
BSidesSF 2019 - RadRAT: An all-in-one toolkit for complex espionage ops (Ivona-Alexandra Chili)

BSidesSF · 2019 · 16:47 · 220 views · Published 2019-03
Category: Technical
Style: Talk
About this talk
This talk presents a piece of malware that had previously gone unnoticed and that seems to have been operational since at least 2015. Among the remarkable traits of RadRAT are its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization, and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT can be used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.
Transcript [en]

Last talk of the day, and the nice part about that means that you guys have a few more minutes left to quickly run over to coat check and go buy a t-shirt, or donate a t-shirt by giving the proceeds to Hack the Hood, Hackers for Charity, or the EFF. Now, with that being said, we get to listen to a very interesting talk. Back in the day my roommates and I would install RATs on our computers while we would compete in Counter-Strike, just so when they think they have each other ready to kill, we'd move their mouse and suddenly start jiggling it around, and they're like, no! So as a result they started getting

more interesting. As you might imagine, roommates start to escalate between each other, and before you know it we have government-sponsored RATs on all of our computers, and you know, we've spent all weekend trying to ferret them out. Wash, rinse, repeat. So I look forward to hearing from Ivona speaking about a very interesting RAT that has not received a lot of attention and yet is used in many places that you would never expect.

Hello everyone. Today I'm here to say a few words about the research I did recently with my colleague Edward about the RadRAT malware that was used for exfiltrating sensitive information and monitoring victims across large networked organizations. Some facts about me: I'm a

forensics engineer at Bitdefender with four years of expertise in the cyber threat intelligence lab, and also I'm a master's student in information security. Who are we? Well, Bitdefender is a security company founded in 2001 with almost 20 years of security expertise. We protect over 500 million devices in 150 countries; also you can find us in many of the top security products that integrate our technology. Last but not least, we are a community of researchers passionate about machine learning and artificial intelligence, and all our studies are also integrated in our technology. The agenda for today is quite simple: well, we are going to review some general aspects about the case, then we are going

to dive into some more technical details and some interesting facts regarding the telemetry, then in the end we'll close with some conclusions. Very interesting is that this piece of malware has been operational since at least 2013 but has gone unnoticed and undocumented by the research community. So let's take an overview of the malware's features and capabilities. This binary file is comprised of a set of tools, either embedded or downloaded along the way, that the attacking party uses for various malicious purposes. It contains more than 90 commands, including methods of credential harvesting and exfiltration, mechanisms to avoid detection, several ways of contacting the C&C server, and interesting lateral movement mechanisms. The toolkit is made of two main components that perform most

of the RAT's behavior. These two DLL files will both run as Windows services. An interesting aspect in the operation of this threat is that it behaves differently based on its file name: in the first case the component will run in installation mode; in the second case it will run in a mode that will allow it to inject into every process running on the system, denoting a rootkit-like behavior, so the purpose of this component is gathering Windows and network credentials. Basically there are two ways the system can get infected. The first one is when it is compromised by the original infection vector; let's call that system the patient zero, and the installation component will write one of

the two main components to the system, which will be further launched as services. In the second case, if the victim has been compromised due to a lateral movement operation, the role of the installation component will be played by an already compromised machine in the network. Apart from the main components there are also the secondary components, that are used only when needed by the RAT in order to execute additional RadRAT commands, or to invoke the main component, or to help the RAT in its self-update process. The method of choice that RadRAT employs for persistence is via services, so it may replace the legitimate DLL file with the malicious one, or it may create a service in the system's

service manager to run the malicious component. The parameters used by the malware in its malicious actions are stored in the Windows registry, and each value under this key serves a special purpose, so this also can be seen as a configuration of the malware. For example, there is the death value, which will allow for process injections used for harvesting credentials and hiding resource usage; the MPD parameter will enable Mimikatz-like credential harvesting by injecting code into specific executables; the MT2 parameter will allow for lateral movement capabilities. Other specific parameters are set in order to control the frequency of contact with the C&C server or to specify the day of the week

when it will call home to its server. Last but not least, there is a log of update operations that the malware will keep in order to keep track of the modifications done along its run on the system. Now we'll take an in-depth look at the steps the RAT takes in order to establish communication with the command and control infrastructure. Very interesting about this threat is that it avoids using default DNS requests or organization-controlled DNS, preferring the use of a hard-coded list of DNS name servers: mainly name servers of Dyn, which is a popular dynamic DNS provider which seems to be favored by this group of threat actors, and also name servers of MTNL, which

is an Indian ISP that actually owns the attacker's IP address. Also, as an additional measure to avoid DNS resolutions, the attacker would provide an IP address via hard-coded Google Drive and Dropbox URLs: so the resource available at the hard-coded Dropbox or Google Drive URLs contains an IP address, along with a flag which will indicate if it should enable the DNS resolution or not in case the connection to the given IP will fail. So once this component has downloaded or resolved an IP address, it will send a fingerprint of the system, consisting of version, hostname, MAC address, the parameters that are stored in the registry, and also the bitness of the

system. RadRAT's current command and control set supports 92 instructions, some of which are not yet implemented, meaning that the developer is still in work in progress with the development of the threat. So these commands can be split into multiple categories, like file and registry operations, credential harvesting, network operations, operations on processes and system information, lateral movement operations, update operations, unimplemented operations, and automatic operations. But because there are a lot of commands and the time is limited, we'll highlight and analyze the most interesting categories, and the ones are credential harvesting and lateral movement operations. The highest risk that arises with RadRAT is its powerful data theft capabilities, so the main focus of these commands is credential

theft through NTLM hash harvesting, through the pass-the-hash technique. So it allows the attacker to authenticate to a remote server only by using the NTLM hash and not the plaintext password, as is usually the case. So this technique is very interesting because it is very much used by the attacker. Also, another method of gaining access to sensitive data is by decrypting the credentials stored under application data directories. Apart from the credentials, they are also interested in browsing history and network traffic. Another means of credential harvesting is when the parameter debt from the registry is enabled, meaning that functions responsible for intercepting usernames and passwords entered into Windows credential prompts will be hooked

so the credentials will be stolen. Last but not least, there is a group of operations that focus on network discovery and network traffic sniffing through ARP poisoning: so the attacker will choose multiple IPs between which the communication will be intercepted, so this component that will redirect the spoofed ARP packets will, you know, intercept SMB connections or LDP sessions, so it is very possible to intercept even credentials. This credential harvesting is done every 72 hours, and the amount of credentials collected goes hand in glove with the lateral movement operations. So in order to infect other machines across the network, the specific parameter from the registry will be set, namely MT2, so it can take values from 0 to 3

representing different ways to infect a target machine. So for example, 0 means that no infection will be attempted; 1 means that infection is attempted with the current component using empty credentials; 2, infection will be attempted for hosts for which credentials are already stored; and 3, infection will be attempted only for 64-bit hosts, also with stored credentials. After the target has been chosen, one of the two main components will be deployed to the target machine and will be installed as a service. Also a level argument will be specified that represents the step of the infection to be checked for. For example, level -5: it will try to connect to the Windows registry on that machine and check for the

parameters that are already set; level -2 will close the existing connection on that machine; and so on. Now we are going to review some very interesting facts about the timeline and next the telemetry. The samples dating from 2013 are compressed but unencrypted. Then we can distinguish two campaigns: in 2015 they come with an updated version of the malware that this time uses a simple XOR encryption; in 2017 another campaign is launched, bringing a new version that adds a custom encryption of the embedded resources. So it is clear that the attackers are making efforts to avoid detection by security products. Now let's talk a bit about telemetry. Usually during an investigation we are interested to see who were the

victims of the attack, if the victims have certain characteristics, or if the attack occurs globally in all geographical regions or if certain areas were affected, and so on. So, analyzing our telemetry data, we have first observed that a small number of hosts were infected, meaning that it was a targeted attack. So we have discovered 24 different machines belonging to almost 60 IP addresses, all located in New Delhi, India. Most of the victims belong to a company that is related to the energy sector, but a few other victims belong to an open source company. There are also some IP addresses which reported detections for files with an unusual

path, so it seemed that these files were executed from a sandbox, more particularly VirtualBox, and our first thought was: okay, maybe a researcher that is analyzing these files dynamically in a sandbox. Or maybe not. The first thing we saw is that the reported malicious files seemed to be consecutive versions of the same software, so this was kind of strange, right? So I decided to check the timestamps of these reports: for consecutive versions the difference was under two minutes, so things got even more strange. We extracted the files and we took a look at the compile time. So not only is the compile time very close to the report timestamp, but also the difference between consecutive versions

of the compile time is also very close, under one minute. So from these observations we can draw two conclusions: one, we are dealing with an automated process that compiles the samples, and two, we have actually found the developer of this piece of malware. So what was actually happening: the developer was testing his binaries against our product. Since the victims are using Bitdefender as protection, he wanted to make sure that the files that he releases in the wild will not be detected by our product. So we have identified six IPs that are used to compile the files and test the detection of the resulting files by our security solutions, and all of the six IPs were also located

in New Delhi. So both the target and the attacker are located in New Delhi. The two C&Cs found in the binaries we analyzed actually resolved to one of the six IP addresses, which was also tagged as belonging to the developer. And now some closing remarks. We have seen a complex RAT that has gone under the radar for a long time, which is still under development, and as we can see it was a highly targeted campaign where we identified both the victims and the attacker, and we can proudly say that we managed to detect almost all the files that he compiled in his sandbox. For more indicators of compromise such as domains and hashes, you can check

our Bitdefender technical blog, or if you want, check the white paper section to find more resources. Also there are some useful tools in case of a ransomware infection, such as the decryptors that will decrypt your files automatically so you don't need to pay the ransom. Also you can find other types of studies done by our research team, including machine learning, networking and cloud infrastructure, and many more. Thank you for your attention. For more questions you can find me on LinkedIn, Twitter, or email. Thank you.
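The talk's most actionable detection point for a network defender is that the malware deliberately bypasses the organization-controlled DNS in favour of a hard-coded list of external name servers (dynamic-DNS and ISP resolvers). That behaviour is visible in ordinary flow logs as internal hosts sending port-53 traffic to servers that are not the sanctioned resolvers. The following is an added example, not code from the talk or from Bitdefender; the flow-log format, the sanctioned resolver addresses, the internal network range and every address in the sample records are constructed for illustration.

```python
"""Flag internal hosts that resolve names through DNS servers other than the
organization's own resolvers, the pattern described in the talk.

Added illustration, not Bitdefender's or the talk's own code. The log format,
sanctioned resolvers, network ranges and all addresses below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the organization's sanctioned internal resolvers.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Constructed: address space considered internal (only internal sources matter).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto>"
SAMPLE_FLOWS = """\
2019-03-01T10:00:01 10.0.5.17 10.0.0.53 53 udp
2019-03-01T10:00:02 10.0.5.17 10.0.0.53 53 udp
2019-03-01T10:03:10 10.0.5.42 203.0.113.7 53 udp
2019-03-01T10:03:11 10.0.5.42 203.0.113.8 53 udp
2019-03-01T10:04:00 10.0.5.42 203.0.113.7 53 udp
2019-03-01T10:05:00 10.0.5.99 10.0.1.53 53 udp
2019-03-01T10:06:00 10.0.5.99 198.51.100.20 443 tcp
"""


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "dport": int(dport), "proto": proto}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_resolver_bypass(log_text):
    """Return {src: {"resolvers": [...], "queries": n, "first_seen": ts}} for
    every internal host that sent DNS traffic (dport 53, udp or tcp) to a
    server that is not one of the sanctioned resolvers."""
    queries = defaultdict(int)
    resolvers = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dport"] != 53 or not is_internal(f["src"]):
            continue
        if str(f["dst"]) in SANCTIONED_RESOLVERS:
            continue  # normal resolution through the org's own DNS
        src = str(f["src"])
        queries[src] += 1
        resolvers[src].add(str(f["dst"]))
        first_seen.setdefault(src, f["ts"])
    return {
        src: {"resolvers": sorted(resolvers[src]),
              "queries": queries[src],
              "first_seen": first_seen[src]}
        for src in queries
    }


if __name__ == "__main__":
    for host, info in find_resolver_bypass(SAMPLE_FLOWS).items():
        print(f"{host}: {info['queries']} DNS queries to unsanctioned "
              f"resolvers {info['resolvers']} since {info['first_seen']}")
```

On the constructed sample, only `10.0.5.42` is reported: it sent three queries to two external resolvers, while the other two hosts used the sanctioned servers or non-DNS ports. In a real deployment the same logic belongs next to a firewall rule that only allows port 53 egress from the sanctioned resolvers themselves, so that the bypass both fails and leaves a log entry; the hard-coded Dropbox and Google Drive dead-drop URLs the talk mentions are the fallback to watch for on hosts that trip this check.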