For Attackers, It's a Game of Hide-and-Seek
February 15, 2013
Once the attacker’s tool is inside the network, the attacker must not waste his opportunity. The malware is now the attacker’s eyes and ears inside enemy territory. The attacker must establish a means of communication with the malware in order to give commands, and the malware must be able to send back useful information about the network. On top of this, the attacker must be careful to make sure these activities cannot be detected.
Command and Control Communications
Typically, once the initial malware has been executed, it will download other files that have more of the functionality that the attacker needs to conduct next steps. The downloaded malware in most cases will be a remote access tool (RAT) or Trojan. The RAT is ideal because it gives the attacker the level of control needed to proceed.
RATs like gh0st or Poison Ivy communicate with a remote command and control server to send information and receive further instructions. However, doing so can leave traces, and intrusion detection systems might flag the attacker’s traffic if it is too noisy or easily identifiable. We have observed attackers utilize stealth and obfuscation techniques to adapt and respond to this.
For instance, LURID, Luckycat and IXESHE all used the HTTP protocol when phoning home to the C&C. Because it does not travel over unusual ports, the malicious HTTP traffic is likely to get lost in the sea of normal Internet traffic. IXESHE, in particular, made use of encrypted Base64 blobs, so even if the HTTP traffic is identified, it will be of little use to IT admins unaware of the format the attacker uses. In other cases, malware uses webmail accounts because these sessions are protected by SSL encryption.
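The following Python example, added here and not part of the original article, shows how a defender might surface this pattern in proxy logs: it flags client/host pairs that repeatedly send Base64 query values whose decoded bytes are mostly non-printable. The log format, hostnames, thresholds and the use of the standard Base64 alphabet are assumptions, and the log lines are constructed.

```python
import base64, binascii, hashlib, re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumption: standard Base64 alphabet, values of at least 40 characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

def looks_encrypted(value, max_printable=0.7):
    """True if value is Base64 whose decoded bytes are mostly non-printable."""
    if not B64_RE.match(value) or len(value) % 4:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    printable = sum(32 <= b < 127 for b in raw)
    return printable / len(raw) < max_printable

def opaque_beacons(log_lines, min_hits=3):
    """Map (client, host) -> request count, for pairs that repeatedly send opaque blobs."""
    hits = defaultdict(int)
    for line in log_lines:
        client, _method, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        # Unquote without turning '+' into a space, since '+' is a Base64 character.
        values = (unquote(p.partition("=")[2]) for p in parts.query.split("&"))
        if any(looks_encrypted(v) for v in values):
            hits[(client, parts.hostname)] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}

def sample_blob(seed):
    # Constructed stand-in for an encrypted payload: 48 hash bytes, Base64-encoded.
    return base64.b64encode(hashlib.sha384(seed.encode()).digest()).decode()

# Readable JSON that merely happens to be Base64-encoded; must not be flagged.
TEXT_TOKEN = base64.b64encode(b'{"user":"alice","page":"home","lang":"en"}').decode()

# Constructed proxy log lines in an assumed "client method url" format.
SAMPLE_LOG = [
    "10.0.0.5 GET http://intranet.example/search?q=quarterly+report",
    f"10.0.0.5 GET http://portal.example/app?state={TEXT_TOKEN}",
    *[f"10.0.0.9 GET http://news.example/a.jsp?id={sample_blob(f'beacon-{i}')}" for i in range(4)],
    f"10.0.0.7 GET http://cdn.example/t.gif?c={sample_blob('one-off')}",
]

if __name__ == "__main__":
    for (client, host), n in opaque_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} requests carrying opaque Base64 values")
```

Session identifiers and hashes can also decode to non-printable bytes, so the per-pair repeat count and an allow-list of known applications are what keep the output reviewable.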
As to the remote C&C servers themselves, our researchers have seen attacks use a number of techniques to either ensure redundancy or make their campaigns difficult to track. For instance, our researchers noted that LURID used a diverse set of sub-domains that resolve to 10 IP addresses across 3 different IP address ranges and 2 different ISPs. Meanwhile, Luckycat used a mix of domains in free webhosting providers and virtual private servers, and IXESHE actually used compromised computers inside the network so that very little traffic gets outside.
The threat actor moves deeper into the network by issuing shell commands to the RAT or some other attack tool. To do this, the threat actor needs to gain higher privileges that will enable him to maneuver throughout the network and access information-rich resources like a mail server or a database server. Techniques like “pass the hash” and brute force attacks are sometimes used for this purpose.
The campaign simply progresses as more and more information is extracted and used to either get deeper into the network or accomplish the attacker’s overall goal.
| | LURID | Luckycat | IXESHE |
|---|---|---|---|
| | Used a diverse set of sub-domains | Used free webhosting services and virtual private servers | Used compromised machines and proxy server |
| Second stage malware | MECIV, OTORUN, etc. | WIMMIE variants (TROJ_WIMMIE or VBS_WIMMIE) | |
| | HTTP protocol; malware requests specific URL paths | HTTP protocol; compromised computer posts data to a PHP script on server; created files contain commands | Used Base64 blobs to send info; malware waits for commands |
Importance of External and Local Threat Intelligence
In Trends in Targeted Attacks, Villeneuve emphasizes the need for enterprises to develop threat intelligence. This intelligence should be derived both from external reports, such as those written by security experts like Trend Micro research, and, more importantly, from local observation of an enterprise’s unique circumstances. Threat visibility becomes highly important, and enterprises must endeavor to combine an intimate knowledge of the specific network, specialized detection technology and empowered human analysts to combat these kinds of threats.