This post was co-authored by Jaeson Schultz, Joel Esler, and Richard Harman.
Update 7-8-14: Part 2 can be found here
This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.
In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively. When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes. This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.
Discovering the threat
The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs, files, hashes, etc. We take that intelligence data and apply selection logic to it to identify samples that are worthy of review. Using various methods from machine learning to dynamic sandbox analysis, we gather details about the samples – producing indicator of compromise (IOC), and alerts made up of multiple IOCs.
During our analysis we took the last 45 days’ worth of samples, and clustered them together based on a matching set of alert criteria. This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior. Using this pattern of similar behavior, we were capable of identifying families of malware. This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.
The Malicious Word documents & Associated Phishing campaign
The attacks we uncovered are an extremely targeted spear phish in the form of an invoice, purchase order, or receipt, written specifically for the recipient. For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.
Read More »
Tags: botnet, botnets, Intelligence, malware, phishing, security, security research, spear phishing, targeted attacks, TRAC, VRT
The fundamental security problem that many defenders face is securing their environment in a world of continuous change. IT environments change. Threats change. But today’s threat detection technology doesn’t change. It’s stuck in time, point-in-time to be exact.
Sure, detection technologies have evolved. The latest improvements include: executing files in a sandbox for detection and analysis, the use of virtual emulation layers to obfuscate malware from users and operating systems, reputation-based application whitelisting to baseline acceptable applications from malicious ones, and, more recently, attack chain simulation and analysis detection. But predictably, attackers fundamentally understand the static nature of these security technologies and are innovating around the limitations associated with them to penetrate network and endpoint defenses.
These point-in-time detection technologies will never be 100 percent effective and are unable to identify the unfolding follow-on activities of the attacker which require continuous scrutiny. The disconnect stems from the fact that malware is dynamic and three dimensional. It doesn’t just exist in a two-dimensional point-in-time ‘X-Y’ plot waiting to be detected, where X is time and Y is the detection mechanism. Malware exists as an interconnected ecosystem that is constantly in motion. To be even remotely effective, malware defenses have to be multi-dimensional and just as dynamic, taking into account the relationship dimension as well.
Read More »
Tags: Advanced Malware Protection, Cisco AMP, endpoints, malware, security
News agencies like ABC News, CNN, and others have run stories on the FBI sting operation against more than 100 hackers who were involved in using and/or distributing the Blackshades RAT (articles in the hyperlinks for reference). For a mere US$40, a novice computer user can become a hacker and gain access to anyone’s computer, including gaining control over their video camera. If this novice hacker in the making needs help operating the RAT, many video instructions can be found on YouTube. This would be a form of free technical support. With over an estimated 500,000 computers infected, that leaves behind a serious footprint of compromised devices. As Marty Roesch, Cisco VP, Security Architect would say, “If you knew you were going to be compromised, would you do security differently?”
With over a half a million computers compromised from a single remote access toolkit, it is reasonable to think that a high percentage of those compromised computers would unknowingly be brought back to work and connected to the corporate network. Although inexpensive, the Blackshades RAT has an extensive set of capabilities such as keystroke logger, web cam control, full file access, etc. More than enough for the cyber attacker to assume the full identity of the owner of the compromised computer to allow them easy access to the business critical servers inside the data center as depicted in the diagram.
Read More »
Tags: #CLUS14, Blackshades, cisco live, cybersecurity, data center, malware, RAT
We have been clear that we have a distinct approach to Advanced Malware Protection (AMP), specifically the unique way in which we leverage the compute and storage capabilities of the public cloud. Doing so enables us to do a great number of things to help customers more effectively fight malware, particularly when compared to traditional, point-in-time anti-malware systems of the past 20 years.
Read More »
Tags: #CLUS14, Advanced Malware Protection, advanced persistent threat, AMP, APT, malware, ThreatGRID
The news of high-profile targeted data center attacks has dominated security news recently. But data center attacks are even more prevalent than those headlines suggest. In fact, a survey conducted last summer by Network World suggests that 67 percent of data center administrators experienced downtime due to malware and related attacks in the previous 12 months.
A key challenge is that many of today’s security solutions are simply not designed for the data center, with limitations in both provisioning and performance. The situation will likely get worse before it gets better as data center traffic grows exponentially and data centers migrate from physical, to virtual, to next-generation environments like Software-Defined Networks (SDN) and Application Centric Infrastructures (ACI).
Read More »
Tags: #CLUS14, ACI, Adaptive Virtual Security Appliance, application centric infrastructure, ASAv, Cisco Validated Design, CVD, cybersecurity, malware, SDN, security, software defined networks