1. Targeted Attacks on Major Industry Sectors in South Korea
CHA Minseok (Jacky)
Senior Principal Malware Researcher
AhnLab | ASEC | Analysis Team
ISCR 2017 (August 31, 2017)
5. © AhnLab, Inc. All rights reserved.
Timeline (2011 to 2017)
- EMC RSA, Lockheed Martin hacking
- Japanese arms company attacked
- Operation Shady RAT
- Sykipot Group
- The Nitro Attacks
- The Icefog APT report released
- Operation Red Dot (Escad)
- Seoul ADEX Attendees attacked
- Security breach of major companies in South Korea
- Operation Ghost Rifle (Rifdoor)
- Operation Anonymous Phantom (Phandoor)
6. The Icefog APT (2013)
Icefog
- Period: From 2011 to 2013
- Main targets: Government organizations and defense industry in South Korea and Japan
- Target systems: Windows and Mac OS systems
- Target applications and vulnerabilities
  - Microsoft Office (CVE-2012-1856, CVE-2012-0158)
  - Java (CVE-2013-0422, CVE-2012-1723)
  - HLP
  - Probably Hancom Hangul, a local word processor in South Korea (but the relevant file (.hwp) was not found)
* Source: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf
7. The Icefog APT (2013)
• Icefog-NG
- Latest Icefog
- PDB: 'e:jd4myServer(RegRun)releasejd4(reg).pdb'
PDB paths seen across samples:
d:jdjd(RegRun)releasejd3(reg).pdb
e:jd4myServer(RegRun)releasejd4(reg).pdb
x:jd(RegRun)releasejd3(reg).pdb
8. The Icefog APT (2013)
• Commands
Command   Function
SC        Execute command prompt (cmd.exe)
UP        Upload files
LD        Download files
SL        Sleep
9. The Icefog APT (2013)
• Icefog-NG C2
- npro + ttct + .com = nprottct.com → There is a website 'nprotect.com' in South Korea.
10. The Icefog APT (2013)
• C2
- Similar to websites in South Korea
C2 (legitimate site it resembles, where one could be guessed)
fruitloop.8.100911.com/news/upload.aspx
minihouse.website.iiswan.com/update/upload.aspx
www.kreamnnd.com (www.mnd.go.kr ?)
www.nprottct.com (www.nprotect.com ? -> security vendor)
www.boanews.net (www.boannews.com ? -> security news)
starwings.net
www.hauurri.com (www.hauri.co.kr ? -> security vendor)
esdlin.com/news/upload.aspx
www.mnndsc.com/news/upload.aspx
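The C2 list above works because the hostnames sit one or two typos away from well-known Korean sites. The following is an added example (not from the talk or from AhnLab) of the check a defender can run over proxy or DNS logs: each DNS label of an observed host is compared, by edit distance and substring containment, against the registrable labels of the brands the slide names. The brand table, threshold and the indicator list are constructed from the slide for illustration.

```python
"""Flag hostnames that imitate protected brands (lookalike C2 detection)."""
from urllib.parse import urlsplit

# Brands the Icefog C2 names imitated, keyed by registrable label (constructed from the slide).
PROTECTED_LABELS = {
    "mnd": "www.mnd.go.kr",          # Ministry of National Defense
    "nprotect": "www.nprotect.com",  # security vendor
    "boannews": "www.boannews.com",  # security news
    "hauri": "www.hauri.co.kr",      # security vendor
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, O(len(a) * len(b)) memory-light DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_labels(indicator: str) -> list:
    """DNS labels of a bare host or host/path indicator, dropping 'www' and numeric labels."""
    host = urlsplit("//" + indicator).hostname or ""
    return [lab for lab in host.split(".") if lab and lab != "www" and not lab.isdigit()]

def lookalike(indicator: str, max_distance: int = 2):
    """Return (label, imitated_domain, distance) for the closest protected brand, or None.

    Containment (brand inside the label) counts as distance 0; labels shorter than five
    characters are only matched by containment to keep TLDs such as 'com' from matching.
    """
    best = None
    for label in host_labels(indicator):
        for brand, real in PROTECTED_LABELS.items():
            if label == brand:
                continue  # this is the genuine brand label, not a lookalike
            if len(label) < 5 and brand not in label:
                continue
            dist = 0 if brand in label else levenshtein(label, brand)
            if dist <= max_distance and (best is None or dist < best[2]):
                best = (label, real, dist)
    return best

if __name__ == "__main__":
    # Constructed indicator list taken from the slide's C2 table.
    for ioc in ["www.nprottct.com", "www.boanews.net", "www.hauurri.com",
                "starwings.net", "www.kreamnnd.com", "esdlin.com/news/upload.aspx"]:
        print(ioc, "->", lookalike(ioc))
```

Note that kreamnnd.com is not flagged: as on the slide, its resemblance to mnd.go.kr is a guess, and edit distance alone does not support it.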
11. Attack against Seoul ADEX 2015 Attendees (2015)
• Defense firms suffer hacking attacks
* Source: http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html
12. Security Breach of Major Companies (2016)
• Malware infiltrated via a vulnerable asset management system
- 42,608 documents were reported to have been leaked
* Source: http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE
14. Method of Attack
• Watering hole (ActiveX)
• Email
• Update
• Management system
16. Operation Red Dot (OP006)
- Period: From early 2014 to February 2017
- Main targets: Defense industry, political institutions, major companies, hosting services ...
- Remark: This hacking group is possibly involved with the security breach of Sony Pictures
- Relevant files: AdobeArm.exe, msnconf.exe…
17. Operation Red Dot (OP006)
• Relation
* Source: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf &
https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/
18. Security Breach of Sony Pictures (2014)
Sony Pictures Hack
- Erased Sony's computer infrastructure
- Leaked confidential data
* Source: http://imgur.com/qXNgFVz & https://gist.github.com/anonymous/7b9a0a0ac94065ccfc5b
19. Attack against Seoul ADEX 2015 Attendees (2015)
• News reported,
"There is a possibility that this hacking group could be connected with the Sony Pictures hacking group" (October 2015)
* Source: http://www.boannews.com/media/view.asp?idx=48598&kind=0 & http://www.etnews.com/20151007000172
20. Attack against Seoul ADEX 2015 Attendees (2015)
• ADEX 2015 Attendees (1)
- HWP vulnerability
21. Operation Red Dot (OP006)
• Malware Sample Comparison
- Sony Pictures hacking vs. attack in South Korea
22. Escad Type A analysis
• Type A (Sony Pictures hacking)
23. Escad Type B analysis
• Type B
- XOR 0x89
24. Red Dot Relation
• Relation
- Sony Pictures, 2014.11 (Type A)
- 2015.9 (Type A & B): Hwpx vulnerability (CVE-2015-6585)
- Political institution, 2015.5 (Type C)
- Defense firm, 2015.4 (Type B)
- Websites against North Korea, 2014 ~ 2015 (Type A & B)
25. Timeline (2014 to 2017)
[Timeline figure: Sony Pictures hacking; Escad Loader(1), Loader(1) x64, Loader(2), Loader(2) – Resource; Backdoor(1) A, Backdoor(1) B, Backdoor(2); Web hosting service; Seoul ADEX attendees; Politics]
27. Operation Ghost Rifle (OP017)
- Period: From early 2014 to February 2017 (still active?)
- Targets: Defense industry, security companies, political institutions
- Target applications: MS Office macro, hacked management system, Active-X
- Rifdoor PDB
- Backdoor, Wiper
28. Attack against Seoul ADEX 2015 Attendees (2015)
• ADEX 2015 Attendees (2)
- Microsoft Office macro
29. Attack against Seoul ADEX 2015 Attendees (2015)
• ADEX 2015 Attendees (2)
- Download Rifdoor
30. Security Breach of Security Vendor (2016)
• A security vendor in South Korea has been hacked
* Source: http://www.etnews.com/20160218000217
31. Security Breach of Major Companies (2016)
• Malware infiltrated via a vulnerable asset management system
- 42,608 documents were reported to have been leaked
* Source: http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE
32. Security Breach of Major Companies (2016)
[Attack diagram: Attacker; Insider; Vendor; Update server of asset management system; Major companies and arms companies; C2 and storage server for leaked data; Ghostrat]
- V3PScan.exe was distributed by the hacked asset management system
33. Malware
• + Wiper
Attack route
− Active-X
− Management system
Stealer tools
− Backdoor (Aryan, Ghostrat, Rifdoor, Xtream)
− Keylogger
− Privilege escalation
− OSQL
− PuTTY Link
− Proxy server
− Port scanner, etc.
34. Malware - Backdoor
• Rifdoor
- Backdoor (90KB)
- Adds random data
- PDB
35. Malware - Backdoor
• Customized Gh0st RAT
- Source code released
38. Operation Anonymous Phantom (OP018)
Phandoor (OP018)
- Filename: Phantom.exe
- f_lps.exe, ahnV3.exe, 12teimong12.exe, Tiemong.exe, v3scan.exe, otuser.exe, v3log.exe
- Mystery 'S^'
- Remark: This hacking group is possibly connected with Operation Ghost Rifle
39. Operation Anonymous Phantom (OP018)
• Feature
- S^!?
40. Operation Anonymous Phantom (OP018)
• Decoder/Encoder
41. Operation Anonymous Phantom (OP018)
• Backdoor
43. Relation
[Relation diagram, 2007 to 2017: Icefog (2011); Dllbot; Xwdoor; OP Black Mine (Bmdoor); OP Red Dot (Loader); OP Red Dot (Escad); OP Ghost Rifle (Rifdoor); OP Anonymous Phantom (Phandoor); New Phandoor (?)]
44. Relation
• Suspicious 'S^'
- Found 'S^' in the Xwdoor (2012), Phandoor (2016)
45. Relation
• Encoding code
- Rifdoor vs. Phandoor
46. Korean?!
• Ghostrat Korean Edition
- Korean words which are not used in South Korea
47. Korean?!
• Korean?!
- C:UsersKGHDownloads(DONE)TROYS(DONE)(done)1charelease(done)(done)1cha(dll)Installer-dll-service-win32ReleaseInstallBD.pdb
- KGH: common Korean name initials (?)
- 1cha: 'cha' has the same pronunciation as the Korean ordinal number
49. Relation
[Relation diagram, 2007 to 2017 (repeated from slide 43): Icefog (2011); Dllbot; Xwdoor; OP Black Mine (Bmdoor); OP Red Dot (Loader); OP Red Dot (Escad); OP Ghost Rifle (Rifdoor); OP Anonymous Phantom (Phandoor); New Phandoor (?)]
50. Next ?
• Seoul ADEX 2017
* Source: http://www.seouladex.com/intro.asp
51. Q&A
minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com, https://www.facebook.com/xcoolcat7
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
53. Reference
• Targeted Attacks on Defense Industry (Korean)
(http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26565ABC,
http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threats.pdf)
• Targeted Attacks on Defense Industry
(http://download.ahnlab.com/global/brochure/Tech_Report_Defense%20Industry.pdf)