APT – Just *A* Persistent Threat


[2012-11-12 Blog update with new information]

How advanced should a targeted attack be in order to be called an
“Advanced Persistent Threat” (APT)?

Recently, Seculert has encountered many different APTs – from
state-sponsored to hacktivists to unknown adversaries – which seem to be using non-Advanced, yet effective ammo.

In July, the Mahdi malware successfully targeted entities from specific industries in the Middle East. The malware itself was not very sophisticated; however, it was able to infect and monitor over 1,000 targeted machines, and the attackers behind Mahdi are continuing to do so today.

In late August, Shamoon arrived, targeting energy and oil companies in the Arabian (Persian) Gulf. Again, while it was effectively destructive malware (wiping 30,000 machines), the code itself was not advanced. Moreover, it seems Shamoon was part of a persistent two-stage attack, meaning there was another piece of malware involved that bypassed on-premise security solutions and was then wiped by Shamoon to cover the attacker’s real intention.

If we return to the RSA breach, the malware involved in this attack was also not sophisticated. It was a four-year-old, freely downloadable Remote Access Tool called Poison Ivy. The attackers were using non-Advanced malware, but because it took RSA six months to identify the attack, it was Persistent enough to be called an APT.

Earlier this week, a targeted attack was identified against the Israeli Police Department and several other Israeli government offices. The attackers sent an email with a Remote Access Tool called “Xtreme RAT” attached. The RAT communicates with a C&C server that uses a free dynamic DNS service (see Figure 1). This APT is not advanced: like Poison Ivy, there is a publicly available website which allows any attacker to buy “Xtreme RAT”, this time for as low as 40 Euro (see Figure 2).

Therefore, this targeted attack is simply “A Persistent Threat” – effective enough to cause the Israeli Police to disconnect their entire network from the internet, in order to further investigate the persistency of the attack.


Figure 1: “Xtreme RAT” communicating with C&C using loading.myftp.org free subdomain

Figure 2: “Xtreme RAT” website selling the malware for as low as 40 Euro

It is valuable for any CISO or security manager to understand the persistency of such attacks. The only cost-effective way to do so is to use the cloud as a technology enabler and analyze – using CPU-intensive machine learning methodologies – the huge amount of log data generated by the corporate gateways and proxies over a long enough period of time: weeks, months, or even years. In general, this is the only type of security solution that allows CISOs to identify and automatically detect even the most persistent attacks, regardless of whether they are advanced or not.
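The two observations above, a RAT beaconing to a free dynamic DNS subdomain (Figure 1) and the need to look at gateway logs over a long window, can be combined into a simple rule-based check. The following is an added illustration, not Seculert's product or code: it parses a constructed proxy log format (ISO timestamp, client IP, method, URL, status) and flags client/host pairs that contacted a free dynamic-DNS host on several distinct days. myftp.org is the parent domain named in this post; the other watched parents are assumed examples to be replaced with your own list.

```python
import re
from collections import defaultdict

# Free dynamic-DNS parent domains to watch. myftp.org comes from the post;
# the others are assumed entries for illustration, not a curated list.
DYNDNS_PARENTS = {"myftp.org", "no-ip.org", "ddns.net"}

# Constructed proxy log format: "<ISO timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<client>\S+)\s+\S+\s+(?P<url>\S+)\s+\d+"
)

# Constructed sample log: one host beacons to loading.myftp.org every day,
# another touches a dynamic-DNS host only once.
SAMPLE_LOG = """\
2012-10-20T10:00:01Z 10.1.1.5 CONNECT loading.myftp.org:443 200
2012-10-20T10:00:05Z 10.1.1.5 GET http://www.example.com/index.html 200
2012-10-21T10:05:12Z 10.1.1.5 CONNECT loading.myftp.org:443 200
2012-10-22T10:00:44Z 10.1.1.5 CONNECT loading.myftp.org:443 200
2012-10-22T11:30:00Z 10.1.1.9 CONNECT files.myftp.org:443 200
2012-10-23T10:01:03Z 10.1.1.5 CONNECT loading.myftp.org:443 200
2012-10-23T16:20:00Z 10.1.1.9 GET http://www.example.com/news 200
"""

def parent_domain(host: str) -> str:
    """Last two labels of a hostname: loading.myftp.org -> myftp.org."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def host_from_url(url: str) -> str:
    """Extract the host from either 'host:port' (CONNECT) or a full URL (GET)."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url)
    return m.group(1) if m else ""

def find_persistent_dyndns_beacons(lines, min_days=3):
    """Return {(client, host): [days]} for dynamic-DNS hosts a client reached
    on at least min_days distinct days; one-off contacts are dropped."""
    days = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        host = host_from_url(m.group("url"))
        if parent_domain(host) in DYNDNS_PARENTS:
            days[(m.group("client"), host)].add(m.group("day"))
    return {k: sorted(v) for k, v in days.items() if len(v) >= min_days}

def scan_sample():
    return find_persistent_dyndns_beacons(SAMPLE_LOG.splitlines())
```

The distinct-day count is what separates a persistent beacon from a single accidental visit; on real logs the window would span weeks or months rather than four days.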

[2012-11-12 Update] Our friends at Norman have confirmed the persistency of the “Xtreme RAT” attack. According to their report, the attackers initiated the campaign over a year ago, targeting both Palestinian and Israeli entities.
