Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Blackhat 2013 presentation slides covering the APT analysis topic.
Speaker note (quoted from http://cool3c.incar.tw/article/34399): In overall design the Elise abandons the current concept: with a chassis built from aluminium alloy and body panels making heavy use of carbon fibre, the Elise weighs only 1,095 kg, and under Lotus's plans the future Elise will carry a 2.0-litre four-cylinder engine producing roughly 320 hp. From several recently launched Lotus models we can see that the new generation of Lotus adopts a design concept derived from the "shark", and, as each model and its positioning differ, each develops a unique style of its own; on the Elise we can also see more sharp lines and an aggressive, menacing sketching approach, giving the Elise its special dominant presence!
1. Hunting the Shadows: In Depth Analysis of Escalated APT Attacks
   Fyodor Yarochkin, Academia Sinica
   Pei Kan PK Tsung, Academia Sinica
   Ming-Chang Jeremy Chiu, Xecure Lab
   Ming-Wei Benson Wu, Xecure Lab

2. Agenda
   • Why Taiwan?
   • The “Lstudio” player… fun :)
   • Taking a peek at Weaponry
   • APT in a Cloud
   • Victimology or … chicken-logy?

3. Who we are
   • Based in Taiwan
   • Interests in Computer Forensics
   • Access to some raw network traffic data (fun!)
   • Get to fish interesting things (PROFFFIIITT!)
   • @bensonwu [secret]
   • @fygrave [censored]

4. Disclaimer
   A few words before we move on.
   - With this research we are primarily interested in understanding the Ops and victims of the discussed targeted attacks. We DO NOT attempt to perform any attribution of potential attackers.

5. Taiwan has been a frontline of the APT battlefield for some time

6. Many interesting things could be observed (though this is not the “Lstudio” group)

7. Elirks: earlier campaign
   • Reported by Dell/Secureworks as Elirks
   http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/

8. Elirks evolution
   http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I5
   http://blog.yam.com/minzhu0906/article/54726977
   http://diary.blog.yam.com/bigtree20130514/article/10173342
   http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50 - http://blogs.yahoo.co.jp/sakasesi2013/31805794.html
   http://www.plurk.com/mdbmdb

9. Elirks 2.0 – silly to reuse the address-space
   Managed by the same IP addresses (easy to cross-correlate)

10. Another on-going Campaign
    • On-going:

11. On average, 48 APT emails a week!

12. The “Lstudio” group: Exploring fun things in greater detail :)

13. They start with a boring spearphhiiissh

14. Almost clean :)

15. The APT Landscape in Taiwan

16. We’ll examine the “LStudio” group today
    • Unique indicators of the “LStudio” group:
      • Debug symbols (.pdb)
      • “horse” label and generator tag
    • Some curious discoveries from the “Lstudio” backend data center … ;-)

17. LStudio binaries have cute things
    CSJ-Elise
    f:toolscodeCSJEliseReleaseEliseDLL.pdb
    http://scan.xecure-lab.com

18. CSJ-Elise ..
    TAABAMoGvBjTVXHUHaibnwrAWfchx2x17Rf2roRBnbD/9lu13lWnlAUbBgqw+YNld2vcV5krtXoG__FXI43BxueF4FChFrkSRgNVP2WQ==
    http://140.105.135.71:443/2995ebc9/page_12180900.html
    http://118.163.60.73:443/2995ebc9/page_12180912.html

19. They love fast cars :)

20. Evora
    FASST CARS :)

21. Lstudio Operations and C2

22. “Lstudio” payload Generator
    (diagram labels: Generator, Owner, Horse Label, Generator-Tag, APT Exploit delivery via email)

23. We don’t say victim
    肉雞 (“broiler chicken”, slang for a compromised machine) = G

24. The typical botnet model

25. Very advanced Zoo-management skills :)

26. APT advanced farming :)
    • Operated by roughly 25 “farmers”
    • Has controlled over 5,884 machines
    • International coverage over 30 countries
    • Utilizes 4 different Botnet software families
    • Active since 2007

27. The “Lstudio” Chicken Cloud :)
    (diagram labels: APT Cloud, Backend Data Center, Farmer, Boss?, Farmer Group A, Farmer Group B, Command Channel (Second phase backdoor), Data Channel (First phase backdoor), Configurable Bounce, APT Botnet A, APT Botnet B)

28. .. And who are the Chicken ?! :)

29. International Chicken Farm Corp.

30. Chicken farms went international
    5,884 chickens: TW 84%, US 6%, KR 1%, CN 1%, 2% (slice label lost)

31. Share some Chicken :)
    http://www.appledaily.com.tw/
    http://www.cna.com.tw
    KMT ? KMT ?

32. When you travel, your chicken travel too… :)

33. Let's look at some travelers :)
    US, Canada, France, England, Taiwan

34. ANOTHER DISCOVERY!!

35. .. do have a 9 to 5 job ;)…

36. Just like some security researchers do :)

37. AND THE LAST .. SOME HANDY TOOLS TO SHARE :)

38. XecScan: Free API

39. Yara: a swiss-knife of static sigs ;)

40. Yara use
    • Easy to integrate with your scripts
    • Integration with a proxy server is possible via the icap yara plugin: https://github.com/fygrave/c_icap_yara
    • Raw network traffic monitoring project (and http/DNS indexing): https://github.com/fygrave/eyepkflow

41. More cool tools
    • Moloch https://github.com/aol/moloch
    • Yara mail https://github.com/kevthehermit/yaraMail
    • Yara pcap https://github.com/kevthehermit/YaraPcap

42. Conclusions
    • Complex infrastructure
    • Operates since 2007
    • Multiple software versions
    • Multiple back-ends
    • Victims – government and private sector
    • Mainly Taiwan but also seen world-wide

43. Questions?
    benson.wu@xecure-lab.com
    jeremy.chiu@xecure-lab.com
    pk@hitcon.org
    f@plurk.com
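The indicator checks on slides 16 through 18 (the .pdb debug-symbol path baked into the CSJ-Elise binary, and the C2 URLs fetched over plain HTTP on port 443) and the "easy to integrate with your scripts" point on slide 40 can be shown in working code. The Python below is an added example, not code from the talk or from Xecure Lab: it pulls the PDB path out of an RSDS CodeView debug record in a constructed byte blob, compares it with the slide 17 indicator, and flags proxy-log lines whose URL has the shape shown on slide 18. The backslash placement in ASSUMED_PDB_PATH, the proxy-log format, and the assumption that the eight-hex-digit directory and the page number vary between beacons are all mine, not from the deck.

```python
import re
import struct
from dataclasses import dataclass

# Slide 17 shows the debug-symbol indicator with its path separators lost in
# extraction. Where the backslashes sit (ASSUMED_PDB_PATH) is an assumption,
# so the match ignores separators and case.
KNOWN_PDB_INDICATOR = "f:toolscodeCSJEliseReleaseEliseDLL.pdb"
ASSUMED_PDB_PATH = r"f:\tools\code\CSJ\Elise\Release\EliseDLL.pdb"  # assumed layout


def _normalise(path: str) -> str:
    """Lower-case and drop both separator styles so the deck's rendering of the
    path and a real path compare equal."""
    return re.sub(r"[\\/]", "", path).lower()


def extract_pdb_paths(blob: bytes) -> list:
    """Return the PDB path from every RSDS CodeView record in the buffer.

    Record layout: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
    Scanning for the signature is a simplification; a full parser would walk
    the PE debug directory to locate the record.
    """
    paths = []
    for match in re.finditer(rb"RSDS", blob):
        start = match.end() + 16 + 4
        end = blob.find(b"\x00", start)
        if end == -1:
            continue  # signature bytes without a terminated path: not a record
        try:
            paths.append(blob[start:end].decode("utf-8"))
        except UnicodeDecodeError:
            continue
    return paths


def matches_known_pdb(path: str) -> bool:
    """True when a recovered PDB path equals the slide 17 indicator."""
    return _normalise(path) == _normalise(KNOWN_PDB_INDICATOR)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a binary: header bytes, one RSDS record, padding."""
    record = (
        b"RSDS"
        + bytes(range(16))          # GUID (constructed)
        + struct.pack("<I", 1)      # age
        + ASSUMED_PDB_PATH.encode("utf-8")
        + b"\x00"
    )
    return b"MZ" + b"\x90" * 64 + record + b"\x00" * 32


# Slide 18 lists two C2 URLs: plain http:// to port 443, an eight-hex-digit
# directory and page_<digits>.html. Treating the directory and the page number
# as variable is an assumption made for this example.
C2_URL_RE = re.compile(
    r"^http://(?P<host>\d{1,3}(?:\.\d{1,3}){3}):443/"
    r"(?P<dir>[0-9a-f]{8})/page_(?P<page>\d+)\.html$"
)

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2013-07-01T09:12:03 10.1.2.15 GET http://140.105.135.71:443/2995ebc9/page_12180900.html 200
2013-07-01T09:12:08 10.1.2.15 GET http://www.example.com/index.html 200
2013-07-01T09:12:41 10.1.2.22 GET http://118.163.60.73:443/2995ebc9/page_12180912.html 200
2013-07-01T09:13:00 10.1.2.22 GET http://www.example.com/news/page_1.html 200
"""


@dataclass
class C2Hit:
    client: str
    host: str
    url: str


def scan_proxy_log(log_text: str) -> list:
    """Flag log lines whose URL has the slide 18 beacon shape."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        match = C2_URL_RE.match(url)
        if match:
            hits.append(C2Hit(client=client, host=match.group("host"), url=url))
    return hits


if __name__ == "__main__":
    for path in extract_pdb_paths(build_sample_blob()):
        print(f"pdb path {path!r} is known indicator: {matches_known_pdb(path)}")
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit.client} -> {hit.host}  {hit.url}")
```

The separator-insensitive comparison exists only because the deck's rendering of the path lost its backslashes; against real samples the PDB path would come from the PE debug directory (the pefile library exposes it) and the same strings would go into a Yara rule, which is the integration slide 40 points at. The URL check is deliberately strict about the numeric host and the port-443-over-plain-HTTP shape, since that mismatch between port and scheme is itself the useful signal in proxy data.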