Weekly Executive Summary Week Ending September 30, 2016

By Joseph Lorenz on September 30, 2016

Targeted Industries

  • Information Technology
  • Software
  • Internet Hosting
  • Retail
  • Manufacturing


Active Threats

  • CtrlSec
  • Anonymous
  • APT28 Fancy Bear
  • National Security Agency
  • Syrian Electronic Army


Major Events

  • APT Gang Sofacy is Targeting OS X Machines with “Komplex” Trojan
  • Malicious Downloader “Hancitor” Uses APIs and PowerShell Commands
  • Ransomware Hits Massachusetts Police Department Saved by Disaster Recovery System
  • MarsJoke Malware is Targeting Government Agencies Using Large-Scale Spam Campaign


Conclusions

APT Gang Sofacy is Targeting OS X Machines with “Komplex” Trojan

The notorious APT group Sofacy, also known as APT28, Fancy Bear, Sednit and Pawn Storm, has been using a new Trojan called Komplex to infect OS X machines. Sofacy has been active for more than two years and has been linked to attacks against the United States government, the German parliament, and the World Anti-Doping Agency (WADA).

According to researchers at Palo Alto Networks, a Komplex attack starts with a binder component that drops a decoy document. The email carries a single attachment that bundles an encrypted payload made up of the executable, scripts and a PDF, so when the recipient double-clicks the attachment they believe they are opening a PDF. To avoid suspicion the malware displays a 17-page PDF named roskosmos_2015-2025.pdf; as a Palo Alto researcher put it, “Psychologically, if someone clicks on what they think is a PDF and it opens, they don’t think twice about it after that.” The implant can download additional files to the system, execute and delete files, and interact directly with the system shell. Komplex also performs a number of anti-analysis and sandbox checks, one of which is a GET request to Google to confirm that the machine has Internet connectivity.

The decoy PDF is written in Russian and describes the Russian Federal Space Program’s planned projects for 2016 to 2025. Sofacy is widely believed to be a Russia-linked cyber espionage group, based on its previous attacks. Although researchers cannot yet pinpoint which organizations are being targeted with this OS X Trojan, they consider the aerospace industry a likely target.

Source: SOFACY APT TARGETING OS X MACHINES WITH KOMPLEX TROJAN, Russian Cyberspies Use “Komplex” Trojan to Target OS X Systems (Threatpost, SecurityWeek)


Malicious Downloader “Hancitor” Uses APIs and PowerShell Commands

The malicious downloader Hancitor has been upgraded with new delivery techniques that make it harder to detect. It still arrives as a malicious email attachment and still delivers data-stealing malware such as Pony and Vawtrak, but researchers at FireEye report that the downloader has shifted to a three-pronged delivery approach.

The first technique uses a native but rarely seen Windows API, CallWindowProc, to execute shellcode. The second builds on the first and relies on another callback-style API, EnumResourceTypesA, to interpret and execute the shellcode. Macros calling Windows APIs directly is not unusual; using those calls to run shellcode is. The third is Hancitor’s ability to hide malicious PowerShell commands: once a user is tricked into enabling macros, the macro builds and launches a PowerShell command that downloads the executable, deletes the archive it came in so that nothing of it remains, and then runs the executable to fetch the Pony password stealer and the Vawtrak Trojan.
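The three delivery tricks above all leave traces in the macro source itself: a Declare statement importing CallWindowProc or EnumResourceTypes, the memory-staging APIs the shellcode needs first, and a PowerShell launch line that is usually split across string concatenations. The following is an added example written for this summary, not FireEye’s code or a published signature: a small Python scanner that takes VBA macro text already extracted from a document (for instance with oletools’ olevba), undoes the two cheapest obfuscations (line continuations and `"a" & "b"` string splitting) and reports which of the three techniques it sees. The API name sets, regexes and the sample macro are all this example’s own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Callback APIs that take a function pointer and call it: shellcode copied into
# executable memory can be started without CreateThread. Lower-cased for lookup.
CALLBACK_APIS = {
    "callwindowproc", "callwindowproca", "callwindowprocw",
    "enumresourcetypes", "enumresourcetypesa", "enumresourcetypesw",
}
# APIs used to stage the shellcode into memory before the callback fires.
STAGING_APIS = {"virtualalloc", "virtualallocex", "rtlmovememory",
                "writeprocessmemory", "heapalloc"}

# Declare [PtrSafe] Function|Sub <name> Lib "<dll>" [Alias "<real name>"]
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(?P<name>\w+)\s+Lib\s+'
    r'"(?P<lib>[^"]+)"(?:\s+Alias\s+"(?P<alias>[^"]+)")?',
    re.IGNORECASE,
)
SHELL_RE = re.compile(
    r'\bShell\b|CreateObject\s*\(\s*"WScript\.Shell"\s*\)\s*\.\s*(?:Run|Exec)\b',
    re.IGNORECASE,
)
# "powershell" followed, on the same line, by a typical downloader switch.
POWERSHELL_RE = re.compile(
    r'powershell(?:\.exe)?\b.*?(?:-e(?:nc|ncodedcommand)?\b|-nop\b|-w\s+hidden|'
    r'downloadfile|downloadstring|\biex\b|invoke-expression)',
    re.IGNORECASE,
)


@dataclass
class MacroReport:
    callback_apis: List[str] = field(default_factory=list)  # resolved API names
    staging_apis: List[str] = field(default_factory=list)
    shell_call: bool = False
    powershell: bool = False

    def findings(self) -> List[str]:
        """Map the raw indicators onto the three techniques described above."""
        tags = []
        if self.callback_apis and self.staging_apis:
            tags.append("shellcode-via-callback")
        elif self.callback_apis:
            tags.append("callback-api-import")
        if self.powershell:
            tags.append("powershell-launcher")
        elif self.shell_call:
            tags.append("shell-call")
        return tags


def normalize_vba(text: str) -> str:
    """Undo two cheap obfuscations before matching: VBA line continuations
    (' _' at end of line) and string literals split with '&'."""
    text = re.sub(r'[ \t]+_[ \t]*\r?\n[ \t]*', ' ', text)
    text = re.sub(r'"[ \t]*&[ \t]*"', '', text)
    return text


def scan_macro(text: str) -> MacroReport:
    src = normalize_vba(text)
    report = MacroReport()
    for m in DECLARE_RE.finditer(src):
        # The Alias is the real export; the local name is whatever the author chose.
        imported = m.group("alias") or m.group("name")
        if imported.lower() in CALLBACK_APIS:
            report.callback_apis.append(imported)
        elif imported.lower() in STAGING_APIS:
            report.staging_apis.append(imported)
    report.shell_call = bool(SHELL_RE.search(src))
    report.powershell = bool(POWERSHELL_RE.search(src))
    return report


# Constructed sample macro for this example (not Hancitor's actual code).
SAMPLE_MACRO = r"""
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal Destination As LongPtr, ByRef Source As Any, ByVal Length As Long)
Private Declare PtrSafe Function Callback Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As LongPtr, ByVal hWnd As LongPtr, ByVal Msg As Long, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
Private Declare PtrSafe Function EnumResourceTypesA Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpEnumFunc As LongPtr, ByVal lParam As LongPtr) As Long

Sub AutoOpen()
    Dim cmd As String
    cmd = "pow" & "ersh" & _
          "ell -nop -w hidden -e SQBFAFgA"
    Shell cmd, vbHide
End Sub
"""

CLEAN_MACRO = r"""
Sub AutoOpen()
    MsgBox "Quarterly report loaded"
End Sub
"""

if __name__ == "__main__":
    for label, macro in (("sample", SAMPLE_MACRO), ("clean", CLEAN_MACRO)):
        rep = scan_macro(macro)
        print(label, rep.findings(), rep.callback_apis, rep.staging_apis)
```

The scanner flags the sample as both `shellcode-via-callback` (callback plus staging imports) and `powershell-launcher`, and the benign macro as nothing. It is a triage aid, not a verdict: the Alias handling matters because a local name like `Callback` hides the real import, and the string-joining step is what makes `"pow" & "ersh" & "ell"` visible to a plain keyword match.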

Hancitor has been around for about two years and disappeared for a while last year. Earlier versions relied on embedded executables, which antivirus programs normally catch. While delivery of the payload has changed over the past few years, the malware is still spread through malicious attachments in phishing emails.

Source: HANCITOR DOWNLOADER ABUSING APIS, POWERSHELL COMMANDS, HANCITOR (AKA CHANITOR) OBSERVED USING MULTIPLE ATTACK APPROACHES (Threatpost, FireEye)


Ransomware Hits Massachusetts Police Department Saved by Disaster Recovery System

Ransomware is one of the most discussed and best known types of malware today; we hear about it week to week in all of its forms. Surveys suggest that around 50% of organizations have had a ransomware incident in the last year. The basic advice remains the same: maintain good backups and disaster recovery, and don’t pay the ransom unless you have no other option. Even so, research by Osterman Research found that 40% of companies infected with ransomware actually pay. In August 2016 the Barnstable Police Department survived and recovered from a ransomware attack by using its Disaster Recovery (DR) system.

Craig Hurwitz, the police department’s Chief Information Officer (CIO), deployed the DR system in July 2016. When he made the decision to implement it he was not thinking of ransomware but of protecting the department’s vital data if disaster struck. Hurwitz was notified of the incident while driving; he pulled over at a Costco gas station and performed the recovery from there. He reviewed his logs, pinpointed the exact time at which encryption had begun, and used the system’s BackDating feature to roll the storage back to just two minutes before that point. Thanks to his quick response the ransomware was contained and eradicated with a maximum downtime of 40 minutes and only two minutes of lost data.

The advantage of relying on a DR system against ransomware is that it is fairly easy, it actually works, and it does not require buying a solution that is not already needed for other reasons. Ransomware tends to work very quickly, to avoid being detected and removed before it can encrypt everything. With a DR system that keeps point-in-time history, the environment can be rolled back to a clean point shortly before the encryption started, with minimal loss of data.
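The decisive step in the Barnstable recovery was finding the exact minute encryption began, because that is the point the storage gets rolled back to. As an added illustration, written for this summary and not the police department’s or Reduxio’s tooling, the following Python script does that log review automatically: it parses a file-server audit log (the line format and every log line are constructed for this example), keeps only events that look like encryption in progress (a file renamed to its own name plus an extra extension, or a ransom-note file being created), finds the first burst of such events, and reports the onset time, the account doing the writing, the directories touched, and the point to roll back to with a two-minute safety margin. The window and threshold values are assumptions to tune per environment.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Constructed audit-log line format for this example:
#   <date> <time> <host> <OP> user=<account> path=<path>[ -> <newpath>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<op>[A-Z]+) "
    r"user=(?P<user>\S+) path=(?P<path>.+?)(?: -> (?P<newpath>.+))?$"
)
# Ransom-note file names: a "how to decrypt" style stem with a text-ish extension.
RANSOM_NOTE_RE = re.compile(
    r"(?:decrypt|restore|recover|readme|help)[^\\/]*\.(?:txt|html|hta)$", re.IGNORECASE
)


@dataclass
class Event:
    ts: datetime
    host: str
    op: str
    user: str
    path: str
    newpath: Optional[str]


@dataclass
class Onset:
    start: datetime        # first encryption-like event: the roll-back reference
    end: datetime          # last event of the burst
    user: str              # account doing the writing
    event_count: int
    directories: List[str]


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                 m["host"], m["op"], m["user"], m["path"], m["newpath"])


def looks_like_encryption(e: Event) -> bool:
    # Renaming a file to its own name plus an extra extension is the classic
    # "encrypt in place, then mark" pattern; dropping ransom notes is the other.
    if e.op == "RENAME" and e.newpath and e.newpath.startswith(e.path + "."):
        return True
    return e.op == "CREATE" and bool(RANSOM_NOTE_RE.search(e.path))


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def find_encryption_onset(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
                          threshold: int = 5) -> Optional[Onset]:
    """Return the first burst of >= threshold encryption-like events within `window`."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    suspicious = [e for e in events if looks_like_encryption(e)]
    for i, first in enumerate(suspicious):
        burst = [e for e in suspicious[i:] if e.ts - first.ts <= window]
        if len(burst) >= threshold:
            user = Counter(e.user for e in burst).most_common(1)[0][0]
            dirs = sorted({parent_dir(e.path) for e in burst})
            return Onset(first.ts, burst[-1].ts, user, len(burst), dirs)
    return None


def rollback_point(onset: Onset, margin: timedelta = timedelta(minutes=2)) -> datetime:
    """Time to restore to: just before the first encryption-like event."""
    return onset.start - margin


# Constructed sample log (not from the Barnstable incident): two normal edits,
# then one account renaming documents in place and dropping ransom notes.
SAMPLE_LOG = r"""
2016-08-10 09:41:07 fs01 MODIFY user=jdoe path=\shared\budget\q3.xlsx
2016-08-10 09:52:30 fs01 CREATE user=msmith path=\shared\reports\aug.docx
2016-08-10 10:05:41 fs01 RENAME user=rjones path=\shared\budget\q3.xlsx -> \shared\budget\q3.xlsx.locked
2016-08-10 10:05:42 fs01 RENAME user=rjones path=\shared\budget\q2.xlsx -> \shared\budget\q2.xlsx.locked
2016-08-10 10:05:42 fs01 RENAME user=rjones path=\shared\reports\aug.docx -> \shared\reports\aug.docx.locked
2016-08-10 10:05:43 fs01 CREATE user=rjones path=\shared\reports\README_DECRYPT.txt
2016-08-10 10:05:44 fs01 RENAME user=rjones path=\shared\reports\jul.docx -> \shared\reports\jul.docx.locked
2016-08-10 10:05:45 fs01 RENAME user=rjones path=\shared\hr\roster.xlsx -> \shared\hr\roster.xlsx.locked
2016-08-10 10:05:45 fs01 CREATE user=rjones path=\shared\hr\README_DECRYPT.txt
"""

# A rapid but benign burst of saves and a normal rename, which must not trigger.
BENIGN_LOG = r"""
2016-08-10 14:00:01 fs01 MODIFY user=jdoe path=\shared\budget\q3.xlsx
2016-08-10 14:00:02 fs01 MODIFY user=jdoe path=\shared\budget\q3.xlsx
2016-08-10 14:00:03 fs01 MODIFY user=jdoe path=\shared\budget\q3.xlsx
2016-08-10 14:00:04 fs01 RENAME user=jdoe path=\shared\budget\q3.xlsx -> \shared\budget\q3_final.xlsx
2016-08-10 14:00:05 fs01 CREATE user=jdoe path=\shared\budget\notes.txt
"""

if __name__ == "__main__":
    hit = find_encryption_onset(SAMPLE_LOG.splitlines())
    if hit:
        print(f"encryption began {hit.start} by {hit.user}; "
              f"{hit.event_count} events across {hit.directories}")
        print(f"roll back to {rollback_point(hit)}")
    print("benign log:", find_encryption_onset(BENIGN_LOG.splitlines()))
```

Two design points are worth noting. Counting raw write volume would flag the benign log too, since a user saving a spreadsheet repeatedly looks the same as encryption at that level; restricting the burst detection to rename-in-place and ransom-note creation is what separates the two. And the margin on the roll-back point exists because audit timestamps and storage snapshots are rarely aligned to the second, so the restore is taken slightly before the first suspicious event rather than exactly at it.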

Source: Ransomware Attack Hits Cape Cod Police Department, Barnstable Police Department Uses Reduxio BackDating to Recover From Ransomware Attack Within Minutes (SecurityWeek, Yahoo Finance)


MarsJoke Malware is Targeting Government Agencies Using Large-Scale Spam Campaign

A new ransomware strain dubbed MarsJoke has been targeting state and local government agencies and educational institutions. These organizations are attractive targets because they often lack the funding for robust backups and the strong defensive resources needed to prevent and contain infections. MarsJoke was discovered last week in a large-scale email campaign delivered through the Kelihos botnet.

The emails contained links to an executable named “file_6.exe”, hosted on numerous sites. To make the messages look legitimate the attackers referenced major national air carriers in the subject line, wrote a convincing email body, and used stolen branding. The malware mimics the style of CTB-Locker and drops a .bat file and a .txt file with instructions. On infected machines the Windows desktop background is changed to black with a ransom message, and a dialogue box states that “documents, scripts, photos and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated by this computer.” Victims are then told to pay a ransom of 0.7 bitcoin (about $320 at the time) within 96 hours or their files will be deleted.

Proofpoint says that MarsJoke does not appear to be “just another ransomware”, given the large message volume seen in the campaign and how narrowly it focuses on its intended targets. It is a reminder that attackers continue to create new variants even as older strains keep finding victims.

Source: New MarsJoke Ransomware Targets Government Agencies, MARSJOKE RANSOMWARE TARGETS .EDU, .GOV AGENCIES (SecurityWeek, Threatpost)


Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cyber security and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for the technology you’re looking into, or which sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity.

Mail us at: uhwocscc@hawaii.edu