Why Nation-State Malwares Target Telco Networks - DEF CON 23
Author: Ömer Coşkun
Why Nation-State Malwares Target Telco Networks: Dissecting Technical Capabilities of Regin and Its Counterparts
The supreme art of war is to subdue the enemy without fighting. Sun Tzu
Outline
• Overview
• Telecom Network Architecture
• Practical Attack Surfaces
• GRX Attack Vectors
• SS7 Attack Vectors
• Practical Attack Scenarios
• Rootkit Attacks: Regin and its counterparts
• Common Rootkit Techniques and Regin
• Regin vs. Uroburos and Duqu
• Demo: PoC || GTFO
• Questions?
$ whoami
Ömer Coşkun (@0xM3R)
• BEng. Computer Science
  Research Assistant in Quantum Cryptography & Advanced Topics in AI
• Industry Experience
  KPN – CISO, Ethical Hacking
  Verizon – Threat & Vulnerability Management
  IBM ISS – Threat Intelligence
• Interests
  Algorithm Design, Programming, Cryptography, Reverse Engineering, Malware Analysis, OS Internals, Rootkits
$ REDteam
Motivations
• Analyze existing vulnerabilities and the attack surface of GSM networks
• Governments hack their own citizens
• Surveillance implants shifted focus to telecom networks and network devices
• European Telco companies are really paranoid after the Regin attack
• Rootkits are fun: a lot to learn & challenge
• Reproduce the attack scenario and implement it!
GSM Network Architecture
Regin targets GSM Networks
Determining Attack Surface
Potential Attack Surfaces
• Absence of physical intrusion detection devices
• Vulnerable running services accessible from the BTS
• Absence of tamper resistance and unauthorized access protection
• Improper network segmentation; inner non-routable segments of the Telco company could be accessible.
• Core GPRS Network and Network Subsystem (NSS) could be exploitable!
GRX Networks
• GPRS roaming exchange, interconnecting networks.
• Your local GSM provider abroad
• Trust-based, highly interconnected network, made for internet sharing
• A failure or malicious activity would affect multiple connected machines
• Multiple attack vectors, not limited to the particular segment you are originating from.
GRX Networks – Attack Vectors
• GPRS roaming exchange, interconnecting networks.
• Your local GSM provider abroad
• Trust-based, highly interconnected network, made for internet sharing
• Multiple attack vectors, not limited to the particular segment you are originating from.
GRX Networks – Network Flow
Juicy information is here.
And more juicy information is here.
GRX Networks – Attacks & Flaws
Are you telling me all your communication is intercepted and logged, including your physical location?
SS7 & SIGTRAN
SS7 introduces procedures for:
• User identification
• Routing
• Billing
• Call management
SS7 features:
• Flow control of transmitted information
• Traffic congestion controls
• Peer entity status detection (GT + PC or SPC)
• Traffic monitoring and monitoring measurement
SS7 Protocol Analysis
All the juicy info is here:
✓ Calling no.
✓ Called no.
✓ Call duration
✓ Call status
SS7 Protocol Attacks & Flows
Feel confident that the NSA is not interested in ‘good’ people?
SS7 Practical Attack Scenarios
1 • Intercepting subscribers' calls
2 • Subscriber service change attacks
3 • Interception of SMS messages
4 • Interception of outgoing calls
5 • Redirection of incoming or outgoing calls
6 • Making changes in user bills or balance
7 • Unblocking stolen mobile devices
IEEE August 2015, Nokia Researchers Espoo, Finland.
Hacking Team after SS7 Hacks
Source: https://wikileaks.org/hackingteam/emails/emailid/343623
Rootkit Techniques
Hardware/Software Interception: Captain Hook Style Hacking
Captain Hook Style Hacking: intercepts every function, keeps a copy of the content for itself, and then lets the function continue as it was supposed to …
Regin Platform Structure
Regin Platform Analysis
Challenges, Hurdles & Difficulties:
• No one had the dropper when the analysis started
• Multi-stage and encrypted framework structure
• Modules are invoked via an SOA structure by the framework
• Malware data are stored inside the VFS
• Researched GSM networks had no indication of compromise :)
What is the solution?
Check similar work & the write-up: http://artemonsecurity.com/regin_analysis.pdf
RE Orchestrator, Memory dumps, Static Analysis, Instrumentation of Calls, Dynamic Analysis
Regin Platform Stages
Regin Platform – Stage 1
Regin Platform – Stage 2
Regin Platform – Stage 3 & 4
Regin Platform – Stage 3 & 4 – How to Weaponize it?
1 • Register a call-back function to a process
2 • Log the PID of the target process
3 • Obtain the PEB via ZwQueryInformationProcess() for the base addresses of the modules
4 • Obtain the EP via PsLookupProcessByProcessId()
5 • Get inside the process context via KeStackAttachProcess(), referenced by the EP
6 • Read the PEB and other data in the process context
Uroburos < Regin < Duqu2

| Uroburos | Regin | Duqu2 |
|---|---|---|
| Encrypted VFS | Encrypted VFS | Encrypted VFS #2 |
| PatchGuard Bypass | Fake Certificate | Stolen Certificate |
| Multiple Hooks | Orchestrator SOA | Orchestrator SOA |
| AES | RC5 | Camellia 256, AES, XXTEA |
| Backdoor/Keylogger Mod | Advanced Network/File Mods | More Advanced Network/File/USB Mods |

Regin Attack Simulation
Mini Regin Attack Simulator
• Covert Channel Data Exfiltration
• Runs as a thread in a legitimate app’s address space
• Orchestrator simulator and partial SOA
• File system, registry and network call hooking
• Backdoor/Keylogger Mod
Demo
Questions?