Recently, our friends over at Symantec released a report about an attack named Nitro. This targeted attack allowed unknown attackers to target several types of organizations, the latest known attacks occurring in the chemical sector, where 29 different targets were confirmed.
The attacks follow a standard pattern for tools and techniques used in previous attempts. An email is sent to several recipients within an organization with an attachment or link pointing to a file. These files are repacked variants of Poison Ivy, a very popular Remote Access Tool (RAT). The Command & Control servers for this tool use Dynamic DNS services extensively to provide the hostname and IP address lookup.
Screenshot of the Poison Ivy builder application.
This is precisely why Websense released a Dynamic DNS category earlier this year. In its default configuration, products that have this category will not allow these RATs to successfully communicate. With this new category, our Websense Security Gateway and Hosted Web solutions will not allow traffic from PoisonIvy at all, due to the way it communicates over port 80. In this way, Websense customers remain protected from this popular form of target attack.
For more information about how Websense protects against APTs and Targeted Attacks see our white paper.
Symantec’s full report can be downloaded here.
Leave a reply
