This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness Detects New Phishing Vector

JohnSimmons
Beginner
Beginner
‎2019-03-25 01:33 PM

On a recent engagement, I took a different approach to finding possible malicious files entering the customer's network.  Rather than focusing on the e-mail, I looked for any RAR, macro-enabled office documents, and portable executable files (PE) entering the network where no service was specified.  Of course, this was done using RSA NetWitness and immediately I found a RAR file which contained a malicious executable.  Although, this was a different vector by which it entered the network.  It didn't appear to be a link that someone clicked from an e-mail and it wasn't an attachment from an email either.  It was from a customer configured, cloud based support site.  You can find many customers who use these types of sites.

 

So here's how I believe this was attempted.  A malicious actor goes to the <customer name>.<customer support site>.com site where they open a support ticket for an order they placed. (Of course they probably didn't place an actual order)  Then using the support interface, they upload what appears to be an order list.  In this instance I found the file name was "OrderList_Xlsx.arj" which is a RAR file and inside was a file called "OrderList.exe" all of which was downloaded by the customer support representative using their admin console to the site.

 

pastedImage_3.pngIt's a simple approach.  It involves the actor opening a support ticket on the customer's site but whether they are actually doing this or using a script/automation is another question.  In this instance, I didn't see it as being targeted towards this customer but maybe they're testing the waters.  Without having access to this customers admin console to this service it's hard to determine whether this is happening more frequently because from our perspective, we only see where the employee downloads the file and enters into the customer's network. 

 

I created a quick and easy search to find this type of activity.

 

alias.host = '<customer name>.<customer support site>.com' && (filetype = 'rar' || filetype = 'windows executable' || ((filetype = 'zip' || filetype contains 'office') && filename contains 'vbaproject.bin') || extension contains 'docm','xlsm','pptm' || content contains 'macro')

1 Comment
JohnSimmons
Beginner
Beginner
‎2019-04-01 10:03 AM
‎2019-04-01 10:03 AM

Update: Instead of uploading via a support ticket, they were using the live chat attachment feature.  Still haven't seen any mention of other similar activity anywhere else.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.