2-Extended Analysis-Full

Recommendations

Info

Communities @ Risk 13EXTENDED ANALYSIS: 2.1 Summary, Methodology and Data <strong>Analysis</strong>counts for the highest number of submissions relative to the other groups as it wasone of the first groups in the study and is persistently targeted. Tibet Groups 2 and4, which joined the study at a later date (April 2012), show a similar submissionrate to Tibet Group 1, suggesting these groups are targeted at a comparable level.FIGURE 2: Malicious emails by type for groups submitting 25 or more emailsWe classify emails as malicious if they include attached malware, a direct link tomalware or a drive-by download site, or a link to a phishing page. Figure 2 shows thenumber of emails of each type for the groups that submitted at least 25 emails to oursystem. The most common technique employed in these emails was a malicious attachmentto the message. However, we observe a higher rate of phishing attacks on theChina Groups and the Rights Groups. In particular, 46% of the emails submitted byChina Group 1, and 50% of the emails submitted by Rights Group 1, direct the userto a phishing website.The rate of submissions to our project meant that it was feasible to manuallyanalyze email attachments for malware as they were submitted. This analysis givesus higher confidence in our results than if we had automated the process. Antivirus(AV) signatures frequently fail to detect new or modified threats, and can overlookthe kind of malicious payloads that can be identified with manual inspection (e.g.,shellcode in an RTF exploit). In total, we analyzed 3,617 payload files and found2,814 (78%) to be malicious.
Communities @ Risk 14EXTENDED ANALYSIS: 2.1 Summary, Methodology and Data <strong>Analysis</strong>MALWARE FAMILIESWe identified malware families through patterns in network traffic and characteristics in thecode, such as strings seen in the binaries or names and locations of dropped files. In total, weidentified 44 separate malware families (not including variants). The most frequently occurringfamilies are Gh0st RAT, Surtr, Shadownet, Conime, Duojeen, and PlugX.FIGURE 3: Malware family timeline(The coloured dots represent attacks using a particular malware family against one of our study groups.)
Page 2 and 3: EXTENDED ANALYSIS:2.1Summary, Metho
Page 4 and 5: Communities @ Risk 3EXTENDED ANALYS
Page 12 and 13: Communities @ Risk 11EXTENDED ANALY
Page 20 and 21: Communities @ Risk 19EXTENDED ANAL
Page 30 and 31: EXTENDED ANALYSIS:2.2Cluster Analys
Page 64:
Communities @ Risk 63EXTENDED ANALY
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Communities @ Risk 100EXTENDED ANAL
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
EXTENDED ANALYSIS:2.3Civil Society
Page 111 and 112:
Page 113 and 114:
Communities @ Risk 112duced new ris
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125:
show all

2-Extended Analysis-Full

Create successful ePaper yourself

Delete template?

Save as template?