NanoCore RAT delivered through phishing campaigns

SonicWall Capture Labs Threat Research team has observed a huge phishing campaign that spreads NanoCore Remote Access Trojan (RAT) through malicious attachments.

As with many other attacks, this campaign starts with a phishing email that carries the malicious ISO file as an attachment. The ISO file is named to look like an image file. The contents of the email messages vary, but each is spoofed to look as if it comes from one of the target’s vendors and encourages the user to open the attached file.

ISO:

An ISO file (also referred to as an ISO image) is an archive file that contains all the information that would be written to an optical disc. ISO files are commonly used to create a backup of a CD or DVD. They are also very useful for distributing large programs over the internet, as an ISO image can conveniently contain all of a program’s files in a single file.

An ISO file is used in this attack because many email gateway scanners do not scan ISO attachments properly, possibly because ISO files tend to be larger. In the past, a third-party utility was required to open an ISO file, but modern versions of Windows (Windows 8 and later) include a native ISO mounting tool, so opening an ISO is now as simple as double-clicking the file. This increases the chances of the target opening the file. All the ISO files observed in this campaign are 1-2 MB in size.

EXE:

The executable file “SKMBT#2019-04.exe” embedded within the ISO is shown below.

AutoIt:

The malicious payload, presented as a single EXE file, is actually the AutoIt interpreter with a compiled AutoIt script embedded in it as a resource. Analyzing the file with PEStudio shows that it is an AutoIt compiled script.

Using the Exe2Aut tool, we retrieved the AutoIt source code from the compiled script, but it is heavily obfuscated. A snippet from the AutoIt source code is shown below.

NanoCore RAT:

The string “NanoCore.ClientPluginHost”, which belongs to NanoCore RAT, is found in memory.

NanoCore is one of the most sophisticated RATs (Remote Access Trojans) out there. This malicious program uses NanoCore’s plugins to take control of the victim’s machine.

Behavior:

Upon execution, it exhibits the following behavior.

  • Anti-debugging:

It exits with an error dialog if a debugger is present.

  • DNS Lookup:

It performs a DNS lookup for “billionscome1.duckdns.org” and establishes a connection to the server 191.101.150.90. Most of the similar malicious programs used in the campaign perform DNS queries to *.duckdns.org.

  • Files Written:

It creates a copy of itself and drops it into the AppData directory, along with a malicious VBS script.

Later, it creates an entry in the Windows Startup directory for persistence; files under the Startup directory execute automatically at every boot. “ghsdgfsdghfsfsd.url” is written into the Startup directory. It is actually a shortcut file that links to the executable “dfgdjfhdjhfdhdjf.exe” created in the previous step.

  • Schedule Tasks:

Then, it schedules a task using the following command. This task is called “NAT Monitor”.

"schtasks.exe" /create /f /tn "NAT Monitor" /xml "C:\Users\gaya3\AppData\Local\Temp\tmpB400.tmp"

The “NAT Monitor” task is made to run “RegAsm.exe”, not “natmon.exe” as its name would suggest.

  • Process Hollowing:

RegAsm is a Windows command-line utility used to register .NET assemblies for Component Object Model (COM) interop. It is digitally signed by Microsoft. Adversaries use RegAsm.exe to proxy execution of code through a trusted Windows utility, in order to bypass process whitelisting and evade detection.

This malware starts a RegAsm.exe process in the suspended state with CreateProcessA (using the 0x4 CREATE_SUSPENDED process creation flag). It retrieves the path to itself and passes it as an argument to the process hollowing function, which replaces the contents of the RegAsm process with the malicious executable and resumes execution. The malicious code now runs masked under a legitimate process, as the image path points to the legitimate “C:\Windows\Microsoft.Net\Framework\v2.0.50727\RegAsm.exe”.

Once hollowed, RegAsm.exe can be used to establish a connection to the C2C server, install a keylogger, mouse logger and other components to steal the user’s credentials, and perform financial transactions from the client’s own computer.

  • Keystroke Logging:

It captures all of the user’s keystrokes and writes them into an encrypted file called “KB_28549343.dat”.

It also contains functionality to simulate key presses, so it may perform financial transactions with the stolen credentials from the same computer.
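As an added hunting example (not part of the SonicWall write-up), the behaviour chain above expressed as detection rules over constructed, SIEM-style events. The event field names, the “victim” user path and the rule thresholds are assumptions; the sample events mirror the write-up, with one benign RegAsm launch added as noise.

```python
"""Hunt rules for the NanoCore behaviour chain described in the write-up.
Added example: events are constructed SIEM-style records (process creation,
file write, DNS); field names and the 'victim' user path are assumptions."""
import re

USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|tmp)\\", re.I)
STARTUP_URL_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.url$", re.I)
DDNS_SUFFIXES = (".duckdns.org",)   # dynamic-DNS provider seen across the campaign

# Constructed telemetry modelled on the write-up; the last event is benign noise
# (a developer registering a COM-visible assembly from Visual Studio).
EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\dfgdjfhdjhfdhdjf.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "dfgdjfhdjhfdhdjf.exe"},
    {"type": "file",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghsdgfsdghfsfsd.url",
     "content": "[InternetShortcut]\r\nURL=file:///C:/Users/victim/AppData/Roaming/dfgdjfhdjhfdhdjf.exe\r\n"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\victim\AppData\Roaming\dfgdjfhdjhfdhdjf.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "NAT Monitor" /xml "C:\Users\victim\AppData\Local\Temp\tmpB400.tmp"'},
    {"type": "process", "image": r"C:\Windows\Microsoft.Net\Framework\v2.0.50727\RegAsm.exe",
     "parent": r"C:\Users\victim\AppData\Roaming\dfgdjfhdjhfdhdjf.exe", "cmdline": "RegAsm.exe"},
    {"type": "dns", "image": r"C:\Windows\Microsoft.Net\Framework\v2.0.50727\RegAsm.exe",
     "query": "billionscome1.duckdns.org"},
    {"type": "process", "image": r"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": r'RegAsm.exe "C:\Projects\MyLib\bin\MyLib.dll" /codebase'},
]


def in_user_writable(path: str) -> bool:
    """True for paths under AppData/Temp, where the dropper copies itself."""
    return bool(USER_WRITABLE_RE.search(path.replace("/", "\\")))


def is_image(ev: dict, name: str) -> bool:
    return ev["type"] == "process" and ev["image"].lower().endswith("\\" + name)


def startup_url_to_appdata(ev: dict) -> bool:
    """.url shortcut written to the Startup folder that points at an AppData binary."""
    if ev["type"] != "file" or not STARTUP_URL_RE.search(ev["path"]):
        return False
    m = re.search(r"^url=(.*)$", ev["content"], re.I | re.M)
    return bool(m) and in_user_writable(m.group(1).strip())


def schtasks_xml_from_temp(ev: dict) -> bool:
    """schtasks /create importing a task definition from %TEMP%."""
    if not is_image(ev, "schtasks.exe"):
        return False
    c = ev["cmdline"].lower()
    return "/create" in c and "/xml" in c and "\\appdata\\local\\temp\\" in c


def regasm_no_args_from_appdata(ev: dict) -> bool:
    """RegAsm.exe launched with no assembly to register, by a parent living in
    AppData: a hollowing host has nothing legitimate to do."""
    if not is_image(ev, "regasm.exe"):
        return False
    args = ev["cmdline"].split(None, 1)[1:]
    return not any(a.strip() for a in args) and in_user_writable(ev["parent"])


def ddns_query(ev: dict) -> bool:
    """Resolution of a dynamic-DNS domain, as used for C2 across the campaign."""
    return ev["type"] == "dns" and ev["query"].lower().endswith(DDNS_SUFFIXES)


def regasm_resolving_names(ev: dict) -> bool:
    """RegAsm.exe has no reason to resolve hostnames; DNS from it is suspect."""
    return ev["type"] == "dns" and ev["image"].lower().endswith("\\regasm.exe")


RULES = {
    "startup_url_to_appdata": startup_url_to_appdata,
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
    "regasm_no_args_from_appdata": regasm_no_args_from_appdata,
    "ddns_query": ddns_query,
    "regasm_resolving_names": regasm_resolving_names,
}


def hunt(events: list) -> dict:
    """Map each rule name to the indexes of the events that triggered it."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


def chain_score(events: list) -> int:
    """Number of distinct chain stages observed; three or more is a strong match."""
    return len(hunt(events))


if __name__ == "__main__":
    for name, idx in hunt(EVENTS).items():
        print(f"{name:30s} events {idx}")
    print("chain score:", chain_score(EVENTS))
```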

VT Graph:

The VirusTotal threat intelligence graph of this campaign is shown below. Thousands of similar malicious files with different hashes were observed in this campaign.


Threat Graph:

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: 19486 Autoit.OLS
GAV: 2376 NanoBot.DN

SonicWall Capture Advanced Threat Protection (ATP) with RTDMI provides protection against this threat.

Hashes:

Email:
5b1fbbc99e01b8df2de401992bc463b35dcec53432145577fe71c0df5c757c6a
7194eb641b50af49885bb412a08f182ed3b6cde9b43a424db4654937564c38e2

ISO:
2d8fb4fb3d92f7f3fe6d599939afe8efcdf2ce5c045118d35ff016f27a1b16a4
1fb34c5ded3432f601680795e3942673ac55a0c89513a31f45e238ed773ab8e4

Exe:
49c2fe6ba8646341b6ecd869daf6fd8dfa0b522d20996f2321006d8a74d30ab6
4d76a57be034e6bae437b5c06c216cf7131d8db1e69ff6cfa881c38aabdb2818

C2C:
*.duckdns.org

‘Federal Tech Talk’ Hosts SonicWall CEO Bill Conner to Examine Cybercriminal Strategies that Threaten Federal Agencies

During a recent trip to Washington D.C., SonicWall CEO Bill Conner stopped by Federal News Network’s studios to join John Gilroy on Federal Tech Talk.

The pair took to the airwaves (and podcast) to focus on emerging cyber threats that impact enterprises, SMBs and federal agencies alike. Atop the list were attacks over non-standard ports, encrypted threats and malicious PDFs and Office files.

“What’s alarming on this one, these new techniques are evading traditional security sandboxes,” Conner told Gilroy on the show.

In mid-April, SonicWall announced new threat data that highlights the growing volume of PDF fraud campaigns. In all of 2018, the SonicWall Capture Advanced Threat Protection (ATP) sandbox discovered more than 47,000 new attack variants in PDF files. In March 2019 alone, the sandbox found more than 73,000 PDF-based attacks.

“It’s incredibly aggressive in terms of the volume. It’s also very evasive,” said Conner on the broadcast. “If you click on that PDF, it might not hit you immediately. It might be delayed before it activates itself. The alarming piece in this city (Washington D.C) — for the Feds — is that it is emanating out of Russia.”

The compelling 40-minute segment, which is available via podcast, also explored the growing volume of IoT attacks, fileless malware and other evolving exploits.

“It’s a cyber arms race,” said Conner. “As many good guys as we have coding to block it and stop it, you’ve got an equal number of bad guys on the other side looking for architecture or feature holes trying to get around [security controls].”

About Federal Tech Talk

Federal Tech Talk looks at the world of high technology in the federal government. Host John Gilroy of The Oakmont Group speaks the language of federal CISOs, CIOs and CTOs, and gets into the specifics for government IT systems integrators. John covers the latest government initiatives and technology news for the federal IT manager and government contractor.

SadComputer ransomware gives victims only 5 minutes to pay up

The SonicWall Capture Labs Threat Research Team has received reports of ransomware that appears to be in early development, called SadComputer. Although the malware gives its victim only 5 minutes to pay, it also provides a way to recover the files without paying the ransom. We speculate that this variant is an early development release, as the attackers seem to have provided a Bitcoin address that they do not control. The malware does, however, permanently delete files after the time expires.

Infection Cycle:

Upon running the executable file the following dialogs are displayed:


The following text is displayed on the top left of the screen:


The trojan encrypts files on the system and appends “.sad” to their filenames. After the 5-minute timer expires, the encrypted files are permanently deleted.

The trojan adds the following files to the system:

  • %USERPROFILE%\Desktop\sadcomputer_note.txt
  • %USERPROFILE%\Documents\sadcomputer_note.txt
  • %USERPROFILE%\Music\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\Camera Roll\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\Saved Pictures\sadcomputer_note.txt
  • %USERPROFILE%\Videos\sadcomputer_note.txt
  • %APPDATA%\Roaming\SadComputer\SadComputer\1.0.0.0\recover (empty file)
  • %APPDATA%\Roaming\SadComputer\SadComputer\1.0.0.0\time

The trojan adds the following key to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <machine name> “<original run path>”

sadcomputer_note.txt contains the following text:

Q: What Happend to my computer?
A: Your Files Have Been Encrypted.

Q: How Do i restore the files?
A: You need to use bitcoin to restore the files.

Q: Can i use other methods?
A: Yes. You can use Paypal.

Q: How can i trust?
A: We dont cheat users. We restore the files.

Pressing “Enter Code” or “Check” in the dialog shown above produces the following dialog:

Providing any random email address for the “E-Mail Address:” field brings up the following dialog:

Using the code provided results in the files being recovered.

The ransom note says that the victim must pay in Bitcoin for file recovery but does not provide an amount to pay.  The bitcoin address (1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2) is from the donation page of Tails, a project that sets out to provide an anonymous, privacy oriented operating system:

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Sadcomputer.RSM (Trojan)

Also, this threat is detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Cyber Security News & Trends – 04-26-19

This week, SonicWall’s recent PDF and Office cyberattack findings back up investigative reporting, a “secure” WhatsApp replacement is anything but, and vulnerabilities in the Internet of Things continue to create headlines.


SonicWall Spotlight

The Growing Partnership Between Russia’s Government and Cybercriminals – 60 Minutes

  • In a new investigative report, CBS examines evidence of increasingly blurred lines between Russian intelligence agencies and the criminal exploits of notorious cybercriminals like Evgeniy Bogachev, better known as the hacker “slavik” and “lucky12345”. The report further supports SonicWall’s recent findings of escalating PDF and Office document-based attacks likely originating from Russia.

Cyber Threat Report: Over 10 Billion Attacks of Various Types Recorded in 2018 – Business Review

  • Business Review reflects on the figures from the 2019 SonicWall Cyber Threat Report and the recently revealed data on the rise of dangerous PDF files.

PDF: The Vehicle of Choice for Malware and Fraud – HelpNet Security


Cyber Security News

How Nest, Designed to Keep Intruders out of People’s Homes, Effectively Allowed Hackers to Get In – Washington Post

  • Internet-connected devices, like Google’s Nest family, struggle to strike the right balance between making devices very secure and making them easy to use. If too much friction is put in place for security reasons, brands risk turning potential users off.

FBI: Cybercriminals Set New Record in 2018 by Causing More Than $2.7 Billion in Reported Losses – Washington Times

  • The FBI’s Internet Crime Complaint Center has released its annual report, detailing an almost doubling of financial losses caused by cybercrime in 2018.

Bug in French Government’s WhatsApp Replacement Let Anyone Join Élysée Chats – Ars Technica

  • A “secure” messaging app launched by the French government was hacked almost immediately upon release.

An Inside Look at How Credential Stuffing Operations Work – ZDNet

  • ZDNet digs deep into the world of cybercrime to explain how credential stuffing works, detailing the tools and methods used as well as its place in the criminal economy.

Unauthorized Party Muscles Its Way Into Bodybuilding.Com’s Systems – SC Magazine

  • Bodybuilding.com revealed that it suffered a data breach in February 2019 that exposed a trove of data, including real names, email addresses, physical addresses and phone numbers. Stored financial information beyond partial card numbers was not exposed.

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps – Motherboard

  • A hacker broke into the accounts of thousands of GPS trackers and claims that “with one touch, I can stop these vehicles’ engines.” He says that he carried out this hack to raise awareness of the poor security of the GPS apps.

Cybersecurity: UK Could Build an Automatic National Defence System, Says GCHQ Chief – ZDNet

  • Following a recent UK cybersecurity survey suggesting that only 15% of people say they know how to protect themselves online, the head of the GCHQ in the UK has called for cybersecurity responsibility not to be dependent on individuals but shared by governments, ISPs and businesses.

In Case You Missed It

What to Look for in a CASB Solution

Virtually every organization across major verticals — K-12 and higher education, financial services, retail and hospitality, and government — is undertaking digital transformation endeavors. And this includes migrating applications and data to the cloud.

When organizations do choose to adopt cloud technologies, software-as-a-service (SaaS) is the most popular choice, according to a Gartner forecast for public cloud adoption. This is evident in the number of SaaS applications a typical organization uses. According to IDG, 73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.


The adoption of SaaS applications brings about new security challenges for IT teams and increases attack surfaces for cybercriminals. The main use case for SaaS security is data protection. How do you protect your corporate data when you no longer have full control of the infrastructure or lack visibility into who can access that data and from which device/location?

The need to address this challenge created a new market segment in 2011 called Cloud Access Security Brokers (CASBs) or Cloud Security Gateways (CSGs). The CASB market segment is one of the fastest growing in information security with Gartner estimating a growth rate of 46% CAGR from 2017 to 2022.

Today, cloud security is not just about limiting or securing access to cloud applications. Cloud security is a shared responsibility where the organization that consumes cloud services is responsible for protecting sensitive data within their SaaS tenants. In fact, according to Gartner, “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”

What is CASB?

At a high level, CASB solutions typically deliver the following four functionalities:

  1. Visibility. Enable cloud discovery to shed light on cloud application usage and shadow IT activities.
  2. Data security. Secure the corporate data uploaded or hosted in the cloud by enabling data loss prevention (DLP) and monitor user activity.
  3. Threat protection. Identify anomalous user behavior and provide anti-malware and sandboxing capabilities to protect against threats in the cloud.
  4. Compliance. Empower organizations with auditing and reporting tools to demonstrate compliance, especially in regulated industries.

CASB: The evolution of cloud security

The early CASB solutions were geared toward large enterprises that were early adopters of cloud services. These solutions required sophisticated on-premises deployments that proxied all traffic (either as a forward or a reverse proxy) to enforce inline policies for cloud usage.

This proxy-mode CASB approach is sometimes known to introduce latency and/or cause breakage in application functionality, creating a bad user experience. In fact, it’s why Microsoft recommends against using proxy-based solutions when securing Office 365.

The next generation of CASB solutions takes advantage of the API-based architecture that SaaS platforms are built on. API-mode CASB is the only way to provide complete visibility into SaaS environments.

API-based CASBs are easy to deploy and provide the most coverage for SaaS security use cases across sanctioned IT, shadow IT, managed devices and unmanaged devices (BYOD).

On-Demand Webinar with Guest Michael Osterman

Need more security and control for your cloud applications? View this joint on-demand webinar, “Securing Your SaaS Landscape,” with Osterman Research principal analyst Michael Osterman, to explore the major concerns and issues organizations have with SaaS adoption, what to look for in a CASB solution and an overview of SonicWall Cloud App Security.

CASB protects Office 365 deployments

According to the Cybersecurity Insiders 2018 Cloud Security Report, the most popular SaaS app used by organizations of all sizes is Microsoft Office 365.

Many associate Office 365 with email because it’s the most used app within the Office 365 suite. So, when CISOs and IT directors begin migrating on-premises mailboxes to Exchange Online, the default response is to extend the incumbent Secure Email Gateway (SEG) or Mail Transfer Agent (MTA). This approach to securing cloud email creates two significant blind spots:

  1. Causing security gaps. Does not protect other apps within Office 365, so it becomes a point solution that is focused on securing only email.
  2. Missing internal threats. Does not scan internal Office 365 emails, which is becoming increasingly relevant in the current threat landscape with credential compromises and account takeovers.

To address these blind spots, you need to buy an add-on service (to scan internal email) from your email security provider (if they offer one) and deploy a CASB to protect the data residing in OneDrive and SharePoint Online. That’s one more point solution that IT directors need to add to their budget, and IT administrators need to deploy, get trained and manage.

Full-featured CASB solution: SonicWall Cloud App Security

When you view cloud email as a SaaS app, it makes sense that a CASB solution should protect data and provide visibility even if that data is in the form of email messages.

That’s why SonicWall Cloud App Security leverages APIs to integrate directly with SaaS platforms and combines data security and email security to provide complete protection for SaaS in a single solution. The CASB solution can be implemented in minutes without the need for any on-premises appliances or software installations.

Mongo-Lock Ransomware

Overview:

The SonicWall Capture Labs Threat Research Team recently found a new form of MongoLock ransomware that is actively being used in the wild today, with a global reach. MongoLock tries to remove files and format drives using commands issued through “cmd”, and targets databases with weak security settings. It drops a ransom note as a “warning.txt” file opened in Notepad, or as an entry inside any database it finds on the system. The ransom note asks for 0.1 BTC to be sent to a specified Bitcoin wallet. A picture of the ransom note is below:

Sample Static Information:

Unpacked Hash Information:

Entropy and Packer Information:

Now that we know the packer and protector information, we can start unpacking the sample below.

Unpacking The Sample:

Unpacking this sample is trivial because CFF Explorer allows us to click just a single button to unpack it.

Once you unpack the sample with CFF Explorer press “Save As” to save the unpacked sample. The new hash information now looks like the following:

RDG tells us that the unpacked sample has traces from aPLib compression and it’s using IsDebuggerPresent().

The following crypto signatures were found: Base64, CryptCreateHash, CryptEncrypt, CryptGenRandom, CryptHashData.

Ransom Note:

A long static ransom string is checked, then written to a warning file.

A glimpse into how they write the warning:

Directory List:

SHGetFolderPathW is a deprecated API that returns the path of a folder identified by a CSIDL value.

Removal of Directories and Files:

Formatting:

The string “: /fs:ntfs /q /y” is prefixed with “format” and a drive letter, and “cmd” is then called to execute the formatting of the drives.

Supported Systems:

The sample was tested and debugged on (x86) – 32 Bit, Windows 7 Professional.

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: MongoLock.A

Phobos Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Phobos ransomware [Phobos.RSM] actively spreading in the wild.

The Phobos ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Contents of the Phobos ransomware

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\info.hta
    • %Userprofile%\Desktop\info.txt
      • Instructions for recovery
    • %App.path%\[File Name].Phobos

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [.Phobos] extension to each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following .hta file, containing a message reporting that the computer has been encrypted and instructing the victim to contact its developer for unlock instructions.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Phobos.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Cyber Security News & Trends – 04-19-19

This week, SonicWall CEO Bill Conner appears on the Chertoff Group podcast, our threat researchers release details on the dramatic rise in PDF-related cyberattacks, and there’s an ongoing legal fight over whether a cyberattack can be considered an act of war.


SonicWall Spotlight

SonicWall Detects, Reports Dramatic Rise in Fraudulent PDF Files in Q1 2019 – SonicWall Press Release

  • SonicWall Capture Labs threat researchers are reporting a substantial increase of fraudulent PDF files. The fraud campaign takes advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations.

‘Chase & Capture’: The Chertoff Group Hosts SonicWall CEO Bill Conner on Latest Podcast – Podcast

  • SonicWall CEO Bill Conner speaks on the latest Chertoff Group Insights & Intelligence podcast, “Chase & Capture: Inside the Tactical Advances between Cybercriminals and the Security Industry.” He joins host Katie Montgomery to discuss the SonicWall 2019 Cyber Threat Report.

Of Billions and Trillions: Firewalls, Threats and SonicWall’s Thriving Business – Sify Finance

  • With around one billion malware attacks detected a week, AI and machine learning are just part of how SonicWall is raising the cybersecurity bar. SonicWall’s Bob Vankirk and Debashish Mukherjee are interviewed by Sify Finance.

Old-school cruel: Dodgy PDF email attachments enjoying a renaissance – The Register (UK)

  • The Register investigates the findings of the SonicWall Capture Labs showing a substantial increase of fraudulent PDF files.

The State of Cyber Arms Race: Unmasking the Threats Coming in 2019 – SonicWall Webcast

  • SonicWall’s John Gordineer presents a webinar sharing the findings of the 2019 SonicWall Cyber Threat Report and analyses what this intelligence tells us about the cyber arms race.

Mar-a-Lago Malware Event: A Study in What NOT to do With Unknown USB Keys – SonicWall Blog

  • Don’t plug it in. Critical advice from SonicWall’s Brook Chelmo on what to do, and what not to do, if you find a USB key lying around your workplace.

Cyber Security News

Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong. – New York Times

  • Zurich Insurance has refused to pay out on a cyberattack insurance claim by Mondelez, citing a “war exemption.” Mondelez originally made the claim after losing business while infected by NotPetya ransomware, but after the United States government tied the NotPetya attack to the Kremlin, Zurich classified the cyberattack as collateral war damage. Mondelez is pursuing a case against Zurich Insurance in the courts.

Facebook Uploaded Email Contacts of 1.5m Users Without Consent – The Guardian

  • Facebook admitted to “unintentionally” uploading the address books of 1.5 million users without their consent, blaming a legacy verification program. They say they will delete the data and notify those affected.

Data on Thousands of Law Enforcement Personnel Exposed in Breach – Dark Reading

  • Hackers leaked personal information on FBI agents, police officers, Secret Service personnel and other federal employees after a breach of three websites associated with the FBI National Academy, a 501(c)(3) organization.

A Hacker Has Dumped Nearly One Billion User Records Over the Past Two Months – ZDNet

  • A hacker calling themselves Gnosticplayers has stolen and published almost a billion user records over the past two months. ZDNet investigates the hacker community, finding that some hackers are not only motivated by money but by fame and a desire to be remembered.

In Case You Missed It

New PDF Fraud Campaign Spotlights Shifting Cybercriminal Phishing Tactics

PDF cyberattacks are nothing new. They are, however, growing in volume, deception and sophistication, and are now used as vehicles to modernize phishing campaigns.

SonicWall Capture Labs Threat Researchers announced a substantial increase of malicious or fraudulent PDF files. These fraud campaigns take advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations.

In March 2019 alone, SonicWall Real-Time Deep Memory Inspection (RTDMI™) discovered more than 73,000 new PDF-based attacks. In comparison, we found 47,000 new attack variants in PDF files in all of 2018.

“Increasingly, email, Office documents and PDFs are the vehicle of choice for malware and fraud in the cyber landscape,” said SonicWall President and CEO Bill Conner in the official announcement. “SonicWall Capture ATP with its RTDMI technology is at the forefront of catching new cyberattacks that elude traditional security sandbox technology.”

Last year, RTDMI identified over 74,000 never-before-seen cyberattacks, a number that has already been surpassed in the first quarter of 2019 with more than 173,000 new variants detected.

In March, the patent-pending technology identified over 83,000 unique, never-before-seen malicious events, of which over 67,000 were PDFs linked to scammers and more than 5,500 were PDFs with direct links to other malware.

Since 2017, Capture ATP with RTDMI has discovered increasing volumes of new threats leveraging PDFs and Office files.

Most traditional security controls cannot identify and mitigate malware hidden in PDF file types, greatly increasing the success of the payload. This increase implies a growing, widespread and effective strategy against small- and medium-sized businesses, enterprises and government agencies.

That’s where SonicWall RTDMI is unique. The technology analyzes documents dynamically via proprietary exploit detection technology, along with static inspection, to detect many malicious document categories, including PDFs, Office files, and a wide range of scripts and executables.

PDF malware attacks: A technical autopsy

SonicWall Capture Labs threat researchers dissected specific paths these fraudulent PDF campaigns take victims to infect them with malware.

In one example (see image below), Capture Labs cross-referenced a malicious file, at the time of detection, with popular collaboration tools from VirusTotal and ReversingLabs. No results were found, indicating the effectiveness of the RTDMI engine.

Targets of the scam email campaigns receive malicious documents from purported businesses, luring victims with PDF files made to look deceptively realistic and containing misleading links to fraudulent pages. The proposed “business offer” within the PDF is enticing to recipients, often promising free and profitable opportunities with just the click of a link.

Pictured below, the victim is sent to a fraudulent landing page masquerading as a legitimate money-making offer.

SonicWall hypothesizes that by using PDFs as delivery vehicles within their phishing campaigns, attackers are attempting to circumvent email security spam filters and next-generation firewalls — a core reason RTDMI is finding so many new malicious PDFs.

What does this PDF fraud campaign mean?

PDFs are becoming a very attractive tool for cybercriminals. Whether or not these are new attacks — or we are just developing the ability to detect them with RTDMI — the volume indicates that they are a serious problem for SMBs, enterprises, governments and organizations across a wide range of industries.

What’s the motive?

While SonicWall data doesn’t help us understand motivation, it does show that the amount of malicious, PDF-related activity is on the rise. We believe that this is happening for a variety of reasons, including:

  • Better awareness. Users have learned that executables sent to them are potentially dangerous and could contain viruses, so they are more hesitant to click .exe files, forcing attackers to try new techniques.
  • Deprecation of Flash. Adobe Flash was a key attack vector in the past, but it has been deprecated and will reach end of life in 2020. Attackers’ ability to use Flash exploits has therefore been greatly reduced, forcing them to change tactics.
  • Must-trust files. Businesses move fast. Users are under constant pressure and don’t have the time, experience or know-how to vet every file type that hits their inbox. As such, users make assumptions that trusted file types (e.g., PDFs, Office files) used daily are, for the most part, safe. So, users are more likely to read and click links within them without considering the source or ramifications.

What is the impact of the PDF fraud campaigns?

This is very difficult to determine. In the 2019 SonicWall Cyber Threat Report, Capture Labs reported that 34% of the new attack variants found by Capture ATP were either PDF or Office files — a figure that had grown from 13% since the last half of 2017. This data implies that this attack vector is growing, is widespread and is an effective strategy.

Who is behind this?

While attribution is difficult, SonicWall believes the latest spike in malicious PDF activity is Russian-based because of the use of many .ru top-level domains leveraged across analyzed campaigns.

How to stop cyberattacks that use PDF and Office files

  • Force attacks to reveal intentions. SonicWall RTDMI operates in parallel with the SonicWall Capture ATP sandbox service to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.
  • Protect the most common attack vectors. Another important layer of defense against malicious PDFs is email security. SonicWall offers cloud-hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Make training a policy. Improve awareness by implementing employee training protocols to ensure users know how to examine PDF and Office file attachments carefully before opening or clicking unknown links.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior, including PDF attacks.

Stopping PDF Attacks: 5 Ways Users & Organizations Can Work Together

Leveraging malicious PDFs is a great tactic for threat actors because the file format and file readers have a long history of exposed and, later, patched flaws.

Because of the useful, dynamic features included in the document format, it’s reasonable to assume further flaws will be exposed and exploited by adversaries; these attacks may not go away for some time. Furthermore, there’s no way for the average user to diagnose a benign or malicious PDF as it opens.

Since the average SonicWall customer will see nearly 5,500 phishing and social engineering attacks targeting their users each year, it’s vital to remain vigilant about the dangers of PDFs and deploy advanced security to prevent attacks.

Why are malicious PDFs being used in cyberattacks?

In many kinds of malicious PDF attacks, the PDF reader itself contains a vulnerability or flaw that allows a file to execute malicious code. Remember, PDF readers aren’t just applications like Adobe Reader and Adobe Acrobat. Most web browsers contain a built-in PDF reader engine that can also be targeted.

In other cases, attackers might leverage AcroForms or XFA Forms, which are scripting technologies used in PDF creation that were intended to add useful, interactive features to a standard PDF document. To the average person, a malicious PDF looks like another innocent document and they have no idea that it is executing code. According to Adobe, “One of the easiest and most powerful ways to customize PDF files is by using JavaScript.”
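The features just described (JavaScript, AcroForms, XFA, automatic open actions) all show up in a PDF as name objects, so a defender can triage an attachment statically before any reader renders it. The following is an added example, not code from SonicWall or SentinelOne: it counts the names tied to active content, decodes the #xx hex escapes the PDF syntax allows inside names (so /J#61vaScript is recognised as /JavaScript), and inflates FlateDecode streams so names stored inside compressed object streams are seen as well. The sample PDF it builds is constructed for the demonstration and is not a real campaign file; the risk labels are my own triage buckets, not a vendor verdict, since legitimate forms use several of these names.

```python
"""Static triage of a PDF for active-content name objects (added example)."""
import re
import zlib
from collections import Counter

# Name objects tied to active content, with what each one means for the reader.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "document-level or action JavaScript",
    b"/JS": "inline JavaScript source",
    b"/OpenAction": "action executed automatically when the file opens",
    b"/AA": "additional actions (page open/close, form-field events)",
    b"/AcroForm": "interactive form (AcroForms)",
    b"/XFA": "XML Forms Architecture form",
    b"/Launch": "launch action (run an external program)",
    b"/EmbeddedFile": "embedded file attachment",
}

# A name is "/" followed by regular characters; whitespace and delimiters end it.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream bodies; zlib ignores the trailing newline captured before "endstream".
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalise_name(raw: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name compares equal to its plain form."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def count_suspicious_names(data: bytes) -> Counter:
    """Count suspicious names in data; '#obfuscated' counts hex-escaped hits."""
    counts = Counter()
    for m in _NAME_RE.finditer(data):
        raw = m.group(0)
        name = normalise_name(raw)
        if name in SUSPICIOUS_NAMES:
            counts[name.decode()] += 1
            if raw != name:
                counts["#obfuscated"] += 1
    return counts


def inflate_streams(data: bytes) -> bytes:
    """Return the inflated bodies of every stream zlib can decode.

    Object streams and compressed content would otherwise hide names from a
    raw-byte scan. Streams using other filters (or damaged ones) are skipped.
    """
    bodies = []
    for m in _STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(bodies)


def triage_pdf(data: bytes) -> dict:
    """Scan the file with stream bodies blanked, plus the inflated bodies.

    Blanking the bodies for the outer scan means compressed binary cannot
    produce accidental name matches; inflating them recovers hidden names.
    """
    outside = _STREAM_RE.sub(b"stream\nendstream", data)
    counts = count_suspicious_names(outside) + count_suspicious_names(inflate_streams(data))
    auto_exec = counts["/OpenAction"] + counts["/AA"]
    scripting = counts["/JavaScript"] + counts["/JS"]
    # Escalate when script runs without user interaction, when an external
    # program can be launched, or when names were deliberately hidden.
    if (auto_exec and scripting) or counts["/Launch"] or counts["#obfuscated"]:
        risk = "review"
    elif scripting or counts["/AcroForm"] or counts["/XFA"] or counts["/EmbeddedFile"]:
        risk = "active-content"
    else:
        risk = "low"
    return {"counts": dict(counts), "risk": risk}


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (not a real campaign sample): an /OpenAction with a
    hex-escaped name pointing at a JavaScript action kept in a FlateDecode
    stream, so both evasion paths are exercised."""
    action = b"<< /S /JavaScript /JS (app.alert('triage test')) >>"
    packed = zlib.compress(action)
    return b"\n".join([
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /Length %d /Filter /FlateDecode >>" % len(packed),
        b"stream",
        packed,
        b"endstream",
        b"endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    for name, n in sorted(report["counts"].items()):
        print(f"{name:<14} {n:>3}  {SUSPICIOUS_NAMES.get(name.encode(), '')}")
    print("risk:", report["risk"])
```

Run on the constructed sample it reports /OpenAction, /JavaScript and /JS once each plus one obfuscated name, and the "review" bucket. Real files add complications this keeps out of scope (other stream filters, cross-reference streams, incremental updates), which is why the output is a prompt for sandboxing or analyst review rather than a block decision.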

If you are a threat actor reading this, you are well versed in the above. And your victims are not. If you are an administrator responsible for keeping threats out and their damage to a minimum, it’s time to take some necessary precautions.

Stop PDF attacks with user-side prevention

First, there are a couple of things users can do to help reduce exposure to PDF-based attacks. Most readers and browsers will have some form of JavaScript control that will require adjustment.

  • Change your preferences. In Adobe Acrobat Reader DC, for example, you can disable Acrobat JavaScript in the preferences to help manage access to URLs.
  • Customize controls. Similarly, with a bit of effort, users can also customize how Windows handles NTLM authentication.

While these mitigations are “nice to have” and certainly worth considering, these features were added, just like Microsoft Office Macros, to improve usability and productivity. Therefore, be sure that you’re not disabling functionality that is an important part of your own or your organization’s workflow.
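Both settings above have registry-backed locations that an administrator can check across a fleet before deciding whether to enforce them. The following audit script is an added example, not SonicWall's, Adobe's or Microsoft's code. The locations are the ones I know from Adobe's Acrobat preference reference (FeatureLockDown / bDisableJavaScript for the administrative lockdown, JSPrefs / bEnableJS for the user preference) and from Microsoft's "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (RestrictSendingNTLMTraffic); confirm them against the current vendor documentation for the product versions you run. On Windows the values are read with winreg; elsewhere a mapping can be passed in, which is how the logic is exercised offline.

```python
"""Audit Reader DC JavaScript and outgoing-NTLM hardening on a Windows host (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

Location = Tuple[str, str, str]  # (hive, key path, value name)


def _js_locked_down(v: int) -> bool:
    return v == 1            # 1 = JavaScript disabled and greyed out for the user


def _js_user_disabled(v: int) -> bool:
    return v == 0            # 0 = "Enable Acrobat JavaScript" unchecked in preferences


def _ntlm_restricted(v: int) -> bool:
    return v in (1, 2)       # 1 = audit outgoing NTLM, 2 = deny it


# (location, title, predicate for "hardened", meaning when the value is absent)
CHECKS: List[Tuple[Location, str, Callable[[int], bool], str]] = [
    (("HKLM", r"SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown", "bDisableJavaScript"),
     "Reader DC JavaScript disabled by policy", _js_locked_down,
     "no lockdown: JavaScript follows the user preference"),
    (("HKCU", r"Software\Adobe\Acrobat Reader\DC\JSPrefs", "bEnableJS"),
     "Reader DC JavaScript disabled in user preferences", _js_user_disabled,
     "JavaScript enabled (product default)"),
    (("HKLM", r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic"),
     "Outgoing NTLM to remote servers restricted", _ntlm_restricted,
     "NTLM sent to any server a document points at (default)"),
]


def read_live_values() -> Optional[Dict[Location, Optional[int]]]:
    """Read the checked values from the live registry; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values: Dict[Location, Optional[int]] = {}
    for loc, *_ in CHECKS:
        hive, path, name = loc
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                values[loc] = winreg.QueryValueEx(key, name)[0]
        except OSError:      # key or value absent: the default applies
            values[loc] = None
    return values


def audit(values: Dict[Location, Optional[int]]) -> List[dict]:
    """Return one finding per check: hardened, weak, or unset (default applies)."""
    findings = []
    for loc, title, hardened, default_meaning in CHECKS:
        v = values.get(loc)
        if v is None:
            status, note = "unset", default_meaning
        elif hardened(v):
            status, note = "hardened", f"value {v}"
            if loc[2] == "RestrictSendingNTLMTraffic" and v == 1:
                note = "audit only: events are logged but NTLM is still sent"
        else:
            status, note = "weak", f"value {v}"
        findings.append({"setting": title, "location": loc, "status": status, "note": note})
    return findings


def javascript_blocked(findings: List[dict]) -> bool:
    """True if either the policy lockdown or the user preference blocks JavaScript."""
    return any(f["status"] == "hardened" and "JavaScript" in f["setting"] for f in findings)


if __name__ == "__main__":
    live = read_live_values()
    if live is None:
        print("not running on Windows; pass a mapping to audit() instead")
    else:
        for f in audit(live):
            print(f"{f['status']:<9} {f['setting']}: {f['note']}")
```

The NTLM policy is deliberately reported as "audit only" at value 1: that mode logs outgoing NTLM without blocking it, which is the safe first step when you do not yet know which internal file servers or applications still depend on it, exactly the workflow concern raised above.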

Stop PDF attacks with company-wide protections

Thankfully, SonicWall technology can quickly decode PDFs to see what the malware wants to really do, such as contact malicious domains or steal credentials. Here are three key ways organizations can limit exposure to PDF-based attacks.

  • Implement advanced email security. The first line of defense against malicious PDFs is email security. SonicWall offers cloud-hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior. Capture Client stops threats before they execute and has strong EDR capabilities to stop them as they execute, show where they came from, and offer remediation steps, such as rollback, in case they fully execute.
  • Identify new threats. One thing that separates SonicWall from the rest is our patent-pending Real-Time Deep Memory Inspection™ (RTDMI). RTDMI operates in parallel with the SonicWall Capture Advanced Threat Protection (ATP) sandbox service. This is just one of our parallel engines in the sandboxing environment that gives us the ability to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.

Malicious PDFs will be around for the foreseeable future, but through advanced security and good end-user awareness, your company will be better suited to prevent attacks.

For a more technical view on this, I recommend reading Philip Stokes’ blog from SentinelOne that inspired and supplied part of the content for this story. I also recommend watching our on-demand webinar, “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud.”