1 / 16

MIRAGE

MIRAGE. CPSC 620 Project By Neeraj Jain Hiranmayi Pai. Table of Contents. Introduction Background Analysis Identification of Victims Threat Factors Conclusion. Introduction. What is a malware? What is a “Mirage” malware?. Background.

connie
Download Presentation

MIRAGE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. MIRAGE CPSC 620 Project By Neeraj Jain HiranmayiPai

  2. Table of Contents • Introduction • Background • Analysis • Identification of Victims • Threat Factors • Conclusion

  3. Introduction • What is a malware? • What is a “Mirage” malware?

  4. Background • Is linked to the same hackers behind the RSA breach last year [1]. • Mirage shares attributes with the malware families JKDDOS and Lingbo • Mirage Trojan targets mid-level to senior-level executivesby sending out spear-phishing email.`

  5. Analysis • Distribution Vector • Behavior Analysis • Control and Command Server Operations • Variants

  6. Distribution Vector • The spear phishing emails contain an attachment that includes a malicious payload that installs a copy of Mirage. • CTU researchers have identified several files that drop and execute a copy of Mirage onto a target system. These "droppers" are designed to look and behave like PDF documents.

  7. Behavior Analysis • There are two main variants of the Mirage Trojan. • Variants are based on the way the trojancommunicates with the command and control (C2) servers. • When Mirage executes, the original file copies itself to a folder under C:\Documents and Settings\<USER>\ or C:\Windows\ and then deletes the original file. • CTU researchers have observed the following filenames created after execution: svchost.exe ,ernel32.dll, thumb.db, csrss.exe, Reader_SL.exe, MSN.exe

  8. Control and Command Server Operations - 1 • Mirage tries to send a system profile by contacting the C2 server using a standard HTTP request. • This profile contains the CPU speed, memory size, system name and username. • It is observed that this communication occurs over ports 80, 443 and 8080

  9. Control and Command Server Operations - 2 • Variant 1

  10. Control and Command Server Operations - 3

  11. Control and Command Server Operations - 4 • The second variant of Mirage uses HTTP GET requests

  12. Variants • Several Mirage variants are customized for specific need, not for widespread targeting. • One of the variant was found configured with the default credentials of the targeted environments web proxy servers.

  13. Identification of Victims

  14. Threat Actors • When investigating the DNS addresses of the C2 servers, CTU researchers identified several IP addresses of hosting companies based in the United States that are running HTran. • In the CTU research team's 2011 analysis of HTran, the software's author was identified as a member of the Chinese hacker group HUC, the Honker Union of China.

  15. Conclusion • Mirage represents only one small piece of malware involved in an ongoing worldwide campaign[2]. • The IP addresses of the systems used by hackers to remotely control Mirage-infected machines belong to the China Beijing Province Network (AS4808), as did three of the IP addresses used in the Sin Digoocampaign [3]. • For companies in the targeted industries, using active intrusion detection and prevention systems as well as DNS monitoring for malicious domains is essential to detecting this activity.

  16. References • http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/ • http://www.securityweek.com/cyber-espionage-campaign-targets-oil-companies • http://www.theregister.co.uk/2012/09/21/mirage_cyberespionage_campaign/

More Related