RTM: SINK-HOLING THE BOTNET - Botconf 2021-2022

Transcription

RTM: SINK-HOLING THE BOTNET

WHO WE ARE

Semyon Rogachev, Malware analyst
- 4 years in malware analysis and incident response
- Strong skills in reverse engineering
- Author and co-author of Group-IB ransomware reports

Rustam Mirkasymov, Threat Intelligence analyst
- 8 years in cyber threat research and threat intelligence
- Strong skills in reverse engineering, knowledge in exploit development and understanding of software vulnerability mechanisms
- Author / co-author of numerous APT threat reports (including Lazarus, Silence, Cobalt, Moneytaker, RedCurl)
- Twitter: @Ta1ien

GROUPS EVOLUTION

Most of the banking hacking groups in 2008-2017 were Russian speaking.

GROUPS EVOLUTION

FIRST STAGE - RECONNAISSANCE MODULE
Phishing emails contain a reconnaissance module, which checks whether any indicators of financial activity are present on the infected host.

SECOND STAGE - RTM CORE
If indicators of financial activity were found, the RTM core module is downloaded from the C2 server. Otherwise some common malware, like Pony Stealer, is downloaded.

THIRD STAGE - RTM MODULES
RTM Core collects additional information about the infected host, then downloads and executes modules, which are used for network reconnaissance, lateral movement and money stealing.

RTM ATTACK OVERVIEW

Diagram elements: C&C server; compromised email servers; phishing domain names; phishing emails with the RTM reconnaissance module attached; RTM Recon (reconnaissance); RTM Core with modules; compromised websites for financial specialists.

FIRST STAGE - RECONNAISSANCE MODULE
Phishing emails contain a reconnaissance module, which checks whether any indicators of financial activity are present on the infected host.

SECOND STAGE - RTM CORE
If indicators of financial activity were found, the RTM core module is downloaded from the C2 server. Otherwise some common malware, like Pony Stealer, is downloaded.

THIRD STAGE - RTM MODULES
RTM Core collects additional information about the infected host, then downloads and executes modules, which are used for network reconnaissance, lateral movement and money stealing.

FIRST STAGE - RECONNAISSANCE

The RTM reconnaissance module checks browser history to find traces of the following remote banking services:
online.sberbank, bps-sber, bco.vtb24.ru, dbo.vtb, bco.vtv.24, link.alfabank, click.alfabank, ibank.alfa-bank.by, rnunion, elba.raiffeisen, elbrus.Raiffeisen

FIRST STAGE - RECONNAISSANCE

The RTM reconnaissance module checks the file system to find traces of the following financial software categories: 1C, SBERBANK, FTC GPK, WEBMONEY, CRYPTO.
Files searched for: 1cv7.exe, 1cv7l.exe, 1cv8.exe, wclnt.exe, _ftcgpk.exe, webmoney.exe, wallet.dat, wallet.dll, qiwicashier.exe

SECOND STAGE - CORE MODULE

After the reconnaissance module has acquired and run RTM Core, it is capable of executing the following commands:

Command: Description
...odule: Uninstalls module
hosts-clear: Removes all records from the hosts file
find-files: Scans the filesystem for the specified file
cfg-set-*: Commands to manipulate RTM settings
download: Uploads a specified file to the C&C
screenshot: Creates a screenshot every 5 seconds
unload: Closes the main window of the RTM
dns: Gets/sets DNS servers via WMI
uninstall: Stops all activities and removes itself
auto-elevate: UAC bypass
uninstall-lock: Erases the MBR, removes itself
reload: Restarts the RTM
shutdown: Shuts down the infected host
cc: Sets a new C&C address
reboot: Reboots the infected host
get-cc: Sends the list of C&C addresses
hosts-add: Adds records to the hosts file
botnet-id: Sets a new bot ID

SECOND STAGE - CORE MODULE (continued)

Command: Description
prefix: Sets a new bot prefix
connect-interval: Sets the pause between C&C communications
dbo-scan: Scans for usage of banking services
kill-process: Terminates the specified process
video-process: Starts a video recording thread
video-stop: Stops the video recording thread
msg: Shows a message box

THIRD STAGE - RTM MODULES

At the third stage additional modules are used. During the tracking of the RTM group, the following modules were detected:
1c 2 kl, chrome hst, persist, 445scan, lpe wnd, pony, alfa scan, domain, proc lock, anti mse, ffardp, arp scan, flash grab, lpe evtvwr, bdata, lock ie, mimi, bss hide, inj phone, prc list, chrome pw, mitm, stealer

TYPICAL ATTACK SCHEMES

RDP OR TEAMVIEWER
The most frequently seen attack scheme nowadays. A modified version of TeamViewer is uploaded to the infected host, which allows the operators to transfer money directly, for example, via the browser.

1C 2 KL MODULE
Used to be a frequently used method, but it is almost gone right now. It modifies the 1C banking software process in order to modify the 1c 2 kl.txt file, which stores the payment data.

RANSOMWARE
Following modern trends, RTM is capable of deploying ransomware. During our monitoring of RTM activity, at least 4 different ones were deployed on the compromised machines.

C&C ADDRESS COMPUTATION

LIVEJOURNAL
The first tracked versions of RTM used LiveJournal blogs to store the C&C addresses, for example «f72bba81c921.livejournal.com», where the encrypted C&C address is wrapped in [ botnet-id ] ... [/ botnet-id ] tags.

BIT DOMAINS
Newer versions of RTM use .bit domains as addresses of the C&C servers. The IP addresses of .bit domains are stored using the Namecoin technology.

BITCOIN
The newest versions of RTM compute the C&C server address from the transaction data of a specific Bitcoin wallet.

BITCOIN BASED ALGORITHM

Wallets used:
RECON: 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ
CORE: 1CeLgFDu917tgtunhJZ6BA2YdR559Boy9Y

BLOCKCYPHER API
The Blockcypher API is leveraged to obtain information about the transactions of the specific wallet.

C&C ADDRESS IN TRANSACTION VALUE
After obtaining the transaction information, RTM extracts the values of the last 2 transactions and interprets them as IP address octets.

NO ADDITIONAL TRANSACTION DATA CHECK
RTM has not been checking which wallet the currency was received from, which made it possible to sinkhole the botnet.


BITCOIN BASED ALGORITHM

Example for better understanding: 5th December, resolved C&C address 91.200.103.138.

TRACKING C&CS

C&C IS JUST A PROXY

nginx configuration found on the C&C host (logging disabled, everything forwarded to the real back end):

    access_log /dev/null;
    error_log /dev/null;
    server {
        listen *:80;
        location /index.php {
            proxy_set_header Accept-Encoding "";
            #proxy_set_header Host $http_host;
            #proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_connect_timeout 600;
            proxy_send_timeout 600;
            proxy_read_timeout 600;
            send_timeout 600;
            proxy_pass http://91.200.103.39/index.php;
        }
        location / { return 404; }
    }

SINK-HOLING

What we observed:
- All C&Cs are proxies
- A new C&C is deployed every 2-3 days
- No validation of the transaction source

What we did:
- Deploy a server which redirects data to the actual C&C server
- Run a sniffer and collect all the traffic
- Write code that decrypts the traffic
- Make transactions right after the adversary
- Identify victims and notify them
- Provide collected data to LE

TESTING ATTEMPT

Transaction should be 0.00000540.
Test address: 5.2.67.50
Higher fee, faster the confirmation.
0x205 = 0.00000517, compared with 0.00000540.
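The value-to-octet mapping from the BITCOIN BASED ALGORITHM and TESTING ATTEMPT slides, worked through as an added example (this is not the presenters' code). The slide's own figure, 0x205 = 0.00000517 BTC for the address 5.2.67.50, fixes the byte order: the low byte of the satoshi value is the earlier octet. Everything else is an assumption made for the example: that the earlier of the two transactions carries the first octet pair, that transactions are ordered by block height and then by the time they were first seen, and the constructed transaction list, which reproduces the 91.200.103.138 example and the out-of-order arrival problem from the DAY X slide.

```python
"""Decode/encode an RTM-style C&C address carried in Bitcoin transaction values.

Added example, not the presenters' code.  Byte order is taken from the slide
(5.2 -> 0x0205 = 517 satoshi); the transaction ordering and the sample
transactions are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DUST_LIMIT_SAT = 540      # slide: "Transaction should be 0.00000540" BTC
SAT_PER_BTC = 100_000_000


def octets_to_value(first: int, second: int) -> int:
    """Two octets -> satoshi value, low byte first (5.2 -> 0x0205 = 517)."""
    for o in (first, second):
        if not 0 <= o <= 255:
            raise ValueError(f"bad octet {o}")
    return first | (second << 8)


def value_to_octets(value: int) -> Tuple[int, int]:
    """Satoshi value -> (earlier octet, later octet); values above 0xFFFF are invalid."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"value {value} does not fit two octets")
    return value & 0xFF, value >> 8


def ip_to_values(ip: str) -> List[int]:
    """IPv4 string -> the two satoshi amounts a sinkhole operator would have to send."""
    o = [int(p) for p in ip.split(".")]
    if len(o) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    return [octets_to_value(o[0], o[1]), octets_to_value(o[2], o[3])]


def values_to_ip(older_sat: int, newer_sat: int) -> str:
    """Two transaction values (older first) -> dotted IPv4 string."""
    a, b = value_to_octets(older_sat)
    c, d = value_to_octets(newer_sat)
    return f"{a}.{b}.{c}.{d}"


def below_dust(values: List[int]) -> List[int]:
    """Amounts under the minimum output size; such an octet pair cannot be sent as-is
    (the slide's 5.2 -> 517 satoshi case)."""
    return [v for v in values if v < DUST_LIMIT_SAT]


def as_btc(sat: int) -> str:
    return f"{sat / SAT_PER_BTC:.8f}"


@dataclass(frozen=True)
class Tx:
    value_sat: int
    block_height: Optional[int]   # None = not yet confirmed
    received: int                 # epoch seconds when first seen (assumed field)


def resolve_c2(txs: List[Tx]) -> Optional[str]:
    """Decode the address from the last two *confirmed* transactions in chain order.

    Unconfirmed payments are ignored because, as the DAY X slide notes, they
    cannot be observed by the bot; ordering by block height avoids the
    'wrong sequence' problem when a later-sent transaction is mined first.
    """
    confirmed = [t for t in txs if t.block_height is not None]
    if len(confirmed) < 2:
        return None
    confirmed.sort(key=lambda t: (t.block_height, t.received))
    older, newer = confirmed[-2], confirmed[-1]
    return values_to_ip(older.value_sat, newer.value_sat)


# Constructed sample: an unrelated older payment, the two octet-pair payments
# mined in the opposite order from how they were sent, and one unconfirmed tx.
SAMPLE_TXS = [
    Tx(value_sat=60000, block_height=700_000, received=1_638_000_000),
    Tx(value_sat=35431, block_height=700_010, received=1_638_700_100),  # 103.138, mined later
    Tx(value_sat=51291, block_height=700_009, received=1_638_700_200),  # 91.200, mined earlier
    Tx(value_sat=517,   block_height=None,    received=1_638_700_300),  # unconfirmed, ignored
]

if __name__ == "__main__":
    print("resolved C&C:", resolve_c2(SAMPLE_TXS))            # 91.200.103.138
    vals = ip_to_values("5.2.67.50")
    print("5.2.67.50 ->", [hex(v) for v in vals], [as_btc(v) for v in vals])
    print("too small to send:", below_dust(vals))             # [517]
```

Running the block reproduces both slide figures: 91.200.103.138 decodes from values 51291 and 35431, and the test address 5.2.67.50 needs a first payment of 0x205 = 517 satoshi, which is below the 540-satoshi minimum, so that octet pair cannot be placed in a standard transaction without changing the address.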

DAY X

(Figure: the transactions on the wallet are shown with 1 confirmation, 1 confirmation, not confirmed, and 2 confirmations.)

We transferred money with the minimal fee. Every transaction should be confirmed by some number of other members of the blockchain; otherwise it stays unconfirmed and cannot be observed. As a result, our transfers came to the wallet in the wrong sequence.

OVERALL STATISTIC

Figures shown on the slide: 553683762, 562.
Labels: LE of different countries were involved; Communicating hosts; Compromised machines identified; Years the botnet was alive; Different languages were installed on bots; Years it took to collect enough evidence and make arrests.


To fight effectively against cybercrime, LE agencies should collaborate.
