Research Saturday 6.27.20
Ep 141 | 6.27.20

Enter the RAT.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: Hey everybody, Dave here, and I want to tell you about CyberWire's new subscription program, CyberWire Pro. It's designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great, and something my entire organization can benefit from. We think so, too. With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis, and trends across the evolving cybersecurity landscape. Save some money and look like a hero at the same time. We've got great discounts for government, commercial teams, and academia, too. To learn more, visit, and click on the "Contact Us" link in the Enterprise box. That's, and then click "Contact Us" in the Enterprise box, and we will help you become that office hero.

Dave Bittner: Thanks to our sponsor, Reservoir Labs. Reservoir knows that cybersecurity teams need full network visibility to discover new threats, tactics, and behaviors. This is true today more than ever. Reservoir Labs provides solutions based on rock-solid, enterprise-class network sensing and spectral hypergraph analytics, using advanced algorithms and mathematics to deliver for your team and your network. Contact Reservoir to learn how you can gain comprehensive threat visibility in minutes. Learn more at That's And we thank Reservoir Labs for sponsoring Research Saturday.

Eric Cornelius: As a cybersecurity firm, we have a continuously ongoing research effort into various campaigns that we see. We track threat actors across the board, and we're always just watching for trends that may be emerging within cybersecurity tactics, tools, and procedures.

Dave Bittner: That's Eric Cornelius. He's Chief Product Architect at BlackBerry. The research we're discussing today is titled, "Decade of the RATs: Novel APT Attacks Targeting Linux, Windows, and Android."

Dave Bittner: Can you give us some of the background here? I mean, when it comes to RATs, what's the underlying history?

Eric Cornelius: Well, remote access tools have a very long history. Ever since computers started getting networked together, there has been this kind of underlying desire to maintain access to other people's networks that has existed within humanity. And one of the key things is you don't want to be redoing work over and over again. So once you go to the effort to compromise a system, one of your first-line priority items is going to be to maintain persistence. So, enter the RAT – a tool that is able to be installed on a system to give you long-term persistent access to that machine.

Dave Bittner: Hmm. Well, let's take a look at some of the research that you all presented here. What are some of the specific areas you're exploring?

Eric Cornelius: Yeah, so, I think there's a few novel points to this. So, first, let me point out that the threat group we're looking at here is nowhere near new. The Winnti umbrella group, if you will, has been studied by numerous research organizations over the years. But what's novel about our discovery is that we have identified a couple areas that we, as an industry, just haven't been looking at seriously enough. This is specifically focusing on compromise of Linux machines, servers, and also the mobile devices. BlackBerry published a report back in September that was focused extensively on mobile malware, again, just kind of as a call to action to the security industry where there seems to be this belief, if you will, that mobile malware, Linux malware – it's not really a thing. It's not something we need to focus our time on. And we're suggesting here that that's not true. And that as an industry, you're correct – we don't see a lot of mobile malware. But our hypothesis is that's because we're not looking for it. So now that we've started to look into some of these areas and shine the light, we're realizing that there's a bit more activity there than any of us had realized.

Dave Bittner: Yeah, and you spend quite a bit of time in the report discussing the things that you've discovered when it comes to Linux machines. Take me through – what are you researching here?

Eric Cornelius: Sure. I think the – again, the key takeaway here is that the threat actor in question, this Winnti group – we call them an umbrella group because they're more of an organization than an individual actor or team – that has different individuals coming and going over time, but they maintain a shared set of tools. There are several groups. We identify a new group who specializes in targeting Linux systems. And again, this is germane for a number of reasons.

Eric Cornelius: One, why does it matter? Why is it interesting? We call out in the report that something like seventy-five percent of the Internet's infrastructural backbone is running Linux, which is an interesting statistic. But two, in most enterprises as we know them today, Linux tends to be running on the most critical servers, those that demand the highest uptime, the most reliability. So, if you're an adversary and you're looking to maintain persistent access to a target environment, targeting a machine that you have a relatively high assurance is going to be online nearly all the time – that just makes logical sense, right? A lot of the more common TTPs for targeting individuals – you know, send a spearphishing email, somebody clicks it, and now you're on John Q. Random's laptop, who may or may not have it on or connected to the network when you want to execute some portion of your mission. So, targeting these Linux servers – it just makes sense.

Eric Cornelius: Secondly, what we're trying to call out is that, within enterprises, we tend to see less emphasis put on securing these Linux devices from enterprises writ large. And this is – it shows itself in a number of different ways. One, because of just the overall market share of Linux – it's substantially smaller. There are naturally a smaller number of expert practitioners who have a real-world practical skill set that can be applied to the Linux devices. But there's also a representatively small amount of vendor-available tools for securing Linux. That's not to say there's none – there definitely are some. But the lion's share of security resources, both provided by the vendor community and dollars spent by enterprises, tend to be focused on the Windows core of the network, which makes sense, you know, proportionally, given their numbers. However, in terms of impacts to the organization, what we're suggesting here is that there are other avenues of attack that have the same if not higher level of impacts to the organization that we're not putting enough resources on from a security perspective.

Dave Bittner: And what specifically are we talking about here? What are some of the things that you're seeing?

Eric Cornelius: So, from a little bit more technical perspective, again, we focused on this one particular threat group here, and some of the novel approaches we saw – obviously, we were seeing kernel-side rootkit activity, right? And that's notable for a number of reasons. One, it's relatively sophisticated to create a kernel-side rootkit. But two, it's also pretty unlikely for a security practitioner to take remediation action against that if a particular module is suspected. The reasons for that are – let's say, for example, you are a junior administrator, right? In a lot of cases, you are not – the active administrator day-to-day of a particular Linux machine is not the individual who built and deployed that system originally. You've inherited these machines as perhaps, you know, career changes occur, et cetera, et cetera. And so therefore, you're not maybe as intimately familiar with it. And when you see a kernel module that may or may not be suspect, you are going to be hesitant to unload that module, because who wants to be the person who brought down a, you know, banking web server, for example, or a critical file share server within an organization, for something you're not certain about?

Eric Cornelius: Secondly, just given the lack of security tools, it's very difficult to identify these modules in the first place. On the Windows side of things, some novel approaches we've seen that I think are really cool – and again, they show the sophistication of the threat actor – where this particular group originally gained notoriety because they were breaking into gaming companies and stealing their private code-signing certificates, signing their rootkits with that. They've gone one step further into a really interesting area, which is to do the same thing, only now they're compromising adware companies and stealing their signing certificates to subsequently sign the malicious RATs. That's really interesting because in a time where you have things like next-generation antivirus that's going to scan these things and flag them as being blatantly malicious. You know, a lot of the technology out there, our technology, for example, doesn't matter who you signed your code with – if it's bad, we're going to find it. So the administrator now sees a flag on this RAT, the administrator goes and looks at it and they go, oh, it's adware. It's signed by an adware company. Yes, it's bad, but in the grand scheme of things, you know, your typical security administrator now sees how many gazillion alerts per day, right? Something they see as adware – that's going to the bottom of the queue. Not to say that they're never going to get to it, just they're not going to get to it right now.

Eric Cornelius: And that observation by this threat actor just shows their, you know, it shows their wit, right? How adaptable they really are to understanding how we as an industry operate. Therefore, when the assumption is, ah, this is just adware, I'll get to it eventually, we're extending the time that they have persistent access to our environments.

Dave Bittner: Yeah, that really is a fascinating insight. That way to buy time, to take advantage of, I guess, you know, as you say, a security professional's perception of adware, how it's sort of ubiquitous and so doesn't really, you know, set off fireworks in their mind.

Eric Cornelius: Precisely.

Dave Bittner: Let's dig into some of the things you found when it came to some Android malware. What can you share with us there?

Eric Cornelius: Yeah, the Android component is equally interesting. And again, we drew some corollaries, right? We're not – we didn't outright say, hey, this is a duck. But we said we've identified something that's got webbed feet that are orange, and a bill, and makes these quacking noises, right? And what I'm alluding to there is there's a toolkit available that's widely considered to be one of the most effective exploitation frameworks out there, that is, I mean, dare I say, masquerading as a company that offers these wares for sale on the open market. But as we started to look at the actual APK structure, what we saw was that the Android rootkit and this toolset that seems to be openly available are so structurally similar that the likelihood of that accidentally happening – I mean, I didn't calculate it out statistically, but I think I might get hit by lightning twice before I see APKs with this level of similarity.

Dave Bittner: (Laughter)

Eric Cornelius: The interesting bit being that the actual state-sponsored malware was stood up years before this company became available. So, what we're suggesting in the report is that there's obviously some relationship here, right? Did the state-sponsored group start this company as a shell organization? Did they otherwise license the code? We didn't go pulling that thread as deeply as we probably will over time, but it was enough that we decided that we wanted to call it out and make it publicly known.

Dave Bittner: Yeah, I mean, that timeline is fascinating. And I mean, is it fair to say that that makes it so that it's worth shining a brighter light or digging a little more closely into that commercially available tool?

Eric Cornelius: Yeah, I mean, I think so. Again, the body of knowledge that we as an industry have is being continually added to by various research organizations, right? No individual company or research group has the amount of resources necessary to pull all of the threads that are interesting in the cybercrime underworld, if you will, right? And there's just so much activity going on across the entire continuum of the hacker spectrum from low-level attackers all the way up to nation-state-sponsored activity, that there's just no way we could be fully comprehensive. And so, naturally, the industry builds on work done by one another. And we're putting this out there to the community to say, hey, we think this is interesting, and hoping that someone else will kind of pick up that ball and run with it.

Dave Bittner: One of the things you point out is the likelihood that the groups who are doing this work could very well likely be contractors who are working for the Chinese government?

Eric Cornelius: Sure. So, again, we're putting our caveats out there. But I'll tell you the sort of observations we made that lead us to believe that these are not highly trained government operatives. And what we see is a high level of skill. All right, we do see a high level of skill, a high level of adaptability, creativity, all of the things you expect to see in sophisticated threat actor groups. However, what we also see is a more substantial lack of operational security that we would not expect to see from a trained government operative. And so, you're talking about – just, there's too many fingerprints is effectively what I'm saying. There's too many names in the paths, too many easily traceable facts in the infrastructure that they're using. There's just not enough credence given to secrecy for us to believe that this is an actual government organization.

Eric Cornelius: However, they are clearly acting in the interests of the government. Ergo, we conclude that this is probably a civilian contracting network that is paid to do this work, which provides plausible deniability on behalf of the actual government, you know, this is just a rogue criminal group doing whatever it is they do. But when you look at the activities that they're undertaking and you pull the thread on some of the compromises, the data that's coming back and the type of data we see being taken, or at least facilitated the types of data, across these tool infrastructures that we've identified and torn apart, it's not immediately monetizable. And so, you have to beg the question then, if this really is some random threat actor group, why are they targeting this specific type of data? And how are they going to monetize it? And if you look at whose interest that's most likely to be, these are breadcrumbs in a larger campaign, and the – I would call it the most likely benefactor is the government, in this case.

Dave Bittner: Yeah. One of the other interesting things you point out here in the research is the shift in command-and-control infrastructure, the type of stuff that they're using there. Can you give us some of the details when it comes to that?

Eric Cornelius: Yeah, in this particular case, there is nothing really novel, just that what we're seeing is sort of an extensible framework, if you will. So think about it this way – these adversaries who are doing this work, this is their actual day job, right? And every company that they compromise, they have to keep track of that. They have to keep track of their status on each project that they're working on. And in this particular case, the Linux infrastructure, they actually had to recompile the toolkit for each specific version of the target. Because, I mean, the Linux kernel's a fairly sophisticated thing. You don't know what modules are going to be there. You don't know exactly what kernel version is going to be running there. So when you approach the target, you can dynamically assert the – or identify the infrastructure, recompile appropriately, and then deploy. And so they just built this pretty nice automation framework to help them keep track of all that stuff, do the compilation, deploy the package to the target, and just kind of make that management easier to scale.

Dave Bittner: So what are your recommendations here? What are the take-homes from the report in terms of organizations better protecting themselves?

Eric Cornelius: Sure, so, I think my main takeaway – you know, I spent a lot of time in the field as a practitioner and spent a lot of time with organizations, and one of the things I've always preached over time is that ninety-five percent of cybersecurity is hygiene. It's just really staying on top of understanding your network baseline, who's talking to who, monitoring data flows. A real obvious sign of compromise is looking at the ratio of bytes out to bytes in. And this may not be true in particular – obviously, on file servers it's not going to be true – but for general civilian machines, a huge amount of data leaving typically doesn't occur, right? You send a GET request to the Internet that says "give me a cat video," the Internet gives you a cat video, the data transfer is very asymmetric. And focusing on these fundamental tenets of how networks are organized will help organizations to identify new types of attacks.

Eric Cornelius: The second key takeaway here is that every asset has importance. And while we focus on our traditional user base – because, I mean, imagine your salesforce. You've got all these people getting on airplanes, going to face-to-face meetings, doing a lot of work at, like, the Marriott bar and places that are generally not renowned for their security. So we focus a lot on them and maybe we don't look so much at the infrastructure that we believe to be isolated, maybe within a DMZ or some other type of subnet infrastructure. We get this feeling that there's more security there. And in this particular case, the threat actors have shown a high aptitude for compromising these machines, even within buried network segments, and they're able to route the data out. And so, we really do need to give effort to every machine.

Dave Bittner: Yeah, I have to say, I'm left scratching my head at this – at the notion, as you say, that it's these critical infrastructure, if you will, these Linux machines that have, I suppose, an outsized amount of vulnerability. Can you help me understand that? I guess it's surprising to me that that would be the case, that there wouldn't be more attention paid to these particular machines when they're doing the important work they're doing.

Eric Cornelius: Yeah, I wouldn't say that there's an outsized amount of vulnerability on the machines, right? All code was written by people, ergo all code is fallible.

Dave Bittner: Hmm.

Eric Cornelius: So, I think if you look at just a number of vulnerabilities per lines of code, all things are basically equal. Right. There's tons of studies about open-source, closed-source, vendor-produced – it doesn't matter. There's vulnerabilities everywhere. What we are suggesting is that due to the criticality of these machines, a successful compromise of one has a substantially higher impact to an organization than a successful compromise of John Q. Random's laptop.

Dave Bittner: I see.

Eric Cornelius: And that's not to say that they don't get the correct John Q. Random and there's some crown-jewel data on it. I'm not suggesting that at all. Everybody gets lucky. But these machines we know are – they tend to be clearinghouses for data. They tend to have high uptime. They tend to have vast amounts of access. They're high-value targets. And we do, as an industry, need to pay a little bit more attention. And I'm not trying to say that the industry is not paying attention to Linux. That's not at all true. We definitely are. But proportionately, and when you go – just go talk to your average security practitioner who's been out of college for, say, five to seven years, kind of the two standard deviations of the workforce, the younger people, you're not going to find a lot of highly skilled Linux practitioners out there. So we just need to do a better job of training and building up these skill sets, particularly as things like cloud take off. You know, we're going to see a lot more influence from the Linux operating system over the next few years.

Dave Bittner: Yeah. That's fascinating. I mean, is it fair to say that the reliability – the fact that these Linux machines run 24/7 without complaining kind of puts them a little bit out of sight, out of mind?

Eric Cornelius: Oh, definitely. And I know many a Linux sysadmin who pride themselves on their uptime. So, they tend to run for a long time, which, again, when you've got a resident compromise, that's a very good thing for a bad guy.

Dave Bittner: Our thanks to Eric Cornelius from BlackBerry for joining us. The research is titled, "Decade of the RATs: Novel APT Attacks Targeting Linux, Windows, and Android." We'll have a link in the show notes.

Dave Bittner: Our thanks to Reservoir Labs for sponsoring this week's Research Saturday. Don't forget, you can learn all about them at

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.