Advanced adware with nation-state tactics.
Dave Bittner: [00:00:03] Hello everyone and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation Cyber Initiative. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor the Hewlett Foundation Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.com/cyber.
Jay Novak: [00:01:03] Adware in general, its purpose is to serve ads to the target and in general, it will you know, persist on disc it will start up in some known way, usually by an autorun.
Dave Bittner: [00:01:17] That's Jay Novak. He's a threat hunter and tech lead at Booz Allen Hamilton's Dark Labs Advanced Threat Hunt Team. The research he's discussing today is called "Advanced Persistent Adware: Analysis of Nation-State Level Tactics."
Jay Novak: [00:01:32] It's generally considered pretty unsophisticated. You know, when you think about the profit margin that, you know, an adware provider is going to get, you know they're not going to be generating a ton of revenue unless it's a very widespread operation. And if it's a company that is creating this piece of adware, or some organization is creating this piece of adware, they're not going to spend a lot of time developing it or utilizing, you know, sophisticated techniques to help it hide. So it's usually pretty easy to detect, pretty easy to find and relatively unsophisticated.
Dave Bittner: [00:02:05] And so the purpose of run-of-the-mill adware is to inject an ad in, I guess, a surreptitious way, and unintentionally onto your system, in sort of a sneaky way, and that's why it's considered malware?
Jay Novak: [00:02:18] Yeah, that's right. So, you're sort of run-of-the-mill adware will be an executable that's on disk, and when it starts in its simplest form it will just launch Internet Explorer and send Internet Explorer to some known page that will serve an ad to the user.
Dave Bittner: [00:02:36] So what you all discovered here is a bit more sophisticated than that. Take us through what you found.
Dave Bittner: [00:05:03] Yeah, walk us through how this works. Take us through it step by step. What did you discover?
Jay Novak: [00:06:38] From there, we did a lot of pivoting analysis, you know, sort of outside of the wire, so to speak, where we took that domain and looked at various enrichment sources. By sort of pivoting off of that domain, we found other domains that were related, and those other domains pointed to older versions of this malware, that then we discovered was part of this overall adware campaign.
Dave Bittner: [00:07:03] So, what is your sense of what the motivation is here? Do you have a feeling that they're targeting particular people?
Jay Novak: [00:07:13] No, this doesn't seem to be particularly targeted. I think that that's one of the things that was kind of interesting to us. Commodity malware, and we sometimes fall into this trap too, but commodity malware, you know, adware, crimeware, certain variants of crimeware, some of these things tend to get ignored during SOC operations because they're not targeted. But I think for us one of the reasons why we wanted to make sure to put out this blog post is because it's not just evidence of adware using advanced persistent, you know, techniques, but it's evidence of a sort of a larger story that, you know, adversaries from adware developers, all the way up to a APTs, cyber criminals, and everything in between, they're starting to use these techniques that we generally thought were were only for a small piece of the adversaries out there.
Jay Novak: [00:08:06] And since they're being used by more people, that means that organizations really have to take a hard look at how they're going to detect that type of behavior. And for us, it's taking a proactive approach to hunting to really go out there find those unknown unknowns, bring them to light and then create this iterative process around creating new analytics, and really kind of keeping up with those adversaries and changing the way that that arms race happens between, you know, us as defenders and them as attackers.
Dave Bittner: [00:08:37] What kind of information was this looking for specifically? Do you have a sense on that?
Jay Novak: [00:08:42] This particular adware, the final stage executable that's downloaded and run, it appears to mostly be for the purpose of serving adware, but not to be overly speculative here, but the adware itself is something that's persisted on disk and does have the ability to execute arbitrary code. So we don't have any evidence that anything more nefarious was going on here, but it's certainly not something that organizations should ignore, just based on the fact that it could be running other executables.
Dave Bittner: [00:09:17] So it could be as simple as serving up adware, but it's possible that it's in a sense a misdirection that could later do other things?
Jay Novak: [00:09:26] Yeah, a misdirection, or you know, there's been evidence in the past of sort of this, you know, malvertising campaigns, where even companies that think that, you know, they're doing something, you know, relatively benign, and by companies I can mean these, you know, these organizations that are doing, that are serving adware. They're doing something that's, you know, relatively benign but really there's some other entity that is utilizing this to do a more targeted attack.
Dave Bittner: [00:09:53] Take me through the process of hypothesis-driven, behavioral-based analytics. That's something that you all used here. Shed some light on that. How does that work?
Jay Novak: [00:10:04] What were attempting to do is use our ideas about how adversaries operate. So we have, you know, a lot of people on the team come from sort of a red team and pentesting background, and some people on the team come from the malware reverse engineering, and some people on our team come from sort of a cyber threat intelligence background. And so we try to you know put on our different hats as we go through and come up with what we call "hunt analytics," and we put these hunt analytics in our hunt analytics library, and we try to take each one of them, which we treat as sort of a hypothesis about how an adversary might act in a particular network.
Jay Novak: [00:10:45] And out of each one of these analytics, what happens is we develop "haystacks," and in these haystacks, we can add all of our enrichment information, such as domain registration information or information from a third party like VirusTotal or RiskIQ. And all that enrichment data comes together to help us quickly triage each haystack. A haystack might have ten things that we have to triage, and another haystack might have a thousand things that need to be triaged, and so we try to bring in as much information as possible. And all this really sort of starts with, to the point about behavioral analysis. It all starts with getting data from these organizations that were trying to protect. And so that data can be network data that's generated by network sensors. But really we find a lot of really really good information when we start querying endpoint detection and response tools to get both the telemetry and the forensic-style data directly from the endpoints for our haystacking.
Dave Bittner: [00:11:46] So, this isn't the sort of thing that a standard antivirus tool would be likely to detect?
Dave Bittner: [00:12:57] I see. So in terms of attribution, do you have any thoughts there?
Jay Novak: [00:13:01] It's not really something that we can comment on at this time. You know, I think from a little "a" attribution, which is maybe a little bit more important when you talk about attribution, you can say, you know, he or she did it. Or you can talk about this is sort of a grouping of activity that's part of an overarching campaign. In terms of the grouping of activity that's part of a overarching campaign, this is adware that is that's very prevalent. If you follow the research in the blog, you probably can connect the dots and find out more information about it. But it's certainly something that's out there and can be tied to this, you know, this campaign of adware for this specific delivery mechanism.
Dave Bittner: [00:13:43] I see. So, in terms of advice for people to protect themselves against this, what do you suggest?
Jay Novak: [00:13:49] For organizations that want to detect this type of threat, specifically to this particular sort of advanced persistent adware, I think that there are some very specific things that you can do. But more importantly I think that for an organization that wants to detect advanced threats it's going to take a little bit of introspection, right? You know, asking yourself as an organization do you have the analytics that say, "I want to look for all wscript execution on all of my endpoints under my control?" If the answer to that is yes, I have that idea that's a hypothesis that I want to follow. Then, you know, the next question is "do I actually have that data?" "How do I collect that data?" And, "how do I query that data," and then finally it's "do I have the people and the processes in place to really go through those haystacks?" It's something like, you know, "give me every single time wscript.exe is executed." That's not necessarily going to be a haystack full of malicious things. The vast majority of that is going to be benign. So you really have to have a well-trained staff that understand when something meets the threshold for malicious behavior.
Dave Bittner: [00:15:10] Our thanks to Jay Novak from Booz Allen's Dark Labs Advanced Threat Hunt Team. Their full report is called "Advanced Persistent Adware: Analysis of Nation-State Level Tactics," and you could find it on their website.
Dave Bittner: [00:15:23] Thanks to the Hewlett Foundation Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:15:31] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. It's produced by Pratt Street Media, the coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.