,
6 tweets,
35 min read
Read on Twitter
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec Next on the show we talked #APT29's early adoption of cross-platform scripting language backdoors. Their primary backdoor in 2014's #NoEasyBreach was the Python-based implant we call SEADADDY.
Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.
35/n
Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.
35/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec We're finally seeing cross-platform script backdoors as a much wider trend. (Payloads in Go, D, etc). We highlighted this in our 2019 predictions:
For Python fans specifically, @byt3bl33d3r released #SilentTrinity last year: github.com/byt3bl33d3r/SI…
36/n
For Python fans specifically, @byt3bl33d3r released #SilentTrinity last year: github.com/byt3bl33d3r/SI…
36/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r The Python-based SEADADDY (SeaDuke) implant became APT29's workhorse for years, but we agree with @FSecure/@lehtior2's awesome 2015 deepdive on "The Dukes" that it emerged in mid-2014. READ: labsblog.f-secure.com/2015/09/17/the…
37/n
37/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 Hidden in layers of Python obfuscation, Py2Exe or PyInstaller wrapping, and UPX-packing, was plaintext Python.
We watched APT29 actively develop the underlying Python within those ~9 new SEADADDY samples-per-day.
Weekly tweaks, 3 major revisions.
7 persistence mechanisms.
38/n
We watched APT29 actively develop the underlying Python within those ~9 new SEADADDY samples-per-day.
Weekly tweaks, 3 major revisions.
7 persistence mechanisms.
38/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 Watching Python backdoors change may sound easy. It wasn't: active dev focused on evading us.
When #APT29 built SSL into SEADADDY's comms to compromised C2, we lost them. Until we found new ways to profile x509 w/ Bro & track Python-initiated SSL (early TLS fingerprinting).
39/n
When #APT29 built SSL into SEADADDY's comms to compromised C2, we lost them. Until we found new ways to profile x509 w/ Bro & track Python-initiated SSL (early TLS fingerprinting).
39/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 Quick shout-out to the @salesforce team for standardizing & scaling TLS profiling with #JA3 in 2017, and later #JA3S[erver]. 💙 simplified sharing of suspicious SSL.
👀 DETAILS:
40/n
👀 DETAILS:
40/n
