
And now I'm going to invite our next speaker, who is a returning speaker to BSides Tel Aviv. Our next speaker is Omri Misgav. Omri is the CTO... yes, you can join me here, two meters apart, for social distancing. Omri is the CTO of the security threat research group at Fortinet, and he's focused on operating system (OS) internals. Now, he's spoken at BSides Tel Aviv before, but today he's going to talk to us about some very clever, some very creative criminals who want to get into his whitelist. Let's welcome Omri to the BSides stage, everyone.

Hi everyone. So, first thing first: cheers, disinfectant. Thank you. Okay, good morning, I'm happy, very happy to be here. My name is... I was already introduced, so I won't do the introductions again. The research I'm going to talk about today, that we did, was led by Rotem, our malware research team lead. He's here in the crowd, and you can also find him in our booth today, so feel free later on to give him a high five for the great work.

So today I'm going to talk to you about an interesting case we had earlier this year, when basically cybercriminals decided to hand us their malware and ask us very nicely to remove our detection from it, because it bothered them. We'll talk about what we investigated, how they approached us, and everything we found later on, which eventually led us to discover a malware delivery infrastructure that is written in Golang. So at least regarding the conference agenda today, somebody really knew what he was doing with the timing. But before we begin, just one warning: as I compiled the slides, I realized I'm a really, really bad graphic designer. So we preferred to put our money towards the ice cream that we give out in our booth, so feel free to grab a scoop later on. I think it's a much better allocation of our resources than using a graphic designer. So let's begin.

You can see here an email that we got. It was in February. The email was sent to the CEO and CTO of the company, Ken and Michael, and a few other C-level executives. If we go over it briefly (I'll read it really quickly): "I was referred to Ken by Ted Kim" (no idea who it is) "and advised that this team could help with an urgent issue we have at our company. We are suffering from false positives on our application update and it's hurting our business heavily. You're finding false positives in our software, stated as such and such. How can we work together so we can get whitelisted for the future and avoid false positives, for our company image and our users, so the company image won't be hurt, and we have further installations. You can find the download here" (the link to download here), "just take it. We also ran it in VT and you can see that we are not bluffing", pretty much. And, well, that concluded it. So we had no idea who the sender was, we had no idea who this Ted Kim that referred us was, but you can see all the grammar mistakes, uppercase, lowercase, and extra spacing all over the place. So we decided to start having a look.

The first thing we did was forensics on the email message. We checked the structure; there wasn't any extra data, any attachments or whatever, and the text of the link was the same as the address, so nobody tried to play with us. Next we looked at the headers, the SMTP headers, to see where the email came from. Everything checked out: all the servers on the way seemed trusted and well known, no signature was amiss, the data wasn't changed during transit, but it did come from a custom mailing app which wasn't really familiar. So now we had to decide what to do next. Well, we kind of clicked the link, as one would expect. We reached a site that promised us good money without doing anything, which always sounds like a great promise, so why not? And then we started looking for the same link that we were sent, but we didn't find it. Instead we could see that the download link that you can see here led to a different URL. The files that we got were of totally different, significantly different, sizes. When we started looking at them we saw that they have different icons; they were totally different software. The file that we got was in Golang, and the file we got from the website was an NSIS installer for an [inaudible] application, and both of the files were signed with the same certificate.

So when we moved forward, we started looking at the signatures to see if this file was somehow altered or whatnot. Even though you see that the certificate isn't valid, that's because it was revoked, but for at least a certain period of time it was valid. As we can see, the original on the right, the file we got from the site, the official installer as we call it, was signed with a timestamp, which means that somebody else validated the signature when the file was created. Another thing that popped up is that the email address on the certificate has nothing to do with the company, which is really strange, and when you look at the domain, it's something that is related to Apple iCloud accounts from back in 2012; if you opened an account before that, you got a few other domains with it. So it has nothing that seems even relevant to the files. We continued on, looking at the company. We wanted to see whether maybe somebody tried to kind of play with us and use a real company, or maybe the company was fake. We couldn't find any reference to the entities that were mentioned: the LLC and the other companies, like Secure Network Stacks, that are in the signature. There are no profiles of employees online, which is kind of funny because Lee was supposed to be the CTO; you'd expect somebody like that to have some presence online. And the site was up for two years, which is quite a lot of time if somebody wants to create himself a cover story and just keep it running and then use it after such an amount of time. In addition to the website, there was also the Twitter account, which wasn't very active, and there were some user reviews for the product on Google, which weren't really that positive when we think about it.
And the code signing certificates themselves: well, to get a certificate you usually have to pay someone, but those specific certificates, without extended validation, are cheaper, and getting them is usually much easier and doesn't require any more complicated authentication by the certificate authority. So at this point we weren't sure if we were at a dead end. We started reversing the binary, the Go executable that we got. It didn't look like it really installed anything in any way; it didn't have a UI, didn't create any files. It did register itself as a service, and it could update itself during its runtime. And the famous bandwidth sharing functionality? It didn't add anything like that. So we just couldn't see anything really malicious, but still not something that we could ignore, and not something that really screams "danger" at us. So we decided to keep on digging.

We had two ways that we could go from here. One was trying to figure out the timeline, when stuff changed, and go back and find the original installers, like all the original installers, and try and look for other files that are similar to the one that we got in the email. Doing it was pretty easy: we could use the certificate, the icon, the strings. A few quick searches and queries on VirusTotal and in our internal systems got us a few hits. We found an older official installer; we can see that it was a different certificate with a different validity period, and the email was relevant to the company. So that really kept us going. When we tried to look for new files, as we said, similar to the one we got, we found a binary called nethelpergui.exe, which was signed with the same certificate as the file that we were sent, and the size was nearly identical. When we bindiffed both of the files we saw that they matched almost completely. This one was first seen in the wild two days after we got the email. When we looked at the specific code changes (this is a graph disassembly of the main function), we can see on the lower right that there are a few new basic blocks. So when we ran it we saw the flow that happens. First of all, it checks if the service is not installed, and in case it isn't, it's the first time it's been executed, so it will call a function that will download and execute another executable named ProgWrapper.exe, which we'll talk about in just a bit, and then it will go ahead to install itself as a service and restart itself as a service. What the service will do, when it starts, is the main function will run: it registers a timer, and every five minutes it will check for an update. This update is being done using an open source library. As mentioned previously, Go has a very, very significant open source ecosystem. And if an update is available... thank you, give it up for the team... when an update is available, it will simply fetch it and restart itself. So the tools that we found, we named them NetBounce; we'll see why in a second.

So the self-update capability that we mentioned is using the Equinox package. It's both an SDK and a public paid service, meaning that they offer the ability for you to pay them and then they will host you, and you pretty much don't have to deal with all the logistics of the updates. They also have pretty good documentation, and that code we found copy-pasted inside the malware pretty much without changes. We can see that on the left of the screen: it took the code as is and didn't change it a bit. On the right, this is post-update: they changed the package name alongside changing the default values for the download URL and the user agent. Another change was that in the first stage, the pre-update version had a hard-coded app ID, while following the update they changed to an app ID that is generated from the machine serial number.

So another capability that we found was the reverse proxy. This capability was in the post-update sample. Maybe you could think that it's the promised bandwidth sharing functionality, and that is at least partially true; you just won't get any money out of it. It also used another open source Go package, the tunnel package, and it was also changed slightly, just in order to allow the attackers to decide where they can redirect the traffic. The package by default does the redirection only locally, only on localhost, so you can see that the formatting is just slightly different. So just to recap for a second: we had two stages, pre-update and post-update. The pre-update can lead to an execution of a different program, called ProgWrapper, which we'll talk about in a second; it has persistence for itself, and the update is redirected to Equinox. And post-update, the updates go through the NetBounce domain.
So what is ProgWrapper? We asked ourselves if we had reached an actual payload, because up until now it was only the delivery phase. So, not entirely, but it was also signed with the same certificate, the same fake certificate. It basically also downloads and executes another program, but it does some basic checks before that: it fetches some sort of configuration, it checks whether a file or a registry key exists on the machine beforehand, and if not, then it will download it and execute it. So the payload that we got, output40.exe, turned out to be an infostealer. It was packed with a few layers that also seem to be related to this malware delivery infrastructure. The payload that we saw was Ficker Stealer, which at the time was relatively new; it was less than six months old. Reports linked it mainly to Hancitor. Its developer advertised it on Russian hacking forums, and its developer actually handed it out for review. You can find it online; it's very funny to see, and Google Translate does a really good job on that. It's written in Rust. Up until now most of the files were developed in Go, but this one is in Rust, and it also eventually has its own download-and-execute capability. And one other thing that is interesting is that we can see the tracking folder at the start. This is the actual first operation that happens in this variant of Ficker Stealer; we went back, and in previous variants it wasn't there. Going back for a second, this is a similar path to what we get from the configuration of the downloader, so it's another interesting link between them.

So at this point we did this cycle a few more times, and every time we got a new piece of information we chased it. We also found support for cross-platform, and variants for Mac, which we found via hunting. It used the same app ID and similar URLs for download. Basically, we found an app package with a post-installation script that fetches the first stage variant and then executes it. We also found Linux samples, a few actually, and here we did a nicer trick. Basically, since the updating capabilities are implemented by the same Equinox SDK, we kind of figured out how the links to the binaries on the server look. We relied on the fact that if the client is Equinox, the server side might be Equinox as well, and started figuring out all the details that it sends in the protocol and how it builds the URL to download the file. So basically it uses the name of the executable with the version, OS and architecture, and then we just started messing with it until we managed to fetch samples from the NetBounce server. The infection vector we found to be ZIP archives and MSI installers, which makes sense, because that's the first time the pre-update stage one variants are being executed; the service is not installed yet, so it will also do the extra download and execute of ProgWrapper. They also had ProgWrapper here, and the stage one variant also had shared code; the same download-and-execute function was pretty much the same. And we got other payloads. We also found a ProgWrapper variant with a reverse shell mini-backdoor; if you want, it added the command functionality, and for some reason it decided to use the NetBounce user agent. We also captured more infostealers, such as Vidar Stealer, and other variants of the packer that basically worked a bit differently, though the layers were pretty similar.

So if I just have to recap for a second, now that we have the entire picture, all that we see circled in red is what we call the NetBounce toolset, which is a pretty complex operation. The C2 infrastructure that we saw, going over it pretty quickly: many of the domains were registered by the same entity; even though the registration was private, you can still see it's the same account that did that. The subdomains are the same: some use the same subdomain and some use the same, very similar, distinct pattern, even though it's not really, let's say, complicated. All the domains resolved to the same IPs on the same subnet, and some different domains also pointed to the same servers.
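The infrastructure pivots the talk describes (domains sharing resolved IPs or a subnet, subdomain labels reused across registrable domains, and a campaign lifetime read from first-seen/last-seen dates) are the kind of thing a small script over passive DNS records can make repeatable. The block below is an added example, not the speaker's or Fortinet's code, and the records in it are constructed placeholders in documentation IP ranges and `.test` names, not the campaign's real indicators; the record layout (domain, IP, first_seen, last_seen) is an assumption about what an analyst would export from a passive DNS source.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (domain, resolved IP, first_seen, last_seen).
# Placeholder names and documentation-range addresses, not the campaign's real indicators.
SAMPLE_RECORDS = [
    ("update.example-a.test", "203.0.113.10", "2021-01-20", "2021-02-14"),
    ("dl.example-a.test",     "203.0.113.10", "2021-01-25", "2021-02-14"),
    ("update.example-b.test", "203.0.113.22", "2021-02-15", "2021-03-30"),
    ("cdn.example-b.test",    "203.0.113.22", "2021-02-15", "2021-03-30"),
    ("update.example-c.test", "203.0.113.40", "2021-03-01", "2021-04-10"),
    ("www.unrelated.test",    "198.51.100.7", "2020-06-01", "2021-05-01"),
]


def subnet24(ip: str) -> str:
    """Return the /24 network an IPv4 address belongs to, as a string."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def cluster_by(records, key):
    """Group domains by key(ip); keep only keys shared by more than one domain.

    key=lambda ip: ip clusters on exact IP, key=subnet24 clusters on the /24.
    """
    groups = defaultdict(set)
    for domain, ip, _first, _last in records:
        groups[key(ip)].add(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def shared_labels(records):
    """Map each leftmost label (e.g. 'update') to the parent domains that reuse it.

    Reused subdomain naming across otherwise unrelated registrable domains is one
    of the weak links the talk mentions between the NetBounce domains.
    """
    labels = defaultdict(set)
    for domain, _ip, _first, _last in records:
        parts = domain.split(".")
        if len(parts) >= 3:
            labels[parts[0]].add(".".join(parts[-2:]))
    return {k: sorted(v) for k, v in labels.items() if len(v) > 1}


def campaign_lifetime(records, subnet):
    """Earliest first_seen and latest last_seen across domains resolving into subnet.

    Dates are ISO-8601 strings, so plain string comparison orders them correctly.
    Returns None when no record resolves into the subnet.
    """
    spans = [(first, last) for _d, ip, first, last in records if subnet24(ip) == subnet]
    if not spans:
        return None
    return min(f for f, _ in spans), max(l for _, l in spans)


if __name__ == "__main__":
    print("shared IPs:", cluster_by(SAMPLE_RECORDS, lambda ip: ip))
    print("shared /24s:", cluster_by(SAMPLE_RECORDS, subnet24))
    print("shared labels:", shared_labels(SAMPLE_RECORDS))
    print("lifetime:", campaign_lifetime(SAMPLE_RECORDS, "203.0.113.0/24"))
```

On the constructed data the exact-IP clustering links the two `example-a` hosts and the two `example-b` hosts, the /24 clustering pulls in `example-c` as well while leaving the unrelated domain out, and the label pass shows `update.` reused across all three parent domains; the lifetime over the shared subnet spans the earliest and latest observation dates.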
The same IP addresses. We could also see, when we looked at passive DNS data, the lifetime of the campaign. We got the email on the 12th, and pretty soon after, we could see that the threat actor decided to start changing the domains, maybe because we didn't respond to their call. And here our investigation ended; we decided that's it and we can move on to our next thing. Our conclusions were that the sample that they sent us, that they pointed us at, is a sterilized stage 2 post-update: it had the NetBounce version of the update mechanism and no ProgWrapper, no download-and-execute, and no reverse proxy, so maybe it would be a bit less suspicious. They did it in order to trick us so we would whitelist them, not in order to infect us, and their end goal is using smash-and-grab stealers such as Ficker and Vidar.

So just to wrap up: basically the threat actor was very confident with their, let's say, cover story and tooling, and they decided to try and use it directly against a security vendor with social engineering; maybe if you can't beat them, then ask them nicely to let you go. We saw a pretty complex multi-stage infection mechanism. It can be activated at any point in time, and even after it works for the first time, it stays there and they can reuse it again and again. Since all the tools were written in Go, it was really, really helpful, at least for the attackers; it really cut down their work time, and they only needed to use open source that had all the functionality they needed, with really minimalistic changes. To support the different operating systems they only had to switch the compilation target, and that's pretty much it. Almost. I have to admit that when I prepared the slides for this talk I was a bit bummed. I started working on it and I saw that basically I'm going to do a talk about a malware infrastructure that is six months old and is not very active anymore. But apparently, up until this week, I was wrong. Introducing MosaicLoader. So the day before last, Bitdefender published a report about it. It looks really similar to ours: it shares the same infrastructure, same TTPs, same installer theme, the signed binaries look the same, multi-stage infection mechanism, and the same ProgWrapper; it's pretty much all the same code. And yeah, as I mentioned, it shares the domains and IPs, and it also delivers infostealers. It basically seems like a port to Delphi. So when we looked at it, I looked very briefly, and it seems that like three weeks after we published our work, the attacker switched and this new campaign began. So it is interesting to see that they are still active. Any questions? Thank you.

Thank you so much.