Chapter 3

Anonymous Persistent Threats

A number of security firms have issued detailed reports on groups of attackers who intend not only to “hack” into a company’s website and data systems, but also to establish a persistent beachhead in those systems so that they can use that company’s information; connect to other company systems through “trusted,” less secure connections; and establish a long-term site where they can test out new versions of their malware and update it when it is discovered to have been detected. Among these identified persistent threat groups are the following.

Rivest–Shamir–Adleman (RSA) Identified Shell Crew

The Shell Crew are a set of hacking groups, frequently closely aligned with nation-states (China and Russia), whose technicians are particularly well educated and extremely highly skilled, and who continue to experiment with and test new versions of malware and break-in approaches and then cross-communicate their discoveries with other hacking communities.

Among the most prominent groups identified by RSA that address common adversaries and have targeted common client infrastructure and assets are

■  Deep Panda

■  WebMasters

■  KungFU Kittens

■  SportsFans

■  Pink Panther

■  Equation Group

■  Master APT nation-state group

The Shell Crew groups utilize the following tactics and techniques:

■  Prevalent use of web shells to maintain low-level persistence despite determined remediation efforts

■  Altering or poisoning existing legitimate web pages maintained by an organization

■  Occasional use of web application framework exploits to achieve initial entry versus standard spear-phishing attacks

■  Lateral movement and compromise of digital code signing certificate infrastructure

■  Abuse of code signing infrastructure to validly sign custom backdoor malware

■  Exploiting systems using different SETHC.exe methods accessible via Remote Desktop Protocol (RDP)

■  Long history of Internet Protocol/Domain Name Server (IP/DNS) telemetry, allowing for historical research and link analysis

■  Placement of malicious proxy tools introduced into the environment on Windows server–based proxies to bypass proxy logging

■  Extensive use of time/date stamping of malicious files to hinder forensic analysis

■  Use of proxy-aware malware that leverages compromised credentials to bypass Windows New Technology Local Area Network Manager (NTLM) authenticating proxies
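The first two tactics in the list above (web shells that survive remediation, and poisoning of pages the organization already serves) are both detectable as unexpected change inside the webroot. The following script is an added example, not code from the book or from RSA’s report: it records a SHA-256 baseline of an ASP.NET site on its first run and, on later runs, reports files that are new, modified or removed, and flags changed server-side pages that contain constructs typical of web shells. The webroot and baseline paths, the extension list and the indicator patterns are assumptions to be adjusted for the site under review.

```powershell
# Added example (not from the book): baseline an IIS/ASP.NET webroot and report
# new, modified or removed files, plus web-shell indicators in changed script files.
# Run read-only from an elevated session; keep the baseline outside the webroot so
# an intruder with write access to the site cannot rewrite it.

$WebRoot      = 'C:\inetpub\wwwroot'         # assumed site root
$BaselineFile = 'C:\Baselines\wwwroot.json'  # assumed baseline location (outside the webroot)
# Server-side page types worth content inspection (assumed list).
$ScriptExt    = @('.aspx', '.asax', '.ashx', '.asmx', '.asp', '.php', '.jsp')
# Constructs that, combined with request input, characterize most web shells (assumed list).
$ShellPatterns = @('eval\s*\(', 'Execute\s*\(', 'Process\.Start', 'WScript\.Shell',
                   'cmd(\.exe)?\s*/c', 'FromBase64String', 'unsafe\s*\{',
                   'Request\.(Form|QueryString|Headers)')

# Map each file's path (relative to the root) to its SHA-256.
function Get-WebRootState([string]$Root) {
    $state = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $state[$rel] = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    }
    return $state
}

# Return the indicator patterns that match a server-side page (empty for other files).
function Test-WebShellIndicators([string]$Path) {
    if ($ScriptExt -notcontains [IO.Path]::GetExtension($Path).ToLower()) { return @() }
    $text = Get-Content -Path $Path -Raw -ErrorAction SilentlyContinue
    if (-not $text) { return @() }
    return @($ShellPatterns | Where-Object { $text -match $_ })
}

$current = Get-WebRootState $WebRoot

if (-not (Test-Path $BaselineFile)) {
    # First run: record the known-good state and stop.
    $current | ConvertTo-Json | Set-Content -Path $BaselineFile
    Write-Output "Baseline written for $($current.Count) files."
    return
}

# Load the baseline back into a hashtable for lookups.
$baselineObj = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
$baseline = @{}
$baselineObj.PSObject.Properties | ForEach-Object { $baseline[$_.Name] = $_.Value }

$report = foreach ($rel in $current.Keys) {
    $status = if (-not $baseline.ContainsKey($rel)) { 'NEW' }
              elseif ($baseline[$rel] -ne $current[$rel]) { 'MODIFIED' }
              else { $null }
    if ($status) {
        $hits = Test-WebShellIndicators (Join-Path $WebRoot $rel)
        [pscustomobject]@{ File = $rel; Status = $status; Indicators = ($hits -join ', ') }
    }
}
$removed = foreach ($rel in $baseline.Keys) {
    if (-not $current.ContainsKey($rel)) {
        [pscustomobject]@{ File = $rel; Status = 'REMOVED'; Indicators = '' }
    }
}

$all = @($report) + @($removed)
if ($all.Count -eq 0) { Write-Output 'Webroot matches baseline.' }
else { $all | Sort-Object Status, File | Format-Table -AutoSize }
```

A NEW or MODIFIED page that also carries indicators is the case to examine first; a MODIFIED page with no indicators may be a legitimate deployment, which is why the baseline should be refreshed (by deleting the baseline file and re-running) only after a change has been confirmed as authorized.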

The Shell Crew’s initial penetration, subsequent placement of malware, and establishment of a hidden beachhead in a target system follow the pattern detected in the recent 2014–2015 Anthem break-in. Figure 3.1 shows the anatomy of a Shell Crew website application penetration that is believed to have been employed by the attackers.

The tools employed by the Shell Crew hackers—in addition to the initial spear phishing and ScanBox keylogging used to acquire a technician’s passwords and a map of the data system and its servers, application systems, and data files—are

1.  Implant web shells

2.  Modify System.Web.DLL file


Figure 3.1 Shell Crew web attack process.

3.  Insert variations of Trojan.Derusbi malware routines

4.  Insert “Sticky Keys” backdoor routines—particularly Seth RDP backdoor routines

5.  Insert modified handshake packets (for authentication steps)

6.  Modify registry files and insert RDP backdoor routines

7.  Insert malicious files

8.  Insert an initial Trojan.Derusbi and then try out new variations

9.  Insert NotePad—malicious command lines and file details

10.  Insert credential loggers

a.  Hash dumping routines

b.  Keystroke-logging routines (SmartBox)

c.  MSGINA, a corruption of msgina.dll—a module loaded by Winlogon to implement the authentication policy. The file performs all user identification and authentication interactions.

d.  Hooking authentication function
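The “Sticky Keys” backdoor named in the tactics list (the SETHC.exe method reached over RDP) and in steps 4 and 6 above works by making the logon screen launch a command shell when an accessibility shortcut is pressed, either through an Image File Execution Options debugger entry for sethc.exe or by overwriting sethc.exe with a copy of cmd.exe. The script below is an added example, not code from the book or from RSA: it audits one Windows host for both variants across the accessibility binaries, and checks that Network Level Authentication is enforced on the RDP listener, which keeps the logon screen unreachable without credentials. The binary list and the hashed shell paths are assumptions.

```powershell
# Added example (not from the book): read-only audit of a Windows host for the
# accessibility-feature ("Sticky Keys") backdoor variants and the RDP setting that
# blunts them. Run from an elevated PowerShell session; nothing is modified.

# Accessibility programs Windows can launch from the logon screen (assumed list).
$AccessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
$System32 = Join-Path $env:SystemRoot 'System32'
$IfeoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Binary, [string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Binary = $Binary; Check = $Check; Detail = $Detail })
}

# SHA-256 of the shells typically copied over an accessibility binary, taken from
# this host so the comparison does not depend on the Windows build.
$ShellHashes = @{}
foreach ($shell in @((Join-Path $System32 'cmd.exe'),
                     (Join-Path $System32 'WindowsPowerShell\v1.0\powershell.exe'))) {
    if (Test-Path $shell) {
        $ShellHashes[(Get-FileHash -Algorithm SHA256 -Path $shell).Hash] = $shell
    }
}

foreach ($bin in $AccessibilityBinaries) {
    # Variant 1: an IFEO "Debugger" value makes Windows start that program in place
    # of the accessibility tool. No legitimate configuration sets one for these files.
    $key = Join-Path $IfeoKey $bin
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding $bin 'IFEO Debugger value set' $dbg }
    }

    # Variant 2: the file under System32 was overwritten with a copy of a shell.
    $path = Join-Path $System32 $bin
    if (Test-Path $path) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($ShellHashes.ContainsKey($hash)) {
            Add-Finding $bin 'Replaced by a shell binary' $ShellHashes[$hash]
        }
        # Microsoft signs these files through catalogs, which Get-AuthenticodeSignature
        # resolves on Windows 8 / PowerShell 3 and later. A copied cmd.exe is itself
        # catalog-signed and would still report Valid, so the hash check comes first;
        # any other status points at a modified or unknown file.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { Add-Finding $bin 'Authenticode status' $sig.Status }
    }
}

# Mitigation: with Network Level Authentication (UserAuthentication = 1) the logon
# screen is not presented over RDP until valid credentials are supplied, so neither
# variant can be triggered by an unauthenticated remote user.
$nla = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { Add-Finding 'RDP-Tcp' 'Network Level Authentication not enforced' "UserAuthentication=$nla" }

if ($findings.Count -eq 0) { Write-Output 'No accessibility-backdoor indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Because both variants leave a registry value or a file hash that can be compared against a known-good host, this check is cheap to run on a schedule across a fleet, and an IFEO Debugger value for any of the listed binaries is a high-confidence indicator on its own.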

Kaspersky Lab Has Identified a Recent Attack Group That Identifies Its Tools as Careto: The Mask

The Mask is an advanced threat actor that has been involved in cyberespionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions, and possibly versions for Android and iPad/iPhone (iOS).

The Mask also uses a customized attack against older Kaspersky Lab products in order to successfully hide in the system. This puts it above Duqu in terms of sophistication, making The Mask one of the most advanced threats at the current time. This and several other factors lead us to believe that this could be a state-sponsored operation.

The initial attack begins with spear-phishing. A technician receives a valid-appearing email which, when opened, connects him to an infected website. That infected website surreptitiously downloads a keystroke-logging program to his device and may also download national news information or even a YouTube video in order to hide that malicious download. Some known exploit websites are “linkconf.net,” “redirserver.net,” and “swupdt.com.” Furthermore, valid certificates are frequently employed from real or fake companies, quite frequently from TecSystem of Bulgaria, which appears to be a real company with real certificates, but which have been stolen and misused by hackers.

Careto is the official name of the hacking group also known as The Mask, which is a translation from the Spanish (mask = “ugly mug”). More generally, it is a type of icon in the shape of a face that shows emotions and expressions like a human face.

The main targets of Careto fall into the following categories:

■  Government institutions

■  Diplomatic offices and embassies

■  Energy, oil, and gas companies

■  Research institutions

■  Private equity firms

■  Activists

Backdoor components of Careto:

■  Windows backdoor components: rootkit and bootkit for 32- and 64-bit versions

–  Two CAB files: shrink32.dll and shrink64.dll

–  Three executable files packed along with CAB files

•  dinner.jpg

•  waiter.jpg

•  chef.jpg

■  Mac OS X: rootkit and bootkit

■  Linux: rootkit and bootkit

■  iPad: rootkit and bootkit

Mask implants:

■  Intercept network traffic

■  Capture keystrokes

■  Analyze Wi-Fi traffic

■  Capture PGP keys

■  Screen capture

■  Monitor all file operations

■  Fetch info from Nokia and other cell devices

Dark Web

A program named “Recorded Future” scrapes everything posted on Pastebin and other “paste” websites—the sites on the dark web where plaintext can be posted anonymously. Pastebin is a popular example of such a place to find torrents and hacking data dumps, and, in December 2014, it was the site where links to the leaked files from the Sony hack ended up. It’s also a fantastic place to find links to other dark web sites. The company also monitors Twitter and forums all around the normal Internet for links to the dark web.

QUESTIONS

1.  What are three techniques that the Shell Crew uses for hacking?

2.  Explain: What is “The Mask”?

3.  How is The Mask different from any other advanced persistent attack?

4.  What are three main targets of The Mask?
