### "We are about to land.": How CloudDragon Turns a Nightmare into Reality

###### Jhih-Lin Kuo & Zih-Cing Liao

-----

##### Jhih-Lin Kuo

• Senior Threat Intelligence Analyst
• Speaker at CODEBLUE, HITCON, etc.
• APT & financial intrusions

-----

##### Zih-Cing Liao

• aka DuckLL
• Senior Threat Intelligence Researcher
• Speaker at CODEBLUE, HITCON, ...
• Automated threat hunting

-----

###### Agenda

1. Who is CloudDragon
2. Technique I: Supply Chain Attack
3. Technique II: Be A Phishing King
4. Technique III: From PC to Mobile
5. Going Physical

-----

### Who is CloudDragon?

• Kaspersky, 2013: public
• APT 37 / Kimsuky (Kimsuky)
• Same shellcode

-----

###### Malware arsenal

• TroiBomb
• RoastMe
• JamBog (AppleSeed)
• BabyShark
• DongMulRAT (WildCommand)
• Lovexxx (GoldDragon variant)
• JinhoSpy (NavRAT variant)
• BoboStealer (FlowerPower)
• MireScript

-----

###### TroiBomb / RoastMe / JamBog / BabyShark / DongMulRAT

-----

###### JamBog infection chain

• WSF → Installer
• Installer drops a fake EXE and a decoy
• Installer runs regsvr32 to load JamBog: %APPDATA%\Microsoft\Windows\Defender\AutoUpdate.dll
• Inject

-----

###### JamBog C2 URL pattern

• ping: m=a&p1=[uid]
• upload: m=b&p1=[uid]&p2=[type]
• down_cmd: m=c&p1=[uid]
• delete_cmd: m=d&p1=[uid]
• update: m=e&p1=[uid]&p2=[arch]&p3=[sha1]

Data structure (cmd, upload file): Magic Header | Checksum | XOR Key | Enc Data

CMD / Function (first listed code: 0x00):
• Screenshot
• Keylog
• Fileupload
• Shell
• Run Plugin

-----

### Technique I: Supply Chain Attack

-----

###### The Incident

• Aug 2020 ~ Oct 2020
• Korean cryptocurrency hardware wallet
• NW.js build

-----

###### Delivery

• Official Site: kasse_setup.exe → kasse.exe
• C2: constants.bin, index.bin, main.bin

-----

###### Modified vs. Original

• 4ba6baf75625bddc5e1bc3fd40d04b1e
• Steal user preference (seed, passcode)

-----

#### Official Alert

-----

### Technique II: Be A Phishing King

-----

## Abuse Public Service

-----

###### Outlook

#### Domestic to Global services

###### Naver, Daum

-----

### TARGET

-----

# TARGET

-----

###### Phishing URL structure

| Segment | Value | Meaning |
|---|---|---|
| index.php?page= | dGVzdA== | userID |
| &p= | dmNwLzEwMDQvMTAwNQ== | proxy mode, exit page index |
| &u= | https%3A%2F%2Fnid.naver.com%2Fpush%2Fotp%3Fsession%3D[sid] | target url |

Full URL: index.php?page=dGVzdA==&p=dmNwLzEwMDQvMTAwNQ==&u=https%3A%2F%2Fnid.naver.com%2Fpush%2Fotp%3Fsession%3D[sid]

Flow: victim → Phishing Site → (Fetch) Real Site → (Modify) → victim

-----

### Technique III: From PC to Mobile

-----

###### Magic Header / URL pattern

-----

###### Mobile capabilities

• Update itself
• Upload file
• Send SMS
• Upload SMS
• Execute shell

-----

### Going Physical

-----

#### JamBog Plugin

-----

#### Key Takeaway

1. Capable of launching supply chain attacks
2. Phishing techniques are improving
3. Spreading to other platforms (mobile)

-----

###### References

• Dmitry Tarakanov. (2013) The "Kimsuky" Operation: A North Korean APT? (https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/)
• Jaeki Kim, Kyoung-Ju Kwak & Min-Chang Jang. (2018) DOKKAEBI: Documents of Korean and Evil Binary (https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/KimKwakJang-VB2018-Dokkaebi.pdf)
• Jaeki Kim, Kyoung-Ju Kwak & Min-Chang Jang. (2019) KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING (https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Kim-etal.pdf)
• Unit 42. (2019) New BabyShark Malware Targets U.S. National Security Think Tanks (https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/)
• Alyac. (2019) Revealing the "Smoke Screen" APT campaign targeting Korea and the U.S. (Kimsuky) (https://blog.alyac.co.kr/2243)
• AhnLab. (2019) Operation Kabar Cobra (https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf)
• NSHC. (2019) THE DOUBLE LIFE OF SECTORA05 NESTING IN AGORA (OPERATION KITTY PHISHING) (https://redalert.nshc.net/2019/01/30/operation-kitty-phishing/)

-----

###### References (cont.)

• Sveva Vittoria Scenarelli. (2020) To catch a Banshee: How Kimsuky's tradecraft betrays its complementary campaigns and mission (https://vblocalhost.com/uploads/VB2020-46.pdf)
• Assaf Dahan, Lior Rochberger, Daniel Frank and Tom Fakterman. (2020) Back to the Future: Inside the Kimsuky KGH Spyware Suite (https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite)
• KrCERT/CC. (2020) Operation muzabi (https://www.krcert.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf)
• Alyac. (2020) Analysis of the Thallium group's multi-dimensional APT attack disguised as domestic cryptocurrency wallet firmware (https://blog.alyac.co.kr/3310)
• Alyac. (2020) [Special Report] Thallium group, sued by Microsoft in the U.S., escalates "Fake Striker" APT campaign threat against South Korea (https://blog.alyac.co.kr/3120)

-----

### THANK YOU!

###### Jhih-Lin Kuo linda@teamt5.org
###### Zih-Cing Liao duckll@teamt5.org

-----
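As an added hunting example (not part of the talk's slides or the authors' tooling): a Python classifier for the JamBog C2 URL pattern shown on the "Who is CloudDragon" slides, run over constructed proxy log lines. Only the query parameters (m=a..e with p1/p2/p3) come from the slides; host names, paths, uid values and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# JamBog beacon types keyed on the "m" parameter, each with the other
# query parameters the URL pattern slide lists for that type.
JAMBOG_MODES = {
    "a": ("ping", {"p1"}),
    "b": ("upload", {"p1", "p2"}),
    "c": ("down_cmd", {"p1"}),
    "d": ("delete_cmd", {"p1"}),
    "e": ("update", {"p1", "p2", "p3"}),
}

def classify_jambog_url(url):
    """Return the beacon name if the query string matches a JamBog pattern, else None."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    m = q.get("m", [None])[0]
    if m not in JAMBOG_MODES:
        return None
    name, expected = JAMBOG_MODES[m]
    # Parameter set must match exactly: nothing missing, nothing extra.
    if {k for k in q if k != "m"} != expected:
        return None
    # p3 of an update beacon is a SHA-1, so it must be 40 hex digits.
    if m == "e" and not re.fullmatch(r"[0-9a-fA-F]{40}", q["p3"][0]):
        return None
    return name

# Constructed proxy log lines (not real traffic): "<ts> <client> <method> <url>".
# Hosts, paths and uid values are placeholders; the slide gives only the query string.
SAMPLE_LOG = """\
2020-09-01T10:00:01Z 10.0.0.5 GET http://c2.example.invalid/index.php?m=a&p1=3f2a9c
2020-09-01T10:00:07Z 10.0.0.5 POST http://c2.example.invalid/index.php?m=b&p1=3f2a9c&p2=screenshot
2020-09-01T10:00:09Z 10.0.0.7 GET http://www.example.invalid/search?q=m%3Da
2020-09-01T10:00:13Z 10.0.0.5 GET http://c2.example.invalid/index.php?m=e&p1=3f2a9c&p2=x64&p3=da39a3ee5e6b4b0d3255bfef95601890afd80709
2020-09-01T10:00:20Z 10.0.0.9 GET http://intranet.example.invalid/app?m=c
"""

def hunt_jambog_beacons(log_text):
    """Return (client, beacon, url) for each log line whose URL matches a JamBog pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, _, url = parts
        beacon = classify_jambog_url(url)
        if beacon:
            hits.append((client, beacon, url))
    return hits
```

The third and fifth sample lines are deliberate near-misses (an "m=a" inside another parameter, and a down_cmd with no uid) that the exact parameter-set check rejects.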