Arrival and Installation

Security researchers have found evidence that a variety of infection vectors were used to infiltrate and gain access to the targeted networks, including spear-phishing emails, watering hole attacks, and trojanized software.

In the spear-phishing cases, emails containing malicious content or attachments were sent to selected employees of the target companies.

The attackers also employed watering hole attacks: certain websites were compromised in order to trojanize legitimate applications related to software used for daily power grid operation. The targeted companies then downloaded these trojanized applications, which compromised their systems.

Product Solutions

Trend Micro products can block all known threats related to this campaign. Below are the Trend Micro product solutions available to help protect against the Dragonfly 2.0 campaign:

The following hashes related to the trojanized software and backdoors are already detected using Trend Micro’s Smart Scan and Conventional patterns (13.645.00) and by Spyware Pattern 1.873.00.

Pattern Detection    SHA1
BKDR_GOODOOR.ASU     f765c448b6a1eb75862ab362897c35fbafcb2a43
TROJ_LISTRIX.A       cd9519127efcc9a65068befe17ae038c94085358
TROJ_KARAGANY.ULT    95db15c67b48945237af7de61f3dbab92c99edd1
BKDR_DORSHEL.A       c7eae6cd08d0601223b641745f078dffce285066
TROJ_HERIPLOR.A      d6ef3e457819425bf9524e8a7070f3fcf21c3ad5
TROJ_PHISHERLY.A     eff5e2a3ac471a1b5ecdf51a72e003a82c350506

Spyware Pattern Detection    SHA1
HKTL_CREDRIX.A               4f2faef3d65099c19d617df73af5119dd719240c

Trend Micro’s high-fidelity machine learning solution is a predictive solution that helps protect an environment from unidentified threats and zero-day attacks. It performs behavioral analysis on unknown or low-prevalence processes to determine whether an emerging or unknown threat is attempting to infect the network. The hashes listed above are detected by this solution as:

TROJ.Win32.TRX.XXPE002FF018

Trend Micro’s Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.

The following C&C servers are already identified and marked as dangerous by Trend Micro’s Web Reputation Services:

  • hxxp://103[.]41[.]177[.]69/A56WY
  • hxxp://37[.]1[.]202[.]26/getimage/622622.jpg
  • hxxp://184[.]154[.]150[.]66

Trend Micro Deep Discovery Inspector helps identify malicious traffic and affected machines on the network. It has the following detection rules for the phone-home behavior of the malware used in this campaign:

  • Rule 2464 - GOODOR - HTTP (Request)
  • Rule 2492 - KARAGANY - HTTP (Request)

Recommendations for IT Admins

  • Review logs and consoles from Trend Micro products to check whether any detections have been registered, and perform a full scan of endpoints suspected of having communicated with the C&C servers.
  • Trend Micro gateway web inspection and mail protection products, such as InterScan Web Security Virtual Appliance (IWSVA) and InterScan Messaging Security Virtual Appliance (IMSVA), can check the web and email reputation of embedded links and block dangerous requests.
  • Educating employees about the dangers and risks of spear-phishing emails can help reduce the risk of malware infections.
  • Setting strong passwords, encouraging users not to reuse passwords, and employing two-factor authentication to add a layer of security to critical systems are recommended.
  • Encrypting vital and/or sensitive data in advance and sending files via secure channels can also help reduce the risk of data leaks from within an enterprise.
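As an added example, not from the advisory or from Trend Micro's own tooling, the following Python script shows how an administrator could act on the indicators above: it refangs the listed C&C URLs, checks proxy log lines for contact with those hosts, and maps file SHA1 digests to the detection names in the table. The proxy log layout and the sample log lines are assumptions constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlsplit
# Indicators as published on this page (kept defanged so they are not clickable).
CC_URLS = [
    "hxxp://103[.]41[.]177[.]69/A56WY",
    "hxxp://37[.]1[.]202[.]26/getimage/622622.jpg",
    "hxxp://184[.]154[.]150[.]66",
]
KNOWN_SHA1 = {
    "f765c448b6a1eb75862ab362897c35fbafcb2a43": "BKDR_GOODOOR.ASU",
    "cd9519127efcc9a65068befe17ae038c94085358": "TROJ_LISTRIX.A",
    "95db15c67b48945237af7de61f3dbab92c99edd1": "TROJ_KARAGANY.ULT",
    "c7eae6cd08d0601223b641745f078dffce285066": "BKDR_DORSHEL.A",
    "d6ef3e457819425bf9524e8a7070f3fcf21c3ad5": "TROJ_HERIPLOR.A",
    "eff5e2a3ac471a1b5ecdf51a72e003a82c350506": "TROJ_PHISHERLY.A",
    "4f2faef3d65099c19d617df73af5119dd719240c": "HKTL_CREDRIX.A",
}
# Assumed proxy log layout: timestamp client_ip method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def refang(indicator):
    """Convert a defanged indicator (hxxp, [.]) back into a real URL for matching."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")

def cc_hosts():
    """Set of C&C hostnames derived from the listed URLs."""
    return {urlsplit(refang(u)).hostname for u in CC_URLS}

def find_cc_contacts(log_lines):
    """Return (timestamp, client_ip, host) for each log line whose destination is a listed C&C host."""
    hosts, hits = cc_hosts(), []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and urlsplit(m["url"]).hostname in hosts:
            hits.append((m["ts"], m["src"], urlsplit(m["url"]).hostname))
    return hits

def lookup_sha1(hexdigest):
    """Map a SHA1 hex digest to the pattern name in the table above, or None."""
    return KNOWN_SHA1.get(hexdigest.lower())

def classify_file_bytes(data):
    """Hash file contents and look the digest up; run this over files from suspect endpoints."""
    return lookup_sha1(hashlib.sha1(data).hexdigest())

# Constructed sample log lines (not from the page): the second one contacts a listed C&C server.
SAMPLE_LOG = [
    "2017-09-06T10:01:02Z 10.0.0.15 GET http://example.com/index.html 200",
    "2017-09-06T10:02:17Z 10.0.0.23 GET http://37.1.202.26/getimage/622622.jpg 200",
    "2017-09-06T10:03:40Z 10.0.0.15 POST https://intranet.example.com/login 302",
]
```

Running `find_cc_contacts(SAMPLE_LOG)` flags only the second line, giving the endpoint to scan per the first recommendation above.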

For support assistance, please contact Trend Micro Technical Support.