SlideShare a Scribd company logo

Hunting The Shadows: In Depth Analysis of Escalated APT Attacks

Download as PPTX, PDF
F _, profile picture
F _

This document analyzes advanced persistent threat (APT) attacks targeting Taiwan, focusing on the "Lstudio" group. It describes the group's infrastructure including command and control servers, use of botnets to control thousands of compromised machines internationally, and development of custom tools. The summary highlights key points about the group's operations since 2007, use of multiple software versions and back-ends, and targeting of both government and private sector victims primarily in Taiwan but also worldwide.

TechnologyNews & Politics
1 of 43
Downloaded 106 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Hunting the Shadows: In Depth Analysis of Escalated APT Attacks Fyodor Yarochkin, Academia Sinica Pei Kan PK Tsung, Academia Sinica Ming-Chang Jeremy Chiu, Xecure Lab Ming-Wei Benson Wu, Xecure Lab 1
Agenda • Why Taiwan? • The “Lstudio” player… fun  • Taking a peek at Weaponry • APT in a Cloud • Victimology or … chicken-logy? 2
whoweare Based in Taiwan Interests in Computer Forensics Access to some raw network traffic data (fun!) Get to fish interesting things (PROFFFIIITT!) @bensonwu [secret] @fygrave [censored] 3
Disclaimer A few words before we move on. - With this research we are primarily interested in understanding the Ops and victims of discussed targeted attacks. We DO NOT attempt to perform any attribution of potential attackers. 4
Taiwan has been a frontline of APT battlefield for some time 5
Many interesting things could be observed (though this is not “Lstudio” group) 6
Elirks: earlier campaign  Reported by Dell/Secureworks as Elirks http://www.secureworks.com/cyber-threat- intelligence/threats/chasing_apt/ 7
Elirks evolution http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I5 http://blog.yam.com/minzhu0906/article/54726977 http://diary.blog.yam.com/bigtree20130514/article/10173342 http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50 - http://blogs.yahoo.co.jp/sakasesi2013/31805794.html http://www.plurk.com/mdbmdb 8
Elirks 2.0 – silly to reuse the address-space Managed by the same IP addresses (easy to cross-correlate) 9
Another on-going Campaign  On-going: 10
On average, 48 APT emails a week! 11
The “Lstudio” group: Exploring fun things in a greater detail :) 12
They start with a boring spearphhiiissh 13
Almost clean :) 14
The APT Landscape in Taiwan 15
We’ll examine the “LStudio” group today • Unique indicators of the “LStudio” group: • Debug symbols (.pdb) • “horse” label and generator tag • Some curious discoveries from the “Lstudio” backend data center … ;-) 16
LStudio binaries have cute things CSJ-Elise f:toolscodeCSJEliseReleaseEliseDLL.pdb http://scan.xecure-lab.com 17
CSJ-Elise .. TAABAMoGvBjTVXHUHaibnwrAWfchx2x17Rf2roRBnbD/9lu13lWnlAUbBgqw+YNld2vcV5krtXoG__FXI43BxueF4FChFrk SRgNVP2WQ== http://140.105.135.71:443/2995ebc9/page_12180900.html http://118.163.60.73:443/2995ebc9/page_12180912.html 18
They love fast cars  19
Evora 20 FASST CARS 
Lstudio Operations and C2 21
“Lstudio” payload Generator Generator Owner Horse Label Generator-Tag APT Exploit delivery via email 22
We don’t say victim 肉雞 = G 23
The typical botnet model 24
Very advanced Zoo-management skills :) 25
APT advanced farming :)  Operated by roughly 25 “farmers”  Has controlled over 5,884 machines  International coverage over 30 countries  Utilizes 4 different Botnet software families  Active since 2007 26
The “Lstudio” Chicken Cloud  APT Cloud Backend Data Center Farmer Boss? Farmer Group B Farmer Group ACommand Channel (Second phase backdoor) Data Channel (First phase backdoor) Configurable Bounce APT Botnet A 27 APT Botnet B
.. And who are the Chicken ?!  28
International Chicken Farm Corp. 29
chicken farms went international TW 84% US 6% 5,884 chickens 2% 30 KR 1% CN 1%
Share some Chicken  31 http://www.appledaily.com.tw/ http://www.cna.com.tw KMT ? KMT ?
When you travel, your chicken travel too…  32
Lets look at some travelers  33 US Canada France England Taiwan
ANOTHER DISCOVERY!! 34
.. do have 9 to 5 job ;)… 35
Just like some security researchers do  36
AND THE LAST .. SOME HANDY TOOLS TO SHARE  37
XecScan: Free API 38
Yara: a swiss-knife of static sigs ;) 39
Yara use Easy to integrate with your scripts Integration with a proxy server is possible via icap yara plugin: https://github.com/fygrave/c_icap_yara Raw network traffic monitoring project (and http/DNS indexing): https://github.com/fygrave/eyepkflow 40
More cool tools Moloch https://github.com/aol/moloch Yara mail https://github.com/kevthehermit/yaraMail Yara pcap https://github.com/kevthehermit/YaraPcap 41
Conclusions Complex infrastructure Operates since 2007 Multiple software versions Multiple back-ends Victims – government and private sector Mainly Taiwan but also seen world-wide 42
Questions? benson.wu@xecure-lab.com jeremy.chiu@xecure-lab.com pk@hitcon.org f@plurk.com 43

More Related Content

PPTX
How to assign a CVE to yourself?
Ramin Farajpour Cami
 
PPTX
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Ollie Whitehouse
 
PPTX
Common Techniques To Identify Advanced Persistent Threat (APT)
Yuval Sinay, CISSP, C|CISO
 
PDF
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
PPTX
Malware Analysis
Ramin Farajpour Cami
 
PDF
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
PDF
Advanced red teaming all your badges are belong to us
Priyanka Aash
 
PPTX
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
grecsl
 
How to assign a CVE to yourself?
Ramin Farajpour Cami
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Ollie Whitehouse
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Yuval Sinay, CISSP, C|CISO
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
Malware Analysis
Ramin Farajpour Cami
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
Advanced red teaming all your badges are belong to us
Priyanka Aash
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
grecsl
 

What's hot (20)

PPTX
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 
PDF
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
HITCON GIRLS
 
PDF
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
HITCON GIRLS
 
PDF
How secure are your systems
City Unrulyversity
 
PDF
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
PDF
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
PDF
Security precognition chaos engineering in incident response
Priyanka Aash
 
PPTX
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
AlienVault
 
PDF
Breaking and entering how and why dhs conducts penetration tests
Priyanka Aash
 
PDF
Hacking ble smartwatch
idsecconf
 
PPT
Security Intelligence: Advanced Persistent Threats
Peter Wood
 
PDF
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
Hacks in Taiwan (HITCON)
 
PPT
The Future of Automated Malware Generation
Stephan Chenette
 
PPTX
Down The Rabbit Hole, From Networker to Security Professional
Satria Ady Pradana
 
PDF
STAAF, An Efficient Distributed Framework for Performing Large-Scale Android ...
Praetorian
 
PDF
Apt sharing tisa protalk 2-2554
TISA
 
PDF
Deception Technology: Use Cases & Implementation Approaches
Priyanka Aash
 
PPT
Networking and penetration testing
Mohit Belwal
 
PDF
Gunadarma workshop security
Rungga Reksya Sabilillah
 
PDF
Syrian Malware
Kaspersky
 
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
HITCON GIRLS
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
HITCON GIRLS
 
How secure are your systems
City Unrulyversity
 
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Security precognition chaos engineering in incident response
Priyanka Aash
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
AlienVault
 
Breaking and entering how and why dhs conducts penetration tests
Priyanka Aash
 
Hacking ble smartwatch
idsecconf
 
Security Intelligence: Advanced Persistent Threats
Peter Wood
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
Hacks in Taiwan (HITCON)
 
The Future of Automated Malware Generation
Stephan Chenette
 
Down The Rabbit Hole, From Networker to Security Professional
Satria Ady Pradana
 
STAAF, An Efficient Distributed Framework for Performing Large-Scale Android ...
Praetorian
 
Apt sharing tisa protalk 2-2554
TISA
 
Deception Technology: Use Cases & Implementation Approaches
Priyanka Aash
 
Networking and penetration testing
Mohit Belwal
 
Gunadarma workshop security
Rungga Reksya Sabilillah
 
Syrian Malware
Kaspersky
 
Ad

Viewers also liked (16)

PDF
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 
PPTX
APT 28 :Cyber Espionage and the Russian Government?
anupriti
 
PDF
Does a Bear Leak in the Woods?
ThreatConnect
 
PPS
Giorgia Mia Ok 23 Settembre
Marisa Corapi
 
PDF
Protecting your site by detection
Marko Heijnen
 
PDF
Hacklu2011 tricaud
stricaud
 
PDF
Loggin alerting and hunting technology hub 2016
Scot Berner
 
PDF
The moment my site got hacked
Marko Heijnen
 
PPTX
Cyber espionage nation state-apt_attacks_on_the_rise
Cyphort
 
PPTX
Intrusion prevention system(ips)
Papun Papun
 
PPTX
¿Influyó Rusia en las elecciones a Presidente de los EE.UU. de 2016?
IES Las Musas
 
PPTX
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Santiago Bassett
 
PDF
Visiting the Bear Den
ESET
 
PPTX
Layakk - Atacando 3G Vol. 2 [rootedvlc2]
RootedCON
 
PDF
TEDx Manchester: AI & The Future of Work
Volker Hirsch
 
PDF
Build Features, Not Apps
Natasha Murashev
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 
APT 28 :Cyber Espionage and the Russian Government?
anupriti
 
Does a Bear Leak in the Woods?
ThreatConnect
 
Giorgia Mia Ok 23 Settembre
Marisa Corapi
 
Protecting your site by detection
Marko Heijnen
 
Hacklu2011 tricaud
stricaud
 
Loggin alerting and hunting technology hub 2016
Scot Berner
 
The moment my site got hacked
Marko Heijnen
 
Cyber espionage nation state-apt_attacks_on_the_rise
Cyphort
 
Intrusion prevention system(ips)
Papun Papun
 
¿Influyó Rusia en las elecciones a Presidente de los EE.UU. de 2016?
IES Las Musas
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Santiago Bassett
 
Visiting the Bear Den
ESET
 
Layakk - Atacando 3G Vol. 2 [rootedvlc2]
RootedCON
 
TEDx Manchester: AI & The Future of Work
Volker Hirsch
 
Build Features, Not Apps
Natasha Murashev
 
Ad

Similar to Hunting The Shadows: In Depth Analysis of Escalated APT Attacks (20)

PPTX
THREAT HUNTING FROM ZERO TO HERO123.pptx
quinnnguyen86vn
 
PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
PDF
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
PDF
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
PDF
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
PDF
Richard wartell malware is hard. let's go shopping!!
Shakacon
 
PDF
HackIM 2012 CTF Walkthrough
Himanshu Kumar Das
 
PPTX
Find the Hacker
Sysdig
 
PPTX
Steelcon 2015 - 0wning the internet of trash
infodox
 
PDF
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
PROIDEA
 
PDF
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
Felipe Prado
 
PDF
Getting Started with iBeacons (Designers of Things 2014)
Daniel Luxemburg
 
PDF
Secure Node Code (workshop, O'Reilly Security)
Guy Podjarny
 
PDF
Hacking Exposed: The Mac Attack
Priyanka Aash
 
PDF
Hacking Exposed: The Mac Attack
Priyanka Aash
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
Rodolpho Concurde
 
PDF
From printed circuit boards to exploits
virtualabs
 
PDF
"egg" - A stealth fine grained code analyzer
FFRI, Inc.
 
PDF
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Felipe Prado
 
PDF
Web3 + scams = It's a match
Zoltan Balazs
 
THREAT HUNTING FROM ZERO TO HERO123.pptx
quinnnguyen86vn
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
Richard wartell malware is hard. let's go shopping!!
Shakacon
 
HackIM 2012 CTF Walkthrough
Himanshu Kumar Das
 
Find the Hacker
Sysdig
 
Steelcon 2015 - 0wning the internet of trash
infodox
 
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
PROIDEA
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
Felipe Prado
 
Getting Started with iBeacons (Designers of Things 2014)
Daniel Luxemburg
 
Secure Node Code (workshop, O'Reilly Security)
Guy Podjarny
 
Hacking Exposed: The Mac Attack
Priyanka Aash
 
Hacking Exposed: The Mac Attack
Priyanka Aash
 
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
Rodolpho Concurde
 
From printed circuit boards to exploits
virtualabs
 
"egg" - A stealth fine grained code analyzer
FFRI, Inc.
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Felipe Prado
 
Web3 + scams = It's a match
Zoltan Balazs
 

More from F _ (13)

PDF
Rsa2016
F _
 
PDF
Hitcon 2014: Surviving in tough Russian Environment
F _
 
PDF
Honeycon2014: Mining IoCs from Honeypot data feeds
F _
 
PDF
Indicators of Compromise Magic: Living with compromise
F _
 
PDF
Incident Response Tactics with Compromise Indicators
F _
 
PDF
whats wrong with modern security tools and other blurps
F _
 
PDF
Phd III - defending enterprise
F _
 
PDF
HITB2013AMS Defenting the enterprise, a russian way!
F _
 
PDF
Hitbkl 2012
F _
 
PPT
From russia final_bluehat10
F _
 
PDF
Hacklu2012 v07
F _
 
PPT
2011 hk fyodor-anthony_ppt
F _
 
PDF
0nights2011
F _
 
Rsa2016
F _
 
Hitcon 2014: Surviving in tough Russian Environment
F _
 
Honeycon2014: Mining IoCs from Honeypot data feeds
F _
 
Indicators of Compromise Magic: Living with compromise
F _
 
Incident Response Tactics with Compromise Indicators
F _
 
whats wrong with modern security tools and other blurps
F _
 
Phd III - defending enterprise
F _
 
HITB2013AMS Defenting the enterprise, a russian way!
F _
 
Hitbkl 2012
F _
 
From russia final_bluehat10
F _
 
Hacklu2012 v07
F _
 
2011 hk fyodor-anthony_ppt
F _
 
0nights2011
F _
 

Recently uploaded (20)

PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Approach and Philosophy of On baking technology
30anthuong17
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
A Presentation on Artificial Intelligence
memembruh336
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Cloud computing and distributed systems.
kkkkkhan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Encapsulation theory and applications.pdf
gurumoop
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 

Hunting The Shadows: In Depth Analysis of Escalated APT Attacks

Editor's Notes

  • #20: 整體設計上Elise,將摒棄現行概念底盤以鋁合金打造、車身鈑件也大量採用碳纖維材質的Elise全車重僅1095公斤,而在Lotus的規劃下,未來Elise將搭載擁有約320匹馬力輸出之2.0升四缸引擎。從近來幾部全新發表的Lotus之上,我們能夠看見新一代Lotus係採用源自"鯊魚"的設計概念,並隨著各車型與定位著不同,而各自發展屬於單一車型的獨特風格,而在Elise之上我們也能看見更多銳利的線條與充滿殺氣的勾勒樂手法,以營造出Elise特別的霸氣! http://cool3c.incar.tw/article/34399