Luckycat APT: Attack Campaign Assessment - By nEINEI  Time: 2012-03-29

1) Information theft aimed at military-related activity in Japan, India, and Tibet.
2) Targets include South Korean government agencies, armed forces, news media, and national policy research institutes.

Symptoms

When the Trojan is executed, it drops the following file:
%Temp%\WINWORD.EXE

The dropped file in turn drops the following file:
%Temp%\~temp.vbs

Next, the Trojan gathers and sends the following information to the remote attacker:
- All files with their attributes in all drives from C: drive through I: drive
- Network information
- Information about the compromised computer
- Processes running on the compromised computer

It stores all of the gathered information in the following folder:
%Windir%\NtUninstallKB

The Trojan then opens a back door on the compromised computer, allowing the attacker to perform the following actions:
- Upload and download files
- Execute .cmd commands

Related samples (MD5):
2924339C60D4905AFDAD6664F859DE2C, 324B98DE1F86ADE0817DA0FF4C5A38BA, 40DDB1D8C2F000661AA3031A6FCFA156, 4844982A4B4863505FAFAF8B52A4DC97, 70EDAAA835D0861BE0F675E7A6EB2CDA, 0a927897ab5acff1e6bd45897368253b

Minimal closed attack sample:
A DOC document delivered by email that installs a remote-control Trojan by exploiting CVE-2010-3333:
b35c50ed4df030aaa5bde205e6ee255e587949e1b42e7896cd8d6040bceb2fc4, SIZE = 277264

Attack capability calculation:
k = 2 (within the range of normal security awareness and understanding)
a = 3 (no user interaction required)
s = 1 (mainly phishing email)
m = 2 (code injection, custom Trojan)
p = 1 (attacks 1 platform)
x = 2 (uses N-day / 1-day vulnerabilities to install RAT tools: CVE-2010-2883, CVE-2010-3333, CVE-2010-3654, CVE-2011-0611, CVE-2011-2462)
c = 277264 / 1024 = 271

Attack capability = (a + s + m + p)^k * (1 + x)^2 + c

AT = (3 + 1 + 2 + 1)^2 * (1 + 2)^2 + (277264 / 1024)
   = 7^2 * 3^2 + 271
   = 441 + 271
   = 712
==> 712 * 1000 / 1279625 (1T attack-capability unit) = 0.556T

References:
1. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf
2. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
3. "On the Nature of Advanced Threats and the Quantification of Attack Capability" - www.vxjump.net/files/aptr/aptr.txt