Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Detecting APTs By Analyzing Network Traffic

A new report from Trend Micro highlights how network traffic can be used to detect advanced persistent threats (APTs) through the correlation of threat intelligence.

A new report from Trend Micro highlights how network traffic can be used to detect advanced persistent threats (APTs) through the correlation of threat intelligence.

The paper, ‘Detecting APT Activity with Network Traffic Analysis’, outlines techniques that can be used to identify command-and-control (C&C) communications related to targeted attacks, explained Nart Villeneuve, senior threat researcher at Trend Micro, who authored the report along with Trend Micro Threat Research Engineer James Bennett.

Analyzing Network Traffic“Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities,” he blogged. “Though there are a variety of tools available to attackers, they tend to prefer specific ones. While they can routinely create new malware executables with automated builders and embed them in documents designed to exploit vulnerabilities in popular office software, the traffic generated by the malware when communicating with a C&C server tends to remain consistent.”

As examples, the paper cites a number of well-publicized attacks such as Nitro and GhostNet, as well as ongoing campaigns such as Enfal. Also known as “Lurid downloader”, Enfal has been used in targeted attacks going back as far as 2006, according to Trend Micro. Several versions of the malware exist, but the communication between compromised hosts and a command and control server remains consistent.

“Enfal makes requests for files that contain any command that the attackers want the compromised computers to execute,” according to the report. “These requests can be detected because they follow a specific format that includes two directories, followed by the hostname and MAC address of the compromised computer. This consistent pattern is still detected despite modifications made to Enfal.”

In another example, the authors took aim at the Sykipot campaign. While older versions of the Sykipot malware communicated with a C&C via HTTP, newer versions have been spotted using HTTPS, and by 2008, the encryption had made the malware impossible to detect based on URL path. However, the malware remained detectable at the network level because of the use of consistent elements within the secure sockets layer (SSL) certificate, the authors contend. Even when new versions of the malware were detected this year, the SSL certificate on the server remained detectable using an already publicly published SNORT rule.

“[Trend Micro] Deep Discovery specifically detects the SSL certificate Sykipot malware uses,” the report notes. “In addition, generically detecting suspicious SSL certificates has proven quite useful at proactively detecting zero-day malware, including the recently discovered Gauss malware. Looking for default, random, or empty values in SSL certificate fields and restricting such detections to only certificates supplied by hosts outside an organization’s monitored network provides a great balance of proactive detection with manageable false positives.”

“The ability to detect APT activity at the network level is heavily dependent on leveraging threat intelligence,” the report states. “A variety of very successful ongoing campaigns can be detected at the network level because their communications remain consistent over time.”

Advertisement. Scroll to continue reading.

According to the paper, attackers have already begun to adapt. In the case of the Sykipot Trojan for example, which was linked earlier this year to attacks against the aerospace industry, users have switched from utilizing HTTP to encrypted HTTPS communications. This means that pattern matching based on the consistent URL path Sykipot uses can be evaded, the authors note, adding that newer versions of Sykipot have also been seen using different URL paths.

“Modifications made to malware’s network communications can, however, disrupt the ability to detect them,” the report concludes. “As such, the ongoing development of threat intelligence based on increased visibility and information sharing is critical to developing indicators used to detect such activity at the network level.”

The full report is available here in PDF format.

Related: Why IT Needs New Expertise To Combat Today’s Cyberattacks

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...