[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activities Against All the Policymakers by Zih-Cing Liao and Yu-Tung Chang
•
0 likes•95 views
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials. The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals. CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle. In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust. In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection. In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
Report
Share
More Related Content
What's hot
What's hot (20)
Similar to [cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activities Against All the Policymakers by Zih-Cing Liao and Yu-Tung Chang
Similar to [cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activities Against All the Policymakers by Zih-Cing Liao and Yu-Tung Chang (20)
More from CODE BLUE
More from CODE BLUE (20)
Recently uploaded
Recently uploaded (20)
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activities Against All the Policymakers by Zih-Cing Liao and Yu-Tung Chang
- 1. CloudDragon’s Credential Factory is Powering Up Its Espionage Activities Against All the Policymakers 2022.10.28 Zih-Cing Liao, Yu-Tung Chang
- 2. $whoami 2 u Zih-Cing Liao aka DuckLL u Senior Threat Intelligence Researcher @ TeamT5 u Speaker of Conferences: Black Hat Asia, HITB, HITCON, CODE BLUE ... u Yu-Tung Chang u Threat Intelligence Researcher @ TeamT5 u Focus on APAC APT
- 4. Introduction
- 5. CloudDragon 5 u Kimsuky subgroup u Cyber Espionage / Cyber Crime u Phishing operation u Malware u JamBog (AppleSeed) u BabyShark u PMSDoor u KGHRAT (KGH_SPY)
- 8. Credential Factory Vitcim List Phishing Sites Credentials Email Files Target Employee External Service Phishing Doc Phishing Sites Malware Credentials Vulnerability Intranet Internal Service Files Hacktool Credentials Target
- 9. Daily Cycle Vitcim List Phishing Sites Credentials Email Files Target Employee External Service Phishing Doc Phishing Sites Malware Credentials Vulnerability Intranet Internal Service Files Hacktool Credentials Target
- 10. Phishing 10
- 11. Proxy Mirror 11 Fetch Login page Modify Form username password Real Site Login Sucess ./logs/{user_id}.cfm index.php confirm.php
- 12. Phishing Bot 12 ajax Phishing Bot Phishing Site Browser
- 13. Campaign Cycle Vitcim List Phishing Sites Credentials Email Files Target Employee External Service Phishing Doc Phishing Sites Malware Credentials Vulnerability Intranet Internal Service Files Hacktool Credentials Target
- 14. Phishing Doc 14 TBS TV_Qs.docx Interview memo_patrick.docx Kyodo News_Niklas.docx Upholding the RBO in the INdo-Pac.docx
- 15. BabyShark 15 VBS VBS DOTM VBS C2 Server C2 Server C2 Server r.php ca.php d.php/OneDrive recon AV info download fetch command dot_eset.gif, vbs_kasp.gif, video.gif, start1.gif, start2.gif, secur32.gif, ... vbtmp, battmp
- 17. BabyShark 17 u Detect and Bypass
- 18. AFMail 18 VBS vbtmp battmp BabyShark VBS C2 Server upload ttmp.log upload_dat_files.vbs fetch command write browser info. C2 Server d.php upload.php ps1 getChrome.ps1, getWhale.ps1, ... ttmp.log ... ps1 download & execute download & drop read
- 20. AFMail 20 VBS vbtmp battmp BabyShark download & install C2 Server bg.js dev.html manifest.json dev.js Preferences Secure Preferences set background script set devtool_page fetch cd1.js fetch cd2.js load dev.ps1 load open DevTools plugin.bat json ps1
- 22. AFMail 22 u cd2.js : filter target mail services
- 23. AFMail 23 u cd1.js : backup email and attachment to C2
- 24. Dust 24 u Shellcode module backdoor u DNS version u MD5: 48be981d814e38a00f70892e826a12f8 u PDB: D:9dustx64Releasescdll.pdb u HTTP version u MD5: 1bbb234b56b344222784b95cbab0fcb2
- 25. Dust DNS 25 Shellcode Loader regsvr32 XOR Backdoor (in memory) Launch prefix function cdn connect api send data post get data Base16(Enc(Data)) DNS cdn.50a0f04191e13282d22373c31464b405.foo[.]bar
- 27. Dust HTTP 27 Shellcode Loader regsvr32 XOR Backdoor (in memory) Launch header csrf-token: Base64(php code) body Base64(Enc(Data)) C2
- 28. Dust HTTP 28 u PHP code
- 29. Dust HTTP 29 u Dial and connect u No persistent files Compromised C2 123.s 123.c Client: 123 code + data code + command
- 30. Dust 30 u Function table command function 0 exectue shell command 1 get computer information 2 change work directory 3 inject shellcode to other process 4 setup sleep interval 5 download file 6 upload file 7 pipe data (with plugin) 8 self-terminate
- 31. Dust 31 u Loader + Cobalt Strike u 2fe72ac40801ff02b1a58dac3f29c780 u C2: 10.30.0.3 u Cobalt Strike Plugin u abd3926fd5db8294951b801e92801077 u pdb: D:9dustx64Releaseexe.pdb u C2: 10.10.12.150 u 3bf13d241c438a5df7c6b1d4d2c2dfd6 u ITW: https://github.com/systemplugin/base u C2: e86d-109-236-81-161.eu.ngrok.io
- 32. Post-exploit Cycle Vitcim List Phishing Sites Credentials Email Files Target Employee External Service Phishing Doc Phishing Sites Malware Credentials Vulnerability Intranet Internal Service Files Hacktool Credentials Target
- 33. Hacktool 33 u Kimsuky develop u screenshot u keylogger u credential (stealer) u tgcd u ngrok u XMRig
- 35. Keylogger 35 ps1 VBS 2.crp 2.ps1 decrypt keylogger write read C2 Server ttmp.log ieCert.vbs upload
- 36. Credential (stealer) 36 u Triger at user login
- 37. AnyDesk 37 adplus.bat system.conf smss.bat AnyDesk.exe rvv.exe VBS func.txt decrypt load drop drop.crp C2 Server service.conf load launch ieUpSrv.exe ieUpdate.exe set services launch fetch command hide install config config backdoor
- 38. Hide AnyDesk 38 u ieUpdate.exe u PDB: H:공유실공유ZangHideTray&Window(Any)HideTray&Window(Any)x64Rel easeHideTray.pdb u Hide Component u Window u System Tray u Toolbar
- 39. Hide AnyDesk 39 u Window u System Tray u Toolbar
- 40. Hide AnyDesk 40 u Window u System Tray u Toolbar
- 41. AnyDesk Config 41 u %AppData%AnyDesk u %ProgramData%AnyDesk system.conf service.conf
- 42. AnyDesk 42 system.conf AnyDesk.exe service.conf Setup config: known id known password system.conf AnyDesk.exe service.conf load deploy to config path config config config config AnyDesk with known credential
- 43. Case Study
- 44. KAERI 44 u Confirmed hacking incident u Malicious VPN access
- 46. SSH Login Log 46 u Root login from C2
- 47. SSH Vulnerability 47 u Default root password u 279 posseble vulnerable servers
- 49. Web Vulneravility 49 u upload file without permission check
- 50. Web Vulneravility 50 u 117 posseble vulnerable servers
- 51. MemzipRAT 51 u whatthe.exe(MD5: 4c45c89774d974671809116564800bf2) Installer Loader Zip Resource Drop Write Registry Load Load config Compromised C2 Zip file (RC4+XOR+Base64) Backdoor (in memory)
- 52. MemzipRAT 52 u Injector u Keylogger u Browser u Screenshot u Remote desktop command argument field function 0 F-f4:fSNFW exectue shell command 1 Lp(f*f34 change dirctory 4 83hT$GT$# connect to ip port 5 LF*F434ht3 set sleep time(day) 6 f41FP-bdgr set sleep time(minute) 7 self-delete 8 841F6PbdgO inject self to other process 9 PK0F6PbdgO inject dll 10 GNEI7807H self-upgrade 11 GNEI7807H install module 12 GKPI7807H start module 14 :G$43tHogreg update config Function Table
- 53. VPN-0day 53 Compromise VPN company VPN Phishing Site SSH key leak Get credentail Compromise KAERI MemzipRAT
- 54. Victims 54
- 55. Conclusion
- 56. Key Takeaways 56 u The APT group CloudDragon u Credential Factory u Phishing & social engineering u Target tatic & malware u Post-exploit with legal tool u VPN-0day case study
- 57. Mitigation 57 u Double check E-mail u Check browser extenion u Avoid using remote desktop tools u Change product default password u Update software to latest
- 58. Zih-Cing Liao duckll@teamt5.org THANK YOU! Yu-Tung Chang tako@teamt5.org
- 59. Reference 59 u Dmitry Tarakanov. (2013) The “Kimsuky” Operation: A North Korean APT? (https://securelist.com/thekimsuky-operation-a-north- korean-apt/57915/) u Mark Lim. (2019) BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat(https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/) u Cybersecurity and Infrastructure Security Agency. (2020) North Korean Advanced Persistent Threat Focus: Kimsuky (https://www.cisa.gov/uscert/ncas/alerts/aa20-301a ) u 360威胁情报中心. (2021) Kimsuky组织网络攻击活动追溯分析报告(https://mp.weixin.qq.com/s/pkCK1ryXvGWFuoHQk9Rahg) u KAERI (2021) [설명자료] 시사저널 "원자력연구원, 서버 뚫렸다. 북해킹의심...은폐의혹" 기사 관련 (https://www.kaeri.re.kr/board/view?menuId=MENU00326&linkId=9181) u AhnLab Security Emergency response Center. (2021) Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash) (https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf) u Darien Huss and Selena Larson (2021) Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies (https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406- steals-scams-spies.pdf) u Jhih-Lin Kuo & Zih-Cing Liao (2021) "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality (https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-HowCloudDragon-Turns-A-Nightmare-Into- Reality.pdf)
- 60. Reference 60 u Jhih-Lin Kuo & Zih-Cing Liao. (2021) Story of the 'Phisherman' - Dissecting Phishing Techniques of CloudDragon APT (https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20- %20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf) u Malwarebytes LABS. (2021) Kimsuky APT continues to target South Korean government using AppleSeed backdoor (https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government- using-appleseed-backdoor) u AhnLab Security Emergency response Center. (2022) 발주서, 품의서를 위장한 AppleSeed 유포 (https://asec.ahnlab.com/ko/35781/) u AhnLab Security Emergency response Center. (2022) 특정 군부대 유지보수 업체 대상으로 AppleSeed 유포 (https://asec.ahnlab.com/ko/36918/) u John Hammond. (2022) Targeted APT Activity: BABYSHARK Is Out for Blood (https://www.huntress.com/blog/targeted-apt-activity- babyshark-is-out-for-blood) u Paul Rascagneres, Thomas Lancaster. (2022) SharpTongue Deploys Clever Mail-Stealing Browser Extension "SHARPEXT" (https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/) u Jason Reaves and Joshua Platt. (2022) Pivoting on a SharpExt to profile Kimusky panels for great good (https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9)