An independent test of APT attack detection appliances

[_XaXaXa_]

New anti-APT tools are no silver bullets: An independent test of APT attack detection appliances » CrySyS Blog

Asa ceva a fost folosit in Coreea de Sud in atacul de la centrala nucleara.

Test sample 4 - BAB09

BAB0 is a custom designed sample written in C++ with a server side written in PHP. It was designed to be as stealthy as possible, and utilizes multiple methods to avoid detection. Actually, this test case simulates attackers with moderate resources and some understanding of the state-of-the-art

9 Babo means hobbit in Hungarian. We called this sample Babo, as its objective was to stealthily bypass all state-of-the-art defenses, while actually being very simple, and this situation shows a parallel to the story of the Lord of the Rings, where Frodo, the small hobbit managed to bypass all defenses of the fearsome Sauron, the Lord of Mordor, and reached Amon Amarth, where the One Ring was finally destroyed.

?7

detection tools and how advanced malware work. For example, this can simulate organized criminals when attacking high value targets. On the other hand, nation state attackers surely have more resources and knowledge to develop even stealthier malware.

The executable of BAB0 is downloaded by the victim as part of an HTML page, where it is actually hidden in an image with steganography. Thus, the executable never appears in clear in the network traffic. The downloaded page also contains scripts that extract the executable from the image when the user clicks on it. To avoid extracting the executable in a sandbox environment on the detection tools, the website’s underlying HTML and JavaScript code is misleading for an automated analysis environment, but it has nothing special from a user’s perspective. On the other hand, the page does not use CAPTCHA or other Turing test methods that would be unfair from a testing perspective. The user has to simply click on something that appears to be a download button.

Once the sample is running, it presents a decoy program to the user to appear as an ordinary program. It does not try to modify the registry or any configuration on the machine by itself. Persistence can be achieved later by sending commands that add the executable to the appropriate registry entries or making it start with the system in some other ways.

To hide the C&C network traffic, the client simulates a user clicking on links in a web forum, and downloads full HTML pages with CSS style sheets and images. The real C&C traffic is hidden inside these HTTP requests using data hiding methods. In the tests, we hosted the C&C server on domains with some positive reputation. It helped to simulate a fairly common scenario when the malware author compromised domains without negative reputation to host (part of) the C&C infrastructure. The command types that can be sent to the client include: directory traversal, file download and upload, and command execution.