Angler EK goes Fishing

The Network: A well regarded private university with nationally ranked academic programs in the U.S.

The Expectation: A layered defense from edge to endpoint is protecting the network.

The Catch: Unsigned DLLs were executing on a faculty laptop in the AppData\Local\Temp, AppData\Local\Temp folder with names like api-ms-win-system-softpub-l1-1-0.dll.

The Find: This was an exploit launched by a phishing email sent to the faculty member. The attachment was based on the CryptXXX Ransomware family. See for details.

The Fix: Quarantine the infected laptop. Then, review email and browser logs to determine the attack vector, in order to educate the faculty member. And also, re-image the infected laptop before returning to service.

The Lesson: It’s a Mad, Mad, Mad, Mad World.