Abstract
Many APT groups are best known for their professionally developed malware. Sure enough, backdoors and trojans play a central role in attacks. But they also contain a wealth of information that is useful for attribution. Therefore, this chapter looks at how malware is developed and employed, and how analysts find clues about the perpetrators. The first section discusses the attackers’ perspective in terms of their working environments and the trade-offs they have to make. Which type of malware do attackers need for what purposes, and how can they acquire it? What is the advantage of investing the effort to develop their own framework when they could also use publicly available tools? The other sections of the chapter cover the work of the analysts. Their data sources are explained and discussed, such as public databases like VirusTotal, telemetry data, and on-site incident response. How does the source of malware samples affect or limit attribution? What kind of evidence comes from the development environment and from functional aspects? How are language resources, timestamps, debug information, crypto implementations, and code similarities used for attribution? Throughout the chapter it becomes clear that information from malware is essential in all phases of attribution—from clustering to country attribution and attribution to organizations and persons.
© 2020 Springer-Verlag GmbH Germany, part of Springer Nature
About this chapter
Steffens, T. (2020). Analysis of Malware. In: Attribution of Advanced Persistent Threats. Springer Vieweg, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-61313-9_3
DOI: https://doi.org/10.1007/978-3-662-61313-9_3
Publisher Name: Springer Vieweg, Berlin, Heidelberg
Print ISBN: 978-3-662-61312-2
Online ISBN: 978-3-662-61313-9