Turla Neuron Malware Update

a guest
Jan 24th, 2018
TLP WHITE
Turla group update Neuron malware
Version 1.0
Reference: NCSC-Ops/04-18
18 January 2018
Crown Copyright 2018
TLP WHITE
Page 1 of 8
About this Document
This NCSC report provides new intelligence on the Neuron malware, a tool used by the Turla group to target the UK. It contains IOCs and signatures for detection and network monitoring.
Handling of the Report
Information in this report has been given a Traffic Light Protocol (TLP) of WHITE, which means it can be shared within and beyond the CiSP community with no handling restrictions.
Disclaimer
This report draws on reported information, as well as information derived from industry sources.
Contents
About this Document ........ 1
Handling of the Report ..... 2
Disclaimer ................. 2
Introduction ............... 4
  Summary of changes ....... 4
Neuron Updates ............. 5
  Loader ................... 5
  Payload .................. 6
    Encryption ............. 6
    Communications ......... 6
  Associated Files ......... 6
  Neuron Yara .............. 7
Introduction
In November 2017, the NCSC released an advisory highlighting the Turla Group’s use of the tools Neuron and Nautilus [1].
Since then, the NCSC has identified a new version of the Neuron malware. The new version has been modified to evade previous detection methods.
Neuron operates on Microsoft Windows platforms, primarily targeting mail servers and web servers. The NCSC has observed this tool being used by the Turla group to maintain persistent network access and to conduct network operations.
The compile times contained within these new binaries show that the actor implemented the required modifications to Neuron approximately five days after public releases by the NCSC and other vendors.
This NCSC report provides new intelligence on the Neuron malware, a tool used by the Turla group to target the UK. It contains IOCs and signatures to be used for network monitoring and detection.
The files analysed in this report are available on VirusTotal.
Summary of changes to Neuron malware
• The .NET payload is loaded in-memory as opposed to being dropped to disk;
• Communications have been modified to avoid detection;
• Some encryption methods have replaced RC4 with AES;
• The modifications are sufficient to avoid previously released signatures & IOCs.
[1] https://share.cisp.org.uk/docs/DOC-6912
Neuron Updates
A sample of Neuron was recently uploaded to VirusTotal. This sample appears to be an updated version of Neuron. Changes have primarily been made to the dropper and loading mechanisms.
The PDB string embedded within the binary supports the assumption that this is a newer version by referring to itself as “neuron2”.
This sample contains sufficient modifications to frustrate detection, allowing Turla operations to continue.
Loader
With previous versions of Neuron, a native dropper was utilised to write the main payload to disk, establish persistence and ensure execution. This latest version uses a native x64 loader to execute the .NET payload in-memory. The payload is encrypted within the loader, which ensures the payload never touches disk in plaintext. This modification has likely been made to evade detection during disk scans performed by anti-virus products; however, anti-virus products that scan memory will still likely be able to detect the payload running.
The loader has the required exports to enable configuration as a service, so it is believed this will be the method used for persistence.
The loader can also specify which endpoints (HTTP(S) or pipe) to listen on by passing them to the .NET executable as arguments. In this sample the endpoints specified are different to previous versions:
• http://*:80/OWA/OAB/
• https://*:443/OWA/OAB/
If no arguments are provided, the payload will use the following defaults for HTTP(S) or pipes:
• http://*:80/W3SVC/
• https://*:443/W3SVC/
• pipe://*/Winsock2/baseapi_http
Error handling has been added to the new payload. If the web server encounters an exception, it will attempt to use the default values above; if another exception occurs, the payload will revert to using the default HTTP (port 80) value.
Loader PDB string: D:\Develop\sps\neuron2\x64\Release\dcomnet.pdb
Payload
The main payload is still a .NET executable, but several modifications have been made to its operation, which are described below.
Encryption
Previous versions of Neuron used RC4 for the encryption of data stored on disk or sent over the network. Portions of the updated Neuron service have been migrated to AES; however, some components still rely on the RC4 implementation, such as encrypting command information.
The actors have configured multiple hardcoded encryption keys rather than using one for everything. For example, one is used for normal communication between nodes, and another is used if the node is proxying a request. These modifications are likely implemented to make detection and decryption by network defenders more difficult.
Communications
The communication between clients and servers has also changed to avoid detection. The server expects a POST request, but rather than using the previous pre-defined parameter names (cid, cadata etc.), the new function loops through each parameter looking for certain characters within that parameter’s value to determine what functionality should be performed. This allows the parameter names to be randomly generated and/or regularly changed, making it more difficult for network defenders to reliably detect communications.
As an example, the following characters are looked for (in the order shown) to determine which functionality should be performed:
Character      Functionality
#              Set the AES salt
( and )        Return list of storage files
(              Get and return defined storage file
)              Add specified storage file to local storage (write to disk)
-              Send RSA encrypted encryption key (machine GUID)
_              Proxy request through to another address
, but not _    Perform specified command and return result
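Because the dispatch depends only on characters inside parameter values, a defender triaging a captured POST to one of the listed endpoints cannot key on parameter names at all. The following is an added example (not code from the NCSC report) that applies the report's character checks, in the order given, to each value of a captured request body. It assumes an application/x-www-form-urlencoded body (the report does not state the encoding), and the functionality labels are shortened paraphrases of the table above.

```python
from urllib.parse import parse_qsl

# Character checks in the order the report lists them. The first test that
# matches a parameter value decides which functionality the server performs.
# Labels are shortened paraphrases of the report's table (assumed wording).
CHECKS = [
    (lambda v: "#" in v,                  "set AES salt"),
    (lambda v: "(" in v and ")" in v,     "list storage files"),
    (lambda v: "(" in v,                  "get storage file"),
    (lambda v: ")" in v,                  "add storage file"),
    (lambda v: "-" in v,                  "send RSA-encrypted key"),
    (lambda v: "_" in v,                  "proxy request"),
    (lambda v: "," in v and "_" not in v, "execute command"),
]


def classify_value(value: str):
    """Return the functionality label for one parameter value, or None."""
    for test, label in CHECKS:
        if test(value):
            return label
    return None


def triage_post_body(body: str):
    """Classify every parameter in a captured POST body.

    Assumes an application/x-www-form-urlencoded body (an assumption; the
    report does not state the encoding). Parameter names are ignored entirely,
    which is the point of the new dispatch: only the value's characters matter.
    """
    return [
        (name, label)
        for name, value in parse_qsl(body, keep_blank_values=True)
        if (label := classify_value(value)) is not None
    ]


if __name__ == "__main__":
    # Constructed sample body; the parameter names are deliberately random-looking.
    sample = "zq8=abc%231&rnd=hello&k=run%2Cwhoami&p=a_b%2Cc"
    for name, label in triage_post_body(sample):
        print(f"{name}: {label}")
```

Ordinary form data routinely contains these characters, so this classification is a triage aid for requests already flagged by other means (for example POSTs to the OWA/OAB or W3SVC prefixes above), not a standalone signature; the sample also shows that a value containing both "_" and "," is treated as a proxy request because "_" is tested first.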
Associated Files

Name:          dcomnet.dll
Description:   Neuron2 Loader (x64)
MD5:           60bcc6bc746078d81a9cd15cd4f199bb
SHA1:          c9fc7ce10aba20894ef914d2073021a48995db17
SHA256:        51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927
Size:          170496
Compile Time:  28 Nov 2017 06:25:24

Name:          neuron2.exe
Description:   Neuron2 Payload
MD5:           d891c9374ccb2a4cae2274170e8644d8
SHA1:          2fb145c64263006a95a0771b57e967977f63954d
SHA256:        83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015
Size:          59392
Compile Time:  28 Nov 2017 04:44:26

Neuron Yara
rule neuron2_loader_strings {
    meta:
        description = "Rule for detection of Neuron2 based on strings within the loader"
        author = "NCSC"
        hash = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"
    strings:
        $ = "dcom_api" ascii
        $ = "http://*:80/OWA/OAB/" ascii
        $ = "https://*:443/OWA/OAB/" ascii
        $ = "dcomnetsrv.cpp" wide
        $ = "dcomnet.dll" ascii
        $ = "D:\\Develop\\sps\\neuron2\\x64\\Release\\dcomnet.pdb" ascii
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 2 of them
}
rule neuron2_decryption_routine {
    meta:
        description = "Rule for detection of Neuron2 based on the routine used to decrypt the payload"
        author = "NCSC"
        hash = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"
    strings:
        $ = {81 FA FF 00 00 00 0F B6 C2 0F 46 C2 0F B6 0C 04 48 03 CF 0F B6 D1 8A 0C 14 8D 50 01 43 32 0C 13 41 88 0A 49 FF C2 49 83 E9 01}
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
rule neuron2_dotnet_strings {
    meta:
        description = "Rule for detection of the .NET payload for Neuron2 based on strings used"
        author = "NCSC"
        hash = "83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015"
    strings:
        $dotnetMagic = "BSJB" ascii
        $s1 = "http://*:80/W3SVC/" wide
        $s2 = "https://*:443/W3SVC/" wide
        $s3 = "neuron2.exe" ascii
        $s4 = "D:\\Develop\\sps\\neuron2\\neuron2\\obj\\Release\\neuron2.pdb" ascii
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 2 of ($s*)
}
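All three rules share the same header guard, and two of them count strings with "2 of them" / "2 of ($s*)". The following added example (not NCSC's code, and not a substitute for running the rules in YARA) re-implements the string-based rules above in plain Python so the logic can be stepped through: the little-endian uint16/uint32 reads that make "MZ" equal 0x5A4D and "PE" equal 0x4550, UTF-16LE encoding for the "wide" strings, and the string counting. The hex-pattern rule is not covered, and the PE-shaped buffers are constructed for the demonstration only.

```python
import struct

# Strings from the report's neuron2_loader_strings rule. "wide" strings are
# UTF-16LE in the binary, so they are encoded that way here.
LOADER_STRINGS = [
    b"dcom_api",
    b"http://*:80/OWA/OAB/",
    b"https://*:443/OWA/OAB/",
    "dcomnetsrv.cpp".encode("utf-16-le"),
    b"dcomnet.dll",
    b"D:\\Develop\\sps\\neuron2\\x64\\Release\\dcomnet.pdb",
]

# Strings from the neuron2_dotnet_strings rule (the .NET magic and the $s* group).
DOTNET_MAGIC = b"BSJB"
DOTNET_STRINGS = [
    "http://*:80/W3SVC/".encode("utf-16-le"),
    "https://*:443/W3SVC/".encode("utf-16-le"),
    b"neuron2.exe",
    b"D:\\Develop\\sps\\neuron2\\neuron2\\obj\\Release\\neuron2.pdb",
]


def looks_like_pe(data: bytes) -> bool:
    """Mirror of YARA's `uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550`.

    YARA's uint16/uint32 are little-endian reads, so b"MZ" reads as 0x5A4D and
    b"PE" as 0x4550. A read past the end of the file makes the YARA condition
    false; the length checks here behave the same way.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550


def count_present(data: bytes, patterns) -> int:
    """How many distinct patterns occur in data ("N of them" counts strings, not hits)."""
    return sum(1 for p in patterns if p in data)


def neuron2_loader_strings(data: bytes) -> bool:
    """Python equivalent of the loader rule's condition."""
    return looks_like_pe(data) and count_present(data, LOADER_STRINGS) >= 2


def neuron2_dotnet_strings(data: bytes) -> bool:
    """Python equivalent of the .NET payload rule's condition."""
    return (looks_like_pe(data) and DOTNET_MAGIC in data
            and count_present(data, DOTNET_STRINGS) >= 2)


def build_sample(embedded: bytes = b"", e_lfanew: int = 0x80, mz: bytes = b"MZ") -> bytes:
    """Construct a minimal PE-shaped buffer for the demonstration (not a real executable)."""
    header = bytearray(e_lfanew + 4)
    header[0:2] = mz
    struct.pack_into("<I", header, 0x3C, e_lfanew)   # e_lfanew points at "PE\0\0"
    header[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(header) + embedded


if __name__ == "__main__":
    loader_like = build_sample(b"dcom_api\0dcomnet.dll\0")
    payload_like = build_sample(b"BSJB" + b"neuron2.exe\0" + "http://*:80/W3SVC/".encode("utf-16-le"))
    print("loader rule:", neuron2_loader_strings(loader_like))     # True
    print("dotnet rule:", neuron2_dotnet_strings(payload_like))     # True
    print("one string only:", neuron2_loader_strings(build_sample(b"dcom_api\0")))  # False
```

Two details worth noting when porting or tuning such rules: "2 of them" is satisfied by two different strings, not two occurrences of one string, and the wide strings will never match if searched as plain ASCII.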