In-Depth Look: APT Attack Tools of the Trade

Recently, we shed some light on APT attack tools and how to identify them. Part of our daily work as threat researchers revolves around investigating APT actors and the tools they use, so that we can better protect our customers. The purpose of this blog is to further investigate the tools that APT actors typically use and what they do with them.

How these tools are used

While many would think these tools are used during the initial compromise phase of an attack, that is not the case with this post. I will be focusing on the tools that are used after the initial compromise is attained. The following diagram illustrates where these tools are commonly used in a traditional APT lifecycle.

Figure 1. Traditional APT lifecycle

Step 1: The attacker sends malware to the victim. This can be done in many ways – an email message with a malicious attachment, a USB flash disk, or a compromised web site are all possibilities.

Step 2: The malware is executed on the affected system. This may require manual steps by the victim, or it could be done without any intervention using exploits.

Step 3: When the malware is run, it drops a backdoor such as STARSYPOUND or BOUNCER. These first stage tools push a backdoor to the attacker for later access, allowing the attacker to maintain persistence and get access to the system at a later time.

Step 4: The attacker then uploads tools to perform data exfiltration, lateral movement, and a litany of other tasks.

Tools overview

The tools listed below include some of the tools APT actors use on a daily basis. These tools are typically employed once the APT actor gets access to the victim’s machine via one of the first stage tools listed above. Keep in mind, however, that this list does not include first stage tools such as backdoors, Trojans, and other categories of tools.

In addition, this is not a complete listing of tools, since that is impossible to create given the ever-changing threat landscape. Many APT actors use custom coded applications that perform similar functionality, and thus may differ from those listed below. Use this list as a baseline of functionality to help identify similar tools in your environment and to demonstrate known tools that are used in common APT campaigns.

Word of caution

Identifying these tools does not necessarily imply that you have been compromised or fallen victim to an APT attack. The IOCs contain MD5s of the compiled apps/scripts and/or unique strings within the code prior to being compiled. Minor modifications to these files can change the MD5 hash, so this is a limited method for identification of these applications/scripts. Also note that the phase of usage is generic for when Trend Micro typically sees these tools used. These tools are sometimes used in other stages of APT attacks. Some of them also have valid use cases where there are business needs for using the application. (Some examples include Netbox, dbgview, sdelete, etc.)

| Tool Name | Description | Typical Phase of Usage | Indicators of Compromise (IOC) |
|---|---|---|---|
| GETMAIL | Typically used to ascertain mail archives and mail out of those archives. | Exfiltration | Unique String: Lu’s Crazy Profile (democode); Saved File Name: >=3 digit number-attach.doc |
| Netbox | For hosting tools/drop servers/C2 servers. Commonly used as infrastructure on the backend to support operational tasks. (Netbox also has valid uses, and is not a direct indicator of compromise.) | Attack, Exfiltration, Persistence | N/A |
| Pwdump | Dumps password hashes from the Windows registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks. | Lateral Movement | MD5: 0xDD2EF0D6487385839BBF7863FE450CC5 |
| Cachedump | A program for extracting cached password hashes from a system’s registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks. | Lateral Movement | MD5: 5065266fbad9362d5a329c5388627ea5 |
| Lslsass | Dumps active login session password hashes from Windows processes. It is used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks. | Persistence, Lateral Movement | MD5: ede305561db6f7ca1783e0fc75d0db14 |
| mapiget | This is for collecting emails directly from Outlook, prior to ever getting archived. It is then dumped to text files. | Persistence, Lateral Movement | Unique String: WNetCancelConnection2W; Saved File Name: 5-mail.txt, mail.txt |
| HTRAN | Connection bouncer, redirects TCP traffic destined for one host to an alternate host. It is also used to help obfuscate the source IP of an attacker. It allows the attacker to bounce through several connections in the victim country, confusing incident responders. | Attack, Exfiltration, Persistence | MD5: e0c14f98c4d4b995f00d49616bf9ba57, 2edfe2b5238c8f49130f2a2f85e33c18, 1725e68e574e4b077f7d16f7fa30d984, 7e3bb01afb4c50da526d142fdf444688, 3548ea689e06a2599bdd1bdb909abb75 |
| Windows Credential Editor (WCE) | A security tool that allows listing logon sessions and adding, changing, listing and deleting associated credentials. | Persistence, Lateral Movement | MD5: bd73c74819d8db09c645c738bbd3f5b9, df840ac27051d26555a109cc47d03fe4 |
| Lz77.exe | It is used as a compression application to help exfiltrate data. This is commonly seen in Winrar, 7zip, and Winzip. | Exfiltration | MD5: 2238453fd8225baff0d52bf64361b4fd |
| Gsecdump | Grabs SAM file, cached credentials, and LSA secrets. Used for lateral movement in victim environment and pass-the-hash style attacks. | Lateral Movement | MD5: 57F222D8FBE0E290B4BF8EAA994AC641, 875f3fc948c6534804a26176dcfb6af0, 8ee24ad5b849877907304de566fb6dc6 |
| ZXProxy (A.K.A. AProxy) | Proxy functionality for traffic redirection. This helps redirect HTTP/HTTPS connections for source obfuscation. We have seen it used in data exfiltration. | Exfiltration, Persistence | MD5: 0xEB36A5EF6A807FB7B2E2912E08B4882D, 0x69F5A988B4F3A3E5D300D489C9707CD6, 286760651edfe6a8b34988004156b894 |
| LSB-Steganography | Uses steganography techniques to embed files into images. This helps with data exfiltration as well as during the initial compromise of a traditional APT attack. | Initial Compromise, Exfiltration | MD5: c188ef350f1ee0e5fa6f6ef2e70231bc |
| UPX Shell | Used to help pack code for malware used in APT campaigns. This tool helps prevent reverse engineering and code analysis. | Attack, Persistence | MD5: 1281478d409de246777472db99f58751 |
| ZXPortMap | Traffic redirection tool, which helps to obfuscate the source of connections. | Persistence, Exfiltration | MD5: 9a7b9caae7b8b3a2b5d68e6880b6d0a4, 2fdbb3ee0edc5e589ea727bbc2cd6d50 |
| ZXHttpServer | Small HTTP server that is deployable and extremely flexible. We have seen it used when attempting transfer of some files. | Exfiltration | Unique String: ZXHttpServer, ZXHttpServer.exe |
| Sdelete | Secure deletion tool. Allows for secure deletion to make forensic recovery difficult, therefore complicating incident response procedures. | Persistence, Cover | MD5: e189b5ce11618bb7880e9b09d53a588f |
| Dbgview | An application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. | Persistence, Lateral Movement | MD5: cea66497fa93db4b0dd33438a2a5d6bd |

Many of these tools are copied to victim machines, and are often never removed by the APT actors for whatever reason. If you happen to see tools that are similar in function to the tools listed above, I think it warrants a closer look at the tools, and how they are being used in your environment.

What Can Be Done

There are many things that can be done to help prevent the installation of these applications onto your organizational machines such as the following:

  1. Utilize application whitelisting where necessary to prevent these items from being installed/used on your systems.
  2. Include SIEM resources in your organizational budget for robust logging. This will help forensically should it be needed.
  3. Remove local administrator rights for users. This will help prevent new applications from being installed in the traditional fashion. While some of these applications don’t require installation to work, not having administrator rights will limit what these applications can do.

Many of the tools listed above will be blocked by Trend Micro products, which classify them as malicious. Here are some additional recommendations on what to do when you see these applications being used for malicious purposes:

  1. Look at firewall, system, security, proxy, and other logs that your system is logging to identify usage patterns of the tools. Look for communication on erroneous ports as well as traffic to IP space that is not typical to the user.
  2. Utilize IOCs (indicators of compromise) to locate similar filenames or MD5/SHA hashes for applications similar to those above. Focus on the path of utilization as well as filename oddities (such as an app named xzz.exe, which would raise a red flag).
  3. Utilize WMIC to create a script that can search throughout your entire organizational Active Directory trees and look for unique identifiers of these tools.
  4. Create a list of bad applications unique to your organization. Utilize these lists and native toolsets to each operating system to locate questionable tools. Tools for Windows like PsExec work well for this. On Linux systems, dpkg-query or qpkg work well for this.
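
A small sweep for recommendation 2, as an added example (not Trend Micro's code): it checks files against a subset of the MD5, unique-string and saved-file-name IOCs from the table above. Function and variable names are illustrative; because a minor modification changes the MD5, the string and filename checks run independently of the hash check.

```python
import hashlib
import os
import re

def normalize_md5(value):
    """Lower-case a hash and strip the '0x' prefix some table entries carry."""
    value = value.strip().lower()
    return value[2:] if value.startswith("0x") else value

# Subset of the IOCs from the table on this page; extend with the remaining rows.
MD5_IOCS = {normalize_md5(h): tool for h, tool in [
    ("0xDD2EF0D6487385839BBF7863FE450CC5", "Pwdump"),
    ("5065266fbad9362d5a329c5388627ea5", "Cachedump"),
    ("57F222D8FBE0E290B4BF8EAA994AC641", "Gsecdump"),
    ("e0c14f98c4d4b995f00d49616bf9ba57", "HTRAN"),
]}
STRING_IOCS = {"ZXHttpServer": "ZXHttpServer"}
# GETMAIL saved file name: ">=3 digit number-attach.doc"
NAME_IOCS = {re.compile(r"^\d{3,}-attach\.doc$", re.I): "GETMAIL"}

def scan_file(path, md5_iocs=MD5_IOCS):
    """Return [(indicator_type, tool), ...] for one file."""
    name = os.path.basename(path)
    hits = [("filename", t) for rx, t in NAME_IOCS.items() if rx.match(name)]
    with open(path, "rb") as fh:
        data = fh.read()  # fine for tool-sized files; stream for very large ones
    tool = md5_iocs.get(hashlib.md5(data).hexdigest())
    if tool:
        hits.append(("md5", tool))
    for text, t in STRING_IOCS.items():
        # Windows binaries may hold the string as ASCII or as UTF-16LE
        if text.encode("ascii") in data or text.encode("utf-16-le") in data:
            hits.append(("string", t))
    return hits

def scan_tree(root, md5_iocs=MD5_IOCS):
    """Walk root; return {path: hits} for files with at least one hit."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                hits = scan_file(path, md5_iocs)
            except OSError:
                continue  # unreadable or locked file: skip it, keep sweeping
            if hits:
                results[path] = hits
    return results
```

Call `scan_tree()` on a directory and treat each hit as a lead to triage rather than a verdict, since several of the listed tools have valid business uses.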

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 5. March 2013.