Cybernatural Disaster: Icefog (For Sharing)

For ZeroNights Conference (Russia)
by

Vitaly Kamluk

on 18 November 2013


Transcript of Cybernatural Disaster: Icefog (For Sharing)

Cybernatural Disaster: Icefog
Vitaly Kamluk
Principal Security Researcher
Kaspersky Lab
Exploit.MSWord.CVE-2012-0158.bu
Another targeted email
money.cnnpolicy.com
www.securimalware.net/info/update.exe
Infection Vector #2: Java Exploit
1. C:\Program Files\Internet Explorer\sxs.dll (alongside Internet Explorer: C:\Program Files\Internet Explorer\iexplore.exe)
2. C:\Windows\sxs.dll
3. C:\Windows\System32\sxs.dll
Infection Vector #1: MS Office exploit
Infection Vector #3: MS HLP files
MS HLP "non-exploit" operation:
1. Register Routine (RR):
- VirtualAlloc
- strncpy
- CreateThread
2. Jump to the shellcode via above API calls
Infection Vector #4: HWP Exploit
Icefog Daggers Collection (Win32)
Type 1
Type 2
Type 3
Type 4
Type 0
Type NG
Type 1 C&C Admin Panel
Icefog-NG Server App
Operator Activity Logs
Loading Type 2 backdoor
Icefog Server Structure
Attacked Organizations
1. Military Contractors, Associations, Govt. Organizations
2. Telecom Operators
3. Maritime and Shipbuilding Companies
4. Media Companies
5. Hi-Tech Companies
Macfog
Campaigns
Attacker's "Modus Operandi"
1. List My Documents, drive roots
2. Collect network adapters configuration
3. List local network hosts
4. Dump hashes, grab cached passwords
5. Copy address books
6. Steal HWP, DOC, XLS, PDF docs
7. Infect other local hosts and reiterate.
Source of Attacks
1. China
2. South Korea
3. Japan
Code Artifacts
Admin Panel Page Title
ASPX Code Comments
HTTP Redirect Page
Registrants' Email Addresses
Research Results
goo.gl/7D4dyZ
intelreports@kaspersky.com
Public
Private
Thank you!
Questions?

Cybernatural Disaster:
Icefog

Vitaly Kamluk
Principal Security Researcher
Kaspersky Lab

Vitaly.Kamluk[at]kaspersky.com
Twitter: @vkamluk

DEMO?
http://goo.gl/FKigJw
http://goo.gl/psDqx7
This presentation was modified to enable sharing on public resources.