GReAT Ideas follow-up
On June 17, we hosted our first “GReAT Ideas. Powered by SAS” session, in which several experts from our Global Research and Analysis Team shared insights into APTs and threat actors, attribution, and hunting IoT threats.
Here is a brief summary of the agenda from that webinar:
- Linking attacks to threat actors: case studies by Kurt Baumgartner
- Threat hunting with Kaspersky’s new malware attribution engine by Costin Raiu
- Microcin-2020: GitLab programmers ban, async sockets and the sock by Denis Legezo
- The next generation IoT honeypots by Dan Demeter, Marco Preuss, and Yaroslav Shmelev
Sadly, the two hours of the session were not enough for answering all of the questions raised, therefore we try to answer them below. Thanks to everyone who participated, and we appreciate all the feedback and ideas!
Questions about threat actors and APTs
- How do you see Stonedrill deployment comparing now? Its discovery was based on lucky structural similarities with Shamoon, but do you see it actively used or correlating to the spread of this malware?
There is some 2020 activity that looks like it could be Stonedrill related, but, in all likelihood, it is not. We are digging through details and trying to make sense of the data. Regardless, wiper activity in the Middle East region from late 2019 into early 2020 deployed code dissimilar to Stonedrill but more similar to Shamoon wipers. We stuck with the name “Dustman” – it implemented the Eldos ElRawDsk drivers. Its spread did not seem Stonedrill related.
At the same time, no, the Stonedrill discovery was not based on luck. And, there are multiple overlaps between Shamoon 2.0 and Stonedrill that you may review under “Download full report” in ‘From Shamoon to StoneDrill‘ blogpost. You might note that Stonedrill is a somewhat more refined and complex code, used minimally.
While the Shamoon spreader shared equivalent code with Orangeworm’s Kwampirs spreader, and are closely linked, we have not seen the same level of similarity with Stonedrill. However, several of the Shamoon 2.0 executables share quite a few unique genotypes with both Stonedrill and Kwampirs. In the above paper, we conclude that Stonedrill and Shamoon are most likely spread by two separate groups with aligned interests for reasons explained in the report PDF. Also, it may be that some of the codebase, or some of the resources providing the malware, are shared.
- Do the authors of Shamoon watch these talks?
Perhaps. We know that not only do offensive actors and criminals attempt to reverse-engineer and evade our technologies, but they attempt to attack and manipulate them over time. Attending a talk or downloading a video later is probably of interest to any group.
- Are there any hacker-for-hire groups that are at the top level? How many hacker-for-hire groups do you see? Are there any hacker-for-hire groups coming out of the West?
Yes. There are very capable and experienced hack-for-hire groups that have operated for years. We do not publicly report on all of them, but some come up in the news every now and then. At the beginning of 2019, Reuters reported insightful content on a top-level mercenary group and their Project Raven in the Middle East, for example. Their coordination, technical sophistication and agile capabilities were all advanced. In addition to the reported challenges facing the Project Raven group, some of these mercenaries may be made up of a real global mix of resources, presenting moral and ethical challenges.
- I assume Sofacy watches these presentations. Has their resistance to this analysis changed over time?
Again, perhaps they do watch. In all likelihood, what we call “Sofacy” is paying attention to our research and reporting like all the other players.
Sofacy is an interesting case as far as their resistance to analysis: their main backdoor, SPLM/CHOPSTICK/X-Agent, was modular and changed a bit over the course of several years, but much of that code remained the same. Every executable they pushed included a modified custom encryption algorithm to hide away configuration data if it was collected. So, they were selectively resistant to analysis. Other malware of theirs, X-Tunnel, was re-coded in .Net, but fundamentally, it is the same malware. They rotated through other malware that seems to have been phased out and may be re-used at some point.
They are a prolific and highly active APT. They added completely new downloaders and other new malware to their set. They put large efforts into non-executable-based efforts like various credential harvesting techniques. So, they have always been somewhat resistant to analysis, but frequently leave hints in infrastructure and code across all those efforts.
Zebrocy, a subset of Sofacy, pushed malware with frequent changes by recoding their malware in multiple languages, but often maintain similar or the same functionality over the course of releases and re-releases. This redevelopment in new and often uncommon languages can be an issue, but something familiar will give it away.
- Have we seen a trend for target countries to pick up and use tools/zero-days/techniques from their aggressors? Like, is Iran more likely to use Israeli code, and vice versa?
For the most part, no, we don’t see groups repurposing code potentially only known to their adversary and firing it right back at them, likely because the adversary knows how to, and probably is going to watch for blowback.
Tangentially, code reuse isn’t really a trend, because offensive groups have always picked up code and techniques from their adversaries, whether or not these are financially motivated cybercriminal groups or APT. And while we have mentioned groups “returning fire” in the past, like Hellsing returning spear-phish on the Naikon APT, a better example of code appropriation is VictorianSambuca or Bemstour. We talked about it at our T3 gathering in Cancun in October. It was malware containing an interesting zero-day exploit that was collected, re-purposed, touched up and re-deployed by APT3, HoneyMyte and others. But as far as we know, the VictorianSambuca package was picked up and used against targets other than its creator.
Also, somewhere in the Darkhotel/Lazarus malware sets, there may be some code blowback, but those details haven’t yet been hammered out. So, it does happen here and there, maybe out of necessity, maybe to leave a calling card and shout-out, or to confuse matters.
- If using API-style programming makes it easier to update malware, why don’t more threat actors use it?
I think here we are talking about Microcin last-stage trojan exported function callbacks. Nobody could tell for sure, but from my point of view, it’s a matter of the programmer’s experience. The “senior” one takes a lot into consideration during development, including architectural approach, which could make maintenance easier in the future.
The “junior” one just solves the trojan’s main tasks: spying capabilities, adds some anti-detection, anti-analysis tricks, and it’s done. So maybe if the author has “normal” programming experience, he carefully planned data structures, software architecture. Seems like not all of the actors have developers like that.
- Have you seen proxying/tunneling implants using IOTs for APT operations, such as the use of SNMP by CloudAtlas? Do you think that’s a new way to penetrate company networks? Have you ever encountered such cases?
We watched the massive Mirai botnets for a couple years, waiting to see an APT takeover or repurposing, and we didn’t find evidence that it happened. Aside from that, yes, APT are known to have tunneled through a variety of IOT to reach their intended targets. IOT devices like security web cams and their associated network requirements need to be hardened and reviewed, as their network connections may lead to an unintended exposure of internal resources.
With elections around the world going on, municipalities and government agencies contracting with IT companies need to verify attack surface hardening and understand that everything, from their Internet-connected parking meters to connected light bulbs, can be part of a targeted attack, or be misused as a part of an incident.
- How often do you see steganography like this being used by other actors? Any other examples?
Steganography isn’t used exclusively by the SixLittleMonkeys actor for sure. We could also mention here such malware as NetTraveller, Triton, Shamoon, Enfal, etc. So, generally, we could say the percentage of steganography usage among all the malicious samples is quite low, but it happens from time to time.
The main reason to use it from malefactors’ point of view is to conceal not just the data itself but the fact that data is being uploaded or downloaded. E.g. it could help to bypass deep packet inspection (DPI) systems, which is relevant for corporate security perimeters. Use of steganography may also help bypass security checks by anti-APT products, if the latter cannot process all image files.
Questions about KTAE (Kaspersky Threat Attribution Engine)
For more information, please also have a look at our previous blogpost, Looking at Big Threats Using Code Similarity. Part 1, as well as at our product page.
- What are “genotypes”?
Genotypes are unique fragments of code, extracted from a malware sample. - How fine-grained do you attribute the binaries? Can you see shared authors among the samples?
KTAE does not include author information per se. You can see shared relevant code and strings overlaps. - Are genotypes and YARA rules connected?
Not directly. But you can use genotypes to create effective YARA rules, since the YARA engine allows you to search for byte sequences. - How many efforts do you see for groups to STEAL+REUSE attribution traces on purpose?
We have seen such efforts and reported about them, for example with OlympicDestroyer - How do you go about removing third-party code sharing?
We incorporated our own intelligence to only match on relevant parts of the samples. - Do genotypes work on different architectures, like MIPS, ARM, etc.? I’m thinking about IoT malware.
Yes, they work with any architecture. - What determines your “groundtruth”?
Groundtruth is a collection of samples based on our 20+ years of research and classification of malware. - Can KATE be implemented in-house?
We offer multiple options for deploying KTAE. Please get in touch with us for more info: https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool. - For the attribution engine, would you expect APT-group malware authors to start integrating more external code chunks from other groups to try to evade attribution?
We see such behavior; please refer to Question 12 above. - Do you feel more manufacturers will follow Kaspersky’s suit in letting victims know the threat actors behind malware detections on endpoints?
At the moment, KTAE is a standalone solution not integrated in endpoints. - What is the parameter for looking at the similarity in malware code? Strings? Packer? Code? What else?
KTAE uses genotypes to match similarities. - How do I make a difference, if for example, I am a threat actor and reuse the code form some APT Group? How to define it is really the same actor and not just an impersonator who used the same code or malware, or reused the malware for my operation?
KTAE handles code similarities for malware samples to provide relevant information on that basis. Further information to be used for attribution may be TTPs, etc. for which you may find our Kaspersky Threat Intelligence Services helpful. - I guess the follow-up is,- will they be able to evade the attribution after watching these webinars, learning about the attribution engine?
It’s known that such techniques can be used to do technical attribution on malware-sample basis. Attempts at evading these would mean knowing all the details and metrics and database entries (including updates) to check against something rather complex and difficult. - Can you start taking the samples submitted by CYBERCOM and just post publicly what KTAE says in the future?
We are posting certain interesting findings, e.g. on Twitter. - How do we buy KTAE? Is it a private instance in our own org or hosted by you?
We offer multiple options for deploying KTAE. Please get in touch with us for more info: https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool. - Can you expand on how you identify a genotype and determine that it is unique?
Genotypes are unique fragments of code, extracted from a malware sample. As for uniqueness, there is a good reference: the Fruit Ninja Game. We played Fruit Ninja and extracted (sliced) genotypes from all good programs that are known to us, then we did the same with malicious samples and samples marked as APTs. After that operation, we knew all genotypes that belonged to good programs and removed them from the databases that belonged to bad ones. We also save the numbers of times genotypes appear in the samples, so we can identify the really unique stuff. - How many zero-day vendors do you see with this engine?
KTAE is not handling vulnerabilities but only code fragments and such, for similarity checks. - In the future, do you see a product like KTAE being integrated into security offerings from Kaspersky, so that samples can be automatically scanned when detected as an alert, as opposed to individually uploading them?
We are planning to do cross-product integration. - Have you run The Shadowbrokers samples through KTAE and if so, were there any unexpected overlaps?
Yes, we did. We found an overlap between Regin samples and cnli-1.dll - Could it be easy for a threat actor to change code to avoid KTAE identification?
Theoretically, yes. Assuming they produce never-before-seen genotypes, KTAE might miss classifying that malware. With that being said, generating completely new genotypes requires a lot of time and money, plus a lot of careful work. We wish threat actors good luck with that. 🙂 - When you attribute a campaign, do you also consider some aspects relating to sociopolitical events?
At Kaspersky, we only do technical attribution, such as based on similarities in malware samples or TTPs of groups; we don’t do attribution on any entity, geopolitical or social level.
Questions about IoT threats and honeypots
If you want to join our honeypot project, please get in touch with us at [email protected].
- Do you have any IoT dataset available for academia?
Please get in touch with us via our email address listed above ([email protected]). - How does a system choose which honeypots to direct an attack at?
We developed this modular and flexible infrastructure with defined policies to handle that automatically, based on the attack. - Okay, so, soon, IoT malware will do a vmcheck before it loads…. Then what?
In our honeypots, we use our own methods to defeat anti-VM checks. Depending on future development of malware, we are also prepared to adjust these to match actual vmcheck methods. - Do the honeypots support threat intelligence formats like STIX and TAXII?
Currently, such a feature is not available yet. If there is interest, we can implement this to improve the use for our partners. - Can anyone partner with you guys? Or do they need certain visibility or infrastructure to help out?
Anyone with a spare IP-address and able to host a Linux system to receive attacks can participate. Please get in touch with us at honeypots[at]kaspersky[dot]com.
Questions about Kaspersky products and services
- What new technology has Kaspersky implemented in their endpoint product? As EDR is the latest emerging technology, has Kaspersky implemented it in their endpoint product?
Kaspersky Endpoint product contains EDR besides other cutting-edge technologies. There are more details listed here on the product page. - What do you think of the Microsoft Exchange Memory Corruption Vulnerability bug? How can Kaspersky save the host system in such attacks?
We should know the CVE number of the bug the question refers to. From what we know, one of “loud” bugs that was fixed recently was CVE-2020-0688. It is referenced here. We detect this vulnerability in our products using the Behavior Detection component with the verdict name: PDM:Exploit.Win32.GenericAlso, Kaspersky products have vulnerability scanners that notify you about vulnerabilities in installed software, and we also provide a patch management solution for business environments that helps system administrators handle software updates for all computers and servers on the corporate network. - How can a private DNS protect the Host System from attacks?
While DNS is a key component of the Internet, disrupting DNS queries can impact a large portion of Internet users. We know for sure the people running DNS Root servers are professionals and know their job really well, so we are not worried that much about Root servers being disrupted. Unfortunately, attackers sometimes focus on specific DNS resolvers and manage to disrupt large portions of the Internet, as in the 2016 DDoS against the Dyn DNS resolver. Although it is limited in its use, a private DNS system can protect against large DDoS attacks, because it will be private and may be harder to reach by the attackers.
Advanced questions raised
We are not afraid of tough questions; therefore, we did not filter out the following ones.
- Where can we get one of those shirts Costin is wearing?
We are about to launch a GReAT merchandise shop soon – stay tuned. - Who cut Jeff’s hair?
Edward Scissorhands. He’s a real artist. Can recommend. - Did Costin get a share from the outfits found in the green Lambert’s house when it got raided?
We can neither confirm nor deny. - Who is a better football team, Steelers or Ravens?
Football? Is that the game where they throw frisbees?
We hope you find these answers useful. The next series of the GReAT Ideas. Powered by SAS webinars, where we will share more of our insights and research, will take place on July 22. You can register for the event here: https://kas.pr/gi-sec
As we promised, some of the best questions asked during the webinar will be awarded with a prize from the GReAT Team. The winning questions are:
“Are there any hacker for hire groups that are at the very top level? How many hackers-for-hire groups do you see? Are there any hacker for hire groups coming out of the west?”
“Can you expand on how you identify a genotype and determine that it is unique?”
We will contact those who submitted these questions shortly.
Feel free to follow us on Twitter and other social networks for updates, and feel free to reach out to us to discuss interesting topics.
On Twitter:
- Costin Raiu: @craiu
- Kurt Baumgartner: @k_sec
- Denis Legezo: @legezo
- Dan Demeter: @_xdanx
- Marco Preuss: @marco_preuss
- Yury Namestnikov: @SomeGoodOmens
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.