Operation HangOver

how to outsource your APT development

Jonathan Camp
About Me
Norman Shark, offices in Oslo and San Diego
American in Norway FTW!

Overview
HangOver in 60 seconds
And I care because?
Intrusion
Post-Publication
OSX exploits in the wild
Next Steps

Disclaimer: "None of the information contained in this
presentation is intended to implicate any individual or
entity or suggest inappropriate activity by any individual
or entity mentioned"
TL;DR
Telenor Norwegian telco; 17 billion dollars
Went public with intrusion in March 2013
spearfishing; known exploits; no stealth; no crypto
Investigation by Norman Shark uncovered extensive
landscape of malware, actors, and development
patterns

Commoditization, Componentization and Outsourcing

Targeting government and the private sector
Many indicators showing Indian origin
TL;DR
Surveillance Platform
Industrial Espionage
National Security Targets
Why is this interesting?
Scale

Lack of sophistication

Organizational aspects

Script-kiddies += scrum

Why does this even work?
Telenor Intrusion
Spear phishing email
Self-extracting ZIP archive containing:
conhosts.exe and legal operations.doc


Payload
Minimally obfuscated VB binaries
Connecting via HTTP port 80 to wreckmove.org

GET /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]

Observed C&C:
wreckmove.org
infocardiology.biz
enlighten-energy.org
researcherzone.net
151.237.188.167
gadgetscorner.org
Telenor Epilogue
Seemed like a pretty simple phishing case
Then a second phishing email was seen:

http://mail.telenor.no-
cookieauth.dll-getlogon-reason-
0.formdir-1-curl-
z2fowaz2f.infocardiology.biz
Telenor Epilogue
Followed by:

internet-security-suite-
review.toptenreviews.com.infocardiolog
y.biz

An exact copy of toptenreviews.com
And it was hosting a trojaned BitDefender
installer
Expansion
Following the trail
Strong behavioral indicators
No anti-sandboxing tricks
Hits in all major public DBs
VirusTotal, malwr, TheatExpert



DNS
URL
Patterns
VBScript
signatures
Now we have a pile of domain names
Note: no DGA
Most domains parked or dead
But not all
Open Directories!
Treasure Trove
Additional signed malware
Keylogs
Malware naming and embedded documents
reveal potential targets

details_for_the_ENRC_Board_Meeting_X10FR333_2012.exe
ENRC__DEBT__INVESTORS__2012__for__your__Reference.docx
agni5_inda's_deadliest_ballistic_nuclear_missile.exe
detail_description_of_ferro_chrome_silicon_and_ferro_chrome.exe

Exploits
Exploits
No 0-days
Well-known vulnerabilities
CVE-2012-0158 - MSCOMCTL.OCX
CVE-2012-4792 IE 6-8 use-after-free
CVE-2012-0422 Java
get.adobe.flash.softmini.net
Smackdown
VisualBasic downloaders
Similar methods (simple) of string obfuscation
Smackdown
D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\c
ompiled\NewSmack(sep2012)\miNaPro.vbp

Telenor case:
C:\miNaPro.vbp
HangOver aka Hanove
Second stage malware
C++
Recursively scan for office documents
Upload via HTTP or FTP
Commonish UserAgents
Alternate names from debug paths:
HangOver, Ron, Dragonball, Tourist,
Klogger, FirstBlood and Babylon
Targeting
Targeting
Sinkhole logs
Strange domain names
Social engineering attempts

Pakistan
Two thirds of addresses in logs




GET /sdata/shopx.php?fol=EMBASSYOFPAKIST-
Embassy%20of%20Pakistan


And many more
China
Industrial espionage
Telenor
Other possible targets:
Eurasian Natural Resources Corporation
Bumi PLC, Indonesia
Porsche Informatik
Chicago Mercantile Exchange
Chicago Mercantile Exchange
cmegroups.net spoofing cmegroup.com
Same IP as other HangOver C&C
Complaint filed with WIPO

The disputed domain name had been used by an
imposter who has claimed to be the secretary of the
Complainants president Terrence Duffy. Using the
email address []@cmegroups.net the imposter has
requested investment information on the pretext that
it was sought by Mr. Duffy.
Attribution
Attribution 101:: Why?
1. Law enforcement stop the bad guys
Most stringent burden of proof
2. Correlation expanded gathering of evidence
Concerned with similarity of actors rather than who
Attribution 101:: How?
Strings
can be faked
DNS registrations
is not authenticated
Signed binaries
certificates can be stolen
Function signatures
benign libraries
URL/C&C patterns
Copypasta and benign libraries
OSI (open source intelligence)
Not validated
The problem with internet quotes is that you cant always depend on
their accuracy Abraham Lincoln, 1864
strings FTW
R:\payloads\ita nagar\Uploader\HangOver 1.5.7 (Startup)\HangOver 1.5.7
(Startup)\Release\Http_t.pdb
C:\Users\neeru rana\Desktop\Klogger- 30 may\Klogger- 30
may\Release\Klogger.pdb
C:\Users\Yash\Desktop\New folder\HangOver 1.5.7 (Startup)
uploader\Release\Http_t.pdb

...May Payload\new keylogger\Flashdance1.0.2\...
...\Monthly Task\August 2011\USB Prop\...
...\Sept 2012\Keylogger\Release\...
...\June mac paylods\final Klogger-1 june-Fud from eset5.0\Klogger- 30
may\...
...\final project backup\complete task of ad downloader& usb
grabber&uploader\...
...D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\...
strings FTW
C:\BNaga\backup_28_09_2010\threads tut\pen-backup\BB_FUD_23\Copy of
client\ Copy of
client\appinbot_1.2_120308\Build\Win32\Release\appinclient.pdb
C:\BNaga\kaam\Appin SOFWARES\RON 2.0.0\Release\Ron.pdb
C:\BNaga\SCode\BOT\MATRIX_1.2.2.0\appinbot_1.2_120308\Build\Win32\Rele
ase\deleter.pdb
C:\Documents and
Settings\Administrator\Desktop\Backup\17_8_2011\MATRIX_1.3.4\CLIENT\
Build\Win32\Release\appinclient.pdb
D:\Projects\Elance\AppInSecurityGroup\FtpBackup\Release\Backup.pdb
Domain Game
Several hundred names
Most with private registration
Correlation muddied by sinkholes and parked
domains
Fingerprint open services (e.g. ESMTP)

Malicious Domains
NITR0RAC3.COM, VALL3Y.COM, S3RV1C3S.NET, GAUZPIE.COM,
BLUECREAMS.COM:
Registrant:
NA
Prakash (mail@gmail.com)
Jain
TY-76, Kohat Enclave
Delhi
Delhi,110034
IN
Tel. +011.9873456756

Non-Malicious Domain (May 2011)
HACKERSCOUNCIL.COM:

Registrant:
NA
Prakash (mail@gmail.com)
Jain
TY-76, Kohat Enclave
Delhi
Delhi,110034
IN
Tel. +011.9873456756

Non-Malicious Domain (April 2011)
HACKERSCOUNCIL.COM:

Registrant:
Appin Technologies
Rakesh Gupta (rakesh.gupta@appinonline.com)
9th Floor, Metro Heights,NSP, PitamPura,
Delhi
Delhi,110034
IN
Tel. +91.1147063300
Privacy Fail
PIEGAUZ.NET

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Domain Suspension
PrivacyProtect.org provides private DNS
registration


Privacy Fail
PIEGAUZ.NET

Registrant:
Appin Technologies
Rakesh Gupta (rakesh.gupta@appinonline.com)
9th Floor, Metro Heights,NSP, PitamPura,
Delhi
Delhi,110034
IN
Tel. +91.1147063300
Post-Publication
Samples received by Norman Shark that attempt to contact a known HangOver domain
OSX Exploitation and Attribution
Oslo Freedom Forum
May 16
th
F-Secure reported new OS X
spyware
Mach-O universal (i386, x86_64)
Contacted:
securitytable.org and docsforum.info
Both seen as part of previous HangOver research
Apple Dev IDs
Oslo malware was signed with an Apple Dev ID

Image via F-Secure
URL Correlation
10 samples with identical Apple Dev IDs

securitytable.org/lang.php
torqspot.org/App/MacADV/up.php?cname=%@&file=%@
docsforum.info/lang.php
liveapple.eu/ADMac/up.php?cname=%@&file=%@&res=%@
URL Correlation
Search VxDB for php?cname=file=
URL Correlation
Two different target OSes
Different domains
Same URL pattern
Code Flow
Disassembled a few OS X binaries
1. Search for *.doc, *.ppt, *.xls
2. Compress documents
3. POST to server
4. Ensure crontab entry
5. loop


Where now?
Operation HangOver could have been
prevented by the most basic of security
precautions
Closing questions & comments
MAG2 saw it. Why didnt AV work?
Signature definitions can lag by days or weeks

Step 1: assume users are dumb special
Step 2: ?

Behavioral (dynamic) analysis is a mandatory
component of any security infrastructure
Special Thanks
Snorre Fagerland & Morten Krkvik
Norman Shark AMD Team
For more information:

jonathan.camp@norman.com
@NormanSec, @irondojo
Black Hat 2013, Booth 321

Full Report:
http://normanshark.com/hangoverreport/
Disclaimer: "None of the information contained in this
presentation is intended to implicate any individual or
entity or suggest inappropriate activity by any individual
or entity mentioned"