Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage
Frankie Li, Anthony Lai, Ddl Ddl
Valkyrie-X Security Research Group
2011 6th International Conference on Malicious and Unwanted Software
Presenter: 劉力瑋
Outline
• APT
• A case in Hong Kong
• Analysis
• Conclusion
Advanced Persistent Threats (APT) The paper considers an APT to be a cyber attack launched by a group of sophisticated, determined and coordinated attackers who systematically compromise the network of a specific target entity, or a specific target machine, over a prolonged period.
A case in Hong Kong • A well-designed spear-phishing email (received 2011/7/7) • Subject: Democracy Depot meeting • Sender: first_name.p0on@<org_name>.org.hk • Attachment: "Democracy Depot meeting" • A second email was received on 2011/7/14; it purported to come from a political group and carried news of a riot in Guangzhou
Analysis The downloaded attachment is a dropper; its "Property" field contains the command to be executed. The dropper writes a malicious DLL (the droppee) and injects it into explorer.exe. It also creates a mutex so that the malware is not installed a second time on the same victim machine.
Analysis The droppee first tries several DNS names that do not resolve and an IP address that is not routed. After these attempts it contacts the single valid IP address over TCP port 8080, then enters an infinite loop waiting for a response from the C&C. That response triggers the download of additional binaries, the core modules that perform the actual malicious functions.
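The chain on the two slides above (a dropper injecting into explorer.exe, then failed DNS lookups and a non-routable connection attempt before the single live C&C on TCP 8080) can be written as a correlation rule over endpoint telemetry. The script below is an added example, not code from the paper or from the Valkyrie-X group. It uses Sysmon-style event fields (Event ID 8 CreateRemoteThread, 22 DnsQuery, 3 NetworkConnect) over constructed sample events; every path, PID, hostname and address in it is invented, and the TEST-NET address 203.0.113.7 stands in for the live C&C address, which the slides do not give.

```python
"""Correlate Sysmon-style endpoint telemetry to flag the chain described on the
slides: a dropper injecting into explorer.exe, then explorer.exe making failed
DNS lookups / a non-routable connection attempt before reaching one live C&C
on TCP 8080. Added example; event values are constructed, not the paper's."""
import ipaddress
from collections import defaultdict

# Constructed Sysmon-like events (EventID 8 = CreateRemoteThread,
# 22 = DnsQuery, 3 = NetworkConnect). All names, PIDs and IPs are invented;
# 203.0.113.7 (TEST-NET-3) stands in for the undisclosed live C&C address.
EVENTS = [
    {"t": 0,  "id": 8,  "SourceImage": r"C:\Users\victim\Downloads\Democracy Depot meeting.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 1234},
    {"t": 5,  "id": 22, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "update.decoy-one.invalid", "QueryStatus": "9003"},   # 9003 = NXDOMAIN
    {"t": 10, "id": 22, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "www.decoy-two.invalid", "QueryStatus": "9003"},
    {"t": 15, "id": 3,  "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "10.255.254.1", "DestinationPort": 8080, "Initiated": "true"},
    {"t": 20, "id": 3,  "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 8080, "Initiated": "true"},
    {"t": 21, "id": 3,  "ProcessId": 4321, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443, "Initiated": "true"},  # benign noise
]

# Address blocks that are never routed on the public Internet (RFC 1918 etc.).
# Kept explicit rather than using ipaddress.is_global so that the documentation
# ranges used in this sample count as "routable" stand-ins.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]


def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def injected_explorer_pids(events):
    """PIDs of explorer.exe that received a remote thread from some other image."""
    return {e["TargetProcessId"] for e in events
            if e["id"] == 8
            and e["TargetImage"].lower().endswith("\\explorer.exe")
            and not e["SourceImage"].lower().endswith("\\explorer.exe")}


def c2_candidates(events, min_failures=2, c2_ports=(8080,)):
    """Per process, count failed DNS lookups and non-routable connection attempts;
    when a later outbound connection to a routable IP on a C&C port follows at
    least `min_failures` of them, report that endpoint."""
    failures = defaultdict(list)
    findings = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        pid = e.get("ProcessId")
        if e["id"] == 22 and e["QueryStatus"] != "0":
            failures[pid].append(("dns", e["QueryName"]))
        elif e["id"] == 3 and e["Initiated"] == "true":
            if is_non_routable(e["DestinationIp"]):
                failures[pid].append(("ip", e["DestinationIp"]))
            elif e["DestinationPort"] in c2_ports and len(failures[pid]) >= min_failures:
                findings.append({"pid": pid, "image": e["Image"],
                                 "c2": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
                                 "preceding_failures": list(failures[pid])})
    return findings


def correlate(events):
    """Join the network pattern with the injection evidence: the traffic comes
    from explorer.exe, so only the CreateRemoteThread event reveals the dropper."""
    injected = injected_explorer_pids(events)
    return [dict(f, injected_explorer=f["pid"] in injected) for f in c2_candidates(events)]


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Because the droppee runs inside explorer.exe, the DNS and connection events carry explorer.exe as their image and look like ordinary shell activity on their own; the join with the remote-thread event is what ties them to the dropper. The thresholds (two preceding failures, port 8080) are tuning knobs, not facts from the paper.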
Analysis The additional binaries downloaded by the droppee perform the actual malicious functions. They harvest all passwords stored by Foxmail, Outlook, Outlook Express, IE Form Storage, MSN, Passport .NET and Protected Storage on the infected machine. Screen captures are also collected and uploaded to the C&C.
Analysis The filtered information is collected, compressed and then uploaded through encrypted HTTP traffic. Afterwards the local copy is removed to hide its temporary presence on the machine.
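Because the exfiltration step compresses the data, uploads it over encrypted HTTP and then deletes the local copy, the upload itself is usually the only evidence left. The following is an added example, not code from the paper: it classifies captured POST bodies by archive magic bytes and by Shannon entropy and flags uploads to a known C&C. The traffic records are constructed, the C&C host is the stand-in TEST-NET address, and the "encrypted" body is a deterministic pseudo-random stream standing in for ciphertext. If the encryption is TLS rather than applied to the payload by the malware, this has to run at a TLS-terminating proxy or on decrypted captures.

```python
"""Flag HTTP uploads that look like compressed or encrypted exfiltration.
Added example with constructed traffic; nothing here is a capture from the paper."""
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random/encrypted data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Leading bytes of common archive/stream formats. The dropped-and-deleted
# archive never reaches the analyst, so the wire copy is what gets classified.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
}


def classify_body(body: bytes, entropy_threshold: float = 7.0) -> str:
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    if shannon_entropy(body) >= entropy_threshold:
        return "high-entropy"  # encrypted, or compressed without a recognisable header
    return "plain"


def suspicious_uploads(requests, c2_hosts, min_body: int = 64):
    """Return POSTs whose body is compressed/encrypted or whose target is a known C&C."""
    findings = []
    for r in requests:
        if r["method"] != "POST" or len(r["body"]) < min_body:
            continue
        kind = classify_body(r["body"])
        known_c2 = r["host"] in c2_hosts
        if kind != "plain" or known_c2:
            findings.append({"host": r["host"], "path": r["path"], "kind": kind,
                             "known_c2": known_c2, "bytes": len(r["body"])})
    return findings


def _lcg_stream(n: int, seed: int = 42) -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext
    (os.urandom would do as well but would not be reproducible)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) % 2**31
        out.append((x >> 23) & 0xFF)
    return bytes(out)


# ---- constructed sample traffic (invented, not from the paper) ----
STOLEN = "".join(f"account{i}@example.invalid:Pa55w0rd-{i * 7919}\n" for i in range(60)).encode()
COMPRESSED = zlib.compress(STOLEN)          # stands in for the compressed archive
ENCRYPTED = _lcg_stream(2048)               # stands in for a payload-encrypted upload
PLAIN_FORM = b"username=alice&comment=" + b"Hello+from+the+meeting+" * 15

SAMPLE_REQUESTS = [
    {"method": "POST", "host": "203.0.113.7:8080", "path": "/upload", "body": COMPRESSED},
    {"method": "POST", "host": "203.0.113.7:8080", "path": "/upload", "body": ENCRYPTED},
    {"method": "POST", "host": "intranet.example.invalid", "path": "/comment", "body": PLAIN_FORM},
    {"method": "GET",  "host": "203.0.113.7:8080", "path": "/poll", "body": b""},
]
C2_HOSTS = {"203.0.113.7:8080"}

if __name__ == "__main__":
    for finding in suspicious_uploads(SAMPLE_REQUESTS, C2_HOSTS):
        print(finding)
```

The entropy threshold of 7.0 bits per byte is a common starting point, not a value from the paper; legitimate compressed uploads (images, archives) will also score high, so in practice the classification is combined with the destination and with the beaconing behaviour rather than used alone.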
Discussion and Conclusion • APT-type malware does not carry obvious malicious functions: the dropper itself does little, and the real capabilities arrive later as downloaded modules. • Unlike other malware, it seldom turns the infected system into a zombie machine (bot). How to avoid it • NEVER OPEN SPEAR-PHISHING EMAILS!!