What Is Spear Phishing?
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. It may be defined as "highly targeted phishing aimed at specific individuals or groups within an organization." The term was coined as a direct analogue to spearfishing. Spear phishing makes use of information about a target to make the attack more specific and "personal" to that target. Spear-phishing emails, for instance, may refer to their targets by name, rank, or position instead of using the generic titles seen in broader phishing campaigns.
Spear phishing significantly raises the chance that a target will read a message that allows attackers to compromise the network. In many cases, spear-phishing emails carry attachments made to look like legitimate documents, because sharing documents by email is common practice in large enterprises and government organizations.
Malware
Malware is malicious software that is installed on your PC, usually without your knowledge; it can enter your PC while you surf the Internet and in a variety of other ways. Once it sneaks onto your PC, malware is capable of spying on your surfing habits, logging your passwords by observing your keystrokes, stealing your identity, reading your email, hijacking your browser to web pages that "phish" for your personal information, and a variety of other invasive tactics.
Malware Execution Stages
1. Entry: the user visits an infected website.
2. Distribution: the browser is redirected to a malicious website.
3. Exploit: an exploit kit probes the user's system for a number of vulnerabilities.
4. Infection: the user's system is infected with malware executables.
5. Execution: the malware connects to its home server and takes unauthorized control of the infected computer and network.
In this sample we examine malware detected as W32/Byanga.A!tr, which turns out to be a dropper for a bot that, if active on an organization's systems, has the capability to perform malicious activities that can be very damaging to the targeted organization.
Entry
The dropper uses a Chinese file name, which translates to "Upcoming Events Schedule". It also uses a Microsoft Word icon in an effort to fool the user into thinking that it is just a Word document.
Word document icon.
Execution
After the user double-clicks this file, an actual Word document or Rich Text Format (RTF) document opens. If the user believes the file is just a document, this does not look strange, and the user may dismiss the file as harmless.
Opened Word document.
Opened RTF document.
Meanwhile, another executable file (.exe) is dropped into the user's Temporary folder and then executed. This dropped file, also detected as W32/Byanga.A!tr, is the main bot file.
The malware uses the RTF file only as a decoy; what it has actually done is download the CTB-Locker Trojan (malware that downloads and runs other malware) onto the user's system and execute it.
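A defender-side check for the two tricks described above, added here as an example that is not part of the original article or the analysed malware: it compares the file type a name claims with the real header bytes, and flags any executable written under the user's Temporary folder. The paths, the fake PE header and the RTF decoy bytes are constructed samples; ntpath is used so the Windows paths parse on any platform.

```python
import ntpath

# Header magic bytes for the container types involved in the decoy scheme.
SIGNATURES = {
    "pe": b"MZ",                                 # Windows executable
    "rtf": b"{\\rtf",                            # Rich Text Format decoy
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc (OLE2 container)
    "ooxml": b"PK\x03\x04",                      # .docx (ZIP container)
}
CLAIMED = {".doc": "ole", ".docx": "ooxml", ".rtf": "rtf",  # type an extension claims
           ".exe": "pe", ".scr": "pe", ".com": "pe"}
DOCUMENT_TYPES = {"rtf", "ole", "ooxml"}

def identify(data: bytes) -> str:
    """Return the container type implied by the file header, or 'unknown'."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def assess(path: str, data: bytes, temp_dir: str) -> dict:
    """Compare the type a file claims (by extension) with its real header.
    Verdicts: 'masquerading' (PE bytes behind a document extension),
    'dropped_exe' (executable under Temp), 'ok' (agree), 'mismatch' (else).
    temp_dir is a parameter so this runs offline; live use: os.environ["TEMP"]."""
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1].lower()
    actual, claimed = identify(data), CLAIMED.get(ext, "unknown")
    in_temp = ntpath.normcase(ntpath.normpath(path)).startswith(
        ntpath.normcase(ntpath.normpath(temp_dir)) + "\\")
    if actual == "pe" and claimed in DOCUMENT_TYPES:
        verdict = "masquerading"
    elif actual == "pe" and in_temp:
        verdict = "dropped_exe"
    else:
        verdict = "ok" if actual == claimed else "mismatch"
    return {"file": name, "claimed": claimed, "actual": actual, "verdict": verdict}

TEMP = r"C:\Users\user\AppData\Local\Temp"      # constructed paths, not a real host
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60            # fake PE header, not a binary
SAMPLES = [
    (r"C:\Users\user\Downloads\Upcoming Events Schedule.exe", PE_STUB),  # dropper
    (TEMP + r"\schedule.rtf", b"{\\rtf1\\ansi decoy text}"),            # decoy
    (TEMP + r"\update.exe", PE_STUB),                                    # bot file
    (r"C:\Users\user\Downloads\report.doc", PE_STUB),                    # PE as .doc
]

def scan(samples=SAMPLES, temp_dir=TEMP) -> list:
    """Assess every (path, bytes) pair and return the verdict records."""
    return [assess(path, data, temp_dir) for path, data in samples]
```

The first sample, the dropper itself, comes back "ok": its extension is honest and only its icon lies, which a header check cannot see. That is why the Temp-folder rule for the second-stage executable is included as well.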
CTB-Locker.
The Bot
The malware functions as a typical downloader Trojan: the bot proceeds to communicate with its C&C server.
C&C Communication
It communicates with its Command and Control server via POST requests over port 80, and its network traffic is encrypted.
Once connected to the C&C server, the bot starts sending information.
Conclusion
In this article we analyzed malware that uses a decoy document to trick the user and hide its malicious intent. Deeper analysis reveals its true nature: this bot is capable of stealing potentially sensitive information from its victim. If left undetected, it can give the attacker the power to cause considerable damage to the organization it is targeting.
This kind of attack happens all the time, but you don't have to be a victim.
Although malware is sneaky, you can lower your risk of infection by being cautious in your Internet surfing habits and by keeping your antivirus program updated. It is also a good idea to enable firewall protection, and to make sure your antivirus program includes malware and spyware protection.
When you surf the Internet, avoid clicking on pop-up advertisements regardless of how tempting they may seem. Pay attention to the "Site Advisor" feature in your antivirus program, which will tell you whether there are known problems with the website you are visiting.
Make it a general practice to click only on links to websites you trust, do not volunteer any of your information on unknown websites, and avoid downloading free software from sites you are unfamiliar with.
Spear phishing remains the most favored vector for instigating targeted attacks. Why? Because users continue to fall prey to spear-phishing emails, causing substantial damage to their organizations. Spear-phishing attachments are difficult to distinguish from the normal document attachments passed from user to user every day in a corporate environment, which increases the likelihood of a successful infection.
Targeted attacks are becoming increasingly common. Organizations should therefore assume that they will be targeted and make sure they have a security strategy in place.
Sanoop S
Network & Information Systems Security Architect
SCCM 2012 | MCP | MCTS | MCSA | MCITP | CNA-Netasq | CCNA | ITIL