New Ways of Emerging Actors: India, South Africa, Nigeria, and Indonesia

#RSAC

Session ID: TTA-R03

Wayne Huang
VP Engineering, Proofpoint, Inc.
@waynehuang
[email protected]
[email protected]

Sun Huang
Senior Threat Researcher, Proofpoint, Inc.
[email protected]

Agenda

- TTP summary
- Crimeware adoption
- Monetization
- Current C2 vulnerabilities
- Actor attribution methodology
- Those targeted and compromised
- Nigerian gang's strategy change
- Conclusion

TTP summary

Actors overview

- Tracked nine actors, 1,200+ unique nodes (C2 panels) during the past year
- Actors located in Nigeria (most), India, South Africa, and Indonesia
- One actor changed TTP significantly in March 2015
- One of the Zeus panels includes a backdoor (undisclosed)

Overview of the nine actors

Group #              9
Victim #             12,953
Stolen credentials   pop3: 7,671  ftp: 1,137  http: 1,538
Malware used         Zeus/IceIX/Citadel/Betabot/Solarbot/Syndicate Keylogger/ISR Stealer
Servers owned        1,200+
Technique            Spear phishing -- attachment; Phishing

Tactics, Techniques and Procedures (TTP) Summary

- Objectives
  - Compromise endpoints
  - Collect data and intelligence
    - Credentials (POP3, FTP, HTTPS forms), client-side certs, screenshots
  - #1: Obtain online banking accounts
  - #2: Sell off data & intelligence
- Motivation
  - Purely financial
  - Not state-backed

Tactics, Techniques and Procedures (TTP) Summary

- Target individuals
- Attack vector into endpoints
  - Mostly via email messages
    - URLs pointing to exploit kits, zips (containing exes), or jars
    - Attached exploits (Office, PDF) or malware executables

Tactics, Techniques and Procedures (TTP) Summary

- Endpoint ownership, data extraction & exfiltration
  - Are NOT capable of developing their own trojans
  - Use whatever off-the-shelf trojans they can get hold of
  - Most used trojan features:
    - Web inject: steals specific banking accounts
    - Wallet stealer: steals virtual currencies
  - Also phish for credentials (seen daily)

Tactics, Techniques and Procedures (TTP) Summary

- Command and control (C2) servers
  - Do NOT rent or maintain their own servers
  - C2s run entirely on compromised shared hosting servers
  - ARE capable of, and dedicated to, compromising servers
  - Do NOT buy cPanel credentials
    - Rely entirely on servers they compromised themselves
  - Install C2 scripts mostly via cPanel

Tactics, Techniques and Procedures (TTP) Summary

- Vector into shared hosting accounts
  - Stage 1: acquire remote access to ONE shared hosting account
    - Mass-scale scanning + manual intrusion
  - Stage 2: acquire multiple cPanel credentials on this shared hosting
    - Via acquiring (DB) credentials from config files
    - Via cPanel vulnerabilities and privilege escalation
    - Via brute forcing MySQL credentials using usernames from /etc/passwd

Crimeware usage

Crimeware adoption

- Exploit kits
  - Angler, Nuclear, Fiesta, FlashPack, RIG, Sweet Orange, etc.
- Banking trojans
  - Zeus, ICEIX, Citadel, PONY, Betabot, Solarbot, JollyRoger, Dridex, etc.
- Remote access trojans (RATs)
  - XtremeRAT, Gh0stRAT, Poison Ivy, Dark Comet, etc.
- Fully Undetectables (FUDs)
  - CypherX Crypter, Stage Crypter, Orway Crypter, etc.

Banking trojan panels

- Zeus/ICEIX/Citadel/Betabot/Solarbot/JollyRoger/PONY (screenshot slides, one panel per family)

Banking trojan features

- Credential theft: HTTP/HTTPS/FTP/POP3/RDP/certs
- Man in the Browser (MitB)
- Video recording
- Screen capture
- Back-connect
- Jabber notifier

Monetization

Zbot-based business losses: $500M+

(Bar chart: losses per year, 2008 to 2014, y-axis 0 to 250. Total: $500+ million.)

DEMO: main monetization means

Screen recording of a compromised ebanking account holding 3M USD

Corporate emails sold on the black market at different prices according to value

- Different price by industry

Unlimited access to all stolen data -- salvage what you can!

- $50 per hour

Current C2 vulnerability

Zeus web panels compared

                Zeus 2.0.8.9 (most) – 2.9.6.1      Zeus Robot/Panther/GOZ
Login page      cp.php?m=login                     cp.php?letter=login
Gateway         gate.php                           secure.php
Upload folder   _reports                           _feedback
Config in       System/                            Inc/
Bots table      botnet_list                        membership_list
Data table      botnet_reports_(date)              membership_reports_(date)
Cryptkey        $config['botnet_cryptkey']         $config['membership_cryptkey']

Current C2 panel vulnerabilities

Panels compared: Zeus 2.0.8.9 | Zeus 2.7.6.8 – current | Zeus Robot | ICEIX | Citadel 1.3.5.1

(Matrix; the ◎/X marks are given as extracted, their column assignment was lost:)

File Upload Vulnerability (known, patched)           ◎ X X ◎ X
Remote Command Execution (0day)                      ◎
Reflected Cross Site Scripting (0day)                ◎ ◎
Information leakage (/install/) (known, unpatched)   ◎ ◎

File upload vulnerability

- Vulnerable panels: Zeus >= 2.1.0.1 / ICEIX
- Upload to /_reports/files/BOTNET_ID/BOTID/certs/
- Known and patched
- Apache multiple file extension support. Apache manual: "Files can have more than one extension, and the order of the extensions is normally irrelevant."
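The Apache quotation above is the crux of this class of upload bug: a filter that only inspects the last extension accepts a name such as cert.php.crt, yet an AddHandler-style mapping will still hand that file to the PHP handler. The following is an added defensive check written for this transcript (not code from the talk, nor from any panel); the allowlist of final extensions, the set of handler-mapped extensions and the filename character policy are assumptions constructed for the example, and the check rejects a file if any extension segment, not just the last, maps to a script handler.

```python
import re
from pathlib import PurePosixPath

# Extensions that a typical AddHandler/mod_php setup treats as code wherever they
# appear in the extension chain. Constructed list for this example; adjust it to
# the handlers actually configured on the host.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Extensions the (hypothetical) certificate upload endpoint is meant to accept.
ALLOWED_FINAL_EXTENSIONS = {"crt", "cer", "pem", "txt"}

# Plain filename characters only: no separators, spaces or control characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-.]+$")


def extension_chain(filename: str) -> list[str]:
    """Every dotted extension segment, lower-cased: 'a.php.crt' -> ['php', 'crt']."""
    name = PurePosixPath(filename).name
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def is_acceptable_upload(filename: str) -> bool:
    """Apache-aware filename policy: every extension must be harmless, not just the last."""
    name = PurePosixPath(filename).name
    if not name or name != filename or not SAFE_NAME.match(name):
        return False  # directory components, traversal, empty or odd names
    chain = extension_chain(name)
    if not chain or chain[-1] not in ALLOWED_FINAL_EXTENSIONS:
        return False  # no extension, or a final extension outside the allowlist
    if any(ext in EXECUTABLE_EXTENSIONS for ext in chain):
        return False  # 'cert.php.crt' would still reach the PHP handler
    return True


if __name__ == "__main__":
    for candidate in ("cert.crt", "cert.php.crt", "cert.crt.php", "../cert.crt", ".htaccess"):
        print(f"{candidate!r}: {'accept' if is_acceptable_upload(candidate) else 'reject'}")
```

The filename check belongs beside, not instead of, a server-side fix: on Apache the usual practice is to map the PHP handler with a FilesMatch block anchored on the final extension (\.php$) and to disable script execution in upload directories altogether, so that a filter mistake in the application does not become code execution.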

File upload vulnerability has been fixed

- Fixed in Zeus Robot

C2 remote command execution

- 0day
- Affected: all Zeus / IceIX / Citadel
- Source: reports_files.php (database search)
- Sink: fsarc.php (file archiving)
- Affected parameter: files
- Execute arbitrary commands

Reflected cross site scripting

- 0day
- Affected: all Zeus / IceIX / Citadel
- Source: reports_files.php (database search)
- Sink: fsarc.php (file archiving)
- Affected parameter: files
- Cookie stealing or client-side exploitation
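The two fsarc.php findings above (the remote command execution slide and this reflected XSS slide) share one root cause: the files parameter from the database search reaches a file-archiving sink, a command context, and is also reflected into the response, an HTML context. The following added Python example, written for this transcript and not taken from the talk or from the panels, shows the vulnerable pattern next to a hardened one for both contexts. REPORT_ROOT, the comma-separated layout of the parameter and the tar invocation are assumptions made for the example.

```python
import html
import re
from pathlib import PurePosixPath

# Assumption for this example: the directory whose report files may be archived.
REPORT_ROOT = PurePosixPath("/var/www/panel/_reports/files")

# One archive entry: a relative path built only from safe characters.
SAFE_ENTRY = re.compile(r"^[A-Za-z0-9_\-./]+$")


def validate_files_param(files_param: str) -> list[str]:
    """Split the (assumed) comma-separated 'files' parameter into entries that are
    plain relative paths below REPORT_ROOT; anything else raises ValueError."""
    entries = []
    for raw in files_param.split(","):
        entry = raw.strip()
        if not entry or not SAFE_ENTRY.match(entry):
            raise ValueError(f"rejected entry: {raw!r}")  # metacharacters, quotes, spaces
        if entry.startswith("/") or ".." in PurePosixPath(entry).parts:
            raise ValueError(f"rejected entry: {raw!r}")  # absolute paths and traversal
        entries.append(entry)
    return entries


def vulnerable_archive_command(files_param: str) -> str:
    """The bug class behind the RCE: the raw parameter is pasted into a shell
    command string. Kept only for contrast; never hand the result to a shell."""
    return f"tar czf /tmp/archive.tgz {files_param}"


def hardened_archive_command(files_param: str) -> list[str]:
    """Validated entries become separate argv elements for subprocess.run(argv)
    with shell=False, so there is no command context left to inject into."""
    entries = validate_files_param(files_param)
    return ["tar", "czf", "/tmp/archive.tgz", "-C", str(REPORT_ROOT), *entries]


def vulnerable_render(files_param: str) -> str:
    """The reflected XSS pattern: the raw parameter echoed into HTML."""
    return f"<p>Searched for: {files_param}</p>"


def hardened_render(files_param: str) -> str:
    """Escape for the HTML text context before reflecting the parameter."""
    return f"<p>Searched for: {html.escape(files_param, quote=True)}</p>"


if __name__ == "__main__":
    print(hardened_archive_command("bot1/certs/a.crt, bot2/certs/b.crt"))
    print(hardened_render("<b>not bold</b>"))
    for bad in ("a.crt;id", "../../etc/passwd"):
        try:
            validate_files_param(bad)
        except ValueError as exc:
            print(exc)
```

Two separate defenses are needed because the two sinks live in different contexts: the allowlist keeps the parameter out of a shell and below the intended directory, and the HTML escaping neutralizes the same parameter when it is reflected; neither one substitutes for the other.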

Actor attribution methodology

C2 tracking system

- Tracks actors' C2 servers
- Analyzes actor geolocation and activity
- RC4 keypass brute forcing in order to obtain a shell automatically ("getshell")
- Password brute forcing
- Supports: Zeus/ICEIX/Citadel

Campaign attribution via XSS fingerprinting

Actors' tool for cPanel remote privilege escalation

- cPanel Apache symlink race condition vulnerability

Actors' tool for cPanel password brute forcing

- cPanel password brute forcing

Upload & install C2 mostly via cPanel

- Upload C2 panel, dropper and config files via cPanel

Identifying actor location

- Access logs
- Last login IP record in the .lastlogin file
  - /home/[username]/.lastlogin

A good technique for finding more C2 servers on the same shared host

- Identify additional active C2 domains via cPanel webalizer
- Many cPanel web stats allow unrestricted access
  - /home/[username]/tmp/webalizer/
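The access-log approach to locating an operator, described two slides up, works because the panel comparison table gives distinctive request paths: operators hit the login page (cp.php) while infected machines only ever post to the gateway (gate.php or secure.php). The following added example, written for this transcript and not code from the talk, parses Apache combined-format lines and separates the two populations, keeping the browser string of each operator IP because the talk lists browser versions among its key attribution features. The log lines are constructed (documentation address ranges, made-up timestamps), and the marker lists are assumptions drawn from the table.

```python
import re
from collections import Counter, defaultdict

# Request paths the talk's panel table associates with Zeus-family panels: the
# operator control panel versus the bot gateway. Constructed markers for this example.
OPERATOR_MARKERS = ("cp.php",)
GATEWAY_MARKERS = ("gate.php", "secure.php")

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; nothing here is an observation from the talk.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:08:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2015:08:02:10 +0000] "POST /_reports/gate.php HTTP/1.1" 200 30 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Mar/2015:08:03:45 +0000] "GET /admin/cp.php?m=login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11)"
198.51.100.4 - - [10/Mar/2015:08:04:01 +0000] "POST /admin/cp.php?m=login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11)"
203.0.113.9 - - [10/Mar/2015:08:05:17 +0000] "POST /_reports/gate.php HTTP/1.1" 200 30 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Mar/2015:08:06:33 +0000] "GET /admin/cp.php?m=reports_files HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11)"
"""


def parse_line(line: str):
    """Named groups of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_panel_hits(log_text: str):
    """Separate operator (control panel) requests from bot check-ins.

    Returns (operator_ips, gateway_ips, operator_agents): two Counters of source
    IPs plus a dict mapping each operator IP to the User-Agent strings it used."""
    operator_ips: Counter = Counter()
    gateway_ips: Counter = Counter()
    operator_agents = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # match markers on the path, not the query
        if any(path.endswith(marker) for marker in OPERATOR_MARKERS):
            operator_ips[rec["ip"]] += 1
            operator_agents[rec["ip"]].add(rec["ua"])
        elif any(path.endswith(marker) for marker in GATEWAY_MARKERS):
            gateway_ips[rec["ip"]] += 1
    return operator_ips, gateway_ips, dict(operator_agents)


if __name__ == "__main__":
    ops, bots, agents = classify_panel_hits(SAMPLE_LOG)
    print("operator IPs:", ops.most_common())
    print("gateway IPs:", bots.most_common())
    print("operator browsers:", agents)
```

Run over a real hosting account's log, the operator set is the short list worth geolocating and correlating with the .lastlogin record, while the gateway set is the victim population that the Zeus Robot path names (secure.php) would also reveal.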

Top 10 C2 passwords and RC4 keys

Password      RC4 KeyPass
123456        reh4357heGTJHaegharhet4575hawrGAEha
12345678      78fghrYU%^&$ER
admin123      144458686889uiuiui
1qaz2wsx      hello
enugu042      SXMQ!xz%US!K5~#(K(
mankind       man1
1234567       E354B6KUO986C434C5677BBH2WER
master        PrE/Y!!#$@#
password1     olivertwist
1234567890    pelli$10pelli

Those targeted and compromised

Overview of the nine actors

Group #              9
Victim #             12,953
Stolen credentials   pop3: 7,671  ftp: 1,137  http: 1,538
Malware used         Zeus/IceIX/Citadel/Betabot/Solarbot/Syndicate Keylogger/ISR Stealer
Servers owned        212
Technique            Spear phishing -- attachment; Phishing

Singaporean victims by industry

(Pie chart: Engineering 14%, Environmental systems 1%, Bicycle and Skate rental 9%, Construction 8%, Education 1%, Financial 5%, Logistics Services 4%, Energy & Utilities 3%, Chemicals & Petroleum 1%, Electronics 6%, Food 3%, Telecommunication 8%, Travel and Transportation 22%, Services/Consulting 4%, Information Technology 1%, Healthcare 1%, Marketing and distribution 1%, Manufacturing 9%)

- Logistics industry
  - ******cs.com.sg
  - ******ing.com.sg
- Oil / Energy industry
  - ******ring.com.sg
  - ******l.com.sg

Group NG03

Group Name             NG03
Nationality/Location   NIGERIA, LAGOS, LAGOS
Victim #               15,887
Stolen credentials     pop3: 9,622  ftp: 1,117  http: 6,59
Malware used           ZeuS/Citadel/ISR Stealer
Servers owned          265
Technique              Spear phishing -- attachment, Phishing
Feature                PO# JKT-130090.doc, Purchase Order.DOC, PaymentCopy.scr, Chief Architect X2.exe, remittance details.zip

Group NG03 – Victims by industry

(Pie chart: Retail 21%, Manufacturing 18%, Information Technology 14%, Services/Consulting 7%, Travel & Transportation 21%, Electronics 4%, Chemicals & Petroleum 7%, Energy & Utilities 4%, Others 4%)

- Pakistan's energy center s****energy.org
- Well-known energy expert
- UK logistics company i*****tions.co.uk
- Many videos recorded with Citadel
- Also doing phishing

Group NG03 – Victims by country

(Pie chart: AE 4%, CN 13%, DE 3%, HK 6%, ID 20%, IN 21%, KR 10%; legend as extracted: AE AR AT AU BA BD BE BF BG BH BT BY CA CH CI CN DE DK DZ EC EG ES ET EU FI FJ FR GB GE GH GR HK HU ID IE IL IN IR IT JO JP KE KH KR KW KZ LB LK LT LU LV MA MD ME MO MU MX MY MZ NG)

Group IN01

Group Name             IN01
Nationality/Location   INDIA, DELHI, NEW DELHI
Victim #               493
Stolen credentials     pop3: 102  ftp: 7  http: 52
Malware used           IceIX
Servers owned          4
Technique              Spear phishing -- attachment
Feature

Group IN01 – Victims by industry

(Pie chart: Retail 40%, Manufacturing 20%, Information Technology 7%, Services/Consulting 7%, Travel & Transportation 10%, Healthcare 7%, Insurance 3%, Financial 3%, Others 3%)

- Targeted India
- India's logistics company f******ight.net

Group IN01 – Victims by country

(Pie chart: IN 78%, IT 9%, US 4%, RU 1%; legend: IN US IT RU BG DE IL AT FR HU GR EG BE CA PL ES PK MU CN HK GB BH TW SG)

Group ZA01

Group Name             ZA01
Nationality/Location   SOUTH AFRICA, KWAZULU-NATAL, DURBAN
Victim #               27
Stolen credentials     pop3: 28  ftp: 3  http: 20
Malware used           Zeus
Servers owned          3
Technique              Spear phishing -- attachment
Feature                Your Order.exe, drop.exe, drops.exe

Group ZA01 – Victims by industry

(Pie chart: Retail 29%, Manufacturing 29%, Information Technology 14%, Travel & Transportation 14%, Others 14%)

- South Africa, India, Germany
- Australian government .gov.au
- Petrochemical industry c****.com
- Logistics company e**.net

Group ZA01 – Victims by country

(Pie chart: IN 37%, DE 18%, ZA 15%, PL 7%, ID 7%, BD 4%, HK 4%, SE 4%, US 4%)

Group ID01

Group Name             ID01
Nationality/Location   INDONESIA
Victim #               100
Stolen credentials     pop3: 22  ftp: 31  http: 10
Malware used           Zeus
Servers owned          3
Technique              Spear phishing -- attachment, Phishing
Feature

Group ID01 – Victims by industry

(Pie chart: Retail 50%, Manufacturing 9%, Information Technology 8%, Electronics 17%, Insurance 8%, Government 8%)

- Aviation equipment company
- India's electrical equipment manufacturer
- European flying committee

Group ID01 – Victims by country

(Pie chart: US 44%, DE 19%, NZ 19%, RU 10%, CN 8%)

Nigerian gang's strategy change

New campaign since Apr 28 2015

- Microsoft RTF document with CVE-2014-1761
- Malware: ISR Stealer

ISR Stealer admin panel (screenshot slides)

ISR Stealer mostly set up on free hosting

ISR stealer persistent cross site scripting

u  Source & sink: index.php

Specific  user  agent

#RSAC

ISR stealer persistent cross site scripting

u  Source & sink: index.php

Source  Input

Specific  user  agent

#RSAC

ISR stealer persistent cross site scripting

u  Source & sink: index.php

Source  Input

Specific  user  agent

#RSAC

ISR stealer persistent cross site scripting

u  Source & sink: index.php

Source  Input

Specific  user  agent

#RSAC

ISR stealer persistent cross site scripting

u  Source & sink: index.php

Source  Input

Specific  user  agent

#RSAC

ISR stealer persistent cross site scripting

#RSAC

ISR stealer persistent cross site scripting

#RSAC

ISR stealer persistent cross site scripting

#RSAC

Campaign attribution

p  USER_AGENT: p  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/

537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36 OPR/28.0.1750.51

p  IP addresses: p  41.220.69.115 - AS 29465 (Nigeria) p  41.220.69.185 - AS 29465 (Nigeria)

It turns out this actor is the same Nigerian gang whom we’ve been tracking for a year

Actor attribution research

XSS targeted experiment     170 ISR Stealer panels on unique domain names
Duration                    2 weeks
Successful triggers         Received 103 cookies
Success rate                60%
Total stolen credentials    66,284

Actors by country

(Pie chart: Nigeria 71%, Romania 1%, Singapore 1%, Pakistan 2%, United Arab Emirates 3%, Ghana 3%, Russia 3%, Turkey 1%, Iran 3%, Canada 3%, Benin 1%, Australia 1%, Mexico 1%, Myanmar 3%, Malaysia 3%)

Nigeria ASNs: 29465, 36873, 37076, 37127, 37148

Actors by OS

(Pie chart: Win 7 72%, Win 8 12%, Win XP 12%, Unknown 4%)

Actors by browser and by Flash version

(Pie charts: browser: Firefox 37%, IE 1%, Chrome 60%, Safari 2%; Flash version: Latest 81%, Outdated 19%)

Conclusion

Nigerian gang evolution

- 2014: Traditional attachment techniques
  - Executable files (exe, scr) compressed within a Zip file
  - Purchase_Order.zip or Payment Advice pdf.zip etc.
  - Malware: Zeus / IceIX / Citadel / Betabot / ISR Stealer
- 2015: Changed tactics!
  - Microsoft RTF document with CVE-2014-1761
  - Still some old school (exe/scr)
  - Malware: Zeus Robot / PONY / ISR Stealer (increased) / Citadel / Betabot / Zeus 2.1.0.1 (decreased) / Zeus 2.0.8.9 (decreased)

High profile victims

- 23 government email accounts
- 11 different countries

(Bar chart: accounts per country, y-axis 0 to 7; country labels as extracted: RW IT PK RW UA TW ZA VN IQ MK IN)

Conclusion

- Actor tracking & attribution can be done
  - Key features: passwords, RC4 keys, browser versions, environment variables, and directory names
  - Secondary features: IP range, geolocation, language, operating hours
- Strategy change made them more difficult to track
  - Avoided using vulnerable C2 panels
- Currently the most used Zeus: Zeus Robot
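The conclusion's key/secondary feature split, and the campaign attribution slide that tied a new ISR Stealer campaign back to the tracked gang through a shared browser string and AS number, describe a linking procedure without spelling it out. The following added example, written for this transcript and not the speakers' own tooling, implements that procedure as union-find over panel records: a shared panel password or RC4 key links two panels on its own, while a shared browser string only links them when a secondary feature (the AS number) agrees. The panel records are constructed; the only values taken from the talk are the top-10 passwords, which the example treats as too widespread to attribute on. That weighting is a design choice of the example, not a rule stated in the talk.

```python
from collections import defaultdict
from itertools import combinations

# Constructed panel records (domains, passwords, keys, user agents and AS numbers
# are made up for this example; they are not observations from the talk).
PANELS = [
    {"id": "p1", "domain": "one.example", "password": "Lag0s!2014", "rc4": "key-A", "ua": "UA-X", "asn": 64500},
    {"id": "p2", "domain": "two.example", "password": "Lag0s!2014", "rc4": "key-B", "ua": "UA-Y", "asn": 64501},
    {"id": "p3", "domain": "three.example", "password": "zz9!Qx", "rc4": "key-B", "ua": "UA-Z", "asn": 64502},
    {"id": "p4", "domain": "four.example", "password": "123456", "rc4": "key-C", "ua": "UA-X", "asn": 64500},
    {"id": "p5", "domain": "five.example", "password": "123456", "rc4": "key-D", "ua": "UA-Q", "asn": 64503},
]

# Key features link two panels on their own; the browser string is only trusted
# when the AS number agrees. Design choice for this example.
KEY_FEATURES = ("password", "rc4")
CORROBORATED = (("ua", "asn"),)

# The talk's top-10 C2 passwords: shared by unrelated actors, so not a link.
COMMON_PASSWORDS = {"123456", "12345678", "admin123", "1qaz2wsx", "enugu042",
                    "mankind", "1234567", "master", "password1", "1234567890"}


class DisjointSet:
    """Minimal union-find over panel ids."""

    def __init__(self, ids):
        self.parent = {i: i for i in ids}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_reason(a, b):
    """Why two panels should be attributed to one actor, or None."""
    for feature in KEY_FEATURES:
        if a[feature] == b[feature] and not (feature == "password" and a[feature] in COMMON_PASSWORDS):
            return f"shared {feature}"
    for pair in CORROBORATED:
        if all(a[f] == b[f] for f in pair):
            return "shared " + "+".join(pair)
    return None


def cluster_panels(panels):
    """Group panels into actor clusters.

    Returns (clusters, edges): clusters is a sorted list of sorted id lists, and
    edges maps each linked pair to the feature that linked it, so every attribution
    stays explainable."""
    ds = DisjointSet(p["id"] for p in panels)
    edges = {}
    for a, b in combinations(panels, 2):
        reason = link_reason(a, b)
        if reason:
            ds.union(a["id"], b["id"])
            edges[(a["id"], b["id"])] = reason
    groups = defaultdict(list)
    for p in panels:
        groups[ds.find(p["id"])].append(p["id"])
    return sorted(sorted(g) for g in groups.values()), edges


if __name__ == "__main__":
    clusters, edges = cluster_panels(PANELS)
    for members in clusters:
        print("cluster:", members)
    for pair, reason in edges.items():
        print(pair, reason)
```

Transitive links are what make the method useful: p1 and p3 share nothing directly, yet they land in one cluster through p2, which is how a tracking system grows from one panel to an actor's whole infrastructure; the edges dict keeps each hop explainable when the cluster has to be defended.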