
Simple Advanced Persistent Threat Emulation with BreakingPoint Attack Campaigns-Part 2

April 9, 2020 by ATI Blog Team

As introduced in a previous blog, BreakingPoint users now have access to Attack Campaigns — a new type of content to simulate highly active advanced persistent threats (APTs). In this blog, we will dig into the technical details of the first released attack campaigns, how they work, the individual phases of the kill chain that are implemented, and other aspects of interest.

The first attack campaigns were released with Strikepack ATI-2020-06 (here are the release notes and the Strikepack direct download), which includes two attack campaign scenarios:

  • Andariel 2017
  • Andariel 2019

The Andariel group is a sub-group of the Lazarus group and is best known for targeting South Korean interests.

To find the currently released Andariel attack campaigns, navigate to Managers -> Strike Lists and in the search box type “Andariel”:

[Figure 1]

The Andariel 2017 attack campaign simulates an internally-initiated malware compromise of a host, implementing part of an attack pattern described by Ahnlab in this report.

  • The first strike, M20-An3401, simulates the download of the Rifdoor malware; the transport protocol is HTTP (as if a user had clicked on a phishing link)
  • The following strike, B20-An47a1, simulates a ‘successful’ installation of the malware by sending an encoded response back to the server

Note: While the traffic may look like SSL and is sent to port 443, it is not valid SSL traffic.

[Figure 2]

The Andariel 2019 attack campaign simulates two possible infection procedures following an externally-initiated attack against a WebLogic Server (as described in this Kaspersky Security Bulletin). In each of the attack scenarios, a web-server exploit is followed by the installation of a shellcode loader, after which a backdoor module is downloaded. Each of the downloaded files is followed by command-and-control (C&C) traffic.

  • The first strike, E17-3cn31, simulates an attack against a vulnerable WebLogic server in which a serialized exploit is used to achieve remote code execution
  • The next strike, M20-An1371, simulates the download of the ApolloZeus shellcode loader by the ‘exploited’ server
  • Strike B20-An5d31 simulates the encoded exchange that follows the installation

At this point the scenarios diverge, with each scenario simulating an alternate ending:

  • In the first scenario, strike M20-An16c1 simulates the server downloading ‘Proto Downloader’, digitally signed with a stolen certificate
  • In the second scenario, strike M20-An744 simulates the server downloading ‘Rifdoor’, again digitally signed with a stolen certificate

Following either of the downloads, C&C messages are sent from the ‘infected’ server back to the malware host.

Note: In the first scenario, after downloading ‘Proto Downloader’, the C&C message sent back to the server is an HTTP POST whose payload is a Base64-encoded string containing host information.

[Figure 3]

After Base64 decode, the content looks like the following:

[Figure 4]

Note: In the second scenario, after downloading ‘Rifdoor’, traffic on port 443 can be observed, but, as described for the Andariel 2017 attack campaign, it is not valid SSL traffic.
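As an added example (not part of the original post or of the BreakingPoint content), here are the two checks a defender would derive from the notes above, in Python: flag port-443 flows whose first client bytes are not a well-formed TLS ClientHello, and decode an HTTP POST whose body is a single Base64 string. The sample flows, the request, and the host-information string are constructed for this example.

```python
import base64
import binascii
import re

# Constructed samples: a well-formed TLS ClientHello record (handshake body of
# 38 bytes) and a look-alike that reuses the TLS record header but does not
# carry a ClientHello. Neither is taken from BreakingPoint.
REAL_TLS_CLIENT = bytes.fromhex("160301002a01000026") + b"\x03\x03" + bytes(36)
FAKE_SSL_CLIENT = bytes.fromhex("16030100080500000400000000")  # handshake type 0x05
SAMPLE_FLOWS = {  # name -> (destination port, first bytes sent by the client)
    "browser_to_443": (443, REAL_TLS_CLIENT),
    "rifdoor_c2_443": (443, FAKE_SSL_CLIENT),
    "plain_http_80": (80, b"GET / HTTP/1.1\r\n"),
}

def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True only if the data is one TLS handshake record holding a ClientHello."""
    if len(first_bytes) < 9:
        return False
    ctype, vmaj, vmin = first_bytes[0], first_bytes[1], first_bytes[2]
    rec_len = int.from_bytes(first_bytes[3:5], "big")
    if ctype != 0x16 or vmaj != 0x03 or vmin > 0x03:
        return False
    if rec_len != len(first_bytes) - 5:  # record length must match what was sent
        return False
    hs_type = first_bytes[5]
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    return hs_type == 0x01 and hs_len == rec_len - 4

def flag_non_tls_on_443(flows) -> list:
    """Names of port-443 flows that did not open with a valid ClientHello."""
    return [name for name, (port, data) in flows.items()
            if port == 443 and not looks_like_tls_client_hello(data)]

B64_BODY = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def decode_base64_post(raw_request: bytes):
    """Decoded text of a POST whose whole body is Base64 ASCII, else None."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST ") or not B64_BODY.match(body):
        return None
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

# Constructed C&C-style beacon: host information, Base64-encoded in a POST body.
HOST_INFO = b"hostname=WEB-SRV01;os=Windows Server 2012;user=Administrator"
SAMPLE_POST = (b"POST /index.php HTTP/1.1\r\nHost: 198.51.100.7\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               + base64.b64encode(HOST_INFO))
```

Running `flag_non_tls_on_443(SAMPLE_FLOWS)` reports only the look-alike flow, and `decode_base64_post(SAMPLE_POST)` returns the constructed host string.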

We hope that the dissection of these first attack campaigns is useful. We will continue to add blogs that dissect upcoming attack campaigns as we release them.

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

Ixia's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. BreakingPoint customers now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.