Thursday 4 October 11:30 - 12:00, Green room
Lotem Finkelstein (Check Point)
Aseel Kayal (Check Point)
After an investigation some two months long, we recently uncovered a targeted espionage campaign of one of the most colourful APT groups currently active in the Middle East – APT C-23. The group has been targeting politically oriented individuals in the Middle East for almost two years now, using quality spear phishing and mobile applications to lure victims into opening malicious files. Our investigation began with a single campaign, using a decoy document disguised as an official paper by the Palestinian Political and National Guidance Commission to spread a piece of custom malware written in C++ but wrapped as a self-extracting executable. We then gradually exposed a sophisticated, versatile group capable of crafting malware in different code-languages for different platforms. The group has been running several campaigns simultaneously under the radar of the research community, which up until now hasn't succeeded in making connections between the different campaigns. Upon infection, a unique RAT is installed on the victim machine. Unlike most RATs that feature keylogging and credential theft, this RAT was designed to spy – it looks for specific Office documents, features a self-destruction capability and logs specific system info, most likely as a preparation for a second-stage attack.
We will present the full extent of our investigation process, which includes mapping the group's activity over the years while listing the tactics, techniques and procedures (TTP) practised by the group, and depicting a model of a campaign attributed to the group. One procedure stands out among the group's TTPs– its great affection for TV series. The group links each campaign with an iconic TV series and weaves the characters and actors featured in the series into almost every aspect of the campaign. The campaign we exposed in July 2018, for example, used the TV series Big Bang Theory as its source of inspiration, as characters and actor names decorated the malware code and distinguished the campaign from other parallel efforts. After reviewing the group's overall activity as well as analysing several significant campaigns, we are thrilled to share our findings insights.
Aseel is a malware analyst at Check Point and a member of the Threat Intelligence Analysis team. She is a mother tongue speaker of Arabic, Hebrew and English, and has an avid knowledge of multiple programming languages. Her passion for languages is best exemplified in her academic studies, as she received her B.Sc. degree in both computer science and English literature from Tel Aviv University. Aseel's research focuses on targeted attacks and APTs, and includes insights into multiple ransomware families.
Sayeed Abu-Nimeh (Seclytics)
Matthias Leisi (DNS Whitelist (DNSWL))
Alexander Vukcevic (Avira)
Jiri Sejtko (Avast)
Michael Daniel (Cyber Threat Alliance)