Monday, October 13, 2014

The Most Famous Malwares in APTA

During my talks and in my daily working life, people ask me about the most interesting malware used to perform Advanced Persistent Targeted Attacks (APTA). So I decided to give my personal answer in this post, being conscious that things will change pretty soon.

Let's start with Stuxnet, maybe the best-known APTA in history, and also the one that brought cyber-espionage into public view.

Stuxnet is a computer worm that was discovered in June 2010. It was designed to attack industrial Programmable Logic Controllers (PLCs). PLCs allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet's design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g. in automobile or power plants), the majority of which reside in Europe, Japan and the US. Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges.
From TrendMicro Report


Stuxnet has three modules:
  1. a worm that executes all routines related to the main payload of the attack; 
  2. a link file that automatically executes the propagated copies of the worm; and 
  3. a rootkit component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet. 
Stuxnet was able to exploit the following vulnerabilities: CVE-2010-2568, CVE-2008-4250, CVE-2010-2729 and CVE-2010-277. It mainly got started from USB sticks and spread between PCs through these vulnerabilities. What it did was substitute a Siemens DLL, thereby getting control of Siemens SCADA systems. A later updated version was also able to exploit CVE-2010-2772, being able to read and write directly to the Siemens SCADA database (.DBI).

Another great example is Flame.

Flame, also known as Flamer, sKyWIper and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries. Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

SecureList Thread

Flame was actually one of the most complex pieces of computer malware ever. Super "heavy", it comes with a database server, a very uncommon embedded virtual machine (Lua), file sharing, specific "red protocols", gzip libs, encryption libs and so on. A great client analysis can be found here. My favorite server analysis can be found here.


Duqu is another big name in the APTA's world.

Duqu malware is a variety of software components that together provide services to the attackers. Currently this includes information stealing capabilities and, in the background, kernel drivers and injection tools. Part of this malware is written in an unknown high level programming language, dubbed the "Duqu framework". It is not C++, Python, Ada, Lua or any of the many other languages checked. However, recent evidence suggests that Duqu may have been written in Object Oriented C (OO C) and compiled in Microsoft Visual Studio 2008.

Duqu's main components and modules, from this report

The dropper file recovered and disclosed by CrySyS Lab uses a Microsoft Word (.doc) document which exploits the Win32k TrueType font parsing engine and allows code execution (btw, a nice article on that vulnerability is here). The Duqu dropper relies on font embedding, and thus the workaround is to restrict access to T2EMBED.DLL, the TrueType font parsing engine, if the patch released by Microsoft in December 2011 is not yet installed. Microsoft's identifier for the threat is MS11-087. Duqu has many similarities with Stuxnet; shared code has been proven.


A more recent attack, used to spy on diplomats, is Turla.

Turla has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these attacks. Turla provides the attacker with powerful spying capabilities. Configured to start every time a computer starts, once the user opens a Web browser it opens a back door that enables communication with the attackers. Through this back door, the attackers can copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware, among other capabilities. The group behind Turla uses spear phishing emails and watering hole attacks to infect victims. Some of the spear phishing emails purported to come from a military attaché at a Middle Eastern embassy and had an attachment masquerading as the minutes of meetings. Opening the attachment resulted in Trojan.Wipbot being dropped on to the victim’s computer. It is believed that Wipbot may be the delivery mechanism for Turla as they share several similarities in code and structure.

How Turla is spread, from here.
Turla malware has been used to facilitate watering hole attacks since 2012; its most advanced feature was being totally FUD (fully undetectable) for many years. Later on it has been used to deliver Wipbot, a well-known malware used to gather further information about the infected computer. If the attackers deemed the victim of interest, it appears likely that a second back door (Trojan.Turla) with far greater capabilities was downloaded on to the victim's computer.

In 2012 the Gauss malware hit the Middle East community.

Like Flame and Duqu, the propagation of Gauss seems to be controlled in order to maintain stealth and avoid detection. Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines. The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons. Kaspersky writes: "The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload." The malware copies itself onto any clean USB inserted into an infected PC, then collects data if inserted into another machine, before uploading the stolen data when reinserted into a Gauss-infected machine.
From Kaspersky Labs

HiKit is one of the most advanced rootkits used in APTA.

Fully described by Mandiant (here and here), the "Hikit" malware uses an interesting covert mechanism for command and control. It installs itself as a virtual network adapter layered between the NIC and the overlying protocol drivers. This allows it to covertly monitor incoming packets, intercept command and control data as it enters the network stack, and then spawn user-mode threads to parse it accordingly.

(Extracted from Mandiant's analysis)
HiKit writes two main files to the system:
  1. C:\WINDOWS\system32\wbem\oci.dll 
  2. C:\WINDOWS\system32\drivers\W7fw.sys 
"oci.dll" extracts a number of files from its resources section:
  1. The rootkit driver "W7fw.sys" 
  2. Several requisite .INF and .CAT files for the driver 
  3. A digital certificate "GlobalSign.cer", along with a copy of Microsoft's Certificate Manager tool "certmgr.exe" 
The attacker self-generated "GlobalSign.cer" to masquerade as a legitimate certificate issued by GlobalSign; it was neither stolen nor legitimate. The malware proceeds to use "certmgr.exe" to install the certificate into the local trust store as a root CA and Trusted Publisher using the following two commands: 
  • certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root
  • certmgr.exe -add GlobalSign.cer -c -s -r localMachine TrustedPublisher 
It then attempts to disable driver signing verification by tampering with several registry keys. Finally, it completes the driver installation process and checks that the driver is properly loaded.
After the installation and infection procedure, HiKit starts to grab usernames and passwords of Windows local and remote accounts, as well as the profiles of well-known internet banking and other popular services. It also provides a modular backdoor to manage the malware and the hosting system.
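The installation steps above leave host artifacts a defender can look for: the two dropped files, the self-signed "GlobalSign" certificate in the LocalMachine Root and TrustedPublisher stores, and the W7fw.sys driver. The following PowerShell check is an added example written for this post, not code from Mandiant's report; the baseline file path is an assumption (a thumbprint list exported from a known-clean host, needed because genuine GlobalSign roots are self-signed too).

```powershell
# Added defensive check for the HiKit artifacts described above (not from the original post).
# Run in an elevated PowerShell session on the host under investigation.

# 1. The two files HiKit writes to the system
$hikitFiles = @(
    "$env:SystemRoot\System32\wbem\oci.dll",
    "$env:SystemRoot\System32\drivers\W7fw.sys"
)
foreach ($path in $hikitFiles) {
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Warning "Suspicious file present: $path (Authenticode status: $($sig.Status))"
    }
}

# 2. Self-signed certificates naming GlobalSign in the two stores the certmgr commands target.
#    Legitimate GlobalSign roots are self-signed as well, so anything whose thumbprint is
#    absent from a clean-host baseline is flagged. Baseline path is an assumption.
$baselineFile = 'C:\baseline\trusted-root-thumbprints.txt'
$baseline = @()
if (Test-Path -LiteralPath $baselineFile) {
    $baseline = Get-Content -LiteralPath $baselineFile
} else {
    Write-Warning "No baseline found at $baselineFile; every self-signed GlobalSign cert will be reported."
}
foreach ($store in 'Root', 'TrustedPublisher') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object {
            $_.Subject -eq $_.Issuer -and          # self-signed
            $_.Subject -like '*GlobalSign*' -and
            $baseline -notcontains $_.Thumbprint
        } |
        ForEach-Object {
            Write-Warning ("Unexpected self-signed cert in LocalMachine\{0}: {1} [{2}]" -f
                $store, $_.Subject, $_.Thumbprint)
        }
}

# 3. Is the rootkit driver registered or running as a system driver?
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*W7fw.sys*' } |
    ForEach-Object {
        Write-Warning "Driver registered: $($_.Name) ($($_.PathName)) state=$($_.State)"
    }
```

Any hit from sections 1 or 3, or a TrustedPublisher entry that the organisation never deployed, is worth escalating; the certificate check alone cannot prove compromise without the baseline.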

I am aware that these are only some of the most famous malware used in APTA, and that this little "list" will change over time as well, but as of now I believe these are the most remarkable malware in APTA.