Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/669 Thanks!

[00:00:14] Jessy himself is a hardcore malware researcher, reverse engineer. And he also likes to break code, and my voice is breaking too. Sorry for that. So the stage is open to Jessy. Let's visit the bear den.

[00:00:41] Thank you very much. So, yes, I'm Jessy Campos, malware researcher at ESET in Montreal. And during the past two years we have been monitoring a group called Sednit with my two colleagues, Joan and Thomas. They couldn't be with me here today, sadly. And this talk is based on a technical white paper publicly available on our blog, if you want to read it.

[00:01:04] So, as I said, we call this group Sednit. But depending on the research firms, they have other names like APT28, Fancy Bear or Sofacy. And this is a group doing targeted attacks since at least 2004.
[00:01:18] And their interest is mainly about geopolitics. As you might have seen in the news, they are very famous at the moment. They are supposedly behind the hack of the Democratic National Committee and also the World Anti-Doping Agency.

[00:01:34] And in this presentation, I will start by giving you some context around this group. After that, I will describe a textbook case of their current operations, during which we will dig into their toolset. And after that, I will present a different and strange operation also run by the Sednit group during the last few years. And finally, I will conclude with some lessons learned and open questions.

[00:02:00] So let's start with some context around the Sednit group. So what kind of people are they after? And for once, we know very precisely some of their targets, because they made a mistake during one of their phishing campaigns.
[00:02:15] The operators used the Bitly service to shorten the phishing URLs, but forgot to set the Bitly profile private. So we had access to around 4000 shortened URLs during six months in 2015. Here's an example of a URL that was shortened. It contains the e-mail address of the target and also its real name. So at this point, identifying the targets was pretty easy.

[00:02:41] In this list, there are embassies and ministries of more than 40 countries. There are NATO and EU institutions. And finally, there are a lot of individuals involved in Eastern Europe politics.

[00:02:55] To infect those targets, they pulled out several zero-days. Here you can see a timeline with the Sednit zero-day exploits for 2015 only. And all these vulnerabilities have been reported since. And I'm not even talking here about the revamped exploits they use. There are many of them also. And we are going to see that later.
[00:03:17] The story doesn't end in 2016. Just as an example, the Google Threat Analysis Group disclosed vulnerabilities in Flash and in the Windows kernel like a month ago, I think. And the exploit was using the Flash vulnerability to gain control of the remote computer and the Windows win32k vulnerability to escalate its privileges and bypass the sandbox. I won't describe the exploit here. There is enough information on the Internet, but this shows the Sednit group is quite resourceful.

[00:03:52] So this is the kind of group that deployed many custom software over the past 10 years, from rootkits to encryption proxy tools, including different types of backdoors. In short, they developed quite a lot.

[00:04:06] And before going further, I want to mention a few disclaimers. First, even if we tracked the Sednit group pretty closely during the last three years, we might be missing part of the picture. And as the name itself tells, we call it a group based on the toolkit.
[00:04:22] Even if they might be divided into several teams. And finally, we are not competent to do any sort of attribution, but our research might provide you insight that may be useful for that.

[00:04:34] So let's start our journey in the Sednit toolkit with Serge. Serge is actually a good name for a fictionalized target. He works for a government and has access to sensitive information. The chain of events and the timing that I am going to describe are in line with several real cases we've investigated during the last years, and we just use Serge as a textbook case to present part of the Sednit toolkit.

[00:05:04] So somewhere recently, it's Monday, 9:03 a.m., and Serge arrives at work and he opens an e-mail.
[00:05:12] This e-mail supposedly came from Stratfor, which provides regular reports on geopolitics. Except that if you look closely at the URL, what you will note is that the domain mimics the legitimate Stratfor domain, but also the URI is the same as on the legitimate Stratfor website, except that an ID was inserted in the middle, probably to identify the target. But let's say Serge clicks on the URL. And this is when Serge meets Sedkit, which is the Sednit exploit kit. And it is only used for targeted attacks.

[00:05:47] As we just saw, its entry point is usually URLs mimicking legitimate websites, and the infection usually starts from targeted phishing emails. But we've also seen redirections to Sedkit from hacked websites. We found Sedkit in September 2014 for the first time and it is still in use.

[00:06:09] So as a classic exploit kit, when you visit it, you receive a landing page that will build a reconnaissance report on the machine.
[00:06:16] The Sedkit landing page contains around 200 lines of JavaScript, and the code stayed the same over the last year. You can see here a simplified extract of this landing page. First, it will retrieve the time zone, and then it will enumerate the properties of the JavaScript objects called navigator and screen. And finally, it will enumerate the plugins installed in the browser. As you can see, there is a special case for Internet Explorer, where Java and Flash are detected by special methods. By the way, the comments here are from the developers.

[00:06:51] So to give you an idea, here is the report from Serge's computer. It's a JSON file. And you can see it contains a lot of information, such that the server can select its targets very precisely, not only based on the configuration, but also based on the language they speak and the time zone they are in.

[00:07:11] However, we don't know precisely what the operators are looking for.
[00:07:15] We crawled the exploit kit with various configurations and different IP addresses. Sometimes it works, sometimes it doesn't work. And so far, we don't really know why. But let's say that Serge is selected to be exploited. And this is when Serge visits the Sednit exploit factory.

[00:07:33] So here's the list of exploits that we saw from Sedkit since its beginning. And as you can see, three of them were zero-day exploits at the time they were used. Also, interestingly, there was an exploit for my Cupo, which is a cleaning tool for Windows made by a company from Ukraine. And it is probably mainly used by people from Eastern Europe. And the other exploits are recent exploits. And I am going to describe one of them right now.

[00:08:01] So this exploit targets CVE-2014-6332. This vulnerability is due to a flaw in the Internet Explorer VBScript engine that allows arbitrary write operations, with Sedkit delivering an exploit for this CVE in October 2015.
[00:08:18] And in this case, it was only reusing a PoC to disable the safe mode and to download a payload with PowerShell. But at the beginning of the year, we found a very different version of this exploit, a more complex one that was used in February 2016. This exploit didn't disable the safe mode but actually executed a ROP chain. The code is pretty big, around 400 lines of VBScript. And interestingly, it's custom.

[00:08:44] I won't try to read everything, but here's the beautiful code of the function building the ROP chain. And just to give you an example, we can see here a function to retrieve the code section address of a DLL on Windows 7. As you can see, that's a lot of effort.

[00:09:02] Turns out that part of this code is actually based on or inspired by a presentation made at Black Hat USA 2014. And once again, the Sednit group are not afraid of digging into complex exploits to make use of them in real-life examples. But on to the next stage now.
[00:09:20] Let's say that the exploit loads the payload. This is when Serge meets Seduploader. So Seduploader is usually downloaded by Sedkit, like in Serge's case. And this component actually includes two binaries, a dropper and its embedded payload. It is generally the first component deployed on the victim. And we dated the operation of Seduploader in March 2015.

[00:09:44] So let's start with the dropper now. You can see here its very simple workflow, but it contains some interesting features. The first one is a weird anti-analysis trick. So here is a snippet extracted from Hex-Rays. So first it will allocate a 10-byte buffer and it sets the last byte to the value 42. And then it will create a file with a very specific name. It will then write one million times in this file and then read one million times in the same file. After all that, it will check if the last byte of the 10-byte buffer still contains the value 42.
[00:10:18] If it doesn't, the dropper terminates its execution. So this could seem kind of strange, but we believe this is an anti-emulation trick, because they replaced it with a more common one in the most recent samples. And also, it might create intensive hard drive operations that may delay the execution of the software. Also, it may detect emulators wrongly implementing the memory management.

[00:10:44] So the next step is to decrypt the payload and to decompress it. These operations are implemented in a C++ class named Uploader by the developers themselves. You can see it here on the screen.

[00:10:55] After that, the dropper may use a local privilege escalation exploit, depending on the sample. One of these two CVEs may be used. The first one was a zero-day at the time they used it. And the second one is another gift from the Hacking Team leak.

[00:11:10] And finally, the dropper makes the payload persistent on the system. Interestingly, there are many different techniques used for persistence.
[00:11:17] Some of them are only used when the dropper runs with system privileges. You can see here, just to show them, techniques like the Windows COM object hijacking and the JavaScript code executed with rundll32. Those two techniques were first seen in other malware, and seeking inspiration in crimeware is something very common for the Sednit group.

[00:11:40] At this moment, the payload is running on Serge's computer, and the payload is actually a reconnaissance malware. And you can see here a simplified workflow again. Establishing the network connection with the C&C server would be the first step. It changed several times in the last few months. But first, it will try to reach google.com. And if it works, it moves on. However, if it doesn't work, it will retrieve the proxy credentials, for instance for Firefox. The payload looks for the profile file and it will parse it. If it succeeds, it will contact the C&C server via the proxy using those credentials.
[00:12:17] And then, if all the previous techniques didn't work, it will wait for the user to launch a browser in order to inject into it.

[00:12:25] The next step is to send the first-stage report on the system to the C&C server. This report begins with an ID generated to identify the computer. And also it will send the process list, some information on disk and a build number, which is hard-coded in the binary. And then it sends this, encrypted, through the network link that was previously established. It is rather a small report, but it is possibly in order to filter out security researchers and automated sandboxes.

[00:12:55] The final step is retrieving a configuration file from the C&C server. Here are the different values handled by the last version of the Seduploader payload. I will not go through them, they are quite explicit. But the main purpose is to download another binary and to execute it as an executable or a DLL.

[00:13:14] Now, let's go back to our chain of events.
[00:13:16] We are still day one. Serge's computer is infected with Seduploader. Same day, 30 minutes later, the operators are now sure that Serge is interesting, so Sedreco is downloaded on Serge's computer by Seduploader.

[00:13:33] So this is a classic backdoor with numerous commands. And interestingly, it has the ability to extend its behavior by loading external plugins. It is usually deployed after a successful infection, like in Serge's case, and while this component may be old, we know for a fact that it is still in use today.

[00:13:53] So Sedreco arrives on the system bundled in a dropper, which usually installs the payload and its configuration. It will drop the configuration at two places on the disk. The first place will be in a file named MSJ, and it will also copy the exact same data in the Windows registry.
[00:14:11] And of course, since the configuration is installed by the dropper, if you only have the payload, you won't be able to determine the configuration used with it.

[00:14:22] Now, let's talk about the configuration. You can see here the encrypted version. It comes with a small header, and the data is encrypted with a six-byte key located at the beginning of the header. And it is randomly generated by the dropper. Following the key, you have 20 bytes, each byte representing the size of a field in the data. Everything else is the encrypted data.

[00:14:45] Now we have the content once decrypted, and here is a better representation of the extracted fields. So those values are just timeout values. I don't find them really interesting. Here is Serge's computer name. Here you have a flag to specify whether or not the keylogger should be enabled. Here are the three C&C server URLs. The first one is the main one, the others are fallbacks.
[00:15:13] Here is what we believe to be an operation name. We have found several of them during the investigation. Some of them are shown on the screen.

[00:15:24] And as I mentioned before, Sedreco has the ability to load external plugins. When loading one plugin, it will store the path of this plugin at the end of the configuration. There is room for 10 plugins, and in the initial configuration, all those fields are empty because the build is dropped without any plugins.

[00:15:43] So now let's have a look at the payload. It comes with 26 commands, and each command is identified by a unique number. Those commands are registered during runtime using an export function named "register new command". And you can see here the registration of a few commands. Like, for example, it can read, write and find files on the disk. It can also list all running processes. It can manipulate the registry.
[00:16:13] Also, it can update itself or its configuration, or load and unload an external plugin.

[00:16:20] Speaking of plugins, they come as DLLs and they will be loaded in the same address space as the payload. And thanks to that, they can use any function of the main binary. So as shown on the picture, here's what happens when the payload initializes a plugin: it calls the plugin's export, passing some function addresses as arguments. In particular, it provides the addresses of the function handling the output formatting and also the command registration. So the plugin can register any additional command if needed.

[00:16:50] And here's an example of a plugin used in the past with Sedreco. This module was just registering a new command, this time opening a new channel with the C&C server. And when Sedreco is terminating, it will unload every plugin by calling another export. In this case, the export only deletes the previously registered command. And let's go back to our chain of events.
And as you know, 488 00:17:14,210 --> 00:17:16,419 we are still on day one, and Sedreco 489 00:17:16,420 --> 00:17:18,759 was deployed 30 minutes after the initial 490 00:17:18,760 --> 00:17:19,760 infection. 491 00:17:20,980 --> 00:17:22,749 Same day, four hours later, 492 00:17:23,970 --> 00:17:26,169 Sal meets Xagent, which 493 00:17:26,170 --> 00:17:28,029 was downloaded by Seduploader, like 494 00:17:28,030 --> 00:17:30,159 Sedreco. Xagent is 495 00:17:30,160 --> 00:17:31,960 a modular backdoor written in C++, 496 00:17:32,990 --> 00:17:35,109 for which there is at least a Windows, 497 00:17:35,110 --> 00:17:37,570 a Linux, an iOS and an Android version. 498 00:17:38,660 --> 00:17:40,659 Xagent is the flagship backdoor of the 499 00:17:40,660 --> 00:17:42,519 Sednit group. They used it in most of 500 00:17:42,520 --> 00:17:44,589 their operations over the 501 00:17:44,590 --> 00:17:46,769 last few years, and usually after 502 00:17:46,770 --> 00:17:48,639 a reconnaissance phase, like in 503 00:17:48,640 --> 00:17:49,640 Sal's case. 504 00:17:51,460 --> 00:17:53,629 We dated the first Xagent operation around 505 00:17:53,630 --> 00:17:55,899 November 2012, 506 00:17:55,900 --> 00:17:56,920 and it is still in use. 507 00:17:57,970 --> 00:17:59,499 So at this point, you 508 00:17:59,500 --> 00:18:01,589 might expect some C++ 509 00:18:01,590 --> 00:18:03,739 reverse engineering on Xagent binaries, 510 00:18:03,740 --> 00:18:04,869 right? 511 00:18:04,870 --> 00:18:06,999 Except that, due to a mistake from 512 00:18:07,000 --> 00:18:09,039 the operators, we recently got access to 513 00:18:09,040 --> 00:18:10,329 the source code of Xagent. 514 00:18:12,100 --> 00:18:13,839 And here is an 515 00:18:13,840 --> 00:18:16,039 extract of the source files 516 00:18:16,040 --> 00:18:17,329 we found. 
517 00:18:17,330 --> 00:18:19,659 It is a fully working C++ project 518 00:18:19,660 --> 00:18:21,329 corresponding to the Linux version of 519 00:18:21,330 --> 00:18:23,709 Xagent, and it was compiled in 520 00:18:23,710 --> 00:18:25,899 July 2015, which we know 521 00:18:25,900 --> 00:18:28,029 because there is 522 00:18:28,030 --> 00:18:30,129 a bin folder with a binary in it which 523 00:18:30,130 --> 00:18:31,480 was created at this date. 524 00:18:32,530 --> 00:18:34,899 And the source code contains around 525 00:18:34,900 --> 00:18:37,779 18K lines of code among 59 classes, 526 00:18:37,780 --> 00:18:39,459 so it is pretty big. 527 00:18:39,460 --> 00:18:41,709 We believe this Linux source code 528 00:18:41,710 --> 00:18:43,389 derives from the Windows version of 529 00:18:43,390 --> 00:18:46,579 Xagent, because at several places 530 00:18:46,580 --> 00:18:49,149 the developers just commented out some Win32 531 00:18:49,150 --> 00:18:51,549 API calls to replace 532 00:18:51,550 --> 00:18:53,709 them by Linux API calls, 533 00:18:53,710 --> 00:18:54,929 like in this case, for thread 534 00:18:54,930 --> 00:18:56,499 termination. 535 00:18:56,500 --> 00:18:59,079 And there are several 536 00:18:59,080 --> 00:19:00,279 versions of Xagent. 537 00:19:00,280 --> 00:19:02,979 The source code is major version 2, 538 00:19:02,980 --> 00:19:04,689 and the current Windows binaries are 539 00:19:04,690 --> 00:19:06,039 version 3, 540 00:19:06,040 --> 00:19:08,109 but it still matches the core logic 541 00:19:08,110 --> 00:19:09,430 of the version 3 binaries. 542 00:19:11,230 --> 00:19:12,489 As you would expect in such a big 543 00:19:12,490 --> 00:19:13,869 project, the source code is heavily 544 00:19:13,870 --> 00:19:15,189 commented. 
545 00:19:15,190 --> 00:19:16,989 The comments are a mix of badly written 546 00:19:16,990 --> 00:19:19,419 English with some Russian, 547 00:19:19,420 --> 00:19:21,159 and sometimes some ASCII art to describe 548 00:19:21,160 --> 00:19:22,160 the structures. 549 00:19:23,530 --> 00:19:25,449 But with that being said, let's look at 550 00:19:25,450 --> 00:19:26,530 the communication workflow. 551 00:19:29,080 --> 00:19:31,149 So here we got a simplified view 552 00:19:31,150 --> 00:19:33,219 of the communication workflow in Xagent, to 553 00:19:33,220 --> 00:19:35,469 give you an idea. At the center, 554 00:19:35,470 --> 00:19:37,299 on the Xagent-infected computer, the 555 00:19:37,300 --> 00:19:39,999 kernel's run method is an infinite loop 556 00:19:40,000 --> 00:19:41,469 which fetches the messages from the 557 00:19:41,470 --> 00:19:43,579 modules. Notice that the kernel is 558 00:19:43,580 --> 00:19:45,160 itself a module. 559 00:19:46,540 --> 00:19:48,669 Those messages are unencrypted C++ 560 00:19:48,670 --> 00:19:51,009 objects, which are serialized 561 00:19:51,010 --> 00:19:52,989 and encrypted by the channel and then 562 00:19:52,990 --> 00:19:54,480 given to the channel controller. 563 00:19:56,040 --> 00:19:58,029 The channel controller is the standard 564 00:19:58,030 --> 00:20:00,439 interface to contact the C&C server, 565 00:20:00,440 --> 00:20:02,379 and it forwards the messages to the C&C 566 00:20:02,380 --> 00:20:04,539 server. In 567 00:20:04,540 --> 00:20:06,249 the other direction, 568 00:20:06,250 --> 00:20:08,949 the channel controller regularly asks 569 00:20:08,950 --> 00:20:11,589 the C&C server for encrypted messages, 570 00:20:11,590 --> 00:20:13,719 one message for each module, and the 571 00:20:13,720 --> 00:20:15,879 message is then given to 572 00:20:15,880 --> 00:20:18,219 the channel, which deserializes 573 00:20:18,220 --> 00:20:20,289 and decrypts it and then gives it to 574 00:20:20,290 --> 00:20:21,290 the intended module. 
575 00:20:22,510 --> 00:20:24,039 One of the beauties behind this simple 576 00:20:24,040 --> 00:20:26,199 design is that the channel controller 577 00:20:26,200 --> 00:20:28,419 is unaware of the actual 578 00:20:28,420 --> 00:20:30,429 implementation of the network channel, 579 00:20:30,430 --> 00:20:32,539 which can be based on 580 00:20:32,540 --> 00:20:33,950 HTTP or emails. 581 00:20:35,380 --> 00:20:37,569 And in fact, the channel 582 00:20:37,570 --> 00:20:39,429 controller will switch automatically to a 583 00:20:39,430 --> 00:20:41,589 different channel if the currently used one 584 00:20:41,590 --> 00:20:42,590 is not working. 585 00:20:43,930 --> 00:20:45,279 Now, let's dig a little bit into the 586 00:20:45,280 --> 00:20:46,269 email channel. 587 00:20:46,270 --> 00:20:47,270 How is it working? 588 00:20:48,430 --> 00:20:50,289 So the workflow is quite 589 00:20:50,290 --> 00:20:51,290 simple. 590 00:20:51,820 --> 00:20:53,769 When the channel controller I just described 591 00:20:53,770 --> 00:20:56,019 has a message for the C&C server, 592 00:20:56,020 --> 00:20:58,209 the mail channel sends an email 593 00:20:58,210 --> 00:21:00,639 with the message as an attachment 594 00:21:00,640 --> 00:21:03,179 to an inbox. Depending on the sample, 595 00:21:03,180 --> 00:21:05,649 the inbox can be a free mail address, a 596 00:21:05,650 --> 00:21:07,839 Sednit address or a hacked email 597 00:21:07,840 --> 00:21:08,840 address, 598 00:21:10,180 --> 00:21:12,339 and the C&C server 599 00:21:12,340 --> 00:21:14,439 then retrieves the email from the inbox 600 00:21:14,440 --> 00:21:15,670 and processes the attachment. 601 00:21:16,870 --> 00:21:17,889 In the other direction, 
602 00:21:17,890 --> 00:21:19,719 if the C&C server has a message for one 603 00:21:19,720 --> 00:21:22,779 Xagent module, it sends the message 604 00:21:22,780 --> 00:21:24,279 as an attachment in an email to a 605 00:21:24,280 --> 00:21:26,419 different inbox, from which 606 00:21:26,420 --> 00:21:28,239 Xagent's mail channel retrieves that email. 607 00:21:30,810 --> 00:21:31,949 So it sounds easy, right? 608 00:21:31,950 --> 00:21:34,049 But the thing is, when you use emails 609 00:21:34,050 --> 00:21:35,189 to implement a command and control 610 00:21:35,190 --> 00:21:37,259 channel, first you need to have 611 00:21:37,260 --> 00:21:39,509 a way to distinguish your emails from 612 00:21:39,510 --> 00:21:41,579 unrelated emails like spam 613 00:21:41,580 --> 00:21:44,519 or legitimate emails in the inbox. 614 00:21:44,520 --> 00:21:46,529 And second, you need to bypass spam 615 00:21:46,530 --> 00:21:48,359 filters on your way to the inbox. 616 00:21:50,360 --> 00:21:52,049 And for those reasons, the Sednit 617 00:21:52,050 --> 00:21:53,249 developers implemented what they 618 00:21:53,250 --> 00:21:56,129 called the P2 scheme, which they describe 619 00:21:56,130 --> 00:21:57,359 as a level-2 protocol. 620 00:21:58,710 --> 00:22:01,019 This protocol defines how Xagent 621 00:22:01,020 --> 00:22:02,339 emails are built. 622 00:22:02,340 --> 00:22:04,079 And here's an example of an email 623 00:22:04,080 --> 00:22:05,759 following the protocol. 624 00:22:05,760 --> 00:22:07,079 So the protocol defines 625 00:22:08,370 --> 00:22:10,919 the subject of the email as the base64 626 00:22:10,920 --> 00:22:12,509 encoding of a value following this 627 00:22:12,510 --> 00:22:14,609 format, which starts with a 628 00:22:14,610 --> 00:22:16,769 random key, then a value 629 00:22:16,770 --> 00:22:18,989 called the token XORed with 630 00:22:18,990 --> 00:22:21,299 the key, 
and finally the agent 631 00:22:21,300 --> 00:22:23,040 ID XORed with the same key. 632 00:22:24,270 --> 00:22:26,519 The token is known by 633 00:22:26,520 --> 00:22:28,739 both the C&C server and the Xagent 634 00:22:28,740 --> 00:22:30,689 agent, and that's how they can 635 00:22:30,690 --> 00:22:32,459 distinguish their emails from 636 00:22:32,460 --> 00:22:33,460 unrelated emails. 637 00:22:34,530 --> 00:22:36,479 They decode the subject and check if the 638 00:22:36,480 --> 00:22:38,879 token is there. In practice, 639 00:22:38,880 --> 00:22:41,119 in many Xagent samples, the 640 00:22:41,120 --> 00:22:43,289 token is a 7-byte 641 00:22:43,290 --> 00:22:44,460 value. 642 00:22:47,590 --> 00:22:49,619 The P2 protocol also defines the body 643 00:22:49,620 --> 00:22:51,719 of the emails and the attachment 644 00:22:51,720 --> 00:22:53,399 name. Remember that the attachment 645 00:22:53,400 --> 00:22:56,069 contains the actual message. 646 00:22:56,070 --> 00:22:58,079 So those are simply the base64 encoding 647 00:22:58,080 --> 00:22:59,190 of some random values. 648 00:23:00,450 --> 00:23:01,589 So that's the P2 protocol. 649 00:23:01,590 --> 00:23:03,649 But actually, in the Linux source 650 00:23:03,650 --> 00:23:05,759 code, the developers replaced the P2 651 00:23:05,760 --> 00:23:08,069 protocol with some hardcoded values. 652 00:23:09,090 --> 00:23:11,429 We call it the Georgian mode because 653 00:23:11,430 --> 00:23:13,439 those values are words in the 654 00:23:13,440 --> 00:23:14,489 Georgian language. 655 00:23:15,630 --> 00:23:17,759 For example, the email subject is set 656 00:23:17,760 --> 00:23:19,829 to a word which refers to 657 00:23:19,830 --> 00:23:21,599 national ID numbers in Georgia. 658 00:23:22,770 --> 00:23:24,869 And the body is set to "gamarjoba", 659 00:23:24,870 --> 00:23:26,729 which means hello. 
660 00:23:26,730 --> 00:23:28,709 And the attachment name begins with a word 661 00:23:28,710 --> 00:23:30,869 which means "detail" in 662 00:23:30,870 --> 00:23:32,600 Georgian, followed by a timestamp. 663 00:23:33,720 --> 00:23:35,849 So this was probably done in 664 00:23:35,850 --> 00:23:38,099 order to not attract attention 665 00:23:38,100 --> 00:23:40,139 in the Georgian infrastructure, or maybe 666 00:23:40,140 --> 00:23:41,669 in a hacked Georgian inbox. 667 00:23:43,710 --> 00:23:45,699 And to conclude with Xagent now, as 668 00:23:45,700 --> 00:23:46,619 a bonus, 669 00:23:46,620 --> 00:23:49,049 I just want to say a few words on Xagent's 670 00:23:49,050 --> 00:23:51,359 C&C infrastructure, because once 671 00:23:51,360 --> 00:23:53,129 again we've got access to some source 672 00:23:53,130 --> 00:23:55,409 code, and the source code this time 673 00:23:55,410 --> 00:23:57,509 was left in an open directory 674 00:23:57,510 --> 00:23:59,819 on a Sednit server, and it was 675 00:23:59,820 --> 00:24:01,709 indexed by Google Search, so we found it 676 00:24:01,710 --> 00:24:03,809 by some queries for the 677 00:24:03,810 --> 00:24:05,250 P2 protocol previously described. 678 00:24:08,680 --> 00:24:10,329 So this code is actually a proxy 679 00:24:10,330 --> 00:24:11,849 server for the backend C&C server. 680 00:24:12,990 --> 00:24:14,819 And you can see from the source files 681 00:24:14,820 --> 00:24:16,889 here that it is developed in Python 682 00:24:16,890 --> 00:24:19,199 and was used between 683 00:24:19,200 --> 00:24:21,359 April and June 2015, which 684 00:24:21,360 --> 00:24:23,429 we know because there are some files 685 00:24:23,430 --> 00:24:25,020 with timestamps in it. 686 00:24:26,250 --> 00:24:28,139 It contains around 12K lines of code, 687 00:24:28,140 --> 00:24:29,429 because this is actually more than a 688 00:24:29,430 --> 00:24:30,430 simple relay. 
689 00:24:31,500 --> 00:24:33,419 What it does is it will translate the 690 00:24:33,420 --> 00:24:35,339 email protocol from Xagent-infected 691 00:24:35,340 --> 00:24:36,340 computers 692 00:24:37,830 --> 00:24:40,019 into HTTP requests 693 00:24:40,020 --> 00:24:42,389 for the backend C&C server. 694 00:24:42,390 --> 00:24:43,949 Those HTTP requests follow a 695 00:24:43,950 --> 00:24:46,589 specific format called the P3 protocol, 696 00:24:46,590 --> 00:24:47,759 level-3 protocol. 697 00:24:48,990 --> 00:24:50,249 And by the way, we believe they use the 698 00:24:50,250 --> 00:24:52,439 same kind of setup for 699 00:24:52,440 --> 00:24:54,659 the HTTP channel as for the email 700 00:24:54,660 --> 00:24:55,769 channel, 701 00:24:55,770 --> 00:24:57,569 even if this particular proxy is just for 702 00:24:57,570 --> 00:24:58,570 the mail channel. 703 00:25:00,080 --> 00:25:02,279 So enough with Xagent now. 704 00:25:02,280 --> 00:25:04,009 Let's come back to the chain of events. 705 00:25:04,010 --> 00:25:06,019 We are still on day one after the initial 706 00:25:06,020 --> 00:25:08,139 infection. Sedreco was deployed, 707 00:25:08,140 --> 00:25:10,369 Xagent was deployed, and at this point 708 00:25:10,370 --> 00:25:12,319 Sednit has got two spying backdoors on the 709 00:25:12,320 --> 00:25:14,419 target at the same time, such 710 00:25:14,420 --> 00:25:16,549 that if one of them is detected, they 711 00:25:16,550 --> 00:25:17,990 don't lose access to the computer. 712 00:25:19,660 --> 00:25:21,169 And the next days are going to be the 713 00:25:21,170 --> 00:25:23,659 time for information exfiltration 714 00:25:23,660 --> 00:25:24,770 and lateral movement. 
715 00:25:26,950 --> 00:25:28,720 So during the next three days, 716 00:25:30,400 --> 00:25:32,349 Sednit is going to drop and execute 717 00:25:32,350 --> 00:25:34,509 some password extraction tools. They 718 00:25:34,510 --> 00:25:36,459 often use a set of tools called 719 00:25:36,460 --> 00:25:38,439 SecurityXploded that are freely available on the 720 00:25:38,440 --> 00:25:39,879 Internet, 721 00:25:39,880 --> 00:25:41,349 and those tools can extract passwords 722 00:25:41,350 --> 00:25:42,849 from a variety of software, such 723 00:25:43,990 --> 00:25:46,479 as browsers or email clients. 724 00:25:46,480 --> 00:25:48,199 The problem is they are 725 00:25:48,200 --> 00:25:50,079 well known and they are often detected by 726 00:25:50,080 --> 00:25:51,080 antivirus. 727 00:25:51,850 --> 00:25:53,289 So Sednit wrote their own password 728 00:25:53,290 --> 00:25:55,209 extraction tools. In particular, 729 00:25:55,210 --> 00:25:56,949 there is one for Windows Live Mail that 730 00:25:56,950 --> 00:25:59,739 is dropped on Sal's computer. 731 00:25:59,740 --> 00:26:02,019 It has been compiled specifically for him, 732 00:26:02,020 --> 00:26:04,089 as it searches for the passwords 733 00:26:04,090 --> 00:26:06,159 in a hardcoded path that only exists 734 00:26:06,160 --> 00:26:07,160 on Sal's computer. 735 00:26:09,030 --> 00:26:10,799 Of course, the operators try to retrieve 736 00:26:10,800 --> 00:26:12,849 the Windows passwords on Sal's computer. 737 00:26:12,850 --> 00:26:14,609 For that, they got some custom tools to 738 00:26:14,610 --> 00:26:16,739 dump Windows passwords from 739 00:26:16,740 --> 00:26:19,199 registry hives, and without surprise, 740 00:26:19,200 --> 00:26:20,159 they use Mimikatz. 741 00:26:20,160 --> 00:26:22,259 Mimikatz gets used a lot, and the output 742 00:26:22,260 --> 00:26:24,449 is often stored in a 743 00:26:24,450 --> 00:26:25,450 log file. 
744 00:26:26,280 --> 00:26:28,199 All these tools may be deployed 745 00:26:28,200 --> 00:26:29,819 with LPE exploits, depending on the 746 00:26:29,820 --> 00:26:30,839 target configuration. 747 00:26:33,090 --> 00:26:35,129 Sal may also meet another component, 748 00:26:35,130 --> 00:26:36,419 which is a small custom tool 749 00:26:36,420 --> 00:26:38,729 they made to take screenshots. 750 00:26:38,730 --> 00:26:39,809 When it is executed, 751 00:26:39,810 --> 00:26:41,399 it takes screenshots in rapid 752 00:26:41,400 --> 00:26:43,619 succession when the mouse moves, 753 00:26:43,620 --> 00:26:45,310 and it does that 15 times in a row. 754 00:26:47,370 --> 00:26:49,739 And finally, Sal meets Xtunnel, 755 00:26:49,740 --> 00:26:51,359 which is a custom network proxy tool 756 00:26:51,360 --> 00:26:53,279 to contact computers that are not 757 00:26:53,280 --> 00:26:55,109 normally reachable from the Internet, using 758 00:26:55,110 --> 00:26:56,970 the infected computer as a pivot. 759 00:26:57,990 --> 00:27:01,049 This component appeared in May 2013 760 00:27:01,050 --> 00:27:02,050 and it is still in use. 761 00:27:04,470 --> 00:27:06,539 So how does it work exactly? 762 00:27:06,540 --> 00:27:08,519 Here's the initial situation. 
763 00:27:08,520 --> 00:27:09,929 The Sednit C&C server is on the 764 00:27:09,930 --> 00:27:12,089 Internet. Sal's computer is 765 00:27:12,090 --> 00:27:14,069 in its organization's network and is 766 00:27:14,070 --> 00:27:16,169 infected with Xtunnel. 767 00:27:16,170 --> 00:27:18,089 Computer A and computer B are in the same 768 00:27:18,090 --> 00:27:21,149 network, but they are not reachable 769 00:27:21,150 --> 00:27:22,559 from the Internet and they are not under 770 00:27:22,560 --> 00:27:23,560 Sednit control, 771 00:27:24,720 --> 00:27:26,009 but they are reachable from Sal's 772 00:27:26,010 --> 00:27:28,179 computer. So 773 00:27:28,180 --> 00:27:29,849 Xtunnel begins an encryption 774 00:27:29,850 --> 00:27:32,439 handshake with the C&C server, 775 00:27:32,440 --> 00:27:33,899 and the purpose of this handshake is to 776 00:27:33,900 --> 00:27:35,969 share a key to encrypt the 777 00:27:35,970 --> 00:27:38,729 communications between the two of them. 778 00:27:38,730 --> 00:27:40,999 To do so, Xtunnel and the C&C 779 00:27:41,000 --> 00:27:43,439 server both have a copy of 780 00:27:43,440 --> 00:27:45,509 a big table filled with random-looking 781 00:27:45,510 --> 00:27:46,529 bytes. 782 00:27:46,530 --> 00:27:47,530 Let's call this table T. 783 00:27:48,900 --> 00:27:50,759 Xtunnel randomly picks an 784 00:27:50,760 --> 00:27:53,039 offset O in the table, 785 00:27:53,040 --> 00:27:54,929 and the 32-byte row starting at this 786 00:27:54,930 --> 00:27:57,089 offset O is the key that 787 00:27:57,090 --> 00:27:58,319 Xtunnel wants to share with the 788 00:27:58,320 --> 00:27:59,320 C&C server. 789 00:28:00,170 --> 00:28:01,929 But Xtunnel does not send the key, 790 00:28:01,930 --> 00:28:04,179 of course. It sends the offset O 791 00:28:04,180 --> 00:28:06,259 plus a proof that Xtunnel really knows 792 00:28:06,260 --> 00:28:07,260 the table T. 
793 00:28:08,170 --> 00:28:10,299 This proof is another row of T, 794 00:28:11,310 --> 00:28:13,569 located at a fixed offset, this time 795 00:28:13,570 --> 00:28:14,869 encrypted with the chosen key. 796 00:28:16,940 --> 00:28:18,159 The C&C server checks 797 00:28:18,160 --> 00:28:20,349 the proof, and if it's correct, that is, 798 00:28:20,350 --> 00:28:22,089 if it gives the expected value once 799 00:28:22,090 --> 00:28:23,239 decrypted, 800 00:28:23,240 --> 00:28:25,119 it answers OK 801 00:28:25,120 --> 00:28:27,249 and sets its own key to the 802 00:28:27,250 --> 00:28:28,809 32-byte row starting at the offset. 803 00:28:30,430 --> 00:28:32,319 So at this point, all the data 804 00:28:32,320 --> 00:28:34,399 exchanged between the C&C server and 805 00:28:34,400 --> 00:28:36,189 Xtunnel will be RC4-encrypted with 806 00:28:36,190 --> 00:28:38,399 the chosen key. Note 807 00:28:38,400 --> 00:28:41,079 that sending the offset rather than the key 808 00:28:41,080 --> 00:28:43,239 prevents the decryption of the traffic 809 00:28:43,240 --> 00:28:44,240 by an eavesdropper. 810 00:28:45,800 --> 00:28:47,989 Also, since 2014, 811 00:28:47,990 --> 00:28:49,899 this encrypted link is encapsulated 812 00:28:49,900 --> 00:28:52,329 into TLS, which is not a bad idea, 813 00:28:52,330 --> 00:28:54,369 except that Xtunnel does not verify the 814 00:28:54,370 --> 00:28:55,819 certificate of the C&C 815 00:28:55,820 --> 00:28:56,820 server. 816 00:28:57,850 --> 00:28:59,170 And now the next step. 817 00:29:00,310 --> 00:29:02,049 Once the encrypted link has been 818 00:29:02,050 --> 00:29:04,329 established, the C&C server can ask Xtunnel 819 00:29:04,330 --> 00:29:05,529 to open 820 00:29:05,530 --> 00:29:07,299 a tunnel with a target computer, using 821 00:29:07,300 --> 00:29:09,459 an IP address or domain name 822 00:29:09,460 --> 00:29:10,509 and a TCP port. 
823 00:29:10,510 --> 00:29:12,759 Xtunnel then 824 00:29:12,760 --> 00:29:14,859 opens a TCP connection with the 825 00:29:14,860 --> 00:29:15,969 target computer, 826 00:29:15,970 --> 00:29:16,970 here computer A, 827 00:29:19,400 --> 00:29:21,379 and starts forwarding data between computer A 828 00:29:21,380 --> 00:29:23,779 and the C&C server in both directions. 829 00:29:23,780 --> 00:29:26,029 Note that the link between Xtunnel 830 00:29:26,030 --> 00:29:28,309 and computer A is not encrypted, 831 00:29:28,310 --> 00:29:29,899 so that any kind of TCP traffic can 832 00:29:29,900 --> 00:29:32,389 be forwarded to the target computer. 833 00:29:32,390 --> 00:29:33,769 We don't know exactly what kind of 834 00:29:33,770 --> 00:29:35,209 traffic 835 00:29:35,210 --> 00:29:37,249 the operators usually send through 836 00:29:37,250 --> 00:29:39,349 Xtunnel, but it has been reported to be 837 00:29:39,350 --> 00:29:41,929 used with PsExec-like tools 838 00:29:41,930 --> 00:29:43,499 that allow the execution of commands on 839 00:29:43,500 --> 00:29:45,769 the remote computer without having 840 00:29:45,770 --> 00:29:47,089 an agent running on this computer. 841 00:29:48,290 --> 00:29:50,539 Finally, a tunnel is identified 842 00:29:50,540 --> 00:29:51,619 by an ID, 843 00:29:51,620 --> 00:29:53,509 such that Xtunnel can manage 844 00:29:53,510 --> 00:29:54,510 several of them. 845 00:29:55,580 --> 00:29:57,679 And so, for example, another tunnel can 846 00:29:57,680 --> 00:29:59,779 be opened with 847 00:29:59,780 --> 00:30:00,780 computer B, 848 00:30:01,640 --> 00:30:02,689 and Xtunnel will take care of the 849 00:30:02,690 --> 00:30:04,890 routing of the traffic in the tunnels. 850 00:30:06,440 --> 00:30:08,399 So to summarize, the Sednit C&C server can 851 00:30:08,400 --> 00:30:10,579 now reach computer A and computer B over 852 00:30:10,580 --> 00:30:12,739 TCP, using Sal's computer 853 00:30:12,740 --> 00:30:13,740 as a pivot. 
854 00:30:16,150 --> 00:30:17,869 And now let's go back to the 855 00:30:17,870 --> 00:30:18,819 chain of events. 856 00:30:18,820 --> 00:30:21,189 We just had three days of information 857 00:30:21,190 --> 00:30:24,069 exfiltration and lateral movement. 858 00:30:24,070 --> 00:30:26,349 The last action from the operators during 859 00:30:26,350 --> 00:30:27,699 this first week would be to set up an 860 00:30:27,700 --> 00:30:29,859 additional persistence method on Sal's 861 00:30:29,860 --> 00:30:31,839 computer, for long-term monitoring. 862 00:30:33,550 --> 00:30:35,230 So Friday, around 11:00 a.m., 863 00:30:36,420 --> 00:30:39,189 the long-term persistence method consists 864 00:30:39,190 --> 00:30:40,939 in a special Xagent binary copied in 865 00:30:40,940 --> 00:30:42,879 the Microsoft Office folder under the 866 00:30:42,880 --> 00:30:45,209 name msi.dll. 867 00:30:45,210 --> 00:30:46,989 This copy operation is done by another 868 00:30:46,990 --> 00:30:48,969 binary dropped on the machine. 869 00:30:48,970 --> 00:30:51,039 You can see it here. To write in 870 00:30:51,040 --> 00:30:52,809 the Office folder, this binary needs to 871 00:30:52,810 --> 00:30:55,049 have administrative rights, and for that 872 00:30:55,050 --> 00:30:56,829 it first executes a local privilege 873 00:30:56,830 --> 00:30:58,539 escalation exploit. 874 00:30:58,540 --> 00:31:00,459 And then it copies the Xagent binary 875 00:31:00,460 --> 00:31:02,199 named msi.dll in the Office 876 00:31:02,200 --> 00:31:03,200 folder. 877 00:31:04,390 --> 00:31:06,069 To understand what will happen next, 878 00:31:06,070 --> 00:31:07,419 first we need to know that there is a 879 00:31:07,420 --> 00:31:09,609 legitimate Windows DLL named msi.dll 880 00:31:09,610 --> 00:31:11,809 stored in the 881 00:31:11,810 --> 00:31:13,289 System32 folder. 
882 00:31:13,290 --> 00:31:15,759 This DLL is usually 883 00:31:15,760 --> 00:31:18,069 used by Office applications in particular. 884 00:31:19,470 --> 00:31:21,239 And also you need to know that the 885 00:31:21,240 --> 00:31:23,499 Xagent binary exports 886 00:31:23,500 --> 00:31:25,239 the exact same function names 887 00:31:25,240 --> 00:31:26,769 as the legitimate DLL. 888 00:31:27,850 --> 00:31:29,439 So at this point, you can guess 889 00:31:29,440 --> 00:31:30,440 what happens next. 890 00:31:31,930 --> 00:31:34,149 The next time Sal starts Office, Xagent's 891 00:31:34,150 --> 00:31:36,319 msi.dll is loaded 892 00:31:36,320 --> 00:31:38,799 instead of the legitimate msi.dll, 893 00:31:38,800 --> 00:31:40,569 because it is in the local folder of 894 00:31:40,570 --> 00:31:42,789 Office and thus it is found before the 895 00:31:42,790 --> 00:31:43,869 System32 file. 896 00:31:45,670 --> 00:31:47,449 Xagent then loads the real msi.dll 897 00:31:47,450 --> 00:31:50,379 from the System32 folder, 898 00:31:50,380 --> 00:31:52,329 and it fills its own export table with 899 00:31:52,330 --> 00:31:54,579 the addresses of the functions 900 00:31:54,580 --> 00:31:56,619 of the legitimate DLL, such that each 901 00:31:56,620 --> 00:31:58,359 call to an Xagent export will actually go 902 00:31:58,360 --> 00:32:00,369 to the legitimate DLL and the 903 00:32:00,370 --> 00:32:01,500 application won't crash. 904 00:32:03,010 --> 00:32:05,859 Finally, it starts its malicious logic. 905 00:32:05,860 --> 00:32:07,349 In other words, it's a simple search 906 00:32:07,350 --> 00:32:09,279 order hijacking based on the fact that 907 00:32:09,280 --> 00:32:10,990 they can write into the Office folder. 
908 00:32:12,010 --> 00:32:14,319 And by the way, we have also seen 909 00:32:14,320 --> 00:32:16,119 recently this search order hijacking 910 00:32:16,120 --> 00:32:17,939 technique with a linkinfo.dll 911 00:32:17,940 --> 00:32:19,309 dropped into the Windows folder. 912 00:32:21,720 --> 00:32:23,339 So that concludes the story of Sal, 913 00:32:23,340 --> 00:32:25,409 this textbook case of what 914 00:32:25,410 --> 00:32:27,719 happens to Sednit targets 915 00:32:27,720 --> 00:32:29,039 during the first days of infection. 916 00:32:31,950 --> 00:32:34,109 Now we have a pretty good idea 917 00:32:34,110 --> 00:32:35,819 of what the Sednit ecosystem looks like. 918 00:32:38,090 --> 00:32:39,349 Let's have a look at the weird case we 919 00:32:39,350 --> 00:32:40,350 found last year. 920 00:32:42,090 --> 00:32:44,159 Some day in September 2015, 921 00:32:44,160 --> 00:32:46,579 we received an unusual sample. 922 00:32:46,580 --> 00:32:48,659 It was a dropper previously used by 923 00:32:48,660 --> 00:32:49,919 Sednit, 924 00:32:49,920 --> 00:32:51,539 and it was showing this document as a 925 00:32:51,540 --> 00:32:52,540 decoy. 926 00:32:53,010 --> 00:32:54,599 As you can see, it is a legitimate 927 00:32:54,600 --> 00:32:57,539 invitation for a geopolitics conference, 928 00:32:57,540 --> 00:32:59,429 and this document is actually publicly 929 00:32:59,430 --> 00:33:00,450 available on the Internet. 930 00:33:02,670 --> 00:33:04,799 Sadly, the payload just does 931 00:33:04,800 --> 00:33:06,839 downloads, and even worse, it is written 932 00:33:06,840 --> 00:33:08,729 in Delphi. 
And since we are good at 933 00:33:08,730 --> 00:33:10,279 naming things, we named it Downdelph. 934 00:33:11,600 --> 00:33:13,249 The workflow for this sample: 935 00:33:13,250 --> 00:33:15,029 it downloads a configuration file, and 936 00:33:15,030 --> 00:33:17,249 based on this configuration, it will 937 00:33:17,250 --> 00:33:19,589 download and execute another 938 00:33:19,590 --> 00:33:20,590 payload. 939 00:33:21,180 --> 00:33:23,249 The persistence method was just a Run 940 00:33:23,250 --> 00:33:25,319 registry key. So nothing really exciting so 941 00:33:25,320 --> 00:33:27,869 far, except that 942 00:33:27,870 --> 00:33:29,999 we found another Downdelph deployment, 943 00:33:30,000 --> 00:33:32,219 in 2013 this time. 944 00:33:32,220 --> 00:33:34,409 And this graph describes the deployment 945 00:33:34,410 --> 00:33:36,809 at the time. You can see we had Downdelph 946 00:33:36,810 --> 00:33:38,719 and the dropper at the top, 947 00:33:38,720 --> 00:33:40,239 and this time with a small helper and 948 00:33:40,240 --> 00:33:41,240 a bootkit installer. 949 00:33:43,950 --> 00:33:46,289 So even if this bootkit infects 950 00:33:46,290 --> 00:33:48,569 MBR-based systems, this installer will infect 951 00:33:48,570 --> 00:33:50,849 multiple versions of Windows running 952 00:33:50,850 --> 00:33:52,260 on x86 processors. 953 00:33:55,040 --> 00:33:56,869 So here are the first sectors of the disk 954 00:33:56,870 --> 00:33:58,339 after a successful infection. 955 00:33:59,720 --> 00:34:01,789 The first sector of the disk is 956 00:34:01,790 --> 00:34:04,069 the new malicious MBR. 957 00:34:04,070 --> 00:34:06,199 The second sector is the original MBR 958 00:34:06,200 --> 00:34:08,869 XORed with a one-byte key, 959 00:34:08,870 --> 00:34:11,059 and starting at the third sector 960 00:34:11,060 --> 00:34:13,249 we have the core of the bootkit 961 00:34:13,250 --> 00:34:15,799 code. At last, 
962 00:34:15,800 --> 00:34:18,769 we have also an encrypted driver, 963 00:34:18,770 --> 00:34:20,809 and the installer also hides Downdelph in the 964 00:34:20,810 --> 00:34:22,549 registry, but I will come to it 965 00:34:22,550 --> 00:34:23,550 later. 966 00:34:25,090 --> 00:34:26,468 So let's describe a very simplified 967 00:34:26,469 --> 00:34:27,489 version of this workflow. 968 00:34:29,239 --> 00:34:31,489 First, the malicious MBR is executed. 969 00:34:32,840 --> 00:34:34,879 In a very classic way, it will hook the 970 00:34:34,880 --> 00:34:37,129 interrupt 0x13, which handles 971 00:34:37,130 --> 00:34:39,319 all low-level read and write 972 00:34:39,320 --> 00:34:40,249 operations, 973 00:34:40,250 --> 00:34:41,988 and by doing that, it is able to 974 00:34:41,989 --> 00:34:44,299 intercept every byte 975 00:34:44,300 --> 00:34:45,889 read from the disk during the loading. 976 00:34:47,570 --> 00:34:49,669 Thanks to that, it searches the memory 977 00:34:49,670 --> 00:34:51,589 for some specific bytes in order to patch 978 00:34:51,590 --> 00:34:52,609 them. 979 00:34:52,610 --> 00:34:54,709 Those bytes belong to bootmgr, which is 980 00:34:54,710 --> 00:34:56,539 the next step in the boot chain, as 981 00:34:56,540 --> 00:34:57,540 explained before. 982 00:34:58,880 --> 00:35:00,650 So at this point, bootmgr is patched, 983 00:35:02,890 --> 00:35:04,959 and then the bootkit takes control again. 984 00:35:04,960 --> 00:35:07,149 And this time it will patch 985 00:35:07,150 --> 00:35:09,999 the function OslArchTransferToKernel 986 00:35:10,000 --> 00:35:12,099 in winload.exe, which 987 00:35:12,100 --> 00:35:13,570 is the next step in the boot chain. 988 00:35:14,810 --> 00:35:17,619 Like the name suggests, 989 00:35:17,620 --> 00:35:19,179 this function will call the kernel entry 990 00:35:19,180 --> 00:35:20,180 point. 
991 00:35:21,130 --> 00:35:23,259 So with this patch the 992 00:35:23,260 --> 00:35:24,969 bootkit takes control of the execution before 993 00:35:24,970 --> 00:35:26,859 the kernel is executed. 994 00:35:26,860 --> 00:35:28,749 At this point, the kernel and all its 995 00:35:28,750 --> 00:35:30,879 basic drivers are mapped into the virtual 996 00:35:30,880 --> 00:35:33,009 memory and the integrity checks 997 00:35:33,010 --> 00:35:34,269 are already performed. 998 00:35:35,830 --> 00:35:38,169 So what the bootkit does now is 999 00:35:38,170 --> 00:35:39,489 it will look for the function 1000 00:35:39,490 --> 00:35:41,499 MmMapIoSpace and it will set the 1001 00:35:41,500 --> 00:35:43,509 resource section of the ACPI driver to 1002 00:35:43,510 --> 00:35:45,719 executable before hiding some code 1003 00:35:45,720 --> 00:35:47,899 in it. It will also hook the ACPI 1004 00:35:47,900 --> 00:35:49,849 driver entry point to execute this code. 1005 00:35:52,010 --> 00:35:53,709 The bootkit needs to save all those 1006 00:35:53,710 --> 00:35:55,599 important addresses somewhere because the 1007 00:35:55,600 --> 00:35:58,629 physical addresses won't be accessible 1008 00:35:58,630 --> 00:36:00,909 after the kernel initialization. 1009 00:36:00,910 --> 00:36:02,379 So it will save everything in the kernel 1010 00:36:02,380 --> 00:36:03,579 header. You can see 1011 00:36:03,580 --> 00:36:04,749 it here. 1012 00:36:04,750 --> 00:36:06,969 We have the base address, the address 1013 00:36:06,970 --> 00:36:08,859 of the function MmMapIoSpace 1014 00:36:08,860 --> 00:36:11,019 and also the original bytes of 1015 00:36:11,020 --> 00:36:12,429 the ACPI entry point. 1016 00:36:14,170 --> 00:36:16,629 Now the driver is patched, 1017 00:36:16,630 --> 00:36:18,429 and when the driver is loading, the hook 1018 00:36:18,430 --> 00:36:19,430 will be executed.
1019 00:36:20,730 --> 00:36:22,949 So first, the code hidden in the resource 1020 00:36:22,950 --> 00:36:25,319 section will write back the original 1021 00:36:25,320 --> 00:36:27,959 entry point instructions to avoid 1022 00:36:27,960 --> 00:36:30,689 being detected by the kernel protection. 1023 00:36:30,690 --> 00:36:32,639 And this is where the bootkit will map 1024 00:36:32,640 --> 00:36:34,469 its physical address into the 1025 00:36:34,470 --> 00:36:36,059 virtual address space by calling the 1026 00:36:36,060 --> 00:36:38,129 function MmMapIoSpace. 1027 00:36:38,130 --> 00:36:39,539 And after that, it will be able to 1028 00:36:39,540 --> 00:36:40,949 decrypt the hidden driver. 1029 00:36:42,580 --> 00:36:44,229 So there are three components involved at 1030 00:36:44,230 --> 00:36:45,679 this moment. 1031 00:36:45,680 --> 00:36:47,699 The bootkit driver will decrypt a file, 1032 00:36:47,700 --> 00:36:49,899 named the user-mode component by 1033 00:36:49,900 --> 00:36:51,399 the developers, 1034 00:36:51,400 --> 00:36:53,109 and it will manually map it into its 1035 00:36:53,110 --> 00:36:54,819 process. 1036 00:36:54,820 --> 00:36:56,289 Then this user-mode component will 1037 00:36:56,290 --> 00:36:58,899 decrypt and load Downdelph itself, 1038 00:36:58,900 --> 00:37:00,429 hidden in the registry as well. 1039 00:37:02,700 --> 00:37:04,649 But this workflow was kind of odd because 1040 00:37:04,650 --> 00:37:06,059 the driver could have loaded Downdelph 1041 00:37:06,060 --> 00:37:08,309 directly, and looking at the user-mode 1042 00:37:08,310 --> 00:37:09,449 component 1043 00:37:09,450 --> 00:37:11,159 we have found evidence that Downdelph wasn't 1044 00:37:11,160 --> 00:37:13,119 the intended payload used with this 1045 00:37:13,120 --> 00:37:14,790 bootkit. More precisely, 1046 00:37:16,650 --> 00:37:18,659 when injecting Downdelph, it sets a 1047 00:37:18,660 --> 00:37:20,369 specific exported variable.
1048 00:37:21,800 --> 00:37:23,759 But the variable doesn't exist in any 1049 00:37:23,760 --> 00:37:25,679 known samples of Downdelph. 1050 00:37:25,680 --> 00:37:27,059 So Downdelph was probably not the 1051 00:37:27,060 --> 00:37:28,060 original payload. 1052 00:37:28,830 --> 00:37:31,079 We believe that the bootkit, or at 1053 00:37:31,080 --> 00:37:33,179 least the driver, is connected to 1054 00:37:33,180 --> 00:37:34,290 the BlackEnergy malware, 1055 00:37:35,490 --> 00:37:37,829 because we have found several 1056 00:37:37,830 --> 00:37:39,829 shared features between the two families. 1057 00:37:39,830 --> 00:37:41,819 The user-mode component is manually mapped 1058 00:37:41,820 --> 00:37:43,169 into the process memory. 1059 00:37:43,170 --> 00:37:45,079 And all this code is shared between 1060 00:37:45,080 --> 00:37:47,269 Downdelph and some earliest 1061 00:37:47,270 --> 00:37:48,499 samples of BlackEnergy. 1062 00:37:49,680 --> 00:37:51,959 And to do so, there are three exports used 1063 00:37:51,960 --> 00:37:53,369 in the driver to load the user-mode 1064 00:37:53,370 --> 00:37:55,619 component, respectively entry, epee 1065 00:37:55,620 --> 00:37:57,899 data. And then those exports are 1066 00:37:57,900 --> 00:37:59,989 also present in BlackEnergy 1067 00:37:59,990 --> 00:38:01,560 and used in the exact same way. 1068 00:38:03,240 --> 00:38:04,829 So this might indicate that the 1069 00:38:04,830 --> 00:38:07,769 developers have access to BlackEnergy 1070 00:38:07,770 --> 00:38:09,839 source code. However, we are 1071 00:38:09,840 --> 00:38:11,909 not aware of any bootkit coming with 1072 00:38:11,910 --> 00:38:13,020 BlackEnergy or other toolkits. 1073 00:38:14,370 --> 00:38:16,319 Anyway, enough of that bootkit. 1074 00:38:16,320 --> 00:38:17,499 Let's go back to Downdelph.
1075 00:38:19,100 --> 00:38:21,239 Looking at some other samples of 1076 00:38:21,240 --> 00:38:23,569 Downdelph, we have found another deployment 1077 00:38:23,570 --> 00:38:25,689 in 2014, 1078 00:38:25,690 --> 00:38:27,839 and this time Downdelph came with a kernel 1079 00:38:27,840 --> 00:38:28,840 mode rootkit. 1080 00:38:30,110 --> 00:38:32,089 So the rootkit's purpose is to ensure Downdelph's 1081 00:38:32,090 --> 00:38:33,889 persistence on the system by 1082 00:38:33,890 --> 00:38:35,320 injecting it into a process, 1083 00:38:36,500 --> 00:38:38,659 and also to hide everything related 1084 00:38:38,660 --> 00:38:40,559 to Downdelph from the user and from the 1085 00:38:40,560 --> 00:38:41,989 system, so you can't see anything on the 1086 00:38:41,990 --> 00:38:42,990 disk. 1087 00:38:43,430 --> 00:38:44,779 Thanks for that, the developers just 1088 00:38:44,780 --> 00:38:46,879 left all kinds of debugging information in 1089 00:38:46,880 --> 00:38:48,889 the samples. So here's the exact 1090 00:38:48,890 --> 00:38:50,269 debugging output during the driver 1091 00:38:50,270 --> 00:38:51,469 loading. 1092 00:38:51,470 --> 00:38:53,329 We can see the folder and the registry key to 1093 00:38:53,330 --> 00:38:55,429 hide, the driver to load and the DLL 1094 00:38:55,430 --> 00:38:56,430 to inject. 1095 00:38:57,870 --> 00:39:00,169 We have two variants of this rootkit. 1096 00:39:00,170 --> 00:39:01,649 The first version of the rootkit was 1097 00:39:01,650 --> 00:39:03,959 targeting Windows XP computers 1098 00:39:03,960 --> 00:39:05,909 and was doing some simple SSDT 1099 00:39:05,910 --> 00:39:07,109 hooking. 1100 00:39:07,110 --> 00:39:08,739 And the other version is a minifilter 1101 00:39:08,740 --> 00:39:11,099 driver. It was targeting more recent 1102 00:39:11,100 --> 00:39:12,689 versions of Windows. 1103 00:39:12,690 --> 00:39:14,789 And it is based on an open source example 1104 00:39:14,790 --> 00:39:16,260 minifilter made by Microsoft.
1105 00:39:18,160 --> 00:39:20,889 Also, we have found a 64-bit sample 1106 00:39:20,890 --> 00:39:22,669 in the wild. But we are missing the 1107 00:39:22,670 --> 00:39:23,979 dropper, so we don't really know how it 1108 00:39:23,980 --> 00:39:26,289 managed to bypass the driver signing 1109 00:39:26,290 --> 00:39:27,290 policy. 1110 00:39:28,000 --> 00:39:30,669 And interestingly, 1111 00:39:30,670 --> 00:39:32,499 it looks like some drivers are made for 1112 00:39:32,500 --> 00:39:34,599 specific configurations, like 1113 00:39:34,600 --> 00:39:36,729 this one, possibly targeting a computer 1114 00:39:36,730 --> 00:39:38,379 running Kaspersky Internet Security. 1115 00:39:40,990 --> 00:39:43,059 So to summarize, we 1116 00:39:43,060 --> 00:39:45,129 only found a few samples of its use 1117 00:39:45,130 --> 00:39:47,169 during the past three years, which is not 1118 00:39:47,170 --> 00:39:48,170 a lot. 1119 00:39:48,940 --> 00:39:50,139 They were very careful with it. 1120 00:39:50,140 --> 00:39:52,329 Maybe they only used it for some specific 1121 00:39:52,330 --> 00:39:53,330 targets. 1122 00:39:53,980 --> 00:39:55,569 The C&C server of all those samples we are 1123 00:39:55,570 --> 00:39:57,819 reporting on was active during two years. 1124 00:39:57,820 --> 00:39:59,469 It went under the radar for 1125 00:39:59,470 --> 00:40:00,470 quite a long time. 1126 00:40:02,650 --> 00:40:05,079 And they used the bootkit 1127 00:40:05,080 --> 00:40:07,239 working on XP and more 1128 00:40:07,240 --> 00:40:08,949 recent versions of Windows. 1129 00:40:08,950 --> 00:40:10,659 They made multiple rootkits for the same 1130 00:40:10,660 --> 00:40:12,939 operating system versions. 1131 00:40:12,940 --> 00:40:14,889 In short, they worked very hard on the 1132 00:40:14,890 --> 00:40:17,229 persistence methods, which is unusual 1133 00:40:17,230 --> 00:40:18,759 in such cases.
1134 00:40:18,760 --> 00:40:20,419 And finally, we know that it was used 1135 00:40:20,420 --> 00:40:22,689 to download Sedreco, Xtunnel 1136 00:40:22,690 --> 00:40:24,759 and Xagent, mentioned 1137 00:40:24,760 --> 00:40:26,259 earlier on. So this is definitely 1138 00:40:26,260 --> 00:40:27,310 connected to Sednit. 1139 00:40:30,370 --> 00:40:32,239 So it is now time to conclude with some 1140 00:40:32,240 --> 00:40:34,039 speculative mumblings, because after 1141 00:40:34,040 --> 00:40:36,259 looking at so many Sednit binaries, 1142 00:40:36,260 --> 00:40:38,329 the temptation is big to draw some 1143 00:40:38,330 --> 00:40:39,889 general conclusions. 1144 00:40:39,890 --> 00:40:42,389 And I am not talking about 1145 00:40:42,390 --> 00:40:44,479 attribution, 1146 00:40:44,480 --> 00:40:47,059 more about the software 1147 00:40:47,060 --> 00:40:48,060 in particular. 1148 00:40:48,980 --> 00:40:51,169 There is a question we were often arguing 1149 00:40:51,170 --> 00:40:53,269 about between us. As we tried to show 1150 00:40:53,270 --> 00:40:54,709 in this presentation, 1151 00:40:54,710 --> 00:40:56,509 the diversity of the Sednit software is 1152 00:40:56,510 --> 00:40:57,769 quite impressive. 1153 00:40:57,770 --> 00:40:59,179 You should think about it. There is a 1154 00:40:59,180 --> 00:41:01,639 Delphi downloader, a complete Windows 1155 00:41:01,640 --> 00:41:03,679 bootkit, a modular C++ backdoor. 1156 00:41:03,680 --> 00:41:05,389 And there is an exploit kit infrastructure 1157 00:41:05,390 --> 00:41:07,189 with a lot of JavaScript and custom 1158 00:41:07,190 --> 00:41:08,689 exploits, and the list goes on. 1159 00:41:09,800 --> 00:41:11,959 So this diversity is good for them as 1160 00:41:11,960 --> 00:41:14,059 it makes tracking and detection 1161 00:41:14,060 --> 00:41:15,259 harder.
1162 00:41:15,260 --> 00:41:17,089 But the question is, how did they come up 1163 00:41:17,090 --> 00:41:19,759 with this vast ecosystem? 1164 00:41:19,760 --> 00:41:21,379 Do they develop it themselves or do they 1165 00:41:21,380 --> 00:41:22,849 also outsource development? 1166 00:41:22,850 --> 00:41:24,139 And we have a few hints 1167 00:41:24,140 --> 00:41:25,340 to answer that question. 1168 00:41:27,410 --> 00:41:29,449 First, the Sednit binaries are often 1169 00:41:29,450 --> 00:41:31,879 compiled specifically for a target, 1170 00:41:31,880 --> 00:41:34,399 and after it has been infected. 1171 00:41:34,400 --> 00:41:36,349 The best example of that is this 1172 00:41:36,350 --> 00:41:38,479 Xagent sample containing the login 1173 00:41:38,480 --> 00:41:40,369 and password of employees in the Ministry 1174 00:41:40,370 --> 00:41:42,859 of Internal Affairs of Georgia, 1175 00:41:42,860 --> 00:41:45,019 and they were used in the mail channel. 1176 00:41:45,020 --> 00:41:46,939 This sample was made specifically to be 1177 00:41:46,940 --> 00:41:48,800 run inside this ministry's network. 1178 00:41:49,970 --> 00:41:52,099 And more generally, Sednit 1179 00:41:52,100 --> 00:41:54,139 malware is in constant evolution, in 1180 00:41:54,140 --> 00:41:55,399 particular Xtunnel, 1181 00:41:55,400 --> 00:41:57,619 Seduploader and Xagent changed 1182 00:41:57,620 --> 00:41:59,119 a lot since the first version. 1183 00:42:00,180 --> 00:42:02,249 In other words, the developers are part of 1184 00:42:02,250 --> 00:42:04,469 a team, not outsiders paid for a one-time 1185 00:42:04,470 --> 00:42:05,470 job.
1186 00:42:07,120 --> 00:42:08,949 Also, among the vast array of the Sednit 1187 00:42:08,950 --> 00:42:11,199 software, there are some shared 1188 00:42:11,200 --> 00:42:13,389 techniques, like building a secret 1189 00:42:13,390 --> 00:42:15,789 key as the concatenation of a hardcoded 1190 00:42:15,790 --> 00:42:18,129 value and a random value, or 1191 00:42:18,130 --> 00:42:20,109 using hardcoded tokens in network 1192 00:42:20,110 --> 00:42:21,699 messages. 1193 00:42:21,700 --> 00:42:24,249 These are just two 1194 00:42:24,250 --> 00:42:26,069 examples of techniques present in several 1195 00:42:26,070 --> 00:42:28,149 Sednit software developed in 1196 00:42:28,150 --> 00:42:29,109 different languages. 1197 00:42:29,110 --> 00:42:31,389 So this is not copy-pasted code, but 1198 00:42:31,390 --> 00:42:33,819 more like the implementation 1199 00:42:33,820 --> 00:42:35,709 of the same idea. 1200 00:42:35,710 --> 00:42:37,449 So this may indicate that the same 1201 00:42:37,450 --> 00:42:39,449 developers are behind all this software 1202 00:42:39,450 --> 00:42:40,450 as well. 1203 00:42:42,370 --> 00:42:44,169 Another remark on the development process 1204 00:42:44,170 --> 00:42:46,599 is that there are some basic programming 1205 00:42:46,600 --> 00:42:48,819 mistakes in the Sednit software. 1206 00:42:48,820 --> 00:42:50,889 For example, here in Linux 1207 00:42:50,890 --> 00:42:53,259 Xagent, a thread handler named 1208 00:42:53,260 --> 00:42:55,449 HandleGetPackets is terminated 1209 00:42:55,450 --> 00:42:57,699 with pthread_exit, but it should 1210 00:42:57,700 --> 00:42:59,829 be HandleSendPackets, as you can see 1211 00:42:59,830 --> 00:43:01,839 from the condition before and the 1212 00:43:01,840 --> 00:43:03,339 commented Windows code. 1213 00:43:03,340 --> 00:43:05,679 So probably a wrong copy-paste in the Linux 1214 00:43:05,680 --> 00:43:06,680 version.
1215 00:43:07,540 --> 00:43:10,899 Also, here in Xtunnel, 1216 00:43:10,900 --> 00:43:12,999 there is a report message built 1217 00:43:13,000 --> 00:43:15,219 for the C&C server whenever a connection has 1218 00:43:15,220 --> 00:43:17,349 been opened with the target computer. 1219 00:43:17,350 --> 00:43:20,139 The IP address and the port number 1220 00:43:20,140 --> 00:43:21,949 of the target are written in a six-byte 1221 00:43:21,950 --> 00:43:22,969 buffer, 1222 00:43:22,970 --> 00:43:25,139 except that the memory pointer is not 1223 00:43:25,140 --> 00:43:27,379 incremented between the two writes, 1224 00:43:27,380 --> 00:43:28,419 and thus the port 1225 00:43:28,420 --> 00:43:30,379 number overwrites the IP 1226 00:43:30,380 --> 00:43:32,629 address. And we can assume 1227 00:43:32,630 --> 00:43:34,249 the C&C server does not even check the 1228 00:43:34,250 --> 00:43:36,109 report, so the mistake has gone 1229 00:43:36,110 --> 00:43:37,110 unnoticed. 1230 00:43:37,950 --> 00:43:40,039 And these are just two quick examples 1231 00:43:40,040 --> 00:43:41,599 of mistakes you can find in the Sednit 1232 00:43:41,600 --> 00:43:43,919 code, so probably the developers 1233 00:43:43,920 --> 00:43:45,679 do not have a code review process. 1234 00:43:45,680 --> 00:43:48,439 And overall, Sednit code often 1235 00:43:48,440 --> 00:43:49,699 feels really hackish. 1236 00:43:51,710 --> 00:43:53,179 Following this idea, 1237 00:43:53,180 --> 00:43:55,309 the Sednit software is sometimes inspired 1238 00:43:55,310 --> 00:43:56,239 by classic 1239 00:43:56,240 --> 00:43:58,189 crimeware. For example, Seduploader 1240 00:43:58,190 --> 00:44:00,679 reuses persistence methods from Carberp 1241 00:44:00,680 --> 00:44:03,499 and shares some code with Khabab, 1242 00:44:03,500 --> 00:44:05,809 while the Downdelph bootkit code bears 1243 00:44:05,810 --> 00:44:07,549 some similarities with 1244 00:44:07,550 --> 00:44:09,180 some earliest samples of BlackEnergy.
1245 00:44:11,300 --> 00:44:13,309 We may be tempted to conclude that the 1246 00:44:13,310 --> 00:44:15,589 developers are connected in some way with 1247 00:44:15,590 --> 00:44:17,379 some classic crimeware communities. 1248 00:44:19,160 --> 00:44:20,989 And finally, the exploit kit developers 1249 00:44:20,990 --> 00:44:23,089 use funny names like Frodo and LOEL 1250 00:44:23,090 --> 00:44:25,309 for Timmo Thugs or Messi, 1251 00:44:25,310 --> 00:44:27,399 which is a 1252 00:44:27,400 --> 00:44:29,359 soccer player, for the binary to 1253 00:44:29,360 --> 00:44:31,489 download from an exploit. 1254 00:44:31,490 --> 00:44:33,589 So if they are able to use those 1255 00:44:33,590 --> 00:44:35,689 names in production, we 1256 00:44:35,690 --> 00:44:37,099 can guess that they are not working in a 1257 00:44:37,100 --> 00:44:38,839 very formal environment, 1258 00:44:38,840 --> 00:44:39,840 to say the least. 1259 00:44:41,930 --> 00:44:43,459 So to summarize the speculation, we 1260 00:44:43,460 --> 00:44:45,429 believe that Sednit has some in-house 1261 00:44:45,430 --> 00:44:47,209 skilled developers working with little 1262 00:44:47,210 --> 00:44:48,539 supervision. 1263 00:44:48,540 --> 00:44:50,409 And those guys have ties with the crimeware 1264 00:44:50,410 --> 00:44:52,519 underground, which is not so 1265 00:44:52,520 --> 00:44:53,810 common for this kind of group. 1266 00:44:54,910 --> 00:44:57,109 And if you disagree, I would be 1267 00:44:57,110 --> 00:44:58,369 glad to discuss that. 1268 00:45:00,910 --> 00:45:02,199 End of speculation now. 1269 00:45:02,200 --> 00:45:03,269 It's time to conclude. 1270 00:45:04,390 --> 00:45:05,949 Sednit activity increased a lot during 1271 00:45:05,950 --> 00:45:07,629 the last two years.
1272 00:45:07,630 --> 00:45:09,699 They are doing targeted attacks on a 1273 00:45:09,700 --> 00:45:11,899 lot of different targets now, 1274 00:45:11,900 --> 00:45:13,689 and their toolkit is in constant 1275 00:45:13,690 --> 00:45:15,579 evolution. So there is definitely, 1276 00:45:15,580 --> 00:45:17,799 definitely more fun to come. 1277 00:45:17,800 --> 00:45:18,900 Former White House officials. 1278 00:45:20,550 --> 00:45:21,699 So thank you very much for your 1279 00:45:21,700 --> 00:45:23,829 attention, though, as 1280 00:45:23,830 --> 00:45:24,830 I see the. 1281 00:45:39,110 --> 00:45:41,179 All right. There is a lot of time for 1282 00:45:41,180 --> 00:45:42,409 questions. 1283 00:45:42,410 --> 00:45:44,509 We don't have, unfortunately, microphones 1284 00:45:44,510 --> 00:45:46,759 that you can pass around in the 1285 00:45:46,760 --> 00:45:48,889 audience. Please go to 1286 00:45:48,890 --> 00:45:49,909 the microphone. 1287 00:45:49,910 --> 00:45:52,039 Microphone stands over there 1288 00:45:52,040 --> 00:45:53,040 or here. 1289 00:45:58,950 --> 00:46:01,139 OK, let's start with the Internet. 1290 00:46:01,140 --> 00:46:02,900 Do we have questions from the Internet? 1291 00:46:10,320 --> 00:46:12,569 One question: is this Russian 1292 00:46:12,570 --> 00:46:13,570 state malware? 1293 00:46:17,010 --> 00:46:18,269 I won't answer this question. 1294 00:46:19,650 --> 00:46:21,539 I can discuss that. 1295 00:46:21,540 --> 00:46:23,279 We don't do any sort of attribution 1296 00:46:23,280 --> 00:46:25,349 because this is very difficult to 1297 00:46:25,350 --> 00:46:26,350 do. 1298 00:46:29,010 --> 00:46:30,660 Another question from the Internet. 1299 00:46:37,420 --> 00:46:38,889 No more serious questions from the 1300 00:46:38,890 --> 00:46:39,890 Internet, just no. 1301 00:46:41,080 --> 00:46:42,339 Please, when you exit, 1302 00:46:42,340 --> 00:46:43,689 please be quiet. 1303 00:46:43,690 --> 00:46:45,309 Respect that.
There are some people in 1304 00:46:45,310 --> 00:46:47,649 here who just want to know 1305 00:46:47,650 --> 00:46:48,669 a little bit more. 1306 00:46:51,920 --> 00:46:53,649 There is one question over there to the 1307 00:46:53,650 --> 00:46:55,389 right. Go ahead, if you have a question. 1308 00:46:55,390 --> 00:46:56,799 Indeed. 1309 00:46:56,800 --> 00:46:58,659 Let's say the malware period that you 1310 00:46:58,660 --> 00:47:00,909 found, a lot of 1311 00:47:00,910 --> 00:47:02,049 allegedly U.S. 1312 00:47:02,050 --> 00:47:04,479 malware or a similar malware was found. 1313 00:47:04,480 --> 00:47:06,669 Do you see any development in code 1314 00:47:06,670 --> 00:47:08,739 that is based upon the ideas that they 1315 00:47:08,740 --> 00:47:10,989 get from these malware analyses 1316 00:47:10,990 --> 00:47:13,269 that have been made in those periods? 1317 00:47:13,270 --> 00:47:15,549 I would say yes. As I talked 1318 00:47:15,550 --> 00:47:17,499 about it in this presentation, 1319 00:47:17,500 --> 00:47:19,899 for example, Xtunnel 1320 00:47:19,900 --> 00:47:21,549 wasn't obfuscated before, 1321 00:47:21,550 --> 00:47:23,469 at some point, and then they started to 1322 00:47:23,470 --> 00:47:25,669 obfuscate some more recent samples. 1323 00:47:25,670 --> 00:47:27,510 So I would say yes. 1324 00:47:29,120 --> 00:47:29,469 OK. 1325 00:47:29,470 --> 00:47:30,470 Thanks. 1326 00:47:33,050 --> 00:47:34,309 More questions. Yes. There is one 1327 00:47:34,310 --> 00:47:35,310 question over there. 1328 00:47:36,920 --> 00:47:39,289 Well, I have a, like, maybe 1329 00:47:39,290 --> 00:47:42,319 obvious question, maybe speculative. 1330 00:47:42,320 --> 00:47:44,419 Do you think this group has 1331 00:47:44,420 --> 00:47:47,029 some ties to, like, the Russian government 1332 00:47:47,030 --> 00:47:49,280 or Russian secret services or something? 1333 00:47:51,050 --> 00:47:53,419 I already told you I 1334 00:47:53,420 --> 00:47:55,189 won't.
I won't answer this question 1335 00:47:55,190 --> 00:47:57,469 because, like, we know they can use 1336 00:47:57,470 --> 00:47:58,999 the Russian language, but that doesn't mean 1337 00:47:59,000 --> 00:48:00,000 anything. Right. 1338 00:48:05,890 --> 00:48:06,890 I'm 1339 00:48:11,350 --> 00:48:12,619 sorry, I didn't understand the question. 1340 00:48:16,180 --> 00:48:17,149 We didn't. OK. 1341 00:48:17,150 --> 00:48:18,189 So sorry, sorry. 1342 00:48:18,190 --> 00:48:20,529 I need to repeat the question. 1343 00:48:20,530 --> 00:48:22,719 So your question was, was there 1344 00:48:22,720 --> 00:48:25,869 any reaction to your research 1345 00:48:25,870 --> 00:48:27,339 on their side? 1346 00:48:27,340 --> 00:48:28,340 Right. OK. 1347 00:48:29,530 --> 00:48:30,579 Like I said before, 1348 00:48:31,930 --> 00:48:34,389 when we started to analyze 1349 00:48:34,390 --> 00:48:36,579 this malware, we've seen some 1350 00:48:36,580 --> 00:48:38,689 obfuscation techniques implemented 1351 00:48:38,690 --> 00:48:39,810 in the software. 1352 00:48:41,140 --> 00:48:42,759 Also, the research is quite recent. 1353 00:48:42,760 --> 00:48:43,659 We published it, 1354 00:48:43,660 --> 00:48:45,429 we've published it, like, a few months ago. 1355 00:48:45,430 --> 00:48:48,369 So I would wait until 1356 00:48:48,370 --> 00:48:50,529 I would wait a little to see if 1357 00:48:50,530 --> 00:48:52,779 they are actively 1358 00:48:52,780 --> 00:48:53,780 switching things up. 1359 00:48:55,690 --> 00:48:57,489 But they are definitely reading the 1360 00:48:57,490 --> 00:48:58,509 paper, I would say. 1361 00:48:58,510 --> 00:48:59,510 I think so. 1362 00:49:00,680 --> 00:49:02,079 There is one question at the back over 1363 00:49:02,080 --> 00:49:03,080 there. 1364 00:49:03,490 --> 00:49:05,259 Have you found any patterns in the 1365 00:49:05,260 --> 00:49:06,399 targets they attacked? 1366 00:49:08,260 --> 00:49:10,359 Sorry.
And have you found any patterns 1367 00:49:10,360 --> 00:49:12,009 in the targets they attacked? 1368 00:49:12,010 --> 00:49:14,819 Have they reacted to some of the, 1369 00:49:14,820 --> 00:49:16,029 well, when the targets 1370 00:49:16,030 --> 00:49:17,799 probably... that was the first 1371 00:49:17,800 --> 00:49:20,019 question. The second is, have they 1372 00:49:20,020 --> 00:49:22,089 reacted to any of the reactions of 1373 00:49:22,090 --> 00:49:23,090 the targets? 1374 00:49:24,460 --> 00:49:25,629 What do you mean? 1375 00:49:25,630 --> 00:49:28,089 Well, have they had, 1376 00:49:28,090 --> 00:49:30,489 did they have follow-up hacks on 1377 00:49:30,490 --> 00:49:31,719 different targets 1378 00:49:31,720 --> 00:49:33,909 because they found 1379 00:49:33,910 --> 00:49:35,860 some information on the first ones? 1380 00:49:37,450 --> 00:49:39,579 Well, like, yeah, because the second 1381 00:49:39,580 --> 00:49:41,559 stage backdoors are usually dropped 1382 00:49:41,560 --> 00:49:43,329 after the reconnaissance phase. 1383 00:49:43,330 --> 00:49:44,949 If the target isn't interesting, you 1384 00:49:44,950 --> 00:49:46,359 won't see them on the computer. 1385 00:49:46,360 --> 00:49:48,759 So this is what 1386 00:49:48,760 --> 00:49:50,969 you wanted to know, no? 1387 00:49:50,970 --> 00:49:52,660 I mean, they have targeted... 1388 00:49:53,680 --> 00:49:55,419 They had some attacks on 1389 00:49:55,420 --> 00:49:56,419 specific targets. 1390 00:49:56,420 --> 00:49:57,459 Yeah. Hold us. 1391 00:49:57,460 --> 00:49:59,049 And so you've probably talked to the 1392 00:49:59,050 --> 00:50:00,079 targets. 1393 00:50:00,080 --> 00:50:01,029 I don't know. 1394 00:50:01,030 --> 00:50:02,129 Why not? 1395 00:50:02,130 --> 00:50:04,299 Because, well, some 1396 00:50:04,300 --> 00:50:06,279 targets, as you can see, are, like, 1397 00:50:06,280 --> 00:50:08,259 embassies. So that's not very specific 1398 00:50:08,260 --> 00:50:10,299 people.
So we can try to reach them, but 1399 00:50:10,300 --> 00:50:12,489 they don't obviously answer 1400 00:50:12,490 --> 00:50:13,759 us every time. 1401 00:50:13,760 --> 00:50:15,879 Sometimes people try to reach us 1402 00:50:15,880 --> 00:50:17,380 and they are doing, like, all 1403 00:50:19,730 --> 00:50:22,599 the main man in the middle, I would say. 1404 00:50:22,600 --> 00:50:24,849 But I never hear about anything 1405 00:50:24,850 --> 00:50:27,129 from the targets, like when I give them 1406 00:50:27,130 --> 00:50:28,329 the report on. 1407 00:50:34,230 --> 00:50:36,440 Here is one question over there at the back. 1408 00:50:37,470 --> 00:50:39,579 One more time: doing 1409 00:50:39,580 --> 00:50:40,569 the work you're doing, 1410 00:50:40,570 --> 00:50:42,339 are you concerned about your personal 1411 00:50:42,340 --> 00:50:43,340 safety? 1412 00:50:45,940 --> 00:50:48,129 I mean, I started this work, like, 1413 00:50:48,130 --> 00:50:49,830 one year ago. So we'll see. 1414 00:51:02,410 --> 00:51:03,410 More questions? 1415 00:51:04,310 --> 00:51:05,310 Internet. 1416 00:51:06,860 --> 00:51:07,939 More from the Internet. 1417 00:51:07,940 --> 00:51:09,649 What do you think of the CrowdStrike 1418 00:51:09,650 --> 00:51:11,569 report? Two people are asking. 1419 00:51:12,590 --> 00:51:14,029 Which one? 1420 00:51:14,030 --> 00:51:15,679 They made multiple reports. 1421 00:51:15,680 --> 00:51:17,299 The one about the Democratic 1422 00:51:17,300 --> 00:51:18,380 National Committee. 1423 00:51:22,660 --> 00:51:24,319 I have no further information right now, 1424 00:51:24,320 --> 00:51:25,320 that's it. 1425 00:51:28,150 --> 00:51:29,199 They made quite a few. 1426 00:51:34,620 --> 00:51:36,479 We've still got enough time for 1427 00:51:36,480 --> 00:51:38,009 questions. 1428 00:51:38,010 --> 00:51:39,959 Yeah. Here we have one.
1429 00:51:39,960 --> 00:51:42,179 Did you find any vulner- 1430 00:51:42,180 --> 00:51:44,459 abilities when 1431 00:51:44,460 --> 00:51:45,989 you investigated the code? 1432 00:51:47,580 --> 00:51:49,679 I think my colleagues did find 1433 00:51:49,680 --> 00:51:50,680 some, 1434 00:51:52,510 --> 00:51:54,579 like also when the Google Retno 1435 00:51:54,580 --> 00:51:57,449 system released the advisories 1436 00:51:57,450 --> 00:51:58,649 about the Flash and the Windows 1437 00:51:58,650 --> 00:52:00,029 zero-days. 1438 00:52:00,030 --> 00:52:02,820 I found the samples 1439 00:52:04,340 --> 00:52:06,519 right after that. That's the one 1440 00:52:06,520 --> 00:52:07,739 that went public. 1441 00:52:07,740 --> 00:52:09,959 But some other, some 1442 00:52:09,960 --> 00:52:11,819 other companies published something about 1443 00:52:11,820 --> 00:52:14,179 that. So sometimes you can find 1444 00:52:14,180 --> 00:52:16,439 zero-days. It's rare, but you can 1445 00:52:16,440 --> 00:52:18,659 find them and follow 1446 00:52:18,660 --> 00:52:19,660 up. 1447 00:52:19,950 --> 00:52:22,739 Did you find any vulnerabilities in the 1448 00:52:22,740 --> 00:52:25,019 communication to the command and control 1449 00:52:25,020 --> 00:52:27,239 server or something else? 1450 00:52:27,240 --> 00:52:29,549 We don't look at, like, stuff 1451 00:52:29,550 --> 00:52:30,550 like this. 1452 00:52:32,010 --> 00:52:33,239 I mean, they made some programming 1453 00:52:33,240 --> 00:52:34,709 mistakes in the client side of the 1454 00:52:34,710 --> 00:52:36,209 software. But we don't know about the 1455 00:52:36,210 --> 00:52:37,409 C&C servers and everything. 1456 00:52:43,570 --> 00:52:45,189 More questions. 1457 00:52:45,190 --> 00:52:46,209 One from the Internet. 1458 00:52:49,890 --> 00:52:51,959 Are there any passwords to the fun 1459 00:52:51,960 --> 00:52:53,099 names that are used? 1460 00:52:54,330 --> 00:52:55,949 I don't think so.
1461 00:52:55,950 --> 00:52:57,030 That's an interesting question. 1462 00:53:02,820 --> 00:53:04,199 Anything more from the Internet? 1463 00:53:08,460 --> 00:53:10,019 Could you. Could you use the 1464 00:53:10,020 --> 00:53:10,969 microphone, please? 1465 00:53:10,970 --> 00:53:12,749 That would be great. 1466 00:53:12,750 --> 00:53:13,750 Thanks. 1467 00:53:20,240 --> 00:53:22,389 Do you believe that 1468 00:53:22,390 --> 00:53:23,529 the U.S. 1469 00:53:23,530 --> 00:53:26,019 agencies that have done some 1470 00:53:26,020 --> 00:53:28,449 sort of attribution, 1471 00:53:28,450 --> 00:53:30,559 that they have more information than you, 1472 00:53:33,000 --> 00:53:33,999 than me? 1473 00:53:34,000 --> 00:53:35,349 More information than me? 1474 00:53:35,350 --> 00:53:37,429 Well, more than the present today. 1475 00:53:37,430 --> 00:53:38,649 Yeah, probably. 1476 00:53:38,650 --> 00:53:40,959 Like I said at the beginning, we might 1477 00:53:40,960 --> 00:53:42,339 be missing part of the picture. 1478 00:53:42,340 --> 00:53:44,649 And this is why some other companies 1479 00:53:44,650 --> 00:53:46,480 are publishing very good reports. 1480 00:53:47,640 --> 00:53:48,860 So differential in. 1481 00:53:56,390 --> 00:53:57,869 There is a question over there again, 1482 00:53:57,870 --> 00:53:58,870 same microphone. 1483 00:53:59,910 --> 00:54:01,409 This might be a dumb question, but you 1484 00:54:01,410 --> 00:54:03,689 said the targets 1485 00:54:03,690 --> 00:54:06,419 don't usually contact you. 1486 00:54:06,420 --> 00:54:09,179 So how do you know about the targets? 1487 00:54:09,180 --> 00:54:10,859 Well, we have a telemetry system; that's 1488 00:54:10,860 --> 00:54:12,839 very different. I can't, like, identify 1489 00:54:12,840 --> 00:54:15,029 targets. Like, I know we have 1490 00:54:15,030 --> 00:54:15,989 hits. 1491 00:54:15,990 --> 00:54:16,919 We have binaries. 1492 00:54:16,920 --> 00:54:18,359 We have samples.
1493
00:54:18,360 --> 00:54:19,439
We are analyzing them.

1494
00:54:19,440 --> 00:54:21,719
And we will find

1495
00:54:21,720 --> 00:54:23,729
some similarities.

1496
00:54:23,730 --> 00:54:26,369
When he

1497
00:54:26,370 --> 00:54:28,199
told me about targets, I was thinking

1498
00:54:28,200 --> 00:54:30,359
about the Bitly list

1499
00:54:30,360 --> 00:54:32,459
we found. And this is why we

1500
00:54:32,460 --> 00:54:34,019
didn't contact any of the e-mails.

1501
00:54:34,020 --> 00:54:36,389
And like I said, if you think

1502
00:54:36,390 --> 00:54:38,159
you are targeted, you can come see me and

1503
00:54:38,160 --> 00:54:40,649
I will look into this list if

1504
00:54:40,650 --> 00:54:42,809
there are some details

1505
00:54:42,810 --> 00:54:43,870
that might interest you.

1506
00:54:46,470 --> 00:54:47,269
Thank you.

1507
00:54:47,270 --> 00:54:48,270
You're welcome.

1508
00:54:50,150 --> 00:54:51,499
More questions?

1509
00:54:53,180 --> 00:54:54,149
Internet.

1510
00:54:54,150 --> 00:54:55,150
Yes. Please.

1511
00:54:56,150 --> 00:54:58,099
Have there been any mass deployments of

1512
00:54:58,100 --> 00:54:59,299
this type of malware?

1513
00:54:59,300 --> 00:55:02,019
Or is it only very individual attacks?

1514
00:55:02,020 --> 00:55:03,169
Yeah, it's very targeted.

1515
00:55:03,170 --> 00:55:05,829
There is not like a widespread infection

1516
00:55:05,830 --> 00:55:06,830
or anything.

1517
00:55:12,900 --> 00:55:13,900
Anything more,

1518
00:55:15,450 --> 00:55:16,450
Internet?

1519
00:55:19,200 --> 00:55:20,200
Well, we, sir.

1520
00:55:21,040 --> 00:55:23,169
Sorry. Clarification on the

1521
00:55:23,170 --> 00:55:24,170
previous question.

1522
00:55:25,180 --> 00:55:27,039
They are specifically interested in the

1523
00:55:27,040 --> 00:55:29,319
report that attributes Russia

1524
00:55:29,320 --> 00:55:30,939
to the DNC.
1525
00:55:30,940 --> 00:55:32,979
And then there's another related question

1526
00:55:34,060 --> 00:55:36,719
asking, are there differences between

1527
00:55:36,720 --> 00:55:39,119
CrowdStrike's reports and yours?

1528
00:55:41,870 --> 00:55:43,669
I don't believe we're all talking about

1529
00:55:43,670 --> 00:55:46,159
the same things, because

1530
00:55:46,160 --> 00:55:48,229
when we, when we see something

1531
00:55:48,230 --> 00:55:50,809
published by, like the exploits, about

1532
00:55:50,810 --> 00:55:52,909
the recent exploits, we are not like

1533
00:55:52,910 --> 00:55:54,949
adding this to the, to our paper since

1534
00:55:54,950 --> 00:55:56,899
it's already on the Internet.

1535
00:55:56,900 --> 00:55:59,149
So our whole

1536
00:55:59,150 --> 00:56:01,729
white paper is a technical breakdown

1537
00:56:01,730 --> 00:56:04,099
of their toolkit, like Xagent, Xtunnel.

1538
00:56:04,100 --> 00:56:06,349
And I don't think they talked

1539
00:56:06,350 --> 00:56:07,350
about this one.

1540
00:56:13,670 --> 00:56:15,010
More questions?

1541
00:56:18,960 --> 00:56:21,150
Internet audience?

1542
00:56:22,860 --> 00:56:23,860
We still got time.

1543
00:56:28,640 --> 00:56:30,230
All right, Internet.

1544
00:56:31,250 --> 00:56:32,689
Internet, go ahead.

1545
00:56:32,690 --> 00:56:35,209
Internet is asking if the

1546
00:56:35,210 --> 00:56:37,489
targets are any better

1547
00:56:37,490 --> 00:56:38,490
protected.

1548
00:56:40,250 --> 00:56:43,819
They are a bit more protected

1549
00:56:43,820 --> 00:56:45,319
when we are detecting the samples.

1550
00:56:45,320 --> 00:56:46,609
So if they are running ESET Smart

1551
00:56:46,610 --> 00:56:47,619
Security, maybe. But

1552
00:56:49,870 --> 00:56:52,129
the, the goal of the white paper

1553
00:56:52,130 --> 00:56:54,259
is to provide IOCs also for the

1554
00:56:54,260 --> 00:56:56,749
sysadmins or people that are

1555
00:56:56,750 --> 00:56:58,009
managing infrastructures.
1556
00:56:58,010 --> 00:56:59,629
So if you're looking for that, you can

1557
00:56:59,630 --> 00:57:01,459
download the white paper on the blog and

1558
00:57:01,460 --> 00:57:03,289
there is a pretty, pretty extensive list

1559
00:57:03,290 --> 00:57:05,209
if you want to protect your

1560
00:57:05,210 --> 00:57:06,210
infrastructure.

1561
00:57:07,310 --> 00:57:09,469
Not the incident response, of course,

1562
00:57:09,470 --> 00:57:10,670
because we are not doing that.

1563
00:57:18,380 --> 00:57:19,380
OK.

1564
00:57:21,910 --> 00:57:23,649
I don't see questions in here.

1565
00:57:23,650 --> 00:57:25,929
Still, Internet, something

1566
00:57:25,930 --> 00:57:26,930
there?

1567
00:57:27,310 --> 00:57:28,689
No. It's getting quiet.

1568
00:57:29,920 --> 00:57:32,139
Well, then there is one more question

1569
00:57:32,140 --> 00:57:33,140
over there.

1570
00:57:33,680 --> 00:57:35,889
I noticed it seems that a lot of attacks are

1571
00:57:35,890 --> 00:57:38,379
focused on Windows machines.

1572
00:57:38,380 --> 00:57:39,099
Yeah.

1573
00:57:39,100 --> 00:57:41,169
Is that Mac or... Like I said, they

1574
00:57:41,170 --> 00:57:43,259
have a second stage backdoor for macOS,

1575
00:57:43,260 --> 00:57:44,619
iOS,

1576
00:57:44,620 --> 00:57:46,719
Android, Linux and,

1577
00:57:46,720 --> 00:57:48,349
like, the source code of Xagent is an

1578
00:57:48,350 --> 00:57:49,350
exemption.

1579
00:57:49,930 --> 00:57:51,679
And we also have since set up with those

1580
00:57:51,680 --> 00:57:54,049
samples for us.

1581
00:57:54,050 --> 00:57:56,439
Then I think, if I recall correctly.

1582
00:57:56,440 --> 00:57:58,239
So they have like a big arsenal.

1583
00:58:05,710 --> 00:58:07,439
OK. Yeah, we got another question over

1584
00:58:07,440 --> 00:58:09,269
there. If there are no further questions,

1585
00:58:09,270 --> 00:58:11,579
this is my first visit to CCC.
1586
00:58:11,580 --> 00:58:13,709
Does anyone have a good tip for a good bar

1587
00:58:13,710 --> 00:58:15,940
in town, guys?

1588
00:58:24,350 --> 00:58:25,529
I think, social life, we can,

1589
00:58:25,530 --> 00:58:27,269
we can discuss a little bit later.

1590
00:58:27,270 --> 00:58:29,429
So once again,

1591
00:58:29,430 --> 00:58:31,900
metastable cool and.