Can monitoring help defend against Sanny malware update?

Research by FireEye Inc. found that the group behind the Sanny malware attacks has updated its delivery method. What do these changes consist of and how are users at risk? What's the best way to defend against the new Sanny malware?

Attackers and pen testers continue to make improvements to living off the land with their engagements. Every file that is downloaded or run on an endpoint -- including malware -- may be analyzed or blocked by an enterprise's defenses, but legitimate executables on an endpoint are usually allowed to execute regardless of the operating system in use, whether it be Linux, Windows or iOS.

Legitimate executables, such as setuid root on Unix or Linux systems or similar programs on Windows and iOS, have been targeted by attackers to gain unauthorized access to systems. In particular, attackers are seeking out system utilities that they can run with elevated privileges to gain unauthorized access. Utilities that allow users to download files to an endpoint are also being targeted because they can be exploited to get malicious files or other malware onto the endpoint.

FireEye recently reported that the Sanny malware has been updated to enable attackers to exploit system programs while reducing their chances of being detected. The Sanny malware still uses standard phishing techniques with a Word document containing an embedded macro. The macro initiates the attack and then runs a shell script that uses the Windows utility certutil.exe to download a batch file, which is formatted to look like an SSL certificate to avoid detection.

The update to the Sanny malware also added functionality to download the malware as a CAB file and to use the built-in Windows compression functionality to extract the malware payload onto an endpoint. Furthermore, the malware can now hijack a legitimate Windows service with its own executable to establish persistence on an endpoint and can use a legitimate Windows executable to perform a user access control bypass on Windows 10.

Defenses against the Sanny malware include the standard malware defenses; however, detection may be the most important aspect. While endpoint security tools might block malware, built-in executables do not need to be blocked, as they are already installed on the system. This means that you may need to understand how your endpoint is secured and what security tools handle these executables.

The Sanny malware executes a legitimate utility with an unauthorized privilege level, so enterprises may also want to identify every executable on an endpoint that runs with elevated privileges and send alerts when those programs are running. Defenders can then investigate if there have been other suspicious actions on the endpoint, such as connections to a new external network.

While many of the actions taken by the Sanny malware abuse legitimate functionality that is used to manage an endpoint, it may be difficult to differentiate between legitimate activity and malicious activity.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)