Last month, security researchers released a report about a targeted attack operation which they named Careto, or Mask in Spanish. The attack was noted for encoding its configuration data and encrypting its network traffic, making analysis more difficult.

However, the capabilities of the Mac malware used in Careto was not as sophisticated as its Windows counterpart. (We detect this as OSX_CARETO.A.) It connects to a hardcoded command-and-control (C&C) server and runs /bin/sh to open a shell, which can then run commands sent from the C&C server. This particular backdoor is only approximately 88 kilobytes in size, which is not particularly large (especially since it contains both 32- and 64-bit code.) However, analysis of this malware is still not easy, due to the mentioned encoding and encryption. In this blog post, we look into the details of this encoding and encryption.

Figure 1. File structure of OSX_CARETO.A

Read the rest of this entry »

In targeted attacks, during the lateral movement stage attacks try to gain access to other computers on the same local area network (LAN). One useful tool to achieve this is ARP spoofing, which can be used to carry out a variety of attacks to steal information as well as plant backdoors on other machines. We recently came across a tool that automates ARP attacks, as well as using these kinds of attacks to inject IFRAMEs into websites, deliver fake software updates, and disrupt SSL connections.

ARP Spoofing

Hacking tools that automate ARP attacks are fairly common, so we well not delve too deep into all aspects. The tool can scan for live hosts on the LAN, which are then saved in an encrypted file. These IP addresses can then become the targets of ARP spoofing attacks.

For starters, this tool can be used to  intercept network traffic and extract login credentials of network services. This particular tool that we saw, which we also detect as HKTL_ARPSPOOF , supports a variety of protocols. It has ability to steal the credentials from a wide variety of protocols, such as: FTP, HTTP, IMAP, NetBIOS, POP3, SMB, and SMTP.

For these protocols, the tool scans the network traffic to extract user names and passwords. These are then saved in an encrypted file, which the attacker can upload at their discretion. Because users frequently use the same password across different accounts, these credentials might be used across a wide variety of services, not just the ones they were captured off.

In addition to this, this tool is also capable of carrying out man-in-the-middle attacks against TLS/SSL traffic. If users are not wary and ignore warnings about invalid certificates, any credentials sent to sites that use TLS/SSL, instead of being “secure”, can be captured and used by an attacker. Many high-profile sites already force the usage of TLS/SSL when users attempt to log into their services.

IFRAME Injection

This malware can also inject IFRAMEs into sites the user visits. It monitors the system’s HTTP traffic and injects an invisible IFRAME whenever possible. The results – as gathered in our testing – can be seen below.

Figure 1. Injected IFRAME

In this case, a (non-malicious) IFRAME was injected into the default web site of the HTTP server. An attacker could use this “feature” to send users to a malicious URL, where they can host a page with malicious code to exploit various vulnerabilities on the user’s system.

Fake Update Package

We constantly warn users to always ensure their software is up to date to help protect themselves. However, this tool exploits that to push malware to other users. This tool is also capable of using ARP spoofing to trick the system into thinking that an update for Windows Media Encoder 9 is being offered to the user; however this file is actually malicious.

Figure 2. Fake update code

Possible Target

One function of this tool offers a potential clue as to the identity of the persons responsible for it. A portion of the code is specifically targeted at users of the Central Tibetan Administration, which relies on Google Apps to provide email for its users.

Figure 3. Code for specific target

Conclusion

The capabilities of this tool highlight the effectivity of ARP spoofing to steal information, particularly login credentials. These can be very useful in conducting lateral movement.

IT administrators should consider retiring old, unencrypted protocols in favor of newer, encrypted ones, as these resist attack better than their predecessors. However, user training should also emphasize the importance of listening to alerts about invalid certificates, as these can indicate serious security problems.

A later stage of  advanced persistent threats (APT) attacks is the  “lateral movement” stage, where attackers typically use legitimate computer features to move within the network undetected. This takes place after the initial breach and the establishment of command-and-control links back to the attacker. We earlier discussed the steps in an APT attack in the infographic, Connecting the APT Dots.

As shown below, the impact attackers can have on networks grows larger as APTs go deeper. Upon reaching the lateral stage, attackers are now virtually undetected by traditional security methods. This allows them to gain even more access privileges and move on to the next APT attack stages.

Figure 1. Graph of APT Stage vs. Impact to Network

Lateral Movement Tactics

The lateral movement stage of APT attacks can be further divided into three major steps: reconnaissance, credentials stealing, and computer intrusions.

The first step allows attackers to collect vital intelligence for their next attacks by using built-in OS tools and other popular utilities. These tools may include the netstat command for connection information and port scanning for open ports.

Once well-informed, APTs will then steal legitimate credentials to establish control. Attackers can do this in various ways, such as: spoofing ARP protocol packets, using keyloggers, pass the hash attacks or hooking login authentication processes.

After acquiring legitimate credentials, attackers will target other computers to move closer to their real target. They are more likely to use remote access or administration tools that leave few traces to accomplish this.

What Enterprises Can Do

The use of legitimate computer features can defeat basic perimeter-based and blacklisting security methods. However, there are many measures enterprises can still use to fortify their security, including: the use of application control, security and information event management (SIEM), and adapting a custom defense solution.

Enterprises need to establish solid threat intelligence from internal knowledge of their network and other external indicators. Threat intelligence partnered with the use of custom defense technology will empower IT personnel in detecting anomalous use of legitimate computer features; thus, securing their networks from APT-related activities.
Find out more about these tools and measures as highlighted in the infographic The Danger of Compromise.

You can also read more about the steps APTs take during the lateral movement stage in the Security in Context paper, How Do Threat Actors Move Deeper into Your Network.

Command-and-control (C&C) server communication is essential for botnet creators to control zombie computers (or bots). To hide this from security researchers, they often use rootkits and other “tricks”. However, hiding the network traffic – specifically from monitoring outside an infected computer – is not an easy task, but is something that the botnet creators have improved through the years.

Detecting and blocking C&C communication is one way to protect users against the dangers of botnets. Threat actors know this, thus they have developed different ways to make the C&C communication more resistant to network security products.

In this report, we will discuss how the latest wave of Pushdo variants keep its C&C communication channel under the radar. Known as a spamming botnet, Pusho/Cutwail was taken down several times in the past. They are also known to distribute ZeuS/ZBOT variants.

Pushdo Hides Among the Crowd

If you are a potential attacker, the best way to not get caught is to blend your communications with normal/legitimate traffic and appear as inconspicuous as possible. Pushdo creators understand this and adopted this strategy into their latest malware.

As shown in Figure 1, these Pushdo variants send out numerous HTTP requests. Among them are requests to the real C&C server. However, most of these requests serve as mere distractions.

Figure 1. PUSHDO Network Traffic Snippet

The malware sample we analyzed contains an encrypted list of 200 domains (see Figure 2). It randomly chooses 20 among them and requests either the root path or the path of “?ptrxcz_[random]”. Some of these domains belong to large companies or famous educational institutions, while some are obscure websites. This makes C&C server identification using network traffic analysis more difficult as it can be tough to distinguish real C&C connections among the fake ones.

Figure 2. Decrypted list of the 200 domains

Another by-product of this fake C&C feature is the potential distributed denial-of-denial (DDoS) the malware can initiate against the 200 web severs on the list. Though the true intention is not to execute this attack, the huge of number of useless requests eats up a lot of bandwidth of these websites.

Sandbox analysis is a popular tool in malware analysis. Many organizations have adopted some kind of automatic sandbox system to detect and block unknown malware. This fake C&C feature, however, poses new challenges to these systems. Before adding a server into the C&C blacklist, a system needs to check the whitelist first. If the whitelist is not good enough, there may be some false positives and inadvertently make legitimate websites inaccessible to users.

Pushdo DGA Complicates Matters

Another noteworthy PUSHDO feature is its domain generation algorithm (DGA). DGA is a popular among botnet malware these days. It’s purpose is to make malware more resistant to C&C takedowns.

Pushdo in particular uses calendar date as the seed in its DGA and generates 30 domains for each day. It tries to connect to not only domains for a given day, but also all domains generated from days between 30 days earlier and 15 days latter. In other words, it may try to connect to 1380 domains each day. It seems most of them are parked domains right now and point to an advertisement page (Figure 3).

Figure 3. Screenshot of Pushdo Generated Domain

This DGA feature can be challenging for behavior and sandboxing analysis. Using sandboxing analysis without reverse engineering the malware and figuring its DGA may not be enough to block C&C communication, as the malware generates different domains for each day.

During our analysis, we effectively monitored Pushdo’s C&C using Trend Micro Web Reputation Services feedback. As shown in Figure 4, there were attempts to connect to one of the C&C servers. The query requests came from different locations, suggesting that there are still other computers infected by this malware.

Figure 4. Requests sent to Trend Micro Web Reputation Service

Traditional method of combating malware, such as file-signature detection, may not be sufficient in today’s threat landscape.Malware authors and the likes have developed effective tactics against signature-based detection like polymorphism and use of packers.

Monitoring behavior of a malware inside sandbox is a good approach to address this challenge – but they are not stand alone solution. Malware like PUSHDO proves that a relying on one solution is not enough. Such technology, coupled with deep analysis and tools like Web Reputation Services, provides more robust protection against these threats.