CCT 250 Exam 3
Information that can be obtained through APTs
Classified documents, control system access information, network information, organizational business strategies, payment card info, PII regarding employees or customers, transaction information, user credentials
How do hosts get infected?
Clicking malicious online ads; connecting to untrusted networks; installing pirated software; not running the latest antivirus software; not updating and installing new versions of plug-ins; opening infected email attachments; using portable media; a user accepting and downloading files without checking the source
Using Custom Environment Variables
Dynamic objects that store modifiable values used by apps at runtime. These can be exploited to split malicious commands into multiple strings.
Caret Symbol (^)
Escapes malicious commands during execution time
Divergent
Fileless malware that depends mostly on the registry, employs a registry key to maintain persistence, and exploits PowerShell to inject itself into other processes
Taxonomy of Fileless Malware
Hardware (Type 1) Execution/Injection (Type 2) Exploit (Type 3)
Crypter
Hides viruses, keyloggers, or tools in any kind of file, e.g., BitCrypter, SwayzCryptor, AegisCrypter v1.5, Hidden Sight Crypter, Battleship Crypter, Heavens Crypter, Cypherx
Dynamic Malware Analysis AKA Behavioral Analysis
The process of executing the malware code to see how it interacts with the system and its impacts
Static Malware Analysis AKA Code Analysis
The process of looking at the executable binary code without actually executing the code itself
Propagate and deploy
via email, proxy, covert channel, USB
Ismdoor, Poison Ivy, POWERSTATS ports
80
Zeus and Shamoon ports
8080
Back Orifice 2000 ports
8787, 54321
Worms
A malicious program that independently replicates, executes, and spreads across network connections
Exploit kits
A platform to deliver exploits and payloads; comes with pre-written exploit code
Downloader
A program that can download and install harmful programs without carrying the malware itself, e.g., Godzilla Downloader, Trojan Downloader
Trojan
A program where mal-code hides within seemingly benign data to gain control and cause damage, such as ruining the FAT on your hard disk
APT (Advanced Persistent Threat)
A type of network attack where an attacker gains access to a target and remains undetected for a long period of time
difference between a Worm and a Virus
A worm is self-replicating and cannot attach itself to other programs; it spreads throughout the network via file or information transport features
indications of a Trojan
Abnormal system and network activities
Using Pre-assigned Environment Variables
%CommonProgramFiles% contains a default value of C:\Program Files\Common Files, and specific characters from this value can be accessed through indexing and used for malicious commands
Delf ports
10048
Gift ports
101000
Senna Spy ports
11000
Progenic Trojan ports
11223
njRAT ports
1177
Hack 99 KeyLogger ports
12223
DarkComet RAT and Pandora RAT ports
1604
SpySender ports
1807
XtremeRAT ports
1863
Emotet Ports
20, 22, 80, 43
Blade Runner and DarkFTP ports
21
Deep Throat ports
2140, 3150, 6670, 6671
SSH RAT and Linux Rabbit ports
22
EliteWrap ports
23
Evil FTP and Ugly FTP ports
23456
Back Orifice/Back Orifice 1.20/Deep BO ports
31337, 31338
Cardinal RAT, gh0st RAT, TrickBot ports
443
WannaCry and Petya ports
445
SpyGate RAT and Punisher RAT ports
5000
Blade Runner ports
5400, 5401, 5402
Devil ports
65000
KillerRat and Houdini RAT ports
6666
Bionet and Magic Hound ports
6667, 12349
Mspy ports
68
GateCrasher and Priority ports
6969
Remote Grab ports
7000
ICKiller ports
7789
characteristics of APTs
Actions; attack origination points; evading signature-based detection systems; knowledge source; multiple points of entry; multi-phased; number of hosts involved in the attack; objectives to obtain info; resources used for attacks; risk tolerance; skills and methods; specific warning signs; tailored to vulnerabilities; timelines
Types of Viruses
Add-on and Intrusive; Companion/Camouflage; Direct action or transient; Email and armored; Encryption; FAT and logic bomb; File and multipartite; Macro and cluster; Metamorphic; Overwriting file or cavity; Polymorphic; Shell and File extension; Sparse Infector; Stealth/tunneling; System or boot sector; Terminate & Stay resident; Web scripting
Malware examples
Adware, backdoors, botnets, crypters, ransomware, rootkits, spyware, Trojans, viruses, worms
Testbed Prep Steps
Allocate a physical system for the analysis lab > Install a VM on the system > Install the guest OS on the VM > Isolate the system from the network by ensuring the NIC card is in "host only" mode > Simulate internet services using tools such as INetSim > Disable the "shared folders" and "Guest isolation" > Install malware analysis tools > Generate the hash value of each OS and tool > Copy the malware over to the guest OS
Characteristics of Viruses
Alters data; corrupts files and programs; encrypts itself; infects other programs; self-replicates; transforms itself
Sheep Dipping
Analysis of suspect files, incoming messages, etc. for malware
System Administration Tools
Attackers exploit ________ such as CertUtil, WMIC, and Regsvr32 to launch fileless infections. They specifically run malicious DLLs via Regsvr32 and rundll32
In-Memory Exploits
Attackers inject a malicious payload into RAM that targets legitimate processes without leaving any footprints
Phishing
Attackers will try to use __________ to spread fileless malware that loads and runs malicious payloads on the victim's PC to get information from the process memory
Dharma (Ransomware)
Attacks through email campaigns and requires bitcoins for decryption
different types of Trojans
Backdoor, Botnet, Command Shell, DDoS attack, Defacement, Destructive, E-Banking, IoT, Mobile, Point-of-sale, Remote Access Trojan (RAT), Rootkit, Security S/W Disabler, Service Protocol
Inserting Characters (such as , or ;)
Inserted between malicious commands to make the strings more complex to detect
common distribution methods for malware
Black Hat SEO, compromised legitimate websites, drive-by downloads, malvertising, social engineered click-jacking, spam emails, spear-phishing sites
Entry Points
Browser and email; downloading files from the internet; email attachments; file sharing; OS services; insecure patch management; instant messaging apps; installations from other malware; network propagation; portable hardware media; rogue/decoy apps; untrusted sites and freeware apps; wireless networks
Dropper
Camouflages malware payloads, e.g., Emotet and Dridex
detection methods for viruses
Code emulation, heuristic analysis, integrity checking, interception, scanning
File Fingerprinting
Computing hash value for binary code
What is the infection process?
Create > Dropper or Downloader > wrapper > crypter > propagate > deploy by execution > execute the damage routine
components of malware
Crypter, downloader, dropper, exploit, injector, obfuscator, packer, payload, malicious code
File-less Malware Propagation
Infection through lateral movement, legitimate apps, malicious websites, memory code injection, native apps, phishing emails, registry manipulation, script-based injection
File-less Malware AKA Non-malware
Infects legitimate software, apps, and other protocols
SamSam (Ransomware)
Infects unpatched servers by employing the RSA-2048 asymmetric encryption technique
Conditions needed for Sheep Dipping
Installed with port, file, and network monitors and antivirus software; connects to a network only under strictly controlled conditions
Worm Tools
Internet Worm Maker Thing, Batch Worm Generator
Malware (Malicious Software)
Malicious software that damages or disables computer systems
3 main phase examples for Fileless malware
Phishing email > Malicious code > Script based > Code injection > malicious code running directly in the memory > Registry, Windows Management Instrumentation, scheduled task > reconnaissance, credential harvesting, data exfiltration, cyber espionage
Malicious website > Script based > Code injection > malicious code running directly in the memory > Registry, Windows Management Instrumentation, scheduled task > reconnaissance, credential harvesting, data exfiltration, cyber espionage
Malicious website > Memory exploits > Code injection > malicious code running directly in the memory > Registry, Windows Management Instrumentation, scheduled task > reconnaissance, credential harvesting, data exfiltration, cyber espionage
The main phases of fileless malware
PoE > Execution > Persist > Objectives
life cycle of an APT
Preparation > Initial Intrusion > Expansion > Persistence > Search and exfiltration > cleanup
Purpose of File-less Malware
Resides in RAM and injects mal code into running processes such as Word, Flash, Adobe PDF Viewer, JavaScript, and PowerShell
Ransomware
Restricts access to the computer system's files and folders and demands a ransom payment to remove restrictions
Tasks for Sheep Dipping
Run user, group permission, and process monitors; run port and network monitors; run device driver and file monitors; run registry and kernel monitors
Script Injection
Scripts with embedded binaries and shellcode that are obfuscated and compiled to avoid creating files on disk, allowing attackers to communicate with and infect the apps or OS without being traced
Viruses
Self-replicating program that produces its own copy by attaching itself to another program
Reasons for malware analysis
To hold the perpetrator who installed the malware accountable; to determine the complexity level of an intruder; to determine the malicious intent of the malware; to determine exactly what happened; to identify indicators of compromise; to identify the exploited vulnerability; to identify the extent of damage caused by the intrusion
Examples of Trojan Objectives
To create backdoors for remote access; to delete or replace critical OS files; to disable firewalls and antivirus; to download spyware, adware, and other malware; to encrypt data and lock victims out of the machine; to generate fake traffic to create DoS attacks; to infect a victim's PC as a proxy server (relay attack) and/or as a botnet (DDoS attack); to record screenshots, audio, and video of the infected PC; to steal personal information; to use the victim's PC for spamming/blasting email
objective of using Trojans
To create covert communication channels between the victim and attacker for transferring sensitive data
Document Exploits
Trick users into downloading attractive files that contain malicious macro code, which launches VBA or JavaScript
Trojan trigger conditions
Trojans are activated upon predefined conditions; upon activation they give unrestricted access to all data on the compromised system and can cause immense damage
Purpose of Worms
Use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet
Process of Exploit Kits
Victim visits genuine site > website is hosted on a compromised web server > victim is redirected through various intermediary servers > victim lands at an exploit kit server holding the exploit pack landing page > exploit kit gathers information on the victim and delivers the exploit
Inserting parentheses ( () )
When used, variables in a code block are treated as single-line commands. Attackers use this to split and obfuscate malicious code
Malware Analysis
___________ is the reverse engineering of a specific piece of malware to determine its origins, functionality, and potential impact
Finding the portable executables (PE) information
Analyze the metadata of PE (Portable Executable) files to get information that is embedded in resources
Wrapper
Binds the Trojan executable with a genuine app; once run, it installs the Trojan in the background and runs the genuine app in the foreground, e.g., EliteWrap, IExpress Wizard, Advanced File Joiner, Soprano 3, Exe2vbs, Kriptomatik
Antivirus evasion tactics
Break the Trojan into multiple pieces, then zip them together; write your own Trojan; change the Trojan syntax; use a hex editor to change content; checksum; encrypt; never download Trojans from the internet
eCh0raix (Ransomware)
Targets Linux-based QNAP Network Attached Storage (NAS) devices by employing the AES encryption technique
Identifying file dependencies
Checks the list of dynamically linked libraries in the malware executable and finds out all the library functions used
Antivirus sensor systems
A collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. Used along with sheep dip computers.
indicators of a virus
Constant virus alerts, suspicious hard drive activity, lack of storage space, unwanted pop-up windows
life cycle of a virus
Design > replication > launch > detection > incorporation > execution of the damage routine
Transmission methods of Viruses
File downloads, infected disks/flash drives, and email attachments
Inserting double quotes ("")
The double quote is an argument delimiter and can be used to concatenate malicious commands