Adware Campaign borrows Obfuscation Techniques from Operation Aurora attack

Pierluigi Paganini September 28, 2016

Experts from Carbon Black have spotted a new adware campaign that leverages sophisticated obfuscation techniques borrowed from Operation Aurora.

Security experts from Carbon Black have spotted a new adware campaign that relies on very sophisticated obfuscation techniques.

Crooks used the adware campaign to spread ransomware and, according to the malware researchers, its tactics resemble those of the nation-state attack known as Operation Aurora.

Carbon Black published a report that detailed the complex obfuscation techniques implemented by threat actors behind the campaign.
“Earlier this week, Carbon Black, in conjunction with the Cb User Exchange Community, discovered anomalies related to well-known Adware variants, including OpenCandy and Dealply, and trojanized Chromium, using highly sophisticated evasion techniques (previously observed by Carbon Black associated with nation-state attacks — specifically Operation Aurora, which targeted major companies including Google, Adobe, etc).” reads the report published by Carbon Black. “These obfuscation techniques easily evade sandboxing and other intrusion detection techniques due to Binary Fragmentation.”
As explained in the post, the first clue was found by chance when a customer noticed unusual command-line argument activity that was specific to the Operation Aurora attack. The indicator is the query “cmdline:copy AND cmdline:/b”, as explained in the report.

“Just for fun, I asked my customer to run the query: cmdline:copy AND cmdline:/b. Cb Response showed they had three hits. I bolted upright in my chair. Three years ago, I stumbled upon this attack vector and I’d never seen it since… until last week.” continues the report.

“As we began to triage the event, we began to see .dat files being joined to form all sorts of unusual file types including .txt, .png, .log, .ico, & .dll files. It was highly irregular.”

[Image: Operation Aurora-like attack]

“So, now for the ‘stranger’ part. As we began to walk backward up the process tree, we began noticing that the parent processes launching these rather advanced obfuscation techniques were ‘routine’ adware, flagged multiple times by Virus Total.” 
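The report’s query (cmdline:copy AND cmdline:/b) is a Cb Response search for the built-in Windows copy command run in binary mode, which is how the .dat fragments described above are joined back into .dll, .ico and similar files. The following is an added example, not code from Carbon Black or from the article: a stand-alone Python detection that applies the same logic to process-creation events. The event records, the field names (pid, parent, cmdline) and the parent process name setup_bundle.exe are constructed for the example and are assumptions, not values from the report.

```python
"""Added example (not from the Carbon Black report or the article): flag
process events whose command line is a `copy /b frag1+frag2+... dest`, the
"binary fragmentation" pattern the report describes, and rate the hit by
the type of file being assembled."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extensions the report saw being rebuilt from .dat fragments, plus the
# executable types a defender most wants to catch.
SUSPICIOUS_OUTPUT_EXT = {".dll", ".exe", ".scr", ".sys", ".ico", ".png", ".txt", ".log"}

# A token is a run of quoted segments and/or non-space characters, so
# "part a.dat"+"part b.dat" stays one argument, as cmd.exe treats it.
_TOKEN_RE = re.compile(r'(?:"[^"]*"|\S)+')


def _tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring and then stripping quotes."""
    return [t.replace('"', "") for t in _TOKEN_RE.findall(cmdline)]


def parse_copy_b(cmdline: str) -> Optional[Tuple[List[str], str]]:
    """Return (fragments, destination) if cmdline is a binary-mode copy, else None.

    Handles the `cmd.exe /c copy ...` wrapper and a `/b` switch placed anywhere
    among the arguments. `copy /b a+b` with no destination appends into `a`.
    """
    tokens = _tokenize(cmdline)
    lowered = [t.lower() for t in tokens]
    if "copy" not in lowered:
        return None
    args = tokens[lowered.index("copy") + 1:]
    switches = {a.lower() for a in args if a.startswith("/")}
    if "/b" not in switches:
        return None
    positional = [a for a in args if not a.startswith("/")]
    if not positional:
        return None
    fragments = [f for f in positional[0].split("+") if f]
    dest = positional[1] if len(positional) > 1 else fragments[0]
    return fragments, dest


def _ext(path: str) -> str:
    """Lower-cased extension of a Windows or POSIX path, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass
class Finding:
    pid: int
    parent: str
    fragments: List[str]
    output: str
    severity: str


def scan_events(events) -> List[Finding]:
    """Run the detection over event dicts with pid, parent and cmdline keys (assumed schema)."""
    findings = []
    for ev in events:
        parsed = parse_copy_b(ev["cmdline"])
        if parsed is None:
            continue
        fragments, dest = parsed
        if len(fragments) < 2:
            continue  # a binary-mode copy of a single file is routine; only joins matter
        severity = "high" if _ext(dest) in SUSPICIOUS_OUTPUT_EXT else "medium"
        findings.append(Finding(ev["pid"], ev["parent"], fragments, dest, severity))
    return findings


# Constructed sample events: two fragment joins launched by a bundled
# installer, and three benign copy/xcopy invocations that must not fire.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "setup_bundle.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy /b 1.dat+2.dat+3.dat update.dll'},
    {"pid": 4133, "parent": "explorer.exe",
     "cmdline": r"copy C:\Users\alice\report.docx D:\backup\report.docx"},
    {"pid": 4151, "parent": "setup_bundle.exe",
     "cmdline": r'cmd.exe /c copy "part a.dat"+"part b.dat" /b logo.ico'},
    {"pid": 4160, "parent": "explorer.exe",
     "cmdline": r"copy /b notes.txt D:\notes.txt"},
    {"pid": 4172, "parent": "svchost.exe",
     "cmdline": r"xcopy /s C:\src D:\dst"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} parent={f.parent} "
              f"joined {len(f.fragments)} fragments -> {f.output}")
```

Requiring at least two fragments is the part that keeps the rule quiet on ordinary backups: a lone copy /b of one file is common administrative activity, whereas several .dat pieces concatenated into a .dll or .ico is exactly the behaviour the report flags. The parent process name is carried into the finding because, as the report notes, walking up the process tree to the launching adware is what separated this from a one-off anomaly.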

The experts from Carbon Black received other similar support requests from customers that had experienced the same attack. According to the malware researchers, victims in several industries were targeted by adware variants used to deliver the Enigma ransomware.

According to Benjamin Tedesco, lead of the Advanced Consulting Team at Carbon Black, the obfuscation techniques borrowed from Operation Aurora were able to easily evade sandboxing and other detection mechanisms.

Once the target machine was compromised, the malware used in the campaign was able to drop further payloads to perform other malicious activities.

This campaign demonstrates that even behind an adware campaign it is possible to find a very sophisticated threat.


Pierluigi Paganini

(Security Affairs – Adware, Hacking)
