Thank you. Hi guys. So, as you said, thank you. As David said, I'm going to talk about the Sednit group, which is a group of attackers that we have been working on over the last year at ESET. So these guys do espionage: their main goal is to steal confidential information from their victims. They have been active since roughly 2006, doing targeted attacks. I would say one of their particularities is that they are pretty strong. In particular, they developed their own malware, and they have several pieces of their own malware. They also developed their own exploits, which is not that common for this kind of advanced group. In the industry they are also known as Fancy Bear, APT28, or Sofacy.

So basically I will first talk about the way this group infects its targets. I would say there are four different methods they have used in the past and that are still in use recently: spearphishing emails, which is very classic; but also, more originally, a custom exploit kit that was built to infect their targets; a method they used to steal webmail credentials; and finally, they used private applications to pivot inside an organization, and I will show you an example. After that, I will talk about what they do once they have infected their targets, what kind of malware they use, and what they try to achieve. So they have different malware, as I said: some for reconnaissance of the targets, some for the actual spying on the targets. They also built a small malware just to reach physically isolated computers, so I will explain this too. And finally, I will give you some hints on who could be behind this group. So, first thing: how do they infect their targets?

The first method is the very classic one: spearphishing emails, which in this case means targeted phishing. Here is an example. It's an email they sent in September 2013. It's supposedly about the APEC Summit 2013, which is an economic conference that took place in Asia at that time. They sent this email to a list of 50 military attachés from several countries, so you can see here Canada, France, Japan. The text of the email says, OK, there is a list of accredited journalists for the conference, and the email has the signature of the real person in charge of media for the conference: they have the name, the cell phone number is correct, the Twitter account is also correct. In the attachment there are two spreadsheets. The first one is an exploit, so if you open it in a vulnerable Excel you get infected and you get a first-stage implant. The second one is just a decoy document, and if you open the decoy document you get a list of around 800 journalists with personal information, email, including the passport number, and their affiliation. So spearphishing is a classic technique for targeted attacks, but in this case we can see the very high level of sophistication of this group, because they have a decoy document that looks real and that they probably got from the conference site, and they have the list of addresses of military attachés. The exploit they used in this case was a classic one, but we have also observed them using 0-day exploits in spearphishing campaigns in the past. So that was the first, classic, infection technique. The second one is more original for targeted attacks: the Sednit group built their own exploit kit.

So an exploit kit is a toolkit installed on a server on the Internet; when a visitor comes to the server, the server provides an exploit suitable to infect their machine with malware. It's a classic means for crimeware, but for targeted attacks it's the first time we have seen a group doing this kind of thing. We discovered the exploit kit in September 2013. We found three financial websites that were compromised, and the attackers simply inserted two iframes into the HTML code of these websites, so that visitors would load the URLs inside the iframes. It was the same URLs on the three sites. The first URL, in the first iframe, was no longer responding by the time we found the compromise, but the second URL was still up. So we started investigating around this particular domain name, which you can see here: defenceiq.us. What we noticed is that we were automatically redirected to the domain defenceiq.com, which is actually a legitimate defence magazine. This redirection to a legitimate site is a classic technique for exploit kits; they always do that. The exploit kit is installed on a certain domain name, and if you don't visit the Sednit domain in the right way, you are redirected. So in our case, to get exploited, we have to visit the very specific URL that was inserted in the iframe. If we visit this very specific URL, what we get this time is not a redirection but a page with JavaScript. It's a bit of JavaScript that collects information on the machine and sends a report to the web server. It extracts the list of plugins installed in the visitor's browser, which will serve to choose an exploit for your computer. But it's not the only thing they collect: they also collect your time zone, the language of your machine, and the screen dimensions, for example.

Based on that, the server has targets: if they target Polish users and you come from the US, you won't get an exploit at this step. So just to sum up: the visitor gets the landing page, the landing page collects this report and sends it to the server, and the server can decide whether the user gets exploited or not, and whether it can exploit the user, is he vulnerable? If the user is not vulnerable, or if the operator decides not to exploit him, he is redirected. Otherwise, they make the user download and execute a suitable exploit, which itself downloads and executes the backdoor. To give you an idea of what it looks like at the network level, on this picture each line is a dialogue between the victim and the host. On the first line, the victim visits the landing page and gets the landing page JavaScript. The second line shows the victim going to defenceiq.com, the legitimate website: this visitor was not selected for exploitation. Alternatively, if you are selected, you get the landing page, you send the report, and on the third line you are actually asked by the server to execute a file, which is the exploit; in this case it was an Internet Explorer exploit. The exploit then downloads the backdoor from the same server and executes it, and on the last line the backdoor sends its report to the CNC server. So this selection on the server side is classic for crimeware, but for targeted attacks it's the first time, and what is very specific to targeted attacks is that they try to target specific languages and this kind of thing. Looking at the actual exploits, we saw exploits they had used in the past, and very recently they started to use a Flash exploit that was not even two weeks old.

So that's another proof of the technical means, or of the money, they have to buy this kind of exploit. Looking at the development of the exploit kit, as I said at the beginning, we have the impression that they don't just get exploits from someone else: they actually have development capabilities. For example, at the top you can see two JavaScript snippets from Internet Explorer exploits, and you can see some comments. There is a TODO on the left, and on the right a ROP chain they commented. So they are developing things themselves, commenting and working on things. Regarding the way they actually direct victims to the exploit kit: most of the time, the iframes did not have much impact. That was probably just a first test, at the beginning of the exploit kit, to get some traffic on it and to test it. Now what they do is go back to emails. So in this case you can see the email they sent to a government official; it is basically about some Europe-Asia energy matter, and the domain name in the link is actually mimicking the one of a real Asian news website, and if you click on it, you go to the exploit kit. Just to give you an idea, here is a list of domains that they used in the last months to host the exploit kit, with the same relationship as between defenceiq.us and defenceiq.com: if you don't visit the Sednit domain in the right way, you get redirected to the legitimate website. As you can see, most of these, actually all of these domains are related to geopolitics, so that gives us an idea about what kind of target they are after: people interested in this kind of thing, so NATO, diplomats, news, and this kind of subject.
This is a method they use to propagate; it's not actually a method to infect people, it's a way to steal their webmail credentials. It's not technically advanced, but it's still pretty original, I think. It works like this. Basically, a user is inside his organization's webmail. He opens an email, which is a phishing email sent by the Sednit group; most of the time they use a conference, a security conference. There is a URL inside the email, and if the user clicks on the URL, a new window opens inside the browser and you arrive in front of this new domain, which is controlled by the Sednit group. On this domain there is a bunch of JavaScript that will do two things. The first one is to redirect the parent window, so the webmail window, the one that opened this one, to a domain that is close to the webmail domain. So the parent window gets redirected to another domain belonging to the Sednit group that looks like the original webmail domain. The second thing the JavaScript code does is redirect the current window to the legitimate website of the conference. So this window is redirected to the conference website; the user is in front of the website, he browses it, and at some point he comes back to the first window, where he is now in front of a login panel, supposedly the login panel of his webmail. So he gets the impression that he has just been logged out from the webmail, and he says, why not, it could happen, so he enters his login and password again and clicks on login. Of course, it's just a fake login page, and by clicking on login he is just redirected to the original webmail URL, where he was actually still logged in, and the attackers just grab the login and password.

Regarding the implementation, just to give you an idea, here is an example they used in 2014: they were using a conference called Counter Terror Expo, and that's basically the page that is opened from the webmail. So there are actually three snippets of JavaScript here. The first one is just a sleep function they copy-pasted from Stack Overflow. The second one is obfuscated JavaScript which actually sets `window.opener.location` to a certain URL: that's the redirection of the parent window, the webmail window, to another URL. And finally, this code just redirects the current window to the legitimate website of the conference. So that's it for the implementation. Another example is a fake webmail login page that they used; it was hosted on one of their servers a few weeks ago. It's the webmail of the Ministry of Internal Affairs of Georgia, which is actually accessible from the Internet, so they copy-pasted the code of the webmail, changed the URL inside the code, and hosted it on one of their servers. That gives us an idea about what kind of target they were after. Another example is a fake Yahoo change-password page that they also hosted on one of their servers; they simply copy-pasted the code from the original Yahoo web page. The interesting thing is that Yahoo puts an HTML comment in the code it generates for a visitor, and they forgot to remove it, so at the end there is a comment saying that the code was actually generated in April 2014. That's probably the date when they copy-pasted the code and put it on one of their servers, so it has been running for more than a year now. So that's it for the webmail.

The last method of infection that we observed in the last months from this group is also a very specific one. Here is the context: we found two binaries that were compiled in February 2014, and each of these binaries contains two things, two binaries actually, inside. The first one is an internal application of the Ministry of Foreign Affairs of Uzbekistan that they use to manage visa requests for their citizens; the second one is a Sednit backdoor. Both are packaged inside these two binaries, so once you execute this package you get the two executed at the same time: the legitimate application shows up, but at the same time you get infected with the Sednit backdoor. To give you an idea, in the first case it's an application called ill-consul that gets executed; as you can see it's written in Cyrillic, and it actually connects to a URL on the Ministry of Foreign Affairs domain, so it's really a legit application, there is little doubt about that. In the second case, this is a legit application called visa win; it says "visa system" in Uzbek, and it's the same thing: if you execute this package you get this, but at the same time you are infected. So the scenario here is probably pretty obvious: at some point they got access to the location where the Ministry stores the internal applications, because these are really not public applications, I didn't find any sign of them on the Internet. They simply replaced the binaries in place with a trojanized version containing the backdoor; after that they just have to wait for the employees of the Ministry to grab the new application and execute it, and they infect these new guys. So it's probably a way to pivot inside an organization that they have already compromised.

So now, what do they do when they actually infect someone with all these different methods? The usual process they follow is the following. There is a dropper first, and the dropper sometimes displays a decoy document to the victim. The decoy document is there to make the user believe something legit just happened, but at the same time the dropper also decrypts and executes the first-stage implant of Sednit. So the first stage is a very simple backdoor, as we are going to see, and its purpose is to collect a few pieces of information on the machine and send a small report to the CNC server. The CNC server will decide if it wants to continue, so it can give back a binary or not, and if it gives back a binary, the first-stage backdoor will simply decrypt and execute this binary, and that's really where the spying capabilities are. So I will first describe the first-stage backdoor and then the second stage.

Regarding the first stage, as I said, they come encrypted inside the dropper, sometimes with a decoy document that is shown at the same time. Regarding the decoy document, just to give you an idea, here is one they used six months ago: it's a NATO-related press communiqué that they simply copy-pasted from the Internet and used as a decoy, so they display the document. And another one used at the same period, also related to NATO. So these are just doc files that show up on the user side, and at the same time they execute the actual backdoor. Regarding the backdoor itself, the purpose of the operators of this first stage, as I said, is really to answer the question: is this an interesting machine for us? In other words, is it a real target, or is it just a malware researcher playing with us? That's the goal of this first stage, and to do so they simply send to the CNC a report, as I said, containing the list of the running processes, the computer name and the version of the operating system. So there is not a lot of information inside the report, but it's apparently enough for them to decide if they want to go on. Then the binary will simply ask the CNC every 30 minutes: do you have something for me, do you want me to execute another binary? And I have to say that they are really suspicious; I mean, it has been really difficult for us to pass the test, probably because, as we will see, they have already compromised a lot of organizations, so they probably know very well what a real victim looks like, what a real target looks like. So you probably have to have the computer name formatted in a certain way, the way it's expected in this organization; you probably have to have some particular processes running on your machine; and if you don't fit the profile, they will never give you something.

Regarding the actual implementation of the code, they take special care to be discreet on the machine. First, regarding the network communication, one other thing they do is that each time the first-stage backdoor contacts the CNC server, they try to hide this request between two legitimate requests. So each time it does a request to the CNC, just before it also does a request to google.com. You can see here a request to google.com; it's an HTTP POST with a pseudo-random-looking URI, and of course Google doesn't know anything about it, so it just answers 404 Not Found. But just after, there is the actual request to the Sednit CNC server, and it's always like this: they try to hide their traffic between legitimate traffic, so someone just looking around rapidly will not see the Sednit CNC traffic. Another thing they do is that if the network request fails, maybe because there is a firewall running on the machine blocking the actual request from going out, they will try to do it from inside a browser by injecting some code into the browser. But to do it, they will just wait for a browser to open; they will not create a new process on the machine to inject the code, because creating a process is noisy, it could be caught by antivirus. So they will just wait for the user to actually browse something, and they will inject the code to do the Sednit request. And all the CNC domains they use are always mimicking software update domains.

Regarding the actual binary of the first-stage backdoor, it is probably programmed in C, and they basically always use the same two techniques to make detection and analysis harder. The first technique is that all the strings are encrypted with various algorithms, and the second technique is that they don't declare statically the names of the API functions that are going to be used during the execution; they fetch these addresses at runtime. So for example, you have a snippet here where you can see a call to a certain address; actually, at this address there is nothing at the beginning, it's just zero, because the address will be filled dynamically. So this address will be filled by this bunch of code here, where we have a series of GetProcAddress API calls. The purpose of GetProcAddress is to retrieve the address of a library function; it normally takes as first parameter the name of the function we are looking for, and in this case you can see just the beginning of an encrypted string. So first the backdoor will decrypt all the strings, and you actually get the library function names written in memory; then they execute the snippet of code, GetProcAddress retrieves the addresses of the library functions, they are written into memory, and finally you can rewrite your code in the disassembly with the API calls and all the strings decrypted. This is actually a very classic technique for malware, but they always do that. Another thing they do in the binary, one of the first things they do, is to open a system library, a classic Windows library, and fetch the actual timestamps of this binary, so the last modification time, the creation time, etc. And every time they are going to drop a new binary on the machine, they will set the timestamps of this binary to be the same as the Windows library, just to not have a newly created binary that could raise suspicion.

So yeah, something interesting: I found one specific binary four weeks ago, it's a first-stage implant of Sednit where basically, after each API call in the binary, there is a print into a file; they write something like this. So you have a call to malloc, for example, then they print a new line in the file beginning with an acronym that indicates the type of API call that is logged, probably COE for control of execution; then there is a hardcoded constant that is different for each print operation; and finally there is the return code of the API function. So it's kind of printf debugging, and you get a file written on the machine that is basically an execution trace of API calls, based on prints. The interesting thing is that they never send this file to a CNC server, so I really believe that it's the way the developer actually debugs the thing on his machine; they forgot to remove the print code from the deployed binary. And that's interesting to see, how they actually debug their code. So just to give you an idea, the second value is the hardcoded constant in the code, so it's like if you do print1, print2, print3; this value is also hardcoded and I believe it to be the thread ID, probably to debug a multi-threaded binary; and the last one is the error code of the API call (on Windows, 0 means success).

Another thing, also from three weeks ago, actually in the dropper, so before the first-stage backdoor, in the binary dropping the backdoor, there was this function. Basically there is a first call at the top, which is a function that retrieves the integrity level of the current process. On Windows, the integrity level is a measure of the trustworthiness of the process, and a process that runs under a certain integrity level cannot access objects that are at a higher integrity level than its own. So they retrieve the integrity level, and by the way, binaries that got downloaded from the Internet run at low integrity level, which is the lowest you can get. So they check if the current integrity level is low, and if it's the case they enter a loop, and in the loop they will execute an exploit for Windows 7 to escalate the integrity level to the system level, which is the maximum. If it is a success, they will set the persistence of the binary for all the users on the machine, because they have the right to do that once they have escalated the privilege. If it fails, so they will try the loop three times, if the exploit fails they will end at the bottom left and only set the persistence for the current user on the machine for the backdoor, because they don't have the right to do more than that. The particularly interesting thing is that this thing was actually a zero-day three weeks ago; it has only been patched in the last Patch Tuesday, from last week, which gives you an idea of the level of technical involvement they have.

So now, if you pass the test of the first-stage implant, if the operators decide that you are an interesting target, they go up to the next stage, which is the actual spying on you: the second-stage implant. They call it Xagent; this is the name they give to the project that is behind all the spying programs. It's actually a framework to create programs, and it has been a long-running development project: we found signs of these binaries from 2006, and we found Windows, Linux and iOS versions in the wild. Basically, an Xagent binary is a set of modules that they chose specifically for the target, and each module implements a small functionality. Then the binary also comes with several ways to communicate with the CNC server, and they can choose different ways depending on the target. Just to give you an idea, in the Windows version, here is the list of modules we found in the different binaries; we don't have a lot of these binaries because, as I said, they are hard to get. The name of the module is actually inside the binary: if you were at the presentation yesterday on C++ reversing from Ijean, you have seen that the RTTI information gives us the name of the class. It is developed in C++ and the RTTI information is inside the binary, so we can get the name chosen by the developer to name the module. So there is a module that is in all binaries, they call it the AgentKernel; like the name implies, it's the execution manager. Then they have what they call a remote keylogger, which is basically a keylogger, and they have a module to enumerate network resources, which is basically the Windows shares, the other computers on the same local network. There is a module that abstracts file system access, and there is a module that monitors all the drives of the machine: they look for very specific file types based on the extension, they look for doc files and they look for cryptographic keys, and if they find one of these files they will extract the file and send it to the CNC server. There is also a module which is just a remote shell.

Regarding the actual communication channels, as I said, for each target it's not necessarily the same communication channels. It's programmed in an object-oriented way, so the kernel doesn't know the actual implementation of a channel; it just knows that it wants to communicate with the CNC, and the actual implementation can be different in each binary. So we have found an HTTP implementation, and an implementation based on emails, so they send emails with SMTP to the CNC server and they retrieve the emails with POP3 to receive orders. We found a binary where the actual communication channel is only by removable drives, so it's probably made for non-Internet-connected machines: they just drop messages on the removable drives and wait for messages coming in from a USB stick, for example. Just to give you an example of an SMTP exfiltration channel we found in the wild: basically, when they want to communicate with the CNC, when they want to exfiltrate some file that they found on the machine, the code will log into this SMTP server, which belongs to the Ministry of Internal Affairs of Georgia. To log into this SMTP server they have a list of four logins, which are real email addresses belonging to the Ministry of Internal Affairs, and they have the passwords hardcoded inside the binary. As you can see, the passwords were probably generated by the user, like the 8x8. So they log into the SMTP server using an existing employee account, then they send an email from the particular account of the employee to an address, also in the same organization, that is hardcoded in the binary, and they attach the file they want to exfiltrate to the operators. Which means that they have the four login passwords of existing employees, and they probably control, they surely control the recipient email address, which probably serves as a central point to gather all the information from the infected computers inside this organization. It also means that the binary was made specifically for this organization, and it's the only communication channel in this binary, so that's another proof of the fact that they compile their Xagent binaries specifically for the target.

Here is a small snippet of the Xagent iOS version that was found six months ago, by Trend Micro actually. You can see here the classes; there are many different classes, but basically they can list the installed applications on the phone, geolocate the phone, record the voice, take screenshots. They also use the same naming, so the communication channel is called xa, for Xagent, HTTP channel, and they forgot to remove the development path inside the binary, so you can see the iOS project Xagent. So there is no doubt it's the same kind of thing.

Finally, the last malware I would like to talk about is a small component they built, as I said at the beginning, to reach physically isolated computers. It's probably just a standalone version of the Xagent communication channel using removable drives. The way it works is the following. You have two computers belonging to the same organization, computer A and computer B. Computer A is connected to the Internet and has already been compromised by the group, so it's under their control. On the other hand, you have computer B, which is not connected to the Internet and is physically isolated, so there is a gap, and it's initially clean. The idea is very simple: someone plugs a USB stick into computer A, then the Sednit group infects the USB key with USB Stealer, which is the name we give to this particular malware, and the infection is actually just a modification of the autorun file of the USB stick. Then someone brings the same USB stick to computer B, probably because they want to transfer some data, and computer B at this point becomes infected by USB Stealer, of course only if it is vulnerable, only if it actually executes the autorun file, which was patched in 2009 by Microsoft. But we can expect air-gapped computers to not necessarily be up to date, and we believe that USB Stealer was also used before 2009. So if computer B is actually infected, it will register its name on the USB stick: the USB Stealer binary got executed on B, and it actually creates a folder with the computer name on the USB stick, which will serve for the operators to know which computers can be reached with the USB stick. Then someone brings the USB stick back to computer A, and at this point the operators know about computer B, because it has registered on the stick; they put commands on the stick for computer B. You guess the next step: the USB stick comes back into computer B, the USB Stealer binary sees the stick, takes the commands, and basically all the commands relate to file searching. These are commands to say, OK, give me all the doc files on this machine that were modified in the last three days, and so the USB Stealer binary executes these commands, grabs the files and puts them onto the USB stick. Finally, the USB stick is brought back into computer A, where the operators can just collect the files. So it's really building a command and control channel based on USB sticks. An interesting thing inside these USB Stealer binaries is that they have a list of hardcoded file names that they look for on the air-gapped machine. We found two different lists in various binaries, and we actually don't know anything about these binary names, so we can guess; but for example talgar.exe, at the bottom right: Talgar is the name of a town in Kazakhstan, so that could be some private application used in some institution that they try to grab. If you recognize one of these file names, I would be very happy if you tell me.

So, last thing: just to give you a very few technical hints on who could be behind this group, as you probably guessed from the bear. A first technical fact is the resource locale ID; if you saw our flash talk yesterday, you have already heard about it. Basically, the resource locale ID is a mechanism on Windows to allow developers to provide resources in different languages. On Windows, resources are the text of a menu, the text of a button, and developers can provide these resources in various languages. The interesting thing is that if you don't select a language manually in the compiler when you insert the resource, the compiler will take the language of the developer's machine and put this value inside the resource ID. That means that when someone doesn't care about it and doesn't know about it, it will be the language of his machine that is written here. As you may have guessed, 1049 is what we found in many Sednit binaries; we also found a lot of binaries with English US, but there are a bunch of binaries that don't have English US, they have 1049, which is Russian. So that's the first technical fact: when you find a lot of binaries over the years with this value, it's kind of a pretty strong proof. Another thing we found in an Xagent binary is a debug path that they forgot to remove, where it's written in Cyrillic "administrator my documents", so that's a kind of mistake they can make. Of course, this could have been forged by someone who wants to point the finger at the Russians, but given the amount of small technical proofs we got over the years, it's very likely that these are Russian-speaking developers, which doesn't mean, of course, that it's Russia as a state that is behind it. If you want a more aggressive version of the attribution, you can read the FireEye report on this group.

So just as a conclusion, I tried to convince you that the Sednit group is really doing long-running operations mainly focused on geopolitics, and they are technically pretty good; they always renew themselves, in particular for the infection methods. And just some final thanks to Sébastien Duquette, I don't know if he is here, because he works with me on the exploit kit, and to all the ESET Canada team, and by the way we are hiring. So thank you for your attention.
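The talk describes the first-stage backdoor hiding each CNC request behind a decoy HTTP POST to google.com that gets a 404, and polling the CNC every 30 minutes. The following is an added example written for this page, not code from the talk or from ESET: a small hunt over proxy logs that pairs a failed POST to a decoy host with the next request from the same client, then measures the interval between those follow-up requests to expose the polling period. The log format, the client addresses and the host `updatesoft-check.example` are constructed sample data.

```python
"""Hunt for the 'decoy request then CNC request' beaconing pattern.

Added example for the pattern described in the talk, not code from the
talk itself.  The log lines below are a constructed, simplified proxy log:
"<ISO time> <client> <method> <host> <path> <status>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log.  10.0.0.5 shows the pattern twice, 30 minutes
# apart; 10.0.0.9 has a lone 404 with nothing close behind it; 10.0.0.7 is benign.
SAMPLE_LOG = """\
2015-03-02T10:00:01 10.0.0.5 GET www.example.org /index.html 200
2015-03-02T10:00:07 10.0.0.5 POST google.com /a8f3kq2/zx9 404
2015-03-02T10:00:08 10.0.0.5 POST updatesoft-check.example /q3f8/ 200
2015-03-02T10:30:07 10.0.0.5 POST google.com /p0o9i8/u7 404
2015-03-02T10:30:09 10.0.0.5 POST updatesoft-check.example /q3f8/ 200
2015-03-02T10:31:00 10.0.0.9 POST google.com /search 404
2015-03-02T10:45:00 10.0.0.9 GET news.example.net / 200
2015-03-02T11:00:00 10.0.0.7 GET google.com / 200
"""

# Hosts the implant is known to use purely as cover traffic (from the talk: google.com).
DECOY_HOSTS = {"google.com", "www.google.com"}
# How close the real request must follow the decoy to be treated as paired.
PAIR_WINDOW = timedelta(seconds=5)


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, client, method, host, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host.lower(), "path": path, "status": int(status)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_decoy_beacons(entries, window=PAIR_WINDOW):
    """Return sorted (client, host, count) for hosts repeatedly contacted right
    after a failed POST to a decoy host by the same client."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    hits = defaultdict(int)
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, e in enumerate(events):
            if not (e["host"] in DECOY_HOSTS and e["method"] == "POST" and e["status"] == 404):
                continue
            for follow in events[i + 1:]:
                if follow["ts"] - e["ts"] > window:
                    break  # nothing paired with this decoy inside the window
                if follow["host"] not in DECOY_HOSTS:
                    hits[(client, follow["host"])] += 1
    return sorted((c, h, n) for (c, h), n in hits.items())


def beacon_intervals(entries, client, host):
    """Seconds between successive requests from client to host; a flat series
    (e.g. ~1800 s) is the polling period the talk mentions."""
    times = sorted(e["ts"] for e in entries if e["client"] == client and e["host"] == host)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for client, host, count in find_decoy_beacons(log):
        print(client, host, count, beacon_intervals(log, client, host))
```

On real proxy data the window and the decoy host set are the knobs to tune; the pairing alone yields false positives on busy clients, which is why the interval series is reported next to it.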
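The speaker explains that the implant copies the timestamps of a Windows system library onto every binary it drops, so that the file does not look newly created. As an added example (not code from the talk), here is the forensic check that turns that trick against the attacker: any file in a user-writable directory whose timestamps match a system library to the second is worth a second look. The fake `system32/kernel32.dll` and the dropped files are constructed in a temporary directory so the script runs on any OS.

```python
"""Find dropped files whose timestamps were cloned from a system library.

Added example for the timestomping trick described in the talk, not code
from the talk.  The 'system library' and the dropped files are constructed
stand-ins inside a temporary directory.
"""
import os
import tempfile
from datetime import datetime


def file_times(path):
    """Return (mtime, atime) truncated to whole seconds.  Cloned timestamps are
    copied as a set, so comparing two of them is enough to spot a clone."""
    st = os.stat(path)
    return (int(st.st_mtime), int(st.st_atime))


def find_timestamp_clones(reference_path, candidate_dir):
    """Paths under candidate_dir whose (mtime, atime) equal reference_path's."""
    ref = file_times(reference_path)
    clones = []
    for root, _dirs, files in os.walk(candidate_dir):
        for name in files:
            path = os.path.join(root, name)
            if file_times(path) == ref:
                clones.append(path)
    return sorted(clones)


def demo():
    """Build a constructed scenario and return the base names of flagged files."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for a Windows system library with an old timestamp.
        lib = os.path.join(root, "system32", "kernel32.dll")
        os.makedirs(os.path.dirname(lib))
        with open(lib, "wb") as f:
            f.write(b"MZ stand-in")
        old = datetime(2009, 7, 14, 1, 14, 0).timestamp()
        os.utime(lib, (old, old))

        drop_dir = os.path.join(root, "AppData")
        os.makedirs(drop_dir)
        # A benign file keeps the real (current) timestamps.
        with open(os.path.join(drop_dir, "notes.txt"), "w") as f:
            f.write("benign")
        # A 'dropped' file whose timestamps were stomped to match the library.
        stomped = os.path.join(drop_dir, "svchost_update.exe")
        with open(stomped, "wb") as f:
            f.write(b"MZ stand-in dropper")
        os.utime(stomped, (old, old))

        return [os.path.basename(p) for p in find_timestamp_clones(lib, drop_dir)]


if __name__ == "__main__":
    print(demo())
```

In a real investigation the reference set would be the timestamps of every DLL in the system directory, and on NTFS the `$FILE_NAME` timestamps (which `os.utime` cannot change) give a second, independent signal.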
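The USB Stealer relay described above starts with a modified autorun file on the stick, which is the artifact a defender gets to inspect first. This added example (not code from the talk or from ESET) parses an `autorun.inf` and reports which executables it would launch on insertion, distinguishing a harmless icon/label file from one that starts a program. Both `autorun.inf` texts below are constructed samples; the `RECYCLER` path and the SID-like folder name in the second one are made up.

```python
"""Triage of an autorun.inf taken from a removable drive.

Added example, not code from the talk.  The two autorun.inf samples are
constructed; they are not files recovered from the group.
"""
import configparser
import posixpath

# Keys under [autorun] that cause a program to run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Extensions that indicate an executable launch target.
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".com", ".pif"}

# Constructed benign sample: only sets an icon and a volume label.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Photos
"""

# Constructed suspicious sample: launches a program hidden in a RECYCLER subfolder.
SUSPICIOUS_AUTORUN = """\
[autorun]
open=RECYCLER\\S-1-5-21-1482476501\\svcsync.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501\\svcsync.exe
"""


def parse_autorun(text):
    """Return the [autorun] section as a lower-cased key -> value dict."""
    # interpolation=None keeps '%SystemRoot%' literal; strict=False tolerates
    # duplicate keys, which hand-edited autorun files often contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("autorun")}


def launch_targets(entries):
    """Executables the file would launch, normalised to forward slashes, deduplicated."""
    targets = []
    for key in LAUNCH_KEYS:
        value = entries.get(key)
        if not value:
            continue
        # Take the program path, dropping any arguments and surrounding quotes.
        program = value.split()[0].strip('"').replace("\\", "/")
        if posixpath.splitext(program)[1].lower() in EXEC_EXT and program not in targets:
            targets.append(program)
    return targets


def assess(text):
    """Summarise an autorun.inf: what it launches and a verdict."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    return {
        "launches": targets,
        "verdict": "suspicious" if targets else "benign",
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, assess(sample))
```

The verdict is deliberately coarse: any launch entry on a removable drive is worth escalating, since legitimate autorun files on sticks rarely need one, and the talk notes that the autorun path only works on hosts missing the 2009 fix.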