• Many specific types of data being exfiltrated
• Supposedly targeted at:
  – Government institutions and embassies
  – Private/public energy, oil and gas companies
  – Research institutions
  – Specific private firms
• Suggests a large campaign behind it
  – Read the report for details
• Malware has a lot of Spanish references
• If you rely on compiler timestamps…
  – they may indicate activity between 2011 and 2013
  – and possibly as far back as 2007
  – Not really sufficient evidence on their own
• Keystrokes and screen captures
• SSH keys and Remote Desktop Protocol files
• Other extensions exist
  – Not yet thoroughly analysed
• Skype conversations...
indicate multiple browsers
  – Use JavaScript to profile the victim’s platform
• Different directories containing different exploit modules for many platforms
  – Mac OS X
  – Windows
  – Potential traces of Linux (nothing complete)
• Old exploits discovered, but new ones are now at different addresses
through emails
• Top-level domains themselves are not malicious
  – don't do any infecting
  – and have no direct references to the exploits
  – E-mail contains a direct link to the subdomains/directories with the exploits
  – Subdomains appear genuine to most people
  – Many references to big Spanish newspapers and other news sites
• Adobe Flash vulnerability (10.3 and 11.2)
  – Discovered during a competition
• CanSecWest Pwn2Own 2012
  – First Flash exploit to break out of the Chrome sandbox
  – They won!
• …but refused to give details about how the exploit worked
• Stated that it was up for sale…could have been bought
  – Vulnerability now known as CVE-2012-0773
clicks the e-mail link
  – gets sent to a subdomain
  – exploit is tried
  – If successful, malware lands on the machine
• Backdoor immediately set up
• Happens invisibly
• User is redirected to a benign site like youtube.com
pluggable modules
  – Disguises executable code as JPEGs
• General-purpose backdoor in userspace
• Executes arbitrary code provided from C&C
• Separate backdoor package similar to netcat!
  – “Swiss army knife of TCP/IP”
  – UDP also
  – Handy software package
• Allows easy scripting and creation of any kind of connection you can think of
or 64-bit DLL
  – Checks if UAC is enabled (registry)
• If off, then it settles in %system%
• Else it settles in %APPDATA%\Microsoft
• Sets itself the same timestamp as system files
  – Payload registered as a COM object via a registry entry
• Alters module list references of the process and places the hijacked DLL
• Loads a system DLL not currently being used by the process
• Once loaded, contents of the DLL are overwritten in memory
• Module references appear genuine to an analyst
  – Have to manually inspect DLL memory in order to know
  – Communicates with C&C through an infinite loop in patched IE?
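The persistence described above gives a defender two concrete registry artefacts to hunt for: the UAC state the implant inspects (the real `EnableLUA` value under `Policies\System`, which the slide only calls "the registry") and a COM object registration whose `InprocServer32` server DLL lives under `%APPDATA%\Microsoft` rather than under the Windows or Program Files directories. The script below is an added example, not code from the slides or from the Careto/Kaspersky report: it parses a Windows `.reg` export (so it runs offline) and flags both artefacts. The sample export, the CLSIDs and DLL names in it, and the helper names (`parse_reg`, `scan`, `is_trusted_path`) are all constructed for illustration.

```python
"""Hunt for COM InprocServer32 servers in user-writable paths and for UAC being off.

Offline example: parses a Windows .reg export (e.g. from `reg export HKCR\CLSID`
plus the Policies\System key) instead of touching the live registry.
Handles simple exports only (string and dword values, no multi-line hex).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export; none of these CLSIDs or DLLs come from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\srvhost.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CCCCCCCC-0000-0000-0000-000000000003}\InprocServer32]
@="%APPDATA%\\Microsoft\\updater.dll"
"""

# Directories where a legitimately installed in-process COM server is expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Static expansion of the environment variables an export may contain
# (assumed values; <user> stands in for whichever profile is being reviewed).
ENV_MAP = {
    "%systemroot%": "C:\\Windows",
    "%windir%": "C:\\Windows",
    "%appdata%": "C:\\Users\\<user>\\AppData\\Roaming",
    "%temp%": "C:\\Users\\<user>\\AppData\\Local\\Temp",
}

RegTree = Dict[str, Dict[str, object]]


def _decode_value(raw: str) -> object:
    """Decode a .reg value literal: quoted string or dword:XXXXXXXX."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and quotes inside strings.
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other types are left undecoded


def parse_reg(text: str) -> RegTree:
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    keys: RegTree = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(value)
    return keys


def expand_env(path: str) -> str:
    """Replace %VAR% tokens using ENV_MAP (case-insensitive); unknown ones stay."""
    return re.sub(r"%[^%]+%", lambda m: ENV_MAP.get(m.group(0).lower(), m.group(0)), path)


def is_trusted_path(path: str) -> bool:
    """True if the (expanded) path sits under a directory normal users cannot write."""
    return expand_env(path).strip('"').lower().startswith(TRUSTED_ROOTS)


def find_suspicious_com_servers(keys: RegTree) -> List[Tuple[str, str]]:
    """Return (key, dll) pairs whose InprocServer32 default value is outside TRUSTED_ROOTS."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        dll = values.get("(Default)")
        if isinstance(dll, str) and not is_trusted_path(dll):
            hits.append((key, dll))
    return hits


def uac_disabled(keys: RegTree) -> bool:
    """True only if EnableLUA is present and 0; absent means the default (enabled)."""
    return any(key.lower().endswith("\\policies\\system") and values.get("EnableLUA") == 0
               for key, values in keys.items())


def scan(text: str) -> dict:
    keys = parse_reg(text)
    return {"uac_disabled": uac_disabled(keys),
            "suspicious_com_servers": find_suspicious_com_servers(keys)}


if __name__ == "__main__":
    report = scan(SAMPLE_REG)
    print("UAC disabled:", report["uac_disabled"])
    for key, dll in report["suspicious_com_servers"]:
        print("COM server outside trusted roots:", key, "->", dll)
```

On a real host the same logic would be fed the output of `reg export` for `HKCR\CLSID` and `HKLM\...\Policies\System`; the path check is deliberately crude (allow-list of trusted roots rather than a deny-list of `%APPDATA%`) so that any unusual drop location surfaces, and each hit still needs a signature and hash check of the DLL before it is called malicious.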
• SGH lives in the kernel
• Broad rootkit capabilities which survey/control:
  – System events, including keystrokes from the user
  – File operations
  – Wi-Fi traffic
  – Extra modules: create encrypted file-systems, Skype
• If you find SGH, you’ve probably been hit by Careto already
• Careto and SGH are aware of each other
  – Tries to hook old antivirus products
• E.g. opens the device descriptor (“\\.\KLIF”) and sends custom code
  – If successful, the module and services.exe will be ignored by the AV
• Whitelisted, which may allow escape from AV signature updates
• SGH extensions
  – Logs and extensions stored on encrypted file-systems
  – Includes libraries like Zlib for unpacking things
  – Checks if it’s inside a VM (VMware, MS VPC)
  – Creates a service for automatic booting of components
  – Can infect BOOTMGR
  – And more…
• Signed malware
• Multiple co-operative backdoors
  – Userspace and kernelspace
• Windows and OS X (signs of Linux too)
  – Shadow cast onto iOS and Android devices
• Sheer size of the campaign suggests a large set of resources and a lot of time