2. Copyright 2016 Trend Micro Inc.2
Introduction
Who am I?
The just-for-fun era is over
Money-driven crime
Data exfiltration and espionage
The victim is turned into a hostage
APTs: you all know what they are :)
Plead APT
A Taiwanese government case study
Also targets other Taiwanese organizations:
Heavy industry (transportation and construction)
Technology and computer industries
Data exfiltration and espionage as the main goals
Ongoing since 2012
Origin of the name
Derived from the C&C commands that the malware issues
Distribution
Spear phishing takes the lead (as with other APTs)
Social engineering, a never-ending story
Delivery moved from mail attachments to Google Drive links
RTLO trick
Right-to-Left Override (RTLO) trick
Unicode's Right-to-Left Override character (U+202E)
Designed to support languages that are written right to left,
such as Arabic and Hebrew
Abused to make a malicious executable render as an innocuous document: the characters after the override are displayed reversed, so a name that really ends in .exe appears to end in .doc
Displayed name: CORP_INVOICE_08.14.2011_Pr.phylexe.doc
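The trick in code, as an added example that is not part of the original slides: a small Python model of how a file manager renders a name containing U+202E, plus the check a mail gateway or endpoint agent would apply (the real extension is taken from the raw string with bidi controls stripped, never from the rendered form). The sample filenames are constructed, and the rendering model is a simplification of the Unicode bidi algorithm that is accurate for plain ASCII names.

```python
# Added example (not from the Trend Micro slides): how the RTLO trick works
# and how to catch it. The sample filenames below are constructed; the
# rendering model is a simplification of the Unicode bidi algorithm.

# Bidi control characters that can change how a filename is displayed.
# U+202E (RLO) is the one the slide describes; the others are included
# because a filename filter should reject all of them.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def rendered_name(name: str) -> str:
    """Approximate what a file manager shows for `name`.

    Simplified model: text after an RLO (U+202E), up to a PDF (U+202C) or
    the end of the string, is drawn right-to-left, i.e. reversed. Other
    control characters are invisible. Accurate for plain ASCII names; the
    full bidi algorithm treats digits and punctuation more subtly.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1          # skip the terminating PDF if present
        elif ch in BIDI_CONTROLS:
            i += 1               # other controls are not displayed
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def true_extension(name: str) -> str:
    """Extension the OS uses to pick a handler: taken from the raw string
    with bidi controls stripped, never from the rendered form."""
    return _extension("".join(ch for ch in name if ch not in BIDI_CONTROLS))


def inspect_filename(name: str) -> dict:
    """Flag a filename whose displayed extension differs from the real one,
    or which carries any bidi control character at all."""
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    shown = rendered_name(name)
    return {
        "controls": controls,
        "displayed": shown,
        "displayed_ext": _extension(shown),
        "actual_ext": true_extension(name),
        "suspicious": bool(controls) or _extension(shown) != true_extension(name),
    }


if __name__ == "__main__":
    # Constructed sample: the slide's displayed name, built from a real
    # name that ends in ".exe" with an RLO inserted before the tail.
    lure = "CORP_INVOICE_08.14.2011_Pr.phyl\u202ecod.exe"
    for n in (lure, "CORP_INVOICE_08.14.2011.doc"):
        print(inspect_filename(n))
```

The practical rule that falls out of this: reject or quarantine any attachment or download whose name contains a bidi control character at all, rather than trying to reason about how it will render on each client.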
Techniques of compromise
HackingTeam's leaked Flash 0-day (CVE-2015-5119)
The never-ending story of CVE-2012-0158 (MSCOMCTL.OCX)
Delivered through Microsoft Word documents (DOC, DOCX, RTF)
So well known that it is part of the Metasploit Framework:
https://www.exploit-db.com/exploits/18780/
PowerPoint CVE-2014-6352
Persistence and capabilities
Harvests saved credentials from browsers and Outlook
Lists drives, processes, files, etc.
Command execution
File upload
Data exfiltration, e.g. watching the user's 'Recent' items for documents of interest
C&C communications are encrypted with RC4
layered on top of XOR
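The RC4-over-XOR layering in code, as an added example rather than Plead's own implementation: an analyst reimplements both layers to decode captured C&C traffic once the RC4 key has been pulled from a sample. The key, the single XOR byte, the message format and the crib used to recover the XOR byte are all constructed for illustration; the slide does not give Plead's real values, and the order (XOR inside, RC4 outside) is the one "RC4 on top of XOR" suggests.

```python
# Added example (not Plead's code): the RC4-over-XOR layering the slide
# describes, as an analyst would reimplement it to decode captured C&C
# traffic. The key, XOR byte, message format and crib are constructed for
# illustration; Plead's real values are not given on the slide.


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA), then keystream XOR (PRGA).
    Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_layer(data: bytes, xor_key: int) -> bytes:
    """Single-byte XOR: the inner obfuscation layer (assumption: one byte)."""
    return bytes(b ^ xor_key for b in data)


def encrypt_c2(plaintext: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    """XOR first, RC4 on top (the order 'RC4 on top of XOR' suggests)."""
    return rc4(rc4_key, xor_layer(plaintext, xor_key))


def decrypt_c2(ciphertext: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    """Peel the layers in reverse: RC4, then XOR."""
    return xor_layer(rc4(rc4_key, ciphertext), xor_key)


def recover_xor_key(ciphertext: bytes, rc4_key: bytes, crib: bytes):
    """With the RC4 key pulled from the sample but the XOR byte unknown,
    brute-force the 256 candidates against a known plaintext prefix (crib).
    Returns the first matching byte, or None."""
    inner = rc4(rc4_key, ciphertext)[:len(crib)]
    for cand in range(256):
        if xor_layer(inner, cand) == crib:
            return cand
    return None


# Constructed sample traffic: a single-letter command code followed by an
# argument. The "G" and the path are hypothetical, not Plead's real format.
RC4_KEY = b"example-key"
XOR_KEY = 0x5A
MESSAGE = b"G C:\\Users\\victim\\Recent\\"


def demo() -> bytes:
    """Encrypt the sample, recover the XOR byte from a crib, decrypt."""
    wire = encrypt_c2(MESSAGE, RC4_KEY, XOR_KEY)
    recovered = recover_xor_key(wire, RC4_KEY, b"G ")
    return decrypt_c2(wire, RC4_KEY, recovered)


if __name__ == "__main__":
    print(demo())
```

Because both layers are symmetric and keyed by constants embedded in the binary, one recovered key decrypts every capture of that sample's traffic; the XOR layer adds no security once the RC4 key is known, which is why a single known command byte is enough to strip it.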
Going stealthy
Uses the external exfiltration tool DRIGO
DRIGO leverages Google Drive for covert uploads and data
synchronization (similar to Dropbox), so exfiltration blends in with legitimate cloud traffic
Gmail SMTP capabilities
Automated mining for documents on the victim's endpoint and
network
C&C dissection
Modern malware is network-enabled and network-dependent
Remote access tool whose functions are selected by single-letter command codes:
C, A, L, E, P, G, G
Request example:
Conclusions
• APTs are more prevalent than common sense suggests
• Manually operated, hence harder to detect
• A multi-layer defense approach is needed
• Large-scale data analysis and ML are important
• Importance of threat research