Q

PinkStats: Unique toolkit offers lessons in APT defense

Enterprise threats expert Nick Lewis explores how analysis of a newly discovered APT tool, PinkStats, may help enterprise APT defense.

Chinese attackers have apparently been utilizing PinkStats, an advanced persistent threat (APT) toolkit that is

notable for spreading via its own compromised network. Is there anything unique in the attack methods emphasized in PinkStats?

Ask the Expert!

SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your questions via email. (All questions are anonymous.)

PinkStats has reportedly been used over the past four years by a Chinese APT group that mainly targets South Korean-based networks. PinkStats is the downloader component of the toolkit these hacker groups are using to compromise and control computers in order to steal intellectual property, secrets and other valuable data.

For an APT attack to be successful, it would require more than the PinkStats downloader. First, an initial infection vector, which might include a zero-day exploit or a known exploit, must infiltrate the target system and only then can the downloader component download the rest of the malware used in the attack. Downloads commonly occur over encrypted custom protocols for the malware, standard HTTPS, peer-to-peer connections, and the like.

The only factor that differentiates the PinkStats downloader from other malware attacks is it uses HTTP to access what looks like a Web counter. However, after thorough analysis of the complete stream of communication between the compromised system and the command-and-control server, an analyst could identify that the communication was not just a Web counter, but rather a full-on malware attack. There are several other ways this malware could be detected. An antimalware network appliance could identify the malware by checking the external website against a blacklist of compromised websites. An appliance inspecting all downloaded files could examine the file in a sandbox to determine if any malicious actions are taken. Alternately, an endpoint security tool could accomplish either of these tasks.

This was first published in December 2013

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close