Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
JPCERT/CC
Analysis Center
Shusei Tomonaga
Yuu Nakamura
Agenda
Introduction
Operation A
Operation B
Introduction
Operation A
Operation B
Shusei Tomonaga
Yuu Nakamura
Analysis Center at JPCERT Coordination Center
Malware analysis, Forensics investigation
130 Operation A
organizations
9393
organizations
Operation B
44
organizations
Operation A
Operation B
Introduction
Operation A
Operation B
Initial Compromise
Collecting Information
Lateral Movement
Initial Compromise
Collecting Information
Lateral Movement
Disguised
Icon
Medical expense,
Document Health insurance 2014/11
File
(Exploit
vulnerabilities)
CVE-2014-7247
2015/07
Drive-By
Download CVE-2015-5119
CVE-2015-5122
In many attacks, malware are disguised with fake icons, compressed with
zip or lzh and attached to emails.
Attacks aiming certain targets may lead to correspondence of emails.
11 Copyright2015 JPCERT/CC All rights reserved.
Details of Internal Intrusion Techniques
Initial Compromise
Collecting Information
Lateral Movement
dir
net
net view
net localgroup administrators
ver
ipconfig
systeminfo
wmic
csvde
dsquery
Download
Delete Evidence
16 Copyright2015 JPCERT/CC All rights reserved.
Search Network Drive (1)
net use command
> net use
New connections will be remembered.
wmic command
> wmic logicaldisk get caption,providername,drivetype,volumename
Caption DriveType ProviderName VolumeName
C: 3 OS
D: 3 Volume
T: 4 FILESV01SECRET Volume
U: 4 FILESV01SECRET Volume
DriveType = 4
Network Drive
17 Copyright2015 JPCERT/CC All rights reserved.
Search Network Drive (2)
FILESVSECRET Directory
Initial Compromise
Collecting Information
Lateral Movement
6. Malware executes
according to the task
4. Copy malware to PC-B
Attackers Domain
Infrastructure Controller 1. Download logon script,
compress and archive
3. Search admins 6. Malware executes
password according to the task
2. Download 4. Copy malware to
PC-B
5. Execute
2. Attempts logon
with logon.exe 3. Copy malware
Key Point
PC-A PC-B
3. Request http://wpad/wpad.dat
4. Response
wpad.exe
PC-A PC-B
6. Drive-by download
attack
Mail account theft Similar to NirSoft Mail PassView CallMail.exe, outl.exe , etc.
Attempt logon based on list logon.exe
WinRAR archiver yrar.exe, rar,exe, etc.
Utility
Highly sophisticated dir command dirasd.exe, etc.
BeginX Client
Client which sends commands to BeginX Server
Controlled via Emdivi
BeginX BeginX
Server Client Emdivi
Computer
Infected
with Emdivi
41 Copyright2015 JPCERT/CC All rights reserved.
GStatus
HTTP BOT different from Emdivi
Not found in many organizations, but...
Bot Function
Get drive information
Execute arbitrary shell command
Process list
Screen related functions
emdivi_string_decryptor.py
IDAPython
Used to analyze Emdivi
Decode encoded strings
Supported version
t17, 19, 20
45 Copyright2015 JPCERT/CC All rights reserved.
emdivi_string_decryptor.py
Emdivi encoded strings
Scanf(
MD5( "%x",
MD5(base64(ver)) Inc_Add(
Inc_Add(
Key + ver17_key
MD5(key_string) ver17_key
)
) )
)
47 Copyright2015 JPCERT/CC All rights reserved.
emdivi_string_decryptor.py
Introduction
Operation A
Operation B
Update Hijacking
Update Hijacking
Targeted Japanese
Organization 0. Deface Web site Web server
. Redirect
Attackers
Server
. Malware
Infection . Download malware
Target name
IP address
CVE-2013-3893 (MS13-080)
CVE-2013-3918 (MS13-090)
CVE-2014-0324 (MS14-012)
Update Hijacking
1. Request to update
Fake Update
. Request to download Server
. Malware
. Download malware
Infection
58 Copyright2015 JPCERT/CC All rights reserved.
Another Update Hijacking Pattern
Method used without changing update server's file
Targeted Update
Organization Server
0. Change iptables
1. Software Update
Fake Update
Server
Key Point
Update Hijacking
Web Web
Server Server
4.Web access
62 Copyright2015 JPCERT/CC All rights reserved.
DETAILS OF MALWARE
Key Point
AAA.example.com
Routing of only specific sub domains
Other DNS queries are routed to the
legitimate DNS server
Plug-in-based malware
Command list
command number info
0 Send data to server
1 Set TickCount
3 Plug-in registration
4 Allocate Plug-in settings area
5 Set Plug-in settings area
6 Create/Execute plug-in
7 Terminate plug-in
8 Create configuration file
9 -
69 Copyright2015 JPCERT/CC All rights reserved.
Malware Running in Memory Only
CVE-2013-3918 with McRAT
ROP
Shellcode
skip
Malware
70 Copyright2015 JPCERT/CC All rights reserved.
Malware Running in Memory Only
CVE-2013-3918 with McRAT
Command list
command info
downonly Download file
downexec Download and Execute file
- Run remote shell command
Command list
command info command info
1 Get disk information 8 -
2 File list 9 Delete file
3 Open file 10 Delete file/folder
4 Upload file 11 Upload file
5 Create file 12 Create folder
7 Load file 13 Move file
ID
Target name
Proxy info
Rootkit setting
ID
Proxy info
Backdoor
Targeted
Organization
Attackers
Server
Overseas
C2 Server Server
iptables
mod_rootme
apache module
Runs a remote shell by sending a keyword
mod_rootme source
Keyword
Roronoa
rs_linux
Function
MyNetstat CreateShell Mymkdir
PortTunnelGet GetFileSource Mymkfile
PortTunnel_RemoteClose MyPs Myrmfile
PortTunnel_Show KillByPid Myrmdir
CreatePortTunnel NewConnectTo ListDir
PortForward StartPutFile my_reboot
PortForward_Show PutFileDest ShowHide
PortForward_Close ShellServer SwitchHide
apt17scan.py
Volatility Plugin
Detect malware in memory dump
Extract malware configuration information
Function
apt17scan
derusbiconfig
hikitconfig
agtidconfig
85 Copyright2015 JPCERT/CC All rights reserved.
apt17scan.py
Search configuration
data address
Dump configuration
86 Copyright2015 JPCERT/CC All rights reserved.
apt17scan.py
apt17scan Detecting Malware
Incident Report
info@jpcert.or.jp
https://www.jpcert.or.jp/form/