Cisco Blogs


Cisco Blog > Threat Research

Threat Spotlight: Upatre – Say No to Drones, Say Yes to Malware

This post was authored by Nick Biasini and Joel Esler

Talos has observed an explosion of malicious downloaders in 2015 which we’ve documented on several occasions on our blog. These downloaders provide a method for attackers to push different types of malware to endpoint systems easily and effectively. Upatre is an example of a malicious downloader Talos has been monitoring since late 2013. However, in the last 24-48 hours, things have shifted dramatically. We’ve monitored at least fifteen different spam campaigns that are active between one and two days.  While the topic associated with the spam message has varied over time, the common attachment provided is a compressed file (.zip or .rar) that contains an executable made to look like a PDF document by changing the icon.

Execution

When Upatre is executed, a PDF document is quickly downloaded and displayed while Upatre is delivered in the background. The document displayed has been either one of two PDFs.  The first PDF, which was used until March 17, contained some information about Viagra:

Figure 1: Sexual Dysfunction, what’s your function?

Figure 1: Sexual Dysfunction, what’s your function?

Read More »

Tags: , , ,

Three Key Considerations When Evaluating Threat Intelligence Solutions

To address today’s evolving threat landscape, there’s been a shift from traditional event-driven security to intelligence-led security. Threat intelligence plays an integral role in this shift.

When you hear the term “Threat Intelligence,” it’s easy to have preconceived notions of what it means. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” I like that Gartner’s definition does not include intent. Why? Intent implies that the “menace” is trying to target you, but we know that too often this isn’t the case. Pretty much any piece of malware out there will damage unintended targets. One example is Stuxnet. It targeted Iranian nuclear enrichment facilities. Unfortunately it escaped the purported air-gapped system and has been seen in at least 10 other countries. In more practical terms threat intelligence must be:

  • Tactical
  • Contextual
  • Automated

Read More »

Tags: , , ,

NAB 2015 Attendees: Is Your Security Model Threat-Centric?

Cyber-Security: it has always been important for video entertainment companies. But times have changed- now it’s mission critical. Top of mind again this last few days, the events of the last 6 months have proven this point. If cyber-protection is not bullet-proof, any video entertainment company is living on borrowed time… and that bill is going to come due with potentially disastrous consequences.

There is a second change going on: security at video entertainment companies used to focus on protecting content in the distribution chain – DRM, CAS and the like. But there are many more ways to lose content – many more places in the “connected” production chain where content can be stolen. For instance, as has happened in the last few months, if an attacker can gain access to Read More »

Tags: , , , , , , , , , , , ,

Threat Spotlight: Dyre/Dyreza: An Analysis to Discover the DGA

This post was authored by Alex Chiu & Angel Villegas.

Overview

Banking and sensitive financial information is a highly coveted target for attackers because of the high value and obvious financial implications.  In the past year, a large amount of attention has been centered on Point of Sale (PoS) malware due to its major role in the compromise of several retailers.  While PoS malware is a major concern, attackers have also realized that targeting individual end users is an effective method of harvesting other types of financial data.  As a result, banking malware has become a prevalent category of malware that poses a major threat to users and organizations of all sizes.  One of the more well known examples of banking malware is Zeus.

Table of Contents

Overview
Technical Analysis
Domain Generation Algorithm
Other Thoughts
Conclusion
Appendix

Banking malware typically operates by redirecting users to malicious phishing sites where victim’s input their banking credentials thinking they are logging into their bank’s website.  Banking malware can also operate more stealthily by hooking into a browser’s functionality, capturing the victim’s credentials as they are typed in, and exfiltrating them.  Once an attacker has a victim’s banking credentials, attackers can then sell it or use it to perform illicit transactions (such as transferring funds to another account on behalf of the victim). Read More »

Tags: , , , , ,

Dridex Attacks Target Corporate Accounting

In February, Cisco Managed Threat Defense (MTD) security investigators detected a rash of Dridex credential-stealing malware delivered via Microsoft Office macros. It’s effective, and the lures appear targeted at those responsible for handling purchase orders and invoices. Here’s a breakdown of the types of emails we’ve observed phishing employees and inserting trojans into user devices.

Subjects captured from Dridex campaign in February 2015

Subjects captured from Dridex campaign in February 2015

Read More »

Tags: , , , , ,