Cisco Talos

Quarterly Report: Incident Response Trends in Q3 2022

25 October 2022 at 12:00


Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter

By Caitlin Huey.

For the first time since we began compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, together making up nearly 40 percent of threats this quarter.

It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming tool Brute Ratel and the recently discovered Manjusaka and Alchimist attack frameworks. 



Targeting

Attackers targeted the education sector more than any other vertical this quarter, followed closely by the financial services, government, and energy sectors, in that order. For the first time since Q4 2021, telecommunications was not the top-targeted vertical. While the reason for the education sector being more frequently targeted this quarter is unknown, this is a popular time of year for adversaries to target educational institutions as students and teachers return to school.



Ransomware

We observed two previously seen high-profile ransomware families, Vice Society and Hive. This quarter also saw a ransomware family that had yet to be observed in IR engagements, Black Basta, which first emerged in April 2022. 

Talos IR responded to a Vice Society ransomware engagement affecting an education institution in Austria, part of an ongoing trend of Vice Society actors disproportionately targeting the education sector, which is consistent with U.S. Cybersecurity and Infrastructure Security Agency (CISA) reporting. Analysis of the event logs revealed numerous outbound remote desktop protocol (RDP) connection attempts from an infected host to other systems, indicating that the adversary moved laterally. Further analysis identified indicators of the remote access software AnyDesk and TeamViewer; over 50 systems were observed reaching out to TeamViewer-related URLs. An exception for “AnyDesk.exe” was also added to the Windows Defender firewall exemption list by the SYSTEM account. Ransomware was likely deployed via PsExec, with the payload written to the Windows Roaming profile of the compromised user.
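The behaviors in that engagement (RDP fan-out from one host, unapproved remote access tools, a firewall exception for such a tool added by SYSTEM, and PsExec's service binary landing on targets) are each detectable from ordinary host telemetry. The following is an added example, not Cisco Talos code, that scores constructed Sysmon-style records for those four signals; the field names, the `APPROVED_RAT_HOSTS` allowlist and the sample events are assumptions made for the illustration.

```python
"""Triage helpers for the pre-ransomware indicators described above.

Added example, not code from Cisco Talos. Field names loosely follow
Sysmon event 3 (network connection) and event 1 (process creation) plus a
Windows Firewall "rule added" record; all events below are constructed
sample data, and APPROVED_RAT_HOSTS is an assumed allowlist.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Hosts where a remote-support tool is expected (assumption for the example).
APPROVED_RAT_HOSTS = {"HELPDESK-01"}


def basename(path):
    """Case-folded file name of a Windows path, for image comparisons."""
    return PureWindowsPath(path).name.lower()


def rdp_fan_out(net_events, min_destinations=5):
    """Flag sources that opened RDP (3389) connections to many distinct hosts."""
    dests = defaultdict(set)
    for ev in net_events:
        if ev["dst_port"] == 3389:
            dests[ev["src_host"]].add(ev["dst_host"])
    return [{"kind": "rdp_fan_out", "host": src, "destinations": sorted(d)}
            for src, d in dests.items() if len(d) >= min_destinations]


def unapproved_remote_access(proc_events):
    """Remote access tools running on hosts that are not on the allowlist."""
    return [{"kind": "remote_access_tool", "host": ev["host"],
             "image": ev["image"], "user": ev["user"]}
            for ev in proc_events
            if basename(ev["image"]) in REMOTE_ACCESS_TOOLS
            and ev["host"] not in APPROVED_RAT_HOSTS]


def suspicious_firewall_exceptions(fw_events):
    """Firewall exceptions for remote access tools added under SYSTEM."""
    return [{"kind": "firewall_exception", "host": ev["host"],
             "application": ev["application"]}
            for ev in fw_events
            if basename(ev["application"]) in REMOTE_ACCESS_TOOLS
            and ev["user"].upper().endswith("\\SYSTEM")]


def psexec_service(proc_events):
    """PSEXESVC.exe is the service PsExec installs on the remote target."""
    return [{"kind": "psexec_service", "host": ev["host"], "user": ev["user"]}
            for ev in proc_events if basename(ev["image"]) == "psexesvc.exe"]


def triage(net_events, proc_events, fw_events):
    """Run every check and return the combined findings in a fixed order."""
    findings = []
    findings += rdp_fan_out(net_events)
    findings += unapproved_remote_access(proc_events)
    findings += suspicious_firewall_exceptions(fw_events)
    findings += psexec_service(proc_events)
    return findings


# Constructed sample telemetry: WS-042 fans out over RDP to six servers,
# runs AnyDesk, gets a SYSTEM-added firewall exception for it, and PsExec's
# service shows up on one of the servers it touched.
SAMPLE_NET = [{"src_host": "WS-042", "dst_host": f"SRV-{n:02d}", "dst_port": 3389}
              for n in range(1, 7)]
SAMPLE_NET += [{"src_host": "WS-017", "dst_host": "SRV-TS01", "dst_port": 3389},
               {"src_host": "WS-042", "dst_host": "SRV-FILE01", "dst_port": 445}]
SAMPLE_PROC = [
    {"host": "WS-042", "image": r"C:\Users\j.doe\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "user": r"CORP\j.doe"},
    {"host": "HELPDESK-01", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "user": r"CORP\helpdesk"},
    {"host": "SRV-03", "image": r"C:\Windows\PSEXESVC.exe", "user": r"NT AUTHORITY\SYSTEM"},
]
SAMPLE_FW = [
    {"host": "WS-042", "rule": "AnyDesk",
     "application": r"C:\Users\j.doe\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "WS-017", "rule": "Zoom",
     "application": r"C:\Users\m.lee\AppData\Roaming\Zoom\bin\Zoom.exe",
     "user": r"CORP\m.lee"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NET, SAMPLE_PROC, SAMPLE_FW):
        print(finding)
```

None of these signals is conclusive alone (a help-desk host legitimately runs TeamViewer, an administrator legitimately uses PsExec), which is why the checks are kept separate and the allowlist is explicit: the value is in several of them firing on the same host within a short span, as they did in the engagement above.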

In recent months, Talos observed ongoing Qakbot activity leveraging thread hijacking and password-protected ZIP files to enhance legitimacy. For example, in a ransomware engagement affecting a U.S.-based IT company, Talos IR observed multiple IP addresses associated with command and control (C2) traffic to and from compromised endpoints associated with Qakbot. The attackers likely gained initial access via a phishing email with an HTML attachment that, once opened, initiated JavaScript that subsequently downloaded a malicious password-protected ZIP file. The ZIP file contained a Windows shortcut file (LNK) that, once downloaded and executed on the victim system, delivered Qakbot. The adversaries eventually dropped the ransomware Black Basta, which we had not previously observed in Talos IR engagements. In the past six months, we’ve seen Qakbot use several different infection chains, including potentially moving away from LNK files in some campaigns.

Talos has been monitoring the disclosure of “LockBit Black,” the builder for the LockBit 3.0 ransomware encryptor, leaked publicly in late September 2022 by an alleged LockBit coder/developer. This leak is among many setbacks this group has experienced in recent months, including distributed denial-of-service (DDoS) attacks targeting the group’s data leaks site. While Talos IR did not observe any LockBit ransomware engagements this quarter, the leaked builder could make attribution of typical LockBit tactics, techniques, and procedures (TTPs) more difficult as more threat actors incorporate it into their own ransomware operations. Talos has already begun tracking one new ransomware group dubbed “BlooDy Gang” which has reportedly used the leaked LockBit 3.0 builder in recent ransomware attacks. This could enable even more ransomware groups to save time and resources by relying on leaked builders and source code of other ransomware operations, as opposed to independently developing ransomware.


Uptick in pre-ransomware behaviors 


While ransomware was the top threat this quarter, we also observed an equal number of engagements involving various pre-ransomware behaviors. Although each pre-ransomware engagement involves unique behaviors and TTPs, the overwhelming similarities among these engagements include host enumeration, multiple credential-harvesting activities, and attempts to escalate privileges via an identified weakness or vulnerability in order to move laterally to other systems. In some instances where ransomware was never deployed, the adversary was likely trying to exfiltrate data at the time of detection, indicating they had broad enough access to cause significant harm at that time.

In a pre-ransomware engagement affecting a European energy company, Talos IR observed the installation of Cobalt Strike and Mimikatz. The customer first observed Cobalt Strike installation and/or Mimikatz invocation affecting nearly 100 servers. Talos IR detected traffic associated with Metasploit Framework’s Meterpreter shell originating from a compromised host. Seven minutes later, the system attempted to reach out to a confirmed Cobalt Strike C2 server. PowerShell commands and scripts revealed a lightweight Cobalt Strike loader likely associated with Cobalt Strike SMB lateral beaconing. Other tools observed in the environment include the Active Directory mapping tool SharpHound and Rubeus, a Kerberoasting tool.


Publicly available tooling and scripts support adversary objectives

We observed adversaries leveraging a variety of publicly available tools and scripts hosted on GitHub repositories or free to download from third-party websites to support operations across multiple stages of the attack lifecycle. To support an adversary's objectives, we commonly observed offensive security and red-team tools, such as the modularized Cobalt Strike framework and Active Directory reconnaissance tools ADFind and BloodHound. However, the presence of these additional scripts and tools indicates that adversaries are continuing to identify publicly available resources, which adds convenience but muddies attribution.

In a pre-ransomware incident affecting a U.S. manufacturer, the adversary logged in and executed a publicly available PowerShell script (“DomainPasswordSpray.ps1”) to perform password spraying against the domain. Password spraying is a credential-access technique in which a single password, or a short list of commonly used passwords, is tried against many different accounts in an attempt to validate credentials and gain access. Running the script produced large numbers of account lockouts, matching the activity the customer had reported. Talos IR also identified the presence of SharpZeroLogon, an exploit for the Zerologon (CVE-2020-1472) privilege escalation vulnerability, which is publicly available on GitHub. Ultimately, this allows an attacker to take control of a domain controller by resetting the targeted domain controller’s computer account, potentially leading to a full domain admin compromise.
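The telltale shape of a spray is the inverse of a brute force: many accounts, very few attempts each, from one source, in a short window, often followed by a burst of lockouts. The following is an added example, not Talos code, that encodes that heuristic as a detector over Windows Security log records (event 4625, failed logon, and event 4740, account locked out). The records are constructed sample data in a simplified tuple shape; in a real 4740 event the source is the "Caller Computer Name" field rather than an IP address.

```python
"""Password-spray detector over Windows Security log records.

Added example, not code from the Talos report. Records are constructed
sample data in the simplified shape (timestamp, event_id, target_account,
source); the thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # A spray: one source, one attempt per account, seconds apart.
    ("2022-09-12T02:00:01", 4625, "alice",  "10.1.5.23"),
    ("2022-09-12T02:00:02", 4625, "bob",    "10.1.5.23"),
    ("2022-09-12T02:00:03", 4625, "dkim",   "10.1.5.23"),
    ("2022-09-12T02:00:04", 4625, "ejones", "10.1.5.23"),
    ("2022-09-12T02:00:05", 4625, "fwong",  "10.1.5.23"),
    ("2022-09-12T02:00:06", 4625, "hsmith", "10.1.5.23"),
    ("2022-09-12T02:00:30", 4740, "hsmith", "10.1.5.23"),   # lockout
    ("2022-09-12T02:01:00", 4625, "alice",  "10.1.5.23"),   # second password
    # Benign: one user mistyping their own password three times.
    ("2022-09-12T08:15:00", 4625, "carol",  "10.1.9.8"),
    ("2022-09-12T08:15:40", 4625, "carol",  "10.1.9.8"),
    ("2022-09-12T08:16:10", 4625, "carol",  "10.1.9.8"),
]


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return one finding per source that failed logons against at least
    `min_accounts` distinct accounts inside any sliding `window`."""
    failures = defaultdict(list)   # source -> [(time, account)]
    lockouts = defaultdict(set)    # source -> {locked-out account}
    for ts, event_id, account, source in events:
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[source].append((when, account))
        elif event_id == 4740:
            lockouts[source].add(account)

    findings = []
    for source, attempts in failures.items():
        attempts.sort()
        best, start = set(), 0
        # Sliding window over the time-sorted attempts; keep the largest
        # set of distinct accounts seen inside any single window.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = {acct for _, acct in attempts[start:end + 1]}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_accounts:
            distinct_total = len({acct for _, acct in attempts})
            findings.append({
                "source": source,
                "distinct_accounts": len(best),
                "attempts": len(attempts),
                # Close to 1.0 means "few passwords, many users": a spray.
                "attempts_per_account": round(len(attempts) / distinct_total, 2),
                "locked_out": sorted(lockouts[source]),
                "first_seen": attempts[0][0].isoformat(),
                "last_seen": attempts[-1][0].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

The `attempts_per_account` ratio is what separates this from a classic brute force against one account, and the lockout correlation is the cheap corroboration: a source that both hits many accounts and triggers 4740 events is the pattern the customer in the engagement above saw first as "unexplained lockouts".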

Talos has been monitoring the increased use of dual-use tools such as Cobalt Strike, Brute Ratel, Sliver, and Manjusaka. Brute Ratel is of particular concern since the toolkit was cracked in late September and is being shared for free across several hacking forums and communities. Additionally, endpoint telemetry revealed an attack chain with Qakbot dropping Brute Ratel. Although we have not yet observed Brute Ratel in any Talos IR engagements, we assess that the tool’s rise in the cyber threat landscape in recent months, coinciding with Qakbot operators’ use and the cracked version, will likely lead to more threat actors adopting the post-exploitation kit into their operations.

Of note, a majority of the publicly available tooling leveraged this quarter appears focused on accessing and collecting credentials, highlighting the role these tools play in potentially furthering an adversary’s objectives.


Initial vectors

This quarter featured several engagements where attackers leveraged valid accounts to gain initial access, especially in cases where accounts were misconfigured, not disabled properly, or had weak passwords. In at least two engagements this quarter, Talos IR investigated the possibility of initial adversary access via a compromised contractor’s network or a contractor’s personal computer.



In nearly 15 percent of engagements this quarter, adversaries identified and/or exploited misconfigured public-facing applications by conducting SQL injection attacks against external websites, exploiting Log4Shell in vulnerable versions of VMware Horizon, and targeting misconfigured and/or publicly exposed servers.

We continued to see successful Log4Shell (CVE-2021-44228, CVE-2021-45046, and related flaws) exploitation attempts followed by a variety of malicious activities, such as cryptocurrency mining and ransomware. In a Hive ransomware incident affecting a U.S. education institution, Talos IR observed multiple Log4Shell exploitation attempts against a vulnerable VMware Horizon server; the most notable of these attempts resulted in a Cobalt Strike beacon dropped on the server. Talos IR also identified high volumes of cryptocurrency miners, which are common post-exploitation payloads associated with activity targeting the Log4j vulnerabilities. While we could not link the Hive affiliate to the Log4j exploitation attempts, the VMware Horizon logs revealed that the server was public-facing, suggesting that more than one adversary may have attempted to target this vulnerability.

The next most common initial infection vector came via email, followed by user execution of a malicious document or link. In one of the business email compromise (BEC) engagements affecting a U.S. financial services organization, the adversaries used thread hijacking and a malicious email link leading to a fake authentication page that harvested credentials as users entered them. The adversary also created email inbox rules in an attempt to gain persistence on the compromised email account.

It is important to note that for the majority of incidents, Talos IR could not reasonably determine the initial vector because of logging deficiencies or a lack of visibility into the affected environment.


Security weaknesses

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication. 

In what appears to be a prevalent theme this quarter, in 27 percent of engagements password or account access was not properly configured or disabled, leaving these accounts functionally active and allowing adversaries to use valid credentials to enter the environment. In a few cases, organizations did not properly disable account access after an employee left the organization. Talos IR’s recommendation is to disable or delete inactive accounts in Active Directory so they cannot be used by adversaries.
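Acting on that recommendation starts with finding the accounts that are still enabled but no longer used. The following is an added example, not Cisco Talos code, that works on a constructed export of AD user objects (the attributes are the real ones an LDAP search or Get-ADUser returns; the rows, the 90-day threshold and the reference date are assumptions). It handles the two edge cases that trip up naive scripts: lastLogonTimestamp is a Windows FILETIME rather than a Unix time, and accounts that never logged on carry a zero or missing value, so their creation date has to stand in.

```python
"""Find enabled Active Directory accounts that have gone stale.

Added example, not code from Cisco Talos. Attribute names are the real AD
ones (sAMAccountName, lastLogonTimestamp, whenCreated); the user rows, the
reference date NOW and the 90-day threshold are constructed assumptions.
"""
from datetime import datetime, timedelta

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME integer to a naive UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic only."""
    delta = dt - EPOCH_1601
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def stale_accounts(users, now, max_idle=timedelta(days=90)):
    """Return (sAMAccountName, reason) for enabled accounts idle past max_idle.

    Never-logged-on accounts (lastLogonTimestamp 0/None) are judged by
    whenCreated instead, so a fresh account is not flagged while an old,
    never-used service account is.
    """
    cutoff = now - max_idle
    stale = []
    for u in users:
        if not u["enabled"]:
            continue                      # already disabled; nothing to do
        last = u.get("lastLogonTimestamp")
        if last:
            last_seen = filetime_to_datetime(last)
            reason = f"no logon since {last_seen.date()}"
        else:
            last_seen = datetime.fromisoformat(u["whenCreated"])
            reason = f"never logged on; created {last_seen.date()}"
        if last_seen < cutoff:
            stale.append((u["sAMAccountName"], reason))
    return sorted(stale)


# Constructed sample export, with the report's publication date as "now".
NOW = datetime(2022, 10, 25)
SAMPLE_USERS = [
    {"sAMAccountName": "j.doe", "enabled": True,
     "lastLogonTimestamp": datetime_to_filetime(datetime(2022, 10, 20)),
     "whenCreated": "2019-04-02T09:00:00"},
    {"sAMAccountName": "contractor.ext", "enabled": True,
     "lastLogonTimestamp": datetime_to_filetime(datetime(2022, 5, 1)),
     "whenCreated": "2021-11-15T09:00:00"},
    {"sAMAccountName": "svc.backup", "enabled": True,
     "lastLogonTimestamp": 0, "whenCreated": "2021-03-01T09:00:00"},
    {"sAMAccountName": "new.hire", "enabled": True,
     "lastLogonTimestamp": 0, "whenCreated": "2022-10-18T09:00:00"},
    {"sAMAccountName": "old.admin", "enabled": False,
     "lastLogonTimestamp": datetime_to_filetime(datetime(2021, 1, 1)),
     "whenCreated": "2015-06-01T09:00:00"},
]

if __name__ == "__main__":
    for name, reason in stale_accounts(SAMPLE_USERS, NOW):
        print(f"{name}: {reason}")
```

Keep the threshold well above two weeks: domain controllers only update lastLogonTimestamp when the stored value is more than about 14 days old, so the attribute can lag the real last logon by that much, and a short threshold would flag active users.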


Top-observed MITRE ATT&CK techniques

Below is a list of the MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include: 

  • Legitimate remote access software, such as AnyDesk and TeamViewer, was leveraged in nearly a quarter of engagements.
  • In an ongoing trend, adversaries leveraged valid accounts for initial access, especially notable where accounts were misconfigured or had weak passwords.
  • We observed adversaries transferring tools or scripts from external systems or adversary-controlled infrastructure into a compromised environment, referred to as ingress tool transfer. The adversaries frequently downloaded these tools from public sites such as GitHub.
  • We observed adversaries deploying Cobalt Strike and Mimikatz across several pre-ransomware engagements. In cases where ransomware encryption took place, PsExec usage played a large role in executing ransomware in 75 percent of ransomware engagements this quarter.



Tactic | Technique | Example
Initial Access (TA0001) | T1078 Valid Accounts | Adversary leveraged stolen or compromised credentials
Reconnaissance (TA0043) | T1592 Gather Victim Host Information | Text file contains details about host
Persistence (TA0003) | T1136 Create Account | Created a user to add to the local administrator’s group
Execution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell | Executes PowerShell code to retrieve information about the client's Active Directory environment
Discovery (TA0007) | T1482 Domain Trust Discovery | Use various utilities to identify information on domain trusts
Credential Access (TA0006) | T1003 OS Credential Dumping | Deploy Mimikatz and publicly available password lookup utilities
Privilege Escalation (TA0004) | T1068 Exploitation for Privilege Escalation | Exploit ZeroLogon to escalate privileges with a direct path to a compromised domain
Lateral Movement (TA0008) | T1021.001 Remote Desktop Protocol | Adversary made attempts to move laterally using Windows Remote Desktop
Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | Use base64-encoded PowerShell scripts
Command and Control (TA0011) | T1105 Ingress Tool Transfer | Adversaries transfer/download tools from an external system
Impact (TA0040) | T1486 Data Encrypted for Impact | Deploy Hive ransomware and encrypt critical systems
Exfiltration (TA0010) | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage | Actor exfiltrated data to file sharing site mega[.]nz
Collection (TA0009) | T1074 Data Staged | Stage data in separate output files
Software/Tool | S0002 Mimikatz | Use Mimikatz to obtain account logins and passwords

Threat Roundup for October 14 to October 21

21 October 2022 at 19:50

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 14 and Oct. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.Shiz-9974680-0 Dropper Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or if a user visits a malicious site.
Win.Dropper.DarkComet-9974770-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Virus.Xpiro-9975154-1 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Packed.Fareit-9974907-0 Packed The Fareit trojan is primarily an information stealer with functionality to download and install other malware.
Win.Dropper.Kovter-9975143-1 Dropper Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter can reinfect a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.Razy-9975201-0 Dropper Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, eventually sending it to a command and control (C2) server. Information collected may include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Zegost-9975205-0 Dropper Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam and uploading/executing follow-on malware. It appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.

Threat Breakdown

Win.Dropper.Shiz-9974680-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 66 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
63
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
1
Mutexes Occurrences
Global\674972E3a 63
Global\MicrosoftSysenterGate7 63
internal_wutex_0x000004b4 63
internal_wutex_0x<random, matching [0-9a-f]{8}> 63
internal_wutex_0x0000043c 63
internal_wutex_0x000004dc 63
Global\4552e841-4aec-11ed-9660-0015175fc6e6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 31
72[.]14[.]185[.]43 15
45[.]33[.]2[.]79 14
45[.]33[.]23[.]183 11
45[.]56[.]79[.]23 11
45[.]33[.]20[.]235 11
45[.]33[.]30[.]197 11
96[.]126[.]123[.]244 10
72[.]14[.]178[.]174 10
45[.]79[.]19[.]196 9
198[.]58[.]118[.]167 8
45[.]33[.]18[.]44 5
173[.]255[.]194[.]134 5
85[.]94[.]194[.]169 4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fotaqizymig[.]eu 63
cidufitojex[.]eu 63
xukuxaxidub[.]eu 63
digofasexal[.]eu 63
gatuvesisak[.]eu 63
lyvywyduroq[.]eu 63
puvacigakog[.]eu 63
xuboninogyt[.]eu 63
cicezomaxyz[.]eu 63
dixyjohevon[.]eu 63
fokisohurif[.]eu 63
volugomymet[.]eu 63
maganomojer[.]eu 63
jefecajazif[.]eu 63
qedylaqecel[.]eu 63
nojotomipel[.]eu 63
gahoqohofib[.]eu 63
rytifaquwer[.]eu 63
kepujajynib[.]eu 63
lyrosajupid[.]eu 63
tuwaraqidek[.]eu 63
xuqeqejohiv[.]eu 63
pumebeqalew[.]eu 63
cinycekecid[.]eu 63
divulewybek[.]eu 63
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 63

File Hashes

0fd54a3752516ae74445ba9ba0415ca66b5a97e259c65a288e9f535036a3f6c2 1305af84cd40461bdf053a9e3e9e130dd40cb082587d32b4f2dabc1aa9f55ab5 1700243813648c3620961cc1ebc8fe1bee29db2dd683a9256fbdaffb2c2d3402 1bf4f0d47af94c3e428f3c50510ca420161a6cc36cd044c85db915586da580f0 208b2d3afe6ac66a93f79172ea2e11418b54b5d183e056920129db58e1d7cada 259992be0fa7c7a6471eea5323da77c73dce5f6c4d09339d67cdf54101eb49bf 299cc54b9efd0ba263f4b709d2f65ffad4b3bec567fdaadf79df531a0ef548b6 2caf161a22e4a9e5ee81b07349ef63ab9b01c058ec1bc6c3e7423c5d2621c475 2f5cb0db00e4070a56755a2a79ed5bbd9366dd440f04d269e02d4e0d745195dd 2fbf9be9d28838774f7ff984d54b14b2edbdaaf0133642ad62b58f650d9c838c 360c2da9a5e7b93c1c33b6fb355fbf9b39fce16c80b8260793c15cda636f06d8 3779c8df35e040a8663bd887106c7e68bc2c74abf4d731cb23a1c2c37fe92108 3a01e6f5f0252c5f029faa6ba1a978571a9321d2c1e170e6738846b3c1da153b 3c62093f5be8563dfd2acacbe3dfea0aff14f2bbe7aff863083709921675f5ba 3e042ac3114ead5db3666c001c5a136cb3abc8afa2d9608d86d76232ad47533b 4202970a30e26081bf5151e3ebb1609ec50c9db9dcac1516629656e74ab72292 492ebd011baccdc01e3b6caa42722949a623aa40dd07351681a8a30851504097 4b12cc54948f1a66af4e5c1d6fdc7a3151748fda937b5c7e3a4ce0da32f282b9 4cdaef88227d8e39e9fd8011901ca0de0d9f39f9288160ca8029262e3cb85576 4cf8fb57162c78d93382a75651dd0f4dd32d15e624bd7f205cec46bbec6af6c4 56945e7aea4d8d7eb9629bc72d4e192c720357e5b4d1e11337081ef1e41c37d5 57213b49222d15abc6c759544c50c96bc8e368568701223552725e1fcbb5fbad 5e46885a1e5c8aaf32992bae85afd6513117d6c38df122af9925185914793b7f 5ecdfbbe0acf003531b7329afeedef24939beb3cf97bf7aacef8b9cca39af7f4 626300915d8c7dec6be5f5a7e5959b6f4b0b72fbfed068a86e4c405d05908417
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.DarkComet-9974770-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 41 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\THE SILICON REALMS TOOLWORKS 41
<HKLM>\SOFTWARE\WOW6432NODE\THE SILICON REALMS TOOLWORKS\ARMADILLO 41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649} 41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\VERSION 41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\VERSION 41
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 12
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 11
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
10
<HKCU>\SOFTWARE\DC3_FEXEC 9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y604YT5M-IS04-2A48-225F-2HB7V6B7W50M} 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ctfmon.exe
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ctfmon.exe
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y604YT5M-IS04-2A48-225F-2HB7V6B7W50M}
Value Name: StubPath
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{13R07N2B-6QLO-B5WO-1EX2-8BTL6INCM2WY} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{13R07N2B-6QLO-B5WO-1EX2-8BTL6INCM2WY}
Value Name: StubPath
2
<HKCU>\SOFTWARE\MICROSOFT
Value Name: PIDprocess
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdateashiyan
1
Mutexes Occurrences
RN7159F566 41
_x_X_BLOCKMOUSE_X_x_ 15
_x_X_PASSWORDLIST_X_x_ 15
_x_X_UPDATE_X_x_ 15
4A8::DAAEACF2A8 10
***MUTEX*** 8
***MUTEX***_SAIR 7
7B4:DAF 7
7B4::DAAEACF2A8 7
DC_MUTEX-<random, matching [A-Z0-9]{7}> 7
7C0:DAF 6
7C0::DAAEACF2A8 6
334:DAF 5
7BC:DAF 5
7A0::DAAEACF2A8 5
6B4::DAAEACF2A8 5
334::DAAEACF2A8 5
7BC::DAAEACF2A8 5
730::DAAEACF2A8 5
<random, matching '[A-Z0-9]{14}'> 4
34C:DAF 4
730:DAF 4
4A4::DAAEACF2A8 4
34C::DAAEACF2A8 4
238::DAAEACF2A8 4
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
52[.]8[.]126[.]80 2
51[.]89[.]107[.]116 2
13[.]107[.]21[.]200 1
153[.]92[.]0[.]100 1
3[.]64[.]163[.]50 1
78[.]175[.]232[.]186 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
sadeghdng[.]no-ip[.]org 4
dagevleri18[.]zapto[.]org 3
www[.]server[.]com 2
microupdate[.]sytes[.]net 2
joyless[.]persiangig[.]com 2
jetfadil[.]zapto[.]org 2
www[.]bing[.]com 1
bykacak470101[.]zapto[.]org 1
slasherist[.]zapto[.]org 1
images1[.]net46[.]net 1
metalcix5[.]dyndns[.]org 1
dinamik[.]no-ip[.]org 1
mehmetsam1997[.]zapto[.]org 1
www[.]dllindir[.]com 1
managed[.]redirectme[.]net 1
darkhacker33[.]no-ip[.]org 1
baransiker[.]no-ip[.]org 1
Files and or directories created Occurrences
%TEMP%\F827973E.TMP 41
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\699c4b9cdebca7aaea5193cae8a50098_d19ab989-a35f-4710-83df-7b2db7efe7c5 40
%TEMP%\XX--XX--XX.txt 12
%TEMP%\UuU.uUu 12
%TEMP%\XxX.xXx 12
%APPDATA%\logs.dat 12
%TEMP%\x.html 8
%APPDATA%\dclogs 5
%SystemRoot%\SysWOW64\driver 4
%SystemRoot%\SysWOW64\driver\ctfmon.exe 3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 2
\TEMP\cmsetac.dll 2
\TEMP\ntdtcstp.dll 2
%TEMP%\DOR.EXE 2
%TEMP%\SMSLOG.EXE 2
\Downloaded.exe 2
%SystemRoot%\SysWOW64\smss\smss.exe 2
%APPDATA%\Microsoft\Windows\((Mutex)).cfg 1
\TEMP\m2k Mod\nocooltime.tga 1
\TEMP\m2k Mod\nofog.tga 1
\TEMP\m2k Mod\noskill.tga 1
\TEMP\m2k Mod\off_0.tga 1
\TEMP\m2k Mod\off_1.tga 1
\TEMP\m2k Mod\off_2.tga 1
\TEMP\m2k Mod\on_0.tga 1
*See JSON for more IOCs

File Hashes

004d9f0b4964ca5529695c3bcfed64c8a5f5004c69cc51940d788f25e842c89f 025db75dd8d43e99090aca0b8b891d1f748e34a8dd164f895e1ddac88cfbea65 04fd3f937baa6b110b8f83577f3eed5470d5ad3f76b77bbed0ed93fe0392936e 0684b108700092d84817509a685b666c0654cdb6abe3240811cc1b4692ede70a 07d5cec6b790243a1af8994c7889b26fb55ea779a31d9911c75f138057298d05 0b95b31db9ebf66c5aafdc5801a4e3f651ad3425f7a42156132da900b582392c 0ee01faf9ed1259b48150317ed4b39199135a917154ac2b161bbc345b03a42f3 1950125c79a4db59cf391297ed0f00a2106d4dab2442ac7cbff5b2257d9e0e2b 1a2e40328a13c1497cd166518ff51e1d7fed74490563d47e29fe45f26e97a05d 1db26d83143a5b1625405f48282b83170fbd2644bacbcca7f51afc10a3e9b035 1e6e592a95806c637aea7b54a9d5cb5236b81af341be18a1a9346b6bbe6571a7 224f4711335c4c0c792d3af80cf5cff14ee6a0a1c3fc6a1eab76eaf1176734d7 2fe3b395c368f1346b1f38e55dadbda2a2c3fb8bfafec9130d99694b13f63fb4 34b775e900f7ebd00b0e8b4f7372cfc55c01ea9e3b424dcba1c9aaa89e1535aa 3536ce470cd6fd310c99c8768cd09cce4eb362e0446dba39ea0faea3ac9837fe 40881ef73d0b9085f256d945aeaeb222d69dca69d584517fa13291811b89925d 473a323f38f889c092e45f1f5c99af8aec175fbd00cb1ea0c00f2db0ea9aef84 47bee0c1952eea7077e47b2c843e7506782727d3f0d8d7d11fb787a73db888e5 548a2e8f5b58857585ad98161fcc86970e2f3f0b70e2610a536df3640de82cd4 58d942e35c3148c20e2dfb6877602a96a39a18b75315bc22972b6ff884bbb33e 5a5f99829e620fe4c98ad9fceb44c4b81087a8b1dac50db37cf2356c018f0493 5d7c90c03d6582b8b067ee14328b93bb08680d12f32d503a308ec0ff410f3dfb 5fe931cef0f656a43daaad1e913d928b6b71c1994b0ab0720c02e786fb79f415 6596911e29d5c531a5454c15da0c39afe35a6adb7b773d1806a99cff6f39c374 696f0c7650dd7b4cdf7bb9884c6a501cb3174f7202de349ef81ed3000262557c
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Virus.Xpiro-9975154-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 52 samples
Registry Keys Occurrences
Mutexes Occurrences
Global\mlbjlegc 52
Dmrc_mtx_409a9db1-a045-4296-8d2c-9d71016c846b 1
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Packed.Fareit-9974907-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples
Registry Keys Occurrences
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
115[.]47[.]49[.]181 28
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Kovter-9975143-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 69 samples
Registry Keys Occurrences
Mutexes Occurrences
C77D0F25 69
Global\07771b47 69
244F2418 69
906A2669 69
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft[.]com 69
nitrado[.]net 1
server[.]nitrado[.]net 1
Files and or directories created Occurrences
%TEMP%\install_flash_player_18_active_x.exe 69

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Razy-9975201-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\EVENTSUBSYSTEM 17
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
17
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\mlang.dll,-4386
17
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
207[.]36[.]232[.]49 17
Files and or directories created Occurrences

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Zegost-9975205-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time
1
Mutexes Occurrences
sephardi.f3322.org127.0.0.1127.0.0.1 6
127.0.0.1127.0.0.1127.0.0.1 3
1061683991.3322.org127.0.0.1127.0.0.1 3
Global\46b90721-4e87-11ed-9660-001517ce65a8 1
113.0.208.111127.0.0.1127.0.0.1 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
59[.]53[.]63[.]103 6
113[.]244[.]66[.]10 3
113[.]0[.]208[.]111 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
sephardi[.]f3322[.]org 6
1061683991[.]3322[.]org 3

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Threat Source newsletter (Oct. 20, 2022) — Shields Up! No seriously, Shields Waaaaay Up

20 October 2022 at 18:00


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I’m very excited about this video I’ve embedded below — it’s a project I’ve been working on with my team for a while now. Building off what I’ve written about in the past regarding fake news, this video examines what essentially equates to the propaganda being spread on social media during Russia’s invasion of Ukraine. 

This includes everything from fake videos of soldiers dancing to Ukrainian laser cats and fairly convincing deepfake videos.

The Russia cybersecurity news doesn’t end there, either. State-sponsored actors have been busy over the past month, including the Killnet group, which recently targeted several U.S. local elections offices and major airports. So far, these cyber attacks don’t seem to have had any major effects or disruptions, but I just think it’s worth noting that these groups are just as active as ever, which is what the U.S. government has been warning us about since the onset of Russia’s invasion.  

While there are many Russian actors who are incredibly sophisticated and may want to carry out high-profile attacks, Killnet is a less “formal” group and more of an angry online mob looking to wreak whatever havoc it can. This group does not have any formal goals in mind, per se, and doesn’t seem to be motivated by specific state interests or trying to generate millions of dollars of revenue. They just want to be disruptive and make life harder for their targets. 

And in some ways, this is worse for defenders because it’s impossible to predict where this group is going to strike next. It’s not easy enough to say, “Well, it’s back-to-school season, so education sectors are more likely to be targeted.”  

Groups like Killnet don’t seem to care about specific timing or trying to “strike while the iron’s hot.” After all, it’s not like last week was a particularly busy travel season in the U.S. so they really wanted to hit the aviation industry when it hurts the most. 

It can be tiring to hear the same warnings repeatedly about how Russian state-sponsored actors are going to target Western entities. But even though they can become repetitive, these warnings are backed up with real-world examples and show that users and defenders from all industries need to be always on their toes.  


The one big thing 


A new attack and C2 framework called "Alchimist” is actively targeting Windows, Linux, and macOS systems in various cyber attacks. Alchimist offers a web-based interface in Simplified Chinese and is very similar to Manjusaka, another new framework Talos recently discovered that is becoming increasingly popular among Chinese threat actors. Both frameworks have significant similarities, but there are enough technical differences that Talos believes they were likely written by different authors.  

Why do I care? 

This framework provides attackers with an easy method of carrying out a variety of malicious actions, such as executing remote shellcode and taking screenshots without the target noticing. The fact that Alchimist and its associated trojan, Insekt, target Windows, Linux and macOS alike means anyone could be a target.  

So now what?

Endpoint security teams should implement layered security defense, be constantly vigilant in monitoring the privileged operations in their environments and detect any unauthorized programs attempting to gain root privileges. Network security teams should be looking for any unusual traffic to their organizations' environment and be cautious about suspicious artifacts downloaded to their network. Having controlled download and file execution policies on the endpoints and servers can effectively protect organizational assets from threats.  

 

Top security headlines from the week


The Qakbot access-as-a-service group is active again after a few months of being relatively quiet, this time using several different second-stage payloads to allow other groups to execute follow-on attacks. Qakbot-infected systems have seen the group use Brute Ratel, a simulation platform commonly used by penetration testers, the Emotet botnet and Cobalt Strike. Black Basta is one such group that’s been spotted acquiring access to targeted systems via Qakbot. In that group’s case, it uses Brute Ratel to move laterally to other systems on the network and execute various malicious payloads. (Dark Reading, Decipher)

Australia is becoming an increasingly popular target for threat actors, including several high-profile companies that were recently hit with cyber attacks. A new study found there was an 81 percent increase in cybersecurity incidents in Australia between July 2021 and June 2022, with most of that jump coming in 2022. The Australian government is already looking at new cybersecurity standards and laws, including new rules forcing cyber attack targets to notify banks faster if there is a data breach, specifically highlighting a recent breach at Optus, one of the country’s largest telecommunications companies. Medibank, a massive health insurance company, was also hit with a cyber attack this week, although it said there is currently no evidence of sensitive information or customer data being affected. (Computer Weekly, Reuters, Bloomberg)

Social media and online advertising platforms have been slow to adopt new rules and regulations around fake news and disinformation related to birth control and abortion care. Several months removed from the Supreme Court’s ruling overturning Roe v. Wade, there are still massive amounts of misleading advertising, fake news links and incorrect information floating around on online platforms without any flags. Abortion rights advocates say that this issue has only gotten worse since the ruling. A new study from the Institute for Strategic Dialogue states that sites like TikTok, YouTube and Meta have allowed disinformation and misinformation about abortion care rights and laws to be monetized and spread. (Axios, Institute for Strategic Dialogue)


Can’t get enough Talos? 

Upcoming events where you can find Talos 



Sands Capital Management, Arlington, Virginia 


BSides Lisbon (Nov. 10 - 11)
Cidade Universitária, Lisboa, Portugal 

Most prevalent malware files from Talos telemetry over the past week  


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 2c8ea737a232fd03ab80db672d50a17a     
Typical Filename: LwssPlayer.scr     
Claimed Product: 梦想之巅幻灯播放器     
Detection Name: Auto.125E12.241442.in02 

MD5: df0b88dafe7a65295f99e69a67db9e1b 
Typical Filename: avi.exe 
Claimed Product: N/A    
Detection Name: Gen:Variant.Lazy.228707 

MD5: 3d1212389bfcdc91be084e6c093a32a1 
Typical Filename: sysrdsvms.exe 
Claimed Product: N/A    
Detection Name: Gen:[email protected] 

MD5: 147c7241371d840787f388e202f4fdc1
Typical Filename: eksplorasi.exe  
Claimed Product: N/A      
Detection Name: W32.Generic:Rontokbromm.21dz.1201 

Vulnerability Spotlight: Vulnerabilities in Abode Systems home security kit could allow attacker to take over cameras, remotely disable them

20 October 2022 at 13:27


Matt Wiseman of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users of unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors.  

The devices communicate with the user via a website or app on their mobile device and can connect to smart hubs like Google Home, Amazon Alexa and Apple Homekit. 

The vulnerabilities Talos discovered could lead to a variety of conditions, including providing attackers with the ability to change users’ login passwords, inject code onto the device, manipulate sensitive device configurations, and cause the system to shut down.

The devices contain several format string injection vulnerabilities in various functions of their software that could lead to memory corruption, information disclosure and a denial of service. An attacker could send a malicious XML payload to trigger these vulnerabilities. 

There are four other vulnerabilities — TALOS-2022-1567 (CVE-2022-27804), TALOS-2022-1566 (CVE-2022-29472), TALOS-2022-1563 (CVE-2022-32586) and TALOS-2022-1562 (CVE-2022-30603) — that can also lead to code execution, though they require the adversary to send a specially crafted HTTP request rather than XML.  

TALOS-2022-1559 (CVE-2022-33192 - CVE-2022-33195), TALOS-2022-1558 (CVE-2022-33189), TALOS-2022-1557 (CVE-2022-30541) and TALOS-2022-1556 (CVE-2022-32773) are the most serious among the vulnerabilities we discovered, as they have a maximum 10 out of 10 CVSS severity score. An attacker could exploit these vulnerabilities by sending a series of malicious payloads to execute arbitrary system commands with root privileges. 

TALOS-2022-1582 (CVE-2022-35244) can be triggered with a specially crafted XCMD and can lead to memory corruption, information disclosure and denial of service. 

There is also a memory corruption vulnerability, TALOS-2022-1565 (CVE-2022-32574), that is triggered if an attacker sends a malicious, authenticated web request, resulting in a double-free heap corruption and a crash of the device’s software. TALOS-2022-1564 (CVE-2022-32775) is another memory corruption vulnerability triggered via an authenticated web request, but in this case it leads to attacker control of the program counter. 

An HTTP authentication bypass vulnerability — TALOS-2022-1554 (CVE-2022-29477) — could allow an attacker to access several sensitive functions on the device, including triggering a factory reset, simply by setting a particular HTTP header to a hard-coded value. 

TALOS-2022-1552 (CVE-2022-27805) is another authentication bypass vulnerability, this time in a UDP service responsible for handling remote configuration changes, which allows a remote attacker to trigger several sensitive device functions without the proper authentication. This would allow the attacker to manipulate the device in several ways, including disarming the device, reading and writing sensitive configuration values, rebooting the device, enabling the local web interface and changing the local web interface's administrative account username and password. 

Lastly, TALOS-2022-1553 (CVE-2022-29475) could allow an adversary who can execute a man-in-the-middle attack to replay various authorization fields to make sensitive configuration changes to the device without actual knowledge of the device’s password. 

Cisco Talos worked with Abode Systems to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Abode Systems iota All-In-One Security Kit, versions 6.9X and 6.9Z. Talos tested and confirmed these versions of the security kit are affected by these vulnerabilities. 

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60096 - 60099, 60100 - 60106, 60123 - 60126, 60215 - 60217, 60287, 60288, 60309 - 60311 and 60329 - 60336. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. 

The benefits of taking an intent-based approach to detecting Business Email Compromise 

18 October 2022 at 12:00



By Abhishek Singh.

  • BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets.  
  • A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge.  
  • Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit.  
  • Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor’s intent.  
  • The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. 

Business email compromise (BEC) is one of the most financially damaging online crimes. According to the 2021 Internet Crime Report, losses from BEC in 2021 were around 2.4 billion dollars. Since 2013, BEC has caused losses of 43 billion dollars. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds.

This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. Each of these approaches has limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, let’s take a closer look at the commonly used approaches to blocking BEC, from the simplest through machine learning (ML) approaches. 


Policy-based detection 

The first place to start is policy-based detection, as it is one of the most common and simplest approaches to blocking BEC campaigns. Let’s start by looking at an example of a BEC email. 

Here the actor is attempting to impersonate the CEO of an organization, but notice that the email itself comes from a Gmail address, which is obviously not the corporate domain. Threat actors commonly use free email addresses to send BEC emails.  


In a policy-based approach, the names of executives and the email address from which they send emails are kept in a database. For every incoming email, a policy rule is implemented that identifies messages that contain the names of executives in the From field and which originate from outside of the tenant. If the email is not from the email address specified in the database for the executive, an alert for BEC is raised.
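The policy rule described above, as an added example that is not Talos code: an executive directory and tenant domain list stand in for the database, and the sample messages (including the Gmail impersonation case shown earlier and the From/Reply-To mismatch mentioned in the summary) are constructed for illustration.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Dict, List

# Constructed executive directory: normalized display name -> authorized
# sender addresses. A real deployment would keep this in a database.
EXEC_DIRECTORY: Dict[str, List[str]] = {
    "jane doe": ["jane.doe@example-corp.com"],
    "john smith": ["john.smith@example-corp.com", "jsmith@example-corp.com"],
}

# Constructed set of domains that belong to the organization's own tenant.
TENANT_DOMAINS = {"example-corp.com", "mail.example-corp.com"}


@dataclass
class Verdict:
    alert: bool
    impersonated: str = ""          # executive whose name appeared in From
    reasons: List[str] = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_policy(headers: Dict[str, str]) -> Verdict:
    """Policy rule from the article: an executive's name in From combined
    with a sender address that is not the one recorded for that executive
    raises a BEC alert; the reason records whether the message originated
    outside the tenant."""
    display, address = parseaddr(headers.get("From", ""))
    name = normalize_name(display)
    address = address.lower()
    verdict = Verdict(alert=False)

    if name not in EXEC_DIRECTORY:
        return verdict                  # rule only covers listed executives
    verdict.impersonated = name
    authorized = {a.lower() for a in EXEC_DIRECTORY[name]}

    if address not in authorized:
        verdict.alert = True
        if domain_of(address) not in TENANT_DOMAINS:
            verdict.reasons.append(
                "executive name in From but message originates "
                f"outside the tenant ({address})")
        else:
            verdict.reasons.append(
                f"executive name in From but {address} is not the recorded address")
        return verdict

    # Extra signal from the summary: an authorized From paired with a Reply-To
    # that steers replies elsewhere is also treated as BEC.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to not in authorized:
        verdict.alert = True
        verdict.reasons.append(
            f"Reply-To {reply_to} does not match the recorded address")
    return verdict


# Constructed sample messages: only the headers the policy inspects.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Q3 numbers"},
    {"From": "Jane Doe <janedoe.ceo@gmail.com>", "Subject": "Need a wire sent today"},
    {"From": "Jane  Doe <jane.doe@example-corp.com>",
     "Reply-To": "janedoe.ceo@gmail.com", "Subject": "Are you at your desk?"},
    {"From": "Vendor Support <support@vendor-example.net>", "Subject": "Invoice"},
]


def scan(messages: List[Dict[str, str]]) -> List[Verdict]:
    return [check_policy(m) for m in messages]


if __name__ == "__main__":
    for msg, v in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        status = "ALERT" if v.alert else "ok   "
        print(f"{status} {msg['From']}: {'; '.join(v.reasons)}")
```

The directory is the scaling problem the summary points out: every employee an actor might impersonate needs an entry, and a From header with no display name (a bare address) never matches the rule at all.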