Published byΙσίδωρος Κοντόσταυλος Modified over 6 years ago
1
SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
NOUSHIN SHABAB Senior Security Researcher
2
ABOUT ME Senior Security Researcher at Kaspersky Lab
Areas of interest: APT Attack Investigation Malware Analysis Reverse Engineering Forensics Analysis
3
WHO IS SPRING DRAGON?
4
- Long-running APT actor with a massive scale of operation
- Main targets are countries around the South China Sea
- Active since 2012
- More than 200 C2 servers
- Over 700 customised backdoor samples
5
BACKGROUND OF THE RESEARCH
6
2012: Start of Spring Dragon Attacks
7
STARTED IN 2012: the Elise Backdoor was used in cyberespionage attacks against targets in South East Asia
8
2015: Research on Spring Dragon Attack Techniques
9
Infiltration Techniques: Spearphish Exploits, Watering Holes, Web Compromises
10
INFILTRATION TECHNIQUES
- Spearphish Exploits
- Web Compromises
- Watering Holes
11
SPEARPHISH EXPLOITS
- Adobe Flash Player Exploits
- PDF Exploits
- MS Word Exploits
12
WATERING HOLES – WEB COMPROMISES
Compromised websites to target organizations in Myanmar
14
WATERING HOLES – WEB COMPROMISES
Another technique used against government targets: a spoofed Flash installer website
16
2017: Research on Spring Dragon capabilities and tools
17
Possible origins of Spring Dragon: Victims, Tools, C2 Servers
18
IN THE BEGINNING OF 2017
- News about new attacks arrived from a research partner in Taiwan
- Kaspersky Lab decided to investigate the attacker’s techniques and review their toolset
19
SPRING DRAGON VICTIMS
20
WHO ARE THE VICTIMS
- High-profile governmental organisations
- Political parties
- Educational institutions and universities
- Telecommunication industry
21
GEOGRAPHIC MAP OF THE VICTIMS
22
SPRING DRAGON TOOLSET
23
SPRING DRAGON SET OF BACKDOORS
- Elise Backdoor
- Backdoor Loader
- Emissary Backdoor
- Installer
- Backdoor Injector
- ShadowLess Backdoor (midimap Hijacker)
24
BACKDOOR LOADER TOOL
- The Backdoor Loader module has the main backdoor DLL contents encrypted and embedded
- The Backdoor module connects to C2 servers
- It also creates a service for the loader module
25
BACKDOOR LOADER TOOL: Decoding
- Each sample has a customised config block, encoded inside the loader module
- The loader module pushes the config block onto the stack before loading the backdoor
- The backdoor module decodes the config block
26
BACKDOOR INJECTOR TOOL
This module is similar to the Backdoor Loader module, with an extra feature to inject itself into a target process:
- Injects its own file into the web browser process
- Looks for the default web browser
- Loads the backdoor inside the web browser process
27
BACKDOOR TOOLS Backdoor modules are either encrypted and embedded in Installer, Backdoor Loader and Backdoor Injector modules, or (in older samples) attached to installer modules as a resource entry in plain text
28
BACKDOOR TOOLS
- Different backdoor samples have a customised set of C2 server addresses and customised service details encrypted inside the loader or installer modules
- Almost all the backdoor families have a similar structure for the C2 configuration data after decryption
29
BACKDOOR TOOLS
- Some backdoor families use hardcoded user-agent strings while communicating with their C2 servers
- Some backdoor families use specific GET requests while contacting their C2 servers
30
BACKDOOR TOOLS Backdoor Capabilities:
- Update the C2 configuration on the victim’s system in order to connect to new servers
- Steal any type of file from the victim’s machine and upload it to C2 servers
- Download more malicious files from C2 servers to the victim’s machine
- Load and run a DLL module
- Unload a previously loaded DLL module, which allows the backdoor to uninstall itself or to unload other applications’ DLLs to disrupt their functionality
- Run any executable file on the victim’s system, which allows the installation of further modules
- Execute different system commands on the victim’s machine to collect more information from the victim
31
EVOLUTION OF SPRING DRAGON TOOLSET
Timeline 2012 to 2017 (events as listed on the slide):
- Start of the attacks with Elise Backdoor variants A, B and C
- More features were added; more obfuscation was applied to backdoor code
- ShadowLess Backdoor was introduced
- End of Elise Backdoor variants A, B and C
- Start of Elise Backdoor variant D, Backdoor Loader and Backdoor Injector modules
- New feature introduced to escalate privileges
- Obfuscation
- Start of Emissary Backdoor
32
SPRING DRAGON C2 SERVERS
33
C2 INFRASTRUCTURE
- The attackers have registered domain names and used IP addresses from different geographical locations to hide their real location
- More than 40% are located in Hong Kong
- Followed by the US, Germany, China and Japan
34
POSSIBLE ORIGINS OF SPRING DRAGON
35
HISTOGRAM OF MALWARE TIMESTAMPS
GMT+8 TIMEZONE. A second cluster of timestamps suggests another group of malware developers, either:
1. Working from another timezone
2. Working on a second shift
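The timestamp-histogram technique behind this slide, as an added worked example (not code from the talk or from Kaspersky Lab): PE compile timestamps are shifted into a candidate timezone and binned by hour of day, and the busiest contiguous window is taken as the likely working day. The timestamp values below are constructed for illustration, not real Spring Dragon samples.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def make_stamp(year, month, day, hour, utc_offset_hours):
    """Build an epoch value as stored in IMAGE_FILE_HEADER.TimeDateStamp (constructed)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime(year, month, day, hour, 30, tzinfo=tz).timestamp())


# Constructed sample set: an office-hours cluster plus a smaller late-evening
# cluster, both expressed in GMT+8. These are NOT timestamps of real samples.
_HOURS_GMT8 = [9, 10, 10, 11, 11, 13, 14, 14, 15, 16, 17, 21, 22, 22, 23]
SAMPLE_TIMESTAMPS = [
    make_stamp(2016, 3, 7 + i, h, 8) for i, h in enumerate(_HOURS_GMT8)
]


def hour_histogram(timestamps, utc_offset_hours):
    """Count samples per hour of day after shifting into the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    counts = Counter(datetime.fromtimestamp(ts, tz).hour for ts in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def busiest_window(hist, width=9):
    """Return (start_hour, total) of the width-hour window holding the most
    samples; the window may wrap past midnight."""
    best = (0, -1)
    for start in range(24):
        total = sum(hist[(start + i) % 24] for i in range(width))
        if total > best[1]:
            best = (start, total)
    return best


def render(hist):
    """ASCII histogram, one row per hour."""
    return "\n".join(f"{h:02d}:00 {'#' * n}" for h, n in enumerate(hist))


if __name__ == "__main__":
    for offset in (0, 8):
        hist = hour_histogram(SAMPLE_TIMESTAMPS, offset)
        start, total = busiest_window(hist)
        print(f"UTC{offset:+d}: busiest 9h window starts {start:02d}:00 ({total} samples)")
        print(render(hist))
```

The same samples bin into a 09:00 to 17:00 working day only when viewed in GMT+8; the residual evening cluster is what the slide reads as a second shift or a second team.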
36
CONCLUSION
- Spring Dragon is a long-running APT actor with a massive scale of operation
- The attackers have been constantly developing and improving their tools since 2012
- Main targets have been in different countries and territories in the APAC region
37
CONCLUSION Spring Dragon is going to continue resurfacing regularly in the APAC region with more tools and new targets. STAY VIGILANT! THE NEXT TARGET MIGHT BE US!
38
LET’S TALK? @NoushinShbb