Shooting Elephants
Big Game Hunter
Marion Marschalek
@pinkflawd
Cyphort Inc.
http://en.wikipedia.org/wiki/File:Lara_Croft_%282013%29.png
DIGGING in other people's underwear.
TIME
[Timeline graphic, axis labels: 2009 | 2011 | 2014 | ?]
TFC
NBOT
NGBD
Watering hole on website of Syrian ministry of justice
Spear phishing with a PDF 0-day
DDoS, plugins & what not
Babar Superstar
TFC.. NBOT.. NGBD.. Nwot?
• Lots of code sharing
• Lots of shouty capitals
• DDoS bots
• Plugin platforms & Reconnaissance
Building botnets with plain binaries. U serious?
Bunny
Lua + C/Invoke
• Lua interpreter to be embedded into C
• Instrumentation of C code
[Diagram: Script / Thread (three of each), Lua Interpreter]
Bunny Evasion
• Searching for.. Sandboxes?
• AV enumeration for 'special treatment'
• Compile my breath away
Bunny Evasion
• Searching for.. Sandboxes?
Bitdefender
Kaspersky
Also Kaspersky:
lstcvix.exe
tudib.exe
izmdmv.exe
ubgncn.exe
jidgdsp.exe
evabgzib.exe
qzqjafyt.exe
cnyporqb.exe
...
U serious?
Bunny Evasion
• AV enumeration for 'special treatment'
• Identification of AVs through querying of WMI
Inject to existing svchost
Create new svchost and inject there
Compile my Breath away
Obfuscation by compiler
• 52 HeapAlloc wrappers
• ~100 memcpy wrappers
• > 3000 string constants
50 Shades Of Grey
Babar
PET (Persistent Elephant Threat)
• Stealing all the things
  • Keylogging, screenshots, audio captures, clipboard data, what-not.
• Via local instance or through:
  • hooking APIs in remote processes
  • after invading them via global Windows hooks
Hiding in plain sight
Modus Operandi Elephanti
[Diagram: Regsvr32.exe -> BabarDLL; Main instance, Child instances, Process of interest; Named Pipes; Global Windows hook for WH_KEYBOARD / WH_GETMESSAGE; API hooking with trampoline functions; Data dump module, Keylogger, Clipboard snooping, Other stuffz; List of process names from config]
Rooootkittykittykitty
Internet communication | File creation | Audio streams
[Diagram (Detours): before hooking, Source Function -> Target Function; after hooking, Source Function -> Detour Function -> Trampoline Function -> Target Function]
http://research.microsoft.com/en-us/projects/detours/
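The detour/trampoline shape in the diagram also gives the defender's check: a hooked function's first instruction jumps out of its own module, while the trampoline keeps the displaced original bytes. The following is an added example in C, not code from the talk or from the Detours project; it assumes x86/x64 little-endian code and uses a constructed 64-byte module image, base address and entry list.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A module as a hook scanner sees it: a copy of the mapped bytes plus the
 * address it was loaded at. The image used further down is constructed. */
typedef struct {
    uint64_t base;   /* load address of the module */
    uint8_t *image;  /* copy of the module bytes */
    size_t size;
} module_view;

typedef enum {
    PROLOGUE_CLEAN = 0,       /* no control transfer at the entry point */
    PROLOGUE_JMP_INSIDE = 1,  /* jump, but it stays within the module */
    PROLOGUE_JMP_OUTSIDE = 2  /* jump leaves the module: detour suspect */
} prologue_verdict;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }
static int in_module(const module_view *m, uint64_t addr, size_t need) {
    return addr >= m->base && addr + need <= m->base + m->size;
}

/* Classify the first bytes of the function at func_addr. Recognised forms:
 *   E9 rel32            jmp rel32                 (x86 / x64)
 *   FF 25 disp32        jmp [rip+disp32]          (x64, through a pointer slot)
 *   68 imm32 C3         push imm32 ; ret          (x86)
 *   48 B8 imm64 FF E0   mov rax, imm64 ; jmp rax  (x64)
 * An entry that jumps out of its own module is the shape an inline detour
 * leaves behind. *target receives the resolved destination (or the slot
 * address when the pointer slot itself lies outside the module). */
prologue_verdict classify_prologue(const module_view *m, uint64_t func_addr, uint64_t *target) {
    if (!in_module(m, func_addr, 1)) return PROLOGUE_CLEAN;
    const uint8_t *p = m->image + (func_addr - m->base);
    size_t avail = m->size - (size_t)(func_addr - m->base);
    uint64_t dest;
    if (avail >= 5 && p[0] == 0xE9) {
        dest = func_addr + 5 + (int64_t)(int32_t)rd32(p + 1);
    } else if (avail >= 6 && p[0] == 0xFF && p[1] == 0x25) {
        uint64_t slot = func_addr + 6 + (int64_t)(int32_t)rd32(p + 2);
        if (!in_module(m, slot, 8)) { *target = slot; return PROLOGUE_JMP_OUTSIDE; }
        dest = rd64(m->image + (slot - m->base));
    } else if (avail >= 6 && p[0] == 0x68 && p[5] == 0xC3) {
        dest = rd32(p + 1);
    } else if (avail >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) {
        dest = rd64(p + 2);
    } else {
        return PROLOGUE_CLEAN;
    }
    *target = dest;
    return in_module(m, dest, 1) ? PROLOGUE_JMP_INSIDE : PROLOGUE_JMP_OUTSIDE;
}

/* Constructed 64-byte "module" at 0x10000000 with four function entries:
 *   +0x00 push ebp ; mov ebp, esp      ordinary prologue
 *   +0x10 jmp rel32 -> 0x7FFE0000      detoured: leaves the module
 *   +0x20 jmp rel32 -> base+0x08       local jump, stays inside
 *   +0x30 jmp [rip+2], slot at +0x38   detoured: slot points outside */
static uint8_t g_image[64];
static const uint64_t g_entries[4] = { 0x10000000ULL, 0x10000010ULL, 0x10000020ULL, 0x10000030ULL };
static void put_jmp_rel32(uint8_t *img, uint64_t base, size_t off, uint64_t dest) {
    img[off] = 0xE9;
    wr32(img + off + 1, (uint32_t)(dest - (base + off + 5)));  /* wraps to a signed rel32 */
}
module_view sample_module(void) {
    module_view m = { 0x10000000ULL, g_image, sizeof g_image };
    memset(g_image, 0xCC, sizeof g_image);                 /* int3 filler between entries */
    g_image[0x00] = 0x55; g_image[0x01] = 0x8B; g_image[0x02] = 0xEC;
    put_jmp_rel32(g_image, m.base, 0x10, 0x7FFE0000ULL);
    put_jmp_rel32(g_image, m.base, 0x20, m.base + 0x08);
    g_image[0x30] = 0xFF; g_image[0x31] = 0x25; wr32(g_image + 0x32, 2);
    wr64(g_image + 0x38, 0x00007FFD12340000ULL);
    return m;
}

/* Verdict and resolved destination for sample entry idx (0..3). */
int sample_verdict(size_t idx) {
    uint64_t t = 0; module_view m = sample_module();
    return (int)classify_prologue(&m, g_entries[idx], &t);
}
uint64_t sample_target(size_t idx) {
    uint64_t t = 0; module_view m = sample_module();
    classify_prologue(&m, g_entries[idx], &t);
    return t;
}
```

A real scan walks the export table of each loaded module and compares the in-memory entry bytes against the on-disk image; the classifier above is the per-entry decision, and a jump that lands inside the same module (entry 2) is a normal thunk, not a hook.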
Stolen Goods
• http://www.codeproject.com/Articles/297312/Minimal-Key-Logger-using-RAWINPUT
• http://www.codeproject.com/Articles/332109/AMR-Audio-Encoding
Reversing Casper
• Reconnaissance malware
• AV 'strategies'
• Spooking in Syria
http://www.mycomicshop.com/search?IVGroupID=22688789
Binary handwriting?
Any attribute can be faked.
Question is, how many attributes can be faked.
Approach: Collect as many attributes as possible .... from different domains .... and rely on the adversary not having been genius enough to fake them all.
Bugs
Oh mon dieu.
Proxy Bypass
Hint.. https://developer.chrome.com/extensions/proxy
Stealth FTW
• Babar starts up using regsvr32.exe process for loading payload
• Process remains running, when rootkit has looong disappeared
Crash me, if you can
• NBOT dropper crashes with a STATUS_SHARING_VIOLATION 0xC0000043 on CreateFile of own binary
• A file cannot be opened because the share access flags are incompatible.
Bug & Feature & Bug
• Bunny dropper won't invoke its payload
• Does not delete dropper either
• Bypasses sandboxes, but leaves unnecessary artifacts lying around
STUXNET-O-METER
[Meter graphic: Stuxnet ... NBOT, TFC, Bunny, Babar, Casper]
“To people who ask me to compare the complexity of #Regin and #Babar, keep in mind that a Peugeot is enough for the day-to-day life ;)” – Paul Rascagnères
Attribution is hard.
A cyberwarfare tale on nuclear matters
Cartoons allegedly originate from France, main suspect is DGSE
Linked by document from CSEC
Iran as main target
Other victims in Syria, Norway, Canada
.. and Mr. Brown said [abt. Iran not meeting international demands], “The international community has no choice today but to draw a line in the sand.” – NYT, Sep.2009
A blog by Matt Suiche
MILKFROTH PANDA !
New Crowdstrike report? - Halvar Flake
A Warm-Hearted Thank You to
Joan Calvet
Paul Rascagnères
Morgan Marquis-Boire
Sebastien Larinier
Matthieu Suiche
Michael Shalyt
Alexandre Dulaunoy
Raphaël Vinot
Fred Arbogast
Further Reading
• Babar Reversed https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/
• Bunny Reversed https://drive.google.com/file/d/0B9Mrr-en8FX4M2lXN1B4eElHcE0/view?usp=sharing
• Casper Reversed by Joan Calvet http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/
• Blog on Babar http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/
• Linking the Cartoon Malware to CSEC slides by Paul Rascagnères https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html
• Slides 'TS/NOFORN' at Hack.lu2015 http://2014.hack.lu/archive/2014/TSNOFORN.pdf
• Slides on Snowglobe from CSEC http://www.spiegel.de/media/media-35683.pdf and http://www.spiegel.de/media/media-35688.pdf
• A cyberwarfare tale on nuclear matters by Matt Suiche http://www.msuiche.net/2015/03/09/did-alleged-dgse-used-stackoverflow-like-to-write-their-malwares/
• Animal Farm https://securelist.com/blog/research/69114/animals-in-the-apt-farm/
Hashes
Marion Marschalek
@pinkflawd
Cyphort Inc.