source intelligence (OSINT) – getting information from public sources.

Usual OSINT sources are Google, Facebook, LinkedIn, etc.

Social Engineering – the act of deceiving and manipulating a person for gain: money, information disclosure, access to a restricted area, etc.

Famous: Frank William Abagnale (Catch Me If You Can), Kevin Mitnick.

Page 5: ShadyRAT: Anatomy of targeted attack

OSINT during Cold War

“The decryption of a picture” from the CIA library

3 months of analysis by Charles V. Reeves from Boston Edison

Page 6: ShadyRAT: Anatomy of targeted attack

OSINT nowadays

Getting information about someone is not rocket science

A couple of hours, or even less with tools

Name, DOB, job, family status, habits, likes & dislikes, complexes

Page 7: ShadyRAT: Anatomy of targeted attack

Basics #2

Cyber-attack – a sequence of steps to compromise an IT system

Advanced Persistent Threat (APT) – a targeted, covert, long-term attack

Vulnerability – a defect (a bug) in software (Microsoft, Adobe, Java)

Exploit – a tool that takes advantage of a vulnerability (exploit-db.com)

Page 8: ShadyRAT: Anatomy of targeted attack

Basics #3

Remote Access Tool (RAT) – a tool for remote control of a hacked system

Trojan / backdoor / meterpreter, etc.

Command and Control (C&C) – servers on the Internet which attackers use to control compromised systems and interact with persistent malware

Steganography – a method of hiding data/code inside files (images)

Page 9: ShadyRAT: Anatomy of targeted attack

Briefing about the modern battleground

Cyber-criminals:

attack for information or money

can use ready-made tools (regardless of their technical skills)

can choose anyone as their target

use OSINT and social engineering (to craft the perfect lure)

Page 10: ShadyRAT: Anatomy of targeted attack

ShadyRAT

In 2011 McAfee Labs gained access to one C&C server. From the server logs:

Duration of operation: 5+ years

Number of victims: 70+

Average duration of persistence: ~9 months

Outcome: stolen data

Scope of targets: government, private, non-profit org…

Page 11: ShadyRAT: Anatomy of targeted attack
Page 12: ShadyRAT: Anatomy of targeted attack
Page 13: ShadyRAT: Anatomy of targeted attack

ShadyRAT

Hi, Bob. Remember me? It's me, John. We were together at the last Yankees game. Listen, I can give you a great discount on ___________ . Thanks in advance

Page 14: ShadyRAT: Anatomy of targeted attack

ShadyRAT

Bob trustingly opened the attached file, which used a vulnerability to install a RAT on Bob's system.

Page 15: ShadyRAT: Anatomy of targeted attack

ShadyRAT

The RAT communicates with the C&C server to get instructions

Page 16: ShadyRAT: Anatomy of targeted attack

ShadyRAT

The attacker sends a command: Sleep / Download / Upload …

The RAT communicates with the C&C server to get instructions

Page 17: ShadyRAT: Anatomy of targeted attack

ShadyRAT

The RAT transfers private data from Bob's system to the C&C server

The channel between the RAT and the C&C was concealed by steganography. It's like a smokescreen for the security staff.

Page 18: ShadyRAT: Anatomy of targeted attack

ShadyRAT

It's payday for the attacker – collecting the stolen data, which can be sold for real money

Page 19: ShadyRAT: Anatomy of targeted attack

ShadyRAT

This can be repeated again & again for 3-9 months. And Bob didn't notice anything. Meanwhile his company goes down..

Page 20: ShadyRAT: Anatomy of targeted attack

ShadyRAT

1. Attackers choose a victim company

2. Gather information about employees by OSINT

3. Use social engineering to compose fake emails with attached files

4. Victims receive the fake email and .. open the attached file (.xls)

5. The exploit in the attached file is used to deploy the RAT

6. The RAT establishes outbound connections to the C&C and transfers data

7. Commands to the RAT are hidden by steganography (HTML, images)
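Steps 6 and 7 above (and the "smokescreen" slide earlier) describe a C&C channel that hides instructions in ordinary-looking web content. As an added example, not code from the talk or from McAfee's report, the Python scanner below shows two cheap defender-side checks on such traffic: flagging HTML comments that contain long, high-entropy base64-looking runs, and flagging image files with bytes appended after the end-of-image marker. The sample page, the encoded blob and the fake JPEG are constructed for the demo; the 40-character and 3.5-bit thresholds are heuristics, not values from the report.

```python
import math
import re
import base64

# Constructed demo payload: harmless text, base64-encoded only to mimic the shape
# of an encoded instruction hidden in a comment. It is not a real RAT command.
DEMO_BLOB = base64.b64encode(
    b"constructed placeholder text for this demonstration, not a real command"
).decode()

# Constructed web page: one ordinary comment and one carrying the encoded blob.
SAMPLE_HTML = (
    "<html><body>\n<!-- footer template v2 -->\n<p>Welcome to the site</p>\n"
    "<!-- " + DEMO_BLOB + " -->\n</body></html>"
)
# Constructed fake JPEG: SOI marker, filler, EOI marker, then 16 appended bytes.
SAMPLE_JPEG = b"\xff\xd8" + b"\x00" * 12 + b"\xff\xd9" + b"X" * 16

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")  # long base64-looking runs only

def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of real data scores well above repeated filler."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_suspicious_comments(html: str, min_entropy: float = 3.5) -> list:
    """Return (comment_prefix, token, entropy) for comments hiding high-entropy runs."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        for token in TOKEN_RE.findall(body):
            ent = shannon_entropy(token)
            if ent >= min_entropy:
                hits.append((body[:40], token, round(ent, 2)))
    return hits

def image_trailing_bytes(data: bytes) -> int:
    """Bytes appended after the end-of-image marker (a cheap smuggling check).
    Heuristic only: data hidden inside the pixel values themselves passes this."""
    if data.startswith(b"\xff\xd8"):                 # JPEG: last EOI marker FF D9
        end = data.rfind(b"\xff\xd9")
        return 0 if end < 0 else max(0, len(data) - (end + 2))
    if data.startswith(b"\x89PNG\r\n\x1a\n"):       # PNG: IEND chunk + 4-byte CRC
        end = data.find(b"IEND")
        return 0 if end < 0 else max(0, len(data) - (end + 8))
    return 0

if __name__ == "__main__":
    print(find_suspicious_comments(SAMPLE_HTML), image_trailing_bytes(SAMPLE_JPEG))
```

Both checks produce false positives on legitimate content (long tracking tokens in comments, images with harmless trailing metadata), so treat a hit as a lead for the analyst rather than a verdict.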

Page 21: ShadyRAT: Anatomy of targeted attack

ShadyRAT

What's the matter?!

Attackers used vulnerabilities in the system along with social engineering

Attackers had the ability to search for and collect data for months

The operation was not so complex (technically), rather simple

The RAT went undetected for months (9 - 28)

Outcome = a large amount of data which can be sold for money or used later for blackmail

Page 22: ShadyRAT: Anatomy of targeted attack

Any lessons learned after ShadyRAT? No!

July 2014 – January 2015: Meet CTB-Locker (Critroni)

Crypto ransomware > $350 – 700 to decrypt the data

Spreads by random (not targeted) SPAM

Page 23: ShadyRAT: Anatomy of targeted attack

Any lessons learned after ShadyRAT? No!

Meet CTB-Locker (Critroni)

Page 24: ShadyRAT: Anatomy of targeted attack

How can we protect against APT?

Components

Page 25: ShadyRAT: Anatomy of targeted attack

How can we protect against APT?

Page 26: ShadyRAT: Anatomy of targeted attack

Conclusions

Cybercrime today is a way to make money > a business

Almost anyone can take the tools and try to break in (Kali Linux, msf, etc.)

At the same time, anyone can be chosen as a target

Be aware of targeted attacks, OSINT and social engineering

Page 27: ShadyRAT: Anatomy of targeted attack

Sources

• Dmitri Alperovitch, Vice President of McAfee Threat Research

Revealed: Operation Shady RAT (August 2011)

• Bruce Schneier, computer security and privacy specialist

The State of Incident Response (Black Hat USA 2014)

• Steven Rambam, private investigator who uses OSINT, Pallorium, Inc.

“Privacy is Dead - Get Over It” (2010)

“Privacy: A Postmortem” (2012)

“…Taking Anonymity” (2014)

Page 28: ShadyRAT: Anatomy of targeted attack

Example of human vulnerabilities

Page 29: ShadyRAT: Anatomy of targeted attack

Example of human vulnerabilities

2012 - Photos of Prince William Expose Royal Air Force Passwords

Page 30: ShadyRAT: Anatomy of targeted attack

Example of human vulnerabilities

2014 - FIFA World Cup Brazilian Security Command Center Wi-Fi Pass

b5a2112014

Page 31: ShadyRAT: Anatomy of targeted attack

Example of human vulnerabilities

2015 – French TV5Monde exposed passwords during a TV interview > hacked

Page 32: ShadyRAT: Anatomy of targeted attack

And please don’t forget …

Sometimes (usually, always) Google, Facebook, Twitter and LinkedIn are the primary sources of private information about whole companies and their employees.

Information about the predilections, habits and complexes of the chosen people can be recovered by OSINT and used by an attacker as a pretext for social engineering.

Page 33: ShadyRAT: Anatomy of targeted attack

Thank you for your attention

Vladislav Radetskiy

[email protected]

radetskiy.wordpress.com