Another great threat Profile... Shell_Crew

Blog Post created by an Employee on Jan 23, 2014

Another great find.  As pointed out by Rui.A too!

The RSA Incident Response (RSA IR) team has developed an in-depth report called Emerging Threat Profile: Shell_Crew, where they detail the TTPs used by an adversary that we have dubbed “Shell_Crew.” The Shell_Crew report is based on RSA IR’s multiple incident response engagements involving a group of advanced threat actors whose objective is to gain access, stay entrenched and ultimately steal as much data and intellectual property as possible.


It appears that Shell_Crew has persisted in enterprises of varying sizes for years without being detected, updating or replacing existing malicious backdoors and continuing to map the enterprise while installing Web shells and poisoning existing web pages. These tenacious approaches make it difficult for an under-resourced internal security team to detect and remediate the actions of this adversary.


The report is now live at http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf, and a blog detailing the threat is also now live on Speaking of Security.


A few of the highlights include:

  • Prevalent use of Web shells to maintain low-level
    persistence in spite of determined remediation efforts;
  • Altering or poisoning existing legitimate web pages
    maintained by an organization;
  • Occasional use of Web application framework exploits to
    achieve initial entry instead of standard spearphishing attacks;
  • Lateral movement and compromise of Digital Code Signing
    Certificate infrastructure;
  • Abuse of Code Signing infrastructure to validly sign custom
    backdoor malware;
  • Exploiting systems using different SETHC.exe methods
    accessible via Remote Desktop Protocol (RDP);
  • Long history of IP/DNS telemetry allowing for historical
    research and link analysis;
  • Placement of malicious proxy tools introduced into the
    environment on Windows server-based proxies to bypass proxy logging;
  • Extensive use of time/date stomping of malicious files to
    hinder forensic analysis; and
  • Malware leveraging compromised credentials to bypass
    authenticating NTLM proxies (proxy aware).


Check out the full report.  Feel free to add thoughts and comments!