
A Year Hunting In A Bamboo Forest - Sebastien Larinier

BSides Belfast · 30:29 · Published 2020-01

Let's go. Thank you. Hello everyone, thanks for staying, it's this late. So my name is Sebastien, and Sebdraven is my handle on Twitter. I'm a senior researcher at [inaudible], an engineering school in Paris. I created my company called [inaudible]. I develop some stuff open source like Yeti, and [inaudible]. Here is my GitHub for all the stuff I developed, and my Medium with all the articles I wrote, and you have different articles about Chinese actors, Indian actors. When I found [inaudible], I worked on Chinese threat actors during one year, and I tried to make links between the different threat actors

because many vendors and many CTI companies wrote articles on different actors, and I found some stuff about these actors so I can make links between them. I was the first guy to reverse engineer the RTF 8.t file kit; it's an exploit kit used by Chinese threat actors in spearphishing. The document is a decoy document in attachments for spearphishing, and with this exploitation framework I made many links between different Chinese threat actors, and for me it's not the same group, but yeah, they have the same boss. So it's interesting to have that idea in mind, and I have many [inaudible] reused between

the different actors, because many actors use specific backdoors, but in backdoors you have different functions, and the functions are reused between backdoors. The first detection was an APT in Vietnam targeting a public administration in a district in Vietnam. I had this first detection; I had just analyzed the SideWinder group. SideWinder is an Indian threat actor known to target Pakistan, and now it targets China, so it is very interesting, and it uses an exploit. This is the exploit, a buffer overflow in Equation Editor in Microsoft Office documents, and in this exploit I found this fingerprint, so you have this

string directly in the exploit, and with this string I made a YARA rule to make a retrohunt on VirusTotal, and on VirusTotal I found many, many samples of this kit. So, a little reminder: this CVE is a vulnerability in a COM object, and this exe renders mathematical formulas in Office documents. The joke is Microsoft has lost the code of this exe, because this exe is too old, so if you find a vulnerability in this exe you are the king, because there's no patch, because [inaudible] and no source. So it's very fun. And with the RTF format you can

put directly the OLE object with this CLSID. The CLSID is the number in the registry to say to Windows which exe you call to render the object, the COM object, with this exe. So you craft specifically a COM object, you put it directly in the RTF, and when you click on the RTF document the exe is exploited. Another thing: I think this exe is compiled without ASLR, so it's open bar to create your own exploit on this exe. For example you have an open source implementation in Metasploit, so you can look under it and you see the different

implementations, and the first implementation I've seen, it just downloads an HTA file to execute the HTA file on the computer. The Chinese actors used this exploit on Tibetan citizens directly, using the Metasploit [inaudible] exploit directly. [inaudible] Why did the Chinese use this Metasploit exploit? I think they tried the exploit, and if the exploit works correctly and the exploit is reliable, the Chinese actors complexify the exploit kit. [inaudible] It's very simple: in the RTF they

developed this framework to use massively in different operations. You create an 8.t file and you put it directly in the document. When you do that, you create via Word a new OLE package, and the OLE package has a functionality: when you open the document, the OLE package is directly written in the temp folder, so you can write easily on the disk directly from the document. And when this file is put in the temp folder you have an exploitation of the buffer overflow to put a shellcode in memory; the shellcode in memory decrypts this file in memory, and in memory the result of this

decryption is a PE format, directly an exe, but in memory, not on the disk. So it executes this PE: it's launched and writes on the disk a legit binary, signed, like Avast, like Symantec, and a DLL. Here it's [inaudible] to make a side loading, and the shellcode executes the legit binary to launch and to map the DLL in memory. The malware is this data. On Vietnam we have the threat actor uses this domain, and this domain resolves to this IP. I have a connection between all the campaign described by Fortinet, and for Fortinet this campaign, so you have a Maltego graph if you want to read after

the different connections on the campaigns, and here you have the IOCs shared between the campaigns, and for Fortinet it's Goblin Panda. Goblin Panda is a known Chinese actor [inaudible]. At the beginning this actor began to target Tibetan citizens, so it's very interesting: the road of this actor is that they start with easy targets and complexify the operation to target ministries of government in Southeast Asia. It's an Intezer screenshot. So it's a payload, and the payload of this campaign is [inaudible]; it's a version of [inaudible]

modified. But for Fortinet, on Vietnam it's NewCore RAT that was used. It's interesting, because we have an overlap of the [inaudible], but it's not the same backdoors. And I found a NewCore RAT link, interesting with this malware: this malware is used on the campaign in Vietnam in NewCore RAT, so it's the same group, like Goblin Panda. And you have a big overlap with APT1: the function of [inaudible] in this case is the loading of the plugin of the backdoor; it's the same technique between Goblin Panda and APT1. I've made

I've made a YARA rule, and on this backdoor I found similar malware compiled in 2008, so it's before the leak of APT1. So you have a big connection between APT1 and Goblin Panda. Why? Because when APT1 was doxxed, the developers were split into different Chinese teams, to another group, and Goblin Panda. It's very interesting because we have many similar techniques to APT1. And in this case, this kit is unique; many, many people have seen it, but I was the first guy to reverse it, and I decided to make an [inaudible]

on this kit, not the backdoors. Why? Because I searched for the top commander of the operation, not the small group. I want to know which [inaudible] has bought this exploit, or if it's the Chinese actors who have developed this exploit. For me, I have no evidence about that, but it's a company in China that has developed [inaudible], and that's why we found this exploit with the same fingerprint in India and in China. I found only a link in Cambodia with APT40. I have infrastructure and [inaudible] overlap on the second campaign after the

election campaign against Cambodia. You have the first campaign, on the election, described by FireEye, and this campaign is just after, and they reused the same infrastructure. So they use BADFLICK malware; I put BADFLICK directly on Intezer and I have an overlap of the code with NewCore RAT. So it's the same three or four functions [inaudible] with NewCore RAT, so it's the same developers and the same TTPs, because they use the same kit and the same functionality of backdoors. So you have APT40 [inaudible] shared infrastructure with Goblin Panda, shared code with APT1, and you have BADFLICK,

NewCore RAT and [inaudible], like PlugX. In Russia I found the same kit, and I have a connection between infrastructure, and here the backdoor is Sisfader. Sisfader is a backdoor like PlugX, but it's not developed by the same guy; you have the same functionalities, to list processes, to make exfiltration, to make the lateral movement, so it's the same functions but it's not the same code. For Fortinet, Sisfader and NewCore RAT were developed by the same group, Goblin Panda. For me, I don't know, but we have many links with these actors. I found a link with Reaver. Reaver is a

malware developed by Chinese actors, and on these actors we have different overlaps of the code [inaudible] and of the infrastructure. And an interesting thing, for Reaver, Goblin Panda is associated with the MSS. The MSS is a Chinese intelligence service. For [inaudible] like me, [inaudible] the Chinese structures share different software, like APT40, Goblin Panda and IceFog. [inaudible] with IceFog. IceFog is a Chinese APT actor targeting Central Asia, like Mongolia and Kazakhstan, but IceFog [inaudible] the exploit: the group does not exploit the same part of the code of Equation Editor, but targets Equation Editor. It uses the same package. An interesting thing: it uses a persistence of

Microsoft Word, because Word has a startup folder, and if you put a DLL or an exe in this folder and you open a document, any document, the DLL or the exe is executed by the [inaudible] system. This DLL in the startup folder contacts the C2 and downloads an exe. A researcher of FireEye, Anna Chang, made a good overview on IceFog, and they use the same techniques. The difference is, during this time, the backdoor: IceFog changes the backdoor depending on the target and the country. I found this in May 2019, and FireEye made an article on this sample.

[inaudible] This sample targets the Kazakhstan government, the Ministry of Defence of Kazakhstan. Goblin Panda reused the same kit as IceFog, so it changed the exploit but it kept the RTF kit: it's the same kit but it's not the same exploit, and it targets Vietnam. And with this campaign I have many links with Rancor. Rancor is a threat actor described by Check Point, and it targets Cambodia, Vietnam, all of Southeast Asia. It's a decoy document and it's the same target: you have here a Goblin Panda document and a Rancor document, and here is the same name as here, so it's exactly the same target in the

decoy documents. This is the RTF [inaudible], and in the screen when you open the document. Here is the article of Check Point, and here it's my article, and Check Point made a link in my article on this campaign. With Intezer I found a big overlap of Goblin Panda on this sample, so I have links between TTPs, like the kit, and the backdoor is very similar to NewCore RAT. And finally I found a link with Winnti, always in Vietnam, with the same kit, and the backdoors are different: a backdoor is used by Winnti. But Winnti is an umbrella

word for Chinese groups. For me there are many different groups: for example, guys who want to target video games, who want to target the supply chain like ASUS, or [inaudible]. The malware is completely different: you have rootkits, you have side loading, you have [inaudible]. So for me, this group, it's now stupid: you must divide it into small groups, and one of the small groups has developed a backdoor, and this backdoor is used just in Vietnam. And I worked with law enforcement at the time to explain how the backdoor works, the different logs and evidence you can find in forensics operations, because many

many people in an administration were targeted by this backdoor. So for me, all the groups I described have a link with the MSS. For me, the MSS bought the exploit, and after, the exploit was shared directly with different threat actor groups. The operation and the command, the following of the operation, the actions during the operation are the same, and they have the same boss to describe and to write the operation to target Southeast Asia and Central Asia. Why? Because this place is very important for China, because many countries are used by the New Silk Road of China. So

China has a strategic interest to spy and to make surveillance directly on these countries. All the links are the different references I used on my different findings on these different campaigns of these actors. So the following research is to demonstrate the two policies of cybersecurity operations used in Southeast Asia and Central Asia, and also actors like APT10 or LuckyMouse for other countries, like Japan, like the United States, because I have no overlap of code or infrastructure between these kinds of groups. So you have two policies, organizations thinking operations differently

between these countries. And for me, and Felix said that during this presentation, they made the training in Southeast Asia, and after, these groups target another country like Japan or Russia or the United States. It's over, if you have a question.

Thank you Sebastien, awesome. Are there any questions for Sebastien? Raise your hands. [inaudible] No one? All right, thank you very much. [inaudible]