Another great find. As pointed out by Rui.A too!
The RSA Incident Response (RSA IR) team has developed an in-depth report called Emerging Threat Profile: Shell_Crew, where they detail the TTPs used by an adversary that we have dubbed “Shell_Crew.” The Shell_Crew report is based on RSA IR’s multiple incident response engagements involving a group of advanced threat actors whose objective is to gain access, stay entrenched and ultimately steal as much data and intellectual property as possible.

It appears that Shell_Crew has persisted in enterprises of varying sizes for years without being detected – updating or replacing existing malicious backdoors and continuing to map the enterprise while installing Web shells and poisoning existing web pages. These tenacious approaches make it difficult for an under-resourced internal security team to detect and remediate the actions of this adversary.
The report is now live at http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf, and a blog detailing the threat is also now live on Speaking of Security.
A few of the highlights include:
- Prevalent use of Web shells to maintain low-level persistence in spite of determined remediation efforts;
- Altering or poisoning existing legitimate web pages maintained by an organization;
- Occasional use of Web application framework exploits to achieve initial entry versus standard spearphishing attacks;
- Lateral movement and compromise of Digital Code Signing
- Abuse of Code Signing infrastructure to validly sign custom
- Exploiting systems using different SETHC.exe methods accessible via Remote Desktop Protocol (RDP);
- Long history of IP/DNS telemetry allowing for historical research and link analysis;
- Placement of malicious proxy tools introduced into the environment on Windows server-based proxies to bypass proxy logging;
- Extensive use of time/date stomping of malicious files to hinder forensic analysis; and
- Malware leveraging compromised credentials to bypass authentication NTLM proxies (proxy aware).
Check out the full report. Feel free to add thoughts and comments!
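The time/date stomping highlight above is one of the few items on the list a responder can test for directly from an MFT export. The following is an added example, not code from the report or from RSA IR: it applies two common NTFS heuristics (the $STANDARD_INFORMATION created time falling before the $FILE_NAME created time, and $SI times with an all-zero fractional second) to constructed sample records, and the record class, field names and sample paths are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftRecord:
    """Subset of an NTFS MFT entry (hypothetical layout): $STANDARD_INFORMATION ($SI)
    and $FILE_NAME ($FN) created/modified times as parsed by an MFT tool of your choice."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the heuristic indicators that fire for one record (empty list = none).

    Heuristics (leads for a responder, not proof on their own):
      - $SI created earlier than $FN created: $SI is writable from user mode via
        SetFileTime, while $FN is rewritten only by the kernel on create/rename/move,
        so a file that appears to predate its own directory entry is suspect.
        Caveat: a file moved within the same volume can also show this.
      - $SI created and modified with a zero fractional second: NTFS keeps 100 ns
        resolution, and tools that take second-granular input leave the fraction at
        zero. Caveat: files copied from FAT/exFAT or some archives look the same.
    """
    hits = []
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        hits.append("zero_fraction_si_times")
    return hits


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each flagged path to its indicators; unflagged records are omitted."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample: a normal document, and a dropped DLL whose $SI times were
# backdated to a round, second-granular value to blend in with older system files.
SAMPLE = [
    MftRecord(r"C:\Users\alice\report.docx",
              datetime(2013, 6, 1, 10, 0, 0, 123456), datetime(2013, 6, 3, 9, 30, 0, 654321),
              datetime(2013, 6, 1, 10, 0, 0, 123456), datetime(2013, 6, 1, 10, 0, 0, 123456)),
    MftRecord(r"C:\Windows\System32\svchost32.dll",
              datetime(2009, 7, 14, 0, 0, 0, 0), datetime(2009, 7, 14, 0, 0, 0, 0),
              datetime(2013, 6, 1, 10, 5, 0, 456789), datetime(2013, 6, 1, 10, 5, 0, 456789)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, "->", ", ".join(hits))
```

Corroborate any hit with $UsnJrnl or $LogFile entries and the file's content before calling it stomped, since both heuristics have benign explanations.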