From stealing confidential data to revenue-generating attacks

From stealing confidential data to
revenue-generating attacks
CHA Minseok (Jacky Cha, 車珉錫)
Senior Principal Malware Researcher
AhnLab | ASEC | Analysis Research Team
SECUINSIDE (July 14, 2018)
Activities of Andariel Group in 2014-2018

© AhnLab, Inc. All rights reserved. 2
Before the start
• I don’t believethat any system istotallysecure!
- byMatthewBroderick
* Source:WarGames(1983)

Contents
01
02
03
04
05
06
07
Andariel Group
Infection Vectors
Activities in 2014 – 2015
Activities in 2015 - 2018
Malwares & Tools
Relation
Conclusion

© AhnLab, Inc. All rights reserved.
Activity groups in South Korea
2007 2013 2014 2015 2016 2017
Icefog
Andariel / Labyrinth Chollima (Rifdoor, Ghostrat, Phandoor, Andarat)
Dllbot Xwdoor
OP Black Mine
(Bmdoor)
2011
OP Bitter Biscuit (Bisonal, Dexbia)
RedEyes/APT37/Reap
er/Group 123//Ricochet
Chollima
2018
Kimsuky
2012
Plugx (Korplug)
Xxmm
Lazarus
Operation
ProgasByMe
Hidden Cobra / Silent Chollima (Escad, Loader)
OP Red Dot (Redobot, Escad)
2019

Andariel Group
• AndarielGroup
-Presumedtobeanotherspin-offofLazarus
-MND(2008),DarkSeoul(2013),OperationBlackMine(2014-2015)
-OperationGhostRifle==OperationAnonymousPhantom==OperationGoldenAxe==CampaignRifle
-Targets:DefenseIndustry,CybersecurityCompanies,PoliticalInstitutions,MND(MinistryofNationalDefense),Finance
Sector,EnergyResearchInstitution,TravelAgency,ICT,CryptocurrencyExchange
-InfectionVector:SpearPhishing,WateringHole(Active-Xvulnerability),ITManagementSystemVulnerability,Supply
ChainAttack
-especially familiar with the vulnerabilities of South Korea’s ActiveX and the vulnerabilities on IT
management systems
-Malware:Andarat,Andaratm,Bmdoor,GhostRat,Rifdoor,Phandoor(packedwithUPX,Themida,VMProtect)
-AhnLabpublishedthewhitepaper inJuly,2017andMay,2018.
-FSI(FinancialSecurityInstitute) publishedthewhitepaperinJuly,2017
-ThisgroupisoneofthemostactivegroupsinSouthKorea!

Andariel Group
• Famous incidents
-
* Source:https://www.ibtimes.co.uk/suspects-arrested-south-korea-atm-hacking-probe-aided-by-north-korean-1638293&
https://edition.cnn.com/2017/10/10/politics/north-korea-hackers-us-south-korea-war-plan/index.html

Timeline
2008 2009 2013 2014 2015 2016
3.20Cyber
attack
(DarkSeoul)
&
6.25Cyber
Attack
2017
SeoulADEX
Attendees
Major
companies
MND
(Ministry
of
National
Defense)
ATM
Financial
Sector
Travel
Agency
Energy
Research
Institute
OperationBlackMine(Bmdoor)
OperationGhost Rifle(Rifdoor)
Xwdoor
2012
3.20Cyber-attack
(Gatheringinformation)
OperationAnonymousPhantom(Phandoor)
Security
Firm
Defense
Firms
ActiveX
Vulnerabilities
Attack
Dllbot
Korean
Government
2018
ERP
Update
Cryptocurrency
ExchangeUsers
FakeInstaller
Remote
Support
Update
Payment
Software
OperationGhostRAT
OperationRed Gambler
Politics
Institute

Infection Vectors
Watering hole
(ActiveX)
Email (Spear Phishing)
Update
IT
Management
system
C2
Vulnerability
Attack
Update
Server Supply Chain / IT Maintenance Services
Listening Port
Web
Server
Send file transfer
commands
Listening Port
Port Scanning
Vulnerability Attacks

Infection Vectors

Spear Phishing - Macro
• Macro Downloader(2015)
- AttackagainstSeoulADEX2015ParticipantsMacroDownloader
-> Seoul ADEX Result & visitors list
-> disguising as Headquarters of Seoul ADEX
-> Enable Macro

Spear Phishing - Macro
• Macro Downloader(2017)
- Disguisedasdiplomaticdocuments->intendedtoactivatetheMacrobyshowingblurredtext

ActiveX Vulnerabilities
• ActiveX vulnerabilities(2017)
-CheckvulnerableActiveX

IT Management System

IT Management System Vulnerabilities
• ITManagementProductAexploit(2015-2016)
- V3PScan.exefiledistributedthroughITManagementSystem

• ITManagementProductB exploit(2016-2017)
- TargetIP,DownloadURL,Path
-ProductBfiletransfer(Port7224)

• AntivirusManagementExploit(2016)
- AccessedinternalsystemsofthemilitaryandATMservicesetc.
-Command:SendFile,GetFile,Scan,Update,Run,Restart,ServerUpdate

Supply Chain

03
Activities in 2014 – 2015

2014 - Operation Black Mine
Operation
Black Mine
Energy Transportation
Financial Policital
IT Broadcast

• TargetedAttack
-

• Operation BlackMine
-
* Source:http://www.ahnlab.com/kr/site/securityinfo/newsletter/magazine.do?letterNo=201511

2015 - Attack against SeoulADEX 2015 Participants
• Defensecompaniessufferfrom hacking attacks
- SeoulADEX(Seoul International Aerospace and Defense Exhibition)
*Source:http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html

• AttackagainstSeoulADEX2015Participants(1)
- MacroDownloader
-> Seoul ADEX Result & visitors list
-> disguising as Headquarters of Seoul ADEX

• AttackagainstSeoulADEX2015Participants(1)
-Rifdoordownloaded

2016 - Security Breach of Major Companies
• Malware distributedthrough vulnerable ITmanagementsystem vulnerability
-Hackedintomorethan140,000computersat160SouthKoreancompaniesandgovernmentagencies
-42,608documentswerereportedtohavebeenleaked
-Attackbeganin2014andwasdetectedinFebruary2016
*Source:http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE

2017.1 – Viewing other player’s game in gambling
• Spying other player’s screen in online gambling (2016-2017)
-FirstfoundinOctober2016
-Modifiedautilityinstallerbyhackingintoalegitimatewebsiteandreplacingitwithamaliciousfile

2017.1 – Viewing other player’s game in gambling
•Viewing other player’s game in gambling
-
-Baduki(바둑이,Badugi)=The type of card game assumed to have originated in Korea
--> Poker games
in Korean

2017.3 - ATM Hacking
• ATM Hacking
- 230,000credit cardsin totalwere leaked (September2016 ~ February 2017)
-IllegalwithdrawalsthroughATMsinChina,ThailandandTaiwan
-4suspectsarrested→obtainedtheprivatefinancialdatafromamiddlemanwhoclaimedhegottheinformationfroma
NorthKorean
-MalwareusedinthisattackwasverysimilartothemalwareusedintheKoreanMNDhacking
* Source:http://english.yonhapnews.co.kr/news/2017/09/06/0200000000AEN20170906007600315.html&http://www.itworld.co.kr/news/106281

2017.5 – Financial Sector
• Phandoor(DeployedMay 24, 2017)
-DistributionviaFinancialWorkers'UnionWebsite
-DeliveredaPhandoorvariant
-removed‘anonymous?’string

• Andarat
-DeployviatheFinancialWorkersUnionhomepage
-Eachtimeafileisrun,thehashvaluechangesbyaddingameaninglessvaluetotheendofthefile

• Attack using word macros
- GetMacroactivationbyshowingthecontentsofdocumentsdimly->DownloadandcreateV3UI.

2017.10 & 12 – Travel Agency Breaches
• South Korea’sLargestTravelAgencyHacked
-AttackerusedReport Product A and IT Management B vulnerability
-User’spersonalinformationwasleaked.
* Source:https://coinjournal.net/south-koreas-largest-travel-agency-breached-hacker-demands-bitcoin-payment/&

2017.10 & 12 – Travel Agency Breaches
• Diagram
-Databreach
*Source:PressRelease_180207_Ha**Tour-Duetopersonalinformationleakageaccident-Administrativedisposition-Resolution_final-1.hwp

2017.12 – ERP ProductA
• ERPProductAUpdatefilereplacement(2017)
-UpdateFilevsMaliciousFile
- Addedmalwaredownloadaddress->modifiesupdatefile?orthebuildprocess?

2017.12 – RemoteAccess ProductA
• Targeted CryptocurrencyExchangeUsers
- CryptocurrencyExchangehacking softwareused for remote control
- Onlyfilesdownloadedthrough the Cryptocurrency Exchangehomepageinclude maliciouscode
- Attackoccurred inlate 2017and early2018
Remote Access

2018.2 – Disguised as NationalAssembly
• Phishingemaildisguisingas NationalAssembly
-Disguisedasparliamentarydataoncryptocurrency.
* Source:http://english.yonhapnews.co.kr/search1/2603000000.html?cid=AEN20180201010700315&http://blog.alyac.co.kr/1527

Malwares

Dropper - Bmdoor
• Bmdoor
- disguisedaslegitprogram
Encrypted
Data
Legit
Program
BM + Loader #2
Loader #1 JMP

Dropper - Bmdoor
• Checkthe analysisenvironment
- CheckVmware,VirtualBox
- ChecksystemnameandCheckfilename(SANDBOX,VIRUS,MALWARE)

Dropper - Bmdoor
• Insidethe Bmdoor
-

Bakcdoor – GhostRat
• customizedGh0st RAT
- Sourcecodereleased

Backdoor - Rifdoor
• Rifdoor(Rifle+ Bakcdoor)== Operation Ghost Rifle(2015)
-Backdoor(90KB)
-PDB:contain‘rifle’
-Addsrandomdata

Backdoor - Phandoor
• Phandoor(2016-2017)
-OriginalfilenamewasPhantom.exe→Phantom.exe+Backdoor=Phandoor
-S^& Anonymous?
-variantsfoundin2017,‘Anonymous?’ wasremoved

Backdoor - Andaratm
• Andaratm(2016-2018)
-18>variants
-MND(2016)->ATM,FinancialSector(2017)->CryptocurrencyExchangeUsers(2018)
- 2017versionvs2018version

Tools
• GhostRat ManagementKorean Edition
- Koreanbutstrange
Strings (문자렬 -> 문자열)
??? (maybe System Notification)
팁 Tip ???
(typo 암 -> 안)
System Setting (체계설정 -> 설정)
Secret (비밀 -> 암호 Password)User

Tools - Zcon
• Zcon.exe (2015-2017)
-Filename:pcon.exe,portc.exe,ZCON.exe
-toolforcheckingIPandport
-BmdoordropZcon.exein2015

Tools - Wiper
• Wiper
-WhetherWiperisusedinrealattackisnotidentified

Macro
• Macro Comparison
-SeoulADEXattendees(2015)vsFinanceSector(2017)

Script
• Script from Explioit
-Downloader->missingbytes(MZ)recovery
-2017
-2018

Script
• Script
-First5bytesdownloadremoved (MZ...)→First5bytesarerecovered (MZ...)

Backdoor - Phandoor
• Mystery ‘S^’
-‘S^’foundintheXwdoor(2012)&Phandoor(2016-2017)

Comparison of Encryption Codes
• SimilarEncryptionCodes
-
2016.04
defense companies
2016.08
MND 1
2016.08
MND 2
2016.11
Gambling Player
2017.03
ATM

Backdoor - Phandoor
• SimilarEncodingCodes
- Rifdoorvs.Phandoor

Comparison of Attacks

Wrap up
• AndarielGroup
-LazarusSub-GroupinSouthKorea
-This group is one of the most active groups in South Korea.
- RelatedtoNationalIntelligenceServiceattacksin2008,DarkSeoulin2013,andOperationBlackMinein2014
-Target:defenseindustry,politicalorganization,securitycompany,military,gamblinggameuser,ATM,finance,travel
agency,ICT,virtualcurrencyexchange,etc. (Confidential ->expandingtofinancialbenefits)
-Attackmethod:SpearPhishingusingMSOfficeincludingMacro,WateringHole(KoreanActiveXvulnerability,IT
ManagementSystemandSupplyChainAttack)
-TheattackeriswellawareofSouthKorea
-BackdoorusesPackersuchasUPX,ThemidaandVMProtect.
-Additionaltoolsweredisclosedduetoauthor’sOpSecfailure
-Thisgroupisstillactivein2018!

Current Problems
• Not reallya fair fight
* source:http://www.jklossner.com/kopkf22ta931lmnlmaj3h48vplhotb

Current Problems
•
* source:http://www.security-marathon.be/?p=1786

Q&A
email : minseok.cha@ahnlab.com / mstoned7@gmail.com
@mstoned7 / @xcoolcat7
https://www.facebook.com/xcoolcat7, http://xcoolcat7.tistory.com

Reference
• 안랩, ‘검은 광산 작전’의 비밀을 ‘캐내다’
(http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=&menu_
dist=1&seq=24229)
• 지속적인 방위산업체 공격 시도, 왜?
(http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&seq
=26565)
• 금융보안원 인텔리전스보고서_국내를 타깃으로 하는 위협그룹 프로파일링
(http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do)
• TargetedAttackson MajorIndustry Sectorsin SouthKorea (CHAMinseok,AVAR2017)
• 표적형 공격? 중앙 관리 소프트웨어를 수비하라
(http://image.ahnlab.com/file_upload/asecissue_files/ASEC_REPORT_vol.89.pdf)
• 유명 기업 보안 시스템을 연달아 뚫다, 대범한 해킹조직의 공격 -1편
(http://blog.skinfosec.com/221234553836)
• 유명 기업 보안 시스템을 연달아 뚫다, 대범한 해킹조직의 공격 -2편-
(http://blog.skinfosec.com/221234742268)
• 하나투어 개인정보유출...수탁업체서 시작 (https://blog.naver.com/secustory/221213258234)

From stealing confidential data to revenue-generating attacks

From stealing confidential data to revenue-generating attacks

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie From stealing confidential data to revenue-generating attacks

Ähnlich wie From stealing confidential data to revenue-generating attacks (20)

Mehr von Minseok(Jacky) Cha

Mehr von Minseok(Jacky) Cha (16)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

From stealing confidential data to revenue-generating attacks