SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
Noushin Shabab, Senior Security Researcher

ABOUT ME
- Senior Security Researcher at Kaspersky Lab
- Areas of interest: APT attack investigation, malware analysis, reverse engineering, forensics analysis
WHO IS SPRING DRAGON?
- Long running APT actor with a massive scale of operation
- Main targets are countries around the South China Sea
- Active since 2012
- More than 200 C2 servers
- Over 700 customised backdoor samples
BACKGROUND OF THE RESEARCH
[Timeline graphic: 2012 - Start of Spring Dragon attacks]
STARTED IN 2012
- The Elise backdoor was used in cyberespionage attacks against targets in South East Asia
INFILTRATION TECHNIQUES
- Spearphish exploits
- Web compromises
- Watering holes

SPEARPHISH EXPLOITS
- Adobe Flash Player exploits
- PDF exploits
- MS Word exploits

WATERING HOLES – WEB COMPROMISES
- Compromised websites used to target organizations in Myanmar

WATERING HOLES – WEB COMPROMISES
- Another technique used against government targets: a spoofed Flash installer website
[Timeline graphic: 2012 - Start of Spring Dragon attacks; 2015 - Research on Spring Dragon attack techniques; 2017 - Research on Spring Dragon capabilities and tools: victims, tools, C2 servers, possible origins of Spring Dragon]
IN THE BEGINNING OF 2017
- News about new attacks arrived from a research partner in Taiwan
- Kaspersky Lab decided to investigate the attacker’s techniques and review their toolset
SPRING DRAGON VICTIMS
WHO ARE THE VICTIMS
- High profile governmental organisations
- Political parties
- Educational institutions and universities
- Telecommunication industry
GEOGRAPHIC MAP OF THE VICTIMS
SPRING DRAGON TOOLSET
SPRING DRAGON SET OF BACKDOORS
- Elise Backdoor
- Backdoor Loader
- Emissary Backdoor
- Installer
- Backdoor Injector
- ShadowLess Backdoor (midimap hijacker)

BACKDOOR LOADER TOOL
- The Backdoor Loader module has the main backdoor DLL contents encrypted and embedded
- The backdoor module connects to C2 servers
- It also creates a service for the loader module

BACKDOOR LOADER TOOL - DECODING
- Each sample has a customised config block, encoded inside the loader module
- The loader module pushes the config block onto the stack before loading the backdoor
- The backdoor module decodes the config block
BACKDOOR INJECTOR TOOL
- This module is similar to the Backdoor Loader module, with an extra feature to inject itself into a target process
- Injects its own file into the web browser process
- Looks for the default web browser
- Loads the backdoor inside the web browser process

BACKDOOR TOOLS
- Backdoor modules are either encrypted and embedded in the Installer, Backdoor Loader and Backdoor Injector modules, or, in older samples, attached to installer modules as a resource entry in plain text
BACKDOOR TOOLS
- Different backdoor samples have a customized set of C2 server addresses and customized service details encrypted inside the loader or installer modules
- Almost all the backdoor families have a similar structure for the C2 configuration data after decryption

BACKDOOR TOOLS
- Some backdoor families use hardcoded user-agent strings while communicating with their C2 servers
- Some backdoor families use specific GET requests while contacting their C2 servers

BACKDOOR TOOLS
Backdoor capabilities:
- Update the C2 configuration on the victim’s system in order to connect to new servers
- Steal any type of file from the victim’s machine and upload it to C2 servers
- Download more malicious files from C2 servers to the victim’s machine
- Load and run a DLL module
- Unload a previously loaded DLL module, which allows the backdoor to uninstall itself or to unload other applications’ DLLs to disrupt their functionality
- Run any executable file on the victim’s system, which allows the installation of further modules
- Execute different system commands on the victim’s machine to collect more information from the victim
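The two network fingerprints named on the slides (a hardcoded user-agent string and a fixed GET request path) are the kind of indicator a defender can hunt for in web proxy logs. The following Python script is an added example written for this page; it is not Kaspersky Lab's tooling, and the indicator values and log lines in it are constructed placeholders, because the talk does not disclose the actual strings. It parses combined-log-format proxy lines, flags entries whose user-agent or GET path matches the indicator set, and summarises hits per internal host.

```python
import re
from collections import Counter

# PLACEHOLDER indicators: substitute the real strings from your own threat intelligence.
SUSPICIOUS_USER_AGENTS = {"PLACEHOLDER-HARDCODED-UA/1.0"}
SUSPICIOUS_GET_PATHS = [re.compile(r"^/PLACEHOLDER-c2-path/\d+\.php$")]

# Combined log format: host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): one benign browser, one host showing both fingerprints.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2016:09:15:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/44.0"
10.0.0.7 - - [02/Mar/2016:09:16:44 +0800] "GET /PLACEHOLDER-c2-path/1.php HTTP/1.1" 200 128 "-" "PLACEHOLDER-HARDCODED-UA/1.0"
10.0.0.7 - - [02/Mar/2016:09:21:44 +0800] "GET /PLACEHOLDER-c2-path/2.php HTTP/1.1" 200 128 "-" "PLACEHOLDER-HARDCODED-UA/1.0"
10.0.0.7 - - [02/Mar/2016:09:26:44 +0800] "GET /news/today.html HTTP/1.1" 200 2048 "-" "PLACEHOLDER-HARDCODED-UA/1.0"
10.0.0.9 - - [02/Mar/2016:09:30:10 +0800] "POST /upload HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/48.0"
"""


def parse_line(line):
    """Split one combined-log-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of indicator types that match this request (empty list = nothing matched)."""
    reasons = []
    if entry["ua"] in SUSPICIOUS_USER_AGENTS:
        reasons.append("user-agent")
    if entry["method"] == "GET" and any(p.match(entry["path"]) for p in SUSPICIOUS_GET_PATHS):
        reasons.append("get-path")
    return reasons


def hunt(log_text):
    """Scan a log and return one hit record per line that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or differently formatted line; skip rather than crash
        reasons = classify(entry)
        if reasons:
            hits.append({"host": entry["host"], "time": entry["time"],
                         "path": entry["path"], "reasons": reasons})
    return hits


def hosts_by_hits(hits):
    """Count hits per source host so the noisiest internal machine surfaces first."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h["host"], h["time"], h["path"], ",".join(h["reasons"]))
    print(hosts_by_hits(found).most_common())
```

Matching on the user-agent alone is deliberately kept as a separate reason from the path match: a host that only ever shows the odd user-agent is worth a look even when the request path changes between samples, which is exactly what a customised per-sample configuration would produce.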
EVOLUTION OF SPRING DRAGON TOOLSET
[Timeline graphic spanning 2012 to 2017; the year of each milestone is not recoverable from the extracted text]
Milestones shown on the timeline:
- Start of the attacks with Elise Backdoor variants A, B and C
- End of Elise Backdoor variants A, B and C
- Start of Elise Backdoor variant D, Backdoor Loader and Backdoor Injector modules
- Start of Emissary Backdoor
- Obfuscation
- New feature introduced to escalate privileges
- ShadowLess Backdoor was introduced
- More features were added; more obfuscation was applied to backdoor code
SPRING DRAGON C2 SERVERS
C2 INFRASTRUCTURE
- The attackers have registered domain names and used IP addresses from different geographical locations to hide their real location
- More than 40% are located in Hong Kong, followed by the US, Germany, China and Japan
POSSIBLE ORIGINS OF SPRING DRAGON
HISTOGRAM OF MALWARE TIMESTAMPS (GMT+8 TIMEZONE)
[Histogram graphic: malware compile timestamps by hour of day, GMT+8]
Another group of malware developers:
1- Working from another timezone
2- Working on a second shift
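The timestamp histogram behind the slide is built from the COFF TimeDateStamp in each sample's PE header, shifted into the suspected working timezone and bucketed by hour; a second, separate cluster of hours is what raises the "another timezone or a second shift" question. The Python below is an added example for this page, not Kaspersky Lab's analysis code. It reads the timestamp from the PE header layout (e_lfanew at offset 0x3C, the 4-byte "PE\0\0" signature, then the COFF header with TimeDateStamp at signature+8), builds the hour histogram for a chosen UTC offset, and reports contiguous activity clusters. The sample "binaries" are constructed header stubs carrying chosen timestamps, not real Spring Dragon files.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) stored in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def build_pe_stub(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header (not a runnable binary) carrying the given timestamp."""
    e_lfanew = 0x40
    header = bytearray(e_lfanew + 24)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", header, e_lfanew + 4, 0x14C)  # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", header, e_lfanew + 6, 3)      # NumberOfSections (arbitrary)
    struct.pack_into("<I", header, e_lfanew + 8, timestamp)
    return bytes(header)


def hour_histogram(timestamps, utc_offset_hours=8):
    """Bucket compile timestamps by local hour of day in the given UTC offset (GMT+8 by default)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = Counter()
    for ts in timestamps:
        hist[datetime.fromtimestamp(ts, tz).hour] += 1
    return hist


def activity_clusters(hist, min_count=1):
    """Return contiguous runs of active hours as (first_hour, last_hour) pairs, e.g. [(9, 17), (21, 23)]."""
    active = [h for h in range(24) if hist.get(h, 0) >= min_count]
    clusters = []
    for h in active:
        if clusters and clusters[-1][1] == h - 1:
            clusters[-1] = (clusters[-1][0], h)
        else:
            clusters.append((h, h))
    return clusters


def analyse(samples, utc_offset_hours=8):
    """Full pipeline: PE bytes -> timestamps -> hour histogram -> activity clusters."""
    return activity_clusters(hour_histogram((pe_timestamp(s) for s in samples), utc_offset_hours))


# Constructed sample set: a daytime block plus a separate late-evening block, expressed in GMT+8.
_TZ8 = timezone(timedelta(hours=8))
SAMPLE_HOURS = [9, 10, 10, 11, 12, 13, 14, 15, 16, 17, 21, 22, 22, 23]
SAMPLE_TIMESTAMPS = [int(datetime(2016, 3, 1, h, 30, tzinfo=_TZ8).timestamp()) for h in SAMPLE_HOURS]
SAMPLE_STUBS = [build_pe_stub(ts) for ts in SAMPLE_TIMESTAMPS]

if __name__ == "__main__":
    hist = hour_histogram(pe_timestamp(s) for s in SAMPLE_STUBS)
    for hour in range(24):
        print(f"{hour:02d}:00 {'#' * hist[hour]}")
    print("activity clusters (GMT+8):", analyse(SAMPLE_STUBS))
```

The same histogram re-bucketed with `utc_offset_hours=0` shifts both clusters by eight hours without changing their shape, which is why a timezone guess is only ever as good as the assumption that compile timestamps were not altered; a practitioner would cross-check against other timestamp sources before drawing conclusions about the developers.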
CONCLUSION
- Spring Dragon is a long running APT actor with a massive scale of operation
- The attackers have been constantly developing and improving their tools since 2012
- Main targets have been in different countries and territories in the APAC region

CONCLUSION
- Spring Dragon is going to continue resurfacing regularly in the APAC region with more tools and new targets
STAY VIGILANT! THE NEXT TARGET MIGHT BE US!
LET’S TALK? @NoushinShbb