Blackhat 2013 presentation slides covering the APT analysis topic.
Hunting the Shadows: In Depth Analysis of Escalated APT Attacks
Fyodor Yarochkin, Academia Sinica
Pei Kan PK Tsung, Academia Sinica
Ming-Chang Jeremy Chiu, Xecure Lab
Ming-Wei Benson Wu, Xecure Lab
Agenda
• Why Taiwan?
• The “Lstudio” player… fun
• Taking a peek at Weaponry
• APT in a Cloud
• Victimology or … chicken-logy?
Who we are
Based in Taiwan
Interests in Computer Forensics
Access to some raw network traffic data (fun!)
Get to fish interesting things (PROFFFIIITT!)
@bensonwu [secret] @fygrave [censored]
Disclaimer
A few words before we move on.
- With this research we are primarily interested in understanding the Ops and victims of the discussed targeted attacks. We DO NOT attempt to perform any attribution of potential attackers.
Taiwan has been a frontline of the APT battlefield for some time
BACK IN 2003…
Many interesting things could be observed (though this is not “Lstudio” group)
Elirks: earlier campaign
Reported by Dell/SecureWorks as Elirks
http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/
Elirks evolution
http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I5
http://blog.yam.com/minzhu0906/article/54726977
http://diary.blog.yam.com/bigtree20130514/article/10173342
http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50-
http://blogs.yahoo.co.jp/sakasesi2013/31805794.html
http://www.plurk.com/mdbmdb
Elirks 2.0 – silly to reuse the address-space
Managed by the same IP addresses (easy to cross-correlate)
Another on-going Campaign
On-going:
On average, 48 APT emails a week!
The “Lstudio” group:
Exploring fun things in greater detail :)
They start with a boring spearphhiiissh
Almost clean :)
The APT Landscape in Taiwan
We’ll examine the “LStudio” group today
• Unique indicators of the “LStudio” group:
  • Debug symbols (.pdb)
  • “horse” label and generator tag
• Some curious discoveries from the “Lstudio” backend data center … ;-)
LStudio binaries have cute things
CSJ-Elise
f:\tools\code\CSJ\Elise\Release\EliseDLL.pdb
http://scan.xecure-lab.com
CSJ-Elise ..
TAABAMoGvBjTVXHUHaibnwrAWfchx2x17Rf2roRBnbD/9lu13lWnlAUbBgqw+YNld2vcV5krtXoG__FXI43BxueF4FChFrkSRgNVP2WQ==
http://140.105.135.71:443/2995ebc9/page_12180900.html
http://118.163.60.73:443/2995ebc9/page_12180912.html
They love fast cars
Evora
FASST CARS
Lstudio Operations and C2
“Lstudio” payload Generator
[Diagram labels: Generator, Owner, Horse Label, Generator-Tag]
APT Exploit delivery via email
We don’t say “victim”: 肉雞 (“broiler chicken”, i.e. a compromised host) = G
The typical botnet model
Very advanced Zoo-management skills :)
APT advanced farming :)
Operated by roughly 25 “farmers”
Has controlled over 5,884 machines
International coverage over 30 countries
Utilizes 4 different botnet software families
Active since 2007
The “Lstudio” Chicken Cloud
[Diagram labels: APT Cloud Backend Data Center; Farmer Boss?; Farmer Group A; Farmer Group B; Command Channel (second phase backdoor); Data Channel (first phase backdoor); Configurable Bounce; APT Botnet A; APT Botnet B]
.. And who are the Chicken ?!
International Chicken Farm Corp.
Chicken farms went international (5,884 chickens)
[Pie chart: TW 84%, US 6%, KR 1%, CN 1%, 2% (unlabelled slice)]
Share some Chicken
http://www.appledaily.com.tw/
http://www.cna.com.tw
[Figure labels: KMT ?]
When you travel, your chicken travel too…
Let’s look at some travelers
US
Canada
France
England
Taiwan
ANOTHER DISCOVERY!!
.. do have a 9 to 5 job ;)…
Just like some security researchers do
AND THE LAST .. SOME HANDY TOOLS TO SHARE
XecScan: Free API
Yara: a swiss-knife of static sigs ;)
Yara use
Easy to integrate with your scripts
Integration with a proxy server is possible via the ICAP Yara plugin: https://github.com/fygrave/c_icap_yara
Raw network traffic monitoring project (and HTTP/DNS indexing): https://github.com/fygrave/eyepkflow
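An added example, not part of the slides: a YARA rule that turns the two file-level indicators the deck gives for the “LStudio” CSJ-Elise payload (the leftover PDB debug path and the `/2995ebc9/page_` path fragment shared by both C2 URLs) into the kind of static signature the Yara slides describe. The rule name and metadata are this example's own; the two indicator strings are copied from the slides.

```yara
// Added example: static signature for the "LStudio" CSJ-Elise payload.
// Rule name and metadata are assumptions of this example; the PDB path and
// the URL path fragment are the indicators shown on the slides.
rule LStudio_CSJ_Elise_indicators
{
    meta:
        description = "CSJ-Elise DLL: PDB debug path and C2 URL path fragment (BH2013 Hunting the Shadows)"
        reference   = "http://scan.xecure-lab.com"

    strings:
        // Debug symbol path left in the release build (slide: LStudio binaries have cute things).
        // Backslashes are escaped for YARA's text-string syntax.
        $pdb = "f:\\tools\\code\\CSJ\\Elise\\Release\\EliseDLL.pdb" ascii nocase

        // Path fragment common to both beacon URLs on the CSJ-Elise slide;
        // 'wide' also catches it if the sample stores the URL as UTF-16.
        $c2_path = "/2995ebc9/page_" ascii wide

    condition:
        // Only fire on PE files (MZ header), and require either indicator.
        uint16(0) == 0x5A4D and ($pdb or $c2_path)
}
```

Run it over a sample directory with `yara -r` (recursive) pointing at the rule file, or load the same rule into the c_icap_yara plugin the deck mentions so that files passing through the proxy are checked against it. Keeping the PDB string `nocase` matters because the drive letter and path casing vary between builds while the project layout does not.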
More cool tools
Moloch https://github.com/aol/moloch
Yara mail https://github.com/kevthehermit/yaraMail
Yara pcap https://github.com/kevthehermit/YaraPcap
Conclusions
Complex infrastructure
Operates since 2007
Multiple software versions
Multiple back-ends
Victims – government and private sector
Mainly Taiwan but also seen world-wide