Phishing
Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.
Malware/Threat actors
| Name | Type | Years | Source |
|---|---|---|---|
| Operation Cleaver | threat actor | 2012-2013 | Cylance_Operation_Cleaver_Report.pdf
stamp.jsp?tp=&arnumber=7460498&tag=1 |
| Epic Turla | threat actor | < Known years active > | The_Epic_Turla_Operation.pdf
KL_Epic_Turla_Technical_Appendix_20140806.pdf ICIT-Brief-Know-Your-Enemies-2.0.pdf Turla_2_Penquin.pdf |
| Energetic Bear | threat actor | 2010-2014 | EB-YetiJuly2014-Public.pdf
|
| APT37 | threat actor | 2014-2017 | rpt_APT37.pdf
|
| GRIZZLY STEPPE | threat actor | 2015-2018 | GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity
AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf |
| Operation Potato | threat actor | 2011-2015 | Operation-Potao-Express_final_v2.pdf
|
| PlugX | malware | 2014 | GlobalThreatIntelReport.pdf
plugx-goes-to-the-registry-and-india.pdf ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf P2P_PlugX_Analysis.pdf |
Preventions
- Utilize up to date web browsers on the network for increased security enhancements. These improvements may include a sandboxing feature that would allow the browser to contain any malicious content and protect the endpoint if an emailed link is clicked.
Detections
- Look for domain typo-squat domains(Real domain: google.com, Typo-squat: googlw.com).
- Detect messages being received by unknown/unverified SMTP servers.
- E-mail being sent on port SMTP port 25 with no encryption.
- Monitor HTTP GET requests for resources like
/SDKJbsdfs - Bro Phishing Detection Module - A simple phishing detection for mass phishing campaigns like Dridex. Detects the same email attachment being sent to many recipients.
- Bro Phishing Detection Module - Detection of emails from domains close to domains within Site::local_zones.
Toolkit
<Toolkit instructions, if applicable>