The basic principles of a successful targeted attack
include thorough preparation and a step-by-step strategy. The stages of the
kill chain are:
- RECONNAISSANCE (learning about the target)
- WEAPONISATION (choosing the method of attack)
- DELIVERY (deciding on the attack vector)
- EXPLOITATION (exploiting a vulnerability to gain an initial foothold)
- INSTALLATION (installing the malware)
- COMMAND-AND-CONTROL (connecting to the attackers’ server for further instructions)
- ACTIONS ON OBJECTIVE (achieving the attackers’ goals)
The basic principles behind the work of information
security staff are the same as the attackers – careful preparation and a
step-by-step strategy. The objectives, of course, are fundamentally different:
to prevent incidents and, if one occurs, to restore the initial state of the
system as soon as possible.
There are two main stages involved in responding to a
specific incident: investigation and system restoration. The investigation must
determine
- The initial attack vector
- The malware, exploits and other tools used by the attackers
- The target of the attack (affected networks, systems and data)
- The extent of the damage (including reputational damage) to the organisation
- The stage of the attack (whether or not it was completed and the attackers’ goals were achieved)
- Timeframes (when the attack started and ended, when it was detected and the response time of the information security service)
Once the investigation has been completed, it is
necessary to use the information learned to create a system recovery plan or,
if one exists, to assess how it can be improved.
The overall strategy includes the following steps.
- PREPARATION (develop the tools, policies and processes needed to defend the organisation)
- IDENTIFICATION (decide if an incident has occurred by identifying pre-defined triggers)
- CONTAINMENT (limit the scope of the incident and maintain business continuity)
- ERADICATION (restore the system to its pre-incident state)
- RECOVERY (re-connect the affected systems to the wider network)
- LESSONS LEARNED (how well did the information security team deal with the incident and what changes need to be made to the strategy)
In the event of the information security team having to
respond to multiple incidents simultaneously, it’s important to correctly set
priorities and focus on the main threats. The key factors involved in
determining the severity of an incident include:
- The network segment where the compromised computer is located
- The value of the data stored on that computer
- The type and number of incidents that affect the same computer
- The reliability of the IoCs (Indicators of Compromise) for this incident
The choice of computer, server or network segment to deal
with first will depend on the specific nature of the organisation.
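As an added illustration (not part of the original report), the Python sketch below turns the four severity factors listed above into a triage queue: each incident is scored from its network segment, the value of the data on the host, the incident type and the reliability of its IoCs, and hosts carrying several incidents are pushed further up. The weights, the segment and data classes, the incident types, the 25% uplift per additional incident on a host and the sample incidents are all assumptions to be tuned to your own organisation.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for the four factors named in the text; tune them to your organisation.
SEGMENT_WEIGHT = {"server": 4, "dmz": 3, "workstation": 2, "guest": 1}
DATA_WEIGHT = {"restricted": 4, "confidential": 3, "internal": 2, "public": 1}
TYPE_WEIGHT = {"ransomware": 4, "banking-trojan": 4, "c2-beacon": 3, "adware": 1, "clicker": 1}
EXTRA_INCIDENT_UPLIFT = 0.25  # +25% host priority per additional incident on the same host (assumed)


@dataclass(frozen=True)
class Incident:
    incident_id: str
    host: str
    segment: str            # network segment the compromised computer sits in
    data_class: str         # value of the data stored on that computer
    incident_type: str
    ioc_confidence: float   # 0.0 = unreliable IoC, 1.0 = confirmed


def incident_score(inc):
    """Severity of a single incident: the three static factors, discounted by IoC reliability."""
    return (SEGMENT_WEIGHT[inc.segment] * DATA_WEIGHT[inc.data_class]
            * TYPE_WEIGHT[inc.incident_type] * inc.ioc_confidence)


def host_priorities(incidents):
    """Rank hosts to deal with first: the highest-scoring incident on each host,
    raised by EXTRA_INCIDENT_UPLIFT for every further incident on that host.
    Returns [(host, priority, incident_count), ...] sorted highest first."""
    by_host = defaultdict(list)
    for inc in incidents:
        by_host[inc.host].append(inc)
    ranked = []
    for host, incs in by_host.items():
        best = max(incident_score(i) for i in incs)
        priority = best * (1 + EXTRA_INCIDENT_UPLIFT * (len(incs) - 1))
        ranked.append((host, round(priority, 2), len(incs)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed sample queue: five simultaneous incidents on four hosts.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "fs01", "server", "confidential", "c2-beacon", 0.9),
    Incident("INC-2", "ws-204", "workstation", "internal", "adware", 1.0),
    Incident("INC-3", "ws-204", "workstation", "internal", "clicker", 0.6),
    Incident("INC-4", "guest-lt7", "guest", "public", "ransomware", 0.3),
    Incident("INC-5", "hr-db", "server", "restricted", "ransomware", 0.5),
]

if __name__ == "__main__":
    for host, priority, count in host_priorities(SAMPLE_INCIDENTS):
        print(f"{host:10} priority={priority:6.2f} incidents={count}")
```

Note how the ransomware case on the HR database ranks just below the confirmed beacon on the file server only because its IoC is half as reliable; with the same confidence it would top the queue, which is the behaviour the fourth factor is meant to produce.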
Malware stories
The hidden advertising threat
As well as banking Trojans, ransomware and other threats
that can clearly be defined as malware, people also face numerous borderline
programs – including advertising bots and modules, and partnership programs –
which are typically referred to as ‘potentially unwanted programs’. They are
borderline because there is sometimes a fine line between classifying something
as an outright Trojan or adware. One such program is Magala, a Trojan-Clicker.
Such programs imitate a user click on a particular web
page, thus boosting advertisement click counts. Magala doesn’t actually affect
the person whose computer it is installed on, other than consuming some of
their computer’s resources. The victims are those who pay for the advertising –
typically small business owners doing business with unscrupulous advertisers.
The first stage of the infection involves the Trojan
checking which version of Internet Explorer is installed and locating it in the
system. The Trojan doesn’t run if it’s version 8 or earlier. Otherwise, it
initialises a virtual desktop, used to perform all subsequent activities. Then
it runs a sequence of utility operations (typical for this type of malware): it
sets up autorun, sends a report to a hardcoded URL, and installs the required
adware. To interact with the content of an open page, Magala uses IHTMLDocument2, the
standard Windows interface that makes it easy to work with the DOM tree. The Trojan uses
it to load the MapsGalaxy Toolbar, installs this on the system and adds the
site ‘hxxp://hp.myway.com’ to the system registry, associating it with
MapsGalaxy so that it becomes the browser’s home page.
The Trojan then contacts the remote server and requests a
list of search queries for the click counts that it needs to boost. The server
returns this list in plain text. Magala uses the list to send the requested
search queries and clicks on each of the first 10 links in the search results,
with an interval of 10 seconds between each click.
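The cadence described above, a search request followed by clicks on ten result links ten seconds apart, is exactly the kind of machine-like pattern a web-proxy log can expose. The following Python script is an added example, not code from the original report or from any vendor: it groups proxy requests per client and reports runs of at least ten requests spaced at a fixed interval. The log lines are constructed, the thresholds (ten requests, ten-second interval, one-second tolerance) are taken from the behaviour the text describes, and the log format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed web-proxy log excerpt: "<ISO-8601 time> <client> <URL>" (not real traffic).
# Client 10.0.0.5 issues one search, then hits ten different result sites exactly
# ten seconds apart; client 10.0.0.9 browses at irregular, human-looking intervals.
SAMPLE_LOG = """\
2017-06-01T12:00:00 10.0.0.5 http://search.example/?q=cheap+flights
2017-06-01T12:00:03 10.0.0.5 http://result-01.example/offer
2017-06-01T12:00:13 10.0.0.5 http://result-02.example/offer
2017-06-01T12:00:23 10.0.0.5 http://result-03.example/offer
2017-06-01T12:00:33 10.0.0.5 http://result-04.example/offer
2017-06-01T12:00:43 10.0.0.5 http://result-05.example/offer
2017-06-01T12:00:53 10.0.0.5 http://result-06.example/offer
2017-06-01T12:01:03 10.0.0.5 http://result-07.example/offer
2017-06-01T12:01:13 10.0.0.5 http://result-08.example/offer
2017-06-01T12:01:23 10.0.0.5 http://result-09.example/offer
2017-06-01T12:01:33 10.0.0.5 http://result-10.example/offer
2017-06-01T12:00:00 10.0.0.9 http://news.example/
2017-06-01T12:00:07 10.0.0.9 http://news.example/story/1
2017-06-01T12:00:41 10.0.0.9 http://mail.example/inbox
2017-06-01T12:02:10 10.0.0.9 http://news.example/story/2
2017-06-01T12:02:20 10.0.0.9 http://news.example/story/3
2017-06-01T12:02:30 10.0.0.9 http://shop.example/cart
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group requests per client, sorted by time: {client: [(datetime, url), ...]}."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # blank or malformed line
        per_client[match.group(2)].append((datetime.fromisoformat(match.group(1)), match.group(3)))
    for requests in per_client.values():
        requests.sort()
    return per_client


def summarise(run, min_len):
    """Describe a run if it is long enough to be suspicious, else return nothing."""
    if len(run) < min_len:
        return []
    hosts = {urlsplit(url).hostname for _, url in run}
    return [{"start": run[0][0].isoformat(), "requests": len(run), "distinct_hosts": len(hosts)}]


def find_regular_runs(requests, min_len=10, interval=10.0, tolerance=1.0):
    """Runs of at least `min_len` consecutive requests whose gaps all lie within
    `tolerance` seconds of `interval`: the fixed cadence a clicker produces."""
    runs = []
    current = requests[:1]
    for previous, request in zip(requests, requests[1:]):
        gap = (request[0] - previous[0]).total_seconds()
        if abs(gap - interval) <= tolerance:
            current.append(request)
        else:
            runs.extend(summarise(current, min_len))
            current = [request]
    runs.extend(summarise(current, min_len))
    return runs


def detect_clicker_activity(log_text, **thresholds):
    """Clients showing at least one regular-cadence run, with the runs found."""
    findings = {}
    for client, requests in parse_log(log_text).items():
        runs = find_regular_runs(requests, **thresholds)
        if runs:
            findings[client] = runs
    return findings


if __name__ == "__main__":
    for client, runs in detect_clicker_activity(SAMPLE_LOG).items():
        for run in runs:
            print(f"{client}: {run['requests']} requests to {run['distinct_hosts']} hosts "
                  f"at a fixed interval from {run['start']}")
```

The distinct-host count is what separates this pattern from a user reloading one page: Magala's clicks land on ten different result sites, so a run with many requests but one host is probably something else. A real deployment would also correlate the run with the search request that precedes it and with the home-page registry change described above.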
The average cost per click in a campaign of this sort is
$0.07. So a botnet consisting of 1,000 infected computers clicking 10 web site
addresses from each search result, performing 500 search requests with no
overlaps in the search results, could earn the cybercriminals up to $350 from
each infected computer. However, this is just an estimate as the costs can vary
greatly in each situation.
Statistics from March to early June 2017 indicate that
most Magala infections occur in the United States and Germany.
This class of program typically doesn’t present as much
of a threat to consumers as, for example, banking Trojans or ransomware.
However, two things make it tricky to deal with. First, such programs straddle
the borderline between legitimate and malicious software and it’s vital to
determine whether a specific program is part of a secure and legal advertising
campaign or if it’s illegitimate software making use of similar functions.
Second, the sheer quantity of such programs means that we need to use a
fundamentally different approach to analysis.
It started with a link
Cybercriminals are constantly on the lookout for ways of
luring unsuspecting victims into doing things that compromise their security
and capture personal data. In August, David Jacoby from Kaspersky Lab and Frans
Rosen from Detectify teamed up to expose one such campaign that used Facebook
Messenger to infect people.
It started with a link to a YouTube video. The
cybercriminals behind the scam used social engineering to trick their victims
into clicking on it: the message contained the recipient’s first name, plus the
word ‘Video’ – for example ‘David Video’ – and then a bit.ly link.
This link pointed to Google Drive, where the victim would
see what looks like a playable movie, with a picture of them in the background
and what seems to be a ‘Play’ button.
If the victim tried to play the video in the Chrome
browser, they were redirected to what looked like a YouTube video and were
prompted to install a Chrome extension – in fact, this was the malware. The
malware waited for the victim to sign in to their Facebook account and stole
their login credentials. It also captured information about their Facebook
contacts and sent malicious links to their friends – so spreading the infection
further.
Anyone using a different browser was nagged into
updating their Adobe Flash Player instead – but the file they downloaded was
adware, earning money for the cybercriminals through advertising.
This attack relied heavily on realistic social
interactions, dynamic user content and legitimate domains as middle steps. The
core infection point of the spreading mechanism was the installation of a
Chrome Extension. It’s really important to be careful about allowing extensions
to control your browser interactions and also to make sure that you know
exactly what extensions you are running in your browser. In Chrome, you can
type ‘chrome://extensions/’ into the address field of your browser to get a
list of enabled extensions. On top of this, of course, be wary about clicking
on links. If you’re in any doubt about whether it’s legitimate or not, contact
the sender to check if it was really them who sent it.
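Knowing exactly which extensions are installed, and what they are allowed to do, is the check the paragraph above recommends. The Python script below is an added example, not code from Kaspersky Lab or Detectify: it walks a Chrome profile's Extensions directory (the real on-disk layout is Extensions/<id>/<version>/manifest.json), reads each manifest and flags extensions that can run on every site or that request sensitive APIs such as cookies and webRequest. The two manifests it audits are constructed and written to a temporary directory; their 32-letter ids are placeholders, and the permission names are real Chrome permission names.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read or change every page the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look during an audit (real Chrome permission names).
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "history",
                         "tabs", "proxy", "debugger", "nativeMessaging"}

# Typical profile locations, for a real run:
#   Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default
#   macOS:   ~/Library/Application Support/Google/Chrome/Default
#   Linux:   ~/.config/google-chrome/Default


def iter_manifests(profile_dir):
    """Yield (extension_id, version_dir, manifest) for every
    <profile>/Extensions/<id>/<version>/manifest.json that parses."""
    for path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON; a real audit would log this rather than skip it
        yield path.parent.parent.name, path.parent.name, manifest


def host_patterns(manifest):
    """Every URL pattern the extension asks for: MV3 host_permissions, MV2-style
    host patterns listed under 'permissions', and content-script 'matches'."""
    patterns = set(manifest.get("host_permissions", []))
    patterns.update(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_extensions(profile_dir):
    """One finding per installed extension, with human-readable flags."""
    findings = []
    for ext_id, version_dir, manifest in iter_manifests(profile_dir):
        hosts = host_patterns(manifest)
        api_perms = {p for p in manifest.get("permissions", []) if "://" not in p and p != "<all_urls>"}
        flags = []
        if hosts & BROAD_HOST_PATTERNS:
            flags.append("can run on every site")
        risky = sorted(api_perms & SENSITIVE_PERMISSIONS)
        if risky:
            flags.append("sensitive permissions: " + ", ".join(risky))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),  # may be a __MSG_..__ placeholder for localised names
            "version": manifest.get("version", version_dir),
            "hosts": sorted(hosts),
            "flags": flags,
        })
    return findings


def build_sample_profile():
    """Write two constructed manifests into a temporary profile directory (placeholder ids)."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-"))
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {  # single site, no sensitive APIs
            "manifest_version": 3, "name": "Weather Widget", "version": "1.2",
            "permissions": ["storage"], "host_permissions": ["https://weather.example/*"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # over-privileged: every page, cookies, request interception
            "manifest_version": 2, "name": "Video Player Update", "version": "0.1",
            "permissions": ["cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
        },
    }
    for ext_id, manifest in samples.items():
        target = root / "Extensions" / ext_id / "0_0"
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for entry in audit_extensions(build_sample_profile()):
        print(entry["id"], entry["name"], entry["version"], entry["flags"] or ["no flags"])
```

Point audit_extensions() at a real profile directory to list what is actually installed; an extension you do not recognise that can run on every site and read cookies is the one to remove first, which is the same decision chrome://extensions/ asks you to make by hand.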