Using Behavioral Analytics to Detect Malicious Campaigns and Targeted Attacks

Transcription

1 THREAT ADVISORY Using Behavioral Analytics to Detect Malicious Campaigns and Targeted Attacks Niara Threat Advisories provide timely information regarding new attacks and information on how Niara helps companies quickly detect an attack to limit its impact and prevent it from establishing a persistent presence within the organization. For more details on Niara s capabilities or to schedule a demo to see Niara in action, contact us at info@niara.com or at What did Niara discover? Niara discovered that spoofing of sender domains was a primary infection vector in credential phishing and malicious s despite the complete absence of any suspicious payloads (e.g., known malicious attachments or URLs) in the s that would have triggered perimeter defenses or security monitoring rules. Niara categorized the spoofing of sender s into -based crime campaigns, which were directed at multiple recipients, and targeted attacks, which focused on specific individuals. This distinction is important because it enables security analysts to focus on the attacks that matter. -based crime campaigns are typically meant to probe weak spots and set the stage for future exploits, whereas targeted attacks use personalized knowledge about the target to cause more immediate damage. Through analysis performed by Niara s security research team, Niara also categorized the campaigns and targeted attacks by the TTPs (tools, techniques or procedures) used by attackers. These details help security analysts determine if their organization has been a target of these attacks to ensure that they take the proper steps for remediation. In this threat advisory, Niara also provides concrete indicators of compromise (IoCs) that can be used in conjunction with the Niara solution to combat -borne attacks. Without the visibility and attack detection made possible by Niara s security analytics, the attack would have remained undetected until significant, potentially headline-grabbing, damage had been caused. Attack Findings is still the primary attack vector for cybercriminals. In addition to malicious attachments and URLs, credential phishing is also on the rise. This means that signature- and rule-based detection, the foundation for perimeter defense, are rendered ineffective. Instead, cybercriminals are using advanced attack methods that can only be detected through security analytics such as Niara s, which includes behavioral analytics that are built using a full spectrum of machine learning techniques 1

2 By analyzing traffic for signs of maliciousness, s were clustered into campaigns, based on the common TTPs used. This threat advisory present details about of the malicious campaigns, their TTPs and why Niara s behavioral analytics are needed for rapid attack detection. All but two of the campaigns involved s sent to multiple recipients. This suggests that cybercriminals were looking to infiltrate corporate networks via broad -based crime campaigns, where attackers cast a wide net, in order to find weak spots. For example, if an employee opens an attachment or clicks on a URL from a malicious , they can be exploited and the attacker is given the ability to infiltrate corporate networks. Niara also discovered that attackers maintain intelligence about recipients and when the same campaigns occurred months apart, attackers did not target same recipients. The remaining two campaigns were more targeted, where s were sent to the same recipient but with different attachments. This threat advisory provides examples of how broad -based crime campaigns differ from more targeted attacks. Attackers used a variety of different attachments in the campaigns, with names designed to appear legitimate (e.g., DHL RECEIPT.htm, SCAN_INVOICE_ zip, invoice_ _scan.zip), increasing the likelihood that recipients would open the attachments, compromising their systems. Niara s analytics enables rapid detection of -based crime campaigns and targeted attacks by using contextual evidence and machine learning techniques. By identifying the target of an attack early on, security teams can maintain a heightened level of alertness to better protect high-value assets. By identifying campaigns that provide visibility into how cybercriminals are using TTPs to infect multiple recipients, security analysts receive actionable intelligence, which is immensely helpful as it allows organizations to quickly detect any future campaigns that use the same TTPs. Microsoft Word document attachments with embedded macros appear to be the most popular tool of choice for weaponized attachments. Technical Analysis Niara detected many distinct malicious campaigns throughout its analysis. This threat advisory provides in-depth information on the campaigns that had potential to cause significant damage. 1. PostMoney campaign 2. Locky Ransomware campaign 3. Witness campaign 4. Service-DHL campaign 5. Verify campaign 2

3 PostMoney Campaign This campaign was unique because there was only a single recipient i.e., Niara s analytics classified this as a potential targeted attack. The used in the attack did not have any attachments. Instead the attacker researched the target in advance, and sent a spoofed to a CFO that appeared to come from the organization s CEO. The , which requested a reply, appeared legitimate. Niara detected this targeted attack by applying its multi-dimensional analytics modules to traffic and bubbled it up to the security analysts who prevented any further progress. If the desired outcome of the attack happened as planned, the attacker would have sent another with information about an account to transfer money into. Cybercriminals have been successful with these types of campaigns, costing organizations more than $2.3 billion in losses over the past three years 1. For example, attackers used a very similar tactic at Snapchat to gain access to employee payroll information 2. There have also been instances of human resources and finance employees at many organizations being tricked into revealing employee W2 information because of a spoofed message from the CEO 3. Figure 1: The PostMoney campaign. Locky Ransomware Campaign In this campaign, attackers used malicious s as a vector to compromise systems by installing malware from the Locky Ransomware family. Locky Ransomware encrypts all the files on a compromised system. Figure 2: The Locky Ransomware campaign. 1 FBI: CEO Fraud Skyrockets 270%, Tara Seals, InfoSecurity, 8 April 2016, 2 Snapchat Employee Data Leaks Out Following Phishing Attack, Jon Russell, TechCrunch, 29 Feb Phishing Victims Muddle Tax Fraud Fight, KrebsonSecurity, March

4 Attackers sent the malicious s to all recipients on the same day, which is very typical in a malicious campaign. The s had very similar subject lines (e.g., attn: invoice j ) but with some variance in the invoice number in an attempt to add authenticity to the s. Each recipient was sent two document attachments with the same name (e.g., invoice_m_ ). In addition, all s were sent using the X-mailer MIME::Lite (F2.77; T1.30; A2.06; B3.08; Q3.08) and appeared to come from the same sender. Unbeknownst to the recipients, the Bartallex macro was embedded in in the attachments and when the attachments are opened, Bartallex downloads the Locky Ransomware malware, which drops an executable file called ladybi.exe, onto the now compromised system. Once this occurs, all the files on the system become encrypted and the below message appears, informing the user that her/his files have been encrypted and to follow a set of instructions in order to decrypt the information. Figure 3: Message displayed to a user after the ladbi.exe executable used in the Locky Ransomware campaign has encrypted all files on a compromised system. The compromised systems were also communicating with a command and control (C&C) server. Example communications between the C&C server and the compromised systems are shown below. Figure 4: Download of an executable used to communicate between an external C&C server and a compromised system in the Locky Ransomware campaign. 4

5 Figure 5: Traffic generated by the downloaded executable being used in the Locky Ransomware campaign. Witness Campaign In this campaign, attackers attempted to compromise systems by installing malicious code that belongs to the Pony malware family. Their goal was to steal credentials and install a backdoor to establish a more persistent presence on the endpoint. The Witness campaign, a name inspired by its accompanying attachment (witness_supboena.doc), was the largest campaign with respect to the number of malicious s sent. Lasting over 2 days, it was sent to 335 employees at a single enterprise. Figure 6: The Witness campaign. 5

6 All the s were sent from the same domain and had the same attachment, named witness_subpoena.doc. In an attempt to social engineer employees, the attackers used the name of the company in the subject lines of the followed by the string witness subpoena. For example, employees at a hypothetical company called Acme would have received s with Acme witness subpoena as the subject line. This personalization by the attackers led to a significant number of employees opening the and the attachment. A quick search on VirusTotal using the MD5 sum of the witness_subpoena.doc attachment revealed that a number of companies were impacted by this campaign. The image below, obtained from VirusTotal, shows some of the companies who received the malicious s and provides a glimpse into the extent of the campaign. Figure 7: Example companies affected by the Witness campaign. When the attachment witness_subpoena.doc is opened, a Windows executable called idd3.exe is dropped into the %temp% directory on the user s machine. The executable, which has an MD5 sum of d3c6ed4d9231fb71eba89c9579ee3dc4 belongs to the well-documented Pony malware family. A VBA macro, embedded within witness_subpoena.doc, starts the Windows executable. The image below shows the VBA macro invoking the Shell() function with the path to the dropped executable as the parameter. Figure 8: The VBA macro used in the Witness campaign. Once idd3.exe is executed, it attempts to download another executable called services.exe, from a number of C&C domains. At the time of the investigation, the domains appeared to have been deactivated. However, using other tools, Niara s security researchers determined that services.exe, which had an MD5 sum of 68fd262867c60fb4cf4dd e, was a backdoor and belonged to the Papra malware family. The image below shows the results of idd3.exe attempting to download services.exe. 6

7 Figure 9: C&C server communications in the Witness campaign. Service-DHL Campaign In this campaign, attackers attempted to install a RAT (remote access Trojan) from the well-documented NetWire malware family. This malware has been used in both targeted attacks and crime campaigns. The RAT has many malicious capabilities such as stealing credentials and taking screenshots. The figure below depicts the campaign. The campaign targeted the organization over a month, with attackers sending two malicious s to 29 unique recipients within the organization. Some received an that contained an HTML file called DHL RECEIPT.html, while the remainder received an that contained a ZIP file called 1.zip. Figure 10: The Service-DHL campaign. The ZIP file consists of a malicious document file called DHL details 140.doc with an MD5 sum of bffe075f13e9711b6e8abc7da0fb22c7. When the document is opened, a macro executes and downloads an executable called filess.exe, which communicates over TCP with a C&C server named kelessb.ddns.net. The commands executed by the macro are shown below. 7

8 Figure 11: Commands used in the Service-DHL campaign showing the download of a file that communicates with a C&C server. Verify Campaign In this campaign, attackers sent s to unsuspecting employees, informing them of incorrect and missing details in their accounts with Bank of America. The s, which appeared to have legitimately come from the Bank of America, contained an attachment called Verify.html. When victims opened the attachment, they were taken to the page, pictured below, and asked to provide personal info Figure 12: HTML page that was used in the Verify campaign to collect victim s personal information. 8

9 After a victim fills out the information and submits the form, the information is sent to an attacker-controlled IP ( ) hosted in Iran. The below image of the POST request shows the details being sent to the attacker-controlled IP. Figure 13: POST request showing information sent to attackers in the Verify campaign. How Did Niara Help? Machine learning serves as the foundation for Niara s behavioral and discrete analytics, which analyzes security information and contextual evidence to paint a complete picture about users and hosts. Behavioral analytics also incorporates analyst-provided feedback to adapt the uniqueness of a local environment, automatically determining normal behavior baselines and identifying irregular behaviors. Discrete analytics provide the global intelligence, identifying anomalies that are irrefutably the result of malicious intent, regardless of the company. When discrete analytics do not generate a high confidence security alert, the data is tagged with the analytics results, which is then used as input for other analytics. For example, behavioral analytics determined the historical baselines of the volume of incoming s for each user and surfaced the anomalies created by unusual volumes sent by attackers. In another example, a discrete analytics module processed the individual s to find signs of domain spoofing and tagged the with the findings of the model so it could be used for other analytic modules. A large number of behavioral and discrete analytics were applied to these s and were automatically summarized into user profiles that showed the anomalies and more reliably attributed malicious intent. 9

10 The features used by Niara s machine learning analytics models to cluster the s into campaigns are listed below: 1. Levenshtein distance as the initial pivot 2. Uniqueness of XMailers used in the s of the campaigns 3. Volume of s 4. Similarity in the names of the attachment included in the s 5. Duration of campaigns 6. Country where the was sent from 7. Similarity in subject lines of s What Should You Do? TTPs (Tools, Techniques or Procedures) for Campaigns Look for the following TTPs to determine if attackers are targeting your organization with any of the campaigns or targeted attacks listed in this threat advisory. TTP Witness Locky Services-DHL PostMoney Verify subject <company_name> witness_subpoena attn: invoice j-<random_number> Your parcels arrived at our postoffice (shipment # 140(4)) company acquisition Added security to your debit card Attachment type CDF V2 CDF V2 zip, HTML N/A HTML Campaign duration 2 days 1 day 1 month 1 day 1 day Attachment name witness_subpoena.doc invoice_<character>-<random_number>.doc 1.zip DHL RECEIPT.html N/A Verify.html Sender domain(s) dhlawfirm.net uahoo.co.uk hom .co.uk lyndachase.com services-dhl.cn servises-dhl.com N/A upsidedownyogagames.com onlinebank- ingx3xrqdh2t- JXW7SV1ET@ kqhbjbankofamerica.com Sender IP(s)

11 Locky Ransomware Campaign Provided below are the Snort rules that analysts can use to detect presence of the Locky Ransomware malware. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: Locky Malware Downloading Exe ; content: GET ; content: /34gf5y/r34f3345g.exe ; sid:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: Locky Malware Downloading Exe ; content: POST ; content:! User-Agent ; content: /main.php ; content: Cache-Control: no-cache 0d 0a 0d 0a ; sid:2;)s Attachments Used in Campaigns The list below shows the names of the attachments that were used in the campaigns. Note that the names appear legitimate, making it more likely that the attachment gets opened, resulting in compromised systems. a. -xxxxx pdf b. 1.zip c pdf d. PMC.docx e. DHL RECEIPT.htm f. NoCallerID doc g. PP html h. SCAN_INVOICE_ zip i. SCAN_INVOICE_ zip j. a. SCAN_INVOICE_ zip k. b. SCAN_invoice_ zip l. c. SCAN_invoice_ zip m. d. SCAN_invoice_ zip n. e. Verify.html o. f. copy_invoice_ zip p. g. invoice_ _scan.zip q. h. invoice_ _scan.zip r. i. invoice_ _scan.zip 11

12 Mailers Used in Campaigns The below list shows the names of the mailers that were used in the campaigns. a. Dtkaabo 8 b. Enxccjy gkjdb 7.0 c. Foxmail 4.2 [cn] d. Fpmt 5 e. Fqogwti swkjhsi 1.6 f. Isgxjfg dgxggc 0.6 g. Microsoft Office Outlook 11 h. Microsoft Outlook 14.0 i. Microsoft Outlook Express j. Microsoft Outlook Express k. a. Microsoft Outlook Express l. b. Microsoft Outlook Express m. c. Microsoft Outlook Express n. d. Microsoft Windows Live Mail o. e. Microsoft Windows Live Mail p. f. Microsoft Windows Live Mail q. g. Microsoft Windows Mail r. h. Pegasus Mail for Windows (4.41) s. i. Wuzdvrbej 8 t. j. MIME::Lite (F2.77; T1.30; A2.06; B3.08; Q3.08) Niara Searches Below are the searches that can be used within Niara to determine if your organization is under attack by any of these campaigns. PostMoney Campaign conversation_tags: _domain_spoofing AND src_internal:no and dest_internal:yes and src_ip: Locky Ransomware Campaign Src_internal:no and dest_internal:yes and _xmailer:mime::lite (F2.77; T1.30; A2.06; B3.08; Q3.08) and conversation_tags: _domain_spoofing Src_internal:yes and dest_internal:no and http_method:get and http_url:/34gf5y/ r34f3345g.exe Src_internal:yes and dest_internal:no and http_method:post and not http_user_ agent:* and http_url:*/main.php 12

13 Witness Campaign Src_internal:no and dest_internal:yes and conversation_tags: _domain_spoofing and _attach_filename:*doc Src_internal:yes and dest_internal:no and http_method:get and http_url:/wp-content/plugins/cached_data/services.exe Src_internal:yes and dest_internal:no and http_method:get and http_url:/services. exe Services-DHL Campaign conversation_tags: _domain_spoofing AND src_internal:no AND dest_internal:yes AND _sender_domain:servises-dhl.com conversation_tags: _domain_spoofing AND src_internal:no AND dest_internal:yes AND _sender_domain:services-dhl.cn conversation_tags: _domain_spoofing AND src_internal:no AND dest_internal:yes AND src_ip: conversation_tags: _domain_spoofing AND src_internal:no AND dest_internal:yes AND src_ip: Verify Campaign Src_internal:yes and dest_internal:no and http_method:post and http_ host: Src_internal:yes and dest_internal:no and http_method:post and http_url:/cgi-bin/ die and not dest_port:80 About Niara Niara s security analytics platform automates the detection of attacks that have bypassed an organization s perimeter defenses and dramatically reduces the time and skill needed to investigate and respond to security events. The solution applies machine learning algorithms to data from the network and security infrastructure to detect compromised users, entities, and malicious insiders, reduce the time for incident investigation and response, and speed threat hunting efforts by focusing security teams on the threats that matter. For more information, visit NIARA, NIARA INC., the NIARA logo and PETASECURE are trademarks of Niara Incorporated. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. Niara s technology and products are protected by issued and pending U.S. and foreign patents