MTA - Mike's Computer
Executive Summary
Impact
A user’s system has been infected with a malware family known as Dyreza which can be used to do any of the following:
- Perform man-in-the-middle attacks via browser injections
- Monitor/take screenshots of browser activity
- Steal personal security certificates
- Steal online banking/login credentials
- Track the affected user’s location through STUN (Session Traversal Utilities for NAT).
This malware is most commonly used by criminals to steal bank credentials from individual users rather than to attack large corporations. However, any credentials the user enters while infected are forwarded to the attacker. If the victim works in an accounts or R&D role, the attacker may incidentally capture credentials for company accounts.
More information on Dyreza: The Dire Implications of DYREZA - Threat Encyclopedia
Timeline
Timestamp | Activity |
---|---|
2015-02-06 17:07:25 | Email was sent from john.santoro@dascosupply[.]com containing a malicious program intended to download an additional payload (document8961294.scr) |
2015-02-08 18:31:00 | File was opened by the user, initiating the download of additional malicious files (SMowFtlw.exe and arrowu.jpg) |
Next Steps
Notification
The initial phishing email came from the dascosupply[.]com domain, but this company may be another victim of an attack rather than a malicious party. If DAS Co. Supply is a supplier or customer of the company, reach out by phone to make them aware of the possible breach. Avoid email communication: we will be blocking the domain, and we do not know whether the attacker still retains control of their email accounts.
Remediation
Search for other hosts impacted by the infection by using the indicators below:
DNS queries/HTTP Requests
- cwvancouver[.]com
- harveyouellet[.]com
Netflow
- Outbound connections to 178.47.141[.]100
Emails
- From the dascosupply[.]com domain
- Originating from 96.57.102[.]59
- Emails containing document8961294.zip
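The host search described above, as an added example that is not part of the original report: the indicators from this page are matched against constructed, simplified log records (one tab-separated line per DNS query, outbound connection, extracted file hash, or inbound mail), and any internal host that touches an indicator is flagged for the investigation. The log format, host addresses, and timestamps are assumptions for illustration.

```python
# Indicators as listed in the report (defanged brackets removed for matching).
BAD_DOMAINS = {"cwvancouver.com", "harveyouellet.com"}
BAD_DST_IPS = {"178.47.141.100"}          # Netflow: outbound C2 connection
MAIL_SENDER_DOMAIN = "dascosupply.com"    # source of the phishing email
BAD_MD5 = {
    "1d38c362198ad67329fdf58b4743165e": "document8961294.scr",
    "278d5ff287ca2172b5308fe04bb20431": "SMowFtlw.exe",
    "6643e36630b9826fc740a79d6212a0cf": "arrowu.jpg",
}

# Constructed sample records (hosts/timestamps invented), one per line:
# <log type>\t<timestamp>\t<internal host>\t<key>=<value>
SAMPLE_LOGS = """\
dns\t2015-02-08T18:31:05\t10.0.0.23\tquery=cwvancouver.com
dns\t2015-02-08T18:31:06\t10.0.0.23\tquery=www.example.com
dns\t2015-02-08T19:02:11\t10.0.0.57\tquery=cdn.harveyouellet.com
conn\t2015-02-08T18:31:07\t10.0.0.23\tdst=178.47.141.100
conn\t2015-02-08T18:31:09\t10.0.0.41\tdst=93.184.216.34
files\t2015-02-08T18:31:26\t10.0.0.23\tmd5=278D5FF287CA2172B5308FE04BB20431
smtp\t2015-02-06T17:07:25\t10.0.0.23\tfrom=john.santoro@dascosupply.com
smtp\t2015-02-07T09:12:00\t10.0.0.41\tfrom=alice@example.org
"""

def _domain_match(name, bad):
    # Match the indicator itself or any subdomain of it (cdn.harveyouellet.com).
    for d in bad:
        if name == d or name.endswith("." + d):
            return d
    return None

def scan(log_text):
    # Return (host, log_type, indicator) for every record that matches an IoC.
    hits = []
    for line in log_text.splitlines():
        log_type, _ts, host, kv = line.split("\t")
        key, _, value = kv.partition("=")
        value = value.strip().lower()     # hashes/domains compared case-insensitively
        if log_type == "dns" and key == "query":
            d = _domain_match(value, BAD_DOMAINS)
            if d: hits.append((host, log_type, d))
        elif log_type == "conn" and key == "dst" and value in BAD_DST_IPS:
            hits.append((host, log_type, value))
        elif log_type == "files" and key == "md5" and value in BAD_MD5:
            hits.append((host, log_type, BAD_MD5[value]))
        elif log_type == "smtp" and key == "from" and value.rpartition("@")[2] == MAIL_SENDER_DOMAIN:
            hits.append((host, log_type, MAIL_SENDER_DOMAIN))
    return hits

def impacted_hosts(hits):
    # Distinct internal hosts that should be pulled into the investigation.
    return sorted({h for h, _, _ in hits})
```

On the sample records this flags 10.0.0.23 (the original victim) on every indicator type and 10.0.0.57 on a DNS lookup of a harveyouellet[.]com subdomain, while the benign host 10.0.0.41 is not reported.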
Intel and Detections
Known bad indicators:
Indicator | Description |
---|---|
96.57.102[.]59 | Attacker-controlled mail server |
cwvancouver[.]com | Domain contacted by the infected host (DNS/HTTP) |
harveyouellet[.]com | Domain contacted by the infected host (DNS/HTTP) |
1d38c362198ad67329fdf58b4743165e | MD5 Hash for document8961294.scr |
278d5ff287ca2172b5308fe04bb20431 | MD5 Hash for SMowFtlw.exe |
6643e36630b9826fc740a79d6212a0cf | MD5 Hash for arrowu.jpg |
Suricata/IDS
```text
# sids 1-4 are draft placeholders; assign values from the local range (1000000+) before deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Unusual Machine IP Lookup"; http.host; content:"checkip.dyndns.org"; http.method; content:"GET"; classtype:external-ip-check; sid:1; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET Request to suspicious domain cwvancouver - Possible Dyreza Infection"; http.host; content:"cwvancouver.com"; http.method; content:"GET"; classtype:trojan-activity; sid:2; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET Request to suspicious domain harveyouellet - Possible Dyreza Infection"; http.host; content:"harveyouellet.com"; http.method; content:"GET"; classtype:trojan-activity; sid:3; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET Request to suspicious file arrowu.jpg - Possible Dyreza Infection"; http.uri; content:"arrowu.jpg"; http.method; content:"GET"; classtype:suspicious-filename-detect; sid:4; rev:1;)
```
YARA
```text
# Draft rule from the notes. It is Suricata syntax rather than YARA, and the content
# match was never filled in, so as written it would fire on every outbound HTTP
# request; it stays a placeholder until the pattern to match is specified.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Download"; sid:343123; rev:1;)
```
Workflow
PCAP
Phishing email observed in the capture: from john.santoro@dascosupply.com, Subject: "Your document"
Files carved from the capture, with MD5 and file type as recorded during analysis:
```text
1d38c362198ad67329fdf58b4743165e  document8961294.scr
278d5ff287ca2172b5308fe04bb20431  SMowFtlw.exe
6643e36630b9826fc740a79d6212a0cf  arrowu.jpg
extract_files/extract-1423420287.087185-HTTP-FOZ7nc3YykKIk5TA84: data
2015-02-08 18:31:26.843669  278d5ff287ca2172b5308fe04bb20431  SMowFtlw.exe  1d38c362198ad67329fdf58b4743165e  document8961294.scr
document8961294.scr: PE32 executable (GUI) Intel 80386, for MS Windows
```
Lessons learned