1MCAFEE CONFIDENTIAL

McAfee Confidential

The League of Nations

2MCAFEE CONFIDENTIAL

3MCAFEE CONFIDENTIAL

Innovation

The malicious document launches a PowerShell script.

Script downloads and reads an image file from a remote location

The attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into the image file.

4MCAFEE CONFIDENTIAL

Hidden in Plain Sight

5MCAFEE CONFIDENTIAL

A small history lesson

6MCAFEE CONFIDENTIAL

2013: Re-org

Unit 91

Espionage & Destruction

Unit 110

Tools development and Recon

Unit 128

HUMINT

Unit 180

Financial targeted Operations

Unit 413

Tech. Recon & Social Eng.

7MCAFEE CONFIDENTIAL

8MCAFEE CONFIDENTIAL

9MCAFEE CONFIDENTIAL

Innovation unchained

Capitalizing the NYC Terror attack. Documents sent to military related

personnel

Once opened the document contacts control server to drop first stage of

malware

The document uses the DDE technique to invoke Powershell to download

Seduploader

10MCAFEE CONFIDENTIAL

A global industry

11MCAFEE CONFIDENTIAL

Outsourcing Operations

We've seen an increase in nation-states contracting private companies to accomplish hacking

operations and intelligence gathering. These groups operate with incredible sophistication, while

enjoying a cloak of semi-protected "status" for their malicious activities.

Source: Cybereason

12MCAFEE CONFIDENTIAL

Our work has just got harder

13MCAFEE CONFIDENTIAL

14MCAFEE CONFIDENTIAL

Fightback – still continues…..

10/4/2017

15MCAFEE CONFIDENTIAL

16MCAFEE CONFIDENTIAL

Crime Pays?

10/4/2017

17MCAFEE CONFIDENTIAL

Stay in touch

@Raj_Samani

18MCAFEE CONFIDENTIAL

McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries.

Other names and brands may be claimed as the property of others.

Copyright © 2017 McAfee LLC.