Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,

Slides:



Advertisements
Similar presentations
Decision Group Forensics Investigation Toolkit (FIT) Layer 7 Content Reconstruction Tool.
Advertisements

Being Proactive and Less Reactive in Security Operations and Cyber Attack Response Christina Raftery, MCSE, CISSP FBI Los Angeles Field Office.
Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)
MIRAGE MALWARE SIDDARTHA ELETI CLEMSON UNIVERSITY.
Jeffrey Bernardino Nikko Tamaña Stealth by Legitimacy: Malware’s Use of Legitimate Services 2012 年 5 月 2 日.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.
國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage.
CHINESE HACKERS. Where do they come from? In 2007 private security firm Mandiant was hired by the New York Times to trace cyber-attacks on their network.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Threat Intelligence with Open Source tools Cornerstones of
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.
MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.
Automated Malware Analysis
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Norman SecureSurf Protect your users when surfing the Internet.
Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.
Hands-on: Capturing an Image with AccessData FTK Imager
Advanced Persistent Threats CS461/ECE422 Spring 2012.
Forensic and Investigative Accounting
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
A Comprehensive Guide to Mobile Targeted Attacks (and What Can You Do About It) Ohad Bobrov, CTO twitter.com/LacoonSecurity.
APT29 HAMMERTOSS Jayakrishnan M.
Malware Hunter How To Guide for SecurityCenter Continuous View™
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
What is FORENSICS? Why do we need Network Forensics?
Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.
WHAT IS VIRUS? NAE GRAND CHALLENGE SECURE CYBERSPACE.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.
Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.
Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics 
ANTIVIRUS SOFTWARE.  Antivirus software is the most widespread mechanism for defending individual hosts against threats associated with malicious software,
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
TASHKENT UNIVERSITY OF INFORMATION TECHNOLOGIES Lesson №18 Telecommunication software design for analyzing and control packets on the networks by using.
Cyber Espionage Chien-Chung Shen
Sky Advanced Threat Prevention
AQA A2 COMP 3: Internet Security. Lesson Aim By the end of the lesson: By the end of the lesson: Describe different security issues and recommend tools/techniques.
BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.
Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August
RAT-based APT Detection for Provenance Graph Analytics
Rapid Detection & Incident Response What, Why and How March 2016 Ft Gordon.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
Mac OS X backdoor Trojan, now in beta? 報告人:劉旭哲. Introduction It targets users of Mac OS X As even the malware itself admits, it is not yet finished. It.
Managing End Point Security Starts at the Perimeter DIR ISF April 14&15, 2016 Randy Guin, CISSP, CGEIT.
1 Botnets Group 28: Sean Caulfield and Fredrick Young ECE 4112 Internetwork Security Prof. Henry Owen.
Week-14 (Lecture-1) Malicious software and antivirus: 1. Malware A user can be tricked or forced into downloading malware comes in many forms, Ex. viruses,
On the Analysis of the Zeus Botnet Crimeware Toolkit H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang Presented.
Integrating Lawful Hacking with NiceTrack Target360° Daniele Milan, Hacking Team Omri Kletter, NICE Systems.
Surveillance and Security Systems Cyber Security Integration.
Air Force Research Labs Dept Homeland Security (HSARPA)
Air Force Research Labs Dept Homeland Security (HSARPA)
Chapter 40 Internet Security.
Advanced Endpoint Security Data Connectors-Charlotte January 2016
Abusing 3rd-Party Services For Command And Control
IoT Security Part 2, The Malware
Detect Malware No One Else Can… Rapidly Identify it’s capabilities, Mitigate the Threat with Actionable Risk Intelligence.
Malware Reverse Engineering Process
Enterprise Botnet Detection and Mitigation System
Defeat Tomorrow’s Threats Today
Intelligence Driven Defense, The Next Generation SOC
Malware Reverse Engineering Process
Advanced Security Architecture for System Engineers Cisco Dumps Get Full Exam Info From: /cisco-question-answers.html.
SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
The Next Generation Cyber Security in the 4th Industrial Revolution
Counter APT Counter APT HUNT operations combine best of breed endpoint detection response technology with an experienced cadre of cybersecurity experts.
Presentation transcript:

Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis, Memory Forensics    Linkedin:  Blog:

 Ghost RAT Introduction  Network communications of Ghost RAT  Video Demo 1 – Understanding Network Traffic Pattern of Ghost RAT  Video Demo 2 – Decrypting the Communications of Ghost RAT  Video Demo 3– Hunting Ghost RAT using Memory Forensics  References  Q&A

 RAT (Remote Access Trojan)  used in many APT/targeted attacks like "Gh0stnet" against Private Office of the Dalai Lama  used to attack large corporations in the oil and gas industry dubbed as "Operation Night Dragon"  When a host is infected with Gh0stRat, the malware collects the system information, encrypts the collected information and sends it to the C2 (command and control) server

Traffic contains 13 byte header, the first 5 bytes (called the Magic header) is a keyword in clear text like 'Gh0st' and the rest of the bytes are encrypted using zlib compression algorithm

Below screenshots shows variants of Gh0stRat using different magic headers

The malware sends the OS information and the hostname to the C2 server

 Organization might not have a full packet capture solution  It is not possible to trace back the malicious process even if the packet capture (pcap) is available  It is not possible to trace back the malicious DLL using the packet capture  Memory Forensics can help in overcoming above challenges.

Gh0stRat follows a pattern in its network communication which can be detected using the regular expression. /[a-zA-z0-9:]{5,16}..\x00\x00..\x00\x00\x78\x9c/

Once the magic header is determined the malicious process can be narrowed down. The below screenshot shows the process (svchost.exe with pid 408) which contains the magic keyword (Gh0st).

I wrote a Volatility plugin (ghostrat), which automates the investigation process by:  Looking for the Gh0stRat network traffic pattern in kernel memory  Extracting the magic keyword from detected pattern and decrypting the communication.  Determining the malicious process by searching for the magic keyword in the user process memory  Determining the network connections made by the malicious process  Determine the DLL's loaded by the malicious process

a) Michael Ligh b) Andrew Case c) Jamie Levy d) Aaron Walters

a) Hunting and Decrypting Communications of Gh0st RAT in Memory b) 2014 Volatility Plugin Contest c) Ghost RAT Volatility Plugin Download d) Tracking GhostNet e) Know Your Digital Enemy

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.