Japanese Banking Trojan Shifu Distributed via Malicious Word Documents
By Security Labs, posted 2015-10-12 at 20:16:53
Summary: Last week on October 7, Raytheon Websense Security Labs noticed an interesting email campaign distributing what at first appeared to be Dridex botnet 220. In a seven-hour window, Raytheon Websense stopped over 16,000 malicious email messages from being delivered to customers, all of which appear to have been Japanese targets.

Raytheon Websense customers are protected against this threat via real-time analytics with ACE, the Websense Advanced Classification Engine, at the different stages of the attack detailed below:

- Stage 2 (Lure): ACE has protection against the malicious email sent to targets.
- Stage 5 (Dropper): ACE has protection against the malicious .doc files and the malware files.
- Stage 6 (Call Home): ACE has live, real-time protection against the malicious traffic generated by the malware associated with this threat.

Email Infection Vector
----------------------

An example of one of the email lures can be seen below. The email body text is very generic, appearing to be a message received from somebody within the same organization as the intended target.

The attached .doc file (SHA1 fa71d6430165d810a6ac9d9199d88620534b14e8), named 20151007112034511.doc, contained a macro that attempted to download a payload from the following URL:

hxxp leelazarow . com 345gfc334 65g3f4.exe

This URL pattern is typical of what we see in Dridex botnet 220 campaigns; however, in this case the payload turned out to be the Japanese banking trojan Shifu. The macro used to download this payload contains the obfuscated URL. This Visual Basic macro is almost identical to the one used in the Dridex botnet 220 campaign of the following day, October 8.

The email distribution methods of Shifu and Dridex are not similar enough to conclude that the same actor is behind both campaigns; however, it is highly likely that the same macro builder and obfuscation tool is being used in both cases. In fact, we recently blogged on the shared use of frameworks and infrastructure among malware.

The Shifu payload itself is quite comprehensively detected by our file sandboxing product.

Checking for a Man-in-the-Middle
--------------------------------

Interestingly, in our analysis of the Shifu sample 476c8baa551fc5d1d9aad5441c7d1c2c4d502944, it appeared that the malware was trying to determine whether a Man-in-the-Middle (MiTM) interception was operating on the connection, and the malware would not contact its command and control (C&C) if it determined an MiTM was taking place. This check was done by verifying HTTPS connections to several hosts, including microsoft.com, dropbox.com, twitter.com, sendspace.com, etrade.com, facebook.com, instagram.com, github.com, icloud.com and python.org. If any of these attempts resulted in a connection that was subjected to MiTM interception, the malware did not contact its C&C. However, if no MiTM interception was detected (even if previous requests were) and it was able to connect through to one of these hosts, then it proceeded to contact its C&C as normal.

This is not typical malware behavior that we tend to see, because a significantly large percentage of organizations do, in fact, employ MiTM interception for HTTPS in order to detect and stop more threats, meaning that Shifu would refuse to attempt communication with its C&C or domain generation algorithm (DGA) infrastructure in such a scenario.

Blog contributors: Nick Griffin, Ran Mosessco, Andy Settle

Indicators of Compromise (IOCs)
-------------------------------

Attachment hashes (SHA1):

- 27eebb467c0caf35aea15d4a26c865c203426596
- 7768683584cd0a71d02b89896322099405173fa9
- fa71d6430165d810a6ac9d9199d88620534b14e8

Payload URLs:

- hxxp www.profes-decin.kvalitne . cz 345gfc334 65g3f4.exe
- hxxp rockron . com rockron 345gfc334 65g3f4.exe
- hxxp leelazarow . com 345gfc334 65g3f4.exe

Shifu payload hash (SHA1): 476c8baa551fc5d1d9aad5441c7d1c2c4d502944

Shifu command-and-control (C&C) server: hxxps freewebpj . com news userlogin.php
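The MiTM check described above has a network-visible side effect: an infected host opens HTTPS connections to most of those well-known domains in quick succession before deciding whether to call home. As an added example (not code from the Websense post), the following Python flags clients that reach many of those check hosts inside one short window, using constructed proxy log lines; the log layout, thresholds and two-label domain reduction are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Hosts the post says Shifu probes over HTTPS before deciding whether to call home.
CHECK_HOSTS = {
    "microsoft.com", "dropbox.com", "twitter.com", "sendspace.com", "etrade.com",
    "facebook.com", "instagram.com", "github.com", "icloud.com", "python.org",
}
# Assumed proxy log layout (not from the post): "<date> <time> <client-ip> CONNECT <host>:443".
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) CONNECT (\S+):443$")

# Constructed sample: 10.0.0.5 sweeps six check hosts in five seconds,
# 10.0.0.9 visits three of them spread over an hour (ordinary browsing).
SAMPLE_LOG = """\
2015-10-07 10:15:01 10.0.0.5 CONNECT www.microsoft.com:443
2015-10-07 10:15:02 10.0.0.5 CONNECT www.dropbox.com:443
2015-10-07 10:15:02 10.0.0.5 CONNECT twitter.com:443
2015-10-07 10:15:03 10.0.0.5 CONNECT www.sendspace.com:443
2015-10-07 10:15:04 10.0.0.5 CONNECT us.etrade.com:443
2015-10-07 10:15:06 10.0.0.5 CONNECT api.github.com:443
2015-10-07 10:20:00 10.0.0.9 CONNECT github.com:443
2015-10-07 10:41:12 10.0.0.9 CONNECT twitter.com:443
2015-10-07 11:02:30 10.0.0.9 CONNECT www.python.org:443
"""

def parse_connects(text):
    """Yield (timestamp, client_ip, base domain) for each line matching LOG_RE."""
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        # Crude two-label reduction (www.dropbox.com -> dropbox.com); a real
        # deployment should use a public-suffix list instead.
        yield ts, m.group(2), ".".join(m.group(3).lower().split(".")[-2:])

def find_check_sweeps(text, min_hosts=5, window_s=60):
    """Map client_ip -> sorted check hosts for clients reaching >= min_hosts of them in window_s seconds."""
    window = timedelta(seconds=window_s)
    per_client = defaultdict(list)
    for ts, client, base in parse_connects(text):
        if base in CHECK_HOSTS:
            per_client[client].append((ts, base))
    alerts = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[client] = sorted(hosts)
                break
    return alerts
```

Because every destination is a high-reputation domain, the signal is the burst of distinct check hosts from one client, not any single connection; tune min_hosts and window_s against your own baseline before alerting on it.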