Booz Allen’s Dark Labs Advanced Threat Hunt team has developed an advanced technique to discover and block new variants of malware that poses a threat to organizations worldwide.
Using an open source indicator of compromise (IOC), the research team was able to identify three additional variants of malware associated with APT34, a group thought to be involved in nation-state cyber-espionage, according to a technical brief from Booz Allen.
The report describes how the team used a combination of open-source reporting and “acquired sources of threat intelligence,” then combined this information with its own tools to perform deep analysis on known APT34 behaviors.
“The life cycle of an openly reported IOC does not end when an operator deploys the indicator to a sensor, or a threat hunter checks their security information and event manager (SIEM),” said the report’s authors, Chad Gray and Will Farrell. “Merging the IOC with internal or external raw sources of cyberthreat intelligence reveals additional IOCs and malware variants.”
The Dark Labs team turned its attention on malware attributed to APT34. The alleged cyber-espionage group is believed to have been operational since at least 2014, according to a report issued by FireEye. APT34 has been known to use BONDUPTATER (used to download software) and POWRUNER (used as a backdoor to exploit software vulnerabilities).
The team discovered the additional malicious binaries, or file compilations, by using a tool that extracts a binary’s metadata, such as a creation date or filename. If matches are found, an analyst can This type of comparative analysis highlights the common functions used by the developer and where any changes to defeat detection may have been implemented.
By using known indicators, analysts discovered additional unreported IOCs that can be used for further malware detection, the report says.
The Booz Allen Dark Labs Advanced Threat Hunt team recently issued a report identifying a unique form of adware that evades traditional forms of cyber defenses, common among nation-state actors; and a related report explaining how to find advanced persistent adware.
Read the complete report describing how the Dark Labs team went about identifying the adware variants.
This article was produced by CyberScoop and sponsored by Booz Allen Hamilton.