Targeted Watering Hole Attacks, and KISA's Cyber Threat Hunting
Agenda
1. Targeted watering hole attack
   - Analysis of the targeted watering hole attack
   - Attribution
2. Cyber Threat Hunting
   - Threat Hunting
Analysis of target watering hole attack
- A malicious script was found inserted into a specific domestic (Korean) web site so that visitors are redirected to another site.
- The site they are redirected to filters visitors by IP address and only then forwards them to a further page.
- That page downloads (infects) and executes malware through a software vulnerability.
- The IP filter limits infection to the intended target companies.
Analysis of target watering hole attack (attack chain, target side vs. attacker resources)
- Reconnaissance
- Initial infiltration: watering hole with IP filtering, then exploit of a software vulnerability, which drops a downloader
- Stage 1: command and control and download of the RAT; C2 hosted on AWS
- Stage 2: command and control and exfiltration by the RAT; C2 hosted on AWS
Analysis of target watering hole attack
Path: C:\users\public\iexplore.exe
The file at this path is the encoded malware; it is decoded to obtain the payload that actually runs.
Analysis of target watering hole attack (RAT execution flow, from WinMain)
1. Get system info (API imports resolved through the IAT).
2. Create the mutex lnk{22A98A71-67ED-40BB-A5F4-8CCAF6BFA6EB}.tmp; execution continues only if creation does not fail (single-instance check).
3. IAT names and strings are obfuscated with Base64 (alphabet A-Za-z0-9+/=) plus RC4 (key: 0123456789ABCEDF, spelled exactly as on the slide).
4. Select C2, then communicate with it.
5. Does the C2 file exist?
   - Y: use the stored C2 file (Base64 with the custom alphabet A-Za-z0-9#$=).
   - N: connect to the C2; on success, create the C2 file.
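The two encodings above (standard Base64 plus RC4 for IAT names and strings, and Base64 over the custom alphabet A-Za-z0-9#$= for the C2 file) are easy to undo once identified. The decoder below is an added example, not code from the KISA deck or from the malware. It assumes a decoding order of Base64-decode then RC4-decrypt, and that the custom alphabet keeps the standard symbol order with only '+' replaced by '#' and '/' by '$'; the sample inputs are constructed here. The RC4 key is spelled exactly as the slide shows it.

```python
# Added example: decoders for the string and C2-file encodings described in the slides.
# Assumptions (not stated on the slides): Base64-decode first, then RC4; the custom
# alphabet maps '+'->'#' and '/'->'$' with '=' padding unchanged. Samples are constructed.
import base64

RC4_KEY = b"0123456789ABCEDF"  # key as printed on the slide (CEDF, not CDEF)
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
C2_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789#$"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XOR keystream into data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_string(blob: str, key: bytes = RC4_KEY) -> bytes:
    """Recover an obfuscated IAT name or string: Base64-decode, then RC4-decrypt."""
    return rc4(key, base64.b64decode(blob))


def encode_string(plain: bytes, key: bytes = RC4_KEY) -> str:
    """Inverse of decode_string; used only to build constructed samples."""
    return base64.b64encode(rc4(key, plain)).decode("ascii")


_TO_STD = bytes.maketrans(C2_ALPHABET, STD_ALPHABET)
_TO_C2 = bytes.maketrans(STD_ALPHABET, C2_ALPHABET)


def decode_c2_file(blob: bytes) -> bytes:
    """Decode the C2 file: map the custom alphabet back to standard Base64, then decode."""
    return base64.b64decode(blob.translate(_TO_STD), validate=True)


def encode_c2_file(plain: bytes) -> bytes:
    """Inverse of decode_c2_file; used only to build constructed samples."""
    return base64.b64encode(plain).translate(_TO_C2)


def looks_like_c2_alphabet(blob: bytes) -> bool:
    """Hunting heuristic: Base64-shaped data that uses '#' or '$' and never '+' or '/'."""
    allowed = set(C2_ALPHABET) | {ord("=")}
    return bool(blob) and set(blob) <= allowed and (b"#" in blob or b"$" in blob)


if __name__ == "__main__":
    sample_api = b"CreateMutexA"            # constructed sample, not from the binary
    enc = encode_string(sample_api)
    print(enc, "->", decode_string(enc))
    c2_blob = encode_c2_file(b"c2-config-placeholder")  # constructed sample
    print(c2_blob, "->", decode_c2_file(c2_blob), looks_like_c2_alphabet(c2_blob))
```

Point decode_string at the Base64 blobs pulled from the sample's string table; if the output is not readable API names, the RC4 key or the decode order assumed here is wrong for the sample. looks_like_c2_alphabet is a cheap triage filter for files dropped next to the RAT, not a signature on its own.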
Command & Control (read C2 file, then dispatch commands)
Command | Description      | Request ID
o       | Cmd Command      | Tiger102
p       | Upload File      | Tiger102, Tiger103
q       | Download File    | Tiger102
r       | Terminate Thread | Tiger102
s       | Update C2        | Tiger102
Command & Control (dispatch loop)
- Command == r? Y: exit (terminate the thread).
- N: create a thread to handle the command and continue.
Analysis of target watering hole attack (request IDs sent to the C2)
- Id=Tiger101: send system info
- Tiger102: command result (OK, Error, ...)
- Tiger103: file upload
Analysis of target watering hole attack
Operation ByteTiger: the beacon Id=Tiger101 (send system info) is the "Tiger" identifier behind the operation name.