From Flame to Madi, malware used for cyber espionage continues to stay under the radar while silently swiping data from corporations' digital coffers.
In a new report, Dell SecureWorks researcher Joe Stewart went inside this part of the cyber-underworld, uncovering a realm where hundreds of actors make, control and propagate malware designed to spy on institutions around the world.
During the company's 18-month analysis, Stewart tracked more than 200 unique, custom malware families involved in espionage campaigns. He also tracked more than 1,100 domain names registered by cyber-espionage crews for use in hosting malware command-and-control (C&C) servers or spear phishing, as well as nearly 20,000 subdomains of those 1,100 domains used for malware C&C resolution.
Though awareness of such malware is on the rise, many of these malware families are not new.
"Most of these malware families existed two years ago - they may even have been detected by some antivirus firms at some point," said Stewart, director of malware research. "What we are trying to do is classify the different malware families we are seeing as espionage-related or not. We build this picture using different pieces of evidence, such as the malware being dropped by spear-phishes or phoning home to a domain or IP known to be used in previous attacks."
About 95 percent of these malware families are linked to China in some way, Stewart said, either due to language, fingerprints in the malware or in IPs or domain registrations of the malware's C&Cs.
"All of this kind of digital evidence can be forged; however, based on our experience back-tracing malware to the hackers either through reused email addresses or HTran TCP relays, or simply based on the types of targets and information being stolen, it appears that the true location of the hackers is indeed China," he said.
"The common theme used by Chinese hackers is many small, custom-written downloaders and backdoors, used in limited distribution," he added. "Keeping the deployment of the malware small increases the length of time between the initial seeding and when an antivirus firm may finally receive a sample of the malware. Using many different backdoors at once allows them to persist on a network even after one or more of the other malware families is detected."
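The classification approach Stewart describes, linking a sample to espionage activity through its delivery vector or the C&C infrastructure it shares with earlier campaigns, and then rolling the resulting hosts up into registered domains versus subdomains as in the 1,100/20,000 figures above, can be sketched as a small evidence-pivot routine. This is an added illustration, not SecureWorks' code; every host, IP and sample identifier in it is a constructed placeholder.

```python
"""Infrastructure-pivot classification (added illustration). A sample is
tagged espionage-related when it is delivered by spear-phishing or phones
home to a host already tied to a prior espionage campaign; every host such
a sample contacts is then added to the known set so later samples can be
pivoted from it. Seeds, samples and hosts below are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed seed: hosts tied to earlier espionage campaigns (placeholders).
SEED_INFRA = {"c2.example-espionage.test", "198.51.100.7"}

@dataclass
class Sample:
    sample_id: str        # placeholder identifier, not a real hash
    spearphished: bool    # delivered by a spear-phishing email?
    callbacks: Set[str] = field(default_factory=set)  # hosts it phones home to

def registrable_domain(host: str) -> Optional[str]:
    """Roll a subdomain up to its registered domain; IP literals give None.
    Simplifying assumption: two-label registered domains, no public-suffix list."""
    if host.replace(".", "").isdigit():
        return None
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify(samples, seed=SEED_INFRA) -> Tuple[Set[str], Set[str]]:
    """Iterate to a fixed point: link samples to known infrastructure, then
    grow the known set with every host an espionage-linked sample contacts."""
    known, espionage = set(seed), set()
    changed = True
    while changed:
        changed = False
        for s in samples:
            if s.sample_id in espionage:
                continue
            if s.spearphished or (s.callbacks & known):
                espionage.add(s.sample_id)
                known |= s.callbacks
                changed = True
    return espionage, known

def infra_summary(hosts) -> Tuple[int, int]:
    """Count registered domains versus subdomains among the known hosts."""
    domains = {d for h in hosts if (d := registrable_domain(h)) is not None}
    subdomains = {h for h in hosts if registrable_domain(h) not in (None, h)}
    return len(domains), len(subdomains)
```

Because the loop re-runs until no sample changes state, a sample listed before the one that reveals its C&C host is still picked up on the next pass.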
But while China is often a focus of cyber-espionage allegations, other countries have been involved in it extensively as well. Flame, for example, has been publicly linked to U.S. government cyber operations. According to Stewart, the knowledge that governments are involved in this type of activity could have the effect of legitimizing it for private organizations.
"CTU (SecureWorks' Counter Threat Unit) researchers have uncovered a sizable cyber-espionage operation carried out by a private computer security company in an Asian country (not China) against a foreign military, presumably on behalf of the government of the country where that company resides," he wrote in the report. "Outsourcing of offensive hacking to contractors is to be expected, given that the market demand for such skills often precludes governments from possessing such talent for very long. However, CTU researchers have discovered that the scope of that company's operations also extends to using backdoors and spearphishing to spy on companies in the U.S. and Europe, and even journalists native to the same country."
"Ironically, this same company offers ethical hacking courses as part of its services," he added.
Stewart added that while the average botnet considered an advanced persistent threat may be small, its size is not an effective gauge of the level of activity.
Unlike the large cyber-crime networks that can be composed of millions of infected computers, "cyber-espionage encompasses tens of thousands of infected computers spread across hundreds of botnets, each of which may only control a few to a few hundred computers at a time," he wrote in the report. "Therefore, each time an 'APT botnet' is discovered, it tends to look like a fairly small-scale operation. But this illusion belies the fact that for every APT botnet that is discovered and publicized, hundreds more continue to lie undetected on thousands of networks."