One Article Review

Home - The article:
Source BAE
Identifier 352313
Publication date 2017-03-06 12:14:07 (viewed: 2017-03-06 12:14:07)
Title A Bumper Harvest - Cryptolocker Address Book Theft
Text

Image: close-up of email addresses in an email.

Written by: Steve Barnes, Cyber research

Attackers use social engineering to exploit trust. An end user is more likely to open a malicious attachment or click a link if it appears to come from a trusted source. Your email client (e.g. Outlook, Thunderbird) maintains a "trust map" in the form of a contact database, aka address book.

Microsoft Outlook provides the Personal Address Book, Suggested Contacts and, in Exchange environments, the Global Address List (GAL). The GAL typically holds contact information for employees, business partners, external contacts and distribution groups.

The Cryptolocker sample discussed on the Heimdal Security Blog piqued our interest, particularly the observations relating to theft of address book content. Our analysis focused on code paths that interact with Microsoft Outlook and the Windows Address Book. Let's take a closer look.

Sample information:
MD5: 9800562e50cbe9afa1b8d4f9a84eb089
SHA1: bba4d156b630ff4d7333f572b0d7fb034af2c10f
SHA256: 30ef75ebbbc7c27500dcbbf1db1aaab35be6a8e72e60a7a0ca91a621e4f62e6a
Compilation: 2007-08-28 11:12:19
Size: 661022 Bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Following execution and a common "spawn, inject, resume, terminate" prolog, a second instance of Windows Explorer is launched:

Image: snapshot of parent-child Cryptolocker processes.

This new explorer.exe process contains a code page implanted by its parent that is responsible for establishing persistence via the Windows Registry, communicating with the attacker's servers, locating and encrypting files, displaying ransom payment instructions and harvesting contact information.

Harvesting of Outlook contacts is performed using MAPI via COM, starting with calls to MAPIInitialize and MAPILogonEx. The call to MAPILogonEx will silently fail if Outlook isn't running at the time, since the profile name and password arguments are both set to NULL. If this happens, the harvesting thread will sleep for 3 seconds and try again, repeating indefinitely. Cryptolocker does not use (or need) valid credentials, since it can piggyback on the shared session established by Outlook on behalf of the logged-on user.

Once the call to MAPILogonEx succeeds, execution continues along the following path:
• IMAPISession::OpenAddressBook - returns containers for all address books in the
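The process-tree observation above (a second explorer.exe instance spawned by the malware's own parent process) is something a defender can hunt for in process-creation telemetry. The following detection logic is an added example, not code from the article or from BAE: it runs over constructed process-creation events (the shape of Sysmon event ID 1 fields), flags explorer.exe launches whose parent is not one of the expected shell launchers, and flags a second explorer.exe appearing while the user's shell is already running. The set of expected parents is an assumption to tune per environment.

```python
"""Flag explorer.exe launches that do not match the normal logon shell start.

Constructed events only; field names mirror Sysmon event ID 1 (Image,
ParentImage, ProcessId, ParentProcessId) but this is not a Sysmon parser.
"""
from dataclasses import dataclass

# Assumption: on a workstation the shell is normally started by userinit.exe
# at logon (or relaunched by winlogon.exe / explorer.exe itself). Tune this.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str          # file name of the created process
    parent_pid: int
    parent_image: str   # file name of the creating process


def suspicious_explorer_launches(events):
    """Return [(pid, [reasons])] for explorer.exe creations that look
    like the injected second instance described in the article."""
    findings = []
    live_explorers = 0          # count of explorer.exe seen so far (single session assumed)
    for ev in events:
        if ev.image.lower() != "explorer.exe":
            continue
        reasons = []
        if ev.parent_image.lower() not in EXPECTED_EXPLORER_PARENTS:
            reasons.append(f"unexpected parent {ev.parent_image} (pid {ev.parent_pid})")
        if live_explorers >= 1:
            reasons.append("second explorer.exe instance while shell already running")
        live_explorers += 1
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


# Constructed sample: normal logon shell, then a dropper (hypothetical name
# invoice.exe) opened from the shell that spawns its own explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(1000, "userinit.exe", 900, "winlogon.exe"),
    ProcEvent(1200, "explorer.exe", 1000, "userinit.exe"),
    ProcEvent(4000, "invoice.exe", 1200, "explorer.exe"),
    ProcEvent(4100, "explorer.exe", 4000, "invoice.exe"),
]

if __name__ == "__main__":
    for pid, reasons in suspicious_explorer_launches(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```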
Sent Yes


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.