26 March 2016
Reports on cyber-attacks don’t come to an end. Cyber-criminals seem to focus in particular on hospitals this year. In the case of the Norfolk General Hospital attackers modified the hospital’s homepage to serve the Teslacrypt ransomware to clueless visitors. The ransomware is delivered by drive-by download when the page is opened – you won’t even need to click on something on the page.
However, this does not mean that spear-phishing with malicious attachments is no longer modern. Cyber-criminals use a range of attack methods, and outdated application middleware on a server, which is connected to the Internet, is a worthwhile destination.
On Tuesday I got two spear phishing emails directly in my inbox. A short hack on VirusTotal showed that this were two zero days.
Two hours later, now at home, I analyzed the attachments in more details. Both attachments contained the same ransomware, but in different document formats. The attachments were now detected by 6 of 56 anti-malware systems on VirusTotal, e.g. by TrendMicro as W2KM_DRIDEX.YYSSH or by Avira as W2000M/Dldr.Agent.19573. That’s a reasonable result for classic anti-malware systems, although it means, that the anti-malware systems left the users unprotected for about 4 hours.
The VBA project with the auto-open macro was password protected. But LibreOffice writer was able to display the macros; it simply overrides the obviously weak VBA project protection functions of Microsoft Office.
The auto-open macro creates a file dsfsdfsdf.vbe, submits the file to the C&C server, downloads an executable named Fuckyourself.ass and runs it. Fuckyourself.ass is detected as e.g. by Microsoft as Backdoor:Win32/Drixed, by ESET as Win32/Dridex.AA.
A next-gen endpoint protection solution would have containerized or blocked at least the critical event of executing dsfsdfsdf.vbe. An infection with Dridex would have been prevented. And this without any delay for updating malware patterns.