Advanced Persistent Threats – the new normal?

By Gabor Szappanos, SophosLabs

In this article, we are going to rewind to the beginning of 2013, and look at the evolution of a specific subset of attacks from the Advanced Persistent Threat (APT) scene.

Rather than try to define “APT” in a way that might please everybody, we are focusing on a specific range of exploits that, back at the start of 2013, were seen almost exclusively in targeted attacks.

These targeted attacks, as far as we could tell, were most likely initiated for intelligence gathering purposes, presumably by hackers paid to conduct national or industrial espionage.

The attacks used exploits specifically targeting Microsoft Office and its related files (e.g. DOC, XLS and RTF), rather than the more widely known attacks against Flash, Adobe Reader, Java and so on.

We found some interesting malware along the way, giving us some insights into the group or groups who were using document-based exploits for intelligence-gathering attacks.

You can read about some of these malware variants in other Sophos Naked Security articles:

(Strictly speaking, the last example didn’t target Microsoft Word or Word files, but instead attacked the popular Japanese word processor Ichitaro. We have included it here out of interest.)

We were interested to know for how long the exploits we were tracking would continue being used, and how widely they would show up over time.

Would they die out as more people patched and the exploits became less effective, or would they carry on being used because they were still working?

Would the exploits stay inside the APT community, or would they spread to more traditional cybercrime gangs?

What we found was that, over the past year, exploits that were once narrowly used in apparent espionage or intelligence-collecting efforts began turning up regularly in broader attacks.

These attacks were mounted by cybercriminals focused on making money through bots and zombies.

So the answers to our questions are, “These exploits continue to be used and to be effective,” and, “These exploits have been adopted widely in the world of cybercrime.”

How we measured these threats

We tracked reports from about fifteen families of exploit detection identities in Sophos’s anti-virus engine.

→ In SophosLabs we use the word identity rather than the commonly-seen terms signature (or just sig) and pattern. The words “signature” and “pattern” are ambiguous because they are also widely used in threat detection circles to describe specific byte strings that are matched against individual malware samples. An identity, in contrast, is a compact recognition algorithm, fed as bytecode into Sophos’s anti-virus engine, that can deliver broad, proactive detection of threats based on their characteristics.

In the process we collected all the samples that used these document-based exploits, using three main sources:

  • Detection reports from users of Sophos products.
  • Google’s VirusTotal malware submission service.
  • Incoming collections from cooperating security organisations.

We then replicated these samples, analysed their system activity and the Windows malware they injected onto the attacked computer, and sorted the incidents into families.

At the beginning, only classic APT malware families showed up, but starting from March 2013, samples from money-stealing malware families began to make a sporadic apperance, most notably variants of Zbot (Zeus) and various examples of ransomware.

→ Zbot is a general-purpose bot, or zombie, with a primary focus on stealing online banking credentials, including usernames, passwords and the one-time access codes used in two-factor authentication. Ransomware is malware that freezes your computer, or, worse, scrambles your data, and offers to undo the damage on payment of a fee, typically $75-$300.

This infiltration of traditional cybercriminal gangs into what had originally seemed to be “APT territory” was a clear tendency that inspired this statement in our 2014 Security Threat Report:

While we can't quantify the increase, SophosLabs has been observing more persistent attacks that seem to be targeted at specific companies or institutions, including organisations not previously seen as prime targets.

Increasingly, these attacks appear to be aimed at compromising financial accounts, indicating the interest of traditional money-stealing cybercriminals in delivery methods previously used in advanced persistent threat (APT) attacks.

By the start of 2014 this trend had become even clearer, and we had enough data to quantify it.

What we found

In the data below, we have included only detection reports coming from the telemetry (remote reporting) features in Sophos’s own products.

NB. Sophos’s remote reporting is optional. We don’t collect data from your network unless you want us to. Reporting can be set independently for each device (e.g. laptop, desktop, server, gateway) if you wish to report in general but to restrict the data leaving critical parts of your network.

This made the overall numbers smaller, but was in our opinion more representative of the real-world situation.

Overall we had 34,248 reports over two months; these reports were for 4335 different sample hashes, denoting 4335 different exploited (booby-trapped) documents.

Looking at the unique samples, we found they belonged to 86 different malware families.

The most prevalent were:

This chart ignores how how widespread each sample was, because each family has the same weight.

Instead, it measures how actively the different families are being updated with new versions, thus providing an indication of how active each malware creator, or malware creation team, has been.

Most of the samples were either downloaders (usually downloading some Zbot variant) or droppers for Zbot Trojans; these are combined into the chart-topping Zbot entry above.

So far in 2014, we have seen a comparatively small amount of activity from traditional APT families such as Smoaler.

The exploits

These samples used a relatively small number of exploits.

Summarising the exploit usage in the reports, we see the following distribution:

In this case, we counted all the reports, rather than the unique samples, because that gives a better indication of the intensity with which each vulnerability was exploited.

The most prevalent exploit is clearly CVE-2012-0158.

But the chart was topped by an interesting combination where both CVE-2010-3333 and CVE-2012-0158 and were exploited within the same document; this method was predominantly used to distribute Zbot variants.

We can’t be certain, but this double-act suggests that the cybercriminals have found that even computers apparently patched up to a particular date (e.g. April 2012 for CVE-2012-0158) may still have missing patches from earlier on, making it worthwhile to combine an older exploit with a newer one.

Another interesting case, making up 1% of the reports, involved RTF files that deliberately avoided exploit shellcode.

Instead, they simply included an embedded .EXE (program) file that was a Zbot variant.

This works because RTF files can contain clickable programs, encoded and stored inside the RTF file, in a similar way that emails can contain inline images, clickable links or runnable attachments.

This sort of attack relies on social engineering to convince the user to double-click and launch the malware, presumably hoping that an executable file embedded inside a non-executable attachment will seem less suspicious to some users.

→ It shouldn’t be less suspicious, but it does have the visual effect of presenting the infected .EXE file inside Microsoft Word, rather than directly inside an email client, where history has taught users to be more suspicious of attachments.

Although low in prevalance, reports of this type of attack have only surfaced recently, turning up in sizeable numbers in our spamtraps.

This is rare for an APT-type attacks, which are usually tightly targeted, and therefore reach our general-purpose spamtraps much more sparingly.

We can expect this sort of infectious document to remain prevalent for the next few weeks or months.

In conclusion

The message is clear.

Exploited documents, once used almost exclusively from players in the APT scene, are now used routinely in the sort of malware that is distributed widely by money-seeking cybercriminals.

This means that a much larger user population is now being targeted and infected by the set of exploits listed above.

When a small number of people end up infected by a narrowly-focused attack mounted by artisan operatives in an intelligence service, that damages our economy.

When a large number of people end up infected by industrial-scale plunderers from the cyberunderworld, that damages our economy even more heavily.

Sadly, these two sorts of digital criminality are no longer as compartmentalised as they used to be.

What to do?

Even though the “A” in APT stands for Advanced, 91% of the boody-trapped documents in our reports from January and February 2014 would have been rendered harmless by just two Microsoft patches, issued two and four years ago.

And even though APTs are often seen as a special subset of the malware threat that can be dealt with separately, a protective split of that sort doesn’t serve much purpose, considering how much overlap there is between espionage-based and money-motivated malware.

So, here are three tips that can help you boost your resilience to all types of malware attack:

Look for an anti-virus that includes a HIPS detection component that can spot exploits before they trigger, as well as blocking the malware that those exploits might implant.
Turn on any Advanced Threat Protection features in your gateway product for an extra layer of defence, so you can detect malware that may have evaded other precautions, and prevent it communicating with attackers on the outside.
Use patch assessment tools to make sure you aren’t missing updates that you thought were protecting you. Don’t let down your recent efforts at patching with one missed patch from years ago.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s