A Broad View of the Ecosystem ofSocially Engineered Exploit Documents

StevensLeBlond,CédricGilbert,UtkarshUpadhyay,ManuelGomezRodriguezandDavidChoffnes

Challenges with measuring targeted attacks

• Low-volume,sociallyengineeredmessagesthatconvincespecificvictimstoinstallmalware

2

Challenges with measuring targeted attacks

• Low-volume,sociallyengineeredmessagesthatconvincespecificvictimstoinstallmalware• ThreestudiespublishedatUsenixSecurity’14• Tibet(Hardyetal.),MiddleEast(Marczaketal.),andUyghur(LeBlondetal.)

2

Challenges with measuring targeted attacks

• Low-volume,sociallyengineeredmessagesthatconvincespecificvictimstoinstallmalware• ThreestudiespublishedatUsenixSecurity’14• Tibet(Hardyetal.),MiddleEast(Marczaketal.),andUyghur(LeBlondetal.)

2

Challenges with measuring targeted attacks

• Low-volume,sociallyengineeredmessagesthatconvincespecificvictimstoinstallmalware• ThreestudiespublishedatUsenixSecurity’14• Tibet(Hardyetal.),MiddleEast(Marczaketal.),andUyghur(LeBlondetal.)

?

2

Challenges with measuring targeted attacks

• Low-volume,sociallyengineeredmessagesthatconvincespecificvictimstoinstallmalware• ThreestudiespublishedatUsenixSecurity’14• Tibet(Hardyetal.),MiddleEast(Marczaketal.),andUyghur(LeBlondetal.)

Measuringtargetedattacksisalonganddifficultprocess

?

2

Can Anti-Virus Aggregators (VirusTotal) help?

3

Can Anti-Virus Aggregators (VirusTotal) help?

3

Can Anti-Virus Aggregators (VirusTotal) help?

3

Can Anti-Virus Aggregators (VirusTotal) help?

3

VirusTotal Statistics (one week)

4

VirusTotal Statistics (one week)

4

VirusTotal Statistics (one week)

4

VirusTotal Statistics (one week)

4

VirusTotal Statistics (one week)

4

VirusTotal Statistics (one week)

4

VirusTotal as a vantage point to measure targeted attacks

5

VirusTotal as a vantage point to measure targeted attacks

5

VirusTotal as a vantage point to measure targeted attacks

5

VirusTotal as a vantage point to measure targeted attacks

5

Research questions

• DotargetedgroupsuploadexploitdocumentstoVirusTotal?

• Canwescaleouranalysistohundredsofthousandsofsamples?

• Howdoattacksfacedbydifferentgroupscomparewitheachother?

• IsVirusTotalusedbyotheractorssuchasattackersandresearchers?

6

Outline

1) Methodology2) Analysisofexploitdocuments3) Futurework

7

Exploit document infection process

Exploit Decoy Malware

8

Exploit document infection process

Exploit Decoy Malware

8

Exploit document infection process

Exploit Decoy Malware

8

Exploit document infection process

Exploit Decoy Malware

8

Data acquisition and processing workflow

9

Data acquisition and processing workflow

9

Can we scale our analysis to hundreds of thousands of samples? Acquisition

257,635

10

Can we scale our analysis to hundreds of thousands of samples? Acquisition

257,635

10

Can we scale our analysis to hundreds of thousands of samples? Acquisition

257,635 143

10

Data acquisition and processing workflow

11

Can we scale our analysis to hundreds of thousands of samples? Detection

257,635 143

12

Can we scale our analysis to hundreds of thousands of samples? Detection

Officew/EMET Acrobatw/EMET

257,635 143

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0

12

Can we scale our analysis to hundreds of thousands of samples? Detection

Officew/EMET Acrobatw/EMET

257,635 143

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0

12

Can we scale our analysis to hundreds of thousands of samples? Detection

Officew/EMET Acrobatw/EMET

257,635 143

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0

-219,79437,841

-29114

12

How many versions ofreaders do we have to test?

#affectedversions

CDF

13

How many versions ofreaders do we have to test?

Fewexploitsareportableacrossallreaderversions

#affectedversions

CDF

13

Data acquisition and processing workflow

14

Can we scale our analysis to hundreds of thousands of samples? Extraction

Officew/EMET Acrobatw/EMET

257,635 143

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0

-219,79437,841

-29114

15

Can we scale our analysis to hundreds of thousands of samples? Extraction

Acrobatw/driver0.01.02.03.04.05.0

Officew/EMET Acrobatw/EMET

257,635 143

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0Officew/driver200320072010

VIIIIXXXI

SP0SP1SP2SP3

-219,79437,841

-29114

15

Can we scale our analysis to hundreds of thousands of samples? Extraction

Acrobatw/driver0.01.02.03.04.05.0

Officew/EMET Acrobatw/EMET

257,635 143

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0Officew/driver200320072010

VIIIIXXXI

SP0SP1SP2SP3

-219,79437,841

-29114

15

Can we scale our analysis to hundreds of thousands of samples? Extraction

Acrobatw/driver0.01.02.03.04.05.0

Officew/EMET Acrobatw/EMET

257,635 143

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0Officew/driver200320072010

VIIIIXXXI

SP0SP1SP2SP3

-219,79437,841

-29114

-34,0263,815

-11103

15

Data acquisition and processing workflow

16

Can we scale our analysis to hundreds of thousands of samples? Analysis

-29114

-11103

Acrobatw/driver0.01.02.03.04.05.0

Officew/EMET Acrobatw/EMET

257,635

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0Officew/driver200320072010

VIIIIXXXI

SP0SP1SP2SP3

-219,79437,841

-34,0263,815

143

17

Can we scale our analysis to hundreds of thousands of samples? Analysis

Acrobatw/driver0.01.02.03.04.05.0

Officew/EMET Acrobatw/EMET

257,635

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0Officew/driver200320072010

VIIIIXXXI

SP0SP1SP2SP3

-219,79437,841

-34,0263,815

17

Can we scale our analysis to hundreds of thousands of samples? Analysis

Acrobatw/driver0.01.02.03.04.05.0

Officew/EMET Acrobatw/EMET

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0Officew/driver200320072010

VIIIIXXXI

SP0SP1SP2SP3

-219,79437,841

-34,0263,815

TranslatorsMalwaresandboxes

17

Can we scale our analysis to hundreds of thousands of samples? Analysis

Acrobatw/driver0.01.02.03.04.05.0

Officew/EMET Acrobatw/EMET

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0Officew/driver200320072010

VIIIIXXXI

SP0SP1SP2SP3

-219,79437,841

-34,0263,815

TranslatorsMalwaresandboxes

17

Can we scale our analysis to hundreds of thousands of samples? Analysis

Acrobatw/driver0.01.02.03.04.05.0

Officew/EMET Acrobatw/EMET

200320072010

VIIIIXXXI

SP0SP1SP2SP3 0.01.02.03.04.05.0Officew/driver200320072010

VIIIIXXXI

SP0SP1SP2SP3

-219,79437,841

-34,0263,815

TranslatorsMalwaresandboxes

2,447 3,705

17

Outline

1) Methodology2) Analysisofexploitdocuments3) Futurework

18

Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys)

19

Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys)

19

Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys)

19

Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys)

VirusTotalgivesvisibilityintoattackstargetingnumerousgroups 19

How attacks faced by different groups compare with each other? Languages of decoys

Fractio

n

20

How attacks faced by different groups compare with each other? Languages of decoys

Fractio

n

20

How attacks faced by different groups compare with each other? Languages of decoys

Fractio

n

20

How attacks faced by different groups compare with each other? Languages of decoys

Fractio

n

20

How attacks faced by different groups compare with each other? Languages of decoys

Decoystendtousetheofficiallanguageofthegroupstheytarget

Fractio

n

20

How attacks faced by different groups compare with each other? Malware targeting

21

How attacks faced by different groups compare with each other? Malware targeting

21

How attacks faced by different groups compare with each other? Malware targeting

21

How attacks faced by different groups compare with each other? Malware targeting

21

How attacks faced by different groups compare with each other? Malware targeting

Fromourdataset,malwarefamiliestendtotargetoneortwocountries 21

Targeted regions

• Chineseinfluence:Tibet,Uyghur,Taiwan

• AsiaPacific:Myanmar,thePhilippines,Thailand,andVietnam

• AsiaPacific,G20:India,Indonesia,Japan,andSouthKorea

• RussiaandUSA

How do attacks faced by different groups compare with each other? Malware targeting (cont.)

Fractio

n

23

How do attacks faced by different groups compare with each other? Malware targeting (cont.)

Fractio

n

23

How do attacks faced by different groups compare with each other? Malware targeting (cont.)

Fractio

n

23

How do attacks faced by different groups compare with each other? Malware targeting (cont.)

Fractio

n

23

How do attacks faced by different groups compare with each other? Malware targeting (cont.)

Malwarefoundinmultiplecountriestendtotargetaconfinedregion

Fractio

n

23

Outline

1) Methodology2) Analysisofexploitdocuments3) Futurework

24

Future work

•Monitoringoperatorbehavioroftargetedmalware

•Analysisofevasionstechniques,attackersoperations,andotherattackvectors

•Deployon-premisesandcloud-basedservicesforanalysisofemailattachments

25

Take home messages

• Complementarymethodologytomeasuretargetedattacksatscale

• At-riskgroupsuploadexploitdocumentstoVirusTotal

• Groupstendtobetargetedwithtailoreddecoysandmalwarefamilies

• Preliminaryimpact• Servicedeployedatemailproviderwith100,000+users• Datasetandacademicserviceavailableathttps://slingshot.dedis.ch

26

Frequently Asked Questions

stevens.leblond@epfl.ch

• WhataretheobservationalbiasesofusingVirusTotal?

• Whatarethecommontypesofmaliciousdocumentsthatyoufilteredout?

• Whydidyoufocusonexploitdocuments?

• Whatprecautionsdidyoutaketoreducefalsenegatives?

• Didyoufindindicationsofsuccessfulcompromises?

27

What are the observational biases of using VirusTotal?

• Coverageoftargetedattacksislimitedtothoseusersandorganizationswhouploadsuspiciousfiles

• VirusTotal’svisibilityislikelyskewedtowardsuserswhoworkwithnon-classifiedmaterial

• VirusTotaldatasetoffersapartialcoverageofattackswhereindividualsandNGOsarelikelyover-represented

What are the most common malicious documents that you filtered out?

Why did you focus on exploit documents?

• Exploitdocumentsarethemostcommonvectoroftargetedattacksidentifiedbyrelatedwork

•Macrosrequireadditionaluserapprovalandcanbeforciblydisabledbysystemadministrators

• UsedagainstarangeoftargetsincludingNGOs,newsagencies,andmilitary,governmentalandintelligenceagencies

What precautions did you take to reduce false negatives?

• ReducingdetectionFNs• CrossvalidatedEMETdetectionresultswithgroundtruthfromtheWUCdataset• 29/143WUCdocumentswerenotdetectedbyEMET,noneofthemFNs(16MacOSX,9wrongreaderversion,2password,and2withoutexploit)

• ReducingextractionFNs• ManuallyinspectedEMETdetectionsthatdidn’twritefilestodisk• 29/4,259documentsdetectedbyEMETdidnotwriteanyfilestodisk,noneofthemFNs(6crashes,4experimental,and19dysfunctional)

• Noneofouranalysesdependsonthelackofevasiontechniquesinthemalwareembeddedinexploitdocuments

Did you find indication of successful compromises?

• Codeddecoysbasedontheirlanguages,thecountriestheyreferto,ethnicgroupsanddates,andwhethertheytargetedspecificindividualsororganizations

• NativespeakersindependentlycodedthedocumentswritteninRussian,TraditionalChinese,Uyghur,andVietnamese

• Identifieddocumentslikelyexfiltratedfromcompromisedsystemsandusedasdecoysinexploitdocumentstargetingnew,relatedvictims

Did you find indication of successful compromises (cont.)?

Fractio

n

Did you find indication of successful compromises (cont.)?

Mostgroupsweretargetedwithreplayeddecoys

Fractio

n

Did you find evidence of zero-day vulnerabilities?

• WecollaboratedwithalargeAVvendortodeterminetheCVEtagsoftheexploitedreadervulnerabilities

• ThevendorscannedalltheexploitdocumentsthatwedetectedandcomparedtheresultingCVEwiththemajorityofVirusTotaltags• IfthetwoCVEsmatched,nofurtheractionwastaken• Otherwise,thesamplewasanalyzedmanually

• SamplesforwhichtheCVEreleasedatewasafterthedateofuploadonVirusTotalwereexaminedmanuallytodeterminetheCVE’scorrectness

• Basedonthismethodology,wedidn’tfindevidenceofzero-dayvulnerabilities

Can you estimate the dates of the decoys?

• Wecodeddecoysaccordingtotheirlanguages,thecountriestheyreferto,ethnicgroupsanddates,andwhethertheytargetedspecificindividualsororganizations

• NativespeakersindependentlycodedthedocumentswritteninRussian,TraditionalChinese,Uyghur,andVietnamese

Can you estimate the dates of the decoys (cont.)?

Fractio

n

Can you estimate the dates of the decoys (cont.)?

Allgroupsexhibiteddecoysreferringtoaleastoneyearin2013-2015

Fractio

n