Once the file is opened, the malware takes advantage of a vulnerability in the software used to view the file and, again, successfully executes the initial exploit without alerting the targeted victim.
These methods are the most commonly used inbound infiltration mechanisms of an advanced targeted attack today. They begin with an initial vulnerability in a piece of software; that vulnerability leads to an exploit that acts as a boot loader, if you will, setting the stage for the remainder of the multi-staged, advanced malware attack.
After the initial exploit occurs, the malware will typically make a callback to what is known as the Command and Control server.
Once outbound communication is initiated, a two-way callback communication channel is established from which it can download additional binaries in order to expand its functionality. The tunnel can also be used for data exfiltration, such as stealing valuable credentials to be used in a later stage of the attack.
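One defensive angle on the callback channel described above is to look for the regular, low-volume outbound connections that such a channel tends to produce. The following is an added example, not code from the original article or from the vendor interviewed; the proxy log lines and host names are constructed, and the thresholds (at least four connections, interval jitter of at most 10%) are assumptions chosen for illustration.

```python
"""Flag periodic outbound callbacks in proxy logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
# 10.0.0.5 connects to one host every ~5 minutes; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2024-01-15T09:00:00 10.0.0.5 update.example-cdn.test 512
2024-01-15T09:05:02 10.0.0.5 update.example-cdn.test 498
2024-01-15T09:10:01 10.0.0.5 update.example-cdn.test 520
2024-01-15T09:14:59 10.0.0.5 update.example-cdn.test 505
2024-01-15T09:20:00 10.0.0.5 update.example-cdn.test 511
2024-01-15T09:01:13 10.0.0.7 news.example.test 2048
2024-01-15T09:01:40 10.0.0.7 news.example.test 30500
2024-01-15T09:27:05 10.0.0.7 news.example.test 1200
2024-01-15T09:48:52 10.0.0.7 news.example.test 9000
2024-01-15T10:30:10 10.0.0.7 news.example.test 700
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _nbytes = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions


def find_beacons(sessions, min_hits=4, max_cv=0.1):
    """Return (src, dst, mean_interval_seconds) for pairs whose connection
    intervals are nearly constant: the coefficient of variation (stdev / mean)
    of the gaps is at most max_cv over at least min_hits connections.
    Thresholds are assumed values for this example, not a vendor setting."""
    beacons = []
    for (src, dst), times in sessions.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, dst, round(avg)))
    return beacons


if __name__ == "__main__":
    for src, dst, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible callback channel: {src} -> {dst} every ~{period}s")
```

Real callbacks often add jitter or use longer intervals, so this regularity check is a triage signal to combine with destination reputation and volume, not a verdict on its own.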
It's also important to note that these attacks go well beyond the initial desktop infection. The attackers target the desktop because it is the weakest link in the enterprise architecture. However, once the desktop is compromised, the malware can attempt to spread laterally, infecting and polluting file shares or beginning to mine data from other resources found in the network. This is the very nature of a multi-staged advanced malware attack. A good example of this is the RSA breach, in which the SecurID master key database was the goal and was ultimately compromised in a highly targeted attack.
What does all that mean for organisations in Asia, particularly those in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong, China and India?
We've only just begun to enter these markets and thus, given the threats known to financial organisations across Singapore, Malaysia and Hong Kong, for example, they are very interested in addressing this new threat layer, and we have been working with them to explore deployment of our solution in their networks. They are beginning to realise that despite extensive investments in firewalls, AVs, secured gateways, IPS and the like, they are still vulnerable and exposed to such attacks. This has very much to do with the proliferation and sophistication of malware, where traditional technologies are simply no longer capable of catching up with these cyber criminals and attacks.
Some of the ASEAN government organisations in these regions are also starting to look at how to draw up the right policies and compliance standards to ensure steps are taken to prevent such attacks in their countries, and we are invited to take part in discussions to help them draft some of these. CIOs in these regions are also starting to look into this issue; whereas in the past they may have delegated the responsibility to their CISOs, today they themselves are also starting to take a deep interest in it.