CCT 250 Exam 3


Information that can be obtained through APTs

Classified documents; Control system access information; Network information; Organizational business strategies; Payment card info; PII, regarding employees or customers; Transaction information; User credentials

How do hosts get infected?

Clicking malicious online ads; Connecting to untrusted networks; Installing pirated software; Not running the latest antivirus software; Not updating and installing new versions of plug-ins; Opening infected email attachments; Using portable media; When a user accepts and downloads files without checking the source

Using Custom Environment Variables

Dynamic objects that store modifiable values used by apps at runtime. This can be exploited to split malicious commands into multiple strings.

Caret Symbol (^)

Escapes malicious commands during execution time

Divergent

Fileless malware that depends mostly on the registry, employs a key in the registry to maintain persistence, and exploits PowerShell to inject itself into other processes

Taxonomy of Fileless Malware

Hardware (Type 1); Execution/Injection (Type 2); Exploit (Type 3)

Crypter

Hides viruses, keyloggers, or tools in any kind of file, e.g. BitCrypter, SwayzCryptor, AegisCrypter v1.5, Hidden Sight Crypter, Battleship Crypter, Heavens Crypter, Cypherx

Dynamic Malware Analysis AKA Behavioral Analysis

The process of executing the malware code to see how it interacts with the system and its impacts

Static Malware Analysis AKA Code Analysis

The process of looking at the executable binary code without actually executing the code itself

Propagate and deploy

via email, proxy, covert channel, USB

Ismdoor, Poison Ivy, POWERSTATS ports

80

Zeus and Shamoon ports

8080

Back Orifice 2000 ports

8787, 54321

Worms

A malicious program that independently replicates, executes, and spreads across network connections

Exploit kits

A platform to deliver exploits and payloads; comes with pre-written exploit code

Downloader

A program that can download and install harmful programs without carrying the malware itself, e.g. Godzilla Downloader, Trojan Downloader

Trojan

A program where mal-code hides within seemingly benign data to gain control and cause damage, such as ruining the FAT on your hard disk

APT (Advanced Persistent Threat)

A type of network attack where an attacker gains access to a target and remains undetected for a long period of time

Difference between a Worm and a Virus

A worm is self-replicating and cannot attach itself to other programs; it spreads throughout the network via file or info transport features

indications of a Trojan

Abnormal system and network activities

Using Pre-assigned Environment Variables

%CommonProgramFiles% contains a default value of C:\Program Files\Common Files, and specific characters from this value can be accessed through indexing and used for malicious commands

Delf ports

10048

Gift ports

101000

Senna Spy ports

11000

Progenic Trojan ports

11223

njRAT ports

1177

Hack 99 KeyLogger ports

12223

DarkComet RAT and Pandora RAT ports

1604

SpySender ports

1807

XtremeRAT ports

1863

Emotet Ports

20, 22, 80, 43

Blade Runner and DarkFTP ports

21

Deep Throat ports

2140, 3150, 6670, 6671

SSH RAT and Linux Rabbit ports

22

EliteWrap ports

23

Evil FTP and Ugly FTP

23456

Back Orifice/Back Orifice 1.20/Deep BO ports

31337, 31338

Cardinal RAT, gh0st RAT, TrickBot ports

443

WannaCry and Petya ports

445

SpyGate RAT and Punisher RAT ports

5000

Blade Runner ports

5400, 5401, 5402

Devil ports

65000

KillerRat and Houdini RAT ports

6666

Bionet and Magic Hound ports

6667, 12349

Mspy ports

68

GateCrasher and Priority ports

6969

Remote Grab ports

7000

ICKiller ports

7789

characteristics of APTs

Actions; Attack origination points; Evading signature-based detection systems; Knowledge Source; Multiple points of entry; Multi-phased; Number of hosts involved in the attack; Objectives to obtain info; Resources used for attacks; Risk tolerance; Skills and methods; Specific warning signs; Tailored to vulnerabilities; Timelines

Types of Viruses

Add-on and Intrusive; Companion/Camouflage; Direct action or transient; Email and armored; Encryption; FAT and logic bomb; File and multipartite; Macro and cluster; Metamorphic; Overwriting file or cavity; Polymorphic; Shell and File extension; Sparse Infector; Stealth/tunneling; System or boot sector; Terminate & Stay resident; Web scripting

Malware examples

Adware; Backdoors; Botnets; Crypters; Ransomware; Rootkits; Spyware; Trojans; Viruses; Worms

Testbed Prep Steps

Allocate a physical system for the analysis lab > Install a VM on the system > Install the guest OS on the VM > Isolate the system from the network by ensuring the NIC card is in "host only" mode > Simulate internet services using tools such as INetSim > Disable the "shared folders" and "Guest isolation" > Install malware analysis tools > Generate the hash value of each OS and tool > Copy the malware over to the guest OS

Characteristics of Viruses

Alters data; Corrupts files and programs; Encrypts itself; Infects other programs; Self-replicates; Transforms itself

Sheep Dipping

Analysis of suspect files, incoming messages, etc. for malware

System Administration Tools

Attackers exploit ________ such as CertUtil, WMIC, and Regsvr32 to launch fileless infections. Specifically, they run malicious DLLs with Regsvr32 and rundll32

In-Memory Exploits

Attackers inject a malicious payload into RAM that targets legitimate processes without leaving any footprints

Phishing

Attackers will try to use __________ to spread fileless malware that loads and runs malicious payloads on the victim's PC to get information from the process memory

Dharma (Ransomware)

Attacks through email campaigns and requires bitcoins for decryption

Different types of Trojans

Backdoor; Botnet; Command Shell; DDoS attack; Defacement; Destructive; EBanking; IoT; Mobile; Point-of-sale; Remote Access Trojan (RAT); Rootkit; Security S/W Disabler; Service Protocol

Inserting Characters ( , or ; and etc.)

Between malicious commands to make the strings more complex to detect

Common distribution methods for malware

Black Hat SEO; Compromised legitimate websites; Drive-by downloads; Malvertising; Social engineered click-jacking; Spam emails; Spear-phishing sites

Entry Points

Browser and email; Downloading files from the internet; Email attachments; File sharing OS services; Insecure patch management; Instant messaging apps; Installations from other malware; Network Propagation; Portable hardware media; Rogue/decoy apps; Untrusted sites and freeware apps; Wireless networks

Dropper

Camouflages malware payloads, e.g. Emotet and Dridex

Detection methods for viruses

Code emulation; Heuristic Analysis; Integrity Checking; Interception; Scanning

File Fingerprinting

Computing hash value for binary code

What is the infection process?

Create > Dropper or Downloader > wrapper > crypter > propagate > deploy by execution > execute the damage routine

Components of malware

Crypter; Downloader; Dropper; Exploit; Injector; Obfuscator; Packer; Payload; Malicious Code

File-less Malware Propagation

Infection through lateral movement; Legitimate apps; Malicious website; Memory code injection; Native apps; Phishing emails; Registry manipulation; Script-based injection

File-less Malware AKA Non-malware

Infects legitimate software, apps, and other protocols

SamSam (Ransomware)

Infects unpatched servers by employing the RSA-2048 asymmetric encryption technique

Conditions needed for Sheep Dipping

Installed with port, file, and network monitors and antivirus software; connects to a network only under strictly controlled conditions

Worm Tools

Internet Worm Make Thing, Batch Worm Generator

Malware (Malicious Software)

Malicious software that damages or disables computer systems

3 main phase examples for Fileless malware

Phishing email > Malicious code > Script based > Code injection > malicious code running directly in the memory > Registry, Windows management instrumentation, scheduled task > reconnaissance, credential harvesting, data exfiltration, cyber espionage
Malicious website > Script based > Code injection > malicious code running directly in the memory > Registry, Windows management instrumentation, scheduled task > reconnaissance, credential harvesting, data exfiltration, cyber espionage
Malicious website > Memory Exploits > Code injection > malicious code running directly in the memory > Registry, Windows management instrumentation, scheduled task > reconnaissance, credential harvesting, data exfiltration, cyber espionage

The main phases of fileless malware

PoE > Execution > Persist > Objectives

Life cycle of an APT

Preparation > Initial Intrusion > Expansion > Persistence > Search and exfiltration > cleanup

Purpose of File-less Malware

Resides in RAM and injects malicious code into running processes such as Word, Flash, Adobe PDF Viewer, JavaScript, and PowerShell

Ransomware

Restricts access to the computer system's files and folders and demands a ransom payment to remove restrictions

Tasks for Sheep Dipping

Run user, group permissions, and process monitors; Run port and network monitors; Run device driver and file monitors; Run registry and kernel monitors

Script Injection

Scripts that have binaries and shell codes embedded, obfuscated, and compiled to avoid file creations on the disk and allow attackers to communicate and infect the apps or OS's without being traced

Viruses

Self-replicating program that produces its own copy by attaching itself to another program

Reasons for malware analysis

To catch the perpetrator accountable for installing the malware; To determine the complexity level of an intruder; To determine the malicious intent of the malware; To exactly determine what happened; To identify indicators of compromise; To identify the exploited vulnerability; To identify the extent of damage caused by the intrusion

Examples of Trojan Objectives

To create backdoors for remote access; To delete or replace critical OS files; To disable firewalls and antivirus; To download spyware, adware, and other malware; To encrypt data and lock out victims from accessing the machine; To generate fake traffic to create DoS attacks; To infect a victim's PC as a proxy server (relay attack) and/or as a botnet (DDoS attack); To record screenshots, audio, and video of the infected PC; To steal personal information; To use the victim's PC for spamming/blasting email

Objective of using Trojans

To create covert communication channels between the victim and attacker for transferring sensitive data

Document Exploits

Trick users into downloading attractive files that contain malicious macro code and launch VBA or JavaScript

Trojan trigger conditions

Trojans are activated upon predefined conditions; upon activation they result in unrestricted access to all data on a compromised system and cause immense damage

Purpose of Worms

Use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet

Process of Exploit Kits

Victim visits genuine site > website is hosted on a compromised web server > victim is redirected through various intermediary servers > victim lands at an exploit kit server holding the exploit pack landing page > exploit kit gathers information on the victim and delivers the exploit

Inserting parentheses ( () )

When used, variables in a code block are considered single-line commands. Attackers use this to split and obfuscate malicious code

Malware Analysis

___________ is the reverse engineering of a specific piece of malware to determine its origins, functionality, and potential impact

Finding the Portable Executable (PE) information

Analyze the metadata of Portable Executable (PE) files to get information that is embedded in resources

Wrapper

Binds the executable Trojan with genuine apps and, once run, installs the Trojan in the background and runs the genuine app in the foreground, e.g. Elite Wrap, IExpress Wizard, Advanced File Joiner, Soprano 3, Exe2vbs, Kriptomatik

Antivirus evasion tactics

Break Trojan into multiple pieces then zip them together; Write your own Trojan; Change the Trojan syntax; Use hex editor to change content; Checksum; Encrypt; Never download Trojans from the internet

eCh0raix (Ransomware)

Targets Linux devices with QNAP network-attached storage (NAS) by employing the AES encryption technique

Identifying file dependencies

Checks the dynamically linked list in the malware executable file to find all the library functions

Antivirus sensor systems

Collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. Used along with sheep dip computers.

Indicators of a virus

Constant virus alerts, suspicious hard drive activity, lack of storage space, unwanted pop-up windows

Life cycle of a virus

design > replication > launch > detection > incorporation > execution of the damage routine

Transmission methods of Viruses

File downloads, infected disk/flash drives, and email attachments

Inserting double quotes ("")

An argument delimiter that can be used to concatenate malicious commands

