PISA Journal
Professional Information Security Association
Targeted Attack Analysis : Know Your Enemy
Figure 2: Detailed Technical Analysis
dress(es) of CnC server(s). The analysis (see Figure 2) shows that once the .xls file is executed, a file named dmadmin.exe is created at %UserProfile%\Local Settings\dmadmin.exe with hash value fb850b70f45494b47020272c6bf72e94. The file runs inside the svchost.exe process and masquerades as an Adobe application executable. Meanwhile, a registry entry HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\dmadmin is added so that the file is launched automatically after the operating system reboots.
Figure 3: Identified Exploit
From Figure 3, we can identify that the exploit used by the .xls file is CVE-2012-0754, which targets a vulnerability in Adobe Flash Player. The affected platforms are not limited to Windows; MacOS and Android are affected as well.
From Figures 1 to 3, it looks as if we could produce a complete analysis. However, the story does not end there: can you tell whether the individual and the enterprise are being targeted or not?
We have analyzed all the submitted samples (around 15,000 up to August 2012) and extracted various pieces of information from them, which together form our signature database. We apply rough set theory [5] to the data extracted from the samples to ensure that the representative information, strings and data are sufficient to match any existing APT attacker group, or to indicate that a sample belongs to a new group.
Figure 4 provides an APT group map, against which we can check whether the submitted suspicious document belongs to any known APT attacker group. It looks like the victim company and individual are targeted by a large-scale APT attacker group.
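As an added illustration of the rough set reduction step and the group matching described in the two paragraphs above (example code written for this page, not code from the PISA article or its authors), the following Python computes reducts over a small constructed decision table of extracted indicators, then uses one reduct to map a new sample to a known group or to report it as unseen. The sample rows, attribute names and the "cve-B" value are constructed placeholders; only "dmadmin.exe" and CVE-2012-0754 come from the analysis above.

```python
from itertools import combinations

# Condition attributes: indicators extracted from each sample (constructed).
ATTRS = ["drop_name", "autorun", "cnc_tld", "exploit"]

# Constructed decision table: sample id -> (indicator values, APT group label).
# "cve-B" is a placeholder value, not a real CVE identifier.
SAMPLES = {
    "s1": ({"drop_name": "dmadmin.exe", "autorun": "HKCU_Run", "cnc_tld": ".net", "exploit": "CVE-2012-0754"}, "G1"),
    "s2": ({"drop_name": "dmadmin.exe", "autorun": "HKCU_Run", "cnc_tld": ".net", "exploit": "CVE-2012-0754"}, "G1"),
    "s3": ({"drop_name": "dmadmin.exe", "autorun": "Service",  "cnc_tld": ".net", "exploit": "CVE-2012-0754"}, "G2"),
    "s4": ({"drop_name": "update.exe",  "autorun": "HKCU_Run", "cnc_tld": ".org", "exploit": "cve-B"}, "G3"),
    "s5": ({"drop_name": "update.exe",  "autorun": "Service",  "cnc_tld": ".org", "exploit": "cve-B"}, "G3"),
    "s6": ({"drop_name": "dmadmin.exe", "autorun": "HKCU_Run", "cnc_tld": ".org", "exploit": "cve-B"}, "G3"),
}

def indiscernibility_classes(attrs):
    """Partition samples into classes that share the same values on attrs."""
    classes = {}
    for sid, (feats, _) in SAMPLES.items():
        classes.setdefault(tuple(feats[a] for a in attrs), set()).add(sid)
    return list(classes.values())

def dependency(attrs):
    """Fraction of samples whose class under attrs lies entirely in one group."""
    pos = 0
    for cls in indiscernibility_classes(attrs):
        if len({SAMPLES[s][1] for s in cls}) == 1:
            pos += len(cls)
    return pos / len(SAMPLES)

def reducts():
    """Minimal attribute subsets that separate the groups as well as ATTRS does."""
    target, found = dependency(ATTRS), []
    for k in range(1, len(ATTRS) + 1):
        for sub in combinations(ATTRS, k):
            if dependency(sub) == target and not any(set(r) <= set(sub) for r in found):
                found.append(sub)
    return found

def core():
    """Attributes present in every reduct: indicators the signature cannot drop."""
    return set.intersection(*(set(r) for r in reducts()))

def match_group(feats, reduct):
    """Map a new sample to a known group via its reduct values; None if unseen."""
    key = tuple(feats[a] for a in reduct)
    groups = {g for f, g in SAMPLES.values() if tuple(f[a] for a in reduct) == key}
    return groups.pop() if len(groups) == 1 else None
```

On this table the autorun method turns out to be the indispensable indicator (the core), while the drop name alone cannot separate the groups; a sample whose reduct values never appear in the table is reported as None, the case the text treats as a possible new group.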
An Organization for Information Security Professionals