APT campaigns, cryptolocker epidemics, and banking Trojans running wild all generate plenty of trouble for businesses and end users alike, especially once the “full picture” comes into view: the number of infections and the level of activity of the various malware and APT campaigns. There is one important detail in this picture, though. However sophisticated, careful, and resourceful malware authors may be, they still make mistakes. Sometimes even comic ones.
No perfect crime
In mid-February, at the Kaspersky Security Analyst Summit in Cancun, Kris McConkey of PricewaterhouseCoopers spoke specifically about the mistakes cybercriminals make. They go to great lengths to throw researchers off their scent, but, just as in the “offline” criminal world, they make errors and leave peculiar traces behind, which makes them look a bit silly and makes forensic analysts happy.
Free Internet; why not use it?
For instance, members of the notorious Comment Crew (APT1), one of the better-documented APT groups, tied to Unit 61398 of the Chinese People’s Liberation Army, operated at a high level of professionalism and still got uncovered. Researchers at Mandiant were able to identify the location of its operational headquarters, its malware resources, and the victims it was targeting. How? One of the major pitfalls was the use of victims’ infrastructure to access the attackers’ personal social media accounts.
Yes, they used the victims’ Internet access to log in to their own social network accounts.
“This was a big giveaway, and it’s likely a result of their government policy,” McConkey said. “Their restricted Internet access made unfettered Internet even more tempting.”
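As an added example (not from the original post, nor from the researchers it cites), here is a small check a defender can run over web-proxy logs to catch the APT1 pattern described above: a server that has no business on social networks suddenly talking to one. The log lines, the server inventory (NO_BROWSE_HOSTS) and the domain list (SOCIAL_DOMAINS) are all constructed for the example; in a real deployment the inventory would come from the CMDB and the log format from your own proxy.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample web-proxy log lines (fields: time, client IP, client
# hostname, method, target, status). Made up for this example.
SAMPLE_PROXY_LOG = """\
2013-02-11T02:14:07Z 10.20.30.5 fileserver01 CONNECT www.facebook.com:443 200
2013-02-11T02:14:09Z 10.20.30.5 fileserver01 CONNECT login.facebook.com:443 200
2013-02-11T02:15:40Z 10.20.30.5 fileserver01 GET http://update.example.net/patch.cab 200
2013-02-11T09:01:11Z 10.20.40.22 ws-alice CONNECT www.facebook.com:443 200
2013-02-11T03:02:55Z 10.20.30.9 dc01 CONNECT twitter.com:443 200
"""

# Assumed asset inventory: servers on which nobody should ever be browsing.
NO_BROWSE_HOSTS = {"fileserver01", "dc01", "www01"}

# Assumed watchlist of social-network registrable domains.
SOCIAL_DOMAINS = {"facebook.com", "twitter.com", "linkedin.com", "vk.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<method>\S+) "
    r"(?P<target>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    domain: str


def target_domain(target: str) -> str:
    """Hostname from either a CONNECT host:port or a full URL."""
    if "://" in target:
        target = target.split("://", 1)[1]
    return target.split("/", 1)[0].rsplit(":", 1)[0].lower()


def is_social(domain: str) -> bool:
    """True if domain is, or is a subdomain of, a watched social network."""
    return any(domain == d or domain.endswith("." + d) for d in SOCIAL_DOMAINS)


def detect_social_from_servers(log_text: str) -> List[Finding]:
    """Flag every request where a no-browse server reaches a social network."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        domain = target_domain(m["target"])
        if m["host"] in NO_BROWSE_HOSTS and is_social(domain):
            findings.append(Finding(m["ts"], m["host"], domain))
    return findings


if __name__ == "__main__":
    for f in detect_social_from_servers(SAMPLE_PROXY_LOG):
        print(f"{f.ts} {f.host} -> {f.domain}")
```

The workstation ws-alice visiting Facebook during working hours is normal and is not flagged; the file server and domain controller doing so at 2 a.m. are exactly the kind of hits worth pivoting on.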
I love my nickname
APT1 operators appear to have been ‘married’ to their online aliases. For instance, one group member going by the handle UglyGorilla left this moniker stamped all over malware, web injection commands, and so on.
A similar story emerged when CrowdStrike exposed the Putter Panda gang in 2014. They used personal e-mail addresses to register early command-and-control domains, and one handle in particular, cpyy, was used throughout the campaign. Researchers were eventually able to link that handle to a Picasa account loaded with photos of the hacker behind the handle, photos of the Unit 61398 office, and other data pertinent to the investigation. Thank you, cpyy!
We are Wet Bandits!
Remember Home Alone, the 1990 classic? As they are arrested, the two burglars proclaim themselves the Wet Bandits, since they flood every house they rob. A police officer delightedly replies that now the police know every single place they have burglarized.
Something similar happened here, although these APT groups have since learned their lesson and removed such giveaways from sight.
The recently revealed Equation group also proved to be vulnerable to such mistakes. According to Kaspersky Lab’s Costin Raiu, one member of the group accidentally left the username of the computer they worked on in the code of one of the modules. This proved to be quite helpful.
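Handles stamped into malware and a developer’s username left in a module are both found the same way: by pulling the printable strings out of the binary and looking for debug paths and known aliases. The following is an added example, not code from the original post or from any of the research teams mentioned. SAMPLE_MODULE is a constructed byte blob standing in for a compiled module; the path, the username “operator7” and the mutex name are invented, and WATCHLIST_HANDLES simply reuses the two handles named in the text.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a compiled module: binary junk with a few embedded
# strings, as a real .dll or .exe might carry them. Not a real sample.
SAMPLE_MODULE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 32
    + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"          # CodeView-style debug header
    + b"C:\\Users\\operator7\\Documents\\proj\\dropper\\Release\\dropper.pdb\x00"
    + b"\x8a\x13\x40\x00" * 8
    + b"Global\\uglygorilla_mutex\x00"                      # invented handle-bearing mutex
    + b"kernel32.dll\x00CreateMutexA\x00"
    + b"\xde\xad\xbe\xef" * 16
)

# Aliases to look for; assumed watchlist built from prior reporting.
WATCHLIST_HANDLES = {"uglygorilla", "cpyy"}

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
PDB_RE = re.compile(r"^[A-Za-z]:\\.*\.pdb$", re.IGNORECASE)
USER_RE = re.compile(r"\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.IGNORECASE)


def ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def pdb_paths(strings: List[str]) -> List[str]:
    """Debug symbol paths the compiler embedded; they carry the build tree."""
    return [s for s in strings if PDB_RE.match(s)]


def username_from_path(path: str) -> Optional[str]:
    """Pull the account name out of a Windows profile path, if present."""
    m = USER_RE.search(path)
    return m.group(1) if m else None


def handle_hits(strings: List[str], watchlist=WATCHLIST_HANDLES) -> List[Tuple[str, str]]:
    """(handle, string) pairs for every string containing a watched alias."""
    hits = []
    for s in strings:
        low = s.lower()
        for h in watchlist:
            if h in low:
                hits.append((h, s))
    return hits


def triage(data: bytes) -> Dict[str, list]:
    """Everything an analyst wants from a first pass over an unknown module."""
    strings = ascii_strings(data)
    paths = pdb_paths(strings)
    users = [u for u in (username_from_path(p) for p in paths) if u]
    return {"pdb_paths": paths, "usernames": users, "handle_hits": handle_hits(strings)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MODULE).items():
        print(f"{key}: {value}")
```

The PDB path is the artefact that most often betrays an operator: it is written by the compiler, not the author, and it records the profile directory the code was built under.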
Cryptoerrors
One of the major cybersecurity headaches today, encrypting ransomware, often lumped together under the name ‘cryptolockers’, is prone to mistakes as well.
While such malware may use extremely strong encryption, mistakes and imperfections in its code make it possible for third-party antimalware utilities to recover the files. Without those errors, breaking the encryption is next to impossible: the 2048-bit RSA keys used by later cryptolocker strains rule out any kind of brute-forcing. The only remaining route is to seize the criminals’ infrastructure, along with the keys stored there, which is what happened with the Gameover ZeuS botnet. But criminals behind such ransomware now increasingly use Tor to stay anonymous and conceal their C&C servers.
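To make the point concrete, here is an added example (not from the original post, and not modelled on any particular ransomware family) of one classic implementation mistake: the per-victim key is generated by an ordinary PRNG seeded with the infection time, so the effective key space is the handful of plausible timestamps, and a known file header (here `%PDF-`) is enough to brute-force it. The strong-key version beside it draws the key from the OS CSPRNG and is immune to the same attack. The SHA-256 counter-mode keystream is an assumed stand-in for a real block cipher so the block runs with the standard library only; INFECTION_TIME and SAMPLE_FILE are constructed.

```python
import hashlib
import os
import random
from typing import Optional

INFECTION_TIME = 1424000000                     # constructed: a Unix time in Feb 2015
SAMPLE_FILE = b"%PDF-1.4\n% constructed sample document\n1 0 obj << /Type /Catalog >> endobj\n"


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; stand-in for a real cipher (assumed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def weak_key(infection_time: int) -> bytes:
    """The mistake: a 256-bit key from a PRNG seeded with a timestamp.
    Nominally 2^256 keys, really one per candidate second."""
    rng = random.Random(infection_time)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_key() -> bytes:
    """The correct way: key from the OS CSPRNG; nothing to enumerate."""
    return os.urandom(32)


def recover_weak_key(ciphertext: bytes, known_prefix: bytes,
                     mtime: int, window: int = 3600) -> Optional[bytes]:
    """Try every seed in [mtime - window, mtime]; the known header is the oracle.
    The encrypted file's modification time bounds when the key was generated."""
    head = ciphertext[:len(known_prefix)]
    for t in range(mtime - window, mtime + 1):
        cand = weak_key(t)
        if xor_crypt(head, cand) == known_prefix:
            return cand
    return None


if __name__ == "__main__":
    ct = xor_crypt(SAMPLE_FILE, weak_key(INFECTION_TIME))
    k = recover_weak_key(ct, b"%PDF-", mtime=INFECTION_TIME + 120, window=600)
    print("weak key recovered:", k is not None, "plaintext ok:", xor_crypt(ct, k) == SAMPLE_FILE)
    ct2 = xor_crypt(SAMPLE_FILE, strong_key())
    print("strong key recovered:", recover_weak_key(ct2, b"%PDF-", INFECTION_TIME + 120, 600) is not None)
```

The same reasoning is why seizing the infrastructure matters for the well-written families: when the key is genuinely random and only its RSA-wrapped form is left on the victim, the private key on the criminals’ server is the only way back to the files.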
More on ransomware is available here.
Errare humanum est
The ancient Latin proverb holds true for any kind of software. Errors in the code of legitimate software are what allow much of today’s malware to be effective in the first place, and the mistakes humans make, such as opening a malicious e-mail attachment, contribute a great deal as well. Ironically, it is the same coding mistakes and human errors that make malware authors and APT gangs vulnerable to the efforts of antimalware researchers.