Ataques dirigidos contra activistas
Summary of targeted attacks against dissidents and activists in different countries.

Published in: Technology
  1. Targeted attacks on activists. David Barroso, Telefonica Digital
  2. Uyghur
  3. Uyghur
  4. Uyghur. http://surveillance.rsf.org/es/
  5. https://tails.boum.org
  6. Uyghur
  7. Source: CitizenLab.org
  8. Source: CitizenLab.org
  9. FinFisher – Gamma Group. Installs a driver; modifies the MBR; injects itself into legitimate processes (winlogon.exe, svchost.exe); packer and anti-debugging; AES-256-CBC. C2: 77.69.140.194 (Bahrain). Ports: 22, 53, 80, 443, 4111.
  10. FinFisher – Gamma Group (vendor feature list): Bypassing of 40 regularly tested Antivirus Systems; Covert Communication with Headquarters; Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List); Recording of common communication like Email, Chats and Voice-over-IP; Live Surveillance through Webcam and Microphone; Country Tracing of Target; Silent Extracting of Files from Hard-Disk; Process-based Key-logger for faster analysis; Live Remote Forensics on Target System; Advanced Filters to record only important information; Supports most common Operating Systems (Windows, Mac OSX and Linux).
  11. Source: Rapid7
  12. Source: CitizenLab.org
  13. FinFisher – Gamma Group, iOS version: install_manager.app. Installed through a 'provisioning profile' (the device UDID is required). Certificate: Martin Muench (Managing Director). /System/Library/LaunchDaemons/com.apple.logind.plist. Drops SyncData.app. Steals contacts, SMS, call history, geolocation, etc. Base64. Versions for Android, Symbian and BlackBerry.
  14. Source: CitizenLab.org
  15. Uyghur
  16. Mamfakinch.com. "Please do not mention my name or anything at all, I do not want any trouble…" http://freeme.eu5.org/scandale%20(2).doc. Mamfakinch.com. Hacking Team – RCS. OSX.Crisis / W32.Crisis. File adobe.jar -> Mac and Win32 versions. Win32: CurrentVersion/Run. Process infection. Infects VMware images.
  17. Source: Symantec
  18. Source: Symantec
  19. Uyghur
  20. Concerns over Uyghur People.doc; Hosh Hewer.doc; Jenwediki yighingha iltimas qilish Jediwili.doc; list.doc; Press Release on Commemorat the Day of Mourning.doc; The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc; Uyghur Political Prisoner.doc; 2013-02-04 - Deported Uyghurs.doc; Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc; Kadeer Logistics detail.doc
  21. Source: Kaspersky
  22. Word for Mac vulnerability, CVE-2012-0158. Opens a real document and runs a binary. Keylogger, machine information, remote control. LaunchDaemon 'systm'. Tiny Shell, AES (12345678) and SHA1. 'me' as the contact. C2: update.googmail.org (207.204.245.192)
  23. 1154/0x2610:  fstat(0x26, 0xBFFF4CD0, 0x200)  = 0 0
      1154/0x2610:  lseek(0x26, 0x6600, 0x0)  = 26112 0
      1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)  = 40 0
      1154/0x2610:  open("/tmp/l\0", 0x602, 0x1FF)  = 41 0
      1154/0x2610:  open("/tmp/l.doc\0", 0x602, 0x1FF)  = 42 0
      1154/0x2610:  read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)  = 68 0
      1154/0x2610:  write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)  = 68 0
      Source: AlienVault
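An added example, not code from the deck or from the AlienVault analysis: a small Python parser that reads a dtruss trace like the one on the slide, pairs each open() return value with its path, and rebuilds the file the dropper writes from the write() payloads, so an analyst can recover the dropped shell script without running it. The trace lines are a constructed, one-syscall-per-line copy of the slide's excerpt.

```python
import re

# Constructed sample: the dtruss excerpt from slide 23, one syscall per line with its escapes restored.
SAMPLE_TRACE = r"""1154/0x2610:  fstat(0x26, 0xBFFF4CD0, 0x200)  = 0 0
1154/0x2610:  lseek(0x26, 0x6600, 0x0)  = 26112 0
1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)  = 40 0
1154/0x2610:  open("/tmp/l\0", 0x602, 0x1FF)  = 41 0
1154/0x2610:  open("/tmp/l.doc\0", 0x602, 0x1FF)  = 42 0
1154/0x2610:  read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)  = 68 0
1154/0x2610:  write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)  = 68 0
"""

# dtruss record shape: "pid/0xthread:  syscall(args)  = retval errno"
LINE_RE = re.compile(r"^(\d+)/0x[0-9a-fA-F]+:\s+(\w+)\((.*)\)\s+=\s+(-?\d+)\s+\d+\s*$")
# one argument: a double-quoted string (escapes allowed) or a bare token
ARG_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[^,\s]+')

def unstring(arg):
    """Decode a quoted dtruss string (\\n, \\0, ...) and drop the trailing NUL dtruss prints."""
    body = arg[1:-1] if arg.startswith('"') else arg
    return body.encode().decode("unicode_escape").rstrip("\0")

def parse_dtruss(text):
    """Return (syscall, [args], retval) for each line that looks like a dtruss record."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append((m.group(2), ARG_RE.findall(m.group(3)), int(m.group(4))))
    return calls

def reconstruct_files(text):
    """Map descriptors to paths from open() returns, then rebuild each file from its write() calls.
    Also returns writes whose decoded length differs from the kernel's return value (truncated trace)."""
    fds, files, short = {}, {}, []
    for name, args, ret in parse_dtruss(text):
        if name == "open" and ret >= 0:        # 0x602 = O_RDWR|O_CREAT|O_TRUNC, mode 0x1FF = 0777
            fds[ret] = unstring(args[0])
            files.setdefault(fds[ret], "")
        elif name == "write" and int(args[0], 16) in fds:
            data = unstring(args[1])
            files[fds[int(args[0], 16)]] += data
            if len(data) != ret:
                short.append((fds[int(args[0], 16)], len(data), ret))
        elif name == "close":
            fds.pop(int(args[0], 16), None)
    return files, short
```

The recovered /tmp/l.sh shows the whole chain on one screen: open the decoy document, copy the payload /tmp/l to /tmp/m and run it.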
  24. Targeted Attacks: LURK/Gh0stRAT
  25. Source: CitizenLab.org
  26. Targeted Attacks: Dalai Lama
  27. Source: Kaspersky
  28. Source: Kaspersky
  29. Word for Mac vulnerability, CVE-2012-0158. Opens a real document and runs a binary. Keylogger, machine information, remote control. Digitally signed binary. C2: 61.178.77.76 TCP/1080
  30. Source: Kaspersky
  31. Source: Kaspersky
  32. Source: Kaspersky
  33. Targeted Attacks
  34. Source: Symantec
  35. Source: Symantec
  36. Source: CitizenLab.org
  37. MS Word vulnerability, CVE-2012-0158. Opens a real document and runs a binary. Keylogger, machine information, remote control. Digitally signed binary. C2: 114.142.147.51
  38. Metadata (original / dropped document):
      MD5: 8882c40ef1786efb98ea251e247bfbee / 40f41c077e03d72a39eb1bd7bf6e3341
      Last saved by: HSwallow / lebrale
      Creation date: Tue., Jun. 12 09:11:00 2012 / Wed., Jun. 13 11:39:00 2012
      Last save date: Tue., Jun. 12 09:11:00 2012 / Wed., Jun. 13 11:39:00 2012
  39. Targeted Attacks
  40. Source: CitizenLab.org
  41. Source: CitizenLab.org
  42. Source: CitizenLab.org
  43. APT1 / GOGGLES vs GLASSES. The application pretends to be a folder. It installs a non-malicious PDF (a job posting in Nepal) and a binary, spkptdhv.exe, in %temp%, which registers itself in the registry. Commands: sleep / download & run. HTTP request:
      GET /ewpindex.htm HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ)
      Host: ewplus.com
      Cache-Control: no-cache
  44. Android
  45. Source: CitizenLab.org
  46. Spoofed From header. Tibetans generally 'root' their Android phones to install fonts. They also install APKs because of restrictions in Google Play. Modified apps. Intercepts SMS to report the position. Steals call history, SMS and contacts. C2: android.uyghur.dnsd.me
  47. Source: CitizenLab.org
  48. Source: CitizenLab.org
  49. Android
  50. Source: Kaspersky
  51. Source: Kaspersky
  52. Source: Kaspersky
  53. Theft of contacts, SMS, call history and phone data. C2: Base64 to 64.78.161.133
  54. Source: Kaspersky
  55. Anything goes
  56. Source: https://malwarelab.zendesk.com
  57. http://unremote.org
  58. Capture webcam activity; Disable the notification setting for certain antivirus programs; Download and execute arbitrary programs and commands; Modify the hosts file; Record key strokes; Retrieve system information about the computer; Start or end processes; Steal passwords; Update itself
  59. %Temp%\dclogs\[CURRENT DAY]-[RANDOM NUMBER].dc
      %UserProfile%\Start Menu\Programs\Startup\(Empty).lnk
  60. Author: DarkCoderSc. Date: 2008. Current version: 5. Regrets what happened and offers an uninstaller.
  61. Social engineering
  62. Source: Trendmicro
  63. Source: EFF
  64. Source: EFF
  65. Source: EFF
  66. Source: EFF
  67. Malware
  68. Source: EFF
  69. Source: EFF
  70. DarkComet RAT
      C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(Empty).lnk
      C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.pdf
      C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Explorer.exe
      C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msdlg.ocx
      C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs
  71. Source: EFF
  72. [] Aleppo Team [] Aleppo Team rar [29/05/2012 18:03:44] Aleppo Team | | ...: Last modified plan Aleppo time for Jihad [29/05/2012 18:03:46] Aleppo Team | | ...: Send the file "plan eventually 2.rar"
  73. Source: EFF
  74. Source: EFF
  75. Source: EFF
  76. C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(empty).lnk
      C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\explorer.exe
      C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Aleppo plan.pdf
      C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Firefox.dll
  77. Skype encryption
  78. Source: EFF
  79. Source: EFF
  80. Source: EFF
  81. DarkComet RAT. http://skype-encryption.sytes.net/ ; http://216.6.0.28/SkypeEncryption/Download/skype.exe
  82. Antihacker
  83. Source: EFF
  84. Source: EFF
  85. Source: EFF
  86. Source: EFF
  87. Source: EFF
  88. Source: EFF
  89. DarkComet RAT. Connects to 216.6.0.28/google.exe. Keylogger: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs.sys ; C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\..lnk
  90. BlackShades
  91. Source: EFF. http://bshades.eu/bsscmds.php
  92. With Blackshades Remote Controller you can:
      - Control several computers at once, performing tasks ranging from viewing their screens to uploading/downloading files from them
      - Perform maintenance on a Network
      - Help a client out by using the screen capture feature, even if they are on the other side of the world
      - Monitor a specific PC, recording the keystrokes and remotely managing the files
      - Access your computer that you have at home if you are on holiday
      - Monitor the computers of students and their activity while teaching a computing lesson
      - Chat with clients that you are connected to
  93. Compromised Skype accounts. .PIF file 'Windows Messanger' – registers itself in the firewall and in Startup. C2: alosh66.myftp.org (31.9.170.140) 4444/TCP
  94. OSX.Kitm (Kumar in the mac). Rajinder Kumar. OSX/Filesteal – OSX/HackBack. Source: F-Secure
  95. Source: F-Secure
  96. Source: F-Secure
  97. Source: F-Secure
  98. Source: F-Secure
  99. Thanks. David Barroso, @lostinsecurity
