Dark Labs Advance Hunt team identifies adware demonstrating nation-state APT behavior

The Booz Allen Dark Labs’ Advanced Threat Hunt team discovered a unique form of adware lurking on networks that evades all traditional forms of cyber defense.
dark labs

The Booz Allen Dark Labs’ Advanced Threat Hunt team recently discovered a unique form of adware lurking on networks that evades all traditional forms of cyber defenses. The adware is a previously known threat that is commonly used to inject advertisements into a user’s browser and covertly collect information about the user’s browsing activity. But it demonstrates all the traits of nation-state advanced persistent threats (APT), according to a Booz Allen Dark Labs report.

Adware is often ignored during security operations because it is generally considered unsophisticated, is prevalent, and has a low perceived threat level. This adware, which the Booz Allen team is calling Advanced Persistent Adware (APA), is unique because it leverages advanced techniques, typically only seen in attacks attributed to nation-state- APTs, to evade detection, maintain persistence and connect to a command and control (C2) server to facilitate the second stage of the attack. This APA is similar to adware detected by Carbon Black’s Endpoint Detection and Response (EDR) platform, which is referenced in this article. Both examples demonstrate the growing need for advanced detection as the playing field continues to evolve in favor of these threats.

The APA has been classified as an Advanced JavaScript-Based In-Memory Stage 1 Downloader because it is built on JavaScript, runs strictly in memory and functions as the downloader for the second stage of the APA’s attack. It is delivered as a Trojan via a third-party installer on the internet and avoids anti-virus detection by leveraging many polymorphic techniques, such as randomizing its file name, file path, and payload. While stored on disk, the payload is comprised of hex encoded JavaScript surrounded by thousands of bytes of junk hexadecimal characters that serve to obscure the true intent of the file and avoid anti-virus detection when scanned. An illustration can be found in the Dark Labs report.

The report describes how built-in Windows tools, such as Scheduled Tasks (taskeng.exe) or wscript.exe, can be exploited to deliver an APA that decrypts and executes its payload in memory, rather than on disk, which further allows it to avoid anti-virus detection. The APA can ultimately exfiltrate data and receive further tasking outside of its adware capabilities.

Advanced persistent adware is just one example of the kinds of threats Booz Allen Dark Labs is discovering, using a proactive approach that relies on sophisticated tools and tradecraft, such as automation, threat intelligence, threat analytics and machine intelligence to gather and analyze huge reams of data for malicious activity. These tools can identify and mitigate threats at machine speed using customized delivery models.

Read the full report about the adware, and how the Dark Labs discovered it.

Latest Podcasts