Recently, we shed some light on APT attack tools and how to identify them. Part of our daily tasks as threat researchers revolves around investigating APT actors, and the tools that they utilize to help better protect our customers. The purpose of this blog is to further investigate the tools that APT actors typically use and what they do with them.
How these tools are used
While many would think these tools are used during the initial compromise phase of an attack- that is not the case with this post. I will be focusing on the tools that are used after the initial compromise is attained. The following diagram illustrates where these tools are commonly used in a traditional APT lifecycle.
Figure 1. Traditional APT lifecycle
Step 1: The attacker sends malware to the victim. This can be done in many ways – an email message with a malicious attachment, a USB flash disk, or a compromised web site are all possibilities.
Step 2: The malware is executed on the affected system. This may require manual steps by the victim, or it could be done without any intervention using exploits.
Step 3: When the malware is run, it drops a backdoor such as STARSYPOUND or BOUNCER. These first stage tools push a backdoor to the attacker for later access. (These could be considered first stage tools). It allows the attacker to maintain persistence and get access to the system at a later time.
Step 4: The attacker then uploads tools to perform data exfiltration, lateral movement, and a litany of other tasks.
The tools listed below include some of the tools APT actors use on a daily basis. These tools are typically employed once the APT actor gets access to the victim’s machine via one of the first stage tools listed above. Keep in mind however, that these tools are not inclusive of first stage tools such as backdoors, Trojans, and other categorical tools.
In addition, this is not a complete listing of tools since that is impossible to create based on the ever-changing threat landscape. Many APT actors use custom coded applications that perform similar functionality, and thus may differ from those listed below. Use this list as a baseline of functionality to help identify similar tools in your environment and to demonstrate known tools that are used in common APT campaigns.