Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    8:55 am (UTC-7)   |    by

    Last November 12-14th, I had this great opportunity to attend AVAR 2012 Conference in Hangzhou, China. There were a lot of great presentations; I must say I feel very privileged to have presented our paper, The HeartBeat APT Campaign, along with these talks.

    I will be honest with you–talking in front of renowned people and colleagues in the industry was outright nerve-racking. However, we believe it is our duty to share our findings about the HeartBeat APT to the industry. This entry aims to further fulfill the same purpose for the industry and for the general public.

    The HeartBeat campaign is an isolated APT case that targets organizations within South Korea only. Based on our research, the campaign have started by at least November 2009. They target organizations that are directly or in some ways related to the South Korean government. Specifically, the HeartBeat campaign targets the following sectors:

    • Political parties
    • Media outfits
    • A national policy research institute
    • A military branch of South Korean armed forces
    • A small business sector organization
    • Branches of South Korean government

    Based on their targets, we suspect that the campaign may be politically motivated.

    In order to gain access over their targets network, they use a custom remote access tool (RAT). Variants of their RAT contains an embedded campaign code that mostly contains strings that describes their respective decoy documents and a campaign date in MMDD format.

    Additionally, the attackers behind HeartBeat campaign made sure that their operation as well as their identity remain concealed. For instance, they used legitimate looking file name and registry names for their RAT. They also used XOR encryption for their network communications. To hide their identities, on the other hand, they used a site redirection service that redirects to compromised hosts from different countries. These compromised hosts acts as a proxy server that hides the real location of their C&C servers.

    More information about the HeartBeat APT campaign can be found at

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • Roland Dela Paz

      Hi Shine,

      You are correct–there is no use of vulnerability involved in the HeartBeat campaign. Instead, they “package” their RAT and a decoy file into one executable file using a binder tool. As a result, both of these files are run once the packaged executable file is opened by an unsuspecting user.

    • shine

      The binder tool means that hackers didn’t use any vulnerability ?

    • f0real

      The HeartBeat RAT has also been used for attacks targeting Tibetans.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice