McAfee Inc. has released its McAfee Labs Threats Report: June 2017, which examines the origins and inner workings of the Fareit password stealer, provides a review of the 30-year history of evasion techniques used by malware authors, explains the nature of steganography as an evasion technique, assesses reported attacks across industries and reveals growth trends in malware, ransomware, mobile malware and other threats in Q1 2017.
“There are hundreds, if not thousands, of anti-security, anti-sandbox and anti-analyst evasion techniques employed by hackers and malware authors and many of them can be purchased off the shelf from the Dark Web,” said Vincent Weafer, Vice President of McAfee Labs. “This quarter’s report reminds us that evasion has evolved from trying to hide simple threats executing on a single box, to the hiding of complex threats targeting enterprise environments over an extended period of time, to entirely new paradigms, such as evasion techniques designed for machine learning based protection.”
30 Years of malware evasion techniques
Malware developers began experimenting with ways to evade security products in the 1980s, when a piece of malware defended itself by partially encrypting its own code, making the content unreadable by security analysts. The term evasion technique groups all the methods used by malware to avoid detection, analysis and understanding. McAfee Labs classifies evasion techniques into three broad categories:
• Anti-security techniques: Used to avoid detection by antimalware engines, firewalls, application containment, or other tools that protect the environment.
• Anti-sandbox techniques: Used to detect automatic analysis and avoid engines that report on the behaviour of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know if it is running in a sandbox.
• Anti-analyst techniques: Used to detect and fool malware analysts, for example, by spotting monitoring tools such as Process Explorer or Wireshark, as well as some process-monitoring tricks, packers, or obfuscation to avoid reverse engineering.
The June 2017 McAfee Labs report examines some of the most powerful evasion techniques, the robust dark market for off-the-shelf evasion technology, how several contemporary malware families leverage evasion techniques and what to expect in the future, including machine learning evasion and hardware-based evasion.
Hiding in plain sight: the concealed threat of steganography
Steganography is the art and science of hiding secret messages. In the digital world, it is the practice of concealing messages in images, audio tracks, video clips, or text files. Often, digital steganography is used by malware authors to avoid detection by security systems. The first known use of steganography in a cyberattack was in the Duqu malware in 2011. When using a digital image, secret information is inserted by an embedding algorithm, the image is transmitted to the target system and there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology.
McAfee Labs sees network steganography as the newest form of this discipline, as unused fields within the TCP/IP protocol headers are used to hide data. This method is on the rise because attackers can send an unlimited amount of information through the network using this technique.
Fareit: the most infamous password stealer
Fareit first appeared in 2011 and has since evolved in a variety of ways, including new attack vectors, enhanced architecture and inner workings and new ways to evade detection. There is a growing consensus that Fareit, now the most infamous password-stealing malware, was likely used in the high-profile Democratic National Committee breach before the 2016 US Presidential election.
Fareit spreads through mechanisms such as phishing emails, DNS poisoning and exploit kits. A victim could receive a malicious spam email containing a Word document, JavaScript, or archive file as an attachment. Once the user opens the attachment, Fareit infects the system, sends stolen credentials to its control server and then downloads additional malware based on its current campaign.
The 2016 DNC breach was attributed to a malware campaign known as Grizzly Steppe. McAfee Labs identified Fareit hashes in the indicators of compromise list published in the US government’s Grizzly Steppe report. The Fareit strain is believed to be specific to the DNC attack and dropped by malicious Word documents spread through phishing email campaigns.
The malware references multiple control server addresses that are not commonly observed in Fareit samples found in the wild. It was likely used in conjunction with other techniques in the DNC attack to steal email, FTP and other important credentials. McAfee Labs suspects that Fareit also downloaded advanced threats such as Onion Duke and Vawtrak onto the victims’ systems to carry out further attacks.
“With people, businesses and governments increasingly dependent on systems and devices that are protected only by passwords, these credentials are weak or easily stolen, creating an attractive target for cybercriminals,” Weafer continued. “McAfee Labs believes attacks using password-stealing tactics are likely to continue to increase in number until we transition to two-factor authentication for system access. The Grizzly Steppe campaign provides a preview of new and future tactics.”
Q1 2017 threat activity
In the first quarter of 2017, the McAfee Labs Global Threat Intelligence network registered notable trends in cyberthreat growth and cyberattack incidents across industries:
• New threats. In Q1 2017, there were 244 new threats every minute, or more than four every second.
• Security incidents. McAfee Labs counted 301 publicly disclosed security incidents in Q1, an increase of 53% over the Q4 2016 count. The health, public and education sectors comprised more than 50% of the total.
• Malware. New malware samples rebounded in Q1 to 32 million. The total number of malware samples increased 22% in the past four quarters to 670 million known samples. New malware counts rebounded to the quarterly average seen during the past four years.
• Mobile malware. Mobile malware reports from Asia doubled in Q1, contributing to a 57% increase in global infection rates. Total mobile malware grew 79% in the past four quarters to 16.7 million samples. The largest contributor to this growth was Android/SMSreg, a potentially unwanted program detection from India.
• Mac OS malware. During the past three quarters, new Mac OS malware has been boosted by a glut of adware. Although still small compared with Windows threats, the total number of Mac OS malware samples grew 53% in Q1.
• Ransomware. New ransomware samples rebounded in Q1 primarily due to Congur ransomware attacks on Android OS devices. The number of total ransomware samples grew 59% in the past four quarters to 9.6 million known samples.
• Spam botnets. In April, the mastermind behind the Kelihos botnet was arrested in Spain. Kelihos was responsible over many years for millions of spam messages that carried banking malware and ransomware. The US Department of Justice acknowledged international cooperation between United States and foreign authorities, the Shadow Server Foundation and industry vendors.