Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version

TargetedAttacks on
Major Industry Sectors in South Korea
CHA Minseok (Jacky Cha, 車珉錫) – Full Version
Senior Principal Malware Researcher
AhnLab | ASEC | Analysis Team
AVAR 2017 (December 7, 2017)

Contents
01
02
03
04
05
06
07
Cyber Attacks in South Korea, 2017
Infection Vector
Andariel Group
Operation Red Dot
Operation Bitter Biscuit
Who Is Behind The Attacks?
Conclusion

01
Cyber Attacks in South Korea, 2017

© AhnLab, Inc. All rights reserved. 4
VenusLocker Ransomware
• SpearPhishing
-EmailwritteninKorean
* http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26309

VenusLocker Ransomware
• Macro Downloader
- ChineseFont?!

Erebus Ransomware
• Web hostingcompanyNayana was hit by Erebusransomware
-AttackoccurredinJune10,20171:00am
-Filesin153servershavebeenencrypted.5,496websiteswereaffected.Paidover$1Million
-2similarattacksinNovember(DifferentLinuxRansomware)
* Source:http://securityaffairs.co/wordpress/60281/malware/erebus-ransomware-hit-south-korea.html&http://english.etnews.com/20171109200001&
http://ciobiz.etnews.com/news/article.html?id=20171129120027

ATM Hacking
• ATM Hacking(byAndarielGroup)
- 230,000credit cardsin totalwere leaked (September2016 ~ February 2017)
-IllegalwithdrawalsthroughATMsinChina,ThailandandTaiwan
-4suspectsarrested→obtainedtheprivatefinancialdatafromamiddlemanwhoclaimedhegottheinformationfroma
NorthKorean
-MalwareusedinthisattackwasverysimilartothemalwareusedintheKoreanMNDhacking
* Source:http://english.yonhapnews.co.kr/news/2017/09/06/0200000000AEN20170906007600315.html&http://www.itworld.co.kr/news/106281

Cryptocurrency Exchange Platform Hacked
• Cryptocurrency ExchangePlatformHacked
-MaliciousHanguldocument(HWP)fileasattackvector
-Customerdataleaked
-maybebythethreatgroupbehindOperationRedDot
* Source:http://uk.businessinsider.com/south-korean-bitcoin-exchange-bithumb-hacked-ethereum-2017-7&
http://www.hani.co.kr/arti/economy/it/801322.html

Supply Chain Attack
• SupplyChainAttack
- BackdoorfoundinNetsarangservermanagementsoftware
* Source:https://securelist.com/shadowpad-in-corporate-networks/81432&
http://www.netsarang.co.kr/news/security_exploit_in_july_18_2017_build.html

Travel Agency Breached
• South Korea’sLargestTravelAgencyHacked
-
* Source:https://coinjournal.net/south-koreas-largest-travel-agency-breached-hacker-demands-bitcoin-payment/&
http://www.hanatour.com/asp/custcenter/bb-20000.asp

© AhnLab, Inc. All rights reserved.
Activity groups/APTs in South Korea
2007 2013 2014 2015 2016 2017
Icefog
OP Red Dot (Escad, Loader)
Andariel (Rifdoor, GhostRat, Phandoor, Andarat)
Dllbot Xwdoor
OP Black Mine
(Bmdoor)
2011
OP Bitter Biscuit (Bisonal, Dexbia)
OP Happy Dragon
2018
Kimsuky
2012
Plugx (Korplug)

Infection Vector
Watering hole
(ActiveX)
Email (Spear Phishing)
Update
IT
Management
system
C2
Vulnerability
Attack
Update
Server Supply Chain / IT Maintenace Services
Listening Port
Web
Server
Send file transfer
commands
Listening Port
Port Scanning
Vulnerability Attacks

Andariel
• Andariel
-PresumedtobeanotherLazarusspinoff
-DarkSeoul(2013),OperationBlackMine(2014-2015)
-OperationGhostRifle==OperationAnonymousPhantom==OperationGoldenAxe==CampaignRifle
-Targets:DefenseIndustry,CyberSecurityCompanies,PoliticalInstitutions,MND(MinistryofNationalDefense),Finance
Sector,EnergyResearchInstitutionetc.
-AttackVectors:SpearPhishing,WateringHole(Active-Xvulnerability),ITManagementSystemVulnerability,
SupplyChainAttack
-Malware:Andarat,Bmdoor,GhostRat,Rifdoor,Phandoor
-AhnLabpublishedthewhitepaper inJuly,2017
-FSI(FinancialSecurityInstitute) publishedthewhitepaperinAugust,2017

Malware
• Theyare usingvariousmalware
icon
Exploits
− Active X
− Flash
− IT Management System
Stealers Tools
− Backdoor (Andarat, Bmdoor,
GhostRat, Phandoor, Rifdoor,
Xtreame)
− Keylogger
− Mimikatz
− OSQL
− Privilege Escalation
− Putty Link
− Proxy Server
− Port Scanner
− Wiper

Andariel Timeline
2008 2009 2013 2014 2015 2016
3.4
DDoS
3.20Cyber
attack
(DarkSeoul)
&
6.25Cyber
Attack
2017
SeoulADEX
participants
7.7
DDoS
Security
breach
of
majorcompanies
MND
hacked
ATM
hacked
Financial
Sector
Breach
of
Travel
Agency
Energy
Research
Institute
OperationBlack Mine (Bmdoor)
OperationGhost Rifle (Rifdoor)
Xwdoor
2011 2012
3.20Cyber-attack
(Gatheringinformation)
OperationAnonymous Phantom(Phandoor)
Security
Company
Defense
Company
ActiveX
Vulnerabilities
Attack
Dllbot
Korean
Government
2018

Infection Vector – ActiveX A
• Report ProductAExploit
-Scriptfilecreated→downloaded

Infection Vector – ActiveX A
• Script
-First5bytesdownloadremoved (MZ...)→first5bytesrecoverylost (MZ...)

Infection Vector – IT Management B
• ITManagementProductB exploit
- V3PScan.exefiledistributedthroughITManagementSystem

Infection Vector – IT Management B
• ITManagementProductB Ports
-3511:ClientListenPort
-3523,3524:FileTransfer
* Source:ProductBUserManual (2004)

Infection Vector – IT Management C
• ITManagementProductC exploit
- TargetIP,DownloadURL,Path
-ProductCfiletransfer(Port7224)

Infection Vector – IT Management C
• Script
-Filedownloadedandrecovered5bytes(MZ)
Argv : DownloadURL
Argv : RemoteFilePath

2015 - Attack against SeoulADEX 2015 Participants
• Defensecompaniessufferfrom hacking attacks
- SeoulADEX(Seoul International Aerospace and Defense Exhibition)
*Source:http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html

• AttackagainstSeoulADEX2015Participants(1)
- MacroDownloader
-> Seoul ADEX Result & visitors list
-> disguising as Headquarters of Seoul ADEX

-Rifdoordownloaded

2016 - Security Breach of Major Companies
• Malware distributedthrough vulnerable ITmanagementsystem vulnerability
-Hackedintomorethan140,000computersat160SouthKoreancompaniesandgovernmentagencies
-42,608documentswerereportedtohavebeenleaked
-Attackbeganin2014andwasdetectedinFebruary2016
*Source:http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE

Attacker
Major companies and
arms manufacturers
C2 and
storage server to
prevent data loss
GhostRat
2016 - Security Breach of Major Companies
V3PScan.exe was distributed by
IT Management System
Attack IT Management System B
vulnerability

2017 – Financial SectorAttack
• Macro Downloader
-Disguisedasnewgovernmentdiplomaticadvisorylist
-V3UI.exedownloaded

2017 – Financial SectorAttack
• Macro Comparison
-SeoulADEXattendees(2015)vsFinanceSector(2017)

Malware – GhostRat
• customizedGh0st RAT
- Sourcecodereleased

Malware - Rifdoor
• Rifdoor(Rifle+ Bakcdoor)== Operation Ghost Rifle(2015)
-Backdoor(90KB)
-PDB:contain‘rifle’
-Addsrandomdata

Backdoor - Phandoor
• Phandoor(Phantom.exe+ Backdoor)== OperationAnonymousPhantom(2016-2017)
-OriginalfilenamewasPhantom.exe→Phantom.exe+Backdoor=Phandoor
-S^!?
- Anonymous?

Backdoor - Phandoor
• Mystery ‘S^’
-‘S^’foundintheXwdoor(2012)&Phandoor(2016)

Backdoor - Phandoor
• SimilarEncodingCodes
- Rifdoorvs.Phandoor

Malware - Wiper
• Wiper
-WhetherWiperisusedinrealattackisnotidentified

Operation Red Dot
• Operation Red Dot
-Period:Fromearly2014~
-Maintargets:DefenseIndustry,Politicalinstitutions,Majorcompanies(Conglomerates),HostingServices,Financial
Sector,CryptocurrencyExchange…
-Malwares:Escad,Loader
-Remark:Thishackinggroupispossibly involvedwiththesecuritybreachofSonyPictures

Operation Red Dot
• Relation
-
* Source:https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf &
https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/

Timeline
2014 2016 20172015
Sony Pictures
Hacking
Loader(1)
x86
Loader(2)
Backdoor(2)
Backdoor
(1)B
Escad
Loader(1)x64
Loader(2)–
Resource
Loader(1)
Backdoor (1)A
Web
Hosting
Services
SeoulADEX
Participants
Political
institutions
Major
CompanyB
Cryptocurrency
Exchange
Major
CompanyA Financial
Sector
Open Type Font Elevation of
Privilege Vulnerability
MS16-132 (CVE-2016-7256)
HWP Files
(with EPS)
HWPx
Vulnerability
(CVE-2015-
6585)
Network
Isolation
Vulnerability
Major
CompanyA
Websites
against
North Korea
Defense
Firms

2014 - Security Breach of Sony Pictures
SonyPicturesHack
- EliminatedSony’scomputerinfrastructure
- Leakedconfidentialdata
* Source:http://imgur.com/qXNgFVz&Source:https://gist.github.com/anonymous/7b9a0a0ac94065ccfc5b

•News reported,
“Thereis a possibility that thishackinggroupcouldbeconnectedwithSonyPictureshackinggroup”
(October2015)
*Source:http://www.boannews.com/media/view.asp?idx=48598&kind=0 &http://www.etnews.com/20151007000172

- HWPxVulnerability (CVE-2015-6585)->Zero-dayvulnerabilityatthetime
-> invitation.hwp

Backdoor - Escad
• Malware SampleComparison
- SonyPictureshackvs.attackinSouthKorea

Backdoor - Escad
• EscadTypeA(SonyPictureshack)

Backdoor - Escad
• EscadType B
XOR 0x89

Operation Bitter Biscuit
• Operation BitterBiscuit
-AhnLabreleasedawhitepaperinOctober2017
-OperationBitterBiscuit==HeartBeatAPT@AVAR2012==OperationOrca@VB2017
-ActivitiesinSouthKoreasince2009(2008?)
-Targets:Military,DefenseResearchInstitutes,DefenseIndustry,ICT,Manufacturer
-InfectionVector:Executablefilesdisguisedasdocumentsfiles&Macro
-Malware:Presonal,Bisonal(Biscon,Korlia),Dexbia(Bromall)
-Bisonalscontain‘bisonal’,‘bioazih’,‘biaozih’
-Filenames:6ro4.dll, 6to4nt.dll, ahn.exe, AhnSDsv.exe, ahnupdate.exe, AYagent.exe, chrome.exe,
conhost.exe, conime.exe, ctfmon.exe, deskmvr.exe, dlg.exe, htrn.dll, hyper.dll, lpk.dll, lsass.exe, mfc.exe,
mmc.exe, msacm32.dll, netfxocm.exe, serskt.exe, svcsep.exe, taskmgr.exe, tpcon.exe, tsc.exe,
v3update.exe, winhelp.exe

Relation
• Operation BitterBiscuit==The HeartBeatAPT== Operation Orca
-
* Source:https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign&https://camal.coseinc.com/publish/2013Bisonal.pdf&
https://blogs.technet.microsoft.com/mmpc/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe/&http://www.cert-in.org.in&https://www.virusbulletin.com/conference/vb2017/abstracts/operation-
orca-cyber-espionage-diving-ocean-least-six-years/

Timeline
2009 2010 2011 2013 2015 2016 2017
Bisonal
Type B
The
HeartBeat
APT
Campaign
ICT
ICT
Manufacturer Manufacturer
IT
Bioazih
RAT
Blog
2018
Japanese
Defense
Industry
Military
Defense
Industry ITPresonal
20142012
Attacks on
Korean
Government
Bisonal
TypeA
MilitarySecurity
Research
Institute
Operation
Orca
Operation
BitterBiscuit

Infection Vector
• Executablefiledisguised asdocumentfiles
-

Infection Vector
• Documentfilescontainingmacros
- PoliticalSeminarAgenda

Decoy documents
• Invitation& Conference& Resume
-

Bisonal
• Features
- bisonal,bioazih,biaozih

Dexbia (Bromall)
• Dexbia(Bromall)
-
Port
C&C

Process Malware Evoultion
01
2011-2012
02
2013-2014
03
2015-2017
• Bisonal, Bioazih Strings..
• Dynamic DNS
• Bisonal, Bioazih Strings..
• Encrypting Strings
• Dexbia (Bromall) discovered
• Dexbia (Bromall)
• Packed Bisonal

Korean?!
• GhostRat ManagementKorean Edition
- Koreanbutstrange
Strings (문자렬 -> 문자열)
??? (maybe when notified)
팁 Tip ???
(typo 암 -> 안)
System Setting (체계설정 -> 설정)
Secret (비밀 -> 암호 Password)User

Korean?!
• Korean?!
-C:UsersKGHDownloads(DONE)TROYS(DONE)(done)1charelease(done)(done)1cha(dll)Installer-dll-service-
win32ReleaseInstallBD.pdb
-KGH-commonKoreannameinitials(?)
-1cha-'cha'hasthesamepronunciationforKoreanordinalnumber
-C8:thesamepronunciationasaprofanitywiththemeaningofF-wordinKorea.

Conclusion
• Conclusion
-5groupsactiveinSouthKorea-atleast
-AndarielGroup,OperationRedDot:Motivationforattackseemstohavechanged
(ConfidentialInformation→Monetarybenefit)
-SomeofthemknowKoreanverywellandknowKoreancultureandenvironment
-TheyattackvulnerabilitiesinKoreansoftwresanddisguisedasKoreanfamoussoftwares
-SomeofthemareactiveoutsideofKorea
• Cooperation
-We need to cooperate to fight them !

Q&A
minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com, https://www.facebook.com/xcoolcat7
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7

Reference
• TargetedAttackson DefenseIndusty (Korean)
http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26565ABC,
http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threats.pdf)
• Targeted Attacks on Defense Industry
(http://download.ahnlab.com/global/brochure/Tech_Report_Defense%20Industry.pdf)
• CyberThreat IntelligenceReport (Korean)
(https://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do)

Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version

Similar to Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version (20)

More from Minseok(Jacky) Cha

More from Minseok(Jacky) Cha (17)

Recently uploaded

Recently uploaded (20)

Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version