Investigating the LuminosityLink Remote Access Trojan Configuration

In recent weeks, I’ve spent time investigating the LuminosityLink Remote Access Trojan’s (RAT) embedded configuration. For those unaware, LuminosityLink is a malware family costing $40 that purports to be a system administration utility. However, when executed, the malware leverages a very aggressive keylogger, as well as a number of other malicious features that allow an attacker to gain full control over a victim machine.

Figure 1 LuminosityLink website

At the request of a coworker, I was asked to extract the configuration of a LuminosityLink sample, and while I could have simply executed the malware in a sandboxed environment and pulled the configuration from memory, I chose to see if I could perform the same action against the static binary.

This led to me understanding how the configuration is encrypted within the binary, as well as how to parse that configuration. I’ve created a script to perform this action against an unaltered LuminosityLink malware sample, which I will be sharing within this blog post. Furthermore, I looked at the roughly 18,000 LuminosityLink samples Palo Alto Networks has collected over time, and using this script, I was able to extract the configurations of 14,700 samples. (This data can be found in the Appendix section of this post.)

Overview of LuminosityLink

Originally surfacing in May 2015, LuminosityLink’s popularity has been on the rise, as shown in the following chart. To date, Palo Alto Networks has tracked approximately 50,000 attempted infections of LuminosityLink against our customers.

Figure 2 AutoFocus graph of LuminosityLink sessions over time.

LuminosityLink currently sells for $40 and can be purchased directly from its author. This package allows attackers to host a LuminosityLink server as well as generate customized binaries, which are obfuscated with ConfuserEx 0.4.0. ConfuserEx is an open-source project that obfuscates the underlying .NET code, making it much more difficult for reverse engineers that decompile it. This is important to note for later when we discuss determining how to reverse-engineer the encryption process.

As mentioned previously, a number of configuration options are included, as we can see in the following screenshot.

Figure 3 Client configuration options in LuminosityLink

Once executed, attackers are given a wealth of options, including keylogging, remote desktop, password stealing, and interacting with a shell on the device.

Reverse-Engineering the Configuration

The first step in parsing out the configuration of LuminosityLink is to extract it statically. I initially opened up a clean LuminosityLink sample using a program named dnSpy to search for clues as to where the configuration might be stored. (As a quick aside, I highly recommend dnSpy, as it not only does a great job of decompiling the provided .NET binary, but it also comes equipped with a built-in debugger, which is instrumental in tackling problems such as the one we are facing.)

When initially opening up a sample binary, I didn’t expect much as I knew the sample was obfuscated using ConfuserEx. However, looking at the resources of the sample, I saw some strings that looked promising.

Figure 4 Embedded resource strings in LuminosityLink

As we can see, the malware contains a number of resources that in turn contain what appears to be Base64-encoded data. The “SMARTLOGS”, “XML”, and “CONFIG” resources all contain a wealth of data, which, at this point, is still unknown. Unfortunately, decoding these strings results in garbage, which likely means some other form of encryption is being used underneath.

I continued to investigate the underlying code, which, while obfuscated, still provides a high-level idea of what various classes are doing. Using imported namespaces, API calls and certain un-obfuscated strings, we’re able to get clues as to what is going on within the program. Specifically, we see the fd() class using the namespace of ‘System.Security.Cryptography’, which certainly merits investigation as we suspected crypto being used against the earlier referenced resource strings.

Figure 5 Cryptography namespace being used by LuminosityLink

As we further investigate this class, we see references to the following classes and functions:

  • MD5CryptoServiceProvider
  • ComputeHash
  • FromBase64String
  • RijndaelManaged

At this point, I turned to my debugger in an attempt to see how these strings were handled. I set breakpoints on various calls previously mentioned. Specifically, the breakpoint on the RijndaelManaged class yields excellent results.

Figure 6 Successful recovery of AES-128 key

We’re able to not only verify that AES-128 encryption is used, but also verify that the “SMARTLOGS” resource string is being used. We also are able to identify the string being used as the key, which in this particular example is “\\ecnOnuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS”. Further investigation reveals that this string is hashed using the MD5 algorithm. The first 15 bytes of this hash is concatenated with the entire 16 bytes of the hash, followed by a null byte. We can replicate this decryption process in Python as such:

We can further verify that this is correct using the above code. In the following example, the data variable has been set with the base64-encoded string found within the “SMARTLOGS” resource, and the key_string variable has been set to the reversed registry key previously mentioned.

Using trial and error, we’re able to successfully map each variable witnessed in the above configuration. The last variable proves to be quite interesting, as each character except for ‘1’ maps to a particular configuration option. The following mapping was determined:

  • i : Enable Client Installation/Startup
  • d : Client Persistence Module: Protect Luminosity’s Client Binary
  • s : Silent Mode (Hide Luminosity Window on Client PC)
  • a : Proactive Anti-Malware: Clean Malicious Files and Speed up Client PC
  • n : Power Saver: Prevent Sleep Mode and Turn off Monitor after 15 minutes of inactivity
  • m : Remove File after Execution (Melt)
  • v : Anti-Virtual Machines/Debugging
  • h : Hide File and Directories
  • b : Backup Startup

Using this knowledge, we can parse the above configuration, which yields the following results.

Parsing LuminosityLink Configurations at Scale

Using this knowledge, we created a script to parse the configuration of a given sample. The script searches for strings that appear to be base64-encoded with a length greater than 50 and takes a brute-force approach. While not elegant, it does the job quite successfully. The script can be downloaded in the Appendix section of this blog post.

Going through Palo Alto Networks repository of samples, we found roughly 18,000 files tagged as LuminosityLink. For these 18,000 samples, we applied our static configuration extraction and parsing script and successfully retrieved about 4,500 configurations. The remaining samples were packed beyond the built-in ConfuserEx obfuscation routine, and as such, the raw configuration strings were not present.

These samples were run through a local instance of the open-source Cuckoo Sandbox, where the process dumps were extracted. The same script was applied to these process dumps, where we were able to obtain an additional 10,200 configurations, leaving us with a total of 14,700 parsed LuminosityLink configurations.

As the samples were processed, further keys were discovered to be used by the author. The following additional three strings were used to generate the keys to LuminosityLink samples.

  • This conf’ig contains nothing useful. Quit acting as if you’re cool by decrypting it.
  • Resources.SMARTLOGS
  • Specify a Password

It appears as though the author of LuminosityLink is not without a sense of humor. Additionally, as we parsed older samples, it was discovered that the configuration made a change sometime between February and June of this year. Fewer options were available in the configuration of older samples. The provided script accounts for these differences and various keys used.

Using the aggregated data from the 14,700 configurations, the following high-level statistics were pulled:

Figure 7 Prevalence of enabled settings in LuminosityLink configurations

Top C2 TLDs/IP Addresses

  • [3308] ddns[.]net
  • [2537] duckdns[.]org
  • [904] no-ip[.]biz
  • [670] chickenkiller[.]com
  • [378] no-ip[.]org
  • [377] mooo[.]com
  • [242] fishdns[.]com
  • [174] no-ip[.]info
  • [165] ignorelist[.]com
  • [157] freedns[.]su

Top Build IDs

  • [4829] HOME
  • [83]   Client
  • [82]   crtx1
  • [71]   M4CHINATION
  • [65]   CSGO
  • [65]   NEW
  • [59]   Slave
  • [47]   CAPO
  • [44]   Youtube
  • [42]   PROJECT.D

Top Executable Names

  • [1973] sysmon.exe
  • [1831] client.exe
  • [1254] helper.exe
  • [1207] repair.exe
  • [1087] winlogon.exe
  • [509] svchost.exe
  • [315] Luminosity.exe
  • [83]   WinCOMHost.exe
  • [82]   chrome.exe
  • [61]   windowsbootapp.exe

Top Ports

  • [1866] 6318
  • [1055] 1400
  • [493] 1604
  • [412] 1337
  • [214] 3175
  • [182] 22028
  • [162] 9045
  • [119] 2122
  • [115] 100
  • [113] 9999

The parsed configuration data, provided in the CSV file format, is being freely provided to the security community in the hope that protections will be created against this threat.

Conclusion

LuminosityLink, while marketed as a systems administration utility, is a formidable keylogger and backdoor used by a large number of criminals. To date, Palo Alto Networks has witnessed over 50,000 attempted infections of LuminosityLink, encompassing 18,000 unique samples. The malware is cheap and readily available to the public, making this a dangerous threat to both organizations and individuals alike.

By reverse-engineering LuminosityLink samples, we were able to statically extract and parse the embedded configuration, which in turn provides valuable information about with what hosts and ports the malware is configured to communicate. It also provides information regarding configured protections configured within the executable, as well as installation information.

Palo Alto Networks customers are protected from this threat in the following ways:

An AutoFocus tag can be used to track this malware family

  • All LuminosityLink samples are appropriately marked as malicious in WildFire
  • All identified domains are flagged as malicious
  • Network traffic is appropriately identified and blocked as threat ID #14460 (LumonosityLinkRAT.Gen Command And Control Traffic)

Appendix

An extraction and parsing script for LuminosityLink samples can be found here.

A script to be used to parse plain configuration strings can be found here.

A CSV file containing all of the configuration data extracted from Palo Alto Networks sample set can be found here.

[Palo Alto Networks Research Center]

Mobile Application Security Testing releases its white paper

The Mobile Application Security Testing (MAST) Initiative is a research which aims to help organizations and individuals reduce the possible risk exposures and security threat in using mobile applications. MAST aims define a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and best practices in the use of mobile applications.

Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security vulnerabilities of mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially dangerous functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. It also covers internal communications such as debug flag and activities and external communications such as GPS, NFC access as well as checking the links that are written in the source code. In addition to security testing and vetting, the initiative has also proposed processes and procedures for security incidence response.

The use of mobile applications has become unavoidable, almost a necessity, in today’s world. More people are starting to question the security of mobile applications and it’s about time that you take a look at what the Cloud Security Alliance has to say about mobile application security!

To access the full report visit the download page at: https://cloudsecurityalliance.org/download/mobile-application-security-testing/

[Cloud Security Alliance Research News]

Không bao giờ là thất bại, tất cả chỉ là thử thách

Kết quả trận kịch chiến sáng nay đã làm bao trái tim người hâm mộ đội Đức tan vỡ, nhưng thật ra đó cũng là điều bình thường. Cuộc sống đã chỉ ra rằng không phải lúc nào người chơi giỏi hay hay hơn sẽ thắng. Vẫn còn những điều mà ta không thể hiểu được vẫn diễn ra, và ta gọi đó là số mệnh hay định mệnh. Sáng nay định mệnh đã ưu ái cho đội Pháp với thần tài Antoine Griezmann, nên các bạn hâm mộ Đức cũng không cần phải đau buồn thêm nữa, cũng giống như tôi cũng đã không đau buồn khi đội tuyển của các bạn chiến thắng đội bóng Màu-Thiên-Thanh mà tôi yêu quý.

Cũng vừa hay, một bạn trẻ nhắn trên FB hỏi tôi liệu có cách nào để vượt qua nỗi buồn của việc thi hỏng. Thật ra thi hỏng hay thi trượt là điều rất bình thường trong cuộc sống, nhưng áp lực của cái tôi đã đè nặng lên mỗi chúng ta vì phải giữ thể diện với những người chung quanh. Kiểu như: “Ơ, lại thi hỏng cơ à? Giỏi thế mà cũng thi hỏng à? Đề thi dễ mà, thế mà cũng hỏng!“…vâng vâng và vâng vâng. Tôi có thể nói với bạn rằng tôi thi hỏng như cơm bữa và tần suất thi hỏng của tôi là gấp đôi so với thi đậu. Lần đầu thi hỏng (một kỳ thi rất quan trọng), tôi buồn không thể tả, chẳng thiết cơm nước và thu lu mình vào 1 góc, nước mắt nước mũi đầm đìa, tự nhủ: Thôi, đời mình thế là hết!. Nhưng qua hết cơn đó, lại tự nhủ, phải học hành lại để thi tốt hơn thôi, và thế lại chuyên tâm ôn luyện, và cuối cùng cũng vượt qua được kỳ thi.

Tôi học được một điều quan trọng từ chuyện này: việc thi hỏng hay thi trượt (tạm gói gọn chung là thất bại) cũng có giá trị riêng của nó. Lúc đó bạn sẽ phải xem xét, học hành hay ngâm cứu kỹ càng hơn, cẩn thận hơn và qua đó cũng nhớ & khắc ghi lâu hơn. Và nếu có thể được, lâu lâu cũng nên tự mình thi trượt, thi hỏng để tự nhắc nhở mình phải luôn nỗ lực và cố gắng hơn.

Thất bại là điều cần thiết, vấn đề là chúng ta nhìn nhận như thế nào từ thất bại đó. Mỗi thất bại luôn đi kèm với 1 thử thách để chúng ta vượt lên chính bản thân mình. Và mỗi lần chúng ta vượt lên chính bản thân mình, chúng ta lại thấy mình tiến bộ hơn và vững bước hơn để đi về phía trước. Và sau khi trải qua cả thất bại và thành công, bạn sẽ thấy rằng sự thất bại cũng đẹp đẽ và giá trị không thua kém gì thành công, dĩ nhiên chỉ có bạn mới có thể thấy được sự đẹp đẽ và giá trị này. Nhưng có sao đâu, hãy để sự thành công cho người ngoài thấy, còn tự mình, hãy chiêm ngưỡng sự thất bại cùng vẻ đẹp riêng của nó.

Không bao giờ là thất bại, tất cả chỉ là thử thách
– Chung Ju-Yung, Founder and honorary chairman of Hyundai.

Philip Hung Cao
#tekfarmer
Saigon, 07/2016

Former Pittsburgh Steel Worker and Former New Orleans Saxophonist Partner to Cover Cybersecurity Blind Spots

As a young man growing up in the Pittsburgh, Pennsylvania area working in steel mills, (ISC)2 CEO David Shearer learned early on that a strong work ethic and collaborative spirit were important factors to being successful in business. David met fellow Safety Harbor, Florida-based CEO of PivotPoint Risk Analytics Julian Waits, who was originally a budding saxophone player performing in his hometown of New Orleans, Louisiana at the first annual conference for the International Consortium of Minority Cybersecurity Professionals (ICMCP). After realizing that they both resided in the same town in Florida and worked for organizations that could be mutually beneficial, the two leaders began a business partnership to help advance the automation of cyber insurance decisions in an effort to protect businesses from financial risk in the event of a breach.

By (ISC)² CEO David Shearer

(ISC)² and PivotPoint Risk Analytics have signed a business agreement with the goal of empowering chief information security officers (CISOs) to make more effective security business operations and cyber insurance decisions. The solution, called ‘cyber value-at-risk analytics’ (CyVaR™), aims to support CISOs and information security professionals with the information they need to make more strategic business decisions and mitigate risks.

Some may wonder why we’re venturing into this type of relationship as a longstanding vendor-neutral certification body. Our education and certification programs are based on a Common Body of Knowledge (CBK) and will remain vendor-neutral; however, I’m open to fostering relationships with organizations and companies that can provide benefits to our international membership. We’re doubling up our thought leadership efforts in areas where we see potential blind spots within our membership and the industry.

Simply stated, we know we must do more for our members. When it comes to our certified members, we realize that they use tools and programs for their organizations as part of their jobs. As CEO, I believe that I have an obligation to our members to negotiate discounts—where possible—for existing and/or new offerings that we believe can be helpful in advancing their organizations’ cyber, information, software and infrastructure security. This certainly includes tools and services that can better position their organizations’ ongoing cyber insurance requirements. We are open to discussing opportunities for our membership with any organization or company that wants to present how their offerings can add value to our members, their career development and their respective jobs.

This new partnership provides (ISC)² members with a 35 percent discount for the first year of a CyVaR subscription. The benefit provides our members with another way to demonstrate value to their organization, while also making the job of the CISO more efficient.

Information security professionals can sometimes speak a different language than the leadership they answer to, be it a board of directors, CEO or other executives. The business impact of decisions made by the cybersecurity team needs to be quantified, which is the problem that cyber value-at-risk solutions solves. By changing the conversation from a technical discussion about cybersecurity threats to a business discussion about the potential financial impact of cyber risk, members of the C-suite and board can better position their organizations for increasingly sophisticated cyber threats.

“By quantifying the risk to the most critical corporate information assets and associated software and infrastructure, cyber value-at-risk helps CISOs secure the value of their business and bolster their respect in the boardroom,” said Julian Waits, CEO, PivotPoint RA. “We are excited about this collaboration with (ISC)², a recognized organization that is committed to enhancing the security posture of global organizations.”

CyVaR can help determine, for example, how much money an organization could lose to a cyberattack, how investing in security can reduce their risk and what types of cyber insurance would be advisable to transfer financial risks. The CyVaR approach is endorsed by The World Economic Forum’s “Partnering for Cyber Resilience” initiative and is the common risk quantification for its members.

A webinar will be available on July 12 for (ISC)² members and cybersecurity professionals alike to learn more about the partnership, program and what it can mean for them and their organizations. For more information about the CyVaR solution, please visit http://pivotpointra.com/.

[(ISC)² Blog]

Shock Treatment: Combatting Infosec Negligence

Boring training videos, box-ticking to meet regulations, blacklisting software at the expense of productivity: large enterprise has been reliant on these methods of “cyber security control” for too long. They are outdated and don’t work. Cyber criminals don’t follow the steps outlined in a training video from 2006—they innovate, manipulate, penetrate and steal information in many different ways and by many different means.

Internally, employees can also represent a real and significant danger to corporate information—whether by accident or design—they are the insider threat. Think about it this way. Dropbox might be an easy way to transfer a file to a client—but has it been sanctioned by IT? Ask every knowledge worker in a company that question, and you can guarantee you won’t get a single, clear cut answer. In fact, according to Code42’s 2016 Datastrophe Study, 22% of knowledge workers surveyed said their IT department doesn’t know they use third-party cloud sharing solutions.

So in 2016, what are the right ways to educate your employees about data security from both an internal and external perspective?

Shock therapy
We briefly covered that training videos and generic presentations don’t work that well. Within 10 minutes, staff will have switched off and words will be going in one ear and out of the other—unless you’ve invited Snowden himself to present the training.

To encourage employees to take responsibility and ownership of sensitive corporate data, a more direct approach is needed. Fortunately, cybersecurity consultancy and threat-based penetration testing is something we’re well versed in at First Base Technologies, and we’d recommend the following to drive employee awareness:

  • Faking data loss—by targeting specific departments (or even the entire company) with a well-designed program of phishing attacks, you can easily demonstrate the real risk to the business and start the process of education. No information is actually compromised, and the affected employees are told it’s been a simple training exercise. I can guarantee that over time, with the right messages it’ll hammer home the importance of double-checking whether to click that link, install that file, or respond to that unknown request in the future. Think of it as the cyber security equivalent of regular fire drills.
  • Physical penetration testing—this involves hiring third-party security consultants to visit an office disguised as “help-desk” computer engineers, visitors or even cleaners. In actuality, they are penetration testers evaluating both the physical security of an organization and its network infrastructure, with the goal of demonstrating unauthorized access to sensitive information. The resulting report, often accompanied by video footage of the exercise, provides valuable guidance on security weaknesses and remediation. Staff is briefed on what happened and the potential gravitas of the situation—providing another important lesson as a result.
  • Company-wide warnings—as information security professionals, we are well versed in the latest threats and the results of high-profile breaches. And thanks to the recent media agenda, it does seem to be filtering down to non-IT folk too. According to Datastrophe, 74% of knowledge workers say that IT staff’s ability to protect corporate and customer data is very important to their company’s brand and reputation. To communicate these facts to the remaining 26% of employees, breach and security risk information should be regularly delivered to staff at all levels.

Education. It really is the most important weapon in IT and security professionals’ arsenals. It’s a fact that in 2016 and beyond, organizations are under attack pretty much constantly, and if employees aren’t wise to this, the insider threat they present is realized with devastating results. With Datastrophe highlighting that 36% of knowledge workers think the business they work for may be at risk of a public data breach in the next year, it seems people are fortunately starting to understand the threat. And by IT and senior management enacting some of the training methodology above, knowledge workers will start getting well versed in information security practices too.

Peter Wood, Cyber Security Consultant, Code42

[Cloud Security Alliance Blog]

English
Exit mobile version