PROTECT vs. the Real World: Dyre

A large Financial Services customer of ours, based in NYC, has weekly examples of how CylancePROTECT is finding and stopping advanced malware and targeted attacks which bypass every technology layer they have in place including FireEye, McAfee, MessageLabs, Sourcefire, Palo Alto Networks and Bluecoat, just to name a few. This is their story in their own words.


<begin_story>

On Tuesday, January 13th the Service Desk was forwarded a suspicious e-mail from an employee who had received it minutes earlier. Following standard protocol, the Service Desk forwarded the message to the Security Incident Response Team (SIRT) for review, noting that multiple users had reported the e-mail. Initial investigation with our messaging provider revealed that 156 e-mails with the same subject line “Important – New Outlook Settings” had been sent to the firm. These e-mails were sent from a variety of MTA servers and included a variety of URLs, so 69 were blocked by anti-spam technology and 87 were forwarded to the firm’s e-mail servers.

As the SIRT continued to investigate by opening the URLs in a secure environment, we learned that binaries were downloaded and not identified as malicious by web malware detection technology. That tool did identify the actions taken and the behavior of the binary; however, it did not flag it as malicious.

The SIRT detonated the initial binary in a sandbox to identify the inner workings of this potentially malicious executable. After the initial dropper, “outlook_setting_pdf.exe” [067D20F630FEE8EFEBD9DB89D893B19A], two other files were dropped, and finally the actual payload, “hgdwjhlsfvcmvne.exe” [789B94E94C2793266FE673C578FD8C1B].

[Image: dyre-1]

Signature-based anti-virus failed to detect the payload as malicious. Cylance detected both the dropper and the final payload as malicious with a score of 100.

[Image: dyre-2]

Open source intelligence led the SIRT to believe that this could have been cryptomalware with the capability to encrypt a user’s folders and data. Given that, a decision was made to push Cylance as a prophylactic measure to any host that we could confirm had received the e-mail. After removing duplicates and disabled e-mail accounts from the list of 87, the SIRT determined that the e-mail could have been in a user’s Inbox on 24 hosts and immediately deployed Cylance to them.

After evaluating the payload and correlating with threat intelligence, the SIRT concluded that this was a drive-by/commodity malware campaign with a variant of Dyre malware. The payload was static and associated with the lure, indicating that the firm was not being targeted. However, the payload was new, indicating that the exploit kit used to generate it was likely a new version.

The end result of this investigation is reinforcement that, had Cylance been installed on these hosts from the beginning, the product would have protected our users, allowing the SIRT to focus on understanding the malware and attribution without racing the clock against a confirmed infection.

</end_story>
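The triage the customer describes (pull the message trace for the lure subject, split blocked from delivered, collapse duplicate recipients, drop disabled accounts, map what is left to hosts, and keep the sample hashes for matching) is mechanical enough to script. The block below is an added example written for this page; it is not the customer's or Cylance's code. The subject line and the two MD5 values are the ones quoted in the story; the message-trace CSV columns, the `SAMPLE_TRACE` rows, the `DISABLED_ACCOUNTS` set and the `MAILBOX_TO_HOSTS` mapping are constructed assumptions for illustration.

```python
"""Triage helper for a mass-mailed lure like the one in the story above.

Added example, not the customer's or Cylance's code. The message-trace
format, disabled-account list and mailbox-to-host mapping are assumptions
constructed for illustration; the subject line and the two MD5 hashes are
the ones quoted in the write-up.
"""
import csv
import hashlib
import io
from collections import Counter

# Indicators quoted in the story (MD5, lowercased so comparisons are case-safe).
KNOWN_BAD_MD5 = {
    "067d20f630fee8efebd9db89d893b19a",  # outlook_setting_pdf.exe (dropper)
    "789b94e94c2793266fe673c578fd8c1b",  # hgdwjhlsfvcmvne.exe (final payload)
}
LURE_SUBJECT = "Important – New Outlook Settings"

# Constructed message-trace export with assumed columns; not real data.
SAMPLE_TRACE = """\
timestamp,sender_ip,recipient,subject,action
2015-01-13T09:01:02,203.0.113.10,alice@example.com,Important – New Outlook Settings,delivered
2015-01-13T09:01:05,198.51.100.7,bob@example.com,Important – New Outlook Settings,blocked_spam
2015-01-13T09:01:09,203.0.113.22,alice@example.com,Important – New Outlook Settings,delivered
2015-01-13T09:01:14,192.0.2.45,carol@example.com,Important – New Outlook Settings,delivered
2015-01-13T09:02:00,192.0.2.45,dave@example.com,Weekly report,delivered
2015-01-13T09:02:31,198.51.100.7,erin@example.com,Important – New Outlook Settings,delivered
"""

# Assumed directory data: disabled mailboxes, and which hosts each user logs into.
DISABLED_ACCOUNTS = {"erin@example.com"}
MAILBOX_TO_HOSTS = {
    "alice@example.com": {"WS-ALICE-01"},
    "carol@example.com": {"WS-CAROL-01", "LT-CAROL-02"},
}


def summarize_trace(trace_text, subject=LURE_SUBJECT):
    """Count lure messages by final action (e.g. blocked_spam vs delivered)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(trace_text)):
        if row["subject"] == subject:
            counts[row["action"]] += 1
    return dict(counts)


def delivered_recipients(trace_text, subject=LURE_SUBJECT):
    """Unique mailboxes that actually received the lure (duplicates collapsed)."""
    return {
        row["recipient"]
        for row in csv.DictReader(io.StringIO(trace_text))
        if row["subject"] == subject and row["action"] == "delivered"
    }


def hosts_to_protect(trace_text, disabled=DISABLED_ACCOUNTS, mapping=MAILBOX_TO_HOSTS):
    """Hosts where the lure could still sit in an active user's inbox.

    Mirrors the story's reduction from delivered messages to a host list:
    drop duplicates, drop disabled accounts, then map mailbox -> hosts.
    """
    active = delivered_recipients(trace_text) - disabled
    hosts = set()
    for mailbox in sorted(active):
        hosts |= mapping.get(mailbox, set())
    return sorted(hosts)


def md5_of_file(path):
    """Stream a file through MD5 so large binaries need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_hash(hexdigest, bad_hashes=KNOWN_BAD_MD5):
    """True if an MD5 (any case) matches one of the hashes quoted in the story."""
    return hexdigest.strip().lower() in bad_hashes


def is_known_sample(path, bad_hashes=KNOWN_BAD_MD5):
    """Hash a file on disk and check it against the quoted indicators."""
    return is_known_hash(md5_of_file(path), bad_hashes)


if __name__ == "__main__":
    print(summarize_trace(SAMPLE_TRACE))
    print(hosts_to_protect(SAMPLE_TRACE))
```

Two caveats a responder should keep in mind. A matching MD5 confirms a file is one of the samples already analyzed; a non-match proves nothing, since a recompiled dropper changes the hash without changing behavior, which is exactly why the signature-based AV in the story missed the payload. And the host list is only as good as the mailbox-to-host mapping: users with mail on phones, shared mailboxes, or cached OST files on secondary machines all widen the set of hosts that need attention.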

Cylance customers see how we protect people every day. Want to understand how we do it? And talk to the customer in this story? Let us know.