Attribution 2 - area41.io · Guccifer 2.0 interview by Lorenzo Franceschi-Bicchierai / Motherboard...

Date post: 08-Nov-2018
Transcript

Page 1

Attribution 2.0

Costin Raiu (@craiu)
Director of GReAT
Kaspersky Lab

Page 2

OUR RESEARCH (BEFORE 2017)

Timeline graphic with year markers 2010, 2011, 2012, 2013, 2014, 2015 and 2016; research names recovered from the slide, in the order they appear: Darkhotel part 2, MsnMM Campaigns, Satellite Turla, Wild Neutron, Blue Termite, Spring Dragon, Stuxnet, Duqu, Gauss, Flame, miniFlame, NetTraveler, Miniduke, RedOctober, Icefog, Winnti, Kimsuky, TeamSpy, Epic Turla, CosmicDuke, Regin, Careto / The Mask, Energetic Bear / Crouching Yeti, Darkhotel, Desert Falcons, Hellsing, Sofacy, Carbanak, Equation, Naikon, Animal Farm, Duqu 2.0, ProjectSauron, Saguaro, StrongPity, Ghoul, Fruity Armor, ScarCruft, Poseidon, Lazarus, Lurk, GCMan, Danti, Adwind, Dropping Elephant, Metel.

Page 3

The problem of attribution

Page 4

The 2016 USA elections

Page 5

Before the elections, there was “Guccifer”

Page 6

Before the elections, there was “Guccifer”

• Aka “Marcel Lazăr Lehel”
• Occupation: Romanian hacker, taxi driver
• “the style of Gucci and the light of Lucifer”
• Had no skills, no knowledge except what he found on the web
• Hacked: Colin Powell, Rockefeller family, FBI/SS agents, Corina Cretu, George Maior
• Called Maior (top man in Romanian intelligence) a ‘skunk’ and asked him for money (Aug 2013)

https://www.nbcnews.com/news/us-news/hacker-guccifer-claims-he-got-hillary-clinton-s-server-n568911

Page 7

DNC Hack – introducing Guccifer 2.0

Page 8

Guccifer 2.0 interview by Lorenzo Franceschi-Bicchierai / Motherboard

• And where are you from?
• From Romania.
• Ai vrea să vorbească în română pentru un pic? [You want to talk for a bit in Romanian?]
• Vorbiți limbă română? [Speak Romanian?]
• De ce ai pus metadate rusă în primul lot de documente? [Why did you put Russian metadata in the first batch of documents?]
• Este filigranul meu [It is my watermark]
• Puteți găsi de asemenea alte filigrane în limbă spaniolă. Caută mai bine. [You can also find other watermarks in Spanish. Look better]
• Oare nu știți ce este filigran? [You do not know what is a watermark?]

https://motherboard.vice.com/en_us/article/yp3bbv/dnc-hacker-guccifer-20-full-interview-transcript

Page 9

Page 10

Code similarity big stories

Page 11

May 12, 2017…

Page 12

Page 13

Page 14

Page 15

How did they do it?

• 2011 – Google buys Zynamics
• 2014 – “CPU time is cheap. You just spin 10,000 machines and do a string search in parallel”
• 2015 – Me asks for CAPEX to buy 10,000 machines. Answer: you’ve guessed it.
• …
• 2017 – Google links Wannacry to Lazarus

Page 16

Page 17

Page 18

Problem: find common code between files

• Easy approach: generate all 8-16-byte strings for all files in our collection. For new files, check overlaps.
• Problems:
  • Collection too big.
  • Capex too small.
• How to solve it?

Page 19

Introducing: APT similarity hunting with Yara

Page 20

Solution – multi step

• Identify relevant code in a file
• Extract _ONLY_ “interesting” strings
• Create a whitelist database of strings from clean files
• Extract interesting strings from new samples that are not in the whitelist db
• Make a Yara rule

Page 21

Define “Relevant”

• A 100k file has 102,384 16-byte substrings
• After filtering out “known clean” we still have 30k substrings
• How do we know which ones are interesting and which ones are not?

Page 22

55 8B EC 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 83 20 00 CC CC CC CC CC CC CC CC CC CC CC CC

push ebp
mov ebp,esp
mov eax,fs:[000000030]
mov eax,[eax][00C]
mov eax,[eax][00C]
sub esp,00C

Page 23

Sample rule

Shellcode fragments that do not appear in any clean samples but appear in all ShadowPad 64 bit samples.

Page 24

Improvements:

• Generate Yara rule on a new malware sample
• Test it against your big APT samples collection
• Find if it detects samples from another APT by shared common code
• Modify the rule to detect only the family’s common code
• Run the new rule on KLARA and/or VTMIS
• Find other samples produced by the same actor
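The multi-step pipeline of the “Solution”, “Define Relevant” and “Improvements” slides, as an added Python toy that is not code from the talk or from Kaspersky’s similarity system: cut files into 16-byte windows, whitelist every window seen in clean files, keep the windows common to all family samples and absent from the whitelist, drop low-entropy padding (the CC run on page 22 is the kind of fragment this discards), and emit a Yara hex-string rule. Function names, the entropy threshold and all sample bytes are constructed for illustration; the real system also scores opcode sequences, which this toy does not.

```python
import math
from collections import Counter

def substrings(data, n=16):
    """Every overlapping n-byte window of a file (a 100k file yields ~100k)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def entropy(window):
    """Shannon entropy (bits per byte) of one window."""
    counts = Counter(window)
    return -sum(c / len(window) * math.log2(c / len(window)) for c in counts.values())

def interesting(window, min_entropy=2.5):
    """Drop padding and other low-information windows (runs of CC/00, repeated text)."""
    return entropy(window) >= min_entropy

def build_whitelist(clean_files):
    """Union of all windows seen in known-clean files."""
    whitelist = set()
    for data in clean_files:
        whitelist |= substrings(data)
    return whitelist

def family_genotypes(family_files, whitelist):
    """Windows present in EVERY family sample and in NO clean file, padding removed."""
    common = set.intersection(*(substrings(d) for d in family_files))
    return sorted(w for w in common - whitelist if interesting(w))

def yara_rule(name, fragments, min_match=1):
    """Emit a Yara rule with one hex string per surviving fragment."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, frag in enumerate(fragments):
        hexstr = " ".join(f"{b:02X}" for b in frag)
        lines.append(f"        $s{i} = {{ {hexstr} }}")
    lines += ["    condition:", f"        {min_match} of ($s*)", "}"]
    return "\n".join(lines)

# Constructed data (not real malware): two clean files; two family samples that share a
# known-clean library chunk plus a PEB-walk prologue like the slide's, then CC padding.
CLEAN = [bytes(range(256)) * 2, b"Hello, world! " * 40]
LIB = b"Hello, world! " * 2  # also present in a clean file, so it gets whitelisted
PAYLOAD = bytes.fromhex("558BEC64A1300000008B400C8B400C83EC0C") + b"\xCC" * 16
FAMILY = [b"A" * 40 + LIB + PAYLOAD + b"\x00" * 40, b"B" * 30 + PAYLOAD + LIB + bytes(range(1, 51))]
def demo():
    """Run the pipeline on the constructed data; returns (fragments, rule text)."""
    frags = family_genotypes(FAMILY, build_whitelist(CLEAN))
    return frags, yara_rule("apt_ZZ_constructed_genotypes", frags, min_match=2)

if __name__ == "__main__":
    print(demo()[1])
```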

Page 25

Our code similarity system

• processed samples / day ~ 250 K
• known, good samples - 28 mln
• known, good strings - ~4 bln
• known, good opcode sequences - ~8 bln

Output: Yara rules and similarity profiles

Page 26

Attributing APT malware by common code

Page 27

The ShadowPad APT

• We found a high end APT implant hidden in management software during IR at a bank
• We worked with Netsarang to mitigate the problem and remove infected software packages from website
• Code is similar to “PoisonPlug” used by a Winnti subset group

Page 28

Side-by-side code comparison (figure): ShadowPad plugin; plugin from sample observed in Winnti incident 378411F30AB0663AA5BB4267F67ECF7B

Page 29

The “CCleaner” incident

Page 30

CCleaner malware – custom base64 encoding

Page 31

The “CCleaner” incident

• APT samples with the same code:
  • Missl, Zoxpng/Gresim, Hikit

Yara matches shown on the slide:

apt_ZZ_Cbkrdr_genotypes //AuroraPanda/Missle/e77e708924168afd17dbe26bba8621af
apt_ZZ_Cbkrdr_genotypes //AuroraPanda/Missle/ba86c0c1d9a08284c61c4251762ad0df
apt_ZZ_Cbkrdr_genotypes //AuroraPanda/Missle/35a4783a1db27f159d7506a78ca89101
apt_ZZ_Cbkrdr_genotypes //Zoxpng/8ad22f3e9e603ff89228f3c66d9949d9
apt_ZZ_Cbkrdr_genotypes //Hikit/ba86c0c1d9a08284c61c4251762ad0df
apt_ZZ_Cbkrdr_genotypes //Hikit/35a4783a1db27f159d7506a78ca89101
apt_ZZ_Cbkrdr_genotypes //Hikit/hhkt_2014_2/Samples/ZoxFamily/07f93e49c7015b68e2542fc59…d
apt_ZZ_Cbkrdr_genotypes //Hikit/hhkt_2014_2/Samples/ZoxFamily/0375b4216334c85a4b29441a…2
apt_ZZ_Cbkrdr_genotypes //Hikit/hhkt_2014_2/Samples/ZoxFamily/ee362a8161bd442073775363…0
apt_ZZ_Cbkrdr_genotypes //Gresim_ZoxPNG/07f93e49c7015b68e2542fc591ad2b…d
apt_ZZ_Cbkrdr_genotypes //Gresim_ZoxPNG/0375b4216334c85a4b29441a3d37e…2
apt_ZZ_Cbkrdr_genotypes //Gresim_ZoxPNG/ee362a8161bd442073775363bf5fa1…0

Page 32

BTW, what is MISSL?

https://www.youtube.com/watch?v=NFJqD-LcpIg

Page 33

“families of malware range in uniqueness from extremely common (Poison Ivy, Gh0st, ZXshell) to more focused tools used by Axiom and other threat groups directed by the same organization (Derusbi, Fexel) to tools only seen used by Axiom (ZoxPNG/ZoxRPC, Hikit).”

Novetta, Operation “SMN” Axiom Threat Actor Group Report
www.novetta.com/2015/06/operation-smn-full-report/

Page 34

Regin rule

Yara finds Shadowbrokers’ cnli-1.dll

Page 35

Shadowbrokers dump libraries?

cnli-1.dll exports: CNE?

Page 36

Regin / cnli-1.dll shared code example:

Regin sample 66afaa303e13faa4913eaad50f7237ea
cnli-1.dll 07cc65907642abdc8972e62c1467e83b

Page 37

The Lamberts APT

Page 38

Timeline of discoveries:

BlackLambert discovery: Oct 2014
BlackLambert analysis: Oct 2015
GreenLambert analysis: Oct 2016
BlueLambert analysis: Dec 2016
WhiteLambert: Jan 2017
PinkLambert: March 2017
GrayLambert: June 2017
RedLambert: Aug 2017
BrownLambert: Oct 2017

Total: 3 years

Page 39

Page 40

The Lamberts

WhiteLambert 1.2 driver: 2f60906ca535eb958389e6aed454c2a2
BlackLambert font exploit: 99ef1e473ac553cf80f6117b2e95e79b
BrownLambert: 6c466283e7f8757973ba253aa6080d8c

Page 41

Wannacry rule

Catches: BlueNoroff, ManusCrypt, Decafett

Page 42

ScarCruft rule

Catches: DarkHotel samples

Page 43

Yara with opcodes
Your old Yara rules
You

Page 44

Attribution 2.0?

Page 45

Attribution 2.0

• Tasks which took months (years?) can now be done in minutes
• Technology will become ubiquitous in 2-3 years
• Attributing attacks can be partly automated
• Effect: more false flags
  • Think Lazarus malware with Russian keywords evolved
  • OlympicDestroyer
• Effect: more scripting, reliance on automated tools
  • PowerShell, CobaltStrike to Metasploit

Page 46

THE INFORMATION WAR (diagram): CYBER ESPIONAGE, MASS OPINION MANIPULATION, CYBER SABOTAGE; Malware

Page 47

Stay foolish, stay GReAT!

HAPPY HUNTING! ;)

@craiu

Less talk, more hashes