![Page 1: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND … · Z:\MAKE TROY\, NOT WAR: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND--Kyle Yang, CCIE#19065 Director, AV Engine Development](https://reader031.vdocuments.mx/reader031/viewer/2022022607/5b8351267f8b9a866e8cca62/html5/thumbnails/1.jpg)
Z:\MAKE TROY\, NOT WAR: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND
--Kyle Yang, CCIE#19065
Director, AV Engine Development, Fortinet Inc. Canada
Agenda
• 3.20 Wiper Attack
• Operation Troy
• Operation 1Mission/Mission
• Operation Nstar
• Operation Eaglexp
• Operation Flame
• Operation Flame2
3.20 Wiper Attack Impact

| Company Name | Shinhan Bank | NongHyup Bank | KBS TV | MBC TV | YTN TV |
| --- | --- | --- | --- | --- | --- |
| Damage | 57 branches, 6 DB servers | 30 branches, 10% of employee computers, 50% of ATMs | 5000 employee computers | 800 employee computers | 500 employee computers |
Wiper Case 1
• Dropper (2013-03-20): AgentBase.exe
• Windows Wiper (2013-01-31)
• conime.exe: PSCP from the PuTTY suite
• ~pr1.tmp: Linux/Unix Wiper
• alg.exe: Plink from the PuTTY suite

(Pages 5-7: Wiper Case 1 figure slides)
Wiper Case 2
• Dropper (2013-03-20): schsvcsc.exe
• Injector (2013-03-19): ~schsvcsc.dll
• Wiper (2013-03-20)

(Page 8: Wiper Case 2 figure slide)
Wiper Case 3 (page 9: figure slide)

Huh?
Wiper Spreader Case 1
• Dropper (2013-03-19)
• Update.zip (2013-03-19)
• vmsinit.ini (2013-03-19): Update Configuration File
• vms1014.zip (2010-10-14)
• OthDown.exe (2013-01-31): Wiper Case 3

(Pages 12-29: Wiper Spreader Case 1 figure slides; page 19 shows an Abnormal Update Config File beside a Normal Update Config File)
![Page 30: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND … · Z:\MAKE TROY\, NOT WAR: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND--Kyle Yang, CCIE#19065 Director, AV Engine Development](https://reader031.vdocuments.mx/reader031/viewer/2022022607/5b8351267f8b9a866e8cca62/html5/thumbnails/30.jpg)
Mpsetup.iniUpdate
Configuration File
Container.exe Wiper Case 1
Wiper Spreader Case 2
![Page 31: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND … · Z:\MAKE TROY\, NOT WAR: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND--Kyle Yang, CCIE#19065 Director, AV Engine Development](https://reader031.vdocuments.mx/reader031/viewer/2022022607/5b8351267f8b9a866e8cca62/html5/thumbnails/31.jpg)
Wiper Spreader Case 2
![Page 32: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND … · Z:\MAKE TROY\, NOT WAR: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND--Kyle Yang, CCIE#19065 Director, AV Engine Development](https://reader031.vdocuments.mx/reader031/viewer/2022022607/5b8351267f8b9a866e8cca62/html5/thumbnails/32.jpg)
SMS Details

| Company Name | Shinhan Bank | NongHyup Bank | KBS TV | MBC TV | YTN TV |
| --- | --- | --- | --- | --- | --- |
| Security Management System | AhnLab Policy Center | AhnLab Policy Center | Hauri ViRobot ISMS | AhnLab Policy Center | Hauri ViRobot ISMS |
HHuh?
Commons
• No Packer
• FileMapping Object
• Timebomb
Operation Troy
• No Packer
• Similar FileMapping Object
• Timebomb
• HTTP Protocol
• Share similar payload
• Z:\Work\Make Troy\Concealment Troy
Troy Case 1
• Downloader (2013-02-03 23:42:32)
• Dropper (2013-02-21 21:47:45)
• Win XP:
  • w7e89.tmp (2013-02-21 21:46:37)
  • themeservics.dll (2013-02-21 17:56:11)
  • shellservice.exe (2013-02-21 21:44:29)
• Win XP+:
  • SVCHOST.exe (2012-11-28 16:40:40)
  • SVCHOST.exe (2011-12-09 22:47:28)
  • w7e89.tmp (2013-02-21 21:46:37)
  • themeservics.dll (2013-02-21 17:56:11)
  • shellservice.exe (2013-02-21 21:44:29)
Troy Case 6
• Dropper (2013-02-03 23:31:12)
• Win XP:
  • w7e89.exe (2013-01-22 16:49:04)
  • w8e89.exe (2013-02-03 23:30:05)
• Win XP+:
  • SVCHOST.exe (2012-11-28 16:40:40)
  • DLL 1.dll (2011-12-09 22:47:28)
  • w7e89.tmp (2013-01-22 16:49:04)
  • w8e89.tmp (2013-02-03 23:30:05)
• OS 64bit:
  • SVCHOST.exe (2012-11-28 15:55:12)
  • DLL 2.dll (2012-09-18 00:38:30)
  • w7e89.tmp (2012-11-28 05:02:27)
Troy Payload - Preparation
Calculate an ID used in HTTP request
Troy Payload - Time bomb
Troy Payload - Communication
• [server_url]?no=0&id=[calc by regqueries]&sn=[random]&sc=[md5sum(id+id+sn+sn)]
• Write server response to 13785.tmp
• Decrypt the file using RC4 with key tp28i!c3gZ@0*3t@
Troy Payload - Commands
• wakeup
• interval
• downloadexec
• mapfs
• upload
Troy Payload - Characteristic
• Payload
• FileMapping Obj
• xx07-12-31
• SUB 4
• Calc ID
• HTTP ?no=0&id=&sn=&sc=
• RC4
HHHuh?
Troy Case 7
• Dropper (2013-03-23 10:49:59)
• Win XP:
  • w7e89.tmp (2013-03-23 07:31:31)
  • schedsrv.dll (2013-03-23 07:24:28)
• Win XP+:
  • SVCHOST.exe (2012-11-28 16:40:40)
  • w7e89.tmp (2013-03-23 07:31:31)
• OS 64bit:
  • SVCHOST.exe (2012-11-28 15:55:12)
  • w7e89.tmp (2013-03-23 07:43:59)
  • VACW.dll (2013-03-23 07:40:29)
Troy 7 Payload - Preparation
Calculate an ID used in HTTP request
Troy 7 Payload - Communication
• [server_url]?id=[calc by reg queries]
• Write server response to ~09183.tmp
• Decrypt the file using RSA
• Using UDP protocol to get URL List
• HTTP GET more files
• Wipe MBR and VBR with 00
Troy 7 Payload - Characteristic
• Payload
• FileMapping Obj
• XOR 1st Byte
• Calc ID
• HTTP ?id=
• RSA K1
• UDP
HHHHuh?
Operation Mission
• No Packer
• Similar FileMapping Object
• Timebomb
• HTTP & IRC
• Similar payload
• D:\Work\Op\Mission\TeamProject
Mission Case
• Dropper (2002-07-11)
• Ahnlab Updatekit/RunCmd.exe (2011-06-29)
• AhnlabUpdate.exe (2013-01-15)
• 32bit: ER1.tmp (2013-01-12), DR2.tmp (2013-01-12), ER3.tmp (2013-01-12)
• 64bit: ER1.tmp (2013-01-12), DR2.tmp (2013-01-12), ER3.tmp (2013-01-12)
• RunCmd.log
• RunCmd.ini
Mission Payload - Preparation
Calculate an ID used in HTTP request
Mission Payload - Communication
• [server_url]?image=1&no=0&num=[calc by reg queries]&id=[OS Ver+IP Addr]&date=[part of md5(id)]
• Write server response to ~[random].tmp
• Decrypt the file using Modified Base64 and RSA
• HTTP & IRC
Mission Payload - Commands
• Use Integer
• Join IRC
• Modify registry entry
• Change nick name
• MapFS
• Upload
• Download
• Report
Mission Payload - Characteristic
• Payload
• FileMapping Obj
• XTEA
• Calc ID
• HTTP ?image=1&no=0&num=&id=&date=
• Base64
• RSA K2
• IRC
H.uh?
Operation 1Mission
• No Packer
• Similar FileMapping Object
• Timebomb
• HTTP & IRC
• Similar payload
• Z:\1Mission\Team_Project\ Version 2.1
1Mission Case 1
• Dropper (2012-07-02 17:00:32)
• 32bit:
  • defaultmsimg64.dll (2012-07-02 16:59:48)
  • DR9.tmp (2012-07-02 17:00:09)
  • ER9 (2012-07-02 16:59:48)
  • ER8.tmp (2012-07-02 17:00:19)
• 64bit:
  • DR9.tmp (2012-07-02 17:00:03)
  • ER9 (2012-07-02 16:59:58)
  • ER8.tmp (2012-07-02 17:00:26)
1Mission Case 2
• Dropper (2012-07-04 02:43:43)
• 32bit:
  • ER1.tmp (2012-07-04 02:43:24)
  • DR1.tmp (2012-07-04 02:42:28)
• 64bit:
  • DR1.tmp (2012-07-04 02:43:36)
1Mission Case 3
• Dropper (2012-08-27 21:31:52)
• 32bit:
  • 5.1.2600: SVCHOST.exe (2012-08-27 21:30:44), ER1 (2012-08-27 21:27:35)
  • 5.1.6000: SVCHOST.exe (2012-07-23 19:09:56), W7e (2012-07-23 19:09:11), w7e89.tmp (2012-08-27 21:30:44), ER1 (2012-08-27 21:27:35)
  • 5.1.7552: SVCHOST.exe (2012-08-27 21:30:44), ER1 (2012-08-27 21:27:35)
• 64bit:
  • SVCHOST.exe (2012-07-23 19:08:39), W7e (2012-07-23 19:07:50), w7e89.tmp (2012-08-27 21:31:50), ER1 (2012-08-27 21:28:34)
1Mission Payload - Communication
• [server_url]?no=0&id=&sn=random&sc=md5(id+id+sn+sn)
• id=YN|Y8|co|YH|D3^[calc by reg queries or mac addr]
• Write server response to ~13785.tmp
• Decrypt the file using Base64 and RSA
• HTTP & IRC
• 28 CMD
1Mission Payload - Characteristic
• Payload
• FileMapping Obj
• No Enc
• CalcID
• HTTP ?no=0&id=&sn=&sc=
• Base64 RSA K0
• IRC
• MapFS
• dkwero38oerA^t@#
Operation Nstar
• No Packer
• Similar FileMapping Object
• Timebomb
• HTTP & IRC
• Similar payload
• e:\Work\BackUp\2011\nstar_1103 BsDll.pdb
• Version 2.1
Nstar Payload - Communication
• [server_url]?no=0&id=H^[calc by reg queries or mac]&sn=random&sc=md5(id+id+sn+sn)
• Write server response to ~13785.tmp
• Decrypt the file using Base64 and RSA
• HTTP & IRC
• 28 CMD
Nstar Payload - Characteristic
• Payload
• FileMapping Obj
• No Enc
• CalcID
• HTTP ?no=0&id=&sn=&sc=
• Base64 RSA K0
• IRC
• MapFS
• dkwero38oerA^t@#
Operation Eaglexp
• No Packer
• Similar FileMapping Object
• Timebomb
• HTTP & IRC
• Similar payload
• d:\VMware\eaglexp(Backup)\BsDll.pdb
• Version 2.0
Eaglexp Payload - Communication
• [server_url]?no=0&id=M^[calc by reg queries or mac]&sn=random&sc=md5(id+id+sn+sn)
• Write server response to ~13785.tmp
• Decrypt the file using Base64 and RSA
• HTTP & IRC
• 28 CMD
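The beacon format shared by the Troy, 1Mission, Nstar and Eaglexp payloads (`?no=0&id=…&sn=…&sc=md5(id+id+sn+sn)`) lets a defender confirm a suspected beacon from proxy logs instead of matching the URL shape alone: recompute `sc` from the logged `id` and `sn`, and read the variant off the `id` prefix (`H^`, `M^`, `YN|` and so on). The following is an added example, not code from the talk or from Fortinet; it assumes `sc` is the lowercase hex MD5 of the ASCII concatenation id+id+sn+sn, and the log lines and `.invalid` hostnames are constructed.

```python
"""Proxy-log check for the Troy/1Mission/Nstar/Eaglexp HTTP beacon.

Added example, not code from the slides.  The beacon described there is
    ?no=0&id=<calc>&sn=<random>&sc=md5(id+id+sn+sn)
Assumption: sc is the lowercase hex MD5 of the ASCII string id+id+sn+sn.
Log lines and hostnames below are constructed (.invalid TLD).
"""
import hashlib
from urllib.parse import parse_qs, urlsplit

# id prefixes the slides attach to each variant; Troy's id carries no prefix
VARIANT_PREFIXES = {
    "H^": "Nstar",
    "M^": "Eaglexp",
    "YN|": "1Mission", "Y8|": "1Mission", "co|": "1Mission",
    "YH|": "1Mission", "D3^": "1Mission",
}
BEACON_PARAMS = {"no", "id", "sn", "sc"}


def beacon_checksum(bot_id: str, sn: str) -> str:
    """sc as the slides describe it: md5(id+id+sn+sn), hex-encoded (assumption)."""
    return hashlib.md5((bot_id + bot_id + sn + sn).encode()).hexdigest()


def classify_id(bot_id: str) -> str:
    """Map the id prefix to the variant named on the slides."""
    for prefix, name in VARIANT_PREFIXES.items():
        if bot_id.startswith(prefix):
            return name
    return "Troy-style (no prefix)"


def inspect_url(url: str):
    """None if the URL lacks the four beacon parameters, otherwise a finding.

    checksum_ok=True means sc recomputes from id and sn; a benign site that
    happens to use the same parameter names will not satisfy that.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if not BEACON_PARAMS.issubset(query):
        return None
    bot_id, sn, sc = query["id"][0], query["sn"][0], query["sc"][0].lower()
    return {
        "url": url,
        "variant": classify_id(bot_id),
        "checksum_ok": beacon_checksum(bot_id, sn) == sc,
    }


def scan_proxy_log(lines):
    """Lines of the form '<ts> <client> <method> <url>'; returns the findings."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, nothing to inspect
        finding = inspect_url(fields[3])
        if finding is not None:
            finding["client"] = fields[1]
            findings.append(finding)
    return findings


def sample_log():
    """Constructed proxy lines; sc values are generated so the sample is self-consistent."""
    sn = "8231"
    ids = ["1234567890", "H^ABCDEF012345", "M^00AA11BB22CC", "YN|0123456789AB"]
    lines = [
        f"1363700000.001 10.0.0.{i + 5} GET "
        f"http://c2-{i}.example.invalid/index.php?no=0&id={bot_id}&sn={sn}&sc={beacon_checksum(bot_id, sn)}"
        for i, bot_id in enumerate(ids)
    ]
    # same parameter names, but sc does not recompute: reported, yet not as verified
    lines.append("1363700000.002 10.0.0.9 GET "
                 "http://c2-x.example.invalid/index.php?no=0&id=1234567890&sn=8231&sc=0000")
    lines.append("1363700000.003 10.0.0.10 GET http://www.example.invalid/search?q=putty")
    lines.append("garbage")
    return lines


if __name__ == "__main__":
    for f in scan_proxy_log(sample_log()):
        status = "VERIFIED" if f["checksum_ok"] else "pattern only"
        print(f"{f['client']:<12} {f['variant']:<24} {status}  {f['url']}")
```

A "pattern only" hit still deserves a look, since the checksum assumption may not hold for every build, but a verified hit is strong enough to pivot on the client address straight away.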
Eaglexp Payload - Characteristic
• Payload
• FileMapping Obj
• XOR 4A
• CalcID
• HTTP ?no=0&id=&sn=&sc=
• Base64 RSA K0
• IRC
• MapFS
• dkwero38oerA^t@#
H.Huh?
BS.DLL and Operations
• BS.DLL
• Troy 2013
• 1Mission 2012
• Mission 2013
• Nstar 2011
• Eaglexp 2010
BS.DLL - Characteristic
• Payload
• FileMapping Obj
• XOR 4A
• CalcID
• HTTP ?no=0&id=&sn=&sc=
• Base64 RSA
• IRC
• MapFS
• dkwero38oerA^t@#
Operation Flame
• Version 1.0 – 5.3, 2007-3-7
• HTTP
• ZIP
• Plugins {rootkit, USBDumper, MapFS, Keylogger, Email stealer}
Operation Flame2
• Version 1.1 – 5.6, Year 2008
• IRC -> HTTP & IRC
• Plugins {rootkit, USBDumper, MapFS, Keylogger, Email stealer}
• armyclass, navylogicom, mndjob, …
• RSA K0
Purpose
• Steal Sensitive Documents
• Disable System
BS.DLL PDB
• d:\Data\14th\1atest\BsDll-up\Release\BsDll.pdb
• e:\working\15th\32기-mmx\HttpBackdoor\bs_dll\Release\BsDll.pdb
• e:\wmi\work\backdoor\Release\BsDll.pdb
• k:\Ardour\Work\Backdoor\BD_Mail\First\Backdoor\Release\BsDll.pdb
• d:\Chang\vmshare\Work\BsDll-up\Release\BsDll.pdb
• d:\Work\백도어\BsDll-up\Debug\BsDll.pdb (backdoor)
• g:\작전준비\Tong\백도어\17th_Backdoor\BsDll-up\Release\BsDll.pdb (plan) (backdoor)
• d:\ZZang\From_Tong\백도어\18th_Backdoor\BsDll-up\Release\BsDll.pdb (backdoor)
• e:\Jjjjjjjjjjj\work\24th_Backdoor\BsDll-up\Release\BsDll.pdb
• d:\작업\Coding\1차백도어\1th Backdoor\Release\BsDll.pdb (work) (backdoor)
H.H.uh?
HeHe
Development Path

(Timeline figure, Year 2007 to Year 2013: Flame 1-9 and Flame2 1-2 sit on the Year 2007 and Year 2008 columns; BS Case 1-18, A/B and c-f, Eaglexp 1/2, Nstar 1, 1mission 1-6, Troy 1/2/4/5/6/7/8/b and mission are laid out across Year 2009 to Year 2013. Pages 77 and 78 carry the same slide.)