RAT-a-tat-tat Taking the fight to the RAT controllers.

1 RAT-a-tat-tat Taking the fight to the RAT controllers

2 Who Am I
Jeremy du Bruyn – twitter: @herebepanda, irc: panda
Pentester / Consultant at SensePost
Spoken at a previous ZaCon about password cracking
Currently doing MSc. at Rhodes

3 What's this about
I've done some research on two prolific RATs that I'd like to share with y'all
– I am not a malware researcher, I'm just an ex-network-pentester-consultant-infosec guy
– Some dynamic analysis using cuckoo sandbox
– Some static analysis using scripts to pick apart the server binaries
Ways to search for these RATs on the greater internet
– With an example

4 Background story
report on Mandiant APT1
– Python code for finding Poison Ivy C2s
Are there any Poison Ivy C2s in ZA?
– Writing robust network code is hard
– Rather leverage off of NMAP
I didn't find any Poison Ivy C2s in ZA :) / :(
I really want to play with this, where can I get some samples?
credit (

5 My collection
VirusTotal provide access to their Private API, which allows for searching and downloading of samples, to researchers
After speaking with some malware folks I got a list of the most popular RATs being used in attacks
– (@vlad_o, @undeadsecurity, @bobmcardle)
Started collecting in August 2013
Samples downloaded
– Searched for "Poison.*" and "Fynloski.*"
– Total 34 GB of samples
For sure a cheap VPS would hold the few 100 MBs of samples I'd download
link (

6 RAT infrastructure
credit (

7 Poison Ivy
Been around for many years
– Oldest version on the website is from 2006, first released in 2005
– Latest public version is 2.3.2 released in 2008
– Private versions still being released, including a Vista+ patch
– Free to download off the author's website
Apparently very popular amongst Chinese attackers
– Recently used by Mandiant APT1 groups
– Used in RSA hack

8 Poison Ivy
Samples
– 12,133 downloaded
– 5,004 analysed
Too much pondering/figuring in the beginning
26 live
Not a lot I know, but they provide some interesting insights
Average PI C2 lifespan is 3 months
Analysis conducted using a mixture of the VirusTotal behavioural analysis results and local cuckoo sandbox instance

9 VT Behavioural Analysis
They use a "cluster" of cuckoo sandbox machines to perform the analysis and provide data via JSON
VirusTotal behavioural analysis not conducted on all samples
– Like 1 in 10
– Not allowed to share samples with 3rd parties

10 Cuckoo sandbox
Cuckoo sandbox used for the majority of the samples
– 5 WinXP SP2 virtual machine guests
– Timeout of 2 minutes
Only allowed DNS traffic to cuckoo host
– Unbound DNS resolver
Tweaked to report all traffic, even SYN
– modules/processing/ (host down, not reported)
– has the same problem
is super useful
– Submit jobs, get analysis reports in JSON
At the end able to process a couple hundred samples a day

11 Analysis system
System is postgres driven
Extracted info from the samples put into DB:
– C2 / proxy IP
– Port
Scripts would pick up unprocessed samples and perform liveness testing of C2 and extract the Camellia key
– Again writing to the DB

12 Poison Ivy
Camellia key used to authenticate server and encrypt communication
– Crypto hashing algorithm
– Used for all servers
– Can be extracted from server traffic :)
link (

13 Poison Ivy
JtR module available for brute-forcing (
– I've asked for its inclusion into hashcat
– @atom, if you are reading this, *cough* oclhashcat

14 Vulnerabilities
Metasploit module for Buffer Overflow bug in Poison Ivy 2.3.2
– Think meterpreter
– All you need is the C2 IP, port and clear-text Camellia password
– guys used this to great effect
FireEye "PIVY memory-decoding tool" for Immunity debugger can also extract this info
Link ( (

15 My contribution
NMAP service probes to detect C2s across the Internet and NSE script to extract Camellia key from server traffic

16 DarkComet
Very popular around the world
Development abandoned by the author after Syrian government use
– Crippled version available on author's website
– Current public full version is 5.3.1
– Current public crippled version 5.4.1 "Legacy"
Fairly good collection available via .torrent
Link ( (

17 DarkComet
Samples
– 33,592 downloaded (32GB)
– 12,133 analysed, 4408 successfully
40 live
Analysis script inspired by AlienVault Labs
– Only worked on V5, updated to work on V5.1+
credit (

18 DarkComet
Encrypted server configuration information contained within the binary
– C2 IP, port, password
– FTP host, port, username, password, path
Server configuration encrypted using static keys:
– V5.1+: #KCMDDC51#-890
– V5.0 : #KCMDDC5#-890
– V4.2F: #KCMDDC42F#-890
– V4.2 : #KCMDDC42#-890
– V4.1 : #KCMDDC4#-890
– V2.x + 3.x : #KCMDDC2#-890
Static key and password ("PWD") used to authenticate and encrypt communications
credit (

19 DarkComet

20 All this is encrypted using the static key + "PWD"
credit (

21 Vulnerabilities
Makes use of SQLite DB (comet.db)
– Contains information on all connected servers
– SQLi
Arbitrary File Download vulnerability
– RAT allows controller to overwrite files
– Doesn't check that C2 initiated connection
credit (

22 My contribution
NMAP service probes to detect C2s across the Internet
– DarkComet: receives "IDTYPE" encrypted with default (and most popular) password
– Xtreme RAT: sends "myversion|3.6 Public\r\n", receives
  – Bytes 1-3 "\x58\x0d\x0a"
  – Bytes 4-12 "\xd2\x02\x96\x49\x00\x00\x00\x00"
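An added example (not the talk's own scripts) covering both the static keys from slide 18 and the C2 probes from slide 22: it decrypts a config string with the per-version key and labels a captured reply as DarkComet (by the version whose key yields "IDTYPE") or Xtreme RAT. It assumes RC4 as the cipher and hex-encoded config strings, as in the public AlienVault decoder the talk credits; the on-wire encoding of the greeting and every sample value are constructed assumptions.

```python
# Static per-version keys exactly as listed on the DarkComet slide.
STATIC_KEYS = {
    "5.1+": b"#KCMDDC51#-890", "5.0": b"#KCMDDC5#-890", "4.2F": b"#KCMDDC42F#-890",
    "4.2": b"#KCMDDC42#-890", "4.1": b"#KCMDDC4#-890", "2.x/3.x": b"#KCMDDC2#-890",
}
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")

# Assumption (matches public decoders such as the AlienVault script the talk credits):
# the cipher is RC4, and config strings sit hex-encoded in the server binary.
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_config_value(hex_blob: str, version: str = "5.1+") -> str:
    """Decrypt one hex-encoded config string (NETDATA, PWD, FTP fields) with the static key."""
    return rc4(STATIC_KEYS[version], bytes.fromhex(hex_blob)).decode("latin-1")

def darkcomet_version_from_banner(received: bytes, password: bytes = b""):
    """Version whose (static key + password) turns the controller greeting into 'IDTYPE'.
    The talk notes the probe sees it under the default password; the greeting is tried
    both raw and hex-encoded (the on-wire encoding is an assumption here)."""
    candidates = [received[:6]]
    if len(received) >= 12 and set(received[:12]) <= HEX_DIGITS:
        candidates.append(bytes.fromhex(received[:12].decode()))
    for version, key in STATIC_KEYS.items():
        if any(rc4(key + password, blob) == b"IDTYPE" for blob in candidates):
            return version
    return None

# Xtreme RAT reply to "myversion|3.6 Public\r\n": bytes 1-3, then the eight bytes the slide lists.
XTREME_PREFIX = b"\x58\x0d\x0a" + b"\xd2\x02\x96\x49\x00\x00\x00\x00"
def classify_c2_reply(received: bytes):
    """Label a captured reply as 'darkcomet <version>', 'xtremerat' or None."""
    if received.startswith(XTREME_PREFIX):
        return "xtremerat"
    version = darkcomet_version_from_banner(received)
    return f"darkcomet {version}" if version else None

# Constructed sample: our own plaintext encrypted the way a real sample's resource holds it.
SAMPLE_NETDATA = rc4(STATIC_KEYS["5.1+"], b"c2.example.invalid:1604").hex().upper()
```

Feeding a non-default password into darkcomet_version_from_banner covers controllers whose operators changed "PWD", which the default-password probe alone would miss.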

23 My contribution
Updated DarkComet configuration extraction script, for v5.1+

24 menuPass Campaign
One of my samples had the filename "Strategy_Meeting.exe" and a Google search gave me the FireEye report "Poison Ivy: Assessing Damage and Extracting Intelligence"
– menuPass campaign launched in 2009 targeting defense contractors
– Main industries targeted were Defense, Consulting / Engineering, ISP, Aerospace, Heavy Industry, Government
Spear-phishing used as initial attack vector
– Weaponised .doc
Using pentest footprinting techniques I uncovered a bit about their infrastructure
Link (

25 menuPass Campaign
credit (

26 menuPass Campaign
"The IP hosted the domain"
This hostname appeared in my analysis but with an IP of
One of my samples has ( and ( as C2s
– was, in FireEye report
– 5 live samples using this C2 in my collection
– All used Camellia key "ketcxsAWfeAxiQ64ndURvA=="

27 menuPass Campaign
New hostnames found using "ketcxsAWfeAxiQ64ndURvA==" from my samples:
– – –
New hostnames in from samples:
– kmd.crabdance.com 50.2.160.104
– banana.cmdnetview.com 50.2.160.146
– drives.methoder.com 50.2.160.125
– muller.exprenum.com 50.2.160.125

28 menuPass Campaign
Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found additional C2s in
– – ( (AoFSY4Fi5u8sX3Bo7To86w==)
– – (,,,, (ketcxsAWfeAxiQ64ndURvA==)
– – gdWSvDcDqmZFC5/qvQiwhQ==
– tG3Sl8fQtuyKj/jh97O67w==
– gdWSvDcDqmZFC5/qvQiwhQ==
–

29 menuPass Campaign
Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as (from
– ux.niushenghuo.info 142.4.121.144
– Hostnames from samples in
– Additional PI C2 in using NMAP:
– 3ntLjgUGgQUYeKl3ncWgeQ==
– AoFSY4Fi5u8sX3Bo7To86w==
– gdWSvDcDqmZFC5/qvQiwhQ==
– ketcxsAWfeAxiQ64ndURvA==
– ketcxsAWfeAxiQ64ndURvA==
–
– gdWSvDcDqmZFC5/qvQiwhQ==
– gdWSvDcDqmZFC5/qvQiwhQ==

30 menuPass Campaign
registered: – – – –
DomainTools reports that this email address has been used to register 157 domains
– So still a lot of research to be done
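An added example of the pivoting done across the menuPass slides (not the author's code): samples are linked through shared Camellia keys, C2 hostnames and resolved IPs, and the cluster is walked from one known C2 to everything transitively tied to it. The sample records are constructed (placeholder hashes, example hostnames, documentation IP ranges); only the key strings come from the slides, and one record has no key to show that such samples still link on host and IP.

```python
from collections import defaultdict

# Constructed records: placeholder hashes, invented hosts and RFC 5737 IPs.
# The key strings are the ones quoted on the menuPass slides; SAMPLE-F has no key.
SAMPLES = [
    {"sha256": "SAMPLE-A", "c2": "c2-one.example", "ip": "192.0.2.10", "key": "ketcxsAWfeAxiQ64ndURvA=="},
    {"sha256": "SAMPLE-B", "c2": "c2-two.example", "ip": "192.0.2.11", "key": "ketcxsAWfeAxiQ64ndURvA=="},
    {"sha256": "SAMPLE-C", "c2": "c2-three.example", "ip": "192.0.2.11", "key": "gdWSvDcDqmZFC5/qvQiwhQ=="},
    {"sha256": "SAMPLE-D", "c2": "c2-four.example", "ip": "198.51.100.7", "key": "gdWSvDcDqmZFC5/qvQiwhQ=="},
    {"sha256": "SAMPLE-E", "c2": "unrelated.example", "ip": "203.0.113.9", "key": "AoFSY4Fi5u8sX3Bo7To86w=="},
    {"sha256": "SAMPLE-F", "c2": "keyless.example", "ip": "192.0.2.10", "key": None},
]

def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra

def build_clusters(samples):
    """Union every sample with its key, C2 host and IP nodes; return {root: set(nodes)}."""
    parent = {}
    for s in samples:
        me = parent.setdefault("sample:" + s["sha256"], "sample:" + s["sha256"])
        for field in ("key", "c2", "ip"):
            if s.get(field):  # a sample with an unknown key still links on host and IP
                node = f"{field}:{s[field]}"
                parent.setdefault(node, node)
                _union(parent, me, node)
    clusters = defaultdict(set)
    for n in parent:
        clusters[_find(parent, n)].add(n)
    return dict(clusters)

def pivot(samples, seed):
    """Everything transitively linked to seed (e.g. 'c2:c2-one.example'), seed excluded."""
    for members in build_clusters(samples).values():
        if seed in members:
            return sorted(members - {seed})
    return []

def samples_per_key(samples):
    """How many samples share each key (the slides' 'all used Camellia key ...' observation)."""
    counts = defaultdict(int)
    for s in samples:
        if s.get("key"):
            counts[s["key"]] += 1
    return dict(counts)
```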

31 Conclusion
Those with an interest in amateur malware analysis
– I utilised my pentesting skillset to work on this stuff
Defenders looking for more ways to defend
– Using these methods you can start investigating attacks on your organisation and start moving up the kill-chain
Greyhats wanting to increase the cost of attackers running these RATs

32 Thank You
If there's time for questions, shoot. Otherwise catch me at lunch
