Cisco Blogs

Cisco Blog > Security

Threat Spotlight: A String of ‘Paerls’, Part One

June 30, 2014 at 7:00 am PST

This post was co-authored by Jaeson SchultzJoel Esler, and Richard Harman

Update 7-8-14: Part 2 can be found hereVRT / TRAC

This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.

In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively.  When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes.  This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.

Discovering the threat

The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs, files, hashes, etc.  We take that intelligence data and apply  selection logic to it to identify samples that are worthy of review.  Using various methods from machine learning to dynamic sandbox analysis, we gather details about the samples -- producing indicator of  compromise (IOC), and alerts made up of multiple IOCs.

During our analysis we took the last 45 days’ worth of samples, and clustered them together based on a matching set of alert criteria.  This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior.  Using this pattern of similar behavior, we were capable of identifying families of malware.  This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.

The Malicious Word documents & Associated Phishing campaign

The attacks we uncovered are an extremely targeted spear phish in the form of an invoice, purchase order, or receipt, written specifically for the recipient.  For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.


Read More »

Tags: , , , , , , , , , ,

Steganographic Key Leakage Through Payload Metadata

Steganography is the ancient art of invisible communication, where the goal is to hide the very fact that you are trying to hide something. It adds another layer of protection after cryptography, because encrypted message looks like gibberish and everyone immediately notices that you want to hide something. Steganography embeds the (encrypted) secret message into an innocuous looking object such that the final communication looks perfectly normal. The “analog” form of steganography is the art of writing with invisible ink. The digital version hides the message by a subtle modification of the cover object. Probably the most researched area in digital steganography uses digital images as a cover media into which the message is inserted. The oldest (and very detectable) technique replaces the least significant bit (of each colour channel) with the communicated message. Shown below, the first picture is the cover object and the second one is the stego object.



Read More »

Tags: , , , ,

High Stakes Gambling with Apple Stock

Miscreants are always trying to put new twists on age-old schemes. However, I must admit that this latest twist has me slightly puzzled. Today, Cisco TRAC encountered a piece of stock related spam touting Apple’s stock, AAPL.

AAPL spam

Read More »

Tags: , ,

Zeus Botnet Impersonating Trusteer Rapport Update

July 19, 2013 at 12:50 pm PST

Starting Friday, July 19, 2013 at 14:45 GMT, Cisco TRAC spotted a new spam campaign likely propagated by the Zeus botnet. The initial burst of spam was very short in duration and it’s possible this was intended to help hide the campaign, since it appears to be targeted towards users of a Trusteer product called Rapport. Within minutes of the campaign starting, we were seeing millions of messages.


This spam impersonated a security update from Trusteer. Attached to this file was the “RaportUpdate” file, which contained a trojan. We’ve identified this specific trojan as Fareit. This file is designed to impersonate an update to the legitimate Rapport product, which, as described by Trusteer, “Protects end users against Man-in-the-Browser malware and phishing attacks. By preventing attacks, such as Man-in-the-Browser and Man-in-the-Middle, Trusteer Rapport secures credentials and personal information and stops online fraud and account takeover.”

It’s important to note that while this end-point solution is designed to protect against browser-based threats, this specific attack is email-based. If the user downloads and executes the attachment via their mail client, it could bypass their browser and the protections of a legitimate Rapport client, entirely. If an end user is tricked into running malicious software for an attack via an avenue the attacker can reasonably predict, it becomes much easier to bypass network security devices and software.


Read More »

Tags: , , , , , , ,

Miscreants and the Principle of Least Effort

Back in the old days, when security was much more of an afterthought, it was obvious that miscreants were familiar with the principle of least effort. Information security was still in its Wild West days. Managed disclosure and patching did not really exist. Most companies were just coming to realize they would need to put some effort into securing their assets. I was tasked with most of the security deployments and forensic investigation at a startup hosting company. We had a lot of bandwidth (at the time) and a lot of poorly managed servers. You could watch our gateway and know when a new vulnerability was discovered in the underground. You could see miscreants scanning for a specific service in a specific network. Miscreants had done their homework, and knew where the vulnerable hosts resided. This targeting was efficient. Sure enough, hosts would start being compromised and a few days later some sort of official disclosure would happen detailing the vulnerability the miscreants had been scanning for. Read More »

Tags: , , , ,