Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
by Brian Bartholomew and Juan Andres Guerrero-Saade
- Kaspersky Lab, USA, 2017
This paper outlines deception techniques used by various APT groups.
| Remark |
|---|
| in the wild |
| attribution |
| hacking back |
| GReAT |
| attribution is hard |
| threat actor |
| infrastructure reuse as attribution |
| IP address as attribution |
| hostname as attribution |
| even well-resourced TAs reuse infrastructure |
| overlapping infrastructure |
| command and control |
| threat actor clusters |
| threat intelligence |
| Portable Executable |
| timestamps |
| PE files contain compilation timestamps! |
| PE file compilation timestamps can be altered. |
| PE file compilation timestamps can be used to track the development of malware over time. |
| PE file compilation timestamps can be used to determine rough geographic location of an actor. |
| strings |
| strings as attribution |
| debug path (pdb) |
| pdb often contains a username |
| pdb often contains project names in another language |
| pdb often reveals internal naming conventions such as tool names or campaign names. |
| dropper |
| some binary resources contain language IDs that can be used for attribution (PDF/Word doc created in Russian) |
| metadata |
| phishing |
| virtual machines |
| pirated software |
| threat actors using open source or leaked tools to muddy attribution |
| zero-day/0-day |
| Tor |
| attackers often make mistakes when using Tor or anonymizing services |
| WildPositron malware - Lazarus |
| Lazarus aka DarkSeoul, Operation Troy, WildPositron, TEMP.Hermit |
| malware: Destover, Duuzer, Hangman, SpaSpe |
| Turla |
| code reuse as attribution |
| yara |
| passwords as attribution |
| hard-coded |
| sandbox detection |
| dropper |
| exploits |
| exploits/0-day as attribution |
| 0-day as an indicator of attacker sophistication |
| Equation Group |
| CVE-2013-3918 |
| Aurora group |
| cyberespionage |
| DarkHotel |
| the target of an attack itself can be used to determine attribution or attacker sophistication |
| RUMINT |
| Inception malware - Blue Coat |
| Cloud Atlas previously tracked as Red October |
| geolocation of IP addresses |
| implants |
| Wild Neutron aka Morpho, Butterfly, ZeroWing, Jripbot |
| Java |
| CVE-2013-0422 |
| watering hole |
| Flash |
| Bitcoin |
| iOS |
| Linux |
| hacktivism |
| Sony Pictures Entertainment |
| Guardians of Peace |
| JoongAng Daily |
| Master Boot Record |
| WhoIs Team |
| New Romantic Cyber Army |
| FireEye |
| Sofacy |
| plausible deniability |
| CyberBerkut |
| NATO |
| CyberCaliphate |
| USCENTCOM |
| YouTube |
| Albuquerque Journal |
| Newsweek |
| WBOC Maryland |
| TV5 Monde |
| ISIS |
| Yemen Cyber Army (YCA) |
| Houthi |
| AlHayat |
| Wikileaks |
| Mujahideen |
| Turkey |
| Iran |
| China |
| Russia |
| United States |
| Germany |
| France |
| United Kingdom |
| Yandex |
| Duqu 2.0 |
| CrySyS Lab |
| Stuxnet |
| CVE-2015-2360 |
| persistence |
| NDIS |
| termport.sys |
| magic string |
| termport.sys |
| romanian.antihacker magic string within termport.sys |
| ugly.gorilla string within 64-bit termport.sys |
| Comment Crew/APT1 |
| Wang Dong/Jack Wang/Ugly Gorilla |
| PLA |
| TigerMilk |
| Peru |
| CVE-2012-0158 |
| credential-stealing malware |
| position-independent |
| explorer.exe |
| web browser |
| digital certificate |
| Realtek |
| stolen Realtek certificate |
| Europe |
| Eastern Europe |
| Wipbot |
| Quarian malware as a deception technique by Turla |
| Beijing |
| credential dumps |
| botnet |
| pcap or gtfo |
| SIGINT |