Transcript of: Analysis of tools and attacks (Lazarus)
Vitalii Trifonov
Group-IB
Global name: Lazarus
Subdivisions: Lazarus, Bluenoroff, Andariel
Motivation: Sabotage, Financial, Espionage
Specific, but shared tools:
• DDoS bots
• KillDisk/MBRKiller
• WannaCry
• Banswift/BBSwift
• FastCash
• ATM trojan
• RatankbaPOS
Common trojans:
• Recon aka Ratankba
• PowerRatankba
• ClientRAT (aka FALLCHILL aka Manuscrypt)
• ClientTraficForwarder (Proxy)
New malware:
• AppleJeus
Undocumented new:
• PowerTask
• PowershellRAT
Timeline (dates shown on the slide): January 2015, October 2015, February 2016, December 2016, February 2017, March 2017, October 2017, January 2018, February 2018, April 2018, May 2018, July 2018, August 2018, October 2018, December 2018, 2019.
Victims (bank, country, payment system):
• Banco del Austro, Ecuador, SWIFT
• Tien Phong Bank, Vietnam, SWIFT
• Central Bank, Bangladesh, SWIFT
• AkBank, Turkey, SWIFT
• Several banks, Poland
• Far Eastern International Bank, Taiwan, SWIFT
• NIC Asia Bank, Nepal, SWIFT
• Bancomext, Mexico, SWIFT
• Punjab National Bank, India, SWIFT
• City Union Bank, India, SWIFT
• Unknown, Mexico, SPEI (domestic payment system)
• Banco de Chile, Chile, SWIFT
• Possibly: Saigon Thuong Tin Commercial Joint Stock Bank, Vietnam, ATM
• Cosmos bank, India, ATM
• Redbanc, Chile, ATM
• 2 Europe, 1 Nigeria, 1 Kuwait
• Unnamed, Thailand
• Unknown, South Korea, ATM
• ????, Pakistan, ATM
Legend: Confirmed / Not confirmed. Focus on ATM attacks.
Delivery (initially):
• Watering hole
• Spear phishing
Delivery (later):
• Watering hole
• Spear phishing
• + Social network
https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
SWIFT specific malware:
• Only 2 known cases in 2016: Bangladesh and an unnamed South East Asia bank (probably Vietnam)
• Later attacks showed no signs of automation
Steps to get access:
• Infect the workstation (not the server) of a legitimate operator
• Inject a malicious DLL into specific processes of the messaging interface
• The DLL can be unloaded to bypass local security features
• Intercept the login and password
• Log in to the system as the legitimate operator and send funds manually
Submit fraud:
• In most cases they send MT103 using the Serial Method.
• As an exception, they can use the Cover Method
• Value per message varies without pattern:
1. 10M USD
2. 1M-10M USD range
3. Over 300K USD
Serial method: only one message is initiated by the sender to settle the funds.
Cover method: two messages are initiated by the sender to settle the funds: an announcement message and a cover message; the cover message moves the funds.
https://www.blackhat.com/docs/eu-17/materials/eu-17-Shen-Nation-State%20Moneymules-Hunting-Season-APT-Attacks-Targeting-Financial-Institutions.pdf
In 2015, Lazarus compromised the network of a Korean ATM operator through the antivirus server's service port. 230.000 cards were compromised between Sept 2016 and Feb 2017.
Attack description:
• Attacker got access to the bank
• Identified the switch application servers: ATM Switch (AIX)
• Uploaded a command-line code-injection utility to the ATM Switch
• Injected a library into a currently running process
• The library hijacks and returns fraudulent ATM financial query responses for specified card numbers:
1. generates a random cash amount
2. blocks and logs certain financial transactions
2017, unnamed bank: cash withdrawn from ATMs located in over 30 different countries.
2018, Cosmos bank, India: cash withdrawn from ATMs in 23 different countries. 944 million rupees ($13.5 mln)
2018, Redbanc, Chile
Samples:
• syschk.ps1: 26466867557F84DD4784845280DA1F27
• Spyware (keylogger/screenshot grabber): D45931632ED9E11476325189CCB6B530
• Empire PowerShell
Sources: Vietnamese CERT; IR in Cosmos bank.
Spyware:
• The first thread logs all keystrokes to %TEMP%\GoogleChrome\chromeupdater_pkfile
• The second thread saves screenshots to %TEMP%\GoogleChrome\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d
• The third thread reads C:\ProgramData\2.dat and uses the value from this file as the time interval between screenshots
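A small triage check for the three spyware artifacts listed above, added here as an example (not code from the talk or from Group-IB). It assumes the file listing comes from a Windows host whose %TEMP% path ends in \Temp; the sample listing is constructed.

```python
import re
from datetime import datetime

# Regex derived from the screenshot name format on the slide:
# chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d
SCREENSHOT_RE = re.compile(
    r"^chromeupdater_ps_(\d{4})(\d{2})(\d{2})_(\d{2})(\d{2})(\d{2})_(\d{3})_(\d+)$"
)
KEYLOG_NAME = "chromeupdater_pkfile"      # keystroke log in %TEMP%\GoogleChrome
INTERVAL_FILE = r"c:\programdata\2.dat"   # screenshot interval config

def classify_path(path):
    """Return an artifact label for a path, or None if it is not one of the three
    indicators on the slide. Case-insensitive; the two temp artifacts only count
    inside a ...\Temp\GoogleChrome directory (assumption: %TEMP% ends in \Temp)."""
    norm = path.replace("/", "\\").lower()
    parts = norm.split("\\")
    name = parts[-1]
    if norm == INTERVAL_FILE:
        return "interval-config"
    in_dir = len(parts) >= 3 and parts[-2] == "googlechrome" and parts[-3] == "temp"
    if not in_dir:
        return None
    if name == KEYLOG_NAME:
        return "keylog"
    m = SCREENSHOT_RE.match(name)
    if m:
        y, mo, d, h, mi, s, ms, _ = (int(g) for g in m.groups())
        try:
            datetime(y, mo, d, h, mi, s, ms * 1000)  # the digits must form a real timestamp
        except ValueError:
            return None
        return "screenshot"
    return None

def scan(paths):
    """Group matching artifacts by label; feed it a directory listing."""
    hits = {}
    for p in paths:
        label = classify_path(p)
        if label:
            hits.setdefault(label, []).append(p)
    return hits

# Constructed sample listing (not from a real host).
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\GoogleChrome\chromeupdater_pkfile",
    r"C:\Users\alice\AppData\Local\Temp\GoogleChrome\chromeupdater_ps_20181204_093015_512_1",
    r"C:\Users\alice\AppData\Local\Temp\GoogleChrome\chromeupdater_ps_20181304_093015_512_1",  # month 13
    r"C:\ProgramData\2.dat",
    r"C:\Users\alice\AppData\Local\Temp\other.tmp",
]
```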
Some facts:
• In August 2018 SWIFT ISAC notified about IP 89.144.25.23 as the C2 of a reverse HTTP backdoor used in a Lazarus attack
• The partner who did IR in Cosmos bank claimed that Metasploit was used to launch attacks and / or retain access
• Metasploit's main payloads are fileless, which is why they are hard to recover
Observed activity windows of the C2 frameworks:
• Metasploit: 2017-12-29 to 2018-02-22
• CobaltStrike: 2018-05-25 to 2018-09-10
• Metasploit: 2018-02-07 to 2018-02-07
• CobaltStrike: 2017-12-29 to 2018-09-02
1. A second program found during the IR in Cosmos bank, MD5 hash 238bf358c459d8f14a2bef2442d8c07b, was uploaded to VT under the name SvcTimeBroker.dll; it was also used by Lazarus in the Vietnam attack.
2. The name SvcTimeBroker.dll is very similar to FileTokenBroker.dll, which was used in the attack on Far Eastern International Bank (FEIB) in 2017.
3. SvcTimeBroker.dll was compiled on October 24, 2016 and its decrypted code is the same as in the 2016 Lazarus attacks on banks: Client_TrafficForwarder.
Timeline:
• 26.10.2018: a new dump named "PAKISTAN-WORLD-EU-MIX-01" went on sale on the cardshop Jokerstash. This base has 10.467 dumps, 8704 of which belong to Pakistan's banks (including BankIslami).
• 28.10.2018: the Pakistan bank BankIslami issued a press release that on the morning of 27.10.2018 they detected abnormal transactions. During these transactions the malefactors cashed out $2.6 million.
• 31.10.2018: a new Pakistan base with 11.795 dumps.
• 13.11.2018: a new Pakistan base with 177.878 dumps.
In total: 150.632 dumps of Pakistan banks, 16.227 cards of other regions and 11.019 of undefined banks.
Timeline:
• 24.01.2019: a new database «PAKISTAN-D+P-01» which contained 1.535 credit card dumps, 96% belonging to Meezan Bank Ltd.
• 30.01.2019: one more, «PAKISTAN-D+P-02», with 67.654 credit card dumps, 96% belonging to Meezan Bank Ltd.
• The main difference from the previous case: presence of the card PIN code.
Breakdown of the 67.654 dumps: Meezan Bank, Ltd. 64661 (96%); Other 2993 (4%).
Diagram (ApplicationPDF.exe): the file from Chile and the file from Pakistan both connect to the host Ecombox.store; the Lazarus PowerShell backdoor drops a script file (REG_TIME.ps1).
Watering hole, spear phishing
Watering hole and spear phishing attacks have been active from the very beginning until today.
Redbanc: the attack started with a LinkedIn advert offering a developer role, then a Skype call to conduct an interview, then downloading a file, ApplicationPDF.exe.
Pakistan: similar to Redbanc, judging by ApplicationPDF.exe.
Cosmos bank (version of the partner who did IR): communication via IM like Lync, XMPP, etc., then use of collaboration tools like Jira, Slack, Huddle.
Vietnam, Thailand: unknown infection vector.
Since the middle of 2018 they have used social networks to find suitable employees in banks and trick them into deploying malware.
Lazarus started to develop legitimate-looking applications. They then trick the user into deploying these applications in the corporate network, which leads to infection.
Crypto currency backdoored app:
• July 2018: Lazarus attack with the trading software Celas Trade Pro. Celas Trade Pro is based on the open source Qt Bitcoin Trader.
• The legitimate Qt Bitcoin Trader was bundled with a malicious module «Updater».
• Updater is a first stage backdoor that collects local information: the process list, computer name and system information.
• Updater had versions for Windows and for MacOS.
Job offering and backdoored app:
• ApplicationPDF.exe was delivered to employees in the bank. Found in the Redbanc and Pakistan cases.
• ApplicationPDF.exe is a C# dropper with the string: F:\05.GenereatePDF\CardOffer\salary\salary\obj\Release\ApplicationPDF.pdb
• ApplicationPDF.exe generates a PDF file and infects the computer with the PowerRatankba reconnaissance tool.
• Only a Windows version was identified.
Lazarus has used a multistage infection process from the beginning until today. Multistage simplifies development and support for the attackers and complicates analysis and response for responders and researchers.
Before June 2017:
• Recon backdoor (Ratankba)
• Loader
• ClientRat
• ClientTrafficForwarder (Proxy)
• ServerRat
July 2018:
• PowerRatankba - PowerShell reconnaissance tool for Windows
• AppleJeus - reconnaissance tool for MacOS
December 2018:
• PowerShell RAT active but still under development
May 2019:
• PowerTask - new version of the reconnaissance tool for Windows
PowerRatankba.B C&C commands (Command: Description):
• success: Sleep and send a request after the sleep
• killkill: Exit
• interval: Change the default sleep length
• cmd: Execute a command using "cmd.exe /c $cmdInst". The command response is sent back to the C&C DES encrypted and Base64 encoded
• cf_sv: Replace the SCH, VBS, PS1 files with the provided server location and a pre-determined URI
• rrr: Download a payload from the provided URL, write it to C:\Users\Public\Documents\000.exe, and then execute it
• exe or inj: Download a payload from the provided URL and inject it into process memory using InvokeReflectivePEInjection
PowerRatankba.A C&C commands (Command: Description):
• success: Sleep and send a request after the sleep
• killkill: Exit
• Execute: Download a payload from the provided URL and execute it via memory injection
• DownExec: Download a payload from the provided URL, save it to disk, then execute it
Ratankba C&C commands (Command: Description):
• killkill: Remove itself from the system
• http: Download a payload from the provided URL, save it to disk, then execute it
In May a new version of the Recon backdoor was identified and later detected in several companies.
PowerRatankba.C C&C commands (Command: Description):
• byebye: Deletes itself and the file with the result of command execution. Example of command: "byebye"
• run: Creates a new process. The process name and arguments are passed as a parameter. Example of command: "run explorer.exe"
• cfg: Updates the time period after which the script proceeds if the file with the command is not created. In the current version of the script this does not affect anything. Example of command: "cfg 300"
• test: Checks for a connection to the specified host. Example of command: "test 192.168.1.1:80"
• ps: Executes the specified command in PowerShell. The command is executed with the following arguments: ErrorAction SilentlyContinue, WarningAction SilentlyContinue. Example of command: "ps Get-Service"
• <CMD>: Executes the command in cmd.exe. Example of command: "echo Hello!"
New version found:
• SWIFT ISAC shared indicators.
• 2019-05-14: a dump of a memory page was uploaded to VirusTotal with 0 detections.
• The dump was uploaded from Nigeria.
• In the dump, PowerTask (Recon backdoor) was found.
PowerTask commands (Command: Description):
• NONE: Do not execute any commands
• GINF: Collects and sends extensive system information about the PC
• SLEP: Do not execute any commands
• HIBN: Do not execute any commands
• DRIV: Get information about the available disks in the system
• DIRP: List files with the specified extension
• CHDR: Changes the current directory
• DOWN: Download and run the file
• CMDL: Execute the command and upload the result of its operation to the C&C server
• RUNX: Get the user's token
• MOVE: Renames the specified file
• FTIM: Sets the timestamps of the specified file to those of the %windir%/system32/kernel32.dll file
• NEWF: Create a new directory with the specified name
• ZDWN: Purportedly, downloads a file/files
• PEIN: Inject the code into the specified process
• TCON: Purportedly, connects to the specified network node
• RUN: Run the command
• PVEW: List running processes
• DIR: Enumerates files in the selected directory
• DIE: Remove itself from the system
• DEL: Delete the selected file
• WIPE: Delete the selected file and make it unrecoverable
• UPLD: Upload the file to the C&C server
• SCFG: Get a new bot configuration
• GCFG: Download the bot configuration
• DRIV: List the installed drivers
• PEEX: Inject the code into the explorer.exe process
• PKIL: Terminate the process with the selected PID
Until 2018 Lazarus used a constantly updated RAT that gave full control over the infected host. The RAT supported 28 commands to manipulate the host. In addition, the threat actors used additional tools to proxy traffic and other RATs as second stage malware.
PowerShell RAT functions:
• Update configuration
• Collect and send information about the infected PC and running processes, with the ability to terminate them
• Collect and send files to a remote server
• Change properties and attributes of files
• Supports operations with the Registry
• Supports operations for working with ZIP archives
• Download and run PowerShell scripts
• Upload files to the infected PC
• Execute commands from the remote server in the command line interpreter
New malware:
• December 2018: from a Thailand related incident we got a RAT written in PowerShell
• The RAT can work in 2 modes: client and server mode
• Some commands were under development
• The trojan can fully replace ClientRAT (FALLCHILL aka Manuscrypt) and ServerRAT
• The new RAT supports operations with Registry, Screenshots, Video
Arguments (Argument, default value: Description):
• ARG_1, default 1: Integer variable. If the value of the variable is 0, then the running script will be deleted.
• ARG_2, default 1: Integer variable. If the value of the variable is 1, the script will run in server mode. Otherwise, it will try to connect to one of two CnC servers.
• ARG_3, default 8080: The port number on which the server will be running.
• ARG_4, default "": Path to the file in which the integer variable is stored. The integer variable is responsible for the port number on which the server will be started in case of problems with the connection. If the value has not been set, then during work the value %TEMP%\<BOT_ID> will be set.
• ARG_5, default "": CnC server address. Record format: "<CnC_ADDR>:<CnC_PORT>"
• ARG_6, default "": CnC server address. Record format: "<CnC_ADDR>:<CnC_PORT>"
• ARG_7, default "": Settings for the proxy server. Record format: "<PROXY_ADDR>:<PROXY_PORT>:<PROXY_LOGIN>:<PROXY_PASS>:<UNUSED_PARAM>"
To launch new RAT you need to pass valid parameters listed in the table.
Commands (Command: Description):
• CONNECT: Sends information about the infected machine
• ALIVE: Sends BOT_ID as a response
• FILE_REQUEST: Sends a list of files located in the directory
• CMD_REQUEST: Runs the command on the infected PC
• PROCESS_REQUEST: Collects information about running processes
• REGISTRY_REQUEST: Retrieves a list of values and all keys contained in a specific registry key
• SCREEN_REQUEST: Launches a PowerShell script
• DOWNLOAD_REQUEST: Sends a file from the infected PC to a remote server
• FILE_ZIP_REQUEST: Creates a zip archive with the contents of the folder
The new RAT supports 24 existing commands, and 13 additional commands were under development. The predefined list of commands comes from the C&C server.
Commands, continued (Command: Description):
• ZIP_DOWNLOAD_REQUEST: Creates a ZIP archive of the folder and sends it to the server
• FILE_UNZIP_REQUEST: Extracts the archive to the "Decompressed" directory
• UPLOAD_REQUEST: Uploads a file from the remote server, saves it to disk and changes the file properties obtained as a parameter
• PROCESS_TERMINATE: Terminates the process with the specified PID
• FILE_DELETE: Deletes the specified file or directory
• FILE_RENAME: Renames the specified file or directory
• FILE_NEW_DIR: Creates a new directory on a specific path
• REG_DELETE: Removes a value from a key in the registry
• REG_RENAME: Renames the value of a key in the registry
• REG_NEW_KEY: Creates a new key in the registry
• REG_NEW_STRING: Creates a new value for a key with type STRING
• REG_NEW_DWORD: Creates a new value for a key with type DWORD
• REG_NEW_BINARY: Creates a new value for a key with type BINARY
• DELAY_REQUEST: Terminates the active connection to the CnC server. Changes the timeout before creating a new connection.
• AGENT_CONFIG: Updates script parameters
Commands under development (13):
• KEYBOARD_REQUEST
• KEYBOARD_STOP
• DOWNLOAD_STOP
• PROCESS_INJECT
• DATA_TAG_SCREEN_STOP
• DATA_TAG_CAMERA
• DATA_TAG_CAMERA_STOP
• DATA_TAG_CAMERA_LOWQ
• DATA_TAG_CAMERA_NORMALQ
• DATA_TAG_CAMERA_HIGHQ
• DATA_TAG_SCREEN_LOWQ
• DATA_TAG_SCREEN_NORMALQ
• DATA_TAG_SCREEN_HIGHQ
The 13 commands under development allow the attacker to control the screen, cameras and keyboard, and to inject into processes.
The CONNECT command sends information about the infected machine. The information collected:
• BOT_ID, IP_ADDR, PC_NAME, USERNAME, OS_VERSION, OS_ARCH1, OS_ARCH2
• IS_PROXY_ENABLE, PROXY_ADDR, AGENT_SCRIPT_PATH, LAST_BOOT_UP_TIME, OS_CAPTION, OS_LANG, OS_COUNTRY_CODE
• CNC1_ADDR, CNC1_PORT, CNC2_ADDR, CNC2_PORT, OS_ARCH2
Huntbox identified a unique pattern for the C2 servers: 63 unique IP addresses and 42 unique domains within the last 6 months.
Additionally, we reversed the communication protocol and wrote an emulator to detect new C2 servers. Protocol steps:
1. Generate information about the infected machine
2. Send the length of the message and the message itself
3. Accept from the server the length of the message that must be received
4. Accept the message which contains the command
5. Check the presence of the command in the received message
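An emulator of the five protocol steps above, added here as an example; it is not Group-IB's tool. The 4-byte big-endian length prefix, the JSON hello and the stand-in server are assumptions, since the slide does not give the wire format; the known command names come from the command table earlier on the page.

```python
import json
import socket
import struct
import threading

# Assumed framing (the slide does not give it): 4-byte big-endian length, then a UTF-8 payload.
HDR = struct.Struct(">I")
MAX_LEN = 1 << 20  # refuse absurd lengths announced by an unknown peer
# Command names the C2 is known to send, taken from the command table on the slide.
KNOWN_COMMANDS = {"CONNECT", "ALIVE", "FILE_REQUEST", "CMD_REQUEST", "PROCESS_REQUEST",
                  "REGISTRY_REQUEST", "SCREEN_REQUEST", "DOWNLOAD_REQUEST", "FILE_ZIP_REQUEST"}
def send_frame(sock, payload):
    """Step 2: send the length of the message, then the message itself."""
    sock.sendall(HDR.pack(len(payload)) + payload)
def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf
def recv_frame(sock):
    """Steps 3 and 4: read the announced length, then the message."""
    (n,) = HDR.unpack(recv_exact(sock, HDR.size))
    if n > MAX_LEN:
        raise ValueError("implausible frame length")
    return recv_exact(sock, n)
def fake_bot_hello():
    """Step 1: constructed machine record; field names are CONNECT fields from the slide."""
    return json.dumps({"BOT_ID": "EMU-0001", "PC_NAME": "LAB-PC", "USERNAME": "lab",
                       "OS_VERSION": "10.0", "OS_ARCH1": "x64"}).encode()
def probe(sock, timeout=5.0):
    """Bot side: one exchange, then step 5: does the reply carry a known command?"""
    sock.settimeout(timeout)
    send_frame(sock, fake_bot_hello())
    reply = recv_frame(sock).decode("utf-8", "replace")
    matched = sorted(c for c in KNOWN_COMMANDS if c in reply)
    return bool(matched), matched
def stand_in_c2(sock, command):
    """Constructed stand-in for the server side, only so the demo runs offline."""
    recv_frame(sock)
    send_frame(sock, command.encode())
def demo(command="ALIVE"):
    """Run both sides over a local socket pair and return probe()'s verdict."""
    a, b = socket.socketpair()
    t = threading.Thread(target=stand_in_c2, args=(b, command))
    t.start()
    verdict = probe(a)
    t.join(); a.close(); b.close()
    return verdict
```

Against a real suspect host, probe() would be given a connected TCP socket; a peer that answers with anything else (an HTTP error, a banner) is reported as not matching.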
Securely remove files
• Windows Event Logs
• NTFS $LogFile
• Prefetch files
• Temporary files and files specified in configuration
SWIFT system
• Disable all connectivity to back-office applications
• Use SQL statements to delete data from the Alliance Access database
The attackers need to extend the period before they might be detected, to avoid the fraudulent messages being cancelled.
Variant 1
1. Goes through all logical drives
2. Randomly renames files, then overwrites the first bytes of each file, except files in whitelisted system directories.
3. Reads the MBR of every drive, then writes 0x00 to the first 0x20 sectors.
4. From the MBR it finds the partitions and then overwrites the first 0x10 and last sectors of each volume.
5. 15 minutes later, it forces the machine to reboot by killing the processes csrss.exe, wininit.exe, winlogon.exe, lsass.exe.
Variant 2
1. Retrieves a hard disk handle via the API CreateFileA
2. Overwrites the first sector of the disk (512 bytes) with 0x00
3. Repeats the same step for every next hard drive
4. Forces the machine to shut down via the API ExitWindows.
In 2018 they used it to destroy the networks of Banco de Chile and Bancomext. 9.000 PCs and 500+ servers were affected in Banco de Chile.*
*https://badcyber.com/banco-de-chile-victim-of-a-devastating-wiper-attack-money-allegedly-stolen/
At the final stage of the attack on the Taiwanese Far Eastern International Bank (FEIB), Lazarus launched the Hermes ransomware, which has been used by other financially motivated groups.
Modified version:
• The sample is tailored for the environment and contains hardcoded Windows credentials.
• Spreads via network shares and creates scheduled tasks
• Was not correctly configured and did not show the message with the ransom demand.
Lazarus started to use a modified version of mbr-lovenote.
Modified version:
• The text displayed at boot time is hardcoded to "Invalid system disk".
• The partition table of the original MBR is not copied to the new MBR. This renders the system unbootable.
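A forensic triage of a recovered first sector that covers both the wiper variants above (first sector overwritten with 0x00) and the modified mbr-lovenote (empty partition table, hardcoded "Invalid system disk"), added here as an example and not code from the talk. It assumes the text is stored as plain ASCII in the boot code; the three sample sectors are constructed, not real disk images.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PART_FMT = "<B3xB3xII"  # status, CHS start(skipped), type, CHS end(skipped), LBA start, sector count

def parse_partition_table(sector):
    """Return the four 16-byte partition entries of a 512-byte MBR as dicts."""
    entries = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(PART_FMT, sector, 446 + 16 * i)
        entries.append({"bootable": boot == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def assess_mbr(sector):
    """Classify a first sector the way an IR analyst would triage a suspect disk image."""
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if sector == b"\x00" * SECTOR:
        return "zeroed"  # what both wiper variants leave behind
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    table = parse_partition_table(sector)
    if all(e["type"] == 0 and e["sectors"] == 0 for e in table):
        findings.append("empty partition table")  # original table not copied into the new MBR
    if b"Invalid system disk" in sector[:446]:
        findings.append("hardcoded 'Invalid system disk' text in boot code")
    return "normal" if not findings else "suspicious: " + "; ".join(findings)

def make_mbr(boot_code, partitions):
    """Build a constructed sample sector: boot code, partition entries (type, lba, count), signature."""
    sec = bytearray(SECTOR)
    sec[:len(boot_code)] = boot_code
    for i, (ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sec, 446 + 16 * i, 0x80 if i == 0 else 0, ptype, lba, count)
    sec[510:512] = BOOT_SIG
    return bytes(sec)

# Constructed samples: a sane MBR with one NTFS partition, a wiped one, a lovenote-style one.
NORMAL_MBR = make_mbr(b"\xeb\x63\x90", [(0x07, 2048, 204800)])
WIPED_MBR = b"\x00" * SECTOR
LOVENOTE_MBR = make_mbr(b"\xfa\x31\xc0Invalid system disk\x00", [])
```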