More often than not, we come across infamous malicious groups who target different victims using the same piece of malware. In such circumstances, the focus is usually on the group and the different evolving versions of their exploits.
A recent example is a variant of the InterPlanetary Storm malware, which has evolved from targeting Windows and Linux to infecting Android and macOS.
Sometimes, however, it is useful to step back and realize that the people behind these groups, for all their diverse skills, can also be tracked, and in some cases even identified.
With this in mind, researchers from Check Point have recently devised a method to attach a unique fingerprint to exploit developers, which lets security professionals not only identify who is behind a specific exploit but also find the other exploits those same actors have written.
To do this, they focused on two threat actors known for various zero-day exploits:
- Volodya AKA BuggiCorp
- Playbit AKA luxor2008
By studying each actor's exploits, they were able to fingerprint characteristics specific to that author. These characteristics were then sought in other exploits, and wherever they matched, that was taken as an indication that the same author was behind them. Explaining how the work started, the researchers stated in their research report that:
When analyzing a complicated attack against one of our customers, we noticed a very small 64-bit executable that was executed by the malware. The sample contained unusual debug strings that pointed at an attempt to exploit a vulnerability on the victim machine.
Starting from this 64-bit binary, they began the fingerprinting process by first collecting simple artifacts such as “strings, internal file name, timestamps, and the PDB path”.
Image: The different artifacts the researchers look for in an exploit
Using these, they matched a second, 32-bit executable, and it did not take long before they had attributed 16 different Windows LPE exploits to the same two actors.
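Added here as a constructed illustration of the triage step the text describes, not Check Point's own tooling: a short Python script that pulls the COFF build timestamp, the CodeView (RSDS) PDB path and printable strings out of synthetic PE-like buffers and reports which samples share a build directory, debug strings or a build window. The sample names, paths, strings and timestamps are made up, and the RSDS record is located by a byte scan rather than by walking the PE debug directory.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
def build_sample(ts: int, pdb_path: bytes, debug_strings: bytes) -> bytes:
    """Constructed PE-like buffer (not a real sample): MZ stub, PE signature,
    COFF header with TimeDateStamp, debug strings, then a CodeView RSDS record."""
    mz = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0x22)
    rsds = b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path + b"\x00"
    return mz + b"PE\x00\x00" + coff + debug_strings + rsds

def extract_artifacts(data: bytes) -> dict:
    """Cheap triage artifacts: COFF build timestamp, PDB path, printable strings."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # TimeDateStamp field
    pdb, i = None, data.find(b"RSDS")  # byte scan; a full parser walks the debug directory
    if i != -1:
        start = i + 24  # "RSDS" + 16-byte GUID + 4-byte age, then NUL-terminated path
        pdb = data[start:data.index(b"\x00", start)].decode("ascii", "replace")
    strings = {s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", data)}
    return {"timestamp": datetime.fromtimestamp(ts, timezone.utc), "pdb": pdb, "strings": strings}

def link(a: dict, b: dict, window_days: int = 30) -> list:
    """Reasons two samples look like one author's work; an empty list means no link."""
    reasons = []
    if a["pdb"] and b["pdb"]:
        dir_a, dir_b = (p.lower().rsplit("\\", 1)[0] for p in (a["pdb"], b["pdb"]))
        if dir_a == dir_b:
            reasons.append("same PDB build directory: " + dir_a)
    shared = sorted(s for s in a["strings"] & b["strings"] if not s.lower().endswith(".pdb"))
    if shared:
        reasons.append("shared debug strings: " + "; ".join(shared))
    if abs(a["timestamp"] - b["timestamp"]) <= timedelta(days=window_days):
        reasons.append("built within %d days of each other" % window_days)
    return reasons
SAMPLES = {  # constructed samples: A and B mimic one developer's project tree, C is unrelated
    "A": build_sample(1500000000, rb"C:\Users\dev1\lpe\x64\Release\lpe.pdb",
                      b"[*] Allocating fake object\x00[*] Leaking kernel pointer\x00"),
    "B": build_sample(1500500000, rb"C:\Users\dev1\lpe\x64\Release\cve2.pdb",
                      b"[*] Leaking kernel pointer\x00[+] Token stolen\x00"),
    "C": build_sample(1300000000, rb"D:\work\tool\tool.pdb", b"Usage: tool.exe <arg>\x00"),
}

def hunt(samples=SAMPLES) -> dict:  # pairwise linking over a sample set, keyed by (name, name)
    arts = {name: extract_artifacts(data) for name, data in samples.items()}
    names = sorted(arts)
    return {(x, y): link(arts[x], arts[y]) for i, x in enumerate(names) for y in names[i + 1:]}
```

Real hunting would replace the RSDS byte scan with a proper debug-directory walk and feed the artifacts into YARA-style rules across a much larger corpus.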
Moreover, since 15 of these 16 were released between 2015 and 2019, this also amounts to a blow to the Windows LPE exploit market.
One after the other, dozens of samples started to appear, and with each one, we improved our hunting rules and methodologies. With a careful analysis of the samples, we were able to understand which samples exploited which CVE, and based on that created a timeline to understand whether the exploit was written as a 0-day before it was exposed, or was it a 1-day that was implemented based on patch-diffing and similar techniques.
To conclude, this gives professionals a way to track the criminals behind malware rather than only finding ways to protect systems against it. Nor is this the first time such techniques have been developed or used.
Previously, we covered a case in which police used a photo of a drug dealer's hand to map his fingerprint and track him down.
3D printers have also been used to clone fingerprints, making impersonation easy and posing a threat of their own. It is therefore essential to keep tabs on such methods, which can be beneficial when used in the right way.