echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2017-04-21 11:57:00
subject: Equation Group Dump Analy

Equation Group Dump Analysis and Full RCE on Win7 on MS17-010 with
Cobalt Strike

http://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/

UPDATE: When posting this blog, we had not applied the most recent patches
from Patch Tuesday (in March). This SMB flaw apparently was fixed on that
Tuesday with MS17-010. When we did our testing, we were outside the patch
cycle for March. We have clarified the blog post with the update and a link
to Microsoft below. (see previous post)

This blog post contains information that was obtained publicly, not
through classified methods, but through the "Shadow Brokers" (suspected
to be Russian) dump of the "Equation Group" (suspected to be NSA). The
techniques here are zero-day in nature and can cause security issues;
however, the information is now public and should be researched and
disclosed.

If the facts are indeed true, this is a dark day for our intelligence
community (no, this is a victory against a corrupt US gov't and the deep
state operatives that control it), and we can't comprehend the damage this
has done (to a corrupt, power-mad deep state establishment). The only
hope is that, while a lot of these exploits date back to research done
in 2013, the capabilities (to dominate society's right to freedom and
privacy) have continued to grow and expand beyond what is disclosed
today. Additionally, we don't envy the task ahead for the fine,
hard-working crew over at Microsoft during the holiday weekend and away
from family. The good news is that a lot of these have already been
patched (some as early as last week).

Our goal with this post and at TrustedSec is not to cause harm or
damages – but present information that is already exposed in order to
educate and help.

This blog post was written by Justin Elze – Principal Security
Consultant at Trustedsec (with editorial comment from me, VG).

Today we awoke to a link from Martin Bos (@cantcomputer), below (thanks
for ruining our day off!). Shadow Brokers leaked additional tools
reportedly from the Equation Group. This piqued our interest as a
company, and after last week's leak of various 0day exploits and implants
for Linux/Solaris, we knew that it was probably legitimate. Leaks like
this often contain 0day or known exploits with proofs of concept that
have not been seen by the public. This leak was no different and far
surpassed expectations.

https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

It's also a chance to learn new persistence and command and control
methods used by governments and other adversaries. These tactics,
techniques, and procedures (TTPs) give the security industry a much
better understanding of real capabilities, as well as of what we need to
do in order to perform true adversary simulation.

The data in the dump is a few years old (around 2013), but as you begin
to dig into it there are multiple unpatched 0day exploits that affect
various versions of Windows from XP through Windows 8/Server 2012. The
full extent is still to be determined; given the age of the material,
many of these exploits may since have been ported to Windows 10 and newer
versions of Windows Server.

This leak contained 4 files:

odd.tar.xz.gpg – Implant/Backdoor
sha256sum.txt – Contains SHA256 hashes for the files
swift.tar.xz.gpg – Information on the SWIFT/EastNets breach
windows.tar.xz.gpg – Contains numerous Windows exploits and an
exploitation framework called Fuzzbunch.

Swift.tar contents:
http://www.trustedsec.com/files/shadow_brokers2.png

Odd.tar contents:
http://www.trustedsec.com/files/shadow_brokers3.png

Windows.tar
http://www.trustedsec.com/files/shadow_brokers4.png
http://www.trustedsec.com/files/shadow_brokers5.png

A handful of people on Twitter were already tearing into the dump at
this point; we began by attempting to analyze the primary framework. The
framework is built on Python 2.6 and requires PyWin32 as well as a 32-bit
Windows system, because most of the exploits are Win32 binaries.

http://www.trustedsec.com/files/shadow_brokers6.png

Moving around this framework, called FuzzBunch, it is very similar to
Metasploit as an exploitation framework. It can profile targets and
suggest exploits that may succeed against them, and it provides a
comprehensive framework for exploit development and exploitation. It
even has some pretty amazing ASCII art. The first thing you do in an
environment you are unfamiliar with is type "help":

http://www.trustedsec.com/files/shadow_brokers7.png

Similar to Metasploit, the “use” command is available:

http://www.trustedsec.com/files/shadow_brokers8.png

We began by reading the various exploit manifests, looking at the
versions of Windows they supported. EternalBlue seemed to have the widest
support, so we quickly spun up a victim Windows 7 system. Note that the
patch for this flaw, MS17-010, came out on Patch Tuesday in March (see
the update above).

http://www.trustedsec.com/files/shadow_brokers9.png

Next, we attempted to launch it against a fully patched Windows 7 test system.

http://www.trustedsec.com/files/shadow_brokers10.png

Once the system is compromised, DoublePulsar is the default implant
installed by the exploit. Switching to the DoublePulsar module context
allows you to interact with the compromised system. The options include
verifying that the backdoor is installed, removing the backdoor, DLL
injection, and raw shellcode injection.

We verified the exploit was successful by pinging the backdoor and then
going through the removal process and verifying it was removed.

http://www.trustedsec.com/files/shadow_brokers11.png
http://www.trustedsec.com/files/shadow_brokers12.png
http://www.trustedsec.com/files/shadow_brokers13.png

Once we were sure the exploit was functioning properly, we exploited the
host again and attempted the DLL injection function. The first attempt
failed because we weren't using the correct DLL ordinal for the payload;
with a quick change, however, we were able to successfully move a
compromised host out of the leaked framework and into Cobalt Strike. We
wouldn't suggest injecting into LSASS on anything besides a test machine:
if the injected code crashes that process, the host reboots.

http://www.trustedsec.com/files/shadow_brokers14.png
http://www.trustedsec.com/files/shadow_brokers15.png

This only scratches the surface of the various exploits and implants in
the framework. There was another component in the windows directory, a
Java application called DanderSpritz, which appears to be a listener and
command and control framework for compromised hosts.

http://www.trustedsec.com/files/shadow_brokers16.png
http://www.trustedsec.com/files/shadow_brokers17.png
http://www.trustedsec.com/files/shadow_brokers18.png
http://www.trustedsec.com/files/shadow_brokers19.png

It's been many years since there has been a zero-user-interaction RCE
for Windows operating systems; MS08-067 and MS09-050 come to mind. While
the post originally described the example exploit and others in the
framework as unpatched (the SMB flaw used here was in fact fixed by
MS17-010; see the update above), customers should be aware that the SMB
service exploited in the above example (TCP port 445) should never be
exposed to the public internet.

Below is a video using DoublePulsar to deliver a Cobalt Strike payload as
our own RCE payload on a Windows 7 system (which, as the update above
notes, did not yet have MS17-010 applied):

https://player.vimeo.com/video/213300750

This blog post was written by Justin Elze, Principal Security Consultant
at TrustedSec.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
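The post verifies the implant from the attacker's side by "pinging" it from the DoublePulsar module. The defender's counterpart, added here as a worked example (this is not code from the post, from TrustedSec, or from the leaked tools), is the publicly documented SMB probe: the implant hooks the Trans2 SESSION_SETUP subcommand and answers with Multiplex ID 0x51 where a clean server echoes the request's MID 0x41. The same probe doubles as the MS17-010 patch check used by public scanners, which treat NT status 0xC0000205 (STATUS_INSUFF_SERVER_RESOURCES) on the bare probe as "likely unpatched". The null-session handshake, the native-OS strings and the 0x00A4D9A6 timeout value are copied from that public probe and are assumptions, not something the post itself describes; run it only against hosts you are authorised to test.

```python
"""DoublePulsar / MS17-010 probe over SMBv1 (TCP/445). Added example, not code from the
TrustedSec post or the leaked framework. Assumed public signature: the implant hooks
Trans2 SESSION_SETUP and replies with MID 0x51; unpatched hosts answer 0xC0000205."""
import socket
import struct
import sys

SMB_COM_TRANSACTION2, SMB_COM_NEGOTIATE = 0x32, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS2_SESSION_SETUP = 0x000E                # subcommand the implant hooks
MID_PROBE, MID_DOUBLEPULSAR = 0x41, 0x51     # MID we send / MID the implant answers with
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # probe status from unpatched hosts (scanner heuristic)
PID_LOW = 0xFEFF


def smb_header(command, tid, uid, mid, flags2=0xC007, status=0):
    """32-byte SMBv1 header: protocol, command, status, flags, flags2, pid_high,
    signature, reserved, tid, pid, uid, mid (flags2 0xC007 = Unicode + NT status)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18, flags2,
                       0, bytes(8), 0, tid, PID_LOW, uid, mid)


def netbios(smb):
    """NetBIOS session-service framing: type 0x00 plus a 24-bit big-endian length."""
    return struct.pack(">I", len(smb)) + smb


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return netbios(smb_header(SMB_COM_NEGOTIATE, 0, 0, 0x40, flags2=0xC053)
                   + struct.pack("<BH", 0, len(dialects)) + dialects)


def session_setup_request():
    """Anonymous (null) session: 1-byte OEM password, empty account and domain."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0xD4)
    names = "Windows 2000 2195\0Windows 2000 5.0\0".encode("utf-16-le")
    data = b"\x00" + bytes(4) + names  # password byte at offset 61 keeps Unicode aligned
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX, 0, 0, 0x40)
                   + struct.pack("<B", 13) + words + struct.pack("<H", len(data)) + data)


def tree_connect_request(uid, host):
    """Connect the null session to \\\\host\\IPC$ (service type '?????')."""
    path = ("\\\\%s\\IPC$\0" % host).encode("utf-16-le")
    data = b"\x00" + path + b"?????\x00"  # password byte at offset 43, path at 44
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0x0008, 1)
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, 0, uid, 0x40)
                   + struct.pack("<B", 4) + words + struct.pack("<H", len(data)) + data)


def trans2_session_setup_request(tid, uid):
    """The probe: Trans2 SESSION_SETUP with 12 zero parameter bytes and MID 0x41.
    The 0x00A4D9A6 timeout mirrors the published probe (assumed, not derived here)."""
    params = bytes(12)
    param_offset = 32 + 1 + 30 + 2 + 1  # header, word count, 15 words, byte count, pad
    words = struct.pack("<HHHHBBHIHHHHHBBH", len(params), 0, 1, 0, 0, 0, 0, 0x00A4D9A6,
                        0, len(params), param_offset, 0, param_offset + len(params),
                        1, 0, TRANS2_SESSION_SETUP)
    data = b"\x00" + params
    return netbios(smb_header(SMB_COM_TRANSACTION2, tid, uid, MID_PROBE)
                   + struct.pack("<B", 15) + words + struct.pack("<H", len(data)) + data)


def smb_field(smb, offset, fmt="<H"):
    """Little-endian header field: status at 5 ('<I'), tid at 24, uid at 28, mid at 30."""
    return struct.unpack_from(fmt, smb, offset)[0]


def assess_probe_response(smb):
    """Interpret the Trans2 reply: MID 0x51 means the implant answered; the
    0xC0000205 status is the public scanner heuristic for a host missing MS17-010."""
    if len(smb) < 32 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION2:
        raise ValueError("not a Trans2 reply")
    return {"doublepulsar": smb_field(smb, 30) == MID_DOUBLEPULSAR,
            "ms17_010_likely": smb_field(smb, 5, "<I") == STATUS_INSUFF_SERVER_RESOURCES}


def recv_smb(sock, step, require_ok=True):
    """Read one NetBIOS-framed reply; optionally fail on a non-zero NT status."""
    buf = b""
    while len(buf) < 4 or len(buf) < 4 + (smb_field(buf, 0, ">I") & 0xFFFFFF):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed during " + step)
        buf += chunk
    smb = buf[4:4 + (smb_field(buf, 0, ">I") & 0xFFFFFF)]
    if require_ok and smb_field(smb, 5, "<I") != 0:
        raise RuntimeError("%s failed, NT status 0x%08x" % (step, smb_field(smb, 5, "<I")))
    return smb


def check_host(host, port=445, timeout=5.0):
    """Run the four-message exchange and return assess_probe_response()'s verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        recv_smb(s, "negotiate")
        s.sendall(session_setup_request())
        uid = smb_field(recv_smb(s, "null session setup"), 28)
        s.sendall(tree_connect_request(uid, host))
        tid = smb_field(recv_smb(s, "IPC$ tree connect"), 24)
        s.sendall(trans2_session_setup_request(tid, uid))
        return assess_probe_response(recv_smb(s, "trans2 probe", require_ok=False))


if __name__ == "__main__":
    print(sys.argv[1], check_host(sys.argv[1]))
```

A host that answers `{"doublepulsar": True, ...}` should be treated as compromised, not merely vulnerable: the implant is already resident in kernel memory, and the framework's own "remove backdoor" option shown in the post is only one of several ways an operator can clear it. The null session must succeed for the probe to reach the tree connect; hosts that refuse anonymous IPC$ access raise a RuntimeError rather than a false negative.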
