Careto: Unmasking a New Level in APT-ware
TRANSCRIPT
Sponsored by www.Lumension.com
© 2014 Monterey Technology Group Inc.
Thanks to Dan Teal, Sr. Architect
Preview of Key Points
- Installation
- Backdoor components
- Use of certificates
- Exploit sites
- Communication
- Command and control servers
- Exploits used
Overview
- Used many sources for my research, but in particular the 65-page Kaspersky report
- 380 victims in 31 countries
- Targets: government; energy, oil and gas; private companies; research institutions; financial; activists
- 32- and 64-bit Windows
- Linux, Mac and Android
- Two main components:
  - Careto: user level; collects system info; runs arbitrary code
  - SGH: kernel-mode rootkit; intercepts system calls; steals files; extensible (Skype, encryption keys, WiFi traffic, keystrokes, screen capture...)
Initial attack
- Began with spear phishing attacks: videos related to political subjects, food recipes
- Links to a malicious server using disguised URLs
- After infection, the victim is redirected to the actual resource the user was expecting
Exploit server
- Victim first hits Java code that profiles their endpoint: browser, plugins, OS, version of Office, Java version
- Then, depending on the profile, the victim is redirected to the appropriate subdirectory for their PC profile
- Exploits:
  - Java: signed applets via CVE-2011-3544
  - Flash
  - Plugins for Chrome and Firefox
  - Windows, Linux and OS X
Exploit to Install
- Java exploit 1: victim is redirected to an HTML file that tries to load and run a signed Java applet; the JAR file uses CVE-2011-3544 and pulls an EXE out of icon.jpg inside the JAR file
- Java exploit 2: uses JNLP files; claims to be an Oracle Java update and asks for permission to install
- Another Java exploit apparently tailored for Macs
- Flash exploit: leverages CVE-2012-0773; originally developed by VUPEN to win the Pwn2Own contest; first known exploit to defeat the Chrome sandbox
- Chrome plugin: relied on users to click Continue on the Chrome "may harm your computer" warning
Installer
- Windows standalone executable installer
- Valid signature: TecSystem Ltd., Sofia, BG; expired 2013.06.28
- Extracts the appropriate DLL (32- or 64-bit) that hosts the persistent backdoor, named objframe.dll
- Saves it to either %system% or %appdata%, depending on Windows version
- Uses or eschews admin authority depending on UAC
- Changes file metadata to match kernel.dll
- Replaces a COM object in the registry
Backdoor persistence
- objframe.dll is activated in every application that uses the hijacked COM object
- Primary target: Windows Explorer – perfect
- Loads in the hijacked class DLL
- Erases itself from the process's module list
- Loads another system DLL not used by the current process
- Then overwrites the contents of that DLL in memory with itself, but leaves the module list alone, disguising its presence
- To detect it, you would have to compare the actual memory contents of the library to the file on disk
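An added example, not part of the presentation and not Lumension's or Kaspersky's tooling: a PowerShell audit of the registry side of this persistence. It lists per-user COM InprocServer32 handlers that shadow a machine-wide CLSID, point under %appdata%, or carry a signature whose status is not Valid (the installer's own certificate had expired). The registry paths and the three flags are assumptions about what is worth surfacing; the memory-versus-disk comparison the slide mentions is a separate check this script does not do.

```powershell
# Added example (not from the presentation): audit per-user COM handlers.
# Careto swapped the DLL behind an existing COM class so that objframe.dll
# loads into every process (Explorer above all) that creates that object.
# A CLSID written under HKCU needs no admin rights and shadows the HKLM
# entry for this user, which is why the script enumerates HKCU.
$userClsid = 'HKCU:\Software\Classes\CLSID'
$appData   = [Environment]::GetFolderPath('ApplicationData')

$findings = Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = "$userClsid\$clsid\InprocServer32"
    if (-not (Test-Path -Path $inproc)) { return }

    # The default value of InprocServer32 is the DLL path COM will load.
    $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($dll)) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))

    # A per-user entry for a CLSID that also exists machine-wide is the
    # classic hijack shape: the user-hive copy wins for this user.
    $shadowsHklm = Test-Path -Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"

    # Careto dropped into %appdata% when it lacked admin rights, and its
    # installer certificate had expired; report anything that is not Valid.
    $sigStatus = if (Test-Path -LiteralPath $dll) {
        (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
    } else { 'FileMissing' }

    [PSCustomObject]@{
        CLSID       = $clsid
        Dll         = $dll
        ShadowsHKLM = $shadowsHklm
        InAppData   = $dll.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
        Signature   = $sigStatus
    }
}

# Surface only the rows that trip one of the three flags.
$findings |
    Where-Object { $_.ShadowsHKLM -or $_.InAppData -or $_.Signature -ne 'Valid' } |
    Sort-Object -Property ShadowsHKLM, InAppData -Descending |
    Format-Table -AutoSize
```

Legitimate per-user installs also register CLSIDs under HKCU, so treat each row as a lead to review (DLL path, signer, and whether the HKLM entry it shadows belongs to a system component), not as a verdict.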
Communication with C&C Servers
- Now watches for calls to start IE, Chrome or Firefox and injects itself into the browser
- All C&C communication goes through the browser, to evade local firewalls
- Communicates with C&C servers via HTTP/HTTPS GET and POST verbs
- C&C server sends back commands: upload, execute, system report, etc.
SGH module
- Even more sophisticated
- Careto and SGH can install each other
- SGH runs in kernel mode
- Extensible modules include: Skype, keylogger, file content, network traffic, screenshots, email messages
How could Careto have been defeated?
  Attack step                     Defense
  Spear phishing email            Awareness training (spear phishing; clicking Yes on updates and warnings)
  Malicious URL                   Web filtering
  Java/Flash exploit              Patching
  Malware executables installed   Application control
  DLL injected                    Memory protection
  Phone home                      Next-gen network protection
How do you prevent malware like this?
Additional Information
- Free Security Scanner Tools
  - Application Scanner – discover all the apps being used in your network
  - Device Scanner – discover all the devices being used in your network
  https://www.lumension.com/resources/premium-security-tools.aspx
- Reports
  - Whitepaper "The State of APT Preparedness" from UBM Tech at https://www.lumension.com/resources/WhitePapers/The-State-of-APT-Preparedness
  - On-Demand Webcast "Top 9 Mistakes of APT Victims" by Ultimate Windows Security at https://www.lumension.com/resources/Webcasts/Top-9-Mistakes-of-APT-Victims
- Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
- Buy now: www.lumension.com/endpoint-management-security-suite/buy-now.aspx