WARNING: Do Not Feed the Bears
0 likes•287 views
The document discusses advanced persistent threats (APTs) targeting the Croatian government, highlighting two suspicious emails containing malicious Microsoft Office documents received in early 2017. It details various findings related to malware infection, including decryption routines and payloads, specifically vulnerabilities exploited within the documents. The document concludes with references to related works on related exploits and security incidents.
WARNING: Do Not Feed the Bears
- 1. WARNING:WARNING: Do Not Feed the BearsDo Not Feed the Bears Miroslav Štampar ([email protected]; [email protected]) WARNING:WARNING: Do Not Feed the BearsDo Not Feed the Bears Miroslav Štampar ([email protected]; [email protected])
- 2. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 2 ContextContext Croatian Government CERT Dealing with vast diversity of different incidents (e.g. ransomware, defacements, DoS attacks, etc.) Most interesting (by far) are APT attacks “Have you noticed anything strange with your computer lately? -Nope. Though, IE with Twitter is popping out here and there… and I don’t use Twitter” (recent APT incident) We are part of NATO and EU – hence, natural target of “advanced persistent threats”
- 3. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 3 IntroductionIntroduction In January got two (forwarded) suspicious emails with question “was this an attack?” August (Bulletin.doc - bigger) and November (Operation_in_Mosul.doc - smaller) of 2016 Originally addressed to one “sensitive” government institution, hence, we expected the “unexpected” Attachments were Microsoft Office documents (.doc), regular attacking vector in this kind of (spear) phishing attacks In majority of cases, malicious Macros are used, while in this case, there were no Macros
- 4. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 4 Emails (content)Emails (content)
- 5. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 5 Emails (headers)Emails (headers)
- 6. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 6 Emails (reverse DNS)Emails (reverse DNS)
- 7. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 7 Attachments (.doc / RTF)Attachments (.doc / RTF)
- 8. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 8 Initial findings (long hex strings)Initial findings (long hex strings)
- 9. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 9 Initial findings (CLSID)Initial findings (CLSID)
- 10. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 10 Initial findings (ShockwaveFlash)Initial findings (ShockwaveFlash)
- 11. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 11 Initial findings (hash/VirusTotal)Initial findings (hash/VirusTotal)
- 12. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 12 Dummy run (VM)Dummy run (VM)
- 13. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 13 Extracting OLE objects (OfficeMalScanner)Extracting OLE objects (OfficeMalScanner)
- 14. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 14 Decompiling SWF files (ffdec)Decompiling SWF files (ffdec)
- 15. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 15 Encrypted payloads (exploit + dropper)Encrypted payloads (exploit + dropper)
- 16. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 16 Decryption (LFSR) routine (Bulletin.doc)Decryption (LFSR) routine (Bulletin.doc)
- 17. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 17 Decryption/Loader routine (Operation_in_Mosul.doc)Decryption/Loader routine (Operation_in_Mosul.doc)
- 18. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 18 Payload “choice” (Bulletin.doc)Payload “choice” (Bulletin.doc) Flash Player Version Embedded Binary Vulnerability 20.0.0.306 - 21.0.0.242 (Ver_)ExtSwf2 CVE-2016-4117 20.0.0.228 - 20.0.0.306 (Ver_)ExtSwf CVE-2016-1019 11.5.502.146 - 19.0.0.207 (Ver_)ExtSwf1 CVE-2015-7645
- 19. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 19 Vulnerabilities exploited (Bulletin.doc)Vulnerabilities exploited (Bulletin.doc)
- 20. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 20 Payload decryptionPayload decryption
- 21. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 21 Payload decompression (CWS/FWS)Payload decompression (CWS/FWS)
- 22. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 22 Payload (dbg) strings (Bulletin.doc)Payload (dbg) strings (Bulletin.doc)
- 23. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 23 CVE-2016-4117 (Bulletin.doc)CVE-2016-4117 (Bulletin.doc)
- 24. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 24 CVE-2015-7645 (Bulletin.doc)CVE-2015-7645 (Bulletin.doc)
- 25. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 25 CVE-2016-1019 (Bulletin.doc)CVE-2016-1019 (Bulletin.doc)
- 26. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 26 Payload “fetch” (Operation_in_Mosul.doc)Payload “fetch” (Operation_in_Mosul.doc)
- 27. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 27 Infection phase (Bulletin.doc)Infection phase (Bulletin.doc)
- 28. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 28 nshwmpfs.dll (runtime check)nshwmpfs.dll (runtime check)
- 29. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 29 nshwmpfs.dll (Carberp source)nshwmpfs.dll (Carberp source)
- 30. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 30 nshwmpfs.dll (string (de)obfuscation)nshwmpfs.dll (string (de)obfuscation)
- 31. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 31 nshwmpfs.dll (what it is all about?)nshwmpfs.dll (what it is all about?) Reconnaissance (first stage) malware (aka. JHUHUGIT) Downloading, execution and deletion of arbitrary files Collects basic data about the infected system and sends it (in encrypted form) to C&C In case that C&C server and/or operator finds the system “interesting” leaves command for downloading of second stage malware Second stage malware: SPLM (aka Xagent, aka CHOPSTICK) and AZZY (aka. ADVSTORESHELL, NETUI, EVILTOSS)
- 32. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 32 Appendix A: Servers (C&C)Appendix A: Servers (C&C) accgmail.com (mail server) 213.202.214.148 servicecdp.com (C&C - Bulletin.doc) 87.236.211.182 uniquecorpind.com (C&C / exploits - Operation_in_Mosul.doc) 62.113.232.196
- 33. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 33 Appendix B: Passive DNS / WHOISAppendix B: Passive DNS / WHOIS
- 34. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 34 Related workRelated work Palo Alto Networks, “‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform”, Oct. 2016. Palo Alto Networks, “Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue”, Dec. 2016. FireEye, “CVE-2016-4117: Flash Zero-Day Exploited in the Wild”, May. 2016. SonicWall, “Adobe Type Confusion Vulnerability CVE-2015-7645 Exploits in the Wild”, 2016. Trend Micro, “A Look Into Adobe Flash Player CVE-2016-1019 Zero-Day Attack”, Apr. 2016.
- 35. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 35 Questions?Questions?