USB flows in the Great River: solving unnoticed long-term APT RAT puzzle | Hiroshi Takeuchi
Overseas offices often lack mature security measures compared to headquarters, stemming from cultural and governance disparities.
Presently, internet-facing devices in these offices serve as the primary attack surface.
Alongside vulnerabilities in these devices, another significant threat in APAC is USB-based attacks, which have proven effective. TA410 uses USB devices for initial access; we focus on “Operation USBFlowing,” in which the overseas branches of Japanese organizations were infected with FlowCloud.
We’ll review FlowCloud activity from 2019 and dissect the infection flow in “Operation USBFlowing.” While prior research covered versions 4.1.3 to 5.0.8, we’ll delve into version 6.0.0 observed in March 2023.
FlowCloud is complex: it uses libraries such as Boost C++, Protocol Buffers, and ZThread, which makes it hard for analysts to separate the malicious code from benign library code. Our approach addresses this with IDA Pro FLIRT signatures and BinDiff.
By examining the compiler used and the versions of the open-source libraries, we determine that FlowCloud is older than initially believed. We’ll also profile the FlowCloud developer(s) and share our findings. This presentation unveils fresh insights into TA410’s evolving Tactics, Techniques, and Procedures (TTPs) and explains why this traditional tradecraft remains effective. We’ll conclude by proposing effective countermeasures.
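The library-identification step referenced above, as an added example rather than code from the talk, Kaspersky, or Hex-Rays: a toy model of what FLIRT-style signatures do. Bytes that the linker patches (call targets, absolute addresses) are wildcarded, all other bytes must match, and every function in a sample that hits a known-library signature can be set aside so the analyst spends time on the code the malware author actually wrote. The signature names, byte sequences, and the "sample binary" below are constructed for illustration.

```python
"""Toy wildcarded byte-signature matcher for telling library code from
author-written code (added example; not FLIRT, not the talk's code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: tuple[Optional[int], ...]  # None marks a wildcard byte

    @classmethod
    def from_text(cls, name: str, text: str) -> "Signature":
        """Parse 'E8 .. .. .. .. 85 C0' style text; '..' is a wildcard."""
        toks = text.split()
        return cls(name, tuple(None if t == ".." else int(t, 16) for t in toks))

    def matches_at(self, data: bytes, off: int) -> bool:
        """True if every non-wildcard byte of the pattern equals data[off:]."""
        if off < 0 or off + len(self.pattern) > len(data):
            return False
        return all(p is None or data[off + i] == p for i, p in enumerate(self.pattern))


def make_signature(name: str, func_bytes: bytes, reloc_offsets: set[int]) -> Signature:
    """Build a signature from a known library build; offsets the linker
    rewrites (relocations) become wildcards so the signature survives
    being linked into a different binary at a different address."""
    pat = tuple(None if i in reloc_offsets else b for i, b in enumerate(func_bytes))
    return Signature(name, pat)


def classify_functions(sample: bytes, functions: dict[str, int],
                       sigs: list[Signature]) -> dict[str, str]:
    """Map each function (name -> start offset in sample) to the first
    matching library signature name, or 'unknown' for unrecognised code."""
    result: dict[str, str] = {}
    for fname, off in functions.items():
        result[fname] = next((s.name for s in sigs if s.matches_at(sample, off)), "unknown")
    return result


# --- constructed reference data (hypothetical library functions) ----------
# push ebp; mov ebp,esp; call rel32; test eax,eax; jz +5; xor eax,eax; pop ebp; ret
LIB_FUNC_A = bytes.fromhex("55 8B EC E8 11 22 33 44 85 C0 74 05 33 C0 5D C3")
SIGNATURES = [
    make_signature("lib_zthread_example", LIB_FUNC_A, reloc_offsets={4, 5, 6, 7}),
    # mov eax,[esp+4]; mov [abs32],eax; ret  (abs32 is a relocation)
    Signature.from_text("lib_protobuf_example", "8B 44 24 04 A3 .. .. .. .. C3"),
]

# --- constructed "sample binary": four functions padded to 16-byte slots ---
SAMPLE = bytes.fromhex(
    "55 8B EC 68 41 41 41 41 E8 99 99 99 99 5D C3 CC"   # sub_0: not library code
    "55 8B EC E8 AA BB CC DD 85 C0 74 05 33 C0 5D C3"   # sub_10: LIB_FUNC_A, new call target
    "55 8B EC E8 00 00 00 00 85 C0 75 05 33 C0 5D C3"   # sub_20: near miss (jnz, not jz)
    "8B 44 24 04 A3 00 40 40 00 C3 CC CC CC CC CC CC"   # sub_30: protobuf example
)
FUNCTIONS = {"sub_0": 0x00, "sub_10": 0x10, "sub_20": 0x20, "sub_30": 0x30}


if __name__ == "__main__":
    for name, verdict in classify_functions(SAMPLE, FUNCTIONS, SIGNATURES).items():
        print(f"{name:7s} -> {verdict}")
```

The near-miss at `sub_20` shows why the wildcards are limited to relocated bytes: a single opcode difference in the non-wildcarded region is enough to reject the match, which keeps modified or author-written code from being mislabelled as a library routine.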
#SAS2023 #OperationUSBFlowing #Kaspersky
by Kaspersky Tech