While digging and reversing my way through the Equation Group dump, I’ve come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.
Certainly 0-days are great, but in my opinion the previously disclosed Fortidoor exploit is 100x more significant than the Fortigate HTTP 0-days disclosed in the dump. And while most of the dump is around firewall implants and a few exploits, there are some very interesting ops tools in the drop. One of those tools is NOPEN. It is referenced multiple times in their scripts, ops and docs, and seems to be one of the cornerstones of their infrastructure. It is significant both as a backdoor in a target network and as a tool deployed on a listening post that lets you build a multi-layer call-back network. So let's take a closer look at this software.
Overview: It's a RAT
Roughly speaking, NOPEN is a complete, statically compiled backdoor in one neat package. As we will see, it is a unix RAT with an encrypted command channel, tunnels, libnet injection and privilege escalation, among other things. It supports either being installed on the host and waiting for a third party to connect, or, as suggested in their docs:
1- you install it
2- it calls you / the listening post back
3- when you are done, burn it.
Ultimately it gives you a powerful yet simple shell and tunnel capabilities, all nicely wrapped in their now famous RC6 crypto. And while all of this initially looks pretty bad, there is actually some good news in terms of detecting and hunting this tool. So let's dive into the analysis, and at the end we will look at some strategies for detection.
I've provided some links to help navigate through the various sections below:
Because you should always welcome people in after all.. be polite..
NOPEN! v220.127.116.11
sh: 1: scanner: not found
sh: 1: ourtn: not found
sh: 1: scripme: not found
Wed Aug 31 18:07:05 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/root/Firewall/TOOLS/NOPEN/.."
NHOME=/root/Firewall/TOOLS/NOPEN/..
Reading resource file "/root/Firewall/TOOLS/NOPEN/../etc/norc"...
/root/Firewall/TOOLS/NOPEN/../etc/norc: No such file or directory
TERM=xterm-256color
Entering connect mode
Attempting connection to 127.0.0.1:32754 (127.0.0.1:32754)... ok
Initiating RSA key exchange
Generating random number... ok
Initializing RC6... ok
Sending random number... ok
Receiving random number... ok
Generating session key... 0x0DE6200E48AB016831720B109B8B2874
Sending first verify string... ok
Receiving second verify string... ok
Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 18.104.22.168
Connection  Bytes In / Out     201/94 (213%C) / 63/4 (1575%C)
            Local Host:Port    localhost:41847 (127.0.0.1:41847)
            Remote Host:Port   127.0.0.1:32754 (127.0.0.1:32754)
            Remote Host:Port   kali:32754 (127.0.0.1:32754)
Local       NOPEN client       22.214.171.124
            Date/Time          Wed Aug 31 18:07:05 UTC 2016
            History
            Command Out
            CWD                /root/Firewall/TOOLS/NOPEN
            NHOME              /root/Firewall/TOOLS/NOPEN/..
            PID (PPID)         6904 (6896)
Remote      NOPEN server       126.96.36.199
            WDIR               NOT SET
            OS                 Linux 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64
            CWD
            PID (PPID)         6908 (6889)
Reading resource file "/root/Firewall/TOOLS/NOPEN/../etc/norc.linux"...
/root/Firewall/TOOLS/NOPEN/../etc/norc.linux: No such file or directory
History loaded from "/root/Firewall/TOOLS/NOPEN/../down/history/kali.127.0.0.1"... ok
Creating command output file "/root/Firewall/TOOLS/NOPEN/../down/cmdout/kali.127.0.0.1-2016-08-31-18:07:05"... ok
Lonely? Bored? Need advice? Maybe "-help" will show you the way.
We are starting up our virtual autoport
We are bound and ready to go on port 1025
NO! kali:>-help
[08-31-16 18:07:17 GMT][localhost:41847 -> kali.127.0.0.1:32754]
[-help]
Remote General Commands:
Usage: -elevate
Usage: -getenv
Usage: -gs category|filename [options-if-any]
Usage: -setenv VAR=[val]
Usage: -shell
Usage: -status
Usage: -time
Remote Server Commands:
Usage: -burn
Usage: -call ip port
Usage: -listen port
Usage: -pid
Remote Network Commands:
Usage: -icmptime target_ip [source_ip]
Usage: -ifconfig
Usage: -nslookup name1 ...
Usage: -ping -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -ping host
       -ping [-u|-t|-i] host
Usage: -trace -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -trace host
       -trace [-u|-t|-i] host
Remote Redirection Commands:
Usage: -fixudp port
Usage: -irtun target_ip call_back_port [call_back_ip] [ourtn arguements]
Usage: -jackpop target_ip target_port source_ip source_port
Usage: -nrtun port [toip [toport]]
Usage: -nstun toip [toport [localport [srcport [command]]]]
       -nstun toip:port
Usage: -rawsend tcp_port
Usage: -rtun port [toip [toport]]
Usage: -scan
Usage: -sentry target_address source_address (tcp|udp) dest_port src_port interface
Usage: -stun toip toport [localport [srcport]]
Usage: -sutun [-t ttl] toip toport [localport [srcport]]
Usage: -tunnel [command_listen_port [udp]]
Usage: -vscan (should add help)
Remote File Commands:
Usage: -cat remfile
Usage: -chili [-l] [-s lines] [-m max] MM-DD-YYYY remdir remfile [remfile ...]
Usage: -cksum remfile ...
Usage: -fget [MM-DD-YYYY] loclist
Usage: -get [-l] [-q] [-s minimumsize] [-m MM-DD-YYYY] remfile ...
Usage: -grep [-d] [-v] [-n] [-i] [-h] [-C number_of_context_lines] pattern file1 [file2 ...]
Usage: -oget [-a] [-q] [-s begoff] [-b begoff] [-e endoff] remfile
Usage: -put locfile remfile [mode]
Usage: -strings remfile
Usage: -tail [+/-n] remfile, + to skip n lines of remfile beginning
Usage: -touch [-t mtime:atime | refremfile] remfile
Usage: -rm remfile|remdir ...
Usage: -upload file port
Usage: -mailgrep [-l] [-m maxbytes] [-r "regexp" [-v]] [-f regexpfilename [-v]] [-a "regexp for attachments to eliminate"] [-b MM-DD-YYYY] [-e MM-DD-YYYY] [-d remotedumpfile] remotedir file1 [file2 ...]
       ex: -mailgrep -a ".doc" -r "^Fred" -b 2-28-2002 /var/spool/mail G*
Remote Directory Commands:
Usage: -find [-M | -m -mkfindsargs] [-x[m|a|c] MM-DD-YYYY] remdir [remdir...]
Usage: -ls [-1ihuRt] [-x[m|a|c] MM-DD-YYYY] [remfile|remdir ...]
Usage: -cd [remdir]
Usage: -cdp
Local Client Commands:
Usage: -autopilot port [xml]
Usage: -cmdout [locfilename]
Usage: -exit
Usage: -help
Usage: -hist
Usage: -readrc [locfile]
Usage: -remark [comment]
Usage: -rem [comment]
Usage: # [comment]
Usage: -reset
Local Environment Commands:
Usage: -lcd locdir
Usage: -lgetenv
Usage: -lpwd
Usage: -lsetenv VAR=[val]
Usage: -lsh [[-q] command]
Aliases:
NOPEN is a generic unix RAT. The dump contains a build for Linux i386, but disassembly of the client and server shows that the tool was made for more than that:
.rodata:0807B04D aI586   db 'i586',0    ; DATA XREF: _serverCpuInfo+1Do
.rodata:0807B04D                        ; _serverCpuInfo+4Co
.rodata:0807B052                        ; char aI686
.rodata:0807B052 aI686   db 'i686',0    ; DATA XREF: _serverCpuInfo+73o
.rodata:0807B057                        ; char aI486
.rodata:0807B057 aI486   db 'i486',0    ; DATA XREF: _serverCpuInfo+8Do
.rodata:0807B05C                        ; char aI386
.rodata:0807B05C aI386   db 'i386',0    ; DATA XREF: _serverCpuInfo+A7o
.rodata:0807B061                        ; char aSparc
.rodata:0807B061 aSparc  db 'sparc',0   ; DATA XREF: _serverCpuInfo+E0o
.rodata:0807B067                        ; char aI86pc
.rodata:0807B067 aI86pc  db 'i86pc',0   ; DATA XREF: _serverCpuInfo+FBo
.rodata:0807B06D                        ; char aI_86
.rodata:0807B06D aI?86   db 'i?86',0    ; DATA XREF: _serverCpuInfo+119o
.rodata:0807B072                        ; char aAlpha
.rodata:0807B072 aAlpha  db 'alpha',0   ; DATA XREF: _serverCpuInfo+137o
.rodata:0807B078                        ; char aX86_64
.rodata:0807B078 aX86_64 db 'x86_64',0  ; DATA XREF: _serverCpuInfo+155o
.rodata:0807B07F                        ; char aAmd64
.rodata:0807B07F aAmd64  db 'amd64',0   ; DATA XREF: _serverCpuInfo+173o
It also supports multiple operating systems: the disassembly contains notes and pieces of code specific to those operating systems, so it is safe to presume the code is meant to run there.
Other commands not listed in "-help"
.data:0808220C commandHelp dd 0 ; DATA XREF: sub_8059570+746r
"-head"; "[-n] remfile"
"-sget"; "hostname port file [file ...]"
"-srecv"; "port"
"-h"
"-burnBURN"
"-stat"
"-sq"; "remfile"
"-w"
"-lambda"
"-hammy"; "localport toip srcport [toport]"
"-at"; "[-B] time[m] command"
"-listen"; "port"
"-trigger"; "localport toip srcport [toport]"
"-triggerold"; "localport toip srcport [toport]"
"-sniff"; "localfile iface [exclusion filters port"...
"-suc"; "[get|<filename>] | [-s] <pid> [<pid>..]"...
"-jscan"; "[-t timeout] scanType target [dstPort] "...
"-hstun"; "toip [toport [localport [srcport [comma"...
"-hrtun"; "port [toip [toport]]"
"-hutun"; "toip toport [localport [srcport]]"
"-lpid"
"-sha1sum"; "remfile ..."
UberControl sub menu
This seems mostly related to rootkit-like persistence: hiding files, processes, sockets, etc.
CardShark sub menu
That part seems mostly related to libnet traffic injection for Solaris 2.6+.
Tunnel sub menu
[t]imeout time
[r]emote listenport [target [port]]
[l]ocal listenport target [port [source_port]]
[L]ocal listenport target [port [source_port]]; with one byte extra for socket state
[u]dp listenport target [port [source_port]]
[U]dp listenport [target [port]]
[c]lose channel
[s]tatus - prints status messages for channels
[q]uit - leaves the tunnel, please do not hit Cntl-C, it makes the tunnel unhappy
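Since the binaries in the dump are statically compiled and carry their help text, command names and even symbol names in the clear, one cheap way to hunt for copies on disk is to look for several of those strings together. The following Python is an added example of that hunt, my code rather than anything from the dump or this post; the marker list is lifted from the -help output, the disassembly and the sub menu names quoted above, while the minimum-hit threshold and the sample buffers are my own assumptions.

```python
from pathlib import Path

# Strings taken from the -help output, disassembly and sub menus quoted on this page.
NOPEN_MARKERS = [
    b"NOPEN!",
    b"Lonely? Bored? Need advice?",
    b"_serverCpuInfo",       # symbol name seen in the disassembly
    b"-burnBURN",
    b"-jackpop",
    b"-irtun",
    b"-hammy",
    b"-chili",
    b"-mailgrep",
    b"UberControl",
    b"CardShark",
]
MIN_HITS = 4  # assumption: require several markers together to limit false positives


def marker_hits(data: bytes) -> list:
    """Return the markers present in the buffer, in NOPEN_MARKERS order."""
    return [m.decode() for m in NOPEN_MARKERS if m in data]


def is_suspect(data: bytes, min_hits: int = MIN_HITS) -> bool:
    """True when the buffer carries at least min_hits distinct markers."""
    return len(marker_hits(data)) >= min_hits


def scan_tree(root: str, max_size: int = 50 * 1024 * 1024) -> dict:
    """Map path -> marker hits for regular files under root that qualify.

    Symlinks and oversized files are skipped; unreadable files are ignored.
    """
    results = {}
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_size > max_size:
                continue
            data = path.read_bytes()
        except OSError:
            continue
        hits = marker_hits(data)
        if len(hits) >= MIN_HITS:
            results[str(path)] = hits
    return results


# Constructed stand-ins for file contents; these are not bytes from the dump.
SAMPLE_SUSPECT = (b"\x7fELF" + b"\x00" * 12
                  + b"NOPEN!\x00-burnBURN\x00-jackpop\x00-hammy\x00-chili\x00"
                  + b"Lonely? Bored? Need advice? Maybe \"-help\" will show you the way.\x00")
SAMPLE_BENIGN = b"\x7fELF" + b"\x00" * 12 + b"Usage: ls [OPTION]... [FILE]...\x00-chili\x00"

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin"
    for p, hits in scan_tree(root).items():
        print(p, hits)
```

Because the help strings live in the client as well as the server, this flags both halves of the tool, and it will also flag any document that quotes the -help output (this post included), which is why a single hit is not enough and the threshold asks for several distinct markers. A rebuilt or packed binary can of course drop these strings, so this complements rather than replaces the behavioral detection discussed at the end of the post.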
As we mentioned earlier, this looks pretty bad at first glance: a fully encrypted unix RAT with tunnels, a rootkit, libnet injection, etc.
If we step back a bit, however, it is not that different from the RATs we have dealt with in the past. Poison Ivy, Blackshades, helium, or any RAT really: they might not be as nice, but they all share common features and behaviors.
What is a RAT and how does it behave on the network?
- Usually gives you a shell or similar on the host. == low bandwidth and interactive communication.
- Tends to be encrypted to evade basic IDP/DLP solutions. == higher entropy.
- Goes to a listening post, probably not a frequent destination in your network. == unpopular IPv4 address for the network, or at least you would hope.
- Often the protocol won't respect any RFC; machine learning, whitelisting of allowed apps, or proxy-only traffic could help. == uncommon handshake.
- Is human driven and behaves as such. A bot can fake being human, a human can't fake being a machine. == fails the Turing test.
All the previous RATs we have dealt with had similar behaviors, so from that point of view NOPEN is not really new or different. Yes, the actor behind it is more sophisticated, but while the tool might be better, their behavior is still the same. Do we need all of those behaviors to detect such a RAT? Probably not. In fact, we can achieve very high confidence that those sessions are external remote access with machine learning targeted at just a few of those behaviors. And while the Equation Group presumably took the time to evade IDP/DLP with encryption, they never bothered to evade side-channel analysis, and this is where we can catch this tool most easily. In fact, the exact same machine learning module we trained 3 years ago on RATs ranging from Poison Ivy, Blackshades, helium and core-agent to others recognized the same behavioral pattern in NOPEN, even though we had never seen it before. So not only is it possible to catch a RAT like NOPEN, it's possible to do so before even knowing it exists.
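To make the five behaviors listed above concrete, here is an added Python example (mine, not the post's and not the machine learning module the author describes) that scores a per-session flow summary against each of them: interactive low bandwidth, high entropy, a rare destination, an encrypted stream with no recognisable banner, and human-like timing jitter. The Flow record layout, every threshold, and the sample flows are constructed assumptions; the "beacon" sample is there to show that entropy alone is not enough, which is the point of combining several behaviors.

```python
import hashlib
import math
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    src: str              # internal host that opened the session
    dst: str              # remote endpoint (the suspected listening post)
    duration: float       # session length in seconds
    packets: int          # payload-carrying packets, both directions
    payload_bytes: int    # payload bytes, both directions
    gaps: list            # seconds between successive client sends
    first_payload: bytes  # first client->server application bytes


# Protocols that are encrypted or binary but announce themselves with a fixed prefix.
KNOWN_PREFIXES = (b"\x16\x03", b"SSH-", b"GET ", b"POST ", b"HEAD ", b"CONNECT ")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 8.0 means uniform (encrypted-looking)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_interactive(f: Flow) -> bool:
    """Long-lived, chatty, tiny packets: a shell session, not a transfer."""
    return f.duration >= 60 and f.packets >= 20 and f.payload_bytes / f.packets < 256


def looks_encrypted(f: Flow) -> bool:
    return shannon_entropy(f.first_payload) > 7.0   # threshold is an assumption


def uncommon_handshake(f: Flow) -> bool:
    """High-entropy bytes with no recognisable protocol banner in front."""
    return looks_encrypted(f) and not f.first_payload.startswith(KNOWN_PREFIXES)


def rare_destination(f: Flow, all_flows: list) -> bool:
    """Few internal hosts talk to this endpoint in the observation window."""
    talkers = {g.src for g in all_flows if g.dst == f.dst}
    return len(talkers) <= 2


def human_driven(f: Flow) -> bool:
    """Typed commands arrive with jitter; a beacon fires on a fixed timer."""
    if len(f.gaps) < 5:
        return False
    mean = statistics.mean(f.gaps)
    if mean == 0:
        return False
    cv = statistics.pstdev(f.gaps) / mean   # coefficient of variation
    return cv > 0.5 and 0.2 <= statistics.median(f.gaps) <= 60


def score(f: Flow, all_flows: list) -> int:
    """Number of RAT behaviors the flow exhibits, 0..5."""
    return sum((is_interactive(f), looks_encrypted(f), uncommon_handshake(f),
                rare_destination(f, all_flows), human_driven(f)))


def is_rat_session(f: Flow, all_flows: list, threshold: int = 3) -> bool:
    return score(f, all_flows) >= threshold


def _pseudo_random(blocks: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (constructed, not real traffic)."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(blocks))


# Constructed sample flows; none of these are captures of the real tool.
SAMPLE_FLOWS = [
    # An interactive, encrypted, bannerless session from one host to a lone
    # external address, with the irregular cadence of a typed shell.
    Flow("10.0.0.5", "203.0.113.7", 600.0, 80, 9000,
         [0.8, 2.5, 12.0, 0.4, 7.3, 1.1, 25.0, 3.2], _pseudo_random(32, b"a")),
    # Forty hosts beaconing over TLS to one popular address on a fixed timer.
    *[Flow("10.0.0.%d" % i, "198.51.100.20", 480.0, 16, 6400, [60.0] * 8,
           b"\x16\x03\x01" + _pseudo_random(32, b"b")) for i in range(10, 50)],
    # A plain HTTP fetch to that same popular address.
    Flow("10.0.0.6", "198.51.100.20", 5.0, 12, 30000, [0.1] * 5,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS[:1] + SAMPLE_FLOWS[-2:]:
        print(flow.src, "->", flow.dst, "score", score(flow, SAMPLE_FLOWS),
              "RAT" if is_rat_session(flow, SAMPLE_FLOWS) else "ok")
```

The shell-like flow trips all five checks while the TLS beacon, although just as encrypted, trips only the entropy check: it announces itself as TLS, forty hosts share its destination, and it fires every 60 seconds like a machine. That is the side channel the text refers to; none of it depends on reading the RC6-protected payload, which is why a tool the model has never seen can still be scored. In a real deployment the thresholds would be learned from the site's own traffic rather than fixed as they are here.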
This is where machine learning can really help build a new kind of defense: one that recognizes patterns that would be hard for a human to pinpoint, and one that forces the attacker to change their patterns and behavior rather than just tweak a few bytes to bypass the next AV/signature update.