The HeartBeat APT Campaign

2013-01-03, TrendMicro
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/wp_the-heartbeat-apt-campaign.pdf
wp_the-heartbeat-apt-campaign.pdf, 3.0 MB
#HEARTBEAT

Trend Micro Incorporated
Research Paper
2012

The HeartBeat APT Campaign

Roland Dela Paz


Contents

About This Paper   1
Introduction   1
Campaign Targets   2
Context   2
Attack Vector   3
Infection Flow   4
The RAT Component   5
  Backdoor Functionalities   5
  Installation and Persistence   5
  C&C Communication   6
Command and Control   8
HeartBeat Campaign Codes and Decoy Documents   8
Relationships among C&C Domains, IPs, and Campaigns   9
Attribution   10
Conclusion   10
Timeline   10
Defending against the HeartBeat Campaign   11
Trend Micro Threat Protection Against The HeartBeat Campaign Components   12

PAGE ii | THE HEARTBEAT APT CAMPAIGN


About This Paper

Introduction

This paper exposes a targeted attack called “HeartBeat,” which has been persistently pursuing the South Korean government and related organizations since 2009. This paper will discuss how their specifically crafted campaigns infiltrate their targets.

Today’s cybercriminals try to infect as many users as possible. Their goal is simple: to monetize the resources or data from infected machines in any way they can. Hidden behind such high-volume attacks are highly covert targeted campaigns known as APTs.

Compared to most advanced persistent threat (APT) campaigns, which target diverse industries, the HeartBeat campaign is an isolated case. Furthermore, we will examine their attack methodologies, which include …