CrowdStrike Intelligence Report: Putter Panda
CrowdStrike Global Intelligence Team

This report is part of the series of technical and strategic reporting available to CrowdStrike Intelligence subscribers. It is being released publicly to expose a previously undisclosed PLA unit involved in cyberespionage against Western technology companies.

In May 2014, the U.S. Department of Justice charged five Chinese nationals for economic espionage against U.S. corporations. The five known state actors are officers in Unit 61398 of the Chinese People’s Liberation Army (PLA). In response, the Chinese government stated that the claims were “absurd” and based on “fabricated facts”. China then went even further, stating “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.”

We believe that organizations, be they governments or corporations, global or domestic, must keep up the pressure and hold China accountable until lasting change is achieved. Not only did the U.S. Government offer in its criminal indictment the foundation of evidence designed to prove China’s culpability in electronic espionage, but also illustrated that the charges are only the tip of a very large iceberg. Those reading the indictment should not conclude that the People’s Republic of China (PRC) hacking campaign is limited to five soldiers in one military unit, or that they solely target the United States government and corporations. Rather, China’s decade-long economic espionage campaign is massive and unrelenting. Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every part of the globe.

At CrowdStrike, we see evidence of this activity first-hand as our services team conducts Incident Response investigations and responds to security breaches at some of the largest organizations around the world.
We have first-hand insight into the billions of dollars of intellectual property systematically leaving many of the largest corporations - oftentimes unbeknownst to their executives and boards of directors.

The campaign that is the subject of this report further points to espionage activity outside of Unit 61398, and reveals the activities of Unit 61486. Unit 61486 is the 12th Bureau of the PLA’s 3rd General Staff Department (GSD) and is headquartered in Shanghai, China. The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.

This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets, primarily relating to the satellite, aerospace and communication industries. With revenues totaling $189.2 billion in 2013, the satellite industry is a prime target for espionage campaigns that result in the theft of high-stakes intellectual property. While the gains from electronic theft are hard to quantify, stolen information undoubtedly results in an improved competitive edge, reduced research and development timetables, and insight into strategy and vulnerabilities of the targeted organization.

Parts of the PUTTER PANDA toolset and tradecraft have been previously documented, both by CrowdStrike, and in open source, where they are referred to as the MSUpdater group. This report contains details on the tactics, tools, and techniques used by PUTTER PANDA, and provides indicators and signatures that can be leveraged by organizations to protect themselves against this activity.

Our Global Intelligence Team actively tracks and reports on more than 70 espionage groups, approximately half of which operate out of China and are believed to be tied to the Chinese government.
This report is part of our extensive intelligence library and was made available to our intelligence subscribers in April 2014, prior to the US Government’s criminal indictment and China’s subsequent refusal to engage in a constructive dialog.

Targeted economic espionage campaigns compromise technological advantage, diminish global competition, and ultimately have no geographic borders. We believe the U.S. Government indictments and global acknowledgment and awareness are important steps in the right direction. In support of these efforts, we are making this report available to the public to continue the dialog around this ever-present threat.

George Kurtz
President/CEO & Co-Founder, CrowdStrike

Table of Contents:

Executive Summary ... 4
Key Findings ... 5
Attribution ... 7
C2 Indicators ... 8
Targeting ... 10
Connections to Other Adversary Groups ... 11
“CPYY” ... 12
711 Network Security Team ... 16
Military Connections ... 17
Unit 61486 ... 20
Binary Indicators ... 24
Conclusions ... 25
Technical Analysis ... 27
3PARA RAT ... 28
PNGDOWNER ... 33
HTTPCLIENT ... 34
Droppers - RC4 and XOR Based ... 35
Mitigation & Remediation ... 38
Registry Artifacts ... 39
File System Artifacts ... 39
Host Indicators ... 39
YARA Rules ... 40
Network Signatures ... 44
Snort Rules ... 44
TTPs ... 46
Conclusion ... 48
Appendix 1: 4H RAT Sample Metadata ... 50
Appendix 2: 3PARA RAT Sample Metadata ... 53
Appendix 3: PNGDOWNER Sample Metadata ... 54
Appendix 4: HTTPCLIENT Sample Metadata ... 57
CrowdStrike Falcon Intelligence ... 58
CrowdStrike Falcon ... 59
About CrowdStrike ... 60

Executive Summary

CrowdStrike has been tracking the activity of a cyber espionage group operating out of Shanghai, China, with connections to the People’s Liberation Army Third General Staff Department (GSD) 12th Bureau Military Unit Cover Designator (MUCD) 61486, since 2012.
The attribution provided in this report points to Chen Ping, aka cpyy (born on May 29, 1979), as an individual responsible for the domain registration for the Command and Control (C2) of PUTTER PANDA malware. In addition to cpyy, the report identifies the primary location of Unit 61486.

PUTTER PANDA is a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of the US Defense and European satellite and aerospace industries. The PLA’s GSD Third Department is generally acknowledged to be China’s premier Signals Intelligence (SIGINT) collection and analysis agency, and the 12th Bureau Unit 61486, headquartered in Shanghai, supports China’s space surveillance network.

Domains registered by Chen Ping were used to control PUTTER PANDA malware. These domains were registered to an address corresponding to the physical location of the Shanghai headquarters of 12th Bureau, specifically Unit 61486.

The report illuminates a wide set of tools in use by the actors, including several Remote Access Tools (RATs). The RATs are used by the PUTTER PANDA actors to conduct intelligence-gathering operations with a significant focus on the space technology sector. This toolset provides a wide degree of control over a victim system and can provide the opportunity to deploy additional tools at will. They focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks.

This report contains additional details on the tactics, tools, and techniques used by PUTTER PANDA, and provides indicators and signatures that can be leveraged by organizations to protect themselves against this activity.
Key Findings

➔ Putter Panda is a cyber espionage actor that conducts operations from Shanghai, China, likely on behalf of the Chinese People’s Liberation Army (PLA) 3rd General Staff Department 12th Bureau Unit 61486. This unit supports the space-based signals intelligence (SIGINT) mission.
➔ The 12th Bureau Unit 61486, headquartered in Shanghai, is widely accepted to be China’s primary SIGINT collection and analysis agency, supporting China’s space surveillance network.
➔ This is a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications.
➔ The group has been operating since at least 2007 and has been observed heavily targeting the US Defense and European satellite and aerospace industries.
➔ They focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks.
➔ CrowdStrike identified Chen Ping, aka cpyy, a suspected member of the PLA responsible for procurement of the domains associated with operations conducted by Putter Panda.
➔ There is infrastructure overlap with Comment Panda, and evidence of interaction between actors tied to both groups.

Attribution

There are several pieces of evidence to indicate that the activity tracked by CrowdStrike as PUTTER PANDA is attributable to a set of actors based in China, operating on behalf of the Chinese People’s Liberation Army (PLA). Specifically, an actor known as cpyy (Chen Ping) appears to have been involved in a number of historical PUTTER PANDA campaigns, during which time he was likely working in Shanghai within the 12th Bureau, 3rd General Staff Department (GSD).
PUTTER PANDA has several connections to actors and infrastructure tied to COMMENT PANDA, a group previously attributed to Unit 61398 of the PLA.

C2 Indicators

Although some of the domains used for command and control of the tools described later in this report appear to be legitimate sites that have been compromised in some way, many of them appear to have been originally registered by the operators. Table 1 shows the domains that appear to have been registered by these actors, and the original email address used where known.

Table 1. C2 Domains and Original Registrant Email Addresses (table contents not captured in this extraction)

The most significant finding is that an actor known as cpyy appears to have registered a significant number of C2 domains. This actor is discussed in the next section.

Many of the domains have had their registrant information changed, likely in an attempt to obfuscate the identity of the operators. For instance, several domains originally registered by cpyy had their email address updated to van.dehaim@gmail.com around the end of 2009; for siseau.com the change occurred between July 2009 and November 2009, and for vssigma.com, the change occurred between August 2009 and December 2009. Historical registrant information for anfoundation.us, rwchateau.com, and succourtion.org was not available prior to 2010, but it is likely that these domains were also originally registered to a personally attributable email account.

Similarly, several domains registered to mike.johnson_mj@yahoo.com have had their registrant email updated during March 2014 (see Table 2). These registrant changes may indicate an increased awareness of operational security (OPSEC) from the PUTTER PANDA actors. The recent changes to the domains shown in Table 2 may indicate that the operators are preparing new campaigns that make use of this infrastructure, or they are attempting to disassociate all these domains from a single email address, perhaps due to OPSEC concerns or issues with the specific email account.

Table 2. New Registrant Email Addresses for Domains Originally Registered to mike.johnson_mj@yahoo.com (table contents not captured in this extraction)

Although no attributable information was found on the email addresses associated with the domains described above (aside from cpyy and httpchen – see below), several other domains were found to have been registered by some of these addresses. These are shown in Table 3, and may be used for command and control of PUTTER PANDA tools.

Table 3. Domains Associated with Registrant Emails Found in PUTTER PANDA C2 Domains (table contents not captured in this extraction)

Targeting

The subdomains associated with these domains via DNS records, along with some of the domain names themselves, point to some areas of interest for the PUTTER PANDA operators (see also Droppers in the following Technical Analysis section):
• Space, satellite, and remote sensing technology (particularly within Europe);
• Aerospace, especially European aerospace companies;
• Japanese and European telecommunications.

It is likely that PUTTER PANDA will continue to attack targets of this nature in future intelligence-gathering operations.

Connections to Other Adversary Groups

COMMENT PANDA

Based on passive DNS records, several PUTTER PANDA associated domains have resolved to IP address 100.42.216.230:
• news.decipherment.net
• res.decipherment.net
• spacenews.botanict.com
• spot.decipherment.net

Additionally, several subdomains of ujheadph.com resolved to this IP:
• chs.ujheadph.com
• imageone.ujheadph.com
• img.ujheadph.com
• klcg.ujheadph.com
• naimap.ujheadph.com
• neo.ujheadph.com
• newspace.ujheadph.com
• pasco.ujheadph.com

Another subdomain of ujheadph.com has been observed [2] in connection with distinctive traffic originating from the 3PARA RAT (described below), making it probable that this domain is also associated with PUTTER PANDA.

The decipherment.net domains resolved to this IP address from 11 October 2012 to at least 25 February 2013, and the botanict.com domain resolved from 11 October 2012 to 24 March 2013. During part of this timeframe (30 June 2012 - 30 October 2012), a domain associated with COMMENT PANDA resolved to this same IP address: login.aolon1ine.com. Additionally, for a brief period in April 2012, update8.firefoxupdata.com also resolved to this IP address. The use of the same IP address during the same time suggests that there is perhaps some cooperation or shared resources between COMMENT PANDA and PUTTER PANDA.

VIXEN PANDA

Although not as conclusive as the links to COMMENT PANDA, IP address 31.170.110.163 was associated with VIXEN PANDA domain blog.strancorproduct.info from November to December 2013. In February 2014, this IP address was also associated with PUTTER PANDA domain ske.hfmforum.com.
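The overlap reasoning above (two groups' domains resolving to the same IP during overlapping date windows) is mechanical enough to automate over a passive-DNS export. The following is an added example written for this edit, not code from the report or from CrowdStrike: it takes a list of (domain, group, ip, first_seen, last_seen) records, pairs up records that share an IP but belong to different groups, and reports how many days their resolution windows overlap or, if they do not overlap, how many days apart they are. The records are constructed from the dates quoted in the text; where the report gives only a month ("April 2012", "November to December 2013", "February 2014"), whole-month bounds are assumed.

```python
"""Cross-group shared-IP analysis over passive-DNS style records (constructed sample data)."""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed records: (domain, group, ip, first_seen, last_seen), inclusive windows.
# Day-level dates come from the report; month-only periods are assumed to span the whole month.
RECORDS = [
    ("news.decipherment.net", "PUTTER PANDA", "100.42.216.230", date(2012, 10, 11), date(2013, 2, 25)),
    ("spacenews.botanict.com", "PUTTER PANDA", "100.42.216.230", date(2012, 10, 11), date(2013, 3, 24)),
    ("login.aolon1ine.com", "COMMENT PANDA", "100.42.216.230", date(2012, 6, 30), date(2012, 10, 30)),
    ("update8.firefoxupdata.com", "COMMENT PANDA", "100.42.216.230", date(2012, 4, 1), date(2012, 4, 30)),
    ("blog.strancorproduct.info", "VIXEN PANDA", "31.170.110.163", date(2013, 11, 1), date(2013, 12, 31)),
    ("ske.hfmforum.com", "PUTTER PANDA", "31.170.110.163", date(2014, 2, 1), date(2014, 2, 28)),
]


def window_relation(a_start, a_end, b_start, b_end):
    """Return (overlap_days, gap_days) for two inclusive date windows.

    Exactly one of the two values is non-zero: overlapping windows report the
    number of shared days, disjoint windows report the distance between them.
    """
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    if end >= start:
        return (end - start).days + 1, 0
    return 0, (start - end).days


def infrastructure_links(records):
    """Pair every two records that share an IP but are attributed to different groups."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[2]].append(rec)
    links = []
    for ip, recs in by_ip.items():
        for a, b in combinations(recs, 2):
            if a[1] == b[1]:
                continue  # same group on the same IP says nothing about cross-group sharing
            overlap, gap = window_relation(a[3], a[4], b[3], b[4])
            links.append({
                "ip": ip,
                "domains": (a[0], b[0]),
                "groups": (a[1], b[1]),
                "overlap_days": overlap,
                "gap_days": gap,
            })
    return links


def concurrent_links(records):
    """Only the links where both groups used the IP at the same time (the strongest signal)."""
    return [link for link in infrastructure_links(records) if link["overlap_days"] > 0]


if __name__ == "__main__":
    for link in infrastructure_links(RECORDS):
        kind = f"overlap {link['overlap_days']}d" if link["overlap_days"] else f"gap {link['gap_days']}d"
        print(f"{link['ip']}: {link['domains'][0]} ({link['groups'][0]}) <-> "
              f"{link['domains'][1]} ({link['groups'][1]}): {kind}")
```

On the constructed records the COMMENT PANDA domain login.aolon1ine.com shares 20 days of resolution with each of the two PUTTER PANDA domains on 100.42.216.230, while the VIXEN PANDA and PUTTER PANDA domains on 31.170.110.163 never overlap and sit 32 days apart, which is the same distinction the report draws between the "conclusive" and "not as conclusive" links.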
While not directly overlapping, this potential infrastructure link is interesting, as VIXEN PANDA has previously displayed TTPs similar to COMMENT PANDA (other CrowdStrike reporting describes VIXEN PANDA malware that extracts C2 commands embedded between delimiters in web content), and has extensively targeted European entities.

[2] See http://webcache.googleusercontent.com/search?q=cache:ZZyfzC1Y0UoJ:www.urlquery.net/report.php%3Fid%3D9771458+&cd=2&hl=en&ct=clnk&gl=uk

“CPYY”

Several email addresses have been associated with cpyy, who also appears to use the alternate handles cpiyy and cpyy.chen:
• cpyy@sina.com
• cpyy@hotmail.com
• cpyy.chen@gmail.com
• cpyy@cpyy.net

The cpyy.net domain lists “Chen Ping” as the registrant name, which may be cpyy’s real name, as this correlates with the initials “cp” in “cpyy”. A personal blog for cpyy was found at http://cpiyy.blog.163.com/. The profile on this blog (shown in Figure 2 below) indicates that the user is male, was born on 25 May 1979, and works for the “military/police” (其他- 军人/警察).

Figure 2. cpyy Personal Blog on 163.com

This blog contains two postings in the “IT” category that indicate at least a passing interest in the topics of networking and programming. A related CSDN profile for user cpiyy indicates that cpyy was working on or studying these topics in 2002 and 2003 [3]. Another personal blog for cpyy (http://www.tianya.cn/1569234/bbs) appears to have last been updated in 2007. This states that the user lives in Shanghai, and has a birthdate identical to that in the 163.com blog.
cpyy was also active on a social networking site called XCar, stating that he lived in Shanghai as early as 2005 through 2007; he said in a post, “Soldier’s duty is to defend the country, as long as our country is safe, our military is excellent” [4], indicating a feeling of patriotism that could be consistent with someone who chose a military or police-based career.

Figure 3. cpyy Personal Blog on tianya.cn

On the XCar forum, cpyy.chen used a subforum called POLO (hacker slang for “Volkswagen cars”) to communicate with other users Linxder, peggycat, “Naturally do not understand romance” (天生不懂浪漫), “a wolf” (一只大灰狼), “large tile” (大瓦片), “winter” (冬夜), “chunni” (春妮), papaya, kukuhaha, Cranbing, “dusty sub” (多尘子), z11829, “ice star harbor” (冰星港), “polytechnic Aberdeen” (理工仔), “I love pineapple pie” (我爱菠罗派), and “she’s distant” in 2007. Although superficially the discussion is about cars, there is a repeated word in the text, “milk yellow package” or “custard package” or “yoke package” (奶黄包). This could be a hacker slang word, but it is unclear as to the definition. The conversation alludes to Linxder being the “teacher” or “landlord” and the other aforementioned users are his “students”. Linxder references how he has “found jobs” for them. It is possible that this is a reference to hacking jobs wrapped up in car metaphors.

Linxder is the handle of an actor associated with the likely Shanghai-based COMMENT PANDA group [5]. Linxder, cpyy, and xiaobai have all discussed programming and security related topics on cpyy’s site, cpyy.org [6], which hosted a discussion forum for the 711 Network Security Team (see below).

cpyy also appears to have a keen interest in photography; his 163.com blog includes several photographs taken by cpyy in the blog postings and albums section.

[3] See postings: http://bbs.csdn.net/users/cpiyy/topics
[4] hxxp://www.xcar.com.cn/bbs/viewthread.php?tid=7635725&page=6
Some of these photographs also appear in a Picasa site [7] (examples are shown in Figures 5 and 6) belonging to a user cpyy.chen. An album in this site named “me” has several shots of what is likely cpyy himself, from 2005, 2006, and 2007, shown to the right:

Figure 4. cpyy.chen, from 2005, 2006, and 2007 (left to right)

An account on rootkit.com, a popular low-level software security site, existed for user cpyy and was accessed in at least May 2004. This account was registered with primary email address cpyy@cpyy.net and backup email address cpyy@hotmail.com; it listed a date of birth as 24 May 1979, consistent with cpyy’s other profiles. The IP address 218.242.252.214 was associated with this account; it is owned by the Oriental Cable Network Co., Ltd., an ISP located in Shanghai. Registration on this forum shows that cpyy had an interest in security-related programming topics, which is backed up by the postings on his personal blog and CSDN account.

Figure 5. Sample Photograph from cpyy.chen’s Picasa Albums
Figure 6. Example Photograph from 163.com Blog

711 Network Security Team

One of the sites registered to cpyy was used to host a web-based email service, along with a forum on www.cpyy.net. Both of these services were apparently run by the 711 Network Security Team (711网络安全小组), a group that is now likely defunct, but has previously published security-based articles that have been re-posted on popular Chinese hacking sites such as xfocus.net [8]. One of these articles, entitled “IMD-based packet filtering firewall to achieve the principles” [9], is apparently authored by xiaobai, with email address xiaobai@openfind.com.cn; it was published on the “GRATEFUL” (饮水思源) security digest list [10] that is hosted by Shanghai Jiao Tong University (SJTU).

Figure 7. httpchen Posting on SJTU “GRATEFUL” BBS
This digest list/bulletin board was also frequented by ClassicWind, an actor possibly linked to the Shanghai-based, PLA-sponsored adversary group COMMENT PANDA, as described in. This Tipper also indicates that “the Chinese Communist Party (CCP) and the People’s Liberation Army (PLA) aggressively target SJTU and its School of Information Security Engineering (SISE) as a source of research and student recruitment to conduct network offense and defense campaigns”, so it is possible that the 711 Network Security Team members came to the attention of the Chinese state via this institution.

An additional connection to SJTU comes from a C2 domain, checalla.com, used with the 4H RAT in 2008. This domain was registered to httpchen@gmail.com at the time, and this address was also used to make a posting on the GRATEFUL BBS (shown in Figure 7). The posting indicates that httpchen is located at the 闵行 (Minhang) campus of SJTU and was posting using IP address 58.196.156.15, which is associated with the China Education and Research Network (CERNET), a nationwide network managed by the Chinese Ministry of Education. It also states that httpchen is studying at the school of Information Security Engineering within SJTU.

[8] For example, hxxp://www.xfocus.net/articles/200307/568.html
[9] This article also lists http://cpyy.vicp.net/ as the original source site, although no archived content could be recovered for this.
[10] See http://bbs.sjtu.edu.cn/bbsanc,path,/groups/GROUP_3/Security/D44039356/D69C6D2AC/D4C11F438/D6DB67E4E/DA69FF663/M.1052844461.A.html

Military Connections

Several pieces of evidence indicate that cpyy probably has connections to, or is part of, the Chinese military – specifically the PLA Army.
In addition to his declaration on his personal blog that he works for the “military/police”, and contacts with actors such as Linxder that have been previously associated with hacking units within the PLA, cpyy’s Picasa site contains several photographs that hint at military connections.

First, a monochrome picture from the 大学时代 (“college”) album posted in February 2007 shows several uniformed individuals. It is not clear whether this picture includes cpyy, or just friends/associates/relatives.

A picture from the 中学时代 (“high school”) album posted in February 2007 shows a male – likely cpyy based on the clothing shown in the second picture, which matches the pictures of cpyy shown above – performing exercise in front of a group of likely soldiers and an officer.

Although somewhat unclear, pictures from the album 2002年的生日 (“2002 birthday”), also posted in February 2007, show the celebrant (likely cpyy) in khaki clothes that are possibly military wear.

The most compelling pictures, however, are found in the 宿舍 and 办公室 albums (“dormitory” and “office”). A shot of probably cpyy’s dormitory room shows in the background two military hats that appear to be Type 07 PLA Army officer peak hats.

This album also contains a shot of the exterior of a building with several large satellite dishes outside. This same building and the satellite dishes also appear in the “office” album. The reflection effects observed on the windows of this building could be due to coatings applied to resist eavesdropping via laser microphones and to increase privacy, which would be consistent with a military installation conducting sensitive work.
Above is an image from the same album of what appears to be a larger dish, in front of the Oriental Pearl Tower, a significant landmark in Shanghai.

Unit 61486

As mentioned above, checalla.com was used for command and control with the PUTTER PANDA 4H RAT in 2008. This domain was registered to httpchen@gmail.com, and in May 2009 the domain registration details were updated to include a Registrant Address of “shanghai yuexiulu 46 45 202#”. A search for this location reveals an area of Shanghai shown in Figure 8 [12]. Figure 9 shows an enlargement of satellite imagery from within this area, depicting a facility containing several satellite dishes within green areas, sports courts and a large office building.

[12] Source: https://www.google.com/maps/place/31%C2%B017’18.0%22N+121%C2%B027’18.7%22E/@31.2882939,121.4554673,658m/data=!3m1!1e3!4m2!3m1!1s0x0:0x0

Figure 8. Map and Satellite Views of Area of Interest in Shanghai
Figure 9. Enlarged Section within Area of Interest

Satellite imagery from 2009 showing another aspect of this office building, along with a likely vantage point and direction of camera, alongside probably cpyy’s photograph from the same angle, is shown in Figure 10:

Figure 10. Satellite Imagery of Facility Alongside Handheld Image from cpyy

Based on the Shanghai location, and common features, it is highly likely that the location shown above is the same as that photographed by cpyy and shown in the “office” and “dormitory” albums. Further confirmation can be found from photos uploaded by a user on Panoramio [13] who tags the image as being located in Chabei [14], Shanghai, China (31° 17’ 18.86” N 121° 27’ 9.83” E). This image is exceptionally similar to the building shown in cpyy’s “office” album (see Figure 11 below).
[13] http://www.panoramio.com/user/3305909
[14] Alternately Romanized as Zhabei

Figure 11. Panoramio (left) and cpyy Images Compared

According to a public report [15] on the Chinese PLA’s General Staff Department (GSD), the 12th Bureau of the 3rd GSD is headquartered in the Zhabei district of Shanghai and “appears to have a functional mission involving satellites, likely inclusive of intercept of satellite communications and possibly space-based SIGINT collection”. The same report also lists a Military Unit Cover Designator (MUCD) of 61486 for this bureau.

A webpage [16] published on a Chinese government site detailing theatrical performances involving members of the PLA lists an address of “闸北区粤秀路46号” (46 Yue Xiu Road, Zhabei District) for “总参61486部队” (61486 Forces General Staff). A search for this location shows an identical area to that shown in Figure 8.

It can therefore be concluded with high confidence that the location shown in cpyy’s imagery, along with the satellite images above, is the headquarters of the 12th Bureau, 3rd GSD, Chinese PLA – also known as Unit 61486. This unit’s suspected involvement in “space surveillance” [17] and “intercept of satellite communications” fits with their observed targeting preferences for Western companies producing technologies in the space and imaging/remote sensing sectors. The size and number of dishes present in the area is also consistent with these activities.
[15] http://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf
[16] http://www.dfxj.gov.cn/xjapp/wtzyps/wtlzy/wyyjysl/zhc/zyc/bd01d910153ffb4d0115a7c12f70042e.html
[17] http://project2049.net/documents/china_electronic_intelligence_elint_satellite_developments_easton_stokes.pdf

Binary Indicators

Observed build times for the PUTTER PANDA tools described in this report range from 2007 to late 2013, indicating that the actors have conducted several campaigns against their objectives over a period of several years. A build time analysis of all known samples is shown in Figure 1 below, relative to China time.

Figure 1. Build Time Analysis of PUTTER PANDA Malware, Relative to China Time (UTC+8)

Although this shows that there is some bias in the build time distribution to daylight or working hours in China, which is more significant if a possible three-shift system of hours is considered (0900-1200, 1400-1700, and 2000-2300), this evidence is not conclusive. There is also some evidence that build times are manipulated by the adversary; for example, the sample with MD5 hash bc4e9dad71b844dd3233cfbbb96c1bd3 has a build time of 18 July 2013, but was supposedly first submitted to VirusTotal on 9 January 2013. This shows that the attackers – at least in 2013 – were aware of some operational security considerations and were likely taking deliberate steps to hide their origins.

Conclusions

There is strong evidence to tie cpyy, an actor who appears to have been involved in historical PUTTER PANDA operations, to the PLA army and a location in Shanghai that is operated by the 12th Bureau, 3rd GSD of the PLA (Unit 61486). Another actor tied to this activity, httpchen, has declared publicly that he was attending the School of Information Security Engineering at SJTU.
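The two checks the Binary Indicators section relies on, bucketing the PE compile timestamp into China working hours and flagging a build time that post-dates the sample's first sighting, can be scripted directly from the COFF header. The block below is an added example for this edit, not code from the report or from CrowdStrike. It reads the TimeDateStamp from a PE image, converts it to UTC+8, assigns it to one of the three shift windows the report discusses, and compares it with a first-seen date. The sample bytes are a constructed stub (just enough of an MZ/PE header to carry a timestamp, not a real malware sample), and the assumed build time of 02:30 UTC on 18 July 2013 uses the report's date with an invented time of day; the first-seen date is the 9 January 2013 VirusTotal date quoted in the text.

```python
"""Build-time triage for PE samples: shift bucketing (UTC+8) and timestomp check (added example)."""
import struct
from datetime import datetime, timedelta, timezone

CHINA_TZ = timezone(timedelta(hours=8))
# The three working blocks the report considers, as [start_hour, end_hour) in China time.
SHIFTS = ((9, 12), (14, 17), (20, 23))


def make_pe_stub(timestamp):
    """Construct a minimal MZ/PE image whose only meaningful field is the COFF TimeDateStamp."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header starts right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_build_time(data):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        return None
    stamp = struct.unpack_from("<I", data, off + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def shift_bucket(build_utc):
    """Map a build time to the China working block it falls in, or None if outside all three."""
    local = build_utc.astimezone(CHINA_TZ)
    for start, end in SHIFTS:
        if start <= local.hour < end:
            return f"{start:02d}00-{end:02d}00"
    return None


def analyze_sample(data, first_seen_utc):
    """Summarise build time evidence for one sample; a build after first sighting is timestomped."""
    build = pe_build_time(data)
    if build is None:
        return None
    return {
        "build_utc": build,
        "build_china": build.astimezone(CHINA_TZ),
        "shift": shift_bucket(build),
        "timestomped": build > first_seen_utc,
    }


# Constructed sample: the report's dates with an assumed time of day for the build.
SAMPLE_BUILD_UTC = datetime(2013, 7, 18, 2, 30, tzinfo=timezone.utc)
SAMPLE_FIRST_SEEN_UTC = datetime(2013, 1, 9, tzinfo=timezone.utc)
SAMPLE = make_pe_stub(int(SAMPLE_BUILD_UTC.timestamp()))

if __name__ == "__main__":
    print(analyze_sample(SAMPLE, SAMPLE_FIRST_SEEN_UTC))
```

Run over a corpus, the `shift` values give the histogram behind Figure 1, and any sample with `timestomped` set is one whose compile timestamp cannot be trusted for that histogram, which is the caveat the report attaches to its own analysis.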
This university has previously been posited as a recruiting ground for the PLA to find personnel for its cyber intelligence gathering units, and there is circumstantial evidence linking cpyy to other actors based at SJTU. Given the evidence outlined above, CrowdStrike attributes the PUTTER PANDA group to PLA Unit 61486 within Shanghai, China with high confidence. It is likely that this organization is staffed in part by current or former students of SJTU, and shares some resources and direction with PLA Unit 61398 (COMMENT PANDA).

Technical Analysis

Several RATs are used by PUTTER PANDA. The most common of these, the 4H RAT and the 3PARA RAT, have been documented in previous CrowdStrike Intelligence reporting. This analysis is revisited below, along with an examination of two other PUTTER PANDA tools: pngdowner and httpclient. Two droppers associated with the PUTTER PANDA toolset are also briefly examined.

4H RAT – EXAMPLE MD5 HASH A76419A2FCA12427C887895E12A3442B

This RAT was first analyzed by CrowdStrike in April 2012, but historical analysis shows that it has been in use by the PUTTER PANDA actors since at least 2007. A listing of metadata for known samples, including C2 information, is shown in Appendix 1. The operation of this RAT is described in detail in other CrowdStrike reporting, but it is useful to revisit it here to highlight the characteristics of the RAT:

• C2 occurs over HTTP, after connectivity has been verified by making a distinctive request (to the URI /search?qu= at www.google.com).
• A victim identifier is generated from the infected machine’s hard disk serial number, XOR’ed with the key ldd46!yo, and finally nibble-wise encoded as upper-case ASCII characters in the range A-P (nibble 0x0 maps to A and 0xF to P, so the byte value 0x1F becomes “BP”).
• A series of HTTP requests characterizes the RAT’s C2. The initial beacon uses a request with four parameters (h1, h2, h3, and h4), as shown in Figure 8, to register the implant with the C2 server.
• Communication to and from the C2 server is obfuscated using a 1-byte XOR with the key 0xBE.
• The commands supported by the RAT enable several capabilities, including:
  o Remote shell
  o Listing of running processes (including loaded modules)
  o Process termination (specified by PID)
  o File and directory listing
  o File upload, download, deletion, and timestamp modification

Figure 8. 4H RAT Example Beacon

Figure 9. Sample Python Code to Decode Hostname from User-Agent Snippet

3PARA RAT – EXAMPLE MD5 HASH BC4E9DAD71B844DD3233CFBBB96C1BD3

The 3PARA RAT was described in some detail in other CrowdStrike reporting, which examined a DLL-based sample with an exported filename of ssdpsvc.dll. Other observed exported filenames are msacem.dll and mrpmsg.dll, although the RAT has also been observed in plain executable (EXE) format. On startup, the RAT attempts to create a file mapping named &*SDKJfhksdf89*DIUKJDSF&*sdfsdf78sdfsdf. This is used to prevent multiple instances of the RAT being executed simultaneously. The RAT will then use a byte-wise subtraction-based algorithm (using a hard-coded modulo value) to decode C2 server details consisting of a server hostname and port number, in this example nsc.adomhn.com, port 80. The decoding algorithm is illustrated in Figure 10 below. The key and modulo values vary on a per-sample basis.
Decoded C2 settings, along with sample metadata, are listed in Appendix 2.

The RAT is programmed in C++ using Microsoft Visual Studio, and it makes use of the object-oriented and parallel programming features of this environment; Standard Template Library (STL) objects are used to represent data structures such as strings and lists, and custom objects are used to represent some of the C2 command handlers (e.g., CCommandCMD). Several threads are used to handle different stages of the C2 protocol, such as receiving data from the server, decrypting data, and processing commands. Standard Windows primitives such as Events are used to synchronize across these threads, with a shared global structure used to hold state.

Figure 10. Sample Python Code Illustrating C2 Server Decoding Routine

Once running, the RAT will load a binary representation of a date/time value [13] from the file C:\RECYCLER\restore.dat, and it will sleep until after this date/time has passed. This provides a mechanism for the operators to allow the RAT to remain dormant until a fixed time, perhaps to allow a means of regaining access if other parts of their toolset are removed from a victim system.

Figure 11. 3PARA RAT Initial Beacon

As with the 4H RAT, the C2 protocol used by the 3PARA RAT is HTTP based, using both GET and POST requests. An initial request is made to the C2 server (illustrated in Figure 11 above), but the response value is effectively ignored; it is likely that this request serves only as a connectivity check, as further C2 activity will only occur if this first request is successful. In this case, the RAT will transmit some basic victim information to the C2 server along with a 256-byte hash of the hard-coded string HYF54&%9&jkMCXuiS, produced with the HashData API [14].
It is likely that this request functions as a means to authenticate the RAT to the C2 server and register a new victim machine with the controller. A sample request and its structure are shown in Figure 12.

[13] Using the standard Windows SYSTEMTIME structure
[14] See http://msdn.microsoft.com/en-us/library/windows/desktop/bb759853(v=vs.85).aspx for details of this API, which is rarely used.

Figure 12. Sample 3PARA RAT Secondary Beacon/C2 Registration

If this request is also successful, the RAT will attempt to retrieve tasking from the controller using a further distinctive HTTP request shown in Figure 13, repeating this request every two seconds until valid tasking is returned.

Figure 13. 3PARA RAT Sample Tasking Request

Returned tasking is decrypted using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS (the same string used in the secondary beacon shown above). If this fails, the RAT will fall back to decoding the data using an 8-byte XOR with a key derived from data returned by the HashData API for the same key string. Output data produced by tasking instructions is encrypted in the same manner as it was decrypted and sent back to the C2 server via an HTTP POST request to a URI of the form /microsoft/errorpost/default.aspx?ID=, where the ID value is a random number in decimal representation, as with the initial request shown in Figure 4.
The set of commands supported by the RAT is somewhat limited, indicating that perhaps the RAT is intended to be used as a second-stage tool, or as a failsafe means for the attackers to regain basic access to a compromised system (which is consistent with its support for sleeping until a certain date/time). Some of the supported commands are implemented using C++ classes derived from a base CCommand class:

• CCommandAttribe – Retrieve metadata for files on disk, or set certain attributes such as creation/modification timestamps.
• CCommandCD – Change the working directory for the current C2 session.
• CCommandCMD – Execute a command, with standard input/output/error redirected over the C2 channel.
• CCommandNOP – List the current working directory.

However, other commands are not implemented in this way. These other commands contain functionality to:

• Pause C2 activity for a random time interval.
• Shut down C2 activity and exit.
• Provide a date and time before which beaconing will not resume, recorded in the file C:\RECYCLER\restore.dat as noted above.

The use of C++ classes that inherit from a base class to carry out some of the tasking commands, along with the use of concurrency features, indicates that the developers of the RAT put some thought into the architecture and design of their tool, although the decision to implement some commands outside of the class-based framework is curious, and may indicate that multiple developers worked on the RAT (or a single developer with shifting preferences in coding style).

PNGDOWNER – EXAMPLE MD5 HASH 687424F0923DF9049CC3A56C685EB9A5

The pngdowner malware is a simple tool constructed using Microsoft Visual Studio and implemented in a single C++ source code file.
This sample contains a PDB path of Y:\Visual Studio 2005\Projects\branch-downer\downer\Release\downer.pdb, but other similar paths, Z:\Visual Studio 2005\Projects\pngdowner\Release\pngdowner.pdb and Z:\Visual Studio 2005\Projects\downer\Release\downer.pdb, have also been observed in other samples. Appendix 3 lists metadata for known pngdowner samples.

Initially, the malware will perform a connectivity check to a hard-coded URL (http://www.microsoft.com), using a constant user agent Mozilla/4.0 (Compatible; MSIE 6.0;). This string is distinguishable from a genuine Internet Explorer user agent, which spells “compatible” in lower case and carries a platform token after the MSIE version, so an exact match on it is a usable network indicator. If this request fails, the malware will attempt to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store using publicly known methods [15], using the proxy credentials for subsequent requests if they enable outbound HTTP access. An initial request is then made to the hard-coded C2 server and initial URI, forming a URL of the form (in this sample) http://login.stream-media.net/files/xx11/index.asp?95027775, where the numerical parameter represents a random integer. A hard-coded user agent of myAgent is used for this request and for subsequent communication with the C2 server.

Content returned from this request to the C2 server will be saved to a file named index.dat in the user’s temporary directory (i.e., %TEMP%). This file is expected to contain a single line, specifying a URL and a filename. The malware will then attempt to download content from the specified URL to the filename within the user’s temporary directory, and then execute this file via the WinExec API. If this execution attempt succeeds, a final C2 request will be made, in this case to a URL using the same path as the initial request (and a similarly random parameter), but with a filename of success.asp. Content returned from this request will be saved to a file, but then immediately deleted.
Finally, the malware will delete the content saved from the first request, and exit. The limited functionality and lack of persistence of this tool imply that it is used only as a simple download-and-execute utility.

Although the version mentioned here uses C++, along with Visual Studio’s Standard Template Library (STL), older versions of the tool (such as MD5 hash b54e91c234ec0e739ce429f47a317313), built in 2011, use plain C. This suggests that despite the simple nature of the tool, the developers have made some attempts to modify and perhaps modernize the code. Both versions contain debugging/progress messages such as “down file success”. Although these are not displayed to the victim, they were likely used by the developers as a simple means to verify the functionality of their code.

HTTPCLIENT – EXAMPLE MD5 HASH 544FCA6EB8181F163E2768C81F2BA0B3

Like pngdowner, the httpclient malware is a simple tool that provides a limited range of functionality and uses HTTP for its C2 channel. This malware also initially performs a connectivity check to www.microsoft.com using the hard-coded user agent Mozilla/4.0 (Compatible; MSIE 6.0;), although in this variant no attempt is made to extract proxy credentials. The malware will then connect to its configured C2 infrastructure (file.anyoffice.info) and perform an HTTP request of the form shown in Figure 14 below:

Figure 14. HttpClient Sample Beacon

Content returned from the C2 server is deobfuscated by XOR’ing the content with a single byte, 0x12. The decoded data is then checked for the string runshell. If this string is not present, the C2 request is repeated every 0.5 seconds. Otherwise, a shell process is started (i.e., cmd.exe), with input/output redirected over the C2 channel.
Shell commands from the server are followed by an encoded string $$$, which indicates that the shell session should continue. If the session is ended, two other commands are supported: m2b (upload file) and b2m (download file). Slight variations on the C2 URLs are used for different phases of the C2 interaction:

• Shell command: /Microsoft/errorpost/default.asp?tmp=
• Shell response: /MicrosoftUpdate/GetUpdate/KB/default.asp?tmp=

[15] Both methods are detailed here: http://securityxploded.com/iepasswordsecrets.php

Given the lack of a persistence mechanism and low level of sophistication, it is likely that httpclient, like pngdowner, is used as a second-stage or supplementary/backup tool. Appendix 4 lists metadata for observed httpclient samples.

DROPPERS – RC4 AND XOR BASED

Other CrowdStrike reporting describes a dropper used by PUTTER PANDA (abc.scr) to install the 4H RAT. This dropper uses RC4 to decrypt an embedded payload from data in an embedded resource before writing the payload to disk and executing it. Several instances of this dropper have been observed, most commonly in association with the 4H RAT, but also in relation to other tools that will be described in forthcoming reporting.

Another dropper has been observed, exclusively installing the pngdowner malware (example MD5 hash 4c50457c35e2033b3a03fcbb4adac7b7). This dropper is simplistic in nature, and is compiled from a single C++ source code file. It contains a Word document in plaintext (written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc), along with an executable (Update.exe) and DLL (McUpdate.dll). The executable and DLL are both contained within the .data section of the dropper, obfuscated with a 16-byte XOR key (consisting of the bytes 0xA0 – 0xAF).
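The 4H RAT victim identifier (XOR with ldd46!yo followed by A-P nibble encoding), the 1-byte XOR applied to 4H (0xBE) and httpclient (0x12) C2 traffic, and the 16-byte XOR applied to the executables embedded in the pngdowner dropper are all instances of repeating-key XOR. The Python below is an added example written for this page, not code from the report or from the malware, and it re-implements each scheme as described above so that an analyst can reverse them: it recovers a disk serial from a 4H victim identifier, decodes an httpclient response and says what the implant would do with it, and carves a XOR-obfuscated PE image out of a dropper section without knowing where in the section the key sequence starts. The following are assumptions made for the example, not facts from the report: the key is applied cyclically from the first byte of the data; the 4H disk serial is treated as raw bytes; after runshell, a shell command is the text directly followed by $$$ and the m2b/b2m commands are followed by a space and a path. All sample inputs are constructed.

```python
import re

# ---- generic helper ---------------------------------------------------------
def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key (assumed to start at data[0])."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# ---- 4H RAT: victim identifier and C2 obfuscation ---------------------------
FOURH_ID_KEY = b"ldd46!yo"           # key named in the report
FOURH_C2_KEY = b"\xbe"               # 1-byte XOR on 4H C2 traffic
NIBBLE_ALPHABET = "ABCDEFGHIJKLMNOP"  # nibble 0x0 -> 'A' ... 0xF -> 'P'

def nibble_encode(data: bytes) -> str:
    """High nibble then low nibble of each byte as A-P, e.g. 0x1F -> 'BP'."""
    return "".join(NIBBLE_ALPHABET[b >> 4] + NIBBLE_ALPHABET[b & 0xF] for b in data)

def nibble_decode(text: str) -> bytes:
    if len(text) % 2 or not re.fullmatch(r"[A-P]*", text):
        raise ValueError("not an A-P nibble-encoded string")
    vals = [NIBBLE_ALPHABET.index(c) for c in text]
    return bytes((vals[i] << 4) | vals[i + 1] for i in range(0, len(vals), 2))

def fourh_victim_id(disk_serial: bytes) -> str:
    """Victim ID = nibble_encode(serial XOR ldd46!yo); serial as raw bytes (assumption)."""
    return nibble_encode(xor_repeating(disk_serial, FOURH_ID_KEY))

def fourh_recover_serial(victim_id: str) -> bytes:
    """Inverse of fourh_victim_id: both steps are bijective, so the serial comes back exactly."""
    return xor_repeating(nibble_decode(victim_id), FOURH_ID_KEY)

# ---- httpclient: 0x12 XOR and command classification ------------------------
HTTPCLIENT_KEY = b"\x12"

def httpclient_parse(raw: bytes) -> tuple:
    """Decode a C2 response and report what the implant would do with it.
    Framing after runshell (text + '$$$', 'm2b <path>', 'b2m <path>') is an assumption."""
    plain = xor_repeating(raw, HTTPCLIENT_KEY).decode("latin-1")
    if "runshell" in plain:
        return ("runshell", "")      # start cmd.exe with I/O over the C2 channel
    if plain.endswith("$$$"):
        return ("shell", plain[:-3])  # run the command, keep the session open
    if plain.startswith("m2b "):
        return ("m2b", plain[4:])     # upload file
    if plain.startswith("b2m "):
        return ("b2m", plain[4:])     # download file
    return ("wait", plain)            # no runshell: the implant polls again in 0.5 s

# ---- pngdowner dropper: carve 16-byte-XOR'ed PE images from .data -----------
DROPPER_KEY = bytes(range(0xA0, 0xB0))  # 0xA0 .. 0xAF

def carve_xor_pe(section: bytes, key: bytes = DROPPER_KEY) -> list:
    """Try every rotation (phase) of the key, since the payload need not start on a
    key boundary, and report offsets where the decoded bytes form an MZ header whose
    e_lfanew points at a 'PE\\0\\0' signature. 'image' runs from the header to the end
    of the section; the true image size comes from the PE headers."""
    hits = []
    for phase in range(len(key)):
        rotated = key[phase:] + key[:phase]
        dec = xor_repeating(section, rotated)
        for m in re.finditer(b"MZ", dec):
            off = m.start()
            if off + 0x40 > len(dec):
                continue
            e_lfanew = int.from_bytes(dec[off + 0x3C:off + 0x40], "little")
            sig = off + e_lfanew
            if e_lfanew >= 0x40 and sig + 4 <= len(dec) and dec[sig:sig + 4] == b"PE\x00\x00":
                hits.append({"offset": off, "phase": phase, "image": dec[off:]})
    return hits

# ---- constructed sample inputs (not taken from real samples) ----------------
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_DROPPER_SECTION = b"A" * 7 + xor_repeating(FAKE_PE, DROPPER_KEY) + b"\x00" * 5
SAMPLE_HTTPCLIENT_RESPONSES = [xor_repeating(m, HTTPCLIENT_KEY) for m in
                               (b"runshell", b"dir C:\\$$$", b"m2b C:\\Users\\a\\secret.doc", b"idle")]

if __name__ == "__main__":
    vid = fourh_victim_id(b"\x12\x34\x56\x78")
    print("4H victim id:", vid, "-> serial", fourh_recover_serial(vid).hex())
    for r in SAMPLE_HTTPCLIENT_RESPONSES:
        print("httpclient:", httpclient_parse(r))
    for h in carve_xor_pe(SAMPLE_DROPPER_SECTION):
        print("PE at offset %d, key phase %d, %d bytes" % (h["offset"], h["phase"], len(h["image"])))
```

The phase search in carve_xor_pe is what makes the routine usable on a raw .data section: a 16-byte key only decodes correctly if it is aligned to the start of the obfuscated payload, and the alignment is not known until the payload has been found. Validating e_lfanew against the PE signature rather than matching MZ alone keeps false positives out when the wrong rotation happens to yield those two bytes.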
Both the document and executable are written to disk and then executed via the ShellExecute API (using the verb “open”). The executable is also installed into the ASEP registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with a value named McUpdate. Finally, the dropper deletes itself via a batch file.

The dropped executable (MD5 hash 38a2a6782e1af29ca8cb691cf0d29a0d) primarily aims to inject the specified DLL (McUpdate.dll, MD5 hash 08c7b5501df060ccfc3aa5c8c41b452f) into a process that would normally be accessing the network, likely in order to disguise the malicious activity. Module names corresponding to Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe) are used. If Internet Explorer is used, then the malware will attempt to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).

Four examples of these droppers were located, using a mixture of decoy PDF and Microsoft Word documents (shown below in Figures 15-18). The common theme throughout these documents is space technology (Bienvenue_a_Sahaja_Yoga_Toulouse.doc does not follow this trend, but could be targeted at workers at the Toulouse Space Centre, the “largest space centre in Europe”), indicating that the attackers have a keen interest in this sector, which is also reflected in the choice of name for some of the C2 domains used (see the Attribution section above).

[16] The API used expects a parameter of the form char**, and is given a char* pointer to the “*/*” string, but the stack data following this pointer is not properly zeroed or cleansed before use, leading to uncontrolled memory being read as other strings.

Figure 15. “Invitation_Pleiades_012012.doc” Dropped by a4e4b3ceb949e8494968c71fa840a516

Figure 16. “Bienvenue_a_Sahaja_Yoga_Toulouse.doc” Dropped by 4c50457c35e2033b3a03fcbb4adac7b7

Figure 17. “50th AIAA Satellite Sciences Conference.pdf” from 6022cf1fcf2b478bed8da1fa3e996ac5

Figure 18. “Project-Manager-JobDescription-Surrey-Satellite-Technology-world-leader-provision-small-satellite-solutions.pdf” Dropped by 9cb6103e9588d506cfd81961ed41eefe

MITIGATION & REMEDIATION

A number of specific and generic detection methods are possible for the tools described above, both on a host and on the network. These are detailed below, and are designed to expand upon the indicators reported in other CrowdStrike reporting.

REGISTRY ARTIFACTS

The following Windows registry artifact is indicative of a compromised host:

• ASEP registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with a value named McUpdate

FILE SYSTEM ARTIFACTS

The presence of the following file system artifacts is indicative of a compromised host:

• ssdpsvc.dll, msacem.dll, or mrpmsg.dll
• C:\RECYCLER\restore.dat
• %TEMP%\index.dat (index.dat is also the name of legitimate Internet Explorer cache and history files in other directories; only the copy in %TEMP% is an indicator)

HOST INDICATORS

A file mapping named &*SDKJfhksdf89*DIUKJDSF&*sdfsdf78sdfsdf also indicates that the victim machine is compromised with PUTTER PANDA malware.
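The network indicators scattered through the tool descriptions above (the 4H RAT connectivity check, the 3PARA RAT tasking POST, the two httpclient URIs, the pngdowner user agent and C2 path, and the malformed IE6 user agent used for the www.microsoft.com check) can be applied to web-proxy logs before the Snort rules are deployed. The Python below is an added example written for this page, not a signature from the report. The log format (timestamp, client IP, method, host, URI, quoted User-Agent) and the log lines themselves are constructed; the URIs, hostnames and user-agent strings are the ones given in this report. Two of the rules are deliberately marked lower confidence: the /files/xx11/ path is specific to the pngdowner sample analysed here, and the www.microsoft.com check is only flagged because of the user agent Mozilla/4.0 (Compatible; MSIE 6.0;), which differs from a genuine Internet Explorer string in the capitalised “Compatible” and the missing platform token.

```python
import re

# Constructed proxy log format for this example:
#   <timestamp> <client-ip> <method> <host> <uri> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# User agent hard-coded in pngdowner and httpclient for the connectivity check.
CONNECTIVITY_UA = "Mozilla/4.0 (Compatible; MSIE 6.0;)"

# Indicators from the report's tool descriptions: (family, description, predicate).
RULES = [
    ("4H RAT", "connectivity check to www.google.com /search?qu=",
     lambda r: r["host"] == "www.google.com" and r["uri"].startswith("/search?qu=")),
    ("3PARA RAT", "tasking output POST to /microsoft/errorpost/default.aspx?ID=",
     lambda r: r["method"] == "POST" and r["uri"].startswith("/microsoft/errorpost/default.aspx?ID=")),
    ("httpclient", "shell command URI /Microsoft/errorpost/default.asp?tmp=",
     lambda r: r["uri"].startswith("/Microsoft/errorpost/default.asp?tmp=")),
    ("httpclient", "shell response URI /MicrosoftUpdate/GetUpdate/KB/default.asp?tmp=",
     lambda r: r["uri"].startswith("/MicrosoftUpdate/GetUpdate/KB/default.asp?tmp=")),
    ("pngdowner", "hard-coded user agent myAgent",
     lambda r: r["ua"] == "myAgent"),
    ("pngdowner", "C2 path /files/xx11/{index,success}.asp?<random> (sample-specific, lower confidence)",
     lambda r: re.match(r"^/files/xx11/(index|success)\.asp\?\d+$", r["uri"]) is not None),
    ("pngdowner/httpclient", "malformed IE6 user agent on www.microsoft.com connectivity check (lower confidence)",
     lambda r: r["host"] == "www.microsoft.com" and r["ua"] == CONNECTIVITY_UA),
]

def parse_line(line: str) -> dict:
    """Split one constructed-format proxy log line into its fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    ts, src, method, host, uri, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host, "uri": uri, "ua": ua}

def scan_log(text: str) -> list:
    """Return one hit per (line, rule) match as {'src', 'family', 'reason', 'line'}."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for family, reason, pred in RULES:
            if pred(rec):
                hits.append({"src": rec["src"], "family": family, "reason": reason, "line": line})
    return hits

def hosts_by_family(hits: list) -> dict:
    """Collapse hits to {client-ip: sorted list of families} for triage."""
    out = {}
    for h in hits:
        out.setdefault(h["src"], set()).add(h["family"])
    return {src: sorted(fams) for src, fams in out.items()}

# Constructed log lines: three infected clients plus one benign Google search (10.0.0.9).
SAMPLE_LOG = """\
2013-07-18T09:01:02 10.0.0.5 GET www.google.com /search?qu= "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-07-18T09:01:03 10.0.0.5 POST c2.example.test /microsoft/errorpost/default.aspx?ID=48213 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-07-18T09:02:10 10.0.0.7 GET www.microsoft.com / "Mozilla/4.0 (Compatible; MSIE 6.0;)"
2013-07-18T09:02:11 10.0.0.7 GET login.stream-media.net /files/xx11/index.asp?95027775 "myAgent"
2013-07-18T09:03:00 10.0.0.9 GET www.google.com /search?q=weather "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
2013-07-18T09:04:00 10.0.0.11 GET file.anyoffice.info /Microsoft/errorpost/default.asp?tmp=1234 "Mozilla/4.0 (Compatible; MSIE 6.0;)"
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print("%-9s %-21s %s" % (h["src"], h["family"], h["reason"]))
    print(hosts_by_family(scan_log(SAMPLE_LOG)))
```

The URI prefixes are matched case-sensitively on purpose: the 3PARA RAT uses a lower-case /microsoft/errorpost/default.aspx?ID= while httpclient uses /Microsoft/errorpost/default.asp?tmp=, and keeping that distinction lets the hit tell you which tool to look for on the host. A benign Google search (/search?q=) does not match the 4H check, which requires the exact /search?qu= prefix.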
Yara Rules

NETWORK SIGNATURES

In addition to the domains listed in the Appendices and in the Attribution section, the generic signatures below can be used to detect activity from the malware described in this report.

Snort Rules

TTPS

In addition to the indicators described above, PUTTER PANDA have some distinct generic TTPs:

• Distinctive connectivity checks to www.google.com
• Use of the HashData API to derive key material for authentication and encryption
• Use of the ASEP registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• Deployment of space industry-themed decoy documents during malware installations

Conclusion

PUTTER PANDA are a determined adversary group who have been operating for several years, conducting intelligence-gathering operations with a significant focus on the space sector. Although some of their tools are simplistic, taken as a whole their toolset provides a wide degree of control over a victim system and can provide the opportunity to deploy additional tools at will.
Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau, 3rd General Staff Department (GSD) of the People’s Liberation Army (PLA), operating from the unit’s headquarters in Shanghai with MUCD 61486. Strategic objectives for this unit are likely to include obtaining intellectual property and industrial secrets relating to defense technology, particularly those that help enable the unit’s suspected mission to conduct space surveillance, remote sensing, and interception of satellite communications. PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests. The detection and mitigation guidance given in this report will help to minimize the risk of a successful compromise by these actors, and future CrowdStrike reports will examine other elements of the PUTTER PANDA toolset.
Appendices

APPENDIX 1: 4H RAT SAMPLE METADATA

APPENDIX 2: 3PARA RAT SAMPLE METADATA

APPENDIX 3: PNGDOWNER SAMPLE METADATA

APPENDIX 4: HTTPCLIENT SAMPLE METADATA

CrowdStrike Falcon Intelligence

The CrowdStrike Falcon Intelligence portal provides enterprises with strategic, customized, and actionable intelligence. Falcon Intelligence enables organizations to prioritize resources by determining targeted versus commodity attacks, saving time and focusing resources on critical threats. With unprecedented insight into adversary tools, tactics, and procedures (TTPs) and multi-source information channels, analysts can identify pending attacks and automatically feed threat intelligence via API to SIEM and third-party security tools.
Access to CrowdStrike Falcon Intelligence is geared toward all levels of an organization, from the executive who needs to understand the business threat and strategic business impact, to the front-line security professional struggling to fight through an adversary’s attack against the enterprise.

CrowdStrike Falcon Intelligence is a web-based intelligence subscription that includes full access to a variety of feature sets, including:

• Detailed technical and strategic analysis of 50+ adversaries’ capabilities, indicators and tradecraft, attribution, and intentions
• Customizable feeds and API for indicators of compromise in a wide variety of formats
• Tailored Intelligence that provides visibility into breaking events that matter to an organization’s brand, infrastructure, and customers

Falcon Intelligence Benefits

• Incorporate Actionable Intelligence Feeds into your existing enterprise security infrastructure to identify advanced attackers specific to your organization and industry
• Rapidly integrate Falcon Intelligence into custom workflows and SIEM deployments with a web-based API
• Quickly understand the capabilities and artifacts of targeted attacker tradecraft with in-depth technical analysis
• Gain visibility into breaking events that matter to an organization’s brand, infrastructure, and customers
• Interact with the Intelligence team and leverage customized Cyber Threat Intelligence feedback during Quarterly Executive Briefings
• Provide malware samples and receive customized and actionable intelligence reporting
• Access the Adversary Profile Library to gain in-depth information into 50+ adversary groups, including capabilities and tradecraft

CrowdStrike Falcon Host

CrowdStrike Falcon Host is an endpoint threat detection and response product that identifies unknown malware, detects zero-day threats, and prevents damage from targeted attacks in real time.
Falcon Host is comprised of two core components: the cloud-based management console and the on-premises host-based sensor that continuously monitors threat activity at the endpoint to prevent damage in real time. Falcon Host leverages a lightweight kernel-mode sensor that shadows, captures, and correlates low-level operating system events to instantly identify adversary tradecraft and activities through Stateful Execution Inspection (SEI) at the endpoint and Machine Learning in the cloud. As opposed to focusing on malware signatures, indicators of compromise, exploits, and vulnerabilities, Falcon Host instead identifies the mission objectives of the adversary leveraging the Kill Chain model and provides real-time detection by focusing on what the attacker is doing, rather than looking for a specific, easily changeable indicator used in an attack. Without performing intrusive and performance-impacting scans of the system, Falcon Host’s highly efficient real-time monitoring of all system activity is the only security solution that provides maximum visibility into all adversary activities, including Adversary-in-Motion: reconnaissance, exploitation, privilege escalation, lateral movement, and exfiltration. Falcon Host delivers insight into past and current attacks not only on a single host, but also across devices and networks.

Falcon Host Key Features

• Endpoint threat detection and response solution
• Cloud-managed application with easily deployed sensors for Mac & Windows
• Kernel-mode sensor requires no reboot on updates; less than 2MB footprint executable
• Detects attacks based on adversary activity
• Integrates with existing security architecture and SIEM tools through Falcon Host APIs

Technology Drivers: Stateful Execution Inspection

Stateful Execution Inspection (SEI) tracks execution state and links together various stages of the kill chain, from initial code execution to data exfiltration.
CrowdStrike’s Real-time Stateful Execution Engine performs inspection and analysis to understand the full context of a cyber attack. SEI is critical to understanding the entire attack life cycle and preventing the damage from advanced malware and targeted attacks. Existing security technologies that focus solely on malware signatures, indicators of compromise, exploits, and vulnerabilities fail to protect against the majority of attacks as they are blind to the full scope of adversary activity.

Benefits

• Identify and protect against damage from determined attackers who are undetected by existing passive defense solutions
• Understand who is attacking you, why, and what they want to steal or damage
• Alert and stop exfiltration of sensitive information from compromised machines
• Protect remote users when they are outside of the corporate network
• No on-premises equipment needed, reducing overall total cost of ownership

About CrowdStrike

CrowdStrike is a global provider of security technology and services focused on identifying advanced threats and targeted attacks. Using big-data technologies, CrowdStrike’s next-generation threat protection platform leverages real-time Stateful Execution Inspection (SEI) at the endpoint and Machine Learning in the cloud instead of solely focusing on malware signatures, indicators of compromise, exploits, and vulnerabilities. The CrowdStrike Falcon Platform is a combination of big data technologies and endpoint security driven by advanced threat intelligence. CrowdStrike Falcon enables enterprises to identify unknown malware, detect zero-day threats, pinpoint advanced adversaries and attribution, and prevent damage from targeted attacks in real time.
About CrowdStrike Services

CrowdStrike Services is a wholly owned subsidiary of CrowdStrike responsible for proactively defending against and responding to cyber incidents with pre- and post-incident response services. CrowdStrike’s seasoned team of Cyber Intelligence professionals, Incident Responders, and Malware Researchers consists of a number of internationally recognized authors, speakers, and experts who have worked on some of the most publicized and challenging intrusions and malware attacks in recent years. The CrowdStrike Services team leverages our Security Operations Center to monitor the full CrowdStrike Falcon Platform and provide cutting-edge advanced adversary intrusion detection services. The full spectrum of proactive and response services helps customers respond tactically as well as continually mature and strategically evolve Incident Response program capabilities.

For more information on the intelligence provided in this report or on any of the 70+ actors tracked by the CrowdStrike Global Intelligence team, contact us at intelligence@crowdstrike.com. To learn more about the CrowdStrike Falcon Platform or CrowdStrike Services, contact us at sales@crowdstrike.com.

www.crowdstrike.com | @CrowdStrike