On February 16, 2016, PhishMe’s Intelligence team identified a number of significantly large sets of emails delivering Word documents containing macro scripts used to download a malware payload. This malware delivery technique has been ubiquitous among many threat actors over the past year but has been most prolifically used by threat actors delivering the Dridex financial crimes trojan. The scope of Locky’s delivery in its first full day of deployment is staggering. As our friends at Palo Alto Networks have shown, over 400,000 endpoints around the world were affected by this encryption ransomware in mere hours. As we pointed out...
A few weeks ago, we posted an article about how Dridex is experimenting with different families of malware and techniques. When one threat actor starts shifting TTP’s, it’s usually a big deal. Attackers get comfy in their infrastructure, some survive sinkholes, and they continue spamming or stealing money. One shift takes time, effort, and money on the attackers part. The part that people often forget is that attackers need people to maintain backends, code the malware, code panels, and patch exploits as researchers find them, or else they are going to be exploited by said researchers.
What first appeared last week to be yet another malspam campaign solely spread to infect victims with Andromeda, also downloaded some interesting second stage payloads; including several keyloggers and what was later discovered to be labeled as the Fluxer proxybot. The initial malspam lures contained Italian language informing its victims that he or she has received an invoice as the message attachment. The message attachment is a ZIP archive which contained the Andromeda malware installer. More information about this campaign can be found by ThreatHQ customers in Threat ID 5316.
The APIs have it – Emphasis on ‘I’– Individuals, Integrate, Investigate, and Incident Response Everyday, PhishMe is helping enterprise employees change their behavior against the top threat leading to many of today’s high profile breaches – phishing. Our customers empower their employees to report suspicious email thereby creating a rich source of actionable intelligence for incident responders. Triage provides security operations center (SOC) analysts and incident responders a way to automate the identification, prioritization, and remediation of these phishing threats. This threat intelligence can then be shared with other teams to better protect your enterprise.
From time to time, there will be an overlap with malware infrastructure where one attacker will compromise another attacker’s infrastructure. Typically, this is part of the “compromised infrastructure” which can fluctuate, and attackers have even been seen to uninstall one another’s malware. However, in this case, we strongly believe that the actors are experimenting with Dridex, Pony, and Neutrino.
1/13/2016 Update: The blog has been updated to reflect the translation of the BlackEnergy word document. On January 4th, ESET released an amazing blog post about the BlackEnergy Trojan being used to attack power companies in the Ukraine to knock out the power in some areas. While this is not the first time we’ve seen cyber attacks become kinetic, the BlackEnergy attacks could have been prevented.
Analysis overview: 8 million emails over a 13 month span 75% of organizations are training more than 1,000 employees Representing organizations from US (86%) and Europe (14%) Representing 23 industries Tackling a mountain of unmined data in search of answers can be a daunting task. Starting from scratch, we understood that we would likely face challenges to our pre-conceived notions of what works well and were prepared to accept what the data would tell us, however challenging it might be. Our goals were simply to understand what and how much data was available for analysis. We began with basic questions;...
During malware analysis we often see attackers using features in creative ways to deliver and obfuscate malware. We’ve recently seen an increase with samples leveraging RTF temp files as a delivery method to encapsulate and drop malware.