Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

APTs Not Always as Advanced as You May Think: Sophos

Advanced persistent threats (APT) – given the moniker, one might think everything about them is sophisticated.

Advanced persistent threats (APT) – given the moniker, one might think everything about them is sophisticated.

A new paper from Sophos however argues something that may seem counterintuitive at first – common malware authors in some cases are better at the Q&A process than the minds behind APTs.

“It is counter-intuitive for the general audience, who have little insight and major influence by Hollywood movies,” the paper’s author, Gabor Szappanos, principal researcher at SophosLabs, told SecurityWeek. “I was not as much surprised. I was analyzing the exploited documents from these groups on a daily basis. My experience was that samples coming from APT groups were easier to analyze, and the ones coming from the more common groups caused me more trouble. That was only an impression, but this research supported it with some factual data.”

In the paper, Sophos analyzed malware samples using CVE-2014-1761, a vulnerability in Microsoft Word that emerged as the third most popular document-based exploit in the final three months of 2014. While a wide range of Microsoft Office versions were impacted by the vulnerability, only Microsoft Office 2010 SP2 (32-bit) was ever attacked, according to the report.

The research uncovered that not only did the attackers have a “limited understanding of, or ability to modify with success, the initial exploit,” it also revealed that the known APT groups generally showed less sophistication than the more mainstream criminal crews. 

During the research, 70 samples using the exploit were analyzed in detail, covering a wide range of different malware authors and families including Plugx, MiniDuke and Tinba. Though neither the APT or commercial malware authors showed enough knowledge to significantly modify the exploit trigger and the initial ROP chain, most of the more infamous APT groups showed the least sophistication, according to the paper.

“There is one additional factor worthy of consideration: whether the exploited RTF samples work or not,” according to the paper. “The result was more than surprising: in more than half of the samples, the CVE-2014-1761 exploit didn’t work. This doesn’t mean that the “broken” samples were not able to infect their targets: those were dominantly multi-exploit samples, and the other exploits (usually the good old CVE- 2012-0158) were still successful in infection.”

Advertisement. Scroll to continue reading.

Considering only the RTF samples that use multiple exploits and removing the ones that are seemingly test files, the real-life multi-exploit combos were found to have a success rate of only 30 percent. 

“It is not trivial to test the operability of this exploit, especially if multiple exploits are present,” according to the paper. “Multiple replication environments need to be in place for the proper solution. But this 30% is still a very low number.”

Writing an exploit is definitely more difficult today than it was in the past, Szappanos said.

“But I think that this case more illustrates the segregation in the malware scene: there are a very few people who can build exploits, and a lot of malware groups who try to use the exploit,” he said. “Because of the segregation, the malware groups usually don’t have exploit experts of their own; instead they use whatever is publicly available for them. As much as they can understand of it. The research shows that in case of complicated exploits, they don’t understand the depths of the exploitation.”

The paper can be read here

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...