
Cuckoo Spear [B-Side]

2024/11/20
Malicious Life
People

Jin Ito
Loic Castel
Ran Levy
Topics

Ran Levy introduces the Cuckoo Spear campaign, a cyberattack against Japanese companies by the Chinese nation-state APT group APT10. APT10 uses malware named LODEINFO and NOOPDOOR and relies on a range of techniques, including spear phishing and VPN vulnerabilities, to break into target networks. Jin Ito and Loic Castel analyze NOOPDOOR's persistence mechanisms, its DGA and the attack flow in detail, and point out that APT10 has abundant resources and that its tool development and operations are highly sophisticated and careful. Loic Castel also stresses that APT10's targeting is broader, while the Cuckoo Spear campaign is focused on Japan.

Jin Ito, as an incident response engineer, goes deep into the technical details of NOOPDOOR, including its persistence mechanisms, its DGA and its relationship to LODEINFO. He notes that NOOPDOOR is an improved version of LODEINFO and that its persistence is very complex, combining shellcode, scheduled tasks, MSBuild, WMI and service DLLs. He also explains how the attackers use a DGA to evade detection and how the service DLL payload is encrypted with information unique to each system. In addition, he shares his experience handling a similar attack at a previous organization.

Loic Castel describes how Cybereason discovered and got involved in the Cuckoo Spear investigation, and emphasizes the challenges and excitement of investigating a nation-state actor like APT10. He explains the attackers' intrusion methods in detail, including spear phishing and exploitation of VPN appliance vulnerabilities. He also describes the typical attack flow, including the setup of an internal C2 server to control machines that are not connected to the internet. He then analyzes the tools the attackers used, pointing out that they mainly relied on built-in Windows tools rather than common hacking tools such as Mimikatz. Finally, he adds details on APT10's targeting scope and the goals of the Cuckoo Spear campaign.

Chapters
The episode introduces APT-10, a Chinese nation-state threat actor known for using sophisticated malware like LODEINFO and NOOPDOOR to target Japanese IT and infrastructure organizations.
  • APT-10 has been active since at least 2006.
  • They use backdoor malware like LODEINFO and NOOPDOOR.
  • NOOPDOOR incorporates sophisticated persistence mechanisms.

Transcript

Hi, I'm Ran Levy. Welcome to Malicious Life.

This week we have yet another B-Side episode. B-Sides are our interview-based episodes, where we tackle topics and stories less suited for our regular, more narrative episodes. In this B-Side we're discussing Cuckoo Spear, an espionage campaign targeting Japanese companies by a Chinese nation-state threat actor known as APT10.

As you'll soon hear, APT10 has been active since at least 2006, and in recent years has been using a backdoor malware named LODEINFO. A few months ago, researchers from Cybereason were able to link APT10 to a new malware family called NOOPDOOR. This new malware incorporates highly sophisticated persistence mechanisms, allowing APT10 to evade detection and remain inside enterprise networks for two or even three years.

Our guests in this episode are the two researchers from Cybereason's incident response team who investigated the case, Jin Ito and Loic Castel. I'll let them introduce themselves. I tend to treat these B-Side episodes as great learning opportunities, so during the interview we'll take short breaks to introduce and explain various technical terms and ideas. Enjoy.

So hello to Loic and hello to Jin. Please introduce yourselves.

My name is Jin Ito. I am an incident response engineer at Cybereason. I have been with the company for about one year, and before that I also did incident response and malware analysis for an organization, a Japanese company.

Hi, I'm Loic Castel. I'm based in France, doing incident response for Cybereason for almost three years now, and I have a bit of a past with both the blue team side, doing IR and security operations center work, as well as pentesting and red teaming, this kind of thing. So I love the research that we are going to talk about today.

Thank you for joining me on the podcast, very much appreciated. We are a truly international conversation today: I'm from Israel, Loic is from France and Jin is in Japan.

So our story today will revolve around the research that you recently did, called Cuckoo Spear. And I think it begins long before Cybereason itself got involved in the investigation, with the malware that is now known as LODEINFO. So tell me about LODEINFO, and what other researchers, prior to your involvement in the investigation, discovered about it.

In short? So LODEINFO, in short, is a scary backdoor. When we think of backdoors, we just think of, you can run arbitrary commands and execute any sort of task that you want on the remote computer.

It has that capability, and it also has capabilities to upload and download files and additional code as necessary. It's basically whatever you need to do on the computer, that's the program to do it. And as far as I know, I think it's been used by APT10 since 2020.

And there's a lot of research going into this, and we can see the various versions; it has been evolving over the past five years or so, I would say. And every iteration it just keeps improving, creating new encryption and changing the sizes, perhaps different loading mechanisms. And I guess how it relates to the malware that we are presenting today is that they don't necessarily work together, but I would say that the NOOPDOOR malware that we have right now, that we analyzed, is a more modified and evolved version of LODEINFO, which I guess we will get into in detail later.

Yeah, we'll talk in more depth about APT10, which you mentioned, and about NOOPDOOR, which you mentioned as well. What kind of organizations were hit with LODEINFO in the past? Do they have some sort of a common characteristic?

So I think it goes hand in hand with the targets of APT10, which are mostly, I mean, obviously I can't speak for them, but they are targeting a lot of critical infrastructure companies, a lot of media companies that talk about new Chinese activities, whether it's weapons or any geopolitical topics, and also IT companies that create IT systems for, essentially, the government in that country. I guess those are the prime targets that we keep hearing about from these actors.

So how did Cybereason get involved in the investigation?

We had a new customer and started to have detections using our solution. And it was very quickly known that this was a complicated threat; it was not something common, something that has been seen before. And it involved data theft and very stealthy techniques, so the customer decided to dive deeper into this and engaged us as the incident responders. So we started to investigate the machine where we had the obvious detections, extracted some techniques, and we decided to pivot from those techniques to the rest of our customer base. And we did find two other victims. Later we had another one, which was not a customer, which made four in total that we worked on as incident responses, involving the tools used by the same threat actor.

So the malware was present in these organizations' networks for a pretty long time before it was discovered. How was that persistence maintained on the networks? What were the techniques LODEINFO was using? In his response, which you'll hear in a minute, Jin will mention a few Windows mechanisms which NOOPDOOR uses in order to maintain persistence in the infected networks.

So for those listeners who aren't familiar with Windows development, let's quickly break down a few of these key mechanisms. Task Scheduler is a Windows component that launches programs or scripts at predefined times or following a specific event, also known as a trigger. The scheduler can be used to perform routine tasks such as sending an email message, displaying a message box or, in our case, running the malware. MSBuild, or the Microsoft Build Engine, is a component which allows developers to build applications, that is, convert source code files into executable software.

The developer provides an XML-based configuration file that describes the items to be built and various tasks that are part of the build process, such as creating directories, copying files, and the like. And finally, WMI, or Windows Management Instrumentation. This is a platform that system administrators can use in order to remotely control Windows-based machines, usually in an enterprise network environment, for example running an administrative script in response to a certain event. Armed with these concepts, let's return to our interview.

The main persistence mechanisms were scheduled tasks, running specific commands with scheduled tasks. They were using MSBuild, which I think is a part of the Microsoft .NET component, to build, compile and execute C# code. There is a scheduled task to compile and run the code, so they had actual source code of the injector on the system.

But of course it's obvious that was one. The other was the WMI event consumer, saying that this specific execution would occur when a specific event occurs. And the other one was a DLL.

So those two that I just talked about, they were written in C# and there was source code. The next one was a service DLL. Obviously it's a DLL format, highly obfuscated. It was created as a service; I mean, it just loads itself as a service. It loads shellcode from the registry that is encrypted. So it decrypts the shellcode from the registry based on things like machine IDs, some hashes they get from each and every system, that were unique to each and every system. So it's not like you can create a script that can just decrypt all of the NOOPDOOR payloads, because it was unique to each system. So you had to enter, like, we made a script, but you had to also enter machine-specific information to eventually decrypt and be able to extract NOOPDOOR and then figure out what it was doing.

So yes, just to add on this. Before the persistence happened on all the machines we investigated, we also noticed the threat actors moving laterally from a previously compromised machine, and that's basically what they did all the time. They just compromised a set of machines.

And then from this set of machines they moved to other machines, dropped the file, loaded the malware, NOOPDOOR, and erased that file, because after they loaded NOOPDOOR into the registry, like Jin said, they basically got a fully operational backdoor without leaving any file on the system. So it is still there, there is still this evidence, because it's in the registry, but it's not a file. And in using these techniques, they used different ones each time, depending on which of those machines the threat actor wanted to control.

How were the attackers able to sneak that malware into the organization itself? What was the method of infiltration, you might say?

So initially, LODEINFO was known to be pushed by the threat actors through an initial access technique called spear phishing, which is the use of various trickery or scams to manipulate the victim into executing something malicious on the machine. And then from that machine the threat actors move to the rest of the infrastructure and do the rest of the post-infection. They used, for instance, COVID pretexts to get into a network. They used this kind of pretext, and they also used specific documents targeted to the sector they were targeting, and to the countries as well. In the case of the incidents we investigated, we had one case also involving spear phishing.

And I'm saying that with caution, because the incident happened two years, even more than two years, before we started the incident response. So in that kind of case, the more we wait between an event and the time we investigate, of course, the more that reduces the probability that our conclusions are right. But we were able to say with 75 percent probability that spear phishing was involved in that case. But in the other cases, and it was also mentioned by other vendors researching the same threat actor, the victims had an Array AG VPN, which is a very popular firewall and VPN solution used in Japan, and another, FortiGate, which were being breached to do the attack. So that either means the threat actor changed their initial access technique because it was not working anymore, or because they had this opportunity of using the vulnerability, which is more convenient for an attacker than spear phishing, or it was a different threat actor, or different operators inside the same group.

Now there's a question that I'm curious about for both of you. I'm guessing, once you realized that you're investigating a nation-state threat actor... I'm guessing that it's kind of rare to have investigations that actually track these kinds of actors. How exciting was it for you two, personally, to investigate such a case, to actually go head to head with a nation-state threat actor?

Obviously it was very exciting for me, because I have worked on nation-state IR cases before, but none to this level, I would say. I guess we will talk about it a bit later, but the tools that they were using are very sophisticated. I'm going to get a bit technical, but they use shellcode for their entire C2 framework.

Jin mentioned shellcode, so here's another learning opportunity. What is shellcode? Shellcode is code that runs in a command-line environment, such as cmd.exe on Windows.

In the context of malware, it refers to a malicious payload code that can be executed once it is injected into a running application. Once a malware is able to exploit a vulnerability, for example a buffer overflow, to inject the shellcode into memory and trick the program into running it, the shellcode runs with all the privileges of the exploited application. The downside is that writing shellcode is quite challenging. It requires an in-depth understanding of low-level programming languages like C, C++ or even assembly, since each operating system has its own shellcode. And while we're at it, C2 is short for command and control infrastructure, the software used by the attackers to communicate with compromised machines inside the network.

Creating shellcode itself, you have to have some specific coding methodologies to create that. It's not like you can just link the library and use regular Windows things like creating files, etc. So I can see from the sophistication that I need to understand everything about this attack that is going on, because, aside from the IR part, this is just such a great opportunity to be able to take a look at this, and it's ongoing as well, which is also a great thing. Because in terms of IR, you don't need to do the full analysis, I would say, of the tools and the techniques they're using, as long as you are able to stop the attack, contain it, and then get them out of the network, and then patch whatever you need to patch so they don't come back again.

So you don't really need to look at, I guess, some of the specific details of the malware, but it's just something so interesting that, I guess, it pushed me to document a lot more than what was necessary to do IR. And so I guess that's why we're here today. And I think one interesting thing about this attack is that, I told you I joined Cybereason a year ago, and then this attack happened, I think, a few months after I joined. But the interesting thing is that I was analyzing a very similar tool, using probably the same DGA, I think a year ago in my previous organization. So I saw it in action in an actual Japanese company that I was working for. And now I'm actually looking at it again from a vendor perspective, and I can see everything, all the havoc that it is causing. It's just very interesting. It's very fun.

If I may add something as well. The containment strategy we use is also going to be very different from, I would say, the most common IRs, because we know this is a very advanced threat actor. We know they are disseminated all over the network.

They might have multiple other types of backdoor that we didn't identify. So in that kind of scenario, we pay a lot of attention to studying before doing any action. We know this kind of threat actor monitors the infrastructure, they monitor their victims' infrastructure.

So they know what's happening inside the network. So we cannot start to, for instance, block the C2's IP, or stop a specific hash from running. If we start to do that, the threat actor is going to change strategy very quickly.

And basically, they are going to play whack-a-mole with us and the victims. So they are going to change strategy, and we are going to identify that strategy, block that, and that's going to go on for a very long time. So in that kind of case you want to take a lot of caution, and a containment and remediation strategy specific to this kind of threat actor.

Yeah, it sounds almost as if you're playing a game of chess against the attackers, kind of a battle of wits of sorts. So maybe, just to set the baseline for our listeners, can you please describe the flow of a typical attack, how it moves forward from the initial infiltration?

The first thing that you do when you go into an organization is to make sure you have access again. So I think this is one of the very first things that you do. They installed the persistence mechanism, either through MSBuild or the WMI or the service. And then that's when they have access to that machine, so they can come back whenever, and then they start doing the sort of, getting the usernames, the passwords, and then going to the domain controller.

And we also saw a sort of internal C2 within these engagements, which meant that it was a modification of the NOOPDOOR malware, but modified so it just runs as a server. And this one doesn't directly communicate with the internet, with the outside. It's all internal, and we believe it was used as a sort of relay point between other pivot points within the victims' networks, so that they can aggregate information, or to be able to ease their operations much more. So I guess that's how they scattered throughout the entire network, and they were able to compromise, I would say, hundreds of devices.

So there's both an internal C2 and an external C2 as well?

Yes, yes. I would say the external C2 is just, it's on the attacker side. That's where NOOPDOOR connects to, based on the domain generation algorithm that it uses. And the internal C2 is, yes, as you said, it's just run on the victim's server or whatever, and we see communications going to that, to aggregate information. Again, it's the same backdoor methods: it can run code, it can load files and drop files, and maybe that's where they were aggregating all the user info. We didn't exactly see them being aggregated there; it's just based on the telemetry and the capabilities of that server code that we think that's what it was used for.

That internal C2 also gives them the capability of controlling machines that are not connected to the internet, that are confined to a constrained network, and that also gives some hints on the type of victims they are targeting, that they have some maturity in cybersecurity to have this kind of setup.

Meaning like maybe an internal air gap that prevents internal systems from accessing the internet, right?

Absolutely, absolutely. So not completely air-gapped, because they still need a connection to the network that hosts the internal C2, but yeah.

What other kinds of tools were used in the attacks?

The interesting bit as well, in all these incidents, is that we didn't notice any of the hacking tools that we usually notice in other incidents, such as, off the top of my head, ngrok for creating tunnels, or Mimikatz for credential theft.

That wouldn't be too serious for nation-state actors, to use Mimikatz like that, just as an example. And their backdoor, as Jin mentioned, was very big in size and had a lot of capabilities, allowing them to do most of those actions: the credential gathering, the reconnaissance, everything around exfiltration as well, the tunneling capabilities, everything could be done through that backdoor. The only thing that we noticed was the use of embedded Windows utilities; we often call them LOLBins, living off the land tools.

That's what we noticed the most. We didn't notice any credential theft through the LSASS process, dumping it to get clear text, and so on, in this kind of attack. But it was always using tools that already existed on the machine to do that.

Okay. And we mentioned before the use of a domain generation algorithm, DGA. So maybe let's dig a little deeper into that technique. What is a domain generation algorithm, and how was it used?

Usually when computers connect to the internet, they connect based on the domain, which resolves to an IP address, and then you're connecting to that IP address. But if the domain keeps changing and changing, and the IP can change as well, it's just a method that attackers use so they can change their infrastructure and make it harder to block them.

Because if it keeps on constantly changing, you're not going to know what domain to block. And especially in this case, where it was used, there were a couple of different domains that were being used. The top-level domain, meaning like, let's say www.google.com, that will be a lot of domains that people use.

But instead of google, it would just be www.<random algorithm-generated string>.com. What it essentially becomes is, how do you block that on the firewall? You would have to block everything www.*.com, unless you know the domain itself. But there were also other ones where it was like <random string>.hosting.com, where if you just block the part before the hosting, you can block those.

But there were some challenges, a lot of challenges I would say, in identifying the domains to block. That's why we created scripts. We reverse engineered the domain generation algorithms. I won't get into too much detail, but it just gets some computer-specific information, makes some hashes, and dynamically generates some random letters, but it's essentially not random.

You can reverse engineer it and create scripts to understand which domains are going to be generated in the future, because we see a change every 180 days, 365 days, maybe 90 days; it depends on which machine and which type of, I guess, which iteration of NOOPDOOR was used. And so we created scripts so that the victims can just block any domains that were going to be generated for the foreseeable future.

Okay. So let's turn our attention to the threat actor that was involved in that case. We already mentioned its name, APT10. So keeping in mind how difficult it is to actually attribute an attack, what do we know about APT10 from analyzing this attack?

It is apparent that they have a lot of resources at their disposal. And an interesting side topic is that I think a lot of the attacks that we saw ended at five or six PM local time, and they started at nine.

So they were working between those working hours. But it's off topic, I'd say. But yes, it's apparent that they have a lot of resources working on the operations of this and on the development of their tools, because, as I said, with NOOPDOOR we found a lot of NOOPDOOR samples. I think that was over 20 or 30, maybe 40, samples of NOOPDOOR itself, the shellcode, but none of them were exactly the same.

There were always some different hard-coded strings that make the DGA a little bit unique. And so I think that since then they must have had some sort of automatic tool to generate different iterations of this malware.

And so just creating that, and also creating the shellcode, and the entire operation of it, how they were so secretive in their operations, you can tell a lot of work has gone into this. And I think that's one of the most interesting things we can conjecture about this attack.

Just one thing in terms of targeting. Beyond the Cuckoo Spear campaign, it has been argued that APT10 has a more global scope, so they have been known to target also UK organizations, and the US as well. So APT10 is a more global organization, while Cuckoo Spear is very focused on using the tools we are documenting and also on targeting Japan. That's it.

Thank you very much. It's been a great pleasure.

Very nice. Thank you as well.

Thank you so much. Thanks.

Thank you very much.
