(130119) #fitalk apt, cyber espionage threat
2 likes•476 views
The document discusses several advanced persistent threats (APTs) that have targeted systems in Korea and other countries, including the LuckyCat, Heartbeat, and Flashback malware campaigns. It provides details on the attacks, malware components, command and control infrastructure, and technical analysis of the threats. The document aims to help the digital forensics community in Korea understand these sophisticated cyber espionage activities and improve defenses against similar attacks.
![forensicinsight.org
OSX/Dockster.A
n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$ file *
destmarc.jar: Zip archive data, at least v2.0 to extract
n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$
n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$
n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$ unzip -d test
destmarc.jar
Archive: destmarc.jar
creating: test/META-INF/
... [SNIP] ....
inflating: test/file.tmp
n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$ file test/*
test/META-INF: directory
test/Union1.class: compiled Java class data, version 50.0 (Java 1.6)
test/a.class: compiled Java class data, version 50.0 (Java 1.6)
test/b.class: compiled Java class data, version 50.0 (Java 1.6)
test/c.class: compiled Java class data, version 50.0 (Java 1.6)
test/d.class: compiled Java class data, version 50.0 (Java 1.6)
test/e.class: compiled Java class data, version 50.0 (Java 1.6)
test/f.class: compiled Java class data, version 50.0 (Java 1.6)
test/file.tmp: Mach-O universal binary with 2 architectures
test/file.tmp (for architecture ppc): Mach-O executable ppc
test/file.tmp (for architecture i386): Mach-O executable i386
n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$](https://image.slidesharecdn.com/130119fitalk-aptcyberespionagethreat-160901142113/85/130119-fitalk-apt-cyber-espionage-threat-70-320.jpg)
(130119) #fitalk apt, cyber espionage threat
- 2. forensicinsight.org Contents • APT? • LuckyCat APT • Heartbeat APT • Flashback & Dockster.A • Conclusion
- 5. forensicinsight.org Classification Cyber-espionage, spying Criminal syndicate money, money, moneyEnemy secrets leaked
- 6. forensicinsight.org APT • Advanced Persistent Threat • 외국 정부기관과 같은 그룹의 정보를 지속적 이고 효과적으로 유출하는 위협을 말함 • 정보 수집 기술을 통해 민감한 정보에 접근하 는 인터넷을 통한 스파이 활동 뿐만 아니라 고 전 스파이 활동을 포함.
- 7. forensicinsight.org APT • Advanced : intelligence-gathering techniques (such as telephone- interception, satellite imaging) • Persistent :“low-and-slow” approach • Threat : they have both capability and intent.
- 8. forensicinsight.org APT - Life Cycle Reference : http://en.wikipedia.org/wiki/File:Advanced_Persistent_Threat_Chart.png
- 9. forensicinsight.org Case • LuckyCat APT • Inside an APT Campaign with Multiple Targets in India and Japan : http:// www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white- papers/wp_luckycat_redux.pdf • The HeartBeat APT • The HeartBeat APT Campaign : http://www.trendmicro.com/cloud- content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt- campaign.pdf • Flashback and Dockster.A Malware
- 12. forensicinsight.org Diversity of Target India Military Research Institution Japanese Tibetan Activist Community
- 13. forensicinsight.org Diversity of Target • ~ June, 2011 • has been linked to 90 attacks against targets in japan and india as well as tibetan activists • Luckycat campaign managed to compromise 233 computers • Target OS :Windows, Mac OS X,Android
- 14. forensicinsight.org Example of Luckycat attacks (Japan) • Time : the confusion after the Great East Japan Earthquake and the Fukushima Nuclear Power Plant accident. • Vulnerability :Adobe Reader-CVE-2010-2883 • decoy document : radiation dose measurement results which where published on the Tokyo Power Electric Company (TEPCO) website.
- 15. forensicinsight.org Example of Luckycat attacks (Japan)
- 16. forensicinsight.org Example of Luckycat attacks (India) • Time : 2010 ~ 2012 • Vulnerability : Microsoft Office- CVE-2010-3333 • decoy document : information on India’s ballistic missile defense program.
- 17. forensicinsight.org Example of Luckycat attacks (India)
- 18. forensicinsight.org Example of Luckycat attacks (Tibet) • Time : 2010 ~ 2012 • Vulnerability : Microsoft Office- CVE-2010-3333 • decoy document : .DOC attachments that leverage Tibetan themes
- 19. forensicinsight.org Example of Luckycat attacks (Tibet)
- 20. forensicinsight.org Diversity of Malware • five malware families either utilized by or hosted on the same dedicated server • first-stage malware prove very simplistic • Some were used as second-stage malware • attackers pushed to victims whose network were compromised by first- stage malware
- 21. forensicinsight.org Diversity of Infrastructure • Luckycat use free web-hosting services that provide a diversity of domain name as well as IP addresses • the attackers alse made use of Virtual Private Servers(VPSs) that not only housed their primary malware - TROJ_WIMMIE but other as well. • These servers may also act an anchors
- 22. forensicinsight.org Diversity of Infrastructure ... free web-hosting services Victims Virtual Private Server Attacker
- 23. forensicinsight.org Operations TROJ_WIMMIE 1. send to spear phishing email(or SMS) 3. connects to a C&C server via HTTP over port 80 VBS_WIMMIE
- 24. forensicinsight.org LuckyCat • VBS_WIMMIE registers a script that work as a backdoor to the WMI event handler and deletes files associated with it or TROJ_WIMMIE • TROJ_WIMMIE is a remote access malware that make it easy to gather data form the infected computer without noticing what is happening
- 25. forensicinsight.org Initial Communication • The compromised computer posts data to PHP script that runs on the C&C server
- 26. forensicinsight.org Initial Communication • The initial communication results in the creation of a empty file on the C&C server that contains information on the compromised computer. • attackers use to identify which malware attack caused the compromise: • The attacker then creates a file with a name that ends in @.c
- 27. forensicinsight.org Initial Communication • The compromised computer then downloads the file and executes the specified command • Download/Upload file, Get external IP Address, Execute shell command • The compromised computer then sends the output to the C&C server and delete the command file
- 28. forensicinsight.org Initial Communication • One of the common initial commands instructs the compromised computer to upload the results of information-gathering commands • The resulting files are compressed using the CAB compression format and uploaded to the C&C server
- 31. forensicinsight.org Campaign Connections • ShadowNet • Duojeen • Sparksrv • Comfoo
- 32. forensicinsight.org ShadowNet • sample targeted email with both Luckycat and ShadowNet malware attachments
- 33. forensicinsight.org ShadowNet • Relationship between Luckycat and shadowNet
- 34. forensicinsight.org ShadowNet • malware was configured to connect to two blogs and aYahoo Group in order to find the C&C server’s location.
- 36. forensicinsight.org Time • The Heartbeat campaign has been successfully executing targeted attacks since Nov 2009 to June 2012.
- 37. forensicinsight.org Targets • The HeartBeat campaign appears to target government organizations and institutions or communities that are in some way related to the South Korean government.
- 38. forensicinsight.org Targets Source : http://games.renpy.org/site_media/media/ screenshot/title-heartbeats-final.png 정당 작은 중소 업체 각 군 정책연구소 언론사
- 39. forensicinsight.org Context • June 2012 : first Heartbeat RAT component was discovered in a Korean newspaper company network • Further investigation revealed that the campaign has been actively distributing their RAT component to their targets in 2011 and the first half of 2012. • Earlier versions of the HeartBeat campaign’s RAT component contained the following strings in their codes:
- 40. forensicinsight.org AttackVector • 악성코드의 구성 • 여러 파일이 포함된 하나의 실행파일 형태 • 확장자는 xxx.pdf.exe 형태로 구성 • 실행 파일의 아이콘은 문서 파일과 동일 • 실행 파일 내부에 정상 문서와 악성코드를 포함 • 정상적인 문서 파일에 암호가 걸려 있음 • 메일에 써있는 암호를 입력해야 함
- 41. forensicinsight.org AttackVector • Example of a decoy Adobe Reader documents
- 42. forensicinsight.org AttackVector • 대통령에게 건의사항.hwp (Nov 2011)
- 44. forensicinsight.org The RAT Component • Backdoor Functionalities • 동작 중인 프로세스 목록과 관련 프로세스 ID • 파일 존재여부/생성시간/업로드/다운로드/실행/삭제 • 자기 자신을 업데이트/삭제 • 프로세스 생성/종료 • 제거 가능한/고정 드라이브 목록 • 원격 커맨드 쉘 오픈, 시스템 재부팅
- 45. forensicinsight.org The RAT Component • 설치와 영속성 설정 RAT executable files • %System%msrt.exe • %Program Files%Common FilesAcroRd32.exe • %Program Files%Common Filesconfig.exe • %Program Files%Common Filesexplorer.exe .DLL component which contains the backdoor capabilities • %Program Files%Common FilesServices6to4nt.dll • %Program Files%Common FilesSystem6to4nt.dll • %Program Files%Windows NTAccessories6to4nt.dll • %Program Files%Windows NThtrn.dll • %Program Files%Windows NThtrn_jls.dll • %Program Files%Windows NThyper.dll • %System%Network Remote.dll • %System%SvcHost.dll
- 46. forensicinsight.org The RAT Component • 설치와 영속성 설정 • A DLL that uses fake file properties
- 47. forensicinsight.org The RAT Component • 설치와 영속성 설정 • 특정 경우에는 RAT 설치 시 2개의 DLL 파일을 생성함. • 하나는 다른 DLL의 로더 역할을 수행함. • 다른 하나는 백도어 페이로드를 가짐 • DLL 컴포넌트는 레지스트리 값을 추가하여 서비스를 등 록함. • 서비스 등록은 설치 시점에 수행함.
- 48. forensicinsight.org The RAT Component • 설치와 영속성 설정
- 49. forensicinsight.org The RAT Component • 설치와 영속성 설정 • DLL은 매번 시스템이 실행될 때마다 서비스 형태로 로드. • DLL은 로딩 시점에 svchost.exe 프로세스에 인젝션 됨. • 설치 후에 RAT 설치관리자는 자기 자신을 삭제함. • 시스템에는 DLL과 관련 레지스트리만 남음. • 실제론 이 DLL이 모든 임무를 수행함.
- 50. forensicinsight.org C&C Communication • RAT의 . DLL 컴포넌트가 svchost.exe에 인젝 션되면, C&C 서버에 자기자신을 동록함. • Computer name, Local IP, Service pack • 그리고 패스워드(ex.“qawsed”)를 전송함. • RAT은 보통 80포트를 사용하지만, 최근 버전 은 443이나 5600, 8080 포트를 사용하기도 함
- 51. forensicinsight.org C&C Communication • RAT’s C&C communication is encrypted with XOR encryption using a sing byte key, 02H
- 52. forensicinsight.org C&C Communication • RAT’s decryption code upon receiving data from the C&C server
- 54. forensicinsight.org C&C Communication • the port, C&C address, campaign code and password are hardcoded in the RAT’s malware body in plain text • however, In some RAT versions are encrypted and are decrypted only during run-time.
- 55. forensicinsight.org Command and Control • 도메인 중심으로 운영됨. • 각 C&C사이트는 아르메니아, 미국, 일본, 인도, 대 한민국이 소유한 IP로 리다이렉트 됨. • 모든 IP 주소는 합법적인 ISP의 소유 • 조사 결과 감염된 호스트를 프록시 서버로 이용하 여 모든 트래픽을 실제 C&C서버로 전송함. • 즉, 중간에 하나의 레이어를 두어서 익명성을 향상
- 56. forensicinsight.org Command and Control ... C&C proxy server (compromised host) Victims C&C Server Attacker
- 58. forensicinsight.org Relationships among Domain, IPs, Campaigns
- 59. forensicinsight.org Attribution • 공격자의 흔적을 찾기가 쉽지 않음 • 점령된 호스트를 C&C 프록시 서버로 활용 • 몇몇 첨부문서 명이 중국어로 되어 있었음 • guohui, xuehui, minzhu • C&C 도메인 명이나 도구의 문구는 모두 영문으로 작 성 • 제한적인 정보로 인해 가해자를 찾기 어려웠음.
- 60. forensicinsight.org Defending against the heartbeat campaign • HeartBeat RAT 컴포넌트 관련 서비스를 비활성화 • 시스템 방화벽 활성화 • 소프트웨어와 운영체제 업데이트를 최신버전으로 적용 • 사용하지 않는 포트의 인바운드를 막는다. • 네트워크 연결을 모니터링 한다. • 신뢰 사이트 목록을 정기적으로 업데이트 한다. • 메일에서VBS,BAT,EXE,PIF,SCR 파일을 방어하기 위해 이메일 서버를 재설정 • 알려지지 않은 소스의 링크나 첨부문서를 열지 않는다. • 하나 이상의 확장자가 들어간 파일을 주의한다. • 탐색기에서 숨겨진 파일과 확장자가 보이도록 설정한다.. • 로컬 컴퓨터의 로그인 정보를 저장하지 않는다.
- 62. forensicinsight.org Flashback - Infection • Flashback is a Trojan horse affecting personal computer systems running Mac OS • This Trojan has infected over 600,000 Mac computers forming a botnet that includes 274 bots located in Cupertino, California
- 63. forensicinsight.org Flashback - Details compromised site 1. 점령 후 javascript 공격 코드 삽입 2. 사용자가 해당 사이트 접속 3. 자바 애플릿이 실행되면서 크래쉬 발생 4. Bang!!
- 64. forensicinsight.org Flashback - Resolution • Oracle fixed the vulnerability exploited to install Flashback on Feb 14, 2012. • Apple maintains the Mac OS X version of Java and did not release an update containing Apr 4, 2012 after exploited :( • In Apr 12, 2012, the company issued a further update to remove the most common Flashback variants
- 65. forensicinsight.org OSX/Dockster.A • It has discovered a Dalai Lama related website is compromised and is pushing new Mac malware, call Dockster, using a Java-based exploit. • Java-based exploit uses the same vulnerability as “Flashback”, CVE-2012-0507 • The malware dropped, Backdoor:OSX/ Dockster.A, is basic backdoor with file download and keylogger capabilities.
- 66. forensicinsight.org OSX/Dockster.A • There is also an exploit CVE-2012-4681 with a windows-based payload:Win32/ Trojan.Agent.AXMO • CVE-2012-4681 : Multiple vulnerabilities in the JRE component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code.
- 70. forensicinsight.org OSX/Dockster.A n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$ file * destmarc.jar: Zip archive data, at least v2.0 to extract n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$ n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$ n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$ unzip -d test destmarc.jar Archive: destmarc.jar creating: test/META-INF/ ... [SNIP] .... inflating: test/file.tmp n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$ file test/* test/META-INF: directory test/Union1.class: compiled Java class data, version 50.0 (Java 1.6) test/a.class: compiled Java class data, version 50.0 (Java 1.6) test/b.class: compiled Java class data, version 50.0 (Java 1.6) test/c.class: compiled Java class data, version 50.0 (Java 1.6) test/d.class: compiled Java class data, version 50.0 (Java 1.6) test/e.class: compiled Java class data, version 50.0 (Java 1.6) test/f.class: compiled Java class data, version 50.0 (Java 1.6) test/file.tmp: Mach-O universal binary with 2 architectures test/file.tmp (for architecture ppc): Mach-O executable ppc test/file.tmp (for architecture i386): Mach-O executable i386 n0fate@n0fate-MacBook-Pro:~/Dropbox/malware/OSXDockster_Trojanaxmo/OSX$
- 72. forensicinsight.org OSX/Dockster.A • hiding .Dockster Binary & process list toms-Mac:~ tom$ ls -al total 2368 drwxr-xr-x+ 22 tom staff 748 11 20 00:21 . drwxr-xr-x 5 root admin 170 7 26 11:45 .. -rw------- 1 tom staff 3 7 26 11:45 .CFUserTextEncoding -rw-r--r--@ 1 tom staff 12292 11 20 00:12 .DS_Store -rwxr-xr-x 1 tom staff 241621 11 29 2012 .Dockset drwx------ 2 tom staff 68 11 19 23:54 .Trash -rw------- 1 tom staff 262 11 20 00:04 .bash_history drwx------+ 3 tom staff 102 7 26 11:45 Desktop drwx------+ 3 tom staff 102 7 26 11:45 Documents toms-Mac:~ tom$
- 73. forensicinsight.org OSX/Dockster.A • Register plist to LaunchAgents (AutoStart) toms-Mac:~ tom$ cd Library/ toms-Mac:Library tom$ cd LaunchAgents/ toms-Mac:LaunchAgents tom$ ls mac.Dockset.deman.plist toms-Mac:LaunchAgents tom$ strings mac.Dockset.deman.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>mac.Dockset.deman</string> <key>OnDemand</key> <false/> <key>Program</key> <string>/Users/tom/.Dockset</string> <key>ProgramArguments</key> <array> <string>first</string> </array> </dict> </plist> toms-Mac:LaunchAgents tom$
- 74. forensicinsight.org OSX/Dockster.A • Dockset 의 인자가 key이면 바로 키로거를 실 행 함. • 아닌 경우 인코딩된 설정 값을 불러와서 디코 딩을 수행 함.
- 75. forensicinsight.org OSX/Dockster.A • 하드코딩된 시간이 현재 시간보다 이전이면, 자기 자신을 삭제 후 종료
- 76. forensicinsight.org OSX/Dockster.A • 악성코드 설치 과정을 진행 함.
- 77. forensicinsight.org OSX/Dockster.A • Function List • list of IPs (itsec.eicp.net) __Z18RunKeyLoggerThreadPv __Z9RunThreadPFPvS_ES_ __Z11consultCS_Qic __Z11cousultCS_Ric .... _inv_shift_sub_rows _aes_set_key _update_encrypt_key_128 _update_decrypt_key_128 _update_encrypt_key_256 _mix_sub_columns _inv_mix_sub_columns _aes_decrypt_256 _aes_encrypt_256 _aes_decrypt_128 _aes_encrypt_128 _aes_decrypt 1.203.100.232 1.203.102.251 1.203.102.63 1.203.103.227 1.203.104.45 1.203.106.150 1.203.107.125 1.203.107.200 1.203.108.46 1.203.109.193 114.248.84.134 114.248.84.170 114.248.84.171 114.248.84.180 114.248.84.201 114.248.84.64 114.248.84.79 114.248.85.150 114.248.85.154 114.248.85.159 114.248.85.188 114.248.85.189 114.248.85.197 114.248.85.204
- 79. forensicinsight.org References • Inside an APT Campaign with Multiple Targets in India and Japan : http://www.trendmicro.com/cloud-content/us/ pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf • The HeartBeat APT Campaign : http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white- papers/wp_the-heartbeat-apt-campaign.pdf • OSX/Dockster.A and Win32/Trojan.Agent.AXMO samples, pcaps, OSX malware analysis tools : http:// contagiodump.blogspot.kr/2012/12/osxdockstera-and-win32trojanagentaxmo.html • New Mac Malware found on Dalai Lama Related website : http://www.f-secure.com/weblog/archives/00002466.html • Kaspersky Lab identifies ‘Red October’ cyber-attack : http://www.neurope.eu/article/kaspersky-lab-identifies-red- october-cyber-attack • The “Red October” Campaign - An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies : http://www.securelist.com/en/blog/785/ The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Governme nt_Agencies •