SPRING DRAGON APT: A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
NOUSHIN SHABAB, Senior Security Researcher
Slides: 38

2 ABOUT ME
Senior Security Researcher at Kaspersky Lab
Areas of interest: APT attack investigation, malware analysis, reverse engineering, forensic analysis

3 WHO IS SPRING DRAGON?

4
- Long-running APT actor with a massive scale of operation
- Main targets are countries around the South China Sea
- Active since 2012
- More than 200 C2 servers
- Over 700 customised backdoor samples

5 BACKGROUND OF THE RESEARCH

Timeline: 2012 - Start of Spring Dragon attacks

7 STARTED IN 2012
Elise Backdoor was used in cyberespionage attacks against targets in South East Asia

Timeline: 2012 - Start of Spring Dragon attacks; 2015 - Research on Spring Dragon attack techniques
Infiltration techniques covered: Web Compromises, Spearphish Exploits, Watering Holes

10 INFILTRATION TECHNIQUES
Spearphish Exploits, Web Compromises, Watering Holes

11 SPEARPHISH EXPLOITS
Adobe Flash Player exploits, PDF exploits, MS Word exploits

12 WATERING HOLES – WEB COMPROMISES
Compromised websites used to target organizations in Myanmar


14 WATERING HOLES – WEB COMPROMISES
Another technique used against government targets: a spoofed Flash installer website


Timeline: 2012 - Start of Spring Dragon attacks; 2015 - Research on Spring Dragon attack techniques; 2017 - Research on Spring Dragon capabilities and tools

Timeline: 2012 - Start of Spring Dragon attacks; 2015 - Research on Spring Dragon attack techniques; 2017 - Research on Spring Dragon capabilities and tools
2017 research areas: Victims, C2 Servers, Tools, Possible origins of Spring Dragon

18 IN THE BEGINNING OF 2017
- News about new attacks arrived from a research partner in Taiwan
- Kaspersky Lab decided to investigate the attacker's techniques and review their toolset

19 SPRING DRAGON VICTIMS

WHO ARE THE VICTIMS
- High-profile governmental organisations
- Educational institutions and universities
- Political parties
- Telecommunication industry

GEOGRAPHIC MAP OF THE VICTIMS

22 SPRING DRAGON TOOLSET

SPRING DRAGON SET OF BACKDOORS
Elise Backdoor, Backdoor Loader, Emissary Backdoor, Installer, Backdoor Injector, ShadowLess Backdoor (midimap hijacker)

BACKDOOR LOADER TOOL
- The Backdoor Loader module carries the main backdoor DLL contents encrypted and embedded
- The backdoor module connects to C2 servers
- It also creates a service for the loader module

BACKDOOR LOADER TOOL - Decoding
- Each sample has a customised config block, encoded inside the loader module
- The loader module pushes the config block onto the stack before loading the backdoor
- The backdoor module decodes the config block

26 BACKDOOR INJECTOR TOOL
This module is similar to the Backdoor Loader module, with an extra feature to inject itself into a target process:
- Looks for the default web browser
- Injects its own file into the web browser process
- Loads the backdoor inside the web browser process

BACKDOOR TOOLS
- Backdoor modules are either encrypted and embedded in Installer, Backdoor Loader and Backdoor Injector modules, or, in older samples, attached to installer modules as a resource entry in plain text

BACKDOOR TOOLS
- Different backdoor samples have a customised set of C2 server addresses and customised service details encrypted inside the loader or installer modules
- Almost all the backdoor families share a similar structure for the C2 configuration data after decryption

BACKDOOR TOOLS
- Some backdoor families use hardcoded user-agent strings while communicating with their C2 servers
- Some backdoor families use specific GET requests while contacting their C2 servers

BACKDOOR TOOLS - Backdoor Capabilities:
1. Update the C2 configuration on the victim's system in order to connect to new servers
2. Steal any type of file from the victim's machine and upload it to C2 servers
3. Download more malicious files from C2 servers to the victim's machine
4. Load and run a DLL module
5. Unload a previously loaded DLL module, which allows the backdoor to uninstall itself or to unload other applications' DLLs to disrupt their functionality
6. Run any executable file on the victim's system, which allows the installation of further modules
7. Execute different system commands on the victim's machine to collect more information from the victim

EVOLUTION OF SPRING DRAGON TOOLSET (2012 - 2017)
- 2012: Start of the attacks with Elise Backdoor variants A, B and C
- 2015: ShadowLess Backdoor was introduced
- Start of Elise Backdoor variant D, Backdoor Loader and Backdoor Injector modules
- 2016: End of Elise Backdoor variants A, B and C; a new feature was introduced to escalate privileges; start of Emissary Backdoor
- 2017: More features were added; more obfuscation was applied to the backdoor code

32 SPRING DRAGON C2 SERVERS

33 C2 INFRASTRUCTURE
- The attackers have registered domain names and used IP addresses from different geographical locations to hide their real location
- More than 40% are located in Hong Kong, followed by the US, Germany, China and Japan

34 POSSIBLE ORIGINS OF SPRING DRAGON

35 HISTOGRAM OF MALWARE TIMESTAMPS (GMT+8 TIMEZONE)
A second cluster of timestamps suggests another group of malware developers, either:
1. Working from another timezone
2. Working on a second shift
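The timestamp-histogram method behind this slide, as an added Python example that is not Kaspersky's or the speaker's code: it reads the COFF TimeDateStamp from PE headers, buckets the values by hour of day in GMT+8, and reports contiguous runs of busy hours, where a second run is the "second shift or other timezone" pattern the slide describes. All PE bytes and timestamps below are constructed for the demonstration.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC8 = timezone(timedelta(hours=8))  # GMT+8, the timezone used on the slide


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970, UTC) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp is 4 bytes into it
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def hour_histogram(timestamps, tz=UTC8) -> Counter:
    """Bucket compile timestamps by local hour of day in the given timezone."""
    return Counter(datetime.fromtimestamp(ts, tz).hour for ts in timestamps)


def work_shifts(hist: Counter, min_share: float = 0.05):
    """Group busy hours (>= min_share of samples) into contiguous runs.
    One run looks like a single working day; two runs suggest a second shift
    or a second team in another timezone, as the slide argues."""
    total = sum(hist.values()) or 1
    busy = sorted(h for h, n in hist.items() if n / total >= min_share)
    runs, cur = [], []
    for h in busy:
        if cur and h != cur[-1] + 1:
            runs.append((cur[0], cur[-1]))
            cur = []
        cur.append(h)
    if cur:
        runs.append((cur[0], cur[-1]))
    return runs


def fake_pe(ts: int) -> bytes:
    """Constructed minimal PE header carrying only the fields the parser reads."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 0, 0)  # i386, TimeDateStamp = ts
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample set: a 09:00-16:00 GMT+8 working day plus a smaller 20:00-22:00 cluster
SAMPLES = [fake_pe(int(datetime(2016, 3, 7 + d, h, 30, tzinfo=UTC8).timestamp()))
           for d in range(5) for h in (9, 10, 11, 12, 13, 14, 15, 16, 20, 21, 22)]
```

Compile timestamps are attacker-controlled and can be zeroed or forged, so treat the histogram as a weak signal to be weighed with the C2 and victim data, not as proof of origin.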

36 CONCLUSION
- Spring Dragon is a long-running APT actor with a massive scale of operation
- The attackers have been constantly developing and improving their tools since 2012
- Main targets have been in different countries and territories in the APAC region

37 CONCLUSION
- Spring Dragon is going to continue resurfacing regularly in the APAC region with more tools and new targets
STAY VIGILANT! THE NEXT TARGET MIGHT BE US!

LET'S TALK? @NoushinShbb