RAT-a-tat-tat
Taking the fight to the RAT controllers
Who Am I
• Jeremy du Bruyn
– twitter: @herebepanda, irc: panda
• Pentester / Consultant at SensePost
• Spoken at a previous ZaCon about password
cracking
• Currently doing MSc. At Rhodes
What's this about
• I've done some research on two prolific RAT's that
I'd like to share with y'all
– I am not a malware researcher, I'm just a ex-networkpentester-consultant-infosec guy
– Some dynamic analysis using cuckoo sandbox
– Some static analysis using scripts to pick apart the
server binaries
• Ways to search for these RAT's on the greater
internet
– With an example
Background story
• Malware.lu report on Mandiant APT1
– Python code for finding Poison Ivy C2's
• Are there any Poison Ivy C2's in ZA?
– Writing robust network code is hard
– Rather leverage off of NMAP
• I didn’t find any Poison Ivy C2's in ZA :) / :(
• I really want to play with this, where can I get
some samples?
credit (http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf)
My collection
• VirusTotal provide access to their Private API, which allows for
searching and downloading of samples, to researchers
• After speaking with some malware folks I got a list of the most
popular rats being used in attacks
– (@vlad_o, @undeadsecurity, @bobmcardle)
• Started collecting in August 2013
• Samples downloaded
– Searched for “Poison.* and “Fynloski.*”
– Total 34 GB of samples
• For sure a cheap VPS would hold the few 100 MB's of samples I'd
download
link (https://www.virustotal.com/en/documentation/private-api/)
RAT infrastructure
credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Poison Ivy
• Been around for many years
– Oldest version on the website is from 2006, first
released in 2005
– Latest public version is 2.3.2 released in 2008
– Private versions still being released, including a Vista+
patch
– Free to download off the authors website
• Apparently very popular amongst Chinese
attackers
– Recently used by Mandiant APT1 groups
– Used in RSA hack
Poison Ivy
• Samples
– 12,133 downloaded
– 5,004 analysed
• Too much pondering/figuring in the beginning
• 26 live
• Not a lot I know, but they provide some interesting insights
• Average PI C2 lifespan is 3 months
• Analysis conducted using a mixture of the
VirusTotal behavioural analysis results and local
cuckoo sandbox instance
VT Behavioural Analysis
• They use a “cluster” of cuckoo sandbox
machines to perform the analysis and provide
data via JSON
• VirusTotal behavioural analysis not conducted
on all samples
– Like 1 in 10
– Not allowed to share samples with 3rd parties
Cuckoo sandbox
• Cuckoo sandbox used for the majority of the samples
– 5 WinXP SP2 virtual machine guests
– Timeout of 2 minutes
• Only allowed DNS traffic to cuckoo host
– Unbound DNS resolver
• Tweaked to report all traffic, even SYN
– modules/processing/network.py (host down, not reported)
– Malwr.com has the same problem
• api.py is super useful
– Submit jobs, get analysis reports in JSON
• At the end able to process a couple hundred samples a day
Analysis system
• System is postgres driven
• Extracted info from the samples put into DB:
– C2 / proxy IP
– Port
• Scripts would pick up unprocessed samples
and perform liveness testing of C2 and extract
the Camellia key
– Again writing to the DB
Poison Ivy
• Camellia key used to authenticate server and
encrypt communication
– Crypto hashing algorithm
– Used for all servers
– Can be extracted from server traffic :)
link (https://en.wikipedia.org/wiki/Camellia_(cipher))
Poison Ivy
• JtR module available for brute-forcing (malware.lu)
– I've asked for its inclusion into hashcat
– @atom, if you are reading this, *cough* oclhashcat
Vulnerabilities
• Metasploit module for Buffer Overflow bug in
Poison Ivy 2.3.2
– Think meterpreter 
– All you need is the C2 IP, port and clear-text Camellia
password
– Malware.lu guys used this to great effect
• FireEye “PIVY memory-decoding tool” for
Immunity debugger can also extract this info
Link (http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof)
(http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
My contribution
• NMAP service probes to detect C2’s across the
Internet and NSE script to extract Camellia key
from server traffic
DarkComet
• Very popular around the world
• Development abandoned by the author after
Syrian government use
– Crippled version available on author website
– Current public full version is 5.3.1
– Current public crippled version 5.4.1 “Legacy”
• Fairly good collection available via .torrent
Link (http://darkcomet-rat.com/)
(https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection)
DarkComet
• Samples
– 33,592 downloaded (32GB)
– 12,133 analysed
• 4408 successfully
• 40 live
• Analysis script inspired by AlienVault Labs
– Only worked on V5, updated to work on V5.1+
credit (https://code.google.com/p/alienvault-labs-garage/downloads/list)
DarkComet
• Encrypted server configuration information contained within the
binary
– C2 IP, port, password
– FTP host, port, username, password, path
• Server configuration encrypted using static keys:
–
–
–
–
–
–
V5.1+
V5.0
V4.2F
V4.2
V4.1
V2.x + 3.x
: #KCMDDC51#-890
: #KCMDDC5#-890
: #KCMDDC42F#-890
: #KCMDDC42#-890
: #KCMDDC4#-890
: #KCMDDC2#-890
• Static key and password (“PWD”) used to authenticate and encrypt
communications
credit (http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf)
DarkComet
1.16
8.62
90.22
#KCMDDC51#-890
#KCMDDC51#-8900123456789
Other
DarkComet
• All this is encrypted using the static key +
'PWD‘
credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Vulnerabilties
• Makes use of SQLite DB
– SQLi
• Arbitrary File Download vulnerability
– RAT allows controller to overwrite files
– Doesn't check that C2 initiated connection
•
(comet.db)
• Contains information on all connected servers
credit (http://www.matasano.com/research/PEST-CONTROL.pdf)
My contribution
• NMAP service probes to detect C2’s across the
Internet
– DarkComet
• Receives “IDTYPE” encrypted with default (and most
popular) password
– Xtreme RAT
• Sends “myversion|3.6 Public\r\n”
• Receives
– Bytes 1-3 "\x58\x0d\x0a
– Bytes 4 – 12 "\xd2\x02\x96\x49\x00\x00\x00\x00"
My contribution
• Updated DarkComet configuration extraction
script, for v5.1+
menuPass Campaign
• One of my samples had the filename
“Strategy_Meeting.exe” and a Google gave me the FireEye
report “Poison Ivy: Assessing Damage and Extracting
Intelligence”
– menuPass campaign launched in 2009 targeting defense
contractors
– Main industries targeted where
• Defense, Consulting / Engineering, ISP, Aerospace, Heavy Industry,
Government
• Spear-phishing used as initial attack vector
– Weaponised .doc and .zip
• Using Pentest footprinting techniques I uncovered a bit
about their infrastructure
Link (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
menuPass Campaign
credit (http://www.paterva.com/web6/products/casefile.php)
menuPass Campaign
• “The IP 60.10.1.120 hosted the domain
apple.cmdnetview.com”
• This hostname appeared in my analysis but with
an IP of 112.213.118.34
• One of my samples has hk.2012yearleft.com
(112.213.118.33) and tw.2012yearleft.com
(50.2.160.125) as C2’s
– tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in
FireEye report
– 5 live samples using this C2 in my collection
– All used Camellia key “ketcxsAWfeAxiQ64ndURvA==”
menuPass Campaign
• New hostnames found using
“ketcxsAWfeAxiQ64ndURvA==” from my samples:
– banana.cmdnetview.com
– drives.methoder.com
– muller.exprenum.com
• New hostnames in 50.2.160.0/24 from samples:
–
–
–
–
kmd.crabdance.com
banana.cmdnetview.com
drives.methoder.com
muller.exprenum.com
50.2.160.104
50.2.160.146
50.2.160.125
50.2.160.125
menuPass Campaign
• Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found
additional C2's in 50.2.160.0/24:
– 50.2.160.42:80/443
3ntLjgUGgQUYeKl3ncWgeQ==
– 50.2.160.84:80/443 (daddy.gostudyantivirus.com)
(AoFSY4Fi5u8sX3Bo7To86w==)
– 50.2.160.104:443
gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.125:80/443 (document.methoder.com, drives.methoder.com,
mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com)
(ketcxsAWfeAxiQ64ndURvA==)
– 50.2.160.146:443
ketcxsAWfeAxiQ64ndURvA==
– 50.2.160.179:443
gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.193:443
tG3Sl8fQtuyKj/jh97O67w==
– 50.2.160.226:443
gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.241:443
gdWSvDcDqmZFC5/qvQiwhQ==
menuPass Campaign
• Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from
50.2.160.104):
– ux.niushenghuo.info
– for.ddns.mobi
142.4.121.144
142.4.121.144
• Hostnames from samples in 142.4.121.0/24:
– gold.polopurple.com
142.4.121.138
• Additional PI C2 in 142.4.121.0/24 using NMAP:
–
–
–
–
–
–
–
–
142.4.121.137:80/443
142.4.121.139:80/443
142.4.121.140:443
142.4.121.141:80
142.4.121.142:443
142.4.121.144:443
142.4.121.181:443
142.4.121.203:443
3ntLjgUGgQUYeKl3ncWgeQ==
AoFSY4Fi5u8sX3Bo7To86w==
gdWSvDcDqmZFC5/qvQiwhQ==
ketcxsAWfeAxiQ64ndURvA==
ketcxsAWfeAxiQ64ndURvA==
gdWSvDcDqmZFC5/qvQiwhQ==
gdWSvDcDqmZFC5/qvQiwhQ==
gdWSvDcDqmZFC5/qvQiwhQ==
menuPass Campaign
• zhengyanbin8@gmail.com registered:
– 2012yearleft.com
– cmdnetview.com
– gostudyantivirus.com
– 100fanwen.com
• DomainTools reports that this email address
has been used to register 157 domains
– So still a lot of research to be done
Conclusion
• Those with an interest in amateur malware
analysis
– I utilised my pentesting skillset to work on this stuff
• Defenders looking for more ways to defend
– Using these methods you can start investigating
attacks on your organisation and start moving up the
kill-chain
• Greyhats wanting to increase the cost of attackers
running these RAT's
Thank You
• If there’s time for questions, shoot.
• Otherwise catch me at lunch