Tuesday, July 26, 2016

Feedly:Understanding Java Code and Malware | Malwarebytes Unpacked. Explained: Advanced Persistent Threat (APT)

from Understanding Java Code and Malware | Malwarebytes Unpacked

An Advanced Persistent Threat (APT) is a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target.

The target can be a person, an organization or a business. When these threats were dubbed their targets were governments and military organizations. The word threat doesn’t mean to imply that there is only one kind of malware involved, because an APT usually consists of several different attacks.

Too many professionals in the security field an attack only qualifies as an APT if it is initiated by a government (agency) or a similar organization. Given the needed resources and patience this certainly make sense.

So what does that mean in the current threat landscape?

Threat actors use different “tools” and methods to get a foothold and to widen  the breach once they are in. When it comes to stealing information, an important part of the job is to keep the breach a secret. This is because often the stolen information will lose its value rather fast once the object of the breach is aware of the situation.

Obviously, it’s also important to hide the identity of the attackers, as APT attribution could lead to some real world conflicts. So the attackers will want to hide their tracks. It is not uncommon to see the use of unpatched vulnerabilities (zero-days) in this kind of operations.


Stages of an Advanced Persistent Threat

Not all of the stages listed below will be necessary in every situation and, depending on the target and the information that the attackers are after, the tasks in the list can be very different in time, and the amount of effort, spent on them. These can be very different from case to case.

  • Get to know the target. This can vary from figuring out if there is anything worth stealing to compiling a list of employees, or even better, disgruntled ex-employees. Find out what interests the subjects, so you can use that information. in or spear-phishing attacks.
  • Finding an entrance. This usually involves social engineering techniques like spear phishing and watering holes in order to deliver customized malware.
  • Accomplishing a foothold. Get a target to run the malware on his system which is inside the targets network.
  • Carefully widen the scope from the created foothold. For example reconnaisance of the network from an infected computer. This includes putting malware and other tools on the compromised system and hiding them.
  • Find and steal the sought after or other valuable information. To do so, it may be necessary to raise the privileges of the compromised ssytem in the network.
  • Once a firm grip on the network is established it may be necessary to move or widen the entry points in the network so a more permanent access to the information is secured. If there is no need for a permanent monitoring, the tools will usually be removed to cover up the tracks. Sometimes a backdoor is left in place to make a return easier.

Groaning security professionals

The reason security researchers will groan when they hear the expression APT is the fact that some people tend to use it in cases where the threat does not meet the requirements that we specified in our definition.

Apparently, it sounds less bad when you explain that you have been breached by something “Advanced” rather than by some malware that should have been detected months ago.

For example a worm that attacks only computers that run a certain kind of software, almost exclusively used in hospitals is not an APT. It is targeted at a type of organizations and not at a particular organization.


This article explains that Advanced Persistent Threats are specialized and prolonged attacks aimed at specific targets. They are usually sponsored by nations or very large organizations.


CyberCriminals and their APT and AVT Techniques

Kill chain

Pieter Arntz


April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

July 4, 2012 - Last week, it was announced that one of the creators of BlackShades NET Remote Access Trojan was arrested along with 23 others in an international assault against cybercrime. As you recall from previous blogs posted on Unpacked, we have given you, the reader, an in-depth look into what kind of dangers are presented by the...

July 23, 2012 - Here at Malwarebytes, we are known to talk a big game and we wanted you to know that we always back it up.  Check out the Top 10 Malwarebytes Removals across the U.S. for June 2012 and see for yourself!   While we applaud the states we listed for using our product to keep themselves...

October 12, 2012 - Instant messaging is not a new concept; in fact, instant messaging software has been around for over 20 years in many different forms.  A more popular method of instant messaging these days is done with the use of the software known as Skype.  Skype allows for more than just text chatting but also calling a...

Web Analytics