Malware is becoming more and more complex. In this talk, presented with Jean-Pierre Lesueur at School 42, we explained the business model behind malware and provided an understanding of the malware threat.
42 - Malware - Understand the Threat and How to Respond
1. Malware
Understanding the Malware Threat and How to Respond
Jean-Pierre LESUEUR
Full Stack Developer x IT Security Researcher
Thomas ROCCIA
Security Researcher, Advanced Threat Research at McAfee
@DarkCoderSc @fr0gger_
3. What is a Malware?
Malware Introduction to Malware – Focus on Remote Administration Tool Family
An introduction to Malicious Software
4. What is a Malware? – Malware Families
Different families of Malware:
• Virus, Worm
• Dropper, File Binder / Wrapper / Crypter, Downloader
• Trojan Backdoor
• Remote Administration Tools (RAT)
• HTTP Botnet
• Scareware / Rogue
• Ransomware
• Stealer (Password and/or Files)
• Spyware, Adware
• CoinMiners
• Rootkit / Bootkit
5. What is a Malware? – Who and why
# Who is behind?
Grey-hat, Black-hat
# Who uses them and why?
• Script Kiddies
• Criminal Organizations
• Governments
• Terrorism
• IT Security Researchers
6. What is a Malware? – Malware Economy
# Criminals are making money with their creations
# Using them to steal data
# Selling them to other criminals
# Creating business models such as Malware as a Service
7. What is a Malware? – Malware Economy
# Ransomware as a Service
Source: https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/
8. What is a Malware? – Malware Economy
# Exploit kits
Source: https://www.mcafee.com/threat-center/threat-landscape-dashboard/
9. What is a Malware? – Malware Attribution
# Malware is developed by humans
# Many techniques can lead to attribution:
• PDB Path
• Strings
• Code comparison
• Tools used
• Operating method
• Timestamp
• Infrastructure reuse
10. What is a Malware? – Malware Attribution
Attribution can be faked!
12. Malware Techniques – Infection Vectors
• Media: USB keys, CD/DVD, (External) Hard Drives
• Social Networks: Facebook, Twitter, Google+, YouTube / Dailymotion, Instagram etc.
• Websites: Phishing, Distributed Software, Vulnerabilities (JAVA, Flash, Web-browser)
• Exploits: Local Exploits, Remote Exploits, Physical Exploits
• Network Sharing: P2P Software (Torrent, Emule), Network files (NAS, FTP)
• Email: Phishing, attachments
13. Malware Techniques – Infection Vectors
# Supply Chain Attack
• Third Party Infected Download
• Trojanised Software
Source: https://www.youtube.com/watch?v=tX0v-rMcuwc
14. Malware Techniques – Persistence
# To survive a reboot, malware needs to be persistent on the infected machine.
# Registry RUN keys
# Task Scheduler
# Windows Services
# AppInit_DLLs
# COM Hijacking
# Bootkit
15. Malware Techniques – Persistence
# Registry RUN Keys
# Emotet Malware Example
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
16. Malware Techniques – Persistence
# The Task Scheduler can be used to run tasks | NotPetya
• at <time> shutdown.exe /r /f
• schtasks /create /SC once /TN "" /TR shutdown.exe /r /f /ST <time>
17. Malware Techniques – Persistence
# Bootkit
18. Malware Techniques – Privilege Escalation
# Malware needs to elevate privileges to perform its actions, e.g. to access sensitive data to steal/modify/encrypt it.
# Token Manipulation
# Bypass User Account Control (UAC)
# Vulnerability Exploitation
# Hooking
# Credential Dumping
# Many more
19. Malware Techniques – Privilege Escalation
# Token Manipulation | Teslacrypt
20. Malware Techniques – Privilege Escalation
# UAC Bypass | Operation HoneyBee
cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
# The macro extracts the CAB file into %SystemRoot%\System32, using either wusa.exe or expand.exe (depending on the OS) to bypass UAC prompts
# Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections)
Source: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
21. Malware Techniques – Privilege Escalation
# Vulnerability Exploitation | WannaCry - EternalBlue
# EternalBlue vulnerability from Equation Group (MS17-010) – Kernel Exploit
# Used to spread on the network but also to obtain SYSTEM privileges
https://www.slideshare.net/ThomasRoccia | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
22. Malware Techniques – Privilege Escalation
# Credential Dumping | Olympic Destroyer
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
23. Malware Techniques – Evasion Techniques
# Malware uses evasion techniques to avoid detection and analysis
https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques
• Packer/Binder/Crypter: Compress/Encrypt, IAT Protect, Code Virtualizing
• Process Injection: Process Hollowing, DLL Injection, Process Doppelganging
• Sandbox Evasion: VM Artifacts, x86 Instructions, Sleep, Running Processes
• Anti-Virus Evasion: Disabling AV, File Size, Injection
• Obfuscation: Base64, XOR, Encryption, Hash, Custom
• Anti-Debugging: Windows API, Timing Check, Debugger Detection
• Anti-Forensic: Melting, File-less, Wiper, Removal
24. Malware Techniques – Evasion Techniques
# Packers
https://securingtomorrow.mcafee.com/technical-how-to/malware-packers-use-tricks-avoid-analysis-detection/
25. Malware Techniques – Evasion Techniques
# Process Hollowing | Zcrypt Ransomware
26. Malware Techniques – Evasion Techniques
# Antivirus Detection | Pinkslipbot
27. Malware Techniques – Evasion Techniques
# Virtual Machine Detection | Pinkslipbot
28. Malware Techniques – Evasion Techniques
# Unprotect Project | Malware Evasion Trick Database
Unprotect.tdgt.org
29. Malware Techniques – Command & Control
# Malware needs to communicate with its C&C
# Infected machines controlled by the same C&C are called a Botnet
# Malware uses the C&C to:
• Receive commands
• Exfiltrate/download data
• Get the encryption key (Ransomware) or interact to pay the ransom
30. Malware Techniques – Command & Control
# Fast-Flux communication
• One domain has multiple IP addresses
• Every 3 minutes or more, the host name points to another machine
• Infected machines can serve as proxies
https://commons.wikimedia.org/wiki/File:Single_und_double_flux.png
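As an added example (not from the talk), the Python below applies the fast-flux indicators just described to constructed passive-DNS log lines: a domain is flagged when, within a time window, it rotates through many distinct addresses while only advertising short TTLs, whereas a long-lived record and a small round-robin pool are left alone. The log format, domain names, addresses and thresholds are made up for this example.

```python
import re
from collections import defaultdict

# Constructed passive-DNS log lines (sample data for this example, not from the talk).
# Format per line: "<epoch_seconds> <query_name> A <answer_ip> ttl=<seconds>"
SAMPLE_DNS_LOG = """\
1000 cdn.fluxy.test A 203.0.113.10 ttl=180
1180 cdn.fluxy.test A 198.51.100.22 ttl=180
1360 cdn.fluxy.test A 192.0.2.77 ttl=180
1540 cdn.fluxy.test A 203.0.113.201 ttl=180
1720 cdn.fluxy.test A 198.51.100.9 ttl=180
1900 cdn.fluxy.test A 192.0.2.150 ttl=180
1000 www.static.test A 203.0.113.5 ttl=86400
1800 www.static.test A 203.0.113.5 ttl=86400
1000 lb.round-robin.test A 198.51.100.1 ttl=60
1060 lb.round-robin.test A 198.51.100.2 ttl=60
1120 lb.round-robin.test A 198.51.100.1 ttl=60
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+A\s+(\S+)\s+ttl=(\d+)$")


def parse_dns_log(text):
    """Parse log lines into (ts, qname, ip, ttl) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, qname, ip, ttl = m.groups()
            records.append((int(ts), qname.lower().rstrip("."), ip, int(ttl)))
    return records


def fast_flux_candidates(records, min_ips=5, max_ttl=300, window=3600):
    """Flag domains that, within `window` seconds of first being seen, resolve to
    at least `min_ips` distinct addresses and never advertise a TTL above `max_ttl`.
    A small round-robin pool or a long-lived A record stays below the threshold."""
    by_domain = defaultdict(list)
    for ts, qname, ip, ttl in records:
        by_domain[qname].append((ts, ip, ttl))
    flagged = {}
    for qname, obs in by_domain.items():
        obs.sort()
        first_ts = obs[0][0]
        in_window = [o for o in obs if o[0] - first_ts <= window]
        ips = {ip for _, ip, _ in in_window}
        if len(ips) >= min_ips and max(ttl for _, _, ttl in in_window) <= max_ttl:
            flagged[qname] = sorted(ips)
    return flagged
```

Thresholds depend on the environment: CDNs legitimately use low TTLs, so the distinct-address count over the window, not the TTL alone, is what separates the flux domain from the others here.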
31. Malware Techniques – Command & Control
# Domain Generation Algorithm
• Connection to multiple domains
• Many domains can be generated by the sample
• Attackers can activate one of several servers to allow communication
• The Conficker worm used this technique
https://www.senet-int.com/blog/2013/09/malware-domain-generation-algorithm-dga
32. Malware Techniques – More Information
# MITRE ATT&CK Matrix | https://attack.mitre.org
38. RAT Introduction – What is a Remote Administration Tool
A RAT is a Malware Framework designed to take control of a remote system. It combines several of the families seen earlier:
• Trojan Backdoor
• Botnets
• File Binder / Wrapper, Downloader
• Stealer
• Spyware
• Crypter
• Worms
Commonly offered remote control modules:
• Remote Desktop Streaming
• Remote Webcam Streaming
• Remote Ambient Sound Streaming (Microphone)
• Keylogger
• Password Grabber
• System Management
• File System Management
41. RAT Business Model
One shot: the product owner receives a one-time payment and gives the different application parts in exchange.
Monthly, Yearly, Version: the product owner could also decide to rent his Malware with a time-limited subscription.
Extra Services:
• FUD / UD
• Support
• Pay per install
• Extra Modules
• Training
• Open Source Access
42. RAT Business Model – Payment methods
• Liberty Reserve: online banking system
• Western Union: cash deposit service
• PayPal: ease of use
• Crypto-currency: Bitcoin, Monero, Ethereum
43. RAT – Identify the different parts of the Framework
• C&C: graphical application used to take control of the machines infected by the Malware
• Stub Editor: graphical application designed to configure the Malware
• Stub: the Malware itself (.exe, .js, .bat, .py, .pdf, .docx)
44. RAT Network Protocol
• Client / Server based architecture
• The Malware coder can create a custom protocol
• They can also use an existing protocol (HTTP Botnet)
• To evade detection, cryptography can be used
45. RAT Network Models – Mode 1: Direct Connection
• C&C – Client: Connect(89.27.25.120), out port (TCP/UDP) > 1403
• Internet (Cloud)
• Stub – Server: Listen(1403), in port (TCP/UDP) > 1403
46. RAT Network Models – Mode 2: Reverse Connection
• C&C – Client: Listen(1403), in port (TCP/UDP) > 1403
• Internet (Cloud)
• Stub – Client: Connect(45.25.142.32), out port (TCP/UDP) > 1403
47. RAT Network Models – Mode 3: Hybrid (Direct and/or Reverse)
• Mode 1 (direct connection: C&C connects to the listening Stub) AND / OR Mode 2 (reverse connection: Stub connects to the listening C&C)
48. RAT Network Models – P2P (Peer to Peer)
49. RAT Network Protocol – Example of communication system
Diagram (threads on each side of the connection):
Server (C&C) side:
• Main Thread + Listener Thread (Server): New Client / Closed Client
• Management Thread: Receive Plain / Text
• Receive Buffer Thread: Process List, File List, Reverse shell stdout buffer, Webcam Streaming, Desktop Streaming, File Transfer
Client (Stub) side:
• Main Thread + Connection Attempt to C&C routine Thread
• New Server + Command Parser and Dispatcher Thread: Process List, File List
• Remote Desktop Thread
52. RAT Network Protocol – Use case: Basic File Transfer
Exchange between the C&C and the infected system:
1. C&C → Infected system: filesystem;c:\
2. Infected system → C&C: filesystem;c:\windows,c:\users,c:\Program Files,c:\Program Files (x86)|c:\file.pdf,c:\file2.png...
3. C&C → Infected system: downloadfile;c:\file.pdf
4. Infected system → C&C: downloadfile;c:\file.pdf,10240
5. C&C → Infected system: OK
6. Infected system → C&C: CHUNK 1, CHUNK 2, ... CHUNK N
file size / packet size = number of packets required for a file transfer
56. RAT Payload Configuration
• The payload configuration contains important information about how to contact the C&C:
  • IP address(es) / Domain Name pointing to IP address(es)
  • Communication Port(s)
• It also contains other important configuration elements such as:
  • Persistence information (Startup, Process, File)
  • Anti-analysis functions (Anti-VM, Anti-Debugger etc.)
  • Encryption key (symmetric)
  • C&C public key for asymmetric traffic encryption (Asymmetric)
  • Optional file downloader (if a dropper module is available and enabled)
  • Embedded files (File Binder / Wrapper)
  • Fake error messages / events (Open other process)
  • Etc.
57. RAT Payload Configuration
• Multiple ways exist to store the configuration inside the Stub:
  • PE Resources Section
  • PE Custom Section
  • EOF (End Of File)
• As with network communication, the configuration can be in any format:
  • Plaintext: CSV, JSON, XML
  • Byte-encoded structures
• Some Malware encrypts the configuration to hide sensitive data
58. RAT Payload Configuration – PE (Portable Executable) Resources
Diagram of the PE layout: DOS Header, DOS Segment, PE Header, Section Tables, Section 1 … Section N.
The .rsrc (Resource Section) holds: Icon, Version Info, Bitmaps, Custom Resources, Window Resources (Dialogs).
* Related Win32 APIs: LockResource, LoadResource, UpdateResource, SizeofResource…
59. RAT Payload Configuration – PE (Portable Executable) Sections
Diagram of the PE layout: DOS Header, DOS Segment, PE Header, Section Tables, Section 1 … Section N, Custom Section (at 0x000FF12A).
Section Tables: add a new section entry
  Section Address: 0x000FF12A
  Size of section: N Bytes
  Name of section: malconf
Explore PE Header and Sections (PE-bear)
Configuration content: JSON / CSV / Structures etc.
  {
    "cncaddr": [
      "127.0.0.1",
      "192.168.0.11",
      "89.214.25.111",
      "lamer.no-ip.org",
      "lamer2.dyndns.org"
    ],
    "startup": {
      "enabled": true,
      "name": "svchost.exe"
    }
    [...]
  }
60. RAT Payload Configuration – EOF (End of File)
The payload configuration is simply appended at the end of the application file.
Appending content at the end of an application file doesn't corrupt the application itself, since the appended bytes are outside the scope defined by the PE structure (SizeOfImage attribute defined in the PE Header > IMAGE_OPTIONAL_HEADER).
Most Antivirus products detect such behavior by comparing the size of the image (SizeOfImage) from the PE Header with the file size.
Example (Pascal/Delphi)
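As an added example (not from the talk and not the authors' Delphi code), the Python below builds a constructed minimal PE32 file, locates any overlay appended after the last section, and decodes a JSON configuration of the shape shown on slide 59. It uses the end of the last section's raw data (PointerToRawData + SizeOfRawData) as the on-disk boundary, since that is the last byte the loader reads from the file; SizeOfImage describes the mapped image in memory. The sample PE, its section layout and the configuration values are made up for this example.

```python
import json
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal PE32 file (sample data for this example, not a real
    program): headers padded to 0x200, one .text section, then `overlay`."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")           # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    text = SECTION_HDR.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + text).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + overlay


def find_overlay(data: bytes) -> bytes:
    """Return the bytes stored past the last section's raw data (b"" if none).

    The loader reads each section from PointerToRawData for SizeOfRawData bytes;
    anything after max(PointerToRawData + SizeOfRawData) is never mapped, which
    is why appended data does not break the program and where to look for it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    end = table + nsections * SECTION_HDR.size       # at least the header area
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HDR.size + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]


def extract_json_config(data: bytes):
    """Decode a plaintext JSON configuration from the overlay; None if absent or invalid."""
    overlay = find_overlay(data).rstrip(b"\0")
    try:
        return json.loads(overlay.decode("utf-8")) if overlay else None
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed configuration in the JSON shape shown on slide 59 (not a real sample).
SAMPLE_CONFIG = {"cncaddr": ["192.0.2.11", "c2.example.invalid"],
                 "startup": {"enabled": True, "name": "svchost.exe"}}
SAMPLE_CONFIG_BYTES = json.dumps(SAMPLE_CONFIG).encode("utf-8")
```

A non-empty overlay is a triage signal, not proof of anything: legitimate installers and signed binaries also carry overlays (Authenticode signatures live there), so the content has to be inspected.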
62. RAT Infection Process – An example of timeline
Flow chart (steps and decision points as shown on the slide):
• Malware Execution
• Anti-VM: Detected? Yes → Exit Process; No → continue
• Create Mutex: Exists? Yes → Exit Process; No → continue
• Installed? No → Copy to destination location, Register location to startup, Extract embedded files, Download / Execute, Initialize Melting (ping + timeout, delete original copy, run installed copy)
• Installed? Yes → Inject code into a legitimate process (Explorer.exe ; Iexplore.exe ; firefox.exe)
• Establish a connection to C&C
64. Conclusion
# Malware is becoming more and more complex
# The security industry and researchers are developing new techniques to fight advanced threats
# Understanding the concepts behind malware can help to stay protected
65. Thank You
Jean-Pierre LESUEUR
Full Stack Developer x IT Security Researcher
@DarkCoderSc
Thomas ROCCIA
Security Researcher, Advanced Threat Research at McAfee
@fr0gger_
Q/A