Sometimes the simplest techniques can foil the complex systems created by security firms and large enterprises to detect malicious programs and files.
Advanced Persistent Threat (APT) is a term for targeted attacks on enterprises and other organizations; more recently it has come to refer to what appear to be nation-state intelligence agencies using cyber attacks for both conventional and industrial espionage.
Advanced threats have targeted control systems in the past, and these attacks use both commercially available and custom-made malware to steal information or commit fraud.
Terminator RAT has been used against Tibetan and Uyghur activists before. While tracking attacks against entities in Taiwan, FireEye Labs recently analyzed new samples of 'Terminator RAT' (Remote Access Tool) that were sent via spear-phishing emails to targets in Taiwan.
The attachment was a Word document that exploited a vulnerability in Microsoft Office (CVE-2012-0158) and then dropped a malware installer named “DW20.exe”.
Let's see what evasion techniques this advanced version of Terminator RAT uses:
The installer first creates its working folders at “%UserProfile%\Microsoft” and “%AppData%\2019”, where it stores its configuration and executable files (svchost_.exe and sss.exe).
The installer terminates and removes itself after installation; the malware itself only runs after a reboot. This is an effective way to evade automated sandbox analysis, since the malicious activity is only revealed after a reboot, which short automated runs typically never perform.
The RAT (svchost_.exe) works together with its relay (sss.exe) to communicate with the command and control servers at liumingzhen.zapto.org and liumingzhen.myftp.org, both resolving to 123.51.208.69.
The relay component sits between the malware and the proxy server, listening on port 8000.
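The network indicators above are the easiest part of this infection to spot from the perimeter. The following is an added example (not FireEye's analysis code and not part of the original post) that matches them against DNS and proxy logs. The log lines are constructed for this illustration in BIND query-log and Squid access-log format; only the two C2 hostnames and the IP address come from the write-up. The dynamic-DNS zone check goes beyond the text: zapto.org and myftp.org are free No-IP zones, so any unfamiliar host under them merits a look, not just this one label.

```python
"""Match the Terminator RAT network indicators against log lines.

Added example, not FireEye's code. Sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

C2_HOSTS = {"liumingzhen.zapto.org", "liumingzhen.myftp.org"}   # from the write-up
C2_IPS = {"123.51.208.69"}                                         # from the write-up
DYNDNS_ZONES = {"zapto.org", "myftp.org"}   # generalization: free No-IP zones

# Constructed sample: two BIND query-log lines and three Squid access-log lines.
SAMPLE_LOG = """\
12-Oct-2013 09:14:02.113 queries: client 10.0.0.23#51234: query: liumingzhen.zapto.org IN A +
12-Oct-2013 09:14:02.120 queries: client 10.0.0.23#51235: query: update.microsoft.com IN A +
1381569245.981   1204 10.0.0.23 TCP_MISS/200 512 GET http://123.51.208.69:80/ - DIRECT/123.51.208.69 text/html
1381569250.001    980 10.0.0.23 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1381569301.442   1100 10.0.0.40 TCP_MISS/200 300 GET http://other.myftp.org/ping - DIRECT/198.51.100.7 text/plain
"""

BIND_QUERY = re.compile(r"query: (?P<name>[\w.-]+) IN")
# timestamp elapsed client code/status bytes method url ...
SQUID_LINE = re.compile(r"\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\w+\s+(?P<url>\S+)")
HOST_IN_URL = re.compile(r"^[a-z]+://(?P<host>[^/:]+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str   # the hostname or IP that matched
    kind: str        # "c2_host", "c2_ip" or "dyndns_zone"


def classify_host(host: str) -> Optional[str]:
    """Return the match kind for a hostname or IP, or None if it is clean."""
    host = host.lower().rstrip(".")
    if host in C2_HOSTS:
        return "c2_host"
    if host in C2_IPS:
        return "c2_ip"
    # Parent-zone check: "label.zapto.org" -> "zapto.org". The bare zone apex
    # itself is not flagged, only hosts registered under it.
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in DYNDNS_ZONES:
        return "dyndns_zone"
    return None


def extract_host(line: str) -> Optional[str]:
    """Pull the queried name (BIND) or destination host (Squid) out of a line."""
    m = BIND_QUERY.search(line)
    if m:
        return m.group("name")
    m = SQUID_LINE.match(line)
    if m:
        u = HOST_IN_URL.match(m.group("url"))
        return u.group("host") if u else None
    return None


def scan_log(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), start=1):
        host = extract_host(line)
        if host is None:
            continue
        kind = classify_host(host)
        if kind:
            hits.append(Hit(n, host.lower(), kind))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
```

Note that the relay listens on local port 8000, so a proxy log will show the RAT's traffic coming from the infected host itself; on the host, a process listening on 8000 from under %AppData% is the corresponding indicator.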
The “2019” folder was then configured as the new Startup folder by changing the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup”, so that the implant launches at logon from a location investigators are less likely to check; moving the startup location in this way deters forensic investigation.
In addition, svchost_.exe was padded to 40MB to defeat file-based scanners that skip files above a maximum size.
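Both host-side tricks are cheap to check for. The following is an added example (not FireEye's code and not part of the original post) that inspects a .reg export of the Shell Folders key for a redirected Startup value and applies a padding heuristic to a file so that oversized samples are not simply skipped. The .reg text and the padded file bytes are constructed in-line so it runs offline on any OS; on a real Windows host the registry text would come from `reg export` of that key and the bytes from the file under %AppData%. The 90% zero-byte threshold is a chosen heuristic, not a documented value.

```python
r"""Check for a redirected per-user Startup folder and a zero-padded executable.

Added example, not FireEye's or the malware's code. The .reg export and the
padded file below are constructed stand-ins.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple

SHELL_FOLDERS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
# A legitimate per-user Startup folder always ends with this suffix (compared lower-case).
EXPECTED_STARTUP_SUFFIX = r"\start menu\programs\startup"

# Constructed .reg export reflecting the modification described in the text:
# Startup pointed at the malware's own %AppData%\2019 folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="C:\\Users\\victim\\Desktop"
"Startup"="C:\\Users\\victim\\AppData\\Roaming\\2019"
"Personal"="C:\\Users\\victim\\Documents"
"""

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_SZ = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser for REG_SZ values (Shell Folders values are REG_SZ)."""
    tree: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = m.group("key")
            tree.setdefault(current, {})
            continue
        m = _SZ.match(line)
        if m and current is not None:
            # .reg files escape embedded quotes and backslashes
            val = m.group("val").replace('\\"', '"').replace("\\\\", "\\")
            tree[current][m.group("name")] = val
    return tree


def check_startup_folder(reg_text: str) -> Tuple[Optional[str], bool]:
    """Return (configured Startup path, suspicious?)."""
    values = parse_reg(reg_text).get(SHELL_FOLDERS, {})
    startup = values.get("Startup")
    if startup is None:
        return None, False
    return startup, not startup.lower().endswith(EXPECTED_STARTUP_SUFFIX)


def padding_ratio(data: bytes, tail: int = 1 << 20) -> float:
    """Fraction of zero bytes in the last `tail` bytes (1.0 means pure padding)."""
    chunk = data[-tail:]
    return chunk.count(0) / len(chunk) if chunk else 0.0


def is_padded(data: bytes, threshold: float = 0.9) -> bool:
    # Heuristic threshold chosen for this example.
    return padding_ratio(data) >= threshold


def content_sha256(data: bytes) -> str:
    """SHA-256 with trailing zero padding stripped, so the same implant hashes
    identically whether or not it was inflated to 40MB."""
    return hashlib.sha256(data.rstrip(b"\x00")).hexdigest()


# Constructed stand-in for svchost_.exe: a small body followed by 2 MiB of zeros.
SAMPLE_BODY = b"MZ" + bytes(range(256)) * 16
SAMPLE_PADDED = SAMPLE_BODY + b"\x00" * (2 << 20)

if __name__ == "__main__":
    path, bad = check_startup_folder(SAMPLE_REG)
    print(f"Startup folder: {path} suspicious={bad}")
    print(f"padded={is_padded(SAMPLE_PADDED)} ratio={padding_ratio(SAMPLE_PADDED):.2f}")
    print(f"content hash stable across padding: "
          f"{content_sha256(SAMPLE_PADDED) == content_sha256(SAMPLE_BODY)}")
```

The point of the stripped hash is that a scanner which indexes files by their padded size or full-file hash will miss the sample, whereas hashing the content with the trailing zeros removed makes the 40MB copy and the original match.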
It is clear that cybercrime is becoming more organized and cybercriminals more sophisticated. Attackers use stealthy, advanced malware to infiltrate hosts and steal valuable data, and APT attacks are becoming harder to detect.