----- ### Contents Chapter 1 INTRODUCTION ............................................................................................................. 2 Main Discovery .......................................................................................................................... 2 Chapter 2 Persistent Cyber-espionage ........................................................................................... 3 1. Initial attacks ..................................................................................................................... 3 Lure documents................................................................................................................. 3 2. Attack procedures ............................................................................................................. 9 Dropper ........................................................................................................................... 10 USB Worms...................................................................................................................... 11 ICEFOG Backdoor............................................................................................................. 14 3. Persistent monitoring & concentrated attacks ................................................................ 14 Chapter 3 Vulnerability Analysis .................................................................................................. 17 1. Introduction .................................................................................................................... 17 2. Exploit mechanism .......................................................................................................... 18 Chapter 4 Command and Control Mechanisms ........................................................................... 24 1. Onion.City ........................................................................................................................ 25 2. Fixed IP ............................................................................................................................ 25 Chapter 5 ICEFOG “Rebirth”:aimed at misleading or false flagging? ........................................ 27 1. Inertial thinking in relevance analysis ............................................................................. 27 2. Truth behind the “smoke curtain” ................................................................................... 29 Chapter 6 Special clues ................................................................................................................ 32 1. PDB path .......................................................................................................................... 32 2. File property of lure documents...................................................................................... 33 3. Information in Korean ..................................................................................................... 33 Chapter 7 Conclusion ................................................................................................................... 36 ----- # Chapter 1 INTRODUCTION ## Main Discovery On February 25[th], 2016, the Lazarus Group and its APT attacks were analyzed and released to the public by the industry alliance led by Novetta[1] which is composed of Kaspersky Labs[2], Alien Vault Labs[3]and other security companies. Coincidentally, the Group is also the organization behind DarkSeoul Operation[4] targeting Korean financial institutions and media houses in 2013 and the cyber-attack targeting Sony Pictures Entertainment (SPE)[5] in 2014. This group mainly targets some Asian countries like Korea and the victim industries include government, entertainment & media houses, army, aeronautical & astronautical institutes, financial entities and instruction industries, etc. In the year of 2015, we also detected an APT organization targeting government entities, transportation companies and energy industries. Through our further investigations, it hasn’t been found to be connected with the Lazars Group for the time being. Due to the fact that the Trojans dropped by this organization uses Onion.City[6] as their C&C and that their malware document names all contain dog.jpg, this organization’s APT attacks which stretched from 2013 to 2015 is code-named as Operation OnionDog. The initial malicious code dated back in May, 2011, followed by at least three concentrated attacks which happened in 2013, July-August in 2014 and July - September in 2015, respectively. Afterwards, we identified 96 pieces of malware along with 14 C&C domains and IP addresses. 1Operation Blockbuster, https://www.operationblockbuster.com/resources/index.html 2Operation Blockbuster revealed, https://securelist.com/blog/incidents/73914/operation-blockbuster-revealed/ 3Operation BlockBuster unveils the actors behind the Sony attacks, [https://www.alienvault.com/open-threat-exchange/blog/operation-blockbuster-unveils-the-actors-behind-the-so](https://www.alienvault.com/open-threat-exchange/blog/operation-blockbuster-unveils-the-actors-behind-the-sony-attacks) ny-attacks 42013 South Korea cyberattack, https://en.wikipedia.org/wiki/2013_South_Korea_cyberattack 5https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation 6http://onion.link ----- The malware of OnionDog spread itself by taking full advantage of the vulnerability in Hangul popular office software in Korean speaking countries; in the meanwhile, it infected targets through USB Worms inside an isolated network. What also caught our attention is that members of this organization communicated via Onion.City so that they could visit domains in the Deep Web without the help of Tor browser. This has created an ideal invisible cloak for the hackers in the anonymous environment of Tor. In addition, our in-depth analysis prevails that this threat actor tried to fly false flags or mislead investigators by adopting the techniques and resources of other APT organizations that are already revealed to the world. # Chapter 2 Persistent Cyber-espionage ## 1. Initial attacks Seeing from the current data we collected, malicious program spread itself mainly by either taking advantage of the vulnerability of HWP documents or pretending to be HWP documents. Attacks in this kind of guise usually are carried out via spearfishing emails. Hangul is prevalent local office software in South Korea with the file format of HWP (Hangul Word Processor)[7]. The fact that the threat actor is using HWP documents as a shield as well as adopting HWP exploit file suggests that the targeted users must be using or at least be familiar with Hangul. ### Lure documents **Sample MD5** **Content of the lure documents** **588eef80e6f2515a2e96c9d8f4d67d5a** Government information security **700e94d4e52c4c15ebed24ec07f91f33** VTS in the ports **b9164dd8260e387a061208b89df7bb6b** Training **3c983b300c533c6909a28cef7d7469ba** IT, resumes **3df1c88a4a7dae7fdf9282d2c4375433** Investigation Report on the Korean Railway Accident 7http://www.hancom.com/group.eng_main.main.do ----- **4ad5d70d79ea5b186d48a10dfdf8085d** Welfare of civil servants **5fbe59513167be2197c9f8fbf0afa7dd** Holiday system of civil servants **cbcf18e559b87afdd059cae1f03b18d1** Salary of Korean electric companies **3e9ac32a9418723c93e8de269ad63077** Check plan during summer vacation **90b36bd4d12f34d556f363d6e5f9564f** Business plan of Korean Ministry Of Land Infrastructure and Transport Table 1 Examples of the lure documents Picture 1 Lure document - Investigation Report on the Korean Railway Accident ----- Picture 2 Lure Document - Current installation situation of VTS in important ports across the country ----- Picture 3 Lure document - Responsive solutions against information leakage ----- Picture 4 Lure document - 2015 Security-Check Plan for Ulchi-Freedom Guardian (UFG) exercise ----- Picture 5 File property of typical lure HWP document **File Property** **Details** **Sample MD5** cbcf18e559b87afdd059cae1f03b18d1 **Lure document MD5** 9a4fafb0aa9f79dee2a117d237eaa931 **Content** Salary of Korea Electric Power Corp **File size** 25,088 **Program writer** test1234 **Creation time** 13:43:54, July 23[rd], 2014 **Last edit time** 8:41:30, July 24[th], 2014 **Last edit** APT-WebServer Table 2 File property of typical HWP lure document ----- ## 2. Attack procedures Picture 6 Attack procedures Once the Trojan (whether guise or exploit) is installed successfully, it will check if the installation time is within the specific attacking time (please refer to the attacking time in the table below). If the attacking time is over, it will stop the task and delete itself; otherwise, it will send requests to Control and Command (C&C) servers. The communication method evolves over time, for example, ----- the malicious program in 2014 requested the same IP and then it downloaded other Trojans though HTTP while in the 2015 malware version, all the C&C domains are consolidated into one “Onion.City”. More details about it will be introduced in the chapter of “Command and Control Mechanisms”. Among all the downloaded Trojans through HTTP, USB Worm is one of them. The Worm will infect any USB that is connected to the infected device. Then it will pass back data including the current time, the name of the computer, MAC address, the status of the infection (successful/failed), etc. to its C&C server. In addition, besides the above procedures, once the HWP exploit is successfully triggered, it will also release a backdoor. **September 8[th], 2015** **August 8[th], 2015** **July 13[th], 2015** **August 9[th], 2014** **July 31[st], 2014** **October 25[th], 2013** Table 3 Ending time of each attacks ### Dropper The types of droppers are different depending on whether to use a guise Trojan or to drop an HWP exploit file. Furthermore, based on the difference of C&C addresses, the Trojan have some variations, namely Trojans with fixed IP, Onion.City Trojan and test Trojan which have very little in common on the code architecture. To be more specific, the 2014 version malware sent request to a fixed IP, but in the 2015 malware, the C&C domain was changed a consolidated one called Onion.City. Another kind of Trojan was also detected in those two years. We captured malware samples that didn’t have C&C addresses with only downloaded pictures simply named “hello” or have the same IP “127.0.0.1”. Therefore we inferred they are the test Trojans. ----- As we mentioned, when the dropper is installed successfully and the date matches the attacking time, the dropper will send request to its C&C address to download other Trojans. The downloaded Trojans are saved in the file directory %temp% following the filename pattern of “XXX_YYY.jpg”. Together with the discoveries on lure documents, we figured out that these file names has special meanings - usually referring to a specific industry. The correspondences are as below: **Time** **File name** **Correspondent Industry** leepink_kosep Korea South-East Power Co, Ltd. (KOSEP) jhryum12_komipo Korea Midland Power Co, Ltd. (KOMIPO) **2014** wypark_kwater Korea Water Resources Corporation lhyuny_kospo Korea South Power Co, Ltd. (KOSPO) vts_korea VTS Corporation zerotaek_korea Korea ports andong4_seoulmetro2 Seoul Metro **2015** dydgh80_kdhc Korea District Heating Corp. myforce_humetro2 Busan Metro 2060262_smrt3 Seoul Metropolitan Rapid Transit Corporation Table 4 Meaning of different file names From the analysis above, it is obvious that the threat actor of OnionDog concentrated their forces on Korean Speaking countries’ instruction industry with diplomatic selection. In 2015, hackers cyber-attacked some transportation organizations including but not limited to ports, VTS, subway corporation, bus company, etc., while back in 2014, the attacks were focused on energy industry when several electric companies and water companies became the victims. ### USB Worms USB Worm is one of the Trojans downloaded. It affects any USB that is connected to the infected device and then passes back the required information to the C&C server. ----- The detailed execution flow can be found in the picture below. If it successfully connects to the Internet, it will send information to a specific server (hXXp://strj3ya55r367jqd.onion.city/main.php, port 80). The delivered information includes the current time, computer name, IP, MAC address, drive, the special string’ USB 감염성공’ and ‘USB 감염실패’ (meaning the infection is success or failed). If there are logs about USB, it will create a file named as ‘drive\deviceId’ to record the user’s actions and send files to the specific sever. Picture 7 USB Worm execution flow (USBman.dll) ----- Picture 8 usbrun.exe execution flow ----- Picture 9 Successful/failed USB infection ### ICEFOG Backdoor Regarding the connection between the backdoor and Operation OnionDog, please see Chapter 5 _ICEFOG “Rebirth”: aiming at misleading or false flagging? To know more about the functionality_ of the backdoor, please see the published research from Kaspersky Lab[8]. ## 3. Persistent monitoring & concentrated attacks Picture 10 Attack timeline Except for the backdoor, if other malicious Trojans want to execute all the functionalities, they will need to check whether the time on the host computer is within the effective time of the attack. Judging from the time slot between malware compile dates and ending dates, we concluded that the average survival time of the OnionDog Trojans should be 15 days. Picture 10 8 The Icefog APT: A Tale of Cloak and Three Daggers,https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/ ----- shows the attack timeline over the past few years. From 2013, the OnionDog gang carried out attacks on yearly basis and each session lasted very short time. Curiously, the ending time of the criminal campaigns are very similar, for instance, four campaigns in 2015 ended on August 8[th] with one day earlier than two campaigns in 2014. **Ending date** **Compile date** **Survival time** September 8[th], 2015 August 27[th], 2015 12 August 8[th], 2015 August 5[th], 2015 3 August 8[th], 2015 August 3[rd], 2015 5 August 8[th], 2015 July 23[rd], 2015 16 August 8[th], 2015 July 10[th], 2015 29 July 13[th], 2015 July 10[th], 2015 3 August 9[th], 2014 July 18[th], 2014 22 August 9[th], 2014 July 15[th], 2014 25 July 31[st], 2014 July 13[th], 2014 18 October 25[th], 2013 October 10[th], 2013 15 ----- Picture 11 Codes for Ending-date checking ----- # Chapter 3 Vulnerability Analysis ## 1. Introduction Through our in-depth analysis, we are sure that the vulnerability of HWP is not a zero-day one but an already revealed one that was unveiled in the APT report from nProtect[9] back in 2011. When Hangul Word Processor (HWP) reads documents in HWP 2.0, it uses function strcpy to process the front name and has no limits on the length of bits which results in buffer overflow and covers the SEH records. After triggering the memory access exception, the actors executed malicious codes by running the shellcode in Next SEH Record with the instruction sequence of ‘pop/pop/ret’. The vulnerability exists in HWP 2010 and some earlier versions. Please see the details below: **Affected versions** HWP 2002 5.7.9.3047 and earlier version HWP 2004 6.0.5.764 and earlier version HWP 2005 6.7.10.1053 and earlier version HWP 2007 7.5.12.604 and earlier version HWP 2010 8.0.3.726 and earlier version **Unaffected versions** HWP 2002 5.7.9.3049 and later versions HWP 2004 6.0.5.765 and later versions HWP 2005 6.7.10.1055 and later versions HWP 2007 7.5.12.614 and later versions 9[Warning] Detected malicious file using HWP file’s vulnerability, http://en-erteam.nprotect.com/2011/07/caution-detected-malicious-file-using.html ----- HWP 2010 8.0.3.748 and later versions Table 5 Affected HWP versions by the vulnerability The table here lists the exploit documents in Operation OnionDog: **MD5** **CVE number** **26b416d686ce57820e13e572e9e33cce[10]** none **de00286f6128fb92002e0c0760855566[11]** none Table 6 List of malicious HWP document ## 2. Exploit mechanism HWP supports documents in formats of .hwp, .doc, .wps, .ppt and so on. .hwp format includes HWP 2.0, HWP 3.0 and HWP 5.0. HWP 2.0 is a very old version, so when HWP process HWP 2.0 documents, it will switch the format to HWP 3.0 automatically. 10https://cryptam.com/docsearch.php?md5=26b416d686ce57820e13e572e9e33cce 11https://cryptam.com/docsearch.php?md5=de00286f6128fb92002e0c0760855566 ----- Picture 12 File format of HWP vulnerable documents The offset of the font structure in HWP 2.0 is 0x48E. The first two bytes in the font structure are the number of font names. Each font name has the length of 0x28. When HWP is processing a HWP 2.0 document, function ConvertFilterFileToWorkFile in Class CHwp20ToHwp30FilterLibrary will be called to convert the document into an HWP 3.0 document. Function Set20FontList will be called to process font structure. ----- Picture 13 Function Set20FontList Function Set20FontList will read 28 bytes from the HWP 2.0 document into the array arySrc[0x28], then loop copy bytes into aryDest[0x28] until the byte equals zero. But in the computer memory, arySrc is followed by aryDest. So the attacker took advantage of it. In the process, when the last byte of arySrc is 0x3C instead of zero, the loop will not stop and continue to copy the bytes in aryDest until it triggered the access exception C0000005. ----- Picture 14 Memory structure of arySrc aryDest The overwritten data includes the SEH of the function CHwp20ToHwp30FilterLibrary::ConvertFilterFileToWorkFile. Picture 15 SEH record is covered While copying the 00130000, it will trigger the access exception C0000005, then it will jump to the Windows exception handling process and call SEH Handler(7FFAC1B1) with the second parameter pointing to 12E4B8. ----- Picture 16 Call SEH Handler Picture 17 pop pop ret instruction sequence This is the instruction sequence ‘pop/pop/ret in’ ntdll.7FFAC1B1. After executing the two ‘pop’, ESP pointing to 12E4B8 where the initial position of malicious shellcode is that will be executed after the ‘Retn’ instruction. ----- Picture 18 The execution of shellcode In the end, it will create a normal HWP document in temp path and launch hwp.exe in HWP 2007 path, then load the document tmp.hwp and release the malicious msserver.exe. The interesting thing is that ICEFOG malware is not even released. ----- # Chapter 4 Command and Control Mechanisms We differentiate the versions of OnionDog by the communication methods in the operations. Through the sample analysis, we found that there are two main types of communication methods: one is based on fixed IP (operation in 2014) and the other one is based on Onion.City (operation in 2015). This map points out the correspondence between OnionDog samples and their C&C. Picture 19 Correspondence between samples malware and their C&C ----- ## 1. Onion.City **Related Onion.City URLs** **hXXp://uudv6kfdmm4pdbdm.onion.city/main.php** **hXXp://strj3ya55r367jqd.onion.city/main.php** **hXXp://u6y2j2ggtyplvzfm.onion.city/index2.php** **hXXp://qp4xhrnjuzq6glwx.onion.city/index2.php** **hXXp://j2kiphmeb4m4ek66.onion.city/index2.php** **hXXp://bcn5w6eqglytlnnn.onion.city/index2.php** Table 7 Related Onion.City URLs In 2015, the communication method within the OnionDog gang has been fully upgraded to Onion.City which is a much more high-end and covert communication method compared to the existing APT attacks. The role of URLs related to “index2.php” is to download other malicious codes while the URLs related to “main.php” are used to steal data from the pass-back process. Onion.City is the communication method where web search engine adopts Tor2web proxy technology so that users can visit domains in the Deep Web without the help of Tor browser. This has created an ideal invisible cloak for the attackers in the anonymous environment of Tor. ## 2. Fixed IP The communication C&C in the malicious Trojans in 2014 and 2015 are all directly connected to a fixed IP which has been hard-coded in the malicious codes. Coincidentally, the geo locations of the IP addresses are all in Korea. However, this doesn’t necessarily indicate the threat actor is in Korea because these IPs may only be some botnets or redirectors. **C&C IP** **Geo location** **218.153.172.53** Korea **218.145.131.130** Korea **222.107.13.113** Korea ----- **221.149.32.213** Korea **221.149.223.209** Korea **220.85.160.3** Korea **112.169.154.65** Korea **121.133.8.2** Korea Table 8 Associations between the fixed IPs and their geo locations ----- # Chapter 5 ICEFOG “Rebirth”:aimed at misleading or false flagging? ## 1. Inertial thinking in relevance analysis Our analysis of Operation OnionDog is mainly based on the data from 360 Threat Intelligence Center to uncover the associations between different resources. Our major discoveries are the guise files that pretend to be HWP files and the HWP exploit files taking advantage of HWP files’ vulnerability. They both contain lure documents and OnionDog samples. But HWP exploit files has one more malicious file type – backdoor (please see the picture below). Picture 21 Three kinds of derivatives of HWP exploit files We scanned the malware with our own AntiVirus engine. The result shows the backdoor belongs to ICEFOG malware families. Further manual analysis verifies that result because distinct features are recognized. For example, the encrypted memory is saved in the location “%TMP%\mstmpdata.dat”. The encrypted data will be decrypted based on XOR logical operation [with the string ‘&*^*@~^%9?i0h’. The C&C of the backdoor is www.sejonng.org. Signs like these](http://www.sejonng.org/) seems all point to the same conclusion. ICEFOG was revealed by Kaspersky in 2013. HWP exploit files appeared in July, 2014. Through comparison between the timestamp of the ICEFOG backdoor and its first show-up timein third-party (VirusTotal) analysis (see table below), it has been proven that the compile timestamp of ICEFOD backdoor is credible. The fact that the relevant samples already existed before Kaspersky’s report also directs to the conclusion that the backdoor sample belongs to ICEFOG. **MD5 samples of ICEFOG** **84f5ede1fcadd5f62420c6aae04aa75a** **ICEFOG sample compile time** 23:39:10, May 1[st], 2013 **The first show-up of ICEFOG sample Virustotal** May 6[th], 2013 ----- **Publication time of the ICEFOG report by** **Kaspersky[12]** September 25[th], 2013 **Sample C&C of ICEFOG** www.sejonng.org **C&C exposure time on media (ICEFOG report)** September 25[th], 2013 Table 9 Relevant info of ICEFOG samples in HWP exploit files **HWP exploit file 1** **HWP exploit file 2** **MD5** 26b416d686ce57820e13e572e9e 33cce de00286f6128fb92002e0c07608 55566 **Malware tracker** July 25[th], 2014 August 18[th], 2014 **VirusTotal** July 25[th], 2014 August 18[th], 2014 **MD5** **that** **releases** **“OnionDog”** **Compile** **time** **of** **OnionDog** bb27df0608e657215bd5fabd0e0c 4d1e 869527bcbc6e95d46103589e83 c37b7e 10:36:46, July 18[th], 2014 10:36:46, July 18[th], 2014 **ICEFOG MD5** 84f5ede1fcadd5f62420c6aae04aa 75a 84f5ede1fcadd5f62420c6aae04a a75a **ICEFOG compile time** 23:39:10, May 1[st], 2015 23:39:10, May 1[st], 2015 **MD5 of lure document** 9a4fafb0aa9f79dee2a117d237ea a931 843c6952e47564586a9094320f8 d8c22 **Creation time of lure** **document** July 23[rd], 2014 July 23[rd], 2014 Table 10 Relevant info of HWP exploit files We have testified the backdoor is from ICEFOG samples. The samples of ICEFOG and OnionDog are both released by the same HWP exploit file. With that said, according to our initial thinking, we almost believed that the ICEFOG must be associated with OnionDog; furthermore, ICEFOG even might be the organization behind Operation OnionDog, but is that true? 12 The Icefog APT: A Tale of Cloak and Three Daggers,https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/ ----- ## 2. Truth behind the “smoke curtain” At the very beginning, we assumed the organization behind OnionDog should be ICEFOG, but further investigations make us begin to doubt. The active time of OnionDog malicious files is around the month of July in 2014. Activities of other samples were active in the similar time windows like October in 2013, July to August in 2017 and July to September in 2015. In addition, Kaspersky published its report on ICEFOG at the end of September. Usually, after being exposed by security vendors, it is time when APT organization would cease their attacks and stop using relevant C&C or backdoors. This time, the threat actor doesn’t follow the regular rule. Of course, the possibility still exists that the attackers was exposing themselves on purpose as long as they can reach their goal maximally. However, it makes us begin to doubt our original assumption. According to the attack time listed above and our experience in APT analysis, there must be other intentions to explain why the attackers used previous attack methods even though some of the backdoors and C&C have been unveiled and detected. Regarding their real intentions, our speculations are: a. Lack of attack capabilities leave the attackers no choice but to use previous techniques and resources; b. Attackers are very confident that they can reach the same goal even if they use old techniques and resources because they know very well about the targets; c. Their real purpose is to fly false flags on other APT organizations or to confuse and mislead security researchers. We did some tests on HWP exploit files in virtual environment and found that actually when the HWP exploit file was triggered, it firstly opened lure documents, and then ran the OnionDog samples. In the whole process, it didn’t release any ICEFOG samples. That is to say, if users’ computers are attacked by HWP exploit file, only OnionDog samples will be released and run rather than ICEFOG samples. This phenomenon aroused questions to us: why the attackers implant a backdoor which they will never use in the following attacks to the HWP exploit? With this question in mind, we pulled out and arranged all the attacks according to chronological order to have a better view of the whole cyber-attack campaign. Besides the timestamp of ICEFOG itself, Kaspersky’s reporting time and the active time of OnionDog samples, there are two ----- time slots that require more attention which is related to the status of C&C domain [www.sejonng.org.](http://www.sejonng.org/) Picture 22 Timeline of HWP exploit and relevant resources In the report of ICEFOG from Kaspersky dated to September 25[th], 2013, the domain www.sejonng.org had yet been marked as “SINKHOLED by Kaspersky Lab”. Later in the historical data of WHOIS owned by DomainTools[13], we noticed the domain was already marked as “serverHold[14]” on January 1st, 2014. What’s more, from the website snapshot[15] provided by DomainTools, it shows that the domain has already been mark as “sinkhole[16]” by Kaspersky on June 4[th], 2014 or even earlier. Additionally, the most recent update about domain [www.sejonng.org](http://www.sejonng.org/) is that it has been taken over and sinkholed in the WHOIS record[17] of virustracker.info. 13https://whois.domaintools.com/ 14https://www.icann.org/en/system/files/files/epp-status-codes-30jun11-en.pdf 15https://research.domaintools.com/research/screenshot-history/sejonng.org/#0 16https://en.wikipedia.org/wiki/DNS_sinkhole 17https://whois.domaintools.com/sejonng.org ----- Picture 23 Historical page record of “www.sejonng.org” (from DomainTools) We deduced that when attackers started to distribute HWP exploit files, the C&C domain of ICEFOG backdoor has no longer belong to themselves. Combining all the factors above, we came to the conclusion that our third assumption should be the OnionDog gang’s real purpose: to fly false flags on other APT organizations or mislead researchers. Similar circumstance happened in the past APT attacks in which APT organizations used fake information to obstruct researcher from security companies. Taking the duqu 2.0 Analysis as an example, researchers from Kaspersky Lab also encountered the situation where the threat actor [added some fake symbols and very rare compression algorithm to direct researchers to believe](javascript:void(0);) the malware was related to APT1 or MiniDuke. ----- Picture 24 Excerpt from Kaspersky technical report about THE DUQU 2.0[18] # Chapter 6 Special clues ## 1. PDB path **Relevant samples** **PDB routes** **PDB1** **19** 10861ed5e2b01ba053d2659eebdce1a2 W:\2014 work\27 **APT-USB\140701** APT\svcInstaller\Release\DeleteService.pdb **PDB2** a38b9bcf692c1d69de74c4ad219a1cb5 W:\2014 work\27 **APT-USB\130701** APT\svcInstaller\Release\DeleteService.pdb **PDB3** **20** 598f2b1b73144d6057bea7ef2f730269 W:\2013 work\130610 **APT\svcInstaller\Release\DeleteService.pdb** Table 11 Typical PDB routes and correspondent samples From the table, we can see that in the PDB path, there are the letters of “APT” with each notation. 18THE DUQU 2.0 Technical Details, [https://cdn.securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_re](https://cdn.securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf) turns.pdf 19http://viruslab.tistory.com/3534 20http://viruslab.tistory.com/3567 ----- Along with it, the website of PDB path viruslab.tistory.com was exposed in front of the researchers. ## 2. File property of lure documents **File property** **Details** **Sample MD5** cbcf18e559b87afdd059cae1f03b18d1 **Lure document MD5** 9a4fafb0aa9f79dee2a117d237eaa931 **Content** Salary info of Korean electric companies **File size** 25,088 bytes **Program writer** test1234 **Creation time** 13:43:54, July 23[rd], 2014 **Last edit time** 8:41:30, July 24[th], 2014 **Last edit** **APT-WebServer** Table 12 Typical file property of HWP lure documents ## 3. Information in Korean A large amount of information in Korean showed up in the malicious codes during our analysis, which is the content in the data pack sent back to C&C servers. ----- Picture 25 Successful/failed infection via USB Picture 26 Successful running of an infection agent ----- Picture 27 USB connection log ----- Picture 28 Successful infection on PC # Chapter 7 Conclusion In recent years, APT attacks targeting instruction industries and large corporations are detected and revealed on a high frequency. Some of them are carried out to damage or destroy industrial control systems, for instance, Stuxnet and Black Energy; some of them are aimed at information theft, examples include the attacks plotted by the Lazarus Group which was finally released by the industry alliance of Kaspersky Labs, Alien Vault Labs and Nevetta. The Operation OnionDog we introduced here is also one of the latter. Such underground cybercrime can cause a great loss as well. In the malicious activities of Operation OnionDog, our researchers noticed that their naming notations are almost obsessive-compulsively consolidated. Ever since the malicious codes were created, their PDB paths are surprisingly coherent, for instance, the path of USB Worm is APT-USB and the one of fishing emails is APT-WebServer. When the Trojan of OnionDog is released successfully, it will send requests to C&C server to download other malicious programs and save them in the file folder %temp% with the file names following the same pattern “XXX_YYY.jpg” and are associated with specific attacking targets. All these signs indicate that the organization behind OnionDog is very cautious to hide their tracks and has a very rigorous system and strategic deployment. In 2014, OnionDog used multiple fixed IPs located in Korea as their server IPs for the Trojans. This ----- doesn’t necessarily indicate the threat actor is in Korea because these IPs may only some botnets or redirectors. In 2015, the network communication of OnionDog has been fully upgraded to Onion.City which is a much more high-end and covert communication method compared to the existing APT attack. The fact that ICEFOG samples were found in the HWP exploit files reminds us that OnionDog may adopt existing techniques and resources of some unveiled APT organizations in order to fly false flags on others or mislead our researchers. More importantly, this also rings the alarm for us that without discrimination between the research methods or between intelligence data, any analysis from single-dimension intending to track the associations has the possibility to lead us to the trap set by attackers. To reach a much more objective conclusion, we need to analyze from all facets or dimensions rigorously to avoid any subjective assumption. In addition, in the speculation of Chapter 5 ICEFOG “Rebirth”, besides building on our own intelligence information, we also reference the published research and resources of some third party security vendors like VirusTotal, DomainTools and Kaspersky. With the cross-validation from multiple resources, the fidelity of the data is greatly guaranteed. Previously, in the contest between security vendors and cybercrime or APT organizations, resources were severely out of balance. We hope that from now on the situation will be greatly improved through the collaboration among security vendors and corporations on APT defense. -----