Where are all the ‘A’s in APT?

Posted on Sep 20, 2018

In a guest blog post by VB2018 gold partner Kaspersky Lab, Costin Raiu, Director of the company's Global Research and Analysis Team, looks critically at the 'A' in APT.


A little bit of history

In 1994, when I started working in the AV 'industry', I remember the excitement of finding and taking apart a sophisticated polymorphic virus. Although the vast majority of samples we received were pretty unsophisticated, every now and then we would either find, or read about something really complicated. One such piece of malware was Zhengxi, and my colleague, Adrian Marinescu, and I spent many hours taking it apart and thinking about how to write a proper detection mechanism. Time passed and the definition of sophisticated changed. Polymorphism became less common and was replaced with packers and cryptors. Self-spreading network malware became popular during the early 2000s, building on top of Windows-related exploits, shaking the world to its core foundations. Names like CodeRed, Nimda and Slammer kept many of us up at night during those days.

Again, time passed, and sophisticated malware once again took on another definition. The disclosure of Operation Aurora in January 2010 was a turning point: for me, it was obvious that something new had taken over the role of 'sophisticated' malware. However, it wasn't until June 2010, when the world learned about Stuxnet, that it became clear that in the future sophisticated malware would come not from computer enthusiasts, cybercriminals or hacktivists, but from nation states.

Over the following years, more and more sophisticated malware was discovered – utilizing either zero-days, undocumented functions to bypass protection, or very clever persistence mechanisms. As complex malware – or 'malware platforms' – were discovered and detected by anti-virus products, the attackers adapted and even more sophisticated threats were found.

From the moment the term 'APT' ('advanced persistent threat') was coined in our industry, some people objected that the vast majority of such attacks were neither advanced nor persistent. In some cases, APTs are just insistent to the level of annoyance.

In our opinion, this is what makes a piece of malware or an attack 'advanced':

  • The use of a zero-day exploit – Sofacy (a.k.a. Fancy Bear, APT 28) is probably a champion here when it comes to the number of discovered zero-days.
  • The use of a highly complex, modular platform to carry out various functions (good examples include Regin and ProjectSauron).
  • The use of sophisticated techniques for infection, persistence or exfiltration – for instance, RedOctober used a very clever persistence mechanism in the form of an Office and Adobe Reader plug-in which has the ability to execute code hidden in specially constructed documents; this also includes various bootkit techniques.
  • Slow replication coupled with network-level persistence, an example being Duqu 2.0.
  • Attack on hardware features – such as Equation Group's HDD firmware flasher module.
  • Infection of the BIOS for surviving OS reinstallations – as demonstrated by HackingTeam's UEFI malware dropper.
  • Destructive attacks against hardware – the Stuxnet payload is an example, but also BlackEnergy attacks in which UPS firmware was overwritten with trash.
  • Infection of pro-level network hardware such as core routers – SYNful Knock being a good example.
  • Supply chain attacks – such as Shadowpad and the CCleaner compromise, both launched by the same APT group.
  • The development of multi-platform malware – for instance WildNeutron using malware for Windows, Mac OS X and Linux.
  • World-class cryptanalytic attacks – as seen in Flame, which used an MD5 chosen-prefix collision to obtain a forged Microsoft code-signing certificate.


The current status of 'sophisticated'

In the last few years, the number of what we consider truly 'sophisticated' and interesting new discoveries appears to have decreased. We do see zero-days used in APT attacks, but this has become pretty much the norm. Sophisticated persistence mechanisms have also become more and more common, ranging from fileless PowerShell-based malware launched from WMI event subscriptions, to malware running as LSA plug-ins or as browser or Microsoft Exchange extensions. The novelty factor seems to have disappeared for some of these new discoveries.

Of course, this leads to the question: is this really all there is, or is what we are seeing just the tip of the iceberg?

Let's take, for instance, mobile malware. Although mobile malware was expected to become a big problem back in the early 2000s, things are still not as bad as predicted. It is quite rare for a security researcher to spot something like the Pegasus framework. While most Android malware gets installed through social engineering or malicious application updates, it is rare to see mobile device infection through zero-days. Similarly, for iOS-based devices, it is quite rare to see 'sophisticated' malware – which is perhaps why some actors rely on malicious MDM attacks.

Another good example is router malware. Although the Internet is crawling with Mirai variants, sophisticated router malware that leverages exploits or attacks non-Linux-based operating systems such as Cisco IOS is rare. VPNFilter is a significant discovery, but one might wonder whether it is the only router malware currently being used by sophisticated threat actors in 'big' attacks.

To answer the previously formulated question, I believe the most likely scenario is that we are indeed only seeing the tip of the iceberg, and there is probably a lot going on that security companies do not find or report on.


So what is missing?

Looking at the discussions and development of sophisticated attack techniques, there is a significant difference between the theory and in-the-wild observations. So what is missing? Here's a list of possible culprits:

  • Virtualization / hypervisor malware – although the infamous Blue Pill was discussed as far back as 2006, we haven't seen any in-the-wild (ItW) attacks leveraging this.
  • SMM malware – although Dmytro Oleksiuk, a.k.a. Cr4sh, developed an SMM backdoor as far back as 2015, this is something yet to be seen in real-world attacks.
  • UEFI malware – the hacking of HackingTeam revealed that a UEFI persistence module has been available since at least 2014, but we have yet to observe real-world UEFI malware.
  • Hardware implants – although Joe FitzPatrick and others have covered this subject in great detail, the number of real-world cases where hardware implants have been found is extremely low.
  • Malware abusing or hiding in secure enclaves (SGX).
  • Malware running on the Intel Management Engine (ME).

Take, for instance, SMM malware. As mentioned above, proofs of concept have existed since 2015, yet such malware hasn't been observed in the wild. The likely reason is that no anti-virus program, even one running in ring 0, can easily access SMM memory: SMRAM is locked by the chipset early in boot, and the CPU only enters System Management Mode in response to an SMI, so the operating system and everything running under it are blind to what executes there. This is a security feature of the platform design, and it effectively prevents anti-virus products from catching any malicious activity occurring in SMM.

Recently, I had a chat with my friend Ryan Naraine about sophisticated malware and why modern AV products are unable to find it. Ryan asked me: 'If it's technically impossible to find such malware, what do you do?' I think the answer lies in the weakest link – exfiltration. At some point, all malicious programs need to connect to a C&C server to receive instructions. Although we have seen offline C&C mechanisms, for instance in the Fanny worm, this is rather slow and not always reliable. The moment the invisible malware tries to connect to the C&C, it can be caught. As Rob Joyce, former head of the NSA's TAO, once said, an out-of-band network tap and a diligent sysadmin who watches the logs can be a nightmare for even the most sophisticated attacker.
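The tap-and-diligent-sysadmin defence the post ends on comes down, in its simplest form, to a periodicity check on connection logs: malware that cannot be seen on the host still has to call home, and it usually does so on a timer. What follows is an added example, not code from the post or from Kaspersky Lab. It assumes a connection log in a constructed five-field layout (timestamp, source, destination, destination port, bytes), which is not any particular tap's format; the sample lines, the hosts and the addresses are all made up for the example, and the thresholds are illustrative. For each (source, destination) pair it measures how regular the gaps between connections are and how many internal hosts talk to that destination, and flags pairs that are both regular and rare. A shared server (updates, NTP) is also contacted regularly, so the rarity check is what keeps it from being reported.

```python
"""Beacon detection over a connection log (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample log, one connection per line:
# "YYYY-mm-ddTHH:MM:SS src dst dport bytes". Addresses are TEST-NET ranges.
# 10.1.1.7 -> 198.51.100.9 is the planted beacon (every ~300 s, one host only);
# 10.1.1.30 -> 203.0.113.20 is just as regular but the destination is shared.
SAMPLE_LOG = """\
2018-09-20T09:00:00 10.1.1.7 198.51.100.9 443 612
2018-09-20T09:00:07 10.1.1.12 203.0.113.20 443 2310
2018-09-20T09:00:30 10.1.1.30 203.0.113.20 443 1480
2018-09-20T09:01:13 10.1.1.12 203.0.113.55 443 9800
2018-09-20T09:02:40 10.1.1.12 203.0.113.55 443 1200
2018-09-20T09:05:00 10.1.1.7 198.51.100.9 443 598
2018-09-20T09:09:58 10.1.1.7 198.51.100.9 443 605
2018-09-20T09:10:30 10.1.1.30 203.0.113.20 443 1502
2018-09-20T09:12:44 10.1.1.7 203.0.113.20 443 77000
2018-09-20T09:15:00 10.1.1.7 198.51.100.9 443 611
2018-09-20T09:17:05 10.1.1.12 203.0.113.55 443 450
2018-09-20T09:18:00 10.1.1.12 203.0.113.55 443 33100
2018-09-20T09:20:00 10.1.1.7 198.51.100.9 443 602
2018-09-20T09:20:30 10.1.1.30 203.0.113.20 443 1497
2018-09-20T09:25:01 10.1.1.7 198.51.100.9 443 608
2018-09-20T09:30:00 10.1.1.7 198.51.100.9 443 594
2018-09-20T09:30:30 10.1.1.30 203.0.113.20 443 1511
2018-09-20T09:35:00 10.1.1.7 198.51.100.9 443 603
2018-09-20T09:40:30 10.1.1.30 203.0.113.20 443 1490
2018-09-20T09:44:22 10.1.1.12 203.0.113.55 443 870
2018-09-20T09:45:09 10.1.1.12 203.0.113.55 443 12040
2018-09-20T09:50:30 10.1.1.30 203.0.113.20 443 1505
"""


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed tap format above; blank or malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return conns


def find_beacons(conns: List[Conn], min_connections: int = 6,
                 max_cv: float = 0.15, max_src_hosts: int = 2) -> List[dict]:
    """Return (src, dst) pairs whose timing looks like a beacon.

    A pair is flagged when it has at least min_connections connections, the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    connections is at most max_cv, and no more than max_src_hosts internal
    hosts talk to that destination. Thresholds are illustrative assumptions.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    srcs_per_dst: Dict[str, Set[str]] = defaultdict(set)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c.ts)
        srcs_per_dst[c.dst].add(c.src)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections or len(srcs_per_dst[dst]) > max_src_hosts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all connections share one timestamp; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 4)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}, {hit['count']} "
              f"connections every ~{hit['mean_interval_s']}s (cv={hit['cv']})")
```

Run as-is, it reports only 10.1.1.7 -> 198.51.100.9. Raising `max_src_hosts` to 3 also surfaces the perfectly regular 10.1.1.30 -> 203.0.113.20 traffic, which is the kind of update-server noise a real deployment has to allowlist. Real beacons add jitter and sleep for hours or days rather than minutes, so in practice the window has to cover days of logs and `max_cv` has to be tuned against the site's own baseline; the structure of the check stays the same.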


