Recent Malware Strategies

Like so many others I'm seeing an influx of booby-trapped Microsoft Word documents being sent in as email attachments with the end goal of infecting our endpoints with the Feodo/Cridex/Bugat trojan. 

I'm relatively new to the whole malware analysis game, but what stands out to me more than the payload is the evidence of a strategy being played out. If you step back and look at the big picture, it's clear that this is the work of an adversary that knows what they want, knows how they might achieve it and, most importantly, understands their target and its defenses. If our enemies are our greatest teachers, then we as security professionals tasked with detecting and responding to threats can learn a lot from them. Not only can we use what we learn to shore up and improve our defenses, but we can also use it to highlight, quantify and demystify our enemies to those we are charged with protecting. That last bit is perhaps the most important, because it is them, the stakeholders and the business, who typically dictate the availability and scale of our resources.

It all starts with an email 

Malicious .doc including details on enabling macros

If you're not familiar with the threat, here is a high-level narrative played out over a simplistic infrastructure diagram:

  1. The threat actor sends multiple emails into your organisation with a malicious .doc attachment
    • These emails come from different domains
    • They have different subjects
    • They have different attachment names
  2. Someone in your organisation opens one of these attachments, which runs a macro
  3. The macro calls out to a payload URI (something like http://evil.tld/evil.exe) and downloads the payload
  4. Once executed, the payload 'phones home' to a check-in server (typically http://IP:8080) and goes about its wicked business

When you break it down like this it almost seems too simple to be a real threat, given the layers of security that you've purchased and have in place, right? However, if you align the narrative with your defenses you'll see just how many of them this campaign is capable of defeating:

Narrative Vs. Countermeasures

In this particular instance, user awareness is key. It really may be your only defense. If your users are aware then there is no exploitation and consequently no calls out or compromise.

Of course, in the real world, someone will open that email.

When they do, your firewall and DNS logs (in the absence of a mature NSM framework) are your best port of call to determine which users have inadvertently opened the attachment. A lot of the check-in servers I've observed as these attacks have matured have been resolved via unusual (for a predominantly UK business) domains and TLDs. Look for anything not .COM or .CO.UK in your DNS records for a start. If you find any .RO, .AR, .PL, .BR or any other domains with TLDs you don't instantly recognise, they're probably worth checking. When reviewing your firewall logs, check for any connections to an IP listed in the Feodo tracker and/or with a destination port of 8080.
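As an added illustration of that triage (this is example code, not part of the original post), the script below runs the two checks just described over constructed sample DNS and firewall log lines and then intersects the results to find hosts that trip both. The log formats, the addresses and the stand-in blocklist are all assumptions; a real run would load the current Feodo Tracker export and your own log format.

```python
# Constructed sample data standing in for an export of the Feodo Tracker list
# (abuse.ch); documentation-range placeholder addresses, not real indicators.
FEODO_BLOCKLIST = {"198.51.100.23", "203.0.113.77"}
# TLDs the post treats as normal traffic for a predominantly UK business.
EXPECTED_TLDS = {"com", "co.uk"}
# Constructed DNS log lines: "<time> <client> <queried name>"
DNS_LOG = """\
09:14:02 10.0.1.15 mail.example.com
09:14:09 10.0.1.15 update-check.example.ro
09:15:30 10.0.2.40 intranet.example.co.uk
09:16:11 10.0.2.40 cdn.example.pl
"""
# Constructed firewall log lines: "<time> <src> <dst> <dport> <action>"
FW_LOG = """\
09:14:10 10.0.1.15 198.51.100.23 8080 ALLOW
09:14:12 10.0.1.15 192.0.2.50 443 ALLOW
09:17:00 10.0.3.7 192.0.2.9 8080 ALLOW
"""
def tld_of(name):
    """Effective TLD of a queried name, treating co.uk as one suffix."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] == "co":  # crude second-level handling
        return ".".join(labels[-2:])
    return labels[-1]

def suspicious_dns(log):
    """(client, name, tld) for lookups whose TLD is outside EXPECTED_TLDS."""
    hits = []
    for line in log.splitlines():
        _, client, name = line.split()
        tld = tld_of(name)
        if tld not in EXPECTED_TLDS:
            hits.append((client, name, tld))
    return hits

def suspicious_fw(log, blocklist=FEODO_BLOCKLIST):
    """(src, dst, reason) for connections to port 8080 or a blocklisted IP."""
    hits = []
    for line in log.splitlines():
        _, src, dst, dport, _ = line.split()
        reasons = [r for r, hit in (("feodo-tracker", dst in blocklist),
                                    ("dport-8080", dport == "8080")) if hit]
        if reasons:
            hits.append((src, dst, ",".join(reasons)))
    return hits

def likely_infected(dns_hits, fw_hits):
    """Hosts seen in both feeds: the first candidates for triage."""
    return sorted({c for c, _, _ in dns_hits} & {s for s, _, _ in fw_hits})
```

A host that only appears in one list is still worth a look; the intersection just orders the queue.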

This is by no means an exhaustive guide to managing this particular issue (nor is it meant to be), but hopefully it has provided some insight into one particular strategy being employed in targeting businesses and individuals. This is just one example of one particular threat, and one which hasn't stopped evolving.
