Threat Background
We all understand that most legacy antivirus (AV) solutions simply don’t stop the many different threats that exist today. In fact, if you're using a signature-based solution, you're lucky if it detects 50% of the threats that come your way on a daily basis.
The Cylance SPEAR™ team has recently identified a newer family of samples deployed by the threat group Shell Crew that have flown under AV’s radar for more than a year and a half. Shell Crew, first named by RSA in this paper, have been incredibly proficient over time and have already breached numerous high-value targets.
Despite the grandiose marketing claims made by legacy AV vendors, the techniques, tactics and procedures (TTP) such as trojans, web shells, exploits and compromised credentials and many more continue to be used by Shell Crew and are highly effective in evading signature-based detection.
Malware Family
Cylance dubbed the new family of malware StreamEx. The StreamEx family has the ability to access and modify the user’s file system, modify the registry, remotely execute commands and many other malicious activities. A few of the samples were picked up by AV heuristics within the last few months, but newer samples are still coming back with zero detection rates.
Distribution, Use and Mitigation
Cylance identified several legitimate compromised Korean websites that were used to distribute StreamEx samples over the course of 2016. One of the most recent samples SPEAR found was served from the compromised website, ‘www(dot)aceactor.co(dot)kr’ and contained a configuration block dated October 16, 2016. At the end of 2016, the group also took care to use private registration when reregistering domains originally purchased from a bulk reseller.
The Power of Prevention to Stop Attacks, Pre-Execution
If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. All samples tested by SPEAR were successfully detected as malicious by our artificially intelligent math model.
CylancePROTECT stops this family of malware with its machine learning and artificial intelligence (AI) models that prevent the execution of malicious files. By utilizing the predictive models developed to be used on each endpoint, stopping this family of malware and virtually all others, pre-execution, is accomplished easily and efficiently.
True prevention lowers security costs and complexities, and is the best long-term defense against malware. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can help your enterprise predict and prevent unknown and emerging threats.