
Reverse engineering the Shadow Brokers dump: A close look at NOPEN

Posted by Chris Morales on Sep 12, 2016 11:58:00 PM


While digging and reversing my way through the Equation Group dump, I've come across a few interesting pieces that are probably not getting the attention they deserve. While most of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

Certainly 0-days are great, but in my opinion the previously disclosed Fortidoor exploit is 100x more significant than the Fortigate HTTP 0-days disclosed in the dump. And while most of the dump is firewall implants and a few exploits, there are some very interesting ops tools in the drop. One of those tools is NOPEN. It is referenced multiple times in their scripts, ops notes and docs, and seems to be one of the cornerstones of their infrastructure. It is significant both as a backdoor on a target network and as a tool deployed on a listening post to build a multi-layer call-back network. So let's take a closer look at this software.

Overview: It's a RAT

Roughly speaking, NOPEN is a complete, statically compiled backdoor in one neat package. As we will see, it is a Unix RAT with an encrypted command channel, tunnels, libnet injection and privilege escalation, among other things. It can either be installed on the host to wait for a third party to connect, or be used the way their docs suggest:

1- you install it

2- it calls you / your listening post back

3- when you are done, you burn it

Ultimately it gives you a powerful yet simple shell plus tunnel capabilities, all wrapped in their now famous RC6 crypto. And while all of this looks pretty bad at first, there is actually some good news in terms of detecting and hunting this tool. So let's dive into the analysis, and at the end we will look at some strategies for detection.

I've provided some links to help navigate through the various sections below:

Welcome screen

Commands available from -help

Hidden commands

Supported architectures

Supported operating systems

Detecting and Hunting 

NOPEN Welcome screen

Because you should always welcome people in, after all... be polite.

NOPEN!                             v3.0.5.3
 
sh: 1: scanner: not found
sh: 1: ourtn: not found
sh: 1: scripme: not found
Wed Aug 31 18:07:05 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/root/Firewall/TOOLS/NOPEN/.."
NHOME=/root/Firewall/TOOLS/NOPEN/..
Reading resource file "/root/Firewall/TOOLS/NOPEN/../etc/norc"... /root/Firewall/TOOLS/NOPEN/../etc/norc: No such file or directory
TERM=xterm-256color
Entering connect mode
Attempting connection to 127.0.0.1:32754 (127.0.0.1:32754)... ok
Initiating RSA key exchange
  Generating random number... ok
  Initializing RC6... ok
  Sending random number... ok
  Receiving random number... ok
  Generating session key... 0x0DE6200E48AB016831720B109B8B2874
  Sending first verify string... ok
  Receiving second verify string... ok
  Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 3.0.5.3
 
Connection
  Bytes In / Out     201/94 (213%C) / 63/4 (1575%C)
  Local Host:Port    localhost:41847 (127.0.0.1:41847)
  Remote Host:Port   127.0.0.1:32754 (127.0.0.1:32754)
  Remote Host:Port   kali:32754 (127.0.0.1:32754)
Local
  NOPEN client       3.0.5.3
  Date/Time          Wed Aug 31 18:07:05 UTC 2016
  History             
  Command Out         
  CWD                /root/Firewall/TOOLS/NOPEN
  NHOME              /root/Firewall/TOOLS/NOPEN/..
  PID (PPID)         6904 (6896)
Remote
  NOPEN server       3.0.5.3
  WDIR               NOT SET
  OS                 Linux 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64
  CWD                 
  PID (PPID)         6908 (6889)
 
Reading resource file "/root/Firewall/TOOLS/NOPEN/../etc/norc.linux"... /root/Firewall/TOOLS/NOPEN/../etc/norc.linux: No such file or directory
History loaded from "/root/Firewall/TOOLS/NOPEN/../down/history/kali.127.0.0.1"... ok
Creating command output file "/root/Firewall/TOOLS/NOPEN/../down/cmdout/kali.127.0.0.1-2016-08-31-18:07:05"... ok
Lonely?  Bored?  Need advice?  Maybe "-help" will show you the way. 
We are starting up our virtual autoport



Commands available from -help

 
We are bound and ready to go on port 1025
NO! kali:>-help
[08-31-16 18:07:17 GMT][localhost:41847 -> kali.127.0.0.1:32754] [-help]

Remote General Commands:
Usage: -elevate
Usage: -getenv
Usage: -gs category|filename [options-if-any]
Usage: -setenv VAR=[val]
Usage: -shell
Usage: -status
Usage: -time

Remote Server Commands:
Usage: -burn
Usage: -call ip port
Usage: -listen port
Usage: -pid

Remote Network Commands:
Usage: -icmptime target_ip [source_ip]
Usage: -ifconfig
Usage: -nslookup name1 ...
Usage: -ping -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -ping host
       -ping [-u|-t|-i] host
Usage: -trace -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -trace host
       -trace [-u|-t|-i] host

Remote Redirection Commands:
Usage: -fixudp port
Usage: -irtun target_ip call_back_port [call_back_ip] [ourtn arguements]
Usage: -jackpop target_ip target_port source_ip source_port
Usage: -nrtun port [toip [toport]]
Usage: -nstun toip [toport [localport [srcport [command]]]]
       -nstun toip:port
Usage: -rawsend tcp_port
Usage: -rtun port [toip [toport]]
Usage: -scan
Usage: -sentry target_address source_address (tcp|udp) dest_port src_port interface
Usage: -stun toip toport [localport [srcport]]
Usage: -sutun [-t ttl] toip toport [localport [srcport]]
Usage: -tunnel [command_listen_port [udp]]
Usage: -vscan  (should add help)

Remote File Commands:
Usage: -cat remfile
Usage: -chili [-l] [-s lines] [-m max] MM-DD-YYYY remdir remfile [remfile ...]
Usage: -cksum remfile ...
Usage: -fget [MM-DD-YYYY] loclist
Usage: -get [-l] [-q] [-s minimumsize] [-m MM-DD-YYYY] remfile ...
Usage: -grep [-d] [-v] [-n] [-i] [-h] [-C number_of_context_lines] pattern file1 [file2 ...]
Usage: -oget [-a] [-q] [-s begoff] [-b begoff] [-e endoff] remfile
Usage: -put locfile remfile [mode]
Usage: -strings remfile
Usage: -tail [+/-n] remfile, + to skip n lines of remfile beginning
Usage: -touch [-t mtime:atime | refremfile] remfile
Usage: -rm remfile|remdir ...
Usage: -upload file port
Usage: -mailgrep [-l] [-m maxbytes] [-r "regexp" [-v]] [-f regexpfilename [-v]] [-a "regexp for attachments to eliminate"] [-b MM-DD-YYYY] [-e MM-DD-YYYY] [-d remotedumpfile] remotedir file1 [file2 ...]
  ex: -mailgrep -a ".doc" -r "^Fred" -b 2-28-2002 /var/spool/mail G*

Remote Directory Commands:
Usage: -find [-M | -m -mkfindsargs] [-x[m|a|c] MM-DD-YYYY] remdir [remdir...]
Usage: -ls [-1ihuRt] [-x[m|a|c] MM-DD-YYYY] [remfile|remdir ...]
Usage: -cd [remdir]
Usage: -cdp

Local Client Commands:
Usage: -autopilot port [xml]
Usage: -cmdout [locfilename]
Usage: -exit
Usage: -help
Usage: -hist
Usage: -readrc [locfile]
Usage: -remark [comment]
Usage: -rem [comment]
Usage: # [comment]
Usage: -reset

Local Environment Commands:
Usage: -lcd locdir
Usage: -lgetenv
Usage: -lpwd
Usage: -lsetenv VAR=[val]
Usage: -lsh [[-q] command]

Aliases:

Supported architectures per disassembly.

----

NOPEN is a generic Unix RAT. The version in the dump is built for Linux i386, but disassembly of the client and server shows that the tool is written for more than that. The _serverCpuInfo routine references the following architecture strings:

.rodata:0807B04D aI586           db 'i586',0             ; DATA XREF: _serverCpuInfo+1Do
.rodata:0807B04D                                         ; _serverCpuInfo+4Co
.rodata:0807B052 ; char aI686[]
.rodata:0807B052 aI686           db 'i686',0             ; DATA XREF: _serverCpuInfo+73o
.rodata:0807B057 ; char aI486[]
.rodata:0807B057 aI486           db 'i486',0             ; DATA XREF: _serverCpuInfo+8Do
.rodata:0807B05C ; char aI386[]
.rodata:0807B05C aI386           db 'i386',0             ; DATA XREF: _serverCpuInfo+A7o
.rodata:0807B061 ; char aSparc[]
.rodata:0807B061 aSparc          db 'sparc',0            ; DATA XREF: _serverCpuInfo+E0o
.rodata:0807B067 ; char aI86pc[]
.rodata:0807B067 aI86pc          db 'i86pc',0            ; DATA XREF: _serverCpuInfo+FBo
.rodata:0807B06D ; char aI_86[]
.rodata:0807B06D aI?86           db 'i?86',0             ; DATA XREF: _serverCpuInfo+119o
.rodata:0807B072 ; char aAlpha[]
.rodata:0807B072 aAlpha          db 'alpha',0            ; DATA XREF: _serverCpuInfo+137o
.rodata:0807B078 ; char aX86_64[]
.rodata:0807B078 aX86_64         db 'x86_64',0           ; DATA XREF: _serverCpuInfo+155o
.rodata:0807B07F ; char aAmd64[]
.rodata:0807B07F aAmd64          db 'amd64',0            ; DATA XREF: _serverCpuInfo+173o
 
    

Supported operating systems per disassembly

The disassembly also contains notes and code paths specific to the following operating systems, so it is safe to presume the code was built to run on them:

  •   FreeBSD
  •   Linux
  •   SunOS
  •   HP-UX
  •   Solaris

Other commands that are hidden from the operator

These commands are accepted but are not listed in the -help output. The list below is recovered from the commandHelp table referenced in the disassembly; the second field, where present, is the command's usage string, and entries ending in "..." are truncated in the listing.

.data:0808220C commandHelp     dd 0                    ; DATA XREF: sub_8059570+746r
"-head"; "[-n] remfile"
"-sget"; "hostname port file [file ...]"
"-srecv"; "port"
"-h"
"-burnBURN"
"-stat"
"-sq"; "remfile"
"-w"
"-lambda"
"-hammy"; "localport toip srcport [toport]"
"-at"; "[-B] time[m] command"
"-listen"; "port"
"-trigger"; "localport toip srcport [toport]"
"-triggerold"; "localport toip srcport [toport]"
"-sniff"; "localfile iface [exclusion filters port"...
"-suc"; "[get|<filename>] | [-s] <pid> [<pid>..]"...
"-jscan"; "[-t timeout] scanType target [dstPort] "...
"-hstun"; "toip [toport [localport [srcport [comma"...
"-hrtun"; "port [toip [toport]]"
"-hutun"; "toip toport [localport [srcport]]"
"-lpid"
"-sha1sum"; "remfile ..."
 

UberControl sub menu

This seems to be mostly related to rootkit-like persistence: hiding files, processes, sockets, etc.

CardShark sub menu

This part seems mostly related to libnet traffic injection on Solaris 2.6+.

Tunnel sub menu

*********Sub commands*******

[t]imeout time
  [r]emote listenport [target [port]]
  [l]ocal  listenport target [port [source_port]]
  [L]ocal  listenport target [port [source_port]]; with one byte extra for socket state
  [u]dp    listenport target [port [source_port]]
  [U]dp    listenport [target [port]]
  [c]lose channel
  [s]tatus  - prints status messages for channels
 
  [q]uit - leaves the tunnel, please do not hit Cntl-C, it makes the tunnel unhappy

 

Detection / Hunting time

As we mentioned earlier, this looks pretty bad at first glance: a fully encrypted Unix RAT with tunnels, a rootkit, libnet injection, etc.

If we step back a bit, however, it is not that different from the RATs we have dealt with in the past. Poison Ivy, Blackshades, Helium, or any RAT really: they might not be as polished, but they all share common features and behavior.

What is a RAT and how does it behave on the network?

  • It usually gives you a shell or similar on the host. == low-bandwidth, interactive communication.
  • It tends to be encrypted to evade basic IDP/DLP solutions. == higher entropy.
  • It goes to a listening post, probably not a frequent destination in your network. == an unpopular IPv4 address for the network, or at least you would hope so.
  • Its protocol often won't respect an RFC; machine learning, whitelisting of allowed apps or proxy-only traffic could help. == the handshake is uncommon.
  • It is human driven and behaves as such. A bot can fake being human, but a human can't fake being a machine. == it fails the Turing test.

All the previous RATs we have dealt with had similar behaviors, so from that point of view NOPEN is not really new or different. Yes, the actor behind it is more sophisticated, but while the tool might be better, the behavior is still the same. Do we need all of those behaviors to detect such a RAT? Probably not. In fact, we can achieve very high confidence that those sessions are external remote access with machine learning targeted at just a few of those behaviors. And while the Equation Group presumably took the time to evade IDP/DLP with encryption, they never bothered evading side-channel analysis (the timing, volume and direction of the traffic rather than its content), and this is where we can catch this tool most easily. In fact, the exact same machine learning module we trained three years ago on RATs ranging from Poison Ivy, Blackshades and Helium to core-agent and others recognized the same behavioral pattern in NOPEN, even though we had never seen it before. So not only is it possible to catch a RAT like NOPEN, it is possible to do so before knowing it even exists.
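As an added example (not code from the original post or from Vectra's product), the script below scores constructed sessions on four of the traits in the list above: payload entropy, low-bandwidth interactivity, destination rarity, and irregular, human-like command cadence. Flow records are built by hand as (seconds, direction, payload) tuples, the "ciphertext" is a uniform byte pattern standing in for RC6 output, the IP addresses are documentation ranges, and every threshold is an illustrative assumption rather than a tuned value.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; ciphertext sits near 8.0, ASCII well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bytes_per_second(session) -> float:
    total = sum(len(p) for _, _, p in session)
    span = session[-1][0] - session[0][0]
    return total / span if span > 0 else float(total)


def turn_count(session) -> int:
    """Direction flips between consecutive messages; a shell flips constantly."""
    return sum(1 for a, b in zip(session, session[1:]) if a[1] != b[1])


def cadence_cv(session) -> float:
    """Coefficient of variation of the gaps between outbound messages.
    A periodic beacon is near 0; an operator typing commands is well above 0.5."""
    times = [t for t, d, _ in session if d == "out"]
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean if mean > 0 else 0.0


def score_session(session, dst: str, peers_seen: dict) -> tuple:
    """One point per RAT trait present. Thresholds are illustrative assumptions."""
    reasons = []
    if shannon_entropy(b"".join(p for _, _, p in session)) > 7.0:
        reasons.append("high-entropy payload")
    if bytes_per_second(session) < 2000 and turn_count(session) >= 6:
        reasons.append("low-bandwidth interactive")
    if len(peers_seen.get(dst, set())) <= 1:  # only one internal host talks to it
        reasons.append("rare destination")
    if cadence_cv(session) > 0.5:
        reasons.append("human cadence")
    return len(reasons), reasons


def _ciphertext(n: int) -> bytes:
    """Stand-in for RC6 output: every byte value equally often, 8.0 bits/byte."""
    return (bytes(range(256)) * (n // 256 + 1))[:n]


def _beacon(n: int = 8) -> list:
    """Constructed plaintext check-in every 60 s, metronomic like a script."""
    out = []
    for i in range(n):
        out.append((60.0 * i, "out", b"GET /ping?id=7 HTTP/1.1\r\nHost: updates.example.net\r\n\r\n"))
        out.append((60.0 * i + 0.2, "in", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"))
    return out


# Constructed sessions: (seconds since first packet, direction, payload).
# Operator at a keyboard: small encrypted requests at irregular intervals.
NOPEN_LIKE = [
    (0.0, "out", _ciphertext(32)), (0.4, "in", _ciphertext(640)),
    (3.1, "out", _ciphertext(40)), (3.5, "in", _ciphertext(300)),
    (9.8, "out", _ciphertext(24)), (10.2, "in", _ciphertext(1200)),
    (25.0, "out", _ciphertext(48)), (25.6, "in", _ciphertext(180)),
    (61.2, "out", _ciphertext(32)), (61.5, "in", _ciphertext(720)),
    (63.0, "out", _ciphertext(16)), (63.4, "in", _ciphertext(96)),
]
# Encrypted bulk download from a popular CDN edge: one request, many large replies.
BULK_TLS = [(0.0, "out", _ciphertext(300))] + \
    [(0.01 * i, "in", _ciphertext(1400)) for i in range(1, 200)]
BEACON = _beacon()

# Which internal hosts have talked to each destination (constructed).
PEERS_SEEN = {
    "203.0.113.7": {"10.0.0.5"},
    "198.51.100.20": {f"10.0.0.{i}" for i in range(40)},
    "192.0.2.9": {"10.0.0.5"},
}
SESSIONS = {
    "nopen-like": (NOPEN_LIKE, "203.0.113.7"),
    "bulk-tls": (BULK_TLS, "198.51.100.20"),
    "beacon": (BEACON, "192.0.2.9"),
}


def flag_sessions(sessions=SESSIONS, peers_seen=PEERS_SEEN, threshold: int = 3) -> dict:
    """Sessions scoring at or above threshold, with the traits that fired."""
    report = {}
    for name, (sess, dst) in sessions.items():
        score, reasons = score_session(sess, dst, peers_seen)
        if score >= threshold:
            report[name] = (score, reasons)
    return report


if __name__ == "__main__":
    for name, (sess, dst) in SESSIONS.items():
        print(name, score_session(sess, dst, PEERS_SEEN))
    print("flagged:", flag_sessions())
```

Only the NOPEN-like session collects all four points. The bulk TLS download shares its entropy but fails the bandwidth, cadence and popularity checks, and the plaintext beacon is interactive and rare but has a metronomic cadence, which is exactly the trait a scripted bot cannot hide. A cutoff of three separates them in this toy data; in production the cutoff comes from baselining real traffic, and the periodic beacon is a job for a separate periodicity detector.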

This is where machine learning can really help build a new kind of defense: one that can recognize patterns that would be hard for a human to pin down, and one that forces the attacker to change his patterns and behavior rather than just tweaking a few bytes to bypass the next AV/signature update.
