Friday, August 19, 2011

Inside an APT Covert Communications Channel

http://www.hbgary.com/hbgary-blog

For many years, hackers operating out of China have been attacking a myriad of commercial and government systems here in the US and abroad. The term “APT” or Advanced Persistent Threat has often been used to describe these attackers. While HBGary is primarily a product company selling an enterprise incident response product, the team has been deep into APT analysis for over five years. Most of the analysis work is in direct support of Digital DNA – an automated system for detection of unknown malware and APT intrusions. I presented a technical description of how this attribution works, what it solves and what it doesn’t, at the BlackHat Conference last year. The work is about tracking threat groups – that is, tracking the humans and the human factors behind the digital artifacts we see. There are many hacking groups involved in these intrusions. One such group has often been called “Comment Crew” for their use of HTML comments as a means of command and control. This group has been associated with the recent “Shady RAT” intrusion revealed by McAfee. For this article I am going to give you a technical in-depth tour of how such a group operates.

---------------------------------------------------------------

CyberESI - Trojan.Letsgo Analysis
http://www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/

This is malware captured during an ongoing APT attack which utilized various techniques (i.e. Targeted Spear-phishing, HTML Comment Base64 C2, Encoded Binaries in GIFs, etc.) to bypass standard enterprise perimeter-based security measures (e.g. Proxy/Network Reputation Checking, Proxy AV, Proxy File Type Blocking, Firewalls). This attack also included "interaction with the host" by the attacker.

The CyberESI blog is full of this type of analysis. Another example:

Cyber ESI - The PNG Trojan AcroRD32.exe
http://www.cyberesi.com/2011/05/16/the-png-trojan-%E2%80%93-acrord32-exe/

Again, this is malware using the techniques outlined above (i.e. HTML Comment Base64 C2, Encoded Binaries in PNGs, etc.). Again, the attacker interacted with the host using basic command-line 'administration' commands.
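Both analyses describe the same two tricks: command-and-control text carried as Base64 inside HTML comments, and binaries tucked into image files so that proxy file-type and AV checks see only a picture. The following is an added detection example written for this post, not code from HBGary or CyberESI, and it makes two assumptions the linked write-ups do not spell out: that a C2 comment consists of a single unbroken Base64 token (ordinary comments contain spaces and punctuation and so fail the alphabet test), and that an embedded binary is appended after the image's end marker (PNG `IEND` chunk, GIF `0x3B` trailer), which is one common way to hide a payload that viewers ignore; a payload woven into pixel data would need a different check. All sample inputs are constructed inline.

```python
import base64
import re
import struct
import zlib

# A comment body that is one Base64 token of 16+ chars (with optional padding)
# is the signal; normal prose comments never match this alphabet end to end.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")
COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.DOTALL)
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def suspicious_html_comments(html: bytes):
    """Return (offset, decoded_bytes) for each HTML comment whose body is a
    pure Base64 token. Assumption: the blob is the whole comment body."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        if not B64_RE.match(body) or len(body) % 4:
            continue
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        hits.append((m.start(), decoded))
    return hits


def png_trailing_bytes(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.
    A well-formed PNG ends exactly at IEND; anything after it is foreign."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4       # 4-byte length, 4-byte type, data, 4-byte CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def gif_has_trailing_bytes(data: bytes) -> bool:
    """A GIF must end with the 0x3B trailer byte, so a different final byte
    means data follows the image. Necessary check only: a payload that
    happens to end in 0x3B would slip past it."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    return data[-1:] != b";"


# ---- constructed samples (not captured from any real intrusion) ----
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Minimal PNG skeleton: IHDR for a 1x1 RGB image plus IEND (no IDAT is needed
# for the chunk walk, which is all this check relies on).
CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _png_chunk(b"IEND", b""))
PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD"
STEGO_PNG = CLEAN_PNG + PAYLOAD          # payload appended after IEND

SAMPLE_HTML = (b"<html><body>\n<!-- generated by cms 2.1 -->\n<p>News</p>\n<!-- "
               + base64.b64encode(b"CONSTRUCTED-SAMPLE-COMMAND")
               + b" -->\n</body></html>\n")

if __name__ == "__main__":
    for offset, decoded in suspicious_html_comments(SAMPLE_HTML):
        print(f"Base64 comment at byte {offset}: {decoded!r}")
    print("clean PNG trailing bytes:", png_trailing_bytes(CLEAN_PNG))
    print("stego PNG trailing bytes:", png_trailing_bytes(STEGO_PNG))
    print("GIF with extra data:", gif_has_trailing_bytes(b"GIF89a\x01\x00\x01\x00;extra"))
```

In a proxy or mail gateway the HTML check runs over fetched pages and the image checks over any PNG or GIF attachment or download; a decoded comment that is printable text, or an image with non-empty trailing bytes, is worth a closer look rather than an automatic block, since some legitimate tools also append metadata after the image end marker.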
