Endpoint Protection

Application and device control and firewall to help block ransomware

Aug 27, 2016 02:41 AM

Last week was completely taken up with ransomware samples. We came across two incidents. One case involved a totally new sample of the binaries; the other did not: the actual ransomware binary was being detected, but the downloader was not. The attack vector in both cases was a spear-phishing email with a macro-enabled MS Office Word document as the attachment. While this method isn't new and is widely used, it is still very effective and bypasses most security measures. Writing a macro isn't very complicated.

Though the attack vector was the same, the way in which the two samples fetch the binaries for the second stage of the attack differs. One sample uses the macro to download the ransomware binary from its web server, while the other makes no network connection whatsoever: it creates an executable file in the user's temp folder, which in turn creates the ransomware binary in the user's profile.

So we decided to test two different endpoint protection policies, one for each of these behaviours.

Case 1: Macro-enabled document downloads the binary from a web server.

In this case we observed that MS Word itself makes a direct network connection to the web server and downloads the binary as the macro executes on opening the document. So we created a firewall policy rule to block any network connection attempted by the MS Office binaries (i.e. Word, Excel, PowerPoint etc.) on ports 80/443, except to internal web servers. This takes two rules in the policy, in this order: the first rule allows connections from the Office binaries to the internal web servers; the second rule blocks all connections from them to 80/443. The order matters, since rules are evaluated top-down and the first match decides: if the block rule came first, it would also stop legitimate connections to internal servers. Note that both rules key on the Office process and on ports 80/443 only; a downloader that uses a different port, or hands the download to another process, is outside their scope.

Case 2: Macro-enabled document creates an executable file in the user's profile.

VirusTotal analysis: https://virustotal.com/en/file/9efc192fae6979799481f42cf411d8c32f1b8e3ad91e2bd3ae72e3506402c5d5/analysis/

In this case, we created an application and device control policy that blocks any attempt by the MS Office binaries (i.e. Word, Excel, PowerPoint etc.) to create executable files.
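To make the two policies concrete, here is a small model of how they evaluate, written as an added example for this page. It is not the original SEP policies and uses no vendor syntax: an ordered outbound firewall rule set where the first matching rule wins (Case 1), and an application-control check that stops Office processes from writing executable files (Case 2). The Office process names, the internal subnet 10.0.0.0/8, the file paths and the events fed through it are all constructed assumptions. It goes slightly beyond the text in one place: the Case 2 check looks at the first bytes of the file being written (the "MZ" PE header) as well as the extension, so a payload dropped under a non-executable extension is still caught.

```python
"""
Model of the two endpoint policies described above: an ordered outbound
firewall rule set (first match wins) and an application-control rule that
stops Office processes from writing executable files.

Added example; not the original post's SEP policies and not any vendor's
syntax. The internal subnet, process names, paths and events are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Office processes the policies key on (assumed names, lower-cased for matching).
OFFICE_PROCESSES = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"})

# Assumed internal web server range for the allow rule.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str          # "allow" or "block"
    processes: frozenset # process names the rule applies to
    ports: frozenset     # remote TCP ports
    remote_nets: tuple   # ip_network objects; empty tuple means any destination

    def matches(self, process, remote_ip, port):
        if process.lower() not in self.processes or port not in self.ports:
            return False
        if not self.remote_nets:
            return True
        addr = ipaddress.ip_address(remote_ip)
        return any(addr in net for net in self.remote_nets)


# Case 1 as two ordered rules. In a first-match evaluator the allow rule must
# precede the block rule, otherwise internal web servers are blocked as well.
CASE1_RULES = [
    FirewallRule("Allow Office to internal web servers", "allow",
                 OFFICE_PROCESSES, frozenset({80, 443}), (INTERNAL_NET,)),
    FirewallRule("Block Office outbound 80/443", "block",
                 OFFICE_PROCESSES, frozenset({80, 443}), ()),
]


def firewall_verdict(rules, process, remote_ip, port, default="allow"):
    """First matching rule decides; unmatched traffic falls through to default."""
    for rule in rules:
        if rule.matches(process, remote_ip, port):
            return rule.action
    return default


# Case 2: application control. The check keys on the content being written
# (PE "MZ" header) as well as the extension, so a renamed payload is still caught.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif"}


def is_executable_write(path, first_bytes):
    ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
    return ext in EXECUTABLE_EXTENSIONS or first_bytes[:2] == b"MZ"


def app_control_verdict(process, path, first_bytes):
    """Block Office processes creating executable files anywhere on disk."""
    if process.lower() in OFFICE_PROCESSES and is_executable_write(path, first_bytes):
        return "block"
    return "allow"


def run_scenarios():
    """Constructed events mirroring the two samples; returns name -> verdict."""
    r = {}
    # Sample 1: the macro makes Word download the payload over HTTP.
    r["word->external:80"] = firewall_verdict(CASE1_RULES, "WINWORD.EXE", "203.0.113.10", 80)
    r["word->internal:443"] = firewall_verdict(CASE1_RULES, "WINWORD.EXE", "10.20.30.40", 443)
    r["chrome->external:443"] = firewall_verdict(CASE1_RULES, "chrome.exe", "203.0.113.10", 443)
    # Same two rules in the wrong order: the block rule swallows internal traffic.
    r["reversed word->internal:443"] = firewall_verdict(
        list(reversed(CASE1_RULES)), "WINWORD.EXE", "10.20.30.40", 443)
    # Sample 2: the macro drops an executable in %TEMP% with no network traffic.
    tmp = r"C:\Users\u\AppData\Local\Temp"
    r["word writes temp exe"] = app_control_verdict("WINWORD.EXE", tmp + r"\a.exe", b"MZ\x90\x00")
    r["word writes renamed pe"] = app_control_verdict("WINWORD.EXE", tmp + r"\a.tmp", b"MZ\x90\x00")
    r["word saves docx"] = app_control_verdict("WINWORD.EXE", r"C:\Users\u\Documents\report.docx", b"PK\x03\x04")
    r["explorer copies exe"] = app_control_verdict("explorer.exe", r"C:\Users\u\Downloads\setup.exe", b"MZ\x90\x00")
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30} {verdict}")
```

The reversed-order scenario is the one worth checking when a real policy is built: with the block rule above the allow rule, Word can no longer reach the internal servers either, which is the misconfiguration the two-rule layout above is designed to avoid.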

We tested these policies in a test environment, and they appear to serve the purpose.

While this may not be all we need to protect against ransomware attacks, it will surely offer a good level of defence against MS Office macro-based attack vectors. We look forward to collecting and testing more samples against these policies so that we can refine them and make them more robust.

Comments

Aug 29, 2016 12:35 PM

Can you share the specific policies which you created, please? Thanks.
