[Slide 1]
NEW WAVE OF ATTACKS IN UKRAINE (2016)
Marina Krotofil, based on materials from Aleksey Yasinskiy
[Slide 2]
Short description
Similarly to last year, the wave of attacks started in July:
• It is hot and everybody is in a careless summer mood
• Embedded macros
• Many people are on vacation, and those who are not are performing the duties of those who are on vacation (and open aaaaall the attachments)
The attacks grew in sophistication (in comparison to 2015):
• New routines added to detect installed security protections on the infected machine
• Improved obfuscation techniques
Similarly to last year, there is a “silence” period:
• Several C&C centers went offline
• No immediate destructive attacks
A new wave of destructive attacks is awaited
[Slide 3]
New wave of infection via spear phishing
July 14, 2016
An angry customer is complaining about financial spam (a scam). He received an email from “Diamantbank” stating that he took out a large loan but did not start paying it back. He now owes the bank a large sum of money and is threatened with legal action against him.
Although the customer understood it was a scam, he OPENED the attachment (and got infected)
[Slide 4]
Discussions on motherhood portals
July 14, 2016
Mothers discussing having received similar financial spam (scam). Although they did realize it was spam, they all opened the attachment first.
[Slide 5]
Structure of embedded macros
[Slide 6]
Analysis of embedded macros
Sandbox and ISP detection routines
[Slide 7]
Anti-spam detection techniques
Malicious code is embedded into romantic lyrics to avoid detection by spam detection algorithms (e.g. those that use the ratio of text to code)
[Slide 8]
Obfuscation techniques
Making the code look like pure noise
[Slide 9]
Obfuscation techniques
Nesting doll: code within the code
These pieces of code eventually assemble into a malicious line of code
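The two evasion tricks described on the last slides, padding the macro with lyrics to skew the text-to-code ratio and building the real string out of small fragments at runtime, can both be surfaced by a static triage pass over the VBA source. The following Python script is an added example written for this transcript; it is not code from the presentation, from ISSP Labs or from the SOC Prime analysis it links to. The macro text it scans is constructed for the example (the variable names p1, p2, p3 and target are made up, and the assembled string is the harmless “MsgBox”), and the 50% padding threshold is an assumed tuning value. The script measures what fraction of non-blank lines are comments, and it statically folds `&` concatenations of literals, `Chr()` calls and previously assigned names so the analyst sees the assembled string without executing the macro.

```python
import re

# Constructed sample macro (not from the presentation): comment lines of a
# nursery rhyme pad the file, and the string "MsgBox" exists only as fragments
# that are joined at runtime. Names p1, p2, p3 and target are made up.
SAMPLE_MACRO = """\
' Twinkle, twinkle, little star,
' How I wonder what you are!
' Up above the world so high,
' Like a diamond in the sky.
' When the blazing sun is gone,
' When he nothing shines upon,
' Then you show your little light,
' Twinkle, twinkle, all the night.
' Twinkle, twinkle, little star,
' How I wonder what you are!
Sub AutoOpen()
    Dim p1 As String, p2 As String, p3 As String
    p1 = "Ms"
    p2 = "g" & "B"
    p3 = "o" & Chr(120)
    Dim target As String
    target = p1 & p2 & p3
    Debug.Print target
End Sub
"""

# VBA comment line: apostrophe or the Rem keyword.
COMMENT_RE = re.compile(r"^\s*(?:'|Rem\b)", re.IGNORECASE)
# One operand of a string concatenation: a literal, a Chr() call or a name.
OPERAND = r'"(?:[^"]|"")*"|Chr\(\d+\)|[A-Za-z_]\w*'
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
CONCAT_RE = re.compile(rf"^(?:{OPERAND})(?:\s*&\s*(?:{OPERAND}))*$", re.IGNORECASE)
OPERAND_RE = re.compile(OPERAND, re.IGNORECASE)


def comment_ratio(macro):
    """Fraction of non-blank lines that are comments (lyrics padding shows up here)."""
    lines = [l for l in macro.splitlines() if l.strip()]
    if not lines:
        return 0.0
    return sum(1 for l in lines if COMMENT_RE.match(l)) / len(lines)


def _resolve(token, env):
    """Statically evaluate one operand; None if it is not a known string."""
    if token.startswith('"'):
        return token[1:-1].replace('""', '"')
    if token.lower().startswith("chr("):
        return chr(int(token[4:-1]))
    return env.get(token.lower())


def reassemble_strings(macro):
    """Fold `x = a & "b" & Chr(n)` chains without running the macro.

    Returns (all resolved string variables, only those built from 2+ pieces).
    """
    env, assembled = {}, {}
    for line in macro.splitlines():
        if COMMENT_RE.match(line):
            continue
        m = ASSIGN_RE.match(line)
        if not m or not CONCAT_RE.match(m.group(2)):
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        operands = OPERAND_RE.findall(rhs)
        values = [_resolve(tok, env) for tok in operands]
        if any(v is None for v in values):
            continue  # refers to something we cannot resolve statically
        env[name] = "".join(values)
        if len(operands) > 1:
            assembled[name] = env[name]
    return env, assembled


def scan_macro(macro, padding_threshold=0.5):
    """Triage verdict: comment padding ratio plus every runtime-assembled string."""
    ratio = comment_ratio(macro)
    _, assembled = reassemble_strings(macro)
    findings = []
    if ratio >= padding_threshold:  # assumed threshold, tune per corpus
        findings.append(f"possible text padding: {ratio:.0%} of non-blank lines are comments")
    for name, value in assembled.items():
        findings.append(f"string assembled at runtime: {name} = {value!r}")
    return {"comment_ratio": ratio, "assembled": assembled, "findings": findings}


if __name__ == "__main__":
    for finding in scan_macro(SAMPLE_MACRO)["findings"]:
        print(finding)
```

On the constructed sample the scan reports that 53% of the lines are comments and that `p2`, `p3` and `target` are only assembled at runtime, with `target` folding to `MsgBox`. The folding is deliberately conservative: any chain that references a name the script has not seen resolves to nothing rather than to a guess, so a reported value is one the analyst can trust.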
[Slide 10]
False alarm
A legitimate security application behaving like malware. It drew attention during inspection of the machine but turned out to be a false alarm. Ugh. Annoying.
[Slide 11]
Afterword
There is a theory that Ukraine is used, among other countries, as a playground for testing new attack strategies and techniques
• The purpose of the infection is currently still unclear
• Malware is becoming more intelligent and more aware of its environment
• About 1 month after infection it is very hard to detect the malware on the infected machine
For more information about attacks in Ukraine see
• Analysis of embedded macros: https://socprime.com/en/blog/infrastructure-infiltration-via-rtf/
• Analysis of other malicious activities: https://socprime.com/en/blog/
Aleksey Yasinskiy: Head of ISSP Labs & Research Center, @Aleksey_yas; https://
Marina Krotofil: Lead Security Researcher at Honeywell Industrial Cyber Security Lab, @marmusha
Opinions are our own