
NOTE: This post was written by Jared Myers of the RSA Incident Response Team. It originally appeared on RSA's Speaking of Security blog site: https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/


Within the past year the RSA Incident Response (IR) team has worked multiple APT engagements in which the adversary’s malware used a unique method of determining its Command and Control (C2) server. By leveraging trusted content providers, such as popular shopping sites and discussion forums, adversaries can perform operations within a network in plain sight. By replacing the hard-coded beacon address in the malware with a simple user name, the binary can perform a basic lookup of activity posted by fake accounts on public discussion forums, and that activity contains the dynamic IP addresses used for communications.

 

As an example, RSA IR discovered use of malware known as PNGRAT during a recent response effort. PNGRAT, which has since been publicly documented as ZoxPNG, is a substantially equipped trojan with the ability to manage files, enumerate and control processes, and execute commands. In this particular variant, there were additional features that allowed the malware to collect stored HTTP credentials from the registry of the compromised system, as well as monitor for RDP connections. More importantly, these samples of PNGRAT did not contain a hardcoded IP address or domain for C2 communications.

 

RSA has noted many adversaries who use public services for C2 architecture in order to prevent detection. However, the method by which the C2 IP address is acquired in these samples is considered unique. This PNGRAT variant retrieved its download instructions from Microsoft’s Technet website. By connecting to Technet and retrieving the user profile for a hardcoded user account, PNGRAT obtained an IP address for further C2 connections. This IP address is stored, encoded, within the user profile. Though encoded, the address has a particular header and footer that make it obvious to those who know to look for it:

@MICR0S0FTabcdabcdC0RP0RATI0N

 

These C2 messages were made into legitimate discussions on the Microsoft Technet forums, as shown in the figure below. In the example highlighted in the red box, the decoded IP address is 127.0.0.1.

[Figure: technet_example]

 

The malware searches for this value and then retrieves the encoded data stored between “@MICR0S0FT” and “C0RP0RATI0N”. This value is the result of a fairly simple encoding routine. Every two bytes represent a single number, and the four numbers combined form the octets of an IP address.

As described in the example below, the IP address 192.168.1.1 can be encoded as amyzbabq and would be stored on Technet as:

@MICR0S0FTamyzbabqC0RP0RATI0N

 

Each octet of the IP address is encoded using two characters. The table below breaks down the original values for each set of characters.

            First set   Second set   Third set   Fourth set
Encoded     am          yz           ba          bq
Decoded     192         168          1           1

 

To determine the first octet, simple logic is applied to each character of the first set.

The decimal value of each character is obtained. For the set ‘am’, this is 97 for the ASCII letter ‘a’ and 109 for the ASCII letter ‘m’.

The second value, 109, is then bit-shifted left by 4. The resulting value is added to the value of the first character, 97.

The routine then subtracts 113 (0x71) from the sum and casts the result to a single byte (commonly seen as “& 0xFF”). The resulting value is 192, the first octet of the IP address.

 

The same logic is followed for the remaining octets.

Step   Operation      Resulting value
1      109 << 4       0x06D0 (1744)
2      1744 + 97      0x0731 (1841)
3      1841 - 113     0x06C0 (1728)
4      1728 & 0xFF    0x00C0 (192)

 

It should be noted that several letter combinations can produce the same value once decoded. This is demonstrated by the example 192.168.1.1, shown above in the encoded form ‘amyzbabq’: both ‘ba’ and ‘bq’ decode to the value 1.
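The decoding routine and scanner below are an added example for this post, not RSA's script or Lua parser. It applies the four steps from the table to each two-character set, and scans captured text for the header and footer, assuming (as in the post's examples) that exactly eight encoded characters sit between them:

```python
from __future__ import annotations
import re

# Marker strings the malware searches for in the Technet profile text (from the post).
HEADER = "@MICR0S0FT"
FOOTER = "C0RP0RATI0N"

# Assumption: the encoded value is exactly 8 non-whitespace characters (two per
# octet), as in the post's examples; widen this if a variant uses another length.
MARKER_RE = re.compile(re.escape(HEADER) + r"(\S{8})" + re.escape(FOOTER))


def decode_octet_steps(pair: str) -> tuple[int, int, int, int]:
    """Return the intermediate values of the four-step routine for one 2-char set."""
    first, second = ord(pair[0]), ord(pair[1])
    shifted = second << 4        # step 1: second character shifted left by 4
    summed = shifted + first     # step 2: add the first character
    subtracted = summed - 0x71   # step 3: subtract 113 (0x71)
    octet = subtracted & 0xFF    # step 4: keep the low byte
    return shifted, summed, subtracted, octet


def decode_octet(pair: str) -> int:
    return decode_octet_steps(pair)[3]


def decode_ip(encoded: str) -> str:
    """Decode an 8-character value into dotted-quad form."""
    if len(encoded) != 8:
        raise ValueError("expected 8 encoded characters (two per octet)")
    return ".".join(str(decode_octet(encoded[i:i + 2])) for i in range(0, 8, 2))


def find_c2_addresses(text: str) -> list[tuple[str, str]]:
    """Scan captured profile/forum text and return (encoded, decoded IP) pairs."""
    return [(m.group(1), decode_ip(m.group(1))) for m in MARKER_RE.finditer(text)]


# Constructed sample of a captured HTTP response body, not a real Technet profile.
SAMPLE_PROFILE = (
    "<p>Thanks for the reply, that fixed my driver issue.</p>\n"
    "<p>Signature: @MICR0S0FTamyzbabqC0RP0RATI0N</p>\n"
)

if __name__ == "__main__":
    for encoded, ip in find_c2_addresses(SAMPLE_PROFILE):
        print(f"{encoded} -> {ip}")
```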

 

This retrieval traffic is plain text and can be easily tracked by a comprehensive network-monitoring solution. RSA’s Security Analytics and ECAT can both be leveraged to assist security hunters in detecting this activity, and the adversary, early in their campaign. Using a custom Lua parser for Security Analytics, security teams can be alerted to the presence of this malware in their environment by inspecting all network traffic for this unique encoding structure. Instead of passively allowing all traffic from a trusted provider, incorporating parsers like the one provided leaves no packet unsearched. This decoder will detect the activity, decode the IP address, and store it as an indexed value for detailed analysis, under IP Alias (illustrated in the image below). This parser is provided along with this blog, along with a Yara rule for the executables, which can be used independently or ingested into ECAT. The image below illustrates the alert that will be observed in Security Analytics.

[Figure: png_rat_alert]

While the attached parser has been tested and used by the RSA IR Team without issue or impact in multiple SA environments for our customers, custom content should always be tested and its performance implications considered before integrating additional content into an organization’s SA infrastructure.


Additionally, RSA has created a simple Python script for automatically decoding these values that can be leveraged or implemented in other internal projects. This file is also provided along with the publication. For questions about this blog post or other information in general, please contact us at FirstResponse@rsa.com.

 

All of the files referenced in this blog can be located in this archive.

“In a sea change nothing is safe. Strange waves push us every way,

In a stolen boat we’ll float away” – Beck from Little One


With a week of recovery under my belt I’m finally able to reflect on another amazing RSA Conference. Some of my experiences were the same as years past. My feet were once again sore from 8+ miles a day of walking. I had the pleasure of coming home with the dreaded RSA flu (apparently dousing myself in hand sanitizer does not actually do anything) and my liver and I are no longer on speaking terms. Of course I also got a chance to catch up with dozens of old friends but barely got to speak to countless others. Another year gone and already looking forward to RSA Conference 2016 (in addition to the many Cons I’ll be attending in between).

 

Here are my top 3 personal takeaways from RSA Conference 2015:

 

Amit’s keynote kicked butt

For years at RSA we asked ourselves who would give the keynote at RSA Conference once Art Coviello retired. This was often used as a litmus test for water cooler discussions amongst employees about potential successors to the throne. If you couldn’t imagine a person giving the keynote at RSA Conference could they really lead our company? Could they lead our industry? The RSA Conference keynote represents more than a typical vendor keynote, it has always stood as a state of the union so to speak for the security industry and Art was a master at giving it.

 

When Amit Yoran took over as RSA President no one had any doubt that he was a security guru and a passionate leader. But would that come off on stage? I’ve seen Amit speak many times over the past four years. Sometimes his personality shone through, sometimes he just seemed like yet another executive. Fortunately, the Amit that gave this year’s keynote was definitely the same passionate, highly opinionated and funny-in-a-slightly-inappropriate-way person we work with every day at RSA. He doesn’t mince words or shy away from a debate and his keynote was no exception. It was bold, it was aggressive, it kicked butt. You can watch it here.

 

If I had to summarize the keynote in 3 bullets:

  • The security industry is fundamentally broken and we need to change
  • Signature-based tools like SIEM are failing. Pervasive visibility and deep investigation is “what SIEM was meant to be”
  • We’ve lost focus of our mission and often are just pretending to do security. It’s time to actually start facing the most important challenges head on.

 

Internally at RSA we’re going through a sea change being dubbed as “RSA 2.0” where we focus on moving faster, thinking bigger and solving the most important problems we see in the industry. Amit’s keynote was a call to action for the rest of the industry to take a long hard look at themselves and start doing the same. Some are already getting the message:

 

[Three screenshots omitted]


There are over 500 vendors at the RSA Conference and I have no idea what most of them do

I usually try and carve out at least 4 hours to walk the showroom floor. Besides competitive analysis, marketing benchmarking and schwag procurement I really just find it …. Fun. I don’t know what that says about me but I’m guessing it stems from a combination of my love for security and my upbringing walking aimlessly around New Jersey malls hoping to spot a cute girl that I’d inevitably be too afraid to talk to (Side note: I’m so glad the Conference banned overexposed booth babes, it was a long time coming).

Each year (and this is 9 straight for me) walking the floor it seems to become more and more difficult to separate one vendor from the next. Besides the fact that many security teams stink at marketing (RSA luckily has geniuses like me so we’re not in this bucket), the messages are completely bleeding together. I sympathize with practitioners. If I have no idea what a vendor does and I’m paid to figure it out, I can’t imagine what navigating the Expo Hall to learn more about the industry and what you should be looking to purchase must feel like. It has to be overwhelming. Next year we should supply tour guides like they have at the Roman Coliseum to walk you around. Bottom line: Vendors need to do a better job showing the actual use cases their products solve. Buyers need to pay less attention to marketing buzzwords and think about their individual security priorities before walking around the Expo Hall.

 

We’re past the tipping point

The excitement I felt this year was different than years past. Perhaps it’s the fact that we’ve gone mainstream, or the sheer volume of the event, or the fact that the products we’re focused on in the Advanced SOC group at RSA are really starting to reshape the security landscape. Or perhaps it was the seven caffeinated beverages I drank daily in order to physically get through the Conference. Whatever the cause, I felt there was a real buzz to this year’s event.

 

First, I went to our Advanced SOC user group meeting and couldn’t get into the room. Over 100 customers (with a few employees sprinkled in) overstuffed the venue. Our demo stations didn’t just get traffic, they got attention. Demos were lasting 45 minutes with real engagement; the hands-on lab we set up in the booth had users interacting with our products for hours in some cases. When I got to San Francisco I saw a lot of competitors using the same key word as we use: visibility. I started to get a little worried we would get lost in the noise, but we didn’t. I think our message that you need to see everything, and not just one myopic security viewpoint, really resonated. This is why we chose the tagline “See Everything. Fear Nothing.” for our upcoming RSA Security Analytics launch event and why we had hundreds of articles written about RSA (the company, not the event) through the week. Simply amazing. I’m curious if other vendors felt the same buzz. Rising tides lift all boats.

 

The week completely wiped me out but also reinvigorated my passion for security and what we still can achieve. I hope it did the same for you.

 

See you next year.

 

You can find me on Twitter @Geftic
