Threat Intelligence Spotlight: Hunting Evasive Malware
Table of Contents
3 EXECUTIVE SUMMARY
4 INTRODUCTION: A SHIFTING PLAYING FIELD
4 The perimeter is no more
4 Attackers exploit users
5 MALWARE TRENDS IN 2020
5 Notable threats from incidents investigated in 2020
8 Dishonorable mentions: Checking in on other notables
10 EVASION STRATEGIES
10 User Execution
11 LOLBin abuse
14 CONCLUSIONS AND RECOMMENDATIONS
15 REFERENCES
Threat Intelligence Spotlight: Hunting Evasive Malware © eSentire and VMWare Carbon Black July 2020
Executive Summary
It is not an exaggeration to say that endpoint protection is more important today than ever before.
Cybercrime operations have adapted to take advantage of the business disruptions that have characterized the
first half of 2020. A global pandemic, workforce shifts to home workstations and rapid migration to more cloud
services to support that shift have altered threat surfaces, placing emphasis on endpoint and cloud security.
The result is that an organization’s network footprint is now dispersed globally across interacting systems and
technologies.
Threat actors, showing their usual agility, have shifted efforts to target remote workers and take advantage
of current events. Because today’s networks have more sophisticated automated defenses than ever before,
attackers are turning to:
• Exploiting user behavior: tricking users into opening and executing a malicious file, going to a malicious
site or handing over information, typically using lures that create urgency (e.g., by masquerading as
payment and invoice notifications) or leverage current crises and events
• Leveraging trusted operating system tools (living-off-the-land binaries, aka LOLBins) and abusing the
capabilities of binaries and processes to achieve malicious goals (e.g., perform domain reconnaissance,
establish persistence, escalate privileges, etc.)
When used in combination, as is frequently the case, these techniques are effective at bypassing automated
defenses to gain initial access. In fact, the majority of successful bypass incidents we observe result from these
tactics. Similar attacks will continue to pose a significant threat throughout 2020: examples in the first half of the
year include Zloader, Valak, SocGholish and More_eggs.
In an incident observed by eSentire in May, a new Zloader variant successfully dropped Silent Night, which then
proceeded to perform domain reconnaissance. This lateral movement activity was detected and traced back to
initial access (Zloader), which had entered the organization through email, hidden in a malicious document that
included a novel LOLBin abuse technique. Upon discovery of the technique, eSentire’s threat response teams
developed and deployed detection across the endpoint customer base.
The challenge in developing automated defenses against user execution and LOLBins is that these activities
in isolation do not indicate intent. It is only when considering the larger context of the action or execution that
the malicious intention becomes clear—and that is why threat hunting is so important. Through continuous
and collaborative research, threat hunters can distinguish between legitimate and malicious use of tools and
processes, which is a necessary precursor to defining automated methods that reliably detect endpoint threats.
Introduction: A Shifting Playing Field
By shining a light on cyberthreats, we want to bring data and insights to conversations that can be dominated
by opinion and guesswork. By citing background evidence, links to external sources, high-level overviews and
incident anecdotes in this report, we aspire to raise the level of understanding of cybersecurity, particularly for
leaders tasked with making cybersecurity-related decisions.
The first half of 2020 was eventful, to say the least. The COVID-19 pandemic swept the globe and civil rights
demonstrations filled streets and squares worldwide. Unfortunately for businesses and their employees,
attackers are adept at seizing the opportunities created by chaos, distractions and top-of-mind topics.
The perimeter is no more
When the pandemic struck, it accelerated two trends that had already been underway for quite some time.
First, by forcing widespread adoption of work from home (WFH), the pandemic has left traditional
security perimeters all but disappearing—or, at the very least, evolving. In the not-too-distant past, most of an
organization’s devices and systems—including its many endpoints—were located on a trusted network behind a
perimeter consisting of firewalls, IDS/IPS and other security solutions. Those days are over.
Second, widespread adoption of cloud-based services was well underway before the pandemic. But the
associated benefits of increased flexibility and reduced management overhead became even more valuable
as employees around the world went home to work. However, with that shift, important applications and
services are no longer housed in a secure data center, behind layers of security that were built and controlled
by the organization.
Additionally, the convenience of the cloud has made disposable, anonymous and trusted infrastructure available
to threat actors—a development which was examined in the 2019 eSentire Annual Threat Intelligence Report.
Attackers exploit users
Each of these trends has serious consequences for an organization’s cybersecurity posture and strategy;
combined, they’re disruptive. Plus, threat actors have adjusted tactics to target unsuspecting home office
workers in an attempt to gain access to corporate networks and valuable data. For instance, attackers have
increased use of Zoom, WebEx and other video conferencing phishing lures in response to the work-from-
home trend.1
Additionally, TrickBot campaigns have adopted themes relating to the Black Lives Matter movement, continuing
a long-favored strategy of leveraging current events to nudge users toward opening malicious documents.2
Unsurprisingly, COVID-themed messages are also in use.3
Malware Trends in 2020
Despite the wide variety of functional purpose found within the malware ecosystem, the process by which
endpoints become compromised is fairly universal:
• Infection: Via one or more of a wide variety of mechanisms (e.g., malicious attachment, network service
exploit, infected USB, drive-by-download, etc.) an endpoint is compromised; often a piece of “Dropper”
or “Delivery” malware is downloaded onto (or inserts itself into) an endpoint to establish a beachhead.
In some cases, internet-facing servers are exploited to install malware through remote code execution
• Instruction: Now established, the malware reports a new infection to the associated command-and-
control infrastructure and receives instructions, additional malicious code or functional components.
In sophisticated attacks, this process can involve a human operator who is now armed with any context
and credentials acquired during the initial attack
• Propagation: In parallel, the malware often attempts to spread to additional hosts; as before, it uses one or
more of a long list of techniques (e.g., Common Internet File System/Server Message Block vulnerabilities;
harvesting credentials from web browsers, email clients or the operating system itself). In sophisticated
attacks, this step is performed carefully and quietly by manual operators (particularly in the case of
ransomware deployment, where signaling the user of compromise is an explicit step)
The potential to stop malware delivery in its tracks—or at least to detect it quickly, thereby triggering automated
responses and manual intervention to prevent widespread infection—is a major reason why endpoint protection
is a crucial part of any effective defense-in-depth strategy.
Notable threats from incidents investigated in 2020
Our investigations in the first half of 2020 show the following malware threats to be especially noteworthy.
Silent Night and Zloader
Zloader is a downloader module originally created in 2016 to download the Zeus banking Trojan. In the years
since, Zloader has disappeared and reappeared repeatedly as its authors make modifications and defenses are
updated in response.
In May 2020, while researching living-off-the-land binary (LOLBin) domain reconnaissance tactics, eSentire’s
threat hunters investigated a customer event and traced the initial access back to Zloader.
After this discovery, further research revealed additional tactics, techniques and procedures (TTPs), which
allowed the team to hunt and deploy detection rules across our client base, revealing additional incidents from
April 2020 that were attributable to Zloader.
In each incident, initial access leveraged either email attachments or drive-by downloads of malicious payloads.
A typical attachment-based infection workflow is:
• The victim receives an email using a topical lure (e.g., invoice/payment, COVID-19)
• The email contains a password-protected malicious Excel file
• The victim opens the Excel file
• The Excel file executes the malicious payload using Excel 4.0 formulas
The primary goal of these macros is, ultimately, to install the Silent Night banking Trojan, which first appeared in
November 2019. On May 21, Malwarebytes released a comprehensive investigation into Silent Night and Zloader,
and we highly recommend the report.4
Interestingly, a 12-month search of the joint eSentire and VMware Carbon Black customer base showed 190
hashes for Silent Night and only seven for Zloader. The most probable explanation is that Silent Night is more
easily detectable by automated defenses (recall that we wrote a custom detection for Zloader).
Valak
Until recently, Valak was a basic dropper for other malware, but in the first half of 2020 approximately 30
different Valak variants were identified, with improving capabilities such as reconnaissance and information theft.
We directly observed several incidents in the second half of May and have seen three Valak hashes in the last 12
months.
Researchers have observed some overlap between Valak, Gozi and Ursnif, but the exact nature of the
relationship between threat actors is unknown.
Like Zloader, the most common infection vector is a malicious Microsoft Office document (most frequently Word,
housed in a Zip archive and arriving via email), which leverages macros. The Word macro retrieves the payload
and persists via a scheduled task. Also like Zloader, Valak attempts to profile the network using tools within the
operating system and particularly targets domain administrators and Microsoft Exchange.
SocGholish
SocGholish is a JavaScript-based attack framework known for using fake browser and software updates as a
method of entry.
Throughout the first half of 2020, SocGholish utilized fake Chrome updates to gain initial access. After
establishing a foothold, the malware was often found executing domain discovery commands, enumerating
domain administrator accounts and attempting to establish a reverse shell—an indication of a shift to manual
threat actor operation.
In some cases, the malware’s operators attempted to deploy Cobalt Strike, a sophisticated lateral movement
tool. No ransomware deployment was observed directly by the eSentire team, but reports from external sources
indicate a potential business relationship between SocGholish operators and WastedLocker ransomware.5
In an extensive threat intelligence blog posted on June 25, Symantec’s Critical Attack Discovery and Intelligence
Team wrote that, “Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity
malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move
across the network in order to deploy the WastedLocker ransomware on multiple computers."
More_eggs
More_eggs is a JavaScript backdoor used by the Cobalt Group and FIN6.
While VMware Carbon Black and eSentire have observed fewer instances (two) of More_eggs than we have of
the other malware specifically mentioned in this report, More_eggs warrants attention because the Cobalt Group
is a longstanding and successful threat actor.
Additionally, More_eggs is notable because initial access employs a somewhat unique LOLBin exploit (an
AppLocker bypass technique using the msxsl utility), which is further evidence that threat actors continually
develop, experiment with and roll out new techniques.
Maze
The Maze ransomware group has been very active in the first half of 2020, with evidence suggesting a string of
successful attacks against Cognizant, WorldNet Telecommunications and LG Electronics. In the attack against LG,
which was announced in late June, Maze purports to have stolen 40 GB of source code (Figure 1).6
eSentire observed a single Maze incident in May, and in the last 12 months, we have observed seven
Maze hashes.
Reconnaissance, lateral movement and hands-on-keyboard ransomware
Another notable trend is that initial access malware increasingly includes some domain reconnaissance
capabilities. The examples profiled above have some combination of collection/infostealing and reconnaissance
(e.g., keyloggers, password scrapers, domain scanners) capabilities. Consequently, they could lead to serious
breaches through the installation of backdoors, credential theft and spreading laterally throughout a network.
Once a domain is compromised, it can be maintained for technological and personnel espionage, sold on the
black market or—as is often reported in the news headlines—converted into a ransomware operation.
As predicted in the 2019 eSentire Annual Threat Intelligence Report, an increase was observed in cooperation
between ransomware actors and initial access actors. Hypothetically, the initial access actors establish
a foothold and perform reconnaissance activities to prepare for the introduction of hands-on-keyboard
ransomware, but the details and nature of such relationships are not well understood.
Figure 1—Like many ransomware operators, Maze posts teasers and proof of compromise as incentives for victims to pay the recovery ransom; the evidence in this case suggests the source code relates to telecom operator AT&T.
These sophisticated, targeted operations require much more manual effort and attention and so earn the
qualifier of “hands-on-keyboard.” Legacy ransomware opportunistically infected individual users, largely
through automated means including malicious emails and drive-by downloads; however, automated spreading
mechanisms were often inefficient and functioned poorly in comparison to the modern approach. Today’s
ransomware combines automated reconnaissance with a human operator at the keyboard. A rational actor
with domain control has more agility than automated malware and can quickly work around security controls to
establish backdoors, scrape high-value information and facilitate speedy ransomware deployment.
As a last line of defense against ransomware—and domain compromise, in general—we recommend businesses
maintain frequent secondary and redundant backups of all essential systems and files either offline or in a
segregated environment, extending back for a long period (as ransomware and other persistent malware can lie
dormant for many months).
Additionally, because hands-on-keyboard ransomware is being introduced manually, the dwell time before
activation is growing—giving managed detection services an advantage in detecting threats prior to encryption.
Dishonorable mentions: Checking in on other notables
Through observation and proactive research, we monitor ongoing and emerging threats, but we can’t help but
pay particular attention to those threats that have a proven or recent track record.
TrickBot and Ryuk
TrickBot is a modular infostealer, which has primarily been used to target banking sites and has worked
in concert with Emotet and Ryuk to wreak havoc. The eSentire Annual Threat Intelligence Report for 2019
mentioned TrickBot 15 times. It has attained infamy as arguably the first widespread example of a linkage
between opportunistic mailspam and manual ransomware (Ryuk).
2020 paints a different picture: while we observe TrickBot and Ryuk at a very high frequency (Figure 2), for the
time being it is very rare that they manage to evade defenses. Notably, both of these pieces of malware are
always being tweaked. In the last year, VMware Carbon Black has observed 25 unique hashes for Ryuk and more
than 900 for TrickBot.
Figure 2—A count of the number of observations of different malware families from July 2019 through June 2020 shows enormous variation (note the logarithmic scale).
REvil (Sodinokibi)
REvil is believed to be run by the same actors who operated the GandCrab ransomware (GandCrab was shut
down shortly after REvil appeared). REvil employs a diverse group of techniques to gain access, including
malicious emails, compromised MSPs, exploit kits, scan-and-exploit techniques, RDP servers and backdoored
software installers. To increase the difficulty of restoring files without paying a ransom, REvil searches for
back-ups and shadow copies of files and deletes them.
As Figure 2 shows, REvil remains very active, but—like TrickBot and Ryuk—successful attacks are relatively rare
(we directly observed one incident at the beginning of April).
Dridex
Dridex is a banking Trojan that has evolved over the last decade, gaining new features including dynamic
configuration, web injections and infecting connected USB devices. In 2019, Dridex also gained new evasion
techniques, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption and peer-to-
command-and-control encryption.
In mid-2019, a new variant of Dridex was spotted, which uses an application whitelisting bypass technique to
evade mitigations that disable or block Windows Script Host.7 The technique takes advantage of the WMI
command-line (WMIC) utility’s weak execution policy around XSL scripts.
The most common initial access workflow we have observed with Dridex in recent months is to arrive in an email
(commonly presented as an invoice or overdue payment) containing a link to a Zip archive, which itself contains a
VBscript (.vbs file) requiring user execution.
PowerShell Empire
PowerShell Empire (Empire) is a post-exploitation framework available on GitHub and identified by the UK’s
National Cyber Security Centre (NCSC) in their joint report on publicly available hacking tools.8
Empire is often seen as an intermediate phase in ransomware attacks, succeeding the initial access malware to
enable the lateral movement, which precedes widespread activation of encryption.
Evasion Strategies
Today’s networks are better defended than ever before when it comes to foreign executables being delivered
directly to organizations, forcing threat actors to adopt a combination of user execution and LOLBin abuse to
bypass perimeter controls. In fact, most of the incidents in which we observe successful bypass of antivirus result
from these techniques.
Until automated security measures can reliably detect these techniques, the cybersecurity community will continue
to depend upon human-led threat hunting (as distinct from automated tools) and rapid organization responses.
User execution
User execution is employed as a means of bypassing automated security measures and remains an effective
tactic for threat actors. The overwhelming majority of such events leverage email attachments and links to
malicious files, although drive-by downloads do happen and can be impactful, as observed with SocGholish.
A common tactic in the incidents we directly observed was the use of Zip archives to hide a weaponized
Microsoft Office document. These Zip files are either attached to an email directly or are served via a link
within the email. When attached directly, the Zip files may be password-protected to bypass email attachment
scanners.
Upon opening the Zip archive, the user typically finds a Word or Excel file masquerading as an invoice, a
purchase order or some other business-related file.
These files generally include malicious formulas and macros; if permitted to execute, then simply opening the file
can unwittingly grant an attacker initial access.
Because many organizations have controls in place, it’s common to see instructions (masquerading as a helpful
tip or direction) contained within the documents which explain to the victim how to enable macros.
Figure 3—Attackers encourage users to unwittingly take unsafe actions.9
A similar approach is employed to prompt users to open and execute malicious script files (e.g., .vbs, .js, .ps1)
to similar effect.
Another means of gaining initial access is to send the user to a malicious domain, where a browser vulnerability
can be exploited or the user can be tricked into executing malware masquerading as a software update (e.g., a
fake Flash or browser update, as is a common tactic with SocGholish).
As noted previously, threat actors are adept at adjusting their tactics to increase the appearance of legitimacy.
Figure 4 shows a Zoom lure that might appeal to remote workers; we have also directly observed COVID-19
(Zloader) and Black Lives Matter (TrickBot) lures.
LOLBin abuse
There are many mechanisms by which malware attempts to achieve actions on objective. Starting in 2016
and accelerating in 2017, attackers made a strategic shift and began widely employing “fileless” attacks.10 Also
referred to as “non-malware” attacks, fileless attacks leverage existing OS tools, software, permitted applications
and authorized protocols to carry out malicious activities—in contrast to relying upon a dedicated piece of
malware. It’s worth mentioning as a caveat that this technique is often used as an intermediate step to introduce
traditional malware (malicious executables), but more often these function as custom plug-ins introduced after
persistence and evasion measures have been implemented.
A particular trend we are closely monitoring and researching is the use of LOLBins. These are non-malicious
binaries and other trusted processes that attackers and malware abuse to hide malicious activity and to evade
defenses. Because these processes are trusted, it is very difficult to automate detection. The use of a binary isn’t
sufficient to identify an activity as malicious—instead, the context in which the binary is used (e.g., parent-child
relationships, mod loads, associated script files, user context) must be known to determine the intention behind
the execution.
Legitimate software developers, code-savvy system administrators and threat actors can all make use of
system tools in a variety of creative ways. Researching and separating these use cases demands manual—but
necessary—work for security teams to stay at the front of the evolving threat landscape and to address the
corresponding consequences for an organization’s threat surface.
Figure 4—Threat actors are adept at shifting their tactics; in this example, a Zoom lure attempts to trick the user into clicking on a malicious link.
Example: investigating a Zloader incident
Figure 5 shows the process tree for the first Zloader incident investigated in May 2020. Note that to gain initial
access, the malware leveraged a series of legitimate processes; these processes traced back to a malicious
Excel file, which was opened from within Microsoft Outlook after arriving in an email.
The Excel file relied on a convoluted collection of Excel 4.0 macros (as distinct from VBA macros) to pursue malicious objectives.
Excel 4.0 macros (also called XLM) were introduced in 1992, followed a year later by Visual Basic for Applications (VBA) macros in Excel 5.0. Despite their age, Excel 4.0 macros are still supported in recent Microsoft Office versions; unfortunately, they also provide many offensive opportunities for attackers. Moreover, because they are stored in a different way in Excel files than VBA macros, Excel 4.0 macros are more difficult to analyze.11
In this particular incident, the macros were obfuscated by arranging them in columns of integers that are converted to ASCII characters via the CHAR function.
Housed inside a hidden workbook, the macros ultimately combine to comprise a script which downloads a malicious DLL masquerading as an HTML file, presumably the SilentNight payload.
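As an added illustration (not part of the report and not eSentire's tooling), the Python below decodes the two obfuscation shapes just described, a column of bare integers and a CHAR() concatenation formula that mixes literal codes with a cell reference, from a constructed handful of cells, and then surfaces any Excel 4.0 functions in the decoded text that an analyst would want to review first. The cell contents, addresses and decoded strings are made up for this example.

```python
import re
from typing import Dict, List

# Constructed sample cells from a hidden macro sheet, keyed by A1-style address.
# Column B holds bare integers; C1 concatenates CHAR() calls that mix literal
# codes with a cell reference (D1). The decoded strings are harmless placeholders.
SAMPLE_CELLS: Dict[str, str] = {
    "B1": "61", "B2": "72", "B3": "65", "B4": "76", "B5": "84", "B6": "40", "B7": "41",
    "C1": "=CHAR(61)&CHAR(82)&CHAR(85)&CHAR(78)&CHAR(40)&CHAR(D1)&CHAR(49)&CHAR(41)",
    "D1": "65",
}

# CHAR(<integer>) or CHAR(<cell reference>), case-insensitive.
CHAR_CALL = re.compile(r"CHAR\(\s*([A-Z]+[0-9]+|[0-9]+)\s*\)", re.IGNORECASE)

# Excel 4.0 macro functions that launch code or register external routines;
# their presence in decoded text is what an analyst wants surfaced first.
WATCHLIST = {"EXEC", "CALL", "REGISTER", "FORMULA", "RUN"}


def char_code(token: str, cells: Dict[str, str]) -> int:
    """Resolve a CHAR() argument: an integer literal, or a cell holding one."""
    if token.isdigit():
        return int(token)
    value = cells.get(token.upper(), "").strip()
    if not value.isdigit():
        raise ValueError(f"cell {token} does not hold an integer: {value!r}")
    return int(value)


def decode_char_formula(formula: str, cells: Dict[str, str]) -> str:
    """Turn '=CHAR(a)&CHAR(b)&...' into the text it builds, resolving references."""
    parts: List[str] = []
    for fragment in formula.lstrip("=").split("&"):
        match = CHAR_CALL.fullmatch(fragment.strip())
        if match is None:
            raise ValueError(f"unsupported fragment: {fragment!r}")
        parts.append(chr(char_code(match.group(1), cells)))
    return "".join(parts)


def decode_int_column(cells: Dict[str, str], column: str, start_row: int = 1) -> str:
    """Read a column of bare integers downward until an empty or non-numeric
    cell and return the ASCII string they spell out."""
    chars: List[str] = []
    row = start_row
    while cells.get(f"{column}{row}", "").strip().isdigit():
        chars.append(chr(int(cells[f"{column}{row}"])))
        row += 1
    return "".join(chars)


def flag_functions(decoded: str) -> List[str]:
    """List watch-listed XLM function names that appear in decoded macro text."""
    names = {m.group(1).upper() for m in re.finditer(r"\b([A-Za-z]+)\(", decoded)}
    return sorted(names & WATCHLIST)


if __name__ == "__main__":
    column_text = decode_int_column(SAMPLE_CELLS, "B")
    formula_text = decode_char_formula(SAMPLE_CELLS["C1"], SAMPLE_CELLS)
    for text in (column_text, formula_text):
        print(f"{text!r:12} flagged: {flag_functions(text) or 'none'}")
```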
Figure 5—The process tree for the initial Zloader incident we observed.
Figure 6—This image, from Malwarebytes' deep-dive, shows how Zloader abuses Excel.
SilentNight was detected performing domain reconnaissance using operating system tools including net and
nltest. For example, it employed the command nltest /domain_trusts /all_trusts to generate a list
of all trusted domains, providing the attacker with information to aid in lateral spread.
We have seen the same tactic used by TrickBot, PowerShell Empire and now SocGholish. It’s also important
to note that, like the binaries in Figure 5, nltest and the corresponding /domain_trusts command are
legitimate tools relied upon by domain administrators, which complicates automating defenses.
Other process paths we observed include:
• Valak and Ursnif: Word macros → regsvr32 → wscript → malicious JavaScript
• More_eggs: Word macros → svchost → wmiprvse → (msxsl, cmstp, regsvr32)
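To show the "context, not binary" point in code, here is an added Python example (not eSentire's or VMware Carbon Black's detection logic) that evaluates constructed process-creation events: it flags nltest /domain_trusts or net group /domain when the parent chain leads back to an Office application or script host, and leaves the same command alone when run from an administrator's interactive shell. The events, process IDs, user names and file name are constructed for the example and are not the Figure 5 tree.

```python
from typing import Dict, List, Tuple

# Constructed process-creation events (not real telemetry): pid, parent pid,
# image name, command line and the account that ran it.
EVENTS: List[Dict] = [
    {"pid": 1,   "ppid": 0,   "image": "explorer.exe", "cmdline": "explorer.exe", "user": "CORP\\jsmith"},
    {"pid": 100, "ppid": 1,   "image": "outlook.exe",  "cmdline": "outlook.exe", "user": "CORP\\jsmith"},
    {"pid": 200, "ppid": 100, "image": "excel.exe",    "cmdline": "excel.exe invoice_0422.xls", "user": "CORP\\jsmith"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",      "cmdline": "cmd.exe /c nltest /domain_trusts /all_trusts", "user": "CORP\\jsmith"},
    {"pid": 400, "ppid": 300, "image": "nltest.exe",   "cmdline": "nltest /domain_trusts /all_trusts", "user": "CORP\\jsmith"},
    {"pid": 500, "ppid": 200, "image": "net.exe",      "cmdline": 'net group "domain admins" /domain', "user": "CORP\\jsmith"},
    # The same reconnaissance command, typed by an administrator in an interactive shell.
    {"pid": 2,   "ppid": 0,   "image": "explorer.exe", "cmdline": "explorer.exe", "user": "CORP\\itadmin"},
    {"pid": 600, "ppid": 2,   "image": "cmd.exe",      "cmdline": "cmd.exe", "user": "CORP\\itadmin"},
    {"pid": 700, "ppid": 600, "image": "nltest.exe",   "cmdline": "nltest /domain_trusts /all_trusts", "user": "CORP\\itadmin"},
]

# (image, substrings that must all appear in the command line) for domain reconnaissance.
RECON_RULES: List[Tuple[str, Tuple[str, ...]]] = [
    ("nltest.exe", ("/domain_trusts",)),
    ("nltest.exe", ("/dclist",)),
    ("net.exe", ("group", "/domain")),
]

# Ancestors that rarely have a business reason to spawn domain reconnaissance:
# Office applications and the script/LOLBin hosts named in this report.
SUSPECT_ANCESTORS = {
    "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "msxsl.exe",
}


def build_index(events: List[Dict]) -> Dict[int, Dict]:
    """Map pid to its event so parents can be looked up in constant time."""
    return {event["pid"]: event for event in events}


def lineage(index: Dict[int, Dict], pid: int) -> List[str]:
    """Image names from the process up to the root, child first; guards against cycles."""
    chain: List[str] = []
    seen = set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid]["image"].lower())
        pid = index[pid]["ppid"]
    return chain


def is_recon(event: Dict) -> bool:
    """True when the image and command line match one of RECON_RULES."""
    image, cmd = event["image"].lower(), event["cmdline"].lower()
    return any(image == rule_image and all(needle in cmd for needle in needles)
               for rule_image, needles in RECON_RULES)


def evaluate(events: List[Dict]) -> List[Dict]:
    """One alert per reconnaissance command whose ancestry contains a suspect process.
    The binary alone is never enough: a bare nltest from an admin shell produces nothing."""
    index = build_index(events)
    alerts: List[Dict] = []
    for event in events:
        if not is_recon(event):
            continue
        chain = lineage(index, event["pid"])
        suspect_parents = sorted(set(chain[1:]) & SUSPECT_ANCESTORS)
        if suspect_parents:
            alerts.append({
                "pid": event["pid"],
                "user": event["user"],
                "cmdline": event["cmdline"],
                "chain": " <- ".join(chain),
                "suspect_parents": suspect_parents,
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(f"[{alert['user']}] {alert['cmdline']}\n    {alert['chain']}\n"
              f"    suspect parents: {', '.join(alert['suspect_parents'])}")
```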
Interrupting the lifecycle
A major focus of next-generation endpoint protection platforms is to detect and to stop the code execution
needed at each stage of the malware lifecycle—thereby preventing the threat from achieving its goals.
Customizable behavioral rules allow for granular control of whitelists for business operations while restricting
unapproved execution of potential threats, thereby achieving protection without interfering with legitimate
business processes and applications. System administrators can also enable macro controls (e.g., per user, per
application) and signing—attach a digital signature to trusted macros and disable unsigned macros—as defense
mechanisms.
Additionally, Microsoft Defender Advanced Threat Protection (ATP) allows use of attack surface reduction (ASR)
rules to target software behaviors that are often abused by attackers, such as:12
• Launching executable files and scripts that attempt to download or run files
• Running obfuscated or otherwise suspicious scripts
• Performing behaviors that apps don't usually initiate during normal day-to-day work
Conclusions and Recommendations
There’s no question that for the foreseeable future protecting distributed home offices must be a security priority.
And that’s a major reason why endpoint security is so important. But “security” can be an ambiguous term, so
we should be more specific. For an endpoint security strategy to be successful, it requires as a minimum two
functional components:
• Prevention, through next-generation antivirus (NGAV)
• Detection and response, to identify and contain threats that bypass defenses
The most effective way to deliver these functions is to run an agent directly on each endpoint, because doing so
provides unmatched visibility into and—vitally—control over the device’s activity. This approach fills in gaps and
re-strengthens the security posture by equipping security personnel with the tools needed to quickly investigate
threats and take decisive, difference-making action to isolate devices and stop malicious processes.
Importantly, no one knows with any certainty when social distancing measures will be relaxed; moreover, many
organizations are exploring (or have already announced) a permanent shift to a work-from-home model.13
So not only is it truly endpoint’s time to shine, but the investment has tremendous long-term value.
In addition to implementing a modern endpoint protection platform, organizations should pursue a
comprehensive defense-in-depth strategy:
• Recognize the limitations of antivirus solutions, and do not rely on antivirus alone to protect against modern
threats. Employ multiple endpoint solutions, with next-generation antivirus being one
• Because organizations with more distributed locations, systems and people are considerably more
vulnerable than those with only a small number of locations, take special care—especially during times of
aggressive growth or during sudden changes in remote work—to harden endpoints and exposed systems
(e.g., RDP servers)
• Most malware arrives through malicious email attachments or links, both of which exploit user behavior
to initiate the malicious activities. Organizations can attempt to mitigate this risk through regular
user awareness training (e.g., continuous simulated phishing exercises to assess effectiveness and
implementing a process for reporting/responding to suspicious emails) and technical controls
(e.g., implement spam filtering, URL rewriting and attachment sandboxing; only allow email attachments
containing trusted file types; restrict execution from temp directories, such as AppData)
• Because permissive application policies, or a failure or inability to enforce more restrictive policies,
contribute to increasing an organization’s vulnerability, leaders must support IT teams’ efforts to manage
applications and to enforce policies strictly
References
[1] https://www.proofpoint.com/us/threat-insight/post/remote-video-conferencing-themes-credential-theft-and-malware-threats
[2] https://www.bleepingcomputer.com/news/security/fake-black-lives-matter-voting-campaign-spreads-trickbot-malware/
[3] https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-impact-covid-19-cyber-threat-activity
[4] https://blog.malwarebytes.com/threat-analysis/2020/05/the-silent-night-zloader-zbot/
[5] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
[6] https://www.bleepingcomputer.com/news/security/lg-electronics-allegedly-hit-by-maze-ransomware-attack/
[7] James_inthe_box reported observations on June 13th; Brad Duncan posted detailed analysis on June 17th, in Malspam with password-protected Word docs pushing Dridex
[8] https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools
[9] This example is from https://www.virustotal.com/gui/file/dcaded58334a2efe8d8ac3786e1dba6a55d7bdf11d797e20839397d51cdff7e1/detection
[10] For more information about fileless attacks, please see Carbon Black’s article What Is a Non-Malware (or Fileless) Attack?,
available at https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/
[11] For a longer explanation and examples, see Outflank’s blog post Old school: evil Excel 4.0 macros (XLM)
[12] https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
[13] https://www.bloomberg.com/news/articles/2020-05-21/shopify-is-joining-twitter-in-permanent-work-from-home-shift
About eSentire:
eSentire, Inc., founded in 2001, is the category creator and world’s largest Managed Detection and Response (MDR) company,
safeguarding businesses of all sizes with the industry-defining, cloud-native Atlas platform that removes blind spots and enables
24x7 threat hunters to contain attacks and stop breaches within minutes. Its threat-driven, customer-focused culture makes the
difference in eSentire’s ability to attract the best talent across cybersecurity, artificial intelligence and cloud-native skill sets. Its highly
skilled teams work together toward a common goal to deliver the best customer experience and security efficacy in the industry.
For more information, visit www.esentire.com and follow @eSentire.
About VMWare:
VMware software powers the world’s complex digital infrastructure. The company’s cloud, app modernization, networking, security
and digital workspace offerings help customers deliver any application on any cloud across any device. Headquartered in Palo
Alto, California, VMware is committed to being a force for good, from its breakthrough technology innovations to its global impact.
For more information, please visit https://www.vmware.com/company.html
VMware and Carbon Black are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and
other jurisdictions.