


MONSOON - Analysis Of An APT Campaign

MONSOON is the name given to the Forcepoint Security Labs™ investigation into an ongoing espionage campaign that the Special Investigations team have been tracking and analysing since May 2016. We have released our technical analysis in the form of a whitepaper. A download link is provided below.

Uncovering A Malicious Traffic Direction System (Blackhat-TDS)

Recently an actor has been using domains like realstatistics[.]info to direct users to exploit kits. These domains are injected as scripts into compromised websites, resulting in drive-by attacks on browsers. The domains are used as Traffic Direction Systems (TDS), which determine whether a target is of interest and should be sent to the malicious site.

Cerber Actor Distributing Malware Over E-mail Via WSF Files

Last week we tracked an interesting e-mail campaign that was distributing double-zipped files with Windows Script Files (WSFs) inside. When executed, these WSFs downloaded the Cerber crypto-ransomware. Cerber has previously been seen distributed via exploit kits and over e-mail using DOC files with macros. This is the first time that we have seen Cerber distributed via WSFs.

E-mail Lure

The e-mail lures followed a convention of "[someone@somewhere.tld] Invoice-or-bill-related-subject-line". For example:

Top 20 Airline Travel Site Victim to Malvertizing Attack - Redirects Users to Angler EK & Bedep Malware

The popular airline travel site yatra[.]com is currently (01 Feb 2016) redirecting users to Angler Exploit Kit (EK) via a compromised advertising script. The millions of users per month browsing to the yatra[.]com homepage are currently exposed to being redirected to code that silently drops and executes malware in the background by exploiting one of the latest Flash Player vulnerabilities.

Compromised Site

Range Technique Permits Ursnif To Jump Onto Your Machine

On January 5th Raytheon|Websense® researchers noticed an interesting e-mail sample from a recent and ongoing e-mail campaign which contained a malicious document attachment and downloaded malware in a unique way. The Microsoft Office Word document downloaded the malicious payload from a JPG file but, where a normal browsing user would see an image of a kangaroo, the malicious document saw a different file - the Ursnif credential stealer.

fig 1. Actual image hosted on command-and-control server


Executive Summary

An Early Christmas Present Exploits CVE-2015-8446 and Drops CryptoWall 4.0

Today, we came across a website providing free Christmas graphics along with an early but unwanted Christmas present. The website christmas-graphics-plus[.]com is injected with malicious code that leads users on a virtual sleigh ride to Angler Exploit Kit (EK) and drops the new CryptoWall 4.0 ransomware. If you were to visit this grotto, then all of your documents would be encrypted and held to ransom - including your Christmas card address book. The real Nightmare Before Christmas.