So, my name is Paul Rascagnères, I work for the G DATA SecurityLabs, more specifically on malware analysis of targeted attacks, or more or less every cool stuff. And I'm not only a malware analyst, I write some private articles about radio-frequency hacking or how to open a physical safe in a hotel when you are bored, this kind of stuff. So, I think everybody is awake, everybody is ready, I'm going to give a talk of about one hour of assembly language. No, I'm just kidding. In fact, I'm going to present a few tools used by what I call the Uroburos actors, so that's more or less the plan. We have worked on this group for more than one year, and we were able to create a kind of timeline of tools we think were developed by the same guys or the same group. Why? Because sometimes they copy-paste some parts of code, they use the same encryption keys, et cetera; I will speak about this after. So I'm speaking about a group that started to work in 2006, a group that has worked basically for 10 years on offensive topics. In 2006 we found something called Agent.BTZ, and a few years after they made some evolution of it and created something called Carbon, or sometimes Cobra, it depends on which security company is speaking. You will see it's really complicated: for the same malware we generally have at least five names, and Uroburos or Snake or Turla, et cetera, it's the same sample. So I will present each project, its functionality, how it works, et cetera, and at the end I will speak about attribution, because I must speak about attribution, but we will see it's not so easy.
So the first case is Agent.BTZ and ComRAT. In fact, if you look here, for me it's the same malware, but during the first years the evolution was really slow, only patching and small features, et cetera, and in 2013 they changed more or less half of the malware, so that's why we decided to rename it, but it's really in the continuity. Here is the number of samples we identified over the last years, so we can see it was really used in 2007, then the number of samples decreased, and it reappeared in 2012, and in fact that's the ComRAT version of the malware. Here I created a small table to show you the evolution. The percentage you can see is the difference between two versions of the malware, because in this case the developers put versioning in it, so I can easily say it's this version and this one, et cetera, and do a bindiff between two versions. So we can see at the beginning that 10% of the code is different, et cetera, and here we have a big difference: only 60% of the code is similar. It's the switch from Agent.BTZ to ComRAT with new functionality, and they changed the compiler too; if you change the compiler the binary will be different, that's why it's so different. After that the differences are really small. The 1.5 version was used against the US Pentagon in 2008, I think, something like that; you can read a lot of papers about this topic. And here is where, from our point of view, Agent.BTZ becomes ComRAT. In a few binaries, not all binaries, the developers forgot to remove the compilation path, so we can see the internal name of the project is Chinch, or Chinch64 for the 64-bit version. The features of this malware are really common: it allows you to execute commands, download files, upload files, et cetera. All the requests are performed over HTTP, and in the first version of Agent.BTZ the developers implemented USB media infection thanks to autorun, which was enabled by default on Windows XP.
So when someone connected a USB key to an infected machine, it automatically created an autorun file, and when the USB key was connected to another machine, it was automatically executed and automatically installed. Microsoft removed this feature in Windows 7, it's not enabled by default, so the developers decided to remove this functionality because it doesn't work anymore. Just for information, for the US Pentagon case, if you read the press, apparently someone found a USB key in the car park, took it and plugged it in inside the US Pentagon, and that's how the first infection was performed. In the last version of ComRAT the developers implemented a new trick to become persistent, because of course every malware in general wants to start automatically on reboot of the system. We can use some tools like Sysinternals Autoruns or other tools to list every program started when the system starts, and in this case, to not appear in the list of executed programs, the malware uses a COM object. In Windows everything is a COM object, and they create a COM object with the same name as an existing one, and thanks to this trick, when an application uses this legitimate COM object, it's not the legitimate code that is executed but the DLL installed by the attackers. With this trick, for the moment I didn't see any tool that lists the COM objects created and the COM objects executed during boot or during execution of legitimate binaries, et cetera. In this case they hijacked the functionality used to increase the contrast of the window; basically it's not used by a lot of people, so they can hijack it, and if it doesn't work it's not a big problem because nobody really uses it. Another interesting point: in every sample, from the beginning to today, it's always the same XOR encryption key, which you can see there. And this key was used in every case basically. So that was for the first one.
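The speaker says no tool listed the COM object ComRAT registered on top of a legitimate one. The check below is an added example, written for this page and not code from the talk or from G DATA: COM resolves a CLSID through HKCU\Software\Classes before HKLM\Software\Classes, so a per-user InprocServer32 that names a different DLL than the machine-wide one is exactly the shadowing the talk describes. The CLSIDs, paths and registry snapshots are constructed; on a live Windows host `read_clsid_hive` reads the real hives with the standard-library `winreg` module and returns an empty dict elsewhere.

```python
"""Spot CLSIDs whose per-user InprocServer32 shadows the machine-wide server.

Added example (not from the talk or from G DATA). A COM hijack of the kind the
talk describes registers an existing CLSID under HKCU with the attacker's DLL;
the legitimate HKLM registration stays in place, so autorun-style listings do
not flag it. Comparing the two hives exposes the substitution.
"""
from dataclasses import dataclass
import ntpath

# Constructed snapshots: CLSID -> InprocServer32 default value (server DLL path).
HKLM_CLSID = {
    "{11111111-AAAA-BBBB-CCCC-000000000001}": r"C:\Windows\System32\shell32.dll",
    "{11111111-AAAA-BBBB-CCCC-000000000002}": r"C:\Windows\System32\oleaut32.dll",
    "{11111111-AAAA-BBBB-CCCC-000000000003}": r"C:\Windows\System32\msctf.dll",
}
HKCU_CLSID = {
    # Same CLSID as a machine-wide object, but served from a user-writable directory.
    "{11111111-AAAA-BBBB-CCCC-000000000002}": r"C:\Users\bob\AppData\Local\Temp\mskeyprotect.dll",
    # Benign: the same server re-registered per user (case/separator differences only).
    "{11111111-AAAA-BBBB-CCCC-000000000003}": r"c:/windows/system32/MSCTF.DLL",
    # Per-user-only registration: nothing machine-wide is being shadowed.
    "{22222222-AAAA-BBBB-CCCC-000000000009}": r"C:\Users\bob\AppData\Local\Foo\foo.dll",
}


@dataclass(frozen=True)
class Finding:
    clsid: str
    expected_dll: str   # what HKLM says the server is
    actual_dll: str     # what HKCU makes COM load instead


def _norm(path):
    """Normalise a Windows path for comparison (quotes, separators, case)."""
    return ntpath.normcase(ntpath.normpath(path.strip('"').strip()))


def find_shadowed_clsids(hklm, hkcu):
    """Return every CLSID present in both hives whose HKCU InprocServer32
    resolves to a different DLL than the HKLM one."""
    findings = []
    for clsid, user_dll in hkcu.items():
        machine_dll = hklm.get(clsid)
        if machine_dll is None:
            continue  # per-user-only object; not a hijack of an existing one
        if _norm(user_dll) != _norm(machine_dll):
            findings.append(Finding(clsid, machine_dll, user_dll))
    return findings


def read_clsid_hive(root_name):
    """Read CLSID -> InprocServer32 from the live registry. Windows only:
    winreg is unavailable elsewhere, in which case an empty dict is returned."""
    try:
        import winreg
    except ImportError:
        return {}
    root = winreg.HKEY_LOCAL_MACHINE if root_name == "HKLM" else winreg.HKEY_CURRENT_USER
    result = {}
    with winreg.OpenKey(root, r"Software\Classes\CLSID") as clsid_key:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(clsid_key, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                result[clsid] = winreg.QueryValue(clsid_key, clsid + r"\InprocServer32")
            except OSError:
                pass  # object has no in-process server (e.g. LocalServer32 only)
    return result


if __name__ == "__main__":
    live = (read_clsid_hive("HKLM"), read_clsid_hive("HKCU"))
    hklm, hkcu = live if live[1] else (HKLM_CLSID, HKCU_CLSID)
    for f in find_shadowed_clsids(hklm, hkcu):
        print(f"{f.clsid}: HKLM={f.expected_dll} but HKCU={f.actual_dll}")
```

The comparison deliberately ignores which DLL is "suspicious": the fact that a user-level registration overrides a system object at all is the finding, and an analyst then confirms which application loads that CLSID at boot.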
The first one is really simple to analyze: it's an old product, it works in user land, it creates one thread, they don't use big obfuscation, et cetera. The second one, created a few years after, is Cobra or Pfinet, it depends on which company. This one is more complicated, and they use some really funny tricks to complexify the analysis and the detection of the malware. For example, they use a legitimate file to store the configuration. On a Windows system you've got an inf directory with a lot of .inf files, and in one of these legitimate files the malware adds a stanza with its configuration. So you have this file, you must have this file, but it simply adds its configuration at the top of the file. In this case it says that the root directory of the malware is in accessories and US, and this directory is generated randomly when the malware is installed. So on every machine you will have a different directory, and on every machine a different .inf file will be used to store this configuration. How does this malware work? In this case it's much more complicated: the malware is divided into three parts. In one part you've got the orchestrator, called "system" by the developers; this one stays in the background and is used to handle requests. In the other part you've got the payload, called "user" by the attackers; it generates requests to the orchestrator and the results are given back to the payload. So the design is more complicated, and they have a configuration to avoid putting configuration in the binary. In this case they use encryption to store the configuration, and I copied here an example of configuration. You've got an object, it's simply an ID to identify the machine. You've got iproc, the list of processes into which the malware will be injected; in this case the malware is injected into Internet Explorer, Outlook, MSN, Firefox, Opera, Chrome, every browser and email client. And here you've got an exclusion list of processes into which the malware will not be injected.
The other part of the configuration concerns the network. It's the command and control used by the malware. Here we've got four command and control servers. One is located in Iran and one in France, and I don't remember for the other ones, but it's not really important. When the malware wants to exfiltrate data it randomly uses one of these domains, and if the domain is down it switches to another one. So basically if you blacklist only one domain, it's as if you did nothing. The other part of the configuration is the transport protocol: it's how the orchestrator speaks with the payload injected into browsers. In this case it uses a named pipe, and the named pipe name is "comnap" here. And something really useful for analysts is that they provide versioning, so we are able to create a timeline and to know which version is used, et cetera. So for the system, the payload injected, no, for the orchestrator it's 3.61 and for the payload it's 3.62. Something really useful too, from my point of view: they create a log file. It was encrypted, but once you decrypt it you can have every action performed on the machine. Typically you've got a slide with the definition of each letter, but you can see when the malware started, stopped, et cetera, and in which process it's injected; for example, here we can see it's injected into explorer.exe. You can see the web requests here, for example. You can see when the malware is sleeping, et cetera. Basically you can trace all the activity, and you can see when the malware was installed, because the oldest log entry is when the malware was installed. So it's a more complicated design, but the purpose is exactly the same as previously: code execution, file download, file upload, and they have a plugin management system.
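The two passages above describe what a decrypted Cobra/Carbon configuration and activity log contain: a machine ID, an injection list and an exclusion list, several C&C addresses, a named-pipe transport, two version numbers, and a log whose oldest entry dates the installation. The triage script below is an added example, not code from the talk or from G DATA: the INI layout, section and key names, letter codes and every value in it are constructed for illustration (only the field meanings come from the talk), and decryption is assumed to have already happened. It turns the two artefacts into the facts an incident responder needs first, including the full domain block list the talk says is needed because blocking one domain just makes the sample fail over to the next.

```python
"""Triage a (decrypted) Cobra/Carbon-style configuration and activity log.

Added example, not code from the talk or from G DATA. Layout, key names, letter
codes and values are constructed; field meanings follow the talk.
"""
import configparser
from collections import Counter
from datetime import datetime

# Constructed, already-decrypted configuration (sections/keys are assumptions).
SAMPLE_CONFIG = r"""
[NAME]
object_id = 8f3c2a1d-0000-4000-8000-000000000000
iproc = iexplore.exe,outlook.exe,msnmsgr.exe,firefox.exe,opera.exe,chrome.exe
exclude = svchost.exe,wininit.exe

[CW_INET]
address = c2-one.example.net:80,c2-two.example.org:443,c2-three.example.com:80,c2-four.example.info:80

[TRANSPORT]
system_pipe = \\.\pipe\comnap

[VERSION]
system = 3.61
user = 3.62
"""

# Constructed decrypted log: "<timestamp>|<letter code>|<detail>". The letter
# codes (S start, E stop, I inject, W web request, Z sleep) are assumptions.
SAMPLE_LOG = """
2013-06-02 09:14:11|S|service start
2013-06-02 09:14:12|I|explorer.exe
2013-06-02 09:14:30|I|iexplore.exe
2013-06-02 09:15:02|W|http://c2-two.example.org/index.php?id=8f3c2a1d
2013-06-02 09:15:03|Z|3600
2013-06-03 10:15:00|W|http://c2-one.example.net/index.php?id=8f3c2a1d
2013-06-03 10:15:01|I|outlook.exe
2013-06-03 18:00:00|E|service stop
"""

LOG_CODES = {"S": "start", "E": "stop", "I": "inject", "W": "web_request", "Z": "sleep"}


def parse_config(text):
    """Return the configuration as a dict of typed fields (lists split on commas)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)

    def split(value):
        return [item.strip() for item in value.split(",") if item.strip()]

    return {
        "object_id": cp["NAME"]["object_id"],
        "inject": split(cp["NAME"]["iproc"]),
        "exclude": split(cp["NAME"]["exclude"]),
        "c2": split(cp["CW_INET"]["address"]),
        "pipe": cp["TRANSPORT"]["system_pipe"],
        "version": {"system": cp["VERSION"]["system"], "user": cp["VERSION"]["user"]},
    }


def parse_log(text):
    """Return log entries as (datetime, action, detail) tuples, oldest first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, code, detail = line.split("|", 2)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        entries.append((when, LOG_CODES.get(code, "unknown:" + code), detail))
    return sorted(entries)


def triage(config_text, log_text):
    """Combine configuration and log into a first-response summary."""
    cfg = parse_config(config_text)
    log = parse_log(log_text)
    # Every configured domain must be blocked: the sample fails over to the next one.
    block_domains = sorted({addr.rsplit(":", 1)[0] for addr in cfg["c2"]})
    injected = sorted({detail for _, action, detail in log if action == "inject"})
    contacted = sorted({detail.split("/")[2] for _, action, detail in log if action == "web_request"})
    return {
        "installed_at": log[0][0].isoformat(sep=" ") if log else None,  # oldest entry
        "block_domains": block_domains,
        "configured_but_not_seen": sorted(set(block_domains) - set(contacted)),
        "injected_processes": injected,
        "pipe": cfg["pipe"],
        "versions": cfg["version"],
        "action_counts": dict(Counter(action for _, action, _ in log)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `configured_but_not_seen` field is the point of the exercise: domains that never appear in the log are still live fallbacks in the configuration, so a block list built only from observed traffic is incomplete.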
So they are able to push libraries, for example to have, I don't know, a keylogger feature or to be able to switch on the microphone, I don't know, everything is possible, and they have an efficient plugin system. So Cobra or Carbon, or whatever the name, is what we call a user-land-centric snake, because we will see after that the authors often use the image of a snake to name their malware. In this case we have two components that speak together in user land, one used to handle everything and the second one used to exfiltrate data, to steal information in the browser, et cetera. The last version we know about from this group is the Uroburos, Snake or Turla malware. It's always a snake, but this time they decided to switch from user land to kernel land. So the malware is not running, as previously, in the user's context or things like that, but it's executed in the kernel, as a driver. And thanks to this choice they are able to do more interesting stuff. For example, they are able to hook, to modify the behavior of internal functions of Microsoft. They are able to create a DPI monitor. They are able to put some filters on the network to be able to catch information directly in the network flow, basically. And to do that they had to bypass some kernel protections put in place by Microsoft; I will explain after. And something fun: they use a virtual file system. You cannot see it, it's not mapped to a drive, but in fact they have an NTFS file system mounted in memory, and they are able to put files, get files, et cetera, like a kind of NAS. So why Uroburos? It's a reference to a Greek word for a snake that eats its own tail, like this drawing, and the string is coded in the binary: it's "Uroburos got you". So it's a name chosen by the developers. The malware is composed of two files: the driver first, and a file that is the virtual file system I mentioned before. It's an encrypted one. So, just some tricks they use on the kernel side.
First, when the malware is loaded, the first thing they do is to remove the beginning of the binary. You can see "This program cannot be run in DOS mode", so it's basically the beginning of a Windows binary. But at the beginning you've got only zeros here: they simply replace the beginning of the loaded driver with zeros. Why? Because I think, if we have people from incident response teams here, you often use Volatility to analyze memory dumps. And typically Volatility is looking for the beginning of strings, it's looking for the MZ stuff. So if you use Volatility on an infected machine, Volatility didn't see the loaded driver, because it's looking for the pattern of the beginning of the binary, and in this case it's null, so the tool will never see the loaded driver. After the publication we made about this topic, Volatility was patched, and now it's able to detect it even if the beginning of the binary is wiped in memory. Another trick is they use the pool tag "Ntfs", and it's a legitimate pool tag used by the NTFS driver, the real one. And WinDbg, for example, trusts this tag and says to you, oh yeah, this driver, don't care about it, it's the NTFS driver, simply because the authors chose the same name. So if you list every driver on the infected machine you can see a driver with a null name, so that's our bad driver. And if you look at every object linked to this driver you can see something called FWPM callout; it's in fact a network mini-filter, I will speak about that after. And you can see how this one, this one is the part that handles the virtual file system loaded in memory. One interesting thing is that the malware performs some hooks on interesting internal functions of Microsoft. To perform this task the malware puts an interrupt at the beginning of the function. For example, at the beginning of the IoCreateDevice function you've got an int 3, and normally you don't have that.
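The talk explains why a memory scanner keyed on the "MZ" magic misses a driver whose DOS header has been zeroed in memory. The scanner below is an added example written for this page, not code from the talk, from G DATA or from the Volatility project: it builds a constructed "memory dump" holding one intact PE header and one whose first 0x40 bytes were wiped, shows that a naive MZ scan finds only the first, and then locates both by searching for the `PE\0\0` signature and sanity-checking the COFF and optional-header fields that follow it, reporting whether the DOS header in front of each hit is still intact.

```python
"""Find PE images in a memory buffer even when the MZ/DOS header was zeroed.

Added example (not from the talk, G DATA or Volatility). A scanner that anchors
on 'MZ' never sees an image whose first bytes were wiped; anchoring on the
'PE\0\0' signature and validating the headers behind it does. All buffers are
constructed.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics


def build_pe_image(machine=IMAGE_FILE_MACHINE_AMD64, num_sections=3):
    """Constructed minimal PE header: DOS header + stub text, COFF header, optional-header magic."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    opt_size = 0xF0 if machine == IMAGE_FILE_MACHINE_AMD64 else 0xE0
    coff = struct.pack(COFF_FMT, machine, num_sections, 0, 0, 0, opt_size, 0x2022)
    magic = PE32PLUS_MAGIC if machine == IMAGE_FILE_MACHINE_AMD64 else PE32_MAGIC
    optional = struct.pack("<H", magic) + bytes(opt_size - 2)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + optional


def wipe_dos_header(image, n=0x40):
    """Simulate the in-memory trick: the first n bytes (the DOS header) become zeros."""
    return bytes(n) + image[n:]


def scan_mz(buf):
    """Naive scan: offsets of an 'MZ' header whose e_lfanew points at 'PE\0\0'."""
    hits, pos = [], 0
    while (pos := buf.find(IMAGE_DOS_SIGNATURE, pos)) != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if buf[pos + e_lfanew:pos + e_lfanew + 4] == IMAGE_NT_SIGNATURE:
                hits.append(pos)
        pos += 1
    return hits


def _dos_header_intact(buf, pe_offset, max_back=0x1000):
    """True if some 'MZ' header before pe_offset has an e_lfanew pointing exactly at it."""
    for k in range(0x40, min(pe_offset, max_back) + 1):
        start = pe_offset - k
        if buf[start:start + 2] == IMAGE_DOS_SIGNATURE:
            if struct.unpack_from("<I", buf, start + 0x3C)[0] == k:
                return True
    return False


def scan_pe_signature(buf):
    """Robust scan: every 'PE\0\0' followed by a plausible COFF header, with the
    Machine field and whether the DOS header in front of it has been wiped."""
    hits, pos = [], 0
    while (pos := buf.find(IMAGE_NT_SIGNATURE, pos)) != -1:
        hdr = pos + 4
        if hdr + 22 <= len(buf):
            machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, buf, hdr)
            magic = struct.unpack_from("<H", buf, hdr + 20)[0]
            plausible = (
                machine in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64)
                and 1 <= nsec <= 96                      # PE spec caps sections at 96
                and magic in (PE32_MAGIC, PE32PLUS_MAGIC)
                and opt_size >= 0x60                     # smaller than any real optional header
            )
            if plausible:
                hits.append({"pe_offset": pos, "machine": machine,
                             "dos_header_wiped": not _dos_header_intact(buf, pos)})
        pos += 1
    return hits


def build_sample_memory():
    """Constructed dump: padding, an intact x86 image, padding, an x64 image with a wiped DOS header."""
    intact = build_pe_image(IMAGE_FILE_MACHINE_I386)
    wiped = wipe_dos_header(build_pe_image(IMAGE_FILE_MACHINE_AMD64))
    return bytes(0x1000) + intact + bytes(0x1000) + wiped + bytes(0x1000)


if __name__ == "__main__":
    mem = build_sample_memory()
    print("MZ scan:", [hex(h) for h in scan_mz(mem)])
    for hit in scan_pe_signature(mem):
        print(f"PE at {hit['pe_offset']:#x} machine={hit['machine']:#x} wiped={hit['dos_header_wiped']}")
```

On a real dump the header sanity checks matter more than in the constructed buffer: the four bytes `PE\0\0` occur by chance in ordinary data, so without validating Machine, NumberOfSections and the optional-header magic the robust scan would drown in false positives.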
So the malware modifies the beginning of the function in order to generate an interrupt and execute its own code instead of the legitimate one. So it's not really interesting. Here you've got the code of the malware. I created a small Python script to list every hooked function on an infected machine: I simply take every function and look if I've got an int at the beginning. If I've got this interrupt at the beginning, it's a hooked function, it's not so complicated. And here you've got all the functions hooked by the malware. So basically the malware modifies the way Microsoft Windows handles the registry, processes, drivers and the file system. So when you try to list files in a specific directory, Explorer asks Windows what kind of files I've got here, and Windows automatically jumps into the malware code. The malware code decides if it wants to show you the file in the directory or not, goes back to Explorer, and you've got the output. So basically I spoke about a virtual file system, the .dat file, and the hooked functions are used to hide this file. If you go into the directory you cannot see the file. Even if you use Process Explorer or MS-DOS or whatever you wish, every tool will show you no file. It's the same for the registry key used to automatically start the malware, to load the driver at boot: if you go into the registry and you try to see if the key is here, you will not see the startup key. And it's the same thing for a lot of stuff. So you cannot trust an infected system. You must take a memory dump and analyze the memory dump of the infected system on a clean system. So what is the Windows Filtering Platform? It's an API provided by Microsoft to create network filters. In this case the malware creates a kind of deep packet inspection and is able to sniff the network, looking for a specific pattern.
For example, it was used on named pipes: when a machine tried to connect to a named pipe on the infected machine, the malware looked at the network, and when it saw a specific pattern it said, oh yeah, I've got an order, I need to do something. And here is how the malware detects the order: it's looking for a specific string in the network flow. If it has this specific string, it knows that an order follows and it needs to do something. So it's completely passive: the malware doesn't ask for orders, it's waiting to receive orders. The other interesting part is the virtual file system I mentioned. The fun thing is it's mounted in memory. You cannot access it with your Explorer, but you can access it from MS-DOS. If you do dir \\.\Hd1\, you can see all the files stored in the virtual file system in memory. So all the tools used by the attackers and temporarily put in this virtual file system can be listed thanks to this trick. In the case I worked on I saw a queue file, I will mention after what the queue file is, a log file, and additional tools such as RAR to compress data, a pass-the-hash tool, a dump-the-hash tool, et cetera. So it's really common reconnaissance tooling. In the virtual file system, I don't know if you can read it, you can see a queue file and a klog file. It's the log file and the queue file; the queue file is encrypted too and contains configuration, C&C configuration for example, and it contains DLLs. And in fact the rootkit, the driver, does not directly communicate with the Internet. It injects a DLL in user land, in the browser typically, and this DLL in the browser will contact the C&C on the Internet. So it's the same kind of design as previously. Previously we had an orchestrator and a payload, and we have exactly the same thing, but the orchestrator is now in the kernel. So it's simply an evolution of Cobra. The design is more or less the same.
So, yeah, the injected DLL in the browser is used like a proxy in fact. The kernel sends to your browser the request to go to the Internet; your browser receives the request and sends to the kernel the order of what it has to do. The DLL was named by the attackers inj_snake_Win32.dll, or Win64 of course; I copied this. And this communication can be performed over HTTP, so it's directly a web request performed by the browser, but the communication can also be performed over SMTP, ping, et cetera. So it's really modular and the attackers can configure it how they want. So, I explained that it's a driver loaded in memory that hooks functions, et cetera. But Microsoft did a lot of work to prevent this approach. Directly, it's impossible to add the int 3 at the beginning of a function: if you do that on Windows 7 64-bit, the system crashes. Microsoft prefers to kill your system rather than let you do that. So normally it's not possible to do that. In this case, the malware simply creates a hook before the hook control: it modifies the behavior of the hook control that checks if hooks are performed. It simply does this task before, and it works. It modifies the KeBugCheckEx function to never say a hook is here; it always says everything is good, everything is good. That's the first trick, and they use another trick. On Windows 7 64-bit, directly, you are not able to load an unsigned driver. If the driver is not signed, you cannot load it. But if you are a developer, you are able to switch your system into test mode and load your driver during the development period, et cetera. If you do that on your Windows, it's simply a command in MS-DOS, you will see at the bottom right a message that explains to you that you are in test mode. That's the screenshot I put here. So if an attacker wants to load an unsigned driver, he must switch to test mode. But the user is able to see this text and say, oh, it's weird, normally I'm not in test mode, something is wrong.
In this case, the developers use a trick and use a legitimate driver to load the bad driver. So how did they do that? VirtualBox released a driver, I don't know, in 2008, so it's a really old binary. VirtualBox is a legitimate tool and it's signed by the company that created it. And of course this driver can be loaded. But a vulnerability exists in this binary, in this old driver, and this vulnerability allows switching an arbitrary memory address to zero. And what the attackers did is they decided to switch the test mode from one to zero. So they look for the address of the test-mode-enabled flag, yes or no, and they switch it from yes to no. As the driver is signed and legitimate, the driver is able to do this task. And once they have switched off the signature enforcement, they are able to load the unsigned driver afterwards. Here it's step by step: they load the VirtualBox driver, use a symbolic link, et cetera, to switch off the signature enforcement. It's simply one line. Here is how to do this task: it's simply one line of code to switch off the driver signature enforcement. Something really interesting is that the VirtualBox driver certificate is presently expired, and it has been expired for three years, something like that. But Microsoft doesn't support expiration of the certificate. So if you use a certificate to sign a driver and it's expired, no problem, Microsoft loads it; it doesn't take the expiration date into account. So that's one point. And the other thing is I never saw a company revoke a certificate in case of a vulnerability. I never saw that. Usually a company revokes a certificate only when the certificate is compromised, but not for each bug they had. And it's impossible to deal with this philosophy. So basically it's another problem of the certificate ecosystem from my point of view. And the stuff about the driver signing protection: it was the first time we saw this approach, in this malware. It was a new trick during the analysis. And the Uroburos case included some other exploits too.
So they have exploits to get administrator privileges to be able to install the driver, typically. And they include a lot of exploits. Concerning the command and control, I saw two kinds of C&C: dedicated servers, from my point of view only used by the attackers to do the job, and legitimate compromised websites. So we have three kinds of malware, three qualities of malware. And how do the attackers work? Basically they always work with the same approach. They start with an exploit on a legitimate website, or a spear-phishing campaign to target entities. The first installed malware is a reconnaissance tool called Wipbot or Tavdig. It's really not an important malware. The purpose is simply to infect the machine, get information and decide if the machine is relevant or not. If the machine is not interesting, the malware is cleaned and the machine is okay. If the machine is interesting, at this time the actors switch to a second malware, and the second malware is Cobra or Uroburos, depending on the customers or the targets. And for each infection we saw, it's always the same modus operandi. Wipbot and Tavdig are typically there to get information on the infected machine and to validate if it's an interesting machine or not. So it takes the OS, it takes the hostname, the domain, because thanks to the domain we basically know who is infected, because every company has a domain with the name of the company; it's the same for governments basically. They get the time zone to be sure the guy is in the right time zone, et cetera. Once this first step is done and they have access to a first machine, the next step is to compromise more machines in the infrastructure. Basically they compromise a lot of workstations, they compromise internal servers, and they compromise a server or two on the border, directly connected to the Internet. Basically the server on the border is an HTTP server, a website, or an Exchange server. They compromise the Exchange server to communicate with the Internet directly if they want, because it's connected to the Internet.
It works as designed. In the case I saw, the compromised servers inside the infrastructure were basically file sharing servers, Windows file sharing, because all the interesting information of a company is located on file share servers. And on the Internet side you've got the C&C managed by the attackers. So once they have this infrastructure in place in the targeted company, they use classic post-exploitation tools like Mimikatz. In fact they take the source code of Mimikatz and add some features such as encryption of the output, et cetera. So it's exactly the same code with some obfuscation and encryption features. They use pass-the-hash and pass-the-ticket tools. At the beginning they used pass-the-hash, but due to new security in companies, et cetera, they switched to pass-the-ticket, so they use the Kerberos tickets on Microsoft to bounce from one machine to another. And they use custom PsExec binaries that use the hashes or the tickets to make remote connections to the machines in the network. Something interesting is what kind of targets we have. In 2008 we have the US Pentagon; it's the first publicly known target of this group, there is a Wikipedia article if you're interested. We published the Uroburos case in February 2014, and we simply said that due to the complexity we think it targets really important companies or entities or governments, because it's not cybercrime, typically it's too complicated. Two months after our publication, the Belgian Ministry of Foreign Affairs publicly announced they were compromised by Uroburos. In August, after our publication, Kaspersky published their own analysis of what they call Epic Snake, and they mentioned that this malware targets governments, embassies, military, research organizations, pharmaceutical groups. And in September the Finnish Ministry of Foreign Affairs announced that they were compromised by this malware too. And we know a lot of other targets and other compromised entities or governments.
But it's not publicly available, so I don't mention them. Visibly the group targets a lot of Ministries of Foreign Affairs of a lot of different countries. So, attribution. And I suggest you come to our talk with Joan; I don't know if it's today or tomorrow. Today? Okay. Because we will speak about attribution and why it's not so easy. During the analysis we found usage of the same encryption key, the same file names in some malware; Uroburos checks if Agent.BTZ is installed before installing itself, et cetera. So we have strong links between each sample. And in one or two samples the developers, we think, forgot to remove the language used by the compiler, and the language used by the compiler was Russian. Another thing is the usernames of the developers. We found Vlad, Yurik, Gilg. I don't know, I know we have a Russian guy here, maybe it will ring a bell for him. But as always, it's easy to modify a username, and tomorrow I can make a program with a Vlad username. So, yeah. In 2011 a journalist from Reuters wrote an article about the compromise of the US Pentagon, and he wrote that the US government strongly suspects that the original attacks were crafted by Russian intelligence. So it confirms what we expected. And it was the same thing for the Belgian case: a journalist in Belgium explained that there is probably a Russian route in this case. So thanks for your attention. That's it for me; if you have questions, feel free to ask.