CFC REPORT SPHINX MOTH

Recommendations

Info

CFC REPORT: SPHINX MOTH When this key was altered, the DLL was attached to the “lsass.exe” process (security provider process). With the DLL attached to a central process of the operating system, the attackers were able to perform a large number of actions (e.g. hashes dump) and to ensure persistence. This technique was described in a paper by Mandiant during MirCON 2014 3 . We don’t know if the samples seen by Mandiant were related to the Sphinx Moth group. 2.2.2. “--SET” This command was used, for example, to set the configuration of the Command and Control server. 2.2.3. “--SHOW” This command showed the current configuration set in the registry and the version of the malware. As we can see below, the version analyzed in this report is 1.6.5; the one analyzed in the Kaspersky report is 1.6.4. 2.2.4. “--START” AND “--STOP” These commands either attach or remove the DLL (cudacrt.dll) from “lsass.exe”. 2.2.5. “--CLEAN” This command deleted all binaries and removed the two registry keys. Some other commands were identified but are not described in detail: “—ndebug”, “—cdebug”, “—debug”, “—pleh”, “—test”, “—proxy”, “—sleep”. 2.2.6. TIMESTAMP MODIFICATION The timestamp of the DLL copied was modified to fool forensic analysis. Before: After: 3 https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Analysis_of_Malicious_SSP.pdf Cybersecurity unit of Kudelski Group 10 www.kudelskisecurity.com request@kudelskisecurity.com
CFC REPORT: SPHINX MOTH 2.3. “CUDACRT.DLL” (MD5: D91ED1715DE8EDDD5244565926ED2899) “Cudacrt.dll” – a tool for persistence and backdoor control This DLL was attached to “lsass.exe”, and was responsible for the execution of the binary “iastor32.exe” (SSH client) for communication. One interesting function of this DLL is its ability to deobfuscate the registry entries (under “SOFTWARE\SsoAuth\Service”). Again, we are dealing with a simple single-byte “XOR”. This time, deobfuscation was even easier, as the key was “0x01”. 2.4. “KERBEROS32.DLL” (MD5 : FD4C881DF95B67EE2F07ADAD0DCA9C98) “Kerberos32.dll” – the attackers’ toolset for lateral movements and hiding capabilities This DLL was also loaded into “lsass.exe”, as the one above, but gave the attackers more control. For example, as already stated in the Symantec report, it was able to dump the hashes in memory, clean logs, start or stop logs or reboot. The “Kerberos*.dll” commands are listed in Appendix 4.3. To interact with this backdoor, a named pipe was created on the host (“\\.\lsassp” in our samples) and the traffic was then obfuscated with an “XOR” key (see below). We provided a Powershell that can be run (with SCCM for example) to detect if hosts are compromised on a corporate environment. See Appendix 4.4 for details. The “XOR” key for traffic was as follows: “\x24\x75\x60\xCA\x94\x40\xA8\x23\xCD\x55\xCE\x66\xCE\x63\x9b\x8E” The backdoor supported an impressive number of OS: • Windows 2000 • Windows XP • Windows 2003 • Windows Vista • Windows 2008 • Windows 7 • Windows 2008R2 • Windows 8 • Windows 2012 • Windows 8.1 • Windows 2012R2 Cybersecurity unit of Kudelski Group 11 www.kudelskisecurity.com request@kudelskisecurity.com
Page 1 and 2: CFC REPORT: SPHINX MOTH CFC REPORT:
Page 3 and 4: CFC REPORT: SPHINX MOTH OVERVIEW Sp
Page 5 and 6: CFC REPORT: SPHINX MOTH 1.1. ANATOM
Page 7 and 8: CFC REPORT: SPHINX MOTH 2. TECHNICA
Page 9: CFC REPORT: SPHINX MOTH 2.2. “NVC
Page 13 and 14: CFC REPORT: SPHINX MOTH APPENDICES
Page 15 and 16: CFC REPORT: SPHINX MOTH rule iastor
Page 17 and 18: CFC REPORT: SPHINX MOTH 4.3. KERBER
Page 19: NAGRAVISION SA Route de Genève 22-

CFC REPORT SPHINX MOTH

Create successful ePaper yourself

Delete template?

Save as template?