
Malware for Political Espionage: A Case Study on Advanced Persistent Threat
Explore a case study discussing evidence of an advanced persistent threat (APT) through malware used for political espionage. The study delves into the analysis of a cyber attack involving the systematic compromise of a target's network by sophisticated attackers over an extended period. Details include insights on the attack methods, malicious functionalities, and the impact on targeted systems.
Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage
Frankie Li, Anthony Lai, Ddl
Valkyrie-X Security Research Group
2011 6th International Conference on Malicious and Unwanted Software
Presenter: NTHU High-Speed Communication & Computing Laboratory
1/9
Outline
APT
A case in Hong Kong
Analysis
Conclusion
Advanced Persistent Threats (APT)
This paper considers an APT to be a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target machine or entity over a prolonged period.
A case in Hong Kong
A well-designed email (2011/7/7)
Title: Democracy Depot meeting
Sender: first_name.p0on@<org_name>.org.hk
Attachment: Democracy Depot meeting
A second email was received on 2011/7/14. It was sent by a political group about the news of a riot in
Analysis
The attachment (the malware) that the victim downloads is a dropper; its Property field contains the command. The dropper then creates a malicious DLL (the droppee) and injects it into explorer.exe. It also creates a mutex so that the malware is not installed twice on the victim's machine.
Analysis
First, the droppee tries several DNS names that do not resolve and an IP address that is not routed. After several tries, it contacts the single valid IP address on TCP port 8080. It then enters an infinite loop waiting for a response from the C&C. The droppee triggers the download of additional binaries that act as core modules performing the actual malicious functions.
Analysis
The additional binaries downloaded by the droppee perform the actual malicious functions. All passwords from Foxmail, Outlook, Outlook Express, IE Form Storage, MSN, Passport DotNet, and Protected Storage are collected from the infected machine. Screen captures are also collected and uploaded to the C&C.
Analysis
The filtered information is collected, compressed, and then uploaded over encrypted HTTP traffic. Afterwards, the staged information is removed to hide its temporary presence.
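The behaviour on the four analysis slides (failed DNS lookups and a non-routed address before the single working C&C on TCP 8080, then an archive that is uploaded over encrypted HTTP and deleted) is what a detection engineer would hunt for in endpoint telemetry. The script below is an added example, not code from the paper or the authors: it runs two detections over constructed telemetry lines in a hypothetical key=value schema, and every hostname, address, path, mutex name and process id in it is made up for illustration.

```python
"""Detection logic for the infection chain on these slides: failed lookups and a
non-routed address before the real C&C on TCP 8080, then an archive that is
posted over TLS and deleted.  Added example, not the paper's code; the
telemetry schema, names and addresses are constructed for illustration."""
import re
from collections import defaultdict

# Constructed endpoint telemetry (hypothetical key=value schema).  The mutex
# name, hostnames, paths and addresses are made up for this example.
SAMPLE_EVENTS = r"""
ts=1 pid=400 image=explorer.exe event=mutex name=Global\ExampleMutex
ts=2 pid=400 image=explorer.exe event=dns query=update.example-invalid.test result=NXDOMAIN
ts=3 pid=400 image=explorer.exe event=dns query=cdn.example-invalid.test result=NXDOMAIN
ts=4 pid=400 image=explorer.exe event=connect dst=10.255.255.1 dport=8080 result=timeout
ts=5 pid=400 image=explorer.exe event=connect dst=203.0.113.10 dport=8080 result=established
ts=7 pid=812 image=chrome.exe event=dns query=www.example.com result=OK
ts=8 pid=812 image=chrome.exe event=connect dst=198.51.100.5 dport=443 result=established
ts=20 pid=400 image=explorer.exe event=file action=create path=C:\Users\Public\~tmp1.zip
ts=21 pid=400 image=explorer.exe event=http method=POST dst=203.0.113.10 dport=443 tls=yes
ts=22 pid=400 image=explorer.exe event=file action=delete path=C:\Users\Public\~tmp1.zip
"""

KV = re.compile(r"(\w+)=(\S+)")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".cab")


def parse_event(line):
    """One telemetry line -> dict of its key=value fields."""
    return dict(KV.findall(line))


def events_by_process(text):
    """Group events per (pid, image), sorted by timestamp."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            groups[(ev["pid"], ev["image"])].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: int(e["ts"]))
    return groups


def find_beacon(events, min_failures=2, c2_port="8080"):
    """Slide 6 pattern: at least `min_failures` failed lookups/connects, then the
    first established connection to `c2_port`.  Returns None if absent."""
    failures = 0
    for ev in events:
        if ev["event"] == "dns" and ev["result"] != "OK":
            failures += 1
        elif ev["event"] == "connect" and ev["result"] != "established":
            failures += 1
        elif ev["event"] == "connect" and ev["dport"] == c2_port and failures >= min_failures:
            return {"c2": f'{ev["dst"]}:{ev["dport"]}',
                    "failures_before_contact": failures, "ts": int(ev["ts"])}
    return None


def find_staged_exfil(events, window=60):
    """Slide 8 pattern: an archive is created, a TLS POST follows, and the archive
    is deleted within `window` seconds of its creation."""
    created = {}       # archive path -> creation timestamp
    last_post = None   # (timestamp, destination) of the latest TLS POST
    for ev in events:
        kind = ev["event"]
        if kind == "file" and ev["action"] == "create" and ev["path"].lower().endswith(ARCHIVE_EXT):
            created[ev["path"]] = int(ev["ts"])
        elif kind == "http" and ev["method"] == "POST" and ev.get("tls") == "yes":
            last_post = (int(ev["ts"]), ev["dst"])
        elif kind == "file" and ev["action"] == "delete" and ev["path"] in created:
            t_create, t_delete = created.pop(ev["path"]), int(ev["ts"])
            if last_post and t_create <= last_post[0] <= t_delete and t_delete - t_create <= window:
                return {"archive": ev["path"], "posted_to": last_post[1],
                        "lifetime_s": t_delete - t_create}
    return None


def analyze(text):
    """Return {(pid, image): {"beacon": ..., "exfil": ...}} for processes that
    show either stage; unremarkable processes are left out."""
    findings = {}
    for key, events in events_by_process(text).items():
        beacon, exfil = find_beacon(events), find_staged_exfil(events)
        if beacon or exfil:
            findings[key] = {"beacon": beacon, "exfil": exfil}
    return findings


if __name__ == "__main__":
    for (pid, image), hit in analyze(SAMPLE_EVENTS).items():
        print(f"{image} (pid {pid}): beacon={hit['beacon']} exfil={hit['exfil']}")
```

On the constructed sample only explorer.exe (pid 400) is flagged: three failures precede its first established connection to 203.0.113.10:8080, and its archive lives for two seconds around a TLS POST to the same host. The browser process, with one successful lookup and a normal 443 connection, produces nothing. Grouping by process is the point: the slides say the droppee runs inside explorer.exe, so the beacon and the exfil upload come from a process that has no business doing either, and the failed-then-successful contact sequence is visible even when the single valid address is otherwise unremarkable.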
Discussion and Conclusion
APT-type malware does not carry obvious malicious functions. Unlike other malware, it seldom turns the infected system into a zombie machine.
How to avoid it