Vulnerability Spotlight: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability

December 5, 2019, 6:20 am

≫ Next: Threat Source newsletter (Dec. 5, 2019)

≪ Previous: ClamAV team shows off new Mussels dependency build automation tool

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in a specific dll inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel

shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest usermode to cause an out-of-bounds memory read on vmware-vmx.exe process on host, or theoretically through WEBGL.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability (TALOS-2019-0890/CVE-2019-5098)

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. A specially crafted pixel shader can cause out-of-bounds memory read. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest, affecting VMware host.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that AMD ATIDXX64.DLL, version 26.20.13001.29010 running on the Radeon RX 550 / 550 Series inside of VMware Workstation 15 (15.1.0 build-13591040) with Windows 10 x64 as the guest VM.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 51461, 51462

↧

Threat Source newsletter (Dec. 5, 2019)

December 5, 2019, 11:00 am

≫ Next: Threat Roundup for November 29 to December 6

≪ Previous: Vulnerability Spotlight: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone had a safe and happy Thanksgiving in the U.S. The holiday shopping season is now in full swing, and there are plenty of deals to be had in stores and online. This also makes it a prime time for attackers to strike. For tips of how to stay safe when shopping this holiday season, check out our full blog post here.

This was also a busy week for vulnerabilities. We disclosed, and released protection, for bugs in the Forma learning management system, Accusoft ImageGear and EmbedThis’ GoAhead Web Server.

We also have a special surprise for you tomorrow. You’ll want to keep an eye on our blog, social media and your podcast feeds.

Upcoming public engagements with Talos

Event: “Signed, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks” at CactusCon
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Dec. 6 - 7
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: This talk will discuss the common techniques we’re seeing in supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. Nick and Edmund will walk through what a supply chain attack constitutes, the history of how these attacks have evolved, and where we see this attack technique moving in the future.

Cyber Security Week in Review

Italian spyware firm Hacking Team is back under new ownership after cratering in 2015. The new management says they are working toward ensuring the company’s technology isn’t abused.
A popular dark web site for selling spying tools was taken down after an international investigation. U.K. law enforcement officials said more than 14,500 people had purchased software from the site, many of whom are being charged with computer misuse crimes.
RCS, a messaging standard meant to replace SMS, is open to several different types of attacks. Despite the advertisement of RCS being more advanced, attackers could still exploit it to steal text messages and listen in on phone calls.
HackerOne, a bug bounty startup, awarded $20,000 to an independent security researcher who the company mistakenly gave inappropriate access to. An analyst sent a cURL command to the community member, which actually gave the user access to all of the bug reports the analyst had worked on.
The actors behind the Magecart credit card-skimming malware used Salesforce’s Heroku platform to host their scripts and stolen information. The group registered for a free Heroku account, using it as a free web hosting service.
Chinese hackers reportedly stole $1 million from a venture capital firm when it was attempting to wire transfer money to an Israeli startup. The group used man-in-the-middle techniques to impersonate emails from the two sides.
American data center provider CyrusOne was hit with a ransomware attack, believed to be in the Sodinokibi family. While the company had not publicly disclosed anything as of Thursday morning, it reportedly is working with law enforcement agencies to recover from the attack.
Pharmaceutical company Merck is still locked in a battle with the company that supplies its cyber insurance over who should pay for the recovery in the aftermath of the NotPetya infection in 2017. The question of whether the attack is covered could boil down to whether NotPetya should be considered an act of war.
The iPhone 11 Pro attempts to access the user’s location data, even if the user has forbidden all apps from accessing that information. However, Apple says this is simply part of the device’s design.
The FBI released a warning advising users that their new smart TVs could be open to cyber attacks. The advisory states an attacker could gain access to the TV and then begin changing the device’s settings or even display inappropriate content.

Notable recent security issues

Title: Forma LMS open-source program open to SQL injection attacks
Description: There are three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization. An attacker can send a web request with parameters containing SQL injection attacks to trigger these bugs.
Snort SIDs: 51611 – 51619 (By Marcos Rodriguez)

Title: Accusoft ImageGear PNG IHDR width code execution vulnerability
Description: Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle. This vulnerability is present in the Accusoft ImageGear library, which is a document-imaging developer toolkit.
Snort SIDs: 3132, 32889, 50806, 50807, 51530, 51531, 52033, 52034 (By Kristen Houser and Mike Bautista)

Most prevalent malware files this week

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd

SHA 256:a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1
MD5: ef048c07855b3ef98bd991c413bc73b1
Typical Filename: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd

SHA 256:49b9736191fdb2eb62b48e8a093418a2947e8d288f39b98d65a903c2ae6eb8f5
MD5: df432f05996cdd0973b3ceb48992c5ce
Typical Filename: xme32-501-gcc.exe
Claimed Product: N/A
Detection Name: W32.49B9736191-100.SBX.TG

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos

↧

Threat Roundup for November 29 to December 6

December 6, 2019, 10:31 am

≫ Next: Beers with Talos Ep. #67: Inside Incident Response

≪ Previous: Threat Source newsletter (Dec. 5, 2019)

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 29 and Dec. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Win.Malware.NetWire-7428720-1	Malware	NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Ransomware.Cerber-7419509-0	Ransomware	Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, this is no longer the case.
Win.Trojan.LokiBot-7420275-1	Trojan	Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents attached to spam emails.
Win.Dropper.Gh0stRAT-7414189-0	Dropper	Gh0stRAT is a well-known family of RATs designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Trojan.Zbot-7414153-0	Trojan	Zbot, also known as Zeus, is trojan that steals information such as banking credentials using methods like key-logging and form-grabbing.
Doc.Downloader.Emotet-7413880-1	Downloader	Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails.
Win.Dropper.Tofsee-7431752-0	Dropper	Tofsee is multi-purpose malware that features several modules that send spam messages, conduct click fraud, mine cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator’s control.
Win.Downloader.Phorpiex-7428338-0	Downloader	Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware to send spam emails to ransomware and cryptocurrency miners.

Threat Breakdown

Win.Malware.NetWire-7428720-1

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\NETWIRE`	14
`<HKCU>\SOFTWARE\NETWIRE Value Name: HostId`	14
`<HKCU>\SOFTWARE\NETWIRE Value Name: Install Date`	14
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{136PK353-UF88-3GCY-ILP2-6AY4D4SNW644}`	13
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKLM`	13
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{136PK353-UF88-3GCY-ILP2-6AY4D4SNW644} Value Name: StubPath`	13
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MServices`	1

Mutexes	Occurrences
`Global\<random guid>`	16
`imDfesUY`	13
`xtWSWREb`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`cobroserfinansa[.]com`	14

Files and or directories created	Occurrences
`%APPDATA%\Install`	15
`%TEMP%\<random, matching '[a-z]{4,9}'>.exe`	15
`%APPDATA%\Install\winlogon.exe`	14
`%TEMP%\7176.dmp`	1
`%APPDATA%\Install\MServicesNet.exe`	1
`%TEMP%\7134_appcompat.txt`	1

File Hashes

             038157ed389233fc4aae039df0806789f2c92b6e3947f36bc8f086ae16a7fd4e              182dadc51371a709b901f1de489a52ff7295749427a8cf9d112358a605e2ed6d              33d4c44c967c9ab53f3d04b0d11ac38f9fbc3f9d16e65cca170bd8c937589038              3cf7e6a7776e15f8c01bde5788e5e7dbbe25beb37e977abe38b3b4cb256c3ec3              527ff73f2e6d99bbcc7fa02804ab7380e2fe12689b70bb1b0840ac1b02331a93              5aa45dcf729d53a3fc6e5d02980835fe78f3f7b7ae262b8aebf2edb6abb59bc4              5f86aa7181604fadc92f1a976fdfff892cd9b515e59939d93941907a35762888              6485a616654adee2d573a983c687a8d8ea3d126dfbf86df3a065c5e7846bd57b              7746199aba6ad47bf92515db686f3a5e2accbdb2b7f480ac2af1e2c5c377a8eb              79aa89119d9e26dc366a7af72d47c323168d2ad881bca31e9075a41f5ce081f2              905b2347215e7ce0f02f8e7274941982c56c1b817fbfd4b9eaf97d2a65f6146d              91856d29ac1f9720917a40e5533c7dacf528b25acfb5a82a00f6882b053c9b5a              b18a45a4345f442efcc02d6efb9110b9e35bb98fac4613c83a39fecbee78aaa4              d26438798f502364eea85bbf2804165d0709b90833ddf4512f95ac77f881edaf              de8be762d85eb4014992a174acd115de70b89884d21933d7e972e6d4972904fe              def9d601134017c678cbd058f41b4ad7d3dd8d2c8ef1eef01a9a17ebf38ea6fa              e0acbefe824d29143e303ba8596d1436150bf1ad7ec533b56e4ae2b1bafcf07f              ea34a08deaac08c7f79e6cd2e94a74ad5b0c95dec43f81e0a218d957088b8f10

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Ransomware.Cerber-7419509-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000009 Value Name: Element`	12
`<HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\250000E0 Value Name: Element`	12
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: Run`	12
`<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR Value Name: AutoRun`	12
`<HKCU>\CONTROL PANEL\DESKTOP Value Name: SCRNSAVE.EXE`	12
`<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}`	12
`<HKCU>\PRINTERS\DEFAULTS`	12
`<HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\250000E0`	12
`<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} Value Name: Component_01`	12
`<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} Value Name: Component_00`	12
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: dnscacheugc`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: dnscacheugc`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: javaw`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: javaw`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: vssadmin`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: vssadmin`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: TCPSVCS`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: TCPSVCS`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: lodctr`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: lodctr`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: instnm`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: instnm`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: bootcfg`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: bootcfg`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ctfmon`	1

Mutexes	Occurrences
`shell.{381828AA-8B28-3374-1B67-35680555C5EF}`	12

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`216[.]239[.]38[.]21`	4
`216[.]239[.]32[.]21`	3
`216[.]239[.]36[.]21`	3
`216[.]239[.]34[.]21`	2

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`ipinfo[.]io`	12

Files and or directories created	Occurrences
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}`	12
`%System32%\Tasks\dnscacheugc`	2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\dnscacheugc.lnk`	2
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\dnscacheugc.exe`	2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\bootcfg.lnk`	1
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\bootcfg.exe`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\vssadmin.lnk`	1
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\vssadmin.exe`	1
`%System32%\Tasks\vssadmin`	1
`%System32%\Tasks\bootcfg`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ctfmon.lnk`	1
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\ctfmon.exe`	1
`%System32%\Tasks\ctfmon`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk`	1
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\resmon.exe`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\newdev.lnk`	1
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\newdev.exe`	1
`%System32%\Tasks\mfpmp`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\mfpmp.lnk`	1
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\mfpmp.exe`	1
`%System32%\Tasks\javaw`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\javaw.lnk`	1
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\javaw.exe`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\TCPSVCS.lnk`	1
`%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\TCPSVCS.EXE`	1

*See JSON for more IOCs

File Hashes

             0e1509af88618c8cb273196c4213e26c2219c3a1fba9ed8c51a22d871e316ccc              1d07399e5b31727fc4dadba07d062f7eff6864e33f17fb1a65f71b9b41b61282              34a0f0bc799b5fd0cf9a89bce7d2ca2da158cf22940212b5c09fb1ec64bc9b65              4a60b63273210c8ebc4e6d07fba9b331011f852f4f5c1b5b1ae7ab5aa7df0f03              8a6c828f54dc34e260698e0347cce9e62d8fbc773e265c39c63e812201533724              8aeadd92f66576dfd9b60ba352a7a61f43da7112eb127c28c5ceb54fb5e7b4c5              b590d46794fad9c62040ce7941cf775282d1939c45267ec955e9be6ee8dd092a              b8058ef9c3394ce2ea9318b06d6cf01080a0ad4ce87ee1cff78e57373192603e              bbd6aadc606953b27f5592a2da7909949616b81b4f767ded89119644a71d2dd7              c8af6329fcfdfd4f9df33f2f4f59fb958e2416eebe8d78ab1444e763cf04d08c              ce2b0b2037810060edbf86fc7ac78c5e0d4771b79181e39718498b02195e3642              efda569c35853456630d1e2fa27973aeb6386338f163ca0f60e3fbb4643a5b87

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.LokiBot-7420275-1

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS`	17
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\SETTINGS\LEAKDIAGNOSISATTEMPTED`	12
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\QUOTATION.EXE`	2
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\QUOTATION.EXE Value Name: LastDetectionTime`	2
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\QUOTATION`	2
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\QUOTATION\OPTIONS`	2
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\FILENAME`	2
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\FILENAME\OPTIONS`	2
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\46646D0F2E8E990ABE331586D98FE95A61DC40D7CB2C05144A09FD8B956F7526.EXE Value Name: LastDetectionTime`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\2374D2482BFECB87307D036B7E9750A0C28738C8A0AFD4ABF60A9B9EA3B81E83\OPTIONS`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9\OPTIONS`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\2374D2482BFECB87307D036B7E9750A0C28738C8A0AFD4ABF60A9B9EA3B81E83\OPTIONS Value Name: Show Tips at Startup`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9\OPTIONS Value Name: Show Tips at Startup`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674\OPTIONS`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674\OPTIONS Value Name: Show Tips at Startup`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\938456E91538B5F4267BEDB11D8CCA26229F3DBDB3C24FF3A1132F3970C0D24A\OPTIONS`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\938456E91538B5F4267BEDB11D8CCA26229F3DBDB3C24FF3A1132F3970C0D24A\OPTIONS Value Name: Show Tips at Startup`	1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674.EXE`	1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9.EXE`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\PAYMENT`	1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674.EXE Value Name: LastDetectionTime`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\PAYMENT\OPTIONS`	1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9.EXE Value Name: LastDetectionTime`	1
`<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\PAYMENT\OPTIONS Value Name: Show Tips at Startup`	1

Mutexes	Occurrences
`3749282D282E1E80C56CAE5A`	15
`eDZwOHM3`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`80[.]249[.]144[.]95`	4
`185[.]55[.]225[.]242`	3
`107[.]175[.]150[.]73`	3
`185[.]159[.]153[.]129`	2
`208[.]91[.]199[.]225`	1
`104[.]16[.]154[.]36`	1
`142[.]11[.]234[.]232`	1
`185[.]53[.]90[.]10`	1
`104[.]148[.]41[.]60`	1
`185[.]132[.]53[.]138`	1
`167[.]172[.]184[.]185`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`iranssp[.]ir`	2
`beyondlogx[.]com`	2
`whatismyipaddress[.]com`	1
`phoenixdevs[.]ir`	1
`kontrolreport[.]com`	1
`offsolo-gbb[.]tech`	1
`ray-den[.]xyz`	1
`avertonbullk[.]com`	1
`secure-n2[.]top`	1
`smtp[.]betaflexllc[.]us`	1
`protestlabsmovings[.]es`	1
`oscontinental[.]online`	1
`porno322[.]com`	1

Files and or directories created	Occurrences
`%APPDATA%\D282E1`	15
`%APPDATA%\D282E1\1E80C5.lck`	15
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5`	15
`%HOMEPATH%\subfolder`	5
`%HOMEPATH%\subfolder\filename.exe`	2
`%HOMEPATH%\subfolder\filename.vbs`	2
`%HOMEPATH%\subfolder\quotation.exe`	2
`%HOMEPATH%\subfolder\quotation.vbs`	2
`%APPDATA%\pid.txt`	1
`%APPDATA%\pidloc.txt`	1
`%TEMP%\holdermail.txt`	1
`%TEMP%\holderwb.txt`	1
`%TEMP%\bhvC037.tmp`	1
`%HOMEPATH%\subfolder\payment.exe`	1
`%HOMEPATH%\subfolder\payment.vbs`	1

File Hashes

             02b5ef62978197b43a62d05de25c67a67cb1b4a0f09111e79cc83688e7881674              2374d2482bfecb87307d036b7e9750a0c28738c8a0afd4abf60a9b9ea3b81e83              2a3ad80cfac1cd63eeba8f7d8019df51df16e22ef34d2826d0aba9a56cff5c60              2eee4a29498a0d25c8d53e306c3b2414b839363992364cabbbe3fe2fd46caa9c              32f8e0daef5bb91fb0908277ad5f5d2c97398a64a8c9ff60611a103ba0d5004f              46646d0f2e8e990abe331586d98fe95a61dc40d7cb2c05144a09fd8b956f7526              4b4ba6c0f8cbadc871bcc6b3e175a569fe292973499bbf239aaaff7e75495888              548bacb5d7484fd4d4328579d18b3e62fdbf6bb7acdf6ade4ddcf6a0db61847b              7936c85dd96e641541e6e39e7a7388b8b6b16ef97569a81efceaed4abdc62ad6              938456e91538b5f4267bedb11d8cca26229f3dbdb3c24ff3a1132f3970c0d24a              bb71b57a4cbf596fb6978df0e6fbdfbbbdebec8d182a62c6ecfbaa5261117aba              c5bb3fd84e761402d2da77b8c0462e9f670f56d65f3ccd602cfb4326c98c4c9a              c5f72bae432197bdbef019507fe69905549bbb7dcf9c455bd24e6eef008e96ea              cbb00a83c374bcca6a2bf0cbfabaf1f5c655d9cb046437225bbbd04988f22811              df289130d1adda822989a8255dcd2a417ad0a8f19d753dd9ebdaf78a13e3bf7e              e329ca0b2964c410ba3c5d228a13b27d733d7f9999dee5a6511f91ea891473a9              ebe841b611a116cee961119df457aaa5f8b5ada4dc6e93381d59d2bb12bdf522

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.Gh0stRAT-7414189-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: EM`	25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Micro`	15
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: SHR`	12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: Start`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV Value Name: Start`	2
`<HKLM>\SOFTWARE\MICROSOFT\OLE Value Name: EnableDCOM`	2
`<HKLM>\SOFTWARE\MICROSOFT\OLE Value Name: EnableRemoteConnect`	2
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\LSA Value Name: restrictanonymous`	2
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SECURITYPROVIDERS\SCHANNEL\PROTOCOLS\PCT1.0\SERVER Value Name: Enabled`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LANMANSERVER\PARAMETERS Value Name: AutoShareWks`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LANMANSERVER\PARAMETERS Value Name: AutoShareServer`	2
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SECURITYPROVIDERS\SCHANNEL\PROTOCOLS\PCT1.0`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Depend`	2
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SECURITYPROVIDERS\SCHANNEL\PROTOCOLS\PCT1.0\SERVER`	2
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob`	1
`<HKCU>\SOFTWARE\CSER_513_2`	1
`<HKCU>\SOFTWARE\CSER_513_2\14B65331773AD534DADA9C7B055E34A1E6AB2A54F3D8EEC4D1DA6298F0477C71`	1
`<HKCU>\SOFTWARE\CSER_513_2\14B65331773AD534DADA9C7B055E34A1E6AB2A54F3D8EEC4D1DA6298F0477C71\GAMESETTING`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ce`	1

Mutexes	Occurrences
`0x5d65r455f`	25
`Mhost123.zz.am:6658`	25
`host123.zz.am:6658`	25
`107.163.241.193:6520`	17
`M107.163.241.193:6520`	17
`107.163.56.251:6658`	12
`M107.163.56.251:6658`	12
`{1B655094-FE2A-433c-A877-FF9793445069}`	1
`Local\https://pos.baidu.com/`	1
`Global\a80e8341-11ce-11ea-a007-00501e3ae7b5`	1
`D`	1
`CiM`	1
`Crack iN Morroco 2k7`	1
`174.139.81.2:3204`	1
`M174.139.81.2:3204`	1
`Global\a9c98181-11ce-11ea-a007-00501e3ae7b5`	1
`Local\https://www.onlinedown.net/`	1
`root em up`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`107[.]163[.]43[.]143`	25
`107[.]163[.]43[.]235`	25
`107[.]163[.]43[.]236`	25
`49[.]7[.]37[.]126`	23
`107[.]163[.]241[.]193`	17
`107[.]163[.]241[.]185`	15
`107[.]163[.]241[.]186`	15
`107[.]163[.]56[.]251`	12
`107[.]163[.]43[.]161`	12
`107[.]163[.]56[.]240/31`	12
`107[.]163[.]241[.]181`	2
`107[.]163[.]43[.]144`	2
`107[.]163[.]241[.]182`	2
`204[.]79[.]197[.]200`	1
`111[.]202[.]114[.]81`	1
`104[.]192[.]110[.]245`	1
`103[.]235[.]46[.]191`	1
`180[.]163[.]251[.]231`	1
`172[.]217[.]197[.]155`	1
`185[.]10[.]104[.]120`	1
`172[.]217[.]7[.]14`	1
`218[.]30[.]115[.]123`	1
`218[.]30[.]115[.]254`	1
`39[.]156[.]66[.]108`	1
`113[.]96[.]178[.]35`	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`blogx[.]sina[.]com[.]cn`	25
`blog[.]sina[.]com[.]cn`	25
`host123[.]zz[.]am`	25
`s[.]360[.]cn`	1
`cpro[.]baidustatic[.]com`	1
`flashservice[.]adobe[.]com`	1
`www[.]beian[.]gov[.]cn`	1
`zz[.]bdstatic[.]com`	1
`dup[.]baidustatic[.]com`	1
`www[.]google-analytics[.]com`	1
`stats[.]g[.]doubleclick[.]net`	1
`www[.]yisu[.]com`	1
`js[.]users[.]51[.]la`	1
`ia[.]51[.]la`	1
`www[.]pcsoft[.]com[.]cn`	1
`www[.]onlinedown[.]net`	1
`si[.]trustutn[.]org`	1
`e[.]so[.]com`	1
`sqdownb[.]onlinedown[.]net`	1
`www[.]idc400[.]com`	1
`bgp[.]zzidc[.]com`	1
`hj[.]dun[.]gsxzq[.]com`	1
`news[.]onlinedown[.]net`	1
`s[.]ssl[.]qhres[.]com`	1
`uuid[.]users[.]51[.]la`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`\1.txt`	55
`%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.dll`	54
`%TEMP%\<random, matching '[a-z]{4,9}'>.exe`	50
`%ProgramFiles%\<random, matching '[a-z]{5,8}'>`	49
`%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.exe`	39
`%TEMP%\<random, matching '[a-z]{8}'>.exe`	11
`%TEMP%\1.reg`	2
`%ProgramFiles%\korlu\11221450`	2
`%ProgramFiles%\fsshxf\11271508`	2
`%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe`	2
`%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx`	1
`\tre.bat`	1
`%TEMP%\slseyc\nfiav.dll`	1
`\a.bat`	1
`%ProgramFiles%\vpcat\11271508`	1
`%ProgramFiles%\blzmv\11271508`	1
`%ProgramFiles%\zuxlr\11271508`	1
`%ProgramFiles%\hyabka\11271508`	1
`%ProgramFiles%\gkzmahvre\11271508`	1
`%ProgramFiles%\gkzmahvre`	1
`%ProgramFiles%\yudusnhlp\11271508`	1
`%ProgramFiles%\jkixqof\11271508`	1
`%ProgramFiles%\yudusnhlp`	1
`%ProgramFiles%\tjsmc\11271508`	1
`%ProgramFiles%\ezsor\11271508`	1

*See JSON for more IOCs

File Hashes

             00275609032024a2a413b2697b6763c964a5eeb54709ae803b68d5a77d1b46a4              019f88e9cc8c503c1ac8c6054beb978b445922cf5857f347bc8b2193a0592e82              037e1df212fbfc6c77ea55754f52b11366da8e0fd5437834762339a30e705614              04d5f107aa253ca81d99fce0201dcb6da6b21497fce62e2d37a90661951c63d8              06ee23a5be29f166749cd47784c9dafe66c0ca4ec7b70e6e837e59ccd5a02c63              072e4fa823cf7e9646dd7e1aaa3a308d9e789700dccffacfb646bf7c7fad9ad3              07ffdb94e32a95dc75d39528b3bddc362006719fc0970c47259fc8debeaee066              08e84db9a91341f82d0dc50775e75879fc2ac20ede3abffe53cf35dc9a656019              094797bbc7234e18f2a7a30fc182a690f2f7f7b080b889ab5e6c87bb730bc911              0a03aba2e42912a9c43e5cd9c724c4991007ecd6950bda27e82446070a08bb02              0a44d155b4568d97d161d18e90e4c9e719e4c37769c2a32ca5a41d56cc101172              0af079ed6e9914b102d9c3007e7c96318a1fdb659212c35f22e2e5293d8cbeb9              0c7cf7681e128b45acaf925d598acf037177748402ab92fdf114a4d2dc5fd4ae              0dc8ab2ec624c65ff0c071b80b349c8e6de4fc4491e9751e099b63ce98c8c52e              0dd6bc63d982e053c01753cb5819362827bde9338b3d28a0b17669c0523489e0              0f75c94f848e561c2fe1bd90a5260e47267c334444579530ddfe2ad90f0e6806              1035eeb50c81c381f7b2909d062fb6d51d9e6ddc8c68478a3ef67d7b4a67b0f6              10eab7f3db36eacd08880c4998ab351c535f8b728cb0ed484edd0e84b5bdaf03              10fa3fefcb91d40da3285b063a8fd2c2f9187c1990689a487f1f2fea4a2e9240              12ebbeecf708d23ad4b4510374a622df85f5aaa806939204357f3d330b6de8d7              1439afcf233b1c829cbac8747623b3b05332ecd057660bc3639980ada64d1149              1466341e7ff5ca7511306ddd2253a03f5b81cfab21bda6ddd32047bd3f7e4011              14b65331773ad534dada9c7b055e34a1e6ab2a54f3d8eec4d1da6298f0477c71              1564fc8499c21f5426c4f15aaab34acc8936b43df39464f88003209c0ae3ea17              15c6ec4928627e4f9c56c567811e5b0b0b6c20b32374ac931257145d42365b61

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Trojan.Zbot-7414153-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY Value Name: CleanCookies`	1
`<HKCU>\SOFTWARE\MICROSOFT\DUQY Value Name: Sianile`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Uroxiqakh`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 Value Name: CheckSetting`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 Value Name: CheckSetting`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 Value Name: CheckSetting`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 Value Name: CheckSetting`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 Value Name: CheckSetting`	1
`<HKCU>\SOFTWARE\MICROSOFT\DUQY`	1

Mutexes	Occurrences
`GLOBAL\{<random GUID>}`	1
`Local\{<random GUID>}`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`5[.]56[.]133[.]47`	1

Files and or directories created	Occurrences
`%System32%\wbem\Logs\wbemprox.log`	1
`%TEMP%\tmp647c181c.bat`	1
`%TEMP%\tmp246f2f8d.bat`	1
`%APPDATA%\Adbe`	1
`%APPDATA%\Adbe\udef.unu`	1
`%APPDATA%\Cukeba`	1
`%APPDATA%\Cukeba\xoafe.idl`	1
`%APPDATA%\Olehse`	1
`%APPDATA%\Olehse\okop.exe`	1
`%APPDATA%\Fireh\isnib.exe`	1
`%APPDATA%\Igyg\cuhia.obu`	1
`%APPDATA%\Igyg\cuhia.tmp (copy)`	1

File Hashes

             072bcc63bca4fa1946c71a3f9562a6d76af8fd1a5034132e2befbbde9aba9c98              15c235fefdfd798bff9bf039155762f0c0674cbf239c10df6aca52a7e2139488              2ccfd0f36677f438ff1120f21d6e5929d91531fd965dda6232ddd6de7a0c52d9              37403ce75f4908eb2e823a4e8c56c410e57441dde38c022819521a7fc3358701              40ecf36a4c2474cfff01980d68602d7bbaacfca2bdfda5ac58390b57c73b424a              522ce96681db4ef5d4731a8cf2007e7a46e650fc2f547f88d492700970b6af61              5409660ef23234d04ad204cb3791a96b3895286e258be036bfb43410e1dca08f              59b94ae4bdf3a3f4291e67e73316632b73a369391fbed4d8f3259d0ff0dc5468              66c6cb07d601f35490752227fe1d4687fbbc47af0f219eb178f89c670adccb0a              8914444fb30823c586d7df581c201dad5f1428284b7880395f2bc49ece5a1611              8daf28936db0201df94f89bd80acaae000fa018f93d6d1a1dc131b91be665382              8ea4ffdbfb16cd39bdf20a5a51ffbd6a523b78ad9a2c78bfffb46fcf0653f550              924f2ea483135213b988584241da5e5b8b152ab427fa933089e493d2dcd92c34              a807970fdd58b833a23e0c8b611a17ea5448399336f3ec0a3ecd5036486c0b08              b22e02f4a2e6a2deabbc8ed5c7ff7d30c07c43d80e8d9d50ca1c85724a008619              b2787b4197407051f4a5fe4ddc6b483d3245222d0b6301ba67e7feae14b87342              b5f339fcebb67c4826f94c31eab0a3e8e8137a65204b03c8ee6a72a1a313a48e              bf315e9e1ac06c214296722191b08a2925e5ed49dfcbba616606b8422047cb63              e014acc73e32e1d1cb74ab4049b46abb2bd5c06ee9d4c82aeca7f4440cbb011d              e3ced6661c4f5fd339cba232c6693c79d30dd5bc8db5882e7a86e959537af18d              f50b78d0ffed37ecbab524a44b4606ab7246711b3487af0a17343fb5fc93ffba              fa58139b16a96c81b415d2cfe950fff73ca98ba9f0e09c753cb16cbb4b18b820

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

AMP

ThreatGrid

Doc.Downloader.Emotet-7413880-1

Indicators of Compromise

Registry Keys	Occurrences
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyEnable`	15
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyServer`	15
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyOverride`	15
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoConfigURL`	15
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoDetect`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA`	13
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Type`	13
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Start`	13
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ErrorControl`	13
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ImagePath`	13
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: DisplayName`	13
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: WOW64`	13
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ObjectName`	13
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ONDEMANDINTERFACECACHE`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\APPLICATIONVIEWMANAGEMENT\W32:0000000000080070`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\APPLICATIONVIEWMANAGEMENT\W32:0000000000080070 Value Name: VirtualDesktop`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\APPLICATIONVIEWMANAGEMENT\W32:000000000001025C`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\APPLICATIONVIEWMANAGEMENT\W32:000000000001025C Value Name: VirtualDesktop`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: Type`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: Start`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: ErrorControl`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: ImagePath`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: DisplayName`	2
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: WOW64`	2

Mutexes	Occurrences
`Global\I98B68E3C`	13
`Global\M98B68E3C`	13
`Global\IC019706B`	2
`Global\MC019706B`	2
`Global\Nx534F51BC`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`59[.]110[.]18[.]236`	15
`103[.]211[.]218[.]205`	15
`45[.]56[.]88[.]91`	12
`51[.]254[.]137[.]156`	8
`192[.]241[.]131[.]79`	7
`51[.]68[.]220[.]244`	6
`206[.]81[.]10[.]215`	4
`217[.]149[.]241[.]121`	3
`74[.]208[.]5[.]15`	2
`169[.]254[.]255[.]255`	2
`17[.]36[.]205[.]74`	1
`173[.]194[.]204[.]109`	1
`94[.]100[.]180[.]160`	1
`107[.]14[.]73[.]68`	1
`81[.]88[.]48[.]66`	1
`184[.]106[.]54[.]11`	1
`208[.]124[.]213[.]186`	1
`95[.]216[.]33[.]71`	1
`64[.]41[.]126[.]110`	1
`64[.]98[.]36[.]173`	1
`94[.]152[.]153[.]134`	1
`143[.]95[.]235[.]37`	1
`216[.]177[.]141[.]15`	1
`52[.]96[.]38[.]82`	1
`173[.]254[.]28[.]125`	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`headonizm[.]in`	15
`qantimagroup[.]com`	8
`smtp[.]mail[.]com`	2
`smtpout[.]secureserver[.]net`	2
`smtp-mail[.]outlook[.]com`	1
`smtp[.]mail[.]ru`	1
`ssl0[.]ovh[.]net`	1
`smtp[.]qiye[.]163[.]com`	1
`mail1[.]hostingplatform[.]com`	1
`smtp[.]corteshermanos[.]com`	1
`mail[.]rekaicentres[.]com`	1
`mail[.]fusat[.]cl`	1
`mail[.]hces[.]net`	1
`mail[.]mccmh[.]net`	1
`manabi[.]ecuahosting[.]net`	1
`smtp[.]cuttingedgestoneworks[.]com`	1
`p52-smtp[.]mail[.]me[.]com`	1
`smtp[.]siteprotect[.]com`	1
`lawyers-mail[.]com`	1
`mail[.]ec[.]rr[.]com`	1
`just125[.]justhost[.]com`	1
`mail[.]effinger-zentrum[.]ch`	1
`mail[.]smscomm[.]net`	1
`authsmtp[.]securemail[.]pro`	1
`mail[.]lignum[.]com[.]gt`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%HOMEPATH%\419.exe`	15
`%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\9bdfb692c085f99347f09462e5cd5445_9979f91c-9ae8-458a-b442-fe95beaeef26`	2
`%ProgramData%\gny7.exe`	1

File Hashes

             0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab              1220dd6c5523dc0b6b6409e5b739216bc979826bcb8e43428f0889ff120fd63d              1ff11781388f142f3dd92900380de4501f12f652d20911b502dbea6d4e7c2533              2c9b1c7443421bc46987ae098dd00fa013b9722dfe6b6b518c3ab474d888d984              456f0957a36e00bf03b0e37d18e119d74b3bb08054f6248a2e7e87ddb93d7782              4bbdbcf77feea35ec8ebddead4ed7274c8404c5fe2df5d24029488424f1ce875              81fc2cb7ae6b7006b185b89427136ab8a520cbd687d0bbb5f1fc31b1a1c0f4ba              83fe7400534e8efcc5cec209b9b2835d61be0d88914bbfd6495fb675378aa2dd              8c483708b5b4230562f3d0d4dce10c6168b94ccb6e85ff5052c42513feda741e              9f48da5cd641b0bb9dffd3dec5d2442da67ed23367331eb8c181fc61ee54c41e              c8078630214d7c029d23de03dedb7fab8a2f7f8df12ba99245682e3ca235179b              ce11fa55f6717dadca7bdd3759b3d46217d085e78ea8bb94bb8145754741b5c5              e0ab84847c95820096ec02c1c23c15589320ddc180e6d9f0d61315409b755dc8              e74421edc6c5a113acbd4f754d64ac9502f59cbdae14ffa129357bc5251e9afc              f3de992434fc44f62318ddbe2c209a11af19205bb347dac52d7534e7f3c5579a

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Dropper.Tofsee-7431752-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description`	14
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0`	14
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1`	14
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ImagePath`	11
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3`	9
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2`	9
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\lesyxfla`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\slzfemsh`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\rkyedlrg`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\haoutbhw`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\athnmuap`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\jcqwvdjy`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\piwcbjpe`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\dwkqpxds`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\fymsrzfu`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\xqekjrxm`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\qjxdckqf`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`67[.]195[.]228[.]110/31`	15
`172[.]217[.]197[.]26/31`	15
`69[.]55[.]5[.]250`	14
`43[.]231[.]4[.]7`	14
`64[.]233[.]186[.]26/31`	14
`81[.]19[.]78[.]64/30`	14
`98[.]136[.]96[.]74/31`	14
`98[.]136[.]96[.]76/31`	14
`85[.]114[.]134[.]88`	14
`77[.]88[.]21[.]89`	13
`209[.]85[.]202[.]26/31`	13
`172[.]217[.]7[.]132`	13
`213[.]180[.]193[.]89`	12
`67[.]195[.]204[.]72/30`	12
`148[.]163[.]158[.]5`	11
`67[.]195[.]228[.]109`	11
`67[.]195[.]228[.]94`	10
`31[.]31[.]194[.]100/31`	10
`98[.]136[.]96[.]92/31`	10
`46[.]4[.]52[.]109`	9
`67[.]195[.]204[.]79`	9
`46[.]28[.]66[.]2`	9
`78[.]31[.]67[.]23`	9
`188[.]165[.]238[.]150`	9
`93[.]179[.]69[.]109`	9

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`250[.]5[.]55[.]69[.]in-addr[.]arpa`	14
`microsoft-com[.]mail[.]protection[.]outlook[.]com`	14
`list[.]ru`	13
`mx0b-001b2d01[.]pphosted[.]com`	11
`mx[.]yandex[.]ru`	9
`yandex[.]ru`	9
`mta5[.]am0[.]yahoodns[.]net`	9
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net`	9
`aol[.]com`	9
`yahoo[.]co[.]uk`	9
`irina94[.]rusgirls[.]cn`	9
`anastasiasweety[.]rugirls[.]cn`	9
`beautyrus[.]cn`	9
`smtp[.]secureserver[.]net`	8
`mxs[.]mail[.]ru`	8
`mail[.]ru`	8
`mx[.]yandex[.]net`	8
`eur[.]olc[.]protection[.]outlook[.]com`	8
`hotmail-com[.]olc[.]protection[.]outlook[.]com`	8
`mx1[.]emailsrvr[.]com`	8
`mx-apac[.]mail[.]gm0[.]yahoodns[.]net`	7
`bk[.]ru`	7
`mx-eu[.]mail[.]am0[.]yahoodns[.]net`	7
`inbox[.]ru`	7
`smtp-in[.]orange[.]fr`	7

*See JSON for more IOCs

Files and or directories created	Occurrences
`%TEMP%\<random, matching '[a-z]{8}'>.exe`	16
`%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)`	16
`%SystemRoot%\SysWOW64\config\systemprofile`	14
`%SystemRoot%\SysWOW64\config\systemprofile:.repos`	14
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>`	14
`%TEMP%\hjekdqa.exe`	1
`%TEMP%\yavbuhr.exe`	1

File Hashes

             109ca5f094a4e98b6dac4191043bcbc4a9e849a456ca581226f42fdd7812966a              2835bade0deb4c1f1af1beff0102a7122990fd5b868f82b5f23b5ddea782d862              284d642a2ae70ba3890f39595cf215c06037f514580bcc8766b3c136cb1c4df9              2c84c7ac4fdbcaba7ac72b01a03d5ee7d62db4e4986670d17d420a45872f3158              30cadaa9bbf5f83ebad9e4738db169bacca7f78b4ae4256cc326533099dd64c2              64a3e41af01cf5443314c0d49d7a83f081c99dbadda2dfe2af5d93ff49464f4b              74ac087c43dc71971fddc1d65b4586b57d4b6ec6182914d0d176722a3a70b4bc              7c6e8e91b032ae87eb17d1ff4edfdbf9f3d2b7e6cc1849cadffd40650f073538              84c98359fa8967beb941ffa16550358d39e1fd005dccbc697267b6f170c08aeb              91637560be3528716ac0c5586b39c763c54798a0b03a55db086a3128fa665fee              973e8cb33dae5fab6505ffb140ad80587081f131bb6bb5305582e874ec8d10b0              d0ec6c954e91bde1e104cec6f316aa1d2f94389883d602790aec0128f492547c              e46c3033d16ed60026ee74546aaaf17fe0e0dccfe9c40bd0b434758c01fc8a17              eab97c31815fc018ec26360c575b02ec3cf7595c1c4c6bcd121ee2123335515f              eaf18fa3b771523ea252436b6dd15d1c2e0d6f93a17f5a861251dbc38f0cf951              f551911671d006e8164ba14c2024bbe55646f5e1ec6c4fb16b7f199c51be6864

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Downloader.Phorpiex-7428338-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusOverride`	17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusDisableNotify`	17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: FirewallDisableNotify`	17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: FirewallOverride`	17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesDisableNotify`	17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE Value Name: DisableSR`	17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesOverride`	17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AutoUpdateDisableNotify`	17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Microsoft Windows Services`	16
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Microsoft Windows Services`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Microsoft Windows Driver`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Microsoft Windows Driver`	1

Mutexes	Occurrences
`<random, matching [a-zA-Z0-9]{5,9}>`	5
`5500330044`	2
`60807405680`	1
`65078708650`	1
`55970850860`	1
`459500033940`	1
`8855858939`	1
`959505030340`	1
`3949400403930`	1
`974795976050`	1
`56495605470`	1
`8800550044`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`193[.]32[.]161[.]77`	10
`94[.]156[.]133[.]65`	6
`92[.]63[.]197[.]153`	5
`92[.]63[.]197[.]59`	5
`92[.]63[.]197[.]60`	3
`95[.]81[.]1[.]43`	3
`193[.]32[.]161[.]73`	2
`199[.]73[.]55[.]48`	2
`193[.]32[.]161[.]69`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`teubeufubg[.]su`	7
`weoghehofu[.]su`	7
`xiheiufisd[.]su`	7
`aieieieros[.]su`	7
`teoghehofu[.]su`	7
`weubeufubg[.]su`	7
`xeoghehofu[.]su`	7
`wniaeninie[.]su`	7
`tieieieros[.]su`	7
`xieieieros[.]su`	7
`aeoghehofu[.]su`	7
`wiaeufaehe[.]su`	7
`weuaueudgs[.]su`	7
`wbaeubuegs[.]su`	7
`wieieieros[.]su`	7
`abaeubuegs[.]su`	7
`tbaeubuegs[.]su`	7
`aniaeninie[.]su`	7
`xbaeubuegs[.]su`	7
`teuaueudgs[.]su`	7
`wiheiufisd[.]su`	7
`xniaeninie[.]su`	7
`tiheiufisd[.]su`	7
`aiheiufisd[.]su`	7
`aeubeufubg[.]su`	7

*See JSON for more IOCs

Files and or directories created	Occurrences
`\_\DeviceManager.exe`	17
`\.lnk`	17
`E:\.lnk`	17
`E:\_`	17
`E:\_\DeviceManager.exe`	17
`%APPDATA%\winsvcs.txt`	16
`%SystemRoot%\2043700216632254`	2
`%SystemRoot%\2043700216632254\winpmmt.exe`	2
`%SystemRoot%\5037867818202168\winxvbc.exe`	1
`%SystemRoot%\1751841511079533\winhlyh.exe`	1
`%SystemRoot%\1927513612308752\winqfmt.exe`	1
`%SystemRoot%\7596387610791212\winthul.exe`	1
`%SystemRoot%\19947372186510550`	1
`%SystemRoot%\19947372186510550\wingtph.exe`	1
`%SystemRoot%\7815933519548311`	1
`%SystemRoot%\7815933519548311\winpyzz.exe`	1
`%SystemRoot%\4232647816716713`	1
`%SystemRoot%\4232647816716713\winzsjy.exe`	1
`%SystemRoot%\9082268219092826`	1
`%SystemRoot%\9082268219092826\winzpox.exe`	1
`%SystemRoot%\6188541715897433`	1
`%SystemRoot%\6188541715897433\winngob.exe`	1
`%SystemRoot%\1917973613436861`	1
`%SystemRoot%\1917973613436861\windcnw.exe`	1
`%SystemRoot%\4140102414092928`	1

*See JSON for more IOCs

File Hashes

             12c7c57286a5c532800495f1b9c8c5415dbaf5539aec177009845e9ac3508be3              22854dc3febbab0b72663b08bbdda7a4ee4dc501764876b2160a8d982700b4f8              22b67655c0bee80c3afb4da0811ab18da62ca2b053f958864131722708c30be1              506e17946a441837e8c42374d565cfc7331bf2e706124aa122710cf19f380fcf              5150389a6d1c556e7d99671f1d3fbed15e5fd5cf01f26ea9638f08708a77a36f              63eb4701bed59eeeeb937dcae9d28631c98c886cf4a72e38e851a0725641922f              6dde1772c9b506f82178de0a14ad8cc7721c5f0dafb22088703b1e8dade3adc6              6f7aa9178d9cfdc6b873d54740d08f8bbb73a53f2d52453ec904d1314f5153b6              75e85527ae7786063af164c13b8c7df2f248cb4e7253d41ef444a3b84aba5219              9c88188624210f684d7aab8447c2fb50882139cca5d1bdac72838c4e76650251              af0e787fd0b006c04b60eb5d69b815d053ef774fa2d0be00a246ce4a018e85cf              be5004b5f58595bfdf4cb2f317bc7dfb2d66f50f1adabb177b76fdab997a21bb              c0c1e55d87fc372bba9454d65f4f99b64ee2002743f4195cba72bae642beb7f9              cbab761baf4042ba54d4471df336c65cecf253e5d2ad0a61e51199bf4355f3a5              cfc2091a57f78ac04de77c5dd72aae7be27d5633d87b0d104430f50ade7b6a73              e2ac54ca79debd49bbe0efc028d43f6793f23a903f4410003c0eba709cdff406              f0b61687dea12c0981e6226eaa6bfe3889c710b1347c6c8a89eb220bd4dc3204

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (15141)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Process hollowing detected - (348)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Dealply adware detected - (346)

DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Kovter injection detected - (334)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Excessively long PowerShell command detected - (287)

A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

Gamarue malware detected - (217)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Installcore adware detected - (110)

Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

Special Search Offer adware - (40)

Special Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.

Reverse http payload detected - (26)

An exploit payload intended to connect back to an attacker controlled host using http has been detected.

Corebot malware detected - (19)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

↧

Beers with Talos Ep. #67: Inside Incident Response

December 9, 2019, 7:53 am

≫ Next: Vulnerability Spotlight: Multiple vulnerabilities in LEADTOOLS software

≪ Previous: Threat Roundup for November 29 to December 6

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 67 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Nov. 21, 2019

Craig is out sick/injured/fighting robots (actually all three), so we brought in Sean Mason from Talos IR to talk shop today and give you the inside scoop on IR (and Sean’s next-level beard care regimen). How do incidents affect the enterprise and consumers? How has the advent of widespread ransomware fundamentally shifted the burden of responsibility in the c-suite and what have been the outcomes? What does a responder have in the bag when they arrive on-site?

The timeline:

01:20 – Roundtable: Nigel heads to Anfield, show and tell with Joel, Matt wants Cats cosplay
12:08 – Meet Sean Mason, head of Talos IR group.
17:20 – Ransomware hand insurance have changed the conversation and shifted the burden for CISOs
22:45 – Being proactive BEFORE the incident even occurs: and being the steadiest hand when it does
30:40 – The moment Sean’s went wrong with “gif” - Tweet Craig for your chance at a Talos loot crate.
34:15 – The crew infiltrates Sean’s teams chat channel, and they deliver top-shelf questions for Sean from the worst incidents they have seen (and USB keys in the parking lot) to the best headphones for travel
45:35 – Sean finally figures out Matt and Mitch are all up in his team chat
47:30 – Closing thoughts and parting shots

Some other links:

No links today

==========

Featuring: Joel Esler (@JoelEsler), Matt Olney (@kpyke), and Nigel Houghton (@EnglishLFC). Special Guest: Sean Mason (@SeanAMason)
Hosted by Mitch Neff (@MitchNeff)

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

↧

Vulnerability Spotlight: Multiple vulnerabilities in LEADTOOLS software

December 10, 2019, 10:34 am

≫ Next: Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage

≪ Previous: Beers with Talos Ep. #67: Inside Incident Response

Marcin Towalski and Cory Duplantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the LEADTOOLS line of imaging toolkits. LEADTOOLS is a collection of toolkits designed to perform a variety of functions aimed at integrating documents, multimedia and imaging technologies into applications. All of the software is produced by LEAD Technologies Inc. LEADTOOLS offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc.), that are all geared toward building

applications for medical systems. Various pieces of LEADTOOLS contain vulnerabilities that could be exploited by malicious actors to carry out a number of actions, including denial-of-service conditions and the exposure of sensitive information.

In accordance with our coordinated disclosure policy, Cisco Talos worked with LEAD Technologies to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

LEADTOOLS JPEG2000 Isot parsing memory corruption vulnerability (TALOS-2019-0945/CVE-2019-5154)

An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20.0.2019.3.15. A specially crafted J2K image file can cause an out of bounds write of a null byte in a heap buffer, potentially resulting in code execution. An attack can specially craft a J2K image to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

LEADTOOLS CMP-parsing code execution vulnerability (TALOS-2019-0877/CVE-2019-5085)

An exploitable code execution vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption. An attacker can send a packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

LEADTOOLS libltdic.so DICOM LDicomNet::receive information disclosure vulnerability (TALOS-2019-0882/CVE-2019-5090)

An exploitable information disclosure vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an out-of-bounds read, resulting in information disclosure. An attacker can send a packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

LEADTOOLS libltdic.so LDicomAssociate::SetBinary denial-of-service vulnerability (TALOS-2019-0883/CVE-2019-5091)

An exploitable denial-of-service vulnerability exists in the Dicom-packet parsing functionality of LEADTOOLS libltdic.so version 20. A specially crafted packet can cause an infinite loop, resulting in a denial of service. An attacker can send a packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

LEADTOOLS libltdic.so LDicomAssociate::SetBinary denial-of-service vulnerability (TALOS-2019-0884/CVE-2019-5092)

An exploitable heap out-of-bounds write vulnerability exists in the UI tag-parsing functionality of the DICOM image format of LEADTOOLS 20. A specially crafted DICOM image can cause an offset beyond the bounds of a heap allocation to be written, potentially resulting in code execution. An attacker can specially craft a DICOM image to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

LEADTOOLS libltdic.so DICOM LDicomNet::SendData code execution vulnerability (TALOS-2019-0885/CVE-2019-5093)

An exploitable code execution vulnerability exists in the DICOM network response functionality of LEADTOOLS libltdic.so version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption. An attacker can send a packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 20.0.2019.3.15 of LEADTOOLS is affected by these vulnerabilities.

Coverage

↧

Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage

December 10, 2019, 10:41 am

≫ Next: Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP

≪ Previous: Vulnerability Spotlight: Multiple vulnerabilities in LEADTOOLS software

By Jon Munshaw.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical.

This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Critical vulnerabilities

Microsoft disclosed two critical vulnerabilities this month, both of which we will highlight below.

CVE-2019-1468 is a remote code execution vulnerability in the Windows font library that exists due to the library improperly handling some embedded fonts. An attacker could exploit this bug by using a specially crafted, malicious embedded font on a web page, and then trick the user into visiting that web page. Alternatively, a user would need to open a specially crafted font file on their machine.

CVE-2019-1471 is a remote code execution vulnerability in the Hyper-V hypervisor. Hyper-V can sometimes fail to properly validate input from an authenticated user on a guest operating system. An attacker could exploit this vulnerability by running a specially crafted application on a guest OS, which would cause the Hyper-V host OS to execute arbitrary code on the host operating system.

Important vulnerabilities

This release also contains 23 important vulnerabilities, three of which we will highlight below.

CVE-2019-1458 is an elevation of privilege vulnerability in Windows' Win32k component. An attacker could exploit this vulnerability by logging onto a system, then running a specially crafted application that would allow them to take complete control of the system and execute arbitrary code in kernel mode. Microsoft reports that this vulnerability has been used in the wild.

CVE-2019-1469 is an information disclosure vulnerability in Windows that arises when the win32k component fails to provide kernel information. An attacker could exploit this vulnerability to obtain uninitialized memory and kernel memory, which could then be used in additional attacks.

CVE-2019-1485 is a remote code execution vulnerability in the VBscript engine. An attacker could exploit this vulnerability to corrupt memory of the affected system in a way that would allow them to execute arbitrary code in the context of the current user. To trigger this vulnerability, a user would have to visit a malicious, specially crafted website in the Internet Explorer web browser. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that utilizes Internet Explorer's rendering engine, and then trick the user into opening that file.

The other important vulnerabilities are:

Coverage

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

These rules are: 52402, 52403, 52410, 52411, 52419, 52420

↧

Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP

December 10, 2019, 11:46 am

≫ Next: Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader

≪ Previous: Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage

A Cisco Talos researcher discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered two issues in two implementations of Microsoft Remote Desktop Services: a denial-of-service vulnerability that affects Windows 7/Windows Server 2008 (when RDP 8.0 is enabled), Windows 8/Server 2012, and Windows 10/Server 2016. The Remote Desktop Protocol is used by Remote Desktop Services in order to allow a user or administrator to take control of a remote machine via a network connection. The denial-of-service vulnerability exists after the connection setup when one is able to perform the license exchange, and the information leak vulnerabilities exist during the connection setup of the process where the client and the server negotiate various aspects relevant to the session They could be exploited by an attacker to cause a denial of service or leak information, respectively. Microsoft disclosed these issues as part of December’s Patch Tuesday. For more on the company’s latest security updates, check out Talos’ full blog here, and our Snort coverage here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. Microsoft is providing a patch for all of the affected versions of Windows with regards to the denial of service vulnerability but has declined to provide a patch for the Windows XP vulnerability due to the fact that it is out of support. It is recommended that users of Windows XP upgrade to a more recent operating system.

Vulnerability details

Microsoft Remote Desktop Services (RDP8) license negotiation denial-of-service vulnerability (TALOS-2019-0901/CVE-2019-1453)

An exploitable denial-of-service vulnerability exists in the RDP8 implementation of Microsoft's Remote Desktop Services. A certain component of license negotiation can allow a remote client to read an arbitrary amount of memory that is controlled by the client. Due to this, a client can coerce the component to either make a repeatable controlled allocation or read from memory that is unmapped, resulting in a denial-of-service condition. An attacker can negotiate capabilities and then send a particular packet type in order to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Remote Desktop Services (RDP7) Windows XP multiple information leak vulnerabilities (TALOS-2019-0895/CVE-2019-1489)

Exploitable information leak vulnerabilities exist in the RDP7 implementation of Microsoft's Remote Desktop Services on Windows XP. Various aspects of the T.128 protocol, such as capability negotiation, can cause an information leak, which can provide an attacker with information about the target's address-space. An attacker can trigger these vulnerabilities by simply negotiating capabilities with the target via T.128 and examining the data that is returned.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Microsoft's Remote Desktop Services running on Windows 7 RdpCoreTS.dll, version 6.2.9200.22828, is affected by TALOS-2019-0901. TALOS-2019-0895 affects RDP on Windows XP only, running RDPWD.sys 5.1.2600.5512 and termdd.sys 5.1.2600.5512.

Coverage

↧

Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader

December 10, 2019, 11:48 am

≫ Next: Vulnerability Spotlight: Denial-of-service vulnerabilities in Linux kernel, W1.fi

≪ Previous: Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP

Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information leak vulnerability in Adobe Acrobat Reader DC. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted, malicious PDF, likely either via an email attachment or embedded on a web page. Adobe Acrobat Reader DC supports embedded JavaScript code in the PDF to allow for interactive PDF forms. This vulnerability specifically exists in the way Acrobat processes JavaScript.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC JavaScript gotoNamedDest information leak vulnerability (TALOS-2019-0947/CVE-2019-16463)

A specific JavaScript code embedded in a PDF file can lead to an information leak when opening a PDF document in Adobe Acrobat Reader DC, version 2019.021.20048. With careful memory manipulation, this can lead to sensitive information being disclosed, which could be abused when exploiting another vulnerability to bypass mitigations. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC, version 2019.021.20048 is affected by this vulnerability.

Coverage

↧

Vulnerability Spotlight: Denial-of-service vulnerabilities in Linux kernel, W1.fi

December 11, 2019, 9:18 am

≫ Next: Vulnerability Spotlight: Kakadu Software SDK ATK marker code execution vulnerability

≪ Previous: Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader

Mitchell Frank and Mark Leonard of Cisco discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two denial-of-service vulnerabilities in the open-source program W1.fi. Both of these vulnerabilities target hostapd. One could allow an attacker to forge authentication requests, while another could trigger a deauthentication, both resulting in a denial of service.

In accordance with our coordinated disclosure policy, Cisco Talos worked with the manager of W1.fi to ensure that these issues are resolved and that an update is available for affected customers. TALOS-2019-0849 relates to TALOS-2019-0900, a denial-of-service vulnerability in the Linux kernel. Linux has also released an update to address that vulnerability, which makes more versions of Linux besides the mainline one safe from these vulnerabilities.

Vulnerability details

W1.fi hostapd CAM table denial-of-service vulnerability (TALOS-2019-0849/CVE-2019-5061)

An exploitable denial-of-service vulnerability exists in hostapd version 2.6. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

W1.fi hostapd deauthentication denial-of-service vulnerability (TALOS-2019-0850/CVE-2019-5062)

An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.

Read the complete vulnerability advisory here for additional information.

Linux kernel CAM table denial-of-service vulnerability (TALOS-2019-0900/CVE-2019-5108)

An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that TALOS-2019-0849 affects hostapd version 2.6 and Ubiquiti AP-AC-Pro firmware 4.0.10.9653. TALOS-2019-0850 affects hostapd version 2.6 when running on a Raspberry Pi. TALOS-2019-0900 affects versions 4.14.98-v7 and higher of the Linux operating system.

Coverage

↧

Vulnerability Spotlight: Kakadu Software SDK ATK marker code execution vulnerability

December 11, 2019, 9:21 am

≫ Next: Vulnerability Spotlight: Apple Safari SVG marker element baseVal remote code execution vulnerability

≪ Previous: Vulnerability Spotlight: Denial-of-service vulnerabilities in Linux kernel, W1.fi

Aleksandar Nikolic and Emmanuel Tacheau of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Kakadu Software’s SDK contains an exploitable heap overflow. Kakadu serves as a framework for developers to create a variety of commercial and non-commercial applications. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted, malicious jp2 file to cause a heap overflow, which could then allow them to remotely execute code on the server.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Kakadu to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Kakadu Software SDK ATK marker code execution vulnerability (TALOS-2019-0933/CVE-2019-5144)

An exploitable heap underflow vulnerability exists in the `derive_taps_and_gains` function in `kdu_v7ar.dll` of Kakadu Software SDK 7.10.2. A specially crafted jp2 file can cause a heap overflow, which can result in remote code execution. An attacker could provide a malformed file to the victim to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Kakadu Software SDK 7.10.2 running on Windows is affected by this vulnerability.

Coverage

↧

Vulnerability Spotlight: Apple Safari SVG marker element baseVal remote code execution vulnerability

December 11, 2019, 9:26 am

≫ Next: Talos Vulnerability Discovery Year in Review — 2019

≪ Previous: Vulnerability Spotlight: Kakadu Software SDK ATK marker code execution vulnerability

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Apple’s Safari web browser is open to a remote code execution vulnerability via its SVG marker element feature inside the Safari WebKit. Safari uses the WebCore DOM rendering system in WebKit. Rendering engine allows overwriting of the static SVG marker element using JavaScript code which results in memory corruption. An attacker needs to trick the user into opening this web browser in Safari in order to exploit this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Apple Safari SVG marker element baseVale remote code execution vulnerability (TALOS-2019-0943/CVE-2019-8846)

A freed memory access vulnerability exists in the SVG Marker Element feature of Apple Safari's WebKit, version 13.0.2. A specially crafted HTML web page can cause a use after free, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, a specifically crafted HTML web page needs to be opened in the browser.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 13.01.2 (15608.2.30.1.1) of Safari utilizing WebKit GIT 497221ef6a94f0603c1e8c4207094fc50e8ccf2a is affected by this vulnerability.

Coverage

↧

Talos Vulnerability Discovery Year in Review — 2019

December 11, 2019, 11:36 am

≫ Next: Threat Source newsletter (Dec. 12, 2019)

≪ Previous: Vulnerability Spotlight: Apple Safari SVG marker element baseVal remote code execution vulnerability

By Martin Zeiser.

Cisco Talos' Systems Security Research Team investigates software, operating system, IoT and ICS vulnerabilities to make sure we find vulnerabilities before the bad guys do.

We provide this information to the affected vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone.

After these patches become available, the Talos detection content becomes public, as well. Talos regularly releases Vulnerability Spotlights and in-depth analyses of vulnerabilities discovered by us. You can find all of the release information via the Talos vulnerability information page here.

Philosophy

The focus of our work is to make sure our customers and their data stay safe. No matter the vulnerability we uncover, we contact and work closely with the software vendor to quickly and responsibly close any attack vectors we find. Our coordinated disclosure policy outlined below ensures the best possible approach to arrive at this goal.

Timeline of actions to be taken by Cisco:

When it comes to closing security vulnerabilities before the bad guys exploit them, our track record proves our dedication to improving the security of our customers as well as the community. In fiscal year 2019, we published 228 advisories resulting in 237 CVEs, in a wide range of software including operating systems, internet-of-things devices, Microsoft Ofice products, PDF readers and more. This translates to almost one vulnerability discovered per working day in the last year.

Vulnerabilities discovered as percentage of total 2017, 2018, 2019 (August – July)

While we do our best to increase coverage and thus the overall security of the Internet, bulletproof software just doesn't exist. Even vendors with large security teams make mistakes, and many don't even have those. In the end, this just means one cannot fully trust the devices on the network.

Some of our highlights from the past year:

Multiple vulnerabilities in major PDF apps, including Adobe PDF, Foxit PDF, NitroPDF, Aspose PDF, Rainbow PDF and Google PDFium.
Multiple vulnerabilities in each of these IoT/ICS devices: Google Nest Cam, Netgear N300 and the Nighthawk, Cujo Smart Firewalls.
Multiple vulnerabilities in graphics drivers from Intel, Nvidia, AMD and Apple.
More than 22 vulnerabilities in Schneider Modicon.
Eleven vulnerabilities in Sierra Wireless 4G Gateway.
Multiple vulnerabilities in various network routers, including from Linksys, TP-Link and Netgear.
Various vulnerabilities in VMWare, Google V8, Windows and endpoint protection tools.

Below is a breakdown of the amount of advisories we created grouped by product categories in 2019:

Advisories by product category in 2019

Conclusion

Talos' vulnerability research is all about closing attack vectors in software or products before malicious attackers find ways to exploit them. Working closely with vendors all over the planet, our coordinated disclosure policy ensures the best possible protection for our customers, while detection rules based on our work provide coverage where patches cannot help or have not yet been provided by a vendor. This approach has been securing networks for years now, while improving constantly, for the best possible protection and a more immune Internet.

For vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.

↧

Threat Source newsletter (Dec. 12, 2019)

December 12, 2019, 11:00 am

≫ Next: Threat Roundup for December 6 to December 13

≪ Previous: Talos Vulnerability Discovery Year in Review — 2019

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re entering our Year in Review period. Now’s the time to look back on the top stories from 2019 and think about what we learned.

In the vulnerability space, Talos researchers were just as busy as always. We disclosed more than one vulnerability per working day this year, many of which were in internet-of-things and ICS devices. For more on what we can take away from the year in vulnerability disclosures, check out our post here.

Speaking of vulnerabilities, we had many more to add to the yearly count this week. There’s too many to name here, but some highlights include a remote code execution bug in Apple’s Safari web browser and a denial-of-service in the Linux kernel.

Microsoft also disclosed its own set of vulnerabilities as part of the last Patch Tuesday of 2019. Check out our breakdown of the most notable bugs here and our Snort rules to protect against exploitation of them here. Talos discovered two of the bugs patched this month, both in Windows Remote Desktop Protocol in older versions of Windows.

Cyber Security Week in Review

Adobe released its monthly security update Tuesday, fixing 14 critical vulnerabilities across its suite of products. Among the bugs disclosed are 14 critical vulnerabilities in Adobe Acrobat Reader.
A series of news reports this week revealed Ring security cameras are open to serious exploits. In Florida, an attacker took over a Ring’s speaker and shouted racial slurs at the owners. And in Tennessee, another man took over a family’s device after only owning it for four days, potentially spying on three young girls and talking to one of them, saying he was santa.
A new report from the U.S. National Infrastructure Advisory Council warned the White House that a cyber attack on America’s infrastructure poses an “existential threat” to the country. The group also urged U.S. President Donald Trump to take “bold action” to protect ICS systems.
A new decryptor from the makers of the Ryuk ransomware may actually damage larger files. The program is meant to help a victim recover their files after paying the proposed ransom.
The new “Snatch” ransomware evades detection by rebooting Windows machines mid-infection. The malware forces the victim machine to boot in safe mode, and then begin the encryption process.
The city of Pensacola, Florida continues to recover from a ransomware attack, just days after a shooting at a local military base. The city’s phone lines, some email services and other online platforms were still down as of Thursday.
Iran says it fended off a large cyber attack on unspecified “electronic infrastructure.” One government official said he could not provide specific details on the malware, but called the threat actors “very organized” and “governmental.”
U.S. President Donald Trump says he discussed election security with Russian officials during a private meeting this week. Russian Foreign Minister Sergei Lavrov said in a press conference after the meeting Russia has wanted to publish information that would allegedly clear it of any wrongdoing during the 2016 U.S. presidential election, but the U.S. has blocked that release.
Apple released the newest version of iOS this week, which provides new security features for Safari. The mobile version of the web browser now supports NFC, USB and Lightning-complaint keys so users don’t have to rely only on passwords.
A new feature in Google Chrome will alert users if their login credentials were exposed in a data breach. Each time the user logs into a site using the browser, it will check those credentials against a database of known leaked information.

Notable recent security issues

Title: Microsoft discloses two critical bugs as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical. This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.
Snort SIDs: 52402, 52403, 52410, 52411, 52419, 52420

Title: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability
Description: Cisco Talos recently discovered a denial-of-service vulnerability in a specific DLL inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest usermode to cause an out-of-bounds memory read on vmware-vmx.exe process on host, or theoretically through WEBGL.
Snort SIDs: 51461, 51462 (By Tim Muniz)

Most prevalent malware files this week

SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b
MD5: 42143a53581e0304b08f61c2ef8032d7
Typical Filename: myfile.exe
Claimed Product: N/A
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

↧

Threat Roundup for December 6 to December 13

December 13, 2019, 10:03 am

≫ Next: Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200

≪ Previous: Threat Source newsletter (Dec. 12, 2019)

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 6 and Dec. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Doc.Downloader.Emotet-7446804-0	Downloader	Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Razy-7434602-0	Packed	Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Packed.DarkComet-7433889-1	Packed	DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Trojan.Gamarue-7440316-0	Trojan	Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Dropper.Fareit-7431743-0	Dropper	The Fareit trojan is primarily an information stealer with the ability to download and install other malware.
Win.Dropper.Tofsee-7440661-0	Dropper	Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Ransomware.Cerber-7432369-1	Ransomware	Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Trojan.ZeroAccess-7432508-1	Trojan	ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.

Threat Breakdown

Doc.Downloader.Emotet-7446804-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BEF6E003-A874-101A-8BBA-00AA00300CAB}`	16
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyServer`	7
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyOverride`	7
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoConfigURL`	7
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoDetect`	7
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA`	7
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Type`	7
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Start`	7
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ErrorControl`	7
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ImagePath`	7
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: DisplayName`	7
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: WOW64`	7
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ObjectName`	7
`<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}`	1
`<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0`	1
`<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\FLAGS`	1
`<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\0`	1
`<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\0\WIN32`	1
`<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\HELPDIR`	1
`<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}`	1
`<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0`	1
`<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\FLAGS`	1
`<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\0`	1
`<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\0\WIN32`	1
`<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\HELPDIR`	1

Mutexes	Occurrences
`Global\I98B68E3C`	7
`Global\M98B68E3C`	7

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`100[.]107[.]68[.]85`	9
`100[.]79[.]88[.]70`	9
`100[.]94[.]136[.]45`	9
`100[.]90[.]27[.]84`	9
`100[.]112[.]60[.]67`	9
`91[.]74[.]175[.]46`	7
`205[.]144[.]171[.]176`	7
`77[.]90[.]136[.]129`	4
`173[.]255[.]214[.]126`	4
`96[.]38[.]234[.]10`	3
`173[.]194[.]175[.]108`	2
`82[.]223[.]190[.]138`	2
`217[.]116[.]0[.]237`	2
`103[.]6[.]198[.]100`	2
`54[.]88[.]144[.]211`	2
`212[.]227[.]15[.]142`	2
`217[.]116[.]0[.]228`	2
`62[.]149[.]128[.]210`	2
`62[.]149[.]152[.]151`	2
`52[.]96[.]62[.]226`	2
`185[.]102[.]40[.]53`	2
`83[.]219[.]92[.]20`	2
`196[.]44[.]176[.]42`	2
`41[.]190[.]32[.]8`	2
`62[.]149[.]152[.]152`	2

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`www[.]4celia[.]com`	16
`travalogo[.]com`	9
`miracles-of-quran[.]com`	9
`capsaciphone[.]com`	9
`essay[.]essaytutors[.]net`	9
`smtp[.]secureserver[.]net`	2
`pop[.]secureserver[.]net`	2
`mail[.]secureserver[.]net`	2
`secure[.]emailsrvr[.]com`	2
`outlook[.]office365[.]com`	2
`smtp[.]263[.]net`	2
`smtp[.]aruba[.]it`	2
`securepop[.]t-online[.]de`	2
`mail[.]eim[.]ae`	2
`exmail[.]emirates[.]net[.]ae`	2
`mail[.]pec[.]aruba[.]it`	2
`p02-imap[.]mail[.]me[.]com`	2
`mbox[.]cert[.]legalmail[.]it`	2
`smtp[.]pec[.]aruba[.]it`	2
`pop3s[.]pec[.]aruba[.]it`	2
`pop[.]pec[.]istruzione[.]it`	2
`pop3[.]itevelesa[.]com`	2
`smtp[.]mweb[.]co[.]zw`	2
`mail[.]eitelux[.]es`	2
`pop[.]realperfil[.]com[.]br`	2

*See JSON for more IOCs

Files and or directories created	Occurrences
`%HOMEPATH%\245.exe`	16
`%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat`	7
`%TEMP%\CVRA52.tmp`	1

File Hashes

             1de08bdcceee9ce5642c85db384163a76e4de953c2e625c944ef1b087c483f4b              24b7af440ef4ac270373b6f5c9514885a3224c046b73cf8ad2f1f43012b2ab79              2b5e8a119ff94422a9b5213562ea161306d91d255b13e8840b8c6e405ca767ca              342e32ccf662f9fdae9df6d332382b5332fd41f47ae970c42197100ccc29bdb2              3c790759a0f56659200ee93697ec8fef684ac4e241545c7e82399cbe5128ce12              47b2096a5d64d83ce0216c4b577d40567e51bdfb7456f2642dbe2222d0fc9ac9              4810b72b5ce022be0b50fb4cc530fa10f8d4351d66c6384eb86ca6a714f697b1              713407b0e97009b83eb112b7c22588ddf4ccc8418fd548ffe8dded8774698894              902d50419ed4b29f175944cd6d1f59d1b06a26b9a659cd04d282c3685cc478d6              adc96e8b0fdb5d977111b124c655a1821d5c9c0810207aaa82ccb5bacc0c6698              b512845fd39f154b9208e59762e4f136838ca52666e4ca598a3e99c90d332061              c5ea35ff71f952e64d69779eb8dfe98d0a8a77f727fae139a66125ad76c3526f              cb03c4ba3c52376950f5924ac4491ddb0afff6e5c5d5d2f1512e042c8116ff2a              cb33e2134b2670a581eaefc1b800721a0c49e96441027948463c32db39e75fbb              ccba54f7ed9d278c4b0cf8a2b8f5f33d3410349d3fae416fb69388f15874f84d              deb94515bf4c10daa7c26a3c0fa8ed837ee3ad54176a9d4d3d1b5c6230a2447c

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Packed.Razy-7434602-0

Indicators of Compromise

Mutexes	Occurrences
`frenchy_shellcode_006`	10
`Startup_shellcode_006`	10
`Global\{b0cec92d-4b6c-4178-94fb-bf6cc1add43d}`	10

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`107[.]172[.]83[.]151`	10

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`dec8973[.]duckdns[.]org`	10

Files and or directories created	Occurrences
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5`	10
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs`	10
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator`	10
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat`	10
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe`	10
`%HOMEPATH%\ophan.exe`	10

File Hashes

             02252b22b7b50a36851f97a612057c61a8aeed4a2d7cc18258fe2ba6d70fe6a5              147eace098585f42a45f6a1cabeb4885f47038f1da2e8dbf700795b7f5176165              472334c6964fa75128a812e1f819693c4a3b19d43466fb01e88d16a04366487b              5928dd708f5190db002c2ac530f61b994ef6667e59894ae7f085296e451cb06d              59ef7cbae939ff16e921afa54d76b2ed960a7c982fd1b41b318e2e840fa67690              8f5d1ed403153ce043daabd92c15452f01142a829ebaa0530a690ca7bf16d8b1              9708566442ccfc689c110efa436095f21a6d2e15ab1a5a5d5bf35d9ce1063768              a9844ac5e8f56a958e42500b31d6e902120d385f373599eeafc9d4316c6ff2e7              c7b1a3495bb7fb1f8f4016952f6ee68873bd6d4c39468602bc97e59eb8cc9177              d9e7d0ae7bacf011c0abfee024872bb7662b06b4f5faa87efc8eccb7ad02a633

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

Win.Packed.DarkComet-7433889-1

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\DC3_FEXEC`	13
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`	6
`<HKCU>\SOFTWARE\DC3_FEXEC Value Name: 12/6/2019 at 1:01:19 PM`	4
`<HKCU>\SOFTWARE\DC3_FEXEC Value Name: 12/6/2019 at 1:01:20 PM`	4
`<HKCU>\SOFTWARE\DC3_FEXEC Value Name: 12/6/2019 at 1:01:18 PM`	3
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MicroUpdate`	3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: UserInit`	3
`<HKCU>\HKEY_CURRENT_USER`	2
`<HKCU>\HKEY_CURRENT_USER\SOFTWARE`	2
`<HKCU>\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT`	2
`<HKCU>\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\ACTIVE SETUP`	2
`<HKCU>\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Java Updater 12.02.3`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: Java Updater`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: Load`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: IE Per-User Initialization utility`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: IE Per-User Initialization utility`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit`	2
`<HKCU>\SOFTWARE\DC3_FEXEC Value Name: 12/6/2019 at 1:01:24 PM`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: EnableFirewall`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DisableNotifications`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusDisableNotify`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesDisableNotify`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start`	1

Mutexes	Occurrences
`DC_MUTEX-<random, matching [A-Z0-9]{7}>`	12
`DCPERSFWBP`	4
`Paint`	1
`Administrator5`	1
`zRfBoxVQtvcwCKzfoomrPWdIUUjnqiHWPygjEgky`	1
`cbebf6a3c30e189f1791a07b91284eaf`	1
`UNwehCeiwHcpcPqMLnVm`	1
`Global\c8760b20-185a-11ea-a007-00501e3ae7b5`	1
`wHcpcPqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKq`	1
`yzxDnuCSssIxBsSuZXFtOFvJTDCppRZlOhNkDPDB`	1
`NSaQvFFEJfmtYlkBEHyXmfPxzUwCPMuIhhJReGZF`	1
`IRojNPvPVdSxHIGLipwanmDHJBaphSzCXzESOwLj`	1
`orHcdnwrVlEYrlbHQQOTFxFjvvLPSKixqaILfIMa`	1
`myCQlnwHCfuNhBukQZZY`	1
`Global\c923cf81-185a-11ea-a007-00501e3ae7b5`	1
`uoHEavVNJUlBWJTqlPRxRXfUzJKINkqxcpoFJLDc`	1
`bQvFGEJgmtYlkBFHyYnfQxzUwCPMuIhhJSeGaFdv`	1
`JwuoGEavUaWilBWXgqlPew`	1
`HusmFCYuTZVgjyUVfojNcvPidSxHIGLvpwan`	1
`xXXyHTvPuSkKkvpIrOxJOL`	1
`vkhbtqNjIOKVZnJLUdYCSkFYSInwwvzlelQcc`	1
`iRfFFfoBdwczSrSdXpZvfpvrEUjqsCZUxzgmGOEj`	1
`Global\f44dbcc0-185a-11ea-a007-00501e3ae7b5`	1
`QXCcOehkcBeJsodxoboyhhVHiFRfNeQUu`	1
`ewtQmLRNYbqMNXgbFVnIbVLqyzxDoho`	1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`78[.]159[.]135[.]230`	4
`94[.]73[.]36[.]254`	2
`104[.]16[.]155[.]36`	1
`94[.]73[.]32[.]235`	1
`94[.]73[.]33[.]36`	1
`173[.]194[.]175[.]108/31`	1
`54[.]231[.]48[.]43`	1
`109[.]220[.]205[.]220`	1
`90[.]197[.]55[.]134`	1
`25[.]109[.]69[.]178`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`simond[.]zapto[.]org`	4
`laloutrecam[.]no-ip[.]org`	2
`botofvps[.]no-ip[.]biz`	2
`whatismyipaddress[.]com`	1
`s3-1[.]amazonaws[.]com`	1
`s3[.]amazonaws[.]com`	1
`zcitizen[.]no-ip[.]org`	1
`server-49[.]sytes[.]net`	1
`bbdl[.]ddns[.]net`	1
`who-is[.]ddns[.]net`	1
`update[.]imagineyourcraft[.]fr`	1
`123[.]105[.]12[.]0[.]in-addr[.]arpa`	1
`alaka[.]no-ip[.]biz`	1

Files and or directories created	Occurrences
`%APPDATA%\dclogs`	11
`%TEMP%\AdobeARM.exe`	10
`%TEMP%\resman.exe`	7
`%TEMP%\dw.log`	4
`%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp`	4
`%TEMP%\<random, matching '[a-z]{4,9}'>.exe`	4
`%HOMEPATH%\My Documents\MSDCSC\msdcsc.exe`	3
`%HOMEPATH%\Documents\MSDCSC`	3
`%HOMEPATH%\Documents\MSDCSC\msdcsc.exe`	3
`%APPDATA%\pid.txt`	2
`%APPDATA%\pidloc.txt`	2
`%TEMP%\garrys mod robot.jpg`	2
`%TEMP%\holderwb.txt`	1
`\Paint`	1
`%ProgramFiles%\Java\jre8\bin\rmiregistry.exe`	1
`%ProgramFiles%\Java\jre8\bin\servertool.exe`	1
`%ProgramFiles%\Java\jre8\bin\tnameserv.exe`	1
`%ProgramFiles%\Java\jre8\bin\unpack200.exe`	1
`%ProgramFiles%\Java\jre8\bin\vjava.ico`	1
`%ProgramFiles%\Java\jre8\bin\vjavacpl.ico`	1
`%ProgramFiles%\Java\jre8\bin\vjavaw.ico`	1
`%ProgramFiles%\Java\jre8\bin\vjavaws.ico`	1
`%ProgramFiles%\Microsoft Silverlight\5.1.30514.0\coregen.exe`	1
`%ProgramFiles%\Microsoft Silverlight\vsllauncher.ico`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk`	1

*See JSON for more IOCs

File Hashes

             2d6da6399671b08e28a10df9bcf76061f4c98a1f65202fb0dffccd918a5554fc              3a7644b928b85c1e448fe7bb7ddf51056e63f49b9455aae7b2e38fb179559066              6001c594a9e3454fb9359b140dc22e106c5946c323029783e9f122ec285e0c65              79a1576d14b171ce34915fe40b021f73a9d607c2ada2be53e335f330b6cb858f              879c8524b93f3699c02ca366b15677c03df4d5e4e8ba03b43907618adde5627f              908792a782735eb16c229b3b2648c8ea22348a2d378d428d4798fbb21cdca541              918928629a8e0059e82aaa4fe2f226f66a334ead2b8f85dd8eef6e5d288325dc              92729ba8ef8eabfc9b4e88443d94fba225c6a643871fddfc6bf9d8d173d4c7f6              a0f6ffb10dd497d92d870642f2ba86639b170486cbaead79d0a82bd2d7e5edf3              a1999cf773b35ebab2b29acc4d0c0fe92de4bea83e4ee118a2b9a2474b19956c              af47feb292bf865a7d0fbf2a8da31f8d04b38c759f5850ef3510a5f2ecaedae1              b1a9a49194c72fe92df017167c753625a80173c81b8a17cb1b20c84093d10c02              bb7b89751f70e99fe62c1edaba821bb95dfab8b0c6d268b845f3f936f09113df              bc49d905ffd3203d51e3684755fd2412fdc75ee977350da40db2cae357419bd9              bd9e2ff72624901bf190a22ba2a9419395024d280e7f9d140918ffaecf96065a              de59098d7862ae86da6c3159093f1afd4aa72dfc7f6b2826e270e94b272fb7fb              df237e6044ad335081f455ce70e0288453ce74c371016def916462e0d93d124e              e8f164fe292feef26582e9af9d8e0fec11768a72fcb2202af7180a5a8efa46fa              f893532e35d7503e3685c70aaf7a23ce371acc1d0e3779297aba47ae65e9e949

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

Malware

Win.Trojan.Gamarue-7440316-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {77E00C05-FC14-92FB-C64D-2FAE1577C98A}`	8
`<HKCR>\CLSID\{B1D503C8-F3D9-54CE-C64D-2FAE1577C98A}`	8
`<HKCR>\CLSID\{EBF02436-D427-0EEB-C64D-2FAE1577C98A}`	8
`<HKCR>\CLSID\{EBF02436-D427-0EEB-C64D-2FAE1577C98A}`	8

Mutexes	Occurrences
`Santiv18`	8

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`217[.]23[.]1[.]27`	8
`212[.]8[.]242[.]104`	8

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`v1[.]eakalra[.]ru`	8
`v1[.]op17[.]ru`	8

Files and or directories created	Occurrences
`%ProgramData%\{DA12294E-A996-195C-0CAA-A4200A7998ED}\77adf9d1.exe`	8
`%SystemRoot%\Tasks\{4602017E-81A6-854C-0CAA-A4200A7998ED}.job`	8
`\{c78b9d89-a44c-8958-2fb4-20d7a387d6e3}\a7c25200-afe3-483f-5c47-c10c3cf1e73a.exe`	8
`%ProgramData%\{EBF02435-D424-0EEB-C64D-2FAE1577C98A}`	8
`E:\{c78b9d89-a44c-8958-2fb4-20d7a387d6e3}`	8
`E:\{c78b9d89-a44c-8958-2fb4-20d7a387d6e3}\a7c25200-afe3-483f-5c47-c10c3cf1e73a.exe`	8
`%ProgramData%\{EBF02435-D424-0EEB-C64D-2FAE1577C98A}\464ff4aa.exe`	8
`%System32%\Tasks\{77E00C05-FC14-92FB-C64D-2FAE1577C98A}`	8
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\779425.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\743768.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\888608.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\577671.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\898551.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\569993.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\281727.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\469268.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\502020.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\569087.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\630040.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\825247.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\400602.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\445144.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\223566.exe`	1
`%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\688135.exe`	1

File Hashes

             0c56ea50a45505f406a4feddcb3b4c055c0d52ca1aa4ca7d8254267fe1e75e52              0f4e733dcf95c9b026b2a081c0bc8883bdcdf8799a31ae2afff8aa12fa980c3f              46e382dadb24dc1dfd6c5ff7faeb088d56a70150ec44015a8370900251b3024e              86251f8acfcf6f5adb20ef8cfb4def27ff42b8248aae488f3a4d3650dda87364              8ffb2571c279e05205e55b169d306f54a574a73c596475f0738593c34dfbb3be              900547463b112df48191a8a950a7375be9c20fb33de917bf5af6d31aa5e5b700              943bdb5be04e4dd27ebf28532a8639eafd6dc7df5e471f733697220a1aee9c93              ab2d58efd6a9c50bfab5b0143009dc25ab0f92d7a9d7bcad39f4edbf1ff6b835              b291fe03d64db56f2dbd01d71364ed39b2a7b83b61161673bea57ab33c27c7e8              bf1a4d2ab6c500f55a8e5d8e9667fc6bfce7cdbd79b2bf9ebbf7a1392ff3956e              c865ae6939ddc9a42481a4f2d410a928f11837e807dbd8d6dad867c13b58019e              ca47206563a8eb9e402d5f5f957e15bf73d6193985281c38127cc2cdd63bcb64              cf5e15aa7027ca86fc3ad768f1684fd619f367c521231970db5a3024230b34f1

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.Fareit-7431743-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\WINRAR`	10
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: WindowsMonitorConfigs32`	10
`<HKCU>\SOFTWARE\WINRAR Value Name: HWID`	10
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 Value Name: F`	10
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 Value Name: F`	10
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC Value Name: F`	10
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS Value Name: WindowsMonitorConfigs`	10
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS Value Name: WindowsMonitorConfigs32`	10
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORKLIST\NLA\CACHE\INTRANET Value Name: {9EB90D23-C5F9-4104-85A8-47DD7F6C4070}`	7

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`37[.]10[.]116[.]208`	10

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`loqapeek[.]pw`	10
`xistoons[.]pw`	10

Files and or directories created	Occurrences
`%APPDATA%\SystemDriversReserved`	10
`%APPDATA%\SystemDriversReserved\rynuqeny.exe`	1
`%APPDATA%\SystemDriversReserved\filarifi.exe`	1
`%APPDATA%\SystemDriversReserved\miqonagy.exe`	1
`%APPDATA%\SystemDriversReserved\xuminazy.exe`	1
`%APPDATA%\SystemDriversReserved\qeremuvu.exe`	1
`%APPDATA%\SystemDriversReserved\vywivama.exe`	1
`%APPDATA%\SystemDriversReserved\cuzuluqa.exe`	1
`%APPDATA%\SystemDriversReserved\dufenuxu.exe`	1
`%APPDATA%\SystemDriversReserved\cutypiwu.exe`	1
`%APPDATA%\SystemDriversReserved\rikicuzo.exe`	1
`%APPDATA%\SystemDriversReserved\tihupono.exe`	1
`%APPDATA%\SystemDriversReserved\xomytevu.exe`	1
`%APPDATA%\SystemDriversReserved\xotadyry.exe`	1
`%APPDATA%\SystemDriversReserved\zytecufo.exe`	1
`%APPDATA%\SystemDriversReserved\myciloby.exe`	1
`%APPDATA%\SystemDriversReserved\kebyqyha.exe`	1
`%APPDATA%\SystemDriversReserved\fufolely.exe`	1
`%APPDATA%\SystemDriversReserved\rysopyly.exe`	1
`%APPDATA%\SystemDriversReserved\zazanyge.exe`	1
`%APPDATA%\SystemDriversReserved\niwalefu.exe`	1

File Hashes

             10491d1ce14e3c36f1ff822ff1053604043836d94925de6054482c9ae4673359              15901d3d72c05adea149a9b23a03240e84827ee199119beca4bae58d0f2cf292              28495c8cd716b9047bbdecdeb9acb5883a57dcb887db0aa10d72345c25cccf01              2afda0e3c48ea37e936b0ef7d7efbfc5a6e487f1dee0dd89ec83cba2c054ddd0              31f651b56867fe2a75041c5c053977414f33285d1a8294875ef4082269103f59              4629248f320c9fd7d3b2d9b01e3b0e705a07c52ed8c40baa63395ae95b4e6e43              91a2d95ddf43ee9a47c0b2f781d9aa6752ada642cbd826fc8c0ec2c31932870d              b831abbd0734bcd7cf2262400d70c32b5909d3a38044327b841b5f05cba93567              d27a710d945ee916fa7ab557e3a360f907d06ca37c34aff86133074ddfed9090              ee3cf9966f84454415d0dda42e29ccf65e14f964daef8233077c2509aa84b305

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.Tofsee-7440661-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`	2
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0`	2
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1`	2
`<HKCU>\SOFTWARE\MICROSOFT\IAM Value Name: Server ID`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\kdrxwekz`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: Type`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: Start`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: ErrorControl`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: DisplayName`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: WOW64`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: ObjectName`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: Description`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\piwcbjpe`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: Type`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: Start`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: ErrorControl`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: DisplayName`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: WOW64`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: ObjectName`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: Description`	1
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3`	1
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 Value Name: apiMPQEC`	1
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5`	1
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE`	1

Mutexes	Occurrences
`Global\syncronize_URN0LVA`	2
`Global\syncronize_URN0LVU`	2
`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A`	1
`Global\9776ba01-1ac7-11ea-a007-00501e3ae7b5`	1
`Global\990ba241-1ac7-11ea-a007-00501e3ae7b5`	1
`Global\95700cc1-1ac7-11ea-a007-00501e3ae7b5`	1
`{<random GUID>}`	1
`Local\{<random GUID>}`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`69[.]55[.]5[.]250`	2
`13[.]107[.]21[.]200`	2
`43[.]231[.]4[.]7`	2
`104[.]47[.]54[.]36`	2
`172[.]217[.]7[.]164`	2
`85[.]114[.]134[.]88`	2
`172[.]217[.]12[.]164/31`	2
`68[.]178[.]213[.]37`	1
`94[.]100[.]180[.]104`	1
`93[.]158[.]134[.]89`	1
`81[.]19[.]78[.]66`	1
`77[.]88[.]21[.]89`	1
`46[.]4[.]52[.]109`	1
`96[.]114[.]157[.]80`	1
`94[.]100[.]180[.]31`	1
`94[.]100[.]180[.]180`	1
`104[.]47[.]9[.]33`	1
`104[.]47[.]36[.]33`	1
`213[.]209[.]1[.]129`	1
`87[.]250[.]250[.]89`	1
`211[.]231[.]108[.]46`	1
`104[.]47[.]5[.]33`	1
`213[.]180[.]147[.]146`	1
`212[.]227[.]15[.]41`	1
`208[.]89[.]132[.]199`	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`250[.]5[.]55[.]69[.]in-addr[.]arpa`	2
`microsoft-com[.]mail[.]protection[.]outlook[.]com`	2
`smtp[.]secureserver[.]net`	1
`mx[.]yandex[.]ru`	1
`yandex[.]ru`	1
`list[.]ru`	1
`mx-eu[.]mail[.]am0[.]yahoodns[.]net`	1
`mxs[.]mail[.]ru`	1
`rambler[.]ru`	1
`smtp-in[.]libero[.]it`	1
`mx1[.]comcast[.]net`	1
`libero[.]it`	1
`mail[.]ru`	1
`comcast[.]net`	1
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net`	1
`mx[.]yandex[.]net`	1
`inbox[.]ru`	1
`eur[.]olc[.]protection[.]outlook[.]com`	1
`aol[.]com`	1
`hotmail-com[.]olc[.]protection[.]outlook[.]com`	1
`emx[.]mail[.]ru`	1
`yahoo[.]it`	1
`mx[.]poczta[.]onet[.]pl`	1
`charter[.]net`	1
`inmx[.]rambler[.]ru`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%TEMP%\D47F.tmp`	5
`%TEMP%\CC4F.tmp`	3
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\desktop.ini.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\FilterTransforms\1033\StarterKitsFilterTransform80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\CSharpLangFilter20.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\ControlsTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\HelpTopicsTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\InfoPathTechFilter12.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\KBTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\NetFxTechFilter20.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\SamplesTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\ServerEntTechFilter20.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\SnippetsTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\StarterKitsTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\VBLangFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\VBScriptLangFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\VS2005TechFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\Win32TechFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\WinFormsTechFilter20.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\WindowsTechLonghornWinFx60.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\XmlLangFilter80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Pages\1033\VSTAHowDoI80.xml.id-98B68E3C.[admin@sectex.net].bot`	2
`%APPDATA%\Microsoft\Internet Explorer\brndlog.bak.id-3C28B0E4.[admin@sectex.net].bot`	2
`%APPDATA%\Microsoft\Internet Explorer\brndlog.txt.id-3C28B0E4.[admin@sectex.net].bot`	2
`%HOMEPATH%\Cookies\index.dat.id-3C28B0E4.[admin@sectex.net].bot`	2

*See JSON for more IOCs

File Hashes

             1a2997b0927ee1931765cf9b971ee5fd20ca9509f25eed7f2ece2f9b39ec30ec              1b7f2a5950d2d2c9f012c8aa7bb8a7611a19bea54e2ad3a11aaeeb178de91229              45e58500cc320316f3ab9cb9f9bde14446ae10f5ac37c93061b2bfad97b1026d              51fb27ab74d127a6cef6b1aaf416bc28020c93cc62926c25a0aabd64eadd51f0              63bbfc542016858d070ae21bc75f4f507273343ed7552b0fb1041b353891c943              6ac190612aeca2cf29bc2c403afd7ff4f6bd0978611b9879feed907a43d7a44e              7a6ca98d05b91859a323aeb8aa95cea2465223095963a56edd053ea2144d2949              8bd815aac414de71c6c9e8d98af6f3ea99f8f7d9eb99b24bd65aefc6fae62564              9adc16c0e94ecca0bd3bfb7a6913bc439fbeb59ae70ec264b49dc74bf92de628              a3397387c72d6215fbe3d976c0d2a2a96ada6526a1e939326e0a009c1469c748              ac1195f32c230290268c6ac144d386aaa1be9889ed4ba899bbd2078d1985a296              c909a47cc3169954c962a7bba2911694345cca7ecbe809a8e9ae737df9ee1c24              d59f8aa651ab5015619a62efde293097facdabd1a11c019cc0a0748009628126              f05b7128fd81fb67061ede7c279807ab347505762245f77f1ab0180bb4655cb2              fccdacfaf67834441250a0713534ef2d1047e7af6424a09df88a6ee132a3fe86

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Ransomware.Cerber-7432369-1

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES Value Name: DefaultTokenId`	33
`<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES`	33
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER`	32
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER Value Name: PendingFileRenameOperations`	31
`<HKCU>\SOFTWARE\MICROSOFT\DIRECT3D Value Name: Name`	1

Mutexes	Occurrences
`shell.{381828AA-8B28-3374-1B67-35680555C5EF}`	33
`Local\MidiMapper_modLongMessage_RefCnt`	33
`shell.{<random GUID>}`	27

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`91[.]119[.]216[.]0/27`	33
`91[.]120[.]216[.]0/27`	33
`91[.]121[.]216[.]0/25`	33
`150[.]109[.]231[.]116`	22
`54[.]209[.]0[.]191`	18
`34[.]193[.]185[.]171`	15
`178[.]128[.]255[.]179`	11
`104[.]24[.]105[.]254`	7
`104[.]24[.]104[.]254`	4
`54[.]87[.]5[.]88`	2
`52[.]21[.]132[.]24`	1
`104[.]16[.]150[.]172`	1
`104[.]16[.]149[.]172`	1
`104[.]16[.]152[.]172`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`api[.]blockcypher[.]com`	33
`bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com`	25
`hjhqmbxyinislkkt[.]1j9r76[.]top`	22
`bitaps[.]com`	11
`chain[.]so`	11
`btc[.]blockr[.]io`	11
`hjhqmbxyinislkkt[.]1a8u1r[.]top`	1

Files and or directories created	Occurrences
`%TEMP%\d19ab989`	33
`%TEMP%\d19ab989\4710.tmp`	33
`%TEMP%\d19ab989\a35f.tmp`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\03809a07-348b-48cc-b08d-f7b8472c133c.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\07a5080e-becd-4719-9a79-fe50b59eb55b.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\0d984a6a-e70e-4747-bded-b92173e85c21.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\0ec91619-5478-4e5c-aa1b-8da00a066091.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\115556d6-ba8b-4b18-8439-8e9c81ff63a4.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\1e81fb27-0aa3-4b11-a764-0d9e7e3272ea.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\3c6a9801-329c-4eba-9524-2165ac426bef.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\52c39d7c-6d6b-4ad3-b5e5-c417949d335d.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\5318eba9-773d-4fec-9366-6e84f8dfbbc5.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\5394c05d-dc33-4d24-bd45-2d8954648f28.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\62e3dfa2-4350-445b-8693-d1d04a74543c.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\6a8b0e06-e9a5-4761-afda-29391149e64d.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\70c3a864-35fa-4245-802a-dbda1e3f4c00.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\70d1f452-966e-4e28-8da5-8b2eeadbe078.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\7b168dd1-e39e-4b39-918c-53b9e78365e9.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\7dceec06-0991-43f4-8af3-601c0ebeb910.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\8339d228-5ca6-486f-8793-633aa6af18d8.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\a4fbc2bf-8cc2-4a6d-b3c7-0ef749399e7f.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\a507cd65-0038-49e4-8cdb-b6082f566351.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\a6f0f9a9-e50d-4612-9e8e-f5640793680c.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\a9e6bb3f-0b62-4410-86f7-68bb36989df7.png`	33
`%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\b1503304-9b12-4d90-89e7-df30e304e6c2.png`	33

*See JSON for more IOCs

File Hashes

             00d8580b7de2d5cfcdeb6d896153cb43aeb8086ad87c320a20528fb0ab382c83              0156cd32b9647dcd19ef44503aa99dfcfb891365a6a1e0a4f364e1b882563a77              049e95486dc15591857897db7e038204ad7669afc52f6e413ad8eef6a042a3f3              0543292cf63218e40d9785a1e6e0b9cc0dddd34cd6cfdbd6e6735e7b2cd7767e              05e6572e963ec98373c94748dba580a9d4c99ced95d2c4e455cf2e952973404c              06d5ae8d97a7b3bb50330f566130ce3b0ceced3a9b92ff1b5be9b2a3b08dec89              09e5adc6762e13f50bbc4b3e233c00c44c77cab958bd3e30212034fe0a2471be              0af56173b6a8d920e8f42c564d590373d8a8c55edda2476deff5013a39d76d87              0cfb5e263ca7a4f5b38cd79c111eeeb7cb6e2e3150fc07996fd7b74a739452e8              0dccb9d4f1369026b350c848d98e0aadddd063ed231c9682419735b25d4cd1e0              0e2f515b821c6995dff04862e4808609e3ebfcb7dbf4cbd2884dc3b737657580              15f59c6041fbb1a8f54e083a4f501076efa61941f5064db404c2914be4973e2f              16f2a805ea445edf5c9cdab4d530235204acccaa50cda907dbb84177f71eda57              179ecfd3969f0f2aef94a99467064e60ef737bac9819439bcbe1b3ca2dffee08              183bad8c045acadaa5cdd8542fae8f05539249c0df2448816b3895a6d949caf3              1860ec3f04583312079795ca661360e723092217e0880ddc7e48345829f571a8              19e65785549059911db9ad54bbdbb8c4f86d6a4cc6710d8572b81afed213250b              1d44d8a762ee2f1f9813482b862428add0c081fab9bb27a4bad082a118b5e509              20122bc23fc55bbc44a920e8b9c06829a13e78258356798a64c224a534e06faf              2070face5382b738dda8e2a42c56b233793a9751fb6722e970d77da207d52f1f              20842d1ad99423e0412187f7f365ce5b9d93c2499df5bcb9da16a8d196b3e94c              244820be643b64929d14af90218aa67f2e9b2cb07d8654c5ead2d60a25f8ead3              2c670078bda065d704ed155173fc59438a15e71244c0f47ccf95d12225e27eaa              2f29ed32c90581269668e03216169207478721f2b9d59ebfb389a647c6a1f51a              2f3bf21023544bc5ade37a16588cf51aa6ac8327685de3953f44de57a3068a8d

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Trojan.ZeroAccess-7432508-1

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: Start`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: DeleteFlag`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: DeleteFlag`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: DeleteFlag`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER Value Name: Start`	31
`<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 Value Name: ThreadingModel`	31
`<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32`	31
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Defender`	31
`<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: Type`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: ErrorControl`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: Type`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: ErrorControl`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: DeleteFlag`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Type`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: ErrorControl`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Type`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: ErrorControl`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010 Value Name: PackedCatalogItem`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009 Value Name: PackedCatalogItem`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008 Value Name: PackedCatalogItem`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007 Value Name: PackedCatalogItem`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006 Value Name: PackedCatalogItem`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005 Value Name: PackedCatalogItem`	31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000004 Value Name: PackedCatalogItem`	31

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`68[.]58[.]140[.]128`	38
`180[.]254[.]253[.]254`	31
`166[.]254[.]253[.]254`	31
`135[.]254[.]253[.]254`	31
`117[.]254[.]253[.]254`	31
`119[.]254[.]253[.]254`	31
`134[.]254[.]253[.]254`	31
`206[.]254[.]253[.]254`	31
`222[.]254[.]253[.]254`	31
`182[.]254[.]253[.]254`	31
`190[.]254[.]253[.]254`	31
`184[.]254[.]253[.]254`	31
`197[.]254[.]253[.]254`	31
`183[.]254[.]253[.]254`	31
`158[.]254[.]253[.]254`	31
`204[.]254[.]253[.]254`	31
`24[.]149[.]4[.]58`	29
`97[.]95[.]231[.]238`	28
`50[.]68[.]78[.]41`	26
`188[.]26[.]185[.]40`	26
`111[.]250[.]107[.]91`	26
`173[.]175[.]25[.]91`	26
`184[.]166[.]16[.]43`	26
`24[.]98[.]179[.]133`	26
`79[.]115[.]11[.]4`	26

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`j[.]maxmind[.]com`	31

Files and or directories created	Occurrences
`\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@`	38
`\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n`	38
`\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@`	38
`\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\n`	38
`%SystemRoot%\assembly\GAC\Desktop.ini`	38
`\systemroot\assembly\GAC_32\Desktop.ini`	31
`\systemroot\assembly\GAC_64\Desktop.ini`	31
`%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8`	31
`%SystemRoot%\assembly\GAC_32\Desktop.ini`	31
`%SystemRoot%\assembly\GAC_64\Desktop.ini`	31
`\$Recycle.Bin\S-1-5-18`	31
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f`	31
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@`	31
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L`	31
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U`	31
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n`	31
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f`	31
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@`	31
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L`	31
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U`	31
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n`	31
`%ProgramFiles%\Windows Defender\MSASCui.exe:!`	31
`%ProgramFiles%\Windows Defender\MpAsDesc.dll:!`	31
`%ProgramFiles%\Windows Defender\MpClient.dll:!`	31
`%ProgramFiles%\Windows Defender\MpCmdRun.exe:!`	31

*See JSON for more IOCs

File Hashes

             0157ed115b5bf4c7be57c400db2d0565f5ad1b6df2bb63d85ca04932d190f83a              02deef08e12b0ca6d311bd47d984587fc2eacee659bccd5b03f470d04baf7fda              05e354a637fc39a732a2042d70be6d4ff0d7250f746a89bda5833787b1d73f77              05e9764e72fd580377b26682b329ede539bab36a7c651f17e78bfed628f29236              070a5d1c0a35171169531caa0583f46ef8ce39d8e8a5f4806ea0060a8311e3c2              08a22538c4474de9d510516b31169eb4bbcb111333f45463387540ee1c802094              094f81ace5dc69455869040c8306a5c89ed318a0209feb9883c65dedfaa1607a              1078cbea870ad246012c3e5d7383a34b73b71d743b8a7814b916afb22dafc052              12092b610aec4b3a4abd1704aa5ca7796afb88ed2d62813f64e69813179bf17e              13297a1a4dae8afcae7683ca66825a041fde54b3a34347c5ae9cd1ca540bfe65              15c92af968516aa50e2434d678099993d616322ed64c28fbedbdf9f58f688cfe              1ccece616c3bf43763c2f4159894df3170e8e017359a432fcf574df86ed4d9c9              1ddede2f503ec591648dee15162794cc8c44bc39b40aaa209a344c4d8741b59e              1e40c41b83c1dfdcf4f62b52a3248f7de7d14e9d20c622f3d58b56e873e90ada              1e6bd842bc6e5a5a27e4c9124f4f8d0cb99bf13fe07f33ae4ebddeaeccddc065              1f213cb034864518007496d9f81834a202e2fbb24f60685c0d38af4127230b7e              23095a64ad977a038141d7a51d9b16fffb690671c4cba65f4aa9cab1ead68d9d              245aa365f4df9a087650d523cfb5685f5e0a22faf3948de28e4516ff7574daec              26fc9dad694e24ab9f22f40ecae7b5ce436d3e7f0fdc7c0dc91a33967ed3bcb3              2afc92a8de98e29db880f1bbd0cde81e4cc2e49dce0bdafb5d992511be97dbca              2fbc30feb2a4a8c926b69b762e898bda305d5333a198b2a1304644a1bff6176a              352d14133cb2f89223d15a81fa44442ef7b033b3646b12a92f69d82d27718f67              38257554ec967969a8e114bb6588b63210b83a0a76a7f1cbf0eb17b6e10ab91f              3852da85c0d4541fea5bb3812eaec3b7247aae76c57c6a4ad7271b76d50acb8d              3be059379396caf75330c4f1fa97adc8f5683cba16eeaabcbdd9ccbd8055b748

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Exploit Prevention

CVE-2019-0708 detected - (24000)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Process hollowing detected - (246)

Kovter injection detected - (209)

Dealply adware detected - (191)

Gamarue malware detected - (159)

Excessively long PowerShell command detected - (101)

Installcore adware detected - (88)

Special Search Offer adware - (25)

Fusion adware detected - (20)

Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.

Corebot malware detected - (20)

↧

Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200

December 16, 2019, 7:29 am

≫ Next: Beers with Talos Ep. #68: Takes from Talos on IoT (and the NEW “Talos Takes” podcast!)

≪ Previous: Threat Roundup for December 6 to December 13

Kelly Leuschner of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGO’s programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause within the protocol handling code of the I/O Check (iocheckd) configuration service used by the controllers. The vulnerabilities discussed here could allow an attacker to remotely execute code, deny service to the device or weaken device login credentials.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WAGO to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

WAGO PFC200 iocheckd service "I/O-Check" external tool information exposure vulnerability (TALOS-2019-0862/CVE-2019-5073)

An exploitable information exposure vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause an external tool to fail, resulting in uninitialized stack data to be copied to the response packet buffer. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" BC_ProductLabel remote code execution vulnerability (TALOS-2019-0863/CVE-2019-5074)

An exploitable stack buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a stack buffer overflow, resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" get_coupler_details remote code execution vulnerability (TALOS-2019-0864/CVE-2019-5075)

An exploitable stack buffer overflow vulnerability exists in the command line utility get_coupler_details of the WAGO PFC 200. A specially crafted set of packets sent to the iocheckd service "I/O-Check" can cause a stack buffer overflow in the sub-process get_coupler_details, resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" MAC Address overwrite denial-of-service vulnerability (TALOS-2019-0869/CVE-2019-5077)

An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" erase denial-of-service vulnerability (TALOS-2019-0870/CVE-2019-5078)

An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" ReadPSN remote code execution vulnerability (TALOS-2019-0871/CVE-2019-5079)

An exploitable heap buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a heap buffer overflow, potentially resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" factory restore denial-of-service vulnerability (TALOS-2019-0872/CVE-2019-5080)

An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A single packet can cause a denial of service and weaken credentials resulting in the default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" ReadPCBManuNum remote code execution vulnerability (TALOS-2019-0873/CVE-2019-5081)

An exploitable heap buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a heap buffer overflow, potentially resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" ReadPRGDATE remote code execution vulnerability (TALOS-2019-0874/CVE-2019-5082)

An exploitable heap buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a heap buffer overflow, potentially resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 03.00.39(12) of the WAGO PFC200 and PFC100 is affected by these vulnerabilities. Firmware version 03.01.07(13) of the PFC200 was not explicitly tested for some of these bugs, but the vulnerable function in these vulnerabilities do exist in this version. Talos recommended that a fix be applied to that version, as well.

Coverage

↧

Beers with Talos Ep. #68: Takes from Talos on IoT (and the NEW “Talos Takes” podcast!)

December 17, 2019, 7:28 am

≫ Next: Incident Response lessons from recent Maze ransomware attacks

≪ Previous: Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 68 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Dec. 9, 2019

We have a big announcement to make today! Check your feed for a few episodes of a new podcast from Talos: “Talos Takes."

On this episode of BWT, we welcome Joe Marshall to the table. Joe is a Talos ICS/IoT tech lead and he stops by to discuss issues in the IoT space — macro and micro, from both the vendor and user perspectives. Check out the crew’s advice on staying secure in this IoT gift-giving season.

We will see you in the new year, and thanks for listening in 2019. Happy Holidays to all!

The timeline:

00:55 — Roundtable: The robots come for Craig’s 3-D printer, Matt dunks on the crowd and misses.
08:30 — Meet Joe Marshall, Talos IoT and ICS Security tech lead
09:00 — Quantifying the IoT problem: IoT vulns surpass desktop/PC vulns in 2019
18:00 — The best ways to determine if security matters to an IoT device maker
21:15 — Poor security affects everyone, and why NAT is the most important thing on the internet
31:00 — So, how should we then buy?
34:00 — Trojans in the Python
39:20 — Big announcement! The NEW podcast coming from Talos — Talos Takes
40:45 — Closing thoughts and parting shots

Some other links:

Check out the Talos Takes podcast! (Three episodes coming to the Beers with Talos podcast feed today!)

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

↧

Incident Response lessons from recent Maze ransomware attacks

December 17, 2019, 8:53 am

≫ Next: New Talos Takes podcast puts Talos' spin on the latest cyber news

≪ Previous: Beers with Talos Ep. #68: Takes from Talos on IoT (and the NEW “Talos Takes” podcast!)

By JJ Cummings and Dave Liebenberg

This year, we have been flooded with reports of targeted ransomware attacks. Whether it's a city, hospital, large- or medium-sized enterprise — they are all being targeted. These attacks can result in significant damage, cost, and have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.

The first widespread targeted ransomware attacks involved the SamSam ransomware, which Cisco Talos researchers first discovered in early 2016 and were incredibly profitable, despite ending in indictments from the U.S. government.

In 2019, there have been multiple players in this space, the most prolific of which has been the Ryuk campaigns that start with Emotet and Trickbot. Other targeted ransomware attacks have involved other types of ransomware and varied attack methodology. Included in this list is ransomware like LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis, among others. More recently, attackers have taken the extra step of exfiltrating data and holding it hostage, which they claim they will release to the public unless payment is received, a form of doxxing.

Recent incidents

Over the past several months, Talos Incident Response responded to two such incidents, where an adversary gained access to an environment, deployed ransomware, and exfiltrated large amounts of data, combining elements of ransomware and doxxing attacks into a single incident.

In the first incident, the attacker leveraged CobaltStrike after obtaining access to the network. CobaltStrike is a widely used framework for offensive and red-teaming, which is also commonly used by adversaries to attack their targets. Once the adversary has access, they spend at least a week laterally moving around the network and gathering systems and data along the way. Combined with CobaltStrike, the actor used a technique commonly associated with APT-29, leveraging a named pipe (i.e. \\.\pipe\MSSE-<number>-server).

Once the actor gained enough access to both data and systems, the payment mechanisms began to take form. First, the actor began exfiltrating the data that they had accumulated. They achieved exfiltration by using PowerShell to connect to a remote FTP server. Below is a snippet of the code used to achieve this exfiltration via PowerShell.

The actor then deployed the Maze ransomware on the systems. Maze has been in the news recently as being the ransomware used in several high-profile targeted ransomware attacks, including those against the city of Pensacola, Florida and staffing firm Allied Universal.

The second incident involves more CobaltStrike, some shared infrastructure, and more exfiltration. In this case, the adversary was again found leveraging CobaltStrike post initial compromise and used PowerShell to dump large amounts of data via FTP out of the network and demanded payment before disclosing this information publicly. The connection to the previously mentioned incident lies in the command and control (C2) infrastructure used. This actor dumped the data to the same C2 server as the aforementioned CobaltStrike incident. In addition to the shared infrastructure, there were a couple other commonalities between the attacks — the first being the deployment and use of 7-Zip to compress the data they were preparing for exfiltration. Additionally, in both incidents, there were interactive logins via Windows Remote Desktop Protocol, remote PowerShell execution, which was achieved via WMIC, and in one case, active reconnaissance observed. Based on all of these facts, Talos assesses with high confidence these incidents were associated with the same adversary.

Conclusion

The use of targeted ransomware attacks isn't new and, unfortunately, it's not going anywhere anytime soon. This is an extremely lucrative attack avenue for adversaries and as such, its popularity is likely only going to increase. What makes these particular attacks interesting is the additional monetization avenue of exfiltrating data in the process. This allows the actor to potentially monetize their attack in multiple different ways. First, the actor can demand the victim pay an additional fee to get the data back. Even if the victim refuses to pay the ransom due to proper precautions, like full backups and reliable recovery plans, money can be made. Second the data itself could have significant value to other adversaries, and selling the data on the black market is highly likely. Finally, there is the public damage that can be done to the victim by releasing the data, which doesn't give the attacker any monetary benefit but can be a very useful way to encourage future victims to pay and avoid the negative press associated with a public data dump.

This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space, as demonstrated by the proliferation of emotet and the millions and millions of dollars in damage that have followed. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised.

Indicators of Compromise (IoCs)

Hashes:

CobaltStrike

51461b83f3b8afbcae46145be60f7ff11b5609f1a2341283ad49c03121e6cafe
3627eb2e1940e50ab2e7b3ee703bc5f8663233fe71a872b32178cb118fb3e2d9

Maze Ransomware

04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78
153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57
195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54
33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d
5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806
5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353
6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13
6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8
83f8ce81f71d6f0b1ddc6b4f3add7a5deef8367a29f59b564c9539d6653d1279
877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1
91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1
9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71
9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1
9be70b7fe15cd64aed5b1adc88c2d5270bce534d167c4a42d143ae0059c3da1c
b30bb0f35a904f67d3ac0082c59770836cc415dc5b7225be04e8d7c79bde73be
c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc
c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b
ea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705
ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2
F491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f

IP Addresses:

91.218.114[.]4
5.199.167[.]188
185.147.15[.]22

↧

New Talos Takes podcast puts Talos' spin on the latest cyber news

December 17, 2019, 8:32 am

≫ Next: 2019: The year in malware

≪ Previous: Incident Response lessons from recent Maze ransomware attacks

By Jon Munshaw.

Today, Cisco Talos' podcast network is growing with a new show.

Talos Takes is a new podcast that provides Talos analysts' and researchers' opinions and expertise on the hottest topics in cyber security. The first three episodes of the show — covering holiday shopping scams, protecting your new gadget and the basics of malvertising — are in the Beers with Talos podcast feed right now.

In 2020, we will be launching a new, separate podcast feed for Talos Takes that you'll be able to subscribe to on Apple Podcasts, Stitcher, Google Play and any other place where you get your podcasts.

We plan to release episodes on a regular basis, but expect new Talos Takes to be dropping randomly if there's a breaking news story or a major topic we need to discuss.

In each episode, Talos analysts and researchers will outline the topic they're going to discuss, and then put a Talos spin on the topic. We'll cover everything from specific malware families, to different attack vectors and the latest headlines.

Again, you can find the first three episodes in the Beers with Talos feed if you're already subscribed to BWT, or you can check them out on our Podcasts page here.

↧

2019: The year in malware

December 18, 2019, 5:06 am

≫ Next: Threat Source newsletter (Dec. 19, 2019)

≪ Previous: New Talos Takes podcast puts Talos' spin on the latest cyber news

By Jon Munshaw.

From ransomware attacks to DNS deception, attackers were just as active as ever in 2019.

This year saw a number of big-name malware families come onto the scene, including Sea Turtle, one of the most high-profile DNS hijacking attempts in recent memory. BlueKeep also stirred up controversy when the RDP vulnerability was first discovered, but researchers are still holding their breath, waiting for the first major exploits to happen.

To recap this busy year, we’ve compiled a list of the major malware, security news and more that Talos covered this year. Look through the timeline below and click through some of our other blog posts to get caught up on the year that was in malware.

	February Attackers use a malicious PowerPoint presentation to target members of the Tibetan government in the hopes of infecting them with ExileRAT.
	March Talos discovers a new point-of-sale malware for sale online called “GlitchPOS” that is easy enough to use that anyone could set up their own credit card-skimming botnet.
	April Talos publishes a list of malicious groups on Facebook using straightforward names that carry out a range of malicious activities, including the sale of credit card data and other malware services. A campaign known as “Sea Turtle” expands on the growing popularity of DNS hijacking attacks, spoofing legitimate DNS addresses to target public and private entities, including national security organizations, located primarily in the Middle East and North Africa. Yet another DNS hijacking campaign, “Karkoff,” shows that the actors behind DNSpionage are retooling their procedures to avoid detection and improve the efficacy of their operations.
	May The Qakbot banking trojan evolves to maintain persistence and potentially evade detection. Talos discovers “BlackWater,” a trojan that our researchers believed with moderated confidence was associated with the MuddyWater APT. A “wormable” Microsoft vulnerability called “BlueKeep” is discovered, leading researchers to believe the Remote Desktop Protocol bug could lead to a similar attack to WannaCry. Talos released new Snort rules to protect against this vulnerability and outlined how to defend against it using Cisco Firepower.
	June A threat actor merges together multiple open-source projects to install malware on victims’ machines in a campaign Talos called “Frankenstein.” Talos publishes the details of the new Spelevo exploit kit, showing that exploit kits aren’t going anywhere.
	July A wave of RATs and information-stealers use the well-known “Heaven’s Gate” exploit to achieve infection. Sea Turtle returns with new DNS hijacking techniques and a growing pool of targets. A slew of cities around the U.S., most notably Baltimore, suffer ransomware attacks, causing experts to debate whether it’s ever a good idea for a ransomware victim to pay the extortion payment.
	September After going quiet over the summer, Emotet returns with a new group of IOCs, but the same set of protections as always. The Tortoiseshell APT uses a fake hiring website targeted toward U.S. military veterans to infect victims with a malware downloader. The ODT file type becomes increasingly popular among attackers, which can allow malware to avoid traditional detection methods.
	October A rare iOS jailbreak called “checkra1n” hits the scene, leading to some attackers attempting to trick users into downloading a tool that they believe will unlock their devices, but actually just installs malware. Talos uncovers a group of spyware software that exist in a legal and moral gray area, but attackers have been using to carry out malicious actions.
	November The first reports surface of BlueKeep being exploited in the wild, though there is no evidence to suggest it’s part of a broad campaign.

↧

Threat Source newsletter (Dec. 19, 2019)

December 19, 2019, 11:00 am

≫ Next: Threat Roundup for December 13 to December 20

≪ Previous: 2019: The year in malware

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We have an early holiday present for you! This week, we introduced a new podcast to the Talos family. Talos Takes, a new short-form show, takes listeners through a quick breakdown of a particular topic or security news story, with our Talos spin. The first three episodes are available now on the Talos podcasts page, and on the Beers with Talos feed. In 2020, we’ll give Talos Takes its own feed you’ll be able to subscribe to.

Not to be overshadowed, there is also a new Beers with Talos episode available just in time for your holiday road trip. This week’s episode features special guest Joe Marshall from the Talos Outreach team, who brings his expertise on IoT and ICS security to the table.

To wrap up the year, we released a blog post running through the top malware and cyber news stories of 2019. This post is a perfect place to look back on all the major research we put out this year.

Cisco’s annual winter shutdown begins next week, so this will be the last Threat Source newsletter until Jan. 9. See you in 2020!

Cyber Security Week in Review

The city of New Orleans declared a State of Emergency days after it was hit with a cyber attack. Many government services went down, although emergency services like 911 were not impacted. Local officials say they’ve engaged the FBI to assist with their recovery and an investigation into the attack.
Meanwhile, the city of Pensacola, Florida still recovers from its own ransomware attack. The city brought in an outside firm to launch an investigation into what kind of malware its systems were hit with and provide recommendations on how to recover.
Congress approved $425 million in funding to improve America’s election security. But some lawmakers and security experts say it’s too little, too late, to protect the 2020 presidential election.
GSuite is banning the use of what it considers “less secure” apps. Beginning in June 2020, developers will only Google will only allow users to sign into apps that only rely on a username and password via their Google Account. Google considers secure apps to be those that rely on OAuth tokens.
Ring security cameras continue to come under fire for a series of negative headlines around its security. There are several key security features the service is missing, including the lack of alerts when a new user logs into the account from an unknown IP address or if there are multiple users signed into an account at the same time.
In response to many of these stories, Amazon, the company behind Ring, said many of these hacks are the result of users relying on unsecure username and password combinations. They also recommended opting into two-factor authentication.
Canadian lab testing company LifeLabs says it recently suffered an attack that compromised 15 million individuals’ personal information and paid a ransom to retrieve that data. Representatives from the company say they believe that paying the ransom ensures the compromised data will not be used in additional attacks.
Google released an emergency update for its Chrome web browser after a bug appeared that wiped data from other Android apps. Chrome 79 mistakenly cleared information from apps that are completed unrelated to Chrome, including the Finance app.
Microsoft released an out-of-band security update for SharePoint. CVE-2019-1491 could allow an attacker to obtain sensitive information, and then use that information in additional attacks.

Notable recent security issues

Title: New malware-as-a-service family targets tech, health care companies
Description: The new Zeppelin malware is targeting health care and tech companies in the U.S. and Europe. Researchers believe Zeppelin is a variant of the ransomware-as-a-service family known as Vega. While Vega started out earlier this year targeting Russian-speaking victims, researchers believe the malware could be in a new adversaries’ hands now that they are targeting users elsewhere. Zeppelin is highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader.
Snort SIDs: 52451 – 52453 (By Nicholas Mavis)

Title: Gamaredon attacks spread to Ukrainian journalists, law enforcement agencies
Description: A well-known APT is expanding its pool of targets, now going after journalists and law enforcement agencies in Ukraine. The group, which is believed to have Russian ties based on the language used in their malware, previously went after Ukrainian military and government agencies. There are also new TTPs associated with this group, including the use template injection in their malware.
Snort SIDs: 52445 - 52448 (By Joanne Kim)

Most prevalent malware files this week

SHA 256: d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81
MD5: 5142c721e7182065b299951a54d4fe80
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::1201

SHA 256: 0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94
MD5: 7c38a43d2ed9af80932749f6e80fea6f
Typical Filename: xme64-520.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::1201

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

↧