Re-creating the Snake Rootkit Part 001, Or: How I Learned to Stop Worrying and Love Adversary Emulation — The Shopping List

0x0vid
7 min read · Jan 5, 2024


Source: https://securelist.com/the-epic-turla-operation/65545/

Obligatory disclaimer: all of the information presented here is for research purposes and should only be used in a legitimate and legal manner, the author will not be held responsible for any misdoings or illegal activities.

TL;DR: Adversaries have cool stuff; let's get some inspiration and make our own.

This post is the first in a series where we will be exploring how we can use existing threat intelligence reporting to get inspiration for our own offensive tooling and how we go from a list of features in APT malware (the shopping list) to a PoC with some of the same key capabilities. We are at no point aiming for a 100% match between what we are doing and the original, but we are looking to be inspired and potentially learn something interesting.

This post will detail the different rough requirements and research for the project, as well as help provide some rough structure to the project and define the general requirements. In the subsequent posts, more detail will be added.

As always, if there are better sources available for explaining something I'll refer to those, while also trying to be thorough in documenting sources and additional information for research on the side.

Motivation — i.e. why are we doing this?

The main reason for this project was a long-term interest in Windows internals and more specifically advanced malware like rootkits, as well as what tools are used by advanced actors to carry out long-haul access operations. And most importantly for fun and to learn something new!

… and most importantly because it's iconic… and I love doing iconic shit!

Prerequisite knowledge

For this series to be anything other than entertainment, the reader should have some familiarity with the following areas:

  • Malware development in general
  • Adversary emulation and penetration testing
  • Windows internals

Nonetheless, I'll try to make the different subjects as tangible as possible, and wherever someone is able to better explain something, or where I found inspiration, I'll of course provide links and resources.

Research: What is the Snake malware?

In short, Snake (also known as Ur0bUr0s) is a sophisticated piece of malware attributed to Russian intelligence (the FSB); more specifically, the activity and malware are closely linked to the APT group Turla. It is built for long-term persistence on hosts. Its major features are the stealth it gains by existing mostly in the kernel, its extensive use of encryption in all layers of its functionality, and the way C2 communications are done via packet inspection on the host rather than by opening a separate port on the host.

All these things come together to provide a highly sophisticated piece of malware. Instead of just repeating what has already been said better elsewhere, please refer to the following posts for a more detailed description of the malware and its features; we will be going into more detail in the posts to come.

Before getting too deep into the malware family and its capabilities, it should be noted that due to the age and complexity of the malware, a number of different versions and capabilities exist within these and these change over time, so do not read this as “there is only one right solution”, but rather as a snapshot of desirable capabilities.

https://hitcon.org/2014/downloads/E1_05_Paul Rascagneres — Uroburos Rootkit.pdf

Who is Turla?

Turla is a Russian Advanced Persistent Threat (APT) group which is believed to be part of the FSB's Centre 16. The group is suspected to specialise in advanced long-term information gathering and espionage against everything from pharma companies to governments. The article below covers Turla, their setup and their operations in more detail.

Russia’s FSB malign activity: factsheet

The group has been responsible for compromising both government and industry targets with the aim of gaining and maintaining long-term access in order to exfiltrate data as part of Russian espionage efforts.

Defining the capabilities we want — the shopping list Method

For this we will be looking at the threat reports linked above and, based on these, create a list of general and specific capabilities we want; from that list we will distil a final “shopping list”. This list will be used to define the scope of our project. We are not going to reverse everything and recreate it bit by bit, but rather look at the capabilities, choose what we would like, and then go about implementing it for ourselves.

We want the following capabilities:

  • Intercept incoming communication and look for magic bytes — emulating Snake's HTTP “ustart” method
  • Use of encoding and encryption for operations and communications
  • Use of a covert C2 channel by intercepting requests to legitimate applications
  • Custom C2 server
  • Use of classic rootkit features to hide system artefacts like registry keys, files, and processes

While this is not a full list it should be good enough to get us started, and then we will re-adjust when we come to the different parts.

Development compromises

It would be lovely if we had time to do everything the adversary does, but we don't, so we will have to make some compromises along the way. Whenever these come up I'll make sure to specify why a compromise was made and, if possible, give some insight into how the original method could have been implemented.

This of course means that more or less every aspect of this project has room for improvement, but again the goal is not perfect, the goal is to learn something cool and in the end, have a PoC that can be expanded.

Components:

Now that we have a general idea of what we are aiming for, let's look at the overall components that we might like to have to accomplish this. We want the different files composing the Snake/Ur0bUr0s malware:

  • Initial stager/installer
  • Kernel driver/rootkit utilising the Windows Filtering Platform (WFP) for covert communications, as well as for artefact concealment
  • DLL — custom loader for installing the services needed
  • Queue file — a series of files (which might potentially be done using a virtual file system, I don't know yet) containing configuration and operational data as well as tools for operations

Also, remember that we are not aiming for perfection here, but for fun and learning, so even though some of the techniques used here can be easily detectable and very static, it will still be a good first step in learning how to create advanced tooling.

Why a kernel driver?

Looking at our requirements, we can basically boil the kernel requirements down to the following:

  • Intercept network communications to legitimate services running on a given host

As I was reading the brilliant book “Evading EDR” by Matt Hand at the same time as I was doing this project, I started to notice a lot of similarities between what the book describes about how EDR software carries out its operations and what I wanted to achieve with my rootkit. This led to additional research, culminating in the discovery of the Windows Filtering Platform (WFP), which is the same technology the Windows firewall is built on. This is perfect for what we are trying to achieve, and it was also mentioned in one of the sources.
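Because WFP is the platform the Windows firewall itself is built on, a driver that registers its own callout at a network layer looks, from the outside, much like any other firewall component. The check a defender wants here is an inventory of registered WFP callouts and their providers, so that a callout that does not belong to Microsoft or to a known security product stands out. The snippet below is an added example written for this article, not code from the original post or from the Snake malware; it uses the real `netsh wfp show state` command, which writes the live WFP state as an XML file, and then lists every callout with its layer and provider. The XML element names it reads (`wfpstate`, `callouts/item`, `calloutKey`, `displayData/name`, `providerKey`, `applicableLayer`) are assumptions about the dump's schema and should be checked against your own output; the keyword list is a constructed starting point, not a vetted allowlist.

```powershell
# Added example (not part of the original post): inventory WFP callouts from
# an elevated PowerShell session so unexpected kernel callouts stand out.
# Assumption: element names below match the wfpstate.xml written by netsh.

$dump = Join-Path $env:TEMP 'wfpstate.xml'

# netsh writes providers, callouts, filters and layers as one XML document
netsh wfp show state file=$dump | Out-Null
if (-not (Test-Path $dump)) { throw "netsh did not write $dump (run elevated)" }

[xml]$state = Get-Content -Path $dump -Raw

# Map provider GUID -> display name so the report is readable
$providers = @{}
foreach ($p in $state.wfpstate.providers.item) {
    if ($p.providerKey) { $providers[$p.providerKey] = $p.displayData.name }
}

# Project each callout to the fields an analyst reviews
$callouts = foreach ($c in $state.wfpstate.callouts.item) {
    $prov = if ($c.providerKey -and $providers.ContainsKey($c.providerKey)) {
        $providers[$c.providerKey]
    } else {
        $c.providerKey   # empty or unknown provider is itself worth noting
    }
    [pscustomobject]@{
        Name       = $c.displayData.name
        Layer      = $c.applicableLayer
        Provider   = $prov
        CalloutKey = $c.calloutKey
    }
}

# Constructed keyword list: built-in callouts carry recognisable names; anything
# that matches none of these deserves a closer look (driver on disk, signer, age).
$known = 'Microsoft', 'Windows', 'WFP Built-in', 'Firewall'
$callouts |
    Where-Object {
        $label = "$($_.Name) $($_.Provider)"
        -not ($known | Where-Object { $label -like "*$_*" })
    } |
    Sort-Object Layer |
    Format-Table Name, Layer, Provider, CalloutKey -AutoSize
```

Run it on a known-good build first and keep that output as a baseline; a later diff against the baseline is a far better signal than the keyword filter alone, since legitimate EDR and VPN products also register WFP callouts under their own provider names.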

Project structure

Lastly, here is a short overview of how I aim for the project and accompanying articles to be structured. This is a draft list, but I'll try to keep it updated as I go along with the project and complete different components. For my workflow, I have already gone through many of these and made prototypes to ensure that the individual components and aspects are doable.

  • Re-creating the Snake Malware Part 001, Or: How I Learned to stop worrying and Love Adversary emulation — The Shopping List
  • Re-creating the Snake Malware Part 002: Creating the Kernel Driver — PoC
  • Re-creating the Snake malware Part 003: Implementing Covert Communication Using “ustart”
  • XXX
  • XXX
  • XXX
  • XXX

References

This section contains a short note on the most important references used throughout the project so far.
