# A Deep Dive into the Digital Weapons of North Korean Cyber Army

HITB. Ashley Shen (@HITB), Moonbeom Park (@HITB)

[RELEASE VERSION]

-----

## Ashley Shen

- Senior Threat Analyst, TeamT5 Inc., Taiwan
- HITCON GIRLS
- Black Hat Asia Review Board
- Tracking APT attacks & actors

-----

## Moonbeom Park

- Deputy General Researcher, TTPA, South Korea
- BoB
- Speaker at TROOPERS, HITCON, Ekoparty, VXCON
- Tracking NK APT groups

-----

## Agenda

- Why this talk?
- Related Work
- The Legos, Malwares and Attack Cases
- The Exploit and Attack Cases
- Takeaways
- Q&A

-----

## Where is North Korea?

-----

## Why this talk?

- Reconnaissance General Bureau (RGB) (revealed in 2009)
- Cyber intelligence operations
- Cyber attacks are a long-term mission

-----

## Difference in APT Kill Chain

(Kill chain diagram: Maintain, Exploit, Execute, Control)

-----

## Related Work

- 2013
  - Operation Troy: cyber espionage and DDoS attacks (McAfee)
- 2016
  - Operation Blockbuster: Lazarus Group (Novetta)
  - From Seoul to Sony (BlueCoat)
- 2017
  - Lazarus under the hood: Bluenoroff group (Kaspersky)
  - Campaign Rifle: Andariel, the Maiden of Anguish (KFSI)

-----

## Group Comparison

| Group | Lazarus | Bluenoroff | Andariel |
|---|---|---|---|
| Targeted industry | Domestic government, finance, broadcasting | Global and domestic financial institutes | Domestic financial institutes, SMB IT companies and large corporations; defense industry |
| Purpose | Social chaos | Financial profit motivation | Information gathering and profit |
| Historical major incidents | 2013 3.20 DarkSeoul; 2014 Sony Pictures Entertainment breach; 2017 WannaCry | 2015-2016 SWIFT banking attack; 2017 Polish bank; 2017 South Korea | 2016 attack on cyber command center; 2017 South Korea ATM breach |

-----

## The Legos, Malwares and Attack Cases

-----

## Attack Vectors

- Software vulnerabilities
  - Developing 0-days for specific software
- Watering hole attack
  - Deploying exploits on compromised websites to spread the payload
- Spear-phishing email
  - Attaching malicious documents to spear-phishing emails to infect targets

-----

## Case: 2016 Compromised Online Shopping Site in South Korea

(Diagram: ① phishing attack by the attacker against the target's cloud drive ("Family Pictures"); ② spear-phishing email to an employee of the shopping site carrying a malware-laden family-photo screen saver program, which drops the "Our Family" trojan)

-----

## Trojan

- Incorporates the OpenSSL library into the file, causing a large file size (about 900M)
- Supports the following commands:

| Command code | Action |
|---|---|
| C2F24BB19A401D | Gather victim's information and transmit to C&C |
| E8AFAB73D2BE55 | Load a specific DLL and call an exported function |
| C7D3D97AE85AC1 | Delete itself to ielowutil.exe |
| 03AAEFA36E0646 | Gather specific files in My Documents and transmit to C&C |
| E2CE1DAA84A3B1 | Detect virtual environment |
| 2486C09D576ADA | Gather active process information and transmit to C&C |
| 4462929641CD6F | Gather Windows OS information and transmit to C&C |
| 653E648F2B3003 | Download data of iehmmap.dll from another server |

-----

## C&C Infrastructure

- Three C&C servers in the configuration, discovered in the Sony Pictures Entertainment case:

| C&C server IP | Country |
|---|---|
| 190.185.124.125 (port 443) | Honduras |
| 220.132.191.110 (port 443) | Taiwan |
| 202.137.244.198 (port 443) | New Zealand |

- 2017: linked to the WannaCry ransomware by Symantec

(Diagram: shared download sample and C&C server across the 2014 SPE, 2016 online shopping site and 2017 WannaCry cases)

-----

## Legos

- Using both customized versions of publicly available malware and self-developed malware.
- Reusing shared ("lego") code heavily.
  - Shared code is reused among different groups.
  - One of the keys to recognizing attacks from DPRK: it is very difficult to correlate them through C&C infrastructure.
  - We call these pieces of shared code "legos"!

-----

## Lego1: Multi_Keys_xor Function

- Frequently used to decode strings and APIs
- Sometimes applied together with base64 or other legos!

-----

## Lego2: FE_XOR Function

-----

## Lego3: TABLE_LOOKUP_Decode Function

- Input string: "mszHzxmKH6E2zGE=" → output string: ExitProcess
- Input string: "mNHa6zuXE6cgzFpuyho=" → output string: G P H

-----

## Lego4: S_Hat_DECODE Function

-----

## OK… so what are we going to do with these legos?
-----

(Timeline: GhostRAT, Mar 2016; DesertWolf, Aug 2016; VanATM, Mar 2017)

-----

## 2016.03

### Removed from Release version

-----

## Malware Seen

- Gh0st Variant
- Rifdoor (on C&C)
- Hacking Tool for DRM A
- Hacking Tool for DRM B
- Gh0st Origi Variant

-----

## Rifdoor (Rifle)

- Coined "Rifle" because of the PDB string: `E:\Data\My Projects\Troy Source Code\tcp1st\rifle\Release\rifle.pdb`
- A simple backdoor
- Encodes strings with XOR 0x0F
- Supported commands:
  - $downloadexec (download sec.exe)
  - $internal (sleep)
  - $download (download file)

-----

## 2016.08 DesertWolf

- The South Korean Ministry of National Defense (Cyber Command) announced that North Korea infiltrated a military network.
- 3,200 hosts were compromised, 700 of them on the military intranet.
- 39 samples collected, 20 confirmed linked to NK groups.
- Cyber Command announced that a Shenyang IP address was found.

-----

## Malware Seen

- Type A Backdoor
- Type B (Phandoor)
- Type C Backdoor
- Keylogger A

-----

## Loading APIs dynamically with Lego4

-----

## Backdoor check-in

- Upon execution, gets the victim's IP address with GetAdaptorInfo and encodes it.
- Sends the encoded IP address & MAC address with the special string "Anonymous" to test the C&C server connection.

-----

## Backdoor commands

- The attacker tailored this trojan for different cases; the supported functions vary across incidents.

| Command | Action |
|---|---|
| 8 | Execute Windows command |
| 9 | Get disk information or search file |
| 10 | Find file and send |
| 11 | Receive data and save it to a file |
| 15 | Terminate |
| 16 | Close connection and reconnect |
| 18 | Copy and move nehomegpa.dll to another path |
| 26 | Search process |

-----

## 2017.03 VanATM

- The attacker attacked an ATM service provider.
- Compromised the internal network through the antivirus vaccine update server (VMS).
- Lateral movement to the compromised ATM management server connected with the VMS server.
- More than 600 ATM machines were infected with a RAT and keylogger.
- The malware connects to the same C2 discovered in the DesertWolf case.
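The Rifdoor slide above notes that its strings are encoded with XOR 0x0F, and Lego1 is a XOR-based string decoder. As an added example (not code from the talk), the following Python sweeps a binary for the slide's command strings under every single-byte XOR key, the way a YARA `xor` modifier would, and checks for the quoted PDB path in clear text; `build_sample()` and `triage()` are assumed helper names and the sample blob is constructed.

```python
# Added example (not from the HITB deck): hunt for XOR-encoded "lego"
# strings in a binary the way a YARA `xor` modifier does. Rifdoor encodes
# strings with XOR 0x0F; the PDB path and command names are from the slide.
from typing import Dict, List, Tuple

RIFLE_PDB = rb"E:\Data\My Projects\Troy Source Code\tcp1st\rifle\Release\rifle.pdb"
RIFLE_COMMANDS = [b"$downloadexec", b"$internal", b"$download"]


def xor_single(data: bytes, key: int) -> bytes:
    """Single-byte XOR as Rifdoor uses with key 0x0F (encode == decode)."""
    return bytes(b ^ key for b in data)


def find_xor_strings(blob: bytes, needles: List[bytes],
                     keys=range(0x01, 0x100)) -> List[Tuple[int, int, bytes]]:
    """Every (offset, key, plaintext) where a needle appears XORed with a
    single-byte key; key 0x00 (clear text) is left to find_plain()."""
    hits = []
    for key in keys:
        for needle in needles:
            encoded = xor_single(needle, key)
            off = blob.find(encoded)
            while off != -1:
                hits.append((off, key, needle))
                off = blob.find(encoded, off + 1)
    return sorted(hits)


def find_plain(blob: bytes, needles: List[bytes]) -> Dict[bytes, int]:
    """Offsets of needles stored in clear text (e.g. a leftover PDB path)."""
    return {n: blob.find(n) for n in needles if n in blob}


def build_sample() -> bytes:
    """Constructed stand-in for a Rifdoor-like binary: padding, the clear
    text PDB path, then each command string XORed with 0x0F."""
    body = b"\x00" * 16 + RIFLE_PDB + b"\x00" * 8
    for cmd in RIFLE_COMMANDS:
        body += xor_single(cmd, 0x0F) + b"\x00"
    return body + b"\x90" * 8


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise the indicators found: PDB present, XOR keys, commands."""
    hits = find_xor_strings(blob, RIFLE_COMMANDS)
    return {
        "pdb": RIFLE_PDB in find_plain(blob, [RIFLE_PDB]),
        "keys": sorted({k for _, k, _ in hits}),
        "commands": sorted({n for _, _, n in hits}),
    }
```

Running `triage(build_sample())` recovers key 0x0F and all three commands; on a real sample the recovered key set is the quick tell that a lego-style XOR encoder is present.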
-----

### Removed from Release version

-----

## Malware Seen

- Rifdoor
- Gh0st
- Hacking Tool (Sniffer)
- Keylogger A
- Trojan D

-----

(Diagram: relationship between the GhostRAT, VanATM and DesertWolf cases)

-----

## Other TTPs on binaries

- PACKERS! PACKERS! PACKERS!
- Love VMP (feel the pain!!)
- ASPack, UPX, Armadillo v1.71, Themida
- Encode every string and load dynamically
- Sometimes encode

-----

### Removed from Release version (four slides)

-----

## The Exploit and Attack Cases

-----

## HWP exploit documents

- Hangul Word Processor (HWP) is a proprietary word processing application published by the South Korean company Hancom Inc.
- The most popular word processor in South Korea (similar to Ichitaro in Japan).
- Attackers deployed HWP exploit documents in attacks targeting Korean individuals/organizations.

-----

## CVE-2013-0808

- EPS Viewer buffer overflow vulnerability
- Triggered through Ghostscript in HWP (Hangul Word)
- Dropping an EPS file with a NOP sled and shellcode
- Downloading the payload from the C&C server

(Figure: NOP sled for heap spray, shellcode, Ghostscript commands)

-----

## CVE-2017-0621

- EPS restore use-after-free
- Applied frequently in recent attacks by Bluenoroff targeting the financial industry in South Korea
  - Targeting a lot of Bitcoin companies recently
- No alert or error is triggered during exploitation
- Triggered in HWP files
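For the CVE-2013-0808 slide above (an EPS file carrying a NOP sled for heap spray plus shellcode inside Ghostscript commands), here is an added defender-side heuristic, not from the talk or from Hancom: it decodes PostScript hex string literals and flags any that are long and dominated by one repeated byte. The EPS text, the `MIN_BLOB`/`MIN_SLED` thresholds and the helper names are constructed assumptions.

```python
# Added example (not from the HITB deck or Hancom): a defender-side heuristic
# for the CVE-2013-0808 pattern, an EPS whose PostScript hex strings hold a
# NOP sled for heap spray plus shellcode. EPS text and thresholds are assumed.
import re
from typing import Dict, List, Tuple

HEX_STRING = re.compile(rb"<([0-9A-Fa-f\s]+)>")
MIN_BLOB = 256   # assumption: legitimate EPS hex strings are short
MIN_SLED = 64    # assumption: a spray sled repeats one byte at length

def hex_strings(eps: bytes) -> List[bytes]:
    """Decode every PostScript hex string literal <...> in the file."""
    out = []
    for m in HEX_STRING.finditer(eps):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"        # PostScript pads an odd trailing nibble
        out.append(bytes.fromhex(digits.decode("ascii")))
    return out

def longest_run(data: bytes) -> Tuple[int, int]:
    """(byte value, length) of the longest run of one repeated byte."""
    best, cur, prev = (-1, 0), 0, -1
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        if cur > best[1]:
            best = (b, cur)
    return best

def assess_eps(eps: bytes) -> Dict[str, object]:
    """Flag an EPS whose hex strings look like a sled followed by payload."""
    findings = []
    for blob in hex_strings(eps):
        sled_byte, sled_len = longest_run(blob)
        if len(blob) >= MIN_BLOB and sled_len >= MIN_SLED:
            findings.append({"size": len(blob), "sled_byte": sled_byte,
                             "sled_len": sled_len, "tail": len(blob) - sled_len})
    return {"is_eps": eps.startswith(b"%!PS"),
            "suspicious": bool(findings), "findings": findings}

def sample_eps() -> bytes:
    """Constructed EPS: one benign short string, one sled + stand-in payload."""
    sled = b"90" * 300                                  # 300 x 0x90
    payload = bytes(range(0x20, 0x60)).hex().encode()   # 64 arbitrary bytes
    return (b"%!PS-Adobe-3.0 EPSF-3.0\n/s <48656c6c6f> def\n"
            b"/a <" + sled + payload + b"> def\n"
            b"0 1 200 { pop a } for\nshowpage\n")
```

The same check applies to EPS objects extracted from an HWP container before Ghostscript ever sees them, which is where a mail gateway or sandbox would run it.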
-----

(Figure: embedded 64-bit PE)

-----

## Trojan

- Manuscrypt encoded with XOR
- Manuscrypt packed with VMP
- Decoded by the shellcode and injected directly into the "explorer.exe" process

-----

(Figure: Korean in the macro script)

-----

## CVE-2016-0189

- Vulnerability works on Internet Explorer 9–11
- Remote JavaScript execution
- Compromised website targeting North Korean defectors

-----

## Interesting PDB Strings

### Removed from Release version

-----

## Takeaways

- We introduced some "lego" code, exploits and webshells for identifying attacks from the DPRK cyber army.
- Cyber attackers from the DPRK frequently reuse function code in their attacks.
- We are building a shared code library called "The Legos" project, encouraging researchers to release YARA rules for lego functions.
- The legos indicate a shared code database or a dedicated group responsible for tool development.
- More attacks from Lazarus/Bluenoroff/Andariel are expected; be prepared and update to the latest

-----

## Questions?

- ashley_shen_920
- krNeoTra

-----

## Reports

- Financial Security Institute: Campaign Rifle: Andariel, the Maiden of Anguish
- https://www.vxsecurity.sg/2016/11/22/technical-teardown-exploit-malware-in-hwp-files/
- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html

-----