THE ‘ICEFOG’ APT: A TALE OF CLOAK AND THREE DAGGERS-lazarusholic

THE ‘ICEFOG’ APT: A TALE OF CLOAK AND THREE DAGGERS

2013-09-25, Kaspersky
https://media.kasperskycontenthub.com/wp-content/uploads/sites/58/2013/09/21182446/icefog.pdf
icefog.pdf, 4.7 MB
#ICEFOG

►►THE ‘ICEFOG’ APT: A TALE
OF CLOAK AND THREE
DAGGERS

* “三尖刀” - also known as “three
daggers” or “three knives” is an
ancient Chinese weapon.

K ASPERSK Y L AB GLOBAL RESE ARCH
AND ANALYSIS TE AM (GRE AT )
VERSION: 1.00

(C) 2013 KASPERSKY LAB ZAO

CONTENTS

►►CONTENTS
EXECUTIVE SUMMARY ��3
ATTACK ANALYSIS ��4
>> Spear-phishing attacks - Microsoft Office exploits ��5
>> Spear-phishing attacks - Java exploits��9
>> Spear-phishing attacks - HLP vector �� 10
>> Spear-phishing attacks - HWP vector�� 12
>> Attackers’ “Modus Operandi” �� 12
>> Backdoor Information�� 13
>> Lateral movement tools: �� 22

COMMAND AND CONTROL SERVERS ��24
>> C&C Servers Infrastructure�� 25

INFECTION DATA AND STATISTICS ��33
>> Sinkhole Information�� 34

ATTRIBUTION ��39
MITIGATION INFORMATION ��42
>> Indicators of Compromise (IOCs) �� 42

CONCLUSIONS ��49
APPENDIX A �� 51
>> Malware MD5s�� 51

APPENDIX B ��54
>> Malware Technical Analysis�� 54

APPENDIX C ��60
>> The Icefog-NG Bot Description �� 60

APPENDIX D ��64
>> The Macfog Bot Description �� 64

2

EXECUTIVE SUMMARY

►►EXECUTIVE SUMMARY
“Icefog” is an Advanced Persistent Threat that has been active since at least …

lazarusholic

Everyday is lazarus.day^β

THE ‘ICEFOG’ APT: A TALE OF CLOAK AND THREE DAGGERS

Contents