Advanced Persistent Threat (APT) has become a tough security challenge that large organizations and important individuals must be prepared for, sooner or later. Last year at Defcon 2011, Xecure Lab shared their novel DNA approach to detecting and clustering APT document exploits. They were able to find 8 sizable APT attacker groups in their collection, which at that time was a pool of close to one thousand APT samples. A year later, they expanded their study to cover more than a dozen thousand samples. Last week they shared these interesting results with the attendees of HITCon 2012. In this talk, they co-spoke with Mr. Li (Director of Computer Center, National Police Agency of Taiwan) on the current status of APT cyber operations. Highlights of the findings include:

  • APT happens almost everywhere. Some locations were confirmed because the targets were willing to share their stories. Beyond that, they studied the content of the APT samples, looking for clues to the potential targets: the legitimate content could be in a particular language, e.g. Traditional Chinese or Simplified Chinese; the exploits might require a unique environment to be triggered; and some callback destinations tended to be located near the targets.
  • Taiwan (28.2%) had most APT callbacks or C2 (command & control) servers, followed by United States (17.2%), South Korea (14.4%) and China (10.5%).
  • Document exploits (97.62%) have been an all-time favorite for APT targeted attacks. Among these malicious documents, PDF (39.31%) ranked the most commonly-seen file type, followed by the office family: RTF (22.92%), DOC (17.45%), XLS (10.51%), and PPT (7.43%).
  • In recent years, the popularity of RTF (51.4%), DOC (14.5%) and XLS (24.9%) has increased dramatically, surpassing PDF. And very often RTF is disguised as DOC.
  • A significant rise in password-protected documents was seen starting this year, 2012. One particular attacker group leverages this trick heavily (65.9%), as it bypasses all antivirus and sandboxes.
  • A great number of exploits could be dug out of these APT documents. A 2-year-old RTF exploit, CVE-2012-3333, is still very popular. In the wild, this exploit is very easy to trigger successfully.
  • Identified 33 sizable APT attacker groups around the world. In the graph, each node represents a species (yup, DNA), and the color of each species indicates when it was first seen (built): yellow means 2012, green is 2011, blue is 2010, orange is 2009, pink/white is 2008, etc. Different species might be linked with one or several edges; each edge represents some similarity between the two nodes. Each cube or rectangle means the nodes inside belong to the same APT family, i.e. the same APT attacker group.
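Two of the findings above (RTF disguised as DOC, and the rise of password-protected documents) can be triaged cheaply before a file ever reaches a sandbox. The following is an added example, not code from Xecure Lab or the talk: it compares each attachment's leading bytes against the container its extension claims, and flags PDFs whose trailer references /Encrypt. The sample files are constructed inline; the /Encrypt check is a heuristic and the OLE2 signature alone cannot tell an encrypted DOC from a plain one.

```python
import os

# Well-known header bytes for the document formats the talk discusses.
SIGNATURES = {
    "rtf": b"{\\rtf",                                  # RTF starts with the {\rtf control word
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",       # legacy DOC/XLS/PPT (Compound File)
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",                              # OOXML (.docx/.xlsx/.pptx) is a ZIP
}

# Container each extension is expected to carry.
EXPECTED = {
    ".rtf": "rtf",
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".pdf": "pdf",
}

def sniff(data: bytes) -> str:
    """Container type implied by the leading bytes, or 'unknown'.
    Word tolerates leading whitespace before {\\rtf, so strip it first."""
    head = data.lstrip()[:8]
    for name, magic in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return "unknown"

def pdf_encrypt_hint(data: bytes) -> bool:
    """Heuristic: a PDF referencing /Encrypt needs a password or key to open,
    so a blind sandbox detonation would likely fail on it."""
    return data.lstrip().startswith(b"%PDF") and b"/Encrypt" in data

def check_file(filename: str, data: bytes) -> dict:
    ext = os.path.splitext(filename)[1].lower()
    actual, expected = sniff(data), EXPECTED.get(ext)
    return {
        "file": filename,
        "actual": actual,
        "expected": expected,
        "mismatch": expected is not None and actual != expected,
        "encrypted_pdf": pdf_encrypt_hint(data),
    }

# Constructed samples (hypothetical file names and minimal headers).
SAMPLES = {
    "report.doc": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}}",   # RTF disguised as DOC
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # genuine OLE2
    "memo.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<</Encrypt 2 0 R>>",
}

def suspicious(samples: dict) -> list:
    """Names of files that are mislabelled or need a password to open."""
    results = (check_file(n, d) for n, d in samples.items())
    return sorted(r["file"] for r in results if r["mismatch"] or r["encrypted_pdf"])
```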

In summary, APT cyber operations are happening around the world. They mostly use document exploits, and starting this year the password-protection trick has been added. At least one callback is located near the target, either for testing network connectivity or as the actual C2 server with good bandwidth. In all, 33 notable APT attacker groups have been identified, indicating that advanced cyber operations are typically conducted in groups that are well-organized and highly disciplined.

Cross-posted from: Xecure Lab
