Rising Trends in Malware Threats


This is a security alert for all TruShield clients and the community at large. TruShield has noted several recent trends in malicious activity. These trends include alterations in both the delivery and the composition of malware.

Introduction

Much like changing attire to suit the weather, cyber criminals constantly shift and alter aspects of their operations and tactics to maximize their potential for infection. One example of a recent malicious trend is the increasing use of JavaScript by existing malware threats. Another trend on the rise lately is the use of malware with multiple functions or multiple payloads. These trends have even been combined in some instances, such as a recent variation of Nemucod malware discovered by researchers at Check Point.

Explanation and Analysis

The maximization of infection from these changes comes in a few different aspects. Small changes in file type, in the structure of the malicious code, or in the payload can easily force signature updates, bypass basic security tools, or trick end users who have learned to avoid previous versions. JavaScript is used mainly to further obfuscate the malicious file. Malicious email campaigns may contain files with double extensions such as “.xls.js” or “.docx.js” with the express purpose of tricking users into executing files they believe are an Office file format, dodging macro warning messages, or disguising old loader and payload malware. This has already been seen with high-distribution threats like Locky, as detailed by Proofpoint’s team. A similar trend involving RTF malware was recently brought to light by experts at FireEye. And while older formats like RTF may have specific vulnerabilities associated with them, their popularity with cyber criminals has much to do with obfuscation and the ability to embed objects or executable files within RTF documents.

As for the Nemucod variant, it is still meant to install malware from a C&C server, but it is now composed of obfuscated JavaScript. After C&C communication begins, it writes a ransom note in the Temp directory claiming that files have been encrypted with RSA-1024. However, this note is produced before the encryption process, which can therefore still be prevented. Technical details also indicate that this is not true RSA-1024 encryption and that the scheme contains several flaws that can allow file recovery. The other trend-related behavior that makes this variant unique is that, following this activity, it downloads additional malware, such as Boaxxe adware, which can take advantage of a victim’s search activity (such as searches for ways to break or remove the ransomware) to serve certain advertisements. Cerber ransomware is another example of malware with multiple malicious functions and goals. It not only encrypts data but also turns the infected machine into a bot that can be used for additional spam campaigns and DDoS activity.

Conclusion

The surge of ransomware seen in 2016 is a strong indication that a malicious tactic can quickly catch on among cyber criminals and become standard. As the year continues, it is quite likely we will see the noted trends of obfuscation through formats like JavaScript and malware with multiple malicious functions or payloads become even more established as common security woes. It is extremely important that all users learn from these examples. Threats will never be limited to certain file types, so multiple layers of defenses and controls have to be implemented. Additionally, even during remediation or recovery of a system with one known infection, added care must be taken to search for further malware.

Indicators of Compromise

MD5 Hashes
95fe78f2a5d8b1451baf924e7d60fcc4
92c3ba44eac7ebe947c43ca90cc7f63e
527290686ec5515f248d4d20c3bb29df

Mitigation and Prevention

  • Filter inbound emails based on attachments and subject lines.
  • Consider blocking file types commonly used for obfuscation.
  • Use application control software with a base deny policy.
  • Do not open suspicious files; compare them against known IOCs.
  • Use updated antimalware and antivirus products.
  • Keep systems patched with the latest updates.
  • Isolate infected systems from the network and storage devices.
  • Keep regular backups, both on-site and off-site.
  • Monitor systems for registry or file changes.
  • Continuously monitor network traffic for C&C communication.
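As an added illustration of the first four points above applied to the double-extension lures described earlier (example code written for this alert, not a TruShield product or tool), the following gateway-style triage flags attachments whose name ends in a script extension or mimics an Office document with a second extension, and compares each file's MD5 against the indicators published above. The script-extension and document-extension policy lists are assumptions; the alert itself only names “.js”, “.xls.js” and “.docx.js”.

```python
import hashlib

# Script extensions that Windows hands to the script host (assumed policy list;
# the alert itself names only .js).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
# Document extensions that a deceptive double extension such as ".xls.js" imitates
# (assumed policy list).
DOC_EXTS = {"xls", "xlsx", "doc", "docx", "ppt", "pptx", "pdf", "rtf"}
# MD5 indicators published in the alert above.
IOC_MD5 = {
    "95fe78f2a5d8b1451baf924e7d60fcc4",
    "92c3ba44eac7ebe947c43ca90cc7f63e",
    "527290686ec5515f248d4d20c3bb29df",
}

SCRIPT_EXTENSION = "script-extension"
DOUBLE_EXTENSION = "double-extension"
IOC_HASH = "ioc-hash"


def triage_attachment(filename, content, ioc_md5=IOC_MD5):
    """Return the list of policy violations for one attachment (empty list = allow)."""
    reasons = []
    # Windows matches extensions case-insensitively, so INVOICE.DOCX.JS == invoice.docx.js.
    parts = filename.lower().strip().rsplit(".", 2)
    outer = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if outer in SCRIPT_EXTS:
        reasons.append(SCRIPT_EXTENSION)
    # ".docx.js" style: a document extension sitting directly before a non-document one.
    if inner in DOC_EXTS and outer and outer not in DOC_EXTS:
        reasons.append(DOUBLE_EXTENSION)
    if hashlib.md5(content).hexdigest() in ioc_md5:
        reasons.append(IOC_HASH)
    return reasons


def triage_message(attachments, ioc_md5=IOC_MD5):
    """Map each flagged attachment name to its reasons; an empty dict means deliver."""
    flagged = {}
    for name, data in attachments:
        reasons = triage_attachment(name, data, ioc_md5)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed sample message: one script lure and one benign spreadsheet.
    sample = [("Invoice_4471.docx.js", b"var a = 'constructed sample';"),
              ("Q2-figures.xlsx", b"PK\x03\x04constructed")]
    print(triage_message(sample))
```

Hash matching only catches the three samples listed above; the extension rules are what stop the next repacked variant, which is why the alert recommends blocking the file types rather than chasing signatures.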

References

http://blog.checkpoint.com/2016/05/26/spam-riding-dropper-packs-a-one-two-ransomware-adware-punch/

https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Actors-Turning-to-XORed-JavaScript-to-Bypass-Traditional-Defenses

http://www.welivesecurity.com/2016/05/26/malware-hits-europe-ransomware-locky/

https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html

https://usblog.kaspersky.com/cerber-multipurpose-malware/7201/


Copyright © 2016