Incident Report #2.

The Fibonacci Backdoor.

Perception point detected an attack sent to users via email. The backdoor grants the attacker control to remotely execute commands on the compromised computer. The infection process is as following

The email with the attached .tar file

After extracting the script file and executing it, the user will be prompted with the Fibonacci sequence.

Obviously this is a deceptive message because the script continues to run in the background awaiting commands..

The script that runs sends a message to a server controlled by the attacker and waits for a response. The response the script receives is “go to sleep for 8 seconds and ask again”. The script waits and askes again. The issue here is the fact that the attacker can change the response in the server at any time and when he does the script will receive malicious commands and execute them. As long as the server is up the script will forever provide access to the attacker.

The Untrusted Trustee.

A malicious attachment was caught in an email to a Perception Point protected mailbox, in most companies that would be the end of the story, and in some they will also provide an investigation of the payload. However, by leveraging email history data collected when protecting the entire organization, we were able to spot that the display address and name belonged to a business partner of the company with whom regular communication was conducted over the past two and a half months. Further, we were able to spot all the spoofed emails sent to 7 different addresses within the organization from 8 different IPs, including some with none malicious payload.

The attacker somehow knew about the relationship between our client and the business partner, and was targeting the specific person who was in contact with the business partner. By doing so, he was able to leverage the trust that existed between the two parties in order to carry out his malicious intent; be it malicious documents, links or social engineering.

In conclusion, the average user will find it very hard to distinguish these types of attacks from normal daily communications requiring the IT to leverage advanced technologies that deeply inspect communication channels across the digital-first enterprise.