Dtex Systems Threat Advisory: New Malware Variants Spreading Through Network-Connected Endpoints

Today, Dtex released a new Dtex Systems Threat Advisory. The Dtex User Behavior Intelligence Platform has observed a variant of the PinkSlipBot worm that was sophisticated enough to evade the malware detection tools of traditional anti-malware providers, including FireEye, McAfee and Palo Alto Networks. Malware of this kind can steal credentials, move laterally over network shares, download files and update itself from a command-and-control (C&C) server.

Dtex analysts initially observed that the malware mimicked a decade-old threat; further analysis confirmed that it was indeed PinkSlipBot, based on reads from a directory path named PSlip on the compromised devices.

Malware Profiling

The Dtex analytics platform first profiled this malware from the C&C beaconing behavior of explorer.exe. More than 100 distinct outbound IP addresses were associated with explorer.exe on the infected devices, which the platform flagged as anomalous for those devices relative to their normal behavior.

Dtex also detected and alerted on a Windows Task Scheduler job that was being created and executed repeatedly, once every hour, and found that this pattern was unique to the infected devices. The scheduled command launched a JavaScript file, as shown below:
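The two profiling signals described above (a process whose outbound fan-out is far above the fleet baseline, and a recurring scheduled task that runs a .js file through a script host) can be expressed as simple checks over endpoint telemetry. The following is an added example written for this advisory, not Dtex's platform code: the telemetry records, host names, paths, thresholds (`min_ips`, `ratio`, `max_period_minutes`) and the task names are all constructed for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real Dtex data). One record per outbound
# connection: (host, process image name, destination IP).
NET_EVENTS = [
    ("ws-01", "explorer.exe", "203.0.113.10"),
    ("ws-01", "explorer.exe", "203.0.113.11"),
    ("ws-03", "explorer.exe", "203.0.113.10"),
]
# On ws-02, explorer.exe beacons to 120 distinct addresses: the anomaly.
NET_EVENTS += [("ws-02", "explorer.exe", f"198.51.100.{i}") for i in range(1, 121)]
# A browser legitimately talks to many hosts on every machine; the fleet
# baseline must absorb that so it is not reported.
NET_EVENTS += [(h, "chrome.exe", f"192.0.2.{i}")
               for h in ("ws-01", "ws-02", "ws-03") for i in range(1, 61)]

# Constructed scheduled-task creation records, in the shape an EDR or Task
# Scheduler audit log would expose. repeat_minutes is None for one-shot triggers.
TASK_EVENTS = [
    {"host": "ws-01", "task": "OneDrive Standalone Update Task",
     "action": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "args": "", "repeat_minutes": 1440},
    {"host": "ws-02", "task": "Updater",
     "action": r"C:\Windows\System32\wscript.exe",
     "args": r"C:\Users\bob\AppData\Roaming\abcdef12.js", "repeat_minutes": 60},
    {"host": "ws-03", "task": "Map drives",
     "action": r"C:\Windows\System32\cscript.exe",
     "args": r"\\fileserver\netlogon\map.vbs", "repeat_minutes": None},
]

def fanout_anomalies(events, min_ips=20, ratio=10):
    """Return (host, process, distinct_destination_count) for host/process pairs
    whose outbound fan-out is far above the fleet's median for that process.
    min_ips and ratio are illustrative thresholds, not values from the advisory."""
    dests = defaultdict(set)
    for host, proc, ip in events:
        dests[(host, proc)].add(ip)
    per_proc = defaultdict(dict)            # process -> {host: distinct IP count}
    for (host, proc), ips in dests.items():
        per_proc[proc][host] = len(ips)
    hits = []
    for proc, counts in per_proc.items():
        # The baseline is what the same image does on other hosts, so a
        # process that is chatty everywhere (a browser) is not an anomaly.
        baseline = statistics.median(counts.values())
        threshold = max(min_ips, ratio * baseline)
        hits += [(host, proc, n) for host, n in counts.items() if n > threshold]
    return sorted(hits)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_ARG = re.compile(r"\.js\b", re.IGNORECASE)

def suspicious_tasks(events, max_period_minutes=60):
    """Return (host, task name) for scheduled tasks that launch a Windows Script
    Host with a .js file on a trigger repeating at least every max_period_minutes."""
    hits = []
    for ev in events:
        exe = ev["action"].rsplit("\\", 1)[-1].lower()
        period = ev["repeat_minutes"]
        repeating = period is not None and period <= max_period_minutes
        if exe in SCRIPT_HOSTS and JS_ARG.search(ev["args"]) and repeating:
            hits.append((ev["host"], ev["task"]))
    return hits

if __name__ == "__main__":
    for host, proc, n in fanout_anomalies(NET_EVENTS):
        print(f"fan-out anomaly: {proc} on {host} reached {n} distinct addresses")
    for host, task in suspicious_tasks(TASK_EVENTS):
        print(f"suspicious task: '{task}' on {host}")
```

The fan-out check deliberately compares a process against the same image on other hosts rather than against a fixed number, which is what keeps a browser with sixty destinations on every machine out of the alert while a shell process with a hundred is flagged. The task check is a signature for the specific persistence seen here and should sit alongside, not replace, a prevalence check on task names that appear on only a handful of hosts.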

These alerts gave the SOC analysts a starting point for examining the infected machines and working out the details of the malware.

Malware Behavior

Dtex’s User Behavior Intelligence also observed the following malware behavior:

Lateral Movement

The malware moved laterally from infected devices to other devices via the C$ administrative share. Each infected device created an executable with a random file name on the share of its target. On the not-yet-infected target this appeared as an anomalous file create attributed to ntoskrnl.exe, because a write arriving over SMB is carried out by the kernel's SMB server in the System process rather than by a local user process.
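The lateral-movement pattern above has a distinctive shape on the receiving host: an executable with a machine-generated name is created by ntoskrnl.exe moments after an admin-share session is opened from another machine. As an added example (not Dtex's detection logic; the session and file records, host names, account names, paths, the 30-second window and the name-randomness heuristic are all constructed here for illustration), the following correlates those two record types, scores the file name, and derives the spread map that tells responders which hosts seeded the most others.

```python
import math
import re
from collections import defaultdict

# Constructed sample telemetry (not real Dtex data); times are seconds.
# SMB session record as seen on the target: (time, target, source, account, share)
SMB_SESSIONS = [
    (100, "ws-07", "ws-02", "CORP\\svc_deploy", "C$"),
    (105, "ws-09", "ws-02", "CORP\\svc_deploy", "C$"),
    (400, "ws-11", "ws-07", "CORP\\svc_deploy", "C$"),
    (900, "fs-01", "ws-04", "CORP\\alice", "Projects"),   # ordinary share use
]
# File-create record as seen on the host where the file lands:
# (time, host, creating process image, path)
FILE_CREATES = [
    (103, "ws-07", "ntoskrnl.exe", r"C:\Windows\k3x9qz7w.exe"),
    (108, "ws-09", "ntoskrnl.exe", r"C:\Users\Public\p0v2mdt.exe"),
    (404, "ws-11", "ntoskrnl.exe", r"C:\Windows\Temp\zq81ffyl.exe"),
    (905, "fs-01", "ntoskrnl.exe", r"D:\Projects\budget_2017.xlsx"),  # remote write, not a binary
    (950, "ws-07", "msiexec.exe", r"C:\Program Files\Tool\setup.exe"),  # local install
]

ADMIN_SHARE = re.compile(r"^(?:[A-Za-z]\$|ADMIN\$)$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr")
WINDOW = 30   # seconds between session open and file create; illustrative

def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(filename):
    """Heuristic for machine-generated names: a plain alphanumeric stem of six
    or more characters that mixes letters and digits or has high entropy."""
    stem = filename.rsplit(".", 1)[0].lower()
    if not re.fullmatch(r"[a-z0-9]{6,}", stem):
        return False
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    return mixed or shannon_entropy(stem) >= 3.0

def remote_admin_share_drops(sessions, creates, window=WINDOW):
    """Correlate executables created by the kernel (an SMB write is performed
    by the System process, whose image is ntoskrnl.exe) with an admin-share
    session opened from another host shortly before."""
    hits = []
    for t, host, proc, path in creates:
        name = path.rsplit("\\", 1)[-1]
        if proc.lower() != "ntoskrnl.exe" or not name.lower().endswith(EXEC_EXT):
            continue
        for st, target, source, account, share in sessions:
            if target == host and ADMIN_SHARE.match(share) and 0 <= t - st <= window:
                hits.append({"target": host, "source": source, "account": account,
                             "path": path, "random_name": looks_random(name)})
    return hits

def spread_map(hits):
    """source host -> sorted list of hosts it pushed a binary to."""
    m = defaultdict(set)
    for h in hits:
        m[h["source"]].add(h["target"])
    return {s: sorted(t) for s, t in m.items()}

def isolation_order(hits):
    """Hosts to cut off first: those that have seeded the most others."""
    m = spread_map(hits)
    return sorted(m, key=lambda s: (-len(m[s]), s))

if __name__ == "__main__":
    hits = remote_admin_share_drops(SMB_SESSIONS, FILE_CREATES)
    for h in hits:
        print(f"{h['source']} -> {h['target']} wrote {h['path']} as {h['account']}"
              f" (random name: {h['random_name']})")
    print("isolate first:", isolation_order(hits))
```

The account field matters as much as the host pair: the same account appearing in every admin-share session is the credential the worm stole, and it is what needs resetting once the source hosts are isolated. The name heuristic is a secondary signal only; a benign deployment tool writing `setup.exe` through C$ would still surface from the correlation, and the `random_name` flag is what separates the two cases for the analyst.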

Exfiltration

In addition to the C$ share activity, Dtex detected OneDrive.exe being spawned as a background task, with randomly named files uploaded to and downloaded from OneDrive. Dtex analysts believe this gives the malware an exfiltration channel that existing security controls would not typically block, because traffic to a sanctioned cloud storage service looks legitimate. This poses an especially dangerous risk to enterprises.

Solution

Companies affected by this strain should isolate the infected endpoints immediately. The goal is to stop the worm from spreading as quickly as possible, which means cutting off every means of lateral movement, starting with SMB access to and from the infected hosts; because the malware steals credentials, any account that was used on those hosts should be treated as compromised and reset. It is also important that ordinary domain user accounts are not granted local administrative rights on each device, since administrative rights on the remote machine are exactly what allow a write to its C$ share.

It is also critical that security teams have behavioral anomaly detection in place to catch unknown threats before they can spread and potentially cripple a large portion of the corporate network.

General Advisory

The appearance of this new strain points to a larger, more dangerous trend. This PinkSlipBot variant is just one of several malware strains that Dtex analysts have seen over the past two weeks, all of which are able to bypass traditional anti-malware solutions. WannaCry is another example, and one whose impact on the victim can be devastating.

Given the recent alerts about ransomware attacks across Europe, it is worth noting that while different malware strains use different techniques to extract value from a victim, the behaviors observed in these sophisticated attacks share many parallels:

- Infiltration typically begins by compromising a single account, predominantly via phishing, a malicious website or an already-present malicious application.
- The infection then spreads laterally across the corporate network, via compromised accounts or known vulnerabilities in file-sharing services such as SMB (see the MS17-010 advisory), often dropping files with randomized names.
- Direct attempts are made to disable corporate security defenses (such as endpoint AV, DLP and anti-malware) to avoid detection and improve persistence.
- Common file sharing services (e.g. Dropbox, OneDrive) are used to move data outside the organization.

The important point in the face of these attacks is that malware is evolving significantly, often faster than traditional security tools. Blacklisting malware by hash is no longer enough: a recompiled or repacked sample has a new hash, and these programs are changing and growing at an alarming rate.

Dtex analysts have long asserted that credential theft (and by extension, malware infiltration) is a form of insider threat. This is a shift from traditional thinking, but these recent attacks highlight exactly why it is necessary: modern malware presents itself as a user on the network, by controlling a user's account and acting as that user in your systems. As a result, the fastest way to detect these unknown unknowns is to recognize and alert on unusual user behavior.

There is another layer to the recent malware attacks that links back to the insider threat: the ransomware attacks across Europe have been tied to a stolen NSA tool. How that tool fell into the hands of malicious hackers has not been confirmed, but it is hard to ignore the possibility that insider involvement played a part.

Protection against tomorrow's attacks, whether malware or other insider threats, lies in the ability of enterprises, security teams and technology leaders to sharpen their detection of anomalous user behavior.