Dridex: the secret in a PostMessage()

Dridex is a well-known banking malware that has been around since 2014. The developers behind it are always at the forefront of innovation and capable of routinely coming up with new tricks.

Taking a Closer Look

Dridex Phishing Email

In this campaign (still active at the time of writing), Dridex comes packaged as a zip file, pretending to be a DHL Document. As seen above, the lure, directed at safeguard-technology.com, is rather simple and not articulate.

The attached zip file contains a Word Document laced with a malicious macro. Opening the document starts the infection chain, and this is where things get really interesting. To understand the general behavior, we started by running the sample through ReaQta-Hive. This is how it looks.

Dridex behavior as tracked by ReaQta-Hive

At first glance, it might not look like much – just another WMI execution via Macro – but behind the scenes, Dridex does something interesting. Though the wmic.exe inspection panel (2) shows an empty command line, and the edge connecting winword.exe to wmic.exe doesn’t show any sign of alteration – like a process impersonation or code injection – the WMI somehow starts rundll32.exe (3). How is this possible?

Winword starting an instance of notepad.exe

The behavioral tree gives us clues. As seen in the image above, we can observe a possible anomaly: an instance of notepad.exe pops out from winword.exe. By zooming in, we also see that notepad opens a .txt file.

The file being processed by notepad is called may_befall.txt. Analyzing the Macro’s code helps better explain what is happening.

Dridex macro analysis

The macro code is obfuscated along the lines of Pride and Prejudice. The developers probably felt poetic. Well, this kind of obfuscation is also more pleasant to the analyst's eye, so no critiques here. Below we can see where the .txt file opened by notepad is created.

Dridex macro creating notepad’s text file

This file is actually an xsl containing the code that is used by wmic.exe to download and run its malicious Dridex payload.

XSL payload opened by notepad

Additional macro code analysis shows what is really happening. It can be summarised as follows:

  1. The macro creates an instance of notepad.exe
  2. By using several calls to PostMessageA(), the macro writes the xsl payload in a .txt file
  3. The macro then renames the .txt to .xsl
  4. wmic.exe is started by the macro
  5. The macro searches for the wmic console by calling FindWindowExA() using the ConsoleWindowClass window class
  6. Data is again sent to the wmic console using PostMessageA()
  7. wmic.exe runs a SquiblyTwo attack
  8. wmic.exe downloads and drops the malicious Dridex dlls
  9. wmic.exe finally runs rundll32.exe

Below is a high level view of the macro’s workflow:

Dridex macro workflow

The malicious payload is downloaded from two URLs:

  1. https[:]//batriaruum[.]com/dasruol.dll
  2. https[:]//penotorc[.]com/topwin.dll

Dridex C2 connection

We have created a quick PoC video that shows this technique at work.

Why did the Dridex developers go down this convoluted path to start wmic.exe? There are several possible answers:

  1. To hide the commandline and thus prevent static detection, such as from automated Threat Hunting on commandline parameters.
  2. To prevent triggering SIEM’s correlation rules.
  3. To bypass application whitelisting (AWL) solutions.

Indeed, the technique is quite effective at thwarting such analyses, as the command line doesn't show anything anomalous. Also, the payloads are written to disk by a trusted process, which might further prevent detection by certain security solutions.
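Because the command line is empty, detection has to come from process lineage rather than from arguments: an Office process spawning notepad.exe, an Office process spawning wmic.exe with no arguments, and wmic.exe spawning rundll32.exe, correlated along the parent chain. The following is an added example written for this post, not ReaQta's code. It runs that logic over Sysmon-style process-creation records that are constructed here (the pids, paths and the rundll32 placeholder argument are assumptions; only the process names and may_befall.txt come from the analysis above).

```python
"""Lineage-based detection of the Dridex wmic.exe launch chain.

Added example, not ReaQta's code. Events are simplified Sysmon EventID 1
records reduced to the fields the chain needs. Sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_no_arguments(command_line: str) -> bool:
    """True when the command line is empty or carries only the image itself.

    Quoted paths with spaces count as a single token.
    """
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    return len(tokens) <= 1


def detect_dridex_chain(events):
    """Return (rule, pid) findings for each suspicious link in the chain."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        # Office using notepad as a file-writing proxy (PostMessageA).
        if parent in OFFICE and img == "notepad.exe":
            findings.append(("office-spawns-notepad", ev.pid))
        # wmic started from Office with nothing on its command line:
        # the arguments were typed into the console window instead.
        if parent in OFFICE and img == "wmic.exe" and has_no_arguments(ev.command_line):
            findings.append(("wmic-empty-cmdline", ev.pid))
        # SquiblyTwo: wmic.exe hands execution to rundll32.exe.
        if parent == "wmic.exe" and img == "rundll32.exe":
            findings.append(("wmic-spawns-rundll32", ev.pid))
    return findings


def ancestry(events, pid):
    """Image names from pid up to the root, e.g. [rundll32, wmic, winword, ...]."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def correlated_alerts(events):
    """pids of rundll32.exe whose parent is wmic.exe and grandparent an Office app."""
    hits = []
    for ev in events:
        if basename(ev.image) != "rundll32.exe":
            continue
        chain = ancestry(events, ev.pid)
        if len(chain) >= 3 and chain[1] == "wmic.exe" and chain[2] in OFFICE:
            hits.append(ev.pid)
    return hits


# Constructed sample telemetry (pids and paths are assumptions).
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    ProcEvent(4012, 1, EXPLORER, r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent(5120, 4012, WINWORD, EXPLORER, '"WINWORD.EXE" /n "DHL Document.doc"'),
    ProcEvent(5308, 5120, r"C:\Windows\System32\notepad.exe", WINWORD, "notepad.exe may_befall.txt"),
    ProcEvent(5444, 5120, WMIC, WINWORD, ""),  # empty command line, as in the storyline
    ProcEvent(5610, 5444, r"C:\Windows\System32\rundll32.exe", WMIC,
              "rundll32.exe <dropped-dll-path>,<export>"),  # placeholder, not the real argument
    ProcEvent(5700, 4012, WMIC, EXPLORER, "wmic process list brief"),  # benign: has arguments
]

if __name__ == "__main__":
    for rule, pid in detect_dridex_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    for pid in correlated_alerts(SAMPLE_EVENTS):
        print(f"correlated alert: rundll32 pid {pid}, chain {ancestry(SAMPLE_EVENTS, pid)}")
```

The single-link rules are noisy on their own (Office spawning notepad happens legitimately); the correlated rule, which requires the whole winword -> wmic -> rundll32 lineage, is the one worth alerting on, which is also the point the storyline view above makes.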

We noticed that Dridex's behavior changed between the 5th and the 9th of June 2020. Before these dates, Dridex used a much simpler technique in which rundll32.exe was launched directly.

Conclusions

Attackers keep evolving at an incredible pace and are increasingly creative in their approach. Behavioral monitoring and continuous endpoint monitoring help organisations remain safe and prevent interruptions to business continuity, even when facing new and previously unknown threats or techniques.

With a large part of the workforce now operating from home, traditional enterprise defense systems are less effective and attention must be pointed towards those devices that are targeted more often. Behavioral monitoring, infrastructural modeling and automated threat hunting are some of the most important features provided by ReaQta-Hive. Our security experts can help if you suspect that your infrastructure has been breached or if you need to step up your cyber security posture, contact us to discuss with our security team.

MITRE ATT&CK Techniques

Execution: T1047, T1204, T1064, T1085

Defense Evasion: T1055, T1107, T1064, T1085

C2: T1043

MITRE Techniques used by Dridex
ReaQta-Hive MITRE ATT&CK Mapping

IOC

https[:]//batriaruum[.]com/dasruol.dll
https[:]//penotorc[.]com/topwin.dll
ca381193229b547475e5724d5ea9f202b92f72836e9ada71ebad288845de2bbf
7a6e5af86297a254911aff6610aca9bee0fff349434cad5fe76314e51acd66f9
a50a9733f36b1f444efc7336f490d49199f61f34643f9125908bd47b6fcd173b
c45e738d6348324dac8cfedf451e8cb67b35d2ba2ef4c2f1cb7c004ce88edddd
fcc719b587b940009970177f33e85f96973983387c3ea19c698c720935d88af4 
49a686549e78ad7d432af8a8a70973912e569cc1ca1dbe9de49909ed5247c634 
54d2448355d298c883e885dcf56ee943fa926ba42c46bb8d06722772653619b1 
84567037059c961a3ad1e6dffdf598a4c887df6d65b31e9257a7de8a75db9440 
500be83e6624af2302e45bc91e026b776d72824cf84896839e03251c41394110 
89560994f6d6f2717bcb92d4076704690af2d3df30ca7218fd3482903c9719b8 
94737e6b49496356b1df987c498bc4e4f07551d803be346d37cbc33d6cb1cf2d

ReaQta Launches ReaQta-EON and Hive-Guard

ReaQta, the company behind the world’s first and only NanoOS technology, has today announced two new solutions to simplify the fight against modern-day threats.

These solutions leverage proven signature and pre-execution techniques to better defend against known threats in real-time. This includes malware quarantine, pre-execution protection and signature & heuristic matching.

REAQTA-EON: Cloud-Delivered NGAV+

In today’s cyberthreat landscape, organizations without next-generation prevention and attack visibility capabilities are putting themselves at serious risk. Over the past months, organizations that only have legacy AV solutions have been suffering from severe business disruptions and financial losses.  

ReaQta-EON has been designed from the ground-up to replace legacy AV. As an NGAV+, ReaQta-EON has been built with the latest breakthrough technologies in artificial intelligence and machine learning to provide the install-and-forget, essential and real-time security that every organization needs to fight modern-day threats. 

As a cloud-delivered NGAV+, any organization can effortlessly strengthen their operational resilience and defense from unwanted cyber-disruptions without additional infrastructure or maintenance. 

Read more about ReaQta-EON here

HIVE GUARD: Anti-Malware Module for ReaQta-Hive

The Hive Guard Anti-Malware module is the latest addition to ReaQta's flagship product, ReaQta-Hive. With the introduction of this integrated module, organisations can easily swap out their existing legacy AV to get an All-in-One Endpoint Protection in their existing ReaQta-Hive platform.

Hive Guard seamlessly integrates foundational prevention capabilities into the ReaQta-Hive platform by leveraging on machine learning, signature-based and pre-execution scanning technologies. This module provides organizations with the complete protection against all known malware, adware and suspicious files.

There is no need for a typical difficult and lengthy anti-malware deployment. After purchase, the Hive Guard simply needs to be turned on by a switch that can be found within the customer’s existing dashboard. Within ~10 minutes, an organization’s endpoints can enable complete Anti-Malware protection.

Read more about Hive Guard here.


About ReaQta

ReaQta was founded by an elite team of offensive and defensive cybersecurity experts and AI/ML researchers. Combining these backgrounds, the team has built a powerful AI Endpoint Security Platform. This innovative approach applies the latest AI algorithms to automate and simplify the process of detecting and handling new threats. Organisations can now eliminate the most advanced threats in the fastest way possible with a beautiful, powerful and easy-to-use platform. Without the need for additional highly skilled personnel, security teams can now do more, with less.

We recently outperformed at the latest MITRE ATT&CK Endpoint Product Evaluation. For a detailed breakdown on our performance, read the evaluation blog here.

Follow us at @ReaQta or on LinkedIn to keep updated on the latest developments at ReaQta.

Meet HIVE GUARD: The Anti-Malware Module

We are excited to introduce Hive Guard, the latest addition to ReaQta-Hive, our AI Endpoint Security Platform (EDR)!

Hive Guard now extends the existing protection coverage even further, by including pre-execution dynamic emulation, behavioral heuristics and signature-based prevention coupled with a new A.I. based analysis module.

We know you might have questions, so let’s begin:

Do organisations still need Anti-Malware if they already have an EDR?

Anti-Malware is one of the cybersecurity building blocks. It helps protect endpoints (workstations, laptops, servers etc.) against known malware, RATs, Trojan horses and other unwanted cyber threats that can put your data and infrastructure in great danger. 

Malware always performs malicious acts, such as deleting files, stealing personal data and using computers to further an attack. Aside from keeping the infrastructure clean from known threats, anti-malware solutions serve as protection to prevent re-entry in the system. 

The pre-execution analysis engine will ensure that malware is identified and removed before it is executed. Such a technology naturally complements the sophisticated behavioral engines currently used in ReaQta-Hive to discover new and previously unknown threats. 

What is the difference between Anti-Malware and EDR?

Anti-malware: Detects and blocks all known threats before they are executed
Endpoint Detection & Response: Complete visibility to detect, analyze and respond to unknown threats

Given the necessity of Anti-Malware, here are some of the key reasons why organizations are choosing the Hive Guard Anti-Malware module. 

1. Manage All Your Endpoint Solutions in a Single Console

We continuously work towards making cybersecurity simple. With this newly integrated module, organisations no longer need to manage their Anti-Malware and EDR on separate platforms. 

Security teams can now streamline and manage all their endpoint security on a single and integrated ReaQta-Hive dashboard.

2. Rapid and Hassle-free Deployment

We have good news for all existing ReaQta-Hive customers: Hive Guard can be switched on as a module directly within your dashboard to enable complete Anti-Malware protection. Your endpoints will be automatically protected within 30 minutes. We designed this process to be extremely seamless and time-efficient for IT teams.

3. Complete End-to-End Endpoint Protection

Hive Guard completes the all-in-one solution to protect against all known and unknown threats. We cannot stress this point enough. 

Unlike other EDR solutions, which attest to some form of signature-based integration, the Hive Guard truly provides the basic building block necessary to complete the entire Endpoint Protection stack for organisations. 

For more information on how to turn on the Hive Guard module in your ReaQta-Hive dashboard, please contact sales@reaqta.com.


Oil and Gas Supply-chain Phishing Campaign

ReaQta has been tracking an extensive and long-running spear-phishing campaign targeting the supply chain of the Oil & Gas industry, most likely for espionage purposes. The campaign started in 2018 and is still running today, with a new wave that began in the first week of May. It is carefully prepared and executed, with attackers taking advantage of several compromised websites to deliver their malicious payloads.

Due to the length of this campaign, we believe this might be used to obtain and maintain access within a network of suppliers that cater to the Oil & Gas industry and that it might set the stage for a more targeted attack in the future.

Impersonating Petrofac

One of the emails that caught the attention of our team was impersonating Petrofac's Procurement Proposal Engineer. According to Wikipedia:

Petrofac Limited is a provider of oilfield services to the international oil and gas industry. It is registered in Jersey (number 81792), with its main corporate office on Jermyn Street, London. It has operational centres in Aberdeen, Sharjah, Woking, Chennai, Mumbai, Delhi, Abu Dhabi, Saudi Arabia and Kuala Lumpur.

The impersonated employee describes himself as: "working alongside my team to secure projects. Negotiating with suppliers to provide competitive prices. Cherry-picking vendors". The other signer describes himself as a "Buyer at Saipem for Thai Oil Clean Fuels Project". The identities used might therefore look plausible to the victims receiving the emails.

Spear-phishing email impersonating a Petrofac employee.
The lure used to deliver the first stage of the attack

The message contains a request for quotation for a "Ghasha Processing Plant Process". Petrofac was in fact awarded, in February 2020, 2 EPC contracts worth 1.65Bn$ as part of the Gasha Concession offshore Abu Dhabi to develop ultra-sour gas fields, although both contracts were cancelled on the 16th of April 2020.

Back in 2018, Petrofac together with Saipem and Samsung Engineering was awarded a 4Bn$ contract for the development of a refinery in Sriracha, Thailand. The above message (perhaps in a confusing way) refers to both things as if they were the same.

The email impersonating Petrofac was actually sent by another company, DigiPro Solutions (appearing to be a subsidiary of the Egyptian Al Madina), which provides printing and packaging solutions. One of the intended recipients was Team Translation, an Italian company that specializes in translations for machinery in various industries, such as Renewable Energy, Packaging, Refrigeration etc.

We suspect that DigiPro/Al Madina's server or website has been compromised and used specifically to target Team Translation. The attackers also appear to blind copy (BCC) some of their targets instead of emailing them directly.

Targets

This campaign is not limited to a single company. In fact, we have identified several targets, and the list will probably grow as we keep digging.

WalterTosto SpA: "a leading manufacturer of critical, long lead equipment including heavy wall hydrocracking, hydrotreating, GTL and EO reactors for various applications within Oil&Gas, Petrochemical, Power & Energy, Food & Pharma markets."

ProMinent Group: "The ProMinent group of companies is based in Heidelberg and for over 55 years has been developing and manufacturing components and systems for metering liquids and solutions for water treatment and water disinfection."

De Palma Thermofluid: "operates to provide products and technologies that produce, detect, regulate and control all industrial fluids such as steam, hot water, thermal oil, chilled water, hot air and cold."

Maber Srl: "Industrial Technologies: Hoists, Winches – Man rider, BOP (Systems), Pumps ARO, Cordless Tools QV20, Cordless Tools QV12, Air Starter-Motors"

Interestingly, every entity, though part of the same attack campaign, has been targeted via a different provider. The attackers take care to use a different compromised website/mailserver for each of their targets.

Link to Previous Campaigns

The actor behind this campaign has been active for a long time. We managed to track the activity back to March 2018 (with one of the targets again being Team Translation), when it was already impersonating Petrofac and using new contracts won by the company as a lure, as can be seen in the image below.

March 2018 lure
Phishing email from March 2018

And again in March 2019, this time impersonating Saudi Arabian Saipem and taking advantage of a seemingly legitimate domain, ejadarabia[.]com, used once more to deliver NetWire and AgentTesla.

Phishing email from March 2019 (using ejadarabia[.]com)

In 2019 the attacker used the same lure as in 2020, as can be seen below.

Lure from March 2019 phishing campaign

Targets in the previous years were again companies in the Oil&Gas supply chain: rig building companies, pipeline management, HVACs, oil pumps and tankers.

Technical Analysis

The email impersonating Petrofac contains two attachments, both password protected to reduce the chances of being detected by anti-spam and antivirus. When opened, the document shows a blurred image asking the user to enable Macros.

Request for quotation lure document
Malicious document masked as RFQ

The malicious Macro is quite simple and is used to download an MSI file from a domain controlled by the attacker.

Word’s Macro takes care of downloading the MSI and running it.

Macro chain

Malicious document first stage

The malicious file had, at the time of writing, a remarkably low detection rate, as shown below.

Malicious MSI detection rate

The MSI file is used to load a first stage, which appears to be GuLoader, a small downloader packed with a variety of AntiVM tricks. Below we can see GuLoader in action in ReaQta-Hive: the storyline shows GuLoader creating a registry persistence and then downloading, decrypting and loading its payload after performing a dynamic impersonation.

Netwire activity and MITRE mapping
GuLoader activity and MITRE mapping

As a final step, GuLoader drops Netwire which begins to acquire data and screenshots from the infected machine. The C2 appears to be located in Singapore as seen from the image below.

Netwire activity
Netwire loaded by GuLoader

Conclusions

This is a long-running campaign that can be tracked back to at least 2018. The attackers maintain a consistent modus operandi: spear-phishing emails sent through compromised web servers and email servers, targeting mostly suppliers to the Oil&Gas and heavy machinery industries.

We haven't found traces of custom tools; so far, only commodity malware such as GuLoader, NetWire and AgentTesla has been used. We suspect the attackers' motivation to be espionage rather than cybercrime, as we haven't seen any attempt at extortion or threats against the victims, leading us to believe that the low-profile activity is intentionally aimed at maintaining access for as long as possible.

IOC

Documents

  • 8ba9b9d65b1a62fccb25221c7f99babc6ee332e78bf0ba3621590d9a86ad5cdc
  • 547824ed02828a34efcf44e44213ed24f860a2b74146b83d24577509dd7e4cf8
  • 9a0c4d6096b6dd9a7f1a3d9b7cd815d055d23b6f24b8b03afe37354322301daf
  • 4e9cee1539ffc2009a1ee04f6fb337ded14fa0c24c0a488498f21abc483123ac
  • d0ed4020ef0c0e7db509cf522f860bae3e3d0bd3b3ffffa541180d8e41c4f214
  • 67b442e909787931e3197e09c581bdf0f5c8f51f753906302b21204491adf078
  • 2c2e1fca650410d82a26d9956063b63d057077d064c05ee95b494714653e895a
  • 4a125880adc19550c31f9e5495a96c47fd1bf92f47c6538d50b600caedd3ef44
  • 00a7e9e3dcb0ca820ab352c80c77a1b0b3704fda20eeb87a6ef8a00e5e812b3a
  • c593f1b0cbd9d62d04735291c67f5967a4bba6fb54c78346b9a1f95d080cfb13
  • 4f52d21c5ea8049be9beb199015797164f9c71b5cf9975b4ca5050444b4f4482
  • 1dab026b970f032c67f6e4d89cf0f08447305abdea57e9c22c508c10ba438ac2
  • 65cd60db82dce7d56dc2e2b400768cc8f558acd7d882139c6d1402b8e831b48e
  • 7adb17ce0b5640ca9b7986145e457cd07393aea6fb15f7e24d1879a3bc563004
  • 6a322997b7889e71ef396be8bf188e7f99bccd96bcf76aeab942d8e0d7f7aea9
  • 4db0aa494b11d1be5c4e196ed1af795e0605d25052ea130e2bd0e0e7f5dfb651
  • 239edac0f2120dc3b2e9e251c0adf9a5fadf05da719665b7d8b67456212e67a4

C2

  • souqtajeer[.]com
  • pocketfsa[.]com
  • ejadarabia[.]com
  • 79.134.225[.]35
  • 148.66.137[.]120
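The C2 indicators above are published defanged (`[.]`), so they cannot be pasted into a resolver log search as-is, and a bare string match would miss subdomains of a listed domain. The following is an added example, not ReaQta's code: it refangs the domain and IP indicators listed in this post and scans constructed DNS and proxy log lines for them (the log format, client addresses and timestamps are assumptions made for the example).

```python
"""Refang the post's C2 indicators and match them against log lines.

Added example, not ReaQta's code. Indicators are copied from the IOC list
above; the log lines below are constructed for this example.
"""
import re
from ipaddress import ip_address

# Indicators exactly as published in the post (defanged).
DEFANGED_IOCS = [
    "souqtajeer[.]com",
    "pocketfsa[.]com",
    "ejadarabia[.]com",
    "79.134.225[.]35",
    "148.66.137[.]120",
]


def refang(indicator: str) -> str:
    """Convert common defanging conventions back to a matchable value."""
    s = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed, ".")
    s = s.replace("[:]", ":").replace("hxxp", "http")
    # Drop a scheme and path if a URL was given; keep only the host part.
    s = re.sub(r"^[a-z]+://", "", s).split("/", 1)[0]
    return s


def classify(indicator: str) -> str:
    """'ip' or 'domain' for a refanged indicator."""
    try:
        ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


# Hostnames (with at least one dot) and dotted-quad IPs inside a line.
_HOST_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def scan_lines(lines, defanged_iocs):
    """Return (line_number, refanged_indicator) for every match.

    Domain indicators match the host itself and any subdomain of it;
    IP indicators match exactly.
    """
    iocs = [(refang(i), classify(refang(i))) for i in defanged_iocs]
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in _HOST_RE.findall(line.lower()):
            for ioc, kind in iocs:
                if kind == "ip" and host == ioc:
                    hits.append((number, ioc))
                elif kind == "domain" and (host == ioc or host.endswith("." + ioc)):
                    hits.append((number, ioc))
    return hits


# Constructed sample lines: two resolver queries and one proxy CONNECT.
SAMPLE_LOG = [
    "2020-05-06T09:12:01Z client=10.0.0.23 query=mail.example.org type=A",
    "2020-05-06T09:12:44Z client=10.0.0.23 query=www.souqtajeer.com type=A",
    "2020-05-06T09:13:10Z client=10.0.0.41 query=update.example.net type=A",
    "2020-05-06T09:14:02Z client=10.0.0.23 dst=79.134.225.35:443 method=CONNECT",
]

if __name__ == "__main__":
    for number, ioc in scan_lines(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {number}: matched {ioc}")
```

Suffix matching on the registered domain is what catches `www.souqtajeer.com` against the listed `souqtajeer[.]com`; a plain substring search would also be wrong in the other direction, flagging unrelated hosts that merely contain the string.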

MITRE ATT&CK Evaluation Confirms ReaQta-Hive Advanced Detection Capabilities

ReaQta has successfully completed the MITRE evaluation, showing ReaQta-Hive’s capabilities of providing complete coverage of sophisticated attacks, with no human intervention and top-quality alerts. Let us start off with understanding what MITRE evaluation is all about and then discuss how ReaQta performed during the test.

What is MITRE ATT&CK Evaluation

MITRE ATT&CK has defined a set of stages during a cyberattack and evaluates solutions on their ability to detect threats in each of these. Each of the listed stages represents a “tactic” along the kill-chain:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Exfiltration
  11. Command and Control

MITRE has a set of identified techniques, each of which belongs to a tactic group, based on the threat actor that they select for the evaluation. MITRE chose APT29 for this round of evaluation.

How Does the MITRE Evaluation Help Organisations

The evaluation does not score or grade solutions; it is meant to help organisations identify the most suitable solution for their specific security challenges. Organisations do need to note that the evaluation takes place in isolated environments and has limitations. There are times when certain features of a solution are disabled because they do not support that particular lab infrastructure. In ReaQta's case, the NanoOS, our live hypervisor used to detect high-level malicious behaviours, could not be used. Nonetheless, the platform performed well, even without its core component.

No Manual (MSSP) Detections

Before starting the evaluation ReaQta decided to participate without MSSP, that is without any human interaction during the attack. MITRE is a technology evaluation framework and we felt it would be unfair to introduce humans in the loop. On top of that the contribution of MSSP detections heavily biases the evaluation. The SOC team knows that an attack is happening and they know exactly where and how.

We felt that the MSSP approach wouldn't have provided our customers with a fair assessment of the technology. MITRE has been very receptive to feedback and, starting from Round 3, all companies will be evaluated without humans in the loop.

We think MSSPs add great value, customers should be free to choose between MSSP and stand-alone deployments, but we don’t think MSSPs belong to the evaluation framework as it’s easy to skew the results in one’s favour.

As we can see from the graph below, the amount of detections performed by humans had a huge impact on generated detections, in several instances more than 50% of detections – and up to 73% – were created manually. Only 6 companies decided to participate without humans in the loop.

Manual detections generated by each vendor throughout the evaluation process.
Manual detections generated by each vendor.

The configuration used by ReaQta during the evaluation can be found here.

MITRE Evaluation Round 2 – APT29

Vendors were tested on their ability to detect the tactics and techniques used by APT29 (also known as The Dukes, Cozy Bear and CozyDuke), a sophisticated nation-state adversary known for their stealthy approach. APT29 is widely known for being behind notable attacks: the Pentagon in 2015, the Democratic National Committee in 2016, the Norwegian and Dutch governments in 2017.

The change from the previous round was important: APT3 (Round 1) is a noisy threat actor, adopting a variety of tools with much less regard to maintaining a low profile. APT29 on the other hand is extremely stealthy, operating with a very low-profile and leveraging heavily on LOLbins and file-less malware.

ReaQta Evaluation Results

The attack unfolded over 2 days in which the attackers gradually moved deeper into the network after obtaining initial access. The vast majority of operations were carried out using powershell, as opposed to custom tools and malware, in order to maintain a low detection profile. The evaluation goal is to show how tested solutions respond to the attack and what kind of visibility is provided along the entire kill-chain.

ReaQta-Hive automated detection coverage compared to the average

Visibility Across the ATT&CK Kill-Chain

As is evident from the summary of the evaluation results above, ReaQta-Hive platform provided complete visibility across the entire kill-chain. ReaQta-Hive detected 90% of the Tactics and Techniques tested, proving its ability to respond and remediate threats at every stage of the attack.

“Since there is also a need to detect and respond to unknown, fileless and advanced persistent threats (including those associated with state sponsored attackers), there must also be an assumption that simply trying to prevent all exploits is unrealistic.”

Gartner, Market Guide for Endpoint Detection and Response Solutions

Right Alerts at Critical Stages

The platform detected and generated alerts right from Execution, Persistence, Privilege Escalation and Defense Evasion stages, enabling the security team to track APT29 and their actions as the attack unfolded. The platform alerts were consistent during the later Kill-chain stages: Lateral Movement, Collection, Exfiltration and Command and Control, showing ReaQta-Hive’s ability to respond and limit damages also in the late stages of a cyber attack.

Actionability is the product of Alert Efficiency and Alert Quality […] efficiency of alerts (not too many) and the quality of the alerts (how well they help you understand the story) are both related and critical to understanding how “actionable” a particular alert is going to be.

Forrester

ReaQta-Hive shows one of the world’s top Actionability rates, even when compared against vendors relying on Manual (MSSP) detections. The chart below uses data extracted by Forrester’s analysts.

Alerts actionability rates
Actionability rates (data includes Manual detections for vendors relying on MSSPs)

The Actionability rate highlights the platform's capability to reduce noise by reducing the amount of alerts generated. The platform captures all tactics and techniques in a few correlated alerts, as opposed to one alert per tactic and technique, which would amount to an unmanageable number of alerts for SOC teams to examine and respond to.

Providing high-fidelity and comprehensive alerts is the criterion that sets a good platform apart from noise generators. With the amount of visibility provided by ReaQta-Hive, it is necessary to filter data, correlate it and generate the smallest number of alerts possible, each containing the largest amount of related information. This is the purpose of our A.I. engines: collect, correlate and summarise the telemetry. Alert Quality is also confirmed by Forrester's analysis in the chart below.

Alerts Quality (data includes Manual detections for vendors relying on MSSPs)

Once again, ReaQta-Hive provides high-quality alerts without human intervention, while both the first and third vendors relied on manual analysis during the evaluation.

The graph below shows how ReaQta-Hive behaves compared to other solutions when manual detections are removed. Each bar represents the amount of incident-related information captured under each generated alert. Our engines have captured the largest amount of information, that translates to a sizeable work-load reduction in real environments.

Percentage of attack coverage provided per alert

To provide an example related to the evaluation, in the image below we can see how an entire stage of the attack has been captured within a single alert. ReaQta-Hive has correlated all the information into an easily comprehensible storyline, thereby providing to a SOC team all the information for timely triage. No human interaction was required and the attack is cleanly explained, and its risk assessed, without requiring any manual activity.

MITRE Evaluation Storyline
ReaQta-Hive correlated Storyline during MITRE evaluation

The ability to provide a unified incident resolution workflow is critical to reduce alert fatigue. It allows analysts to understand and study an active attacker, without being distracted by hundreds of alerts being generated with no direct correlation with the original incident. 

During the entire course of the evaluation, ReaQta-Hive generated just 25 alerts and correctly gathered all the information required to track the attackers within each one of them, instead of creating 158 alerts (one per technique tested), which would have been much harder to handle during a real analysis. ReaQta-Hive's approach reduced alert fatigue by 85% while preserving complete visibility over the entire attack.

ReaQta-Hive is specifically designed to generate the minimal amount of alerts per incident, allowing for a smooth and uninterrupted analysis experience. The ability to maintain everything in a single view helps analysts to respond faster, without requiring jumps to different screen-views, in order to have a complete understanding of the events.

ATT&CK Tactics and Techniques with Complete Visibility

The platform was able to maintain correlation between actions at all stages of the ATT&CK kill-chain. Correlating events automatically reduces the time needed to piece together different actions run by the attackers and ultimately it reduces the response time in case of real attacks.

MITRE Techniques Visibility
List of detected Tactics and Techniques

Taking a closer look at the detection of APT29 tactics and techniques, ReaQta-Hive provided visibility right from the early stages of the kill-chain to the more sophisticated stages, which are often harder to detect. What is noteworthy here is the platform's ability to uniformly detect threats at every stage, thereby providing opportunities for response and remediation at every stage.

ReaQta-Hive showed one of the world's best telemetries. Combined with an impressive A.I. engine capable of condensing information and assessing risk, it will prove a powerful tool in the hands of any SOC or team that wants to spend time threat hunting instead of constantly managing alerts.

Amount of telemetry provided by ReaQta-Hive

The Way Ahead

ReaQta’s AI-powered platform was designed to equip security teams with advanced detection and rapid response capabilities, minimizing human intervention, simplifying the entire cybersecurity process and ensuring business continuity for organisations of all sizes. 

We highly value the feedback that the community gives us and MITRE evaluation was a step forward in this direction. This evaluation has validated ReaQta’s approach to the detection of sophisticated threat actors. ReaQta will continue to participate in independent third party testing in the future.

ReaQta appreciates and applauds the work of MITRE in helping organisations make informed decisions with these evaluations.

Staying Safe while Everyone is Remote

You’re probably reading this from your laptop, likely from home, while connected over WiFi to your corporate VPN and waiting for a remote meeting that’s about to start in 30 minutes. Welcome to the new normal. More than a billion people today are, like you and me, working from home – and chances are that this remote setup is somewhat of a slapdash arrangement, because COVID-19 (or to be more accurate SARS-CoV-2) has turned our lives upside down.

But the pandemic is not just a health threat and an economic threat. While companies struggle to find ways to survive, cyber crime and threat actors are presented with the opportunity of a lifetime amidst the chaos and confusion: high-profile individuals, system administrators and general users are now working outside the corporate firewall, many of them on an unsecured laptop using a network that, in all likelihood, is more family-friendly than enterprise-secure.

New Environment, New Challenges

When intellectual property and sensitive or personal information is handled, the measures adopted within a company’s network can’t easily be translated to a home environment. Attackers will concentrate on this aspect to try and breach hard targets from a different angle. When a network is shared, every user is a viable candidate and for some targets, it will be easier to first attack a family member and then move laterally to the intended victim.

Access to the corporate network and locally stored documents changed completely as countries went into lockdown or quarantine. Access to a resource is designed around a need-to-access paradigm. For example, payroll data might not be designed to be accessed from outside the payroll office. So what happens when the payroll office goes remote? That inaccessible data now has to become accessible from a location that was never expected to be remote. All these issues can be solved, but in times of emergency business continuity becomes a priority, and security inevitably lags behind.

Let’s Start with Ransomware

This is the low-hanging fruit for attackers. There is a convenient access point – remote employees – to the corporate network that can be used to launch highly successful attacks. We have seen the Ryuk and Sodinokibi ransomware gangs exploit corporate networks to launch crippling attacks against large infrastructures. The Maze ransomware gang, known to leak victims’ data when the ransom goes unpaid, allegedly managed to compromise Chubb. Even – perhaps especially – hospitals, now our first and best line of defense against COVID-19, are being heavily targeted by unscrupulous organizations looking to make a profit.

We will see more ransomware – and wiper – cases like this, simply because it’s easier to access the corporate network from unsecured devices. And what about more sophisticated threat actors?

High-Profile Attacks

High-profile attackers are those that will benefit the most from a remote workforce. Security teams now have slower reaction times and different response capabilities. Executives are now working in very different environments. It will become much easier for high-profile attackers to get a foothold within a target infrastructure and to maintain persistence, taking advantage of security teams that are now under (even) more stress than usual, having to maintain a large remote user base. Individuals working for high-profile organizations will be targeted even more in their personal capacity and used as a bridge into the corporate network.

Remediation and eradication activities will also have to adapt: it is now harder than usual to take a laptop, reimage it and give it back to the owner when physical access is not even possible. It’s hard to block unwanted traffic at the network level when users are mostly outside the corporate firewall, and it’s not possible to properly inspect traffic when the company proxy is out of reach. All these elements play a huge role in favour of attackers, reducing the chance of spotting an attack early, missing exfiltration attempts completely and making threat hunting and remediation even harder than usual. So the question becomes: how do we secure a fleet of endpoints that is barely under the company’s control?

Securing the Endpoints

Firewalls and proxies are out of the game, network analysis is limited and critical data is now on a remote device. It’s time to secure the endpoints. It’s reasonable to think that most of the malicious activity will shift to the endpoints in various forms, either via malware taking advantage of our thirst for information about the pandemic or via phishing. Zoom – under the community’s scrutiny for the company’s approach to privacy – is an obvious target, as attackers are already preparing phishing campaigns targeting its user base, but the same goes for other productivity tools such as Slack or Microsoft Teams. If visibility is key to detecting attackers, endpoints are now more than ever where attention should be focused. Working remotely doesn’t have to mean losing visibility and response capabilities. Today platforms like ReaQta-Hive help to save time, reduce the attack surface and maintain complete visibility even with a completely remote workforce.

Threat hunting capabilities remain unaltered when endpoints are monitored, and remote response capabilities enable security teams to stop attacks at the onset. Remediating a compromised endpoint doesn’t require physical access, as it becomes a routine operation that can be carried out anywhere, in real-time, automatically.

A Completely Free BCP Initiative

We understand that companies are under unusual stress, or rather, they’re all facing a situation that has literally no precedent in the modern world, but this doesn’t mean giving way to attackers. Accumulating security debt in favor of remote work is the type of tradeoff that has a terrible return in both the short and the long term.

At ReaQta we have activated a BCP (Business Continuity Plan) to help organizations keep their infrastructures secure at no cost. Our team of volunteers offers business-hours monitoring and response via ReaQta-Hive MDR, entirely for free and with no strings attached.

If you think security is something you can’t compromise on and you have no time to waste, just apply and we’ll be happy to help you: ReaQta BCP has been designed to help you when you need it the most. It’s a difficult time and we are all in it together; if we stick together we’ll make it, and hopefully the old normal will be closer than we expect.

Stay safe.

Attackers are Starting to Exploit Vulnerable Drivers – Are Defenders Ready?

When we think about cyber attacks our minds go to ransomware, capable of holding data hostage, or to malware used to exfiltrate data, and this makes sense in many scenarios. But what if an entirely legitimate kernel driver with a valid digital signature, embedded deep in the system, is abused to launch an attack? This is exactly what happened with RobbinHood, a living-off-the-land attack, which considerably lowers the detection profile of an attacker. RobbinHood was discussed by ReaQta CEO Alberto Pelliccione in his recent LinkedIn post – he pointed out that, in the hands of a sophisticated threat actor, this is a very useful weapon: legit and ready to be used.

He explains: “Normally ransomware such as Ryuk or Sodinokibi are plain applications doing some dirty work; RobbinHood instead does its deed from a driver, deep into the system. To use such a driver one needs a specific Digital Certificate with a high level of verification, which normally criminals don’t try to obtain, because they can reuse an existing driver. Bugs are everywhere and drivers are no exception: a bugged driver can allow a malicious party to run code at the highest possible level on an endpoint. This is what RobbinHood does: it uses a bug, in a legitimate driver, to load a malicious (unsigned) driver and wreak havoc. To make matters worse: there are a LOT of legitimate bugged drivers that can be used for this purpose! RobbinHood uses one to avoid anti-ransomware solutions, and it works quite well; normally ransomware analysis is not done on kernel operations (mostly for performance reasons). A good practice is, when possible, to block all known bugged drivers, as many are widely reported and still valid. As usual, below is how RobbinHood’s behaviour looks, hopefully the only place where you’ll see it active.”


RobbinHood Analysis

Team ReaQta ran an analysis to find out how common such vulnerable drivers are within the enterprise. Below, ReaQta-Hive shows a support utility from HP that comes by default with certain laptops. The application installs a driver called “activehealth.sys”. ReaQta cloud analysis reports it as safe (because it is), but this driver, signed with a high-level certificate, is actually vulnerable and can be abused to run code with high privileges on a machine. From the point of view of an attacker this is an advantage: there is no need to carry the driver – unlike what RobbinHood does – as it’s already there, and companies cannot just revoke their certificates, as the impact on the user base can be severe. Thus an attacker finds themselves with a convenient way to run dangerous code just by reusing what already exists on a computer. This living-off-the-land technique works extremely well for the attacker as it lowers their detection profile – a powerful tool in the hands of a sophisticated threat actor. We can expect to find interesting cases in the near future with more than “just” a ransomware.


Ave_Maria Malware: there's more than meets the eye

Introduction

AVE_MARIA, a malware used in phishing campaigns and so far identified only as an info-stealer, appears to be more complex and insidious, offering a wide range of capabilities, from privilege escalation to camera exfiltration, RDP connections, email extraction and more. For the past few months we have been monitoring various phishing campaigns delivering AVE_MARIA, and we are now able to prove that AVE_MARIA is in fact a complete and multi-purpose malware.

Hunting Fileless Malware: Invisible but not Undetected

Fileless malware attacks are a growing concern in cyber-security with an interesting history that dates back to 2001. After remaining almost silent for several years, this type of threat began to gain fresh traction in 2014 with new concepts introduced at a fast pace. Today such attacks are so common that new strategies had to be developed to identify and contain them.

Silence group targeting Russian Banks via Malicious CHM

In November 2018 we followed up on a tweet mentioning potentially malicious code disseminated in CHM (Microsoft Compiled HTML Help). A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that, among other things, shows that the attack campaign was targeting employees of financial entities, specifically in the Russian Federation and the Republic of Belarus. We conclude that the actor behind the attack is the Silence group, a relatively new threat actor that has been operating since mid-2016.