In the anti-malware world, you may hear the term APT, which is short for Advanced Persistent Threat. It sounds like a complicated buzzword. What is it really?
Before we talk about what an “advanced” persistent threat is, let’s start with a plain ol’ persistent threat. In computer science, “persistence” generally means “existing for a long period of time.” For example, a hard drive, solid state drive, USB memory stick, etc. are all forms of “persistent storage,” because that is where computer files are kept for extended periods of time, unlike RAM, which clears out when the machine is turned off and is re-populated once it is turned back on again.
So a persistent threat is a threat which sticks around for a length of time, rather than one which causes catastrophic damage right away, after which the machine must be re-imaged or replaced. This type of malware can be far more financially advantageous to criminals because they can watch the behavioral patterns of their victims, collect sensitive financial or other data, and even control the computer or the peripherals and devices attached to it. For example, it may be far more worthwhile to a criminal to install an APT on the machine of someone who has the authority to withdraw funds from a bank account than to simply destroy their machine or deploy ransomware. This way, the criminal could quietly withdraw small amounts of money over time, or simply monitor for credentials to access the account.
What’s Advanced?
Let’s go over how these types of threats can be “advanced.” Generally, this means a threat which has several components. An enterprise-grade software system or application has many different modules. Take, for example, a common program such as Microsoft Excel. Excel is split into many modules: mathematical modules, the graphical user interface, file input/output modules that write data to Excel files, and many others. Advanced malware is essentially just another enterprise-grade program. The obvious differences are the malicious intent and the fact that it is illegal. Advanced malware also faces the challenge that many anti-malware solutions like PC Matic, operating system developers, and other products are actively trying to fight it. A legitimate software developer does not have to worry about hiding from the system and subverting security solutions the way a malware developer does. For these reasons, APTs contain many components which often utilize exploits in order to gain access to systems undetected. Let’s examine a few challenges of a typical APT:
- Get on the computer (User clicks browser link, email attachment, puts a USB stick into their USB port…)
- Become activated (User double-clicks file, another program sends a command to run the malware, etc…)
- (Optional) Infect the kernel or otherwise gain persistence and hide
- Monitor or actuate events (Record keystrokes, mouse clicks, turn webcam or microphone on, shut down power generator, etc…)
- Report back to a server and/or allow control from a remote server (often called C2 or C&C servers, for Command and Control; such tools are also called RATs, for Remote Access/Admin Tool)
Generally, steps 1 and 2 are the most difficult and sensitive, because these are the steps at which most anti-malware or user knowledge will thwart the infection attempt. Once the malware has accomplished step 3, the remaining steps are trivial and become extremely difficult to detect. What this means is that APTs will often unleash a series of exploits in an “exploit chain” in order to accomplish these tasks. For example, a browser such as Chrome or Firefox may be exploited in order to download and automatically run a script file, which in turn contacts a server and downloads and runs another file, which uses another exploit to bypass security software, and finally a solid-state drive driver exploit is used to infect the SSD in the computer and the kernel to completely avoid detection. Programming APTs is neither easy nor particularly fast, but if there is a high-value target, they can be developed and deployed just like any other large software project, and they are often very expensive to develop as well.
More About Chaining
The concepts of chaining and indirection are critical in today’s modern malware. In the old days, virus writers would simply email an executable file, and there was little protection against a user just opening an executable attachment. Another option was sending the user a link to such a file.
Modern security solutions built into web browsers, and even email providers such as Gmail, automatically scan for these types of threats, so this attack vector is no longer very successful. For this reason, APTs often use a combination of social engineering, exploits, and composite delivery methods in order to infect victims. For example, a threat actor can do some reconnaissance on an individual of interest in management at a business and then send an email from a legitimate-looking or spoofed email address. If the victim is not paying close attention to every character in the address or message, the message could say something like: “Good news! We’ve just touched a customer and earned an amazing review. I’ve attached it to this email. I’ve also attached a video in the file. Microsoft Word may try to block the video and if so, you may have to enable macros to see the very enthusiastic customer video.” The attachment is a Word doc, which is not widely known to be an executable or virus file type. The victim then opens the doc, which appears to be an actual customer testimonial and asks for macros to be enabled. As soon as macros are enabled, the Word doc secretly writes a JavaScript file to disk and then creates a scheduled task to execute it an hour later. An hour later, the JavaScript file calls a PowerShell command prompt and then executes ransomware from there.
There are many other variations on this which could happen. Instead of PowerShell, the malware could use VBScript, or it could just download an executable file and run it. Alternatively, it could use a technique such as Process Injection or Process Hollowing: instead of creating any file at all, it injects malicious code into a legitimate process such as Firefox or Outlook and forces that process to run the malicious code. With the latter, the malware is virtually impossible for a victim to detect themselves and extremely difficult even for less-experienced malware analysts. Another reason injection techniques are so effective is that many antivirus solutions check each file downloaded or created on the drive. However, no file containing the payload is actually created on the drive at all, so it can avoid detection.
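The chain just described (macro writes a script file, registers a scheduled task, the task runs a script host an hour later, the script host launches PowerShell) leaves a telltale trail in process-creation telemetry, but the scheduled-task hop deliberately breaks the direct parent/child link: when the script finally runs, its parent is the Task Scheduler service, not Word. The following added example (not code from the original article or from PC Matic) shows two complementary checks over constructed process-creation records loosely modelled on Sysmon Event ID 1 fields: direct parent/child pairs that an Office application should never produce, and a second pass that ties a later script-host launch back to the `schtasks /create ... /tr` command that registered it. The field names, process ids, paths and command lines are assumptions constructed for the example.

```python
"""Reconstruct an Office -> schtasks -> script host -> PowerShell chain from
process-creation records. All records below are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str        # HH:MM:SS (constructed)
    pid: int
    ppid: int
    image: str     # executable file name, lower-case
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCHEDULER = {"schtasks.exe"}

# (parent set, child set, label): direct parent -> child pairs worth an alert
SUSPICIOUS_PAIRS = [
    (OFFICE_APPS, SCRIPT_HOSTS | SHELLS | SCHEDULER, "office-spawns-interpreter-or-scheduler"),
    (SCRIPT_HOSTS, SHELLS, "script-host-spawns-shell"),
]


def _norm(cmd: str) -> str:
    """Normalise a command line for comparison: drop quotes, lower-case, collapse spaces."""
    return " ".join(cmd.replace('"', "").lower().split())


def lineage_alerts(events):
    """Flag suspicious direct parent -> child relationships."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        for parents, children, label in SUSPICIOUS_PAIRS:
            if parent.image in parents and e.image in children:
                alerts.append((label, parent.image, e.image))
    return alerts


def task_targets(events):
    """Map the normalised '/tr' command of each 'schtasks /create' to the event that ran it."""
    targets = {}
    for e in events:
        if e.image not in SCHEDULER or "/create" not in e.cmdline.lower():
            continue
        m = (re.search(r'/tr\s+"([^"]+)"', e.cmdline, re.IGNORECASE)
             or re.search(r"/tr\s+(\S+)", e.cmdline, re.IGNORECASE))
        if m:
            targets[_norm(m.group(1))] = e
    return targets


def delayed_execution_alerts(events):
    """Tie a later script-host/shell launch back to the task that registered it.

    The scheduler breaks direct lineage (the script's parent is the Task Scheduler
    service, not Word), so the link is the command line, not the parent pid.
    Returns (process that registered the task, registration time, image run, run time).
    """
    by_pid = {e.pid: e for e in events}
    targets = task_targets(events)
    alerts = []
    for e in events:
        if e.image not in SCRIPT_HOSTS | SHELLS:
            continue
        creator = targets.get(_norm(e.cmdline))
        if creator is None:
            continue
        registrar = by_pid.get(creator.ppid)
        alerts.append((registrar.image if registrar else "?", creator.ts, e.image, e.ts))
    return alerts


# Constructed sample telemetry: Word registers a task at 10:00, the task fires at 11:00.
EVENTS = [
    ProcEvent("10:00:01", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("10:00:05", 200, 100, "winword.exe", r'"WINWORD.EXE" C:\Users\jo\Downloads\review.docm'),
    ProcEvent("10:00:20", 300, 200, "schtasks.exe",
              r'schtasks /create /sc once /st 11:00 /tn Updater /tr "wscript.exe C:\Users\jo\AppData\Roaming\u.js"'),
    ProcEvent("11:00:00", 400, 1, "svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    ProcEvent("11:00:01", 500, 400, "wscript.exe", r"wscript.exe C:\Users\jo\AppData\Roaming\u.js"),
    ProcEvent("11:00:02", 600, 500, "powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\jo\AppData\Roaming\run.ps1"),
    ProcEvent("11:05:00", 700, 100, "firefox.exe", "firefox.exe"),
]

if __name__ == "__main__":
    for a in lineage_alerts(EVENTS):
        print("lineage:", a)
    for a in delayed_execution_alerts(EVENTS):
        print("delayed:", a)
```

On the sample data the first pass reports Word spawning schtasks.exe and wscript.exe spawning powershell.exe; the second pass links the 11:00 wscript.exe launch back to the task Word registered an hour earlier, which is the join a pure parent/child rule cannot make. The same idea (correlate on the registered command rather than on lineage) applies to other delayed-execution mechanisms; the block shows only the schtasks case.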
An example: Deep Panda
An example of a composite APT is Deep Panda, which infected US government machines in 2015. The main executable for Deep Panda wasn’t particularly malicious and didn’t trigger any conventional blacklist antivirus. This executable sent users to a website which asked them to download an Adobe plugin. This “plugin” was a DLL malware payload of the Sakula family, a remote access tool (RAT), which did not execute directly but instead relied on legitimate programs to load it into their processes to avoid detection. Furthermore, Deep Panda had valid digital signatures to make it look even more authentic, and it even directed users to legitimate websites while the payload was executing in the background. It worked and successfully infected millions of US government and commercial machines.
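Two details of the Deep Panda description matter for defenders: the payload DLL was loaded by a legitimate process rather than run on its own, and it carried a valid digital signature. Neither a trusted host process nor a valid signature is evidence that a module belongs there; what distinguishes the payload is where it was loaded from and who signed it. The added example below (not code from the original article, from PC Matic, or from any analysis of Deep Panda) scores constructed image-load records on those two properties. The record fields, directory list, signer names and paths are assumptions constructed for the example; a real deployment would take them from the organisation's own inventory.

```python
"""Flag DLLs that a legitimate process loads from a user-writable location, or
that carry a signature from a publisher the organisation has not vetted.
All records below are constructed sample data."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ImageLoad:
    process: str   # host process image name
    dll: str       # full path of the loaded module
    signed: bool   # signature present and cryptographically valid
    signer: str    # subject name on the signing certificate ("" if unsigned)


# Directories from which an installed application normally loads its own modules
# (assumption: the standard locations on a default Windows install).
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
# Publishers the organisation has explicitly decided to trust (constructed list).
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "Mozilla Corporation"}


def in_trusted_dir(path: str) -> bool:
    """True if the module sits below one of the trusted directories (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in TRUSTED_DIRS)


def load_alerts(loads):
    """Return (process, dll, reasons) for every load that fails a check.

    A valid signature only removes the 'unsigned' reason; it does not excuse a
    load from an untrusted directory, and an unknown signer is itself a reason.
    """
    alerts = []
    for ld in loads:
        reasons = []
        if not in_trusted_dir(ld.dll):
            reasons.append("loaded-from-untrusted-dir")
        if not ld.signed:
            reasons.append("unsigned")
        elif ld.signer not in TRUSTED_SIGNERS:
            reasons.append("signed-by-unvetted-publisher")
        if reasons:
            alerts.append((ld.process, ld.dll, tuple(reasons)))
    return alerts


# Constructed sample telemetry: two normal loads, one validly signed payload from a
# temp directory, one unsigned module loaded by rundll32 from Downloads.
LOADS = [
    ImageLoad("firefox.exe", r"C:\Program Files\Mozilla Firefox\xul.dll", True, "Mozilla Corporation"),
    ImageLoad("firefox.exe", r"c:\windows\system32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad("firefox.exe", r"C:\Users\jo\AppData\Local\Temp\plugin.dll", True, "Example Signer Ltd"),
    ImageLoad("rundll32.exe", r"C:\Users\jo\Downloads\update.dll", False, ""),
]

if __name__ == "__main__":
    for a in load_alerts(LOADS):
        print(a)
```

The signed module in the temp directory is the Deep Panda pattern: the signature check passes, so a rule that stops at "is it signed?" stays silent, while the path and publisher checks both fire. Treat the trusted-directory list as a starting point rather than a complete allow-list; legitimate software does sometimes load modules from per-user locations, which is why the function reports reasons rather than a single verdict.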
The good news is that PC Matic and PC Matic SuperShield are watching quietly in the background for APTs and will block them from executing as well as alert the user to an attack which may have gone unnoticed for days, weeks, months, or even years.
**If you need support with your PC Matic software, please reach out to our technicians at https://www.pcmatic.com/help**