• Gets some “base information” (computer name, network configuration, OS details, the list of open ports and the Internet settings) and transmits it to the attacker via the C2 server; and connects to a C2 server and retrieves actions to perform, including:
• “Kill”/“Stop” (the same command);
• “Execute”, which downloads a payload and inserts it into a PE file using the PEInjection() function; and “DownExec”, which downloads a file, decodes it and executes it directly.
The Heist (Plan Execution):
The last act started just 48 hours after the target was successfully compromised. Most of the logs used to reconstruct the activity were retrieved from servers: the company that hosted the data centre and operated the VPN had failed to retain all the logs for the VPN concentrator. Using stolen credentials, the attacker connected to the data centre VPN and, using the stolen SSH key, to one of the servers hosting the API server and the company’s BitGo proxy server. The attacker went straight for this server, indicating an extremely good understanding of the company’s infrastructure, possibly gained from the documents retrieved from the target’s computer. A search within the swap file revealed several instances of the “curl” tool being used with an authorization key that had been stolen from the target’s computer to initiate bitcoin transfers to different addresses (see appendix D), for a total slightly below 4,450 BTC or, as of the end of December 2017, a bit more than $67 million.
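A defender-side triage of the same kind of artefact, added here as an example and not part of the report: scan a raw swap or memory image for curl invocations that carry an Authorization header, record the endpoint they hit, and redact the token before it lands in a case file. The sample bytes, hostname, path and token are constructed; the report itself does not give them.

```python
import re
from dataclasses import dataclass

# Constructed fragment of a swap image: stray shell history and command lines
# separated by NUL bytes. Hostname, path and token are placeholders.
SAMPLE_SWAP = (
    b"\x00\x00bash\x00curl -X POST https://api.example.invalid/v2/wallet/send "
    b"-H 'Authorization: Bearer sk_live_EXAMPLE0123456789' "
    b"-d '{\"address\":\"1ExampleAddr\",\"amount\":\"25.0\"}'\x00\x00"
    b"ls -la /var/log\x00"
    b"curl -s http://127.0.0.1:8080/health\x00"
    b"curl --header \"Authorization: Basic dXNlcjpwYXNz\" "
    b"https://api.example.invalid/v2/status\x00"
)

# A curl command line runs until a NUL or newline; cap length to stay sane on dumps.
CURL_RE = re.compile(rb"curl[^\x00\n]{0,2000}")
AUTH_RE = re.compile(rb"Authorization:\s*(Bearer|Basic|Token)\s+([A-Za-z0-9._~+/=-]+)", re.I)
URL_RE = re.compile(rb"https?://[^\s'\"]+")


@dataclass
class Finding:
    offset: int          # byte offset of the command in the image
    url: str             # endpoint the credential was presented to
    scheme: str          # Bearer / Basic / Token
    token_redacted: str  # first 4 characters kept, rest masked


def find_leaked_curl_auth(blob: bytes) -> list[Finding]:
    """Return every curl invocation in a raw image that carries an Authorization header."""
    findings = []
    for m in CURL_RE.finditer(blob):
        cmd = m.group(0)
        auth = AUTH_RE.search(cmd)
        if not auth:
            continue  # plain curl without a credential, e.g. a health check
        url = URL_RE.search(cmd)
        tok = auth.group(2).decode("ascii", "replace")
        findings.append(Finding(
            offset=m.start(),
            url=url.group(0).decode("ascii", "replace") if url else "",
            scheme=auth.group(1).decode("ascii").title(),
            token_redacted=tok[:4] + "*" * (len(tok) - 4),
        ))
    return findings


if __name__ == "__main__":
    for f in find_leaked_curl_auth(SAMPLE_SWAP):
        print(f"offset={f.offset} {f.scheme} token={f.token_redacted} -> {f.url}")
```

On a real image, read the file in chunks (or mmap it) and feed each chunk to the function; the endpoints found tell you which API keys to revoke first.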
Moving The Money:
Several professionals banded together to trace the movement of the bitcoins from address to address, a difficult task because the attacker was splitting the “loot” into smaller amounts. A partial view established shortly after the heist is presented below.