
Malware C2 over x509 Certificate Exchange

BSides Springfield · 2017 · 16:31 · Published 2018-02
Category: Technical
Style: Talk
About this talk
Security BSides Springfield, 2017 (Drury University, Springfield, MO). Talk 1.9: Jason Reaves, "Malware C2 over x509 certificate exchange".

Link to slides, download video and podcast versions of this and all BSides Springfield talks: drive.google.com/open?id=0BxW... If the slides for this talk are not there, they will be there very soon; please check back.

Jason wrote up an awesome related post at https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities and a related blog covered the network aspects: https://www.netresec.com/?page=Blog&month=2018-02&post=Examining-an-x509-Covert-Channel

Full video of this talk can be downloaded at https://drive.google.com/open?id=1w27_GGwy8NTOwjOZW1vNS94lxGkJiJZc (HD) or as a small-file version at https://drive.google.com/open?id=1t671Tl4IvRkpxKSe0b8Z9MWvReyM9Pin, and you can stream it in HD on YouTube at https://www.youtube.com/watch?v=eD5Arky7HnA

Get the podcast version of this talk as a free download at https://soundcloud.com/securitybsides/jason-reaves-malware-c2-over-x509-talk-from-bsides-springfield-19-2017?in=securitybsides/sets/bsides-springfield-2017 and the whole playlist at https://soundcloud.com/securitybsides/sets/bsides-springfield-2017

Music featured at the end and beginning: "Over your cities grass will grow" by Ötone (Pablo Diserens), from the label YGAM (@ygam). Used with permission from YGAM and the artist. Learn more about the artists and download the songs for free at soundcloud.com/ygam/sets/otone-past-structures-present-matter-ep-ygm003-1 or at ygam.bandcamp.com/album/past-struc…resent-matter-ep. All other audio is from the conference or the VOC team.

Official links: @BSidesSpfd, www.securitybsides.com/w/page/116970567/BSidesSpfd

VOC angels: @ablythe (twitter.com/ablythe), @cherokeejb_ (twitter.com/cherokeejb_). Follow cherokeejb.blogspot.com/ for more video and audio from Springfield, as well as upcoming DFIR, security operations, and forensics posts.

Other volunteers included (thanks!): Beth Young, Shannon McMurtrey, Lorne Hazlewood, Steve McIntosh, Matt Stephenson, Ryan Halstead.

Sponsors (also, a big thanks!), with special thanks to augustalocksports.org/ (@pickaugusta): Jack Henry & Associates, Inc.; Drury University; Revolutionary Security; Forcepoint by Raytheon; O'Reilly Media; Splunk; Motta Network Experts, Inc.; No Starch Press; IBM.

Other presenters: @armycyberinstitute, @amaughan, @c2thewinkler, @securithid, @sysopfb, @motta_mike (mnex.biz), @westongeorge, @sysopfb.

From the presenter: Malicious actors in the world are using more ingenuity than ever for both data infiltration and exfiltration purposes, AKA command and control communications. While lots of attention is given to these techniques, it is commonly given after they've been used in an incident, making this area of cyber security very retroactive in its defensive posture. The aim in presenting this material is to demonstrate that we can take some lessons from the other areas of cyber security research, namely exploitation, and look at potential use cases in how malware authors could utilize technologies outside of their intended purposes to not only accomplish their goals but also end up bypassing common security measures in the process. Doing this sort of research can lead to more advances in defensive security postures by spurring discussions in the community on how a technique either does or doesn't bypass security measures.
Transcript


So, malware C2 over x.509 cert exchange. That's a lot of things to say. I'm basically talking about data infil/exfil over a certificate as opposed to HTTP traffic. So in an HTTPS request, the certs have been exchanged but no HTTP request has actually been made, and you can transmit a protocol over x.509 because of extensions.

A little bit about me: I used to [unintelligible] a number of years ago. I now work at Fidelis Cybersecurity, and the DC primarily focuses on reverse engineering and development around, like, automation frameworks. My primary focus is data structures and algorithms; not really my primary focus, but more like my interest, I guess you could say. I used to run Dyre tracker back when Dyre was still a thing, and there's my Twitter handle and my email.

This is gonna be a pretty quick presentation; the code piece I'm gonna kind of fly through. I'll show some highlights. If you want the code, email me and I'll send you the whole code. I'm not gonna post it on GitHub because I've never seen this used in malware and I don't really want to post it.

All right, yeah, so primarily the reason that I created this presentation was to highlight the fact that cybersecurity is mostly reactive as opposed to proactive, and that's just because we primarily deal with defense, right? That's changed a lot over the years, so the recent shift being exploit developers, pen testers, red teaming, I think is what most people call it, has really kind of played a bigger part over the years, and I consider that more proactive. Reactive is, I think, primarily because most of the people that come into cybersecurity come from IR/forensics-type backgrounds and they always deal with stuff after; it's kind of the nature of the beast. So I'm a malware researcher; I also have exploitation experience, so I relate the fact that I saw this to my exploitation experience. I don't write exploits, I'm not really very good at it, I primarily focus on malware, but just the fact that I've cross-trained has helped my mind kind of see those holes and those potential gaps and then kind of create these situations.

So the story about how this happened: I was looking at Vawtrak, which has a DGA. When they added the DGA (they used to be HTTP traffic), they started looking at a specific extension in the cert, and what they were doing was they were taking the data and they were encoding it, and I thought that they were passing data over this cert. Turns out I was wrong; they were just checking a hash, they were just making sure that that hash was related to their real C2. But it got me interested in what this extension meant. It's a subject key identifier, so I googled it, went to the specifications and read what it said, which you can read here. If you have any exploitation experience, reading stuff like this you pick up on some buzzwords, right? Like: this is a string extension, it can take two possible values, the sentence "the use of this hex string is strongly discouraged". They don't have any guidelines for how big or small it should be; you can put whatever you want in there. It's supposed to be a hash, but it doesn't have to be a hash length. There's all these things that they don't specify in their specifications, and it leaves you open to this kind of exploitation mindset of how you can use it for something other than its intended purpose, which I go over here.

So we have a field that can hold arbitrary information. So, we're into it: things that came to mind, exploitation, data exfil, data infil; since I deal with malware, that's malware C2. So for a proof of concept, which was what I went to next, I wanted to automatically create certs that could hold this arbitrary data, I wanted to create a server that I could then talk to with a bot, and I wanted to have the bot code, write the code to retrieve the data, but I put this specification that I didn't want it to actually perform an HTTP request. So it does a HEAD request, and then we'll get into why it doesn't do the HEAD request.

So generation is pretty easy; this is straight out of Google, how to generate a cert or a key, right? So it's three commands, it's nothing really fancy. This is a Python script I wrote up, but it pretty much just takes your cert, and I've got like a password of "stupid" and a config.txt. That config.txt is what I consider my banker config for my fake bot, and this Python script can run at any time, take the config, encode it, stick it in this extensions .cnf file there at the bottom, and then it generates a cert. That's kind of hard to see, isn't it? Anyway, so it generates the cert using the extensions, and it does it in real time, so I can't use that cert in something like Apache because it loads it in memory. You have to have the key; I can't change it in memory. I would have to create like a module in Apache to bypass their security. So instead, I'm gonna skip, actually. So instead I create a server, which is the Python server, waits for incoming connections over the port I specify and serves up the cert from disk. So the last line of my previous script is an openssl rsa; I'm basically stripping the password off of the key. That way my Python script can use the key with the cert in real time from disk and I don't have to load it in memory with Apache or something like that.

Retrieving the data, as well, is pretty straightforward if you've ever looked at anything off MSDN; most of this code came from MSDN, with the exception of the callback. But this is pretty much just making a HEAD request, so it's making an HTTP HEAD request. So the magic happens with a callback, and I had to do some really deep kind of finding of this specific callback because I've never seen it before; maybe if you're a developer you've heard of it before. Basically this callback function, when you set it up, when you make a request, it sits there and you can tell it to wait for a specific status of the request. So the HTTP request is going to go out, you're going to do a cert exchange; all these different steps are laid out on MSDN. This one is not [unintelligible], I can tell; it's INTERNET_STATUS_SENDING_REQUEST. Basically this status happens after the cert's exchanged but before the HTTP HEAD request is actually sent, so at that point I have access to this certificate. So you see at the bottom there I parse out the subject key identifier, I decode it using, I think, [unintelligible], and then I print it to screen, so I'll show here.

So this is a bot kind of in debug mode. I've told it to connect to my Python server, and then I've set up all these things to kind of print out all the statuses, right? So InternetOpen success, it's open, then InternetSetOption, and then all the subject parameters, and then you see there the data at the bottom is the data from the subject key identifier field, and then I decode it and print it out, and it's basically kind of like a banker Trojan config, right? I'm telling it to steal from Gmail, Yahoo, Amazon, doing whatever form grabbing, cookie theft or whatever, and then I'm telling it to web inject Gmail with a div around "stupid", so very kind of demonstration purposes.

So here's the traffic: all you see is TLS, you don't see an HTTP request actually go out. So, yeah, Wireshark at the top, Fiddler at the bottom; well, you see the connect in Fiddler, but you know, you don't actually see any HTTP requests. So how do you detect this, right? So when I saw this and I thought of it, I created the POC and I went to our developers, I was like, make sure we could detect it. But how do you actually detect this? You either have to parse out all the data inside x.509, which there's a lot, and potentially, as we'll see in the next slide, kind of an arbitrary amount unless you [unintelligible]. So you can detect it if you see either the IP is malicious, or you're pulling out data from the x.509 certificate and you're saying that the subject key identifier, in the specs, says it should be a hash, so you can check the length and say this isn't a hash length. But then, you know, you start thinking of ways to get around that: well, then I can just have my bot talk to me until it hits an end marker, so I can just keep sending hash-length data segments back.

These are some kind of interesting things I observed. I was going through, oh, so the OpenSSL version I had, which is 0.9.8zh on my Mac, I didn't see a limit on how big I could make an extension, so I made one pretty, like, crazy long and I loaded it up with Apache. So another interesting thing: Apache will gladly load a ginormous certificate and serve it back to you. OpenSSL will then connect to that Apache server and attempt to parse it in memory and crash because it runs out of memory. Windows 10 64-bit on my VM actually doesn't; I don't know if it reads all of it, so I didn't deep dive. You'd have to go pretty deep to figure out exactly what it's doing, but it doesn't. I didn't have access to all the data; it had a hard limit on what it gave me, so it probably has a limit on what it is expecting to see from an extension.

Yeah, that's it. Any questions? [unintelligible] Like I said, if you want the proof of concept code you can email me and I'll send it to you.

[Audience question not captured]

I think you'd have to do it when you generate it; it has to be when you generate it. Now, I don't know exactly how the certificate authority stuff works. I know if you have a CSR you can generate a certificate, so if Let's Encrypt gives you the CSR you can probably generate, but I don't think they do that, even just generate, because you always have to, for Let's Encrypt, you're always updating, right? So you always have to, you always get a cert from them. Yeah, you're doing it.

So for exfil purposes, and I didn't really touch on it much, I just kind of mentioned it because I was trying to create a proof of concept for it: if you pivoted in a local network to your HTTP server, which is what I would do as an attacker, and then tried to overwrite your cert to send data; so we're talking about, like, what's the thing that happened not so long ago, they had like image files in the web server and then they were infected, and so the bad guys were like hitting web servers for the text pull. If you did something similar to that with your HTTP server, it's going to exist in memory, so you would have to find that in memory and edit it, I think, and that may be possible if you always use the exact same amount of data, but then how do you control... I guess you'd only have so much data block you can echo; you could use it. Yeah, I haven't seen anybody do it.

And, like I said, my primary focus was the fact that I thought that if your defense product or your security product was looking at URLs, the only way to block that would be to parse the data and see that it's anomalous, or detect it by IP; since there's no HTTP request you can't really do anything. Maybe if you're man-in-the-middling everything? Like, if you're not man-in-the-middling your network, what do you see? I know most corporations are going to man-in-the-middle it. Oh yeah, from the endpoint. So everything changes on the endpoint; endpoints alert, a lot of the good stuff comes from there.

So if you're man-in-the-middling it, yeah, you'd see the TLS kick off and you wouldn't see an HTTP request. So is that bad? No, not always; it's not always bad. What if I go to http google.com and I just don't get a good resolution, they're updating the website and I just click the tab closed or something? Like, at what point does the request actually go through and not go through? You'd get some false positives there, probably. Yeah, for exfil purposes it's kind of odd, so you could use it, if a malicious guy... so if you had internal stuff set up and you were looking for bots talking to other bots internally, which not a lot of people do, there's some security you could get around by doing that, like from one bot to the other bot as well. The situation that would arise there, that would be a pretty advanced actor and very specific to your network; they've already been there for a while. Any other questions?
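The speaker's detection question, and the evasion he raises in the Q&A (chunking a payload into hash-length pieces so a pure length check passes), can both be answered from the RFC 5280 text he quotes: section 4.2.1.2 describes two ways to derive the subjectKeyIdentifier from the subject public key (the 20-byte SHA-1 of the subjectPublicKey bits, or a 0100 nibble plus the low 60 bits of that hash). A detector that recomputes those derivations from the certificate it just saw does not need a length heuristic at all. The Go program below is an added example written for this page, not the speaker's unpublished proof-of-concept code or anything from Fidelis. It uses only the Go standard library; `ClassifySubjectKeyID`, `expectedKeyIDs`, `MakeTestCert` and the verdict strings are names chosen here, and `MakeTestCert` is a constructed fixture (self-signed ECDSA certificate, placeholder subject `constructed.example`) that exists only so the detector can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// subjectPublicKeyInfo mirrors the ASN.1 SubjectPublicKeyInfo so we can reach
// the subjectPublicKey BIT STRING that RFC 5280 section 4.2.1.2 hashes.
type subjectPublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// expectedKeyIDs returns both RFC 5280 section 4.2.1.2 derivations of a
// subjectKeyIdentifier from a DER SubjectPublicKeyInfo: method 1 is the
// 20-byte SHA-1 of the subjectPublicKey bits; method 2 is the 0100 type
// nibble followed by the least significant 60 bits of that same hash.
func expectedKeyIDs(spkiDER []byte) (method1, method2 []byte, err error) {
	var spki subjectPublicKeyInfo
	rest, err := asn1.Unmarshal(spkiDER, &spki)
	if err != nil {
		return nil, nil, err
	}
	if len(rest) != 0 {
		return nil, nil, errors.New("trailing bytes after SubjectPublicKeyInfo")
	}
	h := sha1.Sum(spki.PublicKey.Bytes)
	method1 = h[:]
	method2 = append([]byte{}, h[12:]...) // low 64 bits, then replace the top nibble
	method2[0] = 0x40 | (method2[0] & 0x0f)
	return method1, method2, nil
}

// ClassifySubjectKeyID parses a DER certificate and reports whether its
// subjectKeyIdentifier is one a conforming CA would have produced for this
// key. "hash-length-mismatch" is the case a length check alone would miss:
// the right size, but not derived from the key. "unexpected-length" is the
// case the speaker's length check catches.
func ClassifySubjectKeyID(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	ski := cert.SubjectKeyId
	if len(ski) == 0 {
		return "missing", nil
	}
	m1, m2, err := expectedKeyIDs(cert.RawSubjectPublicKeyInfo)
	if err != nil {
		return "", err
	}
	switch {
	case bytes.Equal(ski, m1):
		return "matches-method1", nil
	case bytes.Equal(ski, m2):
		return "matches-method2", nil
	case len(ski) == len(m1) || len(ski) == len(m2):
		return "hash-length-mismatch", nil
	}
	return "unexpected-length", nil
}

// MakeTestCert is a constructed fixture: a self-signed ECDSA certificate that
// carries exactly the subjectKeyIdentifier bytes given. nil means "derive it
// properly with method 1", the benign control case for the detector.
func MakeTestCert(ski []byte) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if ski == nil {
		spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
		if err != nil {
			return nil, err
		}
		if ski, _, err = expectedKeyIDs(spki); err != nil {
			return nil, err
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed.example"}, // placeholder
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		SubjectKeyId: ski,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, ski := range [][]byte{nil, bytes.Repeat([]byte{0x11}, 20), bytes.Repeat([]byte{0xAB}, 64)} {
		der, err := MakeTestCert(ski)
		if err != nil {
			panic(err)
		}
		verdict, err := ClassifySubjectKeyID(der)
		fmt.Printf("SKI of %2d bytes -> %s (err=%v)\n", len(ski), verdict, err)
	}
}
```

In a passive sensor the certificate bytes would come from the TLS handshake's Certificate message rather than from `MakeTestCert`; `ClassifySubjectKeyID` only needs the DER. The derivation check is deliberately strict: a legitimately issued certificate whose CA used some other key-identifier scheme will also land in "hash-length-mismatch", so treat that verdict as something to baseline per issuer and alert on change, not as proof of a covert channel on its own.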
