In the process of investigating and analyzing targeted attacks, we have seen that attacks which may not be related at first glance may in fact be linked; conversely attacks that may seem unrelated may turn out to be connected. Knowing which is which can provide useful information in determining how to respond to an attack.
Why Are Separate Attacks “Related”?
Before a cybercriminal or threat actor can launch an attack, many things have to be prepared in advance. The list of recipients have to be compiled, command-and-control (C&C) servers brought online, malware payloads chosen, etcetera. Ideally, attackers would use separate ones, but that isn’t the case: they are just as prone to reuse items or tactics that have worked before. Knowing these similarities between attacks can help determine what is an appropriate response.
There are many ways that seemingly independent attacks can be correlated, but here are some of the most common ones:
- Same IP address sends different email messages
- Same email address sends different messages
- The same malware is attached to different messages
- Multiple (similar) backdoors use the same C&C server
- Different backdoor types use the same C&C server
- Multiple domains registered using the same email address
- Similarities in the way command-and-control network traffic is organized
How can this information be used?
Typically, organizations face two kinds of threats: highly sophisticated attacks that target them specifically, or more “random” attacks that are aimed at wider audiences. It can be difficult to tell just by examining the specifics of a particular attack which it is, but examination of the similarities above – using additional information provided by the Smart Protection Network – may be useful. It’s best to illustrate this with a hypothetical example.
A company received an apparently targeted email that contained a malicious attachment. The malware installed tries to contact an external C&C server for instructions using HTTP. It would appear, at first, that this was a sophisticated targeted attack.
However, more in-depth analysis would reveal that the malware only accessed two files on the C&C server: /kc1/data.bin and /kc1/gate.php. Accessing two files located in the same directory with the .BIN and .PHP extensions is common behavior by ZeuS/ZBOT variants. In addition, the domain of the C&C server was registered using an email address that was also used to register another domain on the well-known ZeuS Tracker blacklist. All this strongly suggests that it was not a sophisticated attack, but instead a more ordinary ZeuS/ZBOT infection. This can still pose a threat, but it’s a different nature compared to a sophisticated attack.
This information can also be used to gauge the seriousness of an attack. For example, in October, we found a new Poison Ivy variant (BKDR_POISON.AB) had infected 15 different machines, belonging both to individuals and various organizations. What we also found was that there had been a similar attack earlier in the year which distributed a very similar Poison Ivy variant (BKDR_POISON.BJX). Similarities included the malware’s mutexes and the emails used to spread the attack.
From there, one can conclude that both attacks were not meant to directly target anyone, but more to gather information across a wide number of possible targets that could be used for more direct attacks at a later time.
The links between attacks can also be used to discover other potential attacks as well. For example, examining the email and IP addresses linked to domains used as C&C servers in a current attack can lead to other domains. The added information can be used as indicators for potential attacks that may not have been detected at the time.
Gathering information about the connections between attacks can reveal much about the attacks in the first place. Organizations that use this kind of threat intelligence can use it to gain a more accurate picture of the attacks facing them. It can reveal that apparently unrelated attacks may turn out to be related, and have been launched by a single group of attackers. Alternately, it can make clear if an organization is under attack from multiple groups – which may or may not be working together. Whatever the case, this kind of information can be useful in creating a proportional response to threats.
For more discussions on malicious network traffic, you can read our report titled Malicious Network Communications: What Are You Overlooking?.
We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.