“When one threat actor starts shifting TTPs, it’s usually a big deal. Attackers get comfy in their infrastructure, some survive sinkholes, and they continue spamming or stealing money. One shift takes time, effort, and money on the attackers’ part. The part that people often forget is that attackers need people to maintain backends, code the malware, code panels, and patch exploits as researchers find them, or else they are going to be exploited by said researchers. Over the last few weeks, here at PhishMe, we’ve seen attackers experiment with Word documents with macros (typically Dridex); Neutrino malware; Pony malware; Zip with .js deliveries; straight .js files attached to the document; Word exploits (CVE-2012-0158); and CAB attached files.
“While the others are interesting, the most interesting of them all is the exploit for 2012-0158, an exploit for Word. When triggered on a vulnerable system, the document opens, quickly closes, and then opens a second document without user interaction.”
Speaking about what happens once the exploit is triggered: “This specific exploit was a favourite of APT actors for a long time, and was quickly adopted by attackers on the cyber crime side due to the reliable nature of the exploit. The file used for this exploit is an RTF file; however, straight .doc files can be used as well. When looking at the file statically, we can see references to ‘sandworm’ in the file.”
Referencing back to the level of experimentation Ronnie highlights in his opening, and to put these changes into perspective: “For all of 2015, Dridex can be broken down by the following percentages: Office Macro Dridex at 73%; Dridex alone at 22%; and everything else at 5%. In 2016, the attackers have already used seven different attachment types…and it’s only February. Given the recent adjustments and tactic shifts with Dridex, this is something that we all will need to watch out for in the coming months. With Dyre out of the picture, this may be an attempt by the Dridex operators to fill in the gaps where Dyre left off.”
PhishMe® is the leading provider of threat management for organisations concerned about human susceptibility to advanced targeted attacks. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.