Earlier this year it was reported that security researchers at an Israeli-based security firm had identified the first insider threat Trojan. The malware is considered a game changer, allowing cyber criminals to recruit insiders using the concepts of cyber extortion and social engineering. The backdoor Trojan, which was given the name Delilah, is believed to be in its development stage with cyber-criminals working on enhancing its features and capabilities.
Delilah is a backdoor Trojan that infects employees who visit adult or gaming websites. The malware is downloaded through malicious pop-ups and other methods, and then subsequently executed on the victim’s machine. Delilah scans the computer for sensitive information that can be effectively exploited to blackmail the victim at a later stage. This could include information on the victim’s family, friends, and workplace.
The bot comes with a social engineering plug-in that connects to the victim’s webcam, allowing attackers to record and take regular screenshots of the user’s laptop, while at same time documenting traffic on websites, emails, receipts, and user accounts.
Once the incriminating information has been gathered and filtered by the attackers, the victim system is instructed to deliver the requested data using VPN services and/or TOR browser while concurrently deleting browser histories to remove any audit trails that can be picked up by incident response teams.
The malware does not appear to be automated, so it is likely that a high level of human involvement is needed to identify and prioritise users that could be manipulated into becoming insiders at target organisations. Therefore, it is unlikely that Delilah could be used effectively in large scale campaigns.
The author(s) of the malware remains unknown. However, it is likely to have been intended for use as a ‘Malware-as-a-Service’, as hackers are believed to be spreading the malware through closed underground markets and communities.
The motives of the creators of Delilah reflect the continuous evolution of the threat actors’ tools, techniques, and procedures (TTPs) in an attempt to achieve optimal results with minimal effort. They do this by:
Insider threats remain one of the most serious cyber security threats that an organisation faces today. This is due to an insider’s potential privileged position within the organisation. According to Kaspersky, in 2015 nearly three in four firms suffered an insider threat incident with employees (42%) the largest single cause of data loss.
An insider threat (intentional insider) is generally defined as a current or former employee, contractor, consultant, supplier, business partner, or consumer who has or had access to an organisation’s network system or data, and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organisation’s information or information systems. Insider threats to include sabotage, theft, espionage, fraud, and competitive advantage are often carried through abusing access rights, theft of materials, or/and mishandling of physical devices. Insiders do not always act alone, and may not be aware that they are aiding a threat actor (unintentional insider).
The insider threat is increasing with active recruitment by organised criminal gangs (OCGs) operating on the Dark Web. With the existence of malware like Delilah, organisations should expect insider recruitment to increase further.
Having said that, it should be noted that the Delilah malware is not unique in how it operates. Delilah’s Mac equivalent, ‘Backdoor.MAC.Eleanor’, was discovered in July 2016 but has interestingly not been described by security vendors as an insider Trojan, despite the malware being arguably more damaging than Delilah. It is said to control the victim’s webcam from the Dark Web, allowing anyone who knows the name of the hidden service to view the victim’s videos, as well as take control of the Mac.
In fact, most recent RATs (Remote Access Trojans) can be used by hackers to switch on a user’s webcam, take control of the user’s machine, and subsequently blackmail the user with any incriminating information that is identified (videos, files, correspondence etc.). Therefore, perhaps the characterisation of Delilah as the first insider Trojan is a misrepresentation. It might be true that Delilah was the first recorded instance of this particular type of malware being used for insider recruitment via the means of blackmail and extortion, but it certainly is not revolutionary.
Or contact us at firstname.lastname@example.org or +44 (0)20 7148 7475 to speak to a cyber intelligence consultant.