Securing the Digital World

Kingslayer - A Supply Chain Attack

Feb 13, 2017 | by Amy Blackshaw |

Today, RSA is publishing new research on a sophisticated software supply-chain attack - dubbed "Kingslayer".

RSA Research investigated the source of suspicious, observed beaconing thought to be associated with targeted malware. In the course of their investigation, RSA discovered a sophisticated software supply-chain attack involving a Trojan inserted in otherwise legitimate software; software that is typically used by enterprise system administrators. Targeting an application used almost exclusively by enterprise Windows system administrators gives the attackers direct access to the most sensitive parts on an organization's network used regularly by the "king of the network."

Supply chain attacks provide strategic advantages to attackers for several reasons. First, they provide one compromise vector to multiple potential targets. Second, supply chain exploitation attacks are stealthy and have the potential to provide the attacker access to their targets for a much longer period than malware delivered by other common means, by evading traditional network analysis and detection tools. And finally, software supply chain attacks offer considerable "bang for the buck" against otherwise hardened targets.

We are sharing details of this attack investigation, along with mitigation and detection strategies, to promote awareness and preparation for future or ongoing supply-chain attacks.

Techniques deployed by industry-wide antivirus and endpoint prevention technologies are decidedly poorly equipped for detecting, much less preventing, a remote code-loading backdoor inserted into what would otherwise be a legitimate software product. This is exactly what the Kingslayer actors did in their campaign.

Signature or behavior-based antivirus is unable to differentiate between a network-enabled feature and a backdoor in the product. In fact, RSA Research first identified the Kingslayer backdoor installed on an enterprise system that employed next generation antivirus. The antivirus failed to detect anything, even when it appeared the backdoor had downloaded and loaded the secondary malware into memory, and opened connections for C2.

Preventing such types of compromises from sophisticated actors has always been challenging. The analysts behind the Kingslayer research project subscribe to the philosophy that detecting and responding to a compromise, before it leads to business risk, is an achievable goal - especially if you are utilizing threat detection and response technology like the RSA NetWitness Platform.

To learn more about this RSA Research, as well as how RSA NetWitness® Platform can help - visit the RSA booth (N3610) at the RSA Conference for a question and answer session with Alex Cox, Director, RSA Global Threat Research. Tuesday and Wednesday at 1:45 p.m.