OilRig Mango Backdoor Malware

0:00 [Music]

0:00 hello and welcome to the Juniper threat

0:02 Labs attack demo series today's subject

0:05 is the latest oil rig mango back door in

0:08 this video we will demonstrate how this

0:10 militia advanced persistent threat or AP

0:13 group is conducting a new campaign

0:16 targeting organizations in the Middle

0:17 East to install a back door on victim

0:20 systems afterwards we'll show you how

0:22 Juniper customers are protected from

0:24 this malware let's not waste any time

0:27 we'll Begin by introducing you to the

0:29 malicious threat actor oil rig oil rig

0:32 also known by various other names

0:34 including ap34 and Helix kitten is

0:38 believed to be an Iranian threat group

0:39 acting on behalf of the Iranian

0:41 government oil rig has been active since

0:44 at least

0:45 2014 and they operate primarily but not

0:47 exclusively in the Middle East targeting

0:50 organizations in that region they have

0:52 targeted various sectors including

0:54 Financial energy chemical and

0:57 Telecommunications and they've attacked

0:59 government related targets as well so

1:01 how do they do it well attacks

1:04 attributed to the oil rig group

1:06 primarily rely on social engineering to

1:08 exploit the human rather than software

1:10 vulnerabilities think fishing and spear

1:12 fishing on occasion and typically after

1:15 successfully exploiting earlier

1:17 reconnaissance related stages this

1:19 malicious threat actor has exploited

1:21 recently patched vulnerabilities too

1:23 during the delivery phase of their

1:25 attacks in oil rig's most recent attack

1:27 campaign a targeted organization in the

1:30 Middle East Via spear fishing emails

1:32 after breaching the victim system they

1:34 deployed a back door known as mango

1:37 during this campaign oil rig infiltrated

1:39 a legitimate Israeli job portal website

1:42 which they then used for command and

1:43 control CNC Communications in the

1:46 related demo that you're about to see

1:48 mango is named man.exe Mango or manora

1:52 is a primary or first stage back door

1:55 it's coded in sharp.net and is capable

1:58 of exfiltrating data and utilizing

2:00 native apis and additional code for

2:03 evading detection the attack chain is as

2:05 follows it starts with a fishing email

2:08 that malicious email contains a document

2:10 or link to a word doc entitled my cv.

2:13 dooc after the victim opens it and does

2:15 what's requested it then drops the mango

2:17 back door onto the victim's system again

2:20 in this latest case the mango back door

2:22 dropped and running in the background is

2:23 mon.exe the back door then starts

2:26 communicating with its command and

2:27 control server awaiting commands and

2:29 instruction ruction what kind of

2:31 commands through this malicious back

2:32 door think shell commands enumerating

2:35 files and uploading files to the command

2:37 and control server in other instances of

2:39 this campaign it uses a VBS script as

2:42 the dropper for the mango back door and

2:44 this other instance of the campaign the

2:46 malware installs browser data dumpers

2:48 for Edge and chrome designed to

2:50 exfiltrate data like cookies browsing

2:52 history and credentials from these

2:55 browsers all right with all the

2:57 background info out of the way let's

2:59 jump in and start the attack simulation

3:01 for this attack demo here we are on the

3:04 unsuspecting victim system she just

3:06 received this email as you can see the

3:09 email suggests there is an attachment

3:11 but there isn't instead there is this

3:13 malicious URL to download my

3:16 cv. unaware that she's being fished she

3:18 clicks on the malicious

3:28 URL

3:30 when the document is open the Microsoft

3:32 Office application prompts the user to

3:34 enable content effectively granting

3:37 permission for macr scripts to execute

3:39 once the user deceived into clicking

3:41 this prompt the document reveals content

3:44 seemingly aimed at an organization in

3:45 Saudi Arabia as evidenced by the

3:47 presence of prices quoted in the Saudi

3:49 real

3:55 [Music]

3:58 currency

4:08 [Music]

4:10 simultaneously the malicious macro

4:11 script installs the mango back door in

4:13 the background running it as a process

4:16 under the name

4:24 [Music]

4:28 manura to ensure the Persistence of the

4:31 mango back door it establishes a

4:33 scheduled task labeled one drive

4:35 Standalone updator configure to trigger

4:38 execution every day at 11:00

4:40 [Music]

4:46 a.m. have a look at the path notice how

4:49 manora is in the folder office

4:52 356 all this is probably done in an

4:54 attempt to go unnoticed it's not clear

4:57 the close but not quite folder name had

4:59 the intended result in any case at this

5:02 stage the mango back door under the name

5:04 manora establishes communication with

5:06 the command and control server awaiting

5:08 further instructions let's now look and

5:11 see whether or not this attack works as

5:13 successfully with the Juniper SRX

5:14 firewall enhanced with protection from

5:16 Juniper's cloud-based Advanced

5:19 antimalware solution Juniper

5:21 ATP for the demo Juniper threat Labs is

5:24 using the following setup we have a vsrx

5:27 pictured in the center the vs SRX is a

5:30 virtual SRX firewall providing network

5:32 security protection its purpose is to

5:34 inspect Network traffic and with the

5:36 assistance of juniper ATP Cloud to

5:39 detect malware like the oil rig mango

5:42 back door in addition to the virtual

5:44 firewall and cloud-based protections

5:46 we're using Juniper security director

5:48 which is a centralized management system

5:51 security director facilitates our

5:52 configuring and monitoring of the vsrx

5:55 firewall and we're using Juniper's

5:57 policy enforcer as well

6:00 Juniper's policy enforcer enforces

6:02 security policies on endpoints and

6:04 ensures they comply with corporate

6:06 security standards pictured as well are

6:09 several Windows workstations Each of

6:11 which is connected to the vsrx and

6:13 finally there's an Ubuntu Server which

6:16 is acting as the malware download

6:18 server before we proceed and run the oil

6:21 rig mango back door attack simulation

6:23 again with protection provided This Time

6:26 by Juniper's connected Security

6:27 Solutions let's first take a look at the

6:29 threat prevention policy that we've set

6:31 up on our security director and applied

6:33 to the vsrx

6:35 firewall to access the policy we'll

6:37 navigate to the configure Tab and then

6:40 we'll select threat

6:41 prevention and

6:43 policies as you can see we already have

6:45 an existing policy in place let's

6:47 further inspect the protections being

6:49 enforced by the applied policy for this

6:51 demo our policy is configured to block

6:53 command and control traffic at Threat

6:55 Level 8 and above we've also set it to

6:57 block infected hosts at threat level

7:00 eight and above beyond that we

7:02 configured our policy to use ATP Cloud

7:03 for malware detection as you can see

7:06 we've elected to scan both HTTP

7:08 downloads and email attachments finally

7:11 we've chosen to block any and all other

7:13 threats rated at level 7 and above this

7:15 threat prevention policy applied to the

7:17 Juniper vsrx firewall is a critical

7:19 component of our defenses protecting our

7:21 systems against malware related attacks

7:24 including oil rig mango backdoor malware

7:27 it allows us to detect and block most

7:29 malicious traffic as well as the

7:31 activity of potentially infected hosts

7:33 which in doing so then prevents the

7:35 spread of malware throughout our Network

7:37 in the event that one of our systems

7:39 gets

7:40 compromised with that let's proceed and

7:42 demo the attack with our Juniper

7:44 connected Security Solutions in place to

7:46 get started we'll log in Via RDP as the

7:49 wouldbe but hopefully not the victim

7:52 user as you can see we have an email

7:54 with a link to download my cv. dooc

7:58 clicking on that the system opens the

8:00 browser but as you see is pictured on

8:02 the screen the attempt to open this

8:03 malicious file has been blocked the

8:06 explanation given explains that this was

8:08 due to malware being detected for the

8:10 purpose of this demo we also included a

8:12 link to download manora recall manora is

8:15 the mango back door you saw earlier once

8:17 again Juniper's connected Security

8:19 Solutions powered by Juniper ATP also

8:21 blocks this attempt next we can verify

8:24 that these attempts were indeed blocked

8:26 by Juniper to do that we go back to

8:29 security director and we navigate to the

8:31 monitor tab from there we click on

8:34 threat

8:35 prevention and then HTTP file

8:39 download here manora the most recent

8:41 malicious URL to which we tried to

8:43 navigate is pictured on the first line

8:45 with a threat level of 10 on the second

8:48 line the file my cv. dooc is similarly

8:50 flagged with a threat level of 10 recall

8:53 from earlier how we had configured our

8:55 policy to block malicious threats rated

8:56 at level seven and above so the enabled

8:59 Juniper protections are working as

9:01 expected next we'll look at more details

9:03 about the mware to do that we click on

9:06 the my cv. dooc link Juniper's Behavior

9:10 Analysis shows information about the

9:12 malware gathered through sandboxing the

9:18 [Music]

9:22 file and Juniper's network activity

9:24 shows the malare attempts to communicate

9:26 with the site at address te c f RS cyen

9:31 001 sit t1. GTM url.com which is the

9:37 mango backdoor command and control

9:42 server going back to http file download

9:45 we can also click on the manur malware's

9:47 hash Link in Juniper security director

9:50 to find more details about this malware

9:52 including Behavior Analysis network

9:54 activity and behavior

9:58 details

10:04 note that while the attack was

10:06 unsuccessful recall that the security

10:08 policy being enforced on the vsrx locks

10:11 down host network activity when it

10:13 detects threats at level 8 and above

10:15 having just clicked on ATP Cloud hosts

10:17 we can see that the IP address

10:20 10.0.2 16 is flagged at Threat Level 9

10:24 this host then is now included in the

10:26 infected host's feed what this means is

10:28 that this host is now isolated and

10:30 disconnected from the network

10:32 temporarily until an administrator

10:33 confirms that the host is free of

10:36 infection Juniper has a rich command

10:38 line interface for example an

10:40 administrator can verify through the SRX

10:42 CLI console what hosts if any are listed

10:45 in the infected host feed in order to

10:47 take Swift action here you can see that

10:50 the IP address

10:51 10.0.2 2016 is in that

10:58 list

11:01 back on security director under ATP

11:03 Cloud hosts we can click on the affected

11:06 host in doing so Juniper provides us

11:09 with more details as to why it is

11:11 blocked which in this case is because

11:13 the host attempted to download two

11:15 malicious files with Threat Level

11:17 [Music]

11:25 10 we can confirm that this host was

11:28 disconnected as we can neither ping it

11:30 nor connect to it via RDP as

11:33 [Music]

11:40 [Music]

11:53 [Music]

11:57 before once the administrator Ator is

11:59 certain that a host or server found in

12:01 the infected host feed is indeed free

12:04 from infection she can get that device

12:06 back

12:07 online in security director there is

12:09 more than a single way to do this one of

12:12 the ways is covered in several earlier

12:14 videos another way is to go to ATP Cloud

12:17 hosts select the checkbox to the left of

12:20 the host or server in question and then

12:22 click the set investigation status on

12:24 the right to resolved

12:27 fixed doing so change the status of this

12:29 host to clean the result of which

12:31 removes the host or server from the

12:33 infected host feed as you can see the

12:36 device is now marked as excluded from

12:38 this list which is good

12:41 news let's double check this just

12:44 because we can once again using the

12:46 srx's command line interface console

12:49 notice that IP address

12:51 10.0.2 16 is no longer

12:54 listed after a few moments this host

12:57 will be connected back to the network

12:59 again we can verify that's the case by

13:02 both pinging

13:03 it and by reconnecting to it via

13:07 [Music]

13:23 RDP finally for good measure we'll make

13:26 sure that this host can now browse the

13:28 internet

13:45 that completes our demo of the oil rig

13:47 mango back door check out more videos

13:49 from the Juniper threat Labs attack demo

13:51 series by visiting juniper.net thanks

13:54 for watching