Endpoint Protection Requires More than Just Anti-Virus

Binary Defense’s Vision Platform recently detected a new variant of the FedEx invoicing phishing campaign widely used for mass email campaigns. The FedEx lures are nothing new and have been circulating for years. Variants spawn quite frequently, but the techniques are continuously changing. Any lure that prompts users to act on a possible disruption of service (such as a FedEx invoice or a missing package) raises the success rate, and this approach is still effective today.

Because Vision works differently from signature-based malware detection, focusing primarily on behavioral analysis to detect suspicious or abnormal patterns, it was able to identify this new variant. At the time, most anti-virus products were unable to detect this malicious code.

Vision alerted Binary Defense’s analysts to svchost.exe beaconing out to a remote address from a client’s computer. When investigating the alarm, analysts determined that this process had been spawned by Microsoft Word, with a Word document as its parent. Further analysis within Vision showed the document was a phish disguised as a FedEx invoice. While this specific technique is not new, this iteration showed the tactics shifting toward a macro-enabled document acting as a downloader, with exfiltration over Tor.

Below is a screenshot of the document being opened:

[Screenshot: fedexphishing-svchost]

Once the document was opened, svchost.exe reached out to the internet, downloaded the Tor browser, and executed it to establish command and control. Tor would then begin beaconing out to multiple IPs on the Tor network, transmitting stolen data from the host or allowing the machine to be accessed remotely from a C2 server. Note that the IPs seen in the beaconing are Tor relays, not the C2 server itself, which is exactly what makes the C2 infrastructure a poor indicator in this case.

[Screenshot: fedex-invoice-svchost]

Vision enabled us to detect this attack in its beginning stages. Once it was detected, our SOC immediately placed the host in Containment Mode, blocking all network access to the machine. This prevented any data from getting out to the internet and prevented any other hosts from getting infected. This swift action also prevented attackers from remotely accessing the machine.

As far as IoCs go, behavioral indicators around child processes (an Office application spawning svchost.exe) and beaconing are more useful here than file hashes or C&C infrastructure, which in this case sat behind Tor. The sites involved have already been taken down, and the variant changes with each campaign, so hash values would be of no use in this specific case.
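To make the behavioral indicators above concrete, here is an added example (not Binary Defense’s or Vision’s code) that runs three detections over constructed Sysmon-style process-creation and network-connection events: an Office application spawning a child process, a binary named svchost.exe running from outside System32, and a process connecting to one remote address at a regular interval (beaconing). The events, process IDs, paths and the jitter threshold are all assumptions made up for this example; the Tor relay address is from a documentation range.

```python
"""Behavioral detections over constructed Sysmon-style telemetry.

Added example, not code from the original post. Flags (1) an Office
application spawning a child process, (2) svchost.exe running outside
System32, and (3) a process connecting to one remote address at a regular
interval (beaconing). All events below are constructed, not real telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Office applications whose documents can carry macros (assumed list)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed process-creation events (fields mirror Sysmon Event ID 1)
PROCESS_EVENTS = [
    {"pid": 800, "ppid": 600,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"pid": 4120, "ppid": 3300,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"pid": 5012, "ppid": 4120,
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"pid": 6100, "ppid": 3300,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

# Constructed network-connection events (fields mirror Sysmon Event ID 3); ts in seconds
NETWORK_EVENTS = [
    {"ts": 0, "pid": 5012, "dst": "203.0.113.10:9001"},
    {"ts": 60, "pid": 5012, "dst": "203.0.113.10:9001"},
    {"ts": 121, "pid": 5012, "dst": "203.0.113.10:9001"},
    {"ts": 180, "pid": 5012, "dst": "203.0.113.10:9001"},
    {"ts": 241, "pid": 5012, "dst": "203.0.113.10:9001"},
    {"ts": 0, "pid": 6100, "dst": "198.51.100.5:443"},
    {"ts": 3, "pid": 6100, "dst": "198.51.100.5:443"},
    {"ts": 95, "pid": 6100, "dst": "198.51.100.5:443"},
    {"ts": 96, "pid": 6100, "dst": "198.51.100.5:443"},
    {"ts": 400, "pid": 6100, "dst": "198.51.100.5:443"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_children(events):
    """Any child of an Office process deserves an alert; return (child pid, child name)."""
    return [(e["pid"], basename(e["image"]))
            for e in events if basename(e["parent_image"]) in OFFICE_PARENTS]


def masquerading_svchost(events):
    """svchost.exe should only run from System32; any other location is masquerading."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "svchost.exe"
            and not e["image"].lower().startswith(SYSTEM32)]


def beaconing(net_events, min_connections=4, max_jitter=0.2):
    """Return (pid, dst, mean gap) for connection series with regular timing.

    Regularity is the coefficient of variation of the gaps between connections.
    Real beacons add jitter, so max_jitter is a tunable (assumed) threshold.
    """
    series = defaultdict(list)
    for e in net_events:
        series[(e["pid"], e["dst"])].append(e["ts"])
    hits = []
    for (pid, dst), ts in series.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pid, dst, avg))
    return hits


def correlate(process_events, net_events):
    """Map pid -> list of behavioral reasons; a pid with several reasons is the priority alert."""
    reasons = defaultdict(list)
    for pid, child in office_spawned_children(process_events):
        reasons[pid].append(f"spawned by an Office application as {child}")
    for pid in masquerading_svchost(process_events):
        reasons[pid].append("svchost.exe running outside System32")
    for pid, dst, avg in beaconing(net_events):
        reasons[pid].append(f"beaconing to {dst} every ~{avg:.0f}s")
    return dict(reasons)


if __name__ == "__main__":
    for pid, why in correlate(PROCESS_EVENTS, NETWORK_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

In the constructed data only pid 5012 trips all three detections: it was spawned by WINWORD.EXE, it is an svchost.exe in a user’s Temp directory, and it connects to the same address roughly every 60 seconds. The legitimate svchost.exe under services.exe and the browser’s irregular connections produce no alert. None of these checks depend on a file hash or on the remote address being known in advance, which is the point of the paragraph above.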

At Binary Defense, our goal is to change the industry by making it substantially more difficult for attackers. With our approach to securing endpoints through detection, deception, prevention, and our analysts, an organization can be confident of gaining immediate visibility from day zero.

Interested in Vision? Contact us to get a demo!



Written by Alex Cole

SOC Analyst at Binary Defense Systems