Targeted Attacks on Major Industry Sectors in South Korea
CHA Minseok (Jacky Cha, 車珉錫) – Full Version
Senior Principal Malware Researcher
AhnLab | ASEC | Analysis Team
AVAR 2017 (December 7, 2017)
4. © AhnLab, Inc. All rights reserved. 4
VenusLocker Ransomware
• Spear Phishing
- Email written in Korean
* Source: http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26309
VenusLocker Ransomware
• Macro Downloader
- Chinese font?!
Erebus Ransomware
• Web hosting company Nayana was hit by Erebus ransomware
- Attack occurred on June 10, 2017, at 1:00 am
- Files on 153 servers were encrypted; 5,496 websites were affected; paid over $1 million
- 2 similar attacks in November (different Linux ransomware)
* Source: http://securityaffairs.co/wordpress/60281/malware/erebus-ransomware-hit-south-korea.html & http://english.etnews.com/20171109200001 & http://ciobiz.etnews.com/news/article.html?id=20171129120027
ATM Hacking
• ATM Hacking (by Andariel Group)
- 230,000 credit cards in total were leaked (September 2016 ~ February 2017)
- Illegal withdrawals through ATMs in China, Thailand and Taiwan
- 4 suspects arrested → obtained the private financial data from a middleman who claimed he got the information from a North Korean
- Malware used in this attack was very similar to the malware used in the Korean MND hacking
* Source: http://english.yonhapnews.co.kr/news/2017/09/06/0200000000AEN20170906007600315.html & http://www.itworld.co.kr/news/106281
Cryptocurrency Exchange Platform Hacked
• Cryptocurrency Exchange Platform Hacked
- Malicious Hangul document (HWP) file as attack vector
- Customer data leaked
- Maybe by the threat group behind Operation Red Dot
* Source: http://uk.businessinsider.com/south-korean-bitcoin-exchange-bithumb-hacked-ethereum-2017-7 & http://www.hani.co.kr/arti/economy/it/801322.html
Supply Chain Attack
• Supply Chain Attack
- Backdoor found in Netsarang server management software
* Source: https://securelist.com/shadowpad-in-corporate-networks/81432 & http://www.netsarang.co.kr/news/security_exploit_in_july_18_2017_build.html
Travel Agency Breached
• South Korea’s Largest Travel Agency Hacked
* Source: https://coinjournal.net/south-koreas-largest-travel-agency-breached-hacker-demands-bitcoin-payment/ & http://www.hanatour.com/asp/custcenter/bb-20000.asp
Activity groups/APTs in South Korea
[Timeline chart, 2007–2018: Icefog; OP Red Dot (Escad, Loader); Andariel (Rifdoor, GhostRat, Phandoor, Andarat); Dllbot; Xwdoor; OP Black Mine (Bmdoor); OP Bitter Biscuit (Bisonal, Dexbia); OP Happy Dragon; Kimsuky; Plugx (Korplug)]
Infection Vector
[Diagram: Watering hole (ActiveX); Email (Spear Phishing); Update Server / Supply Chain / IT Maintenance Services; IT Management system (update, vulnerability attack); C2; Listening port; Send file transfer commands; Web server; Port scanning; Vulnerability attacks]
Andariel
• Andariel
- Presumed to be another Lazarus spinoff
- DarkSeoul (2013), Operation Black Mine (2014-2015)
- Operation Ghost Rifle == Operation Anonymous Phantom == Operation Golden Axe == Campaign Rifle
- Targets: Defense Industry, Cyber Security Companies, Political Institutions, MND (Ministry of National Defense), Finance Sector, Energy Research Institution etc.
- Attack Vectors: Spear Phishing, Watering Hole (ActiveX vulnerability), IT Management System Vulnerability, Supply Chain Attack
- Malware: Andarat, Bmdoor, GhostRat, Rifdoor, Phandoor
- AhnLab published the whitepaper in July, 2017
- FSI (Financial Security Institute) published the whitepaper in August, 2017
Malware
• They are using various malware
- Exploits
  − ActiveX
  − Flash
  − IT Management System
- Stealers / Tools
  − Backdoor (Andarat, Bmdoor, GhostRat, Phandoor, Rifdoor, Xtreame)
  − Keylogger
  − Mimikatz
  − OSQL
  − Privilege Escalation
  − Putty Link
  − Proxy Server
  − Port Scanner
  − Wiper
Andariel Timeline
[Timeline chart, 2008–2018. Events: 7.7 DDoS; 3.4 DDoS; 3.20 cyber-attack (gathering information); 3.20 cyber attack (DarkSeoul) & 6.25 cyber attack; ActiveX vulnerabilities attack; Korean government; security company; defense company; Seoul ADEX participants; security breach of major companies; MND hacked; ATM hacked; financial sector; breach of travel agency; energy research institute. Malware: Dllbot; Xwdoor; Operation Black Mine (Bmdoor); Operation Ghost Rifle (Rifdoor); Operation Anonymous Phantom (Phandoor)]
Infection Vector – ActiveX A
• Report Product A Exploit
- Script file created → downloaded
Infection Vector – ActiveX A
• Script
- First 5 bytes (MZ...) removed from the file before download → first 5 bytes (MZ...) restored by the script after download
Infection Vector – IT Management B
• IT Management Product B exploit
- V3PScan.exe file distributed through IT Management System
Infection Vector – IT Management B
• IT Management Product B Ports
- 3511: Client Listen Port
- 3523, 3524: File Transfer
* Source: Product B User Manual (2004)
Infection Vector – IT Management C
• IT Management Product C exploit
- Target IP, Download URL, Path
- Product C file transfer (Port 7224)
Infection Vector – IT Management C
• Script
- File downloaded and first 5 bytes (MZ) recovered
- Argv: Download URL
- Argv: Remote File Path
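The ActiveX A and IT Management C scripts both transfer a PE with its first 5 bytes removed and put them back after download. As an added defender-side example (not code from the slides or from AhnLab), the Python below triages a captured download for exactly that shape: the DOS header fields and the PE signature sit 5 bytes earlier than the format says. The 5-byte prefix used for restoration and the sample blob are assumptions constructed for the example.

```python
import struct

# Number of leading bytes the downloader script strips before transfer and
# restores afterwards, as described on the slides.
STRIPPED = 5
# Assumed replacement prefix: the usual start of an MSVC-built PE DOS header
# ("MZ", e_cblp=0x90, low byte of e_cp=0x03). Not taken from the page.
DOS_PREFIX = b"MZ\x90\x00\x03"


def pe_signature_offset(blob: bytes):
    """Return e_lfanew if blob is a PE image with an intact DOS header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def is_headerless_pe(blob: bytes) -> bool:
    """Detect a PE whose first STRIPPED bytes were removed: e_lfanew is read
    STRIPPED bytes early, and it points STRIPPED bytes past the PE signature."""
    if len(blob) < 0x40 - STRIPPED:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C - STRIPPED)[0]
    sig = e_lfanew - STRIPPED
    return 0 <= sig and sig + 4 <= len(blob) and blob[sig:sig + 4] == b"PE\0\0"


def restore_header(blob: bytes) -> bytes:
    """Prepend the assumed 5-byte prefix so the file can be parsed and scanned."""
    return DOS_PREFIX + blob


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob for offline testing (not real malware)."""
    hdr = bytearray(0x80)
    hdr[:len(DOS_PREFIX)] = DOS_PREFIX
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\0\0" + bytes(0x14)   # signature + dummy COFF header


def triage(blob: bytes) -> str:
    """Classify a captured download: full PE, headerless PE, or other."""
    if pe_signature_offset(blob) is not None:
        return "pe"
    if is_headerless_pe(blob):
        return "headerless-pe"
    return "other"
```

Run `triage()` over files captured from the file-transfer ports listed for the IT management products; a "headerless-pe" result is a file that a plain MZ-signature check would have missed.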
2015 - Attack against Seoul ADEX 2015 Participants
• Defense companies suffer from hacking attacks
- Seoul ADEX (Seoul International Aerospace and Defense Exhibition)
* Source: http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html
2015 - Attack against Seoul ADEX 2015 Participants
• Attack against Seoul ADEX 2015 Participants (1)
- Macro Downloader
-> Seoul ADEX result & visitors list
-> disguised as Headquarters of Seoul ADEX
2015 - Attack against Seoul ADEX 2015 Participants
• Attack against Seoul ADEX 2015 Participants (1)
- Rifdoor downloaded
2016 - Security Breach of Major Companies
• Malware distributed through an IT management system vulnerability
- Hacked into more than 140,000 computers at 160 South Korean companies and government agencies
- 42,608 documents were reported to have been leaked
- Attack began in 2014 and was detected in February 2016
* Source: http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE
2016 - Security Breach of Major Companies
[Diagram: attacker attacks the IT Management System B vulnerability; V3PScan.exe was distributed by the IT management system; GhostRat on major companies and arms manufacturers; C2 and storage server to prevent data loss]
2017 – Financial Sector Attack
• Macro Downloader
- Disguised as new government diplomatic advisory list
- V3UI.exe downloaded
2017 – Financial Sector Attack
• Macro Comparison
- Seoul ADEX attendees (2015) vs. Finance Sector (2017)
Malware – GhostRat
• Customized Gh0st RAT
- Source code released
Malware - Rifdoor
• Rifdoor (Rifle + Backdoor) == Operation Ghost Rifle (2015)
- Backdoor (90KB)
- PDB: contains ‘rifle’
- Adds random data
Backdoor - Phandoor
• Phandoor (Phantom.exe + Backdoor) == Operation Anonymous Phantom (2016-2017)
- Original file name was Phantom.exe → Phantom.exe + Backdoor = Phandoor
- S^!?
- Anonymous?
Backdoor - Phandoor
• Mystery ‘S^’
- ‘S^’ found in the Xwdoor (2012) & Phandoor (2016)
Backdoor - Phandoor
• Similar Encoding Codes
- Rifdoor vs. Phandoor
Malware - Wiper
• Wiper
- Whether the wiper has been used in a real attack is not identified
Operation Red Dot
• Operation Red Dot
- Period: From early 2014 ~
- Main targets: Defense Industry, Political institutions, Major companies (Conglomerates), Hosting Services, Financial Sector, Cryptocurrency Exchange…
- Malware: Escad, Loader
- Remark: This hacking group is possibly involved with the security breach of Sony Pictures
Operation Red Dot
• Relation
* Source: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf & https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/
Timeline
[Timeline chart, 2014–2017. Targets: Sony Pictures hacking; Seoul ADEX participants; political institutions; web hosting services; Major Company A; Major Company B; defense firms; websites against North Korea; financial sector; cryptocurrency exchange. Malware: Escad; Loader(1) x86; Loader(1) x64; Loader(2); Loader(2) – Resource; Backdoor(1) A; Backdoor(1) B; Backdoor(2). Vulnerabilities: HWPx vulnerability (CVE-2015-6585); HWP files (with EPS); Open Type Font Elevation of Privilege Vulnerability MS16-132 (CVE-2016-7256); network isolation vulnerability]
2014 - Security Breach of Sony Pictures
• Sony Pictures Hack
- Eliminated Sony’s computer infrastructure
- Leaked confidential data
* Source: http://imgur.com/qXNgFVz & https://gist.github.com/anonymous/7b9a0a0ac94065ccfc5b
2015 - Attack against Seoul ADEX 2015 Participants
• News reported, “There is a possibility that this hacking group could be connected with the Sony Pictures hacking group” (October 2015)
* Source: http://www.boannews.com/media/view.asp?idx=48598&kind=0 & http://www.etnews.com/20151007000172
2015 - Attack against Seoul ADEX 2015 Participants
• Attack against Seoul ADEX 2015 Participants (2)
- HWPx Vulnerability (CVE-2015-6585) -> zero-day vulnerability at the time
-> invitation.hwp
Backdoor - Escad
• Malware Sample Comparison
- Sony Pictures hack vs. attack in South Korea
Backdoor - Escad
• Escad Type A (Sony Pictures hack)
Backdoor - Escad
• Escad Type B
- XOR 0x89
Operation Bitter Biscuit
• Operation Bitter Biscuit
- AhnLab released a whitepaper in October 2017
- Operation Bitter Biscuit == The HeartBeat APT @ AVAR 2012 == Operation Orca @ VB2017
- Activities in South Korea since 2009 (2008?)
- Targets: Military, Defense Research Institutes, Defense Industry, ICT, Manufacturer
- Infection Vector: Executable files disguised as document files & Macro
- Malware: Presonal, Bisonal (Biscon, Korlia), Dexbia (Bromall)
- Bisonal samples contain ‘bisonal’, ‘bioazih’, ‘biaozih’
- File names: 6ro4.dll, 6to4nt.dll, ahn.exe, AhnSDsv.exe, ahnupdate.exe, AYagent.exe, chrome.exe, conhost.exe, conime.exe, ctfmon.exe, deskmvr.exe, dlg.exe, htrn.dll, hyper.dll, lpk.dll, lsass.exe, mfc.exe, mmc.exe, msacm32.dll, netfxocm.exe, serskt.exe, svcsep.exe, taskmgr.exe, tpcon.exe, tsc.exe, v3update.exe, winhelp.exe
Relation
• Operation Bitter Biscuit == The HeartBeat APT == Operation Orca
* Source: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign & https://camal.coseinc.com/publish/2013Bisonal.pdf & https://blogs.technet.microsoft.com/mmpc/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe/ & http://www.cert-in.org.in & https://www.virusbulletin.com/conference/vb2017/abstracts/operation-orca-cyber-espionage-diving-ocean-least-six-years/
Timeline
[Timeline chart, 2009–2018. Malware/campaigns: Presonal; Bisonal Type A; Bisonal Type B; The HeartBeat APT Campaign; Bioazih RAT blog; Operation Orca; Operation Bitter Biscuit. Targets: attacks on Korean government; military; military security research institute; defense industry; Japanese defense industry; ICT; IT; manufacturer]
Infection Vector
• Executable file disguised as document files
Infection Vector
• Document files containing macros
- Political Seminar Agenda
Decoy documents
• Invitation & Conference & Resume
Bisonal
• Features
- bisonal, bioazih, biaozih
Dexbia (Bromall)
• Dexbia (Bromall)
- Port / C&C
Malware Evolution Process
01 (2011-2012)
• Bisonal, Bioazih strings
• Dynamic DNS
02 (2013-2014)
• Bisonal, Bioazih strings
• Encrypting strings
• Dexbia (Bromall) discovered
03 (2015-2017)
• Dexbia (Bromall)
• Packed Bisonal
Korean?!
• GhostRat Management Korean Edition
- Korean but strange
  Strings (문자렬 -> 문자열)
  ??? (maybe when notified)
  팁 Tip ???
  (typo 암 -> 안)
  System Setting (체계설정 -> 설정)
  Secret (비밀 -> 암호 Password) User
Korean?!
• Korean?!
- C:UsersKGHDownloads(DONE)TROYS(DONE)(done)1charelease(done)(done)1cha(dll)Installer-dll-service-win32ReleaseInstallBD.pdb
- KGH: common Korean name initials (?)
- 1cha: ‘cha’ has the same pronunciation as the Korean ordinal number
- C8: the same pronunciation as a profanity with the meaning of the F-word in Korea
Conclusion
• Conclusion
- 5 groups active in South Korea, at least
- Andariel Group, Operation Red Dot: motivation for attacks seems to have changed (confidential information → monetary benefit)
- Some of them know Korean very well and know Korean culture and environment
- They attack vulnerabilities in Korean software and disguise malware as famous Korean software
- Some of them are active outside of Korea
• Cooperation
- We need to cooperate to fight them!
Q&A
minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com, https://www.facebook.com/xcoolcat7
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
Reference
• Targeted Attacks on Defense Industry (Korean)
(http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26565ABC, http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threats.pdf)
• Targeted Attacks on Defense Industry
(http://download.ahnlab.com/global/brochure/Tech_Report_Defense%20Industry.pdf)
• Cyber Threat Intelligence Report (Korean)
(https://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do)