Cisco Blogs

Malicious PNGs: What You See Is Not All You Get!

This post was authored by Earl Carter and Nick Randolph.

Threat actors are continually evolving their techniques. One of the latest Graftor variants delivers a malware DLL through a PNG file. Graftor is a generic name indicating some type of trojan hidden inside a piece of software. Hiding executables and DLLs in PNG files is yet another attempt to avoid detection and deliver malicious content to user systems. In this instance, the malicious content is appended after the end of the real PNG file data.


Far East Targeted by Drive by Download Attack

This blog was co-authored by Kevin Brooks, Alex Chiu, Joel Esler, Martin Lee, Emmanuel Tacheau, Andrew Tsonchev, and Craig Williams.

On the 21st of July, 2014, Cisco TRAC became aware that the website dwnews.com was serving malicious Adobe Flash content. The site is a US-based, Chinese-language news website covering events in East Asia. It is extremely popular, rated by Alexa’s global traffic ranking as the 1759th most visited website worldwide and the 28th most visited in South Korea. In addition, the site receives a substantial number of visitors from Japan, the United States and China.

This malware campaign does not appear to be tightly targeted. Twenty-seven companies across eight verticals have been affected:

Banking & Finance
Energy, Oil, and Gas
Engineering & Construction
Insurance
Legal
Manufacturing
Pharmaceutical & Chemical
Retail & Wholesale

This is indicative of the campaign acting as a drive-by attack targeting anyone attempting to view one of the affected sites.

Attack Progression


The Art of Escape

Craig Williams and Jaeson Schultz have contributed to this post.

We blogged in September of 2013 about variants of Havex. A month ago, on June 2, 2014, I had the chance to give a presentation at AREA41. In my presentation, “The Art of Escape,” I talked about targeted attacks involving watering holes.

If we look at the timeline of the attacks, we see two factors that clearly shaped their impact:

  • CVE release time
  • Timeframe of new PluginDetect

This explains why we saw an increase in watering hole attacks, peaking in August.

[Figure: Havex attack timeline]


Cisco Hosting Amsterdam 2013 FIRST Technical Colloquium

There is still time to register for the upcoming FIRST Technical Colloquium, April 2-3, 2013. The event has a very exciting program covering bitsquatting, web threats, RPZ, passive DNS, real-world monitoring examples, Spamhaus, SIE, Cuckoo Sandbox, malware analysis and many more current issues facing the incident response community.

The event’s line-up includes notables from Cisco Security Intelligence Operations (SIO), Internet Systems Consortium, Shadowserver Foundation, KPN-CERT, NATO, MyCERT and ING, amongst others. Program details can be found here.