#### Hunting the Shadows: In Depth Analysis of Escalated APT Attacks
###### Fyodor Yarochkin, Academia Sinica
###### Pei Kan (PK) Tsung, Academia Sinica
###### Ming-Chang (Jeremy) Chiu, Xecure Lab
###### Ming-Wei (Benson) Wu, Xecure Lab
-----
# Agenda
• Why Taiwan?
• The “Lstudio” player… fun :)
• Taking a peek at Weaponry
• APT in a Cloud
• Victimology or … chicken-logy?
-----
# whoweare
@bensonwu @fygrave [secret] [censored]
• Based in Taiwan
• Interests in Computer Forensics
• Access to some raw network traffic data (fun!)
• Get to fish interesting things (PROFFFIIITT!)
-----
# Disclaimer
A few words before we move on.
• With this research we are primarily interested in understanding the Ops and victims of discussed targeted attacks. We DO NOT attempt to perform any attribution of potential attackers.
-----
# Taiwan has been a frontline of APT battlefield for some time
-----
# Many interesting things could be observed (though this is not “Lstudio” group)
-----
# Elirks: earlier campaign
• Reported by Dell/Secureworks as Elirks: http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/
-----
# Elirks evolution
http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50-
http://blog.yam.com/minzhu0906/article/54726977
http://diary.blog.yam.com/bigtree20130514/article/10173342
http://blogs.yahoo.co.jp/sakasesi2013/31805794.html
http://www.plurk.com/mdbmdb
-----
# Elirks 2.0 – silly to reuse the address-space
-----
# Another on-going Campaign
• On-going:
-----
# week!
-----
# The “Lstudio” group: Exploring fun things in a greater detail :)
-----
# We’ll examine the “LStudio” group today
• Unique indicators of the “LStudio” group:
  • Debug symbols (.pdb)
  • “horse” label and generator tag
• Some curious discoveries from the “Lstudio” backend data center … ;-)
-----
# LStudio binaries have cute things
http://scan.xecure-lab.com
-----
# CSJ-Elise ..
-----
# They love fast cars :)
-----
# FASST CARS :) Evora
-----
# Lstudio Operations and C2
-----
# “Lstudio” payload Generator
[Screenshot labels: Horse Label; Owner; Generator-Tag; Generator]
APT Exploit delivery via email
-----
# We don’t say victim: 肉雞 (“meat chicken”) :)
-----
# The typical botnet model
-----
# Very advanced Zoo-management skills :)
-----
# APT advanced farming :)
• Operated by roughly 25 “farmers”
• Has controlled over 5,884 machines
• International coverage over 30 countries
• Utilizes 4 different Botnet software families
• Active since 2007
-----
# The “Lstudio” Chicken Cloud :)
[Diagram labels: APT; Botnet A; Data Channel (First phase backdoor); APT Cloud Backend Data Center; Command Channel; Farmer Group A (Second phase backdoor)]
-----
# International Chicken Farm Corp.
-----
# chicken farms went international
[Chart; one slice labelled 2%]
-----
# Share some Chicken :)
-----
# When you travel, your chicken travel too… :)
-----
# Lets look at some travelers :)
US, England, Taiwan, Canada, France
-----
# ANOTHER DISCOVERY!!
-----
# .. do have 9 to 5 job ;)…
-----
# Just like some security researchers do :)
-----
# AND THE LAST ..
SOME HANDY TOOLS TO SHARE :)
-----
# XecScan: Free API
-----
# Yara use
• Easy to integrate with your scripts
• Integration with a proxy server is possible via icap yara plugin: https://github.com/fygrave/c_icap_yara
• Raw network traffic monitoring project (and http/DNS indexing): https://github.com/fygrave/eyepkflow
-----
# More cool tools
• Moloch: https://github.com/aol/moloch
• Yara mail: https://github.com/kevthehermit/yaraMail
• Yara pcap: https://github.com/kevthehermit/YaraPcap
-----
# Conclusions
• Complex infrastructure
• Operates since 2007
• Multiple software versions
• Multiple back-ends
• Victims – government and private sector
• Mainly Taiwan but also seen world-wide
-----
# Questions?
benson.wu@xecure-lab.com
jeremy.chiu@xecure-lab.com
pk@hitcon.org
f@plurk.com
-----
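The deck names debug symbol (.pdb) paths as one of the indicators that tie LStudio binaries together, and the tools slides stress that such checks should be easy to script. As an added example, not the authors' code or tool, here is a small Python triage helper that pulls the CodeView RSDS record (GUID, age, PDB path) out of a binary and clusters samples by a normalised path key. The blob, GUID and path below are constructed for the demo and are not real LStudio indicators.

```python
import re
import struct
import uuid
from collections import defaultdict

# Constructed sample (not an LStudio artifact): bytes shaped like a PE's
# CodeView "RSDS" debug record, surrounded by filler standing in for headers.
SAMPLE_GUID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 2)
    + b"C:\\build\\demo\\Release\\demo.pdb\x00"
    + b"\x00" * 32
)

# RSDS signature, 16-byte GUID (little-endian fields), 4-byte age,
# then the NUL-terminated PDB path the linker embedded.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


def extract_codeview(data):
    """Return (guid, age, pdb_path) tuples for every RSDS record in data."""
    found = []
    for m in RSDS_RE.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("latin-1")
        found.append((guid, age, path))
    return found


def pdb_key(pdb_path):
    """Clustering key: lowercase, keep only the last two path components.
    Those tend to survive across builds while drive letters and user
    directories vary, so they group samples from one build tree."""
    parts = [p for p in re.split(r"[\\/]+", pdb_path.lower()) if p]
    return "/".join(parts[-2:])


def cluster_by_pdb(samples):
    """samples: {name: bytes}. Group sample names by their PDB path key;
    samples without an RSDS record are left out of every group."""
    groups = defaultdict(list)
    for name, data in samples.items():
        for _guid, _age, path in extract_codeview(data):
            groups[pdb_key(path)].append(name)
    return dict(groups)
```

The same key can be fed to a YARA rule or the XecScan results as a pivot, and the GUID/age pair identifies a specific build for matching against symbol servers.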