Hunting The Shadows: In Depth Analysis of Escalated APT Attacks

  1. Hunting the Shadows: In Depth Analysis of Escalated APT Attacks. Fyodor Yarochkin, Academia Sinica; Pei Kan PK Tsung, Academia Sinica; Ming-Chang Jeremy Chiu, Xecure Lab; Ming-Wei Benson Wu, Xecure Lab
  2. Agenda • Why Taiwan? • The “Lstudio” player… fun  • Taking a peek at Weaponry • APT in a Cloud • Victimology or … chicken-logy?
  3. whoweare • Based in Taiwan • Interests in Computer Forensics • Access to some raw network traffic data (fun!) • Get to fish interesting things (PROFFFIIITT!) • @bensonwu [secret] • @fygrave [censored]
  4. Disclaimer. A few words before we move on. With this research we are primarily interested in understanding the Ops and victims of the discussed targeted attacks. We DO NOT attempt to perform any attribution of potential attackers.
  5. Taiwan has been a frontline of the APT battlefield for some time
  6. Many interesting things could be observed (though this is not the “Lstudio” group)
  7. Elirks: earlier campaign  Reported by Dell/Secureworks as Elirks: http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/
  8. Elirks evolution • http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I5 • http://blog.yam.com/minzhu0906/article/54726977 • http://diary.blog.yam.com/bigtree20130514/article/10173342 • http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50 • http://blogs.yahoo.co.jp/sakasesi2013/31805794.html • http://www.plurk.com/mdbmdb
  9. Elirks 2.0 – silly to reuse the address space: managed by the same IP addresses (easy to cross-correlate)
  10. Another on-going Campaign  On-going:
  11. On average, 48 APT emails a week!
  12. The “Lstudio” group: Exploring fun things in greater detail :)
  13. They start with a boring spearphhiiissh
  14. Almost clean :)
  15. The APT Landscape in Taiwan
  16. We’ll examine the “LStudio” group today • Unique indicators of the “LStudio” group: • Debug symbols (.pdb) • “horse” label and generator tag • Some curious discoveries from the “Lstudio” backend data center … ;-)
  17. LStudio binaries have cute things: CSJ-Elise, f:toolscodeCSJEliseReleaseEliseDLL.pdb (http://scan.xecure-lab.com)
  18. CSJ-Elise .. TAABAMoGvBjTVXHUHaibnwrAWfchx2x17Rf2roRBnbD/9lu13lWnlAUbBgqw+YNld2vcV5krtXoG__FXI43BxueF4FChFrk SRgNVP2WQ== • http://140.105.135.71:443/2995ebc9/page_12180900.html • http://118.163.60.73:443/2995ebc9/page_12180912.html
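Slide 18 shows two CSJ-Elise beacon URLs with the same shape: plain HTTP sent to a bare IP on port 443, an eight-hex-character directory, then page_<8 digits>.html. As an added example that is not part of the deck or its authors' tooling, the following Python hunting script scores constructed proxy log lines against that shape; the URI regex and the two-heuristics threshold are assumptions generalised from those two URLs, not a documented beacon format.

```python
import re

# Hunting heuristics derived from the two CSJ-Elise beacon URLs on slide 18.
# The URI shape (8 hex chars, then page_<8 digits>.html) is an assumption
# generalised from those two samples, not a documented beacon format.
BEACON_PATH = re.compile(r"^/[0-9a-f]{8}/page_\d{8}\.html$")
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$")
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed proxy log sample (not from the deck). Fields:
# client_ip dst_ip dst_port observed_protocol url
# Lines 1-2 reuse the two URLs shown on slide 18; lines 3-4 are benign filler
# using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
10.0.0.5 140.105.135.71 443 http http://140.105.135.71:443/2995ebc9/page_12180900.html
10.0.0.7 118.163.60.73 443 http http://118.163.60.73:443/2995ebc9/page_12180912.html
10.0.0.9 198.51.100.20 443 https https://example.com/index.html
10.0.0.9 198.51.100.21 80 http http://example.com/news/page_12180900.html
"""


def score_line(line):
    """Return the list of heuristics a single log line trips (empty if none)."""
    fields = line.split()
    if len(fields) != 5:
        return []
    _client, _dst, dport, proto, url = fields
    m = URL_RE.match(url)
    if not m:
        return []
    reasons = []
    if proto == "http" and dport == "443":
        reasons.append("plaintext HTTP carried on port 443")
    if BEACON_PATH.match(m.group("path") or ""):
        reasons.append("URI matches the slide-18 beacon path shape")
    if BARE_IP.match(m.group("host")):
        reasons.append("server addressed by bare IP, no hostname")
    return reasons


def hunt(log_text, min_hits=2):
    """Map url -> reasons for every line tripping at least min_hits heuristics."""
    hits = {}
    for line in log_text.splitlines():
        reasons = score_line(line)
        if len(reasons) >= min_hits:
            hits[line.split()[-1]] = reasons
    return hits
```

Requiring two independent heuristics keeps a single odd-looking path or a lone bare-IP download from paging an analyst on its own.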
  19. They love fast cars 
  20. Evora  FASST CARS 
  21. Lstudio Operations and C2
  22. “Lstudio” payload Generator: Generator Owner, Horse Label, Generator-Tag; APT Exploit delivery via email
  23. We don’t say victim: 肉雞 (“broiler chicken”) = G
  24. The typical botnet model
  25. Very advanced Zoo-management skills :)
  26. APT advanced farming :) • Operated by roughly 25 “farmers” • Has controlled over 5,884 machines • International coverage over 30 countries • Utilizes 4 different Botnet software families • Active since 2007
  27. The “Lstudio” Chicken Cloud  (diagram labels) APT Cloud Backend Data Center; Farmer Boss?; Farmer Group A; Farmer Group B; Command Channel (Second phase backdoor); Data Channel (First phase backdoor); Configurable Bounce; APT Botnet A; APT Botnet B
  28. .. And who are the Chicken ?! 
  29. International Chicken Farm Corp.
  30. chicken farms went international (5,884 chickens): TW 84%, US 6%, 2% (label missing), KR 1%, CN 1%
  31. Share some Chicken  http://www.appledaily.com.tw/ http://www.cna.com.tw KMT ? KMT ?
  32. When you travel, your chicken travel too… 
  33. Let’s look at some travelers  US, Canada, France, England, Taiwan
  34. ANOTHER DISCOVERY!!
  35. .. do have a 9 to 5 job ;)…
  36. Just like some security researchers do 
  37. AND THE LAST .. SOME HANDY TOOLS TO SHARE 
  38. XecScan: Free API
  39. Yara: a swiss-knife of static sigs ;)
  40. Yara use • Easy to integrate with your scripts • Integration with a proxy server is possible via the icap yara plugin: https://github.com/fygrave/c_icap_yara • Raw network traffic monitoring project (and http/DNS indexing): https://github.com/fygrave/eyepkflow
  41. More cool tools • Moloch https://github.com/aol/moloch • Yara mail https://github.com/kevthehermit/yaraMail • Yara pcap https://github.com/kevthehermit/YaraPcap
  42. Conclusions • Complex infrastructure • Operates since 2007 • Multiple software versions • Multiple back-ends • Victims – government and private sector • Mainly Taiwan but also seen world-wide
  43. Questions? benson.wu@xecure-lab.com jeremy.chiu@xecure-lab.com pk@hitcon.org f@plurk.com

Editor's Notes

  • In its overall design, the Elise will abandon the current concept: with a chassis built of aluminium alloy and body panels that also make extensive use of carbon fibre, the whole Elise weighs just 1095 kg, and under Lotus's plans the future Elise will carry a 2.0-litre four-cylinder engine producing about 320 horsepower. From the several all-new Lotus models unveiled recently we can see that the new generation of Lotus adopts a design concept derived from the "shark", and, as each model and its positioning differ, each develops a unique style of its own; on the Elise too we can see more sharp lines and an aggressive, menacing sketching technique, creating the Elise's distinctive imposing presence! http://cool3c.incar.tw/article/34399
