Discretion in APT: recent APT attack on crypto exchange employees

This video by HeungSoo Kang (LINE) was presented on 3 October 2019 at VB2019 in London, UK.

This talk presents an overview of the recent APT attack against employees of cryptocurrency exchanges, including LINE. The attack started with email spear phishing, and continued to a Firefox zero-day exploit, stage 1 and stage 2 malware. As a former anti-virus researcher/red teamer and current security team member, I will compare the perspectives of the victim, the attacker, and the security team.

First, the perspective of the victim. The victim is an experienced blockchain programmer using a MacBook and an iPhone. The attackers were very discreet with their social engineering scheme. The victim receives an email to his personal account – an invitation to become a member of the review board for an industry prize. The email was sent through a legitimate university email server, and the sender has a convincing LinkedIn profile. After some conversation, the victim receives a link to the university's site and is asked to log in with a temporary ID/password. The victim logs in and gets infected.

Second, the perspective of the attackers. The university has a bold web service that can expose every account in the system. The attackers used an undisclosed method to gain access to a few accounts, which gave them the university's email accounts and personal web hosting. The attackers made up a LinkedIn profile and added 100+ connections (we all accept connections from strangers, don't we?). After preparing these, the attackers hosted an HTML page for the fake awards and put the Firefox zero-day exploit there before sending out emails to the set of targets they had collected who worked for blockchain exchanges.

Third, (briefly) the perspective of the corporate security team. I will describe where we found the attack attempt, how we communicated with the victims, where the attackers were good and where they were not.

Finally, I'll share other information, such as an analysis of the stage 1 and stage 2 malware and some trivia relating to their operation, such as their C2 servers, how they evaded surveillance (which might just as well have been coincidence), etc. Neither the stage 1 nor the stage 2 malware was obfuscated, and stage 1 had only one detection in VirusTotal at the time. Stage 2 is a Qt-based RAT with about 25,000 functions, so I grabbed the Qt, OpenSSL and other libraries to generate FLIRT signatures, which resulted in 20% of the functions being recognized. The C2 server was hosted by a small VPS service that accepts Bitcoin for payment.