While this malware appears to be highly sophisticated, it still
has a few weaknesses that stem from the automated nature of its behaviour:
1- When the malware finds more than one mailing list, it sends itself
to all of them within a short period of time.
2- The times at which it sends itself appear to be random. It would have
been more convincing had it sent itself during business hours, or spread the
sends out over a longer time frame, so as not to raise suspicion.
3- The email body is short and always identical: “Morning, please see attached and confirm”
“Thank you again!”. The malware could have randomised the body with different
phrases so as not to raise suspicion, especially since it already appears
capable of generating randomised attachments.
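The three weaknesses above are also detection opportunities: a single sender pushing the same short body, with an attachment, to many distinct recipients inside a few minutes at an odd hour. The following is an added example, not code from the original report; it runs over constructed, pipe-delimited mail-server log lines (the format, the example.com addresses and the 08:00-18:00 business-hours window are all assumptions), normalises the body so trivial case and spacing changes still collide, and raises one alert per sender/body pair that crosses the recipient threshold within a sliding time window.

```python
"""Burst detection for the mass-mailing behaviour described above.
Added example with constructed log lines; not the report's own code."""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib

# Constructed mail-server log lines: ts|sender|recipient|subject|body|attachment
SAMPLE_LOG = [
    # Legitimate message from Heather during the working day (one recipient).
    "2019-03-04T09:41:12|heather@example.com|bob@example.com|Budget|Hi Bob, numbers attached, thanks.|budget.xlsx",
    # Burst at 03:12: identical body (modulo case/spacing), randomised attachment names.
    "2019-03-05T03:12:07|heather@example.com|alice@example.com|RE: Q1 invoices|Morning, please see attached and confirm|Doc_88213.doc",
    "2019-03-05T03:12:09|heather@example.com|carol@example.com|RE: Q1 invoices|Morning, please see attached and confirm|Doc_10457.doc",
    "2019-03-05T03:12:15|heather@example.com|dave@example.com|RE: Q1 invoices|Morning,  please see attached and confirm|Doc_77312.doc",
    "2019-03-05T03:13:41|heather@example.com|erin@example.com|RE: Q1 invoices|morning, please see attached and confirm|Doc_20044.doc",
    "2019-03-05T03:15:02|heather@example.com|frank@partner.example|RE: Q1 invoices|Morning, please see attached and confirm|Doc_93018.doc",
    "2019-03-05T03:19:33|heather@example.com|grace@partner.example|RE: Q1 invoices|Morning, please see attached and confirm|Doc_51190.doc",
    # Unrelated traffic that must not alert.
    "2019-03-05T10:02:00|bob@example.com|alice@example.com|Lunch|Same place as last week?|",
]


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, sender, rcpt, subject, body, attachment = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "sender": sender, "rcpt": rcpt,
            "subject": subject, "body": body, "attachment": attachment}


def body_fingerprint(body):
    """Hash of the body after lower-casing and collapsing whitespace, so
    trivial variations of the same template still collide."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


def outside_business_hours(ts, start_hour=8, end_hour=18):
    """True on weekends or outside the 08:00-18:00 window (assumed local time)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def find_bursts(lines, window=timedelta(minutes=10), min_recipients=5):
    """Return one alert per (sender, body fingerprint) whose attachment-bearing
    messages reached at least min_recipients distinct addresses inside window."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    grouped = defaultdict(list)
    for e in events:
        if e["attachment"]:                      # the worm always carries a file
            grouped[(e["sender"], body_fingerprint(e["body"]))].append(e)

    alerts = []
    for (sender, fp), evs in grouped.items():
        best, start = None, 0
        for end in range(len(evs)):              # sliding time window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            rcpts = {e["rcpt"] for e in span}
            if len(rcpts) >= min_recipients and (best is None or len(rcpts) > len(best["recipients"])):
                best = {
                    "sender": sender,
                    "body_fingerprint": fp,
                    "first_seen": span[0]["ts"].isoformat(),
                    "last_seen": span[-1]["ts"].isoformat(),
                    "recipients": sorted(rcpts),
                    "distinct_attachments": len({e["attachment"] for e in span}),
                    "outside_business_hours": outside_business_hours(span[0]["ts"]),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)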
How credentials may have been stolen:
From what we know so far of the malware’s behaviour, the stolen credentials
seem to have been obtained by one of these methods:
Man-in-the-browser attack through a password manager exploit:
Abusing the browser’s password manager is the most likely way the credentials
were stolen. To confirm this, a forensic examination of the infected machine
has to be performed; alternatively, ask Heather whether she used to save the
credentials in the browser’s password manager for quick access to Zimbra.
Password manager exploits are a rising threat and a potential attack vector
for gaining access to company resources.
For more information about password manager abuse, see this
demo page of browser abuse: https://senglehardt.com/demo/no_boundaries/loginmanager/
Keylogging: also a possibility, although if Heather relied on the browser’s
password manager the Zimbra password would have been autofilled rather than
typed, so a keylogger would be unlikely to capture it.
Although this malware is primarily designed to steal money by spreading itself
through active, up-to-date email lists in order to harvest banking credentials,
malicious hackers use it for other purposes as well. Often it is part of
a more complex malware cocktail
that can include rootkits, worms or other malware that enslave a computer to a
If this is becoming a larger trend, it puts even more emphasis
on blocking these attacks at the earliest possible stage, before they have a
chance to take hold and turn victims into unwitting attackers.
Education and awareness remain, to this day, one of the best lines of
defence against phishing attacks. These attacks prey on the inevitability
that someone, somewhere, will click on a link in their mailbox. With an email
that genuinely appears to come from someone the victim works with, because the
malware picks up and replies to a previous email thread, this is an easy attack to fall for.
Steps we could take now to mitigate this threat in the future:
– Disable MS Office macros network-wide, if possible.
– Ensure firewall and mail-filtering rules flag incoming Word documents as potentially dangerous.
– Have email servers block attachments that contain any VBA/macro code.
– Configure endpoint security on workstations to catch malicious attachments.
– Delete all emails that contain the malware attachment from all
recipients’ mailboxes immediately, in order to contain and eradicate the
– Educate our staff. Awareness training is essential, and it can never end.
– Prohibit saving sensitive credentials in all browsers.
– Detect stolen credentials through endpoint monitoring.
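Blocking macro attachments at the mail server is only useful if it looks at content rather than the file extension: a macro-enabled .docm renamed to .doc still opens in Word and still runs its VBA. The following is an added example, not the report's or any product's code, showing a content-based check: OOXML attachments are zip containers whose macro project lives in a vbaProject.bin part, and legacy OLE2 (.doc/.xls) files expose the VBA storage names in their directory entries. The OLE check is a byte-pattern heuristic (a production filter should walk the OLE directory properly); the message, addresses and attachments are all constructed for the example.

```python
"""Content-based check for VBA macros in email attachments, independent of
the file extension.  Added example with constructed attachments; not the
report's code.  Standard library only."""
import email
from email import policy
from email.message import EmailMessage
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # legacy .doc/.xls container
# Directory-entry names that only exist when an OLE file carries a VBA project,
# as they appear in the OLE directory (UTF-16LE, NUL-terminated).  Heuristic:
# a production filter should walk the OLE directory (e.g. with olefile) instead.
OLE_VBA_MARKERS = [n.encode("utf-16-le") + b"\x00\x00" for n in ("_VBA_PROJECT", "VBA", "Macros")]


def contains_macros(data: bytes) -> bool:
    """True if the bytes look like an Office document that embeds VBA."""
    if data.startswith(b"PK\x03\x04"):                    # OOXML is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return False
        # docm/xlsm/pptm store the macro project as <part>/vbaProject.bin;
        # renaming the extension (.docm -> .doc) does not change this.
        return any(n.endswith("vbaproject.bin") for n in names)
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return False


def scan_message(raw: bytes):
    """Parse a raw RFC 822 message and return [(filename, has_macros), ...]
    for every attachment, so a mail server can quarantine on the second field."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append((part.get_filename(), contains_macros(payload)))
    return findings


# --- constructed fixtures ------------------------------------------------------
def build_ooxml(with_macro: bool) -> bytes:
    """Minimal fake OOXML container; real files have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" fake VBA project")
    return buf.getvalue()


# Fake legacy .doc files: OLE magic, padding, then one directory-entry name.
FAKE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00\x00"
FAKE_OLE_CLEAN = OLE_MAGIC + b"\x00" * 24 + "WordDocument".encode("utf-16-le") + b"\x00\x00"


def build_message(attachments) -> bytes:
    """Constructed message in the style of the lure, with the given attachments."""
    msg = EmailMessage()
    msg["From"] = "heather@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "RE: Q1 invoices"
    msg.set_content("Morning, please see attached and confirm")
    for filename, payload in attachments:
        msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_message([("Doc_88213.doc", build_ooxml(True)),      # macro doc renamed to .doc
                         ("budget.docx", build_ooxml(False)),
                         ("old_report.doc", FAKE_OLE_WITH_VBA)])
    for name, bad in scan_message(raw):
        print(f"{name}: {'BLOCK (VBA found)' if bad else 'allow'}")
```

The first attachment in the usage block is the case that defeats extension-based rules: it carries a vbaProject.bin part but is named .doc, and the check still flags it.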