APT29 HAMMERTOSS Jayakrishnan M.

Contents
- What is APT?
- Who is APT29?
- Introduction to Hammertoss
- 5 stages of Hammertoss
- Detection and prevention
- Conclusion

WHAT IS APT?
Advanced:
- Combines multiple attack methods.
- Develops or buys zero-day exploits.
- High sophistication.
Persistent:
- Avoids detection.
- Harvests information over a long time.
- "Low and slow" approach.
Threat:
- Skilled, motivated, organized and well-funded criminal organizations.
- Not malware, an exploit or an attack alone.

WHO USES APT?
- Nations.
- Organized crime groups.
- Hacktivist groups.
Targets:
- Business organizations.
- Political targets.
- Nations.

APT29 – Russian Advanced Persistent Threat group
- Operating since late 2014.
- Suspected to be sponsored by the Russian government.
- Ceases operations on Russian holidays.
- Working hours aligned to the UTC+3 time zone.
- Disciplined and consistent.
- Uses anti-forensic techniques and monitors victim remediation efforts.

- Attacked the US Department of Defense email system in 2014.
- Was able to read President Barack Obama's unclassified emails.
- Led to a partial shutdown of White House email systems.
- Used DDoS.
- Gathered a massive amount of information.
- Distributed it to thousands of Internet accounts within minutes.

HAMMERTOSS
- Stealthy malware, discovered by FireEye in 2015.
- Used as a backdoor by attackers who have already gained access to the network.
- Communication is low, slow and obfuscated, which makes it very difficult to detect.
- Uses Twitter, GitHub and cloud storage.

VARIANTS
Two variants, both written in C#:
- UPLOADER
- tDiscoverer

UPLOADER
- Hard-coded server for its CnC.
- Goes to a specific page.
- Obtains an image of a specific size.

tDISCOVERER
- More obfuscation.
- Goes to a Twitter account to obtain the CnC URL.
- Acquires the target image from that URL.

5 stages of Hammertoss
1. Creates a Twitter handle.
2. Tweets a URL to an image on GitHub.
3. Downloads the image containing the payload.
4. Uses steganography to hide the instructions.
5. Executes commands.

STAGE 1: Communication begins with Twitter
- Hammertoss (HT) contains an algorithm to generate Twitter handles (a handle is a user ID on Twitter).
- HT visits the Twitter URL for the generated handle. Two cases:
  A. The APT29 operator has registered the handle and tweeted instructions: HT gets its instructions from the tweet.
  B. The operator has not registered the handle: HT waits until the next day and begins the process again.

STAGE 1: Communication begins with Twitter – ALGORITHM
- Uses a base name, e.g. "Bob".
- Prepends and appends CRC32-derived values based on the current date.
- Example: 1abBob52b
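A defender-side illustration of the stage 1 handle scheme, added here and not part of the original presentation: the slide gives only "base name plus CRC32 values derived from the date", so the derivation below (three hex digits of a CRC32 on each side) is an assumed reconstruction, used to build a watchlist of candidate handles for a date window and match it against constructed proxy log lines.

```python
import re
import zlib
from datetime import date, timedelta

# Assumed reconstruction of the slide's scheme (prefix and suffix are three hex
# digits of CRC32 values keyed to the date); the real HAMMERTOSS derivation is
# not given on the page, so this is illustrative only.
def daily_handle(base: str, day: date) -> str:
    stamp = day.isoformat()
    prefix = format(zlib.crc32(stamp.encode()) & 0xFFF, "03x")
    suffix = format(zlib.crc32((base + stamp).encode()) & 0xFFF, "03x")
    return f"{prefix}{base}{suffix}"

def watchlist(base: str, start: date, days: int) -> set[str]:
    """Candidate handles for a date window, e.g. for a proxy alert/block list."""
    return {daily_handle(base, start + timedelta(n)) for n in range(days)}

LOG_RE = re.compile(r"^(?P<host>\S+) .*twitter\.com/(?P<handle>\w+)")

def flag_hosts(log_lines: list[str], handles: set[str]) -> dict[str, str]:
    """Map each internal host that requested a watch-listed handle to that handle."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("handle") in handles:
            hits[m.group("host")] = m.group("handle")
    return hits

EXAMPLE_DAY = date(2015, 7, 29)
START_DAY = date(2015, 7, 27)

# Constructed proxy log lines (not real traffic); the second one requests the
# handle the assumed scheme yields for EXAMPLE_DAY.
SAMPLE_LOGS = [
    "10.0.0.7 2015-07-29T09:01:12 GET https://twitter.com/fireeye 200",
    f"10.0.0.42 2015-07-29T09:03:55 GET https://twitter.com/{daily_handle('Bob', EXAMPLE_DAY)} 200",
    "10.0.0.42 2015-07-29T09:04:10 GET https://github.com/example/repo 200",
]

def demo_hits() -> dict[str, str]:
    """Run the watchlist for one week over the constructed log."""
    return flag_hosts(SAMPLE_LOGS, watchlist("Bob", START_DAY, 7))

if __name__ == "__main__":
    print(demo_hits())
```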

STAGE 1: Communication begins with Twitter
- APT29 knows the algorithm used to generate the handles, chooses a handle to register, and posts obfuscated instructions to it.
- APT29 restricts HT to checking Twitter handles on weekdays and specifies a start date.

STAGE 2: Tweeting URL, file size and part of the key
- Once the handle is registered, the operator tweets a URL and a hashtag, e.g. doctorhandbook.com #101docto
  - 101 – location within the image file: the instructions start at byte 101.
  - docto – part of the decryption key.
  - URL – HT downloads the content hosted at the specified URL.

STAGE 3: Download image from GitHub
- APT29's operator registers a GitHub page and uploads images to it.
- HT uses an Internet Explorer application COM object to visit the page and download the image.

STAGE 4: Using steganography
- APT29 uses basic steganography (the practice of concealing a message inside an image).
- HT downloads the image from the specified URL and retrieves it from the browser cache.
- It searches for any image whose size is at least the offset specified in stage 2.
- The image looks normal but carries encrypted commands.
- Decryption key = hard-coded key + the characters obtained from the tweet in stage 2.
- The decrypted data includes commands or login credentials.
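An added analyst-side example (not from the presentation or from FireEye) covering stages 2 and 4 together: parse the tweeted hashtag into the byte offset and key fragment, pick a cached image at least that large, and recover the instructions appended from the offset. The hard-coded key, the XOR cipher standing in for the undisclosed one, and the sample image are all assumed placeholders.

```python
import re
from typing import Optional

# Assumed placeholder; the slide says only that the real key combines a
# hard-coded part with characters taken from the tweet.
HARDCODED_KEY = b"placeholder-key"
TWEET_RE = re.compile(r"#(?P<offset>\d+)(?P<frag>[A-Za-z0-9]+)")

def parse_hashtag(tweet: str) -> tuple[int, bytes]:
    """From '#101docto' recover offset 101 and key fragment b'docto'."""
    m = TWEET_RE.search(tweet)
    if not m:
        raise ValueError("no offset/key hashtag in tweet")
    return int(m.group("offset")), m.group("frag").encode()

def xor_bytes(data: bytes, key: bytes) -> bytes:
    # XOR stands in for the undisclosed cipher; being symmetric, the same call
    # both builds the constructed sample below and recovers it.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def pick_candidate(cache: dict[str, bytes], offset: int) -> Optional[str]:
    """Stage 4 rule: first cached image whose size is at least the offset."""
    for name, blob in cache.items():
        if len(blob) >= offset:
            return name
    return None

def recover_instructions(image: bytes, tweet: str) -> bytes:
    """Analyst-side recovery: bytes from the tweeted offset, decrypted with
    hard-coded key + tweet fragment."""
    offset, frag = parse_hashtag(tweet)
    return xor_bytes(image[offset:], HARDCODED_KEY + frag)

# Constructed sample: a PNG-like header padded to exactly 101 bytes with an
# encrypted placeholder instruction appended (not a real HAMMERTOSS image).
TWEET = "doctorhandbook.com #101docto"
_instruction = b"instruction: collect documents"
SAMPLE_IMAGE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 93
                + xor_bytes(_instruction, HARDCODED_KEY + b"docto"))
# Browser cache stand-in: the small GIF is rejected because it is shorter
# than the offset, so the PNG is the candidate.
CACHE = {"logo.gif": b"GIF89a" + b"\x00" * 40, "photo.png": SAMPLE_IMAGE}

if __name__ == "__main__":
    name = pick_candidate(CACHE, parse_hashtag(TWEET)[0])
    print(name, recover_instructions(CACHE[name], TWEET))
```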

STAGE 5: Executing commands and uploading victim data
- HT creates a cloud storage account and uploads the victim's data to it.
- The operator obtains the victim data from the cloud storage service.

Detection and prevention – challenges
- Difficulty in identifying the Twitter accounts: requires access to the HT binary and reverse engineering it to identify the base name and algorithm; HT generates hundreds of handles but the operator registers only a few.
- Distinguishing legitimate from malicious traffic: SSL connections are used for encrypted communication.
- Locating the payload: steganography and varying image sizes, plus the need for the decryption key.

Detection and prevention
- No current way to prevent infection.
- Ensure the OS and all third-party applications are updated.
- Disable any browser plugin that is not needed.
- Detect malicious HT processes running on the network through endpoint monitoring.
- Investigate data exfiltration.

CONCLUSION
- HT shows APT29's ability to adapt quickly, avoiding detection and removal.
- A very sophisticated attack.
- No use of ransomware as an HT payload has been reported.
- Takedown actions are likely to be ineffective since the group is state sponsored.
- Behaviour-based analysis also fails because of the large number of false positives.

Thank you