A startling new report has revealed how Advanced Persistent Threat (APT) groups operating on behalf of the Chinese government used adware to target Windows and Android devices.
Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, released by BlackBerry, reveals how these Chinese hackers have managed to successfully target specific systems without detection since 2012.
The attacks particularly focussed on Linux servers, which run nearly all of the top 1 million websites online, 75 per cent of all web servers and 98 per cent of the world’s supercomputers.
The hackers used a number of different techniques to evade the many security systems that are in place, including adware, which is the software that generates online advertisements in a user interface.
By signing their malware (malicious software that aims to damage or compromise devices) with code-signing certificates belonging to adware developers, these APT groups were able to increase infection rates, as any red flags were simply dismissed as another blip in the constant stream of adware.
According to BlackBerry, this adware technology – which is used so widely in the online advertising ecosystem – offers a way for malicious actors to “hide in plain sight”.
“At first glance, using code-signing certificates belonging to adware developers seems completely counterproductive,” BlackBerry says in the report.
“Malware that may previously have gone undetected would now almost surely be immediately noticed. At least a handful of antivirus vendors would flag it, if only on the basis of the adware code-signing certificate.
“Why would an attacker, particularly one aligned with the interests of a nation state, want to do that?”
However, it seems that by giving malware the disguise of adware, these hackers managed to reduce their risk of detection.
“In our judgement, these threat actors would rather be found and then ignored than found and investigated, particularly on the Windows platform where so much of the antivirus attention is focused,” BlackBerry explains.
“Malware masquerading as adware stands a good chance of being overlooked or disregarded if it is detected, especially in busy corporate enterprise environments because they manage a ‘stack’ of multiple security technologies, each with its own set of alerts.”
Network and host defenders are inundated every day with warnings of a potential breach.
BlackBerry suggests that these findings show the need for security operators to reassess how they distinguish “run-of-the-mill” nuisances from malware that may be masquerading as adware.
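As an added example, not taken from the BlackBerry report or this article, the triage rule below shows one way an alert pipeline can avoid closing a detection just because the binary carries an adware vendor's certificate: the certificate says who signed, not what was signed, so an unknown binary under a familiar adware signature, or any adware-signed binary on a server, is escalated instead of dismissed. The vendor names, hashes, hostnames and behaviour tags are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed placeholders: adware vendors whose certificates a SOC would normally
# tune out, and the hashes of the products those vendors genuinely ship. None are real.
ADWARE_SIGNERS = {"Example Adware Ltd", "Sample Bundleware Inc"}
KNOWN_ADWARE_HASHES = {"sha256:constructed-known-adware-1", "sha256:constructed-known-adware-2"}

# Behaviours adware has no reason to exhibit; any one of them turns a nuisance into a case.
HOSTILE_BEHAVIOURS = {"persistence_created", "credential_access",
                      "lateral_movement", "beacon_to_unknown_host"}


@dataclass
class Alert:
    host: str
    host_role: str            # "workstation" or "server"
    signer: Optional[str]     # subject of the code-signing certificate, if any
    sha256: str               # hash of the flagged binary
    behaviours: List[str] = field(default_factory=list)


def triage(alert: Alert) -> Tuple[str, str]:
    """Return (disposition, reason). Adware-signed alerts are never auto-closed on the
    certificate alone; they are closed only when the binary is a product the vendor ships."""
    if alert.signer not in ADWARE_SIGNERS:
        return "standard", "not adware-signed; follow the normal playbook"
    if alert.host_role == "server":
        # Adware has no legitimate role on a server, so the signature is no comfort there.
        return "investigate", "adware-signed binary on a server"
    hostile = HOSTILE_BEHAVIOURS.intersection(alert.behaviours)
    if hostile:
        return "investigate", "adware certificate with hostile behaviour: " + ", ".join(sorted(hostile))
    if alert.sha256 in KNOWN_ADWARE_HASHES:
        return "nuisance", "matches a product the vendor actually ships"
    # Familiar certificate, unknown binary: the masquerade the report describes.
    return "review", "adware certificate on a binary the vendor is not known to ship"


if __name__ == "__main__":
    samples = [
        Alert("ws-01", "workstation", "Example Adware Ltd", "sha256:constructed-known-adware-1"),
        Alert("web-07", "server", "Example Adware Ltd", "sha256:constructed-unknown-9"),
        Alert("ws-02", "workstation", "Sample Bundleware Inc", "sha256:constructed-unknown-3",
              ["persistence_created"]),
    ]
    for a in samples:
        print(a.host, *triage(a))
```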