Endpoint Protection

  • 1.  artifact of a threat

    Posted Apr 06, 2018 08:52 AM

    Hello,

    I have received a warning from a higher organization about the distribution of e-mails with a threat in the attachment.

    There is a distribution of malicious e-mails with a disguised link to download a JAR file from the cloud service DROPBOX.
    The malware is identified as the Adwind RAT.
    Download:     hxxps: // www [.] dropbox.com/s/z6offdjjzr5mn4y/FULL%20ORIGINAL%20DOCUMENTS%202FC1.jar?dl=1
    File:         FULL ORIGINAL DOCUMENTS 2FC1.jar
    Subject of the e-mails:      Re: import wholsale

    Details of the attachment on https://www.hybrid-analysis.com/sample/ae745fea5d6f51bd4ab5a913fe4fa08933bd78e9d04b5f2ce1e65cfe1b7f9c5c/5ac71a7f7ca3e1020e7b58b8

    FULL ORIGINAL DOCUMENTS 2FC1.jar

    Labeled as: Trojan.Java

    Report generated by Falcon Sandbox v8.00 © Hybrid Analysis


    I sent the file with the threat to Symantec (Tracking #42360883). But I was told that this is an artifact: "FULL ORIGINAL DOCUMENTS 2FC1.jar is not malicious itself, but may be an artifact of a threat."
    How can I be sure that Symantec detects a threat when employees will receive such a letter?

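The first thing a practitioner would do with a sample like the one above, before or alongside a vendor submission, is confirm the file hash against the sandbox report and look at the JAR's structure. The following added example (not code from the thread or from Symantec) does that offline. The only real indicator it carries is the SHA-256 taken from the Hybrid Analysis URL in the post, where the 64-hex path segment is the sample hash; the JAR it builds is a constructed, harmless stand-in, and the structural heuristics (a `Main-Class` making the JAR directly executable, mostly one- or two-letter class names, nested archives) are the author's own triage rules, not signatures.

```python
"""Offline triage of a suspicious JAR: hash it for lookup against a sandbox
report and inspect its structure. The JAR built here is a harmless,
constructed stand-in, not the sample from the thread."""
import hashlib
import io
import re
import zipfile

# SHA-256 taken from the Hybrid Analysis URL posted in the thread (the 64-hex
# path segment is the sample hash). Any further entries would be assumptions.
KNOWN_BAD_SHA256 = {
    "ae745fea5d6f51bd4ab5a913fe4fa08933bd78e9d04b5f2ce1e65cfe1b7f9c5c",
}

# Class names of one or two letters are typical of obfuscated Java droppers.
OBFUSCATED_NAME = re.compile(r"(^|/)[A-Za-z]{1,2}\.class$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse META-INF/MANIFEST.MF key/value lines (continuations start with a space)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_jar(data: bytes) -> dict:
    """Return hash, Main-Class and structural indicators for a JAR held in memory."""
    digest = sha256_hex(data)
    result = {"sha256": digest, "known_bad": digest in KNOWN_BAD_SHA256,
              "main_class": None, "class_count": 0, "obfuscated_classes": 0,
              "nested_archives": [], "flags": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["flags"].append("not a zip/jar container")
        return result
    names = zf.namelist()
    if "META-INF/MANIFEST.MF" in names:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        result["main_class"] = manifest.get("Main-Class")
    for name in names:
        if name.endswith(".class"):
            result["class_count"] += 1
            if OBFUSCATED_NAME.search(name):
                result["obfuscated_classes"] += 1
        elif name.lower().endswith((".jar", ".zip")):
            result["nested_archives"].append(name)
    if result["main_class"]:
        result["flags"].append("runnable: Main-Class set (double-click executes it)")
    if result["class_count"] and result["obfuscated_classes"] / result["class_count"] >= 0.5:
        result["flags"].append("majority of class names are 1-2 letters (obfuscator-style)")
    if result["nested_archives"]:
        result["flags"].append("nested archive(s) inside JAR: " + ", ".join(result["nested_archives"]))
    return result


def build_sample_jar() -> bytes:
    """Constructed stand-in JAR (no real bytecode) so the triage runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: a.B\r\n\r\n")
        for name in ("a/B.class", "a/c.class", "a/d.class", "com/example/Loader.class"):
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("resources/payload.jar", b"PK\x03\x04")  # nested archive stub
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

Run it against the real file by reading its bytes into `triage_jar`; a `known_bad` of `True` confirms you hold the same sample the sandbox analysed, and the flags give you something concrete to cite in a vendor case even when the AV verdict is "artifact".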


  • 2.  RE: artifact of a threat

    Posted Apr 06, 2018 08:55 AM

    It looks as if this artifact came via a different malicious file. Was that file detected? If SEP didn't detect anything then you may want to open a case and work with them on the true threat.



  • 3.  RE: artifact of a threat

    Posted Apr 06, 2018 09:07 AM

    Symantec does not detect anything, neither when sending the file as an attachment, nor when saving it to disk, nor when manually scanning. I therefore sent the file to Symantec with the request to add it to detection.
    In my opinion, it is a dubious idea to infect a PC and then work with a real threat.



  • 4.  RE: artifact of a threat

    Posted Apr 06, 2018 09:29 AM

    That's the problem: SEP isn't detecting the real threat. However, with all of their resources they should be able to track it down and at least provide some IOCs to isolate what it is.



  • 5.  RE: artifact of a threat

    Posted Apr 06, 2018 09:58 AM

    Yes, right now SEP isn't detecting the real threat. But I know that this file is malicious and sent the file to Symantec with the request to add it to detection.

    I also hoped that the information from the site https://www.hybrid-analysis.com/sample/ae745fea5d6f51bd4ab5a913fe4fa08933bd78e9d04b5f2ce1e65cfe1b7f9c5c/5ac71a7f7ca3e1020e7b58b8 would help SEP's heuristic analyzers detect it.



  • 6.  RE: artifact of a threat

    Posted Apr 09, 2018 06:10 AM

    Hi AndreyP,

    Thanks for the post, though I suspect you may be posting to the wrong place. :)  Connect is a peer-support forum.  If you wish for assistance with a specific submission, please contact Symantec Technical Support through the usual official channels. They do not monitor this Connect forum.

    Ideally your mail security solution should block spam emails with suspicious URLs.  Mails with a suspicious URL are indeed Threat Artifacts.  AntiVirus signatures are not the best tool to block suspicious URLs; AntiSpam technologies are much more effective.

    What is a Threat Artifact?
    http://www.symantec.com/docs/TECH228126

    Be sure end users are educated NOT to click on suspicious links. Inform them that Dropbox and other similar services are very often misused to deliver malware.  A couple of articles that may help....

    What NOT to Click
    https://www.symantec.com/connect/articles/what-not-click

    What NOT to Click 2: The Legend of Curly's Gold
    https://www.symantec.com/connect/articles/what-not-click-2-legend-curlys-gold

    Final note: a quick check shows that Symantec has AV detection in place for the malware associated with that .jar container.

    Hope this helps!
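The reply above makes the practical point: the e-mail carries only a link, so the control that should fire first is the mail gateway's URL filtering, not the endpoint's file signatures. The following added example (the author's own, not Symantec's or any vendor's logic) shows what such a rule looks like. It refangs the defanged IOC from the first post, parses the link, and quarantines on a combination of signals that match this lure: a consumer file-sharing host, a forced direct download (`dl=1`), and a filename with an executable-container extension. The file-sharing host list, the extension list and the sample message are constructed assumptions for the example.

```python
"""Mail-gateway style URL check for the lure described in the thread.
Added example: refang/defang helpers and the scoring rule are the author's
own; host and extension lists are assumptions, not a vendor feed."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed list of consumer file-sharing hosts popular as lure hosts.
FILE_SHARING_HOSTS = {"dropbox.com", "www.dropbox.com"}
# Assumed set of extensions that execute on double-click on a typical desktop.
RISKY_EXTENSIONS = (".jar", ".exe", ".js", ".vbs", ".scr", ".hta", ".iso")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed message body; the link and subject are the IOCs quoted in the thread.
SAMPLE_MESSAGE = (
    "Subject: Re: import wholsale\n\n"
    "Dear Sir, please find the full original documents at\n"
    "hxxps: // www [.] dropbox.com/s/z6offdjjzr5mn4y/FULL%20ORIGINAL%20DOCUMENTS%202FC1.jar?dl=1\n"
    "and confirm the order.\n"
)


def refang(text: str) -> str:
    """Undo common defanging: hxxp -> http, '[.]' -> '.', spaces around '://'."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    text = re.sub(r"\s*[\[(]\.[\])]\s*", ".", text)
    text = re.sub(r"\s*:\s*//\s*", "://", text)
    return text


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def classify_url(url: str) -> dict:
    """Score one URL; two or more signals together give a quarantine verdict."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    filename = unquote(u.path.rsplit("/", 1)[-1])
    query = parse_qs(u.query)
    reasons = []
    if host in FILE_SHARING_HOSTS or host.endswith(tuple("." + h for h in FILE_SHARING_HOSTS)):
        reasons.append("file-sharing host")
    if filename.lower().endswith(RISKY_EXTENSIONS):
        reasons.append(f"executable container {filename!r}")
    if query.get("dl") == ["1"]:
        reasons.append("forced direct download (dl=1)")
    verdict = "quarantine" if len(reasons) >= 2 else "allow"
    return {"url": url, "host": host, "filename": filename,
            "reasons": reasons, "verdict": verdict}


def scan_message(body: str) -> list:
    """Extract every URL (defanged or not) from a message body and classify it."""
    return [classify_url(m.group(0)) for m in URL_RE.finditer(refang(body))]


if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        print(hit["verdict"], defang(hit["url"]), hit["reasons"])
```

The rule deliberately needs two signals: a Dropbox link to a photo with `dl=0` is allowed, while a link to a `.jar` with `dl=1` on the same host is quarantined. The `defang` helper is what you use when the hit goes into a ticket, so the URL in the report is not itself clickable.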