The HeartBeat APT Campaign
Trend Micro Incorporated
Research Paper
2012
The HeartBeat APT
Campaign
Roland Dela Paz
Contents
About This Paper  1
Introduction  1
Campaign Targets  2
Context  2
Attack Vector  3
Infection Flow  4
The RAT Component  5
    Backdoor Functionalities  5
    Installation and Persistence  5
    C&C Communication  6
Command and Control  8
HeartBeat Campaign Codes and Decoy Documents  8
Relationships among C&C Domains, IPs, and Campaigns  9
Attribution  10
Conclusion  10
Timeline  10
Defending against the HeartBeat Campaign  11
Trend Micro Threat Protection Against The HeartBeat Campaign Components  12
PAGE ii | THE HEARTBEAT APT CAMPAIGN
About This Paper
Introduction
This paper exposes a targeted attack called “HeartBeat,” which has been persistently pursuing the South Korean government and related organizations since 2009. This paper will discuss how their specifically crafted campaigns infiltrate their targets.

Today’s cybercriminals try to infect as many users as possible. Their goal is simple—to monetize the resources or data from infected machines in any way they can. Behind such attacks are highly covert targeted campaigns known as APTs.

Compared to most advanced persistent threat (APT) campaigns with diverse targeted industries, the HeartBeat campaign is an isolated case. Furthermore, we will examine their attack methodologies which include …