Saturday, April 26, 2014

Red Sky Weekly - Gh0st RAT

"Ghost Rat (or Gh0st RAT) is a Trojan horse "Remote Access Tool" used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program." While I don't normally quote Wikipedia, their description of Gh0st RAT is actually pretty simple, but pretty good:

The GhostNet system disseminates malware to selected recipients via computer code attached to stolen emails and addresses, thereby expanding the network by allowing more computers to be infected. According to the Infowar Monitor (IWM), "GhostNet" infection causes computers to download a Trojan, "Gh0st Rat", that allows attackers to gain complete, real-time control of the victim computer. The computer can be controlled or inspected by its hackers, and even has the ability to turn on the camera and audio-recording functions of an infected computer that has such capabilities, enabling monitors to see and hear what goes on in a room.

In fact, Gh0st RAT is rarely used alone. It is indeed a remote access and administration tool, but in most cases the RAT is used to carry out other activities on the victim computer or network.

This week we published our next Fusion Report, FR14-013, which dealt with another variant of Gh0st RAT. We're not the first to report on Gh0st, nor do I suspect we'll be the last. What we do believe, however, is that the use of Gh0st this time can be attributed to a group known to be dangerous, very active, and targeting very specific types of technologies.

In mid-April 2014, a Red Sky member received two phishing emails originating from the same sender.

  • One email contained a link to an executable file. That executable, upon analysis, was identified as a variant of the Gh0st RAT malware.
  • The second email contained a download link to malware that was identified as a Microsoft Outlook credential stealer.

Remember when I said Gh0st is oftentimes used in conjunction with other tools? In this case, the attackers were looking for credentials, probably hoping the credentials captured from Outlook would also give them access to the network's front door: the user's access credentials. At that point, without good behavioral analysis techniques, detection becomes really hard, really fast.

One of the things we talk about often is the idea of being able to assist a security team with fast classification of activities hitting the sensors and the security management consoles. This, with the vast amount of data coming at a typical defender, is also really (REALLY) hard. How exactly does a security team quickly assess the difference between 'commodity', 'systemic' and 'targeted' events? For dictionary purposes:

  • Commodity issues are those that a simple tweak in existing defenses will take care of: a new virus, a misconfiguration, etc.
  • Systemic issues are those that might take down your company, or worse, an industry. Interconnected systems with few controls, or central services for large-scale operations with built-in credentials or trusts, could be considered systemic. Help desk systems where every help desk technician has credentials to every computer; hard-coded accounts in databases that connect to each other. These issues are usually a bit harder to identify, but once identified, controls can be placed to manage risk and threat.
  • Targeted issues are a little different. Where the first two require largely mechanical mitigation processes, targeted attacks require users to step into the role of "security chess". The game is on, and it's not going to stop. Attackers are skilled. In fact, one guy posted to a group the warning that targeted attackers (that hit his environment) mean business. They want something, and they bring the A-team. You need to be ready.

In this case, this group's use of Gh0st was clearly targeted. How can we assess that?

  • The Gh0st RAT variant that we analyzed had few known open source variants.
  • It leverages dynamic C2 domains previously identified in discussions within the Red Sky portal.
  • The initial phish 'bait' was clearly crafted to socially engineer the intended victims at the high-tech company that tipped off the community.
  • The products manufactured by this company are technologies known to be coveted by others in the world (believed to be associated with the attackers).
  • Last, this group rarely operates without either financial gain or espionage motivations (probably both).

In the end, our reporting analyzed and detailed the infrastructure associated with the RAT and the malware details, and to wrap it up we provided the Red Sky members with mitigation information: a Snort rule, a YARA rule, full directory-structure artifacts that users can search for, and a couple of pages of indicators in LM's kill chain format.


In the lab, we began sinkholing operations on a couple of new locations. Within the first day, we collected information suggesting at least four companies had been compromised. The group? The same group associated with Gh0st RAT mentioned above. In two of the victims identified, the RATs used to steal information from these networks appear to have been placed as early as 2009. Three of the four identified were actively sending and receiving information when we identified them. Industries? One company manufactures airplanes and aerospace technologies. Another is a small engineering firm that manufactures propulsion technologies for rockets and spacecraft. The third, an energy company in Asia. The fourth? Apparently we stumbled onto someone else's research network. Sorry guys! ;)

So, we issued three victim notifications. One company never responded, but I was amazed to see how fast the others did. In both cases, we gave them information they hadn't previously known, and in both cases the CISOs reacted nearly immediately. These guys were on the ball, and grateful for the heads up.

The information sharing construct works. Red Sky Alliance isn't the only group out there, and it looks like at least some companies are getting the message. In fact, a Ponemon study on information sharing (released last week) polled 701 companies. 71% of them believed (at least according to the survey) that participating in threat intelligence forums (like Red Sky Alliance) improves the security posture of their organizations.

It's apparent, and not a secret, that there have to be better ways to share information. Automated means, faster turnaround, simplified exchange protocols and taxonomies, trust (and anti-trust), and competitive concerns all seemingly get in the way, but for those who love this stuff, they REALLY love it. The rest? Well, I'm reminded of my first junior high school dance where the boys stood on one side of the gym and the girls on the other. Only the boldest dared actually dance. At some point in the future, we'll all be on the floor, but don't wait too long. A small company with high value tech doesn't stand a chance on its own.

Drop us a note. You may not want to participate in the Red Sky Portal, but it'll be there if you need it. When you (or your lawyers) finally get up the courage to actually participate and dance, there'll be others in the portal waiting to help, and if you don't have the ability to implement the 'help' yourself, we're happy to make recommendations.

Until next time,
Have a great week!