Angler EK goes Fishing
The Network: A well regarded private university with nationally ranked academic programs in the U.S.
The Expectation: A layered defense from edge to endpoint is protecting the network.
The Catch: Unsigned DLLs were executing on a faculty laptop from the AppData\Local\Temp folder, with names like api-ms-win-system-softpub-l1-1-0.dll.
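A hunt for the indicator described above, written as an added example for this post (it is not the original author's tooling). It assumes a Windows host with PowerShell 5.1 or later; the Temp location and the api-ms-win-* naming pattern are the only specifics taken from the case, and the output path is an arbitrary choice.

```powershell
# Added example: find DLLs sitting in or loaded from AppData\Local\Temp, check their
# Authenticode signature, and flag names that imitate Windows API set DLLs.
# Assumption: run locally on the suspect host; adjust $outCsv to taste.
$outCsv = "$env:USERPROFILE\Desktop\temp-dll-hunt.csv"

# Sweep the current user's Temp plus every local profile's Temp (requires admin for other users)
$tempDirs = @("$env:LOCALAPPDATA\Temp")
$tempDirs += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
             ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

$onDisk = foreach ($dir in ($tempDirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Genuine api-ms-win-*.dll API set stubs live under System32/SysWOW64, never in Temp
        $mimicsApiSet = $_.Name -like 'api-ms-win-*.dll'
        [pscustomobject]@{
            Path       = $_.FullName
            SizeBytes  = $_.Length
            Created    = $_.CreationTime
            SigStatus  = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Suspicious = ($sig.Status -ne 'Valid') -or $mimicsApiSet
        }
    }
}

# "Executing" means loaded: list processes that currently map a module from any Temp folder
$loaded = Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try {
        $p.Modules | Where-Object { $_.FileName -like '*\AppData\Local\Temp\*' } |
            ForEach-Object { [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Module = $_.FileName } }
    } catch { }   # protected or 64-bit/32-bit mismatched processes refuse module enumeration
}

$onDisk | Sort-Object Suspicious -Descending | Format-Table Path, SigStatus, Signer, Suspicious -AutoSize
$loaded | Format-Table -AutoSize
$onDisk | Where-Object Suspicious | Export-Csv -NoTypeInformation -LiteralPath $outCsv
```

The SHA256 column gives you something to pivot on across other hosts and mail logs once the laptop is quarantined.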
The Find: This was an exploit launched by a phishing email sent to the faculty member. The attachment was based on the CryptXXX Ransomware family. See for details.
The Fix: Quarantine the infected laptop, and review email and browser logs to determine the attack vector. We would also suggest re-imaging the infected laptop before returning it to service.
Then you can educate the faculty member on phishing attacks and prevention.
The Lesson: It’s a Mad, Mad, Mad, Mad World.