APT players lack deep skills of exploitation, fail at QA

Advanced Persistent Threat (APT) actors are generally considered to be among the most sophisticated cyber exploiters out there. But is this perception correct? Gabor Szappanos, a researcher with SophosLabs Hungary, says no.

“It is always good to know the strength of the enemy at the other side of the gate,” he notes, and for this reason he and his colleagues decided to analyze over a dozen malware samples exploiting the CVE-2014-1761 vulnerability, which allowed them to evaluate the skill of a few different malware author groups.

The flaw – a critical memory corruption vulnerability – affects a wide range of Office versions, both for Windows (including servers) and Mac machines. Still, all the malware samples they analyzed targeted only Microsoft Office 2010 Service Pack 2 (32 bit).

The first known malware sample that exploited the flaw was dubbed Cycoomer, and its author is unknown. Apparently, this document became the source for all other analyzed samples, after having been uploaded to VirusTotal and after a Metasploit exploit module was created from it.

Szappanos and his colleagues discovered that none of the groups were able to modify the attack enough to infect other versions of Office, and that in most cases the modifications resulted in buggy code that made the exploit ineffectual. Others preferred to make minimal changes to the original exploit code to prevent this. Generally, APT groups are clearly clearly lacking in release process quality assessment.

“Malware authors are usually very keen to tweak their samples in order to avoid detection by antivirus programs. The fact that they missed these opportunities indicates that they never completely understood the nature of this exploit,” Szappanos pointed out.

Those that did the best job at modifying the exploit and making it work for them were not the APT groups, but the “mainstream” criminal groups that create and use common commercial malware families.

“This is bad news, because the malware created by these authors reaches a general audience in much higher numbers than the targeted attacks. Therefore, the criminals with larger outreach appear to also be more skilled,” Szappanos noted.

“The APT players lack deep skills of exploitation. They are quick to adopt new exploits, as samples or Metasploit modules become available, but they don’t (usually) develop the exploit themselves and don’t make significant modifications to them. If security researchers and system administrators follow and act upon vulnerability announcements, they are likely to be prepared for these groups,” he pointed out.

Share this