Story of the ‘Phisherman’ - Dissecting Phishing Techniques of CloudDragon APT
2021-05-28,
TeamT5
https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf
D2T120-20The20Phishermen20-20Dissecting20Phishing20Techniques20of2_niDtzJ4.pdf, 11.8 MB
#Kimsuky #CloudDragon
TRACK 1
Story of the ‘Phisherman’: Dissecting Phishing Techniques of CloudDragon APT
Linda Kuo & Zih-Cing Liao
Linda Kuo
• Senior Threat Intelligence Analyst @ TeamT5
• Speaker of BlackHat Asia, CODEBLUE, HITCON, etc.
• In love with APT & Financial Intrusions
Zih-Cing Liao
• aka DuckLL
• Senior Threat Intelligence Researcher @ TeamT5
• Speaker of CODEBLUE, BlackHat Asia, etc.
• Focus on APAC APT
Agenda
I. Who is CloudDragon
II. As a Phisherman - Techniques
III. In the Phisherman’s Toolbox - Malware
IV. Key Takeaways
Who is CloudDragon
APT 37
Kaspersky 2013
Public
Kimsuky
Kimsuky
Same
Shellcode
As a Phisherman
Favored Techniques
Target Scope
These are the official ones: Microsoft, Daum, Naver, Google
These are the registered ones…: navor.ml, daurn.hol.es, claum.cf, grnail-signin.ga
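The look-alike domains above swap glyphs that render alike ("rn" for "m" in daurn and grnail, "cl" for "d" in claum) or change one letter (navor). As an added defender-side example that is not part of the deck, the check below canonicalises such confusable runs and compares each hostname label to the impersonated brand names; the brand list, the official-domain list and the confusable pairs are assumptions to adapt per environment.

```python
import re

# Brands the deck names as "the official ones"; gmail is added as Google's mail
# brand (assumption: grnail-signin.ga evidently targets Gmail logins).
BRANDS = ("daum", "gmail", "google", "microsoft", "naver")
# Registrable domains treated as genuine (assumed list; extend per environment).
OFFICIAL = ("daum.net", "gmail.com", "google.com", "microsoft.com", "naver.com")
# Glyph runs that render alike: the deck's look-alikes use "rn" for "m"
# (daurn, grnail) and "cl" for "d" (claum).
CONFUSABLES = (("rn", "m"), ("cl", "d"), ("vv", "w"), ("1", "l"), ("0", "o"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute at cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(label: str) -> str:
    """Collapse confusable glyph runs so 'daurn' and 'claum' both read 'daum'."""
    for run, glyph in CONFUSABLES:
        label = label.replace(run, glyph)
    return label


def lookalike_brand(host: str):
    """Return (brand, offending_label) when a hostname impersonates a brand, else None.
    Hosts under an OFFICIAL domain are never flagged. Other labels are canonicalised
    and compared to each brand; distance 0 or 1 (and not shorter than the brand,
    so 'mail' does not match 'gmail') counts as impersonation."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return None
    for label in re.split(r"[.-]", host):
        cand = canonical(label)
        for brand in BRANDS:
            if len(cand) >= len(brand) and levenshtein(cand, brand) <= 1:
                return brand, label
    return None


def flag_senders(addresses):
    """Map each From: address whose domain impersonates a brand to (brand, label)."""
    return {a: h for a in addresses if (h := lookalike_brand(a.rsplit("@", 1)[-1]))}
```

Run it over the From: domains and link hosts extracted at the mail gateway; the "registered ones" from the deck are all caught while hosts under the official domains pass.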
Take contacts
Attain access
Send phishing emails
Delivery Method
PHPMailer
• A full-featured email creation and transfer class for PHP
• Support SMTP login
• Send from C2 (compromised site)
PHPMailer
PHPMailer
.
├── _modules
│   └── PHPMailer-master   // PHPMailer release
├── list-test.py           // test accounts list
├── list.py                // target accounts list
├── mailer.php             // send mail
└── sender.py              // batch script
PHPMailer
• sender.py
PHPMailer
sender.py
mailer.php
list.py
PHPMailer
PHPMailer
• Mail header
• Fake …