You've got mail! from: TurlaCountermeasure 2018 | Ottawa

Matthieu Faou | Malware Researcher

Matthieu FaouMalware Researcher | ESET Montreal

@matthieu_faou

2

Agenda

1. Background on Turla

2. Mosquito MitM campaign

3. Outlook Backdoor

3

Background

Timeline

Moonlight Maze

1998

5

Timeline

Moonlight Maze

1998

6

Timeline

Moonlight Maze

US Department of Defense breach

2008

1998

7

Timeline

Moonlight Maze

US Department of Defense breach

2008

1998

8

Timeline

Moonlight Maze

US Department of Defense breach

Finnish MFA breach

2008

20131998

9

Timeline

Moonlight Maze

US Department of Defense breach

Finnish MFA breach

2008

20131998

2014

RUAG breach

10

Timeline

Moonlight Maze

US Department of Defense breach

Finnish MFA breach

MitM/MotS on adobe.com

2008

201620131998

2014

RUAG breach

11

Timeline

Moonlight Maze

US Department of Defense breach

Finnish MFA breach

MitM/MotS on adobe.com

German Government breach goes public

2008

2016

2018

20131998

2014

RUAG breach

12

Arsenal

•Rootkit

•MitM

•Watering Hole

•Several advanced 2nd stage backdoors

13

Mosquito

Diplomatsin

Eastern Europe/Central Asia

July 2016

Fake flash installer

Downloaded from http://admdownload.adobe.com *

* We believe Adobe was not compromised

Infection Vector-

Tracing the infection chain (end-point perspective)

http://admdownload.adobe.com/bin[...]

Legitimate Akamai/Adobe IP address

Fake Flash Installer

Download executable

Something weird is happening on the network

Possible interception points

Local MitM & Compromised Gateway

•Full control of a *particular* organization’s traffic

•Ex:• DNS Changer

• Slingshot

WiFi Credentials Export

ISP MitM

•Full control of its customers’ traffic

•Can be targeted

•Stealthy

Ex: FinFisher

•Sophisticated Commercial Spyware

•FinFly ISP product

•MitM campaign discovered by ESET in 2016

FinFisher MitM

•Malicious redirect

•Trojanized software (VLC, Avast, …)

•Easy to infect (again and again) particular targets

BGP Hijacking

•Reroute traffic to an attacker-controlled server

•Noisy / Not Targeted

•We didn’t see malicious announcement for the Adobe/Akamia prefixes

Other possibilities: Man-on-the-Side attack

•Race condition

•Condition: ability to read the traffic

•Objective: Replying to the victim before the legitimate server

Other possibilities: Man-on-the-Side attack

•Hard to beat Akamai

•And exfiltrated data would reach Akamai servers

-> Hard and noisy

Other possibilities: Domain Fronting

•Adobe uses a CDN: Akamai

•Leverage HTTPs to hide the final destination

•Use different hostname in DNS, TLS and HTTP

Fifield, David & Lan, Chang & Hynes, Rod & Wegmann, Percy & Paxson, Vern. (2015). Blocking-resistant communication through domain fronting. Proceedings on Privacy Enhancing Technologies. 2015. 10.1515/popets-2015-0009.

Other possibilities: Domain Fronting

•Fake flash is downloaded through HTTP

•Not possible to hide the destination

Other possibilities

•Adobe/Akamai compromised

•We reached them

• Very unlikely

And it contacts adobe.com again

During the installation…

http://get.adobe.com/stats/AbfFcBebD/q=<base64-encoded data>

Information exfiltrated to get.adobe.com over HTTP

Link with OSX/Snake

OSX/Snake

OSX/Snake

It even tricked researchers!

Windows Backdoor

•Download

•Execute

•Exfiltrate

Other tools

JScript Backdoor

•C&C: Google Script

•Exfiltrate MAC address + unique ID

•Downloads & Executes (eval) additional JS code

Metasploit

•Started in March 2018

•Fake flash • Executes a Metasploit shellcode

• Downloads a Meterpreter from https://209.239.115[.]91/6OHEJ

•Mosquito backdoor finally dropped

Outlook Backdoor

The group Snake is said to have attacked the German government network.

46

Hackers have been able to copy data from the government networks via the Outlook mail program.

47

We need to look deeper

48

Targets

•Ministry of Foreign Affairs

•Defense contractors

•?

49

Timeline

Oldest compilation timestamp

2009

50

Timeline

Oldest compilation timestamp

2009

51

Timeline

Oldest compilation timestamp

First sample uploaded on

VirusTotal

2009

2010

52

Timeline

Oldest compilation timestamp

First sample uploaded on

VirusTotal

2009

2010

53

Timeline

Oldest compilation timestamp

First sample uploaded on

VirusTotal

Execute commands

sent by emails (XML)

2009

2010

2013

54

Timeline

Oldest compilation timestamp

First sample uploaded on

VirusTotal

Execute commands

sent by emails (XML)

2009

2010 2016 (?)

2013

Commands are hidden in PDF documents sent

to the victims

55

Timeline

Oldest compilation timestamp

First sample uploaded on

VirusTotal

Execute commands

sent by emails (XML)

Public announcement of the German incident

2009

2010

Mar. 2018

2016 (?)

2013

Commands are hidden in PDF documents sent

to the victims

56

Timeline

Oldest compilation timestamp

First sample uploaded on

VirusTotal

Execute commands

sent by emails (XML)

Public announcement of the German incident

Our report goes public

2009

2010

Mar. 2018

2016 (?)

2013

Commands are hidden in PDF documents sent

to the victims

Aug. 2018

57

Installation

•COM object hijacking•Quite old technique

• ComRAT & Mosquito• https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Larimer

-VB2011.pdf

• https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

•Outlook Protocol Manager.

58

HKCR = HKCU + HKLM

59

60

61

62

63

MAPI

•Messaging Application Programming Interface

•COM-based API

•Allows software to be email-aware

•Replace olmapi32.dll

64

65

66

67

68

Outgoing emails

•All outgoing emails are forwarded to the attacker’s email address

•Can be disabled by changing a config value in the registry

69

70

71

72

73

Outgoing emails

• Information is exfiltrated at the same time the victim sends an email• Prevent sending emails at unusual hours

•Data is encrypted and stored in a PDF attached to the email

74

75

76

77

Operator email addresses

78

Operator email addresses

79

Operator email addresses

80

Operator email addresses

81

Operator email addresses

• In recent campaigns, we have seen them using gmx.com

•Pattern seems firstname.lastname@[free webmail]

•Sometimes, they impersonate the victim

82

83

Incoming emails

•All incoming email metadata is logged (subject, sender, etc.)

•Checks if the attachment is a PDF and contains a command

84

85

Hiding UI artefacts

•Delete all backdoor-related messages• Sent

• Received

• If it contains the operator email address

•Hooks

86

Hiding UI artefacts

87

Hiding UI artefacts

88

Backdoor

•Fully-controlled by email• Commands are contained in PDF attachments

•Old versions: XML in the email body

•Operator agnostic• Even if the email address is took down, a command can

be sent from any other email address

89

Backdoor | PDF format

•Really complex – a pain to reverse• Probably just to make analysis more time consuming

•Valid PDF document

•Data appended after a JPG

90

91

92

93

94

95

Backdoor | FunctionsID Commands

0x10 Not implemented

0x11 Display a MessageBox

0x12 Sleep

0x20 Delete file

0x21 Get file

0x22 Set operator email address

0x23 Put file

0x24 Run shell command

0x25 Create process

0x26 Delete directory

0x27 Create directory

0x28 Change timeout

0x29 Run PowerShell command (PSInject - 2018)

0x2A Set answer mode (2018)

96

97

Turla Encryption History

•Carbon and Snake: CAST-128

•Gazer: Custom RSA implementation

•Mosquito: BlumBlumShub

•Uroboros: Threefish

98

Backdoor | Encryption

•All significant values were changed

• Identification of the main characteristics• Symmetric

• 128-bit key

• Two hardcoded tables

• 64-bits block

• 8 rounds

99

Changes to MISTY1

•The 128–bit key is generated from two hardcoded 1024–bit keys plus a 2048–bit Initialization Vector.

•They shuffled s7 and s9

•They added XOR operations in FI

100

Demo

Mitigations

103

104

On the computer side

•EDR/Sysmon (?) to identify COM hijacking

•Windows Defender Security Center

105

Do not allow child processes

106

Do not allow child processes

107

Code Integrity Guard

108

Code Integrity Guard

109

Code Integrity Guard

110

Code Integrity Guard

111

On the mail server side

•Blocking emails based on PDF format: controlled by the attackers

•Monitoring duplicate sending of emails• High FP rate?

• Attacker’s address looks like private victim’s address

112

•Comprehensive WhitePaperreleased in August 2018

• https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf

• https://github.com/eset/malware-ioc/tree/master/turla#turla-outlook-indicators-of-compromise

113

Conclusion

•Two examples showing the sophistication of Turla

•Turla is not your casual and lazy attacker

114

www.eset.com | www.welivesecurity.com

Matthieu FaouMalware Researcher

@matthieu_faou

matthieu.faou@eset.com