Research Saturday 2.3.18
Ep 21 | 2.3.18

Advanced adware with nation-state tactics.


Dave Bittner: [00:00:03] Hello everyone and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation Cyber Initiative. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor the Hewlett Foundation Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Jay Novak: [00:01:03] Adware in general, its purpose is to serve ads to the target and in general, it will you know, persist on disc it will start up in some known way, usually by an autorun.

Dave Bittner: [00:01:17] That's Jay Novak. He's a threat hunter and tech lead at Booz Allen Hamilton's Dark Labs Advanced Threat Hunt Team. The research he's discussing today is called "Advanced Persistent Adware: Analysis of Nation-State Level Tactics."

Jay Novak: [00:01:32] It's generally considered pretty unsophisticated. You know, when you think about the profit margin that, you know, an adware provider is going to get, you know they're not going to be generating a ton of revenue unless it's a very widespread operation. And if it's a company that is creating this piece of adware, or some organization is creating this piece of adware, they're not going to spend a lot of time developing it or utilizing, you know, sophisticated techniques to help it hide. So it's usually pretty easy to detect, pretty easy to find and relatively unsophisticated.

Dave Bittner: [00:02:05] And so the purpose of run-of-the-mill adware is to inject an ad in, I guess, a surreptitious way, and unintentionally onto your system, in sort of a sneaky way, and that's why it's considered malware?

Jay Novak: [00:02:18] Yeah, that's right. So, you're sort of run-of-the-mill adware will be an executable that's on disk, and when it starts in its simplest form it will just launch Internet Explorer and send Internet Explorer to some known page that will serve an ad to the user.

Dave Bittner: [00:02:36] So what you all discovered here is a bit more sophisticated than that. Take us through what you found.

Jay Novak: [00:02:41] Yes, so on the Advanced Threat Hunt Team, we've created a set of, sort of, you know, technology analytics and processes around a hypothesis driven approach to threat hunting. And when we were looking at a particular network utilizing this process, we were going through a particular analytic that helps us find wscript use on Windows systems. One of our analysts saw a wscript executing a piece of JavaScript code that the command line had a bunch of obfuscated base64 encoded arguments, and these arguments pointed towards a further obfuscated encrypted blob on disk, or semi-encrypted blob on disk. And so, essentially what he found was a JavaScript program that had multiple arguments being passed into it, that then was making a call out to the Internet and sort of your level of suspicion, kind of alarm bells go off at this point, and we decided you know this is worth a further look, right?

Jay Novak: [00:03:50] We didn't really know it was adware at the time, but it was definitely worth diving into. What we discovered from there, through reverse engineering the JavaScript, and by doing a little bit of digging in terms of how this thing was persisted, we sort of found two things. We found that the program, this malware was utilizing a technique that we generally only see in very sophisticated campaigns. The only thing that's persisted to disk itself is something that's very lightweight, very you, know mutable so that signatures, like you know your normal IOCs don't necessarily work, because it can be changed so easily. And it's also lightweight and easy to develop, and easy to change so if some heuristic-based signature is developed for the thing that is on disk, you know that can be changed really easily by the actors. So this is kind of a level of sophistication in terms of its you know operational security, and protecting itself as a tool that a attacker can use, definitely pointed us towards thinking that this was something that was maybe a little bit different than your normal you know run-of-the-mill sort of adware commodity malware.

Dave Bittner: [00:05:03] Yeah, walk us through how this works. Take us through it step by step. What did you discover?

Jay Novak: [00:05:08] The first thing that we discovered, again, was this JavaScript. And then after we discovered the JavaScript, we went back and looked at a different analytic that we run on all of our endpoints that we're trying to hunt in, and that analytic looks for kind of known persistence mechanisms, and we discovered a correlation between a scheduled task that was actually running the wscripts, and then the wscripts, you know, kicking off this JavaScript job.

Jay Novak: [00:05:38] We actually didn't have access to go back to this particular endpoint and watch what was happening sort of dynamically in real time. So that's why we had to hand off the JavaScript to our malware reverse engineers. They took a look at the JavaScript and noticed immediately this callout domain. Also, after deobfuscating pieces of the JavaScript, realized that what it was doing was calling out to this domain, downloading an extra little bit of JavaScript, that was encrypted using an algorithm that we haven't been able to crack yet. But downloading a second piece of JavaScript and then allowing that to run only in memory, that callout domain was something that then we used to look in various other environments that were currently hunting in. By using that domain we were actually able to find, you know, multiple instances of this, not only in the first place where we found it, but across a couple of other networks as well.

Jay Novak: [00:06:38] From there, we did a lot of pivoting analysis, you know, sort of outside of the wire, so to speak, where we took that domain and looked at various enrichment sources. By sort of pivoting off of that domain, we found other domains that were related, and those other domains pointed to older versions of this malware, that then we discovered was part of this overall adware campaign.

Dave Bittner: [00:07:03] So, what is your sense of what the motivation is here? Do you have a feeling that they're targeting particular people?

Jay Novak: [00:07:13] No, this doesn't seem to be particularly targeted. I think that that's one of the things that was kind of interesting to us. Commodity malware, and we sometimes fall into this trap too, but commodity malware, you know, adware, crimeware, certain variants of crimeware, some of these things tend to get ignored during SOC operations because they're not targeted. But I think for us one of the reasons why we wanted to make sure to put out this blog post is because it's not just evidence of adware using advanced persistent, you know, techniques, but it's evidence of a sort of a larger story that, you know, adversaries from adware developers, all the way up to a APTs, cyber criminals, and everything in between, they're starting to use these techniques that we generally thought were were only for a small piece of the adversaries out there.

Jay Novak: [00:08:06] And since they're being used by more people, that means that organizations really have to take a hard look at how they're going to detect that type of behavior. And for us, it's taking a proactive approach to hunting to really go out there find those unknown unknowns, bring them to light and then create this iterative process around creating new analytics, and really kind of keeping up with those adversaries and changing the way that that arms race happens between, you know, us as defenders and them as attackers.

Dave Bittner: [00:08:37] What kind of information was this looking for specifically? Do you have a sense on that?

Jay Novak: [00:08:42] This particular adware, the final stage executable that's downloaded and run, it appears to mostly be for the purpose of serving adware, but not to be overly speculative here, but the adware itself is something that's persisted on disk and does have the ability to execute arbitrary code. So we don't have any evidence that anything more nefarious was going on here, but it's certainly not something that organizations should ignore, just based on the fact that it could be running other executables.

Dave Bittner: [00:09:17] So it could be as simple as serving up adware, but it's possible that it's in a sense a misdirection that could later do other things?

Jay Novak: [00:09:26] Yeah, a misdirection, or you know, there's been evidence in the past of sort of this, you know, malvertising campaigns, where even companies that think that, you know, they're doing something, you know, relatively benign, and by companies I can mean these, you know, these organizations that are doing, that are serving adware. They're doing something that's, you know, relatively benign but really there's some other entity that is utilizing this to do a more targeted attack.

Dave Bittner: [00:09:53] Take me through the process of hypothesis-driven, behavioral-based analytics. That's something that you all used here. Shed some light on that. How does that work?

Jay Novak: [00:10:04] What were attempting to do is use our ideas about how adversaries operate. So we have, you know, a lot of people on the team come from sort of a red team and pentesting background, and some people on the team come from the malware reverse engineering, and some people on our team come from sort of a cyber threat intelligence background. And so we try to you know put on our different hats as we go through and come up with what we call "hunt analytics," and we put these hunt analytics in our hunt analytics library, and we try to take each one of them, which we treat as sort of a hypothesis about how an adversary might act in a particular network.

Jay Novak: [00:10:45] And out of each one of these analytics, what happens is we develop "haystacks," and in these haystacks, we can add all of our enrichment information, such as domain registration information or information from a third party like VirusTotal or RiskIQ. And all that enrichment data comes together to help us quickly triage each haystack. A haystack might have ten things that we have to triage, and another haystack might have a thousand things that need to be triaged, and so we try to bring in as much information as possible. And all this really sort of starts with, to the point about behavioral analysis. It all starts with getting data from these organizations that were trying to protect. And so that data can be network data that's generated by network sensors. But really we find a lot of really really good information when we start querying endpoint detection and response tools to get both the telemetry and the forensic-style data directly from the endpoints for our haystacking.

Dave Bittner: [00:11:46] So, this isn't the sort of thing that a standard antivirus tool would be likely to detect?

Jay Novak: [00:11:53] So in this particular case, for the Advanced Persistent Adware, an AV could absolutely write a signature to detect this JavaScript, the blob that's on disk, and they could write a signature that, you know, maybe even triggers off of something as easy as the MD5 of that blob. Maybe it triggers off the fact that it's obfuscated JavaScript. There's certainly things that they could do. The problem is that the nature of this particular, you know, persistence mechanism of the way that is the stage-2 is being delivered, is it's so changeable that an attacker could have a library of AVs installed on a computer somewhere, and as soon as you know their JavaScript blob gets detected they could change it such that it would no longer be detected. So it's not necessarily that they're sort of doing something that's inherently not able to detect it, but they're certainly able to change things so quickly that an AV can't really keep up with the large volume of the different permutations of this type of malware.

Dave Bittner: [00:12:57] I see. So in terms of attribution, do you have any thoughts there?

Jay Novak: [00:13:01] It's not really something that we can comment on at this time. You know, I think from a little "a" attribution, which is maybe a little bit more important when you talk about attribution, you can say, you know, he or she did it. Or you can talk about this is sort of a grouping of activity that's part of an overarching campaign. In terms of the grouping of activity that's part of a overarching campaign, this is adware that is that's very prevalent. If you follow the research in the blog, you probably can connect the dots and find out more information about it. But it's certainly something that's out there and can be tied to this, you know, this campaign of adware for this specific delivery mechanism.

Dave Bittner: [00:13:43] I see. So, in terms of advice for people to protect themselves against this, what do you suggest?

Jay Novak: [00:13:49] For organizations that want to detect this type of threat, specifically to this particular sort of advanced persistent adware, I think that there are some very specific things that you can do. But more importantly I think that for an organization that wants to detect advanced threats it's going to take a little bit of introspection, right? You know, asking yourself as an organization do you have the analytics that say, "I want to look for all wscript execution on all of my endpoints under my control?" If the answer to that is yes, I have that idea that's a hypothesis that I want to follow. Then, you know, the next question is "do I actually have that data?" "How do I collect that data?" And, "how do I query that data," and then finally it's "do I have the people and the processes in place to really go through those haystacks?" It's something like, you know, "give me every single time wscript.exe is executed." That's not necessarily going to be a haystack full of malicious things. The vast majority of that is going to be benign. So you really have to have a well-trained staff that understand when something meets the threshold for malicious behavior.

Dave Bittner: [00:15:10] Our thanks to Jay Novak from Booz Allen's Dark Labs Advanced Threat Hunt Team. Their full report is called "Advanced Persistent Adware: Analysis of Nation-State Level Tactics," and you could find it on their website.

Dave Bittner: [00:15:23] Thanks to the Hewlett Foundation Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:15:31] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. It's produced by Pratt Street Media, the coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.