Enhanced Dreambot Trojan is nightmare for Tor networks

The Dreambot malware is still in active development and over the last few months has been observed to spawn multiple versions now spreading in the wild, according to California-based cyber security firm Proofpoint, whose researchers have spotted one of the latest versions of the Trojan.

The Tor-enabled version of Dreambot has been active since at least July 2016, when Proofpoint first observed the malware “successfully download the Tor client and connect to the Tor network.”

Dreambot is also often referred to as Ursnif or Gozi ISFB.

“The Tor network allows for encrypted, anonymized communication between individuals and among software applications,” Kevin Epstein, vice president of threat operations for Proofpoint, explains. “In the past, we’ve seen it used infrequently for malware to communicate with command and control (C&C) servers – it appears that may be changing as this particularly active Ursnif variant begins making use of Tor.”

Currently, many Dreambot samples include this functionality, but few use it as their primary mode of communication with their C&C infrastructure. However, in the future this feature may be utilized much more frequently, creating additional problems for defenders, according to Dreambot.

Here’s a link to more information on Dreambot.

“This new version of Dreambot was observed spreading through both malvertising and email-based attacks, effectively doubling the attack surface and challenging organizations’ defenses,” said Epstein. “For the malvertising attacks, we observed Flash-based exploits and malvertising attacks that employ exploit kits that also often target known vulnerabilities.”

One interesting example of Dreambot delivery came from an instance of the Niteris exploit kit. Several months after that, Proofpoint spotted the same redirection chain but instead to an undocumented 2-step flash Nuclear Pack. This particular Nuclear Pack behaved similarly to Spartan EK from the same coder in which an initial flash payload acted as a filter before sending the exploit and payload to end users. GooNky and AdGholas actors also commonly used Angler EK to deliver Dreambot while Angler was still highly active, the security firm said.

“Dreambot has been actively distributed via email in 2016,” Proofpoint reported. “We have noted campaigns targeting various regions including Australia, Italy, Switzerland, United Kingdom, United States, Poland, and Canada.”

These campaigns have ranged from thousands to hundreds of thousands of malicious email messages.

In one example, a bogus email in the form of a subpoena from the Federal Court of Australia was sent out. If the user were to follow a link included in the email, she would be greeted by a web page purporting to be the official court site. If the user then followed the instructions, she would be led to a download of a zipped JavaScript file that, when executed, led to a Dreambot download.

In another example, users were sent an email purporting to be associated with Microsoft and Office365. The link in the email led directly to a zipped JavaScript downloader hosted on Microsoft Sharepoint; opening the file would install Dreambot.

Disabling Flash and ensuring that all applicable OS and application patches are installed – a standard best-practice recommendation – is an important defensive measure, Epstein pointed out.

For the email-based campaigns, the attackers employed a range of techniques, from Word document attachments with malicious macro code (a technique that has dominated the threat landscape since early 2015) to links pointing to malicious documents or zipped JavaScript attachments hosted on a variety of servers, some legitimate and some fraudulent.

These require more user interaction to click the link or open the attachment and then run the embedded code, but this has not been an obstacle to these campaigns in the past.

While users should be reminded to avoid opening documents from unknown senders and never enable content from an untrusted source, it is also recommended that organizations employ an email gateway and advanced threat solutions that can detect and block these messages before they reach end-users.
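The two lures the article describes, a zipped JavaScript downloader and a Word document carrying a malicious macro, are both visible to a gateway before any user clicks. The following is an added example, not code from Proofpoint or from this article, of the kind of attachment triage such a gateway could perform: it opens an attachment in memory, treats Office Open XML files as the zip containers they are, and flags an archive that contains a Windows-executable script member or a document that contains a VBA project. All file names, member names and byte contents are constructed for the demonstration.

```python
"""Attachment triage for zipped-script and macro-document lures.

Added example (not Proofpoint's or the article's code). Sample
attachments below are constructed in memory so the script runs offline.
"""
import io
import zipfile

# Script-type members Windows will execute on double-click (assumed list).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")

# Office Open XML extensions; these are zip containers, macros live in vbaProject.bin.
OFFICE_EXTENSIONS = (".docm", ".docx", ".dotm", ".xlsm", ".pptm")


def list_zip_members(data: bytes) -> list[str]:
    """Return the member names of a zip archive, or [] if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'macro-document', 'script-in-archive' or 'clean'."""
    members = [m.lower() for m in list_zip_members(data)]
    lower_name = filename.lower()
    if lower_name.endswith(OFFICE_EXTENSIONS):
        # A VBA project inside the container means the document carries macros.
        if any(m.endswith("vbaproject.bin") for m in members):
            return "macro-document"
        return "clean"
    # Any other zip: look for executable script members, including in subfolders.
    if any(m.endswith(SCRIPT_EXTENSIONS) for m in members):
        return "script-in-archive"
    return "clean"


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples standing in for the attachments described in the article.
SAMPLES = {
    "court_subpoena.zip": build_zip({"court_subpoena.js": b"// placeholder text"}),
    "invoice.docm": build_zip({"[Content_Types].xml": b"<Types/>",
                               "word/vbaProject.bin": b"\x00"}),
    "report.docx": build_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>"}),
    "photos.zip": build_zip({"holiday/img1.jpg": b"\xff\xd8\xff"}),
    "notes.txt": b"just text",
}


def triage_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, str]:
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:20} {verdict}")
```

The check is deliberately structural rather than signature-based: it does not need to know anything about Dreambot itself, only that a zip handed to a user should not contain a script that Windows will run on double-click, and that a document should not carry a VBA project unless the sender is expected to send macros. A real gateway would apply the same logic recursively to nested archives and to documents reached through links, which the article notes were hosted on both fraudulent and legitimate servers.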

“A best-of-breed advanced threat and email solution is an essential element to defending against both of these attack vectors, since both malicious document attachments and links to malvertising-infected sites spread to users via email – and once it has reached a user it is only a matter of time before someone clicks,” said Epstein.
