SPRING DRAGON APT: A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
Noushin Shabab, Senior Security Researcher
- Slides: 38
ABOUT ME
Senior Security Researcher at Kaspersky Lab
Areas of interest:
● APT Attack Investigation
● Malware Analysis
● Reverse Engineering
● Forensics Analysis
WHO IS SPRING DRAGON?
- Long-running APT actor with a massive scale of operation
- Main targets are countries around the South China Sea
- Active since 2012
- More than 200 C2 servers
- Over 700 customised backdoor samples
BACKGROUND OF THE RESEARCH
TIMELINE OF THE RESEARCH
- 2012: Start of Spring Dragon attacks
- 2015: Research on Spring Dragon attack techniques
STARTED IN 2012
Elise Backdoor was used in cyberespionage attacks against targets in South East Asia
INFILTRATION TECHNIQUES
- Spearphish exploits
- Web compromises
- Watering holes
SPEARPHISH EXPLOITS
- Adobe Flash Player exploits
- PDF exploits
- MS Word exploits
WATERING HOLES – WEB COMPROMISES
Compromised websites were used to target organisations in Myanmar
WATERING HOLES – WEB COMPROMISES
Another technique used against government targets: a spoofed Flash installer website
TIMELINE OF THE RESEARCH
- 2012: Start of Spring Dragon attacks
- 2015: Research on Spring Dragon attack techniques
- 2017: Research on Spring Dragon capabilities and tools
Areas covered in 2017:
- Victims
- C2 servers
- Tools
- Possible origins of Spring Dragon
IN THE BEGINNING OF 2017
- News about new attacks arrived from a research partner in Taiwan
- Kaspersky Lab decided to investigate the attacker’s techniques and review their toolset
SPRING DRAGON VICTIMS
WHO ARE THE VICTIMS?
- High-profile governmental organisations
- Educational institutions and universities
- Political parties
- Telecommunication industry
GEOGRAPHIC MAP OF THE VICTIMS
SPRING DRAGON TOOLSET
SPRING DRAGON SET OF BACKDOORS
- Elise Backdoor
- Backdoor Loader
- Emissary Backdoor
- Backdoor Installer
- Backdoor Injector
- ShadowLess Backdoor (midimap hijacker)
BACKDOOR LOADER TOOL
- The Backdoor Loader module has the main backdoor DLL contents encrypted and embedded
- The backdoor module connects to C2 servers
- It also creates a service for the loader module
BACKDOOR LOADER TOOL – DECODING
● Each sample has a customised config block, encoded inside the loader module
● The loader module pushes the config block onto the stack before loading the backdoor
● The backdoor module decodes the config block
BACKDOOR INJECTOR TOOL
This module is similar to the Backdoor Loader module, with an extra feature to inject itself into a target process:
- Looks for the default web browser
- Injects its own file into the web browser process
- Loads the backdoor inside the web browser process
BACKDOOR TOOLS
- Backdoor modules are either encrypted and embedded in Installer, Backdoor Loader and Backdoor Injector modules, or (in older samples) attached to installer modules as a resource entry in plain text
BACKDOOR TOOLS
- Different backdoor samples have a customised set of C2 server addresses and customised service details encrypted inside the loader or installer modules
- Almost all the backdoor families share a similar structure for the C2 configuration data after decryption
BACKDOOR TOOLS
- Some backdoor families use hardcoded user-agent strings while communicating with their C2 servers
- Some backdoor families use specific GET requests while contacting their C2 servers
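Hardcoded user-agent strings and fixed GET requests are both things a defender can look for in web proxy logs. The script below is an added example, not code from the talk or from Kaspersky Lab: it parses a constructed log format of our own (timestamp, client, method, URL, quoted user-agent), checks exact matches against a watchlist placeholder (the real strings come from sample analysis and are not reproduced here), flags user-agents used by very few hosts but more than once, and looks for a client polling one host at a near-constant interval. All log lines, IP addresses and the watchlist entry are constructed.

```python
"""Proxy-log checks for hard-coded User-Agent strings and fixed GET beacons.

Added example with constructed data; the log format, hosts and the
watchlist entry are inventions for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed log in a simple format of our own: time client method url "user-agent".
SAMPLE_LOG = """\
2017-03-01T09:00:01Z 10.0.0.11 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 6.1) Chrome/56.0"
2017-03-01T09:00:05Z 10.0.0.12 GET http://intranet.example/news "Mozilla/5.0 (Windows NT 6.1) Chrome/56.0"
2017-03-01T09:00:09Z 10.0.0.13 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 6.1) Chrome/56.0"
2017-03-01T09:01:00Z 10.0.0.11 GET http://crl.example/root.crl "Microsoft-CryptoAPI/6.1"
2017-03-01T09:01:03Z 10.0.0.12 GET http://crl.example/root.crl "Microsoft-CryptoAPI/6.1"
2017-03-01T09:01:07Z 10.0.0.13 GET http://crl.example/root.crl "Microsoft-CryptoAPI/6.1"
2017-03-01T09:05:00Z 10.0.0.13 GET http://203.0.113.5/index.php?id=1 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2017-03-01T09:10:00Z 10.0.0.13 GET http://203.0.113.5/index.php?id=2 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2017-03-01T09:15:00Z 10.0.0.13 GET http://203.0.113.5/index.php?id=3 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2017-03-01T09:20:00Z 10.0.0.12 GET http://198.51.100.7/up.php "Constructed-Agent/1.0"
"""

# Placeholder for a watchlist of known hard-coded User-Agent strings taken
# from sample analysis; the entry here is constructed, not a real indicator.
UA_WATCHLIST = {"Constructed-Agent/1.0"}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url,
            "host": urlsplit(url).hostname or "", "ua": ua,
        })
    return records


def watchlist_hits(records, watchlist=UA_WATCHLIST):
    """Exact-match check against known hard-coded User-Agent strings."""
    return [r for r in records if r["ua"] in watchlist]


def rare_user_agents(records, max_clients=1, min_requests=2):
    """User-Agents seen from few clients but more than once: a string baked
    into one implant stands out against the browsers used fleet-wide."""
    clients, hits = defaultdict(set), defaultdict(int)
    for r in records:
        clients[r["ua"]].add(r["client"])
        hits[r["ua"]] += 1
    return {ua: sorted(c) for ua, c in clients.items()
            if len(c) <= max_clients and hits[ua] >= min_requests}


def beacon_candidates(records, min_requests=3, max_jitter_s=30):
    """(client, host) pairs polled at near-constant intervals, the shape of a
    backdoor issuing the same GET request on a timer. Returns mean period."""
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] == "GET":
            by_pair[(r["client"], r["host"])].append(r["time"])
    out = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            out[pair] = round(sum(gaps) / len(gaps))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in watchlist_hits(recs):
        print(f"WATCHLIST {r['client']} -> {r['url']} ua={r['ua']!r}")
    for ua, cl in rare_user_agents(recs).items():
        print(f"RARE-UA   {cl} ua={ua!r}")
    for (client, host), period in beacon_candidates(recs).items():
        print(f"BEACON    {client} -> {host} every ~{period}s")
```

On the constructed log the watchlist catches the single request from 10.0.0.12, the rarity check singles out the MSIE 6.0 string used only by 10.0.0.13, and the interval check reports that same host polling 203.0.113.5 every 300 seconds. Legitimate non-browser agents used by the whole fleet (the CryptoAPI CRL fetches) are not flagged, which is why the rarity check counts distinct clients rather than request volume; thresholds would need tuning against real proxy data.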
BACKDOOR TOOLS
Backdoor capabilities:
1. Update the C2 configuration on the victim’s system in order to connect to new servers
2. Steal any type of file from the victim’s machine and upload it to C2 servers
3. Download more malicious files from C2 servers to the victim’s machine
4. Load and run a DLL module
5. Unload a previously loaded DLL module, which allows the backdoor to uninstall itself or to unload other applications’ DLLs to disrupt their functionality
6. Run any executable file on the victim’s system, which allows the installation of further modules
7. Execute different system commands on the victim’s machine to collect more information from the victim
EVOLUTION OF SPRING DRAGON TOOLSET (2012–2017)
- 2012: Start of the attacks with Elise Backdoor variants A, B and C
- ShadowLess Backdoor was introduced
- Start of Elise Backdoor variant D, Backdoor Loader and Backdoor Injector modules
- End of Elise Backdoor variants A, B and C
- New feature was introduced to escalate privileges
- Start of Emissary Backdoor
- 2017: More features were added; more obfuscation was applied to backdoor code
SPRING DRAGON C2 SERVERS
C2 INFRASTRUCTURE
- The attackers have registered domain names and used IP addresses from different geographical locations to hide their real location
- More than 40% are located in Hong Kong
- Followed by the US, Germany, China and Japan
POSSIBLE ORIGINS OF SPRING DRAGON
HISTOGRAM OF MALWARE TIMESTAMPS (GMT+8 TIMEZONE)
Another group of malware developers:
1 - Working from another timezone
2 - Working on a second shift
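The histogram on this slide is built from the compile timestamps stored in the samples' PE headers: bucket each timestamp by hour of day under a candidate UTC offset and see which offset makes the builds line up with a normal working day. The script below is an added example, not the speaker's or Kaspersky Lab's tooling, and it runs on a constructed timestamp set rather than real Spring Dragon data: it tries every fixed offset from UTC-12 to UTC+14, picks the one that puts the most builds inside a 09:00 to 18:00 window, and reports how much of the activity still falls outside that window, which is the residue the slide attributes either to a second timezone or to a second shift.

```python
"""Hour-of-day histogram of malware build timestamps under candidate timezones.

Added example with constructed timestamps standing in for PE compile times;
nothing here is Spring Dragon data.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18          # local working-hours window [9, 18)


def _make_sample_timestamps():
    """Constructed sample: 12 builds during a UTC+8 working day and 4 builds
    late in the evening, spread over several dates in March 2016."""
    tz = timezone(timedelta(hours=8))
    day_hours = [9, 10, 10, 11, 11, 13, 14, 14, 15, 16, 16, 17]
    evening_hours = [20, 21, 22, 23]
    stamps = []
    for i, hour in enumerate(day_hours + evening_hours):
        stamps.append(int(datetime(2016, 3, 1 + i, hour, 15, tzinfo=tz).timestamp()))
    return stamps


SAMPLE_TIMESTAMPS = _make_sample_timestamps()


def hour_histogram(timestamps, utc_offset_hours):
    """Count builds per local hour (0-23) for a fixed UTC offset (no DST)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = Counter()
    for ts in timestamps:
        hist[datetime.fromtimestamp(ts, tz).hour] += 1
    return hist


def working_hours_share(hist):
    """Fraction of builds that fall inside the working-hours window."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return sum(c for h, c in hist.items() if WORK_START <= h < WORK_END) / total


def best_offset(timestamps, candidates=range(-12, 15)):
    """Fixed UTC offset whose working-hours window covers the most builds.

    Ties resolve to the first candidate tried; a flat histogram (few samples,
    or timestamps that were forged) gives no usable answer."""
    return max(candidates,
               key=lambda off: working_hours_share(hour_histogram(timestamps, off)))


def render(hist, width=40):
    """ASCII bar chart of a 24-hour histogram."""
    peak = max(hist.values(), default=1)
    lines = []
    for hour in range(24):
        n = hist.get(hour, 0)
        lines.append(f"{hour:02d}h |{'#' * (n * width // peak):<{width}}| {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    off = best_offset(SAMPLE_TIMESTAMPS)
    hist = hour_histogram(SAMPLE_TIMESTAMPS, off)
    print(f"best-fitting offset: UTC{off:+d}")
    print(render(hist))
    share = working_hours_share(hist)
    print(f"share in working hours: {share:.2f}")
    print(f"share outside: {1 - share:.2f} (second shift or second timezone?)")
```

Because the constructed set was generated in UTC+8, the search recovers +8 with three quarters of the builds inside working hours; the remaining quarter sits in the 20:00 to 23:00 bucket, which is the kind of secondary cluster the slide discusses. On real samples the input would be the `TimeDateStamp` field of each PE header, and the method only holds when the attackers did not tamper with those stamps.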
CONCLUSION
- Spring Dragon is a long-running APT actor with a massive scale of operation
- The attackers have been constantly developing and improving their tools since 2012
- Main targets have been in different countries and territories in the APAC region
CONCLUSION
- Spring Dragon is going to continue resurfacing regularly in the APAC region with more tools and new targets
STAY VIGILANT! THE NEXT TARGET MIGHT BE US!
LET’S TALK? @NoushinShbb