Holger Unterbrink Security Researcher

Posted on 23-Aug-2020


Page 1

Holger Unterbrink

Security Researcher

Page 2

Agenda

• Who is Talos?

• Threats Talos has investigated recently

Page 3

Who is Talos

• Cisco’s threat intelligence organization

• Threat hunting

• Malware analysis

• 5 groups collaborating to produce threat intel

• Reputation feeds, signatures, IOC

• Security engines and tools

• Threat reports and blogs

• Who is behind Talos

• Cisco, Ironport, Sourcefire, ScanSafe, …

• Reverse engineers, data scientists, spam, web, DNS and BGP experts, …

Page 4

THREAT DATA CYCLE

Page 5

TALOS PRODUCTS & INTELLIGENCE

Talos develops the threat intelligence detection that goes into all Cisco Security products and services.

[Table: Talos products by area (Email, Open Source, End Point, Cloud, Web, Network, Services, Intelligence) and the detection services each provides. Products: ESA, SpamCop, SenderBase, Snort Rules, ClamAV Sigs, AMP, ClamAV, CWS, OpenDNS, WSA, FirePower, ATA, IR, ThreatGrid. Detection services: Email Reputation, Malware Protection, URL/Domain/IP Reputation, Phishing Protection, Vulnerability Protection, Policy & Control, Cloud & End Point IOCs, IP Reputation, AVC, Custom Protection, Network Protection.]

Page 6

TALOS INTEL BREAKDOWN

• 250+ full-time threat intel researchers

• Millions of telemetry agents

• 4 global data centers

• 1100 threat traps

• Over 100 threat intelligence partners

THREAT INTEL

• 1.5 MILLION daily malware samples

• 600 BILLION daily email messages

• 16 BILLION daily web requests

• Global honeypot network

• Open source communities: Spamcop, OpenDNS, Senderbase

• Vulnerability discovery (internal)

• 3.4 BILLION AMP requests (telemetry)

• ThreatGrid community

INTEL SHARING

• Aspis

• Crete

• AEGIS

• 3rd party programs (MAPP)

• ISACs

Page 7

INTELLIGENCE COMMUNITIES

Project Aspis – collaboration between Talos and host providers

• Talos provides expertise and resources to identify major threat actors

• Providers potentially save significant costs in fraudulent charges

• Talos gains real-world insight into threats on a global scale, helping us improve detection and prevention, making the internet safer for everyone

[email protected]

AEGIS – information exchange between Talos and participating members of the security industry

• Open to partners, customers, and members of the security industry

• Collaborative nexus of intelligence sharing in order to provide better detection and insight into worldwide threats

[email protected]

Page 8

Talos Homepage

http://www.talosintelligence.com/

Page 9

Talos Homepage

Page 10

Threats Investigated by Talos

Page 11

Ransomware

Page 12

Ransomware Information

TeslaCrypt 3 – Tales from the crypt(o)

http://blog.talosintel.com/2016/03/teslacrypt-301-tales-from-crypto.html

• TeslaCrypt details

• Elliptic Curve Cryptography basics

TeslaCrypt – The battle is over

http://blog.talosintel.com/2016/06/teslacrypt-decryptor.html

Page 13

More Ransomware Information

Cryptowall 4: http://blog.talosintel.com/2015/12/cryptowall-4.html

• Localized docs

• Eastern Europe regions excluded

SamSam: http://blog.talosintel.com/2016/03/samsam-ransomware.html

• Manually installed ransomware

Page 14

Qbot Banking Trojan

Page 15

Qbot Banking Trojan

Overview

• Around since 2008

• Recently experienced a large surge in development and deployments

• Infection via browser-based exploit kits

• Targets sensitive banking credentials and FTP credentials

Page 16

Packer

[Diagram: the original executable (header, code), e.g. Trojan.exe, is packed into a packed executable (header, stub code, packed original code); at run time the stub unpacks the original code and jumps to it, giving the unpacked executable in memory (header, stub code, unpacked original code).]

Page 17

Malware Packer

[Diagram: an executable consists of the (un)packer, which is frequently changed, and the payload (the unpacked malware), which is changed much less frequently.]

Page 18

Qbot Packer

[Diagram: packed executables ((un)packer + payload) vs. the payload (unpacked malware) alone: 618 different samples vs. 73 different samples.]

Page 19

Qbot Dropper

[Diagram: the payload (unpacked malware) is dropped to %appdata%\Microsoft\[RandomName]\[RandomName].exe; {ProductId, Computer Name, Hard drive Serial Number} feed a PRNG that produces the random name.]

Page 20

RC4 Encrypted Log File

Script to decrypt logs for enhanced IR analysis

This will print out configuration information including initial infection time and FTP exfil server information.

RC4 key generated by converting the folder name to lowercase, then taking the SHA1 hash of the resulting string

%appdata%\Microsoft\oykyjxjx\oykyjxj.dll
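An added example (not the Talos script from the slide) that derives the RC4 key exactly as described, lowercased folder name then SHA1, and decrypts a log written in the key=[value] layout the FTP exfil slide shows. The path is the one from the slide; the log text, its bracketed install_time field and the ciphertext are constructed sample input.

```python
import hashlib
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def log_key_from_path(dll_path: str) -> bytes:
    r"""Key = SHA1(lowercase folder name) for %appdata%\Microsoft\<folder>\<name>.dll (20 bytes)."""
    folder = dll_path.replace("/", "\\").rstrip("\\").split("\\")[-2]
    return hashlib.sha1(folder.lower().encode("ascii")).digest()

def decrypt_log(dll_path: str, ciphertext: bytes) -> str:
    """Decrypt an RC4 log file using the key derived from the install folder."""
    return rc4(log_key_from_path(dll_path), ciphertext).decode("latin-1")

FIELD_RE = re.compile(r"(\w+)=\[([^\]]*)\]")

def parse_fields(log_text: str) -> dict:
    """Pull key=[value] pairs out of the decrypted log (install time, exe name, ...)."""
    return dict(FIELD_RE.findall(log_text))

# Constructed sample: folder "oykyjxjx" from the slide's path, a made-up log line,
# encrypted here with the derived key so the decryption below can be verified.
SAMPLE_PATH = r"%appdata%\Microsoft\oykyjxjx\oykyjxj.dll"
SAMPLE_PLAINTEXT = ("hostname=[WS-01] user=[alice] qbot_version=[1.0] "
                    "install_time=[2016-03-01 10:15:00] exe=[oykyjxj.exe]")
SAMPLE_CIPHERTEXT = rc4(log_key_from_path(SAMPLE_PATH), SAMPLE_PLAINTEXT.encode("latin-1"))

if __name__ == "__main__":
    text = decrypt_log(SAMPLE_PATH, SAMPLE_CIPHERTEXT)
    for name, value in parse_fields(text).items():
        print(f"{name:15} {value}")
```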

Page 21

Updater

http[:]//<maliciousdomain.com>/viewtopic.php

• First 20 bytes are the RC4 key

• 20-byte SHA1 hash

• Updated version of Qbot

Page 22

Domain Generation Algorithms (DGA)

Get the date by sending an innocent-looking GET request to Google and parsing the HTTP 301 response for the date.

Generate a date-based string, e.g. 2.mar.2016.00000001

• First digit is the tens digit of the day of the month (though 2 is also used for days 30 and 31), e.g. 16 March 2016 = 1, 22 March 2016 = 2, 30 March 2016 = 2

• Followed by the month, the year and a constant (00000001)

Page 23

Domain Generation Algorithms (DGA)

2.mar.2016.00000001

…and use it as seed for the Mersenne Twister PRNG:

[Diagram: the seeded Mersenne Twister produces the domain name, e.g. llrbprhssvbsmmfrpsojzjct.org, and an index n into the TLD array [.info, .com, .org, .net, …].]
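An added example, not Qbot's code, that rebuilds the date-based seed string from the two slides above: it parses the Date header of a (constructed) HTTP 301 response and applies the tens-digit rule, including the 30/31 exception. How the string seeds the Mersenne Twister and how letters and the TLD index are drawn from it are not described on the slides, so the example stops at the seed string.

```python
from datetime import date
from email.utils import parsedate_to_datetime

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
CONSTANT = "00000001"  # trailing constant shown on the slide

def date_from_http_response(raw: bytes) -> date:
    """Read the Date header out of a raw HTTP response (status line + headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).date()
    raise ValueError("no Date header in response")

def day_prefix(d: date) -> int:
    """Tens digit of the day of month; days 30 and 31 also map to 2 (slide's rule)."""
    return min(d.day // 10, 2)

def seed_string(d: date) -> str:
    """<tens digit>.<mon>.<year>.<constant>, e.g. 2.mar.2016.00000001."""
    return f"{day_prefix(d)}.{MONTHS[d.month - 1]}.{d.year}.{CONSTANT}"

# Constructed sample: the shape of the 301 Google returns for a plain GET.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.google.com/\r\n"
    b"Date: Tue, 22 Mar 2016 09:12:44 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    d = date_from_http_response(SAMPLE_RESPONSE)
    print(d.isoformat(), "->", seed_string(d))   # 2016-03-22 -> 2.mar.2016.00000001
```

A defender who knows the date a sample ran can rebuild the same seed string offline, which is the first step in reproducing the day's domain list for blocklisting.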

Page 24

Webinjects – Fake Log Off

“set_url https://*.<BankDomain>.com/*logoff* GPR http://<MaliciousSite>/fakes/onlineserv_cm_logoff.html”

[Screenshot: the fake “Sign out” page served to the victim.]

Page 25

FTP Exfil

Content: "ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%s] domain=[%s] is_admin=[%s] os=[%s] qbot_version=[%s] install_time= %s] exe=[%s]" …

FTP to a list of servers hardcoded in its config file.

“article_covezh618946_1450458170.zip”

“article” string | random value | seconds since Linux epoch | .zip

Page 26

Compilation by Day (Sun–Sat)

Page 27

Compile Time – Working Hours?

Page 28

MS Rich Headers (undocumented)

Embedded compiler and linker version

MS Visual Studio executables

Page 29

Rich Headers – Unpacked binaries

• 154 unpacked binaries contained only 6 unique Rich Headers

• Some of which were almost identical

• Likely caused by minor compiler updates on the same computer

These headers suggest the unpacked binaries were compiled in 3 unique environments

Page 30

Rich Headers – Packed binaries

• The packed binaries contained 44 unique Rich Headers

• 35 of which seemed to be slight variants of the others

• None of which matched the 3 Rich Headers from the unpacked binaries

The packed binaries appear to be compiled from 9 unique environments

Page 31

The Group?

Coder Team: 3 group members, 6AM–8PM GMT, Mo–Fr* (Su)

Packer Team: 9 group members, ~10AM–10:30PM GMT, Mo–Sa* (Su)

Developing and maintaining malware and a malicious infrastructure is a full-time job!

Page 32

More Information

Qbot on the rise: http://blog.talosintel.com/2016/04/qbot-on-the-rise.html

Page 33

ShadowGate Takedown

Page 34

What is a Gate?

[Diagram: Victim → Web server (compromised or malvertising) → redirect iframes → Gate → Proxy → Exploit Kit server (EK), which performs profiling and exploitation.]

Page 35

What is ShadowGate?

• Large-scale malvertising-based EK gate

• Moved from Angler to Neutrino EK

• Long-lasting periods of inactivity

• Very picky: only 0.1% are finally sent to an EK

• Large-scale malvertising campaign: US/Canada/Middle East/China/New Zealand

• Delivered various payloads including ransomware and Trojans

• Other gates: Darkleech, Pseudo Darkleech, EITest

Page 36

Campaign Details

Domain shadowing: <attacker-registered subdomain>.<legit domain>, e.g. hasdsakdal.merrybrycemas.com

Action taken

• Shadowed domains registered through GoDaddy

• Worked with GoDaddy to get domains shut down

• After first shutdown, gate pivoted

• Found second server/campaign

• Also shut down by GoDaddy

Page 37

More Information

ShadowGate campaign takedown (blog post): http://blog.talosintel.com/2016/09/shadowgate-takedown.html

ShadowGate in action (video): http://blog.talosintel.com/2016/09/shadowgate-takedown.html

Page 38

Closing

Page 39

More can be found here

Check out our blog: http://blog.talosintel.com/

Page 40

http://www.talosintelligence.com/

@talossecurity

Aegis Program: [email protected]

Aspis Program: [email protected]

Page 41

Angler Exploit Kit

Page 42

Victim's View Demo

Page 43

Exploit Details

• “Hacking Team” Adobe Flash 0days: CVE-2015-5119, CVE-2015-5122

• IE 10 and 11 JScript9 Memory Corruption Vulnerability: CVE-2015-2419

• IE OLE Vulnerability: CVE-2014-6332

[Diagram: targeted technologies are Adobe Flash, IE (CVE-2014-6332) and Silverlight; no Java!]

Page 44

Analysis

• Extremely innovative in evading or bypassing security devices

• Infrastructure

• One landing page serving 90000 victims a day

• 10% served with an exploit

• 40% success rate

• Hosting information

• Found 60%+ Angler activity for a month at two providers

• Limestone Networks and Hetzner

• $10,000 in cost and lost revenue each month for Limestone due to use of stolen credit cards

Page 45

Angler Back-End Architecture Exposed

Redirect to Proxy Server

Page 46

Show Me The Money

http://talosintel.com/angler-exposed/

Page 47

TeslaCrypt

Overview

• Ransomware first seen beginning of 2015

• First ransomware targeting gamers

• Distributed via exploit kits and phishing emails

• Fast evolution, but…

• A history of cryptographic flaws

Page 48

Simplified Encryption Algorithm

[Diagram: scan logical volumes (directory listing: 1.jpg, 2.jpg, 3.jpg, …); for each original file generate a temporary AES256 key, AES-encrypt the file and encrypt the AES256 key with the public key; the encrypted file consists of metadata, the encrypted AES256 key and the encrypted file content, and gets the extension .XXX, .TTT, .MICRO or others*.]

• Elliptic Curve Cryptography

• Encrypted temporary AES key can only be decrypted with the private key

• The public key is embedded in the malware dropper

Page 49

They are lying, can you believe it?

Page 50

Page 51

Page 52

Page 53

Page 54

More Information

TeslaCrypt 3 – Tales from the crypt(o)

http://blog.talosintel.com/2016/03/teslacrypt-301-tales-from-crypto.html

• TeslaCrypt details

• Elliptic Curve Cryptography basics

TeslaCrypt – The battle is over

http://blog.talosintel.com/2016/06/teslacrypt-decryptor.html

Page 55

Other Ransomware

Cryptowall 4: http://blog.talosintel.com/2015/12/cryptowall-4.html

• Localized docs

• Eastern Europe regions excluded

SamSam: http://blog.talosintel.com/2016/03/samsam-ransomware.html

• Manually installed ransomware