‘Matrix Banker’ Reloaded

by Mark Rowe

Between August and October 2017, Darktrace confidently identified traces of the resurgence of a stealthy cyber-attack targeting companies in Latin America. This campaign is particularly interesting because of its targeted nature, writes Max Heinemeyer, Director of Threat Hunting, Darktrace, a company that offers machine learning for cyber security.

In contrast, the vast majority of cyber-attacks are indiscriminate in nature, spreading far and wide at random, in the hopes of infecting as many devices and networks as possible, as quickly as possible. This campaign, however, targeted organizations in Latin America: from all 3,750 deployments of Darktrace’s Enterprise Immune System across 70 countries, the only identified instances of this attack are in Latin American organizations.

This targeted campaign was first observed between March and June this year. Arbor Networks initially labelled the malware used in the campaign ‘Matrix Banker’. The malware used by the attackers appeared to be still under development when the last report came out in June 2017.

Some of the TTPs (tactics, techniques and procedures) observed bear close resemblance to those seen in the ‘Matrix Banker’ attacks earlier this year. The campaign is crafted to be particularly stealthy and to blend into certain networks in Latin America, confirming the suspicion of its targeted nature. Darktrace’s machine learning and AI algorithms were able to identify the infected devices almost instantaneously, despite apparent efforts by the malware author to be covert and stealthy.

Unlike the original strain of this attack, which was believed to target financial institutions almost exclusively, this latest variant affected customers across a number of industry verticals, suggesting that the threat actors are diversifying their targets. Darktrace has seen the attack hit companies in the healthcare, telecommunications, food and retail sectors.

The initial infection vector appears to be phishing emails. The users downloaded the initial piece of malware from compromised Mexican websites. The infected files were Windows executables masquerading as .mp3 and .gif files. Darktrace instantly detected the highly anomalous behavior of these downloads, which came from external domains that were 100% rare for the networks concerned (no other device on the network had contacted them), and alerted the respective security teams.

Previous ‘Matrix Banker’ attacks also tried to conceal malware downloads using masqueraded files. What is interesting about the hacked websites serving the malware is that they use the .mx top-level domain. This localized and targeted technique is used to conceal the traffic and make it blend in with normal network traffic on networks in Mexico.

Following the initial infection, in some cases a second-stage malware was downloaded. Darktrace detected this as further anomalous activity, since the downloads again took place from 100% rare external destinations. Successful second-stage downloads were seen to be followed by suspicious HTTP POST beaconing behavior, resembling command and control communication to various domains. Not all targeted companies were seen to receive a second-stage malware download. This might indicate a sophisticated attack plan where the initial generic, covert backdoor is followed by a targeted second-stage payload that is chosen based on the victim and its potential value to the cyber criminals (long-term data exfiltration, ransomware, banking Trojan, etc.).
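The three behaviours the article says gave the infection away (executables served under .mp3/.gif names, downloads from domains no other device on the network had contacted, and HTTP POST beaconing to such domains) can be checked by a defender directly from proxy logs. The following is an added example written for this article, not Darktrace's detection logic or code; the proxy records, internal hosts and domains are all constructed for illustration, and the "100% rare" rule is simplified to "contacted by exactly one internal host in the log window".

```python
import posixpath
from collections import defaultdict
from urllib.parse import urlparse

MEDIA_EXTENSIONS = (".mp3", ".gif")
PE_MAGIC = b"MZ"  # DOS stub header that every Windows PE executable starts with

# Constructed sample proxy records (not real traffic):
# (internal host, requested URL, HTTP method, first bytes of the response body)
SAMPLE_LOG = [
    ("10.0.0.11", "http://shop-example.mx/img/promo.gif", "GET", b"GIF89a\x01\x00"),
    ("10.0.0.12", "http://shop-example.mx/img/promo.gif", "GET", b"GIF89a\x01\x00"),
    ("10.0.0.13", "http://shop-example.mx/img/promo.gif", "GET", b"GIF89a\x01\x00"),
    ("10.0.0.12", "http://mail-example.com/inbox", "GET", b"<html>"),
    ("10.0.0.13", "http://mail-example.com/inbox", "GET", b"<html>"),
    # one host fetches an "mp3" that is really an executable from a never-seen .mx site
    ("10.0.0.11", "http://news-example.mx/audio/track.mp3", "GET", b"MZ\x90\x00\x03"),
    # the same host then fetches a second-stage "gif" and starts POSTing to that domain
    ("10.0.0.11", "http://cdn-example.cat/upd/lib.gif", "GET", b"MZ\x90\x00\x03"),
    ("10.0.0.11", "http://cdn-example.cat/gate", "POST", b"ok"),
]


def domain_of(url):
    return urlparse(url).hostname or ""


def extension_of(url):
    # splitext on the URL path only, so query strings and dotted directories do not confuse it
    return posixpath.splitext(urlparse(url).path.lower())[1]


def is_masqueraded_executable(url, body_head):
    """True when the URL claims a media file but the body carries a PE header."""
    return extension_of(url) in MEDIA_EXTENSIONS and body_head.startswith(PE_MAGIC)


def hosts_per_domain(records):
    seen = defaultdict(set)
    for host, url, _method, _body in records:
        seen[domain_of(url)].add(host)
    return seen


def rare_domains(records):
    """Domains contacted by exactly one internal host: '100% rare' for this network."""
    return {d for d, hosts in hosts_per_domain(records).items() if len(hosts) == 1}


def triage(records):
    """Return (host, domain, reasons) for every record that matches at least one rule."""
    rare = rare_domains(records)
    alerts = []
    for host, url, method, body in records:
        domain = domain_of(url)
        reasons = []
        if is_masqueraded_executable(url, body):
            reasons.append("executable masquerading as media file")
        if domain in rare:
            reasons.append("100% rare external domain")
        if method == "POST" and domain in rare:
            reasons.append("HTTP POST to rare domain (possible beaconing)")
        if reasons:
            alerts.append((host, domain, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for host, domain, reasons in triage(SAMPLE_LOG):
        print(host, domain, "; ".join(reasons))
```

On the constructed log, only 10.0.0.11 is flagged: once for the masqueraded .mp3 from the rare .mx domain, once for the masqueraded .gif from the rare .cat domain, and once for the POST to that same domain. The magic-byte check is what defeats the file-name disguise the article describes; the rarity rule is what makes a single odd download stand out even when the file-type check is not available (for example over TLS without inspection).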

Affected organisations reported that infected devices had their anti-virus disabled or removed by the malware: evidence that companies cannot, in today’s era of sophisticated and evolving cyber-threats, rely solely on traditional security tools.

The use of domains hosted on .cat (the top-level domain for the Catalan culture and language) indicates that the attackers are highly aware of the cultural context of their target victims and try to make the malware communication blend in with normal network traffic.

© 2024 Professional Security Magazine. All rights reserved.