Background & Timeline

Today, our Threat Guidance team looked at a truly unknown flavor of malware.

With such a high volume of new malware produced 24/7 – numbering into the hundreds of thousands per day – it’s unusual when our Threat Guidance team can’t categorize one into a known family. However, using the CylancePROTECT® Dashboard, a sample was quarantined on an endpoint (as “Unique to Cylance”) of a real customer.

All of the sample’s properties – the location of the file, the compile date, and the lack of similar files on known malware repositories – did not fall into anything which Cylance or any others have seen to date.

What Is It?

This piece of malware was fascinating to us, because it was so beautifully simple – just compiled C++ code, straightforward – only connecting to a single (albeit Korean) IP address, and benign at first glance. But upon further inspection, we learned that this seemingly innocent piece of malware was collecting a ton of information from the victim, much like a legitimate asset management agent.

A great deal of endpoint information was collected – including System, Network, Disk/Memory, and Processes/Services. Taken together, this data could be used to map an individual asset, or “Configuration Item” in Information Technology Infrastructure Library (ITIL) lingo, or could also be used to provide a larger view of the organization and its proprietary network.

And that’s where things get dangerous. For example, understanding various local system and network topology makes this uniquely suited to reconnaissance – especially if it is not performing any unusual or malicious activity itself.

We named the new malware ‘Paipeu,’ the Korean word for ‘Pipes’ (파이프), due to its hardcoded South Korean IP address and its ability to use named pipes, including its enabling of NULL session pipes. Use of named pipes for communication is not unheard of in malware; PlugX and Duqu are two famous examples that have both been known to use them. When found, it’s typically used for communication between different pieces of malware on a host, or between infected systems inside a LAN.   

More information on NULLSessionPipes, including how to enable them and the security implications of that, can be found on Microsoft’s Support site: https://support.microsoft.com/en-us/help/813414/how-to-create-an-anonymous-pipe-that-gives-access-to-everyone

So What is the Danger?

Since we are still investigating exactly how this piece of malware was delivered, we had to derive its purpose by certain non-essential attributes.

First, a compile date so close to discovery (only two days prior) could indicate a targeted attack. This is also why the customer and Cylance did not see it prior to being flagged by a background check (remember, it did not try to actually execute anything – it just collected information. A lot of information.)

Second, we had to look at the code to see what mechanisms it used to communicate. This was done via the aforementioned named pipe communication. The latter proxied command-and-control requests to avoid detection or otherwise talk to blocked hosts.

Finally, a hard-coded IP address shows that it had a sole communication purpose – sending data to an offshore server. This type of nonstandard traffic might be missed by not only antivirus and endpoint detection software, but also advanced cloud access brokers (CASB) which looks for known patterns.

Information Targeted for Exfiltration by Paipeu

System:

  • NetBIOS name of the local computer
  • Standard host name for the local computer
  • Language identifier for the system locale
  • The type and data for a specified value name associated with an open registry key
  • ProcessorNameString, and Major, Minor and Build numbers for the local OS

Network:

  • List of TCP endpoints available to the application
  • Adapter information/network parameters for the local computer
  • List of sessions on a Remote Desktop Session Host server
  • Session information for a Remote Desktop Session Host (RD Session Host) server

Disk/Memory:

  • Retrieves information about the amount of space that is available on a disk volume (total amount of space, free space, and free space available to the user that is associated with the calling thread), drive type (removable, fixed, CD-ROM, RAM disk, or network drive).
  • Also fills a buffer with strings that specify valid drives in the system, and obtains information about the system's current usage of both physical and virtual memory.

Processes and Services

  • Environment variables
  • Active processes (terminal server)
  • Services in control manager database
  • Security identifier (SID) account for this SID and first, all members of a specified local group
  • Adds a user account with a password and privilege level.

Does Cylance Protect Against Paipeu?

This is a key example of the industry’s widespread inability to prevent unknown binaries and blind attacks.

Even though we didn’t witness the actual exfiltration of data (due to CylancePROTECT’s pre-execution quarantine of the malware), all signs lead to a custom attack which could be the work of a professional paid hacker or state actor. In the case of Korea, this wouldn’t be the first – or last – time we’ll see this.

If you use our endpoint protection product CylancePROTECT, you were already protected from this attack. Our artificial-intelligence-driven models have been trained using millions of data points to ‘learn’ exactly what malicious behavior looks like.

Even though this was a brand new, never-before-seen piece of malware, this sample was instantly quarantined and blocked by Cylance. This highlights the inherent weakness of signatures; as no signature exists for this product, any legacy antivirus product that relies on signatures would have never detected it in time. If you are a Cylance customer, as this client was, you can rest assured that you are protected from this and similar types of attack.