Lucky number seven: Malware Detection after seven years
By Arie Fred, VP of Product, SecBI
Several APT campaigns were in action for SEVEN years before being identified.
Researchers from endpoint detection and response (EDR) company Cybereason have uncovered a large-scale APT campaign that dwelled for seven years while targeting telecommunications companies around the world. Dubbed "Operation Soft Cell", it was aimed at obtaining CDRs (Call Detail Records) from large telecommunications providers.
The tools and TTPs (tactics, techniques and procedures) used are commonly associated with Chinese threat actors, in particular the PoisonIvy RAT and hTran. Over seven years, the attackers operated with persistence and patience: when one attack method was detected they abandoned it, waited in the shadows for several months, and then returned with new tools and techniques for the next stealthy phase of the attack.
Naturally, we applaud the diligent researchers for uncovering this sophisticated attack. However, alarming as this campaign may be, it is very uncommon for an APT campaign to go undetected for so many years. The methods the perpetrators used to communicate with their implants and exfiltrate data from the organization were not novel, and could, and should, have been detected much earlier.
One reason it went undetected for so long was that the attackers, using military-style offensive techniques, were in no rush. They took every precaution to escape detection: by operating intermittently, suspending activity for long periods, and constantly changing tools and communication methods, they managed to evade the traditional signature- and behavior-based tools.
But other than the length of the campaign (and the inhuman degree of patience exercised by the attackers), this campaign did not differ radically from other cyber attacks exposed recently.
For instance, Symantec researchers uncovered targeted campaigns by the group known as Turla (also tracked as Waterbug, Snake and Venomous Bear) that were designed to exfiltrate data from government, education and IT organizations worldwide. The attackers used a previously unknown backdoor called "Neptun", installed on Microsoft Exchange servers. This backdoor was designed to remain undetected by passively listening for commands arriving over external communication channels instead of calling out to a command-and-control server. Upon receiving its orders, it would download additional tools, upload stolen files and execute shell commands.
Another campaign, run by the cyber-espionage group "Platinum", used steganography to remain stealthy for years. In fact, researchers from Kaspersky Lab believe this campaign has been going on since 2012, roughly the same time Soft Cell began. This persistent attack used a two-step method, leveraging a legitimate PowerShell script to connect to a remote malware server and download the malware files. As in the other campaigns we have discussed, the attackers were after information and had the patience to wait for it; they ran their tools only at specific times in order to avoid detection by users and security mechanisms.
The key takeaway is that, regardless of the infiltration method or the vulnerability exploited, these attackers avoided detection by exploiting the way security systems work: they operated over long periods of time, changed tactics and tools, and extracted tiny pieces of information at a time, all in order to stay below detection thresholds. And they were very successful.
To detect such sophisticated and capable attackers quickly, without leaving any part of the malware behind to dwell on the network, SecBI has taken a different approach. Our Autonomous Investigation™ technology uses machine learning algorithms to look at ALL the data over time. Yes, we are talking about analyzing years of log data and detecting links that are simply beyond the grasp of human analysts. SecBI groups events that are significantly correlated and unique in their behavior into distinctive clusters. These clusters evolve as the network's activity changes, which makes it possible to detect even the most proficient, tactic-changing attackers. Analysts are presented with a comprehensive incident storyline and can uncover the full scope of malicious activity, regardless of when it took place. Using SecBI enables security teams to uncover APT campaigns earlier and more accurately, far faster than the seven years it took to identify the Soft Cell attackers.
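To make the "look at all the data over time" point concrete, here is an added example, written for this page and not SecBI's Autonomous Investigation code, that contrasts a per-event threshold rule with aggregation over a whole year of constructed proxy records. Every host name, domain and byte count in it is invented: one workstation beacons a few hundred bytes every few days to a rare domain, goes quiet for two months, then resumes on a new domain, mimicking the intermittent operation and tool change described above. The per-event rule fires only on a benign 30 MB download, while the long-window aggregation recovers both phases of the implant as one per-host storyline.

```python
"""Long-window aggregation versus per-event thresholds on constructed proxy logs.

Added illustration for this page; not SecBI's product code. Every host name,
domain and byte count below is invented.
"""
from collections import defaultdict
import random


def build_logs(seed=7):
    """Construct one year of synthetic proxy records: (day_index, src_host, dst_domain, bytes_out).

    Background: 20 workstations contact three common domains every day.
    Implant (constructed): ws-042 sends 600-900 bytes to a rare domain every
    3-5 days for four months, stays silent for two months, then resumes with a
    different domain, mimicking the tool/infrastructure change in the text.
    """
    rng = random.Random(seed)
    common = ["updates.vendor.example", "mail.corp.example", "search.example"]
    logs = []
    for day in range(365):
        for h in range(20):
            for dom in common:
                logs.append((day, f"ws-{h:03d}", dom, rng.randint(2_000, 500_000)))
    # One legitimate but large download from a domain nobody else uses.
    logs.append((40, "ws-007", "mirror.oss-project.example", 30_000_000))
    # Implant phase 1: days 0-119, first C2 domain.
    day = 0
    while day < 120:
        logs.append((day, "ws-042", "cdn-assets-sync.example", rng.randint(600, 900)))
        day += rng.randint(3, 5)
    # Implant phase 2: days 180-364, new C2 domain, same low volume.
    day = 180
    while day < 365:
        logs.append((day, "ws-042", "metrics-relay.example", rng.randint(600, 900)))
        day += rng.randint(3, 5)
    return logs


def per_event_alerts(logs, threshold_bytes=1_000_000):
    """Per-event rule: flag any single request that moves more than threshold_bytes.

    Each implant beacon is under 1 KB, so this rule never sees it; it does fire
    on the benign 30 MB download.
    """
    return [rec for rec in logs if rec[3] > threshold_bytes]


def long_window_storylines(logs, min_active_days=15, max_sources=2):
    """Aggregate the entire log by (host, domain) and keep pairs that are both
    rare (at most max_sources internal hosts talk to the domain) and persistent
    (active on at least min_active_days distinct days).

    Returns {host: [(domain, first_day, last_day, active_days, total_bytes), ...]}
    ordered by first_day, i.e. one storyline per host that survives a change
    of C2 infrastructure. Total volume is deliberately not a criterion.
    """
    active = defaultdict(set)    # (host, domain) -> days on which they talked
    volume = defaultdict(int)    # (host, domain) -> bytes out
    sources = defaultdict(set)   # domain -> internal hosts that contacted it
    for day, host, dom, nbytes in logs:
        active[(host, dom)].add(day)
        volume[(host, dom)] += nbytes
        sources[dom].add(host)

    storylines = defaultdict(list)
    for (host, dom), days in active.items():
        if len(sources[dom]) > max_sources:
            continue  # popular destination: no rarity signal
        if len(days) < min_active_days:
            continue  # one-off contact such as a single download
        storylines[host].append((dom, min(days), max(days), len(days), volume[(host, dom)]))
    for entries in storylines.values():
        entries.sort(key=lambda e: e[1])
    return dict(storylines)


if __name__ == "__main__":
    logs = build_logs()
    print("per-event alerts:", per_event_alerts(logs))
    for host, entries in long_window_storylines(logs).items():
        print(host)
        for dom, first, last, ndays, nbytes in entries:
            print(f"  {dom}: days {first}-{last}, {ndays} active days, {nbytes} bytes total")
```

The aggregation keys on rarity and persistence rather than volume, which is why a few hundred bytes every few days is enough to surface the host while the single large download is dropped after one active day. Because the grouping is per host rather than per destination, the switch from one C2 domain to another appears as two entries in the same storyline instead of two unrelated low-priority events.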