Why Cyber-Criminals Are Always One Step Ahead

By Karen A. Frenkel  |  Posted 04-01-2016
Cyber-criminals have an uncanny ability to stay under the radar for long periods of time, making the difficult business of cyber-protection even more difficult. Cyber-security is an ever-evolving undertaking, and the need for enterprises to reassess their security tools is constant. Recent case studies on cyber-security conducted by network security monitoring firm Damballa cast a light on the nefarious lives of cyber-thieves. The study, "Q1 2016 State of Infections Report," reveals just how easy it is to purchase or rent havoc-causing malware. "It's no small feat to keep up with how cyber-criminals operate. Attackers have an incredibly vibrant underground community where they can buy or rent anything from command-and-control infrastructure to sophisticated exploit kits to bare metal malware," said Steven Newman, CTO of Damballa. "While this report highlights several themes that our Threat Discovery Center has followed over the past several months, one common factor is that you never know what to expect from threat actors." The findings result from an eight-month study of Pony Loader malware and the measures cyber-criminals took to evade detection. Leave-no-trace malware, like Destover, can be wiped, which helps attackers stay under the radar for months. The report also found that the path of least resistance makes "dumb" malware, like MegalodonHTTP, appealing to criminals. Highlights of the findings regarding Pony Loader are below.

Why Cyber-Criminals Are Always One Step Ahead

Leave-no-trace malware is one way cyber-criminals are able to avoid exposure and remain undetected on company networks for months at a time.

The Transient Nature of Criminal Infrastructure

How Pony Loader works: Pony Loader infects a device. The dropper installs and runs. The malware calls the command-and-control server and the downloader site and receives encrypted binaries. Other malware, such as Dyre, Vawtrak and Nymaim, is then downloaded and infects the host device.

Few IPs Per Provider

Criminals use only a few IPs per provider to reduce their chances of being caught. During two years of tracking, criminals used 281 domains and 120 IPs spread across 100 different ISPs. Domains per month in 2015 started in May at 21 and peaked in July at 45.

Establishing Infrastructure and Process

The number of IPs decreased in July and August, but the number of domains increased significantly compared with the previous months: there were 45 domains in July and 39 in August.

Domains Per IP Ratio

Domains were divided over 12 IPs in July and over six IPs in August, for a ratio of 6.5 domains per IP in August, twice as many as in July.

Why the Inverse Relationship?

Time of year may be a factor. Europeans take summer vacations in July and August, so there are fewer resources available to maintain the infrastructure. The crew may have been heavily using the few ISPs they had while awaiting the return of their cohorts.

Momentum Regained

In September, Pony Loader regained momentum. Criminals used 45 domains over 16 IPs, for a ratio of 2.81 domains per IP.

High Numbers Retained

October also had high numbers: 45 domains divided over 26 IPs, for a ratio of 1.73 domains per IP. The number of IPs was less than twice the number of ISPs.

Slowdown Through the Holidays

In November, the ratio was 2.29 domains per IP. In December the ratio was 2.7. Again, this can be attributed to vacation time.

Malware Metamorphoses

The criminals behind Pony Loader change their malware. In May it was configured to download the banking trojan Dyre. In September it downloaded Vawtrak, another banking trojan, which was replaced in December with Nymaim, a form of ransomware. Then it flipped back to Vawtrak.

Pony Loader Group Well-Organized

The criminal group behind Pony Loader regularly creates several new domains, establishing new infrastructure and thereby ensuring that most security products cannot detect their new malware.

Bulletproof Hosters

This group uses bulletproof hosters, or providers in non-cooperative countries, and lets them remain online long enough to switch to different providers, thereby remaining stealthy.

Bottom Line

Prevention tools that rely on blacklists and other known indicators will never find these types of attacks. Security teams should look for active command-and-control communications that originate from inside the network and block outbound attempts.
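The report's two recurring observations, many domains packed onto few IPs and command-and-control traffic that has to originate from inside the network, translate directly into checks a security team can run on its own logs. The script below is an added example written for this page; it is not code from Damballa or from the report. It parses constructed firewall connection lines in a made-up "timestamp src -> dst:port" layout, flags internal hosts that contact one external address at near-regular intervals (the polling pattern a downloader produces while waiting for its next payload, detected without any blacklist), and separately counts how many distinct domains resolve to one external IP from constructed passive-DNS records. The log format, IP addresses (documentation ranges), domain names and thresholds are all assumptions chosen for the example.

```python
"""Blacklist-free hunting for C2-style outbound traffic (added example).

Two checks on constructed data:
  1. find_beacons: internal -> external connection pairs with regular timing.
  2. crowded_ips: external IPs that many distinct domains resolve to, the
     "domains per IP" concentration the report describes.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall lines (hypothetical format): "YYYY-MM-DD HH:MM:SS src -> dst:port".
# 10.0.0.15 polls 203.0.113.7 every ~5 minutes; 10.0.0.22 browses irregularly;
# 10.0.0.15 -> 10.0.0.5 is internal file-share traffic that must be ignored.
SAMPLE_LOG = """
2016-03-01 09:00:00 10.0.0.15 -> 203.0.113.7:443
2016-03-01 09:05:02 10.0.0.15 -> 203.0.113.7:443
2016-03-01 09:09:58 10.0.0.15 -> 203.0.113.7:443
2016-03-01 09:15:01 10.0.0.15 -> 203.0.113.7:443
2016-03-01 09:19:59 10.0.0.15 -> 203.0.113.7:443
2016-03-01 09:00:10 10.0.0.22 -> 198.51.100.40:443
2016-03-01 09:00:45 10.0.0.22 -> 198.51.100.40:443
2016-03-01 09:07:30 10.0.0.22 -> 198.51.100.40:443
2016-03-01 09:21:05 10.0.0.22 -> 198.51.100.40:443
2016-03-01 09:22:11 10.0.0.22 -> 198.51.100.40:443
2016-03-01 09:03:00 10.0.0.15 -> 10.0.0.5:445
2016-03-01 09:08:00 10.0.0.15 -> 10.0.0.5:445
2016-03-01 09:13:00 10.0.0.15 -> 10.0.0.5:445
2016-03-01 09:18:00 10.0.0.15 -> 10.0.0.5:445
"""

# Constructed passive-DNS records (domain, resolved IP); names are placeholders.
SAMPLE_DNS = [
    ("update-check.example", "203.0.113.7"),
    ("cdn-static.example", "203.0.113.7"),
    ("mail-relay.example", "203.0.113.7"),
    ("news.example", "198.51.100.40"),
]

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+)$")

# RFC 1918 only. Python's ip_address(...).is_private also returns True for the
# 198.51.100.0/24 and 203.0.113.0/24 documentation ranges used above, so an
# explicit list avoids misclassifying the sample's "external" hosts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when ip falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_log(text: str):
    """Parse lines into (timestamp, src, dst, port); skip anything malformed."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def find_beacons(events, min_connections: int = 4, max_cv: float = 0.2):
    """Flag internal->external pairs whose inter-connection gaps are regular.

    Regularity is measured as the coefficient of variation (stddev / mean) of
    the gaps; human browsing is bursty (high CV), a polling loop is not.
    Thresholds are illustrative assumptions, not values from the report.
    """
    groups = defaultdict(list)
    for ts, src, dst, port in events:
        if is_internal(src) and not is_internal(dst):
            groups[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(times), "interval_s": round(mean),
                             "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


def crowded_ips(records, min_domains: int = 3):
    """Map external IPs to the sorted distinct domains resolving to them,
    keeping only IPs that host at least min_domains domains."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        if not is_internal(ip):
            by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {f['src']} -> {f['dst']}:{f['port']} "
              f"x{f['count']} every ~{f['interval_s']}s (cv={f['cv']})")
    for ip, doms in crowded_ips(SAMPLE_DNS).items():
        print(f"{ip} hosts {len(doms)} domains: {', '.join(doms)}")
```

On the constructed input only the 10.0.0.15 to 203.0.113.7 pair survives the regularity test, and the same external IP shows up again as the one carrying three distinct domains; in practice the two findings would be joined to prioritise which outbound destination to block first. Real deployments tune `min_connections` and `max_cv` against a baseline of the network's own software update and telemetry traffic, which also polls regularly and is the main source of false positives.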
Karen A. Frenkel writes about technology and innovation and lives in New York City.