Careto: Unmasking a New Level in APT-ware


Upload: lumension

Post on 08-Jun-2015


TRANSCRIPT

Page 1: Careto: Unmasking a New Level in APT-ware

Sponsored by

Careto: Unmasking a New Level in APT-ware

© 2014 Monterey Technology Group Inc.

Page 2: Careto: Unmasking a New Level in APT-ware

Thanks to Dan Teal, Sr. Architect


www.Lumension.com

Page 3: Careto: Unmasking a New Level in APT-ware

Preview of Key Points

Installation

Backdoor components

Use of certificates

Exploit sites

Communication

Command and control servers

Exploits used


Page 4: Careto: Unmasking a New Level in APT-ware

Overview

Used many sources for my research, but in particular the 65-page Kaspersky report

380 victims in 31 countries

Targets
  - Government
  - Energy, oil and gas
  - Private companies
  - Research institutions
  - Financial
  - Activists

32- and 64-bit Windows

Linux, Mac and Android

2 main components
  - Careto: user level, collects system info, runs arbitrary code
  - SGH: kernel-mode rootkit, intercepts system calls, steals files, extensible
    (Skype, encryption keys, WiFi traffic, keystrokes, screen capture...)


Page 5: Careto: Unmasking a New Level in APT-ware

Initial attack

Began with spear phishing attacks
  - Videos related to political subjects
  - Food recipes

Links to a malicious server using disguised URLs

After infection, the victim is redirected to the actual resource the user was expecting


Page 6: Careto: Unmasking a New Level in APT-ware

Exploit server

Victim first hits Java code that profiles their endpoint
  - Browser
  - Plugins
  - OS
  - Version of Office
  - Java version

Then, depending on the profile, redirected to the appropriate subdirectory for their PC profile

Exploits
  - Java: signed applets via CVE-2011-3544
  - Flash
  - Plugins for Chrome and Firefox
  - Windows, Linux and OS X


Page 7: Careto: Unmasking a New Level in APT-ware

Exploit to Install

Java exploit 1
  - Redirected to an HTML file that tries to load and run a signed Java applet
  - Jar file uses CVE-2011-3544
  - Pulls an exe out of icon.jpg from the Jar file

Java exploit 2
  - Uses JNLP files
  - Claims to be an Oracle Java update and asks for permission to install

Another Java exploit apparently tailored for Macs

Flash exploit
  - Leverages CVE-2012-0773
  - Originally developed by VUPEN to win the pwn2own contest
  - First known exploit to defeat the Chrome sandbox

Chrome plugin
  - Relied on users to click Continue on the Chrome “may harm your computer” warning


Page 8: Careto: Unmasking a New Level in APT-ware

Installer

Windows standalone executable installer
  - Valid signature: TecSystem Ltd., Sofia, BG
  - Expired 2013.06.28

Extracts the appropriate DLL that hosts the persistent backdoor
  - 32/64-bit, named objframe.dll
  - Saves to either %system% or %appdata% depending on Windows version
  - Uses or eschews admin authority depending on UAC
  - Changes file metadata to match kernel.dll
  - Replaces a COM object in the registry
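The registry change on this slide (a COM class whose InprocServer32 value now points at the dropped DLL) is something a defender can hunt for in an exported hive. The following is an added example, not code from the webcast or from Lumension: it parses a constructed `reg export HKCR\CLSID` dump and flags in-process servers that load from a user-writable directory or carry the objframe.dll name. The CLSIDs, user name and paths in the sample are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export HKCR\CLSID` dump; the CLSIDs are placeholders, not real ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Windows\\System32\\ole32.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\objframe.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\Windows\\System32\\objframe.dll"
"""

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
KNOWN_BAD_NAMES = {"objframe.dll"}   # the backdoor DLL name given on the slide

def parse_inproc_servers(reg_text):
    """Yield (clsid, dll_path) for every InprocServer32 default value in a .reg export."""
    clsid = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # new key: remember it only if it is an InprocServer32 key
            m = KEY_RE.match(line)
            clsid = m.group(1) if m else None
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if clsid and m:
            yield clsid, m.group(1).replace("\\\\", "\\")   # .reg files double every backslash

def suspicious_inproc_servers(reg_text):
    """Return [(clsid, path, reasons)] for servers that look like a hijacked COM object."""
    hits = []
    for clsid, path in parse_inproc_servers(reg_text):
        low = path.lower()
        reasons = []
        if any(seg in low for seg in USER_WRITABLE):
            reasons.append("user-writable directory")
        if PureWindowsPath(low).name in KNOWN_BAD_NAMES:
            reasons.append("known Careto filename")
        if reasons:
            hits.append((clsid, path, reasons))
    return hits
```

A name match alone is weak, since the slide says the installer also drops into %system% with admin rights; pairing the path check with signature and metadata verification of the referenced file is what makes the hunt useful.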


Page 9: Careto: Unmasking a New Level in APT-ware

Backdoor persistence

Objframe.dll activated in every application that uses the hijacked COM object
  - Primary target Windows Explorer – perfect

Loads in the hijacked class DLL
  - Erases itself from the process's module list
  - Loads another system DLL not used by the current process
  - Then overwrites the contents of that DLL in memory with itself
  - But leaves the module list alone, disguising its presence
  - Would have to compare the actual memory contents of the library to the file on disk
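The last point on this slide, comparing a library's in-memory contents with its file on disk, is the detection technique. The block below is an added example, not code from the webcast: it builds a constructed minimal PE (not a real DLL), maps it the way the loader would, overwrites its code section as the slide describes, and shows a per-section comparison finding the mismatch. `build_pe`, `map_image` and `compare_module` are names chosen here.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout

def build_pe(sections):
    """Build a minimal PE file from [(name, rva, bytes)]; constructed test data, not a real DLL."""
    nsec, opt_size, e_lfanew = len(sections), 0xE0, 0x40
    raw_ptr = (e_lfanew + 24 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    headers, body = b"", b""
    for name, va, data in sections:
        headers += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), va,
                               len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(raw_ptr, b"\0") + body

def sections_of(image):
    """Yield (name, rva, file_offset, length) for each section header in a PE image."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    base = e_lfanew + 24 + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, base + 40 * i)
        yield name.rstrip(b"\0").decode(), va, rawptr, min(vsize, rawsize)

def map_image(disk_pe, size):
    """Lay the file out as the loader would: each section copied to its RVA."""
    mem = bytearray(size)
    for _, va, rawptr, length in sections_of(disk_pe):
        mem[va:va + length] = disk_pe[rawptr:rawptr + length]
    return mem

def compare_module(disk_pe, mem_image):
    """Return {section: RVA of the first in-memory byte that differs from disk, or None}."""
    result = {}
    for name, va, rawptr, length in sections_of(disk_pe):
        expected, actual = disk_pe[rawptr:rawptr + length], bytes(mem_image[va:va + length])
        hit = next((i for i in range(length) if expected[i] != actual[i]), None)
        result[name] = None if hit is None else va + hit
    return result

# Constructed scenario: an unused system DLL is loaded, then its code is overwritten in place.
INNOCENT_DLL = build_pe([(b".text", 0x1000, b"\x90" * 64 + b"\xc3"), (b".data", 0x2000, b"cfg=1\0")])
clean_memory = map_image(INNOCENT_DLL, 0x3000)
hollowed_memory = bytearray(clean_memory)
hollowed_memory[0x1000:0x1010] = b"BACKDOOR_STUB_00"   # module list still names the system DLL
```

Real modules differ legitimately from disk at relocation fixups and the import table, so a production comparison masks those regions before diffing, and because the module list here is truthful about which DLL is mapped, the check has to run over every loaded module rather than only over unexpected names.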


Page 10: Careto: Unmasking a New Level in APT-ware

Communication with C&C Servers

Now watches for calls to start IE, Chrome or Firefox
  - Injects itself into the browser
  - All C&C communication goes through the browser
  - Evades local firewalls

Communicates with C&C servers via HTTP/HTTPS GET and POST verbs

C&C server sends back commands
  - Upload
  - Execute
  - System report
  - Etc.


Page 11: Careto: Unmasking a New Level in APT-ware

SGH module

Even more sophisticated

Careto and SGH can install each other

SGH runs in kernel mode

Extensible modules include
  - Skype
  - Keylogger
  - File content
  - Network traffic
  - Screenshots
  - Email messages


Page 12: Careto: Unmasking a New Level in APT-ware

How could Careto have been defeated?

Attack step                      Countermeasure
Spear phishing email             Awareness training (spear phishing; clicking Yes on updates and warnings)
Malicious URL                    Web filtering
Java/Flash exploit               Patching
Malware executables installed    Application control
DLL injected                     Memory protection
Phone home                       Next-gen network protection


Page 13: Careto: Unmasking a New Level in APT-ware

How do you prevent malware like this?

Page 14: Careto: Unmasking a New Level in APT-ware

Additional Information

Free Security Scanner Tools
  - Application Scanner: discover all the apps being used in your network
  - Device Scanner: discover all the devices being used in your network
  https://www.lumension.com/resources/premium-security-tools.aspx

Reports
  - Whitepaper “The State of APT Preparedness” from UBM Tech at https://www.lumension.com/resources/WhitePapers/The-State-of-APT-Preparedness
  - On-Demand Webcast “Top 9 Mistakes of APT Victims” by Ultimate Windows Security at https://www.lumension.com/resources/Webcasts/Top-9-Mistakes-of-APT-Victims

Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx

Page 15: Careto: Unmasking a New Level in APT-ware

Additional Information

www.lumension.com/endpoint-management-security-suite/buy-now.aspx