TRANSCRIPT
SESSION ID: TTA-R03
#RSAC
New Ways of Emerging Actors: India, South Africa, Nigeria, and Indonesia
Wayne Huang, VP Engineering, Proofpoint, Inc. @waynehuang [email protected] [email protected]
Sun Huang, Senior Threat Researcher, Proofpoint, Inc. [email protected]

Agenda
- TTP summary
- Crimeware adoption
- Monetization
- Current C2 vulnerabilities
- Actor attribution methodology
- Those targeted and compromised
- Nigerian gang's strategy change
- Conclusion

Actors overview
- Tracked nine actors, 1200+ unique nodes (C2 panels) during the past year
- Actors located in Nigeria (most), India, South Africa, and Indonesia
- One actor changed TTP significantly in March 2015
- One of the Zeus panels includes a backdoor (undisclosed)

Overview of the nine actors
Group #:             9
Victim #:            12,953
Stolen credentials:  pop3: 7,671; ftp: 1,137; http: 1,538
Malware used:        Zeus/IceIX/Citadel/Betabot/Solarbot/Syndicate Keylogger/ISR Stealer
Servers owned:       1,200+
Technique:           Spear phishing -- attachment; Phishing

Tactics, Techniques and Procedures (TTP) Summary
- Objectives
  - Compromise endpoints
  - Collect data and intelligence
    - Credentials (POP3, FTP, HTTPS forms), client-side certs, screenshots
  - #1: Obtain online banking accounts
  - #2: Sell off data & intelligence
- Motivation
  - Purely financial
  - Not state-backed

Tactics, Techniques and Procedures (TTP) Summary
- Target individuals
- Attack vector into endpoints
  - Mostly via email messages
  - URLs pointing to exploit kits, zips (containing exes), or jars
  - Attached exploits (Office, PDF) or malware executables

Tactics, Techniques and Procedures (TTP) Summary
- Endpoint ownership, data extraction & exfiltration
  - Are NOT capable of developing their own trojans
  - Use whatever off-the-shelf trojans they can get hold of
  - Most used trojan features:
    - Web inject – steals specific banking accounts
    - Wallet stealer – steals virtual currencies
  - Also phish for credentials – seen daily

Tactics, Techniques and Procedures (TTP) Summary
- Command and control (C2) servers
  - Do NOT rent or maintain their own servers
  - C2s run entirely on compromised shared hosting servers
  - ARE capable of, and dedicated to, compromising servers
  - Do NOT buy cPanel credentials
  - Rely entirely on servers they compromised themselves
  - Install C2 scripts mostly via cPanel

Tactics, Techniques and Procedures (TTP) Summary
- Vector into shared hosting accounts
  - Stage 1: acquire remote access to ONE shared hosting account
    - Mass-scale scanning + manual intrusion
  - Stage 2: acquire multiple cPanel credentials on this shared host
    - Via acquiring (DB) credentials from config files
    - Via cPanel vulnerabilities and privilege escalation
    - Via brute forcing MySQL credentials using usernames from /etc/passwd

Crimeware adoption
- Exploit kits
  - Angler, Nuclear, Fiesta, FlashPack, RIG, Sweet Orange, etc.
- Banking trojans
  - Zeus, ICEIX, Citadel, PONY, Betabot, Solarbot, JollyRoger, Dridex, etc.
- Remote access trojans (RATs)
  - XtremeRAT, Gh0stRAT, Poison Ivy, Dark Comet, etc.
- Fully Undetectables (FUDs)
  - CypherX Crypter, Stage Crypter, Orway Crypter, etc.

Banking trojan features
- Credential theft: HTTP/HTTPS/FTP/POP3/RDP/certs
- Man in the Browser (MitB)
- Video recording
- Screen capture
- Back-connect
- Jabber notifier

Zbot-based business losses: $500M+
(Chart: losses per year, 2008 to 2014; y-axis in $ millions, 0 to 250. Total: $500+ million.)

DEMO: main monetization means: screen recording of a compromised e-banking account holding 3M USD

Corporate emails sold on the black market for different prices according to value
- Different price by industry

Zeus web panels compared
Feature         Zeus 2.0.8.9 (most) – 2.9.6.1     Zeus Robot/Panther/GOZ
Login page      cp.php?m=login                    cp.php?letter=login
Gateway         gate.php                          secure.php
Upload folder   _reports                          _feedback
Config in       System/                           Inc/
Bots table      botnet_list                       membership_list
Data table      botnet_reports_(date)             membership_reports_(date)
Cryptkey        $config['botnet_cryptkey']        $config['membership_cryptkey']

Current C2 panel vulnerabilities
(◎ / X as marked on the slide; columns: Zeus 2.0.8.9 | Zeus 2.7.6.8 – current | Zeus Robot | ICEIX | Citadel 1.3.5.1)
Vulnerability                                          Zeus 2.0.8.9   Zeus 2.7.6.8 – current   Zeus Robot   ICEIX   Citadel 1.3.5.1
File upload vulnerability (known, patched)             ◎              X                        X            ◎       X
Remote command execution (0day)                        ◎              ◎                        ◎            ◎       ◎
Reflected cross site scripting (0day)                  ◎              ◎                        ◎            ◎       ◎
Information leakage (/install/) (known, unpatched)     ◎              ◎                        ◎            ◎       ◎

File upload vulnerability
- Vulnerable panels: Zeus >= 2.1.0.1 / ICEIX
- Upload to /_reports/files/BOTNET_ID/BOTID/certs/
- Known and patched
- Apache multiple file extension support. Apache manual: "Files can have more than one extension, and the order of the extensions is normally irrelevant."
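As an added illustration (not code from the talk), the Apache rule quoted above simulated in Python: every dotted suffix counts, so a name such as bot.php.crt dropped into the certs upload folder still reaches the PHP handler even though its last extension looks like a certificate. The normalisation function is the defender's side of it: allow-list a single extension and strip dots from the stem. The handler and allowed extension sets are assumptions for the example.

```python
import os

# Extensions Apache hands to a script handler; assumed for this example, adjust
# to the host's real AddHandler/AddType configuration.
HANDLER_EXTENSIONS = {"php", "php5", "phtml", "cgi", "pl"}
# Extensions a certificate upload directory legitimately contains (assumed).
ALLOWED_EXTENSIONS = {"crt", "cer", "pem", "p12", "pfx"}

def effective_extensions(filename):
    """Every dotted suffix of a name, since Apache treats their order as irrelevant."""
    return [p for p in filename.lower().split(".")[1:] if p]

def is_handler_executable(filename):
    """True if multiple-extension handling would run this file as a script."""
    return any(ext in HANDLER_EXTENSIONS for ext in effective_extensions(filename))

def audit_upload_dir(filenames):
    """Names in an upload directory that a script handler would execute."""
    return [f for f in filenames if is_handler_executable(f)]

def safe_upload_name(filename):
    """Reduce an upload name to one allow-listed extension and a dot-free stem."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, _, ext = base.rpartition(".")
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected upload name: {filename!r}")
    stem = "".join(c for c in stem if c.isalnum() or c in "-_")
    return f"{stem or 'upload'}.{ext.lower()}"

# Constructed listing of a certs/ upload folder (not from the talk).
SAMPLE_DIR = ["client.crt", "bot.php.crt", "cert.pem", "shell.phtml.cer", "key.p12"]
```

Running audit_upload_dir(SAMPLE_DIR) returns the two names a script handler would execute; passing each upload name through safe_upload_name before writing it to disk removes the extra extension entirely.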

C2 remote command execution
- 0day
- Affected: all Zeus / IceIX / Citadel
- Source: reports_files.php (database search)
- Sink: fsarc.php (file archiving)
- Affected parameter: files
- Execute arbitrary commands

Reflected cross site scripting
- 0day
- Affected: all Zeus / IceIX / Citadel
- Source: reports_files.php (database search)
- Sink: fsarc.php (file archiving)
- Affected parameter: files
- Cookie stealing or client side exploitation
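An added detection example (not part of the talk) that draws on the panel comparison table and the two 0day slides above: it parses web server access logs in combined format and flags bot check-ins to gate.php or secure.php, operator logins via cp.php?m=login or cp.php?letter=login, and any request to fsarc.php that carries the files parameter, which a hosting provider can use to spot a panel on a shared server. The log lines are constructed; the path prefixes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators from the panel comparison and vulnerability slides: gateway scripts
# bots POST to, the operator login page, and the fsarc.php sink whose "files"
# parameter is the RCE/XSS entry point.
GATEWAYS = {"gate.php", "secure.php"}
LOGIN_PAGE = "cp.php"
VULN_SINK = "fsarc.php"

# Apache/nginx combined log format: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(line):
    """Return (indicator, detail) when a line matches a Zeus panel pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method = m.group("ip"), m.group("method")
    parts = urlsplit(m.group("path"))
    script = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    if method == "POST" and script in GATEWAYS:
        return ("bot_checkin", f"{ip} -> {script}")
    # Both panel families use cp.php?<param>=login; only the parameter name differs.
    if script == LOGIN_PAGE and ["login"] in query.values():
        return ("panel_login", f"{ip} -> {parts.path}?{parts.query}")
    if script == VULN_SINK and "files" in query:
        return ("fsarc_files_param", f"{ip} -> {parts.path}")
    return None

def scan_log(lines):
    """Group matching requests by indicator type."""
    hits = {}
    for line in lines:
        result = classify_request(line)
        if result:
            hits.setdefault(result[0], []).append(result[1])
    return hits

# Constructed sample log lines (not from the talk) covering each pattern.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2015:10:00:01 +0000] "POST /panel/gate.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/May/2015:10:00:02 +0000] "GET /panel/cp.php?m=login HTTP/1.1" 200 3402',
    '198.51.100.7 - - [01/May/2015:10:00:03 +0000] "GET /robot/cp.php?letter=login HTTP/1.1" 200 3402',
    '198.51.100.9 - - [01/May/2015:10:00:09 +0000] "GET /panel/fsarc.php?files=x HTTP/1.1" 200 0',
    '192.0.2.1 - - [01/May/2015:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```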

C2 tracking system
- Tracks actors' C2 servers
- Analyzes actor geolocation and activity
- RC4 keypass brute forcing to automatically get a shell
- Password brute forcing
- Support: Zeus/ICEIX/Citadel

Actors' tool for cPanel remote privilege escalation
- cPanel Apache symlink race condition vulnerability

Identifying actor location
- Access logs
- Last login IP record in the .lastlogin file
  - /home/[username]/.lastlogin

A good technique for finding more C2 servers on the same shared host
- Identify additional active C2 domains via cPanel webalizer
- Many cPanel webStats allow unrestricted access
  - /home/[username]/tmp/webalizer/

Top 10 C2 passwords and RC4 keys
Password       RC4 KeyPass
123456         reh4357heGTJHaegharhet4575hawrGAEha
12345678       78fghrYU%^&$ER
admin123       144458686889uiuiui
1qaz2wsx       hello
enugu042       SXMQ!xz%US!K5~#(K(
mankind        man1
1234567        E354B6KUO986C434C5677BBH2WER
master         PrE/Y!!#$@#
password1      olivertwist
1234567890     pelli$10pelli

Overview of the nine actors
Group #:             9
Victim #:            12,953
Stolen credentials:  pop3: 7,671; ftp: 1,137; http: 1,538
Malware used:        Zeus/IceIX/Citadel/Betabot/Solarbot/Syndicate Keylogger/ISR Stealer
Servers owned:       212
Technique:           Spear phishing -- attachment; Phishing

Singaporean victims by industry
(Chart, percentages as labelled on the slide: Engineering 14%, Environmental systems 1%, Bicycle and Skate rental 9%, Construction 8%, Education 1%, Financial 5%, Logistics Services 4%, Energy & Utilities 3%, Chemicals & Petroleum 1%, Electronics 6%, Food 3%, Telecommunication 8%, Travel and Transportation 22%, Services/Consulting 4%, Information Technology 1%, Healthcare 1%, Marketing and distribution 1%, Manufacturing 9%)
- Logistics industry
  - ******cs.com.sg
  - ******ing.com.sg
- Oil / Energy industry
  - ******ring.com.sg
  - ******l.com.sg

Group NG03
Group Name:            NG03
Nationality/Location:  NIGERIA, LAGOS, LAGOS
Victim #:              15,887
Stolen credentials:    pop3: 9,622; ftp: 1,117; http: 6,59
Malware used:          ZeuS/Citadel/ISR Stealer
Servers owned:         265
Technique:             Spear phishing -- attachment, Phishing
Feature:               PO# JKT-130090.doc, Purchase Order.DOC, PaymentCopy.scr, Chief Architect X2.exe, remittance details.zip

Group NG03 – Victims by industry
(Chart: Retail 21%, Manufacturing 18%, Information Technology 14%, Services/Consulting 7%, Travel & Transportation 21%, Electronics 4%, Chemicals & Petroleum 7%, Energy & Utilities 4%, Others 4%)
- Pakistan's energy center s****energy.org
- Well-known energy expert
- UK's logistics company i*****tions.co.uk
- Many videos recorded with Citadel
- Also doing phishing

Group NG03 – Victims by country
(Chart, labelled shares: IN 21%, ID 20%, CN 13%, KR 10%, HK 6%, AE 4%, DE 3%; the legend lists further countries without percentages.)

Group IN01
Group Name:            IN01
Nationality/Location:  INDIA, DELHI, NEW DELHI
Victim #:              493
Stolen credentials:    pop3: 102; ftp: 7; http: 52
Malware used:          IceIX
Servers owned:         4
Technique:             Spear phishing -- attachment
Feature:

Group IN01 – Victims by industry
(Chart: Retail 40%, Manufacturing 20%, Information Technology 7%, Services/Consulting 7%, Travel & Transportation 10%, Healthcare 7%, Insurance 3%, Financial 3%, Others 3%)
- Targeted India
- India's logistics company f******ight.net

Group IN01 – Victims by country
(Chart, labelled shares: IN 78%, IT 9%, US 4%, RU 1%; the legend lists further countries without percentages.)

Group ZA01
Group Name:            ZA01
Nationality/Location:  SOUTH AFRICA, KWAZULU-NATAL, DURBAN
Victim #:              27
Stolen credentials:    pop3: 28; ftp: 3; http: 20
Malware used:          Zeus
Servers owned:         3
Technique:             Spear phishing -- attachment
Feature:               Your Order.exe, drop.exe, drops.exe

Group ZA01 – Victims by industry
(Chart: Retail 29%, Manufacturing 29%, Information Technology 14%, Travel & Transportation 14%, Others 14%)
- South Africa, India, Germany
- Australian government .gov.au
- Petrochemical industry c****.com
- Logistics company e**.net

Group ZA01 – Victims by country
(Chart: IN 37%, DE 18%, ZA 15%, PL 7%, ID 7%, BD 4%, HK 4%, SE 4%, US 4%)

Group ID01
Group Name:            ID01
Nationality/Location:  INDONESIA
Victim #:              100
Stolen credentials:    pop3: 22; ftp: 31; http: 10
Malware used:          Zeus
Servers owned:         3
Technique:             Spear phishing -- attachment, Phishing
Feature:

Group ID01 – Victims by industry
(Chart: Retail 50%, Manufacturing 9%, Information Technology 8%, Electronics 17%, Insurance 8%, Government 8%)
- Aviation equipment company
- India's electrical equipment manufacturer
- European flying committee

New campaign since Apr 28 2015
- Microsoft RTF Document with CVE-2014-1761
- Malware: ISR Stealer

ISR Stealer persistent cross site scripting
- Source & sink: index.php
- Source input: a specific User-Agent

Campaign attribution
- USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36 OPR/28.0.1750.51
- IP addresses:
  - 41.220.69.115 - AS 29465 (Nigeria)
  - 41.220.69.185 - AS 29465 (Nigeria)
It turns out this actor is the same Nigerian gang that we have been tracking for a year.

Actor attribution research
XSS targeted experiment:    170 ISR Stealer panels on unique domain names
Duration:                   2 weeks
Successful triggers:        Received 103 cookies
Success rate:               60%
Total stolen credentials:   66,284

Actors by country
(Chart: Nigeria 71%, Romania 1%, Singapore 1%, Pakistan 2%, United Arab Emirates 3%, Ghana 3%, Russia 3%, Turkey 1%, Iran 3%, Canada 3%, Benin 1%, Australia 1%, Mexico 1%, Myanmar 3%, Malaysia 3%)
Nigeria ASNs: 29465, 36873, 37076, 37127, 37148

Actors by browser and by Flash version
(Chart, browser: Firefox 37%, IE 1%, Chrome 60%, Safari 2%. Flash version: Latest 81%, Outdated 19%.)

Nigerian gang evolution
- 2014: Traditional attachment techniques
  - Executable files (exe, scr) compressed within a Zip file
  - Purchase_Order.zip or Payment Advice pdf.zip etc.
  - Malware: Zeus / IceIX / Citadel / Betabot / ISR Stealer
- 2015: Changed tactics!
  - Microsoft RTF Document with CVE-2014-1761
  - Still some old school (exe/scr)
  - Malware: Zeus Robot / PONY / ISR Stealer (increased) / Citadel / Betabot / Zeus 2.1.0.1 (decreased) / Zeus 2.0.8.9 (decreased)

High profile victims
- 23 government email accounts
- 11 different countries
(Chart: accounts per country, 0 to 7, for RW IT PK RW UA TW ZA VN IQ MK IN; further labels on the slide: RU 9%, US 46%.)

Conclusion
- Actor tracking & attribution can be done
- Key features: passwords, RC4 keys, browser versions, environment variables, and directory names
- Secondary features: IP range, geolocation, language, operating hours
- Strategy change made them more difficult to track
  - Avoided using vulnerable C2 panels
- Currently the most used Zeus: Zeus Robot