Cyphort Labs Malware’s Most Wanted SeriesAttack on Sony Pictures
Destover
Most Wanted of 2014@belogor
Your speakers today
Nick Bilogorskiy@belogor
Director of Security Research
Shel SharmaProduct Marketing Director
Agenda
o Sony Destover trojan dissection
o Sony attack attribution
o Most wanted of 2014
o Wrap-up and Q&A
Cyp
ho
rt L
abs
T-sh
irt
Threat Monitoring & Research team
________
24X7 monitoring for malware events
________
Assist customers with their Forensics and Incident Response
We enhance malware detection accuracy
________
False positives/negatives________
Deep-dive research
We work with the security ecosystem
________
Contribute to and learn from malware KB
________
Best of 3rd Party threat data
Sony Pictures Attack by Destover Trojan
o Attack on Sony Pictures…Nov 24, 2014 by GOP - “Guardians of Peace”
o 111 Terabytes of Data Stolen
o Suspected Origin: North Korea
o 7 lawsuits filed against Sony, so far
o Controversy over “The Interview” which made $46 million to date
o Trojan designed for Sony’s network.
Attack Timeline for Sony Pictures, Nov – Dec 2014
Destovermalware discovered
Guardians of Peace claims credit, starts releasing stolen movies
Sony decides to release “The Interview” on Dec 25
Wiper activates
Nov 21 Nov 24 Nov 27 Dec 1 Dec 3 Dec 11 Dec 15 Dec 17 Dec 19 Dec 23
Sony receives email from ‘God’s Apstls”
FBI sends “flash alert”
GOP leaks Sony Exec emails
Sony hit with 1st
class-action lawsuit for failure to protect employee info
Sony cancels movie “The Interview”
FBI says hack done by North Korea
What was stolen and leaked?
In a word, everything!
Personal data on employees Movies and Scripts Performance reports and salary information Source code, Private keys, passwords, certificates Production schedules, Box office projections Executives email correspondence Brad Pitt phone number! and more..
Destover Workflow Diagram
8
ATTACKER
Spreads via SMB port 445Destover
Command
and Control
Servers
DropsWIPER
DROPPER-w Webserver -d Disk Driver
Drops
Disk Wiper
Wiper Command and Control
o This Trojan uses encrypted config file net_ver.dat embedded in the resource section that has several IP addresses later used for C&C communication
o Once connectivity is established with C2 servers, it initiates a two hour countdown at which time the infected machine will reboot
Net_ver.dat (Config File)
Wiper switches
The module can be executed with many parameters:
switch description
-i Install itself as a service
-k Remove the service
-d Start file wipe module
-s Mount and remote shares with hardcoded passwords and delete files from them
-m Drop Eldos Software RawDisk kernel driver to wipe MBR
-a Start anti-AV module
-w Drop and execute webserver to show the ransom message
-w Warning
• This switch drops a decrypted from resource section webserver.
• It runs on the infected machine with the only purpose of showing the user this ransom message.
-d switch
o usbdrv3.sys - Eldos Software RawDisk (a commercial product to enable raw access to the hard disk from Windows).
o After ten attempts to connect to one of the local systems, the process of wiping the hard drive began.
-d Delete
o sends string of “AAAAA”s in a loop to the Eldosdriver requesting it to write directly to the hard disk.
o It deletes all files in the system except the files with extension exe and dll
o The malware is also known to wipe out network drives
Who do you think is responsible?POLL #1 – Who was it
o A – North Korea
o B – Insiders
o C – Sony hacked itself
o D – China
o E – Russia
o F – None of the above
By GOP
The result of investigation by CNN is so excellent that you might have seen what we were doing with your own eyes.We congratulate you success.CNN is the BEST in the world.
You will find the gift for CNN at the following address.
https://www.youtube.com/watch?v=hiRacdl02w4
Enjoy!
P.S. You have 24 hours to give us the Wolf.
Dec 24: FBI: the GOP threaten USPER2 – NEWS ORGANIZATION
Dec 20: By GOP – CNN , give us the Wolf
Attribution is Hard…The GoP pastebin hoax
Dec 31:Homeland Security writer takes credit as a joke
Insiders?
o This Trojan uses stored user name and password combination to get access to the other machines.
How did attackers get them? They must have known the internal network, either from insiders or previous attacks.
Alternative Arguments? … Similarity to other APT attacks
o August 2012o Shamoon rendered up to 30,000 computers inoperable at
Saudi Aramco, the national oil company of Saudi Arabia.
o Credit claimed by Cutting Sword of Justice
o 2013o DarkSeoul, a hacking group with suspected links to North
Korea, performed a delayed wipe on 32,000 systems at South Korean banks and media companies
o Credit claimed by Whois
North Koreans?
o The resource section of the main file shows that the language pack used was Korean.
North Korea? Argument #1
FBI Bulletin, Dec 19
o Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
o The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
o Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
o Hackers used their true IP address
o Similar tools
o Malware analysis
North Korea? Argument #2
o Snowden docs show NSA first hacked North Korea in 2010 with help from SK
o “early warning radar” was implanted to monitor North Korea
o Fourth party collection
North Korea Bureau 121.
o Reconnaissance General Bureau, North Korea’s main intelligence service with 6,000 hackers
o Bureau 121, its secretive hacking unit, with a large outpost in China
o Hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
Most Wanted of 2014
APT- Regina.k.a. Prax
Qwerty WARRIORPRIDE
APT DarkHotel
a.k.a. Luder / Karba / Tapaoux / Nemim
APT- Turlaa.k.a. Uroboros /
SnakeOrigin: Russian
POSBlackPOSVictim: Target
POSFramework
Victim: Home Depot
POSBackoff
Victims: Albertsons, Dairy Queen, …
NightHunterOrigin: Spain
CryptoLockerRansom ware
Accessory to Murder
ShellshockExploit
Heartbleed PoodleDestovera.k.a. Sony Trojan
APT: Regin
o Active since around 2008
o Victims: Belgacom, European Parliament
o Suspected Origin: NSA / GCHQ
o Multi-layer malware with 6 stages
o Extensible platform with custom pluginso Network traffic monitoring
o Key logging
o Credential capturingImage source: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
Known as Regin / Prax / Qwerty / WARRIORPRIDE
o Campaign started in 2007
o Targets executives through hotel networks
o Suspected Origin: South Korea
o Sandbox evasion & anti-virus detection
o Espionage & data exfiltration
o Components
o Kernel-mode keylogger
o Downloader
o Information Stealer
o Collects email and IM accounts, system info
Known as Luder / Karba / Tapaoux / Nemim
APT: DarkHotel
APT: TurlaKnown as Uroboros/Snake
o Active since around 2008
o Framework for Espionage against France and other NATO states
o Suspected Origin: Russia
o Uses direct spear-phishing e-mails and watering hole attacks to infect victims.
o Has a Linux rootkit component
Point of Sale (POS) Malware
BlackPOS• November 2013• 40 million cards stolen• $500 Million total
exposure to Target (Gartner)• Cards resold on Rescator forum
Backoff• Began in October 2013• Government warned retailers in July• Not targeted• Protected by run-time packer• Supports keylogging • communicates to a C&C, can update
itself• More than 1,000 victims
FrameworkPOS• April – Sep 2014• 56 Million cards leaked• Copy-cat attack, imitated BlackPOS• Cards resold on Rescator forum• Likely different actors
Exploits
Heartbleed• April 2014• CVE-2014-0160
• Exploits a flaw in the heartbeat step of TLS
• Buffer over-read• 39% of Internet users changed their
passwords, according to Pew• 500,000 vulnerable websites
POODLE• Found in September, 2014• CVE-2014-3566
• Google discovered flaw in SSL v3• Allows man-in-the-middle• Stands for “Padding Oracle On
Downgraded Legacy Encryption”• Not as bad as the other two
ShellShock• Found in September, 2014• CVE-2014-6271
• Bug in Bash shell allowed to execute arbitrary commands
• 1.5 million attacks per day according to CloudFlare.
• 500 million vulnerable machines!• Yahoo hacked on Oct 6 via this
o Discovered by Cyphort in March 2014, NightHunter is a major data exfiltration that went undetected for 5 years.
o Steals login credentials of users, Google, Facebook, Dropbox, Skype and other services
o Malware coded in .NET
o At least 1,800 infections
o Using SMTP and more than 3,000 unique keylogger binaries
o Ten different string obfuscation techniques
NightHunter
NightHunter
df
UserReceives a phishing
email with a DOC/ZIP attachment
Stage 1 –EXEDecrypts the DLL from a
resource section and loads it from memory
AttackerReceives stolen credentials in
the email server
Stage 2 – DLLRuns from EXE’s process memory and Sends out
credentials via SMTP
Cryptolocker
o Began September 2013
o Encrypts victim’s files, asks for $300 ransom
o Impossible to recover files without a key
o Ransom increases after deadline
o Goal is monetary via Bitcoin
o 250,000+ victims worldwide (According to Secureworks)
o Unforeseen Consequences
POLL #2 – What was the “most wanted” attack of 2014?
o A – Sony Destover Trojan
o B – Cryptolocker
o C – Backoff POS Trojan
o D – NightHunter
o E – Shellshock exploit
o F – None of the above
Conclusions1. Sony attack was sophisticated , targeted and politically motivated
2. In Sony’s case - early compromise harvesting the user account credentials
lead to the later stage using malware designed with the credentials
embedded
3. Sony is the first significant breach where the data exposure is beyond
"consumer account and personal information", with direct theft of
corporate assets (movies & scripts), and with legal implication on corporate
obligation and contract
4. 2014 was an exceptional year for malware with successful malware breaches
at Target, Sony, JPMorgan and Home Depot to name a few
5. The best defense is an approach that continuously monitors network
activities and file movements, detects threat activities across threat kill
chain, and correlates observations across the enterprise network
References:http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation
http://blog.erratasec.com/2015/01/the-gop-pastebin-hoax.html
http://thehackernews.com/2015/01/police-ransomware-suicide.html
http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307
http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?_r=0
http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307
http://thehackernews.com/2014/12/powerful-linux-trojan-turla.html
http://www.cyphort.com/latest-sony-pictures-breach-deadly-cyber-extortion/
http://www.darkreading.com/shellshock-bash-bug-impacts-basically-everything-exploits-appear-in-wild/d/d-id/1316064
http://www.pewinternet.org/2014/04/30/heartbleeds-impact/
http://www.bbc.com/news/technology-29361794
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25630/en_US/McAfee_Labs_Threat_Advisory_Trojan-Wiper.pdf
http://arstechnica.com/information-technology/2015/01/nsa-secretly-hijacked-existing-malware-to-spy-on-n-korea-others/
http://securelist.com/blog/research/67985/destover/
http://deadline.com/2014/12/is-the-chinese-armys-cyber-squad-behind-the-sony-attack-1201325918/
Top Related