We all know how difficult it is to keep your users from downloading malicious files or visiting suspect websites, even when you tell them explicitly what to look out for (malformed URLs, executables, files with multiple extensions, etc.). What if the actual malware payload is hidden in Microsoft Office documents that your users send and receive thousands of times daily? One such piece of malware, dubbed "Kraken", has proven to be highly effective as well as lucrative.
We are seeing a lot of attackers use malware to compromise servers and then repurpose them for their evil ways: adding the servers to their botnet, using them as command & control (C&C) points or, as we see with Kraken, mining Bitcoins with them. The problem is that Bitcoin mining takes up a lot of computing power and can rob your environment of resources needed for actual business operations. In the case of cloud-based servers falling victim to this attack, where resources are elastically allocated when needed (read: a computer that grows in power as you use more), this has a direct financial impact. In fact, we have seen cloud services bills increase tenfold during these attacks. Imagine your AWS bill going from $2,000 a month to $20,000!
The impact on you can be:
- Abuse of your computing resources impacts performance and could possibly bring down an entire system
- If your cloud-based servers are used in this attack, the financial impact could be devastating to your business
- If resources under your control are used in these types of attacks, your company could be inadvertently associated with criminal behaviour
The AlienVault Labs team released an IDS signature and a correlation rule to detect when a system infected by the Kraken RAT communicates with its C&C server. The AlienVault Labs security research team continuously researches evolving threats and regularly delivers new correlation rules to our AlienVault Unified Security Management (USM) platform to keep our customers at the forefront of threat detection.
About AlienVault Labs
AlienVault Labs conducts security research on global threats and vulnerabilities. The team of security experts, led by renowned Labs director, Jaime Blasco, constantly monitors, analyzes, reverse engineers, and reports on sophisticated zero-day threats including malware, botnets, phishing campaigns and more.
Using an ever-expanding array of manual and automated techniques, AlienVault Labs researchers ensure that AlienVault’s Unified Security Management™ platform is always up-to-date with the latest threat intelligence. In addition, the Labs also runs AlienVault’s Open Threat Exchange™ (OTX), an open information sharing and analysis network that provides real-time, actionable threat information submitted by over 8,000 contributors from over 140 countries.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.