Family / What is a Malware? / Malware Economy
# Criminals are making money with their creations
# Using it to steal data
# Selling it to other criminals
# Creating business models such as Malware as a Service
What is a Malware? / Malware Economy
# Ransomware as a Service
Source: https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/
What is a Malware? / Malware Attribution
# Malware is developed by humans
# Many techniques can lead to attribution:
  # PDB path
  # Strings
  # Code comparison
  # Tools used
  # Operating method
  # Timestamp
  # Infrastructure reuse
# Attribution can be faked!
Malware Techniques / Persistence
# To survive a reboot, malware needs to be persistent on the infected machine:
  # Registry Run keys
  # Task Scheduler
  # Windows Services
  # AppInit_DLLs
  # COM hijacking
  # Bootkit
Malware Techniques / Persistence
# The Task Scheduler can be used to run tasks | NotPetya
  • at <time> shutdown.exe /r /f
  • schtasks /create /SC once /TN "" /TR shutdown.exe /r /f /ST <time>
Malware Techniques / Privilege Escalation
# Malware needs to elevate privileges to perform its actions: to access sensitive data and steal, modify or encrypt it...
  # Token manipulation
  # Bypass User Account Control (UAC)
  # Vulnerability exploitation
  # Hooking
  # Credential dumping
  # Many more
Malware Techniques / Privilege Escalation
# UAC Bypass | Operation HoneyBee
  cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
  cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
# The macro extracts the CAB file into %SystemRoot%\System32, using either wusa.exe or expand.exe (depending on the OS) to bypass UAC prompts
# Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections)
Source: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
Malware Techniques / Privilege Escalation
# Vulnerability Exploitation | WannaCry - EternalBlue
  # EternalBlue: vulnerability from the Equation Group (MS17-010), kernel exploit
  # Used to spread on the network but also to obtain SYSTEM privileges
https://www.slideshare.net/ThomasRoccia | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
Malware Techniques / Command & Control
# Malware needs to communicate with its C&C
# Infected machines controlled by the same C&C are called a botnet
# Malware uses the C&C to:
  # Receive commands
  # Exfiltrate / download data
  # Get the encryption key (ransomware) or interact to pay the ransom
Malware Techniques / Command & Control
# Fast-Flux communication
  # One domain has multiple IP addresses
  # Every 3 minutes or more, the host name points to another computer
  # Infected machines can serve as proxies
https://commons.wikimedia.org/wiki/File:Single_und_double_flux.png
Malware Techniques / Command & Control
# Domain Generation Algorithm
  # Connection to multiple domains
  # A lot of domains can be generated by the sample
  # Attackers can activate one of several servers to allow communication
  # The Conficker worm used this technique
https://www.senet-int.com/blog/2013/09/malware-domain-generation-algorithm-dga
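As an added example (not part of the original deck), the following Python script shows how a defender can look for both of the C&C techniques on the preceding slides in resolver telemetry: fast-flux as one host name rotating across many short-lived addresses in different networks, and a DGA as names whose labels look randomly generated. The log entries, domain names, address ranges and thresholds are constructed for this example and would have to be tuned against a real baseline.

```python
"""Added example: DNS-side heuristics for Fast-Flux and DGA traffic.
Every log entry, domain and threshold below is constructed for illustration."""
import math
from collections import defaultdict

# Constructed resolver log: (seconds since start, queried name, answer IP, TTL)
DNS_ANSWERS = [
    (0,    "update.example-cdn.test", "203.0.113.10",   3600),
    (600,  "update.example-cdn.test", "203.0.113.10",   3600),
    (1200, "update.example-cdn.test", "203.0.113.11",   3600),
    (0,    "lamer.no-ip.test",        "198.51.100.7",    180),
    (180,  "lamer.no-ip.test",        "192.0.2.44",      180),
    (360,  "lamer.no-ip.test",        "198.51.100.201",  180),
    (540,  "lamer.no-ip.test",        "203.0.113.99",    180),
    (720,  "lamer.no-ip.test",        "192.0.2.130",     180),
    (900,  "lamer.no-ip.test",        "198.51.100.33",   180),
]


def fast_flux_candidates(answers, min_unique_ips=5, min_networks=3, max_avg_ttl=300):
    """Names whose A records rotate across many IPs in different /24 networks
    with short TTLs. /24 buckets are a rough stand-in for distinct hosting
    networks; the thresholds are assumptions to tune against the local baseline."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _ts, name, ip, ttl in answers:
        ips[name].add(ip)
        ttls[name].append(ttl)
    flagged = {}
    for name, seen in ips.items():
        networks = {ip.rsplit(".", 1)[0] for ip in seen}
        avg_ttl = sum(ttls[name]) / len(ttls[name])
        if len(seen) >= min_unique_ips and len(networks) >= min_networks and avg_ttl <= max_avg_ttl:
            flagged[name] = {"unique_ips": len(seen), "networks": len(networks), "avg_ttl": avg_ttl}
    return flagged


VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character over the characters of one label."""
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_features(domain):
    """Features of the registrable label (second label from the right; this
    assumes a single-label public suffix such as .test or .org)."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    longest_run, run = 0, 0
    for ch in label:                      # longest run of consecutive consonants
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest_run = max(longest_run, run)
    return {"label": label, "length": len(label), "entropy": shannon_entropy(label),
            "vowel_ratio": vowel_ratio, "longest_consonant_run": longest_run,
            "digit_ratio": sum(ch.isdigit() for ch in label) / len(label)}


def is_dga_like(domain, min_length=10, min_entropy=3.0):
    """Heuristic verdict: long, high-entropy labels that are consonant-heavy or
    digit-laden. Expect false positives on CDN and cloud host names, so use the
    result to prioritise review, not to block on its own."""
    f = dga_features(domain)
    if f["length"] < min_length or f["entropy"] < min_entropy:
        return False
    return f["vowel_ratio"] < 0.25 or f["longest_consonant_run"] >= 5 or f["digit_ratio"] >= 0.3


if __name__ == "__main__":
    print("fast-flux candidates:", fast_flux_candidates(DNS_ANSWERS))
    for name in ("kqzvxwbhtmrpjnl.test", "securingtomorrow.test", "microsoftonline.test"):
        print(name, "dga-like:", is_dga_like(name), dga_features(name))
```

Both checks are deliberately simple: the fast-flux rule only needs name, answer and TTL from resolver logs, and the DGA score works on the label alone, so either can run over passive DNS data without any sample in hand.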
Malware – Focus on Remote Administration Tool
Malware Analysis Process
Identification:
  • Hash calculation
  • VirusTotal...
  • Anti-Virus
  • Previous research
  • Internal databases
Analysis (Static / Dynamic):
  • What does the malware do?
  • Which C&C does it contact?
  • Does it steal data?
  • How does it infect my system?
  • Sandboxing
  • Debugging
  • Monitoring infected machines
Detection and Remediation:
  • Block the C&C
  • Deploy signatures
  • Clean infected machines
  • Improve security
RAT Business Model
and gives in exchange the different application parts.
# Monthly, Yearly, Version: the product owner could also decide to rent his malware with a subscription limited in time.
# Extra services:
  • FUD / UD
  • Support
  • Pay per install
  • Extra modules
  • Training
  • Open source access
RAT: Identify the Different Parts of the Framework
# Editor: graphical application designed to configure the malware
# C&C: graphical application used to take control of the machines infected by the malware
# Stub: the malware itself (.exe, .js, .bat, .py, .pdf, .docx)
RAT Network Protocol
• Malware coders can create a custom protocol
• They can also use an existing protocol (HTTP botnet)
• To evade detection, cryptographic principles could be used
RAT Network Models
Model 1: the Stub listens and the C&C connects to it
  • Stub – Server: Listen(1403); In Port (TCP/UDP) > 1403
  • Internet (Cloud)
  • C&C – Client: Connect(89.27.25.120); Out Port (TCP/UDP) > 1403
AND / OR
Model 2: the C&C listens and the Stub connects to it
  • C&C – Client: Listen(1403); In Port (TCP/UDP) > 1403
  • Internet (Cloud)
  • Stub – Client: Connect(45.25.142.32); Out Port (TCP/UDP) > 1403
RAT Network Protocol (thread model)
Listening side (Server): Main Thread + Listener Thread
  • New Client / Closed Client
  • Management Thread (Receive Plain / Text)
  • Receive Buffer Thread
    → Process List, File List, Reverse shell stdout buffer, Webcam Streaming, Desktop Streaming, File Transfer
Connecting side: Main Thread + Connection Attempt to C&C routine Thread
  • New Server
  • Command Parser and Dispatcher Thread
    → Process List, File List, Remote Desktop Thread
RAT Network Protocol (file listing and file transfer exchange)
1. C&C → infected system: filesystem;c:\
2. Infected system → C&C: filesystem;c:\windows,c:\users,c:\Program Files,c:\Program Files (x86)|c:\file.pdf,c:\file2.png...
3. C&C → infected system: downloadfile;c:\file.pdf
4. Infected system → C&C: downloadfile;c:\file.pdf,10240
5. C&C → infected system: OK
6. Infected system → C&C: CHUNK 1, CHUNK 2, ... CHUNK N
file size / packet size = number of packets required for a file transfer
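As an added example (not part of the original deck), the following Python script decodes the plaintext command format shown in the exchange above (command;argument,argument|argument) the way an analyst would when reading captured C&C traffic, and works out how many CHUNK messages should follow the OK. The captured lines are constructed to match the slide, and the field layout (';' between command and payload, ',' between list items, '|' between directories and files) is an assumption drawn from it.

```python
"""Added example: decoder for the RAT command lines on the slide plus the
chunk accounting for the file transfer. The capture is constructed."""

# Constructed capture of the messages on the slide (direction inferred from the exchange).
CAPTURE = [
    ("C&C->stub", "filesystem;c:\\"),
    ("stub->C&C", "filesystem;c:\\windows,c:\\users,c:\\Program Files,"
                  "c:\\Program Files (x86)|c:\\file.pdf,c:\\file2.png"),
    ("C&C->stub", "downloadfile;c:\\file.pdf"),
    ("stub->C&C", "downloadfile;c:\\file.pdf,10240"),
    ("C&C->stub", "OK"),
]


def parse_message(raw):
    """Split one line into a command and its arguments.
    Assumed layout: ';' separates command from payload, ',' separates list
    items and '|' separates directories from files in a filesystem listing.
    Paths containing ',' or '|' cannot be represented in this format."""
    cmd, _, payload = raw.partition(";")
    msg = {"cmd": cmd, "raw": raw}
    if cmd == "filesystem":
        dirs, _, files = payload.partition("|")
        msg["dirs"] = [d for d in dirs.split(",") if d]
        msg["files"] = [f for f in files.split(",") if f]
    elif cmd == "downloadfile":
        path, _, size = payload.rpartition(",")
        if size.isdigit():            # reply from the infected system carries the size
            msg["path"], msg["size"] = path, int(size)
        else:                         # request from the C&C carries only the path
            msg["path"] = payload
    else:
        msg["args"] = [a for a in payload.split(",") if a]
    return msg


def chunk_sizes(file_size, packet_size):
    """Sizes of CHUNK 1..N: file size / packet size full packets, plus one
    shorter tail packet when the division is not exact."""
    if packet_size <= 0 or file_size < 0:
        raise ValueError("packet_size must be positive and file_size non-negative")
    full, tail = divmod(file_size, packet_size)
    return [packet_size] * full + ([tail] if tail else [])


def chunks_required(file_size, packet_size):
    return len(chunk_sizes(file_size, packet_size))


def replay(capture, packet_size=4096):
    """Parse every captured line and return the parsed messages together with
    the number of CHUNK messages expected after the OK (packet size assumed)."""
    parsed = [dict(direction=direction, **parse_message(line)) for direction, line in capture]
    pending = next((m for m in parsed if m["cmd"] == "downloadfile" and "size" in m), None)
    expected = chunks_required(pending["size"], packet_size) if pending else 0
    return parsed, expected


if __name__ == "__main__":
    messages, expected_chunks = replay(CAPTURE)
    for m in messages:
        print(m["direction"], {k: v for k, v in m.items() if k not in ("direction", "raw")})
    print("expected CHUNK messages:", expected_chunks, chunk_sizes(10240, 4096))
```

Counting the expected chunks is what lets a network sensor tell a completed exfiltration from an interrupted one: a transfer that announces 10240 bytes and then shows fewer packets than the accounting predicts was cut short.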
RAT Payload Configuration
how to contact the C&C:
  • IP address(es) / domain name pointing to IP address(es)
  • Communication port(s)
• It also contains other important configuration elements such as:
  • Persistence information (Startup, Process, File)
  • Anti-analysis functions (Anti-VM, Anti-Debugger, etc.)
  • Encryption key (symmetric)
  • C&C private key for asymmetric traffic encryption (asymmetric)
  • Optional file downloader (if the dropper module is available and enabled)
  • Embedded files (File Binder / Wrapper)
  • Fake error messages / events (open another process)
  • Etc.
RAT Payload Configuration
configuration inside the Stub:
  • PE resources section
  • PE custom section
  • EOF (End Of File)
• In the same way as the network communication, the configuration could be in any format:
  • Plaintext: CSV, JSON, XML
  • Byte-encoded structures
• Some malware encrypt the configuration data to hide sensitive data
RAT Payload Configuration
Add new section info (PE Bear):
  Section Address: 0x000FF12A
  Size of section: N Bytes
  Name of section: malconf
Explore PE Header and Sections (PE Bear):
  DOS Header
  DOS Segment
  PE Header
  Section 1
  …
  Section N
  Custom Section (0x000FF12A)
JSON / CSV / Structures etc.:
  {
    "cncaddr": [
      "127.0.0.1",
      "192.168.0.11",
      "89.214.25.111",
      "lamer.no-ip.org",
      "lamer2.dyndns.org"
    ],
    "startup": {
      "enabled": true,
      "name": "svchost.exe"
    }
    [...]
  }
RAT Payload Configuration
is simply appended at the end of the application file.
• Appending content at the end of an application file doesn't corrupt the application itself, since it is outside the scope defined by the PE structure (SizeOfImage attribute defined in the PE Header > IMAGE_OPTIONAL_HEADER).
• Most antivirus products detect such behaviour by comparing the size of the image (SizeOfImage) from the PE Header with the file size.
Example (Pascal/Delphi)
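As an added example (not part of the original deck, and not the Pascal/Delphi example the slide refers to), the following Python script inspects a PE file the way the two preceding slides suggest: it lists the section table, flags unusually named sections such as the "malconf" custom section, and detects an overlay, i.e. data appended after the end of the last section. The overlay check uses the end of the last section's raw data (PointerToRawData + SizeOfRawData) as the expected end of file, which is the usual way to locate appended data; SizeOfImage from IMAGE_OPTIONAL_HEADER describes the mapped image size in memory and is read here only for display. The sample PE, the carved configuration and the list of "common" section names are constructed for this example.

```python
"""Added example: minimal PE section/overlay inspector. The sample images it
builds are constructed, structurally valid and not executable."""
import json
import struct

# Assumption: section names outside this constructed list are worth a second look.
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
FILE_ALIGNMENT, SECTION_ALIGNMENT = 0x200, 0x1000


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe(sections, overlay=b""):
    """Build a minimal PE32 image: DOS header, PE/COFF headers, a 224-byte
    optional header, one header per section, the raw sections and an optional
    overlay appended after the last section (the EOF technique on the slide)."""
    nsec = len(sections)
    headers_size = _align(64 + 4 + 20 + 224 + 40 * nsec, FILE_ALIGNMENT)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # Magic: PE32
    struct.pack_into("<II", opt, 32, SECTION_ALIGNMENT, FILE_ALIGNMENT)      # alignments
    struct.pack_into("<I", opt, 56, SECTION_ALIGNMENT * (nsec + 1))         # SizeOfImage
    struct.pack_into("<I", opt, 60, headers_size)                           # SizeOfHeaders
    sec_headers, raw_blobs, raw_ptr = b"", b"", headers_size
    for i, (name, data) in enumerate(sections):
        raw_size = _align(len(data), FILE_ALIGNMENT)
        sec_headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                   len(data), SECTION_ALIGNMENT * (i + 1),
                                   raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, len(opt), 0x102)
    headers = (dos + coff + bytes(opt) + sec_headers).ljust(headers_size, b"\0")
    return headers + raw_blobs + overlay


def parse_pe(data):
    """Return SizeOfImage, the section table (with an unusual-name flag) and
    any overlay found after the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]
    sections, end_of_sections = [], 0
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, _vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "virtual_address": va, "raw_offset": raw_ptr,
                         "raw_size": raw_size, "unusual_name": name not in COMMON_SECTION_NAMES})
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:] if len(data) > end_of_sections else b""
    return {"size_of_image": size_of_image, "sections": sections,
            "end_of_sections": end_of_sections, "overlay": overlay}


def carve_json_config(data, report):
    """Look in every unusually named section and in the overlay for a JSON
    blob; return (location, parsed dict) for the first one that decodes."""
    candidates = [(s["name"], data[s["raw_offset"]:s["raw_offset"] + s["raw_size"]])
                  for s in report["sections"] if s["unusual_name"]]
    candidates.append(("overlay", report["overlay"]))
    for where, blob in candidates:
        text = blob.rstrip(b"\0").strip()
        if text.startswith(b"{"):
            try:
                return where, json.loads(text.decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue
    return None, None


# Constructed sample configuration and two carriers: a custom section and an EOF overlay.
SAMPLE_CONFIG = {"cncaddr": ["127.0.0.1", "lamer.no-ip.test"],
                 "startup": {"enabled": True, "name": "svchost.exe"}}
SAMPLE_CONFIG_BYTES = json.dumps(SAMPLE_CONFIG).encode()
SAMPLE_PE = build_sample_pe([(".text", b"\xc3" * 16), ("malconf", SAMPLE_CONFIG_BYTES)])
SAMPLE_PE_EOF = build_sample_pe([(".text", b"\xc3" * 16)], overlay=SAMPLE_CONFIG_BYTES)

if __name__ == "__main__":
    for label, blob in (("custom section", SAMPLE_PE), ("EOF overlay", SAMPLE_PE_EOF)):
        rep = parse_pe(blob)
        where, cfg = carve_json_config(blob, rep)
        print(label, [s["name"] for s in rep["sections"]], "SizeOfImage=%#x" % rep["size_of_image"],
              "overlay bytes:", len(rep["overlay"]), "config at:", where, cfg)
```

The same parser applies unchanged to a real file read from disk; only the carving step is specific to plaintext JSON, and an encrypted configuration would show up as an unusual section or overlay with high entropy rather than a decodable blob.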
RAT Infection Process (flowchart)
1. Anti-VM: Detected → Exit Process; otherwise continue
2. Create Mutex: Exists → Exit Process; otherwise continue
3. Installed?
   No → Copy to destination location → Register location to startup → Delete original copy → Run installed copy → Exit Process
   Yes → Extract embedded files → Download / Execute → Initialize Melting → Inject code into a legitimate process (Explorer.exe; Iexplore.exe; firefox.exe) → Establish a connection to the C&C
Conclusion
# Malware is becoming more and more complex
# The security industry and researchers are developing new techniques to fight advanced threats
# Understanding the concepts behind malware can help you stay protected