
Browser-Based Threat Alert: BATLOADER

Back in February, Mandiant reported on the discovery of a new piece of malware they called “BATLOADER”. The malware is delivered via malicious web sites that are disguised as download sites for legitimate consumer software. To increase the reach of the web sites, the attackers utilized search advertising to drive users who were looking to download certain types of software. A recent blog post by researchers at VMware Carbon Black indicates that the tool continues to be widely distributed.

The tool can be used to deliver several different payloads and is structured so that the early stages of an attack are difficult to detect by traditional means. Once the loader is executed on a system, it utilizes built-in operating system tools to establish itself without creating an easily detectable signature. In other words, it’s extremely important to stop this malware and the web sites that distribute it before it is executed on a targeted machine, because it is unlikely to be detected during the initial stages of infection.

Unlike some malware that takes advantage of zero-day vulnerabilities to compromise a system without user interaction, BATLOADER requires the user to download and execute the malicious file. The attackers use social engineering and misleading web sites to lead users to believe they are downloading legitimate software.

In one case documented in the Mandiant report, the attackers posted a question in a forum asking where to find a copy of Microsoft Visual Studio 2015. The actor then used a second forum account to post a link to one of their malware delivery pages as the “only” location the download could be found. While the page linked from the forum post was made to look like a typical download site and the file had a legitimate-sounding name, the installer instead loaded the malware onto the user’s system.

This attack abuses user trust at several levels. First, because the malware is presented as legitimate software in paid advertising and in forum conversations, users may view the source as legitimate. Next, once they click on the links that are posted in seemingly legitimate places like Google search results, the files they download have the names of legitimate software, making it more likely users will run them.

Fortunately, ConcealBrowse protects against this attack by making decisions about what to load and how to load it based on facts and data, not on trust. Regardless of where a user might come across the links used by the attackers behind BATLOADER – whether a forum they trust or Google search results – ConcealBrowse scans every URL and opens risky sites in a protected cloud environment, not on a user’s device. This prevents sites from automatically downloading files to the user’s machine and ensures that any files downloaded in the protected environment are scanned and, if necessary, blocked before they ever enter your network.

Because the file never makes it onto the user’s machine, the attack is stopped before it can start. This means that the malware never enters your organization’s network, and your cyber security teams never have to track down and remove the malware, repair damaged systems, or deal with lost data.

Click here to try ConcealBrowse today.


Conceal Threat Alert: Phishing Incident Targeting Dropbox

On November 1st, cloud storage behemoth Dropbox reported that attackers had successfully targeted some of their engineers, capturing credentials for the company’s account on GitHub. This gave the attackers access to the company’s source code for internal prototypes, as well as some of the tools used by Dropbox’s security team.

While users of all levels of sophistication are successfully tricked into providing credentials to phishing sites every day, the Dropbox case is notable for a couple of reasons. First, this attack was highly targeted and relatively sophisticated. The attackers identified a specific piece of software tied to GitHub that the Dropbox development team used and sent an email masquerading as the company that makes that software. Next, although Dropbox had systems in place to identify and quarantine phishing emails, those systems only blocked some of the emails while delivering others straight to users’ inboxes.

Even with protections in place, malicious emails still made it to the engineers’ inboxes and Dropbox’s most technically savvy employees were duped into providing their credentials to the attackers. This incident shows that attackers will go to great lengths to develop targeted campaigns and that conventional tools and security awareness only go so far towards stopping them.

Fortunately, ConcealBrowse offers an extra layer of protection against phishing, distrusting risky web sites by default and providing protection even when email filtering fails. Once a user clicks a phishing link, ConcealBrowse goes into action, scanning the URL and any resources loaded by it to ensure they haven’t been flagged as dangerous. At the same time, ConcealBrowse uses advanced AI to analyze the pages for signs of a phishing attack, and blocks attackers at the browser level before the user has an opportunity to provide credentials.

As attackers grow more sophisticated in their targeting and tactics, companies must build zero trust into their operations. ConcealBrowse works in the browser to stop threats before they reach your network.


WWCD: Staying One Step Ahead of the Attack

Last month, Google announced the existence of CVE-2022-307, a zero-day vulnerability in Chrome and other Chromium-based browsers like Microsoft Edge that was already being actively exploited in the wild. What they didn’t say, however, is how long the vulnerability had been exploited, or how long they had known about it before they patched it. Furthermore, while Google released a patch for the vulnerability at the same time as the announcement, the patch still required a browser update before the vulnerability was remediated.

With browser zero days being discovered all the time – and frequently not until they’ve already been exploited – how can companies protect themselves during the period between the initial exploitation and when they are able to install the latest browser update? 

What Would Conceal Do (#WWCD)?

Fortunately, infrastructure associated with these attacks is often discovered in the wild even before the zero-day can be fixed and is included in the intelligence sources ConcealBrowse relies on to make security decisions on behalf of the user. In these situations, ConcealBrowse can keep users safe even if their browser is still unable to stop a given attack.

Because ConcealBrowse checks every URL a browser is asked to load, it always has the latest information on indicators of compromise. This means that if a particular piece of infrastructure has already been associated with malicious activity, ConcealBrowse stops it from opening directly in the user’s local browser, and instead opens it in remote browser isolation. Even if the attack is successfully executed, the exploit is run on a virtual machine in the cloud that will be destroyed after the user’s session. The code is never executed in the user’s browser, so it can’t compromise the user’s device or your network. 

ConcealBrowse stays one step ahead of attackers and can protect users’ systems while software vendors discover vulnerabilities and develop and deploy patches.


Conceal Expands Alliance with Jacobs as Global Provider for Protecting Critical Infrastructure from Ransomware

ConcealBrowse Prevents Browser-based Malware from Executing on Any Device

AUGUSTA, Ga., October 25, 2022 — Conceal, the leader in Zero Trust isolation technology, today announced that Jacobs (NYSE:J) has expanded its alliance with Conceal and will provide the ransomware solution to its critical infrastructure clients on a global basis.

Conceal incorporates intelligence-grade, Zero Trust technology in its offerings to protect companies of all sizes from malware. By using ConcealBrowse, Jacobs is able to leverage Zero Trust isolation technology and its increasingly important role in delivering solutions to address critical challenges for national security, civilian infrastructure, maritime, higher education and energy clients around the world. 

The Conceal Platform is available immediately from Jacobs on a worldwide basis.

“Critical infrastructure providers including energy, water, communications and others are a favorite target for ransomware groups due to the downstream disruptions an infection will cause,” said Gordon Lawson, CEO of Conceal. “Through this new relationship with Jacobs we are providing customers of all sizes, on a global basis, with comprehensive protection against ransomware that isolates users and the corporate network from threats.”

The Conceal Platform provides detection of cyber threats before they can infiltrate a network by processing all code to determine whether or not it is malicious and placing suspicious content in isolation so malware cannot execute. It is comprised of three integrated products:

  • ConcealBrowse, which secures users by protecting every endpoint from malicious threats
  • ConcealSearch, which shields the network from reconnaissance and attacks by fortifying online activity without attribution to your enterprise
  • ConcealCloud, which safeguards cloud resources through isolation by regularly churning the underlying network infrastructure

About Conceal

Conceal enables organizations to protect users from malware and ransomware at the edge. The Conceal Platform uses Zero Trust isolation technology to defend against sophisticated cyber threats. Conceal is used by Fortune 500 and government organizations globally to ensure their users and IT operations remain secure, anonymous and isolated from attacks. For more information, visit https://conceal.io/.

Media Contacts:

Carter B. Cromley
(703) 861-7245

#BeCyberSmart – Let’s Talk About Phishing

Let’s talk about phishing. Phishing is the top action variety in social engineering breaches, accounting for over 60% of them according to Verizon’s 2022 Data Breach Investigations Report. Since 2016, phishing has seen an exponential increase in both the email click and do-not-click rates. Let’s be real: phishing is an issue, and it is not going anywhere. This week, the National Cybersecurity Alliance has talked a lot about recognizing and reporting phishing and discussed how it’s a problem that affects all businesses no matter their size. In fact, 30% of small businesses consider phishing attacks to be their top cybersecurity concern.

Recognize Phishing

According to CISA, phishing is defined as “Attacks that use email or malicious websites to infect your machine with malware and viruses in order to collect personal and financial information. Cyber Criminals attempt to lure users to click on a link or open an attachment that infects their computers, creating vulnerability to attacks.”

Luckily, in this day and age, there is a lot that can be done to prevent users from falling victim to a phishing attempt. First and foremost, users need to understand what they are looking for so that they can see it and not click it. While the signs can be subtle, the National Cybersecurity Alliance has provided eight tips on how to clearly spot a phishing email:

  1. Email contains an offer that is too good to be true
  2. Email contains language that is urgent, alarming or threatening
  3. Email contains poorly crafted writing with misspellings and bad grammar
  4. Email is very generic and not personalized to you as the user
  5. Email requests your personal information
  6. Email requires you to click on a link or attachment
  7. Email contains an odd business request
  8. Email address looks odd or unidentifiable


While these are not the only identifiable characteristics of a phishing email, these are among the most common.  The main takeaway here is that if you recognize an email as “phishy”, make sure you avoid it and report it.

Report Phishing

So, you think you have been phished? Recognizing the fake email is the most important part of defending against a phishing attempt. Once a user has identified the phishing expedition, reporting the email to your IT manager or security officer can help ensure others do not fall victim to the same attempt. Some companies may even have a built-in plugin in their email application to make reporting easier. The most important thing here is NOT to click on any links. After reporting, ensure the email is deleted and no longer exists on any of your devices.

Another important aspect of reporting is to ensure users report a phishing attempt even if they have fallen victim.  Sometimes a user does not realize they have been phished until they have clicked on a link or opened an attachment.  In these instances, users need to feel comfortable and empowered to reach out to their IT contact to report the phish so that the IT team can investigate and remediate ASAP.  This communication can minimize the damage and spread of the malware or other threats that may have been a part of the email.  This reality also highlights the importance of investing in a security tool that can minimize the impact of a malicious email.

Invest Against Social Engineering

The reality is, even with cybersecurity awareness training, users are still going to fall victim to clicking a phishing link. As a result, it is important for organizations to explore their options to minimize the impact. Here at Conceal, we are able to isolate a user’s session when they click on a malicious link, keeping the harmful content from ever accessing your organization’s network. By investing in Conceal, you can protect your users from malware, spear phishing and browser-based cyber threats with clientless, zero-trust remote browser isolation. To learn more, request a demo with one of our experts today!


WWCD: Defending Against Browser App Mode Abuse

Bill Toulas at BleepingComputer recently highlighted a new phishing technique in the wild that is designed to abuse users’ increased likelihood of trusting applications that appear to be desktop applications over those that appear inside a web browser. As with many other types of attacks in the wild, these are designed to take advantage of the fact that experience – and most security training – primes users to expect phishing and other malicious sites to look and behave a certain way.

In the attack Toulas describes, threat actors utilize a little-used feature in Chromium-based browsers to launch web pages in “application mode”. In application mode, the website loads in a clean browser window that hides all the tell-tale signs that the user is on a web site. There are no tabs, no URL bar, no toolbars, nor anything else that normally distinguishes a web application from a desktop one. Since users aren’t primed to suspect phishing pages to load in this type of environment, their guard may be down.

So, What Would Conceal Do (#WWCD)?

We have some good news: Conceal would stop this attack. Since ConcealBrowse protects users by scanning URLs and blocking or isolating them as appropriate, the user’s trust – or lack thereof – is irrelevant.

Let’s take a look at how the attack works, and how ConcealBrowse stops it.

  1. An attacker sends a user a Windows shortcut that launches a web page in Chromium application mode when clicked.
  2. When the user clicks on the icon, the malicious page is loaded in a Window that mimics a desktop application but is actually a Chromium window without any of the usual UI elements.
  3. Despite appearances, the page is still a normal web page and ConcealBrowse scans its URL as well as any other URLs it might call or load.
  4. Because Conceal’s decision engine has flagged the URL as malicious, the page is loaded in a virtual environment in the cloud instead of on the user’s computer.
  5. When the page tries to download a malicious file to the user’s computer, the file is scanned and stopped by ConcealBrowse.
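One way a defender can spot step 1 and 2 above in endpoint telemetry, as an added example rather than anything from Conceal or BleepingComputer: Python that scans process-creation events (Sysmon-style Image, CommandLine and ParentImage fields, constructed here) for a Chromium browser started with the `--app=<url>` switch and reports any origin outside an assumed allowlist of sanctioned app-mode shortcuts.

```python
import re
from urllib.parse import urlparse

# Chromium-based browser binaries that honour the --app= switch.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "chromium.exe"}

# Hypothetical allowlist: origins the organisation deliberately pins as app-mode shortcuts.
ALLOWED_APP_ORIGINS = {"https://intranet.example.internal"}

# Matches --app=<url> (quoted or bare). Does not match --app-id=, which installed
# PWAs use, so ordinary pinned web apps are not flagged.
APP_SWITCH = re.compile(r'(?:^|\s)--app=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def extract_app_url(command_line):
    """Return the URL passed via --app= in a browser command line, or None."""
    m = APP_SWITCH.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def classify_event(event):
    """Return a finding string for an unsanctioned app-mode launch, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BROWSERS:
        return None
    url = extract_app_url(event["CommandLine"])
    if url is None:
        return None
    parsed = urlparse(url)
    origin = f"{parsed.scheme}://{parsed.netloc}".lower()
    if origin in ALLOWED_APP_ORIGINS:
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    # A parent of explorer.exe is consistent with a user double-clicking a shortcut.
    severity = "high" if parent == "explorer.exe" else "medium"
    return f"{severity}: {image} launched in app mode for {origin} (parent {parent or 'unknown'})"


def scan_events(events):
    return [f for f in (classify_event(e) for e in events) if f]


# Constructed sample events; paths and hostnames are placeholders, not observed indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://login.invalid-example.test/portal',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://intranet.example.internal/dashboard',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app-id=abcdefghijklmnop',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample event is reported; the sanctioned intranet origin and the `--app-id=` PWA launch are ignored.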

ConcealBrowse protects users and organizations from the types of trust abuse that are commonly responsible for successful malware and phishing attacks like this one, regardless of how creative the technique. Want to learn more? Contact us for a demo today!