Malware attackers leave behind digital clues

FireEye examines the "Digital Bread Crumbs" left behind by a cyber-attacker

In its latest report, 'Digital Bread Crumbs: Seven Clues To Identifying Who's Behind Advanced Cyber Attacks', security firm FireEye identifies prevalent attack characteristics that can significantly help in attributing specific attacks to a particular country or region, helping security professionals better defend organizations from future advanced cyber-attacks.

“In today’s cyber threat landscape, identifying your enemy is a crucial piece of any defense plan,” said Ashar Aziz, CTO and founder of FireEye, in a statement. “When it comes to advanced cyber-attacks, finding out who your attackers are, how they work and what they are after is critical to protecting your data and intellectual property.”

By looking at keyboard layout, malware metadata, embedded fonts, DNS registration, language, remote administration tool configuration and overall behavior (methods and targets), security staff can piece together a likely picture of the perpetrator, much as an FBI profiler builds an identity for serial killers based on investigative clues.

“Attackers give themselves away inside their malware code, phishing emails, command-and-control servers and even basic behaviors,” Aziz observed.

For instance, hidden in phishing attempts is information about the attacker’s choice of keyboard, which varies by language and region. In addition, language artifacts embedded in malware often point to the attacker’s country of origin. Common language mistakes in phishing emails can sometimes be reverse-engineered to determine the writer’s native language.

Also, the fonts used in phishing emails point to the origin of the attack. FireEye said that this is true even when the fonts are not normally used in the attacker’s native language.

Malware source code contains technical details that suggest the attacker’s language, location and ties to other campaigns, while domains used in attacks pinpoint the attacker’s location. Duplicate registration information can tie multiple domains to a common culprit.

Meanwhile, popular malware-creation tools include a bevy of configuration options. These options are often unique to the attacker using the tool, allowing researchers to tie disparate attacks to a common threat actor.

As an example, the report identifies an attack tactic employed by the Chinese military group known as Comment Crew, previously linked to targeted attacks against the US government. An analysis of malware metadata helped to identify the previously undisclosed attack tactic. Malware’s executable code often references the original source directory that organizes source code. In the same way, programs written in C++ reference a project name. This underlying code can reveal the attacker’s language or country of origin, even when the code and other aspects of the attack are tailored to the language of the target.

Within the source code of a previously unpublished second-stage attack examined in the report, there is a reference to a process-debugging (PDB) file on the malware writer’s hard drive – a file that turns out to be a variant of the WEBC2 malware specifically used by Comment Crew.
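As an added example (not code from the FireEye report), here is how an analyst can pull the CodeView PDB path out of a raw PE image and turn it into the attribution hints the article describes: the user name, project directory and build configuration the compiler left behind, plus a flag for non-ASCII characters that may hint at the author's locale. The sample image bytes, GUID and path are constructed for this example.

```python
import re
import struct
import uuid
from typing import Optional

# Constructed sample: a fragment of a PE image containing a CodeView "RSDS" debug record.
# Layout: b"RSDS" | 16-byte GUID | 4-byte age | NUL-terminated PDB path.
# The GUID, path and padding bytes are made up; they do not come from any real sample.
SAMPLE_PDB_PATH = (b"C:\\Users\\operator\\Documents\\Visual Studio 2010\\Projects"
                   b"\\ExampleTool\\Release\\ExampleTool.pdb")
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"RSDS"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    + struct.pack("<I", 3)          # age field
    + SAMPLE_PDB_PATH + b"\x00"
    + b"\x90" * 16
)

# Directories Visual Studio inserts between the project folder and the .pdb file.
CONFIG_DIRS = {"release", "debug", "x64", "x86", "win32", "bin", "obj"}


def extract_pdb_path(image: bytes) -> Optional[str]:
    """Return the PDB path from the first RSDS CodeView record, or None if absent."""
    off = image.find(b"RSDS")
    if off < 0 or off + 24 > len(image):      # 4 (sig) + 16 (GUID) + 4 (age)
        return None
    end = image.find(b"\x00", off + 24)
    if end < 0:
        return None
    return image[off + 24:end].decode("utf-8", errors="replace")


def profile_pdb_path(path: str) -> dict:
    """Derive attribution hints from a PDB path: user, project, build config, locale clue."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    lowered = [p.lower() for p in parts]
    hints = {"pdb_file": parts[-1] if parts else None, "user": None,
             "project": None, "build_config": None,
             "non_ascii": any(ord(c) > 127 for c in path)}
    for marker in ("users", "documents and settings"):   # Vista+ and XP profile roots
        if marker in lowered and lowered.index(marker) + 1 < len(parts):
            hints["user"] = parts[lowered.index(marker) + 1]
    # Walk back over build-output directories; the first other directory is the project.
    i, configs = len(parts) - 2, []
    while i >= 0 and lowered[i] in CONFIG_DIRS:
        configs.append(parts[i])
        i -= 1
    hints["build_config"] = "\\".join(reversed(configs)) or None
    hints["project"] = parts[i] if i >= 0 else None
    return hints
```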

“Although cyber-attacks have grown more advanced and tenacious in recent years, there is still no such thing as the perfect crime. Every stage of the attack kill chain – reconnaissance, weaponization, delivery, exploitation, installation, command and control and actions on objectives (usually exfiltration) – can leave behind a digital paper trail,” FireEye noted in the report.
