Angler EK goes Fishing

The Network: A well regarded private university with nationally ranked academic programs in the U.S.

The Expectation: A layered defense from edge to endpoint is protecting the network.

The Catch: Unsigned DLLs were executing on a faculty laptop from the AppData\Local\Temp folder, with names like api-ms-win-system-softpub-l1-1-0.dll.
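The two signals in that catch, an unsigned DLL loading from a user-writable temp folder and a file name that imitates the Windows api-ms-win-* API-set libraries, can be turned into a simple detection rule. The following is an added example and not code from the original post or the vendor; it assumes image-load records in the shape of Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, SignatureStatus), and the sample events are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records modelled on Sysmon Event ID 7 (Image loaded)
# fields. They are not logs from the incident described on the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\Users\prof\AppData\Local\Temp\api-ms-win-system-softpub-l1-1-0.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\downlevel\api-ms-win-core-file-l1-2-0.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\prof\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\prof\AppData\Local\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\softpub.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Per-user, user-writable locations from which a DLL load deserves a second look.
SUSPECT_DIR_PATTERNS = (
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE),
    re.compile(r"\\Users\\Public\\", re.IGNORECASE),
)

# Genuine api-ms-win-* API-set forwarders live, signed, under the Windows
# system directories; the same names anywhere else are impersonation.
API_SET_NAME = re.compile(r"^api-ms-win-.*\.dll$", re.IGNORECASE)
TRUSTED_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)(\\|$)", re.IGNORECASE)


def classify_image_load(event):
    """Return the list of rule names the event trips; an empty list is benign."""
    path = event["ImageLoaded"]
    name = PureWindowsPath(path).name  # works on any host OS for Windows paths
    signed = (event.get("Signed", "").lower() == "true"
              and event.get("SignatureStatus") == "Valid")
    reasons = []
    if any(p.search(path) for p in SUSPECT_DIR_PATTERNS) and not signed:
        reasons.append("unsigned DLL loaded from user-writable directory")
    if API_SET_NAME.match(name) and not TRUSTED_DIR.match(path):
        reasons.append("api-ms-win-* name outside the Windows system directories")
    return reasons


def find_suspicious_loads(events):
    """Return (loading process, DLL path, reasons) for every event that trips a rule."""
    hits = []
    for ev in events:
        reasons = classify_image_load(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, dll, reasons in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}: {'; '.join(reasons)}")
```

Run against the constructed events, the rule flags the impersonating api-ms-win DLL on both counts and the plain unsigned Temp DLL on one, while the signed API-set forwarder under System32 passes. Treating "Signed" as true only when the signature status is also Valid matters: a present-but-invalid signature should not clear a file.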

The Find: This was an exploit launched by a phishing email sent to the faculty member. The attachment was based on the CryptXXX Ransomware family. See for details.

The Fix: Quarantine the infected laptop, and review email and browser logs to determine the attack vector. We would also suggest re-imaging the infected laptop before returning to service.

Then you can educate the faculty member on phishing attacks and prevention.

The Lesson: It’s a Mad, Mad, Mad, Mad World.