4. OUR MISSION
Analyze the data available to Palo Alto Networks to identify adversaries, their motivations, resources, and tactics to better understand the threats our customers face.
https://unit42.paloaltonetworks.com @Unit42_Intel
5. Cyber Threat Alliance
Charter Members, Affiliate Members, Contributing Members (member logos)
1. To share threat information in order to improve defenses against advanced cyber adversaries across member organizations and their customers.
2. To advance the cybersecurity of critical information technology infrastructures.
3. To increase the security, availability, integrity and efficiency of information systems.
6. Mission…
“Foster relationships with SOC, IR and CERT teams from customers, partners and organisations in EMEA to collaborate and share threat information.”
60+ Members…
Threat Information Sharing Program (TISP)
8. BabyShark “Top Trumps”
Language: VBS
Debut year: 2018
Key Interests: Universities and Think-tanks
Hobbies: Espionage (related to nuclear security and Korean peninsula)
Best friends: KimJongRAT and STOLEN PENCIL
Works for: Kimsuky Group (aka Velvet Chollima, THALLIUM, Nickel Foxcroft)
Special powers: Cryptocurrency mining
Family members: 4
15. OBJECTIVE
• Espionage related to nuclear security;
• Espionage related to Korean peninsula’s national security issues;
• Financial gain with focus on the cryptocurrency

Command Name: Description
getfiles: Archive all files in the BabyShark base path as a ZIP archive, then upload to the C2
exe_down: Download further payloads
redirect_vbs: Possible C2 path change

16. OBJECTIVE
Command Name: Description
keyhook: Start key loggers implemented using PowerShell (available on GitHub) or custom C#
dir list: Collect host information using: whoami, hostname, ipconfig, net user, arp -a, dir (various), vol and tasklist
power com: Load DLL component
exe del: Clean up all files associated with secondary payload execution
execute: Execute payloads
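The dir list command above runs a fixed set of built-in discovery tools in quick succession from a script host, which is a detectable pattern on its own. The following is an added example (not code from the talk or from Unit 42) that flags such a burst in process-creation telemetry; the event layout, the sample log lines and the script-host list are constructed assumptions for this example.

```python
"""Added example, not from the talk: flag a burst of the host-discovery
commands BabyShark's dir list runs (whoami, hostname, ipconfig, net user,
arp -a, dir, vol, tasklist) launched from a script host. Constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = {"whoami", "hostname", "ipconfig", "net", "arp", "dir", "vol", "tasklist"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}  # VBS/PS parents

# Constructed process-creation events: (timestamp, parent image, command line).
SAMPLE_EVENTS = [
    ("2019-05-01 09:00:01", "wscript.exe", "cmd.exe /c whoami"),
    ("2019-05-01 09:00:02", "wscript.exe", "cmd.exe /c hostname"),
    ("2019-05-01 09:00:02", "wscript.exe", "cmd.exe /c ipconfig /all"),
    ("2019-05-01 09:00:03", "wscript.exe", "cmd.exe /c net user"),
    ("2019-05-01 09:00:03", "wscript.exe", "cmd.exe /c arp -a"),
    ("2019-05-01 09:00:04", "wscript.exe", "cmd.exe /c tasklist"),
    ("2019-05-01 09:30:00", "explorer.exe", "cmd.exe /c ipconfig"),   # admin, benign
    ("2019-05-01 10:15:00", "explorer.exe", "cmd.exe /c whoami"),     # admin, benign
]

def discovery_verb(cmdline):
    """Return the discovery command run by a `cmd.exe /c ...` line, else None."""
    tokens = cmdline.lower().split()
    if "/c" in tokens:
        tokens = tokens[tokens.index("/c") + 1:]
    return tokens[0] if tokens and tokens[0] in DISCOVERY else None

def find_discovery_bursts(events, window_s=60, min_distinct=4):
    """Alert when one script-host parent runs at least `min_distinct` different
    discovery commands within `window_s` seconds (one alert per parent)."""
    by_parent = defaultdict(list)
    for ts, parent, cmdline in events:
        verb = discovery_verb(cmdline)
        if verb and parent.lower() in SCRIPT_HOSTS:
            by_parent[parent.lower()].append((datetime.fromisoformat(ts), verb))
    alerts = []
    for parent, seq in by_parent.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            limit = start + timedelta(seconds=window_s)
            seen = {v for t, v in seq[i:] if t <= limit}
            if len(seen) >= min_distinct:
                alerts.append((parent, start.isoformat(sep=" "), sorted(seen)))
                break
    return alerts

if __name__ == "__main__":
    for parent, when, verbs in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{when} {parent} ran {len(verbs)} discovery commands: {', '.join(verbs)}")
```

The two explorer.exe events show why the parent filter and the distinct-command threshold matter: a single ipconfig or whoami typed by an administrator never trips the rule.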
18. ADVERSARY PLAYBOOK CONCEPT
An Adversary's Playbook is the organized collection of the Techniques, Tactics and Procedures (TTP) they employ when launching cyber-attacks. As adversaries do not share their playbooks with defenders, we must derive them through observations of live attacks, shared information and intelligence analysis.
19. Deconstructing the Attack Life Cycle
Command & Control: Custom Command and Control; Fallback Channels; Data Encoding
21. STIX 2.0, ATT&CK, Attack Life Cycle, Playbooks
STIX 2.0: Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence.
ATT&CK: MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior.
Attack Life Cycle: A linear, phase-based process an adversary must complete to successfully execute an attack.
Playbooks: A method of organizing tactics, tools, and procedures adversaries used in a structured data format.
26. Campaign 1 and Campaign 2 across the attack life cycle (Recon, Weaponize, Delivery, Exploit, Install, C2, Act on Obj.)

Campaign 1
Recon: Identify business relationships; Acquire OSINT data sets and information; Obtain templates/branding materials
Weaponize: Acquire and/or use 3rd party infrastructure services; Remote access tool development; Install and configure hardware, network, and systems; Obfuscate or encrypt code; Obtain/re-use payloads; Buy domain name; Create custom payloads; Host-based hiding techniques; Misattributable credentials
Delivery: Conduct social engineering or HUMINT operation; Spear phishing messages with malicious attachments
Exploit: Authorized user performs requested cyber action
Install: Hidden Files and Directories; Process Injection; Rundll32; Software Packing; Scripting; Remote File Copy; Logon Scripts
C2: Data Encoding; Standard Application Layer Protocol
Act on Obj.: Process Discovery; Automated Collection; Screen Capture; Clipboard Data; System Network Configuration Discovery; File and Directory Discovery

Campaign 2
Weaponize: Obtain/re-use payloads; Buy domain name; Create custom payloads
Delivery: Spear phishing messages with malicious attachments
Exploit: Authorized user performs requested cyber action; Confirmation of launched compromise achieved
C2: Custom Cryptographic Protocol; Standard Application Layer Protocol; Commonly Used Port
Act on Obj.: System Information Discovery
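The playbook concept (slide 18) and the STIX 2.0 / ATT&CK definitions (slide 21) come together in a structured record like the one above: each campaign is linked to the techniques it used, tagged with the life-cycle phase. The following is an added example, not Unit 42's playbook tooling, that builds such a record as a minimal STIX 2.0 bundle from the C2 and Act-on-Objectives columns of the two campaigns and pivots on it to find techniques shared across campaigns. The kill-chain name, ids and timestamps are assumptions made for this example.

```python
"""Added example (not Unit 42's playbook code): two BabyShark campaigns as a
minimal STIX 2.0 bundle of campaign, attack-pattern and 'uses' relationship
objects. Technique and phase names are from the slide; the rest is assumed."""
import uuid

NS = uuid.NAMESPACE_DNS             # namespace for deterministic ids (assumption)
NOW = "2019-05-01T00:00:00.000Z"    # constructed timestamp

def stix_id(obj_type, name):
    """Deterministic STIX id: <type>--<uuid5> so re-runs give the same bundle."""
    return f"{obj_type}--{uuid.uuid5(NS, obj_type + ':' + name)}"

def build_playbook(actor, campaigns):
    """campaigns: {campaign: {phase: [technique, ...]}} -> STIX 2.0 bundle dict."""
    objects = {}
    for cname, phases in campaigns.items():
        cid = stix_id("campaign", cname)
        objects[cid] = {"type": "campaign", "id": cid, "created": NOW,
                        "modified": NOW, "name": f"{actor} {cname}"}
        for phase, techniques in phases.items():
            for tech in techniques:
                tid = stix_id("attack-pattern", tech)   # shared across campaigns
                objects.setdefault(tid, {
                    "type": "attack-pattern", "id": tid, "created": NOW,
                    "modified": NOW, "name": tech,
                    "kill_chain_phases": [{"kill_chain_name": "attack-lifecycle",
                        "phase_name": phase.lower().replace(" ", "-").rstrip(".")}]})
                rid = stix_id("relationship", cid + "|" + tid)
                objects[rid] = {"type": "relationship", "id": rid, "created": NOW,
                                "modified": NOW, "relationship_type": "uses",
                                "source_ref": cid, "target_ref": tid}
    return {"type": "bundle", "id": stix_id("bundle", actor),
            "spec_version": "2.0", "objects": list(objects.values())}

def campaigns_per_technique(bundle):
    """Pivot: technique name -> number of campaigns that use it."""
    names = {o["id"]: o["name"] for o in bundle["objects"] if o["type"] == "attack-pattern"}
    counts = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "uses":
            counts[names[o["target_ref"]]] = counts.get(names[o["target_ref"]], 0) + 1
    return counts

# C2 and Act-on-Objectives techniques as listed on the slide for each campaign.
BABYSHARK = build_playbook("BabyShark", {
    "Campaign 1": {"C2": ["Data Encoding", "Standard Application Layer Protocol"],
                   "Act on Obj.": ["Process Discovery", "Screen Capture"]},
    "Campaign 2": {"C2": ["Custom Cryptographic Protocol",
                          "Standard Application Layer Protocol", "Commonly Used Port"],
                   "Act on Obj.": ["System Information Discovery"]},
})
```

Because attack-pattern ids are derived from the technique name, both campaigns point at one "Standard Application Layer Protocol" object and the pivot reports it with a count of 2, which is the kind of overlap a playbook is meant to surface.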