NEW WAVE OF ATTACKS IN UKRAINE
Marina Krotofil based on materials from Aleksey Yasinskiy
Short description
Similarly to last year, the wave of attacks started in the month of July
• It is hot and everybody is in a careless summer mood
• Embedded macros
• Many people are on vacation and those who are not -> performing the duties of those who are on vacation (and open aaaaall the attachments)
The attacks grew in sophistication (in comparison to 2015)
• New routines added to detect installed security protections on the infected machine
• Improved obfuscation techniques
Similarly to last year, there is a “silence” period
• Several C&C centers went offline
• No immediate destructive attacks
A new wave of destructive attacks is awaited
New wave of infection via spear phishing
July 14, 2016
An angry customer is complaining about financial spam (scam). He received an email from Diamantbank stating that he took out a large credit but did not start paying it back. He now owes the bank a large sum of money and is threatened with legal action against him.
Although the customer understood it was a scam, he OPENED the attachment (and got infected)
Discussions on motherhood portals
July 14, 2016
Mothers discussing receiving similar financial spam (scam). Although they realized it was spam, they all opened the attachment first.
Structure of embedded macros
Analysis of embedded macros
SandBox and ISP detection routines
Anti-spam detection techniques
Malicious code is embedded into romantic lyrics to avoid detection by the spam detection algorithms (e.g. ratio of text to code)
Obfuscation techniques
Making code look like pure noise
Obfuscation techniques
Nesting doll: code within the code
These pieces of code will eventually assemble into a malicious line of code
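Two of the evasion tricks on these slides, padding the macro with lyrics to skew the text-to-code ratio and assembling the real payload string from fragments and Chr() calls, are both things an analyst can score mechanically before opening a document in a sandbox. The following triage script is an added example written for this summary, not tooling from the deck, from ISSP Labs or from SOC Prime; the two VBA macros inside it are constructed samples (the "malicious-looking" one only assembles the harmless word "Hello"), and the thresholds are illustrative assumptions rather than values taken from the analysis.

```python
"""Heuristic triage for extracted VBA macro text (added example, not the deck's tooling).

Scores two indicators described in the slides:
  1. text-to-code ratio: how much free text (comments / lyrics) pads the macro,
  2. string assembly noise: Chr() calls and '&' concatenations that rebuild a
     payload string piece by piece ("nesting doll" code).
It also collapses Chr()/concatenation chains so an analyst can read what they build.
"""
import re

# Constructed sample (not from the original deck): lyric-like comment padding followed
# by a harmless procedure that assembles the word "Hello" from fragments.
PADDED_MACRO = """
' roses are red, the sea is blue,
' every morning I think of you,
' summer nights and the songs we knew,
' wandering lanes with the morning dew.
' the tide rolls in, the tide rolls out,
' and still I sing these words to you.
Sub Document_Open()
    Dim a As String, b As String, c As String
    a = Chr(72) & Chr(101) & Chr(108)
    b = "l" & "o"
    c = a & b
    MsgBox c
End Sub
"""

# Constructed control sample: an ordinary macro with no padding and no string assembly.
PLAIN_MACRO = """
Sub AutoOpen()
    MsgBox "Document opened"
End Sub
"""

# A line is "code" if it starts with a VBA keyword or looks like an assignment.
CODE_RE = re.compile(
    r"^(Sub|Function|Dim|Set|If|For|Do|While|Call|End|Exit|MsgBox|Private|Public)\b|^\w+\s*=",
    re.I,
)
CHR_RE = re.compile(r"\bChr[BW]?\s*\(\s*(\d+)\s*\)", re.I)   # Chr(72), ChrW(72), ...
LITERAL_JOIN_RE = re.compile(r'"\s*&\s*"')                     # "a" & "b"  ->  "ab"


def split_text_and_code(macro):
    """Return (text_lines, code_lines); comments and non-code lines count as text."""
    text_lines, code_lines = [], []
    for line in macro.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("'") or s.lower().startswith("rem "):
            text_lines.append(s)
        elif CODE_RE.match(s):
            code_lines.append(s)
        else:
            text_lines.append(s)
    return text_lines, code_lines


def text_to_code_ratio(macro):
    """Characters of free text divided by characters of code (inf if there is no code)."""
    text, code = split_text_and_code(macro)
    text_chars = sum(len(l) for l in text)
    code_chars = sum(len(l) for l in code)
    return text_chars / code_chars if code_chars else float("inf")


def string_assembly_score(macro):
    """Count Chr() calls and '&' concatenations in the code lines: (chr_calls, concats)."""
    _, code = split_text_and_code(macro)
    chr_calls = sum(len(CHR_RE.findall(l)) for l in code)
    concats = sum(l.count("&") for l in code)
    return chr_calls, concats


def simplify_string_assembly(line):
    """Rewrite printable Chr(n) calls as literals and merge adjacent literals."""
    def chr_to_literal(m):
        code = int(m.group(1))
        # Keep non-printable codes and the double quote itself untouched.
        return '"%s"' % chr(code) if 32 <= code < 127 and code != 34 else m.group(0)
    out = CHR_RE.sub(chr_to_literal, line)
    return LITERAL_JOIN_RE.sub("", out)


def triage(macro, ratio_threshold=1.0, chr_threshold=2, concat_threshold=3):
    """Return a list of human-readable findings; an empty list means nothing flagged.
    Thresholds are illustrative assumptions, not values from the original analysis."""
    findings = []
    ratio = text_to_code_ratio(macro)
    if ratio >= ratio_threshold:
        findings.append("text-to-code ratio %.2f: possible padding to evade spam filters" % ratio)
    chr_calls, concats = string_assembly_score(macro)
    if chr_calls >= chr_threshold:
        findings.append("%d Chr() calls: characters assembled at runtime" % chr_calls)
    if concats >= concat_threshold:
        findings.append("%d concatenations: string built from fragments" % concats)
    return findings


if __name__ == "__main__":
    for name, macro in (("padded", PADDED_MACRO), ("plain", PLAIN_MACRO)):
        print(name, "->", triage(macro) or ["no findings"])
    for l in split_text_and_code(PADDED_MACRO)[1]:
        print("   ", simplify_string_assembly(l))
```

Running the script flags the padded sample on all three indicators and leaves the plain one clean; the simplified code lines show `a = "Hel"` and `b = "lo"`, which is the kind of reassembly an analyst does by hand when reading "nesting doll" macros. The keyword list and thresholds are deliberately small, so treat this as a first-pass filter to decide what to look at, not as a classifier.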
False alarm
A legitimate security application behaving like malware. It drew attention during inspection of the machine but turned out to be a false alarm. Ugh. Annoying.
Afterword
There is a theory that Ukraine is used, among other countries, as a playground for testing new attack strategies and techniques
• The purpose of the infection is currently still unclear
• Malware is becoming more intelligent and more aware of its environment
• About 1 month after infection it is very hard to detect the malware on the infected machine
For more information about attacks in Ukraine see
• Analysis of embedded macros: https://socprime.com/en/blog/infrastructure-infiltration-via-rtf/
• Analysis of other malicious activities: https://socprime.com/en/blog/
Aleksey Yasinskiy: Head of ISSP Labs & Research Center, @Aleksey_yas
Marina Krotofil: Lead Security Researcher at Honeywell Industrial Cyber Security Lab, @marmusha
Opinions are our own