SharpTongue pwning your foreign policy, one interview request at a time - Tom Lancaster (Volexity)

Virus Bulletin
9 Nov 2023, 29:16

Summary

TL;DR: Tom Lancaster, threat intelligence lead at Volexity, discusses the tactics of a North Korean threat actor Volexity calls SharpPine (formerly SharpTongue), which compromises foreign-policy experts through patient, well-researched phishing. The talk focuses on social engineering rather than technical malware details, showing how SharpPine gains access to email accounts in order to learn what governments are actually prepared to do regarding North Korea. Lancaster shares real-world phishing examples, covers malware such as the SHARPEXT browser extension, and discusses the difficulty of detecting and remediating such persistent intrusions.

Takeaways

  • 🔒 The North Korean threat actor SharpPine compromises experts, particularly in foreign policy, through sophisticated phishing.
  • 📚 Tom Lancaster's company, Volexity, is known for memory forensics and sells commercial solutions built around the Volatility framework, alongside network security monitoring and threat intelligence services.
  • 🎯 SharpPine's primary goal is access to a user's mailbox, obtained through credential theft or malware deployment.
  • 🤔 The attackers want to uncover the actual 'red lines' of the United States, European Union countries and South Korea regarding North Korea, as opposed to publicly stated positions.
  • 📧 Once a user's email data is stolen, it is repurposed to craft targeted phishing against other users.
  • 💡 SharpPine is adept at social engineering, understanding and subverting targets' normal workflow so that phishing attempts seem both routine and urgent.
  • 🕵️‍♂️ The actor spends time building rapport with targets over email before delivering any malware.
  • 📚 Examples of targeted phishing include conference submission requests, meeting arrangements and paper-writing invitations, all leading to malware delivery.
  • 🛡 Password-protected files hosted on platforms like OneDrive have become prevalent, making it harder for cloud providers to detect the payload.
  • 🌐 SharpPine has transitioned from compromised websites to self-registered domains to make phishing infrastructure appear more legitimate.
  • 🛠 The payload is often a variant of BabyShark, a VBScript-based malware family recognisable by its alphabet-swap encoding function.

Q & A

  • Who is Tom Lancaster and what is his role at Volexity?

    -Tom Lancaster is the threat intelligence lead at Volexity. He is responsible for analysing and discussing threats; in this talk he focuses on the North Korean threat actor known as SharpPine.

  • What is the primary focus of Tom Lancaster's talk at the conference?

    -The talk focuses on the social engineering and phishing techniques SharpPine uses to compromise experts in the field of foreign policy, rather than on the technical details of malware or exploits.

  • What is the significance of the Volatility framework in the context of Volexity?

    -The Volatility framework is a memory forensics tool whose authors primarily work for Volexity. The company now offers commercial solutions built around it.

  • What is SharpPine and how is it related to North Korea?

    -SharpPine, previously referred to as SharpTongue, is a North Korean threat actor that has been active since around 2012. It is known for using a large number of malware families to compromise targets.

  • What is the main objective of SharpPine when compromising a user's system?

    -SharpPine's main objective is to gain access to a user's mailbox, because email is where the most sensitive and valuable information is shared, especially in politics and the NGO space.

  • How does SharpPine typically gain access to a user's mailbox?

    -Either through credential theft, usually via phishing links that lead to fake login pages, or by deploying malware that steals credentials (for example a keylogger) or reads email directly from the browser.

  • What type of targets does SharpPine primarily focus on?

    -SharpPine primarily targets think tanks, NGOs, academics, journalists and government entities, particularly in the United States, South Korea and European Union countries, who work on foreign policy and North Korea matters.

  • How does SharpPine use compromised email data to further its attacks?

    -SharpPine repurposes stolen email data to craft convincing phishing emails against other users. By learning the communication patterns and relationships between individuals, the attackers can replay realistic conversations to new targets.

  • What is the significance of the SHARPEXT malware mentioned in the talk?

    -SHARPEXT is a piece of malware that runs inside Google Chrome or any Chrome-based browser. It is significant because it steals mail data directly from the user's authenticated browser session, bypassing some of the protections around the account itself.

  • What challenges do threat actors like SharpPine pose to individuals and organisations in terms of security?

    -They combine sophisticated social engineering with relentless targeting. They compromise personal as well as work devices, which makes detection difficult, and once a system is infected it is unlikely to be fully cleaned without human intervention.

  • What strategies can be used to mitigate the threat posed by SharpPine?

    -Building a relationship with targeted users, educating them on what this kind of phishing actually looks like, and encouraging them to report suspicious contact. Closely monitoring and securing personal email usage on work devices is also crucial.

Outlines

00:00

🔎 Introduction to Sharine: North Korean Threat Actors

The speaker, Tom Lancaster, introduces SharpPine, a North Korean threat actor group, focusing on the social engineering tactics it uses to compromise experts in foreign policy. He highlights the group's use of phishing to install malware, contrasting this with the more technical talks at the Virus Bulletin conference. Lancaster's company, Volexity, is known for memory forensics and threat intelligence, with a customer base in the U.S., particularly among NGOs. The talk sets out to cover the attackers' motives, their social engineering methods, their infrastructure and the malware they use, emphasising the group's interest in political strategy and confidential information regarding North Korea.

05:01

🎯 Sharine's Targeting and Phishing Strategies

This section covers SharpPine's targeting preferences: think tanks, educational institutions and government entities, particularly in the U.S. and South Korea. The attackers exploit the common practice of using personal email for work-related communication, which makes personal webmail a prime target. The section describes the group's social engineering skill, noting its ability to mimic legitimate interactions and build trust with targets over time before delivering malware, a patience that sets it apart from other threat actors.

10:02

📬 Real-world Phishing Examples and Attacker Workflow

The speaker provides real-world examples of SharpPine's phishing attempts, illustrating how the attackers initiate contact, hold seemingly normal conversations and eventually lead targets to click a malicious link or open an infected document. The examples include fake meeting arrangements, requests for conference papers, and social pressure to act immediately. The section emphasises the attackers' patience and their ability to subvert typical user workflows to increase the likelihood of a successful infection.

15:02

🤔 Countermeasures and the Challenge of User Behavior

In this part, the speaker discusses the difficulty of detecting and countering SharpPine's attacks, especially when they target personal devices used for work. He points out that users are unlikely to change their behaviour and that once a device is compromised it is hard to clean without human intervention. The section stresses the need for a proactive approach, including educating users and building relationships that make it easy to report suspicious activity.

20:06

🛠️ Infrastructure and Malware Analysis

The speaker shares insights into SharpPine's infrastructure, including its use of compromised and self-registered websites for phishing campaigns. He also discusses the payload delivered by the attacks, which is often a variant of the BabyShark malware, recognisable by its alphabet-swap encoding function, and how the SHARPEXT browser extension evades detection by blending in with normal user activity in the web browser.

25:07

🔚 Conclusion and Outlook

The final section wraps up by emphasising the persistence and resilience of SharpPine's tactics, its relentless targeting of individuals and the difficulty of detecting its activity on personal devices. The speaker concludes with the sober outlook that automated solutions are unlikely to resolve these infections, and stresses the importance of human intervention and user education in mitigating the threat posed by groups like SharpPine.

Keywords

💡Threat Intelligence

Threat intelligence is the process of gathering, analysing and disseminating information about threats to an organisation's information assets. In the video, Tom Lancaster, Volexity's threat intelligence lead, explains the strategies the North Korean threat actor SharpPine uses to compromise foreign-policy experts, illustrating how threat intelligence helps in understanding and mitigating such threats.

💡Social Engineering

Social engineering is psychological manipulation that tricks individuals into divulging confidential information or performing certain actions. The video emphasises SharpPine's use of social engineering to get malware installed through carefully built phishing conversations, showing how the attackers exploit human behaviour rather than technical vulnerabilities.

💡Phishing Techniques

Phishing techniques deceive targets into providing sensitive information or access through disguised emails or websites. The talk describes several phishing scenarios in which SharpPine tricks experts into clicking malicious links or opening infected documents, highlighting how well researched these approaches are.

💡Malware

Malware, short for malicious software, is any software intentionally designed to cause harm to a computer system or its users. The video discusses the many malware families used by SharpPine, with a focus on SHARPEXT, a browser extension that steals email data, demonstrating the range of tools in the actor's arsenal.

💡Credential Theft

Credential theft is the stealing of usernames and passwords to gain unauthorised access to systems or services. The talk notes that SharpPine's aim is access to users' mailboxes, sometimes achieved through credential theft via phishing links that lead victims to fake login pages.

💡SHARPEXT

SHARPEXT is the malware discussed in the video that runs inside Google Chrome or other Chrome-based browsers to steal email data. It illustrates SharpPine's targeted approach: the malware is built specifically to achieve the actor's primary goal of accessing and exfiltrating sensitive email.

💡Advanced Persistent Threats (APT)

An APT is a highly resourced and motivated threat actor, often state-sponsored, that conducts long-term, stealthy cyber-espionage operations. The talk describes SharpPine as fitting this profile because of its relentless targeting of specific individuals and organisations over time.

💡Phishing Emails

Phishing emails are a form of phishing attack that uses forged or deceptive email to lure the recipient into clicking a link or providing sensitive information. In the video, SharpPine sends seemingly legitimate emails, such as requests for paper submissions or meeting arrangements, whose real purpose is to deliver malware or steal credentials, showing how central phishing email is to this APT's operations.

💡Red Line

In the context of the video, a 'red line' is the threshold beyond which a particular response or action will be triggered, especially in matters of policy or conflict. The attackers want to discover the true red line of their targets, such as the United States' actual stance on North Korea, which may differ from public declarations.

💡C2 Management

C2, or command and control, management refers to the infrastructure attackers use to control compromised systems and run their operations. The talk discusses how SharpPine manages its C2 infrastructure, including the use of compromised websites and self-registered domains, to maintain control over infected systems and evade detection.

💡BabyShark Malware

BabyShark is a malware family that uses a VBScript function performing alphabet swapping as its encoding mechanism. The video explains that this malware is commonly associated with SharpPine and is delivered through its phishing campaigns to establish a foothold on compromised systems.

💡Human Intervention

Human intervention means manual, human-led action to address a situation, as opposed to automated solutions. The video suggests that once a machine is compromised by SharpPine it is unlikely to be fully cleaned without human intervention, emphasising the resilience of the infection and the importance of human expertise in remediation.

Highlights

Tom Lancaster, the threat intelligence lead at Volexity, discusses the North Korean threat actor SharpPine and its tactics for compromising foreign-policy experts through phishing.

The talk focuses on social engineering and phishing techniques rather than the technical aspects of malware or exploits.

Volexity's background in memory forensics and its commercial solutions around the Volatility framework are highlighted.

The company's network security monitoring and threat intelligence services have a significant customer base in the US NGO sector, including think tanks.

SharpPine, previously known as SharpTongue, is a North Korean threat actor active since 2012 and known for using many different malware families.

The primary goal of SharpPine is access to a user's mailbox, where sensitive information in politics and the NGO space is shared.

Credential theft and malware deployment are the two key methods SharpPine uses to get at user mailboxes.

The attackers aim to understand the strategies and red lines of the US, EU and South Korea regarding North Korea.

SharpPine is adept at repurposing stolen mail data to target other users, which makes it highly effective at social engineering.

The talk provides real-world examples of phishing attempts, including the preference for targeting personal webmail over corporate accounts.

The attackers subvert typical user workflows, understanding and mimicking the daily interactions of their targets.

SharpPine's willingness to invest time in building a conversation before delivering malware sets it apart from other threat actors.

Examples of social engineering include organising fake meetings, asking targets to write papers, and using compromised websites for phishing.

Volexity has been able to insert itself into phishing conversations and even engage with the attackers to gather intelligence.

Password-protected files on platforms like OneDrive have become prevalent as a way of avoiding detection by cloud providers.

A unique insight into SharpPine's C2 management was gained when Volexity was given access to a compromised server, revealing the actor's logging and ban-list practices.

The payload delivered by SharpPine is often a variant of the BabyShark malware, characterised by a specific VBScript encoding function.

SHARPEXT, a browser extension malware, lets the attackers steal mail data while bypassing the webmail provider's detection mechanisms.

The persistence of SharpPine in targeting individuals and the difficulty of detecting infections on personal devices are highlighted as significant challenges.

The importance of human intervention in remediating infections and the need for a change in approach to persistent threats are emphasised.

Transcripts

00:04

Hi everyone, my name is Tom Lancaster. I'm the threat intelligence lead at Volexity, and today I'm here to talk to you about a North Korean threat actor that we call SharpPine, and it's about how they basically compromise experts, particularly in the field of foreign policy, through clever phishing techniques. So a lot of the talks at this conference are highly technical and they're about the ins and outs of how malware works or particular exploits. This talk does not touch on those things. Ironic for a talk at a conference called Virus Bulletin, there is very little discussion of viruses. Instead we're going to focus on the social engineering and the phishing that these hackers do to install the malware, which ultimately is what they want to do.

00:42

So a little bit of quick background about the company I work for, Volexity. You might be like, hey, how does Tom have access to so much cool stuff? And so to know that you've got to understand a little bit about Volexity. The main reason you may know about the company is from a memory forensics perspective, so the people who wrote the Volatility framework primarily work for Volexity now. We sell commercial solutions around that, Surge and Volcano. We also do network security monitoring and threat intelligence, and the network security monitoring part of the business in particular has a reasonably good customer base in the United States, particularly in the NGO sector, so think tanks, places like that. And the stories I'm going to share with you, the examples I'm going to share with you today, come from our kind of monitoring of customer networks, engaging with customers in that space.

01:31

But before we can get to the kind of interesting phishing techniques the attacker is using, we've got to do some kind of legwork together. So we're going to talk a little bit about who the attackers are, what they want and why they want it. Then we're going to talk about the social engineering and phishing techniques that the attackers use, and then there's a little bit about the infrastructure, some unique insights we have had in the past, in particular into how the attackers managed that infrastructure, some quick overview of the malware, and some outlook and thoughts about what this kind of means for people who are targeted by this threat group.

02:03

So who is SharpPine? So SharpPine, SharpTongue: you may have realised that the agenda is not the same as what I'm going to use in the slides today, and that's because in the summer of 2023 my organisation decided to change all of these threat actor names. And so you can basically ignore the difference between the two. They are the same, do not worry, and we can now move on satisfied that that issue is resolved. So they're a North Korean threat actor active since around 2012. They use a swath of different malware; if you read the APT43 report there's like 100 malware families listed. The most common ones that we see are listed there, and they've got a numerous, an innumerable number of aliases, just like every other threat actor that people talk about. Yeah, if you've read about any of these malware families or these threat actor names before, you'll have a rough idea of what I'm talking about.

02:54

And for the particular stuff we're looking at today, I think it's interesting for any threat actor to think about what success looks like for them, and for this threat actor success ultimately looks like access to a user's mailbox. Sometimes they'll go after other data on the user's machine, but predominantly what they want is the email, because the email is where people are sharing the most interesting information with their peers, particularly in kind of politics and the NGO space. And the way that they get access to users' mailboxes is through two kind of key things. One is credential theft, so that's I send you an email and eventually maybe there's a phishing link, and that phishing link takes you to a login page for some service, whether it's like your actual work email, Gmail, whatever it might be, and then you enter your credentials and hey ho, the attacker has access. And that's becoming less common for this attacker as a way of doing things, maybe because of adoption of 2FA, maybe for other reasons. And the second kind of key way they could do this is through use of malware, so they can deploy any number of malware families, and they could use like a keylogger to steal all of the user's passwords, and they also have a very clever piece of malware that works within Google Chrome or any Chrome-based browser called SHARPEXT, which steals the mail from the context of the user's browser.

04:08

And the key outcomes for the attacker are basically they want insights into what the United States, some European Union countries and South Korea are going to do regarding North Korea. So the types of people they're targeting and the information that those individuals hold is likely to be key in times of like negotiations and red lines. So the United States might say one thing in public about their particular stance on what North Korea might do in one scenario, but behind the scenes the United States might actually have like a different red line. Like they say if you cross this line we'll punish you, but actually the red line might be much, much deeper, and the attackers are interested in knowing what the actual red line is, not the one you

04:51

say. And the second unique outcome, or kind of thing that I don't think I really hear a lot of other people talk about, is that having stolen one user's mail data, they are very good at repurposing that mail data to phish other users. So by phishing one user they gain great insight into what would make good phishing material or conversation material to attack a different user. And to really kind of hammer home the, like, publications you might have read about the same type of thing, there are a number of those in the public domain. So from Google Mandiant, I think the huness article on the left hand side there is a really good example of what you'll find if you find a user who's been compromised by this group. So yeah, I think there's a lot of previous reporting you can get your hands on.

05:40

Sometimes we're able to gain insights into the types of target the group have, not just within our own customer base but outside of our customer base, and the data in this slide and the next one comes from just one wave of emails, but we think it's relatively representative of the types of targets that this group is attacking. So you can see predominantly it's kind of think tanks, NGOs on the left hand side; the next bar is education, so there are professors at universities who are essentially experts in North Korea, and there are various kind of journalists and government entities as well. And in terms of where those people live, a lot of them are in the United States; they're probably considered one of the key kind of influences in global politics regarding North Korea, and then there's obviously South Korea, which is probably also a very key issue for the North Koreans, and then a smattering of kind of countries around the world as well.

06:38

One thing that's going to come up a couple of times in this talk is the differential between targeting a user's personal webmail and their corporate accounts. So many of you in the room might think it's ludicrous that you would use your personal email to talk about work stuff. However, for a lot of the targets of these attacks that is not the case; that is actually the status quo. So particularly if you're a person who is a professor at one university, you also hold a board position at another place, you end up having like five or six emails related to your work, and what you don't want is to log into five or six places. So what these professors and these other kind of professionals and experts do is they try to manage all of their email in one place, which is their personal email, and log into their work email as little as possible. And SharpPine are very good at taking advantage of this. So once they figure out, like, someone's... my work email might be tlancaster at volexity.com, but if they figure out that my personal email is, like, I don't know, tlancaster at h.com, they'll target that preferentially, because ultimately that's where the best data

07:48

is. So I said at the start of this talk that this talk is primarily about social engineering and phishing, and so that's what we're going to come on to now. And I think this is a topic worthy of discussion because Volexity tracks a number of different threat actors distributing, like, different malware, and some of those threat actors are very high sophistication, some of them very low. And when it comes to social engineering, SharpPine are relatively good; they're at the top end of the spectrum I would say, whereas other threat actors might have the best malware in the world, but if they can't convince the user to install it, or if they don't have an exploit, they're out of luck. And basically what I would just... it boils down to is that SharpPine subvert a typical user workflow. So they have a real understanding of how the people they're targeting work on a day-to-day basis.

08:37

And these people are typically... so a typical scenario for somebody who might be targeted is they might receive an email out of the blue. This is something that would happen to them every day. They'll receive an email out of the blue from a webmail account and they'll say, hey, I'm a journalist working at this newspaper, I'd like to interview you on the subject of North Korea-China relations. And that is a normal thing to happen to them, and so the target might reply and say, oh yeah, sure, I would love to do the interview. And then they might say, oh, I'm going to ask you these questions, and they send them the questions document, which is going to contain the questions that I'll ask you during the interview, and all of this is normal, and so the target is quite happy to open the email. And the attackers understand this, and the reason they understand this is because they have been doing this for a long time. They've read a lot of email between these people and so they understand what the conversations look like, and they're able to take those conversations and basically replay them back to a different user and get success. And unlike a lot of attackers, the final point is that they're willing to spend time building a conversation. So if you ever talk to a user about what phishing looks like, you might often say, oh, you'll receive an email and it'll contain a suspicious link, but what you won't say is, you'll talk to this person for a month and then at the end of that month they will send you a suspicious link. Nobody is taught to identify phishing that way.

10:01

So in the top left of my diagram here I've got the attacker and in the top right I've got the target, and this is just one example of how it might look. This isn't how it looks every time, and in some of the examples later we'll have cases where the attackers didn't wait for so long, but this is something that can genuinely happen. So the attacker can send an email on day one and it contains no malicious content whatsoever. It just says hello, I'm looking to make a contact, and so on and so forth. The target replies, the attacker replies; this can go back and forth for a while, we can talk about different things, and then eventually the hook is that they're going to send some phishing content, and the result is that the user either has to log into a service, which is a phishing page, or they have to open a file which contains malware. Those are the two kind of end games, but that might take a long time to get

10:52

to. And what they've done very well is they've got these two kind of phishing principles that I think are kind of key to their operations, and I think a lot of attackers are very good at the second one. So I think in the previous slides there was an example of, like, you've got to respond to this RFQ; it's like a "you have to do this now". And so a lot of, like, commodity spam is very good at making people feel time-pressured into responding to a phishing message, but what commodity phishers are less good at doing is making people feel comfortable about responding to that. And by engaging in that conversation first, the attackers are able to make people feel not only comfortable but feel like they have to do it now.

11:30

And so now I've got a series of examples of real-world phishing examples from this group that hopefully illustrate the points I've been trying to make. So we'll start with the simplest possible case, which is sharing a document. So the font's a little small, so I'll just kind of explain what's happening in the emails. On the left hand side the attacker sends an email to the target and it says, hello, did you receive my email from three days ago? And the gotcha is that there was no email three days ago; this is just to see if the person is willing to reply. And then in the second case, in the second screenshot, the target has replied and said, no, I didn't receive your email, what was it about? And then they say, oh sorry, here it is again, and they create an email that looks like it's being forwarded again, and it contains a link to OneDrive which is hosting the malware file. And this is the kind of simplest ruse that the attackers will use.

12:27

Stepping things up to be a little bit more... maybe you think it's kind of lame, that's not what he described. I think this is more along the lines of the type of thing you might have been expecting. So in this case the attacker poses as a researcher at KINU, which is the Korea Institute for National Unification, a Korean think tank that's focused on making sure, or trying to make, unification happen in Korea. And they say, hello, I would like you to submit to an upcoming conference. This is a real event that's happening. Please could you give me an idea of the paper you'd like to submit and your abstract? And the target replies and says, hey, yeah, I'd like to submit, and so on, and they have a little bit of a conversation, and eventually the target says, oh, what would you like me to submit about, what topics do you need covered? And the attacker says, thank you so much for accepting our invitation, we'd like you to choose your paper's topic, but please review our guidelines and code of ethics, and they are once again hosted on OneDrive, with a password this time. And generally password-protecting the content on the OneDrive or whatever it is has become much more prevalent for the threat actor, and I figure that's because they were being kind of thwarted by attempts by Microsoft to detect their malware on OneDrive and other platforms. So now they simply password-protect it, meaning the cloud providers are unable to easily detect their malware

13:49

being hosted

13:52

there possibly the best example I have

13:55

is an example where the attacker

13:56

proposes an inall life Meetup between

13:58

the attacker the Target and a third

14:01

party so in this example the attacker

14:04

says hello I am a government official at

14:06

the embassy of South Korea in Washington

14:09

DC and our Target also lives in

14:11

Washington DC but does not know this

14:13

person and they say I'd like you to

14:15

organize a meeting they're asking for an

14:17

introduction because they know that our

14:19

Target knows another person who is

14:21

visiting Washington CC from South Korea

14:24

this is a relatively informed attacker

14:26

here who wants to organize a fake in

14:28

real life meeting between these three

14:29

people and asked for a proposal of a

14:34

date they exchange a number of emails

14:36

over a course of a week maybe more and

14:38

they agree a time and a place for this

14:40

in real life meeting to take take place

14:41

and you might be wondering how they can

14:43

convert this into a malware infection

14:46

and just one day before the meeting the

14:47

attackers say oh oh by the way uh could

14:50

you p uh here's the list of the other

14:52

people that will be attending the

14:53

meeting uh please click on this Google

14:55

Drive Link uh which actually I think the

14:58

font a little small but it's not hosted

15:00

on Google Drive at all it's hosted on

15:02

attacker infrastructure in this

15:03

case but in this case the attacker has

15:06

done something fairly outlandish I could

15:07

never have guessed that an attacker

15:09

would ever try to organize an in real

15:11

life Meetup to facilitate a fish the day

15:14

before and by doing it the day before

15:16

they really make sure the attacker has

15:18

to click it I mean the the target has to

15:20

click it that day because they need to

15:22

know the information before the next

15:24

day and because there's no malicious

15:26

content in any of the emails leading out

15:28

to this we only are able to kind of

15:30

piece this back together on the final

15:32

fish so on the final day we're able to

15:35

find the fish but then all the stuff

15:37

coming before we're completely blind

15:44

to another example of a kind of uh

15:48

technique that we've seen use more than

15:49

once is asking people to write a

15:51

paper so in this case the attacker says

15:55

hello I'm a researcher at the sang

15:56

Institute which is a Korean Think Tank

15:58

and says could you please write a 1,200w

16:01

piece for our website on China and North

16:03

Korea relations and they set them a

16:04

deadline by which to do

16:06

so and because this is this is not an

16:09

out of the ordinary request these

16:11

experts are frequently asked to give

16:12

opinion articles for various news

16:14

outlets um and so that is exactly what

16:16

the target does the Target spends a few

16:18

hours writing a long long winded opinion

16:21

piece about the current state of China

16:23

North Korea

16:24

relations and sends it to the

16:27

attacker and the attacker says thank you

16:30

before publishing on this on our website

16:31

I'd like you to review the comments I've

16:33

made on your document uh could you

16:35

please review them and then once more

16:37

you guessed it it's a one Drive Link and

16:39

the one Drive Link has a password and

16:40

within that is the

16:43

malare so to recap the kind of workflow

16:46

that the attackers have here they ask

16:48

the user to do something they would

16:49

usually do for work they maybe engage

16:51

them in a little bit of conversation

16:53

beforehand the user does that thing and

16:55

then the user gets something back from

16:56

the attacker and that thing uh is the

16:59

malware and essentially often it's a

17:01

document but there are other formats

17:02

used as well but essentially all that

17:04

stands between the user being

17:06

compromised and not is the enable

17:09

content bar in Microsoft

17:13

Word so all the examples so far took

17:16

place with real users but in some cases

17:18

vity has been able to insert itself into

17:21

the fishing conversation and try to get

17:23

fished

17:24

ourselves so because of the uh kind of

17:27

workflow that this attacker and some

17:29

others use if you identify the fish

17:31

early on it's kind of disappointing

17:33

because you don't get any malware which

17:34

is maybe what you're interested in and

17:37

so in those cases we will often ask the

17:39

users who are targeted to actually

17:40

follow along in the conversation and

17:42

engage with the attacker until they

17:44

actually give them the malware but

17:46

sometimes the users are not confident

17:48

with that and they don't want to talk to

17:50

a hacker is kind of the way they're

17:51

thinking of it and in those cases

17:54

sometimes we say okay well if you don't

17:55

want to talk to the hacker perhaps you'd

17:57

be willing to introduce them to us and

17:58

we'll create like some kind of fictional

18:00

identity either at the organization or

18:03

on web mail and that's what we've done

18:05

here and here we're talking to Melanie

18:07

who is the attacker and Melanie says she

18:10

works for NK news which is a North

18:12

Korean specific News website and we've

18:15

been talking for Melanie for a while now

18:17

and eventually she says there's kind of

18:19

a security problem with the NK news

18:21

accounts which we've told her we

18:23

have uh and she says you need to

18:25

register your IP to keep your account

18:27

secure by visiting this link and the

18:29

Curious Thing here is that the link that

18:31

she sent is to the real NK News website

18:34

but it's just a 404 because this page

18:36

doesn't exist so we kind of play along

18:38

we say oh Melanie this link doesn't

18:39

exist and she says oh sorry I didn't

18:42

mean to make a mistake here's the real

18:43

link and then link number two uh is the

18:46

one for that fishes for your NK Pro

18:49

credentials now unfortunately in this

18:51

case we don't actually have a

18:52

subscription to NK news so we cannot

18:54

continue playing along uh so we simply

18:57

tell her that when we open up the page

18:59

uh it says that the page is malicious

19:02

like you know that Chrome this is an

19:03

unsafe website uh page and we say oh

19:06

maybe you should scan your website uh

19:09

and Melanie says don't worry about that

19:10

that's okay just send me your username

19:12

and password and I'll sort it out for

19:15

you uh so if all else fails the

19:18

attackers are perfectly happy just to

19:19

ask for your username and password and

19:21

presumably they do this on the basis

19:22

that they've been successful with it at

19:24

least

19:27

once in terms of infrastructure uh there

19:30

is kind of a broad summary that I can

19:33

give you which is that in the past they

19:35

often use compromised websites to

19:37

particularly for the fishing campaigns

19:39

I've described whereas today often

19:41

they're using websites they've

19:42

registered themselves and I figure this

19:44

is mainly around making their fishes

19:46

look better so that the URLs that the

19:48

users see if they were to look at them

19:50

look close to real

19:52

organizations so those are some of the

19:54

organizations uh that they kind of

19:56

impersonated recently in the bottom

19:58

right so they're a mixture of us Korean

20:01

and uh educational and news kind of

20:05

organizations but looking at that older

20:07

cluster

20:09

um we have kind of one interesting story

20:11

to share which is around C2

20:15

management so I don't know how many of

20:18

you work in the kind of or how many of

20:20

you have ever tried to tell somebody you

20:21

do not know that their website is

20:23

compromised but generally is a fruitless

20:25

task because you will tell them that

20:27

their website is compromised and they

20:28

will assume that you were the one who

20:29

did it somehow and therefore they will

20:32

not engage with you but in 2019 we tried

20:35

our luck and we contacted a large range

20:37

of compromised websites explaining that

20:39

their websites were compromised and in

20:40

use by attackers could we help you clean

20:42

it up and we struck gold in one case the

20:46

website owner looked us up figured out

20:48

we were probably legitimate and gave us

20:50

root SSH access onto their web server

20:53

and we were able to basically do

20:54

whatever we wanted for a period of

20:56

around a month and then and then we

20:58

cleaned it up after that and we notified

21:01

everybody we could see was compromised

21:02

through that particular compromised

21:04

website um and there were a few

21:06

interesting things we learned about the

21:08

way the attackers did stuff on the C2

21:10

that maybe worth

21:12

sharing so the first is around logging

21:16

so if you're a threat researcher and

21:17

maybe you interact with c2s every so

21:19

often I think this is like an

21:20

interesting thing about what even a

21:22

relatively low technical skill thre

21:24

actor is doing regarding logging of

21:26

requests to their C2 so let's say it's a

21:29

WordPress site and they've compromised

21:31

suite.com WordPress content and they'll

21:33

have all of their files buried like five

21:35

directories deep and if you make a

21:37

request in that root directory they will

21:38

just log your request your IP and your

21:40

user agent and put it in a file and what

21:42

we would see them do is periodically

21:44

they would review that file copy lists

21:46

of ips from it and add them to the ban

21:48

list and if your IP or user agent got

21:51

added to the ban list no matter what

21:52

your request you were given a for for

21:55

and so it was a way for the attackers to

21:57

try and stop people monitoring their

22:01

activity and the second thing that I'm

22:03

going to use in the slides there's more

22:05

detail in the paper is around help. text

22:08

so what the attackers would do is

22:10

because it's a compromised website they

22:11

would upload a zip file for every attack

22:13

so they were going to fish a virus

22:15

bulletin for example they would create a

22:17

folder called VB and in VB they would

22:19

dump VB do zip they would unzip it and

22:21

then they would be all of the files that

22:22

they were planning to use in that

22:24

particular

22:25

campaign but the interesting aspect at

22:27

least in 9 is that each zip file

22:29

contained a file named help. text and

22:32

help. text explained to a user how they

22:34

would use the different files and how

22:36

they're all meant to link up um and to

22:38

me this strongly suggests that the maare

22:40

author is not the operator which is like

22:43

an interesting thing to know uh in terms

22:45

of this type of

22:49

thing there isn't a lot of time for

22:51

malware talk we're 25 minutes in but

22:53

we'll do a little bit and so you might

22:56

be wondering what is the payload

22:58

delivered uh and more often than not it

23:00

is a variant of what is called the baby

23:02

shark malware which is documented by

23:03

palto in

23:05

2019 and although it has given kind of a

23:07

name and description in that paper in

23:09

practice the industry uses it to

23:10

describe any malware that uses this

23:13

function uh so it's a VB script function

23:15

that uh does an alphabet swap um and

23:18

those scripts have varying functionality

23:20

sometimes they perform some

23:21

reconnaissance on the host sometimes

23:23

they simply download an execute a file

23:25

they do it using different mechanisms

23:26

but generally speak it seems to me that

23:28

the industry has settled on this

23:30

decoding mechanism means baby Shar which

23:33

is fine by

23:34

me and I think it's actually quite a

23:36

clever piece of encoding in terms of how

23:39

it does the work so it's got that

23:41

encoding function it's got a big blob of

23:43

text and it executes the blob of text

23:45

which could contain anything um but I'm

23:47

not really sure if there's any other

23:48

attacker who is doing this particular

23:50

type of encoding so if you take the

23:52

string hello world I think it's worth

23:53

explaining how it would work it

23:55

transposes it into a matrix uh which can

23:57

be of any size uh but in this case they

23:59

chose length of

24:01

three uh and if you go down the columns

24:04

you can see it's spelling hello world

24:05

and then it simply joins The Columns

24:07

back up horizontally uh and that's how

24:09

you get the string on the right which is

24:10

the encoded text and it performs the

24:12

reverse operation the other

24:15

way and beyond that what you get is

24:17

quite a lot of different malware that is

24:19

too much to describe in one talk suffice

24:22

to say that when we investigated one

24:24

compromised device in 2022 we found five

24:27

different one line of scripts all of

24:28

which was like completely different

24:30

which is download to aimed to download

24:32

and execute some remote content uh Miss

24:35

Daisy and then sharp EXT which is the

24:37

most important one from my point of

24:40

view uh so sharp EXT really helps them

24:43

actually achieve their goal so they want

24:45

to steal mail data uh and sharp EXT uses

24:48

the unique position of being an

24:49

installed browser extension to do

24:52

that and essentially what it means is

24:54

when the user opens their browser and

24:56

they have this m installed

24:58

uh the extension will log into their

25:00

Gmail as though it were in the browser

25:03

it will read all the email as though it

25:05

was inside the browser and send it to

25:06

the attacker and so the key thing here

25:09

is that one of the main things that

25:10

stops these attacks from being

25:12

successful is that the big Web Mail

25:14

providers whether it's Google AOL

25:16

Microsoft are looking for kind of

25:18

erroneous patterns in terms of activity

25:20

to use this mailboxes and then they can

25:22

alert those users about suspicious

25:24

activity but by doing it from within the

25:26

context of the browser extension um the

25:30

attackers are able to kind of just

25:31

completely remove all that because from

25:32

the big Web Mail providers point of view

25:34

it just looks like the user is accessing

25:36

their web mail from the correct IP using

25:38

the correct user agent uh and so it's

25:41

relatively good at avoiding that kind of

25:46

detection in terms of uh the Outlook and

25:48

what people can do to identify this uh I

25:51

have a couple thoughts so I think um

25:55

people talk about APS advanced

25:56

persistent threats but sharpan sharine

25:59

might not be so hot on the a but they

26:01

are very hot on the p uh so they are

26:04

very good at taking a Target figuring

26:06

out who they talk to uh who they already

26:09

know who they don't know so they can

26:10

figure out who to impersonate when they

26:11

talk to that person um and they target

26:15

those people again and again

26:16

relentlessly and maybe you think none of

26:18

the examples I showed you in terms of

26:20

fishing emails are like going to fool

26:22

you but if you receive three of those

26:24

three times a week or like you receive

26:27

three emails a week like that for a

26:29

whole year eventually one of them is

26:30

going to slip through the cracks

26:32

especially when you consider that this

26:33

is quite close to a normal interaction

26:35

for these

26:37

people um and there are very few threat

26:39

actors that we know about that take time

26:41

to invest in a conversation before

26:43

delivering any malware most direct

26:44

actors are just happy to send the

26:47

malware straight away or after one or

26:48

two messages there's only maybe I can

26:50

count on one hand the number of tracks

26:52

as we track that would do uh 10 12

26:55

messages before sending an email we

27:00

targeting users personal devices in

27:02

email makes detection difficult um so a

27:05

lot of the times we'll find an infection

27:08

from this group amongst our customer

27:09

base and when we Trace down the root

27:11

cause we'll figure out that the user

27:13

used the personal web mail on their work

27:15

laptop and so we had no visibility of

27:17

any of the emails we just see the malare

27:18

that ends up and we have to retrace all

27:20

of the fishing that took place

27:23

before um and even more difficult on

27:26

personal devices so sometimes uh the

27:29

entire activity takes place off network

27:31

but then the user comes in uses the

27:32

guest Wi-Fi in the work setting and then

27:35

gets picked up that

27:37

way and this makes it difficult not just

27:39

for us but for governments who are

27:40

actually wishing to identify and notify

27:42

users as well so if you think about like

27:44

NCSE in the UK uh trying to notify

27:47

various North Korea experts is that type

27:49

of problem is also more difficult and

27:51

this is a real risk in sectors where

27:53

personal use for device use for work is

27:55

common um you might think think it's

27:58

like you think the users should change

28:00

but if you're working in security and

28:02

you still think the users should change

28:03

I've got bad news the users are not

28:05

going to change uh you just have to

28:07

change your workface to try and deal

28:08

with it

28:10

um and essentially once a user is

28:13

compromised with relatively firmly

28:15

believe that no automated solution will

28:17

fix things so uh most of the time the

28:20

users that get compromised have some AV

28:22

installed and maybe the AV just hexs

28:25

four of the seven malware families which

28:27

would be a not bad result the problem is

28:29

that there are still three mware

28:30

families remaining the next day the

28:32

attacker will just go and install three

28:33

more and keep a very high number of ma

28:36

families running concurrently or running

28:38

on like a schedule each day to download

28:40

a new payload and we think it's very

28:42

unlikely that once infected a machine

28:44

will ever be truly made clean without

28:47

human Intervention which is excellent

28:48

from the attacker's point of

28:50

view and essentially the only way that

28:52

we've really been able to mitigate this

28:54

is by working closely with users so

28:56

often the specific users is they get

28:58

targeted are targeted again and again

29:00

and we're able to build a relationship

29:01

with them explain what this looks like

29:03

make it make them feel comfortable

29:04

reporting it things like

29:07

that all right that's all I have for

29:10

today thank you for your

29:12

[Applause]

29:14

time
