Let's Go With A Go RAT! - Botconf 2021-2022

Transcription

Let's go with a Go RAT!
Dec 2018
Yoshihiro Ishikawa, Shinichi Nagano
Copyright LAC Co., Ltd. All Rights Reserved.

Who are we?
Organization: LAC Co., Ltd. (lac.co.jp)
Yoshihiro Ishikawa (CISSP) - Department: Cyber Emergency Center; Job Title: Cyber Threat Analyst and handler
Shinichi Nagano (GREM) - Department: Cyber Emergency Center; Job Title: Cyber Threat Analyst and handler

Agenda
- Purpose
- A study of Go language (GoLang)
- wellmess and its detail
- wellmess C2 traffic simulation (DEMO)
- Prevention method
- Conclusion

Purpose
- wellmess malware and its botnet are currently still categorized as an unknown Golang malware
- several incident cases that we handled from January 2018
- Not detected[2] by security software until we published an analysis report[1] in about June 2018
We would like to introduce the analysis results of "wellmess", and we hope they will be useful to prevent the attack in the future.

We provide IT total solutions based on advanced security technologies. CYBER-EDUCATION - PENTEST - JSOC - 119 - CONSULTING

A study of Golang executable

What about Golang
- Go[3] is an open source programming language developed by Google Inc. in 2009; in our presentation we call it "GoLang".
- Current stable version: 1.11.2
- Runs on various platforms such as Linux, Mac, Windows, Android
Golang malware
- Mirai (C2/Server) is one of the most famous
- Others such as Lady[4], GoARM.Bot[5], Go Athena RAT[6], Encriyoko[7]

Golang executables characteristics
- Go executables have a huge file size (even when packed by UPX[8], about 4 MB)
- Function names are left intact in the executable files (in many cases)
- The character strings become one continuous block (go1.8 and higher)
[Figure: not stripped, function names visible; strings in one continuous block]

Golang executables characteristics - 2
The function names can be recovered by using IDAGolangHelper[9] in IDA Pro[11].
[Figure: before and after renaming functions]

Golang executables characteristics - 3
Not every string blob can be separated by IDAGolangHelper, so we need to do it manually.
[Figure: possible case, split values; impossible case, no split values]
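As an added example (not from the LAC slides, the wellmess samples, or IDAGolangHelper itself), the following Go program does by hand what IDAGolangHelper does inside IDA Pro: it reads the .gopclntab section of an unstripped Go ELF binary with the standard library's debug/gosym package, lists the function names the linker left intact, and groups them by package so that non-standard packages stand out among the thousands of runtime and standard-library functions. All function and variable names are my own; the program takes the path of a Go-built binary on the command line and inspects itself when none is given.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
	"sort"
	"strings"
)

// GoFuncNames opens a Go-built ELF binary and returns the function names
// recorded in its pclntab, the same table IDAGolangHelper uses to rename
// functions. It works on unstripped binaries and errors out otherwise.
func GoFuncNames(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	pcln := f.Section(".gopclntab")
	if pcln == nil {
		// PIE / externally linked builds place the table here instead.
		pcln = f.Section(".data.rel.ro.gopclntab")
	}
	text := f.Section(".text")
	if pcln == nil || text == nil {
		return nil, fmt.Errorf("%s: no pclntab/.text section (stripped or not a Go binary)", path)
	}
	data, err := pcln.Data()
	if err != nil {
		return nil, err
	}
	// Since Go 1.3 the .gosymtab section is empty; all function metadata
	// comes from the line table, so a nil symtab is fine here.
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, text.Addr))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(tab.Funcs))
	for _, fn := range tab.Funcs {
		names = append(names, fn.Name)
	}
	sort.Strings(names)
	return names, nil
}

// PackageOf returns the import path part of a Go symbol name:
// "net/http.(*Client).Do" -> "net/http", "botlib.AES_Encrypt" -> "botlib".
func PackageOf(name string) string {
	slash := strings.LastIndex(name, "/")
	dot := strings.Index(name[slash+1:], ".")
	if dot < 0 {
		return name
	}
	return name[:slash+1+dot]
}

// PackageCounts groups function names by package. In a multi-megabyte Go
// binary this is how an analyst spots the few non-standard packages worth
// reading first.
func PackageCounts(names []string) map[string]int {
	counts := map[string]int{}
	for _, n := range names {
		counts[PackageOf(n)]++
	}
	return counts
}

func main() {
	path := ""
	if len(os.Args) > 1 {
		path = os.Args[1]
	} else {
		var err error
		if path, err = os.Executable(); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	names, err := GoFuncNames(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d functions in %s\n", len(names), path)
	for pkg, n := range PackageCounts(names) {
		fmt.Printf("%6d  %s\n", n, pkg)
	}
}
```

Run it against any unstripped Go binary (go build ./... && ./tool /path/to/sample): the runtime, reflect and net packages dominate the counts, and a package name that is not part of the standard library, such as the "botlib" strings the YARA rule later on this page keys on, is where analysis starts. A binary built with -ldflags="-s -w" or post-processed by a stripping tool still carries the pclntab (the runtime needs it for stack traces), but the .gosymtab/.gopclntab section headers may be gone, in which case the section lookup above fails and the table has to be located by its magic bytes instead.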

wellmess and its detail

What's about wellmess
wellmess is a RAT coded in GoLang for multiple platform operating systems.
C2 Functions
- Command Execution (RCE)
- File Upload and Download
Identification
- Lang: GoLang (main) & .Net (minor version only)
- Type: Windows 32/64-bit Executable (these main slides) & ELF x64 (Appendix C)
Characteristic:
- Compiled with Ubuntu (go1.8.3), Windows (go1.8)
- The "wellmess" naming comes from "Welcome Message" (attacker's thought)
- Usage of IRC terms like "welcome message", "bot", "chat" or "join" etc.

Typo strings
[Figure: misspelled strings in the binary] Does he mean choice? Does he mean welcome message? Does he mean Mozilla?

Specific characteristic strings
[Figure: different package name; C2 server; supports Japanese, Korean and Chinese]

Specific User-Agents
Each wellmess had a different User-Agent hard-coded:
- Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
- Mozilla/5.0 (X11; U; Linux x86_64; ja-JP; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.10 (maverick) Firefox/3.6.16
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, Like Gecko) Version/7.03 Safari/7046A194A
- Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0
- Mozzila/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
- Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)

Lateral movement
wellmess doesn't have a lateral movement function; for that purpose the attacker was using another tool. In some cases they used gost[13], a tunneling tool written in Golang.
[Figure: Victim / Attacker tunnel]

Other version: compiled with .NET wellmess
dnSpy[13] (too long, redacted)
- The payload (DLL file) is encrypted: replace strings, Base64-decode, then decrypt with RC6
- The payload DLL file is loaded and executed using the AppDomain CreateInstanceAndUnwrap method, utilizing a Proxy class.

Other version: The payload of .NET wellmess
- The .NET version's RCE also uses PowerShell methods, which are not found in the Golang version
- Has similar functions as the Golang version

Comparison of Golang and .NET wellmess

Functions                    | Golang (mostly spotted)          | .NET (several cases only)
-----------------------------|----------------------------------|-----------------------------------
Support OS                   | Windows, Linux, (NAS)            | Windows
Encryption                   | RC6, AES, RSA, obfuscation       | RC6, AES, RSA, obfuscation
Bot commands                 | Command Execution,               | Command Execution,
                             | File Upload and Download         | File Upload and Download
How to Command Exec          | CMD (Windows), Execve (Linux)    | PowerShell, CMD
C2 Protocol                  | HTTP, POST, Cookie               | HTTP, POST, Cookie
Packer                       | UPX or none                      | Original Packer (bytes obfuscator)
Latest version (ITW)         | 2018-10-02                       | #

# Virus Total First Submission: 2018-07-25

Bot functions are almost the same between Golang and .NET.
We think that the main wellmess used by the attacker is the Golang one.

[Figure: bot command string normalization as a chain of replace() calls; reference by JPCERT/CC [15]]

Bot commands syntax
wellmess uses tags in XML format to communicate C2 commands: <;tag;>value<;tag;>
Following are the regular expression matching rules of the tags:
Golang version: <;(?P<key>[^<;]*?);>(?P<value>[^<]*?)<;[^<;]*?;>
.NET version:   <;(?<key>[^<;]*?);>(?<value>[^<]*?)<;[^<;]*?;>

Bot commands

Tag         | Command | Function
------------|---------|------------------------------------------------
<;head;>    | C       | Used with <;service;> tag
<;service;> | G       | C2 server acceptance
            | p       | (Re)Initialize AES key and Sending Host Info
            | fu      | File upload (from C2 to bot)
            | fd      | File download (from bot to C2)
            | m       | Change the division size per communication
            | u       | Change user-agent
<;title;>   | a:x x   | Item number information of divided communication
<;service;> | rc      | Waiting C2 command
<;body;>    |         | Payload part added to the command

Bot commands samples
Cookie header as sent:
AOyniCcS 1bLTL NuPy0 %2CeDJx 1Q%2Cm0 1zZ8a uj84J VLbRk tYH8v pCeL6 gRkR; D9y5yGqO G B%3AbW%3Ao. Y8GDHj K2QKny WZ2vQZ L1v84h p3P1qT. Z8auj8 4JVLbR ktYH8v pCfbOO ZDq577. LySyuj 30PqHX %2CXho8Z YzBMr8 tQIevh. rxEbIz OVIVRP x9DfH6 duxldn PKi3f4. y%2CI6td RfavbR 67eQVw twTN%3AI HB1vPy. hWzm2f ASQlzB Jiz9pt EzNRQA fRv1mL. pziFHi vzbux9 VA2zkY 8Ve9rz T0u8jb. 1LH0%2Cx WDpcVw TIJjDV 5Dy6Mx GTUarDtVk
Decrypted Cookie header:
<;head;>55/p<;head;><;title;>a:1 0<;title;><;service;>p<;service;>
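The tag syntax, the command table and the decrypted sample above can be turned into a small decoder. The following Go program is an added example, not the authors' PoC and not code from the malware: it applies the Golang-version regular expression from the "Bot commands syntax" slide to an already-decrypted Cookie header, collects the <;key;>value<;key;> pairs, and looks the <;service;> value up in the command table. The function names and the English wording of the command meanings are my own; the RC6 decryption that precedes this step is outside the example, so the input is the decrypted string exactly as the slide shows it.

```go
package main

import (
	"fmt"
	"regexp"
)

// tagRe is the Golang-version matching rule from the slides: every field is
// wrapped as <;key;>value<;key;>. Go's RE2 engine supports the (?P<name>...)
// syntax directly.
var tagRe = regexp.MustCompile(`<;(?P<key>[^<;]*?);>(?P<value>[^<]*?)<;[^<;]*?;>`)

// serviceCommands maps the <;service;> values listed in the bot-command table
// to their meaning (wording is mine, content is the slide's table).
var serviceCommands = map[string]string{
	"G":  "C2 server acceptance",
	"p":  "(re)initialize AES key and send host info",
	"fu": "file upload (from C2 to bot)",
	"fd": "file download (from bot to C2)",
	"m":  "change the division size per communication",
	"u":  "change user-agent",
	"rc": "waiting for C2 command",
}

// ParseTags extracts every <;key;>value<;key;> pair from a decrypted cookie
// header or POST body into a key->value map. A repeated key keeps the last
// value seen.
func ParseTags(decrypted string) map[string]string {
	out := map[string]string{}
	keyIdx := tagRe.SubexpIndex("key")
	valIdx := tagRe.SubexpIndex("value")
	for _, m := range tagRe.FindAllStringSubmatch(decrypted, -1) {
		out[m[keyIdx]] = m[valIdx]
	}
	return out
}

// Describe renders the parsed tags as an analyst-readable line. Values that
// are not in the command table are reported verbatim rather than guessed.
func Describe(tags map[string]string) string {
	svc := tags["service"]
	meaning, ok := serviceCommands[svc]
	if !ok {
		meaning = "unknown service value"
	}
	s := fmt.Sprintf("service=%q: %s", svc, meaning)
	if t, ok := tags["title"]; ok {
		s += fmt.Sprintf("; title=%q (item number of divided communication)", t)
	}
	if h, ok := tags["head"]; ok {
		s += fmt.Sprintf("; head=%q", h)
	}
	if b, ok := tags["body"]; ok {
		s += fmt.Sprintf("; body carries %d bytes of payload", len(b))
	}
	return s
}

func main() {
	// Decrypted Cookie header exactly as shown on the "Bot commands samples" slide.
	sample := "<;head;>55/p<;head;><;title;>a:1 0<;title;><;service;>p<;service;>"
	tags := ParseTags(sample)
	fmt.Println(tags)
	fmt.Println(Describe(tags))
}
```

For the slide's sample this yields head=55/p, title=a:1 0 and service=p, i.e. the bot is in the initial phase where it (re)initializes the AES key and sends host information, which is what the "p means Initial phase" slide in the C2 traffic section states. The same parser applies to the decrypted POST bodies, where the <;body;> tag carries the command or its result.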

C2 traffic communication
[Figure: Bot <-> C2 sequence diagram, steps 1, 1', 2, 2', 3, 3', 4, 4']
We must prepare the hard-coded RC6 key and the changing RSA public key.
There are 4 steps until command & control communication:
1. Bot sends AES iv and Host Information
1'. C2 acceptance
2. Bot sends Host Information
2'. C2 acceptance
3. Bot sends ready signal for RCE
3'. C2 sends RCE
4. Bot sends result of RCE
4'. C2 acceptance

C2 traffic communication - 1
[Figure: Bot -> C2, step 1]
Cookie Header: Infected Host Information in RC6
POST Body: AES iv in RSA public key

C2 traffic communication - 1 (continued)
"p" means Initial phase; Phase 1 of 2

C2 traffic communication - 1 (continued)
[Figure: hex dump of the Infected PC Information] SHA256 hash of NULL

C2 traffic communication - 1 (continued)
[Figure: step 1 request]

C2 traffic communication - 1'
[Figure: C2 -> Bot, step 1']
Cookie Header: C2 Server response in RC6
"G" means just received

C2 traffic communication - 2
[Figure: Bot -> C2, step 2]
Cookie Header: Infected Host Information in RC6
POST Body: Host Information in RSA public key

C2 traffic communication - 2 (continued)
Phase 2 of 2

C2 traffic communication - 2'

C2 traffic communication - 3
[Figure: Bot -> C2, step 3]
Cookie Header: standby to receive C2 Command
POST Body: It looks like no data is included

C2 traffic communication - 3 (continued)
"rc" means standby for receiving C2 command

C2 traffic communication - 3'
[Figure: C2 -> Bot, step 3']
POST Body: C2 Command in AES

C2 traffic communication - 4
[Figure: Bot -> C2, step 4]
Cookie Header: split block number in RC6
POST Body: Result of C2 Command in AES

C2 traffic communication - 4 (continued)
Phase 1 of 1

C2 traffic communication - 4 (continued)
[Figure: command output] The Japanese font is garbled

wellmess C2 traffic simulation DEMO

Important notes
- It is forbidden in Japan to share any form of malicious code without written acknowledgement from and to law enforcement.
- In this demonstration there is a possibility that the PoC code used can be misused to control real, live malware; there is a risk of malicious use if this PoC leaks, so it is considered malicious code.
- Due to the circumstances above, we cannot share the source code used for this demonstration; however, the demonstration itself explains enough detail to prove the concept of the C2 communication traffic/protocol used by wellmess malware.

Prevention and Detection
- C2 traffic connection in network detection
  - wellmess traffic can be detected using Suricata[16] or Snort[17]:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"wellmess C2 traffic detection!"; content:"Accept-Encoding|3a 20|gzip"; content:"POST / HTTP/1.1"; pcre:"/Cookie\x3a [a-zA-Z0-9]{8} /"; content:"Content-Type|3A| application|2F|x-www-form-urlencoded|3b| charset|3d|utf-8"; sid:1000000;)

- Static and dynamic detection
  - YARA[18]: wellmess malware can be detected and identified by the YARA rule (introduced on the next slide)
  - EDR: PowerShell and cmd wellmess execution can be traced by EDR log or process tree
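To make explicit what the Suricata rule above keys on, here is an added Go program (not from the slides or the authors' tooling) that applies the same four conditions to raw HTTP requests: "Accept-Encoding: gzip" and "POST / HTTP/1.1" as substrings (Suricata content matches are substring matches, and |3a 20| is ": "), the pcre for a Cookie header whose first token is exactly eight alphanumeric characters followed by a space, and the exact Content-Type with charset=utf-8. A second function parses the request with net/http to pull out the fields an analyst pivots on after an alert. Both sample requests are constructed for the example (hostnames are placeholders); the first reuses the header shape from the slides and the start of the sample Cookie, the second is an ordinary browser form post.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// cookieRe is the rule's pcre: "Cookie: " followed by an 8-character
// alphanumeric token and a space. The slide's sample cookie starts with
// "AOyniCcS " and therefore matches.
var cookieRe = regexp.MustCompile(`Cookie\x3a [a-zA-Z0-9]{8} `)

// MatchesWellmessRule is a line-by-line translation of the Suricata rule's
// content/pcre conditions onto the raw request text.
func MatchesWellmessRule(raw string) bool {
	return strings.Contains(raw, "Accept-Encoding: gzip") &&
		strings.Contains(raw, "POST / HTTP/1.1") &&
		cookieRe.MatchString(raw) &&
		strings.Contains(raw, "Content-Type: application/x-www-form-urlencoded; charset=utf-8")
}

// TriageFields parses the raw request and returns what an analyst checks
// after an alert: the User-Agent (wellmess hard-codes one per sample, see the
// "Specific User-Agents" slide) and the first space-separated Cookie token.
func TriageFields(raw string) (ua, cookieToken string, err error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", "", err
	}
	ua = req.Header.Get("User-Agent")
	cookieToken, _, _ = strings.Cut(req.Header.Get("Cookie"), " ")
	return ua, cookieToken, nil
}

// Constructed sample: header shape from the slides, not a real capture.
const wellmessLike = "POST / HTTP/1.1\r\n" +
	"Host: c2.example.invalid\r\n" +
	"User-Agent: Mozzila/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0\r\n" +
	"Accept-Encoding: gzip\r\n" +
	"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n" +
	"Cookie: AOyniCcS 1bLTL NuPy0 %2CeDJx 1Q%2Cm0 1zZ8a uj84J\r\n" +
	"Content-Length: 0\r\n\r\n"

// Constructed sample: an ordinary browser login form, used as the negative case.
const benignForm = "POST /login HTTP/1.1\r\n" +
	"Host: www.example.invalid\r\n" +
	"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n" +
	"Accept-Encoding: gzip, deflate\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Cookie: sessionid=7f3a9c; lang=en\r\n" +
	"Content-Length: 20\r\n\r\n" +
	"user=alice&pw=secret"

func main() {
	for name, raw := range map[string]string{"wellmess-like": wellmessLike, "benign": benignForm} {
		fmt.Printf("%-14s rule match: %v\n", name, MatchesWellmessRule(raw))
		if ua, tok, err := TriageFields(raw); err == nil {
			fmt.Printf("%-14s UA=%q first cookie token=%q\n", name, ua, tok)
		}
	}
}
```

The rule matches only on header shape: a POST to the site root with gzip accepted, a form Content-Type that spells out charset=utf-8, and a cookie that is a bare 8-character token rather than a name=value pair. The benign request fails three of the four conditions, but a client that happened to send exactly this header set would alert too, so the signature is a trigger for the YARA and EDR checks on the host rather than a verdict on its own, and the User-Agent returned by TriageFields is the quickest way to tie an alert back to the hard-coded strings listed earlier.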

YARA rules (one case)

For Golang:

    rule wellmess_go {
        meta:
            author = "LAC Co., Ltd."
        strings:
            $mz = { 4D 5A }
            $elf = { 7F 45 4C 46 }
            $str1 = "botlib.FromNormalToBase64"
            $str2 = "botlib.AES_Encrypt"
            $str3 = "botlib.UnpackB"
            $str4 = "botchat.go"
            $str5 = "choise.go"
            $str6 = "wellmess.go"
        condition:
            ($mz at 0 or $elf at 0) and any of ($str*)
    }

For .NET:

    rule chatbot_net {
        meta:
            author = "LAC Co., Ltd."
        strings:
            $mz = { 4D 5A }
            $str = "Start bot" wide
            $str2 = "ROL"
            $str3 = "ROR"
            $str4 = "FromBase64ToNormal"
            $str5 = "FromNormalToBase64"
            $str6 = "SSL"
        condition:
            ($mz at 0) and all of them
    }

EDR tracing for wellmess infection
Windows Defender ATP[19] Machine Timeline
[Figure: machine timeline showing the wellmess process tree]

Conclusion
- wellmess is a RAT coded in GoLang and .NET, controlled by the C2 botnet.
- We have confirmed some cases where wellmess infection was found in targeted organizations, so attacks using the malware may continue in other countries.
- For information sharing with OPSEC on a global scale, you are more than welcome to contact us!

Appendix A - References
...https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_...
...rweb.com/show/?i=10140&lng...
...windowsforbusiness/windows-atp

Appendix B - ...8e844ff7e74f5

Appendix C - Flow chart 1/4 (case of ELF)
[Figure: Initial communication]

Appendix C - Flow chart 2/4 (case of ELF)
[Figure: Receive response & Bot process]

Appendix C - Flow chart 3/4 (case of ELF)
[Figure: Execute Bot Command]

Appendix C - Flow chart 4/4 (case of ELF)
[Figure: Continue Bot Command]

Thank you. Any Questions?
