Danti’s APT Inferno

Patrick Bedwell
In contrast to the many high-profile data breaches reported under various state or industry disclosure rules, cyberespionage against political targets (and the resulting loss of data) rarely gets reported. One example is Danti, an APT group that focuses primarily on government organizations in India.

Danti exploits CVE-2015-2545, a Microsoft Office vulnerability that Microsoft announced and patched in September 2015. However, because many organizations have been slow to deploy the patch, exploits targeting this vulnerability continue to be effective.

The team at Kaspersky Lab has written a detailed report on the evolution of the threat, from its initial use by the Platinum group in August 2015 to its current use by several threat groups against targets in several countries in the Asia-Pacific region. The technique commonly used to penetrate a network is spear phishing: a document from a legitimate-looking source carries malicious code that compromises the victim's system once the document is opened.

From the Kaspersky Report: “The exploit is based on a malformed embedded EPS (Encapsulated Postscript) object. This contains the shellcode that drops a backdoor, providing full access to the attackers.”
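Because the exploit payload is an EPS object embedded in an Office document, a useful triage step is to look inside suspect documents for EPS content before anyone opens them. The following Python script is an added example written for this post; it is not code from the original article, from Kaspersky Lab, or from AlienVault. It walks every part of an OOXML (.docx/.xlsx/.pptx) container and identifies EPS by magic bytes rather than by file extension, since the part names inside the zip are attacker-controlled. The sample documents it builds are constructed in memory and contain only benign EPS headers, not the malformed object the report describes.

```python
import io
import sys
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Two ways an EPS object announces itself, regardless of the file name it was given:
#  - ASCII EPS begins with "%!PS-Adobe" (normally "%!PS-Adobe-3.0 EPSF-3.0")
#  - DOS/binary EPS begins with the 4-byte magic C5 D0 D3 C6, followed by a 26-byte
#    table of section offsets/lengths and a checksum (30-byte header in total)
EPS_ASCII_MAGIC = b"%!PS-Adobe"
EPS_DOS_MAGIC = b"\xc5\xd0\xd3\xc6"


@dataclass
class EpsFinding:
    member: str            # path of the part inside the OOXML zip container
    size: int              # uncompressed size of that part
    kind: str              # "ascii-eps" or "dos-eps"
    suspicious_ext: bool   # True when the part is not named *.eps (possible masquerading)


def classify_eps(head: bytes) -> Optional[str]:
    """Return the EPS flavour for the first bytes of a part, or None if not EPS."""
    if head.startswith(EPS_DOS_MAGIC):
        return "dos-eps"
    if head.startswith(EPS_ASCII_MAGIC):
        return "ascii-eps"
    return None


def scan_ooxml(blob: bytes) -> List[EpsFinding]:
    """Walk every part of an OOXML container and flag EPS content.

    Detection is by magic bytes, not extension, because Office stores embedded
    pictures under word/media/ with whatever name the document carries.
    Raises ValueError for input that is not a zip container (e.g. legacy .doc).
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML container (legacy OLE2 .doc/.xls?)") from exc
    findings: List[EpsFinding] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(16)
            kind = classify_eps(head)
            if kind is None:
                continue
            findings.append(EpsFinding(
                member=info.filename,
                size=info.file_size,
                kind=kind,
                suspicious_ext=not info.filename.lower().endswith(".eps"),
            ))
    return findings


def build_sample_docx(embed_eps: bool) -> bytes:
    """Constructed sample (not a real exploit document): a minimal OOXML container,
    optionally carrying two benign EPS headers, one of them renamed to .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_eps:
            zf.writestr("word/media/image1.png",
                        b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n")
            zf.writestr("word/media/image2.eps", EPS_DOS_MAGIC + b"\x00" * 26)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python eps_triage.py file.docx [...]; with no arguments, scan the samples.
    targets = []
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            targets.append((path, fh.read()))
    if not targets:
        targets = [("sample-clean.docx", build_sample_docx(False)),
                   ("sample-eps.docx", build_sample_docx(True))]
    for name, data in targets:
        hits = scan_ooxml(data)
        print(f"{name}: {'EMBEDDED EPS' if hits else 'no EPS parts'}")
        for h in hits:
            flag = " (extension does not match content)" if h.suspicious_ext else ""
            print(f"  {h.member}: {h.kind}, {h.size} bytes{flag}")
```

An EPS part is not proof of exploitation, since EPS is a legitimate picture format, but in an environment with no business reason to embed PostScript it is a strong reason to quarantine the file and inspect the object. The script covers only OOXML containers; legacy OLE2 .doc/.xls files need an OLE parser and are reported as unsupported rather than silently declared clean.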

The Kaspersky Lab report also illustrates how bad actors continue to modify attack techniques to improve infection rates and avoid detection. The graphic below shows how several groups developed separate exploits for the same vulnerability:

Figure: Timeline of Attacks Using Exploits that Target CVE-2015-2545 (Source: Kaspersky Lab)

Related Pulse: CVE-2015-2545: overview of current threats (AlienVault Open Threat Exchange)

Impact on you
CVE-2015-2545 has been public since September 2015, and Microsoft released a fix in security bulletin MS15-099 that same month. That's the good news. The bad news is that the vulnerability affects these Microsoft Office versions:

2007 SP3
2010 SP2
2013 SP1 and 2013 RT SP1
2016
In other words, there could be a lot of potentially vulnerable software running in your network. For those of you who have deployed MS15-099, you get a gold star. Well done! For those of you who haven't, your systems are at risk, especially those in government agencies in India, or in targeted agencies in other countries such as the Philippines, Myanmar and Nepal.

How AlienVault Helps
The AlienVault Labs team performs the research on the latest threats, and on how to detect and respond to them, that most IT teams simply don't have the expertise, time, budget, or tools to do themselves. The Labs team regularly updates the rulesets that drive the threat detection, prioritization, and response capabilities of the AlienVault Unified Security Management (USM) platform, to keep you up to date with new and evolving threats.

The Labs team recently updated the USM platform’s ability to detect this new APT by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a compromised system.

From our weekly Threat Intelligence update:

Emerging Threat - APT.Danti

Danti is an APT actor identified by Kaspersky Lab that has been active since at least 2015, predominantly targeting Indian government organizations. According to Kaspersky's telemetry, Danti has also been actively hitting targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. During campaigns in February and March 2016, the group exploited CVE-2015-2545 via malicious Microsoft Office documents.
We've added IDS signatures and created the following correlation rule to detect Danti:

System Compromise, Targeted Malware, APT.Danti
For more information on APTs, Phishing attacks, and other malware, visit the AlienVault Open Threat Exchange (OTX) to see the research the OTX community has contributed.

Related Pulse: New Wave of Malvertising Leverages Latest Flash Exploit (AlienVault Open Threat Exchange)

Also, the integration between OTX and your USM deployment means that you are alerted whenever indicators of compromise (IOCs) being discussed in OTX appear in your network. The result is that USM customers stay up to date on the latest threat vectors, attacker techniques and defenses.