Part three - the criminal overground

This blog is part of a series! Read part one ‘Security, Performance, Obfuscation & Compression’ here and part two ‘Camouflage .NETting’ here.

Much attention is paid to the underground economy in the media with a huge focus on the availability of malware on underground and so-called ‘darknet’ forums. These underground services may make a more exciting story, but the recurring theme throughout the past two posts in this series has been the ready availability of commercial tools written without malicious intent which can nonetheless be turned to ill purposes.

Instead of relying on underground sources to provide the payload then simply obfuscating and deploying it using publicly available tools, the reality is that an individual with malicious intent could assemble an effective campaign from ‘off-the-shelf’ products available quite openly on the Internet.

The question is, how much skill is required?

The good, the bad & the ugly

While the focus was on their potential applications as part of malicious campaigns, the vast majority of the tools discussed in this series have had legitimate commercial applications, usually for the protection of intellectual property. As an example, the developers of Eazfuscator, a commercially available .NET obfuscation tool, list major organisations including Samsung, Oracle, and Ford amongst their customers.

Of course, there are a number of other tools out there for which the intended legitimate uses can be hard to divine. Agent Tesla, for example, describes itself simply as ‘software for monitoring your personel [sic] computer’ yet this rather feels (for those of us old enough to remember, at least) like Back Orifice’s ostensible primary purpose as a Windows administration tool: there are a number of features which are arguably inconsistent with this design brief, e.g. the ongoing maintenance of antivirus evasion capability (see below).

^{Figure 1: Agent Tesla's changelog entry for 14 July 2017; note the updates being made to the antivirus evasion features}

Although they have not been discussed so far, any number of products ranging from tools targeted at penetration testers and red teams to legitimate remote administration applications have been used within malicious campaigns. Indeed, it was only last month that Forcepoint Security Labs discussed the frequent use of administration tools and capabilities built into Windows for malicious purposes.

An example of the former is the series of attacks against ATMs by the ‘Cobalt’ gang in 2016. This used elements of a number of security tools such as Cobalt Strike (presumably the naming inspiration for the gang but otherwise unrelated). For the latter, TeamViewer – much to the company’s chagrin – seems to be a popular choice.

^{Figure 2: Features of Cobalt Strike's 'Beacon' component}

Putting it all together

The ultimate upshot of this is a very low barrier of entry to cybercrime, even for endeavours such as corporate espionage which are perhaps easier to imagine to be the territory of organised criminals and APT-level threats.

Malicious email campaigns distributing Agent Tesla have been seen targeting individuals within industries ranging from steel production to, rather specifically, procurement managers within the catering departments of Egyptian resort hotels. Given its transparent pricing (see below) and near immediate usability, Agent Tesla is well suited to would-be amateur spies.

^{Figure 3: Agent Tesla's 'as-a-service' pricing structure}

Moving up a league allows slightly more skilled attackers to put together relatively competent packages of malware – still without writing any code – by combining several tools available online, e.g. in the case of the Predator Pain sample noted in the previous post where obfuscation tools were used to hide a relatively old and readily identifiable piece of malware.

Another step up again and a malicious actor can simply use ‘glue code’ to combine the capabilities of various exploits and open-source tools found in repositories online. A significant number of these repositories exist (not linked here for obvious reasons) and provide a code-base from which to build out a semi-customised piece of malware based on pre-existing code.

To those without a development background code reuse like this may sound like an edge-case or the mark of an unskilled attacker, but ‘not reinventing the wheel’ is often key to successful development projects and, as already noted, even highly successful attackers such as the Cobalt gang have employed this technique. (As another example: how many pieces of malware have the ability to communicate via Tor? This capability is unlikely to have been written from scratch…)

Conclusion

Unfortunately for those on the defending team, all of this makes it very easy to avoid static antivirus signatures. Indeed, many of the crypters and packers examined in the previous posts in this series espouse their ability to render malware fully undetectable (‘FUD’) – that is to say, they also evade heuristic antivirus signatures.

While this quickly changes as samples percolate through the security ecosystem, the initial minutes of a malicious campaign are critical. During this time a determination of the sender or author’s intent needs to be made for all files received by an organisation, be that by web or email.

As ever, the human point of contact with data and systems is likely to be the easiest to compromise: despite constant user education programmes people can and do open ‘that’ attachment and click ‘that’ link. The determination of malicious intent therefore needs to happen before a user is exposed to the content.

Fortunately, this is entirely possible using technologies such as Forcepoint Advanced Malware Detection which performs a range of static and dynamic code analyses to provide visibility of previously unseen threats based on file behaviour.