The Trend Micro Security Intelligence Blog has an interesting article on how hackers are using legitimate tools as part of APT attacks.
In our 2013 predictions, we noted how malware would only gradually evolve without much in the way of significant change. This can be seen in the use of some (otherwise legitimate) hacking tools in APT attacks.
How is this a problem? Hacking tools are grayware which are not always detected by anti-malware products or at least ethico-legal issues are keeping them from doing so. Unfortunately, this means less visibility in APT forensic investigations. In addition, it also saves attackers the trouble of writing their own tools. Some of the common hacking tools we see are:
- Password recovery tools – tools for extracting passwords or password hashes stored by applications or the operating system in the local drive or in registry entries. These are typically used to clone or impersonate user accounts for obtaining administrator rights. Pass the hash technique is one common method for attackers to gain administrator rights via stolen password hashes.
- User account clone tools – used to clone a user account once password has been obtained by the attacker. Upon acquiring enough privileges, the attacker can then execute malicious intent while bypassing the system’s security measures.
- File manipulation tools – tools for manipulating files such as copying, deleting, modifying timestamps, and searching for specific files. It is used for adjusting timestamps of accessed files or for deleting components to cover tracks of compromise. It can also be used for searching key documents for extraction where the attacker can search for files with specific file extensions.
- Scheduled job tools – software for disabling or creating scheduled tasks. This can help the attacker to lower the security of the infected system by disabling scheduled tasks for software updates. Likewise, it can also be used maliciously. For instance, the attackers can create a scheduled task that will allow them to automatically steal files within a certain timeframe.
- FTP tools – tools that aid in FTP transactions like uploading files to a specific FTP site. Since FTP transactions would look less suspicious in the network, some APT threat actors prefer to upload stolen data to a remote FTP site instead of uploading them to the actual C&C server. It should be noted that there are several legitimate FTP applications, which may also be utilized by cybercriminals.
- Data compression tools – these tools are neither malicious nor considered as hacking tools. In most cases, these are legitimate file compression tools, such as WinRAR, being utilized by attackers to compress and archive multiple stolen files. This aids the attacker in the data exfiltration phase where they can upload stolen documents as a single archive. In a few cases, however, we have seen these applications being packaged and configured to compress a predefined set of files.
How can we identify an APT using these tools?
We have seen how these tools are used in APTs to gain administrator rights and collect key documents. So how can IT administrators and power users then use this information to identify an APT that uses these tools?
- Suspicious instances of command shell process may indicate possible compromise. The tools listed above are either command line tools or runs both in command line and via GUI. Attackers use these tools through a hidden command prompt instance thus regularly checking your environment for unknown command shell process can help you identify possible infection. Additionally, using process utilities such as Process Explorer will allow you to see the parameters in a command process. This may help you correlate possible components of an APT.
- The presence of tool(s), whether legitimate or not, can be a sign of compromise. Attackers have long been leveraging legitimate software for malicious purposes. As such, users should be wary on the software present on their systems and should be able to identify what they install. It may be tedious, yes, but being vigilant to files present in your system could spell the difference between mitigating an APT compromise and mass pilfering of your organization’s classified documents.
- In addition, we have observed that these tools are sometimes saved by the attackers using odd file names or with fake file extensions. Being able to identify added files in your system is again key in identifying possible compromise.
- Paying attention to FTP connections in the network logs is a good idea. While it is more common to check for malicious C&C connections, checking for FTP connections gives another opportunity to identify a breach in your network. In a corporate setting, FTP sites are usually Intranet sites. Thus, it is easier to sort out legitimate FTPs from malicious ones. FTP transactions are significantly smaller than other type communications in the network, which may allow you to identify a breach faster. Furthermore, checking for archive files or files with odd file names being uploaded to a remote site may also suggest compromise.
- Review scheduled jobs. Scheduled jobs are a common auto-start method not only for APTs, but to malware in general. Scrutinizing the properties of scheduled jobs will not only allow you identify infection, but will also most likely help you identify components of the attack through the files they execute. Considering the growing number of APT campaigns today, identifying existing APT compromise from an organization’s network is as important as preventing initial APT infection.
By understanding targeted attacks from different perspectives, users, security administrators, as well as security researchers are empowered to better combat these threats. Highlighting APT components, in this case, extend our visibility in identifying existing compromise by knowing what and where to look for.
We previously noted that we will see an increase in attacks that have destructive capacity rather than motivated by espionage. Furthermore, localized attacks with certain defined conditions (like specific language settings, or geographic locations) will increase.