JSAC2020_en_1.1rc


1 Japan Security Analyst Conference 2020
Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
Malware Researchers: CiYi "YCY" Yu, Aragorn Tseng

2 Malware Researchers
- CiYi "YCY" Yu: malware analysis, campaign tracking, automated analysis
- Aragorn Tseng: malware analysis, incident response, machine learning

3 Agenda
- Adversary Profile: HUAPI
- Malware Profile: DBGPRINT
- Evolution of DBGPRINT
- In-Depth Analysis of DBGPRINT
- Detection Warfare
- Remediation & Detection

4 Adversary Profile: HUAPI
- Alias: BlackTech
- Active since 2007
- Malware: TSCOOKIE, KIVARS, CAPGELD, DBGPRINT

5 Malware Profile: DBGPRINT
- Alias: Waterbear
- Since at least 2009
- DLL export name: DbgPrint
- Acts as a second stage
- Advanced malware design
- Adopts a shellcode stager
- Able to load plugins

6 Malware Profile: DBGPRINT
Government, Education, Think Tank, Finance, Technology, Healthcare

7 Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
Section: Evolution of DBGPRINT

8 Version Changes in the Wild
[Chart: discovery time in the wild for each version, with the listen port used]

9 Access chains (payload loading variants)
- Payload inside EXE: Access -> EXE -> Stager -> Payload
- Payload inside DLL: Access -> EXE -> DLL -> Stager -> Payload
- Standalone payload: Access -> EXE -> DLL -> Stager -> Payload
- Double DLL sideloading: Access -> EXE -> DLL -> DLL -> Stager -> Payload

10 RC4 Key of Payload
Key transform loop (each byte is rotated left by 5 bits: shr 3 / shl 5 / or):

    mov al, byte ptr [ecx]
    mov dl, al
    shr dl, 3
    shl al, 5
    or dl, al
    mov byte ptr [ecx], dl
    inc ecx
    dec esi
    jnz short

Key sources seen across versions:
- XOR / Shift of a string (the loop above)
- Random 16 bytes, e.g. CD FF D1 0A 40 C0 21 BB ...
- File path, e.g. C:\Program Files\NVIDIA Corporation\Display\nvwss.ptn\x00
- String + file name, e.g. "Miss You!" + printupg.pnf

11 Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
Section: In-Depth Analysis of DBGPRINT

12 Execution Procedure
Access -> Decrypt Payload -> Stager -> Implant
❶ The stager asks the DBGPRINT Controller for the DLL implant
❷ The implant waits for connection

13 Inside DBGPRINT Stager
Stager flow:
- Check PEB!IsDebugged (in some versions)
- Initialize API from hash table
- Relocate function table
- Check for proxy setting
- Test connection
- Generate session keys
- Check for challenge; on failure, drop connection
- Decrypt implant & execute in memory

14 Inside DBGPRINT Stager
Stager / Controller exchange:
- Stager: Generate request packet
- Stager -> Controller: Request the DBGPRINT implant with session keys
- Controller: Calculate the pre-session key and challenge
- Controller -> Stager: Send the calculated challenge
- Stager: Check for challenge
- Controller: Split implant into encrypted blocks
- Controller -> Stager: Send the DBGPRINT implant
- Stager: Decrypt implant and execute in memory

15 Inside DBGPRINT Stager: Generate request packet
Header fields:
- Fixed signature: 40 1f 03
- (GetTickCount()/0xff)*2 mod 0xff
- GetTickCount() mod 0xff
- (GetTickCount()/0xff)>>1 mod 0xff
- Data size (little endian)
- Command

16 Inside DBGPRINT Stager: Generate session keys
- Authentication key combined with a random number = Pre-session key
- Pre-session key combined with 0x A6B6C6D6E6F00 = Session key 1
- Pre-session key combined with a second constant (value not captured) = Session key 2

17 Inside DBGPRINT Stager: example request packet
[Hex dump of a request packet; the fixed signature bytes, Session key 1 and Session key 2 are highlighted]

18 Inside DBGPRINT Stager: Calculate the pre-session key and challenge (controller side)
- Session key 1 combined with 0x A6B6C6D6E6F00 = Pre-session key
- Pre-session key combined with Authentication key = Server challenge
The controller then sends the calculated challenge.
[Hex dump of the challenge packet; the command for challenge and the server challenge are highlighted]

19 Inside DBGPRINT Stager: Check for challenge
if (Server challenge combined with Pre-session key) == Authentication key:
- Yes: continue
- No: abort

20 Inside DBGPRINT Stager: Split implant into encrypted blocks (Modified RC4 PRGA)

    # Modified_RC4_PRGA
    # box, x and y come from RC4_KSA(Pre-session key); x = y = 0 after the KSA
    out = bytearray()
    for char in prga_data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        z = (box[x] + box[y]) % 256
        # DBGPRINT's change: the nibbles of box[z] are swapped in place
        box[z] = ((box[z] << 4) & 0xf0) + ((box[z] >> 4) & 0x0f)
        out.append(char ^ box[z])  # standard RC4 output step, not shown on the slide

21 Inside DBGPRINT Stager: encrypted blocks
[Hex dump of the received implant split into PRGA_data1, PRGA_data2, PRGA_data3 and PRGA_data4]

22 Inside DBGPRINT Stager: Decrypt implant and execute in memory

    RC4_KSA(Pre-session key)
    decrypted data size header = RC4_PRGA(PRGA_data1)
    decrypted data size = Modified_RC4_PRGA(PRGA_data2)
    decrypted data header = Modified_RC4_PRGA(PRGA_data3)
    decrypted data = Modified_RC4_PRGA(PRGA_data4)
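A worked model of the stager's RC4 pieces, as an added example that is not the presentation's own code: the per-byte rotate from the slide-10 key loop, the standard RC4 KSA/PRGA, the nibble-swapping Modified_RC4_PRGA from slide 20, and the four-block decryption order from slide 22 chained on one cipher state. Assumptions: the modified PRGA's output step is the standard RC4 XOR (not shown on the slide), one KSA state is carried across all four blocks, and the key path and data blocks in the sample are constructed.

```python
# Added example (not the presentation's code): Python model of the DBGPRINT
# stager's RC4 handling. Assumed: slide-10 loop = ROL 5 per byte, modified PRGA
# output step = standard RC4 XOR, one KSA state carried across all four blocks.
def rol5_transform(buf: bytes) -> bytes:
    """Slide 10 loop: each byte b -> ((b >> 3) | (b << 5)) & 0xff, i.e. ROL 5."""
    return bytes(((b >> 3) | (b << 5)) & 0xFF for b in buf)

class Rc4State:
    """Standard RC4 KSA; both PRGA variants below advance this same state."""
    def __init__(self, key: bytes):
        self.box, j = list(range(256)), 0
        for i in range(256):
            j = (j + self.box[i] + key[i % len(key)]) & 0xFF
            self.box[i], self.box[j] = self.box[j], self.box[i]
        self.x = self.y = 0

    def _step(self) -> int:
        """Part shared by both PRGAs: advance x and y, swap, return index z."""
        self.x = (self.x + 1) & 0xFF
        self.y = (self.y + self.box[self.x]) & 0xFF
        self.box[self.x], self.box[self.y] = self.box[self.y], self.box[self.x]
        return (self.box[self.x] + self.box[self.y]) & 0xFF

    def prga(self, data: bytes) -> bytes:
        """Standard RC4 PRGA, used for the size-header block."""
        return bytes(c ^ self.box[self._step()] for c in data)

    def modified_prga(self, data: bytes) -> bytes:
        """DBGPRINT variant: nibble-swap box[z] in place, then XOR with it."""
        out = bytearray()
        for c in data:
            z = self._step()
            self.box[z] = ((self.box[z] << 4) & 0xF0) | ((self.box[z] >> 4) & 0x0F)
            out.append(c ^ self.box[z])
        return bytes(out)

def decrypt_implant(pre_session_key: bytes, blocks) -> dict:
    """Slide 22 order: KSA once, standard PRGA for block 1, modified PRGA for
    blocks 2-4. XOR keystreams are symmetric, so this also encrypts test data."""
    st = Rc4State(pre_session_key)
    d1, d2, d3, d4 = blocks
    return {"size_header": st.prga(d1), "size": st.modified_prga(d2),
            "header": st.modified_prga(d3), "data": st.modified_prga(d4)}

if __name__ == "__main__":
    # Constructed sample: key from a made-up path, four made-up plaintext blocks.
    key = rol5_transform(b"C:\\example\\sample.pnf")
    plain = (b"\x04\x00\x00\x00", b"\x13\x00\x00\x00", b"MZ", b"constructed implant")
    enc = decrypt_implant(key, plain)  # encrypt by symmetry
    print(tuple(decrypt_implant(key, tuple(enc.values())).values()) == plain)  # True
```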

23 DBGPRINT Implant: File transfer / management
Command code: Capability
2: Enumerate disk drives
3: List files
4: Upload file to C2 server
5: Download file from C2 server
6: Rename file
7: Create folder
8: Delete file
10: Execute file
11: Move file
12: NtSetInformationFile

24 DBGPRINT Implant: Windows management / Screenshot
Command code: Capability
807: Enumerate windows
808: Hide windows
809: Show windows
810: Close windows
811: Minimize windows
812: Maximize windows
814: Screenshot
815: Set screenshot event signaled

25 DBGPRINT Implant: Remote desktop connection; Process / Network connection / Service management
Command code: Capability
816: Remote desktop
817: Enumerate processes
818: Terminate process
820: List network connection status
821: Abort a network connection
822: Enumerate services
827: Manipulate service

26 DBGPRINT Implant: Remote shell / Registry management
Command code: Capability
1006: Start remote shell
1007: Exit remote shell
1008: Obtain remote shell PID
2011: Enumerate registry
2013: Create registry key
2014: Set registry key
2015: Delete registry key
2016: Delete registry value

27 Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
Section: Detection Warfare

28 Eliminate Patterns
[Configuration dump of an earlier version; annotated fields: Mutex, Space (0x20)]

29 Eliminate Patterns
[Configuration dump of a later version; annotated fields: Plain text, XOR with 0xff, Listen port]

30 x64 Version

31 Self-Modifying Code
[Disassembly dump: before vs. after self-modification]
Only the wait-for-connection function is left after self-modifying.

32 Double DLL Sideloading
(White) Benign EXE -> (Gray) Malicious DLL -> (Black) Malicious DLL

33 Anti Security Product
- Malicious DLL -> RC4 decryption -> Payload 1 (Anti-SecurityProduct) -> injected into the security product
- Malicious DLL -> RC4 decryption -> Payload 2 (DBGPRINT) -> injected into svchost.exe -> waits for connection from the actor

34 Questions?