Advanced Threat Research

Increasingly, people around the world depend on technology for their daily activities. Making this technology trustworthy involves a deep understanding of how attacks work. By researching security vulnerabilities, the Advanced Threat Research (ATR) team in Intel Security discovers opportunities to drive toward more secure technology.

Threat Landscape Dashboard

Better threat awareness means better protection for your business. Access our threat dashboard to get an overview of key threats being tracked by Intel Security researchers. Go to the Threat Landscape Dashboard

Emerging Threats and Malware

Blog Post: Attacks on SWIFT Banking System Benefit from Insider Knowledge | 2016-05-20

ATR's Christiaan Beek dives into some malware samples used in recent attacks on the banking system. This malware was able to manipulate and read unique messages from SWIFT (Society for Worldwide Interbank Financial Telecommunication), as well as adjust balances and send details to a remote control server. The analysis reveals key capabilities and other SWIFT codes contained in the sample.

Details of the analysis of malware targeting the SWIFT banking system are posted on McAfee Blog Central.

Targeted Ransomware No Longer a Future Threat | 2016-03-01

During recent weeks, we have received information about a new campaign of targeted ransomware attacks. This time the attackers compromised an external-facing server and used that access to move around the victim's network. By separating functions that are usually present in ransomware, the adversaries attempted to avoid detection as much as possible.

The stages of this attack included leveraging access to the external system to gain access to many other systems on the internal network. A series of scripts and tools deleted the volume shadow copies and unlocked files that were in use, thereby maximizing the impact and thwarting attempts to restore data. Before the actual encryption started, the ransomware divided the candidate files into categories based on size and encrypted the smallest files first. We assume this was to maximize the number of impacted files, even if the process was shut down before it completed. After the files were encrypted, a ransom note was left on the desktop. The note demanded Bitcoins in exchange for the decryption tool and private key to decrypt each of the files.

A more detailed account of our analysis (combining information from organizations across Intel Security) can be found in the technical report.

Disrupting Adversarial Success - Giving the Bad Guys No Sleep | 2016-03-01

At the upcoming RSA Conference 2016, in their session Disrupting Adversarial Success - Giving the Bad Guys No Sleep, Christiaan Beek of ATR with Raj Samani will deconstruct emerging attack campaigns and techniques, examine pragmatic defense strategies and discuss what to expect in the future.

RSA Conference presentation.

There's a pot of Bitcoins behind the ransomware rainbow | 2015-11-18

Ransomware is one of the threats we have seen rising over the past few years, with a huge resurfacing in 2014. These campaigns mostly target the Windows platform, but Linux, mobile and OS X operating systems are targeted as well. In this presentation, we will start with an overview of the different crypto-ransomware families we have seen in the past couple of years, combined with some of the technical developments in the industry that helped make this business model very lucrative. We continue with some examples of in-depth analysis of behavior patterns we discovered in certain families that helped us identify and classify them. Besides the malware itself, we will highlight some insights into how the actors operate in general, the infrastructure they build up, the financial infrastructure, the profit and connections with other cybercrime operations.

Microsoft BlueHat v15 presentation

Distributing the Reconstruction of High-Level Intermediate Representation for Large Scale Malware Analysis | 2015-08-05

Malware is acknowledged as an important threat and the number of new samples grows at an absurd pace. Additionally, targeted and so-called advanced malware became the rule, not the exception. Analysts and companies use different degrees of automation to be able to handle the challenge, but there is always a gap. Reverse engineering is an even harder task due to the increased amount of work and the stricter time-frame to accomplish it. This has a direct impact on the investigative process and thus makes prevention of future threats more challenging.

In this work, the authors discuss distributed reverse engineering techniques, using intermediate representation (thanks to the Hex-Rays team for supporting us in this research) in a clustered environment. The results presented demonstrate different uses for this kind of approach, for example to find algorithmic commonalities between malware families.

A higher level abstraction of the malware code is constructed from the abstract syntax tree (ctree) provided by Hex-Rays Decompiler. That abstraction facilitates the extraction of characteristics such as domain generation algorithms (DGA), custom encryption and specific parsers for configuration data. In order to reduce the number of false positives in some C++ metadata identification, such as virtual function tables and RTTI, the authors created the object-oriented artifacts directly from the analyzed malware.

The extracted characteristics of 2 million malware samples are analyzed and the presented results provide a rich dataset to improve malware analysis efforts and threat intelligence initiatives. With that dataset, other researchers will be able to extract a ctree from new samples and compare it to the millions we analyzed.

As an additional contribution, the gathered representation, together with all the raw information from the samples, will be available to other researchers after the presentation, along with additional ideas for future development. The developed Hex-Rays Decompiler plugin and analysis/automation tools used to extract the characteristics will also be made available to the audience on GitHub.

Black Hat USA 2015 presentation

HackingTeam's UEFI Rootkit | 2015-07-14

Analysis of the commercial malware developed by HackingTeam has revealed much to the security community. Of particular interest to ATR is the presence of what appears to be a UEFI-based persistent infection mechanism. This analysis describes what was found.

Bootkits: Past, Present & Future | 2014-09-24

Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?

The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. Firstly, we will summarize what we've learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (which was used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.

Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author, as UEFI is becoming a target of choice for researchers in offensive security, and proof-of-concept bootkits targeting Windows 8 OS using UEFI have already been released. We will focus on various attack vectors against UEFI and discuss available tools and what measures should be taken to mitigate them.

By Alex Matrosov with Eugene Rodionov and David Harley from ESET. Read more on the Virus Bulletin blog.

Virus Bulletin 2014 presentation and paper