Cyphort Labs Security Threat Analysis Report: Vandelay Industries Q2 2017
About this Report

The Cyphort security research team continuously monitors advanced threats around the world, delivering security intelligence to help you adjust your posture for ongoing advanced threat defense. Customers in active POC (Proof-of-Concept) deployments receive a threat summary report on the customer's behalf toward the end of the POC period.

Because we believe that strong visibility and awareness go a long way in helping with a strong defense posture, we consolidated findings for broader distribution and benefit as part of the Cyphort Anti-SIEM.

This report is designed to provide a more comprehensive view of significant threat incidents discovered during an extended period of time, typically several weeks, so that traffic fluctuation associated with time-of-day activity patterns is accounted for. It covers the whole spectrum of alerts, including serious threats, suspicious activities and adware, and any instances of noisy alerts. It includes:

• Visibility stats that shed light on what types of files, at what volume and through which agents (e.g. a human browsing the web vs. automated programs) are being moved across the customer network.
• Advanced details on selected threats and malware objects, based on deep-dive research conducted by the Cyphort threat researchers, revealing attack payloads, threat intent, and other threat indicators.
Key Findings

Malware Detected   Threat Category   Detection Location        Detection Date   Potential Business Implications
Cerber             Ransomware        Engineering / LA Office   4/3/17           Product source code exposed to encryption and extortion
Fareit             InfoStealer       Sales / NY Office         4/16/17          Salesforce credentials exposed to leakage
Web Traffic Monitoring Metrics

Peak Traffic Monitored       1.2 Gbps
Objects Analyzed             6,383,872
Hosts Monitored              5,387
Threats Detected             57
High Risk Hosts Identified   12
Email Monitoring Metrics

Emails Monitored                56,456
URLs Analyzed                   11,653
Attachments Analyzed            5,387
Threats Detected                145
High Risk Accounts Identified   34
Anti-SIEM Customer Value

Zero-Day Detection of Malware
Obfuscated JavaScript (MD5 01eed9bab2d71724df2eb80dec61733e), ransomware downloader
• First Cyphort detection: 2017/01/03
• File still not available on VirusTotal
Cyphort Detects Threats Early

Malware MD5                        Malware Name            Ahead of VirusTotal by   Business Implications
59bff0a38a04c372e4896a4fb2eea8fb   CryptXXX ransomware     2.5 hours                Fill in
85289e698f34e717ac964210623a704f   Trojan Win32-Skeeyah    26 hours                 Fill in
2954e5222920daa142bf699186c0f0be   Adware                  7.5 hours                Fill in
26b2b4089bd56a44c6fceda9083f04b0   TrojanSpy Selltim       9 hours                  Fill in
5e1e886b7d427865c01e43bd0f29ce17   Trojan VB Kryjetor      24 hours                 Fill in
Proof-of-Concept Report: Testing Results

Proof-of-Concept Scope

Core Deployment                                  NY data center, virtual
Collector Deployment (incl. e-mail collector)    LA & NY egress SPAN ports
Integrations                                     Syslog to Splunk
Duration                                         3/1/17 - 4/30/17
Weekly Peak Traffic                              1.2 – 1.5 Gbps
Weekly Peak E-mails                              42,000 – 49,000
Traffic Statistics

[Chart: Daily Unique IPs, weekly ticks 2016-11-21 to 2017-02-20, y-axis 0 to 6000]
[Chart: Weekly Peak Traffic (Mbps), weekly ticks 2016-11-14 to 2017-02-20, y-axis 0 to 1200]

Traffic Totals
Peak Traffic      977 Mbps
Peak Unique IPs   5,364
Email Statistics

[Chart: Daily Unique Recipients, weekly ticks 2016-11-21 to 2017-02-20, y-axis 0 to 6000]
[Chart: Weekly Email Count, weekly ticks 2016-11-14 to 2017-02-20, y-axis 0 to 1200]

Email Totals
Peak Emails/Week         977
Peak Unique Recipients   5,364
Most Significant Threat Detections

Threat Name          Detection Locations & Count          Business Implications
Critical Severity
Cerber Ransomware    Eng / LA Office (1), SF Office (1)   Product source code exposed to encryption and extortion
Fareit InfoStealer   Sales / NY Office (3)                Salesforce credentials exposed to leakage
Medium Severity
Web toolbar Adware   Multiple orgs, NY & LA & SF          Bad hygiene may lead to more serious infections
Threat Types - Web
[Chart: Malware Types: Adware, Ransomware, Trojan downloader, Info Stealer]
[Chart: Malware File Types: Executable, Zip files]

Threat Types - Email
[Chart: Threat Types: Adware, Ransomware, Trojan downloader, Info stealer]
[Chart: Threat File Types: Executable, Zip files]

Threat Origins
Top Countries (DL or IN)
China    34
Russia   23

File Statistics by Operating System
[Chart: Objects Analyzed by OS: Mac OS, Apple iOS, Windows, Undetermined, Chrome OS, Linux, Android, Debian]
Threat Analysis
Name: Cerber
Category: Ransomware

• Cerber is distributed through exploit kits and phishing mails.
• The threat encrypts documents and images and asks for ransom money.
• Cerber is currently the most prevalent ransomware family.

Threat insight:
https://www.cyphort.com/threat-insights/cerber-ransomware/
Malware Analysis
Name: Fareit
Category: InfoStealer

Fareit is a password-stealing Trojan that targets login credentials for websites and FTP servers stored in web browsers and FTP client software on the infected computers.

Payload analysis:
• On execution it creates the following registry key and value:
  Key: HKU\Software\WinRAR
  Value: HWID = {B60FBD1C-5BDF-41BE-A27E-6FB5584B9D1B}
• It tries to retrieve the stored website passwords (in cookies) from the most popular browsers: Firefox, Internet Explorer, Opera, Chrome.
• Fareit also tries to steal server names (IP addresses) and login credentials from the following FTP client software: FTP Commander, CuteFTP, FTP++, FTP Explorer, FileZilla, WinSCP, Total Commander, Windows Commander, WebDrive.
• It then sends all the collected information to a remote server, fnijatodn.cz.cc.

Note that Software\WinRAR is also the legitimate settings key on any host with WinRAR installed, so the indicator is the HWID value under that key, not the key itself.
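The indicators above (the HWID value under Software\WinRAR and the C2 domain) can be matched against host telemetry. The following is an added example, not code from the Cyphort report: it classifies constructed, Sysmon-style events (13 = registry value set, 22 = DNS query, 3 = network connection) and correlates hits per process. The flat field names are an assumption of this example rather than Sysmon's exact schema, and since the report shows a single HWID GUID that may be sample-specific, the check matches the value name plus GUID shape rather than the exact GUID.

```python
"""Added example (not Cyphort's code): match the Fareit indicators from the
payload analysis above against constructed, Sysmon-style host telemetry.
Event IDs follow Sysmon (13 = registry value set, 22 = DNS query,
3 = network connection); the flat field names are an assumption of this
example, not Sysmon's exact XML schema."""
import re
from collections import defaultdict

# Indicators taken from the report.
FAREIT_C2_DOMAIN = "fnijatodn.cz.cc"
# Fareit writes value HWID under <user hive>\Software\WinRAR. WinRAR itself
# stores its settings under the same key, so match the value name, not the key.
FAREIT_REG_SUFFIX = "\\software\\winrar\\hwid"
# The report shows one GUID; assume it may vary per sample and match the shape.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def classify_event(ev):
    """Return an indicator label for one event, or None if it is benign."""
    eid = ev["event_id"]
    if eid == 13:  # registry value set
        target = ev["target_object"].lower()
        if target.endswith(FAREIT_REG_SUFFIX) and GUID_RE.match(ev.get("details", "")):
            return "hwid_marker"
    elif eid == 22:  # DNS query
        if ev["query_name"].lower().rstrip(".") == FAREIT_C2_DOMAIN:
            return "c2_dns"
    elif eid == 3:  # network connection
        if ev.get("destination_hostname", "").lower() == FAREIT_C2_DOMAIN:
            return "c2_connect"
    return None


def triage(events):
    """Correlate indicator hits per (host, process image) and assign a verdict.

    Returns {(host, image): (verdict, sorted labels)}. Processes with no hit
    are omitted, so a clean host yields an empty dict."""
    hits = defaultdict(set)
    for ev in events:
        label = classify_event(ev)
        if label:
            hits[(ev["host"], ev["image"])].add(label)
    verdicts = {}
    for key, labels in hits.items():
        has_c2 = bool(labels & {"c2_dns", "c2_connect"})
        if "hwid_marker" in labels and has_c2:
            verdict = "confirmed_fareit"   # host marker plus exfiltration channel
        elif has_c2:
            verdict = "probable_fareit"    # the C2 domain is specific to this family
        else:
            verdict = "suspicious"         # marker only; pull the sample for analysis
        verdicts[key] = (verdict, sorted(labels))
    return verdicts


# Constructed sample telemetry for this example (not real customer data).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
STEALER = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"
SAMPLE_EVENTS = [
    {"host": "NY-SALES-07", "image": STEALER, "event_id": 13,
     "target_object": f"HKU\\{SID}\\Software\\WinRAR\\HWID",
     "details": "{B60FBD1C-5BDF-41BE-A27E-6FB5584B9D1B}"},
    {"host": "NY-SALES-07", "image": STEALER, "event_id": 22,
     "query_name": "fnijatodn.cz.cc"},
    {"host": "NY-SALES-07", "image": STEALER, "event_id": 3,
     "destination_hostname": "fnijatodn.cz.cc", "destination_port": 80},
    # Benign: WinRAR saving its own settings under the same parent key.
    {"host": "NY-SALES-07", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "event_id": 13, "target_object": f"HKU\\{SID}\\Software\\WinRAR\\General\\LastFolder",
     "details": "C:\\Users\\jdoe\\Downloads"},
    # Benign: ordinary browsing on another host.
    {"host": "LA-ENG-12", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "event_id": 22, "query_name": "www.example.com"},
]

if __name__ == "__main__":
    for (host, image), (verdict, labels) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {image} -> {verdict} {labels}")
```

Running the block flags only the invoice.exe process on NY-SALES-07 as confirmed; the WinRAR settings write under the same key and the unrelated DNS query produce no hit, which is the false-positive case the WinRAR caveat above is about.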
Malware Analysis
Name: JS Malware Dropper of ransomware
Category: Downloader

This JS malware downloader leads the victim's browser to download and execute malware. Generally the source code of the downloader is heavily obfuscated to avoid static detection.

JS malware dropper source:
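The obfuscation point above is easiest to see by comparing what a static signature finds before and after two cheap transformations are undone. The following is an added example, not the report's dropper nor Cyphort's code: it decodes String.fromCharCode calls, folds string-literal concatenation, and counts downloader vocabulary in both forms. The sample script is constructed for this example and inert (it only assembles strings; example.invalid is a reserved test domain), and the token list is this example's choice.

```python
"""Added example (not code from the Cyphort report): a static triage pass
for obfuscated JavaScript downloaders of the kind described above. It undoes
two cheap obfuscations (String.fromCharCode and string-literal concatenation)
and compares the suspicious tokens visible before and after."""
import re

# Constructed sample in the style the section describes: every telltale
# token is split or char-coded so a plain signature match sees nothing.
OBFUSCATED_SAMPLE = r'''
var a = String.fromCharCode(65,99,116,105,118,101,88,79,98,106,101,99,116);
var b = "MSX" + "ML2.X" + "MLH" + "TTP";
var c = "WScr" + "ipt.Sh" + "ell";
var d = "http://" + "example" + ".invalid/" + "pay" + "load.e" + "xe";
'''

# Constructed benign script for comparison.
BENIGN_SAMPLE = 'document.getElementById("total").textContent = (price * qty).toFixed(2);'

# Tokens typical of WSH/IE downloaders (fetch via XMLHTTP, run via WScript.Shell).
SUSPICIOUS_TOKENS = ("ActiveXObject", "MSXML2.XMLHTTP", "WScript.Shell",
                     "ADODB.Stream", ".exe", "http://", "eval(", "unescape(")

CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
CONCAT_RE = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')


def decode_charcodes(src):
    """Replace String.fromCharCode(n, n, ...) calls with the literal they build."""
    return CHARCODE_RE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"',
        src)


def fold_concats(src):
    """Repeatedly merge adjacent "a" + "b" literals until nothing changes."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT_RE.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', src)
    return src


def count_tokens(src):
    """Count each suspicious token that occurs at least once."""
    return {t: src.count(t) for t in SUSPICIOUS_TOKENS if t in src}


def triage_js(src):
    """Score a script by how many suspicious tokens deobfuscation reveals."""
    deobfuscated = fold_concats(decode_charcodes(src))
    raw = count_tokens(src)
    after = count_tokens(deobfuscated)
    revealed = sum(after.values()) - sum(raw.values())
    if len(after) >= 3 and revealed > 0:
        verdict = "likely_downloader"   # downloader vocabulary that was hidden
    elif after:
        verdict = "review"              # tokens present but not hidden
    else:
        verdict = "clean"
    return {"raw_tokens": raw, "deobfuscated_tokens": after,
            "revealed": revealed, "verdict": verdict, "deobfuscated": deobfuscated}


if __name__ == "__main__":
    for name, sample in (("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = triage_js(sample)
        print(f"{name}: {r['verdict']} (revealed {r['revealed']} hidden tokens)")
```

On the constructed sample the raw text matches only "http://", while the deobfuscated form exposes ActiveXObject, MSXML2.XMLHTTP, WScript.Shell and the .exe URL. Real droppers layer further tricks (eval of decoded blobs, array shuffles, string reversal), so this pass is a first filter that sends scripts to a sandbox, not a replacement for detonation.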
Malware Analysis
Name: MyWebSearch
Category: Adware Toolbar

MyWebSearch is adware developed by Mindspark Interactive. Mindspark as a company collects data about browsing behaviour and web search metadata from users' machines when these users are using Mindspark products. These products include numerous toolbars and browser plugins.

Payload: Drops a dynamic link library file and installs it as a Browser Helper Object (BHO) for Internet Explorer.
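A BHO is registered by CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (or the Wow6432Node path for 32-bit IE on 64-bit Windows), and the DLL it loads is the default value of HKCR\CLSID\{CLSID}\InprocServer32. The following is an added example, not Cyphort's code, that lists the BHOs in a regedit export and resolves each to its DLL, flagging DLLs living under a user profile or temp directory (a heuristic chosen for this example). The .reg text, CLSIDs, names and paths are constructed; exported .reg files are UTF-16, so read a real one with encoding="utf-16".

```python
"""Added example (not Cyphort's code): enumerate Internet Explorer Browser
Helper Objects from a regedit export and resolve each to its DLL, so an
adware BHO like the one the MyWebSearch payload installs can be spotted.
The .reg text below is constructed for this example."""
import re
from pathlib import PureWindowsPath

BHO_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432NODE\\)?MICROSOFT\\WINDOWS\\"
    r"CURRENTVERSION\\EXPLORER\\BROWSER HELPER OBJECTS\\(\{[0-9A-F-]{36}\})$", re.I)
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslashes and quotes are doubled/escaped)."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: data}}.

    The default value is stored under the name "". String values are
    unescaped; other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def list_bhos(keys):
    """Return one record per registered BHO, resolving its DLL via HKCR\\CLSID."""
    lower = {k.lower(): v for k, v in keys.items()}   # registry paths are case-insensitive
    found = []
    for path, values in keys.items():
        m = BHO_KEY_RE.match(path)
        if not m:
            continue
        clsid = m.group(1).upper()
        clsid_key = lower.get(f"hkey_classes_root\\clsid\\{clsid.lower()}", {})
        inproc = lower.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
        dll = inproc.get("")
        rec = {"clsid": clsid, "name": values.get("") or clsid_key.get(""),
               "dll": dll, "notes": []}
        if dll is None:
            rec["notes"].append("no InprocServer32: dangling registration")
        else:
            parts = [p.lower() for p in PureWindowsPath(dll).parts]
            if "users" in parts or "temp" in parts:   # heuristic chosen for this example
                rec["notes"].append("DLL under a user profile or temp directory")
        found.append(rec)
    return sorted(found, key=lambda r: r["clsid"])


# Constructed regedit export; CLSIDs, names and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files (x86)\\ExampleToolbar\\bar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Search Assistant"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\jdoe\\AppData\\Local\\Temp\\srchasst.dll"
'''

if __name__ == "__main__":
    for b in list_bhos(parse_reg(SAMPLE_REG)):
        print(b["clsid"], b["name"], b["dll"], b["notes"])
```

The listing is the starting point, not the verdict: hash each resolved DLL and check its signer and prevalence before removing the registration, since legitimate vendors also ship BHOs.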
Top Infections

Malware Name            # Infected hosts
DEALPLYB2.CY            114
TROJAN_ONLINEGAMES.CY   6
TROJAN_LLAC.CY          5
TROJAN_GENERICKDZ.CY    4
HTTPBROWSER.CY          3
SUSP_MASSFAV.CY         2
TROJAN_Suspicious.CY    2
TROJAN_FakeAv.CY        1
TROJAN_Generic.CY       1
About Cyphort

Cyphort delivers the Anti-SIEM, an innovative security analytics and advanced threat defense platform that addresses the time, cost, and complexity challenges associated with traditional SIEMs. The software uses machine learning and behavioral analysis technologies to detect advanced threats in web, email, and lateral-spread traffic. Threat data is correlated with event and log data collected from other security devices in the network. Results are consolidated and presented as a timeline view of each security incident. One-touch mitigation can contain breaches and strengthen existing tools. The Anti-SIEM works with or without an existing SIEM to reduce noise, improve productivity, and accelerate response.

About Cyphort Labs

The Cyphort Labs Security Research Team continuously monitors advanced threats around the world, delivering security intelligence to help you adjust your posture for ongoing advanced threat defense. Customers in active POC (Proof-of-Concept) deployments receive a threat summary report on the customer's behalf toward the end of the POC period. Because we believe that good visibility and awareness go a long way in helping with a strong defense posture, we consolidated findings for broader distribution and benefit as part of the Cyphort Threat Intelligence Network.
Cyphort Labs Team

Global Security Service
• Threat monitoring & research
• 24x7 monitoring for threat events
• Assist customers with their forensics and incident response

Discover. Dissect. Destroy.
We enhance threat detection accuracy
• False positives/negatives
• Deep-dive research

Security Ecosystem Collaboration
We work with the security ecosystem
• Contribute to and learn from the malware KB
• Best of 3rd-party malware data

Cyphort Labs Research

Threat Research
• Cyphort Labs discovered the NightHunter malware; nation-state malware Babar, EvilBunny and Caspar
• Uncovered broad-scale malvertising campaigns targeting popular & strategic sites
• Detailed analysis and reporting of PoS malware families, widely circulated

Information Sharing
• Monthly Malware's Most Wanted webinar series
• Malware research blogs followed by practitioners and researchers
• Free APT scanner service
• Press coverage
• Cyphort Labs Blog