RAT-a-tat-tat
Taking the fight to the RAT controllers

Who Am I
• Jeremy du Bruyn – twitter: @herebepanda, irc: panda
• Pentester / Consultant at SensePost
• Spoken at a previous ZaCon about password cracking
• Currently doing MSc. at Rhodes

What's this about
• I've done some research on two prolific RATs that I'd like to share with y'all
  – I am not a malware researcher, I'm just an ex-network-pentester-consultant-infosec guy
  – Some dynamic analysis using Cuckoo Sandbox
  – Some static analysis using scripts to pick apart the server binaries
• Ways to search for these RATs on the greater Internet
  – With an example

Background story
• Malware.lu report on Mandiant APT1
  – Python code for finding Poison Ivy C2s
• Are there any Poison Ivy C2s in ZA?
  – Writing robust network code is hard
  – Rather leverage off of NMAP
• I didn't find any Poison Ivy C2s in ZA :) / :(
• I really want to play with this, where can I get some samples?
credit: http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf

My collection
• VirusTotal provide access to their Private API, which allows for searching and downloading of samples, to researchers
• After speaking with some malware folks I got a list of the most popular RATs being used in attacks
  – (@vlad_o, @undeadsecurity, @bobmcardle)
• Started collecting in August 2013
• Samples downloaded
  – Searched for "Poison.*" and "Fynloski.*"
  – Total 34 GB of samples
• For sure a cheap VPS would hold the few 100 MBs of samples I'd download
link: https://www.virustotal.com/en/documentation/private-api/

RAT infrastructure
credit: http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/

Poison Ivy
• Been around for many years
  – Oldest version on the website is from 2006, first released in 2005
  – Latest public version is 2.3.2 released in 2008
  – Private versions still being released, including a Vista+ patch
  – Free to download off the author's website
• Apparently very popular amongst Chinese attackers
  – Recently used by Mandiant APT1 groups
  – Used in RSA hack

Poison Ivy
• Samples
  – 12,133 downloaded
  – 5,004 analysed
    • Too much pondering/figuring in the beginning
  – 26 live
    • Not a lot I know, but they provide some interesting insights
• Average PI C2 lifespan is 3 months
• Analysis conducted using a mixture of the VirusTotal behavioural analysis results and a local Cuckoo Sandbox instance

VT Behavioural Analysis
• They use a "cluster" of Cuckoo Sandbox machines to perform the analysis and provide data via JSON
• VirusTotal behavioural analysis not conducted on all samples
  – Like 1 in 10
  – Not allowed to share samples with 3rd parties

Cuckoo sandbox
• Cuckoo Sandbox used for the majority of the samples
  – 5 WinXP SP2 virtual machine guests
  – Timeout of 2 minutes
• Only allowed DNS traffic to Cuckoo host
  – Unbound DNS resolver
• Tweaked to report all traffic, even SYN
  – modules/processing/network.py (host down, not reported)
  – Malwr.com has the same problem
• api.py is super useful
  – Submit jobs, get analysis reports in JSON
• At the end able to process a couple hundred samples a day

Analysis system
• System is Postgres driven
• Extracted info from the samples put into DB:
  – C2 / proxy IP
  – Port
• Scripts would pick up unprocessed samples and perform liveness testing of C2 and extract the Camellia key
  – Again writing to the DB

Poison Ivy
• Camellia key used to authenticate server and encrypt communication
  – Crypto hashing algorithm
  – Used for all servers
  – Can be extracted from server traffic :)
link: https://en.wikipedia.org/wiki/Camellia_(cipher)

Poison Ivy
• JtR module available for brute-forcing (malware.lu)
  – I've asked for its inclusion into hashcat
  – @atom, if you are reading this, *cough* oclHashcat

Vulnerabilities
• Metasploit module for Buffer Overflow bug in Poison Ivy 2.3.2
  – Think meterpreter
  – All you need is the C2 IP, port and clear-text Camellia password
  – Malware.lu guys used this to great effect
• FireEye "PIVY memory-decoding tool" for Immunity Debugger can also extract this info
link: http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof
link: http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf

My contribution
• NMAP service probes to detect C2s across the Internet and NSE script to extract Camellia key from server traffic

DarkComet
• Very popular around the world
• Development abandoned by the author after Syrian government use
  – Crippled version available on author's website
  – Current public full version is 5.3.1
  – Current public crippled version 5.4.1 "Legacy"
• Fairly good collection available via .torrent
link: http://darkcomet-rat.com/
link: https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection

DarkComet
• Samples
  – 33,592 downloaded (32 GB)
  – 12,133 analysed
    • 4,408 successfully
    • 40 live
• Analysis script inspired by AlienVault Labs
  – Only worked on V5, updated to work on V5.1+
credit: https://code.google.com/p/alienvault-labs-garage/downloads/list

DarkComet
• Encrypted server configuration information contained within the binary
  – C2 IP, port, password
  – FTP host, port, username, password, path
• Server configuration encrypted using static keys:
  – V5.1+      : #KCMDDC51#-890
  – V5.0       : #KCMDDC5#-890
  – V4.2F      : #KCMDDC42F#-890
  – V4.2       : #KCMDDC42#-890
  – V4.1       : #KCMDDC4#-890
  – V2.x + 3.x : #KCMDDC2#-890
• Static key and password ("PWD") used to authenticate and encrypt communications
credit: http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf

DarkComet
[Chart values: 1.16, 8.62, 90.22; labels: #KCMDDC51#-890, #KCMDDC51#-8900123456789, Other]

DarkComet
• All this is encrypted using the static key + 'PWD'
credit: http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/

Vulnerabilities
• Makes use of SQLite DB (comet.db)
  – SQLi
  – Contains information on all connected servers
• Arbitrary File Download vulnerability
  – RAT allows controller to overwrite files
  – Doesn't check that C2 initiated connection
credit: http://www.matasano.com/research/PEST-CONTROL.pdf

My contribution
• NMAP service probes to detect C2s across the Internet
  – DarkComet
    • Receives "IDTYPE" encrypted with default (and most popular) password
  – Xtreme RAT
    • Sends "myversion|3.6 Public\r\n"
    • Receives
      – Bytes 1-3 "\x58\x0d\x0a"
      – Bytes 4-12 "\xd2\x02\x96\x49\x00\x00\x00\x00"

My contribution
• Updated DarkComet configuration extraction script, for v5.1+

menuPass Campaign
• One of my samples had the filename "Strategy_Meeting.exe" and a Google search gave me the FireEye report "Poison Ivy: Assessing Damage and Extracting Intelligence"
  – menuPass campaign launched in 2009 targeting defense contractors
  – Main industries targeted were
    • Defense, Consulting / Engineering, ISP, Aerospace, Heavy Industry, Government
  – Spear-phishing used as initial attack vector
    • Weaponised .doc and .zip
• Using pentest footprinting techniques I uncovered a bit about their infrastructure
link: http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf

menuPass Campaign
credit: http://www.paterva.com/web6/products/casefile.php

menuPass Campaign
• "The IP 60.10.1.120 hosted the domain apple.cmdnetview.com"
• This hostname appeared in my analysis but with an IP of 112.213.118.34
• One of my samples has hk.2012yearleft.com (112.213.118.33) and tw.2012yearleft.com (50.2.160.125) as C2s
  – tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in FireEye report
  – 5 live samples using this C2 in my collection
  – All used Camellia key "ketcxsAWfeAxiQ64ndURvA=="

menuPass Campaign
• New hostnames found using "ketcxsAWfeAxiQ64ndURvA==" from my samples:
  – banana.cmdnetview.com
  – drives.methoder.com
  – muller.exprenum.com
• New hostnames in 50.2.160.0/24 from samples:
  – kmd.crabdance.com      50.2.160.104
  – banana.cmdnetview.com  50.2.160.146
  – drives.methoder.com    50.2.160.125
  – muller.exprenum.com    50.2.160.125

menuPass Campaign
• Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found additional C2s in 50.2.160.0/24:
  – 50.2.160.42:80/443   3ntLjgUGgQUYeKl3ncWgeQ==
  – 50.2.160.84:80/443   (daddy.gostudyantivirus.com) AoFSY4Fi5u8sX3Bo7To86w==
  – 50.2.160.104:443     gdWSvDcDqmZFC5/qvQiwhQ==
  – 50.2.160.125:80/443  (document.methoder.com, drives.methoder.com, mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com) ketcxsAWfeAxiQ64ndURvA==
  – 50.2.160.146:443     ketcxsAWfeAxiQ64ndURvA==
  – 50.2.160.179:443     gdWSvDcDqmZFC5/qvQiwhQ==
  – 50.2.160.193:443     tG3Sl8fQtuyKj/jh97O67w==
  – 50.2.160.226:443     gdWSvDcDqmZFC5/qvQiwhQ==
  – 50.2.160.241:443     gdWSvDcDqmZFC5/qvQiwhQ==

menuPass Campaign
• Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from 50.2.160.104):
  – ux.niushenghuo.info  142.4.121.144
  – for.ddns.mobi        142.4.121.144
• Hostnames from samples in 142.4.121.0/24:
  – gold.polopurple.com  142.4.121.138
• Additional PI C2 in 142.4.121.0/24 using NMAP:
  – 142.4.121.137:80/443  3ntLjgUGgQUYeKl3ncWgeQ==
  – 142.4.121.139:80/443  AoFSY4Fi5u8sX3Bo7To86w==
  – 142.4.121.140:443     gdWSvDcDqmZFC5/qvQiwhQ==
  – 142.4.121.141:80      ketcxsAWfeAxiQ64ndURvA==
  – 142.4.121.142:443     ketcxsAWfeAxiQ64ndURvA==
  – 142.4.121.144:443     gdWSvDcDqmZFC5/qvQiwhQ==
  – 142.4.121.181:443     gdWSvDcDqmZFC5/qvQiwhQ==
  – 142.4.121.203:443     gdWSvDcDqmZFC5/qvQiwhQ==

menuPass Campaign
• zhengyanbin8@gmail.com registered:
  – 2012yearleft.com
  – cmdnetview.com
  – gostudyantivirus.com
  – 100fanwen.com
• DomainTools reports that this email address has been used to register 157 domains
  – So still a lot of research to be done

Conclusion
• Those with an interest in amateur malware analysis
  – I utilised my pentesting skillset to work on this stuff
• Defenders looking for more ways to defend
  – Using these methods you can start investigating attacks on your organisation and start moving up the kill-chain
• Greyhats wanting to increase the cost of attackers running these RATs

Thank You
• If there's time for questions, shoot.
• Otherwise catch me at lunch
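Worked example for the DarkComet slides (the per-version static keys, the "static key + PWD" network encryption, and the "IDTYPE" greeting the NMAP probe looks for) plus the Xtreme RAT banner from the "My contribution" slide. This is an added example, not code from the talk or from the author's extraction script or NSE scripts. Two things are assumptions and not stated on the slides: that the cipher keyed with the static key (or static key + PWD) is RC4 and that ciphertext travels as a hex string, both taken from the Arbor and Context IS write-ups the slides credit. The default password "0123456789" is read off the slide's "#KCMDDC51#-8900123456789"; the sample configuration is constructed here with made-up field names and values, and the Xtreme RAT matcher checks exactly the eight bytes the slide lists for positions 4-12.

```python
# Added example (not from the talk or the author's scripts). Assumptions are
# marked: RC4 as the cipher and hex encoding of ciphertext come from the
# public DarkComet write-ups the slides credit, not from the slides themselves.
from typing import Dict, Optional

# Per-version static keys exactly as listed on the slides.
STATIC_KEYS: Dict[str, str] = {
    "V5.1+":      "#KCMDDC51#-890",
    "V5.0":       "#KCMDDC5#-890",
    "V4.2F":      "#KCMDDC42F#-890",
    "V4.2":       "#KCMDDC42#-890",
    "V4.1":       "#KCMDDC4#-890",
    "V2.x + 3.x": "#KCMDDC2#-890",
}
# The slide shows the static key with "0123456789" appended: the controller
# password the probe treats as the default (and most popular) one.
DEFAULT_PWD = "0123456789"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (assumption: the cipher DarkComet keys with static key + PWD)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config_field(hex_value: str, version: str) -> str:
    """Config strings inside the binary are keyed with the static key alone."""
    return rc4(STATIC_KEYS[version].encode(), bytes.fromhex(hex_value)).decode("latin-1")


def encrypt_field(plain: str, key: str) -> str:
    """Hex-encoded RC4 ciphertext; used here only to build constructed samples."""
    return rc4(key.encode(), plain.encode("latin-1")).hex().upper()


def identify_darkcomet_banner(hex_banner: str) -> Optional[str]:
    """Return the DarkComet version whose static key + default PWD turns a
    received greeting back into "IDTYPE", or None if no key matches."""
    try:
        raw = bytes.fromhex(hex_banner)
    except ValueError:
        return None
    for version, static in STATIC_KEYS.items():
        if rc4((static + DEFAULT_PWD).encode(), raw) == b"IDTYPE":
            return version
    return None


XTREME_HEAD = b"\x58\x0d\x0a"                        # bytes 1-3 on the slide
XTREME_TAIL = b"\xd2\x02\x96\x49\x00\x00\x00\x00"    # the bytes listed for 4-12


def is_xtremerat_banner(data: bytes) -> bool:
    """Match the reply the slide describes for the "myversion|3.6 Public" probe."""
    return data.startswith(XTREME_HEAD + XTREME_TAIL)


# Constructed sample: a V5.1+ configuration with a non-default password, as a
# config extractor would find it (field names are mine, not DarkComet's).
SAMPLE_CONFIG: Dict[str, str] = {
    "c2_host": encrypt_field("panda.example.invalid", STATIC_KEYS["V5.1+"]),
    "c2_port": encrypt_field("1604", STATIC_KEYS["V5.1+"]),
    "pwd":     encrypt_field("s3cret", STATIC_KEYS["V5.1+"]),
}


def extract_config(config: Dict[str, str], version: str) -> Dict[str, str]:
    """Decrypt every field of an extracted configuration for the given version."""
    return {name: decrypt_config_field(value, version) for name, value in config.items()}


if __name__ == "__main__":
    print(extract_config(SAMPLE_CONFIG, "V5.1+"))
    greeting = encrypt_field("IDTYPE", STATIC_KEYS["V5.0"] + DEFAULT_PWD)
    print(greeting, "->", identify_darkcomet_banner(greeting))
```

The version split matters in practice: a greeting from a controller with a custom password decrypts to garbage under every key in the table, which is exactly why the slide's probe only catches the default-password population and why the config extractor, which needs only the static key, recovers the PWD that the network check cannot.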
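Worked example for the menuPass slides: the pivoting from Camellia key to netblock to hostname that the slides carry out by hand, written as reusable functions over exactly the observations the slides list. This is an added example, not the talk's or the author's tooling, and it introduces no data beyond the slides; the hostname-to-IP pairs and the per-host keys are copied from them in the order they appear, and the function names are mine.

```python
# Added example, not from the talk or the author's tooling: the key/netblock
# pivoting the menuPass slides do by hand, over the observations the slides
# list and nothing else.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

Observation = Tuple[str, str, str]   # (C2 IP, ports, Camellia key as shown on the slides)

C2_OBSERVATIONS: List[Observation] = [
    ("50.2.160.42",   "80/443", "3ntLjgUGgQUYeKl3ncWgeQ=="),
    ("50.2.160.84",   "80/443", "AoFSY4Fi5u8sX3Bo7To86w=="),
    ("50.2.160.104",  "443",    "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.125",  "80/443", "ketcxsAWfeAxiQ64ndURvA=="),
    ("50.2.160.146",  "443",    "ketcxsAWfeAxiQ64ndURvA=="),
    ("50.2.160.179",  "443",    "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.193",  "443",    "tG3Sl8fQtuyKj/jh97O67w=="),
    ("50.2.160.226",  "443",    "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.241",  "443",    "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.137", "80/443", "3ntLjgUGgQUYeKl3ncWgeQ=="),
    ("142.4.121.139", "80/443", "AoFSY4Fi5u8sX3Bo7To86w=="),
    ("142.4.121.140", "443",    "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.141", "80",     "ketcxsAWfeAxiQ64ndURvA=="),
    ("142.4.121.142", "443",    "ketcxsAWfeAxiQ64ndURvA=="),
    ("142.4.121.144", "443",    "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.181", "443",    "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.203", "443",    "gdWSvDcDqmZFC5/qvQiwhQ=="),
]

# hostname -> IP, from the samples, the FireEye report quote and the scan results on the slides.
HOSTNAMES: Dict[str, str] = {
    "kmd.crabdance.com":          "50.2.160.104",
    "banana.cmdnetview.com":      "50.2.160.146",
    "drives.methoder.com":        "50.2.160.125",
    "muller.exprenum.com":        "50.2.160.125",
    "tw.2012yearleft.com":        "50.2.160.125",
    "document.methoder.com":      "50.2.160.125",
    "mocha.100fanwen.com":        "50.2.160.125",
    "scrlk.exprenum.com":         "50.2.160.125",
    "zone.demoones.com":          "50.2.160.125",
    "daddy.gostudyantivirus.com": "50.2.160.84",
    "ux.niushenghuo.info":        "142.4.121.144",
    "for.ddns.mobi":              "142.4.121.144",
    "gold.polopurple.com":        "142.4.121.138",
    "hk.2012yearleft.com":        "112.213.118.33",
    "apple.cmdnetview.com":       "112.213.118.34",
}


def group_by_key(obs: Iterable[Observation] = C2_OBSERVATIONS) -> Dict[str, List[str]]:
    """Camellia key -> the C2 IPs that answered the probe with it, in address order."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip, _ports, key in obs:
        groups[key].append(ip)
    return {key: sorted(ips, key=ip_address) for key, ips in groups.items()}


def keys_by_network(obs: Iterable[Observation] = C2_OBSERVATIONS, prefix: int = 24) -> Dict[str, Set[str]]:
    """/prefix netblock -> the set of keys seen inside it."""
    nets: Dict[str, Set[str]] = defaultdict(set)
    for ip, _ports, key in obs:
        nets[str(ip_network(f"{ip}/{prefix}", strict=False))].add(key)
    return dict(nets)


def keys_spanning_networks(obs: Iterable[Observation] = C2_OBSERVATIONS, prefix: int = 24) -> List[str]:
    """Keys that appear in more than one netblock: the link between
    50.2.160.0/24 and 142.4.121.0/24 that the slides build on."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for net, keys in keys_by_network(obs, prefix).items():
        for key in keys:
            seen[key].add(net)
    return sorted(key for key, nets in seen.items() if len(nets) > 1)


def hostnames_for_key(key: str, obs: Iterable[Observation] = C2_OBSERVATIONS) -> List[str]:
    """Pivot from a key to hostnames: every name resolving to an IP that answered
    with that key (how the slides reach banana/drives/muller from one key)."""
    ips = {ip for ip, _ports, k in obs if k == key}
    return sorted(host for host, ip in HOSTNAMES.items() if ip in ips)


def unlabelled_c2s(obs: Iterable[Observation] = C2_OBSERVATIONS) -> List[str]:
    """C2 IPs found by scanning that no sample or report has tied to a hostname yet."""
    named = set(HOSTNAMES.values())
    return sorted((ip for ip, _ports, _key in obs if ip not in named), key=ip_address)


if __name__ == "__main__":
    for key, ips in group_by_key().items():
        print(key, len(ips), "hosts", hostnames_for_key(key) or "(no hostname yet)")
    print("keys spanning netblocks:", keys_spanning_networks())
    print("C2s still without a hostname:", unlabelled_c2s())
```

Feeding new scan results or sample-derived hostnames into the two tables is all that is needed to extend the pivot; the functions deliberately treat a shared key across netblocks as the strongest link, since a Camellia password is chosen by the operator, while an IP or a hostname can be rented or rotated.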