A technical paper challenges the misconception that APT groups are inevitable “masters of exploitation.”

New research on advanced persistent threat (APT) groups continues to surface, but one analyst has taken a deeper look at the exploit skills these attackers exhibit compared to commercial malware authors.

To conduct his research, Gabor Szappanos, a principal researcher at SophosLabs Hungary, tracked the use of a popular Microsoft Office exploit last year in order to glean an understanding of malware groups' skills levels. In a technical paper released Tuesday (PDF), Szappanos challenged a “common belief that APT groups are masters of exploitation,” as the report puts it.

In follow-up email correspondence with SCMagazine.com, Szappanos explained that earlier research on APT groups indicated that such actors “are not shy to dumb copy-paste to develop their solutions.”

“I was curious to see if these are just outliers, or if this is how it works generally,” Szappanos wrote of his aims.

Throughout his research, Szappanos analyzed 70 malware samples using a specific exploit for a Microsoft Office memory corruption bug, CVE-2014-1761. (Sophos noted that the bug was the third-most popular document-based exploit in the last quarter of 2014.) The firm also pointed out that, although numerous versions of Office were affected by the vulnerability, Microsoft Office 2010 Service Pack 2 (32-bit) was the only version ever attacked. Among efforts to modify the exploit, APT groups displayed the least skill in modification and quality assurance, Sophos discovered.

"We found that the malware groups have a limited understanding of, or ability to modify with success, the initial exploit," the report said. "Surprisingly, known APT groups showed less sophistication than more mainstream criminal groups," it concluded.

This is not to imply, however, that APT groups present any less of a threat, in the long run, to their targets, Szappanos explained.

In email correspondence with SCMagazine.com, Szappanos said that such groups “don't need to be sophisticated in exploitation,” since social engineering tricks, like malware-laden phishing emails, or the use of old exploits that organizations have failed to patch against, continue to remain a successful route for infiltrating organizations.

In the report, Szappanos also analyzed the exploit activities of infamous APT groups, and found that many showcased exploit skills at the “lower end” of a scale he created, which ranged from “basic exploit kiddie skills” all the way up to professional exploitation ability. Among the APT groups that fell in the “lower end” of the skill chart was a group spreading PlugX malware in the Rotten Tomato APT campaign last summer.

Back in November, Sophos said that the campaign was named, in part, after the Tomato Garden campaign and also referenced some of the malware samples that “were not effectively executed,” or, in other words, “rotten.” At the time, the security firm also suspected that attackers failed to understand the CVE-2014-1761 component of the attack – the same vulnerability Szappanos used to compare exploit skills for his new paper.

In the report, Szappanos did point out that malware authors often opt not to “show the full scope of their knowledge – only [demonstrating] as much as minimally necessary to accomplish the task of infecting the target.”

“However, it is still a good estimation of how comfortable these authors are in the exploitation stage of malware creation,” the paper continued. “In addition, in the cases when the created samples turned out to be non-working, that clearly indicates a point at which the malware authors reached their upper limit in understanding this exploit,” he said.