Monday, March 26, 2012

New Red Sky Fusion Report: FR12-003.pdf : AS4808 Malicious Infrastructure and Malware

FR12-003.pdf: "AS4808 Malicious Infrastructure and Malware" has just been posted to the Red Sky Alliance portal. This is our third fusion report. It grew out of a seemingly innocuous incident report from one member. Further investigation by other members showed that the incident was more widespread than first thought: the campaign used individualized emails, each sent from a different source address. One member reported approximately 700 such emails in an environment of approximately 300,000 users.

"On 18 March 2012, a Red Sky member posted malware from a recent spear phishing incident to the Cyber Intelligence and Analysis Center portal. The malware called back to a malicious domain. Analysis of the domain revealed related infrastructure and open source malware samples. A total of three malware samples were analyzed: one provided by the partner, and two obtained from an open source malware dump. All three samples were linked to Autonomous System 4808, which is described in the report. Correlations between the various samples will be provided in the Malware Data section of this report. While no specific attribution was identified (we don't necessarily look for attribution; Red Sky focuses on IA), several of the IP addresses and domains used were tagged as APT address space by one of our sources."
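The pivot the report describes, from a sample's callback domain to the addresses it resolves to and on to the autonomous system announcing them, is easy to script once the observations are in hand. The following is an added example written for this post, not code from the report or from Red Sky Alliance. Everything in it is constructed illustration data: the prefix table uses RFC 5737 documentation addresses and RFC 5398 documentation ASNs, and the sample labels, domains and resolutions are hypothetical, not indicators from FR12-003. It clusters samples that share a domain or IP, then shows how much looser the clusters become when the AS itself is used as a pivot, and prints the chain of indicators that links two samples so the evidence can be checked by hand.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed illustration data; nothing here comes from FR12-003. Addresses are
# RFC 5737 documentation ranges, ASNs are RFC 5398 documentation ASNs.
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64496,
    "203.0.113.128/25": 64497,   # more-specific announcement inside the /24
    "198.51.100.0/24": 64498,
}

# Constructed passive-DNS style observations: callback domain -> IPs seen.
RESOLUTIONS = {
    "update.example.net": ["203.0.113.10", "203.0.113.130"],
    "cdn.example.org": ["203.0.113.130"],
    "news.example.com": ["203.0.113.50"],
    "static.example.com": ["198.51.100.7"],
}

# Constructed samples: label -> callback domains extracted from the sample.
SAMPLES = {
    "sample_a": ["update.example.net"],   # e.g. the member-submitted sample
    "sample_b": ["cdn.example.org"],      # e.g. from an open-source dump
    "sample_c": ["news.example.com"],
    "sample_d": ["static.example.com"],
}


def asn_for_ip(ip, table=PREFIX_TO_ASN):
    """Map an IP to an ASN by longest-prefix match; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return None if best is None else best[1]


def build_graph(samples=SAMPLES, resolutions=RESOLUTIONS, table=PREFIX_TO_ASN,
                pivot_on_asn=False):
    """Undirected indicator graph with (kind, value) nodes:
    sample -- domain -- ip [-- asn]
    The asn edge is optional because an AS is a far weaker pivot than a shared
    domain or IP: on a large hoster it ties unrelated samples together."""
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for sample, domains in samples.items():
        for domain in domains:
            link(("sample", sample), ("domain", domain))
            for ip in resolutions.get(domain, []):
                link(("domain", domain), ("ip", ip))
                asn = asn_for_ip(ip, table)
                if pivot_on_asn and asn is not None:
                    link(("ip", ip), ("asn", asn))
    return adj


def sample_clusters(adj):
    """Connected components of the graph, reported as sorted sample labels."""
    seen, out = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = [], [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.append(node)
            stack.extend(adj[node])
        out.append(sorted(v for k, v in comp if k == "sample"))
    return sorted(c for c in out if c)


def pivot_path(adj, sample_from, sample_to):
    """Shortest chain of indicators linking two samples (BFS), or None."""
    src, dst = ("sample", sample_from), ("sample", sample_to)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    strict = build_graph()
    loose = build_graph(pivot_on_asn=True)
    print("shared domain/IP only:", sample_clusters(strict))
    print("also pivoting on ASN: ", sample_clusters(loose))
    print("evidence a -> c:", pivot_path(loose, "sample_a", "sample_c"))
```

Two details matter in practice. The longest-prefix match is what puts 203.0.113.130 in the more specific /25 rather than the covering /24, so a sample is attributed to the AS actually announcing its address. And the ASN edge is off by default: with it on, sample_c joins the sample_a/sample_b cluster purely because its callback resolves into the same AS, which is exactly the kind of link that needs the corroboration the report mentions (here, the third-party tagging of the address space) before it is treated as evidence.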

At least two different sectors reported similar cases, but with individualized targeting characteristics.

If you're not receiving these reports, please contact us ( or sign up for our mailing list at

Collaboration is working!