Discretion in APT: recent APT attack on crypto exchange employees

Thursday 3 October 14:30 - 15:00, Red room

HeungSoo Kang (LINE)



This talk presents an overview of the recent APT attack against employees of cryptocurrency exchanges, including LINE. The attack started with email spear phishing, and continued to a Firefox zero-day exploit, stage 1 and stage 2 malware. As a former anti-virus researcher/red teamer and current security team member, I will compare the perspectives of the victim, the attacker, and the security team.

First, the perspective of the victim. The victim is an experienced blockchain programmer using MacBook and iPhone. The attackers were very discreet with their social engineering scheme. The victim receives an email to his personal account – an invitation to become a member of the review board for an industry prize. The email was sent through a legitimate university email server and the sender has a nice LinkedIn profile. After some conversation, the victim receives the university’s site link to login using a temporary ID/password. The victim logs in and gets infected.

Second, the perspective of the attackers. The university has a bold web service that can expose every account in the system. The attackers used an undisclosed method to gain access to a few accounts, which allowed access to the university’s email account and personal web hosting. The attackers made up a LinkedIn profile and added 100+ connections (we all accept connections from strangers, don’t we?). After preparing these, the attackers hosted an HTML page for the fake awards and put the Firefox zero-day exploit there before sending out emails to the set of targets they had collected working for blockchain exchanges.

Third, (briefly) the perspective of the corporate security team. I will describe where we found the attack attempt, how we communicated with the victims, where the attackers were good and where they were not.

Finally, I’ll share other information, such as an analysis of the stage 1 and stage 2 malware and some trivia relating to their operation, such as their C2 servers, how they evaded surveillance (which might as well be coincidence), etc. Neither the stage 1 nor the stage 2 malware was obfuscated, and stage1 only had one detection in VirusTotal at the time. Stage 2 is a QT-based RAT, with about 25,000 functions, so I grabbed QT, OpenSSL, etc. libraries to generate FLIRT, which resulted in 20% of the functions being recognized. The C2 server was hosted by a small VPS service, which accepts Bitcoin for payment.

 

 

HeungSoo-Kang-web.jpg

HeungSoo (David) Kang

HeungSoo Kang is a security engineer working for LINE in Korea. He works with many colleagues in LINE to secure LINE's services and infrastructure. HeungSoo used to work as a malware analyst, a red-team member/security engineer, code (de)obfuscation developer, etc. His interests are reverse engineering, code obfuscation, malware analysis, APT tracking, analysing exploits, and writing tools for these.


   Watch video

Back to VB2019 Programme page

Other VB2019 papers

Never before had Stierlitz been so close to failure

Sergei Shevchenko (Sophos)

Domestic Kitten: an Iranian surveillance program

Aseel Kayal (Check Point)
Lotem Finkelstein (Check Point)

Panel: Where is threat intelligence headed?

Derek Manky (Fortinet)
Samir Mody (K7 Computing)
Heather King (CTA)
Warren Mercer (Cisco Talos)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.