APT Targeting Indian Police Agencies.
My Cocon presentation. This was presented in the non-technical track, so the slides do not contain any technical details of the malware. If you need the samples mentioned in the slides, please do email me.

  1. Sandy. APT: Advanced Persistent Threat. http://exploit-analysis.com/ Static and dynamic analysis. Garage4Hackers
  2. About Me [Rahul Sasi]. I work as a researcher. One of the admins of www.Garage4Hackers.com. https://twitter.com/fb1h2s I spend my free time researching new attack vectors.
  3. Presented my research papers at
  4. APT - Attacks. Advanced Persistent Threats: any exploit or malware that specifically targets a particular organization or country in order to steal confidential information.
  5. About this Talk. With the rise in the number of targeted attacks against government and private companies, there is a clear requirement for an intelligent method of detecting these attacks. This talk is about an undetected APT attack targeting Indian police organizations, which we identified a week ago. Sandy is a free tool we have built that is capable of doing exploit analysis on DOC, RTF, XLS, PPT and JAR files and on URLs. We will also explain the implications and policy guidelines for the prevention of these attacks.
  6. APT: Who should be concerned? You need to ask yourself what you have got that other people would want: commercially sensitive information, intellectual property such as designs. What I have seen targeted is mostly government, manufacturers and financial services.
  7. My organization is small! Many attacks I have seen were attacking small companies. Most of the time it is the startup that has the innovative technology that can be used, or a small organization working for the government. We have seen smaller organizations targeted as much as larger organizations.
  8. Recent APT incident in the news. The FBI released a notice on a targeted attack on the US aviation industry. Many professionals from the aviation industry were targeted and their computers were infected, or an attempt to infect them was made, in order to steal blueprints, new airspace technology and much more.
  9. APT Steps
  10. Step 1: Establishing the backdoor. Use of various exploits. Malicious attachments sent via email to infect victims; these contained exploits targeting various applications such as Adobe Reader and Microsoft Office. Browser-based exploits, where you visit a particular web page crafted with an exploit.
  11. Document exploits. The file comes in the form of a .doc or .rtf file that has the exploit embedded. Once you open these documents you would be infected. These exploits affect any OS with Office or a PDF reader installed.
  12. What is Sandy? A tool built under the Indian Honeynet project. Sandy is an online tool (sandbox) capable of doing both static and dynamic analysis of malicious Office, PDF, JAR, Flash and HTML files. The input is a file in one of the above formats and the output is the extracted malware, controllers and URLs. In the talk I will share information on a particular sample targeting the Indian police department that we received via Sandy.
  13. Sandy Submission Interface. www.exploit-analysis.com
  14. Sandy Submission: On 2013-09-03 we received a .doc file on Sandy. The exploit email had been sent to the top executives of an IT security company. At the time of analysis only 2 of 34 antivirus engines detected it as malicious. When opened on a Windows machine, the document dropped a backdoor on the user's computer.
  15. Research on the attackers. We managed to collect 30 other exploits used by the same group over a period of 1 year and analyzed them. We tried to understand the attackers' tools and techniques, modus operandi and targets. Out of the 30 exploits, none was made on a Saturday or Sunday.
  16. Based on our research on the malware infrastructure, we were able to identify that the same group of attackers was targeting Indian police agencies. We were able to locate a new persistence malware with no AV detection, which is digitally signed and is used by this team. Except for 1 Chinese AV, no other AV company was detecting the threat. The attacks were part of a cyber-spying campaign.
  17. Modus operandi & Tools and Techniques. The attackers were mainly using phishing-based attacks via email to infect their targets. The attackers were manually verifying the infected machines and adding the new persistence malware to them: if they found an infected machine to be of high importance, they added a secondary advanced monitoring tool to that system.
  18. Targets. Targets were mainly government organizations, small private companies and contractors to the government. Most of the infected computers were those of secretaries.
  19. A map of the infections.
  20. Lessons Learned and Policy Implications. Knowing what you need to protect is the most important task. Active government and community partnership is necessary. Security awareness among employees: the human firewall. No single layer of fraud prevention or authentication is enough to stop determined attackers.
  21. Thank You. Contact me if you need malware samples: https://twitter.com/fb1h2s https://www.facebook.com/loverahulsas fb1h2s@gmail.com
