command and control mechanism trends in exploit kits rats
play

Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, - PowerPoint PPT Presentation

Oct 31, 2023 •125 likes •348 views

Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware January 13, 2016 Mark Mager US-CERT Code Analysis Team Homeland National Cybersecurity and Communications Integration Center Security Agenda About Me

  1. Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware January 13, 2016 Mark Mager US-CERT Code Analysis Team Homeland National Cybersecurity and Communications Integration Center Security

  2. Agenda • About Me • 2015 Year in Review • Malware Crash Course • Other Malware • Remote Access Tools • Exploit Kits • APTs • Conclusion Homeland Office of Cybersecurity and Communications Security

  3. About Me • Mark Mager • US-CERT Code Analysis Team • phia LLC • Reverse Engineer / Software Engineer • Away from daily malware analysis for 4 years – Returned in 2015 • What’s changed? Homeland Office of Cybersecurity and Communications Security 3

  4. 2015 Year in Review • Hacking Team • OPM • Hacktivism – Anonymous – Terrorist cells • Cybercrime – Carbanak – Premera Blue Cross • See hackmageddon Cyber Attacks Timeline… Homeland Office of Cybersecurity and Communications Security 4

  5. Malware Crash Course • Malware Roles – Contained within one or more files • Initial Attack Vector • Launcher • Dropper • Downloader • Command and Control • Advanced Malicious Capabilities – Keylogging, process enumeration, reverse shell • Persistence Homeland Office of Cybersecurity and Communications Security 5

  6. Malware Crash Course • Malware Categories – Remote Access Tools – Exploit Kits – Advanced Persistent Threats – Other Malware… Homeland Office of Cybersecurity and Communications Security 6

  7. Malware Crash Course • Analysis Techniques – Dynamic Analysis • Virtualization • Debugging • Unpacking – Static Analysis • Disassemby / decompilation • Deobfuscation – Live Dynamic Analysis • Non-attribution • Payload retrieval Homeland Office of Cybersecurity and Communications Security 7

  8. Caveats • Derived from own research, analysis – Curated dataset • Primarily Windows samples • Generalized info – Limited indicators – OPSEC • Timeline: February 2015 – November 2015 Homeland Office of Cybersecurity and Communications Security 8

  9. Low-Hanging Fruit: Office Documents • Decoy document text – Enable macros, please? • Obfuscated macros – Commercial obfuscation • CrunchCode • Multi-stage – VBScript, batch files, PowerShell • Payloads directly downloaded and executed – Spray and pray spear phishing – No attempt at obscuring comms • GET stage2.exe HTTP/1.1 Homeland Office of Cybersecurity and Communications Security 9

  10. Low-Hanging Fruit: Office Documents • Decoy document text – Enable macros, please? • Obfuscated macros – Commercial obfuscation • CrunchCode • Multi-stage – VBScript, batch files, PowerShell • Payloads directly downloaded and executed – Spray and pray spear phishing – No attempt at obscuring comms • GET stage2.exe HTTP/1.1 Homeland Office of Cybersecurity and Communications Security 10

  11. Low-Hanging Fruit: Office Documents • Callback URIs – Compromised sites • Wordpress blogs – *.*/wp-content/uploads/* Homeland Office of Cybersecurity and Communications Security 11

  12. Remote Access Tools • Gh0st RAT – Connects to C2 URI over TCP port 80 • "HTTP\1.1 Sycmentec" header – 48 54 54 50 5c 31 2e 31 20 53 79 63 6d 65 6e 74 65 63 d3 • variable length of null bytes • data pertaining to compressed / decompressed size of payload • zlib default compression header: 78 9c [4b] • encrypted (using Gh0st RAT's custom encryption routine) payload consisting of system information (e.g. operating system version, computer name, username) which has been compressed with zlib – No request method specified Homeland Office of Cybersecurity and Communications Security 12

  13. Remote Access Tools • PlugX – Connects to C2 over TCP port 80 then initiates a HTTP POST request • POST /update?id=00188d08 HTTP/1.1 – Accept: */* – OldServer: 0 – Check: 0 – PostSize: 61456 – PostSerial: 1 – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; SV1) – Host: xxx.xxx.xxx.xxx – Content-Length: 0 – Cache-Control: no-cache Homeland Office of Cybersecurity and Communications Security 13

  14. Remote Access Tools • exeproxy – Ciphers 80 byte block of data • randomly-generated data and host's NetBIOS name • block is XORed using an embedded shifting XOR cipher – Establishes a secure session (using the embedded OpenSSL library) over TCP port 443 with C2 URI and sends the the data block – XOR decrypts response data from the C2 server with key that is included in the response – Validates the decrypted data and determines whether to continue its established session with the C2 or terminate the session Homeland Office of Cybersecurity and Communications Security 14

  15. Remote Access Tools • exeproxy – Anti-reversing techniques • Code blocks have no effect • Thwart reverse engineering efforts and obfuscate capabilities • Implemented via inline assembly – x86 instructions (e.g. pushf, popf) not often seen in compiled code – meaningless instructions (e.g. or ax, ax) • Conditional statements which always yield same value • Explicit preservation of registers via the stack – e.g. code blocks begin with several push instructions in a row and pushf and then end with the equivalent popf / pop instructions Homeland Office of Cybersecurity and Communications Security 15

  16. Exploit Kits • Modular • Easy to use GUI • Packed with exploits • Amorphous, multi-stage payloads Homeland Office of Cybersecurity and Communications Security 16

  17. Angler Exploit Kit • Multi-stage • Multiple potential vectors – Java, Flash, Silverlight – Silverlight is not as easily reversed • Heavily obfuscated – Unprintable Unicode characters – Obscured control flow » Nested, indirect function calls – Functionality spread across several classes Homeland Office of Cybersecurity and Communications Security 17

  18. Advanced Persistent Threats • Zero Days – Hacking Team SWF exploits • CVE-2015-5119 – Quick turnaround • Spear phishing still extremely common – Easiest initial exploit vector – HTTP GET requests to compromised sites for payloads • Gh0st RAT Variant used in APT activity Homeland Office of Cybersecurity and Communications Security 18

  19. Total Artifacts Analyzed Executables PDFs 51 54 Word Docs SWFs JARs Silverlight E-mails Web Other 13 5 2 1 3 2 1 Homeland Office of Cybersecurity and Communications Security 19

  20. Executables Analyzed 7 32-bit 64-bit 47 Homeland Office of Cybersecurity and Communications Security 20

  21. Conclusion • Advanced C2 techniques not always used • Older malware and TTPs are still used – pwdump, ophcrack, Hacker’s Door – RATs analyzed trace back several years – spray and pray is still very common • Complex multi-stage / modular frameworks • Turnaround for zero days is shortening • Lack of 64-bit malware, rootkits Homeland Office of Cybersecurity and Communications Security 21

  22. Thanks • US-CERT Code Analysis Team • Northrop Grumman – Rob Mangiante • phia LLC – Chad Hein • Rodney DeCarteret • Tessa Strasser Homeland Office of Cybersecurity and Communications Security 22

Recommend

Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits

Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits

Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits Mohamed Saher (@halsten) About @halsten Reverse Engineering Automa5on of RE tasks

687 views • 52 slides
Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits Mohamed Saher (@halsten) About

Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits Mohamed Saher (@halsten) About

Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits Mohamed Saher (@halsten) About @halsten Reverse Engineering Automa5on of RE tasks Virtualiza5on Regular projecteuler problem solver (ranked #1 locally) Old

683 views • 52 slides
Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What do we Track and Why? + Overview of Information Stealing Trojans How/What they steal Phoning Home Popular Kits + Detecting C&C

378 views • 25 slides
of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

PhishEye: Xiao Han Nizar Kheir Live Monitoring Davide Balzarotti of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results [APWG Phishing Activity Trends Report 2 nd Quarter 2016] All time high record

921 views • 59 slides
Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien Maisonneuve Thesis supervisors: Olivier Hermant Franois Irigoin Thesis defense Paris, February 6, 2015 Control-Command Systems A control-command

1.17k views • 83 slides
Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2 WS) 2005-2007 2005-2007 Magdalena Hammervik Jenny Lindoff Martin Castor Lars Tydn Purpose of this presentation Purpose of this presentation

530 views • 24 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Key Human System Integration Plan Elements for Command & Control Acquisition Michael B.

Key Human System Integration Plan Elements for Command & Control Acquisition Michael B.

2010 Command and Control Research and Technology Symposium Key Human System Integration Plan Elements for Command & Control Acquisition Michael B. Cowen, Ph.D. SPAWAR Systems Center Pacific Code 53621 53560 Hull Street San Diego, CA 92152

492 views • 13 slides
The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to the 12th International Command and Control Research and Technology Symposium Paper I-156 Dr. Michael R. Hieb Sean Mackay Michael Powers Martin

332 views • 19 slides
A time-based intervention to promote self-control in middle- aged rats Jennifer R. Peterson

A time-based intervention to promote self-control in middle- aged rats Jennifer R. Peterson

A time-based intervention to promote self-control in middle- aged rats Jennifer R. Peterson & Kimberly Kirkpatrick Kansas State University Department of Psychological Sciences Impulsive Behavior and Aging Age-related cognitive and

411 views • 10 slides
Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2

Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2

Software Architecture Software Architecture Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2 2 Command pattern - Intent Purpose Way to implement an undo-redo mechanism, e.g. in text y p g

1.11k views • 82 slides
Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 8/15/2011 1 Downloading Exploits I found a Exploit control flow hijack exploit online! Evil Ed Windows 7 8/15/2011 2

837 views • 58 slides
Solutions to exercise 3 Rasmus Waagepetersen October 16, 2019 Exercise 3 (rats) We plot

Solutions to exercise 3 Rasmus Waagepetersen October 16, 2019 Exercise 3 (rats) We plot

Solutions to exercise 3 Rasmus Waagepetersen October 16, 2019 Exercise 3 (rats) We plot response versus log-age (and age) rats$logage=log(rats$age) library(lattice) xyplot(response~logage,group=rat,type="l",data=rats) Vs log-age

112 views • 8 slides
OCA Conference 2014 First Aid Kits Types Placement # of Kits Contents

OCA Conference 2014 First Aid Kits Types Placement # of Kits Contents

OCA Conference 2014 First Aid Kits Types Placement # of Kits Contents AEDs Definition Types Placement Benefits Training Roles Scope of Practice Working Together Reporting Canadian Red

488 views • 34 slides
Clean Delivery Kit: A job aid Linda Bruce, PATH 1 What are Delivery What are Delivery Kits?

Clean Delivery Kit: A job aid Linda Bruce, PATH 1 What are Delivery What are Delivery Kits?

Clean Delivery Kit: A job aid Linda Bruce, PATH 1 What are Delivery What are Delivery Kits? Kits? Delivery kits are pre- packaged, single- use, disposable kits that contain essential items for conducting a clean delivery. 2 WHOs

532 views • 9 slides
Response: WCC, SDC & Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Response: WCC, SDC & Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Emergency Planning in Stratford Scrutiny Committee Michael Enderby Head of Service, CSW Resilience 6 th September 2017 04/09/2017 Civil Contingencies Act 2004 THE 7 DUTIES A single framework for civil protection in the United Kingdom to

419 views • 4 slides
C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and

C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and

Command, Control, and Communications Engineering Center (C3CEN) C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and Communications Engineering Center Sustaining the PresentDeveloping the Future Command,

1.18k views • 49 slides
FGAN Content 1. The Development of a Formal Grammar 2. Designing a Command and Control Grammar

FGAN Content 1. The Development of a Formal Grammar 2. Designing a Command and Control Grammar

Applying A Formal Language of Command and Control for Interoperability Between Systems Presented to the AFCEA - GMU C4I Center Symposium on Critical Issues in C4I Dr. Michael Hieb Dr. Ulrich Schade George Mason University FGAN-FKIE US

562 views • 14 slides
COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH

COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH

COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH APPROACH TO BY D. J. LAMB AND P. F. O'NEILL OPERATIONAL RESEARCH AND ANALYSIS NATIONAL DEFENCE HEADQUARTERS OTTAWA, CANADA OUTLINE OF PRESENTATION

680 views • 45 slides
Webjive abdullah.amjad@maxiv.lu.se On behalf of the KITS group Start with Why? Web based tool

Webjive abdullah.amjad@maxiv.lu.se On behalf of the KITS group Start with Why? Web based tool

Webjive abdullah.amjad@maxiv.lu.se On behalf of the KITS group Start with Why? Web based tool for control system. Not dependent on OS. User-friendly and intuitive interactions. Easy and quick-to-use. Monitoring as well as control. User

542 views • 21 slides
Between Fluffy Bunnies and Command & Control Agile Adop8on

Between Fluffy Bunnies and Command & Control Agile Adop8on

Between Fluffy Bunnies and Command & Control Agile Adop8on in Prac8ce 5493 Benjamin Mitchell Independent Consultant @benjaminm Mixed Messages &

964 views • 48 slides
A quick accurate diagnosis will lead to early treatment and more importantly break the spread of

A quick accurate diagnosis will lead to early treatment and more importantly break the spread of

rapid-test-kits.com admin@ Rapid-test-kits.com Rapid Test Kits Malaria, Dengue, HIV 1&2 (P24 A g), Tuberculosis, Syphilis, HBsAg & HCV & Combination Medical diagnostic tests that are quick and easy to perform. Suitable for

716 views • 29 slides
New UPM analyzers & smart kits Power analyzers for energy control in industrial environment

New UPM analyzers & smart kits Power analyzers for energy control in industrial environment

New UPM analyzers & smart kits Power analyzers for energy control in industrial environment for CTs (UPM209 UPM309) for DIRECT connection up to 80A (UPM209) for ROGOWSKI coils (UPM209RGW UPM309RGW) 1 NEW UPM ANALYZERS UPM209 UPM309

260 views • 10 slides
Multiagent Traffic Management: An Improved Intersection Control Mechanism Mechanism PRESENTED

Multiagent Traffic Management: An Improved Intersection Control Mechanism Mechanism PRESENTED

Multiagent Traffic Management: An Improved Intersection Control Mechanism Mechanism PRESENTED BY PATRICIA PEREZ AND LAURA MATOS PRESENTED BY: PATRICIA PEREZ AND LAURA MATOS Outline Introduction The Original System Improving the

854 views • 21 slides

More recommend