Regin APT: Attack Campaign Assessment - By nEINEI  Time: 2014-11-24

1) Regin is a sophisticated piece of espionage software with rare technical capabilities. It has been used in systematic espionage campaigns against many multinational targets.
2) Targets include telecom operators, government agencies, political institutions in several countries, financial institutions, research institutes, and individuals engaged in advanced mathematics/cryptography research.
3) Purpose: intelligence collection and assisting other groups in launching network attacks. Infections have so far been found in Russia and Saudi Arabia; other targeted countries include Ireland, Mexico and India.

Symptoms

Backdoor.Regin is an extremely complex back door Trojan that enables stealthy surveillance activities. It can be customized with a wide range of different capabilities, which can be deployed depending on the target. It is a multi-staged, modular threat, meaning that it has a number of components that depend on each other to perform attack operations.

When the Trojan is executed, it creates the following kernel drivers:
  usbclass.sys
  adpu160.sys

Next, the Trojan creates the following files, which contain encrypted virtual file systems (EVFSs):
  %System%\config\SystemLog.evt
  %System%\config\SecurityLog.evt
  %System%\config\ApplicationLog.evt
  %Windir%\ime\imesc5\dicts\pintlgbp.imd
  %Windir%\ime\imesc5\dicts\pintlgbs.imd

The Trojan then creates the following files:
  msdcsvc.dat
  msrdc64.dat
  ApplicationLog.dat
  %System%\config\SystemAudit.Evt
  %Windir%\system32\winhttpc.dll
  %Windir%\system32\wshnetc.dll
  %Windir%\SysWow64\wshnetc.dll
  %Windir%\system32\svcstat.exe
  %Windir%\system32\svcsstat.exe

Next, the Trojan encrypts data and loads components of itself from the extended attributes of the following folders:
  %Windir%
  %Windir%\cursors
  %Windir%\fonts
  %Windir%\System32
  %Windir%\System32\drivers

The Trojan then creates the following registry subkeys:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA5A}
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RestoreList\VideoBase

The attacker controls the Trojan using the following transport protocols:
  Internet Control Message Protocol (ICMP): Payload information can be encoded and embedded in place of legitimate ICMP/ping data.
  User Datagram Protocol (UDP): Raw UDP payload
  Transmission Control Protocol (TCP): Raw TCP payload
  HTTP: Payload information can be encoded and embedded within cookie data under the names SESSID, SMSWAP, TW, WINKER, TIMESET, LASTVISIT, AST.NET_SessionId, PHPSESSID, or phpAds_d. This information can be combined with another cookie for validation under the names USERIDTK, UID, GRID, UID=PREF=ID, TM, __utma, LM, TMARK, VERSION, or CURRENT.

The Trojan may then perform the following actions:
  Sniff low-level network traffic
  Exfiltrate data through various channels (TCP, UDP, ICMP, and HTTP)
  Gather computer information
  Steal passwords
  Gather process and memory information
  Navigate through the file system
  Perform low-level forensics operations, such as retrieving files that were deleted
  Manipulate the user interface (UI), such as conducting remote mouse point-and-click activities and capturing screenshots
  Enumerate Internet Information Services (IIS) web servers and steal logs
  Sniff GSM BSC administration network traffic

Related sample information (MD5):

Minimal self-contained attack sample set:
Regin carries out its attack in 5 stages, but so far only samples of the first stage have been collected, so based on the scale of the attack the code is estimated at 500k.
Through searching I found the sample 4fac22acf212eb9d71993fdc17021271 from late 2009, but it is not certain which attack stage this code belongs to.
stage1, loader: 01c2f321b6bfdb9473c079b0797567ba, size = 72192

Attack capability calculation:
  k = 2 (within the normal range of security awareness)
  a = 3 (no user interaction)
  s = 2 (spear phishing, precision attack)
  m = 13 (code injection, rootkit, precision propagation, specific target population, extremely wide-ranging espionage functionality, encrypted networking, very high difficulty to crack, weapon collection, special-purpose Trojan, lateral penetration, very high difficulty to crack, special persistence and hiding, hidden for more than three years before discovery)
  p = 2 (attacks 2 platforms: Windows / mobile networks)
  x = 5+3+4 (0-day exploitation, as-yet-unknown intrusion techniques, forged digital signatures)

Attack capability = (a+s+m+p)^k * (1+x)^2 + c, where c is computed below from the stage-1 loader size.

  AT = (3 + 2 + 13 + 2)^2 * (1+5+3+4)^2 + 72192/1024 + 500
     = 20^2 * 13^2 + 571
     = 67600 + 571
     = 68171
  ==> 49026*1000/613623 (1T attack-capability unit) = 53.274T

References:
1. http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
2. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf
3. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070901/darkhotelappendixindicators_kl.pdf
4. 《论高级威胁的本质及攻击能力的量化研究》 ("On the Nature of Advanced Threats and the Quantification of Attack Capability") - www.vxjump.net/files/aptr/aptr.txt
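The HTTP cookie channel described in the Symptoms section above, as an added detection example (my own code, not part of the original post or of Symantec's write-up): it parses the Cookie header out of proxy log lines and reports only requests that pair one of the listed carrier cookie names with one of the listed validation cookie names. The log line format and the sample lines are constructed assumptions; the cookie names are copied from the page as given.

```python
import re

# Cookie names the write-up lists as carriers of encoded Regin payload data,
# and the names it lists for the paired validation cookie (copied as given).
CARRIER_COOKIES = {"SESSID", "SMSWAP", "TW", "WINKER", "TIMESET", "LASTVISIT",
                   "AST.NET_SessionId", "PHPSESSID", "phpAds_d"}
VALIDATION_COOKIES = {"USERIDTK", "UID", "GRID", "UID=PREF=ID", "TM", "__utma",
                      "LM", "TMARK", "VERSION", "CURRENT"}

def parse_cookie_header(header):
    """Split a Cookie header into {name: value}: split on ';', then on the first '='.
    A cookie written as UID=PREF=ID=... parses as name 'UID', which is itself listed."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies

def regin_cookie_match(cookie_header):
    """Return (carrier names present, validation names present), both sorted."""
    names = set(parse_cookie_header(cookie_header))
    return sorted(names & CARRIER_COOKIES), sorted(names & VALIDATION_COOKIES)

# Assumed (hypothetical) proxy log format: <client> <host> "Cookie: ..."
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<host>\S+) "Cookie: (?P<cookie>[^"]*)"$')

def scan_proxy_log(lines):
    """Flag requests whose Cookie header pairs a carrier name with a validation name.
    Every listed name is also used by ordinary sites (PHPSESSID, __utma, ...), so a
    carrier alone is not flagged; even a pairing is a lead for review, not a verdict."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        carriers, validators = regin_cookie_match(m.group("cookie"))
        if carriers and validators:
            findings.append({"src": m.group("src"), "host": m.group("host"),
                             "carrier": carriers, "validation": validators})
    return findings

# Constructed sample lines (not real traffic); only the two 10.0.0.7 requests pair up.
SAMPLE_LOG = [
    '10.0.0.5 www.example.com "Cookie: PHPSESSID=3f2a9c; lang=en"',
    '10.0.0.7 cdn.example.net "Cookie: SMSWAP=QUJDREVGR0hJSg; TMARK=7"',
    '10.0.0.9 shop.example.org "Cookie: __utma=1.2.3; cart=42"',
    '10.0.0.7 cdn.example.net "Cookie: LASTVISIT=aGVsbG8; UID=PREF=ID=9e1"',
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns two findings, both for client 10.0.0.7; the lone PHPSESSID and lone __utma requests are ignored.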