Malicious Code

Events associated with this classification taxonomy are related to incidents where malicious software is used to compromise systems or services.

This can be more traditional malware like independent trojans or viruses, or modular malware building up a botnet that can be adapted to the current needs of the internet criminals. The different classification types cover different components and activities of this process.

Recommendations:

  • Update the software running on the system.
  • Scan the system for malicious software. Offline scan from CD or USB if possible.
  • Change the access credentials of potentially affected users.
  • Consider reinstalling the operating system.


Events with this classification type identify a system that is likely compromised with malicious software acting as a drone in a botnet. These systems, also called zombie computers, carry out the attacks of the botnet.

This is generally a small piece of malicious software that tries to remain hidden and frequently contacts the command and control (C&C) server. The owner of the system is usually unaware that the system is compromised. The command and control server can instruct the botnet drone to install modules allowing it to perform other malicious actions.

The botnet drone might take on several different roles over its lifetime, depending on the needs of the cyber criminals. While one day it steals the user's credentials, the next day it could send spam for a phishing campaign and a week later participate in a DDoS attack, etc.

The system identified by `source` is most likely infected with malicious software acting as a botnet drone. If available, we include additional information such as the classification identifier, the malware name or any other extra information. The system should be regarded as compromised until further investigation has proven otherwise.


Classification Identifier

This malware targets only Windows systems. It is known for its information stealing/manipulation capabilities (e.g. targeting online business applications). Further information on Dridex:

This malware targets only Windows systems. It is known for its information stealing/manipulation capabilities (e.g. targeting online business applications). Further information on Gozi ISFB:

This malware targets only Windows systems. It is typically used to download further malware (e.g. credential stealers, remote access tools, banking trojans, spam modules). Further information on Heodo:

The system was detected attempting to break into a WordPress server login page, probably using stolen or brute-forced passwords. This is definitely a hostile act, and such software needs to be stopped immediately.

Events with this classification type identify a system that is likely compromised and acts as a command and control server or distributes malware configurations. These systems are essential to control and manage the botnet drones. They distribute instructions, configurations, modules and malware updates.

Connection and access logs of such systems can be helpful for identifying and informing botnet victims and for further investigating the incident. Depending on the data, they could be used as evidence in criminal investigations, which has certain requirements. We strongly suggest you get in touch with trusted IT security professionals to help you determine the next steps.

The system identified by `source` is most likely infected with malicious software and acts as a command and control server or configuration distribution server. The system should be regarded as compromised until further investigation has proven otherwise.

Recommendations:

  • Contact a trusted organization or agency to determine the next steps. Please contact us if you need any assistance. Even if we are not the right partner for you, we might be able to help you get in touch with the right organization.
  • Contact us if you are willing to share the access information with us.
  • Check access and application logs for unusual activity and additional information.
  • Share the information with the trusted organization or agency to inform the victims.
  • see also Malicious Code


Classification Identifier

Banjori is a banking trojan that uses a DGA to identify the C&C and is no longer in apparent use. The DGA takes a domain name as a seed and then generates up to 15,373 domains from there. It is not date-dependent and generates domains between 12 and 27 characters long, excluding the TLD.
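As an added example (not part of this taxonomy page), the block below reimplements the Banjori DGA for defensive use, expands a constructed seed into the candidate domain set and matches constructed DNS query log lines against it to find hosts to notify. The update rules follow Johannes Bader's public analysis of the malware and are an assumption to verify against that reference; the seed and log lines are constructed, not real indicators.

```python
# Banjori DGA reimplementation for defensive use (blocklists, sinkhole matching).
# Update rules are an assumption from public analysis (Johannes Bader), not from
# this page; verify against that reference before relying on them.
def _wrap_letter(value):
    """Wrap an ordinal back into the range 'a'..'z'."""
    return ord("a") + ((value - ord("a")) % 26)

def banjori_next(label):
    """Next label: only the first four characters change; the rest of the seed
    is carried over, so every generated domain keeps the seed's length."""
    d = [ord(c) for c in label]
    d[0] = _wrap_letter(d[0] + d[3])
    d[1] = _wrap_letter(d[0] + 2 * d[1])
    d[2] = _wrap_letter(d[0] + d[2] - 1)
    d[3] = _wrap_letter(d[1] + d[2] + d[3])
    return "".join(chr(x) for x in d)

def banjori_domains(seed_label, tld="com", limit=15373):
    """Expand a seed into the candidate C&C list (not date-dependent, so one
    run covers them all); stops early if the 4-character state cycles."""
    label = seed_label.lower()
    if not label.isalpha() or not 12 <= len(label) <= 27:
        raise ValueError("seed must be 12-27 letters (length excludes the TLD)")
    seen = {}  # insertion-ordered, doubles as the cycle check
    for _ in range(limit):
        if label in seen:
            break
        seen[label] = None
        label = banjori_next(label)
    return [f"{x}.{tld}" for x in seen]

def find_infected_hosts(log_lines, dga_domains):
    """Count, per client, DNS log lines ('<timestamp> <client_ip> <qname>')
    whose query name is in the generated set: candidates for notification."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        if parts[2].rstrip(".").lower() in dga_domains:
            hits[parts[1]] = hits.get(parts[1], 0) + 1
    return hits

# Constructed seed and log lines for demonstration; not real indicators.
SEED = "examplebanjoriseedlabelxyz"
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 jpboplebanjoriseedlabelxyz.com",
    "2024-01-01T10:00:05Z 10.0.0.5 qgjpplebanjoriseedlabelxyz.com.",
    "2024-01-01T10:00:07Z 10.0.0.9 www.example.org",
]
```

Because only the first four characters of the seed ever change, a generated list can be built once per seed and reused against DNS or passive-DNS logs.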

Reference:

Events with this classification type identify a system distributing malicious software. The infection usually happens by accessing a URL with a web browser. This does not necessarily mean that the malware is directly hosted on this system or URL, as it might simply load the malware from another server.

There are many ways to get visitors to access the URL and get infected. The most common one is to include links or scripts on vulnerable websites. Another way is to compromise the web server and redirect the visitor to an infected website. It is also possible that the website includes third-party content, such as advertising, which could be providing malicious content; this is also called malvertising.

The underlying root cause can vary and might include sending spam, participating in DDoS attacks, redirecting users to exploit kits, etc. A large subset of these compromises are caused by outdated versions of Content Management Systems such as Joomla/Drupal/WordPress (or plugins for these) and weak or keylogged FTP credentials.

The system identified by `source` is most likely distributing malicious software to infect visitors. We strongly recommend against accessing the `source.url` with a web browser, as you might get infected. The system or service should be regarded as compromised until further investigation has proven otherwise.

Recommendations:

  • Get professional assistance from your hosting provider or webmaster to remove the content.
  • Check the logs for unusual behavior.
  • Check for known vulnerabilities for any service running on the system. Apply the patches and/or configuration changes.
  • see also Malicious Code

Events with this classification type identify a system infected by ransomware. Ransomware refers to malicious software that denies access to files or the system and demands payment before returning access to the user. This is essentially a local denial of service attack.

The most common ransomware encrypts the files stored on the system and likely also on connected network file shares. It is crucial to act quickly. Sometimes the encryption can be prevented by denying network access, as the malware cannot get an encryption key or has to resort to storing the key locally, allowing some tools to extract the decryption key.

There is no guarantee that any tools are able to help or to recover the data. There are even documented cases where, after paying the ransom, the criminals were not able to deliver the correct decryption key. The best way to mitigate this risk is to have system and data backups so that the encrypted files can be restored.

The system identified by `source` is most likely infected with malware with ransomware functionality. The system should be regarded as compromised until further investigation has proven otherwise.

Recommendations:

  • Do not pay the ransom.
  • Disconnect the system from the network.
  • Check for further information. https://www.nomoreransom.org/
  • Decide whether to turn off the system or not. (see advanced recommendations)
    Turning off the system could delete the decryption key from memory.
  • Restore system and data from the backup if possible.
  • see also Malicious Code

Advanced Recommendations:

  • Dump the system memory, which could contain the encryption key.
  • Turn the system off to prevent further encryption.