Thursday, June 11, 2015

The Duqu 2.0: Technical Details (English)

See also:
WSJ: Mossad infected the computers of European hotels where the talks with Iran were held

...Most of the final targets appear to be similar to their 2011 goals – which is to spy on Iran’s nuclear program. Some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau...

During our 2011 analysis, we noticed that the logs collected from some of the proxies indicated the attackers appear to work less on Fridays and didn’t appear to work at all on Saturdays, with their regular work week starting on Sunday. They also compiled binaries on January 1st, indicating it was probably a normal work day for them. The compilation timestamps in the binaries seemed to suggest a time zone of GMT+2 or GMT+3. Finally, their attacks would normally occur on Wednesdays, which is why we originally called them the “Wednesday Gang”.

There is more below.

...While the 2014 attack against Kaspersky Lab also took place on a Wednesday, the gang made huge OPSEC improvements compared to their older 2011 operations, including faking all the timestamps in PE files, removing the debug paths and internal module names for all plugins.

The 2014 Duqu 2.0 binaries contain several strings in almost perfect English but one of them has a minor mistake indicating the involvement of non-native speakers. The usage of “Excceeded” instead of “Exceeded” in the file-harvesting module of Duqu 2.0 is the only language mistake we observed.

Most interesting, one of the victims appears to have been infected both by the Equation Group and by the Duqu group at the same time; this suggests the two entities are different and competing with each other to obtain information from this victim...

...In the case of Duqu 2.0, the lateral movement technique appears to have taken advantage of another zero-day (CVE-2014-6324), which was patched in November 2014 with MS14-068. This exploit allows an unprivileged domain user to elevate credentials to a domain administrator account. Although we couldn’t retrieve a copy of this exploit, the logged events match the Microsoft detection guidance for this attack. Malicious modules were also observed performing a “pass the hash” attack inside the local network, effectively giving the attackers many different ways to do lateral movement.

Once the attackers have gained domain administrator privileges, they can use these permissions to infect other computers in the domain.

To infect other computers in the domain, the attackers use a few different strategies. In most of the attacks we monitored, they prepare Microsoft Windows Installer Packages (MSI) and then deploy them remotely to other machines. To launch them, the attackers create a service on the target machine with the following command line:

msiexec.exe /i "C:\\[…]\tmp8585e3d6.tmp" /q PROP=9c3c7076-d79f-4c

The PROP value above is set to a random 56-bit encryption key that is required to decrypt the main payload from the package. Other known names for this parameter observed in the attacks are “HASHVA” and “CKEY”. The folder where the package is deployed can be different from case to case, depending on what the attackers can access on the remote machine.

In addition to creating services to infect other computers in the LAN, attackers can also use the Task Scheduler to start “msiexec.exe” remotely. The usage of Task Scheduler during Duqu infections for lateral movement was also observed with the 2011 version and was described by Symantec in their technical analysis.
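A detection-side illustration of the service command line quoted above, added here and not taken from the Kaspersky report or this post: it flags msiexec launched on a .tmp package in quiet mode with a custom property (PROP, HASHVA or CKEY) carrying a hex key, and reports the key length. The command lines are constructed samples; only the pattern of the first one mirrors the report.

```python
import re

# Constructed sample service-creation command lines (not real log data).
# The first mirrors the pattern quoted in the report; the others are benign decoys.
SAMPLE_COMMAND_LINES = [
    r'msiexec.exe /i "C:\Windows\Temp\tmp8585e3d6.tmp" /q PROP=9c3c7076-d79f-4c',
    r'C:\Windows\system32\msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\tmp12ab34cd.tmp" /qn HASHVA=0011223344556677',
    r'msiexec.exe /i "C:\Installers\7zip.msi" /qn',
    r'C:\Windows\system32\svchost.exe -k netsvcs',
]

# Property names the report says carried the payload decryption key.
KEY_PROPERTY_NAMES = ("PROP", "HASHVA", "CKEY")

# msiexec /i on a .tmp package, any /q* quiet switch, then NAME=<hex, dashes allowed>.
MSIEXEC_RE = re.compile(
    r'msiexec(?:\.exe)?\s+/i\s+"?(?P<pkg>[^"\s]+\.tmp)"?\s+/q\w*\s+'
    r'(?P<prop>[A-Za-z]+)=(?P<key>[0-9A-Fa-f-]{8,})',
    re.IGNORECASE,
)


def inspect_command_line(cmdline):
    """Return a dict describing why the line is suspicious, or None if it is not."""
    m = MSIEXEC_RE.search(cmdline)
    if not m:
        return None
    prop = m.group("prop").upper()
    key_hex = m.group("key").replace("-", "")
    return {
        "package": m.group("pkg"),
        "property": prop,
        "known_property": prop in KEY_PROPERTY_NAMES,
        "key_bits": len(key_hex) * 4,  # each hex digit carries 4 bits
    }


def find_suspicious(cmdlines):
    """Run inspect_command_line over a batch of command lines, keeping the hits."""
    return [info for info in map(inspect_command_line, cmdlines) if info]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_COMMAND_LINES):
        print(hit)
```

The 14 hex digits of the quoted PROP value give 56 bits, matching the key size stated in the report.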

The MSI files used in the attacks contain a malicious stub inside which serves as a loader. The stub loads the other malware resources right from the MSI file and decrypts them, before passing execution to the decrypted code in memory.

The encryption algorithms used for these packages differ from case to case. It’s important to point out that the attackers were careful enough to implement unique methods, encryption algorithms and names (such as file names) for each attack, as a method to escape detection from security products and limit the ability of an antivirus company to find other infections once one of them has been identified...

...In essence, each compiled attack platform uses a unique combination of algorithms that make it very difficult to detect.

The attackers can deploy two types of packages to their victims:
* “Basic”, in-memory remote backdoor (~500K)
* Fully featured, C&C-capable, in-memory espionage platform (18MB)

...The “basic” in-memory remote backdoor is pushed to computers inside the domain by the Domain Controller on a regular basis – almost like a worm infection. This gives the attackers an entry into most of the machines from the domain and if further access is needed, they can upload a more sophisticated MSI file that deploys tens of different plugins to harvest information...

...The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in memory of the infected systems, without need for persistence. To achieve this, the attackers infect servers with high uptime and then re-infect any machines in the domain that get disinfected by reboots. Surviving exclusively in memory while running kernel level code through exploits is a testimony to the technical prowess of the group. In essence, the attackers were confident enough they can survive within an entire network of compromised computers without relying on any persistence mechanism at all. The reason why there is no persistence with Duqu 2.0 is probably because the attackers wanted to stay under the radar as much as possible. Most modern anti-APT technologies can pinpoint anomalies on the disk, such as rare drivers, unsigned programs or maliciously-acting programs. Additionally, a system where the malware survives reboot can be imaged and then analyzed thoroughly at a later time. With Duqu 2.0, forensic analysis of infected systems is extremely difficult – one needs to grab memory snapshots of infected machines and then identify the infection in memory.

However, this mechanism has one weakness; in case of a massive power failure, all computers will reboot and the malware will be eradicated. To get around this problem, the attackers have another solution – they deploy drivers to a small number of computers, with direct Internet connectivity. These drivers can tunnel traffic from the outside into the network, allowing the attackers to access remote desktop sessions or to connect to servers inside the domain by using previously acquired credentials. Using these credentials, they can re-deploy the entire platform following a massive power loss.

...Duqu 2.0 uses a sophisticated and highly flexible command-and-control mechanism that builds on top of the 2011 variant, with new features that appear to have been inspired by other top class malware such as Regin. This includes the usage of network pipes and mailslots, raw filtering of network traffic and masking C&C traffic inside image files.

Inside a Windows LAN, newly infected clients may not have a C&C hardcoded in their installation MSI packages. Without a C&C, they are in “dormant” state and can be activated by the attackers over SMB network pipes with a special TCP/IP packet that contains the magic string “tttttttttttttttt”. If a C&C is included in the configuration part of the MSI file, this can be either a local IP address, which serves as a bouncing point, or an external IP address. As a general strategy for infection, the attackers identify servers with high uptime and set them as intermediary C&C points. Hence, an infected machine can jump between several internal servers in the LAN before reaching out to the Internet. To connect to the C&C servers, both 2011 and 2014/2015 versions of Duqu can hide the traffic as encrypted data appended to a harmless image file. The 2011 version used a JPEG file for this; the new version can use either a GIF file or a JPEG file. Here’s what these image files look like:
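Because the C&C data is appended after an otherwise valid image, a defender can parse the image to its real end marker and measure what follows. The example below, added here and not part of the report or this post, does this for the GIF case (a JPEG would be walked to its FF D9 end-of-image marker in the same spirit); the 1x1 GIF and the appended blob are constructed samples, not Duqu artifacts.

```python
# Constructed minimal GIF89a (not a Duqu sample): 1x1 screen with a global colour
# table, a graphic control extension, one image block and the 0x3B trailer.
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"            # header + logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                           # 2-entry global colour table
    + b"\x21\xf9\x04\x00\x00\x00\x00\x00"                   # graphic control extension
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor, no local table
    + b"\x02" + b"\x02\x44\x01" + b"\x00"                   # LZW min code size + one sub-block
    + b"\x3b"                                               # trailer: end of image
)
HIDDEN_BLOB = bytes(range(0x40, 0x60))    # constructed stand-in for appended ciphertext
STEGO_GIF = CLEAN_GIF + HIDDEN_BLOB       # what a "harmless" carrier image would look like


def gif_image_end(data):
    """Parse the GIF block structure and return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                      # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                           # global colour table flag
        pos += 3 * (2 << (data[10] & 7))          # 3 bytes per entry, 2^(n+1) entries
    while True:
        block = data[pos]
        if block == 0x3B:                         # trailer reached: image ends here
            return pos + 1
        if block == 0x2C:                         # image descriptor (10 bytes)
            if data[pos + 9] & 0x80:              # local colour table flag
                pos += 3 * (2 << (data[pos + 9] & 7))
            pos += 11                             # descriptor + LZW minimum code size byte
        elif block == 0x21:                       # extension: introducer + label
            pos += 2
        else:
            raise ValueError("corrupt GIF at offset %d" % pos)
        while data[pos]:                          # data sub-blocks end with a zero-length one
            pos += data[pos] + 1
        pos += 1


def appended_data(data):
    """Return whatever follows the image trailer; b'' for a clean file."""
    return data[gif_image_end(data):]


if __name__ == "__main__":
    print("clean trailing bytes:", len(appended_data(CLEAN_GIF)))
    print("stego trailing bytes:", len(appended_data(STEGO_GIF)))
```

Any non-empty result on an image retrieved from HTTP traffic is worth a closer look; real steganographic carriers would still need the appended bytes decrypted to confirm what they hold.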

Another modification to the 2014/2015 variants is the addition of multiple user agent strings for the HTTP communication. The 2011 version used the following user agent string:

* Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)

The new variants will randomly select a user agent string from a table of 53 different possible ones.

Another unusual C&C mechanism relies on driver files that are used to tunnel the C&C communications and attacker’s RDP/SMB activity into the network. The attackers deploy such translation drivers on servers with direct Internet connectivity. Through a knocking mechanism, the attackers can activate the translation mechanism for their IPs and tunnel their traffic directly into the LAN. Outside the LAN, the traffic can be masked over port 443; inside the LAN, it can be either direct SMB/RDP or it can be further translated over fake TCP/IP packets to IP

...The 2014/2015 Duqu 2.0 is a greatly enhanced version of the 2011 Duqu malware discovered by CrySyS Lab. It includes many new ideas from modern malware, such as Regin, but also lateral movement strategies and harvesting capabilities which surpass commonly seen malware from other APT attacks.

...There are many similarities in the code that lead us to the conclusion that Duqu 2.0 was built on top of the original source code of Duqu...

Side by side:

                        2011 Duqu                   2014/2015 Duqu 2.0
Number of victims:      <50 (estimated)             <100 (estimated)
Persistence mechanism:  Yes                         No
Loader:                 SYS driver                  MSI file
Zero-days used:         Yes                         Yes
Main storage:           PNF (custom) files          MSI files
C&C mechanism:          HTTP/HTTPS, network pipes   HTTP/HTTPS, network pipes
Known plugins:          6                           >100
(pdf)
