Targeted attacks on major industry sectores in south korea 20170927 cha minseok_iscr 2017

TargetedAttacks on
Major Industry Sectors in South Korea
CHA Minseok (Jacky)
Senior Principal Malware Researcher
AhnLab | ASEC | Analysis Team
ISCR 2017 (August 31, 2017)

© AhnLab, Inc. All rights reserved. 2
AhnLab

Contents
01
02
03
04
05
06
07
Attacks on Defense Industry in South Korea
Method of Attack
Operation Red Dot
Operation Ghost Rifle
Operation Anonymous Phantom
Who Is Behind The Attacks?
Conclusion

01
Attacks on Defense Industry
in South Korea

© AhnLab, Inc. All rights reserved.
Timeline
EMC RSA,
LockheedMartin
Hacking
2011 2012 2013 2014 2015 2016
Japanesearms
companyattacked
Operation
Shady
Sykipot Group
TheIcefogAPT
reportreleased
Operation
Anonymous Phantom
(Phandoor)
2017
Operation
GhostRifle
(Rifdoor)
SeoulADEX
Attendees
attacked
TheNitro
Attacks
Operation
Red Dot
(Escad)
Security breachof
majorcompaniesin
SouthKorea

The Icefog APT (2013)
Icefog
 Period:From2011to2013
 Maintargets:GovernmentorganizationsandDefenseindustryin
SouthKoreaandJapan
 Targetsystems:WindowsandMacOSsystems
 Targetapplicationsandvulnerabilities
-MicrosoftOffice(CVE-2012-1856,CVE-2012-0158)
-Java (CVE-2013-0422,CVE-2012-1723)
-HLP
-ProbablyHancomHangul–alocalwordprocessorinSouthKorea
(But,therelevantfile(.hwp)wasnotfound.)
*Source:https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf

• Icefog-NG
-LatestIcefog
-PDB:‘e:jd4myServer(RegRun)releasejd4(reg).pdb’
PDB
d:jdjd(RegRun)releasejd3(reg).pdb
e:jd4myServer(RegRun)releasejd4(reg).pdb
x:jd(RegRun)releasejd3(reg).pdb

• Commands
-
Command Function
SC Execute command prompt (cmd.exe)
UP Upload files
LD Download files
SL sleep

• Icefog-NG C2
-npro+ttct+.com=nprottct.com →Thereisawebsite'nprotect.com'inSouthKorea.

• C2
- SimilartowebsitesinSouthKorea
C2
fruitloop.8.100911.com/news/upload.aspx
minihouse.website.iiswan.com/update/upload.aspx
www.kreamnnd.com (www.mnd.go.kr ?)
www.nprottct.com (www.nprotect.com ? -> Security vendor)
www.boanews.net (www.boannews.com ? -> Security News)
starwings.net
www.hauurri.com (www.hauri.co.kr ? -> Security vendor)
esdlin.com/news/upload.aspx
www.mnndsc.com/news/upload.aspx

Attack against SeoulADEX 2015 Attendees (2015)
• Defensefirms sufferhackingattacks
*Source:http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html

Security Breach of Major Companies (2016)
• Malware infiltratedviaa vulnerableasset managementsystem
- 42,608documentswerereportedtohavebeenleaked
*Source:http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE

Method of Attack
•
Watering hole
(ActiveX)
Email
Update
Management system

Operation Red Dot (OP006)
 Period:Fromearly2014toFebruary2017
 Maintargets:DefenseIndustry,politicalinstitutions,majorcompanies,HostingServices ...
 Remark:Thishackinggroupispossibly involvedwiththesecuritybreachofSonyPictures
 Relevantfiles:AdobeArm.exe,msnconf.exe…

• Relation
-
* Source:https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf &
https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/

Security Breach of Sony Pictures (2014)
SonyPicturesHack
- ErasedSony’scomputerinfrastructure
- Leakedareleaseofconfidentialdata
* Source:http://imgur.com/qXNgFVz&Source:https://gist.github.com/anonymous/7b9a0a0ac94065ccfc5b

•News reported,
“There isa possibilitythat thishackinggroupcouldbeconnectedwithSonyPictureshackinggroup”(October2015)
*Source:http://www.boannews.com/media/view.asp?idx=48598&kind=0 &http://www.etnews.com/20151007000172

• ADEX2015Attendees (1)
- HWPVulnerability

• Malware SampleComparison
- SonyPictureshackingvs.attackinSouthKorea

Escad Type A analysis
• TypeA(SonyPictureshacking)

Escad Type B analysis
• Type B
XOR 0x89

Red Dot Relation
• Relation
Sony Pictures 2014.11
(Type A)
2015.9
(Type A & B)
Hwpx vulnerability
(CVE-2015-6585)
Political
Institution
2015.5
(Type C)
Defense Firm
2015.4
(Type B)
Websites against
North Korea
2014 ~ 2015
(Type A & B)

Timeline
2014 2016 20172015
Sony Pictures
Hacking
Loader(1)
Loader(2)
Backdoor(2)
Backdoor
(1)B
Escad
Loader(1)x64
Loader(2)–
Resource
Loader(1)
Backdoor (1)A
Web
Hosting
Service
SeoulADEX
AttendeesPolitics

04
Operation Ghost Rifle (OP017)

 Period:Fromearly2014toFebruary2017(stillactive?)
 Targets:DefenseIndustry,SecurityCompanies,PoliticalInstitutions
 Targetapplications:MSOfficeMacro,hackedManagementSystem,Active-X
-Rifdoorpdb
- Backdoor, Wiper

• ADEX2015Attendees(2)
-MicrosoftOfficeMacro

• ADEX2015Attendees (2)
- DownloadRifdoor

Security Breach of Security Vendor (2016)
• Asecurityvendorin SouthKorea has beenhacked
*Source:http://www.etnews.com/20160218000217

• Malware infiltratedviaa vulnerableasset managementsystem
- 42,608documentswerereportedtohavebeenleaked
*Source:http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE

Attacker
Insider
Update Server of
Asset Management System
Major companies and
arms companies
C2 and
storage server
for leaked data
Ghostrat
Vendor
V3PScan.exe was distributed by
Hacked Asset Management
System

Malware
•+ Wiper
icon
Attack Route
− Active-X
− Management System
Stealer Tool
− Backdoor (Aryan, Ghostrat,
Rifdoor, Xtream)
− Keylogger
− Privilege Escalation
− OSQL
− Putty Link
− Proxy Server
− Port Scanner, etc

Malware - Backdoor
• Rifdoor
- Backdoor(90KB)
-Addsrandomdata
-PDB

Malware - Backdoor
• customizedGh0st RAT
- Sourcecodereleased

Malware - Wiper
• Wiper
-

05
Operation Anonymous Phantom (OP018)

OperationAnonymous Phantom (OP018)
Phandoor(OP018)
 Filename:Phantom.exe
-f_lps.exe,ahnV3.exe,12teimong12.exe,Tiemong.exe,v3scan.exe,otuser.exe,v3log.exe
-mysteryS^
 Remark:ThishackinggroupispossiblyconnectedwithOperationGhostRifle

• Feature
- S^!?

• Decoder/Encoder
-

• Backdoor
-

Relation
2007 2013 2014 2015 2016 2017
Icefog
OP Red Dot (Escad)
OP Ghost Rifle (Rifdoor)
OP Anonymous Phantom
(Phandoor)
Dllbot Xwdoor
OP Black Mine
(Bmdoor)
2011
OP Red Dot (Loader)
New
Phandoor(?)

Relation
• Suspicious‘S^’
- Found‘S^’intheXwdoor(2012),Phandoor(2016)

Relation
• EncodingCode
- Rifdoorvs.Phandoor

Korean?!
• Ghostrat KoreanEdition
- KoreanwordswhicharenotusedinSouthKorea

Korean?!
• Korean?!
-C:UsersKGHDownloads(DONE)TROYS(DONE)(done)1charelease(done)(done)1cha(dll)Installer-dll-service-
win32ReleaseInstallBD.pdb
-KGH-commonKoreannameinitials(?)
-1cha-'cha'hasthesamepronunciationofKoreanordinalnumber

Next ?
• SeoulADEX2017
-
* Source:http://www.seouladex.com/intro.asp

Q&A
minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com, https://www.facebook.com/xcoolcat7
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7

Reference
• TargetedAttackson DefenseIndusty (Korean)
http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26565ABC,
http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threats.pdf)
• Targeted Attacks on Defense Industry
(http://download.ahnlab.com/global/brochure/Tech_Report_Defense%20Industry.pdf)
•

• 내용 (1Depth)
-
* Source:

Targeted attacks on major industry sectores in south korea 20170927 cha minseok_iscr 2017

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Targeted attacks on major industry sectores in south korea 20170927 cha minseok_iscr 2017

Ähnlich wie Targeted attacks on major industry sectores in south korea 20170927 cha minseok_iscr 2017 (20)

Mehr von Minseok(Jacky) Cha

Mehr von Minseok(Jacky) Cha (15)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Targeted attacks on major industry sectores in south korea 20170927 cha minseok_iscr 2017