Post authored by Martin Rehak, Veronica Valeros, Martin Grill and Ivan Nikolaev.
In order to complement the comprehensive information about the Angler exploit kit from our Talos colleagues [Talos Intel: Angler Exposed], let’s have a very brief look at what an Angler and CryptoWall infection looks like from the network perspective. We will present one of the recent Angler incidents discovered by Cognitive Threat Analytics (CTA).
Cognitive Threat Analytics works after the attack. It sifts through the logs produced by the client’s web proxy for any malware that may have slipped through the perimeter defences, such as this specific case here. CTA was able to observe the attack in its entirety (including the phases where the perimeter defence successfully blocked several stages in the attacker’s plan) and notify the security team immediately for follow-up and investigation.
So, how does an incident start for the analyst?
We can see that the incident has been categorised as an Exploit Kit infection. The system asserts 95% confidence in this incident being a true positive, and classifies it on the level 8 (out of 10) on the risk scale.
Read More »
Tags: Advanced Malware Protection, angler, Cognitive Threat Analytics, Cryptowall, exploit kit, ransomware
This post was authored by Nick Biasini with contributions from Craig Williams & Alex Chiu
Update 8/1: To see a video of this threat in action click here
Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a spam campaign that was taking advantage of a different type of current event.
Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign.
Read More »
Tags: CTB-Locker, phishing, ransomware, scam, Talos, upgrade, Windows 10
This post was authored by: Andrea Allievi, Earl Carter & Emmanuel Tacheau
Update 4/28: Windows files recompiled with backward compatibility in Visual Studio 2008
Update 5/8: We’ve made the source code available via Github here
After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.
Click for Larger Image
Read More »
Tags: ransomware, Talos, TeslaCrypt, Threat Research, threat spotlight
This post was authored by Andrea Allievi & Earl Carter
Ransomware continues to impact a large number of organizations and the malware continues to evolve. In January, we examined Cryptowall 2.0 and highlighted new features incorporated into the dropper and Cryptowall binary. When Cryptowall 3.0 appeared, we were interested in seeing what new functionality was incorporated into this latest variant in the Cryptowall series.
The latest 3.0 sample that we analyzed was in a zip file. This zip file contains multiple dropper files which are essentially identical in functionality except for the encryption algorithm used to obfuscate the dropper and eventually build the Cryptowall 3.0 binary.
Read More »
Tags: Cryptowall, ransomware, reverse engineering, Talos, Threat Research
We have detected evidence of a malware distribution campaign using messages masquerading as UPS delivery notification emails. These campaigns attempt to deceive the targets into thinking they are receiving mail from a trusted sender in order to dupe the recipient into installing malware, possibly for financial gain. Once the initial attack vector is installed, further malware may be distributed.
This appears to be part of the same campaign seen by MalwareMustDie (http://pastebin.com/n244xN32) and uses the email subject “UPS Delivery Notification Tracking Number”. We have seen a limited number of customers receiving this spam starting yesterday (Tue Nov 5), suggesting that this is a fairly low volume campaign (at the moment). The message contains an attachment with a filename such as “invoiceU6GCMXGLL2O0N7QYDZ” and extension .txt or .doc which is a disguised rtf file.
Section of the mail attachment containing rtf objocx tag
According to our analysis the malware attempts to download additional files by exploiting CVE-2012-0158 affecting old versions of Microsoft Office, which is detected by Cisco IPS signature 1131 and is available as a Metasploit module. In this case the malware being distributed seems to be a form of ransomware. Ransomware typically encrypts files on an infected machine and requires the user to pay for the release of their data. This particular piece of ransomware appears to be distinct from the samples we have been seeing as part of the Cryptolocker campaign, but comes in the wake of increased interest and discussion of this kind of attack.
Attached malware making a request to the control server at 220.127.116.11
As ever, users should remain vigilant when opening email links and attachments, and be wary of a message purporting to be an automated order confirmation from a company such as FedEx and UPS, as this is a common tactic which has also been identified as a possible method for distributing Cryptolocker.
Additional analysis of this attack can be found here: http://bartblaze.blogspot.com/2013/11/latest-ups-spam-runs-include-exploits.html
Malicious rtf: 7c2fd4abfe8640f8db0d18dbecaf8bb4
Downloaded exe: e5e1ee559dcad00b6f3da78c68249120
Thanks to Cisco researchers Craig Williams and Martin Lee for assistance with this post.
Tags: malware, ransomware, TRAC