
So, over to you and your Orleans Oaks. Have fun.

Alright, cool. Yep, so thanks everybody for coming. Just to let you know, this talk is about 30 minutes, so we'll have 15 minutes of fun talkie time afterwards. And also I've been tweeting dad jokes all day with the hashtag #BSides, in case anybody wants some of my other ones out there. So yeah, today we're going to talk about a piece of malware that was called DADJOKE. It's actually used by the actor Leviathan, or, as some people refer to it, APT40.

So before we get into it I just want to say a few things. First off, credit where credit's due: thanks to FireEye, we have names like DADBOD and DADJOKE and DADSHORTS. This is fun. But special credit to Nick Carr and Rick Cole: without their tweets, which I'll show you later on, I basically wouldn't have been able to find any of this stuff in the first place, so kudos to them. I just want to make sure I say that first. Hopefully we'll be releasing a blog shortly. It's already written; we're just going through to make sure we don't say anything we shouldn't say in there, and I'd like to try to coordinate that with FireEye, so we'll see if that actually happens, but hopefully in the next couple of weeks. Obviously there are dad jokes contained herein, so please feel free to laugh or boo, but please don't throw any tomatoes at me. They are dad jokes. So the first one: this is good, I'll give you a second to read it. I kind of like that one... he was on duty. Uh-huh.

So we'll get into the initial discovery of the malware. Obviously, most of the stuff that we talk about nowadays usually starts with a phish. So back in August of this past year we saw a wave of attacks that was targeting a specific ministry in Southeast Asia, in particular a Ministry of Defense. And while it was a wave of spear phishes, it really wasn't super widespread. We actually only found about three documents that targeted a couple of different users. Two of the users were actually overseas, not in Southeast Asia; one was actually in Southeast Asia, but they all worked for the ministry. So it wasn't really widespread. It was an interesting phishing campaign: usually you'll see them blast an entire agency with hundreds of emails, but in this case, this kind of piqued my interest.

So when I started looking at it, the delivery method itself was actually kind of unique too, and it had an interesting, very intricate, ornate delivery chain that we'll talk about. But basically it was a Word document that got sent to the users. It had a couple of embedded executables, specifically an EXE and a DLL, inside of it. It contained, or actually reached out and grabbed, a remote template, pulled down the macro inside of the template, executed it, and did load order hijacking, or what some folks call side-loading. So I said, okay, this is interesting, I'll go try to find some more. So I looked at the location of where the remote template was, and I quickly discovered that I wasn't really going to go anywhere with this one, because the actor used a short-lived campaign. So this was pretty interesting and unique to me as well, the fact that the actor flipped the switch. This is based on our passive DNS system, but you can see they started the campaign on August 29th and they turned it off on the 12th. So basically it was a two-week campaign: they scored the targets they wanted to, and then they flipped it off to loopback, which makes it difficult for a researcher, because a lot of times, if you're not out there collecting the stuff as it happens, you can't go back and get it later. So that was kind of interesting to me.

So I hit a dead end on that, but I did look at the macro that was inside, and I was able to pivot on a couple of things. So we'll get back to this screenshot a little bit later, but at the top and the bottom I highlighted some interesting values. The two at the top and the one at the bottom there, these hex values, were used by the actor in the macro, but surprisingly they didn't change them that often. So it was a unique value that I could put into a simple YARA sig and actually pivot off of and find some more stuff. We'll get back to what they were in a little bit, but I was able to pivot on that and I found a few more documents that were sent in around the middle of July.

This is where the tweets come in. Basically one of them was discussed on Twitter, so take your time, read the tweet, but basically Rick Cole on the left talks about a spear that they found, and he said, oh, you got a DADJOKE instead, and talks about the exploit chain that I actually just kind of discussed with you. And then on the right, Nick actually refers to DADJOKE as well and says probable APT40. So this was, obviously, you could imagine my excitement, because I'm such a connoisseur of dad jokes, plus APT40 is a pretty interesting actor. So thanks to them again for dropping those tidbits.

So now we have a name, we have a group, APT40, or what we refer to as Leviathan. Unfortunately, when I started going out there and looking for DADJOKE, there wasn't really anything out there, except for this shirt that my wife bought me because she knows I love them so much. So I kind of hit a dead end again. Luckily, at Kaspersky we save all the data all the time, so looking back I was able to go back into a retro hunt, and what was surprising is that I only found a total of eight campaigns since the beginning of 2019. So the malware itself was kind of rare. Usually when you find something you go back and you'll see consistent campaigns over and over again, usually in the dozens or hundreds of victims, for example, with the data that we have. In this case we only saw eight campaigns. The other interesting fact was that this actually looks like it began in January of 2019, so this is the possible epoch for the malware, which is kind of interesting.

This is a list of the campaigns I was able to find. Feel free to take pictures; I'll leave it up there for a second if anybody wants IOCs. But essentially you can see that the actor started using this malware essentially at the first of the year, or the third, and then they took about two months off, and then they came back, did it again, took another two months off, used it again. So consistently every month or two they'll send one or two campaigns, but eight campaigns over a span of now ten months is actually pretty rare to me. What was even more interesting is that we could see the development cycles happening in between each of the campaigns. So they would use it, presumably come back to the drawing table, report on bugs and things that happened, fix some things, add some new features, functionalities, whatever, and go back to the drawing board and use it again. So this indicated to me that the actor is being pretty meticulous: they have a developer, they're fixing some stuff that they found, which is pretty interesting to me.

So before we get into the malware, though, we need to actually talk about the actor. Dad joke number two: bison. So I got a laugh at the front at least; that was good. There's plenty more where that came from. So just to get everybody in the room on the same page with APT40, we'll just talk a little bit about them before we go any further. So they're also known as Leviathan, like I said earlier. That was the name I think that was made by Proofpoint when they first wrote about them, about a year to maybe two years ago. Microsoft has publicly called them GADOLINIUM. Accenture, I believe it was, put a paper out in maybe February of this year; they called the actor MUDCARP. And then on the right-hand side you see TEMP.Periscope and TEMP.Jumper; those are the old iSIGHT names that we used, or they used, I should say, before they actually wrapped this actor into an official APT number, which was 40. So if anybody wants to cross-reference, those are names that were used.

FireEye says they've been active since 2013. Personally, myself, I would say I only see it from about 2015, but really the general community hasn't really known about this actor until about late 2018, early 2019, when they started getting some press coverage on some of the campaigns that were running. Referring to some of the campaigns they've done, or headlines: this first one, for instance, China, basically they say hackers targeting universities. This was in relation to some naval technologies being developed at those universities listed up above, so they targeted them. This is an example of one of the C2s that was tweeted a while back, but you can see the ThyssenKrupp Marine Systems theme, so you have a trend here on naval technologies. They actually had their hands in the Cambodian election at one point; this was, I forget who actually came out with this research, but maybe FireEye in July of 2018. Again, naval secrets in this instance here: the actual Chinese Navy did seize an American UUV at one point, they intercepted an underwater unmanned vehicle of ours, and when they did that they actually sent spears and posed as a UUV manufacturer as well to get more technologies. And then I think this was Recorded Future, if I'm not mistaken; they wrote some reporting on how they were using some Russian APT techniques. So if you've seen any of these headlines, this is the actor we're talking about.

I mentioned the naval technologies. This was what they focused on early on; they were very heavily involved in gathering information on anything related to naval technologies or maritime interests, and also the South China Sea. You'll see a map here in a minute. More recently, though, we see them targeting people or countries or organizations that are invested in the BRI. So they've moved away, not completely, but moved away from the naval stuff and more focused on BRI at this point. So you'll see on the map, FireEye did a really good job in their report back in March on this, but basically you can see a very distinct separation of targeting. The interesting part here, why I put this up, is if you look at the South China Sea, pretty much every country that borders that sea has been targeted and hit by these guys. I would argue that Vietnam is actually on the list as well; it's not colored here. And then you have countries in the Middle East, you have, you know, Norway, the UK, the U.S. obviously; this is where they're targeting engineering companies, defense contractors, as well as BRI, energy, stuff like that. So pretty wide across the board.

Their endgame, obviously, like any other cyber espionage actor, is going after information. They're more of a smash-and-grab type actor, so they'll come in, they'll find the information they want, bundle it up, ship it out. We don't see them doing anything like destructive attacks or any of that other stuff, financially motivated type things. What's interesting about their tempo is it's fairly consistent, but they always tend to use very short, very targeted campaigns. The people that they target, we're talking defense attachés directly, ministers directly, the president's office directly. We're not going after secretaries, we're not going after people in an organization; they're very meticulous with who they target, and then they shut that campaign down very quickly to try to hide what they did.

So on to the malware. I like Star Wars; the one on the left is my favorite: he felt your presence. So I broke the malware down into three pieces, because it had this very intricate exploit chain that was going on. So we're going to talk about the macro, or the template, first, and then the loader DLL, and then ultimately the main DADJOKE payload itself.

So on to the template. This is obviously the initial start of the exploit chain. When the document is opened, it will go out and basically fetch a template from a remote location on the server. Inside the template there's a macro that's executed, and that kicks off a very interesting chain of events, and I'll show you a couple of things here. So first off, the part that's highlighted in white in this URL, feel free to take pictures again, because I'll mention this later on in the detection and defense section, but these are pretty unique to this actual macro. So as soon as the macro is run, the first thing it does is it goes and does a GET request to the server of choice, and it does this with two parameters at the end, the username and the hostname, basically beaconing back and saying, hey, the macro was run on this box. Then it goes through and it actually extracts the benign executable from the Word doc. In the last wave of attacks this was a Windows Defender executable that's vulnerable to the load order hijacking. And then it'll send another GET request, and this time it uses the parameter a=exe, basically saying, hey, I was able to pull the executable out of the document, almost like it's logging. Then it'll go through and actually extract the DLL, or the loader, from the Word document as well, and it unhides the content to the user, which we'll discuss here in the next slide, and it executes the benign executable, ultimately side-loading the loader into place. And then it sends another GET request, and this time it says a=run. So those three things, in order like that, are actually a really unique indicator to the macro. Obviously, I just talked about that. Basically what this is, is the actor built this functionality into the macro to track the exploit chain, so if something goes wrong along the way they're able to say, okay, well, we were able to have the macro execute, and then the EXE got pulled out of the document, but the DLL didn't get side-loaded. So it helps them kind of debug and figure out, before they have full access on the box, what actually happened in the chain, which is pretty smart. They just look at their web logs, basically.

They also use these things called InlineShapes in the macro, pardon me, and those were the values that I showed you earlier. So they use these values for the executable, the DLL and the actual hidden content. What's unique about this is that the two values at the top we've seen change a little bit, but the one at the bottom has not. So we've observed three actual different values for the EXE and the loader in all the eight campaigns we've seen, but they've used the exact same value every time for the hidden content portion. This was kind of a screw-up, I think, on their part, so they'll probably see these slides and then change it, sorry, but for now it's a really good detection. You're able to pivot on it and find other stuff just based on that in the macro.

So on to the loader. This basically only has two functions: it basically extracts the payload from a resource and loads it into memory. And the way it does that is, obviously, it gets started using the load order hijacking, and then inside of the actual loader there's an encrypted config block as well as a compressed payload, an LZMA-compressed payload, which is the DADJOKE malware itself. The thing about the loader is it's very small in function, it only does a couple of things, and it's changed every campaign, so it makes it super difficult to sig on. In the latest wave, the configuration block itself is actually 188 bytes, and it's decrypted using a double XOR routine; I think it was like XOR 88 and then 66, sorry if I said that wrong. But previous versions actually had different sizes for the config blocks, they had different routines, and it made it really, really hard to sig on this DLL, which actually kind of sucks, because it's really the only file that's stored on disk; everything else is run out of memory. So it made it very difficult for us to find things.

This is an example of the config block. It's pretty standard if anybody's worked with malware before, hopefully everybody in this room, but up at the top you have the C2s. I highlighted a few interesting pieces here. So the middle part is the web directory where actually all the data gets uploaded to. So they're able to put one or multiple C2s in the config, but then for each victim organization, or each person they're going after, they can actually change that config value and have that user's data go to a different folder, so it's easy for them to track. The more interesting pieces are the two byte flags that I actually highlighted there. So the first one, on the right-hand side, the double zero: I found in this last wave that they left the ability in the malware to actually flip a debug switch on. So the malware developer forgot to turn that off or take it out, but this is the value in the config block where, if you were able to turn that on by making it a non-zero value, the malware will just basically crap out logs like it's going out of style, which is great, because if you're not a reverser you can just run it and look at the log files and see what's going on. The one on the left is actually the persistence flag. So what really sucks is they can turn that to zero and not even write the DLL to the hard disk in the first place, so everything is in memory, which is really cool and it makes it very hard to detect.

So on to the payload. Let me make sure I didn't skip a slide there. Yeah, we're good. So the payload itself is actually nothing really special. I was hoping there was going to be loads of functionality in this thing, but in reality it was just basically a beacon and a download-and-execute of stage two. So this was really designed as a stage one payload. Unfortunately, in the last couple of waves we haven't been able to figure out what the stage two payload actually is. In previous campaigns in the past this actor has used things like Cobalt Strike and other COTS and open source type stuff, but in this case I don't really know what it is yet, so we're still looking. Potentially this is one of those DADSHORTS or DADBOD things, but I don't know; I don't have access to FireEye reporting, so hopefully we can find it. But what was really cool is the actor was again very meticulous: each payload that I looked at was literally compiled a day or two before the campaign started. So they were building each individual payload for each victim that they were going after, which is pretty unique for an actor to do. A lot of times actors will spit out one payload and send it to a bunch of people; in this case they were really going in, configuring it specifically for that victim, sending it, and they could track all their pieces of malware based off of this. So it was pretty cool. Again, the latest piece actually had a debug and persistence switch in the config, and hopefully in the blog we'll have the exact bytes where that's at, so if you do come across this malware you'll know what byte to flip on. But if you look at it in IDA, it's pretty easy to see the chain of events that have to happen for the debug to happen.

So the beacon traffic itself, for those that are interested in network traffic from a defender standpoint, this is kind of what it looks like. I highlighted values in blue because these are generated randomly on the system, but all the stuff in red, other than the payload, or the actual data, the header information is hard-coded in the malware. So you can sig on the user agent, which I don't think in this case is super unique, but there are some other things in there that you might be able to write signatures on, specifically the file name with "image"; that blue portion is filled in through format strings, for example. So you can write some signatures on that. But basically it's made to look like a PNG: they slap the PNG header on the front, they do a POST to the C2, and then they're off to the races getting data.

The data itself is actually encrypted using AES-128, so that's not super unique or anything, but what was unique is the key generation for the actual encryption. A lot of times bad guys will put the key hard-coded into the malware and go from there and use that, obviously, as the key for the encryption. In this case they followed a very weird chain of events, but basically they generate a 64-byte value using the Microsoft API, and then what they did is they prepended this string, secure32.lib, to the front of that 64-byte value, so now they have, whatever it is, 75 bytes or something. And then what they do is they take a SHA-256 of that full value, and that will spit out a 32-byte value that they then split into two 16-byte values, and they use the first one as the key and then the second one as the IV. And then each time they encrypt the next package they throw the IV on the top of the data, so it's able to be decrypted in CBC mode on the back end. So it was kind of a unique way of generating the key here, but it was pretty interesting to me. Previous versions actually used the string "hello everyone"; we're talking the ones back in the like January to March timeframe. And I think they've changed that to a more benign type string now because everyone started sigging on "hello everyone"; they wanted to look more professional, I guess. But older versions used that as the prepended value instead of the secure32.lib. And the decrypted data, once you decrypt it, is really nothing super special, it's just MAC address, username, system name, IP address, etc. So that's basically the malware.

But I did want to go through some final things about the actor in particular. Here's the mathematician joke, come on, it's a good one. I want to talk about the attribution caveats; there were a couple of things, and also I always like to kind of throw in some defense and detection strategies for those people that are involved in that sort of thing.

So on the attribution, FireEye specifically says that this is probable APT40. I only have the tweet from Nick basically saying this, but I've talked to them and they still don't definitively tie this to the actor. I will say that the malware itself is only unique to this actor that I see, so that is kind of an indication that it's them, but still, my official stance with our reporting is that with moderate confidence this is Leviathan, or APT40. The reason I say moderate confidence is there were some data points, going through when I was writing the report, that I found that made me second-guess whether this is actually them or not, and I really can't account for why this happened. But in particular, there was one user that was actually targeted with a different malware called NETEAGLE about a week before they were targeted with DADJOKE. So it was kind of interesting. The NETEAGLE malware in particular is usually attributed to APT30, a different Chinese-based actor. So it says to me one of a few things: either APT30 and APT40 aren't talking to each other and they're both targeting the same victim, I think that might be the case, but it could also mean that APT30 and 40 might be the same person. I'm not really sure, but I think that they're just stepping on each other's toes because they have the same directive, and there are many, many teams coming out of China. So this is one of those cases where you have a collision.

More interestingly, though, we had this actor group, or this activity group, that we called Perfanli, pardon if it's spelled wrong; I think some people call it Profanli, which was actually the name in the malware. But we have this cluster of activity that we never really had attributed to anybody previously; we just knew it as a cluster, we didn't have an actor with it. What I saw with this, which was really interesting, is that at the end of 2018 I saw Perfanli being backed out of systems and then them being targeted with DADJOKE immediately after. So in December they removed that, and then in January there was targeting by DADJOKE at the same target. So I think it kind of indicates that potentially Profanli, if anybody else has ever tracked that activity, might be another tool or cluster from the Leviathan actor. I'm not really sure; I'd love to talk to some people if they're familiar with that.

So on to detection. I mentioned earlier, the easiest thing is those three URLs. If you're looking at the perimeter, basically at GET requests coming out of your network, you're able to pretty easily sig on those URLs that I highlighted in white. We have had one false positive on that; some other website actually uses those parameters. It's pretty rare, and we just put in a little whitelist and it was fine; we haven't really seen any other false positives since then. So that's pretty easy detection. Secondly, if you have the ability to detect macros, and I would say you should look into something that lets you look into macro code, but if you do have that ability, or if you do break those out based on attachments in your mail server or whatever, looking for those unique InlineShapes values that I mentioned earlier is a pretty easy sig to write, and it indicates that you're looking at DADJOKE malware. And then finally, a lot of people don't have this ability, but it needs to become more prevalent, is looking in memory. A lot of actors nowadays are moving to the fileless type malware, and the only way you're going to detect it is in memory. So in this case we couldn't detect the loader DLL, because there were so many changes that happened over the period of 8 months or 10 months, so we focused on the actual main payload once it's loaded in memory, or at least decompressed in memory, and this was a pretty good sig to look at as well, and you can stop it before it's actually called. So again, static detection on the loader was pretty tough, so looking on disk is not that easy to do.

If you do business in Southeast Asia, or if you're a defense contractor, or if you deal in naval technologies, you probably should know about this actor. I'm hoping that if you do, you are aware of APT40, but if not, go read about them; they're super important to your business. And then finally, obviously, user awareness. I put it in all my slides, but we don't do it enough. We need to train our users more and more; they're the front lines of defense. So, you know, please let them know about what these spears look like, how this actor in particular is going after people, and let the defense attaché types know about this training as well, not just your normal staff, because those are the ones being targeted. So at that point I'll take any questions. Those are my kids; this is usually the reaction I get every time I tell a dad joke. They don't quite get them, but I do. So that's it. Thank you.
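The perimeter detection the talk describes, the macro's three ordered GET requests (username and hostname parameters, then a=exe, then a=run, all to the same server), as an added example that is not part of the talk or of any Kaspersky or FireEye tooling. It assumes the query parameter names are literally `username` and `hostname`, and it runs over constructed proxy log lines, not real traffic; the ordering requirement is what keeps a lone a=run from an unrelated site (the one false positive mentioned in the talk) from firing.

```python
"""Flag clients that emit the DADJOKE macro's three tracking requests in order."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log: "timestamp client method url" (not from the talk).
SAMPLE_LOG = """\
2019-08-29T09:00:01 10.1.1.5 GET http://example-c2.invalid/update?username=jdoe&hostname=WS-0412
2019-08-29T09:00:02 10.1.1.9 GET http://cdn.example.invalid/assets/logo.png
2019-08-29T09:00:03 10.1.1.5 GET http://example-c2.invalid/update?a=exe
2019-08-29T09:00:04 10.1.1.7 GET http://other.example.invalid/api?a=run
2019-08-29T09:00:05 10.1.1.5 GET http://example-c2.invalid/update?a=run
2019-08-29T09:00:06 10.1.1.7 GET http://other.example.invalid/api?username=x&hostname=y
"""

# The three stages in the order the macro emits them.
STAGE_MACRO_RAN, STAGE_EXE_OUT, STAGE_RUN = 0, 1, 2
STAGE_NAMES = ("macro ran", "exe extracted", "loader running")


def classify_request(url):
    """Map a URL to one of the three tracking stages, or None if it is unrelated."""
    params = parse_qs(urlsplit(url).query)
    if "username" in params and "hostname" in params:   # assumed parameter names
        return STAGE_MACRO_RAN
    if params.get("a") == ["exe"]:
        return STAGE_EXE_OUT
    if params.get("a") == ["run"]:
        return STAGE_RUN
    return None


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, url)."""
    ts, client, method, url = line.split(maxsplit=3)
    return ts, client, method, url


def find_tracking_sequences(log_text):
    """Return one alert per (client, server) pair that completes all three stages in order.

    A request only advances the per-pair state machine when it is the next
    expected stage, so an isolated a=exe or a=run never alerts on its own.
    """
    progress = defaultdict(lambda: {"next": STAGE_MACRO_RAN, "seen_at": []})
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = parse_line(line)
        if method != "GET":
            continue
        stage = classify_request(url)
        if stage is None:
            continue
        key = (client, urlsplit(url).hostname)
        state = progress[key]
        if stage == STAGE_MACRO_RAN:
            # A fresh "macro ran" beacon always restarts the chain for this pair.
            state["next"], state["seen_at"] = STAGE_EXE_OUT, [ts]
        elif stage == state["next"]:
            state["seen_at"].append(ts)
            state["next"] = stage + 1
            if stage == STAGE_RUN:
                alerts.append({"client": client, "host": key[1],
                               "seen_at": list(state["seen_at"]),
                               "stages": list(STAGE_NAMES)})
                del progress[key]   # chain complete; start fresh if it recurs
    return alerts


if __name__ == "__main__":
    for alert in find_tracking_sequences(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['host']}: {alert['seen_at']}")
```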