2017 the year of the Non-Malware Attacks

What is a “non-malware” attack?

Image Source: https://www.firstclassassignment.com/value-risk-finance/

A non-malware attack is an attack that does not use malware. Simple.

More realistically, a non-malware attack is one in which an attacker uses existing software or allows (remote access) applications and authorized protocols (e.g., RDP, ssh, etc.) to carry out malicious activities on your network.

In a non-malware attack, the threat actor uses the accessible software to gain entry into the targeted network, control the victimized computers and from this point perform any sort of nefarious actions all within “full view” of all security safeguards.

These native tools grant users exceptional rights and privileges to carry out the most basic commands across a network that will eventually lead to your valuable data. With a non-malware attack, the victim has built into their traditional business model all the tools and access the threat actor needs to have to be successful. Yes, you could have made the bad-guy successful.

Without proper monitoring, the victim has, with legitimate business software (e.g., PowerShell, UltraVNC, TeamViewer, DesktopNow, etc.)[1], opened the front door to their kingdom and welcomed the threat actor with a big, warm hug and a hot cup of coffee.

In a recent Carbon Black report[2] they make note that; “Virtually every organization included in this research was targeted by a non-malware attack in 2016.” Furthermore, in the same report, Carbon Black also states there has been a +92% increase in non-malware based attacks for 2016.

The Carbon Black report says common types of non-malware attacks researches reported seeing and the percentage that saw them were: remote logins (55%); WMI-based attacks (41%); in-memory attacks (39%); PowerShell-based attacks (34%); and attacks leveraging Office macros (31%).[3]

Remember, I am not saying that any of these remote access utilities do not have a legitimate use. What I am pointing out is that non-malware remote access utilities, properly managed and not used in an ad-hoc fashion, can be very useful. However, after you add in the hubris of the Human Element (HE), this is hardly ever the case and security professionals are left scrambling to identify authorized vs. unauthorized use and access which is quite time-consuming.

What makes a non-malware attack work?

What makes a non-malware attack so successful? The answer is simple, we give the threat actor all the tools they need to be successful. We (the royal “we”) fully equip the threat actor with all the necessary tools and access simply by doing our normal daily activity and business.

Some of the more famous non-malware attacks or attack trends include the attack against the Democratic National Committee (DNC) and the “PowerWare”[4]  campaign tracked by the Carbon Black teams.

Remember, the basis of a non-malware attack is to gain a toe-hold with little threat of detection. From this point, the threat actor determines how to promulgate the attack internally.

Why are non-malware attacks so hard to prevent and detect?

Traditional security approaches in detecting non-malware (malicious) attacks will probably be 100% ineffective. This is because traditional security platforms and most modern security platforms were not designed to detect non-malware attacks in mind.

In addition to GuidePoint’s IR experiences, Carbon Black[5] has performed extensive research on non-malware based attacks, and has provided their findings in {https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/}. Unfortunately, traditional antivirus (A/V) is ineffective in detecting non-malware based attacks, and security professionals should consider the use of technologies that incorporate Artificial Intelligence (AI), Machine Learning (ML), and User and Entity Behavior Analytics (UEBA) to effectively thwart non-malware based attacks.

Traditional A/V was never designed to detect non-malware attacks. They are basically designed as a signature-based threat detection platform that typically only monitors when a known malware signature has been written to disk. Non-malware based attacks are not identified as malware.

Image Ref: www.carbonblack.com

“AI and ML’s roles in preventing cyberattacks have been met with both hope and skepticism. They have been marketed as game-changing technologies though doubts still persist, especially when used in siloes. Their emergence is due largely to the climbing number of breaches, increased prevalence of non-malware attacks, and the waning efficacy of legacy antivirus (AV)”.[6]

Real-World Example

In one real world example, of a non-malware attack the GPS/DFIR team responded to a customer request to analyze some anomalous network activity their security team had been witnessing for a couple of months (yes, months).

The Incident Responders were able to monitor an initial select set of endpoints and network segments.  Soon the GuidePoint Security Digital Forensics & Incident Response (GPS/DFIR) team identified the fact that no remote access malware was present and that network/system access was gained through compromised accounts via non-malware attack.

This was a complex DFIR investigation that involved multiple security and forensic disciplines, 24/7 monitoring of all network segments and an enterprise wide deployment with high fidelity endpoint sensors.  Also, customized onsite databases had to be designed so that all sensor data could be aggregated and analyzed in near-real-time.

The end result was a lengthy engagement with multiple forensic responders chasing and tracking the threat actor inside a global network.  The threat actor was using non-malware techniques, system administration tools and a variety of security tools to compromise user accounts, escalate privileges, access systems and exfiltrate data for profit.

Defense for non-malware based attacks

Remember, non-malware attacks will use legitimate software to perform malicious activity.  However, fielding a proper, holistic security strategy that encompasses enterprise level end point and UEBA advanced analysis that enables your overall investigative, cyber-hunt and security strategy should be carefully considered.

GPS/DFIR has a track record of investigating and analyzing such non-malware based attacks and with the combined strategic arm of GuidePoint’s security experts and knowledge of the security platforms available, we can help define the best short-term and long-term security roadmap for your organization.

As a basic defense, there are some “snap-shot” remedies that can be easily implemented:

  • Allow few (justified) remote access applications to be used (e.g., Windows RDP, TeamViewer, etc.) in your environment on your systems.  Ensure all remote access requires multi-factor authentication.
  • Because some applications can be manipulated and replaced it is important to have forensically hashed versions identified
    • Share those authorized forensic hash values with your security and IR teams
    • Place the authorized hash values into any white listing or AV applications
  • Only allow a pre-defined group of employees with a legitimate business need to use the remote access applications
  • Identify to your internal security and IR teams the list of who is authorized to use the remote access software
  • Have employees read and sign an “Acceptable Use” policy for the software or applications
  • Develop internal security alerts and rules that identify anomalous behavior and/or connections and alert/respond to those “out of parameter” activities
  • Educate your employees as to the vulnerabilities of such applications
  • Incorporate all non-malware investigative and response activities into your IR plans and run-books

The first line of defense in any effective security organization is the Human Element (HE). With proper education and training, employees can and do typically provide significant feedback as to unusual or questionable behavior.  So, open lines of communication within all business units can only benefit the entire security posture of your organization.

Conclusion

In conclusion, as in the real-world example, forensic analysis validated this particular threat actor using a non-malware attack method was active on this global network for over two years.  Essentially, most of their malicious activity was completely cloaked within the victim’s daily business activity and they were able to work autonomously.

This real-world example is being played out every day in companies all over the globe.  And as GPS/DFIR witnessed in this example, talented security teams recognized the threat but also realized their own team’s limitations and asked for outside help.

Non-malware attacks will never go away, rather we strongly believe that they will only increase in count and complexity and we strongly recommend that you ensure your organization is prepared to deal with this growing threat.

[1] https://www.lifewire.com/free-remote-access-software-tools-2625161

[2] https://cdn.www.carbonblack.com/wp-content/uploads/2017/04/Carbon_Black_Threat_Report_Non-Malware_Attacks_and_Ransomware_FINAL.pdf

[3] https://www.networkworld.com/article/3186497/security/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html

[4] https://www.networkworld.com/article/3186497/security/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html

[5] www.carbonblack.com

[6] https://www.carbonblack.com/2017/03/28/beyond-hype-security-experts-weigh-artificial-intelligence-machine-learning-non-malware-attacks/

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence at GuidePoint Security, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

Android Malware (SonicSpy) “Ludo Coins RAT”

Image Reference: http://www.ludocoins.com/

Android malware is not something I typically perform forensic analysis on, but this one caught my eye. This caught my eye mainly because it was in a threat actor database directory that GuidePoint Security’s (GPS) Digital Forensic and Incident Response (DFIR) team has been watching, and also because it is the first sample of Android malware I have seen posted on this particular threat actors database.

Knowing this threat actor has had some recent successes, I thought I should take a look at this Android malware and give it the ole’ forensic once-over. I’m glad I did.

Considering Google is fighting a massive Android malware outbreak [1], and 99% of all mobile malware is Android malware[2], this would be a good way to “enter” into a targeted environment and start to move laterally.  But wait until you see what this Android Remote Access Trojan (RAT) can do.

GPS DFIR teams perform forensic analysis of malware in an effort to provide OSINT and our customers real, actionable and valid forensic IOCs (e.g., Hash values, IPv4, etc.).  It is these IOCs that allow our customers the ability to “plug” them into security devices for action, detection and prevention.

Background

Because of ongoing threat investigations that I will not disclose in this analysis, I have labeled this Android malware “Ludo Coins” RAT.  Yes, I believe there could be a direct correlation to ludocoins.com and, among other things, this RAT could be used to capitalize on the Ludo Coins business model for cash.

Overview

GPS DFIR harvested this sample directly from the threat actor’s database server and was subsequently analyzed in the GPS forensic malware analysis lab.

Overall impression of this RAT is that it has a good overall design and will capture and control all major components and features of your Android mobile device.  The reader should be quite aware that after installation the victimized user will have no control over that mobile device.

Sample Analyzed

MD5:   ee7fba3487165f00533e4fd90bca531f
SHA256:    7eb6a65a7d9ee2bfc9b8df6442cfa2c76f4753663297d2dabafc023b1bd2370b

Analysis Platform

Android x86 5.1 (“Android 4”)

Analysis Summary

Overall, this RAT has very little visual clues that it has been installed.  Remember, this is a RAT and it will allow a remote threat actor full control of your Android device.

It does have the ability to change the wallpaper so the threat actor can change (android.app.WallpaperManager.setBitmap) if they so wish.

Test Image 1: Android Screen Capture

During testing, I also noted the RAT can access the Android keyguard (lock screen) and allow the remote threat actor to query the phone’s “GPS” location.

The RAT also performs anti-forensic activities once it is initialized:

  • Deletes call logs/history
  • Deletes other (installed) packages (platform dependent)
  • Kills background processes
  • Obfuscates method names

After deployment/installation, the RAT has the capability of performing a variety of command level functions – remotely:

  • Dials phone numbers and sends SMS (SmsManager) in the background
  • Monitors, redirects and/or block calls
  • Records audio (while running in the background)
  • Takes photos
  • Records any audio/media running on the Android device

The RAT also has specific remote access functionality:

  • Uses Download Manager to fetch additional RAT components
  • Redirects camera/video feed
  • Reads call logs & browser history
  • Monitors incoming & outgoing phone calls and SMS messages
  • Conducts remote query
    • Query list of installed applications
    • Camera Information
    • Stored mail
    • Phone contact information
  • Queries the SIM provider ISO country code
  • Queries the network operator ISO country code
  • Queries device unique ID (e.g., IMEI, MEID, etc.)

Spreading

This RAT has the ability to spread throughout a WiFi environment after initial installation.  It can change the (local) WiFi settings in which it can chose to connect and disconnect from selected WiFi networks.  It can also scan access points for available WiFi networks.

Remember, once it conducts these activities it will transmit the information back to the threat actor and with a reasonable level of effort the threat actor will be able to plot your general geographical location and have knowledge of your WiFi preferences and access.

Summary

Overall, if this Android malware (SonicSpy) infects an Android device, the user will have few visual indications that they have been infected and unless the network IOCs are being monitored, there will be little evidence of an infection.

In my opinion, if an Android device has been infected with SonicSpy, it will command root level access, remain persistent, and make other malicious changes to your mobile device. About the only safe thing you can do at that point is to take a hammer to the Android device and physically destroy it.

https://i.ytimg.com/vi/t6198YIn31g/maxresdefault.jpg

At least after you destroy your Android you can buy an iPhone and not worry about being infected with SonicSpy or any Android variant.

SonicSpy IOCs

File name:   SonicSpy.apk

File size:   840735
MD5:   ee7fba3487165f00533e4fd90bca531f
SHA256:   7eb6a65a7d9ee2bfc9b8df6442cfa2c76f4753663297d2dabafc023b1bd2370b

zaraar.ddns[.]net

216.58.201[.]40
64.233.166[.]188
173.194.175[.]188
134.0.16[.]1

Port: 5228 (sample tested seems to always want to connect to CnC to this outbound port)

[1] https://www.forbes.com/sites/thomasbrewster/2017/09/14/massive-google-android-malware-expensivewall/#730a036d477f

[2] http://bgr.com/2014/01/21/android-mobile-malware-report/

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.