AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
June 28, 2018
Seongsu Park
Senior Security Researcher @ Kaspersky Lab GReAT
Who is Lazarus?
• Notorious APT group
• State-sponsored APT group
• Aimed at financial profit, cyber espionage and sabotage
[Diagram: LAZARUS and its sub-groups Andariel, Bluenoroff, …… ……]
Well-known attack cases
2013 — DarkSeoul cyber attack
2014 — SPE cyber attack
2016 — Bangladesh bank heist
2017 — WannaCry outbreak
Recent activities of Lazarus
About Manuscrypt
• From when?
  - In use since around 2013
  - Still in active use until recently
• Connection?
  - Many overlaps with known Lazarus code style and C&C infrastructure
• Attack where?
  - Previously used mostly against national intelligence targets
  - Recently used in attacks on the financial sector
Attacks on South Korea
Status of cryptocurrency exchanges in Korea
[Chart: world TOP 10 cryptocurrency exchanges, with the South Korean companies highlighted]
Continuously hacked Korean exchanges
Infection vectors
• Malicious HWP
• Malicious Office document
• Malicious APK
Weaponized hwp
HWP file format
• Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. - Wikipedia
• Used by most government agencies and government offices due to the government's national software activation policy
• South Korea is one of the few countries where MS Word does not rank first
Recently, PostScript has mainly been used to deliver the payload
Decoy and targets
Cryptocurrency
- Any cryptocurrency-related news/contents
- Cryptocurrency market expectations
Legal issues
- Related to lawsuits or audits
- Forms about legal issues
Resume
- Resumes, mainly of finance-related people
- Some decoys include the victim company name
Relationship
[Diagram: malicious hwp samples linked to each other by last-saved user name and author name]
Postscript Type #1
— PostScript contains an asciihex-format executable
— Drops the file into the %startup% folder as a persistence mechanism
— Dropped file is Manuscrypt
[Figure: direct drop from the embedded ascii hex string; creation path (+ persistence mechanism); asciihex type payload]
Structure: PostScript to drop executable → drop and execute → asciihex type Manuscrypt
Postscript Type #2
— Uses Chinese variable names, e.g. yaoshi, yima, yinzi
— Decrypts the real PostScript/shellcode with a hardcoded XOR key
— Has an encryption stage with a 4-byte XOR key
Structure: PostScript to decrypt (4-byte XOR key) → decrypt → encrypted PostScript & shellcode → encrypted 32-bit Manuscrypt / encrypted 64-bit Manuscrypt
[Figure: 4-byte XOR key, encrypted PostScript and shellcode, encrypted Manuscrypt executable]
Postscript Type #2 – Decrypted data
— Decrypted data contains the exploit code and shellcode
— Triggers the PostScript vulnerability and executes the shellcode
Structure: PostScript to decrypt (4-byte XOR key) → encrypted PostScript & shellcode → exploit, decrypt payload and inject → encrypted 32-bit Manuscrypt / encrypted 64-bit Manuscrypt
[Figure: decrypted data — heap-spray, exploit code, shellcode to decrypt payload and inject]
Postscript Type #3-4
— Decryption process removed
— Malware author elaborated the exploit code
Structure: PostScript (elaborated exploit code) → exploit → shellcode → decrypt & inject → encrypted 32-bit Manuscrypt / encrypted 64-bit Manuscrypt
[Figure: PostScript, shellcode, encrypted Manuscrypt]
Postscript Type #5 – add XOR
— Same structure as #3
— Adds a shellcode decryption script with 1-byte XOR
Structure: PostScript (elaborated exploit code + script for decryption of shellcode) → decrypt & exploit → shellcode → decrypt & inject → encrypted 32-bit Manuscrypt / encrypted 64-bit Manuscrypt
Postscript Type #6
— Same PostScript to trigger the vulnerability
— No more embedded payload
— Shellcode only has a download function
Structure: PostScript → decrypt & exploit → shellcode (changed function) → download Manuscrypt
Change history of hwp attack
Type #1
• Drop embedded asciihex type payload
Type #2
• Start to use PostScript vulnerability
• Decrypt shellcode and exploitation PostScript with 4-byte XOR
• Decrypt payload with 4-byte XOR key
Type #3
• Remove shellcode/PostScript decryption routine
• Elaborate PostScript to trigger vulnerability
• Decrypt payload with 4-byte XOR key
Type #4
• Decrypt payload with AES algorithm
Type #5
• Add shellcode encryption PostScript with 1-byte XOR
Type #6
• Change shellcode to just download the payload
Change history of hwp attack
[Figure: structure diagrams of Type #1, Type #2, Type #3/4, Type #5 and Type #6 side by side; the same structures as on the preceding per-type slides]
Change history of hwp attack (summary table)
Type #1: no shellcode, direct drop of the embedded asciihex payload
Shellcode decryption: #2 4-byte XOR; #3, #4 none; #5, #6 1-byte XOR
Shellcode triggering: #2 to #6 CVE-2017-8291 (Ghostscript exploit)
Shellcode type: #2 to #5 decrypt embedded payload and inject into legit process; #6 download
Payload decryption: #2, #3 4-byte XOR; #4, #5 AES; #6 none (no embedded payload)
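As an added example (not code from the talk or from Kaspersky), the following Python triage script shows the two defender-side checks that the summary above calls for: spotting a plain asciihex PE embedded in PostScript (Type #1), and recovering a 4-byte repeating XOR key from a Type #2/#3-style encrypted blob by known plaintext, then validating the result by walking the PE header rather than trusting the first four bytes. It assumes the payload sits in a PostScript `<…>` hex string; the sample PostScript, the key and the PE stub are constructed here, and no real sample data or keys from the talk are reproduced.

```python
import re
import struct

# Constructed 4-byte key for the sample; real keys are hardcoded per sample and not reproduced here.
SAMPLE_KEY = b"\x3a\x7c\x11\xe9"

# PostScript hex strings: <...> with optional whitespace; 16+ hex digits to skip short literals.
HEX_RUN = re.compile(r"<([0-9A-Fa-f\s]{16,})>")


def xor4(data, key):
    """Repeating 4-byte XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def looks_like_pe(data):
    """'MZ' plus a 'PE\\0\\0' signature at e_lfanew. A guessed key that only fixes the first
    four bytes does not pass this, which is what makes the key recovery trustworthy."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob, known_prefix=b"MZ\x90\x00"):
    """Known-plaintext recovery: ciphertext[0:4] XOR the usual DOS header bytes = key."""
    return bytes(c ^ p for c, p in zip(blob[:4], known_prefix))


def find_hex_blobs(ps_text):
    """Decode every long asciihex string in the PostScript text."""
    blobs = []
    for run in HEX_RUN.findall(ps_text):
        digits = re.sub(r"\s", "", run)
        if len(digits) % 2 == 0:
            blobs.append(bytes.fromhex(digits))
    return blobs


def triage(ps_text):
    """Return (label, key, decoded) for each embedded blob that is a PE either as-is
    (Type #1 direct drop) or after 4-byte XOR with a recovered key (Type #2/#3 style)."""
    findings = []
    for blob in find_hex_blobs(ps_text):
        if looks_like_pe(blob):
            findings.append(("plain_asciihex_pe", None, blob))
            continue
        key = recover_key(blob)
        decoded = xor4(blob, key)
        if looks_like_pe(decoded):
            findings.append(("xor4_asciihex_pe", key, decoded))
    return findings


def build_pe_stub():
    """Constructed PE-shaped blob: DOS header with e_lfanew -> 'PE\\0\\0' + i386 machine field. Not a real file."""
    dos = bytearray(0x40)
    dos[0:4] = b"MZ\x90\x00"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00\x4c\x01" + b"\x00" * 18


def build_sample_postscript(payload, key=None):
    """Constructed PostScript that embeds payload as an asciihex string (XORed when key is given).
    The variable name mirrors the Chinese names seen in Type #2 samples."""
    body = xor4(payload, key) if key else payload
    return "%!PS-Adobe-3.0\n/yaoshi <" + body.hex().upper() + "> def\n"


if __name__ == "__main__":
    for label, key, decoded in triage(build_sample_postscript(build_pe_stub(), SAMPLE_KEY)):
        print(label, key.hex() if key else "-", len(decoded), "bytes")
```

The PE-signature check is the important design choice: a known-plaintext guess always makes the first four bytes read "MZ\x90\x00", so without checking the "PE\0\0" signature at e_lfanew every random blob would look like a hit.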
Attacker vs Defender
Timeline: 2017-04, 2017-06, 2017-07, 2017-08, 2017-09, 2017-10, 2017-11, 2017-12, 2018-03
ATTACKER SIDE
Type #1 — Direct drop from asciihex string
Type #2 — Start to use exploit: XORed shellcode + exploit trigger script
Type #3 — Polishing exploit script, 4-byte XOR decryption
Type #4 — Replace with AES algorithm
Type #5 — Decrypt shellcode with 1-byte XOR
Type #6 — Download payload from remote server
DEFENDER SIDE
- Detect embedded ascii type executable
- Detect XOR postscript routine
- Detect embedded shellcode in postscript
- Detect embedded encrypted payload
Shellcode comparison of each type
Different PostScripts, but the same shellcode
[Figure: shellcode comparison across types — process searching, get handle]
Shellcode execution flow
Get API by hash → Decrypt payload (find decryption key) → Get handle → Inject into legit process
Payload summary
IP-based C&C communication type
• Only used up to type #2
• Not seen after November 2017
• Fake SSL communication
• Full-featured backdoor
  - File handling
  - Process handling
  - Execute commands
  - Data exfiltration
HTTP-based C&C communication type
• Usually uses this type of communication
• Uses compromised servers
• Full-featured backdoor
  - System info gathering
  - Execute commands
  - and so on
Type of C&C servers
COMPROMISED SERVER
— Compromised server
— Direct connect by IP address
— Encrypted channel
COMPROMISED WEB SERVER IN CHINA
— Usually a compromised IIS server
— Attacker's PHP scripts uploaded
— DedeCMS vulnerability
— WordPress vulnerability
COMPROMISED WEB SERVER IN KOREA
— Usually a compromised IIS server
— Attacker's JSP scripts uploaded
— Using a specific board vulnerability
— Using a WordPress vulnerability
Not only hwp file
Persistent attacks against the same target
Date and time | File name | ID | Country
2017-07-31 07:40:07 | 비트코인_지갑주소_및_거래번호.hwp | e3796387 (web) | KR
2017-07-31 16:25:00 | 비트코인_지갑주소_및_거래번호.doc | e3796387 (web) | KR
2017-08-03 18:13:23 | 비트코인 거래내역.xls | e3796387 (web) | KR
(The file names mean "Bitcoin_wallet address_and_transaction number" and "Bitcoin transaction history".)
[Figure: decoy of the malicious hwp; decoy of the malicious Word document]
Attacks on other countries
Attack methodology
SPEARPHISHING
— Malicious Office document
— Malicious macro embedded
— Decoy: usually a job description or proposal
Attack methodology
Structure of macro
Attribute VB_Name = "Module1"
Sub Auto_Open()
On Error GoTo gaqz
' "sjop/fyf" with every character shifted by -1 decodes to "rino.exe"
liveOn = "sjop/fyf"
' backslash restored (lost in the slide extraction): %temp%\<decoded name>
liveOff = Environ("temp") + "\"
For qnx = 1 To Len(liveOn)
liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
Next
' 1635 hex strings of 500 bytes each, single-byte XOR key 189 (0xBD);
' "F0E7" XOR 0xBD = "MZ", so the decoded file is a PE executable
Dim str(1635) As String
str(1) = "F0E72DBDBEBDBDBD………[redacted]……………DBDBDBD"
.... [redacted]….
str(1635) = "9D9D9D9D9D9D81…. ……[redacted]…..….……DBDBDBD"
Dim offBin(499) As Byte
Open liveOff For Binary Access Write As #1
lpdq = 1
For jnx = 0 To 1634
For inx = 0 To 499
offBin(inx) = Val("&H" + Mid(str(jnx + 1), inx * 2 + 1, 2))
offBin(inx) = offBin(inx) Xor 189
Next inx
' (the Put / Next jnx / Close #1 lines of this loop are not shown on the slide;
'  they mirror the decoy-document loop below)

Macro to create payload

' "EFG492:2/ymt" shifted by -1 decodes to "DEF38191.xls"
liveOn = "EFG492:2/ymt"
liveOffd = Environ("temp") + "\"
For qnx = 1 To Len(liveOn)
liveOffd = liveOffd + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
Next qnx
' 239 hex strings, single-byte XOR key 201 (0xC9);
' "1906D8296878D328" XOR 0xC9 = D0 CF 11 E0 A1 B1 1A E1, the OLE2 compound-document magic of the decoy .xls
Dim strd(239) As String
strd(1) = "1906D8296878D328C9C9C9…[redacted]…..36363636363636"
...... [redacted]……
strd(239) = "C9C9C9C9C9C9C9C9C9C9…[redacted]…….D9C9C9C9C9C9C9"
Dim offBind(499) As Byte
Open liveOffd For Binary Access Write As #2
lpdq = 1
For jnx = 0 To 238
For inx = 0 To 499
offBind(inx) = Val("&H" + Mid(strd(jnx + 1), inx * 2 + 1, 2))
offBind(inx) = offBind(inx) Xor 201
Next inx
Put #2, lpdq, offBind
lpdq = lpdq + 500
Next jnx
Close #2

Macro to create decoy document
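The macro above hides its file names by shifting every character by -1 and rebuilds the dropped files from hex strings XORed with a single byte. As an added example (not code from the talk), the Python decoder below statically recovers both from macro text without running it: it walks the statement shapes visible on the slide (the `Environ("temp")` path, the `Chr(Asc(...) - 1)` loop body, the `str(N) = "..."` arrays, the `Xor` key, and the `Open`/`Put` pairing), decodes the arrays and identifies each dropped file by its magic bytes. The embedded macro is constructed for the example: its hex strings reuse only the prefixes visible on the slide (F0E7… and 1906D8…) plus short padding, not the redacted payload, and the chunk size is 16 bytes instead of 500.

```python
import re

# Magic bytes used to label the decoded files.
MAGIC = {
    b"MZ": "MZ/PE executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document",
}

# Statement shapes seen on the slide; anything else in the macro is ignored.
RE_LIT   = re.compile(r'(\w+) = "([^"]*)"')
RE_ENV   = re.compile(r'(\w+) = Environ\("(\w+)"\) \+ "([^"]*)"')
RE_SHIFT = re.compile(r'(\w+) = \1 \+ Chr\(Asc\(Mid\$\((\w+), \w+, 1\)\) ([-+]) (\d+)\)')
RE_ARR   = re.compile(r'(\w+)\((\d+)\) = "([0-9A-Fa-f]*)"')
RE_LINK  = re.compile(r'(\w+)\(\w+\) = Val\("&H" \+ Mid\((\w+)\(\w+ \+ 1\), .*')
RE_XOR   = re.compile(r'(\w+)\(\w+\) = \1\(\w+\) Xor (\d+)')
RE_OPEN  = re.compile(r'Open (\w+) For Binary Access Write As #(\d+)')
RE_PUT   = re.compile(r'Put #(\d+), \w+, (\w+)')

# Constructed macro text with the same structure as the slide (16-byte chunks, short arrays).
SAMPLE_MACRO = r'''Attribute VB_Name = "Module1"
Sub Auto_Open()
On Error GoTo gaqz
liveOn = "sjop/fyf"
liveOff = Environ("temp") + "\"
For qnx = 1 To Len(liveOn)
liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
Next
Dim str(2) As String
str(1) = "F0E72DBDBEBDBDBDB9BDBDBDB2B2BDBD"
str(2) = "47BDBDBDBDBDBDBD9D9D9D9D9D9D9D9D"
Dim offBin(15) As Byte
Open liveOff For Binary Access Write As #1
lpdq = 1
For jnx = 0 To 1
For inx = 0 To 15
offBin(inx) = Val("&H" + Mid(str(jnx + 1), inx * 2 + 1, 2))
offBin(inx) = offBin(inx) Xor 189
Next inx
Put #1, lpdq, offBin
lpdq = lpdq + 16
Next jnx
Close #1
liveOn = "EFG492:2/ymt"
liveOffd = Environ("temp") + "\"
For qnx = 1 To Len(liveOn)
liveOffd = liveOffd + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
Next qnx
Dim strd(1) As String
strd(1) = "1906D8296878D328C9C9C9C9C9C9C9C9"
Dim offBind(15) As Byte
Open liveOffd For Binary Access Write As #2
lpdq = 1
For jnx = 0 To 0
For inx = 0 To 15
offBind(inx) = Val("&H" + Mid(strd(jnx + 1), inx * 2 + 1, 2))
offBind(inx) = offBind(inx) Xor 201
Next inx
Put #2, lpdq, offBind
lpdq = lpdq + 16
Next jnx
Close #2
gaqz:
End Sub
'''


def shift_string(s, delta):
    """Apply the Chr(Asc(c) + delta) transformation to a whole string."""
    return "".join(chr(ord(c) + delta) for c in s)


def identify(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def decode_dropper(macro_text):
    """Statically recover the files a macro of this shape would write: one dict per Put
    statement with the decoded path, single-byte XOR key, size and file type."""
    strings, arrays, link, keys, files, dropped = {}, {}, {}, {}, {}, []
    for raw in macro_text.splitlines():
        line = raw.strip()
        if m := RE_ENV.fullmatch(line):            # liveOff = Environ("temp") + "\"
            strings[m[1]] = "%" + m[2].upper() + "%" + m[3]
        elif m := RE_SHIFT.fullmatch(line):        # per-character shift loop body
            delta = int(m[4]) if m[3] == "+" else -int(m[4])
            strings[m[1]] = strings.get(m[1], "") + shift_string(strings[m[2]], delta)
        elif m := RE_ARR.fullmatch(line):          # str(1) = "F0E7..."
            arrays.setdefault(m[1], {})[int(m[2])] = m[3]
        elif m := RE_LIT.fullmatch(line):          # liveOn = "sjop/fyf"
            strings[m[1]] = m[2]
        elif m := RE_LINK.fullmatch(line):         # byte array <- hex string array
            link[m[1]] = m[2]
        elif m := RE_XOR.fullmatch(line):          # offBin(inx) = offBin(inx) Xor 189
            keys[m[1]] = int(m[2])
        elif m := RE_OPEN.fullmatch(line):         # Open <path var> ... As #1
            files[m[2]] = strings[m[1]]
        elif m := RE_PUT.fullmatch(line):          # Put #1, lpdq, offBin
            chunks = arrays[link[m[2]]]
            raw_hex = "".join(chunks[i] for i in sorted(chunks))
            data = bytes(b ^ keys.get(m[2], 0) for b in bytes.fromhex(raw_hex))
            dropped.append({"path": files[m[1]], "xor_key": keys.get(m[2], 0),
                            "size": len(data), "type": identify(data)})
    return dropped


if __name__ == "__main__":
    for entry in decode_dropper(SAMPLE_MACRO):
        print(entry)
```

Because the XOR key is a single byte, the first hex bytes of each array leak the file type directly (F0E7 XOR 0xBD is "MZ"; 1906D8… XOR 0xC9 is the OLE2 header), which is a quick way to triage such macros even before decoding them fully.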
Who is the target?
Finance, Engineering, Cryptocurrency
Payload summary
• File search and handling
• Process handling
• Collect system information
• Directory / file listing
• ……
Full-featured backdoor a.k.a. Fallchill
• IP-based C&C communication
  - Fake SSL communication (Polar SSL)
  - Uses compromised servers
• HTTP-based C&C communication
  - Compromised IIS servers hosting ASP
  - Allegedly used a board/CMS vulnerability
C&C server configuration
How did I start this investigation?
Malicious hwp dropped Manuscrypt
Found 1 C&C server in South Korea
— Suspected compromised server
Working closely with an investigation agency
— Investigated the compromised server
— Found one proxy module
Expanding research with our telemetry
— Yara magic!
— Found additional modules from the compromised server
Manuscrypt C2 infrastructure
[Diagram: Manuscrypt-infected host → send information → multi-stage proxy servers → communication → final-stage C2 server]
Manuscrypt C2 geolocations
[Map]
Malwares/Tools from C&C server
Backdoor variants — the threat actor uses many kinds of backdoors: active backdoor, passive backdoor, HTTP backdoor, IIS backdoor
Proxy malware — main component of the multi-stage proxy structure; forwards incoming traffic to another host
Information harvester — TCP connection harvester to steal inbound/outbound network connections
Other tools — loader to decrypt and execute an encrypted payload; file wiper to securely wipe specific files
Proxy module
• Simply forwards traffic from the incoming host to the next hop
• Firewall punching: adds to the allowed port list using a Windows command
• Fake SSL communication: disguised as SSL handshaking with legitimate sites
• Configuration
  - Stores configuration in a registry key
  - Saves configuration as a specific file
  - Updates the file with data from another hop
  - Decrypts this file when reading it
Proxy module – P2P proxy
[Diagram: P2P-based C&C infrastructure; pipe names as on the slide, with backslashes restored]
- Another infected host connects to the external named pipe (\\%s\pipe\AnonymousPipe)
- The proxy listens on a named pipe (\\.\pipe\AnonymousPipe)
- Thread #1: receives data from the global P2P server and writes it to the listening named pipe
- Thread #2: reads data from the external named pipe and sends it to the global P2P server
- Polar SSL encryption towards the global P2P C&C server (passive backdoor module installed)
Active backdoor
Has a C&C server address, performs backdoor functions
IP-based communications
- Configuration data in a registry key
- Full-featured backdoor
  • File / directory listing
  • Process handling
  • Get system information
  • Execute Windows command
  • Send screenshot
HTTP-based communications
- Same configuration data as the IP-based backdoor
- Chooses the HEAD, GET or POST method randomly when communicating with the C&C server
- Full-featured backdoor
Passive backdoor
Doesn't have a C&C server address; opens a port and waits for connections
INSTALLATION PROCESS
1. Get the Windows service list and choose one (e.g. choose the "SharedAccess" service)
2. Get the display name of the service and append "Service" (e.g. change the "Internet Connection Sharing (ICS)" display name to "Internet Connection Sharing Service")
3. Append decrypted strings to the service display name (e.g. append "is an essential element in Windows System configuration and management.")
4. Change the service name to lower case and append "svc" (e.g. SharedAccess -> sharedaccesssvc)
5. Drop the payload under the service name (e.g. drop the payload to sharedaccesssvc.dll)
6. Change the file timestamp
F/W punching
cmd.exe /c netsh firewall add portopening TCP [Port] "adp"
Backdoor functions
- Almost the same as the active backdoor
- Some variants have routing functions
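The installation steps and the firewall command above give a defender several concrete things to look for. As an added example (not from the talk), the Python detector below runs three checks over constructed Windows-event-style records: a process-creation command line containing the legacy `netsh firewall add portopening`, a newly installed service whose name is an existing service name lowercased plus "svc" or whose display name is an existing display name plus " Service", and a dropped DLL named `<servicename>svc.dll`. The baseline service list and the events are constructed here; the field names (event 4688 command line, event 7045 service name/display name/image path, a Sysmon-style event 11 target file name) are simplified and are assumptions, so map them to your own log schema.

```python
import re
import ntpath

# Constructed baseline of legitimate service names and display names; SharedAccess is the
# example used on the slide.
BASELINE_SERVICES = {
    "SharedAccess": "Internet Connection Sharing (ICS)",
    "Schedule": "Task Scheduler",
    "W32Time": "Windows Time",
}

# Constructed events in a simplified form: 4688 = process creation, 7045 = service installed,
# 11 = file created (Sysmon-style field name).
SAMPLE_EVENTS = [
    {"event_id": 4688, "command_line": 'cmd.exe /c netsh firewall add portopening TCP 443 "adp"'},
    {"event_id": 7045, "service_name": "sharedaccesssvc",
     "display_name": "Internet Connection Sharing Service is an essential element in "
                     "Windows System configuration and management.",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event_id": 11, "target_filename": r"C:\Windows\System32\sharedaccesssvc.dll"},
    {"event_id": 7045, "service_name": "MyBackupAgent", "display_name": "My Backup Agent",
     "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"event_id": 4688, "command_line": "netsh advfirewall show allprofiles"},
]

# Legacy 'netsh firewall' context, as in the command on the slide; 'advfirewall' is separate.
FW_PUNCH = re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+add\s+portopening\b", re.IGNORECASE)


def base_display(display):
    """Strip a trailing parenthesised acronym: 'Internet Connection Sharing (ICS)' -> 'Internet Connection Sharing'."""
    return re.sub(r"\s*\([^)]*\)\s*$", "", display).strip()


def mimicked_service(name, baseline):
    """Return the legitimate service whose lowercased name + 'svc' equals name, else None."""
    for legit in baseline:
        if name.lower() == legit.lower() + "svc":
            return legit
    return None


def mimicked_display(display, baseline):
    """Return the legitimate service whose display name + ' Service' prefixes display, else None."""
    for legit, disp in baseline.items():
        if display.startswith(base_display(disp) + " Service"):
            return legit
    return None


def detect(events, baseline=BASELINE_SERVICES):
    """Run the three checks and return (rule, event_index) hits."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("event_id")
        if eid == 4688 and FW_PUNCH.search(ev.get("command_line", "")):
            hits.append(("firewall_portopening", i))
        elif eid == 7045:
            legit = mimicked_service(ev.get("service_name", ""), baseline)
            if legit:
                hits.append(("service_name_mimicry:" + legit, i))
            legit = mimicked_display(ev.get("display_name", ""), baseline)
            if legit:
                hits.append(("display_name_mimicry:" + legit, i))
        elif eid == 11:
            fname = ntpath.basename(ev.get("target_filename", "")).lower()
            for legit in baseline:
                if fname == legit.lower() + "svc.dll":
                    hits.append(("service_dll_drop:" + legit, i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:40} event #{idx}: {SAMPLE_EVENTS[idx]}")
```

The service checks need a baseline of the host's real services (names and display names); the point of the mimicry is that the fake looks plausible in isolation and only stands out when compared to the service it imitates.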
Other tools
Log wiper
- Generates a random buffer
- Overwrites the file with that data repeatedly
- Deletes the file
TCP connection harvester
- Chooses the proper API depending on the OS version
[Table: file names]
Malwares/Tools from C&C server
[Map: tools recovered from C&C servers by country — Indonesia, India, Bangladesh, Malaysia, Vietnam, Korea, Taiwan, Thailand; tool types: active backdoor, passive backdoor, proxy, TCP connection harvester, IIS backdoor, HTTP backdoor]
Malwares/Tools from C&C server
[Map — Case #1 and Case #2: servers in India, Colombia, Dominican Republic, Germany, Indonesia, South Korea, Sri Lanka, Panama and Vietnam; tools found: active backdoor, proxy, HTTP backdoor, passive backdoor, TCP connection harvester]
Vulnerability information
IP | Web server version | OS fingerprinting
2xx.xx.xx.xxx | N/A | Windows Server 2003 R2
5x.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 (91%), Microsoft Windows Server 2003 SP2 (91%)
2xx.xx.xx.xxx | IIS 6.0 | N/A
1xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows 2003 R2 (93%), Microsoft Windows Server 2003 (93%), Microsoft Windows Server 2003 SP2 (93%)
2xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
1xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%), Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
2xx.xx.xx.xxx | IIS 6.0 | N/A
2xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (89%)
5x.xx.xx.xxx | N/A | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows Server 2003 SP1 - SP2 (92%)
Vulnerability information
2017-03-26 — CVE-2017-7269 published
2017-03-31 — PoC for CVE-2017-7269 added to Metasploit module
2017-04-11 — Attack tool for this exploit was created
2017-06-13 — Microsoft published patch for this vulnerability
Let's put them together
[Diagram: weaponized hwp/doc → victim (Manuscrypt infected) → communicates with multi-stage C&C → C&C server infrastructure (active backdoor, passive backdoor, proxy module, TCP harvester, ……); the attacker configures the C&C infra and controls infected hosts; corporate users' hosts are sometimes infected from the server]
Takeaways
• Never let your servers be compromised by them
• They keep polishing their tools
• Their favorite attack vector is spearphishing
• Recently, they have been changing their TTPs
• Let's keep up with their TTPs
LET’S TALK?
Twitter : @unpacker
Mail : seongsup4rk@gmail.com

More Related Content

PPTX
Cryptography - Simplified - Hash Functions
Abdul Manaf Vellakodath
 
PDF
Cryptography for Smalltalkers 2
ESUG
 
PDF
Apache Commons ソースリーディングの会:Codec
moai kids
 
PDF
Cryptography in PHP: use cases
Enrico Zimuel
 
PDF
Cryptography For The Average Developer - Sunshine PHP
Anthony Ferrara
 
PDF
Strong cryptography in PHP
Enrico Zimuel
 
PDF
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
PPTX
SSL Primer
Mahadev Gaonkar
 
Cryptography - Simplified - Hash Functions
Abdul Manaf Vellakodath
 
Cryptography for Smalltalkers 2
ESUG
 
Apache Commons ソースリーディングの会:Codec
moai kids
 
Cryptography in PHP: use cases
Enrico Zimuel
 
Cryptography For The Average Developer - Sunshine PHP
Anthony Ferrara
 
Strong cryptography in PHP
Enrico Zimuel
 
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
SSL Primer
Mahadev Gaonkar
 

What's hot (18)

ODP
Applying Security Algorithms Using openSSL crypto library
Priyank Kapadia
 
PDF
VisualWorks Security Reloaded - STIC 2012
Martin Kobetic
 
PDF
Recover A RSA Private key from a TLS session with perfect forward secrecy
Priyanka Aash
 
PDF
HMAC authentication
Siu Tin
 
PDF
UVic Startup Slam September 2014 (Kiind)
sendwithus
 
PDF
Python Cryptography & Security
Jose Manuel Ortega Candel
 
PDF
Iam r31 a (2)
SelectedPresentations
 
PPT
Hash crypto
Harry Potter
 
PDF
Native or External?
ESUG
 
PDF
Stu r33 b (2)
SelectedPresentations
 
PDF
CNIT 141: 1. Encryption
Sam Bowne
 
PPT
Lecture 3b public key_encryption
rajakhurram
 
PPT
Network security cryptographic hash function
Mijanur Rahman Milon
 
PDF
CNIT 141: 8. Authenticated Encryption
Sam Bowne
 
PDF
Cryptography For The Average Developer
Anthony Ferrara
 
PDF
Web cryptography javascript
Jose Manuel Ortega Candel
 
PPTX
Cool Crypto Concepts CodeOne SFO
Roy Wasse
 
PDF
IPv6 for Pentester
Amish Patadiya
 
Applying Security Algorithms Using openSSL crypto library
Priyank Kapadia
 
VisualWorks Security Reloaded - STIC 2012
Martin Kobetic
 
Recover A RSA Private key from a TLS session with perfect forward secrecy
Priyanka Aash
 
HMAC authentication
Siu Tin
 
UVic Startup Slam September 2014 (Kiind)
sendwithus
 
Python Cryptography & Security
Jose Manuel Ortega Candel
 
Iam r31 a (2)
SelectedPresentations
 
Hash crypto
Harry Potter
 
Native or External?
ESUG
 
Stu r33 b (2)
SelectedPresentations
 
CNIT 141: 1. Encryption
Sam Bowne
 
Lecture 3b public key_encryption
rajakhurram
 
Network security cryptographic hash function
Mijanur Rahman Milon
 
CNIT 141: 8. Authenticated Encryption
Sam Bowne
 
Cryptography For The Average Developer
Anthony Ferrara
 
Web cryptography javascript
Jose Manuel Ortega Candel
 
Cool Crypto Concepts CodeOne SFO
Roy Wasse
 
IPv6 for Pentester
Amish Patadiya
 
Ad

Similar to AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group (20)

PDF
Analysing Ransomware
Napier University
 
PPTX
Cryptanalysis in the Time of Ransomware
Mark Mager
 
PPTX
Cryptography
Rohan04
 
PDF
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
EC-Council
 
PDF
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
PDF
Cryto Party at CCU
Jose L. Quiñones-Borrero
 
PDF
Advances in Open Source Password Cracking
n|u - The Open Security Community
 
PPTX
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
PDF
Analysing space complexity of various encryption algorithms 2
IAEME Publication
 
PDF
注意看,這些Windows的Potatoes太狠了! 解析5種基於MS-RPCE的攻擊手法.pdf
slideshare779123
 
PDF
Webinar alain-2009-03-04-clamav
thc2cat
 
PDF
International Journal of Engineering Research and Development
IJERD Editor
 
DOC
Encryption
Vijay Kumar
 
PPT
Day5
Jai4uk
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
PPTX
Secured algorithm for gsm encryption & decryption
Tharindu Weerasinghe
 
PDF
Analysis of Cryptographic Algorithms
ijsrd.com
 
PPT
Nwc rsa
anupamnm
 
PPT
RC4-Basics-Presentation_hill cipher_ceasercipheer.ppt
srivisundararaju
 
PDF
SE-4128, DRM: From software secrets to hardware protection, by Rod Schultz
AMD Developer Central
 
Analysing Ransomware
Napier University
 
Cryptanalysis in the Time of Ransomware
Mark Mager
 
Cryptography
Rohan04
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
EC-Council
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
Cryto Party at CCU
Jose L. Quiñones-Borrero
 
Advances in Open Source Password Cracking
n|u - The Open Security Community
 
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Analysing space complexity of various encryption algorithms 2
IAEME Publication
 
注意看,這些Windows的Potatoes太狠了! 解析5種基於MS-RPCE的攻擊手法.pdf
slideshare779123
 
Webinar alain-2009-03-04-clamav
thc2cat
 
International Journal of Engineering Research and Development
IJERD Editor
 
Encryption
Vijay Kumar
 
Day5
Jai4uk
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Secured algorithm for gsm encryption & decryption
Tharindu Weerasinghe
 
Analysis of Cryptographic Algorithms
ijsrd.com
 
Nwc rsa
anupamnm
 
RC4-Basics-Presentation_hill cipher_ceasercipheer.ppt
srivisundararaju
 
SE-4128, DRM: From software secrets to hardware protection, by Rod Schultz
AMD Developer Central
 
Ad

Recently uploaded (20)

PPTX
A Power Point Presentaion of 2 test match
katarapiyush21
 
PPTX
Iconic Destinations in India: Explore Heritage and Beauty
dhorashankar
 
PPTX
Ocean_and_Freshwater_Awareness_Presentation.pptx
Suhaira9
 
PPTX
Working-with-HTML-CSS-and-JavaScript.pptx
badalsenma5
 
PPTX
Information Security and Risk Management.pptx
prembasnet12
 
PPTX
THE school_exposure_presentation[1].pptx
sayanmondal3500
 
PDF
SXSW Panel Picker: Placemaking: Culture is the new cost of living
GabrielCohen28
 
PPTX
Public Speakingbjdsbkjfdkjdasnlkdasnlknadslnbsjknsakjscbnkjbncs.pptx
ranazunairriaz1
 
PPTX
Marketing Mix Analysis of Singapore Airlines.pptx
auntorkhastagirpujan
 
PPTX
Influencing Factors of Business Environment of Vegetables Selling Business
auntorkhastagirpujan
 
PPTX
GAMABA AWARDEES GINAW BILOG AND SALINTA MONON BY REYMART
purezagambala458
 
PPTX
Assam' Vibrant Bihu Festival Bihu presentation.pptx
rpmsbarman
 
PPTX
AMFI - Investor Awareness Presentation.pptx
ssuser89d308
 
PDF
Enhancing Bambara Groundnut Production Through Improved Agronomic Practices
Francois Stepman
 
PPTX
Introductions to artificial intelligence
rakshjain77
 
PPTX
How do Company Analysis Short Term and Long Term Investment.pptx
auntorkhastagirpujan
 
PDF
protein structure and function for basics .pdf
RakeshKumar508211
 
PPT
strucure of protein geomics for new .ppt
RakeshKumar508211
 
PPTX
Raksha Bandhan Celebrations PPT festival
sowmyabapuram
 
PPTX
DARKWEB Deepweb what to do or not ?.pptx
prembasnet12
 
A Power Point Presentaion of 2 test match
katarapiyush21
 
Iconic Destinations in India: Explore Heritage and Beauty
dhorashankar
 
Ocean_and_Freshwater_Awareness_Presentation.pptx
Suhaira9
 
Working-with-HTML-CSS-and-JavaScript.pptx
badalsenma5
 
Information Security and Risk Management.pptx
prembasnet12
 
THE school_exposure_presentation[1].pptx
sayanmondal3500
 
SXSW Panel Picker: Placemaking: Culture is the new cost of living
GabrielCohen28
 
Public Speakingbjdsbkjfdkjdasnlkdasnlknadslnbsjknsakjscbnkjbncs.pptx
ranazunairriaz1
 
Marketing Mix Analysis of Singapore Airlines.pptx
auntorkhastagirpujan
 
Influencing Factors of Business Environment of Vegetables Selling Business
auntorkhastagirpujan
 
GAMABA AWARDEES GINAW BILOG AND SALINTA MONON BY REYMART
purezagambala458
 
Assam' Vibrant Bihu Festival Bihu presentation.pptx
rpmsbarman
 
AMFI - Investor Awareness Presentation.pptx
ssuser89d308
 
Enhancing Bambara Groundnut Production Through Improved Agronomic Practices
Francois Stepman
 
Introductions to artificial intelligence
rakshjain77
 
How do Company Analysis Short Term and Long Term Investment.pptx
auntorkhastagirpujan
 
protein structure and function for basics .pdf
RakeshKumar508211
 
strucure of protein geomics for new .ppt
RakeshKumar508211
 
Raksha Bandhan Celebrations PPT festival
sowmyabapuram
 
DARKWEB Deepweb what to do or not ?.pptx
prembasnet12
 

AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group

  • 1. Anatomy of attacks aimed at financial sector by the Lazarus group June 28, 2018 Seongsu Park Senior Security Researcher @ Kaspersky Lab GReAT
  • 2. Who is Lazarus? • Notorious APT group • State-sponsored APT group • Aimed at financial profit and cyber espionage, sabotage LAZARUS Andariel Bluenoroff …… …… Well-known attack case 2013 — DarkSeoul cyber attack 2014 — SPE cyber attack 2016 — Bangladesh bank heist 2017 — WannaCry outbreak
  • 4. About Manuscrypt • From when?  Start to use Manuscrypt from around 2013  Use it actively until recent • Connection?  Many overlap with known Lazarus code style and C&C infrastructure • Attack where?  Usually attacked national intelligence before  Recently, used when attacked financial sector
  • 6. Status of cryptocurrency exchange of Korea World TOP 10 Cryptocurrency Exchanges South Korea company
  • 9. Weaponized hwp HWP file format • Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. -Wikipedia • Used by most government agencies and government offices due to national software activation policy of Government • The South Korea is one of the few countries where MS Word does not rank first Recently, postscript mainly used to deliver payload
  • 10. Decoy and targets Cryptocurrency Any cryptocurrency related news/contents Cryptocurrency market expectation Legal issues Related to lawsuit or audit Forms about legal issues Resume Resume of mainly financial related person Some decoy include victim company name
  • 11. Relationship Last saved user name Author name Malicious hwp
  • 12. Postscript Type #1 — Postscript has asciihex-format executable — Drop file %startup% folder for persistence mechanism — Dropped file is Manuscrypt Direct drop from embedded ascii hex string Creation path (+persistence mechanism) asciihex type payload Asciihex type Manuscrypt Postscript to drop executable Drop and execute Structure
  • 13. Postscript Type #2 — Use Chinese variable name i.e.) yaoshi, yima, yinzi — Decrypt real postscript/shellcode with hardcoded XOR key Has encryption stage with 4-bytes XOR key 4-bytes XOR key Encrypted postscript & Shellcode Postscript to decrypt Decrypt Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Encrypted postscript and shellcode Encrypted Manuscrypt executable
  • 14. Postscript Type #2 – Decrypted data — Decrypted data contains exploit code and shellcode — Trigger the postscript vulnerability and execute shellcode Has encryption stage with 4-bytes XOR key Encrypted postscript & Shellcode Postscript to decrypt Exploit, Decrypt payload and inject Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Shellcode to decrypt payload and inject Heap-spray Exploit code
  • 15. Postscript Type #3-4 — Remove decryption process — Malware author elaborate exploit code Elaborated exploit code Shellcode Postscript Exploit Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Postscript Shellcode Encrypted Manuscrypt Decrypt & Inject
  • 16. Postscript type #5 – add XOR — Same structure with #3 — Add shellcode decryption script with 1-byte XOR Elaborated exploit code Script for decryption of shellcode Shellcode Postscript Decrypt & Exploit Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Postscript Decrypt & Inject
  • 17. Postscript type #6 — Same postscript to trigger vulnerability — No more embedded payload — Shellcode just has download function Change shellcode function Shellcode Postscript Structure Postscript Decrypt & Exploit Download Manuscrypt
  • 18. Change history of hwp attack Type #2 • Start to use postscript vulnerability • Decrypt shellcode and exploitation postscript with 4-bytes XOR • Decrypt payload with 4-bytes XOR key Type #3 • Remove shellcode/postscript decryption routine • Elaborate postscript to trigger vulnerability • Decrypt payload with 4-bytes XOR key Type #4 • Decrypt payload with AES algorithm Type #5 • Add shellcode encryption postscript with 1-byte XOR Type #6 • Change shellcode just download payload Type #1 • Drop embedded asciihex type payload
  • 19. Change history of hwp attack Asciihex type Manuscrypt Postscript to drop executable Drop and execute Structure Encrypted postscript & Shellcode Postscript to decrypt Decrypt Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Shellcode Postscript Exploit Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Postscript Decrypt & Inject Shellcode Postscript Decrypt & Exploit Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Postscript Decrypt & Inject Shellcode Postscript Structure Postscript Decrypt & Exploit Download Manuscrypt Type #1 Type #2 Type #3, 4 Type #5 Type #6 Decrypt & Inject
  • 20. Change history of hwp attack Type #1 Type #6Type #2 Type #5Type #4Type #3 4-bytes XOR Shellcode Decryption 1-bytes XOR 1-bytes XOR Shellcode Triggering CVE-2017-8291 (Ghostscript exploit) Shellcode Type Decrypt embedded payload and inject to legit process Download 4-bytes XOR AES Payload Decryption
  • 21. 21 Attacker vs Defender Type #1 Direct drop from asciihex string 2017-04 2017-06 2017-07 2017-08 2017-09 2017-10 2017-11 2017-12 2018-03 Type #2 Start to use Exploit XORed shellcode + exploit trigger script Type #4 Replace to AES algorithm Type #3 Polishing exploit script 4-bytes XOR decryption Type #6 Download payload from remote server Type #5 Decrypt shellcode with 1-byte XOR ATTACKER SIDE DEFENDER SIDE Detect embedded ascii type executable Detect XOR postscript routine Detect embedded shellcode in postscript Detect embedded encrypted payload
  • 22. Shellcode comparison from each types Different postscripts, but same shellcode
  • 23. Shellcode comparison from each types Different postscripts, but same shellcode Process searching Get handle
  • 24. Shellcode Shellcode execution flow Get API by hash Decrypt payload Find decryption key Get Handle Inject to legit process
  • 25. Payload summary IP-based C&C communication type • Only used up to type #2 • Not seen after November 2017 • Fake SSL communication • Full featured backdoor - File handling - Process handling - Execute commands - Data exfiltration HTTP-based C&C communication type • Usually used this type communications • Using compromised server • Full featured backdoor - System info gathering - Execute commands - and so on
  • 26. Type of C&C servers COMPROMISED SERVER — Compromised server — Direct connect by IP address — Encryption channel COMPROMISED WEB SERVER IN CHINA — Usually compromised IIS server — Upload attacker’s PHP scripts — DedeCMS vulnerability — Wordpress vulneraility COMPROMISED WEB SERVER IN KOREA — Usually compromised IIS server — Upload attacker’s JSP scripts — Using specific board vulnerability — Using wordpress vulnerability
  • 27. Not only hwp file
  • 28. Not only hwp file Persistence attack 2017-07-31 07:40:07 비트코인_지갑주소 _및_거래번호.hwp e3796387 (web) KR 2017-07-31 16:25:00 비트코인_지갑주소 _및_거래번호.doc e3796387 (web) KR 2017-08-03 18:13:23 비트코인 거래내역.xls e3796387 (web) KR Decoy of malicious hwp Decoy of malicious word
  • 30. Attack methodology SPEARPHISHING — Malicious office document — Malicious macro embedded — Decoy : Usually used job description and proposal
  • 31. Attack methodology Structure of Macro Attribute VB_Name = "Module1" Sub Auto_Open() On Error GoTo gaqz liveOn = "sjop/fyf" liveOff = Environ("temp") + "" For qnx = 1 To Len(liveOn) liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1) Next Dim str(1635) As String str(1) = "F0E72DBDBEBDBDBD………[redacted]……………DBDBDBD" .... [redacted]…. str(1635) = "9D9D9D9D9D9D81…. ……[redacted]…..….……DBDBDBD" Dim offBin(499) As Byte Open liveOff For Binary Access Write As #1 lpdq = 1 For jnx = 0 To 1634 For inx = 0 To 499 offBin(inx) = Val("&H" + Mid(str(jnx + 1), inx * 2 + 1, 2)) offBin(inx) = offBin(inx) Xor 189 Next inx Macro to create payload liveOn = "EFG492:2/ymt" liveOffd = Environ("temp") + "" For qnx = 1 To Len(liveOn) liveOffd = liveOffd + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1) Next qnx Dim strd(239) As String strd(1) = "1906D8296878D328C9C9C9…[redacted]…..36363636363636" ...... [redacted]…… strd(239) = "C9C9C9C9C9C9C9C9C9C9…[redacted]…….D9C9C9C9C9C9C9" Dim offBind(499) As Byte Open liveOffd For Binary Access Write As #2 lpdq = 1 For jnx = 0 To 238 For inx = 0 To 499 offBind(inx) = Val("&H" + Mid(strd(jnx + 1), inx * 2 + 1, 2)) offBind(inx) = offBind(inx) Xor 201 Next inx Put #2, lpdq, offBind lpdq = lpdq + 500 Next jnx Close #2 Macro to create decoy document
  • 32. Who is target? Finance Engineering Crypto Currency
  • 33. Payload summary • File search, handling • Process handling • Collect system information • Directory / File listing …… Full-featured backdoor a.k.a Fallchill • IP-based C&C communication - Fake SSL communication (Polar SSL) - Used compromised server • HTTP-based C&C communication - Compromised ASP hosting IIS server - Allegedly used board/CMS vulnerability
  • 35. How did I start this investigation? Malicious hwp dropped Manuscrypt Found 1 C&C server in South Korea — Suspected compromised server Working closely with investigation agency — Investigate compromised server — Found one proxy module Expanding research with our telemetry — Yara magic! — Found additional module from compromised sever
• 36. Manuscrypt C2 infrastructure (diagram)
Manuscrypt infected host → Send information → Multi-stage proxy servers → Communication → Final-stage C2 server
• 38. Malwares/Tools from C&C server
Backdoor Variants
  Threat actor uses many kinds of backdoors: active backdoor, passive backdoor, HTTP backdoor, IIS backdoor
Proxy Malware
  Main component of the multi-stage proxy structure; forwards incoming traffic to another host
Information Harvester
  TCP connection harvester to steal inbound/outbound network connections
Other Tools
  Loader to decrypt and execute encrypted payload; file wiper to securely wipe out specific files
• 39. Proxy module
Simply forwards traffic from the incoming host to the next hop
Firewall punching
  - Adds to the allowed port list using a Windows command
Fake SSL communication
  - Disguised as the SSL handshake of legitimate sites
Configuration
  - Stores configuration at a registry key
  - Saves configuration as a specific file
  - Updates the file with data from another hop
  - Decrypts this file when read
• 40. Proxy module – P2P proxy
P2P-based C&C infrastructures (diagram)
  - Another infected host: listening named pipe (\\.\pipe\AnonymousPipe)
  - Connects to external named pipe (\\%s\pipe\AnonymousPipe)
  - PolarSSL encryption
  - Thread #1: receives data from global P2P and writes it to the listened named pipe
  - Thread #2: reads data from the external named pipe and sends it to the global P2P server
  - Global P2P C&C server (passive backdoor module installed)
• 41. Active backdoor
Has C&C server address, performs backdoor functions
IP-based communications
  - Configuration data in registry key
  - Full-featured backdoor
    • File / directory listing
    • Process handling
    • Get system information
    • Execute Windows command
    • Send screenshot
HTTP-based communications
  - Same configuration data as the IP-based backdoor
  - Chooses HEAD, GET or POST method randomly when communicating with the C&C server
  - Full-featured backdoor
• 42. Passive backdoor
Doesn't have a C&C server address; opens a port and waits for connections

INSTALLATION PROCESS
- Get Windows service list and choose one
  e.g. choose the "SharedAccess" service
- Get display name of the service and append "Service"
  e.g. change the "Internet Connection Sharing (ICS)" display name to "Internet Connection Sharing Service"
- Append decrypted strings to the service display name
  e.g. append "is an essential element in Windows System configuration and management."
- Change service name to lower case and append "svc"
  e.g. SharedAccess -> sharedaccesssvc
- Drop payload as service name
  e.g. drop payload to sharedaccesssvc.dll
- Change file timestamp

F/W Punching
  cmd.exe /c netsh firewall add portopening TCP [Port] "adp"

Backdoor functions
  - Almost the same as the active backdoor
  - Some variants have routing functions
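A detection sketch for the installation pattern above, added here in Python (not the speaker's tooling): it flags a service record cloned the way the display-name, service-name and payload-naming steps describe, and pulls the port out of the firewall-punching command. The service inventory and command line are constructed samples; the real ICS service and its ipnathlp.dll serve as the clean control.

```python
"""Added detection sketch (not the speaker's tooling) for the passive-backdoor install
pattern on slide 42: service-name cloning, payload DLL naming, appended description, netsh."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Description the backdoor appends to the cloned display name (quoted on the slide).
BACKDOOR_PHRASE = "is an essential element in windows system configuration and management"
# Slide 42: cmd.exe /c netsh firewall add portopening TCP [Port] "adp"
NETSH_RE = re.compile(r'netsh\s+firewall\s+add\s+portopening\s+TCP\s+(\d{1,5})\s+"adp"', re.I)

@dataclass
class Service:
    name: str          # service key name, e.g. SharedAccess
    display_name: str
    binary: str        # path of the DLL/EXE the service loads

def flag_service(svc: Service, legit_names: Set[str]) -> List[str]:
    """Reasons this record matches the install pattern (empty list = clean)."""
    reasons, name = [], svc.name.lower()
    # "lower-case the chosen service name and append svc": SharedAccess -> sharedaccesssvc
    if name.endswith("svc") and name[:-3] in {n.lower() for n in legit_names}:
        reasons.append(f"name cloned from legitimate service '{name[:-3]}' plus 'svc'")
    # "drop payload as service name": sharedaccesssvc -> sharedaccesssvc.dll
    if ntpath.basename(svc.binary).lower() == name + ".dll":
        reasons.append("payload DLL named after the service")
    if BACKDOOR_PHRASE in svc.display_name.lower():
        reasons.append("display name carries the backdoor's appended description")
    return reasons

def netsh_port(cmdline: str) -> Optional[int]:
    """Port opened by the firewall-punching command, or None if the line does not match."""
    m = NETSH_RE.search(cmdline)
    return int(m.group(1)) if m else None

# Constructed sample inventory: the real ICS service plus a clone built as the slide describes.
SAMPLE_SERVICES = [
    Service("SharedAccess", "Internet Connection Sharing (ICS)", r"C:\Windows\System32\ipnathlp.dll"),
    Service("sharedaccesssvc", "Internet Connection Sharing Service is an essential element in "
            "Windows System configuration and management.", r"C:\Windows\System32\sharedaccesssvc.dll"),
]
LEGIT_NAMES = {"SharedAccess", "Dnscache", "LanmanServer"}
SAMPLE_CMDLINE = 'cmd.exe /c netsh firewall add portopening TCP 443 "adp"'  # constructed

if __name__ == "__main__":
    for s in SAMPLE_SERVICES:
        print(s.name, "->", "; ".join(flag_service(s, LEGIT_NAMES)) or "clean")
    print("punched port:", netsh_port(SAMPLE_CMDLINE))
```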
• 43. Other tools
Log Wiper
  - Generates a random buffer
  - Overwrites the file with that data repeatedly
  - Deletes the file
TCP Connection Harvester
  - Chooses the proper API depending on OS version
• 44. Malwares/Tools from C&C server (chart)
Countries: Indonesia, India, Bangladesh, Malaysia, Vietnam, Korea, Taiwan, Thailand
Tools: Active Backdoor, Passive Backdoor, Proxy, TCP conn Harvester, IIS Backdoor, HTTP Backdoor
• 45. Malwares/Tools from C&C server (diagrams: Case #1, Case #2)
Countries: India, Colombia, Dominican Republic, Germany, Indonesia, South Korea, Sri Lanka, Panama, Vietnam
Tools: Active backdoor, Proxy, HTTP Backdoor, Passive Backdoor, TCP Conn Harvester
• 46. Vulnerability information

IP            | Web server ver | OS fingerprinting
2xx.xx.xx.xxx | N/A            | Windows Server 2003 R2
5x.xx.xx.xxx  | IIS 6.0        | Aggressive OS guesses: Microsoft Windows Server 2003 (91%), Microsoft Windows Server 2003 SP2 (91%)
2xx.xx.xx.xxx | IIS 6.0        | N/A
1xx.xx.xx.xxx | IIS 6.0        | Aggressive OS guesses: Microsoft Windows 2003 R2 (93%), Microsoft Windows Server 2003 (93%), Microsoft Windows Server 2003 SP2 (93%)
2xx.xx.xx.xxx | IIS 6.0        | Aggressive OS guesses: Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
1xx.xx.xx.xxx | IIS 6.0        | Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%), Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
2xx.xx.xx.xxx | IIS 6.0        | N/A
2xx.xx.xx.xxx | IIS 6.0        | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (89%)
5x.xx.xx.xxx  | N/A            | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows Server 2003 SP1 - SP2 (92%)
• 47. Vulnerability information (timeline)
  2017-03-26 CVE-2017-7269 published
  2017-03-31 PoC for CVE-2017-7269 added to Metasploit module
  2017-04-11 Attack tool for this exploit was created
  2017-06-13 Microsoft published patch for this vulnerability
• 48. Let's put them together (diagram)
Corporate users → Weaponized hwp/doc → Victim (Manuscrypt infected)
  - Sometimes infect corporate hosts from server
C&C server infrastructure
  - Configure C&C infra
  - Control infected hosts
  - Communicate with multi-stage C&C
Tools: Active backdoor, Passive backdoor, Proxy module, TCP harvester, ……
• 49. Takeaways
  • Never let your servers be compromised by them
  • They keep polishing their tools
  • Their favorite attack vector is spearphishing
  • Recently, they have been changing their TTPs
  • Let's keep up with their TTPs