I Am Divergent: EMDIVI’s All Kinds of Attacks - RSA Conference

SESSION ID: TTA1-F02

#RSAC

I Am Divergent: EMDIVI’s All Kinds of Attacks

Pearl Charlaine Espejo
Sr. Threat Analyst, Trend Micro Inc.

RonJay Kristoffer Caragay
Sr. Threat Analyst, Trend Micro Inc.


I Am Divergent

V. Roth. Divergent. Summit Ent./HarperCollins © https://tempestbooks.files.wordpress.com/2014/03/divergent.jpg


Introduction and Overview of EMDIVI

Introduction

4

EMDIVI

Backdoor Malware - RAT

Targets Japan

Keeps on Improving

Encrypted Strings (Base64, MD5)

Name origin: M (“em”) ∙ D (“di”) ∙ V (“vi”)

© commons.wikimedia.org

Overview

5

What is a RAT?

Remote Access Tool / Remote Administration Tool / Remote Access Trojan

A piece of software that allows a remote "operator" to control a system as if he has physical access to that system.

© shutterstock.com

Overview

6

Entry: spear phishing emails, vulnerability exploits

Installation: drops a copy in the system, creates auto-start registry entries

Payload: backdoor routines (gathers system information, communicates with a C&C server)

Remote Access

Timeline of Attack Vector

7

[Timeline figure with marks at 08/2014, 09/2014, 11/2014, 05/2015 and 07/2015; a bar marks the spear phishing emails active period]

Attachment with fake icon

Document file attachment (medical receipts and health insurance subjects are used)

Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2014-7247)

Attack on Japan Pension Service

Drive by Download: Flash zero-day exploit (CVE-2015-5119)

Others: Targeted Attack using DLL Side Loading Technique

Infection Data

8

• Infection count from August 2014 to August 2015 based on Smart Protection Network


Infection Data

9

• Country distribution of C&C endpoints from 1H 2015


Analysis of EMDIVI

Arrival - SFX Trojan

11

Self-extracting archive (SFX): “an executable program which contains compressed data in an archive file combined with machine-executable program instructions to extract and run its contents”

[Figure: the email attachment is an SFX; it contains, and extracts to, EMDIVI and a fake document]


SFX example

12

SFX Trojan

Decoy Documents

Installation

13

Entry:

%User Temp%\{malware filename}.exe

%User Temp%\{decoy filename}.{ppt|doc|xls|pdf|jtd|etc}

Auto-Run:

%User Startup%\(unknown).lnk

%Common Startup%\(unknown).lnk

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
(unknown) = "%User Temp%\(unknown).exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%User Temp%\(unknown).exe,"

Timeline of Different Versions

14

EMDIVI versions from 2012-2015 (figure): t8, t9, t11, t15, t16, t17, t19, t20, t100

Versions Differences

15

Different versions may vary in:

Arrival Vector

Installation

Encryption and Decryption Routine

Set of Backdoor Commands

Set of Anti-Analysis related strings

Code Structure


Versions as Magic Numbers

16

Magic numbers

Version

Target

Release date

Random number


Decryption Routine

17

Magic numbers are used as a decryption key to decrypt encoded strings and data


Decryption Routine

18

These strings are:

API Name

Values/Parameters

URLs

Anti-analysis related

Registries Keys/Entries

Other Data

Decryption - Tools

19

Ver. t17
  Encrypt: XxTEA Encryption
  Decrypt: XxTEA Decryption
  Decryption key: MD5( MD5(base64(ver)) + MD5(enc_string) )

Ver. t19 and t20 (mid)
  Encrypt: XxTEA Decryption
  Decrypt: XxTEA Encryption
  Decryption key: scanf( "%x%x%x%x", Inc_Add(ver_key) )

Ver. t20 (early and late)
  Encrypt: AES Decryption
  Decrypt: AES Encryption
  Decryption key: Inc_Add(ver_key)[:24]

Emdivi decryption tool developed by JPCERT/CC
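Worked example of the t17 row above, added here and not the JPCERT/CC tool's own code: the key is derived as the slide writes it and fed to a Corrected Block TEA (XXTEA) routine, and because the t19/t20 (mid) rows only swap which direction is run, the same `xxtea` function with `decrypt` inverted covers them; a sample blob is constructed in-block since no ciphertext is on the page. Assumed, since the slide does not say: little-endian 32-bit words, the two inner MD5s as hex strings joined by `+`, the raw 16-byte outer digest as the key, NUL padding, and `enc_string` as a caller-supplied input.

```python
import base64
import hashlib
import struct
DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def _mx(s, y, z, p, e, k):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def xxtea(data, key, decrypt):
    # Corrected Block TEA; little-endian 32-bit words are an assumption
    k = struct.unpack("<4I", key)
    v = list(struct.unpack("<%dI" % (len(data) // 4), data))
    n, rounds = len(v), 6 + 52 // (len(data) // 4)
    if not decrypt:
        s, z = 0, v[n - 1]
        for _ in range(rounds):
            s = (s + DELTA) & MASK
            e = (s >> 2) & 3
            for p in range(n - 1):
                v[p] = (v[p] + _mx(s, v[p + 1], z, p, e, k)) & MASK
                z = v[p]
            v[n - 1] = (v[n - 1] + _mx(s, v[0], z, n - 1, e, k)) & MASK
            z = v[n - 1]
    else:
        s, y = (rounds * DELTA) & MASK, v[0]
        for _ in range(rounds):
            e = (s >> 2) & 3
            for p in range(n - 1, 0, -1):
                v[p] = (v[p] - _mx(s, y, v[p - 1], p, e, k)) & MASK
                y = v[p]
            v[0] = (v[0] - _mx(s, y, v[n - 1], 0, e, k)) & MASK
            y = v[0]
            s = (s - DELTA) & MASK
    return struct.pack("<%dI" % n, *v)

def t17_key(version, enc_string):
    # Slide: MD5( MD5(base64(ver)) + MD5(enc_string) ); hex concatenation and raw outer digest assumed
    inner = hashlib.md5(base64.b64encode(version.encode())).hexdigest()
    inner += hashlib.md5(enc_string.encode()).hexdigest()
    return hashlib.md5(inner.encode()).digest()

def encrypt_t17(text, version, enc_string):
    # Builds a constructed sample blob; NUL padding to >= 8 bytes, multiple of 4, is assumed
    raw = text.encode()
    raw = raw.ljust(max(8, (len(raw) + 3) // 4 * 4), b"\0")
    return xxtea(raw, t17_key(version, enc_string), decrypt=False)

def decrypt_t17(blob, version, enc_string):
    # The t17 string-decryption step: derive the key, XXTEA-decrypt, strip padding
    return xxtea(blob, t17_key(version, enc_string), decrypt=True).rstrip(b"\0").decode("utf-8", "replace")
```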


Decryption - Tools

20


Backdoor Commands

21

Files and Folders Manipulation

Download and Upload Files

Remote Shell

Gather Information

Gather Proxy settings

Enumerate Process

Clear Security Event Logs

Backdoor Commands

22

COMMAND    MD5
DOABORT    D895D96BC3AE51944B29D53D599A2341
COPY       E8606D021DA140A92C7EBA8D9B8AF84F
DIR        C1561B120842FABE1310417083827590
DISKLS     EA21A1D130824C10F688C61A497AF2F6
DOWNBG     39CD12D51B236BEFC5F939A552181D73
DOWNBG2    69E5E78D9A63F39B879B8C9C7F380523
DOWNLOAD   631152DAEFC8201C641FA7A37C397DCE
EXECUTE    5D76688E2261E6805EE36AD961B3FA7A
EXHIDE     5FDF5E85D443C9282632F811ADABD167
EXIT       A42B2FB0E720A080E79A92F4CA97D927
GET        7528035A93EE69CEDB1DBDDB2F0BFCC8
GETFILE    74A9D3A81B79EEC0AA2F849CBC8A7EFB
GETLNK     D1D8F3D2861AFAFE1C9B540C1BB069EE
GOTO       4B8BB3C94A9676B5F34ACE4D7102E5B9
HASH       50B7748612B28DB487D115F220BB77AB
HEAD       E15E216FC1C639F787B1231ECDFA1BF8
HJLNK      5CB5495170B88F3C83F67BF6B4BDB9D5
LOADDLL    67CA07ECB95C4055D2687815D0C0F8B9
MD         7DC10E66DA5549D351765BD940B81BE9
MKLNK      59EAFE5658C95A76BA3057F73610CEBB
MOVE       F7F93635F8E193A924AE4A691BB66B8F
POST       A02439EC229D8BE0E74B0C1602392310
RD         CD3C9BB8ACB671DBD1FABA3DEAA1E03E
RUNAS      BB13A3FDBE0D67E5F83E156350DE7AAD
SETCMD     48BB700B80557EE2E5CF06C90BA6698C
SETLEN     C9A9F4E85FC52C1D342DB857C7EE6C6B
SUSPEND    EE93A0B023CEF18B34EBFEE347881C14
TYPE       948495146FACADFE8859789036313D79
UPLOAD     8DFF5F89B87EBF91A1ECC1DBED3A6FBB
VERSION    021321E8C168BA3AE39CE3A2E7B3EC87
ZIP        4348F938BBDDD8475E967CCB47ECB234

COMMAND    MD5
abort      5BB94A1C12413A2E5D14DEABAB29F2AA
cd         6865AEB3A9ED28F9A79EC454B259E5D0
copy       12CBA3EE81CF4A793796A51B6327C678
dir        736007832D2167BAAAE763FD3A3F3CF1
diskls     E120A254F254978FC265354A4E79D1D6
doabort    1F6DCC1149B2EEF63F6DD4833D5EF0D3
downbg     1E04875A872812E1F431283244B180D2
downbg2    7F3E982A0D9B4AA5303332AAF414D457
download   FD456406745D816A45CAE554C788E754
download2  B5A4000C99977CE512052D4E8BF737F8
execute    EC0CD3CB91FE82B9501F62A528EB07A9
exhide     FC236C4DDD3414CEE8BD3CBD937461C0
exit       F24F62EEB789199B9B2E467DF3B1876B
exuser     0B5396D6BD0867485FF63067AD9363E7
get        B5EDA0A74558A342CF659187F06F746F
getfile    B24BA6D783F2AA471B9472109A5EC0EE
getlnk     71574CF393BF901EFFA0CBC6C37E4CE2
goto       DE94E676C0358EEFEA4794F03D6BDA4F
hash       0800FC577294C34E0B28AD2839435945
head       96E89A298E0A9F469B9AE458D6AFAE9F
hjlnk      EBB0149209E008E3F87E26659AA9B173
loaddll    0340B5E3F0D0EA71EEEF6AB890270FC0
md         793914C9C583D9D86D0F4ED8C521B0C1
mklnk      A3BB50704B87DA1858A46455DFB5E470
move       3734A903022249B3010BE1897042568E
post       42B90196B487C54069097A68FE98AB6F
postfile   316713CB9F82FF9ADE53712AB1CBF92C
postfile2  F15AE485061A10ADEAD43D7F5D5A9889
rd         EEEC033A2C4D56D7BA16B69358779091
runas      D88F585460839DD14AD3354BB0D5353B
screen     599EBA19AA93A929CB8589F148B8A6C4
setcmd     27DC2525548F8AB10A2532037A9657E0
setlen     846A44D63B02C23BCFEE5B4CCAA89D54
suspend    497927FB538C4A1572D3B3A98313CAB1
tasklist   6E0AD8E44CFF1B5D2901E1C7D166A2A4
type       599DCCE2998A6B40B1E38E8C6006CB0A
unzip      0A342B59ECDCEDE0571340B9ED11633F
upload     76EE3DE97A1B8B903319B7C013D8C877
version    2AF72F100C356273D46284F6FD1DFC08
zip        ADCDBD79A8D84175C229B192AADC02F2
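The tables above hold only MD5 digests: the backdoor compares MD5 of the received command token against them, and an analyst recovers the plaintext names by hashing candidate words. Added example, not code from the deck; it embeds a subset of the lowercase table's digests copied from the slide and a constructed candidate list.

```python
import hashlib

# Subset of the lowercase command table above (digests copied from the slide)
KNOWN_COMMAND_HASHES = {
    "F24F62EEB789199B9B2E467DF3B1876B", "0800FC577294C34E0B28AD2839435945",
    "2AF72F100C356273D46284F6FD1DFC08", "736007832D2167BAAAE763FD3A3F3CF1",
    "B5EDA0A74558A342CF659187F06F746F", "599DCCE2998A6B40B1E38E8C6006CB0A",
}

# Constructed candidate wordlist; real recovery would use a much larger one
CANDIDATES = ["dir", "ls", "exit", "quit", "hash", "version", "get", "put", "type", "cat"]

def command_hash(word):
    # The backdoor never stores command names, only MD5 digests of them
    return hashlib.md5(word.encode()).hexdigest().upper()

def accepts_command(received, hashes=KNOWN_COMMAND_HASHES):
    # Backdoor side: a received token is recognised only if its MD5 is in the table
    return command_hash(received) in hashes

def recover_command_names(hashes, candidates):
    # Analyst side: hash each candidate in both cases (the deck shows an
    # uppercase table and a lowercase table) and keep the ones that appear
    found = {}
    for word in candidates:
        for variant in (word.lower(), word.upper()):
            digest = command_hash(variant)
            if digest in hashes:
                found[digest] = variant
    return found

def unresolved_hashes(hashes, candidates):
    # Digests no candidate explained: these need a better wordlist or the binary
    return set(hashes) - set(recover_command_names(hashes, candidates))
```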


Network Communications

23

Hostname

Malware’s PID

Malware’s Version

OS Information

OS Language

Memory Size

Time Zone


Anti Analysis Routine

24

Hostnames:

wilbert-SC1508

xp-sp3-template

mip-xp-cht

CWS01_03

wilbert-SC2202

CWS05D102

dc-filesrv

Atony-PC

brbrb-d8fb22af1

placehol-6f699a


Anti Analysis Routine

25

Analysis Tools:

OllyDbg

W32Dasm

Wireshark

SoftICE

Process Explorer

Process Monitor

Process Hacker

Fiddler (Sept. 2014 onwards)


Attack Campaigns

Timeline of Attack Vector

27

(Repeats the attack-vector timeline of slide 7.)

Cloudy Omega

28

Arrival Vector:

Email is the predominant vector used in this campaign.

The content of the emails varies depending on the interest of the targeted organization.

Cloudy Omega

29

Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2014-7247)

[Figure: the email contains a malicious document, which drops the payload, EMDIVI]

Cloudy Omega – Ichitaro Payload

30

Shell Code

Start of shellcode found at 0xb6f5 using OfficeMalScanner

Decrypts code, then executes it

Cloudy Omega – Ichitaro Payload

31

Main Payload: decrypts the binary file from its data, then creates the file

Ver: t17.08.23.jtdmod/t17.08.23


Cloudy Omega – Ichitaro Payload

32

Decoy Document

Execute Drop Files

Blue Termite

33

Arrival Vector:

Initially spreads malware via spear phishing email

In July 2015, after the breach of the Hacking Team servers and the public disclosure of a zero-day exploit, it started using the watering hole technique

Flash zero-day exploit (CVE-2015-5119)

Blue Termite

34

Watering Hole Technique

Attacker gathers initial intelligence to determine which sites to target.

Attacker injects exploit into selected sites often visited by targeted victims.

Exploit drops the malware onto vulnerable systems.

Using the dropped malware, the attacker may now initiate malicious activities.

Blue Termite - Flash Payload

35

Website hosts movie.swf

Blue Termite - Flash Payload

36

Malicious Flash: LZMA compressed (Lempel–Ziv–Markov chain algorithm)

Blue Termite - Flash Payload

37

Action Script

Blue Termite - Flash Payload

38

Main Payload: UPX packed, Ver: t17.08.31.Gflash0709


Other Variants

DLL Side Loading

40

DLL Hijacking technique: “process by which malicious code is injected into an application via a malicious DLL with the same name as a DLL used by the application.”

[Figure: a normal PE file loads the malicious DLL file; the DLL reads and decrypts the configuration data and runs the code; payload: EMDIVI]

DLL Side Loading - Decryption

41

Gets the host’s SID

Decrypts the blob file with RC4, using the MD5 hash of the SID as the key

Decrypts the data again using its own algorithm

[Figure: Start → User SID → Compute MD5(SID) → 1st Decryption: RC4-decrypt the blob file using the MD5 hash as key → 2nd Decryption → 3rd Decryption: RC4-decrypt using the KEY from the bottom of the 2nd layer → 4th Decryption → End]


DLL Side Loading - Decryption

42

Gets the Host’s SID

DLL Side Loading - Decryption

43

Converts SID to MD5

Decrypts using the MD5 hash as key
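The first and third decryption stages of the flow above, as an added example (not the sample's own code): RC4 keyed by MD5 of the host SID, then RC4 keyed by bytes taken from the bottom of the previous layer, with a sample blob constructed in-block. Assumed, since the slides do not say: the SID in its `S-1-5-...` string form, the raw 16-byte digest as the RC4 key, a 16-byte trailing key in the second layer, the custom 2nd and 4th layers omitted, and the SID passed in rather than read from the host.

```python
import hashlib

def rc4(key, data):
    # Plain RC4 (KSA + PRGA); encryption and decryption are the same operation
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def sid_key(sid):
    # Slide: key = MD5(SID). Assumed: SID in "S-1-5-..." string form,
    # raw 16-byte digest used directly as the RC4 key
    return hashlib.md5(sid.encode()).digest()

def decrypt_layer1(blob, sid):
    # 1st decryption from the slide: RC4 over the blob file keyed by MD5(SID)
    return rc4(sid_key(sid), blob)

def decrypt_layer3(layer2, key_len=16):
    # 3rd decryption: RC4 keyed by bytes taken from the bottom of the 2nd layer;
    # the key length and exact position are assumptions
    return rc4(layer2[-key_len:], layer2[:-key_len])

def build_sample_blob(config, sid, inner_key=b"constructed_key!"):
    # Constructed sample: layer1 = RC4(MD5(SID), layer2), where layer2 carries
    # its own RC4 key at the end; the custom 2nd/4th layers are omitted here
    layer2 = rc4(inner_key, config) + inner_key
    return rc4(sid_key(sid), layer2)

SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
SAMPLE_CONFIG = b"c2=example.invalid;ver=t20.22.1"  # constructed
```

Because the outer key is MD5 of the victim's SID, the configuration only decrypts with that host's SID, so the blob has to be analysed together with the SID of the infected machine rather than in isolation.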

DLL Side Loading - Decryption

44

(Repeats the decryption flow of slide 41.)

DLL Side Loading - Decryption

45

Injects the payload into any of the following processes (process list shown in the slide image)

DLL Side Loading - Decryption

46

The payload is encrypted in the configuration file

Injects the whole binary file

Ver: t20.22.1


Other Versions

47

JP-OS Specific Version

Uses OS language for its decryption key

Hard-coded proxy server


Countermeasures and Best Practices


Apply

49

• Educate employees

• Patch all systems

• Establish a good incident response team

• Deploy a multi-layered approach to security

Apply

50

Users: Protect user activities anywhere on any device, reducing the initial point of infection

Networks: Detect and block threats hitting the data center and user environments, maximizing efficiency

Servers: Protect server workloads wherever they may be -- physical, virtual or cloud


Summary

Summary

52

It targets organizations mostly in Japan.

Known for being the payload of different attack campaigns.

Spread through spear phishing emails and vulnerability exploits.

Domains used by this threat have been updated recently.

It is divergent, seeing as each variant the threat actor deploys varies depending on the targeted organization.


References

54

https://www.ipa.go.jp/security/english/virus/antivirus/pdf/targeted_attack_mail_measures_eng.pdf

http://www.lac.co.jp/security/report/pdf/JSOC_INSIGHT_vol9_en.pdf

https://www.jpcert.or.jp/present/2015/20151028_codeblue_apt-en.pdf

http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html

http://blog.jpcert.or.jp/2015/11/emdivi-and-the-rise-of-targeted-attacks-in-japan.html

https://github.com/JPCERTCC/aa-tools/blob/master/emdivi_string_decryptor.py

http://blog.trendmicro.co.jp/archives/10251

http://blog.trendmicro.co.jp/archives/11944

http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/

http://icitech.org/wp-content/uploads/2016/02/ICIT-Brief-Know-Your-Enemies-2.0.pdf

https://blog.kaspersky.co.jp/blue-termite-apt-targeting-japan/8412

https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/

http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan

