Phishing Trojan Campaign Morphs at Scale to Defeat Legacy Detection
Phishing attacks are nothing new, but we are noticing a new trend toward polymorphism, both in the wrapping document and in the dropped executable. In samples that are only minutes old, we see the control server re-obfuscating and updating the malware faster than anti-virus products update their detections.
The changes go well beyond trivial substitution. As a result, nothing in your perimeter or endpoint AV prevents the malicious document from reaching end users and infecting them. Fresh malware of this kind can only be detected after you have already been infected.
Here’s one example we saw earlier today. It’s a fairly standard phishing template and, using data stolen by the Trojan from other infected machines, pretends to be from a friend or acquaintance of the recipient. The email encourages the potential victim to click a link to download an alleged invoice.
Upon clicking the link, a document downloads. This is what the email led the user to expect, so they open it. Here is the malicious document running inside a micro-VM, opened in front of the user who clicked the phishing link:
Again, this is fairly standard, and as we see so often, the malware scarily detonates without any user interaction at all. As is often the case, there is some social engineering to trick users into turning macros on if they have been disabled.
Using Bromium Secure Platform, this document has been isolated in a lightweight micro-VM. This is transparent to the user, but our hardware-based isolation allows us to safely continue execution of the malicious code, giving us a unique insight into what it is doing. This analysis is instantly fed back to our customer’s security team.
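As an added illustration (not code from the Bromium article) of why a re-obfuscated sample slips past a hash signature while its behaviour stays recognisable: two constructed document variants, an exact-hash lookup, and a few content-independent rules run over a constructed execution trace of the kind an isolation container could record. Every sample, path and address below is made up.

```python
import hashlib

# Constructed stand-ins for two downloads of the same malicious document, re-obfuscated
# between fetches (identifiers renamed, junk statements inserted). Not real campaign samples.
DOC_FIRST_SEEN = b'Sub AutoOpen()\nSet o = CreateObject("WScript.Shell")\no.Run "<stage2>"\nEnd Sub'
DOC_MINUTES_LATER = b'Sub AutoOpen()\nDim j: j = 7\nSet qx = CreateObject("WScript.Shell")\nqx.Run "<stage2>"\nEnd Sub'

# Legacy model: the vendor analysed DOC_FIRST_SEEN and shipped its hash as a signature.
SIGNATURE_DB = {hashlib.sha256(DOC_FIRST_SEEN).hexdigest()}

def legacy_hash_detects(doc: bytes) -> bool:
    """Exact-hash signature lookup; any byte change in the sample defeats it."""
    return hashlib.sha256(doc).hexdigest() in SIGNATURE_DB

# Constructed execution trace, in the shape an isolation container might record after
# letting the document run to completion. Both downloads behave identically once opened.
TRACE = [
    {"event": "process_start", "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"event": "process_start", "parent": "cmd.exe", "image": "powershell.exe"},
    {"event": "file_write", "process": "powershell.exe", "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"event": "process_start", "parent": "powershell.exe", "image": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"event": "network_connect", "process": "upd.exe", "dest": "203.0.113.10:443"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def behaviour_rules(trace: list[dict]) -> set[str]:
    """Content-independent rules over what the document did, not what its bytes look like."""
    hits = set()
    written = set()  # paths written earlier in this trace
    for ev in trace:
        if ev["event"] == "process_start":
            if ev["parent"] in OFFICE_APPS and ev["image"] in INTERPRETERS:
                hits.add("office_spawns_interpreter")
            if ev["image"] in written:
                hits.add("dropped_file_executed")
        elif ev["event"] == "file_write":
            written.add(ev["path"])
    return hits

def compare(doc: bytes, trace: list[dict]) -> dict:
    """Verdict for one download: what a hash signature sees versus what its behaviour shows."""
    return {"hash_match": legacy_hash_detects(doc), "behaviour": sorted(behaviour_rules(trace))}

if __name__ == "__main__":
    for name, doc in (("first seen", DOC_FIRST_SEEN), ("minutes later", DOC_MINUTES_LATER)):
        print(name, compare(doc, TRACE))
```

The second download never matches the signature, yet both trigger the same behavioural rules, which is the gap the isolated-execution approach above is meant to close.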
Read the entire article here: Phishing Trojan Campaign Morphs at Scale to Defeat Legacy Detection
via the fine folks at Bromium