APTs Not Always as Advanced as You May Think: Sophos

Advanced persistent threats (APT) – given the moniker, one might think everything about them is sophisticated.

A new paper from Sophos however argues something that may seem counterintuitive at first – common malware authors in some cases are better at the Q&A process than the minds behind APTs.

“It is counter-intuitive for the general audience, who have little insight and major influence by Hollywood movies,” the paper’s author, Gabor Szappanos, principal researcher at SophosLabs, told SecurityWeek. “I was not as much surprised. I was analyzing the exploited documents from these groups on a daily basis. My experience was that samples coming from APT groups were easier to analyze, and the ones coming from the more common groups caused me more trouble. That was only an impression, but this research supported it with some factual data.”

In the paper, Sophos analyzed malware samples using CVE-2014-1761, a vulnerability in Microsoft Word that emerged as the third most popular document-based exploit in the final three months of 2014. While a wide range of Microsoft Office versions were impacted by the vulnerability, only Microsoft Office 2010 SP2 (32-bit) was ever attacked, according to the report.

The research uncovered that not only did the attackers have a “limited understanding of, or ability to modify with success, the initial exploit,” it also revealed that the known APT groups generally showed less sophistication than the more mainstream criminal crews. 

During the research, 70 samples using the exploit were analyzed in detail, covering a wide range of different malware authors and families including Plugx, MiniDuke and Tinba. Though neither the APT or commercial malware authors showed enough knowledge to significantly modify the exploit trigger and the initial ROP chain, most of the more infamous APT groups showed the least sophistication, according to the paper.

“There is one additional factor worthy of consideration: whether the exploited RTF samples work or not,” according to the paper. “The result was more than surprising: in more than half of the samples, the CVE-2014-1761 exploit didn’t work. This doesn’t mean that the “broken” samples were not able to infect their targets: those were dominantly multi-exploit samples, and the other exploits (usually the good old CVE- 2012-0158) were still successful in infection.”

Considering only the RTF samples that use multiple exploits and removing the ones that are seemingly test files, the real-life multi-exploit combos were found to have a success rate of only 30 percent. 

“It is not trivial to test the operability of this exploit, especially if multiple exploits are present,” according to the paper. “Multiple replication environments need to be in place for the proper solution. But this 30% is still a very low number.”

Writing an exploit is definitely more difficult today than it was in the past, Szappanos said.

“But I think that this case more illustrates the segregation in the malware scene: there are a very few people who can build exploits, and a lot of malware groups who try to use the exploit,” he said. “Because of the segregation, the malware groups usually don’t have exploit experts of their own; instead they use whatever is publicly available for them. As much as they can understand of it. The research shows that in case of complicated exploits, they don’t understand the depths of the exploitation.”

The paper can be read here.