Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Killsuit: The Equation Group's Swiss Army Knife...

Killsuit: The Equation Group's Swiss Army Knife for Persistence, Evasion, and Data Exfil

Most researchers have focused on the Equation Group's brilliant exploits but very few researchers have focused on their extremely effective post exploitation capabilities. During this talk, we will dissect the KillSuit framework, the Equation Group's Swiss Army Knife for persistence, information gathering, defense evasion, and data exfiltration. KillSuit is a little-known part of the DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to stealthily establish persistence on machines, install keyloggers, packet capture tools, perform WiFi MITM, and other more information gathering tools. Killsuit includes many interesting ways to silently exfiltrate data and intel - including custom written IPSEC-like protocols and misuse of ""disabled"" WIFI cards and near-by open networks.

Francisco Donoso

October 07, 2018
Tweet

More Decks by Francisco Donoso

Other Decks in Technology

Transcript

  1. • DEVOPS / SECURITY AT RANDORI • ARCHITECT • SECURITY

    ENGINEER • CONSULTANT • SECURITY ANALYST
  2. • RESEARCHERS FOCUSED ON EXPLOITS • WANTED TO KNOW MORE

    ABOUT “APT” POST EXPLOITATION • ENCOURAGE OTHERS TO RESEARCH & REVERSE • THIS HAS WORKED (A LITTLE)! • WANTED A TECHNICAL SIDE PROJECT
  3. • BRIEF OVERVIEW OF DANDERSPRITZ • QUICK HISTORY OF THE

    FRAMEWORK(S) • GETTING TO POST-EXPLOITATION • KILLSUIT • PERSISTENCE • EVASION • DATA EXFIL • QUANTUM SHOOTER – MAN ON THE SIDE • DANDERSPRITZ LAB
  4. • FREAKING COOL • A FULLY FUNCTIONAL POST-EXPLOITATION FRAMEWORK •

    WRITTEN IN JAVA L • EXTREMELY MODULAR • “PLUGINS” (FEATURES) WRITTEN IN PYTHON / CUSTOM SCRIPTING J • DESIGNED FOR STEALTH • DESIGNED TO PREVENT DUMB OPERATORS FROM MESSING IT UP
  5. • TARGET = ATTACKED COMPUTER(S) • LP = LISTENING POST

    (C&C SERVER) • COMMAND = SOMETHING RUNNING ON TARGET • PSP = PERSONAL SECURITY PRODUCT (AV) • SAFETY HANDLER = DON’T MESS IT UP • IMPLANT = MALICIOUS CODE DEPLOYED ON TARGET
  6. • EXTREMELY MODULAR PERSISTENCE FRAMEWORK • MULTIPLE SUPPORTED PERSISTENCE METHODS

    • CAN LOAD SEVERAL DIFFERENT ”PLUGINS” • ENCRYPTION FOR EVERYTHING
  7. • INSTANCE = A SPECIFC INSTANCE OF KILLSUIT (MULTIPLE CAN

    BE INSTALLED) • TYPE = A SPECIFIC KISU INSTANCE INTENDED TO SUPPORT PERSISTENCE FOR A COMPLEX IMPLANT • LAUNCHER = THE DRIVER EXPLOITED TO RUN KERNEL MODE CODE • MODULE = SPECIFIC IMPLANT / CODE THAT IS INTENDED TO BE PERSISTENT • MODULE STORE = ENCRYPTED VIRTUAL FILE SYSTEM
  8. • MODIFIES VBR TO LOAD KERNEL DRIVER • USES AN

    ENCRYPTED TRUETYPE FONT FILES AS “CONTAINERS” FOR KERNEL DRIVER • PATCHES WINLOAD.EXE & THE FIRST DRIVER LOADED DURING BOOT TIME
  9. • LAUNCHES A “KERNEL MODE ORCHESTRATOR” BY EXPLOITING A “LAUNCHER”

    DRIVER • PROVIDES ABILITY TO RUN *UNSIGNED* KERNEL MODE AND USER MODE CODE • BEGINS LAUNCHING IMPLANTS • INJECTS MALICIOUS USER MODE CODE INTO PROCESSES
  10. • EVERYTHING ENCRYPTED WITH UNIQUE KEY PER TARGET • VIRTUAL

    FILE SYSTEM STORED IN REGISTRY • PROCESS INJECTION FOR USER MODE CODE • TEMPORARILY CREATE FILES • TIME STOMPING
  11. • STEALTHY KEYLOGGERS • PERSISTENCE USING KILLSUIT USING THE “STLA”

    INSTANCE TYPE • STORES ENCRYPTED DATA IN VBNARM.DLL (CONFIGURABLE)
  12. • FULLY FEATURED PACKET CAPTURE TOOL • USES BERKLEY PACKET

    FILTER (BPF) FILTER FORMAT • INSTALLED ONTO AN EXISTING KILLSUIT INSTANCE • CAPTURED DATA STORED TO AN ENCRYPTED CONTAINER
  13. • DANDERSPRITZ INCLUDES DRIVERS TO INTERACT WITH SEVERAL DATABASES •

    CAN BE INSTALLED PERSISTENTLY WITH KISU • MSSQL, MYSQL, SQLITE, ORACLE
  14. • WIFI MAN IN THE MIDDLE (MITM) • USES A

    SEPARATE KILLSUIT INSTANCE WITH IT’S OWN TYPE (MABE) • INSTALLS DRIVER WITH PACKET INJECTION CAPABILITIES
  15. • STRAITBIZARRE = IMPLANT DESIGNED FOR STEALTHY DATA EXFIL •

    FRIEZERAMP = CUSTOM NETWORK PROTOCOL • PROVIDES COVERT & ENCRYPTED NETWORKING CAPABILITIES • USES ”ADAPTERS” TO INSERT PACKETS INTO RELEVANT TRANSPORT LAYER • SIMILAR TO IPSEC
  16. • DATA EXFIL VIA UN-USED / DISABLED WIFI CARDS •

    USED WHEN THE TARGET IS AIR GAPPED • CAN USE STOLEN CREDENTIALS OR SEND VIA OPEN NETWORKS • USES A SEPARATE KILLSUIT INSTANCE WITH IT’S OWN TYPE (SOKN)
  17. • STRAITBIZARRE SHOOTER REDIRECTS TO FOXACID EXPLOIT SERVER • EXPLOIT

    SERVER DEPLOYS “VALIDATOR” • VALIDATOR CONFIRMS IF TARGET IS INTERESTING • UPGRADE TO UNITED RAKE
  18. • • • • • • • • • •

    • • • • • • •
  19. • FULLY FUNCTIONAL DANDERSPRITZ LAB IN 2 COMMANDS • PACKER

    BUILD DANDERSPRITZ_LAB.JSON • VAGRANT UP
  20. • BRIEF OVERVIEW OF DANDERSPRITZ • FRAMEWORK HISTORY & OVERVIEW

    • GETTING TO POST-EXPLOITATION • SOLARTIME • KILLSUIT MODULES • QUANTUM SHOOTER – MAN ON THE SIDE • DANDERSPRITZ LAB