Stage 3: Redirect
Should users fall for the ScribbleLIVE/CNN lure, they are taken to intermediate websites that redirect victims to sites hosting exploit code, in this case the Blackhole Exploit Kit. The redirect sites, as is often the case, are legitimate websites that have been compromised or injected with malicious code that is hidden and obfuscated in order to abuse the compromised host site's reputation. Real-time analysis of these sites at the point-of-click provides immediate protection and can effectively break the chain before a victim is redirected to an exploit.
Stage 4: Exploit Kit
Another thing we see in these broad topical and global news campaigns is the use of common and accessible exploit kits, such as Blackhole, which allows the cyber-criminals to rapidly deploy their attack infrastructure and snare as many victims as possible. Once the exploit kit URL has been visited, the victim's machine is likely to be assessed for vulnerabilities that can be exploited in order to deliver malicious payloads. In this case, as well as delivering malware, such as Zeus, which is designed to pilfer financial information from victims, the site utilises a social-engineering method to trick the victim into installing a fake Adobe Flash Player update.
Real-time analysis of web content and malicious payloads protects users from both known and unknown threats.
Stage 5: Dropper File
Should exploitation be successful, dropper and/or downloader files are used to install additional malicious payloads onto a victim's machine. In the campaigns detailed so far, one relies on the victim falling for the lure and then being redirected to an exploit site from which this would be delivered, while the other simply attaches a malicious file directly to the initial email lure. These files are often encrypted and packed to thwart detection by traditional signature-based solutions, and, therefore, require more advanced solutions to recognise malicious behaviour. Using the email attachment as an example, the ThreatScope Analysis Report nicely illustrates how the file sent requests to malicious hosts, as well as wrote further executable files to the local file system ...
Stage 6: Call Home
Once a victim's machine has its malicious payload installed, it will attempt to "call home' and contact the C2 infrastructure to receive commands by those behind the campaign. Real-time detection of nefarious outbound communications, in lieu of a threat being caught at an earlier stage, can prevent this call home and prevent attackers from achieving their goals.
Stage 7: Data Theft
The exfiltration of data—be that personally identifiable information (PII) from an individual, company confidential data, or even a list of potential royal baby names—is often the attackers' endgame. Utilising methods such as slowly "drip-feeding" data out of a compromised network or creating custom encryption routines to stay hidden, attackers attempt to steal data, which can then be used for further attacks or simply for criminal gain. Advanced data loss and theft prevention features, such as Drip DLP, OCR analysis, and the detection of custom encryption routines can be deployed to keep your data where it belongs and out of the hands of cyber-criminals.
Sign up for CIO Asia eNewsletters.