In the last few years, APT attacks conducted by individual cybercriminals, organized crime and state-sponsored groups have become prevalent and sophisticated, bypassing standard security controls such as
APT, or Advanced Persistent Threat, is a sophisticated attack in which a person or group attains access to a network and remains undetected for an extended period of time.
The DarkHydrus APT Attack
Let’s have a closer look at how APT threat actors operate by examining a recent APT attack, in this case one by the DarkHydrus advanced persistent threat (APT) group. DarkHydrus returned in January 2019, abusing Windows vulnerabilities to infect victims and using Google Drive as an alternative communications channel, with the following modus operandi.
DarkHydrus initiated its APT attack using open-source phishing tools. It sent out fake emails with Word attachments to targeted organizations, in particular government and educational institutions in the Middle East. These Word attachments contained embedded VBA macros that were triggered once the Word files were opened. The macro dropped a text file to a temporary directory before utilizing the legitimate regsvr32.exe to run the text file. A PowerShell script was also dropped, which unpacked Base64 content to execute OfficeUpdateService.exe (a backdoor written in C#). This backdoor was a variant of the RogueRobin Trojan. The malware created new registry files and deployed anti-analysis techniques, including avoidance of machine detection and sandbox detection, and anti-debug code. The backdoor also contained a PDB path with the project name "DNSProject", quite likely to be used in future attacks. The malware went on to steal system information, including hostnames. The stolen data was sent to DarkHydrus’s Command & Control (C2) server through a DNS tunnel. If this DNS tunnel was not available to communicate with the C2 server, the Trojan went on to execute its "x_mode", using Google Drive as an alternative file server. Once executed, the Trojan received a unique identifier for use in Google Drive API requests.
This latest example illustrates how APT groups use the full spectrum of known and available intrusion techniques to get results. These groups also have the expertise and technology to create custom malware (in this case the RogueRobin Trojan) and techniques to achieve their goals.
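The delivery step described above (a Word macro handing a text file in a temporary directory to regsvr32.exe) leaves a recognizable process-creation pattern. The following detection sketch is an added example, not code from the original article or from any vendor; the event field names, host names and file names are constructed assumptions.

```python
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
REGISTRABLE_EXT = {".dll", ".ocx"}  # what regsvr32.exe normally registers
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed process-creation events (field names are assumptions, not incident data).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\example.txt"'},
    {"host": "WS-020", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"host": "WS-031", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\bob\notes.txt"},
]


def regsvr32_targets(command_line):
    """Return the file arguments of a regsvr32 command line (switches removed)."""
    args = re.findall(r'"[^"]*"|\S+', command_line)[1:]
    return [a.strip('"') for a in args if not a.startswith(("/", "-"))]


def suspicious_reasons(event):
    """List why a process-creation event resembles the chain described above."""
    if ntpath.basename(event["image"]).lower() != "regsvr32.exe":
        return []
    reasons = []
    if ntpath.basename(event["parent_image"]).lower() in OFFICE_PARENTS:
        reasons.append("office-parent")
    for target in regsvr32_targets(event["command_line"]):
        if ntpath.splitext(target)[1].lower() not in REGISTRABLE_EXT:
            reasons.append("non-dll-target")
        if TEMP_DIR.search(target):
            reasons.append("temp-dir-target")
    return reasons


def triage(events):
    """Return (host, reasons) for every event that matched at least one check."""
    return [(e["host"], r) for e in events if (r := suspicious_reasons(e))]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Only the first constructed event is reported; the installer registering a DLL and the unrelated notepad.exe launch produce no reasons.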
The Signs of an APT Attack
Due to its obfuscated nature, detection of APT attacks is challenging. However, there are some signs that organizations can pay attention to:
Unexpected traffic in the form of unusual data flows from internal devices to other internal or external devices. This could be a sign that communication with a C2 server is taking place.
Suspicious logons, when privileged accounts are being accessed outside business hours. This could indicate that APTs are spreading rapidly throughout the network, collecting valuable information.
Recurring malware, especially malware creating backdoors. This type of breach gives the APT threat actors a way to exploit the network in the future. A backdoor is present when mitigated malware keeps returning and infiltrating the network.
Unexpected data bundles consisting of gigabytes of data appearing at locations where that data should not be present. This could indicate APT activity, especially if the data is compressed in archive formats that the organization normally would not use.
As we have seen in the DarkHydrus APT attack, cybercriminals go after specific targets. If certain employees in the organization keep on being targeted by spear-phishing emails, APT attackers could be at work.
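For the first sign, unexpected traffic, DNS tunnelling of the kind used in the DarkHydrus attack tends to show up as one client sending many long, random-looking subdomains under a single parent domain. The heuristic below is an added example, not part of the original article; the thresholds, IP addresses and domains are constructed assumptions to be tuned against real resolver logs.

```python
import base64
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary host names."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def tunnel_candidates(queries, min_unique=5, min_avg_len=20, min_entropy=3.5):
    """Flag (client, parent domain) pairs whose subdomains look like encoded data."""
    seen = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) > 2:
            # Assumption: the parent domain is the last two labels (no public-suffix list).
            seen[(client, ".".join(labels[-2:]))].add("".join(labels[:-2]))
    flagged = []
    for (client, parent), subs in sorted(seen.items()):
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged.append((client, parent, len(subs)))
    return flagged


def constructed_queries():
    """Constructed (client IP, query name) pairs using reserved example domains."""
    tunnel = [("10.0.0.23", base64.b32encode(f"host-info-chunk-{i:02d}".encode())
               .decode().rstrip("=").lower() + ".c2.example") for i in range(8)]
    benign = [("10.0.0.23", "www.example.org"), ("10.0.0.23", "mail.example.org")]
    benign += [("10.0.0.41", f"cdn{i}.example.net") for i in range(8)]
    return tunnel + benign


if __name__ == "__main__":
    for hit in tunnel_candidates(constructed_queries()):
        print(hit)
```

The client querying eight short `cdn` names is not flagged, because the check requires volume, length and entropy together.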
When it comes to the cybersecurity framework, the initial intrusion phase is the most crucial part of the kill chain for APT attackers; it is therefore critical to try to prevent possible attacks at this stage. This requires a proactive approach that will contribute to preventing cybercrime damage, which Forbes currently estimates will reach $2 trillion annually by 2019.
Protection Against an APT Attack
There are various ways that organizations can protect themselves against APT attacks:
Building and maintaining a strong cybersecurity framework, based on layers of defenses (security solutions, policies, employee awareness) that are deployed across the organization.
Testing the organization’s security posture by using Breach & Attack Simulation (BAS) which will analyze vulnerabilities and suggest improvements to boost security.
Investing in automated solutions that allow for running assessments at prescheduled times, as well as ad hoc in case of a new threat in the wild.
Developing strategic and tactical threat intelligence tailored to the organization for identifying potential risks and vulnerabilities.
Investing in a top-notch cybersecurity team and CISO (depending on the size of the organization) and giving them the tools they need.
As part of having a strong cybersecurity framework in place, testing the organization’s security posture with a Breach & Attack Simulation (BAS) is essential. It will allow the CISO or cybersecurity team to analyze vulnerabilities and suggest improvements to boost security. An automated solution such as Cymulate’s BAS platform allows for running assessments at prescheduled times, as well as ad hoc in case of a new threat in the wild.