These are quick first looks and trend and threats

Written by the security and AV professionals from team K7, meant for the general audience
These are usually articles that go into internals of a virus or deal with security issues
Senior managers speak on areas of interest to them, inside and outside the industry

Shell Team Six:Zero Day After-Party (Part VI)

This is the final part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. Continuing from the fifth part of our paper…

Data Exfiltration and Cleanup

This stage of the APT involves the assailants collecting the sensitive data and transmitting it stealthily to a remote location. Data extraction can either be a one-time event or spread over a period of time, followed by constant snooping of the victim, all the while remaining hidden.

Once the objective of an APT campaign is achieved, the attackers exit the network in a phased manner after covering their tracks and clearing all the potential evidence of an intrusion.  The attackers could also plant or manipulate data in the target’s environment in an effort to create misdirection.

Extraction methodology

Confidential data that is collected during the period of the APT is copied to a staging server, compressed, encrypted and kept ready for transfer. Outbound sessions are then established that resemble legitimate traffic thereby attempting to fly under the security radar. The confidential data is thus extracted possibly in small chunks over a period of time.

The bad actors could exfiltrate data using any/all of the following methods:

HTTP/FTP/Cloud Storage Uploads

An HTTP/FTP upload or a cloud transfer is initiated by an application which is already approved by the firewall. Additionally, the packets could be SSL or custom encrypted making it difficult for security solutions to sniff.

Outgoing Emails with Password Protected Attachments

Sensitive contents are password protected and then transmitted using either a compromised employee’s email credentials, or by using a custom SMTP server.

Customized DNS Queries

Small chunks of data such as user credentials may be sent as custom DNS requests to DNS servers controlled by the attackers. The packets are then reassembled as required at the attackers end.

Fig.14. shows encrypted data sent as a DNS query

VPN/IPv6 Tunnels

VPN and IPv6 tunnels are created from the staging server to a remotely controlled machine. The contents are then securely transmitted through these tunnels.

The hacking outfit commonly known in computer security circles as Comment Crew [13] has been observed using the above data exfiltration techniques. Sensitive data which could potentially be Gigabytes in size would first be collected in a centralized location & compressed in a password-protected RAR file. The final archives would be split into chunks and uploaded using FTP, custom file transfer tools, etc.

Cleanup Methodology

The attackers tend to delete their malicious code and its associated components by remotely issuing self-destruct commands from their C2C server. A time/event bound kill switch built into the malicious code could also be automatically triggered to avoid being caught.

System logs that maintain login attempts, security logs that maintain protection status, audit files that track system changes, etc. are modified by the attackers to make a forensic reconstruction of the attack impossible.

Indicators of Compromise

Capturing and transmitting confidential data is the raison d’etre of any APT. In order to facilitate this transmission, the attacker must contact external servers from inside the victim’s network.

Here are some of the common symptoms that indicate suspicious activity within the organization’s network:

Wrong Data in the Wrong Place

Movement of encrypted or confidential data from a machine containing sensitive information to a potential upload server with Internet access, all within the organizations internal network could indicate that something is wrong.

Similarly, availability of large quantities of known-encrypted or sensitive data on a machine it’s not supposed be on could also indicate that something is amiss.

Anomalous Traffic

The following anomalies could indicate a compromise:

  1. Connections made directly to IP addresses
  2. HTTP/FTP connections on non-standard ports
  3. Connections to previously unused or high risk geo locations
  4. Accessing algorithmically generated domain names (DGA)

Other Indicators

Inconsistent events in audit logs maintained at network and endpoint level, changes in the system drivers list without an application uninstallation progress, etc. can also be used as indicators of compromise.


Confidential information is the crown jewel of any company and typically it is this information that the attacker is focused on stealing. The following solutions can be involved in protecting the exfiltration of this confidential data:

Hardened DNS Servers

Outgoing DNS queries should be logged and monitored extensively for anomalies. Organizations could also create and maintain their own hardened DNS servers.

Security Solutions

Data aware technologies like Data Leakage Prevention (DLP) can be added to the organization’s existing layer of defense. Once critical and confidential data is identified, DLP solutions track and prevent this data from falling into the wrong hands.

URL scanners with built-in reputation intelligence can be used to detect:

  1. Access to subdomain/domains which are not popular or appear suspicious
  2. Repeated attempts to connect to domains which no longer resolve
  3. Attempts to connect to blacklisted or malicious IP addresses/domains
  4. Newly registered domains

Network scanners with Deep Packet Inspection and machine learning capabilities can be used to build a knowledge base of general network usage trends. Alarms are raised when deviations exceed pre-defined thresholds. This knowledge base includes:

  1. Commonly used protocols with source and destination information
  2. Common geo locations contacted
  3. Number of connections and the length of connections made depending on the time of the day

Software that take disk backups and dump physical memory images at regular intervals are of great help during incident response and forensic analysis of a potential APT attack.


The implications of the complexity and perseverance of Advanced Persistent Threats are of major significance to the existing security infrastructure. The evasion techniques discussed in this paper have exerted colossal pressure on the current methods used to detect and report these threats, especially where the human element is involved.

Safeguarding oneself against APTs requires more than just traditional security solutions. The need of the hour is a comprehensive, holistic security plan that intelligently integrates events reported from numerous forms of security established at various levels of the organization. This solution should be able to handle massive volumes of logs and spot patterns of an attack, find sources of a breach and stop new threats in their tracks.

Things are about to get a whole lot more difficult with compromised mobile devices joining the fray. Strategies to identify and stop sophisticated, multi-pronged APT attacks have been discussed; however coordinated implementation is far from straightforward. We live in interesting times.



Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Comments are closed.