You've got mail! from: Turla
Countermeasure 2018 | Ottawa
Matthieu Faou, Malware Researcher | ESET Montreal
@matthieu_faou
Agenda
1. Background on Turla
2. Mosquito MitM campaign
3. Outlook Backdoor
Background
Timeline
1998: Moonlight Maze
2008: US Department of Defense breach
2013: Finnish MFA breach
2014: RUAG breach
2016: MitM/MotS on adobe.com
2018: German Government breach goes public
Arsenal
• Rootkit
• MitM
• Watering Hole
• Several advanced 2nd stage backdoors
Mosquito
Diplomats in Eastern Europe/Central Asia
July 2016
Infection Vector
Fake Flash installer
Downloaded from http://admdownload.adobe.com *
* We believe Adobe was not compromised
Tracing the infection chain (end-point perspective)
http://admdownload.adobe.com/bin[...] -> Legitimate Akamai/Adobe IP address -> Fake Flash Installer -> Download executable
Something weird is happening on the network
Possible interception points
Local MitM & Compromised Gateway
• Full control of a *particular* organization’s traffic
• Ex: DNS Changer, Slingshot
WiFi Credentials Export
ISP MitM
• Full control of its customers’ traffic
• Can be targeted
• Stealthy
Ex: FinFisher
• Sophisticated commercial spyware
• FinFly ISP product
• MitM campaign discovered by ESET in 2016
FinFisher MitM
• Malicious redirect
• Trojanized software (VLC, Avast, …)
• Easy to infect (again and again) particular targets
BGP Hijacking
• Reroute traffic to an attacker-controlled server
• Noisy / not targeted
• We didn’t see any malicious announcements for the Adobe/Akamai prefixes
Other possibilities: Man-on-the-Side attack
• Race condition
• Condition: ability to read the traffic
• Objective: replying to the victim before the legitimate server
• Hard to beat Akamai
• And exfiltrated data would reach Akamai servers
-> Hard and noisy
Other possibilities: Domain Fronting
• Adobe uses a CDN: Akamai
• Leverage HTTPS to hide the final destination
• Use a different hostname in DNS, in the TLS SNI and in the HTTP Host header
Fifield, David & Lan, Chang & Hynes, Rod & Wegmann, Percy & Paxson, Vern. (2015). Blocking-resistant communication through domain fronting. Proceedings on Privacy Enhancing Technologies. 2015. 10.1515/popets-2015-0009.
• Fake Flash is downloaded through HTTP
• Not possible to hide the destination
Other possibilities
• Adobe/Akamai compromised
  • We reached them
  • Very unlikely
And it contacts adobe.com again
During the installation…
http://get.adobe.com/stats/AbfFcBebD/q=<base64-encoded data>
Information exfiltrated to get.adobe.com over HTTP
Link with OSX/Snake
OSX/Snake
It even tricked researchers!
Windows Backdoor
• Download
• Execute
• Exfiltrate
Other tools
JScript Backdoor
• C&C: Google Script
• Exfiltrates MAC address + unique ID
• Downloads & executes (eval) additional JS code
Metasploit
• Started in March 2018
• Fake Flash
  • Executes a Metasploit shellcode
  • Downloads a Meterpreter from https://209.239.115[.]91/6OHEJ
• Mosquito backdoor finally dropped
Outlook Backdoor
The group Snake is said to have attacked the German government network.
Hackers have been able to copy data from the government networks via the Outlook mail program.
We need to look deeper
Targets
• Ministry of Foreign Affairs
• Defense contractors
• ?
Timeline
2009: Oldest compilation timestamp
2010: First sample uploaded on VirusTotal
2013: Execute commands sent by emails (XML)
2016 (?): Commands are hidden in PDF documents sent to the victims
Mar. 2018: Public announcement of the German incident
Aug. 2018: Our report goes public
Installation
• COM object hijacking
  • Quite old technique
  • ComRAT & Mosquito
  • https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Larimer-VB2011.pdf
  • https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
• Outlook Protocol Manager
HKCR = HKCU + HKLM
(HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes; when a CLSID exists in both, the per-user entry wins, so the hijack can be set up without administrative rights.)
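A defender-side check for the precedence rule above: for every CLSID registered both machine-wide and per user, compare the two InprocServer32 DLLs and report the ones where the per-user entry would shadow a different library. This is an added example, not code from the talk or from ESET. The CLSIDs and DLL paths in the sample are constructed placeholders, and the live-registry reader is an extra helper that only does anything on Windows (it uses the standard winreg module).

```python
r"""Spot per-user COM registrations that shadow machine-wide ones.

HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes in
which the per-user branch wins. A CLSID registered under both, whose HKCU
InprocServer32 names a different DLL than the HKLM one, is the classic COM
hijacking pattern and needs no administrative rights to set up.
"""
import os
import sys
from typing import Dict, List, NamedTuple


class Override(NamedTuple):
    clsid: str
    machine_dll: str  # what HKLM says should load
    user_dll: str     # what HKCU makes Outlook (or any COM client) load instead


def normalize_path(path: str) -> str:
    """Comparison key: strip quotes, expand environment variables, ignore case."""
    return os.path.expandvars(path.strip().strip('"')).lower()


def find_user_overrides(machine: Dict[str, str], user: Dict[str, str]) -> List[Override]:
    """Return CLSIDs whose per-user server shadows a *different* machine-wide DLL.

    Both arguments map CLSID -> InprocServer32 default value. Per-user-only
    registrations are ignored: per-user installs create those legitimately,
    and they do not shadow anything.
    """
    by_clsid = {clsid.upper(): dll for clsid, dll in machine.items()}
    overrides: List[Override] = []
    for clsid, user_dll in user.items():
        machine_dll = by_clsid.get(clsid.upper())
        if machine_dll is None:
            continue
        if normalize_path(machine_dll) != normalize_path(user_dll):
            overrides.append(Override(clsid.upper(), machine_dll, user_dll))
    return overrides


def read_clsid_servers(root_name: str) -> Dict[str, str]:
    r"""Windows only: read every CLSID\<id>\InprocServer32 default value under
    HKLM or HKCU. Returns an empty dict elsewhere so the module stays importable."""
    if sys.platform != "win32":
        return {}
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[root_name]
    servers: Dict[str, str] = {}
    with winreg.OpenKey(root, r"Software\Classes\CLSID") as clsid_root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(clsid_root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(clsid_root, clsid + r"\InprocServer32") as server:
                    servers[clsid.upper()] = str(winreg.QueryValueEx(server, "")[0])
            except OSError:
                pass  # CLSID without an in-process server
    return servers


# Constructed sample (placeholder CLSIDs, not real ones): one genuine shadow,
# one HKCU entry that merely repeats HKLM with different casing, one per-user-only.
SAMPLE_MACHINE = {
    "{00000000-0000-0000-0000-0000000000AA}": r"C:\Windows\System32\legit.dll",
    "{00000000-0000-0000-0000-0000000000BB}": r"C:\Windows\System32\other.dll",
}
SAMPLE_USER = {
    "{00000000-0000-0000-0000-0000000000aa}": r"C:\Users\alice\AppData\Roaming\x.dll",
    "{00000000-0000-0000-0000-0000000000BB}": r"c:\windows\system32\OTHER.DLL",
    "{00000000-0000-0000-0000-0000000000CC}": r"C:\Users\alice\AppData\Local\peruser.dll",
}


def demo() -> List[Override]:
    """Run the comparison on the constructed sample."""
    return find_user_overrides(SAMPLE_MACHINE, SAMPLE_USER)


if __name__ == "__main__":
    if sys.platform == "win32":
        hits = find_user_overrides(read_clsid_servers("HKLM"), read_clsid_servers("HKCU"))
    else:
        hits = demo()
    for hit in hits:
        print(f"{hit.clsid}: HKLM -> {hit.machine_dll} | HKCU -> {hit.user_dll}")
```

Only the shadowing case is reported; the entry that repeats the machine-wide DLL with different casing and the per-user-only registration are left alone, which keeps the noise from legitimate per-user installs down. A Sysmon rule on registry writes under HKCU\Software\Classes\CLSID catches the same thing as it happens rather than after the fact.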
MAPI
• Messaging Application Programming Interface
• COM-based API
• Allows software to be email-aware
• Replace olmapi32.dll
Outgoing emails
• All outgoing emails are forwarded to the attacker’s email address
• Can be disabled by changing a config value in the registry
Outgoing emails
• Information is exfiltrated at the same time the victim sends an email
  • Avoids sending emails at unusual hours
• Data is encrypted and stored in a PDF attached to the email
Operator email addresses
• In recent campaigns, we have seen them using gmx.com
• The pattern seems to be firstname.lastname@[free webmail]
• Sometimes, they impersonate the victim
Incoming emails
• All incoming email metadata is logged (subject, sender, etc.)
• Checks if the attachment is a PDF and contains a command
Hiding UI artefacts
• Delete all backdoor-related messages
  • Sent
  • Received
  • If it contains the operator email address
• Hooks
Backdoor
• Fully controlled by email
  • Commands are contained in PDF attachments
  • Old versions: XML in the email body
• Operator agnostic
  • Even if the email address is taken down, a command can be sent from any other email address
Backdoor | PDF format
• Really complex – a pain to reverse
  • Probably just to make analysis more time consuming
• Valid PDF document
• Data appended after a JPG
Backdoor | Functions
ID    Command
0x10  Not implemented
0x11  Display a MessageBox
0x12  Sleep
0x20  Delete file
0x21  Get file
0x22  Set operator email address
0x23  Put file
0x24  Run shell command
0x25  Create process
0x26  Delete directory
0x27  Create directory
0x28  Change timeout
0x29  Run PowerShell command (PSInject - 2018)
0x2A  Set answer mode (2018)
Turla Encryption History
• Carbon and Snake: CAST-128
• Gazer: Custom RSA implementation
• Mosquito: Blum Blum Shub
• Uroboros: Threefish
Backdoor | Encryption
• All significant values were changed
• Identification of the main characteristics
  • Symmetric
  • 128-bit key
  • Two hardcoded tables
  • 64-bit block
  • 8 rounds
Changes to MISTY1
• The 128-bit key is generated from two hardcoded 1024-bit keys plus a 2048-bit Initialization Vector.
• They shuffled the S7 and S9 S-boxes
• They added XOR operations in the FI function
Demo
Mitigations
On the computer side
• EDR/Sysmon (?) to identify COM hijacking
• Windows Defender Security Center
Do not allow child processes
Code Integrity Guard
On the mail server side
• Blocking emails based on PDF format: controlled by the attackers
• Monitoring duplicate sending of emails
  • High FP rate?
  • Attacker’s address looks like the victim’s private address
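The duplicate-send monitoring idea above, with the false-positive caveats the slide raises, worked into a small detection routine that runs over outgoing-mail log lines. This is an added example, not code from the talk or from ESET. It assumes a constructed pipe-delimited log (timestamp|sender|recipients|subject|attachments), a made-up internal domain mfa.example, a tunable list of free-webmail domains and a 120-second pairing window; the alert rule is the one this example proposes, not one from the slides. Because the exfiltrated data travels in a PDF attached to the email, the routine requires the suspicious copy to carry a PDF that the other copy did not, which is what separates the backdoor's copy from a user forwarding their own mail to a private webmail account.

```python
"""Flag the 'duplicate send' pattern: the same message leaves twice within
seconds, and one copy goes to an external webmail address mimicking the
sender's own name, carrying a PDF the original copy did not.

Log format (constructed for this example, not any real MTA's format):
    <ISO timestamp>|<sender>|<recipient,...>|<subject>|<attachment,...>
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple

# Assumption: domains the organisation treats as free webmail; tune per site.
FREE_WEBMAIL = {"gmx.com", "gmx.net", "gmail.com", "outlook.com", "yahoo.com"}
WINDOW_SECONDS = 120  # assumption: sends this close together are "the same send"


class Mail(NamedTuple):
    ts: datetime
    sender: str
    recipients: Tuple[str, ...]
    subject: str
    attachments: Tuple[str, ...]


class Alert(NamedTuple):
    sender: str
    subject: str
    suspect_recipient: str
    reasons: Tuple[str, ...]


def parse_log(lines: List[str]) -> List[Mail]:
    """Parse the pipe-delimited lines described in the module docstring."""
    mails = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sender, rcpts, subject, attachments = line.split("|")
        mails.append(Mail(
            ts=datetime.fromisoformat(ts),
            sender=sender.strip().lower(),
            recipients=tuple(r.strip().lower() for r in rcpts.split(",") if r.strip()),
            subject=subject.strip(),
            attachments=tuple(a.strip().lower() for a in attachments.split(",") if a.strip()),
        ))
    return mails


def name_tokens(address: str) -> Set[str]:
    """Name-like tokens of a local part: 'Anna.Berg@x' -> {'anna', 'berg'}."""
    local = address.split("@", 1)[0].lower().replace("_", ".").replace("-", ".")
    return {t for t in local.split(".") if len(t) > 1}


def suspicious_reasons(copy: Mail, other: Mail, rcpt: str,
                       internal_domain: str, gap: float) -> Tuple[str, ...]:
    """Signals that `rcpt` on `copy` is the exfiltration twin of `other`."""
    domain = rcpt.rsplit("@", 1)[-1]
    if rcpt in other.recipients or domain == internal_domain:
        return ()  # same audience, or an internal forward: not the pattern
    reasons = ["duplicate of a message sent %.0fs apart" % gap, "external recipient"]
    if domain in FREE_WEBMAIL:
        reasons.append("free webmail recipient")
    if name_tokens(rcpt) & name_tokens(copy.sender):
        reasons.append("recipient mimics the sender's own name")
    # In production compare attachment hashes, not names; this log has names only.
    if any(a.endswith(".pdf") and a not in other.attachments for a in copy.attachments):
        reasons.append("carries a PDF the other copy did not")
    return tuple(reasons)


def find_duplicate_sends(mails: List[Mail], internal_domain: str) -> List[Alert]:
    """Pair copies of the same (sender, subject) within WINDOW_SECONDS and alert
    only when the extra PDF and a webmail/name-mimic signal coincide; a plain
    'forward to my private mailbox' would otherwise fire on every user."""
    groups: Dict[Tuple[str, str], List[Mail]] = defaultdict(list)
    for m in mails:
        groups[(m.sender, m.subject)].append(m)
    alerts: List[Alert] = []
    seen: Set[Tuple[str, str, str]] = set()
    corroborating = {"free webmail recipient", "recipient mimics the sender's own name"}
    for (sender, subject), copies in groups.items():
        copies.sort(key=lambda m: m.ts)
        for i, a in enumerate(copies):
            for b in copies[i + 1:]:
                gap = (b.ts - a.ts).total_seconds()
                if gap > WINDOW_SECONDS:
                    break
                # Either copy may be the exfiltration one: the backdoor sends at
                # the same moment as the user, so arrival order proves nothing.
                for copy, other in ((a, b), (b, a)):
                    for rcpt in copy.recipients:
                        reasons = suspicious_reasons(copy, other, rcpt, internal_domain, gap)
                        key = (sender, subject, rcpt)
                        if ("carries a PDF the other copy did not" in reasons
                                and corroborating & set(reasons) and key not in seen):
                            seen.add(key)
                            alerts.append(Alert(sender, subject, rcpt, reasons))
    return alerts


# Constructed sample: one exfiltration twin (anna.berg -> gmx.com with an extra
# report.pdf) and one benign self-forward (ben.olsen -> gmail with the same ticket.pdf).
SAMPLE_LOG = """
2018-08-21T09:14:02|Anna.Berg@mfa.example|j.doe@partner.example|Re: meeting agenda|agenda.docx
2018-08-21T09:14:05|anna.berg@mfa.example|anna.berg@gmx.com|Re: meeting agenda|agenda.docx,report.pdf
2018-08-21T10:02:40|anna.berg@mfa.example|anna.berg@gmx.com|Photos from the weekend|img1.jpg
2018-08-21T11:30:00|ben.olsen@mfa.example|travel@agency.example|Travel booking|ticket.pdf
2018-08-21T11:31:10|ben.olsen@mfa.example|ben.olsen@gmail.com|Travel booking|ticket.pdf
""".strip().splitlines()


def run_sample() -> List[Alert]:
    """Run the detection over the constructed log."""
    return find_duplicate_sends(parse_log(SAMPLE_LOG), internal_domain="mfa.example")


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert.sender} -> {alert.suspect_recipient} [{alert.subject}]: " + "; ".join(alert.reasons))
```

On the sample only anna.berg's second copy is reported: ben.olsen's self-forward matches the webmail and name-mimic signals exactly as the slide warns, and is only cleared because its PDF is the same file the agency received. A user who forwards their own mail to a private account while adding a new PDF still trips the rule, which is the residual false-positive rate the slide asks about; the remaining lever is to compare attachment content across the two copies rather than names.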
• Comprehensive white paper released in August 2018
  • https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf
  • https://github.com/eset/malware-ioc/tree/master/turla#turla-outlook-indicators-of-compromise
Conclusion
• Two examples showing the sophistication of Turla
• Turla is not your casual and lazy attacker
www.eset.com | www.welivesecurity.com
Matthieu Faou, Malware Researcher
@matthieu_faou