#### To Loot or Not to Loot? That Is Not a Question When a State-Nexus APT Targets the Online Entertainment Industry

###### Charles Li, Che Chang

-----

### Speaker

# Charles Li

###### TeamT5 Chief Analyst

-----

### Speaker

# Che Chang

###### TeamT5 Senior Analyst

-----

### Agenda

I. Introduction: What is Online Entertainment?
II. APTs in the Game
III. TTPs: What and How in the Kill Chain
IV. Strategic Analysis
V. Mitigation and Key Takeaway

-----

# What is Online Entertainment?

-----

### Online Entertainment Industry Chain

- Industry chain worldwide (mostly illegal)
- Lucrative nature
- Various ways to "entertain" (to game/gamble): board games, sports, video games, lotteries…

Industry chain diagram labels: Money & Gamblers; Entertainment; Engineers & Customer Service; Headquarters.

-----

### Players in the Game

- GreedyTaotie (aka APT27, Emissary Panda)
- Amoeba (aka APT41, Winnti)
- menuPass (aka APT10)

Relationship diagram: victim overlap (Operation DRBControl) and tool overlap between the groups.

-----

# TTPs: Initial Access

-----

### Weaponization & Reconnaissance

Weaponization:
- Mostly applying off-the-shelf tools, or modifying them for operations
- Proprietary tools developed for maintaining access or lateral movement (LM)

Three hypotheses for reconnaissance:
- Scenario 1: Underground or secret sources
- Scenario 2: Recruiting websites or forums
- Scenario 3: Distributors

-----

### Phishing Employees

- Spear phishing employees of targeted companies
- Using daily work-related documents (web design photos, financial statements, pink slips) to lure users into opening them

-----

### Phishing Customer Support

- Spear phishing customer support staff of the target
- Complaining about system issues and asking support to open attachments to check

-----

### Phishing via SNP (Social Network Platforms)

- Crafting profiles on social network platforms and forums
- Approaching sales, IT and R&D staff of targeted companies
- Delivering malware via cloud drives or custom web servers

-----

### Vulnerability

- Exchange server (CVE-2021-34473): using the ProxyShell exploit to gain a foothold on an Exchange server
- VPN server (CVE-2018-13379): the actor intruded by using a FortiGate exploit to obtain VPN credentials
- Browser (CVE-2021-38001): the actor used watering hole attacks and hosted exploit code on seebug[.]updetasrvers.org
- Web and NAS server vulnerabilities

-----

### Supply Chain Attack

Compromised ERP system
- First compromised the victim's ERP system via a web vulnerability
- Used the ERP system to distribute several malware families, including CrossWalk and FunnySwitch

-----

### Supply Chain Attack

Compromised official websites
- Compromised the official website of a cryptocurrency company
- Replaced some installation packages with trojanized versions

-----

# TTPs: Malware & Post-Exploitation

-----

### Malware

TianWu
- Pangolin8RAT
- CobaltStrike Beacon
- PlugX*
- CoinDrop
- Hehedalinux
- RKORAT

SLIME34
- Winnti
- FunnySwitch
- CrossWalk
- Spyder
- Sqlcmsps
- IISAccept
- CobaltStrike Beacon
- PlugX
- HelloKety
- HyperBro
- ChinaChopper

SLIME29

-----

### IIS Backdoor

PDB path: F:\XProject\Project\Salon4\IISAccept\x64\Release\IISAccept.pdb

-----

### SQL Backdoor

https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/

-----

### Lateral Movement

- Mostly off-the-shelf tools: Nbtscan, PsExec, PwDumps, mimikatz
- Credentials harvested by the RAT, dictionary attacks or exploits (e.g., EternalBlue) are used for privilege escalation
- Two stages of operations are usually adopted:
  - Stage 1: automatic tools or scripts for environment reconnaissance
  - Stage 2: manual penetration interleaved with automatic tools for precise strikes

-----

### Exfiltration

- Actors created free accounts on cloud storage platforms (堅果雲, Dropbox…)
- Malware communicates with the clouds for concealment

-----

# TTPs: Deploying Ransomware?

-----

SLIME34

- Time: 2021 H2 ~ 2022 H1
- Target: the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors
- TTP: ProxyShell (CVE-2021-34473) → RAT installation (CobaltStrike Beacon) → Lateral movement (PetitPotam CVE-2021-36942)

-----

Web compromise → RAT installation (CobaltStrike Beacon) → Lateral movement → Ransom!

-----

- TTP: Web compromise → RAT installation (Sysupdate) → Lateral movement → Ransom!

-----

SLIME29

- Target: Online Entertainment
- TTP: Spear phishing → RAT installation → Lateral movement → Encrypt!

-----

# Political Motivation behind Those APTs?

-----

### We should pay much attention to it because...

- Money driven
- Information collection

-----

### Of Course!!

Based on our observation, only SLIME29 focused on financial-gain intrusion operations; the rest all have strong politically related operations.

-----

### Cybercrime vs. Cyber Espionage: "Indicator of Money"

|"Indicator of Money"|Amoeba|GreedyTaotie|SLIME34|TianWu|SLIME29|
|---|---|---|---|---|---|
|Deploy ransomware|Y|Y|Y|N|Y|
|Deploy crypto miners|Y|Y|N|N|N|
|Hacker for hire|Y|Y|N/A|N/A|N/A|
|Only targeting industry with strong cash flow|N|N|N|N|Y|

-----

## Why Does the Chinese Government Put Significant Pressure on the Online Entertainment Industry?

-----

### China's Crackdown

-----

### Geo-politics / Threat Landscape

China's crackdown on the gambling industry
- China's crackdown on the Macau gambling industry forced gamblers to move online
- Online gambling skyrocketed during the pandemic
- Abundant money and data (personal info and cash flow)

-----

### Reason I: Stability

Info collected → Stop bribery (*anti-corruption campaign) → Clean up related infrastructure in China → Take down involved companies

-----

### Reason II: The Money

-----

# So How Do We Mitigate Such Threats?
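One concrete starting point, added here as an example and not taken from the deck or from TeamT5, for the cloud-storage C2/exfiltration channel described on the Exfiltration slide, which firewalls and IPS rarely flag: the script walks a constructed proxy log, sums bytes sent per host and storage service, and reports server-segment hosts talking to consumer cloud storage as well as unusually upload-heavy workstations. The host role map, the storage domains (jianguoyun.com for 堅果雲 and the dropbox.com family) and the volume threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import List, NamedTuple, Optional
# Consumer cloud storage named on the Exfiltration slide. The domain list is an
# assumption for this example; extend it from your proxy's URL categories.
CLOUD_STORAGE_DOMAINS = {
    "jianguoyun.com": "Nutstore (堅果雲)",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
}
SERVER_HOSTS = {"db-01", "erp-app-02", "iis-web-03"}  # ops/DB segment (assumed role map)
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # bytes sent per host/service (assumed)
Finding = NamedTuple("Finding", [("src_host", str), ("service", str),
                                 ("bytes_sent", int), ("reason", str)])

def storage_service(dest_host: str) -> Optional[str]:
    # Match dest_host or any parent domain of it (api.dropboxapi.com -> Dropbox).
    labels = dest_host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        service = CLOUD_STORAGE_DOMAINS.get(".".join(labels[i:]))
        if service:
            return service
    return None

def analyze(log_lines: List[str]) -> List[Finding]:
    # Sum bytes sent per (host, service), then flag server hosts and heavy uploaders.
    uploads = defaultdict(int)
    for line in log_lines:
        parts = line.split()  # timestamp src_host dest_host bytes_sent bytes_recv
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the run
        _ts, src, dest, sent, _recv = parts
        service = storage_service(dest)
        if service:
            uploads[(src, service)] += int(sent)
    findings = []
    for (src, service), sent in sorted(uploads.items()):
        if src in SERVER_HOSTS:
            findings.append(Finding(src, service, sent, "server-segment host using consumer cloud storage"))
        elif sent > UPLOAD_THRESHOLD:
            findings.append(Finding(src, service, sent, "upload volume above threshold"))
    return findings

# Constructed proxy log lines (not real traffic) in the format parsed above.
SAMPLE_LOG = [
    "2022-03-01T02:14:07Z db-01 api.dropboxapi.com 734003200 12400",
    "2022-03-01T02:15:10Z db-01 content.dropboxapi.com 41943040 900",
    "2022-03-01T03:00:00Z iis-web-03 dav.jianguoyun.com 2048 1024",
    "2022-03-01T09:30:11Z ws-hr-17 www.dropbox.com 10240 2048000",
    "2022-03-01T10:02:45Z ws-sales-04 www.jianguoyun.com 83886080 4096",
]
print(*analyze(SAMPLE_LOG), sep="\n")
```

A server host is reported even for a few kilobytes, because on that segment the destination alone is the anomaly; workstations are only reported once their aggregate upload exceeds the threshold.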
-----

ADVERSARY
- 5 Chinese APT groups: **Amoeba (APT41, Winnti)**, **GreedyTaotie (APT27, Emissary Panda)**, **TianWu**, **SLIME34**, **SLIME29**

CAPABILITY
- Reconnaissance techniques: off-the-shelf tools
- Delivery methods: phishing, supply chain attack
- Exploiting vulnerabilities in Exchange server, web, NAS, etc.
- Specially designed RAT, ransomware
- Lateral movement skills and tools: mostly off-the-shelf tools

INFRASTRUCTURE
- VPS, 堅果雲, Dropbox, etc.

- **Purpose: Money and sensitive data**
- **Target countries / regions: APAC**
- **Target sectors: Online entertainment industry**

-----

### Countermeasures

- Isolation between Op. (operations), Dev. (development) and OA (office automation) environments
- Catch up with new hacking tools, techniques, etc. discussed in the security community

-----

### Countermeasures

- Patch! Patch & patch, not only for machines but also for humans
- Regular drills will help

-----

### Countermeasures

- RATs usually support various protocols, or leverage cloud platforms
- Protocols or C2 information are seldom covered by firewalls, IPS, IDS and AV products

-----

### Countermeasures

- Patching the intranet is a headache, but you must
- Backdoor accounts for management are hackers' good friends
- You need tailored and accurate threat intelligence

-----

### Key Takeaway: Start the Threat Intelligence Cycle

1. China-nexus APT groups have launched massive attacks against the online entertainment business in the APAC region.
2. Dissecting the current TTPs is merely the first step.
3. China-nexus APTs are closely aligned with the national interests of the Chinese government.

-----

### Indicator of Compromise (IoC): Command and Control Server (C2)
-----

### Thank You!

Website: teamt5.org
Twitter: @TeamT5_Official

-----