Yıl 2019, Cilt 12 , Sayı 3, Sayfalar 253 - 263 2019-07-31

MuddyWater APT Grubu ve Makro Zararlı Yazılım Analizi Metodolojisi Önerisi
MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis

Mevlut Serkan TOK [1] , Baris CELİKTAS [2]


Microsoft Office belgelerinin özelleştirilmesini ve sık kullanılan görevlerin otomasyonunu sağlayan makrolar uzun süredir kötü niyetli kişilerce zararlı yazılım üretiminde kullanılmaktadır. Son yıllarda ileri düzey kalıcı tehdit gruplarınca da makro zararlı yazılımının atak vektörlerinde kullanıldığı bilinmektedir. 2017 yılından beri Ortadoğu ülkelerinin kamu kurumlarını ve enerji, telekomünikasyon, petrol gibi stratejik alanlarda faaliyet gösteren şirketleri hedef alan, analistler tarafından kendilerini gizleme eğilimleri nedeniyle MuddyWater olarak adlandırılan ve İran ile ilişkilendirilen grup da makro zararlı yazılımı kullanmakta ve Türkiye de dahil olmak üzere bölge ülkelerinde eylemlerini sürdürmektedir.  Bu çalışmamızın temel amacı MuddyWater ileri düzey kalıcı tehdit grubu ile ilgili farkındalığı arttırmak ve örnek bir makro zararlı yazılım analizi metodolojisi sunmaktır. Bu kapsamda, MuddyWater grubunun özellikleri, eylem stratejisi, atak vektörleri ve bulaşma zincirine yönelik elde edilen bilgiler paylaşılmıştır, ayrıca ilk defa 27 Kasım 2018’de uzmanlarca tespit edilmiş, Türkiye ve Katar’ı hedef aldığı değerlendirilen bir zararlı dokümanın ayrıntılı analizi yapılmış, bulgular ve öneriler sunulmuştur.

Macros are consisted of instructions and commands mainly used to automate tasks, embed functionality and provide customization of Microsoft Office documents. However, they have been exploited by malicious hackers by creating malware since they were introduced. Recently, Advanced Persistent Threat (APT) Groups have generally used macros as attack vectors as well. Since 2017, Middle Eastern countries’ governmental institutions, and strategically important oil, telecommunication and energy companies have been targeted by the APT Group probably affiliated with Iran, and the group is named as MuddyWater by analysts due to the techniques they utilized to cover their tracks. The group has generally conducted attacks via macro malware. In this work, we aimed to raise awareness regarding MuddyWater APT Group and provide a detailed methodology for analyzing macro malware. The attributions, strategy, attack vectors, and the infection chain of MuddyWater APT Group have been explained. In addition, a malicious document, targeting Turkey and Qatar, detected first on 27 November 2018 have been analyzed, findings and proposals have been presented for cybersecurity professionals.

  • J. Choi, C. Choi, H. M. Lynn, P. Kim, “Ontology Based APT Attack Behavior Analysis in Cloud Computing”, 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), Krakow, 375-379, 2015.
  • S. Çelik, B. Çeliktaş, “Güncel Siber Güvenlik Tehditleri: Fidye Yazılımlar”, CyberPolitik Journal, 3(5), 105-132, 2018.
  • S. Cass, “Anatomy of malice [computer viruses]”, IEEE Spectrum, 38(11), 56-60, 2001.
  • L. Garber, “Melissa Virus Creates a New Type of Threat”, Computer, 32(6), 16-19, 1999.
  • R. Bearden, D. C. Lo, “Automated microsoft office macro malware detection using machine learning”, 2017 IEEE International Conference on Big Data (Big Data), 4448-4452, Boston, MA, 11-14 December, 2017.
  • E. Daoud, I. Jebril, “Computer virus strategies and detection methods”, International Journal of Open Problems in Computer Science and Mathematics, 1(2), 2008.
  • C. Beek et al., McAfee Labs Threats Report, Santa Clara, CA, 2018
  • Internet: A dive into MuddyWater APT targeting Middle-East, https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/, 15.12.2019.
  • Internet: Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity, https:// blog.malwarebytes.com/threat-analysis/2017/09/ elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/, 29.12.2019.
  • Internet: T. Lancaster, Muddying the Water: Targeted Attacks in the Middle East, https://unit42. paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/, 10.12.2018.
  • Internet: MuddyWater, https://attack.mitre.org/groups /G0069/, 05.12.2018.
  • Internet: J. Horejsi, Campaign Possibly Connected to MuddyWater Surfaces in the Middle East and Central Asia, https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/, 26.12.2018.
  • F. Li, A. Lai, D. Ddl, “Evidence of Advanced Persistent Threat: A case study of malware for political espionage”, 2011 6th International Conference on Malicious and Unwanted Software, Fajardo, 102-109, 18-19 October, 2011.
  • N. Virvilis, D. Gritzalis, T. Apostolopoulos, “Trusted Computing vs. Advanced Persistent Threats: Can a Defender Win This Game?”, 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing, Vietri sul Mere, 396-403, 18-21 December, 2013.
  • Internet: MuddyWater: Hackers Target Middle East Nations, https://securereading.com/muddywater-hackers-target-middle-east-nations/, 06.01.2019.
  • H. Güleç, G. Güreşçi, MuddyWater APT Analiz Raporu, Adeo, Ankara, 2018.
  • Internet: S. Singh et al., Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign, https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html, 05.01.2019.
  • Internet: MuddyWater Infection Chain, https://brica. de/alerts/alert/public/1239693/experts-at-yoroi-cybaze-z-lab-analyzed-muddywater-infection-chain/, 19.12.2018.
  • Internet: Trend Micro, Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor, https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/, 06.01.2019.
  • Internet: Spear-phishing campaign targeting Qatar and Turkey, https://reaqta.com/2018/12/spear-phishing-targeting-qatar-turkey/, 06.01.2019.
  • Trapmine, Threat Report: Parliament Quds Turkiye ve Katari Hedefleyen Siber Espiyonaj Faaliyeti, 2018.
  • L. Zhang, D. Zhang, L. Wang, “Live digital forensics in a virtual machine”, 2010 International Conference on Computer Application and System Modeling (ICCASM 2010), 4, 328-332, Taiyuan, 22-24 October, 2010.
  • B. Celiktas, M.S. Tok, N. Unlu, “Man In the Middle (MITM) Attack Detection Tool Design”, International Journal Of Engineering Sciences & Research Technology, 7(8), 90-100, 2018.
  • B. Celiktas, N. Unlu, E. Karacuha, “An Anti-Ransomware Tool Design by Using Behavioral and Static Analysis Methods”, International Journal of Scientific Research in Computer Science and Engineering, 6(2), 1-9, 2018.
  • B. Celiktas, “The Ransomware Detection and Prevention Tool Design by Using Signature and Anomaly Based Detection Methods”, M.Sc. Thesis, Istanbul Techical University, Informatics Institute, May, 2018.
  • S. Kim, S. Hong, J. Oh, H. Lee, "Obfuscated VBA Macro Detection Using Machine Learning”, 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 490-501, Luxembourg City, 25-28 June, 2018.
  • Internet: C. Elisan, Why Malware Installers Use Tmp Files and The Temp Folder When Infecting Windows, https://www.rsa.com/en-us/blog/2017-04/why-malware-installers-use-tmp-files-and-the-temp-folder, 27.12.2018.
  • Internet: R. Nolen et al., Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”, https://www. carbonblack.com/2016/04/28/ threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/, 17.12.2018.
  • Internet: AppLocker Bypass Techniques, https:// evi1cg.me/archives/AppLocker_Bypass_Techniques.html, 26.12.2018.
  • Internet: TR-14-001 (E-Posta Üzerinden Yayılan Tehdit “CVE-2012-0158”), https://www.usom.gov.tr/ tehdit/8.html, 21.12.2018.
  • A. Şirikçi, N. Cantürk, “Adli Bilişim İncelemelerinde Birebir Kopya Alınmasının (İmaj Almak) Önemi”, Bilişim Teknolojileri Dergisi, 5(3), 29-34, 2012.
Birincil Dil en
Konular Bilgisayar Bilimleri, Bilgi Sistemleri
Bölüm Makaleler
Yazarlar

Orcid: 0000-0002-5048-8409
Yazar: Mevlut Serkan TOK
Kurum: Department of Computer Engineering, Graduate School of Engineering and Science, TOBB ETU, Ankara, Turkey
Ülke: Turkey


Orcid: 0000-0003-2865-6370
Yazar: Baris CELİKTAS (Sorumlu Yazar)
Kurum: Cyber Security Engineering and Cryptography Department, Institute of Informatics, ITU, Istanbul, Turkey
Ülke: Turkey


Tarihler

Yayımlanma Tarihi : 31 Temmuz 2019

Bibtex @araştırma makalesi { gazibtd512800, journal = {Bilişim Teknolojileri Dergisi}, issn = {1307-9697}, eissn = {2147-0715}, address = {}, publisher = {Gazi Üniversitesi}, year = {2019}, volume = {12}, pages = {253 - 263}, doi = {10.17671/gazibtd.512800}, title = {MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis}, key = {cite}, author = {TOK, Mevlut Serkan and CELİKTAS, Baris} }
APA TOK, M , CELİKTAS, B . (2019). MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis. Bilişim Teknolojileri Dergisi , 12 (3) , 253-263 . DOI: 10.17671/gazibtd.512800
MLA TOK, M , CELİKTAS, B . "MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis". Bilişim Teknolojileri Dergisi 12 (2019 ): 253-263 <https://dergipark.org.tr/tr/pub/gazibtd/issue/47484/512800>
Chicago TOK, M , CELİKTAS, B . "MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis". Bilişim Teknolojileri Dergisi 12 (2019 ): 253-263
RIS TY - JOUR T1 - MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis AU - Mevlut Serkan TOK , Baris CELİKTAS Y1 - 2019 PY - 2019 N1 - doi: 10.17671/gazibtd.512800 DO - 10.17671/gazibtd.512800 T2 - Bilişim Teknolojileri Dergisi JF - Journal JO - JOR SP - 253 EP - 263 VL - 12 IS - 3 SN - 1307-9697-2147-0715 M3 - doi: 10.17671/gazibtd.512800 UR - https://doi.org/10.17671/gazibtd.512800 Y2 - 2019 ER -
EndNote %0 Bilişim Teknolojileri Dergisi MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis %A Mevlut Serkan TOK , Baris CELİKTAS %T MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis %D 2019 %J Bilişim Teknolojileri Dergisi %P 1307-9697-2147-0715 %V 12 %N 3 %R doi: 10.17671/gazibtd.512800 %U 10.17671/gazibtd.512800
ISNAD TOK, Mevlut Serkan , CELİKTAS, Baris . "MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis". Bilişim Teknolojileri Dergisi 12 / 3 (Temmuz 2019): 253-263 . https://doi.org/10.17671/gazibtd.512800
AMA TOK M , CELİKTAS B . MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis. Bilişim Teknolojileri Dergisi. 2019; 12(3): 253-263.
Vancouver TOK M , CELİKTAS B . MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis. Bilişim Teknolojileri Dergisi. 2019; 12(3): 263-253.