In March 2018 abuse.ch, a non-profit cybersecurity organization in Switzerland launched project URLhaus with the aim of detecting, collating and sharing URLs that contain malware. In the 10 months since its inception, over 265 security researchers helped takedown nearly 100,000 websites which were distributing malware.
The URLhaus project has been a massive success and is assisting network administrators and security analysts with protecting their environment. Averaging 300 new detections per day, this feed is freely available to anyone via their API, feeds or can be downloaded and imported into non-programmatic protection systems. The URLhaus detections are also being distributed to prevalent blacklisting services such as Google Safe Browsing, Spamhaus DBL and SURBL.
There are some interesting trends that can be identified from analysis of their published statistics. The notable standout from the list of detected malware is Emotet, a banking trojan derived from an earlier banking trojan Feodo. Discovered in June 2014, Emotet has become one of the most costly financial malware infections and, as can be seen from the URLhaus data, is still rampant today.
Although Emotet was initially a banking trojan itself, it has since been repurposed into a more generic botnet with the primary purpose of downloading and running a completely different banking trojan. Emotet is most commonly distributed via email where a small portion of the malware code (known as a dropper) is embedded into document macros that, when opened, download the rest of the malware from websites hosting the malware. Upon launching, Emotet establishes a connection back to its ‘Command & Control’(C&C) server where it retrieves a set of instructions from the operator of the malware detailing it’s next tasks.
Trend Micro recently released an updated analysis of Emotet with some surprising research findings. The most notable finding is that the most prevalent and widespread malware is controlled and orchestrated by only 2 groups. Analysis of the encryption keys used to encrypt network communications between the C&C and the malware only turned up 6 RSA public keys operating across the two groups.
The two groups do not appear to be affiliated in any way and, by observing the next stage of the attack, they appear to have completely different approaches. Whilst one group almost exclusively uses Emotet to download and run ‘Panda Banker’ , the other group choose ‘Trickbot’ and ‘IcedID’.
Vitali Kremez reverse-engineered the Panda Banker and published his analysis which shows that Panda Banker would typically be used to analyse system software; covertly watch/record the user’s screen using VNC; capture anything typed on the user’s keyboard and; steal information from the user’s web browser(s) such as passwords, certificates, form data and session cookies.
By comparison, Trickbot seems to be more focused at stealing financial information, online banking credentials, credit card numbers and attacking Active Directory. Newer features in Trickbot include a password stealer, email scraper and recently started looking for Point-Of-Sale systems present in the network.
It could be safely assumed that no organisation would want either of these groups rampaging through their environment. Fortunately, due to the commonality between in the infiltration-vector, and the brilliant work being done by the volunteers at URLhaus, both these groups can be disrupted simultaneously.
Whilst Phishing Defence Training can be timely and disruptive to the workforce, blocking access to websites has been around for decades. Any internet protection system worth paying for should have the capability to ingest threat-feeds and block connections to known threat websites in real-time.
Protecting yourself from everything in this post starts with ensuring that the short list of security best-practices is implemented and functional within your and your customer’s environments.
- Ensure that your Web Proxy is ingesting the latest URLhaus as well as other threat-feeds and is both blocking and reporting any connection attempts to the security team;
- Audit endpoints to confirm they are running and up-to-date version of an advanced endpoint detection system and are receiving regular signature updates from the vendor;
- Where possible, disable all Microsoft Office macros from executing across the entire organisation. Where there is a legitimate business requirement for Microsoft Office macros to be enabled, consider signing them and implementing a trusted location from which documents with macros can be accessed;
- Implement a DNS Response Policy Zone (also known as a DNS Firewall) and ingest threat-feeds of known-bad domains into a zone which prevents malware ‘dropper’ from finding the IP address of the main portion of the malware. Report any lookups from this zone to the security team;
- Investigate any detections from the above items for the presence of Emotet or other malware on the system that generated the alert;
- Commission a Threat Hunting exercise to search through all DNS and Proxy logs for the presence of any items contained in the full list of submissions from URLhaus.
Article written by Ryan Broadfoot. Email [email protected] to catch up with Ryan.