One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 377085
Publication date: 2017-06-21 13:00:00 (viewed: 2017-06-21 13:00:00)
Title: A RAT that Tweets: New ROKRAT Malware Hides behind Twitter, Amazon, and Hulu Traffic
Text:

To carry out attacks, malware and botnets rely on communication with a Command & Control server (C&C or C2) to receive instructions. As a result, today’s security tools have become extremely adept at detecting traffic to and from malicious IP addresses. When a system or device starts talking to a malicious IP or domain, alarms sound and IT security pros roll up their sleeves.

In recent years, however, malicious actors have begun to launch attacks from the depths of Twitter, trying to evade detection and prevent their C2 infrastructure from being found and shut down. In 2016, Twitoor—a widespread Android botnet controlled by Twitter—affected millions of Android devices. And, earlier this year, researchers at University College London discovered a Twitter botnet of over 350K bots called the Star Wars Botnet because, oddly enough, the bots tweet partial Star Wars quotes. (Cue Admiral Ackbar.) Attackers are increasingly using legitimate websites and servers as infrastructure in their attacks, knowing that this traffic can be more difficult to detect, especially for the untrained eye.

The RAT of Twitter: ROKRAT

In April, security researchers at Cisco Talos uncovered a new malware campaign that does just that. Dubbed ROKRAT, this new piece of malware uses multiple anti-detection techniques, including the use of legitimate websites like Twitter, Amazon, and Hulu to hide its malicious activities. Researchers found that ROKRAT uses the public APIs of Twitter along with two other legitimate cloud platforms—Mediafire and Yandex—to get commands and to exfiltrate data. According to the researchers, the malware can receive orders by checking the most recent message on the Twitter account’s timeline and can also post tweets. The malware uses the Yandex and Mediafire APIs to download and upload stolen data to the cloud.

Going further with its anti-detection tactics, researchers found that ROKRAT has a feature to detect whether the victim’s system is running any processes associated with malware detection, debugging tools, or sandbox environments. If such a process is detected, the malware generates dummy HTTP traffic to legitimate websites, including Amazon and Hulu, to mask its malicious activities. To the untrained eye, the victim appears to be watching anime at work.

ROKRAT is the latest example of how today’s sophisticated malware and ransomware campaigns layer on a wide breadth of tools, tactics, and procedures (TTPs) to evade detection. Here’s the full rundown of the TTPs discovered in the ROKRAT campaign, as described by the Cisco Talos researchers:

- A spear-phishing email campaign from a compromised university email account
- A social engineering tactic, using a conference on unity in Korea as its pretext
- A malicious Word file attachment (Hangul Word Processor, used mainly in Korea)
- An embedded EPS object to exploit a well-known vulnerability (CVE-2013-0808)
- A remote administration tool (RAT) payload disguised as a JPG image file
- The use of Twitter, Yandex, and Mediafire clouds for C2 communication
- A feature that executes an infinite loop of sleep if the OS detected is Windows XP or Windows Server 2003
- A feature that detects the use of debugging or sandbox tools like Wireshark or File Monitor and, if detected, generates “normal-looking” dummy HTTP traffic to legitimate Amazon or Hulu pages
- A keylogger that also captures the tit
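The article's point for defenders is that the C2 channel itself is hosted on reputable services, so reputation-based blocking of "bad IPs" does not fire; what remains visible is behaviour: a client polling a social-media API on a fixed cadence for its next command, paired with bulk uploads to file-hosting clouds, while the dummy Amazon and Hulu requests look like ordinary browsing. The following is an added example (not code from AlienVault or Cisco Talos) of a small proxy-log triage script that scores that pattern. The log format, the client addresses, the upload paths and the thresholds are all constructed assumptions for illustration; only the host names are real services named in the article.

```python
"""Triage proxy logs for the ROKRAT-style pattern described above:
regular polling of a Twitter API endpoint (command retrieval) combined with
large uploads to Mediafire/Yandex (exfiltration). Plain Amazon/Hulu browsing
is counted for context only and is never treated as an indicator by itself.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). Field layout is an
# assumption: "<ISO time> <client> <method> <url> <bytes sent by client>".
# 10.0.0.5 polls the timeline API every ~60 s and then uploads 1.25 MB;
# 10.0.0.7 browses the same sites irregularly through the normal web UI.
SAMPLE_LOG = """\
2017-06-21T09:00:00 10.0.0.5 GET https://api.twitter.com/1.1/statuses/user_timeline.json?count=1 0
2017-06-21T09:01:00 10.0.0.5 GET https://api.twitter.com/1.1/statuses/user_timeline.json?count=1 0
2017-06-21T09:02:01 10.0.0.5 GET https://api.twitter.com/1.1/statuses/user_timeline.json?count=1 0
2017-06-21T09:03:00 10.0.0.5 GET https://api.twitter.com/1.1/statuses/user_timeline.json?count=1 0
2017-06-21T09:03:30 10.0.0.5 GET https://www.amazon.com/ 0
2017-06-21T09:03:31 10.0.0.5 GET https://www.hulu.com/ 0
2017-06-21T09:04:00 10.0.0.5 GET https://api.twitter.com/1.1/statuses/user_timeline.json?count=1 0
2017-06-21T09:04:05 10.0.0.5 POST https://www.mediafire.com/api/upload 1250000
2017-06-21T09:00:12 10.0.0.7 GET https://twitter.com/home 0
2017-06-21T09:07:45 10.0.0.7 GET https://www.amazon.com/ 0
2017-06-21T09:08:10 10.0.0.7 GET https://twitter.com/home 0
2017-06-21T09:31:02 10.0.0.7 GET https://www.hulu.com/ 0
2017-06-21T09:45:00 10.0.0.7 GET https://api.twitter.com/1.1/statuses/user_timeline.json 0
"""

C2_API_HOSTS = ("api.twitter.com",)                          # command channel named in the article
UPLOAD_HOSTS = ("mediafire.com", "yandex.net", "yandex.ru", "yandex.com")  # exfil clouds named in the article
COVER_HOSTS = ("amazon.com", "hulu.com")                     # decoy destinations named in the article


def host_in(host, names):
    """True if host is one of names or a subdomain of one of them."""
    return host is not None and any(host == n or host.endswith("." + n) for n in names)


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, client, method, url, nbytes = line.split()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": parts.hostname, "path": parts.path, "bytes_out": int(nbytes)}


def is_beaconing(timestamps, min_hits=4, max_cv=0.2):
    """Regular polling: at least min_hits requests whose inter-request gaps
    have a low coefficient of variation (stddev / mean). Thresholds are assumptions."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def analyze(log_text, min_upload_bytes=500_000):
    """Return {client: findings} for clients that both beacon to the C2 API
    host and push a large upload to one of the file-hosting clouds."""
    per_client = defaultdict(lambda: {"api_polls": [], "uploads": [], "cover": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        rec = per_client[e["client"]]
        if host_in(e["host"], C2_API_HOSTS) and e["method"] == "GET":
            rec["api_polls"].append(e["ts"])
        elif (e["method"] in ("POST", "PUT") and host_in(e["host"], UPLOAD_HOSTS)
              and e["bytes_out"] >= min_upload_bytes):
            rec["uploads"].append((e["host"], e["bytes_out"]))
        elif host_in(e["host"], COVER_HOSTS):
            rec["cover"] += 1  # context only: dummy traffic is designed to look benign
    findings = {}
    for client, rec in per_client.items():
        if is_beaconing(rec["api_polls"]) and rec["uploads"]:
            findings[client] = {
                "beaconing_polls": len(rec["api_polls"]),
                "upload_bytes": sum(b for _, b in rec["uploads"]),
                "upload_hosts": sorted({h for h, _ in rec["uploads"]}),
                "cover_requests": rec["cover"],
            }
    return findings


if __name__ == "__main__":
    for client, f in analyze(SAMPLE_LOG).items():
        print(client, f)
```

The two signals are deliberately combined: an API poll on a steady cadence alone would also match a legitimate Twitter client, and a single upload to Mediafire alone is ordinary user activity. The decoy Amazon/Hulu requests are reported as a count so an analyst can see them next to the finding, but they never raise the score, which is the correct response to a technique whose purpose is to look like normal browsing.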
Notes
Sent: Yes
Tags
Stories: Wannacry
The article does not seem to have been picked up again after its publication.


The article does not seem to have been taken from an earlier one.