Slide 1

Going down the RAT hole: Deep dive into the Vuln-derland of APT-class RAT Tools
Akitoshi Takezaki & Ryo Minakawa @ NA4Sec team, AVTOKYO2024
© 2024 NTT Communications Corporation, N.F.Laboratories. Inc.

Slide 2

TLP: CLEAR
About us
• Ryo Minakawa (@strinsert1Na): Org.: NFLaboratories, Job: Malware Analyst
• Akitoshi Takezaki (@z4ck_key): Org.: NTT Communications, Job: Intelligence Analyst
We are a threat intel. team!!

Slide 3

TLP: CLEAR
Attention
Please use the content within the scope of the TLP!!
• TLP: CLEAR: Approved for internet discussion
• TLP: AMBER: Limited disclosure

Slide 4

TLP: CLEAR
Introduction

Slide 5

TLP: CLEAR
Ice breaking
How did this past year feel for you?

Slide 6

TLP: CLEAR
In my case…
It's been an exciting year with tons of information leaks from Chinese APTs due to OPSEC failures!
• Legacy Threat: PlugX Builder/Controller Discovered in Open Directory, https://hunt.io/blog/legacy-threat-plugx-builder-controller-discovered-in-open-directory
• Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns, https://unit42.paloaltonetworks.com/i-soon-data-leaks/

Slide 7

TLP: CLEAR
The Benefits by Tool Leaks
Before the Leak:
• The malware only loads Module A and Module B from the C2 server.
• Analyst: "Dumped the RAT implant from memory. Next stage, analyze the malware modules……"
• Analyzing from a forensic perspective is very limited because only modules that can be recovered from memory are available for analysis.
After the Leak:
• The post-exploitation tool delivers the following modules: Module A, Module B, Module C, Module D.
• Analyst: "The functions of the post-exploitation tool are easy to understand intuitively!!"
• Analyzing from a post-exploitation tool perspective makes it much easier to assess the tool's capabilities and apply insights for defense.

Slide 8

TLP: CLEAR
The Benefits by Tool Leaks
Even a small mistake while investigating live attacker infrastructure might amount to exploitation and could carry a risk of arrest.
Before the Leak (Internet scanning):
• Analyst: "Even if we are the victims, we can only conduct a limited investigation…."
After the Leak (set up a C2 server on the host's local network):
• Analyst: "Reduce the risk of arrest and investigate as much as we want!!"
Setting up a RAT C2 server in a local environment enables investigations that include the scope of vulnerability exploitation!!

Slide 9

TLP: CLEAR
Our presentation topics
An investigation triggered by the leakage of nation-state-sponsored APTs' custom RATs
• Identified RAT infrastructure's fingerprint and vulnerabilities from an offensive perspective
• Found interesting vulnerabilities along the way
• Hoping for future applications in Active Cyber Defense

Slide 10

TLP: CLEAR
Discovery and Collection Methods for RATs Used by Leaked State-Sponsored APTs

Slide 11

TLP: CLEAR
RATs Leaked Over the Past Year
Three RATs developed by state-sponsored APTs, identified by us:
• PlugX
  • Used by Chinese APT groups for over 10 years
  • Hunt.io discovered the builder and controller on an "opendir" C2 server [1]
• ShadowPad
  • High-functionality modular RAT, considered a successor to PlugX
  • Management interface found in the i-Soon leak [2]
  • nao_sec discovered the builder on VirusTotal due to an operator's OPSEC failure [3]
• RatelS (a.k.a. micDown, HemiGate)
  • High-functionality modular RAT reflecting the PlugX developer's intent
  • First reported by LAC last year in an incident report noting that the builder had been uploaded to VirusTotal [4][5]
  • nao_sec and Trend Micro also reported it, showing connections across all cases [6][7][8]

Slide 12

TLP: AMBER (Visitors only)
How to Get Leaked Tools

Slide 13

TLP: AMBER (Visitors only)
DEMO

Slide 14

TLP: CLEAR
What You Can Learn from Using RAT
[Diagram: Attacker → Infrastructure (delivery, Command & Control) → Victim (execution, BLOB, Tools). Two assessments are shown: (a) Defense leveraging TTPs: likely effective; Attribution: ineffective. (b) Defense leveraging TTPs: limitedly effective; Attribution: likely effective.]

Slide 15

TLP: CLEAR
Deep Dive into RAT

Slide 16

TLP: CLEAR
Basic Analysis Approach
Research Environment: set up the local server and client environment on Proxmox
• Kali Linux: for RAT C2 server scanning
• RAT C2 server: the RAT listener (controller) is running on Windows Server
• Victim machine: the RAT implant is running on Windows 10
Starting point: identify unique fingerprints of the RAT C2 infrastructure
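The scanning step above (Kali probing the C2 listener in the lab to derive a fingerprint) is shown here as an added example; it is not the authors' tooling and carries no real RAT protocol. The listener, its "magic" handshake bytes and reply, the probe set and the signature table are all constructed for the lab. What the harness records per probe is the behaviour a scanner can actually key on: whether the listener replies at all, how many bytes, a digest of those bytes, and whether the listener closes the connection itself.

```python
"""Active-probe fingerprinting harness for a C2 listener running in a local lab (example, not the authors' code)."""
import hashlib
import socket
import threading
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in protocol for the lab listener (hypothetical; not any real RAT's wire format).
LAB_MAGIC = b"\xde\xad\xbe\xef"
LAB_REPLY = b"LAB-C2-OK\x01"

# Probes sent to each candidate host:port. Real work would derive these from the
# RAT's handshake; these are placeholders for the harness.
PROBES: Dict[str, bytes] = {
    "magic": LAB_MAGIC + b"\x00" * 12,
    "http": b"GET / HTTP/1.0\r\n\r\n",
    "empty": b"",
}


@dataclass(frozen=True)
class Fingerprint:
    replied: bool          # did the listener send anything back?
    length: int            # bytes received before close/timeout
    sha256_16: str         # truncated SHA-256 of the reply bytes
    closed_by_peer: bool   # did the listener close the connection itself?


def digest16(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()[:16]


def probe(host: str, port: int, payload: bytes, timeout: float = 2.0, max_read: int = 4096) -> Fingerprint:
    """Send one probe and record how the listener reacts (reply bytes plus close behaviour)."""
    chunks = []
    closed = False
    with socket.create_connection((host, port), timeout=timeout) as s:
        if payload:
            s.sendall(payload)
        try:
            while sum(len(c) for c in chunks) < max_read:
                data = s.recv(max_read)
                if not data:            # orderly close by the peer
                    closed = True
                    break
                chunks.append(data)
        except socket.timeout:          # listener kept the socket open but stayed silent
            pass
    reply = b"".join(chunks)
    return Fingerprint(bool(reply), len(reply), digest16(reply), closed)


# Constructed signature table: expected per-probe fingerprints of known lab listeners.
SIGNATURES: Dict[str, Dict[str, Fingerprint]] = {
    "lab-listener": {
        "magic": Fingerprint(True, len(LAB_REPLY), digest16(LAB_REPLY), True),
        "http": Fingerprint(False, 0, digest16(b""), True),
    },
}


def match(results: Dict[str, Fingerprint], signatures=SIGNATURES) -> Optional[str]:
    """Return the signature whose per-probe fingerprints all agree with the observations."""
    for name, expected in signatures.items():
        if all(results.get(p) == fp for p, fp in expected.items()):
            return name
    return None


def start_lab_listener():
    """Start a constructed stand-in for a C2 listener on 127.0.0.1 (not a real RAT)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(64)
                except socket.timeout:
                    data = b""
                if data.startswith(LAB_MAGIC):   # only the expected handshake gets a reply
                    conn.sendall(LAB_REPLY)
                # anything else: close silently, like a listener that ignores scanners
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, stop, t


def run_lab() -> Dict[str, Fingerprint]:
    """Bring up the lab listener, run every probe against it, tear it down, return the observations."""
    port, stop, t = start_lab_listener()
    try:
        return {name: probe("127.0.0.1", port, payload) for name, payload in PROBES.items()}
    finally:
        stop.set()
        t.join()


if __name__ == "__main__":
    observed = run_lab()
    for name, fp in observed.items():
        print(f"{name:6s} {fp}")
    print("match:", match(observed))
```

In a real lab the target would be the Windows Server VM hosting the controller rather than a thread on localhost, and the probe bytes would come from the implant's own handshake as captured on the victim VM; the value of the harness is that a reply-plus-close pattern on an otherwise silent port is a fingerprint that survives even when the reply content itself is encrypted.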

Slide 17

TLP: AMBER (Visitors only)
In-depth Analysis

Slide 18

TLP: AMBER (Visitors only)
DEMO

Slide 19

TLP: CLEAR
Key Takeaways

Slide 20

TLP: CLEAR
Key Takeaway: Active Cyber Defense
Not just for fun
• These vulnerabilities, if exploited, are highly dangerous
• However, with the legitimate use of these vulnerabilities, a takedown operation like Emotet's might be possible
• Yet, even as laws are under review, the feasibility of this approach remains uncertain...

Slide 21

TLP: CLEAR
Key Takeaway: Active Cyber Defense
• Expert meetings continue, but issues remain unresolved
• Meeting records raise concerns:
  • e.g.) Reporting obligations for infrastructure providers: our options are very limited
• Need for practical and tactical adjustments beyond theoretical strategies
  • (even if relevant stakeholders aren't here)
"Active Cyber Defense": government expert panel compiles its summary of issues (「能動的サイバー防御」 政府 有識者会議の論点整理まとまる), https://www3.nhk.or.jp/news/html/20240807/k10014539571000.html

Slide 22

TLP: AMBER (Visitors only)
Key Takeaway: RAT C2 infra. discovery

Slide 23

TLP: CLEAR
Summary

Slide 24

TLP: CLEAR
Summary
Deep investigation of RATs and their infrastructure from an offensive perspective
• Focused not only on understanding the modules but also on:
  • Identifying unique infrastructure fingerprints
  • Exploring a potential vulnerability-based takedown operation
• If this presentation has made you interested in RAT C2 servers, don't miss the PowerShell Empire workshop today!

Slide 25

TLP: CLEAR
Thank you for listening!
Going down the RAT hole: Deep dive into the Vuln-derland of APT-class RAT Tools
Your comments & feedback are always welcome!! ☞ [email protected]

Slide 26

TLP: CLEAR
References -1-
[1] Legacy Threat: PlugX Builder/Controller Discovered in Open Directory, Hunt.io (2024/6/5), https://hunt.io/blog/legacy-threat-plugx-builder-controller-discovered-in-open-directory
[2] Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns, Unit 42, Palo Alto Networks (2024/2/23), https://unit42.paloaltonetworks.com/i-soon-data-leaks/
[3] Building Casper's Shadow, nao_sec (2024/6/30), https://nao-sec.org/2024/06/building-caspers-shadow.html
[4] Shades of PlugX Seen in the New Modular Malware "RatelS" (新たなモジュール型マルウェア「RatelS」に見るPlugXの面影), LAC WATCH (2023/9/14), https://www.lac.co.jp/lacwatch/report/20230914_003513.html
[5] New Modular Malware RatelS: Shades of PlugX, Botconf 2024 (2024/4/24), https://www.botconf.eu/botconf-presentation-or-article/new-modular-malware-ratels-shades-of-plugx/

Slide 27

TLP: CLEAR
References -2-
[6] The Secret Life of RATs: connecting the dots by dissecting multiple backdoors, JSAC2024 (2024/1/26), https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_jp.pdf
[7] GroundPeony: Crawling with Malice, nao_sec (2023/8/22), https://nao-sec.org/2023/08/groundpeony-crawling-with-malice.html
[8] Attack Group "Earth Estries" Launches New Cyber-Espionage Campaign Targeting Government Agencies and the Technology Industry (攻撃グループ「Earth Estries」が政府機関や技術業界を狙って新たなサイバー諜報活動を展開), Trend Micro (2023/10/27), https://www.trendmicro.com/ja_jp/research/23/j/earth-estries-targets-government-tech-for-cyberespionage.html
[9] "Active Cyber Defense": Government Expert Panel Compiles Its Summary of Issues (「能動的サイバー防御」 政府 有識者会議の論点整理まとまる), NHK (2024/8/23), https://www3.nhk.or.jp/news/html/20240807/k10014539571000.html