Leveraging built-in windows tools, such as Scheduled Tasks (taskeng.exe) or wscript.exe, the APA decrypts and executes its payload in memory, rather than on disk, which further allows it to avoid anti-virus detection. The first function of the APA is to look for two files in its parent directory. If both files exist, the APA sends an HTTP POST request to a C2 server. All communications to and from the C2 server are encrypted to avoid network-based detection by the SIEM or IDS platform. When an HTTP 200 Response is received from the C2 server, the APA initiates stage two, which involves extracting the contents of the C2’s Response, decrypting the extracted code, and executing the code in memory. The full functionality and impact of stage two is still being analyzed, but from the details that we have uncovered, we can say that the additional code retrieved from the C2 server is advanced and given its ability to execute arbitrary code could be used as an implant for exfiltrating data and receiving further tasking outside of its adware capabilities.
We discovered the APA by leveraging Dark Labs’ Advanced Threat Hunt (ATH) platform, using hypothesis-driven
As seen with this APA, cyber adversaries are skilled at defeating reactive, IOC based defenses by constantly developing and evolving malicious tools, techniques, and procedures (
At Booz Allen, we have spent the last decade refining our tradecraft and assembling teams of analysts who can think like adversaries and know how to identify warning signs. Our analysts specialize in global malware hunt operations, anti-malware research, development of APT countermeasures, and use measurable processes to strengthen network defenses and identify adversary activity. By regularly evaluating their networks for threat activity, organizations can detect attacks in progress and mitigate these risks before it’s too late.
Join our elite Dark Labs Threat Hunting team to protect our nation’s cyber infrastructure.