Israeli police APT is persistent, but not advanced

Research from Seculert shows that the attackers sent an email with a Remote Access Tool called "Xtreme RAT" attached. The RAT malware communicates with a command & control (C&C) server whose hostname is registered with a free dynamic DNS service.

“This APT is not advanced,” said Seculert CTO Aviv Raff, in a blog. “There is a publicly available website which allows any attacker to buy Xtreme RAT, this time for as low as 40 Euro.”

Therefore, he said, this targeted attack is indeed an APT, but in this case the acronym simply stands for "a persistent threat," with no "advanced" in the mix. It was nonetheless effective enough to cause the Israeli Police to disconnect its entire network from the internet in order to investigate how far the attack had persisted.

Seculert points out that persistence has been the key to several other recent attacks, including Shamoon, Mahdi and the RSA breach in 2011. For instance, the malware involved in the RSA attack was a four-year-old, freely available downloadable RAT called Poison Ivy.

“The attackers were using a non-‘advanced’ malware, but because it took RSA six months to identify the attack, it was ‘persistent’ enough to be called APT,” Raff said.

Recently, Seculert has encountered many different non-advanced APTs, Raff noted, "from state-sponsored to hacktivists to unknown adversaries - which seem to be using non-advanced, yet effective ammo."

In July, the Mahdi malware successfully targeted entities from specific industries in the Middle East. Raff points out that the malware itself was not very sophisticated; even so, it was able to infect and monitor more than 1,000 targeted machines. As to the persistence of the threat, the attackers behind Mahdi are continuing their work today, he said.

This profile also fits one of the most widely publicized attacks this year. In late August, Shamoon arrived targeting the energy and oil companies in the Arabian (Persian) Gulf.

“Again, while it was effectively destructive malware (wiping 30,000 machines), the code itself was not advanced,” Raff said. “Moreover, it seems Shamoon was part of a persistent two-stage attack, meaning there was another malware involved that bypassed on-premise security solutions and was wiped by Shamoon to cover the attacker's real intention.”

The lesson for companies and governments is to maintain a level of analysis sufficient to understand the full scope of any attack, including how long it has been going on.

“It is so valuable for any CISO or security manager to understand the persistency of such attacks,” Raff said. “The only cost-effective way to do so is to utilize the cloud as a technology enabler and analyze - using CPU intensive machine learning methodologies - the huge amount of log data generated by the corporate's gateways and proxies, over a long enough period of time - weeks, months, or even years. In general, this is the only type of security solution that allows CISOs to identify and automatically detect even the most persistent attacks, regardless if they are advanced or not.”
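The two concrete observations in this piece, a RAT whose C&C hostname sits under a free dynamic DNS provider, and the advice to analyze gateway and proxy logs over weeks or months, combine into a simple persistence check. The script below is an added example, written for this page; it is not Seculert's code and does not implement the machine-learning analysis Raff describes. It tallies, per client and destination, how many distinct days a host under a free dynamic-DNS parent domain was contacted, and reports only the pairings that recur. The log format, the dynamic-DNS suffix list and every log line are constructed for the example; the suffix list is an assumption, not a statement about which provider was used in the attack.

```python
"""Added example: persistence tally of outbound traffic to free dynamic-DNS hosts
over a long window of proxy logs. Not from the article or from Seculert."""
from collections import defaultdict
from datetime import datetime

# Assumption: parent domains of free dynamic-DNS services. Illustrative only;
# the article does not name the provider used in the attack.
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "dyndns.org", "zapto.org", "hopto.org")

# Constructed proxy log lines: "<ISO timestamp> <client ip> <destination host> <status>".
# 10.1.4.22 talks to one dynamic-DNS host on five days over two weeks (persistent);
# 10.1.4.31 hits another one twice on a single day (one-off); the rest is noise.
SAMPLE_LOG = """\
2012-10-01T08:02:11 10.1.4.22 update.windowsupdate.example 200
2012-10-01T08:03:40 10.1.4.22 police-update.no-ip.biz 200
2012-10-02T08:05:02 10.1.4.22 police-update.no-ip.biz 200
2012-10-03T12:10:00 10.1.4.31 mycam.dyndns.org 200
2012-10-03T12:11:00 10.1.4.31 mycam.dyndns.org 200
2012-10-04T07:58:19 10.1.4.22 police-update.no-ip.biz 200
2012-10-05T09:00:00 10.1.4.40 fakeno-ip.org 200
2012-10-09T08:01:55 10.1.4.22 police-update.no-ip.biz 200
2012-10-15T08:04:12 10.1.4.22 police-update.no-ip.biz 200
not a log line
"""


def is_dyndns_host(host: str) -> bool:
    """True when host is a dynamic-DNS parent domain or a subdomain of one.
    The label-boundary check ("." + suffix) keeps fakeno-ip.org from matching."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, client, host, status = parts
    try:
        when = datetime.fromisoformat(timestamp)
    except ValueError:
        return None
    return when, client, host, status


def persistence_report(log_text: str, min_days: int = 3) -> dict:
    """Group dynamic-DNS contacts by (client, host) and keep the pairings seen on
    at least min_days distinct days. Returns a dict keyed by (client, host)."""
    seen = defaultdict(lambda: {"days": set(), "hits": 0})
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        when, client, host, _status = record
        if not is_dyndns_host(host):
            continue
        entry = seen[(client, host)]
        entry["days"].add(when.date())
        entry["hits"] += 1

    report = {}
    for key, entry in seen.items():
        days = sorted(entry["days"])
        if len(days) < min_days:
            continue
        report[key] = {
            "distinct_days": len(days),
            "hits": entry["hits"],
            "first_seen": days[0].isoformat(),
            "last_seen": days[-1].isoformat(),
            "span_days": (days[-1] - days[0]).days,
        }
    return report


if __name__ == "__main__":
    for (client, host), info in persistence_report(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {info}")
```

The threshold on distinct days is what separates a persistent channel from a single lookup: with the default `min_days=3` only the 10.1.4.22 pairing is reported, while `min_days=1` also surfaces the one-day contact from 10.1.4.31. On real proxy logs the suffix list would come from an allowlist of known dynamic-DNS providers, and the span between first and last sighting is the figure a responder wants when asking how long a host has been talking to the same C&C.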
