Attribution 2 - area41.io

Post on 08-Nov-2018


Attribution 2.0

Costin Raiu (@craiu)

Director of GReAT

Kaspersky Lab

OUR RESEARCH (BEFORE 2017)

[Timeline slide, 2010–2016, listing the research: Stuxnet, Duqu, Gauss, Flame, miniFlame, NetTraveler, Miniduke, RedOctober, Icefog, Winnti, Kimsuky, TeamSpy, Epic Turla, CosmicDuke, Regin, Careto / The Mask, Energetic Bear / Crouching Yeti, Darkhotel, Darkhotel part 2, MsnMM campaigns, Satellite Turla, Wild Neutron, Blue Termite, Spring Dragon, Desert Falcons, Hellsing, Sofacy, Carbanak, Equation, Naikon, Animal Farm, Duqu 2.0, ProjectSauron, Saguaro, StrongPity, Ghoul, Fruity Armor, ScarCruft, Poseidon, Lazarus, Lurk, GCMan, Danti, Adwind, Dropping Elephant, Metel]

The problem of attribution

The 2016 USA elections

Before the elections, there was “Guccifer”

• Aka “Marcel Lazăr Lehel”
• Occupation: Romanian hacker, taxi driver
• “the style of Gucci and the light of Lucifer”
• Had no skills, no knowledge except what he found on the web
• Hacked: Colin Powell, Rockefeller family, FBI/SS agents, Corina Cretu, George Maior
• Called Maior (top man in Romanian intelligence) a ‘skunk’ and asked him for money (Aug 2013)

https://www.nbcnews.com/news/us-news/hacker-guccifer-claims-he-got-hillary-clinton-s-server-n568911

DNC Hack – introducing Guccifer 2.0

Guccifer 2.0 interview by Lorenzo Franceschi-Bicchierai / Motherboard

• And where are you from?
• From Romania.
• Ai vrea să vorbească în română pentru un pic? [You want to talk for a bit in Romanian?]
• Vorbiți limbă română? [Speak Romanian?]
• De ce ai pus metadate rusă în primul lot de documente? [Why did you put Russian metadata in the first batch of documents?]
• Este filigranul meu [It is my watermark]
• Puteți găsi de asemenea alte filigrane în limbă spaniolă. Caută mai bine. [You can also find other watermarks in Spanish. Look better]
• Oare nu știți ce este filigran? [You do not know what a watermark is?]

https://motherboard.vice.com/en_us/article/yp3bbv/dnc-hacker-guccifer-20-full-interview-transcript

Code similarity big stories

May 12, 2017…

How did they do it?

• 2011 – Google buys Zynamics
• 2014 – “CPU time is cheap. You just spin 10,000 machines and do a string search in parallel”
• 2015 – Me asks for CAPEX to buy 10,000 machines. Answer: you’ve guessed it.
• …
• 2017 – Google links Wannacry to Lazarus

Problem: find common code between files

• Easy approach: generate all 8-16-byte strings for all files in our collection. For new files, check overlaps.
• Problems:
  • Collection too big.
  • Capex too small.
• How to solve it?

Introducing: APT similarity hunting with Yara

Solution – multi step

• Identify relevant code in a file
• Extract _ONLY_ “interesting” strings
• Create a whitelisting database of strings from clean files
• Extract interesting strings from new samples that are not in the whitelist db
• Make a Yara rule


Define “Relevant”

• A 100k file has 102,384 16-byte substrings
• After filtering out “known clean” we still have 30k substrings
• How do we know which ones are interesting and which ones are not?

55 8B EC 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 83
20 00 CC CC CC CC CC CC CC CC CC CC CC CC

push ebp
mov ebp,esp
mov eax,fs:[000000030]
mov eax,[eax][00C]
mov eax,[eax][00C]
sub esp,00C

Sample rule

[Yara rule shown as image] Shellcode fragments that do not appear in any clean samples but appear in all ShadowPad 64 bit samples.

Improvements:

• Generate Yara rule on a new malware sample
• Test it against your big APT samples collection
• Find if it detects samples from another APT by shared common code
• Modify the rule to detect only the family’s common code
• Run the new rule on KLARA and/or VTMIS
• Find other samples produced by the same actor

Our code similarity system

• processed samples / day ~ 250 K
• known, good samples - 28 mln
• known, good strings - ~4 bln
• known, good opcode sequences - ~8 bln

Output: Yara rules and similarity profiles

Attributing APT malware by common code

The ShadowPad APT

• We found a high end APT implant hidden in management software during IR at a bank
• We worked with Netsarang to mitigate the problem and remove infected software packages from website
• Code is similar to “PoisonPlug” used by a Winnti subset group

[Side-by-side code comparison: ShadowPad plugin vs. plugin from sample 378411F30AB0663AA5BB4267F67ECF7B observed in a Winnti incident]

The “CCleaner” incident

CCleaner malware – custom base64 encoding

Matches of the apt_ZZ_Cbkrdr_genotypes rule against the APT sample collection:

apt_ZZ_Cbkrdr_genotypes //AuroraPanda/Missle/e77e708924168afd17dbe26bba8621af
apt_ZZ_Cbkrdr_genotypes //AuroraPanda/Missle/ba86c0c1d9a08284c61c4251762ad0df
apt_ZZ_Cbkrdr_genotypes //AuroraPanda/Missle/35a4783a1db27f159d7506a78ca89101
apt_ZZ_Cbkrdr_genotypes //Zoxpng/8ad22f3e9e603ff89228f3c66d9949d9
apt_ZZ_Cbkrdr_genotypes //Hikit/ba86c0c1d9a08284c61c4251762ad0df
apt_ZZ_Cbkrdr_genotypes //Hikit/35a4783a1db27f159d7506a78ca89101
apt_ZZ_Cbkrdr_genotypes //Hikit/hhkt_2014_2/Samples/ZoxFamily/07f93e49c7015b68e2542fc59…d
apt_ZZ_Cbkrdr_genotypes //Hikit/hhkt_2014_2/Samples/ZoxFamily/0375b4216334c85a4b29441a…2
apt_ZZ_Cbkrdr_genotypes //Hikit/hhkt_2014_2/Samples/ZoxFamily/ee362a8161bd442073775363…0
apt_ZZ_Cbkrdr_genotypes //Gresim_ZoxPNG/07f93e49c7015b68e2542fc591ad2b…d
apt_ZZ_Cbkrdr_genotypes //Gresim_ZoxPNG/0375b4216334c85a4b29441a3d37e…2
apt_ZZ_Cbkrdr_genotypes //Gresim_ZoxPNG/ee362a8161bd442073775363bf5fa1…0

The “CCleaner” incident

• APT samples with the same code: Missl, Zoxpng/Gresim, Hikit

BTW, what is MISSL?

https://www.youtube.com/watch?v=NFJqD-LcpIg

“families of malware range in uniqueness from extremely common (Poison Ivy, Gh0st, ZXshell) to more focused tools used by Axiom and other threat groups directed by the same organization (Derusbi, Fexel) to tools only seen used by Axiom (ZoxPNG/ZoxRPC, Hikit).”

Novetta, Operation “SMN” Axiom Threat Actor Group Report
www.novetta.com/2015/06/operation-smn-full-report/

Regin rule

Yara finds Shadowbrokers’ cnli-1.dll

Shadowbrokers dump libraries? cnli-1.dll exports: CNE?

Regin / cnli-1.dll shared code example:
Regin sample: 66afaa303e13faa4913eaad50f7237ea
cnli-1.dll: 07cc65907642abdc8972e62c1467e83b

The Lamberts APT

Timeline of discoveries:
BlackLambert discovery: Oct 2014
BlackLambert analysis: Oct 2015
GreenLambert analysis: Oct 2016
BlueLambert analysis: Dec 2016
WhiteLambert: Jan 2017
PinkLambert: March 2017
GrayLambert: June 2017
RedLambert: Aug 2017
BrownLambert: Oct 2017
Total: 3 years

The Lamberts

WhiteLambert 1.2 driver: 2f60906ca535eb958389e6aed454c2a2
BlackLambert font exploit: 99ef1e473ac553cf80f6117b2e95e79b
BrownLambert: 6c466283e7f8757973ba253aa6080d8c

Wannacry rule
Catches: BlueNoroff, ManusCrypt, Decafett

ScarCruft rule
Catches: DarkHotel samples

[Meme slide: “Yara with opcodes” versus “Your old Yara rules”, and “You”]

Attribution 2.0?

Attribution 2.0

• Tasks which took months (years?) can now be done in minutes
• Technology will become ubiquitous in 2-3 years
• Attributing attacks can be partly automated
• Effect: more false flags
  • Think Lazarus malware with Russian keywords evolved
  • OlympicDestroyer
• Effect: more scripting, reliance on automated tools
  • PowerShell, CobaltStrike to Metasploit

[Diagram: THE INFORMATION WAR: cyber espionage, mass opinion manipulation, cyber sabotage; malware]

Stay foolish, stay GReAT!

HAPPY HUNTING! ;)

@craiu

Less talk, more hashes