Yes... we know the famous James Bond movie was titled, "From Russia with Love", however, in this case we're going to Russia. What? Well.... as previously noted here, the botnet owners are starting to phone home via encrypted channels. We have a similar situation this afternoon with Russia, specifically Moscow, being the destination. Let's follow the bouncing ball:
An M$ Word file currently propagating across the Internet drops 27 files and launches PowerShell:
Many connections are initiated outbound, mostly on TCP Port 80, but... notice the TCP:443 connection back to Mother Russia:
How many AV engines are currently protecting against this threat, you ask? Not good... only 7 of 58:
Final question - are you decrypting outbound HTTPS connections? Further, are you interrogating the outbound POSTs for DLP violations? Call ESPO Systems if you need help...
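The blind spot above (a Word-spawned PowerShell beaconing over TCP:443 that an un-decrypting proxy never sees) can be surfaced from endpoint telemetry. The following is an added example written for this post, not code from ESPO Systems; the process and connection records are constructed sample data, and the TEST-NET addresses are placeholders.

```python
# Added example: flag outbound connections made by a script host that descends
# from an Office process, and mark those on ports the proxy does not decrypt.
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    ppid: int


@dataclass(frozen=True)
class Conn:
    pid: int
    dst: str
    port: int


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def office_ancestor(pid: int, procs: dict, max_depth: int = 16) -> bool:
    """True if any ancestor of `pid` is an Office binary (bounded walk avoids cycles)."""
    for _ in range(max_depth):
        proc = procs.get(pid)
        if proc is None:
            return False
        if proc.name.lower() in OFFICE_APPS:
            return True
        pid = proc.ppid
    return False


def suspicious_egress(procs, conns, inspected_ports):
    """Return (conn, inspected) for each connection from an Office-spawned script host.
    inspected=False means the proxy/DLP cannot read the payload (no TLS interception)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for c in conns:
        proc = by_pid.get(c.pid)
        if proc and proc.name.lower() in SCRIPT_HOSTS and office_ancestor(proc.ppid, by_pid):
            hits.append((c, c.port in inspected_ports))
    return hits


# Constructed sample telemetry: Word launches PowerShell, which then calls out.
PROCS = [Process(100, "winword.exe", 1), Process(200, "powershell.exe", 100),
         Process(300, "chrome.exe", 1)]
CONNS = [Conn(200, "203.0.113.5", 80), Conn(200, "198.51.100.7", 80),
         Conn(200, "192.0.2.9", 443), Conn(300, "192.0.2.9", 443)]

if __name__ == "__main__":
    for conn, inspected in suspicious_egress(PROCS, CONNS, inspected_ports={80}):
        print(f"{conn.dst}:{conn.port} from pid {conn.pid} -",
              "inspected" if inspected else "BLIND SPOT: not decrypted")
```

The browser's 443 connection to the same host is deliberately not reported: the parent chain, not the destination alone, is what makes the PowerShell traffic worth a look.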
What’s more to it is that viruses and Trojans are using Let’s Encrypt to create VALID certificates for those remote command and control sites now. So they look legitimate until the content is decrypted to see what it is actually doing.
See:
https://news.netcraft.com/archives/2017/04/12/lets-encrypt-and-comodo-issue-thousands-of-certificates-for-phishing.html
http://blog.trendmicro.com/trendlabs-security-intelligence/lets-encrypt-now-being-abused-by-malvertisers/