
Page 1: Dissecting Derusbi - RSA Conference · Dissecting Derusbi. HTA-W02. ... Multistage malware Dropper Downloader Backdoors. #RSAC Malware. 7 Sakula Shyape Derusbi Hikit Plugx PoisonIvy

Session ID: HTA-W02

#RSAC

Dissecting Derusbi

Vanja Svajcer
Threat Research Manager, Hewlett Packard Enterprise
@vanjasvajcer

Page 2

Dissecting Derusbi

Setting the scene

Sakula/Shyape/Derusbi analysis

Summary

Page 3

Setting the scene

Page 4

Timelines

2008: Early Derusbi

2011: Elderwood platform

2013: ColdFusion server compromise; Ephemeral Hydra

2014: April, Anthem hack

2015: February, Anthem hack discovered; Capstone Turbine

Page 5

Actors

Shell Crew

Deep Panda

Black Vine

APT17

Axiom

Group 72

Page 6

Tactics, techniques and procedures (TTPs)

Spear phishing

Exploits (Elderwood)

Compromised web servers

Hacking tools for credential and data theft

Authenticode-signed files

Multistage malware: dropper, downloader, backdoors

Page 7

Malware

Sakula

Shyape

Derusbi

Hikit

Plugx

PoisonIvy

Hdroot

Hydraq

Zxshell

Page 8

Analysis

Page 9

Static analysis

Structural characteristics

Compiler

Type

Checksums

Strings

Version information

Sections

Digital signatures

Debug paths/strings

Language

Resources

Packers

Exports/Imports/APIs

Page 10

Static analysis

Functionality

Anti-debugging

Analysis environment detection

Configuration data

Downloads or drops additional components

Similarity with known threats

How to detect it, YARA rules?

Page 11

Static analysis tools

IDA Pro + Hex-Rays decompiler

IDAPython

Bochs emulator

pefile-based tools (peframe, AnalyzePE, REMnux)

Page 12

Dynamic analysis

Installation and persistence mechanisms: how it sets itself up to survive reboot

Any exploits to escalate privileges or bypass defences

Purpose: targeted or opportunistic

Self-replication

Payload

Additional components

C&C communication endpoints

OS changes

Detection and removal

Page 13

Dynamic analysis tools

Cuckoo sandbox (or a commercial sandbox)

WinDbg

OllyDbg

Pin, DynamoRIO

Sysinternals tools

Page 14

Malware set

336 samples, Sakula/Shyape/Derusbi

Automated analysis to find representative samples

Chosen: www.we11point.com

Sakula dropper

Shyape/scar downloader

Derusbi backdoor

Page 15

Top domains

[Bar chart: number of samples per domain, axis 0 to 160; domain labels are not recoverable from the transcript]

Page 16

Digital signatures

[Bar chart: number of signed samples per signer, axis 0 to 25]

DTOPTOOLZ Co.,Ltd.

NexG

MICRO DIGITAL INC.

U-Tech IT service

SJ SYSTEM

Career Credit Co,.Ltd.

Page 17

What are we looking at?

Samples related to Anthem breach

Sakula dropper

Dropped Shyape downloader

Derusbi backdoor

Dropped driver

Page 18

Static analysis details: Derusbi update.dll

Page 19

Static analysis – digital signature

Page 20

Sakula - execution

Page 21

Sakula - execution (continued)

Page 22

Sakula - execution (continued)

Page 23

Sakula - execution (continued)

Page 24

Sakula - execution (continued)

Page 25

Sakula – deobfuscate Shyape

Page 26

Sakula – deobfuscate Shyape with IDAPython

Page 27

Shyape - execution

Page 28

Derusbi analysis

Installation

Configuration

Driver

Communication with C2

Detection rules

Page 29

Regsvr32 entry point: DllRegisterServer

Page 30

StartCore

Page 31

Rootkit driver

Page 32

Rootkit driver TCP port check

BOOL __stdcall CheckLocalPortRange(int a1, int a2, int a3, int a4)
{
    return (a4 - 25700) <= 200;
}
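The comparison in the decompiled check is signed, so as written it holds for every local port at or below 25900, not only for the 25700 to 25900 band the constants suggest. The following is an added example (not code from the deck and not the driver's own code) that re-implements the check exactly as decompiled next to an explicit range check, so the two can be compared on a few constructed port values; the function names are ours.

```c
#include <stdbool.h>
#include <stdio.h>

/* Re-implementation of the decompiled driver check, kept signed as shown
 * on the slide: (a4 - 25700) <= 200 is also true for a4 below 25700. */
bool check_local_port_range_decompiled(int port)
{
    return (port - 25700) <= 200;
}

/* Explicit range check: true only for ports 25700..25900 inclusive. */
bool check_local_port_range_strict(int port)
{
    return port >= 25700 && port <= 25900;
}

int main(void)
{
    /* Constructed sample ports spanning both sides of the band. */
    const int ports[] = { 80, 443, 25699, 25700, 25900, 25901, 65535 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        printf("port %5d: decompiled=%d strict=%d\n", ports[i],
               check_local_port_range_decompiled(ports[i]),
               check_local_port_range_strict(ports[i]));
    }
    return 0;
}
```

When writing a detection or a host-based check around this behaviour, use the strict form; the decompiled form would also treat ordinary low ports such as 80 and 443 as "in range".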

Page 33

Configuration deobfuscation

Page 34

Configuration structure

struct __declspec(align(1)) configdata
{
    CHAR   infectionid[64];   /* campaign/infection id */
    CHAR   httpconfig[256];   /* C2 endpoints (address and port) */
    _DWORD dw1;
    _DWORD dw2;
    _DWORD timeout;           /* C2 beacon interval */
    _DWORD ConnectionType;    /* type of connection to use */
    CHAR   proxyconfig[32];   /* proxy address and port */
    CHAR   user[16];          /* proxy username */
    CHAR   password[16];      /* proxy password */
};

Page 35

Our sample config

infectionid      heritage
httpconfig       vpn.foundationssl.com:443,openssh.x24hr.com:53
dw1              0x00
dw2              0x00
timeout          0x0D
ConnectionType   0x10
proxyconfig      172.16.1.141:3128
user             not set
password         not set
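Once the configuration block has been deobfuscated, extracting the fields is a fixed-layout parse of the configdata struct from the previous slide (64 + 256 + 4 x 4 + 32 + 16 + 16 = 400 bytes). The following parser is an added example, not code from the deck; it assumes the struct is packed with no padding (as __declspec(align(1)) implies), that the DWORDs are little-endian, and that the CHAR fields are NUL-terminated inside their fixed buffers. The sample blob is constructed from the values on the "Our sample config" slide rather than taken from a real sample.

```python
"""Parse a Derusbi-style configdata blob (added example; not code from the deck).

Layout follows the configdata struct on the previous slide:
64-byte infectionid, 256-byte httpconfig, four DWORDs (dw1, dw2, timeout,
ConnectionType), 32-byte proxyconfig, 16-byte user, 16-byte password.
Assumptions (not stated on the slides): no padding between fields,
little-endian DWORDs, NUL-terminated strings inside fixed-size buffers.
"""
import struct

CONFIG_FORMAT = "<64s256sIIII32s16s16s"
CONFIG_SIZE = struct.calcsize(CONFIG_FORMAT)  # 400 bytes


def _cstr(buf: bytes) -> str:
    """Return the NUL-terminated string at the start of a fixed-size buffer."""
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_config(blob: bytes) -> dict:
    """Decode one configdata blob into named fields.

    Raises ValueError on a blob of the wrong size, so a truncated or
    mis-located config is reported instead of silently mis-parsed.
    """
    if len(blob) != CONFIG_SIZE:
        raise ValueError(f"expected {CONFIG_SIZE} bytes, got {len(blob)}")
    (infectionid, httpconfig, dw1, dw2, timeout, conn_type,
     proxyconfig, user, password) = struct.unpack(CONFIG_FORMAT, blob)
    return {
        "infectionid": _cstr(infectionid),
        # The slide shows the C2 endpoints as a comma-separated host:port list.
        "c2": [ep for ep in _cstr(httpconfig).split(",") if ep],
        "dw1": dw1,
        "dw2": dw2,
        "timeout": timeout,
        "ConnectionType": conn_type,
        "proxyconfig": _cstr(proxyconfig) or None,
        "user": _cstr(user) or None,
        "password": _cstr(password) or None,
    }


def build_config(infectionid, c2, timeout, conn_type,
                 proxy="", user="", password="", dw1=0, dw2=0) -> bytes:
    """Pack fields into a 400-byte blob; used here only to construct test input."""
    return struct.pack(
        CONFIG_FORMAT,
        infectionid.encode(), ",".join(c2).encode(), dw1, dw2, timeout,
        conn_type, proxy.encode(), user.encode(), password.encode(),
    )


# Constructed blob carrying the values from the "Our sample config" slide.
SAMPLE_BLOB = build_config(
    "heritage",
    ["vpn.foundationssl.com:443", "openssh.x24hr.com:53"],
    timeout=0x0D, conn_type=0x10, proxy="172.16.1.141:3128",
)

if __name__ == "__main__":
    for name, value in parse_config(SAMPLE_BLOB).items():
        print(f"{name:15} {value}")
```

The same unpack can be driven from IDAPython once the deobfuscated buffer's address is known, by reading CONFIG_SIZE bytes from the database and passing them to parse_config.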

Page 36

Save to Internet Explorer registry key

Page 37

Network packet structure

struct struct_packet /* packet header */
{
    _DWORD sizetotal;
    _DWORD type;
    _DWORD checksum;
    _DWORD xorkey;
    _DWORD iscompressed;
    _DWORD rawdatasize;
    char   databuf[];
};
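A 24-byte header with a leading total-length field is enough to frame messages off a captured TCP stream for a dissector or a network signature. The following framing parser is an added example, not code from the deck; it assumes sizetotal counts the header plus databuf and that the DWORDs are little-endian. The slides do not say how checksum and xorkey are applied to databuf, so the payload is carved but not decoded. The sample stream is constructed with made-up field values.

```python
"""Frame Derusbi-style packets off a byte stream (added example; not deck code).

Header layout follows struct_packet on the previous slide: six little-endian
DWORDs (sizetotal, type, checksum, xorkey, iscompressed, rawdatasize) followed
by databuf. Assumptions not stated on the slides: sizetotal covers header plus
databuf, integers are little-endian. The checksum and XOR scheme are not on the
slides, so databuf is returned as-is.
"""
import struct
from typing import Iterator, NamedTuple

HEADER_FORMAT = "<IIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FORMAT)  # 24 bytes


class Packet(NamedTuple):
    sizetotal: int
    type: int
    checksum: int
    xorkey: int
    iscompressed: int
    rawdatasize: int
    databuf: bytes


def parse_packet(buf: bytes, offset: int = 0) -> Packet:
    """Parse one packet at offset; raise ValueError on a malformed frame."""
    if len(buf) - offset < HEADER_SIZE:
        raise ValueError("truncated header")
    fields = struct.unpack_from(HEADER_FORMAT, buf, offset)
    sizetotal = fields[0]
    # A sizetotal below the header size would make the framing loop stall
    # or run backwards, so reject it outright.
    if sizetotal < HEADER_SIZE:
        raise ValueError(f"sizetotal {sizetotal} smaller than header")
    if offset + sizetotal > len(buf):
        raise ValueError("truncated payload")
    databuf = buf[offset + HEADER_SIZE: offset + sizetotal]
    return Packet(*fields, databuf)


def iter_packets(stream: bytes) -> Iterator[Packet]:
    """Yield consecutive packets from a stream until the data runs out."""
    offset = 0
    while offset < len(stream):
        pkt = parse_packet(stream, offset)
        yield pkt
        offset += pkt.sizetotal


def build_packet(ptype: int, payload: bytes, checksum: int = 0, xorkey: int = 0,
                 iscompressed: int = 0, rawdatasize: int = None) -> bytes:
    """Pack a header around payload; used here only to construct sample input."""
    if rawdatasize is None:
        rawdatasize = len(payload)
    return struct.pack(HEADER_FORMAT, HEADER_SIZE + len(payload), ptype,
                       checksum, xorkey, iscompressed, rawdatasize) + payload


# Constructed stream: two back-to-back packets with made-up field values.
SAMPLE_STREAM = (
    build_packet(1, b"hello", checksum=0x1234, xorkey=0xDEADBEEF)
    + build_packet(2, b"\x78\x9c" + b"\x00" * 6, iscompressed=1, rawdatasize=64)
)

if __name__ == "__main__":
    for p in iter_packets(SAMPLE_STREAM):
        print(f"type={p.type} size={p.sizetotal} compressed={p.iscompressed} "
              f"raw={p.rawdatasize} key=0x{p.xorkey:08x} data={p.databuf!r}")
```

The two length checks matter in practice: a replayed or fuzzed stream with sizetotal set to zero would otherwise loop forever, and a sizetotal larger than the capture would otherwise be read as a short, bogus packet.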

Page 38

Original WU service DLL in Security

Page 39

ServiceMain runs original service

Page 40

Goofs

Page 41

Example YARA rule

rule Derusbidll
{
    strings:
        $keydriver   = { F3 5D 88 2E }
        $servicename = "wuauserv"
        $mutexcheck  = "c1212win"
    condition:
        all of them
}
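The rule's condition is what keeps it usable: "wuauserv" on its own appears in any binary that talks to the Windows Update service, so the rule only fires when the driver key bytes and the mutex name are present as well. The following is an added example, not code from the deck, that re-implements the rule's three strings and its all-of-them condition in plain Python (no yara library) and runs it over two constructed buffers, one benign and one carrying all three markers; neither buffer is a real sample.

```python
"""Evaluate the Derusbidll rule logic on constructed buffers (added example).

Not the deck's code and not a yara-python wrapper: the rule's strings and its
`all of them` condition are re-implemented so the effect of the condition can
be seen on sample data. Both buffers are constructed for illustration.
"""
PATTERNS = {
    "$keydriver": bytes.fromhex("F35D882E"),
    "$servicename": b"wuauserv",
    "$mutexcheck": b"c1212win",
}


def match_strings(buf: bytes) -> dict:
    """Map each rule string to its first offset in buf, or None if absent."""
    return {name: (buf.find(pat) if pat in buf else None)
            for name, pat in PATTERNS.items()}


def derusbidll_all(buf: bytes) -> bool:
    """The rule as written on the slide: condition `all of them`."""
    return all(off is not None for off in match_strings(buf).values())


def derusbidll_any(buf: bytes) -> bool:
    """A weaker `any of them` variant, shown only to contrast the false-positive rate."""
    return any(off is not None for off in match_strings(buf).values())


# Constructed inputs. A legitimate updater-related binary plausibly contains
# the service name "wuauserv" by itself; only the suspect buffer has all three.
BENIGN = b"MZ" + b"\x00" * 62 + b"OpenService wuauserv ok" + b"\x00" * 32
SUSPECT = (b"MZ" + b"\x00" * 62 + b"c1212win\x00"
           + bytes.fromhex("F35D882E") + b"\x00wuauserv\x00")

if __name__ == "__main__":
    for label, buf in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "all of them:", derusbidll_all(buf),
              "any of them:", derusbidll_any(buf), match_strings(buf))
```

When running the real rule at scale with yara, the same reasoning applies: prefer conjunctions of a code-level artefact (the driver key bytes) with the string indicators over any single string.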

Page 42

Summary

Page 43

“Apply”

Use IDA Pro to analyze a Derusbi sample

Use IDAPython to script analysis; practice on configuration data and dropped files

Use the Bochs emulator with IDA Pro to deobfuscate samples

Use YARA to scan for IOCs on your network

Page 44

References

https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf

https://assets.documentcloud.org/documents/2084641/crowdstrike-deep-panda-report.pdf

http://blog.airbuscybersecurity.com/post/2015/10/Malware-Sakula-Evolutions-%28Part-2/2%29

http://blog.jpcert.or.jp/2015/11/a-volatility-plugin-created-for-detecting-malware-used-in-targeted-attacks.html

http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family

https://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf

https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/

https://www.cs.bu.edu/~goldbe/teaching/HW55815/presos/anthem.pdf

https://www.virusbtn.com/pdf/conference_slides/2015/Pun-etal-VB2015.pdf

http://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/

https://download.pureftpd.org/misc/UAC.cpp