SlideShare a Scribd company logo

Advanced Malware Analysis Training Session 10 - (Part 1) Reversing & Decrypting Communications of HeartBeat RAT

Download as PPTX, PDF
securityxploded
securityxploded

This presentation is part of our Advanced Malware Analysis Training Series program. For more details refer our Security Training page http://securityxploded.com/security-training-advanced-malware-analysis.php

Technology
1 of 28
Advanced Malware Analysis Training Series www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the Trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to Null community for their extended support and co-operation.  Special thanks to ThoughtWorks for the beautiful venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
Advanced Malware Analysis Training This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who am I Monnappa  m0nna  Member of SecurityXploded  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  LinkedIn: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8 www.SecurityXploded.com
Contents  Overview of Advanced threats  HeartBeat APT campaign  Part 1A – Demo (Decrypting the communications of HeartBeat RAT)  Part 1B – Demo (Reverse Engineering the HeartBeat RAT)  References www.SecurityXploded.com
Overview of advanced threats  Sophisticated  Stealthy  Multistaged  Targeted  Uses zero day exploits  Designed for long term manipulation www.SecurityXploded.com
HeartBeat APT Campaign  Targeted attack exposed by Trend Micro document http://blog.trendmicro.com/trendlabs-security-intelligence/pulsing-the-heartbeat-apt/  Targeted organizations related to the South Korean government (political parties, media outfits, South Korean military)  “HeartBeat RAT" was used to gain access over their targets network  In this session, we will o Part 1a) Decrypt the communications of HeartBeat RAT o Part 1b) Reverse Engineer the HeartBeat RAT www.SecurityXploded.com
HeartBeat RAT Network Traffic Below screenshot shows the HeartBeat RAT traffic on port 80 and also shows connection to a malicious domain www.SecurityXploded.com
Encrypted communications of HeartBeat RAT The one shown in Red is the Header and green shows the Encrypted Traffic www.SecurityXploded.com
Decryption Script (heart_decrypt.py) The below screenshot shows the script usage www.SecurityXploded.com
Decrypted Communication The below screenshot shows the Decrypted C2 check-in. The one marked in RED is the hostname of the infected machine www.SecurityXploded.com
Decrypted Communication (contd...) www.SecurityXploded.com
Malware Decrypts Strings Below screenshots show the malware decrypting the C2 domain www.SecurityXploded.com
Malware Decrypts Strings (contd...) Below screenshots show the malware decrypting the campaign password “qawsed” www.SecurityXploded.com
Malware Decrypts Strings (contd...) Below screenshots show the malware decrypting the campaign code “jpg-jf-0925” www.SecurityXploded.com
Malware Resolves C2 Domain Below screenshots show the malware resolving the C2 domain and the corresponding network traffic www.SecurityXploded.com
Malware Connects to C2 Domain Below screenshots show the malware establishing connection to the C2 domain www.SecurityXploded.com
Malware Collects System Information Below screenshots show the malware collecting the system information www.SecurityXploded.com
Malware Collects Hostname Information Below screenshots show the malware collecting the hostname information www.SecurityXploded.com
Malware uses XOR encryption malware uses xor algorithm (key 0x2) to encrypt the collected data www.SecurityXploded.com
Malware uses XOR encryption (contd...) Below screenshot shows the encrypted data www.SecurityXploded.com
Malware Sends the Encrypted Data Malware sends the encrypted data to the C2 www.SecurityXploded.com
Malware Sends the Encrypted Data (contd...) The packet capture shows the encrypted traffic www.SecurityXploded.com
References Complete Reference Guide for Advanced Malware Analysis Training [Include links for all the Demos & Tools] www.SecurityXploded.com
Thank You ! www.SecurityXploded.com www.SecurityXploded.com

Recommended

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
securityxploded
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
securityxploded
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
securityxploded
 
Antivirus Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and CountermeasuresAntivirus Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and Countermeasures
securityxploded
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
securityxploded
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 

Recommended

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
securityxploded
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
securityxploded
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
securityxploded
 
Antivirus Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and CountermeasuresAntivirus Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and Countermeasures
securityxploded
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
securityxploded
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
securityxploded
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
securityxploded
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
securityxploded
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
securityxploded
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
securityxploded
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
securityxploded
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
securityxploded
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
securityxploded
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
securityxploded
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
securityxploded
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
securityxploded
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
securityxploded
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
securityxploded
 

More Related Content

Viewers also liked

Viewers also liked (9)

Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
 

More from securityxploded

More from securityxploded (20)

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bullet
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learning
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Advanced Malware Analysis Training Session 10 - (Part 1) Reversing & Decrypting Communications of HeartBeat RAT

  • 1. Advanced Malware Analysis Training Series www.SecurityXploded.com
  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the Trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to Null community for their extended support and co-operation.  Special thanks to ThoughtWorks for the beautiful venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Advanced Malware Analysis Training This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I Monnappa  m0nna  Member of SecurityXploded  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  LinkedIn: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8 www.SecurityXploded.com
  • 6. Contents  Overview of Advanced threats  HeartBeat APT campaign  Part 1A – Demo (Decrypting the communications of HeartBeat RAT)  Part 1B – Demo (Reverse Engineering the HeartBeat RAT)  References www.SecurityXploded.com
  • 7. Overview of advanced threats  Sophisticated  Stealthy  Multistaged  Targeted  Uses zero day exploits  Designed for long term manipulation www.SecurityXploded.com
  • 8. HeartBeat APT Campaign  Targeted attack exposed by Trend Micro document http://blog.trendmicro.com/trendlabs-security-intelligence/pulsing-the-heartbeat-apt/  Targeted organizations related to the South Korean government (political parties, media outfits, South Korean military)  “HeartBeat RAT" was used to gain access over their targets network  In this session, we will o Part 1a) Decrypt the communications of HeartBeat RAT o Part 1b) Reverse Engineer the HeartBeat RAT www.SecurityXploded.com
  • 9.
  • 10. HeartBeat RAT Network Traffic Below screenshot shows the HeartBeat RAT traffic on port 80 and also shows connection to a malicious domain www.SecurityXploded.com
  • 11. Encrypted communications of HeartBeat RAT The one shown in Red is the Header and green shows the Encrypted Traffic www.SecurityXploded.com
  • 12. Decryption Script (heart_decrypt.py) The below screenshot shows the script usage www.SecurityXploded.com
  • 13. Decrypted Communication The below screenshot shows the Decrypted C2 check-in. The one marked in RED is the hostname of the infected machine www.SecurityXploded.com
  • 15.
  • 16. Malware Decrypts Strings Below screenshots show the malware decrypting the C2 domain www.SecurityXploded.com
  • 17. Malware Decrypts Strings (contd...) Below screenshots show the malware decrypting the campaign password “qawsed” www.SecurityXploded.com
  • 18. Malware Decrypts Strings (contd...) Below screenshots show the malware decrypting the campaign code “jpg-jf-0925” www.SecurityXploded.com
  • 19. Malware Resolves C2 Domain Below screenshots show the malware resolving the C2 domain and the corresponding network traffic www.SecurityXploded.com
  • 20. Malware Connects to C2 Domain Below screenshots show the malware establishing connection to the C2 domain www.SecurityXploded.com
  • 21. Malware Collects System Information Below screenshots show the malware collecting the system information www.SecurityXploded.com
  • 22. Malware Collects Hostname Information Below screenshots show the malware collecting the hostname information www.SecurityXploded.com
  • 23. Malware uses XOR encryption malware uses xor algorithm (key 0x2) to encrypt the collected data www.SecurityXploded.com
  • 24. Malware uses XOR encryption (contd...) Below screenshot shows the encrypted data www.SecurityXploded.com
  • 25. Malware Sends the Encrypted Data Malware sends the encrypted data to the C2 www.SecurityXploded.com
  • 26. Malware Sends the Encrypted Data (contd...) The packet capture shows the encrypted traffic www.SecurityXploded.com
  • 27. References Complete Reference Guide for Advanced Malware Analysis Training [Include links for all the Demos & Tools] www.SecurityXploded.com