Analysis of tools and attacks (Lazarus)
Vitalii Trifonov, Group-IB
Transcript of a 40-page slide deck.

Page 1:

Analysis of tools and attacks

Vitalii Trifonov

Group-IB

Page 2:

Global name: Lazarus

Subdivisions: Lazarus, Bluenoroff, Andariel

Motivation: Sabotage, Financial, Espionage

Specific, but shared tools:

• DDoS bots
• KillDisk/MBRKiller
• WannaCry
• Banswift/BBSwift
• FastCash
• ATM trojan
• RatankbaPOS

Common trojans:

• Recon aka Ratankba
• PowerRatankba
• ClientRAT (aka FALLCHILL aka Manuscrypt)
• ClientTrafficForwarder (Proxy)

New malware:

• AppleJeus

Undocumented new:

• PowerTask
• PowershellRAT

Page 3:

Timeline axis of the slide: January 2015, October 2015, February 2016, December 2016, February 2017, March 2017, October 2017, January 2018, February 2018, April 2018, May 2018, July 2018, August 2018, October 2018, December 2018, 2019

Victim | Country | System
Banco del Austro | Ecuador | SWIFT
Tien Phong Bank | Vietnam | SWIFT
Central Bank | Bangladesh | SWIFT
AkBank | Turkey | SWIFT
Several banks | Poland |
Far Eastern International Bank | Taiwan | SWIFT
NIC Asia Bank | Nepal | SWIFT
Bancomext | Mexico | SWIFT
Punjab National Bank | India | SWIFT
City Union Bank | India | SWIFT
Unknown | Mexico | SPEI (Domestic payment system)
Banco de Chile | Chile | SWIFT
Possibly: Saigon Thuong Tin Commercial Joint Stock Bank | Vietnam | ATM
Cosmos bank | India | ATM
Redbanc | Chile | ATM
Unnamed | Thailand |
Unknown | South Korea | ATM
???? | Pakistan | ATM

Also on the map: 2 Europe, 1 Nigeria, 1 Kuwait

Legend: Confirmed / Not confirmed

Annotation: Focus on ATM attacks

Delivery:

• Watering hole
• Spear phishing

Delivery:

• Watering hole
• Spear phishing
• + Social network

Page 5:

https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

SWIFT-specific malware:

• Only 2 known cases in 2016: Bangladesh and an unnamed South East Asian bank (probably Vietnam)
• Further attacks showed no signs of automation

Page 6:

Steps to get access:

• Infect the workstation (not the server) of a legitimate operator
• Inject a malicious DLL into the specific processes of the messaging interface
• Can unload the DLL to bypass local security features
• Intercept the login and password
• Log in to the system as the legitimate operator and send funds manually

Submit fraud:

• In most cases they send MT103 using the Serial Method.
• As an exception, they can use the Cover Method.
• Value per message varies without pattern:
  1. 10M USD
  2. 1M-10M USD range
  3. Over 300K USD

Serial method: only one message is initiated by the sender to settle the funds.

Cover method: two messages are initiated by the sender to settle the funds: an announcement and a cover message, which moves the funds.

Page 7:

https://www.blackhat.com/docs/eu-17/materials/eu-17-Shen-Nation-State%20Moneymules-Hunting-Season-APT-Attacks-Targeting-Financial-Institutions.pdf

In 2015, Lazarus compromised the network of a Korean ATM operator through the antivirus server's service port. 230.000 cards were compromised between Sept 2016 and Feb 2017.

Page 8:

Attack description:

• The attacker got access to the bank
• Identified the switch application servers: ATM Switch (AIX)
• Uploaded a command-line utility to the ATM Switch to inject code
• Injected a library into a currently running process
• The library hijacks and returns fraudulent ATM financial query responses for specified card numbers:
  1. generates a random cash amount
  2. blocks and logs certain financial transactions

2017, unnamed bank. Withdrawn from ATMs located in over 30 different countries.

2018, Cosmos bank, India. Withdrawn from ATMs in 23 different countries. 944 million rupees ($13.5 mln).

2018, Redbanc, Chile.

Page 9:

syschk.ps1: MD5 26466867557F84DD4784845280DA1F27

Spyware (keylogger/screenshot grabber): MD5 D45931632ED9E11476325189CCB6B530

Empire PowerShell

Sources: from Vietnamese CERT; from IR in Cosmos bank

Spyware:

• The first thread logs all pressed keys into %TEMP%\GoogleChrome\chromeupdater_pkfile
• The second thread creates screenshots at %TEMP%\GoogleChrome\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d
• The third thread reads C:\ProgramData\2.dat and uses the value from this file as the time interval between screenshots
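As an added example (not code from the talk or from Group-IB), the following Python scans a list of file paths for the three spyware artifacts named above. Instead of hardcoding a pattern for the screenshot names, it converts the printf-style template into a regex, so the same helper works for any such template; %TEMP% is expanded to the profile's temp directory given by the caller. The file listing is constructed for the demo, not taken from any incident.

```python
import re

# Artifact paths from the slide; the %TEMP% prefix is expanded at scan time.
KEYLOG_PATH = r"%TEMP%\GoogleChrome\chromeupdater_pkfile"
SCREENSHOT_TEMPLATE = r"%TEMP%\GoogleChrome\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d"
INTERVAL_FILE = r"C:\ProgramData\2.dat"

# printf-style integer conversions used in the screenshot name: %04d, %02d, %03d, %d
_PRINTF_INT = re.compile(r"%0?(\d*)d")


def printf_to_regex(template: str) -> "re.Pattern[str]":
    r"""Convert a printf-style file name template into an anchored regex.

    %04d becomes \d{4}, %d becomes \d+, everything else is matched literally.
    """
    parts, pos = [], 0
    for m in _PRINTF_INT.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        width = m.group(1)
        parts.append(r"\d{%s}" % width if width else r"\d+")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def scan_paths(paths, temp_dir):
    """Return (path, label) pairs for paths matching the spyware artifacts.

    temp_dir is the value of %TEMP% for the profile being examined; matching is
    case-insensitive because NTFS paths are.
    """
    keylog = KEYLOG_PATH.replace("%TEMP%", temp_dir).casefold()
    interval = INTERVAL_FILE.casefold()
    screenshot_re = printf_to_regex(SCREENSHOT_TEMPLATE.replace("%TEMP%", temp_dir))

    findings = []
    for path in paths:
        folded = path.casefold()
        if folded == keylog:
            findings.append((path, "keylog"))
        elif folded == interval:
            findings.append((path, "interval-config"))
        elif screenshot_re.match(path):
            findings.append((path, "screenshot"))
    return findings


# Constructed sample listing (not real IR data) for a profile whose %TEMP% is SAMPLE_TEMP.
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\GoogleChrome\chromeupdater_pkfile",
    r"C:\Users\alice\AppData\Local\Temp\GoogleChrome\chromeupdater_ps_20180811_143027_512_3",
    r"C:\Users\alice\AppData\Local\Temp\GoogleChrome\chromeupdater_ps_2018_broken",
    r"C:\Users\alice\AppData\Local\Temp\GoogleChrome\update.log",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\ProgramData\2.dat",
]


def demo():
    return scan_paths(SAMPLE_PATHS, SAMPLE_TEMP)


if __name__ == "__main__":
    for path, label in demo():
        print(f"{label:16} {path}")
```

On a real host, feed `scan_paths` the output of a directory walk over every user's temp directory and ProgramData; the regex rejects names that merely share the `chromeupdater_ps_` prefix but do not fit the timestamp layout.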

Page 10:

Some facts:

• In August 2018 SWIFT ISAC gave notice of IP 89.144.25.23 as the C2 of a reverse HTTP backdoor used in a Lazarus attack
• The partner who did the IR in Cosmos bank claimed that Metasploit was used to launch attacks and/or retain access
• Metasploit's main payloads are fileless, which is why they are hard to recover

Page 11:

Metasploit: 2017-12-29 to 2018-02-22
CobaltStrike: 2018-05-25 to 2018-09-10
Metasploit: 2018-02-07 to 2018-02-07
CobaltStrike: 2017-12-29 to 2018-09-02

Page 12:

1. A second program found during the IR in Cosmos bank, with MD5 hash 238bf358c459d8f14a2bef2442d8c07b, was uploaded to VT under the name SvcTimeBroker.dll; it was also used by Lazarus in the Vietnam attack.

2. The name SvcTimeBroker.dll is very similar to FileTokenBroker.dll, which was used in the attack on Far Eastern International Bank (FEIB) in 2017.

3. SvcTimeBroker.dll was compiled on October 24, 2016, and its code after decryption is the same as in the 2016 Lazarus attacks on banks: Client_TrafficForwarder.

Page 13:

Timeline:

• 26.10.2018: a new dump named "PAKISTAN-WORLD-EU-MIX-01" went on sale on the cardshop Jokerstash. This base has 10.467 dumps, 8704 of which belong to Pakistan's banks (including BankIslami).
• 28.10.2018: the Pakistani bank BankIslami issued a press release saying that on the morning of 27.10.2018 they detected abnormal transactions. During these transactions the malefactors cashed out $2.6 million.
• 31.10.2018: a new Pakistan base with 11.795 dumps.
• 13.11.2018: a new Pakistan base with 177.878 dumps.

In total: 150.632 dumps of Pakistani banks, 16.227 cards of other regions and 11.019 of undefined banks.

Page 14:

Timeline:

• 24.01.2019: a new database «PAKISTAN-D+P-01» containing 1.535 credit card dumps, 96% of which belong to Meezan Bank Ltd.
• 30.01.2019: one more, «PAKISTAN-D+P-02», with 67.654 credit card dumps, 96% of which belong to Meezan Bank Ltd.
• The main difference from the previous case: presence of the card's PIN code.

Breakdown of the dumps: 64661 (96%) Meezan Bank, Ltd.; 2993 (4%) other.

Page 15:

Diagram labels:

• ApplicationPDF.exe
• File from Chile / File from Pakistan
• CONNECT TO HOST / CONNECT TO HOST
• Ecombox.store
• Lazarus PowerShell backdoor
• Drops a script file (REG_TIME.ps1)

Page 17:

Watering hole / Spear phishing

Watering hole and spear phishing attacks have been active from the very beginning until today.

Page 18:

Redbanc: the attack started with a LinkedIn advert offering a developer role, followed by a Skype call to conduct an interview, and then the download of a file, ApplicationPDF.exe.

Pakistan: similar to Redbanc, judging by ApplicationPDF.exe.

Cosmos bank (version of the partner who did the IR): communication via IM such as Lync, XMPP, etc., then use of collaboration tools such as Jira, Slack, Huddle.

Vietnam, Thailand: unknown infection vector.

Since the middle of 2018 they have used social networks to find suitable employees in the banks and trick them into deploying malware.

Page 19:

Lazarus started to develop legitimate-looking applications. They then trick the user into deploying these applications in the corporate network, which leads to infection.

Cryptocurrency backdoored app:

• July 2018: Lazarus attack with the trading software Celas Trade Pro. Celas Trade Pro is based on the open source Qt Bitcoin Trader.
• The legitimate Qt Bitcoin Trader was bundled with a malicious module «Updater».
• Updater is a first-stage backdoor that collects local information: the process list, computer name and system information.
• Updater had versions for Windows and for MacOS.

Page 20:

Job offer and backdoored app:

• ApplicationPDF.exe was delivered to employees in the bank. Found in the Redbanc and Pakistan cases.
• ApplicationPDF.exe is a C# dropper with the PDB string: F:\05.GenereatePDF\CardOffer\salary\salary\obj\Release\ApplicationPDF.pdb
• ApplicationPDF.exe generates a PDF file and infects the computer with the PowerRatankba reconnaissance tool.
• Only a Windows version was identified.

Page 22:

Lazarus has used a multistage infection process from the beginning until today. Multistage infection simplifies development and support for the attackers, and complicates analysis and response for responders and researchers.

Page 23:

Before June 2017:

• Recon backdoor (Ratankba)
• Loader
• ClientRat
• ClientTrafficForwarder (Proxy)
• ServerRat

July 2018:

• PowerRatankba: PowerShell reconnaissance tool for Windows
• AppleJeus: reconnaissance tool for MacOS

December 2018:

• PowerShell RAT active but still under development

May 2019:

• PowerTask: new version of the reconnaissance tool for Windows

Page 24:

PowerRatankba.B C&C commands:

• success: Sleep and send request after sleep
• killkill: Exit
• interval: Change default sleep length
• cmd: Execute command using "cmd.exe /c $cmdInst". Command response is sent back to the C&C DES encrypted and Base64 encoded
• cf_sv: Replace SCH, VBS, PS1 files with provided server location and pre-determined URI
• rrr: Download payload from provided URL, write to C:\Users\Public\Documents\000.exe, and then execute payload
• exe or inj: Download payload from provided URL, inject into process memory using InvokeReflectivePEInjection

PowerRatankba.A C&C commands:

• success: Sleep and send request after sleep
• killkill: Exit
• Execute: Download payload from provided URL and execute via memory injection
• DownExec: Download payload from provided URL, save to disk, then execute

Ratankba C&C commands:

• killkill: Remove itself from the system
• http: Download payload from provided URL, save to disk, then execute

Page 25:

In May 2019 a new version of the Recon backdoor was identified and later detected in several companies.

PowerRatankba.C C&C commands:

• byebye: Deletes itself and the file with the result of command execution. Example: "byebye"
• run: Creates a new process. The process name and arguments are passed as a parameter. Example: "run explorer.exe"
• cfg: Updates the time period after which the script will be … if the file with the command is not created. In the current version of the script this does not affect anything. Example: "cfg 300"
• test: Checks for a connection to the specified host. Example: "test 192.168.1.1:80"
• ps: Executes the specified command in PowerShell. The command is executed with the following arguments: -ErrorAction SilentlyContinue, -WarningAction SilentlyContinue. Example: "ps Get-Service"
• <CMD>: Command execution in cmd.exe. Example: "echo Hello!"

New version found:

• SWIFT ISAC shared indicators.
• 2019-05-14: a dump of a memory page was uploaded to VirusTotal with 0 detections.
• The dump was uploaded from Nigeria.
• In the dump PowerTask (Recon backdoor) was found.

Page 26:

RAT commands (28):

• NONE: Do not execute any commands
• GINF: Collects and sends extensive system information about the PC
• SLEP: Do not execute any commands
• HIBN: Do not execute any commands
• DRIV: Get information about available disks in the system
• DIRP: List files with the specified extension
• CHDR: Changes the current directory
• DOWN: Download and run the file
• CMDL: Execute the command and upload the result of its operation to the C&C server
• RUNX: Get the user's token
• MOVE: Renames the specified file
• FTIM: Sets the timestamps of the specified file to those of the %windir%/system32/kernel32.dll file
• NEWF: Create a new directory with the specified name
• ZDWN: Purportedly, downloads a file/files
• PEIN: Inject the code into the specified process
• TCON: Purportedly, connects to the specified network node
• RUN: Run the command
• PVEW: List running processes
• DIR: Enumerates files in the selected directory
• DIE: Remove itself from the system
• DEL: Delete the selected file
• WIPE: Delete the selected file and make it unrecoverable
• UPLD: Upload the file to the C&C server
• SCFG: Get a new bot configuration
• GCFG: Download bot configuration
• DRIV: List the installed drivers
• PEEX: Inject the code into the explorer.exe process
• PKIL: Terminate the process with the selected PID

Until 2018 Lazarus used a constantly updated RAT that gave full control over the infected host. The RAT supported 28 commands to manipulate the host. In addition, the threat actors used additional tools to proxy traffic and other RATs as second-stage malware.

Page 27:

PowerShell RAT functions:

• Update configuration
• Collect and send information about the infected PC and running processes, with the ability to terminate them
• Collect and send files to a remote server
• Change properties and attributes of files
• Supports operations with the Registry
• Supports operations for working with ZIP archives
• Download and run PowerShell scripts
• Upload files to the infected PC
• Execute commands from the remote server in the command-line interpreter

New malware:

• December 2018: from a Thailand-related incident we got a RAT written in PowerShell
• The RAT can work in 2 modes: client and server mode
• Some commands were under development
• The trojan can fully replace ClientRAT (FALLCHILL aka Manuscrypt) and ServerRAT
• The new RAT supports operations with the Registry, Screenshots, Video

Page 28:

Launch arguments (argument, default value, description):

• ARG_1 (default 1): Integer variable. If the value is 0, the running script will be deleted.
• ARG_2 (default 1): Integer variable. If the value is 1, the script will run in server mode. Otherwise, it will try to connect to one of two CnC servers.
• ARG_3 (default 8080): The port number on which the server will be running.
• ARG_4 (default ""): Path to the file in which an integer variable is stored. The integer variable is responsible for the port number on which the server will be started in case of problems with the connection. If the value has not been set, then during work the value %TEMP%\<BOT_ID> will be set.
• ARG_5 (default ""): CNC server address. Record format: "<CnC_ADDR>:<CnC_PORT>"
• ARG_6 (default ""): CNC server address. Record format: "<CnC_ADDR>:<CnC_PORT>"
• ARG_7 (default ""): Settings for the proxy server. Record format: "<PROXY_ADDR>:<PROXY_PORT>:<PROXY_LOGIN>:<PROXY_PASS>:<UNUSED_PARAM>"

To launch the new RAT you need to pass valid parameters as listed in the table.

Page 29:

Commands (24 existing):

• CONNECT: Sends information about the infected machine
• ALIVE: Sends BOT_ID as a response
• FILE_REQUEST: Sends a list of files located in the directory
• CMD_REQUEST: Runs the command on the infected PC
• PROCESS_REQUEST: Collects information about running processes
• REGISTRY_REQUEST: Retrieves a list of values and all keys contained in a specific registry key
• SCREEN_REQUEST: Launches a PowerShell script
• DOWNLOAD_REQUEST: Sends a file from the infected PC to the remote server
• FILE_ZIP_REQUEST: Creates a zip archive with the contents of the folder
• ZIP_DOWNLOAD_REQUEST: Creates a ZIP archive of the folder and sends it to the server
• FILE_UNZIP_REQUEST: Extracts the archive to the "Decompressed" directory
• UPLOAD_REQUEST: Uploads a file from the remote server to the infected PC, saves it to disk, and changes the file properties obtained as a parameter
• PROCESS_TERMINATE: Terminates the process with the specified PID
• FILE_DELETE: Deletes the specified file or directory
• FILE_RENAME: Renames the specified file or directory
• FILE_NEW_DIR: Creates a new directory at a specific path
• REG_DELETE: Removes a value from a key in the registry
• REG_RENAME: Renames the value of a key in the registry
• REG_NEW_KEY: Creates a new key in the registry
• REG_NEW_STRING: Creates a new value for a key with type STRING
• REG_NEW_DWORD: Creates a new value for a key with type DWORD
• REG_NEW_BINARY: Creates a new value for a key with type BINARY
• DELAY_REQUEST: Terminates the active connection to the CnC server and changes the timeout before creating a new connection
• AGENT_CONFIG: Updates script parameters

The new RAT supported 24 existing commands, and 13 additional commands were under development. The predefined list of commands comes from the C&C server.

Page 30:

Commands under development (13):

• KEYBOARD_REQUEST
• KEYBOARD_STOP
• DOWNLOAD_STOP
• PROCESS_INJECT
• DATA_TAG_SCREEN_STOP
• DATA_TAG_CAMERA
• DATA_TAG_CAMERA_STOP
• DATA_TAG_CAMERA_LOWQ
• DATA_TAG_CAMERA_NORMALQ
• DATA_TAG_CAMERA_HIGHQ
• DATA_TAG_SCREEN_LOWQ
• DATA_TAG_SCREEN_NORMALQ
• DATA_TAG_SCREEN_HIGHQ

The new RAT supported 24 existing commands, and 13 additional commands were under development. The new commands allow the attacker to control the screen, cameras and keyboard and to inject into a process.

Page 31:

The CONNECT command sends information about the infected machine. The information collected:

• BOT_ID
• IP_ADDR
• PC_NAME
• USERNAME
• OS_VERSION
• OS_ARCH1
• OS_ARCH2
• IS_PROXY_ENABLE
• PROXY_ADDR
• AGENT_SCRIPT_PATH
• LAST_BOOT_UP_TIME
• OS_CAPTION
• OS_LANG
• OS_COUNTRY_CODE
• CNC1_ADDR
• CNC1_PORT
• CNC2_ADDR
• CNC2_PORT
• OS_ARCH2

Page 33:

Huntbox identified a unique pattern for C2 servers:

• 63 unique IP addresses within the last 6 months
• 42 unique domains within the last 6 months

Page 34:

Additionally, we reversed the communication protocol and wrote an emulator to detect new C2 servers.

1. Generate information about the infected machine
2. Send the length of the message and the message itself
3. Accept from the server the length of the message that must be received
4. Accept the message, which contains the command
5. Check for the presence of the command in the received message
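The five steps above, together with the CONNECT field list (page 31) and the "<CnC_ADDR>:<CnC_PORT>" launch-argument format (page 28), are enough to sketch how such a C2 fingerprinting exchange is framed. The following Python is an added example, not Group-IB's emulator: it uses the field and command names from the slides, but the serialisation of the CONNECT message (key=value pairs joined by "|") and the 4-byte little-endian length prefix are assumptions, since the deck does not give the wire format, and any encryption or encoding layer the real protocol applies is left out. The host profile is constructed, and the peer is an in-process mock so the code runs without network access.

```python
import socket
import struct
import threading

# Field names of the CONNECT message (from the slide); the sample values are constructed.
CONNECT_FIELDS = (
    "BOT_ID", "IP_ADDR", "PC_NAME", "USERNAME", "OS_VERSION", "OS_ARCH1", "OS_ARCH2",
    "IS_PROXY_ENABLE", "PROXY_ADDR", "AGENT_SCRIPT_PATH", "LAST_BOOT_UP_TIME",
    "OS_CAPTION", "OS_LANG", "OS_COUNTRY_CODE", "CNC1_ADDR", "CNC1_PORT",
    "CNC2_ADDR", "CNC2_PORT",
)
# The 24 documented commands; a reply that opens with one of them is the signal we look for.
KNOWN_COMMANDS = frozenset({
    "CONNECT", "ALIVE", "FILE_REQUEST", "CMD_REQUEST", "PROCESS_REQUEST",
    "REGISTRY_REQUEST", "SCREEN_REQUEST", "DOWNLOAD_REQUEST", "FILE_ZIP_REQUEST",
    "ZIP_DOWNLOAD_REQUEST", "FILE_UNZIP_REQUEST", "UPLOAD_REQUEST", "PROCESS_TERMINATE",
    "FILE_DELETE", "FILE_RENAME", "FILE_NEW_DIR", "REG_DELETE", "REG_RENAME",
    "REG_NEW_KEY", "REG_NEW_STRING", "REG_NEW_DWORD", "REG_NEW_BINARY",
    "DELAY_REQUEST", "AGENT_CONFIG",
})
SAMPLE_INFO = {  # constructed, fictitious host profile (step 1)
    "BOT_ID": "A1B2C3D4", "IP_ADDR": "10.0.0.5", "PC_NAME": "WS-LAB-01", "USERNAME": "analyst",
    "OS_VERSION": "10.0.17763", "OS_ARCH1": "64-bit", "OS_ARCH2": "AMD64",
    "IS_PROXY_ENABLE": "0", "OS_LANG": "en-US", "OS_COUNTRY_CODE": "1",
}


def parse_cnc_arg(value: str):
    """Parse the ARG_5/ARG_6 record format "<CnC_ADDR>:<CnC_PORT>" into (addr, port)."""
    addr, sep, port = value.rpartition(":")
    if not sep or not addr or not port.isdigit():
        raise ValueError(f"bad CnC record: {value!r}")
    return addr, int(port)


def build_connect_message(info: dict) -> bytes:
    # ASSUMPTION: key=value pairs joined by '|' after the command name; the slide
    # only lists the field names, not the real serialisation.
    body = "|".join(f"{name}={info.get(name, '')}" for name in CONNECT_FIELDS)
    return f"CONNECT|{body}".encode()


def send_frame(sock: socket.socket, payload: bytes) -> None:
    """Step 2: length prefix (ASSUMPTION: 4-byte little-endian) followed by the message."""
    sock.sendall(struct.pack("<I", len(payload)) + payload)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full frame arrived")
        buf += chunk
    return buf


def recv_frame(sock: socket.socket, max_len: int = 1 << 20) -> bytes:
    """Steps 3 and 4: read the announced length, then exactly that many bytes."""
    (length,) = struct.unpack("<I", _recv_exact(sock, 4))
    if length > max_len:  # refuse absurd lengths instead of allocating them
        raise ValueError(f"announced length {length} exceeds {max_len}")
    return _recv_exact(sock, length)


def extract_command(message: bytes):
    """Step 5: the first '|'-separated token is the command; None if it is not a known one."""
    token = message.split(b"|", 1)[0].decode("ascii", errors="replace")
    return token if token in KNOWN_COMMANDS else None


def probe(sock: socket.socket, info: dict) -> dict:
    """Run the five-step exchange over an already connected socket."""
    send_frame(sock, build_connect_message(info))
    reply = recv_frame(sock)
    command = extract_command(reply)
    return {"reply": reply, "command": command, "looks_like_c2": command is not None}


def _mock_server(conn: socket.socket, reply: bytes) -> None:
    """Stand-in peer: consumes the CONNECT frame and answers with one frame."""
    try:
        recv_frame(conn)
        send_frame(conn, reply)
    finally:
        conn.close()


def demo(reply: bytes = b"ALIVE|") -> dict:
    """Exercise the exchange over an in-process socket pair (no network access)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_mock_server, args=(server, reply))
    t.start()
    try:
        return probe(client, SAMPLE_INFO)
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    print(demo())                              # a peer that answers with a known command
    print(demo(b"HTTP/1.1 400 Bad Request"))   # an ordinary web server does not
```

The check in step 5 is what turns the exchange into a scanner: a host that answers a well-formed CONNECT frame with one of the documented command tokens behaves like the C2, whereas an unrelated service answers with something else or closes the connection (which `_recv_exact` reports as a ConnectionError rather than a match). The `max_len` guard matters because the scanner trusts a length announced by an untrusted peer.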

Page 36:

Securely remove files:

• Windows Event Logs
• NTFS $LogFile
• Prefetch files
• Temporary files and files specified in the configuration

SWIFT system:

• Disable all connectivity to back-office applications
• Use SQL statements to delete data from the Alliance Access database

The attacker needs to extend the period before they might be detected, to avoid the fraudulent messages being cancelled.

Page 37:

Variant 1

1. Goes through all logical drives
2. Randomly renames files, then overwrites the first bytes of each file, except files in whitelisted system directories.
3. Reads the MBR of every drive, then writes "0x00" to the first 0x20 sectors.
4. From the MBR it finds the partitions and then overwrites the first 0x10 and last sectors of each volume.
5. 15 minutes later, it forces the machine to reboot by killing the processes csrss.exe, wininit.exe, winlogon.exe, lsass.exe.

Variant 2

1. Retrieves a hard disk handle via the API CreateFileA
2. Overwrites the first sector of the disk (512 bytes) with "0x00"
3. Repeats the same step for every next hard drive
4. Forces the machine to shut down via the API ExitWindows.

In 2018 they used it to destroy the networks of Banco de Chile and Bancomext. 9.000 PCs and 500+ servers were affected in Banco de Chile.*

*https://badcyber.com/banco-de-chile-victim-of-a-devastating-wiper-attack-money-allegedly-stolen/

Page 38:

Modified version:

• The sample is tailored for the environment and contains hardcoded Windows credentials.
• Spreads via network shares and creates scheduled tasks.
• Was not correctly configured and did not show the message with the ransom demand.

At the final stage of the attack on the Taiwanese Far Eastern International Bank (FEIB), Lazarus launched the Hermes ransomware, which has been used by another financially motivated group.

Page 39:

Modified version:

• The text displayed at boot time is hardcoded to "Invalid system disk".
• The partition table of the original MBR is not copied to the new MBR. This renders the system unbootable.

Lazarus started to use a modified version of mbr-lovenote.
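For a responder looking at a disk image after either the wiper of page 37 or the modified mbr-lovenote above, the question is what state sector 0 is in: zeroed (variant 2, and the first 0x20 sectors in variant 1), or carrying boot code with the "Invalid system disk" text and an empty partition table (the modified MBR), or intact. The following Python is an added example, not Group-IB's tooling; it decodes the standard MBR layout (partition table at offset 446, signature 0x55AA at offset 510), and the three classification names and the sample sectors are constructed for this demo rather than taken from any incident.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
LOVENOTE_TEXT = b"Invalid system disk"  # boot-time text named on the slide


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields a responder needs from one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        if any(entry):  # skip empty slots
            lba_start, sector_count = struct.unpack_from("<II", entry, 8)
            partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "all_zero": not any(sector),
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "lovenote_text": LOVENOTE_TEXT in sector[:PARTITION_TABLE_OFFSET],
    }


def classify_mbr(sector: bytes) -> str:
    """Map the decoded fields to the states described on the slides (labels are ours)."""
    info = parse_mbr(sector)
    if info["all_zero"]:
        return "zeroed"  # sector 0 overwritten with 0x00, as in wiper variant 2
    if info["lovenote_text"] and not info["partitions"]:
        return "lovenote-no-partition-table"  # boot code present, partition table not copied
    if info["boot_signature_ok"] and info["partitions"]:
        return "intact"
    return "damaged"


def leading_zero_sectors(image: bytes) -> int:
    """Count all-zero sectors from the start of a disk image (variant 1 zeroes 0x20 of them)."""
    count = 0
    for off in range(0, len(image) - len(image) % SECTOR_SIZE, SECTOR_SIZE):
        if any(image[off:off + SECTOR_SIZE]):
            break
        count += 1
    return count


def make_sample(kind: str) -> bytes:
    """Constructed sectors for the three states (not captures from any incident)."""
    sec = bytearray(SECTOR_SIZE)
    if kind == "zeroed":
        return bytes(sec)
    if kind == "intact":
        sec[0:3] = b"\x33\xc0\x8e"  # arbitrary stand-in for boot code
        # one bootable NTFS-type (0x07) entry: status, CHS start, type, CHS end, LBA start, count
        struct.pack_into("<BBBBBBBBII", sec, PARTITION_TABLE_OFFSET,
                         0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1_000_000)
        sec[510:512] = BOOT_SIGNATURE
        return bytes(sec)
    if kind == "lovenote":
        sec[0:len(LOVENOTE_TEXT)] = LOVENOTE_TEXT
        sec[510:512] = BOOT_SIGNATURE  # partition table deliberately left empty
        return bytes(sec)
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("intact", "zeroed", "lovenote"):
        print(f"{kind:10} -> {classify_mbr(make_sample(kind))}")
    image = b"\x00" * SECTOR_SIZE * 0x20 + make_sample("intact")
    print("leading zero sectors:", leading_zero_sectors(image))
```

Run it against the first few hundred sectors of an image rather than only sector 0: a `leading_zero_sectors` result of 0x20 with the original MBR gone is the variant-1 pattern, while a single zeroed sector followed by untouched data matches variant 2. In the lovenote case the partition entries can still be recovered from the volume boot records further down the disk, which is why knowing that only the table was dropped matters for recovery.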
