In the process of investigating and analyzing targeted attacks, we have seen that attacks which may not be related at first glance may in fact be linked; conversely attacks that may seem unrelated may turn out to be connected. Knowing wh...
In the process of investigating and analyzing targeted attacks, we have seen that attacks which may not be related at first glance may in fact be linked; conversely attacks that may seem unrelated may turn out to be connected. Knowing which is which can provide useful information in determining how to respond to an attack.
Why Are Separate Attacks “Related”?
Before a cybercriminal or threat actor can launch an attack, many things have to be prepared in advance. The list of recipients have to be compiled, command-and-control (C&C) servers brought online, malware payloads chosen, etcetera. Ideally, attackers would use separate ones, but that isn’t the case: they are just as prone to reuse items or tactics that have worked before. Knowing these similarities between attacks can help determine what is an appropriate response.
There are many ways that seemingly independent attacks can be correlated, but here are some of the most common ones:
Same IP address sends different email messages
Same email address sends different messages
The same malware is attached to different messages
Multiple (similar) backdoors use the same C&C server
Different backdoor types use the same C&C server
Multiple domains registered using the same email address
Similarities in the way command-and-control network traffic is organized
How can this information be used?
Typically, organizations face two kinds of threats: highly sophisticated attacks that target them specifically, or more “random” attacks that are aimed at wider audiences. It can be difficult to tell just by examining the specifics of a particular attack which it is, but examination of the similarities above – using additional information provided by the Smart Protection Network – may be useful. It’s best to illustrate this with a hypothetical example.
A company received an apparently targeted email that contained a malicious attachment. The malware installed tries to contact an external C&C server for instructions using HTTP. It would appear, at first, that this was a sophisticated targeted attack.
However, more in-depth analysis would reveal that the malware only accessed two files on the C&C server: /kc1/data.bin and /kc1/gate.php. Accessing two files located in the same directory with the .BIN and .PHP extensions is common behavior by ZeuS/ZBOT variants. In addition, the domain of the C&C server was registered using an email address that was also used to register another domain on the well-known ZeuS Tracker blacklist. All this strongly suggests that it was not a sophisticated attack, but instead a more ordinary ZeuS/ZBOT infection. This can still pose a threat, but it’s a different nature compared to a sophisticated attack.
This information can also be used to gauge the seriousness of an attack. For example, in October, we found a new Poison Ivy variant (BKDR_POISON.AB) had infected 15 different machines, belonging both to individuals and various organizations. What we also found was that there had been a similar attack earlier in the year which distributed a very similar Poison Ivy variant (BKDR_POISON.BJX). Similarities included the malware’s mutexes and the emails used to spread the attack.
From there, one can conclude that both attacks were not meant to directly target anyone, but more to gather information across a wide number of possible targets that could be used for more direct attacks at a later time.
The links between attacks can also be used to discover other potential attacks as well. For example, examining the email and IP addresses linked to domains used as C&C servers in a current attack can lead to other domains. The added information can be used as indicators for potential attacks that may not have been detected at the time.
Conclusion
Gathering information about the connections between attacks can reveal much about the attacks in the first place. Organizations that use this kind of threat intelligence can use it