Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


an example of using threat intelligence data platform to expand apt attack clues

Posted by barkins at 2020-04-11

When we talk about the discovery of apt attack clues, it seems to be a quite mysterious thing. Security manufacturers often say that there is a cloud and a cloud. If you ask how to know something now, the answer is often: "well, we use machine learning". People outside the industry can hardly get useful information except for high-end ones. However, is it necessary to use advanced analysis methods to discover advanced directed attacks? The answer is: not necessarily. Today, let's take a simple example. The analysis object is our old friend: Lotus apt gang.


On May 14, 2017, fireeye released an analysis of the latest activities of apt32 (Lotus) Gang, describing the details of the attack process and some tools and network related IOC. Links to the article are as follows:

Of course, this information has been included in the 360 Threat Intelligence Center data platform. Search one of the C & C domain names:, and we get the following output page:

The visualization analysis in the lower right corner has shown all the IOC involved in the fireeye report. In the related security report on the left, we also naturally provide the original link of the fireeye article. In addition, we also found another link to a sample execution sandbox result information on the famous sandbox payload security. The corresponding file sha256 is e56905579c84941dcdb2088d68d28108b135a4e407fb3d5c901f8e16f5ebc. Click to see the details:

Well, a sample of Vietnamese file names, this is a sea lotus. Take a look at its network behavior:

You can see that the sample involves a set of 4 C & C domain names:

This is also the style of lotus related samples. Generally, 4-5 domain names will be registered on the same day for C & C communication. We know that there are a large number of sandbox behavior log data stored on payload security, so can we find more similar samples on it? It's worth a try. How to do it? Try the simplest keyword matching.


Notice the process name of the above known sample connection C & C IP? Years of experience in malicious code analysis tell us that this signerif.exe process is not common in malicious code activities. So we can use signerif.exe as a keyword to try to search, instead of using the search option of the payload security website itself. In fact, Google provides more powerful full-text search function. Using "site:" specify the target website and keyword "signerif.exe", Google only gives us two pages of results. The following is the results on page 1:

The last item in the hit list output here is the lotus sample that we know will connect to the C & C domain name. Since the total number of hit items is not large, we can check the similarity between each hit sample and the known sample one by one. Check the first sample in the list. The file sha256 is 2bbffbc72a59eff74028ef52f5b637aada59650d65735773cc9ff3a9edffca5. The corresponding malicious behavior is determined as follows:

Looking forward to our cue sample behavior determination (process call relationship and string), we can confirm that they are almost identical, which should be another lotus sample with the same function. Next, check the C & C domain name and IP address of this sample connection:

Here we find four other previously unknown C & C domain names:

The domain names were registered on August 10, 2016, and privacy protection was made. The label information of these domain names can not be found on various Threat Intelligence platforms due to the customary operation of hailianhua gang. They have all resolved to IP The domain name and IP are not related to other known lotus attacks. They are completely isolated in terms of infrastructure, which is also the trend of lotus attacks in the near future. According to the 360 Threat Intelligence Center's monitoring of these domains, there is no sign of connection in China, so the relevant samples are likely to be used for attacks against targets outside China. In this way, we start from a known domain name, extract its static characteristics and search for the same kind of samples through the associated samples, and finally mine the previously unknown samples and C & C infrastructure.


In essence, the analysis on the event level of apt activities is a game to find the connection points and expand them based on data. The following is the connection points based on the Loma cyber kill chain model sorted out by the 360 Threat Intelligence Center:

The attack and defense of apt will eventually fall into the confrontation between people and data. Most of the time, the data will be there. In the hands of analysts who understand the attack and defense details of adversary TTP and are highly sensitive to data, through layer upon layer analysis, they can get more threat intelligence by expanding their horizons. 360 Threat Intelligence Center labels a large number of data based on its own judgment. Some of the labels are exported. These labels are actually Threat Intelligence, and all users have to do is ask the right questions.


Threat Intelligence newly discovered by hailianhua Gang