### TRACK 1

## Story of the 'Phisherman' - Dissecting Phishing Techniques of CloudDragon APT

###### Linda Kuo & Zih-Cing Liao

-----

##### Linda Kuo

• Senior Threat Intelligence Analyst @ TeamT5
• Speaker at Black Hat Asia, CODE BLUE, HITCON, etc.
• In love with APT & financial intrusions

-----

##### Zih-Cing Liao

• aka DuckLL
• Senior Threat Intelligence Researcher @ TeamT5
• Speaker at CODE BLUE, Black Hat Asia, etc.
• Focus on APAC APT

-----

##### Agenda

I. Who is CloudDragon
II. As a Phisherman - Techniques
III. In the Phisherman's Toolbox - Malware
IV. Key Takeaways

-----

# Who is CloudDragon

-----

#### Kimsuky / APT37

(Diagram: Kimsuky and APT37 are linked through the same shellcode)

-----

# As a Phisherman

###### Favored Techniques

-----

##### Target Scope

-----

##### These are the official ones

-----

##### These are the registered ones.....

• navor.ml
• daurn.hol.es
• claum.cf
• grnail-signin.ga

-----

• Microsoft
• Daum
• Naver
• Google

-----

(Diagram: Take contacts -> Attain access -> Send phishing emails)

-----

##### Delivery Method

-----

##### PHPMailer

• A full-featured email creation and transfer class for PHP
• Supports SMTP login
• Sends from the C2 (a compromised site)

-----

##### PHPMailer

-----

##### PHPMailer

```
.
├── _modules
│   └── PHPMailer-master   // PHPMailer release
├── list-test.py           // test accounts list
├── list.py                // target accounts list
├── mailer.php             // send mail
└── sender.py              // batch script
```

-----

##### PHPMailer

• sender.py

-----

##### PHPMailer

(Diagram: sender.py, mailer.php, list.py, PHPMailer)

-----

##### PHPMailer

• Mail header
• Fake sender email

-----

##### SendGrid

• Email delivery service
• 100 emails/day for free
• PHP support

-----

##### SendGrid

-----

##### SendGrid

```
.
├── ch
│   ├── change_phone.php      // send mail
│   ├── change_phone_z3.py    // batch script
│   ├── cruelty_z1.txt        // send log
│   └── z1.txt                // target list
├── enc_url.php               // url encryption
└── sendgrid-php              // sendgrid release
```

-----

##### SendGrid

• change_phone_z3.py

-----

##### SendGrid

(Diagram: enc_url.php, change_phone_z3.py, change_phone.php, z1.txt, SendGrid)

-----

##### SendGrid

• Email Header

-----

##### Delivery Method

(Diagram: Web Service, Python, Target List, PHP)

-----

# As a Phisherman

###### Evolutions in Techniques

-----

##### Traditional Phishing - Case I

-----

##### Traditional Phishing - Case I

• http://{cc}/?m=viewInputPasswd&token_help=ZGVtbw==
• m: mode
  • viewInputPasswdForMyInfo
  • viewInputPasswd
  • viewDownload
  • viewChangePasswd
• token_help: base64(userid)

-----

##### Traditional Phishing - Case I

```
.
├── Mobile_Detect.php   // detect user agent
├── css                 // css resource
├── download.php        // download file
├── error.php           // default error page
├── favicon.ico         // logo icon
├── index.php           // main controller
├── js                  // javascript resource
```

-----

##### Traditional Phishing - Case I

```
├── log.php             // log function page
├── mobile_{mode}.php   // mobile function page
├── pc_{mode}.php       // pc function page
├── reading.php         // ip recon page
├── res                 // image resource
├── result              // victim folder
│   └── {ip}_log.txt    // victim data
└── robots.txt          // anti bot
```

-----

##### Traditional Phishing - Case I

(Flow diagram: index.php includes Mobile_Detect.php, pc_{mode}.php / mobile_{mode}.php and log.php; every step is logged to /result/{ip}_log.txt; on parse success the data goes to /result/{user_id}cfm, on failure to error.php)

-----

##### Traditional Phishing - Case II

-----

##### Traditional Phishing - Case II

• http://{cc}/?token_help=ZGVtbw==&last=login
• token_help: base64(userid)
• last: exit page index

-----

##### Traditional Phishing - Case II

```
.
├── Merry Christmas.pdf   // decoy file
├── Mobile_Detect.php     // detect user agent
├── favicon.ico           // logo icon
├── iCloud_files          // web resource
├── icloud.php            // modified login page
├── index.php             // main controller
```

-----

##### Traditional Phishing - Case II

```
├── link.php              // redirect to specific victim
├── log.php               // log function page
├── pdf.php               // show decoy and redirect
├── reading.php           // ip recon page
├── result                // victim folder
│   └── {ip}_log.txt      // victim data
└── robots.txt            // anti bot
```

-----

##### Traditional Phishing - Case II

-----

##### Traditional Phishing - Case II

(Flow diagram: index.php includes icloud.php and log.php; every step is logged to /result/{ip}_log.txt; on success the data goes to /result/{user_id}cfm and the victim is redirected through link.php to pdf.php, which shows the decoy)

-----

##### Evolution 1: Proxy Mirror

(Diagram: Internet -> PHProxy -> Phishing Site)

• PHProxy
• Auto update proxy
• Replace response content
• Verify availability

-----

##### Proxy Mirror

• Phishing Email

-----

##### Proxy Mirror

(Diagram: Phishing Email -> Encrypted URL -> Hopping point (decrypt and redirect) -> Query String URL -> Phishing Site)

-----

##### Proxy Mirror

Encrypted URL in the email:
https://{cc1}/?u=Ym1QTkI1VzlaQkZ1L2daMHd2V0gxVWZocWxDaWtWek5DNmd2aXAxN20yWW8zUVBieGh0ck0ycDNNM1BrL3RFVU51YkFNcWNuTHF5Yi9kUFlBSXhLc3BJMXpQWUNVMXNTQTR0NjhlMmoxSEg0WDBuOEZhVmZOVEFYY2ZtZmYwa0M3RWR5aHhKREdIdEI1K0J6UTFkQTVKQlZ4cWxsNnFKdzcycEhYQkJRbEtYZFZhYzhmZ0QzbFQ4ZGo1blZpaTNL

Decryption at the hopping point: AES-256-CBC, KEY: SHA256("phpurlproxy.kr"), IV: SHA256("#@$%^&*()_+=-")

Decrypted query-string URL:
https://{cc2}/?page=ZGVtbw==&p=dmlwLzEwMDIvMTAwMw==&u=http%3A%2F%2Fmail.naver.com%2Fbeginnv.nid

-----

##### Proxy Mirror

• https://{cc2}/?page=ZGVtbw==&p=dmlwLzEwMDIvMTAwMw==&u=http%3A%2F%2Fmail.naver.com%2Fbeginnv.nid
• page: base64({user_id})
• p: base64(vip/{exit_index}/{exit_index})
• u: url_encode(target url)

-----

##### Proxy Mirror

• DEMO TIME

-----

##### Proxy Mirror

(Flow diagram: index.php fetches the Naver login page and modifies the form; the submitted username and password go to confirm.php; on success they are written to ./logs/{user_id}.cfm)

-----

##### Proxy Mirror

• DEMO TIME

-----
##### Evolution 2: Phishing Bot

(Diagram: Browser -> ajax -> Phishing Site -> Phishing Bot)

-----

##### Phishing Bot

• Phishing Email

-----

##### Phishing Bot

(Diagram: Phishing Email -> Encrypted URL -> Hopping point (decrypt and redirect) -> Query String URL -> Phishing Site)

-----

##### Phishing Bot

Encrypted URL in the email:
https://{cc1}/?u=KzBQNzJXOS96UWdjN0ZRYXlnVGtlcHBGb281WitveVVtRlVCY2V1b0lmR1Rvc2F0djRMYU44eUU1bitwY1VVWDJRKzdIb2Q1Umx6bUxKYUhHYkVyRERMVDVySTEyTjl4azEvSEorbkgvTEN5V2RDM1B5T2QvSERIbjZVY3Y5Z2ozZ3loUWZMUi9mamZkb0ZSWHZYNkx3PT0

Decryption at the hopping point: AES-256-CBC, KEY: SHA256("phpurlproxy.kr"), IV: SHA256("#@$%^&*()_+=-")

Decrypted query-string URL:
https://{cc2}/?mode=security&token_help={userid}&m=verify&last=info

-----

##### Phishing Bot

• https://{cc2}/?mode=security&token_help={userid}&m=verify&last=info
• token_help: username
• m: mode
  • login
  • login_otp
  • verify
  • edit
• last: exit page index

-----

##### Phishing Bot

• m=login

-----

##### Phishing Bot

• m=login_otp

-----

##### Phishing Bot

• m=verify

-----

##### Phishing Bot

• m=edit

-----

##### Phishing Bot

• 2FA Phishing

-----

##### Phishing Bot

• DEMO TIME

-----

# In the Phisherman's Toolbox

###### Malware

-----

##### Delivery Malware

(Diagram: Email -> Win PE, Win Installer, WSF, HTA, Macro doc, Exploit hwp)

-----

##### BabyShark

• 2019

(Diagram, 2019 chain: HTA / Macro -> Fetch Commands from expres.php, cow.php, upload.php ... -> Download power_dir.gif, power_exe.gif, power_key.gif, asist_vbs_backup.gif, asist.gif, cow.gif, exe.gif ...)
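The query-string layouts catalogued in the Traditional Phishing, Proxy Mirror and Phishing Bot slides above are a practical handle for triaging proxy logs and user-reported links. The decoder below is an added example written for this page; it is not tooling from the presentation or from TeamT5. It recognises the four documented parameter layouts (`m`/`token_help`, `token_help`/`last`, `page`/`p`/`u`, `mode`/`token_help`/`m`/`last`) plus the lone encrypted `u` parameter of the hopping point, decodes the base64 fields and reports the victim identifier, flow mode, exit page and the real target URL. The host names and the username in the sample URLs are constructed; the hopping-point ciphertext is only flagged, not decrypted, since that needs the AES-256-CBC key material shown on the slides.

```python
"""Decoder for the CloudDragon phishing URL layouts described in the slides.

Added example (not from the presentation). Sample hosts and usernames are
constructed; the parameter semantics follow the slides.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Flow modes documented for the Traditional Phishing Case I kit and the Phishing Bot kit
CASE_I_MODES = {"viewInputPasswdForMyInfo", "viewInputPasswd", "viewDownload", "viewChangePasswd"}
BOT_MODES = {"login", "login_otp", "verify", "edit"}


def decode_b64_field(value):
    """token_help / page / p carry base64 text; return (decoded, True) or (original, False)."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value, False
    if not text.isprintable():          # a short username that happens to be valid base64
        return value, False
    return text, True


def classify_phishing_url(url):
    """Map one URL onto the families from the slides; unknown layouts get family 'unknown'."""
    parts = urlsplit(url)
    # keep the first value of each key; parse_qs already undoes the url_encode() applied to `u`
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    info = {"host": parts.hostname, "family": "unknown", "user_id": None,
            "mode": None, "exit_page": None, "target_url": None}

    # Hopping point: a lone `u` holding ciphertext rather than a URL (AES-256-CBC per the slides;
    # the key material is deliberately not handled here)
    if set(q) == {"u"} and not q["u"].lower().startswith(("http://", "https://")):
        info["family"] = "hopping_point"
        return info

    if {"page", "p", "u"} <= set(q):                       # Evolution 1: Proxy Mirror
        info["family"] = "proxy_mirror"
        info["user_id"], _ = decode_b64_field(q["page"])
        info["exit_page"], _ = decode_b64_field(q["p"])    # "vip/{exit_index}/{exit_index}"
        info["target_url"] = q["u"]                        # the real page the mirror proxies
        return info

    if q.get("mode") == "security" and "token_help" in q and q.get("m") in BOT_MODES:  # Evolution 2
        info["family"] = "phishing_bot"
        info["user_id"] = q["token_help"]                  # bare username in this kit
        info["mode"] = q["m"]
        info["exit_page"] = q.get("last")
        return info

    if "token_help" in q and q.get("m") in CASE_I_MODES:   # Traditional Phishing Case I
        info["family"] = "case_i"
        info["user_id"], _ = decode_b64_field(q["token_help"])
        info["mode"] = q["m"]
        return info

    if "token_help" in q and "last" in q:                  # Traditional Phishing Case II
        info["family"] = "case_ii"
        info["user_id"], _ = decode_b64_field(q["token_help"])
        info["exit_page"] = q["last"]
        return info

    return info


def triage(urls):
    """Run the classifier over a batch of URLs and keep only recognised phishing layouts."""
    hits = [classify_phishing_url(u) for u in urls]
    return [h for h in hits if h["family"] != "unknown"]


# Constructed sample set: parameter values mirror the slides, the hosts are placeholders
SAMPLE_URLS = [
    "http://phish-cc.example/?m=viewInputPasswd&token_help=ZGVtbw==",
    "http://phish-cc.example/?token_help=ZGVtbw==&last=login",
    "https://hop.example/?u=KzBQNzJXOS96UWdjN0ZRYXlnVGtlcHBGb281WitveVVt",
    "https://mirror.example/?page=ZGVtbw==&p=dmlwLzEwMDIvMTAwMw==&u=http%3A%2F%2Fmail.naver.com%2Fbeginnv.nid",
    "https://bot.example/?mode=security&token_help=victim01&m=verify&last=info",
    "https://www.example.com/search?q=quarterly+report",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_URLS):
        print(hit)
```

Running the file prints one record per recognised URL; the `{user_id}` recovered from `token_help` or `page` tells you which mailbox was targeted, and `target_url` in the Proxy Mirror family names the legitimate service being mirrored, which is the value worth pivoting on when hunting for the same kit on other hosts.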
-----

##### BabyShark

(Screenshot: HTA decrypt function)

-----

##### BabyShark

(Screenshot: encrypted payload / decrypted payload)

-----

##### BabyShark

• 2020

(Diagram, 2020 chain: VBS / Macro -> recon (AV info) -> his.php; Drop)

-----

##### BabyShark

(Screenshot: decrypt function)

-----

##### BabyShark

(Screenshot: encrypted payload / decrypted payload)

-----

##### JamBog

• aka AppleSeed, AutoUpdate
• First seen: December 2019
• F:\PC_Manager\Utopia_v0.2\bin\Incubation64.pdb
• E:\works\utopia\Utopia_v0.2\bin\AppleSeed64.pdb

-----

##### JamBog

• WSF Script

-----

##### JamBog

(Diagram: WSF Script -> Drop -> JamBog, run via regsvr32 DllRegisterServer; Inject -> Explorer; decoy HWP / PDF / DOC)

-----

##### JamBog

• Persistent

-----

##### JamBog

• Encrypted Strings

-----

##### JamBog

• Decrypt Function

-----

##### JamBog

• Decrypt Function

-----

##### JamBog

• Decrypted Strings

-----

##### JamBog

• Data Encryption

(Diagram: Data -> Compress -> XOR with Key (16 bytes) -> Enc_data; stored as %PDF-1.7…4 0 obj | CRC Checksum | Key (16 bytes) | Enc_data)

-----

##### JamBog

• Data Encryption

(Diagram: %PDF-1.7…4 0 obj | CRC Checksum | Key (16 bytes) | Enc_data)

-----

##### JamBog

• Decrypt function

-----

##### JamBog

• Command
  • 0: execute cmd.exe
  • 1: run dll with regsvr32
  • 2: run dll in memory
  • 3: upload file

-----

##### JamBog

• Flag Function

-----

##### JamBog

• Flag Function

(Diagram: Check {Work Folder}/Flags/ -> Turn On KeybloardMonitor, ScreenMonitor, FolderMonitor, UsbMonitor)

-----

##### JamBog

• Screen Monitor

-----

##### JamBog

• Keyboard Monitor

-----

##### JamBog

• Folder Monitor

-----

##### JamBog

• USB Monitor

-----

##### JamBog

• Query String
  • ping: m=a&p1=[uid]
  • upload: m=b&p1=[uid]&p2=[type]
  • down_cmd: m=c&p1=[uid]
  • delete_cmd: m=d&p1=[uid]
  • upgrade: m=e&p1=[uid]&p2=[arch]&p3=[sha1]

-----

##### Key Takeaway

• The APT group CloudDragon
• Advanced and diverse phishing skills
• Malware in use

-----

# Thank You

###### Zih-Cing Liao (duckll@teamt5.org) & Linda Kuo (linda@teamt5.org)

-----

##### Reference
• Dmitry Tarakanov. (2013) The "Kimsuky" Operation: A North Korean APT? (https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/)
• Jaeki Kim, Kyoung-Ju Kwak & Min-Chang Jang. (2018) DOKKAEBI: Documents of Korean and Evil Binary (https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/KimKwakJang-VB2018-Dokkaebi.pdf)
• Jaeki Kim, Kyoung-Ju Kwak & Min-Chang Jang. (2019) KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING (https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Kim-etal.pdf)
• Unit 42. (2019) New BabyShark Malware Targets U.S. National Security Think Tanks (https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/)
• Alyac. (2019) Revealing the Kimsuky APT Campaign 'Smoke Screen' Targeting Korea and the US (https://blog.alyac.co.kr/2243)
• AhnLab. (2019) Operation Kabar Cobra (https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf)
• NSHC. (2019) THE DOUBLE LIFE OF SECTORA05 NESTING IN AGORA (OPERATION KITTY PHISHING) (https://redalert.nshc.net/2019/01/30/operation-kitty-phishing/)

-----

##### Reference

• Sveva Vittoria Scenarelli. (2020) To catch a Banshee: How Kimsuky's tradecraft betrays its complementary campaigns and mission (https://vblocalhost.com/uploads/VB2020-46.pdf)
• Assaf Dahan, Lior Rochberger, Daniel Frank and Tom Fakterman. (2020) Back to the Future: Inside the Kimsuky KGH Spyware Suite (https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite)
• KrCERT/CC. (2020) Operation muzabi (https://www.krcert.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf)
• Alyac. (2020) Analysis of the Thallium Group's Multi-Dimensional APT Attack Disguised as Domestic Cryptocurrency Wallet Firmware (https://blog.alyac.co.kr/3310)
• Alyac.
(2020) [Special Report] Thallium Group, Sued by Microsoft in the US, Escalates 'Fake Striker' APT Campaign Threat Against South Korea (https://blog.alyac.co.kr/3120)
• Jhih-Lin Kuo & Zih-Cing Liao. (2021) "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality (https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf)

-----