Source: welivesecurity.com (slide deck)
Visiting The Bear Den A Journey in the Land of (Cyber-)Espionage
Joan Calvet
Jessy Campos
Thomas Dupuy
1
Sednit Group
• Also known as APT28, Fancy Bear, Sofacy, STRONTIUM, Tsar Team
• Group of attackers conducting targeted attacks since 2006
• Mainly interested in geopolitics
2
3
Plan
• Context
• The Week Serge Met The Bear
• The Mysterious DOWNDELPH
• Speculative Mumblings
CONTEXT
What kind of group is Sednit?
4
Who Is The Bear After? (1)
• We found a list of targets for Sednit phishing campaigns:
– Operators used Bitly and “forgot” to set the profile private (feature now removed from Bitly)
– Around 4,000 shortened URLs during 6 months in 2015
5
6
Who Is The Bear After? (2)
http://login.accoounts-google.com/url/?continue=cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0YW4rRW1iYXNzeStLeWl2&tel=1
The base64 `df` parameter decodes to: Pakistan+Embassy+Kyiv
Who Is The Bear After? (3)
• Embassies and ministries of more than 40 countries
• NATO and EU institutions
• “Who’s who” of individuals involved in Eastern Europe politics:
– Politicians
– Activists
– Journalists
– Academics
– Militaries
– …
7
The Bear Has Money
• A bag full of 0-day exploits (2015 timeline, April to October):
– CVE-2015-3043 (Flash)
– CVE-2015-1701 (Windows LPE)
– CVE-2015-2590 (Java)
– CVE-2015-4902 (Java click-to-play bypass)
– CVE-2015-2424 (Office RCE)
– CVE-2015-7645 (Flash)
8
The Bear Can Code
• Tens of custom-made software used since 2006:
– Droppers
– Downloaders
– Reconnaissance tools
– Long-term spying backdoors
– Encryption proxy tool
– USB C&C channel
– Many helper tools
– …
9
Disclaimers
• Over the last two years we tracked Sednit closely, but of course our visibility is not exhaustive
• How do we know it is ONE group?
– We don’t
– Our Sednit “definition” is based on their toolkit and the related infrastructure
• We do not do attribution (but we point out hints that may be used for that)
10
THE WEEK SERGE MET THE BEAR
11
Who Is Serge?
• Code name for an imaginary Sednit target
• Serge is a government employee with access to sensitive information
• The chain of events in Serge’s attack matches several real cases we investigated
• We use it as a textbook case to present (a part of) the Sednit toolkit
12
13
Monday, 9:30AM
Serge Opens an Email
14
Legitimate URL Mimicking
15
16
Serge clicks on the URL, and…
![Page 23: Visiting The Bear Den - welivesecurity.com · Visiting The Bear Den A Journey in the Land of (Cyber-)Espionage Joan Calvet Jessy Campos Thomas Dupuy 1 . Sednit Group •Also know](https://reader030.fdocuments.in/reader030/viewer/2022041023/5ed473d464cb9d0fda746e8e/html5/thumbnails/23.jpg)
…Serge Meets SEDKIT
• Exploit-kit for targeted attacks
• Entry-point URLs mimic legitimate URLs
• Usually propagated by targeted phishing emails (also seen with hacked website + iframe)
• Period of activity: September 2014 - Now
17
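Both the phishing URL shown earlier (base64 in the `continue` and `df` parameters) and SEDKIT's mimicking of legitimate entry-point URLs can be triaged the same way: decode the query values and compare the hostname with the login page it imitates. This is an added example, not code from the talk; the hostname in the sample URL is the one on the slide, the parameter values and the brand watch list are constructed for this illustration.

```python
"""Triage of a SEDKIT-style lure URL: decode base64 query values and flag a
hostname that imitates a well-known login page. Added example; the sample
URL below is constructed (hostname taken from the slide, parameters invented)."""
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Login hostnames the lures imitate (assumed watch list for this example).
BRAND_HOSTS = ("accounts.google.com", "login.live.com")

# Constructed sample: same structure as the slide's URL, invented parameter values.
SAMPLE_URL = ("http://login.accoounts-google.com/url/?continue=c2VyZ2VAZXhhbXBsZS5nb3Y="
              "&df=QnVkZ2V0K01lZXRpbmcrTm90ZXM=&tel=1")


def try_b64(value: str) -> Optional[str]:
    """Decode value as base64 if it is valid and yields printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text and text.isprintable() else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the brand host this hostname imitates, or None if it is the real
    brand host or not close to any. Every label suffix is compared, so
    'login.accoounts-google.com' is matched through 'accoounts-google.com'."""
    host = host.lower()
    if host in BRAND_HOSTS:
        return None
    labels = host.split(".")
    for brand in BRAND_HOSTS:
        for i in range(len(labels)):
            if edit_distance(".".join(labels[i:]), brand) <= 2:
                return brand
    return None


def analyse_lure(url: str) -> Dict[str, object]:
    """Decode each base64 query parameter and report the imitated brand host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params: Dict[str, str] = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = try_b64(value)
        # Lure titles are '+'-joined words (as on the slide); show them as text.
        params[key] = unquote_plus(decoded) if decoded is not None else value
    return {"host": host, "mimics": lookalike_of(host), "params": params}
```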
Landing Page (1) Reconnaissance Report Building
18
Crawling Sedkit
20
21
Serge is selected to be exploited…
… and Visits Sednit Exploits Factory

| Vulnerability | Targeted Application | Note |
|---|---|---|
| CVE-2013-1347 | Internet Explorer 8 | |
| CVE-2013-3897 | Internet Explorer 8 | |
| CVE-2014-1510 + CVE-2014-1511 | Firefox | |
| CVE-2014-1776 | Internet Explorer 11 | |
| CVE-2014-6332 | Internet Explorer | Several versions |
| N/A | MacKeeper | |
| CVE-2015-2590 + CVE-2015-4902 | Java | 0-day* |
| CVE-2015-3043 | Adobe Flash | 0-day* |
| CVE-2015-5119 | Adobe Flash | Hacking Team gift |
| CVE-2015-7645 | Adobe Flash | 0-day* |

22
* At the time SEDKIT dropped them
Revamping CVE-2014-6332 (a.k.a. IE “Unicorn bug”)
• October 2015:
– Re-use of public PoC to disable VBScript “SafeMode”
– Next stage binary downloaded by PowerShell
• February 2016:
– No more “SafeMode” disabling, direct ROP-based shellcode execution
– Around 400 lines of VBScript, mostly custom
27
VBScript Framework
• Functions:
– addToROP()
– getROPstringAddress()
– Code_section_explorer_7()
– Code_section_explorer_XP()
– getNeddedAddresses()
– addrToHex()
– …
Have you ever seen this somewhere? (cuz we don’t)
30
31
Exploit downloads a payload and…
Serge Meets SEDUPLOADER (a.k.a. JHUHUGIT, JKEYSKW)
• Downloaded by SEDKIT
• Two binaries: the dropper and its embedded payload
• Deployed as a first-stage component
• Period of activity: March 2015 - Now
SEDUPLOADER DROPPER Workflow
• Anti-Analysis
• Payload Dropping
• Escalating Privileges
– CVE-2015-1701 (0-day)
– CVE-2015-2387
• Payload Persistence
– Windows COM object hijacking (cf. Win32/COMpfun)
– Shell Icon Overlay COM object
– Registry key UserInitMprLogonScript
– JavaScript code executed within rundll32.exe (cf. Win32/Poweliks)
– Scheduled tasks, Windows service, …
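The persistence locations listed for the dropper can be hunted in a registry export: a per-user CLSID override loaded from a user-writable directory, a Shell Icon Overlay handler pointing at such a CLSID, the UserInitMprLogonScript value, and a Run entry that starts rundll32.exe with a javascript: URL. This is an added example, not the authors' code; the .reg text is constructed sample data (the CLSIDs are placeholders) and the user-writable directory list is an assumption.

```python
"""Hunt for the SEDUPLOADER persistence mechanisms in a Windows registry export
(.reg text). Added example with constructed sample data; the CLSIDs are
placeholders and the user-writable directory list is an assumption."""
import re
from typing import Dict, List, Tuple

# A COM server loaded from one of these directories is treated as suspicious
# (assumption: legitimate per-user COM registrations do not live there).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(?:"(.*)"|(.*))$')
CLSID_SERVER_RE = re.compile(r"^hkey_current_user\\.*\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$")

# Constructed sample export: one benign Run entry plus the four techniques.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"UserInitMprLogonScript"="C:\\Users\\serge\\AppData\\Roaming\\msd.bat"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\serge\\AppData\\Local\\Temp\\api-ms.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Users\\serge\\AppData\\Roaming\\ovl.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SergeOverlay]
@="{BBBBBBBB-0000-0000-0000-000000000002}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\serge\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"update"="rundll32.exe javascript:<constructed placeholder script>"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; '@' names a key's default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(3) if m.group(3) is not None else m.group(4)
            # .reg files double backslashes and escape quotes inside string data
            keys[current][m.group(1) or "@"] = data.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (technique, location) pairs for the mechanisms named on the slide."""
    findings: List[Tuple[str, str]] = []
    # Per-user CLSID registrations shadow the machine-wide ones: COM hijacking.
    hijacked: Dict[str, str] = {}
    for key, values in keys.items():
        m = CLSID_SERVER_RE.match(key.lower())
        server = values.get("@", "").lower()
        if m and any(p in server for p in USER_WRITABLE):
            hijacked[m.group(1)] = server
            findings.append(("COM object hijacking (HKCU CLSID override)", f"{key} -> {server}"))
    for key, values in keys.items():
        for name, data in values.items():
            d = data.lower()
            if name.lower() == "userinitmprlogonscript":
                findings.append(("Logon script via UserInitMprLogonScript", f"{key}\\{name} = {data}"))
            elif "rundll32" in d and "javascript:" in d:
                findings.append(("JavaScript executed within rundll32.exe", f"{key}\\{name}"))
            elif "\\shelliconoverlayidentifiers\\" in key.lower() and name == "@" and d in hijacked:
                findings.append(("Shell Icon Overlay COM object", f"{key} -> {hijacked[d]}"))
    return findings


def scan_reg_text(text: str) -> List[Tuple[str, str]]:
    """Parse an export and return the persistence findings."""
    return find_persistence(parse_reg_export(text))
```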
SEDUPLOADER PAYLOAD Workflow
• Network Link Establishment, tried in turn until one succeeds:
– Direct Connection (on FAIL, next)
– Via Proxy (on FAIL, next)
– Inject Into Browsers
– SUCCESS: C&C Successfully Contacted
• First Stage Report
• Parsing C&C Orders
East Side Story printf debugging
46
Chain of Events (Mon, Tue, Wed, Thu, Fri)
• Monday 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
47
Monday, 10:00AM
…Serge Meets SEDRECO
• Downloaded by SEDUPLOADER
• Backdoor with the ability to load external plugins
• Usually deployed as a second-stage backdoor to spy on the infected computer
• Period of activity: 2012 - Now
48
Dropper
• Drops encrypted configuration
– In a file (“msd”)
– In the Windows Registry
• No configuration linked to the payload
Configuration Overview
• Encrypted blob, annotated on the slide with its XOR KEY and FIELD SIZES
Configuration Overview (Decrypted)
('600000', '600000', 'SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '')
Slide annotations:
• Various timeouts ('600000', '600000', '10000', '600000')
• Computer name ('SERGE-PC…')
• Keylogger enabled ('1')
• C&C servers ('kenlynton.com', 'softwaresupportsv.com', 'updmanager.com')
![Page 79: Visiting The Bear Den - welivesecurity.com · Visiting The Bear Den A Journey in the Land of (Cyber-)Espionage Joan Calvet Jessy Campos Thomas Dupuy 1 . Sednit Group •Also know](https://reader030.fdocuments.in/reader030/viewer/2022041023/5ed473d464cb9d0fda746e8e/html5/thumbnails/79.jpg)
Configuration Overview (Decrypted)
('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '')
Operation name (rhst, rhbp, mctf, mtqs)
![Page 80: Visiting The Bear Den - welivesecurity.com · Visiting The Bear Den A Journey in the Land of (Cyber-)Espionage Joan Calvet Jessy Campos Thomas Dupuy 1 . Sednit Group •Also know](https://reader030.fdocuments.in/reader030/viewer/2022041023/5ed473d464cb9d0fda746e8e/html5/thumbnails/80.jpg)
Configuration Overview (Decrypted)
('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '')
Plugins list
Payload
Extending The Core (1)
• Plugins are DLLs loaded in the same address space
• Plugins receive arguments from the core:
Extending The Core (2)
New command
Chain of Events (Mon Tue Wed Thu Fri)
• 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• 10:00AM: SEDRECO deployment
Monday, 2:00PM
Serge Meets XAGENT (a.k.a. SPLM, CHOPSTICK)
• Downloaded by SEDUPLOADER
• Modular backdoor developed in C++, with Windows, Linux and iOS versions
• Deployed in most Sednit operations, usually after the reconnaissance phase
• Period of activity: November 2012 - Now
• Linux XAGENT, compiled in July 2015
• ~ 18,000 lines of code in 59 classes
• Derives from Windows version:
  • XAGENT major version 2, but matches the logic of currently distributed binaries (version 3)
Such Comments
<- That’s a lot
main.cpp
Communication Workflow
XAGENT INFECTED COMPUTER:
• Modules: RemoteShell, FSModule, Keylogger
• AgentKernel (AgentKernel::run())
  – Translates messages from modules for the C&C server
  – Translates messages from the C&C server for modules
• Channel Controller
• Channel (HTTP or emails)
C&C SERVER
Message flows marked on the diagram: unencrypted messages (inside the infected computer), encrypted messages (over the channel to the C&C server)
Emails Channel (1) Workflow
XAGENT INFECTED COMPUTER (USING MailChannel) <-> mailbox [email protected] <-> C&C SERVER
• Infected computer -> mailbox: SMTPS; mailbox -> infected computer: POP3S
• C&C server -> mailbox: SMTPS; mailbox -> C&C server: POP3S
An email-based C&C protocol needs to provide:
1. A way to distinguish C&C emails from unrelated emails
2. A way to bypass spam filters
Email Channel (2) P2Scheme, a.k.a. “Level 2 Protocol”
Subject layout (byte offsets 0, 5, 12, 16):
Offset:  0       5                  12                16
Field:   | KEY   | SUBJ_TOKEN ^ KEY | XAGENT_ID ^ KEY |
The 16-byte record is base64-encoded.
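An added example (not from the talk, and not XAGENT's or its proxy's code): a Python decoder and triage check for the subject layout above, assuming the 5-byte KEY is cycled over the two XORed fields and that SUBJ_TOKEN is a fixed marker the analyst knows; the sample subjects are constructed.

```python
"""Decoder / triage check for the P2Scheme email-subject layout on the slide.

Layout of the 16 decoded bytes (offsets 0, 5, 12, 16 on the slide):
    [0:5]   KEY
    [5:12]  SUBJ_TOKEN ^ KEY
    [12:16] XAGENT_ID ^ KEY
The whole 16-byte record is base64-encoded to form the subject.

Assumptions not stated on the slide (made for this example): the 5-byte KEY is
repeated cyclically over the XORed fields, and SUBJ_TOKEN is a fixed 7-byte
marker known to the analyst. All sample values are constructed.
"""
import base64
import binascii
from dataclasses import dataclass
from itertools import cycle
from typing import Iterable, List, Optional

KEY_LEN = 5
TOKEN_LEN = 7
ID_LEN = 4
TOTAL_LEN = KEY_LEN + TOKEN_LEN + ID_LEN  # 16, matching the slide offsets


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against key, cycling the key (assumed; slide only shows '^ KEY')."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


@dataclass(frozen=True)
class P2Subject:
    key: bytes
    subj_token: bytes
    xagent_id: bytes


def decode_p2_subject(subject: str) -> Optional[P2Subject]:
    """Decode a subject into its fields; None if it does not fit the layout."""
    try:
        raw = base64.b64decode(subject, validate=True)
    except (ValueError, binascii.Error):
        return None  # not base64 at all (most ordinary subjects end here)
    if len(raw) != TOTAL_LEN:
        return None  # base64, but not a 16-byte record
    key = raw[0:KEY_LEN]
    token = xor_with_key(raw[KEY_LEN:KEY_LEN + TOKEN_LEN], key)
    xid = xor_with_key(raw[KEY_LEN + TOKEN_LEN:TOTAL_LEN], key)
    return P2Subject(key, token, xid)


def is_p2_subject(subject: str, expected_token: bytes) -> bool:
    """Triage rule: a subject is flagged when the recovered SUBJ_TOKEN matches."""
    decoded = decode_p2_subject(subject)
    return decoded is not None and decoded.subj_token == expected_token


def flag_subjects(subjects: Iterable[str], expected_token: bytes) -> List[int]:
    """Indexes of subjects (e.g. from a mailbox export) matching the layout."""
    return [i for i, s in enumerate(subjects) if is_p2_subject(s, expected_token)]


def build_sample_subject(key: bytes, subj_token: bytes, xagent_id: bytes) -> str:
    """Construct a subject following the layout, to produce test input."""
    if (len(key), len(subj_token), len(xagent_id)) != (KEY_LEN, TOKEN_LEN, ID_LEN):
        raise ValueError("field sizes must be 5 / 7 / 4 bytes as on the slide")
    raw = key + xor_with_key(subj_token, key) + xor_with_key(xagent_id, key)
    return base64.b64encode(raw).decode("ascii")


# Constructed sample mailbox: two ordinary subjects and one P2Scheme-shaped one.
SAMPLE_TOKEN = b"TOKEN07"          # constructed 7-byte marker
SAMPLE_KEY = b"\x01\x02\x03\x04\x05"
SAMPLE_ID = b"\xde\xad\xbe\xef"
SAMPLE_SUBJECTS = [
    "Re: meeting tomorrow",
    build_sample_subject(SAMPLE_KEY, SAMPLE_TOKEN, SAMPLE_ID),
    "eHh4eHh4eHh4eA==",           # valid base64 but only 10 bytes: not the layout
]

if __name__ == "__main__":
    for i in flag_subjects(SAMPLE_SUBJECTS, SAMPLE_TOKEN):
        d = decode_p2_subject(SAMPLE_SUBJECTS[i])
        print(f"subject #{i} looks like P2Scheme, XAGENT_ID={d.xagent_id.hex()}")
```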
Email Channel (3) Georgian Protocol
Elements annotated on the sample email:
• Georgian national ID number
• “Hello”
• “detailed” + timestamp
Bonus: XAGENT C&C Infrastructure
Thank you, Google search engine
XAGENT Proxy Server
• Python code used between April and June 2015
• ~ 12,200 lines of code
• Translates the email protocol from XAGENT into an HTTP protocol for the C&C server:
  XAGENT --(P2Protocol, emails)--> INBOX --> PROXY --(P3Protocol over HTTP)--> BACKEND C&C SERVER
Chain of Events (Mon Tue Wed Thu Fri)
• 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• 10:00AM: SEDRECO deployment
• 02:00PM: XAGENT deployment
Next three days…
Serge Meets Password Extractors
• SecurityXploded tools (a grand classic of Sednit)
  – Cons: usually detected by AV software
• Custom tools, in particular a Windows Live Mail password extractor compiled for Serge:
Serge Meets Windows Password Extractors
• From registry hives
  – Deployed with LPE for CVE-2014-4076
• Good ol’ Mimikatz (“pi.log”)
  – Deployed with LPE for CVE-2015-1701
Serge Meets Screenshotter
• Custom tool to take screenshots each time the mouse moves
And… Serge Meets XTUNNEL
• Network proxy tool to contact machines normally unreachable from the Internet
• Period of activity: May 2013 - Now
Initial Situation
INTERNET: C&C SERVER
INTERNAL NETWORK: SERGE’S COMPUTER (XTUNNEL INFECTED), COMPUTER A (CLEAN), COMPUTER B (CLEAN)
Encryption Handshake
Between SERGE’S COMPUTER (XTUNNEL INFECTED), on the INTERNAL NETWORK with COMPUTER A (CLEAN) and COMPUTER B (CLEAN), and the C&C SERVER on the INTERNET:
1. Both ends hold the blob T:
   D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 …
2. Offset O in T, together with a proof of knowledge of T
3. RC4 key, located in T at offset O
4. “OK”
![Page 149: Visiting The Bear Den - welivesecurity.com · Visiting The Bear Den A Journey in the Land of (Cyber-)Espionage Joan Calvet Jessy Campos Thomas Dupuy 1 . Sednit Group •Also know](https://reader030.fdocuments.in/reader030/viewer/2022041023/5ed473d464cb9d0fda746e8e/html5/thumbnails/149.jpg)
77
C&C SERVER
SERGE’S COMPUTER (XTUNNEL INFECTED)
INTERNET
INTERNAL NETWORK
Encryption Handshake
RC4-encrypted link
COMPUTER A (CLEAN)
COMPUTER B (CLEAN)
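The exchange drawn on the slide, as an added toy model (this is not XTUNNEL's code and not ESET's). Only the message flow comes from the slide: T known to both sides, the client sending an offset O plus a proof of knowing T, the server answering "OK", RC4 afterwards. The size of T, the key length (16 bytes of T starting at O) and the proof construction (RC4 of a fixed marker under the derived key) are assumptions made for the example. The point a practitioner should take away is in `analyst_decrypt`: because the only secret is T, and T sits in the binary, anyone with the sample and a capture of O can decrypt the session.

```python
# Added example: a toy model of the exchange in the slide, not XTUNNEL's
# code and not ESET's. Only the message flow comes from the slide (T known
# to both sides, client sends offset O plus a proof of knowing T, server
# answers "OK", RC4 link afterwards). Key length (16 bytes from T at O),
# the size of T and the proof construction are assumptions made here.
import hashlib
import os

KEY_LEN = 16
PROOF_MARKER = b"XTUNNEL-PROOF"  # hypothetical marker, not from the sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def make_table(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic stand-in for the hardcoded table T (constructed)."""
    out = b""
    n = 0
    while len(out) < size:
        out += hashlib.sha256(seed + n.to_bytes(4, "little")).digest()
        n += 1
    return out[:size]


T = make_table(b"constructed T for the example")  # same bytes on both sides


def derive_key(table: bytes, offset: int) -> bytes:
    if not 0 <= offset <= len(table) - KEY_LEN:
        raise ValueError("offset outside T")
    return table[offset:offset + KEY_LEN]


def client_hello(table: bytes, rng=os.urandom):
    """Client: pick O, derive the RC4 key from T at O, send (O, proof)."""
    offset = int.from_bytes(rng(2), "little") % (len(table) - KEY_LEN + 1)
    key = derive_key(table, offset)
    proof = rc4(key, PROOF_MARKER)
    return offset, proof, key


def server_accept(table: bytes, offset: int, proof: bytes):
    """Server: re-derive the key from O, check the proof, answer 'OK'."""
    try:
        key = derive_key(table, offset)
    except ValueError:
        return b"", b""
    if rc4(key, proof) != PROOF_MARKER:
        return b"", b""  # reject: peer does not know T
    return b"OK", key


def analyst_decrypt(table: bytes, captured_offset: int, ciphertext: bytes) -> bytes:
    """Anyone who pulled T out of the binary and saw O on the wire gets the
    session key; the handshake proves knowledge of T but keeps no secret."""
    return rc4(derive_key(table, captured_offset), ciphertext)


def run_session(plaintext: bytes) -> dict:
    offset, proof, ckey = client_hello(T)
    reply, skey = server_accept(T, offset, proof)
    wire = rc4(ckey, plaintext)  # the "RC4-encrypted link"
    return {
        "reply": reply,
        "keys_match": ckey == skey,
        "analyst_plain": analyst_decrypt(T, offset, wire),
    }


if __name__ == "__main__":
    print(run_session(b"tunnelled PsExec traffic"))
```

The TLS encapsulation added in 2014 (next slide) changes this picture only for a passive observer: a defender who terminates or intercepts the TLS layer is back to the situation modelled here.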
Encryption Handshake
• TLS encapsulation (added in 2014): the RC4 link is itself wrapped in TLS
[Diagram: same network as above]

Tunnels Opening
[Diagram: tunnels from the C&C SERVER through SERGE’S COMPUTER (XTUNNEL INFECTED) into the INTERNAL NETWORK, reaching COMPUTER A (CLEAN) and COMPUTER B (CLEAN)]
• Any kind of TCP-based traffic can be tunneled! (PsExec)
Code Obfuscation (1)
• Starting in July 2015 XTUNNEL code was obfuscated
(which is two months after the Sednit attack against the German parliament, where XTUNNEL was used)
• The obfuscation is a mix of classic syntactic techniques, like insertion of junk code and opaque predicates

Code Obfuscation (2)
[Figure: XTUNNEL code BEFORE and AFTER obfuscation]
Good toy example for automatic deobfuscation magic?
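One piece of that "magic", as an added example that is not from the talk: a dynamic check for opaque predicates. An opaque predicate is a branch condition whose outcome is fixed by construction but looks data-dependent; if fuzzing never observes the other outcome, the branch is a folding candidate and the arm it guards is junk. The predicates below are constructed for the example (none is taken from XTUNNEL), and the arithmetic is wrapped to 32 bits because a predicate that is a tautology over the integers need not be one on a machine word, which is the one case where a naive fold would break the program.

```python
# Added example, not from the talk: a dynamic check for opaque predicates
# of the kind the XTUNNEL obfuscation inserts. An opaque predicate is a
# branch condition whose outcome is fixed by construction but looks
# data-dependent; a condition that never takes the other branch under
# fuzzing is a candidate for folding, and the arm it guards is junk.
# Predicates below are constructed for the example; arithmetic is
# wrapped to 32 bits so it matches what the binary would compute.
import random

MASK = 0xFFFFFFFF


def u32(v: int) -> int:
    return v & MASK


# (name -> predicate over two 32-bit inputs), all hypothetical
PREDICATES = {
    # x*(x+1) is always even, and masking keeps the low bit: opaque
    "x*(x+1) % 2 == 0": lambda x, y: u32(x * (x + 1)) % 2 == 0,
    # true for any bit pattern: opaque
    "(x | 1) & 1 == 1": lambda x, y: (u32(x) | 1) & 1 == 1,
    # negation of an always-true predicate: opaque, always false
    "x*(x+1) % 2 == 1": lambda x, y: u32(x * (x + 1)) % 2 == 1,
    # a tautology over the integers (7y^2-1 is never divisible by 7) but
    # NOT over uint32: wraparound breaks it, so this is a real branch
    "(7*y*y - 1) % 7 != 0": lambda x, y: u32(7 * y * y - 1) % 7 != 0,
    # genuinely data-dependent
    "x ^ y == 0": lambda x, y: u32(x ^ y) == 0,
}


def classify(pred, samples: int = 2000, seed: int = 1) -> str:
    """Evaluate pred on edge values and random 32-bit inputs; report
    'always-true' / 'always-false' (opaque) or 'data-dependent'."""
    rng = random.Random(seed)
    edge = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]
    inputs = [(a, b) for a in edge for b in edge]
    inputs += [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(samples)]
    seen = set()
    for x, y in inputs:
        seen.add(bool(pred(x, y)))
        if len(seen) == 2:
            return "data-dependent"
    return "always-true" if True in seen else "always-false"


def classify_all() -> dict:
    return {name: classify(p) for name, p in PREDICATES.items()}


# What the obfuscator does with an opaque predicate: guard junk with it.
def obfuscated_add(x: int, y: int) -> int:
    t = u32(x * 0x9E3779B1)          # junk: computed, never used
    if u32(x * (x + 1)) % 2 == 0:    # opaque, always taken
        return u32(x + y)
    return u32(t ^ y)                 # dead arm


def clean_add(x: int, y: int) -> int:
    return u32(x + y)


def same_behaviour(trials: int = 1000, seed: int = 2) -> bool:
    """Folding the opaque branch must not change observable behaviour."""
    rng = random.Random(seed)
    return all(obfuscated_add(a, b) == clean_add(a, b)
               for a, b in ((rng.getrandbits(32), rng.getrandbits(32))
                            for _ in range(trials)))
```

A fuzzing-based classifier only gives evidence, not proof: a predicate can be constant on every input tried and still have a rare counter-example, so a real deobfuscator confirms candidates with a symbolic or SMT check before removing the dead arm.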
Chain of Events
[Timeline: Mon Tue Wed Thu Fri]
• 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• 10:00AM: SEDRECO deployment
• 02:00PM: XAGENT deployment
• Rest of the week: information exfiltration and lateral movements

Friday, 11:00AM
Long Term Persistence (1)
• Special XAGENT copied in Office folder under the name “msi.dll”

Long Term Persistence (2)
• system32\msi.dll is a legitimate Windows DLL needed by Office applications
• XAGENT msi.dll exports the same function names as the legitimate msi.dll:
[Figure: export table of the XAGENT msi.dll]

Long Term Persistence (3)
• Each time Serge starts Office, XAGENT msi.dll is loaded (search-order hijacking: the application’s own folder is searched before system32). The XAGENT msi.dll then:
– Loads real msi.dll from system32
– Fills its export table with the addresses of the real msi.dll functions
– Starts XAGENT malicious logic
• Same technique also seen with LINKINFO.dll dropped in C:\WINDOWS
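A hunting rule for the two cases above, as an added example (this is not ESET tooling): flag any loaded module whose file name matches a DLL that belongs in System32 but which was loaded from elsewhere, and, more specific to the proxy technique described on the slide, flag processes that have the same DLL name loaded twice from different paths, which is exactly what happens when the XAGENT msi.dll loads the real one. The module list is constructed for the example; a real run would enumerate `%SystemRoot%\System32` and the live process list instead of the two hardcoded sets.

```python
# Added example, not ESET's code: hunt for search-order hijacks of the
# kind described in the slides. The module list and the DLL name set are
# constructed for the example; a real run would enumerate System32 and
# the loaded modules of live processes.
from pathlib import PureWindowsPath

# DLL names that live in System32 (the two from the slides plus a couple
# of common ones; constructed, not a full list)
SYSTEM32_DLLS = {"msi.dll", "linkinfo.dll", "kernel32.dll", "ntdll.dll"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_hijack_candidate(module_path: str) -> bool:
    """A System32 DLL name loaded from a directory that is not System32
    (or the 32-bit SysWOW64 copy) is a search-order-hijack candidate."""
    p = PureWindowsPath(module_path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    return name in SYSTEM32_DLLS and parent not in LEGIT_SYSTEM_DIRS


def scan(modules):
    """modules: iterable of (process_name, module_path). Returns the
    (process, path) pairs that match the rule."""
    return [(proc, path) for proc, path in modules if is_hijack_candidate(path)]


def double_loads(modules):
    """Processes in which one DLL name is mapped from two different paths:
    the signature of a proxy DLL that forwards to the real one."""
    by_key = {}
    for proc, path in modules:
        key = (proc, PureWindowsPath(path).name.lower())
        by_key.setdefault(key, set()).add(path.lower())
    return sorted(key for key, paths in by_key.items() if len(paths) > 1)


# Constructed module list mirroring the slides' scenario
CONSTRUCTED_MODULES = [
    ("WINWORD.EXE", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    ("WINWORD.EXE", r"C:\Program Files\Microsoft Office\Office14\msi.dll"),  # XAGENT copy
    ("WINWORD.EXE", r"C:\Windows\System32\msi.dll"),        # real one, loaded by the proxy
    ("explorer.exe", r"C:\WINDOWS\LINKINFO.dll"),            # second variant on the slide
    ("explorer.exe", r"C:\Windows\System32\LINKINFO.dll"),
    ("notepad.exe", r"C:\Windows\SysWOW64\kernel32.dll"),   # legitimate 32-bit copy
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_MODULES):
        print("hijack candidate:", *hit)
    for hit in double_loads(CONSTRUCTED_MODULES):
        print("double load:", *hit)
```

Both rules are name-based heuristics: a DLL in an allowed directory can still be trojanized, and some legitimate software ships private copies of system DLLs, so confirm hits with signature and hash checks before acting on them.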
Chain of Events
[Timeline: Mon Tue Wed Thu Fri]
• 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• 10:00AM: SEDRECO deployment
• 02:00PM: XAGENT deployment
• During the week: information exfiltration and lateral movements
• Friday 11:00AM: Long-term persistence method deployment
THE MYSTERIOUS DOWNDELPH
What the hell is going on here?!
Discovery September 2015
• Classic Sednit dropper
• Shows a decoy document

What Is In This Dropper?

The Ultimate Boring Component
• Delphi downloader, we named it DOWNDELPH (slow clap)
• Simple workflow:
– Downloads a config (.INI file)
– Based on the config, downloads a payload
– Executes payload
• Persistence method: Run registry key
Let The Hunt Begin: 2013 DOWNDELPH Sample
[Diagram: Dropper → Helper, Bootkit Installer, DOWNDELPH]
The bootkit installer:
• Infects BIOS-based systems (legacy MBR boot, not UEFI)
• Tested on Windows XP/7, 32bit/64bit
• Never been documented

Not So Boring Component
Bootkit Installation
First sectors before infection:
• 1ST sector: MBR
• Following sectors: legitimate data
First sectors after infection:
• 1ST sector: malicious MBR
• 2ND sector: original MBR (1-byte XOR)
• Following sectors: hooks (1-byte XOR), then driver (1-byte XOR + RC4)
• Then legitimate data
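A forensic consequence of that layout, as an added example (not ESET tooling): the original MBR can be pulled back out of the sector that follows the malicious one. The slide does not give the XOR key, so the code brute-forces all 256 values and keeps the one that yields a buffer ending in the 55 AA boot signature with a plausible partition table. The disk image is constructed for the example and contains no real bootkit bytes; the layout it mimics (malicious MBR in sector 1, XORed original in sector 2) is the one on the slide.

```python
# Added example, not ESET's code: recover the original MBR that the
# bootkit keeps 1-byte-XORed in the sector after the malicious MBR.
# The XOR key is not stated on the slide, so it is brute-forced using
# the 55 AA signature and the partition-table boot flags as the oracle.
# The image is constructed for the example (no real bootkit bytes).
SECTOR = 512


def xor1(buf: bytes, key: int) -> bytes:
    """1-byte XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key for b in buf)


def looks_like_mbr(sec: bytes) -> bool:
    """Boot signature present and every partition entry's boot flag is
    0x00 or 0x80: cheap structural check that a wrong key will not pass."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    return all(sec[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def recover_original_mbr(image: bytes):
    """image: raw bytes from LBA 0. Returns (key, original_mbr) or None."""
    hidden = image[SECTOR:2 * SECTOR]
    for key in range(256):
        cand = xor1(hidden, key)
        if looks_like_mbr(cand):
            return key, cand
    return None


def clean_mbr() -> bytes:
    """Constructed clean MBR: placeholder boot code, one NTFS-style
    partition entry, three empty entries, boot signature."""
    code = bytes((i * 7 + 3) & 0xFF for i in range(446))
    part0 = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xDF, 0x13, 0x0C])
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    return code + part0 + bytes(48) + b"\x55\xaa"


def build_constructed_image(key: int) -> bytes:
    """Constructed 'after infection' layout: malicious code in sector 1
    (partition table kept so the disk still boots), XORed original MBR
    in sector 2."""
    original = clean_mbr()
    malicious = bytes((i * 13 + 1) & 0xFF for i in range(446)) + original[446:]
    return malicious + xor1(original, key)


if __name__ == "__main__":
    img = build_constructed_image(0x5C)
    key, mbr = recover_original_mbr(img)
    print("key=0x%02x recovered=%s" % (key, mbr == clean_mbr()))
```

The trick only works because a 1-byte XOR preserves structure; the driver stored further along is additionally RC4-encrypted, so for it the key material has to come from the bootkit code itself rather than from a 256-way brute force. On a live system the same check can be run against sectors read with raw disk access, but note that the bootkit's INT 13h hook and later its driver may lie about sector contents, so read from a clean boot environment.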
Normal Boot Process Windows 7 x64
[Diagram: Original MBR → BOOTMGR → Winload.exe → … → Kernel Init, with the switch from Real Mode to Protected Mode marked]

Infected Boot Process Windows 7 x64
[Diagram: Infected MBR → Original MBR → BOOTMGR → Winload.exe → … → Kernel Init, same Real Mode / Protected Mode split]

Malicious MBR
• Hooks INT 13h handler (low-level read/write operations)
• Patches BOOTMGR in memory
Bootkit Workflow
[Diagram: Infected MBR → Original MBR → BOOTMGR → Winload.exe → … → Kernel Init, with a hook placed in BOOTMGR]

BOOTMGR Hook
• Searches OslArchTransferToKernel() in winload.exe to patch it (this is the winload routine that hands control to the kernel, so the patch runs with the kernel image already in memory but before it executes)
Before: [disassembly in slide image]
After:
kd> u winload!OslArchTransferToKernel
winload!OslArchTransferToKernel:
00000000`003381f0 e961fdd5ff      jmp     00000000`00097f56
Bootkit Workflow
[Diagram: as above, now with hooks in both BOOTMGR and Winload.exe]

Winload.exe Hook
• Locates MmMapIoSpace
• Saves some code in ACPI.sys resources section
(and makes the section executable)
• Hooks ACPI!GsDriverEntry
Saving Important Information
The winload hook stashes what the next stage needs in the kernel image header, in the otherwise unused bytes between the DOS stub and the PE signature. The slide annotates three items in the dump: the ACPI!GsDriverEntry original opcodes, the bootkit physical address and the MmMapIoSpace address.
0: kd> db rbx $$ kernel header address
4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00  ................
00 74 09 00 00 b4 09 cd-21 b8 01 4c cd 21 54 68  .t......!..L.!Th
69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS
6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
8a 4a 9e 90 ce 2b f0 c3-ce 2b f0 c3 ce 2b f0 c3  .J...+...+...+..
c7 53 73 c3 aa 2b f0 c3-c7 53 63 c3 c5 2b f0 c3  .Ss..+...Sc..+..
ce 2b f1 c3 a2 2b c0 97-8f 00 00 f8 ff ff 30 fc  .+...+........0.
04 00 f2 0f 00 00 48 83-ec 28 4c c3 d4 2b f0 c3  ......H..(L..+..
c7 53 62 c3 cf 2b f0 c3-c7 53 64 c3 cf 2b f0 c3  .Sb..+...Sd..+..
c7 53 61 c3 20 cd a2 02-00 f8 ff ff ce 2b f0 c3  .Sa. ........+..
00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00-50 45 00 00 64 86 18 00  ........PE..d...
Bootkit Workflow
[Diagram: Infected MBR → Original MBR → BOOTMGR → Winload.exe → ACPI.sys → … → Kernel Init, with hooks in BOOTMGR, Winload.exe and ACPI.sys]

ACPI.sys Hook
• Restores ACPI!GsDriverEntry
• Maps the bootkit physical address into virtual address space by calling MmMapIoSpace
• Decrypts hidden driver
Bootkit Workflow
[Diagram: Infected MBR → Original MBR → BOOTMGR → Winload.exe → ACPI.sys → Kernel Init, with hooks in BOOTMGR, Winload.exe and ACPI.sys; the ACPI.sys hook starts the Bootkit Driver, which loads the “Bootkit user-mode component”, which in turn loads DOWNDELPH]
Why a DLL to load another DLL?
Who Are You Bootkit?
• Missing exported variable in DOWNDELPH
• Code sharing with BlackEnergy
– Relocations fixing
– DLL injection calling three exports (“Entry”, “ep_data” and “Dummy”)
– …
But It’s Not The End of The Story: 2014 DOWNDELPH Samples
[Diagram: Dropper → Helper, Kernel Mode Rootkit, DOWNDELPH]

Not So Boring Component++

Kernel Mode Rootkit (1)
• Registered as a Windows service
• Injects DOWNDELPH into explorer.exe (APC)
• Hides files, folders and registry keys
• Relies on a set of rules (from the driver’s debug strings; dnscli1.dll is the injected DOWNDELPH DLL and FsFlt.sys the rootkit driver itself, both hidden by the file and registry rules):
HIDEDRV: >>>>>>>>Hide rules>>>>>>>> rules
HIDEDRV: File rules: \Device\[…]\dnscli1.dll
HIDEDRV: File rules: \Device\[…]\FsFlt.sys
HIDEDRV: Registry rules: \REGISTRY\[…]\FsFlt
HIDEDRV: Registry rules: \REGISTRY\[…]\FsFlt
HIDEDRV: Registry rules: \REGISTRY\[…]\FsFlt
HIDEDRV: Inject dll: C:\Windows\system32\mypathcom\dnscli1.dll
HIDEDRV: Folder rules: \Device\HarddiskVolume1\Windows\system32\mypathcom
HIDEDRV: <<<<<<<<XXXXX<<<<<<<< rules
HIDEDRV: <<<<<<<<Hide rules<<<<<<<< rules
Kernel Mode Rootkit (2) How It Works
• Two implementations of the hiding ability:
– SSDT hooking
– Minifilter driver

Implementation Minifilter
[Figure: minifilter implementation, shown as code in the slides]
Who Are You Rootkit?
• Never documented (to the best of our knowledge)
• PDB paths:
d:\!work\etc\hi\Bin\Debug\win7\x86\fsflt.pdb
d:\!work\etc\hideinstaller_kis2013\Bin\Debug\win7\x64\fsflt.pdb
d:\new\hideinstaller\Bin\Debug\wxp\x86\fsflt.pdb
To Summarize
• Seven different samples (!) of DOWNDELPH over the past three years
• One C&C server was up for two years
• Persistence methods:
– Bootkit able to infect from Windows XP to Windows 7
– Rootkit
• So, WHY such advanced persistence methods for such a simple component?
• DOWNDELPH downloaded SEDRECO + XAGENT in a few cases, so SEDNIT related for sure

SPECULATIVE MUMBLINGS
Call For Speculation
• The diversity of Sednit software is impressive (DOWNDELPH, bootkit, XAGENT, SEDKIT…)
• Diversity is good for their operations, as it makes detection and tracking harder
• How did they create this software ecosystem?
Sednit Development Process (1) Developers Role
• Binaries are often compiled specifically for a target, after it has been infected
[Figure: XAGENT SMTP logins/passwords]
• Main software evolves regularly (XTUNNEL, SEDUPLOADER, XAGENT…)
Developers are part of the team, not outsiders paid for a one-time job
Sednit Development Process (2) Software Design
• Different Sednit software share some techniques:
– RC4 keys built as concatenation of a hardcoded value and a randomly generated value
(XAGENT, DOWNDELPH, SEDUPLOADER)
– Hardcoded “tokens” in network messages (XAGENT, SEDUPLOADER, SEDRECO)
The same developers may be behind this variety of software
Sednit Development Process (3) Programming Errors
120
Linux XAGENT Communications termination
Sednit Development Process (3) Programming Errors
121
XTUNNEL report message
Developers do not seem to have a code review process (the code has a “hackish” feel)
Sednit Development Process (4) Seeking Inspiration
• SEDUPLOADER employed novel persistence methods also found in crimeware, and shares code with Carberp
• DOWNDELPH bootkit code bears some similarities to BlackEnergy code
122
Developers have ties with the crimeware underground
Sednit Development Process (5) Having Fun
123
Developers are not working in a formal environment…
Mumblings Summary
Sednit has some skilled in-house developers, working with little supervision, and those developers have ties with the crimeware underground
124
Conclusion
• Sednit activity increased a lot during the last two years (targeted attacks with a LOT of targets)
– Heard about the DNC hack last week?
• Sednit toolkit in constant evolution, moar fun to come!
125
That’s All Folks!
• Feel free to poke us:
{calvet,campos,dupuy} .at. esetlabs.com
• Whitepaper coming soon!...
(“in two months”)
126