Software Reverse Engineering | CYBR 220 | Spring 2020 | University of the Pacific | Jeff Shafer
Behavioral Analysis
Malware
Dark Caracal – January 2018
• “Dark Caracal” is the name of a spyware campaign
• Operations observed (with different malware) since 2012; publicly disclosed in 2018 in a joint report by EFF and Lookout
• Advanced Persistent Threat (APT) surveillance targeting individuals and institutions (utilities, financial institutions, defense contractors, …)
• Observed operations exfiltrating “hundreds of gigabytes of data”
• Authors: Lebanese General Security Directorate (alleged); attack infrastructure correlated to a building they own
• So we have to watch out for Lebanon now too??
Dark Caracal – January 2018
• Multiple tools in use since inception
  • FinFisher – “lawful intercept” tool sold to governments for “legitimate purposes”
  • Bandook RAT – original RAT, Windows-only
  • CrossRAT – new RAT? Cross platform! (Windows, OSX, Linux); written in Java
  • Pallas – Android malware in trojanized apps
• Capture documents, messaging clients (contacts and messages), audio, …
• Mobile component
Dark Caracal
• SHA256 for CrossRAT: 15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649
• [Screenshot: VirusTotal detection results on 1/23/2018; thanks to digitasecurity.com]
Dark Caracal
• Dark Caracal: Cyber-espionage at a Global Scale
  https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
• Very good report – you should at least read the executive summary
  • 11 Android malware IOCs
  • 26 desktop malware IOCs
  • 60 domains and IP addresses
  • Lots of hashes to search for
Dark Caracal
• Analyzing CrossRAT: A cross-platform implant, utilized in a global cyber-espionage campaign
  https://digitasecurity.com/blog/2018/01/23/crossrat/
Analysis Tools
Build Your Own: Malware Analysis Lab
• What tools do we need in the lab?
  • Static property analysis (program not running): PEStudio, Strings, BinText, …
  • Interactive behavioral analysis (program is running): Process Hacker, RegShot, Wireshark, API Monitor, …
  • Code analysis/reversing (We 🖤 Assembly): IDA Pro, x64dbg, OllyDbg, …
PEStudio – Static analysis
• Hash values: MD5, SHA1, SHA256
• 32 or 64 bit
PEStudio – Static analysis
• What do the VirusTotal AV scanners think? 🤔
PEStudio – Static analysis
• Only one library? (kernel32.dll is always loaded)
• Only one function imported? (allocates memory) 🤔
• A near-empty import table is itself a tell: a program that does anything useful needs far more than one API, so the real imports are probably resolved at run time, after something unpacks
PEStudio – Static analysis
• Many strings, but none are human readable 🤔
bytehist – Static analysis
• Green section is a histogram of byte occurrences from 0x00 to 0xFF
• It’s not compressed or encrypted (which would show a fully random/even distribution), but perhaps encoded? 🤔
• [Histogram annotated against the ASCII table: the tall bars line up with the space, A–Z and a–z ranges?]
Static Analysis
• We could continue using other static analysis tools, but it is likely a waste of time
• Few imported libraries? Few imported functions? Few readable strings? Histogram showing a perfectly random or lumpy distribution?
• Either this is a binary that does absolutely nothing useful, or (far more likely) the malware is packed: the real code, imports and strings only exist in memory after the unpacking stub has run
Packing
Original executable → Packing program → Obfuscated malware
• Original executable
  • Malware
  • Not obfuscated
  • Easy for AV programs to detect
  • Easy for static analysis tools to examine
• Packing program
  • Compression
  • Encryption
  • XOR
  • Standard or custom algorithms – easy to write new variants
• Obfuscated malware 😈
  • Unpacking program is the wrapper
  • Original executable is the payload to be unpacked
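The static-analysis tells from the PEStudio and bytehist slides (hashes, imports, strings, the shape of the byte histogram) and the packing flow on this slide, as an added Python example that is not from the course or from any real packer: it builds a toy packer (compress, then XOR with a hash-derived keystream), runs the slide-16 triage questions against the original, the packed blob and a base64 copy of it, and shows why the histogram separates "encrypted" from "encoded". The sample bytes, the import names, the key and the thresholds are all constructed or assumed.

```python
"""Static triage heuristics (PEStudio / strings / bytehist) run against a toy packed
sample. Added example for the course slides, not code from the course or any packer."""
import base64
import hashlib
import math
import random
import re
import zlib
from collections import Counter

# Constructed stand-in for an unpacked executable: a few readable strings (typical
# import names and artifacts, nothing from a real sample) plus low-entropy,
# opcode-like filler drawn from a 16-byte alphabet with a seeded RNG.
STRINGS = [b"This program cannot be run in DOS mode.", b"kernel32.dll", b"VirtualAlloc",
           b"http://c2.example.invalid/gate.php",
           b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"]
_ALPHABET = b"\x00\x00\x00\x00\x48\x89\xe5\x55\xc3\x90\xff\x8b\x0f\x1f\x44\x24"
ORIGINAL = b"\x00".join(STRINGS) + b"\x00" + bytes(random.Random(2020).choices(_ALPHABET, k=6000))
PACK_KEY = b"intern-wrote-this"  # assumed toy key, not from any real packer


def hashes(data: bytes) -> dict:
    """MD5 / SHA1 / SHA256: the identifiers PEStudio lists and VirusTotal indexes."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def printable_strings(data: bytes, min_len: int = 5) -> list:
    """What Strings/BinText do: runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a constant byte, 8 for uniform random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def top_bytes(data: bytes, k: int = 8) -> list:
    """The tallest bars of a bytehist plot: (byte value, count), most common first."""
    return Counter(data).most_common(k)


def _keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher: SHA256(key || counter) blocks, enough for n bytes."""
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def pack(payload: bytes) -> bytes:
    """Toy packer: compress, then XOR with a keystream (the slide's compression + encryption)."""
    z = zlib.compress(payload, 9)
    return bytes(a ^ b for a, b in zip(z, _keystream(PACK_KEY, len(z))))


def unpack(blob: bytes) -> bytes:
    """The wrapper's job at run time; in real malware the result lands in memory, not on disk."""
    return zlib.decompress(bytes(a ^ b for a, b in zip(blob, _keystream(PACK_KEY, len(blob)))))


def triage(data: bytes) -> dict:
    """The slide-16 questions as numbers: readable strings, histogram shape, entropy."""
    return {
        "size": len(data),
        "strings": len(printable_strings(data)),
        "distinct_bytes": len(set(data)),
        "printable_fraction": round(sum(0x20 <= b <= 0x7e for b in data) / len(data), 3),
        "entropy": round(entropy(data), 2),
    }


def verdict(t: dict) -> str:
    """Reading the histogram the way slide 14 does. An even spread over all 256 values
    (entropy near 8) means compression or encryption; nearly everything printable with a
    small alphabet means an encoding such as base64; otherwise the bytes are probably
    code/data and the static tools are worth running. Thresholds are assumed, not measured."""
    if t["entropy"] >= 7.5:
        return "packed (compressed/encrypted)"
    if t["printable_fraction"] >= 0.95 and t["distinct_bytes"] <= 70:
        return "encoded, not encrypted"
    return "plain code/data"


def samples() -> dict:
    """The three blobs compared below: original, packed, and a base64 copy of packed."""
    packed = pack(ORIGINAL)
    return {"original": ORIGINAL, "packed": packed, "base64": base64.b64encode(packed)}


if __name__ == "__main__":
    for label, blob in samples().items():
        t = triage(blob)
        print(f"{label:9} {t} -> {verdict(t)}")
        print("          top bytes:", [(hex(b), c) for b, c in top_bytes(blob, 5)])
```

The packed blob keeps none of the original strings and its histogram is flat, which is exactly the "nothing to see here" picture the PEStudio slides showed; the base64 copy has the same information but a lumpy histogram confined to 65 byte values, so the verdict is "encoded" and the right next move is to decode it and triage again rather than reach for a debugger.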
Next Steps
• We could dive into the packer assembly code next
  • Figure out exactly how it works…
  • Write a tool to extract the malware payload…
  • Try our static analysis tools again…
• But the payload may not be a nice PE executable with a perfect header. It could be a binary blob injected into memory
• And do we really care how the packer works? Packers are throwaway code – you have your malware interns write them!
Behavioral Analysis
Behavioral Analysis
• Run the malware in its native environment (an isolated, snapshotted VM with no route to the host or any production network) and observe what happens
  • Filesystem access? (Read/Write/Create/Delete)
  • Registry access? (Read/Write/Create/Delete)
  • Network access?
  • System calls?
• Can interact with the malware and change its behavior
Let’s run the malware and see what happens!
Try not to get bitten…
Or trampled…
Tools – Process Hacker
• Like Task Manager on steroids
  • Processes and threads
  • Resource utilization
  • Disk utilization (open files, I/O activity)
  • Network utilization (active connections, I/O activity)
  • Handles (mutexes, keys, …)
  • Stack traces
  • Strings / memory dumps
• [Demo: Changing text in Notepad]
http://processhacker.sourceforge.net/
Tool – Regshot
• Registry and file monitoring utility
• Snapshots
  • #1 – Before malware runs
  • #2 – After malware runs
  • Compare to see what the malware did
• Limitations: will not report the sequence of events, or catch temporary changes (a file dropped and deleted between the two snapshots never shows up)
https://sourceforge.net/projects/regshot/
Tool – Process Monitor
• Capture real-time file system, registry, and process/thread activity
• Will need to filter desired processes or events (or be overwhelmed with data)
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
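The Regshot snapshot-and-compare workflow and its blind spot, next to a Procmon-style ordered event log, as an added Python example that is not from the course, Regshot, Process Monitor or Autoruns: a harmless stand-in "dropper" writes a temporary stager, deletes it, drops a payload, adds an auto-start entry and edits an existing file, all inside a throwaway temp directory. The snapshot diff shows the persistent changes but never sees the deleted stager, while the event log records everything in order. The directory layout stands in for registry keys (an assumed layout, not real Windows paths), and the auto-start filter is the kind of check Autoruns performs.

```python
"""Regshot-style snapshot diff versus a Procmon-style ordered event log, run against a
harmless stand-in for a dropper inside a throwaway directory. Added example; not code
from the course, Regshot, Process Monitor or Autoruns."""
import hashlib
import tempfile
from pathlib import Path

# Auto-start locations worth flagging in a diff (the Autoruns idea). These are relative
# paths inside the sandbox directory that stand in for registry keys and folders.
PERSISTENCE_HINTS = ("CurrentVersion/Run", "Startup/")


def snapshot(root: Path) -> dict:
    """Regshot shot #1 / #2: every file under root mapped to its SHA256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff(before: dict, after: dict) -> dict:
    """Regshot 'Compare': what was added, deleted or modified between the two shots.
    There is no ordering, and anything created and removed in between is invisible."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


class EventLog:
    """Procmon-style: record every operation as it happens, in order."""

    def __init__(self):
        self.events = []

    def write(self, path: Path, data: bytes):
        self.events.append(("WriteFile", path.name))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

    def delete(self, path: Path):
        self.events.append(("SetDispositionInformationFile(Delete)", path.name))
        path.unlink()


def fake_dropper(root: Path, log: EventLog):
    """Constructed behaviour: drop a temporary stager, delete it, then persist a payload."""
    stager = root / "Temp" / "stage1.tmp"
    log.write(stager, b"MZ-stager-placeholder")      # transient: gone before shot #2
    log.delete(stager)
    log.write(root / "Windows" / "svchost_.exe", b"MZ-payload-placeholder")
    log.write(root / "CurrentVersion" / "Run" / "Updater", b"C:\\Windows\\svchost_.exe")
    log.write(root / "hosts", b"127.0.0.1 av-update.example\n")   # edits an existing file


def persistence_hits(changes: dict) -> list:
    """Autoruns-style filter over the diff: changed paths in a known auto-start location."""
    return [p for p in changes["added"] + changes["modified"]
            if any(hint in p for hint in PERSISTENCE_HINTS)]


def run_demo() -> dict:
    """Take shot #1, run the dropper while logging, take shot #2, and return both views."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hosts").write_bytes(b"# clean hosts file\n")   # pre-existing system file
        before = snapshot(root)
        log = EventLog()
        fake_dropper(root, log)
        after = snapshot(root)
    changes = diff(before, after)
    return {"diff": changes, "events": log.events, "persistence": persistence_hits(changes)}


if __name__ == "__main__":
    result = run_demo()
    print("Regshot-style diff:", result["diff"])
    print("Procmon-style log: ", result["events"])
    print("Auto-start hits:   ", result["persistence"])
```

On a real lab VM the same snapshot/diff would be pointed at the system drive and at the registry hives Regshot walks; the point the example makes is that the diff alone is cheap and good at answering "what persisted", while only an in-order capture such as Process Monitor answers "what happened, and in what sequence".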
Tool – Wireshark
• Packet capture and analysis
• Will need to filter (or be overwhelmed with data)
• Suggestion: run this outside of the Windows VM to minimize interference or detection
https://www.wireshark.org/
Tool – TcpLogView
• List of TCP connections (which you could get from Wireshark) plus the process responsible for the connection
• Very useful for brief network connections you might otherwise miss
https://www.nirsoft.net/utils/tcp_log_view.html
Tool – ProcDOT
• Correlation of data from Process Monitor (file, registry and process/thread events) and Wireshark (networking)
• Interactive visual analysis
• Timeline (sequence) of events
http://www.procdot.com/
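ProcDOT's correlation step, as an added Python example that is not ProcDOT's code: merge Process Monitor events with per-process TCP connections (the process-to-connection link TcpLogView adds over a raw Wireshark capture) into one ordered timeline for the sample and its child processes. The Procmon rows follow the column layout of Procmon's CSV export but are constructed; the connection log is a constructed CSV loosely modelled on TcpLogView's columns, not its real export; process names, PIDs, paths and addresses are made up; and the two "findings" checks are simple string matches chosen for the example.

```python
"""ProcDOT-style correlation of Process Monitor events with per-process TCP connections
into one timeline for a sample and its children. Added example with constructed logs;
not ProcDOT's code and not the tools' exact formats."""
import csv
import io
import re
from datetime import datetime

# Constructed rows in the column layout of Procmon's CSV export (File > Save, CSV).
# Process names, PIDs and paths are made up.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:32.0010000 AM","sample.exe","4120","Process Start","","SUCCESS","Parent PID: 3304"
"10:15:32.1200000 AM","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\stage1.tmp","SUCCESS","Desired Access: Generic Write"
"10:15:32.4000000 AM","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Windows\\svchost_.exe"
"10:15:33.0500000 AM","sample.exe","4120","Process Create","C:\\Windows\\svchost_.exe","SUCCESS","PID: 4188, Command line: C:\\Windows\\svchost_.exe"
"10:15:33.9000000 AM","svchost_.exe","4188","CreateFile","C:\\Users\\lab\\Documents\\report.docx","SUCCESS","Desired Access: Generic Read"
"10:15:40.0000000 AM","explorer.exe","1720","RegQueryValue","HKCU\\Software\\Classes\\Local Settings","SUCCESS",""
"""

# Constructed connection log, loosely modelled on TcpLogView's columns (not its real export).
TCP_CSV = """\
Time,Process Name,PID,Remote Address,Remote Port
10:15:34.2000000 AM,svchost_.exe,4188,203.0.113.7,443
10:15:41.0000000 AM,chrome.exe,2210,198.51.100.9,443
"""


def parse_time(s: str) -> datetime:
    """Procmon prints seven fractional digits; strptime's %f accepts at most six."""
    clock, ampm = s.rsplit(" ", 1)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def parse_procmon(text: str) -> list:
    """One dict per Procmon row, with the timestamp parsed and the PID as an int."""
    return [{"t": parse_time(r["Time of Day"]), "pid": int(r["PID"]), "proc": r["Process Name"],
             "op": r["Operation"], "path": r["Path"], "detail": r["Detail"]}
            for r in csv.DictReader(io.StringIO(text))]


def parse_tcp(text: str) -> list:
    """Connections become events of their own, so they sort into the same timeline."""
    return [{"t": parse_time(r["Time"]), "pid": int(r["PID"]), "proc": r["Process Name"],
             "op": "TCP Connect", "path": f'{r["Remote Address"]}:{r["Remote Port"]}', "detail": ""}
            for r in csv.DictReader(io.StringIO(text))]


def process_tree(events: list, root_pid: int) -> set:
    """Follow 'Process Create' rows (Detail carries 'PID: n') so children are kept too."""
    pids, frontier = {root_pid}, [root_pid]
    while frontier:
        parent = frontier.pop()
        for e in events:
            m = re.search(r"PID:\s*(\d+)", e["detail"]) if e["op"] == "Process Create" else None
            if e["pid"] == parent and m and int(m.group(1)) not in pids:
                pids.add(int(m.group(1)))
                frontier.append(int(m.group(1)))
    return pids


def timeline(procmon: list, tcp: list, root_pid: int) -> list:
    """ProcDOT's core step: one time-ordered view of the sample and its descendants."""
    keep = process_tree(procmon, root_pid)
    merged = sorted((e for e in procmon + tcp if e["pid"] in keep), key=lambda e: e["t"])
    return [(e["t"].strftime("%H:%M:%S.%f"), e["pid"], e["proc"], e["op"], e["path"]) for e in merged]


def findings(tl: list) -> list:
    """Two things an analyst circles first: an auto-start write, and who talked to the network."""
    out = []
    for _, pid, proc, op, path in tl:
        if op == "RegSetValue" and "\\CurrentVersion\\Run\\" in path:
            out.append(f"{proc} ({pid}) set autostart value {path}")
        if op == "TCP Connect":
            out.append(f"{proc} ({pid}) connected to {path}")
    return out


if __name__ == "__main__":
    tl = timeline(parse_procmon(PROCMON_CSV), parse_tcp(TCP_CSV), root_pid=4120)
    for row in tl:
        print(*row)
    print("\n".join(findings(tl)))
```

Filtering by the process tree rather than by a single PID is the detail that matters: the connection out to 203.0.113.7 is made by the child, not by the sample the analyst double-clicked, and a per-process view of either tool alone would show the persistence write and the network activity as unrelated events.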
Tool – AutoRuns
• What services, processes, or drivers will start at system boot?
• At user login?
• When launching IE or Windows Media Player?
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Malware demo!