Malware weaknesses: While this malware appears to be highly sophisticated, the automated nature of its behavior leaves it with a few weaknesses:

1- When the malware finds more than one mailing list, it sends itself to all of them within a short period of time.

2- The times at which it sends itself appear to be random. It would have been more convincing if it had sent itself during business hours, or spread its sends over a longer time frame, so as not to raise suspicion.

3- The email body is short and identical every time: “Morning, please see attached and confirm” “Thank you again!”. The malware could have randomized the email body with different phrases so as not to raise suspicion, especially since it appears to have the capability to generate randomized attachments.

How credentials may have been stolen: From what we know so far of the malware's behavior, the stolen credentials seem to have been obtained by one of these methods:

1- Man-in-the-browser attack through a password manager exploit: Abusing the browser's built-in password manager is most likely how the credentials were stolen. To confirm this, a forensic examination has to be performed on the infected machine, or alternatively Heather can be asked whether she used to save the credentials in the browser's password manager for quick access to Zimbra. (Malware already running on the endpoint can also read the browser's saved-password store directly, so the forensic examination should check for that as well.) Password manager exploitation is a rising threat and a potential attack vector to gain access to company resources. For more information about password manager exploitation: https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/ Demo page of browser abuse: https://senglehardt.com/demo/no_boundaries/loginmanager/

2- Keylogging: this is also a possibility, although if Heather is using the browser password manager, the password is autofilled rather than typed, so a keylogger alone would not capture it.

Conclusion: Although this malware is primarily designed to steal money, spreading itself to active and up-to-date email lists in order to steal banking credentials, malicious actors use it for other purposes as well. Often it is part of a more complex malware cocktail that can include rootkits, worms, or other malware that enslaves a computer into a botnet. If this is becoming a larger trend, it puts even more emphasis on blocking these attacks at the earliest stage possible, before they have a chance to take hold and turn victims into unknowing attackers. Education and awareness remain, to this day, among the best lines of defense against phishing attacks. These attacks prey on the inevitability that someone, somewhere, will click a link in their mailbox. With an email that genuinely appears to come from someone the victim works with, because the malware picks up and replies to a previous email thread, this is an easy attack to fall for.

Steps we could take now to mitigate this threat in the future:

– Disable MS Office macros network-wide (for example through Group Policy), if possible.
– Ensure perimeter rules (firewall or mail gateway) flag Word documents as potentially dangerous, or quarantine them.
– Have email servers block attachments that include any VBA/macro code.
– Configure endpoint security on workstations to catch malicious attachments.
– Delete all emails that contain the malware attachment from all recipients' mailboxes immediately, in order to contain and eradicate the threat (keep one copy of the sample for forensic analysis before purging).
– Educate our staff. Awareness training is essential, and it can never end.
– Prohibit saving sensitive credentials in all browsers (enforceable through browser enterprise policy).
– Detect stolen credentials using endpoint monitoring.
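The mitigation "have email servers block attachments that include any VBA/Macro code" can be implemented as a simple gateway check. The following is an added example written for this report, not code from the original post or from any product; it uses only the Python standard library. It recognizes the two Office container formats (OOXML zip, which stores macros in a vbaProject.bin part, and the legacy OLE binary, whose directory names are stored UTF-16LE), and the sample message and attachments are constructed inline. The OLE check is a string heuristic; a production gateway should use a real parser such as oletools' olevba.

```python
"""Gateway-side check: does an Office attachment carry VBA macro code?

Added example (not from the original report). Standard library only; the
OLE check is a heuristic and a real gateway should use oletools/olevba.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a zip
# OLE directory entry names are stored UTF-16LE; these storages/streams hold
# macro code in Word and Excel binaries (heuristic: may false-positive).
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "VBA", "_VBA_PROJECT")]
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def scan_attachment(filename, data):
    """Return a verdict dict for one attachment's raw bytes."""
    verdict = {"filename": filename, "format": "other", "has_macros": False, "reason": ""}
    if data.startswith(ZIP_MAGIC):
        verdict["format"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            verdict["reason"] = "corrupt zip container"
            return verdict
        macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if macro_parts:
            verdict.update(has_macros=True, reason="contains " + ", ".join(macro_parts))
            # A .docx must not carry a VBA project; Word would refuse to run it,
            # but the mismatch itself is a strong sign of a crafted file.
            if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
                verdict["reason"] += " (macros inside a macro-free extension)"
    elif data.startswith(OLE_MAGIC):
        verdict["format"] = "ole"
        hits = [m.decode("utf-16-le") for m in OLE_MACRO_MARKERS if m in data]
        if hits:
            verdict.update(has_macros=True, reason="OLE streams: " + ", ".join(hits))
    return verdict


def scan_message(raw):
    """Parse a raw RFC 5322 message and scan every attachment part."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [scan_attachment(part.get_filename() or "", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def should_block(raw):
    """Gateway decision: quarantine if any attachment carries macro code."""
    return any(v["has_macros"] for v in scan_message(raw))


# ---- constructed test inputs (not real samples) ----------------------------

def build_docm(with_vba):
    """Minimal OOXML container; with_vba adds the part Word stores macros in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x01\x02 fake VBA project")
    return buf.getvalue()


def build_message(filename, data):
    """Reply-style lure like the one in the report, with one attachment."""
    msg = EmailMessage()
    msg["From"] = "heather@example.com"          # assumed address
    msg["To"] = "alice@example.com"              # assumed address
    msg["Subject"] = "RE: invoice"
    msg.set_content("Morning, please see attached and confirm\nThank you again!")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, blob in (("invoice.docm", build_docm(True)),
                       ("invoice.docx", build_docm(False))):
        raw = build_message(name, blob)
        print(name, "BLOCK" if should_block(raw) else "deliver", scan_message(raw))
```

Blocking on vbaProject.bin catches macro-bearing OOXML regardless of the file name; the extension-mismatch note is there because renaming a .docm to .docx is a common way to slip past filters that only look at names.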
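The three weaknesses noted under "Malware weaknesses" above (a burst to every list at once, random off-hours timing, and one identical body) are exactly the signals an outbound-mail monitor can key on, and they complement the "detect stolen credentials using endpoint monitoring" step. The following is an added example written for this report, not code from the original post: a detector run over a constructed outbound-mail log. The log format (one line per message with a body hash computed at the gateway), the business-hours range and the burst thresholds are assumptions to adapt to a real MTA log.

```python
"""Flag a mailbox that behaves like the malware in the report: a burst of
identical mails to many recipients, sent at odd hours.

Added example (not from the original report). Log format, business hours
and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: one outbound message per line; the gateway hashes the
# body so identical bodies can be compared without storing message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) "
    r"from=(?P<sender>\S+) to=(?P<rcpt>\S+) body_sha=(?P<sha>[0-9a-f]+)$"
)

BUSINESS_HOURS = range(8, 18)          # assumption: 08:00-17:59 local time
BURST_WINDOW = timedelta(minutes=10)   # assumption
BURST_MIN_RECIPIENTS = 5               # assumption

# Constructed sample log: Heather's account sends one identical body to six
# colleagues at 02:14 on a Tuesday; Bob sends two ordinary mails mid-morning.
SAMPLE_LOG = """\
2019-03-12T02:14:03 from=heather@example.com to=alice@example.com body_sha=4f2a
2019-03-12T02:14:05 from=heather@example.com to=bob@example.com body_sha=4f2a
2019-03-12T02:14:09 from=heather@example.com to=carol@example.com body_sha=4f2a
2019-03-12T02:14:12 from=heather@example.com to=dave@example.com body_sha=4f2a
2019-03-12T02:15:40 from=heather@example.com to=erin@example.com body_sha=4f2a
2019-03-12T02:16:01 from=heather@example.com to=frank@example.com body_sha=4f2a
2019-03-12T10:02:11 from=bob@example.com to=alice@example.com body_sha=91c0
2019-03-12T10:45:37 from=bob@example.com to=carol@example.com body_sha=e77b
"""


def parse(log_text):
    """Parse matching lines into dicts, sorted by timestamp; skip others."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(log_text):
    """One alert per sender whose traffic shows a recipient burst, annotated
    with the other two observed weaknesses (off-hours timing, identical body)."""
    by_sender = defaultdict(list)
    for e in parse(log_text):
        by_sender[e["sender"]].append(e)

    alerts = []
    for sender, evs in by_sender.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than BURST_WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > BURST_WINDOW:
                start += 1
            window = evs[start:end + 1]
            recipients = {w["rcpt"] for w in window}
            if len(recipients) >= BURST_MIN_RECIPIENTS and (
                    best is None or len(recipients) > len(best[0])):
                best = (recipients, window)
        if best is None:
            continue
        recipients, window = best
        signals = ["burst"]
        if any(is_off_hours(w["ts"]) for w in window):
            signals.append("off_hours")
        if len({w["sha"] for w in window}) == 1:
            signals.append("identical_body")
        alerts.append({"sender": sender, "recipients": len(recipients),
                       "first": window[0]["ts"].isoformat(), "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The burst alone is enough to quarantine the sender's outbound mail; the extra signals are what distinguish this malware's automation from a legitimate mass send such as a newsletter, which is normally sent in business hours and, if the body is identical, at least not as a reply to old threads.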