Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

APTs Not Always as Advanced as You May Think: Sophos

Advanced persistent threats (APT) – given the moniker, one might think everything about them is sophisticated.

Advanced persistent threats (APT) – given the moniker, one might think everything about them is sophisticated.

A new paper from Sophos however argues something that may seem counterintuitive at first – common malware authors in some cases are better at the Q&A process than the minds behind APTs.

“It is counter-intuitive for the general audience, who have little insight and major influence by Hollywood movies,” the paper’s author, Gabor Szappanos, principal researcher at SophosLabs, told SecurityWeek. “I was not as much surprised. I was analyzing the exploited documents from these groups on a daily basis. My experience was that samples coming from APT groups were easier to analyze, and the ones coming from the more common groups caused me more trouble. That was only an impression, but this research supported it with some factual data.”

In the paper, Sophos analyzed malware samples using CVE-2014-1761, a vulnerability in Microsoft Word that emerged as the third most popular document-based exploit in the final three months of 2014. While a wide range of Microsoft Office versions were impacted by the vulnerability, only Microsoft Office 2010 SP2 (32-bit) was ever attacked, according to the report.

The research uncovered that not only did the attackers have a “limited understanding of, or ability to modify with success, the initial exploit,” it also revealed that the known APT groups generally showed less sophistication than the more mainstream criminal crews. 

During the research, 70 samples using the exploit were analyzed in detail, covering a wide range of different malware authors and families including Plugx, MiniDuke and Tinba. Though neither the APT or commercial malware authors showed enough knowledge to significantly modify the exploit trigger and the initial ROP chain, most of the more infamous APT groups showed the least sophistication, according to the paper.

“There is one additional factor worthy of consideration: whether the exploited RTF samples work or not,” according to the paper. “The result was more than surprising: in more than half of the samples, the CVE-2014-1761 exploit didn’t work. This doesn’t mean that the “broken” samples were not able to infect their targets: those were dominantly multi-exploit samples, and the other exploits (usually the good old CVE- 2012-0158) were still successful in infection.”

Considering only the RTF samples that use multiple exploits and removing the ones that are seemingly test files, the real-life multi-exploit combos were found to have a success rate of only 30 percent. 

Advertisement. Scroll to continue reading.

“It is not trivial to test the operability of this exploit, especially if multiple exploits are present,” according to the paper. “Multiple replication environments need to be in place for the proper solution. But this 30% is still a very low number.”

Writing an exploit is definitely more difficult today than it was in the past, Szappanos said.

“But I think that this case more illustrates the segregation in the malware scene: there are a very few people who can build exploits, and a lot of malware groups who try to use the exploit,” he said. “Because of the segregation, the malware groups usually don’t have exploit experts of their own; instead they use whatever is publicly available for them. As much as they can understand of it. The research shows that in case of complicated exploits, they don’t understand the depths of the exploitation.”

The paper can be read here

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.