A new report by Damballa highlights not only how cybercriminals
can stay under the radar for long periods of time, but also the need
for enterprises to reassess existing security tools.
“It’s no small feat to keep up with how cybercriminals operate.
Attackers have an incredibly vibrant underground community where they
can buy or rent anything from C&C infrastructure to sophisticated
exploit kits to bare metal malware,” said Stephen Newman, CTO of
Damballa.
The transience of criminal infrastructure
The findings came from an eight-month study of the Pony Loader
malware and the measures cybercriminals took to evade detection. The
cybercriminals behind Pony Loader use only a few IPs per provider to
reduce their chances of getting caught. Since Damballa began
tracking Pony, the criminals have used 281 domains and more than 120 IPs
spread across 100 different ISPs.
Damballa observed fluctuating activity based on the number of IPs in
use throughout the time period. During vacation times – the summer and
Christmas season – the ratio of domains to IPs increased, indicating
that the crew had fewer resources available to move the infrastructure.
In addition to moving their infrastructure, the criminals behind Pony
Loader also rotate the malware it delivers. In May, Pony was configured to
download Dyre, a banking Trojan. In September, it was configured to download Vawtrak,
another banking Trojan. On December 2, Vawtrak was replaced with
Nymaim, a form of ransomware, before flipping back to Vawtrak on
December 14.
Evade detection
Using the Destover Trojan as an example, the study also explains how
advanced attackers conceal their tracks to throw investigators off the
trail. Destover wipes files from an infected device, rendering it
useless. Attackers can stay undetected inside the network, expand their
presence and exfiltrate terabytes of sensitive information. Destover is
associated with high-profile breaches including Sony Pictures
Entertainment and Saudi Aramco.
While researching a new sample of Destover, Damballa discovered two
utilities closely related to Destover: setMFT and afset. Both are used
to evade detection while moving laterally through a network to extend
the reach of the attack.
Adversaries can clean and redirect log files and blend them with
legitimate system files. As a result, many of the tools and methods
security teams use to identify the presence of attackers fail to detect
setMFT and afset. Chances are security personnel will miss them
altogether unless they have a continuous monitoring solution that looks
for threat-related behavior over time.