Common Malware Analysis and Threat Detection
Over the past few weeks the J2 CSC malware and threat analysis team has seen multiple methods used to introduce malicious content, exploits and phishing across our customer base, all of which were detected and stopped with the tools at our disposal.
For email, the top attack types detected are phishing and malware. The largest category is mail carrying malicious phishing content. Other threats included the common PDFDown-N attachments: these try to steal your login credentials by prompting you to enter confidential information when you open what appears to be a harmless PDF. It has been interesting to see RTF exploits being detected at the gateway. These exploits leverage vulnerabilities in unpatched versions of Office and execute a payload when the RTF file is opened in Microsoft Word. Note that Word identifies an RTF file by its content, not its extension, so an RTF exploit renamed to .doc opens just the same; the extension is no protection.
“A payload is the part of the private user text which could also contain malware such as worms or viruses which perform the malicious action such as deleting data, sending spam or encrypting data”
Monitoring and analysis of the endpoint and internet security protection systems has had the team detecting numerous threats. Among those we find interesting are advanced browser-based threats and coinminers. These threats are quarantined and blocked before any malicious activity can take place on the system. We also detected numerous websites containing ads or click-bait content that link to phishing sites; following these links can lead you to unwanted, compromised and malicious sites.
Our team has seen growth in coinminers. Without the right tools these would not be quarantined, and there has been a steady increase in detections in recent weeks. Coinminer malware is designed to install silently and consume your system's resources to mine cryptocurrency for its operator; the usual tell on an unprotected machine is sustained high CPU or GPU usage with no matching user activity.
A Few Technical Recommendations
- Make sure you are inspecting all inbound email for malware and viruses at your mail gateway, long before it reaches an inbox or archive. Messages carrying these infections should be rejected at the gateway; you should never risk them reaching your mail server or, worse, the endpoint.
- Inspect all traffic on mobile devices, all the time. When mobile devices leave the corporate network their internet security protection should go with them: inspecting internet traffic outside your protected corporate network is just as important as inspecting it inside.
- Review your endpoints' rights and permissions. Administrative permissions on endpoints should be restricted so that only administrators and authorized personnel can install software and elevate privileges.
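The two attachment types called out above (credential-phishing PDFs and Office-exploit RTFs) are exactly what the first recommendation wants stopped at the gateway. The following is an added example, not J2 CSC tooling or code from this post: a small Python triage step a gateway could run over a parsed message, identifying attachments by their leading bytes rather than the attacker-controlled filename or Content-Type, flagging RTF control words that embed OLE objects, and flagging PDF actions that run code, open URLs or submit forms. The sample message, its addresses and the inert attachment contents are constructed for the demonstration; the indicator lists are heuristics a practitioner would tune, not a replacement for AV or sandbox detonation.

```python
"""Gateway-side triage of RTF and PDF attachments (added example, not J2 CSC tooling)."""
import email
import re
from email import policy
from email.message import EmailMessage

# RTF control words that introduce embedded OLE objects. Benign documents rarely
# need them; the Office exploit RTFs described in the post depend on them.
RTF_INDICATORS = (b"\\objdata", b"\\objupdate", b"\\objclass", b"\\objemb", b"\\objautlink")

# PDF name objects that trigger code, external fetches or form submission on open:
# the hooks a credential-harvesting PDF uses to redirect or prompt the reader.
PDF_ACTIONS = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|SubmitForm)\b")
# Compressed object streams hide those names from a plain substring scan, so a
# real gateway must inflate them (or detonate the file) before trusting a clean result.
PDF_OPAQUE = re.compile(rb"/(FlateDecode|ObjStm)\b")


def rtf_findings(data, ext):
    found = [ind.decode() for ind in RTF_INDICATORS if ind in data]
    # Word opens RTF content regardless of extension, so an RTF body delivered
    # as .doc/.docx is itself a signal.
    if ext != "rtf":
        found.append("rtf-content-with-." + ext + "-extension")
    return found


def pdf_findings(data):
    found = sorted({"/" + m.decode() for m in PDF_ACTIONS.findall(data)})
    if PDF_OPAQUE.search(data):
        found.append("compressed-objects-not-inspected")
    return found


def classify_part(part):
    """Inspect one MIME part; returns None for parts that are not attachments."""
    filename = part.get_filename()
    if not filename:
        return None
    data = part.get_payload(decode=True) or b""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Identify the file by its leading bytes: filename and Content-Type are both
    # attacker-controlled. Word also accepts truncated "{\rt" headers, so match on that.
    if data.startswith(b"{\\rt"):
        kind, findings = "rtf", rtf_findings(data, ext)
    elif data.startswith(b"%PDF"):
        kind, findings = "pdf", pdf_findings(data)
    else:
        kind, findings = "other", []
    return {"filename": filename, "declared": part.get_content_type(),
            "kind": kind, "indicators": findings}


def triage_message(raw):
    """Parse raw RFC 5322 bytes; return a gateway verdict and per-attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = [r for r in map(classify_part, msg.iter_attachments()) if r]
    verdict = "reject" if any(r["indicators"] for r in results) else "deliver"
    return verdict, results


def build_sample_message():
    """Constructed sample: inert stand-ins that carry the indicators, not real malware."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please see the attached documents.")
    # RTF with an embedded-object stub, delivered under a .doc name (constructed).
    rtf = b"{\\rtf1\\ansi{\\object\\objemb\\objdata 0105000002000000}}"
    msg.add_attachment(rtf, maintype="application", subtype="msword", filename="invoice.doc")
    # PDF whose open action sends the reader to a login page (constructed).
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /URI "
           b"/URI (http://login.example.invalid/verify) >> >>\nendobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="statement.pdf")
    # A harmless attachment to show the clean path.
    msg.add_attachment(b"meeting notes\n", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, results = triage_message(build_sample_message())
    print("verdict:", verdict)
    for r in results:
        print(f'  {r["filename"]} ({r["kind"]}, declared {r["declared"]}): {r["indicators"]}')
```

On the constructed sample the verdict is "reject": the .doc attachment is really RTF and carries `\objdata`, and the PDF has an `/OpenAction` that fires a `/URI`. The "compressed-objects-not-inspected" finding exists so that a PDF using object streams is never silently passed as clean by this shallow scan.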
Do you trust that all your security providers would have detected these?
Jarred Reid-Robertson