Anatomy of attacks aimed at financial sector by the Lazarus group
June 28, 2018
Seongsu Park
Senior Security Researcher @ Kaspersky Lab GReAT
Who is Lazarus?
• Notorious APT group
• State-sponsored APT group
• Aims at financial profit, cyber espionage and sabotage
LAZARUS: sub-groups include Andariel, Bluenoroff, ……
Well-known attack cases
2013 — DarkSeoul cyber attack
2014 — SPE cyber attack
2016 — Bangladesh bank heist
2017 — WannaCry outbreak
Recent activities of Lazarus
About Manuscrypt
• From when?
 In use since around 2013
 Still actively used today
• Connection?
 Many overlaps with known Lazarus code style and C&C infrastructure
• Attack where?
 Previously used mostly against national intelligence targets
 Recently used in attacks on the financial sector
Attacks on South Korea
Status of cryptocurrency exchanges in Korea
• South Korean companies are among the world's top 10 cryptocurrency exchanges
• Korean exchanges have been hacked continuously
Infection vectors
• Malicious HWP
• Malicious Office document
• Malicious APK
Weaponized hwp
HWP file format
• Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. - Wikipedia
• Used by most government agencies and government offices due to the government's national software activation policy
• South Korea is one of the few countries where MS Word does not rank first
Recently, PostScript is the main means of delivering the payload
Decoy and targets
Cryptocurrency
- Any cryptocurrency-related news/contents
- Cryptocurrency market expectations
Legal issues
- Related to a lawsuit or audit
- Forms about legal issues
Resume
- Resumes of mainly finance-related people
- Some decoys include the victim company name
Relationship
- Last saved user name
- Author name
Malicious hwp
Postscript Type #1
— PostScript contains an asciihex-format executable
— Drops the file into the %startup% folder as the persistence mechanism
— Dropped file is Manuscrypt
Structure: PostScript to drop executable → asciihex-type Manuscrypt (direct drop from the embedded ASCII-hex string) → drop and execute; the creation path doubles as the persistence mechanism
Postscript Type #2
— Uses Chinese variable names, i.e. yaoshi, yima, yinzi
— Decrypts the real PostScript/shellcode with a hardcoded XOR key
Has an encryption stage with a 4-byte XOR key
Structure: PostScript to decrypt (4-byte XOR key) → encrypted PostScript & shellcode → decrypt → encrypted Manuscrypt executable (encrypted 32-bit and 64-bit Manuscrypt)
Postscript Type #2 – Decrypted data
— Decrypted data contains exploit code and shellcode
— Triggers the PostScript vulnerability and executes the shellcode
Structure: PostScript to decrypt (4-byte XOR key) → encrypted PostScript & shellcode → exploit, decrypt payload and inject
Decrypted data: heap-spray, exploit code, shellcode to decrypt payload and inject; encrypted 32-bit and 64-bit Manuscrypt
Postscript Type #3-4
— Decryption process removed
— Malware author elaborated the exploit code
Structure: PostScript (elaborated exploit code, shellcode) → exploit → encrypted Manuscrypt (32-bit and 64-bit) → decrypt & inject
Postscript type #5 – add XOR
— Same structure as #3
— Adds a shellcode decryption script with 1-byte XOR
Structure: PostScript (elaborated exploit code, script for decryption of shellcode, shellcode) → decrypt & exploit → encrypted Manuscrypt (32-bit and 64-bit) → decrypt & inject
Postscript type #6
— Same PostScript to trigger the vulnerability
— No more embedded payload
— Shellcode only has a download function
Structure: PostScript (shellcode with changed function) → decrypt & exploit → download Manuscrypt
Change history of hwp attack
Type #1
• Drop embedded asciihex-type payload
Type #2
• Start to use the PostScript vulnerability
• Decrypt shellcode and exploitation PostScript with 4-byte XOR
• Decrypt payload with 4-byte XOR key
Type #3
• Remove shellcode/PostScript decryption routine
• Elaborate PostScript to trigger the vulnerability
• Decrypt payload with 4-byte XOR key
Type #4
• Decrypt payload with AES algorithm
Type #5
• Add shellcode encryption PostScript with 1-byte XOR
Type #6
• Change shellcode to just download the payload
Change history of hwp attack (structure by type)
Type #1: PostScript to drop executable → asciihex-type Manuscrypt → drop and execute
Type #2: PostScript to decrypt → encrypted PostScript & shellcode → decrypt → encrypted 32-bit/64-bit Manuscrypt → decrypt & inject
Type #3, 4: PostScript + shellcode → exploit → encrypted 32-bit/64-bit Manuscrypt → decrypt & inject
Type #5: PostScript + shellcode → decrypt & exploit → encrypted 32-bit/64-bit Manuscrypt → decrypt & inject
Type #6: PostScript + shellcode → decrypt & exploit → download Manuscrypt
Change history of hwp attack (summary)
Shellcode decryption: Type #2 – 4-bytes XOR; Type #3, #4 – none; Type #5, #6 – 1-byte XOR
Shellcode triggering: Type #2 through #6 – CVE-2017-8291 (Ghostscript exploit)
Shellcode type: Type #2 through #5 – decrypt embedded payload and inject into a legit process; Type #6 – download
Payload decryption: Type #2, #3 – 4-bytes XOR; Type #4, #5 – AES
(Type #1 has no shellcode: direct drop from the embedded asciihex string)
Attacker vs Defender (timeline 2017-04 to 2018-03)
ATTACKER SIDE
Type #1: direct drop from asciihex string
Type #2: start to use exploit; XORed shellcode + exploit trigger script
Type #3: polishing exploit script; 4-bytes XOR decryption
Type #4: replace with AES algorithm
Type #5: decrypt shellcode with 1-byte XOR
Type #6: download payload from remote server
DEFENDER SIDE
Detect embedded ASCII-type executable
Detect XOR PostScript routine
Detect embedded shellcode in PostScript
Detect embedded encrypted payload
Shellcode comparison across types
Different PostScripts, but the same shellcode
Shellcode execution flow: get API by hash → find decryption key → decrypt payload → get handle (process searching) → inject into legit process
Payload summary
IP-based C&C communication type
• Only used up to type #2
• Not seen after November 2017
• Fake SSL communication
• Full-featured backdoor
- File handling
- Process handling
- Execute commands
- Data exfiltration
HTTP-based C&C communication type
• The most commonly used communication type
• Uses compromised servers
• Full-featured backdoor
- System info gathering
- Execute commands
- and so on
Type of C&C servers
COMPROMISED SERVER
— Compromised server
— Direct connection by IP address
— Encrypted channel
COMPROMISED WEB SERVER IN CHINA
— Usually a compromised IIS server
— Attacker's PHP scripts uploaded
— DedeCMS vulnerability
— WordPress vulnerability
COMPROMISED WEB SERVER IN KOREA
— Usually a compromised IIS server
— Attacker's JSP scripts uploaded
— Using a specific board vulnerability
— Using a WordPress vulnerability
Not only hwp files
Persistence attack
Time                 File name                                                         Victim          Country
2017-07-31 07:40:07  비트코인_지갑주소_및_거래번호.hwp (Bitcoin wallet address and transaction number)   e3796387 (web)  KR
2017-07-31 16:25:00  비트코인_지갑주소_및_거래번호.doc (same title, Word version)                          e3796387 (web)  KR
2017-08-03 18:13:23  비트코인 거래내역.xls (Bitcoin transaction history)                                  e3796387 (web)  KR
Decoy of malicious hwp
Decoy of malicious word
Attacks on other countries
Attack methodology
SPEARPHISHING
— Malicious Office document
— Malicious macro embedded
— Decoy: usually a job description or proposal
Structure of macro
Macro to create payload:
Attribute VB_Name = "Module1"
Sub Auto_Open()
On Error GoTo gaqz
' Output path is obfuscated by +1 on every character: "sjop/fyf" decodes to "rino.exe" under %temp%
liveOn = "sjop/fyf"
liveOff = Environ("temp") + "\"
For qnx = 1 To Len(liveOn)
liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
Next
' Payload stored as 1635 hex strings of 500 bytes each, every byte XORed with 189 (0xBD);
' the leading F0 E7 2D BD decodes to 4D 5A 90 00, the "MZ" DOS header of a PE file
Dim str(1635) As String
str(1) = "F0E72DBDBEBDBDBD………[redacted]……………DBDBDBD"
.... [redacted]….
str(1635) = "9D9D9D9D9D9D81…. ……[redacted]…..….……DBDBDBD"
Dim offBin(499) As Byte
Open liveOff For Binary Access Write As #1
lpdq = 1
For jnx = 0 To 1634
For inx = 0 To 499
' Each hex pair is parsed with Val("&H..") and de-obfuscated with a single-byte XOR
offBin(inx) = Val("&H" + Mid(str(jnx + 1), inx * 2 + 1, 2))
offBin(inx) = offBin(inx) Xor 189
Next inx
Macro to create decoy document:
' Decoy path obfuscated the same way: "EFG492:2/ymt" decodes to "DEF38191.xls" under %temp%
liveOn = "EFG492:2/ymt"
liveOffd = Environ("temp") + "\"
For qnx = 1 To Len(liveOn)
liveOffd = liveOffd + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
Next qnx
' 239 hex strings XORed with 201 (0xC9); the leading 19 06 D8 29 decodes to D0 CF 11 E0,
' the OLE compound document header of the decoy .xls
Dim strd(239) As String
strd(1) = "1906D8296878D328C9C9C9…[redacted]…..36363636363636"
...... [redacted]……
strd(239) = "C9C9C9C9C9C9C9C9C9C9…[redacted]…….D9C9C9C9C9C9C9"
Dim offBind(499) As Byte
Open liveOffd For Binary Access Write As #2
lpdq = 1
For jnx = 0 To 238
For inx = 0 To 499
offBind(inx) = Val("&H" + Mid(strd(jnx + 1), inx * 2 + 1, 2))
offBind(inx) = offBind(inx) Xor 201
Next inx
' Write each decoded 500-byte block at the running file offset lpdq
Put #2, lpdq, offBind
lpdq = lpdq + 500
Next jnx
Close #2
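The macro above and the HWP PostScript types #2/#3 both hide Manuscrypt behind a cheap XOR layer (1-byte key in hex-string rows for the macro, 4-byte key for the HWP payload), and type #1 embeds a plain ASCII-hex executable. The following triage script is an added example, not code from the talk or from Kaspersky: it undoes the macro's character shift, reverses the hex-row XOR loop, recovers a repeating XOR key from the known PE header bytes, and scans PostScript text for an embedded ASCII-hex PE. The assumption that a PE begins with 4D 5A 90 00 is mine (the slide only shows that F0 E7 2D BD XOR 0xBD gives 4D 5A 90 00); the sample PE image, the encoded rows and the `\x11\x22\x33\x44` key are constructed test data. The hex prefixes F0E72DBD / 1906D829 and the keys 189 and 201 are the ones visible in the macro.

```python
"""Offline triage helpers for the XOR-obfuscated payload schemes in this deck.
Added example (not the talk's code). Sample data is constructed in-line."""
import re
import struct

# Assumption (not stated on the slide): a PE image starts "MZ" and, for most
# linkers, e_cblp = 0x0090, so the first four bytes are 4D 5A 90 00.
PE_HEAD_KNOWN = b"MZ\x90\x00"
OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # compound-document header of the decoy .xls


def shift_decode(s, delta=-1):
    """Undo the macro's Chr(Asc(c) - 1) string obfuscation."""
    return "".join(chr(ord(c) + delta) for c in s)


def hex_rows_to_bytes(rows, xor_key):
    """Reverse the macro's Val("&H" + Mid(...)) Xor key loop over str(1..N)."""
    out = bytearray()
    for row in rows:
        out.extend(b ^ xor_key for b in bytes.fromhex(row))
    return bytes(out)


def xor_repeat(blob, key):
    """XOR blob with a repeating multi-byte key (a 1-byte key is the macro case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def recover_xor_key(blob, known=PE_HEAD_KNOWN, key_len=4):
    """Derive a repeating XOR key from known plaintext at offset 0 and check the
    key is consistent over the whole known prefix. None on mismatch."""
    if len(blob) < len(known) or key_len > len(known):
        return None
    key = bytes(blob[i] ^ known[i] for i in range(key_len))
    return key if xor_repeat(blob[:len(known)], key) == known else None


def pe_looks_valid(blob):
    """Triage-grade PE check: "MZ" at offset 0 and "PE\\0\\0" at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_blob(blob):
    """Try the 1-byte (macro) and 4-byte (HWP type #2/#3) key lengths; return
    (key, decrypted) only when the result parses as a PE, else None."""
    for key_len in (1, 4):
        key = recover_xor_key(blob, key_len=key_len)
        if key is not None:
            plain = xor_repeat(blob, key)
            if pe_looks_valid(plain):
                return key, plain
    return None


def find_asciihex_pe(text, min_hex=128):
    """Type #1 check: a long ASCII-hex run in PostScript that decodes to a PE
    (the "embedded ascii type executable" on the defender side).
    Returns (text offset, decoded length) pairs."""
    hits = []
    for m in re.finditer(r"[0-9A-Fa-f]{%d,}" % min_hex, text):
        run = m.group(0)
        run = run[: len(run) - len(run) % 2]
        if pe_looks_valid(bytes.fromhex(run)):
            hits.append((m.start(), len(run) // 2))
    return hits


# --- constructed test data ---------------------------------------------------
def make_fake_pe(size=1000):
    """Stand-in PE: DOS header, e_lfanew = 0x80, "PE\\0\\0" at 0x80, filler after."""
    buf = bytearray(size)
    buf[0:4] = PE_HEAD_KNOWN
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    for i in range(0x84, size):
        buf[i] = (i * 7) & 0xFF
    return bytes(buf)


def macro_encode_rows(blob, xor_key, row_bytes=500):
    """Produce rows shaped like the macro's str(n): 500 bytes, XORed, as hex."""
    padded = blob + b"\x00" * (-len(blob) % row_bytes)
    return [bytes(b ^ xor_key for b in padded[i:i + row_bytes]).hex().upper()
            for i in range(0, len(padded), row_bytes)]


if __name__ == "__main__":
    print(shift_decode("sjop/fyf"), shift_decode("EFG492:2/ymt"))
    print(hex_rows_to_bytes(["F0E72DBD"], 189), hex_rows_to_bytes(["1906D829"], 201))
    pe = make_fake_pe()
    encoded = bytes.fromhex("".join(macro_encode_rows(pe, 189)))
    key, plain = triage_blob(encoded)
    print(key.hex(), plain == pe)
```

`triage_blob` deliberately requires the PE signature to line up after decryption: matching four known bytes alone would accept any 4-byte key, so the `e_lfanew` check is what turns a guess into evidence. For a type #4/#5 sample the same known-plaintext trick does not apply, since AES has no repeating key.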
Who is the target?
Finance, engineering, cryptocurrency
Payload summary
• File search and handling
• Process handling
• Collect system information
• Directory / file listing
……
Full-featured backdoor a.k.a. Fallchill
• IP-based C&C communication
- Fake SSL communication (PolarSSL)
- Used compromised servers
• HTTP-based C&C communication
- Compromised ASP hosting IIS server
- Allegedly used board/CMS vulnerability
C&C server configuration
How did I start this investigation?
Malicious hwp dropped Manuscrypt
Found 1 C&C server in South Korea
— Suspected compromised server
Working closely with the investigation agency
— Investigated the compromised server
— Found one proxy module
Expanding research with our telemetry
— Yara magic!
— Found additional modules from the compromised server
Manuscrypt C2 infrastructure
Manuscrypt-infected host → (send information) → multi-stage proxy servers → (communication) → final-stage C2 server
Manuscrypt C2 geolocations
Malwares/Tools from C&C server
Backdoor variants: the threat actor uses many kinds of backdoors - active backdoor, passive backdoor, HTTP backdoor, IIS backdoor
Proxy malware: main component of the multi-stage proxy structure; forwards incoming traffic to another host
Information harvester: TCP connection harvester to steal inbound/outbound network connections
Other tools: loader to decrypt and execute an encrypted payload; file wiper to securely wipe out specific files
Proxy module
Simply forwards traffic from the incoming host to the next hop
Firewall punching: adds to the allowed port list using a Windows command
Fake SSL communication: disguised as an SSL handshake with legitimate sites
Configuration
- Stores configuration in a registry key
- Saves configuration as a specific file
- Updates the file with data from another hop
- Decrypts the file when read
Proxy module – P2P proxy
Another infected host ↔ listening named pipe (\\.\pipe\AnonymousPipe) / connect to external named pipe (\\%s\pipe\AnonymousPipe)
PolarSSL encryption
Thread #1: receives data from the global P2P server and writes it to the listening named pipe (\\.\pipe\AnonymousPipe)
Thread #2: reads data from the external named pipe and sends it to the global P2P server
Global P2P C&C server (passive backdoor module installed)
P2P-based C&C infrastructures
Active backdoor
Has the C&C server address; performs backdoor functions
IP-based communications
- Configuration data in a registry key
- Full-featured backdoor
• File / directory listing
• Process handling
• Get system information
• Execute Windows command
• Send screenshot
HTTP-based communications
- Same configuration data as the IP-based backdoor
- Chooses the HEAD, GET or POST method randomly when communicating with the C&C server
- Full-featured backdoor
Passive backdoor
Doesn't have a C&C server address; opens a port and waits for connections
INSTALLATION PROCESS
1. Get the Windows service list and choose one (i.e. choose the "SharedAccess" service)
2. Get the display name of the service and append "Service" (i.e. change the "Internet Connection Sharing (ICS)" display name to "Internet Connection Sharing Service")
3. Append decrypted strings to the service display name (i.e. append "is an essential element in Windows System configuration and management.")
4. Change the service name to lower case and append "svc" (i.e. SharedAccess -> sharedaccesssvc)
5. Drop the payload under the service name (i.e. drop payload to sharedaccesssvc.dll)
6. Change the file timestamp
F/W Punching
cmd.exe /c netsh firewall add portopening TCP [Port] "adp"
Backdoor functions
- Almost the same as the active backdoor
- Some variants have routing functions
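The installation steps above leave artifacts a defender can hunt for: a service whose name is an existing service lowercased plus "svc", a payload DLL named after that service, a display name ending in the appended sentence, and a legacy `netsh firewall add portopening` command. The script below is an added example, not the talk's code, and applies those checks to constructed data: the service inventory (including a legitimate CryptSvc entry, whose DLL is also named after the service) and the process command lines are test records I wrote for it, and port 443 stands in for the slide's `[Port]` placeholder.

```python
"""Hunt for the passive-backdoor installation artifacts described in the deck.
Added example (not the talk's code); inventory and command lines are constructed."""
import re

# Sentence the slide says is appended to the cloned service's display name.
APPENDED_TAIL = ("is an essential element in Windows System configuration "
                 "and management.")

# Constructed inventory, reduced to the fields the checks need.
SERVICES = [
    {"name": "SharedAccess", "display": "Internet Connection Sharing (ICS)",
     "binary": r"C:\Windows\System32\ipnathlp.dll"},
    {"name": "CryptSvc", "display": "Cryptographic Services",
     "binary": r"C:\Windows\System32\cryptsvc.dll"},
    {"name": "sharedaccesssvc",
     "display": "Internet Connection Sharing Service " + APPENDED_TAIL,
     "binary": r"C:\Windows\System32\sharedaccesssvc.dll"},
]


def cloned_service_findings(services):
    """Return (service name, reasons) for entries matching the install pattern.
    The DLL-name rule is only applied when the base name is itself a known
    service: legitimate services such as CryptSvc ship a cryptsvc.dll, so a
    name/DLL match on its own is not evidence."""
    known = {s["name"].lower() for s in services}
    findings = []
    for s in services:
        reasons = []
        name = s["name"].lower()
        base = name[:-3] if name.endswith("svc") else ""
        if base and base in known:
            reasons.append(f"name is existing service '{base}' + 'svc'")
            dll = s["binary"].rsplit("\\", 1)[-1].lower()
            if dll == name + ".dll":
                reasons.append("payload DLL is named after the cloned service")
        if s["display"].rstrip().endswith(APPENDED_TAIL):
            reasons.append("display name ends with the appended sentence")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


# The slide's command: cmd.exe /c netsh firewall add portopening TCP [Port] "adp"
NETSH_PORTOPEN = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+portopening\s+'
    r'(?P<proto>TCP|UDP|ALL)\s+(?P<port>\d+)\s+"?(?P<rule>[^"\s]+)"?',
    re.IGNORECASE)

# Constructed process-creation command lines (what a Sysmon event 1 or a
# 4688 event would carry); 443 is a stand-in for the slide's [Port].
PROCESS_CMDLINES = [
    'cmd.exe /c netsh firewall add portopening TCP 443 "adp"',
    'netsh advfirewall firewall show rule name=all',
    'cmd.exe /c ipconfig /all',
]


def firewall_punch_findings(cmdlines):
    """Flag legacy-netsh port openings. "adp" is the rule name on the slide,
    but any opening outside an installer context is worth a look."""
    out = []
    for line in cmdlines:
        m = NETSH_PORTOPEN.search(line)
        if m:
            out.append({"proto": m["proto"].upper(), "port": int(m["port"]),
                        "rule": m["rule"], "cmdline": line})
    return out


if __name__ == "__main__":
    for name, reasons in cloned_service_findings(SERVICES):
        print(name, reasons)
    for hit in firewall_punch_findings(PROCESS_CMDLINES):
        print(hit["proto"], hit["port"], hit["rule"])
```

On a live host the inventory would come from the service control manager or the `HKLM\SYSTEM\CurrentControlSet\Services` registry export, and the command lines from process-creation telemetry; the checks themselves do not change.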
Other tools
Log Wiper
- Generates a random buffer
- Overwrites the file with that data repeatedly
- Deletes the file
TCP Connection Harvester
- Chooses the proper API depending on OS version
Malwares/Tools from C&C server
Countries: Indonesia, India, Bangladesh, Malaysia, Vietnam, Korea, Taiwan, Thailand
Module types: active backdoor, passive backdoor, proxy, TCP conn harvester, IIS backdoor, HTTP backdoor
Malwares/Tools from C&C server
Case #1: India (active backdoor), Colombia, Dominican Republic, Germany, Indonesia, South Korea, Sri Lanka, Panama
Case #2: Vietnam
Modules seen in the two cases: proxy, HTTP backdoor, passive backdoor, TCP conn harvester
Vulnerability information
IP             Web server ver  OS fingerprinting
2xx.xx.xx.xxx  N/A             Windows Server 2003 R2
5x.xx.xx.xxx   IIS 6.0         Aggressive OS guesses: Microsoft Windows Server 2003 (91%), Microsoft Windows Server 2003 SP2 (91%)
2xx.xx.xx.xxx  IIS 6.0         N/A
1xx.xx.xx.xxx  IIS 6.0         Aggressive OS guesses: Microsoft Windows 2003 R2 (93%), Microsoft Windows Server 2003 (93%), Microsoft Windows Server 2003 SP2 (93%)
2xx.xx.xx.xxx  IIS 6.0         Aggressive OS guesses: Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
1xx.xx.xx.xxx  IIS 6.0         Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%), Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
2xx.xx.xx.xxx  IIS 6.0         N/A
2xx.xx.xx.xxx  IIS 6.0         Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (89%)
5x.xx.xx.xxx   N/A             Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows Server 2003 SP1 - SP2 (92%)
Vulnerability information
2017-03-26: CVE-2017-7269 published
2017-03-31: PoC for CVE-2017-7269 added to a Metasploit module
2017-04-11: Attack tool for this exploit was created
2017-06-13: Microsoft published a patch for this vulnerability
Let's put them together
Victim (Manuscrypt infected) ← weaponized hwp/doc ← corporate users
C&C server infrastructure: active backdoor, passive backdoor, proxy module, TCP harvester, ……
Attacker: configures C&C infra, controls infected hosts, communicates through multi-stage C&C
Sometimes corporate hosts are infected from the server
Takeaways
• Never let your server be compromised by them
• They keep polishing their tools
• Their favorite attack vector is spearphishing
• Recently, they have been changing their TTPs
• Let's keep up with their TTPs
LET'S TALK?
Twitter : @unpacker
Mail : seongsup4rk@gmail.com

Scootsy Overview Deck - Pan City Delivery
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptx
 
General Elections Final Press Noteas per M
General Elections Final Press Noteas per MGeneral Elections Final Press Noteas per M
General Elections Final Press Noteas per M
 

AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group

  • 1. Anatomy of attacks aimed at financial sector by the Lazarus group
    June 28, 2018
    Seongsu Park, Senior Security Researcher @ Kaspersky Lab GReAT

  • 2. Who is Lazarus?
    • Notorious APT group
    • State-sponsored APT group
    • Aimed at financial profit, cyber espionage and sabotage
    Sub-groups under LAZARUS: Andariel, Bluenoroff, ……
    Well-known attack cases:
    2013 — DarkSeoul cyber attack
    2014 — SPE cyber attack
    2016 — Bangladesh bank heist
    2017 — WannaCry outbreak

  • 4. About Manuscrypt
    • From when?
       Started using Manuscrypt around 2013
       Still in active use recently
    • Connection?
       Many overlaps with known Lazarus code style and C&C infrastructure
    • Attack where?
       Previously used mainly against national intelligence targets
       Recently used in attacks on the financial sector

  • 6. Status of cryptocurrency exchanges in Korea
    Chart: world TOP 10 cryptocurrency exchanges, with the South Korean companies highlighted

  • 9. Weaponized hwp — HWP file format
    • Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. - Wikipedia
    • Used by most government agencies and government offices due to the government's national software activation policy
    • South Korea is one of the few countries where MS Word does not rank first
    Recently, PostScript is mainly used to deliver the payload

  • 10. Decoy and targets
    Cryptocurrency: any cryptocurrency-related news/contents; cryptocurrency market expectations
    Legal issues: related to lawsuits or audits; forms about legal issues
    Resume: resumes of mainly finance-related people; some decoys include the victim company name

  • 11. Relationship
    The malicious hwp files share document metadata: last saved user name, author name

  • 12. Postscript Type #1
    — The PostScript contains an asciihex-format executable
    — Drops the file into the %startup% folder as a persistence mechanism
    — The dropped file is Manuscrypt
    Direct drop from the embedded ASCII hex string; creation path (+persistence mechanism)
    Structure: asciihex-type Manuscrypt embedded in the PostScript → PostScript drops the executable → drop and execute

  • 13. Postscript Type #2
    — Uses Chinese variable names, e.g. yaoshi, yima, yinzi
    — Decrypts the real PostScript/shellcode with a hardcoded XOR key
    Has an encryption stage with a 4-byte XOR key
    Structure: 4-byte XOR key → encrypted PostScript & shellcode → PostScript to decrypt → decrypt; encrypted 32-bit Manuscrypt and encrypted 64-bit Manuscrypt (encrypted Manuscrypt executables)

  • 14. Postscript Type #2 – Decrypted data
    — The decrypted data contains exploit code and shellcode
    — Triggers the PostScript vulnerability and executes the shellcode
    Structure: encrypted PostScript & shellcode → PostScript to decrypt → exploit, decrypt payload and inject; decrypted contents: heap-spray, exploit code, shellcode to decrypt the payload and inject; encrypted 32-bit / 64-bit Manuscrypt

  • 15. Postscript Type #3-4
    — Decryption process removed
    — The malware author elaborated the exploit code
    Structure: PostScript (elaborated exploit code) + shellcode → exploit → decrypt & inject; encrypted 32-bit / 64-bit Manuscrypt

  • 16. Postscript type #5 – add XOR
    — Same structure as #3
    — Adds a shellcode decryption script with 1-byte XOR
    Structure: PostScript (elaborated exploit code, script for decryption of shellcode) + shellcode → decrypt & exploit → decrypt & inject; encrypted 32-bit / 64-bit Manuscrypt

  • 17. Postscript type #6
    — Same PostScript to trigger the vulnerability
    — No more embedded payload
    — The shellcode just has a download function
    Structure: PostScript + shellcode → decrypt & exploit → download Manuscrypt (changed shellcode function)

  • 18. Change history of hwp attack
    Type #1 • Drop embedded asciihex-type payload
    Type #2 • Start to use the PostScript vulnerability • Decrypt shellcode and exploitation PostScript with 4-byte XOR • Decrypt payload with 4-byte XOR key
    Type #3 • Remove shellcode/PostScript decryption routine • Elaborate PostScript to trigger the vulnerability • Decrypt payload with 4-byte XOR key
    Type #4 • Decrypt payload with AES algorithm
    Type #5 • Add shellcode encryption PostScript with 1-byte XOR
    Type #6 • Change shellcode to just download the payload

  • 19. Change history of hwp attack
    Structure diagrams of Type #1, Type #2, Type #3-4, Type #5 and Type #6 side by side (the same structures as on slides 12-17)

  • 20. Change history of hwp attack (summary table, types #1 to #6)
    Shellcode decryption: none (#1), 4-byte XOR (#2), none (#3, #4), 1-byte XOR (#5, #6)
    Shellcode triggering: CVE-2017-8291 (Ghostscript exploit) from #2 onward
    Shellcode type: decrypt embedded payload and inject into a legit process (#2-#5); download (#6)
    Payload decryption: 4-byte XOR (#2, #3); AES (from #4)

  • 21. Attacker vs Defender
    Timeline on the slide: 2017-04, 2017-06, 2017-07, 2017-08, 2017-09, 2017-10, 2017-11, 2017-12, 2018-03
    ATTACKER SIDE, in order: Type #1 direct drop from asciihex string → Type #2 start to use exploit (XORed shellcode + exploit trigger script, 4-byte XOR decryption) → Type #3 polishing exploit script → Type #4 replace with AES algorithm → Type #5 decrypt shellcode with 1-byte XOR → Type #6 download payload from remote server
    DEFENDER SIDE: detect embedded ASCII-type executable; detect XOR PostScript routine; detect embedded shellcode in PostScript; detect embedded encrypted payload

  • 22. Shellcode comparison from each type
    Different PostScripts, but the same shellcode

  • 23. Shellcode comparison from each type
    Different PostScripts, but the same shellcode (process searching, get handle)

  • 24. Shellcode
    Shellcode execution flow: get API by hash, decrypt payload, find decryption key, get handle, inject into legit process

  • 25. Payload summary
    IP-based C&C communication type
    • Only used up to type #2
    • Not seen after November 2017
    • Fake SSL communication
    • Full-featured backdoor: file handling, process handling, execute commands, data exfiltration
    HTTP-based C&C communication type
    • The usually used communication type
    • Uses compromised servers
    • Full-featured backdoor: system info gathering, execute commands, and so on

  • 26. Type of C&C servers
    COMPROMISED SERVER — compromised server — direct connect by IP address — encrypted channel
    COMPROMISED WEB SERVER IN CHINA — usually a compromised IIS server — attacker's PHP scripts uploaded — DedeCMS vulnerability — WordPress vulnerability
    COMPROMISED WEB SERVER IN KOREA — usually a compromised IIS server — attacker's JSP scripts uploaded — using a specific board vulnerability — using a WordPress vulnerability

  • 27. Not only hwp file

  • 28. Not only hwp file — Persistence attack (telemetry)
    2017-07-31 07:40:07 | 비트코인_지갑주소_및_거래번호.hwp | e3796387 (web) | KR
    2017-07-31 16:25:00 | 비트코인_지갑주소_및_거래번호.doc | e3796387 (web) | KR
    2017-08-03 18:13:23 | 비트코인 거래내역.xls | e3796387 (web) | KR
    Decoy of the malicious hwp; decoy of the malicious Word document

  • 30. Attack methodology
    SPEARPHISHING — malicious Office document — malicious macro embedded — decoy: usually job descriptions and proposals

  • 31. Attack methodology — Structure of the macro
    Macro to create the payload:
      Attribute VB_Name = "Module1"
      Sub Auto_Open()
      On Error GoTo gaqz
      ' file name is obfuscated: every character is stored shifted up by one
      liveOn = "sjop/fyf"
      ' the "\" separator was lost in the slide extraction and is restored here
      liveOff = Environ("temp") + "\"
      For qnx = 1 To Len(liveOn)
          liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
      Next
      ' payload stored as 1635 ASCII-hex strings of 500 bytes each
      Dim str(1635) As String
      str(1) = "F0E72DBDBEBDBDBD………[redacted]……………DBDBDBD"
      .... [redacted]….
      str(1635) = "9D9D9D9D9D9D81…. ……[redacted]…..….……DBDBDBD"
      Dim offBin(499) As Byte
      Open liveOff For Binary Access Write As #1
      lpdq = 1
      For jnx = 0 To 1634
          For inx = 0 To 499
              ' hex pair -> byte, then XOR with 189 (0xBD)
              offBin(inx) = Val("&H" + Mid(str(jnx + 1), inx * 2 + 1, 2))
              offBin(inx) = offBin(inx) Xor 189
          Next inx
          ' (the slide text stops here; the write/close of file #1 is not shown)
    Macro to create the decoy document:
      ' decoy file name obfuscated the same way
      liveOn = "EFG492:2/ymt"
      liveOffd = Environ("temp") + "\"
      For qnx = 1 To Len(liveOn)
          liveOffd = liveOffd + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
      Next qnx
      ' decoy stored as 239 ASCII-hex strings of 500 bytes each
      Dim strd(239) As String
      strd(1) = "1906D8296878D328C9C9C9…[redacted]…..36363636363636"
      ...... [redacted]……
      strd(239) = "C9C9C9C9C9C9C9C9C9C9…[redacted]…….D9C9C9C9C9C9C9"
      Dim offBind(499) As Byte
      Open liveOffd For Binary Access Write As #2
      lpdq = 1
      For jnx = 0 To 238
          For inx = 0 To 499
              ' hex pair -> byte, then XOR with 201 (0xC9)
              offBind(inx) = Val("&H" + Mid(strd(jnx + 1), inx * 2 + 1, 2))
              offBind(inx) = offBind(inx) Xor 201
          Next inx
          Put #2, lpdq, offBind
          lpdq = lpdq + 500
      Next jnx
      Close #2
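The same embedding tricks recur across the slides (type #1 asciihex drop, the 4-byte XOR of types #2-#3, and the 1-byte XOR plus Chr(Asc-1) name obfuscation of this macro). As an added example, not part of the talk, a small Python analysis helper that decodes them; the two hex prefixes are the ones visible on this slide, and the encrypted PE is a synthetic sample built inside the script.

```python
from collections import Counter
import struct

# Constructed sample data: the two hex prefixes are the ones visible on the macro
# slide (str(1) of the payload macro, strd(1) of the decoy macro); the encrypted
# PE is synthetic, built by make_fake_encrypted_pe(), not real malware bytes.
PAYLOAD_HEX_PREFIX = "F0E72DBDBEBDBDBD"        # macro XORs with 189 (0xBD)
DECOY_HEX_PREFIX = "1906D8296878D328C9C9C9"    # macro XORs with 201 (0xC9)
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # .doc/.xls/.hwp container header


def decode_shifted_name(s: str) -> str:
    """The macro builds file names with Chr(Asc(c) - 1) per character."""
    return "".join(chr(ord(c) - 1) for c in s)


def asciihex_to_bytes(chunks) -> bytes:
    """Type #1 HWP droppers and the macro carry the payload as ASCII-hex strings."""
    return bytes.fromhex("".join(chunks))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(data: bytes, key_len: int) -> bytes:
    """PE and OLE images are dominated by zero bytes, so the most frequent
    key-aligned ciphertext block is the key itself (works for 1- and 4-byte keys)."""
    blocks = [data[i:i + key_len] for i in range(0, len(data) - key_len + 1, key_len)]
    return Counter(blocks).most_common(1)[0][0]


def classify(data: bytes) -> str:
    if data[:2] == b"MZ":
        return "PE executable"
    if data[:8] == OLE_MAGIC:
        return "OLE compound document"
    return "unknown"


def analyze_embedded_payload(chunks, key_len):
    """Decode ASCII hex, recover the XOR key, decrypt, and name the file type."""
    enc = asciihex_to_bytes(chunks)
    key = recover_xor_key(enc, key_len)
    dec = xor_with_key(enc, key)
    return key, classify(dec), dec


def make_fake_encrypted_pe(key: bytes) -> str:
    """Synthetic stand-in for a type #2/#3 embedded payload: a minimal MZ/PE
    header image, XOR-encrypted with a 4-byte key and returned as ASCII hex."""
    img = b"MZ\x90\x00" + bytes(0x38) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(0x100)
    return xor_with_key(img, key).hex().upper()


if __name__ == "__main__":
    print(decode_shifted_name("sjop/fyf"), decode_shifted_name("EFG492:2/ymt"))
    cases = [([PAYLOAD_HEX_PREFIX], 1), ([DECOY_HEX_PREFIX], 1),
             ([make_fake_encrypted_pe(b"\x12\x34\x56\x78")], 4)]
    for chunks, klen in cases:
        key, kind, _ = analyze_embedded_payload(chunks, klen)
        print(key.hex(), kind)
```

Run on the slide's own prefixes it recovers keys 0xBD and 0xC9 and identifies the payload as a PE and the decoy as an OLE document, which is why the visible hex strings are enough to triage such a macro without executing it.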
  • 32. Who is the target?
    Finance, Engineering, Cryptocurrency

  • 33. Payload summary
    Full-featured backdoor a.k.a. Fallchill
    • File search and handling
    • Process handling
    • Collect system information
    • Directory / file listing
    ……
    • IP-based C&C communication
      - Fake SSL communication (Polar SSL)
      - Uses compromised servers
    • HTTP-based C&C communication
      - Compromised ASP hosting IIS server
      - Allegedly used a board/CMS vulnerability

  • 35. How did I start this investigation?
    Malicious hwp dropped Manuscrypt
    Found 1 C&C server in South Korea — suspected compromised server
    Working closely with the investigation agency — investigated the compromised server — found one proxy module
    Expanding the research with our telemetry — Yara magic! — found additional modules from the compromised server

  • 36. Manuscrypt C2 infrastructure
    Manuscrypt-infected host → send information → multi-stage proxy servers → communication → final-stage C2 server

  • 38. Malwares/Tools from C&C server
    Backdoor variants: the threat actor uses many kinds of backdoors - active backdoor, passive backdoor, HTTP backdoor, IIS backdoor
    Proxy malware: main component of the multi-stage proxy structure; forwards incoming traffic to another host
    Information harvester: TCP connection harvester to steal inbound/outbound network connections
    Other tools: loader to decrypt and execute an encrypted payload; file wiper to securely wipe specific files

  • 39. Proxy module
    Simply forwards traffic from the incoming host to the next hop
    Firewall punching: adds to the allowed port list using a Windows command
    Fake SSL communication: disguised as SSL handshaking with legit sites
    Configuration: stored in a registry key; saved as a specific file; the file is updated with data from another hop; decrypted when read

  • 40. Proxy module – P2P proxy
    P2P-based C&C infrastructure
    Another infected host: listening named pipe (\\.\pipe\AnonymousPipe); connect to external named pipe (\\%s\pipe\AnonymousPipe); Polar SSL encryption
    Thread #1: receive data from the global P2P server and write it to the listening named pipe
    Thread #2: read data from the external named pipe and send it to the global P2P server
    Global P2P C&C server (passive backdoor module installed)

  • 41. Active backdoor
    Has the C&C server address, performs backdoor functions
    IP-based communications
    - Configuration data in a registry key
    - Full-featured backdoor
      • File / directory listing
      • Process handling
      • Get system information
      • Execute Windows command
      • Send screenshot
    HTTP-based communications
    - Same configuration data as the IP-based backdoor
    - Chooses the HEAD, GET or POST method randomly when communicating with the C&C server
    - Full-featured backdoor

  • 42. Passive backdoor
    Doesn't have a C&C server address; opens a port and waits for connections
    INSTALLATION PROCESS
    Get the Windows service list and choose one — i.e. choose the "SharedAccess" service
    Get the display name of the service and append "Service" — i.e. change the "Internet Connection Sharing (ICS)" display name to "Internet Connection Sharing Service"
    Append decrypted strings to the service display name — i.e. append "is an essential element in Windows System configuration and management."
    Change the service name to lower case and append "svc" — i.e. SharedAccess -> sharedaccesssvc
    Drop the payload under the service name — i.e. drop the payload as sharedaccesssvc.dll
    Change the file timestamp
    F/W punching: cmd.exe /c netsh firewall add portopening TCP [Port] "adp"
    Backdoor functions
    - Almost the same as the active backdoor
    - Some variants have routing functions
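The installation scheme above gives a defender concrete host artefacts to look for. As an added example that is not part of the talk, a Python check over a constructed service inventory and constructed process-creation log lines that flags the naming pattern and the firewall-punching command described on this slide.

```python
import re

APPENDED_TEXT = "is an essential element in Windows System configuration and management."
NETSH_RE = re.compile(r'netsh\s+firewall\s+add\s+portopening\s+TCP\s+(\d+)\s+"([^"]*)"', re.I)

# Constructed sample inventory: the masquerading entry follows the naming scheme
# on the slide (SharedAccess -> sharedaccesssvc, "... Service" + appended sentence).
SERVICES = [
    {"name": "SharedAccess", "display": "Internet Connection Sharing (ICS)",
     "path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"name": "sharedaccesssvc",
     "display": "Internet Connection Sharing Service " + APPENDED_TEXT,
     "path": r"C:\Windows\System32\sharedaccesssvc.dll"},
    {"name": "Spooler", "display": "Print Spooler", "path": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "w32time", "display": "Windows Time",
     "path": r"C:\Windows\System32\svchost.exe -k LocalService"},
]
# Constructed process-creation log lines (command line only).
PROCESS_LOG = [
    'cmd.exe /c netsh firewall add portopening TCP 8443 "adp"',
    'netsh advfirewall firewall show rule name=all',
]


def find_masquerading_services(services):
    """Flag services whose name is an existing service's lowercased name plus 'svc';
    add reasons when the display name carries the appended sentence and the
    binary is a DLL named after the service, as the slide describes."""
    by_name = {s["name"].lower(): s for s in services}
    hits = []
    for s in services:
        n = s["name"].lower()
        parent = by_name.get(n[:-3]) if n.endswith("svc") else None
        if parent is None or parent is s:
            continue
        reasons = ["name = lowercase(%s) + svc" % parent["name"]]
        if s["display"].endswith(APPENDED_TEXT):
            reasons.append("display name ends with the appended sentence")
        if s["path"].lower().endswith("\\" + n + ".dll"):
            reasons.append("payload DLL named after the service")
        hits.append({"name": s["name"], "parent": parent["name"], "reasons": reasons})
    return hits


def find_firewall_punching(log_lines):
    """Match 'netsh firewall add portopening'; rule name "adp" is the value the
    slide reports, but any rule name is still flagged."""
    hits = []
    for line in log_lines:
        m = NETSH_RE.search(line)
        if m:
            hits.append({"port": int(m.group(1)), "rule_name": m.group(2),
                         "known_name": m.group(2) == "adp", "line": line})
    return hits
```

Both checks are cheap enough to run across a fleet's service inventories and command-line telemetry; the name-derivation check in particular does not depend on which legitimate service the sample happened to pick.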
  • 43. Other tools
    Log wiper: generate a random buffer; overwrite the file with that data repeatedly; delete the file
    TCP connection harvester: chooses the proper API depending on the OS version (file name shown on the slide)

  • 44. Malwares/Tools from C&C server
    Map of infected countries: Indonesia, India, Bangladesh, Malaysia, Vietnam, Korea, Taiwan, Thailand
    Tools found: active backdoor, passive backdoor, proxy, TCP conn harvester, IIS backdoor, HTTP backdoor

  • 45. Malwares/Tools from C&C server
    Map of Case #1 and Case #2; countries shown: India, Colombia, Dominican Republic, Germany, Indonesia, South Korea, Sri Lanka, Panama, Vietnam
    Tools shown: active backdoor, proxy, HTTP backdoor, passive backdoor, TCP conn harvester

  • 46. Vulnerability information
    IP | Web server ver | OS fingerprinting
    2xx.xx.xx.xxx | N/A | Windows Server 2003 R2
    5x.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 (91%), Microsoft Windows Server 2003 SP2 (91%)
    2xx.xx.xx.xxx | IIS 6.0 | N/A
    1xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows 2003 R2 (93%), Microsoft Windows Server 2003 (93%), Microsoft Windows Server 2003 SP2 (93%)
    2xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
    1xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%), Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
    2xx.xx.xx.xxx | IIS 6.0 | N/A
    2xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (89%)
    5x.xx.xx.xxx | N/A | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows Server 2003 SP1 - SP2 (92%)

  • 47. Vulnerability information
    2017-03-26 CVE-2017-7269 published
    2017-03-31 PoC for CVE-2017-7269 added to a Metasploit module
    2017-04-11 Attack tool for this exploit was created
    2017-06-13 Microsoft published a patch for this vulnerability

  • 48. Let's put them together
    Victim (Manuscrypt infected) ← weaponized hwp/doc; corporate users (sometimes corporate hosts are infected from the server)
    C&C server infrastructure: active backdoor, passive backdoor, proxy module, TCP harvester, ……
    Attacker: configures the C&C infra, controls infected hosts, communicates through the multi-stage C&C

  • 49. Takeaways
    • Never let your server be compromised by them
    • They keep polishing their tools
    • Their favorite attack vector is spearphishing
    • Recently, they are changing their TTPs
    • Let's keep our heads up on their TTPs

  • 50. LET'S TALK?
    Twitter : @unpacker
    Mail : seongsup4rk@gmail.com