
BrandPost: Wolves Among Us: Abusing Trusted Providers for Malware Operations

Discussion in 'CSO' started by RSS, Jun 11, 2015.


    Within the past year the RSA Incident Response (IR) team has worked multiple APT engagements in which the adversary's malware used an unusual method of determining its Command and Control (C2) server. By leveraging trusted content providers, such as popular shopping sites and discussion forums, adversaries can perform operations within a network in plain sight. Instead of a hard-coded beacon address, the malware carries only a user name: the binary performs a simple lookup of the activity of a fake account on a public discussion forum, and that account's posts contain the current C2 IP address, which the operator can change at will.

    As an example, RSA IR discovered use of malware known as PNGRAT during a recent response effort. PNGRAT, which has since been publicly documented as ZoxPNG, is a substantially equipped trojan with the ability to manage files, enumerate and control processes, and execute commands. In this particular variant, there were additional features that allowed the malware to collect stored HTTP credentials from the registry of the compromised system, as well as monitor for RDP connections. More importantly, these samples of PNGRAT did not contain a hardcoded IP address or domain for C2 communications.
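The following is an added example, not code from the RSA article or from the PNGRAT/ZoxPNG samples, showing both halves of the "dead drop" lookup the post describes: the implant side, where the beacon address has been replaced by an account name and a parser that reads that account's forum posts, and a defender side that pairs the forum lookup with the raw-IP connection that follows it in proxy logs. The forum markup, the account name hw_guy42, the [[cfg: ... ]] marker, the base64 encoding, the proxy log format and the forum.example hostnames are all assumptions made for this example; the article does not say how the real samples encoded or located their drops. Addresses come from the RFC 5737 documentation ranges.

```python
import base64
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed forum thread standing in for a public discussion site. The fake
# account "hw_guy42" smuggles an encoded C2 address between [[cfg: ... ]]
# markers in otherwise plausible replies. Markup, account name, marker and the
# base64 encoding are assumptions for this example; the article does not say
# how PNGRAT/ZoxPNG encoded its drops.
FORUM_PAGE = """
<div class="post" data-author="hw_guy42"><p>Same problem here. [[cfg:MTk4LjUxLjEwMC4yMzo0NDM=]]</p></div>
<div class="post" data-author="real_user"><p>Reset it, 192.168.1.1 is your gateway.</p></div>
<div class="post" data-author="hw_guy42"><p>Still broken after the update. [[cfg:MjAzLjAuMTEzLjk6ODQ0Mw==]]</p></div>
<div class="post" data-author="hw_guy42"><p>Nevermind, fixed. [[cfg:MTAuMC4wLjU6ODA=]]</p></div>
"""

POST_RE = re.compile(r'<div class="post" data-author="([^"]+)">(.*?)</div>', re.S)
DROP_RE = re.compile(r"\[\[cfg:([A-Za-z0-9+/=]+)\]\]")

# RFC 1918, loopback and link-local. ipaddress.is_global is deliberately not
# used: it also rejects the documentation ranges standing in for real
# addresses in this example.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def resolve_c2(page, account):
    """Implant-side lookup: the hard-coded beacon address is replaced by an
    account name plus this parser. Returns (ip, port) from the newest usable
    drop that account posted, or None. Posts by other users are ignored even
    if they contain addresses; malformed or non-routable drops are skipped so
    one bad post cannot sink the implant."""
    found = None
    for author, body in POST_RE.findall(page):
        if author != account:
            continue
        for blob in DROP_RE.findall(body):
            try:
                host, _, port = base64.b64decode(blob, validate=True).decode().rpartition(":")
                ip = ipaddress.ip_address(host)
                port = int(port)
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                continue
            if 0 < port < 65536 and not any(ip in net for net in NON_ROUTABLE):
                found = (str(ip), port)  # later posts override earlier ones
    return found


# Constructed proxy log: "<timestamp> <client> <method> <target>". Two clients
# read the fake account's post listing; only one then opens a raw IP:port
# connection inside the detection window.
PROXY_LOG = """\
2015-06-11T09:00:05 10.1.2.3 GET https://forum.example/members/hw_guy42/posts
2015-06-11T09:00:12 10.1.2.3 CONNECT 203.0.113.9:8443
2015-06-11T09:01:40 10.1.2.7 GET https://forum.example/members/hw_guy42/posts
2015-06-11T09:02:02 10.1.2.7 GET https://cdn.example/static/logo.png
2015-06-11T13:00:01 10.1.2.7 CONNECT 203.0.113.9:8443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
MEMBER_PAGE_RE = re.compile(r"^https?://[^/]+/members/[^/]+/")
BARE_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def suspicious_clients(log, window_s=300):
    """Defender-side heuristic over proxy logs: clients that fetch a member's
    post listing and, within window_s seconds, connect to a bare IP:port with
    no hostname. Returns {client: [(ip, port), ...]}. The window and the URL
    pattern are tuning knobs; the point is to pair the lookup with the beacon
    that follows it rather than alert on forum traffic alone."""
    last_lookup = {}
    hits = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, target = m.groups()
        when = datetime.fromisoformat(ts)
        if MEMBER_PAGE_RE.match(target):
            last_lookup[client] = when
            continue
        bare = BARE_IP_RE.match(target)
        if bare and client in last_lookup and when - last_lookup[client] <= timedelta(seconds=window_s):
            hits.setdefault(client, []).append((bare.group(1), int(bare.group(2))))
    return hits


if __name__ == "__main__":
    print("implant would beacon to:", resolve_c2(FORUM_PAGE, "hw_guy42"))
    print("clients to triage:", suspicious_clients(PROXY_LOG))
```

The detection side is deliberately a pairing heuristic rather than a blocklist: the forum itself is legitimate and blocking it is rarely an option, and a bare-IP connection on its own is common enough to be noise. What stands out is the sequence, a read of one account's post listing followed within minutes by a direct connection to an address that never appeared in DNS. Tune the window to how quickly the implant beacons after its lookup, and widen the URL pattern to whatever "activity of one user" looks like on the provider in question.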
