Thursday 3 October 15:00 - 15:30, Red room
Niranjan Jayanand (Microsoft)
Ivan Macalintal (Microsoft)
Debalina Ghosh (Microsoft)
This presentation will cover the long-running attack campaigns targeting South Asian officials mainly working in the government, oil, media and maritime sectors as well as defence contractors, universities (particularly those with military research ties) and legal organizations. The main motivation behind these attacks is espionage aligned with commercial and South China Sea issues for intellectual property theft and military espionage.
Attackers use multi-stage techniques against their victims. During the reconnaissance stage they collect a great deal of information, such as which software and applications are vulnerable at the customer end. Over the past few years, attackers have used poisoned Microsoft Office documents as one of their preferred infection vectors for both cybercrime and cyber-espionage attacks. It doesn't take long for malware authors to integrate novel techniques into their own exploit kits and attack ordinary users, and attackers quickly adopt most of these application CVEs.
In the campaigns we analysed, we identified multiple APT groups (namely Leviathan, Goblin Panda, Winnti and SideWinder) targeting South Asian countries with the Microsoft Office vulnerabilities CVE-2017-11882, CVE-2017-0199 and CVE-2017-8759. Fellow researchers' APT work also identified a unique object dimension present in RTF phishing files weaponized with CVE-2017-11882 and CVE-2018-0802, which appears to be used by numerous Asian APT groups. The identified RTFs all share the same object height and width (the values carried by the \objh and \objw control words), which determine how the object will be rendered in Microsoft Word. We used this trait to expand our research and track the APT groups.
Once the victim opens a poisoned Microsoft Office file, the shellcode that decrypts the final payload in memory was found to use one constant file name, '8.t', across all the campaigns. Some of the identified payloads are NewCore RAT, Hawkball backdoor, Fucobha, QCRat, PlugX, htpRAT and an unnamed RAT. Most of these remote administration tools relied on DLL side-loading to run and survive a reboot. It is very rare to see possibly different APT groups using the same shellcode file name, with two different shellcode decryption routines, to drop and execute final RAT payloads on victim machines across the different APT campaigns we identified. We also found that the attackers returned to target almost the same victim organizations in South Asian countries over this period, and at certain times the APT groups likely shared overlapping infrastructure.
The attackers continued using the same trends and traits with minimal modification to target the same victims, regions and sectors, which leads us to believe that they may have shared TTPs, code and infrastructure to steal intellectual property from victim organizations. Many file names and attacker command-and-control domains collected during the investigation used themes related to the victim country's current affairs or organizations.
1) Threat analysis and research, connecting the dots and spotting the needles in the haystack of threat intelligence from advanced persistent threats, targeted attacks, cybercrime campaigns and other threats targeting data confidentiality, integrity and availability;
2) Reverse-engineering, static and dynamic code analysis, Internet forensics, open source intelligence;
3) Industry, partner and customer engagements;
4) Global and regional cross-functional and cross-cultural project and people management for anti-malware, cyber-threat solutions research, planning, and deployment;
5) Correlation and consolidation of big data to protect customers and to further research new emerging threats.
Ivan has published numerous impactful and newsworthy blog articles and has presented at various industry conferences: Virus Bulletin, the Association of Antivirus Asia Researchers (AVAR), the High Technology Crime Investigation Association (HTCIA), B-Sides, the Digital Crimes Consortium (DCC), Microsoft TechEd North America and the Microsoft Security Response Alliance (MSRA) summit. He has also been a well-travelled SME, consultant and resource for management and executive teams on customer- and threat-marketing-related projects and goals.