Saturday, September 06, 2014

Red Sky Weekly: Malware analysis leads to widely used infrastructure, 500+ domains

Normally I lead off with a bit of a story or a lesson, or a gripe. Not this week. This week I'm leading off with a piece of work that we published yesterday: a deep-dive analysis of new malware being leveraged in targeted cyber crime operations.
Working from an open source lead, Wapack Labs identified and analyzed a new piece of malware. We've dubbed the malware family Backdoor.KLGConfig. Two variants were identified. One variant was observed specifically targeting credentials for a popular banking application believed to be used by many financial institutions. Further analysis exposed a wide criminal infrastructure consisting of over 500 domains.
Fusion Report 14-023 (FR14-023) was published. It's ten pages of analysis and over 20 pages of indicators. The indicators are available through the Threat Recon API* with a "reference" search for "FR14-023".
(*The Threat Recon web front end is in the works. If you need scripts for the API, you can find them here. If you prefer, we've got a down-and-dirty desktop application that will also front-end Threat Recon. It ain't pretty, but for those who prefer point and click, Pizza Cat is on GitHub as well. It works well, parses darn near everything for indicators, and then runs the queries through our API. Simple stuff. You can find Pizza Cat here.)
BT BT
Now I'll free-form it a bit. First, I attended the AT&T Security Conference this week. It's a smaller conference by comparison, but in my opinion there's something about the AT&T message, and that's one of the reasons I've attended for the last few years. Yes, there's a bit of pitch involved, but how many places can you go to hear a full day of talks from a major carrier... folks analyzing 60 PB of data per day? It's a VERY different perspective. Endpoints = mobiles, and cloud is the way of the future. That's something that interests me immensely: use cases, virtualization, speed, cost, benefit, and of course my favorites, security, complexity, and new disruptive ways of doing a whole lot of things. With the introduction of the internet of things, endpoints are going from millions to billions, and the only place to hold all that data is, you guessed it, in the cloud! So imagine the opportunity (for good or bad) and what that'll mean for IT and security pros. As a starter, it means you'd better keep up. For me? This is cool stuff! I'm planning on playing in it in the future, and I want to learn as much as I can.
Next, the portal continues to be busy, and more so, we've begun pushing Beadwindow documents into Threat Connect. That's right. If you'd like to buy Beadwindow reporting and access it through Threat Connect, give us a call. For now we'll sign you up the old-fashioned way, over the phone with a credit card, but hopefully that'll change soon.
Red Sky is doing well, but we heard loud and clear that members wanted automated means of accessing intel. If you'd like to access feeds of information, we're all for it. So for that, we now push lab-sourced reporting in subscription feeds, or through Threat Recon. If you're one of those users that needs (must have) a web interface, hang in there. It's coming soon, and your API key will still work with it. If not, note that just yesterday we wrapped up prototyping our initial Splunk connector. Our friend Seth Bromberger authored a Python module, and others have contributed connectors to CRITs and a Maltego transform. The Python queries have been converted to Ruby for those who prefer Ruby, and the community, the number of Threat Recon users, and those who wish to integrate with or OEM it grow by the day. In fact, by next blog, I fully expect to announce the integration and availability of a Wapack Labs feed through at least two new OEM partners!
Threat Recon can be found at threatrecon.co.
Until next week, check out Threat Recon. Give us a call if you'd like to talk OEM, and at Red Sky, when you want full content, this is where you go to get it. And quoting Tom Bodett: Come on in. We'll leave the light on for you!
Have a great weekend! Jeff