This document analyzes advanced persistent threat (APT) attacks targeting Taiwan, focusing on the "Lstudio" group. It describes the group's infrastructure including command and control servers, use of botnets to control thousands of compromised machines internationally, and development of custom tools. The summary highlights key points about the group's operations since 2007, use of multiple software versions and back-ends, and targeting of both government and private sector victims primarily in Taiwan but also worldwide.

1. Hunting the Shadows:
In Depth Analysis of Escalated APT Attacks
Fyodor Yarochkin, Academia Sinica
Pei Kan PK Tsung, Academia Sinica
Ming-Chang Jeremy Chiu, Xecure Lab
Ming-Wei Benson Wu, Xecure Lab
1

2. Agenda
• Why Taiwan?
• The “Lstudio” player… fun 
• Taking a peek at Weaponry
• APT in a Cloud
• Victimology or … chicken-logy?
2

3. whoweare
Based in Taiwan
Interests in Computer Forensics
Access to some raw network traffic data (fun!)
Get to fish interesting things (PROFFFIIITT!)
@bensonwu [secret] @fygrave
[censored]
3

4. Disclaimer
A few words before we move on.
- With this research we are primarily interested in
understanding the Ops and victims of discussed
targeted attacks. We DO NOT attempt to
perform any attribution of potential attackers.
4

5. Taiwan has been a frontline of
APT battlefield for some time
5

6. Many interesting things could be observed
(though this is not “Lstudio” group)
6

7. Elirks: earlier campaign
 Reported by Dell/Secureworks as Elirks
http://www.secureworks.com/cyber-threat-
intelligence/threats/chasing_apt/
7

8. Elirks evolution
http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I5
http://blog.yam.com/minzhu0906/article/54726977
http://diary.blog.yam.com/bigtree20130514/article/10173342
http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50
-
http://blogs.yahoo.co.jp/sakasesi2013/31805794.html
http://www.plurk.com/mdbmdb
8

9. Elirks 2.0 – silly to reuse the
address-space
Managed by the same
IP addresses
(easy to cross-correlate)
9

10. Another on-going Campaign
 On-going:
10

11. On average, 48 APT emails a
week!
11

12. The “Lstudio” group:
Exploring fun things in a
greater detail :)
12

13. They start with a boring
spearphhiiissh
13

14. Almost clean :)
14

15. The APT Landscape in Taiwan
15

16. We’ll examine the “LStudio”
group today
• Unique indicators of the “LStudio” group:
• Debug symbols (.pdb)
• “horse” label and generator tag
• Some curious discoveries from the “Lstudio”
backend data center … ;-)
16

17. LStudio binaries have cute things
CSJ-Elise
f:toolscodeCSJEliseReleaseEliseDLL.pdb
http://scan.xecure-lab.com
17

18. CSJ-Elise ..
TAABAMoGvBjTVXHUHaibnwrAWfchx2x17Rf2roRBnbD/9lu13lWnlAUbBgqw+YNld2vcV5krtXoG__FXI43BxueF4FChFrk
SRgNVP2WQ==
http://140.105.135.71:443/2995ebc9/page_12180900.html
http://118.163.60.73:443/2995ebc9/page_12180912.html
18

19. They love fast
cars 
19

20. Evora
20
FASST CARS 

21. Lstudio Operations and C2
21

22. “Lstudio” payload Generator
Generator
Owner
Horse Label
Generator-Tag
APT Exploit delivery via email
22

23. We don’t say victim
肉雞 = G
23

24. The typical botnet model
24

25. Very advanced Zoo-management
skills :)
25

26. APT advanced farming :)
 Operated by roughly 25 “farmers”
 Has controlled over 5,884 machines
 International coverage over 30 countries
 Utilizes 4 different Botnet software families
 Active since 2007
26

27. The “Lstudio” Chicken Cloud 
APT Cloud
Backend Data Center
Farmer
Boss?
Farmer Group B
Farmer Group ACommand Channel
(Second phase backdoor)
Data Channel
(First phase backdoor)
Configurable Bounce
APT Botnet A
27
APT Botnet B

28. .. And who are the Chicken ?! 
28

29. International Chicken Farm Corp.
29

30. chicken farms went international
TW 84%
US 6%
5,884
chickens
2% 30
KR 1% CN 1%

31. Share some Chicken 
31
http://www.appledaily.com.tw/
http://www.cna.com.tw
KMT ?
KMT ?

32. When you travel, your chicken
travel too… 
32

33. Lets look at some travelers 
33
US
Canada
France
England
Taiwan

34. ANOTHER DISCOVERY!!
34

35. .. do have 9 to 5 job ;)…
35

36. Just like some security researchers
do 
36

37. AND THE LAST .. SOME HANDY
TOOLS TO SHARE 
37

38. XecScan: Free API
38

39. Yara: a swiss-knife of static sigs ;)
39

40. Yara use
Easy to integrate with your scripts
Integration with a proxy server is possible via
icap yara plugin:
https://github.com/fygrave/c_icap_yara
Raw network traffic monitoring project (and
http/DNS indexing):
https://github.com/fygrave/eyepkflow
40

41. More cool tools
Moloch https://github.com/aol/moloch
Yara mail
https://github.com/kevthehermit/yaraMail
Yara pcap
https://github.com/kevthehermit/YaraPcap
41

42. Conclusions
Complex infrastructure
Operates since 2007
Multiple software versions
Multiple back-ends
Victims – government and private sector
Mainly Taiwan but also seen world-wide
42

43. Questions?
benson.wu@xecure-lab.com
jeremy.chiu@xecure-lab.com
pk@hitcon.org
f@plurk.com
43