
Threat Spotlight: “A String of Paerls”, Part 2, Deep Dive

This post has been coauthored by Joel Esler, Craig Williams, Richard Harman, Jaeson Schultz, and Douglas Goddard.

In part one of our two part blog series on the “String of Paerls” threat, we showed an attack involving a spearphish message containing an attached malicious Word doc. We also described our methodology in grouping similar samples based on Indicators of Compromise: static and dynamic analysis indicators. In this second part of the blog series we will cover the malicious documents and malicious executables. For the technical deep dive see the write up on the VRT blog here.


Threat Spotlight: A String of ‘Paerls’, Part One

This post was co-authored by Jaeson Schultz, Joel Esler, and Richard Harman.

Update 7-8-14: Part 2 can be found here.

This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.

In this specific example the attackers targeted a feature within Microsoft Word: Visual Basic for Applications. While basic, the Office macro attack vector is obviously still working quite effectively. When the victim opens the Word document, an on-open macro fires, which downloads an executable and launches it on the victim’s machine. This threat actor has particularly lavish tastes, and seems to target high-profile, money-rich industries such as banking, oil, television, and jewelry.

Discovering the threat

The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs to files, hashes, and more. We take that intelligence data and apply selection logic to it to identify samples that are worthy of review. Using various methods, from machine learning to dynamic sandbox analysis, we gather details about the samples, producing indicators of compromise (IOCs) and alerts made up of multiple IOCs.

During our analysis we took the last 45 days’ worth of samples and clustered them together based on a matching set of alert criteria. This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior. Using this pattern of similar behavior, we were able to identify families of malware. This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which then began beaconing to a command and control server.

The Malicious Word documents & Associated Phishing campaign

The attacks we uncovered are extremely targeted spear phishes in the form of an invoice, purchase order, or receipt, written specifically for the recipient. For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.


Improving Email at Cisco Part 2 – The Employee Process Side

I’d mentioned earlier (see Improving Email at Cisco Part 1 – The IT Technology Side) that email has its ugly side:

  • Too many
  • Most of them are a waste of time
  • Emails will, occasionally, carry virus payloads (or link you to sites that have worse); and yet
  • I can’t live without it

Email Attackers Tune Pitch for Wide Appeal

In recent weeks, the volume of malicious email carrying attachments has increased substantially. To entice recipients into opening those attachments, attackers are employing pitches across a wide range of subjects. In doing so, they are defeating the commonly given advice not to open attachments in email received unexpectedly.

One of the more striking examples of this is malicious email exploiting bad economic conditions, job loss, and potential loss of home. The combined legal and job categories comprised 33% of malicious email attachments over the past two weeks, with pitches ranging from bogus employment opportunities to court summons for evictions due to overdue payments.


Other legal-oriented email includes warnings of illegal use of software, copyright infringement, and criminal complaints for alleged non-payment of accounts.


Assuming you were in dire financial straits, it’s not difficult to imagine you would react to an eviction notice such as the following:


Big Data in Security – Part V: Anti-Phishing in the Cloud

In the last chapter of our five-part Big Data in Security series, Data Scientists Brennan Evans and Mahdi Namazifar join me to discuss their work on a cloud anti-phishing solution.

Phishing is a well-known historical threat. Essentially, it’s social engineering via email and it continues to be effective and potent. What is TRAC currently doing in this space to protect Cisco customers?

Brennan: One of the ways that we have traditionally confronted this threat is through third-party intelligence in the form of data feeds. The problem is that these social engineering attacks have a high time dependency. If we solely rely on feeds, we risk delivering data to our customers that may be stale, so that solution isn’t terribly attractive. This complicates another issue with common approaches with a lot of the data sources out there: many attempt to enumerate the solution by listing compromised hosts, and in practice each vendor seems to see just a small slice of the problem space, and as I just said, oftentimes it’s too late.

We have invested a lot of time in looking at how to avoid the problem of essentially being an intelligence redistributor and instead look at the problem firsthand using our own rich data sources – both external and internal – and really develop a system that is more flexible, timely, and robust in the types of attacks it can address.

Mahdi: In principle, we have designed and built prototypes around Cisco’s next generation phishing detection solution. To address the requirements for both an effective and efficient phishing detection solution, our design is based on Big Data and machine learning. The Big Data technology allows us to dig into a tremendous amount of data that we have for this problem and extract predictive signals for the phishing problem. Machine learning algorithms, on the other hand, provide the means for using the predictive signals, captured from historical data, to build mathematical models for predicting the probability of a URL or other content being phishing.
