The cyber attack landscape is evolving rapidly, reaching high levels of sophistication and complexity in order to exploit and breach enterprises, government entities, universities, financial institutions and so on, even in the presence of properly designed and well maintained defense-in-depth strategies. The main stages of a targeted attack can be summarized in the following five steps:
- Investigate
- Infiltrate
- Explore
- Exfiltrate
- Maintain Access
Each stage needs advanced tools and techniques to be completed stealthily, and those tools are often very specific to each target. In many cases they are written by the attackers only hours before deployment in the targeted network, precisely to evade detection systems and signature-based analysis. Alongside these custom tools, however, commercial and off-the-shelf utilities are also used for many other activities such as encryption, packaging, remote execution, remote access and so on.
RAR and ZIP archives are commonly used to compress and encrypt stolen data during the exfiltration phase of the attack. RAR is preferred to ZIP because of its AES-256 encryption, its command line utilities for many architectures and operating systems, and its option to encrypt the archive headers together with the content (the -hp switch), which hides even the file names from anyone who does not have the password.
Very often these archives are generated automatically by malware, scheduled tasks, command line utilities or manual attacker actions, and they can be identified by their filename structure, either on the infected filesystem or during a forensic analysis: for example YEAR_MONTH_DAY_USERID_HOSTNAME.RAR or a similar convention.
If listing the archive content is blocked or the headers are encrypted, we cannot tell which data the stolen archives contain, and we have to start a password recovery task in order to open the files.
There are several options to achieve the goal:
- free or commercial tools on a single host
- commercial tools for distributed tasks over several machines
- online password recovery services
- GPU cracking utilities
- hardware acceleration based on FPGA
Each method listed above could require hours, days, months or years to complete, depending on the length and complexity of the password used to protect the files, but we can speed up the process considerably by using a very specific dictionary file containing malware-related strings (family and campaign names, strings recovered from the samples, and the user IDs, hostnames and dates that appear in the archive names) instead of a generic wordlist.
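A worked example of both steps, hunting for archives that follow the naming convention above and then building a targeted dictionary from the tokens those names reveal, is added here as illustration; it is not code from the original article. The directory listing and the seed strings are constructed for the demo, and the naming pattern, the mangling rules and the suffix list are assumptions an analyst would adjust to the case at hand:

```python
import re
from itertools import product

# Filename convention quoted in the article: YEAR_MONTH_DAY_USERID_HOSTNAME.RAR
# Matched case-insensitively; ZIP is accepted too since both formats are used.
# Trailing volume extensions such as .r00 are deliberately not matched.
EXFIL_NAME_RE = re.compile(
    r"^(?P<year>\d{4})_(?P<month>\d{2})_(?P<day>\d{2})_"
    r"(?P<userid>[A-Za-z0-9.-]+)_(?P<hostname>[A-Za-z0-9.-]+)\.(?:rar|zip)$",
    re.IGNORECASE,
)

# Constructed directory listing for the demo (not real case data).
SAMPLE_LISTING = [
    "2014_03_27_jsmith_WS-FIN-07.rar",
    "2014_03_27_jsmith_WS-FIN-07.r00",   # second volume: no archive header
    "report_q1.docx",
    "2014_03_28_ADMIN_SRV-DB01.RAR",
    "backup.zip",
]

# Constructed seed strings standing in for what an analyst would pull from the
# samples: family or campaign names, mutex names, C2 paths and similar.
SEED_STRINGS = ["exfil", "Dropper", "pass"]


def find_exfil_archives(filenames):
    """Return (name, fields) for every filename matching the convention."""
    hits = []
    for name in filenames:
        m = EXFIL_NAME_RE.match(name)
        if m:
            hits.append((name, m.groupdict()))
    return hits


# Simple leet substitutions applied to lowercase letters only.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Case and leet-speak variants of one token, as a set."""
    variants = {word, word.lower(), word.upper(), word.capitalize()}
    return variants | {v.translate(LEET) for v in variants}


def build_dictionary(seeds, archives):
    """Targeted wordlist: seeds plus tokens taken from the archive names,
    mangled and combined with date-derived and common suffixes.
    Sorted short-to-long so the cheapest candidates are tried first."""
    tokens = set(seeds)
    years = set()
    for _, f in archives:
        host = f["hostname"]
        tokens.update({f["userid"], host, host.split("-")[0], host.split(".")[0]})
        tokens.add(f["year"] + f["month"] + f["day"])   # e.g. 20140327
        tokens.add(f["day"] + f["month"] + f["year"])   # e.g. 27032014
        years.add(f["year"])
    words = set()
    for t in tokens:
        words |= mangle(t)
    suffixes = {"", "!", "123"} | years
    candidates = {w + s for w, s in product(words, suffixes)}
    return sorted(candidates, key=lambda c: (len(c), c))


def write_dictionary(path, seeds, filenames):
    """Write one candidate per line, ready for hashcat or john; returns count."""
    words = build_dictionary(seeds, find_exfil_archives(filenames))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    for name, f in find_exfil_archives(SAMPLE_LISTING):
        print(f"{name}: user={f['userid']} host={f['hostname']} "
              f"date={f['year']}-{f['month']}-{f['day']}")
    n = write_dictionary("targeted.dict", SEED_STRINGS, SAMPLE_LISTING)
    print(f"wrote {n} candidates to targeted.dict")
```

The resulting file is a drop-in wordlist: extract the archive hash with rar2john and run hashcat with mode 12500 (RAR3 with -hp header encryption) or 13000 (RAR5), optionally stacking a rule file on top of the mangling done here. Keeping the list short and ordered by length matters more than the exact rules, since every extra candidate costs a full key derivation against these formats.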