<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>Speaking of Security - The RSA Blog and Podcast &#187; RSA FirstWatch</title>
	<atom:link href="http://blogs.rsa.com/author/rsa-first-watch-team/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.rsa.com</link>
	<description>The Security Blog for Security Professionals</description>
	<lastBuildDate>Fri, 24 May 2013 12:30:44 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5</generator>
<!-- podcast_generator="Blubrry PowerPress/4.0.7" -->
	<itunes:summary>The Speaking of Security podcast features lively discussion with industry experts on the latest issues and trends in the security industry.</itunes:summary>
	<itunes:author>RSA, The Security Division of EMC</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png" />
	<itunes:owner>
		<itunes:name>RSA, The Security Division of EMC</itunes:name>
		<itunes:email>podcast@rsa.com</itunes:email>
	</itunes:owner>
	<managingEditor>podcast@rsa.com (RSA, The Security Division of EMC)</managingEditor>
	<itunes:subtitle>The Security Blog for Security Professionals</itunes:subtitle>
	<itunes:keywords>Security, Cyber Crime, APTs, Sam Curry, RSA, EMC, Advanced Persistant Threats, Fraud</itunes:keywords>
	<image>
		<title>Speaking of Security - The RSA Blog and Podcast &#187; RSA FirstWatch</title>
		<url>http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png</url>
		<link>http://blogs.rsa.com</link>
	</image>
	<itunes:category text="Technology">
		<itunes:category text="Tech News" />
		<itunes:category text="Podcasting" />
	</itunes:category>
		<item>
<title>Mandiant Malware? Not Exactly.</title>
		<link>http://blogs.rsa.com/mandiant-malware-not-exactly/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mandiant-malware-not-exactly</link>
		<comments>http://blogs.rsa.com/mandiant-malware-not-exactly/#comments</comments>
		<pubDate>Tue, 21 May 2013 18:30:49 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Advanced Threats]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9133</guid>
<description><![CDATA[In this particular case, we see a common cybercrime attack methodology, mass spam, a social engineering hook and a downloader Trojan, crossing over into APT space, likely due to all of the recent press coverage of Mandiant and other APT-related investigations. This is further evidence of the constant evolution of online attacks based on current events.]]></description>
<content:encoded><![CDATA[<p><em>By Alex Cox, Senior Researcher, RSA FirstWatch team</em></p>
<p>The RSA FirstWatch team uses a number of techniques to detect emergent threats and trends.  Much of the output of the analysis process becomes inputs for the RSA FirstWatch Feeds and new rules to detect botnet variants, malicious user-agent strings, and suspicious queries that would be strong indicators of compromise.  One unique executable that was downloaded caught our eye today:</p>
<p><a href="http://blogs.rsa.com/mandiant-malware-not-exactly/untitled1/" rel="attachment wp-att-9145"><img class="size-full wp-image-9145 aligncenter" alt="Untitled1" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Untitled1.jpg" width="625" height="46" /></a></p>
<p>This file, named “_load.exe”, appeared to have been downloaded as part of a larger Zbot/Tepfer infection package.  Here is a screenshot from RSA Security Analytics summarizing the alert types seen post-infection in the sandbox:</p>
<p><a href="http://blogs.rsa.com/mandiant-malware-not-exactly/timegraph/" rel="attachment wp-att-9139"><img class="size-full wp-image-9139 aligncenter" alt="TimeGraph" src="http://blogs.rsa.com/wp-content/uploads/2013/05/TimeGraph.jpg" width="628" height="267" /></a></p>
<p>But what really got our attention was the falsified manufacturer’s name and author’s name.  In CFF Explorer, we see this:</p>
<p><a href="http://blogs.rsa.com/mandiant-malware-not-exactly/untitled-3/" rel="attachment wp-att-9140"><img class="size-full wp-image-9140 aligncenter" alt="Untitled" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Untitled.jpg" width="424" height="400" /></a></p>
<p>Of course, given the way the file was downloaded, we knew this wasn’t a legitimate Mandiant binary, but a piece of malware with planted metadata that uses Mandiant’s name.  According to VirusTotal, it had first been seen 15 hours earlier, and only ESET identifies the file as a malicious downloader.  You can see the VT report here:</p>
<p><a href="https://www.virustotal.com/en/file/2714253ae4686360b45acd3fb2658966b6f61957a0b42d93cccad4a098b0a9da/analysis/">https://www.virustotal.com/en/file/2714253ae4686360b45acd3fb2658966b6f61957a0b42d93cccad4a098b0a9da/analysis/</a></p>
<p><span style="text-decoration: underline;"><b>Digging Further</b></span></p>
<p>With a bit of further digging, we see that this sample was a secondary download initiated by an initial sample with the hash 1aee6a5859ecb9b43cc752244be5bec6.  This hash has been observed multiple times in the past with the filename:</p>
<p style="text-align: center;"><strong>FedEx Shipment Notification.PDF.exe</strong></p>
<p>This file was first observed on May 5, 2013, also with a fairly low antivirus detection rate at the time of detection (5 out of 46) but is fairly well detected now:</p>
<p><a href="https://www.virustotal.com/en/file/eab3ee7c0c843dec8f6c41193465c6ff93ae914606520bb1a1dfd1e26a8862f0/analysis/">https://www.virustotal.com/en/file/eab3ee7c0c843dec8f6c41193465c6ff93ae914606520bb1a1dfd1e26a8862f0/analysis/</a></p>
<p>The submitted filename makes it highly likely that this sample was distributed via a “Shipment Notification” mass spam campaign.  This infection vector has been highly effective over the past few years for spreading cybercrime malware and has garnered the attention of FedEx, which maintains a page warning its customers about this type of attack: <a href="http://www.fedex.com/dm/fraud/virusalert.html">http://www.fedex.com/dm/fraud/virusalert.html</a></p>
<p>Interestingly, both samples appear to be “downloader” malware, which only serve to download other malware on an infected machine.  These types of Trojans are commonly used in Pay-Per-Install campaigns, where criminals pay the owner of an existing botnet to have their infected machines push a piece of malware belonging to the buyer.  This approach significantly simplifies the process of building a new botnet for the buyer.</p>
<p>Further malware analysis reveals that the observed second-stage malware has no built-in persistence mechanism, meaning that a simple reboot clears the malware from memory.  This is somewhat unusual, but may indicate a “single-use” methodology for subsequent infection.  At this time, the RSA FirstWatch team has not observed a third-stage download occur with this sample.</p>
<p><b><span style="text-decoration: underline;">Network Artifacts</span></b></p>
<p><b>Sample 1 &#8211; </b>1aee6a5859ecb9b43cc752244be5bec6 has been observed connecting to the following location for C2, which is a known malicious server: <b>hxxp://asdacbxn34.us//area/la.php</b></p>
<p>Its second-stage downloads were fetched from a religious institution’s website, which appears to have been compromised, and from another site known to host malware:</p>
<p>hxxp://www.***.uk/_load.exe</p>
<p><b>hxxp://178.208.82.164/_load.exe</b></p>
<p>Passive DNS analysis indicates that the following domains have also resided on the C2 IP, all of which are known to be malicious domains:</p>
<p><b>mesalk.ru</b></p>
<p><b>houselle.ru   </b></p>
<p><b>davalki-tut.ru </b></p>
<p><b>nationalconstruction.ru </b></p>
<p><b>Sample 2 &#8211; </b>bcadffb2117751fb89a4bb8768681030 – “Mandiant Malware”</p>
<p>This sample, downloaded as noted above as:</p>
<p>hxxp://www.***.uk/_load.exe</p>
<p><b>hxxp://178.208.82.164/_load.exe</b></p>
<p>connects to the following IP address (known to be associated with cybercrime) to check for additional malware to download:</p>
<p><b>94.23.234.36</b></p>
<p>This IP has mapped to the following known malicious domain names:</p>
<p><b>lamodaesbarata.es</b></p>
<p><b>ovh66m.exclust.com</b></p>
<p><b>ks307892.kimsufi.com</b></p>
<p><b>tusvestidos.com</b></p>
<p><b>Detection in RSA NetWitness Security Analytics:</b></p>
<p>These particular malware connections can be located in an RSA Security Analytics infrastructure with a number of simple pivots on the known infrastructure:</p>
<p><b>alias.host = </b><b>asdacbxn34.us, mesalk.ru, houselle.ru, davalki-tut.ru, nationalconstruction.ru, </b><b>178.208.82.164, lamodaesbarata.es, ovh66m.exclust.com, ks307892.kimsufi.com, tusvestidos.com</b></p>
<p>and</p>
<p><b>ip.dst = 178.208.82.164,94.23.234.36</b></p>
<p>More generically, suspicious behavior involving executable downloads such as these can be detected by combining the observed file-extension metadata with the filetype identified from content.  In this case:</p>
<p><b>Extension = exe &amp;&amp; filetype != windows executable</b></p>
<p><b><span style="text-decoration: underline;">Summary</span></b></p>
<p>In this particular case, we see a common cybercrime attack methodology, mass spam, a social engineering hook and a downloader Trojan, crossing over into APT space, likely due to all of the recent press coverage of Mandiant and other APT-related investigations. This is further evidence of the constant evolution of online attacks based on current events.</p>
<p>Happy Hunting!</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/mandiant-malware-not-exactly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Fear the Hangover – Network Detection of Hangover Malware Samples</title>
		<link>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=dont-fear-the-hangover-network-detection-of-hangover-malware-samples</link>
		<comments>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/#comments</comments>
		<pubDate>Mon, 20 May 2013 21:02:10 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cybercrime and Fraud]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9109</guid>
		<description><![CDATA[Today, Norman and Shadowserver released a paper that revealed a large attack infrastructure in which they detailed an ongoing campaign, running as far back as September 2010.  This campaign, reportedly run out of India, used spear-phishing attacks and multiple strains of malware to breach targets of interest and extract data.]]></description>
<content:encoded><![CDATA[<p><em>By Alex Cox, Senior Researcher, RSA FirstWatch team</em></p>
<p>Today, <span style="text-decoration: underline;"><strong><a href="http://blogs.norman.com/" target="_blank">Norman</a></strong></span> and <span style="text-decoration: underline;"><strong><a href="http://www.shadowserver.org/wiki/" target="_blank">Shadowserver</a></strong></span> released a paper that revealed a large attack infrastructure in which they detailed an ongoing campaign, running as far back as September 2010.  This campaign, reportedly run out of India, used spear-phishing attacks and multiple strains of malware to breach targets of interest and extract data.</p>
<p>The details of this case can be researched in the following paper:</p>
<p><span style="text-decoration: underline;"><strong><a href="http://blogs.norman.com/2013/security-research/the-hangover-report">http://blogs.norman.com/2013/security-research/the-hangover-report</a></strong></span></p>
<p>Through our industry ties, the RSA FirstWatch team was able to obtain an advance copy of the paper, and in doing so we collected over 700 of the malware samples referenced in the report for analysis.</p>
<p>This analysis, focused almost exclusively on network behavior, allowed us to work out effective ways of detecting this malware on the network in real time.</p>
<p>As a general rule, the RSA Security Analytics / RSA NetWitness approach to network analysis for these types of threats has always been a three-part process which is circular in nature:</p>
<ol>
<li>Identify expected network behavior</li>
<li>Examine outliers</li>
<li>Link intelligence</li>
</ol>
<p><b>Detection of Identifying User-Agents</b></p>
<p>In many APT malware cases, a non-standard user agent is observed as part of the command and control communication sequence and this case is no different. There are several case-related user-agent strings detailed in the paper:</p>
<p>EMSCBVDFRT<br />
EMSFRTCBVD<br />
FMBVDFRESCT<br />
DSMBVCTFRE<br />
MBESCVDFRT<br />
MBVDFRESCT<br />
TCBFRVDEMS<br />
DEMOMAKE<br />
DEMO<br />
UPHTTP<br />
sendFile</p>
<p>Additionally, the following user-agent strings are also present:</p>
<p>wininetget/0.1<br />
file<br />
test<br />
vbusers<br />
folderwin<br />
smaal<br />
simple<br />
nento<br />
bugmaal</p>
<p>Turned into a Security Analytics application rule, these user-agent strings look like the rule below, which allows a quick pivot on Hangover-related malware traffic:</p>
<p><b>Client = emscbvdfrt,emsfrtcbvd,fmbvdfresct,dsmbvctfre,<br />
mbescvdfrt,mbvdfresct,tcbfrvdems,demomake,demo,<br />
uphttp,sendFile,wininetget/0.1,file,test,vbusers,folderwin,<br />
smaal,simple,nento,bugmaal</b></p>
<p>This particular pivot, where we identify meta elements that we don’t expect to exist in our environment, is a very common way of detecting both malware and unwanted applications on the network.</p>
<p><b>Identifying Information in Query Parameters</b></p>
<p>While not as clear cut as identification of unique user-agents, many malware samples, especially Remote Access Trojans (RATs) used by APT attackers, commonly transmit identifying information as part of command and control check-in traffic.</p>
<p>In this case, we see similar behavior: the computer name of the analysis environment, “RemotePC”, and the logged-in user, “admin”, are transmitted in plaintext during the C2 check-in of many of the identified samples:</p>
<p><em>(click on the image below and zoom to see detail)</em></p>
<p><a href="http://blogs.rsa.com/wp-content/uploads/2013/05/Querystring.png"><img class="alignnone size-full wp-image-9121" alt="Querystring" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Querystring.png" width="516" height="165" /></a></p>
<p><b>Identifying C2 domains</b></p>
<p>Lastly, by building domain intelligence from malware analysis, known existing compromises, online research, passive DNS and other methods, we are able to maintain a large feed of domains that identify suspect traffic.</p>
<p>In this case, RSA FirstWatch added specific domain intelligence related to the Hangover intrusion set on 4/30/13. Historic hits to these domains can be located with the following custom drill:</p>
<p><b>threat.category = research &amp;&amp; threat.desc = apt-domain-a-cow_star, apt-domain-a-hanove, apt-domain-a-trojan.apt.snowtime, apt-domain-a-backdoor.apt.anke, apt-domain-a-backdoor.apt.vbupload, apt-domain-a-dragoneyemini_smackdown, apt-domain-a-smackdown, apt-domain-a-hanove2, apt-domain-a-appinbot, apt-domain-a-hanovelarge</b></p>
<p>These three detection methodologies can be applied to this and future incidents for proactive detection of advanced threats.</p>
<p>Special thanks to the researchers at FireEye and Dell Secureworks for their assistance in malware analysis and classification tasks.</p>
<p>Happy Hunting!</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
href="http://posterous.com/share?linkto=http%3A%2F%2Fblogs.rsa.com%2Fdont-fear-the-hangover-network-detection-of-hangover-malware-samples%2F&amp;title=Don%E2%80%99t%20Fear%20the%20Hangover%20%E2%80%93%20Network%20Detection%20of%20Hangover%20Malware%20Samples&amp;selection=Today%2C%20Norman%20and%20Shadowserver%20released%20a%20paper%20that%20revealed%20a%20large%20attack%20infrastructure%20in%20which%20they%20detailed%20an%20ongoing%20campaign%2C%20running%20as%20far%20back%20as%20September%202010.%20%20This%20campaign%2C%20reportedly%20run%20out%20of%20India%2C%20used%20spear-phishing%20attacks%20and%20multiple%20strains%20of%20malware%20to%20breach%20targets%20of%20interest%20and%20extract%20data."></a></li><li style="heigth:16px;width:16px"><a title="Tumblr" class="option1_16" style="background-position:-128px -16px" rel="nofollow" target="_blank" href="http://www.tumblr.com/share?v=3&amp;u=http%3A%2F%2Fblogs.rsa.com%2Fdont-fear-the-hangover-network-detection-of-hangover-malware-samples%2F&amp;t=Don%E2%80%99t%20Fear%20the%20Hangover%20%E2%80%93%20Network%20Detection%20of%20Hangover%20Malware%20Samples&amp;s=Today%2C%20Norman%20and%20Shadowserver%20released%20a%20paper%20that%20revealed%20a%20large%20attack%20infrastructure%20in%20which%20they%20detailed%20an%20ongoing%20campaign%2C%20running%20as%20far%20back%20as%20September%202010.%20%20This%20campaign%2C%20reportedly%20run%20out%20of%20India%2C%20used%20spear-phishing%20attacks%20and%20multiple%20strains%20of%20malware%20to%20breach%20targets%20of%20interest%20and%20extract%20data."></a></li><li style="heigth:16px;width:16px"><a title="Google Reader" class="option1_16" style="background-position:-112px 0px" rel="nofollow" target="_blank" 
href="http://www.google.com/reader/link?url=http%3A%2F%2Fblogs.rsa.com%2Fdont-fear-the-hangover-network-detection-of-hangover-malware-samples%2F&amp;title=Don%E2%80%99t%20Fear%20the%20Hangover%20%E2%80%93%20Network%20Detection%20of%20Hangover%20Malware%20Samples&amp;srcURL=http%3A%2F%2Fblogs.rsa.com%2Fdont-fear-the-hangover-network-detection-of-hangover-malware-samples%2F&amp;srcTitle=Speaking+of+Security+-+The+RSA+Blog+and+Podcast+The+Security+Blog+for+Security+Professionals"></a></li><li style="heigth:16px;width:16px"><a class="option1_16" style="cursor:pointer;background-position:-64px 0px" rel="nofollow" title="Add to favorites - doesn't work in Chrome"  onClick="javascript:AddToFavorites();"></a></li><li style="heigth:16px;width:16px"><a style="cursor:poainter" rel="nofollow"   onMouseOver="more(this,'post-9109')"><img  src="http://blogs.rsa.com/wp-content/plugins/sociable/images/option1/16/more.png" title="email" alt="email" /></a></li></ul>			

			</div>        

		  <a style="cursor:pointer" onclick="hide_sociable('post-9109',true)" class="close">

		  <img onclick="hide_sociable('post-9109',true)" title="close" src="http://blogs.rsa.com/wp-content/plugins/sociable/images/closelabel.png">

		  </a>

		</div>

	</div> 

  </div></div><div class='sociable' style='float:none'><ul class='clearfix'><li id="Google_p"><g:plusone annotation="bubble" href="http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/" size="medium"></g:plusone></li></ul></div><!-- End Sociable -->]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tales from the Darkside: Another Mule Recruitment Site</title>
		<link>http://blogs.rsa.com/tales-from-the-darkside-another-mule-recruitment-site/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tales-from-the-darkside-another-mule-recruitment-site</link>
		<comments>http://blogs.rsa.com/tales-from-the-darkside-another-mule-recruitment-site/#comments</comments>
		<pubDate>Tue, 16 Apr 2013 18:19:16 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=8779</guid>
		<description><![CDATA[The underground economy is a complex world with criminal organizations that specialize in each element of making it run.  While Money Mules may just be a portion of this economy, they are crucial to its success.  Without mules, cybercriminals have no safe way to move money and product.  There are 2 basic types of mules when it comes to cybercrime.  You have money mules, which help to move money, and reshipping mules, which help to move stolen goods.  Mule recruiters, another portion of this economy, specialize in finding individuals or small businesses that will help them move funds or product.  In most cases, these mules are unwitting accomplices to the crime.]]></description>
				<content:encoded><![CDATA[<p><em>By Steven Sipes, Consultant Research Analyst, RSA FirstWatch</em></p>
<p>The underground economy is a complex world built by criminal organizations.  These organizations specialize in one or more of the individual elements or services that, collectively, work together to form the underground economy.  One such service is mule recruitment.  While mule recruitment may be just a portion of this economy, mules are crucial to its success.  Without mules, cybercriminals have no safe way to move money and product.  There are 2 basic types of mules when it comes to cybercrime: money mules, which help to move money, and reshipping mules, which help to move stolen goods.  Mule recruiters specialize in finding individuals or small businesses that will help them move funds or product.  In most cases, these mules are unwitting accomplices to the crime.  Other criminal elements in the underground economy specialize in acquiring illicit funds or products: they harvest banking account credentials to move funds electronically, or they use stolen credit cards to purchase items that the reshipping mules then send overseas.</p>
<p>Mule recruitment operations have a very short lifespan as evidenced by one of our previous <span style="text-decoration: underline;"><strong><a href="https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2012/12/17/tales-from-the-darkside-money-mule-recruitment-sites">blogs </a></strong></span>from December.  All three of the mule recruitment sites that were featured here have closed shop and their websites have disappeared.  Unfortunately, that doesn&#8217;t mean we won&#8217;t see them again.  I can almost guarantee that somewhere in the underground, they have already reopened their digital front doors and are looking for more mules.</p>
<p style="text-align: left;">Below is an example of one of the latest mule recruitment sites to hit our radar.  Introducing…<span style="text-decoration: underline;"><strong>Transnational</strong></span><strong> Logistics</strong> (www.transnationallogistics.com)</p>
<p><a href="http://blogs.rsa.com/tales-from-the-darkside-another-mule-recruitment-site/transnationallogistics-2/" rel="attachment wp-att-8801"><img class="wp-image-8801 aligncenter" alt="transnationallogistics" src="http://blogs.rsa.com/wp-content/uploads/2013/04/transnationallogistics1.jpg" width="355" height="300" /></a></p>
<p>Their website certainly has the look and feel of a legitimate business.  It has a company logo, well-worded text, and information about the company and its locations.  Heck…they even claim to have been in business for over 10 years.</p>
<p>But let&#8217;s take a closer look at this supposed large, international logistics company.  All of the images on the website are fairly generic, with no images of company-branded trucks or shipping containers.  Another clue is how long the website has been active.  This 10+ year organization has only had a corporate website for 2 months.  That&#8217;s right…the website was registered in February 2013.  Also, they supposedly have offices in the UK, China, USA, and Turkey, but the website is hosted in Ukraine.  And what about that Madison Ave. address in New York?  Google Maps and the Yellow Pages do not show any company by that name in New York, at that address or any other.  This all seems rather suspicious, doesn&#8217;t it?</p>
<p>We had the opportunity to speak with an individual who was actively recruited to work as a Project Manager for the company.  The level of professionalism portrayed by Transnational Logistics is *very* impressive.  They have someone making phone calls to potential candidates, and they provide each candidate with a quasi-professional <span style="text-decoration: underline;"><strong><a href="http://blogs.rsa.com/wp-content/uploads/2013/04/pre-employment-questionnaire.pdf">pre-employment questionnaire</a></strong></span>, <span style="text-decoration: underline;"><strong><a href="http://blogs.rsa.com/wp-content/uploads/2013/04/employee-agreement.pdf">employee agreement</a></strong></span>, and <strong><a href="http://blogs.rsa.com/tales-from-the-darkside-another-mule-recruitment-site/transnational-logistics-training-guide-part-1/" rel="attachment wp-att-8866">training materials</a></strong>.  Furthermore, the terms of employment are enticing.  They are offering a base salary of $75,000, medical insurance, sick leave, 12 paid vacation days, federal holidays, and bonuses.  They even have paid training.  Seems just a little too good to be true, doesn&#8217;t it?  But they are piquing interest and have had 14 potential candidates in recent days.</p>
<p><a href="http://blogs.rsa.com/tales-from-the-darkside-another-mule-recruitment-site/emails-2/" rel="attachment wp-att-8802"><img class="aligncenter size-full wp-image-8802" alt="emails" src="http://blogs.rsa.com/wp-content/uploads/2013/04/emails1.jpg" width="448" height="198" /></a></p>
<p>So who is behind this scam?  It’s difficult to say, as attribution is always challenging.  The aliases the criminals are currently using are Christine Felton (646-797-xxxx) and Brandon Jones (646-797-xxxx).  If you punch their numbers into your favorite search engine, you might find that complaints have already been filed against at least one of these numbers, and further analysis indicates these may be VoIP numbers belonging to a major US telecommunications company.</p>
<p>If you do a little more digging on Brandon Jones, you&#8217;ll find his LinkedIn profile.  He has ZERO connections.  Not exactly what you might expect from the HR Manager at a global logistics company.</p>
<p><a href="http://blogs.rsa.com/tales-from-the-darkside-another-mule-recruitment-site/linkedin-2/" rel="attachment wp-att-8803"><img class="aligncenter size-medium wp-image-8803" alt="linkedin" src="http://blogs.rsa.com/wp-content/uploads/2013/04/linkedin1-296x300.jpg" width="296" height="300" /></a></p>
<p>So are they recruiting money mules or reshipping mules?  Honestly, we&#8217;re not sure at this point.  Since they portray themselves as a logistics company, it&#8217;s very plausible that they are looking for reshipping mules.  If you work for a logistics company, it would make sense that you might actually ship something as part of your normal job responsibilities.  Of course, it might also make sense that you would help with the fees/duties/taxes associated with shipments and have to send a payment somewhere.  We are continuing our investigation and talking regularly with the individuals who were impacted by this scheme.  Until then…just remember…if you get a job offer that seems too good to be true…it probably is.</p>
<p>The good people at <span style="text-decoration: underline;"><strong><a href="http://www.youtube.com/watch?v=rmx4twCK3_I">State Farm </a></strong></span>have the right idea…just because you saw it on the Internet doesn&#8217;t make it true.</p>
<p><em>Steven Sipes, MSIA, CISSP, GCIH, GREM, GSEC, GCUX is a Consultant Research Analyst with the RSA FirstWatch team.  Steven has over 15 years of IT security and system administration experience with Fortune 100 companies in the retail, banking, and technology sectors.  He focuses much of his current efforts on exploring and exposing the cyber underground.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/tales-from-the-darkside-another-mule-recruitment-site/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>“What’s your question?” – Next Generation Analysis in the Compromise Landscape</title>
		<link>http://blogs.rsa.com/whats-your-question-next-generation-analysis-in-the-compromise-landscape/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=whats-your-question-next-generation-analysis-in-the-compromise-landscape</link>
		<comments>http://blogs.rsa.com/whats-your-question-next-generation-analysis-in-the-compromise-landscape/#comments</comments>
		<pubDate>Tue, 05 Feb 2013 17:30:46 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Advanced Threats]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[security analyst]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=8063</guid>
		<description><![CDATA[Threat analysts, as a general rule, are often concerned with the minutiae of the day-to-day threat landscape.  Who was hacked this week? Do we have malware involved for this incident? Do we have indicators for the incident?  What about exploits?  Do we need patches?  This is all key information related to properly defending a network, but often, taking a step back and looking at the environment holistically PRIOR to the incident helps to understand where the gaps may be.]]></description>
				<content:encoded><![CDATA[<p><em>By Alex Cox, Sr. Researcher, RSA FirstWatch team</em></p>
<p>The FirstWatch team recently had its team planning meeting, where we discussed plans for the year, current events, and experiences.  One of my teammates and fellow analysts, Pat Belcher, raised an interesting point regarding security analysis, consulting, and understanding your environment.</p>
<p>Threat analysts, as a general rule, are often concerned with the minutiae of the day-to-day threat landscape.  Who was hacked this week? Do we have malware involved for this incident? Do we have indicators for the incident?  What about exploits?  Do we need patches?  This is all key information related to properly defending a network, but often, taking a step back and looking at the environment holistically PRIOR to the incident helps to understand where the gaps may be.</p>
<p>This is what I call “The Question”.   As an analyst gets more experience, he’ll eventually understand that certain questions, even though they aren’t “directly” related to an incident, often give the analyst an insight into security posture as a whole and maybe in a counter-intuitive fashion.</p>
<p>Pat’s question was <em>“Can I plug my computer into your network?”</em> What he found was that if the answer is <em>“No”</em>, the environment he was working in was likely overly restrictive, and counter-intuitively, the defenders probably didn’t have a good idea of what was actually occurring on the network and may have problems.</p>
<p>Likewise, when I was consulting with customers, my question was<em> “How is your malware problem?”</em>  This was forged in my mind during a previous job, where an ineffectual SOC and threat management process glossed over the malware problem instead of confronting it.</p>
<p>My question was answered in one of two ways:</p>
<p><em>“We don’t have a malware problem.”</em>   Or <em> “We’re not sure.”</em>   What I found was the folks that said “We’re not sure” often had a better handle on their overall security posture than the folks that thought they didn’t have a problem at all.</p>
<p>Historically, the security landscape has evolved around this model, that “No” is the default answer and that this will keep the network safe.   Obviously based on the threats and intrusions that we’ve seen in recent history, the “head in the sand” approach is ineffective.</p>
<p>Today’s analysis approach should use a few key concepts that bear repeating:</p>
<p><em><strong>1)      Assume you are already compromised</strong></em></p>
<p>While this is a frightening concept to many organizations, it is the stark reality of the threat landscape.  The bad guys are better at getting in than we are at keeping them out.   Understanding this is a critical concept for the defender.</p>
<p><em><strong>2)      Understand your allowed paths</strong></em></p>
<p>All modern businesses require paths to the internet in order to conduct business.  Things like email, web browsing,  b2b connections, remote connectivity, etc. contribute to the success of the business.   These allowed paths also give attackers the ability to remotely control compromised machines while attempting to blend in with legitimate traffic.</p>
<p><em><strong>3)      Technology solutions alone won’t address your problems</strong></em></p>
<p>A combination of advanced analysis technologies, talented people and accurate intelligence give you the best chance of quickly identifying attacks.  This is contrary to the long-held industry marketing approach that “this magic technology box alone will fix your problem”.   The magic technology box is only part of the solution.</p>
<p>Apply these concepts and come up with your own “Question”, and the next time you have a security planning session, use your question to reevaluate.  You might be surprised what you discover.</p>
<p>Happy Hunting!</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/whats-your-question-next-generation-analysis-in-the-compromise-landscape/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Evolution of Malware Encryption Part I: Basic Malware Encryption</title>
		<link>http://blogs.rsa.com/the-evolution-of-malware-encryption-part-i-basic-malware-encryption/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-evolution-of-malware-encryption-part-i-basic-malware-encryption</link>
		<comments>http://blogs.rsa.com/the-evolution-of-malware-encryption-part-i-basic-malware-encryption/#comments</comments>
		<pubDate>Fri, 21 Dec 2012 17:36:26 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[reverse engineering]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=7632</guid>
		<description><![CDATA[We, the RSA FirstWatch team, are always at the forefront of solving the latest malware problems; one of those is malware encryption. Malware encryption is not new. It has been around since the DOS days, but has simply evolved to address the antivirus solutions designed to beat it. In this multi-part blog, I will discuss how malware encryption has evolved from the simple application of an encryption/decryption engine to the more complicated metamorphic engine.]]></description>
				<content:encoded><![CDATA[<p><em>By Christopher Elisan, Principal Malware Scientist, RSA FirstWatch</em></p>
<p>We, the RSA FirstWatch team, are always at the forefront of solving the latest malware problems; one of those is malware encryption. Malware encryption is not new. It has been around since the DOS days, but has simply evolved to address the antivirus solutions designed to beat it.</p>
<p>In this multi-part blog, I will discuss how malware encryption has evolved from the simple application of an encryption/decryption engine to the more complicated metamorphic engine.</p>
<p>Malware’s main weakness is its source code. If the source code is revealed through decompiling or disassembling, everything about the malware is laid bare. Its darkest secret becomes exposed and defeating it becomes much easier. This is why protecting the source code is one of malware’s important directives, especially if it is designed for persistence.</p>
<p>To better discuss the evolution of malware encryption, I will be borrowing from my book, “<a href="http://www.amazon.com/Malware-Rootkits-Botnets-Beginners-Guide/dp/0071792066">Malware, Rootkits and Botnets: A Beginner’s Guide</a>.”</p>
<p>Malware encryption is designed to protect the malware code itself. There are three major developments in malware encryption technology:</p>
<p>1.) Basic malware encryption</p>
<p>2.) Polymorphism</p>
<p>3.) Metamorphism</p>
<p>We will tackle these three one by one but for this part of the blog, we will concentrate on basic malware encryption.</p>
<p>In the early days of malware, most specimens were file infectors. So, to better explain basic malware encryption, I will discuss it in the context of file infectors.</p>
<p>An encrypted malware has three major components: <b>the encryption/decryption engine</b>, <b>the encrypted malware code</b>, and <b>the decryption key</b>. When the malware is executed, the encryption/decryption engine decrypts the encrypted malware code using the decryption key, and then control is passed to the decrypted malware code in memory for it to do its intended purpose. Upon infection, the decrypted malware code is re-encrypted using a different key before it attaches itself to the newly infected host program. The key can be a series of bytes from a specific location in the host program. The location is constant, but the bytes found in that location differ for every target file. This makes the key different in every infection. Because of this, each copy of the malware code attached to a different host program differs &#8212; no two infections are exactly alike.</p>
<p>Although this method was cutting edge when it was first introduced, the antivirus industry was able to catch up pretty quickly because one of the three components remained constant. The decryption key was always different, the encrypted malware code was always different, but the encryption/decryption engine remained constant. Using the code of the encryption/decryption engine, the antivirus products were able to create a signature to catch this basic form of malware encryption.</p>
<p>Because of this, the malware writers had to come up with a new way of encrypting malware. And so they did. They came up with polymorphism. We will discuss this further in part 2 of The Evolution of Malware Encryption. Stay tuned!</p>
<p><em>Christopher Elisan is a seasoned reverse engineer and malware researcher. He frequently speaks at various security conferences across the US and provides expert opinion about malware, botnets and advanced persistent threats for leading industry and mainstream publications. He is currently the Principal Malware Scientist at RSA NetWitness. Elisan is also the author of &#8220;Malware, Rootkits and Botnets: A Beginner&#8217;s Guide.&#8221;</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-evolution-of-malware-encryption-part-i-basic-malware-encryption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stalking the Kill Chain: Tying it All Together</title>
		<link>http://blogs.rsa.com/stalking-the-kill-chain-tying-it-all-together/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=stalking-the-kill-chain-tying-it-all-together</link>
		<comments>http://blogs.rsa.com/stalking-the-kill-chain-tying-it-all-together/#comments</comments>
		<pubDate>Fri, 28 Sep 2012 12:00:46 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cyberwarfare]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=5813</guid>
		<description><![CDATA[Historically, security technologies tend to be focused in a single place, or at most, two places on the kill chain, but lack the entire context behind an event that a complete analysis system imparts. When using the phrase “stalking the kill chain”, we are focusing on the ability to use a structured approach to watching the network with the idea of identifying kill chain events in progress, across the entire kill chain.]]></description>
				<content:encoded><![CDATA[<p><em>By Alex Cox, Sr. Researcher, RSA FirstWatch team<br />
</em></p>
<p><strong>The Single Event Mentality</strong></p>
<p>Historically, security technologies tend to be focused in a single place, or at most, two places on the kill chain, but lack the entire context behind an event that a complete analysis system imparts. When using the phrase “stalking the kill chain”, we are focusing on the ability to use a structured approach to watching the network with the idea of identifying kill chain events in progress, across the entire kill chain.</p>
<p>- Anti-virus is focused on the delivery and exploitation phases, attempting to detect known shellcode, previously identified malware, or heuristically interesting binaries.</p>
<p>- Intrusion detection is focused on exploitation events or C2, based on known signatures or communication methods.</p>
<p>- Content filtering and proxy technologies are focused on blocking known C2 or exploit sites, or on categorizing sites for additional analysis.</p>
<p><strong>Tracking an event holistically in NetWitness NextGen</strong></p>
<p>Ultimately, we seek to move our analysis techniques from a single- or dual-stage approach to a seamless one that allows free-flowing movement in any direction along the kill chain during an investigation, with the goal of gauging the scope and magnitude of the intrusion quickly.</p>
<p>Using RSA NetWitness Live, a NextGen user is able to consume and leverage related content to help track events across the kill chain.</p>
<p>While the detection of malware is important, a holistic approach to threat detection also needs to focus on the detection of “quiet” activity after the attacker has established a foothold. According to industry reports, attackers used malware in only 54 percent of compromises; the rest could only be detected through holistic analysis.</p>
<p><strong>Signs of Weaponization/Delivery/Exploitation</strong></p>
<p>For detection of weaponization, delivery and exploitation events within NetWitness, the following content can be consumed and utilized from NetWitness Live:</p>
<p>FlexParsers – Malware PDF, Fingerprint office2007, Fingerprint office97-2003, Fingerprint pdf, Fingerprint jar, Exploit Web Pages, HTML Threat Analysis (Spectrum Subscribers), Encoded File Fingerprinting, XOR Executable (Spectrum Subscribers), Advanced Executable (Spectrum Subscribers)</p>
<p>To further augment this analysis, the following custom drills in Investigator should be employed:</p>
<p>General PDF identification<br />
<em>filetype = pdf<br />
filetype = base64 encoded pdf</em></p>
<p>Anomalous PDF identification<br />
<em>risk.warning begins pdf || risk.suspicious begins pdf || risk.info begins pdf</em></p>
<p><strong>Office Documents</strong></p>
<p>General Office Document Identification:<br />
<em>filetype = office2007 || filetype = office97-2003<br />
filetype = base64 encoded office</em></p>
<p><strong>Suspicious Web Pages </strong>(potential exploit or browser fingerprinting activity)</p>
<p>Existence of Java Applets:<br />
<em>filetype = jar</em></p>
<p>Existence of suspicious HTML elements:<br />
<em>risk.suspicious = js scan for adobe<br />
risk.suspicious = iframe src pdf<br />
risk.suspicious = iframe src cgi<br />
risk.suspicious = iframe src htm<br />
risk.suspicious = iframe src html<br />
risk.info = embedded html applet<br />
risk.info = embedded html applet with params<br />
risk.info = embedded html codebase<br />
risk.info = embedded html object<br />
risk.suspicious = iframe embedded js<br />
risk.suspicious = iframe hidden values<br />
risk.suspicious = iframe inside hidden div<br />
risk.suspicious = iframe src php<br />
risk.suspicious = pdf inside hidden div<br />
risk.warning = iframe src pdf</em></p>
<p>General Executable Detection<br />
<em>filetype = windows executable<br />
filetype = base64 encoded exe</em></p>
<p>Anomalous Executable Detection<br />
<em>risk.info begins exe || risk.suspicious begins exe || risk.warning begins exe<br />
risk.warning = potential binary from duqu group<br />
risk.warning = hex encoded executable<br />
risk.warning = xor encoded executable</em></p>
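<p>As an added example that is not RSA or NetWitness code (and not the FlexParsers listed above), the following Python shows how the fingerprints behind the <em>windows executable</em>, <em>base64 encoded exe</em>, <em>hex encoded executable</em> and <em>xor encoded executable</em> values can be computed on bytes pulled from a session body. The PE checks (MZ magic, e_lfanew at offset 0x3C, the PE signature) follow the real file format; the minimal executable it builds, the HTTP response prefix and the XOR key 0x5A are constructed stand-ins, and recovering a single-byte XOR key from the MZ magic is this example's own approach, not a description of how the Spectrum parsers work.</p>

```python
"""Fingerprint a Windows executable hidden under common transport encodings.

Added example, not RSA or NetWitness code. It reproduces the idea behind the
'windows executable', 'base64 encoded exe', 'hex encoded executable' and
'xor encoded executable' drills on raw bytes taken from a session body.
"""
import base64
import binascii
import re
import struct
from typing import Optional, Tuple

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: DOS header, stub text, PE signature.

    Only the markers a fingerprinting parser checks are present; it is not a
    runnable binary.
    """
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * 58)            # e_magic, pad to offset 0x3C
    hdr += struct.pack("<I", e_lfanew)                # e_lfanew: where 'PE\0\0' lives
    hdr += DOS_STUB_TEXT + b"\r\r\n$"
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00" + struct.pack("<H", 0x14C)   # signature + Machine = i386
    return bytes(hdr)


def pe_at(data: bytes, off: int) -> bool:
    """True if a PE image starts at data[off]: 'MZ', sane e_lfanew, 'PE\\0\\0'."""
    if data[off:off + 2] != b"MZ" or len(data) - off < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    sig = off + e_lfanew
    return e_lfanew >= 0x40 and sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\x00\x00"


def find_plain_pe(data: bytes) -> int:
    """Offset of the first PE image embedded in data (e.g. after HTTP headers), or -1."""
    off = data.find(b"MZ")
    while off != -1:
        if pe_at(data, off):
            return off
        off = data.find(b"MZ", off + 1)
    return -1


def find_xor_pe(data: bytes) -> Optional[Tuple[int, int]]:
    """Single-byte XOR scan. The key is recovered from the 'MZ' magic at each
    offset and then confirmed against the PE signature, so two bytes that merely
    XOR to 'MZ' (one position in 256) do not produce a hit."""
    for off in range(len(data) - 0x43):
        key = data[off] ^ ord("M")
        if key == 0 or data[off + 1] ^ key != ord("Z"):
            continue
        head = bytes(b ^ key for b in data[off:off + 0x40])
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        sig = off + e_lfanew
        if e_lfanew >= 0x40 and sig + 4 <= len(data):
            if bytes(b ^ key for b in data[sig:sig + 4]) == b"PE\x00\x00":
                return off, key
    return None


def classify_payload(payload: bytes) -> Optional[str]:
    """Name the encoding under which payload carries a PE, using the same labels
    as the NetWitness filetype / risk.warning values, or None."""
    if find_plain_pe(payload) != -1:
        return "windows executable"
    compact = re.sub(rb"\s+", b"", payload)           # MIME bodies wrap at 76 columns
    if re.fullmatch(rb"[0-9A-Fa-f]+", compact) and len(compact) % 2 == 0:
        if find_plain_pe(binascii.unhexlify(compact)) != -1:
            return "hex encoded executable"
    if re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact) and len(compact) % 4 == 0:
        try:
            if find_plain_pe(base64.b64decode(compact, validate=True)) != -1:
                return "base64 encoded exe"
        except binascii.Error:
            pass
    if find_xor_pe(payload) is not None:
        return "xor encoded executable"
    return None


def demo_variants(key: int = 0x5A) -> dict:
    """Constructed sample bodies, one per encoding the classifier names."""
    pe = build_fake_pe()
    http = b"HTTP/1.1 200 OK\r\n\r\n"                   # constructed response prefix
    return {
        "windows executable": http + pe,
        "hex encoded executable": binascii.hexlify(pe),
        "base64 encoded exe": base64.encodebytes(pe),   # includes line breaks
        "xor encoded executable": http + bytes(b ^ key for b in pe),
    }


if __name__ == "__main__":
    for label, body in demo_variants().items():
        print(f"{label:24} -> {classify_payload(body)}")
    print(f"{'benign html':24} -> {classify_payload(b'<html><body>hi</body></html>')}")
```

<p>Checking the PE signature at e_lfanew rather than stopping at the two-byte MZ magic is what keeps the XOR scan quiet on ordinary traffic: some pair of bytes XORs to "MZ" under some key at roughly one position in 256, but the signature must line up under that same key before anything is reported.</p>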
<p><strong>Signs of Command and Control</strong></p>
<p>For detection of command and control events within NetWitness, the following content can be consumed and utilized from NetWitness Live:</p>
<p>FlexParsers – Botnet Traffic Patterns, Htran, ShadyRat, HTML Header, Verbose DNS, Duqu Binary Detection, Windows Command Shell</p>
<p>To further augment this analysis, the following custom drills in Investigator should be employed:</p>
<p>Specific Malware C2 Behavior<br />
<em>risk.warning ends “botnet activity”<br />
risk.suspicious = “htran redirector”<br />
risk.suspicious = “shadyrat encoded command”</em></p>
<p>Generic HTML and DNS Anomaly Detection<br />
<em>risk.info begins http<br />
risk.info begins dns</em></p>
<p>Remote Windows Shell<br />
<em>risk.warning = windows command shell<br />
risk.suspicious = windows cli admin command</em></p>
<p>Remote Desktop Connection<br />
<em>service = 3389</em></p>
<p><strong>Signs of Exfiltration</strong></p>
<p>For detection of exfiltration events within NetWitness, the following content can be consumed and utilized from NetWitness Live:</p>
<p>FlexParsers – Fingerprint RAR, Encoded Hashes, pkware</p>
<p>To further augment this analysis, the following custom drills in Investigator should be employed:</p>
<p>Generic FTP Detection<br />
<em>service = 21</em></p>
<p>Generic Archive File Identification<br />
<em>filetype = rar<br />
filetype = zip<br />
filetype = base64 encoded zip<br />
filetype = base64 encoded rar</em></p>
<p>Password Hash Exfiltration or Movement<br />
<em>risk.warning begins plaintext pwdump<br />
risk.warning begins xor encoded pwdump<br />
risk.warning begins base64 encoded pwdump</em></p>
<p>While this is not an exhaustive list, it provides a basic guideline for analysis of advanced threats across the kill chain.</p>
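<p>To show how these drills combine into the cross-chain view this post argues for, here is an added Python example (not RSA or NetWitness code) that evaluates the drill strings above against constructed session metadata and lines up each internal host's hits in kill-chain order. The drill grammar it accepts (<em>key = value</em>, <em>key begins value</em>, <em>key ends value</em>, clauses joined by <em>||</em>), the multi-valued meta model, the internal-host pivot and the session records are all assumptions made for the example, not NetWitness behavior.</p>

```python
"""Stalk the kill chain over session metadata using the post's own drills.
Added example, not RSA or NetWitness code: the drill grammar, the multi-valued
meta model and the session records below are all assumptions for the example."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

CLAUSE_RE = re.compile(r"^\s*([\w.]+)\s+(=|begins|ends)\s+(.+?)\s*$")
PHASE_ORDER = ["delivery/exploitation", "command and control", "exfiltration"]

# Drills quoted from the post, grouped by the kill-chain phase they evidence.
DRILLS: Dict[str, List[str]] = {
    "delivery/exploitation": [
        "filetype = pdf || filetype = base64 encoded pdf",
        "risk.warning begins pdf || risk.suspicious begins pdf || risk.info begins pdf",
        "filetype = office2007 || filetype = office97-2003 || filetype = base64 encoded office",
        "filetype = windows executable || filetype = base64 encoded exe",
        "risk.warning = hex encoded executable || risk.warning = xor encoded executable",
    ],
    "command and control": [
        "risk.warning ends “botnet activity”",
        "risk.suspicious = “htran redirector” || risk.suspicious = “shadyrat encoded command”",
        "risk.info begins http || risk.info begins dns",
        "risk.warning = windows command shell || risk.suspicious = windows cli admin command",
        "service = 3389",
    ],
    "exfiltration": [
        "service = 21",
        "filetype = rar || filetype = zip || filetype = base64 encoded zip || filetype = base64 encoded rar",
        "risk.warning begins plaintext pwdump || risk.warning begins xor encoded pwdump || risk.warning begins base64 encoded pwdump",
    ],
}

# Constructed sample meta (not real captures): one host walked down the whole chain,
# two hosts with a single hit each. 10.x is internal; the other addresses are TEST-NET.
SESSIONS = [
    {"time": "09:01", "ip.src": "10.1.1.20", "ip.dst": "203.0.113.10", "service": 80, "filetype": ["pdf"], "risk.warning": ["pdf javascript"]},
    {"time": "09:03", "ip.src": "10.1.1.20", "ip.dst": "203.0.113.10", "service": 80, "filetype": ["windows executable"], "risk.warning": ["xor encoded executable"]},
    {"time": "09:20", "ip.src": "10.1.1.20", "ip.dst": "198.51.100.7", "service": 80, "risk.warning": ["http botnet activity"]},
    {"time": "09:40", "ip.src": "10.1.1.20", "ip.dst": "10.1.1.50", "service": 3389},
    {"time": "10:15", "ip.src": "10.1.1.20", "ip.dst": "198.51.100.7", "service": 21, "filetype": ["rar"]},
    {"time": "10:16", "ip.src": "10.1.1.20", "ip.dst": "198.51.100.7", "service": 80, "risk.warning": ["base64 encoded pwdump"]},
    {"time": "09:05", "ip.src": "10.1.1.31", "ip.dst": "203.0.113.10", "service": 80, "filetype": ["pdf"]},
    {"time": "11:00", "ip.src": "10.1.1.44", "ip.dst": "192.0.2.9", "service": 21, "filetype": ["zip"]},
]


def parse_drill(expr: str) -> List[Tuple[str, str, str]]:
    """Split 'a = x || b begins y' into (key, op, value) clauses, quotes stripped."""
    clauses = []
    for part in expr.split("||"):
        m = CLAUSE_RE.match(part)
        if not m:
            raise ValueError(f"bad clause: {part!r}")
        key, op, value = m.groups()
        clauses.append((key, op, value.strip('"“”').lower()))
    return clauses


def match_drill(expr: str, session: dict) -> bool:
    """True when any clause matches any value of its meta key; meta is multi-valued,
    so one session can carry several risk.* values and any of them may match."""
    for key, op, want in parse_drill(expr):
        values = session.get(key, [])
        for have in (values if isinstance(values, list) else [values]):
            have = str(have).lower()
            if ((op == "=" and have == want) or (op == "begins" and have.startswith(want))
                    or (op == "ends" and have.endswith(want))):
                return True
    return False


def stalk(sessions: List[dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Per internal host, the time-ordered (time, phase, drill) evidence. The pivot
    is the private endpoint, so inbound delivery and outbound C2 land on one host."""
    timeline = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s["time"]):
        src, dst = s["ip.src"], s["ip.dst"]
        host = src if ipaddress.ip_address(src).is_private else dst
        for phase in PHASE_ORDER:
            for drill in DRILLS[phase]:
                if match_drill(drill, s):
                    timeline[host].append((s["time"], phase, drill))
    return dict(timeline)


def triage(sessions: List[dict]) -> List[Tuple[str, List[str]]]:
    """Rank hosts by how far down the chain their evidence reaches: a lone PDF
    download is noise until a later phase shows up on the same host."""
    ranked = []
    for host, events in stalk(sessions).items():
        seen = [p for p in PHASE_ORDER if any(e[1] == p for e in events)]
        ranked.append((host, seen))
    return sorted(ranked, key=lambda hp: (-len(hp[1]), hp[0]))


if __name__ == "__main__":
    for host, phases in triage(SESSIONS):
        print(f"{host:12} {' -> '.join(phases)}")
```

<p>Run on its own, it ranks 10.1.1.20, which trips delivery, C2 and exfiltration drills in sequence, above the host that only downloaded a PDF and the host whose only hit is a zip over FTP. Each of the latter is the kind of single-event alert the post describes as insufficient on its own; the same drills become decisive once they are read together per host.</p>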
<p><strong>Conclusion</strong></p>
<p>Given the prevalence and velocity of malware production, combined with sophisticated attack strategies, it is common for advanced threats to infiltrate organizations successfully even when defenders have “checked all of the blocks” for a robust security infrastructure. Only through a comprehensive understanding of the organization’s current capabilities to detect and respond along the kill chain, together with pervasive visibility, threat intelligence, intelligent security analytics and analyst intuition, can a defending organization hope to level the playing field. Let this whitepaper serve as high-level guidance and a starting point for identifying and tracking attacks which may pose a threat to your organization – happy hunting!</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/stalking-the-kill-chain-tying-it-all-together/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Deeper Look in the Watering Hole &#8211; Inside the VOHO APT Campaign</title>
		<link>http://blogs.rsa.com/voho-apt-campaign-update/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=voho-apt-campaign-update</link>
		<comments>http://blogs.rsa.com/voho-apt-campaign-update/#comments</comments>
		<pubDate>Tue, 25 Sep 2012 12:30:51 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[APT Cyberespionage Cyberwarfare SMT Gh0stRat]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=6586</guid>
		<description><![CDATA[By Will Gragido, Senior Manager, RSA FirstWatch Team On July 21, 2012 the RSA FirstWatch team blogged about a new campaign we had identified and discovered &#8211; a new campaign that we believed met the criteria for advanced persistent threats (APT) and subversive multi-vector threats (SMT). We conducted intensive, in-depth reconnaissance that saw us collect [...]]]></description>
				<content:encoded><![CDATA[<p><em>By Will Gragido, Senior Manager, RSA FirstWatch Team</em></p>
<p>On July 21, 2012 the RSA FirstWatch team blogged about a <span style="text-decoration: underline;"><strong><a href="http://blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/">new campaign</a></strong></span> we had identified &#8211; one that we believed met the criteria for <em>advanced persistent threats </em>(APT) and <em>subversive multi-vector threats </em>(SMT). We conducted intensive, in-depth reconnaissance that collected a wealth of data on the campaign, its behavioral attributes and the stages in which it was carried out, in addition to the vulnerabilities exploited on domains the world over that redirected visitors to sites serving the malicious payload.</p>
<p>We dubbed the campaign ‘VOHO’, and the technique of luring in parties affiliated with the targets of interest and opportunity that the adversaries behind the campaign sought to compromise ‘Water Holing’. Now, after three months of intense research, scrutiny and analysis, we are pleased to announce the release of the much anticipated and alluded to white paper titled &#8220;<em>The VOHO Campaign: An in-depth Analysis</em>.&#8221;</p>
<p>We believe the paper will clearly demonstrate through advanced research and analysis the intent behind the campaign while articulating key attributes of this operation which make it quite unique and distinct from other campaigns of a similar nature.  Furthermore, we demonstrate the similarities in architecture, malicious code and content employment and reuse in addition to the net effect that this campaign has had on nearly 1,000 unique organizations seeing approximately 35,000 unique hosts impacted with a staggering 12% rate of compromise.  The RSA FirstWatch Threat Research team will be happy to answer any inquiries made with respect to this campaign and are working diligently to notify those who have been impacted by VOHO.</p>
<p>The paper can be downloaded at:<br />
<span style="text-decoration: underline;"><strong><a href="http://blogs.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf">VOHO_WP_FINAL_READY FOR Publication 09242012_AC</a></strong></span></p>
<p><em>Will Gragido leads the RSA FirstWatch advanced threat intelligence team at RSA. His career in information security spans more than 18 years in the commercial and defense sectors. He is the co-author of Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/voho-apt-campaign-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dark Side of Shamoon</title>
		<link>http://blogs.rsa.com/dark-side-of-shamoon/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=dark-side-of-shamoon</link>
		<comments>http://blogs.rsa.com/dark-side-of-shamoon/#comments</comments>
		<pubDate>Mon, 24 Sep 2012 12:30:08 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[Cyberwarfare]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Shamoon]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=6533</guid>
		<description><![CDATA[Recently, there has been some media noise generated by a new malware reportedly attacking targets in the Middle East such as Saudi Aramco. But what exactly does this attack look like once the malware compromised the system? Check out our visual examples of Shamoon, including a video showing its destructive payload in action.]]></description>
				<content:encoded><![CDATA[<p><em>By Christopher Elisan, Principal Malware Scientist, RSA FirstWatch team</em></p>
<p>Recently, there has been some media noise generated by a new malware reportedly attacking targets in the Middle East such as Saudi Aramco. But what exactly does this attack look like once the malware has compromised the system?</p>
<p>Most malware nowadays, especially malware used in targeted attacks, exhausts every available stealth technique to hide its presence and avoid anything that might raise suspicion. Shamoon does not fit this paradigm, because its main directive is the destruction of the compromised system. Shamoon was designed to express a message and destroy the victim’s file system. The component SFMSC.EXE is responsible for this mission. Basically, it replaces files with an image of a burning US flag (see Figure 1) and ultimately destroys the machine’s file system.</p>
<p><a href="http://blogs.rsa.com/wp-content/uploads/Fig01-US_flag_burning.jpg"><img class="size-medium wp-image-6535 alignnone" title="Fig01-US_flag_burning" src="http://blogs.rsa.com/wp-content/uploads/Fig01-US_flag_burning-217x300.jpg" alt="" width="217" height="300" /></a></p>
<p><em><strong>Figure 1: The image used by Shamoon<br />
both as a lure and as part of its malicious<br />
payload</strong></em></p>
<p>Since its main directive is destruction, this malware does not even attempt to encrypt its body. A simple hex view, as seen in Figure 2, reveals the following string in the malware’s code:</p>
<p align="center"> <strong>C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb</strong></p>
<p><a href="http://blogs.rsa.com/wp-content/uploads/Fig02-String2.png"><img class=" wp-image-6538  alignnone" title="Fig02-String" src="http://blogs.rsa.com/wp-content/uploads/Fig02-String2.png" alt="" width="451" height="50" /></a></p>
<p><strong><em>Figure 2: Strings found in the malware body</em></strong></p>
<p>When active, the malware overwrites files with a copy of US_flag_burning.JPG. So technically, it behaves as an overwriting virus. Among the files overwritten are shortcut files in the Start Menu and in the QuickLaunch bar. The intent is that the user sees the image every time a file is opened or a program is executed from the Start Menu or the QuickLaunch bar. I see this as the digital version of a demonstration or rally of anti-US sentiment, which usually includes burning of a US flag and other effigies. But because of bugs in the code, the overwriting process fails. The result is not a copy of US_flag_burning.JPG but a gray box, as seen in Figure 3, with a piece of the picture visible in the upper left.</p>
<p><a href="http://blogs.rsa.com/wp-content/uploads/Fig03-Graybox.png"><img class=" wp-image-6544 alignnone" title="Fig03-Graybox" src="http://blogs.rsa.com/wp-content/uploads/Fig03-Graybox.png" alt="" width="284" height="393" /></a></p>
<p><em><strong>Figure 3: The resulting gray box with part<br />
of the picture on the upper left</strong></em></p>
<p>The reason for this is that the overwriting of the host file seems to happen in 400H-byte chunks. The piece of the picture seen in the upper left of the gray box is the first 400H chunk, which includes the file header. But instead of copying the next 400H chunk, the malware copies the same 400H chunk starting at offset 0 of the file rather than the second chunk starting at offset 401H, hence the corruption. It does this 192 times, resulting in a file size of 196,608 bytes (30,000H bytes).</p>
<p>Aside from overwriting files, the malware also drops two files: f1.INF and f2.INF. From my experiments, f1.INF was also overwritten, while f2.INF, on the other hand, was not; it contains the full path and filename of the overwritten files.</p>
<p>Once all the overwriting is done, it destroys the machine’s file system resulting in the complete destruction of the operating system and loss of data contained in the compromised machine.</p>
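<p>The overwrite bug described above leaves a recognisable artefact: a file that is its own first 400H-byte chunk repeated 192 times. The following triage script is an added example, not RSA's code; it flags files in that shape so a responder sweeping a disk image can separate wiped files from intact ones. The chunk size, repeat count and resulting size are taken from the post; the sample files in the test are constructed.</p>

```python
"""Triage check for the Shamoon overwrite artefact (added example, not RSA code).

A file the wiper overwrote looks like chunk0 * 192, where chunk0 is the first
0x400 bytes (the JPEG header piece visible in the gray box).  An intact file
almost never repeats its first 0x400 bytes exactly even once, so this check
separates wiped files from intact ones with very few false positives.
"""
import os
import sys

CHUNK = 0x400                     # 400H-byte overwrite unit described in the post
REPEATS = 192                     # the chunk is copied 192 times
EXPECTED_SIZE = CHUNK * REPEATS   # 0x30000 = 196,608 bytes


def repeated_chunk_count(data: bytes, chunk: int = CHUNK) -> int:
    """Return how many leading chunks of `data` are byte-identical to chunk 0."""
    if len(data) < chunk:
        return 0
    first = data[:chunk]
    count = 0
    for off in range(0, len(data) - chunk + 1, chunk):
        if data[off:off + chunk] != first:
            break
        count += 1
    return count


def looks_wiped(data: bytes) -> bool:
    """True when the file is exactly 192 identical 0x400-byte chunks (196,608 bytes)."""
    return len(data) == EXPECTED_SIZE and repeated_chunk_count(data) == REPEATS


def build_wiped_sample(header: bytes) -> bytes:
    """Construct a sample in the shape the post describes: the first 0x400 bytes
    (a header padded out with zeros) copied 192 times instead of advancing."""
    chunk0 = (header + bytes(CHUNK))[:CHUNK]
    return chunk0 * REPEATS


def scan_tree(root: str):
    """Yield (path, verdict) for every readable regular file under `root`.

    Reads one byte past the expected size so that larger files are rejected
    without loading them fully.
    """
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(EXPECTED_SIZE + 1)
            except OSError:
                continue
            yield path, looks_wiped(data)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, wiped in scan_tree(root):
        if wiped:
            print("WIPED-PATTERN", path)
```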
<p>To have a better understanding of Shamoon, watch the video showing the malware in action:<br />
<iframe src="http://www.youtube.com/embed/tFscAMDW5i8" frameborder="0" width="438" height="248"></iframe></p>
<p><em>Christopher C. Elisan, CEH, CSM, MCSE is a Principal Malware Scientist with the RSA FirstWatch team, an advanced threat intelligence research group. Christopher is a seasoned reverse engineer and malware researcher. He has a long history of digital threat research and building anti-malware infrastructure. Christopher is also a frequent speaker and a subject matter expert on  malware, botnets and advanced persistent threats.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/dark-side-of-shamoon/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Stalking the Kill Chain: The Attacker&#8217;s Chain</title>
		<link>http://blogs.rsa.com/stalking-the-kill-chain-the-attackers-chain-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=stalking-the-kill-chain-the-attackers-chain-2</link>
		<comments>http://blogs.rsa.com/stalking-the-kill-chain-the-attackers-chain-2/#comments</comments>
		<pubDate>Thu, 16 Aug 2012 12:00:34 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cyberwarfare]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=5811</guid>
		<description><![CDATA[By Alex Cox, Sr. Researcher, RSA

In 2009, incident responder Mike Cloppert with the Lockheed Martin CERT, published a series of articles that discussed security intelligence and leveraging indicators. In this series, he introduced a concept known as the “attacker kill chain”.]]></description>
				<content:encoded><![CDATA[<p><em>By Alex Cox, Sr. Researcher, RSA</em></p>
<p>In 2009, incident responder Mike Cloppert of the Lockheed Martin CERT published a series of articles that discussed security intelligence and leveraging indicators. In this series, he introduced a concept known as the “attacker kill chain”.</p>
<p>This concept breaks attacker methodology into a series of sequential stages.</p>
<p><img src="http://blogs.sans.org/computer-forensics/files/2009/09/attack_progression_basic.png" alt="Attacker Kill Chain Progression" width="456" height="74" /></p>
<p>Each stage represents a focus on a particular aspect of an attack, both from an attacker perspective, as well as a defender perspective.</p>
<p>“We have found that the phases of an attack can be described by 6 sequential stages. Once again loosely borrowing vernacular, the phases of an operation can be described as a &#8220;kill chain.&#8221; The importance here is not that this is a linear flow &#8211; some phases may occur in parallel, and the order of earlier phases can be interchanged &#8211; but rather how far along an adversary has progressed in his or her attack, the corresponding damage, and investigation that must be performed.”</p>
<p><strong>Reconnaissance</strong></p>
<p>With the amount of publicly available information on the Internet, an attacker’s ability to perform target reconnaissance without being noticed is almost unlimited. Commonly used techniques include:</p>
<p>- Reading company websites for information on key initiatives and personnel<br />
- Reading industry whitepapers to identify projects and personnel associated with those projects.<br />
- Searching Google for email addresses, contact points and other bits of information.<br />
- Identifying social network participation of likely targets, often providing attack vectors through trusted friends and associates.</p>
<p>In the reconnaissance phase, the defender’s ability to take defensive action is limited, as attacker reconnaissance is often done in a covert and hard-to-detect manner.</p>
<p><strong>Weaponization and Delivery</strong></p>
<p>At this point, the attacker has established a target or collection of targets, and weaponizes an attack payload and delivers it to the target. Let’s use a spear-phishing attack as an example scenario.</p>
<p>In most APT-style spear-phishing attacks that RSA NetWitness has observed, a third-party document is used as the delivery method for a malware payload. Typically, it will be a trojaned PDF or Office document. While 100% detection of this phase is difficult, information sharing and intelligence gathering on previous attacks help to identify repeatable characteristics of attacker “playbooks”, which can help identify recycled exploit document filenames, shellcode, PDF structure, etc.</p>
<p>From an RSA NetWitness perspective, the platform looks at the documents from a higher level, by analyzing the sessions for threatening characteristics rather than for specific malware or exploit signatures.</p>
<p>Example 1: Jim in HR receives a PDF via an email link for a job applicant. As Jim downloads the PDF and it crosses from the Internet onto his workstation, the organization’s NetWitness NextGen platform:</p>
<p>1. Identifies that the file is forensically a PDF.<br />
2. Identifies that the PDF has a “Launch” action in it.<br />
3. Identifies that the PDF has embedded javascript.</p>
<p>While these three factors don’t mean that the file is absolutely malicious, they identify enough threatening characteristics to warrant a second look, and to pull it from the likely high volume of PDFs that appear on the network daily; thereby “removing the hay until only needles remain”.</p>
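<p>The three checks in Example 1 can be expressed directly as code. The scanner below is an added example and not RSA NetWitness code: it identifies a PDF by its magic bytes rather than its extension, then looks for a Launch action and for embedded JavaScript, and reports them as characteristics that warrant a second look, not as a malware verdict. The two PDF samples in the test are constructed.</p>

```python
"""PDF triage for the three characteristics in Example 1 (added example, not RSA code).

Each hit is a reason to pull the file aside for review; none of them alone
proves the file is malicious.
"""
import re

# PDF names may encode characters as #xx hex escapes (the spec allows /Laun#63h
# for /Launch), so names are normalised before matching.  Objects packed into
# compressed object streams are not visible to this byte-level scanner; that
# is a known limitation of the approach, not of the characteristics.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _normalise(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare like plain ones."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def is_pdf(data: bytes) -> bool:
    """Forensic identification: the %PDF- magic within the first 1024 bytes
    (readers tolerate leading junk), regardless of the file extension."""
    return b"%PDF-" in data[:1024]


def has_launch_action(data: bytes) -> bool:
    """True when an action dictionary of subtype Launch is present."""
    return re.search(rb"/S\s*/Launch\b", _normalise(data)) is not None


def has_javascript(data: bytes) -> bool:
    """True when a /JavaScript or /JS entry is present anywhere in the file."""
    return re.search(rb"/(JavaScript|JS)\b", _normalise(data)) is not None


def triage(data: bytes) -> dict:
    """Return the characteristics found; `review` is set when the file is a PDF
    showing any of the threatening traits, i.e. it warrants a second look."""
    pdf = is_pdf(data)
    launch = pdf and has_launch_action(data)
    js = pdf and has_javascript(data)
    return {"is_pdf": pdf, "launch": launch, "javascript": js,
            "review": pdf and (launch or js)}


# Constructed sample: a plain one-page PDF with no actions.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample carrying both traits the post names; the Launch
# subtype is partly hex-escaped to show why names are normalised.
SUSPECT_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R"
    b" /Names << /JavaScript 4 0 R >> >> endobj\n"
    b"3 0 obj << /Type /Action /S /Laun#63h /F (example.txt) >> endobj\n"
    b"4 0 obj << /Names [(init) 5 0 R] >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert(1);) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(label, triage(blob))
```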
<p><strong>Exploitation</strong></p>
<p>Diverging from Cloppert’s approach, this post treats immediate post-compromise activity as a secondary part of the exploitation event. During the exploitation phase of the attack, the host machine is compromised by the attacker and the delivery mechanism typically takes one of two actions:</p>
<p>- Install malware (a dropper) allowing attacker command execution.<br />
- Install malware (a downloader) and download additional malware from the Internet, allowing attacker command execution.</p>
<p>Once a foothold is established inside the network, the attacker will typically download additional tools, attempt privilege escalation, extract password hashes, etc.</p>
<p>At this point, defensive strategies have ultimately failed, and the attacker has control of a resource. We would typically move to a detective model here and focus on identifying second-stage malware and toolsets being downloaded to the compromised workstation post-exploitation:</p>
<p>- Forensically identify executable downloads, both un-obfuscated and obfuscated.</p>
<p>Obfuscation and encryption methods vary: custom algorithms in some cases, none at all in others. A few methods tend to be reused:</p>
<p>- Single-Byte XOR<br />
- Base64<br />
- Custom Base64</p>
<p><strong>Command and Control</strong></p>
<p>Once the attacker has successfully exploited and taken control of a workstation, he will usually install malware that has a command and control mechanism. This provides persistent connectivity for continued access to the environment, and also serves the attacker as a way to detect defender activity.</p>
<p><em>Command and control of a compromised resource is usually accomplished via a beacon over an allowed path out of the network.</em></p>
<p>Beacons take many forms, but in most cases they tend to be:</p>
<p>- HTTP or HTTPS-based<br />
- Made to look like benign traffic via falsified HTTP headers</p>
<p>In cases that use encrypted communication, beacons tend to use self-signed certificates or custom encryption over an allowed path (often TCP 443).</p>
<p>Strategies for detection at this stage tend to revolve around:</p>
<p>- Identifying the use of self-signed certificates during encrypted communication.<br />
- Identifying falsified HTTP headers via anomaly detection strategies.<br />
- Identifying recurring, consistent beacon activity to the same domain or IP address over time.<br />
- Identifying the use of non-standard or unapproved encryption over allowed paths.</p>
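<p>The third strategy above, recurring and consistent beacon activity to the same destination over time, can be checked with a small periodicity test over proxy logs. The script below is an added example, not RSA NetWitness code: it groups connections by source and destination and flags a pair when enough connections occur at gaps that are too regular. The log format, the log lines and the two thresholds (minimum event count, maximum coefficient of variation) are constructed assumptions to be tuned per environment.</p>

```python
"""Beacon candidate detection over proxy log lines (added example, not RSA code).

A pair (src, dst) is a beacon candidate when it shows at least MIN_EVENTS
connections and the gaps between them have a coefficient of variation
(stdev / mean) at or below MAX_CV.  Human browsing to a CDN is bursty and
irregular; a beacon is close to clockwork even with a little jitter.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_EVENTS = 6    # assumed threshold: fewer events give no usable statistics
MAX_CV = 0.15     # assumed threshold: 0 = perfectly regular

# Constructed log format: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
2012-08-16T09:00:00 10.1.1.5 updates.example.net 312
2012-08-16T09:00:03 10.1.1.5 cdn.example.org 51200
2012-08-16T09:05:01 10.1.1.5 updates.example.net 312
2012-08-16T09:10:00 10.1.1.5 updates.example.net 312
2012-08-16T09:11:40 10.1.1.5 cdn.example.org 80211
2012-08-16T09:14:59 10.1.1.5 updates.example.net 312
2012-08-16T09:20:01 10.1.1.5 updates.example.net 312
2012-08-16T09:25:00 10.1.1.5 updates.example.net 312
2012-08-16T09:30:00 10.1.1.5 updates.example.net 312
2012-08-16T09:31:15 10.1.1.5 cdn.example.org 4096
2012-08-16T09:52:07 10.1.1.5 cdn.example.org 12288
2012-08-16T10:07:30 10.1.1.5 cdn.example.org 9000
2012-08-16T10:10:02 10.1.1.5 cdn.example.org 7000
"""


def parse(log: str):
    """Group connection timestamps by (src_ip, dst_host)."""
    by_pair = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair


def interval_stats(times):
    """Return (mean_gap_seconds, coefficient_of_variation) for the gaps
    between consecutive connections."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(log: str, min_events: int = MIN_EVENTS, max_cv: float = MAX_CV):
    """Return [(src, dst, mean_gap_s, cv)] for pairs whose timing is too regular."""
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_events:
            continue
        m, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append((src, dst, round(m, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst} every ~{gap}s (cv={cv})")
```

The same statistic applies to destination IPs rather than hostnames, and a long baseline (days, not an hour) is what makes the cv threshold trustworthy in practice.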
<p>Keep in mind that immediate takedown of hosts that have identified beacon activity may clue attackers into defender activity (loss of a known beacon), causing them to switch to secondary (and potentially unknown) infrastructure. While incident response, as a program, is out of the scope of this whitepaper, this should be a consideration when faced with this type of discovery.</p>
<p><strong>Exfiltration</strong></p>
<p>The final phase of the kill chain is exfiltration. In this phase, the attacker has successfully entered the target network, taken control of a host and potentially:</p>
<p>- Downloaded and staged tools<br />
- Elevated privileges<br />
- Moved laterally onto other hosts<br />
- Located and packaged information</p>
<p>At this point, the final goal is to gather the packaged information and deliver it to a location under the attacker’s control. These locations are typically hacked hosts used as temporary holding areas for stolen data, or hosts that reside in an area under the attacker’s complete control (bulletproof hosting).</p>
<p>Exfiltration commonly takes the form of:</p>
<p>- Encrypted .rar or .zip files<br />
- FTP’d or uploaded to a controlled host</p>
<p>However, in the case of malware such as ZeuS, SpyEye, etc., exfiltration and C2 beacons often take place at the same time (the compromised host will export stolen data on a repeated schedule, basically an information stealing beacon).</p>
<p><em>Exfiltration marks the point that data loss has occurred. Detection at this phase leads to damage control activities for lost data, invoking an IR process, and a move backwards through the kill chain to establish root cause.</em></p>
<p>In the last post of the series, I will bring all the concepts together and highlight some tips you can use from an RSA NetWitness perspective.</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA&#8217;s Advanced Threat Intelligence Research group. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
<!-- Start Sociable --><div class="sociable"><div id="sociable-post-5811" style="display:none;"><div id="sociable"><div class="popup"><div class="content">
			</div>
		</div>
	</div>
  </div></div>]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/stalking-the-kill-chain-the-attackers-chain-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stalking the Kill Chain: Position Before Submission</title>
		<link>http://blogs.rsa.com/stalking-the-kill-chain-position-before-submission/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=stalking-the-kill-chain-position-before-submission</link>
		<comments>http://blogs.rsa.com/stalking-the-kill-chain-position-before-submission/#comments</comments>
		<pubDate>Tue, 10 Jul 2012 16:00:49 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cyberwarfare]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=5696</guid>
		<description><![CDATA[In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common theme among practitioners is the concept of “position before submission”. In other words, the fighter seeks to establish physical and positional dominance before ending the fight with an attack resulting in submission. Embracing the concept allows the fighter to increase his chances of winning the confrontation by making sure he is in control of the situation prior to attempting a fight-ending attack. BJJ’s philosophical approach has direct relevance to cyber security as the same approach can be taken to establish a more proactive defense based on threat intelligence and network-wide visibility.]]></description>
				<content:encoded><![CDATA[<p><em>By Alex Cox, Sr. Researcher, RSA Advanced Threat Intelligence Research Group<br />
</em></p>
<p>In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common theme among practitioners is the concept of “position before submission”. In other words, the fighter seeks to establish physical and positional dominance before ending the fight with an attack resulting in submission. Embracing the concept allows the fighter to increase his chances of winning the confrontation by making sure he is in control of the situation prior to attempting a fight-ending attack. BJJ’s philosophical approach has direct relevance to cyber security as the same approach can be taken to establish a more proactive defense based on threat intelligence and network-wide visibility. The notion of establishing an “active defense” can be approached using the following guiding principles:</p>
<p>- Know your enemy<br />
- Know your network<br />
- Know your people</p>
<p><strong>Know Your Enemy</strong><br />
Advanced Persistent Threat (APT) has been used over the past few years both as a descriptive term for a class of attacker and as an industry buzzword to describe the effectiveness of a particular product (“Our [insert device here] stops APTs!”). While the term is most commonly applied to nation-states, the idea of an “Advanced Threat” applies almost across the board in today’s threat landscape: nation-state attackers, cybercriminals, and hacktivists all use similar tactics to penetrate a target organization.</p>
<p><strong>Advanced</strong> – All modern threats use advanced, blended attacks. This may include targeting specific individuals or organizations with directed email attacks (spear phishing), hacking websites to serve malware from a “known good” or at least “not known bad” location, or using newly discovered zero-day attacks to increase the chances of successful exploitation. Once entrenched, the attacker may then use encryption or other obfuscation techniques to further mask their presence and intentions.</p>
<p><strong>Persistent</strong> – Threat actors understand that repeated and coordinated attacks are likely to achieve a penetration eventually. In the nation-state example, this may mean repeatedly attacking a “target list” with spear-phishing until someone “takes the bait”, but it can also mean watching for defender activity during a penetration operation and changing tactics as defenders respond, allowing a continuous presence in the network. On the cybercrime side, this extends to large-scale, persistent modification of infrastructure, malware and domain names to allow continued operation through the ebb and flow of defender activity.</p>
<p><strong>Threat</strong> – Ultimately, for an event to be considered a “threat” it must meet a set of criteria.</p>
<p><em>Intent + Opportunity + Capability = Threat</em></p>
<p>Lacking any one of these criteria negates the threat, for example:</p>
<p>Attacker A wants to attack organization B with a PDF-based spear-phishing attack against an HR manager. The attacker is using a known and reliable PDF exploit in Adobe Reader, has a “builder” that builds an attack PDF in a way that makes it undetectable by antivirus, and has the name of an HR manager that is responsible for hiring database developers. Organization B has a patching policy for Adobe Reader, and all organizational workstations are up to the current patch level.</p>
<p>In this scenario, the attacker has the intent to attack, the capability (his attack PDF) to compromise a workstation, and a target for the attack in the HR manager. He does not, however, have the opportunity, because the target workstation is patched and not vulnerable to his exploit. There is no threat, because the patched PDF reader removes the opportunity.</p>
<p>While real-life scenarios are seldom this simple, this example shows the kinds of things you want to know about how common attackers operate in order to defend your network intelligently.</p>
<p>- What are the common threat vectors (e.g., spear-phishing)?<br />
- What exploits are commonly used? (e.g., exploit kits target vulnerabilities A, B and C; spear-phishing attacks are often launched using PDF and Microsoft Office exploits)</p>
<p>Attacker groups, especially in the nation-state arena, commonly attack organizations by industry vertical. It is worth establishing relationships that can help you identify the tactics, techniques and procedures of groups targeting your vertical, including:</p>
<p>- Threat research groups and vendors<br />
- Threat teams from competitors (the enemy of my enemy is my friend)<br />
- Industry working groups – is there an ISAC that supports your vertical?</p>
<p><strong>Know Your Network</strong><br />
When an RSA NetWitness system engineer gets a new NetWitness deployment up and running at a customer location, a common reaction when network traffic is first observed is that the customer is overwhelmed by the volume of data now readily available for analysis. The complexities and idiosyncrasies of a large network are very hard for a human being to visualize without additional framing, and NetWitness NextGen typically becomes that frame for customers. This framing typically leads to a number of “I didn’t expect to see that; why is it there?” moments over the next few weeks as the customer becomes more intimately acquainted with their network.</p>
<p>The ability to pervasively know what your network looks like on a day-to-day basis is CRITICAL in helping to identify advanced attacks.</p>
<p>If you’ve ever known a hunter who hunts the same tract of land time and again, year after year, you will understand how this concept works. The hunter can typically look across a large field into a tree line, maybe even farther than he can really “see”, and pick out a deer at a glance. That same deer may be invisible to you and me at that distance; the hunter spots it because he is accustomed to his land, knows what it looks like on a “normal” day, and can quickly pick out the variance &#8211; the deer.</p>
<p>The network hunter is similar. If I know what my network looks like on a day-to-day basis, I can better pick out the anomalies. In NetWitness training courses, we modify the “needle in the haystack” analogy and refer to this concept as “removing hay until only needles remain”.</p>
<p>This information may include:</p>
<p>- How is my network laid out? What are my allowed paths out of the network?<br />
- Where are my likely weak points, either from a lack of visibility or business needs that require a more relaxed security posture?<br />
- Where is my data? If I have intellectual property, where is it stored and who has access to it?</p>
<p><strong>Know Your People</strong><br />
Ultimately, the success of a modern attack often depends on the activities of the carbon-based unit between the keyboard and the chair: the human being operating the computer and going about their daily business. While it is easy to get lost in technical minutiae, the human operator is decisively the weakest point and, as a result, the initial target of most attacks. The strategic objective may be financial data related to the person, information that the person has access to, or maybe even just a tactical compromise of the computer that belongs to the person.</p>
<p>With this in mind, it’s important to understand a few things about your environment.</p>
<p>- Who in your environment has “enhanced access”, be it to critical information or intellectual property, or critical systems or pivotal locations on the network?<br />
- Does your enterprise have a security policy that addresses common attack methodology? It could be as simple as an information security policy that is reviewed yearly, to as complex as common ideas on how to identify a spear-phishing attack. Policy is often looked at as a simple “box-check” for compliance reasons, but the ability to educate the end-user is one more layer in a defensive strategy.<br />
- Who are my likely targets? Do I have employees who are commonly in the press, speak at conferences, or have a job that routinely entails receiving “cold” electronic correspondence from third parties (e.g., HR, Marketing, Admin)? If I search for “@mycompany.com” on Google, whose email addresses show up? How about LinkedIn?<br />
- Am I continuously tracking employees who have been targeted or compromised in the past? Repeat attacks are common, and risky employee behavior is likely to recur.</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA’s Advanced Threat Intelligence Research group. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/stalking-the-kill-chain-position-before-submission/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
