Gastone Nencini Country Leader Trend Micro Italy e Senior Technical Manager Trend Micro Southern EuropeTRENDS IN TARGETED ATTACKS Sommario Abstract Gli at ac hi mirati costituiscono una categoria di minac eTargeted at acks constitute a threat category that refers tospecifiche da parte di criminali informatici che, at raverso l’in-computer intrusions staged by threat actors that aggressivelytrusione nel e reti, perseguono obiet ivi e strategie molto preci-pursue and compromise specific targets. Often leveraging socialse. Facendo spesso leva su malware e tecniche di social engi-engineering and malware, these at acks seek to maintain aneering, questa tipologia di at ac hi è finalizzata a stabilire epersistent presence within the victim’s network so that themantenere una presenza persistente nel a rete del 'organizza-at ackers can move lateral y throughout the target’s networkzione colpita, con il fine di potersi muovere al suo interno al aand extract sensitive information. These at acks are most com-ricerca di informazioni sensibili. monly aimed at civil society organizations, business enterprisesQuesto genere di at ac hi ha generalmente come obiet ivoand government/military networks. Given the targeted natu-enti e organismi pubblici, aziende e organizzazioni militari.re of these at acks, the distribution is low; however, the impactConsiderata la loro specifica natura, questi at ac hi mirati nonon compromised institutions remains high.sono molto dif usi, tut avia il loro impat o sul e organizzazio-As a result, targeted at acks have become a priorityni che ne sono vit ima è molto elevato, con possibili gravi con-seguenze; riuscire quindi a prevenire e contrastare in modo ef i-This paper wil examine the stages of a targeted at ackcace questo tipo di minac e è estremamente importante e prio-from the reconnaissance phase through to the data ex-filtrationritario. 
Questo articolo esamina le varie fasi di un at ac ophase and wil explore trends in the tools, tactics and proce-mirato: dal a ricognizione preliminare fino al a fase di furtodures used in such at acks. It wil conclude with a high-leveldei dati, analizzando in det aglio le tendenze relative ai tool,examination of mitigation strategies that leverage threat intel-al e tat iche e al e procedure utilizzate. Segue un esame appro-ligence and data security in order to provide organizations withfondito del e diverse strategie di risposta, basate sul a ricerca ethe information they need to increase their human capacity, toconoscenza del e varie minac e e del e misure di protezioneanalyze and respond to threats and to customize technicalat ualmente disponibili, fornendo così al e imprese e al e orga-solutions in ways that best fit their own defensive posture.nizzazioni tut e le informazioni necessarie per impostare unaef icace strategia di difesa, identificando soluzioni tecniche per-sonalizzate in funzione del e diverse specifiche esigenze.1. Introduction
Prior to the highly publicized “Aurora” attack on
Targeted attacks that exploit vulnerabilities in
Google in late 2009, which also affected at least 20
popular software in order to compromise specific
other companies, there was little public awareness
target sets are becoming increasingly commonplace.
regarding targeted malware attacks1.
These attacks are not automated and indiscriminate
However, such attacks have been taking place for
nor are they conducted by opportunistic amateurs.
years and continue to affect government, military,
These computer intrusions are staged by threat
corporate, educational, and civil society networks
actors that aggressively pursue and compromise spe-
today. While such attacks against the U.S. govern-
cific targets. Such attacks are typical y part of broa-
ment and related networks are now fairly wel -
der campaigns, a series of failed and success com-
known, other governments and an increasing num-
promises, by specific threat actors and not isolated
ber of companies are facing similar threats. Earlier
attacks. The objective of the attacks is to obtain sen-
this year, the Canadian, South Korean, and French
governments have al experienced serious security
breaches into sensitive networks2. Recently, the
sector, the government and military sector as wel
European Commission and the External Action
as civil society could be linked to the same threat
Service were also compromised and there was a
significant breach at the International Monetary
In 2009, the New York Times revealed the exi-
stence of GhostNet, a cyber-espionage network that
The security firm RSA was also recently compro-
had compromised over 2000 computers in 103 coun-
mised as a result of a targeted malware attack4.
tries15. Among the victims there were high concen-
Fol owing the breach at RSA, the data stolen during
trations of compromised computers at Ministries of
that attack may have aided subsequent attacks against
Foreign Affairs, Embassies and Diplomatic missions
around the world. The attackers used social y engi-
Lockheed Martin5. The trend continues 2011 with
neered emails to lure victims into clicking on malwa-
compromises at the Oak Ridge National Laboratory
re-laden attachments that al owed the attackers to
and the Pacific Northwest National Laboratory in
gain control over the compromised system. After the
the United States6. Such targeted attacks leveraging
initial compromise, the attackers would instruct the
social engineering have been ongoing since at least
compromised computers to download a Trojan,
20027. The first of such campaign to receive signifi-
known as gh0st or gh0stRAT, which al owed the
cant press coverage occurred in March 2004 and was
attackers to take real-time control over the compro-
known as Titan Rain8. The attacks were revealed by
TIME magazine in 2005 and highlighted the emer-
gence of “cyber-espionage” and threat is poses to
attackers’ use of gh0stRAT. The attackers were able
government and military networks. In 2006, The
to maintain persistent control over that compromi-
Guardian reported on a series of attacks against
sed computers. In fact, the average length of com-
British MP’s which leveraged highly targeted emails
promised was 145 days; the longest infection span
and attempted to instal malware capable of stealing
sensitive documents9. The fol owing year Der Spiegel
This discovery highlighted the fact that attackers
reported on attacks against the German government
do not need to be technical y sophisticated or advan-
that used malware embedded in popular office files
ced. With some functional but less-than-impressive
such as Microsoft Word and Excel10. In 2007, the
code along with the publicly available gh0stRAT tool
New York Times revealed that the Oak Ridge
these attackers were able to compromise and main-
National Laboratory in the Unites States was com-
tain persistent control of embassies around the
promised and that the attackers had used targeted
world. This research also showed that attackers can
phishing emails11. In 2008, BusinessWeek documen-
and do make mistakes which al ow researchers to
ted the extension of such threats to defense contrac-
uncover the hidden components of their operations.
tors and other large, private enterprises12. This report
A year later, the New York Times again reported
revealed the social engineering techniques used to
on the existence of another cyber-espionage net-
lure potential victims into executing malware al o-
work16. The report enumerated a complex and tiered
wing the attackers to take ful control of their com-
command and control infrastructure. The attackers
puters. Final y, the BusinessWeek also revealed that
misused a variety of services including Twitter,
the same attackers had expanded their target set to
Google Groups, Blogspot, Baidu Blogs, blog.com
include the civil society sector as wel . In the same
and Yahoo! Mail in order to maintain persistent con-
year, researchers demonstrated the connection bet-
trol over the compromised computers. This top layer
ween targeted malware attacks using social enginee-
directed compromised computers to accounts on
ring and malicious documents13. Several presenta-
free web hosting services, and as the free hosting ser-
tions at security conferences revealed that attackers
vers were disabled, to a stable core of command and
were using exploits in popular software packages to
control servers. While less than 200 computers were
send malicious documents (such as PDFs, DOCs,
compromised, almost al in India, the recovered data
XLSs and PPTs) using contextual y-relevant, social y
included Secret, Confidential and Restricted docu-
engineered emails to a variety of targets. Moreover,
an analysis of the malware as wel as the command
In 2010, the Christian Science Monitor report
and control infrastructure revealed that attacks
that there were significant breaches in the networks
of three major oil companies: Marathon Oil,
loosely considered as targeted, involved the use of
ExxonMobil, and ConocoPhil ips17. The CSM repor-
ZeuS and a wel known cybercrime infrastructure to
ted that senior executives were targeted with social y
extract documents from U.S. government networks25.
engineered emails that contained malware. In 2011,
Moreover, there have been some suggestions that
McAfee reported similar attacks against oil compa-
threat actors involved in cyber-espionage are directly
nies around the world. Companies in the energy and
petrochemical industries were also targeted18.
The boundaries between online crime and espio-
McAfee released another report, “Shady RAT” that
nage appear to be blurring, making issues of attribu-
documented intrusion into at least 70 organizations
tion increasingly more complex. At a minimum,
these developments indicate that attacks that are
Trend Micro discovered an ongoing series of tar-
often considered to be criminal in nature, such as the
geted attacks, known as “LURID,” that have succes-
targeting of banking credentials of individuals, also
sful y compromised 1465 computers in 61 different
pose a threat to those in the government and military
countries. The Lurid Downloader attacks appear to
sectors. It is wel understood that these attackers aim
be another separate but related Enfal network with a
to maximize their financial gain from malware
geographic focus. Although there is clear evidence
attacks. Therefore, these developments may indicate
that the Tibetan community is also a target, intere-
that there is an emerging market for sensitive infor-
stingly the majority of victims of this attack are con-
mation as criminal networks seek to monetize such
centrated in Russia and other CIS countries. From
information and develop their capabilities in this
our analysis, we ascertained that numerous embassies
and government ministries, including some in
Western Europe, have been compromised as wel as
1.1 Targeted Attacks
research institutions and agencies related to the
Targeted attacks constitute a threat category that
While targeted malware attacks are currently used
refers to computer intrusions staged by threat actors
to steal data, future attacks could aim to modify data.
that aggressively pursue and compromise specific
The emergence of Stuxnet in 2010 revealed that tar-
targets. Often leveraging social engineering and mal-
geted malware attacks could be used to interfere with
ware, these attacks seek to maintain a persistent pre-
industrial control systems21. Stuxnet was designed to
sence within the victim’s network so that the attac-
modify the behaviors of programmable logic con-
kers can move lateral y throughout the target’s net-
trol ers (PLCs) for specific frequency converter dri-
work and extract sensitive information. While infor-
ves manufactured by two companies, one in Finland
mation may trickle out in the press about a single vic-
and the other in Iran22. The target of the attack is
tim or a single attack, there are usual y many more.
widely believed to be Iran’s uranium enrichment
Moreover, they are often geographical y diverse and
capability23 Stuxnet demonstrates that future threats
most commonly aimed at civil society organizations,
could focus on sabotage, not just espionage.
business enterprises and government/military net-
While the distribution of targeted attacks remains
works. Given the targeted nature of the attacks, the
low, the impact on high profile institution remains
distribution is low; however, the impact on compro-
high. Most Internet users wil never be victims of
mised institutions remains high. As a result, targeted
targeted attacks and are much more likely to face a
attacks have become a high priority threat.
variety of common threats such as fake security soft-
In a typical targeted attack, a target typical y recei-
ves a social y engineered message—such as an email
SpyEye, Bancos)24. However, the methods used in
or instant message—that encourages the target to
targeted attacks being adopted by the criminal actors
click on a link or open a file. The links and files sent
have a much larger target set. For example, exploits
by the attacker contain malware that exploits vulne-
used in a targeted attack may eventual y find their
rabilities in popular software such as Adobe Reader
way into exploit packs that are sold in underground
(e.g. pdf’s) and Microsoft Office (e.g. doc’s). The
forums. Moreover, those in the cybercrime under-
payload of these exploits is malware that is silently
ground may be increasingly interested in and pos-
executed on the target’s computer. This al ows the
sibly profiting from the extraction of sensitive infor-
attackers to take control of and obtain data from the
mation. In fact, a recent series of attacks, that can be
The attackers may then move lateral y throughout
tion after successful social engineering, that
the target’s network and are often able to maintain
results in a compromise that delivers control
control over compromised computers for extended
of the target system to the attackers.
lengths of time. Ultimately, the attackers locate and
• Command and Control—communication
ex-filtrate sensitive data from the victim’s network.
These targeted attacks are rarely isolated events. It
under the attacker’s control. This could be a
is more useful to think of them as campaigns—a
server component of a remote access Trojan
series of failed and successful attempts to compro-
(RAT) or a server that receives “check ins”
mise a target over a period of time. Therefore the
that notify the attacker of a successful com-
specificity of the attacker’s prior knowledge of the
promise and al ows the attackers to issue com-
victim affects the level of targeting associated with a
single attack. As a result, some attacks appear to be
less precise, or “noisy,” and are aimed at acquiring
• Persistence/Lateral Movement—mecha-
information to be used in a future, more precise
nisms that al ow malware to survive a reboot,
continued remote access (e.g. through legiti-
Such “spearphishing” attacks are “usual y direc-
mate VPN credentials and/or additional back-
ted toward a group of people with a commonality”
doors) and lateral movement throughout the
as opposed to a specific target but are useful for gai-
network enumerating file systems and seeking
ning an initial foothold in a future target of interest29.
When technical information regarding the target’s
• Data Ex-filtration—staging and transmitting
preferred antivirus products and specific versions of
of sensitive data, often involving encryption,
instal ed software is combined with intel igence
compression and chunking, to locations under
acquired from previous attacks and/or harvested
from publicly available information and social net-
The threat actors behind targeted malware attacks
working platforms, an advanced combination of
do not always use zero day vulnerabilities—exploits
social engineering and malicious code can be deplo-
for vulnerabilities for which there is no patch availa-
ble. While some might believe that the threat actors
Analyzing the stages of an attack can provide
behind targeted malware attacks have mythical capa-
insight into the tools, tactics and procedures of the
bilities, both in terms of their operational security
attackers31. This behavior helps indicate whether an
and the exploits and malware tools used, they, in fact,
attack can be linked to a broader campaign and helps
often use older exploits and simple malware32. The
build intel igence that can be used to inform incident
objective of these attacks is to obtain sensitive data;
response procedures and help mitigate future advan-
the malware used in the attacks is just an instrument.
ces by the attacker. While there is considerable over-
They wil use whatever is required to gain entry
lap, the anatomy of an attack can be segmented into
based on reconnaissance. In addition, they wil adjust
their tactics in reaction to the defenses of the victim.
• Reconnaissance/Targeting—profiling the
Therefore, an active defense requires a combina-
target in order to acquire information concer-
tion of technical and human capacity with an empha-
ning their defensive posture and deployed
sis on data protection. First, technical solutions for
software as wel as a contextual understanding
defense, monitoring and remediation must be in
of roles and responsibilities of key personnel
place. While organizations typical y maintain defen-
and relevant themes to inform social enginee-
ses such as antivirus software, intrusion
detection/prevention systems, firewal s and other
• Delivery Mechanism—selection of a deli-
security products, monitoring, logging and analysis
very mechanism, such as Email or IM, in con-
of the outputs of these tools is critical y important33.
junction with social engineering and embed-
The ultimate objective behind targeted attacks is the
ding malicious code into a delivery vehicle
acquisition of sensitive data. Therefore data loss pre-
(such as exploit code and malware embeddd
vention strategies that focus on identifying and pro-
tecting confidential information are critical y impor-
• Compromise/Exploit—execution of mali-
tant. Enhanced data protection and visibility across
cious code, usual y involving human interac-
the enterprise provides the ability control access to
sensitive data and to monitor and log successful and
functions related to the target. Since malware attacks
unsuccessful attempts to access it. Enhanced access
are more likely to be successful if they appear to
controls and logging capabilities al ow security
have originated from someone the target knows, the
analysts to locate and investigate anomalies, respond
delivery mechanism, usual y an email, is often speci-
to incidents and initiate remediation strategies and
fical y addressed to the target and appears to have
originated from someone within the target’s organi-
Building human capacity is an integral compo-
zation or someone in target’s social network35. In
nent of defense. The threat actors behind targeted
extremely targeted cases, attackers may actual y send
attacks make considerable effort to improve their
email directly from a compromised, but real, email
social engineering because they know that exploiting
account of someone the target knows and trusts.
the human factor is a critical component of a suc-
There are a variety of social engineering techni-
cessful compromise. As a result, education and trai-
ques that are commonly seen in the wild. In order to
ning programs are a key. Staff and employees must
masquerade as a real person that is known to the tar-
be aware of targeted attacks and must be expecting
get, attackers wil actual y register email addresses
them. In addition, the policies and procedures must
with popular webmail services such as Gmail,
be in place to both minimize exposure and provide
Yahoo! Mail and Hotmail using the names of the tar-
clear and consistent processes that al ow staff to
get’s col eagues. While there are stil attacks that
report suspected attacks. In order to ensure that
spoof legitimate business or governmental email
reporting and investigation occur, it is important to
addresses in order to convey legitimacy, these
identify who owns that process and can trigger the
attempts may be more easily detected36. The attacke-
remediation and damage assessment strategy if a
r’s shift to personal email addresses also reflects the
fact that employees often check their personal email
Information security analysts armed with threat
accounts from work and sometimes use these
intel igence are a critical component of defense.
Threat intel igence provides information on the
Attackers wil often leverage authority relations-
tools, tactics and procedures of threat actors.
hips, such as boss-employee, in order to communi-
Understanding these processes al ows information
cate a sense of importance so that the target wil
security analysts to customize defensive strategies to
open a malicious attachment. To increase the authen-
counter the specific threats an organization faces. As
ticity, attackers wil also use classification markings of
a result, an organization can integrate threat intel i-
the government and intel igence services38.
gence, increased human capacity, and technical solu-
In order to help detect social engineering attacks,
tions in a customized way that best fits their own
messages can be assessed for accuracy, language,
spel ing and grammar as wel as relevance to the tar-
get. However, attackers are now using techniques
such as forwarding legitimate emails, from mailing
2. Trends in Targeted Attacks
lists or from emails acquired from previously succes-
sful attacks, along with malicious links and attach-
2.1 Reconnaissance/Targeting
ments. As users grow weary of unknown attach-
ments and scan them with anti-malware products,
The use of social engineering in targeted malwa-
attackers are also now sending two or more attach-
re attacks is ubiquitous. Social engineering refers to
ments with one social y engineered email with one of
techniques that “exploit the human element” by
them containing malicious code. If the target
manipulating trust34. The objective of social enginee-
manual y scans one of the attachments and no mal-
ring is to manipulate individuals into revealing sensi-
ware is detected, the user may open the other attach-
tive information or executing malicious code. In
ments, including the malicious one, without having
order to increase the efficacy of social engineering,
manual y scanned them believing that they are al
information gleaned from a variety of public sources
including business profiles and social networking
Attackers engage in reconnaissance not just to
improve the level of social engineering used in an
Social engineering attacks typical y leverage cur-
attack, but to profile the software used by the target.
rent events, subject areas of interest and business
One of the techniques used, in conjunction with
social engineering, leverages the “res://” protocol in
Typical y, attackers hide executables inside of
order to determine the software present in the targe-
compressed file formats such as ZIP or RAR.
t’s environment. This information can then be used
Sometimes, these archive files are encrypted to avoid
in future attacks to identify specific applications in
network-based malware scanning and the attackers
order to select an appropriate exploit39. The res://
provide the password to decrypt the archive within
protocol, which was built into Internet Explorer
since version 4.0, can be used to remotely detect spe-
Final y, rather than include an attachment with a
cific software present on a computer by simply get-
social y engineered email, attackers wil simply inclu-
ting a user to visit a Web page from a browser40.
de links to web pages that contain exploit code.
We have found attacks that have used the res://
Known as “drive by” exploits, these web pages con-
protocol to check a target’s environment for file-sha-
tain code designed to exploit vulnerabilities in popu-
ring programs, web browsers, remote administration
lar browsers and browser plug-ins to instal malware
tools, email clients, download managers, and media
on the target’s computer. Rather than send the target
players. In addition, attackers are able to detect secu-
to a completely unknown web page, attackers are
rity software, including major antivirus products and
now compromising legitimate 39 http:// websites
personal firewal s, as wel as the PGP encryption
that are contextual y relevant to the target and
software and Microsoft security updates. They also
embedding “iframes” that silently load exploits from
check for virtual machine software, such as VMWare,
locations under the attackers control43.
which may indicate that they are being investigated
While email has been the most common delivery
mechanism for targeted attacks, there are increasing
The information obtained via social engineering,
reports of attempts made using instant messaging
whether or not the attack was a success or a failure,
and social networking platforms. There have been
is incorporated by attackers in future attacks.
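The res:// profiling described above leaves a recognisable trace in the page the target was lured to: every probe is a res:// URL naming the executable or DLL whose embedded resource the browser is asked to load, and the onload/onerror outcome tells the attacker whether that program is installed. The following Python is an added example for this page, not code from the paper or from Trend Micro: it pulls every res:// reference out of a captured page (attribute values and JavaScript string literals alike), recovers the module path, and gives a simple verdict. The sample page, its program paths, resource IDs and handler names are constructed for the example, and the three-module threshold in is_fingerprinting_page is an arbitrary assumption.

```python
import re
from urllib.parse import unquote

# Internet Explorer's res:// URLs take the form res://<module path>[/<resource type>]/<resource id>.
# A probe page references a resource inside a program's EXE/DLL and watches onload/onerror:
# the load succeeds only if that program is installed, which tells the attacker what to exploit.
RES_URL_RE = re.compile(r"""["'](res://[^"']+)["']""", re.IGNORECASE)
MODULE_RE = re.compile(r"^(?P<module>.+?\.(?:exe|dll|ocx|cpl|scr))(?:/(?P<rest>.*))?$", re.IGNORECASE)


def parse_res_url(url):
    """Split a res:// URL into the probed module, resource type and resource id."""
    body = url[len("res://"):]
    m = MODULE_RE.match(body)
    if not m:
        return None
    # JavaScript string literals escape backslashes and paths are often %-encoded
    module = unquote(m.group("module")).replace("\\\\", "\\")
    rest = (m.group("rest") or "").split("/")
    res_type = rest[0] if len(rest) == 2 else None
    res_id = rest[-1] if rest[-1] else None
    return {"module": module, "type": res_type, "id": res_id}


def find_res_probes(html):
    """Return every res:// probe in a page, in document order (attributes and script strings alike)."""
    probes = []
    for url in RES_URL_RE.findall(html):
        parsed = parse_res_url(url)
        if parsed:
            probes.append(parsed)
    return probes


def is_fingerprinting_page(html, min_modules=3):
    """Heuristic verdict: a page probing several distinct local programs is profiling the visitor.
    The threshold is an assumption; ordinary pages rarely reference res:// at all."""
    modules = {p["module"].lower() for p in find_res_probes(html)}
    return len(modules) >= min_modules


# Constructed sample of a reconnaissance page (hypothetical paths, resource ids and handler names)
SAMPLE_PAGE = r"""
<html><body>
<img src="res://C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe/#2/#1" onload="hit('reader9')" onerror="miss('reader9')">
<img src="res://C:\Program Files\VMware\VMware Tools\VMwareTray.exe/#2/#1" onload="hit('vmware')" onerror="miss('vmware')">
<script>
var probes = ["res://C:\\Program%20Files\\Symantec\\Symantec%20Endpoint%20Protection\\Smc.exe/#2/#1",
              "res://C:\\Program%20Files\\PGP%20Corporation\\PGP%20Desktop\\PGPtray.exe/#2/#1"];
for (var i = 0; i < probes.length; i++) { var im = new Image(); im.src = probes[i]; }
</script>
<p>Conference agenda attached below.</p>
</body></html>
"""

BENIGN_PAGE = '<html><body><a href="http://www.example.com/agenda.pdf">Agenda</a></body></html>'


if __name__ == "__main__":
    for probe in find_res_probes(SAMPLE_PAGE):
        print(probe["module"], probe["type"], probe["id"])
    print("fingerprinting:", is_fingerprinting_page(SAMPLE_PAGE))
```

Run it over the HTML bodies a proxy or mail sandbox captures for a suspect link; the list of probed modules is itself intelligence, since it says which products the attacker expects to find and therefore which exploit is likely to follow. The check is deliberately independent of the probe outcome, because the defender sees the page, not the victim's onload/onerror results.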
reports of Facebook messages being used as delivery
mechanisms and the New York Times reported that
2.2 Delivery Mechanism
the “Aurora” attack on Google originated with an
The delivery mechanism in a targeted attack is
typical y an email. However, attackers may also use
2.3 Compromise/Exploit
instant messaging services to entice the target into
clicking a malicious link or downloading malware.
In order to instal malware on the target’s compu-
The emails are often sent from webmail accounts,
ter, attackers wil use malicious code that is designed
especial y Gmail, or from spoofed email addresses,
to exploit a vulnerability, or “bug,” in a particular
such as government email addresses, through com-
piece of software. Typical y, attackers are most often
promised mail servers41. Often, the email wil contain
exploiting flaws in Adobe’s PDF reader, Adobe Flash
an attached document, such as a PDF a Word
and Microsoft Office. The attack surface among
Document, Excel spreadsheet or PowerPoint presen-
these software packages is being extended by embed-
tation. These attachments contain malicious code
ding one file format inside another. For example, a
designed to exploit vulnerabilities is specific version
recent attack involved embedding a malicious Flash
Adobe’s PDF reader or Flash and versions of
object inside a Microsoft Excel spreadsheet45. As the
vulnerabilities are fixed, or “patched” attackers seek
However, attackers stil use executables as attach-
new exploits known as zero day exploits. The term
ments, or provide links to download them. Recently,
“zero day” refers to exploits for which there is no
malware has been discovered that uses Unicode cha-
patch available from the software vendor.
racters to disguise the fact that it is an executable.
While several high profile campaigns, such as the
This technique al ows the attackers to make executa-
“Aurora” attacks against Google and the recent
bles files that end with an “.exe” suffix, appear to end
breach of RSA, have leveraged zero day exploits in
in “.doc.” In order to take advantage of default
order to compromise their targets, many targeted
Windows configurations that do not show file exten-
attacks do not employ the use of zero day exploits46.
sions, attackers have attempted to trick users into
In fact, some older, reliable exploits such as CVE-
thinking that executables are simply directories by
2009-3129, CVE-2010-3333, CVE-2010-2883 for
making their executable’s icon an image of a folder42.
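The Unicode disguise described above is, in the cases seen in the wild, the RIGHT-TO-LEFT OVERRIDE character (U+202E): everything after it is drawn reversed, so a file really named "Agenda_2011<RLO>cod.exe" is displayed as "Agenda_2011exe.doc" while Windows still treats it as an .exe. The following Python is an added example for this page, not code from the paper: it reports how a name will be displayed, what it really is, and whether the two disagree, and applies that check to a list of attachment names. The attachment names are constructed, and the set of executable extensions is an assumption to be adjusted per environment.

```python
import os

# Unicode bidirectional control characters; a file manager honours them when drawing a name,
# so the visible order of characters need not match the real order (and the real extension).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows will execute directly when double-clicked (assumed list; extend as needed)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}


def strip_controls(name):
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def displayed_name(name):
    """Approximate how the name renders: text after a RIGHT-TO-LEFT OVERRIDE (U+202E) is drawn
    reversed until a POP DIRECTIONAL FORMATTING (U+202C) or the end of the string.
    This is a simplification of the bidi algorithm that holds for plain ASCII tails."""
    head, rlo, tail = name.partition("\u202e")
    if not rlo:
        return strip_controls(name)
    overridden, _, remainder = tail.partition("\u202c")
    return strip_controls(head) + strip_controls(overridden)[::-1] + displayed_name(remainder)


def inspect_filename(name):
    """Report what the user sees, what the file really is, and whether the two disagree."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_name = strip_controls(name)
    real_ext = os.path.splitext(real_name)[1].lower()
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "displayed": shown,
        "real_name": real_name,
        "real_extension": real_ext,
        "bidi_controls": controls,
        # flag when formatting characters are present and the visible extension hides an executable
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTENSIONS and shown_ext != real_ext,
    }


def flag_attachments(names):
    """Gateway-style check over a list of attachment names: returns the ones to quarantine."""
    return [n for n in names if inspect_filename(n)["suspicious"]]


# Constructed attachment names; the first two use the U+202E trick, the last two are benign
SAMPLE_ATTACHMENTS = [
    "Agenda_2011\u202ecod.exe",
    "Briefing_notes\u202efdp.scr",
    "Agenda_2011.doc",
    "Photo\u202egpj.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        r = inspect_filename(n)
        print(repr(r["displayed"]), "->", r["real_name"], "suspicious" if r["suspicious"] else "ok")
```

A mail gateway or archive scanner can apply the same rule to names inside ZIP and RAR attachments, where these files usually travel. The folder-icon trick mentioned above is not visible in the name at all; it has to be caught by inspecting the PE file's icon resource or, more simply, by refusing executables from external mail regardless of how they look.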
Adobe PDF Readers and Microsoft Office are stil in
use. In addition, attackers may use “drive-by
The attackers wil commonly instruct the com-
exploits,” such as the zero day exploit for Internet
promised computer to download second stage mal-
Explorer that was used in “Aurora” (as described in
ware, such as a remote access tool/Trojan (RAT)
MS10-002), not just malicious documents.
which al ows the attackers to take real time control of
Vulnerabilities in popular webmail services have
been exploited to compromise email accounts.
Keeping the communication channel between the
Personal email is increasingly becoming a target as
compromised machine and the command and con-
users who check their personal email accounts at
trol server open is important to the threat actors
work may provide attackers with sensitive informa-
behind targeted malware attacks. As network moni-
tion that may be related to their company47.
toring software improves and is able to identify mali-
Moreover, their personal email account can be used
cious and even anomalous traffic, an increasing
to stage future targeted attacks. While there was con-
amount of obfuscation and stealth is being used to
siderable media attention regarding a recent phishing
conceal command and control network traffic.
attack on Gmail users, there has been a variety of
Increasingly, malware is making use of cloud-based
recent attacks on popular Webmail platforms48. In
command and control in an attempt to blend in to
addition to attacks that exploited Gmail, Hotmail
normal network traffic52. These services can be used
and Yahoo! Mail users have also been targeted.
as update mechanisms that inform the compromised
While the attacks appear to have been separately
host of new command and control servers, or they
conducted, these have some significant similarities.
can be used as command and control exclusively.
Google also previously revealed that attackers are
For example, there are malware samples that use
exploiting a vulnerability in the MHTML protocol in
webmail accounts as elements of command and con-
order to target political activists who use Google’s
trol. When malware connects to wel known services
services49. Trend Micro researchers in Taiwan revea-
such as Gmail or Yahoo! Mail the session is protec-
led a phishing attack that exploited a vulnerability in
ted by SSL encryption and therefore network moni-
Microsoft’s Hotmail service. In fact, rather than clic-
toring software wil be unable to determine if the
king a malicious link, even the simple act of previe-
subsequent traffic is malicious or not. The attackers
wing the malicious email message can compromise a
use such webmail accounts to send commands to
user’s account50. Trend Micro researchers also
compromised hosts, update compromised hosts with
recently alerted Yahoo! of an attempt to exploit
additional malware tools or components, and ex-fil-
Yahoo! Mail by stealing users’ cookies in order to
trate data from compromised hosts. In addition to
gain access to their email accounts51.
webmail services, could-based storage services are
Attackers are able to successful y exploit their tar-
being used to host additional malware components.
gets because their reconnaissance, along with kno-
The use of such services provides the attackers with
wledge gained from previous attacks, al ows them to
command and control infrastructure that cannot be
determine what exploits to deploy. If certain attack
vectors are wel secured, attackers wil locate areas of
2.4 Command and Control

When malware is executed on the target's system, it "checks in" with one or more servers under the control of the attackers. Command and control mechanisms allow the threat actors to confirm that an attack has succeeded, typically supply them with some information about the target's computer and network, and allow the attackers to issue commands to the compromised target. The initial malware is often a simple, small "dropper," so the attackers will often instruct the compromised computer to download components that have additional functionality.

Some threat actors use compromised legitimate sites as command and control servers. This allows the attackers some element of deception because even if the network communication is detected as anomalous, upon further inspection the website will be determined to be legitimate. One threat actor simply embeds commands within HTML comment tags in web pages on compromised, legitimate web sites. The malware simply visits these pages and extracts and decodes the commands. The use of custom base64 alphabets and XOR makes decoding the commands and the network traffic increasingly difficult. In addition, attackers are making use of stolen or forged SSL certificates in an attempt to make their network traffic appear to be legitimate.
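As an added analyst-side example, not code from the paper, the following Python decodes commands hidden in HTML comments the way the passage describes: a custom base64 alphabet followed by XOR. The alphabet, key and sample page are constructed here; for a real sample both would have to be recovered from the malware.

```python
import base64
import re
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical custom alphabet, constructed as a rotation of the standard one;
# a real sample uses an arbitrary permutation that analysis has to recover.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64decode(token: str, alphabet: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode normally."""
    return base64.b64decode(token.translate(str.maketrans(alphabet, STD_ALPHABET)))


def extract_commands(html: str, alphabet: str, key: bytes) -> list:
    """Return the plaintext commands hidden in the HTML comments of one page.

    A comment is a candidate only if every character belongs to the custom
    alphabet (plus '=' padding); tokens that fail to decode or decode to
    non-printable text are dropped, so ordinary comments never show up.
    """
    valid = set(alphabet + "=")
    commands = []
    for raw in COMMENT_RE.findall(html):
        token = raw.strip()
        if not token or any(c not in valid for c in token):
            continue
        try:
            text = xor_bytes(custom_b64decode(token, alphabet), key).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            commands.append(text)
    return commands


def encode_command(cmd: str, alphabet: str, key: bytes) -> str:
    """Inverse of the decoder; used here only to build the constructed sample page."""
    b64 = base64.b64encode(xor_bytes(cmd.encode("ascii"), key)).decode("ascii")
    return b64.translate(str.maketrans(STD_ALPHABET, alphabet))


SAMPLE_KEY = b"\x5a"  # constructed single-byte XOR key
# Constructed page standing in for a compromised site: two real comments,
# two comments carrying encoded commands.
SAMPLE_PAGE = (
    "<html><head><!-- generated by cms 2.1 --></head><body>\n"
    "<p>Welcome to our site</p>\n"
    "<!-- " + encode_command("sleep 3600", CUSTOM_ALPHABET, SAMPLE_KEY) + " -->\n"
    "<!-- TODO: fix footer -->\n"
    "<!-- " + encode_command("sysinfo", CUSTOM_ALPHABET, SAMPLE_KEY) + " -->\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print(extract_commands(SAMPLE_PAGE, CUSTOM_ALPHABET, SAMPLE_KEY))
```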
Some threat actors continue to register domain names for their own exclusive use while others rely on dynamic DNS services for free sub-domains. The free sub-domains provided by dynamic DNS services are often used in conjunction with off-the-shelf RATs such as gh0st and poisonivy. While the threat actors are offline, the domain names will often resolve to localhost or invalid IP addresses, and when they come online the domains will resolve to the IPs of the threat actors. Third-party locations can be

Trend Micro uncovered a campaign of targeted attacks that have successfully compromised defense industry companies in Japan, Israel, India and the USA. The second stage of the attacks involved two components, one of which contained custom DLLs created for specific targets and the other a RAT known as "MFC Hunter." This RAT contains three components: the malware that is installed on the victim's computer, the client through which the attacker controls the victim's computer and a "hub" which acts as an intermediary disguising the true location of the attacker [53]. Joe Stewart was able to track the use of a similar hub known as "htran" through error messages that disclosed the attackers' true location

However, there are other methods used to maintain persistence that are less well known. One method known as "DLL search order hijacking" involves placing malicious DLLs in specific locations with specific names so that they are loaded by legitimate applications, leaving no forensic traces [56].

Once inside the system, attackers will move laterally throughout the network. They typically download remote-access Trojans (RATs) or tools that allow them to execute shell commands in real time on the compromised host. In addition, they may seek to escalate their privileges to that of an administrator using techniques such as "pass the hash" and seek out key targets such as mail servers [57]. The attackers often download and use tools to "bruteforce" attack database servers, extract email from Exchange servers and attempt to acquire legitimate access, such as VPN credentials, so that they may maintain access to the network even if their malware is discovered. As the attackers move throughout the target's network they explore and collect information that can be used in future attacks or information that can be prepared
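An added example, not from the paper, of turning the dynamic DNS behaviour described above into a detection: names that alternate between parked answers (localhost, 0.0.0.0) and real addresses, queried by a host at regular intervals. The resolver log format, host names and addresses are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "<timestamp> <client> <name> <type> <answer>".
SAMPLE_DNS_LOG = """\
2011-09-12T08:01:10 ws-017 updates.vendor.example A 203.0.113.10
2011-09-12T08:02:44 ws-017 svc-sync.dyn.example A 127.0.0.1
2011-09-12T08:32:51 ws-017 svc-sync.dyn.example A 127.0.0.1
2011-09-12T09:03:02 ws-017 svc-sync.dyn.example A 198.51.100.77
2011-09-12T09:33:15 ws-017 svc-sync.dyn.example A 198.51.100.77
2011-09-12T10:03:27 ws-017 svc-sync.dyn.example A 0.0.0.0
2011-09-12T10:15:00 ws-042 intranet.corp.example A 10.1.2.3
2011-09-12T11:00:00 ws-042 updates.vendor.example A 203.0.113.10
"""


def is_parked(addr: str) -> bool:
    """Answers that cannot be a live server: loopback, unspecified or reserved."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified or ip.is_reserved


def parse_dns_log(text: str):
    for line in text.splitlines():
        ts, client, name, rtype, answer = line.split()
        if rtype in ("A", "AAAA"):
            yield datetime.fromisoformat(ts), client, name.lower(), answer


def is_regular(timestamps: list, min_intervals: int = 3, tolerance_s: float = 60) -> bool:
    """True when consecutive queries are evenly spaced, as a beacon's are."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return len(gaps) >= min_intervals and max(gaps) - min(gaps) <= tolerance_s


def suspicious_domains(text: str) -> dict:
    """Names that resolved to both parked and real addresses, with the querying
    clients and a beaconing flag. Internal names that only ever resolve to
    RFC 1918 space and vendor names with stable answers are left out."""
    history = defaultdict(list)
    for ts, client, name, addr in parse_dns_log(text):
        history[name].append((ts, client, addr))
    report = {}
    for name, events in history.items():
        parked = sorted({a for _, _, a in events if is_parked(a)})
        live = sorted({a for _, _, a in events if not is_parked(a)})
        if not parked or not live:
            continue
        by_client = defaultdict(list)
        for ts, client, _ in events:
            by_client[client].append(ts)
        report[name] = {"parked": parked, "live": live,
                        "clients": sorted(by_client),
                        "beaconing": any(is_regular(v) for v in by_client.values())}
    return report
```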
In addition to redundancy, the attackers also seek to obfuscate their malicious network traffic by leveraging intermediaries and attempts to blend in with legitimate traffic. As a result, threat actors are able to leverage a variety of strategies to maintain communications between compromised hosts and their command

2.5 Persistence/Lateral Movement

Once inside the target's network, the threat actors engaging in targeted malware attacks seek to accomplish two objectives. First, they seek to maintain persistent access to the target's network and second they seek to move laterally throughout the network locating data of interest for ex-filtration. In order to maintain persistence, the initial malware payload will have some method to ensure that it is restarted after a reboot of the compromised computer. In many cases, the persistence mechanism will consist of simple methods such as adding the malware executable to the Windows "startup" folder, modifying the Run keys in the Windows Registry or installing an application as a Windows Service. The security firm Mandiant found that 97% of the targeted malware they analyzed used these simple mechanisms [55].

2.6 Data Ex-filtration

The primary objective of the threat actors behind targeted attacks is the transmission of sensitive data to locations under the attacker's control. In order to accomplish this objective, the attackers will collect the desired data and compress it and then split the compressed file into chunks that can be transmitted to locations under the attacker's control. A variety of transmission methods are used, such as FTP and HTTP; however, attackers are now making use of more secure methods such as ex-filtrating data using

With some attacks, data ex-filtration will occur quite quickly. Often, the malware will send directory and file listings to the command and control server. The attacker may then request specific files or directories to be uploaded. Threat actors that rely on RATs may use the built-in file transfer functionality

In cases where the attackers have an established presence, data, such as the contents of mail servers, will be collected and moved to a staging area for ex-filtration [59]. The attackers will typically use compression tools, such as Rar, to package the data for ex-filtration. The attacker will then return from time to

3. Detection and Mitigation
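The compress, split and transmit pattern of section 2.6 leaves a recognisable trace in web-proxy logs: a burst of equally sized uploads from one host to one external destination, with a smaller final chunk. The following detection logic is an added example, not the paper's code; the proxy log format, addresses and host names are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed proxy log: "<timestamp> <src> <dst-host> <method> <bytes-out> <uri>".
SAMPLE_PROXY_LOG = """\
2011-09-12T09:15:00 10.1.5.23 mail.corp.example POST 5120 /owa/ev.owa
2011-09-12T12:00:00 10.1.7.9 cdn.vendor.test GET 0 /update.xml
2011-09-12T14:00:00 10.1.7.9 share.partner.test POST 2097152 /upload
2011-09-12T22:01:03 10.1.5.23 files.example-cdn.test POST 1048576 /up/a1.bin
2011-09-12T22:01:09 10.1.5.23 files.example-cdn.test POST 1048576 /up/a2.bin
2011-09-12T22:01:16 10.1.5.23 files.example-cdn.test POST 1048576 /up/a3.bin
2011-09-12T22:01:22 10.1.5.23 files.example-cdn.test POST 1048576 /up/a4.bin
2011-09-12T22:01:29 10.1.5.23 files.example-cdn.test POST 1048576 /up/a5.bin
2011-09-12T22:01:35 10.1.5.23 files.example-cdn.test POST 1048576 /up/a6.bin
2011-09-12T22:01:42 10.1.5.23 files.example-cdn.test POST 1048576 /up/a7.bin
2011-09-12T22:01:48 10.1.5.23 files.example-cdn.test POST 1048576 /up/a8.bin
2011-09-12T22:01:55 10.1.5.23 files.example-cdn.test POST 314159 /up/a9.bin
"""


class Upload(NamedTuple):
    ts: datetime
    src: str
    dst: str
    size: int


def parse_uploads(text: str):
    """Yield only requests that carry a body out of the network."""
    for line in text.splitlines():
        ts, src, dst, method, size, _uri = line.split(maxsplit=5)
        if method in ("POST", "PUT") and int(size) > 0:
            yield Upload(datetime.fromisoformat(ts), src, dst, int(size))


def summarize_burst(burst: list, min_chunks: int):
    """A burst is reportable when one body size repeats at least min_chunks
    times: split archive volumes are all the same size except the last one."""
    size, count = Counter(u.size for u in burst).most_common(1)[0]
    if count < min_chunks:
        return None
    return {"src": burst[0].src, "dst": burst[0].dst, "chunk_size": size,
            "chunks": len(burst), "total_bytes": sum(u.size for u in burst),
            "start": burst[0].ts.isoformat(), "end": burst[-1].ts.isoformat()}


def detect_chunked_uploads(text: str, min_chunks: int = 4,
                           max_gap: timedelta = timedelta(minutes=5)) -> list:
    """Group uploads per (src, dst), cut them into bursts at gaps longer than
    max_gap, and report every burst dominated by a single chunk size."""
    groups = defaultdict(list)
    for up in parse_uploads(text):
        groups[(up.src, up.dst)].append(up)
    findings = []
    for uploads in groups.values():
        uploads.sort(key=lambda u: u.ts)
        bursts, burst = [], [uploads[0]]
        for up in uploads[1:]:
            if up.ts - burst[-1].ts <= max_gap:
                burst.append(up)
            else:
                bursts.append(burst)
                burst = [up]
        bursts.append(burst)
        for b in bursts:
            finding = summarize_burst(b, min_chunks)
            if finding:
                findings.append(finding)
    return findings
```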
The precise nature of targeted attacks increases the difficulty of defense. With significant reconnaissance, and possibly information gained from previously successful incursions into the target's network, the threat actors behind targeted attacks are able to customize their attacks to increase the probability of success. For example, they can ensure that the malware they send to their targets exploits specific software on the target's computer and they can modify the malware so that it is not detected by the security solutions deployed in the target's environment. Therefore, defenses against targeted attacks need to focus on detection and mitigation and not simply on prevention. Moreover, it is important to recognize that the ultimate objective of targeted attacks is the acquisition of sensitive data; therefore, defensive strategies need to include the discovery and classification of sensitive data and take into account the context in which the data is being used. Once identified, appropriate access controls can be

The ability to develop and act on threat intelligence underpins any defensive strategy. Threat intelligence refers to indicators that can be used to identify the tools, tactics and procedures of threat actors engaging in targeted attacks. This information can include the domain names and IP addresses used by attackers to send spear phishing emails or to host their command and control servers. It can refer to the presence of certain files or registry modifications on compromised computers. Threat intelligence not only refers to such malware artifacts, but also to behavioral characteristics such as the preferred tools and movement patterns of threat actors after the

While organizations will benefit significantly from threat intelligence derived from external sources, it is important that an organization begin to develop local threat intelligence based on its own unique circumstances. The ability to detect suspicious behaviors indicative of targeted attacks will depend on how effectively this threat intelligence is leveraged. The core components of a defensive strategy based on leveraging local and external threat

• Enhanced Visibility—Logs from endpoints, servers and network monitoring are an important and often underused resource that can be
within an organization that can be processed for anomalous behaviors that could indicate a
• Integrity Checks—In order to maintain persistence, malware will make modifications to the file system and registry. Monitoring such changes can indicate the presence of malware.
• Empowering the human analyst—Humans are best positioned to identify anomalous
aggregated logs from across the network. This
custom alerts based on the local and external

Security solutions that protect at the endpoint and network levels are important, but the technical solutions deployed against targeted malware attacks need to empower analysts with both the tools and the threat intelligence required to identify and mitigate targeted attacks. Security analysts with access to real-time views of the security posture of their organization are better positioned to detect, analyze and remediate targeted attacks. In order to do so, they require visibility across the network through the use of monitoring and logging tools. Most of the hosts within a network, whether they are workstations, servers or appliances, create logs and event data that, once aggregated, can be used to detect anomalous behavior indicative of a targeted attack.

Education and training programs combined with explicit policies and procedures that provide avenues for reporting and a clear understanding of roles and responsibilities are an essential component of defense. While traditional training methods are important, simulations and exercises using real spear phishing attempts can be used to engage and educate [61]. Those that are trained to expect targeted malware attacks are better positioned to report potential threats and constitute an important source of threat intelligence. Ultimately, education can generate a more security-conscious culture within an organization.

Finally, the primary objective of targeted attacks is access to sensitive data. Today, sensitive information is not only stored in databases but in the cloud and is accessible through a variety of methods including mobile devices. While securing the network layer remains an important component of any defensive strategy, it is also critically important to specifically protect data as well. Identifying and classifying sensitive data allows the introduction of access controls and enhanced monitoring and logging technologies that can alert defenders of attempts to access or
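The Integrity Checks point above and the persistence mechanisms of section 2.5 (Run keys, the Startup folder, services) translate into a baseline-versus-current comparison of autostart locations, with local threat intelligence applied to what changed. This is an added example, not from the paper; the two snapshots, the indicator and the path heuristics are constructed.

```python
import re

# Constructed autostart snapshots, {location: {entry: command}}. A real collector
# would read the HKLM/HKCU Run keys, the Startup folder and the service list.
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
BASELINE = {
    RUN_KEY: {"SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    "Services": {"Spooler": "C:\\Windows\\System32\\spoolsv.exe"},
    "Startup folder": {},
}
CURRENT = {
    RUN_KEY: {"SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
              "msupdate": "C:\\Users\\Public\\svchost.exe"},
    "Services": {"Spooler": "C:\\Windows\\System32\\spoolsv.exe",
                 "NetSvcHelper": "C:\\ProgramData\\nethlp.exe -k"},
    "Startup folder": {"update.lnk": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
}
# Local threat intel: a file name seen in an earlier incident (constructed).
KNOWN_BAD_NAMES = {"nethlp.exe"}
USER_WRITABLE = re.compile(
    r"\\(users\\public|programdata|appdata\\local\\temp|windows\\temp)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def binary_name(command: str) -> str:
    """Executable file name from a command line (quoted or not), lower-cased."""
    path = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def diff_autostart(baseline: dict, current: dict) -> list:
    """(location, entry, kind, command) for entries added or changed since baseline."""
    changes = []
    for location, entries in current.items():
        old = baseline.get(location, {})
        for name, command in entries.items():
            if name not in old:
                changes.append((location, name, "added", command))
            elif old[name] != command:
                changes.append((location, name, "changed", command))
    return changes


def assess(change: tuple, known_bad=KNOWN_BAD_NAMES) -> list:
    """Reasons to look at an entry first; an empty list means low priority."""
    command = change[3]
    name = binary_name(command)
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("runs from user-writable path")
    if name in SYSTEM_NAMES and "\\windows\\system32\\" not in command.lower():
        reasons.append("system binary name outside System32")
    if name in known_bad:
        reasons.append("matches local threat-intel indicator")
    return reasons


def review(baseline: dict = BASELINE, current: dict = CURRENT) -> list:
    """Autostart changes paired with their findings, most suspicious first."""
    items = [(c, assess(c)) for c in diff_autostart(baseline, current)]
    return sorted(items, key=lambda item: -len(item[1]))
```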
5. Conclusion

Targeted attacks remain a high priority threat that is difficult to defend. These attacks leverage social engineering and malware that exploits vulnerabilities in popular software to slip past traditional defenses. While such attacks are often seen as isolated events, they are better conceptualized as campaigns, or a series of failed and successful intrusions. Once inside the network, the attackers are able to move laterally in order to target sensitive information for ex-filtration. The impact of successful attacks can be severe and any data obtained by the attackers can be used in future, more precise attacks. However, defensive strategies can be dramatically improved by understanding how targeted attacks work as well as trends in the tools, tactics and procedures of the perpetrators. Since such attacks focus on the acquisition of sensitive data, strategies that focus on protecting the data itself, wherever it resides, are extremely important components of defense. By effectively using threat intelligence derived from external and internal sources combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks.

BIOGRAPHY
Gastone Nencini has a significant career in the IT sector, which began over 25 years ago with experience as a programmer at Elsi Informatica and continued at Genesys as Technical Manager.
In 1998 Nencini joined Trend Micro Italy, where he was appointed Senior Sales Engineer for Central and Southern Italy, later moving to a role of greater responsibility and prestige, first becoming Technical Manager South Europe (Italy, France, Spain and Portugal) and then focusing on the Italian market and taking on the position of Senior Technical Manager Italy, coordinating a team of Pre Sales and
In 2012 Nencini became Senior Technical Manager Southern Europe and, in 2013, also Country Leader of
During these years at Trend Micro, Gastone Nencini has managed and supervised a series of important security projects for major customers, among which, at the Italian level, one can cite: Telecom, Fiat, Poste, Vodafone, Ferrari, Banca Nazionale del Lavoro, Banca Intesa San Paolo.
Nencini has also introduced innovative assistance and support services for Enterprise customers and for the
1) For the attacks on Google, see http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
2) For the compromises in Canada, South Korea and France, see www.cbc.ca/news/technology/story/2011/02/17/cyber-attacks-
www.computerworld.com/s/article/9213741/French_gov_t_gives_more_details_of_hack_150_PCs_compromised,
http://english.yonhapnews.co.kr/national/2011/03/07/86/0301000000AEN20110307002200315F.html
3) http://euobserver.com/9/32049, www.bbc.co.uk/news/technology-13748488
4) www.rsa.com/node.aspx?id=3872010/01/new-approach-to-china.html, www.comodo.com/Comodo-Fraud-Incident-2011-03-
5) www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/,
www.nytimes.com/2011/06/04/technology/04security.html
6) www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/, www.reuters.com/article/2011/07/06/us-energylab-hackers
7) Diplomatic cables leaked by WikiLeaks reveal that the U.S. government suffered ongoing intrusions by one particular threat actor
http://cablesearch.org/cable/view.php?id=08STATE116943. The following overview of targeted attacks builds off initial research
www.threatchaos.com/home-mainmenu-1/16-blog/571-strategic-industries-should-go-on-high-alert
8) www.time.com/time/printout/0,8816,1098961,00.html
9) www.guardian.co.uk/politics/2006/jan/19/technology.security
10) www.spiegel.de/international/world/0,1518,502169,00.html
11) www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html?ref=technology
12) www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm
13) http://events.ccc.de/congress/2007/Fahrplan/attachments/1008_Crouching_Powerpoint_Hidden_Trojan_24C3.pdf,
http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf, http://isc.sans.edu/diary.html?stor-
14) http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf
15) www.nytimes.com/2009/03/29/technology/29spy.html, www.nartv.org/mirror/ghostnet.pdf
16) www.nytimes.com/2010/04/06/science/06cyber.html, www.nartv.org/mirror/shadows-in-the-cloud.pdf
17) www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved
18) www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
19) www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
20) http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/12802_trend_micro_lurid_whitepaper.pdf
21) http://threatinfo.trendmicro.com/vinfo/web_attacks/Stuxnet%20Malware%20Targeting%20SCADA%20Systems.html
22) www.symantec.com/connect/blogs/stuxnet-breakthrough
23) http://threatpost.com/en_us/blogs/report-iran-resorts-rip-and-replace-kill-stuxnet-072211
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/wp04_cybercrime_1003017us.pdf
Zeus: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
FAKEAV: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/unmasking_fakeav_ _
25) www.nartv.org/mirror/kneber_spearphishing_crimeware.pdf, www.nartv.org/2010/08/27/crime-or-espionage/
www.nartv.org/2010/09/09/crime-or-espionage-part-2/, http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-
26) www.theregister.co.uk/2011/09/13/apt_botnet_symbiosis/print.html, http://krebsonsecurity.com/2011/01/ready-for-cyber-
27) www.krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/
28) http://blog.trendmicro.com/how-sophisticated-are-targeted-malware-attacks/
29) www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10339/ps10354/targeted_attacks.pdf
30) http://blog.trendmicro.com/highly-targeted-attacks-and-the-weakest-links/
31) http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/,
http://computer-forensics.sans.org/blog/2010/06/21/security-intelligence-knowing-enemy and
www.rsa.com/innovation/docs/SBIC_RPT_0711.pdf
32) http://news4geeks.net/2011/08/04/researcher-fol ows-rsa-hacking-trail-to-china/
33) http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/datalossprevention/wp02_dlp-compliance-solu-
34) http://portal.acm.org/citation.cfm?id=1067721.1067728&coll=ACM&dl=ACM
35) www.nartv.org/mirror/shadows-in-the-cloud.pdf and
http://portal.acm.org/citation.cfm?id=1290958.1290968&coll=GUIDE&dl=GUIDE&CFID=74760848&CFTOKEN=96817982
36) For example, the information contained in the email headers can be processed for anomalies, and information such as origina-
ting IP address and the route an email took to get to its destination can indicate that an email did not originate from the sender it
37) www.computerworld.com/s/article/print/9015092/White_House_use_of_outside_e_mail_raises_red_flags?taxonomyName=I+
www.computerworld.com/s/article/print/9114934/Update_Hackers_claim_to_break_into_Palin_s_Yahoo_Mail_account?taxonomy
38) www.nartv.org/2010/09/09/crime-or-espionage-part-2/
39) http://blog.trendmicro.com/how-sophisticated-are-targeted-malware-attacks/
40) http://xs-sniper.com/blog/2007/07/20/more-uri-stuff-ies-resouce-uri/
41) http://contagiodump.blogspot.com/2011/04/contagio-data-spear-phish-email-senders.html
42) www.nartv.org/2010/03/07/malware-attacks-on-solid-oak-after-dispute-with-greendam/ and
www.f-secure.com/weblog/archives/00001675.html
43) www.nartv.org/2010/07/29/human-rights-and-malware-attacks/
44) www.nytimes.com/2010/04/20/technology/20google.html and http://blogs.aljazeera.net/asia/2011/03/23/china-and-google-
45) http://contagiodump.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
46) For example, of the 251 targeted malware attacks received by contagiodump.blogspot.com, only 10 were zeroday.
47) http://blog.trendmicro.com/targeted-attack-exposes-risk-of-checking-personal-webmail-at-work/
48) http://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html and http://blog.trendmicro.com/targeted-
attacks-on-popular-web-mailservices-signal-future-attacks/ http://contagiodump.blogspot.com/2011/08/targeted-attacks-against-
49) http://googleonlinesecurity.blogspot.com/2011/03/mhtml-vulnerability-under-active.html
50) http://blog.trendmicro.com/trend-micro-researchers-identify-vulnerability-in-hotmail
51) http://blog.trendmicro.com/targeted-attacks-on-popular-web-mail-services-signal-future-attacks/
52) www.nartv.org/2010/10/22/command-and-control-in-the-cloud/ and
http://blog.zeltser.com/post/7010401548/bots-command-and-control-via-social-media
53) http://blog.trendmicro.com/japan-us-defense-industries-among-targeted-entities-in-latest-attack/
54) www.secureworks.com/research/threats/htran/
55) www.mandiant.com/products/services/m-trends/
56) http://blog.mandiant.com/archives/1207
57) www.mandiant.com/products/services/m-trends/
58) www.nartv.org/mirror/shadows-in-the-cloud.pdf
59) www.mandiant.com/products/services/m-trends/
60) http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/datalossprevention/esg_outside-in_approach.pdf
61) www.rsa.com/innovation/docs/SBIC_RPT_0711.pdf
62) http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/leakproof/wp01_leakproof_dlp_100105us.pdf