Abusing third-party cloud services in targeted attacks
Daniel Lunghi (@thehellu), Jaromir Horejsi (@JaromirHorejsi)
October 02, 2019, Virus Bulletin, London, UK
© 2019 Trend Micro Inc.2
Outline
• Introduction
• General comparison of two malware infrastructures
  • Custom
  • Cloud based
• Selected APT cases
  • Presentation of the malware operation
  • Advantages and disadvantages from an attacker perspective
• Conclusion
Introduction
• Cloud services abuse is not something new
  • “C&C-as-a-Service” presentation at VB in 2015
• This talk focuses on cloud abuse in the context of targeted attacks that we investigated
• Goals:
  • Show different real implementations of cloud abuse
  • Find how, as defenders, we can leverage this setup to our advantage
Custom malware infrastructure
• Developed and maintained by threat actor
• Costly
  • Domain name(s), server(s) hosting, data storage, bandwidth …
• Time consuming
  • Design, implementation and testing of the communication protocol
  • Installation and maintenance of the C&C server(s)
Custom malware infrastructure
• Disadvantages
  • Easier to monitor/block/sinkhole/seize
  • Higher probability of flaws in the communication protocol
  • Difficult to assess the reliability in real conditions
• Advantage
  • You choose to implement whatever funny idea you like
Cloud malware infrastructure
• Advantages
  • Developed, maintained and operated by knowledgeable third party
  • Cheaper (often free)
  • API
  • Higher reliability
  • Harder to block/monitor/seize
• Disadvantage
  • Constrained by the features the cloud services provide
Selected APT cases
Patchwork
Known targeted countries
Patchwork – Badnews
• “Badnews” backdoor
• A mix of both alternatives
1. HTTPS GET request
2. Encrypted C&C
3. Connect to C&C
Patchwork – Badnews
• Hardcoded and encoded (sub 0x01) URL addresses
Patchwork – Badnews
• Examples of encoded configuration
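As an added illustration (not code from the talk, nor from the Badnews sample itself), the decoder below undoes the “sub 0x01” string encoding described on these slides and scans a blob for NUL-separated strings that decode to URLs. That is how an analyst pulls the hardcoded C&C references out of a sample statically, without executing it. The blob, the URLs inside it and the NUL-separated layout are constructed for the example; the encoding is taken from the slide as “every byte decremented by one”, so decoding adds one.

```python
import re
from typing import List, Tuple

URL_RE = re.compile(rb"^https?://[\x21-\x7e]+$")


def decode_sub1(data: bytes) -> bytes:
    """Undo the 'sub 0x01' encoding from the slide: add one to every byte (mod 256)."""
    return bytes((b + 1) & 0xFF for b in data)


def encode_sub1(data: bytes) -> bytes:
    """Inverse of decode_sub1; used only to build the constructed sample below."""
    return bytes((b - 1) & 0xFF for b in data)


# Constructed sample blob (not from a real sample): two encoded URLs in a
# NUL-separated string table, surrounded by filler that must not decode to a URL.
SAMPLE_BLOB = (
    b"\x00MZ\x90junk\x00"
    + encode_sub1(b"https://example.invalid/feed.php")
    + b"\x00\x00"
    + encode_sub1(b"http://203.0.113.10/x.php")
    + b"\x00plain text that is not encoded\x00"
)


def find_encoded_urls(blob: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """Walk the NUL-separated runs, decode each one, keep those that become a URL.

    Returns (offset, decoded_url) pairs so the analyst can go back to the
    sample and inspect the configuration around the string.
    """
    found = []
    offset = 0
    for chunk in blob.split(b"\x00"):
        if len(chunk) >= min_len:
            decoded = decode_sub1(chunk)
            if URL_RE.match(decoded):
                found.append((offset, decoded.decode("ascii")))
        offset += len(chunk) + 1  # skip the NUL separator
    return found


if __name__ == "__main__":
    for off, url in find_encoded_urls(SAMPLE_BLOB):
        print(f"0x{off:04x}  {url}")
```

The URL filter is what makes this usable on a whole binary: plain strings decode to garbage and are dropped, so only the encoded configuration strings survive.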
Patchwork – Badnews
• Encryption uses XOR & ROL
• Versions after November 2017 added a layer of Blowfish encryption
• C&C is usually a PHP script hosted on a web server without a domain name
Patchwork – Badnews
(Slide figure labels: rp3f.strangled.net, 185.29.11.59)
Confucius
Known targeted countries
Confucius – Swissknife
• “Swissknife” stealer
• Uses Dropbox API to upload documents with selected extensions (.pdf, .doc, .docx, .ppt, .pptx, .xls, and .xlsx)
  • HTTPS POST request
  • API key in “Authorization” header
Confucius – Swissknife
• API key in decompiled code
Confucius – Swissknife
• File downloader in Python using Dropbox API
Confucius – Swissknife
• Enumerating the deleted files
Confucius – Swissknife
• Enumerating the deleted folders
Confucius – pCloud
• “pCloud” stealer
• Uses pCloud API to upload documents with selected extensions (.pdf, .doc, .docx, .ppt, .pptx, .xls, and .xlsx)
  • HTTPS POST request
  • Embeds login/password
Confucius – pCloud
• Using pCloud API to list files
Confucius – pCloud
• Content from attacker’s machine
Confucius – TweetyChat
• “TweetyChat”, backdoored Android chat application
1. Register to C&C
2. Send commands (awsAccessKey/awsSecretKey: update AWS credentials)
3. Upload stolen files: SMS, contacts, call logs
Confucius – TweetyChat
• awsAccessKey and awsSecretKey are not hardcoded
• AWS keys are updated through Google Cloud Messaging platform (Firebase Cloud Messaging in newer versions)
Confucius – TweetyChat
• Google Cloud / Firebase message receiver
• Calling PutObjectRequest to “upload a new object to the specified Amazon S3 bucket”
Confucius – TweetyChat
• As usual, operators test the malware on their own devices…
MuddyWater
Known targeted countries
MuddyWater – CloudSTATS
• “CloudSTATS” backdoor
1. Register: put “.reg” file
2. Send command: put “.cmd” file
3. Read command
4. Send command results: put encoded “.res” file
MuddyWater – CloudSTATS
• Hardcoded API keys
• Check existing folder/victim
MuddyWater – CloudSTATS
• Asynchronous C&C communication
• Files with extensions (cmd, reg, prc, res)
MuddyWater – CloudSTATS
• .reg file
• .res file
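Added example, not code from the talk or from CloudSTATS: given a listing of the abused cloud storage account, reconstruct each victim's exchange from the file extensions named on these slides (“.reg” to register, “.cmd” for a command, “.res” for an encoded result; “.prc” is listed in the talk but not explained on these slides, so it is only counted). The one-folder-per-victim layout, the file names and the timestamps are all assumptions constructed for the example, not observations from the case.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed listing (not a real capture): (upload time, path in the account).
# Assumed layout: one folder per victim, files named with the slide's extensions.
SAMPLE_LISTING = [
    ("2019-05-01T08:00:00Z", "WS-01/WS-01.reg"),
    ("2019-05-01T08:05:00Z", "WS-01/1.cmd"),
    ("2019-05-01T08:06:00Z", "WS-01/1.prc"),
    ("2019-05-01T08:07:00Z", "WS-01/1.res"),
    ("2019-05-01T09:00:00Z", "WS-01/2.cmd"),
    ("2019-05-01T08:30:00Z", "LAPTOP-7/LAPTOP-7.reg"),
    ("2019-05-01T08:31:00Z", "LAPTOP-7/notes.txt"),
]

KNOWN_EXTS = {"cmd", "reg", "prc", "res"}


def parse_listing(listing: List[Tuple[str, str]]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group entries by victim folder and sort each victim's files by upload time."""
    by_victim: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, path in listing:
        folder, _, name = path.partition("/")
        if not name or "." not in name:
            continue  # not a per-victim file, ignore
        ext = name.rsplit(".", 1)[1].lower()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_victim[folder].append((when, ext))
    return {victim: sorted(events) for victim, events in by_victim.items()}


def session_state(events: List[Tuple[datetime, str]]) -> Dict[str, object]:
    """Replay one victim's files in order and summarise where the exchange stands.

    'pending' is True when a .cmd was dropped after the last .res, i.e. the
    operator issued a command the implant has not answered yet.
    """
    state = {"registered": False, "commands": 0, "results": 0, "pending": False, "unknown": 0}
    for _, ext in events:
        if ext == "reg":
            state["registered"] = True
        elif ext == "cmd":
            state["commands"] += 1
            state["pending"] = True
        elif ext == "res":
            state["results"] += 1
            state["pending"] = False
        elif ext not in KNOWN_EXTS:
            state["unknown"] += 1  # file the protocol does not account for
    return state


def summarise(listing: List[Tuple[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per-victim summary of the whole account listing."""
    return {victim: session_state(events) for victim, events in parse_listing(listing).items()}


if __name__ == "__main__":
    for victim, state in summarise(SAMPLE_LISTING).items():
        print(victim, state)
```

Because the channel is asynchronous, the timestamps of the `.cmd` and `.res` pairs also give a rough operator activity timeline, and an `unknown` count above zero is worth a look: files outside the protocol are either operator tooling or a different victim build.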
MuddyWater – Telegram
• Android mobile app, Telegram exfiltration
1. Register to C&C
2. Send commands (BotID & ChatID)
3. Upload stolen information
MuddyWater – Telegram
• .com.telegram.readto.client.ProcessCommand
MuddyWater – Telegram
• Timer sending all data once a day
• Code for exfiltrating all system information
MuddyWater – Telegram
• Metadata of the Telegram account
SLUB
Country of interest
SLUB v1
HTTPS request: check for commands
HTTPS request: send results
HTTPS request: send stolen files
SLUB v1
• Malware delivered via waterholing of websites related to North Korea
• Read gist snippet for commands to execute
• ^ and $ encapsulate active commands
SLUB v1/v2
• Hardcoded Slack token
• Slack token’s OAuth scopes
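Several cases in this talk turn on a credential found in the sample (the Dropbox API key in the Swissknife decompilation, the hardcoded keys in CloudSTATS, the Slack token here). As an added example, not code from the talk or from any of the samples, the scanner below pulls printable strings out of a binary and matches the publicly documented shapes of Slack tokens and AWS access key IDs, so the credential can be reported to the provider and used as an indicator. Dropbox and pCloud credentials have no fixed prefix and are deliberately not matched. The sample bytes are constructed; the AWS key ID is the one from the AWS documentation examples, not a real key.

```python
import re
from typing import Dict, List, Tuple

# Publicly documented token shapes. Slack tokens carry an xoxb-/xoxp-/xoxa-
# prefix and dash-separated segments; AWS access key IDs are "AKIA" + 16
# upper-case alphanumerics. Patterns are on bytes so they run on raw samples.
TOKEN_PATTERNS = {
    "slack_token": re.compile(rb"\bxox[abp]-[0-9A-Za-z]+(?:-[0-9A-Za-z]+){1,3}"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(data: bytes) -> List[Tuple[int, bytes]]:
    """Like the `strings` tool: (offset, run) for every printable ASCII run of 6+ bytes."""
    return [(m.start(), m.group()) for m in PRINTABLE_RUN.finditer(data)]


def redact(token: str) -> str:
    """Keep enough of the token to recognise its type, hide the rest for reports."""
    if len(token) > 16:
        return token[:8] + "..." + token[-4:]
    return token[:4] + "..."


def scan_for_tokens(data: bytes) -> List[Dict[str, object]]:
    """Return every credential-shaped string in the blob with its type and offset."""
    hits: List[Dict[str, object]] = []
    for base, run in extract_strings(data):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(run):
                hits.append({
                    "type": kind,
                    "offset": base + m.start(),
                    "value": m.group().decode("ascii"),
                })
    return hits


# Constructed sample (not a real binary): a fake Slack bot token and the AWS
# documentation example key ID embedded between non-printable bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"token=xoxb-000000000000-000000000000-CONSTRUCTEDEXAMPLE\x00"
    + b"\xde\xad\xbe\xef"
    + b"aws_key=AKIAIOSFODNN7EXAMPLE\x00"
    + b"xox-not-a-token\x00"
)

if __name__ == "__main__":
    for hit in scan_for_tokens(SAMPLE_BINARY):
        print(f"{hit['type']:18s} @0x{hit['offset']:04x} {redact(hit['value'])}")
```

Run it over the unpacked sample, not the packed one, and on Android cases over the decompiled resources as well as the DEX; the Swissknife slide shows the key only in decompiled code.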
SLUB v1/v2
• Exfiltration via file.io, link sent to Slack
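The two-hop exfiltration above (a file pushed to file.io, then the download link posted to Slack) is a sequence a proxy can see. Added example, not code from the talk or from SLUB: a detection that correlates, per client, a POST to file.io with a Slack API call that follows it within a short window. The log format, every log line and the ten-minute window are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed proxy log (not real traffic): "<utc time> <client ip> <method> <url> <status>".
# 10.0.0.5 shows the SLUB pattern; 10.0.0.9 only talks to Slack; 10.0.0.7 has the
# two hops hours apart, which the default window treats as unrelated.
SAMPLE_LOG = """\
2019-07-10T09:12:01Z 10.0.0.5 POST https://file.io/ 200
2019-07-10T09:12:04Z 10.0.0.5 POST https://slack.com/api/chat.postMessage 200
2019-07-10T09:15:30Z 10.0.0.9 POST https://slack.com/api/chat.postMessage 200
2019-07-10T10:00:00Z 10.0.0.7 POST https://file.io/ 200
2019-07-10T12:30:00Z 10.0.0.7 POST https://slack.com/api/files.upload 200
2019-07-10T10:01:00Z 10.0.0.5 GET https://www.example.com/index.html 200
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str, str, str]]:
    """Parse lines into (time, client, method, host, path); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, _status = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        u = urlsplit(url)
        events.append((when, client, method, u.netloc.lower(), u.path))
    return events


def find_fileio_slack_chains(text: str, window_minutes: int = 10) -> List[Dict[str, object]]:
    """Flag each client that POSTs to file.io and then calls the Slack API within the window."""
    window = timedelta(minutes=window_minutes)
    last_upload: Dict[str, datetime] = {}
    hits: List[Dict[str, object]] = []
    for when, client, method, host, path in sorted(parse_log(text)):
        if method == "POST" and host == "file.io":
            last_upload[client] = when
        elif host == "slack.com" and path.startswith("/api/") and client in last_upload:
            if when - last_upload[client] <= window:
                hits.append({
                    "client": client,
                    "upload_at": last_upload[client],
                    "slack_at": when,
                    "slack_method": path,
                })
    return hits


if __name__ == "__main__":
    for hit in find_fileio_slack_chains(SAMPLE_LOG):
        print(hit)
```

Both hosts are legitimate services, so either hop alone is weak evidence; the sequence from a single client within a short window is the signal, and the window is the knob to tune against your own false positive rate.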
SLUB v2
• Newer version from July 2019
  • GitHub is not used anymore
• Operator creates a Slack workspace
• A separate channel named <user_name>-<pc_name> is created in the workspace for each infected machine
• Commands to execute sent via messages pinned to a victim-specific channel
• Victim machine reads pinned messages from its dedicated channel, parses the message, and executes the requested command
SLUB v2
HTTPS request: check commands and send results
HTTPS request: send stolen files
HTTP request: check for new Slack token
SLUB v2
• Configuration update
• New token between HELLO^, WHAT^ and !!! tokens
SLUB v1
• Gist revisions show activation of specific commands
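Added example, neither the SLUB code nor the authors': a parser for the gist marker convention shown on the SLUB v1 slides (an active command is wrapped in `^` and `$`) plus a revision diff that reports which commands were switched on or off between two revisions, which is what reading the gist history gives an analyst. The revision texts, timestamps and command names are constructed.

```python
import re
from typing import List, Tuple

# Marker convention from the slide: the implant acts only on text between ^ and $.
ACTIVE_RE = re.compile(r"\^(.*?)\$", re.S)


def active_commands(gist_text: str) -> List[str]:
    """Return the commands an implant would act on, in the order they appear."""
    return [m.strip() for m in ACTIVE_RE.findall(gist_text)]


def diff_revisions(old: str, new: str) -> Tuple[List[str], List[str]]:
    """Compare two revisions: (commands switched on, commands switched off)."""
    before, after = set(active_commands(old)), set(active_commands(new))
    activated = [c for c in active_commands(new) if c not in before]
    deactivated = [c for c in active_commands(old) if c not in after]
    return activated, deactivated


def activation_timeline(revisions: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Walk (timestamp, text) revisions in order and emit (timestamp, 'on'|'off', command)."""
    events: List[Tuple[str, str, str]] = []
    for (_, prev), (ts, cur) in zip(revisions, revisions[1:]):
        on, off = diff_revisions(prev, cur)
        events += [(ts, "on", c) for c in on] + [(ts, "off", c) for c in off]
    return events


# Constructed gist revisions (not the real gist). Between the two revisions the
# operator enables a screenshot command and turns the system-info command off by
# removing its markers; the "note:" line is never wrapped and so never active.
REVISION_1 = "^dir$\n^sysinfo$\nnote: screenshot later\n"
REVISION_2 = "^dir$\nsysinfo\n^screenshot$\nnote: screenshot later\n"

if __name__ == "__main__":
    for ts, change, cmd in activation_timeline([("rev-1", REVISION_1), ("rev-2", REVISION_2)]):
        print(ts, change, cmd)
```

Because the markers are the only thing that changes, the gist diff view alone is misleading: a command can be present in every revision and active in none, so parse the markers rather than eyeballing the text.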
SLUB v1/v2
• Using Slack API in Python
SLUB v2
• File & exec operations
SLUB v1/v2
• Screenshot upload
• Screenshot download (using API key and path to the file)
Conclusion
• Abusing cloud service providers is a worldwide trend
• Such services can be used for different purposes:
• To store a reference used by the malware (C&C …)
• To store the stolen data
• To store all the commands and data
• This behavior brings benefits not only to the attackers, but also to the defenders, and without the need to “hack back”
References
• Patchwork: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
• Confucius: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/
• MuddyWater: https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/
  • https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/
• Slub v1: https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/
• Slub v2: https://blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use/
Threats detected and blocked globally by Trend Micro in 2018. Created with real data by artist Daniel Beauchamp.