Background
APTs (Advanced Persistent Threats) are a type of threat that targets a specific group of potential victims. For example, they have been used in cyber-espionage campaigns to target governments, anti-government activists, military organizations, as well as private companies. Their goal is to penetrate a targeted system or network, remain hidden for extended periods, and collect and exfiltrate data.
A common compromise technique is for an APT to target the victims with a spear phishing campaign. Spear phishing campaigns are successful in part because of the great deal of information we have posted about ourselves online. With only a few minutes of research, a cyber criminal can usually identify one or more people in our professional circles whose name, when we see it in the ‘from’ field in an email, would likely cause us to open the email.
The attachment exploits a common vulnerability (CVE-2012-0158) which installs the Cmstar downloader onto the compromised system. Cmstar then contacts the Command and Control (C&C) server for the BBSRAT remote access malware to download, and installs it on the compromised system. The attacker can now control the compromised system directly.
Impact on You
- Having any type of malware (especially one designed to steal data) on your network puts your sensitive or regulated information at risk.
- Once installed, Cmstar has the ability to download malware that can infect other machines as well as pull down additional malware variants as needed
- The data-stealing malware can reside inside a network for months or years before detection, giving an attacker virtually unlimited access to data
How AlienVault Helps
APTs are sophisticated attacks conducted by well-resourced teams. Preventive technologies like sandboxing can help block some attacks, but a dedicated, focused adversary will always find a way to penetrate a network.
That’s why you need the ability to detect the presence of compromised systems, downloaders, remote access malware, and other malicious content in your network quickly. And, once you have detected it, you need to be able to minimize the damage that compromised systems can cause. That’s where the AlienVault Labs team can help—the threat research team continues to research and update the ability of the USM platform to detect new downloaders, remote access toolkits (RATs), as well as new variations on existing malware.
The Labs team recently updated the USM platform’s ability to detect the latest version of the Cmstar downloader on your network by adding an IDS signature to detect the malicious traffic and a correlation directive to link events from across your network that indicate that Cmstar has compromised one or more systems.
These updates are included in the latest AlienVault Threat Intelligence update available now:
- New Detection Technique - APT Cmstar
Cmstar is a downloader that is similar to the Lurid and Enfal families of malware. Cmstar is typically delivered through phishing emails that contain malicious Microsoft documents and has recently been used to download BBSRAT. The group that utilizes Cmstar and BBSRAT appears to be targeting Russian victims and most recently have proxied their attacks via compromised systems in Mongolia. It is suspected that the threat group responsible for these attacks is operating out of China.
Related content in Open Threat Exchange:
- https://otx.alienvault.com/pulse/56e71ff467db8c4088b184fe/
- https://otx.alienvault.com/pulse/555a772bb45ff55497b42359/
We've added IDS signatures and created the following correlation rule to detect Cmstar activity:
- System Compromise, Targeted Malware, APT Cmstar
