Operation PZCHAO

BSidesSF · 2019 · 18:31 · 270 views · Published 2019-03
About this talk
Nowadays cyber-attacks are growing in complexity as threat actors split payloads into multiple modules with highly specialized uses to achieve a target's compromise. The past few years have seen high-profile cyber-attacks that shifted from damaging the targets' digital infrastructures to stealing highly sensitive data, silently monitoring the victim, and constantly laying the ground for a new wave of attacks. This is also the case with a custom-built piece of malware that we have been monitoring for several months as it wreaked havoc in Asia by targeting a number of high-profile institutions. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have dissected it to better understand its capabilities, its communication techniques, and ultimately its impact on the victim's data.
Transcript

Welcome to Theater 15, everybody. My name is Harry, I'll be your proctor. This was actually originally supposed to be a Rolling Stones reunion concert, but by popular demand I'm happy to introduce Devon Alexander and Chile here with the session titled Operation PZChao, and I'm gonna hand it off to her, she can take it away. A round of applause, folks.

Hello everyone. Today I'm here to say a few words about the research I did recently about a targeted attack that is based on a RAT component. I hope that at the end of the presentation you'll find the information useful and you'll better understand the impact of malware. Please allow me to introduce myself. My name is Ivana, I'm a forensics engineer at Bitdefender with four years of expertise in the cyber threat intelligence lab, and I'm also a master's student in information security.

Who are we? Well, Bitdefender is a security product founded in 2001 with almost two decades of security expertise. It also operates a security delivery infrastructure of 500 million machines in 150 countries. Also, you can find us in most of the top security products, which also integrate our technology, and last but not least we are a community of researchers that are very passionate about machine learning and artificial intelligence, and our studies are integrated in our technologies.

The agenda for today is quite simple: we are going to review some general aspects behind the case, then we are going to dive into some more technical details, and then we'll close with some conclusions.

Some quick facts about the case. In July 2017 our threat intelligence systems detected a number of packed samples disguised as legitimate applications that were flagged as malicious at first glance. In our telemetry data we found a small number of hosts with IP addresses located in Asia, but after digging more into our telemetry we arrived at a total number of 10,000 institutions from the technology sector, government, education and telecommunications.

Now we'll take an in-depth look at the attack chain, the infrastructure used by the attackers along with the malware samples they control, the payloads delivered on the systems, and also some telltale signs that indicate the return of the Iron Tiger APT.

The attackers behind the attack have control over five subdomains that host command and control servers, suggestively named; each one serves specific functionalities like downloading additional tools, uploading sensitive data, and RAT-related communication. The initial point of compromise seems to be highly targeted spam messages that lure the target into opening a malicious document that will further download the first-stage payload. This download server is one of the malicious servers affiliated, and it has been resolving to an IP located in South Korea since July 2017, which is also when our threat intelligence systems first encountered the first indicator. Starting this year the domain changed its resolution to another IP, but it is still located in South Korea. As you can see in the diagram, at each stage of the attack new samples are downloaded and executed on the system. In the last stage of the attack, once the Gh0st RAT has arrived on the system, the system will be fully controlled and monitored. We'll see some details regarding these payloads next.

So, talking about the first-stage payloads: the first payload that arrives on the system is a self-extracting 7-Zip archive that will drop on the system two malicious bat scripts and one legitimate application, curl. The first script run will be up.bat, and its purpose is to schedule the second bat to run as a task under the legitimate name of the Adobe Flash updater. This disguise is often used by malware attackers in order to avoid detection by security products. So before setting the task to run, it will make sure that nothing will interfere with the sample, and will kill all legitimate Adobe Flash applications and also all legitimate security solutions installed on that system. This newly installed malicious Adobe task has two main functionalities: the first one is to download additional companion tools from a download server, and the second one is to upload system information, and later sensitive data, to the upload server. For the uploading part it will need a helper bat, which it will drop on the system, called 360, mainly because of its resemblance to a highly popular security suite in China. So it will upload to the server a fingerprint of the system consisting of domain, username, MAC address and a flag indicating if the RDP port is open. After finishing profiling the victim's device it will start sending credentials such as passwords. The password retrieval is done via an implementation of Mimikatz, which will be downloaded along with the second-stage payloads. The uploading of the sensitive data is scheduled to run every week at 3 a.m.

Now let's talk about the second-stage payload. The first payload that is requested from the server is the password stealer application, which is Mimikatz; actually two versions of Mimikatz are downloaded, for both system architectures. Once executed, it will dump a file containing all the credentials on the disk, and this file will be later uploaded when the scheduled time comes. The second payload that is downloaded is a set of Bitcoin mining tools that will run under a legitimate name called Java time; they are scheduled to run every three weeks at 3:00 a.m. The last payload that arrives on the system, and the most important one, is a slightly modified variant of Gh0st RAT that is designed to act as a backdoor implant; once it arrives on the system it will start beaconing to the C&C server.

So this Gh0st RAT is composed of two components. The first component represents a dropper, which is a Windows application that contains all the code required to prepare the host for the installation of the actual RAT server. The actual RAT server is a DLL that will be installed, again under a legitimate name, Oracle, and once installed it will start communicating with the attackers' endpoint. The attackers' endpoint is also known as the RAT client, so the RAT infrastructure is composed of the attacker part, also known as the client, which will control the victims through the server that was previously downloaded and installed on their systems. Very interesting is that the Gh0st architecture takes advantage of the ability to create custom resources in custom binaries, so it is very easy for the attackers to create binaries that will better exploit custom targets. In order to communicate with the C&C servers it will first search its own binary to find the AES-encrypted C&C servers; once it manages to decrypt them it will perform a handshake with a server by sending a login token along with some login data consisting of OS version, IP address, hostname and a flag indicating if the webcam is available or not. Once the handshake is performed it will enter a loop and wait for further instructions. The attackers usually use these data in order to identify what kind, or maybe what role, the victim has in that specific network of the organization. So after establishing this handshake it will send some instructions instructing the server what to do. Among the capabilities there are the remote shell, keystroke logging, the webcam and microphone, downloading additional binaries, and system information such as the list of processes currently running on the system or screenshots of the infected host. This instruction contains an instruction code, and this instruction code can be of two types: there are the commands, this is when the client, also known as the attacker part, will instruct the server what to do next, and also there are the tokens that are used to sync the data between the server and the client, as we have seen with the token login.

Now we'll see some similarities with Gh0st RAT variants used in attacks associated with Iron Tiger. Mainly there is the registry key name used for persistence; there are some scripts used for process cleanup, this is done because they prefer to remove all the traces after infecting the system; also there are some specific strings hardcoded for generating the AES encryption key; the use of specific agencies that provide a new configuration of the server list, they do that in order to evade detection; and also the use of password stealer applications such as Mimikatz.

While analyzing the download server we managed to retrieve a list of all the files that were hosted on that server, including some meta information such as last modified time and also the total number of hits that were made. Among the variants we have found there are several Gh0st RAT variants on the server, along with some IP logs that contain IP addresses of the targeted hosts, and what is more interesting is that once in a while the attackers reset the IP logs along with the number of hits in order to mark the end of a campaign and the start of a new one. Okay, so as I said, there are other variants of Gh0st RAT hosted on the server; the behavior is very similar with the one I have analyzed, but the communication protocol differs a little: there is no encryption with AES, but the body of the packet is compressed. This variant was also spotted in Iron Tiger attacks. The download server also contains a Python-developed RAT that has functionalities like downloading, uploading and information gathering. Another category of application are the port scanning tools that come with a set of IP logs that are passed as an argument when the tools are executed, so the logs contain some subnet ranges mainly located in Asia, indicating that the attackers, prior to an infection, will scan the target for vulnerabilities; so in the end the hosts that will be infected are the ones that are vulnerable.

To sum up, in the end what is concerning is the significant number of targeted hosts or infected hosts, and what is more concerning is the big number of users that are unaware of this threat that has very powerful capabilities of espionage and also lateral movement mechanisms, and we can point that there is a very close linkage to this affiliate group, meaning that they will come with more and more campaigns.

Okay, so now some takeaways. In case you want to check if your system is infected or if your system was a victim of such an attack, you should look into suspicious network traffic, malicious scheduled tasks, suspicious processes, or maybe high usage of the CPU. And because in most of our investigations the attack vector begins with some spam messages, a very important advice would be: do not open spam attachments. Also another important advice would be to keep all your installed applications up to date, because if your applications are not updated it would be easier for the attackers to infiltrate your organization. And last but not least, use a security solution that has multiple layers of protection, so that the attacks may be stopped at least at one intermediate attack stage. For more indicators of compromise you may check our Bitdefender technical blog, or if you want to check more of our investigations you can check the white paper section. Also there are some useful tools in case of ransomware infection; more precisely, for some families we have decryption tools that will decrypt your files so you don't need to pay the ransom. Also we provide a live attack map that registers all the attacks that we see in the wild. Also, if you have any questions please do not hesitate to contact me; I will be here today and tomorrow, but you can contact me through LinkedIn, Twitter or email. Thank you very much.

Moderator: Awesome, thank you very much. We've got a couple of questions for you. If we want to hit the audience first, does someone in the audience have a question? I see you there, I'm gonna come to you with the microphone. You were here.

Audience: Quick update: do you have any list of the vulnerabilities that the malware would deem fit to run on, like what vulnerabilities would it check for before it installed?

Ivana: Sorry, can you repeat this?

Audience: What system vulnerabilities would it check for before it decides to make that system a victim?

Ivana: It will check if certain ports are open on that machine so it can infiltrate.

Moderator: A couple of questions came in here off Slido, and while I make my way down to you, sir, I can ask you those. Did you evaluate this file using VirusTotal? If yes, what information was gained through there?

Ivana: If I checked the VirusTotal platform? I couldn't understand.

Moderator: Okay, we'll move on to another question. Does it affect Mac users?

Ivana: No, it hasn't.

Audience: Hi, I'm wondering how did you get the list of all the files on the download server, including all the download counts? Because they use an HTTP server, so is that like a trick in order to comment it, or is it...

Ivana: Oh yes, it is a directory listing.

Moderator: Yeah, welcome, Dave.

Audience: Any estimates on how large the attack was, like how powerful it was, how long it's been going?

Ivana: Sorry?

Audience: Oh, sorry. Do you have any estimates of how large the attack got?

Ivana: Oh, sorry, okay. From our telemetry we think that there are over... but those are only targets; we don't know if the attack succeeded.

Moderator: Any more questions? On my way.

Audience: Hey, so I was trying to ask the question on VirusTotal. When we analyze malware files we try to see if the hash is available on VirusTotal, so I was just curious if you uploaded the file or the hash on VirusTotal, or if you have any other website that you use to kind of gather more information about the file, and when was the first time it was seen, what the community thinks of it. I think, looking at the file, Bitdefender would flag it as malware on VirusTotal, but what would all the other AVs have to say about this file?

Ivana: These files are very subtle; they were not explicitly detected, only Bitdefender had more specific detection. But regarding what you have said first, yeah, we have the files uploaded to VirusTotal, so you can find them there. Also you can find them in the white paper.

Moderator: Were there any other questions?
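The talk's takeaways (malicious scheduled tasks hiding under vendor names such as the Adobe Flash updater, "Java time" or Oracle, batch scripts scheduled to run, and the 3 a.m. weekly schedules) can be turned into a small triage script over an exported task list. This is an added example, not code from the talk or from Bitdefender; it assumes a CSV with a subset of the columns produced by `schtasks /query /fo CSV /v`, and the sample rows, names and paths are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample in the shape of a subset of the columns printed by
# `schtasks /query /fo CSV /v`. Task names and paths are invented for
# illustration; they are not indicators from the talk.
SAMPLE_TASKS_CSV = r"""TaskName,Task To Run,Run As User,Schedule Type,Start Time,Days
\Adobe Flash Player Updater,C:\Users\Public\update.bat,SYSTEM,Weekly,03:00:00,SUN
\JavaUpdateSched,C:\ProgramData\jt\java.exe --miner,SYSTEM,Weekly,03:00:00,MON
\GoogleUpdateTaskMachineUA,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua,SYSTEM,Daily,14:06:00,N/A
\Adobe Acrobat Update Task,C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe,SYSTEM,Daily,09:00:00,N/A
"""

# Directories where genuine vendor updaters normally live (compared lowercased).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Vendor names the talk reports being borrowed for task names (Adobe Flash
# updater, "Java time", Oracle).
LOOKALIKE_NAMES = re.compile(r"adobe|flash|java|oracle", re.IGNORECASE)


def triage_task(row):
    """Return the list of heuristic findings for one scheduled-task row."""
    findings = []
    action = row["Task To Run"].strip().strip('"').lower()
    if LOOKALIKE_NAMES.search(row["TaskName"]) and not action.startswith(TRUSTED_DIRS):
        findings.append("vendor lookalike name but action outside trusted directories")
    if re.search(r"\.(bat|cmd)\b", action):
        findings.append("task action is a batch script")
    # Weak signal on its own: both the upload task and the miner ran at 03:00.
    if row["Schedule Type"].strip().lower() == "weekly" and row["Start Time"].startswith("03:"):
        findings.append("weekly 03:00 schedule")
    return findings


def triage_tasks(csv_text):
    """Parse the CSV export and return {task name: findings} for flagged tasks only."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = triage_task(row)
        if findings:
            flagged[row["TaskName"]] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in triage_tasks(SAMPLE_TASKS_CSV).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real host, feed it the output of `schtasks /query /fo CSV /v` and review every flagged task's action path by hand; the heuristics are meant to prioritize, not to decide.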