The advanced email spoofing attacks of hackers-for-hire group Dark Basin
An overview of the techniques used by hackers-for-hire group Dark Basin, and how AI is well-placed to respond to email impersonation attacks that other tools miss.
A report this week has revealed how the hackers-for-hire group known as ‘Dark Basin’ is targeting thousands of individuals with sophisticated and personalized email threats. The group has set up over 27,000 web pages to enable spear phishing attacks designed to harvest user credentials – most probably with the later intention of compromising the user’s account, eliciting sensitive information or wiring fraudulent payments. Among the thousands of individuals and organizations targeted are advocacy groups, journalists, elected officials, lawyers, and hedge funds.
The methods used by Dark Basin are extremely sophisticated – the emails were targeted to high-value individuals and aimed to gain their trust by falsifying known and trusted brands such as YouTube, DropBox or LinkedIn, or by posing as individual friends or colleagues. However, the reality is that thousands of businesses across the world are targeted by malicious emails crafted with this level of sophistication every single day. Darktrace regularly encounters email threats that leverage this same technique.
In fact, just last month Antigena Email neutralized an attack whereby a cyber-criminal spoofed the identity of a company’s CEO – writing in their exact style and tone – and sent out a heartfelt email to employees asking them to donate to a COVID-19 charity. The attacker had even taken the time to set up an authentic-looking web page with a donation form – all proceeds, of course, went directly into the threat-actor’s pockets.
This methodology of attack – whereby an attacker will impersonate a colleague, a boss, an IT department, or a trusted brand – has seen a significant rise this year. Prior to the outbreak of COVID-19 and the widespread adoption of remote working practices, around 20% of all malicious emails caught by Darktrace would have used some form of spoofing. Since March, we’ve seen that figure rise dramatically – 1 in 2 emails now contain some form of impersonation or spoofing. These sophisticated threats bypass the gateway on a daily basis, before being picked up and neutralized by Darktrace Cyber AI.
Figure 1: A graph showing the rise of impersonation attacks.
This trend reflects the overall success rate of this technique in the context of remote working. Last year, if you received an email from your colleague which seemed a little out of character, you might lean over your desk and ask them if they meant to send it. Today this is no longer possible. What is easier, making a phone call to check, or just clicking the link?
And it is not just individuals that these attackers are impersonating. A recent Darktrace blog gives examples where trusted presentation sites have been exploited to give a feeling of familiarity, and we’re seeing this extend to the full range of recognizable software brands we rely on for remote collaboration.
For example, we’ve seen many emails impersonating the Zoom platform, prompting the victim to accept an incoming ‘chat’ request from a colleague. The huge variety of different mechanisms that we all use to digitally communicate is playing into the hands of the criminals who suddenly find themselves with so many more methods to trick us.
Many of these malicious emails are now virtually indistinguishable from genuine communication — and there are no hard and fast rules for how employees can identify them. One email recently caught by Antigena Email attempted to coax the recipient into landing on a fake login page for the video conference application Zoom. The below illustrates how subtle the differences are between the counterfeit, and the genuine login page from the website.
Figure 2: Comparison of the counterfeit and genuine Zoom login pages.
Email filtering tools that compare emails against blacklists tend not to catch these more sophisticated and well-researched attacks. As discussed in a previous blog, many of these email threats rely on the creation of entirely new domains, which do not appear on these lists, and by default are let through.
An email security system that relies on this binary detection logic has a hard time differentiating between a legitimate email and a close copy, and no amount of employee training can guarantee complete immunity against these highly-convincing spoofing attacks. Furthermore, the ubiquity of information on social networks makes it easy for attackers to create believable emails.
However, technology powered by AI has been extremely successful in stopping these kind of advanced impersonation attacks by spotting subtle anomalies in emails that humans often miss. By understanding the human behind email communications, Antigena Email is the only email security technology that can ask whether it would be weird or unusual for a recipient to receive a given email, or visit a suspicious domain. Correlating insights around a sender’s login location, the extent of prior communication, the rarity and location of links, and over 750 other metrics, the technology detects the subtle hallmarks of an email attack that other tools miss.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
ABOUT ThE AUTHOR
Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.
Attack Trends: VIP Impersonation Across the Business Hierarchy
What is VIP impersonation?
VIP impersonation involves a threat actor impersonating a trusted, prominent figure at an organization in an attempt to solicit sensitive information from an employee.
VIP impersonation is a high-priority issue for security teams, but it can be difficult to assess the exact risks, and whether those are more critical than other types of compromise. Looking across a range of Darktrace/Email™ customer deployments, this blog explores the patterns of individuals targeted for impersonation and evaluates if these target priorities correspond with security teams' focus on protecting attack pathways to critical assets.
How do security teams stop VIP Impersonation?
Protecting VIP entities within an organization has long been a traditional focus for security teams. The assumption is that VIPs, due to their prominence, possess the greatest access to critical assets, making them prime targets for cyber threats.
Email remains the predominant vector for attacks, with over 90% of breaches originating from malicious emails. However, the dynamics of email-based attacks are shifting, as the widespread use of generative AI is lowering the barrier to entry by allowing adversaries to create hyper-realistic emails with minimal errors.
Given these developments, it's worth asking the question – which entities (VIP/non-VIP) are most targeted by threat actors via email? And, more importantly – which entities (VIP/non-VIP) are more valuable if they are successfully compromised?
There are two types of VIPs:
1. When referring to emails and phishing, VIPs are the users in an organization who are well known publicly.
2. When referring to attack paths, VIPs are users in an organization that are known publicly and have access to highly privileged assets.
Not every prominent user has access to critical assets, and not every user that has access to critical assets is prominent.
Darktrace analysis of VIP impersonation
We analyzed patterns of attack pathways and phishing attempts across 20 customer deployments from a large, randomized pool encompassing a diverse range of organizations.
Understanding Attack Pathways
Our observations revealed that 57% of low-difficulty attack paths originated from VIP entities, while 43% of observed low-difficulty attack paths towards critical assets or entities began through non-VIP users. This means that targeting VIPs is not the only way attackers can reach critical assets, and that non-VIP users must be considered as well.
While the sample size prevents us from establishing statistical significance across all customers, the randomized selection lends credence to the generalizability of these findings to other environments.
On average, 1.35% of total emails sent to these customers exhibited significantly malicious properties associated with phishing or some form of impersonation. Strikingly, nearly half of these malicious emails (49.6%) were directed towards VIPs, while the rest were sent to non-VIPs. This near-equal split is worth noting, as attack paths show that non-VIPs also serve as potential entry points for targeting critical assets.
For example, a recent phishing campaign targeted multiple customers across deployments, with five out of 13 emails specifically aimed at VIP users. Darktrace/Email actioned the malicious emails by double locking the links, holding the messages, and stripping the attachments.
Given that non-VIP users receive nearly half of the phishing or impersonation emails, it underscores the critical importance for security teams to recognize their blind spots in protecting critical assets. Overlooking the potential threat originating from non-VIP entities could lead to severe consequences. For instance, if a non-VIP user falls victim to a phishing attack or gets compromised, their credentials could be exploited to move laterally within the organization, potentially reaching critical assets.
This highlights the necessity for a sophisticated security tool that can identify targeted users, without the need for extensive customization and regardless of VIP status. By deploying a solution capable of promptly responding to email threats – including solicitation, phishing attempts, and impersonation – regardless of the status of the targeted user, security teams can significantly enhance their defense postures.
Darktrace vs Traditional Email Detection Methods
Traditional rules and signatures-based detection mechanisms fall short in identifying the evolving threats we’ve observed, due to their reliance on knowledge of past attacks to categorize emails.
Secure Email Gateway (SEG) or Integrated Cloud Email Security (ICES) tools categorize emails based on previous or known attacks, operating on a known-good or known-bad model. Even if tools use AI to automate this process, the approach is still fundamentally looking to the past and therefore vulnerable to unknown and zero-day threats.
Darktrace uses AI to understand each unique organization and how its email environment interoperates with each user and device on the network. Consequently, it is able to identify the subtle deviations from normal behavior that qualify as suspicious. This approach goes beyond simplistic categorizations, considering factors such as the sender’s history and recipient’s exposure score.
This nuanced analysis enables Darktrace to differentiate between genuine communications and malicious impersonation attempts. It automatically understands who is a VIP, without the need for manual input, and will action more strongly on incoming malicious emails based on a user’s status.
Email does determine who is a VIP, without a need of manual input, and will action more strongly on incoming malicious emails.
Darktrace/Email also feeds into Darktrace’s preventative security tools, giving the interconnected AI engines further context for assessing the high-value targets and pathways to vital internal systems and assets that start via the inbox.
Leveraging AI for Enhanced Protection Across the Enterprise
The efficacy of AI-driven security solutions lies in their ability to make informed decisions and recommendations based on real-time business data. By leveraging this data, AI driven solutions can identify exploitable attack pathways and an organizations most critical assets. Darktrace uniquely uses several forms of AI to equip security teams with the insights needed to make informed decisions about which pathways to secure, reducing human bias around the importance of protecting VIPs.
With the emergence of tools like AutoGPT, identifying potential targets for phishing attacks has become increasingly simplified. However, the real challenge lies in gaining a comprehensive understanding of all possible and low-difficulty attack paths leading to critical assets and identities within the organization.
At the same time, organizations need email tools that can leverage the understanding of users to prevent email threats from succeeding in the first instance. For every email and user, Darktrace/Email takes into consideration changes in behavior from the sender, recipient, content, and language, and many other factors.
Integrating Darktrace/Email with Darktrace’s attack path modeling capabilities enables comprehensive threat contextualization and facilitates a deeper understanding of attack pathways. This holistic approach ensures that all potential vulnerabilities, irrespective of the user's status, are addressed, strengthening the overall security posture.
Contrary to conventional wisdom, our analysis suggests that the distinction between VIPs and non-VIPs in terms of susceptibility to impersonation and low-difficulty attack paths is not as pronounced as presumed. Therefore, security teams must adopt a proactive stance in safeguarding all pathways, rather than solely focusing on VIPs.
Attack path modeling enhances Darktrace/Email's capabilities by providing crucial metrics on potential impact, damage, exposure, and weakness, enabling more targeted and effective threat mitigation strategies. For example, stronger email actions can be enforced for users who are known to have a high potential impact in case of compromise.
In an era where cyber threats continue to evolve in complexity, an adaptive and non-siloed approach to securing inboxes, high-priority individuals, and critical assets is indispensable.
Gootloader Malware: Detecting and Containing Multi-Functional Threats with Darktrace
What is multi-functional malware?
While traditional malware variants were designed with one specific objective in mind, the emergence of multi-functional malware, such as loader malware, means that organizations are likely to be confronted with multiple malicious tools and strains of malware at once. These threats often have non-linear attack patterns and kill chains that can quickly adapt and progress quicker than human security teams are able to react. Therefore, it is more important than ever for organizations to adopt an anomaly approach to combat increasingly versatile and fast-moving threats.
Example of Multi-functional malware
One example of a multi-functional malware recently observed by Darktrace can be seen in Gootloader, a multi-payload loader variant that has been observed in the wild since 2020. It is known to primarily target Windows-based systems across multiple industries in the US, Canada, France, Germany, and South Korea .
How does Gootloader malware work?
Once installed on a target network, Gootloader can download additional malicious payloads that allow threat actors to carry out a range of harmful activities, such as stealing sensitive information or encrypting files for ransom.
The Gootloader malware is known to infect networks via search engine optimization (SEO) poisoning, directing users searching for legitimate documents to compromised websites hosting a malicious payload masquerading as the desired file.
If the malware remains undetected, it paves the way for a second stage payload known as Gootkit, which functions as a banking trojan and information-stealer, or other malware tools including Cobalt Strike and Osiris .
Darktrace detection of Gootloader malware
In late 2023, Darktrace observed one instance of Gootloader affecting a customer in the US. Thanks to its anomaly-focused approach, Darktrace DETECT™ quickly identified the anomalous activity surrounding this emerging attack and brought it to the immediate attention of the customer’s security team. All the while, Darktrace RESPOND™ was in place and able to autonomously intervene, containing the suspicious activity and ensuring the Gootloader compromise could not progress any further.
In September 2023, Darktrace identified an instance of the Gootloader malware attempting to propagate within the network of a customer in the US. Darktrace identified the first indications of the compromise when it detected a device beaconing to an unusual external location and performing network scanning. Following this, the device was observed making additional command-and-control (C2) connections, before finally downloading an executable (.exe) file which likely represented the download of a further malicious payload.
As this customer had subscribed to the Proactive Notification Service (PTN), the suspicious activity was escalated to the Darktrace Security Operations Center (SOC) for further investigation by Darktrace’s expert analysts. The SOC team were able to promptly triage the incident and advise urgent follow-up actions.
Gootloader Attack Overview
Initial Beaconing and Scanning Activity
On September 21, 2023, Darktrace observed the first indications of compromise on the network when a device began to make regular connections to an external endpoint that was considered extremely rare for the network, namely ‘analyzetest[.]ir’.
Although the endpoint did not overtly seem malicious in nature (it appeared to be related to laboratory testing), Darktrace recognized that it had never previously been seen on the customer’s network and therefore should be treated with caution. This initial beaconing activity was just the beginning of the malicious C2 communications, with several additional instances of beaconing detected to numerous suspicious endpoints, including funadhoo.gov[.]mv, tdgroup[.]ru’ and ‘army.mil[.]ng.
Soon thereafter, Darktrace detected the device performing internal reconnaissance, with an unusually large number of connections to other internal locations observed. This scanning activity appeared to primarily be targeting the SMB protocol by scanning port 445.
Within seconds of DETECT’s detection of this suspicious SMB scanning activity, Darktrace RESPOND moved to contain the compromise by blocking the device from connecting to port 445 and enforcing its ‘pattern of life’. Darktrace’s Self-Learning AI enables it to learn a device’s normal behavior and recognize if it deviates from this; by enforcing a pattern of life on an affected device, malicious activity is inhibited but the device is allowed to continue its expected activity, minimizing disruption to business operations.
Following the initial detection of this anomalous activity, Darktrace’s Cyber AI Analyst launched an autonomous investigation into the beaconing and scanning activity and was able to connect these seemingly separate events into one incident. AI Analyst analyzes thousands of connections to hundreds of different endpoints at machine speed and then summarizes its findings in a single pane of glass, giving customers the necessary information to assess the threat and begin remediation if necessary. This significantly lessens the burden for human security teams, saving them previous time and resources, while ensuring they maintain full visibility over any suspicious activity on their network.
Darktrace continued to observe the device carrying out beaconing activity over the next few days, likely representing threat actors attempting to establish communication with their malicious infrastructure and setting up a foothold within the customer’s environment. In one such example, the device was seen connecting to the suspicious endpoint ‘fysiotherapie-panken[.]nl’. Multiple open-source intelligence (OSINT) vendors reported this endpoint to be a known malware delivery host .
Once again, Darktrace RESPOND was in place to quickly intervene in response to these suspicious external connection attempts. Over the course of several days, RESPOND blocked the offending device from connecting to suspicious endpoints via port 443 and enforced its pattern of life. These autonomous actions by RESPOND effectively mitigated and contained the attack, preventing it from escalating further along the kill chain and providing the customer’s security team crucial time to take act and employ their own remediation.
Possible Payload Retrieval
A few days later, on September 26, 2023, Darktrace observed the affected device attempting to download a Windows Portable Executable via file transfer protocol (FTP) from the external location ‘ftp2[.]sim-networks[.]com’, which had never previously been seen on the network. This download likely represented the next step in the Gootloader infection, wherein additional malicious tooling is downloaded to further cement the malicious actors’ control over the device. In response, Darktrace RESPOND immediately blocked the device from making any external connections, ensuring it could not download any suspicious files that may have rapidly escalated the attackers’ efforts.
The observed combination of beaconing activity and a suspicious file download triggered an Enhanced Monitoring breach, a high-fidelity DETECT model designed to detect activities that are more likely to be indicative of compromise. These models are monitored by the Darktrace SOC round the clock and investigated by Darktrace’s expert team of analysts as soon as suspicious activity emerges.
In this case, Darktrace’s SOC triaged the emerging activity and sent an additional notice directly to the customer’s security team, informing them of the compromise and advising on next steps. As this customer had subscribed to Darktrace’s Ask the Expert (ATE) service, they also had a team of expert analysts available to them at any time to aid their investigations.
Loader malware variants such as Gootloader often lay the groundwork for further, potentially more severe threats to be deployed within compromised networks. As such, it is crucial for organizations and their security teams to identify these threats as soon as they emerge and ensure they are effectively contained before additional payloads, like information-stealing malware or ransomware, can be downloaded.
In this instance, Darktrace demonstrated its value when faced with a multi-payload threat by detecting Gootloader at the earliest stage and responding to it with swift targeted actions, halting any suspicious connections and preventing the download of any additional malicious tooling.
Darktrace DETECT recognized that the beaconing and scanning activity performed by the affected device represented a deviation from its expected behavior and was indicative of a potential network compromise. Meanwhile, Darktrace RESPOND ensured that any suspicious activity was promptly shut down, buying crucial time for the customer’s security team to work with Darktrace’s SOC to investigate the threat and quarantine the compromised device.
Credit to: Ashiq Shafee, Cyber Security Analyst, Qing Hong Kwa, Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore