Presentation is loading. Please wait.

Presentation is loading. Please wait.

Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,

Published byBilal Lipson Modified over 9 years ago

Similar presentations

Presentation on theme: "Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,"— Presentation transcript:

1

2 Monnappa KA  Info Security Investigator @ Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8  Blog: http://malware-unplugged.blogspot.in

3  Ghost RAT Introduction  Network communications of Ghost RAT  Video Demo 1 – Understanding Network Traffic Pattern of Ghost RAT  Video Demo 2 – Decrypting the Communications of Ghost RAT  Video Demo 3– Hunting Ghost RAT using Memory Forensics  References  Q&A

4  RAT (Remote Access Trojan)  used in many APT/targeted attacks like "Gh0stnet" against Private Office of the Dalai Lama  used to attack large corporations in the oil and gas industry dubbed as "Operation Night Dragon"  When a host is infected with Gh0stRat, the malware collects the system information, encrypts the collected information and sends it to the C2 (command and control) server

5

6 Traffic contains 13 byte header, the first 5 bytes (called the Magic header) is a keyword in clear text like 'Gh0st' and the rest of the bytes are encrypted using zlib compression algorithm

7 Below screenshots shows variants of Gh0stRat using different magic headers

8

9 The malware sends the OS information and the hostname to the C2 server

10

11

12

13  Organization might not have a full packet capture solution  It is not possible to trace back the malicious process even if the packet capture (pcap) is available  It is not possible to trace back the malicious DLL using the packet capture  Memory Forensics can help in overcoming above challenges.

14 Gh0stRat follows a pattern in its network communication which can be detected using the regular expression. /[a-zA-z0-9:]{5,16}..\x00\x00..\x00\x00\x78\x9c/

15 Once the magic header is determined the malicious process can be narrowed down. The below screenshot shows the process (svchost.exe with pid 408) which contains the magic keyword (Gh0st).

16 I wrote a Volatility plugin (ghostrat), which automates the investigation process by:  Looking for the Gh0stRat network traffic pattern in kernel memory  Extracting the magic keyword from detected pattern and decrypting the communication.  Determining the malicious process by searching for the magic keyword in the user process memory  Determining the network connections made by the malicious process  Determine the DLL's loaded by the malicious process

17

18

19

20

21

22

23

24 a) Michael Ligh (@iMHLv2) b) Andrew Case (@attrc) c) Jamie Levy (@gleeda) d) Aaron Walters (@4tphi)

25 a) Hunting and Decrypting Communications of Gh0st RAT in Memory http://malware-unplugged.blogspot.in/2015/01/hunting-and-decrypting-communications.html b) 2014 Volatility Plugin Contest http://www.volatilityfoundation.org/#!2014/cjpn c) Ghost RAT Volatility Plugin Download http://downloads.volatilityfoundation.org/contest/2014/MonnappaKa_Gh0stRat.zip d) Tracking GhostNet http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network e) Know Your Digital Enemy http://www.mcafee.com/in/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf

26

27

Download ppt "Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,"

Similar presentations

Decision Group www.edecision4u.com Forensics Investigation Toolkit (FIT) Layer 7 Content Reconstruction Tool.

Decision Group Forensics Investigation Toolkit (FIT) Layer 7 Content Reconstruction Tool.
Being Proactive and Less Reactive in Security Operations and Cyber Attack Response Christina Raftery, MCSE, CISSP FBI Los Angeles Field Office.

Being Proactive and Less Reactive in Security Operations and Cyber Attack Response Christina Raftery, MCSE, CISSP FBI Los Angeles Field Office.
Www.accessdata.com Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)

Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)
MIRAGE MALWARE SIDDARTHA ELETI CLEMSON UNIVERSITY.

MIRAGE MALWARE SIDDARTHA ELETI CLEMSON UNIVERSITY.
Jeffrey Bernardino Nikko Tamaña Stealth by Legitimacy: Malware’s Use of Legitimate Services 2012 年 5 月 2 日.

Jeffrey Bernardino Nikko Tamaña Stealth by Legitimacy: Malware’s Use of Legitimate Services 2012 年 5 月 2 日.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.

New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.
國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage.

國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage.
CHINESE HACKERS. Where do they come from? In 2007 private security firm Mandiant was hired by the New York Times to trace cyber-attacks on their network.

CHINESE HACKERS. Where do they come from? In 2007 private security firm Mandiant was hired by the New York Times to trace cyber-attacks on their network.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Threat Intelligence with Open Source tools Cornerstones of

Threat Intelligence with Open Source tools Cornerstones of
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.

1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.
MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.

MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.
Automated Malware Analysis

Automated Malware Analysis
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.

Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.

Similar presentations

Ads by Google