Very often we’ll see mention in open reporting of a threat actor’s tactics, be they “new” or just what’s being observed, and while we may consider how our technology stack might be used to detect these tactics, or maybe how we’d respond to an incident where we saw these tactics used, how often to do we consider why the tactic was used?
To see the “why”, we have to take a peek behind the curtain of detection and response, if you will.
If you so much as dip your toe into “news” within the cyber security arena, you’ve likely seen mention that Emotet has returned after a brief hiatus [here, here]. New tactics observed associated with the deployment of this malware include the fact that the lure document is an old-style MS Word .doc file, which presents a warning message to the user to copy the file to a ‘safe’ location and reopen it. The lure document itself is in excess of 500MB in size (padded with zeros), and when the macros are executed, a DLL that is similarly zero-padded to over 500MB is downloaded.
Okay, why was this approach taken? Why pad out two files to such a size, albeit with zeros?
Well, consider this…SOC analysts are usually front-line when responding to incident alerts, and they may have a lot of ground to cover while meeting SLAs during their shift, so they aren’t going to have a lot of time to invest in investigations. Their approach to dealing with the .doc or even the DLL file will be to first download them from the endpoint…if they can. That’s right…does the technology they’re using have limits on file sizes for download, and if so, what does it take to change that limit? Can the change be made in a timely manner such that the analyst can simply reissue the request to download the file, or does the change take some additional action. If additional action is required, it likely won’t be followed up on.
Once they have the file, what are they going to do? Parse it? Not likely. Do they have the tools available, and skills for parsing and analyzing old-style/OLE format .doc files? Maybe. But it’s easier to just upload the fil
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: