Stephen Coty

Stephen Coty
on August 9, 2018

Threat Report Thursday August 9th 2018

Threat Report

Security researchers at Proofpoint have uncovered Dreambot malware which is a new variant of Ursinif banking Trojan. Though it is still in development, it was seen spreading since July 2016 through exploit kits such as Neutrino, through phishing emails with malicious attachments, and through malvertising. Secondly Palo Alto researchers discovered a threat group named DarkHydrus carrying out credential harvesting attacks using weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions in the Middle East. Based on the analysis, DarkHydrus used the open-source Phishery tool to host the command and control server to harvest credentials. The use of Phishery further illustrates Dark Hydrus’ reliance on open source tools to conduct their operations.

Malware: Dreambot

Researchers point out that this new variant has new capabilities which includes peer-to-peer (P2P) functionality and Tor communication capability. This Tor-enabled versions are hard to detect because of encrypted and anonymized communications.

For more information there are a few links below:



Some Mitigation Strategies:

  • File Integrity Management (FIM) to monitor for the download of a zipped JavaScript
  • Intrusion detection systems (IDS) would detect peer to peer communications
  • Intrusion detection systems (IDS) would
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: DarkHydrus

Two Word documents using the domain to harvest credentials were found. These related Word documents were first seen in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.



Some Mitigation Strategies:

  • Web filtration to block
  • Email filtration to detect spear phishing attempts using word files
  • File Integrity Management (FIM) to monitor for downloaded malicious word documents
  • Intrusion detection systems (IDS) to monitor for malicious queries through DNS
  • 24x7 Security Monitoring to check for GPS consistency with locations of vehicles

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to

Next: Threat Report Wednesday August 1st 2018

Share this on:

Stephen Coty

Stephen Coty
on August 9, 2018

Perchy Subscribe to our blog