
Let's name an APT group name!

AVTOKYO2016

I'd like to introduce the process of naming an APT group or campaign, with concrete examples of the features obtained from malware analysis and similar work.

http://en.avtokyo.org/avtokyo2016/speakers#seraph

Akira Miyata(seraph)

October 23, 2016

Transcript

  1. Introduction
     •  Akira Miyata (Twitter: @Seraph39)
     •  Malware analyst ... NOT!
     •  AVTOKYO2015 speaker: "Collecting information of targeted attacks by OSINT"
     •  SANS Lethal Forensicator Coin Holder (FOR610, Washington D.C., 2014)
  2. Today's talk
     •  What kind of investigation is done before attacker groups and campaigns are given names?
     •  What kinds of names do vendors give to attacker groups and campaigns?
  3. Mail
     •  Mail address
        –  Free mail
        –  Hijacked and used
     •  Sender IP (including forged ones)
     •  Sender time (UTC+x: the sender's time-zone offset)
     •  Relay mail servers
  4. Mail
     •  Distinctive strings such as 「ご高覧」 ("your perusal")
     •  First line of the body is blank
     (Ref.) https://www.ipa.go.jp/files/000053445.pdf
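
The header and body features on slides 3 and 4 can be pulled out mechanically before anything is named. The script below is an added example written for this page, not code from the deck: the message, its hosts, addresses and IP ranges are constructed placeholders, and the free-mail domain list is an assumption. It separates the sender's own clock (the Date header, written by the client) from the relays' clocks (the Received timestamps), which is where the "UTC+x" feature actually comes from.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. Hosts, addresses and IPs are documentation
# placeholders (.example names, RFC 5737 ranges), not real observations. The
# body reproduces two features from the slide: a blank first line and the
# phrase "ご高覧".
SAMPLE_MAIL = """\
Received: from mx.freemail.example (mx.freemail.example [192.0.2.10])
        by mail.target.example (Postfix) with ESMTP id ABC123
        for <user@target.example>; Fri, 22 May 2015 12:51:18 +0900
Received: from [198.51.100.7] (unknown [198.51.100.7])
        by mx.freemail.example (Postfix) with ESMTPA id DEF456;
        Fri, 22 May 2015 12:50:55 +0900
From: "Sender" <sender@freemail.example>
To: user@target.example
Subject: Documents
Date: Fri, 22 May 2015 11:50:30 +0800
Message-ID: <1@freemail.example>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit


資料を添付いたしますので、ご高覧ください。
"""

# Assumed free-mail provider list; a real one is maintained separately.
FREE_MAIL_DOMAINS = {"freemail.example"}

RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)")
RECEIVED_BY = re.compile(r"\bby\s+(?P<by>\S+)")


def _utc_offset_label(dt):
    off = dt.utcoffset()
    return None if off is None else f"UTC{off.total_seconds() / 3600:+g}"


def analyze_mail(raw: str) -> dict:
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    hops = []
    for rcvd in msg.get_all("Received", []):
        frm = RECEIVED_FROM.search(rcvd)
        by = RECEIVED_BY.search(rcvd)
        try:
            offset = _utc_offset_label(
                parsedate_to_datetime(rcvd.rsplit(";", 1)[-1].strip()))
        except (TypeError, ValueError):
            offset = None
        hops.append({
            "from_ip": frm.group("ip") if frm else None,
            "by": by.group("by") if by else None,
            "offset": offset,
        })
    # Each relay prepends its own Received line, so the last one is the
    # first hop. Its IP is only as trustworthy as that relay.
    first_hop = hops[-1] if hops else {"from_ip": None, "offset": None}
    body = msg.get_payload()
    lines = body.splitlines()
    return {
        "sender": sender,
        "free_mail": sender.rpartition("@")[2].lower() in FREE_MAIL_DOMAINS,
        # The Date header is written by the sender's client, so its zone is
        # the sender's configured zone, not the relay's.
        "sender_utc_offset": _utc_offset_label(parsedate_to_datetime(msg["Date"])),
        "first_relay_utc_offset": first_hop["offset"],
        "origin_ip": first_hop["from_ip"],
        "relays": [h["by"] for h in hops],
        "first_body_line_blank": bool(lines) and lines[0].strip() == "",
        "has_distinctive_phrase": "ご高覧" in body,
    }


if __name__ == "__main__":
    for key, value in analyze_mail(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
```

In the constructed message the sender's client says UTC+8 while both relays stamp UTC+9; that kind of mismatch is the feature worth recording, not either value on its own.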
  5. Decoy file
     •  Presence
        –  Embedded in the malware (the majority of cases)
        –  Present as a separate file after extracting the archive
     •  Font
        –  Display font of the decoy file
        –  SimSun font used in Emdivi's decoy files
  6. Decoy file
     •  Shoddy faction
        –  Blank files, often seen in the spreading mail
     •  Procurement faction
        –  In many cases, files that have already been published
        –  Some are documents with parts struck out, but they are still public files
     •  Earnest faction
        –  Files obtained during the intrusion
        –  Such a file reveals that intrusion and information leakage have occurred
  7. Malware
     •  Icon disguise
     •  Extension impersonation
        –  Using RLO (Right-to-Left Override)
        –  Long file names
     •  Compression formats: zip, lzh, rar, 7z, etc.
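
The RLO and long-name tricks on this slide are about the gap between what a file manager displays and what the shell executes. The check below is an added example for this page, not code from the deck: the extension lists are assumptions chosen for illustration, and the rendering of bidi controls is a simplification of the Unicode algorithm (it reverses the run after U+202E until U+202C or the end of the name).

```python
import os
import re

# Unicode bidi control characters that can change how a name is displayed.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Extensions Windows will execute (assumed list for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".hta", ".lnk"}
# Document extensions the victim is meant to see (.jtd is Ichitaro).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jtd", ".txt", ".jpg"}


def apparent_name(name: str) -> str:
    """Approximate what a bidi-aware file manager shows: the run after
    U+202E (RLO) is drawn right-to-left, i.e. reversed, until U+202C (PDF)
    or the end of the string. Other bidi controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_filename(name: str, max_display: int = 40) -> dict:
    """Compare the displayed name with the extension the OS will act on."""
    stem, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    shown = apparent_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi_control")
    if re.search(r"[ _]{8,}", stem):
        # Runs of spaces/underscores push the real extension out of view.
        reasons.append("padding")
    if len(name) > max_display:
        # Weak signal on its own: a file list may simply truncate the name.
        reasons.append("long_name")
    if real_ext in EXECUTABLE_EXTS:
        inner_ext = os.path.splitext(stem.rstrip(" _"))[1].lower()
        if shown_ext != real_ext or inner_ext in DOCUMENT_EXTS:
            reasons.append("hidden_executable")
    return {
        "name": name,
        "displayed_as": shown,
        "real_ext": real_ext,
        "reasons": reasons,
        "suspicious": any(r != "long_name" for r in reasons),
    }


if __name__ == "__main__":
    for sample in ("report\u202efdp.exe",
                   "invoice.pdf" + " " * 60 + ".exe",
                   "2016_budget.xlsx"):
        r = inspect_filename(sample)
        print(repr(r["displayed_as"]), r["real_ext"], r["reasons"])
```

The first sample is stored as `report<RLO>fdp.exe` and displays as `reportexe.pdf`; the check reports both the control character and the mismatch between the shown and real extensions, which is the pair of facts an analyst records for the sample.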
  8. Malware
     •  Use of vulnerabilities
        –  Often exploited immediately after a vulnerability is found (or its fix is released)
        –  Ichitaro vulnerabilities: clearly targeting Japan
     •  Distinctive User-Agent
     (Ref.) http://d.hatena.ne.jp/Kango/20141113/1415901362
  9. Malware
     •  C2 (C&C) server
        –  Registration info (name, mail, address, etc.)
        –  Which service?
        –  AVTOKYO 2015: "Collecting information of targeted attacks by OSINT"
     •  Language information
     •  Compile date
        –  We can see a trend, but it is hard to recognize the time zone
  10. Malware
     •  Case of Emdivi
        –  Recognized as used in Japan
     •  Version
        –  t17: used in targeted mail
        –  t20: used after intrusion
        –  From around t17.08.23: campaign name, or attack target + attack date
     •  Let's look at some Emdivi samples available online
  11. Ex.: Ghi522
     •  Compile date of Emdivi: 2015/05/22 03:51:18 (UTC+0)
     •  Hotel Grand Hill Ichigaya attacked (cyber attack in May)
     (Ref.) http://www.mod.go.jp/j/press/kisha/2015/07/07.html
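
The compile date on this slide comes from the TimeDateStamp field of the PE file header. The script below is an added example written for this page, not part of the deck: the bytes it parses are a constructed minimal MZ/PE header carrying only that field (not an Emdivi sample), and the candidate zones UTC+0, +8 and +9 are an assumption used to show why a single stamp cannot settle the developer's time zone, the caveat raised on slide 9. It also flags zeroed or future stamps, since the field is trivially overwritable by the author.

```python
import struct
from datetime import datetime, timedelta, timezone

# Compile date shown on the slide for the "Ghi522" sample, as a UTC epoch.
EMDIVI_BUILD_TS = int(datetime(2015, 5, 22, 3, 51, 18, tzinfo=timezone.utc).timestamp())


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return stamp


def describe_timestamp(stamp: int, zone_hours=(0, 8, 9)) -> dict:
    """Render one compile stamp in several candidate zones. The file stores
    UTC seconds only; the zone the developer worked in has to be inferred
    from the working-hours trend across many samples, never from one."""
    utc = datetime.fromtimestamp(stamp, tz=timezone.utc)
    fmt = "%Y-%m-%d %H:%M:%S"
    local = {
        f"UTC{h:+d}": utc.astimezone(timezone(timedelta(hours=h))).strftime(fmt)
        for h in zone_hours
    }
    now = datetime.now(timezone.utc)
    # Zeroed, pre-1995 or future stamps are almost certainly forged/stripped.
    plausible = stamp != 0 and utc.year >= 1995 and utc <= now
    return {
        "utc": utc.strftime(fmt),
        "weekday": utc.strftime("%A"),
        "local": local,
        "plausible": plausible,
    }


def build_sample_pe(stamp: int) -> bytes:
    """Constructed minimal MZ/PE header for this example; not a real sample."""
    hdr = bytearray(0x60)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x014C, 3, stamp)  # i386, 3 sections
    return bytes(hdr)


SAMPLE_PE = build_sample_pe(EMDIVI_BUILD_TS)


def analyze(data: bytes) -> dict:
    return describe_timestamp(pe_timestamp(data))


if __name__ == "__main__":
    print(analyze(SAMPLE_PE))
    print(analyze(build_sample_pe(0)))
```

For the slide's stamp the same instant reads as 03:51 on a Friday in UTC+0 but 12:51 in UTC+9; only the distribution of many such stamps across hours and weekdays says which zone looks like office hours.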
  12. Tools
     •  Pass-the-hash
        –  e.g., Mimikatz, gsecdump, PwDump7, etc.
     •  Using vulnerabilities
        –  e.g., MS14-068: vulnerability in Kerberos could allow elevation of privilege
     •  Lateral movement
  13. Tools
     •  Flow of attack
        –  Lateral movement
        –  AD server compromise
        –  Information exfiltration
     •  Traces of the tools used
        –  Memory
        –  hiberfil.sys, pagefile.sys
  14. Attack target area
     •  Critical infrastructure (13 fields)
        –  Information and communication, finance, aviation, railway, power supply, gas, government services, health care, water supply, logistics, chemical, credit, oil
     •  Others
        –  Small and medium-sized enterprises
        –  Universities
     (Ref.) http://www.nisc.go.jp/active/infra/outline.html
  15. Data accumulation and visualization
     •  Accumulation
        –  Using Excel is the first step
        –  If you do it more seriously, use a database
     •  Visualization
        –  Load the accumulated data and analyze it
        –  Maltego
        –  Analyst's Notebook
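
What the accumulation step buys you is the ability to pivot: find incidents that share a sender IP, C2 domain or decoy font, then chain those links into campaign candidates before handing them to Maltego or Analyst's Notebook. The SQLite script below is an added example written for this page, not from the deck; the incident records are constructed, with placeholder IPs, domains and family names, and only the sector names are taken from the critical-infrastructure slide.

```python
import sqlite3

SCHEMA = """
CREATE TABLE incident (
    id          TEXT PRIMARY KEY,
    observed    TEXT,   -- date the mail or intrusion was seen
    sector      TEXT,   -- target area, as on the critical-infrastructure slide
    sender_ip   TEXT,
    c2_domain   TEXT,
    malware     TEXT,
    decoy_font  TEXT
);
"""

# Constructed records: sectors come from the slide; every IP, domain,
# family name and date is a placeholder chosen for the example.
SAMPLE_INCIDENTS = [
    ("INC-1", "2015-05-22", "government",  "198.51.100.7", "update.c2-a.example", "FamilyA", "SimSun"),
    ("INC-2", "2015-06-01", "health care", "203.0.113.5",  "update.c2-a.example", "FamilyA", "SimSun"),
    ("INC-3", "2015-06-10", "finance",     "198.51.100.7", "news.c2-b.example",   "FamilyA", "MS Mincho"),
    ("INC-4", "2016-03-19", "logistics",   "192.0.2.44",   "blog.c2-c.example",   "FamilyB", None),
    ("INC-5", "2016-03-21", "aviation",    "192.0.2.44",   None,                  "FamilyB", None),
]

# Attributes worth pivoting on. The malware family is deliberately not one:
# the deck warns against naming groups by malware, and shared tooling links
# incidents far more weakly than shared infrastructure does.
PIVOT_COLUMNS = ("sender_ip", "c2_domain", "decoy_font")


def load_incidents(rows):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO incident VALUES (?,?,?,?,?,?,?)", rows)
    return conn


def shared_features(conn):
    """Pairs of incidents sharing a pivot attribute: (id_a, id_b, column, value).
    NULLs never match, so missing fields do not create links."""
    # Column names are interpolated from the fixed tuple above, never from
    # input; the values themselves are compared inside SQL, not formatted in.
    parts = [
        f"SELECT a.id, b.id, '{col}', a.{col} FROM incident a "
        f"JOIN incident b ON a.{col} = b.{col} AND a.id < b.id"
        for col in PIVOT_COLUMNS
    ]
    return sorted(conn.execute(" UNION ALL ".join(parts)).fetchall())


def clusters(conn):
    """Group incidents connected by any chain of shared features (union-find)."""
    parent = {row[0]: row[0] for row in conn.execute("SELECT id FROM incident")}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _col, _val in shared_features(conn):
        parent[find(a)] = find(b)
    groups = {}
    for i in parent:
        groups.setdefault(find(i), []).append(i)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    db = load_incidents(SAMPLE_INCIDENTS)
    for link in shared_features(db):
        print(link)
    print(clusters(db))
```

INC-2 and INC-3 never share anything directly; they end up in one cluster because each shares a feature with INC-1. That transitive link is exactly what a campaign name is later attached to, and it is also where a single shared commodity attribute (a public proxy, a default font) can wrongly merge two groups, so each pivot column should be weighted before trusting the cluster.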
  16. Sharing IOCs
     •  Snort
     •  Yara
     •  OpenIOC
        –  Mandiant
     •  CybOX
        –  Cyber Observable eXpression
     •  STIX
        –  Structured Threat Information eXpression
     •  TAXII
        –  Trusted Automated eXchange of Indicator Information
        –  Secure transfer and exchange of threat information
     •  STIX-Viz
     (Ref.) https://github.com/STIXProject/stix-viz
  17. Naming is difficult
     •  When dealing with a characteristic malware, it is relatively easy to define a name by it
        –  However, once a malware name is used as the group name, it will cause confusion later
     •  Since consolidation of attacker group names is common, name them for the time being
     •  Campaign names are easy to define
        –  For now, use a name reflecting the characteristics of the attack
  18. FireEye (Mandiant) case
     •  APT series
        –  Seems to be a code name that the US Air Force and intelligence agencies had been using
     •  APT1
        –  People's Liberation Army General Staff Department, 3rd Department, 2nd Bureau
        –  PLA Unit 61398
        –  Specific location (Shanghai, Pudong New Area)
     And, it is
  19. CrowdStrike case
     •  Panda series
        –  China
     •  Bear series
        –  Russia
     •  Kitten series
        –  Iran
        –  The cat is a revered animal in Islam
     •  Tiger series
        –  India
        –  National animal: Bengal tiger
     •  Chollima
        –  North Korea
        –  Chollima (千里馬) is a symbol of socialism
  20. Naming (Good)
     •  Name attacker groups and campaigns so that they are easy to understand
     •  Try to unify the naming rules
        –  Rules already decided, like "<something> Panda"
     •  Make a catchy name
        –  Easy to picture with an icon
  21. Naming (Bad)
     •  Do not name groups after malware or tool names
        –  PlugX1, PlugX2
        –  OK as a classification of malware, not of groups
     •  Do not use numbers
        –  APT1, APT2, ...
        –  Hard to know what it refers to
  22. Frankly speaking, unify it! The "APT Groups and Operations" spreadsheet is useful!
     (Ref.) https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=361554658
  23. Case: Japan Pension Service
     (Ref.) http://www.nisc.go.jp/active/kihon/pdf/incident_report.pdf
     (Figure: common points among the suspicious mails; connecting lines show which attributes are related: from mail address, attached file compression type, to mail address, link to online storage service, malware type, domain name connected to, sender IP address)
  24. Case: JTB
     •  Case from March this year
        –  Information leak: 6,788,443 people
     •  Possibly aimed at a 3-day holiday
     •  Attacks using Elirks
        –  Case of Elirks (attack on Taiwan)
        (Ref.) https://media.blackhat.com/us-13/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf
     •  May be related to the Ise-Shima summit
        (Ref.) http://csirt.ninja/?p=772
     (Figure: convert to IP address, then connect)
  25. Case: JTB
     (Ref.) http://www.pref.mie.lg.jp/NYUSATSU/2015070504.htm
     •  Besides JTB, other travel companies may have been attacked
     •  The Ise-Shima summit hotel reservation system was provided by a consortium of 3 travel companies
  26. Let's look at worldwide affairs
     •  If an APT is involved with some nation, it is essential to understand the history and situation of the world
        –  For example, anniversaries and holidays in each country
  27. Conclusion
     •  There are many attacker groups and campaigns that are not well-known
     •  Please try to compare and link named attacker groups and campaigns to published reports
     •  Share information and improve our security!