How to find and remove advanced persistent adware in your network

A new report offers methods to hunt and remove the advanced persistent adware in networks.

A unique form of advanced persistent adware (APA) recently found by the Booz Allen Dark Labs’ Advanced Threat Hunt team is lurking on enterprise networks and can evade traditional forms of cyberdefenses. But a new report, published by the same team, offers methods to hunt and remove the adware in networks.

The APA has been classified as an Advanced JavaScript-Based In-Memory Stage 1 Downloader because it is built on JavaScript, runs strictly in memory and functions as the downloader for the second stage of the APA’s attack. The adware is a previously known threat commonly used to inject advertisements into a user’s browser and covertly collect information about the user’s browsing activity. The first-stage loader could then be used to execute arbitrary code, making it easy to repurpose for additional targeted attacks.

The APA is unique because it leverages advanced techniques typically only seen in attacks attributed to nation-state advanced persistent threats.

The Dark Labs report illustrated how the APA avoids antivirus detection by:

  • Using hex-encoded JavaScript with thousands of bytes of junk hexadecimal characters to obscure the true intent of the file.
  • Exploiting built-in Windows tools, such as tasking.exe or wscript.exe, to deliver an APA that decrypts its payload in memory, rather than on disk.
  • Exfiltrating data and receiving further tasking outside of its adware capabilities.

The report details steps that IT and security departments can take to detect and remove the APA variant.

The Dark Labs team rated the APA as a moderate risk. However, it serves as an example of new types of advanced techniques being used by a particular class of threat. There are indicators that point to an increased proliferation of these methods and the need for advanced defense capabilities.

Taking a proactive hunt approach “shifts the current imbalance in the arms race between attacker and defender,” the Dark Labs report said.

Traditionally, an attacker can defeat most antivirus solutions by quickly changing the file located on the disk for any given target. But a defender using advanced threat-hunting tactics will have an advantage over attackers because the malware execution will show up in the wscript.exe hunt as suspicious or malicious. That forces an attacker to make large and costly changes to their malware if they want to continue the campaign. If they don’t make those changes, the defender can quickly identify and respond to the malware with little loss in productivity.
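The wscript.exe hunt described above keys on process-creation telemetry rather than on-disk file signatures, which is why swapping the file on disk does not defeat it. The following is an added illustration, not code from the Dark Labs report: it scores constructed process-creation events for script-host launches that deserve an analyst's attention (scripts run from temp or user-writable paths, non-script extensions, the /E: engine override, unusual parent processes) and, for the hex-padded JavaScript in the list above, measures how much of a script is hex junk next to a runtime decoder call. The event schema, path heuristics, thresholds and every sample event and script are assumptions made for the example.

```python
"""Hunt for suspicious Windows Script Host launches and hex-padded scripts.

Added illustration, not code from the Dark Labs report. Event field names,
path heuristics, thresholds and all sample data below are constructed.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Scripts executed out of user-writable or temp locations deserve a look.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)
# A script host run against a file whose extension hides that it is a script.
ODD_EXT = re.compile(r"\.(tmp|txt|dat|log|png|jpg)\"?\s*$", re.I)
# /E:<engine> forces an engine regardless of extension, so any file can be run.
ENGINE_OVERRIDE = re.compile(r"(^|\s)/E:", re.I)
# Parents that rarely launch scripts interactively; svchost.exe hosts the Task
# Scheduler service, so a script-host child usually means a scheduled task.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "svchost.exe"}


def score_event(ev):
    """Return (score, reasons) for one process-creation event.

    ev has keys "parent", "image" and "cmdline" (constructed schema)."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return 0, []
    reasons = []
    cmd = ev["cmdline"]
    if USER_WRITABLE.search(cmd):
        reasons.append("script under a user-writable or temp path")
    if ODD_EXT.search(cmd):
        reasons.append("script file has a non-script extension")
    if ENGINE_OVERRIDE.search(cmd):
        reasons.append("/E: engine override on the command line")
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if parent in UNUSUAL_PARENTS:
        reasons.append(f"unusual parent process {parent}")
    return len(reasons), reasons


def hunt(events):
    """Return flagged script-host events, highest score first."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            flagged.append({"score": score, "reasons": reasons, **ev})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


# Content-side heuristic for hex-encoded JavaScript padded with junk hex.
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
HEX_RUNS = re.compile(r"\b[0-9a-fA-F]{32,}\b")
DECODER_CALLS = re.compile(r"\b(eval|unescape|String\.fromCharCode|ActiveXObject)\b")


def hex_density(script):
    """Fraction of characters sitting inside hex-escape or long hex-literal runs."""
    if not script:
        return 0.0
    covered = sum(len(m.group()) for m in HEX_ESCAPES.finditer(script))
    covered += sum(len(m.group()) for m in HEX_RUNS.finditer(script))
    return covered / len(script)


def classify_script(script, threshold=0.5):
    """Flag scripts that are mostly hex and also contain a runtime decoder call."""
    density = hex_density(script)
    calls = sorted(set(DECODER_CALLS.findall(script)))
    return {"hex_density": round(density, 2), "decoder_calls": calls,
            "suspicious": density >= threshold and bool(calls)}


# Constructed sample telemetry and scripts (not real artefacts).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe /E:JScript "C:\Users\alice\AppData\Roaming\update.tmp"'},
    {"parent": r"C:\Program Files\Vendor\Agent.exe", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "C:\Program Files\Vendor\scripts\inventory.vbs"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]
BENIGN_SCRIPT = "var total = 0;\nfor (var i = 0; i < 10; i++) { total += i; }\nWScript.Echo(total);\n"
PADDED_SCRIPT = ('var pad = "' + "a1b2c3d4" * 40 + '";\n'
                 'var s = "' + "\\x41" * 30 + '";\n'
                 "eval(unescape(s));\n")

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["score"], f["cmdline"], "|", "; ".join(f["reasons"]))
    for name, s in (("benign", BENIGN_SCRIPT), ("padded", PADDED_SCRIPT)):
        print(name, classify_script(s))
```

Run as a script it lists the two script-host launches worth triage, with the scheduled-task-style wscript.exe run of a .tmp file under AppData scoring highest, and shows the padded script at over 80 percent hex with decoder calls present while the plain script scores zero. The process-side checks are what matter against an in-memory loader: the file can change daily, but the launch of a script host from an odd location or parent still shows up in the telemetry.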

Advanced persistent adware is just one example of the kinds of threats Booz Allen Dark Labs is discovering, using a proactive approach that relies on sophisticated tools and tradecraft, such as automation, threat intelligence, threat analytics and machine intelligence to gather and analyze huge reams of data for malicious activity. These tools can identify and mitigate threats at machine speed using customized delivery models.

For more information, read the full report about the adware and how Dark Labs discovered it.

This article was produced by FedScoop for, and sponsored by, Booz Allen Hamilton.
