Security firm OpenDNS claims to have developed a new way to detect and block APTs using natural language processing (NLP) and other analytics to identify the spoofed domains frequently used to serve up malware.
OpenDNS Security Labs analyzed data from the notorious Carbanak attacks as well as DarkHotel and other APT campaigns like Anunak.
From this it created a predictive model to spot “potentially malicious typo-squatting/targeted phishing domains” which often serve as C&C domains in targeted attacks.
Researcher Jeremiah O'Connor explained more in a blog post:
“Essentially we are defining a ‘malicious language’ within the lexical nature of DNS traffic, and applying sentiment analysis on FQDNs [fully qualified domain names]. In an attempt to construct this language, we have created a corpus of domains that elicit a common pattern where adversaries merge together certain dictionary words and tech company strings.”
The resulting tool is NLPRank:
“NLPRank … utilizes heuristics such as NLP, ASN mappings and weightings, WHOIS data patterns, and HTML tag analysis to classify these types of attack domains. NLPRank uses a minimum edit-distance on substrings to check for the word distance between legitimate and typo-squatting domains (ex. malware.com vs. rnalware.com, linkedin.com vs. 1inkedin.net).”
NLPRank also checks whether the autonomous systems (ASNs) hosting a domain are associated with the company that domain appears to impersonate; a look-alike name served from unrelated infrastructure is a further signal.
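The edit-distance heuristic described above, as an added illustration that is not OpenDNS's code: each observed FQDN is reduced to its second-level label, look-alike sequences such as "rn" for "m" and "1" for "l" (the substitutions in the article's own examples) are folded back to the letters they imitate, and the minimum Levenshtein distance to each protected brand label is taken over a sliding window of substrings. The watch-list, the confusable table, the distance threshold and the sample domains are all constructed assumptions; the sliding-window generalisation is mine and goes beyond the two pairs the article quotes.

```python
"""Typo-squat scoring by edit distance on domain labels (added example, not OpenDNS code)."""

# Constructed watch-list of domains an organisation wants to protect (assumption).
PROTECTED_DOMAINS = ["malware.com", "linkedin.com", "paypal.com"]

# Look-alike sequences seen in the article's examples ("rn" for "m", "1" for "l")
# plus two common ones; the table itself is an assumption, not OpenDNS's list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Flag anything at or below this edit distance from a protected label (assumption).
MAX_DISTANCE = 1


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def normalize_confusables(label: str) -> str:
    """Map look-alike character sequences to the letters they imitate."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def registrable_label(fqdn: str) -> str:
    """Second-level label of an FQDN, e.g. 'rnalware' for 'rnalware.com.'.

    Assumption: single-label public suffixes only; 'example.co.uk' would need a
    public-suffix list, which this example does not include.
    """
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def min_substring_distance(label: str, target: str) -> int:
    """Smallest edit distance between `target` and the whole label or any window
    of it whose width is within one character of the target's length."""
    candidates = {label}
    for width in (len(target) - 1, len(target), len(target) + 1):
        if 0 < width <= len(label):
            for start in range(len(label) - width + 1):
                candidates.add(label[start:start + width])
    return min(levenshtein(c, target) for c in candidates)


def score_domain(fqdn: str, protected=PROTECTED_DOMAINS, max_distance=MAX_DISTANCE) -> dict:
    """Return the closest protected domain, its edit distance and a suspicious flag."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in protected:  # the brand's own domain is never a typo-squat of itself
        return {"fqdn": fqdn, "closest": fqdn, "distance": 0, "suspicious": False}
    label = registrable_label(fqdn)
    normalized = normalize_confusables(label)
    best_name, best_dist = None, None
    for brand in protected:
        target = registrable_label(brand)
        # Take the better of the raw and the confusable-normalised comparison.
        d = min(min_substring_distance(label, target),
                min_substring_distance(normalized, target))
        if best_dist is None or d < best_dist:
            best_name, best_dist = brand, d
    return {"fqdn": fqdn, "closest": best_name, "distance": best_dist,
            "suspicious": best_dist <= max_distance}


if __name__ == "__main__":
    # Constructed sample of observed names (not real traffic).
    for name in ["rnalware.com", "1inkedin.net", "linkedin.com",
                 "paypal-account-verify.com", "example.org"]:
        print(score_domain(name))
```

Two caveats a practitioner would want before running this over real resolver logs: the sliding window makes short brand labels match inside many legitimate names, so short labels need either a stricter threshold or an allow-list of known-good registrations, and a score like this is only one of the signals the article lists; it is the combination with ASN, WHOIS and page-content checks that keeps the false-positive rate usable.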
Traditional reputation-based checking tools are increasingly being circumvented by cyber-criminals who are able to automatically and speedily generate and register new phishing domains which look convincing to most users.
O’Connor claimed that the tool has already been able to identify some of the domains used in Anunak/Carbanak attacks, as well as some advanced PayPal phishing attacks.
Revealed for the first time last month, the Carbanak campaign targeted around 100 banks worldwide.
The criminal gang responsible began many of those attacks with a simple spear-phishing email which tricked a bank employee into downloading the Carbanak malware.
Reports suggest attackers stole up to $1bn over a two-year period.