Yet another season for trick-or-treating is upon us, and just like I did last year, I wanted to share some of the new tricks we are seeing from targeted adversaries as observed by our Falcon ThreatGraph™, which collects threat data in real-time from our customer endpoint systems distributed in 176 countries.
But before I jump into the latest tradecraft we are observing in the wild, I would be remiss not to discuss the so-called AtomBombing code injection technique that was recently discussed by Tal Liberman as being capable of evading most legacy Anti-Virus products. Variants of this technique which use the NtQueueApcThread syscall to trigger code execution have actually been demonstrated before and used in a number of malware variants over the years. Wayne Low from F-Secure described a ransomware variant using just that type of technique (using Section objects instead of Atoms) in a 2012 Virus Bulletin article.
When the technique was first blogged about on Thursday, one of our engineers was curious to see how it would fare against the Indicator-of-Attack (IOA) based approach of Falcon Host, which doesn’t rely on advance knowledge of a vulnerability or exploit technique to detect a threat. Instead, it looks for the ultimate objective of the threat – in this case getting code execution, regardless of what the exact exploitation approach looks like. As predicted, Falcon Host had no trouble picking up an injection using this technique.
Note the mixed capitalization of letters in the Command Line for PowerShell execution. No doubt the adversary is hoping to bypass legacy detection technologies that are doing direct content/signature matching.
Even when malware is used (often for persistence), we often see PowerShell as the method of choice to achieve specific objectives within the environment. Below is an example of an attempted breach we recently detected via multiple IOAs at a client. In this case, the persistent malware is executing a command shell, which in turn runs a PowerShell command that proceeds to steal credentials from memory and perform reconnaissance.
Last but not least, so as not to leave out our *nix friends, I want to share with you a recent intrusion we picked up on a Linux host. An initial compromise of the smtpd mail daemon results in initial system reconnaissance through bash. The attacker performs a directory listing, checks logged-in users and collects group and user information. They then execute the ./a binary, a setuid executable designed to give them persistent root access, and ultimately start an sshd server on a POP3 port, giving them persistent access into the environment while avoiding suspicion.
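The behavior chain in the Linux intrusion above can be expressed as lineage-based rules rather than signatures. The following is an added example, not Falcon Host's detection logic: the event tuple layout, the indicator names and the sample telemetry are all constructed assumptions, and events are assumed to arrive in order with parents before children.

```python
# Added example: IOA-style detection keyed on process lineage, not file hashes.
MAIL_DAEMONS = {"smtpd"}
SHELLS = {"sh", "bash"}
RECON = {"ls", "w", "who", "id", "getent"}  # assumed recon tooling

# Constructed sample telemetry: (pid, ppid, name, uid, euid, listen_port)
EVENTS = [
    (400, 1, "smtpd", 25, 25, 25),
    (512, 400, "bash", 25, 25, None),    # shell spawned by the mail daemon
    (513, 512, "ls", 25, 25, None),      # directory listing
    (514, 512, "w", 25, 25, None),       # logged-in users
    (515, 512, "id", 25, 25, None),      # user and group information
    (516, 512, "a", 25, 0, None),        # setuid binary: real uid 25, effective uid 0
    (517, 516, "sshd", 0, 0, 110),       # sshd listening on the POP3 port
    (600, 1, "sshd", 0, 0, 22),          # normal system sshd, unrelated lineage
    (601, 600, "bash", 1000, 1000, None),
    (602, 601, "ls", 1000, 1000, None),  # same command, benign ancestry
]

def detect(events):
    """Return (pid, indicator) findings for activity descended from a
    shell that a mail daemon spawned."""
    names = {}       # pid -> process name
    tainted = set()  # pids in the suspicious lineage
    findings = []
    for pid, ppid, name, uid, euid, port in events:
        names[pid] = name
        if name in SHELLS and names.get(ppid) in MAIL_DAEMONS:
            tainted.add(pid)
            findings.append((pid, "mail_daemon_spawned_shell"))
            continue
        if ppid not in tainted:
            continue  # ancestry is clean; the same command elsewhere is ignored
        tainted.add(pid)
        if name in RECON:
            findings.append((pid, "recon_from_daemon_shell"))
        if euid == 0 and uid != 0:
            findings.append((pid, "setuid_root_escalation"))
        if name == "sshd" and port not in (None, 22):
            findings.append((pid, "sshd_on_nonstandard_port"))
    return findings

if __name__ == "__main__":
    for pid, indicator in detect(EVENTS):
        print(pid, indicator)
```

The `ls` run under the interactive login (pid 602) produces no finding, while the same command under the daemon-spawned shell does; the ancestry, not the command name, carries the signal.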
Finally, this being a Halloween blog, I’d be remiss not to share our latest adversary desktop backgrounds for you to decorate your desktops with. And with us being only 8 days before the U.S. election day, what better adversary to provide than FANCY BEAR, the Russian intelligence-affiliated actors that have become celebrities of sorts during this election campaign.
For more information on how IOAs work and how they contribute to the unique effectiveness of the Falcon Host platform, please download the white paper, “Indicators of Attack vs. Indicators of Compromise.”