Discretion in APT: Recent APT attack on crypto exchange employees

Heungsoo Kang/LINE

This talk presents an overview of the recent APT attack against employees of cryptocurrency exchanges, including us. The attack started with email spear phishing and continued with a Firefox 0day exploit, then stage1 and stage2 malware. As a former antivirus researcher/red teamer and current security team member, I would like to compare the perspectives of the victim, attacker, and security team.

First, the perspective of the victim. The victim is an experienced blockchain programmer using a MacBook and an iPhone. The attackers were very discreet in their social engineering scheme. He receives an email at his personal account, a proposal to become a member of the review board of a prize. The email was sent through a legitimate university email server and the sender has a nice LinkedIn profile. After some exchange of conversation, he receives a link to the university's site to log in with a temporary id/password. He logs in and gets infected.

Second, the perspective of the attackers as they prepared the attack. The university has a bold web service that can expose every account in the system. The attackers used an undisclosed method to get access to a few accounts, which allowed access to the university's email account and personal web hosting. They made up a LinkedIn profile and added 100+ connections (we all accept connections from strangers, don't we?). After preparing these, the attackers hosted an HTML page for fake awards and put the FF 0day exploit there before starting to send out emails to the set of targets they had collected, who work for blockchain exchanges.

Third, (briefly) the corporate security team's perspective: where we found the attack attempt, where the attackers were good and where they were not.

Lastly, I will share other information, such as malware analysis of stage1 and stage2 and some trivia about their operation like C2 servers, how they evaded surveillance (which might as well be coincidence), etc. Neither malware is obfuscated, and stage1 only had 1 detection in VT at the time. Stage2 is a Qt-based RAT with about 25,000 functions, so I grabbed Qt, OpenSSL, etc. libraries to generate FLIRT signatures, which resulted in 20% of the functions being recognized. The C2 server was hosted by a small VPS service, which accepts Bitcoin for payment.

November 8 at 12:00 - 12:30, Stage B

Heungsoo Kang

I'm a security engineer working for LINE in Korea. I work with many colleagues in LINE to secure LINE's services and infrastructure. I used to work as a malware analyst, a red-team member/security engineer, code (de)obfuscation developer, etc. My interests are reverse engineering, code obfuscation, malware analysis, APT tracking, analyzing exploits, and writing tools for these.