A few weeks ago, we posted an article about how Dridex is experimenting with different families of malware and techniques. When one threat actor starts shifting TTPs, it’s usually a big deal. Attackers get comfortable in their infrastructure, some survive sinkholes, and they continue spamming or stealing money. One shift takes time, effort, and money on the attackers’ part. The part that people often forget is that attackers need people to maintain backends, code the malware, code panels, and patch exploits as researchers find them, or else they are going to be exploited by said researchers.
What first appeared last week to be yet another malspam campaign spread solely to infect victims with Andromeda also downloaded some interesting second-stage payloads, including several keyloggers and what was later discovered to be labeled as the Fluxer proxybot. The initial malspam lures were written in Italian and informed victims that they had received an invoice as the message attachment. The attachment is a ZIP archive containing the Andromeda malware installer. More information about this campaign is available to ThreatHQ customers in Threat ID 5316.
The APIs have it – Emphasis on ‘I’– Individuals, Integrate, Investigate, and Incident Response
Every day, PhishMe is helping enterprise employees change their behavior against the top threat leading to many of today’s high-profile breaches – phishing. Our customers empower their employees to report suspicious email, thereby creating a rich source of actionable intelligence for incident responders. Triage provides security operations center (SOC) analysts and incident responders a way to automate the identification, prioritization, and remediation of these phishing threats. This threat intelligence can then be shared with other teams to better protect your enterprise.
In response to the findings that phishing scams cost UK consumers £174m last year, Ronnie Tokazowski, senior researcher at PhishMe, has the following comments.
From time to time, there will be an overlap with malware infrastructure where one attacker will compromise another attacker’s infrastructure. Typically, this is part of the “compromised infrastructure” which can fluctuate, and attackers have even been seen to uninstall one another’s malware. However, in this case, we strongly believe that the actors are experimenting with Dridex, Pony, and Neutrino.
1/13/2016 Update: The blog has been updated to reflect the translation of the BlackEnergy word document.
On January 4th, ESET released an amazing blog post about the BlackEnergy Trojan being used to attack power companies in the Ukraine to knock out the power in some areas. While this is not the first time we’ve seen cyber attacks become kinetic, the BlackEnergy attacks could have been prevented.
- 8 million emails over a 13 month span
- 75% of organizations are training more than 1,000 employees
- Representing organizations from US (86%) and Europe (14%)
- Representing 23 industries
Tackling a mountain of unmined data in search of answers can be a daunting task. Starting from scratch, we understood that we would likely face challenges to our preconceived notions of what works well, and we were prepared to accept what the data would tell us, however challenging it might be. Our goals were simply to understand what data was available for analysis and how much of it there was. We began with basic questions: how many scenarios are clients running? What type of scenarios are they, and what do they contain? Are there any trends based on time, content, type, or context?
NEW YORK, NEW YORK — This morning, CNBC Squawk Box anchors tackled the enterprise phishing scourge with the assistance of PhishMe CEO and recognized cybersecurity thought leader, Rohyt Belani. As pointed out by anchor Andrew Ross Sorkin at the beginning of the segment, phishing attacks are responsible for more than 90 percent of the major data breaches taking place today and were cybercriminals’ primary attack vector for recent compromises at the OPM and Anthem.
When reversing malware samples, one of the things that we as analysts look for is places where the attackers slip up. This can be anything from using the same strings, to weak obfuscation routines, to reusing the same snippet of code. When we talk about the attackers, there is a misconception that they are super villains who can only do evil, but keep in mind that they are humans too.