From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT - Jorge Rodriguez; Souhail Hammou

botconf eu
15 Apr 2023 · 34:01

Summary

TLDR: This talk takes a deep dive into the Gh0st RAT malware and its PseudoManuscrypt variant. Intel 471 security researchers Jorge Rodriguez and Souhail Hammou analyzed the malware's code and distribution methods and traced it back to the infamous Gh0st RAT, originally developed by a Chinese hacker group. They also cover Gh0st RAT's development history and features, and how the variant infects victims through different distribution channels. They then present PseudoManuscrypt's advanced capabilities, including theft of cryptocurrency and browser cookies, and its plugin system. They conclude that the malware is operated by a financially motivated, probably Chinese-speaking group and is still under active development.

Takeaways

  • 🔍 Introduces the Gh0st RAT malware and its PseudoManuscrypt variant, researched by Intel 471's Jorge Rodriguez and his team.
  • 📈 Reviews Gh0st RAT's history: originally developed by a Chinese hacker group, it has evolved continuously since 2008 and has spawned many variants in the open-source community.
  • 🌐 Gh0st RAT's latest variant, PseudoManuscrypt, was first spotted by Kaspersky in 2021 and, as of August 2022, was being spread through malware loaders and fake software-crack websites.
  • 🔥 The PseudoManuscrypt botnet currently has around 50,000 bots, and that number is still growing.
  • 🔄 The malware is tracked through automated extraction of artifacts; it uses a custom TCP communication protocol with a special flag at the start of the packet header.
  • 🛠️ The malware is modular, built from managers such as a file manager, screen manager, video/audio managers and a keylogger.
  • 🚀 PseudoManuscrypt uses a more advanced service manager and adds new features such as a hidden VNC manager, bi-directional clipboard sharing and a TCP proxy.
  • 🔒 The malware supports plugins for stealing credentials and cryptocurrency, and for man-in-the-middle interception of TLS traffic.
  • 🌍 From the libraries and infrastructure the malware uses, the researchers infer that a Chinese-speaking group is probably behind it.
  • 💡 Emphasises the continuing threat from Gh0st RAT and its variants, and the current operators' drive to grow the botnet by diversifying and intensifying distribution.

Q & A

  • What is Gh0st RAT and what is its history?

    -Gh0st RAT is a remote access trojan (RAT) first developed between 2006 and 2009 by a Chinese hacker group called the Great Wall Security Team (CRST). The team published the first stable release of Gh0st RAT in 2008 and released the source code the same year. Gh0st RAT is known for its modular structure and powerful features, and has been adopted and modified by several APT groups and cybercrime gangs.

  • How is PseudoManuscrypt RAT related to Gh0st RAT?

    -PseudoManuscrypt RAT is one of the latest variants of Gh0st RAT, first spotted by Kaspersky in 2021. It mirrors Gh0st RAT's functionality and structure and inherits many of its traits, but also has its own improvements and additions, such as a more advanced service manager and plugin support.

  • What are PseudoManuscrypt RAT's main distribution channels?

    -PseudoManuscrypt RAT is spread mainly in two ways: fake software-crack websites and install services. The attackers use both channels to scatter the malware widely, hoping victims will download and run it.

  • What is PseudoManuscrypt RAT's goal?

    -Financial gain. It profits the attackers by stealing victims' cryptocurrency wallet addresses, intercepting browser traffic, and stealing cookies and saved credentials.

  • Which communication protocols and frameworks does PseudoManuscrypt RAT use?

    -PseudoManuscrypt RAT uses UDP as its primary communication protocol and relies on the HP-Socket C++ framework for TCP, UDP and HTTP communication. It also uses the KCP protocol, a high-performance protocol written by a Chinese developer that is described as 30% to 40% faster than TCP.

  • How does the PseudoManuscrypt RAT infection chain start?

    -The chain starts with the download of a downloader component, either from the software distribution network behind fake cracks or from a malware loader. The downloader first restarts itself elevated, then downloads two files: a PNG image carrying the encrypted loader DLL (db.dll) in its overlay, and an HTML file named after the campaign ID. The downloader then runs db.dll with RunDll32 and invokes a special export; db.dll reads the encrypted shellcode, decrypts it and executes it.

  • How does PseudoManuscrypt RAT achieve persistence?

    -PseudoManuscrypt RAT persists by registering a callback that runs at system shutdown. That callback is invoked when the system shuts down, and it installs the persistence that lets the malware keep running after a reboot. Persistence is implemented by a service DLL embedded in the core module, which is copied to the system32 directory and registered as a new service group in the registry.

  • Where is PseudoManuscrypt RAT's configuration stored?

    -In the data section of the core component. The configuration includes the main and fallback protocols, the ports to use, the primary command-and-control server address, the DGA parameters and an API key.

  • Which plugins does PseudoManuscrypt RAT support?

    -Several: a clipboard-monitoring (clipper) plugin, a keylogger plugin, a man-in-the-middle proxy plugin and a cookie-stealing plugin. They are used to steal cryptocurrency wallet addresses, monitor and relay cryptocurrency-related activity in real time, intercept and tamper with browser traffic, and steal browser cookies and saved credentials.

  • How was it determined that PseudoManuscrypt RAT's operators are probably Chinese-speaking actors?

    -From the libraries and frameworks the malware uses (the HP-Socket framework and the KCP protocol), the geographic location of its infrastructure (East Asia), and specific behavioural patterns (such as Chinese-language panels and naming conventions), the researchers infer that the operators are probably Chinese-speaking actors.

  • What are PseudoManuscrypt RAT's operators mainly after?

    -Financial gain: their diverse plugins and features steal cryptocurrency, intercept browser traffic and harvest sensitive credentials, which shows the pursuit of monetary profit.

Outlines

00:00

🎤 Introduction and background

This segment introduces the speaker Jorge Rodriguez, malware research team lead in Intel 471's malware intelligence team. The team focuses on tracking malware through automated extraction of artifacts, which it then leverages for botnet emulation. His co-presenter is a senior malware reverse engineer whose main duties include reversing malware, writing comprehensive reports, and coding extractors and emulators to track malware and botnet activity. The segment also introduces the topic of the talk: research on Gh0st RAT and the PseudoManuscrypt RAT, the historical background of PseudoManuscrypt, and its connection to the infamous Gh0st RAT.

05:02

📚 Origins and characteristics of Gh0st RAT

This segment digs into the origins and traits of Gh0st RAT. It was developed by the Great Wall Security Team (CRST), active from 2006 to 2009 with more than 12 members. They built multiple variants and released several versions between 2007 and 2009. Gh0st RAT's source code was opened in 2008 but was very quickly put to malicious use: Gh0st RAT variants were used in attacks on government offices in more than 100 countries, attributed to Chinese-speaking threat actors. The segment also covers technical details such as its communication protocol, manager components and features.

10:02

🔍 Analysis of the PseudoManuscrypt variant

This segment discusses the PseudoManuscrypt variant, its relationship to the original Gh0st RAT and its distinctive traits. PseudoManuscrypt is built on Gh0st RAT with improvements such as a new service manager and bi-directional clipboard sharing. It also covers the variant's plugin system, whose plugins mainly steal credentials and cryptocurrency. The developers are probably financially motivated and probably Chinese-speaking, given their use of libraries and panels written by Chinese developers.

15:05

🚀 Distribution and infection chain of the PseudoManuscrypt variant

This segment describes how PseudoManuscrypt is distributed and how its infection chain works. It is spread mainly in two ways: fake software-crack websites and install services. The attackers do not target any particular industry, country or region; they take a "spray and pray" approach. The infection chain starts with a downloader component that fetches two files: an encrypted DLL and an HTML file containing the campaign ID. The downloader executes and loads the core module, which persists across reboots and injects into an svchost instance.

20:06

🛡️ Configuration and communication protocol of the PseudoManuscrypt variant

This segment details the variant's configuration and communication protocol. The configuration is stored in the data section of the core component and includes the main and fallback protocols, ports, primary C2 server and DGA parameters. Communication uses the open-source HP-Socket C++ framework, a high-performance TCP, UDP and HTTP framework written by Chinese developers that uses the KCP protocol for UDP traffic. PseudoManuscrypt uses UDP as its primary protocol and falls back to TCP when needed.

25:08

🔑 Plugins and features of the PseudoManuscrypt variant

This segment covers the plugins PseudoManuscrypt supports and what they do. There are several: a clipboard-monitoring plugin, a keylogger plugin, a man-in-the-middle plugin and a cookie-stealing plugin, used mainly to steal credentials and cryptocurrency. PseudoManuscrypt also has advanced features such as a hidden VNC manager, bi-directional clipboard sharing, a TCP proxy and a netstat manager. Together they show that PseudoManuscrypt is a sophisticated, primarily financially motivated threat.

30:09

🎯 Conclusion and Q&A

The final segment concludes that Gh0st RAT remains an ongoing potential threat and that PseudoManuscrypt is an advanced, financially successful and growing variant. Attackers probably chose it for its modular structure. Its operators are diversifying and intensifying distribution, and because the botnet is already large it could also be used as spyware to surveil victims. The talk closes with a Q&A session.

Mindmap

  • Cybersecurity and malware analysis
    • Malware research
      • Gh0st RAT
        • Historical background: origins; developer team; version history
        • Technical features: programming language; persistence; component managers
        • Variant analysis: open-source forks; closed-source variants
      • PseudoManuscrypt
        • Technical features: discovery and analysis; infection chain; core module; persistence; configuration and communication
        • Plugin system: clipboard monitoring; keylogger; man-in-the-middle; cookie and credential theft
        • Motivation and impact: financial motivation; geographic distribution
    • Malware distribution strategy: spray and pray; install services
    • Researchers and analysis team: Jorge Rodriguez; Intel 471

Keywords

💡Gh0st RAT

Gh0st RAT is a piece of malware first developed by a Chinese hacker group that later became an open-source project. The talk covers the different versions and variants of Gh0st RAT and their use in cyber espionage and financial crime.

💡PseudoManuscrypt RAT

PseudoManuscrypt RAT is a variant of Gh0st RAT first spotted by Kaspersky in 2021. It is distributed through fake crack websites and malware loaders, is tracked by Intel 471 through automated extraction of artifacts, and was named for its similarities to the Manuscrypt malware operated by the Lazarus group.

💡Malware distribution

Malware distribution is the process by which malware reaches target systems through different channels. The talk mentions fake cracked software and install services as distribution methods, which can spread the malware to computers all over the world.

💡Automated artifact extraction

Automated artifact extraction uses automated tools and techniques to pull key information out of malware samples; that information is then used to analyse the malware's behaviour and characteristics. Intel 471's researchers use this method to track and analyse Gh0st RAT and its variants.

💡Malware configuration

A malware configuration is the set of settings and parameters the malware uses at runtime. It is typically stored in the malware's core component and dictates how the malware communicates with its control servers and which malicious actions it performs.

💡Plugins

Plugins are small software components added to a core program to extend or enhance its functionality. In malware, plugins typically add new malicious behaviour or data-collection capabilities.

💡Cyber espionage

Cyber espionage is espionage conducted over networks, including but not limited to surveillance, data theft and remote control. The talk mentions Gh0st RAT and its variants being used for cyber espionage, to spy on victims and steal sensitive information.

💡Domain generation algorithm

A domain generation algorithm (DGA) automatically generates a list of domains that can be used for communication when the control server cannot be reached directly. Even if the primary C2 server is taken down, the malware can still find an alternative server through the generated domain list.

💡Malware analysis

Malware analysis is the in-depth study of malware samples to understand how they work, how they behave and what threat they pose. It usually involves reverse engineering, behavioural analysis and network traffic monitoring.

💡Financial crime

Financial crime is illegal financial activity conducted with computers and networks, including theft, fraud and other money-related crimes. The talk mentions PseudoManuscrypt RAT being used for financial crime, such as stealing cryptocurrency wallet addresses and carrying out man-in-the-middle attacks.

Highlights

This talk presents research on the Gh0st RAT malware; it is the speakers' second presentation, with hopefully more to come.

Jorge Rodriguez is the malware research team lead in Intel 471's malware intelligence team, focused on tracking malware through automated extraction of artifacts.

PseudoManuscrypt was spotted by Kaspersky in 2021 and is mainly delivered through fake crack websites and malware loaders.

As of August 2022, the PseudoManuscrypt botnet had around 50k bots, and the number keeps growing.

PseudoManuscrypt is one of the latest forks of Gh0st RAT, which dates back to 2008 and was operated by Chinese-speaking actors.

The original Gh0st RAT developers were the C. Rufus Security Team, also known as the Great Wall Security Team (CRST), active between 2006 and 2009.

Gh0st RAT's source code was open-sourced in 2008, after which many threat groups, both financially motivated and espionage-based, incorporated it into their arsenals.

Gh0st RAT and its variants are written in C++, offer full control over the infected host, and persist as a Windows service DLL.

Gh0st RAT's communication protocol is a custom TCP protocol whose packet header starts with a special flag.
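The classic Gh0st header just described (a 5-byte flag, the total packet length including the header, the uncompressed length, then zlib-compressed data) is easy to validate. The Python below is an added example written for this page, not code from the talk or from Intel 471; it assumes the original "Gh0st" flag and little-endian 32-bit lengths, builds a constructed sample packet, and checks header consistency the way a network sensor would before flagging Gh0st traffic.

```python
import struct
import zlib

# Classic Gh0st layout: a 5-byte flag, then two little-endian uint32 fields
# (total packet length including this header, and the uncompressed payload
# length), followed by the zlib-compressed payload. Little-endian is assumed
# because the bot is a Windows/x86 binary.
FLAG_LEN = 5
HEADER_LEN = FLAG_LEN + 8
KNOWN_FLAGS = (b"Gh0st",)  # the original flag; forks swap in other 5-byte values


def build_packet(payload: bytes, flag: bytes = b"Gh0st") -> bytes:
    """Construct a packet in the classic Gh0st layout (test data only)."""
    if len(flag) != FLAG_LEN:
        raise ValueError("flag must be %d bytes" % FLAG_LEN)
    compressed = zlib.compress(payload)
    total = HEADER_LEN + len(compressed)
    return flag + struct.pack("<II", total, len(payload)) + compressed


def parse_packet(data: bytes, flags=KNOWN_FLAGS) -> dict:
    """Validate a Gh0st-style packet and return its decoded fields.

    Raises ValueError on any inconsistency, so a sensor can treat
    "flag matches but sizes disagree" as a non-match rather than a hit.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than header")
    flag = data[:FLAG_LEN]
    if flag not in flags:
        raise ValueError("unknown flag %r" % flag)
    total, uncompressed = struct.unpack_from("<II", data, FLAG_LEN)
    if total != len(data):
        raise ValueError("declared size %d != actual %d" % (total, len(data)))
    # Cap decompression at the declared size + 1 so a hostile header cannot
    # force an unbounded allocation (zip-bomb style).
    body = zlib.decompressobj().decompress(data[HEADER_LEN:], uncompressed + 1)
    if len(body) != uncompressed:
        raise ValueError("uncompressed size mismatch")
    return {"flag": flag, "total": total, "uncompressed": uncompressed, "body": body}


def looks_like_gh0st(data: bytes, flags=KNOWN_FLAGS) -> bool:
    """Cheap pre-filter: flag match plus internally consistent sizes."""
    try:
        parse_packet(data, flags)
        return True
    except (ValueError, zlib.error):
        return False


if __name__ == "__main__":
    # Constructed sample: a fake check-in body, not real captured traffic.
    sample = build_packet(b"CONSTRUCTED-SAMPLE-" + b"\x00" * 64)
    print(parse_packet(sample)["uncompressed"], looks_like_gh0st(sample))
```

Forks that change the flag value can be covered by passing their 5-byte flag in `flags`; forks that change the header layout itself need a different parser.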

Gh0st RAT's features are implemented as separate components; each manager inherits from the CManager class.

There are several major differences between the latest open-source release and the latest closed-source release, including an overhauled user interface and some renamed classes.

The researchers collected 22 open-source variants in order to link prominent traits to the available open-source releases, giving insight into each variant's origins and its developers' motivations.

PseudoManuscrypt uses multiple delivery methods, including fake cracked software and install services.

PseudoManuscrypt's infection chain starts with a downloader component, fetched from a software delivery network or a malware loader.

PseudoManuscrypt's configuration is stored in the data section of the core component and includes the main and fallback protocols, ports, primary C2 server and DGA parameters.

PseudoManuscrypt communicates using the open-source HP-Socket C++ framework, which provides high-performance TCP, UDP and HTTP communication.

PseudoManuscrypt supports plugins, which are requested after the first check-in; they include clipboard-monitoring, keylogging and man-in-the-middle plugins.

PseudoManuscrypt's developers are probably Chinese-speaking, since they use libraries and frameworks written by Chinese developers and their infrastructure is located in East Asia.

Gh0st RAT is old but still a potential threat; its advanced variant is currently financially successful and growing.

Transcripts

00:02

thank you very much for

00:04

um thank you everyone and thank you for

00:06

the

00:07

opportunity to be here today we are

00:09

super excited this is our second podcast

00:12

of hopefully many more to come

00:15

and today we wanted to share some

00:18

research we have done on Gh0st RAT and

00:21

PseudoManuscrypt RAT

00:24

first let us introduce ourselves my name

00:28

is Jorge Rodriguez I am the malware

00:29

research team lead in the malware

00:32

intelligence team at intel471

00:35

um we are mainly

00:37

tracking malware through automated

00:39

extraction of artifacts which then we

00:42

leverage for botnet emulation

00:48

I'm a senior malware reverse engineer

00:50

with intel471 my main duties include a

00:53

reverse engineer malware writing

00:55

comprehensive reports coding extractors

00:58

and emulators to track malware and

00:59

botnet activities

01:02

so the agenda we have for today is

01:05

mainly focused on PseudoManuscrypt we

01:08

are going to do a deep dive later in the

01:10

second part of the talk but before doing

01:13

so we are going to

01:15

set ourselves in a proper context on the

01:19

Gh0st RAT the you know notable variants

01:21

and so on history

01:23

on it

01:26

the

01:28

PseudoManuscrypt RAT was spotted by

01:30

Kaspersky in 2021 it was mainly

01:34

delivered by fake crack websites and

01:36

malware loaders

01:39

lately later in August 2022

01:42

BitSight telemetry from their sinkholes

01:46

showed that this botnet has around 50k

01:51

Bots

01:53

which is now being increased because

01:55

this operation is ongoing as we speak is

01:57

still relevant

01:59

today

02:03

we had to look deeper into it because we

02:06

noticed the operation was rather active

02:09

so that's when Souhail realized this

02:12

PseudoManuscrypt RAT was actually one

02:14

of the latest Forks of the infamous

02:17

Gh0st RAT

02:20

which dates back from 2008 so Gh0st

02:24

RAT is still haunting

02:27

it was open source that very same year

02:30

and was mainly operated by Chinese

02:33

actors

02:35

many

02:36

threat actor groups both financially

02:39

motivated and based in

02:42

Espionage were incorporating these

02:45

modified Forks into their Arsenal and

02:50

it's still relevant 15 years later

02:55

about the original developers of

02:57

Gh0st RAT the C. Rufus Security Team

03:00

also known as Great Wall security team

03:02

or CRST it was mostly active between

03:08

2006 and 2009 they had around 12 plus

03:12

members and they had this romantic ideas

03:16

of themselves they pull the plane they

03:19

were passionate Security Professionals

03:21

they encourage pure technical

03:23

discussions and they wanted to keep the

03:25

internet

03:26

clean place

03:28

they actively developed Gh0st RAT

03:31

between 2007 and 2009 were multiple

03:35

variants were released some of them to

03:38

the general public if we put this

03:42

information on a timeline it would look

03:44

like something like this on January 2008

03:47

we had the first stable release March

03:50

2008 the first open source release for

03:54

the 2.5 percent

03:57

this releases have some internal

04:00

comments from the developer cooldiyer

04:03

and we could read some comments in the

04:06

fashion after internal discussion with

04:08

the team we have decided to make this

04:10

version open source or then later the

04:13

last known open source release from

04:16

Gh0st RAT

04:17

version 3.6 beta

04:19

they claim I can't believe it 3.6 will

04:22

be open source

04:27

only one month later the inevitable

04:30

happens

04:31

GhostNet campaigns are first spotted in

04:34

the wild

04:35

they were targeting government office in

04:37

more than 100 countries and these

04:39

attacks were attributed to Chinese

04:41

speaking threat actors later that year

04:44

December 2008

04:47

the last official release in a closed

04:51

Source format we have Gh0st 1.0 the Alpha

04:55

version

04:57

so Gh0st was becoming a notorious

04:59

threat back in the day Information Warfare

05:01

Monitor released the investigation

05:03

report in March 2009 and

05:06

the team behind Gh0st RAT was attracting

05:10

lots of attention

05:12

C. Rufus Security Team activity reduced

05:15

by that time but the development

05:18

possibly continued in private Beyond

05:20

this version 1.0 Alpha

05:24

um

05:25

actually there were comments in

05:28

subsequent variance from the same

05:32

developer mentioning the the chain block

05:36

basically and from here we move into

05:38

some features from the original Gh0st RAT

05:43

thank you

05:44

so both the panel and the bots in Gh0st

05:47

RAT were written in C plus plus uh

05:49

it's all right so it offers full-fledged

05:51

control over the infected host and

05:53

persists as a Windows service dll that

05:55

runs as part of the Network Services

05:57

Group its protocol is a custom TCP

06:00

communication protocol and the packet

06:02

header starts with a special flag and in

06:05

this case it's Gh0st in other variants

06:06

it's can be another value and this is

06:09

followed by the packet size including

06:11

the header the size the uncompressed

06:13

packet so that the Bots can allocate the

06:15

necessary memory to decompress the

06:17

following zlib compressed data

06:21

so features are implemented in separate

06:24

components called managers each manager

06:27

would inherit from the CManager class and

06:30

new instances would get a new socket

06:32

that is already connected to the command

06:34

control server so to code a manager

06:37

basically have to implement an abstract

06:39

on receive method Constructor of course

06:41

and this on received method will

06:44

generally Implement a switch case

06:46

statement to handle commands

06:49

so the main manager in Gh0st RAT is

06:52

called the kernel manager so its mission

06:54

is to spawn new managers but also to

06:57

handle miscellaneous commands such as

06:58

installing the bot download and

06:59

executing uh follow-up malware but it

07:03

also has other managers that like the

07:05

file manager for example the shell

07:07

manager screen manager to spy on the

07:09

screen video on audio managers to spy on

07:11

the camera and microphone keyboard

07:15

manager access keylogger and others

07:19

so between the latest open source

07:24

release and the latest closed Source

07:26

release there are a couple major

07:28

differences so first of all the panel

07:30

user interface was overhauled to use a

07:32

more newish

07:35

xtp library for the user interface of

07:38

the panel some class names were also

07:40

changed probably for easier readability

07:43

for example the audio manager who tends

07:45

to be the voice manager and this is

07:47

actually a nice change because if we

07:49

look at a variant and we find a class

07:51

name that is a camera manager that would

07:54

probably indicate that it was based on

07:56

this newer fork of Gh0st RAT audio and

08:00

video compression also were introduced

08:02

and the kernel manager's on receive

08:04

method was changed to handle commands

08:07

using a callback table instead of a

08:09

switch case statement

08:12

so these open source releases coming

08:15

from the Gh0st RAT team uh spawned

08:17

lots of variants in the Wilds like

08:19

hundreds of them so to investigate this

08:22

a little bit and familiarize ourselves

08:24

with ghost we collected 22 open source

08:26

forks from various sources and our main

08:30

goal was to link prominent traits of

08:32

these notable variants like

08:33

PseudoManuscrypt for example to these

08:35

available Forks that are open source so

08:37

this would allow us to gain insight into

08:39

the origins of each variant and its

08:41

developers motivations

08:43

but like any evolutionary story there

08:46

has to be missing links so

08:48

these open source variants in our

08:50

collection that share one or more new

08:51

traits with ghost 1.0 Alpha which is

08:54

closed source by the way they all retain

08:57

all traits from 3.6 beta for example the

09:01

old class names are still used and the

09:03

old kernel manager relying on switch

09:05

case statement is also there so this

09:07

could indicate that there were some

09:09

possible leaks that are unknown to us of

09:11

intermediate releases that happen

09:13

between 3.6 and 1.0 which we call

09:16

Ghost X

09:19

so to get more insight into this and to

09:23

be more on the ground so we conducted

09:25

analysis of some closed Source variants

09:27

that are used by distinct uh threat actor

09:30

groups and we try to establish and

09:31

understand connections with other

09:33

variants in our collection

09:35

so the first one was Gh0stTimes which

09:37

was first documented by JPCERT in

09:40

2020 it was seen in attacks by BlackTech

09:43

apt they Stripped Away most features of

09:45

ghost 3.6 beta only left a few managers

09:48

but they improved the communication

09:50

protocol added water notification

09:52

authentication RC4 encryption they

09:55

also implemented two new classes

09:58

a manager called the ultra Port map

10:00

manager which does port forwarding

10:02

basically turning the bot into a gateway

10:04

to connect to internal service and also

10:07

a port map manager which is a proxy

10:09

feature

10:11

so these broad map managers are

10:13

interesting because they have a similar

10:15

but not the same implementation of an

10:16

open source tool called ZXPortMap

10:19

which is common among Chinese speaking

10:21

threat actors and APT groups so in this

10:24

case uh the transform one mode of this

10:27

tool which implements the port

10:28

forwarding maps to the ultraport map

10:30

manager in ghost times and the transfer

10:32

2 and transfer 3 mode which work in

10:34

tandem

10:36

they they correspond to the port map

10:38

manager proxy

10:40

so this same name is seen in other

10:42

variants of ghost for example in BBS rat

10:45

that is operated by the Iron Tiger

10:47

group and also in PseudoManuscrypt these

10:50

are all similar but distinct

10:52

implementations

10:54

so the second group we saw was

10:57

GamblingPuppet which is a sophisticated APT

10:59

uncovered by Trend Micro in 2022 they're

11:02

targeting online gambling businesses

11:04

operating PlugX Gh0st RAT and other uh

11:08

malware they use multiple modified Forks

11:11

of Gh0st RAT that all seem to

11:13

originate from that Ghost X variant we

11:15

talked about

11:16

so we analyzed these samples and we saw

11:20

that they actually share some traits

11:22

with forks in our collection

11:24

so the first trade was a unique chat

11:26

manager called ctex chat which we found

11:28

in only in one variant in our collection

11:30

which allows us like the the operator to

11:33

chat with the victim

11:35

second one is a couple of functions that

11:39

allow to play with the victim a little

11:41

bit like open the CD tray swap Mouse

11:43

buttons and this was found in a variant

11:46

called Terminator Platinum

11:49

in addition this malware hasn't had an

11:52

improved version of the ghost MBR killer

11:55

which is shared by two variants

11:58

Terminator Platinum mentioned in the

11:59

previous slide another variant called

12:01

fell VIP 3.0 and it's actually

12:04

interesting because the ghost 1.0 Alpha

12:06

version does not have

12:08

um an MBR killer

12:11

so the presence of code overlap with

12:13

multiple variants in this samp in this

12:17

uh in these samples used by the APT

12:19

indicates a complex origin we saw uh or

12:23

we saw code originated from multiple

12:25

variants and it's really difficult to

12:27

trace it back to a single source so we

12:29

think they probably cherry-picked

12:31

features from various projects as it's

12:33

super easy to do that just take the

12:35

manager class and you're good to go

12:39

and I'm going to hand it over to Jorge

12:41

so now that we have a proper context on

12:44

where this

12:46

latest variant PseudoManuscrypt is

12:48

stemming from

12:49

we have the history of Gh0st RAT already

12:53

present now let's delve into these

12:56

latest form as we mentioned before it

12:59

was first spot by Kaspersky July 2021

13:04

they reported some similarities with the

13:06

manuscript malware operated by Lazarus

13:09

but since the malware wasn't really the

13:12

same and there were uncertain whether

13:15

the Developers

13:16

behind both projects were the same or

13:18

not they coined the moniker

13:21

PseudoManuscrypt

13:22

Worth to mention here we are not

13:24

attributing this one to Lazarus in any

13:27

way

13:28

it was brought to our attention in 2022

13:31

and later that year in October we

13:34

started tracking it and very soon after

13:37

we put our Tools in place we realized

13:40

this

13:41

thread was rather active with motivate

13:45

which motivated us to have a proper and

13:48

deeper look to improve our tracking

13:51

collection and

13:54

the data we were collecting from it and

13:58

that's when Souhail realized the

14:01

the Gh0st RAT connection

14:03

leading to This research we are

14:04

presenting today

14:06

again this is an ongoing situation the

14:10

group is still active as we speak they

14:13

are trying to grow the botnet and for

14:15

doing so they are mainly using two

14:18

delivery methods the first one of them

14:21

is fake cracked software where you will

14:24

turn to your search engine of choice try

14:27

to look for some activator or some crack

14:30

tool to save a few bucks but in Turn You

14:34

Are running malware as a volunteer on

14:36

your own

14:38

and the other one is install Services

14:40

that's why we claim here they are

14:43

following a spray and pray approach for

14:45

distribution

14:47

we haven't observed any targeted

14:50

campaigns towards any business or sector

14:53

or country or region for that matter

14:58

since

15:00

they are using this spray and pray

15:01

approach the initably in the back end

15:04

and if I were certain bodies coming from

15:07

and that's why they have this campaign

15:09

identifier which is composed of four

15:12

numbers like 3003 and they are writing

15:15

this value in the registry and the SEO

15:20

ID key

15:22

so this will allow them ideally in the

15:26

back end of track infections

15:29

moving on into the install Services when

15:34

we started tracking This Thread they

15:36

were only using one install service the

15:40

one which the actors from PrivateLoader

15:43

offer we are also certain they are not

15:46

targeting any specific region

15:50

when it comes to delivery because they

15:53

are using

15:54

the install service

15:58

of the business which allows them to

16:00

spread the binaries to any country in

16:02

the world for example some of these

16:04

install services offer installs to

16:07

worldwide locations or

16:10

only Europe or only the USA which are

16:13

more expensive than the worldwide and

16:16

this one issues in the worldwide option

16:21

we think they are also learning as they

16:25

continue their operation because when we

16:27

started tracking it they were only using

16:29

PrivateLoader for delivery

16:33

my guess here is that at some point they

16:36

realize that using the same install

16:38

service again again and again

16:41

will lead their payloads to be executed

16:44

on the very very same computers again

16:46

again and again

16:47

that's why in late 2022 they started

16:51

diversifying the install service they

16:54

use

16:54

they start a good one and nowadays they

16:57

are using at least four as far as we can

17:00

see and it's interesting because it

17:02

looks like they tried another install

17:05

service with another actor offers

17:08

through an Amadey botnet also they have

17:11

test at another service which some other

17:14

actor offers through a SmokeLoader

17:15

botnet

17:17

perhaps it didn't pay off very well they

17:19

went back to their religions private

17:21

loader but then they found the key

17:25

to delivery and they started using a

17:28

different service every two days so

17:30

every two days they will switch from

17:32

Amadey to PrivateLoader to a smoke

17:34

loader to a Google loader to start again

17:37

the the very next week hopefully getting

17:40

a wider reach and grow their botnet as

17:43

much as they can

17:46

foreign

17:48

so the infection chain of

17:50

PseudoManuscrypt starts with the

17:52

download obviously of the downloader

17:54

component either from the soft software

17:57

delivery Network for fake cracks or from

17:59

a malware loader as we saw so the

18:01

downloader component first will restart

18:03

itself elevate it and then we download

18:05

two files so the first file is a PNG

18:08

image with a shellcode loader dll that

18:11

is encrypted in its overlay data so this

18:14

dll name db.dll will be dropped to the

18:17

user's temporary directory the second

18:19

file is a binary file with an HTML

18:22

extension with its name being set to the

18:25

campaign ID so this is saved in the

18:27

temporary directory as well as as a

18:31

db.dat file so the downloader component

18:34

would run the Run dll 32 executable with

18:39

the db.dll and invoke a special export

18:41

called open and the db.dll would read

18:45

the encrypted shell codes from the

18:47

db.dat file

18:49

so this file stores 32-bit and 64-bit

18:53

shell codes each preceded with its

18:57

length with the

18:59

encoded by adding a simple value which

19:02

was always the same since the Inception

19:04

of PseudoManuscrypt and at this stage

19:06

only the 32-bit shellcode is used

19:10

so this shellcode is decrypted in two

19:12

rounds first round involving X or

19:15

um with the key depending on the index

19:18

of uh of the bytes in the in the file

19:20

and then the second round involver

19:22

involves the reverse xor algorithm where

19:25

the first byte is the last bytes key and

19:27

each bytes is then its previous key

19:29

until reaching the the beginning of the

19:32

file so this Shell Code itself being

19:34

decrypted will decrypt and load and

19:37

invoke the core module of

19:39

PseudoManuscrypt which is embedded in the

19:41

Shell Code and encrypted with a one byte

19:43

X or key and is compressed with the LZ

19:46

nt1 algorithm

19:49

so at this stage the core module is

19:52

running inside the Run dll 32 instance

19:55

in its first execution and this time it

19:58

would process the appropriate Shell Code

20:00

uh for the system systems architecture

20:03

uh in the registry so it will read the

20:06

db.dat file encrypt the proper Shell

20:09

Code and then persist it and then it

20:11

would inject a remote thread into the

20:13

currently running svchost instance for

20:16

the net Services Group

20:18

and this instance would read that

20:21

persisted shellcode inject it via process

20:24

hollowing into a new svchost

20:27

instance which will be the main instance

20:29

of PseudoManuscrypt and this instance is

20:31

the one responsible for talking with the

20:33

command and control server so these two

20:35

instances would actually monitor each

20:37

other so if one of them is terminated

20:39

the other would start would start it

20:43

so persistence here is performed only

20:46

during system shutdown by registering a

20:49

callback using the

20:51

SetConsoleCtrlHandler API so this

20:55

function would be invoked

20:58

when a lot of events happen including

21:01

the system shutdown so this

21:03

automatically means that an unexpected

21:05

shutdown for example due to a blue

21:06

screen of death means that

21:08

PseudoManuscrypt will not persist on the

21:10

system

21:11

so this persistence is done using a

21:14

service dll that is embedded inside the

21:16

core module this dll is copied to the

21:19

system32 directory and then a new

21:22

service group is registered in the

21:25

register in the registry that is called

21:26

uh app service so this service would

21:29

start after the system reboot it will

21:32

read the persisted shellcode from the

21:34

registry and then inject it into

21:38

svchost.exe

21:39

the net Services Group instance and then

21:42

the infection would go on from there

21:44

like we saw on the previous slide

21:47

so the malware configuration is stored

21:50

in the data section of the core

21:51

component there are two configuration

21:53

buffers a primary one which is always

21:56

used and then a secondary one that is

21:59

only used when a special command is

22:01

received from the command and control

22:02

server to switch so when this command is

22:04

received PseudoManuscrypt would create

22:07

a new file extension Association in the

22:11

registry to

22:13

switch to this to this other

22:15

configuration so when it runs the next

22:17

time it will check if this Association

22:19

exists if it does it will use the

22:22

secondary configuration

22:24

so the configuration format starts with

22:27

the main and fallback protocols to use

22:30

the value one is for TCP and value 2 is

22:33

for UDP and in all cases we've seen that

22:37

UDP is used as the main protocol so

22:39

these two fields are followed by the

22:41

ports to use so Port 53 will be used for

22:44

the main protocol which is UDP and Port

22:47

443 for the fallback protocol TCP

22:50

so the next field is the primary command

22:53

and control server

22:54

followed by the DGA parameters in case

22:58

this server is unreached so the fallback

23:01

domain generation algorithm see string

23:03

follows it's equal to API key and then

23:06

domain generation algorithms top level

23:09

domain which is.com in this case and the

23:12

last field is an integer that determines

23:14

the maximum numbers of domains to

23:16

generate before trying again and

23:19

communicating with the main C2

23:22

so the DGA works by taking a domain seed

23:26

and the string seed so the main seed at

23:28

first is the main C2 it will be

23:30

concatenated with the API key using a

23:32

comma md5 hashed and then 10 characters

23:36

in the middle would be taken uh

23:38

converted to uppercase and then they

23:40

would undergo a small transformation

23:42

that would yield a lowercase string that

23:46

will be concatenated with the top level

23:48

domain in this case.com that would give

23:50

the

23:52

domain that is to be contacted so if

23:56

communication fails with this domain the

24:00

the algorithm would use use it as a seed

24:03

for the next domain and so on until that

24:05

maximum number we talked about is

24:07

reached

24:10

so the communication protocol relies on

24:12

the open source HP-Socket C plus plus

24:15

framework developed by Chinese

24:17

developers it is a high performance TCP

24:20

UDP HTTP communication framework that's

24:22

offering clients and server capabilities

24:25

the framework uses the kcp protocol when

24:29

communicating with UDP uh when uh

24:33

automatic repeat request error control

24:35

is used so kcp is a custom protocol also

24:38

developed by a Chinese developer that is

24:41

described as being 30 percent to 40

24:43

percent faster than TCP so

24:46

PseudoManuscrypt as we saw uses UDP as its

24:48

main communication protocol uh which in

24:51

this case kcp and TCP as a fallback so

24:55

this use of kcp in PseudoManuscrypt can

24:58

be attributed to the capabilities of the

25:00

library itself rather than being a

25:03

deliberate design Choice by the

25:05

Developers

25:07

so the packet header here starts with

25:10

the header magic which this time is only

25:12

one byte which is always 0x43 it's

25:15

followed by a transformation type that

25:17

dictates the format of the packet data

25:20

so this transformation type can have

25:23

multiple values the data can be in plain

25:26

text XORed zlib compressed

25:29

Etc but the most popular one we saw we

25:32

see in multiple commands is the zlib

25:34

plus xor algorithm and if you remember

25:36

Gh0st RAT uses zlib for compression so

25:39

the other two fields are kind of similar

25:42

to what we saw in Gh0st RAT the packet

25:44

size including the header size and then

25:46

the size of the untransformed packet

25:50

so PseudoManuscrypt was directly based

25:53

on Gh0st RAT or some variants that it's

25:56

directly linked to because it's misses

25:59

changes uh that we see in later variants

26:01

uh it also doesn't include any audio or

26:04

video compression and it only shares a

26:07

few attributes with open source variants

26:09

that are in our collection for example

26:10

it has a similar but uh more advanced

26:14

service manager to a variant uh called

26:16

Bobo remote control

26:20

So PseudoManuscrypt's developers improved on existing managers from Gh0st RAT but also added new ones. For example, in the second version I think they added the hidden VNC manager, which was a fork of TinyNuke hidden VNC, which they broke down into multiple commands. And then they also added bi-directional clipboard sharing between the operator's machine and the infected host. There's also the port map manager which implements the TCP proxy, a netstat manager allowing exfiltration and closing of UDP and TCP connections, the services manager we talked about, and then a registry editor, basically.

27:02

So PseudoManuscrypt also supports plugins, which are always requested after the first check-in. So the C2 will answer with a list of entries, from which the interesting fields are the plugin hash in MD5, the start type, whether it wants to start a plugin or uninstall it, and the plugin type, if it's an executable or DLL, but we've only seen DLLs up to this point. So the bot will follow up with requests to only receive new plugins that it doesn't have stored in the registry.

27:36

So the first one is a clipper plugin which would monitor clipboard data for wallet addresses that are copied by the victim and patch them on the fly to operator controlled wallets. And these attacker controlled addresses are hard-coded and are the same across all campaigns, giving credit to the idea that there's probably one group behind this threat.

27:59

So we've taken a look at these wallet addresses and tallied up a sum that is equal to 187 dollars currently in these wallets, and pretty much all of it is still there, actually.

28:13

So the next plugin is a keylogger plugin that will complement the existing keylogger implemented in the keyboard manager. So unlike the keyboard manager, which needs a special command to be activated, this keylogger would immediately start monitoring the foreground window for substrings that are related to cryptocurrency, and these logs will be forwarded in real time. They won't be written to any files; they will be forwarded in real time to the C2 using a callback that is provided by the core module at plugin initialization.

28:49

So the other plugin we see is a man-in-the-middle plugin called set proxy. So what it does is it will allow interception of secure browser TLS traffic for specific websites. So what it will do is first add a root certificate to the trusted authority cert store. This certificate is long-lived and will stay valid until 2032. What it then does is it will add a proxy auto-configuration script to the global proxy settings of the system, which are inherited by all browsers, and this will point to a URL that will download a JavaScript file called win.pac. So when the user navigates to a website, the browser will download this file, cache it and then match the requested hosts using this script. So here it will match cryptocurrency websites, and then if there is a match it will forward the traffic to the proxy in red.

29:47

So what this proxy does is it will provide a fixed certificate that is generated by the malicious certification authority, and then this malicious proxy can be used by the actors to intercept TLS traffic and get access to user credentials.

30:06

So the next plugin is a stealer plugin that is focused on stealing cookies and saved credentials from various browsers. It does extensive targeting for Instagram, possibly to compromise accounts with a high follower count. It also targets Facebook and Facebook's Ads Manager in a similar way that fabuki does, but we couldn't establish any code relationships between the two. So Facebook's Ads Manager accounts, when compromised, would let the actors run advertising campaigns, for example. In this case the stealer communicates with a different C2 over HTTPS, but it's still sending the campaign ID and the bot's ID to this command and control server.

30:56

So what's interesting is that our emulated bots receive no commands besides to download and start plugins and to update the bot to a new version. So this led us to think that this is probably a plugin-oriented operation, because all plugins we see are oriented towards harvesting credentials and stealing cryptocurrency, and possibly the core bot commands could only be used for interesting bots. For example, they would open a hidden VNC session to the host when they want to impersonate the user.

31:32

So we concluded that this was a financially motivated group. They were likely Chinese-speaking actors because of some patterns we saw, for example the trend of forking Gh0st RAT, the use of libraries that were developed by Chinese developers such as the HP-Socket framework; they're also using a Chinese panel called Pagoda panel to operate some infrastructure, but also their old infrastructure was hosted in the Eastern Asian region.

32:07

So to conclude, Gh0st RAT is an old threat that is still a potential threat; actors possibly use it because of its well-designed and modular structure. We saw that PseudoManuscrypt is an advanced variant that is currently financially successful and is ever growing, so it is actually more relevant than ever, especially since operators are diversifying and ramping up their distribution. And given the botnet size, which is pretty big, it can already be used as spyware to spy on victims, because the functionality is already there. For example, we saw that it can exfiltrate the Tencent QQ number, which could be used to spy on Chinese nationals outside of China, seeing that they're infecting victims from all over the world, but it also has other spyware functionalities. And that's it for us, thank you.

33:01

[Applause]

33:09

Yeah. Okay, time for questions. You know everything now already? They're all sleeping in. Eric, you don't have a detection question? Or... One, two, three. Okay, thank you very much.

33:58

[Applause]
