One of the biggest threats facing networks today is the ‘professional’ hacker, often referred to as an ‘Advanced Persistent Threat’ or APT. These criminals differ from common attackers in the sophistication of their techniques, the fact that they are usually acting at the behest of a government or corporate entity, and the resources they have to launch large-scale and long-lasting attack campaigns.
Recently, FireEye released a great report on one of the more active groups, now known as APT30. This group not only uses spear phishing and social engineering tactics to lure victims in but also delivers several variations of custom malware to carry out the attacks. One known piece of malware is ‘Backspace’, a professionally developed and maintained application that allows for remote administration and data exfiltration.
A related APT group (some suspect the two might be working together or are even one and the same) is Naikon. Its custom malware (eponymously named ‘Naikon’) is very similar in function to Backspace, with RAT and C&C capabilities built in.
Impact on you:
- Once a remote control type toolkit is installed, an attacker essentially has complete control of the machine
- Attackers can steal information from infected machines and use their access to pivot around the network
- These malware variants, used in conjunction with other techniques, have been known to steal data from air-gapped (isolated from the outside network) servers
How AlienVault USM Helps:
AlienVault Unified Security Management (USM) continuously scans your assets for vulnerabilities, alerting you to those that could leave you susceptible to attacks and, in most cases, provides expert remediation advice.
AlienVault Labs has already released several IDS signatures and the following correlation rules to USM so that customers can identify the presence of these pieces of malware:
- System Compromise, Targeted Malware, Backspace
- System Compromise, Targeted Malware, Naikon
Read more about these and other USM threat intelligence updates in our forum.