On Friday FireEye posted a brief report on a watering-hole attack it had discovered. The attack uses a zero-day exploit in IE 8 on XP, and IE 9 on Windows 7, although subsequent analysis shows that the vulnerability itself affects IE 7 thru 10. FireEye noted that the vulnerability can be mitigated with Microsoft's EMET pending a formal patch.
FireEye said the exploit has "a large multi-stage shellcode payload," but added, "The second stage isn’t written to a file as with most common shellcode, which usually downloads an executable and runs it from disk." The malware delivered is memory only.
Earlier this year, John Prisco warned about what he called the 'AVT.' "A more sophisticated and dangerous attack vector has emerged and will likely become more and more commonplace among cyber criminals: the Advanced Volatile Threat or AVT.” He suggested that volatile threats – such as that now discovered by FireEye – will be increasingly used by APT-style attackers to hide their tracks.
At the time, the anti-malware industry admitted that 'AVTs,' memory-resident malware, are more difficult but not impossible to detect, and that AV software has been doing so for many years. The industry also pointed out that 'tracks' are still left in the infection process; and it is this that FireEye has detected and utilized in its second blog posting yesterday.
Having located the source of the infections, which it describes as a "strategically important website," FireEye was able to pull down the malware payload and analyze it, even though "the attackers loaded the payload used in this attack directly into memory without first writing to disk."
This memory-only approach has both advantages and disadvantages. The primary advantage is it is a technique that "will further complicate network defenders’ ability to triage compromised systems, using traditional forensics methods," warned FireEye. That is, it leaves no evidence on disk. The disadvantage, however, is that the infection is cleared simply by rebooting the system and clearing the memory.
This, suggests FireEye, indicates that the attackers either had a high level of confidence in their skills and resources to infiltrate laterally within infected organizations, or that they "were confident that their intended targets would simply revisit the compromised website and be re-infected."
That self-confidence may be well founded. Having got hold of and analyzed the payload, FireEye has detected a C&C infrastructure previously used in what it calls Operation DeputyDog. FireEye linked the gang behind DeputyDog to the same gang behind the Bit9 hack; and Symantec had pinned the Bit9 hack on a Chinese gang called Hidden Lynx – which it called a best-of-breed hacking-for-hire group. "This group," it said, "has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew.”
More information on the vulnerability, the exploit, the payload, the infected website and the gang behind it is likely to emerge over the next few weeks; but for the moment it appears that one of the world's most advanced hacking groups has compromised a strategically important US website, and has started to use memory-resident malware in an attempt to remain hidden.