Formatting for Justice crime doesn t pay, neither does rich text. Anthony Kasza Botconf 2017

Size: px

Start display at page:

Download "Formatting for Justice crime doesn t pay, neither does rich text. Anthony Kasza Botconf 2017"

Claire Allison Webster
6 years ago
Views:

1 Formatting for Justice crime doesn t pay, neither does rich text Anthony Kasza Botconf 2017

2 I am rich text. I am plain text.

3 The End

4 Outline File format Common obfuscation Generators and Analysis tools Signature writing Experiments Extra credit

5 Outline File format Common obfuscation Generators and Analysis tools Signature writing Experiments Extra credit

6 RTF File Format Used to format text RIP RTF: "Wrapper" capabilities ASCII based Nestable "tags" Whitespace agnostic

7 RTF File Format Used to format text RIP RTF: "Wrapper" capabilities ASCII based Nestable "tags" Whitespace agnostic Similar to HTML

8 RTF File Format <html> <body> <head> <p> <div> <title> <img>

9 RTF File Format <html> {\rtf} <body> <head> {\info} {\par} <p> <div> <title> {\author} {\title} {\pict} <img> {\blipuid} {\bin} HTML tags RTF Entities

10 RTF File Format: Entities {\rtf Groups Text/Data Control Words Control Symbols {\info } {\author AK} {\company PANW} This is some text {\i This is some italic text} This is some hex \ b7 {\*\AK} }

11 RTF File Format: Entities {\rtf Groups Text/Data Control Words Control Symbols {\info } {\author AK} {\company PANW} This is some text {\i This is some italic text} This is some hex \ b7 {\*\AK} }

12 RTF File Format: Entities {\rtf Groups Text/Data Control Words Control Symbols {\info } {\author AK} {\company PANW} This is some text {\i This is some italic text} This is some hex \ b7 {\*\AK} }

13 RTF File Format: Entities {\rtf Groups Text/Data Control Words Control Symbols {\info } {\author AK} {\company PANW} This is some text {\i This is some italic text} This is some hex \ b7 {\*\AK} }

14 Outline File format Common obfuscation Generators and Analysis tools Signature writing Experiments Extra credit

15 Common Obfuscation Whitespace Headers Nesting Default ignore File Extensions {\rtf {\info {\author AK}}} {\rtf {\info {\author AK } } } {\rtf {\info {\author AK } } }

16 Common Obfuscation Whitespace Headers Nesting Default ignore File Extensions {\rt AK} {\rtf1 AK} {\rtf1xzgen AK} {\rtfxxx AK}

17 Common Obfuscation Whitespace Headers Nesting Default ignore File Extensions {\rtf {\info}} {\rtf {{{\info}}} }

18 Common Obfuscation Whitespace Headers Nesting Default ignore File Extensions Ca{\*\Meow ffff}t H E{\mmmailsubject GOODBYE}L L{\mmmailsubject} O [3]

19 Common Obfuscation Whitespace Headers Nesting Default ignore File Extensions Renaming RTF files with a DOC extension forces the file to be opened with MS Word Often used with OLE exploit RTFs

20 Outline File format Common obfuscation Generators and Analysis tools Signature writing Experiments Extra credit

21 Generators: Legitimate Additional material shared at conference

22 Generators: Malicious

23 Generators: Malicious builder wingd/stone/ooo VT testing Sofacy Monsoon MWI Ancalog AK builder Released a few days after the CVE gained media attention Appends RTF chunks together to create a weaponized file [10]

24 Generators: Malicious builder wingd/stone/ooo VT testing Sofacy Monsoon MWI Ancalog AK builder Additional material shared at conference

25 Generators: Malicious builder wingd/stone/ooo VT testing Sofacy Monsoon MWI Ancalog AK builder Additional material shared at conference

26 Generators: Malicious builder wingd/stone/ooo VT testing Sofacy Monsoon MWI Ancalog AK builder Additional material shared at conference

27 Generators: Malicious builder wingd/stone/ooo VT testing Sofacy Monsoon MWI Ancalog AK builder Additional material shared at conference

28 Generators: Malicious builder wingd/stone/ooo VT testing Sofacy Monsoon MWI Ancalog AK builder , , , , , Commodity PHP scripts Supports file types beyond RTF [7] [8] [9]

29 Generators: Malicious builder wingd/stone/ooo VT testing Sofacy Monsoon MWI Ancalog AK builder [14] [15] [11] [12] [13] [21]

30 Analysis Tools rtfdump - analyze RTF groups and objects rtfobj -dump objects from RTFs, part of oletools pyrtf/pyrtf-ng - generate RTFs from python Yara - find builders/kits with entity reuse CRITs, LaikaBoss, other pipelines [16] [17] Write your own!

31 Outline File format Common obfuscation Generators and Analysis tools Signature writing Experiments Extra credit

32 Signature Writing: Control Words Additional material shared at conference

33 Signature Writing: Metadata Additional material shared at conference

34 Tangent Additional material shared at conference

35 Outline File format Common obfuscation Generators and Analysis tools Signature writing Experiments Extra credit

36 Experiments: Control Word Ratios 1. Gathered mal and benign sample set 2. Counted control words in each sample 3. Calculated a score of maliciousness for control words in RTF Most Popular Mal: \object \objocx \objclass \objw \objemb Most Popular Benign: \blue \green \colortbl \cf \ansi

37 Experiments Additional material shared at conference

38 Outline File format Common obfuscation Generators and Analysis tools Signature writing Experiments Extra credit

39 Extra Credit RTF file on Google Drive Simple challenge to learn RSIDs in RTFs Locate the hidden flag Additional material shared at conference

40 Special Thanks Botconf You all

41 References [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22]

42 The End

EXPLOIT KITS. Tech Talk - Fall Josh Stroschein - Dakota State University

EXPLOIT KITS. Tech Talk - Fall Josh Stroschein - Dakota State University EXPLOIT KITS Tech Talk - Fall 2016 Josh Stroschein - Dakota State University Delivery Methods Spam/Spear-phishing Delivery Methods Spam/Spear-phishing Office Documents Generally refer to MS office suite