DOCSLIB.ORG

Threat Landscape Report Q2 2019

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Threat Landscape Report Q2 2019 QUARTERLY THREAT LANDSCAPE REPORT Q2 2019 nuspire.com Table of Contents About Nuspire.............................................................................. 3 Methodology and Overview............................................................4 Datasets at a Glance.....................................................................5 Highlights from the Headlines.......................................................6 Trending Malware.........................................................................7 Trending Botnets.......................................................................... 12 Trending Exploits..........................................................................16 Conclusions and Recommendations..............................................20 www.nuspire.com 2 About Nuspire Nuspire is the Managed Security Services (MSS) provider of choice, delivering the greatest risk reduction per cyber-dollar spent. The company’s 24x7 Security Operations Centers (SOCs) and managed detection and response (MDR) service combines award-winning threat detection and response technology with human intervention and analysis, providing end-to-end protection across the gateway, network and endpoint ecosystem. Nuspire pioneered distributed, managed security services within the enterprise and franchise market and today protects thousands of locations globally. CONTACT US TODAY TO DISCUSS YOUR UNIQUE SECURITY CHALLENGES. www.nuspire.com 3 METHODOLOGY AND OVERVIEW Data referenced throughout this report is gathered from thousands of devices at Nuspire customer sites from across the globe. This equates to more than 90 billion traffic logs through the second quarter of 2019. Log data is ingested using the power of Nuspire’s cloud-based SIEM. Aggregated and correlated data from our enterprise and mid-market client set provides a unique vantage point to threat vectors targeting the automotive, franchise, manufacturing, construction and healthcare markets. The report begins with an overview of the most prevalent cybersecurity headlines throughout the quarter. Reported breaches and the headlines they generate play a crucial role in trend identification, as evidenced by findings highlighted throughout the report. Nuspire’s threat report is divided into three main vector datasets; Malware, Botnet and Exploit. These datasets are then analyzed where the most prolific and prevalent threats throughout the quarter are identified. MALWARE BOTNET EXPLOIT www.nuspire.com 4 Q2 2019 DATASETS AT A GLANCE MALWARE 4.6M+ 1198 UNIQUE VARIANTS DETECTED DETECTED 355K+ VARIANTS DETECTED PER WEEK 51K+ VARIANTS DETECTED PER DAY 29% DECREASE IN TOTAL ACTIVITY FROM Q1 BOTNET 3.5M+ 41 UNIQUE BOTNETS DETECTED DETECTED 264K+ INFECTIONS PER WEEK 37K+ INFECTIONS PER DAY 17% DECREASE IN TOTAL ACTIVITY FROM Q1 EXPLOITS 55M+ 406 UNIQUE EXPLOITS DETECTED DETECTED 4.3M+ DETECTIONS PER WEEK 615K+ DETECTIONS PER DAY 46% INCREASE IN TOTAL ACTIVITY FROM Q1 nuspire www.nuspire.com 5 HIGHLIGHTS FROM THE HEADLINES IN Q2 2019 In the second quarter of 2019 we saw some significant headlines about major threats and reported breaches affecting both businesses and consumers alike. We found that many of these threats are older with variants that cannot be protected by signature-based protection. Multiple flaws found in Verizon Fios Routers that could allow remote attackers to take complete control over the affected routers, exposing every other device connected APRIL 9 to it. A team of security researchers discovered several vulnerabilities in various implementations of OpenPGP APRIL 30 and S/MIME email signature verification that could allow attackers to spoof signatures on over a dozen of popular email clients. Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware. MAY 1 A critical remote code execution vulnerability has been MAY 2 discovered in the Dell SupportAssist utility that comes pre-installed on most Dell computers. A ransomware attack on the Baltimore City Hall infected the city’s technology systems causing the entire MAY 8 Baltimore City to shut down most of its servers. MAY 14 Microsoft releases fix for critical RDP Vulnerability. Hacker Discloses 4 New Microsoft Zero-Day Exploits in 24 Hours that are affecting Microsoft’s Windows Error MAY 23 Reporting service and Internet Explorer 11. New Brute-Force Botnet Targeting over 1.5 Million RDP JUNE 7 Servers. GandCrab Ransomware releases a decryption tool that could allow millions of affected users to unlock their JUNE 18 encrypted files for free! Two Florida Cities Paid 1.1 Million in Ransom This Month JUNE 26 to recover encrypted files from two separate ransomware attacks. www.nuspire.com 6 TRENDING MALWARE Studying malware aids in detection and response of attacks and proves to be beneficial in identification of new attacks and techniques when they surface. New attack vectors or techniques are being discovered that traditional measures can’t stop. Ransomware is becoming so common that customers are most likely to just deal with it, which results in system downtime, financial impact and often, lost data. nuspire www.nuspire.com 7 MALWARE BY THE NUMBERS MALWARE 4.6M+ DETECTED 1198 UNIQUE VARIANTS DETECTED 355K VARIANTS DETECTED PER WEEK 51K+ VARIANTS DETECTED PER DAY 63% INCREASE IN UNIQUE VARIANTS DETECTED FROM LAST QUARTER The image below shows average malware activity throughout Q2 as a dashed line, whereas the solid line represents spikes and dips in activity, which in some cases relates to the headlines that we outlined in the beginning of the report. This aids in identifying abnormal activity that is trending throughout our dataset. The dips in activity may showcase malicious actors changing the malware delivery to a different payload. 500K 450K 400K 350K 300K 250K 200K 150K 100K 50K K Apr 1 Apr 16 May 1 May 16 Jun 1 Jun 16 Malware Activity vs. Q2 Average www.nuspire.com 8 MALWARE DELIVERY METHODS The most common Malware activity we saw throughout the quarter were generic detections for VBA/Agent, W32/ Kryptik, PDF/phishing and AutoIt/Injector. These signatures are generic detections for Trojan malware which perform activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware onto the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes. VBA is delivered via email in the form of Microsoft Office macro-based documents. These office documents typically rely on social engineering in order to trick unsuspecting users into running their malicious VBA scripts. Once the script is executed, the infection process begins and typically can lead to a wide variety of infections. Because VBA scripts have proven to be a successful approach for attackers, this has continued to be a large-scale threat for businesses across all industries. Although we saw a 29% decrease in overall malware activity, we did have a significant 63% increase in unique variants detected. This increase could signify attackers retooling their approach in order to become more sophisticated in their delivery with additional obfuscation to avoid detection. Malware Trends Based on Type W32 PDF Other VBA AutoIt www.nuspire.com 9 MALWARE DELIVERY METHODS (CONTINUED) The image below shows a significant spike in AutoIt from the beginning of April into May with majority of this activity being related to Nanocore RAT. Using AutoIt as a top-level wrapper for its main .NET compiled binary, the AutoIt script constructs the .NET binary, and in turn carries out the infection. Nanocore has been around since 2013 and is known to perform a variety of functions. Some of these functions include installing a keylogger which can pass information to the malware operator and has the ability to tamper with webcams, and download additional files. Although the author was arrested in late 2016 and sentenced in 2018, the Nanocore RAT has continued to make its rounds throughout organizations. Significant Increase in AutoIt Activity 40K 35K 30K 25K 20K 15K 10K 5K K January February March April May June www.nuspire.com 10 MALWARE DELIVERY METHODS (CONTINUED) We saw a 193% increase in PDF Phishing detections from March to May. Through our technology, we were able to identify a phishing campaign related to this spike in which fraudulent emails were sent to recipients to encourage them to view or download a document in Microsoft OneDrive. The link in the email directs the user to an authentic looking OneDrive login designed to harvest their credentials. Once the credentials have been collected, the user is redirected to the real Microsoft page. With the victim’s credentials in hand, the attacker can do many things such as, identity theft, financial loss on the user or business, prevent users from accessing their own accounts, or launch additional business email compromise attacks. 193% Increase in PDF Delivery 100K 90K 80K 70K 60K 50K 40K 30K 20K 10K K January February March April May June This phishing campaign could affect numerous industries and can target any individual within an organization. 30% of the most targeted phishing attacks were directed at generic email accounts, which are typically shared by two or more employees within an organization. Generic addresses like ‘[email protected]’ can be valuable to attackers because they reach multiple targets, they are easy to obtain and usually public facing, and they are harder to protect with multi factor
Load more

Recommended publications
  • Mid-Year Report Cyber Attack Trends 2017
    MID-YEAR REPORT CYBER ATTACK TRENDS 2017 TABLE OF CONTENTS | 2 TABLE OF CONTENTS Introduction ................................................................................................. 3 Global Trends .............................................................................................. 4 Major Cyber Breaches ................................................................................ 5 Americas ................................................................................................. 5 Europe, the Middle East and Africa (EMEA)............................................ 6 Asia-Pacific (APAC) ................................................................................. 6 Global Malware Statistics ........................................................................... 7 Top Malware Families ............................................................................. 7 Top Ransomware ..................................................................................... 9 Top Banking Malware .............................................................................. 10 Top Mobile Malware ................................................................................ 11 Cyber Attack Categories by Region ............................................................ 12 Global Threat Index Map ............................................................................. 13 Additional Observations .............................................................................. 14 Recommendations .....................................................................................
    [Show full text]
  • (U//FOUO) Cyber Actors Alter Tactics, Techniques & Procedures Used In
    UNCLASSIFIED//FOR OFFICIAL USE ONLY 26 January 2017 (U//FOUO) Cyber Actors Alter Tactics, Techniques & Procedures Used in Persistent Dridex Malware Campaigns, Continue Affecting New England Critical Infrastructure (U//FOUO) Prepared by the DHS Office of Intelligence and Analysis (I&A) in collaboration with the Connecticut Intelligence Center and Massachusetts Commonwealth Fusion Center. (U//FOUO) Scope: This Field Analysis Report (FAR) is intended to provide an assessment of the evolution of tactics, techniques, and procedures (TTPs) used by cyber actors engaged in Dridex malware phishing campaigns impacting critical infrastructure in the New England region. This FAR provides insight into how Dridex indicators have recently evolved to help public and private sector computer network defenders strengthen their cybersecurity posture. (U) Key Judgments • (U//FOUO) Despite a significant disruption to a major malware distribution network in 2016, cyber actors continued to spread Dridex to New England critical infrastructure systems. • (U//FOUO) Cyber actors continually alter Dridex malware code to evade detection by signature-based antivirus software. • (U//FOUO) Cyber actors use the command-line program Certutil and Personal Information Exchange (.PFX) files to deliver Dridex malware, allowing it to pose as a legitimate security certificate. (U//FOUO) Overview of Dridex Malware Activity in New England (U//FOUO) Dridex is distributed via phishing e-mails targeting specific business departments, predominantly accounting, budget, and finance
    [Show full text]
  • Fortinet Threat Landscape Report Q3 2017
    THREAT LANDSCAPE REPORT Q3 2017 TABLE OF CONTENTS TABLE OF CONTENTS Introduction . 4 Highlights and Key Findings . 5 Sources and Measures . .6 Infrastructure Trends . 8 Threat Landscape Trends . 11 Exploit Trends . 12 Malware Trends . 17 Botnet Trends . 20 Exploratory Analysis . 23 Conclusion and Recommendations . 25 3 INTRODUCTION INTRODUCTION Q3 2017 BY THE NUMBERS: Exploits nn5,973 unique exploit detections nn153 exploits per firm on average nn79% of firms saw severe attacks nn35% reported Apache.Struts exploits Malware nn14,904 unique variants The third quarter of the year should be filled with family vacations and the back-to-school hubbub. Q3 2017 felt like that for a nn2,646 different families couple of months, but then the security industry went into a nn25% reported mobile malware hubbub of a very different sort. Credit bureau Equifax reported nn22% detected ransomware a massive data breach that exposed the personal information of Botnets approximately 145 million consumers. nn245 unique botnets detected That number in itself isn’t unprecedented, but the public nn518 daily botnet comms per firm and congressional outcry that followed may well be. In a congressional hearing on the matter, one U.S. senator called nn1.9 active botnets per firm the incident “staggering,” adding “this whole industry should be nn3% of firms saw ≥10 botnets completely transformed.” The impetus, likelihood, and extent of such a transformation is yet unclear, but what is clear is that Equifax fell victim to the same basic problems we point out Far from attempting to blame and shame Equifax (or anyone quarter after quarter in this report.
    [Show full text]
  • Cyren Globalviewtm Threat Trends Q3 2016
    JANUARY 2017 CYBERTHREAT Report Botnets The Clone Armies of Cybercrime TABLE OF CONTENTS Botnets Rising ......................................................................................................................................2 Botnets 101: How A Botnet Works .........................................................................................................3 Botnet Anatomy .....................................................................................................................................4 The Growing Threat: Internet of Things Botnets ....................................................................................5 ET Phone Home: Legitimate Botnets .....................................................................................................5 Build, Buy, or Lease? The 15-Minute Botnet ..........................................................................................6 All-Purpose Networks: What Botnets Do ..............................................................................................9 The Evolution of Botnets: A Timeline ...................................................................................................11 Interview with a Botnet Hunter ............................................................................................................12 24 Hours in the Life of a Necurs Bot ....................................................................................................16 Hiding in the Shadows: How Botnets Obscure Communications ..........................................................19
    [Show full text]
  • Analysis of SSL/TLS Handshakes in Malware Encrypted Traffic
    Masaryk University Faculty of Informatics Analysis of SSL/TLS handshakes in malware encrypted traffic Bachelor’s Thesis Daniela Belajová Brno, Fall 2018 Masaryk University Faculty of Informatics Analysis of SSL/TLS handshakes in malware encrypted traffic Bachelor’s Thesis Daniela Belajová Brno, Fall 2018 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Daniela Belajová Advisor: Mgr. Stanislav Špaček i Acknowledgements I would like to thank my advisor Mgr. Stanislav Špaček for all his guidance, patience, valuable advice and feedback through the whole process of writing this thesis. I would also like to thank my family for their support and encouragement. ii Abstract One of the current trends in cybersecurity is abusing encrypted net- work traffic to mask a malware activity and complicate its detection. Although encryption ensures the confidentiality of transmitted data, at the same time it prevents the use of some detection methods. In this bachelor’s thesis, I focus on the SSL/TLS protocol, which is one of the most widespread encryption protocols providing secure com- munication in nowadays networks. The main aim of this work is to analyze the SSL/TLS traffic gener- ated by malware in recent malware campaigns misusing encryption to hide their activity, concentrating on protocol metadata from the initial handshake of the connection and based on the results of comparison with benign encrypted traffic, find possible distinctive characteristics that would allow malware to be identified in benign encrypted traffic.
    [Show full text]
  • THE RANSOMWARE REVOLUTION: HOW EMERGING ENCRYPTION TECHNOLOGIES CREATED a PRODIGIOUS CYBER THREAT Matthew S. Ryan BA, MA
    THE RANSOMWARE REVOLUTION: HOW EMERGING ENCRYPTION TECHNOLOGIES CREATED A PRODIGIOUS CYBER THREAT Matthew S. Ryan BA, MA, MPICT, MCSSD This thesis is submitted in partial fulfilment for the degree of Doctor of Cyber Security School of Engineering and Information Technology, The University of New South Wales at the Australian Defence Force Academy 20 December 2019 Surname : Ryan Given Name : Matthew Abbreviation for degree : DCybSec - Doctor of Cyber Security (Research) Faculty : UNSW Canberra School : Engineering and Information Technology (SEIT) The ransomware revolution: how emerging encryption technologies created a Thesis Title : prodigious cyber threat Abstract The increasing public availability of encryption technologies, and the parallel emergence of cryptocurrencies, have elevated ransomware to become the most prodigious cyber threat that enterprises now confront. The advent of cryptocurrencies provided the catalyst for increased profitability from ransomware, sparking a phenomenal rise in the number and complexity of ransomware attacks. This thesis is among the first academic works to analyse what has been dubbed the ‘ransomware revolution’ after a series of major attacks beginning in 2013. This threat is compounded by a disconnect between academia, the professional services industry, and vendors. This research brings together two strands of analysis. First, it documents the emergence of encryption-centric technologies that have created an environment conducive to undertaking this type of cyber-attack. The ease of public access to advanced encryption techniques has allowed malicious actors to operate with increased anonymity across the internet. This has enabled increased collaboration between attackers, which has aided the development of new ransomware attacks, and led to an increasing level of technical complexity in ransomware attacks.
    [Show full text]
  • Threat Landscape Report Q4 2016 Table of Contents
    THREAT LANDSCAPE REPORT Q4 2016 TABLE OF CONTENTS TABLE OF CONTENTS Foreword . 3 Q4 2016 Highlights and Key Findings . 4 Sources and Measures . .5 Infrastructure Trends . 7 Global Threat Landscape . 10 Exploits . 11 Mini Focus: IoT . 13 Malware . 14 Mini Focus: Mobile Malware . 16 Botnets . 17 Mini Focus: Ransomware . 19 Regional Threat Landscapes . 20 Industry Threat Landscapes . 23 Exploratory Analysis: Holiday Threat Trends . 26 Conclusion and Recommendations . 28 2 FOREWORD FOREWORD Everything worth doing involves some degree of risk, and this is especially true when it comes to commerce. From ancient expeditions into uncharted territories to modern forays into digital connections and clicks, fame and fortune go to those who understand the risks and manage them well. But at the edge of the unknown, understanding tends to be a scarce commodity and is often replaced with fear, uncertainty, and doubt—a trio so intertwined they’re better known simply as “FUD.” This tendency is illustrated beautifully in the “monster maps” of This report seeks to draw an accurate representation of the cyber old, such as the famous Carta Marina shown here. Real dangers threat landscape in Q4 2016 leveraging the vast information experienced at land and sea were often represented as fantastical resources and expertise of FortiGuard Labs. We seek to share beasts as a warning to fellow travelers. It offers an excellent our perspective on the threats that exist, how often they occur, example of how FUD can lead to a mythical view of legitimate what differs across sectors and regions, and what’s changing over threats. Before chalking this tendency up to primitive ignorance, time.
    [Show full text]
  • The Malware-As-A-Service Emotet
    TLP:WHITE THE MALWARE-AS-A-SERVICE EMOTET 12/02/2021 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet Table of contents 1 Emotet origins ................................................... 3 2 Evolution of Emotet’s activity .......................................... 4 2.1 From a banking trojan to a loader of malwares on behalf of other attackers .............. 4 2.2 Emotet associated chain of infection .................................... 5 2.2.1 Possible vectors of infection ..................................... 5 2.2.2 Proceeding an attack after receiving a phishing email ...................... 6 3 Links with other groups of attackers ...................................... 7 3.1 Customers ................................................... 7 3.2 Links between Emotet and Dridex, Gozi ISFB and QakBot operators .................. 9 4 Conclusion ...................................................... 10 5 Means of detection and monitoring ....................................... 10 6 Appendix : TA542’s customer base over the period 2017-2018 ........................ 11 7 Bibliography .................................................... 12 12/02/2021 Page 2 of 15 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet 1 Emotet origins Emotet (aka Heodo) first appeared in March 2017 and is the fourth iteration of the Geodo malware. The origin of Geodo can be traced back to the Business Club, a cybercriminal group whose activity began around 2008, in collaboration with M. Bogatchev, creator of ZeuS malware [1]. This group successively operated Jab- berZeuS and GameOverZeuS (GoZ). [2, 3]. In parallel to the activities of the Business Club, one of its members, M. Yakubets, and an operator of its bullet- proof hoster1, A. Ghinkul, appear to have operated, or even developed, Bugat malware (aka Cridex, Feodo), which appeared in 2010. One month after the FBI takedown of GoZ’s infrastructure in May 2014, Dridex and Geodo banking trojans emerged.
    [Show full text]
  • 2017 Global Cyber Attack Trends Report TABLE of CONTENTS | 2
    2017 Global Cyber Attack Trends Report TABLE OF CONTENTS | 2 TABLE OF CONTENTS Introduction ................................................................................................. 3 Global Trends .............................................................................................. 4 Global Malware Statistics ........................................................................... 8 Top Malware Families ............................................................................. 8 Top Ransomware ..................................................................................... 10 Top Banking Malware .............................................................................. 11 Top Mobile Malware ................................................................................ 12 Top Crypto Mining Malware..................................................................... 13 Cyber Attack Categories by Region ............................................................ 14 Global Threat Index Map ............................................................................. 14 Global Top Exploited Vulnerabilities ........................................................... 15 Yearly Data Breaches Timeline ............................................................... 16 Top Predictions for 2018 ............................................................................. 17 Additional Observations/Conclusions ........................................................ 19 Appendix 1 – Major Cyber Breaches .........................................................
    [Show full text]
  • The Malware-As-A-Service Emotet
    TLP:WHITE THE MALWARE-AS-A-SERVICE EMOTET 1.1 12/02/2021 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet Table of contents 1 Emotet origins ................................................... 3 2 Evolution of Emotet’s activity .......................................... 4 2.1 From a banking trojan to a loader of malwares on behalf of other attackers .............. 4 2.2 Emotet associated chain of infection .................................... 5 2.2.1 Possible vectors of infection ..................................... 5 2.2.2 Proceeding an attack after receiving a phishing email ...................... 6 3 Links with other groups of attackers ...................................... 7 3.1 Customers ................................................... 7 3.2 Links between Emotet and Dridex, Gozi ISFB and QakBot operators .................. 9 4 Conclusion ...................................................... 10 5 Means of detection and monitoring ....................................... 10 6 Appendix : TA542’s customer base over the period 2017-2018 ........................ 11 7 Bibliography .................................................... 12 12/02/2021 Page 2 of 15 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet 1 Emotet origins Emotet (aka Heodo) first appeared in March 2017 and is the fourth iteration of the Geodo malware. The origin of Geodo can be traced back to the Business Club, a cybercriminal group whose activity began around 2008, in collaboration with M. Bogatchev, creator of ZeuS malware [1]. This group successively operated Jab- berZeuS and GameOverZeuS (GoZ). [2, 3]. In parallel to the activities of the Business Club, one of its members, M. Yakubets, and an operator of its bullet- proof hoster1, A. Ghinkul, appear to have operated, or even developed, Bugat malware (aka Cridex, Feodo), which appeared in 2010. One month after the FBI takedown of GoZ’s infrastructure in May 2014, Dridex and Geodo banking trojans emerged.
    [Show full text]
  • Crimeware in the Modern Era: a Cost We Cannot Ignore Brandon Levene, Chronicle
    1 Crimeware in the Modern Era: A Cost We Cannot Ignore Brandon Levene, Chronicle Executive Summary Chronicle researchers conducted an investigation into the evolution of crimeware from 2013 through 2018. Researchers have concluded that crimeware, traditionally considered a “commodity threat,” has evolved into a highly lucrative business as criminals are constantly improving their techniques and law enforcement activity grows increasingly ineffectual. Attackers and defenders are entrenched in a longstanding game of cat and mouse, resulting in a rapid expansion of the crimeware threat landscape, and growing sophistication of attacks and malware infrastructure. This research examines the rise of financially motivated malware and the impact of attempted countermeasures. The report details the emergence and growth of banking trojans, ransomware, infostealers and cryptomining malware, the impact of a wide variety of crimeware including: GameOver Zeus, Cryptolocker, Dridex, Dyre, Trickbot, Ramnit, and attacks including the targeted attacks on the SWIFT messaging network, the Mirai botnet, the WannaCry ransomware outbreak, and others. Key findings from the investigations include: ● Crimeware risk is underestimated -- Misconceptions around the severity of risk from ​ financially motivated threat actors has hobbled enterprise defense efforts. Rates of losses due to crimeware are climbing, and countermeasures are decreasing in efficacy. Crimeware as a financial risk quantifiably outranks more sophisticated threats such as APTs. The ability of crimeware to disrupt businesses is tremendous and if efforts are not increased, there will be attacks greater in impact, scale and cost. ● Crimeware growth is enduring - Instances of crimeware have grown steadily, year over year. ​ The prevalence and frequency of crimeware has desensitized security teams and crimeware fatigue is a threat to organizations.
    [Show full text]
  • The Malware Dridex: Origins and Uses Sommaire
    TLP:WHITE THE MALWARE DRIDEX: ORIGINS AND USES 17/07/2020 TLP:WHITE TLP:WHITE The malware Dridex: origins and uses Sommaire 1 The malware Dridex ................................................ 3 1.1 Changes in functionality since 2014 ..................................... 3 1.1.1 Functionality ............................................. 3 1.1.2 Modularity ............................................... 3 1.1.3 Development ............................................. 4 1.2 Botnet use ................................................... 4 1.3 Affiliate model ................................................. 5 2 Dridex’ developers: Evil Corp ........................................... 7 2.1 The group’s origins: ZeuS, JabberZeuS and GameOverZeuS ....................... 7 2.2 Evil Corp .................................................... 7 2.2.1 2014: from JabberZeuS to Evil Corp ................................. 7 2.2.2 Evil Corp’s development since 2017 ................................. 9 3 Distribution of Dridex by the main affiliates ................................. 11 3.1 Phishing emails ................................................ 11 3.1.1 The botnet CraP2P (alias Necurs) .................................. 11 3.1.2 The botnet Cutwail .......................................... 11 3.1.3 The botnet Andromeda ........................................ 12 3.2 As a second payload .............................................. 12 3.3 Watering hole ................................................. 13 3.4 Exploit kits ..................................................
    [Show full text]