Security Labs

Forcepoint Security Labs have encountered an ongoing Trickbot campaign that appears to target crypto-currencies. Trickbot is a banking Trojan that is traditionally known to target financial institutions. Recently, we have observed Trickbot targeting Paypal and expanding its list of target institutions to include those from Nordic countries.

Today’s campaign uses Canadian Imperial Bank of Commerce (CIBC) as a social engineering lure. Below is a screenshot of the email:

The attached document is disguised as a CIBC document. It contains a macro downloader that ultimately downloads and executes a Trickbot variant.... Read more

This blog is part of a series! Read part one ‘Security, Performance, Obfuscation & Compression’ here and part two ‘Camouflage .NETting’ here.

Much attention is paid to the underground economy in the media with a huge focus on the availability of malware on underground and so-called ‘darknet’ forums. These underground services may make a more exciting story, but the recurring theme throughout the past two posts in this series has been the ready availability of commercial tools written without malicious intent which can nonetheless be turned to ill purposes.

Instead of relying on underground sources to... Read more

Click here for part one of this series: ‘Security, Performance, Obfuscation & Compression’.

Since its introduction the majority of malware authors have shunned .NET as a development platform, despite its relative popularity as a platform for developing legitimate Windows software. There are numerous potential reasons for this, but two in particular that likely have a significant influence on malware authors are .NET code’s reliance on external libraries (few people are likely to want to install a specific version of the .NET Framework in order to support someone trying to steal their banking details) and – as... Read more

Recently, Forcepoint Security Labs have encountered a strain of scam emails that attempts to extort money out of users from Australia and France, among other countries. Cyber-extortion is a prevalent cybercrime tactic today wherein digital assets of users and organizations are held hostage in order to extract money out of the victims. Largely, this takes in the form of ransomware although data exposure threats - i.e. blackmail - continue to become popular among cyber crooks.

In light of this trend, we have observed an email campaign that claims to have stolen sensitive information from recipients and demands 320 USD payment in... Read more

Historically, the majority of traditional AV solutions have relied on static signatures to identify known malware. As a result, malware authors naturally started employing a range of tools to obfuscate the underlying code of their software in order to avoid such signature based detection and to hinder (human) static analysis.

These obfuscation tools have proliferated over the past years, with numerous commercial offerings available as even legitimate software authors look to at least hinder the reverse-engineering of their products. While the methods and results vary, the ultimate intention is now usually to make the code... Read more

In January 2016 Forcepoint Security Labs reported an email campaign delivering the Ursnif banking Trojan which used the ‘Range’ feature within its initial HTTP requests to avoid detection.

In July 2017 we discovered a malicious email sample delivering a new variant of Ursnif, attached within an encrypted Word document with the plaintext password within the email body. As recorded in several other Ursnif campaigns reported since April 2017, this Word document contains several obfuscated VBS files which load malicious DLLs through WMI.

However, these samples appear to exhibit new features including anti-sandboxing features... Read more

The June 2017 Petya (Petna, Petrwrap, etc.) outbreak injected some much un-needed excitement into an IT sector just starting to come to terms with the implications of the WannaCry outbreak a few weeks beforehand.

In the immediate wake of WannaCry there was a discussion around what could have been done to reduce the impact of the outbreak, but even without the benefit of hindsight it was easy to point to slow patching cycles and the questionable architectural/configuration decision of allowing SMB traffic from external addresses past the network boundary.

However, as discussed in our earlier blog post, June 2017’s Petya... Read more

Please note:​ This is an update to our original analysis posted on June 27, 2017.

Forcepoint Security Labs will continue to refer to this as a Petya outbreak, although other vendors have chosen to apply additional or alternative names to it.

In straightforward terms, the samples analysed have passed the ‘duck test’ https://en.wikipedia.org/wiki/Duck_test) as Petya which has previously been seen to:

Microsoft Security Advisory 4025685 [1] was released on Tuesday 13 June 2017 and quickly gathered a large amount of attention for fixing a significant number of SMB exploits in supported versions of Windows and for Microsoft's decision, once again, to provide patches for now-unsupported versions of their operating systems.

While Microsoft rate the SMB vulnerabilities as Important rather than Critical, it should be borne in mind that vulnerabilities within network services such as these are inherently 'wormable' as demonstrated by WannaCry's rapid spread via the exploitation of an SMB vulnerability just last month (see https://... Read more

At around 09:00 BST yesterday, Forcepoint Security Labs™ observed a significant malicious email campaign from the Necurs botnet. Necurs is a prevalent botnet that is known to spread Locky ransomware, pump-and-dump stock scams, and more recently the Jaff ransomware.

This time, however, Necurs has been observed spreading the Trickbot banking Trojan for the first time. The malicious email campaign ended at around 18:00 yesterday and nearly 9.6M related emails were captured and stopped by our system. The following is a sample screenshot of a related email:

In addition, below are details of this campaign: