WHY CORRUPTED (?) SAMPLES IN
RECENT APT?
-CASE OF JAPAN AND TAIWAN
By Suguru Ishimaru
Dec 2016
Introduction
Introduction
$ whoami
Suguru_ISHIMARU
$ whois suguru_ishimaru
Job_title: Researcher
Department: Global Research Analysis Team
Organization: Kaspersky Labs
E-mail: suguru.ishimaru[at]kaspersky.com
My last blog post was Conference Report: HITCON 2016 in Taipei
https://securelist.com/blog/events/75730/conference-report-hitcon-2016-in-taipei/
Contents
Contents
$ history | tail -n5
139 problem
140 motivation
141 emdivi
143 elirks
144 conclusion
Problem
Problem: A lot of targeted attacks
More than 40 APT
Problem: The biggest issue is...
Question: What is the biggest problem in APT, seen from the antivirus side?
Hard work / No detection / No sample
We collect mass-spread samples. However, we could not get APT samples easily. In particular, second-stage samples are extremely rare.
Problem: Corrupted samples
We found samples, but sometimes they were corrupted. That means they are executable but crash:
1. Memory dump
2. Unknown binary data
3. Broken data
4. Cured by antivirus
5. Quarantined file
6. Password-encrypted archive without the password
Problem: Why corrupted samples?
Question: Why corrupted samples in recent APT?
I will tell you my answer in the conclusion.
Motivation
Motivation: What should we do?
Question: What should we do when we get corrupted malware in APT?
Just ignore / Deep analysis / Make AV signature
1. Check whether it is really corrupted or not
2. Get information about other related samples
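The first step, checking whether a sample is really corrupted, can be partly automated with file-format checks. The following triage helper is an added example and not code from the presentation; it sorts a collected file into a few of the categories listed on the Problem slide (a PE dumped from memory, a PE cut short on disk, a password-protected archive, not a PE at all) and builds its own constructed PE and ZIP inputs. The memory-dump rule (raw section offsets equal virtual addresses) is a heuristic, and the minimal PE builder is this example's own.

```python
"""Triage helper: is a "corrupted" sample really corrupted, and in what way?

Added example, not from the presentation. Uses file-format checks only; all
inputs are constructed here with a tiny PE builder.
"""
import struct

PE32_MAGIC = 0x10B
OPT_HEADER_SIZE = 224          # size of a standard PE32 optional header
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Construct a minimal PE32 file from (name, virtual_addr, raw_ptr, raw_size)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x102)
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * (OPT_HEADER_SIZE - 2)
    out = dos + b"PE\0\0" + coff + opt
    for name, vaddr, raw_ptr, raw_size in sections:
        out += struct.pack(SECTION_FMT, name, raw_size, vaddr, raw_size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)
    end = max(raw_ptr + raw_size for _, _, raw_ptr, raw_size in sections)
    return out.ljust(end, b"\0")  # zero-filled section bodies


def classify_sample(data):
    """Return a coarse category for a collected sample."""
    if data[:4] == b"PK\x03\x04":
        # ZIP local file header: general-purpose flag bit 0 = entry is encrypted
        flags = struct.unpack_from("<H", data, 6)[0] if len(data) >= 8 else 0
        return "archive-encrypted" if flags & 1 else "archive"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_off = e_lfanew + 24 + opt_size
    dumped = nsec > 0
    for i in range(nsec):
        off = sec_off + i * 40
        if off + 40 > len(data):
            return "pe-truncated"  # section table itself is cut off
        _, _, vaddr, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from(SECTION_FMT, data, off)
        if raw_ptr + raw_size > len(data):
            return "pe-truncated"  # section body extends past end of file
        # In an image dumped from memory the raw offsets equal the virtual
        # addresses (heuristic: dump tools usually rewrite headers that way).
        if raw_ptr != vaddr:
            dumped = False
    return "pe-memory-dump" if dumped else "pe-ok"


# Constructed inputs (not real samples).
GOOD = [(b".text", 0x1000, 0x400, 0x200), (b".data", 0x2000, 0x600, 0x200)]
DUMPED = [(b".text", 0x1000, 0x1000, 0x1000), (b".data", 0x2000, 0x2000, 0x200)]
ENCRYPTED_ZIP = b"PK\x03\x04" + struct.pack("<HHH", 20, 0x0001, 0) + b"\0" * 22
PLAIN_ZIP = b"PK\x03\x04" + struct.pack("<HHH", 20, 0, 0) + b"\0" * 22

if __name__ == "__main__":
    for label, blob in [("good", build_pe(GOOD)), ("dumped", build_pe(DUMPED)),
                        ("truncated", build_pe(GOOD)[:0x500]),
                        ("zip", ENCRYPTED_ZIP), ("junk", b"\x00\x01\x02\x03")]:
        print(label, "->", classify_sample(blob))
```

The categories are deliberately coarse: "pe-memory-dump" and "pe-truncated" mean the file is not worth running as-is but may still carry strings, configs or code worth static analysis, which is exactly the "deep analysis" branch of the question above.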
Motivation: Two recent APT cases
Probably corrupted (?) samples have been found in two recent APT cases.
Emdivi Elirks
Emdivi
Emdivi: Overview
1. The Blue Termite APT campaign
2. Target region is Japan mainly
3. C2s on compromised legitimate sites
4. spear phishing email
5. Drive-by download
6. Watering hole attacks
7. CVE-2014-7247
8. CVE-2015-5119
Emdivi: History
JUL 2011: Target to web site in Taiwan
NOV 2013: Oldest sample of Emdivi
NOV 2014: Operation CloudyOmega by Symantec
MAY 2015: Japan Pension Service, Emdivi + PlugX
JUL 2015: Attacks of Flash Player 0day (CVE-2015-5119) by Trendmicro
AUG 2015: New activity of the Blue Termite APT by Kaspersky
MAY 2016: Security report about APT (Emdivi) by Macnica
Emdivi: Infection vector
spear phishing e-mail
drive by download
watering hole attacks
CVE-2015-5119
self-extracting archives (SFX) file
emdivi t17
emdivi t20
Emdivi: Target
Industries:
1. Government
2. Universities
3. Financial services
4. Energy
5. Food
6. Heavy industry
7. Chemical
8. News media
9. Health care
10. Insurance
11. Security researcher
12. Internet service provider
Regions:
• Japan
• Taiwan
To create infrastructure:
• Japan: hosting provider
• Taiwan: web site
Emdivi: Corrupted (?) samples
We collected more than 600 samples related to these attacks; around 25 percent were Emdivi samples. Among them, 6 percent did not work.
Emdivi: Important data was encrypted
The Emdivi family stores its important data encrypted: C2, API names, strings for anti-analysis, mutex values, as well as the MD5 checksums of backdoor commands and the internal proxy information.
generate_base_key:
  salt1 = md5sum(version.c2id...)
  salt2 = hardcoded long data
  -> aes key (16 byte) -> xxtea key (32 byte)
encrypted data -> Modified xxtea_decrypt -> %program files%
Emdivi: Corrupted (?) customized samples
Is it possible to analyze?
generate_base_key:
  salt1 = md5sum(version.c2id...)
  salt2 = hardcoded long data
  salt3 = SID of specific victim
  -> aes key (16 byte) -> xxtea key (32 byte)
encrypted data -> xxtea_decrypt + add and sub -> unknown data (instead of %program files%)
We could brute-force the xxtea key.
Emdivi: Corrupted (?) customized samples
Is it possible to analyze?
No
We published the details in a blog post on securelist.com
Emdivi: DEMO
Emdivi t20 AES + SID
Elirks
Elirks: Overview
1. Also known as PLURK
2. The Elirks APT campaign
3. Unique schema to connect real C2
4. Target Regions are Taiwan, Japan
5. Trojan dropper is fake folder icon
6. Decoys were sometimes airline e-ticket
This group uses several types of malware: Elirks, Ymailer, Ymailer-mini and Micrass.
This presentation focuses on Elirks.
Elirks: History
MAR 2010: Oldest Elirks sample
JUL 2012: Chasing Advanced Persistent Threats (APT) by SecureWorks
JUL 2013: Hunting the Shadows by Fyodor Yarochkin, Pei Kan PK Tsung, Ming-Chang Jeremy Chiu, Ming-Wei Benson Wu
AUG 2015: Let's Play Hide and Seek In the Cloud by Ashley, Belinda
MAR 2016: Japan Tourist Bureau (JTB), Elirks + PlugX
JUN 2016: Tracking Elirks Variants in Japan: Similarities to Previous Attacks by paloalto
SEP 2016: MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies by paloalto
OCT 2016: BLACKGEAR Espionage Campaign Evolves by trendmicro
NOV 2016: Japan Business Federation, Elirks + PlugX
Elirks: Infection vector
spear phishing e-mail -> Trojan dropper spoofing a folder icon (fake folder icon: 78 %) -> creates a directory and a decoy, then deletes itself -> Elirks malware
Elirks: Target
Regions:
• Taiwan
• Japan
Industries:
1. Government
2. Universities
3. Heavy industry
4. News media
5. Trading
6. Airline
7. Travel agency
Decoys of airline e-ticket: Japan, Taiwan
Elirks: Unique schema to connect real C2
The Elirks malware has a unique schema to connect to the real C2. It connects to a blog post on a legitimate site to get the encrypted real C2 information.
Malware config -> A post in a legitimate blog -> Decrypt function -> Real C2
Elirks: Corrupted (?) samples
We collected more than 200 samples. Among them, less than 3 percent were probably corrupted. Then we confirmed why these samples do not work.
Elirks: Elirks has three encrypted data
0x417530 encrypted data (10768 byte) -> aes_decrypt -> 0x401000 malware func1 (10768 byte)
0x419F40 encrypted data (10736 byte) -> aes_decrypt -> 0x405CF0 malware func2 (10736 byte)
0x41FF88 encrypted data (1504 byte) -> aes_decrypt -> 0x41FF88 malware config (1504 byte)
generate_base_key: data_of_key_salt -> aes key (16 byte) -> aes_expkey_array[4]
anti emu key (1 byte / 2 byte)
Elirks: Decrypted Elirks
Before decryption -> after decryption:
0x401000 unknown data (10768 byte) -> 0x401000 malware func1 (10768 byte)
0x405CF0 unknown data (10736 byte) -> 0x405CF0 malware func2 (10736 byte)
0x41FF88 encrypted data (1504 byte) -> 0x41FF88 malware config (1504 byte)
Elirks: Corrupted (?) samples
A corrupted (?) sample does not decrypt its malware config. That means it does not work and cannot be analyzed.
0x41CE28 encrypted data (1504 byte) -> (not decrypted) -> 0x41CE28 malware config (1504 byte)
Elirks: DEMO
Elirks probably corrupted (?) sample
Elirks: Corrupted (?) customized samples
It was a customized sample for specific victims.
It compares a specific directory with the current directory to extract a 4-byte XOR key, which is used as part of AES key generation.
0x41CE28 encrypted data (1504 byte) -> 0x41CE28 malware config (1504 byte)
aes key (16 byte) without the victim-specific XOR key / aes key (16 byte) with the victim-specific XOR key
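Both customized cases, Emdivi with salt3 = the victim's SID and Elirks with 4 bytes of key material taken from the install directory, tie the config key to one victim's machine, so on any other host the config decrypts to garbage and the sample looks corrupted. The following is an added example, not code from the presentation or from either malware family: it models that scheme with standard XXTEA and an assumed derivation (md5 over salt1 = md5(version.c2id), a hardcoded salt2, and the victim token), then shows the analyst's side, enumerating victim-specific values collected during the incident and validating each candidate by whether the decrypted data looks like a config. The real samples use a modified XXTEA/AES and an undisclosed derivation; every input below is constructed.

```python
"""Recovering an environment-keyed config the way an analyst would.

Added example, not from the presentation. Standard XXTEA plus an ASSUMED key
derivation stand in for the families' modified ciphers; inputs are constructed.
"""
import hashlib
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    # XXTEA (Corrected Block TEA) mixing term, wrapped to 32 bits.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _xxtea(v, k, encrypt):
    # In-place XXTEA over a list of >= 2 uint32 words with a 4-word key.
    n = len(v)
    rounds = 6 + 52 // n
    if encrypt:
        s, z = 0, v[n - 1]
        for _ in range(rounds):
            s = (s + DELTA) & MASK
            e = (s >> 2) & 3
            for p in range(n - 1):
                v[p] = (v[p] + _mx(s, v[p + 1], z, p, e, k)) & MASK
                z = v[p]
            v[n - 1] = (v[n - 1] + _mx(s, v[0], z, n - 1, e, k)) & MASK
            z = v[n - 1]
    else:
        s, y = (rounds * DELTA) & MASK, v[0]
        for _ in range(rounds):
            e = (s >> 2) & 3
            for p in range(n - 1, 0, -1):
                v[p] = (v[p] - _mx(s, y, v[p - 1], p, e, k)) & MASK
                y = v[p]
            v[0] = (v[0] - _mx(s, y, v[n - 1], 0, e, k)) & MASK
            y = v[0]
            s = (s - DELTA) & MASK
    return v


def _words(b):
    return list(struct.unpack("<%dI" % (len(b) // 4), b))


def xxtea_encrypt(data, key16):
    # 4-byte length prefix, zero padding to whole words, at least two words.
    buf = struct.pack("<I", len(data)) + data
    buf += b"\0" * ((-len(buf)) % 4)
    if len(buf) < 8:
        buf += b"\0" * (8 - len(buf))
    out = _xxtea(_words(buf), _words(key16), True)
    return struct.pack("<%dI" % len(out), *out)


def xxtea_decrypt(blob, key16):
    # Returns None when the blob or the recovered length prefix is impossible.
    if len(blob) < 8 or len(blob) % 4:
        return None
    out = _xxtea(_words(blob), _words(key16), False)
    plain = struct.pack("<%dI" % len(out), *out)
    length = struct.unpack_from("<I", plain)[0]
    return plain[4:4 + length] if length <= len(plain) - 4 else None


def derive_key(version, c2id, hardcoded_salt, victim_token):
    # ASSUMED derivation: salt1 = md5(version.c2id) as on the slide, salt2 is a
    # hardcoded blob, salt3 is the victim-specific token (SID or install dir).
    salt1 = hashlib.md5(("%s.%s" % (version, c2id)).encode()).digest()
    return hashlib.md5(salt1 + hardcoded_salt + victim_token.encode()).digest()


def looks_like_config(plain):
    # Validity oracle: a wrong key yields random bytes; a real config is
    # printable text carrying the fields the family stores (C2, mutex, ...).
    if not plain:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in plain) and b"c2=" in plain


def recover_config(blob, version, c2id, hardcoded_salt, candidate_tokens):
    # Enumerate victim-specific values gathered during the incident (SIDs from
    # the domain, paths from the dropper) instead of declaring the sample dead.
    for token in candidate_tokens:
        plain = xxtea_decrypt(blob, derive_key(version, c2id, hardcoded_salt, token))
        if looks_like_config(plain):
            return token, plain
    return None


# Constructed sample: a customized build keyed to one victim's SID.
VERSION, C2ID = "t20", "demo01"
HARDCODED_SALT = b"constructed-hardcoded-salt"
VICTIM_TOKEN = "S-1-5-21-1111111111-2222222222-3333333333-1001"
CONFIG = b"c2=blog.example.invalid/post/1234\nmutex=Global\\demo\nproxy=none\n"
CANDIDATES = [  # constructed: values an analyst collected from the victim network
    "S-1-5-21-4444444444-5555555555-6666666666-1001",
    "C:\\Users\\public\\tmp",
    VICTIM_TOKEN,
]


def build_sample():
    return xxtea_encrypt(CONFIG, derive_key(VERSION, C2ID, HARDCODED_SALT, VICTIM_TOKEN))


if __name__ == "__main__":
    blob = build_sample()
    sandbox_key = derive_key(VERSION, C2ID, HARDCODED_SALT, "S-1-5-21-0-0-0-1001")
    print("decrypts on analysis box:", looks_like_config(xxtea_decrypt(blob, sandbox_key)))
    print("recovered:", recover_config(blob, VERSION, C2ID, HARDCODED_SALT, CANDIDATES))
```

The point of the example is the validity oracle plus the candidate list: on the analysis box the decrypt returns None or noise, which is what a "corrupted" sample looks like, while the same blob decrypts cleanly once the victim-specific token from the incident is supplied. For a 4-byte component such as the Elirks XOR key the same loop can run over the full 2^32 space in a compiled language; the Python version is meant for dictionary-sized candidate sets.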
Conclusion
Conclusion: Answer of my title’s question
Question: Why corrupted (?) samples in recent APT?
It's not corrupted. The attacker developed customized malware.
When you find a corrupted sample, it might be a chance to analyze very interesting APT malware.
Conclusion: Whitelist approach in APT
Common malware should work in any environment.
APT malware has to work in a specific environment.
This approach and the newly introduced techniques are very simple; however, they work effectively.
Thank You
suguru.ishimaru[at]kaspersky.com