dissection of a Cyber- Espionage attack

More documents

Recommendations

Info

APT 28 Tools EVILTOSS IOCs At system level the malware modifies the Registry in order to ensure persistence. It is dropped and executed, usually, from one of these folders: #RSAC EVILTOSS installation folder %system% %temp% %commonprogramfiles%\System\ Registry Keys and Values Created Modified HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDll = %EVILTOSS folder%.dll Yes No HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDllUnloadOnStop = 1 Yes No HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\ntsvcs = Network Identification Service Yes No HKEY_LOCAL_MACHINE\software\microsoft\windowsNT\currentversion\svchost\ntsvcs\CoInitializeSecurityParam ➝ 1 Yes No download files from a remote computer and/or the Internet run executable files log keystrokes send gathered information
APT 28 Tools EVILTOSS ATTRIBUTION BY COMPARISON #RSAC The attribution has been performed in two ways: • by comparison, between the discovered samples and the public ones. • by analysis, looking for indicators related to the date and time of compilation, the time zone and the language of the malware discovered. Also lateral movements have been verified in terms of timeframe of the log and hosts involved.
Page 1 and 2: SESSION ID: CTT-W08 Evolving Threat
Page 3 and 4: Agenda What we discuss today Today
Page 5 and 6: The target: the moat without water
Page 7 and 8: The target: the moat without water
Page 9 and 10: The attack strategy How they break-
Page 11 and 12: Attack Overview: End of First Wave
Page 13 and 14: Attack Overview: End of Second Wave
Page 15 and 16: The attack strategy The infection p
Page 17 and 18: Pwning the core: CVE-2015-1701 AKA
Page 19 and 20: Patient Zero How the victim discove
Page 21 and 22: Patient Zero consequences How the a
Page 23 and 24: What we can bring to the table? #RS
Page 25 and 26: Actionable IoCs What our methodolog
Page 27 and 28: Investigation: first step The Custo
Page 29 and 30: Our investigation Our approach tail
Page 31 and 32: APT 28 Tools APT 28 Tools seen in t
Page 33: APT 28 Tools CORESHELL ATTRIBUTION
Page 37 and 38: APT 28 Tools CHOPSTICK CHOPSTICK i
Page 39 and 40: The attack strategy IOC: C2 list T
Page 41 and 42: Conclusion What I can suggest It i
Page 43 and 44: #RSAC

dissection of a Cyber- Espionage attack

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?