
Thank you very much. So, wow, this is a large audience, I didn't expect this, but yeah, pretty cool. First time at BSides, super fun. So today I'm going to be talking about APT15, also known as Ke3chang or Mirage. The reason I'm talking about APT15 is that last year NCC Group's Cyber Defence Operations team were involved in an investigation that was attributed to APT15, and during that investigation we were able to uncover more than 200 C2 commands from compromised hosts, which gave us a very good insight into the operation of the group on a compromised network. We also managed to retrieve several backdoors and tools that were used by the group, which I'm going to discuss today.

But before I do so, I'll first give a brief overview of who APT15 is, for those in the audience who don't know what APT15 is, then I'll talk about the case that we were involved in, and then the tools. So who is APT15? APT15 first came into public attention in 2014, and that was when FireEye published the report Operation Ke3chang. The Ke3chang campaign was around the same time as the G20 summit, I believe, which at that point in time was during the Syrian crisis, and they managed to get access to a C2 for a brief period of time, I believe less than a day, and they managed to get insight into the campaigns that were operated by APT15 at the time. They managed to get insight into the tools used by the group, and they found out that actually they were targeting several Ministries of Foreign Affairs in this campaign, in several European countries, and different industries as well, but definitely there was a focus on government entities per se. They estimated that the group had been in operation since at least 2010. The typical mode of operation involves spear phishing targets, so attachments in emails to targets that look very familiar, look very reasonable, and typically they would leverage Word vulnerabilities in order to ultimately get the backdoor on victims.

From 2014 to 2016 nothing was published about APT15, at least in the public domain, until Palo Alto released a blog post discussing TidePool, which was a campaign again attributed to APT15. The campaign was targeting several Indian embassies this time. There again they were leveraging a Word vulnerability in order to ultimately launch TidePool, which was a backdoor that was an evolution of the previous backdoors that FireEye discussed in Operation Ke3chang. So yeah, typical vulnerabilities include Word, sometimes even PDF readers, Adobe PDF Reader, even Java. The names you can see down there, BMW, MyWeb, BS2005, these are the names that FireEye gave to the backdoors, and I think the names are taken from the debug information inside the PE header: from the debug directory you can get the path of the project in Visual Studio, and so they named them according to the path there. So according to FireEye, the campaign from 2007 used what was called MyWeb and BMW, and then evolved into BS2005, and that continued until 2016, which was when TidePool was introduced into the tool set of this actor.

So now, the case. The case is for a global technical and [unclear] consulting company. They had offices in the UK, USA, India,
several places in Europe, a defence contractor, and they operated in several sectors including, funnily, cybersecurity. The incident basically started off in April 2017. In April 2017 there was a Mimikatz alert that was caught by the customer, and they started the investigation because they basically flagged Mimikatz. When they started the investigation they called NCC in May 2017, and that's when we got involved. We started to look at traces of activity and we found that actually the actor had been on the network since at least May 2016. The reason I'm saying at least is that we found that the customer was going through a huge IT transformation project during that same period of time, so it's highly likely that a lot of forensic evidence was lost, and so we couldn't actually trace it even further back. We continued the investigation until the end of June and we found traces of data exfiltration in April, and then in June they asked us to stop the investigation because they had a handle on things, they could take things from there. So we did, and then come August 2017 they asked for our help again, and they said, well, it seems like the attacker has been on the network again. So right after we left in June the actor got in again, and that's why we got called in in August. We continued the investigation till October, and that's when it concluded.

From our side, typical TTPs for this actor: obviously Mimikatz, so they used Mimikatz to get domain creds and used these domain creds to move laterally across the network. They tried to use Mimikatz to get a Kerberos golden ticket; that didn't work. They managed to steal a VPN certificate for a user and used the creds in order to log in, and that's how they got in the second time around, so that's when they got in after we left the first time. They leveraged whatever was present on the machines, so typical tools available on any Windows box. They would mount the C$ share on a
remote machine, copy the backdoor, and then remote exec the backdoor, and so on and so forth, using domain creds. What was interesting is that they didn't stop there. I mean, they even went further to use tools that were in some cases present with vanilla installations of, like, MSSQL: with Microsoft SQL you get a handy utility called BCP, which is the bulk copy program, and that allows you to copy data out of SQL or into it. You can see there, this is a decoded command from the C2 with BCP and then a SELECT statement; that's actually sent from the C2 to the compromised machine. They brought in tools, whatever they wanted, in order to do the job: remote exec, something called [unclear] which is like a vulnerability scanning tool. I apologise, many of you pentesters will probably know this stuff, I'm not one, so I do apologise. CSVDE is apparently a tool that allows you to dump stuff from Microsoft Active Directory; you can dump data in CSV format, and they used that in order to dump data from the customer's Active Directory.

But they also didn't stop at just off-the-shelf tools; they created their own stuff. They had been there long enough to go back and create their own stuff, and we found three bespoke tools, and probably key loggers that were used [unclear]. So one tool was used in order to enumerate Microsoft SharePoint, so they created a .NET tool to connect to SharePoint and look for specific project IDs. So they knew what they were looking for; they had specific project IDs they were looking for in SharePoint, they would get the links in SharePoint for these documents, dump them out, and then that would be exfiltrated. Another tool had been used to connect to Exchange, so they had user creds, again with hard-coded IP addresses, and it would connect to Exchange using the user creds, enumerate everything, subjects, attachments, body, search by everything, dump everything out to a file, and then they would exfiltrate that. You can see up there, that's basically the hard-coded paths for one of the key loggers, so you can see this is [a user]'s path, so obviously they had access to the user account and then they went and built the key logger and then came back and deployed it, because otherwise they wouldn't have access to that path.

Typically exfiltration took place in RAR archives. The information they were after was military projects that the client might have been engaged in, emails, the consultants' information. What was interesting was the naming convention used for the archives. So you can see there, 0331_0; does anyone want to take a guess what this means? So this is March the 31st,
archive number 0. So that was very handy for us in order to tell us actually when the archive was created, to know that the data started to be collected into this archive on this date, because they used dates, and then we could obviously correlate that with the timeline and the timestamps for when the file was created.

The other thing was they used batch files heavily for everything. I don't know if this is intentional or due to a weakness of the actor, I don't know, but some of the backdoors didn't have persistence in them, so they wouldn't persist on reboots etc., but they would go on and create a batch file to create the run key for the backdoors, and then execute the batch file for the backdoors to persist. They used batch files even to run commands, and then pipe these commands into a file and then exfiltrate the file. So I'm not sure why they have really relied on that in order to execute what they wanted. Many of the backdoors you'll come across would take commands, execute them, and then just post the result back to the C2 right away; they wouldn't write the command to a batch file, then execute it and then post the data back. But yeah, if there was one unique attribute about this actor I guess this would be it.

The other thing which is interesting from the decoded commands was, as you can see there, a typo in cd c:\windows\temp, and they had to [unclear] with their own system. This gave us insight into the fact that probably this is not an automated server-side script that's just sending queries to the backdoors; this is probably someone manually sitting on the other end typing commands that get sent to the backdoor and then get executed.

So the tools I spoke about: the key loggers, so they had the bespoke tools, the key loggers, the SharePoint and MS Exchange enumeration tools; they brought in off-the-shelf tools in
order to do the job. But we found three different backdoors on the customer's network. BS2005 was perhaps one that was previously discussed by FireEye, but we found it there. We didn't find TidePool, which means probably that the actor doesn't have to stick to what's new when they're using the backdoors; they'll use the backdoors that do the job for them, meaning even though TidePool was released in 2016, and this was the latest backdoor in their arsenal, we didn't find that, we found BS2005. What was new was two other backdoors, RoyalCli and RoyalDNS, which I'll discuss now.

So RoyalCli: the compile date is 2015, and the name comes from the debug information, so just following convention here, and these were the C2s there. What was interesting about this backdoor is a trick, and I think it's the first time I see this trick, which is they copied cmd.exe into the current working directory and then they would patch it. They would look for a specific string inside cmd.exe called DisableCMD and change one character, from a D to [unclear]. Does anyone know what DisableCMD is, what it does? Yeah, exactly. So basically cmd, when it starts, will check this registry key, and if it's set to a value of 2, I believe, then it exits execution, and if it doesn't exist it will continue execution. So you can basically block cmd from running on machines by setting this registry key. Apparently they ran into problems before, and they rely heavily on cmd to run their commands, so they would copy cmd into the current working directory, patch it, and use that version instead of the default cmd sitting in System32. The configuration file, which included the C2s, was typically dropped in the temp directory; it was XOR encoded, and at the end of the talk you'll find the link to our scripts that you can use if you run into instances of this backdoor, or if you want to play with the backdoor and learn more about
it. There were lots of similarities with BS2005 and MyWeb, specifically the mode of communication, so they use HTTP and they use the IWebBrowser2 COM interface to instrument IE. So every HTML file that gets fetched typically gets cached on the machine, and this is why we had access to the 200 or more C2 commands, because we had so many HTML files cached on the compromised hosts that we took, decrypted, and understood what actually happened there.

The beacon for RoyalCli goes something like this: it's a GET request that starts with an id parameter, which is an infection identifier, followed by a page parameter, which is the hostname XORed and base64 encoded, and then you get the role parameter, which is the encryption key. So the role parameter was the XOR key which can decode the page parameter, which is the hostname. The mode of operation involves a heartbeat, which is just a GET request to help.aspx; typically the C2 responds with a number of milliseconds for the backdoor to sleep and then a flag. The flag would then tell the backdoor what it should fetch the second time, after it sleeps. So if the flag is not set it will just continue in the heartbeat operation, getting a number of milliseconds to sleep. If the flag is set then it fetches a "personal" HTML, which is an HTML page that will carry the execution functions that the backdoor needs to operate. This is an example of an HTML file retrieved from one of the compromised hosts, so you can see there, prepended to the HTML, base64 encoded data in between backslashes, and that's basically the command. They're not using the same XOR key that is in the role parameter in the HTML there; I believe the first 16 bytes would form a seed that they would use in order to generate the key that would then be used to decrypt the commands. This is an example of a decoded command,
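The beacon and reply format just described, as an added worked example in Python that is not part of the talk and not NCC Group's published scripts. The talk gives the parameter names (id, page, role) and says page is the hostname XORed and base64 encoded with the key carried in role; applying the role value verbatim as a repeating XOR key, the index.aspx path, the proxy log layout and the sample lines are assumptions constructed for this example. The command blobs prepended to the HTML are only extracted, because the seed-derived key the talk mentions is not reconstructed here.

```python
"""Added example: decode a RoyalCli-style HTTP beacon and pull command blobs
out of a C2 reply page. The talk names the parameters (id, page, role) and
says page is the hostname XORed and base64 encoded with the key carried in
role; applying role verbatim as a repeating XOR key, the index.aspx path and
the proxy log layout below are assumptions made for this example."""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so one routine encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_beacon(c2: str, infection_id: str, hostname: str, key: bytes) -> str:
    """Construct a beacon URL in the assumed layout (used to make the sample data)."""
    page = base64.b64encode(xor_bytes(hostname.encode("ascii"), key)).decode()
    return (f"http://{c2}/index.aspx?id={quote(infection_id)}"
            f"&page={quote(page)}&role={quote(key.decode('ascii'))}")


def decode_beacon(url: str) -> Optional[dict]:
    """Recover infection id, XOR key and hostname from a beacon URL; None when
    the three parameters are absent or page is not valid base64."""
    params = parse_qs(urlparse(url).query)
    if not all(name in params for name in ("id", "page", "role")):
        return None
    key = params["role"][0].encode("ascii", errors="replace")
    try:
        raw = base64.b64decode(params["page"][0], validate=True)
    except ValueError:
        return None
    if not raw or not key:
        return None
    hostname = xor_bytes(raw, key).decode("ascii", errors="replace")
    return {"infection_id": params["id"][0], "key": key, "hostname": hostname}


def scan_proxy_log(lines) -> list:
    """Run decode_beacon over 'client - url status' proxy lines; a URL that
    decodes to a printable hostname is reported as (client, decoded fields)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        decoded = decode_beacon(fields[2])
        if decoded and decoded["hostname"].isprintable():
            hits.append((fields[0], decoded))
    return hits


COMMAND_BLOB = re.compile(r"\\([A-Za-z0-9+/=]+)(?=\\)")


def extract_command_blobs(html: str) -> list:
    """The C2 reply prepends base64 data between backslashes to an otherwise
    ordinary HTML page; return the raw decoded blobs. Decrypting them needs the
    seed-derived key the talk mentions, which is not reconstructed here."""
    return [base64.b64decode(m) for m in COMMAND_BLOB.findall(html)]


# Constructed sample data, not from the investigation.
SAMPLE_KEY = b"k3Y"
SAMPLE_LOG = [
    "10.0.0.5 - " + build_beacon("203.0.113.10", "8f21", "WS-FINANCE-07", SAMPLE_KEY) + " 200",
    "10.0.0.5 - http://intranet.example/index.aspx?id=42&page=home 200",
    "10.0.0.9 - http://cdn.example/app.js 200",
]

if __name__ == "__main__":
    for client, decoded in scan_proxy_log(SAMPLE_LOG):
        print(client, decoded)
    print(extract_command_blobs("\\A2RhdGE=\\<html><body>ok</body></html>"))
```

The printable-hostname check in scan_proxy_log is what separates a real beacon from an unrelated page that happens to use the same three parameter names: a wrong key or unrelated data XORs to garbage. Against real proxy logs, the URL field position and the .aspx path are the first things to adjust.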
so you can see there it starts with a 03. This 03 is basically an identifier for a function that the backdoor needs to perform, so they had different hex numbers for different operations, and then it's followed by some data and then a string, and you can see @echo off, cd c:\windows\temp, ipconfig. This is the batch file, so they're writing this string to a batch file and then they will execute that batch file in order to run the commands, and this is all piped to [unclear].

So what was interesting about the way this whole thing works is how they actually track writing to files. So this is a write, this is not an execution function, so 03 means write to file. So how do they know which file to write to? The C2 will be sending a number that they will be using on the server end to track which file they're writing to. This number gets multiplied by a constant in the backdoor, and the resulting ID number gets appended to a [unclear] temp .ini file name, so that number dot ini will be read, and the CN key will have the path of the file that the data gets written to. It's a very convoluted, long way to write a file, but why are they going through this hassle? So they have other things, BN, BS, TB: BN is the block number, BS is the block size, and TB is the index inside the block. So this means that they will be reading that file and then moving the index that many blocks into the file, and then starting to write from index number zero. The reason they're using this is, I guess, in order to track execution, to track basically how far they've gone. If the connection drops, or for some reason, you know, during the writing to a file or the reading from a file anything happens, they can go back to the .ini file and continue from where they stopped.

They used file mapping objects for reading and writing. The MyR object is for reading from files, so they would map the file and then use that handle, and the MyW object will be used for writing, and later on you'll see why this is significant, or why this is important. This is briefly some of the functions that the backdoor employs, like any backdoor: download, execute, upload data, with the addition of patching cmd. They have this thing where they can redo the whole patching process again if it didn't work the first time.

Next one is BS2005. We found two samples of BS2005; one was
packed with VMProtect and the other was not. So the 2016 sample was packed with VMProtect, and for some reason it was used to download the unpacked version of the sample, and the unpacked version was used in order to execute. Yeah, they used the unpacked version throughout; when they moved laterally they would copy this unpacked version rather than the packed one, which is weird. I guess maybe for some reason AV picked up the packed version, but it's VMProtected, it's a legitimate packer, I don't know why they would use the unpacked version. Again, HTTP mode of communication using the IWebBrowser2 COM interface, so cached HTML on the compromised hosts. This is what I think it looks like for BS2005, so it's a POST request instead of a GET, and the data is base64 and AES encrypted this time. The AES IV is the last 16 bytes and the key is the first 16 bytes. So this gives, yeah, the IP address, the hostname, and an infection identifier when it starts. Unlike RoyalCli, when the C2 responds back with an HTML, the commands are not actually prepended to the HTML; they are inside a ViewState field. So they would go and read the HTML, find the ViewState field, and look for two markers, and you can see there they're highlighted in red, [unclear marker strings], but the markers changed from backdoor to backdoor; whatever backdoor, yeah, we found an earlier sample of BS2005 using different markers, but typically the data will be included in between markers and the data inside is again base64 and AES encrypted.

Last up is RoyalDNS. This was the last addition to the tool set and this was interesting; it was quite different from the previous ones. As you can see there, the compile date is 2017, and this is in March, so it was basically a few months away from when we started the investigation, or, yeah, basically a month away from the Mimikatz alert. This one contains persistence, so you get a service. It's a
DLL, it runs as a service in svchost. By default the service is Nwsapagent, but that can be changed; the DLL can take arguments to change the service name. It uses DNS for communication. Sorry, the image is, yeah, not so legible; that's my mistake, I apologise. This is what the beacon looks like, so it's a TXT request, and as you can see there I've highlighted... many of you might be familiar with what the TXT request format looks like, so the 3f there that's highlighted in red is basically the length of the first subdomain, so the first number of characters that should be read, and then the second one is 12, that's again the length, 12 characters, and then finally you get 08, which is the length of the attacker's domain, and then com, which is 3. The attacker's DNS resolver is the only one that's going to be able to resolve these requests, so the DNS requests get passed on and on and on until there is a server authoritative for that specific domain that gets the request, and basically the data that gets sent is what will be decoded or handled by the C2. The data doesn't make much sense, as you can see there; it's basically a sequence of bytes, you can see 0, 1, 2, 3, 4, 5, 6, you know, you can see a sequence there; it doesn't make much sense. Unfortunately when we were looking at the sample at the time the C2s were down, so we didn't really make much sense out of this information, but it would go on. So the first request would be a 5 followed by the sequence of data, and then it will try again with x instead of 5, try again with, sorry, 3, and then base32 encode the same data. So the same data, the same zeros and then 0 1 2 3, gets base32 encoded and then gets appended to 3, and then the same thing again with variants, and it goes on like infinitely, trying to post this request to the DNS.

So this is purely here because we couldn't get the C2 working or responding to any requests; this is purely from reverse engineering. So if the C2 responds, they would hash the hostname XORed with the volume serial number and then use that as a fingerprint for the infection. They would typically read data from, and then go on reading data from, c:\windows\temp\[unclear].txt; this is hard-coded, so they always read the same file, RC4 encrypt the data, encode it, and then send DNS requests with this information. For responses received from the C2, they would execute
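The TXT-record beacon described above, as an added worked example that is not part of the talk and not the group's or NCC Group's code: it builds a DNS query in wire format from RC4-encrypted, base32-encoded data split into length-prefixed labels of at most 63 bytes (hence the 0x3f first label in the capture), parses such a query back to the payload the way the attacker's resolver would, and applies a simple length-and-alphabet heuristic for spotting similar names in resolver logs. The leading type character, the RC4 key, the domain c2.example and the payload are constructed assumptions; the talk does not state the real key, domain or exact label layout.

```python
"""Added example: a DNS TXT beacon of the kind described for RoyalDNS.
Assumed layout: <kind char><base32(RC4(key, payload))> split into labels of
at most 63 bytes, followed by the attacker's domain. The key, the domain
c2.example, the kind character and the payload below are all constructed
for this example and are not the real sample's values."""
import base64
import struct

QTYPE_TXT = 16
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
MAX_LABEL = 63            # DNS label length limit, hence the 0x3f first label


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_name(payload: bytes, key: bytes, domain: str, kind: str = "5") -> bytes:
    """Encrypt, base32-encode (padding stripped, lowercased) and chop the text
    into 63-byte labels, then append the domain; returns the wire-format name."""
    text = kind + base64.b32encode(rc4(key, payload)).decode().rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    labels += domain.split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_txt_query(name_wire: bytes, txid: int = 0x1234) -> bytes:
    """Minimal DNS query packet: 12-byte header, one question, QTYPE TXT, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + name_wire + struct.pack(">HH", QTYPE_TXT, 1)


def parse_name(wire: bytes, offset: int = 0):
    """Walk the length-prefixed labels (0x3f, 0x0c, 0x08, 0x03 in the talk's
    capture) up to the terminating zero; returns (labels, offset after name)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length


def decode_query(packet: bytes, key: bytes, domain: str) -> dict:
    """What the attacker's resolver would do: strip its own domain, rejoin the
    data labels, drop the kind char, base32-decode and RC4-decrypt."""
    txid, = struct.unpack(">H", packet[:2])
    labels, end = parse_name(packet, 12)
    qtype, = struct.unpack(">H", packet[end:end + 2])
    dom = domain.lower().split(".")
    if labels[-len(dom):] != dom:
        raise ValueError("query is not for our domain")
    text = "".join(labels[:-len(dom)])
    kind, b32 = text[0], text[1:]
    b32 += "=" * (-len(b32) % 8)                     # restore stripped padding
    payload = rc4(key, base64.b32decode(b32, casefold=True))
    return {"txid": txid, "qtype": qtype, "kind": kind, "payload": payload}


def looks_like_tunnel(labels, min_data_chars: int = 40) -> bool:
    """Detection heuristic for resolver logs: long, base32-only data labels in
    front of a short registered domain. Tune min_data_chars to the environment."""
    if len(labels) < 3:
        return False
    data = "".join(labels[:-2]).lower()
    return len(data) >= min_data_chars and set(data[1:]) <= B32_ALPHABET


# Constructed demonstration values (not from the real sample).
DEMO_KEY = b"example-rc4-key"
DEMO_DOMAIN = "c2.example"
DEMO_PAYLOAD = bytes(range(8)) + bytes(40)   # mimics the 00 01 02 03 ... run seen in the capture

if __name__ == "__main__":
    packet = build_txt_query(encode_name(DEMO_PAYLOAD, DEMO_KEY, DEMO_DOMAIN))
    print(parse_name(packet, 12)[0])
    print(decode_query(packet, DEMO_KEY, DEMO_DOMAIN))
```

Two things worth noticing when using this against real traffic: the query reaches the attacker's server only because the recursive path ends at whoever is authoritative for the last labels, so blocking is a matter of the registered domain, not the data labels; and base32 is the natural choice for DNS because it survives case folding and the hostname character set, which is also why the alphabet check in looks_like_tunnel is a reasonable first filter.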
these commands. The functions of the backdoor are very limited, so it only supports execution and some download; it doesn't upload, really. Yeah, it reads basically the output of the execution from that .txt file, encodes it and sends it back. So basically: execute, get the result of the execution, or download data to a hard-coded path, which is c:\windows\temp\[unclear].exe. What was interesting was they used the same file mapping object name, in this case the MyW object. When I first saw this I was like, I saw this before, where did I see it? And that really annoyed me, and so this was a very good indicator that this is actually the same thing, this is actually the same group, probably, even though they moved away from HTTP, even though they're using persistence in the backdoor; that was what gave it away. They again typically used batch files, so this was another thing: commands are written to a .bat file in the c:\windows\temp directory, it gets executed and the result of the commands gets piped into the .txt file, which on each iteration gets read, RC4 encoded, etc. When you look even at the function for writing or downloading to files, you can see there it's almost identical, so this is the file mapping, so the MyW object [unclear], basically, so when they download data they write to a target .exe. It's the same function that RoyalCli uses when they download data to a file, and they're using the same .ini technique as well. Yeah, basically exactly the same, so thank APT15 for code reuse, because that was very useful for us to actually tie this sample to the previous samples. Copy-paste of functions is actually heavily used across different actors and different toolsets, so it's a good technique, generally speaking, to try to find similar samples.

We found that actually they didn't have any problems investing time developing their own tools for the target. So I mean, they'd been there since at least May 2016; why wouldn't they? They would go back, write their SharePoint or Exchange enumeration tools, and then deploy them, and yeah, why not. Probably operations and development go hand in hand for this group, so they are not separate. I believe, or I think, that in some instances of actors out there they outsource development, or development is done by a different group, and so operations and development would be separate, but the fact that we had this builder for the keylogger, we had the .NET tools, I think probably it's the same person or team that is behind this. You can find the decoding scripts and YARA signatures for this group on the group's GitHub page, and that's it.
Yeah, thanks to everyone who has actually helped with this; this is a shout out to the guys in NCC and [unclear] IT who were very helpful on this operation. I believe we are very early on time, so happy to take questions.

Superb. So do we have any questions? Just raise your hand. All right, I'll try to bring the mic up to... I'm sorry, I've got a question down at the bar, I need to do some weight. Thanks, Don.

When you were looking at this, did you get any indication of what level of automation there was? Was there a lot of interaction with the attackers, or did they do most of this stuff from scripts, automatically, automation, you know, obviously on the server side?

Yes, so when we were there I don't believe we had activity ongoing. So during the times that NCC was involved, which is where we had a couple of months and then a couple of months later, so two intervals, we don't think we had a lot of interaction when we were there with the actor, but I think it's hard to get the level of automation. The fact that they were using manual commands for the backdoors, I wouldn't say there is a lot of automation happening in the background on the server side, but that's a pure guess because I don't have insight into the C2; I didn't get access to the server. Yeah. Oh, go to
[unclear]. Was the environment being attacked Windows, and the environment... because all of the examples you gave there were attacking Windows systems as opposed to Unix or anything else, sir?

So the question is whether the attacks were only focused on Windows platforms. Yes, definitely, yes. We couldn't find any instance of attacks on non-Windows servers on the client side. That's right. A bit of exercise this morning, yeah. If we do fall over, everybody cheer, by the way.

Do you have any idea of the volume of data and number of files the guys exfiltrated in this?

We do, I mean, I don't have the exact figures off the top of my head, but we definitely traced the number of points that were exfiltrated and the data associated, so we're looking at emails, documents, network mapping information. In terms of volume I don't think it was large per se, not huge, but definitely important information.

Do you have any idea why the attacker was picking this target? Like, have you found other similar related clients, is there anything in common?

Well, we think it's the typical, I think, kind of like supply chain, so they're after government-related information, so they went to a contractor, and they attacked that contractor to get that information. Previously they were targeting, according to FireEye and Palo Alto, government entities, so embassies etc., so it looks like instead of going directly to their targets they're going through someone who'll be working with their target, you know, to get the information.

Thanks for the presentation. I just have a small question: you said that development and operation were going together, so what do you think the code looks like? [unclear] production, or are they still first-time testing and everything?

Because of the typos and everything, I don't think there's a lot of testing happening, and this is evidence, I'd say, from the RoyalDNS sample and the fact that they had hard-coded paths there, so they had the .txt or the .exe,
the fact that you hard-code the path for downloading a file. That means you're poking your... you're basically hard-coding this and seeing if it works, and then, yeah, so I think it's kind of like an iterative model of write code, send it out, see if it works, yeah, that kind of mode, I think.

So there was a second exfiltration, or second compromise, in the timeline. What recommendations did you make for preventing the compromise, and in terms of detection rather than just waiting for the accidents to happen?

That's a very good question. Unfortunately I'm not the one who actually did the report, and so, but typically recommendations really for many of the incidents that we run into involve patching systems, making sure that you have good hygiene across your estate. I don't think there's anything... I mean, in this case some of the compromised hosts were for users who were actually consultants working in specific sectors, and so education for these consultants would have helped: what emails should you open, who should you trust, if you expect an email, that sort of thing. Yeah, I mean obviously in terms of, like, they went and they included IDS, firewalls, the standard that you would get in many environments, but that on its own I don't think... because that's after the backdoor has already been on the network, right, so you don't want to be, you know, chasing beacons; you want to be preventing the backdoor getting on in the first place. [unclear].

Hi, so I'm always interested in these cases: was there any involvement with law enforcement with all your findings afterwards?

There was definitely law enforcement involved in this case; not sure I can share a lot of details, but yeah, there was involvement, there was interaction, definitely, because there is government-related information. Do we have any more questions?

So we actually attributed the actor to the same... so the attribution was to the same group that we know of, which is
APT15. FireEye, when they did their original report, believed that the operation originated from China, and according to our analysis as well, from the C2s, we can probably make the same conclusion that they were operating out of China as well. Who in China, I don't know; obviously who they are, I don't know.
[unclear] code, so-called code reuse, and the samples, things like HTTP, IWebBrowser2; I mean this is common, obviously, across many malware, but the combination of things together, well, will make it, OK, this is the same thing that FireEye talked about and that Palo Alto talked about, so it's probably the same crew. Yeah. Do we have any more questions? It's OK, we've got loads of time.

Thanks very much for the presentation, always useful to get an insight into what the bad guys are up to. They don't seem to cover their tracks very well, though; do you think they didn't care?

Correct, yes, there was definitely a sense of not caring if they get caught or if they're found, because they came in the second time right after we left, yeah. I completely [agree]; there isn't a sense of trying to hide their tracks or anything like that.
Do you think they knew about you? Do you think that when you were there the first time they knew it was NCC, did they know that someone was on the network?

Probably yes; NCC specifically, I don't know. I was involved in that sometimes, I was more the reverse engineer, but Rob, who worked with me on this investigation, and Alex, who I don't think are here today, would be better positioned to answer that, whether they actually think that the attackers knew NCC was on the network. But I don't think they knew someone was on the network, whether it was NCC or not, I don't think so.

I'm wondering how mature the client thought they were in terms of their SOC capability. Was it somebody's job to spot this sort of attack, and the reaction [unclear]?

So again, I can't really answer that question very well because I wasn't involved on the customer side very much, on the network, but I can tell you that, I mean, they had the Mimikatz alert and they started off that alert, they started to triage things. But in terms of what we find typically, I mean not myself but the incident response guys, is that many customers will have, you know, nice budgets and they will put nice appliances here and there, but they wouldn't have processes, they wouldn't have the proper things like who would do what and when, what this escalates through to, and what the steps should be; these kinds of steps are not very clear. So they would spend money on very expensive kit but it would be useless because there would be no one really looking at this sort of thing.

All right, so I'm going to [unclear] a defence, but from my perspective it looks like they used quite dated techniques; they used quite dated techniques. They compromised, we're lucky, if they're dropping binaries on drives, they're using DNS queries for communications, they're using batch files, which kind of is a thing of the past. I don't see any PowerShell stuff, nothing which would be kind of characteristic of a modern red teaming technique. So no PowerShell, no... I'm surprised, boy, no, yeah, I'm surprised at you having me... [unclear].

So this is one thing: I've been doing malware for quite a long time, and from my experience there are these types of new offensive techniques that everyone starts using at a certain point in time, and the whole industry just rushes to try to prevent these sorts of techniques and forgets about what actually, you know, the standard stuff that's been used for a long time. So in some instances you don't need to use fancy new offensive techniques, or, you know, you
use the latest gear from the sophistication or whatever; you sometimes don't need to do any of this stuff. It's very simple, because simply the network of the target that you are interested in is very weak.

[inaudible question and answer]

Do we have any more questions? I feel like you should, sir; showing my age over that. So they're in the network for quite a while, and you don't really know how long they're in there because obviously they did a transformation piece. Are you certain it was just one actor, or was it multiple actors in there at the time?

We think it's one, from what we looked at; I mean they had obviously a lot of alerts and stuff, but from our work everything was all tied to this actor.

So do we have any more questions? Superb. Right, well, that was a lot of questions; myself, actually, really good that we had the time, and thank you very much, ready for that, and for finishing a little bit early; that definitely helps us as we progress through the rest of the day. But can everybody please put their hands together for [the speaker].