ATLANTA--(BUSINESS WIRE)--Damballa, the experts in network security monitoring, today released its Q1 2016 State of Infections Report highlighting exactly how cyber criminals evade detection. The study cited an example of how the criminals behind the Pony Loader malware are able to propagate widely and remain undetected by consistently creating new domains and establishing new infrastructure.
The analysis highlights not only how cybercriminals can stay under the radar for long periods of time, but also the need for enterprises to reassess existing security tools.
“Its’s no small feat to keep up with how cybercriminals operate. Attackers have an incredibly vibrant underground community where they can buy or rent anything from command & control (C&C) infrastructure to sophisticated exploit kits to bare metal malware,” said Stephen Newman, CTO of Damballa. “While this report highlights several themes that our Threat Discovery Center has followed over the past several months, there is one common factor here and that is you never know what to expect from threat actors. By shedding light on common techniques, our hope is that enterprises can reassess and improve their existing security controls.”
The Transience of Criminal Infrastructure
The findings came from an eight-month study of the Pony Loader malware and the measures cyber criminals took to evade detection. The cyber criminals behind Pony Loader use only a few IPs per provider to help reduce their chances of getting caught. Since Damballa began tracking Pony, the criminals have used 281 domains and more than 120 IPs spread across 100 different ISPs.
Damballa observed fluctuating activity based on the number of IPs in use throughout the time period. During vacation times – the summer and Christmas season – the ratio of domains to IPs increased, indicating that the crew had fewer resources available to move the infrastructure.
In addition to moving their infrastructure, the criminals behind Pony Loader also change up their malware. In May, Pony was configured to download Dyre, a banking Trojan. In September, it was configured to download Vawtrak, another banking Trojan. On December 2, Vawtrak was replaced with Nymaim, a form of ransomware, before flipping back to Vawtrak on December 14.
Leave No Trace
Using the Destover Trojan as an example, the study also explains how advanced attackers conceal their tracks to throw investigators off the trail. Destover deletes files off an infected device, rendering it useless. Attackers can stay undetected inside the network, expand their presence and exfiltrate Terabytes of sensitive information. Destover is associated with high-profile breaches including Sony Pictures Entertainment and Saudi Aramco.
While researching a new sample of Destover, Damballa’s Threat Discovery Center discovered two utilities closely related to Destover: setMFT and afset. Both are used to evade detection while moving laterally through a network to broaden the attack surface. Adversaries can clean and redirect log files and blend them with legitimate system files. As a result, many of the tools and methods security teams use to identify the presence of attackers fail to detect setMFT and afset. Chances are security personnel will miss them altogether unless they have a continuous monitoring solution that looks for threat-related behavior over time.
The full report can be downloaded here: http://landing.damballa.com/SOI-Report-Q1-2016.html
About Damballa
Damballa is a network security monitoring system that provides evidence of threat-related activity needed to prevent data theft. We discover criminal operators that have already bypassed perimeter defenses and pose a business risk. Our automated system works in real-time and over time regardless of the attack vector, device type or OS. Attackers may take time to reveal themselves and when they do, Damballa will expose them and initiate mitigation.
Our patented solutions leverage Big Data from nearly 15 percent of world’s Internet traffic, combined with machine learning, to automatically discover and terminate criminal activity, stop data theft, minimize business disruption, and reduce the time to response and remediation.
Damballa protects any device or OS including PCs, Macs, Unix, iOS, Android, and embedded systems. Damballa protects nearly a half of billion endpoints globally with sensors on five continents, at enterprises in every major market and for the world's largest ISP and telecommunications providers. For more information, visit www.damballa.com, or follow us on Twitter @DamballaInc.