
Supercharging Threat Research

Costin Raiu (@craiu), Director of GReAT

OUR RESEARCH (BEFORE 2017)

[Timeline graphic, 2010-2016, listing GReAT research: Duqu 2.0, Metel, Darkhotel, ProjectSauron, TeamSpy (part 2), Naikon, Adwind, MsnMM, Saguaro, Miniduke campaigns, CosmicDuke, Hellsing, Lazarus, Satellite, StrongPity, Gauss, RedOctober, Regin, Sofacy, Lurk, Icefog, Careto / The Mask, Carbanak, GCMan, miniFlame, Wild Neutron, Winnti, Ghoul, Desert Falcons, Epic Turla, Poseidon, Blue Termite, NetTraveler, Fruity Armor, Energetic Bear / Crouching Yeti, Equation, Danti, Spring Dragon, Kimsuky, ScarCruft, Animal Farm, Dropping Elephant]

Fake news and attribution

The 2016 USA elections

Before the elections, there was “Guccifer”

• Aka “Marcel Lazăr Lehel”
• Occupation: Romanian taxi driver
• “the style of Gucci and the light of Lucifer”
• Had no skills, no knowledge except what he found on the web
• Hacked: Colin Powell, Rockefeller family, FBI/SS agents, Corina Cretu, George Maior
• Called Maior (top man in Romanian intelligence) a ‘skunk’ and asked him for money (Aug 2013)

https://www.nbcnews.com/news/us-news/hacker-guccifer-claims-he-got-hillary-clinton-s-server-n568911

DNC Hack – introducing Guccifer 2.0

Guccifer 2.0 interview by Lorenzo Franceschi-Bicchierai / Motherboard

• And where are you from?
• From Romania.
• Ai vrea să vorbească în română pentru un pic? [You want to talk for a bit in Romanian?]
• Vorbiți limbă română? [Speak Romanian?]
• De ce ai pus metadate rusă în primul lot de documente? [Why did you put Russian metadata in the first batch of documents?]
• Este filigranul meu [It is my watermark]
• Puteți găsi de asemenea alte filigrane în limbă spaniolă. Caută mai bine. [You can also find other watermarks in Spanish. Look better]
• Oare nu știți ce este filigran? [You do not know what is a watermark?]

https://motherboard.vice.com/en_us/article/yp3bbv/dnc-hacker-guccifer-20-full-interview-transcript
https://www.justice.gov/file/1080281/download

What’s missing?

Where are the Dukes?

Code similarity big stories

May 12, 2017…


How did they do it?

• 2011 – Google buys Zynamics
• 2014 – “CPU time is cheap. You just spin 10,000 machines and do a string search in parallel”
• 2015 – Me asks for CAPEX to buy 10,000 machines. Answer: you’ve guessed it.
• …
• 2017 – Google links Wannacry to Lazarus


Problem: find common code between files

• Easy approach: generate all 8-16-byte strings for all files in our collection. For new files, check overlaps.
• Problems:
  • Collection too big.
  • Capex too small.
• How to solve it?

Introducing: APT similarity hunting with Yara

What is Yara?

@plusvic

Solution – multi step

• Identify relevant code in a file
• Extract _ONLY_ “interesting” strings
• Create a whitelist database of strings from clean files
• Extract interesting strings from new samples that are not in the whitelist db
• Make a Yara rule

Define “Relevant”

• A 100k file has 102,384 16-byte substrings
• After filtering out “known clean” we still have 30k substrings
• How do we know which ones are interesting and which ones are not?
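An added example (not Kaspersky's system and not Yara's own code) of the multi-step recipe above: 16-byte windows, a whitelist built from known-clean files, an assumed "relevant" heuristic that throws away padding runs, and a Yara rule emitted from what survives. The clean corpus and the sample are constructed; the sample embeds the prologue bytes from the slides (55 8B EC 64 A1 30 ... 83 20 00) between clean data and CC padding.

```python
SUB_LEN = 16  # window size; the slides discuss 8-16 byte strings

def windows(data: bytes):
    """Every 16-byte substring of a blob (a 100 KB file yields ~100k of them)."""
    return {data[i:i + SUB_LEN] for i in range(len(data) - SUB_LEN + 1)}

def build_whitelist(clean_files):
    """Union of windows seen in known-clean files (stand-in for the 6 bln-string db)."""
    wl = set()
    for f in clean_files:
        wl |= windows(f)
    return wl

def is_interesting(s: bytes) -> bool:
    """Assumed heuristic for 'relevant': reject padding and near-constant runs
    (e.g. CC CC CC ...) by requiring at least 6 distinct byte values."""
    return len(set(s)) >= 6

def interesting_windows(sample: bytes, whitelist):
    """Windows absent from the whitelist that pass the heuristic, thinned so the
    picks do not overlap (adjacent windows differ by only one byte)."""
    picks, last = [], -SUB_LEN
    for off in range(len(sample) - SUB_LEN + 1):
        s = sample[off:off + SUB_LEN]
        if off - last >= SUB_LEN and s not in whitelist and is_interesting(s):
            picks.append((off, s))
            last = off
    return picks

def yara_rule(name: str, picks, max_strings: int = 10) -> str:
    """Emit a Yara rule whose hex strings are the selected windows."""
    sel = picks[:max_strings]
    if not sel:
        raise ValueError("no interesting strings left after whitelisting")
    lines = [f"rule {name}", "{", "    strings:"]
    for i, (_, s) in enumerate(sel):
        lines.append(f"        $s{i} = {{ {' '.join(f'{b:02X}' for b in s)} }}")
    need = min(2, len(sel))  # require 2 fragments when available, else the single one
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {need} of them", "}"]
    return "\n".join(lines)

# Constructed inputs: a 'clean' corpus of byte runs and a sample that embeds the
# prologue bytes from the slides (55 8B EC 64 A1 30 ... 83 20 00) plus CC padding.
CLEAN = bytes(range(256)) * 4
FRAG = bytes.fromhex("558BEC64A1300000008B400C8B400C832000")
SAMPLE = CLEAN[:300] + FRAG + b"\xCC" * 20 + CLEAN[300:600]

if __name__ == "__main__":
    print(yara_rule("apt_example_prologue", interesting_windows(SAMPLE, build_whitelist([CLEAN]))))
```

The windows that straddle the clean/fragment boundary also survive the whitelist, which is why the slides' last step (testing the rule against the whole collection and trimming it) still matters.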

55 8B EC 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 83
20 00 CC CC CC CC CC CC CC CC CC CC CC CC

push ebp
mov ebp,esp
mov eax,fs:[000000030]
mov eax,[eax][00C]
mov eax,[eax][00C]
sub esp,00C

Sample rule

Shellcode fragments that do not appear in any clean samples but appear in all ShadowPad 64 bit samples.

Improvements:

• Generate Yara rule on a new malware sample
• Test it against your big APT samples collection
• Find if it detects samples from another APT by shared common code
• Modify the rule to detect only the family’s common code
• Run the new rule on KLARA and/or VTMIS
• Find other samples produced by the same actor

Our code similarity system

• processed samples / day ~ 250 K
• known, good samples - 56 mln
• known, good strings - ~6 bln
• known, good opcode sequences - ~10 bln

Output: Yara rules and similarity profiles

Attributing APT malware by common code

The ShadowPad APT

• We found a high end APT implant hidden in management software during IR at a bank
• We worked with Netsarang to mitigate the problem and remove infected software packages from website

• Code is similar to “PoisonPlug” used by a Winnti subset group

Shadowpad plugin / Plugin from sample observed in Winnti incident 378411F30AB0663AA5BB4267F67ECF7B

The “CCleaner” incident

CCleaner malware – custom base64 encoding


• APT samples with the same code:
  • Missl, Zoxpng/Gresim, Hikit

BTW, what is MISSL?

https://www.youtube.com/watch?v=NFJqD-LcpIg

“families of malware range in uniqueness from extremely common (Poison Ivy, Gh0st, ZXshell) to more focused tools used by Axiom and other threat groups directed by the same organization (Derusbi, Fexel) to tools only seen used by Axiom (ZoxPNG/ZoxRPC, Hikit).”

Novetta, Operation “SMN” Axiom Threat Actor Group Report, www.novetta.com/2015/06/operation-smn-full-report/

When code similarity fails (well, kind of): Olympic Destroyer

Intezer found code similarities in OD with APT10, APT3, APT12

RecordedFuture found code similarities with Lazarus

Comparison of wiping module (left: Bluenoroff tool; right: OlympicDestroyer)

Our own system found similarities with Lazarus malware

Rich headers of both files (3c0d740347b0362331c882c2dee96dbf – OlympicDestroyer, 5d0ffbc8389f27b0649696f0ef5b3cfe – BlueNoroff) are exactly the same.
https://securelist.com/the-devils-in-the-rich-header/84348/

Wannacry rule

Catches: BlueNoroff, ManusCrypt, Decafett
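To reproduce the kind of Rich header comparison described above (OlympicDestroyer vs. BlueNoroff) on your own files, here is an added example, not Kaspersky's tooling and not code from the Securelist post: it decodes the XOR-masked Rich header from the DOS stub and fingerprints the decoded @comp.id list, so two binaries can be compared even when their XOR keys differ. The fixture blobs are constructed and the product ids are placeholders, not real compiler ids.

```python
import hashlib
import struct

DANS = 0x536E6144  # "DanS" marker, read as a little-endian DWORD

def parse_rich_header(data: bytes):
    """Return (xor_key, [(product_id, build, count), ...]) or None if absent."""
    end = data.find(b"Rich", 0, 0x1000)  # lives in the DOS stub, before the PE header
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    dwords, pos = [], end - 4
    while pos >= 0:  # walk backwards, XOR-decoding, until "DanS" appears
        value = struct.unpack_from("<I", data, pos)[0] ^ key
        if value == DANS:
            break
        dwords.append(value)
        pos -= 4
    else:
        return None  # ran off the start of the file without a DanS marker
    dwords.reverse()
    body = dwords[3:]  # three zero padding DWORDs follow DanS
    entries = []
    for i in range(0, len(body) - 1, 2):
        comp_id, count = body[i], body[i + 1]
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, entries

def rich_profile(data: bytes) -> str:
    """Fingerprint of the decoded toolchain list, so two binaries compare equal
    even if their XOR keys (which also act as checksums) differ."""
    parsed = parse_rich_header(data)
    return "" if parsed is None else hashlib.sha256(repr(parsed[1]).encode()).hexdigest()

def build_rich_stub(entries, key: int) -> bytes:
    """Constructed fixture (not a real PE): DOS-header-sized padding plus a Rich header."""
    dwords = [DANS, 0, 0, 0]
    for product_id, build, count in entries:
        dwords += [(product_id << 16) | build, count]
    blob = b"MZ" + b"\x00" * 0x7E
    blob += b"".join(struct.pack("<I", d ^ key) for d in dwords)
    return blob + b"Rich" + struct.pack("<I", key)

# Constructed (product id, build, count) triples standing in for real @comp.id values.
ENTRIES = [(0x00DE, 0x5E6E, 12), (0x00DF, 0x5E6E, 3), (0x00E1, 0x5E6E, 1)]
```

An identical key on two unrelated files, as in the OlympicDestroyer case, is the stronger signal: the key is derived from the header contents, so a copied header carries it along.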

Attribution 2.0?

• Tasks which took months (years?) can now be done in minutes
• Technology will become ubiquitous in 2-3 years
• Attributing attacks can be partly automated
• Effect: more false flags
  • Think Lazarus malware with Russian keywords evolved
  • Eg: OlympicDestroyer
• Effect: more scripting, reliance on automated tools
  • PowerShell, CobaltStrike to Metasploit

THE INFORMATION WAR

[Diagram: Cyber espionage, Malware, Cyber sabotage, Mass opinion manipulation]

HAPPY HUNTING! ;)

Stay foolish, stay GReAT! @craiu

Less talk, more hashes