January 19, 2019 Advanced malware

Apart from being purposefully designed and specialized, advanced malware is also well-mannered, as can be witnessed in the courteous way it plans and executes its departure.  This article defines what makes advanced malware, advanced.

While the precise definition of “advanced malware” may be open for debate, it generally refers to malware that uses methods and tools considered to be available only to those with remarkable resources and influence. Malware that manages to maintain long-term presence and dominance over the target could also be considered “advanced”, even when it doesn’t actually employ any specific methods or tools that are rare or difficult to acquire. Also, in connection with malware, the word advanced features prominently in the phrase “Advanced Persistent Threat”. 

This is a program or a software bundle used illicitly to access and gain control over a target for a long period of time (persistence) – though there’s slightly more to it than that.

Let me start by sharing a real-life example.

Some years ago, I was approached by a certain party who wanted to develop a “Digital Rights Management” solution that would rely on virtualization and low-level device drivers and would thus avoid being detected while continuing to maintain complete dominance over the target and, what is more, deliver the promised function as “rights management authority” for legitimate purposes. As a cyber-security professional, I was very interested in finding out more about the project. When asking about the details, I got straight to the point: “How would you like it to be deployed on the target system?” I asked. With little hesitation, the other party responded decisively: “As quietly as possible.”

This highlights another important aspect of advanced malware – its suitability for multiple purposes. Advanced malware is typically designed from the ground up not only to have a perfectly legitimate use-case and purpose, but also to be suitable for malicious use. This kind of approach is well-known in the defence industry, and it’s no coincidence that concepts matured in a military setting are applied in the world of cybersecurity today.

General modus operandi of a malware campaign

It’s worth recalling that malicious software is applied in a social context, and this context plays an integral part in the workings of the malware. The vast majority of malware has relatively limited capabilities, either because it is easily detected or because it fails to work as designed, crashes or contains fatal bugs of various kinds. This is perhaps because relatively fewer professional developers are working on malware development compared to the number of amateur “copycat” coders. This apparent maturation of the malware “industry” is advantageous for research purposes and for building malware defence capabilities, as it lowers the amount of entropy in the range of methods and tools developed and used in malware. When considering how malware works, it’s important to identify the settings around the malware industry along with the developments and changes happening within them.

Furthermore, advanced malware inherits much of its modus operandi from the military and the defence industry. Thus, unlike more ad-hoc “improvised devices”, modern, advanced malware tends to follow distinctive stages in its operation. These stages are loosely identified as reconnaissance, penetration, exploitation, persistence and withdrawal. Naturally, this is a rough outline of the process, and attack scenarios vary according to the situation, the target and the available resources. It’s interesting to note that this whole process employs multiple malware components, each specializing in one or more of the stages. Although this kind of modularity makes the process more efficient, it also makes it more predictable and thus detectable.

Methods of penetration

The most common “general” attack vector used by advanced malware today is weaponized files, delivered either via email or a physical medium, or unwittingly downloaded by a person working at the target organization. This phase of penetration may have been preceded by another higher-level mechanism such as a vulnerability in the user’s browser or a social engineering attack. Weaponized files appear to be ordinary, non-sensitive files – they might even behave like them, yet they include shellcode that’s programmed to be executed by the vulnerable application and designed to evade the safe browser or operating system “sandbox” environment. Weaponization could be achieved using macro-type scripting features in an application, such as Microsoft Office macros, or by rogue input data such as media files. This first stage is typically a “launcher” application with the sole objective of downloading and configuring further components and establishing persistence on the target system.

Contemporary advanced malware aims more and more to maintain a “fileless” footprint and persistence. In other words, the malware itself does not write any files on the target system or modify anything, but resides like a parasite in the computer’s memory or in ordinary files, making use of trusted, legitimate mechanisms within the system to serve its malicious purposes. This is typically referred to as a “living-off-the-land technique”.
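One defender-side check for the weaponized-file vector described above is to look inside incoming Office documents for an embedded VBA project rather than trusting the file extension. The following is an added example, not code from the original article; it assumes the OOXML container layout (a zip holding `[Content_Types].xml` and, for macro-enabled files, a `vbaProject.bin` part) and builds its own constructed sample documents for testing.

```python
import io
import zipfile

MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls header


def classify_office_file(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'not-office'.

    OOXML documents (.docx, .docm, .xlsm, ...) are zip containers. A VBA
    project is stored as a vbaProject.bin part and is also declared in
    [Content_Types].xml; either indicator is enough to flag the file,
    whatever the file extension claims.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # binary format; needs an OLE parser, not handled here
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in types_xml:
                return "macro"
    return "no-macro"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
              '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            ct.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, classify_office_file(build_sample_docx(flag)))
```

A file renamed to `.docx` that still carries a VBA project is classified as `macro`, which is the case a mail gateway should quarantine or detonate rather than pass through.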

Exploitation and persistence

During the exploitation phase, advanced malware typically activates a remote-control toolkit or else an autonomous Trojan-like mechanism. In the past, remarkable campaigns were carried out by what, at the time, was referred to as “advanced malware”, yet its unique exploitation phase was designed quite simply to achieve maximum destruction of the target system. Now well known as ransomware, this malicious software encrypts files on the victim’s computer and demands a “ransom” payment for the “release” of the files, typically requiring the victim to transfer the funds in the form of Bitcoin.

A more common tactic in the exploitation phase, however, consists of activating a remote-access toolkit, useful in advanced attacks that aim for long-term presence. Powerful remote-access toolkits can remain undetected for long enough to allow attackers to conduct further reconnaissance and planning. Maintaining undetected persistence must typically include methods of covert communication so that the “implant” can communicate with command-and-control entities or with other malware-infected systems for spontaneous operations. Obfuscation of network traffic becomes a crucial component here, and advanced malware deploying Tor networks can stay undetected by hiding within regular web traffic or DNS queries.
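Covert channels hidden in DNS, as mentioned above, tend to leave a statistical fingerprint: many unique, high-entropy subdomain labels under one registered domain, unlike normal lookups that repeat a handful of short names. The following is an added detection example, not code from the original article; the log line format and the sample queries are constructed, and “registered domain” is simplified to the last two labels (an assumption that real deployments replace with a public-suffix list).

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed log lines: "<timestamp> <client> <qtype> <qname>" (not a real resolver format)
NORMAL = [f"2019-01-19T10:00:{i:02d} 10.0.0.5 A {h}" for i, h in
          enumerate(["www.example.com", "mail.example.com", "www.example.com",
                     "cdn.example.com", "mail.example.com"] * 4)]
# A covert channel typically encodes data into many unique, high-entropy labels.
TUNNEL = [f"2019-01-19T10:01:{i:02d} 10.0.0.7 TXT "
          f"{hashlib.sha256(str(i).encode()).hexdigest()[:40]}.updates.invalid"
          for i in range(20)]
SAMPLE_LOG = NORMAL + TUNNEL


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def profile_domains(lines):
    """Group queries by registered domain (assumed: last two labels) and
    return {domain: (unique_subdomain_count, mean_subdomain_entropy)}."""
    subs = defaultdict(set)
    for line in lines:
        qname = line.split()[-1].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare apex query, no subdomain to inspect
        domain = ".".join(labels[-2:])
        subs[domain].add(".".join(labels[:-2]))
    return {d: (len(s), sum(shannon_entropy(x) for x in s) / len(s))
            for d, s in subs.items()}


def suspicious_domains(lines, min_unique=8, min_entropy=3.0):
    """Domains whose subdomain churn and entropy look like an encoded channel."""
    return sorted(d for d, (n, ent) in profile_domains(lines).items()
                  if n >= min_unique and ent >= min_entropy)


if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))  # ['updates.invalid']
```

The thresholds are starting points to tune against a baseline of the organisation’s own resolver logs; CDN and anti-spam services also produce hashed-looking labels, so a hit is a lead for investigation rather than a verdict.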

A clean exit winds up the attack

Apart from being purposefully designed and specialized, advanced malware is also well-mannered, as can be witnessed in the courteous way it plans and executes its departure. Once the attacker’s objective has been completed, advanced malware, at its technical best, can disappear as silently and unobtrusively as it penetrated, without a single trace.
