State of the Hack: APT41 - Double Dragon: The Spy Who Fragged Me

Captions
[Music] Hey, and welcome to State of the Hack. I'm Nick Carr, and I'm Christopher Glyer, and we're here for a little special episode to talk APT41 with Ray Leong and Jackie O'Leary. So welcome. I think Jackie's our first return guest, if I'm correct there. She joined us previously to talk on, which report did we talk about? APT38. So check that video out. Yes. Ready? So we're gonna deep dive on APT41, give you a little bit up front in case you haven't had a chance to read the report, and then get into some analytical questions from these two, who did a ton of work over a long time to put this report together. There's also folks with questions on Twitter about the report, so yeah, people sent in questions, that was cool. And FLARE couldn't be with us, but we're representing the awesome FLARE team that was a big part of putting the report together, so thanks, FLARE, for the shirts, and to anyone else, you're still welcome to send us swag.

But before we get started, a lot of times, as Jackie knows, we give a little bit of background about how you got into the field and kind of what you do here. So would you mind, even though people hopefully already saw your episode, just a little bit? Exactly. So I'm Jackie, I'm on the Advanced Analysis team, I'm an analyst there. I've been with FireEye for about four years; previous to that I worked for the government. I didn't always start out in cybersecurity; I had the opportunity in 2013 to kind of move over, and I saw it as an industry that was growing a lot, so I didn't have a formal kind of educational background but decided to move over, and I've been doing it ever since. Sweet. Ray? Yeah, I've been with the company for about a year. The team I'm on, I'm on the Adversary Pursuit team, which is part of FireEye's Advanced Practices team. So with the company for about a year, and before that I was a senior cyber threat analyst at DoD and also spent a couple years on the FBI Cyber Task Force focused on nation-state cyber threats, and before that I spent a couple years as an Army officer in both technical and traditional Army assignments. Awesome. Sweet.

Yeah, so I mean, jump right into the report. If you haven't read it, it's 68 pages long. It's an ungated PDF, so happy we did that too; you can just get it. I mean, there's a lot in there. Don't be scared by the page count, sure, because a lot of those pages are an appendix with a lot of the technical details. But it's really, I mean, yeah, I think it's one of the better reports we've put out in quite a long time. Just for those not familiar, APT41 is a Chinese-based group that we track. They're a little unique in this perspective, in that they pursue both espionage aims as well as non-espionage aims, I guess, hence Double Dragon. So I don't know if you guys want to give us a pretty overview, or like, what do they need to know from the report about 41?

Yeah, definitely. I think one of the most interesting things is they're doing the espionage missions, but they're also pursuing financial gain for their own personal gain. We don't assess that that's driven by the state itself, but they're also using tools that we've kind of traditionally seen for espionage operations also in those moonlighting operations for financial gain. They're also doing some really interesting supply chain activity. So in terms of the scope and scale of their operations, they've been pretty consistent over the last couple years, which I think is interesting because we know that a lot of Chinese groups overall are kind of reorganizing and potentially shifting, so it's interesting to still see this group kind of consistent over the last couple of years.

On that note, do any other Chinese groups that we track, do we think, do moonlighting on the side for personal gain? Is that common or uncommon? It's uncommon, as far as we can tell, and we haven't really seen kind of the split espionage/financial motivation since APT38, which people have kind of likened this group to. But I think it's an important distinction that we're saying that, for something like APT38, which if you're not familiar is a North Korean group that did a lot of financial hacking, that was directed by the North Korean state government, whereas we're saying that this is a nation-state group that pursues financial things for their own personal gain, not necessarily with the knowledge of the state. So that's something that's kind of...

So any other key takeaways, I think, from the report? Like for me at least, I know there's just years and years of experience that people have; I know Chris has led a bunch of IRs into these guys, we've been responding for ages. I think it's pretty cool for a lot of people internally and a lot of people in the community to see this group they're all familiar with; they're very busy. Definitely, to your point, FireEye has been tracking this group since 2012, so there's approximately 30 different intrusions and investigations between Mandiant incident responses and Managed Defense investigations, and 25-plus intrusions confirmed through telemetry, so the scale, scope and pace of their operations is pretty impressive and consistent.

I think people ask, like, Brian in Pittsburgh asks a question about the sophistication, if we can hit that up front. I think we all feel, sure, a very sophisticated group, perhaps more sophisticated than some of the other APT groups that have been promoted recently. Just a little bit on answering that question: why do we think they're sophisticated, or what are the cool high-level takeaways there? I think it's multiple components on the technical side, and we see some capabilities that we don't see a lot in various different groups. For instance, we see a lot of use of passive backdoors. So traditional backdoors will call out to a command and control server, and with the proper detections and signatures they're easier to detect, but these passive backdoors, and there are four unique, different families, they're often accompanied by a rootkit, a kernel-mode rootkit component, that listens for a specially crafted beacon from that C2 server before beaconing out, and not only that, when the communication is established it'll drop that traffic, so it's much harder to detect. Other things we've seen: the use of bootkits for persistence. We don't always see that in a lot of different groups, so harder to detect, and it loads the malicious code before the operating system loads, so without proper detections that's a little bit more stealthy. And those are Linux rootkits and Windows bootkits, right? Right. Can you differentiate the kits for us?

Yeah, so rootkits are code that you would run where the goal would be to hide something. You could hide a process in memory, you could hide the presence of a network connection, you could hide a file on disk; so there's different things you could choose to hide, a registry key, etc., from the operating system itself. So rootkits, whether it's Windows or Linux, which we saw both, could be used in that manner. A bootkit is more, and it's often coupled with a rootkit, it is more about how you get code to load, and loading prior to the operating system loading it. And so this group actually, somewhat what makes them stand out to me is our very first investigations, as I'm going back to 2012. Especially in this time, Chinese APT groups typically were very cautious and reserved, and one of the things that made them stand out was we knew they had lots of capabilities, but they would only slowly increase their capabilities as they were pressed, and they would never jump to their best stuff. They'd start with kind of their easy stuff; true sophistication is restraint, right? And so they were incredibly restrained, and they would only progressively increase what they would do. Well, in these moonlighting operations they would jump to their most advanced stuff, right? This was the first group we ever saw actually use a bootkit, so we'd never seen one before, at least in a real investigation. It's partly what helped us, or forced us, to have to develop techniques, which we've since refined, to actually find them at scale. I think we put out a blog on that. You missed some blogs, yeah, on bootkits. But like, this group is actually what got that, that was the genesis of the initial research going all the way back to 2012: finding MBR bootkits and how to find that at scale. We just ran into Jay Smith as we were grabbing coffee on the FLARE team, and he was talking about that process, because I was curious, like, how you even tell consultants to go out and find the MBR code. I mean, some of these have a process, so even once you find that you have a malicious MBR, then you need a malware reverser to basically figure out where the bytes for the actual backdoor are stored on disk, so either in unallocated space or something else. So it's a multi-step process to even get to the bits that actually have the component which is the backdoor, which is running in memory.

So other things they did: they were, I think, the first group, if I remember correctly, that used cross-platform malware. So our network sensors in 2012, I remember an investigation where we were looking and we said, hey, this is a PHOTO backdoor, what's this IP address? And they go, that's one of our Linux servers. Right, well that was kind of interesting; that was like a first for us. So Linux malware in 2012 that was actually written cross-platform, bootkits, rootkits, Windows and Linux, the passive backdoors, the dead drop resolvers. Ray, dunno if you wanna talk about that a little bit in terms of one of the techniques that we see them use? Sure. So one of the first stage, or sometimes second stage, malware will call out to legitimate sites such as GitHub, Microsoft TechNet, and these are legitimate websites that aren't gonna be flagged as malicious by those sensors, but they have encoded either another C2 or executable code that they'll pull down, and then from there they have the true payload that could call out to another C2 or execute the payload code from there. So it's a layer of obfuscation to hide stages of execution for the malware. Nice. Yeah, I saw Steam Community was listed on there too, and there are some hanging questions there about, basically, reaching out to Steam Community forums, and that was one of the interesting overlaps, I think, between their personal financial attacks against gaming companies and some of the espionage activity.

But let's stop there. So they're very sophisticated, we have tons of background on them, so like how do we decide to write this report? We've talked a little bit before about how we cluster and promote these groups, but I'm curious, from Jackie's perspective, why aren't they a FIN group, for example? Yeah, like how long did this take? I know Katie Nickels from MITRE was asking what the process of actually promoting it, or graduating, or how to make that decision to do this. Yeah, definitely. So I think to the first question about why isn't it a FIN group, I think any time that we assess that there's some sort of connection to nation-state sponsorship, or we believe they're conducting espionage missions, we elevate that to an APT group as opposed to just a FIN group, which we see as purely financial, and we know they have that dual mission. For the process, obviously we've talked about that we've been tracking this group since 2012, but in terms of how we kind of graduate the group, I would say the research process is really casting a wide net. So we're going back to those known compromises that we saw, we're reviewing that activity, we're identifying potential clusters of uncategorized activity that we might want to combine or merge together, we prioritize those groups based on which ones we think are most interesting. It's really to understand the actor from kind of cradle to grave, so we go back through all of our equities to see what interesting tidbits we can kind of pull out. And also I think a big part of it too is just seeing what the community is saying, reading OSINT, understanding how other vendors are tracking this group so that we can define our assessment but also understand how others have made that assessment.

I thought you guys did a fantastic job in this particular report referencing others, or deconflicting, like, what we do and don't track. And so there were references to the ShadowPad and ShadowHammer attacks that Kaspersky talked about, I think ESET and some of their reports, so there were lots of different kind of references. Actually, one point I think that can be maybe confusing to those listening or in the community, you may hear about Winnti, and either a Winnti umbrella group or malware. Do you guys want to kind of walk through at least what our view is on that, and how we, or another vendor, attribute it, using Winnti to be the group or the malware? So Winnti is a malware family we track internally as HIGHNOON, and we saw it first used around 2013, and since then we see separate, individual and distinct Chinese cluster groups use this malware, and we don't attribute by malware alone. We look at multiple data points: infrastructure, TTPs, malware and targeting. So for instance, we see APT17 use HIGHNOON, we see APT41 use HIGHNOON, and several uncategorized groups as well. So we describe HIGHNOON, slash Winnti, more as a malware family that's used by multiple groups, not a group itself. So then, in terms of, like, if someone's talking about the umbrella group, are they more referring then to kind of the overlaps that may be between 17, 41, 20? We know it's kind of, maybe that image that pops up a little bit behind us, with the malware overlaps. Is that what we think other people are referring to, or is it too hard to figure out? If that's the primary data point you're using, a piece of malware, and that's shared, then you are going to clump several groups of distinct activity into one umbrella group, Winnti.

So, like Jackie, the way I think of it internally, at any point if I have a sample that we have attributed, it's really easy, as a FireEye employee, to just say, have I seen this before as an IR consultant, or who is this attributed to, or who do we suspect it is? Like, we make that really easy with our graph and with the modeling that the pursuit team does on all of our engagements. That's easy. But what does it look like to turn all of that data, especially for so many years and so many investigations, into this report? Like, how long did it take to make this glossy thing? Yeah, I think when we hit the ground running, we probably started, well, Ray's team started, I believe, in April, and my team kind of started in May, and it's a pretty formal process once we start. But I think by mid-June we were writing. We just try to collect as much information as possible, and then also for things like going back through those IRs, those really interesting tidbits that maybe made it into a report but were never publicly known, that's the stuff that we want to pull out. We want to start understanding what industries in particular the group is going after, what case studies we can kind of pull out, how broad the group is in terms of geography, things like that.

Yeah, I thought it was interesting, like I said, reading the report and having lived through a bunch of the different incidents, responding against them. We almost saw them start as purely financial, in terms of at least our view of the world and what we see, there could be sample bias there, but then seeing them actually mostly start there and then kind of evolve into, or then add, espionage-related things over time, I thought was kind of interesting or notable. They also had, you guys talked about the supply chain attacks, so you may have seen in the news things about NetSarang or ASUS, and the compromise, potentially some overlaps with CCleaner. Actually, do you guys want to talk about, maybe summarize a little bit, what we talked about in the report, CCleaner, and what we know or at least don't know? Because that was one of the ones that was a little bit more, if you like, this, there's a whole supply chain compromise section in the report, but yeah, if you give an overview of that deconfliction.

Sure. So with CCleaner we didn't fully attribute it to APT41. There are some suspicions, but we don't have that within our APT41 cluster for several reasons. Well, first, although they used TeamViewer as the initial entry intrusion vector, which APT41 has used previously, they used a domain generation algorithm for the first C2, they used dead drop resolver C2s for the second stage, but then the second stage payload is of a malware family we call BLACKCOFFEE, and that's been used by several Chinese malware groups. And we tried to, yeah, so FLARE did a very deep dive on this malware family looking for unique overlaps and code reuse that we've seen APT41 use in several supply chain compromises, ASUS, NetSarang, and they weren't present in this malware family. So it just gave us enough pause, where if we attribute something to APT41 we want to have high confidence across multiple data points, and that wasn't high confidence enough for us, from our view.

Yeah, so it seems like, we try our best; our goal is to roll as many uncategorized clusters into here, and frankly not branch into a bunch of different APT groups, right? So if you guys had tackled this and seen that it was APT17, it would have been an update report for that, this is APT17. I know that doesn't really apply, but so it involves a deep dive on malware, hence wearing the FLARE shirt. So who was involved in that, primarily? The big review was Willi Ballenthin, Carlos, Tyler Dean, Tobias Krueger, Mike Drock, so lots of the team. Yeah, I'm sure I'm missing people at home, surprising, yeah, but they did an amazing effort. Part of the graduation process was we wanted to make sure we cleaned up and classified a lot of the malware families that APT41 uses. They use a high number of custom and public malware families, and we wanted to make sure we could clean it up a little bit, as we had suspicions that some of these malware families fell into an overarching main malware with various sub-variants. So throughout this process FLARE identified unique overlaps and code reuse, unique encoding algorithms, identical control and flow structures. So for example, HIGHNOON: there is the HIGHNOON.BIN variant, the HIGHNOON.LITE variant, HIGHNOON.PASSIVE, HIGHNOON.LINUX, so all within the same code family but distinct sub-variants.

Hmm, yeah. A couple of things that kind of stood out to me in the report: there were two personas that we talked about, one which is probably more of a moniker, and then the other one which could be somebody's real name, may or may not be. Do you want to go into a little bit about kind of what we talked about or what we found, and maybe the significance of that? Yeah, so we found two personas, Wolfzhi and Zhang Xuguang. For Zhang, we saw evidence that kind of lent to our assessment that we believe that these personas were contractors. So we saw in 2009 one of them actually advertised kind of hacker-for-hire services in Chinese-language forums, and also talked about the development of an injection tool. So those were things that kind of lend to our assessment that these are probably individuals who were offering their services for hire. I think Sweet Hacked on Twitter was asking about that, like the contractor status. I know there's a little blurb in the report, but where are we at with considerations of whether we thought they were a contractor or directly employed, or what's your analytical assessment, personally? Yes, so we don't have a connection to a specific state organization. Our assessment is that they're contractors because of things that we talked about previously, like the hacker-for-hire posts in particular. We also acknowledge the fact that there's probably more risk involved with being a state employee and moonlighting for financial gain, especially using those tools, versus being a contractor, so that's something that kind of factored into our analysis. And as we mentioned previously, it lends the question of whether the Chinese government was kind of aware of this activity.

Yeah, that was the thing I was looking for technical data points on, like whether they had to be aware of it, and there were some interesting areas where they compromised the gaming companies. What do they use, Mgame? Yes, not Endgame, yeah, Mgame, M as in Mary. Mgame is a gaming company that they, I think, pretty commonly, what they would do is break into a gaming company, steal their code signing certificates, which developers obviously are gonna have, and then use that to sign their malware. I thought the particular entry in the report that the same companies' signing certs were also used to sign malware that APT17 used, APT20, APT31, so that seems to be another indication of supporting espionage and that someone was aware of it, right? And at least in the one case, the Mgame certificate, signing APT41 stuff, it's not like you can just roll into work and have code signing certs and no one's gonna ask questions about it. So it seems like a tacit understanding that these side hustles are going on for APT41. Yeah, some sort of level of collusion between these state-sponsored groups from China.

In terms of other things that stood out in the report for me: we talked a little more on the supply chain aspect of things. I think that, at least at the time, when there were a lot of these supply chain attacks, it was hard to kind of piece together, and I thought the report did a really good job kind of telling a broader narrative of how they all kind of work together. And some of the details here, I think some of the interesting details were on the ASUS supply chain compromise: we weren't able to independently verify the first stage, but it was the second stage that we attributed to APT41. And what was interesting about the second stage was it delivered something we track as POISONPLUG.SHADOW, but in order to fully execute it needed a seed for an RC5 key, and that was from that system's volume serial ID, that's unique and specific to that system, and without it, it wouldn't execute and call out to the second stage C2. But our friends in FLARE were able to brute force that, extracted the payload, it was POISONPLUG, and it called out to a Google Docs website, and we were able to independently verify that that website, or that Google Doc, was created by an account, HR Simon 50 at gmail.com, and that was an account previously attributed to APT41. So along with that data point, the unique routines in the malware, their TTPs, we were able to say with high enough confidence that that second stage was APT41. Yeah, it took us this long to bring up guardrails, but yeah, the use of those in the supply chain compromises makes sense. Seems really cool; that's pretty sweet that FLARE brute forced that as well. It's not just something we're seeing in supply chain compromises; we were working for a client in Asia just last month, we're seeing the same techniques where the POISONPLUG payload needed that specific volume serial ID to execute, so it's something that they continue to use.

So you want to go through a little bit, maybe, so we talked some of how they've made, you know, hackers for hire, on their own side. What are some of the things they've done on the espionage side in terms of advancing Chinese state aims? Yes, we've seen them interested in high-tech entities in particular, which we know aligns with China's Made in China 2025 plan to kind of advance their R&D. We've also seen them interested in healthcare entities, things like medical devices and biotech in particular, which we know is also an element of Made in China 2025. And are we seeing those recently? It seems like we saw a lot of the personal financial attacks early in that 2012, 2013 starting time, but are we still seeing both sets of activity, like espionage and personal gain, still? I know we're responding to 41, and Managed Defense is working something and gonna hopefully blog about that soon. I think that's an interesting data point: earlier this year it was a large US research institution, and we think that was more leaning towards the espionage type work, and they had leveraged a specific vulnerability. I think you had done some research into it. Yeah, so our vulnerability team on the intel side looked into it and actually was able to locate the proof-of-concept exploit code that was publicly available, I think it was April 11th maybe, and then the next day we actually saw APT41 leverage that exploit against that research entity. So that shows kind of their resourcefulness, and as a hint of some of their TTPs: once they were able to get remote code execution on that web server, they, or excuse me, first they used the legitimate tool certutil to download China Chopper and to download HIGHNOON, and our friends at FLARE, traversing hunting traffic, saw them download ACEHASH, it's a Mimikatz-like credential dumping tool, doing a lot of initial recon on that machine, what's running, what's it connected to, etc. But our Managed Defense analysts, between the first intrusion to when we were able to triage and report to the client, was under two hours, so then this client was able to contain the host before any lateral movement happened.

Yeah, and for those not familiar, China Chopper's a web shell. What makes it pretty unique, or difficult to detect, is it's basically a JavaScript eval statement, or there's a couple different languages you could use, but it's like 10 characters long or 15 characters long, and it's actually short enough that you can't write an antivirus signature for it, because you'd catch so many other things, and all the functionality of it is actually implemented, say, in JavaScript, but on the client side. So you connect to this, potentially with the password, and then you basically load all the functionality it really runs. So it's something that we see lots of different groups use, espionage, nation state, etc., but China Choppers are always really interesting because it's so difficult to find and it's particularly effective. So I thought what was kind of interesting, great, was the multiple detection angles from that incident. So we saw a signature flag on the use of certutil to download software, we saw a signature flag on China Chopper commands, and then we saw them use an IP address that they previously used in a different intrusion, so we caught them on multiple angles, and in good enough time. So I think it's cool you mentioned that they're watching the public exploits and using them so quickly. We were talking about whether or not we thought the Chinese government is aware of their side hustle. I guess they are now, right, because we expect they read the APT41 report. Do we actually know that's the case? We do have an IP address that we previously attributed to APT41, and we saw them access the report, so they read the APT41 report, but they also read about their friends at APT40, so maybe some personal connections there. And then with the FLARE challenge coming on, maybe we might have some, yep, give them some RC5 brute forcing, see if it looks familiar.

The one thing we'd like to touch on a little bit is, like, when they would try and do things for profit, how would they monetize that, or how do we actually think they were profiting from targeting? Do we know how much money? Yeah, so earlier on we saw them target a lot of the virtual, like in-game, currency. So in one instance, I think, like, pre-Bitcoin, yeah, I think in maybe 2013 or 2015, maybe in the span of three hours, kind of in one client, they went after this virtual in-game currency and generated thousands of dollars of this in-game currency and then laundered it, sold it on the black market. And we don't know for sure, but we could estimate that's probably somewhere between a hundred thousand to three hundred thousand in terms of profit from that alone. We've also seen other instances where they attempted to go after in-game currency, they weren't successful, and then they actually tried to deploy something like ransomware, which is super interesting. It wasn't successful, but they obviously didn't give up on financial gain. And you guys actually saw that this was ransomware-as-a-service, right, with like a 20 percent uplift? Like we've talked a lot about ransomware-as-a-service things here. I was kind of disappointed to see APT41 going that route, just because they're so interesting and so sophisticated, not to overuse it, but I guess everyone does that because it works and it's a quick monetization scheme. So yeah, and I think more recently they've kind of moved away from those virtual in-game currencies, at least from our observations, but they're doing things like, we saw them compile XMRig, which is a Monero cryptocurrency mining tool, we've also seen them do some spear phishing to a cryptocurrency exchange, so maybe their interests are kind of moving in that direction now. It's probably like less work and effort to target a cryptocurrency exchange. Yes, right.

So, I think, is there anything else we wanted to hit? If anything, you guys wanted to highlight? Definitely, again, read the report; it's good, it's really good. Anything we didn't hit on that you wanted to flag? Maybe just briefly, some of the unique third-party intrusion vectors we saw. Oh yeah, multiple times we've seen them leverage TeamViewer as an initial entry method and right afterwards drop CROSSWALK or HIGHNOON, and TeamViewer publicly admitted they did suffer an intrusion, but they've since remediated and strengthened their networks, and that kind of drives what we thought we saw: TeamViewer stopped being used as an intrusion mechanism back in fall 2018. So when we say used, like, they came in with, we traced it back, and the furthest back we got was TeamViewer, and that they came in with credentials. Yeah, legitimate credentials through TeamViewer. I think something interesting that we're seeing from the group kind of most recently, trend-wise, is they seem to be conducting some sort of kind of surveillance operation, so we'll see them targeting telecoms, going after things like call data records and text messages. We've also seen them compromise a hotel, and in one instance were able to gain access to kind of reservation information, so it was doing something before a high-ranking Chinese official was actually visiting. So they seem to kind of be focused in that direction. Any plans to talk more about the SMS-based stuff? Yeah, I mean, so Dan Perez and I will be presenting at CDS, a more deeper dive on APT41 technical TTPs, and this malware family we call MESSAGETAP, and we're going to dive deeper into how it identifies keywords and specific people of interest in these telecoms. Sweet, nice. What about you, like what are you working on now? As if this wasn't enough, a 68-page report, you should take a rest. Yeah, definitely, after the rest, I think we're going back to kind of look at China from a holistic perspective, so how things have changed since the reorg, what do we know about China kind of writ large, groups that we were once seeing all the time, are they still active, and what does that say about, you know, post-Xi agreement? Awesome, nice. Well, thanks so much for your time. And thank you. Oh, and you guys are doing a webinar? Yes, yeah, if you're checking this out now, there's a webinar coming up where you guys are gonna deep dive and go through the report in more detail, so please check that out. All right, back to the... Cheers. All right, thanks. [Music]
Info
Channel: FireEye, Inc.
Id: Gls7S_6iaRE
Length: 31min 20sec (1880 seconds)
Published: Wed Aug 14 2019