APT

Harry, a professional hacker, targeted the IT infrastructure of an organization. After preparing for the attack, he attempts to enter the target network using techniques such as sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. Using these techniques, he successfully deployed malware on the target system to establish an outbound connection. What is the APT lifecycle phase that Harry is currently executing?


Option 1 : Preparation
Option 2 : Cleanup
Option 3 : Initial intrusion
Option 4 : Persistence

1. Preparation

APT attack and exploitation operations typically involve a high degree of preparation. Additional assets and data may be needed before plans can be carried out, and highly complex operations may be required before the exploitation plan is executed against the first target(s). For instance, the breach of RSA's systems provided access to materials that the actors later used to bypass authentication systems and gain remote access to the networks of what appear to have been their primary targets. In the preparation phase, actors enumerate the components necessary to execute their plan and begin gathering them. These components commonly include infrastructure, tools, data, information on the targets' environment and other required assets. Actors also collect intelligence on the security controls and procedures they are likely to encounter in order to make evasion and response plans. For instance, actors may register new domains or configure domains at dynamic DNS providers, set up malware command and control (C2) servers at hosting sites or on previously compromised systems, allocate web and FTP (File Transfer Protocol) servers to host phishing or exploit sites and data drops, acquire email servers for relaying spam or for data exfiltration, and so on. Even public services such as Google code, documents and chat, Twitter, IRC (Internet Relay Chat) and blog sites may be set up ahead of time for use as C2 channels. For attack operations, actors may have to construct or rent botnets. The infrastructure needed to carry out an operation varies with the target and the objective, but the necessary resources are identified and readied before the attack against the target. Monitoring of preparation activities can sometimes provide insight into upcoming targets and objectives. As mentioned earlier, APT actors are tenacious, which makes APT a battle of attrition.
Attackers can dedicate a month to compromising the e-mail system at the first target's business partner and to gathering documents and target profile information if it means spearphishing attempts are more likely to succeed. Some operations last for years and are focused on such high-value objectives that the time spent in the preparation phase represents a small investment in the overall operation.

2. Cleanup

This is the last phase, in which an attacker performs certain steps to avoid detection and remove evidence of compromise. Covering tracks includes evading detection, eliminating evidence of the intrusion, and hiding the target of the attack and the attacker's details. In some cases, covering tracks also includes manipulating the data in the target environment to mislead the security analysts.
It is imperative for attackers to make the system appear as it was before access was gained and the network was compromised. Therefore, it is essential for an attacker to cover their tracks and remain unnoticed by the security analysts. This includes changing any file attributes back to their original state, since listed information such as file size is just attribute information contained in the file.

3. Initial intrusion

After the attacker completes preparations, the next step is an attempt to gain a foothold in the target's environment. A particularly common entry tactic is the use of spearphishing emails containing a web link or an attachment. Email links usually lead to sites where the target's browser and related software are subjected to various exploit techniques, or where the APT actors attempt to social-engineer information from the victim that can be used later. If a successful exploit takes place, it installs an initial malware payload on the victim's computer. Figure 2 illustrates an example of a spearphishing email that contains an attachment. Attachments are usually executable malware, a zip or other archive containing malware, or a malicious Office or Adobe PDF (Portable Document Format) document that exploits vulnerabilities in the victim's applications to ultimately execute malware on the victim's computer. Once the user has opened a malicious file using vulnerable software, malware is executing on the target system. These phishing emails are often very convincing and difficult to distinguish from legitimate email messages. Tactics to increase their believability include modifying legitimate documents from, or associated with, the organization. Documents are sometimes stolen from the organization or its collaborators during previous exploitation operations. Actors modify the documents by adding exploits and malicious code, then send them to the victims. Phishing emails are commonly sent through previously compromised email servers, email accounts at organizations associated with the target, or public email services. Emails can also be sent through mail relays with modified email headers to make the messages appear to have originated from legitimate sources. Exploitation of vulnerabilities on public-facing servers is another favorite technique of some APT groups.
Though this can be accomplished using exploits for known vulnerabilities, 0-days are often developed or purchased for use in intrusions as required.


Gaining a foothold in the target environment is the primary goal of the initial intrusion. Once a system is exploited, the attacker usually places malware on the compromised system and uses it as a jump point or proxy for further actions. Malware placed during the initial intrusion phase is usually a simple downloader, a basic Remote Access Trojan or a simple shell. Figure 3 illustrates a newly infected system initiating an outbound connection to notify the APT actor that the initial intrusion attempt was successful and that it is ready to accept commands.
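The outbound check-in described above is what defenders look for in proxy or firewall logs: a host contacting the same external destination at near-regular intervals with small, similarly sized requests. The following is an added example (not code from the original post) that runs a simple beacon heuristic over a few constructed log lines; the log format, the hostnames and the thresholds are all assumptions made for the illustration.

```python
"""Beacon detection over constructed web-proxy log lines (added example, not from the original post)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in an assumed "timestamp src_ip dst_host bytes" format.
# 'updates.example-c2.test' is a made-up placeholder, not a real indicator.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.12 www.example.com 5120
2024-03-01T09:00:03 10.0.0.12 cdn.example.com 90210
2024-03-01T09:01:00 10.0.0.12 updates.example-c2.test 312
2024-03-01T09:02:00 10.0.0.12 updates.example-c2.test 318
2024-03-01T09:02:41 10.0.0.12 mail.example.com 20480
2024-03-01T09:03:00 10.0.0.12 updates.example-c2.test 305
2024-03-01T09:04:00 10.0.0.12 updates.example-c2.test 320
2024-03-01T09:05:00 10.0.0.12 updates.example-c2.test 309
2024-03-01T09:07:15 10.0.0.25 www.example.com 4096
2024-03-01T09:31:02 10.0.0.25 www.example.com 8192
2024-03-01T09:31:03 10.0.0.25 www.example.com 7001
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], size))
    return events


def find_beacons(events, min_connections=5, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection gaps are nearly constant.

    jitter = stddev(gaps) / mean(gaps); a low value means regular timing,
    which is typical of a malware check-in and atypical of human browsing.
    Thresholds are assumed values for this illustration, not tuned defaults.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_connections:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(hits),
                "interval_s": round(avg_gap, 1),
                "jitter": round(jitter, 3),
                "avg_bytes": round(mean(s for _, s in hits), 1),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

Real traffic needs more care than this toy: legitimate software updaters also poll on fixed schedules, so a finding like this is a lead for triage (check the destination's reputation and age, the process that made the connection, and whether other hosts share the same pattern), not a verdict on its own.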

4. Persistence

This phase involves maintaining access to the target's system, starting from evading endpoint security devices such as IDS and firewalls, getting into the network and establishing access to the system, and continuing until there is no further use for the information and the assets. To maintain access to the target system, attackers follow certain techniques or procedures that include the use of customized malware and repackaging tools. These tools are designed in such a way that they cannot be detected by the antivirus or the protection tools of the target. To maintain persistence, attackers use custom malware that has services, executables and drivers installed on various systems within the target network. Another way to maintain persistence is to find locations for installing the malware that are not examined often. These locations include routers, servers, firewalls, printers and the like.
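Both the persistence phase (new services, executables and drivers) and the cleanup phase (file attributes restored to their original values, evidence removed) leave traces that a baseline comparison can surface. The following is an added example, not code from the original post, that diffs two constructed file-system snapshots: it reports new entries in autostart locations, files whose contents changed while their modification time did not, and files that disappeared. The snapshot contents, paths and the list of autostart prefixes are assumptions for the illustration.

```python
"""Baseline comparison for persistence and anti-forensics indicators (added example, not from the original post)."""
import hashlib

# Assumed list of locations where a new entry means code runs automatically.
AUTOSTART_PREFIXES = (
    "/etc/systemd/system/",
    "/etc/cron.d/",
    "C:\\Windows\\System32\\drivers\\",
)


def fingerprint(content: bytes, mtime: int) -> dict:
    """Record what a file-integrity baseline would store: content hash plus mtime."""
    return {"sha256": hashlib.sha256(content).hexdigest(), "mtime": mtime}


# Constructed snapshots: a known-good baseline and a later capture of the same host.
BASELINE = {
    "/etc/systemd/system/backup.service": fingerprint(
        b"[Service]\nExecStart=/usr/local/bin/backup\n", 1700000000),
    "/usr/bin/sshd": fingerprint(b"ELF-sshd-original", 1690000000),
    "/var/log/auth.log": fingerprint(b"log data", 1700100000),
}
CURRENT = {
    "/etc/systemd/system/backup.service": BASELINE["/etc/systemd/system/backup.service"],
    # New unit in an autostart location: a persistence indicator.
    "/etc/systemd/system/telemetry.service": fingerprint(
        b"[Service]\nExecStart=/tmp/.t/agent\n", 1700200000),
    # Contents differ but mtime matches the baseline: attribute put back to hide the change.
    "/usr/bin/sshd": fingerprint(b"ELF-sshd-trojaned", 1690000000),
    # /var/log/auth.log is gone: evidence removal.
}


def compare_snapshots(baseline: dict, current: dict) -> list:
    """Return sorted (category, path) findings from comparing two snapshots."""
    findings = []
    for path, cur in current.items():
        base = baseline.get(path)
        if base is None:
            category = "new_autostart" if path.startswith(AUTOSTART_PREFIXES) else "new_file"
            findings.append((category, path))
            continue
        if cur["sha256"] != base["sha256"]:
            # A changed hash with an unchanged mtime cannot happen through normal
            # file writes, so it is the stronger of the two signals.
            category = "modified_mtime_unchanged" if cur["mtime"] == base["mtime"] else "modified"
            findings.append((category, path))
    for path in baseline:
        if path not in current:
            findings.append(("missing", path))
    return sorted(findings)


if __name__ == "__main__":
    for category, path in compare_snapshots(BASELINE, CURRENT):
        print(f"{category:26} {path}")
```

The value of this approach depends entirely on the baseline being captured before compromise and stored where the attacker cannot edit it; a baseline taken from an already-compromised host will simply ratify the attacker's changes.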


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com
