<Rant>

It has been unfortunately established that an attacker does not need to use particularly advanced tools to infiltrate a network, exfiltrate data and not get caught; this is even true for advanced persistent threat (APT) groups, and they seem to know it.

A 2017 Mandiant report outlines the tools used by various advanced persistent threat groups. While there are custom tools in the mix, there are quite a few tools that pop up that you or I could happily employ without needing more than a little primer found through a quick Internet search. Spear-phishing is pretty much ubiquitous as the initial infection vector, a method that’s been available since the adoption of email by companies as a main form of communication. Open source red team tools such as Powersploit, Mimikatz, and plink are also commonly used. Methods you might find in Ethical Hacking 101 are seen: password brute force attacks, password sprays and using the collected passwords to login via VPN or RDP. There’s even the use of third-party tools like SoftPerfect Network Scanner and CCleaner.

For many companies, it is difficult to keep track of what devices are even on their network, let alone lock all of them down with the same scrutiny, or manually monitor the traffic between them. All of these issues form a perfect storm that causes tools and analysts to overlook incidents that are harmful to the networks they defend. Attackers certainly take advantage of this fact, as indicated by an increase in the use of living off the land attacks which utilize tools that are used legitimately on the network.


looking for advanced persistent threats

We’re essentially expecting our analysts to be able to detect a needle in a stack of needles where nothing really distinguishes the needle they are trying to find. Also, there’s a hell of a lot of needles. Of course, this is why many vendors have turned towards AI and ML to address these problems. I agree that while overhyped in some cases, they are invaluable tools when implemented correctly.

</Rant>

Advanced Persistent Troy?

In order to drive home how simple it is to take advantage of the current reality of SOCs today, I created my own proof of concept “advanced persistent threat”. I used the knowledge I’ve gained being a part of and working with various SOCs to create a piece of custom malware that, in my opinion, would be extraordinarily successful in most environments. I didn’t create it just for my own health, although it was fun. I made it to demonstrate how simple it is to design a new effective method of C2 and/or exfiltration using open source tools.

What you need:

  • Very basic understanding of C++ / python
  • Basic understanding of how XMR mining works
  • Basic understanding of the Stratum protocol
  • Some time to put it all to use

All of the above can be gained in a matter of hours by Googling around.

What did I do? I used an open source miner to collect and exfiltrate data from the victim’s machine while actually mining Monero ($$$) in the background. Just like the bad guys using Twitter or Gmail for C2, it avoids most network detection by piggybacking on communication that is not normally viewed as malicious. The data is sent to the mining pool, instead of an attacker owned C2, then the attacker collects the information from said pool. Perhaps (un)surprisingly, most security teams I have talked to consider cryptomining a nuisance, rather than “malicious”. Consequently, most don’t bother remediating. In fact, even when it is remediated, it is likely removed without much of an additional investigation… why would you expect that anything else is occurring when your host-based and network-based detections are both telling you that it’s a cryptominer?

Of course, the attacker would know that. So, the idea is to infect a victim with the modified miner, and if the PoC is detected, then it will be ‘misclassified’ as only a cryptominer, and no further investigation will occur. This allows an attacker to not only avoid detection but also potentially avoid any future analysis since analysts are not likely to revisit something like a cryptominer when looking for artifacts pertaining to a breach. After all, are you going to go back and look at all of your PUP detections when the FBI informs you that you’ve been breached?

advanced persistent threat file scan

Would you think that this detection has anything to do with an advanced persistent threat?

The point is the advanced persistent threat I’ve created is pretty simple, doesn’t take much knowledge, and didn’t take up too much of my time. This is not to belittle the effectiveness of the malicious actors; in fact, why would you do more than you had to in order to be successful? Just like the businesses we aim to protect, malicious actors consider the cost effectiveness of their decisions.

<Shameless Self Promotion>

If you’d like to hear more about the proof of concept, what it looks like in action, and what went into building it, be sure to check out my talk at InfoSecurity North America. Here is what I plan on covering:

  • How our SOC analysts respond to different types of alerts
  • How an attacker can take advantage of that, as an attacker
  • Show a proof of concept of how we can use open source software to exfiltrate data
  • Show why it would be effective in today’s SOC environments
  • Talk about what to do to bridge gaps like these

If you’re going to be there, please don’t hesitate to stop and chat with me. Otherwise, keep an eye out for a link to a recording of the presentation or send us a note.

By Troy Kent
Threat Researcher