Darktrace email finds: Rare file type used to evade gateway tools
26
Aug 2020
26
Aug 2020
Cyber-criminals are increasingly looking to deploy malware via unusual file types as they know these aren’t checked by traditional email security tools. Darktrace’s AI recently detected and stopped a malicious ISO file that slipped through the rest of the security stack.
Darktrace has recently seen a string of email attacks that use some degree of social engineering to convince the recipient to open a misleading link and divulge their credentials. In this blog, we look at an email attack targeting a Spanish customer that involved hiding malicious content in an unusual file type that is not regularly checked by common email security tools.
An ISO file, often referred to as an ISO image, is an archive file that contains an identical copy of data found on an optical disc, like a CD or DVD. They are primarily used for backing up optical discs or distributing large file sets that are intended to be burned onto an optical disc. Since they are relatively unusual – and are typically extremely large files – most standard email controls don’t analyze them in any depth, if at all.
Darktrace detected one cyber-criminal using ISO files to inflict damage on a food distributor in Spain. The organization, which had adopted Antigena Email just two weeks earlier, received around 84 emails from the same sender, each containing a malicious ISO attachment. The emails were received from info@valeplaz[.]com, a clever and well-executed spoof of the email address info@valenplas[.]com, which is the contact email of a legitimate Spanish manufacturer – possibly even a supplier of the victim organization.
Figure 1: A snapshot of Antigena Email’s user interface
Darktrace noticed that the sender had never been seen in any prior correspondences across the business. Additionally, the personal field does not correspond with the header in the email itself – which is what would be visible to the recipient. In the connection IP address and checks, Darktrace’s AI revealed that the true sender does not correspond with the domain valeplaz[.]com.
The subject line suggests that the email is about an order the client made. Analyzing the attachments, Darktrace surfaced a file titled URGENTE_PO_120620.iso. The name of the file suggests the sender is attempting to use the social engineering tactic of urgency in order to alarm the recipients, leading them to jump into action and click a link or open attachments without carefully considering the details of the email.
Darktrace’s AI also recognized that the file extension .iso is highly anomalous for the group, user, and the organization as a whole. Even more suspiciously, the size of the attachment is incredibly small (just 485.4 kB), which makes it highly unlikely that it was, in fact, a genuine invoice in the form of a PDF or Word attachment. These findings, in conjunction with the New Contact and Wide Distribution tags of the email, caused Antigena Email to strip the email of the attachment and hold it back from each recipient’s inbox. In addition, Darktrace’s AI revealed that the email contained an anomalous link which it deemed highly suspicious, and locked the link in all emails while the security team investigated the incident.
Figure 2: The suspicious link in question
Stopping the attack without a Patient Zero
When the security team later checked the file hash on the attachment, they discovered that some anti-virus vendors, including Microsoft, had already labelled it as malware. The crucial challenge is to stop the malicious email in the first instance – before it lands in the first inbox. With a continuously updated understanding of ‘self’, Darktrace’s AI is able to do just that – stopping attacks without requiring a ‘Patient Zero’ be infected.
Moreover, many legacy solutions hadn’t yet recognized this file hash as malicious, suggesting that this was a relatively new attack. This exposes an increasingly obvious limitation of such tools – attackers are refreshing their attack infrastructure so often that no matter how frequently legacy tools or blacklists are updated, they are outdated almost immediately.
Antigena Email caught this attack without relying on any signatures and blacklists, but instead by learning whether or not the email, file, and behavior was normal for the unique business. With Cyber AI protecting their inbox, this organization was able to thwart this attack in the first instance – before any emails landed in an inbox or any employees clicked on the link.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NEWSLETTER
Like this and want more?
Stay up to date on the latest industry news and insights.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Mariana Pereira
VP, Cyber Innovation
Mariana is the VP of Cyber Innovation at Darktrace, and works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.
Detecting Attacks Across Email, SaaS, and Network Environments with Darktrace’s AI Platform Approach
30
Apr 2024
The State of AI in Cybersecurity
In a recent survey outlined in Darktrace’s State of AI Cyber Security whitepaper, 95% of cyber security professionals agree that AI-powered security solutions will improve their organization’s detection of cyber-threats [1]. Crucially, a combination of multiple AI methods is the most effective to improve cybersecurity; improving threat detection, accelerating threat investigation and response, and providing visibility across an organization’s digital environment.
In March 2024, Darktrace’s AI-led security platform was able to detect suspicious activity affecting a customer’s email, Software-as-a-Service (SaaS), and network environments, whilst its applied supervised learning capability, Cyber AI Analyst, autonomously correlated and connected all of these events together in one single incident, explained concisely using natural language processing.
Attack Overview
Following an initial email attack vector, an attacker logged into a compromised SaaS user account from the Netherlands, changed inbox rules, and leveraged the account to send thousands of phishing emails to internal and external users. Internal users fell victim to the emails by clicking on contained suspicious links that redirected them to newly registered suspicious domains hosted on same IP address as the hijacked SaaS account login. This activity triggered multiple alerts in Darktrace DETECT™ on both the network and SaaS side, all of which were correlated into one Cyber AI Analyst incident.
In this instance, Darktrace RESPOND™ was not active on any of the customer’s environments, meaning the compromise was able to escalate until their security team acted on the alerts raised by DETECT. Had RESPOND been enabled at the time of the attack, it would have been able to apply swift actions to contain the attack by blocking connections to suspicious endpoints on the network side and disabling users deviating from their normal behavior on the customer’s SaaS environment.
Nevertheless, thanks to DETECT and Cyber AI Analyst, Darktrace was able to provide comprehensive visibility across the customer’s three digital estate environments, decreasing both investigation and response time which enabled them to quickly enact remediation during the attack. This highlights the crucial role that Darktrace’s combined AI approach can play in anomaly detection cyber defense
Attack Details & Darktrace Coverage
1. Email: the initial attack vector
The initial attack vector was likely email, as on March 18, 2024, Darktrace observed a user device making several connections to the email provider “zixmail[.]net”, shortly before it connected to the first suspicious domain. Darktrace/Email identified multiple unusual inbound emails from an unknown sender that contained a suspicious link. Darktrace recognized these emails as potentially malicious and locked the link, ensuring that recipients could not directly click it.
Figure 1: Suspected initial compromise email from an unknown sender, containing a suspicious link, which was locked by Darktrace/Email.
2. Escalation to Network
Later that day, despite Darktrace/Email having locked the link in the suspicious email, the user proceeded to click on it and was directed to a suspicious external location, namely “rz8js7sjbef[.]latovafineart[.]life”, which triggered the Darktrace/Network DETECT model “Suspicious Domain”. Darktrace was able to identify that this domain had only been registered 4 days before this activity and was hosted on an IP address based in the Netherlands, 193.222.96[.]9.
3. SaaS Account Hijack
Just one minute later, Darktrace/Apps observed the user’s Microsoft 365 account logging into the network from the same IP address. Darktrace understood that this represented unusual SaaS activity for this user, who had only previously logged into the customer’s SaaS environment from the US, triggering the “Unusual External Source for SaaS Credential Use” model.
4. SaaS Account Updates
A day later, Darktrace identified an unusual administrative change on the user’s Microsoft 365 account. After logging into the account, the threat actor was observed setting up a new multi-factor authentication (MFA) method on Microsoft Authenticator, namely requiring a 6-digit code to authenticate. Darktrace understood that this authentication method was different to the methods previously used on this account; this, coupled with the unusual login location, triggered the “Unusual Login and Account Update” DETECT model.
5. Obfuscation Email Rule
On March 20, Darktrace detected the threat actor creating a new email rule, named “…”, on the affected account. Attackers are typically known to use ambiguous or obscure names when creating new email rules in order to evade the detection of security teams and endpoints users.
This rule was seemingly created with the intention of obfuscating the sending of malicious emails, as the rule would move sent emails to the "RSS Feeds” folder, a commonly used tactic by attackers as the folder is often left unchecked by endpoint users. Interestingly, Darktrace identified that, despite the initial unusual login coming from the Netherlands, the email rule was created from a different destination IP, indicating that the attacker was using a Virtual Private Network (VPN) after gaining a foothold in the network.
Figure 2: Hijacked SaaS account making an anomalous login from the unusual Netherlands-based IP, before creating a new email rule.
6. Outbound Phishing Emails Sent
Later that day, the attacker was observed using the compromised customer account to send out numerous phishing emails to both internal and external recipients. Darktrace/Email detected a significant spike in inbound emails on the compromised account, with the account receiving bounce back emails or replies in response to the phishing emails. Darktrace further identified that the phishing emails contained a malicious DocSend link hidden behind the text “Click Here”, falsely claiming to be a link to the presentation platform Prezi.
Figure 3: Darktrace/Email detected that the DocSend link displayed via text “Click Here”, was embedded in a Prezi link.
7. Suspicious Domains and Redirects
After the phishing emails were sent, multiple other internal users accessed the DocSend link, which directed them to another suspicious domain, “thecalebgroup[.]top”, which had been registered on the same day and was hosted on the aforementioned Netherlands-based IP, 193.222.96[.]91. At the time of the attack, this domain had not been reported by any open-source intelligence (OSINT), but it has since been flagged as malicious by multiple vendors [2].
Figure 4: External Sites Summary showing the suspicious domain that had never previously been seen on the network. A total of 11 “Suspicious Domain” models were triggered in response to this activity.
8. Cyber AI Analyst’s Investigation
As this attack was unfolding, Darktrace’s Cyber AI Analyst was able to autonomously investigate the events, correlating them into one wider incident and continually adding a total of 14 new events to the incident as more users fell victim to the phishing links.
Cyber AI Analyst successfully weaved together the initial suspicious domain accessed in the initial email attack vector (Figure 5), the hijack of the SaaS account from the Netherlands IP (Figure 6), and the connection to the suspicious redirect link (Figure 7). Cyber AI Analyst was also able to uncover other related activity that took place at the time, including a potential attempt to exfiltrate data out of the customer’s network.
By autonomously analyzing the thousands of connections taking place on a network at any given time, Darktrace’s Cyber AI Analyst is able to detect seemingly separate anomalous events and link them together in one incident. This not only provides organizations with full visibility over potential compromises on their networks, but also saves their security teams precious time ensuring they can quickly scope out the ongoing incident and begin remediation.
Figure 5: Cyber AI Analyst correlated the attack’s sequence, starting with the initial suspicious domain accessed in the initial email attack vector.
Figure 6: As the attack progressed, Cyber AI Analyst correlated and appended additional events to the same incident, including the SaaS account hijack from the Netherlands-based IP.
Figure 7: Cyber AI Analyst correlated and appended additional events to the same incident, including additional users connecting to the suspicious redirect link following the outbound phishing emails being sent.
Conclusion
In this scenario, Darktrace demonstrated its ability to detect and correlate suspicious activities across three critical areas of a customer’s digital environment: email, SaaS, and network.
It is essential that cyber defenders not only adopt AI but use a combination of AI technology capable of learning and understanding the context of an organization’s entire digital infrastructure. Darktrace’s anomaly-based approach to threat detection allows it to identify subtle deviations from the expected behavior in network devices and SaaS users, indicating potential compromise. Meanwhile, Cyber AI Analyst dynamically correlates related events during an ongoing attack, providing organizations and their security teams with the information needed to respond and remediate effectively.
Credit to Zoe Tilsiter, Analyst Consulting Lead (EMEA), Brianna Leddy, Director of Analysis
What are new entry points cyber attackers are using?
While traditional phishing attacks are very common for attackers, they are not the only method threat actors are using to initiate malware delivery and other malicious campaigns of cyber disruption.
For its End of Year Threat Report, Darktrace analyzed attacks targeting customer environments. While email remains the most common means of attempted initial compromise, the second half of 2023 saw a significant rise in alternative initial access methods.
Much of this is taking advantage of cloud-base applications and collaboration tools including Dropbox, Microsoft Teams, and SharePoint which have become fundamental to how organizations operate in the era of hybrid work.
DarkGate exploits Microsoft Teams
Darktrace analysts have seen threat actors attempting to infect target networks with malware by leveraging Microsoft Teams and SharePoint.
In one example, Darktrace detected an attacker delivering DarkGate a trojan used to download other malware, by sending messages and attachments in Microsoft Teams and SharePoint.
The External Access functionality in Microsoft Teams allows users to contact people who aren’t in their organization. It’s designed as a tool to aid collaboration, but threat actors have realized they can abuse it for their own gain.
Users are told to lookout for suspicious email phishing messages, but often this thinking isn’t applied to Microsoft Teams and other collaboration platforms.
Messages from outside the organization are marked with a note that they are coming from an external source, but a well-designed phishing message with an urgent call to action can persuade the target to ignore this, driving them towards an external SharePoint URL, which tricks the user into downloading and installing malware.
Because this happens outside of the inbox, the activity can be missed by traditional email security solutions. Fortunately, in this case, it was detected by Darktrace DETECT and the activity was contained by Darktrace RESPOND before it could drop any additional malware.
Dropbox has established itself as a leading cloud storage service by allowing users to share and access files, no matter where they are in the world or what device they’re using. But while this is legitimate and useful for organizations, it has also opened a new avenue for threat actors to exploit.
Dropbox as an attack vector
Darktrace recently detected attackers attempting to leverage Dropbox as an initial access method. Emails from ‘no-reply@dropbox[.]com’ – a legitimate email address – were sent to employees at a Darktrace customer.
The emails contained a link to push users towards to a PDF file hosted on Dropbox, which in turn contained a phishing link which if followed, took users to a convincing looking spoof of a Microsoft 365 login page designed to steal usernames and passwords.
A user fell victim to this campaign, unwittingly entering their Microsoft 365 credentials. Shortly after that, Darktrace/Apps started to see suspicious activity relating to the account, with multiple logins from unusual locations which had never been associated with the account previously.
While many traditional security solutions successfully detect and disrupt email-based attacks, many struggle with cloud-based apps and services like Dropbox, Microsoft 365 and others.
There are several reasons for this, including the way in which the use of multiple different cloud services fragments the attack surface, making it hard for network administrators to keep track of everything, alongside the way in which some security solutions don’t take behavior into account in a system which can be accessed from anywhere. That means even from the other side of the world, attackers who have the right cloud credentials could access the network, potentially without being disrupted.
Why are attackers turning to alternative access methods?
Attackers are turning to alternative methods because delivering malicious links and payloads via cloud-based services potentially bypasses traditional cybersecurity protections. That, combined with how attackers can take legitimate login credentials to access system means attackers actions can’t be easily traced.
This rise in alternative initial access methods is likely a result of the continued development and enhancement of traditional email security solutions. But in the cat and mouse game of cybersecurity, threat actors continue to evolve new techniques to get by defenses.
Darktrace’s Self-Learning AI learns the unique digital environment and patterns of each business, meaning it can recognize subtle deviations in activity, even within cloud services, helping to mitigate and neutralize attacks and helping to keep your organization safe from cyber disruption.
