Slide 1

Malware: Understanding the Malware Threat and How to Respond
Jean-Pierre LESUEUR, Full Stack Developer x IT Security Researcher (@DarkCoderSc)
Thomas ROCCIA, Security Researcher, Advanced Threat Research at McAfee (@fr0gger_)

Slide 2

Agenda
#1 What is a Malware?
  # Malware Definition
  # Malware Economy
  # Malware Attribution
#2 Malware Techniques
  # Infection Vectors
  # Persistence
  # Privilege Escalation
  # Evasion Techniques
  # C&C
#3 Malware Analysis
  # Static Analysis
  # Dynamic Analysis
#4 Use case: Remote Administration Tools (RAT)
  # Definition
  # Business Model
  # Network Architecture
  # Network Protocol
  # Payload Configuration
#5 Conclusion

Slide 3

What is a Malware?
Introduction to Malware – Focus on Remote Administration Tool Family
An introduction to Malicious Software

Slide 4

What is a Malware? Malware Families
Different families of Malware:
• Virus, Worm
• Dropper, File Binder / Wrapper / Crypter, Downloader
• Trojan
• Backdoor
• Remote Administration Tools (RAT)
• HTTP Botnet
• Scareware / Rogue
• Ransomware
• Stealer (Password and/or Files)
• Spyware, Adware
• CoinMiners
• Rootkit / Bootkit

Slide 5

What is a Malware? Who and why
# Who is behind it?
• Grey-hat
• Black-hat
# Who uses it and why?
• Script Kiddies
• Criminal Organizations
• Governments
• Terrorism
• IT Security Researchers

Slide 6

What is a Malware? Malware Economy
# Criminals are making money with their creations
# Using them to steal data
# Selling them to other criminals
# Creating business models such as Malware as a Service

Slide 7

What is a Malware? Malware Economy
# Ransomware as a Service
Source: https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/

Slide 8

What is a Malware? Malware Economy
# Exploit kits
Source: https://www.mcafee.com/threat-center/threat-landscape-dashboard/

Slide 9

What is a Malware? Malware Attribution
# Malware is developed by humans
# Many techniques can lead to attribution:
  # PDB Path
  # Strings
  # Code comparison
  # Tools used
  # Operating method
  # Timestamp
  # Infrastructure reuse

Slide 10

What is a Malware? Malware Attribution (same list as the previous slide)
# Attribution can be faked!

Slide 11

Malware Techniques
Infection / Evasion / C&C / Privilege Escalation

Slide 12

Malware Techniques: Infection Vectors
• Media: USB keys, CD/DVD, (External) Hard Drives
• Social Networks: Facebook, Twitter, Google+, YouTube / Dailymotion, Instagram, etc.
• Websites: Phishing, Distributed Software, Vulnerabilities (Java, Flash, Web browser)
• Exploits: Local Exploits, Remote Exploits, Physical Exploits
• Network Sharing: P2P Software (Torrent, eMule), Network files (NAS, FTP)
• Email: Phishing, attachments

Slide 13

Malware Techniques: Infection Vectors
# Supply Chain Attack: third party, infected download, trojanised software
Source: https://www.youtube.com/watch?v=tX0v-rMcuwc

Slide 14

Malware Techniques: Persistence
# To survive a reboot, malware needs to be persistent on the infected machine.
# Registry RUN keys
# Task Scheduler
# Windows Services
# AppInit_DLLs
# COM Hijacking
# Bootkit

Slide 15

Malware Techniques: Persistence
# Registry RUN Keys
# Emotet Malware Example
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Slide 16

Malware Techniques: Persistence
# The Task Scheduler can be used to run tasks | NotPetya
• at

Slide 17

Malware Techniques: Persistence
# Bootkit

Slide 18

Malware Techniques: Privilege Escalation
# Malware needs to elevate its privileges to perform actions, for example to access sensitive data in order to steal/modify/encrypt it…
# Token Manipulation
# Bypass User Account Control (UAC)
# Vulnerability Exploitation
# Hooking
# Dump Credentials
# Many more

Slide 19

Malware Techniques: Privilege Escalation
# Token Manipulation | Teslacrypt

Slide 20

Malware Techniques: Privilege Escalation
# UAC Bypass | Operation HoneyBee
cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
# The macro extracts the CAB file into %SystemRoot%\System32, using either wusa.exe or expand.exe (depending on the OS) to bypass UAC prompts
# Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections)
Source: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/

Slide 21

Malware Techniques: Privilege Escalation
# Vulnerability Exploitation | WannaCry - EternalBlue
# EternalBlue: vulnerability from the Equation Group (MS17-010) – kernel exploit
# Used to spread on the network but also to obtain system privileges
https://www.slideshare.net/ThomasRoccia | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/

Slide 22

Malware Techniques: Privilege Escalation
# Credentials Dumping | Olympic Destroyer
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Slide 23

Malware Techniques: Evasion Techniques
# Malware uses evasion techniques to avoid detection and analysis
https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques
• Packer/Binder/Crypter: Compress/Encrypt, IAT Protect, Code Virtualizing
• Process Injection: Process Hollowing, DLL Injection, Process Doppelganging
• Sandbox Evasion: VM Artifacts, x86 Instructions, Sleep, Running Processes
• Anti-Virus Evasion: Disabling AV, File Size, Injection
• Obfuscation: Base64, XOR, Encryption, Hash, Custom
• Anti-Debugging: Windows API, Timing Check, Debugger Detection
• Anti-Forensic: Melting, File-less, Wiper, Removal

Slide 24

Malware Techniques: Evasion Techniques
# Packers
https://securingtomorrow.mcafee.com/technical-how-to/malware-packers-use-tricks-avoid-analysis-detection/

Slide 25

Malware Techniques: Evasion Techniques
# Process Hollowing | Zcrypt Ransomware

Slide 26

Malware Techniques: Evasion Techniques
# Antivirus Detection | Pinkslipbot

Slide 27

Malware Techniques: Evasion Techniques
# Virtual Machine Detection | Pinkslipbot

Slide 28

Malware Techniques: Evasion Techniques
# Unprotect Project | Malware Evasion Trick Database
Unprotect.tdgt.org

Slide 29

Malware Techniques: Command & Control
# Malware needs to communicate with its C&C
# Infected machines controlled by the same C&C are called a Botnet
# Malware uses the C&C to:
  # Receive commands
  # Exfiltrate/download data
  # Get the encryption key (Ransomware) or interact to pay the ransom
Image: Matthew Andrews/Getty Images/Hemera

Slide 30

Malware Techniques: Command & Control
# Fast-Flux communication
# One domain has multiple IP addresses
# Every 3 minutes or more, the host name points to another computer
# Infected machines can serve as proxies
https://commons.wikimedia.org/wiki/File:Single_und_double_flux.png

Slide 31

Malware Techniques: Command & Control
# Domain Generation Algorithm
# Connection to multiple domains
# Lots of domains can be generated by the sample
# Attackers can activate one of the several servers to allow communication
# The Conficker worm used this technique
https://www.senet-int.com/blog/2013/09/malware-domain-generation-algorithm-dga

Slide 32

Malware Techniques: More Information
# MITRE ATT&CK Matrix | https://attack.mitre.org

Slide 33

Malware Analysis
Process, Techniques, Tools

Slide 34

Malware Analysis Process
Identification:
• Hash calculation
• VirusTotal…
• Anti-Virus
• Previous research
• Internal databases
Analysis (questions to answer):
• What does the malware do?
• Which CnC does it contact?
• Does it steal data?
• How does it infect my system?
Analysis, Static:
• Packed?
• Encrypted?
• Reverse Engineering
Analysis, Dynamic:
• Sandboxing
• Debugging
• Monitoring infected machines
Detection and Remediation:
• Block CnC
• Deploy signature
• Clean infected machines
• Improve security

Slide 35

Malware Analysis Toolkit
# Static Analysis
# Packer Detection: PEiD, RDG Packer Detector, DIE…
# PE Format: Resource Hacker, PEStudio, StudPE…
# Reverse Engineering: IDA, Radare2, dnSpy…
# Sysinternals: Strings, Sigcheck…
# Utilities: HexEdit, Python…

Slide 36

Malware Analysis Toolkit
# Dynamic Analysis
# Process: Process Explorer
# Monitoring: Regshot, Procmon, Autoruns, API Monitor…
# Network: Wireshark, Fiddler, CurrPorts…
# Debugging: OllyDbg, x64dbg…
# Sandbox: Cuckoo, proprietary sandboxes…

Slide 37

Remote Administration Tools (RAT)
A popular Malware Framework

Slide 38

RAT Introduction
# What is a Remote Administration Tool
A RAT is a Malware Framework designed to take control of a remote system. It typically combines:
• Trojan Backdoor
• Botnets
• File Binder / Wrapper, Downloader
• Stealer
• Spyware
• Crypter
• Worms
Commonly offered remote control modules:
• Remote Desktop Streaming
• Remote Webcam Streaming
• Remote Ambient Sound Streaming (Microphone)
• Keylogger
• Password Grabber
• System Management
• File System Management

Slide 39

RAT Introduction
# A few renowned RATs
Past generation:
• Backorifice
• SubSeven (Sub7)
• Optix
• Beast
• LanFiltrator
• Institution 2004
• Netbus
• Coma
• Y3k RAT
• Prorat
• Mosucker
Recent generation:
• Poison Ivy
• Bifrost
• Blackshades
• Turkojan
• DarkComet
• NetWire
• SpyNet (Xtreme RAT)
• NjRAT
• NanoCore
• L0stD00r
• SubSeven (New gen)

Slide 40

RAT Business Model
It is a real business:
• Freeware
• Shareware
• Open Source
• SaaS (Software as a Service)

Slide 41

RAT Business Model
• One shot: the product owner receives a one-time payment and gives the different application parts in exchange.
• Monthly, Yearly, Version: the product owner can also decide to rent the Malware with a time-limited subscription.
• Extra Services: FUD / UD, Support, Pay per install, Extra Modules, Training, Open Source Access

Slide 42

RAT Business Model
Payment methods:
• Liberty Reserve: online banking system
• Western Union: cash deposit service
• PayPal: ease of use
• Crypto-currency: Bitcoin, Monero, Ethereum

Slide 43

RAT: Identify the Different Parts of the Framework
• C&C: graphical application used to take control of the machines infected by the Malware
• Stub Editor: graphical application designed to configure the Malware
• Stub: the Malware itself (.exe, .js, .bat, .py, .pdf, .docx)

Slide 44

RAT Network Protocol
• Client / Server based architecture
• The Malware coder can create a custom protocol
• They can also use an existing protocol (HTTP Botnet)
• To evade detection, cryptographic principles can be used

Slide 45

RAT Network Models
# Mode 1: Direct Connection
• C&C – Client: Connect(89.27.25.120), Out Port (TCP/UDP) > 1403
• Internet (Cloud)
• Stub – Server: Listen(1403), In Port (TCP/UDP) > 1403

Slide 46

RAT Network Models
# Mode 2: Reverse Connection
• C&C – Client: Listen(1403), In Port (TCP/UDP) > 1403
• Internet (Cloud)
• Stub – Client: Connect(45.25.142.32), Out Port (TCP/UDP) > 1403

Slide 47

RAT Network Models
# Mode 3: Hybrid (Direct and/or Reverse)
Direct:
• C&C – Client: Connect(89.27.25.120), Out Port (TCP/UDP) > 1403
• Internet (Cloud)
• Stub – Server: Listen(1403), In Port (TCP/UDP) > 1403
AND / OR
Reverse:
• C&C – Client: Listen(1403), In Port (TCP/UDP) > 1403
• Internet (Cloud)
• Stub – Client: Connect(45.25.142.32), Out Port (TCP/UDP) > 1403

Slide 48

RAT Network Models
# P2P (Peer to Peer)

Slide 49

RAT Network Protocol
# Example of communication system
Server side:
• Main Thread + Listener Thread (Server): New Client / Closed Client
• Per client: Receive Plain / Text Management Thread, Receive Buffer Thread
  • Process List, File List, Reverse shell stdout buffer
  • Webcam Streaming, Desktop Streaming, File Transfer
Client side:
• Main Thread + Connection Attempt to C&C routine Thread: New Server
• Command Parser and Dispatcher Thread: Process List, File List
• Remote Desktop Thread

Slide 50

RAT Network Protocol
# HTTP Protocol
GET ; POST ; PUT ; UPDATE ; DELETE etc.

Slide 51

RAT Network Protocol
# Nature of transmitted data
CSV: kill:14032,1254,12687
JSON: { "action": "kill", "data": [ 14032, 1254, 12687 ] }
BYTES (Struct): 4c000000011402000000 0000c0000000000000469 b000800200000005284ce b6f7c8d3015284ceb6f7c 8d3014b5333d55ba3d301 00fa01…

Slide 52

RAT Network Protocol
# Use case: Basic File Transfer (between the C&C and the infected system)
1. C&C to infected system: filesystem;c:\
2. Infected system to C&C: filesystem;c:\windows,c:\users,c:\Program Files,c:\Program Files (x86)|c:\file.pdf,c:\file2.png...
3. C&C to infected system: downloadfile;c:\file.pdf
4. Infected system to C&C: downloadfile;c:\file.pdf,10240
5. C&C to infected system: OK
6. Infected system to C&C: CHUNK 1, CHUNK 2, … CHUNK N
file size / packet size = number of packets required for a file transfer
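An added Python example, not code from the deck or from any RAT, that parses the command format of this exchange (name;args, with commas between arguments and "|" between the directory and file groups) from a constructed capture and applies the packet-count formula; the packet size of 4096 bytes is an assumption the slide does not state, and the division is rounded up so the final partial packet is counted.

```python
import math
from typing import Dict, List, Tuple

# Constructed capture of the exchange shown on the slide (not a real RAT trace):
# (sender, message), where sender is "cnc" or "stub" (the infected system).
SAMPLE_EXCHANGE: List[Tuple[str, str]] = [
    ("cnc", "filesystem;c:\\"),
    ("stub", "filesystem;c:\\windows,c:\\users,c:\\Program Files,"
             "c:\\Program Files (x86)|c:\\file.pdf,c:\\file2.png"),
    ("cnc", "downloadfile;c:\\file.pdf"),
    ("stub", "downloadfile;c:\\file.pdf,10240"),
    ("cnc", "OK"),
]
PACKET_SIZE = 4096  # assumed packet size; the slide does not state one


def parse_message(msg: str) -> Tuple[str, List[List[str]]]:
    """Split 'name;a,b|c,d' into the command name and the '|'-separated argument
    groups, each group being a comma-separated list (directories | files)."""
    name, _, rest = msg.partition(";")
    groups = [[a for a in g.split(",") if a] for g in rest.split("|")] if rest else []
    return name, groups


def packets_required(file_size: int, packet_size: int) -> int:
    """'file size / packet size' from the slide, rounded up so that a final
    partial packet (10240 bytes at 4096 per packet gives 3 packets) is not lost."""
    if packet_size <= 0:
        raise ValueError("packet size must be positive")
    return math.ceil(file_size / packet_size)


def chunk(data: bytes, packet_size: int) -> List[bytes]:
    """Cut a file into the CHUNK 1..N packets of the transfer."""
    return [data[i:i + packet_size] for i in range(0, len(data), packet_size)]


def summarize_exchange(exchange: List[Tuple[str, str]],
                       packet_size: int = PACKET_SIZE) -> Dict[str, object]:
    """Walk a captured exchange and record what an analyst wants from it: the
    listing the stub returned, the file the C&C asked for, its announced size
    and the number of packets the transfer will take."""
    out: Dict[str, object] = {"dirs": [], "files": [], "requested": None,
                              "size": None, "packets": None}
    for sender, msg in exchange:
        name, groups = parse_message(msg)
        if name == "filesystem" and sender == "stub":
            out["dirs"] = groups[0] if groups else []
            out["files"] = groups[1] if len(groups) > 1 else []
        elif name == "downloadfile" and sender == "cnc" and groups:
            out["requested"] = groups[0][0]
        elif name == "downloadfile" and sender == "stub" and groups:
            _path, size = groups[0][:2]
            out["size"] = int(size)
            out["packets"] = packets_required(int(size), packet_size)
    return out


if __name__ == "__main__":
    print(summarize_exchange(SAMPLE_EXCHANGE))
```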

Slide 53

RAT Network Protocol
# Encryption Layer: Symmetric Encryption
• Both ends share the same algorithm and key (RC4 / AES / Camellia, Key: passw0rd)
• Packet Data (Plain, Byte) "Hello" is encrypted to CF012FA29C before crossing the Cloud, and decrypted back to "Hello" on the other side with the same key

Slide 54

RAT Network Protocol
# Little reminder on XOR encryption
[Figure: bit-by-bit table of Plain data, Secret key and Encrypted data]
DATA xor KEY = ENCRYPTED_DATA
ENCRYPTED_DATA xor KEY = DATA
ENCRYPTED_DATA xor DATA = KEY
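An added Python example (not from the deck) that works through the three identities above with a repeating key, including the third one as an analyst uses it: a captured packet whose plaintext prefix is known (the CSV command from the earlier slide, here constructed) gives back the key, and the key "passw0rd" from the previous slide is reused as the constructed secret.

```python
from typing import Optional

# Constructed sample: the CSV command from the "nature of transmitted data" slide,
# XOR-encrypted with the key shown on the symmetric-encryption slide.
KEY = b"passw0rd"
PLAINTEXT = b"kill:14032,1254,12687"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """DATA xor KEY = ENCRYPTED_DATA; applied again, ENCRYPTED_DATA xor KEY = DATA.
    The key repeats when it is shorter than the data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plain: bytes, key_len: int) -> Optional[bytes]:
    """ENCRYPTED_DATA xor DATA = KEY: a known plaintext prefix at least as long as
    the key yields every key byte. Returns None when too little is known."""
    if len(known_plain) < key_len or len(ciphertext) < key_len:
        return None
    return xor_bytes(ciphertext[:key_len], known_plain[:key_len])


def guess_key_length(ciphertext: bytes, known_plain: bytes, max_len: int = 32) -> Optional[int]:
    """Try candidate lengths: the right one reproduces the whole known prefix when the
    recovered key is reapplied to the ciphertext (smallest period wins)."""
    for n in range(1, max_len + 1):
        key = recover_key(ciphertext, known_plain, n)
        if key and xor_bytes(ciphertext[:len(known_plain)], key) == known_plain:
            return n
    return None


def demo() -> Optional[bytes]:
    """Encrypt the sample, then recover the key from an 11-byte known prefix."""
    ciphertext = xor_bytes(PLAINTEXT, KEY)
    length = guess_key_length(ciphertext, b"kill:14032,")
    return recover_key(ciphertext, b"kill:14032,", length) if length else None


if __name__ == "__main__":
    print(demo())
```

Because the same key encrypts every packet, one recovered key decrypts the whole capture, which is why the deck's next slide moves to a per-session key.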

Slide 55

RAT Network Protocol
# Encryption Layer: Asymmetric Encryption (RSA / ECC)
Step 1: Transmit a generated temporary session key using the asymmetric algorithm (encrypted with the remote public key, decrypted with the local private key) across the Cloud
Step 2: Symmetric encryption (RC4 / AES / Camellia) of the Packet Data (Plain, Byte) using the transmitted temporary session key: "Hello" becomes CF012FA29C in transit and "Hello" again on the other side

Slide 56

RAT Payload Configuration
• The payload configuration contains important information about how to contact the C&C:
  • IP address(es) / Domain name(s) pointing to IP address(es)
  • Communication port(s)
• It also contains other important configuration elements such as:
  • Persistence information (Startup, Process, File)
  • Anti functions (Anti-VM, Anti-Debugger, etc.)
  • Encryption key (symmetric)
  • C&C private key for asymmetric traffic encryption (asymmetric)
  • Optional file downloader (if a dropper module is available and enabled)
  • Embedded files (File Binder / Wrapper)
  • Fake error messages / events (open another process)
  • Etc.

Slide 57

RAT Payload Configuration
• Multiple ways exist to store the configuration inside the Stub:
  • PE Resources Section
  • PE Custom Section
  • EOF (End Of File)
• As with network communication, the configuration can be in any format:
  • Plaintext: CSV, JSON, XML
  • Byte-encoded structures
• Some Malware encrypts the configuration data to hide sensitive data

Slide 58

RAT Payload Configuration
# PE (Portable Executable) Resources
PE layout: DOS Header, DOS Segment, PE Header, Section Tables, Section 1 … Section N
.rsrc (Resource Section) holds: Icon, Version Info, Bitmaps, Custom Resources, Window Resources (Dialogs)
* Related Windows API: LockResource, LoadResource, UpdateResource, SizeofResource…

Slide 59

RAT Payload Configuration
# PE (Portable Executable) Sections
PE layout: DOS Header, DOS Segment, PE Header, Section Tables, Section 1 … Section N, Custom Section (at 0x000FF12A)
Add new section info to the Section Table: Section Address: 0x000FF12A, Size of section: N bytes, Name of section: malconf
Explore PE Header and Sections (PE-bear)
The custom section carries the configuration as JSON / CSV / structures etc.:
{
  "cncaddr": [ "127.0.0.1", "192.168.0.11", "89.214.25.111", "lamer.no-ip.org", "lamer2.dyndns.org" ],
  "startup": { "enabled": true, "name": "svchost.exe" }
  [...]
}

Slide 60

RAT Payload Configuration
# EOF (End of File)
The payload configuration is simply appended at the end of the application file.
Appending content at the end of an application file doesn't corrupt the application itself, since it is outside the scope defined by the PE structure (the SizeOfImage attribute defined in the PE Header > IMAGE_OPTIONAL_HEADER).
Most Antivirus products detect such behaviour by comparing the size of the image (SizeOfImage) from the PE Header with the file size.
Example (Pascal/Delphi)
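An added Python example (not the deck's Pascal/Delphi one, which is absent from this transcript) of the check the slide attributes to antivirus products: it builds a constructed, minimal PE-shaped file, appends a JSON configuration after the last section, and then locates the overlay by parsing the section table for the end of the last section's raw data, which is the file offset a detection actually needs (SizeOfImage is the size of the loaded image in memory, so the section table end is used here instead). File layout, section name and configuration values are all constructed.

```python
import json
import struct
from typing import Optional

FILE_ALIGNMENT = 0x200


def build_sample_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed, minimal PE-shaped file (not a runnable executable): DOS header,
    PE signature, COFF header, a stub optional header and one section, with
    `overlay` appended after the last section, as the slide describes."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94          # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    hdr_len = e_lfanew + 4 + 20 + len(opt) + 40              # up to the end of the section table
    raw_ptr = (hdr_len + FILE_ALIGNMENT - 1) & ~(FILE_ALIGNMENT - 1)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + section
    return headers.ljust(raw_ptr, b"\x00") + section_data + overlay


def end_of_sections(pe: bytes) -> int:
    """File offset just past the last byte covered by the section table.
    Anything after it is an overlay (EOF data)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    end = table + 40 * n_sections
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def extract_overlay(pe: bytes) -> bytes:
    """Bytes appended after the last section (empty when there is no overlay)."""
    return pe[end_of_sections(pe):]


def overlay_config(pe: bytes) -> Optional[dict]:
    """Decode an appended JSON configuration, or None if the overlay is absent or not JSON."""
    overlay = extract_overlay(pe)
    if not overlay:
        return None
    try:
        return json.loads(overlay.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None


# Constructed configuration reusing values from the custom-section slide.
SAMPLE_CONFIG = {"cncaddr": ["127.0.0.1", "lamer.no-ip.org"],
                 "startup": {"enabled": True, "name": "svchost.exe"}}
SAMPLE_PE = build_sample_pe(b"\xc3" * 16, json.dumps(SAMPLE_CONFIG).encode())
```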

Slide 61

RAT Payload Formats
• Binary Application
• Script Files
• Documents
• Exploit Kit

Slide 62

RAT Infection Process: an example of timeline
1. Malware Execution
2. Anti-VM: if a virtual machine is detected, Exit Process
3. Create Mutex: if it already exists, Exit Process
4. Installed? If not: Copy to destination location, Register location to startup, then ping + timeout, delete original copy, run installed copy
5. Initialize: Extract embedded files, Download / Execute
6. Melting: Inject code into a legitimate process (Explorer.exe ; Iexplore.exe ; firefox.exe)
7. Establish a connection to the C&C

Slide 63

Conclusion
"Know your enemy"

Slide 64

Conclusion
# Malware is becoming more and more complex
# The security industry and researchers are developing new techniques to fight advanced threats.
# Understanding the concepts behind malware can help to stay protected

Slide 65

Thank You
Jean-Pierre LESUEUR, Full Stack Developer x IT Security Researcher (@DarkCoderSc)
Thomas ROCCIA, Security Researcher, Advanced Threat Research at McAfee (@fr0gger_)
Q/A