Hi, everybody. How are you doing today? Tonight? Welcome to, uh, yeah, whatever. So, it's a pleasure having you here tonight. We're gonna give you a great show, everybody, around all flaws. Come on, it's CCC, I can swear, right? I can swear at CCC. Yes, swearing. Yes. No, shut the fuck up. I missed my cue because of all the... So, first of all, we want to apologize. There was a thing we discovered about the thingy, and we had to change the name of the talk. Yeah, that's right. So if you have seen an early version of the Fahrplan, that had a different title on it. So what we're gonna talk about is some case that we analyzed, and while doing so we figured that we were dealing with something much bigger. So originally we thought that we were looking at some industrial, economic espionage attack, and then later on it turned into a high-profile, probably nation-state... Whatever, we're gonna finish at the end with attribution. But the thing is, attribution is really, really hard. You can't ever really tell who it is, so we're gonna be very careful about our attribution. But we can't say, we can't say, with a very high likelihood, this is a nation-state. So we are not gonna say this is a nation-state attack, but rather this is a ninety-nine point nine percent nation-state attack, because we're just those kind of guys. We'll get there, we'll get there if we can, so let's get started. I think... it was against a nation-state, or was it by a nation-state? Who, what, where?
All right, so getting started. This is doing... I've got it. First of all, there is a required Sony joke at this conference. It's just required, right? I mean, we can't go on without it. Told you. He came over and said, "Gadi, where..." I'm nuking the slide. He actually nuked it without my permission because I said there have been too many Sony jokes. It's now old news, and I had to fight him over this one. All right, so this started with the Israeli CERT. The Israeli CERT is out there, ready to get your complaints, abuse responses, needs for help, whatever it is you want to do. Thank you. Um, Tillmann is basically very, very humble, and a snob too, but that's beside the point. He is very, very humble, and you'll see in a second why, and he basically says he's a reverse engineer at CrowdStrike, which is true enough. I'm required to put a few titles up there, so I removed my entire bio. I'm CEO of Cymmetria, which is a startup. I'm chairman of the board of the Israeli CERT, which kind of handled this incident response, and I'm asked some things over there, which happened or didn't happen, whatever. So Tillmann is a snob about pizzas. That's what you should know about him before he gets started. That's his bio. And I'm a dancing snob; I dance West Coast Swing. Now to the topic at hand. This is the story, the backstory. It was on a dark, late April night and I'm getting this phone call from a guy, a really, really nice guy. I understand security, and those are completely different things, and he says, "Gadi, somebody just tried to attack us. It looks like an APT. Are you interested in that?" No. So he started by just basically saying, "Send it over to me, let's see what's going on," and you will see in a second how it worked. And that's where I started looking for somebody to help us and lead it technically. We have our people, but the service is very volunteer-oriented. Eventually I found Tillmann, and that's when I asked him for his help, and he was, "Yeah, I'll look it over," right?
Yeah, pretty much. And we didn't find much at first. I'll let you take that one. I missed that part. So we didn't find much at first. Oh, yeah, we didn't find much at first. Yeah, so Gadi came to me and said, "Hey, we need some help with the technical analysis of this thing." So I'm always interested in new stuff and in challenging stuff, so I took a look, and it was very, very weird, because everything started with a spear-phishing campaign. You guys are familiar with spear-phishing, right? So there was a targeted, manually, specially crafted email that was sent to this victim organization that Gadi was talking about, and that email had an Excel document attached to it, and the text was designed in a way to, you know, trick the user into opening the Excel document. And of course the Excel document, when you would open it, would drop a payload. So that was this thing, right? And he was bored by it. He said, "Well, it looks interesting, I'll get back to you." That was basically the beginning of it, right? And I didn't... For a long time it didn't, for about a month, in which we worked out other cases. And then things started to get interesting, and that's where we go into our story. So before we begin: is it an APT or not? That's the biggest argument Tillmann and I had, should we call this an APT or not? Because some of this is really low-level, so this is really advanced, and is everything we see out there from the Chinese, for example, an APT? Is it advanced? Is it a buzzword? So this is honestly the biggest time-waster in preparing this talk: is it an APT or not? So that's the beginning of our story. Is it an APT or not? And now we're gonna talk about it. So, Gadi, maybe we need to provide some context with this picture here. The interesting thing is that this spear-phishing campaign that we initially looked at was relying on user interaction, and that's why there is, I think the guy is called Dave, over there.
So, you know, other people, they use zero-day exploits or something like that to break into a target machine, and then they deploy their backdoor tool on there and steal information or something like that. This particular threat relied on the user clicking OK. And I mean, if you do that, then all the technology up there, like firewalls, antivirus and so on, doesn't help much, you know, if Dave clicks OK. So going on from there. Yeah, we saw the spear-phishing message. That was the first one: "Hey guys, whatever, here's the message." Next message: "Hey guys, I'm sorry, here's the file." Next message: "Hey guys, I forgot the file again, here it is." Now, that's one of the reasons Tillmann basically told me, "Forget about it, man, it's not interesting." Maybe these guys are smarter... not, we'll get to that, but that was just plain weird. We just don't see that kind of thing. Or maybe they just wanted the target to become really, really curious about that file. We cannot... psychologically, I'm not an expert. It could possibly be that's how they pass spam filters. It could possibly be that's how they gain interest from the users. It could possibly be they are just really, really bad at operations. Regardless, this is the beginning of what we saw. So just to get a little bit of a hint of what we're seeing up to now, in December: there have been several campaigns that we have had some sort of coverage into. Not everything is covered on this timeline, but there is more than just this original company. It's adjacent to defense and aerospace in Israel, that we saw. So starting with the infection vector, we've got the spear-phishing. So the attacker sent a specially crafted email, we saw that one, right? It was very sophisticated. Now, Feifei, don't disturb me. So next step, we had a macro-enabled dropper. Anybody since the '90s have seen a macro-enabled dropper out there?
We've seen a few, but it's not something that happens a lot. As you just said, usually a vulnerability is used, or something. Next up, the user needs to enable it. Next up, the backdoor is deployed. Tillmann is going to go into all of that, it's pretty cool. And then it downloads and installs yet another version of itself as a service, for persistence. So this is an example of what the Excel looks like. You can see it was Tillmann who took the screenshot, because of the German up there. Let's give it away. This is an example of a lure, an Excel that was sent. We just want to give you guys immediately some of the information. If you look closely, it might look like it's Austrian. We don't know it. It's a lure. We are guessing it's a German-language entity. We know it's a defense-related entity, but we can't tell if it's Austrian or German or anything else. Just the lure to open the document is apparently Austrian. So currently... Yeah, so the way this works is, when the user first opens the Excel document, they see the picture from the previous slide there. They are asked to enable macros, or to allow macros to run, and when they do that, the payload gets deployed, and the macro also switches to another worksheet, I guess is the term, and this is the decoy worksheet that they're presented with, that's displayed to the user. And obviously, as Gadi pointed out, I mean, it's in German language, so we kind of know that the target is probably German-speaking, and there's also military context. Okay, moving on. This is you. That's me.
Okay, so those of you who are familiar with the Office Open XML document format, that is the default document format since, I think, Microsoft Office 2007, if I'm not mistaken, know that these documents are really zip files, right? Zip archives. And as with any other zip archive, you can extract the files from the archive, and this is what you get when you list the archive's content from the original spear-phishing attack. And we highlighted some of the more interesting entries for you. Let me start at the bottom here. So there's a directory called docProps, document properties. That's where all the metadata is stored, like who created the document, when was it created, when was it last edited and stuff like that, okay? And that's all in this core.xml file over there. Then the macro is in the first red line there, xl/vbaProject. I mean, the macro language for Microsoft Office is Visual Basic for Applications, as you guys know, and that's where the macro is stored.
It's in binary form, so it's not like readable code, but you can easily convert it back into the original macro. So where's the payload? The payload obviously is in the third red file there, xl/customProperty1.bin. Again, it's encoded. What the macro does is it loads this file, or it loads this property, which is a property of the document, decodes the payload, drops it to a file and runs it. Okay, so that's where all the meat is. All right, so one of the first things I guess most analysts do when they deal with something like this is they look at information that's statically available. You know, I mean, you can as well put the document in a sandbox and open it there and watch it drop its payload, but you can take a look at the metadata first, and this is what's in the core.xml file. So you can see there, and we added the indenting for better readability, it's usually not indented, but you can see there there is a creator XML tag, and that contains the handle "Wool3n.H4t" in leetspeak, okay? And it was also last modified by Wool3n.H4t, and when was that? It was created on April 23rd, and it was also last modified just a few hours, about two hours, after that. Okay, so what we have, unless this information is spoofed, what we have here is an indicator, a hint about when this attack took place, or when it was prepared, if we are to believe this information. Okay, so this is interesting, and later on you will see how we use this kind of information to find other related campaigns, okay? So this is all statically available metadata. This is the custom property file that stores the payload, and you can see this is Unicode, or wide character, encoding.
So every other byte is a zero byte. But if you look at the right-hand side of this hex dump, you can see some integer numbers there. So you can see the first number is 77, the decimal number, then comes a pipe sign, a pipe character, and then the second number is 90, and then the next number is 144, and so on. So if you take these numbers and convert them into the corresponding binary byte values and write those to a file, what you end up with is an executable, a PE file, okay? So this is the relevant part of the macro. As I've told you, you can easily convert the binary object back into the VBA code, and this is the relevant part of that. You can see it splits the text that it reads from the property thing with the pipe character, and then it dumps that to the user's profile directory as "assist DLL.exe", and then runs it by calling ShellExecute with the "open" parameter. Okay, so this is how the payload gets invoked. All right, so now we know how the infection is carried out. There is this document, the user has to click "OK, I want to allow macros to run," and then ShellExecute runs the dropped payload. So what's in the payload? What is the payload? And what you can do is you can load that up into, like, IDA Pro, or, you know, your preferred reverse engineering tool, and take a look at the structure of the data that's in there, and this is what you see here in this colored graph. So at the beginning you see this green stuff there; that's C standard library code. So that's stuff like, I don't know, like malloc, or, I don't know, write or send or something like that. So the basic low-level API calls, right? Then the blue stuff is code that has been written for this binary. So that's the actual code with the functionality of this thing. And then in gray you have constant data.
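As an added example (not the speakers' code), here is how an analyst can do the static triage just described offline: read the creator and timestamps from docProps/core.xml and rebuild the pipe-encoded payload from the custom property, checking for a PE header instead of running it. The archive entry names follow the listing shown in the talk; the document, handle, dates and payload bytes built in the script are constructed placeholders, not the real lure.

```python
"""Static triage of an OOXML (xlsx) lure as described in the talk:
docProps/core.xml holds creator and timestamps, xl/vbaProject.bin the macro,
and xl/customProperty1.bin the payload as UTF-16 text of pipe-separated
decimal byte values ("77|90|144|...") that the macro rebuilds into a PE.
Added example; the sample document below is constructed, not the real one."""
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def read_core_metadata(zip_bytes):
    """Creator, last editor and timestamps from docProps/core.xml (may be spoofed)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        node = root.find(path, NS)
        return node.text if node is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def decode_custom_property(raw):
    """Turn the UTF-16LE text '77|90|144|...' (hence the zero bytes) back into bytes."""
    text = raw.decode("utf-16-le").lstrip("\ufeff")
    out = bytearray()
    for field in text.split("|"):
        field = field.strip()
        if not field:
            continue  # tolerate a trailing separator
        value = int(field)
        if not 0 <= value <= 255:
            raise ValueError("not a byte value: %d" % value)
        out.append(value)
    return bytes(out)


def looks_like_pe(data):
    """Check the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(zip_bytes, prop_name="xl/customProperty1.bin"):
    """Metadata plus the decoded payload, without executing anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = z.namelist()
        payload = decode_custom_property(z.read(prop_name)) if prop_name in names else b""
    return {
        "metadata": read_core_metadata(zip_bytes),
        "has_vba_project": "xl/vbaProject.bin" in names,
        "payload_len": len(payload),
        "payload_is_pe": looks_like_pe(payload),
        "payload": payload,
    }


# ---- constructed sample document (placeholder handle, dates and payload) ----
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>EXAMPLE_HANDLE</dc:creator>"
    "<cp:lastModifiedBy>EXAMPLE_HANDLE</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2014-04-23T10:00:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2014-04-23T12:00:00Z</dcterms:modified>'
    "</cp:coreProperties>"
) % (NS["cp"], NS["dc"], NS["dcterms"])


def build_fake_pe():
    """Minimal MZ header (0x40 bytes) whose e_lfanew points at a 'PE\\0\\0' signature."""
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 0x3C)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew = 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_xlsx():
    """Zip up core.xml, a dummy VBA blob and the pipe-encoded payload like the lure."""
    encoded = "|".join(str(b) for b in build_fake_pe()).encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("xl/vbaProject.bin", b"<dummy macro blob>")
        z.writestr("xl/customProperty1.bin", encoded)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage(build_sample_xlsx())
    print(result["metadata"])
    print("VBA:", result["has_vba_project"], "PE:", result["payload_is_pe"],
          "bytes:", result["payload_len"])
```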
So in the beginning there is this little gray piece over there that contains strings, hard-coded strings, as well as space for function pointers. So on one of the next slides we will talk a little bit about how API calls are resolved, which means the code generates function pointers, and the function pointers are stored in this area. And then you see some more code, the blue stuff, and then you see some other gray areas for more constant data, and what you find in there, if you know what you're looking for, is, for example, AES crypto constants. So AES is a symmetric crypto algorithm, right? You have these S-boxes in there and some stuff like that. So that's all stored over there. And then you can also see a tiny little blue slice at the end, and this is where the main function lives. So when you start to execute this binary, execution starts at the main function, obviously, and this is where that main function lives, which is kind of odd that it's at the end, but, you know, whatever. Okay, and also we provide the MD5 hash and the SHA-256 hash here for you. So if you're interested, if you're curious, grab that file from the internet and take a look at it yourself. Okay, so we did the same thing as with this Excel document. We first took a look at data that's statically available, and the first thing we looked at was everything that's part of the PE header, of the file header. Okay, so what you see in the PE header of this executable is a so-called debug directory. The debug directory is where debugging information is stored. So for those of you who are more familiar with the Unix world or the Linux world, you guys know that you can have, like, symbols in there, function names and stuff like that. So there is also debug information available in the Windows world, in PE binaries.
You have that in the debug directory. However, when you're actually debugging something, most of that information is not embedded into the binary. It's stored in an external file, a so-called PDB file. PDB stands for program database, if I'm not mistaken. Okay, so this debug directory that's part of the executable has to store a pointer, a link, the path of the PDB file, and that's what you see in blue at the bottom of the slide. So you can tell by looking at that, again unless it's spoofed, that this was compiled on the D drive in that directory here, under this name, and obviously it's a Win32 program. Okay. Okay, so that was one thing, but we didn't quite know what to make out of this, so that didn't help us much with our analysis, but it was interesting that that path was in there. Then the next thing we did was we looked at resources. So in a PE binary you can store additional arbitrary data. You can store, for example, mouse cursors, or you can store icons, or you can store whatever, right? And these additional chunks of data are stored in so-called resources. So you have an additional directory in such a file, which is the resource directory or the resource table, and what you can see here is the list of resources in that binary, and what's interesting is that each resource has a language code associated with it. That's the stuff in blue, and also in black down there.
So, the stuff in bold. What's interesting here is that the language codes in blue stand for Argentinian, which could mean perhaps that this binary was compiled on an Argentinian system. Okay, which might mean that the person who compiled this was running a system... Or they just changed it to that when they needed to choose where to compile it from. Yeah, or that. So I mean, of course you always have to question this kind of stuff when you analyze it, but yeah, so there was this Argentinian nexus to the whole thing. But when we... I remember, Tillmann says "nexus," it means connection, or just Indian connection. So everybody knows, I was confused by that for months. All right, so yeah, and, but I mean, we've both been confused, because when we first discussed this we said that doesn't really make sense. I mean, Argentina attacking an Israeli defense and space company? I mean, I can see other states attacking Israel, or that sector in Israel, but perhaps not Argentina. But I mean, I'm a reverse engineer, I'm not a politician or anything like that, right? So, yeah, anyhow, so that didn't quite make sense to us. So we said, okay, we've got to reverse engineer the functionality and understand what this thing really does, and that was our next step. So this slide is supposed to give you a high-level overview. We will touch on some of the things that you see on here on the next few slides, but this is a high-level overview. So the first thing we noticed was this is more complex, more advanced, more sophisticated than the stuff that we usually get to look at. Okay, so this was like really high-quality code. It was well written and so on, and it has some interesting characteristics. One was the entire code was completely position-independent, so you can load that at any memory offset and then run it from there, and it wouldn't rely on any offset or relocation or stuff like that, for those of you who are familiar with these concepts, right?
So usually when you do something like this, when you write position-independent code that can run anywhere in memory, you do that because you want to take this code and inject it into another process, and because you don't know where you will end up in memory, you have to keep the code position-independent. Okay, and I mean, injecting code into another process is always, let's say, a little hostile, or, you know, a little... definitely not friendly in most cases. API calls: so the Windows API, like WriteFile, CreateFile and so on, those are all resolved dynamically. So they are not resolved through the import and export tables that you usually have in binaries. They're all resolved manually and dynamically during runtime, which is part of the position-independence paradigm here, and they are also called through wrapper functions. So, you know, whenever the code wants to, say, access a file or send data onto the network or, I don't know, change a registry key, you name it, it does that through a wrapper function that calls the actual function that does the thing. Okay, and we were wondering why, because it makes the code more complex, but we didn't really understand why at that point in time. And the next thing we noticed was, whenever the code has to deal with immediates, or constants, as you can also say, it would not use these constants directly, but it would consult a lookup table. So let's say it wants to open an IP socket, okay? So in that case it would have to use the constant 2 for the socket type, right? But it wouldn't use the number 2; it would consult this lookup table for another constant, then, you know, find the mapping for that constant, and then that would give them the number 2, and it would use that in the actual API call. So we said, why is it doing that? And then suddenly we figured, okay...
The code is written in a way that it exposes a generic, a unified interface. Okay, so you can easily take this code and port it to, say, a Unix system or a Mac or BSD, which is also Unix, and other systems, right, other platforms, and keep the interface the same, right? You can keep using the same constants, you can call the same wrapper functions that then internally call, of course, different functions, but this is like an abstraction layer between the system that the thing is running on and some other component that it's interfacing with, okay? So there's more we found that was interesting. The whole thing has to maintain some sessions. You can, you know, talk to it over the network; that means you have to establish a session and so on. Session management is tricky, and you have to keep track of sessions, of active sessions. This thing does it by hashing, but the hashing method that's used here is related to Blowfish. It uses Blowfish, the crypto scheme, for hashing, which is kind of unusual, right? Maybe sounds a little over-engineered, but you can, I mean, it's all right, you can use Blowfish for that.
That's a legitimate application, but it's special. You know, you don't usually see that that often. And then, and this is probably the most important point, at some point we realized that the stuff that we were looking at was a generic API call proxy, and we will explain what that is in a minute. So then we took these last two... So originally we said syscall proxy, and then later on we changed that to API call proxy in our notes. So we took these two terms, syscall proxy, and we took Blowfish, and we entered that into Google. Actually, a friend of mine did that, a guy I'm working with, and the first hit we encountered was a post on BSD newsletter.com from over ten years ago, and that was an announcement by a company called Core Security that is based in Argentina, coincidentally, and also in America, in Boston. And they announced a new technology, a new product of theirs that now runs on some BSD system as well, and that was a syscall proxy, and there was Blowfish involved. So with this pointer we went back to our analysis and confirmed that the thing that we were looking at was their product. It was a product called Core Impact, for those of you who are familiar with it. So this is a little bit odd. We have seen threat actors using crimeware, we've seen threat actors developing their own specially crafted tools, but you think Core Impact is just something we have not seen before, and we've talked to many other researchers who have not seen that before. We encountered two others who suspected it. So, number one, Core Security is based out of Argentina and Boston, that's general information. They are completely white hat. They're good people. They've been around for a long, long time. They are very, very innovative.
They did point-and-pentest, or point-and-hack if you like, back when nobody even thought about it, at least not on that level, of a scale of a tool that is so automated and out there. Next, they've been... this sounds a little bit corny, but seriously, these guys have been helping organizations out there for far more than a decade to protect themselves and get better at security. They have a patent on this syscall thing, which is important to say, and they even lectured about it at Black Hat. They're very, very open and visible about what they do. Now, we talked to them and they helped us throughout this process. They really tried to be as straightforward as they can and as visible as they can with us in responding to this incident. And that's their statement, which we promised to include, but the important part for me... and everybody read that statement, please. The important part for me is that these are good guys. Somebody took their tool, like we have seen happen before, and used it for malicious purposes. So far so good. What Tillmann is starting to say now, new thread, tangent: what Tillmann is starting to say is that yes, this is Core Impact, but it's also extremely advanced. It's half off-the-shelf technology, and it is used by a nation-state-level threat actor. That is the first twist in our story, where we really realized something different is going on. Yeah, so to give you an idea, I mean, when we first looked at the thing, nothing really made sense. We said, well, Argentina? Argentina, probably not. Doesn't sound reasonable. And then we were speculating, maybe, you know, there are other states or other advanced threat actors that are known for knowing how to implement cryptography properly, and we saw cryptography being implemented properly here. So we said, maybe it's coming from that corner, and then we had to change our assessment again, and so on, until we figured, okay, it's this thing.
It's the Core Impact agent, and I will explain what that means in just a second. And then it also became clear to us why we thought this is like enterprise-quality code that we were looking at, because it's a commercial product. So just listen to what you just said: enterprise-level code. When have we last seen too many malware samples out there that were actually enterprise-level code that did not come from a nation-state? That's just the beginning of what's interesting about this. All right, so I guess we have to talk a little bit about Core Impact, and then I'll continue with that slide here. So for those of you who are not familiar with it, and I haven't been familiar, or we haven't been familiar with it before this analysis either: it's a penetration testing framework, and what you do with the control panel, or the console, or whatever you want to call it, that's the software you're operating, what you do with that is you deploy a tiny component which is called the agent on a target system. That's the system you want to pentest, or one of the systems you want to penetration test, okay? And the power of the tool lies in the ability to pivot from that system onto other systems behind it. Okay, so you deploy the agent on one system and then you use that system as a stepping stone to reach through it to other systems behind it. Okay, and that's, as far as I understand, I haven't used the product ever, but as far as I understand, or we understand, this is the main feature that makes Core Impact so powerful. In other words, check their website, right? All right, so we want to talk about some of the technical... I mean, we could talk about the technical details and the technical specialties forever. You can talk about the technical details forever, if you say so. So, yeah, but we don't want to bore you with too much of it, but there is some stuff that we chose just to show you how advanced this is. This is the code that you see down here.
This is the lookup table for constants. So you can see it takes a key, or the lookup value, as an argument, and then it iterates over the map and looks for that other content. I mean, that's how you perform lookups in a lookup table, right? So that is that part here. There is another one, there's one for status codes, or error codes as they're called here, and then there is another one for actual constants, like the IP socket one I just talked about. Okay. But really the key feature is this API call proxy. So, quick show of hands maybe: how many of you are familiar with the concept of syscall proxying? Anybody? Okay, a few people. So who is familiar with the concept of user space and kernel space? Awesome, so that is great. So the idea behind syscall proxying is to use the kernel space of one system, and that's the system that I'm penetration testing, or attacking, or whatever, but this system is only running a small stub executable, and the user space is offloaded to another system, and this system communicates over the network with the stub component here. So you basically offload the user space onto another system, and then this user space and this kernel space communicate over the network. Why do you want to do something like that? Sounds really crazy, right? If you implement such a generic stub binary that just takes, you know, a syscall identifier and some parameters and then runs it here...
You can keep all the logic outside of the stub binary. The stub binary can be really, really tiny, and you can implement all the logic here, on your console, on your system. Okay, so if you want to add another feature to your attack tool, you only have to do that here. You can leave that part alone, and it's also obviously less risky for the operation. You don't necessarily need to put everything in one place; you can change it up. Exactly. So you end up with a very tiny executable that generically proxies system calls from your user space somewhere else in the world to your target. One thing that's not very technical: if you consider modular malware, if you're in a preparation nation-state or somebody very serious, you'd create something modular, and as you compile new agents you'd put different aspects of it in, depending on the target. Now, if you can do it on the fly, after you're in the target, without risking anything to begin with, or much, that is pretty cool shit. I said that just because this is CCC and it's obligatory to say that. Okay, so does that make sense to two people? All right. So what they have in there in their tool, what we have seen in the tool, is not quite a syscall proxy, because it's one level above the syscall level. I mean, when you write code for the Windows system, you don't usually call syscalls, you call API functions that are more high-level, like WriteFile is a high-level API function that translates to a syscall, maybe, but there are other high-level ones. So what they did was they implemented the same concept, but on the API level. So you have the control panel over there, you have the agent deployed over here, the box in blue, and then an underlying Windows system that exposes an API, and all the communication takes place over the network, or whatever, okay? And then, can you switch back to the previous slide for one second?
So, and then, as I've said before, this agent can then be instructed to tunnel connections, basically to proxy connections, or tunnel is maybe a better word, because otherwise we can confuse it with the proxy term over there. Then you can tunnel connections to a third system and do the same thing. So you can basically... I don't know if I should use the term onion routing, because... But yeah, you can do something like that. Okay, so that's really cool. And of course they also implemented their own network protocol for that. So we called this an RPC network protocol, because really this reminded us of remote procedure calls. So WriteFile is turned into a remote procedure call in this case. So Gadi said we have to include an IDA Pro screenshot, so here it is. This is IDA Pro. This is the send payload function. That's what we labeled it as. You can either send it encrypted or you can send it unencrypted. Don't you guys think... I know I'm just disturbing you right now, heckling him, but that's part of the fun. It's 11 p.m., 11:30. So don't you guys think that if we just put assembly code out there, or if we took an IDA Pro screenshot, that looks cooler? No, seriously, hands up, everybody who thinks it looks cooler. Okay. Let's do it another way. Everybody, put your hand up with me. Everybody put your hand up now, everybody who doesn't think it's cool. All right, but let's talk about the cryptography they use. So what they do is, for every session they generate a pseudo-random session key of 256 bits, and they use this for AES encryption. So that's their AES key. But in order to securely transfer that key to the other system...
they're talking to, they have to use something like, you know, some asymmetric crypto. In this case they use RSA; they use 1,024-bit RSA, which means there must be a public key in the binary, and in fact there is a hard-coded public key in the binary, and that public key changes across campaigns. So by looking at the public key you can say this is a sample that belongs to this campaign and this is a sample that belongs to another campaign. All right. One more thing to note here: we have seen malware before that uses three-bit RSA, if that makes any sort of sense, but still, using this small key is kind of weird, in a way. I personally don't really see how weird it is, but Tillmann insists, and he just forgot, so I'm reminding him. All right, so yeah, let's skip over this rather quickly. So this is the Blowfish hashing that they used to keep track of sessions. You can see down there, they use this low-level Blowfish function to hash an integer, which is, I think, if I remember correctly, the file descriptor number of the socket that the session relates to. Okay, next slide. So here's some more assembly. I told you that the code is position-independent, but the problem with position-independent code is that you cannot really very easily configure it; you cannot easily pass parameters to it. But they need to have some kind of configuration data, like the RSA key, maybe a command-and-control server IP address, or... "command-and-control server" sounds so offensive, maybe you should say a control panel IP address, and then also maybe a campaign ID, something like that. So there are some parameters that are used to configure the dashboard. Dashboard, yeah, operator's interface. So what they do is, the blue box down there is the code, is the entry point that they really want to call, or where they really want to start, but before they do they need to prepare an environment.
They need to push some arguments on the stack, so to speak, right? So what they do is they start at the gray box up there, jump down to the second gray box, then call back up and then do some more stuff, and then jump down to the blue box. And you can see some assembly code that relates to this chart. So you can see the jump at the very top, and that takes us down, and that's not on the slide anymore, and then you can see a call back up, and then that second line there, the pop eax, basically then pops the instruction pointer from the stack into the eax register, for those of you who are familiar with that. Right, and then you can see these pushes there of these long immediates, sir. These are ASCII strings. So if you would take these and render them as ASCII strings, you would see that the first one is an IP address, the second one is a campaign identifier, and the third one is what we call the R parameter, but we don't know what the purpose is. Okay, so once you're able to extract this kind of information you can collect samples and extract, you know, and mine that data a little bit, and we did that, and we came across these command-and-control server IP addresses. Now you can see they, or at least the first four, kind of live in the same proximity; they live in related network ranges. In fact, each of them belongs to its own very tiny network range, a slash 27 or slash 28 or something like that, and these ranges are all operated by a German company.
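The configuration-recovery step just described, turned into a small script. This is an added example, not the speakers' code and not anything from Core Impact: it sweeps a byte string for runs of x86 `push imm32` / `push imm8` instructions, reverses each run back into memory order (the stack grows downward, so the last push lands at the lowest address) and splits out the NUL-terminated ASCII strings, tagging anything that parses as an IPv4 address. The stub bytes, the address 198.51.100.7 (a documentation range), the campaign ID `campaign-01` and the third parameter `rparam` are all constructed for the example; the real values are only on the slides.

```python
import re
import struct

PUSH_IMM32 = 0x68  # push imm32
PUSH_IMM8 = 0x6A   # push imm8 (sign-extended to a dword on the stack)

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def push_runs(code: bytes) -> list[list[bytes]]:
    """Linear sweep for runs of consecutive push-immediate instructions.

    Each run is a list of 4-byte little-endian immediates in execution
    order. Any other byte ends the current run. The sweep is deliberately
    naive (one byte at a time between pushes): it is meant for small
    position-independent stubs like the one on the slide, not as a
    general-purpose disassembler.
    """
    runs: list[list[bytes]] = []
    cur: list[bytes] = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == PUSH_IMM32 and i + 5 <= len(code):
            cur.append(code[i + 1:i + 5])
            i += 5
        elif op == PUSH_IMM8 and i + 2 <= len(code):
            imm8 = struct.unpack("<b", code[i + 1:i + 2])[0]
            cur.append(struct.pack("<I", imm8 & 0xFFFFFFFF))
            i += 2
        else:
            if cur:
                runs.append(cur)
                cur = []
            i += 1
    if cur:
        runs.append(cur)
    return runs


def decode_push_run(run: list[bytes]) -> list[str]:
    """Turn one run of pushed dwords back into the strings they build.

    The first push ends up at the highest address and the last push at the
    lowest, so reversing the run yields the bytes in memory order. The
    result is split on NUL terminators and non-printable fragments dropped.
    """
    raw = b"".join(reversed(run))
    out = []
    for chunk in raw.split(b"\x00"):
        if len(chunk) >= 2 and all(0x20 <= b < 0x7F for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


def classify(value: str) -> str:
    """Tag a recovered string as an IPv4 address or an opaque parameter."""
    m = _IPV4.match(value)
    if m and all(int(o) <= 255 for o in m.groups()):
        return "ipv4"
    return "string"


def extract_config(code: bytes) -> list[tuple[str, str]]:
    """Recover (kind, value) pairs for every string pushed as immediates."""
    found = []
    for run in push_runs(code):
        for s in decode_push_run(run):
            found.append((classify(s), s))
    return found


def encode_string_pushes(s: str) -> bytes:
    """Build the push sequence a stub would use to place `s` on the stack:
    NUL-terminate, pad to a dword boundary, push the dwords last-first."""
    data = s.encode("ascii") + b"\x00"
    data += b"\x00" * (-len(data) % 4)
    dwords = [data[i:i + 4] for i in range(0, len(data), 4)]
    return b"".join(bytes([PUSH_IMM32]) + d for d in reversed(dwords))


# Constructed sample stub (NOT bytes from a real sample): three parameters,
# each followed by a `mov` that grabs the stack pointer, then `ret`.
SAMPLE_STUB = (
    b"\x55\x8b\xec"                          # push ebp; mov ebp, esp
    + encode_string_pushes("198.51.100.7")   # constructed C2 address
    + b"\x8b\xc4"                            # mov eax, esp
    + encode_string_pushes("campaign-01")    # constructed campaign ID
    + b"\x8b\xd4"                            # mov edx, esp
    + encode_string_pushes("rparam")         # constructed third parameter
    + b"\xc3"                                # ret
)

if __name__ == "__main__":
    for kind, value in extract_config(SAMPLE_STUB):
        print(f"{kind:6} {value}")
```

Run over a corpus of stubs, `extract_config` gives you the (C2, campaign ID) pairs to pivot on; anything that does not parse as an address is kept as an opaque string rather than guessed at, which is the same stance the speakers take toward the third parameter.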
In fact, it's called IABG. I forget what that stands for, but they're a technology company near Munich, and they also offer satellite services, so they're probably operating some satellite or something like that, and they're offering satellite links as a service, so internet connectivity through satellites. Which means when you do geolocation lookups for those IP addresses you get something like this. Yeah. And an interesting note about the crowd: many of you are not operating your own networks, because only a couple of you took out a camera and took a photo of these IOCs. Interesting note about the crowd. Okay, so we've got to give props to a friend of ours called Mark Schlösser. Mark Schlösser runs internet-wide scans for interesting data. For example, he does internet sweeps for SSL certificates, and that's the reason why we reached out to him. So we figured that one of the IP addresses, or one of the campaigns from the previous slide, used an SSL-enabled version of Core Impact. So the command-and-control connection was SSL-protected, which means there must be a certificate involved. So we talked to Mark and said, hey, because that IP address was no longer online, can you dig into your database, can you see if you have the certificate from that IP address? And he found this certificate. And as you can see there, it's a certificate that was issued to Core Security Technologies. This is the RSA key. Is it RSA? I think so. In 2009. It's not valid anymore, but I mean, of course you can still use it. Turns out whenever you use Core Impact, or at least as far as we know, with SSL, you will end up using this certificate here. So by scanning for SSL services that use this certificate, or offer this certificate, you can identify Core Impact C2s. So we asked Mark, hey, can you give us any other IP addresses that were hosting this certificate? And he did, and that's how we identified some more of the campaigns.
So thank you, Mark, for that. So let's talk a little bit about campaigns. Do you want to take over again? Sure. You take this slide, I'll take the next. Okay, so the first thing we did was we took a look at all the lure documents, the Excel spreadsheets that we found, that we collected. Okay, as you remember, hopefully, from one of the first slides, there is this metadata in there that gives you the create date and the modification date, and then there is also the handle of the creator and the handle of the last modifier, and that's what you see in this table. Now the create date isn't very telling, because you can take a document that was created ten years ago and then modify it and use it for this campaign. Thank you. So that is the third column, the modification dates, and that's chronologically ordered, as you can see, so the first attack we came across occurred on April 23rd. Wool3n.H4t was the guy, and it was targeting this Israeli target that we talked about, and then on the same day there was another attack against another Israeli target, and so on and so on. So then in July you can see various attacks against European targets, and we will talk more about those in a second, and the last one was actually from this month. We had to redact some of the operator names, creator names, because they identified the target, the victim, right? The thing is, we didn't really know whether somebody used this metadata, right, so we don't really think somebody tried to use metadata to pass through scanners or to pass through the human eye. So what we think happened: some of these documents were created specifically as lures, and some of the other ones were stolen from the victim, whether it's open source or not we're not sure, we didn't find them, and their names were on the document. Now, one thing that we didn't redact: second from the bottom, the name. No, it's actually Israeli, just as a
side note. So moving on, I can take that one. All right. So the next thing, of course, was the Core Impact variants that we came across. I told you earlier that there is this RSA key in there, there is a campaign identifier. So we did the same thing: we mapped them onto the document modification dates. So these are the dates, the first column, that we found in the documents that drop the respective executables. In the second column we have the IP addresses that you already saw, then we have a campaign identifier, and then we have the RSA key, and you can see there is a clear correlation between RSA key, campaign ID and C2 IP address. So it seems like they keep their infrastructure, meaning command-and-control servers, for the different campaigns separate, okay? So they use a different C2, a different RSA key and a different campaign ID for each campaign that they're running. Intelligence-wise, if you go to the previous slide for a second and you look at the operation, you can see the creation date of the actual Excel lures is usually a little bit earlier than the actual attack, so if you can identify these modifiers and you can detect the lure ahead of time, you can probably prevent the attack altogether, depending on your operational security and if you have this type of intelligence capability in-house, whether from your own intelligence, or something trying to get into your network, or from outside of it. And just to be very clear, we limited ourselves to lure documents that fit into our pattern, or into this modus operandi. We didn't consider any other Core Impact samples we came across, because of course it's possible to find others, but they're not related to activity by this threat actor here.
Okay, so we're going to look at some decoy spreadsheets. This one is against an Israeli target. So the first target, as we discussed, was an organization adjacent to the defense and aerospace industries, but very quickly it spread through Europe and through Israel: some academic institutions and some defense agencies across Europe. So this is one of the lures, looking very real, even has a cool graph. I don't know how accurate the data is for the organization, but still pretty impressive. I mean, you will not see something impressive like that again; their graphic designer sucks. So I mean, the data on there, I mean like this table up there, is not really interesting. What's interesting for us from an intelligence perspective is we take a look at this and we try to figure out who the target was, because obviously the decoy has been designed for a specific target. Okay, and that's why we are going to show you some of the other decoy spreadsheets here now. So for example, this one is listing Israeli holidays and other types of observance days, nothing very interesting, more than open source for the past several thousand years, but if you want to go to the Bible... Well, to be pedantic, some of these are not in the Bible, but still, it's pretty clear nothing very, very special. Not a very good lure, but it does have information, looks very, I guess, safe. Next up. This is really horrible graphically. I mean, who is the graphic designer? Seriously, would anybody click on Enable after they see this? Would you?
So that's another example, which is pretty nice. We didn't figure out the target of this one, by the way, so this is an attack from May. We don't know who the target was. So if you in the audience got this message and got past the horrible graphic design, please tell us. Yeah. This is really boring yet again, not very impressive, but maybe they were, you know... if I was them I would actually play with human beings to try and see what they would click on, and what other reason did they have to do this? This is from an Israeli target; you can see that it's again innocuous information, nothing very special there, but it seems to be internal to the organization. This is a little bit interesting. It took us a while. We went to TinEye, we went to reverse image search, we searched Google for logos with triangles and circles, we did everything we possibly could. Eventually Tillmann found it. Does anybody know who this is? Nobody's gonna know what this is. Ha. So if we had time, I would say let's play a really annoying game and try to find it on Google. Whoever wins gets a beer or something, or pizza in our case. But this is actually a Georgian organization that's related to NATO; you can read the Wikipedia page. Again, not very interesting, except for the logo. But there is this military... yeah, no, this you've always seen; it's one of the more elaborate documents. It's convincing, even has a little bit of graphic design, although I don't know who the designer is, again. And that's probably a stolen document; I find it hard to believe they actually created it. Now again, we must stress: there are some things in there that look like they're from Venice and Vienna, but this is a German-language lure.
We don't know who the actual target is; could be anywhere that speaks German, but it is a defense organization. This is just a list of names; it's generals, Kapitän, admiral, colonel, major. What is colonel major, is that the made-up rank? Again, not very impressive, but it was targeting the same organization as the previous one. So it's obvious that, thank you, it's obvious that they were targeting the military sector, the German-speaking military organization. This one is also probably a stolen document, also German-speaking. You can look at the logo, which is kind of nice, but other than that not very interesting. Yet another lure. We can start skipping them unless you really want to see. What's interesting here is that this seems to target embassies, German-speaking, so embassies in the German-speaking countries. I mean, there are not that many, but yeah. Just to be clear, the attacks that we saw in the timeline earlier were not just against Israeli targets and German-speaking targets. There are also ones in Eastern Europe and others all over the place. Another one. And this one is interesting a little bit, because we tried to find out how to decode this thing, and we think they're just messing with us and this is on purpose, because everything repeats. No, I think they messed this up. It is what we used to call "Chinese" whenever it wouldn't decode the Hebrew. I'm just saying. Hold on, take the microphone, man. Cyrillic. Cyrillic, but it doesn't... Russian looks like this if you select the wrong code page. So it could be Cyrillic, but if you just display Cyrillic, and not with the Windows code page for Cyrillic but in Latin-1, it looks like this, but it still doesn't... I don't know. Maybe you need to try this, but it still doesn't make sense.
It's repeating over the whole spreadsheet. But if you actually have Russian enabled... on my laptop I didn't, and I didn't see it, but we'll try anyway. Well, but if you take the title column and you search for that on the internet, you will find that this is a table of missile launch events that is on Wikipedia. So they probably tried to use that as a lure or a decoy. This last one is personally not very interesting to me. Do you have anything to say about that? No, but it did say, if you want all the information... No, notice how they started putting in instructions. They didn't just want people to click Enable anymore: if you want to see more, please click Enable. And they actually misspelled "view", which is kind of nice. I guess their conversion rates were low. This one is interesting for several reasons. Number one, again, it's a stolen document; it's against an Israeli target. But what's more interesting for me is that it was sent around the date of an actual event happening in Israel. So if you send it to academia, which was some of the targets, you can actually notice that it improves your conversion rate: if they know of the event, they might click on it more. But that's just a wild guess about trying to time the events in real life to something else, which shows a little bit more operational sophistication. This is one of the later, I believe it's one of the later campaigns. Yeah, so this is from December 1st.
This is from this month, just now. So it shows they're really interested in the academic sector in Israel, and their operational capability is growing, even if a little bit, trying to tie in to something that will convert people by their interests. There's another example of that, which is the same conference once again, just an agenda, and they once again try to give you instructions to increase conversion. I don't know if it's related to the previous one; what their conversion rates were, we'll discuss that a little bit later, but it's interesting nonetheless. This is you. Okay, so just one more thing. There is a very old rule in the antivirus world of do not use the attacker's name. Nowadays you don't really follow it, but for me it was still important: we didn't really want to call it what the attacker called this. So we started thinking of a name, and I just said let's call it "name credential stealer", and we went with that. All right, so I think we need to hurry up a little bit, because we're running out of time. So you need to come here for that. I will. So this threat actor, this group here, doesn't only use Core Impact. They also have their own custom tools, and this is one of them. And this has one purpose and one purpose only, and that is stealing credentials. And instead of showing you more white-background slides with black text on them,
we said let's show you some code, because this thing here is written in a .NET language, which means you can decompile it back into some form of the original source code. You can recover some form of the original source code, and of course that's what we did, and then you can read source code instead of machine code, assembly code. So we'll skip over this really quickly. So there's some stuff happening here that we're not going to talk about, but then here you can see, first of all, there is this email address here, right? And we already know that handle, right? So this was not only dropped by a lure document that followed the same concept, it also contained that handle up there. So it's pretty obvious that this is related to the same threat. What this does is it takes a look at the Firefox profile directory and then steals these two files, signons.sqlite and key3.db. These are the files where different Firefox versions store browser credentials, usernames, passwords, right? And if you use your browser to log into your, say, Gmail or whatever webmail portal, then you... you know, it's not you, but some people store their credentials in those files, and by stealing those you get access to these things, and then you can use that data, for example, to design another spear-phishing campaign. And then it sends that off to this very address here, which is a Gmail address, and that's why it's talking to smtp.gmail.com, and it even has... Yeah, and we had to take those out. So moving on quickly. Moving on quickly, we have conclusions.
So this is likely, again, we are not gonna commit to that 100 percent, because we believe attribution is never 100 percent until somebody comes out and says "we did it", but this is very likely a nation-state. We have other reasons to believe this as well, which we can disclose at this stage. They have limited operational and technical capabilities, although they're getting better. We have seen a sophisticated remote access tool. We want to say even very advanced, but you can't really compare these things; some things are very advanced on one axis, others on another. The implant itself is a legitimate penetration tool. It's off the shelf, though it's advanced, and it's misused. And the big thing is everybody can now use this. They know Core Impact is out there; they should have known before, but honestly, instead of just being another crime-ware thing, now it's a nation-state-level tool that has been used, not once but actively, more than once, in many, many campaigns, and other people can now have this capability for a certain amount of money, or by stealing it, although Core Impact does their best to keep this safe. We want to give some quick props; we stand on the shoulders of giants. There's been some research on one of these campaigns; it was called Gholee, by the folks at ClearSky, and there are some others who worked on this. We want to give them enormous credit right now, because they deserve it. These are some MD5 hashes if you want some IOCs; you can also email us or check the report in a few days. We want to thank the Israeli CERT, CrowdStrike and Cymmetria for all their help. Appreciation to CERT-Bund, because they helped us all in the incident response. And that's about it. Now, questions. We know what the first question is gonna be, so just skip that one. Did you mention the report? What, did you mention the report? Yes?
We're gonna release it in a few days. So there is a technical report. We have way more information than we're able to touch on during this presentation. We have a technical report, a very technical report, I should say, 50 pages or something, that we are going to release to the public very soon. Yeah. Now I'm gonna skip the first question; we want this to be theatrical. We don't know who the nation-state is, or whatever, and one does not simply attribute attacks based on IP addresses alone. That said, we don't know who's behind this, right? We don't know who it is, right? We can't really tell you. Come on, come here, so I can take a picture. So we probably have time for what, one minute, for questions. Does anybody have questions at this stage? Possibly. Thank you, Gadi. Thank you, Tillmann. We do have one question from the internet, and for those in the room, please line up in front of the microphones if you do have questions. So did you log into the Gmail account? No, we did not. Thanks. That's the... we probably could get some victim data from there about their success, but we decided not to break the law. Somebody else is gonna do that. We can't break the law, because they are the law. I am the law. Okay, any other questions? Anybody left? Microphone two. I think it's a smart move that you can see spammers do: to focus on really dumb people, when they try to scam you they make it really obvious that it's a scam, so that the people who do fall for it are really dumb and it's not gonna be noticed for a while. So maybe we see some pickup of that tactic in the APT world now. The idea is that this is now, even though it was widely used in the 90s,
it's new. We have only been seeing it, Tillmann can speak of this more, in the past year. But right now it's passing filters and it's getting work done. Yeah, I didn't get the question. So yeah, no, we actually talked to all the victims that we could identify, and some of them have been aware of this activity, fortunately. Not all. Any other questions, please? Mic number three, I think you lined up first. Hi, I was wondering who controls the C&C servers. Is it Core Impact or is it the attacker? No, no, not Core Impact. It's very important to say again: Core Impact is not related to this. They're good guys. The attackers are controlling them. But I mean, there is probably the controller component of Core Impact running somewhere. We think that these IP addresses that we showed, they're probably just acting as proxies, as network proxies, and relay traffic to the real back end. But the real back end is probably running the Core Impact console, and we can't really say who it is at this stage. And the reason I'm asking is because the certificates were signed by Core Security, right? That's a certificate for the actual... so is it the same certificate for any C&C, or do they sign each one specifically? So we only saw an SSL-enabled version in one case; all the others didn't use SSL encryption. All right, thank you very much. Oh, this guy is really important to hear; this question, yes, I understand, but we are out of time and our next talk will actually start. All right, some 30 seconds. Thanks a lot. Yeah, if you're kind enough, please handle this question outside, and give them some applause.