After a spearphishing email deceives a recipient into introducing malware into a network, a range of protective controls kick in. These defenses monitor activity and flag anything unusual. The attacker's goal is to "stay below the radar" and avoid detection.
FireEye has discovered malware that hides behind legitimate activity to evade detection. Unsurprisingly, FireEye reports, it arrives as an attachment to a spearphishing email. Once installed, the malware, dubbed "Trojan.APT.BaneChant", applies a multi-tiered strategy to evade detection. FireEye summarized the evasion techniques:
1. Evade sandbox by detecting human behaviors (multiple mouse clicks);
2. Evade network binary extraction technology by performing multi-byte XOR encryption on executable file;
3. Social engineer user into thinking that the malware is legitimate;
4. Avoid forensic and incident response by using fileless malicious code; and
5. Prevent automated domain blacklisting by using redirection via URL shortening and Dynamic DNS services.
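Item 2 above is worth seeing from the defender's side. A multi-byte XOR key removes the `MZ` magic and the DOS-stub string that network file-extraction engines key on, but it does not remove the structure: every Windows executable carries a known plaintext (`This program cannot be run in DOS mode`) that is longer than any short repeating key, so the key can be recovered from a captured stream by a known-plaintext attack and the binary extracted after all. The code below is an added example written for this article; it is not FireEye's or the malware's code, and the page gives no details of BaneChant's actual key length or schedule. The sample "executable", the five-byte key and the 16-byte key-length ceiling are all constructed assumptions.

```python
"""
Known-plaintext recovery of a repeating multi-byte XOR key from an
XOR-encoded Windows executable captured off the wire.

Assumptions (constructed for this example, not taken from any report):
  * the encoded file appears contiguously in the captured bytes;
  * the key repeats with a period of at most MAX_KEY_LEN bytes;
  * the file carries the standard DOS stub string (almost all PEs do).
"""
from itertools import cycle

DOS_STUB = b"This program cannot be run in DOS mode"   # known plaintext (crib)
MAX_KEY_LEN = 16                                       # must not exceed len(DOS_STUB)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_fake_pe() -> bytes:
    """A minimal PE-shaped blob (constructed test data, not a real executable).

    It has the MZ magic at offset 0, e_lfanew at 0x3C pointing to 0x80, the
    usual DOS stub at 0x4E and a 'PE\\0\\0' signature at 0x80.
    """
    header = b"MZ" + b"\x90" * (0x3C - 2) + (0x80).to_bytes(4, "little")
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB + b".\r\r\n$")
    body = header + stub
    body += b"\x00" * (0x80 - len(body)) + b"PE\x00\x00" + bytes(range(64))
    return body


def recover_xor_key(blob: bytes, crib: bytes = DOS_STUB,
                    max_key_len: int = MAX_KEY_LEN):
    """Return (key, crib_offset) or None.

    For every key length and every offset at which the crib could sit, the
    key byte for slot (offset + j) % key_len is forced to blob[offset+j] ^
    crib[j]; a contradiction rules that (length, offset) pair out.  The key
    is returned aligned to blob offset 0, so xor_bytes(blob, key) decodes the
    whole capture.  A candidate is accepted only if the decoded bytes also
    contain the MZ magic before the crib.  An all-zero key means the file was
    not encoded at all.
    """
    for key_len in range(1, max_key_len + 1):
        for off in range(len(blob) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for j, p in enumerate(crib):
                slot = (off + j) % key_len
                kb = blob[off + j] ^ p
                if key[slot] is None:
                    key[slot] = kb
                elif key[slot] != kb:
                    consistent = False
                    break
            if not consistent or None in key:
                continue
            candidate = bytes(key)
            if b"MZ" in xor_bytes(blob, candidate)[:off]:
                return candidate, off
    return None


def demo():
    """Encode the constructed PE with a 5-byte key, then recover it."""
    key = b"\x7a\x13\xc4\x08\x5e"          # constructed key, not from any sample
    wire = xor_bytes(build_fake_pe(), key)  # what a sensor would see on the wire
    recovered = recover_xor_key(wire)
    return wire[:2], recovered, xor_bytes(wire, recovered[0]) == build_fake_pe()


if __name__ == "__main__":
    magic_on_wire, (key, off), ok = demo()
    print("magic on wire:", magic_on_wire, "(MZ signature is gone)")
    print("recovered key:", key.hex(), "crib at offset", hex(off), "decoded ok:", ok)
```

The practical caveat is the ceiling on key length: the crib is 38 bytes, so a key longer than that cannot be recovered from the DOS stub alone and would need a second crib (for example the section table or the `PE\0\0` signature at `e_lfanew`). Tools such as xorsearch apply the same idea with a larger crib set; the point for the detection engineer is that XOR "encryption" of a PE is reversible from the traffic itself whenever the key is short and repeating.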
This smarter malware underscores the cleverness and adaptability of our cyber adversaries. As defenses improve, attackers modify their attacks to overcome them, or even hijack the defenses and turn the compromised defenses against the target.
In the face of smarter malware, the need to stop the attack while it is still merely an unwanted but deceitful email becomes more urgent. Your personnel will receive malicious emails, and your security hangs in the balance each time an employee decides whether to click a link or open an attachment. Telling employees to avoid suspicious emails is good advice, but attackers know that guidance too; that is precisely why they use social engineering to craft emails that do not look suspicious. IT must intervene in the email processing decision. That is the role of SP Guard. With SP Guard, IT defines a list of trusted senders and presents that information to staff at the moment they are deciding whether to click or pass. In the SP Guard environment, staff can, for example, easily distinguish a trusted HR email from a spoofed HR email.
You can contact us at 408-727-6342, ext. 3, or use our online form.