Malware Threats Customer Advisory

We have seen a recent increase in malware activity and would like to provide additional information on what has been discovered at this time. Please find below a more detailed investigation into the behavior and mitigation methods applicable to CryptoWall 3.0, Dridex and Dyre/Dyreza malware variants.

What We Know

Behavior of Cryptowall 3.0:

- The latest version of this malicious software is spread mainly via Spam email containing the CryptoWall executable as a ZIP file attachment or as drive-by download attacks facilitated by web browser exploit kits like Angler and Magnitude.

- The result of a CryptoWall infection is having data files on the local system and any connected network file shares encrypted with a strong public-key cipher.

- The only ways to recover the encrypted files is to restore them from a recent backup or to pay the ransom demanded by the cybercriminals in exchange for the decryption key (the ransom amount is reported to be between 2–4 Bitcoin).

Behavior of Dridex:

- Dridex is a banking Trojan designed to steal financial information such as online banking credentials from victims.

- Commonly-seen threat spreading mainly via spam email.

- The usual method of infection is an attached Microsoft Word document containing an embedded macro that downloads and executes the Dridex malware.

- Social engineering techniques are used to get the victim to enable Microsoft Office macros in order to execute the malicious script.

Behavior of Dyre/Dyreza:

- This banking trojan is designed to hook into the victim's web browser and capture online banking credentials as they are typed in by the victim.

- The usual method of infection is via spam email containing malicious attachments or phishing emails containing links to web browser exploit kits that install the malware on the victim's computer.

- Victim must open attachments or visit the links with a vulnerable browser in order to get infected.

eSentire Defenses

eSentire features that help protect you include:

- Executioner can stop the download of malicious payloads over HTTP if you have instructed ESOC to enable it.

- AMP can stop the communication to known command and control servers.

- Behavioral analysis tools can detect anomalous network behavior.

- The ESOC can quarantine suspected systems at your direction or based on established policy.

Further Protection:

In the past 18 months, eSentire has released at least three advisories regarding Cryptolocker/Cryptowall. If the mitigation steps detailed in the advisories have not been performed, we strongly recommend that they be implemented as soon as possible.

However, in general, we recommend that you:

- Do not enable Microsoft Office macros in order to view documents received via unsolicited email.

- Regularly back up your important files to an offline data store that is not usually accessible from the local system.

- Never open attachments or click on URL links in unsolicited email.

- Use a tool such as Qualys BrowserCheck (browsercheck.qualys.com) to keep your web browser software and plugins updated with the latest security patches.

- Utilize browsers extensions that intercept third party application requests through the browser (for example, Flashblock for Chrome).

- Run ad-blocker software or strip out ad networks at the network level (via Proxies/DNS Sinkhole)

- Utilize exploit protection tools like Malwarebytes Anti-Exploit or EMET to stop the exploitation of your browsers/plugins.

- Implement anti-execute technologies such as AppLocker to prevent binary malware payloads from executing.

Resources

esentire.com/news-and-events/security-advisories/ransomware-variant-cryptofortress-advisory/

esentire.com/news-and-events/security-advisories/fin4/