APT Groups Fail on QA, Deep Exploit Knowledge – Report

Advanced Persistent Threat (APT) groups lack deep exploitation skills and release process QA, while their counterparts that author common malware understand exploits better, according to a surprising new report from Sophos.

Gabor Szappanos, principal researcher at SophosLabs Hungary, analyzed the real-world uses of the recently discovered vulnerability CVE-2014-1761 to compile the report, Exploit This: Evaluating the Exploit Skills of Malware Groups.

“Our deep analysis of malware samples using the CVE-2014-1761 vulnerability gave us a rare opportunity to compare the skill of a few different malware author groups,” he wrote.

“This is not a full and comprehensive test; we could estimate the skills only by a single criterion: the attackers’ understanding of the exploit. But the situation is the same as with any other test: if you know exactly what you are measuring, you can make valid conclusions.”

First reported by Microsoft in April 2014, CVE-2014-1761 is a file format vulnerability in the Rich Text Format (RTF) document parsing library of Microsoft Office and became the third most popular document-based exploit in Q4 2014.

Szappanos analysed 70 samples covering a wide range of malware families and authors, all using the exploit.

Surprisingly, he found that despite a wide range of Office versions being affected by the vulnerability, only Office 2010 Service Pack 2 (32 bit) was ever attacked.

“In fact, we found that the malware groups have limited understanding of, or ability to modify with success, the initial exploit,” he explained.

“Surprisingly, known APT groups showed less sophistication than more mainstream criminal groups. Even so, these groups are able to work with what they have to infect their targets.”

Appraising their skill levels from ‘Zero’ to ‘Neo’, Szappanos placed APT groups including Plugx and Pitty Tiger at the lower end and authors of common commercial malware families at the top.

None were able to understand the exploit well enough to “significantly modify the exploit trigger and the initial ROP chain” and avoid detection by AV tools, but the APT groups generally showed the least understanding.

Another surprise was that more than half (57%) of the malware samples studied did not work on their own and had to rely on other samples in multi-exploit attacks to infect the target.

“Considering only the RTF samples that use multiple exploits, and removing the ones that are seemingly test files (e.g., drop and execute calc.exe), the real-life multi-exploit combos have a disappointingly low 30% success rate,” said Szappanos.

There are positive and negative aspects to his conclusions.

Unfortunately, it seems the criminals with the “larger outreach” understand exploits better.

However, on the positive side, APT authors lack basic release-process QA and, although they are quick to adopt new exploits, their understanding is generally far from advanced.

This gives security teams an opportunity to fortify systems against newly discovered vulnerabilities if they’re quick and proactive enough, Szappanos told Infosecurity.

“If the security team looked a bit deeper into the PoC [for CVE-2014-1761], then it was clear exactly which application version was affected, allowing them to focus security hardening solely on these installations,” he added.

“For example, in the case of CVE-2014-1761, simply replacing one Windows library would secure the installation. But in general, even before the patch is out, there should be information about how to secure systems against the vulnerability. The security teams should follow all this information, determine which are the vulnerable systems, and what are the steps to secure them.”