SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES


1 SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
NOUSHIN SHABAB Senior Security Researcher

2 ABOUT ME Senior Security Researcher at Kaspersky Lab
Areas of interest: APT Attack Investigation Malware Analysis Reverse Engineering Forensics Analysis

3 WHO IS SPRING DRAGON?

4 - Long-running APT actor with a massive scale of operation
- Main targets are countries around the South China Sea
- Active since 2012
- More than 200 C2 servers
- Over 700 customised backdoor samples

5 BACKGROUND OF THE RESEARCH

6 2012: Start of Spring Dragon Attacks

7 STARTED IN 2012 Elise Backdoor was used in cyberespionage attacks against targets in South East Asia

8 2015: Research on Spring Dragon Attack Techniques (2012: Start of Spring Dragon Attacks)

9 2012: Start of Spring Dragon Attacks; 2015: Research on Spring Dragon Attack Techniques. Infiltration Techniques: Spearphish Exploits, Watering Holes, Web Compromises

10 INFILTRATION TECHNIQUES
Spearphish Exploits, Web Compromises, Watering Holes

11 SPEARPHISH EXPLOITS
Adobe Flash Player Exploits, PDF Exploits, MS Word Exploits

12 WATERING HOLES – WEB COMPROMISES
Compromised websites to target organizations in Myanmar

13

14 WATERING HOLES – WEB COMPROMISES
Another technique used against government targets: a spoofed Flash installer website

15

16 2017: Research on Spring Dragon capabilities and tools (2012: Start of Spring Dragon Attacks; 2015: Research on Spring Dragon Attack Techniques)

17 2012: Start of Spring Dragon Attacks; 2015: Research on Spring Dragon Attack Techniques; 2017: Research on Spring Dragon capabilities and tools: Victims, Tools, C2 Servers, Possible origins of Spring Dragon

18 IN THE BEGINNING OF 2017
- News about new attacks arrived from a research partner in Taiwan
- Kaspersky Lab decided to investigate the attacker's techniques and review their toolset

19 SPRING DRAGON VICTIMS

20 WHO ARE THE VICTIMS
- High-profile governmental organisations
- Political parties
- Educational institutions and universities
- Telecommunication industry

21 GEOGRAPHIC MAP OF THE VICTIMS

22 SPRING DRAGON TOOLSET

23 SPRING DRAGON SET OF BACKDOORS
Elise Backdoor, Backdoor Loader, Emissary Backdoor, Backdoor Installer, Backdoor Injector, ShadowLess Backdoor (midimap Hijacker)

24 BACKDOOR LOADER TOOL
The Backdoor Loader module has the main backdoor DLL contents encrypted and embedded. The backdoor module connects to the C2 servers. It also creates a service for the loader module.

25 BACKDOOR LOADER TOOL: DECODING
Each sample has a customised config block, encoded inside the loader module. The loader module pushes the config block onto the stack before loading the backdoor. The backdoor module then decodes the config block.

26 BACKDOOR INJECTOR TOOL
This module is similar to the Backdoor Loader module, with an extra feature to inject itself into a target process. It looks for the default web browser, injects its own file into the web browser process and loads the backdoor inside that process.

27 BACKDOOR TOOLS
Backdoor modules are either encrypted and embedded in the Installer, Backdoor Loader and Backdoor Injector modules, or, in older samples, attached to installer modules as a resource entry in plain text.

28 BACKDOOR TOOLS
Different backdoor samples have a customised set of C2 server addresses and customised service details encrypted inside the loader or installer modules. Almost all the backdoor families share a similar structure for the C2 configuration data after decryption.

29 BACKDOOR TOOLS
Some backdoor families use hardcoded user-agent strings while communicating with their C2 servers. Some backdoor families use specific GET requests when contacting their C2 servers.
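Fixed user-agent strings and repetitive GET requests are exactly the kind of artefact a proxy log can expose. The following is an added detection example, not code from the presentation or from Kaspersky Lab: it parses a few constructed proxy log lines (a simplified, assumed format) and flags a host whose user-agent is seen from nobody else and whose GET requests to one path arrive at a near-constant interval.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (assumed format: epoch client method path "user-agent").
# The user-agent and path values are made up for the example, not real indicators.
SAMPLE_LOG = """\
1490000000 10.0.0.5 GET /index.html "Mozilla/5.0 (Windows NT 10.0) Chrome/57.0"
1490000060 10.0.0.7 GET /update.php?id=1 "Mozilla/4.0 (compatible; MSIE 6.0)"
1490000120 10.0.0.7 GET /update.php?id=1 "Mozilla/4.0 (compatible; MSIE 6.0)"
1490000180 10.0.0.7 GET /update.php?id=1 "Mozilla/4.0 (compatible; MSIE 6.0)"
1490000240 10.0.0.7 GET /update.php?id=1 "Mozilla/4.0 (compatible; MSIE 6.0)"
1490000010 10.0.0.9 GET /news "Mozilla/5.0 (Windows NT 10.0) Chrome/57.0"
1490000700 10.0.0.5 GET /about "Mozilla/5.0 (Windows NT 10.0) Chrome/57.0"
"""
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse(log):
    """Parse log lines into (epoch, host, method, path, user_agent) tuples."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, method, path, ua = m.groups()
            rows.append((int(ts), host, method, path, ua))
    return rows

def find_beacons(rows, min_hits=4, max_jitter=0.2):
    """Return (host, user_agent, path, interval_seconds) for GET streams where the
    user-agent is unique to one host and the request gaps are nearly regular."""
    by_key = defaultdict(list)          # (host, ua, path) -> request times
    for ts, host, method, path, ua in rows:
        if method == "GET":
            by_key[(host, ua, path)].append(ts)
    ua_hosts = defaultdict(set)          # ua -> set of hosts that sent it
    for host, ua, _path in by_key:
        ua_hosts[ua].add(host)
    hits = []
    for (host, ua, path), times in by_key.items():
        if len(times) < min_hits or len(ua_hosts[ua]) > 1:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low coefficient of variation in the gaps means a timer-driven beacon.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((host, ua, path, round(avg)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse(SAMPLE_LOG)):
        print("possible C2 beacon:", hit)
```

On real traffic, combine the unique-user-agent test with an allowlist of the browsers and updaters actually deployed in the environment, otherwise every single-seat tool becomes a false positive.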

30 BACKDOOR TOOLS
Backdoor Capabilities:
- Update the C2 configuration on the victim's system in order to connect to new servers
- Steal any type of file from the victim's machine and upload it to the C2 servers
- Download more malicious files from the C2 servers to the victim's machine
- Load and run a DLL module
- Unload a previously loaded DLL module, which allows the backdoor to uninstall itself or to unload other applications' DLLs to disrupt their functionality
- Run any executable file on the victim's system, which allows the installation of further modules
- Execute different system commands on the victim's machine to collect more information from the victim

31 EVOLUTION OF SPRING DRAGON TOOLSET (2012 to 2017)
- Start of the attacks with Elise Backdoor variants A, B and C
- Start of Emissary Backdoor
- Obfuscation
- End of Elise Backdoor variants A, B and C
- Start of Elise Backdoor variant D, Backdoor Loader and Backdoor Injector modules
- New feature was introduced to escalate privileges
- ShadowLess Backdoor was introduced
- More features were added; more obfuscation was applied to backdoor code

32 SPRING DRAGON C2 SERVERS

33 C2 INFRASTRUCTURE
The attackers have registered domain names and used IP addresses from different geographical locations to hide their real location. More than 40% are located in Hong Kong, followed by the US, Germany, China and Japan.

34 POSSIBLE ORIGINS OF SPRING DRAGON

35 HISTOGRAM OF MALWARE TIMESTAMPS (GMT+8 TIMEZONE)
A second group of malware developers: either (1) working from another timezone, or (2) working on a second shift.
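The slide's argument rests on bucketing compile timestamps by hour of day in a candidate timezone and looking for one or more clusters of activity. As an added example, not the presentation's own data or code, this builds a GMT+8 hour histogram from constructed timestamps and groups the active hours into blocks, so a second block (a second shift or a second team) shows up as a second entry.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

GMT8 = timezone(timedelta(hours=8))

def make_samples():
    """Constructed PE compile timestamps (Unix epoch), not the presentation's data:
    five weekdays with builds every hour 09:00-17:00 GMT+8 plus a late 21:00-22:00 block."""
    base = datetime(2016, 3, 7, tzinfo=GMT8)  # a Monday, chosen arbitrarily
    samples = []
    for day in range(5):
        for hour in list(range(9, 18)) + [21, 22]:
            samples.append(int((base + timedelta(days=day, hours=hour)).timestamp()))
    return samples

def hour_histogram(timestamps, tz=GMT8):
    """Count samples per hour of day after converting each epoch to the given timezone."""
    counts = Counter(datetime.fromtimestamp(t, tz).hour for t in timestamps)
    return [counts.get(h, 0) for h in range(24)]

def active_blocks(hist, min_share=0.02):
    """Group consecutive hours holding more than min_share of all samples into
    (start_hour, end_hour, count) blocks. One block looks like a single working day;
    two separated blocks are the pattern the slide reads as another team or shift."""
    total = sum(hist) or 1
    blocks, start, run = [], None, 0
    for h in range(25):                      # 25 so a block ending at 23:00 is closed
        active = h < 24 and hist[h] / total > min_share
        if active and start is None:
            start, run = h, 0
        if active:
            run += hist[h]
        elif start is not None:
            blocks.append((start, h - 1, run))
            start = None
    return blocks

if __name__ == "__main__":
    hist = hour_histogram(make_samples())
    for h, n in enumerate(hist):
        print(f"{h:02d}:00 {'#' * n}")
    print("active blocks (GMT+8):", active_blocks(hist))
```

Rerunning hour_histogram with a different tz shows why the timezone choice matters: the same samples viewed in UTC shift eight hours earlier, and only one candidate zone places both blocks at plausible working hours.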

36 CONCLUSION
- Spring Dragon is a long-running APT actor with a massive scale of operation
- The attackers have been constantly developing and improving their tools since 2012
- Main targets have been in different countries and territories in the APAC region

37 CONCLUSION
Spring Dragon is going to continue resurfacing regularly in the APAC region with more tools and new targets. STAY VIGILANT! THE NEXT TARGET MIGHT BE US!

38 LET'S TALK? @NoushinShbb
