Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Blackhat 2013 presentation slides covering the APT analysis topic.

Presentation Transcript

  • Hunting the Shadows: In Depth Analysis of Escalated APT Attacks. Fyodor Yarochkin, Academia Sinica; Pei Kan (PK) Tsung, Academia Sinica; Ming-Chang (Jeremy) Chiu, Xecure Lab; Ming-Wei (Benson) Wu, Xecure Lab 1
  • Agenda • Why Taiwan? • The “Lstudio” player… fun  • Taking a peek at Weaponry • APT in a Cloud • Victimology or … chicken-logy? 2
  • Who we are: Based in Taiwan; Interests in Computer Forensics; Access to some raw network traffic data (fun!); Get to fish interesting things (PROFFFIIITT!). @bensonwu [secret], @fygrave [censored] 3
  • Disclaimer A few words before we move on. - With this research we are primarily interested in understanding the Ops and victims of discussed targeted attacks. We DO NOT attempt to perform any attribution of potential attackers. 4
  • Taiwan has been a frontline of APT battlefield for some time 5
  • Many interesting things could be observed (though this is not “Lstudio” group) 6
  • Elirks: earlier campaign. Reported by Dell/Secureworks as Elirks: http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/ 7
  • Elirks evolution http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I5 http://blog.yam.com/minzhu0906/article/54726977 http://diary.blog.yam.com/bigtree20130514/article/10173342 http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50 - http://blogs.yahoo.co.jp/sakasesi2013/31805794.html http://www.plurk.com/mdbmdb 8
  • Elirks 2.0 – silly to reuse the address-space Managed by the same IP addresses (easy to cross-correlate) 9
  • Another on-going Campaign  On-going: 10
  • On average, 48 APT emails a week! 11
  • The “Lstudio” group: Exploring fun things in a greater detail :) 12
  • They start with a boring spearphhiiissh 13
  • Almost clean :) 14
  • The APT Landscape in Taiwan 15
  • We’ll examine the “LStudio” group today • Unique indicators of the “LStudio” group: • Debug symbols (.pdb) • “horse” label and generator tag • Some curious discoveries from the “Lstudio” backend data center … ;-) 16
  • LStudio binaries have cute things CSJ-Elise f:toolscodeCSJEliseReleaseEliseDLL.pdb http://scan.xecure-lab.com 17
  • CSJ-Elise .. TAABAMoGvBjTVXHUHaibnwrAWfchx2x17Rf2roRBnbD/9lu13lWnlAUbBgqw+YNld2vcV5krtXoG__FXI43BxueF4FChFrk SRgNVP2WQ== http://140.105.135.71:443/2995ebc9/page_12180900.html http://118.163.60.73:443/2995ebc9/page_12180912.html 18
  • They love fast cars  19
  • Evora: FASST CARS 20
  • Lstudio Operations and C2 21
  • “Lstudio” payload Generator Generator Owner Horse Label Generator-Tag APT Exploit delivery via email 22
  • We don’t say victim 肉雞 = G 23
  • The typical botnet model 24
  • Very advanced Zoo-management skills :) 25
  • APT advanced farming :)  Operated by roughly 25 “farmers”  Has controlled over 5,884 machines  International coverage over 30 countries  Utilizes 4 different Botnet software families  Active since 2007 26
  • The “Lstudio” Chicken Cloud (diagram labels): APT Cloud Backend Data Center; Farmer Boss?; Farmer Group A; Farmer Group B; Command Channel (Second phase backdoor); Data Channel (First phase backdoor); Configurable Bounce; APT Botnet A; APT Botnet B 27
  • .. And who are the Chicken ?!  28
  • International Chicken Farm Corp. 29
  • Chicken farms went international: 5,884 chickens; TW 84%, US 6%, 2% (label missing), KR 1%, CN 1% 30
  • Share some Chicken: http://www.appledaily.com.tw/ http://www.cna.com.tw KMT? KMT? 31
  • When you travel, your chicken travel too…  32
  • Let's look at some travelers: US, Canada, France, England, Taiwan 33
  • ANOTHER DISCOVERY!! 34
  • .. do have 9 to 5 job ;)… 35
  • Just like some security researchers do  36
  • AND THE LAST .. SOME HANDY TOOLS TO SHARE  37
  • XecScan: Free API 38
  • Yara: a swiss-knife of static sigs ;) 39
  • Yara use: Easy to integrate with your scripts. Integration with a proxy server is possible via the ICAP Yara plugin: https://github.com/fygrave/c_icap_yara. Raw network traffic monitoring project (and HTTP/DNS indexing): https://github.com/fygrave/eyepkflow 40
  • More cool tools: Moloch https://github.com/aol/moloch; Yara mail https://github.com/kevthehermit/yaraMail; Yara pcap https://github.com/kevthehermit/YaraPcap 41
  • Conclusions: Complex infrastructure; Operates since 2007; Multiple software versions; Multiple back-ends; Victims – government and private sector; Mainly Taiwan but also seen world-wide 42
  • Questions? benson.wu@xecure-lab.com jeremy.chiu@xecure-lab.com pk@hitcon.org f@plurk.com 43
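Slides 16 and 17 name debug-symbol (.pdb) paths as a unique indicator of the "LStudio" group, and slides 39 and 40 recommend Yara as the static-signature tool to script around. The following is an added example, not the presenters' tooling: it pulls every drive-letter PDB path out of a binary blob and matches the basename against an indicator list, and carries the equivalent Yara rule as a string for the script and proxy integrations the slides mention. The directory separators in the sample path, the rule name and the sample bytes are assumptions (slide 17 shows the path with its separators lost in extraction; only the basename EliseDLL.pdb is certain).

```python
"""Extract PDB debug-symbol paths from a binary and match them against
known indicators, the kind of check the slides describe for spotting
"LStudio" samples by their .pdb strings. Added example, not the
presenters' code."""
import re
from typing import Dict, List

# MSVC stores the PDB path as a NUL-terminated string in the CodeView
# (RSDS) debug record; a drive-letter path ending in .pdb is a cheap way
# to locate it without parsing the PE debug directory.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,240}?\.pdb", re.IGNORECASE)

# PDB basenames the slides tie to the "LStudio" group (slide 17 shows
# EliseDLL.pdb). Lower-case for case-insensitive comparison.
LSTUDIO_PDB_NAMES = {b"elisedll.pdb"}

# Equivalent Yara rule for the proxy (ICAP) and pcap integrations on
# slides 40 and 41; compile with yara-python's yara.compile(source=...).
# Rule name is an assumption.
YARA_RULE = r"""
rule lstudio_elise_pdb
{
    strings:
        $pdb = "EliseDLL.pdb" ascii nocase
    condition:
        uint16(0) == 0x5A4D and $pdb
}
"""


def extract_pdb_paths(data: bytes) -> List[bytes]:
    """Return every drive-letter PDB path embedded in the byte string."""
    return [m.group(0) for m in PDB_PATH_RE.finditer(data)]


def pdb_basename(path: bytes) -> bytes:
    """Last path component, lower-cased, for indicator comparison."""
    return path.rsplit(b"\\", 1)[-1].lower()


def match_lstudio(data: bytes) -> Dict[str, object]:
    """Report PE-ness, all PDB paths found, and those on the indicator list."""
    paths = extract_pdb_paths(data)
    hits = [p for p in paths if pdb_basename(p) in LSTUDIO_PDB_NAMES]
    return {"is_pe": data[:2] == b"MZ", "pdb_paths": paths, "lstudio_hits": hits}


# Constructed samples: a fake MZ header, padding, an RSDS marker with a
# dummy GUID/age, then a CodeView-style path. The separators in the
# LStudio path are an assumption; the slide lost them in extraction.
SAMPLE_LSTUDIO = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + b"f:\\tools\\code\\CSJ\\Elise\\Release\\EliseDLL.pdb\x00"
)
SAMPLE_BENIGN = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + b"\x22" * 16 + b"\x01\x00\x00\x00"
    + b"c:\\build\\app\\Release\\app.pdb\x00"
)

if __name__ == "__main__":
    for name, blob in (("lstudio", SAMPLE_LSTUDIO), ("benign", SAMPLE_BENIGN)):
        print(name, match_lstudio(blob))
```

Run it on a real file with `match_lstudio(open(path, "rb").read())`; the PDB path is a cheap indicator because it is left behind by the build environment, and the same basename check is what the Yara string above expresses for the mail, proxy and pcap tools listed on slides 40 and 41.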