Transcript A Case Study of Malware for Political Espionage

Evidence of Advanced
Persistent Threat: A Case
Study of Malware for
Political Espionage
Frankie Li, Anthony Lai, Ddl Ddl
Valkyrie-X Security Research Group
2011 6th International Conference on Malicious and
Unwanted Software
Presenter: 劉力瑋
國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
1/9
Outline




APT
A case in Hong Kong
Analysis
Conclusion
國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
2/9
Advanced Persistent Threats (APT)

This paper consider an APT as a cyber attack
launched by a group of sophisticated,
determined, and coordinated attackers who
systematically compromise the network of a
specific target machine or entity for a
prolonged period.
國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
3/9
A case in Hong Kong


A well design email (2011/7/7)

Title : Democracy Depot meeting

Sender : first_name.p0on@<org_name>.org.hk

Attachments : Democracy Depot meeting
Second email was received on 2011/7/14

It is sent by a political group about the news of a riot
in 廣州
國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
4/9
Analysis

The attachments(malware)
which you download will be
a dropper, its “Property”
field contains the command.

Then it creates a Malicious
DLL (droppee)to inject your
explorer.exe.
It also creates a mutex to
avoid duplication of
malware installation on the
victim’s machine.

國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
5/9
Analysis




First ,it tries several nonresolved DNS names and a
non-routed IP address.
The droppee triggers the
download of additional
binaries that act as core
modules performing the
actual malicious functions.
After several trails, it
contact the single valid IP
address, using TCP port
number 8080.
Then it run into an infinite
loop and waited for the
response from the C&C
國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
6/9
Analysis



Additional binaries downloaded by droppee
perform the actual malicious functions.
All passwords from “foxmail,” “outlook,”
“outlook express,” “IE Form Storage,” “MSN,”
“Passport DotNet,” and “protected storage,” were
collected from the infected machine.
The screen captures will also be collected and
uploaded to the C&C.
國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
7/9
Analysis
Filtered information is collected ,
compressed and then uploaded through
encrypted HTTP traffic.
 Afterwards, the information is removed to
hide its temporary presence.

國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
8/9
Discussion and Conclusion
APT-type malware does not carry obvious
malicious functions.
 Unlike the other malware it seldom changes
the infected system as a zombie machine.


How to avoid it
國立清華大學高速通訊與計算實驗室
NTHU High-Speed Communication & Computing Laboratory
9/9