The cybercrime group known as Lazarus is suspected to be behind numerous attacks against Polish banks. The banks reportedly found previously unknown malware variants on their systems and reported unusual behavior that included abnormal network traffic to foreign locations, encrypted executables, and malware on user workstations. The attackers compromised websites their targets visit by injecting malicious code that redirects visitors to an exploit kit, which in turn installs the malware.
I thought this was interesting since we had some experience with WebGoat and how attackers can inject code into web applications. This seems to be the route that this cybercrime group took.
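The compromised-website stage above can be checked for from the defender's side: the injected code is typically a script, iframe or meta-refresh that points off-site. The following is an added example (not code from the original post or from any of the reports it summarizes) that parses a page's HTML and flags references to hosts outside an allowlist, as well as hidden iframes. The sample HTML and the hostnames in it are constructed for the example.

```python
"""Flag script/iframe/meta-refresh references that leave the site's own domains."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect (kind, url, attributes) for tags that can pull in or redirect to foreign content."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"], a))
        elif tag == "iframe" and a.get("src"):
            self.refs.append(("iframe", a["src"], a))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                # content looks like "0;url=http://host/path"
                self.refs.append(("meta-refresh", content.split("=", 1)[1].strip(), a))


def _is_hidden(attrs):
    """Zero-size or display:none frames are a classic sign of an injected loader."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_refs(html, allowed_hosts):
    """Return references whose host is not in allowed_hosts (or a subdomain of one), plus hidden iframes."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for kind, url, attrs in collector.refs:
        host = urlparse(url).hostname
        if host is None:
            continue  # relative URL: same origin as the page itself
        external = host not in allowed_hosts and not any(
            host.endswith("." + h) for h in allowed_hosts)
        hidden = kind == "iframe" and _is_hidden(attrs)
        if external or hidden:
            findings.append({"kind": kind, "url": url, "external": external, "hidden": hidden})
    return findings


# Constructed sample page: one legitimate script, one injected hidden iframe to a foreign host.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.bank-example.invalid/app.js"></script>
</head><body>
<iframe src="//ek.redirect-host.invalid/gate.php" width="0" height="0" style="display:none"></iframe>
<p>Welcome</p>
</body></html>"""

SAMPLE_ALLOWED = {"bank-example.invalid"}


def scan_sample():
    return find_suspicious_refs(SAMPLE_HTML, SAMPLE_ALLOWED)


if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```

Run against a crawl of the site's own pages, a new external host or a hidden frame appearing where there was none before is the signal to act on; the allowlist keeps the site's own CDNs from producing noise.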
A new variant of the CERBER ransomware family has emerged that evades machine-learning, file-based detection solutions. As machine-learning solutions spread through the security industry, attackers are getting craftier about evading them. In this case the attackers take advantage of static file-detection solutions that rely on features rather than signatures.
Through its research, Trend Micro has found that CERBER can slip past a machine-learning solution undetected, especially a static, file-based one. Like other ransomware, CERBER is distributed by email with a link to a self-extracting archive that the attacker stores and maintains on Dropbox. The archive contains a Visual Basic script, a DLL and a configuration file. Once a user clicks the link, the archive is downloaded and self-extracts onto the target system. It then runs the VBScript contained in the archive, which loads the bundled DLL and decrypts the part of the configuration file needed to evade the system. The problem for static, machine-learning detection tools is that CERBER looks like any other self-extracting archive process; and even once unpacked, the tool may not be able to detect the binary contents and so lets the malware through.
All the more reason to use more than a single approach to securing systems and the networks they sit in.
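The weakness described above is that the archive as a whole looks ordinary; the signal lives in the combination of components inside it. As an added example (not Trend Micro's code and not the original post's), the triage below looks at the extracted files together: a script, a native module, a high-entropy blob that could be encrypted configuration, and whether the script names the other two. File names and contents here are constructed; a real pipeline would feed it the output of an archive extractor and pair it with behavioural monitoring, which is the "more than one approach" point.

```python
"""Static triage of an extracted self-extracting archive: score suspicious component combinations."""
import math


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0, text and sparse binaries well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


SCRIPT_SUFFIXES = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1")


def triage_extracted(files: dict) -> dict:
    """files maps file name -> bytes. Returns per-indicator booleans and a simple count score."""
    names = {n.lower(): d for n, d in files.items()}
    scripts = [n for n in names if n.endswith(SCRIPT_SUFFIXES)]
    natives = [n for n in names if n.endswith(".dll") or names[n][:2] == b"MZ"]
    blobs = [n for n in names if n not in natives and n not in scripts
             and shannon_entropy(names[n]) > 7.0]

    # Does any script mention the native module or the blob by name? (a loader usually must)
    references = []
    for s in scripts:
        text = names[s].decode("latin-1").lower()
        references += [(s, other) for other in natives + blobs if other in text]

    indicators = {
        "script_present": bool(scripts),
        "native_module_present": bool(natives),
        "high_entropy_blob": bool(blobs),
        "script_references_payload": bool(references),
    }
    return {"indicators": indicators, "score": sum(indicators.values()),
            "scripts": scripts, "natives": natives, "blobs": blobs, "references": references}


# Constructed samples. The script is a placeholder that only names the other files; it does nothing.
SUSPECT_ARCHIVE = {
    "run.vbs": b"' constructed placeholder: stages payload.dll and reads cfg.dat\r\n",
    "payload.dll": b"MZ" + b"\x00" * 200,
    "cfg.dat": bytes(range(256)) * 16,          # uniform bytes -> entropy exactly 8.0
}
BENIGN_ARCHIVE = {
    "README.txt": b"Installer notes. " * 20,
    "helper.dll": b"MZ" + b"\x00" * 200,
}


def triage_samples():
    return triage_extracted(SUSPECT_ARCHIVE), triage_extracted(BENIGN_ARCHIVE)


if __name__ == "__main__":
    for label, result in zip(("suspect", "benign"), triage_samples()):
        print(label, result["score"], result["indicators"])
```

A score alone is not a verdict; it is one feature-level signal to be combined with what the process actually does after extraction, which is exactly the layer a static file scanner never sees.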