Abusing third-party cloud services in · 2019. 10. 9. · Abusing third-party cloud services in...

Abusing third-party cloud services in targeted attacks

Daniel Lunghi (@thehellu), Jaromir Horejsi (@JaromirHorejsi)

October 02, 2019, Virus Bulletin, London, UK

Outline

• Introduction

• General comparison of two malware infrastructures• Custom

• Cloud based

• Selected APT cases• Presentation of the malware operation

• Advantages and disadvantages from an attacker perspective

• Conclusion

Introduction

• Cloud services abuse is not something new• “C&C-as-a-Service” presentation at VB in 2015

• This talk focuses on cloud abuse in the context of targeted attacks that we investigated

• Goals:• Show different real implementations of cloud abuse

• Find how, as defenders, we can leverage this setup to our advantage

Custom malware infrastructure

• Developed and maintained by threat actor

• Costly• Domain name(s), server(s) hosting, data storage, bandwidth …

• Time consuming• Design, implementation and testing of the communication protocol

• Installation and maintenance of the C&C server(s)

Custom malware infrastructure

• Disadvantages• Easier to monitor/block/sinkhole/seize

• Higher probability of flaws in the communication protocol

• Difficult to assess the reliability in real conditions

• Advantage• You choose to implement whatever funny idea you like

Cloud malware infrastructure

• Advantages• Developed, maintained and operated by knowledgeable third party

• Cheaper (often free)

• API

• Higher reliability

• Harder to block/monitor/seize

• Disadvantage• Constrained by the features the cloud services provide

Selected APT cases

Patchwork

Known targeted countries

Patchwork – Badnews

• “Badnews” backdoor

• A mix of both alternatives

1. HTTPS GET request

2. Encrypted C&C

3. Connect to C&C

• Hardcoded and encoded (sub 0x01) URL addresses

• Examples of encoded configuration

• Encryption uses XOR & ROL

• Versions after November 2017 added a layer of blowfish

encryption

• C&C is usually a PHP script hosted in a web server without

domain name

rp3f.strangled.net

185.29.11.59

Confucius

Confucius – Swissknife

• “Swissknife” stealer

• Uses Dropbox API to upload documents with selected extensions

(.pdf, .doc, .docx, .ppt, .pptx, .xls, and .xlsx)

HTTPS POST request

API key in “Authorization” header

• API key in decompiled code

• File downloader in Python using Dropbox API

• Enumerating the deleted files

• Enumerating the deleted folders

Confucius – pCloud

• “pCloud” stealer

• Uses pCloud API to upload documents with selected extensions (.pdf,

.doc, .docx, .ppt, .pptx, .xls, and .xlsx)

HTTPS POST request

Embeds login/password

• Using pCloud API to list files

• Content from attacker’s machine

Confucius – TweetyChat

• “TweetyChat”, backdoored Android chat application

1. Register to C&C

2. Send commands3. Upload stolen files

awsAccessKey/awsSecretKeyUpdate AWS credentials

3. Upload SMS, contacts, call logs

• awsAccessKey and awsSecretKey are not hardcoded

• AWS keys are updated through Google Cloud Messaging platform (Firebase Cloud Messaging in newer versions)

• Google Cloud/ Firebase message receiver

• Calling PutObjectRequest to “upload a new object to the specified Amazon S3 bucket”

• As usual, operators test the malware on their own devices…

MuddyWater

MuddyWater – CloudSTATS

• “CloudSTATS” backdoor

1. Register

Put “.reg” file

2. Send command

Put “.cmd” file3. Read command

4. Send command results

Put encoded “.res” file

• Hardcoded API keys

• Check existing folder/victim

• Asynchronous C&C communication

• Files with extensions (cmd, reg, prc, res)

• .reg file

• .res file

MuddyWater – Telegram

• Android mobile app, Telegram exfiltration

3. Upload stolen information

2. Send commands BotID & ChatID

1. Register to C&C

• .com.telegram.readto.client.ProcessCommand

• Timer sending all data once a day

• Code for exfiltration all system information

• Metadata of the Telegram account

Country of interest

SLUB v1

HTTPS requestCheck for commands

HTTPS requestSend results

HTTPS requestSend stolen files

SLUB v1

• Malware delivered via waterholing of websites related to North Korea

• Read gist snippet for commands to execute

• ^ and $ encapsulate active commands

SLUB v1/v2

• Hardcoded Slack token

• Slack token’s o-auth scopes

SLUB v1/v2

• Exfiltration via file.io, link sent to Slack

SLUB v2

• Newer version from July 2019• GitHub is not used anymore

• Operator creates a Slack workspace

• A separate channel named <user_name>-<pc_name> is created in the workspace for each infected machine

• Commands to execute sent via messages pinned to a victim-specific channel

• Victim machine reads pinned messages from its dedicated channel, parses the message, and executes the requested command

SLUB v2

HTTPS requestCheck commands and send results

HTTPS requestSend stolen files

HTTP requestCheck for new Slack token

SLUB v2

• Configuration update

• New token between HELLO^, WHAT^ and !!! tokens

SLUB v1

• Gist revisions show activation of specific commands

SLUB v1/v2

• Using Slack API in Python

SLUB v2

• File & exec operations

SLUB v1/v2

• Screenshot upload

• Screenshot download (using API key and path to the file)

SLUB v1

Conclusion

• Abusing cloud service providers is a worldwide trend

• Such services can be used for different purposes:

• To store a reference used by the malware (C&C …)

• To store the stolen data

• To store all the commands and data

• This behavior brings benefits not only to the attackers, but

also to the defenders, and without the need to “hack back”

References

• Patchwork: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-

patchwork-cyberespionage-group/

• Confucius: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-

confucius-cyberespionage-operations/

• MuddyWater: https://blog.trendmicro.com/trendlabs-security-intelligence/new-

powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/

• https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-

multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/

• Slub v1: https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-

uses-github-communicates-via-slack/

• Slub v2: https://blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-

github-intensifies-slack-use/

Threats detected and blocked globally by Trend Micro in 2018. Created with real data by artist Daniel Beauchamp.

Abusing third-party cloud services in · 2019. 10. 9. · Abusing third-party cloud services in...

Documents

DOCUMENT RESUME EC 073 819 Horejsi, Charles R.; Berkley ...DOCUMENT RESUME ED 112 594 EC 073 819 AUTHOR Horejsi, Charles R.; Berkley,.Ann E. TITLE Deinstitutionalization and the Development

Abusing & Exploiting With Firefox Add-Ons1

Abusing Java Remote Interfaces

Abusing Windows Remote Management with Metasploit

Taesoo Kim Abusing Performance Optimization Weaknesses …csong/bhusa14-aslr.pdf•Abusing non-randomized data structures ... Abusing Collision Resolution bucket# ⇐ Hash(Number(1))

Abusing, & Exploiting DHCP

Abusing Target

OWASP Abusing PHP Sockets

Abusing Microsoft Kerberos: sorry you guys ... - Gentil Kiwiblog.gentilkiwi.com/.../Abusing-Microsoft-Kerberos-Sorry-You...It.pdf · Abusing Microsoft Kerberos sorry you guys don’tget

Abusing Symlinks on Windows

Abusing Firefox Extensions - Defcon

Abusing Software Defined Networks (Whitepaper) - Black … · Abusing Software Defined Networks Gregory Pickett, gregory.pickett@hellfiresecurity.com, @shogun7273 Introduction

Using and Abusing Government Intervention and abusing government...A Revised Version of this paper appears as: “Using and Abusing Government Intervention and Trade Policy,” In

Abusing text/template for data transformation

Abusing belkin home automation devices

2nd 9 Weeks Science Review Created and modified 1/3/2012 By: C. Horejsi

Abusing HTML 5 Client-side Storage

STATEMENT OF BRIAN L. HOREJSI, PhD. ADDRESSING GRIZZLY ...montanaforestplan.org/images/take-action/Dr... · STATEMENT OF BRIAN L. HOREJSI, PhD. ADDRESSING GRIZZLY BEAR RECOVERY February

USING WITHOUT ABUSING THE BIOSPHERE*

Abusing COM & DCOM objects