Another threat actor day…

Paul Jung (Excellium Services)

This will be a TLP:WHITE talk about an incident response that I had to face with my team in the medical sector.

In December 2019, a Belgian hospital required our help to manage a breach of their information system. During this intervention we were able to collect many artifacts and a lot of information about the attacker's methods and tools.

We propose to detail the attack and explain the droppers, the malware and the TTPs used. We attribute this attack to the TA505 group with high confidence, since we were able to cross-check many details of the infrastructure, tools and habits against several other reports.

During this talk I will outline:

Initial compromise

The client was compromised (as usual) using a VBA-enabled malicious Office document. The interesting point here is the payload. The maldoc payload contains two PE binaries, one for 64-bit systems and one for 32-bit systems, responsible for the installation of the backdoor malware.

I will discuss:

  • How the payloads and infrastructure were prepared shortly before the attack
  • The key artifact of the dropped maldocs
  • The capabilities of the dropper and the basic information it reports back
  • The decoy documents used (multiple forms available in the wild: XLS/DOX)
  • Delivery methods

Persistence

The attacker deployed a malware named SDBbot on patient 0. This malware is a backdoor with a couple of interesting capabilities that give the attacker persistence inside the information system. SDBbot is a simple malware in terms of design. It uses a simple persistence method when run with plain user rights. Its connectivity is also really simple, since it uses only raw TCP connections. This is an interesting point, because this network protocol allows effective detection of the C&C. Besides that, SDBbot is also a fileless malware: the main payload is stored in the registry in a blob containing the memory-mapped PE, and a dedicated small 32- or 64-bit DLL launcher is generated per victim. This specificity also makes SDBbot less present in public sandbox reports and on VirusTotal, helping to hide the threat actor.

I will cover in this part:

  • How SDBbot is stored in and launched from the registry
  • The unique per-workstation loader with its hard-coded UUID
  • The capabilities of SDBbot, the network protocol used and its weaknesses

Actions on objectives

The attacker used pentester skills to compromise the whole information system. In our case it was not really complicated, since the Active Directory servers were vulnerable to MS17-010. The attacker used Metasploit to perform the compromise and pivoting, using a combination of PowerShell to launch Meterpreter remotely, a repackaged TinyMet client and PsExec. The actor spread over 50 servers and workstations.

I will cover in this part:

  • The tools and techniques used for pivoting
  • TTPs and tools used for extracting the AD database
  • How SDBbot is deployed and made persistent at system level
  • How we used the SDBbot C&C configuration feature to block the attacker globally

Finding SDBbot

In this last part I will explain how to hunt for SDBbot in the Internet space. Since this malware uses a simple binary handshake, it is easy to spot the malware running in a victim network by looking at the network level with Suricata rules. It is also possible to hunt SDBbot efficiently in the wild using a dedicated Nmap NSE script. It is interesting to see that, for the moment, none of the SDBbot C&Cs we found showed the SDBbot port on Shodan. It looks like the group is managing blacklisting quite well.

I will cover in this part:

  • How to detect it in a victim infrastructure, in memory and on the network
  • How to detect it in the wild
  • Tricks to find candidates based on PDNS
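As an added example (not code from the talk or from Excellium Services), a small Python hunt that serves both the Persistence point above (the payload kept as a memory-mapped PE inside a registry blob) and the in-memory detection point in this part: it flags opaque blobs that embed a valid PE header and classifies the image as 32- or 64-bit. Registry access itself is left out; the blob is a constructed sample, and the header layout used (e_lfanew at 0x3C, COFF Machine field after the PE signature) is standard PE, not anything SDBbot-specific.

```python
"""Hunt for PE images embedded in opaque registry-style blobs.

Added example, not from the talk or Excellium Services. It assumes only
what the abstract states: the main payload sits in a registry value as a
memory-mapped PE. A mapped image keeps its DOS and NT headers, so 'MZ'
plus a sane e_lfanew landing on 'PE\\0\\0' is the check.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"

def find_pe_offsets(blob: bytes) -> list:
    """Return every offset in blob where a plausible PE header starts."""
    hits, start = [], 0
    while True:
        i = blob.find(MZ, start)
        if i < 0 or i + 0x40 > len(blob):      # need the whole DOS header
            break
        e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
        pe = i + e_lfanew
        if pe + 4 <= len(blob) and blob[pe:pe + 4] == PE_SIG:
            hits.append(i)
        start = i + 1
    return hits

def pe_machine(blob: bytes, off: int) -> str:
    """Classify the image at off as x86 or x64 from the COFF Machine field."""
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    machine = struct.unpack_from("<H", blob, off + e_lfanew + 4)[0]
    return {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine))

def build_fake_image(machine: int) -> bytes:
    """Constructed sample: a header-only image, not a real binary."""
    hdr = bytearray(MZ + b"\x00" * 0x3E)         # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> 0x80
    hdr += b"\x00" * (0x80 - len(hdr))            # DOS stub padding
    hdr += PE_SIG + struct.pack("<H", machine) + b"\x00" * 18
    return bytes(hdr)

# Constructed registry-style blob: junk, one x64 image, then a decoy 'MZ'
# whose e_lfanew does not reach a PE signature (must not be reported).
SAMPLE_BLOB = b"\x11" * 37 + build_fake_image(0x8664) + MZ + b"\x00" * 70

if __name__ == "__main__":
    for off in find_pe_offsets(SAMPLE_BLOB):
        print(f"PE image at offset {off}: {pe_machine(SAMPLE_BLOB, off)}")
```

On a live host the same two functions can be fed the raw bytes of every REG_BINARY value under the usual autorun keys; a hit is a candidate to dump and compare against the per-victim loader described above.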
Paul Jung (Excellium Services)

Paul Jung has been a security enthusiast for a long time. He has worked in the security field in Luxembourg for more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experience that enable him to perform multiple roles, from offensive security audits to security incident handling. From 2008 to 2014, prior to joining Excellium Services, Paul was Senior Security Architect in the Managed Network Security department of the European Commission. In this position, Paul was responsible for leading the technical aspects of security projects. He also wrote a few articles in MISC magazine (French) about DDoS, botnets, malware and incident response. Since 2014, Paul has worked at Excellium Services as a senior security consultant. He leads the Excellium Services CSIRT (CERT-XLM). In this position, Paul manages the response team and is involved in incident handling and intrusion responses. He provides security awareness and recommendations to Excellium Services customers. Paul is often a speaker at local events and has spoken several times at the FIRST, Hack.lu and Botconf security conferences. His mother tongue is French, and he speaks English.