StealthWare – Social Engineering Malware
Running malware for Social Engineering and Covert Operations
By: Joey Dreijer
Slide 2 – Social Engineering and Covert Operations
Security companies provide specialised social engineering services. A few examples:
- (Spear) phishing attacks: sending falsified e-mails to individuals and/or entire companies
- USB drop campaigns: who doesn't want free USB sticks?
- Advanced pentest campaigns: from gathering intel to physical penetration at client facilities
5 Jul 2015
Slide 3 – Social Engineering and Covert Operations
So your client asks you to perform a social engineering test / covert ops assignment to gain access to their network. What now?
- How far can you go?
- What methodology will you use?
- What is your entry point?
- What overly priced framework will you use?
Slide 4 – Having the right framework
Research questions:
- Is it possible to use social engineering malware stealthily (and effectively) for specialised security assessments?
- What existing tools are out there?
- What network/security policies will you often find on company premises?
- Can these policies be bypassed?
- Can the researched tools effectively cope with the different network architectures?
Slide 5 – Having the right toolkit
Research focus: the limitations of existing tools.
[Image: logos of the compared tools side by side (... vs. ... vs. ... vs. NYAN Edition)]
Slide 6
NO FOCUS ON EXPLOITATION*
* At least, only at a minimal level.
Slide 7 – Testing environment
- Infect a virtual client
- Communicate with the CnC server
- On-site locations with different network configurations
Slide 8 – Testing environment
Field testing reachability:
- Campus networks
- University labs (proxy networks)
- Open Wi-Fi points (captive portals)
- Restaurants (semi-open networks)
- Company networks (i.e. unauthenticated proxies)
Slide 9 – Common network configurations
Testing different network configurations:
- Clients behind a captive portal
- Clients behind an unauthenticated ('unauth') proxy
- Clients behind an authenticated proxy
And different (egress) firewall policies:
- Open Internet: everything is allowed (out)
- Limited access: ports 80/443 (web), 53 (DNS) and IMAP/SMTP (143, 25) are allowed; everything else is blocked
- Web-only: only 80/443 for 'daily' browsing, plus internal DNS
Slide 10 – Command and control
1. Client infected via an e-mail social engineering campaign
2. Client 'beacons' the command and control server to ask for queued commands
3. Server replies with a task or 'None'
Slide 11 – Command and control channels

Channel        Cobalt Strike*           ThrowBack ~Nyan**          ThrowBack
HTTP           Yes                      No                         No
HTTPS          Yes                      Yes                        Yes
DNS            Yes (TXT + A records)    Yes (RRSIG + A records)    No
Social media   No                       Yes (Twitter stego)        No

* Only taking the current default channels into account.
** Proof-of-concept malware client based on the ThrowBack backend.
Slide 12 – Effectiveness
- None of the default clients have 'fallback' methods :(
  I.e. no HTTP access? Try HTTPS. No HTTPS? Try DNS. No DNS? Try smoke signals.
- Using them requires prior knowledge of the network and/or 'HTTP is probably open anyway' statistical knowledge
- The current proof-of-concept attempts to find a way out autonomously
Slide 13 – Effectiveness proof-of-concept
[Diagram: Malware -> Backend Proxy -> Backend CnC. Channels shown on the client side: Twitter, HTTP, HTTPS, DNS; the backend proxy has per-channel front ends (Twitter Proxy, DNS Proxy) and a 'Crypto Magic' layer in front of the CnC server; steps 1. POST, 2., 3. mark the request/reply flow.]
Automatically attempt channel 1 and increment after failed attempts.
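The beacon loop of slide 10 combined with the channel fallback of this slide, as an added example in Python. This is not the ThrowBack/NYAN code from the talk: the transports are stand-ins (a `Channel` raises `ChannelError` when the network under test blocks it instead of doing real HTTP/DNS/Twitter I/O), the failure threshold and the network shape in `run_demo` are assumptions, and the CnC answers every beacon with the next queued task or the literal `None` as slide 10 describes.

```python
"""Autonomous channel fallback for a beaconing client (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple


class ChannelError(Exception):
    """The network in front of the client blocks this egress channel."""


@dataclass
class CncServer:
    """Backend CnC: one task queue, replies with the next task or 'None'."""
    tasks: Deque[str] = field(default_factory=deque)

    def handle_beacon(self, client_id: str) -> str:
        return self.tasks.popleft() if self.tasks else "None"


@dataclass
class Channel:
    """One transport (HTTP, HTTPS, DNS, ...). `blocked` is constructed input
    that models the firewall/proxy/captive-portal policy being tested."""
    name: str
    blocked: bool
    max_failures: int = 3   # assumed: failed attempts before moving to the next channel
    failures: int = 0

    def beacon(self, server: CncServer, client_id: str) -> str:
        if self.blocked:
            raise ChannelError(f"{self.name}: no route to CnC")
        return server.handle_beacon(client_id)


class FallbackBeacon:
    """Client side: try channels in order, abandon one only after
    max_failures consecutive errors, never go back to a dead channel."""

    def __init__(self, channels: List[Channel], server: CncServer, client_id: str = "victim-1"):
        self.channels = channels
        self.server = server
        self.client_id = client_id
        self.current = 0            # index of the channel currently in use
        self.log: List[str] = []

    def beacon_once(self) -> Tuple[str, str]:
        while self.current < len(self.channels):
            ch = self.channels[self.current]
            try:
                reply = ch.beacon(self.server, self.client_id)
            except ChannelError as err:
                ch.failures += 1
                self.log.append(f"{ch.name} failed ({ch.failures}/{ch.max_failures}): {err}")
                if ch.failures >= ch.max_failures:
                    self.current += 1   # increment to the next channel
                continue
            self.log.append(f"{ch.name} ok -> {reply}")
            return ch.name, reply
        raise ChannelError("every channel blocked; no way out found")


def run_demo() -> List[Tuple[str, str]]:
    """Constructed captive-portal network: HTTP and HTTPS are blocked,
    DNS still resolves. Returns the (channel, reply) of three beacons."""
    server = CncServer(deque(["whoami", "ipconfig /all"]))
    channels = [
        Channel("HTTP", blocked=True),
        Channel("HTTPS", blocked=True),
        Channel("DNS", blocked=False),
    ]
    client = FallbackBeacon(channels, server)
    return [client.beacon_once() for _ in range(3)]


def every_channel_blocked() -> bool:
    """Web-only network with external DNS blocked: the client runs out of channels."""
    client = FallbackBeacon([Channel("HTTP", True), Channel("DNS", True)], CncServer())
    try:
        client.beacon_once()
    except ChannelError:
        return True
    return False


if __name__ == "__main__":
    for channel, reply in run_demo():
        print(f"{channel:5s} {reply}")
```

With the captive-portal set-up the first call burns three attempts on HTTP and three on HTTPS before the DNS channel returns the first task; later beacons go straight to DNS. A real client would also space the attempts out in time, otherwise the burst of failed connections is itself a detectable event.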
Slide 14 – Effectiveness (with prior knowledge)

Network config                      Cobalt Strike    ThrowBack ~Nyan    ThrowBack
Unauth proxy                        Yes              Yes                Yes
Auth proxy                          Yes              Yes                Yes (but buggy)
Captive portal (with DNS allowed)   No               Yes                No

Both Cobalt Strike and ThrowBack (Nyan) are able to read the currently configured Windows proxy settings.
TODO: still creating/visiting environments to test reachability. Fully 'documented' details in the report later.
Slide 15 – Detectability
- Beacon detection in PCAP files – L. van Duijn (OS3, 2014): proof-of-concept code; beacon detection is still not 'ready' for real-time analysis
- SSL stripping + DPI (à la Blue Coat): running appliances such as Blue Coat that strip/intercept SSL so the payload can be inspected
- Domain 'trust' index: monitor 'trusted' domains and analyse domain structures (e.g. Runforestrunabcd.omgthisunique1928481.ru)
- Anomaly detection: e.g. beacons during the night, lunch and/or the foosball session
- Static signatures: only available for 'known' malware, but not for ThrowBack and Cobalt Strike yet?!
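A minimal domain 'trust' index of the kind the third bullet sketches, written here as an added example (not code from the talk). It scores a queried name by whether its registrable domain is on a trusted list and by how machine-generated its labels look. The feature set, the thresholds and the trusted list are assumptions; the registrable domain is approximated as the last two labels (a public-suffix list would be needed to get `co.uk`-style names right).

```python
"""Domain structure scoring for a 'trust index' (added example)."""
import math
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class DomainScore:
    name: str
    registrable: str
    trusted: bool
    longest_label: int
    max_entropy: float
    digit_ratio: float
    score: int          # higher = more suspicious
    verdict: str        # "trusted", "ok" or "suspicious"


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking labels score high, real words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_under_trusted(registrable: str, trusted: Iterable[str]) -> bool:
    return any(registrable == t or registrable.endswith("." + t) for t in trusted)


def score_domain(name: str, trusted: Iterable[str],
                 max_label=15, max_entropy=3.5, max_digits=0.15) -> DomainScore:
    """Assumed rules: +2 when not under a trusted domain, +1 per structural tell
    (long label, high-entropy label, many digits). 3 or more = suspicious."""
    labels = name.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])
    trusted_hit = is_under_trusted(registrable, trusted)
    body = labels[:-1] or [""]                  # every label except the TLD
    joined = "".join(body)
    longest = max(len(l) for l in labels)
    entropy = max(shannon_entropy(l) for l in body)
    digit_ratio = sum(c.isdigit() for c in joined) / len(joined) if joined else 0.0

    score = 0
    if not trusted_hit:
        score += 2
    if longest > max_label:
        score += 1
    if entropy > max_entropy:
        score += 1
    if digit_ratio > max_digits:
        score += 1
    verdict = "trusted" if trusted_hit else ("suspicious" if score >= 3 else "ok")
    return DomainScore(name, registrable, trusted_hit, longest, round(entropy, 3),
                       round(digit_ratio, 3), score, verdict)


# Constructed inputs: the slide's example name and an ordinary lookup.
TRUSTED = ("google.com", "microsoft.com")
SAMPLE_QUERIES = ("Runforestrunabcd.omgthisunique1928481.ru", "www.google.com")


def run_demo():
    return [score_domain(q, TRUSTED) for q in SAMPLE_QUERIES]


if __name__ == "__main__":
    for s in run_demo():
        print(f"{s.name:45s} score={s.score} {s.verdict} "
              f"(label={s.longest_label}, H={s.max_entropy}, digits={s.digit_ratio})")
```

On its own this only rates structure; the 'trust' part of the index comes from the allow-list, and the slide's point is that a C2 channel riding on a genuinely trusted domain (Twitter, item 5 of slide 18) scores as trusted here, which is why it has to be combined with the beacon-timing and anomaly checks.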
Slide 16 – Detectability
'Hindsight' methodology: virus scanners / IDS systems don't detect standard beaconing. Metasploit Meterpreter sessions, on the other hand...
Developed Snort (2.9 + 3.0 alpha) IDS signatures for Cobalt Strike and ThrowBack HTTPS, based on:
1. Specific traffic behaviour
2. Standard response sizes
Available in the report.
Slide 17 – Detectability: simple IDS example
Cobalt Strike HTTPS channel:
- Server response size is always the same
- Client always RESETs the connection (instead of ACK/FIN)
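The two tells on this slide expressed as flow-level detection logic, as an added example rather than the Snort rules from the report. It runs over constructed flow records of the kind a Zeek/NetFlow-style exporter produces (the field names are an assumption) and flags a client/server pair when every session has the same server byte count and is torn down by a client RST.

```python
"""Flow-level detector for fixed-size responses + client RST (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float          # flow start, seconds
    client: str
    server: str
    resp_bytes: int    # bytes sent by the server
    closed_by: str     # "client" or "server"
    close_flag: str    # "RST" or "FIN"


def find_beacon_pairs(flows: List[Flow], min_flows: int = 5) -> List[Tuple[str, str]]:
    """Return (client, server) pairs with at least min_flows sessions where the
    server response size never changes and the client always RSTs the session."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.client, f.server)].append(f)

    hits = []
    for pair, fl in sorted(by_pair.items()):
        if len(fl) < min_flows:
            continue
        same_size = len({f.resp_bytes for f in fl}) == 1
        client_rst = all(f.closed_by == "client" and f.close_flag == "RST" for f in fl)
        if same_size and client_rst:
            hits.append(pair)
    return hits


def sample_flows() -> List[Flow]:
    """Constructed traffic: a 60 s beacon to 203.0.113.7 with a 104-byte reply,
    normal browsing to 198.51.100.9, and a polling client that gets identical
    replies but closes cleanly (should not fire)."""
    flows = []
    for i in range(6):
        flows.append(Flow(60.0 * i, "10.0.0.5", "203.0.113.7", 104, "client", "RST"))
    for i, size in enumerate((5120, 830, 12044, 1920, 404, 9011)):
        flows.append(Flow(7.0 * i, "10.0.0.5", "198.51.100.9", size, "server", "FIN"))
    for i in range(6):
        flows.append(Flow(30.0 * i, "10.0.0.8", "192.0.2.10", 312, "client", "FIN"))
    return flows


if __name__ == "__main__":
    for client, server in find_beacon_pairs(sample_flows()):
        print(f"possible beacon: {client} -> {server}")
```

Both conditions are required: plenty of legitimate pollers return identical payloads, and plenty of clients RST sessions, but the combination over a run of sessions to one host is what the slide singles out. Adding the inter-arrival regularity from slide 15 to the same grouping would tighten it further.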
Slide 18 – Bypassing limited detection
Improving ThrowBack and creating the NYAN Edition:
1. Randomise the content (length) of request and response
2. Random beacon timers (i.e. set time + 1%–80%)
3. Multiple 'bogus' sessions to prevent specific behaviour signatures
4. DNS: Base64 in TXT records is an old trick. Put your data in a valid RRSIG format for compliance!
5. Using trusted channels/domains for command and control
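Items 1 and 2 of this list, the two evasions that directly defeat the slide 17 signature, as an added example that is not the NYAN Edition source. The jitter rule is read as "base interval plus a random 1% to 80% of it" (an assumption about the slide's shorthand), and the length randomisation is a length-prefixed payload followed by random padding so the receiving end can strip it again.

```python
"""Random beacon timers and random message lengths (added example)."""
import random
from typing import List


def jittered_interval(base: float, rng: random.Random) -> float:
    """Assumed reading of 'set time + 1% - 80%': base * (1 + U[0.01, 0.80])."""
    return base * (1 + rng.uniform(0.01, 0.80))


def schedule(base: float, count: int, seed: int) -> List[float]:
    """Absolute beacon times for `count` beacons; seeded so the demo is repeatable."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += jittered_interval(base, rng)
        times.append(t)
    return times


def padded(payload: bytes, rng: random.Random, min_pad: int = 16, max_pad: int = 1024) -> bytes:
    """2-byte length prefix + payload + random padding of random length."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for 2-byte length prefix")
    pad = bytes(rng.getrandbits(8) for _ in range(rng.randint(min_pad, max_pad)))
    return len(payload).to_bytes(2, "big") + payload + pad


def unpad(msg: bytes) -> bytes:
    """Receiver side: read the prefix, discard everything after the payload."""
    n = int.from_bytes(msg[:2], "big")
    if len(msg) < 2 + n:
        raise ValueError("truncated message")
    return msg[2:2 + n]


def message_lengths(payload: bytes, count: int, seed: int) -> List[int]:
    """Lengths of `count` padded copies of the same payload (constructed demo)."""
    rng = random.Random(seed)
    return [len(padded(payload, rng)) for _ in range(count)]


if __name__ == "__main__":
    times = schedule(60.0, 5, seed=7)
    print("beacon intervals:", [round(b - a, 1) for a, b in zip([0.0] + times, times)])
    print("response sizes:  ", message_lengths(b"None", 5, seed=7))
```

The padding must be random bytes rather than zeros, otherwise a DPI box that sees the plaintext (the SSL-stripping set-up on slide 15) gets a new constant to match on; and the jitter only hides the interval, not the fact that the client still talks to the same host outside office hours, which is the anomaly-detection angle the conclusion calls rare.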
Slide 21 – Conclusion
- Not many frameworks available (and those that are, are commercial)
- Cobalt Strike works in most scenarios (with prior knowledge)
- Network detection can be very easy, depending on the monitoring tools made available (remember hindsight?)
- The current proof-of-concept bypasses common detection and network limitations; good anomaly detection is still rare
- WIP code available on GitHub to test real-life monitoring capabilities