Wednesday, October 28, 2015

Anatomy of an "Ongoing" Attack

Emails are circulating this morning with malicious Word attachments:

As usual, AntiVirus coverage is spotty: only 5 of 55 vendors currently have a signature for this sample (McAfee and Symantec are MIA again):

Per this Raytheon|Websense File Sandbox report, and as is typical of today's blended threats, the dropper pulls a second malicious file via HTTP from a site in Germany:

However, something interesting is going on with the second stage (the "2nd bouncing ball"): it phones home to a site in Russia. Of particular interest is the HTTP POST:

Question: are you monitoring outbound HTTP POSTs to determine whether intellectual property or PII is being exfiltrated? Better question: if that POST were sent over HTTPS, would you be able to decrypt it and gain visibility into the data leak?
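To make the first question concrete, here is an added example (not part of the original post, and not Websense's or ESPO's code) that triages outbound POSTs in a web-proxy log. The log format, the internal network ranges, the byte thresholds and the sample lines are all constructed assumptions; adapt parse_line() to whatever your proxy or Zeek http.log actually emits. It also shows the HTTPS caveat in the question: a CONNECT tunnel gives you only the destination and the byte count, so without TLS termination at the proxy the volume heuristic is all you have.

```python
"""Triage outbound HTTP POSTs (and opaque CONNECT tunnels) for possible exfiltration.

Added example, not from the original post. Log format is a constructed,
simplified one: ts src method host path request_bytes status.
"""
import ipaddress
from collections import defaultdict

# Constructed sample proxy log (RFC 5737 documentation addresses as "external" hosts).
SAMPLE_LOG = """\
2015-10-28T09:01:12 10.0.5.23 GET www.example.com / 412 200
2015-10-28T09:01:15 10.0.5.23 POST www.example.com /login 214 302
2015-10-28T09:03:40 10.0.5.23 POST 203.0.113.77 /gate.php 181204 200
2015-10-28T09:03:41 10.0.5.23 POST 203.0.113.77 /gate.php 177930 200
2015-10-28T09:03:42 10.0.5.23 POST 203.0.113.77 /gate.php 183002 200
2015-10-28T09:05:10 10.0.5.41 POST intranet.corp.local /upload 5200000 200
2015-10-28T09:06:02 10.0.5.41 POST 198.51.100.9 /api/v1/log 950 200
2015-10-28T09:07:30 10.0.5.23 CONNECT 203.0.113.80:443 - 2104000 200
"""

# Assumed policy knobs; tune for your environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.local",)
BIG_POST_BYTES = 100_000        # a single upload this large is worth a look
REPEAT_THRESHOLD = 3            # same src->dst POST repeated this many times...
REPEAT_TOTAL_BYTES = 250_000    # ...and moving at least this much in total


def parse_line(line):
    """Parse one constructed log line into a dict (adapt to your real format)."""
    ts, src, method, host, path, req_bytes, status = line.split()
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "req_bytes": int(req_bytes), "status": int(status)}


def strip_port(host):
    """Drop a trailing :port as seen on CONNECT targets (bracketed IPv6 not handled)."""
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_internal(host):
    """Internal if it carries an internal DNS suffix or is an IP inside our ranges."""
    if host.endswith(INTERNAL_SUFFIXES):
        return True
    if not is_ip_literal(host):
        return False
    return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)


def triage_posts(log_text):
    """Return (reason, src, host, detail) findings for uploads leaving the network."""
    findings = []
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # CONNECT is an HTTPS tunnel: no method, path or body visible, only bytes.
        if rec["method"] not in ("POST", "CONNECT"):
            continue
        host = strip_port(rec["host"])
        if is_internal(host):
            continue
        per_pair[(rec["src"], host)].append(rec)
        if rec["req_bytes"] >= BIG_POST_BYTES:
            reason = "large_post" if rec["method"] == "POST" else "large_tls_upload"
            findings.append((reason, rec["src"], host, rec["req_bytes"]))
    for (src, host), recs in per_pair.items():
        total = sum(r["req_bytes"] for r in recs)
        # Many moderate POSTs to one external host add up to the same leak.
        if len(recs) >= REPEAT_THRESHOLD and total >= REPEAT_TOTAL_BYTES:
            findings.append(("repeated_post", src, host, total))
        # Legitimate web apps are reached by name; a bare IP as the host is a C2 tell.
        if is_ip_literal(host):
            findings.append(("ip_literal_host", src, host, len(recs)))
    return findings


if __name__ == "__main__":
    for f in triage_posts(SAMPLE_LOG):
        print(*f)
```

The internal-host allowlist is what keeps the 5 MB upload to the intranet server out of the findings; without it, every large internal transfer drowns the real signal. The CONNECT line is flagged purely on size, which is the visibility gap the second question is about.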

Wednesday, October 21, 2015

FBI Takes Down Dridex?

Well... that's what the Register reported earlier this month. However, emails are circulating this morning that smell a lot like Dridex:

Why do we at ESPO Systems believe this to be Dridex? As you can see above, the social engineering still revolves around financial themes, and malicious macros are again being delivered inside M$ Office attachments, per this Websense File Sandbox report.

What's the current AV detection rate, you ask? Not good:

Thursday, October 8, 2015

Pick your Poison

An interesting morning: both M$ Word and Excel files are being distributed with malicious macro downloaders that reach out for 983bv3.exe:

- Websense File Sandbox details for Word Downloader found here.

- Websense File Sandbox details for Excel Downloader found here.
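Both this post and the Dridex post above come down to macro-bearing Word and Excel attachments. The following is an added example, not code from the original post or from Websense, of a mail-gateway style triage that answers the one question that matters before AV signatures exist: does this attachment carry a VBA project at all? It inspects the OOXML (.docx/.docm/.xlsx/.xlsm) container with the standard library: a macro-enabled file carries a vbaProject.bin part and declares the application/vnd.ms-office.vbaProject content type. Word and Excel choose how to open a file by content, not by extension, so the check also flags a macro container hiding behind a non-macro extension. Legacy binary .doc/.xls (OLE2) files need an OLE/VBA parser such as oletools' olevba and are only routed, not judged, here. The sample documents are constructed minimal containers, not real attachments.

```python
"""Triage Office attachments for embedded VBA macros.

Added example, not from the original post. Standard library only; the
build_sample_ooxml() documents are constructed stand-ins for real files.
"""
import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm")


def triage_office(data, filename):
    """Return a dict with 'verdict' (MACROS / CLEAN / NEEDS_OLE_PARSER / NOT_OFFICE),
    'has_macros', 'ext_mismatch' and the list of VBA parts found."""
    ext = os.path.splitext(filename.lower())[1]
    result = {"verdict": "NOT_OFFICE", "has_macros": None, "ext_mismatch": False, "vba_parts": []}
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls: VBA lives in an OLE storage, outside this example's scope.
        result["verdict"] = "NEEDS_OLE_PARSER"
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            ctypes = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return result
    # Two independent signals: the part itself, and the content-type declaration.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    declared = VBA_CONTENT_TYPE.encode() in ctypes
    has_macros = bool(vba_parts) or declared
    result.update({
        "verdict": "MACROS" if has_macros else "CLEAN",
        "has_macros": has_macros,
        # A macro container named .doc/.docx/.xlsx still opens macro-enabled.
        "ext_mismatch": has_macros and ext not in MACRO_EXTS,
        "vba_parts": vba_parts,
    })
    return result


def build_sample_ooxml(app="word", macros=True):
    """Constructed minimal OOXML container for testing; not a real document.
    app is 'word' or 'xl', matching the part prefixes Word and Excel use."""
    part = f"{app}/vbaProject.bin"
    override = f'<Override PartName="/{part}" ContentType="{VBA_CONTENT_TYPE}"/>' if macros else ""
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>'
              f"{override}</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr(f"{app}/{'document' if app == 'word' else 'workbook'}.xml", "<x/>")
        if macros:
            # Constructed placeholder; a real vbaProject.bin is an OLE2 compound file.
            z.writestr(part, OLE2_MAGIC + b" constructed stand-in for a VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("invoice.docm", build_sample_ooxml("word", True)),
                      ("invoice.doc", build_sample_ooxml("word", True)),
                      ("statement.xlsm", build_sample_ooxml("xl", True)),
                      ("memo.docx", build_sample_ooxml("word", False))]:
        print(name, triage_office(doc, name))
```

A gateway that quarantines anything with verdict MACROS or NEEDS_OLE_PARSER from an external sender would have held every sample in this post regardless of the AV detection rate, which is the point: macro presence is a property of the file, not a signature someone has to write first.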

As is all too frequently the case, if you're counting on your AV vendor to protect you, your trust is misplaced:

What's the concern with 983bv3.exe? How about the fact that it modifies 317 registry entries (details found here).

In summary, today's malware is too sophisticated to entrust our security to the AV vendors alone. Call ESPO Systems to implement the next generation of security controls.

Thursday, October 1, 2015

Please Open... Not!

An email is currently circulating with an M$ Word attachment asking the recipient to "please open". Would your users respond properly?

Per this Websense File Sandbox report, the file is clearly malicious. Unfortunately, the "Premium AV Guys" (McAfee & Symantec) are asleep at the wheel again:

As such, you will want to check your firewall logs to see whether any of your users did open the attachment/dropper and are now phoning home to the following IP addresses:
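The firewall sweep suggested above, as an added example that is not part of the original post: it takes the IP addresses a sandbox report hands you and finds which internal hosts have been talking to them. The IOC list and the log lines are constructed placeholders in RFC 5737 documentation ranges, not the addresses this post referred to; the key=value record style follows iptables/netfilter syslog output, so adapt parse_fw_line() to your firewall's format. Matching goes through the ipaddress module so a single list can hold both exact hosts and whole CIDR blocks.

```python
"""Sweep firewall logs for internal hosts that contacted known C2 addresses.

Added example, not from the original post. IOCs and log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC list, as a sandbox report's network-activity section would give it.
IOCS = ["203.0.113.77", "198.51.100.0/28"]

# Constructed netfilter-style syslog lines; assumed to be in chronological order.
SAMPLE_FW_LOG = """\
Oct  1 08:41:02 fw1 kernel: [OUTBOUND] IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.77 PROTO=TCP SPT=49211 DPT=80
Oct  1 08:41:05 fw1 kernel: [OUTBOUND] IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.10 PROTO=TCP SPT=49212 DPT=443
Oct  1 08:43:17 fw1 kernel: [OUTBOUND] IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=198.51.100.9 PROTO=TCP SPT=51003 DPT=8080
Oct  1 08:43:19 fw1 kernel: [OUTBOUND] IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=198.51.100.9 PROTO=TCP SPT=51004 DPT=8080
Oct  1 08:50:00 fw1 kernel: [INBOUND] IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=10.0.5.23 PROTO=TCP SPT=80 DPT=49211
Oct  1 09:02:44 fw1 kernel: [OUTBOUND] IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.77 PROTO=TCP SPT=49300 DPT=80
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def compile_iocs(iocs):
    """Turn a mixed list of hosts and CIDRs into networks (a bare host becomes a /32)."""
    return [ipaddress.ip_network(i, strict=False) for i in iocs]


def ioc_match(ip_str, nets):
    """Return the first IOC network containing ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net in nets:
        if ip in net:
            return net
    return None


def parse_fw_line(line):
    """Return {'ts': ..., 'SRC': ..., 'DST': ..., 'DPT': ...} or None if not a flow line."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["ts"] = line[:15]  # syslog "Mon dd HH:MM:SS" prefix
    return fields


def sweep(log_text, iocs=IOCS):
    """Group outbound connections to IOCs by (internal source, matched IOC)."""
    nets = compile_iocs(iocs)
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "dports": set()})
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None:
            continue
        # Key on DST: the phone-home direction has the victim as SRC. The matching
        # inbound reply (IOC as SRC) is the same conversation and is not double counted.
        net = ioc_match(rec["DST"], nets)
        if net is None:
            continue
        h = hits[(rec["SRC"], str(net))]
        h["count"] += 1
        h["first"] = h["first"] or rec["ts"]
        h["last"] = rec["ts"]
        if rec.get("DPT", "").isdigit():
            h["dports"].add(int(rec["DPT"]))
    return [{"src": src, "ioc": ioc, "count": h["count"], "first": h["first"],
             "last": h["last"], "dports": sorted(h["dports"])}
            for (src, ioc), h in sorted(hits.items())]


if __name__ == "__main__":
    for hit in sweep(SAMPLE_FW_LOG):
        print(hit)
```

Every host that appears in the output is a candidate for reimaging, not just cleaning, and the first-seen timestamp tells you how far back to pull mail logs to find who else received the same attachment. Pair this with DNS logs if the sandbox report gives you hostnames rather than addresses, since a C2 domain can move to a new IP between the report and your sweep.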