Windows app privileges subverted

News by Steve Gold

Researchers have spotted new attack vectors being used to exfiltrate company online banking credentials.

A senior threat researcher with Trend Micro's Philippines R&D centre has been dissecting the methodology of the VAWTRAK malware family, which has just been updated with new backdoor and data-stealing attack vectors - including the ability to lift online banking credentials from user's machines

According to Trend's Marilyn Melliang, the malware is notable for downgrading the privileges of security software - a technology known as Software Restriction Policies and first introduced in Windows XP/MS-Server 2003.

"It can be thought of as a very early form of whitelisting or blacklisting feature," she says in her analysis, adding that the original intention was to fight viruses and regulate which ActiveX controls can be downloaded. On top of this, she notes it can also help enforce that only approved software can installed on a system.

Whilst the ability to suppress the actions of security is nothing new, the use of privilege downgrading is a new attack methodology, as is the ability to exfiltrate online banking data - which is normally the preserve of interception malware such as Zeus.

According to Graham Mann, managing director of Encode UK, this level of ingenuity will be of little surprise to the security community, as methods of attack are constantly evolving and this is just one element, which underlines how attackers constantly strive to identify ways to get around security products.

"It also highlights the danger of over reliance on anti-virus, which attacker's either evade or neutralise," he noted.

Mark Sparshott, EMEA director with Proofpoint, meanwhile, says that his team first began noticing a spike in VAWTRAK cybercriminal usage in the third quarter of last year, when it was commonly used as part of targeted `longlining' email campaigns designed to lure victims to install the code.

"Psychologically these lures work well as recipients are quick to click either from the fear of being charged for something they did not order or from the glee of receiving something they did not pay for," he said.

Proofpoint's human factor research, he added, has shown just how lucrative these `longlining' campaigns can be for cybercriminals with an average of a 10 percent click rate on malicious links.

"To put that into context the marketing department of a FTSE 100 company would expect a one to two percent click rate on their marketing campaigns. The research found that fake delivery notifications like those used with VAWTRAK were the third most successful type of lure, however, as fake Financial Account Warning emails (No 2) and fake social networking related emails (No 1) are more dangerous, with LinkedIn invitations scoring by far the highest click rates," he explained.

Over at Lancope, Tim Keanini, the firm's CTO, said it is always interesting to see this type of cybersecurity battle taking place on the front lines.

When people really begin to understand security, they start to see a pattern whereby security features are extremely asymmetrical. This [Windows] feature enforces access to a list and denies everything else or vice versa," he explained.

"In this case the attacker not only gets themselves on some white list to escalate their privileges on the system, but they also put the security guards of the system on a blacklist which deprecated their privileges," he said.

Keanini went on to say that this is further evidence that the game of advanced threat has moved from infiltration to evasion - and remaining hidden while the cybercriminals complete all of their complex operations.

"Defenders need to extended their tactics and raise the cost to the adversary to remain hidden because all they need to do is discover and shut them down in one of these phases of the attack continuum whereas the attackers need to complete all of these phases undetected," he concluded.

Dwayne Melancon, fellow CTO with Tripwire, took a different tack, arguing that the fact that the attack methodology leverages policy capabilities built into Windows has made it easier for attackers to cast a wide net with this exploit.

“Fortunately, most endpoint antivirus products can clean this up as long as they are using up-to-date malware definitions. The risk is that other security settings may reduce the security of users' computers even after the back door is removed,” he said.

“To mitigate that risk - particularly in corporate environments - I recommend using a security configuration management solution to assess the configurations of user workstations and ensure they are secure according to an objective standard, such as CIS benchmarks or an enterprise configuration hardening policy,” he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews