Understanding APT Hacking Tools Helps With Defense

Just like a hammer or wrench, hackers have tools in their digital toolboxes to make advanced persistent threat (APT) campaigns simpler to manage and launch.

Understanding these tools can help administrators identify APTs, argued Roland Dela Paz, threat researcher at Trend Micro. But there is a problem – hacking tools are grayware, and are not always detected by anti-malware products.

“Unfortunately, this means less visibility in APT forensic investigations,” he blogged.

Among the tools researchers often see are: password recovery tools, which are used to extract passwords or password hashes stored by local applications or the operating system; user account clone tools; file manipulation tools for copying and deleting files and modifying timestamps; and FTP tools that help with FTP transactions such as uploading files to a specific FTP site. Other commonly seen tools include data compression tools and scheduled job tools.

A good sign that an organization has been compromised is the presence of suspicious command shell processes, Dela Paz explained.

“The tools listed above are either command line tools or run both in command line and via GUI,” he blogged. “Attackers use these tools through a hidden command prompt instance; thus, regularly checking your environment for unknown command shell processes can help you identify possible infection. Additionally, using process utilities such as Process Explorer will allow you to see the parameters in a command process. This may help you correlate possible components of an APT.”
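The check described above, written out as an added example (it is not code from the article or from Trend Micro): the records are constructed to resemble Windows process-creation telemetry of the kind Sysmon's process-create event exposes, and the expected-parent set, the user-writable path list and the command-line keyword patterns are assumptions to tune for your own environment. It flags a cmd.exe launched by a parent that does not normally start shells, a process image running from a writable location under an unremarkable name, and command-line parameters that correspond to the tool categories the article lists, which is the information Process Explorer would show you interactively.

```python
"""Triage process-creation events for suspicious command shells (added example)."""
import re
from dataclasses import dataclass

# Parents from which an interactive cmd.exe is normally launched (assumed baseline).
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "conhost.exe"}

# Directories a normal user can write to; tools dropped under odd names land here.
WRITABLE_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\")

# Command-line fragments for the tool categories the article lists (constructed list):
# FTP transfers, archiving, scheduled jobs and account manipulation.
TOOL_PATTERNS = {
    "ftp": re.compile(r'(?:^|\\|\s|")ftp(?:\.exe)?\b', re.I),
    "archive": re.compile(r'(?:^|\\|\s|")(?:rar|7z|winrar)(?:\.exe)?\b', re.I),
    "scheduled job": re.compile(r'(?:^|\\|\s|")(?:schtasks|at)(?:\.exe)?\s', re.I),
    "account": re.compile(r'(?:^|\\|\s|")net1?(?:\.exe)?\s+user\b', re.I),
}


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcessEvent) -> list[str]:
    """Return the reasons this event deserves a look; an empty list means nothing seen."""
    reasons = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    # A shell whose parent is a document viewer, a service host or another odd
    # process is the "unknown command shell process" the article describes.
    if image == "cmd.exe" and parent not in EXPECTED_SHELL_PARENTS:
        reasons.append(f"cmd.exe spawned by unexpected parent {parent}")
    # A renamed tool is not caught by its name, but it still runs from somewhere odd.
    if any(d in ev.image.lower() for d in WRITABLE_DIRS):
        reasons.append("image runs from a user-writable path")
    # The parameters are where the tool usage shows, even when the binary is renamed.
    for category, pattern in TOOL_PATTERNS.items():
        if pattern.search(ev.command_line):
            reasons.append(f"command line references a {category} tool")
    return reasons


def suspicious_pids(events) -> list[int]:
    return sorted(ev.pid for ev in events if triage(ev))


# Constructed sample telemetry (not real events).
EVENTS = [
    ProcessEvent(100, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "cmd.exe", "CORP\\alice"),
    ProcessEvent(101, r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Office\winword.exe",
                 r"cmd.exe /c ftp -s:C:\Users\Public\up.txt", "CORP\\alice"),
    ProcessEvent(102, r"C:\Windows\Temp\r.exe", r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\Temp\r.exe" a -r docs.rar C:\Users\alice\Documents', "CORP\\alice"),
    ProcessEvent(103, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\services.exe",
                 r"cmd.exe /c schtasks /create /tn Update /tr C:\Windows\Temp\u.exe /sc daily", "SYSTEM"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        for reason in triage(ev):
            print(f"pid {ev.pid} ({ev.user}): {reason}")
```

The renamed archiver in the third event is the case the keyword patterns miss on their own; the path rule is what surfaces it, which is why both checks belong together rather than relying on tool names alone.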

The presence of the tools themselves can also be a sign of compromise, and users should be wary of such software on their systems, he added. Sometimes the attackers save the tools under odd file names or with fake file extensions, so being able to identify files that have been added to a system is important in detecting an attack.
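One way to put that into practice, as an added example that is not part of the article: compare a directory tree against a saved baseline of known files, and for every file that is new, check whether its leading bytes match what its extension claims. The magic-byte values are well-known format signatures; the extension mapping, the baseline format and the sample tree that build_demo() writes to a temporary folder are constructed for this example.

```python
"""Flag newly added files whose content does not match their name (added example)."""
import os
import tempfile

# Well-known leading bytes of a few formats that matter here.
MAGIC = {
    b"MZ": "executable",        # PE image: .exe, .dll, .scr, ...
    b"PK\x03\x04": "zip",       # ZIP container (also .docx/.xlsx/.jar)
    b"Rar!\x1a\x07": "rar",
    b"%PDF": "pdf",
}
# Extensions under which each content type is legitimately seen (assumed mapping).
EXPECTED_EXT = {
    "executable": {"exe", "dll", "scr", "sys", "cpl"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "rar": {"rar"},
    "pdf": {"pdf"},
}


def content_type(path: str) -> str:
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def name_findings(rel: str) -> list[str]:
    """Name-only heuristics: a double extension ending in an executable type."""
    name = os.path.basename(rel)
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXPECTED_EXT["executable"]:
        return [f"double extension hides an executable: {name}"]
    return []


def scan(root: str, baseline: set[str]) -> dict[str, list[str]]:
    """Map each file absent from the baseline to its findings (empty = new but unremarkable)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in baseline:
                continue
            findings = name_findings(rel)
            kind = content_type(full)
            ext = n.rsplit(".", 1)[-1].lower() if "." in n else ""
            # A fake extension: the bytes say executable/archive, the name says otherwise.
            if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
                findings.append(f"content is {kind} but extension is .{ext or '(none)'}")
            result[rel] = findings
    return result


def build_demo():
    """Write a constructed tree to a temp folder and return (root, baseline)."""
    root = tempfile.mkdtemp(prefix="apt_scan_")
    files = {
        "Documents/report.pdf": b"%PDF-1.4\n%constructed\n",      # known, in baseline
        "Temp/notes.txt": b"meeting at 10\n",                       # new, harmless
        "Temp/svc.log": b"MZ\x90\x00\x03" + b"\x00" * 60,           # executable as .log
        "Temp/1.tmp": b"Rar!\x1a\x07\x00" + b"\x00" * 60,           # archive as .tmp
        "Temp/invoice.pdf.exe": b"MZ\x90\x00\x03" + b"\x00" * 60,   # double extension
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root, {"Documents/report.pdf"}


if __name__ == "__main__":
    root, baseline = build_demo()
    for rel, findings in scan(root, baseline).items():
        print(rel, findings or ["new file"])
```

The baseline is the important half: a file that is merely new is still worth listing, because a tool with a clean extension and no recognizable signature only shows up as "something that was not here before".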

In addition, organizations should pay attention to FTP connections in the network logs.


“While it is more common to check for malicious C&C connections, checking for FTP connections gives another opportunity to identify a breach in your network,” he blogged. “In a corporate setting, FTP sites are usually Intranet sites. Thus, it is easier to sort out legitimate FTPs from malicious ones. FTP transactions are significantly smaller than other types of communications in the network, which may allow you to identify a breach faster. Furthermore, checking for archive files or files with odd file names being uploaded to a remote site may also suggest compromise.”
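The two FTP checks in that passage, written as an added example that is not from the article: sort connections to port 21 into intranet and non-intranet destinations, and look at what is being uploaded. The log lines are constructed in a key=value shape such as an FTP-aware gateway or proxy might emit, and the intranet ranges, the archive extension list and the throwaway-name heuristic are assumptions to adapt to your network.

```python
"""Triage FTP activity in gateway logs (added example)."""
import ipaddress
import re

# Where legitimate FTP servers live in this (assumed) corporate network.
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = {"rar", "zip", "7z", "cab", "gz", "tgz"}


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def odd_name(filename: str) -> list[str]:
    """Archive extension, or a short hex/digit stem that looks like a throwaway name."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    reasons = []
    if ext.lower() in ARCHIVE_EXT:
        reasons.append("archive upload")
    if re.fullmatch(r"[0-9a-f]{1,8}", stem, re.I):
        reasons.append("odd file name")
    return reasons


def triage_ftp(log_text: str) -> list[dict]:
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("dport") != "21":
            continue
        reasons = []
        dst = ipaddress.ip_address(rec["dst"])
        # FTP sites are usually intranet sites; anything else stands out immediately.
        if not any(dst in net for net in INTRANET):
            reasons.append("FTP to non-intranet host")
        # Only uploads (STOR) matter for the archive / odd-name checks.
        if rec.get("cmd") == "STOR":
            reasons += odd_name(rec.get("file", ""))
        if reasons:
            hits.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                         "file": rec.get("file", ""), "reasons": reasons})
    return hits


# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for external hosts.
LOG = """\
2012-03-01T02:14:05Z src=10.1.5.23 dst=10.1.9.8 dport=21 cmd=RETR file=price_list.xlsx bytes=22140
2012-03-01T02:31:47Z src=10.1.5.23 dst=203.0.113.45 dport=21 cmd=STOR file=1.rar bytes=9854321
2012-03-01T02:33:02Z src=10.1.7.19 dst=198.51.100.7 dport=21 cmd=STOR file=a8f3c2.tmp bytes=4120
2012-03-01T03:05:19Z src=10.1.5.23 dst=10.1.9.8 dport=21 cmd=STOR file=weekly_report.docx bytes=80211
"""

if __name__ == "__main__":
    for hit in triage_ftp(LOG):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["file"], "; ".join(hit["reasons"]))
```

The intranet test is written against explicit ranges rather than the library's `is_private` flag, because that flag also covers documentation and benchmark ranges and would not reflect what your organization actually considers internal.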

Finally, he suggested organizations review scheduled jobs, which he called a common auto-start method for APTs and malware in general.
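A scheduled-task review in the same spirit, as an added example that is not from the article: the CSV is constructed in the shape of `schtasks /query /fo CSV /v` output but keeps only five of its many columns, and the writable-path hints, the interpreter list and the allow-list of already-reviewed tasks are assumptions.

```python
"""Review scheduled tasks for unexpected auto-start entries (added example)."""
import csv
import io

# Locations a normal user can write to; a task running a binary from here is
# either third-party updater noise or persistence worth a look.
WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# Task actions that are themselves interpreters: the real payload is in the arguments.
INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Tasks already reviewed and accepted (assumed allow-list), so known noise stays quiet.
ALLOWLIST = {r"\VendorUpdater"}


def review_task(row: dict) -> list[str]:
    if row["TaskName"] in ALLOWLIST:
        return []
    action = row["Task To Run"].strip()
    lowered = action.lower()
    program = lowered.split()[0].strip('"').rsplit("\\", 1)[-1] if lowered else ""
    reasons = []
    if any(h in lowered for h in WRITABLE_HINTS):
        reasons.append("runs from a user-writable path")
        if row["Run As User"].upper() == "SYSTEM":
            reasons.append("runs as SYSTEM from a user-writable path")
    if program in INTERPRETERS:
        reasons.append("task action is an interpreter")
    return reasons


def review_tasks(csv_text: str) -> dict[str, list[str]]:
    """Map each flagged TaskName to its reasons; clean and allow-listed tasks are omitted."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = review_task(row)
        if reasons:
            flagged[row["TaskName"]] = reasons
    return flagged


# Constructed sample export (not from a real host).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Author","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM","Microsoft Corporation","Weekly"
"WS01","\VendorUpdater","C:\Users\alice\AppData\Local\Vendor\updater.exe /silent","WS01\alice","WS01\alice","Daily"
"WS01","\Update","C:\Windows\Temp\u.exe","SYSTEM","WS01\alice","Daily"
"WS01","\Maint","cmd.exe /c C:\ProgramData\m.bat","SYSTEM","WS01\bob","At logon"
'''

if __name__ == "__main__":
    for name, reasons in review_tasks(SAMPLE_CSV).items():
        print(name, "->", "; ".join(reasons))
```

The allow-list is what keeps this usable over time: legitimate updaters do run from user profiles, so the value of the review comes from comparing against what was accepted last time rather than from the path rule alone.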

“By understanding targeted attacks from different perspectives, users, security administrators, as well as security researchers are empowered to better combat these threats,” Dela Paz noted. “Highlighting APT components, in this case, extends our visibility in identifying existing compromise by knowing what and where to look for.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
