Archive for January, 2017

10 Red Flags of Email Phishing

Tuesday, January 17th, 2017

What is Email Phishing?

Email phishing is a technique used by digital adversaries to gain access to a target's computer. Examples can be found as early as the mid-1990s and email phishing continues to be a widely used practice to this day. Adversaries will often use social engineering in phishing emails to trick their targets into allowing system access. It can be easier (and more efficient) for a threat actor to gain access through an end user than attempting to break in forcefully.

However, there are ways that individuals without a background in security can help identify potential email phishing attacks. Security processes may offer some level of protection, but recognizing email phishing at the user level is just as important. Let's examine some of the red flags of a potential email phishing attack.

1. The Email Address

Threat actors may compose their phishing emails to appear as if they are coming from an existing contact. You are more likely to open an email and not question its contents if it appears to come from someone you know. However, adversaries can spoof (or fake) email addresses to trick you into granting them access. One way this is accomplished is by slightly adjusting the domain name in the sender's email address.

Here is one example:

Organization Name: ABC Tech
Email Sent From: Jessica McCowen
Real Email Address:
Spoofed Email Address:

At a brief glance, the fake domain may go unnoticed, allowing the email to slip under the radar. While the name of your contact may be legitimate, this alternate domain is a red flag.

What You Can Do

The first step is to compare the sender's email address against your known contacts. Check your email contacts and/or your company directory to be sure the email was sent from a legitimate contact.

After the contact is verified, compare the email addresses (and domains) for discrepancies. If there is a noticeable difference, report the email to your security team so they can investigate further. Another step you can take (after verifying the contact) is to call the sender directly and ask whether they sent the email. Performing these simple checks will help keep your email and organization a little safer.

2. Email Attachments

Digital adversaries can use attachments to deliver malware and other malicious payloads. Almost any type of file can be attached to an email, and most people are conditioned to open them. Adversaries may model an attachment to resemble others that were previously sent, such as a resume or an invoice. You should be cautious with attachments and take a few precautionary steps before downloading any documents.

What You Can Do

The first thing you can do is examine the attachment name and file type for any discrepancies. If the name or format of the attachment does not match what you would expect from this sender, it is better to be cautious. After verifying the sender, contact them directly and confirm the time the email was sent, the attachment name, and the file type.

Possible discrepancy example: DavisSmithInvoice.PDF vs. newInvoice1.Docx

You should also check that the program icon and the file extension match. Every file type has a default icon and an extension, such as a Word document, PDF, or zip file. If the attachment shows a Word icon but carries the extension of a zip file (or the reverse), it could be malicious; for a legitimate file, the icon and extension match. One caveat: Windows hides known file extensions by default, so a file named Invoice.pdf.exe is displayed as Invoice.pdf, and an attacker can give that executable a PDF-style icon. Turning on the display of file extensions in File Explorer lets you see the real extension.

[Image: email phishing attachments]

For a standard Word document, the extension will be .docx (or .doc). A mismatched extension (such as .pdf or .exe) behind a Word icon could indicate the attachment is hiding a malicious payload.

3. Provided Links

Most people have opened emails containing a link to a product, an invoice, or to process a payment. Threat actors can exploit this practice to trick you into downloading a malicious payload. If you have clicked a link and you are being asked to “sign in” using your email or social media account, this is a red flag. When receiving a link to an invoice or a downloadable form, it is better to be cautious. Double check that the URL has directed you to the proper location.

[Image: email phishing log-in page]

What You Can Do

You can train yourself not to assume every site or link you visit is legitimate. If a link looks like a Flash Player update but the URL reads, it is better to close the page and not proceed. Anytime you need a software update, it is safer to visit the vendor's site directly to look for your update (such as

4. Grammar & Structure

The structure of an email can be a telltale sign that an adversary may be phishing. An email with missing words, wrong tenses, transposed words, or vague generalities should be a red flag. In a business context, you will rarely receive a legitimate email that omits a name, company, or specific subject. If you spot these grammatical or structural errors, don’t disregard them; they may be indicators of a phishing attempt.

What You Can Do

If you do not know the sender, the context, or even what the email is directly referring to, you should contact your security provider to examine the email. Security experts can investigate phishing emails to gather valuable threat intelligence about who may be targeting your organization.

5. Enabling Macros

Sometimes a Word document (for example) contains content that is only viewable by “enabling macros.” Microsoft Word will prompt you to perform this action with the notification below.

[Image: Word document prompting the user to enable macros]

Adversaries can tie the trigger that launches malicious software to this act of enabling macros. This is one way threat actors can trick you into running malicious software on your system. In the Kill Chain, this is called “exploitation.”

What You Can Do

If you receive a prompt to enable macros, ask the (verified) sender for another version of the file that does not require this action. Again, check the body of the email and the relevance of the attachment before downloading anything. You can also contact the sender directly to be sure there is a reason for the macro. Nothing is 100%, but it is better to be safe than to assume anything.
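The checks in sections 2 and 5 (does the extension match what the file actually is, is a second extension hiding an executable, does the document carry a macro project) can also be automated in a mail gateway or a triage script. The Python below is an added example written for this article, not code from the original post or from any vendor. The file signatures it uses are real; the sample attachments are constructed inside the block, and the “.docm” sample is a minimal ZIP with a vbaProject.bin entry rather than a genuine Word document.

```python
import io
import zipfile

# File signatures (magic bytes) for the attachment types the article discusses.
# OOXML documents (.docx/.docm/.xlsx/.xlsm) are ZIP containers, so they share the PK header.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
    "docm": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "xlsm": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy OLE2 compound document
    "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "exe": b"MZ",
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta", "ps1", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf", "txt"}
OOXML_EXTS = {"docx", "docm", "xlsx", "xlsm"}

def extensions(filename):
    """Lower-cased extensions in order, e.g. 'Invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def has_vba_macros(data):
    """True if an OOXML container carries a VBA project (what Word loads when you 'enable macros')."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def inspect_attachment(filename, data):
    """Return the red flags raised by one attachment; an empty list means none of these checks fired."""
    flags = []
    exts = extensions(filename)
    if not exts:
        return ["no file extension"]
    last = exts[-1]
    # Windows hides known extensions by default, so Invoice.pdf.exe displays as Invoice.pdf.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        flags.append(f"double extension: .{exts[-2]}.{last} disguises an executable as a document")
    elif last in EXECUTABLE_EXTS:
        flags.append(f".{last} is an executable or script type")
    # Does the content match what the extension claims?
    expected = MAGIC.get(last)
    if expected is not None and not data.startswith(expected):
        actual = next((ext for ext, sig in MAGIC.items() if data.startswith(sig)), "unknown")
        flags.append(f"content does not match .{last} (signature looks like {actual})")
    if last in OOXML_EXTS and has_vba_macros(data):
        flags.append("document contains a VBA macro project")
    return flags

def build_ooxml(with_macro):
    """Constructed stand-in for a Word document: a minimal OOXML-style ZIP, not a real .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()

# Constructed sample attachments (names loosely follow the article's DavisSmithInvoice.PDF example).
SAMPLES = {
    "DavisSmithInvoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "newInvoice1.pdf": b"MZ\x90\x00" + b"\x00" * 60,     # executable renamed to .pdf
    "Statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # double extension
    "Order_Form.docx": build_ooxml(with_macro=False),
    "Order_Form.docm": build_ooxml(with_macro=True),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {inspect_attachment(name, data) or 'no flags'}")
```

Run it and each sample prints its flags. The macro check only tells you that a VBA project exists, not what it does; that is still the cue to ask the verified sender for a macro-free copy rather than clicking “Enable Content.”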

6. Malicious URLs

Let’s examine the use of a spoofed or faked URL more closely. If a threat actor wanted to send you a malicious link pretending to be PayPal, they could not use PayPal's real domain, www.PayPal[.]com. However, an adversary could register a URL that looks very similar, such as Pay_Pal_info[.]com or PayyPall_info[.]com. If you are not paying attention, these fake URLs might pass as the real thing. Clicking a malicious link could result in malware being downloaded onto your system.

What You Can Do

Checking the legitimacy of a URL is not too complicated. You can open a new web browser, search for the company's homepage, and examine the URL of the organization in question (PayPal, Adobe, etc.). If the home page URL is PayPal[.]com, supplementary information or updates will usually stem from this URL ( If the link or site provided to you does not follow this format, this is a red flag.
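The domain comparisons in sections 1, 3 and 6 (a sender address whose domain is almost your contact's, a link whose host merely contains a brand name) can be scripted. The Python below is an added example written for this article, not code from the original post. It assumes an allow-list of verified domains: paypal.com is PayPal's real domain, while abctech.com is an assumed domain for the article's fictional ABC Tech. The two-label domain extraction is deliberately simple and will be wrong for suffixes such as .co.uk, as noted in the code.

```python
import re
from urllib.parse import urlsplit

# Domains verified out-of-band (your contact list, the company directory, a vendor's real site).
# Assumed allow-list: paypal.com is PayPal's real domain; abctech.com is an assumed domain
# for the article's fictional "ABC Tech".
KNOWN_DOMAINS = {"paypal.com", "abctech.com"}
# Brand names whose appearance in a host that is NOT allow-listed is suspicious.
BRANDS = {"paypal", "abctech"}

def host_of(sender_or_url):
    """Lower-cased host from 'Name <user@host>', 'user@host', or a URL (scheme optional)."""
    s = sender_or_url.strip()
    if "://" not in s and "@" in s:
        return s.rsplit("@", 1)[1].strip("<> ").lower()
    parts = urlsplit(s if "://" in s else "http://" + s)
    return (parts.hostname or "").lower()

def registrable_domain(host):
    """Last two labels of the host. Assumption: no multi-label public suffixes such as
    .co.uk; production code should consult the Public Suffix List instead."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character typosquats (paypaI, payypall)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_or_url):
    """'known' for an allow-listed domain, 'lookalike of <brand>' for an impostor
    domain, 'suspicious: ...' for a URL with a user@ prefix, otherwise 'unknown'."""
    s = sender_or_url.strip()
    # http://www.paypal.com@evil.example/ really goes to evil.example; the part before
    # the @ is URL userinfo, not the host.
    if "://" in s and urlsplit(s).username is not None:
        return "suspicious: user@ prefix hides the real host"
    host = host_of(s)
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return "known"
    # Brand name anywhere in the host (paypal.com.account-verify.net, abc-tech.com) ...
    flat_host = re.sub(r"[.\-_]", "", host)
    # ... or a near-miss spelling of it in the registrable domain's own label.
    tokens = [t for t in re.split(r"[-_]", domain.split(".")[0]) if t]
    for brand in sorted(BRANDS):
        if brand in flat_host or any(edit_distance(t, brand) <= 2 for t in tokens):
            return f"lookalike of {brand}"
    return "unknown"

if __name__ == "__main__":
    for sample in ["Jessica McCowen <jessica@abctech.com>", "jessica@abc-tech.com",
                   "https://www.paypal.com/signin", "Pay_Pal_info.com/login",
                   "PayyPall_info.com", "https://paypal.com.account-verify.net/",
                   "http://www.paypal.com@evil.example/", "https://www.adobe.com/"]:
        print(f"{sample:45} -> {classify(sample)}")
```

The user@ check matters because a browser sends http://www.paypal.com@evil.example/ to evil.example; everything before the @ is treated as URL credentials, not as the destination. That is exactly the kind of link section 3 warns about, and it is invisible if you only read the start of the URL.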

7. Personal Information Requests

Information is what threat actors are usually after. Any piece of information obtained can potentially lead an adversary to another point of access. Information like your mailing address, passwords, or account numbers should not be sent over email. Threat actors can use even small pieces of information, such as a zip code, and leverage that information against you.

What You Can Do

You should never provide personal information over email; there are very few exceptions to this rule. If an adversary obtains your personal data, they could pivot their intrusion efforts and target other connections in your network. This applies to account numbers and passwords as much as to details that seem harmless on their own.

8. Assuming to Know You

An email welcoming you to a new organization or claiming to be “John in sales,” could be an adversary using social engineering. Most of us have experienced the feeling of trying to remember the name of somebody who seems to know us. Digital adversaries can utilize this same approach in phishing emails. You may assume the sender is someone you met in passing as you proceed with trying to assist them.

What You Can Do

You should ask who they are, plain and simple. There is nothing wrong with asking for clarification as to who a sender is, who their supervisor is, or what department they are in. This is especially true if you are new to an organization that may have hundreds or even thousands of employees. Do not assume anything; ask for clarification as to who the sender is before proceeding.

9. Lacking Sender or Company Information

An email with a clean and robust signature can lull you into a false sense of security. If you have not heard of the company or the individual, you should not assume that either is real. How many adversaries would go through the trouble of creating a fake name, LinkedIn profile, or company website? The answer may be far more than you think.

What You Can Do

When researching a company or an individual, you will need to do more than visit their website. Examine their social media profiles including the company and sender LinkedIn pages. Lacking or minimal company information, missing profile photos, and/or low connection counts (usually 10-50) are all red flags. If information is not readily available, chances are the email may be a phishing attempt.

Examples of potentially fake LinkedIn profiles:

[Image: email phishing fake profile]
[Image: email phishing LinkedIn profile]

10. Something Just Seems “Off”

At the end of the day, you know the types of emails and messages you receive on a daily basis. If anything just feels off, you should assume that it is. When emails are a staple of your business communication, you become attuned to the tones your regular senders use. If a sender is usually professional and their next email is overly casual, this should seem “off” to you.

If anything feels off, do not hesitate to confirm with the sender directly or contact your security team to examine a suspicious email. Taking a few precautions could keep your organization from experiencing a serious intrusion that could cost millions to recover from.

In Conclusion

Unfortunately, phishing is not going away anytime soon, so it is better you are prepared for what may come your way. As security professionals, we see the pain these phishing emails can cause on a daily basis.  As much as we want our clients to be protected, we also want them to be informed. Responding to an intrusion is a job for the dedicated security team, but individual efforts can help reduce the likelihood of an intrusion.

Most intrusions still come down to the unintentional actions of individuals. When it comes to spotting phishing emails, watch for these red flags and keep your security team notified of anything suspicious.  In short, taking a little more time examining your emails can help prevent your organization from being the victim of an email phishing attack.

Want to learn more about DigiTrust’s managed security services? Our experts are always available to answer your questions. You can call us directly at (310) 696-4500 or use the form below. If you are experiencing an intrusion from a phishing email, click the box below to learn more about our incident response services. Thank you for visiting The DigiTrust Group.

Posted in The DigiTrust Group BLOG | No Comments »

The Rise of Agent Tesla

Thursday, January 12th, 2017

In June of 2015, incident response experts at DigiTrust were alerted to a phishing email sent to one of our client organizations. The email contained a link to an order form, which was downloaded and opened by an employee. The innocent-looking document was not only weaponized with a malicious payload but also contained something new our experts had not seen before.

The malicious payload was called Agent Tesla, a keylogger that could capture keystrokes and email them back to the threat actor. The further our incident response team investigated, the more apparent it became that Agent Tesla was much more than a standard keylogger.

Agent Tesla has many features that had not been seen in keyloggers before.

What is Agent Tesla?

Agent Tesla is a relatively new piece of malware used for recording keystrokes on a victim's computer. Adversaries can use it covertly to collect account information, usernames, passwords, and credit card numbers. Although keyloggers are not built to extract files or provide remote access to a system, any information typed into documents, browsers, or messaging apps can be recorded. Threat actors can take “snapshots” of keystrokes and see everything that has been typed, searched, or accessed. While Agent Tesla can perform standard keylogging functions, it also has features that set it apart from similar pieces of malware.

Access & Support

Agent Tesla has been growing in popularity for a variety of reasons, including availability and price. Agent Tesla is readily available, and pricing varies depending on where the threat actor finds it online. From forums claiming to have free “cracked” versions to www.AgentTesla[.]com providing access for $9-$30, Agent Tesla is not difficult to acquire. Threat actors downloading the keylogger directly from Agent Tesla’s website receive 24/7 support and software updates.

[Image: Agent Tesla pricing]

Threat actors are provided with 24/7 support, updates, and a Skype contact for assistance.

Delivery, Access, and Gaining Entry

The delivery of Agent Tesla onto a victim’s computer is often accomplished through phishing, or sending emails with an infected attachment. Agent Tesla also has a feature that allows it to autorun from a USB stick. Currently, Agent Tesla can only be used on Windows operating systems (all versions) while use on other platforms such as Mac or Linux is not an option.

More Than Just a Keylogger

Searching for Agent Tesla online returns pages of results providing access to or discussing Agent Tesla. When we begin to examine Agent Tesla's features, it becomes clear that this keylogger is more robust than most. The capabilities of Agent Tesla push the boundaries of what we typically see in keyloggers.

Beyond the Basics

The list of features and options for Agent Tesla is extensive. For clarity and cohesiveness, we have outlined some of the core features and functions in this article. While keyloggers were once only known for capturing keystrokes, Agent Tesla has expanded its capabilities far beyond the standard.

Core features:

  • Downloader
  • Password recovery
  • Screen capture & Webcam
  • Multi-Language

The ability to do more than just record keystrokes is beyond the standard functionality of most keyloggers. Agent Tesla has a "downloader" feature, allowing the adversary to download and run files on a victim's system. This feature alone shows that Agent Tesla could be used for more involved intrusions than a standard keylogger.

Customization & Control

There are two main pieces to using Agent Tesla. The first is the interface that allows the threat actor to customize Agent Tesla's functions before sending it to a potential target. Everything from the visibility of the install to how the victim will interact with Agent Tesla is controlled from this interface.

The second piece is the actual dashboard of Agent Tesla. The threat actor monitors the connected systems and controls Agent Tesla from this dashboard. The dashboard is a command center, and the adversary is at the controls. Let’s take a look at both the interface and the dashboard.

The Interface

Agent Tesla needs to be run by the target themselves, which can require a level of deception. Agent Tesla can display a false message to trick the target into providing access. The false message might read “Update Adobe Flash Player”; after the target clicks “OK,” they have just told the computer to install Agent Tesla.

Composing Fake Messages

The following shows how Agent Tesla can create a fake pop-up message to deceive a target. The threat actor can create a heading (#1), a message for the pop-up box (#2), and can even include a particular icon (#3). The result is a fake pop-up message used to trick the victim into installing Agent Tesla.

The resulting false message created by Agent Tesla.

The Command Center

The dashboard is a single window with simple navigation tools providing the adversary a clear view of their connected “clients.” All collected information, such as keystroke logs (#1), time stamps (#2), and IP addresses (#3), can be found in the dashboard. The column on the left side of the dashboard allows for quick access to collected passwords, screenshots, and keystrokes (#4).

Stealing Keystrokes

Agent Tesla will keep logs of the victim's keystrokes and where those keystrokes occurred.

If the victim opens Notepad, Outlook, or even Facebook, the blue text tells the adversary where these keystrokes were made. Standard black text with no formatting will indicate the actual written text of the victim, such as a username or password. The final indicator color is green; the green text shows the function keys that were used.

The Danger of Automation

The ability to automate may be one of the most dangerous features of Agent Tesla. An adversary can automate the keylogger to take snapshots of keystrokes, the desktop, and webcam images at timed intervals. If the threat actor wanted to take a snapshot every 10 minutes, Agent Tesla could do just that. The adversary can view what was collected in the Agent Tesla logs (or via email) and keep the information they find most valuable.

Although Agent Tesla is not completely hands off, any level of automation can make collecting information faster and simpler for adversaries. Automation, interface simplicity, and advanced features are just some of the reasons Agent Tesla’s use has expanded in 2015 and 2016.

What To Do?

To protect against Agent Tesla, we need to be cautious about opening email attachments or visiting unknown web links. However, if a keylogger were already inside the system, what would we do? How would we know? When we begin to ask these questions at the enterprise or organizational level, the answers become much more involved. With malware like Agent Tesla having the ability to download and run additional malware, the possible damage extends beyond collecting keystrokes. Although there are several pieces of software claiming to be able to find keyloggers, these tools are not able to establish any situational context to understand how deep the intrusion may go.
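If a keylogger that emails its logs home were already running, how would we know? The behaviours this article describes (keystroke logs sent back by email, collection scheduled at fixed intervals) leave network traces that can be hunted for. The Python below is an added example written for this article, not code from the original post and not a detection signature for Agent Tesla specifically, since the post does not publish indicators. The telemetry is constructed in the block, the mail-client baseline is an assumption to tune per environment, and “OrderForm.exe” is an invented process name.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Mail submission/relay ports. A keylogger that emails its logs home must reach one of
# these (exfiltration over HTTPS to a webmail API is out of scope for this rule).
SMTP_PORTS = {25, 465, 587}

# Processes expected to speak SMTP on a workstation. Assumed baseline; tune per environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed endpoint network-connection events (not real telemetry). "OrderForm.exe"
# is an invented process name standing in for a document-dropped payload.
SAMPLE_EVENTS = """\
timestamp,host,process,dst_ip,dst_port
2016-06-01T09:02:11Z,WS-017,outlook.exe,203.0.113.25,587
2016-06-01T09:02:40Z,WS-017,chrome.exe,198.51.100.9,443
2016-06-01T09:12:05Z,WS-017,OrderForm.exe,203.0.113.77,587
2016-06-01T09:22:05Z,WS-017,OrderForm.exe,203.0.113.77,587
2016-06-01T09:32:05Z,WS-017,OrderForm.exe,203.0.113.77,587
2016-06-01T10:00:00Z,WS-022,thunderbird.exe,203.0.113.25,465
2016-06-01T10:05:00Z,WS-022,svchost.exe,198.51.100.9,443
2016-06-01T10:07:30Z,WS-022,python.exe,203.0.113.25,25
"""

def smtp_from_unexpected_process(events_csv):
    """Group outbound SMTP connections made by processes outside the mail-client
    baseline: {(host, process): [timestamps]}."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(events_csv)):
        if int(row["dst_port"]) in SMTP_PORTS and row["process"].lower() not in MAIL_CLIENTS:
            hits[(row["host"], row["process"])].append(row["timestamp"])
    return dict(hits)

def is_periodic(timestamps, tolerance_s=30):
    """True when three or more connections recur at a near-constant interval, the
    footprint of a 'send logs every N minutes' schedule."""
    if len(timestamps) < 3:
        return False
    ts = [datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ") for t in timestamps]
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= tolerance_s

def findings(events_csv):
    """One finding per offending (host, process): connection count and whether the
    timing looks scheduled. Periodic SMTP from a non-mail process is the higher-priority
    lead for an incident responder."""
    out = []
    for (host, proc), stamps in sorted(smtp_from_unexpected_process(events_csv).items()):
        pattern = "periodic" if is_periodic(stamps) else "ad hoc"
        out.append((host, proc, len(stamps), pattern))
    return out

if __name__ == "__main__":
    for host, proc, count, pattern in findings(SAMPLE_EVENTS):
        print(f"{host} {proc}: {count} SMTP connection(s), {pattern}")
```

A non-mail process opening SMTP connections on a regular cadence is the lead to pivot on: which document spawned that process, which host was hit first, and what else that host talked to. That is the context the next section argues automated tools cannot supply on their own.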

Security Automation, The Hard Truth

Full automation in information security is not yet a reality, which is precisely why security software may only eliminate the symptom as opposed to alleviating the root of the problem. Automated security software cannot determine or evaluate the context behind an intrusion. Security experts need to build as much context as possible around incidents involving malware like Agent Tesla to effectively investigate, contain, and remediate.

DigiTrust Solutions

By performing incident response, we can understand the complete who, what, when, where, and why of Agent Tesla within a victim's system. The ability to root-cause provides a better chance of a thorough recovery and better protection against such intrusions in the future. DigiTrust’s people, processes, and technology are dedicated to not just finding the needle in the haystack, but getting to the root of intrusions like Agent Tesla and eliminating it.

To learn more about DigiTrust’s managed security and consulting services you can contact us using the form below or call (310) 696-4500.

The DigiTrust Group is a managed security services firm that focuses on using advanced people, processes, and technology to proactively provide the highest level of information security at our client organizations. We do this by actively identifying, blocking, and researching attackers hitting our client organizations. In short, we act as a security operations center (SOC) for organizations that either do not have a SOC or require augmented SOC functionality.

Posted in The DigiTrust Group BLOG | No Comments »

The Incident Response Kill Chain

Tuesday, January 10th, 2017

It Was a Friday...

It is a Friday like any other. With coffee in hand, you sit and check the results of your anti-virus security scans. Three alerts have been raised, two have been “quarantined” and the other “cleaned”. You dig in and find two malicious files, you delete them, and rescan. No alarms. It’s a good thing your anti-virus caught these threats early and the issue was contained…or was it?

Did your anti-virus catch it on the way in or on the way out? Was the malicious software actively harvesting data or was its job already done? Was it just lying dormant? Did it move laterally through your organization and what triggered your alert was only the tip of the iceberg?  

What is Incident Response? 

Anti-virus tools are just that, tools. True incident response is the ability to identify an intrusion, investigate, contain, and ultimately remediate it. Incident response teams will hopefully have extracted enough information to know how deep the intrusion goes, what is needed for recovery, and how it could be prevented in the future.  

Incident response means moving away from solely relying on tools or software to magically resolve incidents, and instead, focusing on using people, process, and technology to establish much-needed context. 

Establishing Context

Where do information security experts gain this context? We study our adversaries in a very methodical way. This dedication to understanding their adversarial tradecraft is the critical link that allows us to establish context. To disrupt or deny the adversary, we place ourselves in the mindset of these threat actors to understand what allows them to function as they do.  

The threat actor’s goal is to seek out valuable information that can be leveraged, harvested, sold, or even held for ransom. They follow certain processes and procedures; they invest their time and resources into opportunities that will yield them the greatest return on their efforts.

The Kill Chain®

The information security industry refers to the threat actor’s process as a Kill Chain®, a term coined by Lockheed Martin. The earlier the Kill Chain® can be disrupted, the less chance the threat actor has to execute on his objectives. Let’s take a look at the Kill Chain® and the process a threat actor goes through to access an organization.

1. Reconnaissance: Understanding the Target

The threat actor begins with reconnaissance, often crawling websites to gather information such as email addresses, social media connections, or specific information on your organization’s technologies or processes.

The goal for the attacker is to gather any valuable information that will offer an access point to the target organization.

2. Weaponization: Arming the Payload

What exactly does this malicious threat actor use to gain access? The answer comes in the form of weaponization. Much as the military uses camouflage, threat actors don’t want to be noticed.

They want to pair their malicious payload with something that appears normal and benign. A PDF attachment or a standard Word file can be used to camouflage malicious payloads, for example. 

3. Delivery: The Path Inside

The threat actor has his weaponized payload and now he needs to deliver it.  How is the payload delivered into your system when you are already taking security precautions?

Threat actors will pair their payloads with actions you take every day, such as checking your email or visiting a website. Both of these normal processes can be a gateway for the threat actor.

4. Exploitation: Flipping the Switch

Exploitation is what flips the switch, making the threat active. This could be as simple as opening a macro-enabled Word document, which can execute embedded malicious code.

5. Installation: Building a Back Door

Malicious code is now running on the system. The payload can begin installation of an implant, allowing access and the ability to maintain position within your environment.

This essentially acts as a “backdoor” allowing the threat actor to enter and exit your system whenever he pleases.

6. Command and Control: Taking the Wheel

The installed implant now needs to connect to an operator, or in this case, connect to a system that allows manual or programmatic control of the threat.

Once the connection is made, access is granted. The threat actor now has the platform in place needed to begin executing  his objectives.

7. Actions on Objectives: Access Granted

The attacker can now begin executing his objective.  This may include using the primary access system to move laterally into other systems within your network.

The following is a look at how a threat actor could utilize this Kill Chain® to gain access to your organization. 

[Image: Kill Chain process example]

So where in the Kill Chain® did your anti-virus alert your team?

[Image: incident response Kill Chain timeline]

You can quickly see the level of investigation the incident response team must be able to undertake. Each link of the chain must be identified. The point of detection (or Kill Chain link) will determine how incident responders should proceed to contain and remediate.

Anti-Virus may sound an alert, but knowing where the threat was found, how long it has been present, where it came from, its intent, and what it has accessed is imperative to successfully closing the loop.

Incident Response vs. Anti-Virus

Due to the automated nature of anti-virus systems, the ability to contextualize and root-cause threats is beyond the reach of anti-virus tools. Applying incident response to an alert requires understanding the paths threat actors travel and their intent. While a “quarantined” anti-virus alert may offer peace of mind, it is a false sense of security.

Incident Response Final Perspective

Incident response is continuously evolving. When a threat actor attacks and our incident response team stops it, the actor has just provided us with another tool to use against him. The more attempts he makes, the more tools and information he is handing over to us. Our collective information gained, allows our incident response teams to keep client organizations safer while making breach attempts more costly for these threat actors.

To learn more about DigiTrust’s managed security and consulting services you can contact us using the form to the right or call (310) 696-4500.

Posted in The DigiTrust Group BLOG | No Comments »

QRAT is Living in The World of JAVA

Thursday, January 5th, 2017

A New RAT Emerges

In May of 2016, DigiTrust was alerted to some malicious activity in one of our client organizations. The investigation revealed that a host on the client's network might have been exposed to an unknown threat while visiting a malicious web domain. Incident response experts were able to locate a Remote Access Trojan (RAT) hidden within the client's system.

Peeling back the layers revealed this to be a newer type of RAT built in Java called Quaverse RAT or QRAT for short. Researching QRAT has provided an in-depth understanding as to its functionality and its rapid adoption into threat actor communities.

What is QRAT

QRAT is a Java-based variation of what is known as a RAT or Remote Access Trojan (or tool). A RAT is used by threat actors to gain remote access to a system, usually to harvest valuable information. IT teams have similar remote access tools they can use to connect to a computer remotely when attempting to fix a system issue. In the case of QRAT, whatever the victim can access, a threat actor can also access from anywhere in the world, except the victim won’t even know they are there. With QRAT installed, the threat actor has created a backdoor providing them access to the victim's valuable information. With this backdoor, the threat actor can explore files, capture logins, run programs, activate webcams, and much more.

The Growth of Java RATs

QRAT was introduced in May of 2015 and marketed as an “undetectable Java Rat” by Quaverse. The use of Java is not unique to QRAT; RATs such as Adwind, XPLAT, or RATTY also use Java. RATs such as these are popular due to their ability to function across platforms. The cross-platform nature of Java allows a Java-based RAT to work on Windows, Mac, Linux, and Android. Any system with a Java runtime installed can run a Java-based RAT.

How is This RAT Different? (QRAT vs Standard RAT)

What makes QRAT different than a standard RAT? Functionality, usability, and construction. Threat actors could initially purchase access to QRAT online as a SaaS solution (Software as a Service), the same way someone might subscribe to Microsoft Office 365 or Salesforce. Threat actors could visit the Quaverse website directly and purchase up to one year of QRAT access at a time. It is mainstream, accessible, flexible, and its simple functionality only fuels its appeal.

Simple To Use

QRAT was designed to be user-friendly, appealing to both sophisticated and non-sophisticated threat actors alike. The user interface looks similar to a Customer Relationship Manager program (CRM) that any organization may use and offers an abundance of controls. From this single pane interface, a threat actor can clearly see all of their "client" systems that are connected. Digital adversaries have a multitude of actions they can take on any connected system with just a few clicks of their mouse.

Greater Risks?

What makes QRAT a more pronounced risk is the obfuscation it uses to avoid detection. While QRAT is written in Java, it is also hidden under layers of encryption when being delivered to a potential target.

This multi-layer encryption makes detection of QRAT much more challenging for systems that are not effectively monitored. With executable code contained within the Java file, it can be sent directly as an email attachment or compressed into a zip file for delivery. In short, using a Java file or compressing the payload into a zip file only increases the chance of QRAT reaching its target.

Process & Build of QRAT

Payload Delivery Option: Phishing

After the ZIP file is opened and the malicious Java file is clicked:

1. The payload runs decryption instructions, allowing the next level to be opened. (Level 1)

2. The next level, containing QRAT, repeats this decryption process to install QRAT. (Level 2)

3. With QRAT installed and a connection to the host made, the actor now has remote access to the system. (Level 3)

[Image: QRAT process, option #1]
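Delivery in the shape described above (a ZIP that wraps a Java file) is something a mail gateway or triage script can recognise before anyone double-clicks. The Python below is an added example written for this article, not code from the original post or from Quaverse. It opens the archive, recurses into nested archives, reads the JAR manifest's Main-Class (the entry point a Java runtime executes when a .jar is opened), and counts compiled class files. The sample archive is constructed inside the block as a stand-in for the delivery wrapper, not a real QRAT build; the encrypted stages themselves are not modelled.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def manifest_main_class(archive):
    """Main-Class declared in the JAR manifest, or None if there is no runnable entry point."""
    if MANIFEST not in archive.namelist():
        return None
    for line in archive.read(MANIFEST).decode("utf-8", "replace").splitlines():
        if line.lower().startswith("main-class:"):
            return line.split(":", 1)[1].strip()
    return None

def describe_java_attachment(name, data, depth=0):
    """Walk a ZIP or JAR attachment, recursing into nested archives, and report the
    Java artefacts it contains. Non-archive input yields an empty report."""
    report = {"name": name, "is_jar": False, "main_class": None, "class_files": 0, "nested": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with archive:
        names = archive.namelist()
        report["is_jar"] = MANIFEST in names or name.lower().endswith(".jar")
        report["class_files"] = sum(n.lower().endswith(".class") for n in names)
        if report["is_jar"]:
            report["main_class"] = manifest_main_class(archive)
        if depth < 3:  # bound the recursion; an archive nested three deep is itself a flag
            for n in names:
                if n.lower().endswith((".jar", ".zip")):
                    report["nested"].append(describe_java_attachment(n, archive.read(n), depth + 1))
    return report

def is_runnable_java(report):
    """True if the attachment, or anything nested in it, is a JAR with an entry point."""
    return report["main_class"] is not None or any(is_runnable_java(r) for r in report["nested"])

def build_sample():
    """Constructed sample, not a real QRAT artefact: a ZIP wrapping a JAR whose manifest
    names a loader class, plus an opaque blob standing in for the encrypted next stage."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\nMain-Class: loader.Stage1\r\n\r\n")
        z.writestr("loader/Stage1.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic
        z.writestr("resources/payload.bin", b"\x00" * 32)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Order_Form.jar", jar.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    report = describe_java_attachment("Order_Form.zip", build_sample())
    print("runnable Java inside:", is_runnable_java(report))
    for inner in report["nested"]:
        print(f"  {inner['name']}: Main-Class={inner['main_class']}, {inner['class_files']} class file(s)")
```

A business user has no reason to receive a runnable JAR as an “order form,” so a gateway can quarantine on this result alone, without having to defeat the encryption layers described above.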


From the QRAT interface, the threat actor can see connected IP addresses, upload and download speeds, OS versions, and much more. Files and information can be accessed just as easily as if they were sitting in front of the victim's computer. Adversaries can gather private documents, capture login credentials, access account information, or move laterally through an organization's connected systems. The depth of intrusion possible with QRAT all depends on the intent of the threat actor.

QRAT is For All Skill Levels

QRAT may be moderately sophisticated in its construction, but it is not difficult to deploy or use. Threat actors of all skill levels can use QRAT, and the damage done is limited only by their intent. The combination of SaaS-style accessibility, intrusion capabilities, and ease of use broadens its appeal to threat actors looking to add QRAT to their arsenal.

Additional Plugins for Additional Access

If a threat actor wants to increase QRAT's intrusion capabilities, they can expand its functionality with additional plugins: software components that add functions to QRAT and allow it to be customized, giving the adversary more flexibility and a greater range of intrusion possibilities. Some plugins available for QRAT include:

  • Browser Password Dumper
    Steals passwords saved in the web browser.
  • File Browser
    Lets the threat actor navigate a connected system's file system.
  • Keylogger
    Records keystrokes so the threat actor can track the user's activity and harvest login credentials, additional passwords, and other typed data.
  • Email Password Dumper
    Captures the user's email password. A threat actor who can log into an email account has access to everything sent and received, contacts, schedules, and much more.
  • Screen Streaming
    Lets the threat actor monitor activity in real time, seeing on their screen exactly what the target sees on theirs.

Prolonged System Access

As security experts, we look at a very critical timeline: the time from “detection to ejection” of a malicious threat. Depending on the intent of the threat actor, they may find value in prolonging their stay within the victim's system. The longer the adversary can remain undetected, the deeper the levels of access they may obtain, including moving laterally to other machines within the network.

DigiTrust uses its defense technologies and incident response experts to make this detection to ejection timeline as limited as possible.

RAT Refinement & Expert Defense

Threat actors continue to refine their tools and methods as quickly as security experts develop techniques to defend against them. This refinement is apparent in the advent of Quaverse RAT. As security experts, we continuously research emerging malicious RATs to provide better protection against them and to better understand the adversaries themselves. Employing a level of adversary emulation allows us to prepare for future threats by further fine-tuning our technology and processes.

DigiTrust Solutions

Understanding the latest intrusion technology and techniques sets The DigiTrust Group apart in the industry. Our evolving threat intelligence fuels the continuous growth of our managed security capabilities across our client community. To provide targeted security and defense, we move beyond identification, extracting the context behind the malicious intrusion whenever possible. Security software tools are powerful, yet results are limited without the application of rich situational context.

People, Processes, and Technology

The right mix of people, processes, and technology is still required to analyze, investigate, and perform incident response on intrusions that leverage tools such as QRAT. Understanding how QRAT entered the system, what it has accessed, and how long it has been there is critical to root-causing the incident effectively. The more we understand about QRAT, the higher the probability that we can prevent intrusions like it in the future.

To learn more about DigiTrust's managed security and consulting services, contact us or call us at (310) 696-4500.

The DigiTrust Group is a managed security services firm that focuses on using advanced people, processes, and technology to proactively provide the highest level of information security at our client organizations. We do this by actively identifying, blocking, and researching attackers hitting our client organizations. In short, we act as a security operations center (SOC) for organizations that either do not have a SOC or require augmented SOC functionality.

Posted in The DigiTrust Group BLOG

NanoCore Is Not Your Average RAT

Sunday, January 1st, 2017

NanoCore RAT

In September 2015, a DigiTrust client visited a web link that was offering an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer downloading the update was a back-office system that processed end-of-day credit card transactions. This system could also connect to the corporate network, which contained company sales reports.

DigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update was a Remote Access Trojan called NanoCore. Had the installation succeeded, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.
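
The fake Flash Player update that opened this incident is the kind of download a web proxy records and a detection rule can catch before the file runs. What follows is an added example written for this post, not DigiTrust's detection content: it parses a handful of constructed web-proxy log lines (the host serving the fake update is invented; the log format, the trusted-vendor host list, and the executable extension and content-type sets are assumptions to adjust for your own proxy) and alerts on Flash-themed executables fetched from hosts that are not Adobe's.

```python
import re
from urllib.parse import urlparse

# Constructed web-proxy log lines (not DigiTrust telemetry). Assumed format:
# timestamp client_ip method url status content_type bytes
# fpdownload.adobe.com is Adobe's real Flash download host; example.net is made up.
SAMPLE_LOG = """\
2015-09-14T17:02:11Z 10.20.4.17 GET http://get.adobe.com/flashplayer/download/ 200 text/html 18342
2015-09-14T17:02:40Z 10.20.4.17 GET http://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe 200 application/x-msdownload 1095320
2015-09-14T17:05:03Z 10.20.4.31 GET http://cdn-flash-updates.example.net/update/flash_player_update.exe 200 application/octet-stream 512000
2015-09-14T17:05:09Z 10.20.4.31 GET http://cdn-flash-updates.example.net/update/flashplayer_19_install.scr 200 application/octet-stream 498176
2015-09-14T17:06:30Z 10.20.4.52 GET http://www.example.com/news/index.html 200 text/html 4120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Assumptions to tune per environment: hosts allowed to serve Flash installers,
# and what counts as an executable download.
TRUSTED_SUFFIXES = (".adobe.com", ".macromedia.com")
EXEC_EXTS = (".exe", ".scr", ".msi", ".com", ".pif", ".bat", ".jar")
EXEC_CTYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/octet-stream", "application/java-archive",
}
FLASH_RE = re.compile(r"flash.*(player|update|install)|(player|update|install).*flash", re.I)


def host_is_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s[1:] or host.endswith(s) for s in TRUSTED_SUFFIXES)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict):
    """Reason string for a suspicious 'update' download, or None."""
    url = urlparse(rec["url"])
    filename = url.path.rsplit("/", 1)[-1].lower()
    is_exec = filename.endswith(EXEC_EXTS) or rec["ctype"].lower() in EXEC_CTYPES
    if rec["status"] != "200" or not is_exec:
        return None                      # nothing was delivered, or it was not code
    if FLASH_RE.search(filename) and not host_is_trusted(url.hostname or ""):
        return "Flash-themed executable served from an untrusted host"
    return None


def find_fake_updates(log_text: str) -> list:
    """Return (client_ip, host, filename, reason) for each suspicious download."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                     # skip malformed lines instead of crashing the job
        reason = classify(rec)
        if reason:
            url = urlparse(rec["url"])
            alerts.append((rec["client"], url.hostname, url.path.rsplit("/", 1)[-1], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_fake_updates(SAMPLE_LOG):
        print(alert)
```

On the sample, the two example.net downloads are reported and the install_flash_player.exe fetched from fpdownload.adobe.com is not. The filename heuristic is a single signal; in practice the same job should also raise executable downloads from any host without an established reputation, and a machine in the role described above, one that processes card transactions, is a reason to alert on executables reaching it regardless of what they are called.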

What Is NanoCore?

The NanoCore RAT has been on the radar of threat actors and security experts since 2013. Several beta versions of NanoCore surfaced on the dark web between 2013 and 2014 before the most recent version was released in March 2015. This current version of NanoCore has expanded beyond the dark web and is readily available online.

Whether the original intent of NanoCore was to be a free tool for intrusions or a paid piece of software to be used legitimately is unknown.

Whatever the case may be, all current versions of NanoCore appear to have all base plugins and functionality available without restriction. Between NanoCore's availability, the low $25 price point, and the free "cracked" versions found online, the use of NanoCore has spread quickly.

The Homepage of the NanoCore Website

Not A Secret

NanoCore is not a secretive piece of malware. This RAT is available directly from NANOCORE[.]io and even provides free support. NanoCore is what is known as a “modular” RAT, meaning that the threat actor can download and activate additional modules for NanoCore. These additional modules (or plugins) can expand the functionality and performance capabilities of NanoCore.

Features & Plugins

Many RATs are being used and leaked in intrusion forums across the internet; it is important to understand what sets NanoCore apart. There are various levels of threat actor, and not all of them possess the technical skills to write their own malicious software to perform intrusions. Tools like NanoCore are highly desirable to these types of threat actors, and its modular functionality only amplifies the appeal.

NanoCore's Plugin Dashboard

While NanoCore has created base plugins to expand its functionality, the NanoCore “community” has been creating additional plugins for more specific malicious actions. A search for NanoCore plugins online returns pages of results, with plugins going far beyond the base set provided on NanoCore's website. Plugins ranging from screen lockers to crypto miners are available for download online.

NanoCore’s Base Plugins

NanoCore’s plugins appear to be included in the base $25 purchase. Once a threat actor has downloaded NanoCore, plugins can be acquired from a link on NanoCore’s website. The free “cracked” versions of NanoCore include all of the base plugins shown here as well. The base plugins available include everything necessary to perform a successful and potentially very damaging intrusion.

NanoCore's base plugin categories are:

  • Core
  • Security
  • Tools
  • Management
  • Network
  • Surveillance

The Core Plugin adds various functions, settings, and information about the connected systems such as IP addresses, connection speeds, etc.

Flexible, Damaging, and Popular

With all of this functionality available even at the base level, NanoCore has become very popular, very quickly. Combining this with the abilities mentioned earlier allows more sophisticated threat actors to build additional plugins that expand NanoCore's functionality even further. The expansion of NanoCore's capabilities only increases the damage that could be done.

NanoCore's Interface

NanoCore has a simple yet robust user interface that was built as an all-in-one control center. The top portion of the interface window acts as a live feed with various widgets showing network usage, active “clients”, and polling data (reviews) for new plugins.

Along the left side of the screen are NanoCore’s main categories outlining various functionality areas of NanoCore. Additionally, within each main category are up to eight subcategories to aggregate the data and settings.

The main tabs are:

  • Clients tab
  • Builder tab
  • Systems tab

If an adversary wanted to steal personal files from a computer and then upload additional software to the system, the Client's tab is where they could do this. From this tab a threat actor can view connected systems, IP addresses, system files, activate webcams, etc.

Another Look at NanoCore

The functionality the threat actor has may depend on the version of NanoCore that is being used. This alternate version (fig 2) of NanoCore from 2014 shows a variation in the dashboard layout and additional “tools."

How Original is NanoCore?

NanoCore claims that its build is completely new, meaning none of the code has been borrowed from any previous RAT. Claims aside, an article from Bot24[.]com found that not all of NanoCore is original.

Noted in the article, the password retrieval feature of NanoCore uses a tool from NirSoft, a site offering free password recovery tools. Whether NanoCore is 100% new or not, it does not reduce the access that could be obtained if installed on a system.

Figure 2 (NanoCore 2014)

DigiTrust and NanoCore

The identification, investigation, analysis, containment, and ultimate remediation of RATs like NanoCore takes the skills of dedicated security experts. Anti-virus scanners and software tools alone cannot root-cause a malicious threat or apply contextual threat intelligence to an intrusion. Most standard modern security software would have allowed the NanoCore-laced download to be installed and run without much of an issue.

Remediating NanoCore

DigiTrust incident response experts are continuously identifying malicious RATs that need in-depth context applied before they can be effectively remediated. Root-causing allows our experts to uncover more contextual information about RATs like NanoCore. How did NanoCore enter (or attempt to enter) the system? What has NanoCore accessed? Where has NanoCore moved within the system? Knowing where a malicious threat is hiding is valuable, but understanding how it functions is far more powerful.

In short, it is not only about remediating NanoCore from an organization. We also need to extract as much threat intelligence as possible to leave that organization better prepared for the future. There are always ways to be better protected and proactive steps that can be taken to minimize the likelihood and impact of intrusions using NanoCore.

Posted in The DigiTrust Group BLOG