CyberWire Daily - Advanced adware with nation-state tactics. [Research Saturday]
Episode Date: February 3, 2018
Adware is generally considered unsophisticated, and because of its low perceived threat level it's often ignored. Researchers at the Booz Allen Dark Labs' Advanced Threat Hunt Team have recently published research describing a more advanced type of adware, using infection techniques usually attributed to nation-state actors. Jay Novak is a threat hunter and tech lead at Booz Allen, and he takes us through their research.
Transcript
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Adware in general, its purpose is to serve ads to the target. And in general, it will persist on disk. It'll start up in some known way, usually by an auto run.

That's Jay Novak. He's a threat hunter and tech lead at Booz Allen Hamilton's Dark Labs Advanced Threat Hunt team. The research he's discussing today is called Advanced Persistent Adware, Analysis of Nation-State Level Tactics.
It's generally considered pretty unsophisticated. When you think about the profit margin that an adware provider is going to get, they're not going to be generating a ton of revenue unless it's a very widespread operation. And if it's a company that is creating this piece of adware or some organization that's creating this piece of adware, they're not going to spend a lot of time developing it or utilizing sophisticated techniques to help it hide. So it's usually pretty easy to detect, pretty easy to find, and relatively unsophisticated.

And so the purpose of run-of-the-mill adware is to inject an ad in a, I guess, a surreptitious way and unintentionally onto your system in sort of a sneaky way, and that's why it's considered malware?

Yeah, that's right. So your sort of run-of-the-mill adware will be an executable that's on disk. And when it starts in its simplest form, it will just launch Internet Explorer and send Internet Explorer to some known page that will serve an ad to the user.
So what you all discovered here is a bit more sophisticated than that. Take us through what you found.

Yeah, so on the Advanced Threat Hunt team, we've created a set of sort of, you know, technology analytics and processes around a hypothesis-driven approach to threat hunting. And when we were looking at a particular network utilizing this process, we were going through a particular analytic that helps us find WScript use on Windows systems. One of our analysts saw a WScript executing a piece of JavaScript code that on the command line had a bunch of obfuscated base64 encoded arguments. And these arguments pointed towards a further obfuscated encrypted blob on disk or semi-encrypted blob on disk. And so essentially what he had found was a JavaScript program that had multiple arguments being passed into it that then was making a call out to the Internet, and sort of your level of suspicion, kind of alarm bells, go off at this point. And we decided, you know, this is worth a further look, right? We didn't really know it was adware at the time, but it was definitely worth diving into. What we discovered from there through reverse engineering the JavaScript and by doing a little bit of digging in terms of how this thing was persisted, we sort of found two things. We found that the program, this malware, was utilizing a technique that we generally only see in very sophisticated campaigns. The only thing that's persisted to disk itself is something that's very lightweight, very, you know, mutable, so that signatures like, you know, your normal IOCs don't necessarily work because it can be changed so easily. And it's also lightweight and easy to develop and easy to change. So if some heuristic based signature is developed for the thing that is on disk, you know, that can be changed really easily by the actor. So this is kind of a level of sophistication in terms of its, you know, operational security and protecting itself as a tool that an attacker could use. Definitely pointed us towards thinking that this was something that was maybe a little bit different than your normal, you know, run of the mill sort of adware or commodity malware.

Yeah, walk us through how this works. Take us through it step by step. What did you discover?

The first thing that we discovered, again,
was this JavaScript. And then after we discovered the JavaScript, we went back and looked at a different analytic that we run on all of our endpoints that we're trying to hunt in. And that analytic looks for kind of known persistence mechanisms. And we discovered a correlation between a scheduled task that was actually running the WScript and then the WScript, you know, kicking off this JavaScript job. We actually didn't have access to go back to this particular endpoint and watch what was happening sort of dynamically in real time, so that's why we had to hand off the JavaScript to our malware reverse engineers. They took a look at the JavaScript and noticed immediately this call-out domain. Also, after de-obfuscating pieces of the JavaScript, they realized that what it was doing was calling out to this domain, downloading an extra little bit of JavaScript that was encrypted using an algorithm that we haven't been able to crack yet, but downloading a second piece of JavaScript and then allowing that to run only in memory. That call-out domain was something that then we used to look in various other environments that we're currently hunting in. By using that domain, we were actually able to find multiple instances of this, not only in the first place where we found it, but across a couple of other networks as well. From there, we did a lot of pivoting analysis, sort of outside of the wire, so to speak, where we took that domain and looked at various enrichment sources. By sort of pivoting off of that domain, we found other domains that were related. And those other domains pointed to older versions of this malware that then we discovered was part of this overall adware campaign.

So what is your sense of what the motivation is here?
Do you have a feeling that they're targeting particular people?

No, this doesn't seem to be particularly targeted. I think that that's one of the things that was kind of interesting to us. Commodity malware, and we sometimes fall into this trap too, but commodity malware, you know, adware, crimeware, certain variants of crimeware, some of these things tend to get ignored during SOC operations because they're not targeted. But I think for us, one of the reasons why we wanted to make sure to put out this blog post is because it's not just evidence of adware using advanced persistent techniques, but it's evidence of sort of a larger story that adversaries from adware developers all the way up to APTs, cyber criminals, and everything in between, they're starting to use these techniques that we generally thought were only for a small piece of the adversaries out there. And since they're being used by more people, that means that organizations really have to take a hard look at how they're going to detect that type of behavior.
find those unknown unknowns, bring them to light, and then create this iterative process around creating new analytics and really kind of keeping up with those adversaries and changing the way that that arms race happens between us as defenders and them as attackers.
What kind of information was this looking for specifically? Do you have a sense on that?
This particular adware, the final stage executable that's downloaded and run, it appears to mostly be for the purpose of serving adware, but not to be over speculative here, but the adware itself is something that's persisted on disk and does have the ability to execute arbitrary code. So we don't have any evidence that anything more nefarious was going on here, but it's certainly not something that organizations should ignore just based on the fact that it could be running other executables.

So it could be as simple as serving up adware, but it's possible that it's in a sense a misdirection that could later do other things.
Yeah, a misdirection, or, you know, there's been evidence in the past of sort of these, you know, malvertising campaigns where even companies that think that, you know, they're doing something relatively benign, and by companies, I mean these organizations that are serving adware, they're doing something that's relatively benign, but really there's some other entity that is utilizing this to do a more targeted attack.
Take me through the process of hypothesis-driven behavioral-based analytics. That's something that you all used here. Shed some light on that. How does that work?

What we're attempting to do is use our ideas about how adversaries operate. So we have, you know, a lot of people on the team come from sort of a red team pen testing background. And some people on the team come from malware reverse engineering. And some people on our team come from sort of a cyber threat intelligence background. And so we try to put on our different hats as we go through and come up with what we call hunt analytics. And we put these hunt analytics in our hunt analytics library. And we try to take each one of them, which we treat as sort of a hypothesis about how an adversary might act in a particular network. And out of each one of these analytics, what happens is we develop haystacks. And in these haystacks, we can add all of our enrichment information, such as domain registration information or information from a third party like VirusTotal or RiskIQ. And all of that enrichment data comes together to help us quickly triage each haystack. A haystack might have 10 things that we have to triage and another haystack might have a thousand things that need to be triaged. And so we try to bring in as much information as possible. And all of this really sort of starts with, to the point about behavioral analysis, it all starts with getting data from these organizations that we're trying to protect. And so that data can be network data that's generated by network sensors. But really, we find a lot of really, really good information when we start querying endpoint detection and response tools to get both the telemetry and the forensic style data directly from the endpoints for our haystacking.

So this isn't the sort of thing that a standard antivirus tool would be likely to detect?

So in this particular case for the advanced persistent adware, an AV could absolutely write a signature to detect this JavaScript blob that's on disk. And they could write a signature that maybe even triggers off of something as easy as the MD5 of that blob. Maybe it triggers off the fact that it's obfuscated JavaScript. There's certainly things that they could do. The problem is that the nature of this particular persistence mechanism, of the way that the stage two is being delivered, is it's so changeable that an attacker could have a library of AVs installed on a computer somewhere. And as soon as, you know, their JavaScript blob gets detected, they could change it such that it would no longer be detected. So it's not necessarily that they're sort of doing something that's inherently not able to detect it, but they're certainly able to change things so quickly that an AV can't really keep up with the large volume of the different permutations of this type of malware.
I see. So in terms of attribution, do you have any thoughts there?
It's not really something that we can comment on at this time. I think, from an attribution standpoint, which is maybe a little bit more important, when you talk about attribution, you can say he or she did it, or you can talk about this is sort of a grouping of activity that's part of an overarching campaign. In terms of the grouping of activity that's part of an overarching campaign, this is adware that's very prevalent. If you follow the research in the blog, you probably can connect the dots and find out more information about it. But it's certainly something that's out there and can be tied to this campaign of adware for this specific delivery mechanism.
I see. So in terms of advice for people to protect themselves against this, what do you suggest?

For organizations that want to detect this type of threat, specifically to this particular sort of advanced persistent adware, I think that there are some very specific things that you can do. But more importantly, I think that for an organization that wants to detect advanced threats, it's going to take a little bit of introspection, right? You know, asking yourself as an organization, do you have the analytics that say, I want to look for all WScript execution on all of my endpoints under my control? If the answer to that is yes, I have that idea, that's a hypothesis that I want to follow, then the next question is, do I actually have that data? How do I collect that data? And how do I query that data? And then finally, it's, do I have the people and the processes in place to really go through those haystacks? Because something like, you know, give me every single time WScript.exe is executed, that's not necessarily going to be a haystack full of malicious things. The vast majority of that is going to be benign. So you really have to have a well-trained staff that understands when something meets the threshold for malicious behavior.

And you can find it on their website.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. Thank you.