Sharing Cybersecurity Threat Intelligence Is the Only Way We Win

threat-intel-sharing

Cybersecurity is a team sport. The bad guys share information, expertise, and code as they help one another. The good guys must do the same to keep pace. Sharing threat intelligence is a key aspect in which the knowledge gained by the owners of sensor networks can share data with the security analysis community.  This generosity provides the necessary breadth of data to understand trends, new infections, how botnets are communicating, whether directed targeting is occurring, and even if different attackers are collaborating.

Sadly, sharing is not the norm. Many security companies look at this data as a competitive advantage to sell their products and services. They keep it to themselves in hopes they can find a nugget and market it as a way to win new customers. But the cost of this approach is losing the bigger picture of overall effectiveness.

This attitude is slowly changing. Some security firms are stepping up and sharing more and more data, redacted from personal information and containing only attack characteristics. The combined aspects are like pieces of a massive puzzle that analysts can examine for trends. These puzzle pieces are hugely important to everyone.

I am glad to see major security vendors and researchers beginning to share insights and data. Consortiums such as the Cyber Threat Alliance and sites like VirusTotal lead the way.
cyber-threat-allianceThe Information Sharing and Analysis Organization (ISAO), established as part of a US presidential order in 2015, is developing voluntary standards for private and public data sharing.

But we need more sharing! Attacks are occurring at a phenomenal rate. Malware alone is out of control, with about 44,000 unique samples discovered every day. Security organizations must leverage each other’s information to better predict, prevent, detect, and respond to threats that their customers and organizations face.

The battle that should be fought is not between security vendors, but rather between the threats and collective defensive organizations which stand between attackers and their victims. We must work together to stem the tide of cyberattacks. Public sentiment is very important. If we want our technology to be safe, we must send a clear message to our security vendors. Share threat data or we will patronize a different supplier of security products and services. We have a voice and a vote (with our wallets).

 

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

My original post of this blog can be found on DarkReading.

The post Sharing Cybersecurity Threat Intelligence Is the Only Way We Win appeared first on McAfee.

iPhone exploit bounty surges to an eye-popping $1.5 million

Enlarge (credit: Antoine Taveneaux)

A controversial broker of security exploits is offering $1.5 million (£1.2 million) for attacks that work against fully patched iPhones and iPads, a bounty that's triple the size of its previous one.

Zerodium also doubled, to $200,000, the amount it will pay for attacks that exploit previously unknown vulnerabilities in Google's competing Android operating system, and the group raised the amount for so-called zeroday exploits in Adobe's Flash media player to $80,000 from $50,000. After buying the working exploits, the company then sells them to government entities, which use them to spy on suspected criminals, terrorists, enemies, and other targets.

Last year, Zerodium offered $1 million for iOS exploits, up to a total of $3 million. It dropped the price to $500,000 after receiving and paying for three qualifying submissions. On Thursday, Zerodium founder Chaouki Bekrar said the higher prices are a response to improvements the software makers—Apple and Google in particular—have devised that make their wares considerably harder to compromise.

Read 7 remaining paragraphs | Comments

Macro Malware Employs Advanced Sandbox-Evasion Techniques

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see the message “This document is protected against unauthorized use. Enable Editing and Enable Content to read content” along with a request to enable macros. If a user clicks Enable Content, macros will be enabled and will download malicious content. (By default, Microsoft Windows enables protected view, preventing malicious macros from running unless users enable them.)

Since early March we have seen macro malware using high-obfuscation algorithms to protect itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection.

1

At first glance, it is difficult to guess the intentions of this macro malware. We further deobfuscated the code and found more readable strings. The obfuscated macro looks like this:

2

In a previous blog, we described how the macro in the document file used the MaxMind service to gather IP-based location data. Previous variants have used fudging techniques such as virtual machine awareness, sandbox awareness, and others. We observed several new checks last week.

Use of painted event

The first major change is that the new variant no longer uses the AutoOpen() or DocumentOpen() function to automatically execute the macro. Instead this variant uses a painted event. This fudging technique bypasses some scanners that expect a payload to be executed with AutoOpen().

3

Checking the filename

Another change is checking the filename. This move is both simple and smart. In most of cases, files submitted to sandboxes contain only hexadecimal characters using SHA256 or MD5 hashes as the filename. If a filename contains only hexadecimal characters, it will not infect the victim’s machine further. In the following code snippet, the malware verifies the filename “TestMacro” for hexadecimal characters.

4

5

 

Number of running processes

The malware also checks for the number of running processes. If count is smaller than 50, then the malware terminates. This is a simple technique to avoid analysis because security researchers often use a fresh copy of a virtual environment with fewer than 50 running processes. The code snippet:

6

 

Blacklist of processes

Because these macro-based downloaders predominantly propagate through spam and phishing emails, the actors have made the effort to infiltrate perimeter devices such as email scanners and gateway products. The malware checks for the presence of processes that may be found running in a sandboxed environment. The checklist is expanded in new variant:

7

Blacklist of networks

We also blogged about how threat actors use the MaxMind service to gather IP-based location data. This variant checks the region Oceania. It has also expanded the list of strings it checks using MaxMind. The list of strings are highly obfuscated and tough to understand. The obfuscated strings looks like the following snippet:

8

The obfuscation algorithm changes frequently. For this variant we deobfuscated the content using a small Python script.

9

The malware checks for the network provider’s name on the victim’s machine. The machine will not be affected by this malware if it verifies that the document file is opened on any of these listed vendors’ networks:

10

Malware authors continue to advance their sandbox-evasion techniques and make security efforts difficult for antimalware products.

Intel Security advises all users to keep their antimalware products up to date. McAfee products detect this malware as W97M/Downloader.

Sample MD5s

  • 05ef99749dec84ffd670ffcfba457c68
  • 2a03a7172b3fe4a8e50eb337643f8a55
  • 317b3f381b8feeb84b7318b1c1bf0970
  • 531364f5afadcadd83aef3158c100c98
  • 535aba8b1a5f0585d2878fd39c8b05d2
  • 73267a21adcf9b587cb44bf54d496b6c

References

https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques

 

The post Macro Malware Employs Advanced Sandbox-Evasion Techniques appeared first on McAfee.

Macro Malware Employs Advanced Sandbox-Evasion Techniques

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see the message “This document is protected against unauthorized use. Enable Editing and Enable Content to read content” along with a request to enable macros. If a user clicks Enable Content, macros will be enabled and will download malicious content. (By default, Microsoft Windows enables protected view, preventing malicious macros from running unless users enable them.)

Since early March we have seen macro malware using high-obfuscation algorithms to protect itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection.

1

At first glance, it is difficult to guess the intentions of this macro malware. We further deobfuscated the code and found more readable strings. The obfuscated macro looks like this:

2

In a previous blog, we described how the macro in the document file used the MaxMind service to gather IP-based location data. Previous variants have used fudging techniques such as virtual machine awareness, sandbox awareness, and others. We observed several new checks last week.

Use of painted event

The first major change is that the new variant no longer uses the AutoOpen() or DocumentOpen() function to automatically execute the macro. Instead this variant uses a painted event. This fudging technique bypasses some scanners that expect a payload to be executed with AutoOpen().

3

Checking the filename

Another change is checking the filename. This move is both simple and smart. In most of cases, files submitted to sandboxes contain only hexadecimal characters using SHA256 or MD5 hashes as the filename. If a filename contains only hexadecimal characters, it will not infect the victim’s machine further. In the following code snippet, the malware verifies the filename “TestMacro” for hexadecimal characters.

4

5

 

Number of running processes

The malware also checks for the number of running processes. If count is smaller than 50, then the malware terminates. This is a simple technique to avoid analysis because security researchers often use a fresh copy of a virtual environment with fewer than 50 running processes. The code snippet:

6

 

Blacklist of processes

Because these macro-based downloaders predominantly propagate through spam and phishing emails, the actors have made the effort to infiltrate perimeter devices such as email scanners and gateway products. The malware checks for the presence of processes that may be found running in a sandboxed environment. The checklist is expanded in new variant:

7

Blacklist of networks

We also blogged about how threat actors use the MaxMind service to gather IP-based location data. This variant checks the region Oceania. It has also expanded the list of strings it checks using MaxMind. The list of strings are highly obfuscated and tough to understand. The obfuscated strings looks like the following snippet:

8

The obfuscation algorithm changes frequently. For this variant we deobfuscated the content using a small Python script.

9

The malware checks for the network provider’s name on the victim’s machine. The machine will not be affected by this malware if it verifies that the document file is opened on any of these listed vendors’ networks:

10

Malware authors continue to advance their sandbox-evasion techniques and make security efforts difficult for antimalware products.

Intel Security advises all users to keep their antimalware products up to date. McAfee products detect this malware as W97M/Downloader.

Sample MD5s

  • 05ef99749dec84ffd670ffcfba457c68
  • 2a03a7172b3fe4a8e50eb337643f8a55
  • 317b3f381b8feeb84b7318b1c1bf0970
  • 531364f5afadcadd83aef3158c100c98
  • 535aba8b1a5f0585d2878fd39c8b05d2
  • 73267a21adcf9b587cb44bf54d496b6c

References

https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques

 

The post Macro Malware Employs Advanced Sandbox-Evasion Techniques appeared first on McAfee.