Securing the Industrial Internet Operation BugDrop: Stage 1 Cyber-Reconnaissance in the Real-World David Atch, VP/Research SANS ICS Security Summit -- March 21, 2017

Post on 15-Apr-2018

221 views

Category:

Documents


4 download

TRANSCRIPT

Page 1: Securing the Industrial Internet - SANS Information … · Securing the Industrial Internet ... Word doc Data-Stealing Plugins Registry ... •Looks for: doc, docx, xls, xlsx, ppt,

Securing the Industrial Internet

Operation BugDrop:

Stage 1 Cyber-Reconnaissance in the Real-World

David Atch, VP/Research

SANS ICS Security Summit -- March 21, 2017

Page 2:

www.cyberx-labs.com

Ongoing Responsible Disclosures to ICS-CERT & Industrial Vendors

Industry Recognition

Only Industrial Cyber Vendor Recognized by International Society of Automation

Only Industrial Cyber Vendor Chosen for Innovation Award Sponsored by US DHS & DoD

Best ICS/SCADA Security Two Years in a Row

Defining Next-Generation IIoT Security Architecture

Only Industrial Cyber Vendor Chosen by Israel Consortium for Japan 2020 Games

Featuring CyberX’s Vulnerability Research

Page 3:

CyberX Threat Intelligence Research Team

• Former IDF threat intelligence & forensic experts

• Scrutinize a range of open & closed sources, including forensics from IR in customer environments

• Develop custom tools to reverse-engineer malware & firmware

• Work directly with ICS-CERT & industrial vendors

• Enriches real-time threat detection provided by our industrial cybersecurity platform

– Continuous, real-time monitoring

– M2M behavioral analytics & anomaly detection

– Non-invasive vulnerability assessments

– Proprietary ICS-specific threat intelligence

Page 4:

“CyberX believes threat actors turned KillDisk into a piece of ransomware because, unlike cyber-sabotage, the new functionality enables them to directly monetize their attacks.”

“These kinds of campaigns are running, even as we speak,” said Omer Schneider, co-founder of CyberX.

How a Michigan Utility Got Hacked

“Security vendor CyberX uncovered the operation … dubbing the campaign Operation BugDrop because one of the methods employed by the threat actors is to eavesdrop on conversations via the victim’s PC microphone …[and] the operators of BugDrop are using DropBox to store data exfiltrated from victim systems, making it harder to spot the illegal activity.”

“Cybersecurity firm CyberX said it has uncovered a cyber-espionage operation in Ukraine that has compromised more than 70 victims. Victims of the malware included an energy ministry, a scientific research institute and a firm that designs remote monitoring systems for oil & gas pipelines.”

Page 5:

Operation BugDrop: Key Aspects

• Captures audio (“bugs”), screenshots, files, passwords, keylogger

• Uses Dropbox cloud-based service for data exfiltration

• Reflective DLL Injection (like Stuxnet & BlackEnergy)

• Encrypted DLLs

• Free web hosting services for C&C servers

Page 6:

Diagram, multi-stage dropper: Word doc → Embedded VBS → Stage 0 exe → Stage 1 dll → Stage 2 dll → C&C server (windows-problem-reporting[.]site88[.]net) → Main Module → Dropbox → Data-Stealing Plugins; a separate node marks Registry Persistency.

Page 7:

Multi-stage dropper starts with phishing & malicious MS-Office attachment


Page 8:

Clever social engineering

Page 9:

Russian text in MS-Office dialog box: “внимание! Файл создан в более новой версии программы Микрософт Office. Необходимо включить Макросы для корректного отображения содержимого документа”

Translation: “Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of this document.”

Page 10:

Decoy document: personal information about military personnel

Page 11:

Macro contains XORed PE

Page 12:

Stage 0: Extract Malicious DLLs

Shortcut icon for dropper DLL


Page 13:

Diagram, Stage 1 & 2: Decrypt & Inject Malicious DLLs. Hard drive: Stage1.exe, Stage1.dll (encoded), Stage2.dll (encoded). Memory: the custom PE loader decodes the DLLs and maps each one as an in-memory image with its .text, .data and .rdata sections.
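The XOR-encoded PE carried in the macro (Page 11) and the section layout the custom loader rebuilds in memory (Page 13) can both be checked by a small triage script. The following is an added example, not code from the presentation or from CyberX: it brute-forces a single-byte XOR key over a macro-like blob and accepts a hit only when the decoded bytes parse as a consistent PE header with a section table; `build_fake_pe`, `SAMPLE_MACRO_BLOB` and the key 0x5A are constructed test data, not values from the real samples.

```python
import struct

DOS_SIG, NT_SIG = b"MZ", b"PE\x00\x00"

def build_fake_pe(names=(b".text", b".data", b".rdata")):
    """Constructed, non-executable PE header image used as test input (not malware)."""
    e_lfanew = 0x40
    dos = bytearray(DOS_SIG + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)              # e_lfanew -> NT headers
    opt_size = 0xE0                                          # PE32 optional header size
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x2102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # PE32 magic, rest zeroed
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in names)  # 40-byte headers
    return bytes(dos) + NT_SIG + file_hdr + optional + sections

def parse_sections(pe):
    """Return the section names of a PE image, or None if the headers are not self-consistent."""
    if len(pe) < 0x40 or pe[:2] != DOS_SIG:
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != NT_SIG:
        return None
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                         # section table follows optional header
    if nsec == 0 or nsec > 96 or table + 40 * nsec > len(pe):
        return None
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
            for i in range(nsec)]

def find_xored_pe(blob):
    """Try every single-byte XOR key; return (key, offset, section names) for the first
    candidate whose decoded headers parse as a PE, or None. Key 0 covers an unencoded PE."""
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        off = decoded.find(DOS_SIG)
        while off >= 0:
            names = parse_sections(decoded[off:])
            if names:
                return key, off, names
            off = decoded.find(DOS_SIG, off + 1)
    return None

# Constructed sample: macro-like filler followed by the fake PE XORed with key 0x5A.
SAMPLE_MACRO_BLOB = b"macro blob: " + bytes(b ^ 0x5A for b in build_fake_pe())

if __name__ == "__main__":
    print(find_xored_pe(SAMPLE_MACRO_BLOB))   # (90, 12, ['.text', '.data', '.rdata'])
```

Validating the section table is what keeps the scan from flagging every stray "MZ" that a wrong key produces; on a real macro you would feed it the decoded string or byte-array literals extracted from the VBA, not the whole document.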

Page 14:

Stage 2: Connect to C&C server to download main module


Page 15:

Sophisticated Targeted Operation

• Manually approves infection of specific targets

• Checks victim location

• Checks for virtualization

• Looks for security products

• Looks for network monitoring software

• Checks for Ukrainian keyboard

• Checks that the Computer Name is not auto-generated

• Looks for debugging

• Might run without hard-drive persistence

Page 16:

How We Thwarted Them

• Used original malware sample (more authentic)

• Used Ukrainian IP

• Set up non-virtualized environment

• Disabled all security products

• Used winpmem and Wireshark, with their process names renamed (the malware looks for monitoring tools)

• Set up Windows with Ukrainian Computer Name & keyboard

• Didn’t attach debuggers

Page 17:

Threat Intelligence Research Setup (diagram): the infected computer on the CyberX network tunnels its traffic over a VPN that exits with a Ukrainian IP, so the malware operator on the Internet sees a Ukrainian victim.

Page 18:

Infection Results

• Took 4 hours for operator to infect target

– Probably approved manually

• As expected, main module checks for:

– Virtualization

– Debugger

– Computer Name

– Wireshark

– Original malware

• Success!!

Page 19:

Main Module


Page 20:

Dissecting the Main Module

• Well-written code

• Obfuscated strings

• Modular and 64-bit compatible

• Dropbox as C&C server – evades network security products, fully SSL encrypted

• Every module is encrypted and loaded with the custom PE loader

• Module output is stored encrypted on Dropbox

• Blowfish is the main encryption – key derived from user ID

Page 21:

Malware Architecture

Diagram: Dropbox sits above the Main Module; commands flow from Dropbox down to the Main Module, which drives several Modules, and each Module’s collected data flows back up through the Main Module to Dropbox.

Page 22:

Dissecting the Data-Stealing Plug-Ins

• Plug-ins are stored on Dropbox

– Computer Info

– Screenshot collector

– Keylogger

– File Collector

  • Receives commands from Dropbox about which files to upload on-demand

  • Looks for: doc, docx, xls, xlsx, ppt, pptx, pdf, zip, rar, db, txt

– USB File Collector

– Browser Passwords Collector

– Microphone – Used with more than 20 targets

Page 23:

Page 24:

Collected Audio

• Only specific targets hand-picked for audio surveillance

• Around 100 GB of collected data per month

• Out of this data, 19% are audio files with a bitrate of 16 Kbps (7.2 MB per hour)

• Approximately 2,700 hours of recordings

• Requires an audio processing backend

• Requires a team of analysts

• Might indicate this is nation-sponsored

Page 25:

* Majority of Ukrainian targets located in pro-Russian separatist states of Donetsk and Luhansk *

Page 26:

Sampling of Industrial Victims

• A company that designs remote monitoring systems for oil & gas pipeline infrastructures

• An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants

• An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine

Page 27:

Stage 1 of the ICS Kill Chain?

• Picked specific targets with well-crafted social engineering

• Persistent tool to collect sensitive data and report to C&C

• Document exfiltration and credentials

• Modular to extend capabilities

• Attribution is tricky

– Who’s spying on who?

– False flags

– Cyber criminals share tools with nation-states

Page 28:

Defending Against Threats

• Raise awareness with employees

– Anti-phishing vendors offer simulated phishing tests & online training for “victims”

• Verify the email sender

• Don’t open unknown documents

• Disable macros, ask the security guy if needed

• Keep your files encrypted – DLP solutions

• Don’t save passwords in browsers – use password managers

Page 29:

Defending Against Targeted Threats

• It’s not possible to hermetically secure the IT network

• OT networks must be secured as well

• Air gap is not going to save you

• Continuously monitor all network activity with behavioral analytics, anomaly detection, threat intelligence

• Add layers of security – makes it harder to get to you

Page 30:

For more information, visit our ICS Security Knowledge Base & Blog

Page 31:

Get your free copy of this new 390-page guide* at the CyberX tabletop*

CyberX’s threat intelligence research team is proud to have been featured in “Chapter 7: ICS Zero-Day Vulnerability Research”

* While supplies last …


Page 32:

[email protected]

Thank You!