RAT-a-tat-tat: Taking the fight to the RAT controllers

Description

A presentation by Jeremy du Bruyn of SensePost at ZaCon V in 2013 in Johannesburg on his research into applying pentester techniques to botnet C2s.

Transcript of Rat a-tat-tat

Page 1: Rat a-tat-tat

RAT-a-tat-tat

Taking the fight to the RAT controllers

Page 2: Rat a-tat-tat

Who Am I

• Jeremy du Bruyn
  – twitter: @herebepanda, irc: panda
• Pentester / Consultant at SensePost
• Spoken at a previous ZaCon about password cracking
• Currently doing MSc. at Rhodes

Page 3: Rat a-tat-tat

What's this about

• I've done some research on two prolific RATs that I'd like to share with y'all
  – I am not a malware researcher, I'm just an ex-network-pentester-consultant-infosec guy
  – Some dynamic analysis using Cuckoo Sandbox
  – Some static analysis using scripts to pick apart the server binaries
• Ways to search for these RATs on the greater internet
  – With an example

Page 4: Rat a-tat-tat

Background story

• Malware.lu report on Mandiant APT1
  – Python code for finding Poison Ivy C2s
• Are there any Poison Ivy C2s in ZA?
  – Writing robust network code is hard
  – Rather leverage off of NMAP
• I didn't find any Poison Ivy C2s in ZA :) / :(
• I really want to play with this, where can I get some samples?

credit (http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf)

Page 5: Rat a-tat-tat

My collection

• VirusTotal provide access to their Private API, which allows for searching and downloading of samples, to researchers
• After speaking with some malware folks I got a list of the most popular RATs being used in attacks
  – (@vlad_o, @undeadsecurity, @bobmcardle)
• Started collecting in August 2013
• Samples downloaded
  – Searched for "Poison.*" and "Fynloski.*"
  – Total 34 GB of samples
• For sure a cheap VPS would hold the few 100 MBs of samples I'd download

link (https://www.virustotal.com/en/documentation/private-api/)

Page 6: Rat a-tat-tat

RAT infrastructure

credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)

Page 7: Rat a-tat-tat

Poison Ivy

• Been around for many years
  – Oldest version on the website is from 2006, first released in 2005
  – Latest public version is 2.3.2 released in 2008
  – Private versions still being released, including a Vista+ patch
  – Free to download off the author's website
• Apparently very popular amongst Chinese attackers
  – Recently used by Mandiant APT1 groups
  – Used in RSA hack

Page 8: Rat a-tat-tat

Poison Ivy

• Samples
  – 12,133 downloaded
  – 5,004 analysed
    • Too much pondering/figuring in the beginning
• 26 live
• Not a lot I know, but they provide some interesting insights
• Average PI C2 lifespan is 3 months
• Analysis conducted using a mixture of the VirusTotal behavioural analysis results and a local Cuckoo Sandbox instance

Page 9: Rat a-tat-tat

VT Behavioural Analysis

• They use a "cluster" of Cuckoo Sandbox machines to perform the analysis and provide data via JSON
• VirusTotal behavioural analysis not conducted on all samples
  – Like 1 in 10
  – Not allowed to share samples with 3rd parties

Page 10: Rat a-tat-tat

Cuckoo Sandbox

• Cuckoo Sandbox used for the majority of the samples
  – 5 WinXP SP2 virtual machine guests
  – Timeout of 2 minutes
• Only allowed DNS traffic to Cuckoo host
  – Unbound DNS resolver
• Tweaked to report all traffic, even SYN
  – modules/processing/network.py (host down, not reported)
  – Malwr.com has the same problem
• api.py is super useful
  – Submit jobs, get analysis reports in JSON
• At the end able to process a couple hundred samples a day

Page 11: Rat a-tat-tat

Analysis system

• System is postgres driven
• Extracted info from the samples put into DB:
  – C2 / proxy IP
  – Port
• Scripts would pick up unprocessed samples and perform liveness testing of C2 and extract the Camellia key
  – Again writing to the DB

Page 12: Rat a-tat-tat

Poison Ivy

• Camellia key used to authenticate server and encrypt communication
  – Crypto hashing algorithm
  – Used for all servers
  – Can be extracted from server traffic :)

link (https://en.wikipedia.org/wiki/Camellia_(cipher))

Page 13: Rat a-tat-tat

Poison Ivy

• JtR module available for brute-forcing (malware.lu)
  – I've asked for its inclusion into hashcat
  – @atom, if you are reading this, *cough* oclhashcat

Page 14: Rat a-tat-tat

Vulnerabilities

• Metasploit module for Buffer Overflow bug in Poison Ivy 2.3.2
  – Think meterpreter
  – All you need is the C2 IP, port and clear-text Camellia password
  – Malware.lu guys used this to great effect
• FireEye "PIVY memory-decoding tool" for Immunity Debugger can also extract this info

Link (http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof) (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)

Page 15: Rat a-tat-tat

My contribution

• NMAP service probes to detect C2's across the Internet and NSE script to extract Camellia key from server traffic

Page 16: Rat a-tat-tat

DarkComet

• Very popular around the world
• Development abandoned by the author after Syrian government use
  – Crippled version available on author's website
  – Current public full version is 5.3.1
  – Current public crippled version 5.4.1 "Legacy"
• Fairly good collection available via .torrent

Link (http://darkcomet-rat.com/) (https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection)

Page 17: Rat a-tat-tat

DarkComet

• Samples
  – 33,592 downloaded (32GB)
  – 12,133 analysed
    • 4408 successfully
• 40 live
• Analysis script inspired by AlienVault Labs
  – Only worked on V5, updated to work on V5.1+

credit (https://code.google.com/p/alienvault-labs-garage/downloads/list)

Page 18: Rat a-tat-tat

DarkComet

• Encrypted server configuration information contained within the binary
  – C2 IP, port, password
  – FTP host, port, username, password, path
• Server configuration encrypted using static keys:
  – V5.1+ : #KCMDDC51#-890
  – V5.0 : #KCMDDC5#-890
  – V4.2F : #KCMDDC42F#-890
  – V4.2 : #KCMDDC42#-890
  – V4.1 : #KCMDDC4#-890
  – V2.x + 3.x : #KCMDDC2#-890
• Static key and password ("PWD") used to authenticate and encrypt communications

credit (http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf)

Page 19: Rat a-tat-tat

DarkComet

[Chart: share of analysed samples by static key + password. Legend: #KCMDDC51#-890, #KCMDDC51#-8900123456789, Other; values as extracted, in that order: 90.22, 1.16, 8.62]

Page 20: Rat a-tat-tat

DarkComet

• All this is encrypted using the static key + 'PWD'

credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)

Page 21: Rat a-tat-tat

Vulnerabilities

• Makes use of SQLite DB
  – SQLi
• Arbitrary File Download vulnerability
  – RAT allows controller to overwrite files
  – Doesn't check that C2 initiated connection
• (comet.db)
• Contains information on all connected servers

credit (http://www.matasano.com/research/PEST-CONTROL.pdf)

Page 22: Rat a-tat-tat

My contribution

• NMAP service probes to detect C2's across the Internet
  – DarkComet
    • Receives "IDTYPE" encrypted with default (and most popular) password
  – Xtreme RAT
    • Sends "myversion|3.6 Public\r\n"
    • Receives
      – Bytes 1-3 "\x58\x0d\x0a"
      – Bytes 4 – 12 "\xd2\x02\x96\x49\x00\x00\x00\x00"
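The DarkComet configuration extraction and the C2 probe replies described on the slides above, as an added example written for this transcript (not the speaker's scripts or his NMAP probe files). It assumes DarkComet stores each config line RC4-encrypted under the per-version static key and hex-encoded, and that the session greeting is RC4 under static key + PWD; the key list and the Xtreme RAT reply bytes are taken from the slides, and the caller supplies the password the probe expects:

```python
"""Added example, not code from the talk: the DarkComet and Xtreme RAT checks from the slides.
Assumptions: config strings are RC4-encrypted under the per-version static key and
hex-encoded; the session greeting "IDTYPE" is RC4 under static key + PWD. Static keys and
the Xtreme RAT reply bytes come from the slides; every sample value below is constructed."""
from typing import Optional, Tuple

STATIC_KEYS = {  # per-version keys, as listed on the slide
    "5.1+": b"#KCMDDC51#-890", "5.0": b"#KCMDDC5#-890", "4.2F": b"#KCMDDC42F#-890",
    "4.2": b"#KCMDDC42#-890", "4.1": b"#KCMDDC4#-890", "2.x/3.x": b"#KCMDDC2#-890",
}
# Bytes 1-3 then 4 onward of an Xtreme RAT controller's reply, as given on the slide.
XTREME_REPLY_PREFIX = b"\x58\x0d\x0a" + b"\xd2\x02\x96\x49\x00\x00\x00\x00"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decrypt_config_value(hex_value: str, key: bytes) -> Optional[str]:
    """Hex-decode and RC4-decrypt one config line; None unless it comes out as printable ASCII."""
    plain = rc4(key, bytes.fromhex(hex_value))
    return plain.decode("ascii") if plain and all(0x20 <= b < 0x7F for b in plain) else None

def identify_version(hex_value: str) -> Optional[Tuple[str, str]]:
    """Try each static key in turn; the first printable result names the builder version."""
    for version, key in STATIC_KEYS.items():
        plain = decrypt_config_value(hex_value, key)
        if plain is not None:
            return version, plain
    return None

def is_darkcomet_idtype(reply: bytes, password: bytes) -> bool:
    """Liveness check from the slide: a 5.1+ controller greets with "IDTYPE" under key + PWD."""
    return rc4(STATIC_KEYS["5.1+"] + password, reply) == b"IDTYPE"

def is_xtreme_rat(reply: bytes) -> bool:
    """Reply to the probe string "myversion|3.6 Public\\r\\n" starts with the slide's bytes."""
    return reply.startswith(XTREME_REPLY_PREFIX)
```

The version-by-key loop is the same trial-decryption approach the updated extraction script needs for V5.1+ samples; a bare static key with nothing appended is what the chart on the earlier slide shows as the most common case.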

Page 23: Rat a-tat-tat

My contribution

• Updated DarkComet configuration extraction script, for v5.1+

Page 24: Rat a-tat-tat

menuPass Campaign

• One of my samples had the filename "Strategy_Meeting.exe" and a Google gave me the FireEye report "Poison Ivy: Assessing Damage and Extracting Intelligence"
  – menuPass campaign launched in 2009 targeting defense contractors
  – Main industries targeted were
    • Defense, Consulting / Engineering, ISP, Aerospace, Heavy Industry, Government
• Spear-phishing used as initial attack vector
  – Weaponised .doc and .zip
• Using pentest footprinting techniques I uncovered a bit about their infrastructure

Link (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)

Page 25: Rat a-tat-tat

menuPass Campaign

credit (http://www.paterva.com/web6/products/casefile.php)

Page 26: Rat a-tat-tat

menuPass Campaign

• "The IP 60.10.1.120 hosted the domain apple.cmdnetview.com"
• This hostname appeared in my analysis but with an IP of 112.213.118.34
• One of my samples has hk.2012yearleft.com (112.213.118.33) and tw.2012yearleft.com (50.2.160.125) as C2's
  – tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in FireEye report
  – 5 live samples using this C2 in my collection
  – All used Camellia key "ketcxsAWfeAxiQ64ndURvA=="

Page 27: Rat a-tat-tat

menuPass Campaign

• New hostnames found using "ketcxsAWfeAxiQ64ndURvA==" from my samples:
  – banana.cmdnetview.com
  – drives.methoder.com
  – muller.exprenum.com
• New hostnames in 50.2.160.0/24 from samples:
  – kmd.crabdance.com 50.2.160.104
  – banana.cmdnetview.com 50.2.160.146
  – drives.methoder.com 50.2.160.125
  – muller.exprenum.com 50.2.160.125

Page 28: Rat a-tat-tat

menuPass Campaign

• Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found additional C2's in 50.2.160.0/24:
  – 50.2.160.42:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
  – 50.2.160.84:80/443 (daddy.gostudyantivirus.com) (AoFSY4Fi5u8sX3Bo7To86w==)
  – 50.2.160.104:443 gdWSvDcDqmZFC5/qvQiwhQ==
  – 50.2.160.125:80/443 (document.methoder.com, drives.methoder.com, mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com) (ketcxsAWfeAxiQ64ndURvA==)
  – 50.2.160.146:443 ketcxsAWfeAxiQ64ndURvA==
  – 50.2.160.179:443 gdWSvDcDqmZFC5/qvQiwhQ==
  – 50.2.160.193:443 tG3Sl8fQtuyKj/jh97O67w==
  – 50.2.160.226:443 gdWSvDcDqmZFC5/qvQiwhQ==
  – 50.2.160.241:443 gdWSvDcDqmZFC5/qvQiwhQ==

Page 29: Rat a-tat-tat

menuPass Campaign

• Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from 50.2.160.104):
  – ux.niushenghuo.info 142.4.121.144
  – for.ddns.mobi 142.4.121.144
• Hostnames from samples in 142.4.121.0/24:
  – gold.polopurple.com 142.4.121.138
• Additional PI C2 in 142.4.121.0/24 using NMAP:
  – 142.4.121.137:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
  – 142.4.121.139:80/443 AoFSY4Fi5u8sX3Bo7To86w==
  – 142.4.121.140:443 gdWSvDcDqmZFC5/qvQiwhQ==
  – 142.4.121.141:80 ketcxsAWfeAxiQ64ndURvA==
  – 142.4.121.142:443 ketcxsAWfeAxiQ64ndURvA==
  – 142.4.121.144:443 gdWSvDcDqmZFC5/qvQiwhQ==
  – 142.4.121.181:443 gdWSvDcDqmZFC5/qvQiwhQ==
  – 142.4.121.203:443 gdWSvDcDqmZFC5/qvQiwhQ==

Page 30: Rat a-tat-tat

menuPass Campaign

• [email protected] registered:
  – 2012yearleft.com
  – cmdnetview.com
  – gostudyantivirus.com
  – 100fanwen.com
• DomainTools reports that this email address has been used to register 157 domains
  – So still a lot of research to be done

Page 31: Rat a-tat-tat

Conclusion

• Those with an interest in amateur malware analysis
  – I utilised my pentesting skillset to work on this stuff
• Defenders looking for more ways to defend
  – Using these methods you can start investigating attacks on your organisation and start moving up the kill-chain
• Greyhats wanting to increase the cost of attackers running these RAT's

Page 32: Rat a-tat-tat

Thank You

• If there's time for questions, shoot.
• Otherwise catch me at lunch