How to become an APT

Hi fellas,

You know there are many tutorials like “How to become a hacker” or “How to become a pentester” etc literally everywhere. Some actually have very good content (such as the ones here heheh=) but you might be asking: OK I’ve become a hacker now what’s next? So today I’m gonna walk you through on a journey of becoming an APT :stuck_out_tongue:

Jokes aside, as I may have mentioned earlier I am regularly delivering reverse code engineering and malware analysis courses. During my class we are solving challenges from RPISEC Malware open courseware (great resource! https://github.com/RPISEC/Malware). Then we take the challenge one step further and play a game named “How to become an APT” :smiley:

Overview

During this game students are tasked with reverse engineering the communication protocol of APT1’s STARSYPOUND implant, then develop a server application and remotely control the implant on an infected virtual machine.

First lets have an overview of this implant’s behavior on a poorly drawn board:

resim

Some key features:

  • Malware receives its IP:Port configuration from its Resources
  • If malware has received “cmd” it spawns a new thread of cmd.exe
  • Malware creates a pipe to its child thread and redirects network I/O to cmd.exe back and forth
  • Malware contains a custom PRNG like key generator which will be used to generate a key of N-bytes on demand
  • Network traffic will be XOR ciphered with these generated keys
  • Each packet sent by malware will contain a 4 byte header at the beginning to indicate the size of message, however packets received by malware aren’t expected to have this “header”

IP:Port Configuration

resim

When malware receives “cmd” command

resim

Encryption/Decryption Procedure

resim

Example Traffic

Debugging Encryption Routine

Lets inspect the encryption routine step by step to see what is getting xor’d.

To put it simply the procedure is basically;

ciphertext[i] = plaintext[i] ^ generate_key_byte()

Becoming APT

To remotely control the implant I need to be able to generate the same sequence of bytes as the malware. In order to do that I have two options.

  1. Reverse the key generation algorithm and re-implement it (hard way)
  2. Patch the program to make it dump the key somewhere in memory on the fly, then make it generate a long key (1024 bytes long for example)

Obviously I took the second way :smiley:

Steps I Followed

  • Create a new section with RWE permissions, fill it with NOP’s
  • Write a small assembly code which will copy the key on the fly and return
  • Hijack the execution flow by patching encryption routine and redirect it to our key thief
  • Debug the patched malware, initiate handshake then send 1024-byte long message
  • Retrieve the key from dumped memory location

Key Copier Code

resim
Pseudocode:

ciphertext[i] = plaintext[i] ^ key_byte
mem[i] = key_byte ; ==> where we are copying the key
return

Hijacked Execution Flow

resim

Lets Do It :slight_smile:

1. Engaging with Malware

2. Retrieving the Key

Last Step

Now that you have retrieved a key of sufficient length you may encrypt/decrypt the traffic in order to engage and remotely control the implant. You may even develop a server application to automate the thing. I have made a shitty one (on purpose) here: https://github.com/robindimyan/apthowto/tree/master/APT1-STARSYPOUND

Congratulations, you have just become APT1 :smile:

16 Likes

Interesting, but I think a more detailed explanation is needed. According to Wikipedia the first sentence is:

“stealthy computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period.”

All APTs that we are aware of operate invisibly. Even when querying and probing of servers are detected by someone by that point it is to late. The factors that let APTs stand out are:

  1. Well funded
  2. Maintain access and if locked out they usually find another way in
  3. They always have an end goal

An example is APT39 which is suspected to be associated with the Russian Intelligence. APT39 are what many security researchers believe were behind DNC hack during the 2016 election. The feds noticed that a person or a group of people were probing the servers and contacted the DNC, but even with the usual checks, COZY BEAR which is the suite of malware that they use, was invisible and allowed them to continue their operation. We all know how that played out. Lastly, it is rare for an individual to be considered an APT since most of the known APTs are too sophisticated and too organized to just be the doing of one person.

4 Likes

Thanks for the definition but in case you didn’t know, I don’t believe it was meant to be taken seriously.

2 Likes

Thanks for your comment! As @dtm pointed out I wasn’t really serious on this being a tutorial to become an APT, its only a name we’ve given to an exercise made during my class :smile:

However you have made a good point on defining APTs (Advanced Persistent Threat). While working in the field of cyber threat intelligence I’ve came to realize that definitions of APT in popular sources like Wikipedia are mostly wrong. I saw that even cyber security companies sometimes make incorrect definitions for the sake of marketing.

Term of “APT” is usually associated with nation-state or state sponsored attacker groups, because the term itself has its origins in military. But in the realm of cyber security you will see that the term has actually a more generic meaning and it may include (however rarely) non-state actors.

Now lets break down the term shall we :slight_smile:

  • ADVANCED: Meaning the threat group has advanced capabilities. This advancement isn’t measured by the number of 0days or MBR rootkits a threat group possess. But it’s measured by their target selection and their modus operandi (how they roll out their operation). Their campaigns may or may not be sophisticated.

Myth #1: APT’s are invisible and their attacks are very sophisticated

To start with, “invisibility” itself is impossible. There is no invisibility (of an attacker) but rather insufficient visibility (of a defender). Even if an attacker penetrates a system using 0days and then implants a rootkit, their activity can be detected.

Second, many campaigns which are attributed to APT groups are actually far from sophisticated. Some even have very poor OPSEC, you would be surprised. What we need to understand is that these groups run on a budget and every 0day/implant used on a target shall be considered burned. So it’s certain that these guys won’t spit out their 0days and most advanced implants on every target they see. Apart from that, a campaign may be meant to be detected as a part of counter intelligence, influence op, diplomatic signaling etc.

  • PERSISTENT: Meaning, targets of the threat group is most probably dictated by a higher-level agenda like political motivations, intelligence needs, military or diplomatic objectives etc. Because of this APT campaigns are not only targeted but also they’re very insistent on intruding their targets.

This topic most probably deserves its own thread but this is all what I can do at the moment. I hope it is somehow helpful :slight_smile:

4 Likes

ETERNALBLUE was an outdated exploit which already had patches available for the vulnerability. WannaCry was a pretty bad piece of malware. The (or one of) NK agent who deployed it had poor OPSEC. Very APT. :thinking:

It would be helpful if you continue this topic to part 2 or another class. This class is really helpful.

Glad that it became helpful :smile: If I get to have some free time I’m thinking of writing a loooong thread about instrumentation of ‘cyber’ in interstate conflicts. Will touch upon the terms in more detail and hopefully will contain lots of case analysis :smiley:

1 Like

WannaCry is a joke because as far as I know, it infected machines that haven’t been updated in months?

Yes, a lot of systems are not properly patched. But a lot of malware, if not most, operate in this fashion, leveraging known vulns and utilizing existing exploits. You’re not going to burn 0-days on every run. Patching is notoriously, well, patchy. This isn’t really the same as OPSEC. Not to mention, a ransomware like WannaCry isn’t meant to hide (for obvious reasons). The goal is quick, dirty money. Of course, it’s hard to reconcile this as APT because it really isn’t. (APT as I see it applies more to a group than it does specific strain of malware.)

edit: Actually if you consider NK’s overall goals and strategies for its uses of cyber, I guess WannaCry is more-or-less consistent.

edit: I think this is sort of off-topic from OP. So to go back to that. First off, very cool. I’d like to know if you have other “games”, “challenges”, or exercises like this.

1 Like

The exploit wasn’t the reason why it was bad. NotPetya used the same infection method but it was much more severe probably because it wasn’t so poorly developed(?)

1 Like

Intersting read. Thank you :slight_smile:

This topic was automatically closed after 30 days. New replies are no longer allowed.