Title: DOTMUG: A Threat Model for Target Specific APT Attacks–Misusing Google Teachable Machine
Authors: P. Charan, P. Anand, S. Shukla, N. Selvan, Hrushikesh Chunduri
Venue: 2022 10th International Symposium on Digital Forensics and Security (ISDFS)
Published: 2022-06-06
DOI: 10.1109/ISDFS55398.2022.9800780 (https://doi.org/10.1109/ISDFS55398.2022.9800780)
Citations: 5
Abstract
Target-specific malware is one of the major concerns for many global IT firms and government organizations. In recent times, state-sponsored Advanced Persistent Threat (APT) groups have evolved toward developing more intelligent and targeted malware by misusing various legitimate services. This work sheds light on modeling a threat scenario to emphasize how targeted attacks are performed by misusing legitimate services (Google Teachable Machine in our scenario) for malicious purposes in the establishing-foothold, lateral-movement, and data-exfiltration phases of the APT life cycle. As a proof of concept, we validate our threat model with five different experiments highlighting how an attacker can execute personalized boot-sector ransomware and fileless malware against a targeted individual in a corporate network. Furthermore, assuming the attacker has limited information regarding the target, we use sinGAN to generate synthetic image samples to train a model for identifying the target. In addition, we present a correlation study between target prediction confidence and effective payload deployment for all experiments. In our observation, targeted fileless malware turned out to be quicker and more harmful, averaging 25.11 seconds to encrypt the whole disk with 80% target prediction confidence.