This document discusses the Plead APT, which has targeted Taiwanese government and industry organizations since 2012 through spear phishing emails containing malicious attachments or links. The attacks utilized exploits like Flash zero-days and Microsoft Word vulnerabilities to compromise victims and establish persistence through credential harvesting and command execution. Stolen data was exfiltrated using tools like DRIGO to synchronize with Google Drive in a stealthy manner. The attacks demonstrate the multi-stage nature of advanced threats and importance of threat intelligence and defense-in-depth protections against sophisticated adversaries.

1. Plead APT: Case Study
Marco Balduzzi, Ph.D.

2. Copyright 2016 Trend Micro Inc.2
Introduction
 Who am I?
 Just-for-fun area is over
 $$$ driven crime
 Data exfiltration, espionage
 Victim turns into a hostage
 APTs, you all know what they are :)

3. Copyright 2016 Trend Micro Inc.3
Plead APT
 A Taiwanese government use case
 Also target other Taiwanese organizations
 Heavy industry (transportation and construction)
 Technology and computer industries
 Data ex-filtration and espionage as main goals
 Ongoing since 2012

4. Copyright 2016 Trend Micro Inc.4
Origin of name
 C&C commands that the malware issues

5. Copyright 2016 Trend Micro Inc.5
Distribution
 Spear phishing leads the stage (same as other APTs)
 Social-engineering, a never ending story
 Attachment → Google Drive link
 RTLO Trick

6. Copyright 2016 Trend Micro Inc.6
Right-To-Left-Orientation Trick
 UNICODE's Right To Left Override character (U+202e)
 Designed to support languages that are written right to left,
such as Arabic and Hebrew
 Abused for rendering a malicious file as innocuous
 CORP_INVOICE_08.14.2011_Pr.phylexe.doc

7. Copyright 2016 Trend Micro Inc.7
Spear phishing email

8. Copyright 2016 Trend Micro Inc.8
Social Engineering
 RTLO trick + Decoy document

9. Copyright 2016 Trend Micro Inc.9
Decoy Document carrying Exploit

10. Copyright 2016 Trend Micro Inc.10
Techniques of compromise
 HackingTeam's leaked Flash 0-day (CVE-2015-5119)
 The never ending story of CVE-2012-0158
 Microsoft Word (DOC, DOCX, RTF)
 So well-known to be part of the Metasploit Framework:
https://www.exploit-db.com/exploits/18780/
 PowerPoint CVE-2014-6352

11. Copyright 2016 Trend Micro Inc.11
Email attachments’ file type

12. Copyright 2016 Trend Micro Inc.12
Persistence and Capabilities
 Harvest saved browser credentials and Outlook
 List drives, processes, files, etc…
 Command execution
 File upload
 Data exfiltration, e.g. spying over 'recent'
 RC4 is used as data encryption support in C&C communications
 On top of XOR

13. Copyright 2016 Trend Micro Inc.13
Going stealth
 Use of external exfiltration tool DRIGO
 Leverages Google Drive for stealth uploads and data
synchronization (similar to Dropbox)
 Gmail SMTP capabilities
 Automated mining for documents on victim's endpoint and
network

14. Copyright 2016 Trend Micro Inc.14
C&C dissection
 Modern malware = network enabled and dependent
 Remote access control tool with functionalities encoded as
C,A,L,E,P,G,G
 Request example:

15. Copyright 2016 Trend Micro Inc.15
C&C dissection
 Response example:

16. Copyright 2016 Trend Micro Inc.16
C&C dissection
 Importance of C&C → DGA, fastflux,
steganography
 C&C (or relays) hidden in victim's compromised
routers

17. Copyright 2016 Trend Micro Inc.17
Conclusions
• APTs are more prevalent than common sense
• Manually conducted, more difficult to detect
• Multi-layer approach needed
• Large-scale data analysis and ML important
• Importance of threat research

18. Copyright 2016 Trend Micro Inc.18
Thanks
MARCO_BALDUZZI@TRENDMICRO.COM