Where are all the ‘A’s in APT?

Posted by    on   Sep 20, 2018

In a guest blog post by VB2018 gold partner Kaspersky Lab, Costin Raiu, Director of the company's Global Research and Analysis Team, looks critically at the 'A' in APT.


A little bit of history

In 1994, when I started working in the AV 'industry', I remember the excitement of finding and taking apart a sophisticated polymorphic virus. Although the vast majority of samples we received were pretty unsophisticated, every now and then we would either find, or read about something really complicated. One such piece of malware was Zhengxi, and my colleague, Adrian Marinescu, and I spent many hours taking it apart and thinking about how to write a proper detection mechanism. Time passed and the definition of sophisticated changed. Polymorphism became less common and was replaced with packers and cryptors. Self-spreading network malware became popular during the early 2000s, building on top of Windows-related exploits, shaking the world to its core foundations. Names like CodeRed, Nimda and Slammer kept many of us up at night during those days.

Again, time passed, and sophisticated malware once again took on another definition. The publishing of Operation Aurora, disclosed in January 2010, was a turning point in history – for me, it was obvious that something new had taken over the role of 'sophisticated' malware. However, it wasn't until June 2010, when the world learned about Stuxnet, that it became clear that in the future, sophisticated malware would come not from computer enthusiasts, cybercriminals or hacktivists, but from nation states.

Over the following years, more and more sophisticated malware was discovered – utilizing either zero-days, undocumented functions to bypass protection, or very clever persistence mechanisms. As complex malware – or 'malware platforms' – were discovered and detected by anti-virus products, the attackers adapted and even more sophisticated threats were found.

From the moment the term 'APT' ('advanced persistent threat') was coined in our industry, some people objected that the vast majority of such attacks were neither advanced nor persistent. In some cases, APTs are just insistent to the level of annoyance.

In our opinion, this is what makes a piece of malware or an attack 'advanced':

  • The use of a zero-day exploit – Sofacy (a.k.a. Fancy Bear, APT 28) is probably a champion here when it comes to the number of discovered zero-days.
  • The use of a highly complex, modular platform to carry out various functions (good examples include Regin and ProjectSauron).
  • The use of sophisticated techniques for infection, persistence or exfiltration – for instance, RedOctober used a very clever persistence mechanism in the form of an Office and Adobe Reader plug-in which has the ability to execute code hidden in specially constructed documents; this also includes various bootkit techniques.
  • Slow replication coupled with network-level persistence, an example being Duqu2.
  • Attack on hardware features – such as Equation Group's HDD firmware flasher module.
  • Infection of the BIOS for surviving OS reinstallations – as demonstrated by HackingTeam's UEFI malware dropper.
  • Destructive attacks against hardware – the Stuxnet payload is an example, but also BlackEnergy attacks in which UPS firmware was overwritten with trash.
  • Infection of pro-level network hardware such as core routers – SYNful Knock being a good example.
  • Supply chain attacks – such as Shadowpad and the CCleaner compromise, both launched by the same APT group.
  • The development of multi-platform malware – for instance WildNeutron using malware for Windows, MacOS X and Linux.
  • World-class crypto attacks – as seen in Flame.


The current status of 'sophisticated'

In the last few years, the number of what we consider truly 'sophisticated' and interesting new discoveries appears somehow to have decreased. We do see zero-days used in APT attacks, but this has become pretty much the norm. Sophisticated persistence mechanisms have also become more and more common, ranging from fileless PowerShell-based malware that fires from WMI, to malware operating as LSA plug-ins, browser or Microsoft Exchange extensions. The novelty factor seems to have disappeared for some of these new discoveries.

Of course, this leads to the question: is this really all there is, or is what we are seeing just the tip of the iceberg?

Let's take, for instance, mobile malware. Although mobile malware was expected to become a big problem back in the early 2000s, things are still not as bad as predicted. It is quite rare for a security researcher to spot something like the Pegasus framework. While most Android malware gets installed through social engineering or malicious application updates, it is rare to see mobile device infection through zero-days. Similarly, for iOS-based devices, it is quite rare to see 'sophisticated' malware – which is perhaps why some actors rely on malicious MDM attacks.

Another good example is router malware. Although the Internet is crawling with Mirai variants, sophisticated router malware that leverages exploits or attacks non-Linux-based operating systems such as Cisco IOS is rare. VPNFilter is a significant discovery, but one might wonder whether it is the only router malware currently being used by sophisticated threat actors in 'big' attacks.

To answer the previously formulated question, I believe the most likely scenario is that we are indeed only seeing the tip of the iceberg, and there is probably a lot going on that security companies do not find or report on.


So what is missing?

Looking at the discussions and development of sophisticated attack techniques, there is a significant difference between the theory and in-the-wild observations. So what is missing? Here's a list of possible culprits:

  • Virtualization / hypervisor malware – although the infamous Blue Pill was discussed as far back as 2006, we haven't seen any in-the-wild (ItW) attacks leveraging this.
  • SMM malware – although Dmytro Oleksiuk, a.k.a. Cr4sh, developed an SMM backdoor as far back as 2015, this is something yet to be seen in real-world attacks.
  • UEFI malware – the hacking of HackingTeam revealed that a UEFI persistence module has been available since at least 2014, but we have yet to observe real-world UEFI malware.
  • Hardware implants – although Joe Fitzpatrick and others have covered this subject in great detail, the number of real-world cases where hardware implants have been found is extremely low.
  • Malware abusing or hiding in secure enclaves (SGX).
  • Malware for Intel ME.

Take, for instance, SMM malware. As mentioned above, proofs of concept have existed as far back as 2015, however, such malware hasn't been observed in the wild. The reason is probably the fact that no anti-virus program running even in ring 0 can easily access the SMM memory. This security feature being part of the CPU and OS design effectively prevents anti-viruses from catching any malicious activity occurring in there.

Recently, I had a chat with my friend Ryan Naraine about sophisticated malware and why modern AV products are unable to find them. Ryan asked me: 'if it's technically impossible to find such malware, what do you do?'. I think the answer lies in the weakest link – exfiltration. At some point, all malicious programs need to connect to a C&C server to receive instructions. Although we have seen offline C&C mechanisms, for instance in the Fanny worm, this is rather slow and not always reliable. The moment the invisible malware tries to connect to the C&C, it can be caught. As former head of the NSA's TAO Rob Joyce once said, an out-of-band network tap and a diligent sysadmin who watches the logs can be a nightmare for even the most sophisticated attacker.



Latest posts:

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.