So hi everybody, my name is Paul, and we are a little bit late, so I'm going to skip the bio stuff. I was going to make this presentation with a colleague of mine. He should be here today, but in fact he has a calendar conflict, so he's in Dubai, and it's not easy to be in two places on the same day.

So today I'm going to speak about a new kind of issue we have during investigations. It's in fact a new trend for APT actors to add some feature inside the infection vector in order to never deliver the exploit or the final remote administration tool if they are not 100% sure that the targeted person is a good one. I will show you with five case studies exactly how the guys modified the infection vector in order to limit the spread of the exploit or of the remote administration tool. After that I will mention that it's maybe the beginning of a real massive trend, and I will explain some other tricks that attackers could do to detect if it's really the good target and not an analyst or a sandbox or whatever. I will speak a little bit about mitigation; it will be something really common, it's not rocket science, it's simply best practice, so it's going to be short. After that I will have a conclusion, and I decided last week to have a post-conclusion chapter about technical stuff, about PowerShell, as before, and WinDbg. So I will show you how to debug PowerShell with WinDbg and specifically how to massively automate analyses with this tool.

So what's new? In my case, generally the common model is: the attackers send a document, an Office document, an Excel document, whatever, with a macro or a zero-day vulnerability, and they finally execute something on the machine, and this something is usually a remote administration tool that gives the bad guys access to the machine. But the thing is, zero-days are expensive, first, and if you develop your own remote administration tool with complex features, etc.,
it's expensive too. So we are seeing a new trend where attackers try to never deliver the zero-day exploit or the RAT on the infected machine if they're not 100% sure it's a good target, a good person on the system.

The first case study I had to work on concerned NATO, and you've got a hash if you want to look at it by yourself. It's a .doc, a Word document, and inside this Word document you have a Flash object. You can embed a Flash object in Word documents; it's supported without a problem. And this Flash document did something not really common: in fact, it used a Flash API named Capabilities.serverString to generate a kind of HTTP request with information on the system. So for example, you have that the Flash is in an ActiveX object; it means that if you extract the Flash object from the document and you execute it standalone, typically when you are an analyst you take the sub-objects and you work individually on each sub-object, if you use the Flash object alone, this value won't be ActiveX like on the screenshot, but StandAlone or something like that. So this query is sent to the C&C and the attacker is able to check the value and be sure that the Flash object is executed inside Word and not directly like a Flash document. Other thing: the attacker gets the Flash version, so he's able to provide an exploit that matches perfectly the Flash version of the target, and last thing, he gets the Windows version, so he can have an exploit that matches exactly the Windows version. So the first step of this Flash object is simply to send data on the infected machine; if the data is correct for the bad guys, at this time you will receive a second Flash object, and this one will be loaded in memory, and it's this one that contains the exploit used to drop the final malware on the machine and execute it. So if you don't have the good data, you won't have the final payload. In this case the attacker was nice with us because he named his variables with "shellcode", with "exploit", etc., so it was easy to guess the purpose. Yeah, it's on-the-fly Flash loading.

Something interesting is the attacker sent the first email with the malicious attachment at the end of December, just before the new year, and here is our OpenDNS extract of connections to the C&C, and you've got some peak at the beginning, and on the right, this huge mountain is when security researchers finally found the document and worked on it, so it generated a lot of requests to the C&C. And obviously more or less everybody was on holiday during this period.

Another case study that matches the same way of working is from a different actor, so it's not a specific actor that tries to avoid giving zero-days to security companies. They use documents where the title contains the name of the ambassador secretary of, I don't remember which country, Lebanon. So I don't know if the profile is a real one on LinkedIn; she doesn't have a lot of friends, etc., so I think it's maybe a fake profile to justify the title of the document, I don't know. So in this case it's an Office document with VBA inside, and the purpose of the macro, the first step, was to base64-decode a string, and this string was stored in a JavaScript file on your machine, and at the end it executes the JavaScript file with a key, an RC4 key. So if you find for example the JavaScript on VirusTotal or if you find the JavaScript on a machine, if you don't have the key put in argument when this JavaScript is executed, you cannot read the content.
It would be encrypted. So you need the initial Office document to be able to analyze the JavaScript, and the purpose was really simple: take this key and decrypt a second JavaScript, and the purpose of this final script was to get a lot of information on the machine. So you get the systeminfo output, so installed patches and your configuration basically; it uploads the network configuration, the share configuration, the users, etc. So all these data are sent to the attackers, and at this moment, only if it matches what the attackers want, you will receive the final payload on the machine. If it doesn't match what the attackers want, the final payload is never downloaded and you cannot continue your investigation; it's finished for you.

Another case to deal with the same approach is an Excel document with VBA. In this case the document creates a PowerShell script and executes the script inside a scheduled task, so it's not directly a CreateProcess, but it creates a scheduled task. And same thing: this dropped file, a PowerShell script, connects to a C&C and sends specific information on the machine; if it doesn't match what the attacker expected, no final payload, and your investigation is finished.

I work a lot on South Korean threats, and one specific actor in South Korea started to do exactly the same thing a few weeks, months ago. In South Korea they basically don't use Office; they use Hangul, which is a local Office-like application that supports Korean characters, in fact. So the extension of this kind of document is .hwp, for Hangul Word Processor, something like that. So I started to analyze a lot of HWP documents and I found this one. It's pretty interesting, and if you look at the logo at the bottom of the first page, it's the logo of the Ministry of Unification. So it's a ministry whose purpose is to unify North Korea and South Korea, so it's something really official. Something fun:
I don't speak Korean, and I sent the document to someone in South Korea to have a translation of the document, and the guy was so afraid; he said to me, "I think it's a classified document, I cannot read it, I will have some problems," blah blah blah. So visibly it looks really legit for people.

So how does the HWP format work? In fact it's a little bit like an Office document: it contains OLE objects, and the difference is each object is compressed with zlib, so you can simply extract the objects, and zlib-decompress the object, and you have the final document. In this case, something interesting is the payload was not executed automatically when you open the document. When you open the document, you have a link in blue, in my country, to have additional information, and if you click on the link you will have additional information, and in fact it executes the payload on the machine. So if you execute this document on a sandbox in Korean with Hangul installed, you must click on the link to have a full report of what happened on the machine. So here it's the output of my sandbox, and when you click on the link it opens a new HWP document and behind, executes the shellcode. This document is a decoy document to make it legit. I have more information about the document. What does the payload do in the background? It gets the computer name, it gets the user name of the machine, the execution path and the BIOS model, and it uses a really specific registry key to have the BIOS model, and you can make some searches on Google, and it was not really documented, and I don't see a lot of malware that takes this specifically. So it's interesting. What is the purpose? Always the same:
identify the target and be sure it's the real target. Here is a pcap of the exfiltration of this data, from VirusTotal. On VirusTotal you can download samples, and sometimes you can download the pcap generated by the sample, and once decoded you have the information, and typically TEQUILABOOMBOOM is the hostname of the sandbox system of VirusTotal, Janet A is the user name of the sandbox of VirusTotal, VirusTotal puts the sample in the C: drive and executes it with the hash, and finally you've got the BIOS model: it's innotek VirtualBox, so VirusTotal uses VirtualBox. So typically in this case, when it's executed by the sandbox of VirusTotal, the bad guys receive this report and they're sure it's not the real target, and they will not provide the final payload. The final payload is generated dynamically: if you look here, the first data is an ID, and it generates an ID, underscore, .jpeg, and in fact it's the final remote administration tool. In this case we sadly didn't get the final binary, and the attackers compromised a Korean government website to store the executable, generated dynamically if the infected target matches what the attackers want. So basically you cannot blacklist a legitimate governmental website in your country. Yeah, here it's the map, which is a slide, and you can have more detail about the infrastructure of the bad guy, always concerning South Korea.

As I said, on the previous case we were not able to have the final remote administration tool, so investigation finished, but on another case we finally found a way to have it. In this case the attackers compromised the official email of the Korean Global Forum, so it's a forum in South Korea. The bad guys compromised the email account and sent spear phishing from this legitimate email to several people with a survey in attachment, an HWP file; it's South Korea,
it's always HWP files. And they use another kind of email, asking for help for someone living in North Korea. So in this case the attacker is trying to work on the empathy of the target. The two documents, it's the same thing: it's OLE objects inside the HWP document, they decompress, as I said, and in this case it was an exploit that downloaded a JPEG file. So it's a pattern for this group; they always download JPEG files. Maybe this group is the one from the previous speaker, I don't know. In this case we were able to download the final payload, and it was a funny sample. I'm going to speak really quickly about it because it's not so common. The first thing is it does not support Windows XP: if it's run on Windows XP, you have an infinite loop, so your sandbox system shows nothing. It is looking for several running analysis tools; it's really common for malware, and if it identifies one of these tools, if for example you have VirtualBox or you have Process Explorer or this kind of application, the malware will download a movie, a TV show, from the internet. That's all. So if you look at your logs, you will see you are watching a TV show, a Japanese TV show. If you are correct and not a sandbox, it makes some connections to the first C&C; it was seven Twitter accounts. So it's trying to connect to these Twitter accounts through the API to download orders. If it doesn't work, it uses Yandex, a Russian cloud system, with four different accounts, and if it really doesn't work, it switches to the MediaFire cloud platform with accounts. All the accounts are hardcoded inside the sample, so you can see if it's up and running or not. And additionally it contains a keylogger.
It's something really common.

So in each of these case studies, we saw it's basically always users opening a document, and it basically always starts with a phishing campaign, but they make a lot of effort to keep their exploits and tools private. So for us it's a little bit boring, because sometimes you spend time on an investigation and it's finished: you cannot go deeper, and you cannot have the final tool, you don't have the zero-day, there's no patch, etc. And maybe it's the beginning, because we work on several other cases absolutely not linked to targeted attacks but more crimeware stuff, and sometimes people from crimeware have a pretty nice idea. For example, we saw a group that dropped the Pony stealer malware using Publisher. I said, what the fuck, why do they use Publisher to drop this kind of stuff? And in fact Microsoft documented, I think, why: the Protected View mode is not supported by Publisher. So if in your company you put a GPO that blocks macros and the user cannot enable macros, in fact it works for every Office product except Publisher, and Publisher is installed by default in Office 365. So if you are people who have this kind of Office, you automatically have Publisher installed on the system. So I think it's the reason why they decided to use Publisher to drop Pony.

I added another slide because each time I meet conference people, they say to me, "Yeah, I use macOS, I'm safe." So I decided to add a slide to prove they're wrong. We worked on Office documents; so you can have Office on Mac, it works, and macros are supported on macOS, it works too. So I worked on a case where the guy has a function named MacShell and executes a one-liner Python script on the Mac. So you have exactly the same problem on macOS: if you have Office, you can enable macros and you can execute Python scripts on your system. So macOS is not a kind of protection.

We have some mitigations for this topic.
It's nothing awesome; it's simply good practice, like disabling macro execution on Windows. On Office 2016 you can have better control of macros. For PowerShell, typically, you can add some execution restriction policy. So all this stuff is documented and should be applied, and if you apply all this stuff, all the case studies I mentioned won't work anymore. You can definitely disable JavaScript and WScript; it generally does not generate problems, except if your company developed everything in JavaScript, so in this case, good luck. And more generally, update your system, as you saw on Friday last week. Install AppLocker and configure it correctly: I saw a lot of cases where people install AppLocker but do not include DLL protection, so it avoids execution of .exe files, but it doesn't block library loading. So yeah, and after that you've got more advanced stuff like Device Guard and VBS on Windows 10; I'm not sure to mention everything. And for macOS, I don't know if we can control scripts, and I don't think we have all the mitigations equivalent to Windows systems.

So the conclusion for me is the actor may put a lot of effort to protect the valuable code, and something interesting is, generally, if the actors already compromised your company, they know your network better than you. They know your IP range. They know your domain. They know the pattern of your user names.
They know the pattern of the host names. So if the attacker was already on your infrastructure in the past, he can really, really easily check if it's on the correct machine, and I'm not sure that your sandbox system is bound to your domain, I'm not sure the naming convention of the users inside the virtual machine matches your naming convention, same for the host name, same for everything, and as the guy was here before, he can easily control and check if it's a real system. Scripting languages are really, really trendy: in each case the guy used PowerShell or JavaScript or batch files sometimes. So we must really take the time to have control and audit of this script execution; it's really important. And all these languages are embedded in Windows; you don't have to install anything, it's here, why not use it? And sometimes it's a little bit obfuscated by default; if you look at PowerShell, sometimes it looks obfuscated by design, so it takes time to read it. Yeah, it's exactly what I said just before: the bad guys know your infrastructure, sometimes more than you, so it's easy for them to check.

I think, yeah, so, have you got some questions concerning this first part before going to the next one? We have some time for that, don't worry. No? I was clear, or boring, you are sleeping. Yeah, so I compressed a little bit the first part. I had something not scheduled at the beginning; I decided last week to add it. It's a technical bonus, because it's a technical conference, so I was a little bit frustrated to not put any assembly language in my slides, so I decided to add a post-conclusion part. Last week I opened a poll on Twitter and I asked a simple question: I would like to know if I was the only one to use WinDbg to analyze PowerShell scripts, and I will try it on the room. So who says yes, I'm the only one to use it? Who says no? So everybody is, what the fuck?
Okay, I will explain to you why. So PowerShell is more and more often used by malware developers, and I have more and more to analyze this shitty language, so I need to find a solution to have a better life, and I like WinDbg because it works, it's here, it's free, it's efficient. So I would like to analyze PowerShell scripts with WinDbg. So yes, you can. Just for people that don't know WinDbg, it's really to clearly understand where we are. In fact you have two different kinds of usage of PowerShell by malware developers. Sometimes they directly use unmanaged code, so like DllImport in C#, so they can directly use, I don't know, the VirtualAlloc API, and in this case you don't have to make something really specific: you debug as usual, you put some breakpoints on VirtualAlloc and you can debug it like every application. So this part is not the most interesting part. But sometimes the guy directly uses PowerShell commands, and in this case you cannot debug as usual. How does PowerShell work? In fact, each time it tries to execute a PowerShell command, behind, it uses the .NET Framework. So PowerShell is more or less .NET. So WinDbg has .NET support: you can do .loadby sos clr, and after that you've got new commands, for example !bpmd, for breakpoint managed, I don't know what, and in this case you can directly breakpoint on .NET execution. So here it's an example where I breakpoint on Process.Start, and as it's a high-level language, you can have several functions for Process.Start; the same API, in fact, you have several functions depending on the type of argument you put: if you use a byte array, if you use a string, if you use something else, it would be a different function. So that's why in this case I've got five different breakpoints by setting only one. So first thing, I'm able to breakpoint here. It's the next step.
I execute my PowerShell and it stops the execution on my breakpoint. WinDbg provides a command to analyze the stack of the .NET code; it's !clrstack, for example, and here we can see that one parameter is the startInfo structure at a specific address finishing by 18. I can have information on this structure finishing by 18, and I've got all the description of what a ProcessStartInfo object is, and the first field of this object is a fileName and it's a System.String structure. So I can dump directly this structure, and I can see, in my case, notepad.exe. So I can basically use WinDbg to automatically get the first argument of Start-Process. It works. If you want to avoid all the managed commands, I give you directly the register used to store this value, just for information: in this case it's RCX, but it depends if you are in PowerShell 32 or 64 bits, and it depends on your .NET version; in .NET 2 and 3 it's different from .NET 4, so you need to check when you analyze something. Another example: I've got a lot of malware that does DownloadFile, download the file, and execute it after. I can do exactly the same thing: I can breakpoint on System.Net.WebClient.DownloadFile, I get my breakpoint, you know, it stops on the breakpoint, and I'm able to get the two arguments. The first one is the URL and the second one is where the file will be stored on your system. So the good point for me is, imagine I've got to analyze, I don't know, 600 PowerShell scripts, but I know it's the same kind of stuff: it's obfuscation, encryption, XOR, base64, whatever, and at the end it performs a DownloadFile and a Start-Process. It's all different scripts, but the philosophy behind is exactly the same: I decrypt the URL, I download, I execute. In this case I can easily create a script in WinDbg to pass my 600 PowerShell scripts in one hour. It works. I can show you, because I'm crazy.
I decided to create a demo a few minutes ago. So if I run my Start-Process here, so my calculator is executed, but here you can see I directly get the argument. Maybe it's small, I don't know if I can increase it, but I directly have the executed command. And if I do the same thing with downloading, for example, I download the home page of Northeck, I store it in a test.exe file, yeah, same thing: I automatically get the URL and automatically get where it's stored on the system. So I can really, really easily create a script to massively dump the arguments of these APIs and automatically analyze, get URLs, blacklist URLs, etc. So it works.

So, last slide for me. Generally people don't like WinDbg, for a really good reason, but it's really powerful and you can make really awesome stuff. You can even debug .NET code. For example, I often use it to create an unpacker for .NET packers, so directly in WinDbg I'm able to manipulate .NET to unpack and get the final payload, the final PE file, the final shellcode, the final whatever, and I use WinDbg to do that because it perfectly supports .NET, and you can make scripts. You can make scripts with the shitty language of Microsoft; I don't know if you know how it works. It's so beautiful, I must show you. Yeah, it's a script. So it's not really easy, but you can have an extension to have Python support, so you can write it in Python if you prefer and don't like this wonderful syntax. So you can really make some powerful investigations and automate, have a better life and make a lot of stuff automatically. So if you have questions on the first part or the second part, I'm here, and I will stay here all day, so if you don't want to speak in front of everybody, feel free to come to me after.
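The WinDbg workflow described in the last part of the talk (load SOS, set a managed breakpoint on Process.Start and WebClient.DownloadFile, dump the arguments on each hit, log everything), written up as an added example. This is an editor's script, not the speaker's script or slides. It assumes a 64-bit powershell.exe on .NET 4 (so the first managed arguments are passed in rcx, rdx and r8, as the speaker notes for rcx); the script, log and sample paths and the hit limit are placeholders.

```windbg
$$ Added example (not from the talk): log the arguments of managed
$$ Process.Start and WebClient.DownloadFile calls made by a PowerShell script.
$$ Launch (assumed paths):
$$   windbg.exe -c "$$><C:\analysis\ps-args.txt" powershell.exe -ExecutionPolicy Bypass -File C:\analysis\sample.ps1
$$ Everything below is condensed to one line by $$>< so .for works.

.logopen C:\analysis\sample.log

$$ At the initial break the CLR is not mapped yet; run until clr.dll loads.
sxe ld:clr
g
.loadby sos clr

$$ One !bpmd per method name; SOS expands it to every overload
$$ (the "five breakpoints for one" the speaker mentions). Both live in System.dll.
!bpmd System.dll System.Diagnostics.Process.Start
!bpmd System.dll System.Net.WebClient.DownloadFile

$$ Up to 20 hits (placeholder limit). On each hit:
$$   !clrstack -p  -> frames with parameter names and object addresses
$$   !do @rcx/@rdx/@r8 -> x64 .NET 4 managed calling convention: first three
$$   arguments (this counts as one). Process.Start(ProcessStartInfo) puts the
$$   ProcessStartInfo in rcx (its fileName field is a System.String, dumped
$$   with a second !do on that address); WebClient.DownloadFile(address, fileName)
$$   has this in rcx, the URL in rdx and the local path in r8.
$$   !do on a register that holds no object just reports an invalid object.
.for (r $t0 = 0; @$t0 < 0n20; r $t0 = @$t0 + 1) {
    g;
    .echo ---- managed breakpoint hit ----;
    !clrstack -p;
    !do @rcx;
    !do @rdx;
    !do @r8
}

.logclose
q
```

The log can then be post-processed (the `String:` lines emitted by `!do` carry the executed command, the URL and the destination path), which is the "600 scripts in one hour" batch the speaker describes. On 32-bit PowerShell or on .NET 2/3 the register mapping above does not hold; rely on the addresses printed by `!clrstack -p` instead of the registers.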