Thursday, July 11, 2019

Malware Mania! What's a Malware Campaign?

Hi Friends,

Sorry for being a flake, you know work, work, work, blah, blah, blah, busy, busy, etc.  :-)  Today I thought I'd talk about what the difference is between a "malware" and a "malware campaign".  It was a new concept for me and I thought I'd explain it in "Neil Speak".

Okay, set the way-back machine back a number of years when I was a System Administrator.  No I'm not going to say how many years.  :-)














When companies I worked for got hit by malware, it was always a mad scramble to try and contain the little beasties from sleazing their way through our network.  Most of them were probably delivered by email, clicked on and then began their nastiness.  Usually that meant network attached drives to Windows Servers were now flooded with malware and moving their way vertically through the company.

As a Sys Admin, my main concern was finding something to neutralize the threat and get production up and running cause business users don't like it when they can't do their work.  No work usually means no revenue for the company.  So get your behind moving Neil!!

Let's back up a little bit, and focus less on the malware itself and more on the campaign.  A malware campaign is just like any other campaign.  You decide what you're going to do, make a plan and then launch that plan.  In the case of malware, a threat actor(s) decides they're going to launch an attack with a certain type of malware, and HOW they're going to get that malware to you.

Remember my example of running around like a chicken with no head trying to stop the malware from spreading?  Those were most likely malware campaigns, but by the time it got to me it was already an end point nightmare.

So what's the differentiation?  Malware is malware, it's the bits and bytes that are going to do the nastiness.  The malware campaign is how it's going to get delivered to you.  Here are some examples:

1.  An email message with the malware right in the email.
The Threat Actor is being pretty bold and just attaching the malware.  If you open it, unfortunately they've got you.  This doesn't seem to be a major delivery method anymore since a lot of anti-malware software will see a .exe, .vbs, etc. and block the file from ever being delivered.

2.  An email message with a link to a website that asks you to download a file once you get there.
Since many anti-malware systems block out questionable files, this seems to be a favorite among threat actors.  The email isn't the malware, the link isn't the malware, the file it downloads MIGHT be the malware, but a lot of times it isn't, it's just another link in the chain, but more on that later.

3.  An email message with a compressed (ZIP) password protected file is included in an email to you with the password to the archive in the email message.
The email is not the malware, it's just the method to expose you to the malware.

4.  This one is really nasty.  A specially written email to someone in a company that handles money, from what seems to be a high ranking officer in the same company.  Typically the threat actor builds up trust and then asks for a large sum of money to be sent to a bank account number for a business transaction.
This is what's called Business Email Compromise (BEC).  In this case NO malware is involved at all.

So you see, the campaign is just as important as the malware itself.  Threat Actors are constantly thinking of new ways to send malware and just because they used a link to the malware in Campaign 1, doesn't mean they'll use the same URL or even a URL at all in Campaign 2.

Before you go running for the hills and throw away all of your technology, just remember, Threat Actors are always trying to kick us in the gut and they do a very good job.  As anti-malware companies build better mouse traps, Threat Actors are continually working on better mice.  This means evolving malware campaigns to new and more nefarious methods.  As you saw in number 4, they don't even use malware, it's just a complex game of smoke, mirrors and misdirection.

Remember I said I'd talk more about number 2.  What's really creepy is Threat Actors have created multi-stage malware campaigns.  Here's an example:
1.  You receive an email that looks like it's from your bank.  There's a link that says you need to go to this link or your account will be deactivated.
2.  You go to the link and to the fake sight which looks legitimate.  You are requested to download a new version of the end user license agreement (EULA).
3.  You download this file and open it up.
4.  A vulnerability in Microsoft's Equation Editor allows for a file to run, NOT the malware.
5.  This file contacts a Command and Control (C&C) server controlled by the Threat Actor.
6.  The Threat Actor puts EMOTET on your desktop.

Here steps 1-5 are the campaign, not the malware.  Emotet, a banking trojan, is put on to your computer after a number of complex steps.  The wild thing is Threat Actors are now using malware to call OTHER malware.  It's just another way to further obscure anti-malware software from stopping the malware.

So how do you avoid all of these shenanigans?
















Unless you live in a cave with no connection to the outside world you can't, but you can be educated and aware of the new tactics Threat Actors are using.  Few things to keep in mind:

1.  If it looks fake, it probably is.
2.  When in doubt, don't click on any links in email.
3.  Password protected ZIPs are suspicious.
4.  If you receive something and you're concerned, DON'T click on links in the email.  Go directly to the official website and log in there.
5.  If you don't want to go to the website, call the vendor.  They normally will have an 800 number for you to call their customer support.
6.  If someone sends you a file in email, ask yourself some questions.
Do I know this person?
Do they normally send me stuff?
Does it seem suspicious?
Can you contact the person and see if they really did send the email and the attachment?
7.  Does the email contain lots of grammatical and spelling mistakes?
That's a good indicator it might be fake.

I know it's a pain in the neck, but welcome to the connected world.  It's both glorious and terrifying at the same time.

Be safe out there!
Neil


No comments:

Post a Comment