Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage

Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage. Frankie Li, Anthony Lai, Ddl Ddl Valkyrie-X Security Research Group 2011 6th International Conference on Malicious and Unwanted Software. Presenter: 劉力瑋. Outline. APT A case in Hong Kong Analysis


Presentation Transcript


  1. Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage Frankie Li, Anthony Lai, DdlDdl Valkyrie-X Security Research Group 2011 6th International Conference on Malicious and Unwanted Software Presenter: 劉力瑋

  2. Outline: APT; a case in Hong Kong; analysis; conclusion

  3. Advanced Persistent Threats (APT) This paper considers an APT to be a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target machine or entity for a prolonged period.

  4. A case in Hong Kong
     • A well-designed email (2011/7/7)
     • Title: Democracy Depot meeting
     • Sender: first_name.p0on@<org_name>.org.hk
     • Attachment: Democracy Depot meeting
     • A second email was received on 2011/7/14
     • It was sent by a political group and concerned the news of a riot in 廣州 (Guangzhou)

  5. Analysis The downloaded attachment (the malware) is a dropper; its “Property” field contains the command. It then creates a malicious DLL (the droppee) and injects it into explorer.exe. It also creates a mutex to avoid installing the malware twice on the victim’s machine.

  6. Analysis First, it tries several DNS names that do not resolve and a non-routed IP address. The droppee triggers the download of additional binaries that act as core modules performing the actual malicious functions. After several attempts, it contacts the single valid IP address on TCP port 8080. It then enters an infinite loop and waits for a response from the C&C.
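The network behaviour on this slide, a burst of failed lookups from one host followed by steady polling of a single IP on TCP port 8080, is a pattern a defender can hunt for in DNS and firewall logs. The script below is an added example, not code from the paper or the presentation; the log format, field names, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in an assumed "ts kind host=... key=value" format.
SAMPLE_LOG = """\
2011-07-07T10:01:02 dns host=10.0.0.12 query=upd.c2-a.invalid rcode=NXDOMAIN
2011-07-07T10:01:03 dns host=10.0.0.12 query=news.c2-b.invalid rcode=NXDOMAIN
2011-07-07T10:01:04 dns host=10.0.0.12 query=mail.c2-c.invalid rcode=NXDOMAIN
2011-07-07T10:01:05 conn host=10.0.0.12 dst=192.0.2.10 dport=8080 state=TIMEOUT
2011-07-07T10:01:20 conn host=10.0.0.12 dst=198.51.100.7 dport=8080 state=ESTABLISHED
2011-07-07T10:02:20 conn host=10.0.0.12 dst=198.51.100.7 dport=8080 state=ESTABLISHED
2011-07-07T10:03:20 conn host=10.0.0.12 dst=198.51.100.7 dport=8080 state=ESTABLISHED
2011-07-07T10:04:20 conn host=10.0.0.12 dst=198.51.100.7 dport=8080 state=ESTABLISHED
2011-07-07T10:05:01 conn host=10.0.0.33 dst=203.0.113.5 dport=443 state=ESTABLISHED
"""

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<kind>dns|conn) host=(?P<host>\S+) (?P<rest>.*)")

def parse(log_text):
    """Yield (timestamp, kind, host, fields) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format are skipped rather than failing the run
            fields = dict(kv.split("=", 1) for kv in m["rest"].split())
            yield datetime.fromisoformat(m["ts"]), m["kind"], m["host"], fields

def find_beaconing(log_text, port="8080", min_nxdomain=3, min_conns=3, jitter=0.2):
    """Flag hosts with >= min_nxdomain failed lookups that then poll one IP:port at a steady interval."""
    nxdomain = defaultdict(int)
    conns = defaultdict(lambda: defaultdict(list))  # host -> dst -> [timestamps]
    for ts, kind, host, f in parse(log_text):
        if kind == "dns" and f.get("rcode") == "NXDOMAIN":
            nxdomain[host] += 1
        elif kind == "conn" and f.get("dport") == port and f.get("state") == "ESTABLISHED":
            conns[host][f["dst"]].append(ts)
    findings = []
    for host, by_dst in conns.items():
        if nxdomain[host] < min_nxdomain:
            continue  # no burst of unresolved names before the connections
        for dst, stamps in by_dst.items():
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            period = median(gaps) if gaps and len(stamps) >= min_conns else 0
            if period > 0 and all(abs(g - period) <= jitter * period for g in gaps):
                findings.append({"host": host, "dst": dst, "nxdomain": nxdomain[host],
                                 "connections": len(stamps), "period_s": period})
    return findings
```

On the constructed sample, only 10.0.0.12 is reported: three NXDOMAIN answers, then four connections to 198.51.100.7:8080 exactly 60 seconds apart, while the host talking to 203.0.113.5 on 443 is ignored.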

  7. Analysis The additional binaries downloaded by the droppee perform the actual malicious functions. All passwords from “foxmail,” “outlook,” “outlook express,” “IE Form Storage,” “MSN,” “Passport DotNet,” and “protected storage” were collected from the infected machine. Screen captures were also collected and uploaded to the C&C.

  8. Analysis The filtered information is collected, compressed and then uploaded through encrypted HTTP traffic. Afterwards, the information is removed to hide its temporary presence on the machine.

  9. Discussion and Conclusion NEVER OPEN SPEAR-PHISHING EMAILS!! APT-type malware does not carry obvious malicious functions. Unlike other malware, it seldom turns the infected system into a zombie machine. How to avoid it
