The Dreambot malware is still in active development and over the last few months has been observed spawning multiple versions now spreading in the wild, according to California-based cyber security firm Proofpoint, whose researchers have spotted one of the latest versions of the Trojan.
The Tor-enabled version of Dreambot has been active since at least July 2016, when Proofpoint first observed the malware “successfully download the Tor client and connect to the Tor network.”
Dreambot is also often referred to as Ursnif or Gozi ISFB.
“The Tor network allows for encrypted, anonymized communication between individuals and among software applications,” Kevin Epstein, vice president of threat operations for Proofpoint, explains. “In the past, we’ve seen it used infrequently for malware to communicate with command and control (C&C) servers – it appears that may be changing as this particularly active Ursnif variant begins making use of Tor.”
Currently, many Dreambot samples include this functionality, but few use it as their primary mode of communication with their C&C infrastructure. However, in the future this feature may be used much more frequently, creating additional problems for defenders, according to Proofpoint.
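The defender's problem with Tor-based C&C is that the traffic itself is encrypted, so detection leans on the surrounding behaviour: a workstation fetching a Tor client, or talking to addresses and ports associated with Tor relays. The following is an added illustration, not Proofpoint's code or anything from the Dreambot samples. It runs a simple indicator match over constructed proxy/firewall log lines; the log format, the relay list (RELAY_FEED, filled with TEST-NET addresses) and the "default port" heuristic are assumptions, and a real deployment would load the relay list from a current Tor relay feed and treat any single match as a lead rather than a verdict.

```python
"""Flag internal hosts whose traffic looks like Tor client download or relay contact.

Heuristic, offline example over constructed log lines. Indicator sources are assumed:
  - TOR_DOWNLOAD_HOSTS: the Tor Project's own download hosts (a legitimate user
    installing Tor Browser will also trigger this, so it is a lead, not proof).
  - TOR_DEFAULT_PORTS: default relay ORPort/DirPort values; many relays use 443.
  - RELAY_FEED: placeholder for a relay-list feed; here TEST-NET addresses only.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). url is "-" for raw TCP flows.
SAMPLE_LOGS = [
    "2016-07-12T10:01:02Z src=10.0.0.5 dst=198.51.100.7 dport=443 host=dist.torproject.org url=/torbrowser/tor-win32.zip",
    "2016-07-12T10:02:10Z src=10.0.0.5 dst=203.0.113.10 dport=9001 host=- url=-",
    "2016-07-12T10:02:11Z src=10.0.0.5 dst=203.0.113.11 dport=443 host=- url=-",
    "2016-07-12T10:05:00Z src=10.0.0.8 dst=198.51.100.20 dport=443 host=www.example.com url=/index.html",
    "2016-07-12T10:06:30Z src=10.0.0.9 dst=203.0.113.12 dport=9030 host=- url=-",
    "this line is malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"host=(?P<host>\S+) url=(?P<url>\S+)$"
)

TOR_DOWNLOAD_HOSTS = {"www.torproject.org", "dist.torproject.org"}
TOR_DEFAULT_PORTS = {9001, 9030}
RELAY_FEED = {"203.0.113.10", "203.0.113.11"}  # placeholder; load from a relay feed in practice


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect_tor_activity(lines):
    """Map each internal source host to the sorted list of indicator names it matched."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if rec["host"] in TOR_DOWNLOAD_HOSTS:
            findings[src].add("tor-client-download")
        if rec["dst"] in RELAY_FEED:
            findings[src].add("known-relay-contact")
        if rec["dport"] in TOR_DEFAULT_PORTS:
            findings[src].add("tor-default-port")
    return {src: sorted(reasons) for src, reasons in findings.items()}


def prioritize(findings):
    """Order hosts by number of distinct indicators; several independent hits first."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for host, reasons in prioritize(detect_tor_activity(SAMPLE_LOGS)):
        print(f"{host}: {', '.join(reasons)}")
```

A host that both fetched a Tor client and then reached a listed relay is the one to triage first; a lone port-9030 connection from another host is a weaker signal and may be a legitimate relay user.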
“This new version of Dreambot was observed spreading through both malvertising and email-based attacks, effectively doubling the attack surface and challenging organizations’ defenses,” said Epstein. “For the malvertising attacks, we observed Flash-based exploits and malvertising attacks that employ exploit kits that also often target known vulnerabilities.”
One interesting example of Dreambot delivery came from an instance of the Niteris exploit kit. Several months after that, Proofpoint spotted the same redirection chain but instead to an undocumented 2-step flash Nuclear Pack. This particular Nuclear Pack behaved similarly to Spartan EK from the same coder in which an initial flash payload acted as a filter before sending the exploit and payload to end users. GooNky and AdGholas actors also commonly used Angler EK to deliver Dreambot while Angler was still highly active, the security firm said.
“Dreambot has been actively distributed via email in 2016,” Proofpoint reported. “We have noted campaigns targeting various regions including Australia, Italy, Switzerland, United Kingdom, United States, Poland, and Canada.”
These campaigns have ranged from thousands to hundreds of thousands of malicious email messages.
Disabling Flash and ensuring that all applicable OS and application patches are installed – a standard best-practice recommendation – is an important defensive measure, Epstein pointed out.
The email-based campaigns require more user interaction to click the link or open the attachment and then run the embedded code, but this has not been an obstacle to these campaigns in the past.
While users should be reminded to avoid opening documents from unknown senders and never enable content from an untrusted source, it is also recommended that organizations employ an email gateway and advanced threat solutions that can detect and block these messages before they reach end-users.
“A best-of-breed advanced threat and email solution is an essential element to defending against both of these attack vectors, since both malicious document attachments and links to malvertising-infected sites spread to users via email – and once it has reached a user it is only a matter of time before someone clicks,” said Epstein.