Masked APT: Attack Campaign Assessment - By nEINEI  Time: 2014-02-11

1) "The Mask" is a cyber-espionage operation that began in 2007, possibly earlier, and has remained active ever since.
2) Its main targets include government institutions, diplomatic offices, energy and oil-and-gas companies, private equity firms and activists, across more than 31 countries in North and South America, China, Europe, West Asia and elsewhere.

Symptoms

The module contains hardcoded locations of the files that are removed and registry keys to be removed or restored.

For SGH, these are:
HKLM\SYSTEM\*ControlSet*\Services\scsimap
%systemroot%\System32\bootfont.bin
c:\Windows\System32\bootfont.bin
%systemroot%\System32\drivers\scsimap.sys
c:\Windows\System32\drivers\scsimap.sys

For Careto, it first determines the location of the main module by reading the registry value from:
HKLM/HKCU\SOFTWARE\CLASSES\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}

The main module is removed and the original registry value is restored from the registry key:
SOFTWARE\CLASSES\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32

%system%\objframe.dll
%system%\shlink32.dll
%system%\shlink64.dll
cdllait32.dll
cdllait64.dll
cdlluninstallws32.dll
cdlluninstallws64.dll
cdlluninstallsgh32.dll
cdlluninstallsgh64.dll
%system%\c_50225.nls
%system%\c_50227.nls
%system%\c_50229.nls
%system%\c_51932.nls
[HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32]

Related sample information:
1f40751f3db07f88c2ffe95b6a5fde86
4dae42d1b80c85b396546ed02a00e328
da1ad4e088ba921c0420428b1f73d5ca
1f40751f3db07f88c2ffe95b6a5fde86
02e75580f15826d20fffb43b1a50344c
1342ac151eea7a03d51660bb5db018d9

Minimal closed attack sample set: the exploit file is missing.
rat for mac: 0710be16ba8a36712c3cac21776c8846e29897300271f09ba0a41983e370e1a0120f9ed8431a24c14b60003260930c37, size = 89828

Attack capability calculation:
The Mask has been disclosed as extremely sophisticated spyware, and many of its samples could not be collected. Based on Kaspersky's analysis report, and on the code volume that a program of this complexity would normally need to implement this amount of functionality, Masked is assigned an estimated volume of 500k.

k = 2 (normal range of security awareness)
a = 3 (no user interaction)
s = 1 (spear phishing, watering-hole attacks)
m = 10 (code injection, custom trojans, rootkit, weapon suite, extremely broad espionage functionality, attacks on security software, infection of specific targets, highly difficult and complex technical implementation, special persistence and stealth, very hard to crack)
p = 3 (attacks 3 platforms: Windows/Android/Mac)
x = 4+5+3 (forged digital signatures, the 0day vulnerability CVE-2012-0773, and previously unseen attack techniques)

Attack capability = (a+s+m+p)^k * (1+x)^2 + c

AT = (3 + 1 + 10 + 3)^2 * (1+4+5+3)^2 + (89828)/1024 + 500
   = 17^2 * (13^2) + 377
   = 48841 + 589
   = 49430
   ==> 49430 * 1000 / 1279625 (one T of attack capability) = 38.628T

References:
1. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf
2. "On the Nature of Advanced Threats and the Quantification of Attack Capability" - www.vxjump.net/files/aptr/aptr.txt
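As an added example (my own code, not part of the original note or of the referenced paper), the capability formula used above written as a small Python model, so the same weighting can be reproduced for The Mask and applied to other campaigns. The factor names, weights, sample size and the 1279625 divisor are the note's; the class and method names are my own, and the c term is computed as size/1024 + 500 directly, without the rounding in the note's intermediate steps.

```python
from dataclasses import dataclass, replace

T_UNIT = 1279625      # divisor the note uses for one "T" of attack capability
BYTES_PER_KB = 1024   # sample size in the c term is expressed in KB


@dataclass
class Campaign:
    """One scored campaign: AT = (a+s+m+p)^k * (1+x)^2 + c."""
    k: int              # defender awareness exponent (2 = normal range)
    a: int              # user interaction required (3 = none)
    s: int              # delivery channel (1 = spear phishing / watering hole)
    m: int              # malware sophistication (rootkit, anti-AV, persistence ...)
    p: int              # number of platforms attacked
    x: list             # bonus items, e.g. [4, 5, 3] = forged signatures, 0day, novel tradecraft
    sample_bytes: int   # size of the collected sample(s) in bytes
    missing_kb: int = 0 # estimated size of samples that could not be collected, in KB

    def base(self) -> int:
        """(a+s+m+p)^k: the core technique term."""
        return (self.a + self.s + self.m + self.p) ** self.k

    def bonus(self) -> int:
        """(1+x)^2: multiplier for extras such as 0days and forged signatures."""
        return (1 + sum(self.x)) ** 2

    def c(self) -> float:
        """Code-volume term: collected bytes in KB plus the estimated uncollected volume."""
        return self.sample_bytes / BYTES_PER_KB + self.missing_kb

    def score(self) -> float:
        return self.base() * self.bonus() + self.c()

    def t_units(self) -> float:
        """Normalise the raw score to the note's T unit."""
        return self.score() * 1000 / T_UNIT

    def without_bonus(self, item: int) -> "Campaign":
        """Same campaign with one bonus item dropped, to see how much it contributes."""
        xs = list(self.x)
        xs.remove(item)
        return replace(self, x=xs)


# Parameters exactly as assigned to The Mask in the note above.
MASK = Campaign(k=2, a=3, s=1, m=10, p=3, x=[4, 5, 3],
                sample_bytes=89828, missing_kb=500)

if __name__ == "__main__":
    print(f"base={MASK.base()} bonus={MASK.bonus()} c={MASK.c():.1f}")
    print(f"AT={MASK.score():.1f} -> {MASK.t_units():.3f}T")
    print(f"without the 0day: AT={MASK.without_bonus(5).score():.1f}")
```

Dropping the single 0day item (weight 5) cuts the bonus multiplier from 13^2 to 8^2, which shows how heavily the model weights exploit capability relative to the core technique term.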