State of the Hack Special Cyber Defense Summit Edition: FLARE vs. Carbanak

Captions
[Music] Welcome to our episode of State of the Hack. I'm Nick Carr, Advanced Practices team. Chris Glyer, IR security architect. And we're here with two of the guys from our FLARE team, Tom Bennett and Mike Bailey. I'm Mike Bailey. We're gonna talk about a bunch of things with these guys. They've been behind a lot of the other stories we've told, they have some really cool new stories that they'll be sharing with the community coming up, and they've been talking with you as you're giving a talk here at Cyber Defense Summit about Carbanak. Yeah, a piece of malware you guys spent a lot of time reversing, a couple of months of your life on that, and something really special happened with that. Okay, yes. Can't wait, excited to get into that. But first, would you guys mind just introducing yourselves, giving a little bit of your background and how you got here?

Yeah, I'm Mike Bailey. I'm a staff reverse engineer here on the FLARE team, and I got here through the Mandiant red team, where I did some information operations and some... I got into cybersecurity by batch files and MS-DOS and late nights with my CD-ROM and playing Doom and stuff like that, so that's kind of where I come from. That turned into VBScript and stuff for an IT administration job that I had, and COM and WMI and PowerShell and all that stuff. Then I did some kernel hacking at a company that did Linux and Windows kernel drivers, and wrote some anti-tamper stuff and a little bit of software that kind of resembles malware. So yeah, I just kind of ramped up from there and joined FLARE. Fun times. Nice.

And I'm James Bennett. People call me Tom, it's my middle name, and there's no real story behind it. It's funny, I'm a junior, my dad's also James Thomas Bennett and they also called him Tom, so go figure. Anyways, I'm also a staff reverse engineer on the FLARE team, been there for five years now. I got into reverse engineering in a really weird, strange way. I'm trying to keep the story really short, but I originally wanted to be a video game programmer. I love video games and, you know, I've been playing since I was like four years old, Atari, and that's what I wanted to do. I had a scholarship, a partial scholarship, to Northeastern University, but it didn't pan out. I mentally wasn't prepared for college, and also, you know, I was playing in a band and had a two and a half hour commute to college. I didn't have a computer and I was a computer science major. Not having money, I couldn't afford to live on campus. With everything combined I dropped out after one semester, and I got a job doing tech support, $9 an hour, at a startup in Boston. That company eventually got acquired by the third largest company of its kind in the world, and I just grabbed that opportunity and ran with it. I'm very thankful that I was able to meet the right people to teach me malware analysis skills, and I just taught myself along the way. Eventually, you know, seven years later, I decided to move on to FireEye and do deeper-level work.

Yeah, it's awesome how you guys picked up malware analysis, or were taught malware analysis, along the way. Now that's a big part of what FLARE does and what you guys are doing here, teaching malware analysis courses back out to the community. Were there a couple of things, like two or three things, that helped you in particular get up to speed, that may be useful for other people if they want to follow a similar path or something else?

I loved OpenSecurityTraining.info, it's a really cool website, and also Practical Malware Analysis. Those books helped me go from the general, higher-level malware analysis that a lot of people can do to the deep-level code reverse engineering and understanding x86 and how to use disassemblers and debuggers. I just hit the books, with The Shellcoder's Handbook, which is not an easy start, so that wouldn't be how I would say to do it. That's how I'd say it, because I already had a background. He started at the top; for me it was a gradual ramping up, doing a lot of things. I think OpenSecurityTraining does a good job of focusing on that.

And I've got to say, a way to get in front of you guys on the FLARE team would be the Flare-On challenge that just wrapped up. We had about five thousand people sign up, it's crazy, it's growing every year. Oh, and Nick, I did a write-up and I hope you don't release it. Yeah, so I wrote a piece of software for that that was kind of like malware. Which challenge number was it? It was challenge number nine. Okay. But last year's was interesting enough: it was based on the self-hooking rootkit in the APT29 payload that was in the LNK file that was used against the Democratic National Committee, and it's a rootkit that virtualizes file I/O and makes it so that you can't do a directory listing on that stuff. So, no thanks. How's it like, you stole that? I borrowed, borrowed. Yeah, we talked some about the weaponized LNK files on an earlier episode, with some other groups adopting it, picking it up. And so you had done, I remember you did the original analysis of the APT29 usage. Threat intel wanted to know some facts; they saw some blogs, they wanted to know the deeper stuff. I feel like from reading the blog they were either holding out on the public, or they maybe just didn't have that deep of an analysis of it, so I got to do it. It was really fun. Nice. My favorite. Yeah, but several of us miss doing a lot of APT29 stuff, I think.

So yeah, it might be helpful, just for a kind of background process perspective, to let the viewers know. I think it's the first time we've interviewed any malware analysts, so how do you guys engage it from a process perspective? And I think the interplay, because we keep pretty clear lines between incident responders and analysts and malware analysts, so kind of walking through what our processes are for getting you guys engaged, and then maybe just, you know, 30 seconds, a minute on a little bit of how that works internally. What do you mean, like how we get tickets in, how we do an analysis? Just, you know, like when do we... So we have an incident responder who's doing work. Their job is more kind of triage, figure out, is this bad or not? Yeah. FLARE gives us triage training, so everyone's expected to have some level of triage capability. Yeah, not to tap into their skill set, but that's something I recommend, honestly, everyone in the digital forensics and incident response field have. Yeah, I actually did hit review as well. I took the triage training as a consultant even; I was like, I'm on the red team, I want to do some incident response stuff too. That's really interesting. So I took binary triage training. It's really valuable, and I would do hit review and just see: anything that's hitting our signatures and we think these might be a cutie, so look especially at these. And so what I would do is I would upload it to our system (we have a system that is kind of the workflow for FLARE), upload it and watch what it does. So we have some automated analysis that can help us, and sometimes I would be able to avoid sending a ticket out, and eventually I might escalate it to FLARE, like: I strongly suspect this is malicious, I see it's doing some shellcode tactics and then that kind of vanishes over the horizon, I don't know what the code is doing. And it wasn't my job at the time to do that kind of work, even though I really wanted to. I knew that FLARE would be more effective at it, so I didn't do it, and then the ticket would go to somebody else. And so now, turning the tables to where I live and work on the FLARE team, I wake up on Monday morning and I'm on the threat intel queue or the Mandiant Managed Defense queue for our customers, or I'm working with incident responders on the triage queue, and I look at the first ticket and it looks like a doozy and I just go, sure. And then either it wraps up in four hours, it's super simple, or, you know, maybe it takes a day or two, or maybe in some cases it takes long... Oh yeah, yeah, we always tease each other on the FLARE team about being selective about the tickets you take. You see one like that and it's, oh, that's Patrick's.

You guys have also been doing a lot of automation stuff too. Your goals are sort of to avoid people sending you the ones that you've already looked at, sure, or maybe to remove some of the frustrations early that make it easier for you guys to start taking a look. The way I explain how these guys really help us too is, like in that APT38 report that just went out, that we put out on North Korea: they're using like 24 custom code families. We have all these certain names; sometimes there are people in the industry who, I don't know, don't quite get it, like different vendors give things different names and all that. But getting a true, deep malware analysis understanding of what the core functionality is and what separates code families is where FLARE really comes into that flow. So I guess people are consuming your product all the time, even if they don't know that's what they're consuming publicly. Yeah, you know, I try to be... hold on, but they support a lot of different things. It really actually makes me kind of proud. Yeah, a lot of the time we don't actually hear about it, right? You write it as a FLARE analyst, and unless you write a report, you throw it over the wall and you're like, next, right? It's really cool when we do hear back. I want to let everyone know that when we hear stories it excites us and gets us more motivated to do our job too, which is awesome, and the context is really cool. Yeah, it's cool to hear what you guys, you know, what doing the work...

Nice. And there are more ways, I think, for external people to connect with FLARE talent as well, not just training, but I think there are gonna be some other ways that we're gonna have coming out where people can have you guys help them, so I'm sort of excited about that. We're not just trying to brag that we have these guys, right? There's a lot they do publicly, and you guys release a lot of tools and everything like that. So if you don't mind, can we hop into maybe how you specifically got some of what your talk is on? So Carbanak. A lot of people confuse Carbanak; we've talked about FIN7 previously, and there's a lot of industry confusion over the different groups. That's because we don't do attribution based on use of malware, so Carbanak is not necessarily FIN7 or any other group. You guys got a chance to analyze... for how long, how many hours went into this? 511? Yeah, 400 hours maybe, just maybe. Lucky, but not the most fully featured backdoor known to us at this point. And so Tom's been... someone, I think it was you, uploaded our, yeah, an archive that was like five megabytes and turned out to be 20 megs of a hundred thousand lines of code, 45 binaries, etc. And so I had a chat with him and I was asking him about Carbanak and he's like, wait a minute, did you take that ticket? Like, I'm on it. 94 hours, and then after those I had written a lot about what the binaries did, but our threat intel team was like, no, I want absolute certainty about those binaries, so please, in your high-level report, please go through the binaries. So that was another 90-some hours. Wow. And then I did a finished intel product that we have on our iSIGHT portal, which again makes me really proud, and that stuff comes out as deliverables. So that was 40 hours of work, and working on these slides and on the blog post is also like another month plus, recently, because I do a lot more after the analysis; we're gonna find all kinds of ways to get the information out to people.

So to step back for a second, you guys have probably been analyzing Carbanak samples found in the wild on investigations for some time, three years now, and have been finding it and sending it in, and then you had the opportunity to actually look at the full source, or a collection, probably from the attackers, right? So we'd upload it, and that was source of both the builder... it was everything, right, the whole kit, like a builder that actually built the malware, and then... But you know, I think the theory is that sometimes when they're testing their RAT on VirusTotal or another sandbox or whatever, they'll upload, and instead of uploading their actual DLL or their payload, they'll upload the C2 panel or something like that. And in this case the theory is that maybe they accidentally uploaded the source code's RAR file, which is five megs, so I could see that going quick enough that maybe you'd miss it, like emailing the channel, please remove that file. Yeah, I don't know. But then Advanced Practices caught it and you uploaded it and I took the ticket, and so there's the story. So he was kind of shuddering, like, yeah, thank you. Yeah, the opportunity to compare the actual reverse engineering you did to try to understand the functionality with the raw source code, I imagine that doesn't happen very often. No, it's totally unusual. It's totally other... That's why we wanted to talk about it at Defense Summit. Were there any things that you found where you reversed it and you thought, like, once, where it was different than what you thought it was, where you're like, oh man, I just totally whiffed on... Oh yeah, he can be relieved. And so the conclusion is Tom's a great reverser, and I'm glad I didn't have to do that. But yeah, wanting to talk about it very much. Yeah, one of the interesting things is difficult code is difficult code at the source or the binary level.

So there's a way that it sends its commands through, and they've kind of worked a journey through the stomach of the implant, and it's nuts. We call it a diabolical named pipe circus, and in the source code it was even worse, I felt, because it was so ambiguous with all the same function names, it was overloading, like 20 different layers of functions. The call stack was not so... just like, yeah, this is really hard to verify. So you guys also probably got your hands on some stuff that maybe we haven't seen, or background on it, something that can elevate also. You did some work with the video player. The video player was really interesting. The backdoor Carbanak has the desktop video recording feature, like a lot of other backdoors have, right? So you can see what the user is doing on the desktop. They have their own proprietary format for the videos, so they actually wrote their own video player to play the videos. It's not like super bright lights or anything, it's just gluing frames together with some metadata. But yeah, we had access to some of these videos and we obviously wanted to play them. When we got the video player, we could pop the video player, and it didn't work and we were bummed out. But I wasn't ready to give up just yet, so I looked at the video format and I looked at the code in the video player, and it turned out all I had to do was uncomment this block of code to play the old format. Awesome. And then we could see the videos and we're talking about that in the talk. Awesome, sweet. What about some of those other plugins, I guess the source for those plugins that we may not have had visibility into? So there were some tools. One gap that we had in their analysis was, it downloads some shellcode and executes it, and the command, as Kaspersky had documented it, was called tinymet, and that made no sense at the time. Turns out there's an open source project called TinyMet and it's a stager for Metasploit. And so I found this thing called metaplug and it ended up being encoded shellcode, and it didn't match up with the source code quite exactly, so it took me a while to decode it, but at the end the slack space basically gave away the key, if you're playing with XOR. Anyway, that's a good detail to keep, but it was Metasploit. Yeah, I want to point out, when I was reversing the binary before we had the source code, the command names... you can't see the command names, they're hashed, so each command name is just the hash, and I didn't know tinymet was the name of the command. I guessed a lot of the command names, and I also referred to the Kaspersky report for some of them, and I had most of them, but not tinymet, because I didn't know; it's downloading shellcode and running it, right, and I'm like, I don't know what this is. So I didn't know about the tinymet thing. So when you got the source code and you saw the met dot... maybe there isn't... I didn't see it. I mean, okay, yeah, you might say, oh yeah, I didn't see it.

One of the parts from your presentation I liked is that you actually had to learn Russian to start reversing the malware, because it was still... Yeah, languages. So I studied Spanish in high school and I still study; my phone is in Spanish and I read the news in Spanish. So whenever anybody gives me a chance to learn a language... I literally asked my boss, can I study Russian, could that be a FLARE thing that I do? Like, that'd be awesome. Yeah. I got the source code, it was codepage 1250, and I realized I wanted to read all that. So I wrote a Python script that would tear through and get all the Russian words. I had it sort the words in order of which were the most common, and then I translated 500 of them on Google, and while my daughter was playing and watching TV (because I was really... no way, I don't have her watching TV) but while she was playing and watching TV I went on russianforeveryone.com and I learned a quick Russian lesson. Do you know how they say "file" in Russian? "Fayl". It's all transliteration, so like "server". You have a command... it's really fun. Oh nice. Okay, you have all the comments in the source code in Russian, right? That was like your main... Yeah, I feel like, especially because we pulled... something like "error executing command", so I got to know Russian well enough that I could read malware comments. It's awesome. You've heard of method acting; this is like method analysis, right? You guys take it to another level. It was the last night before getting ready for the presentation, where'd you guys go for dinner? Just to get in... Yeah, and I was like, do you realize... he was like yes. Did you order a Bud Light there? Terrible, by the way; had a few, it's not good. I like Russian vodka, not so great beer. Okay, great, great malware, thank you. Yeah, I'm trying not to fetishize the stuff, you know. What I'd like to be honest about is that some of this is interesting work; these are professionals, they work really hard on these projects even though it's not for good ends. But were there a couple of points of it that were more impressive to you guys in terms of how they accomplished a particular task, or just the tasking piece that sends the commands bouncing? Yeah, well, we don't want to go into all the details here, it's really hairy. In our talk it was a bit of a challenge because you wanted to mention how complicated their command handling code was, but without boring the audience by getting into the weeds, and I think we found a good, healthy balance, like a medium level. But it was one area of the code where it was actually harder for him to look at the source code than it was for me to look at the binary. Sometimes it actually goes the other way around; you wouldn't think the compiler actually makes it easier for you. Yeah, and I find that with a lot of GNU projects, like anything Richard Stallman has written, or really anything in GNU. I don't think it's that it's really complicated, it's that GNU is entrenched and it's old. If you look at the source code it's so many macros, this could go anywhere, and then in the binary you just look at the cross-references. Yeah, so it's awesome.

So a couple of projects. So Daniel Bohannon, who we previously had on, came out with some amazing DOSfuscation research. Yeah, how did you develop the other side of that, the de-obfuscation stuff? Because I didn't know if you knew it was DOSfuscation at the time. I read his paper, yeah. Okay, I thought that was really cool, and I got a sample from this group (I don't know where that name comes from, but that's the name that's been ascribed to them) and it was an obfuscated batch file, publicly referred to in some places as Iron Tiger; that's one of our other groups, yeah. So I got this batch file that was awful, and normally I'm pretty slick with computers, right, so I thought I would echo the statement, have it interpolate the environment variables and tell me what the commands are. But there were lots of commands, like, I forget, it was like half a megabyte or something like that. So anyway, I decided it was easier to reverse Windows than it was to reverse this file. So I wrote... I think I actually have a tool called flare-qdb, the query-oriented debugger, and it just attaches to your malware and straps on some Python so you can basically do one-liners, like, hey, when you get here please just do this Python, and I have some enabling built-ins that can help you access things at the binary level. So using that, and vivisect, which is the binary analysis framework written by an alumnus of Mandiant, I wrote a debugger for the command prompt that would spit out the commands to a log file. And so it was like 300 commands of building a nomenclature for the substitution cipher so it could finally decode the real commands; 300 of the separators, it ran for a long time, so 300 minutes later it starts to do the bad stuff, which I think was a Monero coin miner, a different one, elevated to get there. Because that was one of the things outside the scope of what Daniel put together, actually getting back to what the original source was. So you reverse engineered cmd.exe instead of the... I was like, maybe it'll be easier, and it turned out it really was. That's awesome. And there are some plans, I think, to put that out? Yeah, I plan to; I have a blog written and I have the tool ready, and I think it's got to go live. I'm trying to perfect it and polish it, but yeah, it's going up there. Thank you. I'll get feedback on it, and I'm sure you have lots of people who spend a crazy amount of time de-obfuscating stuff, thinking afterwards... One of our guys, Richard, I think, yeah, he gets a lot out of it, he says. Awesome, so yeah, that makes me happy. Oh, that's cool.

And then I guess, do you have anything else that's gonna be coming up that you guys are gonna be releasing? Doing 500 hours of malware analysis isn't enough, but you do... Yeah, I've been working on an emulation framework built on top of Unicorn and IDA Pro, so it kind of marries Unicorn and IDA Pro together to help reverse engineers automate some emulation tasks. Because if you've ever played with Unicorn, it's really powerful and really great, but there's a lot of setup and teardown work you have to do, and cleanup, and to make it a robust emulation tool you have to do a lot of extra work. So I do all that work in this framework that I'm gonna be releasing probably by the end of the year. The reason I built it was I have a macOS class that I've built, and Mike's helped with, and some others on the team. So we teach macOS malware analysis, and with macOS malware you sometimes have to deal with Objective-C, and Objective-C is really annoying to reverse engineer, so emulation actually helps a lot in doing some automated analysis on Objective-C code. So that's why I wrote this tool, and I'm gonna release the Objective-C stuff as well. It's nice, we'll have that. That's awesome, sweet. Well, thanks for your time, and it was great talking. [Music]
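The word-frequency step Mike describes (decode the source, pull out the Russian words, rank them by how often they occur, translate the top few hundred) as an added example. This is not the script from the interview or any FLARE tool; it assumes the source is in a single-byte Windows codepage and defaults to cp1251, the usual codepage for Russian text (the codepage is a parameter, so 1250 or anything else can be passed instead), and the source snippet it runs on is constructed, not Carbanak.

```python
"""Rank the Cyrillic words in legacy-codepage source so the most common ones
can be translated first.  Added example; the sample input is constructed."""
import re
from collections import Counter

# Constructed sample: C-style source with Russian comments and string literals,
# stored as bytes in a Windows codepage (cp1251 here) the way such source often is.
SAMPLE_SOURCE = (
    "// Сервер: отправить файл\n"
    "int send_file(const char *path) {\n"
    "    // ошибка: файл не найден\n"
    "    log(\"файл отправлен\");\n"
    "    return 0; // команда выполнена\n"
    "}\n"
).encode("cp1251")

# One or more characters from the Unicode Cyrillic block; ASCII identifiers,
# punctuation and digits are ignored.
CYRILLIC_WORD = re.compile(r"[\u0400-\u04FF]+")


def cyrillic_word_counts(raw: bytes, codepage: str = "cp1251") -> Counter:
    """Decode raw bytes with the given codepage and count Cyrillic words, case-folded.

    Bytes that are not valid in the codepage are replaced rather than raising, so a
    single stray byte in a large source tree does not abort the whole pass.
    """
    text = raw.decode(codepage, errors="replace")
    return Counter(word.lower() for word in CYRILLIC_WORD.findall(text))


def most_common_words(raw: bytes, n: int = 500, codepage: str = "cp1251") -> list:
    """Return up to n (word, count) pairs, most frequent first, ties broken by word."""
    counts = cyrillic_word_counts(raw, codepage)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    # On a real tree you would read every source file and feed the bytes in here.
    for word, count in most_common_words(SAMPLE_SOURCE, 10):
        print(f"{count:5d}  {word}")
```

The ranked list is what goes into the translation step: with the most common words at the top, a few hundred translations cover most of the comment and string text, which is what made the comments readable in the interview.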
Info
Channel: FireEye, Inc.
Length: 22min 38sec (1358 seconds)
Published: Mon Oct 15 2018