Adversary Tricks and CrowdStrike Treats: 2016 Halloween and AtomBombing Edition


Yet another season for trick-or-treating is upon us, and just like I did last year, I wanted to share some of the new tricks we are seeing from targeted adversaries as observed by our Falcon ThreatGraph™, which collects threat data in real-time from our customer endpoint systems distributed in 176 countries.

But before I jump into the latest tradecraft we are observing in the wild, I would be remiss not to discuss the so-called AtomBombing code injection technique, which Tal Liberman recently described as capable of evading most legacy anti-virus products. Variants of this technique that use the NtQueueApcThread system call to trigger code execution have actually been demonstrated before and have been used in a number of malware families over the years. Wayne Low from F-Secure described a ransomware variant using just that type of technique (using Section objects instead of Atoms) in a 2012 Virus Bulletin article.

When the technique was first blogged about on Thursday, one of our engineers was curious to see how it would fare against the Indicator-of-Attack (IOA) based approach of Falcon Host, which doesn’t rely on advance knowledge of the vulnerability or exploit technique to detect a threat. Instead, it looks for the ultimate objective of the threat – in this case, getting code execution – regardless of what the exact exploitation approach looks like. As predicted, Falcon Host had no trouble picking up an injection using this technique:

(Screenshot) Falcon Host vs. AtomBombing (1:0)

Last year, I discussed the extensive use of ‘malware-free’ techniques by targeted adversaries for conducting intrusions into corporate networks. However, these techniques are not used exclusively for targeted intrusions. Increasingly we are seeing mass-distributed malware threats, such as ransomware, leverage PowerShell for malicious activity. Here is an example of a process tree that Falcon Host picked up in the wild: JavaScript-initiated execution of PowerShell under the Chrome browser to download and execute malware:

(Screenshot) PowerShell-enabled malware distribution under Chrome

Note the mixed capitalization of letters in the command line used to launch PowerShell. No doubt the adversary is hoping to bypass legacy detection technologies that rely on direct, case-sensitive content or signature matching.

Even when malware is used (often for persistence), we frequently see PowerShell as the method of choice for achieving specific objectives within the environment. Below is an example of an attempted breach we recently detected via multiple IOAs at a client. In this case, the persistent malware executes a command shell, which in turn runs a PowerShell command that proceeds to steal credentials from memory and perform reconnaissance.
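The two PowerShell cases above share one lesson: match on behaviour and process ancestry, and normalize case before comparing strings. The following is an added illustration, not CrowdStrike's or Falcon Host's code, of a minimal IOA-style check over a constructed set of process-creation events. The event shape (`ProcEvent`), the process names, the placeholder malware name `updater_svc.exe` and the command lines are all assumptions made for the example; the legacy signature is a deliberately naive case-sensitive substring match.

```python
"""Added illustration (not CrowdStrike's code): IOA-style checks for PowerShell
launched from a browser or via a cmd.exe chain started by an unknown binary,
with case-insensitive matching so mixed-case spelling does not evade it."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:            # assumed event shape for the example
    pid: int
    ppid: int
    image: str              # image file name as a sensor would record it
    cmdline: str            # full command line as recorded

# A literal, case-sensitive content signature of the kind the post says
# mixed-case spelling is meant to evade.
LEGACY_SIGNATURE = "powershell.exe -nop -w hidden"

# Parents from which PowerShell execution is suspicious however it is spelled.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"cmd.exe"}
# Parents from which a cmd.exe -> powershell.exe chain is ordinary.
EXPECTED_CMD_PARENTS = {"explorer.exe", "services.exe"}


def legacy_match(ev: ProcEvent) -> bool:
    """Exact substring match: what a naive signature engine does."""
    return LEGACY_SIGNATURE in ev.cmdline


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case tricks do not matter."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def is_powershell(ev: ProcEvent) -> bool:
    return ev.image.lower() == "powershell.exe" or "powershell" in normalize(ev.cmdline)


def mixed_case_token(cmdline: str) -> bool:
    """Heuristic: 'powershell' spelled in neither all-lower, all-upper nor
    ordinary capitalized form (e.g. PoWeRsHeLl)."""
    m = re.search(r"powershell", cmdline, re.IGNORECASE)
    if not m:
        return False
    return m.group(0) not in ("powershell", "Powershell", "PowerShell", "POWERSHELL")


def ioa_hits(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Behavioural indicators for one event, based on process ancestry."""
    hits: List[str] = []
    if not is_powershell(ev):
        return hits
    parent = by_pid.get(ev.ppid)
    if parent is not None:
        pimg = parent.image.lower()
        if pimg in BROWSERS:
            hits.append(f"powershell spawned by browser {parent.image}")
        if pimg in SHELLS:
            grand = by_pid.get(parent.ppid)
            if grand is not None and grand.image.lower() not in EXPECTED_CMD_PARENTS:
                hits.append(f"cmd -> powershell chain started by {grand.image}")
    if mixed_case_token(ev.cmdline):
        hits.append("mixed-case spelling of powershell in command line")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [indicators]} for every event that triggered at least one."""
    by_pid = {e.pid: e for e in events}
    result: Dict[int, List[str]] = {}
    for e in events:
        hits = ioa_hits(e, by_pid)
        if hits:
            result[e.pid] = hits
    return result


# Constructed sample process tree (payload bodies replaced by placeholders).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "chrome.exe", "chrome.exe --type=renderer"),
    ProcEvent(300, 200, "PoWeRsHeLl.exe",
              "PoWeRsHeLl.exe -NoP -W HiDdEn -c (placeholder download-and-run payload)"),
    ProcEvent(400, 1,   "updater_svc.exe", "updater_svc.exe"),   # stand-in for persistent malware
    ProcEvent(500, 400, "cmd.exe", "cmd.exe /c powershell.exe -nop -w hidden -c (placeholder)"),
    ProcEvent(600, 500, "powershell.exe", "powershell.exe -nop -w hidden -c (placeholder recon)"),
    ProcEvent(700, 100, "powershell.exe", "powershell.exe"),    # user-opened console: benign
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
    print("legacy signature catches the mixed-case launch:", legacy_match(SAMPLE_EVENTS[2]))
```

The literal signature catches the lowercase command line from the cmd.exe chain but misses the mixed-case browser launch; the ancestry checks flag both without depending on spelling.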

(Screenshot) PowerShell-based reconnaissance and credential theft

Last but not least, so as not to leave out our *nix friends, I want to share with you a recent intrusion we picked up on a Linux host. An initial compromise of the smtpd mail daemon results in initial system reconnaissance through bash. The attacker performs a directory listing, checks logged-in users and collects group and user information. They then execute the ./a binary, a setuid executable designed to give them persistent root access, and ultimately start an sshd server on the POP3 port, to avoid suspicion, to give them persistent access into the environment.
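Each step of that Linux intrusion leaves a hunt-able artifact: a shell spawned by a mail daemon, a setuid executable outside the system directories, and an sshd listener on a mail port. The following is an added example, not CrowdStrike's code, that implements those three checks over constructed inputs. The input formats are assumptions: listener lines in the style of `ss -ltnp` output, setuid candidates as (mode string, path) pairs such as `ls -l` would yield, and parent/child process-name pairs; the daemon, shell and directory lists are starting points, not exhaustive.

```python
"""Added example (not CrowdStrike's code): three host checks for the artifacts
of the Linux intrusion described above, over constructed sample input."""
import re
from typing import List, Tuple

# Conventional owners of well-known mail ports; an sshd bound here is a red flag.
MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap", 587: "submission",
              993: "imaps", 995: "pop3s"}

# Matches one `ss -ltnp` line: State Recv-Q Send-Q Local:Port Peer:Port users:(("comm",pid=..,fd=..))
LISTENER_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def sshd_on_unexpected_port(ss_lines: List[str], expected_ports=(22,)) -> List[Tuple[int, str]]:
    """Return (port, label) for every sshd listener not on an expected port."""
    findings = []
    for line in ss_lines:
        m = LISTENER_RE.match(line.strip())
        if not m or m["proc"] != "sshd":
            continue
        port = int(m["port"])
        if port not in expected_ports:
            findings.append((port, MAIL_PORTS.get(port, "non-standard")))
    return findings


# Directories where setuid binaries are expected on a typical distribution (assumed baseline).
TRUSTED_SETUID_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/lib/", "/usr/libexec/")


def suspicious_setuid(entries: List[Tuple[str, str]]) -> List[str]:
    """entries are (mode, path) like ('-rwsr-xr-x', '/tmp/a'). The setuid bit shows as
    's' (with user-exec) or 'S' (without) in the user-execute position, index 3."""
    return [path for mode, path in entries
            if len(mode) >= 4 and mode[3] in "sS" and not path.startswith(TRUSTED_SETUID_DIRS)]


MAIL_DAEMONS = {"smtpd", "sendmail", "postfix", "exim", "master"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def shell_under_daemon(parent_child: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """A mail daemon directly spawning an interactive shell is not normal operation."""
    return [(p, c) for p, c in parent_child if p in MAIL_DAEMONS and c in SHELLS]


# Constructed sample data mirroring the described intrusion.
SAMPLE_SS = [
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
    'LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("smtpd",pid=901,fd=6))',
    'LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))',
    'LISTEN 0 128 *:110 *:* users:(("sshd",pid=4471,fd=3))',   # attacker's sshd on the POP3 port
]
SAMPLE_SETUID = [
    ("-rwsr-xr-x", "/usr/bin/passwd"),
    ("-rwsr-xr-x", "/usr/bin/sudo"),
    ("-rwsr-xr-x", "/tmp/a"),            # the ./a root backdoor from the write-up
]
SAMPLE_PROCS = [("init", "smtpd"), ("smtpd", "bash"), ("bash", "ls"),
                ("bash", "who"), ("bash", "a"), ("sshd", "bash")]

if __name__ == "__main__":
    print("sshd on unexpected ports:", sshd_on_unexpected_port(SAMPLE_SS))
    print("setuid outside trusted dirs:", suspicious_setuid(SAMPLE_SETUID))
    print("shells spawned by mail daemons:", shell_under_daemon(SAMPLE_PROCS))
```

On a live host the same functions can be fed `ss -ltnp` output, the result of `find / -perm -4000 -type f` combined with `ls -l`, and parent/child pairs from `ps -eo comm,ppid,pid`; the point is that each of the three steps of the intrusion is visible through ordinary system state, independent of which smtpd bug was used to get in.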

(Screenshot) Linux compromise via smtpd exploitation

Finally, this being a Halloween blog, I’d be remiss not to share our latest adversary desktop backgrounds for you to decorate your desktops with. And with us being only 8 days before U.S. election day, what better adversary to provide than FANCY BEAR, the Russian intelligence-affiliated actors who have become celebrities of sorts during this election campaign.


Desktop Background:

1020 x 1080 | 1440 x 900 | 2160 x 1440

For more information on how IOAs work and how they contribute to the unique effectiveness of the Falcon Host platform, please download the white paper, “Indicators of Attack vs. Indicators of Compromise.”

Dmitri Alperovitch

Co-founder and CTO of Crowdstrike, Dmitri Alperovitch leads the Intelligence, Technology and CrowdStrike Labs teams. Alperovitch has invented 18 patented technologies and has conducted extensive research on reputation systems, spam detection, web security, public-key and identity-based cryptography, malware and intrusion detection/prevention. He is a renowned computer security researcher and thought leader on cybersecurity policies and state tradecraft. Alperovitch’s many honors include being selected as MIT Technology Review’s “Young Innovators under 35” (TR35) in 2013. He also was named Foreign Policy Magazine’s Leading Global Thinker for 2013 and received a Federal 100 Award for his information security contributions.
