Advanced Persistent Adware: Analysis of nation-state level tactics

Abstract

The Booz Allen Dark Labs’ Advanced Threat Hunt team discovered a unique form of adware lurking on networks that evades all traditional forms of cyber defense. The adware is a previously known threat that is commonly used to inject advertisements into a user’s browser and covertly collect information about the user’s browsing activity. This adware employs advanced techniques commonly seen in Nation-State-level APTs to evade detection, maintain persistence, and connect to Command and Control (C2) servers to initiate a stage 2 attack.

Dark Labs Advanced Hunt team identifies adware with Nation-State APT behavior: evasion, persistence, and C2 connection points

The Booz Allen Dark Labs’ Advanced Threat Hunt team recently discovered a unique form of adware lurking on networks that evades all traditional forms of cyber defenses. The adware is a previously known threat that is commonly used to inject advertisements into a user’s browser and covertly collect information about the user’s browsing activity.

Adware is often ignored during security operations because it is generally considered unsophisticated, is prevalent, and has a low perceived threat level. This adware, which we are calling Advanced Persistent Adware (APA), is unique because it leverages advanced techniques, typically only seen in attacks attributed to Nation-State-level Advanced Persistent Threats (APTs), to evade detection, maintain persistence, and connect to a Command and Control (C2) server to facilitate the second stage of the attack. This APA is similar to adware detected by Carbon Black’s Endpoint Detection and Response (EDR) platform, which is referenced in this article. Both examples demonstrate the growing need for advanced detection as the playing field continues to evolve in favor of these threats.

The APA has been classified as an Advanced JavaScript-Based In-Memory Stage 1 Downloader because it is built on JavaScript, runs strictly in memory, and functions as the downloader for the second stage of the APA’s attack. It is delivered as a Trojan via a third-party installer on the internet and avoids anti-virus detection by leveraging many polymorphic techniques, such as randomizing its file name, file path, and payload. While stored on disk, the payload consists of hex-encoded JavaScript surrounded by thousands of bytes of junk hexadecimal characters that serve to obscure the true intent of the file and avoid anti-virus detection when scanned.

Example of Payload
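A triage sketch for the on-disk layout described above, added here as an example and not taken from the original article or from Dark Labs tooling. It assumes the script is plain hex with no further encoding layer and that the junk digits do not decode to long printable runs; the token list, thresholds, and sample are constructed.

```python
import re
import string

# Assumption: tokens an analyst would expect in decoded script source.
JS_TOKENS = (b"function", b"var ", b"eval(", b"ActiveXObject", b"WScript")
PRINTABLE = set(string.printable.encode())
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{64,}")

def printable_runs(data, min_len=40):
    """Yield (offset, run) for each printable-ASCII run of at least min_len bytes."""
    start = None
    for i, byte in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if byte in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            yield start, data[start:i]
        start = None

def carve_hex_script(blob):
    """Decode every long hex run at both nibble alignments and report
    printable regions that contain script tokens."""
    findings = []
    for match in HEX_RUN.finditer(blob):
        for shift in (0, 1):  # the script may begin on an odd hex digit
            digits = match.group()[shift:]
            digits = digits[: len(digits) - len(digits) % 2]
            decoded = bytes.fromhex(digits.decode("ascii"))
            for offset, run in printable_runs(decoded):
                tokens = [t.decode() for t in JS_TOKENS if t in run]
                if tokens:
                    findings.append({
                        "hex_offset": match.start() + shift + 2 * offset,
                        "tokens": tokens,
                        "text": run.decode("ascii"),
                    })
    return findings

# Constructed sample: harmless script text hidden between junk hex digits.
SAMPLE_JS = b'function placeholder() { var marker = "constructed-sample"; return marker; }'
JUNK = b"9f3ae1c07d" * 300
SAMPLE_BLOB = JUNK + b"a" + SAMPLE_JS.hex().encode() + JUNK

if __name__ == "__main__":
    for finding in carve_hex_script(SAMPLE_BLOB):
        print(finding["hex_offset"], finding["tokens"], finding["text"])
```

Decoding at both alignments matters because a signature that only decodes from the start of the file sees noise whenever the junk prefix has an odd number of digits.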

Leveraging built-in Windows tools, such as Scheduled Tasks (taskeng.exe) or wscript.exe, the APA decrypts and executes its payload in memory, rather than on disk, which further allows it to avoid anti-virus detection. The first function of the APA is to look for two files in its parent directory. If both files exist, the APA sends an HTTP POST request to a C2 server. All communication to and from the C2 server is encrypted to avoid network-based detection by the SIEM or IDS platform. When an HTTP 200 Response is received from the C2 server, the APA initiates stage two, which involves extracting the contents of the C2’s Response, decrypting the extracted code, and executing the code in memory. The full functionality and impact of stage two are still being analyzed, but from the details that we have uncovered, we can say that the additional code retrieved from the C2 server is advanced and, given its ability to execute arbitrary code, could be used as an implant for exfiltrating data and receiving further tasking outside of its adware capabilities.

Sample of Decoded JavaScript

We discovered the APA by leveraging Dark Labs’ Advanced Threat Hunt (ATH) platform, using hypothesis-driven, behavioral-based analytics. These rules are generalizations based on predictions made about how a threat actor or their weapon will act within a network and behaviors that a threat hunter would expect to see in the data. We developed methods to elevate EDR functionality in networks, allowing us to query all endpoints and correlate their responses at scale. Through this process, events related to this APA were automatically identified as potentially malicious by a rule designed to look for wscript execution in atypical or suspicious directories. These events were hay-stacked and presented to our threat hunt team for further investigation. Our hunters then pivoted to our analytics platform that conducts automated dynamic malware analysis, which determined that the payload was, in fact, malicious.
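One way to express the kind of rule described above (script-host execution from atypical directories), added here as an example and not the ATH platform's actual rule. The event field names, the directory list, and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: user-writable locations treated as atypical for script-host input.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def script_argument(command_line):
    """Return the first non-option argument passed to the script host."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(command_line)]
    for token in tokens[1:]:            # tokens[0] is the host binary itself
        if not token.startswith("/"):   # skip options such as //B or //E:jscript
            return token
    return None

def hunt(events):
    """Flag script-host executions whose script lives in a suspicious directory."""
    hits = []
    for event in events:
        if ntpath.basename(event["image"]).lower() not in SCRIPT_HOSTS:
            continue
        script = script_argument(event["command_line"])
        if script is None:
            continue
        folder = ntpath.dirname(script).lower() + "\\"
        if any(marker in folder for marker in SUSPICIOUS_DIRS):
            parent = ntpath.basename(event["parent_image"]).lower()
            hits.append({"host": event["host"], "script": script,
                         "via_scheduled_task": parent == "taskeng.exe"})
    return hits

# Constructed process-creation events (field names are assumptions).
SYS32 = "C:\\Windows\\System32\\"
EVENTS = [
    {"host": "WS-014", "image": SYS32 + "wscript.exe", "parent_image": SYS32 + "taskeng.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" //B //E:jscript "C:\Users\alice\AppData\Local\qzxvbn\kdjfh"'},
    {"host": "WS-022", "image": SYS32 + "wscript.exe", "parent_image": SYS32 + "taskeng.exe",
     "command_line": r'wscript.exe "C:\Program Files\Vendor\inventory.vbs"'},
    {"host": "WS-031", "image": SYS32 + "notepad.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": r'notepad.exe C:\Users\bob\AppData\Local\Temp\notes.txt'},
    {"host": "WS-040", "image": SYS32 + "cscript.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": r'cscript.exe C:\Windows\Temp\a.js'},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The rule keys on where the script lives rather than on its name or hash, so the randomized file names and paths described earlier do not defeat it as long as the file stays under a user-writable location.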

While the existence of the APA within a network might not necessarily be nefarious, it provides the opportunity for maliciousness, either by the adware creator, a client of theirs, or even through the possibility of hijacking in the future (for example, through a breach of the adware provider’s network). Elimination and future prevention through behavioral-based analytics is advised.

As seen with this APA, cyber adversaries are skilled at defeating reactive, IOC-based defenses by constantly developing and evolving malicious tools, techniques, and procedures (TTPs), allowing them to gain access and cause harm to an organization. In contrast to traditional network defenses, our ATH offering involves creating new datasets rich with endpoint data, allowing us to hunt alerts that may be missed by SIEMs, IDSs, and Anti-Virus products. Our proactive approach relies on sophisticated tools and tradecraft, such as automation, threat intelligence, threat analytics, and machine intelligence, to gather and analyze huge reams of data for malicious activity. These tools can identify and mitigate threats at machine speed using customized delivery models.

At Booz Allen, we have spent the last decade refining our tradecraft and assembling teams of analysts who can think like adversaries and know how to identify warning signs. Our analysts specialize in global malware hunt operations, anti-malware research, development of APT countermeasures, and use measurable processes to strengthen network defenses and identify adversary activity. By regularly evaluating their networks for threat activity, organizations can detect attacks in progress and mitigate these risks before it’s too late.