Advanced Volatile Threats (AVTs) are memory-resident, RAM-based attacks. The method of attack is not new, but they are making a resurgence. They have recently been renamed Advanced Volatile Threats as a variation of the term Advanced Persistent Threats however these attacks are decidedly more short-term and far more stealthy in comparison to APTs.

AVTs are random access memory-based attacks. They can be deployed through a drive-by download and exist only in RAM memory. In this sense they are real-time attacks. AVTs are not persistent in that they disappear without a trace as soon as the PC is turned off, or as soon as they stop running, whichever occurs first.

As there is no corresponding file saved on disc, AVTs are very difficult to detect. Conventional antivirus technology analyses stored applications and will not identify AVTs. It is this detection difficulty which makes AVTs a dangerous threat and attractive to malware developers. If the malware remains undetected, the attacker is not identified. Recently we have seen much press about attacks attributed to the Chinese and traced back to APT1, the Chinese military unit which conducted the attacks and even the actual building where the attackers are thought to be based. AVTs have a far greater likelihood of remaining undetected, thus protecting the identity of the attacker.

It is due to this ability to remain hidden that we are seeing AVTs becoming more prevalent now – accounting for up to 10% of current attacks according to security vendor Triumfant who were responsible for the re-naming of AVTs. However, it would be impossible to know how many AVT attacks have gone unnoticed, the proportion could be far higher than 10%. Memory-resident attacks are used for corporate espionage where the attacker wants to go in, steal the proprietary information, and then escape detection. Triumfant maintain that AVTs are currently being used by the Chinese, Iranians and Russians for corporate espionage.

The Meterpreter (The Meta-Interpreter) is used to launch an AVT. It is a simple-to-use exploitation tool included as part of the Metasploit Framework. It allows developers to write their own dll file that can be injected into a running process on the target computer. More information about the Metasploit Framework is here.

As conventional AV file scanning methods will not identify AVTs, RAM-monitoring techniques will be required to detect an AVT attack in real-time.