
Plead APT @ EECTF 2016

European Electronic Crime Task Force Plenary Meeting, Rome - 22/11/2016 (invited talk)


  1. Plead APT: Case Study. Marco Balduzzi, Ph.D. (Copyright 2016 Trend Micro Inc.)
  2. Introduction
     • Who am I?
     • The just-for-fun era is over: crime is now $$$ driven
     • Data exfiltration and espionage
     • The victim turns into a hostage
     • APTs: you all know what they are :)
  3. Plead APT
     • A Taiwanese government use case
     • Also targets other Taiwanese organizations: heavy industry (transportation and construction), technology and computer industries
     • Data exfiltration and espionage as main goals
     • Ongoing since 2012
  4. Origin of the name
     • Derived from the C&C commands that the malware issues
  5. Distribution
     • Spear phishing leads the stage (same as other APTs)
     • Social engineering, a never-ending story
     • Lure delivery: attachment → Google Drive link
     • RTLO trick
  6. Right-To-Left Override (RTLO) trick
     • Unicode's RIGHT-TO-LEFT OVERRIDE character (U+202E)
     • Designed to support languages written right to left, such as Arabic and Hebrew
     • Abused to make a malicious file name render as innocuous: the executable is displayed as CORP_INVOICE_08.14.2011_Pr.phylexe.doc
  7. Spear phishing email (screenshot)
  8. Social engineering
     • RTLO trick + decoy document
  9. Decoy document carrying the exploit (screenshot)
  10. Techniques of compromise
     • Hacking Team's leaked Flash 0-day (CVE-2015-5119)
     • The never-ending story of CVE-2012-0158 in Microsoft Word (DOC, DOCX, RTF); so well known that it is part of the Metasploit Framework: https://www.exploit-db.com/exploits/18780/
     • PowerPoint CVE-2014-6352
  11. Email attachments' file types (chart)
  12. Persistence and capabilities
     • Harvest saved browser and Outlook credentials
     • List drives, processes, files, etc.
     • Command execution
     • File upload
     • Data exfiltration, e.g. spying on the user's 'Recent' items
     • C&C communications are encrypted with RC4, layered on top of XOR encoding
  13. Going stealth
     • Use of the external exfiltration tool DRIGO
     • Leverages Google Drive for stealthy uploads and data synchronization (similar to Dropbox)
     • Gmail SMTP capabilities
     • Automated mining for documents on the victim's endpoint and network
  14. C&C dissection
     • Modern malware = network enabled and dependent
     • Remote access tool with functionalities encoded as single-letter commands: C, A, L, E, P, G, G
     • Request example (screenshot)
  15. C&C dissection
     • Response example (screenshot)
  16. C&C dissection
     • Importance of C&C resilience → DGA, fast-flux, steganography
     • C&C servers (or relays) hidden in victims' compromised routers
  17. Conclusions
     • APTs are more prevalent than commonly assumed
     • Manually conducted, hence more difficult to detect
     • A multi-layer approach is needed
     • Large-scale data analysis and ML are important
     • Importance of threat research
  18. Thanks. MARCO_BALDUZZI@TRENDMICRO.COM
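The RTLO trick from slide 6, as an added example that is not part of the talk or Trend Micro's code: the first function simulates how a file dialog lays out a name containing U+202E, and the check flags attachments that carry a bidi control character or whose displayed extension differs from the one the OS will execute. The raw file name is reconstructed from the displayed name on the slide under the assumption that the override sits after `Pr.phyl`; the `BIDI_CONTROLS` set and the `assess_attachment` helper are mine.

```python
"""Added example (not from the talk): simulate and detect the RTLO file-name trick.

Slide 6 shows the displayed name CORP_INVOICE_08.14.2011_Pr.phylexe.doc. The raw
name assumed here is 'CORP_INVOICE_08.14.2011_Pr.phyl' + U+202E + 'cod.exe':
everything after the override is laid out right to left, so the tail 'cod.exe'
is shown reversed as 'exe.doc' while the OS still sees an .exe file.
"""

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, ends an explicit override

# Unicode bidi control characters that have no business in an attachment name.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                 # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}

# Constructed sample: assumed raw form of the lure name on slide 6.
SLIDE6_REAL_NAME = "CORP_INVOICE_08.14.2011_Pr.phyl" + RLO + "cod.exe"


def rendered_name(name: str) -> str:
    """Approximate what a file manager displays.

    Simplified model: one RLO, optionally terminated by PDF, Latin text only.
    Characters under the override are shown in reverse order.
    """
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    overridden, _, rest = tail.partition(PDF)
    return head + overridden[::-1] + rest


def real_extension(name: str) -> str:
    """Extension the OS actually uses: the text after the last '.' in the raw name."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def bidi_controls_in(name: str) -> list:
    """Code points of every bidi control character present, e.g. ['U+202E']."""
    return [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]


def assess_attachment(name: str) -> dict:
    """Mail-gateway style verdict: any bidi control, or a mismatch between the
    extension the user sees and the one that will run, marks the file suspicious."""
    shown = rendered_name(name)
    shown_ext = real_extension(shown)   # what the user believes they open
    actual_ext = real_extension(name)   # what the OS will execute
    controls = bidi_controls_in(name)
    return {
        "displayed_as": shown,
        "displayed_ext": shown_ext,
        "actual_ext": actual_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or shown_ext != actual_ext,
    }


if __name__ == "__main__":
    for n in (SLIDE6_REAL_NAME, "quarterly_report.docx"):
        print(assess_attachment(n))
```

The rendering model is deliberately minimal (one override, Latin text); real bidi layout is richer, which is why the check keys on the presence of any control character rather than on the simulated display alone.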

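Slides 12 and 14 state that Plead's C&C traffic is RC4-encrypted on top of an XOR layer and that commands are single letters. The following is an added example, not the malware's code and not Trend Micro's: an RC4 implementation and a repeating-key XOR layer combined the way an analyst rebuilds them to decode a captured message, plus a function showing why static keys on both layers are a weakness. The key bytes, the XOR constant, the layer order (XOR applied last, so removed first) and the message layout (command letter followed by its argument) are assumptions; the talk gives none of them.

```python
"""Added example (not from the talk): decode a C&C message wrapped in RC4 on top of XOR.

Assumptions, none of which come from the talk: the sender computes
    blob = XOR(RC4(rc4_key, plaintext), xor_key)
so the receiver strips the XOR layer first and RC4 second; a plaintext starts with
a one-letter command (slide 14 lists C, A, L, E, P, G) followed by its argument;
the demo keys below are invented.
"""
from typing import Iterator

DEMO_RC4_KEY = b"demo-rc4-key"     # assumed, not a real Plead key
DEMO_XOR_KEY = b"\x5a"             # assumed single-byte XOR constant
COMMAND_LETTERS = set("CALEPG")    # command letters named on slide 14


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling algorithm followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_layer(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap(plaintext: bytes, rc4_key: bytes = DEMO_RC4_KEY,
         xor_key: bytes = DEMO_XOR_KEY) -> bytes:
    """Sender side under the assumed layer order: RC4 first, XOR on top."""
    return xor_layer(rc4(rc4_key, plaintext), xor_key)


def unwrap(blob: bytes, rc4_key: bytes = DEMO_RC4_KEY,
           xor_key: bytes = DEMO_XOR_KEY) -> bytes:
    """Receiver/analyst side: peel the XOR layer, then RC4."""
    return rc4(rc4_key, xor_layer(blob, xor_key))


def parse_command(plaintext: bytes) -> tuple:
    """Split a decoded message into (command letter, argument bytes)."""
    op = chr(plaintext[0]) if plaintext else ""
    if op not in COMMAND_LETTERS:
        raise ValueError(f"unknown command byte {plaintext[:1]!r}")
    return op, plaintext[1:]


def plaintext_xor_from_two_captures(blob1: bytes, blob2: bytes) -> bytes:
    """Why static keys matter: both layers are XORs with key material that does not
    change between messages, so blob1 ^ blob2 == plaintext1 ^ plaintext2 (over the
    common prefix). Knowing or guessing one message, e.g. its command byte, recovers
    the other without either key."""
    return bytes(a ^ b for a, b in zip(blob1, blob2))


if __name__ == "__main__":
    # Constructed sample message: command 'L' with a path argument.
    msg = b"L" + b"C:\\Users\\victim"
    captured = wrap(msg)
    print(captured.hex())
    print(parse_command(unwrap(captured)))
```

The keystream-reuse function is the practitioner's takeaway: if the RC4 key and the XOR constant are hard-coded in the sample, every pair of captured messages leaks the XOR of their plaintexts, and a known first byte (the command letter) gives a foothold into the rest.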