
APT - A Pretty Trojan

Iñaki Rodríguez


And the thanks goes to …

About me
- Security Manager at Wuaki TV
- Ex-Pentester at SensePost
- Founder member of Mlw.re
- @virtualminds_es

A Middle East tale
(Malware, Russians and Exploit kits)

Far, far, really far in Dubai
• Exfiltration test
• Social Engineering
• Targeted Attack
• Desktop users
• Exploit kits

Meanwhile in London
Our team mate got access
• Email
• Excel files
• PDF
• Metasploit
• Sakura

Almost there but …
But no exfiltration!
• First stage executed
• Meterpreter downloaded
• No reply

Give me baby one more time

Help! I need somebody

The characters


Starring…
Dub Barcelo

Russian wettest dream
• Exploit kit for campaigns
• Phishing
• Trainings

Impossible Mission?
• Exfiltration of information
• Help the company to avoid it
• Two weeks

Adventure Time


Back to the Future
• Same payloads
• Same exploits
• Patterns in Splunk

Growing Pains
• Meterpreter
  • First stage: A kind of client
  • Second stage: The real meterpreter
  • Problems: Protocol and DLL
• Crypters useless

My TODO
• Endpoint protection
• Proxy
• Antispam/AV solution
• Firewall/IDS/IPS
• Flight under the radar
• Custom Malware

Bypassing SEP (I)
• Macro execution
• Shellcodes
• Dropper
• First Irat version
• Because anything with I is cool

Bypassing SEP (II)
EXE to VBS

Bypassing Websense (I)
• Content classification
• Financial content
• No executables
• Mirroring
• Hidden commands

Bypassing Websense (II)

Bypassing Message Labs
• Zip files
• Antivirus
• Password protected
• SPF
• Controlled SMTP server

Bypassing PaloAlto
• Next-gen firewall
• No ports
• Based on Application recognition
• RFC
• Meterpreter HTTP(s) caught!
• IRAT to the rescue
• Pretty simple GET and POST
• No SSL
• ASCII to HEX encoding

Bypassing IDS

IRAT: Iñaki’s Remote Administration Tool
• KISS
• No dependencies
• C (Nightmare)
• No crypters (Sorry Abraham)
• Proxy Support
• HTTP(s)
• Ascii to Hex
• Commands into simple HTML files
• C&C panel with templates
• FUD (Full undetectable)

IRAT: Communication

IRAT: C&C (I)

IRAT: C&C (II)

The attack


Bypassing Humans
• Top 120 lusers
• Emails with a predefined message
• Excel attached (.xls)
• HHRR Impersonation
• With my own smtp server
• Client threatened by employees
• Not my fault :)

You've Got Mail

/con/cat

Facts!

Results
First try
Second try

And now what?


The hangover
• Patterns on logs
• Splunk logging everything
• Under the radar
• User agent
• One guy on SecurityFocus
• Looking for mainframe exploits

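As an added example (not code from the talk), the kind of pattern hunt the Splunk logs made possible, written as a small Python script over constructed proxy-log lines: it decodes query values that are nothing but hex (the ASCII-to-HEX encoding the PaloAlto slide mentions), flags user agents seen from a single host, and spots a client polling one host over plain HTTP at a fixed interval. The log format, host names and the user-agent string are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (ts client method url status "ua"), not from the talk:
# 10.0.0.12 polls one host every 60 s over plain HTTP with a hex-only query value.
SAMPLE_LOG = """\
1415000001 10.0.0.12 GET http://cdn.example/index.html?q=68656c6c6f 200 "CustomAgent/0.1"
1415000061 10.0.0.12 GET http://cdn.example/index.html?q=68656c6c6f 200 "CustomAgent/0.1"
1415000121 10.0.0.12 POST http://cdn.example/index.html 200 "CustomAgent/0.1"
1415000130 10.0.0.44 GET http://news.example/?id=1234 200 "Mozilla/5.0 (Windows NT 6.1)"
1415000140 10.0.0.45 GET http://news.example/?id=9876 200 "Mozilla/5.0 (Windows NT 6.1)"
"""
LINE_RE = re.compile(r'^(\d+) (\S+) (GET|POST) (\S+) (\d{3}) "([^"]*)"$')
HEX_RE = re.compile(r'^(?:[0-9a-fA-F]{2}){4,}$')  # pure hex, at least 4 bytes
KEYS = ("ts", "client", "method", "url", "status", "ua")

def parse(log_text):
    """One dict per well-formed line (malformed lines are skipped), ts as int."""
    rows = [dict(zip(KEYS, m.groups())) for m in map(LINE_RE.match, log_text.splitlines()) if m]
    for r in rows:
        r["ts"] = int(r["ts"])
    return rows

def hex_payloads(url):
    """Query values that are pure hex and decode to printable ASCII."""
    values = [p.partition("=")[2] for p in url.partition("?")[2].split("&")]
    decoded = [bytes.fromhex(v).decode("ascii", "replace") for v in values if HEX_RE.match(v)]
    return [t for t in decoded if t.isprintable()]

def rare_user_agents(rows, max_clients=1):
    """User agents seen from at most max_clients distinct hosts: a custom client stands out."""
    clients = defaultdict(set)
    for r in rows:
        clients[r["ua"]].add(r["client"])
    return {ua for ua, c in clients.items() if len(c) <= max_clients}

def beaconing(rows, min_hits=3, max_jitter=5):
    """(client, host) pairs hitting a host over plain HTTP at a near-constant interval."""
    times = defaultdict(list)
    for r in rows:  # rows are assumed to be in time order, as proxy logs are
        if r["url"].startswith("http://"):
            times[(r["client"], r["url"].split("/")[2])].append(r["ts"])
    hits = set()
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_hits and max(gaps) - min(gaps) <= max_jitter:
            hits.add(key)
    return hits
```

The same three checks translate directly into Splunk searches over the proxy index; the thresholds here are starting points, not tuned values.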

Weakness
• SPF
• Check your own domains!
• Logging
• Too much, too useless
• Antivirus
• In AVs we trust
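An added example, not from the talk, of what "check your own domains" means for SPF: a minimal evaluator for SPF v1 records (ip4 and all mechanisms only) that shows why a missing record or a ~all ending lets mail from an unlisted SMTP server through the gateway. Domain names, records and addresses are constructed.

```python
import ipaddress

# Constructed records for imaginary domains, not from the talk.
RECORDS = {
    "weak.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "strict.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all",
    "nospf.example": None,
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Simplified SPF check: 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Only ip4 and all are handled; include/a/mx would need DNS lookups."""
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        if mech.lower() == "all":
            return QUALIFIERS[qual]
        if mech.lower().startswith("ip4:"):
            if ip.version == 4 and ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default

def audit(domain, outside_ip="192.0.2.10"):
    """Finding for a domain: would a gateway applying SPF reject an unlisted sender?"""
    result = evaluate_spf(RECORDS.get(domain), outside_ip)
    if result == "none":
        return "no SPF record: any host can claim this domain"
    if result == "fail":
        return "ok: unlisted senders are rejected"
    return result + ": unlisted senders are only flagged, not rejected"
```

On a real domain, replace the RECORDS lookup with the TXT record from DNS; the evaluation logic stays the same.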

Yet another Cuckoo deployment
• Exchange mailboxes
• Attachments to Cuckoo
• VBS
• Logs sent to Splunk
• Custom Signatures

Mail2Cuckoo
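An added example of the Mail2Cuckoo extraction step (not the talk's own code): pull the attachments out of a message, look inside zip wrappers for droppers such as .vbs, and note password-protected zips that the gateway antivirus could not open. The message is constructed; handing the selected files to the sandbox is left to Cuckoo's submission API.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the talk's chain relied on (xls macro, vbs dropper, zip wrapper);
# anything else stays in the normal mail flow.
SANDBOX_EXTENSIONS = {".xls", ".xlsm", ".doc", ".vbs", ".zip", ".pdf", ".exe", ".js"}

def ext_of(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def build_sample_eml():
    """Constructed test message, not from the talk: a zip wrapping a harmless .vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.vbs", 'MsgBox "constructed harmless sample"\r\n')
    msg = EmailMessage()
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="report.zip")
    msg.add_attachment(b"not really a png", maintype="image", subtype="png",
                       filename="logo.png")
    return msg.as_bytes()

def triage_attachments(raw_eml):
    """One dict (name, sha256, reason) per attachment that should go to the sandbox."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        ext = ext_of(name)
        if ext not in SANDBOX_EXTENSIONS:
            continue  # e.g. the logo: not worth a sandbox run
        reason = "attachment type " + ext
        if ext == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.infolist()
                nested = [zi.filename for zi in members if ext_of(zi.filename) in SANDBOX_EXTENSIONS]
                if any(zi.flag_bits & 0x1 for zi in members):  # bit 0: entry is encrypted
                    reason = "password-protected zip: gateway AV could not inspect it"
                elif nested:
                    reason = "zip wrapping " + ", ".join(nested)
            except zipfile.BadZipFile:
                reason = "corrupt or fake zip"
        findings.append({"name": name, "sha256": hashlib.sha256(data).hexdigest(), "reason": reason})
    return findings
```

The sha256 lets the Splunk side join sandbox verdicts back to the mailbox the file came from.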

Ok, Ok… I finish. But…
• PowerPoint Engineering
• Expectations
• Security By Default
• Investment on people

THANKS!!

Q/A