In April 2017, a hacker group named The Shadow Brokers released some very advanced cyber weapons. The leaked tools allegedly originate from the hacking arsenal of a powerful intelligence agency.
One of the tools in the leak is a post-exploitation framework called DanderSpritz, which is used for communicating with compromised computers. Forcepoint™ has analyzed the PeddleCheap module of this DanderSpritz framework. The research focuses on network-level communications. To our knowledge, no similar research has previously been published.
Motivation for the research
PeddleCheap and its associated exploits were used by the intelligence community for years before they were leaked to the public. Simply recognizing and blocking initial PeddleCheap infections will not block systems that are already infected from communicating.
The goal with our research was to devise a way to fingerprint PeddleCheap traffic to allow us to detect dormant implants on systems where the initial infection took place before the April 2017 Shadow Brokers dump.
To establish a context for this research, this is the high-level workflow from the attacker’s point of view:
- Victim is infected with the DoublePulsar backdoor using the EternalBlue exploit
- Malicious implant is created and configured
- A PeddleCheap listener is started in the DanderSpritz GUI
- Implant is uploaded to the victim via the DoublePulsar backdoor
- Implant is executed and starts communicating with PeddleCheap
The focus of this research is on the last point: how PeddleCheap and the implant communicate. Our purpose with this research is to help the security community combat the threat of dormant implants by providing fingerprints for use in intrusion detection/prevention systems. This research also provides insight into how a well-resourced intelligence agency may implement encrypted communication.
Download links to our whitepaper and other resources are provided further below.
Communication starts with a three-way handshake where a symmetric session key is securely exchanged. Here is a high-level sequence diagram of the traffic where PeddleCheap is used by the human attacker and the implant resides on a compromised computer:
Forcepoint Next Generation Firewall (NGFW), Forcepoint Web Security Cloud, and Forcepoint Web Security recognize and protect against traffic between PeddleCheap and malicious implants.
Detecting malicious traffic
The whitepaper contains recommendations for how to fingerprint malicious traffic in order to detect and block it.
Download links and other resources
Whitepaper: our technical analysis is available for download here.
A script for parsing and decrypting a network-capture and PCAPs with example traffic are available for download at: https://github.com/johnbergbom/PeddleCheap/
Look out for the second blog in the series
We have now published Part 2 of 2 in this blog series related to evasions used in DoublePulsar and DanderSpritz.