OilRig Mango Backdoor Malware

Juniper Threat Labs Security
Screenshot from the video: a Juniper Threat Labs diagram headlined "Attack Chain."

Fortify your defenses against OilRig Mango Backdoor malware with Juniper Connected Security.

Are you protected from OilRig Mango Backdoor malware? Watch this episode of the Juniper Threat Labs attack demo series to see how OilRig Mango Backdoor malware compromises unsuspecting victims, and how Juniper Connected Security customers with a Juniper Networks SRX Series Firewall and Juniper Advanced Threat Prevention (ATP) are already protected from this threat. 

Protect yourself: Watch additional security demos.


You’ll learn

  • How threat prevention policies applied to Juniper SRX Series Firewalls protect against malware-related attacks, including OilRig Mango Backdoor malware

  • How to verify an attempted attack was blocked using Juniper Networks Connected Security solutions

Who is this for?

Network professionals, security professionals

Transcript

0:00 Hello and welcome to the Juniper Threat Labs attack demo series. Today's subject is the latest OilRig Mango backdoor. In this video we will demonstrate how this malicious advanced persistent threat (APT) group is conducting a new campaign targeting organizations in the Middle East to install a backdoor on victim systems. Afterwards we'll show you how Juniper customers are protected from this malware. Let's not waste any time.

0:27 We'll begin by introducing you to the malicious threat actor OilRig. OilRig, also known by various other names including APT34 and Helix Kitten, is believed to be an Iranian threat group acting on behalf of the Iranian government. OilRig has been active since at least 2014, and they operate primarily but not exclusively in the Middle East, targeting organizations in that region. They have targeted various sectors including financial, energy, chemical and telecommunications, and they've attacked government-related targets as well.

1:01 So how do they do it? Well, attacks attributed to the OilRig group primarily rely on social engineering to exploit the human rather than software vulnerabilities: think phishing and spear phishing. On occasion, and typically after successfully exploiting earlier reconnaissance-related stages, this malicious threat actor has exploited recently patched vulnerabilities too during the delivery phase of their attacks.

1:25 In OilRig's most recent attack campaign they targeted an organization in the Middle East via spear phishing emails. After breaching the victim system they deployed a backdoor known as Mango. During this campaign OilRig infiltrated a legitimate Israeli job portal website, which they then used for command and control (C&C) communications. In the related demo that you're about to see, Mango is named Menorah.exe. Mango, or Menorah, is a primary or first-stage backdoor. It's coded in C#/.NET and is capable of exfiltrating data and utilizing native APIs and additional code for evading detection.

2:05 The attack chain is as follows. It starts with a phishing email; that malicious email contains a document, or a link to a Word doc, entitled MyCV.doc. After the victim opens it and does what's requested, it then drops the Mango backdoor onto the victim's system. Again, in this latest case the Mango backdoor dropped and running in the background is Menorah.exe. The backdoor then starts communicating with its command and control server, awaiting commands and instructions. What kind of commands come through this malicious backdoor? Think shell commands, enumerating files and uploading files to the command and control server. In other instances of this campaign it uses a VBS script as the dropper for the Mango backdoor, and in this other instance of the campaign the malware installs browser data dumpers for Edge and Chrome designed to exfiltrate data like cookies, browsing history and credentials from these browsers.

2:55 All right, with all the background info out of the way, let's jump in and start the attack simulation.

3:01 For this attack demo, here we are on the unsuspecting victim system. She just received this email. As you can see, the email suggests there is an attachment, but there isn't; instead there is this malicious URL to download MyCV.doc. Unaware that she's being phished, she clicks on the malicious URL.

3:30 When the document is opened, the Microsoft Office application prompts the user to enable content, effectively granting permission for macro scripts to execute. Once the user is deceived into clicking this prompt, the document reveals content seemingly aimed at an organization in Saudi Arabia, as evidenced by the presence of prices quoted in the Saudi riyal currency.


4:10 Simultaneously, the malicious macro script installs the Mango backdoor in the background, running it as a process under the name Menorah. To ensure the persistence of the Mango backdoor, it establishes a scheduled task labeled "OneDrive Standalone Updater", configured to trigger execution every day at 11:00 a.m.

4:46 Have a look at the path: notice how Menorah is in the folder "Office 356". All this is probably done in an attempt to go unnoticed; it's not clear the close-but-not-quite folder name had the intended result. In any case, at this stage the Mango backdoor, under the name Menorah, establishes communication with the command and control server, awaiting further instructions.

5:11 Let's now look and see whether or not this attack works as successfully with the Juniper SRX firewall enhanced with protection from Juniper's cloud-based advanced anti-malware solution, Juniper ATP.

5:21 For the demo, Juniper Threat Labs is using the following setup. We have a vSRX, pictured in the center. The vSRX is a virtual SRX firewall providing network security protection; its purpose is to inspect network traffic and, with the assistance of Juniper ATP Cloud, to detect malware like the OilRig Mango backdoor. In addition to the virtual firewall and cloud-based protections, we're using Juniper Security Director, which is a centralized management system. Security Director facilitates our configuring and monitoring of the vSRX firewall. And we're using Juniper's Policy Enforcer as well. Juniper's Policy Enforcer enforces security policies on endpoints and ensures they comply with corporate security standards. Pictured as well are several Windows workstations, each of which is connected to the vSRX, and finally there's an Ubuntu server which is acting as the malware download server.

6:18 Before we proceed and run the OilRig Mango backdoor attack simulation again, with protection provided this time by Juniper's Connected Security solutions, let's first take a look at the threat prevention policy that we've set up on our Security Director and applied to the vSRX firewall.

6:35 To access the policy we'll navigate to the Configure tab and then we'll select Threat Prevention and Policies. As you can see, we already have an existing policy in place. Let's further inspect the protections being enforced by the applied policy. For this demo our policy is configured to block command and control traffic at threat level 8 and above. We've also set it to block infected hosts at threat level 8 and above. Beyond that, we configured our policy to use ATP Cloud for malware detection; as you can see, we've elected to scan both HTTP downloads and email attachments. Finally, we've chosen to block any and all other threats rated at level 7 and above.

7:13 This threat prevention policy applied to the Juniper vSRX firewall is a critical component of our defenses protecting our systems against malware-related attacks, including OilRig Mango backdoor malware. It allows us to detect and block most malicious traffic as well as the activity of potentially infected hosts, which in doing so then prevents the spread of malware throughout our network in the event that one of our systems gets compromised.

7:42 With that, let's proceed and demo the attack with our Juniper Connected Security solutions in place. To get started we'll log in via RDP as the would-be, but hopefully not, victim user. As you can see we have an email with a link to download MyCV.doc. Clicking on that, the system opens the browser, but as you see pictured on the screen, the attempt to open this malicious file has been blocked. The explanation given explains that this was due to malware being detected. For the purpose of this demo we also included a link to download Menorah; recall Menorah is the Mango backdoor you saw earlier. Once again, Juniper's Connected Security solutions powered by Juniper ATP also block this attempt.

8:24 Next we can verify that these attempts were indeed blocked by Juniper. To do that we go back to Security Director and we navigate to the Monitor tab; from there we click on Threat Prevention and then HTTP File Download. Here Menorah, the most recent malicious URL to which we tried to navigate, is pictured on the first line with a threat level of 10. On the second line the file MyCV.doc is similarly flagged with a threat level of 10. Recall from earlier how we had configured our policy to block malicious threats rated at level 7 and above, so the enabled Juniper protections are working as expected.

9:01 Next we'll look at more details about the malware. To do that we click on the MyCV.doc link. Juniper's Behavior Analysis shows information about the malware gathered through sandboxing the file, and Juniper's Network Activity shows the malware attempts to communicate with the site at address tecforsc-001-site1.gtempurl.com, which is the Mango backdoor command and control server. Going back to HTTP File Download, we can also click on the Menorah malware's hash link in Juniper Security Director to find more details about this malware, including Behavior Analysis, Network Activity and Behavior Details.

10:04 Note that while the attack was unsuccessful, recall that the security policy being enforced on the vSRX locks down host network activity when it detects threats at level 8 and above. Having just clicked on ATP Cloud Hosts, we can see that the IP address 10.0.2.16 is flagged at threat level 9. This host, then, is now included in the infected hosts feed. What this means is that this host is now isolated and disconnected from the network temporarily, until an administrator confirms that the host is free of infection.

10:36 Juniper has a rich command line interface. For example, an administrator can verify through the SRX CLI console what hosts, if any, are listed in the infected host feed in order to take swift action. Here you can see that the IP address 10.0.2.16 is in that list.

11:01 Back on Security Director, under ATP Cloud Hosts, we can click on the affected host. In doing so, Juniper provides us with more details as to why it is blocked, which in this case is because the host attempted to download two malicious files with threat level 10. We can confirm that this host was disconnected, as we can neither ping it nor connect to it via RDP as before.

11:57 Once the administrator is certain that a host or server found in the infected host feed is indeed free from infection, she can get that device back online.

12:09 In Security Director there is more than a single way to do this. One of the ways is covered in several earlier videos; another way is to go to ATP Cloud Hosts, select the checkbox to the left of the host or server in question, and then click "Set investigation status" on the right to "Resolved - fixed". Doing so changes the status of this host to clean, the result of which removes the host or server from the infected host feed. As you can see, the device is now marked as excluded from this list, which is good news.

12:41 Let's double-check this, just because we can, once again using the SRX's command line interface console. Notice that IP address 10.0.2.16 is no longer listed. After a few moments this host will be connected back to the network again. We can verify that's the case by both pinging it and by reconnecting to it via RDP. Finally, for good measure, we'll make sure that this host can now browse the internet.

13:45 That completes our demo of the OilRig Mango backdoor. Check out more videos from the Juniper Threat Labs attack demo series by visiting juniper.net. Thanks for watching.
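The video shows the network-side block; the host-side artifacts it points out (a scheduled task with a OneDrive-style name, and the backdoor parked in a folder named "Office 356" rather than "Office 365") are what an incident responder would hunt for on endpoints that were never behind the SRX. The Python script below is an added example written for this page; it is not Juniper code, not part of the video, and not the threat actor's tooling. It flags scheduled tasks whose name claims to be OneDrive but whose action runs from outside the real OneDrive install locations, and any directory in a task's path that is one edit (including a digit transposition) away from a legitimate Microsoft folder name. The sample task records, the full payload path under a user profile and the look-alike target list are assumptions constructed for the demonstration.

```python
"""Hunt for the host-side persistence artifacts described in the demo.

Added example, not Juniper or OilRig code.  The task records at the bottom are
constructed samples; the payload path and look-alike list are assumptions."""

from dataclasses import dataclass
import ntpath  # Windows path semantics regardless of the host running this

# Folder names an attacker might imitate.  A directory one edit away from one of
# these, but not equal to it, is treated as a look-alike.  Assumed list.
LOOKALIKE_TARGETS = ("office 365", "microsoft office", "onedrive")


@dataclass(frozen=True)
class ScheduledTask:
    name: str     # task name as shown by schtasks / Task Scheduler
    command: str  # the task action's command line, possibly quoted


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
    insert, delete, substitute and adjacent transposition each cost one edit,
    so 'office 356' is exactly one edit from 'office 365'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def executable_path(command: str) -> str:
    """Pull the program path out of a task action command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def near_miss_folders(command: str) -> list[tuple[str, str]]:
    """(folder, imitated_name) for each directory component of the executable's
    path that is one edit away from a LOOKALIKE_TARGETS entry."""
    hits = []
    for component in ntpath.dirname(executable_path(command)).split("\\"):
        low = component.lower()
        for target in LOOKALIKE_TARGETS:
            if low != target and osa_distance(low, target) == 1:
                hits.append((component, target))
    return hits


def runs_from_onedrive_install(command: str) -> bool:
    """True when the action executes from a genuine OneDrive install root
    (per-user ...\\Microsoft\\OneDrive\\ or the machine-wide
    'Microsoft OneDrive' program folder)."""
    path = executable_path(command).lower().replace("/", "\\")
    return "\\microsoft\\onedrive\\" in path or "\\microsoft onedrive\\" in path


def hunt_tasks(tasks: list[ScheduledTask]) -> list[tuple[str, list[str]]]:
    """Return (task name, reasons) for every task that trips a check."""
    findings = []
    for task in tasks:
        reasons = []
        claims_onedrive = "onedrive" in task.name.lower().replace(" ", "")
        if claims_onedrive and not runs_from_onedrive_install(task.command):
            reasons.append("OneDrive-style task name but action runs outside OneDrive install paths")
        for folder, target in near_miss_folders(task.command):
            reasons.append(f"payload folder {folder!r} imitates {target!r}")
        if reasons:
            findings.append((task.name, reasons))
    return findings


# Constructed sample: a genuine per-user OneDrive updater task, a task shaped like
# the persistence in the video (task name and full path are assumptions), and an
# unrelated third-party updater that should stay quiet.
SAMPLE_TASKS = [
    ScheduledTask("OneDrive Standalone Update Task-S-1-5-21-1000",
                  r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"'),
    ScheduledTask("OneDrive Standalone Updater",
                  r'"C:\Users\alice\AppData\Local\Programs\Office 356\Menorah.exe"'),
    ScheduledTask("GoogleUpdateTaskMachineUA",
                  r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua'),
]

if __name__ == "__main__":
    for name, reasons in hunt_tasks(SAMPLE_TASKS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real host, populate `SAMPLE_TASKS` from `schtasks /query /v /fo csv` or PowerShell's `Get-ScheduledTask` (task name plus the action's `Execute` path) rather than the constructed records. The edit-distance check is deliberately strict (distance exactly 1) so that ordinary folders do not trip it; loosen it only after reviewing the false-positive rate on your own estate. The network-side counterpart is the check the narration performs on the SRX CLI, listing the ATP Cloud infected-host feed, which Junos exposes as a dynamic address category (`show security dynamic-address category-name Infected-Hosts`).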
