Palo Alto NetWorks: The return of malicious software outbreaks under the name Envi
In February 2017, Palo Alto Networks detected the development of malicious software called Infy, formerly known as Foudre, which appears to have benefited from and learned from the procedures previously applied by Palo Alto Networks In order to dismantle and redirect their command and control infrastructure.
Fuder's latest software includes new technologies that can avoid and control acquisitions to avoid attempts to redirect its command and control chain, which Palo Alto Networks has achieved in 2016.
In May 2016, the company documented and published its original research results on campaigns using malicious Envi software over a decade. One month after the results were released, Palo Alto Networks provided a detailed explanation of how it acquired the command and control server traffic For attackers and redirect them.
Claudio Guarnieri and Colin Anderson of Black Hat USA provided evidence and evidence in July 2016 that Iran Telecom Company (AS12880) blocked the command and control subdomains that redirect data by manipulating domain name servers DNS, and Hypertext Transfer Protocol (HTTP) filtering, which prevented redirects from accessing the local domain of Iran.
Palo Alto Networks predicts that one of the domains of DGA generated domain naming and registration before the attack. When target users tried to connect to the command and control servers for that domain, they could not recognize Palo AltoTorx domain because they did not have the key assigned to the encryption system However, Palo Alto Networks has been able to map specific target audiences using GeoIP for GeoIP addresses.
The attacks targeted institutions in the United States, Britain, Iraq, Iran, Sweden, Germany, Canada, Azerbaijan and Seychelles. Palo Alto Networks noted that the very few target audiences in this campaign indicated that there were immaterial motives. For example, In the network, which was previously attacked by malicious Envi software, indicating that the attacker was targeting the same specific organization or even the same computer.
Palo Alto Networks, although the RSA key and the inability to communicate with any of the target parties, have detected that by sending an invalid signature file (because there is no system to validate input into the content / size of the signature file ) To the target, and was able to stop the operation of the rundll32 file, which runs the DLL file of the malicious software, allowing the possibility of blocking the spread of infection of this malicious software until the target of the system restart.
The campaign has been active for at least 10 years and has been active for at least 10 years. Palo Alto Networks has documented its operations to disassemble and redirect the command and control infrastructure of the attacker. So, we should not be surprised by the return of malicious Envi code - so that the same malware targets those previously targeted.
Attackers are aware that they need to have a more robust infrastructure for command and control servers to prevent intrusion. Domain-generation algorithms may provide some flexibility in performing this task, but they are not robust enough to not be acquired. However, the use of digital signatures is an effective defense mechanism for command and control servers.
It is impossible, in the absence of access to the assigned keys, to acquire command and control servers even if the range of generation algorithms generated by the researcher, and can save the keys allocated at the local level within the command server and control, but if the server can not access Command and control, we can not confirm this potential vulnerability in the infrastructure.
the source
https://aitnews.com/2017/07/18/ghost...3%D8%AC%D9%87
Fuder's latest software includes new technologies that can avoid and control acquisitions to avoid attempts to redirect its command and control chain, which Palo Alto Networks has achieved in 2016.
In May 2016, the company documented and published its original research results on campaigns using malicious Envi software over a decade. One month after the results were released, Palo Alto Networks provided a detailed explanation of how it acquired the command and control server traffic For attackers and redirect them.
Claudio Guarnieri and Colin Anderson of Black Hat USA provided evidence and evidence in July 2016 that Iran Telecom Company (AS12880) blocked the command and control subdomains that redirect data by manipulating domain name servers DNS, and Hypertext Transfer Protocol (HTTP) filtering, which prevented redirects from accessing the local domain of Iran.
Palo Alto Networks predicts that one of the domains of DGA generated domain naming and registration before the attack. When target users tried to connect to the command and control servers for that domain, they could not recognize Palo AltoTorx domain because they did not have the key assigned to the encryption system However, Palo Alto Networks has been able to map specific target audiences using GeoIP for GeoIP addresses.
The attacks targeted institutions in the United States, Britain, Iraq, Iran, Sweden, Germany, Canada, Azerbaijan and Seychelles. Palo Alto Networks noted that the very few target audiences in this campaign indicated that there were immaterial motives. For example, In the network, which was previously attacked by malicious Envi software, indicating that the attacker was targeting the same specific organization or even the same computer.
Palo Alto Networks, although the RSA key and the inability to communicate with any of the target parties, have detected that by sending an invalid signature file (because there is no system to validate input into the content / size of the signature file ) To the target, and was able to stop the operation of the rundll32 file, which runs the DLL file of the malicious software, allowing the possibility of blocking the spread of infection of this malicious software until the target of the system restart.
The campaign has been active for at least 10 years and has been active for at least 10 years. Palo Alto Networks has documented its operations to disassemble and redirect the command and control infrastructure of the attacker. So, we should not be surprised by the return of malicious Envi code - so that the same malware targets those previously targeted.
Attackers are aware that they need to have a more robust infrastructure for command and control servers to prevent intrusion. Domain-generation algorithms may provide some flexibility in performing this task, but they are not robust enough to not be acquired. However, the use of digital signatures is an effective defense mechanism for command and control servers.
It is impossible, in the absence of access to the assigned keys, to acquire command and control servers even if the range of generation algorithms generated by the researcher, and can save the keys allocated at the local level within the command server and control, but if the server can not access Command and control, we can not confirm this potential vulnerability in the infrastructure.
the source
https://aitnews.com/2017/07/18/ghost...3%D8%AC%D9%87
Comments
Post a Comment