We have seen a recent increase in malware activity and would like to provide additional information on what has been discovered at this time. Please find below a more detailed investigation into the behavior and mitigation methods applicable to CryptoWall 3.0, Dridex and Dyre/Dyreza malware variants.
What We Know
Behavior of Cryptowall 3.0:
- The latest version of this malicious software is spread mainly via Spam email containing the CryptoWall executable as a ZIP file attachment or as drive-by download attacks facilitated by web browser exploit kits like Angler and Magnitude.
- The result of a CryptoWall infection is having data files on the local system and any connected network file shares encrypted with a strong public-key cipher.
- The only ways to recover the encrypted files are to restore them from a recent backup or to pay the ransom demanded by the cybercriminals in exchange for the decryption key (the ransom amount is reported to be between 2–4 Bitcoin).
Behavior of Dridex:
- Dridex is a banking Trojan designed to steal financial information such as online banking credentials from victims.
- A commonly seen threat that spreads mainly via spam email.
- The usual method of infection is an attached Microsoft Word document containing an embedded macro that downloads and executes the Dridex malware.
- Social engineering techniques are used to get the victim to enable Microsoft Office macros in order to execute the malicious script.
Behavior of Dyre/Dyreza:
- This banking Trojan is designed to hook into the victim's web browser and capture online banking credentials as they are typed in by the victim.
- The usual method of infection is via spam email containing malicious attachments or phishing emails containing links to web browser exploit kits that install the malware on the victim's computer.
- The victim must open the attachments or visit the links with a vulnerable browser in order to become infected.
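As an added illustration (not eSentire's code or tooling), the following Python triage routine for mail-gateway attachments flags the two delivery vectors described above: a ZIP archive carrying an executable (the CryptoWall pattern) and an Office document with an embedded VBA macro (the Dridex pattern). The extension lists and the sample attachments are constructed assumptions, not real malware.

```python
import io
import re
import zipfile

# Assumed extension lists; extend them to match your own gateway policy.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
OFFICE_EXTS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def classify_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing matched."""
    findings = []
    name = filename.lower()
    if name.endswith(EXECUTABLE_EXTS):
        findings.append("executable attachment")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m.lower() for m in zf.namelist()]
    except zipfile.BadZipFile:
        return findings + ["unreadable ZIP container"]
    if name.endswith(OFFICE_EXTS):
        # OOXML documents are ZIP containers; VBA macros are stored in vbaProject.bin.
        if any(m.endswith("vbaproject.bin") for m in members):
            findings.append("Office document with embedded VBA macro")
    else:
        # Plain ZIP archive: flag any executable inside it.
        inner = [m for m in members if m.endswith(EXECUTABLE_EXTS)]
        if inner:
            findings.append("ZIP contains executable: " + ", ".join(inner))
        # Double extensions such as invoice.pdf.exe are a common disguise.
        if any(re.search(r"\.(pdf|doc|txt)\.[a-z]{3}$", m) for m in inner):
            findings.append("double-extension filename inside ZIP")
    return findings


def _build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed sample attachments (harmless placeholders, not real malware).
SAMPLE_CRYPTOWALL_ZIP = _build_zip({"invoice.pdf.exe": b"MZ-placeholder"})
SAMPLE_DRIDEX_DOC = _build_zip({"[Content_Types].xml": b"<Types/>",
                                "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
SAMPLE_CLEAN_DOC = _build_zip({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for fname, blob in [("invoice.zip", SAMPLE_CRYPTOWALL_ZIP),
                        ("order.docm", SAMPLE_DRIDEX_DOC),
                        ("memo.docx", SAMPLE_CLEAN_DOC)]:
        print(fname, classify_attachment(fname, blob) or ["no findings"])
```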
eSentire features that help protect you include:
- Executioner can stop the download of malicious payloads over HTTP if you have instructed ESOC to enable it.
- AMP can stop the communication to known command and control servers.
- Behavioral analysis tools can detect anomalous network behavior.
- The ESOC can quarantine suspected systems at your direction or based on established policy.
In the past 18 months, eSentire has released at least three advisories regarding Cryptolocker/Cryptowall. If the mitigation steps detailed in the advisories have not been performed, we strongly recommend that they be implemented as soon as possible.
However, in general, we recommend that you:
- Do not enable Microsoft Office macros in order to view documents received via unsolicited email.
- Regularly back up your important files to an offline data store that is not usually accessible from the local system.
- Never open attachments or click on URL links in unsolicited email.
- Use a tool such as Qualys BrowserCheck (browsercheck.qualys.com) to keep your web browser software and plugins updated with the latest security patches.
- Use browser extensions that intercept third-party application requests made through the browser (for example, Flashblock for Chrome).
- Run ad-blocker software or strip out ad networks at the network level (via proxies or a DNS sinkhole).
- Utilize exploit protection tools like Malwarebytes Anti-Exploit or EMET to stop the exploitation of your browsers/plugins.
- Implement anti-execute technologies such as AppLocker to prevent binary malware payloads from executing.