The terms targeted attack, spear phishing, and advanced persistent threat (APT) get bandied around in the media a lot these days. With the spate of recent headlines concerning companies being hacked, every company is on its guard to prevent becoming the next victim—and big headline. One of the major problems associated with targeted attacks is identifying whether or not your company is the actual target of any malware found and not just a random victim of a malware gang. There are several ways to try to do this, such as attempting to find the initial source of infection and analyzing the malware itself. However, attackers are clever and deception is part of their game.
If an attacker’s malware is discovered at any point during the initial stage of a targeted attack, the best-case scenario for the attacker would be if the targeted company’s Information Security team investigating the issue decided it was a common, random attack. During the initial stage of a targeted attack, the use of common malware and techniques often seen in the threat landscape could be a good option for an attacker. This way, the attacker’s own specially crafted malware can be kept at a low profile and saved for use only after successful incursions. The Information Security team may also believe that the attack wasn’t specifically designed to access their networks and steal private company data. This may not necessarily lessen the importance of finding out if malware has entered their network; however, it may result in different remediation polices due to a lowered perception of threat damage. This could be advantageous to an attacker in current and future attacks. It may also not seem to be the most successful method of attack, but it does allow for recycled attacks of a similar nature without arousing the suspicion of a targeted attack. This, in turn, increases the likelihood of finding a chink in a company’s armor.
An example scenario of how this attack might work would be to send out what looks to be a typical spam email to numerous employees of a targeted company at the same time. The email may contain social engineering elements, enticing victims to click on a link that leads to a website hosting an exploit kit. By hitting numerous targets within the company, the attacker is broadening the attack base and increasing the likelihood of finding an ingress point with weak security—at the same time making the attack look like common enough spam. If the attack is successful in compromising a computer, the attacker could use a freely available threat with slight modifications (to try to avoid detection) as the payload. One such threat that can be modified is Trojan.Zbot. Zbot has numerous capabilities, one of which is to allow remote access on a compromised computer. This compromised computer with Zbot installed could now be used as a staging point for a further network incursion and for the installation of advanced persistent threats. Zbot could then be removed from the computer in order to decrease the chance of being caught. Since Zbot’s main aim is perceived as monetary gain, it may not arouse suspicion of being a targeted attack if discovered, and may deter an Information Security team from doing a more in-depth investigation into the attack or the potential damage. This could help the attacker hide the fact that additional malware has already penetrated the network.
As always, Symantec recommends that you keep your virus definitions up to date to protect against threats; please also ensure that you use antispam technology. The education of employees about the dangers of spam email messages can also play a major role in protecting your company against such threats.