Shooting Elephants
Big Game Hunter
Marion Marschalek
@pinkflawd
Cyphort Inc.
http://en.wikipedia.org/wiki/File:Lara_Croft_%282013%29.png
Digging in other people's underwear.
Timeline
[Figure: years 2009, ?, 2011 and 2014 along a time axis, with TFC, NBOT, NGBD and Babar placed on it]
• Watering hole on website of Syrian ministry of justice
• Spear phishing with a PDF 0-day
• DDoS, plugins & what not
• Babar Superstar
TFC.. NBOT.. NGBD.. Nwot?
• Lots of code sharing
• Lots of shouty capitals
• DDoS bots
• Plugin platforms & Reconnaissance
Building botnets with plain binaries. U serious?
Bunny
Lua + C/Invoke
• Lua interpreter to be embedded into C
• Instrumentation of C code
[Diagram: several scripts, each running on its own thread, all served by the one embedded Lua interpreter]
Bunny Evasion
• Searching for.. Sandboxes?
• AV enumeration for 'special treatment'
• Compile my breath away
Bunny Evasion
• Searching for.. Sandboxes?
Bitdefender
Kaspersky
Also Kaspersky:
lstcvix.exe
tudib.exe
izmdmv.exe
ubgncn.exe
jidgdsp.exe
evabgzib.exe
qzqjafyt.exe
cnyporqb.exe
...
U serious?
Bunny Evasion
• AV enumeration for 'special treatment'
• Identification of AVs through querying of WMI
• Two injection strategies, chosen per detected AV: inject into an existing svchost, or create a new svchost and inject there
Compile my Breath away
Obfuscation by compiler
52 HeapAlloc wrappers
~100 memcpy wrappers
> 3000 string constants
50 Shades Of Grey
Babar
PET (Persistent Elephant Threat)
• Stealing all the things
• Keylogging, screenshots, audio captures, clipboard data, what-not.
• Via local instance or through:
• hooking APIs in remote processes
• after invading them via global Windows hooks
Hiding in plain sight
Modus Operandi Elephanti
[Diagram: regsvr32.exe loads BabarDLL as the main instance; child instances run inside the processes of interest (list of process names from config), which are invaded via a global Windows hook for WH_KEYBOARD / WH_GETMESSAGE; instances talk to each other over named pipes; inside a target, APIs are hooked with trampoline functions; modules: data dump module, keylogger, clipboard snooping, other stuffz]
Rooootkittykittykitty
Internet communication | File creation | Audio streams
[Diagram, after Microsoft Detours: without the hook, the Source Function calls the Target Function directly; with the hook, the Source Function's call lands in the Detour Function, which calls the Trampoline Function (the displaced first instructions of the target plus a jump back), which continues in the Target Function]
http://research.microsoft.com/en-us/projects/detours/
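The detour/trampoline mechanism of the diagram above, as an added example that is not code from the slides or from Babar: a user-mode inline hook on x86-64 Linux built from the same parts Detours uses on Windows. The target is written in assembly so that its first seven bytes are known, position-independent instructions; `target_function`, `detour_function`, `install_hook` and the captured-argument buffer are names chosen for this example. A real hooking library has to disassemble the target's prologue to learn how many bytes it can safely displace; Babar's hooks on Windows APIs face exactly that problem.

```c
/* Added example: user-mode inline hook with a trampoline, x86-64 Linux, GCC/Clang.
 * target_function stands in for the API that Babar detours inside a victim
 * process; detour_function is the hook; install_hook() builds the trampoline and
 * patches the target. Names and the captured-argument buffer are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, only needed under a strict -std=c99 */
#endif

/* The target is written in assembly so that its first 7 bytes are known,
 * position-independent instructions that can be copied into the trampoline
 * unchanged. A real hooking library must disassemble to find that length. */
__asm__(
    ".text\n"
    ".globl target_function\n"
    ".type target_function, @function\n"
    "target_function:\n"
    "    push %rbp\n"                 /* 55 */
    "    mov  %rsp, %rbp\n"           /* 48 89 e5 */
    "    lea  (%rdi,%rdi,1), %eax\n"  /* 8d 04 3f : eax = 2 * x */
    "    pop  %rbp\n"
    "    ret\n"
    ".size target_function, .-target_function\n");
extern int target_function(int x);

#define PROLOGUE_LEN 7
static const uint8_t prologue_bytes[PROLOGUE_LEN] = {0x55, 0x48, 0x89, 0xe5, 0x8d, 0x04, 0x3f};

typedef int (*target_fn)(int);
static target_fn trampoline = NULL;     /* displaced prologue + jump back into the target */
static int captured_args[16];
static int captured_count = 0;

/* Detour: record the argument, then run the original through the trampoline so
 * the caller gets the genuine result and never notices the hook. */
static int detour_function(int x) {
    if (captured_count < 16) captured_args[captured_count++] = x;
    return trampoline(x);
}

int install_hook(void) {
    uint8_t *t = (uint8_t *)(uintptr_t)target_function;
    long pg = sysconf(_SC_PAGESIZE);

    /* Refuse if the prologue is not what we expect (e.g. already hooked). */
    if (memcmp(t, prologue_bytes, PROLOGUE_LEN) != 0) return -1;

    /* 1. Trampoline: copied prologue, then "jmp [rip+0]" with the absolute
     *    address of target+7 behind it, so the distance to the target does not matter. */
    uint8_t *tr = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (tr == MAP_FAILED) return -1;
    memcpy(tr, t, PROLOGUE_LEN);
    uint8_t *j = tr + PROLOGUE_LEN;
    j[0] = 0xff; j[1] = 0x25; memset(j + 2, 0, 4);
    uint64_t resume = (uint64_t)(uintptr_t)(t + PROLOGUE_LEN);
    memcpy(j + 6, &resume, sizeof resume);
    if (mprotect(tr, (size_t)pg, PROT_READ | PROT_EXEC) != 0) return -1;
    trampoline = (target_fn)(uintptr_t)tr;

    /* 2. Patch the target: "jmp rel32" to the detour, padded with nops. Both
     *    live in .text, so the +/-2 GiB reach of rel32 is not a problem here. */
    int64_t rel = (int64_t)(uintptr_t)detour_function - (int64_t)((uintptr_t)t + 5);
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;
    int32_t rel32 = (int32_t)rel;
    uint8_t patch[PROLOGUE_LEN] = {0xe9, 0, 0, 0, 0, 0x90, 0x90};
    memcpy(patch + 1, &rel32, sizeof rel32);

    /* Make only the page(s) holding the patched bytes writable, then restore R-X. */
    uintptr_t start = (uintptr_t)t & ~(uintptr_t)(pg - 1);
    uintptr_t end = ((uintptr_t)t + PROLOGUE_LEN + (uintptr_t)pg - 1) & ~(uintptr_t)(pg - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(t, patch, PROLOGUE_LEN);
    mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
    return 0;
}

int captured_arg_count(void) { return captured_count; }
int captured_arg(int i) { return (i >= 0 && i < captured_count) ? captured_args[i] : -1; }

int main(void) {
    printf("before hook: target_function(21) = %d\n", target_function(21));
    if (install_hook() != 0) { puts("hook failed"); return 1; }
    int r = target_function(21);
    printf("after hook:  target_function(21) = %d, %d call(s) captured, arg %d\n",
           r, captured_arg_count(), captured_arg(0));
    return 0;
}
```

After install_hook() the call still returns 42 while the detour has logged the argument; that is what lets a hook on a keyboard, file or socket API sit in a process without the process noticing. The same property gives the defender a check: compare the first bytes of exported functions in a live process against the DLL on disk, since an `E9` jump at an API entry point with no corresponding bytes in the file on disk is exactly this kind of hook.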
Stolen Goods
• http://www.codeproject.com/Articles/297312/Minimal-Key-Logger-using-RAWINPUT
• http://www.codeproject.com/Articles/332109/AMR-Audio-Encoding
Reversing Casper
• Reconnaissance malware
• AV 'strategies'
• Spooking in Syria
http://www.mycomicshop.com/search?IVGroupID=22688789
Binary handwriting?
Any attribute can be faked.
The question is how many attributes can be faked.
Approach: collect as many attributes as possible, from different domains, and rely on the adversary not having been genius enough to fake all of them.
Bugs
Oh mon dieu.
Proxy Bypass
Hint.. https://developer.chrome.com/extensions/proxy
Stealth FTW
• Babar starts up using the regsvr32.exe process for loading the payload
• The process remains running long after the rootkit has disappeared
Crash me, if you can
• NBOT dropper crashes with a STATUS_SHARING_VIOLATION (0xC0000043) on CreateFile of its own binary
• A file cannot be opened because the share access flags are incompatible.
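Why that CreateFile fails, as an added example in C that is not from the slides: a model of the NT share-access rule (the logic behind STATUS_SHARING_VIOLATION), run against the handle the image loader already holds on the running executable. The simplified flag values, the `running_image` handle and the three `dropper_open_*` variants are assumptions made for this example; in particular, the slides do not say which share mode the loader uses on a running image, and it is modelled here as read shared, delete shared, write not shared.

```c
/* Added example: model of NT share-access checking, to reproduce why a
 * CreateFile() on the running executable returns STATUS_SHARING_VIOLATION
 * (NTSTATUS 0xC0000043, Win32 ERROR_SHARING_VIOLATION = 32).
 * Flag values are simplified for the model, not the real WinNT.h constants. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Access rights that take part in share checking (FILE_EXECUTE counts as read). */
enum { ACCESS_READ = 1u, ACCESS_WRITE = 2u, ACCESS_DELETE = 4u };
/* dwShareMode bits: FILE_SHARE_READ / FILE_SHARE_WRITE / FILE_SHARE_DELETE. */
enum { SHARE_READ = 1u, SHARE_WRITE = 2u, SHARE_DELETE = 4u };

struct open_handle { unsigned access; unsigned share; };

/* NT rule, checked against every handle already open on the file:
 *   every right the new open requests must be shared by the existing open, and
 *   every right the existing open holds must be shared by the new open.
 * An open that asks for none of read/write/delete (attributes only) never conflicts.
 * With matching bit values both conditions are subset tests. */
bool share_access_allowed(const struct open_handle *existing, size_t n,
                          unsigned new_access, unsigned new_share) {
    if ((new_access & (ACCESS_READ | ACCESS_WRITE | ACCESS_DELETE)) == 0) return true;
    for (size_t i = 0; i < n; i++) {
        if ((new_access & ~existing[i].share) != 0) return false;  /* we ask for what they don't share */
        if ((existing[i].access & ~new_share) != 0) return false;  /* they hold what we don't share */
    }
    return true;
}

/* Assumption for this example: the image loader keeps the running executable
 * open for read/execute and lets others read or rename it, but not write it. */
static const struct open_handle running_image[] = {
    { ACCESS_READ, SHARE_READ | SHARE_DELETE },
};

/* Three ways a dropper might CreateFile() its own image (constructed cases). */
bool dropper_open_read_noshare(void)   { return share_access_allowed(running_image, 1, ACCESS_READ, 0); }
bool dropper_open_write(void)          { return share_access_allowed(running_image, 1, ACCESS_READ | ACCESS_WRITE, SHARE_READ); }
bool dropper_open_read_shareread(void) { return share_access_allowed(running_image, 1, ACCESS_READ, SHARE_READ); }

static const char *verdict(bool ok) { return ok ? "opens" : "STATUS_SHARING_VIOLATION"; }

int main(void) {
    printf("GENERIC_READ,  dwShareMode = 0         -> %s\n", verdict(dropper_open_read_noshare()));
    printf("GENERIC_WRITE, FILE_SHARE_READ         -> %s\n", verdict(dropper_open_write()));
    printf("GENERIC_READ,  FILE_SHARE_READ         -> %s\n", verdict(dropper_open_read_shareread()));
    return 0;
}
```

The third variant is the one a working dropper uses to read its own payload: GENERIC_READ with FILE_SHARE_READ (adding FILE_SHARE_DELETE costs nothing) is compatible with the loader's handle, whereas dwShareMode = 0 or any write access is not.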
Bug & Feature & Bug
• Bunny dropper won't invoke its payload
• Does not delete the dropper either
• Bypasses sandboxes, but leaves unnecessary artifacts lying around
STUXNET-O-METER
[Gauge: NBOT, TFC, Bunny, Babar and Casper clustered at one end, Stuxnet at the other]
"To people who ask me to compare the complexity of #Regin and #Babar, keep in mind that a Peugeot is enough for the day-to-day life ;)" – Paul Rascagnères
Attribution is hard.
A cyberwarfare tale on nuclear matters (a blog by Matt Suiche)
• Cartoons allegedly originate from France, main suspect is DGSE
• Linked by document from CSEC
• Iran as main target
• Other victims in Syria, Norway, Canada
.. and Mr. Brown said [about Iran not meeting international demands], "The international community has no choice today but to draw a line in the sand." – NYT, Sep. 2009
MILKFROTH PANDA! New Crowdstrike report? – Halvar Flake
A Warm-Hearted Thank You to
Joan Calvet
Paul Rascagnères
Morgan Marquis-Boire
Sebastien Larinier
Matthieu Suiche
Michael Shalyt
Alexandre Dulaunoy
Raphaël Vinot
Fred Arbogast
Further Reading
• Babar Reversed https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/
• Bunny Reversed https://drive.google.com/file/d/0B9Mrr-en8FX4M2lXN1B4eElHcE0/view?usp=sharing
• Casper Reversed by Joan Calvet http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/
• Blog on Babar http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/
• Linking the Cartoon Malware to CSEC slides by Paul Rascagnères https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html
• Slides 'TS/NOFORN' at Hack.lu 2014 http://2014.hack.lu/archive/2014/TSNOFORN.pdf
• Slides on Snowglobe from CSEC http://www.spiegel.de/media/media-35683.pdf and http://www.spiegel.de/media/media-35688.pdf
• A cyberwarfare tale on nuclear matters by Matt Suiche http://www.msuiche.net/2015/03/09/did-alleged-dgse-used-stackoverflow-like-to-write-their-malwares/
• Animal Farm https://securelist.com/blog/research/69114/animals-in-the-apt-farm/
Hashes
Bunny:
• 3bbb59afdf9bda4ffdc644d9d51c53e7
• b8ac16701c3c15b103e61b5a317692bc
• c40e3ee23cf95d992b7cd0b7c01b8599
• eb2f16a59b07d3a196654c6041d0066e
Babar:
• 4525141d9e6e7b5a7f4e8c3db3f0c24c
• 9fff114f15b86896d8d4978c0ad2813d
• 8b3961f7f743daacfd67380a9085da4f
• 4582d9d2120fb9c80ef01e2135fa3515
NBOT:
• 8132ee00f64856cf10930fd72505cebe
• 2a64d331964dbdec8141f16585f392ba
• e8a333a726481a72b267ec6109939b0d
• 51cd931e9352b3b8f293bf3b9a9449d2
Other:
• bbf4b1961ff0ce19db748616754da76e
• 330dc1a7f3930a2234e505ba11da0eea