Lozhkin: From APTs to criminals (cut)
COPYCATS: FROM APTS TO CRIMINALS
Sergey Lozhkin, Senior Security Researcher, Kaspersky Lab
AGENDA
• Skimer
• Carbanak
• METEL
• GCMAN
• APTs
• ??????
GCMAN
200 USD PER MINUTE
BE PERSISTENT
• 2 months of tries on Sat
— What was your password?
— Sonic17
TROUBLE IN THOUGHT
INFO-.ASP
GCMAN ATTACK (network diagram)
Nodes shown: Ads web server; corporate online banking webserver; online banking DB; admin's workstations; processing connection server
GCMAN SUMMARY
1. Knocking on the front door
2. Avoiding whitelisting technologies
3. >1 year of persistence
CARBANAK
CARBANAK SUMMARY
1. Global criminals' APT
2. Spear-phishing is everything
3. It is all about MONEY
METEL
Source http://ageofgeeks.com/wp-content/uploads/2015/04/furious-7-paul-walker.jpg
METEL – TRANSACTION ROLLBACK
CHALLENGE
WIPE PATTERN
RAND 4096 ALWAYS
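The slide records only that the wipe pattern was always 4096 bytes of random data. The following forensic triage check is an added example, not code from the talk or from Kaspersky: if a wiper overwrites files with random bytes in 4096-byte blocks, every surviving block has near-maximal Shannon entropy, which is itself a signal an analyst can scan for. The 7.5 bits/byte threshold and the three sample "files" are constructed for this example.

```python
"""Flag files whose 4096-byte blocks all look like random data.

Added illustration (not from the talk): a wiper that overwrites victim
files with random bytes in 4096-byte blocks leaves every block with
near-maximal Shannon entropy. Threshold and samples are constructed.
"""
from __future__ import annotations

import math
import random
from collections import Counter

BLOCK = 4096        # block size named on the slide
THRESHOLD = 7.5     # bits/byte; truly random 4096-byte blocks score ~7.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block: int = BLOCK) -> list[float]:
    """Entropy of each full block; a trailing partial block is ignored."""
    return [shannon_entropy(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]


def looks_wiped(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD) -> bool:
    """True when every full block exceeds the threshold, i.e. the file holds
    nothing but random-looking bytes. Encrypted or compressed files score
    high too, so treat a hit as a triage signal, not proof of wiping."""
    ents = block_entropies(data, block)
    return bool(ents) and all(e >= threshold for e in ents)


def wiped_ratio(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD) -> float:
    """Fraction of full blocks that look random; useful for partial overwrites."""
    ents = block_entropies(data, block)
    if not ents:
        return 0.0
    return sum(e >= threshold for e in ents) / len(ents)


# Constructed samples (not real evidence). Seeded so the run is repeatable.
_RNG = random.Random(0x4D4554454C)
RANDOM_FILE = bytes(_RNG.getrandbits(8) for _ in range(3 * BLOCK))   # fully overwritten
TEXT_FILE = (b"transaction 0001 OK; balance rollback pending\r\n" * 300)[:3 * BLOCK]
PARTIAL_FILE = RANDOM_FILE[:BLOCK] + TEXT_FILE[BLOCK:]               # first block wiped

if __name__ == "__main__":
    for name, blob in [("random", RANDOM_FILE), ("text", TEXT_FILE), ("partial", PARTIAL_FILE)]:
        print(f"{name:8s} wiped={looks_wiped(blob)!s:5s} ratio={wiped_ratio(blob):.2f} "
              f"blocks={[round(e, 2) for e in block_entropies(blob)]}")
```

To run it over a real disk image or directory, replace the constructed blobs with file contents read in binary mode; `wiped_ratio` is the more useful number when only the head of a file was overwritten.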
METEL SUMMARY
1. IOCs' horror
2. Spear-phishing is everything
3. It is all about MONEY
SKIMER
SKIMER – XFS SERVICE PATCH
SKIMER – SERVICE PATCHED
ATM INFECTOR – MAGIC CARD
CARD 1 – INTERFACE COMMANDS
CARD 2 – TRACK 2 HARDCODED
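The slide describes a two-card activation scheme: one card carries commands for the malware's interface, the other is recognised by a hardcoded Track 2 value. The block below is an added example, not Skimer's code: it parses ISO 7813 Track 2 data and models how such a trigger is matched, so a defender can see what "Track 2 hardcoded" means at the data level. The trigger card, the `99` command marker and the test PANs are constructed for this example and are not the malware's real values.

```python
"""Parse ISO 7813 Track 2 data and model a two-card "magic card" trigger.

Added illustration of the Skimer slide (card 1 = interface commands,
card 2 = hardcoded Track 2). Not the malware's code: the trigger card,
the command marker and the sample PANs are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Track 2 layout: start sentinel ';', PAN (up to 19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# The LRC byte after '?' on the stripe is not part of the text form.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,27})\??$"
)


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check-digit test for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a Track 2 string into its fields; raises ValueError on bad input."""
    text = raw.strip()
    m = TRACK2_RE.match(text)
    if not m:
        raise ValueError(f"not ISO 7813 Track 2: {raw!r}")
    if len(text.strip(";?")) > 37:     # ISO 7813 payload limit
        raise ValueError("Track 2 payload exceeds 37 characters")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def is_track2(raw: str) -> bool:
    try:
        parse_track2(raw)
        return True
    except ValueError:
        return False


# Constructed trigger values (hypothetical, chosen for this example only).
MAGIC_CARD = Track2("4111111111111111", "2512", "101", "777700000")
COMMAND_MARKER = "99"                   # prefix in discretionary data


def classify_card(raw: str) -> tuple[str, Optional[str]]:
    """('magic', None) for the hardcoded card, ('command', code) for a
    command card, ('normal', None) for anything else."""
    t = parse_track2(raw)
    if t == MAGIC_CARD:                 # whole Track 2 compared to the constant
        return "magic", None
    if t.discretionary.startswith(COMMAND_MARKER):
        start = len(COMMAND_MARKER)
        return "command", t.discretionary[start:start + 2]
    return "normal", None


if __name__ == "__main__":
    samples = [
        ";4111111111111111=2512101777700000?",   # constructed magic card
        ";5555555555554444=2512101990200000?",   # constructed command card, code 02
        ";5555555555554444=2512101000000000?",   # ordinary card
    ]
    for s in samples:
        t = parse_track2(s)
        print(f"{s}  luhn={luhn_ok(t.pan)}  -> {classify_card(s)}")
```

An ATM-side monitor that hooks card reads can apply `classify_card` in reverse: any card whose Track 2 exactly equals a fixed constant, or whose discretionary data carries an out-of-profile marker, is worth an alert, because legitimate issuers do not reuse full Track 2 values across cards.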
SKIMER SUMMARY
1. Silent
2. Attack on ATM users
3. Attack on banks
LAZARUS
LAZARUS SUMMARY
1. Active since 2009
2. Attacks on everything
3. New group to reach 1 bln USD, after Carbanak
7H@NK Y0U1
Sergey Lozhkin, Principal Security Researcher, Kaspersky Lab