Ransomware Rising – Criakl, OSX, and others – PhishMe Tracks Down Hackers, Identifies Them and Provides Timeline of Internet Activities

Over the last few months, the Phishing Intelligence team has observed a huge increase in ransomware. Many attackers are starting to experiment with ransomware as a quick way to monetize their access. The Dridex operators have begun distributing a new family of ransomware named Locky, which is a pretty drastic shift from what this group is known for. We're even seeing attackers go after OS X with ransomware, a platform once thought to be immune from malware; nearly 6,500 users downloaded the compromised BitTorrent client before it was pulled.

Follow along with us as we deconstruct a recent ransomware attack and hack the hackers behind the attempt.

More Tax Time Scams

Every year, attackers find some new way to steal more money come tax time. Last year, attackers took advantage of e-filing, and a surge in fraudulent state tax returns led TurboTax to temporarily halt state e-filing. Here is a screenshot of a phishing email that attackers are using to try to obtain W-2s for all employees:


Figure 1. Screenshot of phishing email used by attackers

Be on the lookout for these types of scams! Snapchat recently fell victim to one of them and did the responsible thing by notifying the affected parties and calling in the FBI. HMRC-related phishing is something to watch out for as well, as is anything else tax-themed around tax time. Stay alert!

Dridex Experimenting with New Attack Vectors

A few weeks ago, we posted an article about how Dridex is experimenting with different families of malware and techniques. When a threat actor starts shifting TTPs, it's usually a big deal. Attackers get comfortable in their infrastructure, some survive sinkholes, and they keep spamming or stealing money. A shift takes time, effort, and money on the attacker's part. The part people often forget is that attackers need people to maintain backends, write the malware, write the panels, and patch exploits as researchers find them, or else they will be exploited by those same researchers.

Translation Update: How to Pwn an Electric Company (or Anyone Else, for That Matter)

1/13/2016 Update: This post has been updated to reflect the translation of the BlackEnergy Word document.

On January 4th, ESET released an excellent blog post about the BlackEnergy Trojan being used against power companies in Ukraine to knock out power in some areas. While this is not the first time we've seen cyber attacks produce kinetic effects, the BlackEnergy attacks could have been prevented.

Macro documents with XOR Encoded Payloads

When reversing malware samples, one of the things we as analysts look for is where the attackers slip up. This can be anything from reusing the same strings, to weak obfuscation routines, to reusing the same snippet of code. When we talk about attackers, there is a misconception that they are super villains who can only do evil, but keep in mind that they are human too.
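As an added example (this is not PhishMe's code, and it is not the sample discussed in the post), here is a Python sketch of why a single-byte or short repeating XOR key counts as a "weak obfuscation routine": an embedded PE gives the analyst enough known plaintext (the `MZ` magic and the DOS stub string) to recover the key outright instead of guessing. The payload blob, the keys and the stub offset below are constructed for illustration.

```python
# Added example: recovering an XOR-encoded PE payload with known plaintext.
# Not PhishMe's tooling; the sample blob and keys are constructed here.
from itertools import cycle
from typing import List, Optional, Tuple

PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def brute_force_single_byte(blob: bytes) -> List[int]:
    """Every single-byte key under which the blob starts with 'MZ' (256 tries)."""
    return [k for k in range(256)
            if xor_with_key(blob[:2], bytes([k])) == PE_MAGIC]


def recover_key_from_known_plaintext(blob: bytes, known: bytes,
                                     offset: int, key_len: int) -> Optional[bytes]:
    """Derive a repeating key of length key_len from a known plaintext run at offset.

    key[(offset + i) % key_len] = blob[offset + i] ^ known[i]. Returns None when
    the run is too short to cover every key position or when two positions
    disagree, which means the offset or the key length is wrong.
    """
    if offset < 0 or offset + len(known) > len(blob) or len(known) < key_len:
        return None
    key = bytearray(key_len)
    seen = [False] * key_len
    for i, plain in enumerate(known):
        pos = (offset + i) % key_len
        kb = blob[offset + i] ^ plain
        if seen[pos] and key[pos] != kb:
            return None
        key[pos], seen[pos] = kb, True
    return bytes(key)


def find_dos_stub_key(blob: bytes, max_key_len: int = 16,
                      max_offset: int = 0x100) -> Optional[Tuple[bytes, int]]:
    """Slide the DOS stub over the first max_offset bytes for each key length,
    shortest key first, and accept a key only if the result also starts with MZ."""
    for key_len in range(1, max_key_len + 1):
        for offset in range(max_offset):
            key = recover_key_from_known_plaintext(blob, DOS_STUB, offset, key_len)
            if key is not None and xor_with_key(blob[:2], key) == PE_MAGIC:
                return key, offset
    return None


def decode_payload(blob: bytes) -> Optional[bytes]:
    """Recover the key from the DOS stub and return the decoded payload, or None."""
    found = find_dos_stub_key(blob)
    return xor_with_key(blob, found[0]) if found else None


# Constructed sample: a fake PE header with the DOS stub at 0x4E, not a real binary.
FAKE_PE = b"MZ\x90\x00" + bytes(0x4A) + DOS_STUB + b"\r\r\n$" + bytes(range(256)) * 2
ENCODED_SINGLE = xor_with_key(FAKE_PE, b"\x5a")      # single-byte key
ENCODED_MULTI = xor_with_key(FAKE_PE, b"Ph1shMe")    # 7-byte repeating key

if __name__ == "__main__":
    print("single-byte candidates:", brute_force_single_byte(ENCODED_SINGLE))
    print("recovered key/offset:", find_dos_stub_key(ENCODED_MULTI))
    print("decoded matches original:", decode_payload(ENCODED_MULTI) == FAKE_PE)
```

The known-plaintext step is the point: once a macro's decoder and its encoded blob are in hand, the analyst never has to brute-force a multi-byte key, because the PE layout tells them what bytes 0x4E onward must decode to. The same consistency check also flags a wrong key length, since two bytes that land on the same key position will disagree.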

Vistaprint Abuse – Free Phish for All

Over the last few months, we’ve been seeing a huge influx of attackers using VistaPrint for business email compromise (BEC) scams. Losses due to account takeovers total over a billion dollars, and given the nature of these wire fraud attempts, it’s pretty easy to get the money, unless you’re the VP of finance for PhishMe. Why are attackers using VistaPrint, and what makes them such a middle-man for these attacks?

Yara CTF – The Answers

Hello everyone, and thank you for coming to check out the Yara CTF answers! We had a TON of folks who were interested in the challenge, many submitted answers, and many enjoyed the challenges. Some of the best feedback we received was "This was the shortest plane ride over to Vegas. Thanks, PhishMe!"

Yara CTF, Blackhat 2015

Welcome and good luck on the CTF!

Password: “Go forth and hack!!##one1”, no quotes.

PM_Yara_CTF_2015

One of the challenges is to write an exploit, so please exercise responsible disclosure on this one! We will be working with the developers to get the code patched ASAP!

Please note: Challenge #4 contains a typo, it needs a Yara rule, not a key. Sorry for the error.

Deadline for submissions: We will close the contest at 8 AM (PDT) on Thursday, August 6.