Advanced Persistent Adware: Analysis of Nation-State Level Tactics

Written by Jay Novak, Dan Rossell, Ashleigh Moriarty, Fred Frey

Example of Payload

Leveraging built-in Windows tools, such as the Scheduled Tasks engine (taskeng.exe) and wscript.exe, the APA decrypts and executes its payload in memory rather than on disk, which further helps it evade anti-virus detection. The first function of the APA is to look for two files in its parent directory. If both files exist, the APA sends an HTTP POST request to a command-and-control (C2) server. All communication to and from the C2 server is encrypted to avoid network-based detection by SIEM or IDS platforms. When an HTTP 200 response is received from the C2 server, the APA initiates stage two: it extracts the body of the C2 response, decrypts the extracted code, and executes that code in memory. The full functionality and impact of stage two are still being analyzed, but from the details we have uncovered, the additional code retrieved from the C2 server is advanced and, given its ability to execute arbitrary code, could serve as an implant for exfiltrating data and receiving further tasking beyond its adware capabilities.

Sample of Decoded JavaScript

We discovered the APA by leveraging Dark Labs' Advanced Threat Hunt (ATH) platform, using hypothesis-driven, behavior-based analytics. These rules are generalizations based on predictions about how a threat actor or their weapon will act within a network, and about the behaviors a threat hunter would expect to see in the data. We developed methods to extend EDR functionality in networks, allowing us to query all endpoints and correlate their responses at scale. Through this process, events related to this APA were automatically identified as potentially malicious by a rule designed to look for wscript execution in atypical or suspicious directories. These events were stacked and presented to our threat hunt team for further investigation. Our hunters then pivoted to our analytics platform, which conducts automated dynamic malware analysis and determined that the payload was, in fact, malicious.
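The hunt rule described above, as an added example that is not Dark Labs' ATH rule or code from this post: a Python check run over constructed EDR-style process-creation records (the field names imitate Sysmon Event ID 1) that flags wscript.exe or cscript.exe executing a script from outside an assumed list of expected directories, annotates a notable parent process (taskeng.exe, the scheduled-task path used by the stage-one behavior above), and stacks the matches by script directory so that rare locations stand out. The directory list, the parent-process list and the sample events are all assumptions made for this example.

```python
"""Hunt rule: Windows Script Host launched with a script from an atypical directory.

Added illustration, not Dark Labs' ATH rule or code from the post.  The event
shape imitates EDR / Sysmon Event ID 1 process-creation telemetry; the records,
the "expected" directory list, the parent list and the field names are
assumptions made for this example.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Windows Script Host binaries the rule cares about.
WSH_IMAGES = {"wscript.exe", "cscript.exe"}

# Where scripts run by WSH are expected to live in a managed estate (assumed
# for this example); a script anywhere else counts as "atypical".
EXPECTED_SCRIPT_DIRS = (
    r"c:\windows\system32",
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\scripts",
)

# Parents worth calling out: the scheduled-task engine or another scripting host.
NOTABLE_PARENTS = {"taskeng.exe", "svchost.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# First WSH script file on the command line, either quoted or bare.
SCRIPT_ARG = re.compile(
    r'"([^"]+\.(?:js|jse|vbs|vbe|wsf|wsh))"|(\S+\.(?:js|jse|vbs|vbe|wsf|wsh))',
    re.IGNORECASE,
)


def script_path(command_line):
    """Return the script path passed to wscript/cscript, or None if there is none."""
    m = SCRIPT_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(event):
    """Return the reasons an event matches the rule (an empty list means no match)."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in WSH_IMAGES:
        return []
    script = script_path(event["CommandLine"])
    if script is None:
        return []  # interactive launch with no script argument: out of scope here
    script_dir = str(PureWindowsPath(script).parent).lower()
    if script_dir.startswith(EXPECTED_SCRIPT_DIRS):
        return []
    reasons = [f"script_in_atypical_dir:{script_dir}"]
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent in NOTABLE_PARENTS:
        reasons.append(f"launched_by:{parent}")
    return reasons


def hunt(events):
    """Run the rule over process-creation events and return the matching ones."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append({"EventId": ev["EventId"], "Host": ev["Host"],
                         "Script": script_path(ev["CommandLine"]), "Reasons": reasons})
    return hits


def stack_by_directory(hits):
    """Stack matches by script directory; low counts are the ones to look at first."""
    return Counter(str(PureWindowsPath(h["Script"]).parent).lower() for h in hits)


# Constructed sample telemetry for this example (not real data).
SAMPLE_EVENTS = [
    {"EventId": 1, "Host": "WS-0417", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\alice\AppData\Roaming\UpdateSvc\update.js"',
     "ParentImage": r"C:\Windows\System32\taskeng.exe"},
    {"EventId": 2, "Host": "WS-0417", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventId": 3, "Host": "WS-0522", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\adsrv\loader.vbs",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventId": 4, "Host": "WS-0522", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\Desktop\notes.js",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventId": 5, "Host": "WS-0610", "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\wscript.exe" "C:\Program Files (x86)\Vendor Tool\install.vbs"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    matches = hunt(SAMPLE_EVENTS)
    for hit in matches:
        print(hit["Host"], hit["EventId"], hit["Script"], ", ".join(hit["Reasons"]))
    print(stack_by_directory(matches))
```

On the constructed sample, events 1 and 3 match (a script under AppData launched by taskeng.exe, and a script under ProgramData), while the slmgr.vbs run from System32, the notepad.exe event and the vendor installer under Program Files (x86) are ignored. Tuning the allow list is the real work: start by stacking every WSH script directory seen across the estate, then add the legitimately common ones to EXPECTED_SCRIPT_DIRS.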

While the presence of the APA on a network is not necessarily nefarious in itself, it creates an opportunity for malicious use, whether by the adware creator, one of their clients, or through future hijacking (for example, after a breach of the adware provider's network). Elimination, and prevention going forward through behavior-based analytics, is advised.

As seen with this APA, cyber adversaries are skilled at defeating reactive, IOC-based defenses by constantly developing and evolving their tactics, techniques, and procedures (TTPs), allowing them to gain access and cause harm to an organization. In contrast to traditional network defenses, our ATH offering involves creating new datasets rich with endpoint data, allowing us to hunt for threats that may be missed by SIEMs, IDSs, and anti-virus products. Our proactive approach relies on tools and tradecraft such as automation, threat intelligence, threat analytics, and machine intelligence to gather and analyze large volumes of data for malicious activity. These tools can identify and mitigate threats at machine speed using customized delivery models.

At Booz Allen, we have spent the last decade refining our tradecraft and assembling teams of analysts who can think like adversaries and know how to identify warning signs. Our analysts specialize in global malware hunt operations, anti-malware research, development of APT countermeasures, and use measurable processes to strengthen network defenses and identify adversary activity. By regularly evaluating their networks for threat activity, organizations can detect attacks in progress and mitigate these risks before it’s too late.

Join our elite Dark Labs Threat Hunting team to protect our nation’s cyber infrastructure.
