

Low volume targeted attack linked to US Government targets, uses multiple evasion tactics


Wednesday, Apr 22, 2015

Over the last few months, Websense® Security Labs™ researchers have tracked and analyzed the attack methods of a low-volume, targeted attack linked to the US Federal government space.  The attack uses a combination of evasion tactics throughout its lifecycle in order to remain elusive.

In this report, we are able to share the evasion tactics used by the attackers.  These include:

  1. Customized payloads delivered by what we believe to be an email lure.
  2. Methods to defeat the anti-evasion techniques employed by file sandboxes.
  3. The use of specific command & control infrastructure relevant to the target industry.
  4. Methods to hide the malware's illegitimacy through suitable naming conventions and certificate use.

Let us take a closer look at each of these tactics:

1. Customized payloads delivered by what we believe to be an email lure.

The original lure email exhibits traits typical of the emails used to spread Upatre.  Email subjects are legitimate-sounding ("Incoming Fax Alert") and have a URL in the email body.

The URL in the email lure points to a .zip file that is actually a self-extracting rar file (SFX RAR).  This leads to a PDF file and a further binary file.  The PDF file is shown to the user as a distraction technique during which the executable is run:

[Image: distraction technique]

The dropped executable (reader_SL.exe) is very different from other payloads we have observed being spread by the Upatre ecosystem, as we describe below.

2.  Methods to defeat the anti-evasion techniques employed by file sandboxes.

It is well-known that file sandboxes have limitations as they typically inspect a suspect file for a limited period of time.  Malware authors have come to realize this, and malicious files have been observed in the wild that delay execution beyond the typical time frame of analysis.  To counter this, an internal system clock within a Virtual Machine or sandbox can be manipulated to trick the malware into executing sooner than it otherwise would.  This targeted attack has the ability to identify when the clock is being accelerated and ceases execution.

The following process is used to achieve this:

  • Take snapshot of system time
  • Sleep for 66 seconds
  • Take second snapshot of system time
  • If the difference in the minute values of the system time is greater than 1 then continue to execute, else cease execution.

This process identifies when a file sandbox is accelerating Sleep calls.  Acceleration of Sleep calls is intended to trick the malware into executing within a shorter period of time.
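The check described above, modelled as an added example from a sandbox developer's point of view (this is not the sample's code). The clock and Sleep are injectable, so the same check can be run offline against a sandbox that honours sleeps, one that skips them, and one that skips them while advancing the visible clock. The post compares the minute values of two timestamps; this model compares elapsed seconds against the requested sleep, which is my simplification of the same question.

```python
"""Model of the sleep-acceleration check used by the sample described above.
Added example: the clock is simulated, no real time passes."""
from dataclasses import dataclass

SLEEP_SECONDS = 66  # sleep length stated in the post


@dataclass
class SandboxClock:
    """Simulated guest clock (hypothetical, constructed for this example).

    skip_sleeps: the sandbox returns from Sleep immediately (acceleration).
    warp_clock:  when skipping, the sandbox also advances the clock the
                 sample can read by the requested amount, keeping the two
                 time sources consistent.
    """
    now: float = 0.0            # seconds since an arbitrary epoch
    skip_sleeps: bool = False
    warp_clock: bool = False

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        if not self.skip_sleeps or self.warp_clock:
            # Either the sleep really happens, or it is skipped but the
            # clock is moved forward by the same amount.
            self.now += seconds
        # skip_sleeps without warp_clock: return at once, clock unchanged.


def sleep_check_passes(clock: SandboxClock,
                       sleep_seconds: float = SLEEP_SECONDS) -> bool:
    """Return True when the sample would continue executing.

    Snapshot, sleep, snapshot again; continue only if the clock advanced
    by at least the requested sleep (my simplification of the post's
    minute-value comparison).
    """
    first = clock.time()
    clock.sleep(sleep_seconds)
    second = clock.time()
    return (second - first) >= sleep_seconds


def run_scenarios() -> dict:
    """Exercise the check against the three sandbox behaviours."""
    return {
        "faithful_sleep": sleep_check_passes(SandboxClock()),
        "skip_only": sleep_check_passes(SandboxClock(skip_sleeps=True)),
        "skip_and_warp": sleep_check_passes(
            SandboxClock(skip_sleeps=True, warp_clock=True)),
    }


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{name:15s} -> {'continues' if passed else 'ceases'}")
```

Only the skip-without-warp sandbox is detected: accelerating Sleep calls without moving every clock source the sample can read by the same amount is what gives the acceleration away.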

3.  The use of specific command & control infrastructure relevant to the target industry.

The command and control (C&C) infrastructure is based around compromised legitimate servers, seen within the Government sector and within the specific targets' industry sector.  This serves to make identification of anomalous traffic difficult.  We have identified these techniques by decrypting the malware's configuration file.

The requests to the C&C result in what look like standard website errors and messages for a page that does not exist. However, these messages rotate and sometimes real encrypted data is sent back. In every response, a tag is sent back.  The purpose of the tag is currently unclear.  For example:

[Image: encrypted data]

4.  Methods to hide the malware's illegitimacy through suitable naming conventions and certificate use.

This malware tries to disguise all of its files by using legitimate-looking names. It also seems to embed a lot of legitimate-looking strings and functionality copied from genuine files.

Should the file execute successfully, additional files are extracted to the Application Data folder under the directory ATI_Subsystem. The files it extracts to this location are:

  • amdmftdecoder_32.dll - 32bit component
  • amdmftvideodecoder_32.dll - 64bit component
  • aticalcl.dll - 32bit component
  • atiesrxx.exe - Renamed rundll32.exe Windows component
  • racss.dat - Encrypted XML configuration file

These components have been made to look like legitimate ATI software, and are self-signed with a fake ATI certificate.

Conclusion

As described in our 2015 Threat Report, malware authors are increasingly using complex evasion tactics to bypass various stages of analysis.  The techniques used in this attack highlight the extent of effort employed by cyber-criminals to successfully breach their target.

Contributors: Nicholas Griffin, Abel Toro, Ran Mosessco.

Websense Security Labs will continue to monitor the tactics used in this, and similar, attacks.


About the Author

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...