
How to use NSA's new APT framework DarkPulsar

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article analyzes how DarkPulsar, the NSA's new APT framework, is used. The content is detailed and easy to follow; readers interested in the topic can follow the editor's reasoning below. I hope it is helpful.

Preface

In March 2017, the ShadowBrokers published a classified leak that shocked the world. It included two frameworks: DanderSpritz and FuzzBunch.

DanderSpritz consists entirely of plug-ins for gathering intelligence, exploiting vulnerabilities and manipulating devices that have already been taken over. It is written in Java and provides a graphical interface resembling a botnet management panel, plus a control panel similar to that of Metasploit. It also includes backdoors and plug-ins for devices that are not controlled through FuzzBunch.

DanderSpritz interface (figure)

Overview

FuzzBunch provides a framework in which different utilities interact and work together. It includes various types of plug-ins designed to analyze targets, exploit vulnerabilities, implant tasks and so on. A FuzzBunch plug-in package contains three types of files:

%pluginName%-version.fb

This is the utility file for the framework. It duplicates the header from the XML file and contains the plug-in's ID.

%pluginName%-version.exe

This executable is run when FuzzBunch receives the execute command.

%pluginName%-version.xml

This configuration file describes the names, types and descriptions of the plug-in's input and output parameters; all of this information can be displayed through the FuzzBunch interface. Splitting the plug-in into these file types standardizes the setting of default parameters, which improves the usability of the framework.

ImplantConfig is a FuzzBunch toolkit that contains a management module called DarkPulsar: a plug-in for managing controlled devices and a remote-control backdoor named "sipauth42.tsp".

It supports the following commands:

1. Burn

2. RawShellcode

3. EDFStagedUpload

4. DisableSecurity

5. EnableSecurity

6. UpgradeImplant

7. PingPong

Burn, RawShellcode, UpgradeImplant and PingPong support removing or upgrading the implant, running arbitrary code and checking whether the backdoor is installed on the remote machine. The purpose of the other commands is unclear.

While analyzing DarkPulsar, Kaspersky Lab found several constants used to encrypt the traffic between the administration client and the implant.

Kaspersky believed that these constants could serve as a starting point for further investigation, so they built a detector. A few months later the mysterious DarkPulsar backdoor surfaced, in both 32-bit and 64-bit versions. The researchers found about 50 victims in Russia, Iran and Egypt, typically Windows 2003/2008 servers in organizations in nuclear energy, telecommunications, IT, aerospace and research and development.

DarkPulsar's technical highlights

DarkPulsar's payload is a dynamic library, and its exported functions fall into three groups:

1. Two anonymous functions used to install the backdoor in the system.

2. Functions named after TSPI (Telephony Service Provider Interface) operations, which ensure that the backdoor is present in the autorun list and starts automatically.

3. Functions named after SSPI (Security Support Provider Interface) operations, which are mainly used to run the malicious code.

The SSPI and TSPI implementations are minimal: DarkPulsar's exported functions carry the same names as the interface functions, but instead of performing legitimate telephony service work they run the malicious code.

The dynamic library is installed in the system by the anonymous functions: running with administrator privileges, they call Secur32.AddSecurityPackage with the path of their own library as a parameter, which starts the backdoor. lsass.exe then loads DarkPulsar as an SSP/AP and calls its exported function SpLsaModeInitialize, in which DarkPulsar initializes the backdoor. In other words, AddSecurityPackage is used to inject code into lsass.exe. The installer also adds its library file name under HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers.

As a result, the Telephony API service (TapiSrv) is loaded together with the Remote Access Connection Manager (RasMan) service, whose startup type is set to automatic. When the telephony service provider library is loaded, TapiSrv calls TSPI_lineNegotiateTSPIVersion, which contains the call to AddSecurityPackage that injects the malicious code into lsass.exe.

DarkPulsar implements its malicious functionality by hooking SpAcceptLsaModeContext, the function responsible for authentication. The hook is applied in several system authentication packages inside lsass.exe, which allows DarkPulsar to control the authentication process for the following protocols:

1. Msv1_0.dll - for the NTLM protocol

2. Kerberos.dll - for the Kerberos protocol

3. Schannel.dll - for the TLS/SSL protocol

4. Wdigest.dll - for the Digest protocol

5. Lsasrv.dll - for the Negotiate protocol

After this, DarkPulsar is able to embed its traffic into the system protocols. Because this network activity follows the system standards and appears only in the system process, using the system ports reserved for the protocols above, it does not interfere with their normal operation.

Network traffic of a successful connection to the DarkPulsar implant (figure)

The second advantage of controlling the authentication process is that username and password protection can be bypassed to gain access to objects that require authentication, such as the process list, the remote registry and SMB file systems. After DarkPulsar's DisableSecurity command is sent, the backdoor's hook on the controlled device makes SpAcceptLsaModeContext treat whatever credentials are passed to it as valid, and the system then grants the client access to the protected object.

Using DarkPulsar

Darkpulsar-1.1.0.exe provides a management interface based on the principle of "one command + one launch". The command to be executed must be specified in the configuration file Darkpulsar-1.1.0.9.xml or as a command line argument, together with at least the following details:

1. Whether the target machine runs a 32-bit or 64-bit system

2. The protocol (SMB, NBT, SSL or RDP are supported) over which commands are delivered, and the port number

3. The private RSA key used to decrypt the session AES key

Darkpulsar-1.1.0 is a plug-in for the FuzzBunch framework, which manages parameters and coordinates the different components. Below is an example of the DisableSecurity command in FuzzBunch:

Below is an example of the process list after running DisableSecurity, which allows any plug-in to be executed without valid credentials and to operate through ordinary system functions (the remote registry service):

DanderSpritz

DanderSpritz is a framework for controlling infected machines. It differs from FuzzBunch, which provides only a limited toolkit for the post-exploitation stage with specific functions such as DarkPulsar's DisableSecurity and EnableSecurity.

DanderSpritz supports a wider range of backdoors; it uses PeddleCheap on the controlled device to launch the attacker's malware. PeddleCheap is a DanderSpritz plug-in that configures implants and connects to infected machines. Once the connection is established, all of DanderSpritz's post-exploitation features become available.

This is how DarkPulsar in EDFStagedUpload mode infects a device by implanting malware: PCDllLauncher (a FuzzBunch plug-in) deploys the PeddleCheap implant on the controlled device, and DanderSpritz provides a user-friendly post-exploitation interface. Hence the full name of PCDllLauncher is 'PeddleCheap DLL Launcher'.

Four steps are needed to combine the DanderSpritz framework, the PeddleCheap plug-in, the DarkPulsar plug-in and PCDllLauncher into a working malicious chain:

1. From FuzzBunch, run the command EDFStagedUpload to start DarkPulsar.

2. In DanderSpritz, run the command pc_prep (PeddleCheap Preparation) to prepare the malicious code and the library file to be started.

3. In DanderSpritz, run the command pc_old (the default alias for the command pc_listen -reuse -nolisten -key), which sets it to wait for a socket from Pcdlllauncher.

4. Start Pcdlllauncher through FuzzBunch and specify the valid path prepared with the command pc_prep in the ImplantFilename parameter.

DanderSpritz file system plug-in (figure)

Summary

The FuzzBunch and DanderSpritz frameworks offer a great deal of flexibility and include many plug-ins designed for different tasks, such as the FuzzBunch plug-ins for monitoring and attacking devices and the DanderSpritz plug-ins for managing infected victims.

The discovery of the DarkPulsar backdoor helps to understand its role as a bridge between the two leaked frameworks and shows how they became parts of the same attack platform. These platforms are designed for long-term stealthy attacks, and the expertise of the developers behind them can be seen in DarkPulsar's persistence and stealth capabilities, such as encapsulating its traffic in legitimate protocols and bypassing password protection for authentication.

Detecting malicious network activity

When EDFStagedUpload is executed on an infected computer, a persistent connection is established, which is why traffic on port 445 appears. A pair of bound sockets also appears in lsass.exe:

When DanderSpritz deploys the malicious code from PeddleCheap through the PcDllLauncher plug-in, network activity increases dramatically:

When the connection to the infected computer is terminated, network activity stops and only the two bound sockets in lsass.exe are left:
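The observation above, that DarkPulsar's sockets live inside lsass.exe and that activity surges during a PeddleCheap deployment, can be checked from the host side. The script below is an added example; it is not part of this article or of Kaspersky's report. It lists the TCP endpoints that lsass.exe owns and samples them twice so a change in their number is visible. Get-NetTCPConnection comes with the NetTCPIP module on Windows 8 / Server 2012 and later; on the Windows 2003/2008 servers mentioned above, the same information comes from netstat -ano with the lsass.exe PID. The list of ports a domain controller's lsass.exe legitimately listens on is my assumption, not page data.

```powershell
# Added example (not from the article or Kaspersky's report): enumerate TCP endpoints
# owned by lsass.exe, where the article says the DarkPulsar backdoor's bound sockets appear.
# Caveat: on a domain controller lsass.exe legitimately listens on the Kerberos/LDAP ports
# below (assumed baseline), so those listeners are shown but not flagged.

$DomainControllerPorts = @(88, 389, 464, 636, 3268, 3269)

function Get-LsassSockets {
    $lsassIds = @(Get-Process -Name lsass -ErrorAction Stop | Select-Object -ExpandProperty Id)
    Get-NetTCPConnection -OwningProcess $lsassIds -ErrorAction SilentlyContinue | ForEach-Object {
        $isDcListener = ($_.State -eq 'Listen') -and ($DomainControllerPorts -contains $_.LocalPort)
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            # Anything lsass.exe owns that is not a known DC listener deserves an analyst's look.
            Flag          = if ($isDcListener) { '' } else { 'REVIEW' }
        }
    }
}

# Sample twice a few seconds apart: a jump in the number of lsass.exe endpoints, or a bound
# socket that stays while port 445 sessions come and go, matches the pattern described above.
$first  = @(Get-LsassSockets)
Start-Sleep -Seconds 10
$second = @(Get-LsassSockets)

$second | Format-Table -AutoSize
$flagged = @($second | Where-Object { $_.Flag -eq 'REVIEW' }).Count
"lsass.exe TCP endpoints: $($first.Count) -> $($second.Count) ($flagged flagged for review)"
```

A workstation's lsass.exe normally owns no TCP endpoints at all, so on a non-domain-controller any row in this output is worth correlating with the IoCs below; on a domain controller, compare the flagged rows against the host's known role before drawing conclusions.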

IOC

Implant - 96f10cfa6ba24c9ecd08aa6d37993fe4

File path - %SystemRoot%\System32\sipauth42.tsp

Registry - HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers
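The three indicators above map directly onto the persistence mechanism described earlier (the Telephony\Providers registration that TapiSrv loads, and the library that ends up inside lsass.exe via AddSecurityPackage). The triage script below is an added example, not code from this article or from Kaspersky; it checks a host for the published file path and MD5, for telephony providers outside the stock set, and for modules inside lsass.exe that are not Microsoft-signed or that carry a .tsp extension. The list of telephony providers that ship with Windows is my assumed baseline and should be confirmed against a clean build; the hash, path and registry key come from the IOC list above. Run it from an elevated PowerShell session, since reading lsass.exe's module list requires it.

```powershell
# Added triage script (not from the article or Kaspersky's report). Looks for the DarkPulsar
# artifacts described on this page. Run elevated. Every finding is a lead, not a verdict.

$ImplantMd5   = '96f10cfa6ba24c9ecd08aa6d37993fe4'                   # from the article's IOC list
$ImplantPath  = Join-Path $env:SystemRoot 'System32\sipauth42.tsp'     # from the article's IOC list
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers'

# Telephony service providers that ship with Windows (assumed baseline; verify on a clean host).
$KnownTsp = @('unimdm.tsp', 'kmddsp.tsp', 'ndptsp.tsp', 'hidphone.tsp', 'h323.tsp', 'ipconf.tsp', 'remotesp.tsp')

function Invoke-DarkPulsarTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. File IoC: does the implant path exist, and does its MD5 match the published hash?
    if (Test-Path -LiteralPath $ImplantPath) {
        $hash = (Get-FileHash -LiteralPath $ImplantPath -Algorithm MD5).Hash.ToLower()
        $sev  = if ($hash -eq $ImplantMd5) { 'HIGH' } else { 'MEDIUM' }
        $findings.Add("[$sev] $ImplantPath present, MD5 $hash")
    }

    # 2. Persistence IoC: TapiSrv loads every ProviderFileNameN value at service start,
    #    so any provider outside the stock set deserves a look.
    if (Test-Path -LiteralPath $ProvidersKey) {
        $props = Get-ItemProperty -LiteralPath $ProvidersKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'ProviderFileName*') { continue }
            $file = [System.IO.Path]::GetFileName([string]$p.Value).ToLower()
            if ($KnownTsp -notcontains $file) {
                $findings.Add("[MEDIUM] Non-standard telephony provider: $($p.Name) = $($p.Value)")
            }
        }
    }

    # 3. Runtime check: a .tsp library, or any module that is not Microsoft-signed, inside lsass.exe.
    #    A TSP belongs in the TapiSrv host process; seeing one in lsass.exe matches the SSP/AP injection
    #    described in the article.
    $lsass = Get-Process -Name lsass -ErrorAction SilentlyContinue
    if ($lsass) {
        foreach ($m in $lsass.Modules) {
            $sig  = Get-AuthenticodeSignature -FilePath $m.FileName
            $isMs = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Microsoft')
            if ($m.FileName -like '*.tsp' -or -not $isMs) {
                $findings.Add("[HIGH] Suspicious module in lsass.exe: $($m.FileName) (signature: $($sig.Status))")
            }
        }
    }

    if ($findings.Count -eq 0) { $findings.Add('[INFO] No DarkPulsar indicators found') }
    return $findings
}

Invoke-DarkPulsarTriage
```

Because the implant's exported functions are named after real TSPI and SSPI entry points, file names alone are a weak signal; the signature check in step 3 is what separates a renamed implant from a legitimate provider, and the hash in step 1 only catches the exact sample Kaspersky published.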

That is all on how the NSA's new APT framework DarkPulsar is used. I hope the content above is useful; to learn more, please keep following the editor's updates. Thank you for following the website!


© 2024 shulou.com SLNews company. All rights reserved.
