A Bumper Harvest - Cryptolocker Address Book Theft

Steve Barnes, Cyber Research 2 December 2015

Attackers use social engineering to exploit trust. An end user is more likely to open a malicious attachment or click a link if it appears to come from a trusted source...

Attackers use social engineering to exploit trust. An end user is more likely to open a malicious attachment or click a link if it appears to come from a trusted source. Your email client (e.g. Outlook, Thunderbird) maintains a "trust map" in the form of a contact database, aka address book.

Microsoft Outlook provides the Personal Address Book, Suggested Contacts and in Exchange environments, the Global Address List (GAL). The GAL typically holds contact information for employees, business partners, external contacts and distribution groups.

The Cryptolocker sample discussed on the Hiemdal Security Blog piqued our interest, particularly the observations relating to theft of address book content. Our analysis focused on code paths that interact with Microsoft Outlook and the Windows Address Book. Let's take a closer look...

Read this post in full and explore out technical Threat Research Blog.

top

Steve Barnes, Cyber Research 2 December 2015

A Bumper Harvest - Cryptolocker Address Book Theft

Related stories