Our latest installment in the Hacker Intelligence Initiative (HII) report series, Phishing Trip to Brazil, was just released. This report focuses on the story of one specific malware campaign, as an example of the current cyber security threat-scape. In particular, our focus is on the impact personal security and consumer-oriented malware have on enterprise data security.
As with many infection campaigns, the one described in this report starts with phishing; the report then describes the malware the phishing emails distribute and ends with an analysis of the victim population.
We started our research by analyzing a banker Trojan that monitors the online banking activity of major Brazilian banks. During the analysis process we exposed several command and control (C&C) servers used by multiple hacker groups in separate campaigns based on the same malware family. This was a rare chance to get a “behind the scenes” peek at the malware industry. From these servers we were able to extract a lot of interesting data about the hackers and their victims, including geo-locations, infected industries and the number of campaigns.
Infection Campaigns Insights
The information we collected from the command and control servers provided the following insights about malware and infection campaigns:
“Industrialization” of hacking – the same type of malware was used successfully multiple times by the same group or by a number of groups. This leads us to believe that it is off-the-shelf malware that can be purchased from its creator on the dark web and then used by lower-skilled criminal groups.
By spreading across multiple unrelated command and control servers, malware can remain operational for long periods of time (some of the campaigns ran continuously from September 2014 to June 2015).
Malware infection campaigns can be made extremely effective even if they are only minimally customized for the target population. In our case, the use of Portuguese in the email messages and the format of the message ensured a high rate of success among Brazilian recipients (88 percent of infected machines were in Brazil).
74% of infections took place during work hours (07:00-19:00, victims’ local time). These are the times we expect people to read emails, so they are the times people are most likely to be infected. This is an important data point from an enterprise security perspective: it is the point where a personal compromise starts to become a corporate breach.
Direct evidence shows that enterprise security is heavily impacted by malware targeting consumers, as at least 17% of observed victims are associated with enterprise networks.
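The work-hours figure above depends on converting each C&C check-in from server time to the victim's local time before bucketing it. The following is an added example, not code from the report or from the malware's C&C panel, showing that computation over a small constructed victims list; the record layout (UTC timestamp; country; victim UTC offset in hours) and the 07:00 inclusive / 19:00 exclusive boundary are assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of C&C check-in records (not data from the report).
# Fields: <check-in timestamp as logged by the C&C, UTC>;<country>;<victim UTC offset, hours>
SAMPLE_VICTIMS = """\
2015-03-12 12:15:00;BR;-3
2015-03-12 02:40:00;BR;-3
2015-03-12 21:05:00;BR;-3
2015-03-12 13:30:00;AR;-3
2015-03-12 15:00:00;PT;0
2015-03-12 23:59:00;BR;-3
2015-03-12 09:59:00;BR;-3
2015-03-12 22:30:00;BR;-3
"""

WORK_START, WORK_END = 7, 19  # 07:00 inclusive, 19:00 exclusive (assumed window edges)


@dataclass
class Victim:
    seen_utc: datetime   # timezone-aware UTC timestamp from the C&C log
    country: str
    utc_offset_h: int    # offset derived from the victim's geolocation (assumed field)

    def local_time(self) -> datetime:
        # Shift the server-side UTC timestamp into the victim's local timezone.
        return self.seen_utc.astimezone(timezone(timedelta(hours=self.utc_offset_h)))

    def during_work_hours(self) -> bool:
        return WORK_START <= self.local_time().hour < WORK_END


def parse_victims(text: str) -> list[Victim]:
    victims = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, country, off = (field.strip() for field in line.split(";"))
        seen = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        victims.append(Victim(seen, country.upper(), int(off)))
    return victims


def work_hours_share(victims: list[Victim]) -> float:
    # Fraction of check-ins that fall inside the victim's local work-hours window.
    return sum(v.during_work_hours() for v in victims) / len(victims) if victims else 0.0


def country_share(victims: list[Victim]) -> dict[str, float]:
    counts = Counter(v.country for v in victims)
    return {c: n / len(victims) for c, n in counts.items()}
```

The two records at 06:59 and 19:30 local time show why the window edges have to be stated explicitly: an off-by-one on either boundary changes the reported percentage.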
Impacts on Enterprise Data Security
This malware was primarily targeted at banking customers; nevertheless, it had the side effect of compromising machines within corporate networks. Given the modular nature of the malware, it is safe to assume that once the owners of the C&C perform the same analysis we did regarding the ownership of the infected machines, they will quickly turn the original consumer-oriented compromise into a persistent attack against the enterprise, going after business data.
Recently we received two new phishing emails that deliver new instances of the same malware family. These instances use a slightly newer version of the campaign infrastructure we described in our HII report. Not surprisingly, we were able to extract the “behind the scenes” data from the command and control servers used by these new instances. From these servers we retrieved a victims list formatted slightly differently from the previous ones (it’s a new version after all):
Figure 1: Output of “visualizador.php?ver” (new samples)
Figure 2: Output of “ver.php” (previous samples)
The latest campaigns we observed are from August 2015. We are confident that similar campaigns will continue to appear over time.
What is the takeaway for enterprises?
At the consumer level there is not much one can do to defend against such attacks, other than the minimal protection provided by antivirus software. At the corporate level, however, organizations must implement controls that quickly detect any activity indicating that a compromised machine is being turned into a launch pad for attacks against internal resources and business data stores. These controls may include advanced anti-malware solutions, but they must primarily include detection of enterprise data abuse (e.g. excessive database access, unusual file server copy operations, reconnaissance activity inside data repositories) and protection of that data.
Our HII report can be downloaded here.