
Hello everybody, thanks for coming and sitting through my talk. I'm sorry, I don't know what happened to my slides, some strange line is appearing here, sorry for that. Also, sorry for my voice, I'm sick; I'll try to speak in a way that you can understand what I say. My topic is investigating recent targeted attacks on APEC countries.

Let me start by introducing myself. I'm sorry, just a second, strange things happen. I'm Noushin Shabab, senior security researcher at Kaspersky Lab. My areas of interest are APT investigation, malware analysis, reverse engineering and forensic analysis, anything that is relevant to investigating cyber attacks. I've been with Kaspersky Lab for more than one year, one year and a half now. Before that I was also working at an antivirus company overseas doing the same thing, malware analysis and reverse engineering. In Kaspersky Lab I'm part of a team which is called GReAT. GReAT stands for Global Research and Analysis Team. We are about 40 people all around the world, working on different cyber attacks, each focusing on the region that we are based in; that's why I'm talking about attacks on APEC countries. My main focus is on Australia and New Zealand and then other countries in the APEC region. The people you see in this picture are part of the GReAT team. We work very closely with our CEO, and we are the research team of the company, so if you ever see a webinar or read a report from the company, this is what our team does.

Talking about the research that we have been doing during the years: the big research topics and big cyber attacks that we have been investigating. It started with Stuxnet in 2010; I'm sure that all of you know about Stuxnet. It was a very big cyber attack, it was actually a revolution in cyber threats. Then you can see in this picture that in 2011 we investigated another big cyber threat, Duqu, and then in 2012 a few big cyber threats we worked on. In 2013 you can see more than five or six, and in 2014, 15 and 16 you can see that there are a lot of big cyber threats that we have worked on. So it means that these targeted attacks and big cyber threats, what we call APTs, advanced persistent threats, are not limited to one continent, some kind of industry, or one country in, like, the Middle East anymore; it's everywhere, in every industry and every country. That's why it's very important to investigate these cyber threats, to know their techniques and their intentions, what they do, and to predict what they want to do next.

Talking about cyber espionage and cyber threats in APEC countries: if you noticed these logos in the previous slide, we make different logos for the different APTs that we work on. So as you see here, there are different examples of big cyber threats and cyber espionage campaigns happening in APEC countries. These are some examples of what we worked on. The upper ones are current cyber threats and cyber espionage campaigns targeting APEC countries, and the bottom ones are the threats that are originating from APEC countries, and maybe their targets are APEC countries as well. I don't think you can see this slide completely, okay. So let me talk about some historic cyber threats and some major cyber espionage campaigns that have happened on APEC countries. First of all, let me start with
the big cyber threat, Regin, which started in 2003. As you see in the map, some of the APEC countries are among the main targets of this cyber espionage campaign. It was a very complex platform of cyber threats, it had rootkits and different trojans, it was very advanced, and a lot of companies and countries have been among the targets of this APT actor. Another one, where you can see some other APEC countries like India and Mongolia among the targets, was NetTraveler. We discovered this threat in 2013, but the first attacks happened in 2004. It was again a toolkit of cyber espionage; it had lots of tools and advanced techniques and methods that they used to attack the victims. Another one, which is a very recent one, started in 2016, and we also discovered the threat in 2016 and started working on it. It is a sophisticated campaign operating out of India, and some APEC countries like China and Australia are among the targets. Cyber espionage actors are very active, and they also adopt new techniques as they come up, to attack more victims and to be up to date, using new techniques and methods every day.

But now I want to talk about a few very big cyber threats that are happening on APEC countries at the moment and are very current. The first one is Lazarus. I'm sure that most of you know about Lazarus, the APT actor which has been active since 2009 at least. They have done many serious cyber attacks in the past, like the attack on Sony Pictures Entertainment in 2014, which was very big news. Another very serious attack they did was in 2013, an attack on South Korea which we call Operation Troy; these are sophisticated attacks by the Lazarus group. Another one again happened in 2013, we call it Operation Dark Seoul; it also happened on South Korea. As you see, lots of the cyber espionage campaigns that they have been conducting were on South Korea before, but then they changed their techniques and they started going after money as well. There's a subset of their operations, it's not a small subset but it's a subset, which deals more with money and stealing money from different banks and different industries and organizations and companies that deal with money, which we call BlueNoroff. We actually investigated these threats for about 10 months last year. We did forensic investigation on many big banks that have been infected and attacked by this group, this subgroup of Lazarus, and lots of APEC countries were also among the targets of these attacks. They are still ongoing; still we find new attacks and new techniques and new malware every week and every day from this group of Lazarus. You can see in this map, which shows the geography of the financial attacks of the Lazarus group, many of the APEC countries like Indonesia and Malaysia among the targets. So while I'm talking about the APEC countries, these are the countries that are close to our countries, these are the countries that we deal with in our businesses, and if you have a business with a country that is a main target of many cyber attacks, it's important to know about these cyber attacks and be cautious about that. Another one, which I spent quite a few months on
investigating their attacks, is called Spring Dragon. It's a very interesting APT actor; it's been running since 2012 and the main targets are APEC countries, many of the APEC countries, and they're constantly expanding their targets to more countries. It started with some attacks on Taiwan and then they expanded their attacks to different countries and different industries. They have a massive scale of operation, like a few times more than many other APT actors that we see. I actually did reverse engineering on more than 700 custom backdoor samples of this APT actor, which is a lot compared to most of the APTs that we work on. They have a very big command and control infrastructure; they maintain more than 200 C2 servers, and they use these C2 servers with different customized settings on different victims, so it makes the detection more difficult.

Talking about the background of this research: they started in 2012, and at that time there was a backdoor which was called the Elise backdoor, used in cyber espionage attacks against some countries in the APAC region, and some other researchers have worked on this APT as well. Why did they call it the Elise backdoor? Because of the PDB path the malware developers left inside the sample, as you see here. Then we spent some time working on and investigating the infiltration techniques that they use. They use different spear-phishing exploits, they did web compromises to infect more people, and they also did some watering hole attacks to attack more victims and some targeted victims. The different spear-phishing exploits they use: they use PDF exploits, they still use this kind of spear-phishing emails and exploit files, PDF exploits, MS Word exploits, Adobe Flash Player exploits. So they have a good and strong set of skills and tools that they use for attacking the victims.

Talking about watering holes: sometime in 2013, if I'm not mistaken, they compromised a website to target some organizations in Myanmar. This is the website that they targeted. As you can see, there are some files that people could download from this website; the ZIP files at the bottom were meant to have fonts for Myanmar, I mean tools to render the Myanmar font, but the Spring Dragon attackers changed these files and put some trojanized files there to infect companies and organizations in Myanmar. Another one: they used spoofed Flash installer websites for some targeted attacks on some governmental organizations in some other Asian countries. They also put the same backdoor, which is again the Elise backdoor, inside this downloaded file for Flash Player, which means that it installs the Flash Player but it also installs a backdoor on the victim's system as well. So we spent quite some time on the techniques that they used back then.

But then again, at the beginning of 2017, some news from the attacks on Taiwan arrived from one of our partners. We improved our detections and we started receiving lots of detections and lots of attacks happening all around APEC countries. Soon after, we started looking at them, and then we decided to investigate the attackers' techniques and toolkits again: what they have been doing all these years and what they have been implementing. So first of all, talking about the new victims: the victims are high-profile governmental organizations in APEC countries; there are some political parties among the victims. These are common victims for cyber espionage, as you may know, but some other industries that they went after were very interesting, like educational institutions and universities. A lot of universities were among the targets of Spring Dragon. Why? Because I don't think many universities care about security that much. Of course, in governmental organizations they think about security and they want to have security more than universities. I think most of the universities have no idea what security is and whether some cyber attack would sometimes happen on them. And then the telecommunication industry, which is very important, and then also some manufacturers for the telecommunication industry, which is somehow going after the supply chain and trying to be one step ahead of infecting the individuals or organizations themselves. So this is the map of the victims, the new victims; you can see almost all the APEC countries are among the targets, not Australia and New Zealand yet, but as they are expanding the targets all the time, maybe we are the next victims.

Let me talk about the toolsets of Spring Dragon. They have different kinds of backdoors with different characteristics and customized C2 servers and customized details for creating services and creating persistence on the victim's machine, so it makes the detection very difficult, as I already said, because the IOCs are not useful anymore: in one
system the file has one unique name, in another system it changes and has something else, and the C2 servers are also different from one victim to another victim. The different backdoor tools that they have are also embedded inside the installers, or backdoor loaders, and backdoor modules. What you see in this picture is a very old backdoor installer of this APT actor; these are the resource entries of the file. As you can see, the backdoor file is in plain text inside one of the resource entries, but that was back then, in 2012 or 13; they don't do this anymore. They made the tools more obfuscated and more advanced. They have different encryption techniques, and they encrypt backdoor files inside the backdoor loaders or backdoor injectors, which would inject the backdoor file into the system processes, so it makes it more difficult to find out what is going on inside this file. As I said, different backdoor samples have customized sets of C2 servers. What you see here is the C2 configuration of lots of different backdoor tools of this APT actor. These are all encrypted inside the backdoor loaders, and they would get decrypted with the backdoor. So it means that even if you look at the backdoor loader or installer modules, you cannot understand the C2 servers, because it's encrypted and the decryption routine is not inside the file; it's inside an encrypted file inside this file. But then, after decryption, the C2 configuration block is usually similar from one tool to another tool, so they can use different tools on the already infected victims, and they can use new tools because the configuration block is somehow similar: it starts with some unique strings like this, and then after decryption it has the C2 servers in this structure, which is the same in different tools.

Different characteristics that their tools have had all these years: they use hard-coded user-agent strings, so if you want to connect to the C2 servers it's not possible, because they want to see what they have implemented inside the backdoor modules, and they also use some custom strings for connecting to the C2 servers. So again it makes the investigation more difficult if you want to look at the C2 servers yourself and understand what it does and what it has inside, or maybe attack the C2 server yourself.

But what are these backdoors capable of? The different tools that they have more or less have the same capabilities, but with different styles of coding and with different characteristics, so it's somehow customized for different victims. They can update the C2 configuration file anytime they want, and that's why we saw some victims that have been infected for many years, but they are constantly updating the configuration block to make this victim connect to new servers. They can steal any type of file from the system, from executable files to documents to images, anything that you can imagine. They can download more malicious files and install them on the system, so they can infect the system with more tools, more advanced tools and new tools, anytime they want. They can load and run a DLL module, and they can unload the previously loaded module, which means they can clean the system after they're done, or they can uninstall different applications from the system, because they can unload any DLL that they want with their advanced techniques. They can run any executable on the victim's system, so as I said, they can download new malware files and install them on the system, and they can execute different system commands on the system to collect more information about the files, about the running processes, about, I don't know, network connections, anything that they want. So they are almost capable of doing anything that they want when they infect the system.

Let's have a look at the evolution of their toolsets. They started in 2012 with the Elise backdoor version 2 with three variants, variant A, B and C, and then in 2013 they introduced another backdoor module which
we call the Shadowless backdoor. I don't want to go into the details of the different backdoors, because I don't want it to be boring; I just wanted to tell you the high-level information about these threats. Then in 2014 they started another variant of the Elise backdoor, and they also used different tools like backdoor loaders and backdoor injectors to encrypt backdoors inside these modules, to make it more difficult and more ambiguous to understand what is inside the file. In 2015, researchers from the Unit 42 group published a thorough report about the Elise backdoor variants A, B and C, not the other tools, and just after the publication the attackers stopped developing these three variants, but they continued using the variants and the tools that have not been reported. So that's why I don't want to tell all the details about the other tools, because they are still using them and improving them. They started using new features to escalate privilege on the systems, so they can install their malware on the systems with less access. They also started another backdoor tool in 2015. So almost every year they developed new tools and new modules, and in 2017 they added more features to their files: they added more obfuscation to the code of the backdoor modules and the different tools that they have, and also to the names and strings, which are encrypted, and the C2 servers, which are encrypted with more encryption. Throughout the years they also added more obfuscation all the time to the different tools that they have been using.

So after investigating their tools, I wanted to understand where these attackers are based and what their intention is. As we usually do, we try to understand where they have been registering their C2 servers, where the attackers are, where the malware developers are based. So I looked at the C2 servers. As I said, there are a lot of C2 servers for this APT actor, so it was easy to look and sort them out among the countries to see in which country they have been registering their C2 servers. As you see, more than 40 percent are located in Hong Kong, and then some other countries come after that. As you know, the attackers try to use different techniques, I mean VPNs or different things, to hide their real location, so this is not something very reliable, but for a few years and for a lot of C2 servers it can mean something.

Talking about the origin of the malware developers: I had quite a lot of malware samples, like more than 700, so I looked at the timestamps of the compilation of these malware samples and we sorted the timestamps against GMT. In this histogram you can perfectly see that the main activity during the years is happening in the GMT+8 time zone, and then there's another smaller peak of activity happening in some other time zone. Maybe it's another time zone, they are operating in different countries, or maybe they work in two different shifts and the second one is another shift in the same time zone which starts in the evening. We are not sure; these are the evidences that we see, and we try to understand. After that we cannot be certain about anything.

So just to wrap it up, for the conclusion: the examples like Lazarus or Spring Dragon, or the other APTs that you saw before this, are APT actors with a massive scale of operation. They have invested a lot in their tools and their techniques and the C2 infrastructure and everything, so they are not going to go away very soon. They have been constantly developing and improving their tools, so it's not going to be as easy as it was to detect them in the future. Different APEC countries, countries and territories actually in the APEC region, have been among the main targets of this kind of APT actor, so it means that the advanced threat actors are interested in our countries, and it puts APEC countries in a dangerous situation. We are sure that these APT actors are going to continue resurfacing regularly in the APEC region, maybe with more, I mean of course with more tools, more advanced tools and more new targets. So if you are not among the targets yet, we might be the next one. Thank you, and if you have any questions I'm happy to answer. [Applause]
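The compile-timestamp histogram the speaker describes, as an added example that is not part of the talk or of Kaspersky's tooling: it buckets PE TimeDateStamp values by UTC hour and tries every whole-hour offset to find the one that best aligns the builds with an assumed 9-to-18 office day. The timestamps are constructed so that a UTC+8 working day dominates, with a smaller evening cluster like the second peak in the talk.

```python
from collections import Counter
from datetime import datetime, timezone, timedelta
from typing import Iterable, List, Tuple

WORK_START, WORK_END = 9, 18   # assumed local office hours (hypothetical)


def constructed_timestamps() -> List[int]:
    """Constructed PE TimeDateStamp values (epoch seconds): 20 working days,
    most builds during UTC+8 office hours, plus a smaller evening cluster."""
    base = datetime(2017, 3, 6, tzinfo=timezone.utc)          # a Monday
    stamps = []
    for day in range(20):
        date = base + timedelta(days=day + (day // 5) * 2)      # skip weekends
        for local_hour in range(9, 18):                         # main cluster
            stamps.append(int((date + timedelta(hours=local_hour - 8)).timestamp()))
        for local_hour in (19, 21):                             # evening shift
            stamps.append(int((date + timedelta(hours=local_hour - 8)).timestamp()))
    return stamps


def utc_hour_histogram(timestamps: Iterable[int]) -> List[int]:
    """Bucket compile timestamps by UTC hour of day; index = hour 0..23."""
    counts = Counter(datetime.fromtimestamp(t, tz=timezone.utc).hour for t in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def estimate_utc_offset(hist: List[int]) -> Tuple[int, float]:
    """Try every whole-hour offset from -12 to +14 and return the one that
    places the largest share of builds inside WORK_START..WORK_END local time,
    together with that share (first offset wins on ties)."""
    total = sum(hist) or 1
    best_offset, best_share = 0, -1.0
    for offset in range(-12, 15):
        in_hours = sum(hist[(local - offset) % 24] for local in range(WORK_START, WORK_END))
        share = in_hours / total
        if share > best_share:
            best_offset, best_share = offset, share
    return best_offset, best_share


def render_histogram(hist: List[int]) -> str:
    """Text histogram so both activity peaks are visible without a plot."""
    return "\n".join(f"{h:02d}h UTC {'#' * c} {c}" for h, c in enumerate(hist))


if __name__ == "__main__":
    hist = utc_hour_histogram(constructed_timestamps())
    print(render_histogram(hist))
    offset, share = estimate_utc_offset(hist)
    print(f"best fit: UTC{offset:+d}, {share:.0%} of builds in office hours")
```

As in the talk, the second peak may be another time zone or a second shift in the same one; the offset is a best fit over the whole corpus, not proof of origin.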