Cisco Blogs

Malware Meets SysAdmin – Automation Tools Gone Bad

This post was authored by Alex Chiu and Xabier Ugarte Pedrero.

Talos recently spotted a targeted phishing attack with several characteristics that are not normally seen. While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user. This targeted attack was more difficult to detect because the adversaries chose to leverage AutoIT, a well-known freeware administration tool for automating system management in corporate environments. This notable characteristic made the attack worthy of further analysis.

Utilizing AutoIT within a payload is unique because it is a legitimate management tool. In this attack, AutoIT was used to install a Remote Access Trojan (RAT) and maintain persistence on the host in a manner similar to normal administration activity. RATs allow adversaries to fully control compromised hosts remotely and conduct malicious operations, such as exfiltrating sensitive information. If the target already uses AutoIT to manage systems, its presence is potentially an extremely effective way of evading detection by traditional anti-virus technologies and remaining hidden on the system. Using a legitimate administration tool to install a back-door onto a target system is unique and is why this attack caught our attention.

Another notable characteristic of this attack is the lengths to which the adversaries went to spoof a phishing message that would appear credible to the user. In this attack, an actual business was impersonated, using the logo and physical address of the business, in order to appear legitimate. The bait in this case is a Microsoft Word document containing a macro that downloads and executes a binary from hxxp://frontlinegulf[.]com/tmp/adobefile.exe.

Figure 1: A screenshot of the Word document, demonstrating how adversaries impersonated a real company to trick the target.

Wi-Fi moves to real-time with VoWi-Fi

The recent release of the Cisco® Universal Wi-Fi solution for service providers is the industry's first end-to-end solution with HD VoWi-Fi (Voice over Wi-Fi) as a key feature. This focus on voice signals a significant turning point in the role of Wi-Fi in Mobile Network Operator (MNO) networks.

Up until now, while Wi-Fi access has gained widespread acceptance among MNOs globally, its focus has been low-revenue, best-effort traffic. Wi-Fi's significantly lower cost-per-bit TCO has made it attractive for carrying the bulk of the insatiable mobile device data demand of recent years. Now, however, we see a shift in this approach: Wi-Fi is no longer viewed only as secondary "best-effort" access, but also as supplementary access for real-time services, i.e. voice.

The culmination of several enhancements in the Wi-Fi end-to-end solution

RATs in Your Data Center

News agencies like ABC News, CNN, and others have run stories on the FBI sting operation against more than 100 hackers who were involved in using and/or distributing the Blackshades RAT (articles in the hyperlinks for reference). For a mere US$40, a novice computer user can become a hacker and gain access to anyone's computer, including control over its video camera. If this novice hacker in the making needs help operating the RAT, many video instructions can be found on YouTube, a form of free technical support. With an estimated 500,000-plus computers infected, that leaves a serious footprint of compromised devices. As Marty Roesch, Cisco VP and Security Architect, would say, "If you knew you were going to be compromised, would you do security differently?"

With over half a million computers compromised by a single remote access toolkit, it is reasonable to expect that a high percentage of those compromised computers would unknowingly be brought back to work and connected to the corporate network. Although inexpensive, the Blackshades RAT has an extensive set of capabilities, such as a keystroke logger, web cam control, and full file access. That is more than enough for a cyber attacker to assume the full identity of the compromised computer's owner, giving them easy access to the business-critical servers inside the data center, as depicted in the diagram.
