Stopping Corp-Internal Phishing Attacks with Darktrace
16
Jun 2021
Discover how Darktrace Email stopped a series of multi-language phishing attacks, including an Emotet campaign in Japanese. Learn how Darktrace can help!
Language is deceptive. In the realm of email security, language can deceive a recipient into clicking a link or completing a transaction, and it can trick a security tool into thinking an email is legitimate.
It is for this reason that Darktrace/Email is not reliant on language, but rather uses mathematics to develop an understanding of ‘normal’ for every email user in an organization. This enables it to neutralize anomalous emails indicative of a threat around the world, no matter in what format or language they come.
Natural language processing
When it comes to catching a compromised account or impersonation email, how can you teach a computer to understand intent or a change of tone, compared to the normal way a person corresponds?
One of the most common approaches in email security is natural language processing. NLP looks at how to program computers to analyze natural language, commonly by exposing them to a large volume of data.
The result is a computer capable of ‘understanding’ the contents of documents, including the nuances of the language within them. The technology can then extract information in the documents as well as categorize and organize the documents themselves.
Modern-day limitations
However, using NLP is limited in scope for email security as it will often misunderstand specific jargon or colloquialisms, as well as terms that had not been invented when the computer was programmed, unless it is trained on these too. Each additional language requires the computer to learn from zero every time. NLP only works on the regional languages it has been trained on, and it is not commercially viable to teach the technology to work in all small markets.
If a company hires an email security vendor based in America, therefore, it is probable that the security vendor has invested most of their time in detecting English-based phishing threats. That is fine if the company only communicates in English, but this is often not the case. In a 21st century globalized world, the need for security technology to be language-agnostic is more critical than ever.
Not all AI is the same: Unsupervised machine learning
Darktrace/Email relies on unsupervised machine learning, which can learn on the job and does not need to be fed large data sets. It can glean insights from NLP for good measure, but it does not depend on NLP for detection or understanding.
When working with AI it is crucial to understand how the AI learns: does it learn on the job or was it trained with a labeled data set? This is particularly important when looking to understand the intent behind an email, specifically to uncover solicitation attempts either through spoofing, phishing, impersonation of a supplier or any other form of email attack.
Rather than teaching a computer to understand language in an email, Darktrace Cyber AI dynamically assesses activity across inbound and outbound emails including senders, recipients, links, IP addresses, and attachment types. The movement of all these objects are then used by the AI to create the ‘patterns of life’ for every user across all communications, including communications with external users who frequently correspond with a given business.
By taking a mathematical approach, Darktrace/Email is able to understand ‘normal’ for any user regardless of the dialect they are corresponding in, uniquely interpreting all languages from Norwegian to Latin and Persian, and subsequently identifying subtle anomalies indicative of a phishing attack or an account takeover.
Catching Emotet in Japanese
Last year, Darktrace uncovered a sophisticated Spamware campaign which leveraged Emotet, the infamous banking malware. The campaign targeted various industries with highly sophisticated phishing emails.
At a food production company in Japan, Darktrace detected six phishing emails sent over a two-day period in July.
Figure 1: An email from the Emotet campaign.
In the email above, both the subject line and the filename translate to “Regarding the invoice,” followed by a number and the date. The attacker was clearly trying to imitate a legitimate business email here, spoofing a well-known Japanese company (三菱食品(株)) and a common Japanese name (‘藤沢 昭彦’).
Darktrace/Email revealed key metrics behind the email including that the real sender was using a domain name from GMO, a Japanese company which offers cheap web email services, and that the sender’s location was actually Portugal, not Japan.
Figure 2: Darktrace/Email detects the attempt at inducement.
Darktrace/Email’s models recognized the topic anomalies and inducement attempts in the emails, regardless of the language they had been written in – giving a high anomaly score of 85. Furthermore, Darktrace’s AI determined that the extension and the MIME type in the attachments were anomalous, when compared to the documents which the user normally exchanges via email.
Portuguese threat find
In another instance, a series of malicious emails were sent to an organization in Europe. These emails used several tactics to bypass the company’s security tools, including personalized subject lines and hidden malicious URLs.
Figure 3: An interactive snapshot of Darktrace/Email’s user interface. The subject line reads ‘Notice of transfer.’
As displayed above, the email contained a link that appeared to lead to a CaixaBank domain. However, Darktrace/Email recognized this as a deliberate attempt to mislead the recipient and revealed that the link in fact led to a WordPress domain, which Cyber AI identified as 100% rare for the business.
A closer inspection revealed that these emails were sent from Vietnam. The sender had never been in any previous correspondence with the business, and the isolated link within the email was also marked as a 100% rare domain. Darktrace/Email held these malicious emails back, protecting the organization from harm.
Universal defense
These two examples demonstrate the benefits of an unsupervised machine learning approach. An AI security solution which analyzes hundreds of different metrics and does not rely on pre-existing data is a groundbreaking advantage when faced with global phishing threats that now utilize a wide range of languages.
Email-based attacks are becoming more targeted and more convincing by the day. Targeted social engineering and spear phishing with advanced translation tools bombard companies daily, in all languages.
Whether it’s a phishing attack against a local office in Korea or a solicitation attempt in Arabic – even a malicious email written in Klingon from a Star Trek convention – or any of the thousands of email exchanges which occur in countless vernaculars and tones, Darktrace/Email can keep your company safe across the world, and beyond.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Newsletter
Stay ahead of threats with the Darktrace blog newsletter
Get the latest insights from the cybersecurity landscape, including threat trends, incident analysis, and the latest Darktrace product developments – delivered directly to your inbox, monthly.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Mariana Pereira
VP, Cyber Innovation
Mariana is the VP of Cyber Innovation at Darktrace, and works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.
Navigating buying and adoption journeys for AI cybersecurity tools
Enterprise AI tools go mainstream
In this dawning Age of AI, CISOs are increasingly exploring investments in AI security tools to enhance their organizations’ capabilities. AI can help achieve productivity gains by saving time and resources, mining intelligence and insights from valuable data, and increasing knowledge sharing and collaboration.
While investing in AI can bring immense benefits to your organization, first-time buyers of AI cybersecurity solutions may not know where to start. They will have to determine the type of tool they want, know the options available, and evaluate vendors. Research and understanding are critical to ensure purchases are worth the investment.
Challenges of a muddied marketplace
Key challenges in AI purchasing come from consumer doubt and lack of vendor transparency. The AI software market is buzzing with hype and flashy promises, which are not necessarily going to be realized immediately. This has fostered uncertainty among potential buyers, especially in the AI cybersecurity space.
As Gartner writes, “There is a general lack of transparency and understanding about how AI-enhanced security solutions leverage AI and the effectiveness of those solutions within real-world SecOps. This leads to trust issues among security leaders and practitioners, resulting in slower adoption of AI features” [1].
Given this widespread uncertainty generated through vague hype, buyers must take extra care when considering new AI tools to adopt.
Goals of AI adoption
Buyers should always start their journeys with objectives in mind, and a universal goal is to achieve return on investment. When organizations adopt AI, there are key aspects that will signal strong payoff. These include:
Wide-ranging application across operations and areas of the business
Actual, enthusiastic adoption and application by the human security team
Integration with the rest of the security stack and existing workflows
Business and operational benefits, including but not limited to:
Reduced risk
Reduced time to response
Reduced potential downtime, damage, and disruption
Increased visibility and coverage
Improved SecOps workflows
Decreased burden on teams so they can take on more strategic tasks
Ideally, most or all these measurements will be fulfilled. It is not enough for AI tools to benefit productivity and workflows in theory, but they must be practically implemented to provide return on investment.
Investigation before investment
Before investing in AI tools, buyers should ask questions pertaining to each stage of the adoption journey. The answers to these questions will not only help buyers gauge if a tool could be worth the investment, but also plan how the new tool will practically fit into the organization’s existing technology and workflows.
Figure 1: Initial questions to consider when starting to shop for AI [2].
These questions are good to imagine how a tool will fit into your organization and determine if a vendor is worth further evaluation. Once you decide a tool has potential use and feasibility in your organization, it is time to dive deeper and learn more.
Ask vendors specific questions about their technology. This information will most likely not be on their websites, and since it involves intellectual property, it may require an NDA.
Find a longer list of questions to ask vendors and what to look for in their responses in the white paper “CISO’s Guide to Buying AI.”
Committing to transparency amidst the AI hype
For security teams to make the most out of new AI tools, they must trust the AI. Especially in an AI marketplace full of hype and obfuscation, transparency should be baked into both the descriptions of the AI tool and the tool’s functionality itself. With that in mind, here are some specifics about what techniques make up Darktrace’s AI.
Darktrace as an AI cybersecurity vendor
Darktrace has been using AI technology in cybersecurity for over 10 years. As a pioneer in the space, we have made innovation part of our process.
The Darktrace ActiveAI Security Platform™ uses multi-layered AI that trains on your unique business operations data for tailored security across the enterprise. This approach ensures that the strengths of one AI technique make up for the shortcomings of another, providing well-rounded and reliable coverage. Our models are always on and always learning, allowing your team to stop attacks in real time.
The machine learning techniques used in our solution include:
Unsupervised machine learning
Multiple Clustering Techniques
Multiple anomaly detection models in tandem analyzing data across hundreds of metrics
Bayesian probabilistic methods
Bayesian metaclassifier for autonomous fine-tuning of unsupervised machine learning models
Deep learning engines
Graph theory
Applied supervised machine learning for investigative AI
Neural networks
Reinforcement Learning
Generative and applied AI
Natural Language Processing (NLP) and Large Language Models (LLMs)
Post-processing models
Additionally, since Darktrace focuses on using the customer’s data across its entire digital estate, it brings a range of advantages in data privacy, interpretability, and data transfer costs.
Building trust with Darktrace AI
Darktrace further supports the human security team’s adoption of our technology by building trust. To do that, we designed our platform to give your team visibility and control over the AI.
Instead of functioning as a black box, our products focus on interpretability and sharing confidence levels. This includes specifying the threshold of what triggered a certain alert and the details of the AI Analyst’s investigations to see how it reached its conclusions. The interpretability of our AI uplevels and upskills the human security team with more information to drive investigations and remediation actions.
For complete control, the human security team can modify all the detection and response thresholds for our model alerts to customize them to fit specific business preferences.
Conclusion
CISO’s are increasingly considering investing in AI cybersecurity tools, but in this rapidly growing field, it’s not always clear what to look for.
Buyers should first determine their goals for a new AI tool, then research possible vendors by reviewing validation and asking deeper questions. This will reveal if a tool is a good match for the organization to move forward with investment and adoption.
As leaders in the AI cybersecurity industry, Darktrace is always ready to help you on your AI journey.
Learn more about the most common types of machine learning in cybersecurity in the white paper “CISO’s Guide to Buying AI.”
References
Gartner, April 17, 2024, “Emerging Tech: Navigating the Impact of AI on SecOps Solution Development.”
Triaging Triada: Understanding an Advanced Mobile Trojan and How it Targets Communication and Banking Applications
The rise of android malware
Recently, there has been a significant increase in malware strains targeting mobile devices, with a growing number of Android-based malware families, such as banking trojans, which aim to steal sensitive banking information from organizations and individuals worldwide.
These malware families attempt to access users’ accounts to steal online banking credentials and cookies, bypass multi-factor authentication (MFA), and conduct automatic transactions to steal funds [1]. They often masquerade as legitimate software or communications from social media platforms to compromise devices. Once installed, they use tactics such as keylogging, dumping cached credentials, and searching the file system for stored passwords to steal credentials, take over accounts, and potentially perform identity theft [1].
One recent example is the Antidot Trojan, which infects devices by disguising itself as an update page for Google Play. It establishes a command-and-control (C2) channel with a server, allowing malicious actors to execute commands and collect sensitive data [2].
Despite these malware’s ability to evade detection by standard security software, for example, by changing their code [3], Darktrace recently detected another Android malware family, Triada, communicating with a C2 server and exfiltrating data.
Triada: Background and tactics
First surfacing in 2016, Triada is a modular mobile trojan known to target banking and financial applications, as well as popular communication applications like WhatsApp, Facebook, and Google Mail [4]. It has been deployed as a backdoor on devices such as CTV boxes, smartphones, and tablets during the supply chain process [5]. Triada can also be delivered via drive-by downloads, phishing campaigns, smaller trojans like Leech, Ztorg, and Gopro, or more recently, as a malicious module in applications such as unofficial versions of WhatsApp, YoWhatsApp, and FM WhatsApp [6] [7].
How does Triada work?
Once downloaded onto a user’s device, Triada collects information about the system, such as the device’s model, OS version, SD card space, and list of installed applications, and sends this information to a C2 server. The server then responds with a configuration file containing the device’s personal identification number and settings, including the list of modules to be installed.
After a device has been successfully infected by Triada, malicious actors can monitor and intercept incoming and outgoing texts (including two-factor authentication messages), steal login credentials and credit card information from financial applications, divert in-application purchases to themselves, create fake messaging and email accounts, install additional malicious applications, infect devices with ransomware, and take control of the camera and microphone [4] [7].
For devices infected by unofficial versions of WhatsApp, which are downloaded from third-party app stores [9] and from mobile applications such as Snaptube and Vidmate , Triada collects unique device identifiers, information, and keys required for legitimate WhatsApp to work and sends them to a remote server to register the device [7] [12]. The server then responds by sending a link to the Triada payload, which is downloaded and launched. This payload will also download additional malicious modules, sign into WhatsApp accounts on the target’s phone, and request the same permissions as the legitimate WhatsApp application, such as access to SMS messages. If granted, a malicious actor can sign the user up for paid subscriptions without their knowledge. Triada then collects information about the user’s device and mobile operator and sends it to the C2 server [9] [12].
How does Triada avoid detection?
Triada evades detection by modifying the Zygote process, which serves as a template for every application in the Android OS. This enables the malware to become part of every application launched on a device [3]. It also substitutes system functions and conceals modules from the list of running processes and installed apps, ensuring that the system does not raise the alarm [3]. Additionally, as Triada connects to a C2 server on the first boot, infected devices remain compromised even after a factory reset [4].
Triada attack overview
Across multiple customer deployments, devices were observed making a large number of connections to a range of hostnames, primarily over encrypted SSL and HTTPS protocols. These hostnames had never previously been observed on the customers’ networks and appear to be algorithmically generated. Examples include “68u91.66foh90o[.]com”, “92n7au[.]uhabq9[.]com”, “9yrh7.mea5ms[.]com”, and “is5jg.3zweuj[.]com”.
Figure 1: External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.
Most of the IP addresses associated with these hostnames belong to an ASN associated with the cloud provider Alibaba (i.e., AS45102 Alibaba US Technology Co., Ltd). These connections were made over a range of high number ports over 1000, most commonly over 30000 such as 32091, which Darktrace recognized as extremely unusual for the SSL and HTTPS protocols.
Figure 2: Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.
On several customer deployments, devices were seen exfiltrating data to hostnames which also appeared to be algorithmically generated. This occurred via HTTP POST requests containing unusual URI strings that were made without a prior GET request, indicating that the infected device was using a hardcoded list of C2 servers.
Figure 3: Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Figure 4: Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.
These connections correspond with reports that devices affected by Triada communicate with the C2 server to transmit their information and receive instructions for installing the payload.
A number of these endpoints have communicating files associated with the unofficial WhatsApp versions YoWhatsApp and FM WhatsApp [11] [12] [13] . This could indicate that the devices connecting to these endpoints were infected via malicious modules in the unofficial versions of WhatsApp, as reported by open-source intelligence (OSINT) [10] [12]. It could also mean that the infected devices are using these connections to download additional files from the C2 server, which could infect systems with additional malicious modules related to Triada.
Moreover, on certain customer deployments, shortly before or after connecting to algorithmically generated hostnames with communicating files linked to YoWhatsApp and FM WhatsApp, devices were also seen connecting to multiple endpoints associated with WhatsApp and Facebook.
Figure 5: Screenshot from a device’s event log showing connections to endpoints associated with WhatsApp shortly after it connected to “9yrh7.mea5ms[.]com”.
These surrounding connections indicate that Triada is attempting to sign in to the users’ WhatsApp accounts on their mobile devices to request permissions such as access to text messages. Additionally, Triada sends information about users’ devices and mobile operators to the C2 server.
The connections made to the algorithmically generated hostnames over SSL and HTTPS protocols, along with the HTTP POST requests, triggered multiple Darktrace models to alert. These models include those that detect connections to potentially algorithmically generated hostnames, connections over ports that are highly unusual for the protocol used, unusual connectivity over the SSL protocol, and HTTP POSTs to endpoints that Darktrace has determined to be rare for the network.
Conclusion
Recently, the use of Android-based malware families, aimed at stealing banking and login credentials, has become a popular trend among threat actors. They use this information to perform identity theft and steal funds from victims worldwide.
Across affected customers, multiple devices were observed connecting to a range of likely algorithmically generated hostnames over SSL and HTTPS protocols. These devices were also seen sending data out of the network to various hostnames via HTTP POST requests without first making a GET request. The URIs in these requests appeared to be algorithmically generated, suggesting the exfiltration of sensitive network data to multiple Triada C2 servers.
This activity highlights the sophisticated methods used by malware like Triada to evade detection and exfiltrate data. It underscores the importance of advanced security measures and anomaly-based detection systems to identify and mitigate such mobile threats, protecting sensitive information and maintaining network integrity.
Credit to: Justin Torres (Senior Cyber Security Analyst) and Charlotte Thompson (Cyber Security Analyst).
Appendices
Darktrace Model Detections
Model Alert Coverage
Anomalous Connection / Application Protocol on Uncommon Port
Anomalous Connection / Multiple Connections to New External TCP Port
Anomalous Connection / Multiple HTTP POSTS to Rare Hostname
Anomalous Connections / Multiple Failed Connections to Rare Endpoint
Anomalous Connection / Suspicious Expired SSL
Compromise / DGA Beacon
Compromise / Domain Fluxing
Compromise / Fast Beaconing to DGA
Compromise / Sustained SSL or HTTP Increase
Compromise / Unusual Connections to Rare Lets Encrypt
Unusual Activity / Unusual External Activity
AI Analyst Incident Coverage
Unusual Repeated Connections to Multiple Endpoints
![External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df74_670d956f4dda5eb6ac9e650f_Screenshot%25202024-10-14%2520at%25203.04.22%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df7d_670d959854eb594420fdc971_Screenshot%25202024-10-14%2520at%25203.05.03%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df80_670d95c562c6e392c7dc3ba8_Screenshot%25202024-10-14%2520at%25203.05.49%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df7a_670d95e4b1dbad771717553c_Screenshot%25202024-10-14%2520at%25203.06.20%25E2%2580%25AFPM.png)
