From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT - Jorge Rodriguez; Souhail Hammou
Summary
TLDR: This talk takes a deep dive into the Gh0st RAT malware and its PseudoManuscrypt variant. Intel 471 researchers Jorge Rodriguez and Souhail Hammou analysed the malware's code and distribution and showed that PseudoManuscrypt is one of the latest forks of Gh0st RAT, which originated with a Chinese hacker team. They also cover Gh0st RAT's history, its features and how the variant reaches victims through different distribution channels. They then present PseudoManuscrypt's advanced capabilities, including cryptocurrency theft, browser cookie stealing and its plugin system. Finally, they conclude that the malware is operated by a financially motivated, probably Chinese-speaking group and is still under active development.
Takeaways
- 🔍 Introduces the Gh0st RAT malware and its PseudoManuscrypt variant, researched by Jorge Rodriguez and Souhail Hammou of Intel 471.
- 📈 Covers the history of Gh0st RAT: originally developed by a Chinese hacker team, open-sourced in 2008, and forked into many variants by the open source community and by threat actors since.
- 🌐 PseudoManuscrypt, the latest Gh0st RAT variant discussed, was first spotted by Kaspersky in 2021 and is delivered through malware loaders (pay-per-install services) and fake software-crack websites.
- 🔥 As of August 2022 (BitSight sinkhole telemetry), the PseudoManuscrypt botnet had around 50,000 bots, and the number is still growing.
- 🔄 Intel 471 tracks the malware through automated artifact extraction; the original Gh0st RAT uses a custom TCP protocol whose packet header starts with a special flag.
- 🛠️ The malware has a modular structure built from "managers": file manager, screen manager, video/audio managers, keylogger and others.
- 🚀 PseudoManuscrypt uses a more advanced service manager and adds new features such as a hidden VNC manager, bi-directional clipboard sharing and a TCP proxy.
- 🔒 The malware supports plugins for stealing credentials and cryptocurrency, and a man-in-the-middle proxy plugin that intercepts TLS traffic.
- 🌍 From the libraries the malware uses and from its infrastructure, the researchers assess that a Chinese-speaking group is likely behind it.
- 💡 Gh0st RAT and its variants remain a persistent threat; the current operators are diversifying and ramping up distribution to grow the botnet.
Q & A
What is Gh0st RAT and what is its history?
-Gh0st RAT is a remote access trojan (RAT) developed by a Chinese hacker group, the C.Rufus Security Team (CRST), which was active between 2006 and 2009. The team released the first stable Gh0st RAT version in January 2008 and an open source version in March of the same year. Gh0st RAT is known for its modular structure and rich feature set, and has been adopted and modified by several APT groups and cybercrime gangs.
How is the PseudoManuscrypt RAT related to Gh0st RAT?
-The PseudoManuscrypt RAT is one of the latest Gh0st RAT forks, first spotted by Kaspersky in 2021. It inherits many of Gh0st RAT's managers and its overall structure, but adds its own improvements and new capabilities, such as a more advanced service manager and plugin support.
What are the main distribution channels of the PseudoManuscrypt RAT?
-The PseudoManuscrypt RAT is spread in two main ways: through fake software-crack websites and through pay-per-install ("install") services run by other malware operators. The attackers use these channels to distribute the malware as widely as possible, luring victims into downloading and running it.
What is the goal of the PseudoManuscrypt RAT?
-The main goal of the PseudoManuscrypt RAT is financial gain. It replaces cryptocurrency wallet addresses copied by the victim, intercepts browser traffic, and steals cookies and saved credentials, all of which the attackers can monetise.
Which communication protocols and frameworks does the PseudoManuscrypt RAT use?
-The PseudoManuscrypt RAT uses UDP as its main protocol (port 53) and TCP as a fallback (port 443). Communication is built on the open source HP-Socket C++ framework, which provides TCP, UDP and HTTP client and server capabilities. For UDP with ARQ error control, HP-Socket uses the KCP protocol, written by a Chinese developer and described as 30 to 40 percent faster than TCP; the researchers attribute the use of KCP to the library rather than to a deliberate design choice.
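The two packet formats described in the talk (the original Gh0st RAT header and the PseudoManuscrypt header) are easy to confuse in a parser, so here is an added example, not code from the talk or from Intel 471, that builds and parses both. The Gh0st layout ("Gh0st" flag, total size including header, uncompressed size, zlib data) follows the talk; for PseudoManuscrypt the one-byte magic 0x43, the transformation-type field and the two size fields are from the talk, while the numeric values of the transformation types, the field widths, the XOR key and the compress-then-XOR order are assumptions made for the example. The parser refuses frames whose claimed uncompressed size does not match the data, which is the check a bot skips when it blindly allocates from the header.

```python
import struct
import zlib
from typing import Optional, Tuple

GH0ST_FLAG = b"Gh0st"                 # flag at the start of every original Gh0st RAT packet
PM_MAGIC = 0x43                       # one-byte header magic of PseudoManuscrypt packets
PM_XOR_KEY = 0x5A                     # ASSUMPTION: the real XOR key is not given in the talk
MAX_DECOMPRESSED = 16 * 1024 * 1024   # sanity bound on the claimed uncompressed size

# PseudoManuscrypt transformation types: plain, XOR, zlib, zlib+XOR are named in the
# talk; the numeric values below are an ASSUMPTION for this example.
PM_PLAIN, PM_XOR, PM_ZLIB, PM_ZLIB_XOR = 0, 1, 2, 3


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _inflate_bounded(blob: bytes, expected: int) -> bytes:
    """Inflate zlib data, refusing output that does not match the size the header claims."""
    if expected > MAX_DECOMPRESSED:
        raise ValueError("claimed uncompressed size too large")
    d = zlib.decompressobj()
    try:
        out = d.decompress(blob, expected + 1)   # one extra byte exposes a lying header
    except zlib.error as exc:
        raise ValueError(f"corrupt zlib stream: {exc}") from None
    if len(out) != expected or d.unconsumed_tail:
        raise ValueError("decompressed size does not match header")
    return out


def build_gh0st_packet(payload: bytes, flag: bytes = GH0ST_FLAG) -> bytes:
    """flag | total size incl. header (u32 LE) | uncompressed size (u32 LE) | zlib(payload)"""
    body = zlib.compress(payload)
    total = len(flag) + 8 + len(body)
    return flag + struct.pack("<II", total, len(payload)) + body


def parse_gh0st_packet(data: bytes, flag: bytes = GH0ST_FLAG) -> bytes:
    hdr = len(flag) + 8
    if len(data) < hdr or data[: len(flag)] != flag:
        raise ValueError("not a Gh0st packet (flag mismatch)")
    total, orig = struct.unpack_from("<II", data, len(flag))
    if total != len(data):
        raise ValueError("total size field does not match frame length")
    return _inflate_bounded(data[hdr:], orig)


def build_pm_packet(payload: bytes, ttype: int = PM_ZLIB_XOR, key: int = PM_XOR_KEY) -> bytes:
    """0x43 | transformation type (u8) | total size (u32 LE) | untransformed size (u32 LE) | data
    ASSUMPTION for zlib+XOR: compress first, then XOR the compressed bytes."""
    body = payload
    if ttype in (PM_ZLIB, PM_ZLIB_XOR):
        body = zlib.compress(body)
    if ttype in (PM_XOR, PM_ZLIB_XOR):
        body = _xor(body, key)
    return struct.pack("<BBII", PM_MAGIC, ttype, 10 + len(body), len(payload)) + body


def parse_pm_packet(data: bytes, key: int = PM_XOR_KEY) -> Tuple[int, bytes]:
    if len(data) < 10 or data[0] != PM_MAGIC:
        raise ValueError("not a PseudoManuscrypt packet (magic mismatch)")
    _, ttype, total, orig = struct.unpack_from("<BBII", data, 0)
    if total != len(data) or ttype not in (PM_PLAIN, PM_XOR, PM_ZLIB, PM_ZLIB_XOR):
        raise ValueError("bad header")
    body = data[10:]
    if ttype in (PM_XOR, PM_ZLIB_XOR):
        body = _xor(body, key)
    if ttype in (PM_ZLIB, PM_ZLIB_XOR):
        body = _inflate_bounded(body, orig)
    elif len(body) != orig:
        raise ValueError("untransformed size does not match data length")
    return ttype, body


def identify_frame(data: bytes) -> Optional[str]:
    """Cheap classification a detection rule would do before acting on a frame."""
    try:
        parse_gh0st_packet(data)
        return "gh0st"
    except ValueError:
        pass
    try:
        parse_pm_packet(data)
        return "pseudomanuscrypt"
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample payloads; real Gh0st commands are a one-byte opcode plus data.
    print(identify_frame(build_gh0st_packet(b"\x01" + b"host-info")))
    print(parse_pm_packet(build_pm_packet(b"\x01" + b"host-info")))
```

Because forks change the flag, `parse_gh0st_packet` takes the flag as a parameter; a tracker can try the handful of flags it has seen rather than hard-coding "Gh0st".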
How does the PseudoManuscrypt RAT infection chain start?
-The infection chain starts with the downloader component, obtained either from the software-distribution network behind the fake cracks or from a malware loader. The downloader first restarts itself elevated, then downloads two files: a PNG image whose overlay contains an encrypted loader DLL (dropped to the user's temp directory as db.dll), and a binary file with an HTML extension whose name is the campaign ID (saved as db.dat). The downloader then runs db.dll through rundll32 and calls a special export named Open; db.dll reads the encrypted shellcode from db.dat, decrypts it and executes it. The shellcode in turn decrypts (one-byte XOR), decompresses (LZNT1) and loads the core module embedded in it.
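The db.dat container and its two-round shellcode decryption are described in the talk only in words, so here is an added example, not code from the talk or from Intel 471, that packs and unpacks such a container. What follows the talk: two shellcodes (32-bit then 64-bit), each preceded by its length offset by a constant; round one XORs each byte with an index-dependent key; round two walks the buffer backwards, XORing each byte with its predecessor. Assumptions made for the example: the value of the length constant, the exact index-to-key derivation, and that the index is relative to the start of each shellcode. The LZNT1 stage that follows in the real chain is not included.

```python
import struct
from typing import Tuple

LENGTH_ADD = 0x1000  # ASSUMPTION: lengths are offset by a constant; the real value is not in the talk


def _index_key(i: int) -> int:
    """ASSUMPTION: round one uses a key derived from the byte index; the talk does not
    give the derivation, so a simple affine one is used here."""
    return (i * 0x1F + 0x37) & 0xFF


def encrypt_shellcode(plain: bytes) -> bytes:
    """Inverse of decrypt_shellcode; only used to build the constructed sample."""
    buf = bytearray(plain)
    for i in range(1, len(buf)):          # forward chain: each byte keyed by the previous ciphertext byte
        buf[i] ^= buf[i - 1]
    for i in range(len(buf)):             # then the index-dependent XOR layer
        buf[i] ^= _index_key(i)
    return bytes(buf)


def decrypt_shellcode(enc: bytes) -> bytes:
    buf = bytearray(enc)
    for i in range(len(buf)):             # round 1: strip the index-dependent XOR
        buf[i] ^= _index_key(i)
    for i in range(len(buf) - 1, 0, -1):  # round 2: walk backwards, each byte keyed by its predecessor
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def pack_container(sc32: bytes, sc64: bytes) -> bytes:
    """[len32 + LENGTH_ADD][enc(sc32)][len64 + LENGTH_ADD][enc(sc64)] (u32 LE lengths)."""
    out = b""
    for sc in (sc32, sc64):
        out += struct.pack("<I", len(sc) + LENGTH_ADD) + encrypt_shellcode(sc)
    return out


def unpack_container(blob: bytes) -> Tuple[bytes, bytes]:
    """Parse db.dat; length fields are validated before slicing so a truncated or
    tampered file raises instead of silently yielding a short shellcode."""
    parts, off = [], 0
    for _ in range(2):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from("<I", blob, off)
        n -= LENGTH_ADD
        if n < 0 or off + 4 + n > len(blob):
            raise ValueError("length field out of range")
        parts.append(decrypt_shellcode(blob[off + 4: off + 4 + n]))
        off += 4 + n
    return parts[0], parts[1]


def select_shellcode(blob: bytes, is_64bit: bool) -> bytes:
    """db.dll uses the 32-bit shellcode first; the core module later picks by architecture."""
    sc32, sc64 = unpack_container(blob)
    return sc64 if is_64bit else sc32


if __name__ == "__main__":
    # Constructed stand-ins for the real shellcodes.
    sample = pack_container(b"\x90" * 16 + b"\xcc", b"\x48\x31\xc0" + b"\xcc")
    print(select_shellcode(sample, is_64bit=False).hex())
```

Writing the encoder alongside the decoder is what lets an extractor be regression-tested against samples you construct yourself, without needing a live db.dat on hand.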
How does the PseudoManuscrypt RAT achieve persistence?
-The PseudoManuscrypt RAT registers a console control handler (via the SetConsoleCtrlHandler API) whose callback is invoked on system shutdown, and only then installs persistence; an unexpected shutdown, such as a blue screen, therefore means it will not survive the reboot. Persistence itself uses a service DLL embedded in the core module: the DLL is copied to the system32 directory and registered under a new service group in the registry (called "app service"). After reboot, the service reads the persisted shellcode from the registry and injects it into the svchost.exe instance of the net services group, after which the infection proceeds as before.
Where is the PseudoManuscrypt RAT configuration stored?
-The configuration is stored in the data section of the core component. There are two configuration buffers: a primary one that is always used, and a secondary one used only after a special C2 command switches to it (the switch is recorded as a file-extension association in the registry). Each configuration holds the main and fallback protocols (1 = TCP, 2 = UDP), the ports to use, the primary command and control server address, and the DGA parameters: a seed string that is the API key, the top-level domain, and the maximum number of domains to generate before retrying the main C2.
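The fallback DGA described in the talk is worth having as running code, because it is what lets a tracker pre-register or sinkhole the domains a bot will try when the primary C2 is unreachable. This is an added example, not code from the talk or from Intel 471. The steps from the talk are: concatenate the current seed (initially the primary C2) and the API key with a comma, MD5 it, take ten characters from the middle of the hex digest, uppercase them, apply a small transformation that yields a lowercase string, append the TLD, and on failure use the resulting domain as the next seed until the configured maximum is reached. Assumptions made here: the C2 and API key values are placeholders, the middle offset into the digest is a guess, and the "small transformation" is not described in the talk, so a placeholder mapping of hex digits onto the letters a..p stands in for it.

```python
import hashlib
from typing import Iterable, List, Optional

# Constructed configuration values; the real primary C2 and API key are not in the talk.
PRIMARY_C2 = "c2.example.com"       # placeholder
API_KEY = "api-key-placeholder"     # placeholder: the talk only says the seed string is the API key
TLD = ".com"
MAX_DOMAINS = 10


def _fold_to_lowercase(hex_upper: str) -> str:
    """Placeholder for the unspecified 'small transformation'. ASSUMPTION: maps each hex
    digit onto 'a'..'p' so the result is a valid lowercase DNS label. The real mapping is
    not given in the talk."""
    return "".join(chr(ord("a") + int(ch, 16)) for ch in hex_upper)


def next_domain(seed: str, api_key: str = API_KEY, tld: str = TLD) -> str:
    digest = hashlib.md5(f"{seed},{api_key}".encode()).hexdigest()  # 32 hex characters
    middle = digest[11:21].upper()  # "ten characters in the middle"; exact offset is an ASSUMPTION
    return _fold_to_lowercase(middle) + tld


def generate_fallback_domains(primary_c2: str = PRIMARY_C2, api_key: str = API_KEY,
                              tld: str = TLD, max_domains: int = MAX_DOMAINS) -> List[str]:
    """The full chain a bot walks when the primary C2 fails; each domain seeds the next."""
    domains: List[str] = []
    seed = primary_c2
    for _ in range(max_domains):
        seed = next_domain(seed, api_key, tld)
        domains.append(seed)
    return domains


def choose_c2(reachable: Iterable[str], primary_c2: str = PRIMARY_C2, api_key: str = API_KEY,
              tld: str = TLD, max_domains: int = MAX_DOMAINS) -> Optional[str]:
    """Emulates the bot's selection: primary first, then the DGA chain, at most max_domains
    attempts; None means the bot gives up this round and goes back to the primary C2."""
    up = set(reachable)
    if primary_c2 in up:
        return primary_c2
    for domain in generate_fallback_domains(primary_c2, api_key, tld, max_domains):
        if domain in up:
            return domain
    return None


if __name__ == "__main__":
    for d in generate_fallback_domains():
        print(d)
```

Once the real transformation and offset are recovered from a sample, only `_fold_to_lowercase` and the slice in `next_domain` need to change; the chaining and the retry bound stay as the talk describes them.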
Which plugins does the PseudoManuscrypt RAT support?
-The PseudoManuscrypt RAT supports several plugins: a clipper that monitors the clipboard for cryptocurrency wallet addresses and swaps them for attacker-controlled ones, a keylogger that watches the foreground window for cryptocurrency-related strings and forwards hits to the C2 in real time, a man-in-the-middle proxy plugin that installs a root certificate and a PAC script to intercept browser TLS traffic to cryptocurrency sites, and a stealer plugin that takes cookies and saved credentials from browsers (with heavy targeting of Instagram and Facebook Ads Manager).
How did the researchers determine that the PseudoManuscrypt RAT operators are probably Chinese-speaking actors?
-From the libraries and frameworks the malware uses (HP-Socket and KCP, both written by Chinese developers), the fact that Gh0st RAT forks are traditionally used by Chinese-speaking actors, the use of the Chinese Pagoda panel to manage infrastructure, and the hosting of its older infrastructure in East Asia, the researchers assess that the operators are likely Chinese-speaking.
What are the PseudoManuscrypt RAT operators mainly after?
-Financial gain. The operators use a range of plugins and features to steal cryptocurrency, intercept browser traffic and harvest sensitive credentials, and the researchers observed no commands beyond plugin deployment and bot updates, which points to a plugin-oriented, profit-driven operation.
Outlines
🎤 Introduction and background
This section introduces the speakers. Jorge Rodriguez is the malware research team lead in the Malware Intelligence team at Intel 471; the team tracks malware through automated artifact extraction and uses those artifacts for botnet emulation. His co-presenter Souhail Hammou is a senior malware reverse engineer at Intel 471 whose work covers reverse engineering malware, writing comprehensive reports, and coding extractors and emulators to track malware and botnet activity. The section also sets out the topic: research on Gh0st RAT and the PseudoManuscrypt RAT, the history of PseudoManuscrypt, and its connection to the infamous Gh0st RAT.
📚 Origins and characteristics of Gh0st RAT
This section explores the origins and characteristics of Gh0st RAT. It was developed by the C.Rufus Security Team (CRST), active between 2006 and 2009 with more than twelve members. They released several variants between 2007 and 2009. The source code was opened in 2008 and was quickly put to malicious use: GhostNet campaigns attributed to Chinese-speaking threat actors targeted government offices in more than 100 countries. The section also covers technical details of Gh0st RAT, such as its communication protocol, its manager components and its features.
🔍 Analysis of the PseudoManuscrypt variant
This section discusses the analysis of the PseudoManuscrypt variant, its relationship to the original Gh0st RAT and its distinctive traits. PseudoManuscrypt is built on Gh0st RAT but adds improvements such as a new service manager and bi-directional clipboard sharing. It also has a plugin system mainly used to steal credentials and cryptocurrency. Its developers appear to be financially motivated and are probably Chinese-speaking, since they use libraries and a management panel written by Chinese developers.
🚀 Distribution and infection chain of PseudoManuscrypt
This section describes how PseudoManuscrypt is distributed and how its infection chain works. It is spread in two main ways: fake software-crack websites and pay-per-install services. The attackers do not target any particular industry, country or region; they take a "spray and pray" approach. The infection chain starts with a downloader component that fetches two files: an encrypted DLL and an HTML file whose name is the campaign ID. The downloader runs the DLL, which loads the core module; the core module persists across reboots and injects itself into svchost instances.
🛡️ Configuration and communication protocol of PseudoManuscrypt
This section details the configuration and communication protocol of PseudoManuscrypt. The configuration is stored in the data section of the core component and contains the main and fallback protocols, ports, the main C2 server and DGA parameters. Communication uses the open source HP-Socket C++ framework, a high-performance TCP, UDP and HTTP framework by Chinese developers; for UDP, HP-Socket uses the KCP protocol, also written by a Chinese developer. PseudoManuscrypt uses UDP as its main protocol and falls back to TCP when needed.
🔑 Plugins and features of PseudoManuscrypt
This section discusses the plugins PseudoManuscrypt supports and what they do: a clipboard-monitoring (clipper) plugin, a keylogger plugin, a man-in-the-middle plugin and a cookie-stealing plugin, mainly used to steal credentials and cryptocurrency. PseudoManuscrypt also has advanced built-in features such as a hidden VNC manager, bi-directional clipboard sharing, a TCP proxy and a netstat manager. Together these show PseudoManuscrypt to be a sophisticated, primarily financially motivated threat.
🎯 Conclusion and Q&A
The final section concludes that Gh0st RAT remains a potential threat and that PseudoManuscrypt is an advanced, financially successful and growing variant. Attackers may favour Gh0st RAT because of its modular structure. The PseudoManuscrypt operators are diversifying and ramping up distribution, and given the botnet's size the malware could already be used as spyware against victims. The talk closes with a short Q&A.
Keywords
💡Gh0st RAT
💡PseudoManuscrypt RAT
💡Malware distribution
💡Automated artifact extraction
💡Malware configuration
💡Plugins
💡Cyber espionage
💡Domain generation algorithm
💡Malware analysis
💡Financial crime
Highlights
This talk presents research on the Gh0st RAT malware; it is the team's second podcast, hopefully with more to come.
Jorge Rodriguez is the malware research team lead in the Malware Intelligence team at Intel 471, which tracks malware through automated artifact extraction.
PseudoManuscrypt was spotted by Kaspersky in 2021 and is delivered mainly through fake crack websites and malware loaders.
As of August 2022, the PseudoManuscrypt botnet had around 50k bots, and the number keeps growing.
PseudoManuscrypt is one of the latest forks of Gh0st RAT, which dates back to 2008 and was mainly operated by Chinese actors.
The original developers of Gh0st RAT, the C.Rufus Security Team (CRST), were active between 2006 and 2009.
Gh0st RAT's source code was open-sourced in 2008 and was then incorporated into the arsenals of many financially motivated and espionage groups.
Gh0st RAT is written in C++, offers full control over the infected host and persists as a Windows service DLL.
Gh0st RAT's communication protocol is a custom TCP protocol whose packet header starts with a special flag.
Gh0st RAT's features are implemented as separate components; each manager inherits from the CManager class.
There are several major differences between the latest open source release and the latest closed source release, including an updated user interface and some changed class names.
The researchers collected 22 open source forks to link prominent traits of notable variants to available open source releases, gaining insight into each variant's origin and its developers' motivations.
PseudoManuscrypt uses multiple delivery methods, including fake cracked software and pay-per-install services.
The PseudoManuscrypt infection chain starts with a downloader component fetched from the software delivery network or from a malware loader.
The PseudoManuscrypt configuration is stored in the data section of the core component and contains the main and fallback protocols, ports, main C2 server and DGA parameters.
PseudoManuscrypt uses the open source HP-Socket C++ framework for communication, which offers high-performance TCP, UDP and HTTP capabilities.
PseudoManuscrypt supports plugins that are requested after the first check-in, including clipboard monitoring, keylogging and man-in-the-middle plugins.
PseudoManuscrypt's developers are probably Chinese-speaking, since they use libraries and frameworks written by Chinese developers and their infrastructure is located in East Asia.
Gh0st RAT is an old threat that still matters; its advanced variant is currently financially successful and growing.
Transcripts
Thank you very much. Thank you everyone, and thank you for the opportunity to be here today. We are super excited; this is our second podcast of hopefully many more to come, and today we wanted to share some research we have done on Gh0st RAT and the PseudoManuscrypt RAT.

First let us introduce ourselves. My name is Jorge Rodriguez, I am the malware research team lead in the Malware Intelligence team at Intel 471. We are mainly tracking malware through automated extraction of artifacts, which we then leverage for botnet emulation.

I'm a senior malware reverse engineer with Intel 471. My main duties include reverse engineering malware, writing comprehensive reports, and coding extractors and emulators to track malware and botnet activities.
So the agenda we have for today is mainly focused on PseudoManuscrypt. We are going to do a deep dive later, in the second part of the talk, but before doing so we are going to set ourselves in a proper context on Gh0st RAT, its notable variants and so on, and its history.

The PseudoManuscrypt RAT was spotted by Kaspersky in 2021. It was mainly delivered by fake crack websites and malware loaders. Later, in August 2022, BitSight telemetry from their sinkholes showed that this botnet has around 50k bots, which is now increasing because this operation is ongoing as we speak; it is still relevant today.

We had to look deeper into it because we noticed the operation was rather active, and that's when Souhail realized this PseudoManuscrypt RAT was actually one of the latest forks of the infamous Gh0st RAT, which dates back to 2008. So Gh0st RAT is still hunting. It was open-sourced that very same year and was mainly operated by Chinese actors. Many threat actor groups, both financially motivated and espionage-based, were incorporating these modified forks into their arsenal, and it's still relevant 15 years later.
About the original developers of Gh0st RAT: the C.Rufus Security Team, also known as the Great Wall security team or CRST, was mostly active between 2006 and 2009. They had around 12-plus members and they had these romantic ideas of themselves: they put it plainly that they were passionate security professionals, they encouraged pure technical discussions, and they wanted to keep the internet a clean place.

They actively developed Gh0st RAT between 2007 and 2009, where multiple variants were released, some of them to the general public. If we put this information on a timeline it would look something like this: in January 2008 we had the first stable release; in March 2008 the first open source release, version 2.5. These releases have some internal comments from the developer Cooldiyer, and we could read comments of this fashion: "after internal discussion with the team we have decided to make this version open source", or later, for the last known open source release from Gh0st RAT, version 3.6 beta, they claim "I can't believe it, 3.6 will be open source".

Only one month later the inevitable happens: GhostNet campaigns are first spotted in the wild. They were targeting government offices in more than 100 countries, and these attacks were attributed to Chinese-speaking threat actors. Later that year, December 2008, we have the last official release in a closed source format, Gh0st 1.0 Alpha.

So Gh0st RAT was becoming a notorious threat back in the day. The Information Warfare Monitor released the investigation report on it in March 2009 and the team behind Gh0st RAT was attracting lots of attention. C.Rufus Security Team activity reduced by that time, but the development possibly continued in private beyond this version 1.0 Alpha; actually there were comments in subsequent variants from the same developer mentioning the changelog, basically. And from here we move into some features from the original Gh0st RAT. Thank you.
So both the panel and the bots in Gh0st RAT were written in C++. It offers full-fledged control over the infected host and persists as a Windows service DLL that runs as part of the network services group. Its protocol is a custom TCP communication protocol and the packet header starts with a special flag; in this case it's "Gh0st", in other variants it can be another value. This is followed by the packet size including the header, then the size of the uncompressed packet, so that the bots can allocate the necessary memory to decompress the following zlib-compressed data.

So features are implemented in separate components called managers. Each manager would inherit from the CManager class and new instances would get a new socket that is already connected to the command and control server, so to code a manager you basically have to implement an abstract OnReceive method, and a constructor of course, and this OnReceive method will generally implement a switch-case statement to handle commands.

So the main manager in Gh0st RAT is called the kernel manager. Its mission is to spawn new managers but also to handle miscellaneous commands, such as installing the bot or downloading and executing follow-up malware. But it also has other managers, like the file manager for example, the shell manager, the screen manager to spy on the screen, video and audio managers to spy on the camera and microphone, the keyboard manager acting as a keylogger, and others.
So between the latest open source release and the latest closed source release there are a couple of major differences. First of all, the panel user interface was overhauled to use a newer XTP library for the user interface of the panel. Some class names were also changed, probably for easier readability; for example the audio manager became the voice manager, and this is actually a nice change, because if we look at a variant and we find a class name that is a camera manager, that would probably indicate that it was based on this newer fork of Gh0st RAT. Audio and video compression were also introduced, and the kernel manager's OnReceive method was changed to handle commands using a callback table instead of a switch-case statement.

So these open source releases coming from the Gh0st RAT team spawned lots of variants in the wild, like hundreds of them. So to investigate this a little bit and familiarize ourselves with Gh0st, we collected 22 open source forks from various sources, and our main goal was to link prominent traits of notable variants, like PseudoManuscrypt for example, to these available forks that are open source. This would allow us to gain insight into the origins of each variant and its developers' motivations.

But like any evolutionary story there has to be missing links. So the open source variants in our collection that share one or more new traits with Gh0st 1.0 Alpha, which is closed source by the way, all retain all traits from 3.6 beta; for example, the old class names are still used and the old kernel manager relying on a switch-case statement is also there. So this could indicate that there were some possible leaks, unknown to us, of intermediate releases that happened between 3.6 and 1.0, which we call Gh0st X.
So to get more insight into this and to be more on the ground, we conducted analysis of some closed source variants that are used by distinct threat actor groups and we tried to establish and understand connections with other variants in our collection.

So the first one was GhostTimes, which was first documented by JPCERT in 2020; it was seen in attacks by the BlackTech APT. They stripped away most features of Gh0st 3.6 beta and only left a few managers, but they improved the communication protocol, added authentication and RC4 encryption. They also implemented two new classes: a manager called the ultra port map manager, which does port forwarding, basically turning the bot into a gateway to connect to internal services, and also a port map manager which is a proxy feature.

So these port map managers are interesting because they have a similar, but not the same, implementation as an open source tool called ZXPortMap, which is common among Chinese-speaking threat actors and APT groups. So in this case the transfer 1 mode of this tool, which implements the port forwarding, maps to the ultra port map manager in GhostTimes, and the transfer 2 and transfer 3 modes, which work in tandem, correspond to the port map manager proxy. So this same name is seen in other variants of Gh0st, for example in BBSRAT, that is operated by the Roaming Tiger group, and also in PseudoManuscrypt; these are all similar but distinct implementations.
So the second group we saw was Gambling Puppet, which is a sophisticated APT uncovered by Trend Micro in 2022. They're targeting online gambling businesses, operating PlugX, Gh0st RAT and other malware. They use multiple modified forks of Gh0st RAT that all seem to originate from that Gh0st X variant we talked about.

So we analyzed these samples and we saw that they actually share some traits with forks in our collection. So the first trait was a unique chat manager called ctex chat, which we found in only one variant in our collection; it allows the operator to chat with the victim. The second one is a couple of functions that allow to play with the victim a little bit, like open the CD tray or swap mouse buttons, and this was found in a variant called Terminator Platinum. In addition, this malware has an improved version of the Gh0st MBR killer, which is shared by two variants: Terminator Platinum, mentioned in the previous slide, and another variant called fell VIP 3.0. It's actually interesting because the Gh0st 1.0 Alpha version does not have an MBR killer.

So the presence of code overlap with multiple variants in these samples used by the APT indicates a complex origin. We saw code originating from multiple variants and it's really difficult to trace it back to a single source, so we think they probably cherry-picked features from various projects, as it's super easy to do that: just take the manager class and you're good to go.

And I'm going to hand it over to Jorge.
So now that we have a proper context on where this latest variant, PseudoManuscrypt, is stemming from, we have the history of Gh0st RAT already present; now let's delve into this latest fork. As we mentioned before, it was first spotted by Kaspersky in July 2021. They reported some similarities with the Manuscrypt malware operated by Lazarus, but since the malware wasn't really the same and they were uncertain whether the developers behind both projects were the same or not, they coined the moniker PseudoManuscrypt. Worth mentioning here: we are not attributing this one to Lazarus in any way.

It was brought to our attention in 2022 and later that year, in October, we started tracking it. Very soon after we put our tools in place we realized this threat was rather active, which motivated us to have a proper and deeper look to improve our tracking, collection and the data we were collecting from it, and that's when Souhail realized the Gh0st connection, leading to this research we are presenting today.

Again, this is an ongoing situation; the group is still active as we speak. They are trying to grow the botnet and for doing so they are mainly using two delivery methods. The first one of them is fake cracked software, where you will turn to your search engine of choice and try to look for some activator or some crack tool to save a few bucks, but in turn you are running malware as a volunteer on your own. And the other one is install services. That's why we claim here they are following a spray-and-pray approach for distribution.

We haven't observed any targeted campaigns towards any business or sector or country or region for that matter, since they are using this spray-and-pray approach. Inevitably, in the back end, they need to identify where certain bots are coming from, and that's why they have this campaign identifier, which is composed of four numbers like 3003, and they are writing this value in the registry, in the ID key. So this will allow them, ideally, in the back end to track infections.
Moving on into the install services: when we started tracking this threat they were only using one install service, the one which the actors from PrivateLoader offer. We are also certain they are not targeting any specific region when it comes to delivery, because they are using the install service of the business which allows them to spread the binaries to any country in the world. For example, some of these install services offer installs to worldwide locations, or only Europe, or only the USA, which are more expensive than the worldwide one, and this one is using the worldwide option.

We think they are also learning as they continue their operation, because when we started tracking it they were only using PrivateLoader for delivery. My guess here is that at some point they realized that using the same install service again and again and again will lead their payloads to be executed on the very same computers again and again and again. That's why in late 2022 they started diversifying the install services they use. They started with one and nowadays they are using at least four, as far as we can see. And it's interesting, because it looks like they tried another install service which another actor offers through an Amadey botnet; also they tested another service which some other actor offers through a SmokeLoader botnet. Perhaps it didn't pay off very well, they went back to their religion, PrivateLoader, but then they found the key to delivery and they started using a different service every two days. So every two days they will switch from Amadey to PrivateLoader to SmokeLoader to a Google loader, to start again the very next week, hopefully getting a wider reach and growing their botnet as much as they can.
So the infection chain of PseudoManuscrypt starts with the download, obviously, of the downloader component, either from the software delivery network for fake cracks or from a malware loader, as we saw. So the downloader component first will restart itself elevated and then will download two files. The first file is a PNG image with a so-called loader DLL that is encrypted in its overlay data; this DLL, named db.dll, will be dropped to the user's temporary directory. The second file is a binary file with an HTML extension, with its name being set to the campaign ID; this is saved in the temporary directory as well, as a db.dat file. So the downloader component would run the rundll32 executable with db.dll and invoke a special export called Open, and db.dll would read the encrypted shellcodes from the db.dat file.

So this file stores 32-bit and 64-bit shellcodes, each preceded with its length, which is encoded by adding a simple value which was always the same since the inception of PseudoManuscrypt, and at this stage only the 32-bit shellcode is used. So this shellcode is decrypted in two rounds: the first round involving XOR with a key depending on the index of the bytes in the file, and then the second round involves the reverse XOR algorithm, where the first byte is the last byte's key and each byte is then its previous byte's key, until reaching the beginning of the file. So this shellcode itself, being decrypted, will decrypt, load and invoke the core module of PseudoManuscrypt, which is embedded in the shellcode, encrypted with a one-byte XOR key and compressed with the LZNT1 algorithm.
So at this stage the core module is running inside the rundll32 instance. In its first execution, at this time it would process the appropriate shellcode for the system's architecture in the registry: so it will read the db.dat file, encrypt the proper shellcode and then persist it, and then it would inject a remote thread into the currently running svchost instance for the net services group. And this instance would read that persisted shellcode and inject it via process hollowing into a new svchost instance, which will be the main instance of PseudoManuscrypt, and this instance is the one responsible for talking with the command and control server. So these two instances would actually monitor each other; if one of them is terminated, the other would start it.

So persistence here is performed only during system shutdown, by registering a callback using the SetConsoleCtrlHandler API. So this function would be invoked when a lot of events happen, including the system shutdown. This automatically means that an unexpected shutdown, for example due to a blue screen of death, means that PseudoManuscrypt will not persist on the system.

So this persistence is done using a service DLL that is embedded inside the core module. This DLL is copied to the system32 directory and then a new service group is registered in the registry that is called "app service". So this service would start after the system reboot; it will read the persisted shellcode from the registry and then inject it into svchost.exe, the net services group instance, and then the infection would go on from there, like we saw on the previous slide.
So the malware configuration is stored in the data section of the core component. There are two configuration buffers: a primary one which is always used, and then a secondary one that is only used when a special command is received from the command and control server to switch. So when this command is received, PseudoManuscrypt would create a new file extension association in the registry to switch to this other configuration; so when it runs the next time it will check if this association exists and, if it does, it will use the secondary configuration.

So the configuration format starts with the main and fallback protocols to use: the value 1 is for TCP and the value 2 is for UDP, and in all cases we've seen, UDP is used as the main protocol. These two fields are followed by the ports to use: port 53 will be used for the main protocol, which is UDP, and port 443 for the fallback protocol, TCP. So the next field is the primary command and control server, followed by the DGA parameters in case this server is unreachable: the fallback domain generation algorithm's seed string follows, which is the API key, and then the domain generation algorithm's top-level domain, which is .com in this case, and the last field is an integer that determines the maximum number of domains to generate before trying again and communicating with the main C2.

So the DGA works by taking a domain seed and a string seed. So the main seed at first is the main C2; it will be concatenated with the API key using a comma, MD5 hashed, and then 10 characters in the middle would be taken, converted to uppercase, and then they would undergo a small transformation that would yield a lowercase string that will be concatenated with the top-level domain, in this case .com. That would give the domain that is to be contacted. So if communication fails with this domain, the algorithm would use it as a seed for the next domain, and so on until that maximum number we talked about is reached.
So the communication protocol relies on the open source HP-Socket C++ framework, developed by Chinese developers. It is a high-performance TCP, UDP, HTTP communication framework offering client and server capabilities. The framework uses the KCP protocol when communicating with UDP, when automatic repeat request error control is used. So KCP is a custom protocol, also developed by a Chinese developer, that is described as being 30 to 40 percent faster than TCP. So PseudoManuscrypt, as we saw, uses UDP as its main communication protocol, which in this case is KCP, and TCP as a fallback. So this use of KCP in PseudoManuscrypt can be attributed to the capabilities of the library itself rather than being a deliberate design choice by the developers.

So the packet header here starts with the header magic, which this time is only one byte, which is always 0x43. It's followed by a transformation type that dictates the format of the packet data. So this transformation type can have multiple values: the data can be in plain text, XORed, zlib compressed, etc., but the most popular one we see in multiple commands is the zlib plus XOR algorithm, and if you remember, Gh0st RAT uses zlib for compression. So the other two fields are kind of similar to what we saw in Gh0st RAT: the packet size including the header size, and then the size of the untransformed packet.
So PseudoManuscrypt was directly based on Gh0st RAT, or some variant that is directly linked to it, because it misses changes that we see in later variants; it also doesn't include any audio or video compression, and it only shares a few attributes with open source variants that are in our collection. For example, it has a similar but more advanced service manager to a variant called Bobo Remote Control.

So PseudoManuscrypt's developers improved on existing managers from Gh0st RAT but also added new ones. For example, in the second version I think they added the hidden VNC manager, which was a fork of TinyNuke's hidden VNC, which they broke down into multiple commands. Then they also added bi-directional clipboard sharing between the operator's machine and the infected host. There's also the port map manager, which implements the TCP proxy; a netstat manager allowing exfiltration and to close UDP and TCP connections; the services manager we talked about; and then a registry editor, basically.

So PseudoManuscrypt also supports plugins, which are always requested after the first check-in. So the C2 will answer with a list of entries, from which the interesting fields are the plugin hash in MD5, the start type (whether it wants to start a plugin or uninstall it), and the plugin type, whether it's an executable or a DLL, but we've only seen DLLs up to this point. So the bot will follow up with requests to only receive new plugins that it doesn't have stored in the registry.
So the first one is a clipper plugin, which would monitor clipboard data for wallet addresses that are copied by the victim and patch them on the fly to operator-controlled wallets. These attacker-controlled addresses are hard-coded and are the same across all campaigns, giving credit to the idea that there's probably one group behind this threat. So we've taken a look at these wallet addresses and tallied up a sum that is equal to 187 dollars currently in these wallets, and pretty much all of it is still there, actually.

So the next plugin is a keylogger plugin that will complement the existing keylogger implemented in the keyboard manager. So unlike the keyboard manager, which needs a special command to be activated, this keylogger would immediately start monitoring the foreground window for substrings that are related to cryptocurrency, and these logs will be forwarded in real time; they won't be written to any files, they will be forwarded in real time to the C2 using a callback that is provided by the core module at plugin initialization.

So the other plugin we see is a man-in-the-middle plugin called SetProxy. What it does is it will allow interception of secure browser TLS traffic for specific websites. So what it will do is first add a root certificate to the trusted certification authorities store; this certificate is long-lived and will stay valid until 2032. What it then does is it will add a proxy auto-configuration script to the global proxy settings of the system, which are inherited by all browsers, and this will point to a URL that will download a JavaScript file called win.pac. So when the user navigates to a website, the browser will download this file, cache it, and then match our request hosts using this script. So here it will match cryptocurrency websites and then, if there is a match, it will forward the traffic to the proxy in red.

So what this proxy does is it will provide a fixed certificate that is generated by the malicious certification authority, and then this malicious proxy can be used by the actors to intercept TLS traffic and get access to user credentials.
So the next plugin is a stealer plugin that is focused on stealing cookies and saved credentials from various browsers. It does extensive targeting for Instagram, possibly to compromise accounts with a high follower count; it also targets Facebook and Facebook's Ads Manager in a similar way to what Fabookie does, but we couldn't establish any code relationships between the two. So compromising Facebook's Ads Manager would let the actors run advertising campaigns, for example. In this case, the stealer communicates with a different C2 over HTTPS, but it's still sending the campaign ID and the bot's ID to this command and control server.

So what's interesting is that our emulated bots receive no commands besides to download and start plugins and to update the bot to a new version. So this led us to think that this is probably a plugin-oriented operation, because all plugins we see are oriented towards harvesting credentials and stealing cryptocurrency, and possibly the core bot commands could only be used for interesting bots; for example, they would open a hidden VNC session to the host when they want to impersonate the user.

So we concluded that this was a financially motivated group. They were likely Chinese-speaking actors because of some patterns we saw, for example the trend of forking Gh0st RAT, the use of libraries that were developed by Chinese developers such as the HP-Socket framework; they're also using a Chinese panel called Pagoda panel to operate some infrastructure, but also their old infrastructure was hosted in the East Asian region.
So to conclude: Gh0st RAT is an old threat that is still a potential threat, possibly because of its well-designed and modular structure. We saw that PseudoManuscrypt is an advanced variant that is currently financially successful and is ever growing, so it is actually more relevant than ever, especially since operators are diversifying and ramping up their distribution. And given the botnet size, which is pretty big, it can already be used as spyware to spy on victims, because the functionality is already there; for example, we saw that it can exfiltrate the Tencent QQ number, which could be used to spy on Chinese nationals outside of China, seeing that they're infecting victims from all over the world, but it also has other spyware functionalities. And that's it for us, thank you.

[Applause]

Yeah, okay, time for questions. You know everything now already. They're all sleeping in. Eric, you don't have a detection question or... One, two, three. Okay, thank you very much.

[Applause]