Nation-State Moneymule's Hunting Season – APT Attacks Targeting Financial Institutions

Presented at Black Hat Asia 2018, March 22, 2018, 10:15 a.m. (60 minutes)

Lazarus, Bluenoroff, and Andariel are three notorious APT groups believed to originate from the same country, one infamous for destructive, cyber-heist, and espionage attacks. From DarkSeoul to the Sony Pictures Entertainment breach, the groups have conducted several operations that attracted international public attention. Starting in 2016, we observed a significant change in the targets and motivation of these groups. While the groups have a long history of conducting cybercrime and cyber-espionage attacks, their operations have become more aggressive and more focused on cybercrime targeting financial institutions. In February 2016, a series of attacks by the Lazarus group, which leveraged the SWIFT banking network to target Bangladesh banks, was revealed. Later, in May, the global WannaCry ransomware attack was also linked back to the nation. However, these attacks were just the tip of the iceberg.

In this talk, we will disclose four recent campaigns conducted by the groups. These campaigns targeted banks in South Korea and EMEA, an ATM company, and several Bitcoin exchange service providers. We will introduce the malware, vulnerabilities, IOCs, and attack vectors discovered in these attacks. In addition, we will explain how we uncovered the new C&C infrastructure acquired through Bitcoin payment and the key TTP findings we summarized from their recent operations. In the hope of making the world a safer place, we disclose this information to help financial institutions react to this substantial threat.

Presenters:

  • Kyoung-ju Kwak - Manager, Korea Financial Security Institute
    Kyoung-ju Kwak is a Security Researcher at the Computer Emergency Analysis Team, FSI (Financial Security Institute in South Korea). Kyoung-ju currently works on threat analysis and dissects potential threats against the Korean financial industry. Kyoung-ju audited the national SCADA system and the Ministry of Land with "the Board of Audit and Inspection of Korea" as an Auditor General in 2016 and currently acts as a member of the National Police Agency Cyber-crime Advisory Committee. Kyoung-ju is the main author of the threat intelligence report "Campaign Rifle: Andariel, the Maiden of Anguish" published by FSI in 2017.
  • Min-Chang Jang - Assistant Manager, KFSI (Korea Financial Security Institute) and Korea University
    Min-Chang Jang works on threat analysis on the Computer Emergency Analysis Team of the Financial Security Institute. He is a graduate student majoring in cyber warfare at the SANE (Security Analysis aNd Evaluation) Lab (Supervisor: Prof. Seungjoo Kim), Korea University. He served in the Korea Navy CERT for over two years. He is also interested in malware analysis, collecting embedded devices, and hunting and exploiting bugs.
  • Chi-en (Ashley) Shen - Independent Security Researcher
    Chi-en (Ashley) Shen is an independent security researcher focusing on APT research, malware analysis, and threat intelligence. Her professional experience includes a position as a senior threat analyst at the security firm Team T5 Inc., where she worked on tracking and monitoring emerging cyber-espionage attacks. To support women in InfoSec, Ashley co-founded "Hacks in Taiwan for GIRLS (HITCON GIRLS)" – the first security community for women in Taiwan. She is also a frequent speaker at information security conferences, including Troopers, Hack In The Box, CODE BLUE, SecTor, FIRST, HITCON, and VXCON.
