“We are about to land.”: How CloudDragon Turns a Nightmare into Reality
Jhih-Lin Kuo & Zih-Cing Liao
Jhih-Lin Kuo
• Senior Threat Intelligence Analyst
• Speaker at CODEBLUE, HITCON, etc.
• APT & financial intrusions
Zih-Cing Liao
• aka DuckLL
• Senior Threat Intelligence Researcher
• Speaker at CODEBLUE, HITCON, ...
• Automated threat hunting
Agenda
1. Who is CloudDragon
2. Technique I: Supply Chain Attack
3. Technique II: Be A Phishing King
4. Technique III: From PC to Mobile
5. Going Physical
Who is CloudDragon?
(Diagram labels from the slide: APT 37; Kaspersky 2013; Public; Kimsuky; Same Shellcode; Adversary; Target; CloudDragon; KimDragon)
Malware
• TroiBomb
• RoastMe
• JamBog (AppleSeed)
• BabyShark
• DongMulRAT (WildCommand)
• Lovexxx (GoldDragon variant)
• JinhoSpy (NavRAT variant)
• BoboStealer (FlowerPower)
• MireScript
Timeline, 2017 to 2021 (chart labels): TroiBomb, RoastMe, JamBog, BabyShark, DongMulRAT
Incubation → 잠복 (jambok, Korean for “incubation”; hence the name JamBog)
JamBog execution flow (diagram labels, in the order they appear): Run, WSF, Installer, Fake EXE, Drop %APPDATA%\Microsoft\Windows\Defender\AutoUpdate.dll, regsvr32, Inject, Decoy, Explorer, JamBog
JamBog CMD Function
• Screenshot
• Keylog
• File upload
• Shell
• Run Plugin
C2
JamBog C2 URL Pattern
ping:       m=a&p1=[uid]
upload:     m=b&p1=[uid]&p2=[type]
down_cmd:   m=c&p1=[uid]
delete_cmd: m=d&p1=[uid]
update:     m=e&p1=[uid]&p2=[arch]&p3=[sha1]
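The URL pattern above is something a defender can match directly in proxy or web-server logs. The following Python is an added example (not code from the talk or from JamBog itself) that classifies requests by the five command codes and rejects look-alike URLs with missing or extra parameters; the log line format, host names and uid values are constructed assumptions.

```python
# Added example, not from the slides: flag HTTP requests whose query string
# matches the JamBog C2 URL pattern above. Log format and hosts are constructed.
from urllib.parse import urlsplit, parse_qs

# Command code -> (name, expected p-parameters), as listed on the slide.
JAMBOG_COMMANDS = {
    "a": ("ping", ("p1",)),
    "b": ("upload", ("p1", "p2")),
    "c": ("down_cmd", ("p1",)),
    "d": ("delete_cmd", ("p1",)),
    "e": ("update", ("p1", "p2", "p3")),
}

def _is_sha1_hex(value):
    return len(value) == 40 and all(c in "0123456789abcdefABCDEF" for c in value)

def classify_jambog_url(url):
    """Return the command name if the query is m=<a..e> with exactly the
    expected p-parameters (and a SHA-1 hex p3 for update), else None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    code = query.get("m", [None])[0]
    if code not in JAMBOG_COMMANDS:
        return None
    name, params = JAMBOG_COMMANDS[code]
    if set(query) != {"m", *params}:   # extra or missing parameters: not a match
        return None
    if code == "e" and not _is_sha1_hex(query["p3"][0]):
        return None
    return name

def scan_proxy_log(lines):
    """Return (client_ip, command, url) for matching lines.
    Assumed line format: '<client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and (cmd := classify_jambog_url(parts[2])):
            hits.append((parts[0], cmd, parts[2]))
    return hits

# Constructed sample proxy log (no real hosts); lines 3 and 5 should not match.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.invalid/index.php?m=a&p1=1234abcd 200",
    "10.0.0.5 POST http://example.invalid/index.php?m=b&p1=1234abcd&p2=screenshot 200",
    "10.0.0.7 GET http://example.invalid/search?m=a&q=weather 200",
    "10.0.0.5 GET http://example.invalid/index.php?m=e&p1=1234abcd&p2=x64&p3=" + "ab" * 20 + " 200",
    "10.0.0.9 GET http://example.invalid/page?m=c&p1=u1&extra=1 404",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` yields three hits (ping, upload, update) from 10.0.0.5; the strict parameter-set check keeps ordinary `m=` query strings from other applications out of the alert.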
Data Structure (cmd, upload file), fields from offset 0x00: Magic Header, Checksum, XOR Key, Enc Data
Technique I: Supply Chain Attack
The Incident: Aug 2020 ~ Oct 2020, Korean cryptocurrency hardware wallet (NW.js build)
On Windows (diagram labels): kasse.exe, kasse_setup.exe, Official Site, C2, constants.bin, index.bin, main.bin
On Android (diagram labels): Modified vs. Original
• 4ba6baf75625bddc5e1bc3fd40d04b1e
• Steal user preference (seed, passcode)
Official Alert
How we put it all together
Technique II: Be A Phishing King
Abuse Public Service
…