Saturday, August 09, 2014

Red Sky Weekly: What can we learn from the soft targets?

When I asked someone about what the marketing hook at Black Hat was this year he simply replied, “Apparently to scare the $#!^ out of everyone!”   I couldn’t help but laugh but having been to those events before, sounds like business as usual but I doubt it was any less fun this year. :) Back in the lab, the past 72 hours has been incredibly busy chasing down things that should really scare you, if you're not prepared for it!  

About mid-week, one of our honeypot email recipients received several spear phish attempts in rapid succession.  This particular honeypot is one that gets spear phished in more-or-less a, programmatic manner so when we had seen such a quick burst of activity, it caught our attention.  All three samples are currently being reversed by the lab’s analysts but of them, two really caught our attention!  

The first was a very complex piece of malware that we’ve yet to identify completely.  A look at the IDA map, looks like a flowchart for the launch sequence for the space shuttle!  A complex executable with lots of interesting loops and calls with many layers of obfuscation and encryption; this one is going to take a bit to reverse but it should provide for interesting discussion among the Red Sky analysts!  The most interesting attribute of this nasty bug is that it appears to be operating system agnostic, due in part to its unique exploit attributes, with the ability to infect most modern systems.  We’ll see if that is true. With time being limited, we switched gears and took a look at the second piece of malware we found interesting.

When examining this second piece of malware, we identified the C2 node and ran it through Threat Recon.  Immediately, the results came back and we knew we had something very interesting on our hands.   Taking the C2 as the pivot in our analysis, with Threat Recon we were able to identify an additional 3 IP addresses and over a hundred new indicators in a matter of minutes, with context that helped identify the nastiness we were seeing.  As someone who’s been in this game a long time, I think that’s pretty damn cool to get results that fast!  So what did we find and why is it significant?

If you’re in the banking sector, the Win32.Banload Trojan a.k.a. Ikarus, may conjure up some bad memories. First seen as early as 2008, perhaps earlier, the Banload Trojan is associated with thea Win32/Banker Trojan family; Trojans, notorious for stealing banking credentials.  In all, our original pivot point and Threat Recon helped identify several variants of banking Trojans including Malgent, Camec, Orsam!rts being served up from more than two dozen domains.  All that analysis and context is good and should keep analysts busy for a bit, but why is this significant?  

Wapack Labs has been following adversaries targeting political dissidents for some time now.  By doing this, we’ve been able to capture malware samples that have never been seen in the wild, this alone is helpful in identifying new variants of malware quickly and pushing that analysis to the membership for mitigation; however, by examining the targets themselves, another story emerges.

It’s not surprising that malware used to steal banking credentials, even older variants, are being used to target individuals, particularly those who are outspoken towards governments and high profile political causes.   Many of these dissident groups, and those running them, collect millions in donations for the causes they support.   Charitable organizations and non-profits may be perceived as “soft targets” with weak defenses and the disruption of money flowing from these groups could disrupt or even halt the ability of the cause to effect the changes they seek.  By striking at the bottom lines of some of these organizations, adversaries may be able to silence their voices and lessen their effectiveness.  Besides, the disruption of money, compromising the private databases and correspondents of political action groups could be a treasure-trove of information in identifying other targets for future attacks or used as criminal or political leverage.

What we’ve come to realize over the past year or so is that the soft target paradigm is one that security teams should be examining much closer.  The low effort and high return on investment is a value proposition too lucrative for adversaries to ignore.  For us on the defense, the value proposition is equally as high. From our research, targets with inadequate defenses make excellent proving grounds for new malware development without risking leaving breadcrumbs on Virus Total for the world to examine.  Additionally, the wealth of information you capture allows you to develop new tools to systematically process all the pivoted information into actionable information to protect yourself.  This is why Threat Recon was such an important tool for us to build and offer to the security community – it saves time and returns quantified and qualified actionable information very quickly.  As we continue to collect from these soft targets, Threat Recon and the results it provides will only become that much more valuable


The community of Threat Recon users continues to grow and the feedback remains very positive. This week, we’ve heard from several early adopters as to how they’re using Threat Recon in their enterprises and we’re starting to hear the creative ways other cyber security teams have developed tools around Threat Recon’s API.  One example is the integration of the tool into CRITS and another is creating a Java application to do bulk queries.   If you’re one of those working on your own tools using the API, we would love to hear from you, even if you have questions feel free to reach out to us directly!

To that point, this past week, the lab has been working on our own application that we will be publishing on the Threat Recon GitHub that will included the ability to query indicators in bulk against the API.  Pizza Cat, as we call it, is a parsing engine that will be available to those who want to use Threat Recon but may not have the expertise on staff to develop their own tools, or have the time.   If you’re interested in trying it, please drop mean email at or go to

Next week, Jeff should be back to the blog.  With two weeks to clear his mind, I’m sure he’ll have plenty to say.  Thanks for the audience the past two weeks!
Post a Comment