Two Attacks… Two Dyres… All Infrastructure

Over the last few days, we have seen two waves of Dyre. The attackers have changed things up a bit and made it harder to analyze. By using memory forensics techniques, we took a peek into their command and control (C2) infrastructure. The #1 rule of memory forensics…everything has to eventually be decoded, and we’re going to use this to our advantage. Here’s a quick look at the waves of emails we received. (Figures 1 and 2)

Figure 1 phishing fax

Figure 1 — First wave of Dyre


[Read more…]

.NET Keylogger: Watching Attackers Watch You

Throughout life, there are several things that make me smile. Warm pumpkin pie, a well-placed nyan nyan cat, and most of all – running malware online – never fail to lift my mood. So imagine my surprise to see, after running a malware sample, that the attackers were watching me. Here’s a screenshot of a phishing email we received, which contained a keylogger written in .NET.

Figure-1-Phishing-Screenshot

Figure 1 — Screenshot of phishing email

[Read more…]

Bash Vulnerability CVE-2014-6271 – Worm-able and Possibly Worse Than Heartbleed

Post Updated 9/30/2014

Several months ago, the Internet was put to a halt when the Heartbleed vulnerability was disclosed. Webservers, devices, and essentially anything running SSL were affected; as a result, attackers were able to collect passwords, free of charge.

With Heartbleed, the exploit made a splash and many attackers started to use the vulnerability. One of the more high-profile attacks of Heartbleed was the CHS attack, where the attackers siphoned 4.5 million patient records by attacking a Juniper device, then hopping onto their VPN.

So how can something be bigger than Heartbleed? I’m glad you asked. [Read more…]

Small but powerful — shortened URLs as an attack vector

Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened google URL, and led to some surprising malware.

Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report. [Read more…]

Attackers using Dropbox to target Taiwanese government

While we have previously mentioned cyber-crime actors using Dropbox for malware delivery, threat actors are now using the popular file-sharing services to target nation-states. According to The Register, attackers targeted a Taiwanese government agency using a RAT known as PlugX (also known as Sogu or Korplug).

From an anti-forensics perspective, PlugX is a very interesting piece of malware. One of the main ways it loads is by using a technique similar to load order hijacking. [Read more…]

Project Dyre: New RAT Slurps Bank Credentials, Bypasses SSL

When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part. However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named “Dyre”. This new strain not only bypasses the SSL mechanism of the browser, but attempts to steal bank credentials. [Read more…]