VB2019 - A Vine Climbing Over the Great Firewall: A Long-Term Attack Against China
Lion Gu, Bowen Pan
Qi An Xin Threat Intelligence Center
www.qianxin.com

About us
• RedDrip Team (@RedDrip7)
• A team of the Qi An Xin Threat Intelligence Center
• Focus on threat intelligence and tracing of advanced targeted attacks
• APT threat monitoring and tracing; has uncovered several APT groups

Agenda
• Introduction of PoisonVine
• Capabilities and resources
• Tactics, techniques and procedures (TTP)
• Impact
• Attribution
• Conclusion

PoisonVine
• PoisonVine (APT-C-01): a rarely known APT group targeting China
• Intent: political and military intelligence
• Targets
  • government agencies
  • military personnel
  • research institutes
  • maritime agencies

PoisonVine - Timeline
• 2007.12: First discovered trojan, which targeted a large shipping company
• 2008-2009: Universities and the military industry in China were attacked
• 2009-2011: Using “API string reverse” and “error API parameters” (deliberately invalid API arguments) to evade detection
• 2012.12: First variant of ZxShell was found
• 2013: Several military and government targets were attacked
• 2014.9.12: Website compromised for a watering hole; 0-day discovered (CVE-2014-6352)
• 2015.2: Kanbox RAT
• 2017.10: Several spear-phishing attacks using CVE-2017-8759
• 2018: First disclosed

Capabilities and Resources
• RATs
  • Commercial or open-source RATs: Poison Ivy, ZxShell
  • Customized: Kanbox RAT
• Exploits: several document vulnerabilities
  • CVE-2012-0158
  • CVE-2014-6352 (0-day)
  • CVE-2017-8759
• Infrastructure
  • Dynamic domains
  • Cloud storage
(Capabilities: tools and exploits. Resources: infrastructure.)

Capabilities and Resources - Poison Ivy

Capabilities and Resources - ZxShell
• Open-source version
• Customized commands

Capabilities and Resources - Kanbox RAT
• Keyword filtering for collection: “军” or “军事” (military), “部队” (army)
• Cloud storage API for exfiltration

Capabilities and Resources - Customized shellcode loader
• Discovered in early 2018
• Chain: .hta -> CVE-2017-8759
  1. .hta execution triggered with CVE-2017-8759
  2. Drive-by download and execution from an open directory

Capabilities and Resources - CVE-2014-6352
• Bypasses the patch for CVE-2014-4114 (used by Sandworm)
• 0-day: sample creation time 4 Sep 2014; patched October 2014

Capabilities and Resources - Infrastructure
• Dynamic domains, by DDNS service provider (number of domains):
  ChangeIP 30, No-IP 9, DynDNS 2, Afraid (FreeDNS) 1, dnsExit 1
• C&C domains imitating legitimate websites:
  chinamil.lflink.com -> www.chinamil.com.cn (website of the Chinese military)
  soagov.sytes.net, soagov.zapto.org, soasoa.sytes.net -> www.soa.gov.cn (State Oceanic Administration)
  xinhua.redirectme.net -> www.xinhuanet.com (Xinhua News)
  126mailserver.serveftp.com, mail163.mypop3.net -> 126.com, 163.com (well-known mail service providers in China)
  kav2011.mooo.com, safe360.dns05.com, cluster.safe360.dns05.com, rising.linkpc.net -> Chinese anti-virus software
• Domain registrars

Tactics, techniques and procedures
• PoisonVine has a simple TTP.
• Reconnaissance on targets, e.g. important conferences in mainland China (“Chinese Asia-Pacific Annual Meeting in 2013”)
• Initial Access & Establishing a Foothold: spear-phishing with delivery decoys
  • archived PE
  • SFX
  • RLO
  • filename padding
• Collection & Exfiltration
  • documents: .doc/.ppt/.xls/.wps
  • keyword filtering; hardcoded keywords: military, international, technology, national
• Defense Evasion
  • API names stored in reverse order
  • A zero window handle passed to GetClientRect: the call fails on a real system but passes under AV heuristic (emulated) detection
• ATT&CK Matrix
  • T1193 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1204 User Execution
  • T1170 Mshta
  • T1064 Scripting
  • T1102 Web Service
  • T1022 Data Encrypted
  • T1005 Data from Local System

Impact
• Cloud storage
  • Token hardcoded in payloads
  • 3 GB of files exfiltrated

Attribution
• Language: encoding; PMingLiU font
• Identifying information: email, phone number, region, name or ID
  • Cloud storage API leak:
    {"status":"ok","email":"","phone":"15811848796","spaceQuota":1700807049216,"spaceUsed":508800279,"emailIsActive":0,"phoneIsActive":1}
  • Whois registration (limited by Whois protection services and GDPR)
• Similar to, but different from, another APT group, “BlueMashroom”
  • same region
  • different ways of Execution & Persistence: hijacking shortcut files in startup paths; using regsvr32 to execute DLLs

Conclusion
• APT actors are not always advanced; PoisonVine found its own ways to improve efficiency.
• APT actors always try to reduce their footprint under investigation and to hide attribution.
• In the APT tracing process, finding the intent of a threat and its attribution can always be an interesting game.

Thank you!
Leader of New Generation Cyber Security
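As an added example (not part of the deck or of Qi An Xin's tooling), two static triage checks a defender can run on a suspicious attachment to catch the tricks listed under Initial Access (RLO file names) and Defense Evasion (API names stored in reverse order); the API allow-list and the sample bytes are constructed for illustration.

```python
import re

# Constructed allow-list; a real scan would load the export tables of the
# common Windows DLLs (kernel32, user32, wininet, ...).
API_NAMES = {
    "CreateProcessA", "WriteProcessMemory", "VirtualAlloc", "GetProcAddress",
    "LoadLibraryA", "InternetOpenUrlA", "GetClientRect", "WinExec",
}
# Reversed spelling -> real name, e.g. "tceRtneilCteG" -> "GetClientRect".
REVERSED_APIS = {name[::-1]: name for name in API_NAMES}

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII


def rlo_display_name(filename: str):
    """Return (flagged, displayed_name) for an attachment file name.
    Text after U+202E renders right-to-left, so report<U+202E>cod.exe is
    shown as reportexe.doc although the real extension is still .exe."""
    if RLO not in filename:
        return False, filename
    head, _, tail = filename.partition(RLO)
    return True, head + tail[::-1]


def find_reversed_apis(blob: bytes) -> dict:
    """Return {reversed_string: api_name} for every printable string in the
    binary that spells a known API name backwards, which keeps the name out
    of the import table and of plain string scans."""
    hits = {}
    for run in PRINTABLE_RUN.findall(blob):
        for token in re.split(r"[^A-Za-z0-9_]+", run.decode("ascii")):
            if token in REVERSED_APIS:
                hits[token] = REVERSED_APIS[token]
    return hits


# Constructed sample payload: fake header, one normal DLL name and two
# reversed API names, NUL-separated as they would sit in a binary.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00AssecorPetaerC\x00"
    + b"This program cannot be run in DOS mode\x00tceRtneilCteG\x00\x00"
)

if __name__ == "__main__":
    print(rlo_display_name("report\u202ecod.exe"))  # (True, 'reportexe.doc')
    print(find_reversed_apis(SAMPLE_BLOB))
```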