Summary

Total Articles Found: 2

Top sources:

Top Keywords:

Top Authors

Top Articles:

  • FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash
  • CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

Published: 2019-04-23 17:45:00

Popularity: 76

Author: Michael Bailey

Keywords:

  • James T. Bennett
  • Malware
  • Threat Research
  • CARBANAK
  • FLARE
  • Michael Bailey
  • Latest Blog Posts
  • Homepage Carousel
  • 🤖: "Hacked again"

    FireEye has observed the certificate most recently being served on the following IPs (Table 4):

    IP

    Hostname

    Last Seen

    104.193.252.151:443

    vds2.system-host[.]net

    2019-04-26T14:49:12

    185.180.196.35:443

    customer.clientshostname[.]com

    2019-04-24T07:44:30

    213.227.155.8:443

     

    2019-04-24T04:33:52

    94.156.133.69:443

     

    2018-11-15T10:27:07

    185.174.172.241:443

    vds9992.hyperhost[.]name

    2019-04-27T13:24:36

    109.230.199.227:443

     

    2019-04-27T13:24:36

    Table 4: Recent Test Company certificate use

    While these IPs have not been observed in any CARBANAK activity, this may be an indication of a common developer or a shared toolkit used for testing various malware. Several of these IPs have been observed hosting Cobalt Strike BEACON payloads and METERPRETER listeners. Virtual Private Server (VPS) IPs may change hands frequently and additional malicious activity hosted on these IPs, even in close time proximity, may not be associated with the same users.

    I also parsed an unprotected private key from the source code dump. Figure 4 and Table 5 show the private key parameters at a glance and in detail, respectively.


    Figure 4: Parsed 512-bit private key

    Field

    Value

    bType

    7

    bVersion

    2

    aiKeyAlg

    0xA400 (CALG_RSA_KEYX) – RSA public key exchange algorithm

    Magic

    RSA2

    Bitlen

    512

    PubExp

    65537

    Modulus

    0B CA 8A 13 FD 91 E4 72 80 F9 5F EE 38 BC 2E ED

    20 5D 54 03 02 AE D6 90 4B 6A 6F AE 7E 06 3E 8C

    EA A8 15 46 9F 3E 14 20 86 43 6F 87 BF AE 47 C8

    57 F5 1F D0 B7 27 42 0E D1 51 37 65 16 E4 93 CB

    P

    8B 01 8F 7D 1D A2 34 AE CA B6 22 EE 41 4A B9 2C

    E0 05 FA D0 35 B2 BF 9C E6 7C 6E 65 AC AE 17 EA

    Q

    81 69 AB 3D D7 01 55 7A F8 EE 3C A2 78 A5 1E B1

    9A 3B 83 EC 2F F1 F7 13 D8 1A B3 DE DF 24 A1 DE

    Dp

    B5 C7 AE 0F 46 E9 02 FB 4E A2 A5 36 7F 2E ED A4

    9E 2B 0E 57 F3 DB 11 66 13 5E 01 94 13 34 10 CB

    Dq

    81 AC 0D 20 14 E9 5C BF 4B 08 54 D3 74 C4 57 EA

    C3 9D 66 C9 2E 0A 19 EA C1 A3 78 30 44 52 B2 9F

    Iq

    C2 D2 55 32 5E 7D 66 4C 8B 7F 02 82 0B 35 45 18

    24 76 09 2B 56 71 C6 63 C4 C5 87 AD ED 51 DA 2ÂŞ

    D

    01 6A F3 FA 6A F7 34 83 75 C6 94 EB 77 F1 C7 BB

    7C 68 28 70 4D FB 6A 67 03 AE E2 D8 8B E9 E8 E0

    2A 0F FB 39 13 BD 1B 46 6A D9 98 EA A6 3E 63 A8

    2F A3 BD B3 E5 D6 85 98 4D 1C 06 2A AD 76 07 49

    Table 5: Private key parameters

    I found a value named PUBLIC_KEY defined in a configuration header, with comments indicating it was for debugging purposes. The parsed values are shown in Table 6.

    Field

    Value

    bType

    6

    bVersion

    2

    aiKeyAlg

    0xA400 (CALG_RSA_KEYX) – RSA public key exchange algorithm

    Magic

    RSA1

    Bitlen

    512

    PubExp

    65537

    Modulus

    0B CA 8A 13 FD 91 E4 72 80 F9 5F EE 38 BC 2E ED

    20 5D 54 03 02 AE D6 90 4B 6A 6F AE 7E 06 3E 8C

    EA A8 15 46 9F 3E 14 20 86 43 6F 87 BF AE 47 C8

    57 F5 1F D0 B7 27 42 0E D1 51 37 65 16 E4 93 CB

    Table 6: Key parameters for PUBLIC_KEY defined in configuration header

    Network Based Indicators

    The source code and binaries contained multiple Network-Based Indicators (NBIs) having significant overlap with CARBANAK backdoor activity and FIN7 operations previously observed and documented by FireEye. Table 7 shows these indicators along with the associated FireEye public documentation. This includes the status of each NBI as it was encountered (active in source code, commented out, or compiled into a binary). Domain names are de-fanged to prevent accidental resolution or interaction by browsers, chat clients, etc.

    NBI

    Status

    Threat Group Association

    comixed[.]org

    Commented out

    Earlier CARBANAK activity

    194.146.180[.]40

    Commented out

    Earlier CARBANAK activity

    aaaabbbbccccc[.]org

    Active

     

    stats10-google[.]com

    Commented out

    FIN7

    192.168.0[.]100:700

    Active

     

    80.84.49[.]50:443

    Commented out

     

    52.11.125[.]44:443

    Commented out

     

    85.25.84[.]223

    Commented out

     

    qwqreererwere[.]com

    Active

     

    akamai-technologies[.]org

    Commented out

    Earlier CARBANAK activity

    192.168.0[.]100:700

    Active

     

    37.1.212[.]100:700

    Commented out

     

    188.138.98[.]105:710

    Commented out

    Earlier CARBANAK activity

    hhklhlkhkjhjkjk[.]org

    Compiled

     

    192.168.0[.]100:700

    Compiled

     

    aaa.stage.4463714.news.meteonovosti[.]info

    Compiled

    DNS infrastructure overlap with later FIN7 associated POWERSOURCE activity

    193.203.48[.]23:800

    Active

    Earlier CARBANAK activity

    Table 7: NBIs and prevously observed activity

    Four of these TCP endpoints (80.84.49[.]50:443, 52.11.125[.]44:443, 85.25.84[.]223, and 37.1.212[.]100:700) were new to me, although some have been documented elsewhere.

    Conclusion

    Our analysis of this source code dump confirmed it was CARBANAK and turned up a few new and interesting data points. We were able to notify vendors about disclosures that specifically targeted their security suites. The previously documented NBIs, Windows API function resolution, backdoor command hash values, usage of Windows cabinet file APIs, and other artifacts associated with CARBANAK all match, and as they say, if the shoe fits, wear it. Interestingly though, the project itself isn’t called CARBANAK or even Anunak as the information security community has come to call it based on the string artifacts found within the malware. The authors mainly refer to the malware as “bot” in the Visual Studio project, filenames, source code comments, output binaries, user interfaces, and manuals.

    The breadth and depth of this analysis was a departure from the usual requests we receive on the FLARE team. The journey included learning some Russian, searching through a hundred thousand of lines of code for new information, and analyzing a few dozen binaries. In the end, I’m thankful I had the opportunity to take this request.

    In the next post, Tom Bennett takes the reins to provide a retrospective on his and Barry Vengerik’s previous analysis in light of the source code. Part Four of CARBANAK Week is available as well.

    ...more

    FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash

    Published: 2019-04-15 15:00:00

    Popularity: 151

    Author: Carlos Garcia Prado

    Keywords:

  • tools
  • Threat Research
  • Flash
  • FLARE
  • Carlos Garcia Prado
  • Latest Blog Posts
  • Homepage Carousel
  • Adobe Flash is one of the most exploited software components of the last decade. Its complexity and ubiquity make it an obvious target for attackers. Public sources list more than one thousand CVEs being assigned to the Flash Player alone since 2005. Almost nine hundred of these vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of nine or higher.

    After more than a decade of playing cat and mouse with the attackers, Adobe is finally deprecating Flash in 2020. To the security community this move is not a surprise since all major browsers have already dropped support for Flash.

    A common misconception exists that Flash is already a thing of the past; however, history has shown us that legacy technologies linger for quite a long time. If organizations do not phase Flash out in time, the security threat may grow beyond Flash's end of life due to a lack of security patches.

    As malware analysts on the FLARE team, we still see Flash exploits within malware samples. We must find a compromise between the need to analyse Flash samples and the correct amount of resources to be spent on a declining product. To this end we developed FLASHMINGO, a framework to automate the analysis of SWF files. FLASHMINGO enables analysts to triage suspicious Flash samples and investigate them further with minimal effort. It integrates into various analysis workflows as a stand-alone application or can be used as a powerful library. Users can easily extend the tool's functionality via custom Python plug-ins.

    Background: SWF and ActionScript3

    Before we dive into the inner workings of FLASHMINGO, let’s learn about the Flash architecture. Flash’s SWF files are composed of chunks, called tags, implementing a specific functionality. Tags are completely independent from each other, allowing for compatibility with older versions of Flash. If a tag is not supported, the software simply ignores it. The main source of security issues revolves around SWF’s scripting language: ActionScript3 (AS3). This scripting language is compiled into bytecode and placed within a Do ActionScript ByteCode (DoABC) tag. If a SWF file contains a DoABC tag, the bytecode is extracted and executed by a proprietary stack-based virtual machine (VM), known as AVM2 in the case of AS3, shipped within Adobe’s Flash player. The design of the AVM2 was based on the Java VM and was similarly plagued by memory corruption and logical issues that allowed malicious AS3 bytecode to execute native code in the context of the Flash player. In the few cases where the root cause of past vulnerabilities was not in the AVM2, ActionScript code was still necessary to put the system in a state suitable for reliable exploitation. For example, by grooming the heap before triggering a memory corruption. For these reasons, FLASHMINGO focuses on the analysis of AS3 bytecode.

    Tool Architecture

    FLASHMINGO leverages the open source SWIFFAS library to do the heavy lifting of parsing Flash files. All binary data and bytecode are parsed and stored in a large object named SWFObject. This object contains all the information about the SWF relevant to our analysis: a list of tags, information about all methods, strings, constants and embedded binary data, to name a few. It is essentially a representation of the SWF file in an easily queryable format.

    FLASHMINGO is a collection of plug-ins that operate on the SWFObject and extract interesting information. Figure 1 shows the relationship between FLASHMINGO, its plug-ins, and the SWFObject.


    Figure 1: High level software structure

    Several useful plug-ins covering a wide range of common analysis are already included with FLASHMINGO, including:

    • Find suspicious method names. Many samples contain method names used during development, like “run_shell” or “find_virtualprotect”. This plug-in flags samples with methods containing suspicious substrings.
    • Find suspicious constants. The presence of certain constant values in the bytecode may point to malicious or suspicious code. For example, code containing the constant value 0x5A4D may be shellcode searching for an MZ header.
    • Find suspicious loops. Malicious activity often happens within loops. This includes encoding, decoding, and heap spraying. This plug-in flags methods containing loops with interesting operations such as XOR or bitwise AND. It is a simple heuristic that effectively detects most encoding and decoding operations, and otherwise interesting code to further analyse.
    • Retrieve all embedded binary data.
    • A decompiler plug-in that uses the FFDEC Flash Decompiler. This decompiler engine, written in Java, can be used as a stand-alone library. Since FLASHMINGO is written in Python, using this plug-in requires Jython to interoperate between these two languages.

    Extending FLASHMINGO With Your Own Plug-ins

    FLASHMINGO is very easy to extend. Every plug-in is located in its own directory under the plug-ins directory. At start-up FLASHMINGO searches all plug-in directories for a manifest file (explained later in the post) and registers the plug-in if it is marked as active.

    To accelerate development a template plug-in is provided. To add your own plug-in, copy the template directory, rename it, and edit its manifest and code. The template plug-in’s manifest, written in YAML, is shown below:

    ```
    # This is a template for easy development
    name: Template
    active: no
    description: copy this to kickstart development
    returns: nothing

    ```

    The most important parameters in this file are: name and active. The name parameter is used internally by FLASHMINGO to refer to it. The active parameter is a Boolean value (yes or no) indicating whether this plug-in should be active or not. By default, all plug-ins (except the template) are active, but there may be cases where a user would want to deactivate a plug-in. The parameters description and returns are simple strings to display documentation to the user. Finally, plug-in manifests are parsed once at program start. Adding new plug-ins or enabling/disabling plug-ins requires restarting FLASHMINGO.

    Now for the actual code implementing the business logic. The file plugin.py contains a class named Plugin; the only thing that is needed is to implement its run method. Each plug-in receives an instance of a SWFObject as a parameter. The code will interact with this object and return data in a custom format, defined by the user. This way, the user's plug-ins can be written to produce data that can be directly ingested by their infrastructure.

    Let's see how easy it is to create plug-ins by walking through one that is included, named binary_data. This plugin returns all embedded data in a SWF file by default. If the user specifies an optional parameter pattern then the plug-in searches for matches of that byte sequence within the embedded data, returning a dictionary of embedded data and the offset at which the pattern was found.

    First, we define the optional argument pattern to be supplied by the user (line 2 and line 4):

    Afterwards, implement a custom run method and all other code needed to support it:

    This is a simple but useful plugin and illustrates how to interact with FLASHMINGO. The plug-in has a logging facility accessible through the property “ml” (line 2). By default it logs to FLASHMINGO’s main logger. If unspecified, it falls back to a log file within the plug-in’s directory. Line 10 to line 16 show the custom run method, extracting information from the SWF’s embedded data with the help of the custom _inspect_binary_data method. Note the source of this binary data: it is being read from a property named “swf”. This is the SWFObject passed to the plug-in as an argument, as mentioned previously. More complex analysis can be performed on the SWF file contents interacting with this swf object. Our repository contains documentation for all available methods of a SWFObject.

    Conclusion

    Even though Flash is set to reach its end of life at the end of 2020 and most of the development community has moved away from it a long time ago, we predict that we’ll see Flash being used as an infection vector for a while. Legacy technologies are juicy targets for attackers due to the lack of security updates. FLASHMINGO provides malware analysts a flexible framework to quickly deal with these pesky Flash samples without getting bogged down in the intricacies of the execution environment and file format.

    Find the FLASHMINGO tool on the FireEye public GitHub Repository.

    ...more

    end