Sandy
APT: Advanced Persistent Threat
http://exploit-analysis.com/
Static and dynamic analysis

Garage4Hackers
About Me

Rahul Sasi
I work as a researcher.
One of the admins of
www.Garage4Hackers.com.
https://twitter.com/fb1h2s
I spend my free time researching new attack
vectors.

Presented my research papers at

APT - Attacks
Advanced Persistent Threats: any exploit or
malware that specifically targets a particular
organization or country in order to steal confidential
information.

About this Talk
With the rise in the number of targeted attacks
against government and private companies,
there is a clear need for an intelligent method
of detecting these attacks.
This talk covers an undetected APT attack
targeting Indian police organizations, which we
identified a week ago.
Sandy is a free tool we have built that is capable
of exploit analysis on DOC, RTF, XLS, PPT and
JAR files and URLs.

We will also explain the implications and policy
guidelines for the prevention of these attacks.
APT: Who should be concerned.
You need to ask yourself what you have that other
people would want.

Commercially sensitive information; intellectual
property such as designs.
What I have seen is mostly government,
manufacturers and financial services.

My organization is small!
Many attacks I have seen were
targeting small companies.
Often it is the startup that has the innovative
technology that attackers can use.
Or it could be a small organization
working for the government.

We have seen smaller organizations
targeted as much as the larger
organizations.
Recent APT Incident in news.
The FBI released a notice on a
targeted attack on the US aviation
industry.
Many professionals from the
aviation industry were targeted,
and their computers were
infected or an attempt to infect
them was made.
The aim: to steal blueprints, new aerospace
technology and much more.

APT Steps

Step 1: Establishing the backdoor.
Use of various exploits.
Malicious attachments sent via email to infect
victims.
These contain exploits targeting applications
such as Adobe Reader and Microsoft Office.
Browser-based exploits, where the victim visits a
web page crafted to deliver an exploit.
Document Exploits.
Uses an exploit.

The file comes in the form of a .doc or
.rtf file with the exploit
embedded.
Once you open such a document
you are infected.
These exploits affect any system with
Office or a PDF reader installed.

What is Sandy
A tool built under the Indian Honeynet Project.
Sandy is an online tool (sandbox) capable of doing
both static and dynamic analysis of malicious Office,
PDF, JAR, Flash and HTML files.
The input is a file in one of the above formats;
the output is the extracted malware, its controllers
(C2 addresses) and URLs.
In the talk I will share information on a particular
sample targeting the Indian police department that we
received via Sandy.
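The kind of static first pass that the "Document Exploits" slide and Sandy's input/output description above imply, written here as an added example; it is not Sandy's code and not from the original deck. It decodes every \objdata hex group in an RTF, reads the OLE1 class name of the embedded object, flags PE, OLE compound-file, PDF or ZIP payloads inside it by magic bytes, and pulls URLs and the \creatim timestamp from the document. The sample RTF, its "Package" object, the MZ/PE stub and the URL are constructed for the example. Real exploit documents obfuscate \objdata with nested groups, \bin runs and junk control words, so this is triage, not a complete RTF parser; the dropped payload still needs dynamic analysis.

```python
import binascii
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Magic bytes worth flagging inside a decoded object. An MZ stub is checked separately,
# because two bytes alone are too weak a signal.
MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound-file",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-ooxml-or-jar",
}
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s\"'<>{}\\]+", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\objdata\b([0-9a-fA-F\s]*)")
CREATIM_RE = re.compile(
    rb"\\creatim\\yr(\d+)\\mo(\d+)\\dy(\d+)(?:\\hr(\d+))?(?:\\min(\d+))?")


@dataclass
class EmbeddedObject:
    offset: int                  # byte offset of the \objdata group in the RTF
    size: int                    # decoded size of the object
    ole1_class: Optional[str]    # class name from the OLE1 object header, if any
    payload_types: List[str]     # payload types found inside, by magic bytes


@dataclass
class Report:
    created: Optional[datetime]
    urls: List[bytes]
    objects: List[EmbeddedObject] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return any(o.payload_types for o in self.objects)


def decode_objdata(hex_group: bytes) -> bytes:
    """\\objdata hex may be wrapped across lines; strip whitespace and decode."""
    digits = re.sub(rb"\s+", b"", hex_group)
    if len(digits) % 2:
        digits = digits[:-1]          # tolerate a stray trailing nibble
    return binascii.unhexlify(digits)


def ole1_class_name(blob: bytes) -> Optional[str]:
    """OLE1 ObjectHeader: OLEVersion(4) | FormatID(4) | ClassName length(4) | ClassName."""
    if len(blob) < 12 or blob[:4] != b"\x01\x05\x00\x00":
        return None
    name_len = int.from_bytes(blob[8:12], "little")
    name = blob[12:12 + name_len].rstrip(b"\x00")
    return name.decode("latin-1") or None


def contains_pe(blob: bytes) -> bool:
    """True if an MZ stub inside the blob has an e_lfanew that lands on a PE signature."""
    idx = blob.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[idx + 0x3C:idx + 0x40], "little")
            if blob[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\x00\x00":
                return True
        idx = blob.find(b"MZ", idx + 1)
    return False


def payload_types(blob: bytes) -> List[str]:
    found = ["pe-executable"] if contains_pe(blob) else []
    found += [label for magic, label in MAGICS.items() if magic in blob]
    return found


def creation_time(rtf: bytes) -> Optional[datetime]:
    m = CREATIM_RE.search(rtf)
    if not m:
        return None
    yr, mo, dy, hr, mi = (int(g) if g else 0 for g in m.groups())
    try:
        return datetime(yr, mo, dy, hr, mi)
    except ValueError:
        return None


def triage_rtf(rtf: bytes) -> Report:
    report = Report(created=creation_time(rtf), urls=sorted(set(URL_RE.findall(rtf))))
    for m in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(m.group(1))
        if blob:
            report.objects.append(EmbeddedObject(
                offset=m.start(), size=len(blob),
                ole1_class=ole1_class_name(blob), payload_types=payload_types(blob)))
    return report


# Constructed sample, not a real exploit document: an OLE1 "Package" object wrapping a
# minimal MZ/PE stub, a second object starting with an OLE compound-file header, a
# creation timestamp and a URL in the body text.
_PE_STUB = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
_OLE1_HDR = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + (8).to_bytes(4, "little")
             + b"Package\x00" + b"\x00" * 8 + len(_PE_STUB).to_bytes(4, "little"))
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\info{\creatim\yr2013\mo9\dy3\hr10\min5}}"
    + rb"{\object\objemb{\*\objdata " + binascii.hexlify(_OLE1_HDR + _PE_STUB) + b"}}"
    + rb"{\object\objemb{\*\objdata d0cf11e0a1b11ae100000000}}"
    + rb"Please review the attached report: http://update.example.test/report.php}"
)

if __name__ == "__main__":
    rep = triage_rtf(SAMPLE_RTF)
    print(f"created={rep.created} suspicious={rep.suspicious} urls={rep.urls}")
    for o in rep.objects:
        print(f"  objdata@{o.offset}: {o.size} bytes class={o.ole1_class} types={o.payload_types}")
```

The class name is often as telling as the payload: a "Package" object is how a raw executable gets embedded, and the creation timestamp feeds the working-week analysis the deck describes later, keeping in mind that both are attacker-controlled.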
Sandy Submission Interface

www.exploit-analysis.com
Sandy Submission:
On 2013-09-03 we received a .doc file on Sandy.
The exploit email had been sent to the top
executives of an IT security company.
At the time of analysis only 2 of 34 antivirus
engines detected it as malicious.
When opened on a Windows machine, the
document dropped a backdoor on the user's
computer.

Research on the Attackers
We managed to collect 30 other exploits that
were used by the same group over a period of 1
year and analyzed them.

We tried to understand the attackers' tools and
techniques, modus operandi and targets.
Of the 30 exploits, none was created on
a Saturday or Sunday.

Based on our research on the malware
infrastructure,
we were able to identify that the same group of
attackers was targeting Indian police agencies.

We were able to locate a new persistence
malware with no AV detection, which is digitally
signed and is used by this team.
Apart from one Chinese AV, no other AV vendor
was detecting the threat.
The attacks were part of a cyber-espionage
campaign.
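Two checks from the research above, as an added example that is not from the deck and not Sandy's code: the weekday tempo of a sample set (the deck notes that none of the 30 exploits was created on a Saturday or Sunday) and whether a binary carries a digital signature at all. Both are run here against the dropped PE rather than the exploit document: the COFF TimeDateStamp gives the build time, and the security data directory says whether a WIN_CERTIFICATE table is attached. The PE fixtures are constructed in the code (headers only, with a placeholder certificate blob) and are not the real samples. Two caveats a practitioner would add: a compile timestamp and a certificate table are both attacker-controlled, so a weekday-only histogram is corroborating evidence rather than proof, and the presence of a certificate table says nothing about whether the signature verifies or whom the certificate belongs to, which is a job for signtool or osslsigncode.

```python
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the certificate table directory
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def pe_header_offsets(pe: bytes) -> Tuple[int, int]:
    """Return (COFF header offset, optional header offset); raise if not a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    return e_lfanew + 4, e_lfanew + 24


def compile_time(pe: bytes) -> datetime:
    """COFF TimeDateStamp as UTC. Written by the linker, trivially forgeable by the author."""
    coff, _ = pe_header_offsets(pe)
    stamp = struct.unpack_from("<I", pe, coff + 4)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def has_certificate_table(pe: bytes) -> bool:
    """True if the security data directory points at an attached WIN_CERTIFICATE table.
    Presence only: this does not verify the signature, the file hash or the chain."""
    _, opt = pe_header_offsets(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:          # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return off != 0 and size >= 8 and off + size <= len(pe)


def weekday_histogram(samples: List[bytes]) -> Dict[str, int]:
    counts = Counter(WEEKDAYS[compile_time(s).weekday()] for s in samples)
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def weekend_free(samples: List[bytes]) -> bool:
    """The tempo check from the deck: every build stamped Monday to Friday."""
    hist = weekday_histogram(samples)
    return hist["Sat"] == 0 and hist["Sun"] == 0


def build_minimal_pe(stamp: int, signed: bool) -> bytes:
    """Constructed fixture: PE32 headers only, no sections, not loadable.
    With signed=True a placeholder WIN_CERTIFICATE (not a real PKCS#7) is appended."""
    opt_size = 224
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if signed:
        cert_body = b"\x30\x80" + b"\x00" * 14                           # placeholder DER
        cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return dos + b"PE\x00\x00" + coff + bytes(opt) + cert


def _stamp(y: int, m: int, d: int, hour: int) -> int:
    return int(datetime(y, m, d, hour, tzinfo=timezone.utc).timestamp())


# Constructed fixtures: one build per working day (2013-09-02 is a Monday), the
# Friday build carrying a certificate table, plus one Saturday build for contrast.
WEEKDAY_BUILDS = [build_minimal_pe(_stamp(2013, 9, 2 + i, 9 + i), signed=(i == 4)) for i in range(5)]
WEEKEND_BUILD = build_minimal_pe(_stamp(2013, 9, 7, 14), signed=False)

if __name__ == "__main__":
    for pe in WEEKDAY_BUILDS + [WEEKEND_BUILD]:
        flag = "certificate table" if has_certificate_table(pe) else "unsigned"
        print(compile_time(pe).strftime("%a %Y-%m-%d %H:%M UTC"), flag)
    print(weekday_histogram(WEEKDAY_BUILDS), "weekend-free:", weekend_free(WEEKDAY_BUILDS))
```

Read the hour-of-day distribution together with the weekday one: build times cluster in the attacker's office hours only after shifting from UTC into a candidate time zone, which is the inference the deck makes from the weekend-free pattern.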
Modus Operandi
&
Tools and Techniques
The attackers were mainly using email-based
phishing attacks to infect their targets.

The attackers manually verified each infected
machine before adding the new persistence
malware to it.
If they judged an infected machine to be of high
importance, they added a secondary, more
advanced monitoring tool to the system.

Targets
Targets were mainly government organizations,
plus small private companies and contractors to
the government.
Most of the infected computers belonged to
secretaries.

A map of the infections.

Lessons Learned and Policy Implications.
Knowing what you need to protect is the most
important task.

Active government and community partnership is
necessary.
Security awareness among employees: the
human firewall.
No single layer of fraud prevention or
authentication is enough to stop determined
attackers.
Thank You
Contact me if you need malware samples:
https://twitter.com/fb1h2s
https://www.facebook.com/loverahulsas
fb1h2s@gmail.com


APT Targeting Indian Police Agencies.


Editor's Notes (speaker notes, keyed by slide number)

  • #3: I was privilaged to publish my research papers in many prominent Security conferecnes.
  • #5: So in simple terms, the bad guys will install a malicious program on your computer that would allow them to monitor all your confidential data. The malicious programs either uploads all confidential records to a central attaker controlled computer or provides live monitoring.
  • #6: We will introduce a tool named sandy that we build and is free, that helped us in the identification of this risk.
  • #8: It does not mean t
  • #10: Attacker backdoor your system with a malicious program , Then the enumerate the network looking for more valid credentials like user account and passwords. Then then install more persistent utlities .
  • #13: The input of sandy is fileformats. In this talk I will share about the various samples we collected on sandy.
  • #14: The tool has got a web interface and could be accessed from the following locations. So if you receive an email with a suspicious file, you can upload on our tool and the tool would be able to provide you information on whether it is an exploit or a clean file.
  • #16: It is always good to study ur attackers.This means the attackers work form an organized office environment and does not work on week ends.
  • #18: So what we observed was, when a successful attack takes place the attacker log in to there victims computers remotely and then verify whether the infection is of high/low priority .
  • #21: As part of the re-assessment process, an organisation must ensure it understands why it may be attacked. "Every organisation should draw up a risk register that will allow the allocation of funds and resources to protect the assets that are most valuable to the organisation, which may include business processes as well as information. As bessi mentioned an Active gov community partnership is needed where individual researchers are able to communicate identified issues to the gov directly. If the CEO of a company is getting security awarness and all his emails are operated by his secretary , then she is as mush as a target than him.