Invincea detects and blocks a Zeus malware spear-phish disguised as a British Airways fake ticket receipt. Information security and endpoint protection benefits from Invincea.
Invincea fake british airways ticket spear-phish malware 03-21-2014
1. Fake British Airways Ticket Receipt
a spear-phish malware analysis
by Invincea Threat Research Group, Analyst: ARMON BAKHSHI
CHRIS CARLSON, DIRECTOR, PRODUCT MARKETING, INVINCEA
MAR 21 2014
3. First, some definitions…
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia)
Spear phishing: phishing attempts directed at specific individuals or companies with a malicious payload
4. “95% of all attacks on enterprise networks are the result of successful spear-phishing.”
(Allen Paller, director of research, SANS Institute)
5. WHY a 95% success rate??
BECAUSE USERS LOVE…TO…CLICK...!
Sending at least 18 emails in a spear-phishing campaign guarantees at least one click!
(Verizon Data Breach Investigations Report – 2013)
7. Spear-phishing attacks are looking more official all the time….
2011: Fairly rudimentary – sending from Yahoo, no images, spelling/typos, etc.
2013: Very advanced – forged “from” address, embedded images, looks official
8. What we found… an Invincea customer forwarded a suspicious email to our Threat Research Group…
13. Let’s analyze it visually first…
- Plain text email
- No personalization
- UK company, but not using European time/date formats
- Formatting looks amateurish
14. And the dead giveaway…!
The actual URL is not the real British Airways website:
hxxp://topdynamic[.]hu/cache/pdf_ba_ticket_4W2KUA.zip
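The visual red flags the deck walks through (plain-text body, generic greeting, US date order from a UK sender, a link host that is not British Airways, a .zip named as a PDF ticket) can be checked mechanically. The Python below is an added example, not Invincea's code; the sample message is constructed, and its link is the URL the slide quotes, refanged so the parser sees a normal URL.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the deck's description (plain text, generic
# greeting, US-style date, link to a .zip on an unrelated host). The link is
# the slide's URL refanged; headers and body text are invented for illustration.
SAMPLE_EMAIL = """\
From: British Airways <e-ticket@britishairways.com>
Subject: Your e-ticket receipt
Content-Type: text/plain; charset=utf-8

Dear Customer,
Your e-ticket has been issued. Departure: 03/25/2014 10:15 AM.
Download your receipt: http://topdynamic.hu/cache/pdf_ba_ticket_4W2KUA.zip
"""

BRAND_DOMAINS = {"britishairways.com"}  # domains the brand actually sends from
ARCHIVE_EXT = (".zip", ".rar", ".7z")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
DATE_RE = re.compile(r"\b(\d{2})/(\d{2})/\d{4}\b")

def under_domain(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def phish_indicators(raw, brand_domains=BRAND_DOMAINS):
    """Return the red flags from the deck that are present in the raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    if msg.get_content_type() == "text/plain":
        flags.append("plain-text body from a brand that sends HTML")
    if re.match(r"\s*Dear (Customer|Sir|Madam|Valued)", body):
        flags.append("generic greeting, no personalisation")
    for _first, second in DATE_RE.findall(body):
        if int(second) > 12:  # day in the second slot means month-first (US) order
            flags.append("US date format from a UK sender")
            break
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not under_domain(host, brand_domains):
            flags.append(f"link host {host} is not a brand domain")
        name = parsed.path.rsplit("/", 1)[-1].lower()
        if name.endswith(ARCHIVE_EXT) and "pdf" in name:
            flags.append(f"archive {name} posing as a PDF document")
    return flags

def is_suspicious(raw, threshold=2):
    """Simple verdict: two or more independent indicators is enough to quarantine."""
    return len(phish_indicators(raw)) >= threshold
```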
16. We used our own product – Invincea FreeSpace – to analyze the malware.
FreeSpace creates a secure virtual container to isolate the malware from the host operating system.
17. We unzipped the ZIP file and opened the PIF file in the FreeSpace secure virtual container to let the malware execute.
22. Now we know that this is malware executing.
Let’s look up more details on the malware through integration with our partner, ThreatGRID:
100% confidence of a Zeus banking Trojan family variant
25. Summary of Analysis:
- This was not a zero-day attack, but it is still effective
  o Even if it had been a zero-day, Invincea could still contain and detect it, because we analyze behavior, not signatures
- It was a variant of an existing “Zeus Gameover” banking Trojan that one can buy cheaply on the black market
  o Log keystrokes
  o Steal bank credentials
  o Launch distributed denial-of-service (DDoS) attacks against financial institutions
- If the payload was encrypted and opened on the client endpoint, it would sneak past perimeter control systems and execute successfully – need endpoint protection!
29. And now the clean-up…
Simply closing the infected, contained application removes all traces of the malware.
This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container.
Delete infected container: < 1 second
30. See more malware analysis “Killed in Action” (KIA) at:
http://www.invincea.com/category/kia/
And learn more about Invincea at:
http://www.invincea.com/why-invincea/