The Careto APT

Old set of summary slides (2014), which summarised the "Mask" malware, also known as Careto. Most references are from the report by Kaspersky Lab.

Adrian L. Shaw

April 05, 2017

Transcript

1. Careto - "The Mask"
   Adrian Shaw
2. Campaign
   • Comprises a large number of connected pieces
   • Many specific types of data being exfiltrated
   • Supposedly targeted at:
     – Government institutions and embassies
     – Private/public energy, oil and gas companies
     – Research institutions
     – Specific private firms
   • Suggests a large campaign behind it
3. Campaign
   • Spain, Morocco, France
     – Consistent targets
     – Read report for info
   • Malware has a lot of Spanish references
   • If you rely on compiler timestamps…
     – may indicate activity between 2011 and 2013
     – and possibly as far back as 2007
     – Not really sufficient
4. Exfiltration highlights
   • PGP keys, documents, e-mails
   • Keystrokes and screen captures
   • SSH keys and Remote Desktop Protocol files
   • Other extensions exist
     – Not yet been thoroughly analysed
   • Skype conversations...
5. A peek into the C&C server
   • Bad guys expected particular visitors
   • Modified their htaccess files on web servers to try and cause a nuisance
6. A peek into the C&C server
   Kaspersky supposedly managed to get one of the C&C servers
   MacOS?
7. A peek into the C&C server
   • Server logs indicate multiple browsers
     – Use JavaScript to profile the victim's platform
   • Different directories containing different exploit modules for many platforms
     – Mac OS X
     – Windows
     – Potential traces of Linux (nothing complete)
   • Old exploits discovered but new ones are now at different addresses
8. It began with phishing
   • Traditional spear phishing attack through emails
   • Top level domains themselves are not malicious – don't do any infecting – and have no direct references to the exploits
     – E-mail contains direct link to the subdomains/directories with the exploits
     – Subdomains appear to most people as genuine
     – Lots of references to big Spanish newspapers and others
9. Exploit vector #1: User clicks the link
   • Old Adobe Flash vulnerability (10.3 and 11.2)
     – Discovered during competition
       • CanSecWest Pwn2Own 2012
     – First Flash exploit to break out of Chrome sandbox
     – They won!
       • …but refused to give details about how the exploit worked
       • Stated that it was up for sale…could have been bought
     – Vulnerability now known as CVE-2012-0773
10. Exploit vector #1: User clicks the link
   • User clicks the e-mail link
     – gets sent to a subdomain
     – exploit is tried
     – If successful, malware lands onto the machine
       • Backdoor immediately set up
       • Happens invisibly
       • User is redirected to a benign site like youtube.com
11. Exploit vector #2: Trojans
   • Ask user to run "JavaUpdater.jar"
   • Harmless, right?
12. Exploit vector #2: Trojans
   • Ask user to run "JavaUpdater.jar"
   • Harmless, right?
   • Nope.
   • Java Runtime Environment exploit for running arbitrary code
     – CVE-2011-3544
     – Same backdoor set up
13. Other exploits exist
   • Not going to go through them all
     – Try to get user to install Chrome plugin
     – Firefox plugin targets Linux system
   • Social engineering apparently in heavy use too
14. Backdoor malware called "Careto"
   • Careto designed to have pluggable modules
     – Disguises executable code as JPEGs
   • General purpose backdoor in userspace
   • Executes arbitrary code provided from C&C
   • Separate backdoor package similar to netcat!
     – "Swiss army knife of TCP/IP" – UDP also
     – Handy software package
       • Allows easy scripting and creation of any kind of connection you can think of
15. Careto bundle
   • Inside Careto there are 3 encrypted blobs
     – Used the RC4 cipher key "!$7be&.Kaw-12[}".
     – 206 bytes | 96 bytes | 880 bytes
     – Blob #1 – encrypted payload (CAB file)
     – Blob #2 – selection of names it could call the DLL
     – Blob #3 – payload configuration
   • Once decrypted, writes config back to binary
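As an added example (not code from the slides or the Kaspersky report), the Python below shows the analyst-side handling of slides 14 and 15: RC4-decrypt an encrypted blob with the key quoted on the slide and classify the plaintext by its magic bytes, including the "executable disguised as a JPEG" mismatch. The blob contents and file names are constructed; only the key string and the 206-byte blob size come from the slide.

```python
# Added example, not code from the slides or the Kaspersky report: RC4-decrypt
# a constructed Careto-style blob and triage the plaintext by its magic bytes.

RC4_KEY = b"!$7be&.Kaw-12[}"  # key string quoted on slide 15

# Leading bytes a triager looks for once a blob is decrypted.
MAGICS = {
    b"MSCF": "CAB archive",       # slide 15: blob #1 is a CAB file
    b"MZ": "PE executable",       # slide 14: executable code disguised as JPEGs
    b"\xff\xd8\xff": "JPEG image",
}

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); decryption is the same operation as encryption."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def identify(data: bytes) -> str:
    """Classify data by its leading magic bytes; 'unknown' if none match."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"

def triage_blob(blob: bytes, key: bytes = RC4_KEY) -> dict:
    """Decrypt one blob with the RC4 key and report its size and content type."""
    plain = rc4(key, blob)
    return {"size": len(blob), "type": identify(plain), "plaintext": plain}

def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a file named *.jpg/*.jpeg does not start with JPEG magic."""
    return name.lower().endswith((".jpg", ".jpeg")) and identify(data) != "JPEG image"

# Constructed sample: 206-byte fake CAB (blob #1's size on the slide) encrypted with the key.
SAMPLE_BLOB = rc4(RC4_KEY, b"MSCF" + b"\x00" * 202)

if __name__ == "__main__":
    print(triage_blob(SAMPLE_BLOB)["type"], "in", len(SAMPLE_BLOB), "bytes")
    print("disguised executable:", extension_mismatch("photo.jpg", b"MZ\x90\x00"))
```

On a real sample the blobs would be carved from the binary at their offsets first; this script only shows the decrypt-and-classify step.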
16. When Careto is run
   – Loads its own 32-bit or 64-bit DLL
   – Checks if UAC is enabled (registry)
     • If off then it settles in %system%
     • Else it settles in %APPDATA%\Microsoft
     • Sets itself the same timestamp as system files
   – Payload registered as a COM object via registry entry
     • Alters module list references of process and places hijacked DLL
     • Loads a system DLL not currently being used by process
     • Once loaded, contents of DLL overwritten in memory
     • Module references appear genuine to analyst
       – Have to manually inspect DLL memory in order to know
   – Communicates to C&C through infinite loop in patched IE?
17. Backdoor malware called "Careto"
   • Although task is achieved…
   • …Careto can set up other things
     – And can make a call to a superior malware
18. Backdoor malware called "Careto"
   • Although task is achieved…
   • …Careto can set up other things
     – And can make a call to a superior malware
   SGH!
19. Backdoor malware called "SGH"
   • It gets worse…
   • SGH lives in the kernel
   • Broad rootkit capabilities which survey/control:
     – System events, including keystrokes from the user
     – File operations
     – Wi-Fi traffic
     – Extra modules: create encrypted file-systems, Skype
   • If you find SGH – you've probably been hit by Careto already
   • Careto and SGH aware of each other
20. Backdoor malware called "SGH"
   • Interesting part of installation
     – Tries to hook old antivirus products
       • E.g. opens descriptor (\\.\KLIF), sends custom code
     – If successful, module and services.exe will be ignored by AV
       • Whitelisted – may allow escape from AV sig updates
   • SGH extensions
     – Logs+extensions stored on encrypted file-systems
     – Includes libraries like Zlib for unpacking things
     – Checks if it's inside a VM (VMware, MS VPC)
     – Creates service for automatic booting of components
     – Can infect BOOTMGR
     – And more…
21. Malware is also signed
   • Who are TechSystem Ltd?
   • Originates in Bulgaria
     – Fake company?
     – Disappeared company?
     – Cert valid from 2010
     – Some installer variants have expired signatures (2013)
     – But still valid
   • Pretty suspicious
22. Conclusion summary
   • Elite attackers are expanding their capabilities
   • Signed malware
   • Multiple co-operative backdoors
     – Userspace and kernelspace
   • Windows and OS X (sense of Linux too)
     – Shadow cast onto iOS and Android devices
   • Sheer size of campaign suggests a large set of resources and a lot of time