This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.
In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively. When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes, and seems to target high-profile, money-rich industries such as banking, oil, television, and jewelry.
Discovering the threat
The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs to files and hashes. We take that intelligence data and apply selection logic to it to identify samples that are worthy of review. Using various methods, from machine learning to dynamic sandbox analysis, we gather details about the samples, producing indicators of compromise (IOCs) and alerts made up of multiple IOCs.
During our analysis we took the last 45 days’ worth of samples and clustered them together based on a matching set of alert criteria. This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior. Using this pattern of similar behavior, we were able to identify families of malware. This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.
The Malicious Word documents & Associated Phishing campaign
The attacks we uncovered are an extremely targeted spear phish in the form of an invoice, purchase order, or receipt, written specifically for the recipient. For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.
Earlier this week you learned about the network at Cisco Live! If you attended the event this year, you’ll also have noticed that there was a brand new extension of the event in Moscone West. This was DevNet, the first developer-facing zone Cisco has ever brought to life, just in time for the 25th anniversary of the conference. DevNet featured a whole array of activities for the dev-inclined Cisco customer: learning labs, tech talks on both a main stage for thought leadership and techie details in an API theater, and a hackathon. CMX was one of the key technologies on display in the DevNet zone, and our CMX engineering team was super excited to see our technology in the spotlight.
As many of you know, CMX offers a rich set of APIs enabling the developer community to develop, enhance and customize location-enabled applications. The highlight of the show for me was the DevNet Hackathon, a real 24-hour hackathon right in the DevNet Zone--another first for Cisco. Our very own Mobility Services API and CMX SDK were part of the featured technology sets for people to work with to create location-enabled apps using real-time intelligence from the Mobility Services Engine (MSE). It was really fun to be working with developers from many different countries and awesome to see our APIs and SDK brought to life. See for yourself!
This post is co-authored by Martin Lee, Armin Pelkmann, and Preetham Raghunanda.
Cyber security analysts tend to redundantly perform the same attack queries with different input data. Unfortunately, the search for useful metadata correlation across proprietary and open source data sets may be laborious and time consuming with relational databases: multiple tables are joined and queried, and the results inevitably take too long to return. Enter the graph database, a fundamentally improved database technology for specific threat analysis functions. Representing information as a graph allows the discovery of associations and connections that are otherwise not immediately apparent.
Within basic security analysis, we represent domains, IP addresses, and DNS information as nodes, and represent the relationships between them as edges connecting the nodes. In the following example, domains A and B are connected through a shared name server and MX record despite being hosted on different servers. Domain C is linked to domain B through a shared host, but has no direct association with domain A.
This ability to quickly identify domain-host associations brings attention to further network assets that may have been compromised, or assets that will be used in future attacks.
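The domain-host pivoting described above, as an added example that is not code from the original post and uses no graph database: a small standard-library script builds the same graph from a constructed set of DNS and hosting records (domains A and B share a name server and an MX record but sit on different hosts, domain C shares B's host), then finds shared infrastructure, the shortest path between two domains, and every domain reachable from a seed within a given number of hops. All domain names, IP addresses and record values are constructed for the example.

```python
"""Graph-based pivoting over DNS/hosting records (added example, stdlib only)."""
from collections import defaultdict, deque

# Constructed records mirroring the post's example. Each tuple is
# (domain, record type, value); the value is the infrastructure node.
RECORDS = [
    ("domain-a.example", "NS", "ns1.shared-dns.example"),
    ("domain-a.example", "MX", "mail.shared-mx.example"),
    ("domain-a.example", "A", "198.51.100.10"),
    ("domain-b.example", "NS", "ns1.shared-dns.example"),
    ("domain-b.example", "MX", "mail.shared-mx.example"),
    ("domain-b.example", "A", "198.51.100.20"),
    ("domain-c.example", "A", "198.51.100.20"),
]

# Nodes that are domains (as opposed to name servers, MX hosts or IPs).
DOMAINS = {domain for domain, _, _ in RECORDS}


def build_graph(records):
    """Undirected adjacency: node -> set of (neighbour, relation label)."""
    graph = defaultdict(set)
    for domain, rtype, value in records:
        graph[domain].add((value, rtype))
        graph[value].add((domain, rtype))
    return graph


def shared_infrastructure(graph, x, y):
    """Infrastructure nodes adjacent to both x and y, with the relation label."""
    nx_ = {node: rel for node, rel in graph[x]}
    ny_ = {node: rel for node, rel in graph[y]}
    return sorted((node, nx_[node]) for node in nx_.keys() & ny_.keys())


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the node list src..dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nbr, _ in graph[node]:
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    return None


def pivot(graph, domains, seed, max_hops=2):
    """Domains reachable from seed within max_hops edges.

    Every domain-to-domain link passes through an infrastructure node, so
    max_hops=2 returns only domains sharing an asset directly with the seed;
    larger values follow chains of shared assets.
    """
    depth = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if depth[node] == max_hops:
            continue
        for nbr, _ in graph[node]:
            if nbr not in depth:
                depth[nbr] = depth[node] + 1
                queue.append(nbr)
    return sorted(d for d in depth if d in domains and d != seed)


GRAPH = build_graph(RECORDS)

if __name__ == "__main__":
    a, b, c = "domain-a.example", "domain-b.example", "domain-c.example"
    print("A/B share:", shared_infrastructure(GRAPH, a, b))
    print("A/C share:", shared_infrastructure(GRAPH, a, c))
    print("A -> C path:", shortest_path(GRAPH, a, c))
    print("pivot from A, 2 hops:", pivot(GRAPH, DOMAINS, a))
    print("pivot from A, 4 hops:", pivot(GRAPH, DOMAINS, a, max_hops=4))
```

Running it shows A and B linked through both the name server and the MX host, no asset shared directly between A and C, and C reached from A only by first pivoting through B and its host IP; a bounded hop count is what keeps such pivots from expanding into every domain on a large shared name server.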
This post is co-authored by Andrew Tsonchev, Jaeson Schultz, Alex Chiu, Seth Hanford, Craig Williams, Steven Poulson, and Joel Esler. Special thanks to co-author Brandon Stultz for the exploit reverse engineering.
Silverlight exploits are the drive-by flavor of the month. Exploit Kit (EK) owners are adding Silverlight to their update releases, and since April 23rd we have observed substantial traffic (often from Malvertising) being driven to Angler instances partially using Silverlight exploits. In fact, in this particular Angler campaign the attack is more specifically targeted at Flash and Silverlight vulnerabilities, and though Java is available and an included reference in the original attack landing pages, it’s never triggered.
HTTP requests for a specific Angler Exploit Kit campaign
Angler exploit content types delivered to victims, application/x-gzip (Java) is notably absent
Today MWC 2014 came to a close in Barcelona having been another resoundingly successful event.
Mobile operators and Service Providers have displayed ever increasing interest in monetization of their infrastructure, especially via WiFi and Cisco’s CMX solution.
During the week I had many conversations with SPs from across the world. While they came from very different geographies and faced different challenges, a common theme among the meetings was how Cisco can help them find ways to generate new revenue streams and new monetization models.
At MWC we showed various demos of how this can be achieved, giving customers many interesting ideas to help them think about their own businesses and how these models may be successfully applied.
One demo showed how various components of Cisco’s SP Architecture can improve services and provide monetization opportunities to a fictitious hotel resort chain, with wired and wireless small cells, SON & Analytics all working together.