Hunting the Shadows: In Depth Analysis of Escalated APT Attacks

Posted on 27-Jan-2015


DESCRIPTION

Blackhat 2013 presentation slides covering the APT analysis topic.

TRANSCRIPT

1

Hunting the Shadows: In Depth Analysis of Escalated APT Attacks

Fyodor Yarochkin, Academia Sinica
Pei Kan "PK" Tsung, Academia Sinica

Ming-Chang "Jeremy" Chiu, Xecure Lab
Ming-Wei "Benson" Wu, Xecure Lab

2

Agenda

• Why Taiwan?
• The “Lstudio” player… fun
• Taking a peek at Weaponry
• APT in a Cloud
• Victimology or … chicken-logy?

3

Who we are

Based in Taiwan
Interests in Computer Forensics
Access to some raw network traffic data (fun!)
Get to fish interesting things (PROFFFIIITT!)

@bensonwu [secret] @fygrave [censored]

4

Disclaimer

A few words before we move on.
- With this research we are primarily interested in understanding the Ops and victims of the discussed targeted attacks. We DO NOT attempt to perform any attribution of potential attackers.

5

Taiwan has been a frontline of the APT battlefield for some time

BACK IN 2003…

6

Many interesting things could be observed (though this is not “Lstudio” group)

7

Elirks: earlier campaign. Reported by Dell SecureWorks as Elirks.

http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/

8

Elirks evolution


9

Elirks 2.0 – silly to reuse the address-space

Managed by the same IP addresses (easy to cross-correlate)

10

Another on-going Campaign

On-going:

11

On average, 48 APT emails a week!

12

The “Lstudio” group:

Exploring fun things in a greater detail :)

13

They start with a boring spearphhiiissh

14

Almost clean :)

15

The APT Landscape in Taiwan

16

We’ll examine the “LStudio” group today

• Unique indicators of the “LStudio” group:
  • Debug symbols (.pdb)
  • “horse” label and generator tag

• Some curious discoveries from the “Lstudio” backend data center … ;-)

17

LStudio binaries have cute things

CSJ-Elise

f:\tools\code\CSJ\Elise\Release\EliseDLL.pdb

http://scan.xecure-lab.com

18

CSJ-Elise ..

TAABAMoGvBjTVXHUHaibnwrAWfchx2x17Rf2roRBnbD/9lu13lWnlAUbBgqw+YNld2vcV5krtXoG__FXI43BxueF4FChFrkSRgNVP2WQ==

http://140.105.135.71:443/2995ebc9/page_12180900.html
http://118.163.60.73:443/2995ebc9/page_12180912.html

19

They love fast cars

20

Evora

FASST CARS

21

Lstudio Operations and C2

22

“Lstudio” payload Generator

Generator

Owner

Horse Label

Generator-Tag

APT Exploit delivery via email

23

We don’t say “victim”: 肉雞 (“broiler chicken”, i.e. a compromised host) = G

24

The typical botnet model

25

Very advanced Zoo-management skills :)

26

APT advanced farming :)

Operated by roughly 25 “farmers”
Has controlled over 5,884 machines
International coverage over 30 countries
Utilizes 4 different botnet software families
Active since 2007

27

The “Lstudio” Chicken Cloud

APT Cloud / Backend Data Center

Farmer Boss?

Farmer Group B

Farmer Group A

Command Channel (Second phase backdoor)

Data Channel (First phase backdoor)

Configurable Bounce

APT Botnet A

APT Botnet B

28

.. And who are the Chickens?!

29

International Chicken Farm Corp.

30

Chicken farms went international: 5,884 chickens
TW 84%
US 6%
2%
KR 1%
CN 1%

31

Share some Chicken

http://www.appledaily.com.tw/
http://www.cna.com.tw

KMT ?

32

When you travel, your chicken travel too…

33

Let’s look at some travelers

US

Canada

France

England

Taiwan

34

ANOTHER DISCOVERY!!

35

.. do have a 9 to 5 job ;)…

36

Just like some security researchers do

37

AND THE LAST .. SOME HANDY TOOLS TO SHARE

38

XecScan: Free API

39

Yara: a Swiss-army knife of static sigs ;)

40

Yara use

Easy to integrate with your scripts
Integration with a proxy server is possible via the ICAP Yara plugin: https://github.com/fygrave/c_icap_yara
Raw network traffic monitoring project (and HTTP/DNS indexing): https://github.com/fygrave/eyepkflow
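As an added example, not code from the slides or from the speakers' tools: the LStudio .pdb path quoted on the earlier "LStudio binaries have cute things" slide turned into a YARA rule and wrapped for use from a script, the way the "Yara use" slide suggests (e.g. over e-mail attachments). The rule name, the `yara_escape`/`build_rule`/`scan` helpers and the sample bytes are all constructed here; yara-python is used when installed, with a pure-Python fallback otherwise.

```python
try:
    import yara  # yara-python; optional, a pure-Python fallback follows
except ImportError:
    yara = None

# Indicator quoted on the slides: debug symbol path left in LStudio binaries.
LSTUDIO_PDB = r"f:\tools\code\CSJ\Elise\Release\EliseDLL.pdb"

def yara_escape(s: str) -> str:
    """Escape a literal for a double-quoted YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def build_rule(pdb_path: str = LSTUDIO_PDB) -> str:
    """Build a YARA rule keyed on the .pdb path (rule name is constructed)."""
    return (
        "rule LStudio_Elise_pdb {\n"
        "  meta:\n"
        '    description = "LStudio/Elise debug symbol path (BH2013 slides)"\n'
        "  strings:\n"
        f'    $pdb = "{yara_escape(pdb_path)}" ascii nocase\n'
        "  condition:\n"
        "    $pdb\n"
        "}\n"
    )

def scan(data: bytes, pdb_path: str = LSTUDIO_PDB) -> bool:
    """True if the bytes carry the indicator. Uses yara-python when installed,
    else a case-insensitive substring check matching the rule's 'ascii nocase'."""
    if yara is not None:
        return bool(yara.compile(source=build_rule(pdb_path)).match(data=data))
    return pdb_path.lower().encode() in data.lower()

# Constructed samples: a fake attachment with a CodeView (RSDS) record naming
# the LStudio path, and a clean build with an unrelated .pdb path.
SUSPECT = b"MZ" + b"\x00" * 30 + b"RSDS" + b"\x00" * 20 + LSTUDIO_PDB.encode() + b"\x00"
CLEAN = b"MZ" + b"\x00" * 30 + b"RSDS" + b"\x00" * 20 + b"c:\\build\\app\\Release\\app.pdb\x00"

if __name__ == "__main__":
    print(build_rule())
    for name, blob in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(f"{name}: {'MATCH' if scan(blob) else 'no match'}")
```

The same `build_rule` output can be saved to a .yar file and handed to the ICAP plugin or YaraPcap listed on the next slide.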

41

More cool tools

Moloch https://github.com/aol/moloch

Yara mail https://github.com/kevthehermit/yaraMail

Yara pcap https://github.com/kevthehermit/YaraPcap

42

Conclusions

Complex infrastructure
Operates since 2007
Multiple software versions
Multiple back-ends
Victims – government and private sector
Mainly Taiwan but also seen world-wide

43

Questions?

benson.wu@xecure-lab.com
jeremy.chiu@xecure-lab.com
pk@hitcon.org
f@plurk.com
