Wave
Previous thread: Why UAC should be taken seriously
Hello everyone at MalwareTips!
Today I would like to discuss user intervention and social engineering, both heavily involved in a user becoming infected. It’s very common, it’s a massive threat, and the worst thing about it is that security software cannot protect us from the thoughts in our own mind. Social engineering is very powerful: it works by altering your thoughts to persuade you to do something yourself (user intervention).
What is social engineering?
Social engineering is a technique used to manipulate someone, using various methods to alter their behaviour and thoughts so that they perform a certain action. Think of it as a method of injecting thoughts and instructions into the target’s brain, thus making them do what you want. Social engineering techniques are often used by hackers with the intent of performing an illegal operation, such as infecting the target’s system, which may belong to a personal home user or an enterprise. The purpose depends on the infection; for example, the attacker may be committing identity theft or fraud (although it could be anything malicious).
As an example to explain what the term “social engineering” means, let’s pretend I am a bank manager called “Burt” at a company called “FastGo Banking”, and I have access to a PC which is linked to the enterprise server, under an account running with administrative privileges. I am doing my work as a bank manager; however, I am interrupted by a new incoming email from someone under the name “Tim” (where Tim is the attacker). The e-mail looks legitimate and uses social engineering techniques to make me fall for the trap and accidentally leave the enterprise infected without being aware of it. For this example, let’s pretend the contents of the e-mail were the following:
------------------------------------------------------------------------------------------------------------------------------
Dear FastGo Banking,
My name is Tim, I work at a company called [name of a famous security company] and have more than 21 years of experience with security programming, malware analysis and networking. I work with my team, and we go out to companies on the market and attempt to provide tips on how they can secure their network against malware propagation and how they can identify targeted attacks from hackers towards their company.
My team consists of 317 employees; each employee actively works for more than 27 hours a week. After their shift, they switch round with another employee. The reason they only work for 27 hours a week (and take different shift timings) is to ensure that they get the rest they need, as well as providing them with regular breaks throughout the day to protect their health and prevent health-related damage, such as eye strain due to prolonged time in front of the computer screen.
We would like to help you at your company, which would be done by providing tips to help you secure your network against attackers, no matter how experienced they are. Nothing is foolproof until you speak to us; we can guarantee the safety of your systems against malware propagation completely.
Below I have attached a document which outlines the details of our expertise. I recommend you take a look at it; you may be interested in it.
Best Regards,
Tim.
[ATTACHED DOCUMENT]
------------------------------------------------------------------------------------------------------------------------------
While my example is not the best, and others will be able to create far better examples, hopefully it was good enough to explain this. The intent of this email is to trick the reader into handing over trust to the sender of the email, resulting in the download of the attachment and then its execution.
In this case, let’s say the attached document is actually malicious and has been specifically designed for Microsoft Word. When you open the attachment, it will exploit a vulnerability in Microsoft Word 2013 and 2016 and execute the attacker’s code on the system, which can be used to download malware in the background (such as a zero-day rootkit, ransomware, worms, or other malicious software). However, the bank manager, Burt, would not be aware of this occurring in the background. The document would run under his administrator-privileged account with access to the enterprise server, and he would see the document in front of him. He would read the document, maybe leave it open in the background. Then he would close the document and the Microsoft Word process would terminate (the function ExitProcess would be called to terminate the process). But by the time the document is closed, it is most likely too late.
Why would it most likely be too late?
Malware typically incorporates (especially high-end malware where the malware was targeted for a specific enterprise) many propagation techniques, specifically designed to make sure it can continue execution even if the average user terminates one process or closes the office document (in the case of it being an exploit).
To make an example out of the above, let’s say for argument’s sake that the code the attacker wrote and executed after exploiting the vulnerability he had found in Microsoft Word was used to inject code into a running process, for example csrss.exe (Client Server Runtime Subsystem). Then, even if you found suspicious processes running and terminated them, or closed the document after the exploit had been used, you would be unaware of the attacker’s code executing on a thread in the process it targeted for injection. The reason I specifically used code injection for this example is that it doesn’t require a DLL to inject, as DLL injection does. I also believe DLL injection is detected easily compared to code injection. For example, detecting it can be as simple as viewing the loaded modules in the process (assuming the module wasn’t unlinked due to manual mapping).
The injected code could do anything from using APIs to download malware onto the system (and the loader for loading the malware correctly) to successfully continuing the process of compromising the system.
The point of this thread is to make sure you all learn an important lesson for the future: ignore the dodgy emails, don’t click the suspicious link, don’t run the untrusted program… Don’t be the one who gets socially engineered by an attacker!
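The "look at the loaded modules" check mentioned above, as an added example that is not part of the original post: it walks a constructed module listing for a system process (the shape you would get from ListDLLs or Get-Process -Module, reduced to name and path) and flags any module loaded from outside the Windows system directories. The trusted and risky directory lists, the process name and the sample entries are assumptions made for the example.

```python
"""Triage a process's loaded-module list for DLLs loaded from odd locations.

Constructed example: the module listing below is made up for illustration.
Note the limit the post itself points out: a manually mapped payload is not
in the loader's module list, so an empty result here is not a clean bill.
"""
from dataclasses import dataclass


@dataclass
class Module:
    name: str   # image name as shown by the tool
    path: str   # full on-disk path the loader recorded


# Where a Windows system process such as csrss.exe normally loads from.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
# Writable locations where dropped payloads usually end up before injection.
RISKY_DIRS = (r"C:\Users", r"C:\Windows\Temp", r"C:\ProgramData")


def _under(path: str, base: str) -> bool:
    """Case-insensitive 'path is inside base' test that requires a real path
    separator after the base, so C:\\Windows\\System32Evil is NOT System32."""
    p, b = path.lower().rstrip("\\"), base.lower().rstrip("\\")
    return p == b or p.startswith(b + "\\")


def classify_module(mod: Module) -> str:
    """Return 'trusted', 'risky' or 'unknown' for one loaded module."""
    if any(_under(mod.path, d) for d in TRUSTED_DIRS):
        return "trusted"
    if any(_under(mod.path, d) for d in RISKY_DIRS):
        return "risky"
    return "unknown"


def suspicious_modules(modules: list[Module]) -> list[Module]:
    """Everything that is not loaded from a trusted system directory."""
    return [m for m in modules if classify_module(m) != "trusted"]


# Constructed listing for csrss.exe; the last entry models an injected DLL.
SAMPLE_CSRSS_MODULES = [
    Module("csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Module("ntdll.dll", r"C:\Windows\System32\ntdll.dll"),
    Module("CSRSRV.dll", r"C:\Windows\System32\CSRSRV.dll"),
    Module("basesrv.DLL", r"C:\Windows\System32\basesrv.DLL"),
    Module("update.dll", r"C:\Users\burt\AppData\Local\Temp\update.dll"),
]

if __name__ == "__main__":
    for m in suspicious_modules(SAMPLE_CSRSS_MODULES):
        print(f"{classify_module(m):8} {m.name:14} {m.path}")
```

Anything reported as risky or unknown is a lead to confirm against the file's signature and hash, not a verdict on its own.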
I apologise for this being a short thread, but hopefully someone found it useful.
Stay safe and never let your guard down,
Wave.