You've got mail! from: Turla - CounterMeasure 2019 · Timeline Moonlight Maze US Department of...
You've got mail! from: Turla
Countermeasure 2018 | Ottawa
Matthieu Faou | Malware Researcher
Matthieu Faou | Malware Researcher | ESET Montreal
@matthieu_faou
Agenda
1. Background on Turla
2. Mosquito MitM campaign
3. Outlook Backdoor
Background
Timeline
•1998: Moonlight Maze
•2008: US Department of Defense breach
•2013: Finnish MFA breach
•2014: RUAG breach
•2016: MitM/MotS on adobe.com
•2018: German Government breach goes public
Arsenal
•Rootkit
•MitM
•Watering Hole
•Several advanced 2nd stage backdoors
Mosquito
![Page 15: You've got mail! from: Turla - CounterMeasure 2019 · Timeline Moonlight Maze US Department of Defense breach Finnish MFA breach 2008 1998 2013 2014 RUAG breach 10](https://reader034.fdocuments.us/reader034/viewer/2022042319/5f0942857e708231d425f884/html5/thumbnails/15.jpg)
Diplomats in Eastern Europe/Central Asia
July 2016
Fake flash installer
Downloaded from http://admdownload.adobe.com *
* We believe Adobe was not compromised
Infection Vector: tracing the infection chain (end-point perspective)
http://admdownload.adobe.com/bin[...]
Legitimate Akamai/Adobe IP address
Fake Flash Installer
Download executable
Something weird is happening on the network
Possible interception points
Local MitM & Compromised Gateway
•Full control of a *particular* organization’s traffic
•Examples:
 • DNS Changer
 • Slingshot
WiFi Credentials Export
ISP MitM
•Full control of its customers’ traffic
•Can be targeted
•Stealthy
Ex: FinFisher
•Sophisticated Commercial Spyware
•FinFly ISP product
•MitM campaign discovered by ESET in 2016
FinFisher MitM
•Malicious redirect
•Trojanized software (VLC, Avast, …)
•Easy to infect (again and again) particular targets
BGP Hijacking
•Reroute traffic to an attacker-controlled server
•Noisy / Not Targeted
•We didn’t see malicious announcements for the Adobe/Akamai prefixes
Other possibilities: Man-on-the-Side attack
•Race condition
•Condition: ability to read the traffic
•Objective: Replying to the victim before the legitimate server
Other possibilities: Man-on-the-Side attack
•Hard to beat Akamai
•And exfiltrated data would reach Akamai servers
-> Hard and noisy
Other possibilities: Domain Fronting
•Adobe uses a CDN: Akamai
•Leverages HTTPS to hide the final destination
•Use different hostname in DNS, TLS and HTTP
Fifield, D., Lan, C., Hynes, R., Wegmann, P. & Paxson, V. (2015). Blocking-resistant communication through domain fronting. Proceedings on Privacy Enhancing Technologies, 2015. doi:10.1515/popets-2015-0009
Other possibilities: Domain Fronting
•Fake flash is downloaded through HTTP
•Not possible to hide the destination
Other possibilities
•Adobe/Akamai compromised
•We reached out to them
 • Very unlikely
And it contacts adobe.com again
During the installation…
http://get.adobe.com/stats/AbfFcBebD/q=<base64-encoded data>
Information exfiltrated to get.adobe.com over HTTP
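As an added detection example (not part of the talk): a Python scan over constructed proxy log lines that flags the two things the slides describe, an executable fetched over plaintext HTTP from an Adobe download host and a get.adobe.com/stats/<token>/q=<base64> beacon. Because the server IP was the legitimate Akamai/Adobe one, the logic keys on URL shape and content type rather than on addresses; the log format, field names and the sample payload are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed payload for the sample log (not a real capture)
_PAYLOAD = base64.b64encode(b"host=WS-01;domain=CORP;user=admin").decode()

# Constructed proxy log lines: "<client> <method> <url> <content-type>"
SAMPLE_LOG = f"""\
10.0.0.5 GET http://admdownload.adobe.com/bin/live/flashplayer_install.exe application/x-msdownload
10.0.0.5 GET http://get.adobe.com/stats/AbfFcBebD/q={_PAYLOAD} application/octet-stream
10.0.0.7 GET https://get.adobe.com/flashplayer/ text/html
10.0.0.9 GET http://get.adobe.com/stats/x/q=not-base64!! text/plain
"""

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# The beacon keeps its "q=" inside the path, not in a query string
_STATS_RE = re.compile(r"^/stats/[^/]+/q=(.+)$")
_EXE_TYPES = {"application/x-msdownload", "application/vnd.microsoft.portable-executable"}


def looks_base64(blob: str, min_len: int = 16) -> bool:
    """True if blob is a plausible base64 string that actually decodes."""
    if len(blob) < min_len or len(blob) % 4 or not _B64_RE.match(blob):
        return False
    try:
        base64.b64decode(blob, validate=True)
    except ValueError:
        return False
    return True


def classify(client: str, method: str, url: str, ctype: str) -> list:
    """Return the alert names that apply to one proxy log record."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    alerts = []
    # Stage 1: an executable served over plaintext HTTP from an Adobe host.
    # The IP is legitimate, so only the URL and content type give it away.
    if parts.scheme == "http" and host.endswith(".adobe.com") and (
        parts.path.lower().endswith(".exe") or ctype in _EXE_TYPES
    ):
        alerts.append("plaintext-executable-download")
    # Stage 2: the installer's beacon, get.adobe.com/stats/<token>/q=<base64>
    m = _STATS_RE.match(parts.path)
    if parts.scheme == "http" and host == "get.adobe.com" and m and looks_base64(m.group(1)):
        alerts.append("stats-beacon-with-encoded-data")
    return alerts


def scan(log_text: str) -> list:
    """Run classify() over every well-formed line; keep only the lines that alert."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        alerts = classify(*fields)
        if alerts:
            hits.append({"client": fields[0], "url": fields[2], "alerts": alerts})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], ",".join(hit["alerts"]))
```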
Link with OSX/Snake
OSX/Snake
It even tricked researchers!
Windows Backdoor
•Download
•Execute
•Exfiltrate
Other tools
JScript Backdoor
•C&C: Google Script
•Exfiltrate MAC address + unique ID
•Downloads & Executes (eval) additional JS code
Metasploit
•Started in March 2018
•Fake flash
 • Executes a Metasploit shellcode
 • Downloads a Meterpreter from https://209.239.115[.]91/6OHEJ
•Mosquito backdoor finally dropped
Outlook Backdoor
The group Snake is said to have attacked the German government network.
Hackers have been able to copy data from the government networks via the Outlook mail program.
We need to look deeper
Targets
•Ministry of Foreign Affairs
•Defense contractors
•?
Timeline
•2009: Oldest compilation timestamp
•2010: First sample uploaded on VirusTotal
•2013: Execute commands sent by emails (XML)
•2016 (?): Commands are hidden in PDF documents sent to the victims
•Mar. 2018: Public announcement of the German incident
•Aug. 2018: Our report goes public
Installation
•COM object hijacking
 • Quite old technique
 • ComRAT & Mosquito
 • https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Larimer-VB2011.pdf
 • https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
•Outlook Protocol Manager
HKCR = HKCU + HKLM
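Added example, not the presenter's code: because HKCR is the merge of HKCU\Software\Classes over HKLM\Software\Classes, a per-user InprocServer32 value that differs from the machine-wide one for the same CLSID is the registry footprint of a COM object hijack. The comparison runs on plain dicts (constructed sample data below, with placeholder CLSIDs rather than the Outlook Protocol Manager's); the winreg walk only does something on Windows.

```python
from typing import Dict, List

# Constructed sample data: {CLSID: default value of InprocServer32}.
# The CLSIDs and paths are placeholders, not real identifiers.
SAMPLE_HKLM = {
    "{11111111-1111-1111-1111-111111111111}": r"C:\Windows\System32\legit_a.dll",
    "{22222222-2222-2222-2222-222222222222}": r"C:\Program Files\Vendor\legit_b.dll",
}
SAMPLE_HKCU = {
    # same CLSID as in HKLM but pointing at a user-writable path: shadows the system entry
    "{22222222-2222-2222-2222-222222222222}": r"C:\Users\alice\AppData\Roaming\x\olmapi32.dll",
    # registered per-user only: normal for per-user installs, so not reported
    "{33333333-3333-3333-3333-333333333333}": r"C:\Users\alice\AppData\Local\app\addin.dll",
}


def find_shadowed_clsids(hkcu: Dict[str, str], hklm: Dict[str, str]) -> List[dict]:
    """Report CLSIDs whose per-user InprocServer32 differs from the machine-wide one.

    HKCR is built from HKCU\\Software\\Classes first and HKLM\\Software\\Classes
    second, so for a CLSID present in both, the HKCU DLL is what COM actually
    loads into the calling process (Outlook, in the case the slides describe).
    """
    machine = {k.lower(): v for k, v in hklm.items()}
    findings = []
    for clsid, user_dll in hkcu.items():
        system_dll = machine.get(clsid.lower())
        if system_dll is None:
            continue
        if user_dll.strip().lower() != system_dll.strip().lower():
            findings.append({"clsid": clsid.lower(), "hklm": system_dll, "hkcu": user_dll})
    return findings


def read_clsid_servers(hive: str) -> Dict[str, str]:
    """Collect {CLSID: InprocServer32 default} from HKCU or HKLM; {} when not on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    servers: Dict[str, str] = {}
    try:
        base = winreg.OpenKey(root, r"Software\Classes\CLSID")
    except OSError:
        return servers
    with base:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(base, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(base, clsid + r"\InprocServer32") as srv:
                    servers[clsid.lower()] = str(winreg.QueryValueEx(srv, "")[0])
            except OSError:
                continue  # no in-process server registered for this CLSID
    return servers


if __name__ == "__main__":
    hkcu, hklm = read_clsid_servers("HKCU"), read_clsid_servers("HKLM")
    if not hklm:  # not on Windows: demonstrate on the constructed sample
        hkcu, hklm = SAMPLE_HKCU, SAMPLE_HKLM
    for f in find_shadowed_clsids(hkcu, hklm):
        print(f"{f['clsid']}: HKLM -> {f['hklm']} | HKCU -> {f['hkcu']}")
```

A per-user registration with no HKLM counterpart is not reported, since per-user installs legitimately create those; the hijack signature is the override of an existing system CLSID.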
MAPI
•Messaging Application Programming Interface
•COM-based API
•Allows software to be email-aware
•Replace olmapi32.dll
Outgoing emails
•All outgoing emails are forwarded to the attacker’s email address
•Can be disabled by changing a config value in the registry
Outgoing emails
•Information is exfiltrated at the same time the victim sends an email
 • Avoids sending emails at unusual hours
•Data is encrypted and stored in a PDF attached to the email
Operator email addresses
• In recent campaigns, we have seen them using gmx.com
•Pattern seems firstname.lastname@[free webmail]
•Sometimes, they impersonate the victim
Incoming emails
•All incoming email metadata is logged (subject, sender, etc.)
•Checks if the attachment is a PDF and contains a command
Hiding UI artefacts
•Delete all backdoor-related messages
 • Sent
 • Received
 • If it contains the operator email address
•Hooks
Backdoor
•Fully controlled by email
 • Commands are contained in PDF attachments
 • Old versions: XML in the email body
•Operator agnostic
 • Even if the email address is taken down, a command can be sent from any other email address
89
![Page 90: You've got mail! from: Turla - CounterMeasure 2019 · Timeline Moonlight Maze US Department of Defense breach Finnish MFA breach 2008 1998 2013 2014 RUAG breach 10](https://reader034.fdocuments.us/reader034/viewer/2022042319/5f0942857e708231d425f884/html5/thumbnails/90.jpg)
Backdoor | PDF format
•Really complex: a pain to reverse
  • Probably just to make analysis more time-consuming
•Valid PDF document
•Data appended after a JPG
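Added example, not ESET's code and not from the talk: a triage check for the container just described. The slide says only "valid PDF document" and "data appended after a JPG", so the script assumes the appended data sits inside an image stream after the JPEG End-Of-Image marker; the PDF, the JPEG and the appended bytes are all constructed test input. The later mail-server slide notes that the attacker controls this format, so treat this as a triage heuristic, not a durable control.

```python
# Added example (not ESET's code): find JPEG streams in a PDF and report bytes after the
# End-Of-Image marker. The sample PDF, JPEG and appended bytes are constructed test input.
import re

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

# Constructed minimal JPEG: SOI, APP0/JFIF segment, one SOS segment whose scan data contains
# a stuffed FF00, then EOI. Structurally valid for marker walking; not a decodable picture.
CLEAN_JPEG = (SOI
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56"
              + EOI)
APPENDED = b"constructed payload after EOI"  # stands in for the command blob the slide describes
TAMPERED_JPEG = CLEAN_JPEG + APPENDED


def build_pdf(image: bytes) -> bytes:
    """Wrap bytes as the single image XObject of a minimal, well-formed PDF (test input only)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 10 10] "
        b"/Resources << /XObject << /Im0 4 0 R >> >> >>",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray "
        b"/BitsPerComponent 8 /Filter /DCTDecode /Length %d >>\nstream\n%s\nendstream"
        % (len(image), image),
    ]
    out, offsets = b"%PDF-1.4\n", []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return out


def jpeg_streams(pdf: bytes):
    """Yield the raw data of each stream whose dictionary selects /DCTDecode (JPEG).
    Direct /Length values only; indirect lengths (n 0 R) are skipped to keep this short."""
    pos = 0
    while True:
        kw = pdf.find(b"stream", pos)
        if kw == -1:
            return
        if pdf[max(kw - 3, 0):kw] == b"end":      # this is an 'endstream' keyword
            pos = kw + 6
            continue
        dictionary = pdf[pdf.rfind(b" obj", 0, kw):kw]
        start = kw + 6 + (2 if pdf[kw + 6:kw + 8] == b"\r\n" else 1)
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        pos = start
        if b"/DCTDecode" in dictionary and length:
            data = pdf[start:start + int(length.group(1))]
            pos = start + len(data)
            yield data


def jpeg_end(jpeg: bytes) -> int:
    """Walk JPEG segments and return the offset just past EOI. Stuffed FF00 bytes and RSTn
    markers in scan data are skipped; an EXIF thumbnail's own EOI sits inside a length-prefixed
    APP1 segment and is therefore skipped as well."""
    if not jpeg.startswith(SOI):
        raise ValueError("no SOI marker")
    i = 2
    while i + 2 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("expected marker at offset %d" % i)
        marker = jpeg[i + 1]
        if marker == 0xFF:                              # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                              # EOI
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # TEM, RSTn, SOI: no length field
            i += 2
            continue
        if i + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        i += 2 + int.from_bytes(jpeg[i + 2:i + 4], "big")
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while i + 1 < len(jpeg):
                nxt = jpeg[i + 1]
                if jpeg[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("no EOI marker")


def suspicious_jpeg_streams(pdf: bytes):
    """(stream index, trailing byte count) for every JPEG stream carrying data after EOI."""
    findings = []
    for idx, data in enumerate(jpeg_streams(pdf)):
        try:
            end = jpeg_end(data)
        except ValueError:
            continue        # malformed image; worth its own alert in a real tool
        if end < len(data):
            findings.append((idx, len(data) - end))
    return findings


if __name__ == "__main__":
    print("clean:", suspicious_jpeg_streams(build_pdf(CLEAN_JPEG)))        # []
    print("tampered:", suspicious_jpeg_streams(build_pdf(TAMPERED_JPEG)))  # [(0, 29)]
```

The stream's /Length is honest in both samples, so a PDF validator sees nothing wrong; only walking the JPEG's own marker structure exposes the trailing bytes. Streams with indirect /Length values or other filters are ignored here and would need handling in a real tool.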
Backdoor | Functions

| ID   | Command |
|------|---------|
| 0x10 | Not implemented |
| 0x11 | Display a MessageBox |
| 0x12 | Sleep |
| 0x20 | Delete file |
| 0x21 | Get file |
| 0x22 | Set operator email address |
| 0x23 | Put file |
| 0x24 | Run shell command |
| 0x25 | Create process |
| 0x26 | Delete directory |
| 0x27 | Create directory |
| 0x28 | Change timeout |
| 0x29 | Run PowerShell command (PSInject, added 2018) |
| 0x2A | Set answer mode (added 2018) |
Turla Encryption History
•Carbon and Snake: CAST-128
•Gazer: Custom RSA implementation
•Mosquito: BlumBlumShub
•Uroboros: Threefish
Backdoor | Encryption
•All significant values were changed
•Identification of the main characteristics
  • Symmetric
  • 128-bit key
  • Two hardcoded tables (S-boxes)
  • 64-bit block
  • 8 rounds
  • Block size, key size, round count and the two S-boxes match MISTY1, compared on the next slide
Changes to MISTY1
•The 128-bit key is generated from two hardcoded 1024-bit keys plus a 2048-bit initialization vector
•They shuffled the S7 (128-entry) and S9 (512-entry) S-boxes
•They added XOR operations in the FI function
•Consequence for analysts: standard MISTY1 test vectors and S-box byte signatures do not match this variant; identify it structurally (64-bit block, 128-bit key, 8 rounds, one 128-entry and one 512-entry table)
Demo
Mitigations
On the computer side
•EDR/Sysmon (?) to identify COM hijacking
•Windows Defender Security Center
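Added example, not ESET's code: an offline equivalent of the COM-hijacking hunt the slide assigns to EDR or Sysmon. It parses a registry export (.reg text) and reports HKCU InprocServer32 registrations that shadow an HKLM registration of the same CLSID with a different DLL, which is what a per-user COM hijack looks like, since HKCU\Software\Classes is consulted before HKLM. The export, CLSIDs and paths are constructed; the user-writable-path heuristic is an assumption that will need tuning per environment.

```python
# Added example (not ESET's code): offline COM-hijack check over a registry export (.reg text).
# A per-user COM hijack registers HKCU\Software\Classes\CLSID\{clsid}\InprocServer32 pointing at
# the attacker's DLL; HKCU\Software\Classes is consulted before HKLM, so this shadows the machine-
# wide registration without modifying it. The export below is constructed (fake CLSIDs and paths).
import re
from collections import defaultdict

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
INPROC_RE = re.compile(r"^software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$")
# Directories an unprivileged user can write to: heuristic, an assumption to tune per estate.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\hijack.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\addin.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\addin.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Tool\\peruser.dll"
"""


def parse_reg_export(text: str) -> dict:
    """{hive: {clsid: dll_path}} for every ...\\CLSID\\{...}\\InprocServer32 default value."""
    result = defaultdict(dict)
    hive = subkey = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            hive, subkey = key.group(1), key.group(2).lower()
            continue
        if hive and line.startswith('@="') and line.endswith('"'):
            inproc = INPROC_RE.match(subkey)
            if inproc:                       # .reg files escape backslashes as '\\'
                result[hive][inproc.group(1)] = line[3:-1].replace("\\\\", "\\")
    return result


def find_com_hijacks(reg: dict):
    """hijacks: HKCU entries shadowing an HKLM registration of the same CLSID with another DLL.
    suspicious: HKCU-only entries whose DLL lives in a user-writable directory (noisy; many
    legitimate per-user add-ins live there too, which is why it is reported separately)."""
    machine = reg.get("HKEY_LOCAL_MACHINE", {})
    hijacks, suspicious = [], []
    for clsid, dll in reg.get("HKEY_CURRENT_USER", {}).items():
        if clsid in machine:
            if machine[clsid].lower() != dll.lower():
                hijacks.append((clsid, machine[clsid], dll))
        elif any(part in dll.lower() for part in USER_WRITABLE):
            suspicious.append((clsid, dll))
    return hijacks, suspicious


if __name__ == "__main__":
    hijacks, suspicious = find_com_hijacks(parse_reg_export(REG_EXPORT))
    for clsid, hklm_dll, hkcu_dll in hijacks:
        print("HIJACK ", clsid, hklm_dll, "->", hkcu_dll)
    for clsid, dll in suspicious:
        print("REVIEW ", clsid, dll)
```

On a live host the same comparison runs against `reg export HKCU\Software\Classes\CLSID` and `reg export HKLM\SOFTWARE\Classes\CLSID` output; the second constructed CLSID, registered identically in both hives, shows why a plain "HKCU CLSID exists" rule is too noisy and the DLL paths have to be compared.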
Do not allow child processes
•Exploit Protection setting (Windows Defender Security Center) applied to Outlook: Outlook may not spawn child processes, which blocks the "Run shell command" and "Create process" commands
•Test before deploying: Outlook legitimately launches child processes, for example when opening attachments or links
Code Integrity Guard
•Exploit Protection setting applied to Outlook: only Microsoft-signed (or WHQL-signed) images may be loaded, so a DLL not signed by Microsoft is refused
•Test before deploying: third-party Outlook add-ins are not Microsoft-signed either and will stop loading
On the mail server side
•Blocking emails based on the PDF format: brittle, since the attackers control the format and can change it
•Monitoring duplicate sending of emails
  • High false-positive rate?
  • The attacker's address looks like the victim's private address
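Added example, not from the talk: the "duplicate sending" monitor the slide proposes, run over constructed log lines in a made-up "timestamp sender recipient content-hash" format (no real MTA emits this). It flags a message that the same internal sender delivers, within a short window, both to a normal recipient and to an external address whose local part embeds the sender's name. The window, the internal domain and the name-token rule are assumptions. The second group in the sample shows the false-positive tension the slide raises: a user forwarding to their own private mailbox looks the same, and only the timing separates the two.

```python
# Added example (not from the talk): the "duplicate sending" monitor the slide proposes, run over
# constructed log lines. The log format ("timestamp sender recipient content_hash"), the domain,
# the time window and the name-token rule are all assumptions; no real MTA emits this format.
import re
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "ministry.example"

LOG = """\
2018-05-03T09:12:01 anna.berg@ministry.example karl.lund@ministry.example 5d41402a
2018-05-03T09:12:03 anna.berg@ministry.example anna.berg.private@webmail.example 5d41402a
2018-05-03T10:40:22 anna.berg@ministry.example press@partner.example 7d793037
2018-05-03T11:05:00 anna.berg@ministry.example anna.berg@webmail.example 7d793037
2018-05-03T12:00:00 karl.lund@ministry.example anna.berg@ministry.example 9e107d9d
2018-05-03T12:00:01 karl.lund@ministry.example team@ministry.example 9e107d9d
"""


def parse_log(text: str):
    """One (timestamp, sender, recipient, content_hash) tuple per delivery."""
    rows = []
    for line in text.splitlines():
        ts, sender, rcpt, digest = line.split()
        rows.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), digest))
    return rows


def local_part(addr: str) -> str:
    return addr.split("@", 1)[0]


def is_internal(addr: str) -> bool:
    return addr.endswith("@" + INTERNAL_DOMAIN)


def looks_like_private_copy(sender: str, rcpt: str) -> bool:
    """True when the recipient's local part embeds the sender's name tokens
    (anna.berg -> anna.berg.private). This is the 'looks like the victim's private address'
    property from the slide, which cuts both ways: a genuine self-forward matches too."""
    tokens = [t for t in re.split(r"[._-]", local_part(sender)) if len(t) >= 3]
    return bool(tokens) and all(t in local_part(rcpt) for t in tokens)


def find_duplicate_sends(rows, window_seconds: int = 120):
    """Alerts (sender, external_rcpt, content_hash) when an internal sender delivers the same
    content to an external, name-alike address within window_seconds of another delivery."""
    by_msg = defaultdict(list)
    for ts, sender, rcpt, digest in rows:
        by_msg[(sender, digest)].append((ts, rcpt))
    alerts = []
    for (sender, digest), deliveries in by_msg.items():
        if not is_internal(sender):
            continue
        for ts, rcpt in deliveries:
            if is_internal(rcpt) or not looks_like_private_copy(sender, rcpt):
                continue
            near = any(abs((ts - other).total_seconds()) <= window_seconds
                       for other, r in deliveries if r != rcpt)
            if near:
                alerts.append((sender, rcpt, digest))
    return alerts


if __name__ == "__main__":
    for alert in find_duplicate_sends(parse_log(LOG)):
        print("duplicate send to name-alike external address:", *alert)
```

With the default two-minute window only the first group fires; widening the window to an hour also catches the manual forward 25 minutes later, which is exactly the false-positive trade-off the slide flags. The rule depends on an outgoing log that records every recipient per message, so it belongs on the mail server, not the endpoint, where the backdoor deletes its own sent copies.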
•Comprehensive white paper released in August 2018
  • https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf
  • https://github.com/eset/malware-ioc/tree/master/turla#turla-outlook-indicators-of-compromise
Conclusion
•Two examples showing the sophistication of Turla
•Turla is not your casual and lazy attacker
www.eset.com | www.welivesecurity.com
Matthieu Faou, Malware Researcher
@matthieu_faou