Blog

No se ha encontrado ningún artículo.

Cómo la IA de Darktrace detecta el malware metamórfico

Cómo la IA de Darktrace detecta el malware metamórficoDefault blog imageDefault blog image
31
Jul 2017
31
Jul 2017

Some of the most insidious threats that Darktrace finds use self-modifying technology to hide their presence on the network. These attacks can dynamically change their threat signatures, automatically extract data, and spread without a human controller.

Recently, we discovered anomalous activity on the network of a major US university. After investigation, we found that the anomaly was the ‘Smoke Malware Loader’ which employs numerous techniques to evade internal security. Most notably, the malware generates fake traffic to hide its presence.

Darktrace observed the initial infection when three anomalous executables were transferred over plain text. The malware did not match any known threat signatures, allowing it to bypass the network’s perimeter controls.

C1ulyq1wLrMBs6LG00 on Thu Sep 8, 13:19:01
Co2eAJ2GifEkWut700 on Thu Sep 8, 12:09:52
CdcZeu200UOsuf5u00 on Wed Sep 14, 16:38:44

The connections originated from a suspicious external domain that the company had never communicated with before:

lago666[.]com (91.243.193.149)

Both the anomalous download and the beaconing activity represented major deviations from the unique ‘pattern of life’ learned by the Enterprise Immune System.

Although the payload circumvented the network’s perimeter security, the company also had an alternate security system monitoring network flow. This tool raised an alert when the download occurred, but it was deemed a ‘false positive’ because the malware proceeded to install new, previously unknown versions of the executable to the Windows registry.

After the self-modifying modules were uploaded to the company device, a large number of HTTP POST requests were sent against /smk/log.php to the following domains:

lago666[.]com
lago666[.]xyz
lago666[.]pw
lago666[.]top
lago666[.]site
lago666[.]bid
www.lago666[.]website
lago666[.]online
www.lago666[.]space
lago666[.]website
lago666[.]space
www.lago666[.]online
lago666[.]trade
lago666[.]webcam
lago666[.]tech
lago666[.]host
lago666[.]press

The malware attempted to transfer data to these external destinations, but to hide its tracks, the remote machine replied with a fake 404 error code. These connections were deemed highly anomalous by Darktrace’s AI algorithms.

Since the payload was designed to be compatible with the password grabber module2 – which is often deployed side-by-side with Smoke Malware Loader – the data attempting to leave the network likely contained user credentials and passwords.

In conjunction with the initial transfer, another anomalous file was then delivered to a different device. This activity indicated that the threat actor was likely attempting to move laterally across the network:

hxxp://cdn.che[.]moe/izgmcx.exe (connection UID: CGH6uV3G5tdKSNY800) to 10.1.105.117 on Mon Sep 12 at 08:02:03.

Darktrace detected each anomaly in real time as the situation developed. By using AI algorithms to continuously learn normal behavior, Darktrace was able to monitor the malware’s changing threat signature.

Traditional security tools – no matter how advanced – are incapable of detecting such sophisticated threats. Legacy controls rely on rules and signatures, and these threats are specifically designed to bypass rules and signatures.

Darktrace’s real-time threat detection allowed the university’s security team to quarantine the infected devices before the malware could burrow deeper into the network, and before the attacker could use the passwords to further compromise the network. Darktrace then assisted the security team as they remediated the situation and changed their security protocols and passwords.

More in this series:

No se ha encontrado ningún artículo.

¿Te gusta esto y quieres más?

Reciba el último blog en su bandeja de entrada
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.
DENTRO DEL SOC
Darktrace son expertos de talla mundial en inteligencia de amenazas, caza de amenazas y respuesta a incidentes, y proporcionan apoyo al SOC las 24 horas del día a miles de clientes de Darktrace en todo el mundo. Inside the SOC está redactado exclusivamente por estos expertos y ofrece un análisis de los ciberincidentes y las tendencias de las amenazas, basado en la experiencia real sobre el terreno.
AUTOR
SOBRE EL AUTOR
Justin Fier
VP, Riesgo Táctico y Respuesta

Justin is one of the US’s leading cyber intelligence experts, and holds the position of VP, Tactical Risk and Response at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

CASOS DE USO
No se ha encontrado ningún artículo.
PRODUCTOS DESTACADOS
No se ha encontrado ningún artículo.
Cobertura básica
No se ha encontrado ningún artículo.
Este artículo
Cómo la IA de Darktrace detecta el malware metamórfico
Compartir
Twitter logoLinkedIn logo

Artículos relacionados

No se ha encontrado ningún artículo.

Buenas noticias para su negocio.
Malas noticias para los malos.

Inicie su prueba gratuita

Inicie su prueba gratuita

Entrega flexible
Puedes instalarlo virtualmente o con hardware.
Instalación rápida
Sólo 1 hora de instalación - y aún menos para una prueba de seguridad del correo electrónico.
Elige tu viaje
Pruebe IA de autoaprendizaje donde más lo necesite, incluyendo la nube, la red o el correo electrónico.
Sin compromiso
Acceso completo al visualizador de amenazas Darktrace y a tres informes de amenazas a medida, sin obligación de compra.
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.

Obtenga una demostración

Entrega flexible
Puedes instalarlo virtualmente o con hardware.
Instalación rápida
Sólo 1 hora de instalación - y aún menos para una prueba de seguridad del correo electrónico.
Elige tu viaje
Pruebe IA de autoaprendizaje donde más lo necesite, incluyendo la nube, la red o el correo electrónico.
Sin compromiso
Acceso completo al visualizador de amenazas Darktrace y a tres informes de amenazas a medida, sin obligación de compra.
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.