By Alex Cox, Senior Researcher, RSA FirstWatch team

Today, Norman and Shadowserver released a paper that revealed a large attack infrastructure, detailing an ongoing campaign running as far back as September 2010. This campaign, reportedly run out of India, used spear-phishing attacks and multiple strains of malware to breach targets of interest and extract data. The details of this case can be researched in the following paper: http://blogs.norman.com/2013/security-research/the-hangover-report

Due to our industry ties, the RSA FirstWatch team was able to obtain an advance copy of the paper, and in doing so we were able to collect over 700 of the malware samples referenced in the report for analysis. This analysis, focused almost exclusively on network behavior, allowed us to detail effective ways of detecting this malware on the network in real time. As a general rule, the RSA Security Analytics / RSA NetWitness approach to network analysis for these types of threats has always been a three-part process, circular in nature:
Detection of Identifying User-Agents

In many APT malware cases, a non-standard user-agent is observed as part of the command and control communication sequence, and this case is no different. There are several case-related user-agent strings detailed in the paper:

EMSCBVDFRT

Additionally, the following user-agent strings are also present:

wininetget/0.1

When these user-agent strings are turned into a Security Analytics application rule, they look like the rule below and allow a quick pivot on Hangover-related malware traffic:

Client = emscbvdfrt,emsfrtcbvd,fmbvdfresct,dsmbvctfre,

This particular pivot, in which we identify meta elements that we don’t expect to exist in our environment, is a very common way of detecting both malware and unwanted applications on the network.

Identifying Information in Query Parameters

While not as clear-cut as identification of unique user-agents, many malware samples, especially Remote Access Trojans (RATs) used by APT attackers, commonly transmit identifying information as part of command and control check-in traffic. In this case, we see similar behavior in which the computer name of the analysis environment, “RemotePC”, as well as the logged-in user, “admin”, are identified in plaintext during the C2 check-in of many of the identified samples.

Identifying C2 domains

Lastly, by establishing domain intelligence using malware analysis and existing known compromises, plus online research, passive DNS and other methods, we are able to build a large feed of domains which identify suspect traffic. In this case, RSA FirstWatch added specific domain intelligence related to the Hangover intrusion set on 4/30/13.
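To show the three detection methods above in working form, here is an added Python example (written for this page; it is not RSA, Norman or Shadowserver code) that runs the user-agent, query-parameter and domain-feed checks over a few constructed proxy log lines. The user-agent indicators are the strings quoted in the post; the feed domains are placeholders (the post does not list them), the feed descriptions reuse the labels from the post's custom drill, the asset inventory mapping client IPs to host and user names is constructed, and query parameter names such as cn and un are hypothetical. The query-parameter check generalizes the post's observation: rather than looking for RemotePC/admin literally, it flags any request whose parameters carry the requesting machine's own hostname or logged-in username.

```python
"""Detect Hangover-style C2 check-ins in HTTP proxy logs using the three
methods described in the post: identifying user-agents, host/user names
leaking in query parameters, and hits against a C2 domain feed.

Example code added for illustration; not RSA, Norman or Shadowserver code.
"""
from urllib.parse import urlsplit, parse_qsl

# User-agent indicators quoted in the post. Matched case-insensitively,
# the same way the Security Analytics "Client = ..." rule lowercases them.
UA_INDICATORS = {
    "emscbvdfrt", "emsfrtcbvd", "fmbvdfresct", "dsmbvctfre",
    "wininetget/0.1",
}

# Constructed domain feed. The domain names are placeholders (the post does
# not publish them); category/description labels mirror the post's drill.
DOMAIN_FEED = {
    "c2-placeholder-1.invalid": ("research", "apt-domain-a-hanove"),
    "c2-placeholder-2.invalid": ("research", "apt-domain-a-smackdown"),
}

# Constructed asset inventory: client IP -> (hostname, logged-in user).
# In production this comes from AD/CMDB; the first entry reuses the
# analysis-box names from the post.
ASSETS = {
    "10.0.0.5": ("RemotePC", "admin"),
    "10.0.0.9": ("FINANCE-WS07", "jsmith"),
}


def parse_log_line(line):
    """Parse a tab-separated proxy log line: ts, src_ip, method, url, user_agent."""
    ts, src_ip, method, url, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "src_ip": src_ip, "method": method, "url": url, "ua": ua}


def feed_match(host):
    """Return (feed_domain, entry) if host or any parent domain is in the feed."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_FEED:
            return candidate, DOMAIN_FEED[candidate]
    return None


def analyze(record):
    """Run all three checks on one request; return a list of (method, detail)."""
    findings = []
    parts = urlsplit(record["url"])
    host = parts.hostname or ""

    # 1. Identifying user-agent (meta we never expect to see in our environment)
    if record["ua"].lower() in UA_INDICATORS:
        findings.append(("user-agent", record["ua"]))

    # 2. The requesting machine's own hostname/username in plaintext query params.
    #    Hostname is matched as a substring (check-ins often concatenate it);
    #    username requires an exact value match to limit false positives.
    hostname, user = ASSETS.get(record["src_ip"], (None, None))
    for key, value in parse_qsl(parts.query):
        low = value.lower()
        if hostname and hostname.lower() in low:
            findings.append(("query-param", f"{key}={value} carries hostname {hostname}"))
        elif user and low == user.lower():
            findings.append(("query-param", f"{key}={value} carries username {user}"))

    # 3. Destination host against the C2 domain feed
    hit = feed_match(host)
    if hit:
        domain, (category, desc) = hit
        findings.append(("domain-feed", f"{domain} {category}/{desc}"))
    return findings


def scan(lines):
    """Apply analyze() to every log line; return (ts, src_ip, method, detail) alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_log_line(line)
        for method, detail in analyze(rec):
            alerts.append((rec["ts"], rec["src_ip"], method, detail))
    return alerts


# Constructed sample proxy log (tab-separated). Parameter names "cn"/"un"
# are hypothetical; the post does not give the real check-in format.
SAMPLE_LOG = [
    "2013-05-01T10:00:01Z\t10.0.0.5\tGET\thttp://c2-placeholder-1.invalid/chk.php?cn=RemotePC&un=admin\tEMSCBVDFRT",
    "2013-05-01T10:00:05Z\t10.0.0.9\tGET\thttp://www.example.com/index.html\tMozilla/5.0 (Windows NT 6.1)",
    "2013-05-01T10:01:12Z\t10.0.0.9\tPOST\thttp://upload.c2-placeholder-2.invalid/up.php?id=42\twininetget/0.1",
    "2013-05-01T10:02:30Z\t10.0.0.5\tGET\thttp://cdn.example.net/lib.js?v=3.2.1\tMozilla/5.0 (Windows NT 6.1)",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

The first sample line fires on all three methods at once, the third on user-agent plus feed (the feed check also matches subdomains of a listed domain), and the two benign lines produce nothing. In a deployment the ASSETS dict is replaced by an inventory lookup and DOMAIN_FEED by the analyst-maintained feed that the drill in the post queries.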
Historic hits to these domains can be located with the following custom drill:

threat.category = research && threat.desc = apt-domain-a-cow_star, apt-domain-a-hanove, apt-domain-a-trojan.apt.snowtime, apt-domain-a-backdoor.apt.anke, apt-domain-a-backdoor.apt.vbupload, apt-domain-a-dragoneyemini_smackdown, apt-domain-a-smackdown, apt-domain-a-hanove2, apt-domain-a-appinbot, apt-domain-a-hanovelarge

These three detection methodologies can be applied to this and future incidents for proactive detection of advanced threats. Special thanks to the researchers at FireEye and Dell SecureWorks for their assistance in malware analysis and classification tasks.

Happy Hunting!

Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with the RSA FirstWatch team, responsible for advanced threat intelligence research. Alex has worked more than a decade in IT, with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.
