Leverage OSINT to Trace APT Group v3
TRANSCRIPT
Page 1
Leverage OSINT to Trace APT Group
Bowen Pan, 360 Enterprise Security Group
Page 2
About us.
360 Threat Intelligence Center
• A team of 360 Enterprise Security Group
• Focus on threat intelligence and advanced targeted attack tracing.
• APT threat monitoring and tracing; uncovered several APT groups.
Page 3
About us.
Page 4
Motivation
• Why do we need OSINT?
• Tracing of APT groups is just like a jigsaw game.
• We need more comprehensive threat intelligence about APT groups.
• External intelligence will be helpful.
http://sc.chinaz.com/tupian/160415232963.htm
Page 5
Motivation
Thanks to the collections of APT reports by researchers:
• https://github.com/aptnotes/data
• https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
• Updates are not timely.
• Reports are unstructured and cannot be used directly.
• A report is not INTELLIGENCE.
(Chart: statistics between 2010 and 2018.5)
Page 6
Motivation
Our collection of APT reports from security vendors in 2018 H1: on average 1 to 1.6 articles per day.
Page 7
Motivation
Nearly 100+ APT actors are reported publicly, and dozens of them still conduct threat activities frequently nowadays.
• Construction of APT actors' TTPs & profiles.
• Leverage OSINT to trace them.
(Diagram: Threat Intelligence: relevant, accurate, timely)
Page 8
Methodology
Threat Intelligence Lifecycle: Collecting, Processing, Analysis
Page 9
Methodology
(Diagram labels: Collect & classify; OSINT; Objects & Relations; Threat Intelligence; Indicators; External Intelligence Sources & Tools; Internal Intelligence Sources & Tools; APT related; APT Profiles; Structured IOCs; Analysis models; Hunting)
Page 10
Methodology - Collect
Sources of OSINT related to APT:
• Security vendors: websites, vendor research blog.
• Security media and news.
• Social media: Twitter, Blogger.
• Public threat feed.
Page 11
Methodology - Collect
Besides using spiders, researchers can choose RSS or similar tools.
(Screenshots: RSS tool, Google Alerts)
Page 12
Methodology - Classify
Classify filtered OSINT data:
• Threat activities, incidents
  • Malspam, targeted attack, cybercrime, APT
• Threat analysis
  • Ransomware, malicious miner, exploit kit, bankbot, etc.
  • Vulnerability or exploitation.
Reports from security vendors are more valuable, because they include more technical details and even indicators, which benefit further threat hunting.
Page 13
Methodology - Structure
Retrieve information from OSINT data and summarize it.
Based on STIX, we can easily describe it and make it simpler.
Threat Actor: alias name, intent, state region, language, target, TTPs, …
Page 14
Methodology - Structure
Campaign: time range, target, TTP, …
Page 15
Methodology - Structure
Page 16
Methodology - Structure
(Diagram: objects & relations. Edges: related to, use, use, related to. Threat actor attributes: alias name, state region, languages, TTPs)
Page 17
Methodology - Analysis
We need to do further analysis:
• Check whether the OSINT is accurate or not.
  • Is the reported threat actor really THE ACTOR?
  • Was a new actor uncovered, or does it overlap with old ones?
• Check the IOCs; sometimes we found these happen in the report:
  • A hash string lost 1 byte.
  • A subdomain of a legitimate website mixed into the C&C domain list, which may cause false positives.
• Update the actor's TTPs & profile.
• Find the relations & overlapping based on the OSINT and internal threat data.
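As an added example (not tooling from the talk), a small Python IOC triage that catches the two report defects listed above: hash strings that lost a byte, and C&C entries that are really subdomains of legitimate services. The allowlist, the sample hashes and the sample domains are constructed for illustration; a real pipeline would use a public-suffix list and an internal popularity list instead of the two-label parent heuristic assumed here.

```python
import re
from typing import Dict, List

# Expected hex lengths for the hash types usually found in APT reports.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed allowlist of legitimate parent domains (assumption: in practice this
# comes from an internal popularity list plus the analyst's own review).
LEGIT_PARENTS = {"microsoft.com", "google.com", "github.com", "dropbox.com"}

def check_hash(value: str) -> str:
    """Classify a hash string and report the typical 'lost 1 byte' defect."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return "invalid: non-hex characters"
    n = len(v)
    if n in HASH_LENGTHS:
        return "ok: " + HASH_LENGTHS[n]
    if n + 2 in HASH_LENGTHS:  # one byte = two hex digits missing
        return "suspect: one byte short of " + HASH_LENGTHS[n + 2]
    if n + 1 in HASH_LENGTHS:  # a single hex digit dropped while copying
        return "suspect: one hex digit short of " + HASH_LENGTHS[n + 1]
    return "invalid: length %d" % n

def registrable_parent(domain: str) -> str:
    """Naive eTLD+1: the last two labels. Assumption: no multi-label public
    suffixes (e.g. co.uk) in the sample; use a public-suffix list otherwise."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_domain(domain: str) -> str:
    """Flag C&C domains that are really subdomains of legitimate services."""
    parent = registrable_parent(domain)
    if parent in LEGIT_PARENTS:
        return "suspect: subdomain of legitimate %s (false-positive risk)" % parent
    return "ok"

def triage(report_iocs: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Run both checks over the IOC section of one OSINT report."""
    return {
        "hashes": {h: check_hash(h) for h in report_iocs.get("hashes", [])},
        "domains": {d: check_domain(d) for d in report_iocs.get("domains", [])},
    }

# Constructed sample IOC section, not taken from any real report.
SAMPLE = {
    "hashes": [
        "d41d8cd98f00b204e9800998ecf8427e",  # valid md5
        "d41d8cd98f00b204e9800998ecf842",  # 30 hex chars: md5 that lost one byte
        "da39a3ee5e6b4b0d3255bfef95601890afd807",  # 38 chars: sha1 minus one byte
    ],
    "domains": ["update.example-c2.net", "cdn.download.microsoft.com"],
}
```

Calling triage(SAMPLE) returns a verdict per IOC; anything marked "suspect" goes back to the analyst before the indicator is loaded into detection.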
Page 18
Methodology - Analysis
Diamond Model in the attack lifecycle.
(Diagram labels: infrastructures used by the payload; related actor used the same infrastructure before; victim of exfiltration; victim infected by the payload; delivery, implant, C&C, exfiltration; region, industry, role)
source: http://www.iacpcybercenter.org/wp-content/uploads/2015/10/cyber_attack_lifecycle.jpg
Page 19
Example - OceanLotus
Decoy document tagged OceanLotus (aka APT32) from Twitter.
Exploit document, malicious macro.
Shellcode loads a DLL that has the same export name.
https://ti.360.net/blog/articles/oceanlotus-with-cve-2017-8570/
Page 20
Example - OceanLotus
OceanLotus uses this DLL module in several activities.
https://ti.360.net/blog/articles/oceanlotus-with-cve-2017-8570/
https://ti.360.net/blog/articles/oceanlotus-targets-chinese-university/
Page 21
Example - OceanLotus
Update TTPs:
• Initial Access: Spear Phishing
• Payload Execution: multiple-stage script, PowerShell, Cobalt Strike
• Persistence: Hijack CLSID
• Defense Evasion: Bypass AppLocker: Google Update (old), Flash Player (new), Word (new)
• C&C/Exfiltration: DNS tunnel; Cobalt Strike beacon with Malleable C2 Profiles
Page 22
Methodology - Analysis
MITRE Adversarial Tactics, Techniques & Common Knowledge in the attack lifecycle.
(Diagram labels: Spear Phishing, Watering Hole; Fileless, Scriptlet, Bypass UAC, Bypass AppLocker; HTTP/HTTPS/FTP/SMTP, DNS Tunnel, Cloud service, Cloud disk)
source: http://www.iacpcybercenter.org/wp-content/uploads/2015/10/cyber_attack_lifecycle.jpg
Page 23
Example - Analysis
Actors use their own tactics and techniques. Comparison of delivery from spear-phishing email.
Columns: OceanLotus, DroppingElephant, Darkhotel, APT-C-01, Group123, APT28
• decoy document: √ √ √ √ √ √
• RAR/SFX: √
• phishing link: √ √
• link to compromised website: √ √
• drive-by download: √ √
Page 24
Example - Analysis
Comparison of establishing foothold / 1st implant payload.
Columns: OceanLotus, DroppingElephant, Darkhotel, APT-C-01, Group 123, APT28
• exploit document: √ √ √ √ √ √
• DDE: √
• malicious macro: √ √ √ √
• HTA: √
• scriptlet: √ √ √ √
• PowerShell: √ √ √ √
• LNK: √
• PE: √ √
Page 25
Example - Analysis
Major techniques used for the payload.
Columns: OceanLotus, DroppingElephant, Darkhotel, APT-C-01, Group123, APT28
• C/C++: √ √ √ √ √ √
• .Net: √ √
• PowerShell: √ √ √ √ √
• AutoIt: √ √
• Delphi: √
• Cobalt Strike: √
• Open source code: √ √ √
Columns: OceanLotus, DroppingElephant, Darkhotel, Group 123, APT28
• Bypass AppLocker: √ √
• DLL Hijack: √ √
• UAC Bypass: √ √
• Image Steganography: √ √ √
• PE Reflective Loader: √
• job schedule: √
• CLSID hijack: √
Page 26
Example - Analysis
Infrastructures used for C&C or exfiltration.
Columns: OceanLotus, DroppingElephant, Darkhotel, APT-C-01, Group 123, APT28
• domain registration: √ √ √ √
• DDNS: √
• Cloud Storage: √
• DGA:
• DNS Tunnel: √
• Compromised website: √ √
Page 27
Methodology - Analysis
We construct APT actors' TTPs & profiles as objects and relations, so relations and overlapping can easily be found based on the graph database and graph theory.
• relations of observed data (internal graph analysis tool from 360 Netlab)
  • hash, IP, domain
  • PDNS, Whois registration
• relations of actors and their indicators, aiming to find the related technique details (neo4j demo)
  • actor and its alias names
  • payload used
  • infrastructure used
  • etc.
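As an added example (not the talk's neo4j demo or the 360 Netlab tool), a plain-Python sketch of the objects-and-relations idea from the Structure slides and the overlap analysis described here: actor profiles, payloads and infrastructure are STIX-style objects joined by "uses" edges, and nodes shared between two actors are reported as overlap. Shared-service infrastructure is demoted to weak evidence; the parking IP 91.195.240.82 that the later example attributes to a domain service provider is used for that case. Actor labels, object ids and the edge list are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed STIX-2-style objects (sample data, not from any real report).
# Profile fields follow the talk: threat-actor with alias names, malware
# (payload used), infrastructure (C&C used).
OBJECTS = {
    "threat-actor--x": {"type": "threat-actor", "name": "actor-x", "aliases": ["x-alias"]},
    "threat-actor--y": {"type": "threat-actor", "name": "actor-y", "aliases": []},
    "threat-actor--z": {"type": "threat-actor", "name": "actor-z", "aliases": []},
    "malware--dropper": {"type": "malware", "name": "delphi-dropper"},
    "infra--c2-1": {"type": "infrastructure", "name": "c2-one.example"},
    "infra--sedo": {"type": "infrastructure", "name": "91.195.240.82"},
}
RELATIONS = [  # (source_ref, relationship_type, target_ref)
    ("threat-actor--x", "uses", "malware--dropper"),
    ("threat-actor--y", "uses", "malware--dropper"),
    ("threat-actor--x", "uses", "infra--c2-1"),
    ("threat-actor--y", "uses", "infra--sedo"),
    ("threat-actor--z", "uses", "infra--sedo"),
]
# Assumption: infrastructure run by a shared service (domain parking, CDN,
# sinkhole) links unrelated actors, so overlap through it is weak evidence.
NOISY_INFRA = {"infra--sedo"}

def build_graph(relations):
    """Adjacency: threat-actor id -> set of payload/infrastructure ids it is linked to."""
    g = defaultdict(set)
    for src, rel, dst in relations:
        if OBJECTS[src]["type"] == "threat-actor" and rel in ("uses", "related-to"):
            g[src].add(dst)
    return g

def actor_overlaps(relations, noisy=NOISY_INFRA):
    """For every actor pair sharing a node, split the shared nodes into
    'strong' (custom tooling / dedicated infra) and 'weak' (noisy infra)."""
    g = build_graph(relations)
    out = {}
    for a, b in combinations(sorted(g), 2):
        shared = g[a] & g[b]
        if shared:
            out[(a, b)] = {"strong": shared - noisy, "weak": shared & noisy}
    return out

def as_stix_relationship(src, rel, dst):
    """Serialize one edge as a STIX 2 relationship object (id is a placeholder)."""
    return {"type": "relationship", "id": f"relationship--{src}-{rel}-{dst}",
            "relationship_type": rel, "source_ref": src, "target_ref": dst}

if __name__ == "__main__":
    for pair, o in actor_overlaps(RELATIONS).items():
        print(pair, "strong:", sorted(o["strong"]), "weak:", sorted(o["weak"]))
```

With the sample data, actor-x and actor-y overlap on the shared dropper (strong), while actor-y and actor-z overlap only through the parking IP (weak), which is the kind of link that needs PDNS or Whois corroboration before it counts.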
Page 28
Example 1 – actors overlapping & relations
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html
Page 29
Example 1 – actors overlapping & relations
internal graph analysis tool from 360 Netlab
https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/
Page 30
Example 1 – actors overlapping & relations
internal graph analysis tool from 360 Netlab
https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
Page 31
Example 1 – actors overlapping & relations
internal graph analysis tool from 360 Netlab
Page 32
Example 1 – actors overlapping & relations
The IP address (91.195.240.82) belongs to SEDO GmbH, a German domain service provider.
Page 33
Example 1 – actors overlapping & relations
Columns: Confucius | DroppingElephant | Bahamut
• Target: South Asia | China, South Asia | South Asia, Middle East
• Target platform: PC, Android | PC, Android | Android
• Payload: Delphi | Delphi, C#
• Initial compromise: Social media | Spear Phishing, Social media | Spear Phishing, Social media
Page 34
Example 2 – actors overlapping & relations
(Diagram labels: sinkholed; APT28; DroppingElephant; overlapping?)
Page 35
Summary
Leveraging OSINT gives us a more comprehensive insight into APT groups.
We believe that APT groups have limited resources and time. They may reuse some custom tools or infrastructures.
OSINT can help us correlate evidence of the actor and complete the puzzle.
Page 36
Summary
WeChat account; Twitter: @360TIC; Blog: https://ti.360.net/blog/
Page 37
THANKS