Malware typically makes headlines in the form of international espionage or breaches that exposed large amounts of customer data. This is understandable – Jason Bourne-style malware that can sabotage a centrifuge in a nuclear plant makes for a great story even for those who aren’t typically interested in information security. Likewise, a breach at a big online retailer that I used last week is definitely going to grab my attention. Yet since these are the stories that get the lion’s share of coverage in the press, they can lead people to mistakenly assume that these types of networks are the only focus of targeted attacks. In reality, targeted attacks occur across almost all industries and at all levels of the supply chain, a fact I was recently reminded of during an investigation of malware discovered at a customer site.
The investigation began with malware detected by the next-generation firewalls the customer had deployed. These firewalls identify files that have never been seen before and copy them to a safe virtual environment, where the files are executed and observed for malicious behaviors. One sample in particular caught the attention of our malware analysts because of how targeted it was and its rather encyclopedic set of spying capabilities.
It became clear very early in the analysis that this particular malware was special. The target network in this case was a very large producer of raw materials based in Asia. First, the malware was obviously very new: it had no listing in the VirusTotal database, and it was not being detected by leading antivirus engines in our test labs. Second, the infecting malware file was completely unique to this one site. In many cases, even rapidly evolving malware will be observed in many different networks over a short period of time, but this sample seemed to drop in out of the blue without ever showing up in other networks. This was an intriguing start, and the closer we looked the more interesting the sample became.
As researchers dug into the inner workings of the sample, they were very surprised to find that the malware used no complex obfuscation whatsoever. There were none of the strange encodings or anti-analysis tricks that have become a staple of modern malware attempting to avoid the prying eyes of security tools. This was interesting in itself, because the malware was otherwise quite sophisticated. The authors seemingly knew that their malware was unique and believed there was no need to go to great lengths to obscure it.
However, the truly interesting part of the malware was its expansive feature set. When the Flame malware began making news, many in the industry marveled at all of the features it included, and this sample was reminiscent of Flame in that respect. It not only had the ability to search for, upload or delete files on the target system, but it also took a particular interest in databases, with the ability to compress and send SQL data as well as to modify DB2 databases. Additionally, the malware did quite a bit of footprinting and enumeration once on the device, including capturing the hardware configuration of the machine, stealing the extended TCP table of the infected machine to map out all the other machines the infected target has talked to in the past, and even capturing a list of all the wireless access points and networks in the vicinity of the device. The malware also included a variety of spying features, such as the ability to record audio using the laptop’s built-in microphone, to control the window displayed on the desktop, and to take pictures of the desktop to be uploaded. These features were just the tip of the iceberg; in all, the malware included almost 70 features that could be managed through its command and control capability. This malware was very capable and absolutely loaded with spying functionality.
All of this was very insightful from a malware analysis standpoint, but it’s important to go back and recall the target of the attack. A large producer of raw materials isn’t necessarily the first enterprise that comes to mind when you think about a targeted attack. Yet we have to keep in mind that this company sits at the root of a large international supply chain and does business with many other very large multinational companies. An attacker who was able to infiltrate such a network would have a bird’s eye view of the futures and fortunes of many companies across many industries, as well as an ideal source of information for infiltrating those partner companies.
And this is the key lesson for security managers – attacks aren’t limited to credit card numbers and email addresses. The relationships you have with partners and your supply chain can be even more valuable to an attacker than a financial breach. This puts us all on the front lines, because in short, if we have information that is valuable enough to keep private, then there is value for an attacker in stealing it. So while truly targeted attacks remain relatively rare compared to spamming botnets and other generalized malware, assuming that a targeted attack “won’t happen to me” is simply setting yourself up to fail.