Hunting the Shadows: In-Depth Analysis of Escalated APT Attacks

Presented at Black Hat USA 2013, Aug. 1, 2013, 11:45 a.m. (60 minutes)

APT attacks are an emerging threat that has made headlines in recent years, yet a full-scale assessment of targeted attack operations has been lacking. Taiwan has been a long-term target of such attacks due to its highly developed network infrastructure and sensitive political position. We had a unique opportunity to monitor, detect, investigate, and mitigate a large number of attacks on government agencies and private-sector companies. This presentation introduces the results of joint research between Xecure-Lab and Academia Sinica on targeted attack operations across the Taiwan Strait. We have developed a fully automated system, XecScan 2.0 (http://scan.xecure-lab.com), equipped with dynamic (sandbox) and static malware forensics technology to analyze the nature and behavior of malicious binaries and document exploits. The system performs real-time APT classification and associates the analyzed content with an existing knowledge base. In our experiments, XecScan has analyzed and successfully identified more than 12,000 APT emails carrying APT malware and document exploits. We will also analyze and group the samples from the recent Mandiant APT1 (PLA Unit 61398) report, compare the relationships between the APT1 samples and the samples discovered in Taiwan, and discuss the history behind APT1's activities. During the presentation we will release a free, publicly accessible portal to our collaborative APT classification platform, along with access to the XecScan 2.0 APIs.


Presenters:

  • Ming-Wei Benson Wu - Xecure Lab
    Benson comes from an academic background, with strong research interests in formalizing advanced cyber operations, malware analysis, secure coding, and intelligence mining. He earned a PhD in Electrical Engineering from National Taiwan University and an MS in Computer Science from National Chiao-Tung University, and holds ECSP, CEI, and CSSLP certifications. Benson has given talks at DEFCON (2011, 2010), NIST SATE 2009, OWASP China 2010, Botnets of Taiwan 2011, Hacks in Taiwan (2012, 2011), AVTokyo 2011, and SyScan 2011. He is also the author of several security guidelines for the Taiwanese government since 2007. Over the past ten years, Benson has served at the Network Benchmarking Lab (NBL), testing commercial cyber security solutions; at the Institute for Information Industry (III), implementing an all-in-one security gateway; at the National Information and Communication Security Taskforce (NICST), as a member of its infosec think-tank; at Armorize Technologies, as Director of Engineering for source code analysis and drive-by download detection; and at Academia Sinica, focusing on APT research. A few years ago he co-founded Xecure Lab with Jeremy Chiu, launching the world's first DNA-based reversing detection engine for malware analysis and offering a suite of APT countermeasures: visualizing APT risks, determining APT codes, and responding to APT incidents.
  • Ming-Chang Chiu - Xecure Lab
    Jeremy Chiu (aka Birdman) has more than ten years of experience in malware analysis, host-based security, and exploit research, focusing on kernel technologies for both the Win32 and Linux platforms. In Taiwan, he is recognized as a very senior anti-malware programmer and an early pioneer in APT research. For many years he was a contracted law enforcement instructor at intelligence agencies in Taiwan, and he has frequently given talks at security conferences such as DEFCON (2011, 2010), SyScan (2011, 2009, 2008), Hacks in Taiwan (2012, 2011, 2007, 2006, 2005), AVTokyo 2011, HTICA (2008, 2006), and OWASP Asia (2008, 2007). He founded X-Solve Inc. in 2005, providing digital forensics and anti-malware solutions; in July 2007, X-Solve was acquired by Armorize Technologies. In October 2010, he founded Xecure Lab with a few top security gurus.
  • Tsung Pei Kan - Academia Sinica Computing Center
    Peikan (aka PK) has extensive experience in computer forensics, malware and exploit analysis, and reverse engineering. He has spoken at SyScan and HIT (Hacks in Taiwan) and teaches various training courses and workshops for practitioners.
  • Fyodor Yarochkin - Academia Sinica
    Fyodor Yarochkin (xecure-lab, o0o.nu) is a Security Researcher at Academia Sinica, Taiwan. He is a happy programmer and AI hobbyist in his free time, and a major contributor to open-source security tools (snort, xprobe, etc.). Fyodor has extensive experience in forensic analysis of malicious software, computer crime incidents, and intrusion detection. With his recent interest in large-scale computing, he has terabytes of interesting data at hand ;-)
