European Electronic Crime Task Force Plenary Meeting, Rome - 22/11/2016 (invited talk)

1. Plead APT: Case Study
Marco Balduzzi, Ph.D.

2. Copyright 2016 Trend Micro Inc.2
Introduction
 Who am I?
 Just-for-fun area is over
 $$$ driven crime
 Data exfiltration, espionage
 Victim turns into a hostage
 APTs, you all know what they are :)

3. Copyright 2016 Trend Micro Inc.3
Plead APT
 A Taiwanese government use case
 Also target other Taiwanese organizations
 Heavy industry (transportation and construction)
 Technology and computer industries
 Data ex-filtration and espionage as main goals
 Ongoing since 2012

4. Copyright 2016 Trend Micro Inc.4
Origin of name
 C&C commands that the malware issues

5. Copyright 2016 Trend Micro Inc.5
Distribution
 Spear phishing leads the stage (same as other APTs)
 Social-engineering, a never ending story
 Attachment → Google Drive link
 RTLO Trick

6. Copyright 2016 Trend Micro Inc.6
Right-To-Left-Orientation Trick
 UNICODE's Right To Left Override character (U+202e)
 Designed to support languages that are written right to left,
such as Arabic and Hebrew
 Abused for rendering a malicious file as innocuous
 CORP_INVOICE_08.14.2011_Pr.phylexe.doc

7. Copyright 2016 Trend Micro Inc.7
Spear phishing email

8. Copyright 2016 Trend Micro Inc.8
Social Engineering
 RTLO trick + Decoy document

9. Copyright 2016 Trend Micro Inc.9
Decoy Document carrying Exploit

10. Copyright 2016 Trend Micro Inc.10
Techniques of compromise
 HackingTeam's leaked Flash 0-day (CVE-2015-5119)
 The never ending story of CVE-2012-0158
 Microsoft Word (DOC, DOCX, RTF)
 So well-known to be part of the Metasploit Framework:
https://www.exploit-db.com/exploits/18780/
 PowerPoint CVE-2014-6352

11. Copyright 2016 Trend Micro Inc.11
Email attachments’ file type

12. Copyright 2016 Trend Micro Inc.12
Persistence and Capabilities
 Harvest saved browser credentials and Outlook
 List drives, processes, files, etc…
 Command execution
 File upload
 Data exfiltration, e.g. spying over 'recent'
 RC4 is used as data encryption support in C&C communications
 On top of XOR

13. Copyright 2016 Trend Micro Inc.13
Going stealth
 Use of external exfiltration tool DRIGO
 Leverages Google Drive for stealth uploads and data
synchronization (similar to Dropbox)
 Gmail SMTP capabilities
 Automated mining for documents on victim's endpoint and
network

14. Copyright 2016 Trend Micro Inc.14
C&C dissection
 Modern malware = network enabled and dependent
 Remote access control tool with functionalities encoded as
C,A,L,E,P,G,G
 Request example:

15. Copyright 2016 Trend Micro Inc.15
C&C dissection
 Response example:

16. Copyright 2016 Trend Micro Inc.16
C&C dissection
 Importance of C&C → DGA, fastflux,
steganography
 C&C (or relays) hidden in victim's compromised
routers

17. Copyright 2016 Trend Micro Inc.17
Conclusions
• APTs are more prevalent than common sense
• Manually conducted, more difficult to detect
• Multi-layer approach needed
• Large-scale data analysis and ML important
• Importance of threat research

18. Copyright 2016 Trend Micro Inc.18
Thanks
MARCO_BALDUZZI@TRENDMICRO.COM