FINAL WORD

The June 2017 McAfee Labs Report examines some of the most powerful evasion techniques, the robust dark market for off-the-shelf evasion technology, how several contemporary malware families leverage evasion techniques and what to expect in the future, including machine learning evasion and hardware-based evasion.
Hiding in plain sight: the concealed threat of steganography

Steganography is the art and science of hiding secret messages. In the digital world, it is the practice of concealing messages in images, audio tracks, video clips, or text files. Often, digital steganography is used by malware authors to avoid detection by security systems. The first known use of steganography in a cyberattack was in the Duqu malware in 2011. When using a digital image, secret information is inserted by an embedding algorithm, the image is transmitted to the target system and there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology.
McAfee Labs sees network steganography as the newest form of this discipline, as unused fields within the TCP/IP protocol headers are used to hide data. This method is on the rise because attackers can send an unlimited amount of information through the network using this technique.
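Unused header fields are a workable covert channel precisely because the protocol standards require them to be zero, which also makes them easy to audit. The Python check below is an added illustration, not code from the McAfee report: it parses a constructed IPv4/TCP header pair and flags must-be-zero fields that carry data. The `build_ipv4_tcp` test fixture and the finding names are assumptions made for this demonstration.

```python
import struct

IP_FMT = "!BBHHHBBH4s4s"   # RFC 791 fixed header: 20 bytes
TCP_FMT = "!HHIIHHHH"      # RFC 9293 fixed header: 20 bytes


def build_ipv4_tcp(ip_flags_frag=0x4000, tcp_reserved=0):
    """Constructed 40-byte IPv4+TCP header pair used only as a test fixture.

    ip_flags_frag: IPv4 flags/fragment word (0x4000 = DF set, reserved bit clear).
    tcp_reserved:  value for the 4 reserved bits between data offset and flags.
    """
    ver_ihl = (4 << 4) | 5
    ip_hdr = struct.pack(IP_FMT, ver_ihl, 0, 40, 0x1234, ip_flags_frag,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # data offset 5 (20 bytes) | reserved bits | SYN flag
    offset_res_flags = (5 << 12) | ((tcp_reserved & 0xF) << 8) | 0x02
    tcp_hdr = struct.pack(TCP_FMT, 40000, 443, 1, 0, offset_res_flags,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr


def find_covert_fields(packet: bytes) -> list:
    """Return names of must-be-zero header fields that hold non-zero data.

    Only two fields are checked: the reserved IPv4 flag bit and the reserved
    TCP bits. Any non-zero value there is a policy violation worth alerting on.
    """
    findings = []
    if len(packet) < 20:
        return ["truncated-ip"]
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # IPv4 flags: bit 15 of this word is reserved and MUST be zero.
    if flags_frag & 0x8000:
        findings.append("ip-reserved-flag")
    # TCP (protocol 6): bits 8-11 of the data-offset word are reserved.
    if proto == 6 and len(packet) >= ihl + 20:
        offset_res_flags = struct.unpack("!H", packet[ihl + 12:ihl + 14])[0]
        if (offset_res_flags >> 8) & 0x0F:
            findings.append("tcp-reserved-bits")
    return findings


if __name__ == "__main__":
    print(find_covert_fields(build_ipv4_tcp()))                    # []
    print(find_covert_fields(build_ipv4_tcp(tcp_reserved=0xA)))    # ['tcp-reserved-bits']
```

The same check is typically expressed as an IDS rule on the reserved bits; running it over real captures also surfaces benign middlebox bugs, so the finding is a signal to investigate rather than proof of a covert channel.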
THERE ARE HUNDREDS, IF NOT THOUSANDS, OF ANTI-SECURITY, ANTI-SANDBOX AND ANTI-ANALYST EVASION TECHNIQUES EMPLOYED BY HACKERS AND MALWARE AUTHORS AND MANY OF THEM CAN BE PURCHASED OFF THE SHELF FROM THE DARK WEB.
Fareit: the most infamous password stealer

Fareit first appeared in 2011 and has since evolved in a variety of ways, including new attack vectors, enhanced architecture and inner workings and new ways to evade detection. There is a growing consensus that Fareit, now the most infamous password-stealing malware, was likely used in the high-profile Democratic National Committee breach before the 2016 US Presidential election.

The 2016 DNC breach was attributed to a malware campaign known as Grizzly Steppe. McAfee Labs identified Fareit hashes in the indicators of compromise list published in the US government’s Grizzly Steppe report. The Fareit strain is believed to be specific to the DNC attack and dropped by malicious Word documents spread through phishing email campaigns.

The malware references multiple control server addresses that are not commonly observed in Fareit samples found in the wild. It was likely used in conjunction with other techniques in the DNC attack to steal email, FTP and other important credentials. McAfee Labs suspects that Fareit also downloaded advanced threats such as Onion Duke and Vawtrak onto the victims’ systems to carry out further attacks.

Fareit spreads through mechanisms such as phishing emails, DNS poisoning and exploit kits. A victim could receive a malicious spam email containing a Word document, JavaScript, or archive file as an attachment. Once the user opens the attachment, Fareit infects the system, sends stolen credentials to its control server and then downloads additional malware based on its current campaign.

“With people, businesses and governments increasingly dependent on systems and devices that are protected only by passwords, these credentials are weak or easily stolen, creating an attractive target for cybercriminals,” Weafer continued.
90
INTELLIGENTCIO
“McAfee Labs believes attacks using password-stealing tactics are likely to continue to increase in number until we transition to two-factor authentication for system access. The Grizzly Steppe campaign provides a preview of new and future tactics.”
Q1 2017 threat activity

In the first quarter of 2017, the McAfee Labs Global Threat Intelligence network registered notable trends in cyberthreat growth and cyberattack incidents across industries:

• New threats. In Q1 2017, there were 244 new threats every minute, or more than four every second.
• Security incidents. McAfee Labs counted 301 publicly disclosed security incidents in Q1, an increase of 53% over the Q4 2016 count. The health, public
www.intelligentcio.com