Dyre Straits: Money For Nothing

Want to know a great way to make your boss very, very angry? Hand your username and password to your company’s corporate bank account over to the bad guys. If you just couldn’t resist opening that PDF with an embedded flash exploit containing the Upatre trojan downloader, guess what….you’ve done just that, as Dyre has installed and claimed their latest victim. This malware has accounted for millions of corporate dollars stolen in the last 6 months and shows no signs of slowing down. This presentation will explore the symptoms, attacker methodologies, and remediation steps necessary to combat this threat to your hard earned cash.
Published on: Mar 4, 2016
Published in: Presentations & Public Speaking      
Source: www.slideshare.net


Transcripts - Dyre Straits: Money For Nothing

  • 1. DYRE STRAITS (Pondurance)
  • 2. DYRE STRAITS AGENDA • Incident Notification • Threat Research • Incident Scoping – Option A • Incident Scoping – Option B • Incident Scoping – Option C • Exploring the Kill Chain • Dyre Evolution
  • 3. DYRE STRAITS NOTIFICATION OF THE INCIDENT <- Public IP
  • 4. DYRE STRAITS
  • 5. DYRE STRAITS HOW IT WORKS
    • The Dyre trojan first attempts to contact its C2 servers over an encrypted SSL connection. If that fails, it falls back to addresses produced by a domain generation algorithm (DGA) or to hardcoded Invisible Internet Project (I2P) addresses.
    • When the user enters their bank's URL in the browser, the trojan is triggered and forwards the request to the proxy server listed for that bank in its configuration file.
    • The MITM proxy server forwards the request to the bank, posing as the real user.
    • The bank's response is intercepted by the proxy server.
    • Instead of the real response, the user receives a fake login page hosted on the proxy server; it reuses scripts and resources from the real bank's page, stored in folders named after the unique port configured for each bank.
    • The information the user enters goes to the proxy server and is then forwarded to the real bank server, so the attacker logs in in place of the user and performs operations on their behalf.
    • Once the attacker has everything needed, they can remotely access the victim's computer through a built-in VNC (Virtual Network Computing) module to perform transactions, exfiltrate data, and more.
  • 6. DYRE STRAITS
  • 7. DYRE STRAITS SAMPLES FROM THE WILD
    Below is a list of subject lines observed in 2015 Dyre phishing campaigns:
    • "Wire transfer receive"
    • "Medicines here"
    • "Complaint against your company"
    • "Payment Advice - advice Ref:[xxxxxx]/CHAPS credits"
    • "Company repor" (note the missing t in "report")
    • "Wire transfer complete"
    • "Important – New Outlook Settings"
    • "Your Documen" (note the missing t in "Document")
    • "Voice Message"
    • "Employee Documents – Internal Use"
    • "Fwd Wire Payment"
    *Personally witnessed those in bold (bold emphasis is not preserved in this transcript)
  • 8. DYRE STRAITS
  • 9. DYRE STRAITS SAMPLES FROM THE WILD (CONT.)
    Payload downloads:
    • hxxp://aaepablog.com/aaepa/inst_s12.pdf (IP: 50.87.144.171)
    • hxxp://acmeeconnect.com/dropbox/ml1from2.tar (IP: 107.190.133.12)
    • hxxp://aixact.com/Docs/ml1from2.tar (IP: 213.186.33.19)
    • hxxp://allcommerc.com/wp-includes/pomo/eulaa.pdf (IP: 62.149.144.49)
    • hxxp://www.onoranzefunebricarrara.it/public/eulaa.pdf (IP: 62.149.128.151, 62.149.131.204)
    • hxxp://angkosoteknologi.co.id/fonts/manualac.pdf (IP: 23.92.215.218)
    • hxxp://cgksolutions.com/files/manualac.pdf (IP: 62.149.128.166, 62.149.140.202)
    • hxxp://creazionidarte.it/mandoc/seo21.pdf (IP: 62.149.128.74, 62.149.131.67)
    • hxxp://cwvancouver.com/cp/images/digits/arrowu.jpg (IP: 71.18.62.202)
    • hxxp://dipford.com/mandoc/info22.pdf (IP: 209.235.144.9)
    • hxxp://dms-online-files.com/pdfs/prewa.pdf (IP: 206.188.192.13)
    • hxxp://ettfire.com/js/ml2from2.tar (IP: 66.175.58.9)
    • hxxp://gumtek.com/wp-includes/pomo/sw_docb.pdf (IP: 50.87.148.213)
    • hxxp://harveyouellet.com/TOXICOUSTIQUE/arrowu.jpg (IP: 192.185.35.92)
    • hxxp://houndsofcullen.com/mandoc/eula022.pdf (IP: 198.136.54.104)
    • hxxp://manualtatex.com/mandoc/eula022.pdf (IP: 69.49.115.33)
    • hxxp://marodz.republika.pl/1/manualec.pdf (IP: 213.180.150.17)
    • hxxp://metflex.uk.com/images/t_image.jpg (IP: 91.103.217.10)
    • hxxp://tickto.com/apk/ml1from2.tar (IP: 50.23.103.91)
    • hxxp://posharpstore.com/Google/ml1from2.tar (IP: 162.254.162.184)
    • hxxp://utokatalin.ro/administrator/ml2from2.tar (IP: 86.106.30.102)
    • hxxp://vimax-marireapenisului.ro/docuv.pdf (IP: 195.78.124.14)
    • hxxp://rx-liquid.ro/docuv.pdf (IP: 195.78.124.14)
    • hxxp://washcount.org/Documentation/file_u21.pdf (IP: 216.224.135.21)
    • hxxp://www.geothermole.com/mandoc/gb_eule.pdf (IP: 81.21.76.62)
    • hxxp://www.wholesalesyntheticmotoroil.com/mandoc/story_su21.pdf (IP: 192.163.217.66)
    • hxxp://zac-buero.de/mandoc/ml1from1.tar (IP: 78.143.39.41)
    • hxxp://best-synthetic-motor-oil.com/file_k12.pdf (IP: 192.163.217.66)
  • 10. DYRE STRAITS SAMPLES FROM THE WILD (CONT.)
    Command and control resiliency
    • Since Dyre's inception it has relied on a set of hard-coded proxy servers to reach its backend infrastructure. The threat actors added two fallback mechanisms to keep control of the botnet when the proxies are unreachable: a domain generation algorithm and a plugin that integrates with the I2P anonymization network.
    Domain generation algorithm
    • Like other malware families, Dyre uses a domain generation algorithm (DGA) seeded by the current date. It generates 1,000 34-character domains per day, each appended to one of eight country-code top-level domains (ccTLDs): .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. As the samples below show, each name is a lowercase letter followed by 33 hex digits. The following domains were generated for December 8, 2014:
    y3aaa48a7056d7075c3760cdbd90a75b8f.cc
    z376dfe4955a257a78944864dd0158d172.ws
    a8377c5a7c390331b15c1df94fa745e38a.to
    ba3be71036fc2c06d603a2b17d41ffe71a.in
    c9cca04cec2588918820cf33ba4337cca8.hk
    dec4f75e53d7202136164e2b26456dabdf.cn
    e3d68349d47efa0d5a9a92b1239bc4d48c.tk
    f85db5ce8675f53b61f00ca0e822a33312.so
  • 11. DYRE STRAITS SAMPLES FROM THE WILD (CONT.)
    System level indicators (if exploitation succeeds):
    • Copies itself to C:\Windows\[RandomName].exe
    • Creates a service named "Google Update Service" by setting the following registry values:
      • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
      • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"
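The persistence indicator on slide 11 is a service that borrows Google Update's name while its binary sits as a random-named exe directly under C:\Windows. The following is an added example (not Pondurance's tooling and not from the deck) of how to turn that into a host check: given service records (name, display name, ImagePath), it flags any "Google Update" lookalike whose binary is not Google's updater, and any service whose binary lives directly in the Windows directory. The sample records are constructed; the expected location of the real updater under Program Files\Google\Update is an assumption, not something the slide states.

```python
"""Host triage check for the Dyre persistence indicator on slide 11.
Added example, not Pondurance's tooling. The service records below are
constructed; on a live host they would come from the
HKLM\\SYSTEM\\CurrentControlSet\\Services key or from
Get-CimInstance Win32_Service (Name, DisplayName, PathName)."""
import re

# Where the genuine Google Update service binary lives (assumption about the
# expected path; the slide does not state it).
LEGIT_GOOGLE_UPDATE = re.compile(
    r"^[a-z]:\\program files( \(x86\))?\\google\\update\\googleupdate\.exe$", re.I)
# An executable sitting directly in the Windows directory (not System32 etc.),
# which is where the slide says Dyre copies itself.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)

# Constructed sample: one legitimate Google Update entry, one Dyre-style
# masquerade using the ImagePath from the slide, one unrelated service.
SAMPLE_SERVICES = [
    {"Name": "gupdate", "DisplayName": "Google Update Service (gupdate)",
     "ImagePath": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    {"Name": "googleupdate", "DisplayName": "Google Update Service",
     "ImagePath": r"C:\WINDOWS\pfdOSwYjERDHrdV.exe"},
    {"Name": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]


def executable_from_image_path(image_path):
    """Strip quotes and arguments from a service ImagePath, leaving the exe.
    Simplification: an unquoted path containing spaces is cut at the first space."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    return p.split(" ", 1)[0]


def check_service(svc):
    """Return the reasons (possibly none) a service record matches the indicator."""
    reasons = []
    name = svc["Name"].lower()
    display = svc["DisplayName"].lower()
    exe = executable_from_image_path(svc["ImagePath"])
    claims_google = (name.startswith("gupdate") or name.startswith("googleupdate")
                     or "google update" in display)
    if claims_google and not LEGIT_GOOGLE_UPDATE.match(exe):
        reasons.append("Google Update name but binary is not Google's updater")
    if WINDOWS_ROOT_EXE.match(exe):
        reasons.append("service binary sits directly under the Windows directory")
    return reasons


def suspicious_services(services):
    """Names of the services that trip at least one check."""
    return [s["Name"] for s in services if check_service(s)]


if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        for reason in check_service(svc):
            print(f"{svc['Name']}: {reason} ({svc['ImagePath']})")
```

Run across a fleet, the two checks are deliberately independent: the name check catches this campaign's specific masquerade, while the Windows-root check catches the next sample that picks a different service name but keeps the same drop location.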
  • 12. DYRE STRAITS WHILE WE WERE INVESTIGATING THE PHISHING INCIDENT…
    • Same company requested a separate incident response engagement related to an internal threat
    • Claimed a user had stolen hundreds of thousands of dollars from a corporate bank account
    • Claimed the user colluded with a coworker to gain privileged rights to their banking portal to initiate a wire transfer
    • Right away it was blatantly obvious Dyre had done its job, but I suppose it wasn't so obvious to the customer
    • We were able to clear the user of any wrongdoing after confirming the presence of the malware on the user's systems
    • Proved to their insurance provider they met their "due diligence" requirements and were reimbursed for the loss
    • Placed even more pressure on our team to fix this issue QUICKLY
  • 13. DYRE STRAITS SCOPING THE INCIDENT – OPTION A REACTIVE
    1. Locate hosts associated with the users that Salesforce identified as compromised in the initial alert
    2. Acquire memory
    3. Pull from network
    4. Perform filesystem forensics to determine the timestamp of compromise and recover the malware (Dyre and Cutwail)
    5. Perform email forensics to recover the phishing email
    6. Perform forensics on browsing history to determine whether any online web portals were accessed since that time
    7. Change credentials for the web portals that were accessed, for all credentials resident on the system, and for the user's email
    8. Reimage the affected system to eliminate all threats
  • 14. DYRE STRAITS SCOPING THE INCIDENT – OPTION A REACTIVE
    We're not done yet…using threat intel from the initial findings:
    9. Search email logs to find phishing emails sent to other users
    10. Search DNS logs to find systems requesting the known malicious domains
    11. Search firewall logs for the known malicious IPs
    12. Submit malware samples (don't forget Cutwail) to the AV vendor for signature creation
    13. If another affected system is found, repeat steps 2-8 from the previous slide
    14. Repeat
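The "we're not done yet" sweep on slide 14 is three log searches driven by the intel on slides 7, 9 and 10 (campaign subject lines, payload-download domains and IPs, and the DGA output). Below is an added example of that sweep, not Pondurance's tooling and not code from the deck: it runs the subject-line, DNS and firewall searches over constructed log lines and returns the internal hosts that then need the per-host steps of slide 13. The log formats (a Postfix-style mail log with subject logging enabled, a BIND-style query log, an iptables-style firewall log) and the internal IP addresses are assumptions. The DGA check matches only the shape visible on slide 10 (one letter, 33 hex digits, one of the eight ccTLDs); it is not a reimplementation of Dyre's generator and cannot predict future domains.

```python
"""Indicator sweep for the log searches on slide 14 (mail, DNS, firewall) using
the intel from slides 7, 9 and 10. Added example, not Pondurance's tooling.
Log formats are assumptions and every log line below is constructed."""
import re

# Indicators copied from the deck (a subset of the full lists on slides 7 and 9).
PHISH_SUBJECTS = {"wire transfer receive", "company repor", "your documen",
                  "voice message", "fwd wire payment"}
KNOWN_DOMAINS = {"aaepablog.com", "acmeeconnect.com", "dms-online-files.com",
                 "washcount.org"}
KNOWN_IPS = {"50.87.144.171", "107.190.133.12", "206.188.192.13",
             "216.224.135.21"}

# Shape of the DGA names on slide 10: one lowercase letter, 33 hex digits
# (34 characters) and one of eight ccTLDs. Shape only, not Dyre's generator.
DGA_TLDS = ("cc", "ws", "to", "in", "hk", "cn", "tk", "so")
DGA_RE = re.compile(r"^[a-z][0-9a-f]{33}\.(?:%s)$" % "|".join(DGA_TLDS))

# Assumed log formats (see lead-in).
MAIL_RE = re.compile(r'to=<(?P<rcpt>[^>]+)>.*subject="(?P<subj>[^"]*)"')
DNS_RE = re.compile(r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN ")
FW_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+)")

# Constructed sample logs.
MAIL_LOG = """\
Dec  8 08:55:10 mx1 postfix/cleanup[1201]: 7F2A1: to=<alice@corp.example>, subject="Company repor"
Dec  8 08:55:12 mx1 postfix/cleanup[1201]: 7F2A2: to=<bob@corp.example>, subject="Q4 budget review"
Dec  8 08:55:15 mx1 postfix/cleanup[1201]: 7F2A3: to=<carol@corp.example>, subject="Fwd Wire Payment"
"""
DNS_LOG = """\
08-Dec-2014 09:12:01.113 client 10.1.4.22#51234: query: aaepablog.com IN A + (10.1.0.5)
08-Dec-2014 09:12:07.220 client 10.1.4.22#51240: query: y3aaa48a7056d7075c3760cdbd90a75b8f.cc IN A + (10.1.0.5)
08-Dec-2014 09:13:44.900 client 10.1.7.90#40011: query: www.google.com IN A + (10.1.0.5)
08-Dec-2014 09:15:02.001 client 10.1.7.90#40012: query: a8377c5a7c390331b15c1df94fa745e38a.to IN A + (10.1.0.5)
08-Dec-2014 09:16:10.500 client 10.1.9.3#33001: query: update.microsoft.com IN A + (10.1.0.5)
"""
FW_LOG = """\
Dec  8 09:12:03 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=50.87.144.171 PROTO=TCP DPT=80
Dec  8 09:14:11 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.7.90 DST=93.184.216.34 PROTO=TCP DPT=443
Dec  8 09:16:30 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.9.3 DST=216.224.135.21 PROTO=TCP DPT=80
"""


def phished_recipients(mail_log):
    """Mail log search: users who received a message with a known campaign subject."""
    hits = []
    for line in mail_log.splitlines():
        m = MAIL_RE.search(line)
        if m and m.group("subj").strip().lower() in PHISH_SUBJECTS:
            hits.append((m.group("rcpt"), m.group("subj")))
    return hits


def dns_hits(dns_log):
    """DNS log search: clients resolving known payload domains or DGA-shaped names."""
    hits = []
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        src, qname = m.group("src"), m.group("qname").lower().rstrip(".")
        if qname in KNOWN_DOMAINS or any(qname.endswith("." + d) for d in KNOWN_DOMAINS):
            hits.append((src, qname, "known payload domain"))
        elif DGA_RE.match(qname):
            hits.append((src, qname, "DGA-shaped name"))
    return hits


def firewall_hits(fw_log):
    """Firewall log search: clients that connected to known payload IPs."""
    hits = []
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m.group("dst") in KNOWN_IPS:
            hits.append((m.group("src"), m.group("dst"), "known payload IP"))
    return hits


def hosts_to_triage(dns_log, fw_log):
    """Union of source hosts from both network sweeps: each gets steps 2-8 of slide 13."""
    return sorted({h[0] for h in dns_hits(dns_log)} |
                  {h[0] for h in firewall_hits(fw_log)})


if __name__ == "__main__":
    for rcpt, subj in phished_recipients(MAIL_LOG):
        print(f"phished: {rcpt} ({subj!r})")
    for hit in dns_hits(DNS_LOG) + firewall_hits(FW_LOG):
        print("network:", *hit)
    print("hosts to pull from network:", hosts_to_triage(DNS_LOG, FW_LOG))
```

The DGA shape match is a hunting heuristic for logs already collected, not a blocking rule: a 34-character hex-looking label under .cc or .to is rare in normal traffic but not impossible, so every DGA hit should be confirmed on the host before it goes into the reimage queue. Exact domain and IP matches from slide 9 need no such confirmation and are what belong in the DNS sinkhole and firewall block lists.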
  • 15. DYRE STRAITS SCOPING THE INCIDENT – OPTION B PROACTIVE Install NSM Sensor and look at it
  • 16. DYRE STRAITS SCOPING THE INCIDENT – OPTION B PROACTIVE
    1. Pull from network
    2. Perform filesystem forensics to determine the timestamp of compromise and recover the malware (Dyre and Cutwail)
    3. Perform email forensics to recover the phishing email
    4. Perform forensics on browsing history to determine whether any online web portals were accessed since that time
    5. Change credentials for the web portals that were accessed, for all credentials resident on the system, and for the user's email
    6. Reimage the affected system to eliminate all threats
    7. Submit malware samples (don't forget Cutwail) to the AV vendor for signature creation
  • 17. DYRE STRAITS SCOPING THE INCIDENT – OPTION C PROACTIVE ADVANCED
    1. Let Live Response forensically analyze the affected systems (we'll have this done before you can even locate the system)
    2. Pull from network
    3. Change credentials for the web portals that were accessed, for all credentials resident on the system, and for the user's email
    4. Reimage the affected system to eliminate all threats
    5. Submit malware samples (don't forget Cutwail) to the AV vendor for signature creation
  • 18. DYRE STRAITS EXPLORING THE KILL CHAIN
    1. Email Delivered
    2. Attachment Opened
    3. Exploit Launched
    4. Trojan Dropper Installed
    5. Trojan Dropper Beacons
    6. Payload Delivered
    7. Payload Installed
    8. Command and Control Established
    9. Credentials Captured
    10. Bank Portal Accessed
  • 19. DYRE STRAITS EMAIL DELIVERY
    Email filter such as IronPort
    1. Block certain attachment types such as .scr, .exe, .zip, .rar
    2. File inspection
    3. Source reputation filters
  • 20. DYRE STRAITS ATTACHMENT OPENED
    Attacker uses social engineering
    1. Awareness training is key
    2. Red team exercises
    3. If an incident is underway, alert users via announcements of the known subject lines, senders, etc.
  • 21. DYRE STRAITS EXPLOIT LAUNCHED
    In the case we investigated the phishing emails were using a flash exploit that leveraged CVE-2013-2729 (patched in May 2013!!1!)
    • Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727
    • Note that CVE-2013-2729 is an Adobe Reader/Acrobat vulnerability delivered via the PDF attachment, so the relevant patch is the Reader/Acrobat update, not a Flash Player update
  • 22. DYRE STRAITS TROJAN DROPPER INSTALLATION • AV Client • Whitelisting • HIPS
  • 23. DYRE STRAITS TROJAN DROPPER BEACON • NIPS (must have active blocking signature) • Sinkhole domains in DNS Server • On the fly executable analyzer
  • 24. DYRE STRAITS PAYLOAD INSTALLED • AV Client • Whitelisting • HIPS
  • 25. DYRE STRAITS COMMAND AND CONTROL/CREDENTIALS CAPTURED • NIPS (must have active blocking signature) • Sinkhole domains in DNS Server
  • 26. DYRE STRAITS ACCESS TO BANK PORTAL • Restrict access to only those who need it • Two Factor Authentication • Regularly Change Credentials • Only access portals from specific systems…a VM perhaps with a clean snapshot?
  • 27. DYRE STRAITS EVOLUTION OF DYRE
  • 28. DYRE STRAITS JUST THIS MONTH…
    • The latest version of Dyre includes sandbox-evasion capabilities, making analysis much more difficult
    • It checks the number of hardware processors to decide whether it is running in a virtual analysis environment (a single-core system is a common sandbox tell), and it also looks for network services such as DNS
  • 29. DYRE STRAITS PARTING THOUGHTS • Patch your third party applications • Keep AV up to date • Use NSM to catch successful attacks in real time when prevention fails • Conduct regular awareness training so users aren’t so quick to click • Set up a process for users to forward suspicious emails to security team for analysis
  • 30. DYRE STRAITS ANY QUESTIONS? John Henderson Sr. Security Analyst john.henderson@pondurance.com Pondurance
  • 31. DYRE STRAITS SOURCES • malware-traffic-analysis.net • Secure Works • F5 • US-CERT • Emerging Threats
  • 32. DYRE STRAITS John Henderson Sr. Security Analyst QUESTIONS? DYRE STRAITS
