Hackers are constantly looking for new ways to breach organizations, varying their approaches and combining multiple attack vectors to sidestep security measures and remain undetected within a network. Their motivation is often simple: today's businesses hold ever-increasing amounts of sensitive data, which can fetch a high price on underground marketplaces. For this reason, many enterprises are educating themselves on emerging intrusion techniques and the best ways to protect against these threats.
Currently, attackers are increasingly moving beyond straightforward targeted attacks toward more advanced approaches, including network detection evasion. This strategy, which falls under the umbrella of advanced evasion techniques, combines several attack methods in an attempt to circumvent network protections across one or more protocol layers, Trend Micro noted. Often the aim of network detection evasion is to mask malicious traffic so that it blends in with normal, legitimate traffic. This lets attackers fly under the radar and operate inside a target without setting off any alarms.
Today, there are a number of malware samples that enable this type of attack. Here we’ll take a look at a few examples as well as several strategies businesses can use to protect themselves.
Trend Micro recently identified a family of network-detection-evading malware that it dubbed FAKEM. These are remote access Trojans, or RATs, deployed as second-stage malware. The samples include graphical user interfaces and remote desktop capabilities that let the operators transfer files, take screenshots, record from the microphone and carry out other malicious activities on infected computers.
The FAKEM family distinguishes itself from other RATs in that the traffic it produces is much less recognizable to network defenses. Other RATs, including Gh0st, DRAT and PoisonIvy, produce well-known traffic patterns that network safeguards flag easily. FAKEM instead shapes its traffic to resemble other protocols, such as Windows Messenger and Yahoo! Messenger traffic, making it harder for detection tools to separate the malicious traffic from the legitimate.
Although only recently discovered, FAKEM has been used by attackers to mask their activities since September 2009, Trend Micro noted.
“While it is possible to distinguish the network traffic FAKEM RAT variants produce from the legitimate protocols they aim to spoof, doing so in the context of a large network may not be easy,” wrote Nart Villeneuve, Trend Micro senior threat researcher. “The RAT’s ability to mask its traffic may be enough to provide attackers enough cover to survive longer in a compromised environment.”
This is an especially pertinent threat: the longer attackers can camouflage their activity, the more opportunity they have to steal information and damage the network.
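Villeneuve's point is that imitation traffic can be told apart from the real protocol, but only by checking it structurally rather than by looking at the first few bytes. The following is an added example, not code from the article or from Trend Micro: a conformance check for Yahoo! Messenger's publicly documented YMSG framing (a 20-byte header with magic, version, vendor, body length, service, status and session ID, followed by numeric keys and values each terminated by the bytes C0 80). The "genuine" and "lookalike" flows are constructed samples; the lookalike assumes, purely for illustration, a RAT that prefixes the YMSG magic to its own binary framing and is not a FAKEM specimen.

```python
import struct

# YMSG (Yahoo! Messenger) framing, as documented publicly and implemented in
# the Wireshark dissector: a 20-byte header followed by key/value fields.
YMSG_MAGIC = b"YMSG"
YMSG_HEADER = struct.Struct(">4sHHHHII")   # magic, version, vendor, body length, service, status, session
YMSG_SEP = b"\xc0\x80"                      # terminator after every key and every value


def build_ymsg(service: int, status: int, session: int, fields) -> bytes:
    """Assemble a well-formed YMSG packet (used here only to construct samples)."""
    body = b"".join(str(k).encode() + YMSG_SEP + v.encode() + YMSG_SEP for k, v in fields)
    return YMSG_HEADER.pack(YMSG_MAGIC, 16, 0, len(body), service, status, session) + body


def ymsg_deviations(packet: bytes) -> list:
    """Return the ways `packet` departs from YMSG framing; an empty list means it conforms."""
    if len(packet) < YMSG_HEADER.size:
        return ["truncated header"]
    magic, version, vendor, length, service, status, session = YMSG_HEADER.unpack_from(packet)
    if magic != YMSG_MAGIC:
        return ["missing YMSG magic"]
    body = packet[YMSG_HEADER.size:]
    problems = []
    if length != len(body):
        problems.append(f"declared length {length} != actual {len(body)}")
    if body:
        if not body.endswith(YMSG_SEP):
            problems.append("body not terminated by C0 80")
        fields = body.split(YMSG_SEP)
        if fields[-1] == b"":
            fields.pop()   # the trailing terminator leaves an empty element
        if len(fields) % 2:
            problems.append("odd number of key/value fields")
        bad_keys = [k for k in fields[0::2] if not k.isdigit()]
        if bad_keys:
            problems.append(f"non-numeric keys: {bad_keys[:3]}")
    return problems


def classify_flow(packets) -> str:
    """Label a flow that claims to be YMSG: 'ymsg' if every packet conforms, else 'ymsg-lookalike'."""
    return "ymsg" if all(not ymsg_deviations(p) for p in packets) else "ymsg-lookalike"


# Constructed sample 1: a genuine-looking auth request followed by a message.
GENUINE = [
    build_ymsg(0x4B, 0, 0, [(1, "alice")]),
    build_ymsg(0x06, 0, 0x1234, [(0, "alice"), (1, "alice"), (5, "bob"), (14, "hello")]),
]

# Constructed sample 2: a hypothetical RAT that prefixes the YMSG magic to its
# own binary framing (an assumption for illustration, not a FAKEM specimen).
FAKE_HDR = YMSG_HEADER.pack(YMSG_MAGIC, 16, 0, 0, 0x4B, 0, 0)
LOOKALIKE = [
    FAKE_HDR + b"\x00\x01\x00\x0e" + b"cmd=screenshot",
    FAKE_HDR + b"\x00\x02\x00\x10" + b"cmd=upload /tmp/x",
]

if __name__ == "__main__":
    for name, flow in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, classify_flow(flow))
        for p in flow:
            print("   ", ymsg_deviations(p) or "ok")
```

A signature that only matches the four magic bytes would pass both flows; the length, terminator and numeric-key checks are what separate them. The same approach applies to any imitated protocol: encode the framing rules the real client cannot violate and alert on flows that break them, which is cheap enough to run on every flow even on a large network.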
Another network detection evasion threat is known as Rodecap, or Mutator. This sample is loosely connected with the Stealrat botnet, as it has downloaded certain Stealrat modules that enable it to blend in with regular network traffic. Trend Micro has discovered several versions of Mutator, each of which uses its own strategy for avoiding detection.
One version uses HTTP header spoofing: it disguises the server it is really talking to by setting the HTTP Host header to a legitimate site, so that any monitoring that keys on the Host header sees a harmless destination rather than a malicious server. In this case, Mutator makes its requests appear to be addressed to google.com.
“HTTP header spoofing is achieved by first establishing a connection to the actual malicious command-and-control server then modifying the HTTP request header to use ‘www.google.com’ as host,” Trend Micro explained.
Another Mutator variant builds on this approach by using attacker-registered host names that sound legitimate, such as arbmusic.net, freeimags.org and store-apps.org. This strategy resembles cybersquatting, in which domain names are registered in the hope of reselling them for profit.
“While this technique does not strictly fall into the cybersquatting definition, Stealrat’s operators have been known to use domain names similar to those of regular sites (e.g., news, music, picture and app sites) that users would visit,” Trend Micro noted.
With this approach, the attackers control the domains themselves rather than adjusting the HTTP header to claim a legitimate host. Because the name genuinely resolves to their server, a check that compares the Host header against the connection's real destination will not catch it; the lookalike name has to be caught on other grounds.
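Both Mutator techniques can be checked against the same proxy or Zeek-style HTTP and DNS logs. The following is an added example, not code from the article or from Trend Micro: it flags a Host header naming a site that never resolved to the connection's actual destination (the header-spoofing variant) and, separately, flags registrable domains the organization has never seen before (the remaining signal when the attacker owns the name). The resolver cache, the baseline of known domains and the HTTP records are all constructed, using RFC 5737 documentation addresses in place of real ones.

```python
from typing import Dict, List, Set, Tuple

# Constructed resolver log: hostname -> IPs the organization's resolvers actually
# handed out (in practice fed from passive DNS or a Zeek dns.log).
DNS_ANSWERS: Dict[str, Set[str]] = {
    "www.google.com": {"203.0.113.10", "203.0.113.11"},
    "freeimags.org": {"198.51.100.40"},
}

# Registrable domains seen on this network before (constructed baseline).
SEEN_DOMAINS: Set[str] = {"google.com", "example.com", "microsoft.com"}

# Constructed HTTP records: (client IP, server IP, Host header), the fields a
# proxy log or Zeek http.log would give you.
HTTP_RECORDS: List[Tuple[str, str, str]] = [
    ("10.0.0.5", "203.0.113.10", "www.google.com"),   # consistent with DNS
    ("10.0.0.7", "198.51.100.23", "www.google.com"),  # Host header spoofed
    ("10.0.0.9", "198.51.100.40", "freeimags.org"),   # attacker-owned lookalike
]


def registrable_domain(host: str) -> str:
    """Naive registrable domain (last two labels). A public-suffix list is
    needed for names such as example.co.uk; kept simple here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_record(client: str, server_ip: str, host: str,
                 dns_answers: Dict[str, Set[str]] = DNS_ANSWERS,
                 seen_domains: Set[str] = SEEN_DOMAINS) -> List[str]:
    """Findings for one HTTP request; an empty list means nothing stood out."""
    findings = []
    answers = dns_answers.get(host.lower())
    if answers is None:
        # Nobody on the network ever resolved this name, so the client reached
        # the server by a hard-coded address and merely claimed the name.
        findings.append(f"spoofed Host: {host} was never resolved on this network")
    elif server_ip not in answers:
        findings.append(f"spoofed Host: {host} resolves to {sorted(answers)}, not {server_ip}")
    domain = registrable_domain(host)
    if domain not in seen_domains:
        # Attacker-registered names resolve genuinely, so the check above
        # passes; the domain's first appearance is the remaining signal.
        findings.append(f"newly observed domain: {domain}")
    return findings


def scan(records: List[Tuple[str, str, str]] = HTTP_RECORDS) -> List[List[str]]:
    """Run check_record over every record, preserving order."""
    return [check_record(*rec) for rec in records]


if __name__ == "__main__":
    for rec, findings in zip(HTTP_RECORDS, scan()):
        print(f"{rec[0]} -> {rec[1]} Host={rec[2]}: {findings or 'ok'}")
```

The Host comparison applies to plaintext HTTP; for HTTPS the equivalent is comparing the TLS SNI and certificate names with the destination. The first-seen check trades false positives for coverage, so in practice it is combined with domain registration age and the number of clients that talk to the name before anything is escalated.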
Protecting against network detection evasion
Although safeguarding the network against these types of attacks is difficult, there are approaches network administrators can use to reduce their chances of being infiltrated. Security Wing recommended that IT teams closely examine every layer of the network and ensure strong security throughout. These efforts should include safeguards at the network perimeter as well as at the server and application levels.
While network detection evasion is designed to bypass basic network monitoring, a more advanced solution can help enterprises pinpoint malicious traffic. Trend Micro Deep Discovery is one such system; according to Trend Micro, it was built to detect the traffic types and variants used by FAKEM RAT and other samples.