apt3 uncovered the code evolution of pirpi
play

APT3 Uncovered: The code evolution of Pirpi Your functions are - PowerPoint PPT Presentation

Jan 29, 2024 •556 likes •831 views

APT3 Uncovered: The code evolution of Pirpi Your functions are showing (and leaving a trail) Micah Yates - @m1k4chu Palo Alto Networks Your functions are showing Persistent Code Reuse Finding The Trail Pirpi.201x vs Operation

  1. APT3 Uncovered: The code evolution of Pirpi Your functions are showing (and leaving a trail) Micah Yates - @m1k4chu Palo Alto Networks

  2. Your functions are showing • Persistent Code Reuse • Finding The Trail • Pirpi.201x vs Operation Clandestine DoubleTap • Just give me all the Pirpi you have • EXEProxy

  3. Persistent Code Reuse: function_1

  4. Persistent Code Reuse • What is Pirpi? • Targeted malware delivered via 0-days • (CVE-2010-3962) • (CVE-2014-1776) • (CVE-2014-4113) • (CVE-2014-6332) • (CVE-2015-3113) • (CVE-2015-5119) • Appended to a valid gif • Obfuscated Command and Control • Compromised infrastructure

  5. Finding a Trail • Why are you doing this? • It’s fun • You don’t know what you don’t know • Pick 2 binaries by: • Family • Compile Times • File Size • % similarity (ssdeep)

  6. It started out with a diff, how did it end up like this? • Inspect Binaries w/ IDA Tools • Bindiff – Hex Rays • IDAScope – Plohmann/Hanel • Bindiff two known Pirpi samples • fb838cda6118a003b97ff3eb2edb7309 • e33804e3e15920021c5174982dd69890

  7. It was only a diff

  8. It was only a diff

  9. Aside: Putting the FUN in Function

  10. Pirpi.201x vs Operation Clandestine DoubleTap

  11. Pirpi.201x vs Operation Clandestine DoubleTap

  12. Just give me all the Pirpi you have: function_1 Compile MD5 Beacon 2007 01 3f5d79b262472a12e3666118a7cdc2ca www.msnmessengerupdate.com/index31382/f2ae95b93i97.bmp 2008 01 6bdee405ed857320aa8c822ee5e559f2 www.msnmessengerupdate.com/image19582/7e7e7eb7fi7f.gif 2009 03 e22d02796cfb908aaf48e2e058a0890a www.office2008updates.com/dream/dream.php? 2009 10 1fa0813be4b9f23613204c94e74efc9d ini.msnmessengerupdate.net/smart/smartmain.php? 2010 01 914e9c4c54fa210ad6d7ed4f47ec285f ini.office2005updates.net/smart/smartmain.php? 2013 01 44bd652a09a991100d246d8280cac3ac 218.42.147.106/bussinesses/caetrwet/ 2014 04 b48e578f030a7b5bb93a3e9d6d1e2a83 product.sorgerealty.com 2016 04 f683cf9c2a2fdc27abff4897746342c4 ste.mullanclan.com

  13. function_1 Just give me all the Pirpi you have: UNIQUE SAMPLES 100 10 20 30 40 50 60 70 80 90 0 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 2010 02 2010 03 2010 05 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02

  15. function_1 - minor versions UNIQUE SAMPLES 100 10 20 30 40 50 60 70 80 90 0 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 2010 02 2010 03 2010 05 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02 v1 v2 v3 v4 v5 v6

  16. function_1 - minor versions function_1 - minor versions V1 - 2007 V2 - 2008 V3 – 2006 MD5: MD5: MD5: 98011f5b7b957a142f14cbda57a5ea82 272cb6c16e083ca143d40c63005753a2 acd8d34d8360129df1c8d03f253ba747 @00401FC0 @00403110 @100016A0

  17. function_1 - minor versions V4 - 2014 V5 - 2016 V6 - 2017 MD5: MD5: MD5: c006faaf9ad26a0bd3bbd597947da3e1 f683cf9c2a2fdc27abff4897746342c4 07b4d539a6333d7896493bafd2738321 @0040B320 @00401D60 @00404A20

  18. function_2

  19. function_2 UNIQUE SAMPLES 100 10 20 30 40 50 60 70 80 90 0 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 2010 02 2010 03 pirpi_version_check 2010 05 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02

  20. function_3

  21. function_3 UNIQUE SAMPLES 10 15 20 25 30 35 40 45 0 5 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 pirpi_cmdline_createproc 2010 02 2010 03 2010 05 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02

  22. EXEProxy • b94bcffcacc65d05e5f508c5bd9c 950c • Contains function_1 • Contains Anti-Disasm • OpenSSL included • Requires cmd line params to run

  23. pirpi_EXEPROXY EXEProxy: UNIQUE SAMPLES 0 1 2 3 4 5 6 7 8 9 2006 03 2007 01 2007 10 2008 01 2008 02 2008 03 2008 04 2008 05 2008 06 2008 07 2008 09 2008 11 2008 12 2009 03 2009 05 2009 07 2009 08 2009 09 2009 10 2009 11 2009 12 2010 01 2010 02 2010 03 2010 05 pirpi_EXEPROXY 2010 06 2010 07 COMPILE YEAR AND MONTH 2010 08 2010 10 2011 01 2011 04 2011 05 2011 06 2011 07 2011 08 2011 10 2011 11 2011 12 2012 01 2012 04 2012 05 2012 09 2012 11 2012 12 2013 01 2013 02 2013 07 2013 09 2013 12 2014 04 2014 05 2014 07 2014 08 2014 09 2015 01 2015 06 2015 07 2015 09 2016 03 2016 04 2016 08 2017 02

  24. EXEProxy 2: Electric Boogaloo • 4d3874480110ba537b383 9cb8b416b50 • Contains function_1 • Server tool ">Ltime %2d:%2d:%2d Disconnect >“ • Requires Cmd Line "%2d:%2d:%2d >Cback :“ Params ">LTime : %2d:%2d:%2d“ ">Cback: %s:%d" • No other notable "H:%s " anchor functions "Ok. " "K:%d"

  25. EXEProxy 2: Electric Boogaloo • a85f9b4c33061ee724e59291242b9e86 • OpenSSL Server • Contains Public/Private Keys

  26. In Summary: • Some families never change • Anchor Functions are Fun! • Use public info • Pirpi malware active since at least 2006 • Unintended findings

  27. • Thanks: • Richard Wartell – Palo Alto Networks • Mike Scott – Palo Alto Networks • Biblio: • MITRE: • https://attack.mitre.org/wiki/Software/S0063 • FireEye: • https://www.fireeye.com/blog/threat-research/2010/11/ie-0-day-hupigon-joins-the-party.html • https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html • https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html • https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html • Symantec: • https://www.symantec.com/connect/blogs/new-ie-zero-day-used-targeted-attacks • https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong • http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Symantec-Buckeye-IOCs.txt • EmergingThreats: • https://rules.emergingthreats.net/changelogs/suricata-1.3.etpro.2015-09-10T21:29:38.txt • (cached by other sites, search for hash 4d3874480110ba537b3839cb8b416b50 and EXEProxy) • Palo Alto Networks: • https://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team- flash-exploit/ • https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and- the-pirpi-payload/

Recommend

Refactoring Section 7.2.1 (JIAs) OTHER SOURCES Code Evolution Programs evolve and code is

Refactoring Section 7.2.1 (JIAs) OTHER SOURCES Code Evolution Programs evolve and code is

Refactoring Section 7.2.1 (JIAs) OTHER SOURCES Code Evolution Programs evolve and code is NOT STATIC Code duplication Outdated knowledge (now you know more) Rethink earlier decisions and rework portions of the code Customer

1.03k views • 76 slides
SMUHSDs New Dress Code Evolution of the New Dress Code Policy Student representatives

SMUHSDs New Dress Code Evolution of the New Dress Code Policy Student representatives

SMUHSDs New Dress Code Evolution of the New Dress Code Policy Student representatives expressed concerns to the Board of Trustees about the inequitable dress code across District schools. Female students felt targeted for the way

191 views • 8 slides
Lecture 6 & 7 Empirical Studies of Software Evolution: Code Decay EE382V Software Evolution:

Lecture 6 & 7 Empirical Studies of Software Evolution: Code Decay EE382V Software Evolution:

Lecture 6 & 7 Empirical Studies of Software Evolution: Code Decay EE382V Software Evolution: Spring 2009, Instructor Miryung Kim Announcement Your proposals have been graded. Literature Survey & Tool Evaluation: Each in the range

930 views • 56 slides
AFM S CORPORATE GOVERNANCE CODE Martin Shaw Chief Executive, AFM EVOLUTION OF THE CODE

AFM S CORPORATE GOVERNANCE CODE Martin Shaw Chief Executive, AFM EVOLUTION OF THE CODE

! AFM S CORPORATE GOVERNANCE CODE Martin Shaw Chief Executive, AFM EVOLUTION OF THE CODE EQUITABLE LIFE In 2000 the House of Lords ruled that the society must honour the bonuses that it promised to 90,000 policy holders with

518 views • 13 slides
LinkedIn: Network Updates Uncovered LinkedIn: Network Updates Uncovered Ruslan Belkin Sean

LinkedIn: Network Updates Uncovered LinkedIn: Network Updates Uncovered Ruslan Belkin Sean

LinkedIn: Network Updates Uncovered LinkedIn: Network Updates Uncovered Ruslan Belkin Sean Dawson Agenda Agenda Quick T Quick Tour our Req equirements (User Experience / Infrastructure) uirements (User Experience / Infrastructure)

680 views • 42 slides
Presence of Evolution: Models vs. Code Jan Jrjens TU Dortmund & Fraunhofer ISST

Presence of Evolution: Models vs. Code Jan Jrjens TU Dortmund & Fraunhofer ISST

Security Certification in the Presence of Evolution: Models vs. Code Jan Jrjens TU Dortmund & Fraunhofer ISST http://jan.jurjens.de What is Software Evolution ? Software today often long-living (cf. Year-2000-Bug). Continual change

683 views • 29 slides
Exchange Rates and Uncovered Interest Differentials: The Role of Permanent Monetary Shocks

Exchange Rates and Uncovered Interest Differentials: The Role of Permanent Monetary Shocks

Exchange Rates and Uncovered Interest Differentials: The Role of Permanent Monetary Shocks Stephanie Schmitt-Groh e and Mart n Uribe Columbia University November 4, 2020 Schmitt-Groh e and Uribe Exchange Rates and Uncovered

629 views • 37 slides
Modelling the spectral evolution of Supernovae - The JEKYLL code Mattias Ergon In collaboration

Modelling the spectral evolution of Supernovae - The JEKYLL code Mattias Ergon In collaboration

Modelling the spectral evolution of Supernovae - The JEKYLL code Mattias Ergon In collaboration with Claes Fransson, Anders Jerkstrand, Markus Kromer and Cecilia Kozma H, He, O, Ca, Fe, Continuum The JEKYLL code What: Realistic* simulations of

228 views • 19 slides
Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral

Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral

Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral Symposium ICSE 2007 1. Title: Understand & Aiding Code Evolution by Inferring Change Patterns. (30 sec) My name is Miryung Kim & I am a graduate

571 views • 17 slides
Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the

Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the

Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the shared pieces of code amongst pieces of d3 code via MOSS and visualize the evolution of D3 code snippets. Scope: about 30k examples of D3 code

278 views • 16 slides
EVOLUTION X3 - 1 - Evolution X3 Marketing Dpt. November 2006 - 2 - EVOLUTION X3 Evolution X3

EVOLUTION X3 - 1 - Evolution X3 Marketing Dpt. November 2006 - 2 - EVOLUTION X3 Evolution X3

Marketing Dpt. November 2006 EVOLUTION X3 - 1 - Evolution X3 Marketing Dpt. November 2006 - 2 - EVOLUTION X3 Evolution X3 Evolution X3 Technical Features: HP Pum p Highly reliable plunger pump with brass head and 3 ceramic pistons for

405 views • 13 slides
Language evolution in the lab language evolution synthesized agent-based simulations iterated

Language evolution in the lab language evolution synthesized agent-based simulations iterated

Language evolution in the lab language evolution synthesized agent-based simulations iterated learning experimental semiotics evolutionary game theory 2 evolving an artificial code Bruno Galantucci (2005) An Experimental Study on the

461 views • 31 slides
Modelling the spectral evolution of supernova (with the JEKYLL code). Mattias Ergon (Stockholm

Modelling the spectral evolution of supernova (with the JEKYLL code). Mattias Ergon (Stockholm

Modelling the spectral evolution of supernova (with the JEKYLL code). Mattias Ergon (Stockholm University) In collaboration with Claes Fransson, Anders Jerkstrand, Markus Kromer, Cecilia Kozma and Kristoffer Spricer H, He, O, Ca, Fe, Continuum

579 views • 36 slides
The Evolution of IT Applications: Control of computations hidden in code; integration a

The Evolution of IT Applications: Control of computations hidden in code; integration a

Service Engagements The Evolution of IT Applications: Control of computations hidden in code; integration a nightmare Workflows: Control abstracted out; integration still difficult Standards-driven orchestration: Integration improved;

410 views • 10 slides
INTERNATIONAL ARBITRATION FOR BUSINESS: ENERGY AND INFRASTRUCTURE SECTORS UNCOVERED Bucharest, 21

INTERNATIONAL ARBITRATION FOR BUSINESS: ENERGY AND INFRASTRUCTURE SECTORS UNCOVERED Bucharest, 21

INTERNATIONAL ARBITRATION FOR BUSINESS: ENERGY AND INFRASTRUCTURE SECTORS UNCOVERED Bucharest, 21 February 2019 The Club Espaol del Arbitraje is an international non-governmental organization that is dedicated to the promotion of arbitration

87 views • 4 slides
1 MICROEVOLUTION: change in the properties of populations of organisms over the course of

1 MICROEVOLUTION: change in the properties of populations of organisms over the course of

Introduction to Molecular Evolution (BIOL 3046) Course website: www.biol3046.info What is evolution? Evolution: from Latin evolvere , to unfold broad sense, to change e.g., stellar evolution, cultural evolution,

518 views • 6 slides
Thermic Presentation of Uncovered Composed Coverings in Jordan's Hot Dry Desert Province (Southern

Thermic Presentation of Uncovered Composed Coverings in Jordan's Hot Dry Desert Province (Southern

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/283300399 Thermic Presentation of Uncovered Composed Coverings in Jordan's Hot Dry Desert Province (Southern Badya) Article January

271 views • 14 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
OUTLOOK Rain Overcast Sunny TRANSPORTATION LESSON NO Uncovered Covered Theoretical

OUTLOOK Rain Overcast Sunny TRANSPORTATION LESSON NO Uncovered Covered Theoretical

Learning the concept Go to lesson OUTLOOK Rain Overcast Sunny TRANSPORTATION LESSON NO Uncovered Covered Theoretical Practical NO YES NO YES Decision trees encode logical formulas A decision tree represents a disjunction of

248 views • 4 slides
WIOA Uncovered California Placement Association San Diego | March 4, 2016 Todays Agenda

WIOA Uncovered California Placement Association San Diego | March 4, 2016 Todays Agenda

WIOA Uncovered California Placement Association San Diego | March 4, 2016 Todays Agenda Foundation Introduction What is WIOA What is the Task Force on Workforce Development Discussion/Q&A: What does this mean for your

564 views • 39 slides
LEPs UNCOVERED Alex Pratt OBE Holder of The Queens Award For Enterprise Promotion Chair of

LEPs UNCOVERED Alex Pratt OBE Holder of The Queens Award For Enterprise Promotion Chair of

LEPs UNCOVERED Alex Pratt OBE Holder of The Queens Award For Enterprise Promotion Chair of Buckinghamshire Thames Valley LEP ALL LEPS ARE EQUAL But Some Are More Equal Than Others. Heineken Lights The long term competitiveness on

708 views • 19 slides
DRIVING EVOLUTION Automatic Code Generation For Autonomous Vehicles Anthony Matarazzo Bodo

DRIVING EVOLUTION Automatic Code Generation For Autonomous Vehicles Anthony Matarazzo Bodo

DRIVING EVOLUTION Automatic Code Generation For Autonomous Vehicles Anthony Matarazzo Bodo Seifert Director ADAS - HMI DURA Automotive Systems 1 AGENDA A LYNN TILTON COMPANY DURA COMPANY OVERVIW SIL Testing 0 0 1 4 Requirements

233 views • 22 slides
Evolution of CMEs in the Heliosphere Simon Plunkett NRL Code 7662 STEREO Science Working Group

Evolution of CMEs in the Heliosphere Simon Plunkett NRL Code 7662 STEREO Science Working Group

Evolution of CMEs in the Heliosphere Simon Plunkett NRL Code 7662 STEREO Science Working Group Pasadena, CA November 2007 SECCHI Panoramic View of the Heliosphere HI-2 HI-1 EUVI, COR1, COR2 Science Objectives How does the structure

487 views • 11 slides
Rehabilitation Consequences of Road Collisions ine Carroll Evolution Evolution Evolution

Rehabilitation Consequences of Road Collisions ine Carroll Evolution Evolution Evolution

Rehabilitation Consequences of Road Collisions ine Carroll Evolution Evolution Evolution Exoskeleton Endoskeleton Soft and squishy! Lascaux Consequences Pedestrian RTCs Brain Spinal cord injury Common Clinical Patterns Upper Limbs

706 views • 54 slides

More recommend