Brief Analysis on APT Attack through Cryptocurrency Trading Software


APT-C-26 (Lazarus) is an APT group that has been active since 2009. According to research by an overseas security vendor, the group's earliest activity may be linked to "Operation Flame", a large-scale DDoS attack on South Korean government websites in 2007. Lazarus is also suspected to be behind the hack of Sony Pictures in 2014, the theft from Bangladesh Bank in 2016, and other notorious attacks such as the "WannaCry" ransomware that swept across the globe in 2017. Since 2017 the group has been broadening its targets and increasingly pursuing financial gain: where its earlier attacks mainly targeted the banking systems of traditional financial institutions, it now attacks cryptocurrency organizations, related institutions, and individuals worldwide.

Recently, the Advanced Threat Response Team of 360 Core Security discovered an APT attack against cryptocurrency institutions and related individuals. The attack is attributed to APT-C-26 and is suspected to have been carried out by Lazarus. The attackers built a fake cryptocurrency trading application, "Celas Trade Pro", on top of the open-source "Qt Bitcoin Trader" and embedded a backdoor in it for targeted attacks on users of Celas. The software ships in both Windows and Mac versions, so the attack is cross-platform. When started, the software collects information about the user's machine and then downloads malicious code from a remote server and executes it.

[Screenshot: the official website of Celas]

[Screenshot: software promotion email sent to cryptocurrency institutions and related individuals]

The open-source Qt Bitcoin Trader ships only a single main program.

[Screenshot: file listing of the original Qt Bitcoin Trader]

The modified software adds a backdoor module, "Updater". When the trading software starts, the backdoor is launched as well.

[Screenshot: file listing of the modified Celas Trade Pro with the added Updater module]

The backdoor first collects local information, including the process list, registry data, computer name, and system information. It then encrypts the collected data and sends it to the server.

[Screenshot: the backdoor's information-collection routine]

[Screenshot: collecting process information]

[Screenshot: collecting registry data]

[Screenshot: collecting the computer name]

[Screenshot: executing the malicious code returned by the server]

360 Safe Guard already detects and removes the malicious program, and it blocks the distribution site to prevent the malware from spreading further.

[Screenshot: 360 Safe Guard detection and site-blocking alerts]

Appendix: IOCs

MD5

aeee54a81032a6321a39566f96c822f5
b054a7382adf6b774b15f52d971f3799

C&C

https://www.celasllc.com/checkupdate.php
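The following script is an added example (it is not part of the original article and not 360's tooling) showing how a defender can hunt for this campaign with the IOCs above: it hashes every file under an install directory against the MD5 list and scans proxy access logs for the C&C URL, including the CONNECT form in which an HTTPS request appears in a Squid-style log. The log format, file names and all sample lines are constructed for the demo; since the real samples are not available here, the directory-scan demo uses a constructed file's own hash in place of an IOC to show that matching works.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# IOCs taken from the appendix of this article.
IOC_MD5 = {
    "aeee54a81032a6321a39566f96c822f5",
    "b054a7382adf6b774b15f52d971f3799",
}
IOC_URLS = {"https://www.celasllc.com/checkupdate.php"}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}


def md5_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, iocs=IOC_MD5):
    """Walk an install directory; return (path, md5) for files whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if digest in iocs:
                hits.append((path, digest))
    return hits


def host_of(url):
    """Host part of a full URL, or of a CONNECT target such as host:443."""
    if "://" in url:
        return urlparse(url).hostname
    return url.split(":", 1)[0].lower()


# Squid-style access log (constructed format): time elapsed client action/code size method url ...
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines, urls=IOC_URLS, hosts=IOC_HOSTS):
    """Return (client, url) for requests to the C&C URL or, for TLS tunnels, its host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if url in urls or host_of(url) in hosts:
            hits.append((m.group("client"), url))
    return hits


# Constructed sample log: two clients reach the C&C host, two do not.
SAMPLE_LOG = """\
1534220000.123    120 10.0.0.15 TCP_TUNNEL/200 4211 CONNECT www.celasllc.com:443 - HIER_DIRECT/203.0.113.10 -
1534220001.456     35 10.0.0.15 TCP_MISS/200 987 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1534220002.789     88 10.0.0.22 TCP_MISS/200 1320 GET https://www.celasllc.com/checkupdate.php - HIER_DIRECT/203.0.113.10 text/plain
1534220003.000     12 10.0.0.31 TCP_MISS/404 310 GET http://example.net/update - HIER_DIRECT/198.51.100.7 text/html
"""


def demo_directory_scan():
    """Constructed demo: a throwaway directory where one file's own MD5 stands in for an IOC.
    Returns (hits as (basename, md5), expected_md5)."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "Updater.exe")  # hypothetical file name
        with open(sample, "wb") as f:
            f.write(b"constructed stand-in for a trojanized updater module")
        benign = os.path.join(root, "QtBitcoinTrader.exe")  # hypothetical file name
        with open(benign, "wb") as f:
            f.write(b"constructed stand-in for the legitimate main program")
        expected = md5_of_file(sample)
        hits = scan_directory(root, iocs={expected})
        return [(os.path.basename(p), d) for p, d in hits], expected


if __name__ == "__main__":
    print("proxy hits:", scan_proxy_log(SAMPLE_LOG.splitlines()))
    print("file hits:", demo_directory_scan())
```

Matching on the host as well as the exact URL matters here: the C&C is served over HTTPS, so a forward proxy that does not intercept TLS only logs the CONNECT to `www.celasllc.com:443` and never sees the `/checkupdate.php` path. Run `scan_directory` against the trading software's install directory on endpoints, and `scan_proxy_log` over exported proxy or firewall logs, substituting your own log regex if the format differs.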
