Advanced threats are changing so often that it is getting harder and harder to keep up! In addition to launching new attacks, hackers are reinventing older ones, making them even more difficult to detect. In this webinar, we will discuss at a high level some of the biggest cybersecurity threats happening right now, including:
--The Resurgence of Ransomware - Locky and other new cryptolockers
--Malvertising, oh My! - No website is safe from unknowingly spreading malware to visitors
--I have RATs - How to defend against Remote Access Trojans stealing your data
1. Ransomware, RATs & other Big Trends in Cybersecurity
Nick Bilogorskiy
@belogor
Stephen Harrison
EverSec Group
2. Agenda
o Eversec intro
o How Ransomware works
o Malvertising
o RATS: Remote Access Trojans
o Wrap-up and Q&A
3. o Security Design, Analysis, & Implementation Assistance
o Security Assessments
o Cyber Penetration Testing
o Remediation Services
o Integration Skills
o Managed Services
o Dark Net Recon
o Customized Hacking/Incident Response Training
4.
Cybercrime now: a $1+ trillion industry
Cyber warfare: 100+ nations
✚ Over 95% of breaches occur behind perimeter firewalls.
✚ 71% of security breaches involve user devices.
✚ 51% of breaches involve corporate servers.
5. o Advanced Breach Detection {ABD}
o End Point Detection & Response {EDR}
o Advanced Data Loss Prevention {ADLP}
o Mobile & BYOD Security
o Threat Intelligence Operationalization
o Incident Response Orchestration
o Cloud Infrastructure Security
6. “EverSec Group has pulled away from the pack of me-too security solution providers … willing to wager on security startups that are turning network security and endpoint security into outdated concepts.”
- CRN.com, February 26, 2015
8.
40% of enterprises will have formal plans to address cyber security business disruption by 2018
60% of enterprise information security budgets will be allocated to rapid detection and response approaches (up from less than 10% in 2014) by 2020
10. What is Ransomware
Ransomware is any malware that demands the user pay a ransom. There are two types of ransomware: lockers and crypters.
14. Bitcoin Primer
• easy to use,
• fast,
• publicly available,
• decentralized, and
• provides anonymity, which serves to encourage extortion.
15. How often do you back up?
Computer Backup Frequency 2008-2015 (BackBlaze data)
Frequency   2008   2009   2010   2011   2012   2013   2014   2015
Daily         6%     6%     8%     6%    10%    10%     9%     8%
Other        56%    57%    58%    60%    10%    59%    63%    67%
Never        38%    37%    34%    34%    31%    29%    28%    25%
16. The Ransomware Business Model
o 90% of people do not backup daily
o Data Theft in place
o Anonymity (TOR, Bitcoin)
o Operating with impunity in Eastern Europe
o Extortion
o Focus on ease of use to drive conversion
o Currently 50% pay the ransom; it was 41% two years ago
18. Known Victims… So far
HOSPITALS: Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, Baltimore’s Union Memorial Hospital, and many others
POLICE: Tewksbury Police Department, Swansea Police Department, Chicago suburb of Midlothian, Dickson County, Tennessee, Durham, N.H., Plainfield, N.J., Collinsville, Alabama; hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database.
GOVERNMENT: 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.
SCHOOLS: A South Carolina school district paid $10,000. A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools, is vulnerable to SamSam ransomware.
19. Apr 30, 2016:
In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network […] focused on putting “ransomware” on users’ computers. […] As part of that effort, we will be blocking access to YahooMail on the House Network until further notice.
22. Ransomware: Additional Costs
o network mitigation
o network countermeasures
o loss of productivity
o legal fees
o IT services
o purchase of credit monitoring services for employees or customers
o potential harm to an organization’s reputation
23. 2016 Ransomware tricks
1. Targeting businesses (e.g. hospitals) rather than individuals.
2. Deleting files at regular intervals to increase the urgency to pay the ransom faster – Jigsaw
3. Encrypting entire drives – Petya
4. Encrypting web server data – RansomWeb, Kimcilware
24. 2016 Ransomware tricks
5. Encrypting data on network drives, even those that are not mapped – DMA Locker, Locky, Cerber and CryptoFortress
6. Compressing files first to speed up encryption – Maktub
7. Deleting or overwriting cloud backups.
8. Encrypting each file with its own unique key – Rokku
25. 2016 Ransomware tricks
9. Targeting non-Windows platforms – SimpleLocker, DogSpectus, KeRanger
10. Using the computer speaker to speak audio messages to the victim – Cerber
11. Ransomware as a service – Tox
12. Using counter-detection malware armoring, anti-VM and anti-analysis functions – CryptXXX
27. Tips to Avoid Ransomware Infection
o Install the latest patches for your software,
especially Adobe, Microsoft and Oracle apps
o Use network protection
o Use a comprehensive endpoint security
solution with behavioral detection
o Turn Windows User Account Control on
o Block Macros
28. Tips to Avoid Ransomware Infection
o Be skeptical: Don’t click on anything
suspicious
o Block popups and use an ad-blocker
o Override your browser’s user-agent*
o Consider Microsoft Office viewers
o Disable Windows Script Host
29. Tips to Avoid Losing Data to Ransomware
o Identify Ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/
o Shadow Copies
o Turn off computer at first signs of infection
o Remember: the only effective ransomware defense is backup
30. Tips to Avoid Losing Data to Ransomware
o List of free decryptors: http://bit.ly/decryptors
32. What is Malvertising
Malvertising is the use of online advertising to spread malware. Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.
(Anti-Malvertising.com)
33. How Malvertising works
Attacker: creates and injects malware ads into an advertising network
Advertising Network: selects an ad based on auction, sends it to the website
Website: serves a banner ad, sometimes malicious
User: visits a popular website, gets infected via exploit kit
35. Techniques to avoid detection
o Enable malicious payload after a delay
o Only serve exploits to every 10th user
o Verifying user agents and IP addresses
o HTTPS redirectors
36. Who is to blame for Malvertising?
Popular websites
Ad exchanges
Ad networks
Users
Browsers
37. Malvertising
o Advertising networks get millions of submissions, and
it is difficult to filter out every single malicious one.
o Attackers will use a variety of techniques to hide from
detection by analysts and scanners
o Advertising networks should use continuous
monitoring – automated systems for repeated
checking for malware ads, need to scan early and scan
often, picking up changes in the advertising chains.
39. Dridex malware
o First seen: Nov 2014, new versions throughout 2015
o Target: North American and European banks
o Distribution: spam mails with Word documents
o Some versions use p2p over http for carrying out botnet communication
o Uses web injects to carry out man-in-the-browser attacks
o Uses VNC
o It is both a RAT tool and a banking Trojan
41. Summary
1. Ransomware evolved into a major threat allowing criminals
to easily monetize malware infections via Bitcoin
2. Every platform is vulnerable to ransomware.
3. Back up your files! Since decrypting encrypted files is not always possible, frequent backups become even more critical. And keep your backup offline.
4. Malvertising is on pace to have a record year.
5. Must use defense-in-depth techniques powered by machine
learning to defeat malware at every stage of the kill chain.
Proactive consultative relationship with our clients
Support security requirements of large international organizations
Commitment to providing cutting edge security solutions
Customizable professional services to uniquely address customer needs
Strategic partnership with security and managed services firms
Strong vendor relationships and ability to advocate for our customers
Strong distributor relationships in the US and Europe
International Logistics Assistance
STI Group, RazorPoint,
Ransomware: a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.
Lockers vs Cryptoware. During 2013, Kovter acted as a police ransomware, remaining on the device, listening to the user’s traffic, “waiting” for something to happen. Once a user enters their account credentials or uses file sharing applications to download unsolicited files, Kovter pops up a message stating the user violated the law, demanding they pay a fine. Another similar attack was a 2012 Trojan called Reveton. It claimed that the computer had been used for illegal activities, such as downloading pirated software or child pornography.[41] The warning informs the user that to unlock their system, they would have to pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard. To increase the illusion that the computer is being tracked by law enforcement, the screen also displays the computer's IP address, while some versions display footage from a victim's webcam to give the illusion that the user is being recorded. These threats are very effective, convincing and dangerous. They can even claim a human life: Joseph Edwards, 17, hanged himself after receiving a scam e-mail which he believed was from the police and referred to indecent photos.
Ransomware encrypts files on a user’s computer and renders them unusable until the victim pays the ransom and obtains the key to decrypt.
Cybercriminals are making millions of dollars from ransomware. According to forecasts and assessments made by experts, the threat of ransomware will continue to rise in the months and years to come. In many cases, victims are left with no other choice than to pay the attackers, and even the FBI often advises victims to pay the ransom as the only recourse. Traditional methods and tools no longer suffice to deal with the fast-evolving landscape of ransomware viruses, and new approaches are needed to detect and counter its devastating effects.
Tor has become a proven means of communication and is ideal for hosting CNC and ransom payment sites. The Tor network is used by anyone who wants to maintain their online anonymity.
It does this by routing all traffic from the client to the destination through a series of relays called a circuit. Relays are simply Tor clients configured to also act as a router for other clients in order to provide more bandwidth to the network. By default, Tor clients send traffic through a circuit of 3 relays before reaching the final destination. Tor clients encrypt all their traffic so that routers will only know two things: where the traffic came from immediately before it, and where the next stop for the traffic will be. This is done by encrypting the traffic once for each relay in the circuit, using a different key for each layer of encryption. This way, as each relay receives the traffic, it can only strip off one layer of encryption, and then forward the data to the next destination. If the relay is forwarding the data to another relay, all it will see is encrypted ciphertext. The only relay which will see the actual data being sent to the final destination is the exit relay.
Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals
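The layering just described, as an added toy model (not Tor's own code and not its real cipher: Tor uses AES in counter mode with per-hop negotiated keys, whereas this uses a SHA-256-derived keystream as a stand-in so it runs with the standard library only). The relay names, keys and destination are constructed. It shows the property the notes state: each relay peels exactly one layer, learns only its previous and next hop, and only the exit relay ends up holding the data sent to the destination.

```python
"""Toy model of layered ("onion") encryption across a three-relay circuit.

Added illustration, not Tor's protocol: the keystream cipher below is a
hypothetical stand-in (NOT for real use). The point is the structure: one
layer per relay, each under a different key, peeled one hop at a time.
"""
import hashlib
import json
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_onion(circuit, destination, payload):
    """Client side: wrap the payload once per relay, innermost layer first.

    circuit is a list of (relay_name, shared_key) in path order; the last
    entry is the exit relay. Each layer names only the *next* hop and carries
    the still-encrypted cell meant for that hop."""
    inner = json.dumps({"next": destination, "body": payload.hex()}).encode()
    cell = keystream_xor(circuit[-1][1], inner)           # exit relay's layer
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        layer = json.dumps({"next": next_name, "body": cell.hex()}).encode()
        cell = keystream_xor(key, layer)                   # wrap for earlier relay
    return cell


def relay_peel(key, cell):
    """Relay side: strip one layer. Returns (next_hop, inner_cell); inner_cell
    is still ciphertext unless this relay is the exit."""
    layer = json.loads(keystream_xor(key, cell))
    return layer["next"], bytes.fromhex(layer["body"])


def route(circuit, destination, payload):
    """Drive the cell through every relay. Returns the per-relay view (what
    each hop could learn) and the bytes delivered to the destination."""
    cell = build_onion(circuit, destination, payload)
    trace, prev = [], "client"
    for name, key in circuit:
        next_hop, cell = relay_peel(key, cell)
        trace.append({"relay": name, "from": prev, "to": next_hop,
                      "sees_plaintext": cell == payload})
        prev = name
    return trace, cell


if __name__ == "__main__":
    # Constructed circuit: three relays, each with its own random key.
    circuit = [(name, os.urandom(16)) for name in ("guard", "middle", "exit")]
    trace, delivered = route(circuit, "example.com", b"GET / HTTP/1.1")
    for hop in trace:
        print(hop)
    print("delivered:", delivered)
```

Running it shows the guard relay seeing "client" and "middle", the middle relay seeing "guard" and "exit", and only the exit relay seeing the destination and the plaintext, which is exactly why recorded traffic at any single relay does not reveal the C2 or payment site to an investigator.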
Technologies such as bitcoin are contributing to the rising success of ransomware, enabling hackers to stage attacks with more efficiency while hiding their tracks. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards, principally Greendot cards sold at retailers, convenience stores and pharmacies. But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out within the United States: Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.
What is Bitcoin?
Bitcoin is a digital currency that uses consensus in a massive peer-to-peer network to verify transactions.
This results in a system where payments are non-reversible, accounts cannot be frozen, and transaction fees are much lower.
Where do bitcoins come from?
Bitcoins are mined - Some users put their computers to work verifying transactions in the peer-to-peer network mentioned above.
These users are rewarded with new bitcoins proportional to the amount of computing power they donate to the network.
How to get started with Bitcoin
The best way to learn about Bitcoin is to get some and experiment. We have written articles about how to set up your own Bitcoin wallet, how to acquire bitcoins,
What can you buy with bitcoin today?
Over 100,000 merchants accept bitcoin online. You can pay for things you buy on Dell, Microsoft, NewEgg or Expedia.
You can also convert bitcoin into gift cards for Amazon, Target or Walmart.
Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.
It’s a very successful criminal business model with many copycats. This is just one of the findings of Ransomware. A Victim’s Perspective: A study on US and European Internet Users (PDF), a report conducted by Bitdefender in November of last year.
Recently, several organizations were badly hit by ransomware, including a police department in Massachusetts, a church in Oregon, schools in South Carolina and several medical centers in California and Kentucky, one of which ended up paying the attackers 40 bitcoins (approximately $17,000).
In a recent high-profile case, the Hollywood Presbyterian Medical Center declared an internal emergency after suffering an outbreak of ransomware. Ultimately, this hospital decided to ante up the required Bitcoin ransom payment, handing over $17,000 in order to get access to its computers. The original ransom demand was for $3.7 million in Bitcoins, so if nothing else, that is some decent negotiating on the part of the hospital.
YahooMail Is So Bad That Congress Just Banned It
In response to the attacks, the House’s IT desk blocked access to YahooMail “Until further notice.”
How much money?
$24 million in hostage payments according to the FBI. But experts say those figures are dwarfed by the actual payments, which likely exceed half a billion dollars per year (24 million < x < 500 million).
CryptoWall alone is $325 million (400,000 payments) according to the CTA report: http://www.coindesk.com/cryptowall-325-million-bitcoin-ransom/
Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers. At that rate, ransomware is on pace to be a $1 billion a year crime this year. The FBI told CNN that the number "is quite high" because a few people "reported large losses."
2014 - 25M
2015 - 25M
2016 - 1000M (estimate)
The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers
*Corporations have more valuable data and more money for ransom (ransom increases from roughly $500 per computer to $15,000 for the entire enterprise).
*Jigsaw ransomware operates like this: for every hour that passes in which victims have not paid the ransom, another encrypted file is deleted from the computer, making it unrecoverable even if the ransom is paid or files decrypted via another method. The malware also deletes an extra 1,000 files every time victims restart their computers and log into Windows.
*Petya ransomware encrypts the Master File Table. This table contains all the information about how files and folders are allocated.
*RansomWeb and Kimcilware are both families that take this unusual route: instead of going after users' computers, they infect web servers through vulnerabilities and encrypt website databases and hosted files, making the website unusable until the ransom is paid.
Encrypting data on network drives - even on those ones that are not mapped. DMA Locker, Locky, Cerber and CryptoFortress are all families that attempt to enumerate all open network Server Message Block (SMB) shares and encrypt any that are found.
Compressing files first is to speed up the encryption process. Maktub ransomware does this.
Deleting or overwriting cloud backups. In the past, backing up your data to cloud storage and file shares was safe. However, newer versions of ransomware have been able to traverse to those shared file systems making them susceptible to the attack.
According to Fabian Wosar, of Emsisoft, when Rokku encrypts a victim's data it will use the Salsa20 algorithm and will encrypt each file with its own unique key. A file's key is then encrypted using RSA and stored in the last 252 bytes of the associated file. This allows the developers to provide individual decryption keys for test file decryption. This is also the first ransomware that I know of that uses the Salsa20 algorithm, which provides much greater encryption speeds compared to AES.
Targeting non-Windows platforms. SimpleLocker encrypts files on Android, while Linux.Encode.1 encrypts files on Linux, and KeRanger on OSX.
Using the computer speaker to speak audio messages to the victim. Cerber ransomware generates a VBScript, entitled “# DECRYPT MY FILES #.vbs,” which allows the computer to speak the ransom message to the victim. It can only speak English but the decryptor website it uses can be customized in twelve different languages. It says “Attention! Attention! Attention!” “Your documents, photos, databases and other important files have been encrypted!”
Ransomware as a service: this model is offered on underground forums; it provides the malicious code and infrastructure to facilitate the transfer of funds and the encryption key for the victim to be able to access their information. Tox ransomware does this.
Bonus: Using counter-detection malware armoring, anti-VM and anti-analysis functions. CryptXXX does this.
Drive-bys and email (MS Office documents, and JS in ZIP)
- Phishing emails may contain malicious attachments. These attachments are not always delivered in executable form; as security vendors and security best practices dictate that receiving executables via email is, in general, something we want to prevent, threat actors have to adapt to the changing landscape. This can be done by indirect delivery mechanisms. In Windows, for example, a malicious actor may opt for a less direct method of delivery: embed an obfuscated JavaScript file into an archive, and rely on the end user for the rest. Opening a .JS file on a Windows host will launch the default browser, and the JavaScript can then reach out to an external URL to grab an executable, deliver it to the victim, and execute it. At this point, preventing users from receiving executables via email is no longer effective, as the executable is delivered via HTTP.
- Exploit kits (such as Angler, or Neutrino) have been known to deliver ransomware to users by exploiting vulnerable web servers and hosting malicious web scripts on them which exploit visitors when certain criteria are met, and then delivering a malicious payload.
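The two mail-borne delivery vehicles above (a script hidden in a ZIP, often behind a double extension such as .pdf.js, and an Office document carrying a VBA macro) are what a gateway attachment check has to catch. The following is an added example of such a check, standard library only and not code from the presentation or any product; the extension lists, the findings format and the sample archives are all constructed assumptions. It relies on the fact that both ZIP archives and Office Open XML files are ZIP containers, so one walk over the members finds a script inside an archive and a `vbaProject.bin` inside a document, even one renamed to .docx.

```python
"""Mail-gateway style attachment inspection for scripts-in-ZIP and macro
documents. Added example; lists and thresholds are local policy assumptions."""
import io
import zipfile

# File types Windows will run straight from a double-click (assumed policy list).
EXECUTABLE_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                         ".exe", ".scr", ".cmd", ".bat"}
# Macro-enabled Office Open XML extensions, and the archive member that holds
# the VBA project inside any OOXML file (a plain .docx can carry one too).
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
MACRO_PART = "vbaproject.bin"


def extension(name: str) -> str:
    """Last extension of a file name, lower-cased ('' if none)."""
    base = name.rstrip("/").rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; [] means nothing flagged."""
    findings = []
    ext = extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable/script attachment: {filename}")
    if ext in MACRO_EXTENSIONS:
        findings.append(f"macro-enabled Office format: {filename}")
    # ZIP archives and Office Open XML documents are both ZIP containers, so
    # one walk covers "script inside archive" and "macro inside document".
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if member.endswith("/"):          # directory entry
                    continue
                if member.lower().endswith(MACRO_PART):
                    findings.append(f"VBA macro project inside {filename}: {member}")
                elif extension(member) in EXECUTABLE_EXTENSIONS:
                    findings.append(f"executable/script inside {filename}: {member}")
    return findings


def build_zip(entries: dict) -> bytes:
    """Helper to construct sample archives in memory (member name -> content)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buffer.getvalue()


# Constructed samples: a clean archive, the .JS-in-ZIP lure, and a .docx that
# quietly contains a macro project. None of the contents are real scripts.
SAMPLES = {
    "notes.zip": build_zip({"notes.txt": b"meeting notes"}),
    "invoice.zip": build_zip({"Invoice_2016.pdf.js": b"// placeholder, not a real script"}),
    "report.docx": build_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>",
                              "word/vbaProject.bin": b"\x00placeholder"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", inspect_attachment(name, data) or "clean")
```

The check is deliberately name-based for the outer file and content-based for the container; a .docx renamed from .docm still trips the `vbaProject.bin` rule, which is the case the "Block Macros" advice is really about.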
Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps. A common way in for ransomware is via exploit kits, like Angler. These bundle many application vulnerabilities into one kit, and try drive-by exploits for each one in sequence. The more outdated your apps are, the more likely it is that some of these exploits will work and infect you with ransomware.
Use network protection. A very important part of a comprehensive security strategy is to use a network traffic monitoring system that is based on machine learning and behavior analysis. As most of these attacks come in via internet channels, make sure your network protection can parse and analyze both email and web traffic.
Use a comprehensive endpoint security solution with behavioral detection. The endpoint (the user's computer) is where the ransomware infection takes place. So it is important to use a modern security solution here as well, with a signature-less approach. A signature-less approach, aka behavior detection, is the only way to catch zero-day threats that are new and do not have signatures written for them yet.
Turn Windows User Account Control on. Windows has added this security feature to help you stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. If you’re doing tasks that can be done as a standard user, such as reading e‑mail, listening to music, or creating documents, you have the permissions of a standard user, even if you’re logged on as an administrator. Take full advantage of it.
Block macros. Office 16 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet.
Be skeptical: Don’t click on anything suspicious. Don’t click on any emails or attachments you don't recognize, and avoid suspicious websites altogether. As most of the infections come from user action (opening attachments or visiting websites), being vigilant is the most effective way to minimize damage.
Block popups and use an ad-blocker. Popups are regularly used by criminals to spread malicious software. To avoid accidental clicks on or within popups, it's best to prevent them from appearing in the first place. According to Statista, nearly 200 million people worldwide already follow this advice and use ad-blockers.
Override your browser’s user-agent. As some exploit kits use your user-agent to tailor the right exploit for your operating system, it pays to trick them by setting the wrong user-agent on purpose. For instance, when using Firefox on Windows, set your user-agent to say “Firefox on Linux” to confuse malware redirectors and exploits.
Block Macros, Disable Windows Script Host
Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, that you may have made.
Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to logout or even close your applications first – so they are a quick and popular alternative to a proper backup procedure.
Shadow Copies
Sometimes crypto ransomware can have weaknesses in its implementation which could allow victims to recover at least some of their files without paying. For example, Windows can be set up to make recovery points at regular intervals. These backups are called shadow copies. If this service is enabled and if a crypto ransomware does not interfere with this feature, it may be possible to recover some files using this method. This blog details various Windows tools that can be useful to aid recovery in case of a crypto ransomware attack.
File recovery software
Another point worth noting is that when a file is deleted in Windows, the contents of the file are not usually scrubbed from the physical disk itself. Instead, the entries defining the file are removed from the disk allocation tables, freeing up the space. The original data in the freed space is not overwritten until a new file is written to the same space on the disk. This makes it possible to recover deleted files if the disk space has not already been overwritten by another file. Victims can use file recovery software such as PhotoRec to scan for deleted files and recover them.
No bullet-proof solution
It should be noted that the more advanced crypto ransomware groups are aware of these techniques and take steps to prevent their successful use. As a result, some crypto ransomware threats delete shadow copies to prevent victims from being able to recover files. Similarly, other crypto ransomware threats such as Trojan.Ransomcrypt.R use secure deletion tools such as SDelete to ensure that original files are securely erased from the disk after encryption. In this situation, the only answer is to have a backup of the files as there is no practical way for the files to be recovered or decrypted without the right key.
Malvertising is the practice of injecting malicious advertisements into legitimate online advertising networks. It is served with the goal of compromising users and their devices. It can occur through deceptive advertisers or agencies running ads, or through compromises of the ad supply chain including ad networks, ad exchanges and ad servers.
Malvertising is not new malware, just a different delivery vehicle. Malvertising is popular because compromising websites that have high traffic is very effective for malware distribution, and because attacking these sites' ad networks is easier and requires less effort than finding a vulnerability in the site software.
Websites or web publishers unknowingly incorporate a corrupted or malicious advertisement into their page. Once the advertisement is in place, and visitors begin clicking on it, their computer can become infected. Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations." [8]
Users visit a website and get infected by malware without any action or warning. The website loads a banner ad that has been tampered with (injected with JavaScript to redirect to a malicious site). That site will load a pack of different drive-by exploits to penetrate the user's browser or plugin, achieve remote code execution, and then install the malware payload. So the lifecycle is:
Website -> redirect -> exploit -> payload.
The goal of these attacks, seen so far, is to make money, and that is achieved by loading a monetization payload. The most popular ones are ransomware, like Cryptowall, and ad-fraud Trojans like Bedep.
Cyphort Labs crawler monitors top sites in the world 24×7 to find cases of malicious code served via drive-by exploits. Most of the sites we see serving exploits are not compromised themselves, but redirect to advertisers poisoned by malware. This technique is called malvertising and we issued a special report on the phenomenal growth of malvertising in August of 2015. Here is the latest update on the numbers of unique domains we have found per year:
Year   Number of unique domains
2014   910
2015   1654
2016   2102*
*estimate based on the number seen so far. As you can see malvertising growth continues, and is on pace for the largest year ever. See more at: http://www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/
It’s common practice to outsource the advertising on websites to third-party specialists. These companies re-sell this space, and provide software which allows people to upload their own adverts, bidding a certain amount of money to ‘win’ the right for more people to see them. This often provides a weak point, and cyber criminals have numerous clever ways of inserting their own malicious adverts into this self-service platform. Once loaded, all they have to do is set a price per advert, to compete with legitimate advertisers, and push it live.
The ad networks get millions of ads submitted to them and any one of those could be malvertising. They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly.
The attackers are accustomed to tricking the networks by making "armored" malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless. For instance they will enable the malicious payload after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and IP addresses is also a common strategy to hide from analysts and automated malware detection. The attackers can implement various targeting strategies for malware infection, which appear normal in the context of advertisement, but in effect evade certain security detection. The use of redirection via HTTPS (Hypertext Transfer Protocol Secure, a communications protocol for secure encrypted communication) is unique. It makes it harder to analyse the origin of the attack because even if a security company has the recorded network traffic, it is impossible to decrypt and reconstruct the origin of the malware redirect.
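The slide on continuous monitoring ("scan early and scan often, picking up changes in the advertising chains") and the notes above describe why a single approval-time check is not enough. The following is an added example of such a scanner, not code from the presentation or from any ad network. The scanner is the point; `ConditionalCreative` is a small stand-in that reproduces the three behaviours the notes list (delayed activation, serving only every Nth visitor, user-agent checks) so the scanner can be exercised offline. The host names, user-agent strings and thresholds are constructed.

```python
"""Continuous-monitoring scanner for ad creatives: fetch repeatedly over
days, rotate user agents, and diff every observed redirect chain against the
chain recorded at approval. Added example with constructed data."""
from collections import Counter

# The redirect chain recorded when the creative was approved (constructed).
APPROVED_CHAIN = ("ads.example-network.test", "cdn.example-brand.test")


class ConditionalCreative:
    """Stand-in for an ad whose redirect chain changes after approval: only
    after a delay, only for every Nth request, and only for a targeted UA."""

    def __init__(self, activate_after_day=3, every_nth=10, target_ua="Windows"):
        self.activate_after_day = activate_after_day
        self.every_nth = every_nth
        self.target_ua = target_ua
        self.requests = 0

    def serve(self, day: int, user_agent: str) -> tuple:
        self.requests += 1
        if (day >= self.activate_after_day
                and self.requests % self.every_nth == 0
                and self.target_ua in user_agent):
            return APPROVED_CHAIN + ("redir.unknown-party.test",)
        return APPROVED_CHAIN


def scan(creative, days: int, requests_per_day: int, user_agents):
    """Fetch the creative repeatedly with rotated user agents, count every
    distinct redirect chain seen, and report hosts absent from the approved
    chain. Returns (observed_chains, unapproved_hosts)."""
    observed = Counter()
    for day in range(days):
        for i in range(requests_per_day):
            chain = creative.serve(day, user_agents[i % len(user_agents)])
            observed[chain] += 1
    unapproved = {host for chain in observed for host in chain
                  if host not in APPROVED_CHAIN}
    return observed, unapproved


# Constructed UA strings; rotating them is what defeats UA-based targeting.
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) scanner",
    "Mozilla/5.0 (X11; Linux x86_64) scanner",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X) scanner",
]


def one_shot_approval_scan():
    """What a single check at submission time sees: nothing unusual."""
    return scan(ConditionalCreative(), days=1, requests_per_day=1, user_agents=USER_AGENTS)


def continuous_scan():
    """What a week of repeated scanning with rotated user agents sees."""
    return scan(ConditionalCreative(), days=7, requests_per_day=50, user_agents=USER_AGENTS)


if __name__ == "__main__":
    _, flagged = one_shot_approval_scan()
    print("one-shot scan flagged:", flagged or "nothing")
    observed, flagged = continuous_scan()
    print("continuous scan flagged:", flagged)
    for chain, count in observed.items():
        print(count, "x", " -> ".join(chain))
```

With the constructed parameters the one-shot scan approves the creative, while the continuous scan sees the extra host in 8 of 350 fetches; in practice the value of the approach is the chain diff against the approved baseline, since any new host in the chain is a change the network never vetted.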
Everyone is partly to blame:
Popular websites still using ad exchanges for monetization, ignoring the risk to their users.
Ad exchanges pass the blame onto other entities in the ad food chain, like ad networks.
Ad networks are not filtering their ad creatives completely.
Users do not secure their browsers , do not patch their systems and still use broken technologies from the 90s like Java and Flash.
Browsers do not yet disable all of these technologies by default for “good user experience.”
We even saw a revival of Microsoft Office macros with the latest Cridex variant, referred to as Dridex. This threat has recently been distributed through emails with malicious Word document attachments which download the malware using macros embedded in the document. The emails use the brands of legitimate firms and claim that the attached documents are invoices from these companies. The documents actually contain a VBA macro that downloads the threat onto the user’s computer. Once the malware has compromised the computer, it steals login credentials for online banking sites.
Dridex/cridex/Feodo/Bugat:
Infected Users: 904 million records compromised
Target: North American banks (JP Morgan Chase's breach), European banks (Bank of Scotland, Lloyds Bank, Danske Bank, Barclays, Kasikorn Bank, Santander, Triodos Bank)
First Seen : Nov 2014
Delivered by: Spam Messages
Actors: unknown
https://www.proofpoint.com/us/threat-insight/post/LogIn-Waz-Here
http://researchcenter.paloaltonetworks.com/2014/10/dridex-banking-trojan-distributed-word-documents/
We need to holistically examine the entire malware attack kill chain – every stage of it from the download to the data exfiltration, and use defense in depth techniques powered by machine learning.
The business of backing up data will thrive because of recent high-profile ransomware attacks