12 tweets, 2 min read
🔥 Interesting research about The Dukes (aka APT29 and Cozy Bear) from ESET.
welivesecurity.com/2019/10/17/ope…

To save somebody time: it's 40 pages. Some interesting info in the thread below.
RegDuke: first-stage implant (.NET, obfuscated via .NET Reactor)
Standard switch/case-inside-a-loop workflow.
Persistence via WMI (a WMI consumer named MicrosoftOfficeUpdates; it is launched every time a process named WINWORD.EXE is started)
- read the encrypted file from a hardcoded or in-registry path
- decrypt (PBKDF2) with a hardcoded password and a salt stored in the registry:
HKLM\SOFTWARE\Intel\MediaSDK\Dispatch\0102 => PathCPA / CPAmodule / Init
HKLM\SOFTWARE\Intel\MediaSDK\Dispatch\hw64-s1-1 => RootPath / APIModule / Stack
HKLM\SOFTWARE\Microsoft\MSBuild\4.0 => MSBuildOverrideTasksPath / DefaultLibs / BinaryCache
After decoding, the .exe is loaded via Assembly.Load (are you still planning to collect ETW .NET traces? ;) Start now.)
Then the in-memory payload gets a new C&C from a Dropbox image (standard steganography: the last 2 bits of each pixel's color).
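An added example (not code from the thread or from ESET's paper) of the decoding step an analyst would write to recover data hidden in the two low bits of each colour channel; the NUL-terminated framing, the cover image and the C&C string are assumptions constructed for the demo.

```python
from typing import Iterable, List, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), each 0..255

def lsb2_bits(pixels: Iterable[Pixel]):
    """Yield the two low bits of every channel, R then G then B, high bit first."""
    for r, g, b in pixels:
        for channel in (r, g, b):
            yield (channel >> 1) & 1
            yield channel & 1

def extract_lsb2(pixels: Iterable[Pixel]) -> bytes:
    """Repack the 2-LSB stream into bytes; stop at the first NUL (assumed terminator)."""
    out, byte, nbits = bytearray(), 0, 0
    for bit in lsb2_bits(pixels):
        byte, nbits = (byte << 1) | bit, nbits + 1
        if nbits == 8:
            if byte == 0:
                break
            out.append(byte)
            byte, nbits = 0, 0
    return bytes(out)

def embed_lsb2(cover: List[Pixel], payload: bytes) -> List[Pixel]:
    """Builds the constructed fixture only: writes payload + NUL into the cover's 2 LSBs."""
    bits = [(value >> i) & 1 for value in payload + b"\x00" for i in range(7, -1, -1)]
    if len(bits) > 6 * len(cover):
        raise ValueError("cover image too small for payload")
    it = iter(bits)
    stego = []
    for r, g, b in cover:
        chans = []
        for channel in (r, g, b):
            hi, lo = next(it, 0), next(it, 0)
            chans.append((channel & ~0x03) | (hi << 1) | lo)
        stego.append((chans[0], chans[1], chans[2]))
    return stego

def lsb_delta(cover: List[Pixel], stego: List[Pixel]) -> int:
    """Largest per-channel change between the images (2-LSB embedding never exceeds 3)."""
    return max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q))

# Constructed 8x4 "cover image" and a constructed C&C string (not real IOCs).
COVER: List[Pixel] = [((x * 37) % 256, (y * 91) % 256, (x * y * 13) % 256)
                      for y in range(4) for x in range(8)]
SAMPLE_C2 = b"update.example.test"

if __name__ == "__main__":
    stego = embed_lsb2(COVER, SAMPLE_C2)
    print(extract_lsb2(stego), "max channel delta:", lsb_delta(COVER, stego))
```

Because the per-channel change is at most 3, the modified image is visually indistinguishable from the original, which is why a defender has to inspect the bit stream rather than the picture.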
MiniDuke: 2nd stage (pure x86 assembly):
*Search API functions by hash
*GET, POST and PUT communication with C2 via HTTP
*send and receive data over a named pipe (say hello to P2P Command and Control)
*tunneling via port 8080
FatDuke: the third stage
Persistence:
standard registry \CurrentVersion\Run entry «Canon Gear» => C:\Program Files\Canon\NetworkScanGear\Canocpc.exe
Configuration hardcoded (encrypted) in the resource section.
C&C communication via HTTP (mimics the installed browser)
To get the installed browser the implant uses 2 techniques:
1) Starting an HTTP server on port 80. ShellExecuteW with open http://localhost: the server replies with simple JavaScript code which directly closes the browser.
The User-Agent is parsed from the HTTP request.
2) If the previous method does not work, it checks the default browser in the registry HKCU\Software\Classes\http\shell\open\command and selects one of the hardcoded user-agent strings.
The C&C servers used are registered domains with variants of existing domain names, and the homepage of the C&C server redirects to the homepage of the real domain. (From outside it looks like a domain registered to prevent cybersquatting or typosquatting.)
Obfuscation: string stacking + basic operations on the stacked strings, opaque predicates, junk code (beacon size 13+ MB)
The binary contains many strings from different projects like Chromium. It tries to bypass next-gen AI products :) Say hello to Cylance AI Module skylightcyber.com/2019/07/18/cyl…
Keep Current with Den Iuzvyk