A recent report by Symantec documented a campaign of targeted malware attacks that began as early as April 2011 and continued up to October 2011. During this time, the attackers managed to compromise at least 100 computers around the world. This report illustrates some of the key findings in our latest white paper, Trends in Targeted Attacks.
Targeted malware attacks are rarely isolated events. It is more useful to think of them as campaigns – a series of failed and successful attempts to compromise targets over a period of time. An attacker’s prior knowledge of the victim, possibly from a previously successful attack, affects the level of specificity associated with a single attack in a malware campaign. In this case, the attackers used messages with an IT security theme that appeared rather generic but were customized for various targets. The download link in the email messages was made to appear as if it were pointing to the target’s own website. Often, this less-specific level of targeting focuses on communities of interest and is aimed at acquiring information to be used in a future, more precise attack.
Moreover, there is generally a diversity of targets. In this case, the Nitro attackers targeted a concentration of chemical companies but also targeted human rights NGOs, motor companies and defense contractors.
The backdoor used in the Nitro campaign is known as Poison Ivy. It is a freely available Trojan that provides an attacker with full, “real-time” access to a compromised computer. One often overlooked component of targeted malware attacks is the reliance on real time human interaction. This distinguishes them from automated botnets. When the Poison Ivy backdoor connects to the attackers command and control infrastructure there is a human at the other end that can begin exploring the compromised computer and the network to which it belongs. This attacker can steal information, install additional malware and compromise other machines on the same network. Most importantly, the human on the other end of the Poison Ivy Trojan can react to defensive measures taken by the victim.
Attackers need to deploy command and control (C&C) infrastructure in order to maintain connectivity to the computers they compromise. The attackers sometimes maintain distinct sets of C&C infrastructure making it difficult to uncover the full extent of their operations. Using the initial malware samples, domains and IP addresses provided by Symantec, we were able to map out three distinct sets of command and control infrastructure.
The first set of command and control infrastructure contains three domains provided by dynamic DNS services. Attackers often use dynamic DNS services in conjunction with RATs, such as Poison Ivy. These services make it easy for the attackers to update their C&C domains to new IP addresses thus maintaining consistent connectivity with the compromised computers.
The second set of C&C infrastructure centers around three domains which all resolved to the same IP address. The C&C domain, domain.rm6.org was also used in an attack. on the UK government in August 2011.
The third set centers on the domain antivirus-groups.com and the IP address 220.127.116.11 which Symantec has associated with a specific actor which they’ve codenamed “Covert Grove”.
This segmented infrastructure allows the same set of attackers to target different potential victims without having all the attacks linked together. Without additional information, it can be difficult to link together the full scope of targeted malware campaigns. This illustrates how important threat intelligence is to defensive strategies.
Here are some examples of MD5s connecting to the Nitro infrastructure:
Defensive strategies can be dramatically improved by understanding how targeted attacks work as well as trends in the tools, tactics and procedures of the perpetrators. Since such attacks focus on the acquisition of sensitive data, strategies that focus on protecting the data itself, wherever it resides, are extremely important components of defense. By effectively using threat intelligence derived from external and internal sources combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks.