2025-02-23 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
In this issue, the editor walks through how to analyze an APT Trojan using the threat intelligence cycle model. The article is detailed and approaches the subject from a professional point of view; I hope you take something away from it.
On the threat intelligence processing cycle model
The term "threat intelligence processing cycle" (F3EAD) originates from the military: it is a method designed by the United States Army to help commanders at all levels of the main combat arms organize resources and deploy troops. Borrowing this method, the Network Emergency Response Center processes threat intelligence in the following six stages:
Threat intelligence processing cycle F3EAD
Step 1 of applying the threat intelligence processing cycle model: Find
On a certain day, the "Onion" system deployed on a partner's public cloud server raised an alert for a suspected Trojan program, so the emergency response team quickly started the emergency response process:
Stakeholders are pulled into an incident group chat with one click and joined by phone.
The victim system is quarantined pending investigation.
Security system and audit logs are exported for traceability analysis.
Data on the business system architecture and code is prepared, to be analyzed for the intrusion entry point and the affected scope.
Step 2: Fix (positioning)
According to the audit records of the security system, another *.ko file was found in the malicious file directory; it had been sent from another server via scp.
It can thus be seen that the attacker first obtained privileges on a vulnerable server, then used scp to copy the Trojan files to machines reachable from the compromised server, including the current victim, and installed them to take control.
Next, we focus on analyzing this group of Trojan files. Following the naming rules of AV vendors (Appendix 1), we tentatively name it "Backdoor Linux.Rmgrange rootkit", where "rmgr" comes from the prefix used by multiple functions in the Trojan code.
2.1 Trojan files
At present, the Trojan consists of four parts, whose functions are briefly described as follows:
2.2 Trojan workflow
From implantation to operation, including possible subsequent lateral movement, the Trojan uses a variety of techniques to hide itself; without a security system it is difficult to discover. The Trojan also implements many anti-detection measures, so conventional security monitoring may not detect it. Its running process is briefly described as follows:
Trojan work flow
2.3 Main functions of each part of the Trojan
1. rmgr.ko
The rootkit is an ordinary LKM kernel module. The main actions after loading are listed one by one below.
1) proc_create_data creates a virtual file /proc/.dot3 for subsequent interaction with the user-mode Trojan components.
2) register_kprobe registers 4 kprobe structures: kp_kallsyms_lookup_name, krp_alloc_pid, kp_do_exit and kp_seq_path. Through these kprobes the rootkit intercepts the system's execution of these functions and erases traces of the Trojan in advance.
3) The handler functions registered in the above kprobe structures, together with fake_seq_path, are used to remove the Trojan from the kernel process list.
4) When the system reads the /proc/net/tcp file, the read is processed by fake_seq_show to erase the Trojan's network connections.
5) vfs_readdir is patched in fake_sys_getdents to erase all information related to the Trojan.
6) When the system accesses files related to the Trojan, the access is handled by fake_filldir, which returns the real or the filtered result depending on whether the caller is the Trojan itself.
7) Deletes itself from the kernel module list, and kobject_del deletes its own kernel object.
8) kthread_create creates the kernel thread dot_thread.
- Creates the kernel module autostart file /etc/sysconfig/modules/ati_remote3.modules
- Writes the kernel module file /lib/modules/%s/kernel/drivers/input/misc/ati_remote3.ko
- Releases the rmgr_fake_libc.so file to disk
- Releases the rmgr_daemon file to disk and runs it via call_usermodehelper_exec under the process name "[khelper]".
2. rmgr_fake_libc.so
This shared library file, released by the kernel rootkit, is written to disk at the path /tmp/.tmp_{21 random alphanumeric characters}; it is used to hide the behavior of the Trojan's user-mode processes.
The functions with the subhook prefix are taken from the subhook source code (Appendix 2). For details, see GitHub; they are not repeated in this article.
The functions with the fake prefix are mainly used to defeat the process and command auditing of common HIDS. fork and execve are invoked directly through syscall instead of the glibc wrappers, evading HIDS that hook glibc.
fake_bash_add_history disables bash command history auditing.
3. rmgr_daemon
This process is released by rmgr.ko and written to disk at the path /tmp/.tmp_{21 random alphanumeric characters}. It is developed in C++ and compressed with the UPX packer; it can be unpacked directly with the open source tool (upx -d rmgr_daemon) without any special handling.
Its main functions are:
1) Monitor the status of the kernel module and exchange information with the kernel rootkit
2) Update
3) Generate rmgr_fake_sshd and patch the ELF to modify its dependent dynamic libraries, i.e. add rmgr_fake_libc.so, whose function is described above
(Code screenshots: get the path from the kernel; return path; patch ELF)
4) Connect to the C2 hm2.yrnykx.com
5) Manage rmgr_fake_sshd
The patchELF code is taken from GitHub NixOS/patchelf (Appendix 3).
4. rmgr_fake_sshd
This file is written to disk by rmgr_daemon at the path /tmp/.tmp_{21 random alphanumeric characters}, and its operation is managed by rmgr_daemon.
As a backdoor, it hard-codes a PRIVATE KEY, as shown below:
Because some functions are hooked via the patched ELF, it hides command execution and other behavior after ssh login. rmgr_fake_sshd itself, and the child processes spawned by the ssh login, are hidden by rmgr.ko through the patched kernel calls described in the analysis above.
A hard-coded sshd_config is loaded when rmgr_fake_sshd starts; note several key settings. It listens on local port 26657, and rmgr_daemon connects to this port to forward ssh traffic to the C2. By wrapping the traffic in network protocols that fit the business environment, the conventional NIDS detection logic is bypassed.
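The host artifacts described in sections 2.3.1 to 2.3.4 (the /tmp naming rule, the ati_remote3 persistence paths, the 26657 local listener and the two MD5 hashes) can be checked with a small hunting script. This is an added example, not code from the article or from the incident response team, and the function names are my own; because the rootkit filters /proc views on a live infected kernel, run it against a mounted disk image or the exported audit logs.

```python
import hashlib, os, re
from pathlib import Path

# Indicators from the article: the two MD5 hashes, rmgr_fake_sshd's local
# C2-forwarding port, the /tmp naming rule and rmgr.ko's persistence paths.
IOC_MD5 = {"7d859a22f38f0bcd55a46bc8b67c40df", "fa73b2fd914a0cfd5e7d3161af903b6c"}
C2_FORWARD_PORT = 26657
TMP_NAME_RE = re.compile(r"^\.tmp_[A-Za-z0-9]{21}$")
PERSISTENCE_PATHS = ["/etc/sysconfig/modules/ati_remote3.modules", "/proc/.dot3"]

def kernel_module_path(release):
    """Where rmgr.ko writes its own copy for the given `uname -r` release."""
    return f"/lib/modules/{release}/kernel/drivers/input/misc/ati_remote3.ko"

def suspicious_tmp_names(names):
    """/tmp entries matching the rootkit's .tmp_<21 alphanumerics> naming rule."""
    return sorted(n for n in names if TMP_NAME_RE.match(n))

def listeners_on_port(proc_net_tcp_text, port=C2_FORWARD_PORT):
    """Parse /proc/net/tcp text; return local sockets in LISTEN (st 0A) on `port`."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A" and int(local.split(":")[1], 16) == port:
            hits.append(local)
    return hits

def md5_matches_ioc(path):
    """True if the file's MD5 is one of the article's two IoC hashes."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest() in IOC_MD5

# Constructed sample: a /proc/net/tcp excerpt with a listener on 26657 (0x6821)
# and an unrelated sshd listener on port 22 (0x0016).
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
    "   0: 0100007F:6821 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1000 0 12345 1\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000    0 0 12346 1\n"
)

if __name__ == "__main__":
    # Live scan of this host (IPv4 only; add /proc/net/tcp6 for IPv6 listeners).
    found = [p for p in PERSISTENCE_PATHS + [kernel_module_path(os.uname().release)]
             if os.path.exists(p)]
    print("persistence artifacts:", found)
    print("tmp artifacts:", suspicious_tmp_names(os.listdir("/tmp")))
    print("listeners on %d:" % C2_FORWARD_PORT,
          listeners_on_port(Path("/proc/net/tcp").read_text()))
```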
Step 3: Finish (eliminate)
This mainly refers to hardening so that attackers cannot break in again the same way. The specific measures are as follows:
Harden the entry point: patch updates and ACL hardening.
Operation and maintenance channel: deactivate old accounts, change the server accounts on the attack path, and apply two-factor authentication.
Limit the scope of accessible systems according to the user's role.
Dump the victim system and save the virtual machine image for further examination.
Reinstall the victim system and redeploy the business environment.
Require signature verification for loading kernel modules on the new system.
Step 4: Exploit (use)
After the emergency response work is complete and the incident scene and artifacts have been analyzed, the key information extracted from the whole incident is distilled into threat intelligence. In this paper, the content of the threat intelligence pyramid model is reduced to two parts, IoCs and TTPs, with TTPs summarized using the ATT&CK matrix model.
Threat intelligence pyramid model
1. IoCs
1) MD5:
7d859a22f38f0bcd55a46bc8b67c40df
fa73b2fd914a0cfd5e7d3161af903b6c
2) C2:
hm2.yrnykx.com
2. TTPs
Step 5: Analyze
As can be seen from the TTPs in the previous section, the ATT&CK matrix cannot fully cover all the concealment techniques the Trojan uses against the security system.
A rough classification of its concealment techniques (process, network, file) includes:
C2 traffic evades NIDS detection through fake_sshd
HIDS command auditing that hooks libc is bypassed via patchELF
Shell auditing is disabled through fake_bash_add_history
By patching seq_show to modify what the system returns when reading files under /proc, Trojan-related files, processes and network connection information are concealed.
Trojan files are hidden by patching vfs_readdir
By removing itself from the kernel process and module lists, the Trojan's traces in the kernel evade rootkit detection tools.
It can be seen that this Trojan set has many technical details aimed at defeating security systems, but they mainly target some well-known older HIDS and after-the-fact forensic tools on the market. It can still be found through syscall hooks and inotify plus cloud scanning of processes spawned from kernel mode.
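One way to catch the readdir/filldir hiding listed above is a cross-view check: compare the PIDs that readdir reports for /proc with the PIDs found by stat-ing every /proc/<pid> directly, since a path lookup does not pass through filldir. This is an added example, not code from the article; the `proc` parameter exists so the functions can be pointed at a copied procfs tree, and a rootkit that also hooks the lookup path or seq_show (as rmgr.ko does for several readers) can still defeat it, which is why the author recommends detection from outside the infected kernel.

```python
import os

def cross_view_hidden(listed, probed):
    """PIDs reachable by direct probing but missing from the readdir view of /proc."""
    return sorted(set(probed) - set(listed))

def listed_pids(proc="/proc"):
    """The readdir()/filldir view, i.e. what `ls /proc` and ps see."""
    return [int(name) for name in os.listdir(proc) if name.isdigit()]

def is_thread_group_leader(pid, proc="/proc"):
    """/proc/<tid> resolves for plain threads although readdir never lists them,
    so keep only thread-group leaders (Tgid == pid) to avoid false positives."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True  # unreadable status: keep it, the rootkit may be blocking access

def probed_pids(pid_max, proc="/proc"):
    """Brute-force view: stat /proc/<pid> for every possible pid. A path lookup
    does not pass through filldir, so hooking only the listing cannot hide it."""
    alive = []
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"{proc}/{pid}")
        except FileNotFoundError:
            continue
        if is_thread_group_leader(pid, proc):
            alive.append(pid)
    return alive

def read_pid_max(path="/proc/sys/kernel/pid_max"):
    with open(path) as fh:
        return int(fh.read())

if __name__ == "__main__":
    # Probe twice around the listing: a pid that starts or exits between the
    # two views is ordinary process churn, not something hidden.
    first = probed_pids(read_pid_max())
    listed = listed_pids()
    second = set(probed_pids(read_pid_max()))
    for pid in cross_view_hidden(listed, [p for p in first if p in second]):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        print(f"hidden pid {pid} ({comm})")
```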
The confrontation Dimension between Trojan Horse and Security system
A complete Trojan system is not developed for just one penetration intrusion; it is bound to borrow from a lot of open source or family code. So from a traceability point of view, we can do code "archaeology" and add the relevant code style and Trojan behavior to the security system's feature library. For reasons of space, this is not covered further here.
Step 6: Disseminate (spread)
Dissemination is this article itself.
Summary
In practice, the order of the actual incident response process cannot be completely consistent with the process above. However, the author believes that following a complete set of procedures can be regarded as a successful conclusion of security incident handling. In fact, the F3EAD process pays more attention to taking intelligence from analysis to application (improving security countermeasures), especially the repeated iterations in the "analyze" phase.
Analysis phase of the F3EAD cycle (iteration)
From cold intelligence to landing in improvements to the security capability of our own security system: that is where the real value of threat intelligence is realized.
The above is the analysis of an APT Trojan based on the threat intelligence cycle model shared by the editor. If you have similar questions, the above analysis may help. To learn more, you are welcome to follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.