Post on 11-Aug-2020

8 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Tabraiz Malik - Unorthodox C2 Channels - v1.1… · Microsoft PowerPoint - Tabraiz Malik - Unorthodox C2 Channels - v1.1.pptx Author: 939508 Created Date: 20190311160349Z

Unorthodox Command-and-Control Channels

Tabraiz Malik

PwC UK Cyber Security

www.pwc.com

Building a secure digital society.

What they are and how they work

Page 2

PwC │ 2

Introduction

Tabraiz Malik

• PwC, Cyber Security

• Work in the Ethical Hacking team (… we are hiring!)

• Previously worked in Rolls-Royce within the HPC team

Page 3

Why this talk?

• Raising awareness of unusual C2 communications

• Emphasising the need to identify future threats

• Strengths and limitations of defensive techniques

Page 4

What is a C2 channel?

• The way in which attackers communicate with victim machines

• Remote channels (slide diagram: Attacker ↔ Victim)

Page 5

Timeline of Malware

Years on the slide's axis: 1999, 2012, 2015, 2016, 2017, 2018, 2019. Malware families and the C2 channels they used, as listed on the slide:

• ROKRAT: Twitter

• Hammertoss: Twitter, infected web servers

• Instegogram: Instagram

• Fbot: Blockchain DNS

• Unnamed group: Instagram and Firefox extension

• RogueRobin: DNS, Google Drive

• MULTIGRAIN: DNS

• China Chopper: Web shell

• VPNFilter: Tor

• DarkBot: IRC

• SamSam: Web shells, RDP

• SANNY: HTTP

• WannaCry: Tor proxy

• PrettyPark (1999): IRC

Page 6

Evolution of detection capabilities

• Intrusion Detection Systems (IDS) and Deep Packet Inspection (DPI)

• YARA rules

• Heuristic detection using language modelling and network artefact analysis

• Behavioural analysis and anomaly-based detection

Example string: “Hello my name is CRESTCon”

• String / 1-gram: “Hello my name is CRESTCon”

• 2-grams: “Hello my”, “my name”, “name is”, “is CRESTCon”

• 3-grams: “Hello my name”, “my name is”, “name is CRESTCon”
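As an added illustration of the n-gram idea on this slide (this code is not from the talk; the benign label list, the trigram order and the -4.3 threshold are constructed assumptions), the Python below first builds the word n-grams the slide shows, then trains a character-trigram model on hostname labels considered benign and scores unfamiliar labels against it. That per-character log-probability score is one simple form of the language-modelling heuristic the slide refers to: labels that look like encoded data score far lower than labels made of ordinary words.

```python
import math
from collections import Counter


def ngrams(tokens, n):
    """Sliding window of n consecutive tokens, as in the slide's 2-gram/3-gram
    example. Works on a list of words or on a string (character n-grams)."""
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


class CharNgramModel:
    """Character-level n-gram language model with add-one smoothing. Trained on
    labels we treat as benign; a low per-n-gram log probability on a new label
    means it does not resemble the baseline's 'language'."""

    def __init__(self, n=3):
        self.n = n
        self.counts = Counter()    # n-gram -> occurrences in training data
        self.contexts = Counter()  # (n-1)-character prefix -> occurrences
        self.alphabet = set()

    def _pad(self, label):
        # Start/end markers so the first and last characters are scored too.
        return "^" * (self.n - 1) + label.lower() + "$"

    def train(self, labels):
        for label in labels:
            padded = self._pad(label)
            self.alphabet.update(padded)
            for gram in ngrams(padded, self.n):
                self.counts[gram] += 1
                self.contexts[gram[:-1]] += 1

    def score(self, label):
        """Mean log2 probability per n-gram; higher means more like the baseline."""
        grams = ngrams(self._pad(label), self.n)
        vocab = len(self.alphabet)
        total = 0.0
        for gram in grams:
            prob = (self.counts[gram] + 1) / (self.contexts[gram[:-1]] + vocab)
            total += math.log2(prob)
        return total / len(grams)


# Constructed baseline: hostname labels typical of ordinary corporate traffic.
BENIGN_LABELS = [
    "mail", "login", "update", "accounts", "static", "images", "cdn", "api",
    "support", "docs", "download", "secure", "portal", "news", "shop", "cloud",
    "storage", "service", "content", "media", "video", "photo", "search", "maps",
    "calendar", "office", "drive", "teams", "github", "slack", "jsfiddle",
    "twitter", "instagram", "status",
]
# Constructed threshold for this baseline; calibrate on held-out benign data.
DEFAULT_THRESHOLD = -4.3


def build_model(n=3):
    model = CharNgramModel(n)
    model.train(BENIGN_LABELS)
    return model


def flag_anomalous(model, labels, threshold=DEFAULT_THRESHOLD):
    """Labels whose score falls below the threshold, i.e. unlike the baseline."""
    return [label for label in labels if model.score(label) < threshold]


if __name__ == "__main__":
    m = build_model()
    # Constructed queries: one ordinary label, one hex-looking, one base64-looking.
    sample = ["accounts", "3f9a8c1e7b2d4f6a0c9e", "agvsbg8gd29ybgq"]
    for label in sample:
        print(f"{label:24s} {m.score(label):6.2f}")
    print("flagged:", flag_anomalous(m, sample))
```

With add-one smoothing, every unseen context costs roughly log2(1/alphabet size), so encoded labels made of digits and rare letter pairs sit well below the baseline; in production the baseline would be thousands of observed labels and the threshold would be set from their score distribution rather than by hand.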

Page 7

Case studies

Five areas, numbered 1 to 5 on the slide: HTTP, DNS, Steganography, Social Media and X.509.

“More and more threat actors are using CDN to send payloads past network security appliances” – PwC Threat Intelligence

Page 8

Hammertoss (2015)

Image: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

1) Dynamically generates Twitter handles

Page 9

Hammertoss (2015)

Image: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

2) Malware operator publishes a tweet to the Twitter account timeline

3) Inspects the tweet for the address (URL) it carries

Page 10

Hammertoss (2015)

4) Visits the target URL and downloads all content, including image files

5) Commands are hidden in the images (steganography)

6) Execute commands and upload output to cloud storage service

Read more on Hammertoss: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

Page 11

Hammertoss (2015)

Challenges to SOC analysts:

• Analysts would require more than just the binary to carry out comprehensive analysis

• Valid Twitter handle required

• Access to malicious tweet(s) to decrypt content

Page 12

Instegogram (2016)

Image: International Journal on Computer Science and Engineering Vol.1 (3), 2009, 137-141

• Steganography can hide data in messages, images or videos

• Attack infrastructure combines steganography and social media

Page 13

Instegogram (2016)

Image: https://www.youtube.com/watch?v=ICN7rTmQdR4

1) Embed commands into images

2) Upload images to Instagram account

Page 14

Instegogram (2016)

Image: https://www.youtube.com/watch?v=ICN7rTmQdR4

3) Decode image

4) Execute command

5) Embed output in an image and post it to the Instagram account

Read more on Instegogram: https://www.endgame.com/blog/technical-blog/instegogram-leveraging-instagram-c2-image-steganography
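Added example, not from the slides or from the Instegogram project: true pixel-domain steganography of the kind Instegogram used is not caught by structural checks alone, but a web gateway can deterministically flag the cruder ways commands and output get carried in image files. The Python scanner below walks a PNG's chunk structure and reports bytes appended after IEND, chunk types outside the specification, CRC mismatches and text chunks with suspiciously high entropy. The PNG builder, the sample images and the 6.0 bits-per-byte entropy threshold are constructed for this demonstration.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is worth a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
HIGH_ENTROPY_BITS = 6.0  # constructed threshold; prose sits around 4-5 bits/byte


def shannon_entropy(data):
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_png(blob):
    """Walk the chunk list and return human-readable findings; an empty list
    means the container is structurally ordinary (pixel stego is not covered)."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["missing PNG signature"]
    pos, saw_iend = len(PNG_SIG), False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 12 + length                     # length + type + data + CRC
        if end > len(blob):
            findings.append(f"truncated chunk {name}")
            return findings
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            findings.append(f"CRC mismatch in {name}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        elif ctype in TEXT_CHUNKS and shannon_entropy(data) > HIGH_ENTROPY_BITS:
            findings.append(f"high-entropy {name} chunk ({length} bytes)")
        pos = end
        if ctype == b"IEND":
            saw_iend = True
            break
    if saw_iend:
        trailing = len(blob) - pos
        if trailing:
            findings.append(f"{trailing} bytes after IEND")
    else:
        findings.append("no IEND chunk")
    return findings


def png_chunk(ctype, data):
    """Encode one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=8, height=8, extra_chunks=(), trailer=b""):
    """Constructed 8-bit greyscale PNG. extra_chunks go before IEND; trailer
    bytes are appended after it, the way naive 'stego' droppers do."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes((x * 7 + y * 3) & 0xFF for x in range(width))
                    for y in range(height))
    body = [png_chunk(b"IHDR", ihdr), png_chunk(b"IDAT", zlib.compress(rows))]
    body += [png_chunk(t, d) for t, d in extra_chunks]
    body.append(png_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(body) + trailer


if __name__ == "__main__":
    print("clean:   ", scan_png(build_png()))
    print("trailer: ", scan_png(build_png(trailer=b"\x41" * 64)))
    print("text:    ", scan_png(build_png(extra_chunks=[(b"tEXt", b"Comment\x00" + bytes(range(256)))])))
    print("private: ", scan_png(build_png(extra_chunks=[(b"prIv", b"\x00" * 10)])))
```

The point of the CRC check is that a gateway which re-encodes or strips everything it cannot verify (the approach the Deep Secure reference describes) removes appended and ancillary data without having to decide whether it is malicious; the entropy heuristic is only a triage signal and will also fire on legitimately compressed or encrypted metadata.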

Page 15

x.509 (2018)

Certificate (extension fields carrying attacker data):

• keyUsage = <malicious data>

• subjectKeyIdentifier = <malicious data>

• extendedKeyUsage = <malicious data>

Page 16

x.509 (2018)

Image: https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities

Transferring a malicious executable (Mimikatz) in an X.509 certificate.

Read more on x.509 as a C2: https://www.fidelissecurity.com/threatgeek/threat-intelligence/x509-vulnerabilities

• Misusing the TLS handshake

• Bypassing detection methods that fail to inspect the certificates which underpin TLS
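Added example (not from the slides or from the Fidelis research): because the technique relies on extensions carrying far more data than their type warrants, one check a TLS-aware sensor can run on the certificate chain it already sees in the handshake is a size comparison of each extnValue against what that extension normally holds. The Python below includes a minimal DER walker and a skeleton certificate builder so it runs offline; the per-extension limits, the 1024-byte default limit and the skeleton certificates are constructed assumptions, and the 4 KiB of filler bytes stands in for the smuggled content the slide describes.

```python
# Upper bound on the DER extnValue length for extensions that normally carry only
# a few bytes. Constructed baseline for this example, not from the slides.
EXTENSION_BASELINE = {
    "2.5.29.15": ("keyUsage", 8),               # BIT STRING of at most 9 bits
    "2.5.29.14": ("subjectKeyIdentifier", 66),  # OCTET STRING, usually a 20-32 byte hash
    "2.5.29.37": ("extendedKeyUsage", 128),     # SEQUENCE of a handful of OIDs
}
DEFAULT_LIMIT = 1024  # constructed: larger values in any other extension get reviewed


def der_tlv(tag, value):
    """Encode one DER tag-length-value element (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def oid_to_str(body):
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_children(buf):
    """Split a DER SEQUENCE body into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long form: next bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def extension_findings(cert_der):
    """Return (name, extnValue length, oversized) per extension, walking
    Certificate -> tbsCertificate -> [3] EXPLICIT Extensions."""
    _, cert_body = der_children(cert_der)[0]
    _, tbs = der_children(cert_body)[0]
    findings = []
    for tag, value in der_children(tbs):
        if tag != 0xA3:
            continue
        _, ext_seq = der_children(value)[0]
        for _, ext in der_children(ext_seq):
            fields = der_children(ext)
            oid = oid_to_str(fields[0][1])
            extn_value = next(v for t, v in fields if t == 0x04)  # OCTET STRING
            name, limit = EXTENSION_BASELINE.get(oid, (oid, DEFAULT_LIMIT))
            findings.append((name, len(extn_value), len(extn_value) > limit))
    return findings


def extension(oid, extn_value):
    return der_tlv(0x30, der_oid(oid) + der_tlv(0x04, extn_value))


def mock_certificate(extensions):
    """Skeleton certificate (version, serial and extensions only), constructed
    for the demonstration; it is not a valid or signed certificate."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    exts = der_tlv(0xA3, der_tlv(0x30, b"".join(extensions)))
    return der_tlv(0x30, der_tlv(0x30, version + serial + exts))


KEY_USAGE_SIGN_ENCIPHER = b"\x03\x02\x05\xa0"         # BIT STRING, 4 bytes
SKID_SAMPLE = b"\x04\x14" + bytes(range(0x10, 0x24))   # OCTET STRING, 22 bytes
ORDINARY_CERT = mock_certificate([
    extension("2.5.29.15", KEY_USAGE_SIGN_ENCIPHER),
    extension("2.5.29.14", SKID_SAMPLE),
])
# keyUsage stuffed with 4 KiB of constructed filler standing in for smuggled content.
STUFFED_CERT = mock_certificate([
    extension("2.5.29.15", b"\x03" + b"\x41" * 4095),
    extension("2.5.29.14", SKID_SAMPLE),
])
```

A real deployment would feed the DER of each certificate seen in a ServerHello (or a Client Certificate message, which is where the research put the payload) into extension_findings and alert on any oversized entry; the walker above deliberately ignores signatures and validity, because the whole point is that the certificate never needs to validate for the data to cross the wire.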

Page 17

Novel C2 Channels

• My contributions to this research subject

• Threat Intelligence driven approach

• Exploring technologies that have become more prevalent in corporate environments

Page 18

GitHub

Why GitHub?

• 28 million users

• 57 million repositories

C2 PoC

• GitHub API

• Repository used as C2 channel (public/private)

• Activation message: specific string in Git commit

• Communications: Git comments

Page 19

Page 20

Slack

Why Slack?

• Instant messaging

• 10+ million daily active users

• 85,000 paying customers

C2 PoC

• Slack API

• Slack channel used as C2 (public/private)

• Activation message: specific string published to channel

• Communications: messages published to channel

• Human simulated conversation through Slack bots

Page 21

Slack

Page 22

JSFiddle

Why JSFiddle?

• Anonymous sharing

• Permanent fiddles

• Widely used in the development community

C2 PoC

• Public anonymous fiddle

• Queries the most recent fiddle version

• Activation message: not used

• Communication: fiddle updated with commands/output

Page 23

Page 24

Cryptocurrency and Blockchain

Why Blockchain?

• Huge interest in the application of blockchain

Why Cryptocurrencies?

• 32 million Bitcoin wallets

• 7.1 million active Bitcoin users

C2 PoC

• PwCoin

• Valid addresses are accepted on the PwCoin network

• Activation message: not used

• Communication: transactions issued with encoded content

Page 25

Bitcoin and Blockchain

Page 26

Countermeasures (1)

Basic & brittle solutions:

• Domain whitelisting

• Blacklisting non-approved Slack subdomains

• Egress filtering and firewall exceptions

Page 27

Countermeasures (2)

Complex & current solutions

• A live system built from layer-4 metrics (connection timestamps and frequencies) to identify malicious traffic

• Fingerprinting TLS metadata & network flow analysis

• LogicHub – triage, respond and hunt

• Palo Alto Magnifier

• Software-defined firewalls for malicious traffic detection
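Added example, not from the slides: the first bullet describes a system built from layer-4 metrics, timestamps and connection frequencies. The Python below is one simple version of that idea, and it is exactly the kind of check that catches the GitHub, Slack and JSFiddle proof-of-concept channels above even though their destinations are whitelisted SaaS hosts: it groups flows by source, destination and port, computes the gaps between successive connections, and flags pairs whose gaps are too regular to be a person (low coefficient of variation). The flow records, hosts and thresholds are constructed for the demonstration.

```python
import statistics
from collections import defaultdict


def beacon_candidates(flows, min_connections=8, max_cv=0.15):
    """Group (timestamp, src, dst, dst_port) flows by the (src, dst, port) pair
    and score the regularity of inter-connection gaps. A coefficient of
    variation (stdev / mean) near zero means a fixed-period timer; human
    browsing and most client software are far burstier. Thresholds are
    constructed starting points, not tuned values."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_connections:       # too few samples to judge
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"pair": key, "connections": len(times),
                         "period_s": round(mean_gap, 1), "cv": round(cv, 3)})
    return hits


def constructed_flows():
    """Synthetic flow log (constructed, documentation IP ranges): one host
    polling a single destination every ~60 s with +/-2 s jitter, another
    host browsing two sites at irregular times."""
    flows = []
    for i in range(20):
        jitter = (i % 3 - 1) * 2              # -2, 0, +2 seconds
        flows.append((1000 + 60 * i + jitter, "10.0.0.5", "203.0.113.10", 443))
    for t in (0, 5, 7, 30, 31, 200, 260, 900, 905, 1500, 1510, 2400):
        flows.append((1000 + t, "10.0.0.9", "198.51.100.20", 443))
    for t in (12, 13, 700):
        flows.append((1000 + t, "10.0.0.9", "198.51.100.21", 80))
    return flows


if __name__ == "__main__":
    for hit in beacon_candidates(constructed_flows()):
        print(hit)
```

Regular timing alone is not proof: NTP, update checks and the keepalives of the very Slack client the slide mentions all score as beacons, so the output is a candidate list to be joined against a baseline of known periodic services and against the process that opened each connection. A more evasive implant adds large random sleeps, which is why the next bullets pair timing with TLS fingerprinting and flow analysis rather than relying on it alone.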

Page 28

Future work

• Fine-tuning human interaction within C2 channels

• Build non-standard detection models using new machine-learning and data science powered techniques

• Alternative platforms such as Jira, Slido

Page 29

Key takeaways

• Heightened awareness of seemingly benign technologies

• Re-assess risk appetite based on enterprise-wide software inventory

• Automated security solutions are often not enough

• Complement core defences with more advanced detection systems

• Penetration testers can begin to explore similar technologies deployed within organisations

Page 30


© 2019 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Thoughts, questions, feedback: @wilbourneuk · [email protected]

Page 31

References

Reaves, J. (2018). “Covert channel by abusing x509 extensions”. http://vixra.org/pdf/1801.0016v1.pdf. Accessed 26/07/2018.

FireEye. (2015). “Hammertoss: Stealthy Tactics Define a Russian Cyber Threat Group”. https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf. Accessed 22/08/2018.

Steganography Image. https://media.wired.com/photos/594db1717c1bde11fe06f341/master/w_799,c_limit/hidden_data-01.png. Accessed 24/08/2018.

Grant, D. (2016) “Instegogram: Leveraging Instagram for C2 Via Image Steganography”, https://www.endgame.com/blog/technical-blog/instegogram-leveraging-instagram-c2-image-steganography. Accessed 28/08/2018.

Deep Secure. (2018). “Stegware Threat Removal for Web Gateways”, https://www.deep-secure.com/uploads/files/deep_secure/resources/18/Deep_Secure_Solution_Brief_Stegware_Threat_Removal_for_Web_Gateways.pdf. Accessed 02/11/2018.

Berg, G., Davidson, I., Duan, M., Paul, G. (2003). “Searching For Hidden Messages: Automatic Detection of Steganography”. https://www.aaai.org/Papers/IAAI/2003/IAAI03-007.pdf. Accessed 15/10/2018.

Sheridan, S., Keane, A. (2017). “Improving Stealthiness of DNS-based Covert Communication”, https://pdfs.semanticscholar.org/e7bd/7b29b5357e7c9ffe43ff85aad1788e88c983.pdf. Accessed 18/10/2018.

Booth, J. (2018). “Heuristic DNS detections in Azure Security Center”, https://azure.microsoft.com/en-us/blog/heuristic-dns-detections-in-azure-security-center/. Accessed 28/10/2018.

Page 32

References (continued)

GB Hackers. (2018). “Domain Fronting: A New Technique For Hiding Malware Command and Control (C2) Traffic within a Content Delivery Network”. https://i0.wp.com/gbhackers.com/wp-content/uploads/2017/07/api.jpg?resize=904%2C420&ssl=1. Accessed 17/02/2019.

Puodzius, C. (2017). “DownAndExec: Banking malware utilizes CDNs in Brazil”, https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil. Accessed 10/01/2019.

LogicHub (2018). https://www.logichub.com/company/news/logichub-accelerates-security-operations-rsa-archer-suite-support. Accessed 12/02/2019.

Google. (2017). “Malware Beaconing Detection Methods”, https://patentimages.storage.googleapis.com/2a/0d/78/23bdc0f69c794d/US20170187736A1.pdf. Accessed 11/01/2019.

Finley, K. (2017). “Why workplace instant messaging is hot again”. https://www.wired.com/story/why-workplace-instant-messaging-is-hot-again. Accessed 21/01/2019.

Gao, S., Li, Z., Yao, Y., Xiao, B., Guo, S., Yang, Y. (2018). “Software-Defined Firewall: Enabling Malware Traffic Detection and Programmable Security Control”. http://www4.comp.polyu.edu.hk/~csbxiao/paper/2018/SDF-asiaccs18.pdf. Accessed 30/01/2019.

Cisco. (2017). “Detect threats in encrypted traffic without decryption, using network based security analytics”. https://clnv.s3.amazonaws.com/2017/usa/pdf/BRKCRS-1560.pdf. Accessed 30/01/2019.

Reaves, J. (2018). “Sometimes What’s Missing is Right In Front of Us, We Only Need to Look”. https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities. Accessed 26/07/2018.

Page 33

References (continued)

Crouch, H. Digital Health. “Message platform Slack reportedly eyeing up US healthcare sector”. https://www.digitalhealth.net/2019/02/messaging-platform-slack-healthcare-sector. Accessed 04/02/2019.

Westbrook, I., BBC. (2015). “Hackers combine codes photos and Twitter to hit targets”. https://www.bbc.co.uk/news/technology-33702678. Accessed 01/01/2019.

Liao, S. (2019). The Verge. “Here are the messaging apps Slack crushed on its road to IPO”. http://www.theverge.com/tldr/2019/2/4/18210980/slack-ipo-messaging-apps-competition-chat. Accessed 19/02/2019.

Eckert, N. (2019). DBK News. http://www.dbknews.com/2019/02/15/umd-senate-slack-communication-app-meeting-participation-vote. Accessed 18/02/2019.

Guri, M., Zadov, B., Bykhovsky, D., Elovici, Y. (2018). “PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines”. https://arxiv.org/pdf/1804.04014.pdf. Accessed 13/02/2019.

Guri, M. (2018). “Mind the gap: This researcher steals data with noise, light, and magnets”. https://www.wired.com/story/air-gap-researcher-mordechai-guri. Accessed 19/02/2019.

Lielacher, A. (2019). “How Many People Use Bitcoin in 2019?”. https://www.bitcoinmarketjournal.com/how-many-people-use-bitcoin