APT - A Pretty Trojan
DESCRIPTION
Talk I gave at Navaja Negra 2014 about an exfiltration test.
TRANSCRIPT
APT - A Pretty Trojan
Iñaki Rodríguez
And the thanks goes to …
About me
- Security Manager at Wuaki TV
- Ex-Pentester at SensePost
- Founder member of Mlw.re
- @virtualminds_es
A Middle East tale (Malware, Russians and Exploit kits)
Far, far, really far in Dubai
• Exfiltration test
• Social Engineering
• Targeted Attack
• Desktop users
• Exploit kits
Meanwhile in London
Our team mate got access
• Email
• Excel files
• PDF
• Metasploit
• Sakura
Almost there but …
But no exfiltration!
• First stage executed
• Meterpreter downloaded
• No reply
Give me baby one more time
Help! I need somebody
The characters
BarceloDub
Starring…
Russian wettest dream
• Exploit kit for campaigns
• Phishing
• Trainings
Impossible Mission?
• Exfiltration of information
• Help the company to avoid it
• Two weeks
Adventure Time
Back to the Future
• Same payloads
• Same exploits
• Patterns in Splunk
Growing Pains
• Meterpreter
• First stage: A kind of client
• Second stage: The real meterpreter
• Problems: Protocol and DLL
• Crypters useless
My TODO
• Endpoint protection
• Proxy
• Antispam/AV solution
• Firewall/IDS/IPS
• Flight under the radar
• Custom Malware
Bypassing SEP (I)
• Macro execution
• Shellcodes
• Dropper
• First Irat version
• Because anything with I is cool
Bypassing SEP (II)
EXE to VBS
Bypassing Websense (I)
• Content classification
• Financial content
• No executables
• Mirroring
• Hidden commands
Bypassing Websense (II)
Bypassing Message Labs
• Zip files
• Antivirus
• Password protected
• SPF
• Controlled SMTP server
Bypassing PaloAlto
• Next-gen firewall
• No ports
• Based on Application recognition
• RFC
• Meterpreter HTTP(s) caught!
• IRAT to the rescue
• Pretty simple GET and POST
• No SSL
• ASCII to HEX encoding
Bypassing IDS
IRAT: Iñaki’s Remote Administration Tool
• KISS
• No dependencies
• C (Nightmare)
• No crypters (Sorry Abraham)
• Proxy Support
• HTTP(s)
• Ascii to Hex
• Commands into simple HTML files
• C&C panel with templates
• FUD (Fully undetectable)
IRAT: Communication
IRAT: C&C (I)
IRAT: C&C (II)
The attack
Bypassing Humans
• Top 120 lusers
• Emails with a predefined message
• Excel attached (.xls)
• HHRR Impersonation
• With my own smtp server
• Client threatened by employees
• Not my fault :)
You've Got Mail
/con/cat
Facts!
Results
First try
Second try
And now what?
The hangover
• Patterns on logs
• Splunk logging everything
• Under the radar
• User agent
• One guy on SecurityFocus
• Looking for mainframe exploits
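The "Patterns on logs" and "User agent" bullets point at the triage that would have surfaced plain-HTTP GET/POST traffic carrying ASCII-to-hex payloads. Here is an added example of that check, not code from the talk or from IRAT: it runs over constructed proxy log lines (the log format, host names, client addresses and user agents are invented for the example) and flags hex runs that decode to readable ASCII, plaintext POSTs, and user agents seen from only one client.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed log format (not a real proxy's): <ts> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) "([^"]*)"$')
FIELDS = ("ts", "client", "method", "url", "status", "ua")
# 16+ hex digits that are not part of a longer alphanumeric token.
HEX_RUN = re.compile(r'(?<![0-9A-Za-z])[0-9A-Fa-f]{16,}(?![0-9A-Za-z])')

BEACON = "host=WS01;user=jdoe".encode().hex()  # constructed check-in text
SAMPLE_LOG = [  # constructed: two normal requests, then one beaconing host
    '2014-09-30T10:00:01 10.1.1.5 GET http://news.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"',
    '2014-09-30T10:00:02 10.1.1.6 GET http://cdn.example.com/img/d41d8cd98f00b204e9800998ecf8427e.png 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"',
    f'2014-09-30T10:00:03 10.1.1.5 GET http://finance-blog.example.net/news.html?id={BEACON} 200 "WinHttpClient/1.0"',
    f'2014-09-30T10:00:04 10.1.1.5 POST http://finance-blog.example.net/post.html?d={BEACON} 200 "WinHttpClient/1.0"',
]

def decode_hex_ascii(run):
    """Decoded text if `run` is hex for printable ASCII, else None (hashes fail)."""
    try:
        text = bytes.fromhex(run).decode("ascii")  # odd length / non-ASCII -> ValueError
    except ValueError:
        return None
    return text if text.isprintable() else None

def hex_payloads(url):
    """Hex runs in the URL path or query values that decode to readable ASCII."""
    parts = urlsplit(url)
    found = []
    for field in [parts.path] + [v for _, v in parse_qsl(parts.query)]:
        for run in HEX_RUN.findall(field):
            if (text := decode_hex_ascii(run)):
                found.append(text)
    return found

def scan(lines, rare_ua_clients=1):
    """Return (event, reasons) for each log line an analyst should look at."""
    events = [dict(zip(FIELDS, m.groups()))
              for m in map(LOG_RE.match, lines) if m]
    ua_clients = {}  # user agent -> clients that sent it; few clients = rare
    for e in events:
        ua_clients.setdefault(e["ua"], set()).add(e["client"])
    alerts = []
    for e in events:
        reasons = []
        if e["method"] == "POST" and e["url"].startswith("http://"):
            reasons.append("plaintext POST")
        payloads = hex_payloads(e["url"])
        if payloads:
            reasons.append("hex-encoded ASCII: " + "; ".join(payloads))
        if len(ua_clients[e["ua"]]) <= rare_ua_clients:
            reasons.append("rare user agent: " + e["ua"])
        if reasons:
            alerts.append((e, reasons))
    return alerts
```

Proxy logs rarely keep POST bodies, so the hex check here only sees the URL; the same decode test applies to bodies when full captures are available.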
Weakness
• SPF
• Check your own domains!
• Logging
• Too much, too useless
• Antivirus
• In AVs we trust
Yet another Cuckoo deployment
• Exchange mailboxes
• Attachments to Cuckoo
• VBS
• Logs sent to Splunk
• Custom Signatures
Mail2Cuckoo
Ok, Ok… I finish. But…
• PowerPoint Engineering
• Expectations
• Security By Default
• Investment on people
THANKS!!
Q/A