To Russia With Targeted Attack

Looking at the human aspect of offensive cyber operations is one of the most interesting parts of a malware analyst’s day. Malware that was generated by an algorithm, such as a polymorphic PDF, is a little boring because you know you aren’t fighting against a human on the other side of the keyboard. However, when dealing with nation-state sponsored intrusions, or at least deliberate attacks against a specific group of people, it’s interesting to look at the different stages of the attack, from victim selection, to attack method, to what kind of data is exfiltrated. We recently discovered an attack that appeared to be against primarily Russian targets.


Defining Advanced Malware is as Difficult as Preventing It (Part 1 of 2)

Advanced targeted attacks—or the ubiquitous advanced persistent threat (APT), if you prefer—have captured the attention of the security industry because of their clandestine and sinister nature. Unfortunately, it is almost as challenging to get the security industry to agree on what constitutes an APT as it is to protect against one, but we can identify and agree upon a few common themes.

Before I begin, I do want to make reference to testimony before Congress from Richard Bejtlich, currently CSO at Mandiant and formerly of the USAF. Rather than summarize, I’ll quote from the hearing on “Developments in China’s Cyber and Nuclear Capabilities”:

“…I use the strict definition of APT as created by the Air Force in 2006, namely as an unclassified reference to intrusion sets ultimately traced back to actors in China.”

This is a very fair and accurate definition. However, at its core it requires the big “A”—attribution. Private companies (excluding government contractors) rarely have the ability to accurately identify a specific attacker, which makes distinguishing among a PLA unit, a university training program, or a contracted hacker difficult. Because of that missing link, and the fact that many have misused the term, many attacks are miscategorized as APT simply for being “advanced.”

Having said that, whether an attack is APT (or, more accurately, whether the attacker is the APT), or whether the attack comes from another well-financed adversary, the tactics, techniques, and procedures (TTPs) overlap significantly. A typical scenario combines sophisticated exploits and social engineering to breach networks, execute malware instances, and establish communication with command and control (C&C) servers. As a result, technologies that examine executable files, monitor outbound communication, or analyze suspicious patterns in the network have become very popular; however, the effectiveness of some such solutions is questionable at best, since advanced malware is constantly evolving to stay a step ahead of detection.

In this post, I will delineate the key characteristics of an advanced persistent threat and discuss some of the common approaches to mitigation. In a follow-up post, I will deconstruct why these common approaches are little more than a Band-Aid on a gaping wound.


Spear Phishing In Action

Recently, while monitoring an infected system, we uncovered activity that showed a good example of attackers selectively emailing malware to a specific group (in this case, a country).

After conducting analysis of the threat, network traffic, and hosts involved, we believe that the attackers were directly targeting companies located in the Middle East—Saudi Arabia, to be exact.

In the following examples we can see the sequence of events leading up to the spear phishing, as well as the tactics used to seek out targets for the attack (the “reconnaissance”).


Zero-Day Season is Not Over Yet

A new Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most recent Java runtime environments, i.e., JRE 1.7.x, are vulnerable. In my lab environment, I was able to successfully exploit my test machine running the latest version of Firefox with JRE version 1.7 update 6 installed.

[Figure: Exploit]


Additional Information on Gauss and Flame Leads to Different Conclusion

UPDATE: In our post earlier today, we concluded that there was some sort of relationship between the Gauss and Flame malware actors, based on observing CnC communication going to the Flame CnC IP address. At the same time, the CnC domains of Gauss were sinkholed to the same CnC IP. There was no indication or response in the communication originating from the CnC server to suggest that it may have been owned by another member of the security research community. In light of new information shared by the security community, we now know that our original conclusions were incorrect, and we cannot associate these two malware families based solely upon these common CnC coordinates.

We apologize for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions.

Like the team at Kaspersky and the many others who actively participate in security research, the FireEye Lab is committed to improving the understanding of the most prevalent and dangerous cyber threats today. As we all know, it is not an easy job. We appreciate the feedback we receive from the security community, and our experience today is just one lesson on the need for even greater intelligence sharing and collaboration among the many talented groups and individuals in our field.


Surprises in our Advanced Threat Awareness Survey

A few weeks ago we conducted a survey to assess the general knowledge of advanced attacks among enterprise security professionals. Though we originally ran the survey to gather data for our own understanding, we found the results so interesting (and frankly, surprising) that we wanted to share them.

As we’ve discussed in the past, there continue to be many myths and misunderstandings regarding advanced persistent threats (“APTs”). What is clear, however, is that there is a significant disconnect in the understanding of what constitutes an advanced targeted attack and which technologies protect against one.


The Case of the PDF Malware

I’ve been working with PDFs for the past few weeks, and since I have a large collection of PDF files, going through them all has been taking a lot of time.

I’ve seen a few different exploits, but there is one that especially caught my attention because I thought it was pretty wicked and nicely conceived.

It all started after I ran a couple of samples through a script a while ago.


An Inside Look into a Customized Threat

Recently, we came across a customized threat that, per our current understanding, was tailored to a single individual—the president of a billion-dollar corporation. As the goal of this posting is to share the findings about the targeted attack, the identities of the individual and the corporation have been withheld and will not be discussed in this blog.


Flamer/sKyWIper Malware: Analysis

As widely reported elsewhere, the Flamer/sKyWIper malware has largely been attributed to yet another unknown APT actor, which appears to target various organizations in the Middle East. Its size is massive, with core components written in Lua and modular support for other languages (e.g., C/C++). Compared to Stuxnet and Duqu, it is likely this malware framework was authored and developed in parallel, with a broader goal: comprehensive intelligence gathering.

Rather than speculate on attribution or repeat the initial analysis provided by CrySyS Lab, this blog post will focus on additional indicators of compromise that have yet to be documented elsewhere. These indicators are exceptionally useful for confirming whether or not this malware is active on a suspect system.
