###### How to take control of All your Systems Silently
RIFLE : Response Against Advanced Threat
HackCon : The Norwegian Cyber Security Convention
-----
###### About Me
Kyoung-Ju Kwak (郭炅周)
Manager, Threat Analysis Team
Currently working on FSI (Financial Security Institute) Threat Analysis Team
=> FSI (Financial Security Institute, Public Company) covers 200 financial companies in South Korea
Currently, Member of National Police Agency Cyber-Crime & Threat Intelligence Advisory Committee
Minister of Interior's Excellence Award, National Cyber Security Awards 2016
Highlighted Talks
1. The Case Study of Incidents in Korea Financial Sector, International Symposium on Cyber Crime Response, 2014
2. Financial Security, Whitehat Contest, 2015
3. Ransomware Overview, SungKyunKwan University, 2016
4. The New Wave of CyberTerror in Korea Financial Sector, PACSEC Tokyo, 2016
5. Fly me to the BLACKMOON, HITCON Taiwan, 2016
6. Kaspersky SAS (Security Analyst Summit, St. Maarten), 2017 (TBE)
-----
###### CONTENTS
01. Background Knowledge
02. RIFLE Campaign
03. Correlation Analysis
04. Summary & Conclusion
-----
## 01
###### Background Knowledge
-----
###### A Piece of Rifle Campaign
https://www.operationblockbuster.com
Blockbuster Operation
Threat Actor : Lazarus Group
-----
###### http://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0
-----
###### http://baesystemsai.blogspot.no/2017/02/lazarus-watering-hole-attacks.html
-----
###### 20th Mar, 2013
3.20 Cyber-terror (A.K.A DarkSeoul)
-----
###### 3.20 Cyber-terror (A.K.A DarkSeoul)
Patch Management Servers were taken over by attackers
Lots of PCs and Servers were shut down at the same time (20th March, 2013)
-----
###### Victims : 3 Major Banks and 3 Major Broadcasting Companies in South Korea
Almost 16,000 CD/ATM and 26,000 PCs & Servers totally unusable
KBS staff member's laptop screen damaged by 3.20 Cyber-terror
-----
###### Cyberterror Timeline in 2016
Feb : Fake Softcamp DRM Solution
Feb : Malware using Valid Code-signing Certificate of Initech
Mar : MLSoft tco!stream Vulnerability
Mar : Nicstech SafePC Vulnerability : Season 1
Mar : Malware using Valid Code-signing Certificate of IBLeaders
July : Personal Data Breach - Interpark Online Mall
Aug : Blacksheep Operation
Nov : Spearing-Hole attack using Initech's Valid Code-signing Certificate
Nov : Nicstech SafePC Vulnerability : Season 2
Dec : Military Cyber Command Cyber-terror
-----
###### Trend of Cyber-terror in 2016
Focusing on 3rd-party IT Solution Providers whose products are installed on Conglomerates
-----
## 02
###### RIFLE Campaign
-----
###### Rifle Campaign
Related operations (diagram): 3.20 Cyber-terror (DarkSeoul), ADEX Operation, Softcamp DRM Malware, BlackMine Operation, Fake Initech Malware, Military Cyber Command Cyber-terror, MLSoft tco!stream Vulnerability, Blacksheep Operation, Nicstech SafePC Vulnerability
-----
15th Feb, 2016 : SoftCamp DRM Malware Discovered
16th Feb, 2016 : Initech Malware Discovered - dubbed "Rifle Malware"
17th Feb, 2016 : Interesting Decoding Method Discovered
Mar, 2016 : Correlation between Initech Malware and Past Incidents Discovered
Mar, 2016 : Dubbed RIFLE Campaign
-----
###### Rifle Classification
|Type|Features|PDB (Program Data Base) Path|
|---|---|---|
|Rifle|Download additional malware (sec.exe)|E:\Data\My Projects\Troy Source Code\tcp1st\rifle\Release\rifle.pdb|
|Sniffer|Send infected PC's information to C&C Server|E:\Data\My Projects\Troy Source Code\tcp1st\sniffer - Copy\Release\dll_like_exe.pdb|
|Server|Installed on C&C Server; communicates with Rifle and Sniffer|E:\Data\My Projects\Troy Source Code\tcp1st\server\Release\server.pdb|
-----
###### Related Cases
-----
###### Rifle Campaign - Initech Malware
Sample Information
|File Name|MD5|File Type|
|---|---|---|
|iniSignCrypto.dll|C2A171716FF72B8C8965DFB3CD3ECCFF|DLL|
|(unnamed)|ECA2DFAA11ED41F119346E333B5D8461|EXE|
|iniwebssocrypto.exe|275B7AF66726950A895FBD74C6227CAB|EXE|
40+ Variants
-----
###### Rifle Campaign - Initech Malware
Certification Path
Abusing Valid Certificate stolen from IT Solution Company "Initech"
Certificate status : This certificate is OK
-----
###### Rifle Campaign - Initech Malware
Certificate details (image) : Issued to, Issued by, Valid from / to
-----
###### Rifle Campaign - Initech Malware
Flow (diagram)
- Dropper (Not Identified) creates and executes guifx.exe
- guifx.exe checks its exec args
  - /run does not exist : writes Autorun Registry entry, creates Mutex -> ASDASDASDSA
  - /run exists : gathers infected system's info (Username, Computername, OS Version, Network Adapter Info) and sends it to C2, then communicates with C2 and gets CMD from C2
- C2 command codes : 0x1055 : Create Additional Malware (sec.exe); 0x2746, 0x2744 : Waiting for C2 Command
-----
###### Rifle Campaign - Initech Malware
C&C Servers
|IP|Country|Allocated|
|---|---|---|
|192.99.223.115:80|Canada|Unknown|
|165.194.123.67:443|Republic of Korea|Jung-Ang University|
|175.117.144.67|Republic of Korea|Catholic Chant & Contemporary Music Internet Broadcasting (caccm.org)|
-----
###### Rifle Campaign - Initech Malware
Created File
C:\Program Files\Common Files\Graphics\guifx.exe
Mutex
ASDASDASDSA, MUTEX394039_4830023
PDB Path
E:\Data\My Projects\Troy Source Code\tcp1st\rifle\Release\rifle.pdb
E:\Data\My Projects\Troy Source Code\tcp1st\sniffer - Copy\Release\dll_like_exe.pdb
E:\Data\My Projects\Troy Source Code\tcp1st\server\Release\server.pdb
-----
###### Rifle Campaign - ADEX Spearphishing
ADEX : Seoul International Aerospace & Defense Exhibition
Spearphishing, target Military Defense Industry
Targets : Samsung Thales, Samsung Techwin, Agency for Defense Development, Doosan DST (Defense Systems & Technology), Hanwha Defense, LG CNS, LIG Nex1
Email Attachment (Weaponized macro document) => ADEX Participants List
-----
###### Rifle Campaign - ADEX Spearphishing
From : ADEX Steering Committee
To : xxxxx@lignex1.com
Contents
We provide participants list as an attachment. If you're not able to open Excel file, please enable Macros in Excel. Thanks.
Attachment
2015 Seoul Airshow Result and Participants list.xls
Disguised as ADEX Steering Committee
-----
###### Rifle Campaign - ADEX Spearphishing
Macro : Obfuscated -> After Deobfuscating
Sub 0x1 : http://158.69.115.115/help.php -> ahnLab.exe
* ahnlab = Well-known local Antivirus Vendor in South Korea
-----
###### Rifle Campaign - ADEX Spearphishing
ahnLab.exe
|File Name|MD5|File Type|
|---|---|---|
|ahnLab.exe|62FDF4822431D4C82B78E602AB3558AD|EXE|
-----
###### Rifle Campaign - ADEX Spearphishing
Comparison : iniWebSSOCrypto.exe & ahnLab.exe
Same PDB Path : E:\Data\My Projects\Troy Source Code\tcp1st\rifle\Release\rifle.pdb
-----
###### Rifle Campaign - ADEX Spearphishing
Comparison : iniWebSSOCrypto.exe & ahnLab.exe
Similar WinMain Function
-----
###### Rifle Campaign - ADEX Spearphishing
Comparison : iniWebSSOCrypto.exe & ahnLab.exe
Same Created Filename : GUIFX.exe
-----
###### Rifle Campaign - ADEX Spearphishing
Comparison : iniWebSSOCrypto.exe & ahnLab.exe
Same Autorun Registry Path : Software\Microsoft\Windows\CurrentVersion\Run\Graphics\guifx.exe /run
-----
###### Rifle Campaign - ADEX Spearphishing
Comparison : Initech Malware Variant & ahnLab.exe
Same C&C Server : 175.117.144.67
-----
###### Rifle Campaign - How they hacked Initech and stole Certificates
"Nicstech" DLP Solution Vulnerability
※ DLP : Data Loss Prevention
Initech uses this solution for internal security, and 67 financial companies also use it, including my company, FSI
-----
###### Rifle Campaign - How they hacked Initech and stole Certificates
"Nicstech" DLP Solution Vulnerability
0day Vulnerability
File transfer & Remote Command Execution (Encryption Key was hardcoded)
Vulnerable Port : 5560/tcp
-----
###### Rifle Campaign - How they hacked Initech and stole Certificates
"Nicstech" DLP Solution Vulnerability (diagram)
ATTACKER -> Initech Internal Network : File Transfer & Command Execution by using Nicstech Vuln
Lateral Movement to Build Server
Product Source code & Code-signing Certificate Leaked
-----
###### Rifle Campaign - SoftCamp DRM Malware
Sample Information
Dropper
|File Name|MD5|File Type|
|---|---|---|
|Unknown (Dropper)|741FADDA07D9C2E41D6D8B0F2E91BC5E|EXE|
|Unknown (Dropper)|EE778BE503FDA770EE2F40E51EDFD595|EXE|
Dropped Files
|File Name|MD5|File Type|
|---|---|---|
|SDSLogin.exe|33E09CF92DD8AB4F75DAC20E088A5709|EXE|
|kbinst.exe|BB710DB1C03EBC4F8D6EBB8B8577EE78|EXE|
|SDSinst.exe|5CA4562A5BFA15417707D3168161CB23|EXE|
|wsupdatemgr.dll|A1F92B84614D7F07AB84C7A97675B299|DLL|
-----
###### Rifle Campaign - SoftCamp DRM Malware
Flow (diagram)
- Dropper (Not Identified) drops SDSLogin.exe and kbinst.exe or SDSinst.exe
- SDSLogin.exe : 1) Delete wsupdatemgr service and SDSDec.dll 2) Create kbinst.log (IP and Sysinfo from infected system) and send it to C2
- kbinst.exe or SDSinst.exe : 1) Create ud.bat to delete SDSInst.exe itself 2) Drop wsupdatemgr.dll 3) Launch service with wsupdatemgr.dll by using svchost.exe
-----
###### Rifle Campaign - SoftCamp DRM Malware > C&C Server
|IP|Country|Allocated|
|---|---|---|
|165.194.117.35|Republic of Korea|Jung-Ang University|
|203.241.248.108|Republic of Korea|In-Jae University|
|124.139.210.45|Republic of Korea|Unknown|
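The host and network artifacts listed on the Initech, ADEX and SoftCamp slides above (autorun value, dropped files, mutexes, C&C addresses, the svchost-hosted service) can be turned into detection logic. The following is an added example, not code from the deck or from FSI; the event dictionaries and their field names are a constructed, Sysmon-like telemetry shape, not a real log format.

```python
import re
# Indicators copied from the Initech, ADEX and SoftCamp slides of this deck.
C2_IPS = {"192.99.223.115", "165.194.123.67", "175.117.144.67",    # Initech malware C&C
          "165.194.117.35", "203.241.248.108", "124.139.210.45",   # SoftCamp DRM malware C&C
          "158.69.115.115"}                                        # ADEX macro download host
MUTEXES = {"ASDASDASDSA", "MUTEX394039_4830023"}
MD5S = {"275B7AF66726950A895FBD74C6227CAB", "62FDF4822431D4C82B78E602AB3558AD",
        "A1F92B84614D7F07AB84C7A97675B299"}   # iniwebssocrypto.exe, ahnLab.exe, wsupdatemgr.dll
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
GUIFX_RUN = re.compile(r"guifx\.exe\s+/run", re.I)
DROPPED = {"guifx.exe", "kbinst.log", "ud.bat", "wsupdatemgr.dll"}

def match_event(ev):
    """Return the name of the first rule that fires for one event dict, or None."""
    t = ev.get("type")
    if t == "registry_set" and RUN_KEY.search(ev["key"]) and GUIFX_RUN.search(ev["data"]):
        return "initech_autorun_guifx_run"      # Run value -> ...\Graphics\guifx.exe /run
    if t == "file_create" and ev["path"].rsplit("\\", 1)[-1].lower() in DROPPED:
        return "rifle_dropped_file"
    if t == "mutex" and ev["name"] in MUTEXES:
        return "initech_mutex"
    if t == "service_install" and ev["dll"].lower().endswith("wsupdatemgr.dll"):
        return "softcamp_svchost_service"       # service hosting wsupdatemgr.dll under svchost.exe
    if t == "network" and ev["dst_ip"] in C2_IPS:
        return "rifle_c2_connection"
    if t == "process_create" and ev.get("md5", "").upper() in MD5S:
        return "rifle_known_hash"
    return None

def triage(events):
    """Map each firing rule to the ids of the events that triggered it."""
    hits = {}
    for ev in events:
        rule = match_event(ev)
        if rule:
            hits.setdefault(rule, []).append(ev["id"])
    return hits

# Constructed sample telemetry (not real logs): one Initech chain, one SoftCamp service, benign noise.
SAMPLE = [
    {"id": 1, "type": "file_create", "path": r"C:\Program Files\Common Files\Graphics\guifx.exe"},
    {"id": 2, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Common Files\Graphics\guifx.exe /run"},
    {"id": 3, "type": "mutex", "name": "ASDASDASDSA"},
    {"id": 4, "type": "network", "dst_ip": "175.117.144.67", "dst_port": 443},
    {"id": 5, "type": "service_install", "image": "svchost.exe", "dll": r"C:\Windows\wsupdatemgr.dll"},
    {"id": 6, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\updater.exe /quiet"},                # benign autorun
]
```

Running `triage(SAMPLE)` flags events 1 to 5 under five different rules and leaves the benign autorun alone.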
-----
###### Rifle Campaign - GhostRat Operation
-----
###### Rifle Campaign - GhostRat Operation
Start from C&C Server of Softcamp DRM Malware
Diagram nodes : ATTACKER; Softcamp Malware C&C Server 203.241.248.108 (In-Jae University); 210.xxx.xxx.241; 175.117.144.67 (Central C&C Server); 0day Attack -> Victims (SK Group, Hanjin, Korean Air, KT); Transfer Data -> Data Breach
-----
###### Rifle Campaign - GhostRat Operation
Damage
➊ Stolen Documents : 1TB / 42,600 files
➋ 140,000 PCs of 27 companies infected
➌ Victimized companies
   - Defense industry : Hanjin Group affiliates (Korean Air)
   - Telecommunications networks : 17 SK Group affiliates, KT
   - They're all Conglomerates
-----
###### Rifle Campaign - How they hacked Victims
TCO!Stream Vulnerability - 0day until March 2016
TCO!Stream : PC asset management system
Desktop integrated management software that manages all the PCs connected to the network. Some of its functions include various types of error management, hardware management, software management, software installation and upgrade, and illegal software check-up.
-----
###### Rifle Campaign - How they hacked Victims
TCO!Stream Modules
|Filename|Service Port|Functionality|
|---|---|---|
|EtcCmds.exe|3511|TCO!stream Server Health Check|
|TXFercli.exe|3523, 3524|Administrator can control Client PCs remotely : File Transfer & Receive, Deletion, Execution|
|tsrvctl_nt.exe|3526|Remote File/Command Execution|
|TClient.exe|3511|TCO!stream Client Main Module : Module Update, PC Information Gathering|
-----
###### Rifle Campaign - How they choose Targets and How FSI detected it
-----
###### Source : 175.117.144.67 (Korea)
Destination : 67 Financial Companies
-----
###### Rifle Campaign - Military Cyber Command (MCC) Incidents
3,200 PCs Infected
-----
## 03
###### Correlation Analysis
-----
###### RIFLE Campaign
###### Correlation Analysis : Trace their Footprints
Decoding or Encoding Method - Decoding Code, Decoding Key
Used Vulnerability
Created Files
PDB Path
Created Process
C&C Server - Server IP and Command Code
Registry
Internal String
Font (If Document malware)
MUTEX
-----
###### RIFLE Campaign
###### Correlation Analysis
Tools : YARA, Maltego
-----
###### Correlation Analysis
Font
https://kevinchen.co/blog/installing-north-korea-red-star-os/
|Frequently Used Fonts|Origin|
|---|---|
|DengXian, DengXian Light|Chinese Fonts|
|KP CheongPong, KP CheonRiMa, KP KwangMyeong|RedStar OS Fonts|
-----
###### Correlation Analysis : RIFLE Campaign
Decoding Method : IDA PseudoCode
-----
###### Correlation Analysis
XOR Key
Be careful with Endianness
-----
###### Correlation Analysis
PDB Path, C&C Server, Dropped Filename, Code Similarity
-----
###### RIFLE Campaign
###### Correlation Analysis - Relationship Overall (Maltego)
-----
## 05
###### Summary & Conclusion
-----
###### Cyber Attack in South Korea
- Too busy since last year, even until YESTERDAY!
- Massive Cyber Attack still ongoing and will keep going
- Attackers continuously try to find Vulnerabilities of 3rd Party Security Solutions
Correlation Analysis
- Know your enemies and Draw a Big Picture
- Build a Strategy and Tactics to respond against Advanced Threats in the Future
More We Share, More We Find Out
-----
###### Thank You
kjkwak@fsec.or.kr
skype, hangout : kjkwak12@gmail.com
HackCon : The Norwegian Cyber Security Convention
-----
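The "XOR Key / Be careful with Endianness" slide above deserves a worked illustration: the immediate that IDA pseudocode prints for a 32-bit key is not the byte order in which an x86 build applies it. This is an added example, not the deck's code; the key value 0x11223344 and the encoded buffer are constructed (the deck does not disclose the real key), and the two decoder shapes stand for the two loop forms an analyst typically meets in such pseudocode.

```python
# The key value and encoded buffer are constructed for illustration; the deck does not
# disclose the real key, only that the decoder is XOR and that byte order matters.
KEY = 0x11223344   # the immediate as IDA pseudocode would display it

def key_bytes(key, byteorder, width=4):
    """The key as it sits in memory on a machine of the given endianness."""
    return key.to_bytes(width, byteorder)

def xor_decode(data, key, byteorder="little"):
    """Byte-wise XOR, as `buf[i] ^= ((char *)&key)[i % 4]` does; the in-memory order is what counts."""
    ks = key_bytes(key, byteorder)
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

def xor_decode_dword(data, key):
    """XOR four bytes at a time, as `*(DWORD *)&buf[i] ^= key` does; trailing bytes byte-wise.
    On x86 this is identical to xor_decode(..., "little"), which is why reading the key
    big-endian off the pseudocode listing produces garbage."""
    out = bytearray()
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        n = len(chunk)
        word = int.from_bytes(chunk, "little") ^ (key & ((1 << (8 * n)) - 1))
        out += word.to_bytes(n, "little")
    return bytes(out)

# Constructed sample: a 14-byte config string encoded with KEY by an x86 (little-endian) build.
ENCODED = bytes.fromhex("7504173f7502153f7507163f7204")

def decode_both_orders(blob=ENCODED, key=KEY):
    """Show the two candidate decodings side by side; only the little-endian one is text."""
    return {order: xor_decode(blob, key, order) for order in ("little", "big")}
```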
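The correlation slides above (Trace their Footprints, the iniWebSSOCrypto.exe vs ahnLab.exe comparison, and the Maltego relationship overview) pivot on shared artifacts such as PDB path, created file, autorun value and C&C address. The following is an added example, not code from the deck or FSI, that performs that pivot over the indicator values printed on the slides; the sample names are labels chosen here, and the "control" entry is a constructed sample with made-up values.

```python
from collections import defaultdict

# Indicator values are those printed on the slides above; "control" is a constructed
# sample with made-up values so the clustering has something to keep apart.
RIFLE_PDB = r"E:\Data\My Projects\Troy Source Code\tcp1st\rifle\Release\rifle.pdb"
RUN_VALUE = r"Software\Microsoft\Windows\CurrentVersion\Run\Graphics\guifx.exe /run"
SAMPLES = {
    "Initech malware (iniWebSSOCrypto.exe)": {
        "pdb": {RIFLE_PDB}, "file": {"guifx.exe"}, "registry": {RUN_VALUE},
        "mutex": {"ASDASDASDSA", "MUTEX394039_4830023"},
        "c2": {"192.99.223.115", "165.194.123.67", "175.117.144.67"}},
    "ADEX spearphish payload (ahnLab.exe)": {
        "pdb": {RIFLE_PDB}, "file": {"guifx.exe"}, "registry": {RUN_VALUE},
        "c2": {"175.117.144.67"}, "download": {"158.69.115.115"}},
    "SoftCamp DRM malware": {
        "file": {"SDSLogin.exe", "kbinst.exe", "SDSinst.exe", "wsupdatemgr.dll"},
        "c2": {"165.194.117.35", "203.241.248.108", "124.139.210.45"}},
    "GhostRat operation": {"c2": {"203.241.248.108", "175.117.144.67"}},
    "control (constructed)": {"pdb": {r"C:\build\other\x.pdb"}, "c2": {"198.51.100.7"}},
}

def index_indicators(samples):
    """Invert the table: (kind, value) -> names of the samples that carry it."""
    idx = defaultdict(set)
    for name, attrs in samples.items():
        for kind, values in attrs.items():
            for v in values:
                idx[(kind, v)].add(name)
    return idx

def shared_indicators(samples, a, b):
    """Indicators common to a and b, the pivot the comparison slides are built on."""
    return sorted(k for k, names in index_indicators(samples).items() if {a, b} <= names)

def clusters(samples):
    """Group samples linked, directly or transitively, by any shared indicator (union-find)."""
    parent = {n: n for n in samples}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for names in index_indicators(samples).values():
        first, *rest = sorted(names)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for n in samples:
        groups[find(n)].add(n)
    return sorted(groups.values(), key=len, reverse=True)
```

`clusters(SAMPLES)` links Initech to ADEX through the PDB path, file, autorun value and 175.117.144.67, ADEX to GhostRat through 175.117.144.67, and GhostRat to SoftCamp through 203.241.248.108, reproducing the single connected picture of the Maltego slide while the control sample stays apart.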