Ataques dirigidos contra activistas
0 likes1,254 views
The document discusses several targeted malware attacks and surveillance techniques. It describes malware programs like FinFisher, DarkComet RAT, and Hacking Team's RCS that are used to monitor devices, steal files and communications, and enable remote control. It also mentions vulnerabilities exploited in Microsoft Word and Adobe Reader to install malware. Targets discussed include Uyghurs, Tibetans, and activists. Sources cited include CitizenLab.org, Kaspersky, and Symantec reports on commercial spyware vendors and their government clients.
![ddddddasdfsdf
%Temp%dclogs[CURRENT DAY]-[RANDOM
NUMBER].dc
%UserProfile%Start
MenuProgramsStartup(Empty).lnk](https://image.slidesharecdn.com/disidentes-130604104740-phpapp01/85/Ataques-dirigidos-contra-activistas-70-320.jpg)
![ddddddasdfsdf
[] Aleppo Team
[] Aleppo Team
rar
[29/05/2012 18:03:44] Aleppo Team | | ...: Last
modified plan Aleppo time for Jihad
[29/05/2012 18:03:46] Aleppo Team | | ...:
Send the file "plan eventually 2.rar"](https://image.slidesharecdn.com/disidentes-130604104740-phpapp01/85/Ataques-dirigidos-contra-activistas-84-320.jpg)
Ataques dirigidos contra activistas
- 1. Ataques dirigidos a activistas David Barroso Telefonica Digital
- 2. Uyghur
- 3. Uyghur
- 10. Uyghur
- 14. ddddddasdfsdf FinFisher – Gamma Group Instala un driver Modifica MBR Se inyecta en procesos legítimos (winlogon.exe, svchost.exe) Packer & anti-debugging AES-256-CBC C2: 77.69.140.194 (Bahrain) Puertos: 22, 53, 80, 443, 4111
- 15. ddddddasdfsdf FinFisher – Gamma Group Bypassing of 40 regularly tested Antivirus Systems Covert Communication with Headquarters Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List) Recording of common communication like Email, Chats and Voice-over-IP Live Surveillance through Webcam and Microphone Country Tracing of Target Silent Extracting of Files from Hard-Disk Process-based Key-logger for faster analysis Live Remote Forensics on Target System Advanced Filters to record only important information Supports most common Operating Systems (Windows, Mac OSX and Linux)
- 16. Source: Rapid7
- 18. ddddddasdfsdf FinFisher – Gamma Group iOS version: install_manager.app Instalación por ‘provisioning profile’ (necesario UDID) Certificado: Martin Muench (Managing Director) /System/Library/LaunchDaemons/com.apple.logind.plis t ‘Dropea’ SyncData.app Roba contactos, SMS, histórico de llamadas, geolocalización, etc. Base64 Versiones para Android, Symbian, BlackBerry
- 20. Uyghur
- 21. ddddddasdfsdf Mamfakinch.com Svp ne mentionnez pas mon nom ni rien du tout je ne veux pas d embrouilles… http://freeme.eu5.org/scandale%20(2).doc Mamfakinch.com Hacking Team – RCS OSX.Crisis / W32.Crisis Fichero adobe.jar -> versión para mac y win32 Win32: CurrentVersion/Run. Infección de procesos Infecta imágenes VMware
- 22. Source: Symantec
- 23. Source: Symantec
- 24. Uyghur
- 25. ddddddasdfsdf Concerns over Uyghur People.doc Hosh Hewer.doc Jenwediki yighingha iltimas qilish Jediwili.doc list.doc Press Release on Commemorat the Day of Mourning.doc The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc Uyghur Political Prisoner.doc 2013-02-04 - Deported Uyghurs.doc Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc Kadeer Logistics detail.doc
- 27. ddddddasdfsdf Vulnerabilidad Word para Mac CVE-2012- 0158 Abre documento real y ejecuta binario Keylogger, información de la máquina, control remoto LaunchDaemon ‘systm’ Tiny Shell AES (12345678) y SHA1 ‘me’ como contacto C2: update.googmail.org (207.204.245.192)
- 28. ddddddasdfsdf 1154/0x2610: fstat(0x26, 0xBFFF4CD0, 0x200) = 0 0 1154/0x2610: lseek(0x26, 0x6600, 0x0) = 26112 0 1154/0x2610: open("/tmp/l.sh0", 0x602, 0x1FF) = 40 0 1154/0x2610: open("/tmp/l0", 0x602, 0x1FF) = 41 0 1154/0x2610: open("/tmp/l.doc0", 0x602, 0x1FF) = 42 0 1154/0x2610: read(0x26, "#!/bin/bashnsleep 1n/usr/bin/open /tmp/l.docncp /tmp/l /tmp/mn/tmp/m0", 0x44) = 68 0 1154/0x2610: write(0x28, "#!/bin/bashnsleep 1n/usr/bin/open /tmp/l.docncp /tmp/l /tmp/mn/tmp/m0", 0x44) = 68 0 Source: AlienVault
- 35. ddddddasdfsdf Vulnerabilidad Word para Mac CVE-2012- 0158 Abre documento real y ejecuta binario Keylogger, información de la máquina, control remoto Binario firmado digitalmente C2: 61.178.77.76 TCP/1080
- 39. Targeted Attacks
- 40. Source: Symantec
- 41. Source: Symantec
- 43. ddddddasdfsdf Vulnerabilidad MSWORD CVE-2012-0158 Abre documento real y ejecuta binario Keylogger, información de la máquina, control remoto Binario firmado digitalmente C2: 114.142.147.51
- 44. ddddddasdfsdf Metadata Original Dropped MD5 8882c40ef1786efb 98ea251e247bfbee 40f41c077e03d72a 39eb1bd7bf6e3341 Last saved by HSwallow lebrale Creation date Tue., Jun. 12 09:11:00 2012 Wed., Jun. 13 11:39:00 2012 Last save date Tue., Jun. 12 09:11:00 2012 Wed., Jun. 13 11:39:00 2012
- 45. Targeted Attacks
- 49. ddddddasdfsdf APT1 / GOGGLES vs GLASSES Aplicación simula ser carpeta Instala un PDF no malicioso (job posting en Nepal), un binario spkptdhv.exe en %temp% que se instala en el registro Comandos: sleep / download & run GET /ewpindex.htm HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ) Host: ewplus.com Cache-Control: no-cache
- 50. Android
- 52. ddddddasdfsdf Spoof en el From Tibetanos generalmente ‘rootean’ los Android para instalar fuentes También instalan APK debido a restricciones en Google Play Apps modificadas Intercepta SMS para dar posición Roba histórico de llamadas, SMS y contactos C2 android.uyghur.dnsd.me
- 55. Android
- 59. ddddddasdfsdf Robo de contactos, SMS, historial de llamadas, datos del teléfono C2: Base64 a 64.78.161.133
- 61. Todo vale
- 69. ddddddasdfsdf Capture webcam activity Disable the notification setting for certain antivirus programs Download and execute arbitrary programs and commands Modify the hosts file Record key strokes Retrieve system information about the computer Start or end processes Steal passwords Update itself
- 70. ddddddasdfsdf %Temp%dclogs[CURRENT DAY]-[RANDOM NUMBER].dc %UserProfile%Start MenuProgramsStartup(Empty).lnk
- 71. ddddddasdfsdf Autor: DarkCoderSc Fecha: 2008 Versión actual: 5 Lamenta lo ocurrido, y ofrece un desinstalador
- 75. Source: EFF
- 76. Source: EFF
- 77. Source: EFF
- 78. Source: EFF
- 79. Malware
- 80. Source: EFF
- 81. Source: EFF
- 82. ddddddasdfsdf DarkComet RAT C:Documents and SettingsAdministratorStart MenuProgramsStartup(Empty).lnk C:DOCUME~1ADMINI~1LOCALS~1Temp .pdf C:DOCUME~1ADMINI~1LOCALS~1Temp Explorer.exe C:DOCUME~1ADMINI~1LOCALS~1Temp msdlg.ocx C:DOCUME~1ADMINI~1LOCALS~1Temp dclogs
- 83. Source: EFF
- 84. ddddddasdfsdf [] Aleppo Team [] Aleppo Team rar [29/05/2012 18:03:44] Aleppo Team | | ...: Last modified plan Aleppo time for Jihad [29/05/2012 18:03:46] Aleppo Team | | ...: Send the file "plan eventually 2.rar"
- 85. Source: EFF
- 86. Source: EFF
- 87. Source: EFF
- 88. ddddddasdfsdf C:Documents and SettingsAdministratorStartMenuProgramsS tartup(empty).lnk C:DOCUME~1ADMINI~1LOCALS~1Temp explorer.exe C:DOCUME~1ADMINI~1LOCALS~1Temp Aleppo plan.pdf C:DOCUME~1ADMINI~1LOCALS~1Temp Firefox.dll
- 89. Skype encryption
- 90. Source: EFF
- 91. Source: EFF
- 92. Source: EFF
- 93. ddddddasdfsdf DarkComet RAT http://skype-encryption.sytes.net/ http://216.6.0.28/SkypeEncryption/Dow nload/skype.exe
- 94. Antihacker
- 95. 73% Source: EFF
- 96. Source: EFF
- 97. Source: EFF
- 98. Source: EFF
- 99. Source: EFF
- 100. Source: EFF
- 101. ddddddasdfsdf DarkComet RAT Se conecta a 216.6.0.28/google.exe Keylogger: C:DOCUME~1ADMINI~1LOCALS~1 Tempdclogs.sys C:Documents and SettingsAdministratorStart MenuProgramsStartup..lnk
- 102. BlackShades
- 104. ddddddasdfsdf With Blackshades Remote Controller you can: - Control several computers at once, performing tasks ranging from viewing their screens to uploading/downloading files from them - Perform maintenance on a Network - Help a client out by using the screen capture feature, even if they are on the other side of the world - Monitor a specific PC, recording the keystrokes and remotely managing the files - Access your computer that you have at home if you are on holiday - Monitor the computers of students and their activity while teaching a computing lesson - Chat with clients that you are connected to
- 105. ddddddasdfsdf Cuentas comprometidas Skype Fichero .PIF ‘Windows Messanger’ – Alta en firewall, Startup C2: alosh66.myftp.org (31.9.170.140) 4444/TCP
- 108. ddddddasdfsdf OSX.Kitm (Kumar in the mac) Rajinder Kumar OSX/Filesteal – OSX/HackBack Source: F-Secure
- 109. Source: F-Secure
- 111. Source: F-Secure
- 112. Source: F-Secure
- 113. Source: F-Secure