This post was authored by Ben Baker and Alex Chiu.
Threat actors and security researchers are constantly looking for ways to better detect and evade each other. As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples. Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis.
Table of Contents
The 10,000 Foot View at Rombertik
A Nasty Trap Door
The Actual Malware
Coverage and Indicators of Compromise
It becomes critical for researchers to reverse engineer evasive samples to find out how attackers are attempting to evade analysis tools. It is also important for researchers to communicate how the threat landscape is evolving to ensure that these same tools remain effective. A recent example of these behaviors is a malware sample Talos has identified as Rombertik. In the process of reverse engineering Rombertik, Talos discovered multiple layers of obfuscation and anti-analysis functionality. This functionality was designed to evade both static and dynamic analysis tools, make debugging difficult. If the sample detected it was being analyzed or debugged it would ultimately destroy the master boot record (MBR).
Talos’ goal is to protect our customer’s networks. Reverse engineering Romberik helps Talos achieve that goal by better understanding how attackers are evolving to evade detection and make analysis difficult. Identifying these techniques gives Talos new insight and knowledge that can be communicated to Cisco’s product teams. This knowledge can then be used to harden our security products to ensure these anti-analysis techniques are ineffective and allow detection technologies to accurately identify malware to protect customers. Read More »
Tags: malware, reverse engineering, Rombertik, Talos, Threat Research, threat spotlight
This post was authored by Nick Biasini and Joel Esler
Talos has observed an explosion of malicious downloaders in 2015 which we’ve documented on several occasions on our blog. These downloaders provide a method for attackers to push different types of malware to endpoint systems easily and effectively. Upatre is an example of a malicious downloader Talos has been monitoring since late 2013. However, in the last 24-48 hours, things have shifted dramatically. We’ve monitored at least fifteen different spam campaigns that are active between one and two days. While the topic associated with the spam message has varied over time, the common attachment provided is a compressed file (.zip or .rar) that contains an executable made to look like a PDF document by changing the icon.
When Upatre is executed, a PDF document is quickly downloaded and displayed while Upatre is delivered in the background. The document displayed has been either one of two PDFs. The first PDF, which was used until March 17, contained some information about Viagra:
Figure 1: Sexual Dysfunction, what’s your function?
Read More »
Tags: malware, Talos, threat spotlight, upatre
To address today’s evolving threat landscape, there’s been a shift from traditional event-driven security to intelligence-led security. Threat intelligence plays an integral role in this shift.
When you hear the term “Threat Intelligence,” it’s easy to have preconceived notions of what it means. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” I like that Gartner’s definition does not include intent. Why? Intent implies that the “menace” is trying to target you, but we know that too often this isn’t the case. Pretty much any piece of malware out there will damage unintended targets. One example is Stuxnet. It targeted Iranian nuclear enrichment facilities. Unfortunately it escaped the purported air-gapped system and has been seen in at least 10 other countries. In more practical terms threat intelligence must be:
Read More »
Tags: forensic investigation, incident response, malware, threat intelligence
Cyber-Security: it has always been important for video entertainment companies. But times have changed- now it’s mission critical. Top of mind again this last few days, the events of the last 6 months have proven this point. If cyber-protection is not bullet-proof, any video entertainment company is living on borrowed time… and that bill is going to come due with potentially disastrous consequences.
There is a second change going on: security at video entertainment companies used to focus on protecting content in the distribution chain – DRM, CAS and the like. But there are many more ways to lose content – many more places in the “connected” production chain where content can be stolen. For instance, as has happened in the last few months, if an attacker can gain access to Read More »
Tags: #NABshow, attacker, Cisco, cyber security, cyber-protection, malware, national association broadcasters, security, security breach, Service Provider, threat-centric security solutions, video business, videoscape
This post was authored by Alex Chiu & Angel Villegas.
Banking and sensitive financial information is a highly coveted target for attackers because of the high value and obvious financial implications. In the past year, a large amount of attention has been centered on Point of Sale (PoS) malware due to its major role in the compromise of several retailers. While PoS malware is a major concern, attackers have also realized that targeting individual end users is an effective method of harvesting other types of financial data. As a result, banking malware has become a prevalent category of malware that poses a major threat to users and organizations of all sizes. One of the more well known examples of banking malware is Zeus.
Table of Contents
Domain Generation Algorithm
Banking malware typically operates by redirecting users to malicious phishing sites where victim’s input their banking credentials thinking they are logging into their bank’s website. Banking malware can also operate more stealthily by hooking into a browser’s functionality, capturing the victim’s credentials as they are typed in, and exfiltrating them. Once an attacker has a victim’s banking credentials, attackers can then sell it or use it to perform illicit transactions (such as transferring funds to another account on behalf of the victim). Read More »
Tags: banking trojan, dga, dyre, malware, Talos, Threat Research