
Dissecting Carbanak

BSides Delaware · 2019 · 30:13 · 90 views · Published 2019-11 · Watch on YouTube ↗
About this talk
A deep dive into the Carbanak remote access trojan, complex banking malware disclosed in 2015 that targeted banks' SWIFT protocol communications. The speaker walks through setting up a working lab environment with the malware's leaked source code and binary, configuring its command-and-control server, and automating interaction with the malware from Python to understand its capabilities and attack mechanisms.
Transcript [en]

Welcome, everyone. This is just a talk about a malware called Carbanak, so that makes you guys in the right room. For 30 minutes today I'm going to be talking about my journey in exploring this malware that I thought was pretty cool. So let's get started with that and just...

Yes, they're looking at me, okay, okay, great. So my name is Krista Seto and I'm a system software engineer, all right, a system software engineer at Rackspace. But this is more related to my previous employment, which was at a company called Circadence. What they do is design a cybersecurity virtual environment for learning purposes. So if you think of the Hack The Box talk earlier, it's something similar to that, but on a bigger scale; they build a whole network of red team and blue team environments. So in case anybody wants to get in touch, it's kind of related to those circles. They have a lot of red team and

blue team missions, so they're cybersecurity missions, and they have things ranging from doing spear phishing; another one I worked on was on ransomware, where we put the ransomware somewhere in a mission. We are always trying to look for new and exciting malware, so what we were looking for was a mission that dealt with banking transactions. More specifically, if anybody here is familiar, there is a protocol for banking communications, for how transactions are transferred, and this is the protocol that we were looking at: the SWIFT protocol. A couple of colleagues looked around and looked for different things, and one thing that kept popping up a lot was this malware called Carbanak.

So, some background on the actual malware itself. I think the actual attack happened in 2015, so quite a while back. However, the malware itself is pretty complex and there hasn't been that much information about it out there. There are a couple of resources I found. The first company that actually disclosed this was [inaudible], and Carbanak itself has mostly been found to be present in the Eastern Europe area, including Asia, areas around there. So Kaspersky was really the first company to do analysis on it, and then a little bit after that. So here's the link; focus on the first thing if anybody needs to go back to it. By the way, this is going to be recorded, so you guys can just look at the video later on. But this was really the first write-up that came out, and let me show you what that looks like. They came out with a PDF that was more related to how the actual attack happened. They didn't talk about the intricacies of the malware itself, how it works on the inside; they talked about the communications protocol and what kind of artifacts to look for to see if you're infected. So for instance, right here, when infection happens it

installs a couple of files in certain folders. By the way, this is all Windows; this is all Windows-based malware. So after Kaspersky came out with the report, a malware analyst from FireEye analyzed the actual binary and came out with a write-up that was extremely detailed and very useful, and his report is here. After that happened, the source code was actually found online somewhere, so it was a very unique situation where somebody analyzed the binary and then you have the source code afterwards. So another researcher from FireEye went through the source code and they compared notes and kind of talked about it in this blog, and they have a follow-up YouTube video as well. So I thought that was really interesting. If you look at the blog, a lot of the comments in the source code, things like that, are in Russian. It's a little helpful if you know Russian, but, I mean, yeah, I'll go through that later on in this PowerPoint; we'll look at the actual UI, and it's in Russian. So from the FireEye report I really wanted to get the environment working, and I kind of had a lot of

struggles with actually getting it working and having it run on my system. So that's kind of what I'm going to talk about: my journey from the actual source code dump and binary to actually getting it running on my system. And then hopefully you guys can benefit from that and take my work and analyze it further, because there are a lot of interesting things happening in this malware, I think. And the other two resources: the first two resources are more technical, they're more about the actual operation of the malware and everything else; the other two are more media, they talk about the exploits and what actually happened. So those are interesting to check out as well.

So, yeah, the actual malware itself, right. It has two components. It's a remote access trojan, meaning that on the victim there is a binary that's executing and talking back to a command and control server, so it's not an exploit, right. So running Carbanak itself wasn't easy for me. I had to make a couple of changes in order to get it running, and I really wanted to have the source code and be able to compile it, because in our environment a lot of times we need to make different changes and tweak little things; if you don't have the source code you can't do that, right. So we really wanted to be able to compile the source code itself.

The bot itself is written in Win32 C++, and I really wanted to get it to compile, but unfortunately I didn't have success with that; I wasn't successful in actually compiling the Win32 C++ code. What I ended up doing was, the dump contained the actual binary, so I was able to figure out how that works and get that running on my system. What ended up happening was I committed some source code that wasn't compiling for me, and when I actually ran it, it was giving me crashes that were related to dynamic pointers. If anyone is familiar with C++, they have something called smart pointers, so they have that now. What the implementation was actually doing was implementing smart pointers in the actual source code; it was actually rewriting some smart pointers, and I think that was because the version of Win32 they were using didn't have smart pointers at that time, so they did some kind of weird stuff where they reimplemented operators, you know. So, I mean, I'm not very familiar with C++, I haven't really used it, but if anyone is familiar with C++ you can definitely give it a shot, and I think I got pretty far as far as that goes. But I mean, the binary that was there works, obviously, so there must be a way to compile it and for it to actually work. So once we have the binary, it was a little bit complicated to figure out what actually needs to happen in order for it to work. There is a binary and there is actually a separate executable, and you use the binary as input into that executable. So it's a configuration executable, and what it will do is rewrite the executable and plug its own values in there, so it'll insert the IP of the C&C,

things like that. And so there's a CLI version and there is a GUI version. What you need to do is set it up right here: I need to set my IP address right here in the configuration file, and then, if you can see at the top, let me use my laser. So right here I'm running the builder with the bot executable as the input executable and the configuration file, which is this, and the output executable is what's actually used for executing the actual binary. Like I said, it has a GUI, but it's not very good; the code for this is not especially good. You can tell that they did it really hastily, like some functions are called a certain way but they don't actually do what they're called, or you can see that somebody coded it one way and then changed the functionality a little bit inside. So it's a little bit weird in that sense. So that's one of the ways that you can configure the binary. [Audience question, partly inaudible: the IP, the one that's used on the box?] Yeah,

that's a good question. So what I got from the dump: what I did was, there was somebody else that had a GitHub where he just made a GitHub repository of all the different artifacts, and I took those artifacts and modified them. So if we're looking at the source code, I think it's this thing, right here. So this is actually a beautiful... Oh yeah, this is Russian, so it's kind of hard to understand exactly what it says; you need Google Translate or something. But all I did was figure out that "video host", the video hosting, is the address of the actual C&C. So this doesn't make much sense, like "video host", you wouldn't think that that's the C&C, but, you know, it works. Yeah, obfuscation, right. So the other thing I think that you need to change is the password, or at least you need to know what the password is, so that you can configure it after it's running.

Yes, so that's where I got those from. And then when you're actually running it, what's also interesting is that you can actually reconfigure it while it's running. In Windows it creates an instance of a named pipe, and there's another program called "batch engine"; start that up and it will set up a connection between the binary and the two binaries, and you can essentially configure it that way. And there's this little readme about the commands, and also what's nice is that the FireEye guys provided information about all the different commands. They have stuff like RDP, VPN, VNC, and I think they have a keylogger somewhere.

So that was the actual payload itself running on the actual victim. Now for the C&C: that's a C# application, and I was able to get it working with Visual Studio 2013, and I suggest you use that version if you can. All the changes that I made are actually on that GitHub account, and I created a couple of videos walking through how I actually made those changes, if anybody is interested in exploring that. But essentially what happens is this GUI right here pops up. This is the server, the back-connect server; this right here is the bot-connect server, and you see the line right here, this is the actual victim binary, the IP addresses, and then you have all the different ways you can do SOCKS and see RDP. And the other interesting thing is, right here I have the ports for the server, and you can see right here there's a listener on port number seven zero zero and, I think, this is eight zero zero, so it's the bot server and the SOCKS server. And so here we have established a connection to the victim. Yes, the bot... and actually that was first given... it has some information

about how it was encrypted. Another thing that I needed to do to actually get it to work, and thank you for asking that question because I forgot about that, another thing I needed to do to get it to work was: after you run that configuration executable, there are two files that get dumped out of that, two keys. You need to take those and put those on the server, because otherwise it's an incomplete connection. The nice thing is those are in there. But I wouldn't imagine it would be too hard to figure out what those are, especially once you have this; once I was able to modify the server it was very easy, like you can just set breakpoints on the server and see exactly what's going on, what commands are going through, what it's actually sending back, and stuff like that. So it's pretty easy to figure out once you have that.

I don't think they were doing that; I think I only needed to do that for my specific use case, you know. I think you'd want to go back to the Kaspersky paper because it has a little mention of that. Actually, I don't have knowledge about how the binary was running on the actual ATM software, I have no idea; I was just able to get it running on my own system, but there's some information here in Kaspersky about what they were doing with them.

So we had this port 700 open and we have port 800 open, right. So there's actually another command you need to run in order to actually control this, and it's called CmdManager, and that's another program that communicates with the server, and once it establishes a connection right here you're able to do file transfer. So I was able to do file transfer right here and I was able to execute commands, so it's exactly like a shell, exactly like Metasploit, you know, it's just written in C#.

So there you have a bunch of different things you can do on the actual victim itself. It's a little bit harder to see, but this is already here, and then you can start SOCKS here, you can close RDP and other stuff. A lot of the stuff I didn't actually run through, because you kind of have to spend some time and figure out exactly what it does; like I said, sometimes the button doesn't actually correspond to the action itself, because it's just a weird sort of project. So we've done similar stuff like this at Circadence, where we have Metasploit running and we needed to automate it, so we used the remote procedure call protocol Metasploit has; you can start msfrpc, and we were using that to essentially automate Metasploit in our project, and I wanted to use something like that for Carbanak as well. So what I did was I went and looked through CmdManager, that program that I just showed; I wanted to look through the communications protocol just to see how it's actually controlling the C&C, and I was able to do a very, very quick program in Python that will kind of duplicate that behavior. So, like you can see here, I can get back the... this is the back-connect from the actual box, this is my IP, and either the ports are open... I don't have much time to do much further than that, but maybe I will go back and try to actually get a better version working. Yes, so with that I just want to say that there was a very interesting [inaudible], especially on the victim's side, like what the victim binary is doing, but I think also from just a signals perspective, how the actual Carbanak works is interesting as well. What I was surprised it was doing was privilege escalation, because when I

would see the process itself, it would run as SYSTEM, it was running as SYSTEM, and if there's something worse, it installs itself as a service and starts on your system, which is very typical of Windows malware to do. And it is actually something that I would like to go back to. So the FireEye guys did a presentation, and this is the list that they have of the exploits that were being used. There's nothing like zero-days, nothing too complex; some of them they actually stole from other projects, like they stole from Metasploit and I think they stole one from Cobalt Strike as well. But it would be interesting to look at that. Yeah, so you can get my videos from my Twitter, and I just want to say thanks to my colleagues [inaudible], Mario and William. Yes, so with that I'll turn it over to questions, if anyone has any.

Yes, I believe so, because the binary that's executed on the victim itself was looking for certain processes that are popular for banking transactions in those countries, so there was something similar to... like a little program that is... what's it called...

Yeah, like in the movies.

Yes, so if you go back to this source right here, I think it's this one, there's a podcast that talks about exactly that stuff.


Yeah, yeah, [inaudible], it's very interesting.


Yeah, actually I can show you right here: this is my actual victim here and this is the C&C here that's running. I have a [inaudible] right now. What I would suggest is, if you want to do it, you want to make sure that you [inaudible]; you want to make sure you do it in that way, I can't stress that enough. But yeah, that's what I was doing: this is my victim and this is my C&C here.

Yes, I was, and I was able to find that file actually, that file that they were talking about. I found it every single time; it's a very good indicator of compromise.


Yeah, well, I think my time is up. Anybody else have any questions? Okay, thank you very much, guys. [Applause]
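The talk describes the bot being configured by a separate builder that takes the unconfigured bot executable plus a config file and writes out a patched executable with the C&C address and password embedded. The following is an added, editor-written illustration of that configure-by-patching workflow and of the reverse step an analyst performs on a captured sample (pulling the C&C settings back out). It is not Carbanak's code and the marker string, field layout and block size are assumptions chosen for the example; the real malware's configuration format is not documented on this page. The sample stub and the 10.0.0.5 / port 700 settings are constructed.

```python
"""Toy builder that embeds C2 settings into a bot stub, and the matching
extractor an analyst would use to read them back out of a configured sample.

Added illustration, not Carbanak's code. MARKER, CFG_SIZE and the field
layout are assumptions made for this example.
"""
import struct

MARKER = b"__CFG_PLACEHOLDER__"  # assumed: placeholder the stub is compiled with
CFG_SIZE = 128                    # assumed: fixed-size block that follows the marker


def build_config(c2_host: str, c2_port: int, password: str) -> bytes:
    """Serialise settings as <u16 port><u8 len><host><u8 len><password>, zero-padded.

    Rejects values that cannot be represented, so a bad config fails here
    rather than producing a silently truncated binary.
    """
    if not 0 < c2_port < 65536:
        raise ValueError("port out of range")
    body = struct.pack("<H", c2_port)
    for value in (c2_host, password):
        raw = value.encode("utf-8")
        if len(raw) > 255:
            raise ValueError("field longer than 255 bytes")
        body += struct.pack("<B", len(raw)) + raw
    if len(body) > CFG_SIZE:
        raise ValueError("configuration does not fit in the block")
    return body.ljust(CFG_SIZE, b"\x00")


def _locate_block(binary: bytes) -> int:
    """Offset of the config block, i.e. the byte right after the single marker."""
    idx = binary.find(MARKER)
    if idx < 0:
        raise ValueError("marker not found")
    if binary.find(MARKER, idx + 1) != -1:
        raise ValueError("marker occurs more than once; refusing to guess")
    start = idx + len(MARKER)
    if start + CFG_SIZE > len(binary):
        raise ValueError("block runs past end of file")
    return start


def patch_stub(stub: bytes, config: bytes) -> bytes:
    """Return a copy of the stub with the config block overwritten; size unchanged."""
    if len(config) != CFG_SIZE:
        raise ValueError("config must be exactly CFG_SIZE bytes")
    start = _locate_block(stub)
    return stub[:start] + config + stub[start + CFG_SIZE:]


def extract_config(binary: bytes):
    """Parse the block back out; None if it is all zeros (an unconfigured stub)."""
    start = _locate_block(binary)
    block = binary[start:start + CFG_SIZE]
    if block == b"\x00" * CFG_SIZE:
        return None
    port = struct.unpack_from("<H", block, 0)[0]
    pos = 2
    fields = []
    for _ in range(2):
        length = block[pos]
        pos += 1
        if pos + length > CFG_SIZE:
            raise ValueError("truncated field")
        fields.append(block[pos:pos + length].decode("utf-8"))
        pos += length
    return {"c2_host": fields[0], "c2_port": port, "password": fields[1]}


# Constructed stand-in for the unconfigured stub: a fake header, the marker,
# a zeroed config block, and some trailing bytes. Not a real executable.
SAMPLE_STUB = b"MZ\x90\x00" + b"\xcc" * 32 + MARKER + b"\x00" * CFG_SIZE + b"\xc3" * 16


def demo():
    """Build a config, patch the stub, then recover the settings from the result."""
    cfg = build_config("10.0.0.5", 700, "lab-password")  # constructed lab values
    configured = patch_stub(SAMPLE_STUB, cfg)
    return extract_config(configured)


if __name__ == "__main__":
    print(demo())
```

The extractor is the half of this that matters for defenders: if a sample's configuration is stored unencrypted, the C&C host and port can be recovered offline without ever letting the binary run. The duplicate-marker and truncated-field checks are there because a patcher that picks the first match, or a parser that trusts embedded lengths, is exactly the kind of hasty code the talk complains about in the original builder.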