Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
I Know You Want Me - Unplugging PlugX
1. I Know You Want Me
- Unplugging PlugX
Takahiro Haruyama / Hiroshi Suzuki
Internet Initiative Japan Inc.
2. • Takahiro Haruyama (@cci_forensics)
– Forensic Investigator & Malware Analyst
– Presenter & Hands-on Trainer
• SANS DFIR Summit, BlackHat USA/EU, CEIC, FIRST, RSA
Conference JP, etc..
– EnCase Certified Examiner since 2009
– http://takahiroharuyama.github.io/
• Hiroshi Suzuki (@herosi_t)
– Malware Analyst & Forensic Investigator
– Presenter & Hands-on Trainer
• Co-author of Haruyama’s presentation of BlackHat
USA/EU, FIRST, domestic conference in Japan (MWS, and
others)
Who are we?
3. • Motivation
• Behavior of PlugX
• Parsing PlugX Config
• Associating PlugX samples with known
targeted attacker groups
– Classifying PlugX samples
– Finding relationships between PlugX groups
and known attacker groups
• Wrap-up
Overview
5. • RAT used for targeted attacks
– Also known as
Korplug/Gulpix/Sogu/Thoper/Destory RAT
– Acknowledged in 3Q of 2011 [22]
• Trend Micro pointed out it was part of a campaign
that has been since 2008 [1]
– The author extends its implementation
aggressively
• AlienVault [2] and AhnLab [3] profiled the author
What‘s PlugX?
6. • PlugX includes config data like PoisonIvy
– e.g., C2 hostname/IP/domain, installed service
name/registry value
• The config information can be used for identifying
attacker groups
– FireEye published the analysis result about PoisonIvy
configs [4]
– So, what about PlugX?
• The author's continual update makes it difficult
– 10 config size versions
– frequently-changed encryption algorithms
• We categorized PlugX samples in terms of attackers
based on intelligence extracted from config data and
code
Motivation
13. • C2 Setting
– protocol, port, hostname
• C2 Setting URL
– download C2 Setting from the URL
• Install Options
– type (service, registry, registered_by_loader)
– install folder path
– service name, registry value
• Others
– Proxy Setting
– stand alone flag (not inject code)
– code injection target
– mutex name
Type I: Config (Xsetting)
14. • C2 Setting URL
examples
– http://dl.dropboxuser
content.com/s/eg3qu
sm8pl4iz49/index.txt
– HTTP://TIEBA.BAIDU
.COM/F?KZ=8669653
77
• Download data from
the URL and decode
a string between
“DZKS” and "DZJS“
Type I: Downloading C2 Setting
“127.0.0.1” encoded
15. • Some samples include debug string
– file name
– function name
– version path
– etc…
• Useful information for analysis
Type I: Debug Strings
18. • Supported Protocols
– TCP, HTTP, UDP, ICMP (not implemented)
• Traffic data is encrypted
– the same algorithm as PlugX Payload
Type I: Protocols
dword value
used as key
(date?)
19. • For default UAC setting Win7 machines
(ConsentPromptBehaviorAdmin != 2)
– PlugX: create msiexec.exe process and inject
code to it
– msiexec.exe: abuse DLL load order to
execute malicious code in sysprep.exe
process
– sysprep.exe (privileged): run PlugX again
Type I: Bypassing UAC Dialog
20. • Type I
• Type II
• Type III
Behavior of PlugX
21. • Observed since 2013/3Q
• The differences from type I
– Anti-reversing/forensic techniques
– Encryption algorithm changed
– Config extended
– More protocols
• ICMP
• DNS [5] (not sure)
– More functions
• e.g., network sniffing to steal proxy auth info
– Debug strings suppressed
Type II: Summary
22. • PlugX payload MZ/PE signatures replaced by “XV”
• magic “GULP” in encrypted data table eliminated
• string obfuscation (decode/clear)
• massive API wrappers added for anti code diffing
Type II: Anti-reversing/forensic
techniques
Type I Type II
24. • magic word for message authentication
• multiple code injection targets (1 -> 4)
• configuration for screenshots
Type II: Config Extended
25. • Type I
• Type II
• Type III
Behavior of PlugX
26. • Observed since 2011/3Q
– It may be ancestor of Type I & II, but still evolving
• The differences from type I&II
– Very different implementation
• no PlugX Payload, no encrypted data table
– More advanced anti-reversing
• string obfuscation (200->1000)
• code obfuscation
– Config shrunk
• C2 Setting/C2 Setting URL/Proxy Setting merged
• Recently Type II members (e.g., magic word) added
– TCP & HTTP supported
Type III: Summary
28. • Type III checks the consistency of its
decrypted config
– If not successful, pop up a message
– The correct spelling seems to be “DESTROY”
Type III: “DESTORY”?
29. Comparison
Type I Type II Type III
features in common basic functions (e.g., UAC pop-up bypassing, C2SettingURL decoding),
protocols (e.g., characteristic HTTP headers, date dword encryption
key), C2 command numbers (e.g., disk/registry operations)
executable loading
PlugX
signed exe signed exe rundll32
encrypted data table Yes Yes
(no “GULP”)
No
protocols TCP,HTTP,UDP TCP,HTTP,UDP,
ICMP,DNS?
TCP,HTTP
Debug Strings
(Version Path)
sometimes rarely not at all
string obfuscation No Yes Yes
(much more)
code obfuscation No No Yes
date dword
encryption key
20120123, 20121016,
20121107,
20130810 20100921, 20111011
31. • “PlugXExtract” for Type I [6]
– decrypt PlugX Payload, but not parse
• “plugxdecoder” for Type I [7]
– decrypt PlugX traffic then extract the
artifacts (not parse)
• Volatility Plugin for Type I & II [5]
– decrypt then parse
• supported 6 config size versions
– 0xbe4, 0x150c, 0x1510, 0x1b18, 0x1d18, 0x2540
Related Works
32. • Type I & II
– Immunity Debugger script
• Search encrypted data table in injected process
– “GULP” signature for Type I
– PIC (Position Independent Code) for Type II
• Decrypt (&decompress if needed) config/original PE
• Parse config
– supported: 0x150C, 0x1510, 0x1B18, 0x1D18, 0x2540
• Type III
– IDAPython script
• Deobfuscate strings and identify config decryption
routine
– You need to specify the deobfuscation function
• Decrypt and parse config
– supported: 0x72C, 0x76C, 0x7AC, 0x840, 0xDF0
Implementation
35. • We collected PlugX samples from …
– Incidents (we responded)
– Some sandboxes (such as Malwr)
– Some malware databases (such as Virus
Total, malware.lu, Open Malware)
• We analyzed 150 samples,
– 27 samples are “DEMO” version.
– We classified other 123 samples at this
time.
Classification and Association Overview
36. 1. Extracting configurations from PlugX samples
Classification and Association Procedure
PlugX
samples
Type III
Type I & II
Extract Configurations
IDA Python
Script
ImmDbg
Script
Configurations
Registry
value
Service
name
Mutex
C&C servers
Extract Configurations
And so on…
37. 2. Categorize samples into some groups
a. Make groups based on service name (registry value)
Classification and Association Procedure (Cont.)
PlugX
samples
Type III
Type I & II
Classifying samples
PlugX Group
GroupA
GroupB
GroupC
GroupD
Service name
Classifying samples
38. 2. Categorize samples into some groups
b. Merge groups by using another information (C&C server and etc)
Classification and Association Procedure (Cont.)
PlugX
samples
Type III
Type I & II
Classifying samples
PlugX Group
GroupA
GroupB
GroupC
GroupD
C&C server information
Classifying samples
39. 3. Find relationships between the PlugX groups and published
targeted attack reports
Classification and Association Procedure (Cont.)
Published
reports
Checking relations
PlugX Samples
GroupA
GroupB
GroupC
GroupD
C&C server information
Checking relations
40. • Final Goal
Classification and Association Procedure (Cont.)
Published
reports PlugX Samples
GroupA
GroupB
GroupC
GroupD
41. 1. Extracting configurations from PlugX samples
– With Immunity debugger script (for type I and II) and
IDA Python script (for type III) we mentioned earlier.
2. Categorize samples into some groups
a. Make groups based on service name (registry value)
• Except default service name (SxS, XXX, TVT)
• 1 group includes at least 4 samples
b. Merge groups by using another information
• C2 (IP address, hostname, domain, owner email)
• debug string (version path), Protocol
• etc…
c. Repeat step “a” and “b”.
3. Find relationships between the PlugX groups and
published targeted attack reports
– Hash or C2 (IP address, hostname, domain, owner email)
– etc…
Classification and Association Procedure (Cont.)
42. • VirusTotal passive DNS
– https://www.virustotal.com/en/documentation/sear
ching/
• AlienVault Open Threat Exchange
– http://www.alienvault.com/open-threat-exchange
• TEAM CYMRU IP to ASN Mapping
– https://www.team-cymru.org/Services/ip-to-
asn.html
• Many targeted attack reports [8]-[21]
• Our internal Passive DNS and IP2DNS system
• dig, nslookup, whois command
– And other whois sites
The Main Source of the Intelligence
for the C2 Connection
45. The Legend of The Correlation Diagram
PlugX Group
Known Attacker
Group
Malware sample C&C server
FQDN / IP address Domain Malware
Configurations
Network range Domain Owner
46. • We found seven groups.
Summary of PlugX Groups
Group
Name
Type I
Samples
Type II
Samples
Type III
Samples
Total Samples
in the Group
*Sys 15 0 5 20
*Http 12 3 0 15
Starter 13 7 4 24
Graphedt 8 0 0 8
WS 6 1 0 7
360 4 0 0 4
cochin 0 0 4 4
- (Others) 30 8 3 41 *1
*1: 8 samples in Others
were related to known attackers.
2/3 (67%)
of all samples
71. *Http Group
• Sample 69 and sample 60, 61 have the same registry value.
Note:
Sample 13 whose service
name is “GbfHttp” and
sample 69 share C2 address
(103.246.244.212).
72. *Http Group
• Sample 69 and sample 60, 61 have the same registry value.
Note:
Sample 13 whose service
name is “GbfHttp” and
sample 69 share C2 address
(103.246.244.212).
73. *Http Group
• Sample 24 and sample 23, 53, 20 use “*Gf” value as the
service name.
– And similar debug strings.
Note: Sample 16 whose service name is “GdyHttp”
and sample 24 share C2 domain (baatarfuu.com).
74. Note: Sample 16 whose service name is “GdyHttp”
and sample 24 share C2 domain (baatarfuu.com).
*Http Group
• Sample 24 and sample 23, 53, 20 use “*Gf” value as the
service name.
– And similar debug strings.
75. Note: Sample 16 whose service name is “GdyHttp”
and sample 24 share C2 domain (baatarfuu.com).
*Http Group
• Sample 24 and sample 23, 53, 20 use “*Gf” value as the
service name.
– And similar debug strings.
76. Note: Sample 16 whose service name is “GdyHttp”
and sample 24 share C2 domain (baatarfuu.com).
*Http Group
• Sample 24 and sample 23, 53, 20 use “*Gf” value as the
service name.
– And similar debug strings.
77. Note: Sample 16 whose service name is “GdyHttp”
and sample 24 share C2 domain (baatarfuu.com).
*Http Group
• Sample 24 and sample 23, 53, 20 use “*Gf” value as the
service name.
– And similar debug strings.
86. • The C2 of sample 71 using “Starter” string and flower-
show.org connect to 103.246.245.124.
Starter Group
87. • The C2 of sample 71 using “Starter” string and flower-
show.org connect to 103.246.245.124.
Starter Group
88. • Sample54, 55 and 56 use “SxS[a-z]” as the service name.
– And these samples use the same debug string.
Starter Group
Note:
Sample 56 whose C2 is *.flower-show.org and sample 71 whose
service name is “Starter” share the same IP address,
103.246.245.124 (see the previous slide).
89. Note:
Sample 56 whose C2 is *.flower-show.org and sample 71 whose
service name is “Starter” share the same IP address,
103.246.245.124 (see the previous slide).
• Sample54, 55 and 56 use “SxS[a-z]” as the service name.
– And these samples use the same debug string.
Starter Group
107. • We found some relationships between PlugX
samples and the following attacker groups at this
time.
– Maudi Operation (Norman Shark) [8]
– 1.php (Zscalar) [9]
– Sykipot (Symantec) [11]
– menuPass (FireEye) [12]
– APT1 (Mandiant) [14]
– Winnti (Kaspersky) [15] [16]
– Hangover (FireEye) [17]
– Night Dragon (Command Five) [18]
– Ke3Chang (FireEye) [19]
– ICEFOG (Kaspersky) [20]
– Khaan Quest (TCIRT) [21]
The Overview of the Relations
to Known Attacker Groups
115. • A poison ivy sample of 1.php [9] connects to “Starter” group.
1.php
116. • A poison ivy sample of 1.php [9] connects to “Starter” group.
1.php
117. 1.php
• A poison ivy sample of 1.php [9] connects to “Starter” group.1.Php Poison Ivy sampleStarter group sample
118. • 1.php is potentially related to APT1, zscaler said [9].
• flower-show.org targets Japan, China, Taiwan /
USA relationship, contagio dump said [10].
1.php
http://contagiodump.blogspot.jp/2011/07/message-targeting-experts-on-japan.html
120. • The IP address of the C2 used
by sample 62 belonging to “WS”
group is the same as the one
used by Sykipot [11].
Sykipot
121. • The IP address of the C2 used
by sample 62 belonging to “WS”
group is the same as the one
used by Sykipot [11].
Sykipot
122. • The IP address of the C2 used
by sample 62 belonging to “WS”
group is the same as the one
used by Sykipot [11].
Sykipot
123. • The companies attacked by this latest wave of
Sykipot include, but aren’t limited to, organizations
in the following market sectors, primarily based in
the US or UK:[11]
– Defense contractors
– Telecommunications
– Computer Hardware
– Chemical
– Energy
– Government Departments
Sykipot
124. • Another C2 of 1.php Poison Ivy sample connects to
96.43.141.186. This connects to Sykipot C2.
Sykipot
125. • Another C2 of 1.php Poison Ivy sample connects to
96.43.141.186. This connects to Sykipot C2.
Sykipot
168. • Some “*Http” group samples and sample 21 connect to Khaan
Quest [21].
Khaan Quest
169. • Some “*Http” group samples and sample 21 connect to Khaan
Quest [21].
Khaan Quest
170. • We found some known attacker groups and its relations from
PlugX samples.
Summary for Relations
171. • We found some known attacker groups and its relations from
PlugX samples.
Summary for Relations (Cont.)
172. • These samples are related to some known attackers, we can’t
merge them into any PlugX group though.
– sample97 : Maudi Operation
– sample88 : APT1
– sample95 : Winnti, Night Dragon, APT1 (potentially)
– sample93 : Winnti, APT1
– sample105 : Winnti
– sample86 : Winnti
– sample87 : Winnti
– sample21 : Khaan Quest
• We couldn’t find any relationships between the following PlugX
groups and known attackers at this time.
– “Cochin” group (4 samples)
– “360” group (4 samples)
Summary for Relations (Cont.)
174. • Analyzed 3 types of PlugX samples
– Implemented PlugX config parsers for all types.
• Categorized samples into groups based on PlugX
config and code.
– Some groups are connected to known targeted
attacker groups.
• According to the knowledge, We can develop
countermeasures about not only a few malware samples
but also entire attack methods using them
• The tools and the results are available on
BlackHat archives
– PlugX is widely used in many incidents, so why don’t
we share the analysis results?
Wrap-up
176. [1] PlugX: New Tool For a Not So New Campaign
<http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-
tool-for-a-not-so-new-campaign/>
[2] Tracking down the author of the PlugX RAT
<http://www.alienvault.com/open-threat-exchange/blog/tracking-down-
the-author-of-the-plugx-rat>
[3] ETSO APT Attacks Analysis
<http://image.ahnlab.com/global/upload/download/documents/14012236
31603288.pdf>
[4] Poison Ivy: Assessing Damage and Extracting Intelligence
<http://www.fireeye.com/blog/technical/targeted-attack/2013/08/pivy-
assessing-damage-and-extracting-intel.html>
[5] PlugX "v2": meet "SController“
<http://blog.cassidiancybersecurity.com/post/2014/01/PlugX-v2%3A-
meet-SController>
[6] PLUGX - PAYLOAD EXTRACTION
<http://www.contextis.com/research/white-papers/plugx-payload-
extraction/>
[7] plugxdecoder
<https://github.com/kcreyts/plugxdecoder>
176
References
177. [8] The Chinese Malware Complexes : The Maudi Surveillance
Operation
<http://normanshark.com/wp-content/uploads/2013/06/NormanShark-
MaudiOperation.pdf>
[9] Alleged APT Intrusion Set: “1.php” Group
<http://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.p
df>
[10] Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from
112.121.171.94 | pu.flower-show.org
<http://contagiodump.blogspot.jp/2011/07/message-targeting-experts-on-
japan.html>
[11] The Sykipot Attacks
<http://www.symantec.com/connect/blogs/sykipot-attacks>
[12] Poison Ivy: Assessing Damage and Extracting Intelligence
<http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf>
[13] Internet Infrastructure Review (IIR) Vol.21
<http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol21_EN.pdf>
177
References (Cont.)
178. [14] APT1: Exposing One of China's Cyber Espionage Units
<http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf>
[15] “Winnti” | More than just a game - Securelist
<https://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-
game-130410.pdf>
[16] The rush for CVE-2013-3906 - a hot commodity
<http://www.securelist.com/en/blog/208214158/The_rush_for_CVE_2013_39
06_a_hot_commodity>
[17] Exploit Proliferation: Additional Threat Groups Acquire CVE-2013-
3906
<http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-
proliferation-additional-threat-groups-acquire-cve-2013-3906.html>
[18] Command and Control in the Fifth Domain
<http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf>
[19] Operation “Ke3chang” - Targeted Attacks Against Ministries of
Foreign Affairs
<http://www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf>
178
References (Cont.)
179. [20] THE ‘ICEFOG’ APT: A TALE OF CLOAK AND THREE DAGGERS
<http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf>
[21] Khaan Quest: Chinese Cyber Espionage Targeting Mongolia
<http://www.threatconnect.com/news/khaan-quest-chinese-cyber-espionage-
targeting-mongolia/>
[22] SK Hack by an Advanced Persistent Threat
<https://www.commandfive.com/papers/C5_APT_SKHack.pdf>
179
References (Cont.)