More About Attacks on Financial Industries…

On Sept. 17, the FBI issued a warning about the possibility of cyber attacks on the financial industry. Recently, we observed another kind of attack (not a Distributed Denial of Service or Denial of Service attack) against at least two major financial institutions. The attack, if successful, results in the establishment of a malicious communication channel on the victim's computer. The purpose of this blog is to share the finer technical details about the level of obfuscation used to hide the malicious executable in the attack.

Christmas Comes Early For Hackers: Email Attack Trends From 3Q2012

In our first-half (1H) 2012 Advanced Threat Report, we looked at various factors related to email-based attack trends, including exploit vector type (e.g., link or attachment), domain frequency, and attachment polymorphism. With the holiday season starting back up, we'll refocus our attention on all the corresponding threat data collected quarter-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial spam and anti-virus filtering across our customer deployments, which share intelligence back to us.

Top 20 Words Used in Spear Phishing Emails

Despite the many security defenses aimed at protecting email communications, email continues to be a critical vulnerability for enterprises.

Between Q1 2012 and Q2 2012 alone, FireEye reported a 56% increase in the amount of malicious emails—and this wasn’t simply an increase in the total number of emails distributed; it was an increase in the number of emails that were able to bypass signature- and reputation-based security defenses, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and secure gateways. This means that, while more and more malicious emails are outsmarting traditional security technology, more and more are making their way to your inbox.

Grum—New segment came and went

Back in July, with the help of Spamhaus and CERT-GIB, FireEye took down Grum, one of the world's largest spam botnets. The whole shutdown operation was like a roller coaster ride and is explained in my previous blog posts here and here. Apart from an unsuccessful recovery attempt made by the bot herders a few days after the takedown, we never noticed any movement from the opposite side. Apparently the Grum operators had given up on their botnet.

Possible Update to the Blackhole Exploit Toolkit

Pretty much everyone is aware of the BlackHole toolkit. We previously wrote a blog that compared the prevalence of various toolkits.

At FireEye, we trigger on thousands of BlackHole events every day across our customer base. We have recently seen reports that the toolkit has been updated. The following website gives you good details about what features have been included in the new toolkit: http://malware.dontneedcoffee.com/2012/09/blackhole2.0.html.

We immediately started looking through the FireEye Malware Protection Cloud (MPC) to see if the FireEye Virtual Execution engine in our appliances had seen instances of this new toolkit. (The FireEye Virtual Execution engine is our proprietary virtual machine technology that enables us to detect threats that have never before been seen.) Websense reported finding URLs in their blog, and we found a bunch of URLs—the earliest of which was detected on September 3, 2012.

Analysis of Malware Page

Target and Delivery Method

Malware Page exploits a vulnerability in PDF handling and has been seen delivered via email. Agenda_Web_(8-24-12).pdf is one of the file names this malicious sample uses. Per our logs, this sample has been seen targeting the aviation defense industry, making this malware a critical limited edition threat. When the malicious PDF file is opened, it infects the victim's machine and a decoy document is generated. When the decoy PDF file is opened in Acrobat Reader, as shown in Figure 1, the victim sees an invitation to an actual defense industry event.

Figure 1. Contents of the decoy PDF file

The purpose of this blog is to share the technical details about this critical limited edition malware.

Getting Tricky With Shellcode

Following my previous blog post about a very interesting shellcode exploit running inside a PDF, I got a little curious in my spare time and, upon further research, realized that there is yet another way to insert shellcode inside a Windows program.

The assumption here is that the reader knows about the Windows executable format (hence PE headers) and has some knowledge of DEP, ASLR, and some exploit techniques such as ROP chains.

The Story Behind Backdoor.LV

Since May of this year, we have seen a sudden uptick in the number of samples of an interesting malware we call Backdoor.LV. We have seen this malware propagate primarily through websites hosting .exe files. The HTTP header below shows one such example from which the malware was downloaded. A quick lookup of the location of the IP address in the HTTP header, "94.129.29.233", shows that it is located in Kuwait.

Just Released - FireEye Advanced Threat Report - 1H 2012

The third issue of the FireEye Advanced Threat Report was released today. We are excited to share this report, which contains the latest advanced threat information and new insights into the continued evolution of the cyber threat landscape. Advanced malware continues to grow, and in the first half of 2012 it is up nearly 400% vs. the first half of 2011. On average, an organization is experiencing 643 advanced malware infections per week. Keep in mind that this is advanced malware: unknown threats that have not been seen before, and that bypass traditional signature-based security defenses such as next-generation firewalls, IPS, gateways, and AV. The report highlights five key findings, a few of which are included here.

Advanced threats come into organizations via several threat vectors—the Web, email, and files. While web-based threats are significant, the dangers of email-based threats are growing more severe. Links and attachments delivered via email have been the source of some of the high-profile advanced persistent threat (APT) attacks such as the RSA breach, GhostNet, and NightDragon. These targeted spear-phishing emails are up, because they work. But spear phishing emails are evolving with the use of malicious links becoming more prevalent than the use of malicious attachments.

Advanced threats are posing challenges to enterprises and government agencies across the board. Industries with intellectual property, customer information, or critical infrastructure to protect are particularly vulnerable to advanced threats. Notable increases in advanced threats have been seen in the healthcare, financial services, and energy/utility industries while the technology industry continues to experience a high level of advanced threats. No industry or government agency is immune.

We hope you find the report informative and useful. And, more importantly, we hope organizations and government agencies take action to protect themselves from advanced threats. Read more in the FireEye Advanced Threat Report by filling out the form below.

Java Zero-Day - First Outbreak

A few days ago I talked about the existence of a new Java zero-day flaw (CVE-2012-4681). Soon after the publication of my blog, the white hats kicked in and there was proof-of-concept (PoC) code ready overnight. At this point, a major outbreak was inevitable. We soon came to know that the mastermind behind the Blackhole exploit kit has plans to add this zero-day to his package. This morning we started getting the first indication of a large-scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly. After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands.
