Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.

In 2014 the actors behind the global cyber espionage campaign “Operation NetTraveler” celebrated ten years of activity. NetTraveler has targeted more than 350 high-profile victims in 40 countries, so it is high time we made our research public. We were able to attribute NetTraveler to a PLA [People's Liberation Army] military camp in Lanzhou. We provide our analysis in the form of a PPT slide deck.

  1. www.Garage4Hackers.com. Lessons learned tracking an APT team: Advanced Persistent Threat [APT] Tracking for Dummies. http://www.Garage4Hackers.com Garage4Hackers
  2. About Me [Garage4Hackers]: a community of like-minded security folks. Forum-based community: www.Garage4Hackers.com. Ranchoddas Series webcast every month [promoting free infosec education]; THN is one of our biggest supporters. www.garage4hackers.com/ranchoddas-webcast https://twitter.com/Garage4Hackers. Our views and opinions do not represent those of our employers.
  3. NetTraveler APT Attribution. This talk is about how we attributed the APT team behind NetTraveler: how we did it and how you could do the same. References: http://www.kaspersky.com/about/news/virus/2013/NetTraveler_is_back_with_new_tricks, http://www.kaspersky.com/about/news/virus/2014/NetTraveler-Gets-Makeover-for-Tenth-Anniversary, http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf
  4. Tracking an APT Team. Agenda: exploit/malware analysis; information gathering; finding security bugs in attacker infrastructure; taking over attacker command and control servers; identifying victims; countering attacks. Whatever is mentioned in the talk today is based on data collected over a year. This research was done with active participation from G4H members.
  5. The Attack. Spear-phishing: comes from a spoofed email address via email. Watering hole technique (browser exploits, drive-by downloads) to infect victims surfing the web.
  6. Step 1: Email header analysis. Evidence to collect (http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx): 1) sender time, return path, SMTP address, etc.
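As an added example (not code from the Garage4Hackers deck), the header triage of step 1 in Python: it pulls the sender time, return path and relay chain out of a message, picks the public SMTP server that injected it, and flags a From/Return-Path domain mismatch. The message, hosts and addresses are constructed placeholders, and is_internal() treats only RFC 1918 and loopback addresses as internal.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; hosts, addresses and domains are placeholders.
RAW_MAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.victim.example (mx.victim.example [10.0.0.5])
\tby mail.victim.example with ESMTP; Tue, 14 Jan 2014 09:12:01 +0530
Received: from webmail.example.net (unknown [203.0.113.77])
\tby mx.victim.example with SMTP; Tue, 14 Jan 2014 09:11:58 +0530
Received: from [192.168.1.20] (localhost [127.0.0.1])
\tby webmail.example.net; Tue, 14 Jan 2014 09:11:40 +0530
From: "Press Office" <press@ministry.example.gov>
Date: Tue, 14 Jan 2014 09:11:30 +0530

see attached
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_internal(ip):
    """Only RFC 1918 and loopback count as internal; anything else is treated as a public relay."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def triage_headers(raw):
    """Step 1 evidence: sender time, return path and the SMTP relay that injected the mail."""
    msg = message_from_string(raw)
    hops = []                                   # newest relay first, as Received headers are stacked
    for received in msg.get_all("Received", []):
        hops.extend(IPV4_IN_BRACKETS.findall(received))
    # Walk back from the oldest hop: the first public address is the originating SMTP server.
    origin = next((ip for ip in reversed(hops) if not is_internal(ip)), None)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    return {
        "from": from_addr,
        "return_path": return_path,
        "sent_at": parsedate_to_datetime(msg["Date"]) if msg["Date"] else None,
        "hops": hops,
        "origin_ip": origin,
        # A Return-Path domain that differs from the From domain is the usual sign of a spoofed sender.
        "return_path_mismatch": bool(rp_domain) and rp_domain != from_domain,
    }
```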
  7. Step 2: Exploit Analysis. The objective is to identify/extract the malware dropped using the exploit. Collect metadata embedded in the exploit. Find any piece of information that would help in attribution. Identifying the CVE using virustotal.com helps when the exploit is not a 0-day.
  8. Automated: MS Office exploit analysis. These sites should help: www.document-analyzer.net/, www.joesecurity.org, http://scan.xecure-lab.com/
  9. Extracting Malware out of Exploits. Manual: MS Office exploit analysis. Run the document file in a virtual machine and use Process Monitor to watch system-level changes [drops at temp file]. Use Sandboxie to execute the document file and extract the binary. Load Office in a debugger and put breakpoints at the file write API.
  10. Evidence Collected from Steps 1, 2. Sent from a spoofed email address. The email contained a malicious attachment, which exploited the CVE-2010-333 RTF exploit. Based on initial analysis, the same malware samples were used to attack Korea and Russia, in a campaign that has been active since 2009. Opening the exploit drops a legitimate file with MD5 e617348b8947f28e2a280dd93c75a6ad, file name: Jallianwala Bagh massacre a deeply shameful act.doc. It drops the following binaries: c0c093987a55fe9ac61e6e2b5a362d51 netmgr.dll; 8dc61b737990385473dca9bfc826727b winlogin.exe
  11. Step 3: Malware Analysis. Evidence to collect: command and control domain names/IP addresses; whois information about the IP address; registrant email address; malware activities; interesting strings in the malware.
  12. Automated Malware Analysis: http://anubis.iseclab.org/, https://aerie.cs.berkeley.edu/, http://camas.comodo.com/, http://eureka.cyber-ta.org/, https://malwr.com/submission/, http://www.threatexpert.com/submit.aspx, http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx. Source: http://zeltser.com/reverse-malware/automated-malware-analysis.html
  13. Manual: Malware Analysis. Reversing malware: • Normally controller information would be encrypted or encoded inside the malware. • Just run the malware in a debugger and then analyze the heap for IP address/domain patterns. • Alternately, put a breakpoint at Winsock functions and analyze the stack. http://msdn.microsoft.com/en-us/library/windows/desktop/ms741394(v=vs.85).aspx
  14. Manual: Malware Analysis. • You can figure out the encryption/encoding algorithms. • The current malware compressed data and then base64-encoded it before sending it to attacker-controlled servers. • Registry/file system values the malware writes for persistence.
  15. Evidence Collected from Step 3. Controller information: http://www.faceboak.net/2012nt/nettraveler.asp, IP: 110.34.193.13. Request: compressed + B64-encoded GET request.
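Added example, not the authors' code: decoding a captured beacon of the kind slides 14 and 15 describe (data deflated, then base64-encoded into a GET parameter), tolerating URL-safe alphabets, stripped padding and the usual zlib/raw-deflate/gzip framings. The URL is constructed inside the block from a sample plaintext; the host is a placeholder and the parameter name d is an assumption.

```python
import base64
import binascii
import zlib
from urllib.parse import parse_qs, urlsplit

def b64_decode_lenient(value):
    """Accept standard or URL-safe alphabet, stripped padding, and '+' that became ' ' in a log."""
    value = value.strip().replace(" ", "+").translate(str.maketrans("-_", "+/"))
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value)

def inflate(blob):
    """Try zlib-wrapped, raw deflate and gzip framing; return None if none of them parse."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS, zlib.MAX_WBITS | 16):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return None

def decode_beacon(url):
    """Return {param: plaintext bytes} for every query parameter that is base64 of a compressed stream."""
    decoded = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            try:
                blob = b64_decode_lenient(value)
            except (binascii.Error, ValueError):
                continue                      # not base64 at all, e.g. a plain counter
            plain = inflate(blob)
            if plain is not None:
                decoded[name] = plain
    return decoded

# Constructed sample: what an implant would send, built the same way (deflate, then base64),
# with the padding stripped as URL-safe encoders often do.
SAMPLE_PLAINTEXT = b"host=WIN-LAB01&user=analyst&os=Windows XP&ver=2.1"
SAMPLE_URL = ("http://controller.invalid/2012nt/nettraveler.asp?d="
              + base64.urlsafe_b64encode(zlib.compress(SAMPLE_PLAINTEXT)).decode().rstrip("=")
              + "&id=42")
```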
  16. Domain Information. IP address 110.34.193.13 hosted many domains. Also, each domain we identified was behind a fast flux domain. The registrant email ID was found using whois and was used to reverse-query other domains. Source: http://blogs.mcafee.com/mcafee-labs/travnet-trojan-could-be-part-of-apt-campaign
  17. We wrote a Fast Flux Monitor. • Collected all IP addresses associated with the group. • Created another program to get whois registration information for all these IP addresses.
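Added example (not the authors' monitor): a minimal fast-flux monitor in Python that records every A record returned for a domain over repeated lookups, scores the churn, and lists IPs shared between monitored domains as pivots to the group's other infrastructure. Domains, IPs and TTLs are constructed; a /16 prefix stands in for the hosting network, and the thresholds are assumptions. Feed observe() from whatever resolver you use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class FastFluxMonitor:
    """Records every A record seen per domain across repeated lookups and scores the churn."""

    def __init__(self, max_ttl=300, min_ips=5, min_nets=3):   # thresholds are assumptions
        self.max_ttl, self.min_ips, self.min_nets = max_ttl, min_ips, min_nets
        self.seen = defaultdict(dict)        # domain -> ip -> (first_seen, last_seen)
        self.ttls = defaultdict(list)        # domain -> every TTL observed
        self.ip_to_domains = defaultdict(set)

    def observe(self, domain, when, answers):
        """Feed one resolution: answers is an iterable of (ip, ttl) from your resolver."""
        for ip, ttl in answers:
            first, _ = self.seen[domain].get(ip, (when, when))
            self.seen[domain][ip] = (first, when)
            self.ttls[domain].append(ttl)
            self.ip_to_domains[ip].add(domain)

    def report(self, domain):
        ips = self.seen[domain]
        nets = {".".join(ip.split(".")[:2]) for ip in ips}   # /16 as a crude stand-in for the hosting network
        min_ttl = min(self.ttls[domain], default=None)
        fast_flux = (len(ips) >= self.min_ips and len(nets) >= self.min_nets
                     and min_ttl is not None and min_ttl <= self.max_ttl)
        return {"domain": domain, "unique_ips": len(ips), "unique_nets": len(nets),
                "min_ttl": min_ttl, "fast_flux": fast_flux}

    def shared_infrastructure(self):
        """IPs that answered for more than one monitored domain: pivots to the group's other domains."""
        return {ip: sorted(d) for ip, d in self.ip_to_domains.items() if len(d) > 1}

def demo():
    """Constructed observations: a flux domain whose answers rotate every 10 minutes, and a stable one."""
    mon = FastFluxMonitor()
    t0 = datetime(2014, 1, 14, 0, 0)
    pool = ["198.51.100.7", "203.0.113.9", "192.0.2.44", "198.18.3.3", "100.64.9.1", "192.0.2.200"]
    for i in range(6):
        rotating = [(pool[(i + k) % len(pool)], 120) for k in range(2)]
        mon.observe("update.c2-example.invalid", t0 + timedelta(minutes=10 * i), rotating)
        mon.observe("www.stable-example.invalid", t0 + timedelta(minutes=10 * i), [("203.0.113.9", 86400)])
    return mon
```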
  18. Step 4: Offensive Attacks on C&C. Collect information about victims. Find information about attackers. Identify stolen information. Collect tools used by attackers. Learn about attacker tools and tactics. Sometimes you find 0-days on these servers; this would give better protection. “The only real defense is offensive defense” (Mao Zedong)
  19. Find Vulnerabilities: on the C&C application; on the hosted server; or whatever evil ways you could think about. We found a lame bug in the controller application and we had our first non-interactive shell on the controller.
  20. Attack the Attackers.
  21. Result. A huge number of C&C servers were under control. Lots of evidence to collect.
  22. They looked for: .ppt(x), .xls(x), .doc(x), .pdf. Encrypted?? • The contents were compressed and unusable. • Decompression was needed to convert them back to a usable format.
  23. Lots of Data and Lots of Victims. Source: http://www.kaspersky.com/about/news/virus/2014/NetTraveler-Gets-Makeover-for-Tenth-Anniversary
  24. Evidence Collected: webserver logs, system logs; activity and admin login logs; victim information; IP address and MAC address. Highlights: 1. Attackers were behind a proxy. 2. Military-like working pattern identified, 24/7. 3. The controller admins showed a lack of technical skills (so the developers of NetTraveler are not the maintainers of the controllers). [Slide chart: admin activity marked per hour of day (rows 00 to 12) against weekday (columns M T W T F S SU).]
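Added example, not from the deck: reconstructing the hour-by-weekday activity chart of slide 24 from admin login log lines, which is how a "military-like" working pattern is read off controller logs. The log lines are constructed Apache-format entries, the login path and the success status are assumptions, and times are shifted to UTC+8 as the suspected local zone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed admin-login lines in Apache combined format; IPs are documentation ranges.
LOG_LINES = [
    '198.51.100.23 - - [13/Jan/2014:00:57:10 +0000] "POST /admin/login.asp HTTP/1.1" 302 0',
    '198.51.100.23 - - [13/Jan/2014:06:02:41 +0000] "POST /admin/login.asp HTTP/1.1" 302 0',
    '198.51.100.23 - - [13/Jan/2014:06:05:00 +0000] "POST /admin/login.asp HTTP/1.1" 401 0',
    '198.51.100.40 - - [14/Jan/2014:14:30:05 +0000] "POST /admin/login.asp HTTP/1.1" 302 0',
    '198.51.100.40 - - [15/Jan/2014:19:45:59 +0000] "POST /admin/login.asp HTTP/1.1" 302 0',
    '198.51.100.40 - - [18/Jan/2014:02:10:33 +0000] "POST /admin/login.asp HTTP/1.1" 302 0',
    '203.0.113.5 - - [19/Jan/2014:01:15:12 +0000] "GET /admin/index.asp HTTP/1.1" 200 512',
]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+)[^"]*" (\d{3})')
DAYS = ["M", "T", "W", "T", "F", "S", "SU"]

def login_grid(lines, path="/admin/login.asp", utc_offset_hours=8):
    """Count successful logins (assumed: POST to the login page answered with 302) per (weekday, hour)."""
    local = timezone(timedelta(hours=utc_offset_hours))
    grid = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _ip, stamp, method, req_path, status = m.groups()
        if method != "POST" or req_path != path or status != "302":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(local)
        grid[(when.weekday(), when.hour)] += 1
    return grid

def render(grid):
    """Hour rows against weekday columns, like the activity chart on the slide."""
    rows = ["   " + " ".join(f"{d:>2}" for d in DAYS)]
    for hour in range(24):
        cells = [" *" if grid[(d, hour)] else " ." for d in range(7)]
        rows.append(f"{hour:02d} " + " ".join(cells))
    return "\n".join(rows)

def working_pattern(grid):
    """Summarise whether activity covers nights (00-05 local) and weekends."""
    hours = {h for _, h in grid}
    days = {d for d, _ in grid}
    return {"active_hours": sorted(hours), "active_days": sorted(days),
            "weekend_work": bool(days & {5, 6}), "night_work": bool(hours & set(range(6)))}
```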
  25. Retaliation by Attackers. While analyzing the data on the controllers, we were attacked by the attackers. The attacker attacked from the IP 61.178.77.18 and tried to send an MS08-067 exploit. 61.178.77.* is a notorious IP range and is attributed in many attacks against governments around the world. With some advanced googling we stumbled upon an interesting discovery: soldiers from the PLA Lanzhou camp talking about their experiences, and the above IP was there. http://tieba.baidu.com/f?ct=335544320&lm=0&rn=30&tn=postBrowserN&sc=0&z=65932096&pn=0&word=%C1%D9%D4%F3 The Lanzhou Military Region is one of seven military regions in the People's Republic of China.
  26. NetTraveler Attribution. Huge amount spent on the malware infrastructure [military funds]. 24/7 working hours [military working hours]. Low technical skills; the developers of NetTraveler were different from the maintainers [trained users, not core hackers]. IP address attribution to a PLA [People's Liberation Army] military camp. All evidence was leading to the PLA IT department, Lanzhou.
  27. The End. Not really :D
  28. Tracking the SMTP server. Fingerprint the IP address of the SMTP server from email header analysis. Identified an exploit/phishing mailer kit named Chilly Fisher. Go to step 4: identify vulnerabilities in the server hosting the exploit kit.
  29. Chilly Fisher Exploit Kit. The kit had frontend and backend code. The function of the frontend code was to send mass phishing/exploit emails to targets. The frontend code allowed attackers to mass-include target emails, subject and email content. The phishing email sent has a hyperlink with a unique callback to the backend code. The kit contained a phishing and browser exploit module.
  30. Victim Database.
  31. Chillyfisher Database. The backend database used is MS Access. All collected information is stored in this database. The Chillyfisher instance had a "Loginlog" table holding information about ChillyFisher admins who logged into the control panel.
  32. IP attribution. All the logged-in admins were from China. There were around 10,000 unique IP addresses found in the target DB.
  33. Chillyfisher Targets.
  34. Questions. info@garage4hackers.com www.Garage4Hackers.com