The Booz Allen Dark Labs’ Advanced Threat Hunt team recently discovered a form of adware lurking on networks that evades traditional cyber defenses. The adware itself is a previously known threat, commonly used to inject advertisements into a user’s browser and covertly collect information about the user’s browsing activity. But according to the Booz Allen Dark Labs report, it demonstrates the traits of nation-state advanced persistent threats (APTs).
Adware is often ignored during security operations because it is prevalent, is generally considered unsophisticated, and has a low perceived threat level. This adware, which the Booz Allen team is calling Advanced Persistent Adware (APA), is unusual because it leverages techniques typically seen only in attacks attributed to nation-state APTs: it evades detection, maintains persistence, and connects to a command and control (C2) server to stage the second phase of the attack. This APA is similar to adware detected by Carbon Black’s Endpoint Detection and Response (EDR) platform, which is referenced in this article. Both examples demonstrate the growing need for advanced detection as the playing field continues to evolve in favor of these threats.
The report describes how built-in Windows tools, such as the Task Scheduler (taskeng.exe) or the Windows Script Host (wscript.exe), can be abused to deliver an APA that decrypts and executes its payload in memory rather than writing it to disk, which helps it evade file-based anti-virus scanning. Once running, the APA can exfiltrate data and receive further tasking from its C2 server, beyond its adware capabilities.
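As an added example of how a threat hunter might look for the staging pattern described above (a scheduled task launching the Windows Script Host on a script from a user-writable directory, and that script host then talking to a C2 server), the following Python is not part of the Booz Allen report or of any vendor tool. It assumes Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events normalized to JSON dictionaries; the sample events, paths, and IP address are constructed for illustration.

```python
"""Hunt rules for adware staged through Task Scheduler and the Windows Script Host.

Added example, not code from the Booz Allen report. Assumes Sysmon-style events
normalized to dicts with Image, ParentImage, CommandLine, ProcessId, etc.
"""
import json
import re
from typing import Dict, Iterable, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Directories an unprivileged user can write to. A script launched by a scheduled task
# from one of these is far more suspicious than one under Program Files or Windows.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\programdata\\|\\users\\public\\|\\temp\\)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Last path component, lower-cased, so vendor-specific drive letters don't matter."""
    return path.rsplit("\\", 1)[-1].lower()


def launched_by_scheduler(ev: Dict) -> bool:
    """True if the process was spawned by the Task Scheduler.

    On Windows 7/8 task actions are children of taskeng.exe; on Windows 10 and later
    they are children of the svchost.exe instance hosting the Schedule service.
    """
    parent = basename(ev.get("ParentImage", ""))
    if parent == "taskeng.exe":
        return True
    return parent == "svchost.exe" and "schedule" in ev.get("ParentCommandLine", "").lower()


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return findings for process-creation (EID 1) and network-connection (EID 3) events."""
    findings: List[Dict] = []
    flagged_pids = set()  # script hosts already tied to a suspicious scheduled task
    for ev in events:
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))
        if eid == 1 and image in SCRIPT_HOSTS:
            cmd = ev.get("CommandLine", "")
            if launched_by_scheduler(ev) and USER_WRITABLE.search(cmd):
                findings.append({
                    "rule": "scheduled_task_runs_script_from_user_writable_path",
                    "pid": ev["ProcessId"],
                    "parent": basename(ev.get("ParentImage", "")),
                    "cmdline": cmd,
                })
                flagged_pids.add(ev["ProcessId"])
        elif eid == 3 and image in SCRIPT_HOSTS:
            # The decrypted payload lives only in the script host's memory, so the first
            # observable artifact beyond the loader script is often a script host
            # opening an outbound connection. Any such connection is worth a look;
            # one from an already-flagged process is the C2 check-in the report describes.
            findings.append({
                "rule": "script_host_network_connection",
                "pid": ev["ProcessId"],
                "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
                "linked_to_task": ev["ProcessId"] in flagged_pids,
            })
    return findings


# Constructed sample telemetry (not real logs): two benign and two suspicious launches,
# followed by the suspicious script host reaching out to a (documentation-range) C2 address.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Program Files\Vendor\update.exe",
     "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": r'"C:\Program Files\Vendor\update.exe"'},
    {"EventID": 1, "ProcessId": 4212, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": r'wscript.exe //B //Nologo "C:\Users\alice\AppData\Roaming\sync\loader.js"'},
    {"EventID": 1, "ProcessId": 5300, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": r'wscript.exe "C:\ProgramData\cache\run.vbs"'},
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cscript.exe \\corp\netlogon\logon.vbs"},
    {"EventID": 3, "ProcessId": 4212, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The two rules deliberately key on behaviour rather than on a file hash or script name: the loader script's contents can change with every build, but a persistence mechanism that needs a scheduled task to run a script host from a user-writable path, and a script host that then opens a network connection, is hard for the adware to avoid. Tune `USER_WRITABLE` and the benign-parent logic to your environment, since logon scripts and some management agents will otherwise produce noise.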
Advanced persistent adware is just one example of the kinds of threats Booz Allen Dark Labs is discovering, using a proactive approach that relies on sophisticated tools and tradecraft, such as automation, threat intelligence, threat analytics and machine intelligence, to gather and analyze large volumes of data for malicious activity. These tools can identify and mitigate threats at machine speed using customized delivery models.
Read the full report about the adware, and how the Dark Labs discovered it.