We all understand that most legacy antivirus (AV) solutions simply don’t stop the many different threats that exist today. In fact,
The Cylance SPEAR™ team has recently identified a newer family of samples deployed by the threat group Shell Crew that have flown under AV’s radar for more than a year and a half. Shell Crew, first named by RSA in this paper, has been incredibly proficient over time and has already breached numerous high-value targets.
Despite the grandiose marketing claims made by legacy AV vendors, the techniques, tactics, and procedures (TTP) such as trojans, web shells, exploits, compromised credentials, and many more, continue to be used by Shell Crew and are highly effective in evading signature-based detection.
Cylance dubbed the new family of malware StreamEx. The StreamEx family has the ability to access and modify the user’s file system, modify the registry, remotely execute commands, and many other malicious activities. A few of the samples were picked up by AV heuristics within the last few months, but newer samples are still coming back with zero detection rates.
Distribution, Use, and Mitigation
Cylance identified several legitimate compromised Korean websites that were used to distribute StreamEx samples over the course of 2016. One of the most recent samples SPEAR found was served from the compromised website, ‘www(dot)aceactor.co(dot)kr’ and contained a configuration block dated October 16, 2016. At the end of 2016, the group also took care to use private registration when reregistering domains originally purchased from a bulk reseller.
The Power of Prevention To Stop Attacks, Pre-Execution
If you use our endpoint protection product, CylancePROTECT®, you were already protected from this attack. All samples tested by SPEAR were successfully detected as malicious by our artificially intelligent math model.
CylancePROTECT stops this family of malware with its machine learning and artificial intelligence (AI) models that prevent the execution of malicious files. By utilizing Cylance's predictive models on each endpoint, stopping this family of malware and virtually all others, pre-execution, is accomplished easily and efficiently.
True prevention lowers security costs and complexities, and is the best long-term defense against malware. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can help your enterprise predict and prevent unknown and emerging threats.