CyberCriminals and their APT and AVT Techniques

Pierluigi Paganini February 23, 2015

The cyber security expert Ashiq JA analyzed the principal characteristics of APT (Advanced Persistent Threat) and AVT (Advanced Volatile Threat).

Cybercriminals and their techniques in the APT and AVT attacks

“APT is an attack in persistent memory that resides in the victim’s machine without getting noticed, and the attacker exfiltrates sensitive information from the network. AVT is an attack in volatile memory that wipes its ‘fingerprints’ before leaving and after it has stolen your intellectual property.”

Advanced Persistent Threats (APT)

APTs (also called Advanced Persistent Attacks) are designed to gain access to a network, acquire data and covertly monitor the targeted computer systems over long periods of time. The term “Advanced Persistent Threat” is commonly said to have been coined by U.S. government security analysts in the mid-2000s to describe complex, targeted cyber attacks carried out for financial or informational gain by well-funded groups.

“Advanced” signifies sophisticated techniques: custom malware and the exploitation of vulnerabilities in the target’s internal systems. “Persistent” means that an external command-and-control infrastructure continuously monitors the target and extracts data from it over a long period, rather than in a single hit-and-run intrusion. “Threat” indicates that humans, not just automated code, are orchestrating the attack.

The Stuxnet worm, which targeted the industrial control systems of Iran’s nuclear program, is one example. In this case, the Iranian government would consider the Stuxnet creators to be an advanced persistent threat.

Advanced Volatile Threat (AVT)

AVTs are a stealthier attack vector than APTs, and many experts expect them to be used by sophisticated nation-state actors for cyber espionage. John Prisco, president and CEO of security vendor Triumfant, describes them this way: “It is an attack in volatile memory that wipes its ‘fingerprints’ before leaving and after it has stolen your intellectual property. An AVT comes in, exfiltrates the data it’s looking for and then immediately wipes its ‘hands’ clean, leaving no trace behind as the computer is shut down.”


Kevin McAleavey, cofounder and chief architect of the KNOS Project, called AVT a redefinition of the well-known term “memory-resident virus”. “The first memory resident virus was known as Lehigh, which made the rounds in 1987,” he said. McAleavey agreed that malware that is not persistent is tricky to spot.

“Traditional antivirus solutions depend on the presence of a file existing – that’s what they detect and look for, attempting to intervene in the completion of that file being loaded into memory and run as a program,” he said. “No file, no detection.”

How do APTs and AVTs differ?

APTs are persistent, disk-resident implants; AVTs are volatile, RAM-only code. AVTs are not a new class of threat: memory-only malware has existed for a long time. They are typically delivered through a drive-by download and exist only in RAM, which makes them real-time attacks. AVTs are not persistent: they disappear without a trace as soon as the PC is turned off, or as soon as they stop running, whichever occurs first. APT implants, by contrast, persist on disk and in the network for as long as it takes the attacker to steal the required information. AVTs are almost the exact opposite of APTs, which are designed to be low and slow and to persist in the network for a very long duration; an AVT is limited to part of one day in most cases.

Breaking down the APT

The attacker group can include intelligence agencies, criminal groups, activist groups and armed forces. They initiate an APT attack and wait patiently, searching for security weaknesses and loopholes within the infrastructure of the target organization. Rather than impairing the system, the attacker hides within it and simply engages in stealthy data collection.

The lifecycle of an APT can be broken down into information gathering, initial exploitation, command and control, privilege escalation and data exfiltration.

The attackers research entry points, key individuals and their responsibilities, and the key assets and clients of the targeted organization, much of it through easily available public data on social networks.

APT attack

Complex – APTs apply a complex mix of attack methods targeting multiple vulnerabilities identified within the organization. This usually involves identifying key individuals of the target organization and applying several of the techniques listed below:

  • Social engineering attacks, for example by telephone
  • Internet-borne malware infection, such as phishing emails that install Remote Access Tools (RATs)
  • Physical malware infection, such as infected USB sticks and memory cards
  • External exploitation, through injecting custom code onto privileged hosts and mass vulnerability exploits

Slow Infect – Essentially, the APT tries to stay invisible for as long as possible to avoid detection, following the rule of “low and slow”. Once a foothold is established in the targeted environment, the attacker remotely controls infected hosts through a command-and-control service. This is installed quietly on the victim’s system, typically by replacing a legitimate application component with a trojanized one that carries the additional functionality the command-and-control channel requires.

Discover, Control and Persist – The APT now starts to gather information about the computers, servers or storage holding the information the operators have been instructed to steal. They do this using the tools already available on the compromised computers. The next step invariably involves lateral movement to new systems to explore their content and recursively learn how to gain access to further systems.

Once the attackers move around the network using the compromised credentials of the first few target machines, they try to escalate privileges from local user to administrator. Tools used to gain more control include gsecdump (credential dumping), SSH, RDP and Cain & Abel (password cracking). Key targets include Active Directory (AD) and PKI certificate servers, which let the attackers create accounts and grant themselves access privileges to confidential data within the network.

Extract and Take Action – After discovering the data of interest, the APT generally gathers it into an archive, then compresses and encrypts the archive. This hides the content from deep packet inspection and data loss prevention tools. The next step is exfiltrating the data from the victim’s systems. APTs usually take advantage of FTP services that are left running, or use custom data transfer techniques if FTP is disabled. What makes APT attacks different from other cyber attacks is their scope: they exploit vulnerabilities not to disrupt or shut down systems but to collect sensitive data.

The APT then persists within the network while remaining unnoticed. It is also designed to stay resident by calling back to its command-and-control servers for updates, downloading new, as-yet-undetected code to evade updated antivirus signatures.

If new target data continues to become available (new customer records or updated business plans) and holds value for the attacker, this extraction phase continues for a longer duration.
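As an added example (not from the original article), here is a small Python correlator that turns two of the lifecycle stages described above, lateral movement with stolen credentials and staged exfiltration over FTP, into detection logic. The logon and egress records are constructed for the example, and the thresholds (more than three distinct hosts reached by remote logon inside ten minutes, more than 100 MB sent to one external destination) are assumptions to be tuned for a real environment.

```python
"""Detection logic for two APT lifecycle stages: lateral movement with
stolen credentials, and staged exfiltration. All records below are
constructed for this example; they are not from any real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records: (timestamp, account, Windows logon type, target host).
# Type 3 = network logon (SMB/admin share), type 10 = RemoteInteractive (RDP).
LOGONS = [
    ("2015-02-20T09:00:00", "corp\\jdoe", 2, "WS-0412"),   # interactive, normal
    ("2015-02-20T09:02:11", "corp\\jdoe", 3, "FS-01"),
    ("2015-02-20T09:02:40", "corp\\jdoe", 3, "FS-02"),
    ("2015-02-20T09:03:05", "corp\\jdoe", 10, "DC-01"),
    ("2015-02-20T09:03:30", "corp\\jdoe", 3, "PKI-01"),
    ("2015-02-20T09:04:00", "corp\\jdoe", 3, "FS-03"),
    ("2015-02-20T11:15:00", "corp\\asmith", 3, "FS-01"),   # ordinary file-share use
    ("2015-02-20T14:10:00", "corp\\asmith", 3, "FS-02"),
]

# Constructed egress records: (timestamp, source host, destination IP, port, bytes out).
EGRESS = [
    ("2015-02-20T09:30:00", "WS-0412", "203.0.113.7", 443, 48_000),
    ("2015-02-20T22:41:00", "WS-0412", "198.51.100.23", 21, 734_000_000),  # FTP control
    ("2015-02-20T22:41:30", "WS-0412", "198.51.100.23", 20, 12_000),       # FTP data
    ("2015-02-20T10:00:00", "WS-0201", "203.0.113.7", 443, 2_100_000),
]

REMOTE_LOGON_TYPES = {3, 10}


def lateral_movement(logons, max_hosts=3, window=timedelta(minutes=10)):
    """Return {account: hosts} for accounts whose remote logons reached more
    than max_hosts distinct machines inside any sliding window of `window`.
    A user touching one or two file servers is normal; one account hopping
    across file servers, a domain controller and a PKI host within minutes
    is the recursive lateral movement the text describes."""
    per_account = defaultdict(list)
    for ts, account, logon_type, host in logons:
        if logon_type in REMOTE_LOGON_TYPES:
            per_account[account].append((datetime.fromisoformat(ts), host))

    flagged = {}
    for account, events in per_account.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


def staged_exfiltration(egress, min_bytes=100_000_000, ftp_ports=(20, 21)):
    """Because the staged archive is compressed and encrypted, content
    inspection sees nothing useful; what stays visible is volume and
    protocol. Sum bytes per (source, destination) pair and flag large
    transfers, plus any plain FTP session, which the text notes APT
    operators favour when it is left enabled."""
    volume = defaultdict(int)
    ftp_pairs = set()
    for _ts, src, dst, port, nbytes in egress:
        volume[(src, dst)] += nbytes
        if port in ftp_ports:
            ftp_pairs.add((src, dst))
    large = {pair: total for pair, total in volume.items() if total >= min_bytes}
    return {"large_transfers": large, "ftp_sessions": sorted(ftp_pairs)}


def report(logons=LOGONS, egress=EGRESS):
    """Combine both detectors into one findings dict."""
    return {"lateral_movement": lateral_movement(logons),
            "exfiltration": staged_exfiltration(egress)}


if __name__ == "__main__":
    for stage, findings in report().items():
        print(stage, findings)
```

On the constructed data, `corp\jdoe` is flagged for reaching five hosts in under two minutes while `corp\asmith` is not, and workstation WS-0412 is flagged both for the 734 MB pushed to one external address and for using FTP at all. In a real deployment the same two signals would be fed from Windows Security event 4624 and from firewall or proxy flow logs.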

Eventually the attack stops, either because the attacker has achieved the goal or because the victim notices and cuts off the access. Once the APT operators have stolen the data, they may then engage in further criminal activity, such as:

  • selling the data;
  • threatening to publicly disclose it;
  • demanding a ransom from the victim.

The best-known APT toolkits are botnets and malware families like Regin, Flame, Duqu and the well-publicised Stuxnet. These bypass traditional signature-based tools and common sandboxes.

On the other hand, AVT is also one of the techniques malware uses to avoid analysis. Most experts believe AVTs have a far greater likelihood of remaining undetected, which in turn protects the identity of the attacker. Most commonly an AVT is launched with Meterpreter (the Meta-Interpreter), the in-memory payload shipped with the Metasploit Framework: it runs inside an existing process rather than writing an executable to disk, and it lets operators load their own DLL extensions, which are injected into a running process on the target computer. As conventional file-scanning antivirus will not identify AVTs, memory-monitoring techniques are required to detect an AVT attack in real time.
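As an added example (not from the original article), the following Python code shows what “RAM-monitoring” means in practice for the file-less case described here and in McAleavey’s “no file, no detection” remark. Injected code such as a Meterpreter DLL leaves a signature that a file scanner never sees but a memory map does: executable memory that no on-disk image accounts for. This is the Linux form of the check, reading `/proc/<pid>/maps` and the `/proc/<pid>/exe` link; the Windows equivalent looks for the same thing in private, executable regions that do not belong to a loaded image. The sample maps text is constructed for the example, and the `/memfd:payload` path and addresses in it are invented.

```python
"""Memory-only ('fileless') execution check over Linux /proc/<pid>/maps.
The sample maps text is constructed for this example; it mimics a process
carrying an injected RWX region and a code region backed by a memfd."""
import os
import re

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel-provided executable pseudo-mappings present in every process.
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}

# Constructed sample: a 'sleep' process with two regions that should not be there.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1310721                            /usr/bin/sleep
0060a000-0060b000 rw-p 0000a000 08:01 1310721                            /usr/bin/sleep
01f0c000-01f2d000 rw-p 00000000 00:00 0                                  [heap]
7f3a4c000000-7f3a4c021000 rwxp 00000000 00:00 0
7f3a4c200000-7f3a4c3c0000 r-xp 00000000 08:01 2101                       /lib/x86_64-linux-gnu/libc-2.19.so
7f3a4c5c0000-7f3a4c5d0000 r-xp 00000000 00:05 12345                      /memfd:payload (deleted)
7ffd1c3e9000-7ffd1c3eb000 r-xp 00000000 00:00 0                          [vdso]
"""


def parse_maps(text):
    """Parse /proc/<pid>/maps lines into dicts with integer addresses."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["start"], r["end"] = int(r["start"], 16), int(r["end"], 16)
        r["inode"] = int(r["inode"])
        regions.append(r)
    return regions


def fileless_exec_regions(regions):
    """Return executable regions that no on-disk file accounts for.
    Reasons recorded: anonymous executable memory (no path, inode 0), code
    whose backing file was unlinked after mapping, code backed by a memfd or
    tmpfs object, and writable+executable memory, which a normal loader does
    not produce but injected payloads commonly do."""
    hits = []
    for r in regions:
        if "x" not in r["perms"] or r["path"] in BENIGN_PSEUDO:
            continue
        reasons = []
        if r["inode"] == 0 and not r["path"].startswith("["):
            reasons.append("anonymous executable mapping")
        if "(deleted)" in r["path"]:
            reasons.append("backing file deleted")
        if r["path"].startswith(("/memfd:", "/dev/shm/")):
            reasons.append("memory-backed file object")
        if "w" in r["perms"]:
            reasons.append("writable and executable")
        if reasons:
            hits.append({"start": r["start"], "end": r["end"],
                         "size": r["end"] - r["start"], "perms": r["perms"],
                         "path": r["path"], "reasons": reasons})
    return hits


def suspicious_exe_link(target):
    """True when the /proc/<pid>/exe link target shows a main image that was
    never on disk (memfd) or was removed once loaded."""
    return target.endswith("(deleted)") or target.startswith("/memfd:")


def scan_live_processes():
    """Walk /proc on a live Linux host, skipping processes we cannot read."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as f:
                hits = fileless_exec_regions(parse_maps(f.read()))
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # permission denied, or the process exited mid-scan
            continue
        if hits or suspicious_exe_link(exe):
            findings[int(pid)] = {"exe": exe, "regions": hits}
    return findings


if __name__ == "__main__":
    for hit in fileless_exec_regions(parse_maps(SAMPLE_MAPS)):
        print(hex(hit["start"]), hit["perms"], hit["path"] or "<anon>", hit["reasons"])
```

On the sample, only the anonymous `rwxp` region and the `/memfd:payload (deleted)` region are reported; the binary, libc and `[vdso]` are not. Two caveats for production use: JIT runtimes (browsers, Java, .NET) legitimately create anonymous executable memory, so `scan_live_processes` needs an allow-list of such binaries, and the scan must run as root to read other users’ maps files.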

About the Author Ashiq JA (@AshiqJA)
Ashiq JA (Mohamed Ashik) is a Cyber Security Researcher and Writer passionate about Web Application Security, Security research using Machine Learning and Big Data, Deep web, Security technologies and Threat Analysis. He is currently working as a Security Consultant for a financial firm. He believes in knowledge sharing as the best source for information security awareness. To catch up with the latest news on InfoSec trends, follow Ashiq JA on Twitter @AshiqJA.

Edited by Pierluigi Paganini

(Security Affairs –  APT, cyber espionage)
