
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks

Black Hat 2013 presentation slides covering the APT analysis topic.


  1. Hunting the Shadows: In Depth Analysis of Escalated APT Attacks. Fyodor Yarochkin, Academia Sinica; Pei Kan "PK" Tsung, Academia Sinica; Ming-Chang "Jeremy" Chiu, Xecure Lab; Ming-Wei "Benson" Wu, Xecure Lab
  2. Agenda • Why Taiwan? • The “Lstudio” player… fun • Taking a peek at weaponry • APT in a cloud • Victimology or … chicken-logy?
  3. Who we are: based in Taiwan; interests in computer forensics; access to some raw network traffic data (fun!); get to fish interesting things (PROFFFIIITT!). @bensonwu [secret], @fygrave [censored]
  4. Disclaimer. A few words before we move on: with this research we are primarily interested in understanding the ops and victims of the discussed targeted attacks. We DO NOT attempt to perform any attribution of potential attackers.
  5. Taiwan has been a frontline of the APT battlefield for some time
  6. Many interesting things could be observed (though this is not the “Lstudio” group)
  7. Elirks: earlier campaign. Reported by Dell SecureWorks as Elirks: http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/
  8. Elirks evolution (blog pages used by the campaign): http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I5 http://blog.yam.com/minzhu0906/article/54726977 http://diary.blog.yam.com/bigtree20130514/article/10173342 http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50 http://blogs.yahoo.co.jp/sakasesi2013/31805794.html http://www.plurk.com/mdbmdb
  9. Elirks 2.0: silly to reuse the address space. Managed by the same IP addresses (easy to cross-correlate)
  10. Another on-going campaign
  11. On average, 48 APT emails a week!
  12. The “Lstudio” group: exploring fun things in greater detail :)
  13. They start with a boring spearphhiiissh
  14. Almost clean :)
  15. The APT landscape in Taiwan
  16. We’ll examine the “LStudio” group today • Unique indicators of the “LStudio” group: • Debug symbols (.pdb) • “horse” label and generator tag • Some curious discoveries from the “Lstudio” backend data center … ;-)
  17. LStudio binaries have cute things: CSJ-Elise, `f:\tools\code\CSJ\Elise\Release\EliseDLL.pdb` (the backslashes were lost in extraction; the path is shown here as it appears in the binary). http://scan.xecure-lab.com
  18. CSJ-Elise: `TAABAMoGvBjTVXHUHaibnwrAWfchx2x17Rf2roRBnbD/9lu13lWnlAUbBgqw+YNld2vcV5krtXoG__FXI43BxueF4FChFrk SRgNVP2WQ==` (encoded blob as shown on the slide). C2 URLs: http://140.105.135.71:443/2995ebc9/page_12180900.html http://118.163.60.73:443/2995ebc9/page_12180912.html
  19. They love fast cars
  20. Evora: FASST CARS
  21. Lstudio operations and C2
  22. “Lstudio” payload generator (diagram): Generator, Generator Owner, Horse Label, Generator-Tag; APT exploit delivery via email
  23. We don’t say “victim”: 肉雞 (chicken) = G
  24. The typical botnet model
  25. Very advanced zoo-management skills :)
  26. APT advanced farming :) • Operated by roughly 25 “farmers” • Has controlled over 5,884 machines • International coverage over 30 countries • Utilizes 4 different botnet software families • Active since 2007
  27. The “Lstudio” Chicken Cloud (diagram): APT Cloud Backend Data Center; Farmer Boss?; Farmer Group A; Farmer Group B; Command Channel (second-phase backdoor); Data Channel (first-phase backdoor); Configurable Bounce; APT Botnet A; APT Botnet B
  28. .. And who are the chickens?!
  29. International Chicken Farm Corp.
  30. Chicken farms went international (chart, 5,884 chickens): TW 84%, US 6%, 2% (label lost), KR 1%, CN 1%
  31. Share some chicken: http://www.appledaily.com.tw/ http://www.cna.com.tw KMT? KMT?
  32. When you travel, your chickens travel too…
  33. Let’s look at some travelers: US, Canada, France, England, Taiwan
  34. ANOTHER DISCOVERY!!
  35. .. do have a 9 to 5 job ;)…
  36. Just like some security researchers do
  37. AND THE LAST .. SOME HANDY TOOLS TO SHARE
  38. XecScan: free API
  39. Yara: a Swiss-army knife of static sigs ;)
  40. Yara use: easy to integrate with your scripts. Integration with a proxy server is possible via the ICAP Yara plugin: https://github.com/fygrave/c_icap_yara. Raw network traffic monitoring project (and HTTP/DNS indexing): https://github.com/fygrave/eyepkflow
  41. More cool tools: Moloch https://github.com/aol/moloch; Yara mail https://github.com/kevthehermit/yaraMail; Yara pcap https://github.com/kevthehermit/YaraPcap
  42. Conclusions: complex infrastructure; operates since 2007; multiple software versions; multiple back-ends; victims: government and private sector; mainly Taiwan but also seen world-wide
  43. Questions? benson.wu@xecure-lab.com jeremy.chiu@xecure-lab.com pk@hitcon.org f@plurk.com
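Slide 18 shows the shape of the CSJ-Elise beacon URLs (plain HTTP to a bare IP on port 443, an eight-hex-digit path segment, then `page_<digits>.html`) and slide 40 suggests wiring such indicators into your own scripts or proxy. The following is an added example, not code from the deck or from Xecure Lab: a small Python proxy-log scanner that matches that URL shape and pivots hits by internal client. The log line format (`<timestamp> <client> <method> <url> <status>`), the sample lines and the generalisation of the two slide URLs into a regular expression are all assumptions of this example; the two C2 addresses and the `2995ebc9` tag are the ones printed on slide 18.

```python
import re
from ipaddress import ip_address

# Constructed sample proxy log (not from the slides). Assumed format:
# "<timestamp> <client> <method> <url> <status>", one request per line.
SAMPLE_LOG = """\
2013-07-30T09:12:01 10.0.0.15 GET http://140.105.135.71:443/2995ebc9/page_12180900.html 200
2013-07-30T09:12:05 10.0.0.15 GET http://118.163.60.73:443/2995ebc9/page_12180912.html 200
2013-07-30T09:13:10 10.0.0.22 GET http://www.example.com/news/page_12.html 200
2013-07-30T09:14:00 10.0.0.31 GET https://intranet.example.com:443/portal/index.html 200
2013-07-30T09:15:42 10.0.0.15 POST http://140.105.135.71:443/2995ebc9/page_12180955.html 200
"""

# Beacon shape generalised from the two URLs on slide 18 (an assumption):
# cleartext http:// to a dotted-quad IP on port 443, an 8-hex-digit
# "tag" segment, then page_<digits>.html. Cleartext on 443 is itself odd
# enough to be worth a look even without the rest of the pattern.
ELISE_URL = re.compile(
    r"^http://(?P<host>\d{1,3}(?:\.\d{1,3}){3}):443/"
    r"(?P<tag>[0-9a-f]{8})/page_(?P<page>\d+)\.html$"
)


def classify_url(url):
    """Return the indicator fields if url matches the beacon shape, else None."""
    m = ELISE_URL.match(url)
    if not m:
        return None
    try:
        ip_address(m.group("host"))  # rejects octets like 999 that the regex lets through
    except ValueError:
        return None
    return {"host": m.group("host"), "tag": m.group("tag"), "page": m.group("page")}


def scan_log(text):
    """Return one hit record per log line whose URL matches the beacon shape."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the scan
        _ts, client, _method, url, _status = parts[:5]
        info = classify_url(url)
        if info:
            hits.append({"line": line_no, "client": client, **info})
    return hits


def summarize(hits):
    """Pivot hits into {client: {tag: {c2 hosts}}} so one infected host's
    full set of C2 endpoints (and any shared tag across hosts) is visible."""
    summary = {}
    for h in hits:
        summary.setdefault(h["client"], {}).setdefault(h["tag"], set()).add(h["host"])
    return summary


if __name__ == "__main__":
    for client, tags in summarize(scan_log(SAMPLE_LOG)).items():
        for tag, hosts in tags.items():
            print(f"{client}: tag {tag} -> {sorted(hosts)}")
```

The pivot in `summarize` is the useful part for response: a client that talks to both slide-18 addresses under the same tag is one victim with two C2 endpoints, and the same tag appearing on several clients suggests one campaign rather than several. Feed the same regex to the ICAP plugin from slide 40 or to a Yara rule on captured traffic if you want it inline rather than after the fact.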