Malware Attacks: Examining the Impact on Your Business...Example: Trojan: Win32/Meredrop Spyware...
© 2015 MarkMonitor Inc. All rights reserved.
Malware Attacks: Examining the Impact
on Your Business
November 18, 2015
Jack Johnson, SOC Manager
Stefanie Ellis, AntiFraud Product Marketing Manager
MarkMonitor
Agenda
Malware Attack Cycle, Malware Variations & Types
Examples and Business Impact
Analysis of Mitigation Strategies
Best Practices
2 | Confidential
“2016 will be the Year of Online Extortion”
“Ransomware will remain a major and rapidly growing threat in 2016”
“China will drive mobile malware growth to 20M by the end of 2016”
Sources: http://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2016,
http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
Malware Reach is Growing
Malware Attack Lifecycle (figure): Plan & Scan -> Compromise & Configure -> Create Payloads -> Distribute & Deliver -> Infect & Exploit -> Collection & Monetization
• Type of Attack
• Target List
• Scale
• Infrastructure
Malware Attack Lifecycle
Content Management Systems
Web Server
Domain Name Registrations
Exploit Tool Kit
Malware Attack Lifecycle
Macro Enabled
Postscript Documents
MS Word Documents
Malicious JavaScript
URL
Malware Attack Lifecycle
Social Media
Text Messages
Malware Attack Lifecycle
Key loggers
Ransomware
Screen Captures
Print Captures
Funds Transfer
Fake Invoicing
Identity Theft
Propagate Malware
Malware Attack Lifecycle
Malware Variations
Spyware
  Example: Trojan:Win32/Meredrop
  Characteristics: key logging, screen captures, print captures
Banking Trojans
  Example: Shiz, Gozi, Dridex
  Characteristics: organizational target list, configuration files, key logging, screen captures, print captures, DGAs, HTML form injection
Ransomware
  Example: CryptoWall, CryptoLocker
  Characteristics: encrypts files, encrypts hard disk, requests payment
Remote Access Trojans (RATs)
  Example: Back Orifice, JSocket, AlienSpy
  Characteristics: included backdoor, allows remote access, enables administrative control, key logging
Adware
  Characteristics: pop-ups, installed with user application
Malware For Sale
Ransomware Growth
Source: http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
Financial Impact
$100 million in known losses from GameOver Zeus, 2011 to 2014
$30 million paid in ransom due to Cryptolocker ransomware, Sept to Dec 2013
$18 million in losses and 992 CryptoWall related complaints to the FBI, Apr 2014 to June 2015
Sources: http://money.cnn.com/2014/06/02/technology/security/gameover-zeus-botnet/
https://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted/documents/gameover-zeus-and-cryptolocker-poster-pdf
http://www.ic3.gov/media/2015/150623.aspx
Malware in Business Email Compromise
Dear Sir/Madam,
The following domain names have been suspended for violation of the ABCD Registrar, Inc. Abuse Policy:
Domain Name: yourprimarybusinessdomain.com
Registrar: ABCD Registrar, Inc.
Registrant Name: Domain Administrator
Multiple warnings were sent by ABCD Registrar, Inc. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Sincerely,
ABCD Registrar, Inc.
Spam and Abuse Department
Abuse Department Hotline: XXX-XXX-XXXX
Exploiting Brands to Target Consumers
Email:
Dear Customer,
This is to confirm that one or more of your parcels has been shipped.
You can review complete details of your order in the find attached.
Yours truly,
John Doe
ABCD Logistics Company
Support Manager
Attachment: zip file
Credential Theft: The zip file contains a trojan that pulls in a secondary infection, which could be a number of different malware types – Dridex, Cridex, CryptoLocker, Zeus. The real malware then begins harvesting credentials and sends them to a collection point, or can be click-fraud malware sending the user to advertisement sites.
Analysis of Mitigation Strategies
Indicator types (figure): TTPs, Tools, Network/Host Artifacts, Domain Names, IP Addresses, Hash Values
Malware Binaries
Analysis of Mitigation Strategies
Botnet Communication Points
Analysis of Mitigation Strategies
Domain Generation Algorithms (DGAs)
Analysis of Mitigation Strategies
Hosting providers/Registrars
Analysis of Mitigation Strategies
Exploit Kits/Turnkey Malware Solutions
Analysis of Mitigation Strategies
Who, What, Why, Where, When, How
Analysis of Mitigation Strategies
Who, What, Why, Where, When, How
Exploit Kits/Turnkey Malware Solutions
Hosting providers/Registrars
Domain Generation Algorithms (DGAs)
Botnet Communication Points
Malware Binaries
Employee Education on Email
• Delete or report to IT any unsolicited email; do not open first
• Be suspicious of pressure to take action quickly or change business practices; report suspicious emails to IT
• When reporting scam email to IT, in an Outlook environment, select Ctrl+Alt+F to forward the full email as an attachment
• Minimize use of email “Reply;” instead, choose “Forward” and input the email address yourself
Best Practices for Business Protection
• Digital signatures should be used by both parties in a transaction
• Internal approval processes should be formalized
• Pre-establish out-of-band communications to verify transactions
• Pre-establish internal escalation procedures to a primary point of contact
• Build capability to analyze and mitigate malware attacks
For more info & best practices: https://www.ic3.gov/media/2015/150122.aspx
Questions?
Thank You!
For information on MarkMonitor solutions, services and
complimentary educational events:
• Contact via email:
• Visit our website at:
www.markmonitor.com
• Contact via phone:
US: 1 (800) 745 9229
Europe: +44 (0) 203 206 2220