Posted by on Sep 20, 2018
In a guest blog post by VB2018 gold partner Kaspersky Lab, Costin Raiu, Director of the company's Global Research and Analysis Team, looks critically at the 'A' in APT.
In 1994, when I started working in the AV 'industry', I remember the excitement of finding and taking apart a sophisticated polymorphic virus. Although the vast majority of samples we received were pretty unsophisticated, every now and then we would either find, or read about, something really complicated. One such piece of malware was Zhengxi, and my colleague, Adrian Marinescu, and I spent many hours taking it apart and thinking about how to write a proper detection mechanism. Time passed and the definition of 'sophisticated' changed. Polymorphism became less common and was replaced with packers and cryptors. Self-spreading network malware became popular during the early 2000s, building on top of Windows-related exploits and shaking the world to its core foundations. Names like CodeRed, Nimda and Slammer kept many of us up at night during those days.
Again, time passed, and sophisticated malware once again took on another definition. The publishing of Operation Aurora, disclosed in January 2010, was a turning point in history – for me, it was obvious that something new had taken over the role of 'sophisticated' malware. However, it wasn't until June 2010, when the world learned about Stuxnet, that it became clear that in the future, sophisticated malware would come not from computer enthusiasts, cybercriminals or hacktivists, but from nation states.
Over the following years, more and more sophisticated malware was discovered – utilizing either zero-days, undocumented functions to bypass protection, or very clever persistence mechanisms. As complex malware – or 'malware platforms' – were discovered and detected by anti-virus products, the attackers adapted and even more sophisticated threats were found.
From the moment the term 'APT' ('advanced persistent threat') was coined in our industry, some people objected that the vast majority of such attacks were neither advanced nor persistent. In some cases, APTs are just insistent to the level of annoyance.
In our opinion, this is what makes a piece of malware or an attack 'advanced':
In the last few years, the number of what we consider truly 'sophisticated' and interesting new discoveries appears somehow to have decreased. We do see zero-days used in APT attacks, but this has become pretty much the norm. Sophisticated persistence mechanisms have also become more and more common, ranging from fileless PowerShell-based malware that fires from WMI, to malware operating as LSA plug-ins, browser or Microsoft Exchange extensions. The novelty factor seems to have disappeared for some of these new discoveries.
Of course, this leads to the question: is this really all there is, or is what we are seeing just the tip of the iceberg?
Let's take, for instance, mobile malware. Although mobile malware was expected to become a big problem back in the early 2000s, things are still not as bad as predicted. It is quite rare for a security researcher to spot something like the Pegasus framework. While most Android malware gets installed through social engineering or malicious application updates, it is rare to see mobile device infection through zero-days. Similarly, for iOS-based devices, it is quite rare to see 'sophisticated' malware – which is perhaps why some actors rely on malicious MDM attacks.
Another good example is router malware. Although the Internet is crawling with Mirai variants, sophisticated router malware that leverages exploits or attacks non-Linux-based operating systems such as Cisco IOS is rare. VPNFilter is a significant discovery, but one might wonder whether it is the only router malware currently being used by sophisticated threat actors in 'big' attacks.
To answer the question formulated above, I believe the most likely scenario is that we are indeed only seeing the tip of the iceberg, and there is probably a lot going on that security companies do not find or report on.
Looking at the discussions and development of sophisticated attack techniques, there is a significant difference between the theory and in-the-wild observations. So what is missing? Here's a list of possible culprits:
Take, for instance, SMM malware. As mentioned above, proofs of concept have existed as far back as 2015; however, such malware hasn't been observed in the wild. The reason is probably the fact that no anti-virus program, even one running in ring 0, can easily access SMM memory. This security feature, being part of the CPU and OS design, effectively prevents anti-virus products from catching any malicious activity occurring there.
Recently, I had a chat with my friend Ryan Naraine about sophisticated malware and why modern AV products are unable to find it. Ryan asked me: 'If it's technically impossible to find such malware, what do you do?' I think the answer lies in the weakest link – exfiltration. At some point, all malicious programs need to connect to a C&C server to receive instructions. Although we have seen offline C&C mechanisms, for instance in the Fanny worm, this is rather slow and not always reliable. The moment the invisible malware tries to connect to the C&C, it can be caught. As former head of the NSA's TAO Rob Joyce once said, an out-of-band network tap and a diligent sysadmin who watches the logs can be a nightmare for even the most sophisticated attacker.
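To make the 'diligent sysadmin watching the logs' concrete, here is an added example (not from the post or from Kaspersky Lab) that runs a simple beacon-regularity check over a constructed connection log of the kind an out-of-band tap would produce: it groups outbound connections by flow, measures how regular the gaps between check-ins are, and flags flows whose timing looks automated. The log format, thresholds and addresses are all assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log (not real traffic): one line per
# outbound connection seen on the tap, "ts src dst dport bytes_out".
# Lines are deliberately out of order, as merged tap logs often are.
SAMPLE_LOG = """\
1537430400 10.0.0.5 203.0.113.7 443 512
1537430401 10.0.0.9 198.51.100.20 80 1400
1537430700 10.0.0.5 203.0.113.7 443 498
1537430760 10.0.0.9 198.51.100.20 80 300
1537431000 10.0.0.5 203.0.113.7 443 520
1537431025 10.0.0.9 198.51.100.20 80 9000
1537431300 10.0.0.5 203.0.113.7 443 505
1537431890 10.0.0.9 198.51.100.20 80 100
1537431600 10.0.0.5 203.0.113.7 443 511
"""

def parse_conn_log(text):
    """Group connection timestamps by (src, dst, dport) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, _bytes_out = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows

def beacon_score(timestamps):
    """Return (period, jitter): mean gap between consecutive connections and
    its coefficient of variation. 0.0 jitter means perfectly regular timing."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return 0.0, float("inf")          # too few connections to judge
    period = mean(gaps)
    return period, (pstdev(gaps) / period if period else float("inf"))

def find_beacons(flows, min_hits=4, max_jitter=0.15):
    """Flag flows whose check-in interval is regular enough to look like an
    automated C&C poll rather than a human-driven session (assumed thresholds)."""
    hits = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        period, jitter = beacon_score(stamps)
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "hits": len(stamps), "period_s": round(period),
                         "jitter": round(jitter, 3)})
    return hits
```

Running `find_beacons(parse_conn_log(SAMPLE_LOG))` flags only the 10.0.0.5 flow, which checks in every 300 seconds; the second flow has irregular, browsing-like gaps and is left alone.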