DOCSLIB.ORG

(U//FOUO) Cyber Actors Alter Tactics, Techniques & Procedures Used In

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
(U//FOUO) Cyber Actors Alter Tactics, Techniques & Procedures Used In UNCLASSIFIED//FOR OFFICIAL USE ONLY 26 January 2017 (U//FOUO) Cyber Actors Alter Tactics, Techniques & Procedures Used in Persistent Dridex Malware Campaigns, Continue Affecting New England Critical Infrastructure (U//FOUO) Prepared by the DHS Office of Intelligence and Analysis (I&A) in collaboration with the Connecticut Intelligence Center and Massachusetts Commonwealth Fusion Center. (U//FOUO) Scope: This Field Analysis Report (FAR) is intended to provide an assessment of the evolution of tactics, techniques, and procedures (TTPs) used by cyber actors engaged in Dridex malware phishing campaigns impacting critical infrastructure in the New England region. This FAR provides insight into how Dridex indicators have recently evolved to help public and private sector computer network defenders strengthen their cybersecurity posture. (U) Key Judgments • (U//FOUO) Despite a significant disruption to a major malware distribution network in 2016, cyber actors continued to spread Dridex to New England critical infrastructure systems. • (U//FOUO) Cyber actors continually alter Dridex malware code to evade detection by signature-based antivirus software. • (U//FOUO) Cyber actors use the command-line program Certutil and Personal Information Exchange (.PFX) files to deliver Dridex malware, allowing it to pose as a legitimate security certificate. (U//FOUO) Overview of Dridex Malware Activity in New England (U//FOUO) Dridex is distributed via phishing e-mails targeting specific business departments, predominantly accounting, budget, and finance offices. Once Dridex is active on a compromised system, that system can be used to send spam e-mails, execute distributed denial-of-service (DDoS) attacks, or to harvest user credentials for many online services, including banking services.1 Between April 2015 and August 2016, DHS received numerous incident reports involving Dridex malware campaigns targeting critical infrastructure in Connecticut and Massachusetts.2–21 These campaigns targeted several critical infrastructure sectors in both states.22–28 (U//FOUO) The majority of the Dridex phishing e-mails during this period contained malicious Microsoft Word, Excel, or executable file attachments with embedded macros that were hidden through obfuscated Visual Basic script. The attachments were created on an operating system using Cyrillic characters. According to open source reporting, the files most commonly identified were “W97M/Downloader” and “W97M/Bartallex.”29 There were command-and-control (C2) uniform resource locators (URLs) written within the obfuscated Visual Basic script, from which the Dridex payload was be pulled. The C2 URLs typically differed from one attachment to the next.30 The IA-0073-17 (U) Warning: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid need to know without prior approval of an authorized DHS official. State and local homeland security officials may share this document with authorized critical infrastructure and key resource personnel and private sector security officials without further approval from DHS. (U) This product contains US person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It has been highlighted in this document with the label USPER and should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures. UNCLASSIFIED//FOR OFFICIAL USE ONLY UNCLASSIFIED//FOR OFFICIAL USE ONLY URLs were identified as recently compromised WordPress websites or other sites based in the United States or elsewhere. The obfuscated text also repeated scripts associated with .txt files, such as random alphanumeric naming conventions, along with text documents entitled “sasa.txt,” “lns.txt,” or “fafa.txt”.31,32 It is unknown what these text files contained. (U//FOUO) Dridex Malware (U) Once Dridex is installed and executed on an infected system, a cyber actor can upload or (U//FOUO) Dridex malware, previously known as Cridex download files from a victim’s computer.33 In addition, or Bugat, is a credential-stealing malicious software that cyber actors can execute files, monitor network traffic, has targeted the financial sector since 2014. According to USPER and take browser screenshots.34 Cyber actors also Dell Secureworks , Dridex steals credentials, certificates, cookies, and other sensitive information from may incorporate the infected system into a botnet for a compromised system, primarily to commit Automated use in DDoS attacks or to further propagate Dridex Clearing House (ACH) and wire fraud. Dridex was 35 malware. Once infected, cyber actors can created from the source code of the Bugat banking Trojan communicate with other peer nodes through the peer- but is distinct from previous Bugat variants, particularly to-peer (P2P) protocol to retrieve configuration with respect to its modular architecture and its use of a details, download and execute additional modules, hybrid peer-to-peer network to mask its backend download and execute additional files, and inject itself infrastructure and complicate takedown attempts. The source code for Dridex, Cridex, and Bugat contains into browser processes for Internet Explorer, Chrome, Cyrillic characters, which is consistent with the theory that and Firefox in order to monitor communications and the developers of Dridex were associated with an Eastern 36 steal information. European gang called “The Business Club,” which developed Gameover ZeuS botnet. (U) Dridex primarily impacts users by stealing their personal information, such as online banking account credentials, through its many personal information theft and browser monitoring routines.37 Stolen login credentials may lead to a victim’s other online accounts, such as social media, being broken into and/or hijacked.38 The screenshots taken may also inadvertently expose more personal information.39 In addition, a system infected with Dridex may be employed to send spam e-mails or execute DDoS attacks.40 (U//FOUO) Dridex Malware Campaigns Continue to Target New England Despite Temporary Disruption of Botnet Primarily used for Distribution (U//FOUO) Despite a temporary disruption between (U//FOUO) Necurs Botnet May and June 2016 of the Necurs botnet, a major distribution network for Dridex, cyber actors continued (U//FOUO) According to Threatpost and Proofpoint, Necurs is one of the world’s largest botnets. Necurs is to distribute the malware to New England critical a malware family known for its rootkit capabilities. Its infrastructure, though at a reduced rate. According rootkit capabilities include both a user mode and a to open source reporting, the Necurs botnet played a kernel mode component, making it a very capable piece critical role in supporting the delivery of malicious of malware that is able to tamper with the system at the e-mails while obfuscating the identifiable details of the lowest level. Necurs is commonly installed by other cyber actors behind the campaigns.41 In May 2016, families of malware (e.g., Zeus, Dorkbot), but reports the Necurs botnet experienced an outage that show that it can also be distributed on its own using exploit kits. Once Necurs gains access to a system, resulted in a sudden drop in Dridex and Locky 42,43 it is able to steal user information, install additional ransomware infections. The botnet outage malware, or send spam e-mails. revealed that the network command-and-control center was actually controlling around 1.1 million hosts, contradicting previous host estimates in the tens of thousands.44,45 (U//FOUO) Dridex malware continued to affect critical infrastructure in New England by harvesting user credentials for online services, including banking services, or leveraging infected systems to engage in DDoS attacks. However, cyber actors are forgoing the use of Dridex malware for more profitable ransomware campaigns using many of the same distribution networks previously used for Dridex.46 The profitability of ransomware may account for the drop in Dridex campaigns more so than disruptions in botnets used for malware distribution.47 UNCLASSIFIED//FOR OFFICIAL USE ONLY Page 2 of 8 UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO) Cyber Actors May Implement New TTPs to Bypass Signature-based Antivirus Software (U//FOUO) According to information from a credible cybersecurity firm, cyber actors engaged in Dridex malware campaigns have adopted new TTPs in an effort to evade signature-based antivirus software.48 (U//FOUO) Customized or regionalized malware is the (U//FOUO) Signature-Based Malware Detection most difficult form of malware to detect since the signature for the malware is constantly changing to (U//FOUO) When a malware arrives in the hands of an target specific regions, industries, or businesses.49 antivirus software firm, it is analyzed by malware Minor modifications to the malware, such as altering a researchers or by dynamic analysis systems. Then, once single character in the malware code, result in a change it is determined to be a malware, a proper signature of the to the signature algorithm, which allows the malware file file is extracted and added to the signatures database
Load more

Recommended publications
  • Mid-Year Report Cyber Attack Trends 2017
    MID-YEAR REPORT CYBER ATTACK TRENDS 2017 TABLE OF CONTENTS | 2 TABLE OF CONTENTS Introduction ................................................................................................. 3 Global Trends .............................................................................................. 4 Major Cyber Breaches ................................................................................ 5 Americas ................................................................................................. 5 Europe, the Middle East and Africa (EMEA)............................................ 6 Asia-Pacific (APAC) ................................................................................. 6 Global Malware Statistics ........................................................................... 7 Top Malware Families ............................................................................. 7 Top Ransomware ..................................................................................... 9 Top Banking Malware .............................................................................. 10 Top Mobile Malware ................................................................................ 11 Cyber Attack Categories by Region ............................................................ 12 Global Threat Index Map ............................................................................. 13 Additional Observations .............................................................................. 14 Recommendations .....................................................................................
    [Show full text]
  • Fortinet Threat Landscape Report Q3 2017
    THREAT LANDSCAPE REPORT Q3 2017 TABLE OF CONTENTS TABLE OF CONTENTS Introduction . 4 Highlights and Key Findings . 5 Sources and Measures . .6 Infrastructure Trends . 8 Threat Landscape Trends . 11 Exploit Trends . 12 Malware Trends . 17 Botnet Trends . 20 Exploratory Analysis . 23 Conclusion and Recommendations . 25 3 INTRODUCTION INTRODUCTION Q3 2017 BY THE NUMBERS: Exploits nn5,973 unique exploit detections nn153 exploits per firm on average nn79% of firms saw severe attacks nn35% reported Apache.Struts exploits Malware nn14,904 unique variants The third quarter of the year should be filled with family vacations and the back-to-school hubbub. Q3 2017 felt like that for a nn2,646 different families couple of months, but then the security industry went into a nn25% reported mobile malware hubbub of a very different sort. Credit bureau Equifax reported nn22% detected ransomware a massive data breach that exposed the personal information of Botnets approximately 145 million consumers. nn245 unique botnets detected That number in itself isn’t unprecedented, but the public nn518 daily botnet comms per firm and congressional outcry that followed may well be. In a congressional hearing on the matter, one U.S. senator called nn1.9 active botnets per firm the incident “staggering,” adding “this whole industry should be nn3% of firms saw ≥10 botnets completely transformed.” The impetus, likelihood, and extent of such a transformation is yet unclear, but what is clear is that Equifax fell victim to the same basic problems we point out Far from attempting to blame and shame Equifax (or anyone quarter after quarter in this report.
    [Show full text]
  • Cyren Globalviewtm Threat Trends Q3 2016
    JANUARY 2017 CYBERTHREAT Report Botnets The Clone Armies of Cybercrime TABLE OF CONTENTS Botnets Rising ......................................................................................................................................2 Botnets 101: How A Botnet Works .........................................................................................................3 Botnet Anatomy .....................................................................................................................................4 The Growing Threat: Internet of Things Botnets ....................................................................................5 ET Phone Home: Legitimate Botnets .....................................................................................................5 Build, Buy, or Lease? The 15-Minute Botnet ..........................................................................................6 All-Purpose Networks: What Botnets Do ..............................................................................................9 The Evolution of Botnets: A Timeline ...................................................................................................11 Interview with a Botnet Hunter ............................................................................................................12 24 Hours in the Life of a Necurs Bot ....................................................................................................16 Hiding in the Shadows: How Botnets Obscure Communications ..........................................................19
    [Show full text]
  • Analysis of SSL/TLS Handshakes in Malware Encrypted Traffic
    Masaryk University Faculty of Informatics Analysis of SSL/TLS handshakes in malware encrypted traffic Bachelor’s Thesis Daniela Belajová Brno, Fall 2018 Masaryk University Faculty of Informatics Analysis of SSL/TLS handshakes in malware encrypted traffic Bachelor’s Thesis Daniela Belajová Brno, Fall 2018 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Daniela Belajová Advisor: Mgr. Stanislav Špaček i Acknowledgements I would like to thank my advisor Mgr. Stanislav Špaček for all his guidance, patience, valuable advice and feedback through the whole process of writing this thesis. I would also like to thank my family for their support and encouragement. ii Abstract One of the current trends in cybersecurity is abusing encrypted net- work traffic to mask a malware activity and complicate its detection. Although encryption ensures the confidentiality of transmitted data, at the same time it prevents the use of some detection methods. In this bachelor’s thesis, I focus on the SSL/TLS protocol, which is one of the most widespread encryption protocols providing secure com- munication in nowadays networks. The main aim of this work is to analyze the SSL/TLS traffic gener- ated by malware in recent malware campaigns misusing encryption to hide their activity, concentrating on protocol metadata from the initial handshake of the connection and based on the results of comparison with benign encrypted traffic, find possible distinctive characteristics that would allow malware to be identified in benign encrypted traffic.
    [Show full text]
  • Threat Landscape Report Q2 2019
    QUARTERLY THREAT LANDSCAPE REPORT Q2 2019 nuspire.com Table of Contents About Nuspire.............................................................................. 3 Methodology and Overview............................................................4 Datasets at a Glance.....................................................................5 Highlights from the Headlines.......................................................6 Trending Malware.........................................................................7 Trending Botnets.......................................................................... 12 Trending Exploits..........................................................................16 Conclusions and Recommendations..............................................20 www.nuspire.com 2 About Nuspire Nuspire is the Managed Security Services (MSS) provider of choice, delivering the greatest risk reduction per cyber-dollar spent. The company’s 24x7 Security Operations Centers (SOCs) and managed detection and response (MDR) service combines award-winning threat detection and response technology with human intervention and analysis, providing end-to-end protection across the gateway, network and endpoint ecosystem. Nuspire pioneered distributed, managed security services within the enterprise and franchise market and today protects thousands of locations globally. CONTACT US TODAY TO DISCUSS YOUR UNIQUE SECURITY CHALLENGES. www.nuspire.com 3 METHODOLOGY AND OVERVIEW Data referenced throughout this report is gathered from thousands
    [Show full text]
  • THE RANSOMWARE REVOLUTION: HOW EMERGING ENCRYPTION TECHNOLOGIES CREATED a PRODIGIOUS CYBER THREAT Matthew S. Ryan BA, MA
    THE RANSOMWARE REVOLUTION: HOW EMERGING ENCRYPTION TECHNOLOGIES CREATED A PRODIGIOUS CYBER THREAT Matthew S. Ryan BA, MA, MPICT, MCSSD This thesis is submitted in partial fulfilment for the degree of Doctor of Cyber Security School of Engineering and Information Technology, The University of New South Wales at the Australian Defence Force Academy 20 December 2019 Surname : Ryan Given Name : Matthew Abbreviation for degree : DCybSec - Doctor of Cyber Security (Research) Faculty : UNSW Canberra School : Engineering and Information Technology (SEIT) The ransomware revolution: how emerging encryption technologies created a Thesis Title : prodigious cyber threat Abstract The increasing public availability of encryption technologies, and the parallel emergence of cryptocurrencies, have elevated ransomware to become the most prodigious cyber threat that enterprises now confront. The advent of cryptocurrencies provided the catalyst for increased profitability from ransomware, sparking a phenomenal rise in the number and complexity of ransomware attacks. This thesis is among the first academic works to analyse what has been dubbed the ‘ransomware revolution’ after a series of major attacks beginning in 2013. This threat is compounded by a disconnect between academia, the professional services industry, and vendors. This research brings together two strands of analysis. First, it documents the emergence of encryption-centric technologies that have created an environment conducive to undertaking this type of cyber-attack. The ease of public access to advanced encryption techniques has allowed malicious actors to operate with increased anonymity across the internet. This has enabled increased collaboration between attackers, which has aided the development of new ransomware attacks, and led to an increasing level of technical complexity in ransomware attacks.
    [Show full text]
  • Threat Landscape Report Q4 2016 Table of Contents
    THREAT LANDSCAPE REPORT Q4 2016 TABLE OF CONTENTS TABLE OF CONTENTS Foreword . 3 Q4 2016 Highlights and Key Findings . 4 Sources and Measures . .5 Infrastructure Trends . 7 Global Threat Landscape . 10 Exploits . 11 Mini Focus: IoT . 13 Malware . 14 Mini Focus: Mobile Malware . 16 Botnets . 17 Mini Focus: Ransomware . 19 Regional Threat Landscapes . 20 Industry Threat Landscapes . 23 Exploratory Analysis: Holiday Threat Trends . 26 Conclusion and Recommendations . 28 2 FOREWORD FOREWORD Everything worth doing involves some degree of risk, and this is especially true when it comes to commerce. From ancient expeditions into uncharted territories to modern forays into digital connections and clicks, fame and fortune go to those who understand the risks and manage them well. But at the edge of the unknown, understanding tends to be a scarce commodity and is often replaced with fear, uncertainty, and doubt—a trio so intertwined they’re better known simply as “FUD.” This tendency is illustrated beautifully in the “monster maps” of This report seeks to draw an accurate representation of the cyber old, such as the famous Carta Marina shown here. Real dangers threat landscape in Q4 2016 leveraging the vast information experienced at land and sea were often represented as fantastical resources and expertise of FortiGuard Labs. We seek to share beasts as a warning to fellow travelers. It offers an excellent our perspective on the threats that exist, how often they occur, example of how FUD can lead to a mythical view of legitimate what differs across sectors and regions, and what’s changing over threats. Before chalking this tendency up to primitive ignorance, time.
    [Show full text]
  • The Malware-As-A-Service Emotet
    TLP:WHITE THE MALWARE-AS-A-SERVICE EMOTET 12/02/2021 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet Table of contents 1 Emotet origins ................................................... 3 2 Evolution of Emotet’s activity .......................................... 4 2.1 From a banking trojan to a loader of malwares on behalf of other attackers .............. 4 2.2 Emotet associated chain of infection .................................... 5 2.2.1 Possible vectors of infection ..................................... 5 2.2.2 Proceeding an attack after receiving a phishing email ...................... 6 3 Links with other groups of attackers ...................................... 7 3.1 Customers ................................................... 7 3.2 Links between Emotet and Dridex, Gozi ISFB and QakBot operators .................. 9 4 Conclusion ...................................................... 10 5 Means of detection and monitoring ....................................... 10 6 Appendix : TA542’s customer base over the period 2017-2018 ........................ 11 7 Bibliography .................................................... 12 12/02/2021 Page 2 of 15 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet 1 Emotet origins Emotet (aka Heodo) first appeared in March 2017 and is the fourth iteration of the Geodo malware. The origin of Geodo can be traced back to the Business Club, a cybercriminal group whose activity began around 2008, in collaboration with M. Bogatchev, creator of ZeuS malware [1]. This group successively operated Jab- berZeuS and GameOverZeuS (GoZ). [2, 3]. In parallel to the activities of the Business Club, one of its members, M. Yakubets, and an operator of its bullet- proof hoster1, A. Ghinkul, appear to have operated, or even developed, Bugat malware (aka Cridex, Feodo), which appeared in 2010. One month after the FBI takedown of GoZ’s infrastructure in May 2014, Dridex and Geodo banking trojans emerged.
    [Show full text]
  • 2017 Global Cyber Attack Trends Report TABLE of CONTENTS | 2
    2017 Global Cyber Attack Trends Report TABLE OF CONTENTS | 2 TABLE OF CONTENTS Introduction ................................................................................................. 3 Global Trends .............................................................................................. 4 Global Malware Statistics ........................................................................... 8 Top Malware Families ............................................................................. 8 Top Ransomware ..................................................................................... 10 Top Banking Malware .............................................................................. 11 Top Mobile Malware ................................................................................ 12 Top Crypto Mining Malware..................................................................... 13 Cyber Attack Categories by Region ............................................................ 14 Global Threat Index Map ............................................................................. 14 Global Top Exploited Vulnerabilities ........................................................... 15 Yearly Data Breaches Timeline ............................................................... 16 Top Predictions for 2018 ............................................................................. 17 Additional Observations/Conclusions ........................................................ 19 Appendix 1 – Major Cyber Breaches .........................................................
    [Show full text]
  • The Malware-As-A-Service Emotet
    TLP:WHITE THE MALWARE-AS-A-SERVICE EMOTET 1.1 12/02/2021 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet Table of contents 1 Emotet origins ................................................... 3 2 Evolution of Emotet’s activity .......................................... 4 2.1 From a banking trojan to a loader of malwares on behalf of other attackers .............. 4 2.2 Emotet associated chain of infection .................................... 5 2.2.1 Possible vectors of infection ..................................... 5 2.2.2 Proceeding an attack after receiving a phishing email ...................... 6 3 Links with other groups of attackers ...................................... 7 3.1 Customers ................................................... 7 3.2 Links between Emotet and Dridex, Gozi ISFB and QakBot operators .................. 9 4 Conclusion ...................................................... 10 5 Means of detection and monitoring ....................................... 10 6 Appendix : TA542’s customer base over the period 2017-2018 ........................ 11 7 Bibliography .................................................... 12 12/02/2021 Page 2 of 15 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet 1 Emotet origins Emotet (aka Heodo) first appeared in March 2017 and is the fourth iteration of the Geodo malware. The origin of Geodo can be traced back to the Business Club, a cybercriminal group whose activity began around 2008, in collaboration with M. Bogatchev, creator of ZeuS malware [1]. This group successively operated Jab- berZeuS and GameOverZeuS (GoZ). [2, 3]. In parallel to the activities of the Business Club, one of its members, M. Yakubets, and an operator of its bullet- proof hoster1, A. Ghinkul, appear to have operated, or even developed, Bugat malware (aka Cridex, Feodo), which appeared in 2010. One month after the FBI takedown of GoZ’s infrastructure in May 2014, Dridex and Geodo banking trojans emerged.
    [Show full text]
  • Crimeware in the Modern Era: a Cost We Cannot Ignore Brandon Levene, Chronicle
    1 Crimeware in the Modern Era: A Cost We Cannot Ignore Brandon Levene, Chronicle Executive Summary Chronicle researchers conducted an investigation into the evolution of crimeware from 2013 through 2018. Researchers have concluded that crimeware, traditionally considered a “commodity threat,” has evolved into a highly lucrative business as criminals are constantly improving their techniques and law enforcement activity grows increasingly ineffectual. Attackers and defenders are entrenched in a longstanding game of cat and mouse, resulting in a rapid expansion of the crimeware threat landscape, and growing sophistication of attacks and malware infrastructure. This research examines the rise of financially motivated malware and the impact of attempted countermeasures. The report details the emergence and growth of banking trojans, ransomware, infostealers and cryptomining malware, the impact of a wide variety of crimeware including: GameOver Zeus, Cryptolocker, Dridex, Dyre, Trickbot, Ramnit, and attacks including the targeted attacks on the SWIFT messaging network, the Mirai botnet, the WannaCry ransomware outbreak, and others. Key findings from the investigations include: ● Crimeware risk is underestimated -- Misconceptions around the severity of risk from ​ financially motivated threat actors has hobbled enterprise defense efforts. Rates of losses due to crimeware are climbing, and countermeasures are decreasing in efficacy. Crimeware as a financial risk quantifiably outranks more sophisticated threats such as APTs. The ability of crimeware to disrupt businesses is tremendous and if efforts are not increased, there will be attacks greater in impact, scale and cost. ● Crimeware growth is enduring - Instances of crimeware have grown steadily, year over year. ​ The prevalence and frequency of crimeware has desensitized security teams and crimeware fatigue is a threat to organizations.
    [Show full text]
  • The Malware Dridex: Origins and Uses Sommaire
    TLP:WHITE THE MALWARE DRIDEX: ORIGINS AND USES 17/07/2020 TLP:WHITE TLP:WHITE The malware Dridex: origins and uses Sommaire 1 The malware Dridex ................................................ 3 1.1 Changes in functionality since 2014 ..................................... 3 1.1.1 Functionality ............................................. 3 1.1.2 Modularity ............................................... 3 1.1.3 Development ............................................. 4 1.2 Botnet use ................................................... 4 1.3 Affiliate model ................................................. 5 2 Dridex’ developers: Evil Corp ........................................... 7 2.1 The group’s origins: ZeuS, JabberZeuS and GameOverZeuS ....................... 7 2.2 Evil Corp .................................................... 7 2.2.1 2014: from JabberZeuS to Evil Corp ................................. 7 2.2.2 Evil Corp’s development since 2017 ................................. 9 3 Distribution of Dridex by the main affiliates ................................. 11 3.1 Phishing emails ................................................ 11 3.1.1 The botnet CraP2P (alias Necurs) .................................. 11 3.1.2 The botnet Cutwail .......................................... 11 3.1.3 The botnet Andromeda ........................................ 12 3.2 As a second payload .............................................. 12 3.3 Watering hole ................................................. 13 3.4 Exploit kits ..................................................
    [Show full text]