Know Your Enemy: Tracking A Rapidly Evolving APT Actor

Between Oct. 24–25 FireEye detected two spear-phishing attacks attributed to a threat actor we have previously dubbed admin@338.[1] The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance, and economic policy. These two attacks utilized different malware families and demonstrate an ability to quickly adapt tactics, techniques, and procedures (TTPs).

Investor Guide and Contact List Lure

On Friday Oct. 25, 2013, FireEye detected an attempted targeted campaign against the following:

  • The Central Bank of a Western European government
  • An international organization involved in trade, economic, and financial policy
  • A U.S.-based think tank
  • A high-ranking government official for a country in the Far East

This spear-phish email, shown in Figure 1, contained a malicious Word document attachment that exploited the CVE-2012-0158 vulnerability.

Figure 1: Spear-phish email used in a recent admin@338 attack

The malicious Word document had the following properties:

  • File: Investor Relations Contacts.doc
  • MD5: 875767086897e90fb47a021b45e161b2

Continue reading »

Why Our Risk Assessment Calculations Leave us Exposed to APTs

Since 2010, the UK’s National Security Strategy has rated cyber attacks as a Tier 1 threat to national and economic security.[1] Emergency management agencies in most other industrialized countries have made similar assessments.

Cyber attacks take many forms, from simple denial of service attacks to sophisticated information theft. But one class of attack stands out as the most effective and damaging: advanced persistent threats, or APTs.

As the name implies, APTs are characterized by the following:

  • Advanced — able to evade detection
  • Persistent — able to move laterally within networks and remain resident to gather information over extended periods of time

While the prevalence and continued success of APTs reflect the increasing sophistication of attackers, they also represent a failure of risk-management calculations.

Continue reading »

Evasive Tactics: Terminator RAT

FireEye Labs has been tracking a variety of advanced persistent threat (APT) actors that have been slightly changing their tactics, techniques, and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack against the New York Times, and Taidoor, a malware family that is being used in ongoing cyber-espionage campaigns, particularly against entities in Taiwan. In this post we will explore changes made to Terminator RAT (Remote Access Tool) by examining a recent attack against entities in Taiwan.

We recently analyzed a sample that we suspect was sent via spear-phishing emails to targets in Taiwan. As shown in Figure 1, the adversary sends a malicious Word document, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), that exploits CVE-2012-0158 and drops a malware installer named “DW20.exe”. This particular malware is interesting because of the following:

  • It evades sandboxes by terminating and removing itself (DW20.exe) after installation; malicious behavior appears only after a reboot.
  • It deters single-object sandbox analysis by splitting roles between collaborating components: the RAT (svchost_.exe) relies on a separate relay (sss.exe) to communicate with the command and control server.
  • It deters forensic investigation by changing the startup location.
  • It deters file-based scanning that applies a maximum file size filter by inflating svchost_.exe to 40MB.

Continue reading »
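As an added example for the last point (this is not code from the original post), the C program below shows how a scanner with a maximum-size filter can measure what a file contains rather than how long it is. It assumes the inflation was done by appending a long run of one filler byte, which the post does not state; the thresholds (a 32 MiB scanner cap, a 90% filler ratio), the constructed sample and all function names are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Result of check_inflation(). */
typedef struct {
    size_t size;        /* total size in bytes */
    size_t fill_run;    /* length of the trailing run of one repeated byte */
    size_t payload;     /* size minus the trailing run: what a scanner should judge */
    double fill_ratio;  /* fill_run / size */
    int    inflated;    /* 1 when the file only exceeds the cap because of filler */
} pad_report;

/* Count how many identical bytes the buffer ends with. */
size_t trailing_run_length(const unsigned char *buf, size_t n)
{
    size_t run;
    if (n == 0) return 0;
    run = 1;
    while (run < n && buf[n - 1 - run] == buf[n - 1]) run++;
    return run;
}

/* Heuristic check. size_cap is the largest object the file scanner would
 * normally examine and min_ratio the share of the file that must be filler
 * before it counts as padding; both thresholds are assumptions for this
 * example. A file is flagged when it exceeds the cap, its trailing filler
 * is at least min_ratio of it, and what remains would fit under the cap,
 * i.e. the padding is what moved it out of the scanner's scope. */
pad_report check_inflation(const unsigned char *buf, size_t n,
                           size_t size_cap, double min_ratio)
{
    pad_report r;
    r.size = n;
    r.fill_run = trailing_run_length(buf, n);
    r.payload = n - r.fill_run;
    r.fill_ratio = n ? (double)r.fill_run / (double)n : 0.0;
    r.inflated = n > size_cap && r.payload <= size_cap && r.fill_ratio >= min_ratio;
    return r;
}

/* Constructed sample, not a real executable: body_len pseudo-random bytes
 * from a small LCG followed by pad_len copies of fill. Caller frees it. */
unsigned char *build_sample(size_t body_len, size_t pad_len,
                            unsigned char fill, size_t *out_n)
{
    size_t n = body_len + pad_len, i;
    uint32_t s = 0x1234567u;
    unsigned char *buf = malloc(n ? n : 1);
    if (buf == NULL) return NULL;
    for (i = 0; i < body_len; i++) {
        s = s * 1664525u + 1013904223u;
        buf[i] = (unsigned char)(s >> 24);
    }
    for (i = body_len; i < n; i++) buf[i] = fill;
    *out_n = n;
    return buf;
}

int main(void)
{
    size_t n;
    /* 64 KiB of "code" plus 40 MiB of zero filler, mimicking the size inflation above. */
    unsigned char *buf = build_sample(64 * 1024, 40u * 1024 * 1024, 0x00, &n);
    pad_report r;
    if (buf == NULL) return 1;
    r = check_inflation(buf, n, 32u * 1024 * 1024, 0.9);
    printf("size=%zu fill_run=%zu payload=%zu ratio=%.4f inflated=%d\n",
           r.size, r.fill_run, r.payload, r.fill_ratio, r.inflated);
    free(buf);
    return 0;
}
```

A scanner that keys its size filter on `payload` rather than `size` would still examine a file padded this way, and a trailing-run measurement is also a cheap hunting indicator on its own: an executable that is mostly one repeated byte deserves a look regardless of what else it does.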

Update: Ad Vulna Continues

This is an update to our earlier blog “Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions”.

Since our last notification to Google and Ad Vulna (code name for anonymity), we have noticed a number of changes to the impacted apps that we reported to both companies. We summarize our observations below, although we do not have specific information about the reasons behind the changes we are reporting.

First, a number of these vulnaggressive apps and their developers’ accounts have been removed from Google Play, such as app developer “Itch Mania”. The total number of downloads of these apps was more than 6 million before the removal. While removing these apps from Google Play prevents more people from being affected, the millions of devices that already downloaded them remain vulnerable.

Continue reading »

ASLR Bypass Apocalypse in Recent Zero-Day Exploits

ASLR (Address Space Layout Randomization) is one of the most effective protection mechanisms in modern operating systems. But it’s not perfect. Many recent APT attacks have used innovative techniques to bypass ASLR.

Here are just a few interesting bypass techniques that we have tracked in the past year:

  • Using non-ASLR modules
  • Modifying the BSTR length/null terminator
  • Modifying the Array object

The following sections explain each of these techniques in detail.
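As an added illustration of the second technique (this is not code from the original post and not a real exploit), the C program below simulates the BSTR length-corruption primitive inside one self-contained arena: a bounds-unchecked copy into a buffer that sits directly before a BSTR overwrites the 4-byte length prefix, after which reading the string "normally" returns bytes past its terminator, here an 8-byte value standing in for a module pointer whose disclosure defeats ASLR. The fixed layout, the offsets, the secret value and every function name are assumptions for the demonstration; real exploits obtain the adjacency by heap grooming, which is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Fixed layout inside one arena, standing in for adjacent heap objects:
 *   [0..15]  BUF     16-byte buffer written by the vulnerable copy
 *   [16..19] PREFIX  BSTR length prefix (byte count, little-endian)
 *   [20..25] DATA    UTF-16LE "AB" followed by the 2-byte null terminator
 *   [26..33] SECRET  8-byte value standing in for a leaked module pointer */
enum { BUF_OFF = 0, BUF_LEN = 16, PREFIX_OFF = 16, DATA_OFF = 20,
       SECRET_OFF = 26, ARENA_LEN = 40 };

typedef struct { unsigned char mem[ARENA_LEN]; } arena_t;

static void store_le32(unsigned char *p, uint32_t v)
{ int i; for (i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }
static uint32_t load_le32(const unsigned char *p)
{ uint32_t v = 0; int i; for (i = 3; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void store_le64(unsigned char *p, uint64_t v)
{ int i; for (i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i)); }
static uint64_t load_le64(const unsigned char *p)
{ uint64_t v = 0; int i; for (i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }

/* Lay out the objects: an empty buffer, the BSTR "AB", and the secret. */
void arena_init(arena_t *a, uint64_t secret)
{
    static const unsigned char ab[4] = { 'A', 0, 'B', 0 };
    memset(a->mem, 0, sizeof a->mem);
    store_le32(a->mem + PREFIX_OFF, 4);     /* 4 bytes of string data */
    memcpy(a->mem + DATA_OFF, ab, 4);       /* terminator is already zero */
    store_le64(a->mem + SECRET_OFF, secret);
}

/* What script sees as the string length: the prefix is trusted as-is. */
uint32_t bstr_len(const arena_t *a) { return load_le32(a->mem + PREFIX_OFF); }

/* Read the string the way a script engine would: as many bytes as the
 * prefix claims. Clamped to the arena only to keep this simulation in bounds. */
size_t bstr_read(const arena_t *a, unsigned char *out, size_t cap)
{
    size_t n = bstr_len(a);
    if (n > (size_t)(ARENA_LEN - DATA_OFF)) n = (size_t)(ARENA_LEN - DATA_OFF);
    if (n > cap) n = cap;
    memcpy(out, a->mem + DATA_OFF, n);
    return n;
}

/* Vulnerable copy: no check against BUF_LEN, so a long input runs into the
 * BSTR prefix that follows the buffer. (Clamped to the arena for safety.) */
void vuln_copy(arena_t *a, const unsigned char *src, size_t len)
{
    if (len > (size_t)ARENA_LEN) len = (size_t)ARENA_LEN;
    memcpy(a->mem + BUF_OFF, src, len);
}

/* Hardened copy: rejects anything that would not fit in the buffer. */
int safe_copy(arena_t *a, const unsigned char *src, size_t len)
{
    if (len > (size_t)BUF_LEN) return -1;
    memcpy(a->mem + BUF_OFF, src, len);
    return 0;
}

/* Overflow payload: fill the buffer, then overwrite the BSTR length prefix
 * with 14 = data(4) + terminator(2) + secret(8). */
static void build_payload(unsigned char *payload)
{
    memset(payload, 'X', BUF_LEN);
    store_le32(payload + BUF_LEN, 14);
}

/* Overflow through the vulnerable copy, then read the now oversized string
 * and pull the secret out of the bytes past the terminator. Returns 0 on failure. */
uint64_t leak_via_bstr_overflow(uint64_t secret)
{
    arena_t a;
    unsigned char payload[BUF_LEN + 4], out[ARENA_LEN];
    size_t n;
    arena_init(&a, secret);
    build_payload(payload);
    vuln_copy(&a, payload, sizeof payload);
    n = bstr_read(&a, out, sizeof out);
    if (n < 14) return 0;
    return load_le64(out + 6);
}

/* Same payload against the hardened copy: the prefix must stay 4. */
int hardened_blocks_leak(uint64_t secret)
{
    arena_t a;
    unsigned char payload[BUF_LEN + 4];
    arena_init(&a, secret);
    build_payload(payload);
    return safe_copy(&a, payload, sizeof payload) == -1 && bstr_len(&a) == 4;
}

int main(void)
{
    uint64_t secret = 0x00007ffb12340000ULL;  /* made-up module address */
    printf("leaked: 0x%016llx\n", (unsigned long long)leak_via_bstr_overflow(secret));
    printf("hardened copy blocks it: %d\n", hardened_blocks_leak(secret));
    return 0;
}
```

The third technique in the list works the same way against a script-engine Array object: corrupting its length field turns one overflow into out-of-bounds reads (and writes) across the heap. In both cases the fix belongs at the corrupting write, as the hardened copy shows, because the string and array accessors have no way to know the length field is lying.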

Continue reading »

“Be the Change.” Test Methodologies for Advanced Threat Prevention Products

Organizations are under assault by a new generation of cyber attacks that easily evade traditional defenses. These coordinated campaigns are targeted. They are stealthy. And they are persistent. Many exploit zero-day vulnerabilities and orchestrate attacks across multiple vectors (Web, email, file, mobile). The threat actors are dead set on finding an organization’s weaknesses, finding their way into the systems, and stealing intellectual property. Guarding against these advanced threats necessitates, nay demands, a fundamentally different approach to threat defense. Importantly, this is even more true for testing methodologies used to validate the efficacy of these products. This is because legacy test methodologies were developed to test the efficacy of legacy security products that are signature-based and designed to detect known malware and known vulnerabilities – not the advanced threat landscape!

Before we define a good test methodology for advanced security products, it is important to establish what advanced security products must do - for only when we know what the products must accomplish will we know how to test them.

Continue reading »

Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions

FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as “Vulna,” is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna’s aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. Most vulnaggressive libraries are proprietary and it is hard for app developers to know their underlying security issues. Legitimate apps using vulnaggressive libraries present serious threats for enterprise customers. FireEye has informed both Google and the vendor of Vulna about the security issues and they are actively addressing them.

Recently FireEye discovered a new mobile threat from a popular ad library that no other anti-virus or security vendor has reported publicly before. Mobile ad libraries are third-party software included by host apps in order to display ads. Because this library’s functionality and vulnerabilities can be used to conduct large-scale attacks on millions of users, we refer to it anonymously by the code name “Vulna” rather than revealing its identity in this blog.

Continue reading »

Another Darkleech Campaign

Last week the compromise of our external careers web site got us up close and personal with Darkleech and Blackhole, as described here:

https://www.fireeyesolution.com/blog/technical/cyber-exploits/2013/09/darkleech-says-hello.html

The fun didn’t end there: this week we saw a tidal wave of Darkleech activity linked to a large-scale malvertising campaign identified by the following URL:

hXXp://delivery[.]globalcdnnode[.]com/7f01baa99716452bda5bba0572c58be9/afr-zone.php

Again Darkleech was up to its tricks, injecting URLs and sending victims to a landing page belonging to the Blackhole Exploit Kit, one of the most popular and effective exploit kits available today. Blackhole wreaks havoc on computers by exploiting vulnerabilities in client applications like IE, Java and Adobe products; computers vulnerable to the exploits it launches are likely to become infected with one of several flavors of malware, including ransomware, Zeus/Zbot variants and click-fraud trojans like ZeroAccess.

We started logging hits at 21:31:00 UTC on Sunday 09/22/2013; the campaign has been ongoing, peaking Monday and tapering off throughout the week.

During most of the campaign’s run, delivery[.]globalcdnnode[.]com appeared to have gone dark, no longer serving the exploit kit’s landing page as expected, and then stopped resolving altogether, yet a large volume of requests kept flowing.

This left some scratching their heads as to whether the noise was a real threat.

Continue reading »