Luckycat… Just a figurine?
Saar here, resident engineer at Myriad Supply.
You’ve probably seen these cats around. They’re called Luckycats, and are supposed to bring you good luck. They’re also sometimes called the welcoming cat, money cat, happy cat, or fortune cat.
Exciting, we know, but how does it relate to IT? Well, Luckycat was an attack used extensively in 2012, called “The Luckycat Campaign”. The attack was comprised of:
1. Sending you an email with a link
2. Getting you to click that link
- In Japan, for example, they used the Fukushima reactor, as you know was damaged and released radiation. So the link basically said “here are the radiation dose
measurements” in a PDF. Obviously, since everyone was in a panic, a large number of employees clicked it.
3. The PDF that people downloaded used a PDF vulnerability, so that when you opened it, it ran a snippet of code.
The link will have some codes similar to this:
4. The link connects to the C & C command and control server, which is merged by the cracker. C&C is the name of the Crackers server, and the hackers will usually use free web servers or previously hacked servers
5. Now the server has the:
- MAC address- this is the addres that is burned into the network card
- Campaign code- This identifies which attack you fell for (Japan radiation, for example)
- Hostname- Name of your PC
6. The server quickly uses that information to make a script, which the target downloads and run. The script will run:
IPCONFIG
List the drives
SYSTEM INFO
List of Files
7. Now the attacker has an idea of the target and can tell if it is worthwhile. For example, with the list of files, ou can see if there are interesting ones like:
- Bank details
- Merger report
- Social security number list
- Anti Virus file name, so you can tell which AV the target has.
8. Armed with that information, the attacker can tell:
- Whether the target is worth the time and effort
- The details of what protection he has
- The details of which email campaign he fell for
The cracker is now ready to craft his attack. For example, for the Japanese market, he can send another email with gruesome photos of the radiation victims.- This time, with an attack that can avoid the antivirus and allow him to control the PC remotely or send over the files he wants.
So there’s Luckycat for you! You may be thinking “That’s nice, but what can I do or buy to help me?”
1. Get the Anti-Virus, Anti-Spam subscription for that firewall. Yes, I know, it costs a lot. Juniper, Sonical, FOrtinet, and Palo Alto all offer it. That’s why they call their firewall Next-Generation- because they can provide that protection. Technically, if you don’t put it, your firewall is just an old firewall. If it’s within your budget, can an appliance to protect your email server, such as Barracuda.
2. You can also run IPS (intrusion prevention), so you can catch that communication going back and forth with the C&C server and be alerted to it. This is a license on most firewalls.
3. Get a centralized antivirus and deploy it at the company. Make sure it does a full scan without your user being able to stop it (big brands can sell you these).
4. Scan all your mobile emploees’ laptops and BYOD before you allow them on the networking using an NAC (Network Access Control)- a Juniper MAG, for example, can be a NAC.
5. Patch up your applications. In the example above, if the user had had the patch for the Adobe that prevents that script running, it would have been blocked.
And, last, but not least, educate your users. Think before you click, and do not be a victim!
Saar Harel is a resident Engineer at Myriad Supply, and has been in the Networking Field for over 20 years. You can check out his Google+ and ask him questions!