Not all the code in advanced persistent threats is unique, and they do not necessarily use new zero-day exploits. In fact, security firm Cymmetria discovered a new APT that is a patchwork of code that has been copied and pasted from other known threats and online forums.
Cymmetria released a report on the APT, dubbed Patchwork, which has been active since December 2015 and has affected 2,500 organizations and government agencies in Southeast Asia.
The Patchwork APT has two stages: an initial infiltration stage in which the attackers look for valuable information and a second stage that involves the deployment of additional malware to gain more access.
Cymmetria’s analysis shows that the initial infection makes use of the CVE-2014-4114 vulnerability, also known as Sandworm, which Microsoft patched in November 2014. The attackers used a targeted spear-phishing email with a malicious PowerPoint file attachment to infect victims.
“During our investigation, we discovered attacks dating back to December 2015, and potentially even into 2014, but the attack we researched occurred in May 2016,” Gadi Evron, CEO and founder of Cymmetria, told eWEEK.
Evron commented that he has not seen a copy-and-paste patchwork used to this extent in an APT before. That said, in the second stage of the attack, Patchwork used a commonly deployed tool to obtain what is known as a “reverse shell,” that is, remote access into a victim’s machine. The open-source Meterpreter payload, which is part of the Metasploit Framework, is used inside Patchwork to deploy additional malware to a target.
Cymmetria discovered and tracked Patchwork’s activity through the company’s MazeRunner deception technology. Evron explained that MazeRunner is configured with deception campaigns: essentially constructed stories, so that an attacker who is diverted to a decoy believes what it sees there. He added that decoys can be easy to build, but for Patchwork, Cymmetria also built a more complicated decoy in order to capture this threat actor’s specific second-stage malware toolset.
The MazeRunner technology has two main modules: breadcrumbs and decoys. Breadcrumbs are data elements, such as credentials, cookies and file shares, Evron explained, adding that the breadcrumb elements can be placed on an endpoint.
“When they take the bait, they are then directed to a decoy machine, which is a full operating system running real services,” Evron said. “Breadcrumbs and decoys are what deception campaigns are built from.”
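The breadcrumb-and-decoy model described above, as an added illustration that is not Cymmetria’s MazeRunner code: planted credentials are recorded with the endpoint they were left on and the decoy they lead to, and any use of one against a decoy (even a failed login) is treated as an alert that also identifies the compromised endpoint. Hostnames, usernames and log lines are constructed for the example.

```python
# Added example of a deception campaign's detection side (hypothetical names).
# A breadcrumb is a planted credential that no legitimate user ever uses, so any
# attempt to use it against a decoy is attacker activity by construction.
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Breadcrumb:
    username: str      # planted credential
    endpoint: str      # host the breadcrumb was planted on
    decoy: str         # decoy host the credential "works" on

# Constructed breadcrumb registry: which bait was planted where.
BREADCRUMBS = [
    Breadcrumb("svc_backup", "WS-FIN-012", "decoy-fileserver-01"),
    Breadcrumb("db_admin", "WS-HR-007", "decoy-db-01"),
]

# Constructed decoy auth log in a simple sshd-like format (not a real capture).
DECOY_LOG = """\
2016-05-11T02:14:07Z decoy-fileserver-01 sshd: Accepted password for svc_backup from 10.20.30.40
2016-05-11T02:14:09Z decoy-fileserver-01 sshd: Accepted password for jsmith from 10.20.30.41
2016-05-11T02:20:33Z decoy-db-01 sshd: Failed password for db_admin from 10.20.30.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def find_bait_hits(log_text: str, breadcrumbs=BREADCRUMBS) -> list:
    """Return one alert per decoy auth event that used a planted credential."""
    by_key = {(b.decoy, b.username): b for b in breadcrumbs}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        crumb = by_key.get((m["host"], m["user"]))
        if crumb is None:
            continue  # not a planted credential for this decoy
        # A failed attempt still counts: the credential only exists as bait.
        hits.append({
            "time": m["ts"], "decoy": crumb.decoy, "credential": crumb.username,
            "attacker_src": m["src"], "compromised_endpoint": crumb.endpoint,
            "result": m["result"],
        })
    return hits

if __name__ == "__main__":
    for hit in find_bait_hits(DECOY_LOG):
        print(hit)
```

The `compromised_endpoint` field is the point of the exercise: the decoy hit tells the defender not only that an intruder is present but which workstation the bait was harvested from.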
Even though Cymmetria was able to determine what the Patchwork APT was doing, the attackers’ overall success was surprising, Evron said. “Its [Patchwork’s] low technical capabilities when compared to its staggering operational success, at scale, are quite mind-boggling. We really don’t understand how they weren’t caught before now.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.