Attackers are constantly seeking to develop new techniques to deliver malware to their intended victims and persist undetected within networks. Cisco Talos has recently uncovered an attack spoofing the US Securities and Exchange Commission which uses some novel tricks to evade detection.
The attack is delivered by an email purporting to present changes to the system that publicly traded businesses use to file legal information. The targeted nature of the campaign and the specificity of the social engineering suggest that the attackers had researched their targets, a growing trend amongst attackers whose aim is to avoid arousing any suspicion at all.
Unlike many attacks, the Word document attached to the email does not itself contain the malicious payload. Instead, the document abuses a ‘feature’ of Microsoft Word that prompts the user to download linked content from an external file. It is this external content, hosted on a compromised governmental website, that contains the malicious code.
Rather than existing as a file on the hard disk, the malware writes itself into the Windows Registry. Once installed, the malware establishes communication with its controller using DNS traffic.
Clearly, the threat actor behind this attack had thought long and hard about how to maximise the likelihood of infection, and how to persist for as long as possible without being detected.
Protecting against such threats requires a multi-layered approach. No one technology is going to block 100% of attacks, 100% of the time, from any direction.
Cisco’s Email Security (CES) scans incoming email to identify and block malicious emails. Running Advanced Malware Protection (AMP) on either the email gateway or on the endpoints themselves can detect and block malicious files. Cisco Umbrella, with its DNS-based detection and blocking capability, is ideally suited to preventing malware from using DNS traffic for malicious communication.
Solutions such as Stealthwatch can help organisations identify anomalous traffic on their networks, such as the use of DNS for passing and receiving malicious commands. Coupled with Cisco’s Identity Services Engine (ISE), affected devices can be quarantined from the network to prevent further data loss or attackers spreading from their point of entry.
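The kind of anomaly described above, DNS being used to carry commands rather than to resolve names, tends to show up in resolver logs as a single client issuing many TXT queries to one domain, each with a long, high-entropy leftmost label that is never repeated (so caching never helps). The following is an added example of that detection logic, not code from the original post or from any Cisco product; the log format, the thresholds, the `c2-placeholder.test` domain and the sample lines are all constructed assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Each line is
# "<timestamp> <client_ip> <qtype> <qname>". The host 10.0.0.7 is the
# assumed infected machine; "c2-placeholder.test" is a placeholder domain.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.5 A www.example.com
2017-03-02T10:00:02 10.0.0.5 A mail.example.com
2017-03-02T10:00:03 10.0.0.7 TXT a4f91c2e7b3d.cmd.c2-placeholder.test
2017-03-02T10:00:04 10.0.0.7 TXT 8e2d0f7a61c9.cmd.c2-placeholder.test
2017-03-02T10:00:05 10.0.0.7 TXT 3b7c5e9d2a14.cmd.c2-placeholder.test
2017-03-02T10:00:06 10.0.0.7 TXT f0a6d8e1b4c7.cmd.c2-placeholder.test
2017-03-02T10:00:07 10.0.0.7 TXT 2c9e4b1f7d03.cmd.c2-placeholder.test
2017-03-02T10:00:08 10.0.0.9 TXT _dmarc.example.com
2017-03-02T10:00:09 10.0.0.9 A www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse the assumed four-column log format into dicts; skip bad lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def base_domain(qname: str) -> str:
    """Simplification: treat the last two labels as the registered domain."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_suspicious_dns(records, min_txt=5, min_entropy=3.0, min_prefix_len=10):
    """Flag (client, domain) pairs whose TXT queries look like a command channel.

    Thresholds are illustrative assumptions, not tuned production values.
    """
    stats = defaultdict(lambda: {"txt": 0, "entropy": 0.0,
                                 "prefix_len": 0.0, "qnames": set()})
    for r in records:
        if r["qtype"] != "TXT":
            continue
        bd = base_domain(r["qname"])
        prefix = r["qname"][: -len(bd)].rstrip(".")   # everything left of the domain
        leftmost = prefix.split(".")[0] if prefix else ""
        s = stats[(r["client"], bd)]
        s["txt"] += 1
        s["entropy"] += shannon_entropy(leftmost)
        s["prefix_len"] += len(prefix)
        s["qnames"].add(r["qname"])

    alerts = []
    for (client, domain), s in stats.items():
        n = s["txt"]
        avg_entropy = s["entropy"] / n
        avg_prefix = s["prefix_len"] / n
        # All three signals together: volume, randomness, and length of the
        # data-bearing prefix. Legitimate TXT lookups (SPF, DMARC) fail each.
        if n >= min_txt and avg_entropy >= min_entropy and avg_prefix >= min_prefix_len:
            alerts.append({"client": client, "domain": domain, "txt_queries": n,
                           "unique_qnames": len(s["qnames"]),
                           "avg_entropy": round(avg_entropy, 2),
                           "avg_prefix_len": round(avg_prefix, 1)})
    return alerts


def run_sample() -> list:
    """Run the detector over the constructed log and return the alerts."""
    return find_suspicious_dns(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The `_dmarc.example.com` lookup from 10.0.0.9 shows why the three signals are combined: a legitimate TXT query fails the volume and entropy tests, whereas the five queries from 10.0.0.7 each carry a fresh twelve-character hex label in front of a fixed domain, which is the shape of a host pulling commands over DNS rather than resolving names. In practice the base-domain split should use a public-suffix list and the thresholds should be tuned against a baseline of the organisation's own resolver logs.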
When threat actors deploy multiple techniques to attempt to hide malware, it is advantageous to apply multiple approaches to the identification and disabling of an infection. Perimeter defences that keep bad stuff out are vital, but it is important not to rely on them alone, and to consider how a threat that does penetrate the perimeter can be found swiftly and blocked before further harm is incurred.
Bad guys are not getting any dumber. At Talos we are committed to ensuring that through our research and threat intelligence activities, Cisco’s security products are more than equal to challenges such as these.
Read more details about the DNS Messenger attack and Talos’ research on the subject.