Simple Advanced Persistent Threat Emulation with BreakingPoint Attack Campaigns-Part 2

As introduced in a previous blog (https://www.ixiacom.com/company/blog/simple-advanced-persistent-threat-emulation-breakingpoint-attack-campaigns), BreakingPoint users now have access to Attack Campaigns, a new type of content that simulates highly active advanced persistent threats (APTs). In this blog, we will dig into the technical details of the first released attack campaigns: how they work, which phases of the kill chain they implement, and other aspects of interest.

The first attack campaigns were released with Strikepack ATI-2020-06 (here are the release notes and the Strikepack direct download), which includes two attack campaign scenarios:

The Andariel group is a sub-group of the Lazarus group, most well-known for targeting South Korean interests.

To find the currently released Andariel attack campaigns, navigate to Managers -> Strike Lists and in the search box type “Andariel”:

[Screenshot: Strike Lists search for “Andariel”]

The Andariel 2017 attack campaign simulates an internally-initiated malware compromise of a host, implementing part of an attack pattern described by AhnLab.

Note: While the traffic may look like SSL and is sent to port 443, it is not valid SSL traffic.

[Screenshot: Andariel 2017 attack campaign]

The Andariel 2019 attack campaign simulates two possible infection procedures following an externally-initiated attack against a WebLogic Server (as described in this Kaspersky Security Bulletin). In each of the attack scenarios, a web-server exploit is followed by the installation of a shellcode loader, after which a backdoor module is downloaded. Each of the downloaded files is followed by command-and-control (C&C) traffic.

At this point the scenarios diverge, with each scenario simulating an alternate ending.

Following either of the downloads, C&C messages are sent from the ‘infected’ server back to the malware host.

Note: In the first scenario, after downloading ‘Proto Downloader’, the C&C message sent back to the server is an HTTP POST, with the payload being a Base64-encoded string containing host information.

[Screenshot: HTTP POST C&C message with Base64-encoded payload]

After Base64 decode, the content looks like the following:

[Screenshot: Base64-decoded content]

Note: In the second scenario, after downloading ‘Rifdoor’, traffic from port 443 can be observed, but it is not valid SSL traffic, as described for the Andariel 2017 attack campaign.
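Both observable behaviours described above, non-SSL traffic on port 443 (Andariel 2017 and the Rifdoor ending of Andariel 2019) and the Base64-encoded HTTP POST C&C message (the Proto Downloader ending), can be turned into simple detection checks. The following is an added example, not code from Ixia or the blog; the function names and the sample payloads are constructed for illustration, and the host-information format is hypothetical.

```python
import base64
import re

# Detection heuristics for the two behaviours in the campaigns above:
# (1) a session to TCP/443 whose first client bytes are not a TLS ClientHello,
# (2) an HTTP POST whose entire body is a Base64 string (C&C beacon).
# All sample inputs below are constructed, not captures from the campaigns.

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start with a plausible TLS handshake record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    rec_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (content_type == 0x16                  # TLS record type: handshake
            and major == 0x03 and minor <= 0x04   # SSL 3.0 .. TLS 1.3 record versions
            and 0 < rec_len <= 16384              # max TLS record length
            and handshake_type == 0x01)           # handshake type: ClientHello

def flag_non_tls_on_443(dst_port: int, payload: bytes) -> bool:
    """Alert condition: client data to port 443 that does not begin with a ClientHello."""
    return dst_port == 443 and not looks_like_tls_client_hello(payload)

_B64_BODY = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def decode_base64_post_body(http_request: bytes):
    """If the request is a POST whose whole body is Base64, return the decoded bytes, else None."""
    if not http_request.startswith(b"POST "):
        return None
    _head, sep, body = http_request.partition(b"\r\n\r\n")
    body = body.strip()
    if not sep or not body or not _B64_BODY.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:
        return None

# Constructed samples.
FAKE_443_PAYLOAD = b"HELLO-FROM-IMPLANT\x00\x01\x02"   # plain bytes sent to 443, not a TLS record
REAL_TLS_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0xC0, 0x01]) + b"\x00" * 0xBF
HOST_INFO = b"hostname=WORKSTATION-01;os=Windows;user=test"   # hypothetical host information
POST_SAMPLE = (b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               + base64.b64encode(HOST_INFO))

if __name__ == "__main__":
    print("non-TLS on 443:", flag_non_tls_on_443(443, FAKE_443_PAYLOAD))
    print("decoded C&C body:", decode_base64_post_body(POST_SAMPLE))
```

The same two functions can be run over the first client payload of each 443 session and over each HTTP POST in a BreakingPoint capture to confirm that a security control under test sees what the campaign sends.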

We hope that the dissection of these first attack campaigns is useful. We will continue to add more blogs that dissect upcoming attack campaigns as we release them.

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

Ixia's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.
