A couple of days ago, we had an email outbreak on our network, and it all started from a phishing email with a malware file attached.
After some research, the email seems to have gone viral and is currently affecting the whole UK, according to ESET Virus Radar.
Brief explanation of how it works
The fake emails are sent from the infected computer through Microsoft Outlook: the malware drives Outlook and walks its address book to send everyone a fake email carrying an attachment that contains the malicious file.
The email has the subject "FW: Daily Report", an attached file named "F44907162.zip" and the message "Please review the attached document". On the other end, the screenshot below shows what the recipients received.
MX Lab (http://www.mxlab.eu) recently posted a similar case.
The recipients opened the .ZIP file and this is what they saw: a file "F44907162.src", a screen-saver-type file, inside the ZIP attachment. As you can see, the file is not a document or any other viewable Word format.
Yet the recipients went ahead and opened it. The anti-virus software was not able to detect and quarantine it, as the malware had only just been developed and most anti-virus vendors had not yet updated their virus definitions.
For more info: Cisco has identified and listed the threat in its outbreak alert database.
How did the email outbreak start? - Phishing Email
Assume one of the users receives the email. Seeing the subject, the user generally assumes it is a new report that needs reviewing, opens the email and reads the message asking them to review the attached file; document files are commonly attached to emails whose subject mentions a "report" of some sort. Users do not hesitate to open the attachment, because they know the email was sent from a "trusted" colleague and not from a randomly generated address. So they download the attachment and open it; the file appears to do nothing, but silently modifies some of the system files on the computer.
That is how the email outbreak started: one to hundreds, and hundreds to thousands if you are in a large network... Luckily, it only affects users who lack awareness of phishing emails, and only a few people on the network caught the malware.
A great Monday morning started with an email outbreak, identifying the malware (read Part 2 for the malware analysis) and applying resolutions to the problems.
Resolutions and Best Practices
You know the email outbreak is getting serious when you get non-stop calls from colleagues asking why they have so many undeliverable emails and why they keep receiving the same "FW: Daily Report" email from other colleagues.
a. Emergency Prevention - Stopping the malware from spreading even further
First things first: shut down Microsoft Outlook to stop further emails from being sent out.
Second, unplug the network cable from the infected computer.
Falcon IT Services has detailed how to block .zip files on an Exchange server, which means all those fake emails get filtered out immediately, stopping them from reaching recipients.
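Blocking every .zip outright also stops legitimate archives, so a mail gateway can instead look inside the archive and reject only those that hide an executable. The script below is an added example (not from this post, Falcon IT Services or Exchange) that parses a raw message with Python's standard library, unpacks each .zip attachment in memory and flags members with executable extensions; it builds a constructed sample using the subject and attachment name described above, with a harmless placeholder standing in for the .scr screen-saver executable.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click; a .scr "screen saver"
# is an ordinary executable despite the name.
EXECUTABLE_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def risky_entries(zip_bytes):
    """Return member names inside a zip that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a zip at all; nothing to unpack


def scan_message(raw_bytes):
    """Parse an RFC 822 message; return [(attachment name, [risky members])]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            bad = risky_entries(part.get_payload(decode=True) or b"")
            if bad:
                findings.append((name, bad))
    return findings


def build_sample():
    """Constructed message mimicking the outbreak email; zip member is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("F44907162.scr", b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "FW: Daily Report"
    msg["From"] = "colleague@example.com"  # hypothetical sender
    msg["To"] = "you@example.com"          # hypothetical recipient
    msg.set_content("Please review the attached document")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="F44907162.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` returns `[("F44907162.zip", ["F44907162.scr"])]`, while a zip holding only documents returns an empty list and would be allowed through.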
b. Virus/Malware Removal - Fire up the anti-virus software to scan; in our case the AV software did not pick up anything, so next try Malwarebytes (the free version will do the job) to scan the user's computer for malware. Try a quick scan first with both the AV and the anti-malware software; if that does not pick anything up, run a full system scan.
The results were wonderful: Malwarebytes was able to pick up the nasty malware!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\csc (Spyware.Password) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleUpdate (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\csc.sys (Spyware.Password) -> Quarantined and deleted successfully.
c. Training - Now that we have stopped and cleaned the malware off the computers, the next step is to educate employees and provide training to increase their awareness of phishing emails and basic IT security.
d. Strengthening the Security - Active Directory Group Policies (restricting which files users are allowed to execute), and perhaps a different vendor for the anti-virus and anti-malware software or firewall filter.