APTs are known to use advanced Techniques, Tactics, and Procedures (TTP), including advanced malware design with protection layers, sandboxing evasion, and lateral movement inside penetrated networks to seek out high value targets. In this webinar, Nick Bilogorskiy of Cyphort Labs will review various lateral movement techniques and methods used by advanced threats in the past. He will look at some APT samples, e.g. Shamoon, in detail to show the specific steps in the lateral movement by the malware. Understanding the lateral movement of APT should help security defenders to better select and implement protection solutions.
6. Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data
7. What is Lateral Spread
Lateral Spread is the
movement of malware
within the same
network.
It is also called
east-west movement as
opposed to north-south
movement.
9. Stages
Stage 1
Reconnaissance
• Network hierarchy
• Services used in
servers
• Operating systems
• Check host naming
conventions
• Use netstat tool, port
scanning
Stage 2
Stealing Credentials
• Use keyloggers
• pwdump tool,
mapiget, lslsass, WCE
tools
• Brute force attacks -
guessing passwords
• Look for credentials
for systems, servers,
switches
Stage 3
Infiltrating Other
Computers
• Remotely access
desktops and blend in
with regular IT
support staff
• PsExec and WMI tools
13. Shamoon
Shamoon - August 2012
o Shamoon rendered up to 30,000 computers inoperable at Saudi
Aramco, the national oil company of Saudi Arabia.
o Credit claimed by Cutting Sword of Justice
14. Shamoon
o Installs itself as a service
o Connects home every 5 mins to send stolen data
o Spreads to other Windows hosts via SMB
o Uses dictionary of passwords to drop a copy of itself
to ADMIN$ network share.
16. What was stolen and leaked?
In a word, everything!
Personal data on employees
Movies and Scripts
Performance reports and salary information
Source code, Private keys, passwords, certificates
Production schedules, Box office projections
Executives email correspondence
Brad Pitt phone number! and more..
18. Wiper Switches
The module can be executed with many parameters:
switch description
-i Install itself as a service
-k Remove the service
-d Start file wipe module
-s Mount remote shares with hardcoded passwords and delete files
from them
-m Drop Eldos Software RawDisk kernel driver to wipe MBR
-a Start anti-AV module
-w Drop and execute webserver to show the ransom message
19. -w Warning
o Drops a decrypted from
resource section webserver
o Runs on the infected machine
with the only purpose of
showing the user this ransom
message
20. -d Delete
o Sends string of “AAAAA”s in a
loop to the Eldos driver
requesting it to write directly
to the hard disk.
o Deletes all files in the system
except the files with
extension exe and dll
o Known to wipe out network
drives
22. Dridex Trojan
o First seen: Nov 2014
o Target: North American and European Banks
o Distribution: Spam mails with Word Documents,
o Infected Users: about 29,000 (Symantec)
23. Conficker
o Devastating worm that infected over 15 million computers through
MS08-067, file shares and removal media
o Microsoft disabled autorun in response to this worm
15 million computers
infected through MS08-067,
file shares and removal media
24. Stuxnet
o Spread using 0-day
exploits and network
file shares
o Disabled 1000 Iran's
nuclear centrifuges
in 2009
26. Target Breach Malware - BlackPOS
BlackPOS
o November 2013
o 110 million cards stolen
o $500 Million total
exposure to Target (Gartner)
o Cards resold on Rescator forum
27. How did the breach happen?
o Utility contractor’s Target credentials compromised
o Hackers accessed the Target network
o Uploaded malware to a few POS systems
o Tested malware efficacy and uploaded to the majority of
POS systems
o Data drop locations across the world
27
Login from the HVAC
contractor
Target’s POS
updater server
Target’s internal
server with
fileshare
Credit card info
transfer to internal
fileshare
Card info infiltration
using FTP to external
drop location
Point of sale network
Compromised drop
locations
28. What is BlackPOS/Potato?
o Malware is a modified version of BlackPos or
Kaptoxa (Russian for Potato).
o
Runs on point of sale terminals and scans
memory for credit card data.
o First samples of this malware date back to Jan
2013 and were coded by Rinat Shibaev aka
“ree4”, aka “AntiKiller” from Russia.
o Malware was sold by Antikiller on hacker
forum. However Antikiller is not directly
involved in the Target breach.
28
Malware on sale
ree4
29. Who wrote BlackPOS/Potato?
o The suspect in the breach is a person called
“Rescator” aka “Hel”. He is part of a larger
hacker network called “Lampeduza Republic”
o Rescator sold the stolen Target card info in bulk
in underground markets at a price of $20-45
per card.
o Brian Krebs named Andrey Hodirevski from
Ukraine as Rescator.
29
Hel
30. Malware Workflow
30
1. Infect System
o Adds to autostart via
service
o Download and run
memory scraper
2. Steal Info
o Use memory scraping to
find credit card data
o Output to a file locally
o Send the dump file to
exfiltration server via
SMB
3. Exfiltrate Info
o Periodically scan
winxml.dll for updates
o Upload information to
the FTP server
31. Dissecting the Malware
31
This malware had 2 modules:
o Mmon module – is used for scanning the memory of the POS machine
, extract credit card numbers and dump them to a file, then send them
to another compromised system inside Target’s network via network
share
o Bladelogic Uploader module – is used to upload those dumps into an
ftp server.
32. Dissecting the Target Malware
o Mmon module creates a thread that will upload the stolen
information to another compromised system within Target’s network
using a network share with the following credentials:
o hostname: 10.116.240.31
o username: ttcopscli3acsBest1_user
o password: BackupU$r
o Afterwards, it deletes the mapping of
the drive to avoid detection.
32
33. More Examples of Lateral Spread Malware
o Allaple
o Bondat
o Bugbear
o Dorkbot
o Gamarue
o Katar
o Kenilfe
o Mytob
o Narilam
o Nimda
o Pushbot
o Rimecud
o Sality
o Silly
o Vobfus
38. Conclusions
o It is not sufficient to monitor the egress point for threats
o Apply Machine Learning to all malware inspection, including
lateral spread
o Go deep and wide in the network
o Correlate north-south and east-west malware movements
o Attack malware at each stage of the malware kill-chain.
