APT attackers getting more evasive, even more persistent

Stealth has always been a hallmark of Advanced Persistent Threats (APTs), but the authors of this malware are ratcheting up their efforts to evade detection by system defenders.

Not only have they honed their skills at simulating legitimate documents likely to be opened by the targets they're sent to, but they're also sharpening their delivery techniques to avoid detection.

"The new breed of APT attacks are not monolithic, rather they are blended, relying on numerous infiltration techniques," said FireEye in its Advanced Threat Report for the second half of 2012. The report was released this week.

It cited one APT attack that incorporated well-known documents and white papers into its phishing campaign to infect a target. "The attackers took these normally safe documents and weaponized them," the report said. "These documents were weaponized with a variation of three PDF exploits and two Word exploits."

Two new evasion techniques identified in the report involve recognizing mouse clicks and virtual machines.

With the mouse technique, the malware would not perform an operation unless a computer's mouse was in use. It did that to fool an organization's cyber defenses, according to Rob Rachwald, director of research and communications at Milpitas, Calif.-based FireEye.

"It made it look to detection systems like it was software run by a human," he said in an interview. "We've seen some of this in the past, but we've seen more emphasis on this today."

The tactic may be a reaction to companies "sandboxing" applications to catch bad apps before they can damage a system. "It's an effort to bypass traditional, less-sophisticated sandbox technology," Rachwald said.

The virtual machine ploy is a simple one. The malware won't run if it detects that it has landed on a virtual machine. That tactic addresses a growing trend among defenders to use virtual machines to run sketchy apps to determine whether or not they're malware.

"The problem is some of them aren't doing it in a very sophisticated way," Rachwald noted. That allows malicious programs to pass the virtual machine test and continue on their infectious path.
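As an added illustration (not from the FireEye report or this article), the following Python check runs over a constructed sandbox API-call trace and flags the two gating behaviours described above: a sample that keeps polling for user input without ever doing anything, and a sample that reads a VM artifact and exits right away. The API names, VM hint strings and trace format are assumptions about what a sandbox records, not any vendor's actual output.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed vocabulary for a sandbox call trace; adjust to what your sandbox logs.
INPUT_PROBES = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"}
VM_HINTS = ("vbox", "vmware", "virtual", "qemu", "hyper-v")
PAYLOAD_APIS = {"CreateProcess", "WriteFile", "InternetOpen", "CreateRemoteThread"}
EXIT_APIS = {"ExitProcess", "TerminateProcess"}


@dataclass
class Event:
    t: float       # seconds since the sample started
    api: str       # API name as logged by the sandbox
    arg: str = ""  # first string argument, if the sandbox recorded one


def analyze(trace, min_polls=10, exit_window=2.0):
    """Return a list of evasion findings for one sandbox run.

    input-gated: many input polls and no payload-like call at all.
    vm-gated: a VM artifact is touched and the process exits within
    exit_window seconds, again with no payload-like call.
    """
    counts = Counter(e.api for e in trace)
    polls = sum(counts[a] for a in INPUT_PROBES)
    did_payload = any(e.api in PAYLOAD_APIS for e in trace)
    findings = []
    if polls >= min_polls and not did_payload:
        findings.append(f"input-gated: {polls} input polls, no payload activity")
    vm_probe = next((e for e in trace
                     if any(h in e.arg.lower() for h in VM_HINTS)), None)
    exit_ev = next((e for e in trace if e.api in EXIT_APIS), None)
    if vm_probe and exit_ev and not did_payload:
        gap = exit_ev.t - vm_probe.t
        if 0 <= gap <= exit_window:
            findings.append(f"vm-gated: exit {gap:.1f}s after probing {vm_probe.arg!r}")
    return findings


# Constructed traces for demonstration; not real sandbox output.
MOUSE_GATED = [Event(0.1 * i, "GetCursorPos") for i in range(1, 31)]
VM_GATED = [Event(0.2, "RegOpenKey", r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"),
            Event(0.5, "ExitProcess")]
ACTIVE = [Event(0.1, "GetCursorPos"),
          Event(0.3, "InternetOpen", "http://example.test/"),
          Event(0.4, "WriteFile", "dropped.bin")]

if __name__ == "__main__":
    for name, trace in (("mouse", MOUSE_GATED), ("vm", VM_GATED), ("active", ACTIVE)):
        print(name, analyze(trace))
```

A sample flagged this way is a candidate for a second run in an environment that simulates mouse movement and hides VM artifacts, which is the kind of sandbox sophistication Rachwald says is missing.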

APT mongers are becoming more savvy at countering defensive measures mounted against them, according to Ken Silva, senior vice president of cyber strategy at ManTech International in Fairfax, Va.

"The more common that the defensive tools become, the craftier [malware writers] are about how they get around those tools, how they detect them and how they hide from them," he said in an interview.

Once net marauders breach a system, they're also being more careful about avoiding detection. "They're not leaving traces on a hard disk," Silva noted. "They're just loading into memory and staying in memory."

That can be precarious because if a machine is rebooted, the malware will disappear. However, Silva explained, "In a large enterprise, you can often find a server that's on 24 hours a day."

Jon Clay, a senior manager at Trend Micro in Cupertino, Calif., agreed that data bandits are getting more adept at covering their tracks after compromising a system. "The bad guys have added a maintenance phase to allow them to remain persistent a lot longer," he said.

"A lot of that involves cleaning up after they're done with a system," he continued. "As they move from one system to another, they're going to wipe their tracks from a previous machine.

"That's happening on a regular basis," he added.

On the plus side for defenders, awareness of APTs has risen over the last year due to some high-profile incidents -- notably the attacks on major U.S. media outlets -- and comments by high-ranking government officials, including President Barack Obama.

"A year ago, these things were happening and they weren't talked about very much," George Tubin, a senior security strategist with Trusteer in Boston, said in an interview. "Enterprises found compromised computers and would keep quiet about it.

"We still see a lot of that today," he continued, "but more and more institutions are becoming more public when they do discover APTs."

By John P. Mello Jr.