Threat Report
Security researchers at Proofpoint have uncovered Dreambot malware which is a new variant of Ursinif banking Trojan. Though it is still in development, it was seen spreading since July 2016 through exploit kits such as Neutrino, through phishing emails with malicious attachments, and through malvertising. Secondly Palo Alto researchers discovered a threat group named DarkHydrus carrying out credential harvesting attacks using weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions in the Middle East. Based on the analysis, DarkHydrus used the open-source Phishery tool to host the command and control server to harvest credentials. The use of Phishery further illustrates Dark Hydrus’ reliance on open source tools to conduct their operations.
Malware: Dreambot
Researchers point out that this new variant has new capabilities which includes peer-to-peer (P2P) functionality and Tor communication capability. This Tor-enabled versions are hard to detect because of encrypted and anonymized communications.
For more information there are a few links below:
Some Mitigation Strategies:
- File Integrity Management (FIM) to monitor for the download of a zipped JavaScript
- Intrusion detection systems (IDS) would detect peer to peer communications
- Intrusion detection systems (IDS) would
- 24x7 Security Monitoring for malicious behavior and immediate incident response
Malware: DarkHydrus
Two Word documents using the 0utl00k.net domain to harvest credentials were found. These related Word documents were first seen in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.
Some Mitigation Strategies:
- Web filtration to block Outl00k.net
- Email filtration to detect spear phishing attempts using word files
- File Integrity Management (FIM) to monitor for downloaded malicious word documents
- Intrusion detection systems (IDS) to monitor for malicious queries through DNS
- 24x7 Security Monitoring to check for GPS consistency with locations of vehicles
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
Next: Threat Report Wednesday August 1st 2018
Share this on: