Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
TargetedAttacks on Major Industry Sectors in South Korea CHA Minseok (Jacky Cha, 車珉錫) – Full Version Senior Principal Malw...
Contents 01 02 03 04 05 06 07 Cyber Attacks in South Korea, 2017 Infection Vector Andariel Group Operation Red Dot Operati...
01 Cyber Attacks in South Korea, 2017
© AhnLab, Inc. All rights reserved. 4 VenusLocker Ransomware • SpearPhishing -EmailwritteninKorean * http://www.ahnlab.com...
© AhnLab, Inc. All rights reserved. 5 VenusLocker Ransomware • Macro Downloader - ChineseFont?!
© AhnLab, Inc. All rights reserved. 6 Erebus Ransomware • Web hostingcompanyNayana was hit by Erebusransomware -Attackoccu...
© AhnLab, Inc. All rights reserved. 7 ATM Hacking • ATM Hacking(byAndarielGroup) - 230,000credit cardsin totalwere leaked ...
© AhnLab, Inc. All rights reserved. 8 Cryptocurrency Exchange Platform Hacked • Cryptocurrency ExchangePlatformHacked -Mal...
© AhnLab, Inc. All rights reserved. 9 Supply Chain Attack • SupplyChainAttack - BackdoorfoundinNetsarangservermanagementso...
© AhnLab, Inc. All rights reserved. 10 Travel Agency Breached • South Korea’sLargestTravelAgencyHacked - * Source:https://...
© AhnLab, Inc. All rights reserved. Activity groups/APTs in South Korea 2007 2013 2014 2015 2016 2017 Icefog OP Red Dot (E...
02 Infection Vector
© AhnLab, Inc. All rights reserved. 13 Infection Vector Watering hole (ActiveX) Email (Spear Phishing) Update IT Managemen...
03 Andariel Group
© AhnLab, Inc. All rights reserved. 15 Andariel • Andariel -PresumedtobeanotherLazarusspinoff -DarkSeoul(2013),OperationBl...
© AhnLab, Inc. All rights reserved. 16 Malware • Theyare usingvariousmalware icon Exploits − Active X − Flash − IT Managem...
© AhnLab, Inc. All rights reserved. Andariel Timeline 2008 2009 2013 2014 2015 2016 3.4 DDoS 3.20Cyber attack (DarkSeoul) ...
© AhnLab, Inc. All rights reserved. 18 Infection Vector – ActiveX A • Report ProductAExploit -Scriptfilecreated→downloaded
© AhnLab, Inc. All rights reserved. 19 Infection Vector – ActiveX A • Script -First5bytesdownloadremoved (MZ...)→first5byt...
© AhnLab, Inc. All rights reserved. 20 Infection Vector – IT Management B • ITManagementProductB exploit - V3PScan.exefile...
© AhnLab, Inc. All rights reserved. 21 Infection Vector – IT Management B • ITManagementProductB Ports -3511:ClientListenP...
© AhnLab, Inc. All rights reserved. 22 Infection Vector – IT Management C • ITManagementProductC exploit - TargetIP,Downlo...
© AhnLab, Inc. All rights reserved. 23 Infection Vector – IT Management C • Script -Filedownloadedandrecovered5bytes(MZ) A...
© AhnLab, Inc. All rights reserved. 24 2015 - Attack against SeoulADEX 2015 Participants • Defensecompaniessufferfrom hack...
© AhnLab, Inc. All rights reserved. 25 2015 - Attack against SeoulADEX 2015 Participants • AttackagainstSeoulADEX2015Parti...
© AhnLab, Inc. All rights reserved. 26 2015 - Attack against SeoulADEX 2015 Participants • AttackagainstSeoulADEX2015Parti...
© AhnLab, Inc. All rights reserved. 27 2016 - Security Breach of Major Companies • Malware distributedthrough vulnerable I...
© AhnLab, Inc. All rights reserved. Attacker Major companies and arms manufacturers C2 and storage server to prevent data ...
© AhnLab, Inc. All rights reserved. 29 2017 – Financial SectorAttack • Macro Downloader -Disguisedasnewgovernmentdiplomati...
© AhnLab, Inc. All rights reserved. 30 2017 – Financial SectorAttack • Macro Comparison -SeoulADEXattendees(2015)vsFinance...
© AhnLab, Inc. All rights reserved. 31 Malware – GhostRat • customizedGh0st RAT - Sourcecodereleased
© AhnLab, Inc. All rights reserved. 32 Malware - Rifdoor • Rifdoor(Rifle+ Bakcdoor)== Operation Ghost Rifle(2015) -Backdoo...
© AhnLab, Inc. All rights reserved. 33 Backdoor - Phandoor • Phandoor(Phantom.exe+ Backdoor)== OperationAnonymousPhantom(2...
© AhnLab, Inc. All rights reserved. 34 Backdoor - Phandoor • Mystery ‘S^’ -‘S^’foundintheXwdoor(2012)&Phandoor(2016)
© AhnLab, Inc. All rights reserved. 35 Backdoor - Phandoor • SimilarEncodingCodes - Rifdoorvs.Phandoor
© AhnLab, Inc. All rights reserved. 36 Malware - Wiper • Wiper -WhetherWiperisusedinrealattackisnotidentified
04 Operation Red Dot
© AhnLab, Inc. All rights reserved. 38 Operation Red Dot • Operation Red Dot -Period:Fromearly2014~ -Maintargets:DefenseIn...
© AhnLab, Inc. All rights reserved. 39 Operation Red Dot • Relation - * Source:https://www.operationblockbuster.com/wp-con...
© AhnLab, Inc. All rights reserved. Timeline 2014 2016 20172015 Sony Pictures Hacking Loader(1) x86 Loader(2) Backdoor(2) ...
© AhnLab, Inc. All rights reserved. 41 2014 - Security Breach of Sony Pictures SonyPicturesHack - EliminatedSony’scomputer...
© AhnLab, Inc. All rights reserved. 42 2015 - Attack against SeoulADEX 2015 Participants •News reported, “Thereis a possib...
© AhnLab, Inc. All rights reserved. 43 2015 - Attack against SeoulADEX 2015 Participants • AttackagainstSeoulADEX2015Parti...
© AhnLab, Inc. All rights reserved. 44 Backdoor - Escad • Malware SampleComparison - SonyPictureshackvs.attackinSouthKorea
© AhnLab, Inc. All rights reserved. 45 Backdoor - Escad • EscadTypeA(SonyPictureshack)
© AhnLab, Inc. All rights reserved. 46 Backdoor - Escad • EscadType B XOR 0x89
05 Operation Bitter Biscuit
© AhnLab, Inc. All rights reserved. 48 Operation Bitter Biscuit • Operation BitterBiscuit -AhnLabreleasedawhitepaperinOcto...
© AhnLab, Inc. All rights reserved. 49 Relation • Operation BitterBiscuit==The HeartBeatAPT== Operation Orca - * Source:ht...
© AhnLab, Inc. All rights reserved. Timeline 2009 2010 2011 2013 2015 2016 2017 Bisonal Type B The HeartBeat APT Campaign ...
© AhnLab, Inc. All rights reserved. 51 Infection Vector • Executablefiledisguised asdocumentfiles -
© AhnLab, Inc. All rights reserved. 52 Infection Vector • Documentfilescontainingmacros - PoliticalSeminarAgenda
© AhnLab, Inc. All rights reserved. 53 Decoy documents • Invitation& Conference& Resume -
© AhnLab, Inc. All rights reserved. 54 Bisonal • Features - bisonal,bioazih,biaozih
© AhnLab, Inc. All rights reserved. 55 Dexbia (Bromall) • Dexbia(Bromall) - Port C&C
© AhnLab, Inc. All rights reserved. Process Malware Evoultion 01 2011-2012 02 2013-2014 03 2015-2017 • Bisonal, Bioazih St...
06 Who Is Behind The Attacks?
© AhnLab, Inc. All rights reserved. 58 Korean?! • GhostRat ManagementKorean Edition - Koreanbutstrange Strings (문자렬 -> 문자열...
© AhnLab, Inc. All rights reserved. 59 Korean?! • Korean?! -C:UsersKGHDownloads(DONE)TROYS(DONE)(done)1charelease(done)(do...
07 Conclusion
© AhnLab, Inc. All rights reserved. 61 Conclusion • Conclusion -5groupsactiveinSouthKorea-atleast -AndarielGroup,Operation...
© AhnLab, Inc. All rights reserved. 62 Q&A minseok.cha@ahnlab.com / mstoned7@gmail.com http://xcoolcat7.tistory.com, https...
© AhnLab, Inc. All rights reserved. 64 Reference • TargetedAttackson DefenseIndusty (Korean) http://www.ahnlab.com/kr/site...
Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version
Upcoming SlideShare
Loading in …5
×
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.
Internet
Dec. 10, 2017
3,653 views

3

Share

Download to read offline

Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version

Download to read offline

Internet
Dec. 10, 2017
3,653 views

Targeted Attacks on Major Industry Sectors in South Korea

Andariel group, Threat group behind Operation Red Dot, Threat group behind Operation Bitter Biscuit

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(3/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
Google's PageRank and Beyond: The Science of Search Engine Rankings Amy N. Langville
(3/5)
Free
Digital Vertigo: How Today's Online Social Revolution Is Dividing, Diminishing, and Disorienting Us Andrew Keen
(3/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community that Will Listen Kristen Meinzer
(4.5/5)
Free
Stop Checking Your Likes: Shake Off the Need for Approval and Live an Incredible Life Susie Moore
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(3.5/5)
Free
This Machine Kills Secrets: How Wikileakers, Cypherpunks, and Hacktivists Aim to Free the World's Information Andy Greenberg
(4/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
Instagram for Business for Dummies: 2nd Edition Jenn Herman
(0/5)
Free
The Art of Social Media: Power Tips for Power Users Guy Kawasaki
(4/5)
Free
Kill All Normies: Online Culture Wars From 4Chan And Tumblr To Trump And The Alt-Right Angela Nagle
(4/5)
Free
Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous Gabriella Coleman
(4/5)
Free
Cyberwar: How Russian Hackers and Trolls Helped Elect a President—What We Don't, Can't, and Do Know Kathleen Hall Jamieson
(3/5)
Free
Exploding Data: Reclaiming Our Cyber Security in the Digital Age Michael Chertoff
(4/5)
Free
Internet Riches: The Simple Money-Making Secrets of Online Millionaires Scott Fox
(4/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
The Secret Life: Three True Stories of the Digital Age Andrew O'Hagan
(4/5)
Free
Everybody Has a Podcast (Except You): A How-To Guide from the First Family of Podcasting Justin McElroy
(5/5)
Free

Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version

  1. 1. TargetedAttacks on Major Industry Sectors in South Korea CHA Minseok (Jacky Cha, 車珉錫) – Full Version Senior Principal Malware Researcher AhnLab | ASEC | Analysis Team AVAR 2017 (December 7, 2017)
  2. 2. Contents 01 02 03 04 05 06 07 Cyber Attacks in South Korea, 2017 Infection Vector Andariel Group Operation Red Dot Operation Bitter Biscuit Who Is Behind The Attacks? Conclusion
  3. 3. 01 Cyber Attacks in South Korea, 2017
  4. 4. © AhnLab, Inc. All rights reserved. 4 VenusLocker Ransomware • SpearPhishing -EmailwritteninKorean * http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26309
  5. 5. © AhnLab, Inc. All rights reserved. 5 VenusLocker Ransomware • Macro Downloader - ChineseFont?!
  6. 6. © AhnLab, Inc. All rights reserved. 6 Erebus Ransomware • Web hostingcompanyNayana was hit by Erebusransomware -AttackoccurredinJune10,20171:00am -Filesin153servershavebeenencrypted.5,496websiteswereaffected.Paidover$1Million -2similarattacksinNovember(DifferentLinuxRansomware) * Source:http://securityaffairs.co/wordpress/60281/malware/erebus-ransomware-hit-south-korea.html&http://english.etnews.com/20171109200001& http://ciobiz.etnews.com/news/article.html?id=20171129120027
  7. 7. © AhnLab, Inc. All rights reserved. 7 ATM Hacking • ATM Hacking(byAndarielGroup) - 230,000credit cardsin totalwere leaked (September2016 ~ February 2017) -IllegalwithdrawalsthroughATMsinChina,ThailandandTaiwan -4suspectsarrested→obtainedtheprivatefinancialdatafromamiddlemanwhoclaimedhegottheinformationfroma NorthKorean -MalwareusedinthisattackwasverysimilartothemalwareusedintheKoreanMNDhacking * Source:http://english.yonhapnews.co.kr/news/2017/09/06/0200000000AEN20170906007600315.html&http://www.itworld.co.kr/news/106281
  8. 8. © AhnLab, Inc. All rights reserved. 8 Cryptocurrency Exchange Platform Hacked • Cryptocurrency ExchangePlatformHacked -MaliciousHanguldocument(HWP)fileasattackvector -Customerdataleaked -maybebythethreatgroupbehindOperationRedDot * Source:http://uk.businessinsider.com/south-korean-bitcoin-exchange-bithumb-hacked-ethereum-2017-7& http://www.hani.co.kr/arti/economy/it/801322.html
  9. 9. © AhnLab, Inc. All rights reserved. 9 Supply Chain Attack • SupplyChainAttack - BackdoorfoundinNetsarangservermanagementsoftware * Source:https://securelist.com/shadowpad-in-corporate-networks/81432& http://www.netsarang.co.kr/news/security_exploit_in_july_18_2017_build.html
  10. 10. © AhnLab, Inc. All rights reserved. 10 Travel Agency Breached • South Korea’sLargestTravelAgencyHacked - * Source:https://coinjournal.net/south-koreas-largest-travel-agency-breached-hacker-demands-bitcoin-payment/& http://www.hanatour.com/asp/custcenter/bb-20000.asp
  11. 11. © AhnLab, Inc. All rights reserved. Activity groups/APTs in South Korea 2007 2013 2014 2015 2016 2017 Icefog OP Red Dot (Escad, Loader) Andariel (Rifdoor, GhostRat, Phandoor, Andarat) Dllbot Xwdoor OP Black Mine (Bmdoor) 2011 OP Bitter Biscuit (Bisonal, Dexbia) OP Happy Dragon 2018 Kimsuky 2012 Plugx (Korplug)
  12. 12. 02 Infection Vector
  13. 13. © AhnLab, Inc. All rights reserved. 13 Infection Vector Watering hole (ActiveX) Email (Spear Phishing) Update IT Management system C2 Vulnerability Attack Update Server Supply Chain / IT Maintenace Services Listening Port Web Server Send file transfer commands Listening Port Port Scanning Vulnerability Attacks
  14. 14. 03 Andariel Group
  15. 15. © AhnLab, Inc. All rights reserved. 15 Andariel • Andariel -PresumedtobeanotherLazarusspinoff -DarkSeoul(2013),OperationBlackMine(2014-2015) -OperationGhostRifle==OperationAnonymousPhantom==OperationGoldenAxe==CampaignRifle -Targets:DefenseIndustry,CyberSecurityCompanies,PoliticalInstitutions,MND(MinistryofNationalDefense),Finance Sector,EnergyResearchInstitutionetc. -AttackVectors:SpearPhishing,WateringHole(Active-Xvulnerability),ITManagementSystemVulnerability, SupplyChainAttack -Malware:Andarat,Bmdoor,GhostRat,Rifdoor,Phandoor -AhnLabpublishedthewhitepaper inJuly,2017 -FSI(FinancialSecurityInstitute) publishedthewhitepaperinAugust,2017
  16. 16. © AhnLab, Inc. All rights reserved. 16 Malware • Theyare usingvariousmalware icon Exploits − Active X − Flash − IT Management System Stealers Tools − Backdoor (Andarat, Bmdoor, GhostRat, Phandoor, Rifdoor, Xtreame) − Keylogger − Mimikatz − OSQL − Privilege Escalation − Putty Link − Proxy Server − Port Scanner − Wiper
  17. 17. © AhnLab, Inc. All rights reserved. Andariel Timeline 2008 2009 2013 2014 2015 2016 3.4 DDoS 3.20Cyber attack (DarkSeoul) & 6.25Cyber Attack 2017 SeoulADEX participants 7.7 DDoS Security breach of majorcompanies MND hacked ATM hacked Financial Sector Breach of Travel Agency Energy Research Institute OperationBlack Mine (Bmdoor) OperationGhost Rifle (Rifdoor) Xwdoor 2011 2012 3.20Cyber-attack (Gatheringinformation) OperationAnonymous Phantom(Phandoor) Security Company Defense Company ActiveX Vulnerabilities Attack Dllbot Korean Government 2018
  18. 18. © AhnLab, Inc. All rights reserved. 18 Infection Vector – ActiveX A • Report ProductAExploit -Scriptfilecreated→downloaded
  19. 19. © AhnLab, Inc. All rights reserved. 19 Infection Vector – ActiveX A • Script -First5bytesdownloadremoved (MZ...)→first5bytesrecoverylost (MZ...)
  20. 20. © AhnLab, Inc. All rights reserved. 20 Infection Vector – IT Management B • ITManagementProductB exploit - V3PScan.exefiledistributedthroughITManagementSystem
  21. 21. © AhnLab, Inc. All rights reserved. 21 Infection Vector – IT Management B • ITManagementProductB Ports -3511:ClientListenPort -3523,3524:FileTransfer * Source:ProductBUserManual (2004)
  22. 22. © AhnLab, Inc. All rights reserved. 22 Infection Vector – IT Management C • ITManagementProductC exploit - TargetIP,DownloadURL,Path -ProductCfiletransfer(Port7224)
  23. 23. © AhnLab, Inc. All rights reserved. 23 Infection Vector – IT Management C • Script -Filedownloadedandrecovered5bytes(MZ) Argv : DownloadURL Argv : RemoteFilePath
  24. 24. © AhnLab, Inc. All rights reserved. 24 2015 - Attack against SeoulADEX 2015 Participants • Defensecompaniessufferfrom hacking attacks - SeoulADEX(Seoul International Aerospace and Defense Exhibition) *Source:http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html
  25. 25. © AhnLab, Inc. All rights reserved. 25 2015 - Attack against SeoulADEX 2015 Participants • AttackagainstSeoulADEX2015Participants(1) - MacroDownloader -> Seoul ADEX Result & visitors list -> disguising as Headquarters of Seoul ADEX
  26. 26. © AhnLab, Inc. All rights reserved. 26 2015 - Attack against SeoulADEX 2015 Participants • AttackagainstSeoulADEX2015Participants(1) -Rifdoordownloaded
  27. 27. © AhnLab, Inc. All rights reserved. 27 2016 - Security Breach of Major Companies • Malware distributedthrough vulnerable ITmanagementsystem vulnerability -Hackedintomorethan140,000computersat160SouthKoreancompaniesandgovernmentagencies -42,608documentswerereportedtohavebeenleaked -Attackbeganin2014andwasdetectedinFebruary2016 *Source:http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE
  28. 28. © AhnLab, Inc. All rights reserved. Attacker Major companies and arms manufacturers C2 and storage server to prevent data loss GhostRat 2016 - Security Breach of Major Companies V3PScan.exe was distributed by IT Management System Attack IT Management System B vulnerability
  29. 29. © AhnLab, Inc. All rights reserved. 29 2017 – Financial SectorAttack • Macro Downloader -Disguisedasnewgovernmentdiplomaticadvisorylist -V3UI.exedownloaded
  30. 30. © AhnLab, Inc. All rights reserved. 30 2017 – Financial SectorAttack • Macro Comparison -SeoulADEXattendees(2015)vsFinanceSector(2017)
  31. 31. © AhnLab, Inc. All rights reserved. 31 Malware – GhostRat • customizedGh0st RAT - Sourcecodereleased
  32. 32. © AhnLab, Inc. All rights reserved. 32 Malware - Rifdoor • Rifdoor(Rifle+ Bakcdoor)== Operation Ghost Rifle(2015) -Backdoor(90KB) -PDB:contain‘rifle’ -Addsrandomdata
  33. 33. © AhnLab, Inc. All rights reserved. 33 Backdoor - Phandoor • Phandoor(Phantom.exe+ Backdoor)== OperationAnonymousPhantom(2016-2017) -OriginalfilenamewasPhantom.exe→Phantom.exe+Backdoor=Phandoor -S^!? - Anonymous?
  34. 34. © AhnLab, Inc. All rights reserved. 34 Backdoor - Phandoor • Mystery ‘S^’ -‘S^’foundintheXwdoor(2012)&Phandoor(2016)
  35. 35. © AhnLab, Inc. All rights reserved. 35 Backdoor - Phandoor • SimilarEncodingCodes - Rifdoorvs.Phandoor
  36. 36. © AhnLab, Inc. All rights reserved. 36 Malware - Wiper • Wiper -WhetherWiperisusedinrealattackisnotidentified
  37. 37. 04 Operation Red Dot
  38. 38. © AhnLab, Inc. All rights reserved. 38 Operation Red Dot • Operation Red Dot -Period:Fromearly2014~ -Maintargets:DefenseIndustry,Politicalinstitutions,Majorcompanies(Conglomerates),HostingServices,Financial Sector,CryptocurrencyExchange… -Malwares:Escad,Loader -Remark:Thishackinggroupispossibly involvedwiththesecuritybreachofSonyPictures
  39. 39. © AhnLab, Inc. All rights reserved. 39 Operation Red Dot • Relation - * Source:https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf & https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/
  40. 40. © AhnLab, Inc. All rights reserved. Timeline 2014 2016 20172015 Sony Pictures Hacking Loader(1) x86 Loader(2) Backdoor(2) Backdoor (1)B Escad Loader(1)x64 Loader(2)– Resource Loader(1) Backdoor (1)A Web Hosting Services SeoulADEX Participants Political institutions Major CompanyB Cryptocurrency Exchange Major CompanyA Financial Sector Open Type Font Elevation of Privilege Vulnerability MS16-132 (CVE-2016-7256) HWP Files (with EPS) HWPx Vulnerability (CVE-2015- 6585) Network Isolation Vulnerability Major CompanyA Websites against North Korea Defense Firms
  41. 41. © AhnLab, Inc. All rights reserved. 41 2014 - Security Breach of Sony Pictures SonyPicturesHack - EliminatedSony’scomputerinfrastructure - Leakedconfidentialdata * Source:http://imgur.com/qXNgFVz&Source:https://gist.github.com/anonymous/7b9a0a0ac94065ccfc5b
  42. 42. © AhnLab, Inc. All rights reserved. 42 2015 - Attack against SeoulADEX 2015 Participants •News reported, “Thereis a possibility that thishackinggroupcouldbeconnectedwithSonyPictureshackinggroup” (October2015) *Source:http://www.boannews.com/media/view.asp?idx=48598&kind=0 &http://www.etnews.com/20151007000172
  43. 43. © AhnLab, Inc. All rights reserved. 43 2015 - Attack against SeoulADEX 2015 Participants • AttackagainstSeoulADEX2015Participants(2) - HWPxVulnerability (CVE-2015-6585)->Zero-dayvulnerabilityatthetime -> invitation.hwp
  44. 44. © AhnLab, Inc. All rights reserved. 44 Backdoor - Escad • Malware SampleComparison - SonyPictureshackvs.attackinSouthKorea
  45. 45. © AhnLab, Inc. All rights reserved. 45 Backdoor - Escad • EscadTypeA(SonyPictureshack)
  46. 46. © AhnLab, Inc. All rights reserved. 46 Backdoor - Escad • EscadType B XOR 0x89
  47. 47. 05 Operation Bitter Biscuit
  48. 48. © AhnLab, Inc. All rights reserved. 48 Operation Bitter Biscuit • Operation BitterBiscuit -AhnLabreleasedawhitepaperinOctober2017 -OperationBitterBiscuit==HeartBeatAPT@AVAR2012==OperationOrca@VB2017 -ActivitiesinSouthKoreasince2009(2008?) -Targets:Military,DefenseResearchInstitutes,DefenseIndustry,ICT,Manufacturer -InfectionVector:Executablefilesdisguisedasdocumentsfiles&Macro -Malware:Presonal,Bisonal(Biscon,Korlia),Dexbia(Bromall) -Bisonalscontain‘bisonal’,‘bioazih’,‘biaozih’ -Filenames:6ro4.dll, 6to4nt.dll, ahn.exe, AhnSDsv.exe, ahnupdate.exe, AYagent.exe, chrome.exe, conhost.exe, conime.exe, ctfmon.exe, deskmvr.exe, dlg.exe, htrn.dll, hyper.dll, lpk.dll, lsass.exe, mfc.exe, mmc.exe, msacm32.dll, netfxocm.exe, serskt.exe, svcsep.exe, taskmgr.exe, tpcon.exe, tsc.exe, v3update.exe, winhelp.exe
  49. 49. © AhnLab, Inc. All rights reserved. 49 Relation • Operation BitterBiscuit==The HeartBeatAPT== Operation Orca - * Source:https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign&https://camal.coseinc.com/publish/2013Bisonal.pdf& https://blogs.technet.microsoft.com/mmpc/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe/&http://www.cert-in.org.in&https://www.virusbulletin.com/conference/vb2017/abstracts/operation- orca-cyber-espionage-diving-ocean-least-six-years/
  50. 50. © AhnLab, Inc. All rights reserved. Timeline 2009 2010 2011 2013 2015 2016 2017 Bisonal Type B The HeartBeat APT Campaign ICT ICT Manufacturer Manufacturer IT Bioazih RAT Blog 2018 Japanese Defense Industry Military Defense Industry ITPresonal 20142012 Attacks on Korean Government Bisonal TypeA MilitarySecurity Research Institute Operation Orca Operation BitterBiscuit
  51. 51. © AhnLab, Inc. All rights reserved. 51 Infection Vector • Executablefiledisguised asdocumentfiles -
  52. 52. © AhnLab, Inc. All rights reserved. 52 Infection Vector • Documentfilescontainingmacros - PoliticalSeminarAgenda
  53. 53. © AhnLab, Inc. All rights reserved. 53 Decoy documents • Invitation& Conference& Resume -
  54. 54. © AhnLab, Inc. All rights reserved. 54 Bisonal • Features - bisonal,bioazih,biaozih
  55. 55. © AhnLab, Inc. All rights reserved. 55 Dexbia (Bromall) • Dexbia(Bromall) - Port C&C
  56. 56. © AhnLab, Inc. All rights reserved. Process Malware Evoultion 01 2011-2012 02 2013-2014 03 2015-2017 • Bisonal, Bioazih Strings.. • Dynamic DNS • Bisonal, Bioazih Strings.. • Encrypting Strings • Dexbia (Bromall) discovered • Dexbia (Bromall) • Packed Bisonal
  57. 57. 06 Who Is Behind The Attacks?
  58. 58. © AhnLab, Inc. All rights reserved. 58 Korean?! • GhostRat ManagementKorean Edition - Koreanbutstrange Strings (문자렬 -> 문자열) ??? (maybe when notified) 팁 Tip ??? (typo 암 -> 안) System Setting (체계설정 -> 설정) Secret (비밀 -> 암호 Password)User
  59. 59. © AhnLab, Inc. All rights reserved. 59 Korean?! • Korean?! -C:UsersKGHDownloads(DONE)TROYS(DONE)(done)1charelease(done)(done)1cha(dll)Installer-dll-service- win32ReleaseInstallBD.pdb -KGH-commonKoreannameinitials(?) -1cha-'cha'hasthesamepronunciationforKoreanordinalnumber -C8:thesamepronunciationasaprofanitywiththemeaningofF-wordinKorea.
  60. 60. 07 Conclusion
  61. 61. © AhnLab, Inc. All rights reserved. 61 Conclusion • Conclusion -5groupsactiveinSouthKorea-atleast -AndarielGroup,OperationRedDot:Motivationforattackseemstohavechanged (ConfidentialInformation→Monetarybenefit) -SomeofthemknowKoreanverywellandknowKoreancultureandenvironment -TheyattackvulnerabilitiesinKoreansoftwresanddisguisedasKoreanfamoussoftwares -SomeofthemareactiveoutsideofKorea • Cooperation -We need to cooperate to fight them !
  62. 62. © AhnLab, Inc. All rights reserved. 62 Q&A minseok.cha@ahnlab.com / mstoned7@gmail.com http://xcoolcat7.tistory.com, https://www.facebook.com/xcoolcat7 https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
  63. 63. © AhnLab, Inc. All rights reserved. 64 Reference • TargetedAttackson DefenseIndusty (Korean) http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26565ABC, http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threats.pdf) • Targeted Attacks on Defense Industry (http://download.ahnlab.com/global/brochure/Tech_Report_Defense%20Industry.pdf) • CyberThreat IntelligenceReport (Korean) (https://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do)

  • gidhong

    Feb. 27, 2018

  • LyndonWatkins

    Dec. 17, 2017

  • nkokkoon

    Dec. 12, 2017

Targeted Attacks on Major Industry Sectors in South Korea Andariel group, Threat group behind Operation Red Dot, Threat group behind Operation Bitter Biscuit

Views

Total views

3,653

On Slideshare

0

From embeds

0

Number of embeds

167

Actions

Downloads

49

Shares

0

Comments

0

Likes

3

×