TY - GEN
T1 - Evidence of advanced persistent threat
T2 - 6th International Conference on Malicious and Unwanted Software, Malware 2011
AU - Li, Frankie
AU - Lai, Anthony
AU - Ddl, Ddl
PY - 2011
Y1 - 2011
N2 - A political figure in Hong Kong continuously receives spear-phishing emails that encourage clicking on shortcuts or opening attachments with file extensions such as .pdf, .doc(x), .xls(x), .chm, and so on. He suspects that such emails were actively sent from seemingly known parties during the pre- and post-election periods. The emails and samples were sent to us for investigation, and two nearly identical samples were chosen for the case study. These malware samples appear to be the first Advanced Persistent Threat (APT) incident to undergo detailed study in Hong Kong. APT is defined by MANDIANT as a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target or entity for a prolonged period. The malware performs functions similar to those of "Operation Shady RAT": it attempts to hide itself from known anti-virus programs, downloads and executes additional binaries, enumerates all file information on the hard disk, gathers email and instant messaging passwords from victims, collects screen captures, establishes outbound encrypted HTTP connections, sends all gathered intelligence to a command-and-control server, and deletes all temporary files of the collected information from the victims' machines after uploading. The forensic findings lead us to believe that APT is a real threat in Hong Kong.
AB - A political figure in Hong Kong continuously receives spear-phishing emails that encourage clicking on shortcuts or opening attachments with file extensions such as .pdf, .doc(x), .xls(x), .chm, and so on. He suspects that such emails were actively sent from seemingly known parties during the pre- and post-election periods. The emails and samples were sent to us for investigation, and two nearly identical samples were chosen for the case study. These malware samples appear to be the first Advanced Persistent Threat (APT) incident to undergo detailed study in Hong Kong. APT is defined by MANDIANT as a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target or entity for a prolonged period. The malware performs functions similar to those of "Operation Shady RAT": it attempts to hide itself from known anti-virus programs, downloads and executes additional binaries, enumerates all file information on the hard disk, gathers email and instant messaging passwords from victims, collects screen captures, establishes outbound encrypted HTTP connections, sends all gathered intelligence to a command-and-control server, and deletes all temporary files of the collected information from the victims' machines after uploading. The forensic findings lead us to believe that APT is a real threat in Hong Kong.
UR - http://www.scopus.com/inward/record.url?scp=84855859636&partnerID=8YFLogxK
U2 - 10.1109/MALWARE.2011.6112333
DO - 10.1109/MALWARE.2011.6112333
M3 - Conference Paper published in a book
AN - SCOPUS:84855859636
SN - 9781467300339
T3 - Proceedings of the 2011 6th International Conference on Malicious and Unwanted Software, Malware 2011
SP - 102
EP - 109
BT - Proceedings of the 2011 6th International Conference on Malicious and Unwanted Software, Malware 2011
Y2 - 18 October 2011 through 19 October 2011
ER -