Let’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud Service
Uploaded by chi-en-ashley-shen (category: Presentations & Public Speaking). Transcript of the slides follows.
Page 1 (title slide)
Ashley X Belinda
Page 2: Outline
HITCON 2015 Let’s Play Hide and Seek in the Cloud
• Speakers
• APT vs Cloud Service
• Hide and Seek in SaaS
  – Redirect
  – Storage
  – Control Channel
• What APT malware love about cloud service?
• What can we do?
Page 3: Speakers (Ashley, Belinda)
Page 4: Ashley
• Ashley Shen
• Threat Analyst in Team T5
• APT research, malware analysis
• Malicious document detection
• Member of HITCON GIRLS
• [email protected]
Page 5: Belinda
• Belinda Lai
• Security Engineer in III
• Malware analysis
• Assists organizations in handling information security incidents
• Member of HITCON GIRLS
• [email protected]
Page 6 (section title): APT vs Cloud Service
Page 7: Google Trend of Cloud Service (chart)
Page 8: Cloud Service Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Page 9 (figure only)
Page 10: Google Trend of APT Attack (chart)
Page 11: Once upon a time…
• Stuxnet
• Operation Aurora
Page 12: Recently…
• Sony Pictures
• Garena hacked
Page 13
• How do cloud services take part in APT attacks?
• What can malware do with cloud services?
Pages 14 and 15: APT Leverage Cloud Service Models (diagram)
• IaaS → VM → VPS as C&C server
• PaaS → Code → Web server as C&C server
• SaaS → Data → Cloud service as invisibility cloak
Page 16 (section title): Hide and Seek in SaaS
Page 17
• Redirect
• Storage
• Control Channel
Page 18 (section title): Redirect
Page 19: Redirect flow (diagram)
Parties: Victim, Cloud Service, Second Stage C&C.
Steps shown: the C&C address is encoded and posted as a string on the cloud service; the victim fetches the string; the victim decodes the string to get the IP address; the victim then connects to the second-stage C&C, which issues commands.
Page 20 (section title): The Malwares
Page 21: Elirks
• Name: Elirks
• Targeted Country: Taiwan, Japan, HK
• Targeted Sector: GOV, ThinkTank
• First Seen: 2010
• Infrastructure: Yahoo, Plurk, Google (Blogger), Dropbox, Twitter
• Campaign: Elirks group
Page 22
• We found that the earliest Elirks post was posted in 2010.
Page 23
• From 2012 to 2014, Plurk was used in several incidents.
• C2 information is encoded with modified TEA and Base64.
Page 24
• In 2014, Elirks started to hide C2 information in HTML tags.
• Pattern: <http://google.com.tw/37619834? + C2 information
Page 25
• In 2015, our latest observation shows Elirks using a Japanese blog to target JP victims; the C2 information is encrypted with DES.
Page 26: WMIgh0st
• Name: WMIghost
• Targeted Country: Tibet
• Targeted Sector: Various
• First Seen: 2009
• Infrastructure: blog.com, Yahoo, WordPress, SOSblogs, LiveJournal
Page 27
• Uses Windows Management Instrumentation (WMI, which implements Web-Based Enterprise Management) as a venue to conveniently perform malicious activities.
Page 28 (figure only)
Page 29
• Downloads the HTML file and decodes the blog title.
Page 30: Midhos
• Name: Midhos
• Targeted: Taiwan, Tibet
• Targeted Sector: GOV, corporation
• First Seen: 2012
• Infrastructure: Yahoo, Baidu, Pixnet, Xuite
• Behavior: First Stage C&C
Page 31
• 2013: Midhos leverages a Baidu blog as first-stage C2.
Page 32: IXESHE
• Name: IXESHE
• Targeted Country: Taiwan, Japan
• Targeted Sector: GOV, Enterprise, NGO
• First Seen: 2009 (started to connect to blogs in 2013)
• Infrastructure: Yahoo blog, Dropbox, WordPress
• Campaign: IXESHE
Page 33
**********Encoded String**********
• RSA and RC4 encryption
Page 34: Taleret
• Name: Taleret
• Targeted Country: Taiwan, UN
• Targeted Sector: GOV, Enterprise, ORG
• First Seen: 2010 (started to connect to blogs in 2011)
• Infrastructure: Yahoo, Yam, Pixnet
• Campaign: Possibly Taidoor
Page 35
• ARTEMIS (Base64 string, encoded by RC4, contains C2 IP, Port, 0x4C) ARTEMIS
Page 36: PlugX
• Name: PlugX
• Targeted Country: Taiwan; Japan; Korea
• Targeted Sector:
• First Seen: 2012
• Infrastructure: Baidu, Dropbox, Twitter, MSDN, LinkedIn
Page 37
• Pattern: DZKSJDADBDCDHDOCADOCADOCBDDZJS
Page 38: More Tricks - 1
• Using a DNS lookup cloud service to obtain the second-stage C&C address.
• Bypasses DNS blocking.
Page 39: DNS lookup flow (diagram)
Parties: Victim, Cloud DNS Lookup Service, Second Stage C&C.
Steps: (1) the victim sends a lookup request for the C&C domain to the cloud DNS lookup service; (2) the service answers "The IP address of Domain is xxx.xxx.xxx.xxx"; (3) the victim connects to the second-stage C&C; (4) the C&C issues commands.
Page 40: Protux
• Name: Protux
• Targeted: TW
• Targeted Sector: GOV
• First Seen: 2009
• Infrastructure: DNS Watch, ip138
• Campaign: DragonOK
Page 41
• The trojan requests the search result page of DNS Watch to retrieve the C&C address.
Page 42
• DNS Watch is a public DNS lookup tool.
Page 43
• Locates the IP address in the result page by an identifying string.
Page 44
• Tries to query DNS Watch first; if that fails, it falls back to a DNS server (Hinet DNS server, Seednet DNS server).
Page 45
• DNS Watch tried to block the lookups by detecting the user agent. (However…)
GET /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
Host: www.dnswatch.info
Cache-Control: no-cache

GET /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1)
Host: www.dnswatch.info
Cache-Control: no-cache
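Because the resolution goes over HTTP to a lookup website instead of through the resolver, DNS-layer blocking never sees it; the place to catch it is the web proxy log. The following detector is an added example (not the presenters' code): it flags requests to the DNS Watch lookup endpoint shown above whose User-Agent matches the two captured strings, and marks direct resolve queries from ordinary browsers for review. The tab-separated proxy log format and the sample lines are constructed for this example; only the endpoint, the looked-up host and the User-Agent strings come from the slide.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Lookup site and endpoint path taken from the captured requests on the slide.
LOOKUP_HOSTS = {"www.dnswatch.info"}
LOOKUP_PATH = "/dns/dnslookup"

# The two User-Agent strings from the captured requests on the slide.
KNOWN_BAD_UAS = {
    "Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)",
    "Mozilla/5.0 (compatible; MSIE 6.0.1)",
}
# Both strings carry a bare "MSIE 6.0.1" token with no Windows platform token,
# which real IE 6 user agents ("MSIE 6.0; Windows NT ...") do not; the version
# token alone is used as the signature so a changed suffix still hits.
FAKE_MSIE_RE = re.compile(r"MSIE 6\.0\.1\b")

# Constructed proxy-log format for this example: src-ip, method, URL, UA (tab separated).
LOG_RE = re.compile(r"^(?P<src>\S+)\t(?P<method>[A-Z]+)\t(?P<url>\S+)\t(?P<ua>.*)$")


def classify(line):
    """Return a finding for a request to the lookup site, or None.

    severity "high": the User-Agent is one of the Protux strings or carries the
                     fake MSIE 6.0.1 token, on any path of the lookup site.
    severity "low":  a direct A-record resolve query (type=A&submit=Resolve) with
                     an ordinary User-Agent; a person submitting the web form makes
                     the same request, so this only marks the looked-up host for review.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.hostname not in LOOKUP_HOSTS:
        return None
    ua = m.group("ua")
    query = parse_qs(parts.query)
    finding = {"src": m.group("src"), "host": query.get("host", [""])[0], "ua": ua}
    if ua in KNOWN_BAD_UAS or FAKE_MSIE_RE.search(ua):
        finding["severity"] = "high"
        finding["reason"] = "fake MSIE 6.0.1 User-Agent on DNS lookup site"
    elif (parts.path == LOOKUP_PATH and query.get("type") == ["A"]
          and query.get("submit") == ["Resolve"]):
        finding["severity"] = "low"
        finding["reason"] = "direct A-record resolve query; review the looked-up host"
    else:
        return None
    return finding


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample lines; the first reuses the looked-up host from the slide.
SAMPLE_LOG = [
    "10.1.2.3\tGET\thttp://www.dnswatch.info/dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve\tMozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)",
    "10.1.2.4\tGET\thttp://www.dnswatch.info/dns/dnslookup?la=en&host=example.org&type=A&submit=Resolve\tMozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0",
    "10.1.2.5\tGET\thttp://www.dnswatch.info/\tMozilla/5.0 (compatible; MSIE 6.0.1)",
    "10.1.2.6\tGET\thttp://example.com/index.html\tMozilla/5.0 (compatible; MSIE 6.0.1)",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["src"], f["host"] or "-", f["reason"])
```

The fallback to Hinet/Seednet resolvers on page 44 is what makes the proxy signal valuable: once the lookup site is unreachable the same host name shows up in ordinary DNS logs, so the looked-up host from a low-severity finding can be pivoted into the resolver logs.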
Page 46 (section title): Storage
Page 47: Storage flow (diagram)
Parties: Victim, Cloud Storage, Actor.
The steps numbered 1 to 5 on the slide show the actor placing a command in cloud storage, the victim fetching the command, the victim uploading collected data to the cloud storage, and the actor retrieving that data.
Page 48 (section title): The Malwares
Page 49: DropNetClient
• Name: DropNetClient
• Targeted Country: Taiwan
• Targeted Sector: GOV
• First Seen: 2015
• Infrastructure: Dropbox
• Behavior: Fetches commands from Dropbox and uploads victim data to Dropbox.
• Campaign: Taidoor
Page 50
• Low detection rate.
Page 51
• Connects to Dropbox with the DropNet library.
Page 52
• Uses two RC4 keys.
• Key 1: a pubKey used to decrypt the file “10101” downloaded from Dropbox.
Page 53
• Uses two RC4 keys.
• Key 2: the decrypted key, used to encrypt the victim's files before uploading them to Dropbox.
Page 54
• We can find the accessToken, appKey and appSecret in the malware.
Page 55
• With the Dropbox Python SDK, we were able to access the folders and the files, and get the account information.
Page 56
• The actor registers a Gmail account for the specific victim.
Page 57: GDrive RAT
• Name: GDrive RAT (aka TSPY_DRIGO.A)
• Targeted Country: Taiwan
• Targeted Sector: GOV
• First Seen: 2012
• Infrastructure:
• Behavior: Second-stage backdoor. Uploads victim data to a specific Google Drive.
• Campaign: Possibly PLEAD
Page 58
• Developed in the Go programming language.
Page 59
• Low detection rate.
Page 60
• Searches for: XLSX, XLS, DOC, DOCX, PDF, TXT, PPT, PPTX
Page 61
• Uses the OAuth 2.0 protocol to log in to the specific Google Drive.
Page 62
• We can find the access token, client ID, refresh token and email address in the process memory.
Page 63: illitat
• Name: illitat (fc.asp Downloader)
• Targeted Country: TW
• Targeted Sector: GOV
• First Seen: 2010 (started to use blogs in 2013)
• Infrastructure: Yahoo, Yam, Pixnet
• Behavior: Connects to a blog to download the trojan DLL (Taidoor)
• Campaign: Taidoor
Page 64
• Downloads a JPG or a Yahoo blog article and finds the pattern yxyyyxyy.
• Extracts the 2nd-generation Taidoor DLL.
• illitat encoded C2 pattern: (random chars) yxyyyxyy [base64+RC4 blob, decoded to the Taidoor RAT DLL version] yxyyyxyy (random chars)
Page 65 (figure only)
Page 66 (sample blog post content)
yxyyyxyyAwAAADMzMwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFFDWmXB+pydDwdvQc9MPR 8Uoday9yM5lHo+sdPAmzPE0t7LTjjXM9vIOYRCKBytSNICOpSImHuswDN9gz3JMiB Dk0I+ylZG4szjaxDa8ALnyFMzEl0n3GcYujgwwoiZRXdzFyRtG782fvUtVfwNdDWeofS TZEKV9kG3VbZ9XDdwbe7YkiBTt7UYK3VgFf9hpXKFp6VkgBvRj2heFoIwDiKXRusYRf 5Km1KYKaDM7TZMVV5Jtcdyg97Cha7RVosja5lU83f4k0cC7jJkROBICPwIyZbhi8rV5j j2DftJQ01NjnOg2rnUIDfbfkeywxHZQJx4a1AAwMPQyk+pekIwF1bzVF9xhD3dDkjvh db8Hh2QE3IF3jGkcSdUecpTGZr2E2x+fnuNfHrtNbxoRRcebmyIYz9oD0BMrDgiD3T9 x5QnqwrHMjg8TUymCCeWxiUshE81QyS7LUo8ibCmu3+yT9K6eYPiW0AzzH5TohSd D0uIapLsZCRXRk+vodo9i8FBmVnq1+U3W1snM1JkhUJG3SUqdXGulkzB42nL82Ad …… yxyyyxyy
Decoding steps: Base64 decode → [Key Length][Key] → Key xor 0x02 → key for RC4 → RC4 decrypt trojan DLL
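An analyst-side decoder for the blog payload layout just described, added here as an example and not the presenters' code. The slide gives the yxyyyxyy marker, the Base64 layer, the key-length and key fields and the XOR 0x02 derivation of the RC4 key; it does not say how many bytes separate the key from the encrypted DLL (the sample above shows zero padding), so the decoder probes candidate start offsets and accepts only one that decrypts to a valid MZ/PE header. The little-endian 32-bit key-length field is inferred from the sample's leading bytes and is an assumption; the test blob is constructed by build_sample() and contains only a PE header stub.

```python
import base64
import re
import struct

MARKER = "yxyyyxyy"   # delimiter shown on the slide


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the same routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_blob(text):
    """Return the Base64-decoded bytes between the first pair of markers."""
    parts = text.split(MARKER)
    if len(parts) < 3:
        raise ValueError("marker pair not found")
    b64 = re.sub(r"\s+", "", parts[1])     # drop whitespace from page/line wrapping
    b64 += "=" * (-len(b64) % 4)            # restore any stripped padding
    return base64.b64decode(b64)


def decode_illitat(text, max_probe=256):
    """Parse [u32 LE key length][key][...][RC4(DLL)] and return the decrypted DLL.

    The gap between the key and the ciphertext is unknown (assumption: zero
    padding of unstated size), so each candidate offset is accepted only if
    decryption yields an MZ header whose e_lfanew points at a "PE\\0\\0" signature.
    """
    raw = extract_blob(text)
    if len(raw) < 4:
        raise ValueError("blob too short")
    key_len = struct.unpack_from("<I", raw, 0)[0]
    if not 0 < key_len <= 64 or 4 + key_len > len(raw):
        raise ValueError("implausible key length %d" % key_len)
    key = raw[4:4 + key_len]
    rc4_key = bytes(b ^ 0x02 for b in key)        # "Key xor 02 -> Key for RC4"
    first = 4 + key_len
    for off in range(first, min(len(raw) - 0x40, first + max_probe)):
        head = rc4(rc4_key, raw[off:off + 0x40])  # cheap check before full decrypt
        if head[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        dll = rc4(rc4_key, raw[off:])
        if dll[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return {"key": key, "rc4_key": rc4_key, "payload_offset": off, "dll": dll}
    raise ValueError("no PE image found after the key field")


def build_sample(key=b"333", padding=13):
    """Construct a blog-post blob in the slide's layout for offline testing.

    The "DLL" is only an MZ/PE header stub, not a real binary. Returns the post
    text and the plaintext stub so a caller can compare the decoder's output.
    """
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)              # e_lfanew -> 0x40
    stub += b"PE\0\0" + b"\x4c\x01" + b"\0" * 26           # PE sig, Machine=i386, filler
    enc = rc4(bytes(b ^ 0x02 for b in key), bytes(stub))
    raw = struct.pack("<I", len(key)) + key + b"\0" * padding + enc
    post = "ab12" + MARKER + base64.b64encode(raw).decode() + MARKER + "zz9"
    return post, bytes(stub)


if __name__ == "__main__":
    post, stub = build_sample()
    result = decode_illitat(post)
    print("key=%r rc4_key=%r offset=%d ok=%s"
          % (result["key"], result["rc4_key"], result["payload_offset"], result["dll"] == stub))
```

On the real sample the same parse gives key length 3 and key "333" (the leading AwAAADMzMw of the Base64 text), so the RC4 key is "111"; the recovered DLL can then be hashed and scanned without ever executing the downloader.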
Page 67 (section title): Control Channel
Page 68: Control channel flow (diagram)
Parties: Victim, Cloud Service, Actor. Commands flow from the actor to the victim and data from the victim to the actor, both through the cloud service.
Page 69 (section title): The Malwares
Page 70: Stalk
• Name: Stalk / glooxmail
• Targeted Country:
• Targeted Sector:
• First Seen: 2011
• Infrastructure: G Talk
• Campaign: APT1
Page 71 (diagram): Victim, steps 1 and 2; the encoded command travels over the TLS-encrypted G Talk channel.
Page 72: TROJAN.GTALK functionality
Function / Description
• Create/kill/list processes: Send a process listing, kill a process by name or PID.
• File upload/download
• Gather system information: Information includes hostname, IP address, OS version, and the static string “0.0.1” which may be a malware version string.
• Interactive shell session: Start a cmd.exe child process. Arbitrary commands can be sent from a remote host to the malware to execute.
• Set sleep interval
Page 73: Kimsuky
• Name: Kimsuky
• Targeted Country: KR
• Targeted Sector: GOV; Military Industry; ThinkTank
• First Seen: 2013
• Infrastructure: Public email service, TeamViewer
• Behavior: communicates with its “master” via a public e-mail server and TeamViewer
Page 74: Kimsuky channel (diagram)
Victim, steps 1 to 4. Labels: RC4 Encrypted Data; RSA Encrypted RC4 Key; RC4 Encrypted.
Page 75: Modules
Module / Description
• Keystroke logging; Directory listing collection; HWP document theft (Hancom Office): Gather information and spy on the victim
• Remote control download and execution: Download extra program from incoming mail
• Remote control access: Use modified TeamViewer client
Page 76: Interesting
• The public e-mail server: Bulgarian (mail.bg)
• Compilation path string: Korean characters
  D:\rsh\공격\UAC_dll(완성)\Release\test.pdb
  (translated: D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb)
• Modified TeamViewer
Page 77: Attacker Thread - IP (figure)
Page 78: Attacker Thread – Mail Account
• Mail accounts: [email protected], [email protected]
• Dropbox account names: kimsukyang and “Kim asdfa”
Page 79: Who are the target or targets…?
Page 80 (section title): What APT malware love about cloud service?
Page 81
• Easy to change, like DDNS
• Bypasses passive DNS
• Bypasses IDS
• Bypasses AV
• Difficult to trace
• Lower cost
• Easy to build and maintain
Page 82 (section title): What can we do?
Page 83: What can we do?
• Black list
Page 84: What can we do?
• CTI (Cyber Threat Intelligence)
• “Cyber threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise.” (Jon Friedman et al., 2015, Definitive Guide to Cyber Threat Intelligence)
Page 85
• Security Guard: 24x7 monitoring and reporting; indicator matching
• Emergency Response Team: emergency response, handling crisis; malware weapon
• Doctor: prescription; high-level strategy
• Private Detective: investigation, long-term tracking; campaign tactics, techniques and procedures
Cycle shown on the slide: review, prevent, detect, respond.
Page 86: Q & A