Report Highlights How Cyber Criminals Move Their Infrastructure to Avoid Detection

Damballa just released its Q1 2016 State of Infections Report highlighting exactly how cyber criminals evade detection. The report dives deep into how cyber criminals move their infrastructure and conceal their tracks to avoid detection.

The study cited an example of how the criminals behind the Pony Loader malware are able to propagate widely and remain undetected by consistently creating new domains and establishing new infrastructure. 

The report provides details on how cybercriminals can stay under the radar for long periods of time and highlights the need for enterprises to reassess existing security tools.

Stephen Newman, CTO of Damballa, when commenting on the report said that attackers have a vibrant underground community where they can buy or rent anything from command & control (C&C) infrastructure, sophisticated exploit kits and bare metal malware.

The report is the result of an eight-month study of the Pony Loader malware and the measures cyber criminals took to evade detection. The cyber criminals behind Pony Loader use only a few IPs per provider to help reduce their chances of getting caught. Since Damballa began tracking Pony, the criminals have used 281 domains and more than 120 IPs spread across 100 different ISPs.

Damballa observed fluctuating activity based on the number of IPs in use throughout the time period. During vacation times, such as the summer and Christmas season, the ratio of domains to IPs increased, indicating that the crew had fewer resources available to move the infrastructure. 

In addition to moving their infrastructure, the criminals behind Pony Loader also change up their malware. In May, Pony was configured to download Dyre, a banking Trojan. In September, it was configured to download Vawtrak, another banking Trojan. On December 2, Vawtrak was replaced with Nymaim, a form of ransomware, before flipping back to Vawtrak on December 14.

Using the Destover Trojan as an example, the study also explains how advanced attackers conceal their tracks to throw investigators off the trail. Destover deletes files off an infected device, rendering it useless. Attackers can stay undetected inside the network, expand their presence and exfiltrate Terabytes of sensitive information. Destover is associated with high-profile breaches including Sony Pictures Entertainment and Saudi Aramco.

While researching a new sample of Destover, Damballa’s Threat Discovery Center discovered two utilities closely related to Destover: setMFT and afset. Both are used to evade detection while moving laterally through a network to broaden the attack surface. 

Adversaries can clean and redirect log files and blend them with legitimate system files. As a result, many of the tools and methods security teams use to identify the presence of attackers fail to detect setMFT and afset. Chances are security personnel will miss them altogether unless they have a continuous monitoring solution that looks for threat-related behavior over time.