Our latest demo looks at the Digital Guardian endpoint agent's ability to detect stealthy malware C&C communications designed to evade detection by network security tools. In a discussion with a customer's threat analysts earlier in the year we debated the abilities of various types of solutions when it comes to detecting new and stealthy forms of communication with attackers' command and control servers. The conversation inspired me to put DG to the test with a particularly sneaky piece of malware, and I thought the results from my demo were worth sharing.

Last year saw a renewed increase in malware campaigns using social media-based channels for command and control communications, like the Russian malware Hammertoss, which uses Twitter. This is not a new phenomenon: this type of channel first appeared circa 2009 and has been followed closely by security researchers ever since (including this excellent series of in-depth analysis articles from Lenny Zeltser on the subject).

Perhaps the most high-profile recent case of attackers using hard-to-detect C&C channels is the hacking attacks on the Democratic National Committee, believed to have been carried out by Russian government-sponsored APT groups. The success of those attacks has been largely attributed to their use of well-engineered phishing emails to deliver the "XTunnel" malware, which uses SMTP and POP3 protocols (among others) to disguise C&C communications as benign email traffic, via what Microsoft dubbed "STRONTIUM" in an earlier edition of its Security Intelligence Report. Reading up on these attacks brought me back to my conversation with this customer on the subject of how best to see through C&C obfuscation techniques.

Of particular concern to this customer was the use of encrypted webmail services as the command and control channel, and more specifically the use of a web platform like Yahoo. This customer was referring to malware similar to a remote access tool (RAT) reported by Virus Bulletin in August 2014. Use of the Trojan, given the name IcoScript, dates as far back as 2012. Detecting this type of communication is quite difficult, as most of the network traffic will look like normal end user activity. As a result, organisations cannot rely on detection via traditional network intelligence; detection must instead be focused on the endpoint, where the malware runs.

The malware we focused on establishes its communications channel using Microsoft APIs for interprocess communication and the Component Object Model (COM). COM provides a means for any application to control certain Windows applications, Internet Explorer specifically in our case. The malware sample used piggybacks on the user's browser session and creates a hidden browser process. The network communications then exfiltrate data via that session; the malware itself never communicates directly. This technique provides the malware a high level of obfuscation, even from traditional endpoint protection solutions. The customer felt that this malware is almost impossible to detect, so I decided to obtain a sample and see whether the Digital Guardian endpoint agent would be able to detect (and ultimately block) this activity.
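The endpoint-side check that the hidden-browser behaviour above calls for, as an added example that is neither the original post's code nor Digital Guardian's agent logic: a heuristic over a constructed process snapshot that flags Internet Explorer instances which are hidden and cannot be attributed to the user's desktop shell. The `Proc` fields, the sample process list and the assumption that a COM-activated IE shows up under a non-shell parent are all assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    """One process from an endpoint telemetry snapshot (assumed field names)."""
    pid: int
    ppid: int
    image: str            # executable basename, lower-case
    visible_window: bool  # process owns a visible top-level window

BROWSER = "iexplore.exe"
USER_SHELL = "explorer.exe"  # interactive desktop shell that launches user apps

def suspicious_ie(snapshot):
    """Return {pid: reason} for iexplore.exe instances that are hidden AND not
    attributable to the user's shell. Either trait alone is common (IE content
    processes are hidden; legitimate COM automation shows a window); together
    they match the hidden, COM-driven browser described in the text."""
    by_pid = {p.pid: p for p in snapshot}
    hits = {}
    for p in snapshot:
        if p.image != BROWSER or p.visible_window:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            hits[p.pid] = "hidden IE; parent %d no longer running" % p.ppid
        elif parent.image == USER_SHELL:
            continue  # launched by the user's shell; window may not be up yet
        elif parent.image == BROWSER and parent.visible_window:
            continue  # content process of a visible, user-facing IE frame
        else:
            hits[p.pid] = "hidden IE; parent %s (pid %d) is not the user's shell" % (
                parent.image, parent.pid)
    return hits

# Constructed snapshot, not captured telemetry: a normal user IE session (200,
# 201), a hidden IE frame started from a service host as COM out-of-process
# activation would be (301, 302), and a hidden IE whose parent has exited (400).
SNAPSHOT = [
    Proc(100, 80, USER_SHELL, True),
    Proc(200, 100, BROWSER, True),
    Proc(201, 200, BROWSER, False),
    Proc(300, 4, "svchost.exe", False),
    Proc(301, 300, BROWSER, False),
    Proc(302, 301, BROWSER, False),
    Proc(400, 999, BROWSER, False),
]
```

Run `suspicious_ie(SNAPSHOT)` to see which of the constructed processes the heuristic flags and why; in practice the snapshot would come from the endpoint agent's process telemetry.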