From: Liberal Arts Chairs [mailto:[log in to unmask]] On Behalf Of Bolsterli, Eric J
Sent: Friday, October 17, 2014 10:11 AM
To: [log in to unmask]
Subject: FW: CIS CYBER ALERT - Invoice Phishing Spam Campaign Distributing Dyre Banking Trojan - TLP: WHITE
Importance: High

PLEASE FORWARD TO EVERYONE IN YOUR DEPARTMENT!!

If you can forward it to students too please do so.

From: "Burton, Bobby" <[log in to unmask]<mailto:[log in to unmask]>>
Reply-To: ISA-WORKING-GROUP LIST <[log in to unmask]<mailto:[log in to unmask]>>
Date: Thursday, October 16, 2014 at 4:33 PM
To: "[log in to unmask]<mailto:[log in to unmask]>" <[log in to unmask]<mailto:[log in to unmask]>>
Subject: FW: CIS CYBER ALERT - Invoice Phishing Spam Campaign Distributing Dyre Banking Trojan - TLP: WHITE

Good afternoon all,

Please read the alert below carefully. A massive phishing campaign is underway targeting banking information.

The ISO is working with OIT to block this campaign. Please remind your users of the following:

* Do not open email attachments from unknown or untrusted sources.
* Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
* Keep all operating system, applications and essential software up to date to mitigate potential exploitation by attackers.
* Ensure that systems are hardened with industry-accepted guidelines.
* Make sure all AV products are up-to-date with their signatures.

Best regards,

Bob Burton
Information Security Office
University of Texas at Arlington
817-272-9693


From: MS-ISAC Advisory [mailto:[log in to unmask]]
Sent: Thursday, October 16, 2014 3:46 PM
To: William Pelgrin
Subject: CIS CYBER ALERT - Invoice Phishing Spam Campaign Distributing Dyre Banking Trojan - TLP: WHITE
Importance: High

TLP: WHITE
CIS CYBER ALERT

TO: All Members

DATE ISSUED: October 16, 2014

SUBJECT: Invoice Phishing Spam Campaign Distributing Dyre Banking Trojan

CIS recently became aware of a massive spam campaign targeting users in various sectors. Phishing emails used in the campaign contain a PDF attachment named Invoice621785.pdf. This attachment is a weaponized PDF document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). After successful exploitation, the user's system will download additional malware from hxxp://rlmclahore.com/Resources/Search/1510out[.]exe. This is a banking trojan similar to Zeus/Citadel in that it targets sensitive user information including banking credentials. As of this writing, all of the major AV products are detecting this malware as Trojan Dyre/Zbot/Fondu.

Phishing Email Characteristics:

Subject: "Unpaid invoic" [Please note the typo in the subject line]

Attachment: Invoice621785.pdf

System Level Indicators (If successful in exploitation):

Copies itself under C:\Windows\[RandomName].exe

Creates a service named "Google Update Service" by setting the following registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"

HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"

Network Level Indicators:

First Stage Download:
rlmclahore\.com/Resources/Search/1510out[.]exe

Second Stage C2:

Please note that the Domain and IP indicators above were observed during our analysis and the list does not represent all network indicators for this campaign.

We also noted that the network communication is using a certificate with organization name "internet widgits pty ltd".

Recommendations:
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Do not open email attachments from unknown or untrusted sources.
Limit user account privileges to those required only.
Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
Keep all operating system, applications and essential software up to date to mitigate potential exploitation by attackers.
Ensure that systems are hardened with industry-accepted guidelines.
Make sure all AV products are up-to-date with their signatures.
Implement filters at your email gateway for filtering out emails with subject line "Unpaid invoic". [Note the typo]
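One way to implement the gateway filter recommended above, as an added example that is not CIS or MS-ISAC code: it parses a message with Python's standard email package and flags the exact misspelled subject plus the advisory's attachment naming pattern (Invoice<digits>.pdf). The sample message, sender and recipient addresses are constructed for the demonstration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory: the exact (misspelled) subject line
# and the attachment name Invoice621785.pdf, generalised to Invoice<digits>.pdf.
SUBJECT_IOC = "unpaid invoic"
ATTACHMENT_RE = re.compile(r"^invoice\d+\.pdf$", re.IGNORECASE)


def triage_message(raw: bytes) -> dict:
    """Return which campaign indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    hits = {"subject": subject == SUBJECT_IOC, "attachment": None}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits["attachment"] = name
            break
    # Quarantine on either indicator: the typo alone is a strong signal
    # because it does not occur in legitimate invoice mail.
    hits["quarantine"] = hits["subject"] or hits["attachment"] is not None
    return hits


def build_sample(subject: str, attachment_name: str) -> bytes:
    """Constructed sample message (placeholder addresses, not a real artifact)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached invoice.")
    # A few bytes standing in for the PDF body; the exploit itself is not reproduced.
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename=attachment_name)
    return bytes(msg)


if __name__ == "__main__":
    print(triage_message(build_sample("Unpaid invoic", "Invoice621785.pdf")))
    print(triage_message(build_sample("Monthly report", "report.pdf")))
```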


REFERENCES:
PhishLabs:
http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

Center for Internet Security (CIS)
Multi-State Information Sharing & Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
Phone: (518) 266-3485
7x24 SOC: 1-866-787-4722
Email: [log in to unmask]<mailto:[log in to unmask]>


TLP: WHITE
Traffic Light Protocol (TLP): WHITE information may be distributed without restriction, subject to copyright controls.
http://www.us-cert.gov/tlp/
