Most APTs are not so ‘sophisticated’ after all


Advanced persistent threats (APT) have emerged as a new class of malware threat in recent years. APTs are more insidious than your run-of-the-mill malware attacks. They manage to fly under the radar and evade detection. They’re also commonly believed to be more sophisticated than average malware attacks, but new research from Sophos contradicts that theory.

Gabor Szappanos, principal researcher for Sophos Labs Hungary, evaluated the malware and APT campaigns of several groups that all leveraged a particular exploit—a sophisticated attack against a specific version of Microsoft Office. He found that none of the groups were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack.

In the Sophos report, Szappanos describes how the popular exploit (CVE-2014-1761) targeted only one particular version of Microsoft Office despite the fact that 18 different variations of Office were vulnerable. Targeting other versions would require only minor modifications to the initial exploit, but Szappanos discovered that these groups have a very limited understanding of, or ability to modify, the underlying code.

“Surprisingly, known APT groups showed less sophistication than more mainstream criminal groups,” exclaimed Szappanos, adding, “Even so, these groups are able to work with what they have to infect their targets.”

The report reaches a number of interesting conclusions. Despite the aura of skill and complexity that seems to surround APTs, they are much less sophisticated than they’re given credit for. The APT groups are lacking in quality assurance. Many attacks are not thoroughly tested and attackers fail to recognize when some functionality of the attack is not working properly.

Common malware developers appear to have more skill when it comes to modifying code. That’s a problem because APTs are generally aimed at specific targets while common malware is more likely to be blasted out to a much broader audience. Thankfully, Szappanos found that neither APT attackers nor common malware developers demonstrate enough skill to modify the initial exploit significantly—at least for the specific exploit analyzed in this report.

The biggest silver lining of the whole report is that it shows that vulnerability management and timely patch deployment would be sufficient to protect against most attacks. APT players are quick to adopt new exploits as they become available and incorporate them into attacks. Because they lack the ability to significantly modify the exploits or craft unique exploits of their own, simply patching the initial attack vector should be sufficient to guard against attacks.

Silver linings aside, Szappanos summed up the report with a warning: “Despite all this, one should never underestimate the malware authors mentioned in this report. They develop sophisticated Trojan families, and they manage to deploy them successfully to high profile organizations. The fact that they are not the masters of exploitation doesn’t mean that they are any less dangerous.”

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
How much is a data breach going to cost you?