Christiaan F Beek, McAfee
Jay Rosenberg, Intezer Labs
The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy and 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with certainty? And what connection does a DDoS and disk-wiping attack from July 4, 2009 have with WannaCry, one of the largest cyber-attacks in the history of the cyber-sphere?
We have conducted comparative research over more than 10 years of malware and tools used by North Korean adversaries. The results were intriguing; during our talk we will share our discoveries as well as our hunting tactics. We discovered new links between campaigns, were able to group malware families by actor group, and discovered interesting patterns.
7. When you are talented in Computer Science
Gang 1 and 2 Junior High School
Computer Genius
Kim Il Sung University
Kim Jong Kyo University of Technology
Pyongyang Computer College
8. DPRK Cyber Units after 2013 Reorg
Unit 91: Espionage & Destruction
Unit 110: Tools development and Recon
Unit 128: HUMINT
Unit 180: Financial targeted Operations
Unit 413: Tech. Recon & Social Eng.
9. Benefits of being a state-sponsored hacker
Luxury Apartment
Internet Access
Limousine Bus
Lifelong Party Membership
Bonus payments
Foreign travel
23. MITRE ATT&CK
Techniques observed, grouped by tactic:
Persistence: Bootkit; DLL Search Order Hijacking; New Service; Valid Accounts
Defense Evasion: Access Token Manipulation; DLL Search Order Hijacking; Disable Security Tools; Process Injection; File Deletion; Hidden Files & Directories; Obfuscated Files or Information; Timestomp; Valid Accounts
Credential Access: Account Manipulation; Brute Force; Input Capture
Discovery: Application Window Discovery; File & Directory Discovery; Process Discovery; System Information Discovery; System Network Information; System User/Owner Information
Lateral Movement: RDP; Remote File Copy; Windows Remote Management
Execution: Command-Line Interface; PowerShell; Regsvr32; Service Execution; WMI
Exfiltration: Data Compressed; Data Encrypted; Exfiltration over Alternative Protocol; Exfiltration over C2 Channel
C2: Commonly Used Port; Connection Proxy; Custom C2 Protocol; Custom Cryptographic Protocol; Data Encoding; Data Obfuscation; Fallback Channels; Multiband Communication; Remote File Copy; Uncommonly Used Port
24. ATT&CK Techniques/TTPs Input Data
Campaigns compared: Campaign 1, Campaign 2, Campaign 3
Behavioural indicators:
Process spawning cmd.exe
Quick series of suspicious commands
Suspicious run locations
Running executables with same hash and different names
Suspicious arguments
Command line use of archiving software
PowerShell execution
Outlier parents of cmd.exe
ATT&CK tactic/technique:
Execution/Command Line
Credential Access/Credential Dumping
Exfiltration/Data Compressed
Defense Evasion/Masquerading
Lateral Movement/RDP
Defense Evasion/Scripting
Defense Evasion/Scheduled Task
25. Campaign 1, Campaign 2, Campaign 3 (same behavioural indicators and ATT&CK tactic/technique rows as slide 24)
Which code can be used to create an 'Actor DNA' profile?
28. Final Thoughts
Code re-use analysis revealed interesting links
Code DNA blocks can be used for offense/defense
Pay attention to the details of code overlaps
Never jump to conclusions without context
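The TTP comparison of slides 24/25 and the code-overlap caveat of slide 28 can be combined in one small scoring routine. The following is an added example with constructed data, not the speakers' tooling or real samples: code-block fingerprints that also occur in library code are removed before campaigns are compared, so shared open-source routines do not produce a false link. The ATT&CK technique IDs are the pre-2020 numbers for the techniques listed on slide 24; the sample and fingerprint names are invented.

```python
"""Campaign-overlap scoring for 'actor DNA' profiles (added example)."""
from itertools import combinations

# Constructed input: sample id -> (campaign, code-block fingerprints, ATT&CK IDs).
# Fingerprints stand in for hashes of normalised functions. Technique IDs match
# slide 24's rows: T1059 Command-Line Interface, T1003 Credential Dumping,
# T1002 Data Compressed, T1076 RDP, T1086 PowerShell, T1053 Scheduled Task.
SAMPLES = {
    "s1": ("Campaign 1", {"f_a", "f_b", "lib_zlib_inflate"}, {"T1059", "T1002"}),
    "s2": ("Campaign 1", {"f_b", "f_c"}, {"T1003", "T1076"}),
    "s3": ("Campaign 2", {"f_b", "f_d", "lib_zlib_inflate"}, {"T1059", "T1003", "T1002"}),
    "s4": ("Campaign 3", {"lib_zlib_inflate", "lib_ssl_handshake", "f_e"}, {"T1086", "T1053"}),
}
# Fingerprints also present in open-source/library code (constructed). They are
# shared by unrelated actors, so they carry no attribution signal.
LIBRARY_BLOCKS = {"lib_zlib_inflate", "lib_ssl_handshake"}


def campaign_profiles(samples, library):
    """Merge samples into per-campaign code 'DNA' and TTP sets, dropping library blocks."""
    profiles = {}
    for campaign, code, ttps in samples.values():
        prof = profiles.setdefault(campaign, {"code": set(), "ttps": set()})
        prof["code"] |= code - library  # the context step: remove shared library code first
        prof["ttps"] |= ttps
    return profiles


def jaccard(a, b):
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def campaign_links(profiles):
    """Pairwise overlap: which unique code blocks and TTPs two campaigns share."""
    links = {}
    for c1, c2 in combinations(sorted(profiles), 2):
        p1, p2 = profiles[c1], profiles[c2]
        links[(c1, c2)] = {
            "shared_code": sorted(p1["code"] & p2["code"]),
            "code_sim": jaccard(p1["code"], p2["code"]),
            "ttp_sim": jaccard(p1["ttps"], p2["ttps"]),
        }
    return links


if __name__ == "__main__":
    for pair, link in campaign_links(campaign_profiles(SAMPLES, LIBRARY_BLOCKS)).items():
        print(pair, link)
```

Running the same scoring with an empty library set shows Campaign 3 "linked" to the other two through nothing but the zlib block, which is exactly the conclusion slide 28 warns against.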