Wednesday, February 25, 2015

Be aware of Malware and Spear Phishing


What Is Spear Phishing?

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. It may be defined as “highly targeted phishing aimed at specific individuals or groups within an organization”; the term was coined as a direct analogue to spearfishing. Spear phishing uses information about a target to make attacks more specific and “personal” to the target. Spear-phishing emails, for instance, may refer to their targets by their specific name, rank, or position instead of using the generic titles seen in broader phishing campaigns.

Spear phishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks. In many cases, spear-phishing emails use attachments made to appear as legitimate documents because sharing via email is a common practice among large enterprises and government organizations.


Malware 


Malware is malicious software that is installed on your PC usually without your knowledge and it can enter your PC as a result of surfing the Internet and in a variety of different ways. Once it sneaks into your PC, malware is capable of spying on your surfing habits, logging your passwords by observing your keystrokes, stealing your identity, reading your email, hijacking your browser to web pages that "phish" for your personal information, and a variety of other invasive tactics.

Malware Execution Stages

1. Entry → from an infected website
2. Distribution → the browser is redirected to a malicious website
3. Exploit → an exploit kit probes the user's system for a number of vulnerabilities
4. Infection → the user's system is infected with malware executables
5. Execution → the malware connects to its home server and takes unauthorized control of the infected computer and network






In the sample we examine, a malware detected as W32/Byanga.A!tr turns out to be a dropper for a bot which, if active in an organization’s systems, has the capability to perform malicious activities that can be very damaging to the targeted organization.

ENTRY
The dropper uses a Chinese file name, which translates to “Upcoming Events Schedule”. It also uses a Microsoft Word icon in an effort to fool the user into thinking that it is just a Word document.



Word document icon (image: http://blog.fortinet.com/uploads/images/DownloadersDecoys-1.png).
Execution

After double-clicking this file, an actual Word document or Rich Text Format (RTF) document opens. If the user thinks that the file is just a document, this might not seem strange, and the user might even dismiss the file as harmless.

Opened Word document.

Opened RTF document (image: http://blog.fortinet.com/uploads/images/DownloadersDecoys-2.png).


Another executable file (.exe) is dropped into the user’s Temporary folder and is then executed. This dropped file, also detected as W32/Byanga.A!tr, is the main bot file.
The malware used the RTF file only as a decoy; it has actually downloaded the CTB-Locker Trojan (malware that downloads and runs other malware) into the user's system and executed it.
CTB-Locker (image: http://blog.fortinet.com/uploads/images/DownloadersDecoys-5.png).
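The decoy pattern described above (an executable carrying a document name and icon) can be caught before the double-click by checking what the attachment actually contains rather than what its name claims. The following triage check is an added example, not code from the original post or from Fortinet; the sample attachments are constructed header-byte stubs, and the file-name rules go slightly beyond the post by also catching document-style double extensions.

```python
"""Triage check for the 'document that is really an executable' pattern.

Added example, not code from the original post or from Fortinet. The sample
attachments below are constructed stand-ins (a few header bytes), not real malware.
"""
import os

# (magic bytes, label) for the file types this check cares about
MAGIC = [
    (b"MZ", "pe"),                                  # Windows executable (EXE/SCR/DLL)
    (b"{\\rtf", "rtf"),                             # Rich Text Format
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc (OLE2 compound file)
    (b"PK\x03\x04", "zip"),                         # .docx (OOXML is a ZIP container)
]
DOC_EXTS = {".doc", ".docx", ".rtf"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}


def sniff_type(data: bytes) -> str:
    """Identify content by leading magic bytes, ignoring the file name entirely."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def decoy_verdict(filename: str, data: bytes) -> str:
    """Return 'clean' or a short reason why the attachment looks like a decoy dropper."""
    actual = sniff_type(data)
    base, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(base)[1]          # catches 'schedule.doc.exe'
    if actual == "pe" and ext in DOC_EXTS:
        return "executable content behind a document extension"
    if actual == "pe" and inner_ext in DOC_EXTS:
        return "executable with a document-style double extension"
    if actual == "pe":
        # The icon a PE shows in Explorer lives in its resources and is not
        # inspected here; policy-wise, an executable attachment is enough to flag.
        return "executable attachment"
    if ext in EXE_EXTS:
        return "executable extension on non-executable content"
    return "clean"


# Constructed samples: header bytes only, padded so they are not empty
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
RTF_STUB = b"{\\rtf1\\ansi Upcoming Events Schedule}"
```

Run `decoy_verdict` over attachments at the mail gateway or in a sandbox intake script; the name-based rules are cheap, and the magic-byte check is what actually defeats the Word icon trick.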

The Bot

The malware functions as a typical downloader Trojan: the bot proceeds to communicate with its C&C server.

C & C Communication

It communicates with its Command and Control server via HTTP POST requests over port 80, and its network traffic is encrypted and decrypted on each end.
Once connected to the C&C server, the bot starts sending information.
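A POST on port 80 whose body is encrypted stands out from ordinary web traffic, because plain HTTP form posts and text are low-entropy. The detector below is an added example, not from the original post; it scores request bodies by Shannon entropy and flags high-entropy bodies that were declared as plaintext content types. The captures are constructed, with a deterministic maximal-entropy byte string standing in for an encrypted beacon.

```python
"""Flag HTTP POSTs on port 80 whose body looks encrypted rather than plaintext.

Added example, not from the original post; the captures below are constructed
(the 'encrypted' body is a deterministic stand-in with maximal byte entropy).
"""
import math
from collections import Counter

BINARY_TYPES = ("application/octet-stream", "application/zip", "image/", "video/")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~4-5 for ASCII text, ~8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_post(method: str, port: int, content_type: str, body: bytes,
                       threshold: float = 7.0, min_len: int = 64) -> bool:
    """True for a plaintext-declared POST over port 80 carrying a high-entropy body."""
    if method != "POST" or port != 80 or len(body) < min_len:
        return False                      # too small to judge, or not the pattern
    if content_type.startswith(BINARY_TYPES):
        return False                      # high entropy is expected for binary uploads
    return shannon_entropy(body) >= threshold


def triage(captures):
    """Return the ids of captures that match the encrypted-POST-over-80 pattern."""
    return [c["id"] for c in captures
            if is_suspicious_post(c["method"], c["port"], c["content_type"], c["body"])]


# Constructed captures: one ordinary form login, one beacon-like encrypted POST,
# one legitimate binary upload, and one body too short to judge.
CAPTURES = [
    {"id": "login", "method": "POST", "port": 80,
     "content_type": "application/x-www-form-urlencoded",
     "body": b"user=alice&action=login&session=abc123&remember=1&" * 3},
    {"id": "beacon", "method": "POST", "port": 80,
     "content_type": "text/plain", "body": bytes(range(256))},
    {"id": "upload", "method": "POST", "port": 80,
     "content_type": "application/octet-stream", "body": bytes(range(256))},
    {"id": "tiny", "method": "POST", "port": 80,
     "content_type": "text/plain", "body": b"\x00\xff" * 8},
]
```

Tune `threshold` and `min_len` against your own proxy data; compressed uploads declared as text will also score high, so treat a hit as a lead for the analyst, not a verdict.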


Conclusion

In this article we analyzed malware that uses a decoy document to trick a user and to hide its malicious intent. However, deeper analysis reveals the true nature of the malware: this bot is capable of stealing potentially sensitive information from its victim. If left undetected, it can give the attacker the power to cause considerable damage to the organization that it is targeting.
This kind of attack happens all the time. But you don’t have to be a victim.
Although malware is really sneaky, you can help to avoid getting malware by being cautious with your Internet surfing habits and by keeping your antivirus program updated. It is also a good idea to activate the firewall protection. Also, make sure your antivirus program includes malware and spyware protection.
When you surf the Internet avoid clicking on pop-up advertisements regardless of how tempting they may seem. Pay attention to the "Site Advisor" in your antivirus program that will tell you if there are any problems with the website you are visiting.
Make it a general practice to only click on links for websites that you trust, do not volunteer any of your information on unknown websites, and avoid downloading free software from sites you are unfamiliar with.
Spear phishing remains the most favored vector for instigating targeted attacks. Why? Because users continue to fall prey to spear-phishing emails, causing substantial damage to their respective organizations. Spear-phishing email attachments are difficult to spot from normal document attachments passed on from user to user each day in a corporate environment, increasing the likelihood of successful computer infection.
Targeted attacks are becoming increasingly common.  Organizations should therefore assume that they will be targeted and make sure that they have a security strategy in place.

Sanoop S
Network & Information Systems Security Architect

SCCM 2012 | MCP | MCTS | MCSA| MCITP | CNA-Netasq | CCNA | ITIL