A new report by Damballa highlights not only how cybercriminals can stay under the radar for long periods of time, but also the need for enterprises to reassess existing security tools.
“Its’s no small feat to keep up with how cybercriminals operate. Attackers have an incredibly vibrant underground community where they can buy or rent anything from C&C infrastructure to sophisticated exploit kits to bare metal malware,” said Stephen Newman, CTO of Damballa.
The transience of criminal infrastructure
The findings came from an eight-month study of the Pony Loader malware and the measures cyber criminals took to evade detection. The cyber criminals behind Pony Loader use only a few IPs per provider to help reduce their chances of getting caught. Since Damballa began tracking Pony, the criminals have used 281 domains and more than 120 IPs spread across 100 different ISPs.
Damballa observed fluctuating activity based on the number of IPs in use throughout the time period. During vacation times – the summer and Christmas season – the ratio of domains to IPs increased, indicating that the crew had fewer resources available to move the infrastructure.
In addition to moving their infrastructure, the criminals behind Pony Loader also change up their malware. In May, Pony was configured to download Dyre, a banking Trojan. In September, it was configured to download Vawtrak, another banking Trojan. On December 2, Vawtrak was replaced with Nymaim, a form of ransomware, before flipping back to Vawtrak on December 14.
Using the Destover Trojan as an example, the study also explains how advanced attackers conceal their tracks to throw investigators off the trail. Destover deletes files off an infected device, rendering it useless. Attackers can stay undetected inside the network, expand their presence and exfiltrate Terabytes of sensitive information. Destover is associated with high-profile breaches including Sony Pictures Entertainment and Saudi Aramco.
While researching a new sample of Destover, Damballa discovered two utilities closely related to Destover: setMFT and afset. Both are used to evade detection while moving laterally through a network to broaden the attack surface.
Adversaries can clean and redirect log files and blend them with legitimate system files. As a result, many of the tools and methods security teams use to identify the presence of attackers fail to detect setMFT and afset. Chances are security personnel will miss them altogether unless they have a continuous monitoring solution that looks for threat-related behavior over time.