Dtex Threat Advisory: New Malware Variants Spreading Through Network-Connected Endpoints

Company warns similar attacks are likely to continue at scale


SAN JOSE, CA--(Marketwired - May 15, 2017) - Dtex Systems™, a leading insider threat detection provider, has observed a variant of the PinkSlipBot that was sophisticated enough to bypass malware detection tools from traditional anti-malware providers including FireEye, McAfee and Palo Alto Networks. Dtex also warns that this PinkSlipBot variant and Friday's WannaCry ransomware attack across Europe are just two of several malware strains detected recently that are able to circumvent traditional anti-malware security solutions.

"The alarming influence of this particular malware is that it's able to laterally migrate over shared networks to download files and update its software from a command and control server, ultimately evolving to alter its disguise, track and footprint," said Christy Wyatt, CEO at Dtex Systems. "Dtex analysts initially observed that the malware mimicked a decade-old threat and, after further analysis, we were able to confirm that the malware was indeed PinkSlipBot by identifying reads from a directory path, PSlip, on compromised devices."

The Dtex User Behavior Intelligence Platform was able to detect the anomaly even after it bypassed several popular malware detection software tools. Some alarming observations around the PinkSlipBot malware are its ability to:

  • Disguise itself as common executable commands on endpoints and cloud services in order to bypass detection and spread rapidly among network-connected machines
  • Execute OneDrive.exe as a background task to serve as a medium for external data transfer
  • Exhibit command and control beaconing behavior from the explorer.exe process, a file commonly found on the majority of personal and corporate devices
  • Execute Windows Task Scheduler to repeatedly schedule the download, installation and upgrade of malicious files in order to increase persistence
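The following is an added example, not code from the advisory or from Dtex's platform: a small set of heuristics that flag three of the behaviors listed above (reads from a PSlip directory path, repeated Task Scheduler creations, and explorer.exe contacting a fixed external host at regular intervals) over constructed endpoint telemetry. The event schema (seconds since start, process image, event type, detail) and the sample events are assumptions made for the illustration.

```python
"""Heuristic detection of three PinkSlipBot behaviors over constructed telemetry.
Event tuples use an assumed, simplified schema:
(seconds since start, process image, event type, detail)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events, not real telemetry. 203.0.113.10 and 198.51.100.7
# are documentation-reserved addresses.
EVENTS = [
    (0,   "explorer.exe", "net_connect", "203.0.113.10:443"),
    (60,  "explorer.exe", "net_connect", "203.0.113.10:443"),
    (90,  "chrome.exe",   "net_connect", "198.51.100.7:443"),
    (95,  "svchost.exe",  "file_read",   r"C:\Users\bob\AppData\Roaming\PSlip\core.dll"),
    (100, "schtasks.exe", "proc_create", r"/create /sc minute /mo 30 /tn upd /tr C:\Users\bob\AppData\Roaming\upd.exe"),
    (120, "explorer.exe", "net_connect", "203.0.113.10:443"),
    (130, "schtasks.exe", "proc_create", r"/create /sc minute /mo 30 /tn upd2 /tr C:\Users\bob\AppData\Roaming\upd.exe"),
    (181, "explorer.exe", "net_connect", "203.0.113.10:443"),
]

def detect(events, min_beacons=3, max_jitter=0.2, min_task_creates=2):
    """Return a list of alert strings for the PinkSlipBot-like behaviors found."""
    alerts = []
    explorer_conns = defaultdict(list)   # destination -> connection timestamps
    task_creates = []                    # timestamps of schtasks.exe /create
    for ts, proc, ev, detail in events:
        proc = proc.lower()
        # Read from the PSlip directory path named in the advisory
        if ev == "file_read" and "\\pslip\\" in detail.lower():
            alerts.append(f"PSlip path read by {proc}: {detail}")
        # Task Scheduler used to (re)schedule download/install jobs
        elif ev == "proc_create" and proc == "schtasks.exe" and "/create" in detail.lower():
            task_creates.append(ts)
        # explorer.exe has no business contacting a fixed external host on a timer
        elif ev == "net_connect" and proc == "explorer.exe":
            explorer_conns[detail].append(ts)
    if len(task_creates) >= min_task_creates:
        span = task_creates[-1] - task_creates[0]
        alerts.append(f"schtasks.exe created {len(task_creates)} tasks in {span}s")
    for dest, times in explorer_conns.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) < min_beacons or len(gaps) < 2:
            continue
        # Low jitter relative to the mean interval indicates beaconing
        if pstdev(gaps) <= max_jitter * mean(gaps):
            alerts.append(f"explorer.exe beaconing to {dest} every ~{mean(gaps):.0f}s")
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```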

FINAL RECOMMENDATION

"Given the recent alerts related to a significant increase in ransomware attacks across Europe, it is important to note that while different strains of malware may utilize different techniques to extract value from a victim, there are many parallels in the behaviors observed in these sophisticated attacks," said Rajan Koo, SVP of Engineering at Dtex Systems. "Parallels with PinkSlipBot and the recent ransomware attacks such as Friday's WannaCry include compromise of a single account, lateral spread of the infection, attempts to disable corporate security defenses and common file sharing methods being utilized as mechanisms for external data transfer."

Organizations whose endpoints exhibit the described behavior are strongly advised to quarantine and isolate infected machines in order to stop the malware from spreading further. Cutting the malware off from network assets will impede its lateral movement and remove the threat of data and credential loss.

For more information on this threat please visit https://dtexsystems.com/dtex-systems-threat-advisory-new-malware-variants-spreading-through-network-connected-endpoints.

About Dtex Systems
Dtex Systems arms enterprises across the globe with revolutionary technology to protect against user threats, data breaches, and outsider infiltration. As the only solution combining unparalleled endpoint visibility with advanced analytics, Dtex is able to pinpoint threats with greater accuracy than traditional security methods without adversely impacting user productivity. Dtex established itself as a U.S. Company in 2015 after securing its Series A funding from Norwest Venture Partners and Wing Ventures. To learn more, visit www.dtexsystems.com.

Contact Information:

Press Contact
Erika Kamholz
Bhava Communications for Dtex Systems
949.282.8560