Malware Callbacks

Today we released our first-ever analysis of malware callbacks.

FireEye monitored more than 12 million malware communications
seeking instructions—or callbacks—across hundreds of thousands of
infected enterprise hosts, capturing details of advanced attacks as
well as more generic varieties during the course of 2012. Callback
activity reveals a great deal about an attacker’s intentions,
interests and geographic location. Cyber attacks are a widespread
global activity. We’ve built interactive maps that highlight the
presence of malware globally.

Our key findings:

  1. Malware has become a multinational activity. Over the past
    year, callbacks were sent to command and control (CnC) servers in
    184 countries—a 42 percent increase when compared to 130 countries
    in 2010.
  2. Two key regions stand out as hotspots driving advanced cyber
    attacks: Asia and Eastern Europe. Looking at the average
    callbacks per company by country, the Asian nations of China, South
    Korea, India, Japan, and Hong Kong accounted for 24 percent. Not far
    behind, the Eastern European countries of Russia, Poland, Romania,
    Ukraine, Kazakhstan, and Latvia comprised 22 percent. (North America
    represented 44 percent, but this is due to CnC servers residing in
    the United States to help attackers with evasion.)
  3. The majority of Advanced Persistent Threat (APT) callback
    activities are associated with APT tools that are made in China or
    that originated from Chinese hacker groups. By mapping the DNA
    of known APT malware families against callbacks, FireEye Malware
    Intelligence Lab discovered that the majority of APT callback
    activities—89 percent—are associated with APT tools that are made in
    China or that originated from Chinese hacker groups. The main tool
    is Gh0st RAT.
  4. Attackers are increasingly sending initial callbacks to servers
    within the same nation in which the target resides. To improve
    evasion, hackers are increasingly placing CnC servers within target
    nations. At the same time, this fact gives a strong indicator of
    which countries are most interesting to attackers.
  5. Technology organizations are experiencing the highest rate of APT
    callback activity. With a high volume of intellectual
    property, technology firms are natural targets for attackers and are
    experiencing heavy APT malware activity.
  6. For APT attacks, CnC servers were hosted in the United States 66
    percent of the time, a strong indicator that the U.S. is still the
    top target country for attacks. As previously mentioned,
    attackers increasingly put CnC servers in the target country to help
    avoid detection. With such a high proportion of CnC servers, by a
    wide margin, the U.S. is subject to the highest rate of malware
    attacks. This is likely due to a very high concentration of
    intellectual property and digitized data that resides in the
  7. Techniques for disguising callback communications are
    To evade detection, CnC servers are leveraging social
    networking sites like Facebook and Twitter for communicating with
    infected machines. Also, to mask exfiltrated content, attackers
    embed information inside common files, such as JPGs, to give network
    scanning tools the impression of normal traffic.
  8. Attack patterns vary substantially globally:
    1. South Korean firms experience the highest level of callback
      communications per organization. Due to a robust internet
      infrastructure, South Korea has emerged as a fertile location
      for cybercriminals to host their CnC infrastructure. For
      example, FireEye found that callbacks from technology firms are
      most likely to go to South Korea.
    2. In Japan, 87 percent of callbacks originated and stayed in
      . This may give an indication of the high value of
      Japanese intellectual property.
    3. In Canada, 99 percent of callbacks exited the country. In the
      U.K., exit rates were 90 percent. High exit rates indicate that
      attackers are unconcerned about detection; in Canada and the
      U.K., they appear to pursue low-hanging fruit opportunistically.
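One defensive check against the JPG-embedding evasion described in finding 7, written here as an added example rather than FireEye's own code or tooling: it walks a JPEG's marker segments and flags bytes appended after the end-of-image (EOI) marker, the simplest way to hide exfiltrated content in an image that still renders, as well as unusually large APPn/COM metadata segments. The sample byte strings, the `build_sample` helper and the `max_metadata` threshold are constructed assumptions for the demonstration.

```python
import struct

SOS, EOI = 0xDA, 0xD9  # start-of-scan and end-of-image marker codes

def parse_jpeg(data):
    """Walk the marker segments up to SOS; return (segments, scan_start)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:
            return segments, pos  # entropy-coded scan data begins here
    raise ValueError("no SOS segment: truncated or malformed JPEG")

def analyze_jpeg(data, max_metadata=65536):
    """Report bytes after EOI and total APPn/COM metadata; flag either as suspicious."""
    segments, scan_start = parse_jpeg(data)
    # Inside scan data every 0xFF is stuffed (0xFF00) or an RSTn marker,
    # so the first 0xFFD9 after scan_start is the real end-of-image marker.
    eoi = data.find(b"\xff\xd9", scan_start)
    if eoi < 0:
        raise ValueError("no EOI marker")
    trailing = len(data) - (eoi + 2)
    metadata = sum(len(p) for m, p in segments if 0xE0 <= m <= 0xEF or m == 0xFE)
    return {"trailing_bytes": trailing, "metadata_bytes": metadata,
            "suspicious": trailing > 0 or metadata > max_metadata}

def build_sample(trailing=b"", comment=b""):
    """Constructed minimal JPEG-shaped byte string (assumption; not a decodable image)."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"  # includes one stuffed 0xFF00 byte pair
    out = b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    if comment:
        out += b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    out += b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
    return out + scan + b"\xff\xd9" + trailing

if __name__ == "__main__":
    print(analyze_jpeg(build_sample()))
    print(analyze_jpeg(build_sample(trailing=b"stolen-record," * 40)))
```

A clean file reports zero trailing bytes; a file with a payload appended after EOI, or with metadata far beyond what a camera or editor would write, is flagged for closer inspection.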