Malware Callbacks

Today we released our first-ever analysis of malware callbacks. Our report can be accessed here:

FireEye monitored more than 12 million malware communications seeking instructions—or callbacks—across hundreds of thousands of infected enterprise hosts, capturing details of advanced attacks as well as more generic varieties during the course of 2012. Callback activity reveals a great deal about an attacker’s intentions, interests and geographic location. Cyber attacks are a widespread global activity. We’ve built interactive maps that highlight the presence of malware globally:

Our key findings:

  1. Malware has become a multinational activity. Over the past year, callbacks were sent to command and control (CnC) servers in 184 countries—a 42 percent increase when compared to 130 countries in 2010.
  2. Two key regions stand out as hotspots driving advanced cyber attacks: Asia and Eastern Europe. Looking at the average callbacks per company by country, the Asian nations of China, South Korea, India, Japan, and Hong Kong accounted for 24 percent. Not far behind, the Eastern European countries of Russia, Poland, Romania, Ukraine, Kazhakstan, and Latvia comprised 22 percent. (North America represented 44 percent but this is due to CnC servers residing in the United States to help attackers with evasion.)
  3. The majority of Advanced Persistent Threat (APT) callback activities are associated with APT tools that are made in China or that originated from Chinese hacker groups. By mapping the DNA of known APT malware families against callbacks, FireEye Malware Intelligence Lab discovered that the majority of APT callback activities—89 percent—are associated with APT tools that are made in China or that originated from Chinese hacker groups. The main tool is Gh0st RAT.
  4. Attackers are increasingly sending initial callbacks to servers within the same nation in which the target resides. To improve evasion, hackers are increasingly placing CnC servers within target nations. At the same time, this fact gives a strong indicator of which countries are most interesting to attackers.
  5. Technology organizations are experiencing the highest rate of APT callback activity. With a high volume of intellectual property, technology firms are natural targets for attackers and are experiencing heavy APT malware activity.
  6. For APT attacks, CnC servers were hosted in the United States 66 percent of the time, a strong indicator that the U.S. is still the top target country for attacks. As previously mentioned, attackers increasingly put CnC servers in the target country to help avoid detection. With such a high proportion of CnC servers, by a wide margin, the U.S. is subject to the highest rate of malware attacks. This is likely, due to a very high concentration of intellectual property and digitized data that resides in the U.S.
  7. Techniques for disguising callback communications are evolving. To evade detection, CnC servers are leveraging social networking sites like Facebook and Twitter for communicating with infected machines. Also, to mask exfiltrated content, attackers embed information inside common files, such as JPGs, to give network scanning tools the impression of normal traffic.
  8. Attack patterns vary substantially globally:

    1. South Korean firms experience the highest level of callback communications per organization. Due to a robust internet infrastructure, South Korea has emerged as a fertile location for cybercriminals to host their CnC infrastructure. For example, FireEye found that callbacks from technology firms are most likely to go to South Korea.
    2. In Japan, 87 percent of callbacks originated and stayed in country. This may give an indication of the high value of Japanese intellectual property.
    3. In Canada, 99 percent of callbacks exited the country. In the U.K., exit rates were 90 percent. High exit rates indicate attackers are unconcerned about detection. In Canada and the U.K., attackers appear to be unconcerned about detection and pursue low-hanging fruit opportunistically.