From stealing confidential data to revenue-generating attacks
CHA Minseok (Jacky Cha, 車珉錫)
Senior Principal Malware Researcher
AhnLab | ASEC | Analysis Research Team
SECUINSIDE (July 14, 2018)
Activities of Andariel Group in 2014-2018
© AhnLab, Inc. All rights reserved. 2
Before the start
• I don’t believe that any system is totally secure!
- by Matthew Broderick
* Source: WarGames (1983)
Contents
01 Andariel Group
02 Infection Vectors
03 Activities in 2014 - 2015
04 Activities in 2015 - 2018
05 Malware & Tools
06 Relation
07 Conclusion
Activity groups in South Korea
[Timeline chart, 2007-2019, of activity groups in South Korea: Icefog; Andariel / Labyrinth Chollima (Rifdoor, Ghostrat, Phandoor, Andarat); Dllbot; Xwdoor; OP Black Mine (Bmdoor); OP Bitter Biscuit (Bisonal, Dexbia); RedEyes / APT37 / Reaper / Group 123 / Ricochet Chollima; Kimsuky; Plugx (Korplug); Xxmm; Lazarus; Operation ProgasByMe; Hidden Cobra / Silent Chollima (Escad, Loader); OP Red Dot (Redobot, Escad)]
01 Andariel Group

Andariel Group
• Andariel Group
- Presumed to be another spin-off of Lazarus
- MND (2008), DarkSeoul (2013), Operation Black Mine (2014-2015)
- Operation Ghost Rifle == Operation Anonymous Phantom == Operation Golden Axe == Campaign Rifle
- Targets: Defense Industry, Cybersecurity Companies, Political Institutions, MND (Ministry of National Defense), Finance Sector, Energy Research Institution, Travel Agency, ICT, Cryptocurrency Exchange
- Infection Vector: Spear Phishing, Watering Hole (ActiveX vulnerability), IT Management System Vulnerability, Supply Chain Attack
- Especially familiar with the vulnerabilities of South Korea’s ActiveX controls and the vulnerabilities of IT management systems
- Malware: Andarat, Andaratm, Bmdoor, GhostRat, Rifdoor, Phandoor (packed with UPX, Themida, VMProtect)
- AhnLab published whitepapers in July 2017 and May 2018.
- FSI (Financial Security Institute) published a whitepaper in July 2017
- This group is one of the most active groups in South Korea!
Andariel Group
• Famous incidents
* Source: https://www.ibtimes.co.uk/suspects-arrested-south-korea-atm-hacking-probe-aided-by-north-korean-1638293 & https://edition.cnn.com/2017/10/10/politics/north-korea-hackers-us-south-korea-war-plan/index.html
Timeline
[Timeline chart, 2008-2018, of Andariel-related campaigns and targets: 3.20 Cyber attack (DarkSeoul) & 6.25 Cyber Attack; 3.20 Cyber-attack (gathering information); Operation Black Mine (Bmdoor); Operation Ghost Rifle (Rifdoor); Operation Anonymous Phantom (Phandoor); Operation GhostRAT; Operation Red Gambler; Xwdoor; Dllbot; ActiveX vulnerabilities attack; targets include Seoul ADEX attendees, major companies, MND (Ministry of National Defense), Korean Government, security firm, defense firms, ATM, financial sector, travel agency, energy research institute, politics institute, cryptocurrency exchange users; delivery via ERP update, fake installer, remote support update, payment software]
02 Infection Vectors

Infection Vectors
[Diagram: watering hole (ActiveX); e-mail (spear phishing); update server, supply chain / IT maintenance services (update); IT management system (C2, listening port, sends file transfer commands, vulnerability attack); web server (listening port, port scanning, vulnerability attacks)]
Spear Phishing - Macro
• Macro Downloader (2015)
- Attack against Seoul ADEX 2015 Participants: Macro Downloader
-> Seoul ADEX Result & visitors list
-> disguising as Headquarters of Seoul ADEX
-> Enable Macro

Spear Phishing - Macro
• Macro Downloader (2017)
- Disguised as diplomatic documents -> intended to get the macro enabled by showing blurred text

ActiveX Vulnerabilities
• ActiveX vulnerabilities (2017)
- Check for vulnerable ActiveX

IT Management System
IT Management System Vulnerabilities
• IT Management Product A exploit (2015-2016)
- V3PScan.exe file distributed through IT Management System

IT Management System Vulnerabilities
• IT Management Product B exploit (2016-2017)
- Target IP, Download URL, Path
- Product B file transfer (Port 7224)

IT Management System Vulnerabilities
• Antivirus Management Exploit (2016)
- Accessed internal systems of the military and ATM services, etc.
- Commands: SendFile, GetFile, Scan, Update, Run, Restart, ServerUpdate

Supply Chain
03 Activities in 2014 - 2015

Activities of Andariel Group in 2014-2015

2014 - Operation Black Mine
[Diagram: Operation Black Mine target sectors - Energy, Transportation, Financial, Political, IT, Broadcast]

2014 - Operation Black Mine
• Targeted Attack

2015 - Operation Black Mine
• Operation Black Mine
* Source: http://www.ahnlab.com/kr/site/securityinfo/newsletter/magazine.do?letterNo=201511
04 Activities in 2015 - 2018

Activities of Andariel Group in 2015-2016

2015 - Attack against Seoul ADEX 2015 Participants
• Defense companies suffer from hacking attacks
- Seoul ADEX (Seoul International Aerospace and Defense Exhibition)
* Source: http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html

2015 - Attack against Seoul ADEX 2015 Participants
• Attack against Seoul ADEX 2015 Participants (1)
- Macro Downloader
-> Seoul ADEX Result & visitors list
-> disguising as Headquarters of Seoul ADEX
- Rifdoor downloaded
2016 - Security Breach of Major Companies
• Malware distributed through an IT management system vulnerability
- Hacked into more than 140,000 computers at 160 South Korean companies and government agencies
- 42,608 documents were reported to have been leaked
- Attack began in 2014 and was detected in February 2016
* Source: http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE

Activities of Andariel Group in 2017-2018
2017.1 – Viewing other player’s game in gambling
• Spying on other players’ screens in online gambling (2016-2017)
- First found in October 2016
- Modified a utility installer by hacking into a legitimate website and replacing it with a malicious file

2017.1 – Viewing other player’s game in gambling
• Viewing other player’s game in gambling
- Baduki (바둑이, Badugi) = a type of card game assumed to have originated in Korea
--> Poker games (in Korean)
2017.3 - ATM Hacking
• ATM Hacking
- 230,000 credit cards in total were leaked (September 2016 ~ February 2017)
- Illegal withdrawals through ATMs in China, Thailand and Taiwan
- 4 suspects arrested → obtained the private financial data from a middleman who claimed he got the information from a North Korean
- Malware used in this attack was very similar to the malware used in the Korean MND hacking
* Source: http://english.yonhapnews.co.kr/news/2017/09/06/0200000000AEN20170906007600315.html & http://www.itworld.co.kr/news/106281
2017.5 – Financial Sector
• Phandoor (Deployed May 24, 2017)
- Distribution via Financial Workers' Union Website
- Delivered a Phandoor variant
- Removed ‘anonymous?’ string

2017.5 – Financial Sector
• Andarat
- Deployed via the Financial Workers' Union homepage
- Each time the file is run, its hash value changes because a meaningless value is appended to the end of the file
2017.6 – Financial Sector
• Attack using Word macros
- Gets the macro enabled by showing the document contents dimly -> downloads and creates V3UI.
2017.10 & 12 – Travel Agency Breaches
• South Korea’s Largest Travel Agency Hacked
- Attacker used Report Product A and IT Management Product B vulnerabilities
- Users’ personal information was leaked.
* Source: https://coinjournal.net/south-koreas-largest-travel-agency-breached-hacker-demands-bitcoin-payment/ &

2017.10 & 12 – Travel Agency Breaches
• Diagram
- Data breach
* Source: PressRelease_180207_Ha**Tour-Duetopersonalinformationleakageaccident-Administrativedisposition-Resolution_final-1.hwp
2017.12 – ERP Product A
• ERP Product A update file replacement (2017)
- Update File vs Malicious File
- Added malware download address -> modifies the update file? or the build process?
2017.12 – Remote Access Product A
• Targeted Cryptocurrency Exchange Users
- Cryptocurrency exchange hacking: software used for remote control
- Only files downloaded through the cryptocurrency exchange homepage include malicious code
- Attack occurred in late 2017 and early 2018
2018.2 – Disguised as National Assembly
• Phishing email disguised as the National Assembly
- Disguised as parliamentary data on cryptocurrency.
* Source: http://english.yonhapnews.co.kr/search1/2603000000.html?cid=AEN20180201010700315 & http://blog.alyac.co.kr/1527
05 Malware & Tools

Malware
Dropper - Bmdoor
• Bmdoor
- Disguised as a legit program
[Diagram: Bmdoor file layout - Legit Program, Loader #1 (JMP), Encrypted Data, BM + Loader #2]
Dropper - Bmdoor
• Check the analysis environment
- Check VMware, VirtualBox
- Check system name and check file name (SANDBOX, VIRUS, MALWARE)

Dropper - Bmdoor
• Inside the Bmdoor
Backdoor – GhostRat
• Customized Gh0st RAT
- Source code released
Backdoor - Rifdoor
• Rifdoor (Rifle + Backdoor) == Operation Ghost Rifle (2015)
- Backdoor (90KB)
- PDB: contains ‘rifle’
- Adds random data
Backdoor - Phandoor
• Phandoor (2016-2017)
- Original file name was Phantom.exe → Phantom.exe + Backdoor = Phandoor
- S^ & Anonymous?
- In variants found in 2017, ‘Anonymous?’ was removed
Backdoor - Andaratm
• Andaratm (2016-2018)
- >18 variants
- MND (2016) -> ATM, Financial Sector (2017) -> Cryptocurrency Exchange Users (2018)
- 2017 version vs 2018 version
Tools
• GhostRat Management, Korean Edition
- Korean, but strange
- Strings (문자렬 -> 문자열)
- ??? (maybe System Notification)
- 팁 Tip ??? (typo 암 -> 안)
- System Setting (체계설정 -> 설정)
- Secret (비밀 -> 암호, Password)
- User
Tools - Zcon
• Zcon.exe (2015-2017)
- File names: pcon.exe, portc.exe, ZCON.exe
- Tool for checking IP and port
- Bmdoor dropped Zcon.exe in 2015
Tools - Wiper
• Wiper
- Whether the Wiper was used in a real attack has not been identified
06 Relation

Macro
• Macro Comparison
- Seoul ADEX attendees (2015) vs Finance Sector (2017)
Script
• Script from Exploit
- Downloader -> recovery of missing bytes (MZ)
- 2017
- 2018
Script
• Script
- First 5 bytes of the download removed (MZ...) → First 5 bytes are recovered (MZ...)
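The two file-level tricks on these slides (Andarat appending junk so its hash changes on every run, and the downloader script fetching a PE with its first 5 bytes stripped) can be turned into analyst-side checks. The code below is an added example, not AhnLab's or the group's code: it hashes a PE without its overlay and recognises a "headless" PE, generalised from the slides' 5-byte case to any small shift; the PE it runs on is constructed inline.

```python
"""Analyst checks for two file-level tricks from the slides (added example,
not AhnLab code): Andarat appends junk bytes to its own file on each run so
the full-file hash changes, and the downloader script fetches a PE with its
first 5 bytes removed and restores them. Both checks walk the PE section
table; the PE used below is constructed inline and is not a real sample."""
import hashlib
import struct
from typing import Optional, Tuple

PE_SIG = b"PE\x00\x00"


def parse_pe(data: bytes, shift: int = 0) -> Optional[Tuple[int, int]]:
    """Locate the PE header in `data`, allowing for `shift` leading bytes
    to be missing from the front of the file. Returns (pe_offset,
    end_of_section_data) as offsets into `data`, or None if not a PE."""
    pos = 0x3C - shift                      # e_lfanew normally sits at 0x3C
    if pos < 0 or pos + 4 > len(data):
        return None
    if shift == 0 and data[:2] != b"MZ":    # intact files must start with MZ
        return None
    pe = struct.unpack_from("<I", data, pos)[0] - shift
    if pe < 0 or pe + 24 > len(data) or data[pe:pe + 4] != PE_SIG:
        return None
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect = pe + 24 + opt_size               # first IMAGE_SECTION_HEADER
    end = sect + 40 * num_sections          # at least the headers themselves
    for i in range(num_sections):
        hdr = sect + 40 * i
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr - shift + raw_size)
    return pe, end


def full_file_hash(data: bytes) -> str:
    """Plain SHA-256 of the whole file: the value that appended junk defeats."""
    return hashlib.sha256(data).hexdigest()


def hash_without_overlay(data: bytes) -> Tuple[str, int]:
    """SHA-256 over the bytes covered by the PE headers and sections, plus
    the number of overlay bytes ignored. Non-PE input is hashed whole."""
    parsed = parse_pe(data)
    end = len(data) if parsed is None else min(parsed[1], len(data))
    return hashlib.sha256(data[:end]).hexdigest(), len(data) - end


def header_shift(data: bytes, max_shift: int = 8) -> Optional[int]:
    """0 for an intact PE, n for a PE missing its first n bytes (the slides'
    script strips 5), None if no shift up to max_shift yields a PE."""
    for shift in range(max_shift + 1):
        if parse_pe(data, shift) is not None:
            return shift
    return None


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed, non-runnable PE layout: DOS stub with e_lfanew, PE
    signature, COFF header (no optional header), one section, raw data."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = 0x40 + 4 + 20 + 40                            # = 0x80
    sect = struct.pack("<8sIIIIIIHHI", b".text\x00\x00\x00", len(payload),
                       0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + PE_SIG + coff + sect + payload


if __name__ == "__main__":
    sample = build_sample_pe(b"\x90" * 64)
    junked = sample + b"\x13\x37" * 8            # Andarat-style appended junk
    print(full_file_hash(sample) == full_file_hash(junked))                   # False
    print(hash_without_overlay(sample)[0] == hash_without_overlay(junked)[0])  # True
    print(header_shift(sample), header_shift(sample[5:]))                     # 0 5
```

The overlay-stripped hash lets samples that differ only in appended junk be clustered together, and a non-zero header shift flags a downloaded blob as a PE that the loader is expected to repair before use.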
Backdoor - Phandoor
• Mystery ‘S^’
- ‘S^’ found in Xwdoor (2012) & Phandoor (2016-2017)
Comparison of Encryption Codes
• Similar Encryption Codes
- 2016.04 defense companies
- 2016.08 MND 1
- 2016.08 MND 2
- 2016.11 Gambling Player
- 2017.03 ATM
Backdoor - Phandoor
• Similar Encoding Codes
- Rifdoor vs. Phandoor
Comparison of Attacks
07 Conclusion
Wrap up
• Andariel Group
- Lazarus sub-group in South Korea
- This group is one of the most active groups in South Korea.
- Related to National Intelligence Service attacks in 2008, DarkSeoul in 2013, and Operation Black Mine in 2014
- Target: defense industry, political organization, security company, military, gambling game user, ATM, finance, travel agency, ICT, virtual currency exchange, etc. (Confidential data -> expanding to financial benefits)
- Attack method: Spear Phishing using MS Office documents with macros, Watering Hole (Korean ActiveX vulnerabilities), IT Management System and Supply Chain Attack
- The attacker is well aware of South Korea
- Backdoors use packers such as UPX, Themida and VMProtect.
- Additional tools were disclosed due to the author’s OpSec failure
- This group is still active in 2018!
Current Problems
• Not really a fair fight
* Source: http://www.jklossner.com/kopkf22ta931lmnlmaj3h48vplhotb

Current Problems
* Source: http://www.security-marathon.be/?p=1786
Q&A
email: minseok.cha@ahnlab.com / mstoned7@gmail.com
@mstoned7 / @xcoolcat7
https://www.facebook.com/xcoolcat7, http://xcoolcat7.tistory.com
Reference
• AhnLab, ‘Digging up’ the secrets of ‘Operation Black Mine’ (http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=&menu_dist=1&seq=24229)
• Continued attack attempts on defense contractors, why? (http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&seq=26565)
• Financial Security Institute Intelligence Report: Profiling threat groups targeting South Korea (http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do)
• Targeted Attacks on Major Industry Sectors in South Korea (CHA Minseok, AVAR 2017)
• Targeted attacks? Defend your central management software (http://image.ahnlab.com/file_upload/asecissue_files/ASEC_REPORT_vol.89.pdf)
• Breaching the security systems of well-known companies one after another: the attacks of a bold hacking group, Part 1 (http://blog.skinfosec.com/221234553836)
• Breaching the security systems of well-known companies one after another: the attacks of a bold hacking group, Part 2 (http://blog.skinfosec.com/221234742268)
• Hanatour personal information leak... started at a contractor (https://blog.naver.com/secustory/221213258234)
  • 48. © AhnLab, Inc. All rights reserved. 48 Malwares
  • 49. © AhnLab, Inc. All rights reserved. 49 Dropper - Bmdoor • Bmdoor - disguisedaslegitprogram Encrypted Data Legit Program BM + Loader #2 Loader #1 JMP
  • 50. © AhnLab, Inc. All rights reserved. 50 Dropper - Bmdoor • Checkthe analysisenvironment - CheckVmware,VirtualBox - ChecksystemnameandCheckfilename(SANDBOX,VIRUS,MALWARE)
  • 51. © AhnLab, Inc. All rights reserved. 51 Dropper - Bmdoor • Insidethe Bmdoor -
  • 52. © AhnLab, Inc. All rights reserved. 52 Bakcdoor – GhostRat • customizedGh0st RAT - Sourcecodereleased
  • 53. © AhnLab, Inc. All rights reserved. 53 Backdoor - Rifdoor • Rifdoor(Rifle+ Bakcdoor)== Operation Ghost Rifle(2015) -Backdoor(90KB) -PDB:contain‘rifle’ -Addsrandomdata
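Two of the families in this deck churn their file hash by appending data after the real executable: Andarat appends a meaningless value on each run (slide 40) and Rifdoor adds random data (slide 53). The example below is added here and is not code from the slides or from AhnLab; it shows the triage check an analyst can apply to such samples, hashing only the bytes the PE section table accounts for so appended junk (the "overlay") no longer changes the value. The minimal PE it builds is a constructed sample, and the function names are this example's own.

```python
"""Overlay-stripped hashing: a stable hash for PE files whose tail is padded with junk.

Added example for the Andarat/Rifdoor "append random data" behaviour. The PE
built by build_minimal_pe() is a constructed sample, not a real malware file.
"""
import hashlib
import os
import struct

E_LFANEW_OFFSET = 0x3C  # offset of e_lfanew in the DOS header
SECTION_HEADER_SIZE = 40


def pe_declared_size(data: bytes) -> int:
    """Return the offset just past the last section's raw data, i.e. where any
    appended overlay begins. Raises ValueError for input that is not a parsable PE."""
    if data[:2] != b"MZ" or len(data) < E_LFANEW_OFFSET + 4:
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + size_opt                      # first section header
    end = sect + SECTION_HEADER_SIZE * num_sections  # headers are declared content too
    for i in range(num_sections):
        off = sect + SECTION_HEADER_SIZE * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    if end > len(data):
        raise ValueError("section table points past end of file")
    return end


def overlay_size(data: bytes) -> int:
    """Number of bytes appended after the declared PE content."""
    return len(data) - pe_declared_size(data)


def overlay_stripped_sha256(data: bytes) -> str:
    """SHA-256 over the declared PE content only; unaffected by appended junk."""
    return hashlib.sha256(data[:pe_declared_size(data)]).hexdigest()


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header, one section header,
    then the section data at a 512-byte aligned offset. Parsable, not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    size_opt = 0  # no optional header is needed for the section-table walk
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    headers_end = 0x40 + 4 + 20 + size_opt + SECTION_HEADER_SIZE
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF  # file alignment 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + section)
    image += b"\0" * (raw_ptr - len(image))
    image += section_data
    return bytes(image)


def demo() -> dict:
    """Simulate two 'runs' that append different junk and compare both hash kinds."""
    base = build_minimal_pe(b"\x90" * 64 + b"\xc3")
    run_a = base + os.urandom(16)
    run_b = base + b"junk-appended-on-second-run"
    return {
        "full_hashes_differ": hashlib.sha256(run_a).hexdigest() != hashlib.sha256(run_b).hexdigest(),
        "stripped_hashes_match": overlay_stripped_sha256(run_a) == overlay_stripped_sha256(run_b),
        "overlay_a": overlay_size(run_a),
        "overlay_b": overlay_size(run_b),
    }


if __name__ == "__main__":
    print(demo())
```

A non-zero overlay is not malicious by itself (installers and signed binaries carry overlays routinely), but a large, high-entropy overlay whose stripped hash matches a known sample is the signature of this churning trick, and the stripped hash is the value worth sharing as an indicator.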
• 54. Backdoor - Phandoor
  • Phandoor (2016-2017)
    - Original file name was Phantom.exe → Phantom.exe + Backdoor = Phandoor
    - Strings 'S^' & 'Anonymous?'
    - In variants found in 2017, 'Anonymous?' was removed
• 55. Backdoor - Andaratm
  • Andaratm (2016-2018)
    - More than 18 variants
    - MND (2016) → ATM, Financial Sector (2017) → Cryptocurrency Exchange Users (2018)
    - 2017 version vs. 2018 version
• 56. Tools
  • GhostRat management tool, Korean edition
    - Korean, but with strange strings:
      - 문자렬 → 문자열 (String)
      - ??? (maybe System Notification)
      - 팁 (Tip)
      - ??? (typo 암 → 안)
      - 체계설정 → 설정 (System Setting)
      - 비밀 → 암호 (Password)
      - User
• 57. Tools - Zcon
  • Zcon.exe (2015-2017)
    - File names: pcon.exe, portc.exe, ZCON.exe
    - Tool for checking IP and port
    - Bmdoor dropped Zcon.exe in 2015
• 58. Tools - Wiper
  • Wiper
    - Whether the wiper was used in a real attack is not identified
• 60. Macro
  • Macro comparison
    - Seoul ADEX attendees (2015) vs. Finance Sector (2017)
• 61. Script
  • Script from exploit
    - Downloader → recovery of missing bytes (MZ)
    - 2017
    - 2018
• 62. Script
  • Script
    - The first 5 bytes of the downloaded file are removed (MZ...) → the first 5 bytes are recovered (MZ...)
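The downloader on slides 61-62 fetches an executable whose first 5 bytes (the "MZ" signature and the bytes after it) have been removed, so a network sensor looking for the "MZ" magic sees nothing, and restores them on the host. A defender holding the truncated download can still recognise it: the e_lfanew field, normally at offset 0x3C, still holds the offset of "PE\0\0" relative to the original file start, so trying a few small "missing byte" counts finds one where the pointer lands on the signature. The example below is added here and is not code from the slides; the sample blob is constructed, the function names are this example's own, and it generalises the 5-byte case to any small number of stripped leading bytes.

```python
"""Detect a PE whose leading bytes were stripped in transit, and repair it for analysis.

Added example for the "first 5 bytes removed, then recovered" downloader on
slides 61-62. build_sample_pe() returns a constructed blob, not a real sample.
"""
import struct
from typing import Optional

E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"


def find_stripped_prefix(blob: bytes, max_missing: int = 16) -> Optional[int]:
    """Return how many leading bytes are missing (0 for an intact PE), or None if no
    consistent PE layout is found for any count from 0 to max_missing.

    With `missing` bytes gone, the e_lfanew field sits at 0x3C - missing, and the
    value it holds points to the signature at (e_lfanew - missing)."""
    for missing in range(0, max_missing + 1):
        field = E_LFANEW_OFFSET - missing
        if field < 0:
            break
        if field + 4 > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, field)[0]
        sig_at = e_lfanew - missing
        if sig_at < 0 or blob[sig_at:sig_at + 4] != PE_SIGNATURE:
            continue
        if missing == 0 and blob[:2] != b"MZ":
            continue  # intact header must still start with the DOS magic
        return missing
    return None


def restore_dos_stub(blob: bytes, missing: int) -> bytes:
    """Prepend the DOS magic plus zero padding so e_lfanew and the PE header return to
    their original offsets. The stripped stub bytes themselves are unknown; only
    e_magic and e_lfanew matter for static parsing, so zero fill is sufficient
    for analysis tooling (the result is not byte-identical to the original file)."""
    if missing < 0:
        raise ValueError("missing must be non-negative")
    prefix = b"MZ"[:missing] + b"\0" * max(0, missing - 2)
    return prefix + blob


def build_sample_pe(total: int = 0x200) -> bytes:
    """Constructed sample: DOS magic, e_lfanew = 0x80, PE signature and a COFF stub."""
    img = bytearray(total)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFFSET, 0x80)
    img[0x80:0x84] = PE_SIGNATURE
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)  # Machine, NumberOfSections (cosmetic)
    return bytes(img)


def demo():
    """What a sensor would see for the 5-byte case, and what it can recover."""
    original = build_sample_pe()
    in_transit = original[5:]                       # download with the first 5 bytes stripped
    missing = find_stripped_prefix(in_transit)      # -> 5
    repaired = restore_dos_stub(in_transit, missing)
    parses_again = repaired[:2] == b"MZ" and repaired[0x80:0x84] == PE_SIGNATURE
    not_a_pe = find_stripped_prefix(b"not a pe at all" * 8)  # -> None
    return missing, parses_again, not_a_pe


if __name__ == "__main__":
    print(demo())
```

The check is cheap enough to run on every downloaded object of executable size: a "MZ"-less blob that nevertheless resolves to a PE signature through a shifted e_lfanew is a strong signal that the header was stripped deliberately, and the repaired copy can go straight to the usual PE tooling.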
• 63. Backdoor - Phandoor
  • Mystery 'S^'
    - 'S^' found in Xwdoor (2012) & Phandoor (2016-2017)
• 64. Comparison of Encryption Codes
  • Similar encryption code
    - 2016.04 defense companies, 2016.08 MND 1, 2016.08 MND 2, 2016.11 gambling player, 2017.03 ATM
• 65. Backdoor - Phandoor
  • Similar encoding code
    - Rifdoor vs. Phandoor
• 66. Comparison of Attacks
• 68. Wrap up
  • Andariel Group
    - Lazarus sub-group in South Korea
    - This group is one of the most active groups in South Korea.
    - Related to the National Intelligence Service attacks in 2008, DarkSeoul in 2013, and Operation Black Mine in 2014
    - Targets: defense industry, political organizations, security companies, military, gambling game users, ATMs, finance, travel agency, ICT, virtual currency exchange, etc. (confidential data → expanding to financial benefits)
    - Attack methods: spear phishing using MS Office documents with macros, watering hole (Korean ActiveX vulnerabilities), IT management system and supply chain attacks
    - The attacker is well aware of South Korea
    - Backdoors use packers such as UPX, Themida and VMProtect.
    - Additional tools were disclosed due to the author's OpSec failure
    - This group is still active in 2018!
• 69. Current Problems
  • Not really a fair fight
    * Source: http://www.jklossner.com/kopkf22ta931lmnlmaj3h48vplhotb
• 70. Current Problems
    * Source: http://www.security-marathon.be/?p=1786
• 71. Q&A
  email: minseok.cha@ahnlab.com / mstoned7@gmail.com
  @mstoned7 / @xcoolcat7
  https://www.facebook.com/xcoolcat7, http://xcoolcat7.tistory.com
• 72. Reference
  • AhnLab, "Digging up" the secrets of "Operation Black Mine" (http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=&menu_dist=1&seq=24229)
  • Persistent attack attempts on defense contractors: why? (http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&seq=26565)
  • FSI (Financial Security Institute) Intelligence Report: Profiling threat groups targeting South Korea (http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do)
  • Targeted Attacks on Major Industry Sectors in South Korea (CHA Minseok, AVAR 2017)
  • Targeted attacks? Defend your central management software (http://image.ahnlab.com/file_upload/asecissue_files/ASEC_REPORT_vol.89.pdf)
  • Breaching well-known companies' security systems one after another: attacks by a bold hacking group, part 1 (http://blog.skinfosec.com/221234553836)
  • Breaching well-known companies' security systems one after another: attacks by a bold hacking group, part 2 (http://blog.skinfosec.com/221234742268)
  • Hana Tour personal data leak... started at a subcontractor (https://blog.naver.com/secustory/221213258234)