Cybernatural Disaster: Icefog (For Sharing)

For ZeroNights Conference (Russia)

Vitaly Kamluk

on 18 November 2013


Cybernatural Disaster: Icefog
Vitaly Kamluk
Principal Security Researcher
Kaspersky Lab
Another targeted email
Infection Vector #2: Java Exploit
Search order in which Internet Explorer (C:\Program Files\Internet Explorer\iexplore.exe) resolves sxs.dll; a copy planted at position 1 is loaded ahead of the system copy:
1. C:\Program Files\Internet Explorer\sxs.dll
2. C:\Windows\sxs.dll
3. C:\Windows\System32\sxs.dll
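The sxs.dll slide shows a DLL search-order hijack: whichever candidate exists first in the loader's search order wins, so a file dropped into the Internet Explorer directory shadows the legitimate copy. The check below is an added example for this transcript, not Kaspersky's tooling. It takes the search order exactly as listed on the slide, assumes the legitimate copy lives in System32, and uses a constructed list of "files present on disk" so it runs offline; on a real Windows host, feed it the result of live_present() instead.

```python
"""
DLL search-order check for the sxs.dll case on the slide: Internet Explorer
looks for sxs.dll in its own directory before the Windows directories, so a
copy planted there is loaded instead of the legitimate one.

Added example for this transcript, not Kaspersky's tooling. The search order
is taken from the slide; the set of files on disk is constructed here so the
check runs offline (use live_present() on a real host).
"""
from typing import Iterable, List, Optional

# Load order shown on the slide for iexplore.exe resolving sxs.dll.
SXS_SEARCH_ORDER: List[str] = [
    r"C:\Program Files\Internet Explorer\sxs.dll",
    r"C:\Windows\sxs.dll",
    r"C:\Windows\System32\sxs.dll",
]
# Where the legitimate copy is expected to live (assumption for this example).
LEGITIMATE_SXS = r"C:\Windows\System32\sxs.dll"


def resolve_dll(search_order: Iterable[str], present: Iterable[str]) -> Optional[str]:
    """Return the first candidate that exists, i.e. the one the loader would pick.

    Windows paths are case-insensitive, so compare lowercased.
    """
    present_lc = {p.lower() for p in present}
    for candidate in search_order:
        if candidate.lower() in present_lc:
            return candidate
    return None


def hijack_verdict(search_order: Iterable[str], present: Iterable[str],
                   legitimate: str = LEGITIMATE_SXS) -> str:
    """'clean' if the legitimate copy wins, 'missing' if nothing resolves,
    otherwise 'hijacked:<path>' naming the file that shadows it."""
    winner = resolve_dll(list(search_order), present)
    if winner is None:
        return "missing"
    if winner.lower() == legitimate.lower():
        return "clean"
    return f"hijacked:{winner}"


def live_present(search_order: Iterable[str]) -> List[str]:
    """On a real Windows host, collect which candidates actually exist."""
    import os
    return [p for p in search_order if os.path.exists(p)]


if __name__ == "__main__":
    # Constructed file sets: a clean host, and one with the planted copy.
    clean_host = [LEGITIMATE_SXS]
    infected_host = [SXS_SEARCH_ORDER[0], LEGITIMATE_SXS]
    print(hijack_verdict(SXS_SEARCH_ORDER, clean_host))     # clean
    print(hijack_verdict(SXS_SEARCH_ORDER, infected_host))  # hijacked:C:\Program Files\Internet Explorer\sxs.dll
```

The same function works for any (search order, legitimate location) pair, so it can be pointed at other application directories once the loader's actual order for that binary is known; the verdict only says which file would be loaded, not whether it is malicious, so a "hijacked" result still needs the shadowing file examined.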
Infection Vector #1: MS Office exploit
Infection Vector #3: MS HLP files
MS HLP "non-exploit" operation (no memory-corruption bug is needed; WinHelp macros do the work):
1. Register Routine (RR) macros expose Win32 exports as callable help-file macros:
- VirtualAlloc
- strncpy
- CreateThread
2. Jump to the shellcode via the above API calls
Infection Vector #4: HWP Exploit
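The HLP vector above needs no exploit because WinHelp lets a help file register arbitrary DLL exports with the RegisterRoutine ("RR") macro and then call them. A file that registers VirtualAlloc, strncpy and CreateThread has no legitimate reason to do so, which makes the macro text itself a hunting signal. The scanner below is an added example for this transcript, not Kaspersky's code. It assumes the WinHelp header magic 0x00035F3F (bytes 3F 5F 03 00) and matches RR macros as plain strings, so macros sitting inside compressed topic data would be missed; the sample file bytes are constructed, not a real dropper.

```python
"""
Heuristic scanner for WinHelp (.hlp) files that register raw Win32 exports
through RegisterRoutine ("RR") macros, the "non-exploit" chain on the slide:
RR makes VirtualAlloc / strncpy / CreateThread callable from the help file,
and the macros then build and start the shellcode with them.

Added example for this transcript, not Kaspersky's code. Assumptions: the
WinHelp header magic is 0x00035F3F (bytes 3F 5F 03 00); macro text is
matched as plain strings, so macros inside compressed topic data would not
be seen. The sample bytes are constructed, not a real dropper.
"""
import re
from typing import List, Tuple

HLP_MAGIC = b"\x3f\x5f\x03\x00"

# RR("dll", "export", "format") is the WinHelp abbreviation of RegisterRoutine.
RR_MACRO = re.compile(
    rb'\bRR\s*\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)',
    re.IGNORECASE,
)

# Exports a help file has no business registering; extend as needed.
SUSPICIOUS_EXPORTS = {
    "virtualalloc", "virtualprotect", "strncpy", "memcpy",
    "createthread", "writeprocessmemory", "winexec",
}


def is_hlp(data: bytes) -> bool:
    """True if the blob carries the WinHelp header magic."""
    return data.startswith(HLP_MAGIC)


def registered_routines(data: bytes) -> List[Tuple[str, str]]:
    """(dll, export) for every RR macro found; empty if not a WinHelp file."""
    if not is_hlp(data):
        return []
    return [
        (m.group(1).decode("latin-1"), m.group(2).decode("latin-1"))
        for m in RR_MACRO.finditer(data)
    ]


def suspicious_routines(data: bytes) -> List[str]:
    """Registered exports that appear in SUSPICIOUS_EXPORTS, in file order."""
    return [exp for _, exp in registered_routines(data)
            if exp.lower() in SUSPICIOUS_EXPORTS]


# Constructed samples (not real files): header magic, padding, then macro text.
SAMPLE_MALICIOUS_HLP = HLP_MAGIC + b"\x00" * 12 + b"".join([
    b'RR("kernel32.dll","VirtualAlloc","UUUU")',
    b'RR("msvcrt.dll","strncpy","UUU")',
    b'RR("kernel32.dll","CreateThread","UUUUUU")',
])
SAMPLE_BENIGN_HLP = HLP_MAGIC + b"\x00" * 12 + b'RR("user32.dll","MessageBeep","U")'
NOT_AN_HLP = b"MZ\x90\x00" + b"\x00" * 12


if __name__ == "__main__":
    samples = [("malicious", SAMPLE_MALICIOUS_HLP),
               ("benign", SAMPLE_BENIGN_HLP),
               ("pe", NOT_AN_HLP)]
    for name, blob in samples:
        print(name, registered_routines(blob), suspicious_routines(blob))
```

Run it over a directory of .hlp attachments and triage any file where suspicious_routines() is non-empty; a benign help file registering one UI helper will not trip it, whereas the allocate-copy-execute triple on the slide will.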
Icefog Daggers Collection (Win32)
Type 1
Type 2
Type 3
Type 4
Type 0
Type NG
Type 1 C&C Admin Panel
Icefog-NG Server App
Operator Activity Logs
Loading Type 2 backdoor
Attacked Organizations
1. Military Contractors, Associations, Govt. Organizations
2. Telecom Operators
3. Maritime and Shipbuilding Companies
4. Media Companies
5. Hi-Tech Companies
Icefog Server Structure
Attacker's "Modus Operandi"
1. List My Documents, drive roots
2. Collect network adapters configuration
3. List local network hosts
4. Dump hashes, grab cached passwords
5. Copy address books
6. Steal HWP, DOC, XLS, PDF docs
7. Infect other local hosts and repeat from step 1.
Source of Attacks
1. China
2. South Korea
3. Japan
Code Artifacts
Admin Panel Page Title
ASPX Code Comments
HTTP Redirect Page
Registrants' Email Addresses
Research Results
Thank you!


Twitter: @vkamluk

This presentation was modified to enable sharing on public resources.