Pulsing the HeartBeat APT
Last November 12-14th, I had this great opportunity to attend AVAR 2012 Conference in Hangzhou, China. There were a lot of great presentations; I must say I feel very privileged to have presented our paper, The HeartBeat APT Campaign, along with these talks.
I will be honest with you: talking in front of renowned people and colleagues in the industry was outright nerve-racking. However, we believe it is our duty to share our findings about the HeartBeat APT with the industry. This entry aims to further fulfill the same purpose for the industry and for the general public.
The HeartBeat campaign is an isolated APT case that targets organizations within South Korea only. Based on our research, the campaign had started by November 2009 at the latest. They target organizations that are directly or indirectly related to the South Korean government. Specifically, the HeartBeat campaign targets the following sectors:
- Political parties
- Media outfits
- A national policy research institute
- A military branch of South Korean armed forces
- A small business sector organization
- Branches of South Korean government
Based on their targets, we suspect that the campaign may be politically motivated.
In order to gain control over their targets' networks, they use a custom remote access tool (RAT). Variants of their RAT contain an embedded campaign code, which typically consists of a string describing the respective decoy document and a campaign date in MMDD format.
Additionally, the attackers behind the HeartBeat campaign made sure that their operation as well as their identity remain concealed. For instance, they used legitimate-looking file names and registry names for their RAT. They also used XOR encryption for their network communications. To hide their identities, on the other hand, they used a site redirection service that redirects to compromised hosts in different countries. These compromised hosts act as proxy servers that hide the real location of their C&C servers.
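For an analyst looking at captured traffic, the two details above (a campaign code carrying an MMDD date, and XOR-encoded C&C communications) combine into a practical triage step. The following is an added example, not code from the original post or from Trend Micro: it brute-forces a single-byte XOR key over a constructed beacon and uses the presence of a valid MMDD date to rank the true key above near-miss keys that also yield readable text. The single-byte key, the beacon layout and the field names are assumptions for the illustration; the post does not describe the RAT's key length or message format.

```python
import re
from datetime import datetime

# Constructed sample beacon: a made-up campaign code in the style the post
# describes (decoy-document string plus an MMDD date), XOR-encoded with a
# single-byte key. Not real HeartBeat traffic; key, layout and field names
# are assumptions for this illustration only.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"CAMPAIGN=budget-report-1114;HOST=WS-042"
SAMPLE_BEACON = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)

# Printable ASCII plus tab/CR/LF; any other byte counts against a key.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key (the same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def extract_campaign_date(plaintext: bytes):
    """Return (month, day) for the first 4-digit run that is a valid MMDD
    date, or None. Year 2000 is leap, so 0229 is accepted as a date."""
    for m in re.finditer(rb"\d{4}", plaintext):
        month, day = int(m.group()[:2]), int(m.group()[2:])
        try:
            datetime(2000, month, day)
            return month, day
        except ValueError:
            continue
    return None


def recover_single_byte_xor(data: bytes, min_ratio: float = 0.95):
    """Brute-force all 255 non-zero single-byte keys. Score = printable
    ratio, plus 1.0 when a valid MMDD campaign date appears, so keys that
    merely produce readable junk rank below the key exposing the campaign
    code. Returns [(score, key, plaintext)] best first."""
    candidates = []
    for key in range(1, 256):
        plaintext = xor_bytes(data, key)
        ratio = printable_ratio(plaintext)
        if ratio < min_ratio:
            continue
        score = ratio + (1.0 if extract_campaign_date(plaintext) else 0.0)
        candidates.append((score, key, plaintext))
    return sorted(candidates, key=lambda c: (-c[0], c[1]))
```

Running `recover_single_byte_xor(SAMPLE_BEACON)[0]` on the constructed beacon returns key 0x5A with the campaign code in the clear; on real captures the same scoring idea can be seeded with any known field names from the analyzed sample.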
More information about the HeartBeat APT campaign can be found at http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf