THREAT INSIGHTS REPORT

November 2019

THREAT INSIGHTS REPORT NOVEMBER 2019

THREAT LANDSCAPE

The Bromium Threat Insights Report is designed to help our customers become more aware of emerging threats, equip security teams with tools and knowledge to combat today’s attacks, and manage their security posture.

Bromium Secure Platform is deployed on desktops and laptops, capturing any potential threats and allowing them to run inside secure containers. Adding isolation to the endpoint security stack transforms your endpoints into your strongest defence, while giving security teams a unique advantage to be able to monitor, track and trace any malware that tries to enter your networks.

NOTABLE THREATS

High-volume Emotet malicious spam campaigns resumed on 16 September 2019 after the malware’s command and control (C2) infrastructure came online again on 22 August 2019. Emotet spam activity had stopped in early June 2019. Bromium Labs analysed the new campaign and documented the changes to how Emotet infects systems. Notable changes include a different packer, MIME type and document lures. September 2019 also saw an increase in the use of a JScript downloader to download and execute Emotet’s payload. Historically, Emotet’s operators have relied on PowerShell download cradles to download the malware. Bromium Labs analysed the updated JScript downloader in detail.

In early October 2019, German organisations were targeted by a malicious spam campaign delivering Buran ransomware. Buran is a family of commodity ransomware that was discovered being advertised on Russian-speaking forums in May 2019. Buran’s developers market the ransomware to potential operators as a ransomware-as-a-service (RaaS) scheme, taking a 25% cut of any ransom payments in exchange for a “decoder” used to decrypt victims’ files. In this campaign, the emails purported to be messages from a legitimate online fax service called eFax. The emails were effective at bypassing email gateway security controls because they did not contain attachments. Instead, the Buran affiliate registered 24 eFax typosquat domains where they hosted malicious Microsoft Word documents. Running the documents triggered the execution of a Visual Basic for Applications (VBA) AutoOpen macro that would download and start the ransomware. Bromium Labs’ analysis of the malware indicates that version 5 of Buran was distributed.

Malware type classifications, October 2019

Version 5 signature string found in Buran executable

Translated advert from May 2019 for Buran’s affiliate scheme

Ransom note used in campaign targeting German organisations


Last month, Bromium Labs also analysed malicious documents that downloaded and ran two families of script-based malware, JasperLoader and FTCODE. JasperLoader is a lightweight loader written in VBScript that was used to download and run FTCODE ransomware. Among ransomware families, FTCODE is notable because, like JasperLoader, it is not written in a compiled programming language. Instead, FTCODE is written in PowerShell. The campaign likely targeted Italian speakers because the lure document was composed in Italian. By relying on living-off-the-land binaries such as Windows Script Host (WScript.exe) and PowerShell for execution, script-based malware can avoid detection in environments where the use of high-risk operating system utilities isn’t controlled or monitored.

NOTABLE TECHNIQUES

Character obfuscation (T1027) is a defence evasion technique typically used by malware written in interpreted languages to evade detection. Emotet’s JScript downloader also contains two more unusual anti-analysis measures. The first prevents monitoring of the script’s console output by redefining the console output function for every trace level, for example “info”, “debug” and “trace”. This stops the deobfuscated values of statements and variables from being printed after they have run. The second is the use of an anonymous function template, which effectively prevents the script from being debugged. If an analyst tries to debug the script, for instance using a web browser, the protection function will freeze the debugger unless it is removed.

ACTIONABLE INTELLIGENCE

Bromium Secure Platform Recommendations

Bromium customers are always protected because malware is isolated from the host computer and cannot spread onto the corporate network. We recommend updating to the latest Bromium Secure Platform software release and using the Operational and Threat Dashboards in your Bromium Controller to ensure isolation is running correctly on your endpoint devices.

The case ‘1’ clause of the switch statement redefines [“console”][“LEVEL”] to the empty function “am”


In your Bromium Secure Platform policy, we recommend that untrusted file support for email clients and Microsoft Office protection options are enabled (these are enabled by default in our recommended policies). Switching on these settings is an easy way to reduce the risk of infection posed by phishing campaigns. Please contact Bromium Support if you need help applying suggested configurations.

General Security Recommendations

Ransomware campaigns continue to pose a significant risk to enterprises. On 2 October 2019 the US Federal Bureau of Investigation published a public service announcement stating that although the number of indiscriminate ransomware incidents has fallen since 2018, the total losses from ransomware have increased. Following enterprise security best practice on patch management, access control and backing up data can limit the impact of such attacks.

Signatures

The malicious documents used to download Buran ransomware each contained four XML files containing junk data. The purpose of the junk data was likely to vary the file size and hash of the document to evade detection using these properties. We’ve provided a YARA rule below that detects the document component of the campaign.

MITRE ATT&CK heatmap showing the range of techniques used by threats isolated in October 2019

Top 10 MITRE ATT&CK techniques used by threats isolated in October 2019


rule doc_efax_buran {
    meta:
        author = "Bromium Labs"
        date = "2019-10-10"
        sample_1 = "7DD46D28AAEC9F5B6C5F7C907BA73EA012CDE5B5DC2A45CDA80F28F7D630F1B0"
        sample_2 = "856D0C14850BE7D45FA6EE58425881E5F7702FBFBAD987122BB4FF59C72507E2"
        sample_3 = "33C8E805D8D8A37A93D681268ACCA252314FF02CF9488B6B2F7A27DD07A1E33A"
    strings:
        $vba = "vbaProject.bin" ascii nocase
        $image = "image1.jpeg" ascii nocase
        $padding_xml = /[a-zA-Z0-9]{5,40}\d{10}\.xml/ ascii
    condition:
        all of them and filesize < 800KB
}

STAY CURRENT

The Bromium Threat Insights Report is made possible by customers who opt in to share their threats on the Bromium Threat Cloud. Alerts that are forwarded to us are analysed by our security experts to reduce false positives and generate higher fidelity alerts. You can also use the threat data collected from isolated malware to protect other critical assets that are not secured by Bromium. To learn more, review the Knowledge Base article on Threat Sharing.

We recommend that customers take the following actions to ensure that they get the most out of their Bromium deployments:

• Enable Bromium Cloud Services and Threat Forwarding. This will keep your endpoints updated with the latest Bromium Rules File (BRF) and make sure we report the latest security incursions to you. Plan to update the Controller with every new release to receive the latest operational and threat intelligence report templates. See the latest release notes and software downloads available on the Customer Portal.

• Update Bromium endpoint software at least twice a year to stay current with emerging attack technique detections added by Bromium Labs.

For the latest threat research, head over to the Bromium Blog, where our researchers regularly dissect new threats and share their findings.

ABOUT THE BROMIUM THREAT INSIGHTS REPORT

Enterprises are most vulnerable when users open email attachments, click on hyperlinks in emails or chats, or download files from the web. Bromium Secure Platform protects the enterprise by isolating risky activity into micro-VMs, ensuring that malware cannot infect the host computer or spread onto the corporate network. Since the malware is contained, Bromium Secure Platform collects rich forensic data to help our customers harden their entire infrastructure. The Bromium Threat Insights Report addresses key takeaways from the latest reported and analysed threats to ensure that our customers are thoroughly protected.