We all know how difficult it is to keep your users from downloading malicious files and/or visiting suspect websites, even when you tell them explicitly what to look out for (malformed URLs, executables, files with multiple extensions, etc.). What if the actual malware payload is hidden in Microsoft Office documents of the kind your users send and receive thousands of times daily? One such piece of malware, dubbed “Kraken”, has proven to be highly effective as well as lucrative.
We are seeing a lot of attackers use malware to compromise servers and then repurpose them for their evil ways: adding the servers to their botnet, using them as command & control points or, as we see with Kraken, mining Bitcoins with them. The problem is that Bitcoin mining takes up a lot of computing power and can rob your environment of resources needed for actual business operations. When cloud-based servers fall victim to this attack, where resources are elastically allocated as needed (read: a server that automatically gains capacity as you use more), this has a direct financial impact. In fact, we have seen cloud services bills increase tenfold during these attacks. Imagine your AWS bill going from $2,000 a month to $20,000!
The impact on you can be:
- Abuse of your computing resources impacts performance and could possibly bring down an entire system
- If your cloud-based servers are used in this attack, the financial impact could be devastating to your business
- If resources under your control are used in these types of attacks, your company could be inadvertently associated with criminal behavior
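The resource abuse described above leaves a measurable trace: a host that a miner has taken over runs flat out for hours rather than spiking briefly. The following is an added example of a simple sustained-CPU check over constructed per-minute samples; it is not AlienVault's signature or correlation rule, and the host names, timestamps and thresholds are assumptions chosen for illustration.

```python
"""Flag hosts whose CPU stays saturated for a sustained window, a
resource-abuse signal consistent with unauthorised coin mining.
Added illustration: the samples below are constructed, not real data."""
from collections import defaultdict

# Constructed samples as (host, "HH:MM", cpu_pct) at one-minute intervals.
# web-1 is pegged above 90% for the whole window (mining-like);
# db-1 shows a short three-minute spike, which is normal batch activity.
SAMPLES = (
    [("web-1", f"02:{m:02d}", 95 + m % 5) for m in range(12)]
    + [("db-1", f"02:{m:02d}", 95 if 3 <= m < 6 else 20) for m in range(12)]
)


def group_by_host(samples):
    """Group (host, ts, cpu) tuples into {host: [(ts, cpu), ...]} in time order."""
    per_host = defaultdict(list)
    for host, ts, cpu in samples:
        per_host[host].append((ts, float(cpu)))
    for series in per_host.values():
        series.sort()
    return per_host


def sustained_high_cpu(samples, threshold=90.0, min_minutes=10):
    """Return {host: (first_ts, ts_when_flagged)} for every host whose CPU
    stayed at or above `threshold` for at least `min_minutes` consecutive
    samples. A gap or a dip below the threshold resets the run."""
    flagged = {}
    for host, series in group_by_host(samples).items():
        run_start, run_len = None, 0
        for ts, cpu in series:
            if cpu >= threshold:
                run_start = run_start or ts
                run_len += 1
                if run_len >= min_minutes and host not in flagged:
                    flagged[host] = (run_start, ts)
            else:
                run_start, run_len = None, 0
    return flagged


if __name__ == "__main__":
    for host, (start, end) in sustained_high_cpu(SAMPLES).items():
        print(f"{host}: CPU >= 90% from {start} through {end}, investigate")
```

In practice the same check would read metrics from your monitoring system, and a hit should be correlated with outbound connections from the host before anyone acts on it.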
The AlienVault Labs team released an IDS signature and a correlation rule to detect when a system infected by the Kraken RAT communicates with the C&C server. The AlienVault Labs security research team continuously researches evolving threats and regularly delivers new correlation rules to our AlienVault Unified Security Management (USM) platform to keep our customers at the forefront of threat detection.
You can get more details on the latest USM threat intelligence updates here.