CASSIDIAN CyberSecurity Blog

2016/12/05

Following Process Hollowing in OllyDbg

Overview

Process Hollowing is a common technique used by modern malware to create a process which appears legitimate when viewed in tools such as Task Manager, but whose code has in fact been replaced with malicious content.

This post will outline the API calls used in Process Hollowing and will explain how to follow the mechanism in OllyDbg, in order to be able to attach to the new process before it can execute any of the malicious code.


2016/11/28

Analysing the Hancitor Maldoc

Introduction

Recently we have seen several phishing attempts using macro-enabled Word attachments to load the Hancitor downloader trojan. The macros in these documents use routine Windows API functions with a callback parameter in order to run shellcode directly in memory, without the need to drop further files to disk. This entry follows the analysis of this method and may be useful for those new to the reverse engineering field.


2016/10/27

Playing defence against the Equation Group

In August 2016 an archive was released to the public by an unknown group calling itself Shadow Brokers. This archive contained material attributed to the Equation Group. The authenticity of this leak, its reason, attribution and content have already been widely discussed, by Bruce Schneier and Matthieu Suiche among others. Mustafa Al-Bassam has kept an inventory of the leak and has commented on Twitter.

This post is based on what can be extracted from the various procedures contained in the released material. Most of these procedures can be found in the “SCRIPTS” directory, with a few others scattered in various other directories. Using the aforementioned data, this post will focus on what can be deduced regarding Equation Group’s organisation, their modus operandi, and will list simple techniques to impede or detect their operations.


2016/06/22

Getting a PlugX builder

PlugX has been a well-known RAT for the last 5 years, and we have written many blog posts about it.

However, no builder for this RAT has ever been publicly released, except the one from Ahnlab, which only allows the building of very old samples (2011), and another which was discussed in our previous post.


2016/03/23

Fileless Malware – A Behavioural Analysis Of Kovter Persistence

Background

During a recent talk by a representative of Malwarebytes, it was discussed that several modern malware families, notably Poweliks, Phase Bot and Kovter, are moving away from the file system and are instead establishing persistence in the registry of the host. This post outlines the infection vector used by the Kovter malware and the analysis method used to investigate it.


2016/03/04

Mounting BitLocker Volumes Under Linux

Background

Recently I have been encountering more and more devices encrypted with Microsoft's BitLocker. As I tend to perform a lot of my forensics work on a Linux host, I needed to find a way to work with these volumes. Thankfully, it turns out that an open-source driver has been written for this purpose. This post contains a brief outline of how to install and use this driver.


2015/12/15

Newcomers in the Derusbi family

Derusbi is a well-known RAT family, used in various APT attacks since at least 2008. Many papers (1,2,3) have described two known variants of this malware: a client version, which acts like any other RAT by contacting its C&C server, and a server version, which simply listens for incoming connections from a client.

This RAT seems to be continuously evolving, as shown by Sekoia, which recently described a new way for Derusbi to bypass Windows driver signature enforcement.

In this blog post, we'll present the analysis of two new variants we encountered: a driver for x64 Windows, and a Linux library.


2015/12/07

Malware Sakula - Evolutions v2.x-3.x (Part 2)

This post is the second part of our article on the Sakula malware. It follows the first part, available here, and covers versions 2.x and 3.x.


2015/11/09

Malware Sakula - Evolutions v1.x (Part 1)

This post follows a paper published by Symantec about a group of attackers known as BlackVine. It describes the technical evolution of the custom-developed RAT Sakula used in campaigns targeting industries such as energy, aerospace and healthcare.


2015/09/08

Volatility plugin for PlugX updated

Just after releasing our previous blog post, we encountered a new PlugX variant using a bigger configuration than usual. We therefore decided to study it and update our Volatility plugin to handle the latest PlugX versions.


2015/08/06

Latest changes in PlugX

It has been a while since we last wrote about the PlugX RAT.
JPCERT made a great blog post covering the latest features added to the RAT, such as:

  • New protocol (raw IP protocol 0xff)
  • P2P communications
  • MAC address binding
  • Process injection for UAC bypass
  • New encoding algorithm

This post aims at giving new elements we discovered during our investigations on this infamous malware.


2014/12/15

Vinself now with steganography

VinSelf is a known RAT malware already explained on other blogs. It is a family that has long been used in APT attacks. VinSelf can be recognized in two ways:

  • the network patterns used;
  • the strings obfuscation in the binary.


2014/12/02

APT Kill chain - Part 5 : Access Strengthening and lateral movements

Being successful at compromising one or several workstations and/or servers from a targeted company is an important step for APT attackers. Just after the initial compromise step, there are 2 possible situations:

  • The attacker managed to gain high privileges on the system.
  • The attacker only managed to compromise machines with regular user privileges.

More often than one would think, normal user rights can be enough for an APT attacker. This is the case when the attacker has aimed for a particular machine or user which he knows stores the information he wants, or gives access to it. The most common situation here is when the attacker has pushed his reconnaissance phase far enough to know exactly which user is working on the project he wants to steal. He can either aim for the user's e-mail box, or decide to go for a compromise of the user's computer.

However, it is more common for APT attackers to want a lot more information. They therefore aim at compromising the whole information system, and the best way to do that is to elevate their privileges and go for a complete Active Directory dump.

So what does the attacker do to avoid being stuck on one workstation with regular user rights? Well, he does just what a penetration tester would do at this step, and this is what this blog post is about.


2014/11/18

Dissecting Scapy-radio packets with Wireshark

The wide adoption of wireless devices goes beyond WiFi networks: smart meters, wearable devices, etc. The engineers behind these new types of devices may not have a deep security background, which can lead to security and privacy issues when a particular technology is stressed. However, to assess the security of these devices, the only current solution would be a dedicated hardware component with an appropriate radio interface for each available technology. Such components are not easy to engineer, and this is why we developed Scapy-radio, a generic wireless monitor/injector tool based on Software Defined Radio using GNU Radio and the well-known Scapy framework. In this paper, we present the tool we developed for a wide range of wireless security assessments. The main goal of our tool is to provide effective penetration testing capabilities to security auditors with little to no knowledge of radio communication systems.


2014/10/24

LeoUncia and OrcaRat

The malware named OrcaRat by PwC is presented as a new piece of malware, but looking at the URI used for C&C communication, it could be an updated version of a well-known and rather old piece of malware: LeoUncia.


2014/07/11

The Eye of the Tiger

Cyber espionage has been a hot topic over the last few years. Computer attacks known as “APT” (Advanced Persistent Threat) have become widely reported and emphasized by the media; the damage is now considered real, and strategic trends in cyber defense are shifting.

Today, we decided to publicly release information on a specific group of APT attackers known as “Pitty Tiger”. This information comes directly from investigations led by our Threat Intelligence team and sheds light on the activities of a structured organization working in the APT field.

You can get more information in our Whitepaper.


2014/06/20

APT Kill chain - Part 4 : Initial compromise

This blog post is part of a series on the APT kill chain. In the previous step, we saw how the attackers used reconnaissance techniques to collect data on their target. Now we will focus on the initial compromise.

At this stage, the APT attackers have a solid knowledge of their target and its key employees. The attackers have everything they need to start looking for an entry point to the company’s network and establish one or several permanent backdoor accesses.


2014/06/03

Local root vulnerability in Android 4.4.2

Google has just released Android version 4.4.3 in AOSP (Android Open Source Project). The Funky Android website has published the whole changelog between versions 4.4.2 and 4.4.3.

This time, it seems Google has fixed an old vulnerability which allows an application with only a few permissions to elevate its privileges to root, on any Android version supporting Android Secure External Caches (ASEC).


2014/05/23

APT Kill chain - Part 3: Reconnaissance

This blog post is part of a series on the APT kill chain. In this post we focus on the reconnaissance step. All the information written here comes directly from our observations and experience in APT incident handling and APT pentest simulations.

Time for action has started. The attackers have chosen one target, now they have to start working on it.

It does not mean they will rush into the attack as soon as they have a target name. There is no interest in blindly attacking a company’s servers. Like in a lot of other subjects, a good attack is an attack which has been prepared carefully.

The longer the attackers spend getting to know their target and its online presence, the easier it will be to find efficient ways to penetrate that company’s systems. This is a bit like penetration testing. If you have ever been involved in such an activity, you know that there are different kinds of pentests, mostly depending on the perimeter to evaluate. Some pentests will cover a narrow part of a company’s network infrastructure (a web server, for example) while others will cover a wider area. In the widest case (probably the most interesting one if you have enough time), such a pentest consists of getting only a company’s name and digging for any vulnerability one can find. The pentester has to find several ways to attack the system, and penetrate it successfully, before showing his results to the system’s owner.

After all, technically speaking, in which aspect is the beginning of an APT attack different to a penetration test?

The penetration tester will try to find as many vulnerabilities as he can, to report them to the customer. The APT attacker will try to find one or several vulnerabilities to penetrate the system. The APT attacker won’t search for all the vulnerabilities: one or two are enough for him.

The first phase of an APT is similar to the first phase of a penetration testing service; it is the reconnaissance phase, which can also be called “information gathering” phase.


2014/05/07

APT Kill chain - Part 2 : Global view

Last week we defined what an APT is. As we have seen, there are different definitions, and I bet nearly all companies working on APT incident handling do have their own definition.

What every experienced APT incident responder agrees on, is the way APT attacks are conducted.

The APT kill chain can be presented with some variations, depending on the level of detail you want to show, yet its content is always the same. We chose to show here the simplest kill chain we could draw, so as not to panic anyone with technical details (yet). We will really go deep into every process of an APT attack in this series of blog posts, yet we believe it is good to start explaining it from a distant point of view.

