There are many ways to spot Advanced Persistent Threats, for example during a forensic analysis on “high rate incident” or having sandbox systems on critical infrastructures or again working as incident responder for big companies, working into a national CERT or building a simple tool performing analysis on Malware streams. Today I’d like to share a little bit of my personal experience on spotting APTs through Malware streams.

First of all let me say that it is the easiest way to spot APTs but it’s also one of the most inaccurate and it needs a lot of manual analysis before being able to confirm the sample belongs to a specific APT. Having said that, you might decide to get a Malware streaming service (or you might build one on your own, this was my case) and decide to perform dynamic or static analysis on it. Few years ago when I approached this problem I decided (in first stage) to exploit static analysis and to build up specific signatures to detect possible APTs on a given Malware stream. So let’s say I do have a personal Malware stream and I do have a personal engine who is able to perform basic static analysis (by comparing YARA rules) over and over again on a given Malware stream, so why don’t write specific signature for APTs and manually check every single output to see for false positives or real APTs ?

Spotting APT with Yara Rules – HERE

So I wrote it up and today after few years I decided to share it with all of my readers ! I hope you might find interesting samples to start analysis and to find nice and interesting samples. Please if you find it useful help me in sharing it by linking HERE so that many cybersecurity analysts might decide to start from here to investigate new samples.

According to static analysis we might build YARA rules to identify specific set of binaries. If we classify those binaries as “related to APT” we might extract from tons of binaries the ones that match classified YARA rules and that could be related to APTs. So here we are ! The following table represents a set of binaries which hit classified YARA rules related to APTs. Of course we might have false positives for mainly two reasons: (i) It’s only static analysis. If you run those Samples on live SandBox you might discover unattended behaviour. (ii) No human analysis. This is the result of a mere algorithms, no human interacted and checked those results.