Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage

December 10, 2019, 10:41 am

≫ Next: Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP

≪ Previous: Vulnerability Spotlight: Multiple vulnerabilities in LEADTOOLS software

$

0

0

By Jon Munshaw.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical.

This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Critical vulnerabilities

Microsoft disclosed two critical vulnerabilities this month, both of which we will highlight below.

CVE-2019-1468 is a remote code execution vulnerability in the Windows font library that exists due to the library improperly handling some embedded fonts. An attacker could exploit this bug by using a specially crafted, malicious embedded font on a web page, and then trick the user into visiting that web page. Alternatively, a user would need to open a specially crafted font file on their machine.

CVE-2019-1471 is a remote code execution vulnerability in the Hyper-V hypervisor. Hyper-V can sometimes fail to properly validate input from an authenticated user on a guest operating system. An attacker could exploit this vulnerability by running a specially crafted application on a guest OS, which would cause the Hyper-V host OS to execute arbitrary code on the host operating system.

Important vulnerabilities

This release also contains 23 important vulnerabilities, three of which we will highlight below.

CVE-2019-1458 is an elevation of privilege vulnerability in Windows' Win32k component. An attacker could exploit this vulnerability by logging onto a system, then running a specially crafted application that would allow them to take complete control of the system and execute arbitrary code in kernel mode. Microsoft reports that this vulnerability has been used in the wild.

CVE-2019-1469 is an information disclosure vulnerability in Windows that arises when the win32k component fails to provide kernel information. An attacker could exploit this vulnerability to obtain uninitialized memory and kernel memory, which could then be used in additional attacks.

CVE-2019-1485 is a remote code execution vulnerability in the VBscript engine. An attacker could exploit this vulnerability to corrupt memory of the affected system in a way that would allow them to execute arbitrary code in the context of the current user. To trigger this vulnerability, a user would have to visit a malicious, specially crafted website in the Internet Explorer web browser. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that utilizes Internet Explorer's rendering engine, and then trick the user into opening that file.

The other important vulnerabilities are:

• CVE-2019-1332
• CVE-2019-1400
• CVE-2019-1453
• CVE-2019-1461
• CVE-2019-1462
• CVE-2019-1463
• CVE-2019-1464
• CVE-2019-1465
• CVE-2019-1466
• CVE-2019-1467
• CVE-2019-1470
• CVE-2019-1472
• CVE-2019-1474
• CVE-2019-1476
• CVE-2019-1477
• CVE-2019-1478
• CVE-2019-1480
• CVE-2019-1481
• CVE-2019-1483
• CVE-2019-1484

Coverage 

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

These rules are: 52402, 52403, 52410, 52411, 52419, 52420

---

Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP

December 10, 2019, 11:46 am

≫ Next: Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader

≪ Previous: Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage

$

0

0

A Cisco Talos researcher discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered two issues in two implementations of Microsoft Remote Desktop Services: a denial-of-service vulnerability that affects Windows 7/Windows Server 2008 (when RDP 8.0 is enabled), Windows 8/Server 2012, and Windows 10/Server 2016. The Remote Desktop Protocol is used by Remote Desktop Services in order to allow a user or administrator to take control of a remote machine via a network connection. The denial-of-service vulnerability exists after the connection setup when one is able to perform the license exchange, and the information leak vulnerabilities exist during the connection setup of the process where the client and the server negotiate various aspects relevant to the session  They could be exploited by an attacker to cause a denial of service or leak information, respectively. Microsoft disclosed these issues as part of December’s Patch Tuesday. For more on the company’s latest security updates, check out Talos’ full blog here, and our Snort coverage here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. Microsoft is providing a patch for all of the affected versions of Windows with regards to the denial of service vulnerability but has declined to provide a patch for the Windows XP vulnerability due to the fact that it is out of support. It is recommended that users of Windows XP upgrade to a more recent operating system.

Vulnerability details

Microsoft Remote Desktop Services (RDP8) license negotiation denial-of-service vulnerability (TALOS-2019-0901/CVE-2019-1453)

An exploitable denial-of-service vulnerability exists in the RDP8 implementation of Microsoft's Remote Desktop Services. A certain component of license negotiation can allow a remote client to read an arbitrary amount of memory that is controlled by the client. Due to this, a client can coerce the component to either make a repeatable controlled allocation or read from memory that is unmapped, resulting in a denial-of-service condition. An attacker can negotiate capabilities and then send a particular packet type in order to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Remote Desktop Services (RDP7) Windows XP multiple information leak vulnerabilities (TALOS-2019-0895/CVE-2019-1489)

Exploitable information leak vulnerabilities exist in the RDP7 implementation of Microsoft's Remote Desktop Services on Windows XP. Various aspects of the T.128 protocol, such as capability negotiation, can cause an information leak, which can provide an attacker with information about the target's address-space. An attacker can trigger these vulnerabilities by simply negotiating capabilities with the target via T.128 and examining the data that is returned.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Microsoft's Remote Desktop Services running on Windows 7 RdpCoreTS.dll, version 6.2.9200.22828, is affected by TALOS-2019-0901. TALOS-2019-0895 affects RDP on Windows XP only, running RDPWD.sys 5.1.2600.5512 and termdd.sys 5.1.2600.5512.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 51649

Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader

December 10, 2019, 11:48 am

≫ Next: Vulnerability Spotlight: Denial-of-service vulnerabilities in Linux kernel, W1.fi

≪ Previous: Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP

$

0

0

Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information leak vulnerability in Adobe Acrobat Reader DC. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted, malicious PDF, likely either via an email attachment or embedded on a web page. Adobe Acrobat Reader DC supports embedded JavaScript code in the PDF to allow for interactive PDF forms. This vulnerability specifically exists in the way Acrobat processes JavaScript.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC JavaScript gotoNamedDest information leak vulnerability (TALOS-2019-0947/CVE-2019-16463)

A specific JavaScript code embedded in a PDF file can lead to an information leak when opening a PDF document in Adobe Acrobat Reader DC, version 2019.021.20048. With careful memory manipulation, this can lead to sensitive information being disclosed, which could be abused when exploiting another vulnerability to bypass mitigations. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC, version 2019.021.20048 is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52097, 52098

Vulnerability Spotlight: Denial-of-service vulnerabilities in Linux kernel, W1.fi

December 11, 2019, 9:18 am

≫ Next: Vulnerability Spotlight: Kakadu Software SDK ATK marker code execution vulnerability

≪ Previous: Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader

$

0

0

Mitchell Frank and Mark Leonard of Cisco discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two denial-of-service vulnerabilities in the open-source program W1.fi. Both of these vulnerabilities target hostapd. One could allow an attacker to forge authentication requests, while another could trigger a deauthentication, both resulting in a denial of service.

In accordance with our coordinated disclosure policy, Cisco Talos worked with the manager of W1.fi to ensure that these issues are resolved and that an update is available for affected customers. TALOS-2019-0849 relates to TALOS-2019-0900, a denial-of-service vulnerability in the Linux kernel. Linux has also released an update to address that vulnerability, which makes more versions of Linux besides the mainline one safe from these vulnerabilities.

Vulnerability details

W1.fi hostapd CAM table denial-of-service vulnerability (TALOS-2019-0849/CVE-2019-5061)

An exploitable denial-of-service vulnerability exists in hostapd version 2.6. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

W1.fi hostapd deauthentication denial-of-service vulnerability (TALOS-2019-0850/CVE-2019-5062)

An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.

Read the complete vulnerability advisory here for additional information.

Linux kernel CAM table denial-of-service vulnerability (TALOS-2019-0900/CVE-2019-5108)

An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that TALOS-2019-0849 affects hostapd version 2.6 and Ubiquiti AP-AC-Pro firmware 4.0.10.9653. TALOS-2019-0850 affects hostapd version 2.6 when running on a Raspberry Pi. TALOS-2019-0900 affects versions 4.14.98-v7 and higher of the Linux operating system.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 50516

Vulnerability Spotlight: Kakadu Software SDK ATK marker code execution vulnerability

December 11, 2019, 9:21 am

≫ Next: Vulnerability Spotlight: Apple Safari SVG marker element baseVal remote code execution vulnerability

≪ Previous: Vulnerability Spotlight: Denial-of-service vulnerabilities in Linux kernel, W1.fi

$

0

0

Aleksandar Nikolic and Emmanuel Tacheau of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Kakadu Software’s SDK contains an exploitable heap overflow. Kakadu serves as a framework for developers to create a variety of commercial and non-commercial applications. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted, malicious jp2 file to cause a heap overflow, which could then allow them to remotely execute code on the server.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Kakadu to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Kakadu Software SDK ATK marker code execution vulnerability (TALOS-2019-0933/CVE-2019-5144)

An exploitable heap underflow vulnerability exists in the `derive_taps_and_gains` function in `kdu_v7ar.dll` of Kakadu Software SDK 7.10.2. A specially crafted jp2 file can cause a heap overflow, which can result in remote code execution. An attacker could provide a malformed file to the victim to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Kakadu Software SDK 7.10.2 running on Windows is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52020, 52021

Vulnerability Spotlight: Apple Safari SVG marker element baseVal remote code execution vulnerability

December 11, 2019, 9:26 am

≫ Next: Talos Vulnerability Discovery Year in Review — 2019

≪ Previous: Vulnerability Spotlight: Kakadu Software SDK ATK marker code execution vulnerability

$

0

0

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Apple’s Safari web browser is open to a remote code execution vulnerability via its SVG marker element feature inside the Safari WebKit. Safari uses the WebCore DOM rendering system in WebKit. Rendering engine allows overwriting of the static SVG marker element using JavaScript code which results in memory corruption. An attacker needs to trick the user into opening this web browser in Safari in order to exploit this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Apple Safari SVG marker element baseVale remote code execution vulnerability (TALOS-2019-0943/CVE-2019-8846)

A freed memory access vulnerability exists in the SVG Marker Element feature of Apple Safari's WebKit, version 13.0.2. A specially crafted HTML web page can cause a use after free, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, a specifically crafted HTML web page needs to be opened in the browser.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 13.01.2 (15608.2.30.1.1) of Safari utilizing WebKit GIT 497221ef6a94f0603c1e8c4207094fc50e8ccf2a is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52048, 52049

Talos Vulnerability Discovery Year in Review — 2019

December 11, 2019, 11:02 am

≫ Next: Threat Source newsletter (Dec. 12, 2019)

≪ Previous: Vulnerability Spotlight: Apple Safari SVG marker element baseVal remote code execution vulnerability

$

0

0

By Martin Zeiser.

Cisco Talos' Systems Security Research Team investigates software, operating system, IoT and ICS vulnerabilities to make sure we find vulnerabilities before the bad guys do.

We provide this information to the affected vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone.

After these patches become available, the Talos detection content becomes public, as well. Talos regularly releases Vulnerability Spotlights and in-depth analyses of vulnerabilities discovered by us. You can find all of the release information via the Talos vulnerability information pagehere.

Philosophy

The focus of our work is to make sure our customers and their data stay safe. No matter the vulnerability we uncover, we contact and work closely with the software vendor to quickly and responsibly close any attack vectors we find. Our coordinated disclosure policy outlined below ensures the best possible approach to arrive at this goal.

Timeline of actions to be taken by Cisco:

When it comes to closing security vulnerabilities before the bad guys exploit them, our track record proves our dedication to improving the security of our customers as well as the community. In fiscal year 2019, we published 228 advisories resulting in 237 CVEs, in a wide range of software including operating systems, internet-of-things devices, Microsoft Ofice products, PDF readers and more. This translates to almost one vulnerability discovered per working day in the last year.

Vulnerabilities discovered as percentage of total 2017, 2018, 2019 (August – July)

While we do our best to increase coverage and thus the overall security of the Internet, bulletproof software just doesn't exist. Even vendors with large security teams make mistakes, and many don't even have those. In the end, this just means one cannot fully trust the devices on the network.

Some of our highlights from the past year:

• Multiple vulnerabilities in major PDF apps, including Adobe PDF, Foxit PDF, NitroPDF, Aspose PDF, Rainbow PDF and Google PDFium.
• Multiple vulnerabilities in each of these IoT/ICS devices: Google Nest Cam, Netgear N300 and the Nighthawk, Cujo Smart Firewalls.
• Multiple vulnerabilities in graphics drivers from Intel, Nvidia, AMD and Apple.
• More than 22 vulnerabilities in Schneider Modicon.
• Eleven vulnerabilities in Sierra Wireless 4G Gateway.
• Multiple vulnerabilities in various network routers, including from Linksys, TP-Link and Netgear.
• Various vulnerabilities in VMWare, Google V8, Windows and endpoint protection tools.

Below is a breakdown of the amount of advisories we created grouped by product categories in 2019:

Advisories by product category in 2019

Conclusion

Talos' vulnerability research is all about closing attack vectors in software or products before malicious attackers find ways to exploit them. Working closely with vendors all over the planet, our coordinated disclosure policy ensures the best possible protection for our customers, while detection rules based on our work provide coverage where patches cannot help or have not yet been provided by a vendor. This approach has been securing networks for years now, while improving constantly, for the best possible protection and a more immune Internet.

For vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portalhere.

To review our Vulnerability Disclosure Policy, please visit this sitehere.

Threat Source newsletter (Dec. 12, 2019)

December 12, 2019, 11:00 am

≫ Next: Threat Roundup for December 6 to December 13

≪ Previous: Talos Vulnerability Discovery Year in Review — 2019

$

0

0

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re entering our Year in Review period. Now’s the time to look back on the top stories from 2019 and think about what we learned.

In the vulnerability space, Talos researchers were just as busy as always. We disclosed more than one vulnerability per working day this year, many of which were in internet-of-things and ICS devices. For more on what we can take away from the year in vulnerability disclosures, check out our post here.

Speaking of vulnerabilities, we had many more to add to the yearly count this week. There’s too many to name here, but some highlights include a remote code execution bug in Apple’s Safari web browser and a denial-of-service in the Linux kernel.

Microsoft also disclosed its own set of vulnerabilities as part of the last Patch Tuesday of 2019. Check out our breakdown of the most notable bugs here and our Snort rules to protect against exploitation of them here. Talos discovered two of the bugs patched this month, both in Windows Remote Desktop Protocol in older versions of Windows.

Cyber Security Week in Review

• Adobe released its monthly security update Tuesday, fixing 14 critical vulnerabilities across its suite of products. Among the bugs disclosed are 14 critical vulnerabilities in Adobe Acrobat Reader. 
• A series of news reports this week revealed Ring security cameras are open to serious exploits. In Florida, an attacker took over a Ring’s speaker and shouted racial slurs at the owners. And in Tennessee, another man took over a family’s device after only owning it for four days, potentially spying on three young girls and talking to one of them, saying he was santa. 
• A new report from the U.S. National Infrastructure Advisory Council warned the White House that a cyber attack on America’s infrastructure poses an “existential threat” to the country. The group also urged U.S. President Donald Trump to take “bold action” to protect ICS systems. 
• A new decryptor from the makers of the Ryuk ransomware may actually damage larger files. The program is meant to help a victim recover their files after paying the proposed ransom. 
• The new “Snatch” ransomware evades detection by rebooting Windows machines mid-infection. The malware forces the victim machine to boot in safe mode, and then begin the encryption process. 
• The city of Pensacola, Florida continues to recover from a ransomware attack, just days after a shooting at a local military base. The city’s phone lines, some email services and other online platforms were still down as of Thursday. 
• Iran says it fended off a large cyber attack on unspecified “electronic infrastructure.” One government official said he could not provide specific details on the malware, but called the threat actors “very organized” and “governmental.” 
• U.S. President Donald Trump says he discussed election security with Russian officials during a private meeting this week. Russian Foreign Minister Sergei Lavrov said in a press conference after the meeting Russia has wanted to publish information that would allegedly clear it of any wrongdoing during the 2016 U.S. presidential election, but the U.S. has blocked that release. 
• Apple released the newest version of iOS this week, which provides new security features for Safari. The mobile version of the web browser now supports NFC, USB and Lightning-complaint keys so users don’t have to rely only on passwords. 
• A new feature in Google Chrome will alert users if their login credentials were exposed in a data breach. Each time the user logs into a site using the browser, it will check those credentials against a database of known leaked information.

Notable recent security issues

Title: Microsoft discloses two critical bugs as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical. This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.
Snort SIDs: 52402, 52403, 52410, 52411, 52419, 52420

Title: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability
Description: Cisco Talos recently discovered a denial-of-service vulnerability in a specific DLL inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest usermode to cause an out-of-bounds memory read on vmware-vmx.exe process on host, or theoretically through WEBGL.
Snort SIDs: 51461, 51462 (By Tim Muniz)

Most prevalent malware files this week

SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b
MD5: 42143a53581e0304b08f61c2ef8032d7
Typical Filename: myfile.exe
Claimed Product: N/A
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin 
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

---

Threat Roundup for December 6 to December 13

December 13, 2019, 10:03 am

≫ Next: Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200

≪ Previous: Threat Source newsletter (Dec. 12, 2019)

$

0

0

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 6 and Dec. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Doc.Downloader.Emotet-7446804-0	Downloader	Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Razy-7434602-0	Packed	Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Packed.DarkComet-7433889-1	Packed	DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Trojan.Gamarue-7440316-0	Trojan	Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Dropper.Fareit-7431743-0	Dropper	The Fareit trojan is primarily an information stealer with the ability to download and install other malware.
Win.Dropper.Tofsee-7440661-0	Dropper	Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Ransomware.Cerber-7432369-1	Ransomware	Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Trojan.ZeroAccess-7432508-1	Trojan	ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.

---

Threat Breakdown

Doc.Downloader.Emotet-7446804-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyServer	7
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyOverride	7
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoConfigURL	7
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoDetect	7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA	7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Type	7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Start	7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ErrorControl	7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ImagePath	7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: DisplayName	7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: WOW64	7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ObjectName	7
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}	1
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0	1
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\FLAGS	1
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\0	1
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\0\WIN32	1
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\HELPDIR	1
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}	1
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0	1
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\FLAGS	1
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\0	1
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\0\WIN32	1
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\2.0\HELPDIR	1

Mutexes	Occurrences
Global\I98B68E3C	7
Global\M98B68E3C	7

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
100[.]107[.]68[.]85	9
100[.]79[.]88[.]70	9
100[.]94[.]136[.]45	9
100[.]90[.]27[.]84	9
100[.]112[.]60[.]67	9
91[.]74[.]175[.]46	7
205[.]144[.]171[.]176	7
77[.]90[.]136[.]129	4
173[.]255[.]214[.]126	4
96[.]38[.]234[.]10	3
173[.]194[.]175[.]108	2
82[.]223[.]190[.]138	2
217[.]116[.]0[.]237	2
103[.]6[.]198[.]100	2
54[.]88[.]144[.]211	2
212[.]227[.]15[.]142	2
217[.]116[.]0[.]228	2
62[.]149[.]128[.]210	2
62[.]149[.]152[.]151	2
52[.]96[.]62[.]226	2
185[.]102[.]40[.]53	2
83[.]219[.]92[.]20	2
196[.]44[.]176[.]42	2
41[.]190[.]32[.]8	2
62[.]149[.]152[.]152	2

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
www[.]4celia[.]com	16
travalogo[.]com	9
miracles-of-quran[.]com	9
capsaciphone[.]com	9
essay[.]essaytutors[.]net	9
smtp[.]secureserver[.]net	2
pop[.]secureserver[.]net	2
mail[.]secureserver[.]net	2
secure[.]emailsrvr[.]com	2
outlook[.]office365[.]com	2
smtp[.]263[.]net	2
smtp[.]aruba[.]it	2
securepop[.]t-online[.]de	2
mail[.]eim[.]ae	2
exmail[.]emirates[.]net[.]ae	2
mail[.]pec[.]aruba[.]it	2
p02-imap[.]mail[.]me[.]com	2
mbox[.]cert[.]legalmail[.]it	2
smtp[.]pec[.]aruba[.]it	2
pop3s[.]pec[.]aruba[.]it	2
pop[.]pec[.]istruzione[.]it	2
pop3[.]itevelesa[.]com	2
smtp[.]mweb[.]co[.]zw	2
mail[.]eitelux[.]es	2
pop[.]realperfil[.]com[.]br	2

*See JSON for more IOCs

Files and or directories created	Occurrences
%HOMEPATH%\245.exe	16
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	7
%TEMP%\CVRA52.tmp	1

File Hashes

1de08bdcceee9ce5642c85db384163a76e4de953c2e625c944ef1b087c483f4b 24b7af440ef4ac270373b6f5c9514885a3224c046b73cf8ad2f1f43012b2ab79 2b5e8a119ff94422a9b5213562ea161306d91d255b13e8840b8c6e405ca767ca 342e32ccf662f9fdae9df6d332382b5332fd41f47ae970c42197100ccc29bdb2 3c790759a0f56659200ee93697ec8fef684ac4e241545c7e82399cbe5128ce12 47b2096a5d64d83ce0216c4b577d40567e51bdfb7456f2642dbe2222d0fc9ac9 4810b72b5ce022be0b50fb4cc530fa10f8d4351d66c6384eb86ca6a714f697b1 713407b0e97009b83eb112b7c22588ddf4ccc8418fd548ffe8dded8774698894 902d50419ed4b29f175944cd6d1f59d1b06a26b9a659cd04d282c3685cc478d6 adc96e8b0fdb5d977111b124c655a1821d5c9c0810207aaa82ccb5bacc0c6698 b512845fd39f154b9208e59762e4f136838ca52666e4ca598a3e99c90d332061 c5ea35ff71f952e64d69779eb8dfe98d0a8a77f727fae139a66125ad76c3526f cb03c4ba3c52376950f5924ac4491ddb0afff6e5c5d5d2f1512e042c8116ff2a cb33e2134b2670a581eaefc1b800721a0c49e96441027948463c32db39e75fbb ccba54f7ed9d278c4b0cf8a2b8f5f33d3410349d3fae416fb69388f15874f84d deb94515bf4c10daa7c26a3c0fa8ed837ee3ad54176a9d4d3d1b5c6230a2447c

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

---

Win.Packed.Razy-7434602-0

Indicators of Compromise

Mutexes	Occurrences
frenchy_shellcode_006	10
Startup_shellcode_006	10
Global\{b0cec92d-4b6c-4178-94fb-bf6cc1add43d}	10

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
107[.]172[.]83[.]151	10

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
dec8973[.]duckdns[.]org	10

Files and or directories created	Occurrences
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5	10
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs	10
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator	10
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat	10
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	10
%HOMEPATH%\ophan.exe	10

File Hashes

02252b22b7b50a36851f97a612057c61a8aeed4a2d7cc18258fe2ba6d70fe6a5 147eace098585f42a45f6a1cabeb4885f47038f1da2e8dbf700795b7f5176165 472334c6964fa75128a812e1f819693c4a3b19d43466fb01e88d16a04366487b 5928dd708f5190db002c2ac530f61b994ef6667e59894ae7f085296e451cb06d 59ef7cbae939ff16e921afa54d76b2ed960a7c982fd1b41b318e2e840fa67690 8f5d1ed403153ce043daabd92c15452f01142a829ebaa0530a690ca7bf16d8b1 9708566442ccfc689c110efa436095f21a6d2e15ab1a5a5d5bf35d9ce1063768 a9844ac5e8f56a958e42500b31d6e902120d385f373599eeafc9d4316c6ff2e7 c7b1a3495bb7fb1f8f4016952f6ee68873bd6d4c39468602bc97e59eb8cc9177 d9e7d0ae7bacf011c0abfee024872bb7662b06b4f5faa87efc8eccb7ad02a633

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

---

Win.Packed.DarkComet-7433889-1

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC	13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN	6
<HKCU>\SOFTWARE\DC3_FEXEC Value Name: 12/6/2019 at 1:01:19 PM	4
<HKCU>\SOFTWARE\DC3_FEXEC Value Name: 12/6/2019 at 1:01:20 PM	4
<HKCU>\SOFTWARE\DC3_FEXEC Value Name: 12/6/2019 at 1:01:18 PM	3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MicroUpdate	3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: UserInit	3
<HKCU>\HKEY_CURRENT_USER	2
<HKCU>\HKEY_CURRENT_USER\SOFTWARE	2
<HKCU>\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT	2
<HKCU>\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\ACTIVE SETUP	2
<HKCU>\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS	2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Java Updater 12.02.3	2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: Java Updater	2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: Load	2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: IE Per-User Initialization utility	2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: IE Per-User Initialization utility	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit	2
<HKCU>\SOFTWARE\DC3_FEXEC Value Name: 12/6/2019 at 1:01:24 PM	2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: EnableFirewall	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DisableNotifications	1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusDisableNotify	1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesDisableNotify	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start	1

Mutexes	Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}>	12
DCPERSFWBP	4
Paint	1
Administrator5	1
zRfBoxVQtvcwCKzfoomrPWdIUUjnqiHWPygjEgky	1
cbebf6a3c30e189f1791a07b91284eaf	1
UNwehCeiwHcpcPqMLnVm	1
Global\c8760b20-185a-11ea-a007-00501e3ae7b5	1
wHcpcPqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKq	1
yzxDnuCSssIxBsSuZXFtOFvJTDCppRZlOhNkDPDB	1
NSaQvFFEJfmtYlkBEHyXmfPxzUwCPMuIhhJReGZF	1
IRojNPvPVdSxHIGLipwanmDHJBaphSzCXzESOwLj	1
orHcdnwrVlEYrlbHQQOTFxFjvvLPSKixqaILfIMa	1
myCQlnwHCfuNhBukQZZY	1
Global\c923cf81-185a-11ea-a007-00501e3ae7b5	1
uoHEavVNJUlBWJTqlPRxRXfUzJKINkqxcpoFJLDc	1
bQvFGEJgmtYlkBFHyYnfQxzUwCPMuIhhJSeGaFdv	1
JwuoGEavUaWilBWXgqlPew	1
HusmFCYuTZVgjyUVfojNcvPidSxHIGLvpwan	1
xXXyHTvPuSkKkvpIrOxJOL	1
vkhbtqNjIOKVZnJLUdYCSkFYSInwwvzlelQcc	1
iRfFFfoBdwczSrSdXpZvfpvrEUjqsCZUxzgmGOEj	1
Global\f44dbcc0-185a-11ea-a007-00501e3ae7b5	1
QXCcOehkcBeJsodxoboyhhVHiFRfNeQUu	1
ewtQmLRNYbqMNXgbFVnIbVLqyzxDoho	1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
78[.]159[.]135[.]230	4
94[.]73[.]36[.]254	2
104[.]16[.]155[.]36	1
94[.]73[.]32[.]235	1
94[.]73[.]33[.]36	1
173[.]194[.]175[.]108/31	1
54[.]231[.]48[.]43	1
109[.]220[.]205[.]220	1
90[.]197[.]55[.]134	1
25[.]109[.]69[.]178	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
simond[.]zapto[.]org	4
laloutrecam[.]no-ip[.]org	2
botofvps[.]no-ip[.]biz	2
whatismyipaddress[.]com	1
s3-1[.]amazonaws[.]com	1
s3[.]amazonaws[.]com	1
zcitizen[.]no-ip[.]org	1
server-49[.]sytes[.]net	1
bbdl[.]ddns[.]net	1
who-is[.]ddns[.]net	1
update[.]imagineyourcraft[.]fr	1
123[.]105[.]12[.]0[.]in-addr[.]arpa	1
alaka[.]no-ip[.]biz	1

Files and or directories created	Occurrences
%APPDATA%\dclogs	11
%TEMP%\AdobeARM.exe	10
%TEMP%\resman.exe	7
%TEMP%\dw.log	4
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp	4
%TEMP%\<random, matching '[a-z]{4,9}'>.exe	4
%HOMEPATH%\My Documents\MSDCSC\msdcsc.exe	3
%HOMEPATH%\Documents\MSDCSC	3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe	3
%APPDATA%\pid.txt	2
%APPDATA%\pidloc.txt	2
%TEMP%\garrys mod robot.jpg	2
%TEMP%\holderwb.txt	1
\Paint	1
%ProgramFiles%\Java\jre8\bin\rmiregistry.exe	1
%ProgramFiles%\Java\jre8\bin\servertool.exe	1
%ProgramFiles%\Java\jre8\bin\tnameserv.exe	1
%ProgramFiles%\Java\jre8\bin\unpack200.exe	1
%ProgramFiles%\Java\jre8\bin\vjava.ico	1
%ProgramFiles%\Java\jre8\bin\vjavacpl.ico	1
%ProgramFiles%\Java\jre8\bin\vjavaw.ico	1
%ProgramFiles%\Java\jre8\bin\vjavaws.ico	1
%ProgramFiles%\Microsoft Silverlight\5.1.30514.0\coregen.exe	1
%ProgramFiles%\Microsoft Silverlight\vsllauncher.ico	1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk	1

*See JSON for more IOCs

File Hashes

2d6da6399671b08e28a10df9bcf76061f4c98a1f65202fb0dffccd918a5554fc 3a7644b928b85c1e448fe7bb7ddf51056e63f49b9455aae7b2e38fb179559066 6001c594a9e3454fb9359b140dc22e106c5946c323029783e9f122ec285e0c65 79a1576d14b171ce34915fe40b021f73a9d607c2ada2be53e335f330b6cb858f 879c8524b93f3699c02ca366b15677c03df4d5e4e8ba03b43907618adde5627f 908792a782735eb16c229b3b2648c8ea22348a2d378d428d4798fbb21cdca541 918928629a8e0059e82aaa4fe2f226f66a334ead2b8f85dd8eef6e5d288325dc 92729ba8ef8eabfc9b4e88443d94fba225c6a643871fddfc6bf9d8d173d4c7f6 a0f6ffb10dd497d92d870642f2ba86639b170486cbaead79d0a82bd2d7e5edf3 a1999cf773b35ebab2b29acc4d0c0fe92de4bea83e4ee118a2b9a2474b19956c af47feb292bf865a7d0fbf2a8da31f8d04b38c759f5850ef3510a5f2ecaedae1 b1a9a49194c72fe92df017167c753625a80173c81b8a17cb1b20c84093d10c02 bb7b89751f70e99fe62c1edaba821bb95dfab8b0c6d268b845f3f936f09113df bc49d905ffd3203d51e3684755fd2412fdc75ee977350da40db2cae357419bd9 bd9e2ff72624901bf190a22ba2a9419395024d280e7f9d140918ffaecf96065a de59098d7862ae86da6c3159093f1afd4aa72dfc7f6b2826e270e94b272fb7fb df237e6044ad335081f455ce70e0288453ce74c371016def916462e0d93d124e e8f164fe292feef26582e9af9d8e0fec11768a72fcb2202af7180a5a8efa46fa f893532e35d7503e3685c70aaf7a23ce371acc1d0e3779297aba47ae65e9e949

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

Malware

---

Win.Trojan.Gamarue-7440316-0

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {77E00C05-FC14-92FB-C64D-2FAE1577C98A}	8
<HKCR>\CLSID\{B1D503C8-F3D9-54CE-C64D-2FAE1577C98A}	8
<HKCR>\CLSID\{EBF02436-D427-0EEB-C64D-2FAE1577C98A}	8
<HKCR>\CLSID\{EBF02436-D427-0EEB-C64D-2FAE1577C98A}	8

Mutexes	Occurrences
Santiv18	8

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
217[.]23[.]1[.]27	8
212[.]8[.]242[.]104	8

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
v1[.]eakalra[.]ru	8
v1[.]op17[.]ru	8

Files and or directories created	Occurrences
%ProgramData%\{DA12294E-A996-195C-0CAA-A4200A7998ED}\77adf9d1.exe	8
%SystemRoot%\Tasks\{4602017E-81A6-854C-0CAA-A4200A7998ED}.job	8
\{c78b9d89-a44c-8958-2fb4-20d7a387d6e3}\a7c25200-afe3-483f-5c47-c10c3cf1e73a.exe	8
%ProgramData%\{EBF02435-D424-0EEB-C64D-2FAE1577C98A}	8
E:\{c78b9d89-a44c-8958-2fb4-20d7a387d6e3}	8
E:\{c78b9d89-a44c-8958-2fb4-20d7a387d6e3}\a7c25200-afe3-483f-5c47-c10c3cf1e73a.exe	8
%ProgramData%\{EBF02435-D424-0EEB-C64D-2FAE1577C98A}\464ff4aa.exe	8
%System32%\Tasks\{77E00C05-FC14-92FB-C64D-2FAE1577C98A}	8
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\779425.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\743768.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\888608.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\577671.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\898551.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\569993.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\281727.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\469268.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\502020.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\569087.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\630040.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\825247.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\400602.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\445144.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\223566.exe	1
%ProgramData%\{D73F619F-E147-1471-0CAA-A4200A7998ED}\688135.exe	1

File Hashes

0c56ea50a45505f406a4feddcb3b4c055c0d52ca1aa4ca7d8254267fe1e75e52 0f4e733dcf95c9b026b2a081c0bc8883bdcdf8799a31ae2afff8aa12fa980c3f 46e382dadb24dc1dfd6c5ff7faeb088d56a70150ec44015a8370900251b3024e 86251f8acfcf6f5adb20ef8cfb4def27ff42b8248aae488f3a4d3650dda87364 8ffb2571c279e05205e55b169d306f54a574a73c596475f0738593c34dfbb3be 900547463b112df48191a8a950a7375be9c20fb33de917bf5af6d31aa5e5b700 943bdb5be04e4dd27ebf28532a8639eafd6dc7df5e471f733697220a1aee9c93 ab2d58efd6a9c50bfab5b0143009dc25ab0f92d7a9d7bcad39f4edbf1ff6b835 b291fe03d64db56f2dbd01d71364ed39b2a7b83b61161673bea57ab33c27c7e8 bf1a4d2ab6c500f55a8e5d8e9667fc6bfce7cdbd79b2bf9ebbf7a1392ff3956e c865ae6939ddc9a42481a4f2d410a928f11837e807dbd8d6dad867c13b58019e ca47206563a8eb9e402d5f5f957e15bf73d6193985281c38127cc2cdd63bcb64 cf5e15aa7027ca86fc3ad768f1684fd619f367c521231970db5a3024230b34f1

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Dropper.Fareit-7431743-0

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\SOFTWARE\WINRAR	10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: WindowsMonitorConfigs32	10
<HKCU>\SOFTWARE\WINRAR Value Name: HWID	10
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 Value Name: F	10
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 Value Name: F	10
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC Value Name: F	10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS Value Name: WindowsMonitorConfigs	10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS Value Name: WindowsMonitorConfigs32	10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORKLIST\NLA\CACHE\INTRANET Value Name: {9EB90D23-C5F9-4104-85A8-47DD7F6C4070}	7

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
37[.]10[.]116[.]208	10

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
loqapeek[.]pw	10
xistoons[.]pw	10

Files and or directories created	Occurrences
%APPDATA%\SystemDriversReserved	10
%APPDATA%\SystemDriversReserved\rynuqeny.exe	1
%APPDATA%\SystemDriversReserved\filarifi.exe	1
%APPDATA%\SystemDriversReserved\miqonagy.exe	1
%APPDATA%\SystemDriversReserved\xuminazy.exe	1
%APPDATA%\SystemDriversReserved\qeremuvu.exe	1
%APPDATA%\SystemDriversReserved\vywivama.exe	1
%APPDATA%\SystemDriversReserved\cuzuluqa.exe	1
%APPDATA%\SystemDriversReserved\dufenuxu.exe	1
%APPDATA%\SystemDriversReserved\cutypiwu.exe	1
%APPDATA%\SystemDriversReserved\rikicuzo.exe	1
%APPDATA%\SystemDriversReserved\tihupono.exe	1
%APPDATA%\SystemDriversReserved\xomytevu.exe	1
%APPDATA%\SystemDriversReserved\xotadyry.exe	1
%APPDATA%\SystemDriversReserved\zytecufo.exe	1
%APPDATA%\SystemDriversReserved\myciloby.exe	1
%APPDATA%\SystemDriversReserved\kebyqyha.exe	1
%APPDATA%\SystemDriversReserved\fufolely.exe	1
%APPDATA%\SystemDriversReserved\rysopyly.exe	1
%APPDATA%\SystemDriversReserved\zazanyge.exe	1
%APPDATA%\SystemDriversReserved\niwalefu.exe	1

File Hashes

10491d1ce14e3c36f1ff822ff1053604043836d94925de6054482c9ae4673359 15901d3d72c05adea149a9b23a03240e84827ee199119beca4bae58d0f2cf292 28495c8cd716b9047bbdecdeb9acb5883a57dcb887db0aa10d72345c25cccf01 2afda0e3c48ea37e936b0ef7d7efbfc5a6e487f1dee0dd89ec83cba2c054ddd0 31f651b56867fe2a75041c5c053977414f33285d1a8294875ef4082269103f59 4629248f320c9fd7d3b2d9b01e3b0e705a07c52ed8c40baa63395ae95b4e6e43 91a2d95ddf43ee9a47c0b2f781d9aa6752ada642cbd826fc8c0ec2c31932870d b831abbd0734bcd7cf2262400d70c32b5909d3a38044327b841b5f05cba93567 d27a710d945ee916fa7ab557e3a360f907d06ca37c34aff86133074ddfed9090 ee3cf9966f84454415d0dda42e29ccf65e14f964daef8233077c2509aa84b305

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Dropper.Tofsee-7440661-0

Indicators of Compromise

Registry Keys	Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES	2
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0	2
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1	2
<HKCU>\SOFTWARE\MICROSOFT\IAM Value Name: Server ID	1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\kdrxwekz	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: Type	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: Start	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: ErrorControl	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: DisplayName	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: WOW64	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: ObjectName	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ Value Name: Description	1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\piwcbjpe	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: Type	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: Start	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: ErrorControl	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: DisplayName	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: WOW64	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: ObjectName	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE Value Name: Description	1
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3	1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 Value Name: apiMPQEC	1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5	1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE	1

Mutexes	Occurrences
Global\syncronize_URN0LVA	2
Global\syncronize_URN0LVU	2
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A	1
Global\9776ba01-1ac7-11ea-a007-00501e3ae7b5	1
Global\990ba241-1ac7-11ea-a007-00501e3ae7b5	1
Global\95700cc1-1ac7-11ea-a007-00501e3ae7b5	1
{<random GUID>}	1
Local\{<random GUID>}	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
69[.]55[.]5[.]250	2
13[.]107[.]21[.]200	2
43[.]231[.]4[.]7	2
104[.]47[.]54[.]36	2
172[.]217[.]7[.]164	2
85[.]114[.]134[.]88	2
172[.]217[.]12[.]164/31	2
68[.]178[.]213[.]37	1
94[.]100[.]180[.]104	1
93[.]158[.]134[.]89	1
81[.]19[.]78[.]66	1
77[.]88[.]21[.]89	1
46[.]4[.]52[.]109	1
96[.]114[.]157[.]80	1
94[.]100[.]180[.]31	1
94[.]100[.]180[.]180	1
104[.]47[.]9[.]33	1
104[.]47[.]36[.]33	1
213[.]209[.]1[.]129	1
87[.]250[.]250[.]89	1
211[.]231[.]108[.]46	1
104[.]47[.]5[.]33	1
213[.]180[.]147[.]146	1
212[.]227[.]15[.]41	1
208[.]89[.]132[.]199	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa	2
microsoft-com[.]mail[.]protection[.]outlook[.]com	2
smtp[.]secureserver[.]net	1
mx[.]yandex[.]ru	1
yandex[.]ru	1
list[.]ru	1
mx-eu[.]mail[.]am0[.]yahoodns[.]net	1
mxs[.]mail[.]ru	1
rambler[.]ru	1
smtp-in[.]libero[.]it	1
mx1[.]comcast[.]net	1
libero[.]it	1
mail[.]ru	1
comcast[.]net	1
mx-aol[.]mail[.]gm0[.]yahoodns[.]net	1
mx[.]yandex[.]net	1
inbox[.]ru	1
eur[.]olc[.]protection[.]outlook[.]com	1
aol[.]com	1
hotmail-com[.]olc[.]protection[.]outlook[.]com	1
emx[.]mail[.]ru	1
yahoo[.]it	1
mx[.]poczta[.]onet[.]pl	1
charter[.]net	1
inmx[.]rambler[.]ru	1

*See JSON for more IOCs

Files and or directories created	Occurrences
%TEMP%\D47F.tmp	5
%TEMP%\CC4F.tmp	3
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\desktop.ini.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\FilterTransforms\1033\StarterKitsFilterTransform80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\CSharpLangFilter20.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\ControlsTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\HelpTopicsTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\InfoPathTechFilter12.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\KBTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\NetFxTechFilter20.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\SamplesTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\ServerEntTechFilter20.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\SnippetsTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\StarterKitsTopicTypeFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\VBLangFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\VBScriptLangFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\VS2005TechFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\Win32TechFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\WinFormsTechFilter20.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\WindowsTechLonghornWinFx60.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Filters\1033\XmlLangFilter80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Pages\1033\VSTAHowDoI80.xml.id-98B68E3C.[admin@sectex.net].bot	2
%APPDATA%\Microsoft\Internet Explorer\brndlog.bak.id-3C28B0E4.[admin@sectex.net].bot	2
%APPDATA%\Microsoft\Internet Explorer\brndlog.txt.id-3C28B0E4.[admin@sectex.net].bot	2
%HOMEPATH%\Cookies\index.dat.id-3C28B0E4.[admin@sectex.net].bot	2

*See JSON for more IOCs

File Hashes

1a2997b0927ee1931765cf9b971ee5fd20ca9509f25eed7f2ece2f9b39ec30ec 1b7f2a5950d2d2c9f012c8aa7bb8a7611a19bea54e2ad3a11aaeeb178de91229 45e58500cc320316f3ab9cb9f9bde14446ae10f5ac37c93061b2bfad97b1026d 51fb27ab74d127a6cef6b1aaf416bc28020c93cc62926c25a0aabd64eadd51f0 63bbfc542016858d070ae21bc75f4f507273343ed7552b0fb1041b353891c943 6ac190612aeca2cf29bc2c403afd7ff4f6bd0978611b9879feed907a43d7a44e 7a6ca98d05b91859a323aeb8aa95cea2465223095963a56edd053ea2144d2949 8bd815aac414de71c6c9e8d98af6f3ea99f8f7d9eb99b24bd65aefc6fae62564 9adc16c0e94ecca0bd3bfb7a6913bc439fbeb59ae70ec264b49dc74bf92de628 a3397387c72d6215fbe3d976c0d2a2a96ada6526a1e939326e0a009c1469c748 ac1195f32c230290268c6ac144d386aaa1be9889ed4ba899bbd2078d1985a296 c909a47cc3169954c962a7bba2911694345cca7ecbe809a8e9ae737df9ee1c24 d59f8aa651ab5015619a62efde293097facdabd1a11c019cc0a0748009628126 f05b7128fd81fb67061ede7c279807ab347505762245f77f1ab0180bb4655cb2 fccdacfaf67834441250a0713534ef2d1047e7af6424a09df88a6ee132a3fe86

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Ransomware.Cerber-7432369-1

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES Value Name: DefaultTokenId	33
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES	33
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER	32
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER Value Name: PendingFileRenameOperations	31
<HKCU>\SOFTWARE\MICROSOFT\DIRECT3D Value Name: Name	1

Mutexes	Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}	33
Local\MidiMapper_modLongMessage_RefCnt	33
shell.{<random GUID>}	27

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
91[.]119[.]216[.]0/27	33
91[.]120[.]216[.]0/27	33
91[.]121[.]216[.]0/25	33
150[.]109[.]231[.]116	22
54[.]209[.]0[.]191	18
34[.]193[.]185[.]171	15
178[.]128[.]255[.]179	11
104[.]24[.]105[.]254	7
104[.]24[.]104[.]254	4
54[.]87[.]5[.]88	2
52[.]21[.]132[.]24	1
104[.]16[.]150[.]172	1
104[.]16[.]149[.]172	1
104[.]16[.]152[.]172	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
api[.]blockcypher[.]com	33
bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com	25
hjhqmbxyinislkkt[.]1j9r76[.]top	22
bitaps[.]com	11
chain[.]so	11
btc[.]blockr[.]io	11
hjhqmbxyinislkkt[.]1a8u1r[.]top	1

Files and or directories created	Occurrences
%TEMP%\d19ab989	33
%TEMP%\d19ab989\4710.tmp	33
%TEMP%\d19ab989\a35f.tmp	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\03809a07-348b-48cc-b08d-f7b8472c133c.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\07a5080e-becd-4719-9a79-fe50b59eb55b.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\0d984a6a-e70e-4747-bded-b92173e85c21.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\0ec91619-5478-4e5c-aa1b-8da00a066091.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\115556d6-ba8b-4b18-8439-8e9c81ff63a4.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\1e81fb27-0aa3-4b11-a764-0d9e7e3272ea.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\3c6a9801-329c-4eba-9524-2165ac426bef.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\52c39d7c-6d6b-4ad3-b5e5-c417949d335d.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\5318eba9-773d-4fec-9366-6e84f8dfbbc5.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\5394c05d-dc33-4d24-bd45-2d8954648f28.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\62e3dfa2-4350-445b-8693-d1d04a74543c.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\6a8b0e06-e9a5-4761-afda-29391149e64d.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\70c3a864-35fa-4245-802a-dbda1e3f4c00.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\70d1f452-966e-4e28-8da5-8b2eeadbe078.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\7b168dd1-e39e-4b39-918c-53b9e78365e9.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\7dceec06-0991-43f4-8af3-601c0ebeb910.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\8339d228-5ca6-486f-8793-633aa6af18d8.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\a4fbc2bf-8cc2-4a6d-b3c7-0ef749399e7f.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\a507cd65-0038-49e4-8cdb-b6082f566351.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\a6f0f9a9-e50d-4612-9e8e-f5640793680c.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\a9e6bb3f-0b62-4410-86f7-68bb36989df7.png	33
%LOCALAPPDATA%\microsoft\onenote\14.0\onenoteofflinecache_files\b1503304-9b12-4d90-89e7-df30e304e6c2.png	33

*See JSON for more IOCs

File Hashes

00d8580b7de2d5cfcdeb6d896153cb43aeb8086ad87c320a20528fb0ab382c83 0156cd32b9647dcd19ef44503aa99dfcfb891365a6a1e0a4f364e1b882563a77 049e95486dc15591857897db7e038204ad7669afc52f6e413ad8eef6a042a3f3 0543292cf63218e40d9785a1e6e0b9cc0dddd34cd6cfdbd6e6735e7b2cd7767e 05e6572e963ec98373c94748dba580a9d4c99ced95d2c4e455cf2e952973404c 06d5ae8d97a7b3bb50330f566130ce3b0ceced3a9b92ff1b5be9b2a3b08dec89 09e5adc6762e13f50bbc4b3e233c00c44c77cab958bd3e30212034fe0a2471be 0af56173b6a8d920e8f42c564d590373d8a8c55edda2476deff5013a39d76d87 0cfb5e263ca7a4f5b38cd79c111eeeb7cb6e2e3150fc07996fd7b74a739452e8 0dccb9d4f1369026b350c848d98e0aadddd063ed231c9682419735b25d4cd1e0 0e2f515b821c6995dff04862e4808609e3ebfcb7dbf4cbd2884dc3b737657580 15f59c6041fbb1a8f54e083a4f501076efa61941f5064db404c2914be4973e2f 16f2a805ea445edf5c9cdab4d530235204acccaa50cda907dbb84177f71eda57 179ecfd3969f0f2aef94a99467064e60ef737bac9819439bcbe1b3ca2dffee08 183bad8c045acadaa5cdd8542fae8f05539249c0df2448816b3895a6d949caf3 1860ec3f04583312079795ca661360e723092217e0880ddc7e48345829f571a8 19e65785549059911db9ad54bbdbb8c4f86d6a4cc6710d8572b81afed213250b 1d44d8a762ee2f1f9813482b862428add0c081fab9bb27a4bad082a118b5e509 20122bc23fc55bbc44a920e8b9c06829a13e78258356798a64c224a534e06faf 2070face5382b738dda8e2a42c56b233793a9751fb6722e970d77da207d52f1f 20842d1ad99423e0412187f7f365ce5b9d93c2499df5bcb9da16a8d196b3e94c 244820be643b64929d14af90218aa67f2e9b2cb07d8654c5ead2d60a25f8ead3 2c670078bda065d704ed155173fc59438a15e71244c0f47ccf95d12225e27eaa 2f29ed32c90581269668e03216169207478721f2b9d59ebfb389a647c6a1f51a 2f3bf21023544bc5ade37a16588cf51aa6ac8327685de3953f44de57a3068a8d

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

---

Win.Trojan.ZeroAccess-7432508-1

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: Start	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: DeleteFlag	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: DeleteFlag	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: DeleteFlag	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER Value Name: Start	31
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 Value Name: ThreadingModel	31
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32	31
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Defender	31
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: Type	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: ErrorControl	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: Type	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: ErrorControl	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: DeleteFlag	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Type	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: ErrorControl	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Type	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: ErrorControl	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010 Value Name: PackedCatalogItem	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009 Value Name: PackedCatalogItem	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008 Value Name: PackedCatalogItem	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007 Value Name: PackedCatalogItem	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006 Value Name: PackedCatalogItem	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005 Value Name: PackedCatalogItem	31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000004 Value Name: PackedCatalogItem	31

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
68[.]58[.]140[.]128	38
180[.]254[.]253[.]254	31
166[.]254[.]253[.]254	31
135[.]254[.]253[.]254	31
117[.]254[.]253[.]254	31
119[.]254[.]253[.]254	31
134[.]254[.]253[.]254	31
206[.]254[.]253[.]254	31
222[.]254[.]253[.]254	31
182[.]254[.]253[.]254	31
190[.]254[.]253[.]254	31
184[.]254[.]253[.]254	31
197[.]254[.]253[.]254	31
183[.]254[.]253[.]254	31
158[.]254[.]253[.]254	31
204[.]254[.]253[.]254	31
24[.]149[.]4[.]58	29
97[.]95[.]231[.]238	28
50[.]68[.]78[.]41	26
188[.]26[.]185[.]40	26
111[.]250[.]107[.]91	26
173[.]175[.]25[.]91	26
184[.]166[.]16[.]43	26
24[.]98[.]179[.]133	26
79[.]115[.]11[.]4	26

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
j[.]maxmind[.]com	31

Files and or directories created	Occurrences
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@	38
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n	38
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@	38
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\n	38
%SystemRoot%\assembly\GAC\Desktop.ini	38
\systemroot\assembly\GAC_32\Desktop.ini	31
\systemroot\assembly\GAC_64\Desktop.ini	31
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8	31
%SystemRoot%\assembly\GAC_32\Desktop.ini	31
%SystemRoot%\assembly\GAC_64\Desktop.ini	31
\$Recycle.Bin\S-1-5-18	31
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f	31
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@	31
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L	31
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U	31
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n	31
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f	31
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@	31
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L	31
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U	31
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n	31
%ProgramFiles%\Windows Defender\MSASCui.exe:!	31
%ProgramFiles%\Windows Defender\MpAsDesc.dll:!	31
%ProgramFiles%\Windows Defender\MpClient.dll:!	31
%ProgramFiles%\Windows Defender\MpCmdRun.exe:!	31

*See JSON for more IOCs

File Hashes

0157ed115b5bf4c7be57c400db2d0565f5ad1b6df2bb63d85ca04932d190f83a 02deef08e12b0ca6d311bd47d984587fc2eacee659bccd5b03f470d04baf7fda 05e354a637fc39a732a2042d70be6d4ff0d7250f746a89bda5833787b1d73f77 05e9764e72fd580377b26682b329ede539bab36a7c651f17e78bfed628f29236 070a5d1c0a35171169531caa0583f46ef8ce39d8e8a5f4806ea0060a8311e3c2 08a22538c4474de9d510516b31169eb4bbcb111333f45463387540ee1c802094 094f81ace5dc69455869040c8306a5c89ed318a0209feb9883c65dedfaa1607a 1078cbea870ad246012c3e5d7383a34b73b71d743b8a7814b916afb22dafc052 12092b610aec4b3a4abd1704aa5ca7796afb88ed2d62813f64e69813179bf17e 13297a1a4dae8afcae7683ca66825a041fde54b3a34347c5ae9cd1ca540bfe65 15c92af968516aa50e2434d678099993d616322ed64c28fbedbdf9f58f688cfe 1ccece616c3bf43763c2f4159894df3170e8e017359a432fcf574df86ed4d9c9 1ddede2f503ec591648dee15162794cc8c44bc39b40aaa209a344c4d8741b59e 1e40c41b83c1dfdcf4f62b52a3248f7de7d14e9d20c622f3d58b56e873e90ada 1e6bd842bc6e5a5a27e4c9124f4f8d0cb99bf13fe07f33ae4ebddeaeccddc065 1f213cb034864518007496d9f81834a202e2fbb24f60685c0d38af4127230b7e 23095a64ad977a038141d7a51d9b16fffb690671c4cba65f4aa9cab1ead68d9d 245aa365f4df9a087650d523cfb5685f5e0a22faf3948de28e4516ff7574daec 26fc9dad694e24ab9f22f40ecae7b5ce436d3e7f0fdc7c0dc91a33967ed3bcb3 2afc92a8de98e29db880f1bbd0cde81e4cc2e49dce0bdafb5d992511be97dbca 2fbc30feb2a4a8c926b69b762e898bda305d5333a198b2a1304644a1bff6176a 352d14133cb2f89223d15a81fa44442ef7b033b3646b12a92f69d82d27718f67 38257554ec967969a8e114bb6588b63210b83a0a76a7f1cbf0eb17b6e10ab91f 3852da85c0d4541fea5bb3812eaec3b7247aae76c57c6a4ad7271b76d50acb8d 3be059379396caf75330c4f1fa97adc8f5683cba16eeaabcbdd9ccbd8055b748

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (24000)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Process hollowing detected - (246)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Kovter injection detected - (209)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Dealply adware detected - (191)

DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Gamarue malware detected - (159)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Excessively long PowerShell command detected - (101)

A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

Installcore adware detected - (88)

Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

Special Search Offer adware - (25)

Special Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.

Fusion adware detected - (20)

Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.

Corebot malware detected - (20)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200

December 16, 2019, 7:29 am

≫ Next: Beers with Talos Ep. #68: Takes from Talos on IoT (and the NEW “Talos Takes” podcast!)

≪ Previous: Threat Roundup for December 6 to December 13

$

0

0

Kelly Leuschner of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGO’s programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause within the protocol handling code of the I/O Check (iocheckd) configuration service used by the controllers. The vulnerabilities discussed here could allow an attacker to remotely execute code, deny service to the device or weaken device login credentials.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WAGO to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

WAGO PFC200 iocheckd service "I/O-Check" external tool information exposure vulnerability (TALOS-2019-0862/CVE-2019-5073)

An exploitable information exposure vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause an external tool to fail, resulting in uninitialized stack data to be copied to the response packet buffer. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" BC_ProductLabel remote code execution vulnerability (TALOS-2019-0863/CVE-2019-5074)

An exploitable stack buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a stack buffer overflow, resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" get_coupler_details remote code execution vulnerability (TALOS-2019-0864/CVE-2019-5075)

An exploitable stack buffer overflow vulnerability exists in the command line utility get_coupler_details of the WAGO PFC 200. A specially crafted set of packets sent to the iocheckd service "I/O-Check" can cause a stack buffer overflow in the sub-process get_coupler_details, resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" MAC Address overwrite denial-of-service vulnerability (TALOS-2019-0869/CVE-2019-5077)

An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" erase denial-of-service vulnerability (TALOS-2019-0870/CVE-2019-5078)

An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" ReadPSN remote code execution vulnerability (TALOS-2019-0871/CVE-2019-5079)

An exploitable heap buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a heap buffer overflow, potentially resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" factory restore denial-of-service vulnerability (TALOS-2019-0872/CVE-2019-5080)

An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A single packet can cause a denial of service and weaken credentials resulting in the default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" ReadPCBManuNum remote code execution vulnerability (TALOS-2019-0873/CVE-2019-5081)

An exploitable heap buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a heap buffer overflow, potentially resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.


WAGO PFC200 iocheckd service "I/O-Check" ReadPRGDATE remote code execution vulnerability (TALOS-2019-0874/CVE-2019-5082)

An exploitable heap buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted set of packets can cause a heap buffer overflow, potentially resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability. 

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 03.00.39(12) of the WAGO PFC200 and PFC100 is affected by these vulnerabilities. Firmware version 03.01.07(13) of the PFC200 was not explicitly tested for some of these bugs, but the vulnerable function in these vulnerabilities do exist in this version. Talos recommended that a fix be applied to that version, as well.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 50786 - 50789, 50790 - 50793, 50797

Beers with Talos Ep. #68: Takes from Talos on IoT (and the NEW “Talos Takes” podcast!)

December 17, 2019, 7:28 am

≫ Next: Incident Response lessons from recent Maze ransomware attacks

≪ Previous: Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200

$

0

0

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 68 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Dec. 9, 2019 

We have a big announcement to make today! Check your feed for a few episodes of a new podcast from Talos: “Talos Takes."

On this episode of BWT, we welcome Joe Marshall to the table. Joe is a Talos ICS/IoT tech lead and he stops by to discuss issues in the IoT space — macro and micro, from both the vendor and user perspectives. Check out the crew’s advice on staying secure in this IoT gift-giving season.

We will see you in the new year, and thanks for listening in 2019. Happy Holidays to all!

The timeline:

• 00:55 — Roundtable: The robots come for Craig’s 3-D printer, Matt dunks on the crowd and misses.
• 08:30 — Meet Joe Marshall, Talos IoT and ICS Security tech lead
• 09:00 — Quantifying the IoT problem: IoT vulns surpass desktop/PC vulns in 2019
• 18:00 — The best ways to determine if security matters to an IoT device maker
• 21:15 — Poor security affects everyone, and why NAT is the most important thing on the internet
• 31:00 — So, how should we then buy?
• 34:00 — Trojans in the Python
• 39:20 — Big announcement! The NEW podcast coming from Talos — Talos Takes
• 40:45 — Closing thoughts and parting shots

Some other links:

• Check out the Talos Takes podcast! (Three episodes coming to the Beers with Talos podcast feed today!)

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

Incident Response lessons from recent Maze ransomware attacks

December 17, 2019, 11:03 am

≫ Next: New Talos Takes podcast puts Talos' spin on the latest cyber news

≪ Previous: Beers with Talos Ep. #68: Takes from Talos on IoT (and the NEW “Talos Takes” podcast!)

$

0

0

By JJ Cummings and Dave Liebenberg

This year, we have been flooded with reports of targeted ransomware attacks. Whether it's a city, hospital, large- or medium-sized enterprise — they are all being targeted. These attacks can result in significant damage, cost, and have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.

The first widespread targeted ransomware attacks involved the SamSam ransomware, which Cisco Talos researchers first discovered in early 2016 and were incredibly profitable, despite ending in indictments from the U.S. government.

In 2019, there have been multiple players in this space, the most prolific of which has been the Ryuk campaigns that start with Emotet and Trickbot. Other targeted ransomware attacks have involved other types of ransomware and varied attack methodology. Included in this list is ransomware like LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis, among others. More recently, attackers have taken the extra step of exfiltrating data and holding it hostage, which they claim they will release to the public unless payment is received, a form of doxxing.

Recent incidents

Over the past several months, Talos Incident Response responded to several such incidents, where an adversary gained access to an environment, deployed ransomware, and exfiltrated large amounts of data, combining elements of ransomware and doxxing attacks into a single incident.

In one incident, the attacker leveraged CobaltStrike after obtaining access to the network. CobaltStrike is a widely used framework for offensive and red-teaming, which is also commonly used by adversaries to attack their targets. Once the adversary has access, they spend at least a week laterally moving around the network and gathering systems and data along the way. Combined with CobaltStrike, the actor used a technique commonly associated with APT-29, leveraging a named pipe (i.e. \\.\pipe\MSSE-<number>-server).

Once the actor gained enough access to both data and systems, the payment mechanisms began to take form. First, the actor began exfiltrating the data that they had accumulated. They achieved exfiltration by using PowerShell to connect to a remote FTP server. Below is a snippet of the code used to achieve this exfiltration via PowerShell.

The actor then deployed the Maze ransomware on the systems. Maze has been in the news recently as being the ransomware used in several high-profile targeted ransomware attacks, including those against the city of Pensacola, Florida and staffing firm Allied Universal.

Another incident involved more CobaltStrike, some shared infrastructure, and more exfiltration. In this case, the adversary was again found leveraging CobaltStrike post initial compromise and used PowerShell to dump large amounts of data via FTP out of the network and demanded payment before disclosing this information publicly. The connection to the previously mentioned incident lies in the command and control (C2) infrastructure used. This actor dumped the data to the same C2 server as the aforementioned CobaltStrike incident. In addition to the shared infrastructure, there were a couple other commonalities between the attacks — the first being the deployment and use of 7-Zip to compress the data they were preparing for exfiltration. Additionally, in both incidents, there were interactive logins via Windows Remote Desktop Protocol, remote PowerShell execution, which was achieved via WMIC, and in one case, active reconnaissance observed. Based on all of these facts, Talos assesses with high confidence these incidents were associated with the same adversary.

Conclusion

The use of targeted ransomware attacks isn't new and, unfortunately, it's not going anywhere anytime soon. This is an extremely lucrative attack avenue for adversaries and as such, its popularity is likely only going to increase. What makes these particular attacks interesting is the additional monetization avenue of exfiltrating data in the process. This allows the actor to potentially monetize their attack in multiple different ways. First, the actor can demand the victim pay an additional fee to get the data back. Even if the victim refuses to pay the ransom due to proper precautions, like full backups and reliable recovery plans, money can be made. Second the data itself could have significant value to other adversaries, and selling the data on the black market is highly likely. Finally, there is the public damage that can be done to the victim by releasing the data, which doesn't give the attacker any monetary benefit but can be a very useful way to encourage future victims to pay and avoid the negative press associated with a public data dump.

This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space, as demonstrated by the proliferation of emotet and the millions and millions of dollars in damage that have followed. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised.

Indicators of Compromise (IoCs)

Hashes:

CobaltStrike

• 51461b83f3b8afbcae46145be60f7ff11b5609f1a2341283ad49c03121e6cafe
• 3627eb2e1940e50ab2e7b3ee703bc5f8663233fe71a872b32178cb118fb3e2d9

Maze Ransomware

• 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
• 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
• 1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78
• 153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57
• 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
• 30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54
• 33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
• 4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d
• 5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
• 58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806
• 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353
• 6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13
• 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af 
• 822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8
• 83f8ce81f71d6f0b1ddc6b4f3add7a5deef8367a29f59b564c9539d6653d1279
• 877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1
• 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1
• 9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71
• 9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1
• 9be70b7fe15cd64aed5b1adc88c2d5270bce534d167c4a42d143ae0059c3da1c
• b30bb0f35a904f67d3ac0082c59770836cc415dc5b7225be04e8d7c79bde73be 
• c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc 
• c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b 
• ea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705 
• ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2 
• F491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49 
• fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f

IP Addresses:

• 91.218.114[.]4
• 5.199.167[.]188
• 185.147.15[.]22

New Talos Takes podcast puts Talos' spin on the latest cyber news

December 17, 2019, 8:32 am

≫ Next: 2019: The year in malware

≪ Previous: Incident Response lessons from recent Maze ransomware attacks

$

0

0

By Jon Munshaw.

Today, Cisco Talos' podcast network is growing with a new show.

Talos Takes is a new podcast that provides Talos analysts' and researchers' opinions and expertise on the hottest topics in cyber security. The first three episodes of the show — covering holiday shopping scams, protecting your new gadget and the basics of malvertising — are in the Beers with Talos podcast feed right now.

In 2020, we will be launching a new, separate podcast feed for Talos Takes that you'll be able to subscribe to on Apple Podcasts, Stitcher, Google Play and any other place where you get your podcasts.

We plan to release episodes on a regular basis, but expect new Talos Takes to be dropping randomly if there's a breaking news story or a major topic we need to discuss.

In each episode, Talos analysts and researchers will outline the topic they're going to discuss, and then put a Talos spin on the topic. We'll cover everything from specific malware families, to different attack vectors and the latest headlines.

Again, you can find the first three episodes in the Beers with Talos feed if you're already subscribed to BWT, or you can check them out on our Podcasts page here.

2019: The year in malware

December 18, 2019, 5:06 am

≫ Next: Threat Source newsletter (Dec. 19, 2019)

≪ Previous: New Talos Takes podcast puts Talos' spin on the latest cyber news

$

0

0

By Jon Munshaw.

From ransomware attacks to DNS deception, attackers were just as active as ever in 2019.

This year saw a number of big-name malware families come onto the scene, including Sea Turtle, one of the most high-profile DNS hijacking attempts in recent memory. BlueKeep also stirred up controversy when the RDP vulnerability was first discovered, but researchers are still holding their breath, waiting for the first major exploits to happen.

To recap this busy year, we’ve compiled a list of the major malware, security news and more that Talos covered this year. Look through the timeline below and click through some of our other blog posts to get caught up on the year that was in malware.

	February Attackers use a malicious PowerPoint presentation to target members of the Tibetan government in the hopes of infecting them with ExileRAT.
	March Talos discovers a new point-of-sale malware for sale online called “GlitchPOS” that is easy enough to use that anyone could set up their own credit card-skimming botnet.
	April Talos publishes a list of malicious groups on Facebook using straightforward names that carry out a range of malicious activities, including the sale of credit card data and other malware services. A campaign known as “Sea Turtle” expands on the growing popularity of DNS hijacking attacks, spoofing legitimate DNS addresses to target public and private entities, including national security organizations, located primarily in the Middle East and North Africa. Yet another DNS hijacking campaign, “Karkoff,” shows that the actors behind DNSpionage are retooling their procedures to avoid detection and improve the efficacy of their operations.
	May The Qakbot banking trojan evolves to maintain persistence and potentially evade detection. Talos discovers “BlackWater,” a trojan that our researchers believed with moderated confidence was associated with the MuddyWater APT. A “wormable” Microsoft vulnerability called “BlueKeep” is discovered, leading researchers to believe the Remote Desktop Protocol bug could lead to a similar attack to WannaCry. Talos released new Snort rules to protect against this vulnerability and outlined how to defend against it using Cisco Firepower.
	June A threat actor merges together multiple open-source projects to install malware on victims’ machines in a campaign Talos called “Frankenstein.” Talos publishes the details of the new Spelevo exploit kit, showing that exploit kits aren’t going anywhere.
	July A wave of RATs and information-stealers use the well-known “Heaven’s Gate” exploit to achieve infection. Sea Turtle returns with new DNS hijacking techniques and a growing pool of targets. A slew of cities around the U.S., most notably Baltimore, suffer ransomware attacks, causing experts to debate whether it’s ever a good idea for a ransomware victim to pay the extortion payment.
	September After going quiet over the summer, Emotet returns with a new group of IOCs, but the same set of protections as always. The Tortoiseshell APT uses a fake hiring website targeted toward U.S. military veterans to infect victims with a malware downloader. The ODT file type becomes increasingly popular among attackers, which can allow malware to avoid traditional detection methods.
	October A rare iOS jailbreak called “checkra1n” hits the scene, leading to some attackers attempting to trick users into downloading a tool that they believe will unlock their devices, but actually just installs malware. Talos uncovers a group of spyware software that exist in a legal and moral gray area, but attackers have been using to carry out malicious actions.
	November The first reports surface of BlueKeep being exploited in the wild, though there is no evidence to suggest it’s part of a broad campaign.

Threat Source newsletter (Dec. 19, 2019)

December 19, 2019, 11:00 am

≫ Next: Threat Roundup for December 13 to December 20

≪ Previous: 2019: The year in malware

$

0

0

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We have an early holiday present for you! This week, we introduced a new podcast to the Talos family. Talos Takes, a new short-form show, takes listeners through a quick breakdown of a particular topic or security news story, with our Talos spin. The first three episodes are available now on the Talos podcasts page, and on the Beers with Talos feed. In 2020, we’ll give Talos Takes its own feed you’ll be able to subscribe to.

Not to be overshadowed, there is also a new Beers with Talos episode available just in time for your holiday road trip. This week’s episode features special guest Joe Marshall from the Talos Outreach team, who brings his expertise on IoT and ICS security to the table.

To wrap up the year, we released a blog post running through the top malware and cyber news stories of 2019. This post is a perfect place to look back on all the major research we put out this year.

Cisco’s annual winter shutdown begins next week, so this will be the last Threat Source newsletter until Jan. 9. See you in 2020!

Cyber Security Week in Review

• The city of New Orleans declared a State of Emergency days after it was hit with a cyber attack. Many government services went down, although emergency services like 911 were not impacted. Local officials say they’ve engaged the FBI to assist with their recovery and an investigation into the attack. 
• Meanwhile, the city of Pensacola, Florida still recovers from its own ransomware attack. The city brought in an outside firm to launch an investigation into what kind of malware its systems were hit with and provide recommendations on how to recover. 
• Congress approved $425 million in funding to improve America’s election security. But some lawmakers and security experts say it’s too little, too late, to protect the 2020 presidential election. 
• GSuite is banning the use of what it considers “less secure” apps. Beginning in June 2020, developers will only Google will only allow users to sign into apps that only rely on a username and password via their Google Account. Google considers secure apps to be those that rely on OAuth tokens. 
• Ring security cameras continue to come under fire for a series of negative headlines around its security. There are several key security features the service is missing, including the lack of alerts when a new user logs into the account from an unknown IP address or if there are multiple users signed into an account at the same time. 
• In response to many of these stories, Amazon, the company behind Ring, said many of these hacks are the result of users relying on unsecure username and password combinations. They also recommended opting into two-factor authentication. 
• Canadian lab testing company LifeLabs says it recently suffered an attack that compromised 15 million individuals’ personal information and paid a ransom to retrieve that data. Representatives from the company say they believe that paying the ransom ensures the compromised data will not be used in additional attacks. 
• Google released an emergency update for its Chrome web browser after a bug appeared that wiped data from other Android apps. Chrome 79 mistakenly cleared information from apps that are completed unrelated to Chrome, including the Finance app.  
• Microsoft released an out-of-band security update for SharePoint. CVE-2019-1491 could allow an attacker to obtain sensitive information, and then use that information in additional attacks. 

Notable recent security issues

Title: New malware-as-a-service family targets tech, health care companies
Description: The new Zeppelin malware is targeting health care and tech companies in the U.S. and Europe. Researchers believe Zeppelin is a variant of the ransomware-as-a-service family known as Vega. While Vega started out earlier this year targeting Russian-speaking victims, researchers believe the malware could be in a new adversaries’ hands now that they are targeting users elsewhere. Zeppelin is highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader.
Snort SIDs: 52451 – 52453 (By Nicholas Mavis)

Title: Gamaredon attacks spread to Ukrainian journalists, law enforcement agencies
Description: A well-known APT is expanding its pool of targets, now going after journalists and law enforcement agencies in Ukraine. The group, which is believed to have Russian ties based on the language used in their malware, previously went after Ukrainian military and government agencies. There are also new TTPs associated with this group, including the use template injection in their malware.
Snort SIDs: 52445 - 52448 (By Joanne Kim)

Most prevalent malware files this week

SHA 256: d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81 
MD5: 5142c721e7182065b299951a54d4fe80
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::1201

SHA 256: 0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94
MD5: 7c38a43d2ed9af80932749f6e80fea6f
Typical Filename: xme64-520.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::1201

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

---

Threat Roundup for December 13 to December 20

December 20, 2019, 10:07 am

≫ Next: Cisco ASA DoS bug attacked in wild

≪ Previous: Threat Source newsletter (Dec. 19, 2019)

$

0

0

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 13 and Dec. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Doc.Downloader.Emotet-7451163-0	Downloader	Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.TrickBot-7455405-0	Dropper	Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Dridex-7447905-1	Packed	Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Packed.Razy-7450491-0	Packed	Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.NetWire-7454096-1	Dropper	NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Tofsee-7450732-0	Trojan	Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Doc.Downloader.Sagent-7454309-0	Downloader	Sagent downloads and executes a binary using PowerShell from a Microsoft Word document.
Win.Malware.Gandcrab-7454521-1	Malware	Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
Win.Trojan.HawkEye-7455512-1	Trojan	Hawkeye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.

---

Threat Breakdown

Doc.Downloader.Emotet-7451163-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	10
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyEnable	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyServer	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyOverride	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoConfigURL	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoDetect	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadDecisionReason	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadDecision	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadNetworkName	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadDetectedUrl	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Type	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Start	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ErrorControl	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ImagePath	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: DisplayName	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: WOW64	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ObjectName	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Description	2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadDecisionTime	2
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A40-032075206B43}\2.0\FLAGS	1
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A40-032075206B43}\2.0\0	1
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A40-032075206B43}\2.0\0\WIN32	1

Mutexes	Occurrences
Global\I98B68E3C	2
Global\M98B68E3C	2

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
100[.]108[.]65[.]228	8
100[.]116[.]148[.]111	8
100[.]112[.]136[.]191	8
100[.]89[.]177[.]62	8
100[.]93[.]135[.]190	8
168[.]235[.]82[.]183	2
96[.]234[.]38[.]186	2
120[.]51[.]83[.]89	2
204[.]197[.]244[.]176	2
149[.]202[.]153[.]251	1
103[.]47[.]185[.]215	1
107[.]180[.]41[.]254	1
69[.]16[.]254[.]127	1
82[.]145[.]43[.]153	1
139[.]255[.]47[.]211	1
37[.]228[.]137[.]204	1
157[.]7[.]231[.]227	1
202[.]238[.]198[.]32	1
202[.]238[.]198[.]30	1
60[.]36[.]166[.]212	1
192[.]1[.]4[.]230	1
50[.]31[.]174[.]165	1
113[.]43[.]208[.]199	1
202[.]130[.]62[.]24	1
103[.]253[.]113[.]131	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
adichip[.]com	10
grafdesign[.]pl	8
dcjohnsonassociates[.]com	8
global-ark[.]co[.]jp	8
acadmi[.]co[.]uk	8
mail[.]1and1[.]com	1
587[.]hexabyte[.]tn	1
child-pro[.]com	1
imap[.]e-apamanshop[.]com	1
sg2plcpnl0259[.]prod[.]sin2[.]secureserver[.]net	1
mx1[.]retailconnection[.]co[.]za	1
smtp[.]consulmexrio[.]com[.]br	1
mail[.]ahg[.]com[.]mx	1
mail[.]cassado[.]com[.]pe	1
pop[.]aoishokai[.]co[.]jp	1
mail[.]thebasechurch[.]org	1
miyataseika[.]sakura[.]ne[.]jp	1
mail[.]uberved[.]com	1
mail[.]victoriasuitehotel[.]com[.]pe	1
pop3[.]jinrikiudon[.]co[.]jp	1
pop[.]e-apamanshop[.]com	1
bh-35[.]webhostbox[.]net	1
pop[.]orange[.]jo	1
mail[.]muzamilglass[.]com	1
mail[.]aceinterioruae[.]com	1

*See JSON for more IOCs

Files and or directories created	Occurrences
%HOMEPATH%\576.exe	10
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2

File Hashes

24547a6e7ab9766fc85644033e27414deb2409367fae21fdb722174a605a34ad 27e0a7b8c18893b22583e19ef7634fd79fc9cb5daed862f794960ddaa19b58dc 363ecad264cfe3cdef52119a1b78c495d362efa7df5d38d182ce76dbf31facfd 3f0e86777e4a9b3285a9203907f5a7e6f804e7cfda3300b857e8712ac2030e57 5e31045309ab5ecbef3701c9023fc5a4631bf653347447484b652e434b086966 67c3eabb23b74c1a6ee4d384fa6f248c4a2492d998e7aaf0a1ce3f878a8ff715 6ba2589b00a95ff4ce9f7eee550bdffa6ef57dbf0212384ce38696b0c13778bd 7b0c9b63d9e8c6399e13354176e41bde009c94053b0566ef4506b17c14b46ab7 9100a8c4f2f6dd2bde134162d6b70f0d9ac99db4ff1f4551407a8a078ce2c35c c0197a5e801dee8d80df024c32a616c04539a56108b2225b469c7eb5fede5447

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

---

Win.Dropper.TrickBot-7455405-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Value Name: Blob	3

Mutexes	Occurrences
Global\316D1C7871E10	20

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
167[.]86[.]123[.]83	4
5[.]34[.]177[.]50	4
193[.]37[.]213[.]110	4
170[.]84[.]78[.]224	3
216[.]239[.]36[.]21	2
216[.]239[.]38[.]21	2
117[.]196[.]233[.]79	2
85[.]143[.]220[.]41	2
5[.]2[.]72[.]84	2
146[.]185[.]219[.]94	2
185[.]62[.]189[.]132	2
107[.]172[.]29[.]108	2
3[.]224[.]145[.]145	1
200[.]21[.]51[.]38	1
31[.]214[.]138[.]207	1
181[.]129[.]104[.]139	1
190[.]142[.]200[.]108	1
181[.]113[.]28[.]146	1
177[.]105[.]242[.]229	1
185[.]66[.]13[.]65	1
212[.]124[.]117[.]25	1
64[.]44[.]133[.]151	1
107[.]172[.]208[.]51	1
146[.]185[.]253[.]132	1
172[.]82[.]152[.]130	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org	2
myexternalip[.]com	2
ipecho[.]net	1
checkip[.]amazonaws[.]com	1
api[.]ipify[.]org	1
ipinfo[.]io	1

Files and or directories created	Occurrences
%System32%\Tasks\System Network Extensions	20
%APPDATA%\speedlink	20
%APPDATA%\speedlink\data	20
%APPDATA%\speedlink\settings.ini	20
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt	20
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp	20
%APPDATA%\SPEEDLINK\<original file name>.exe	20

File Hashes

14c4ecbdba8a97d3157dcbbe5be3ab9270ba9142e6ea6286634e8b9658db5f20 170f8b900b31d3bcdf5e97d870a4b791c7e28754b15b7c90c4e835c2f7d579b7 22c10541cffa8a6c504202fe909fdbaa87375427fb2918ac1ab78a0656a886f0 26c501cea49207f9482fa293ed361c2bb4c163ed6c0a8cf309aa21624570f0ba 2c5c0a1b1998c1686eb2cc6654681aa933eb123feb972110cb2ddd91ab188429 3247f44c8c5bd8707c2a78e71ae03cc4a98845e1af8f7e283ea0189bf2c578bf 7d97d4c51ba4ad8a562264a9a0f8a09165123eeab47b74370f116778e9507cdf 95ee0f3243a2202f706bd45aaa2d27614059773ecb978671324560dc87fa6c03 9b71918c0db320b9b7ae6501f7b898082678480825b24d6c863bc1c017291db5 9f8aeec6db5f0220c88f6b90777c17f52a0219a5581cd586931782a975d1e068 ae560bec5699185818aa31178b20782fdb5113c202ac29ac9e6e26a4a2ccc091 bbab2020a80bf96b5784d94a395f9239127389e114799d3de605e0a13f0a7f91 c93ab8787073bbbc9cd37a121fa63b1eb782f547ed3a2085c0b09ca3a7549dee d635e095a8694027c0523c7b0ec13409daa295afb99eb40395a3794a948479a5 d7e9dd938f44a2be9163002868973d34bb445ffd008bc007493ee271661fc691 de4ff1ec4bdd8662185ab8776e9ca1a898a402d7c794b8b6f7d4b481a56e3a2b e282e081f44f468e9f12421833b9db629f788b583cc050bf945cb3067be916ae eaab484d0f2cfa0ba4e2ffe301f08e5a2f515195131f023bd8d69b8acafd5bb4 f1265e6373975143d1b68cc5ddde073a615531133a43cc789b425e3d318bd159 f979b407999143cd0d22e46cca3405a14dd0ddb6d022c79aa0f399c7a0b1db9f

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

---

Win.Packed.Dridex-7447905-1

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: trkcore	16
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: DisableTaskMgr	16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 Value Name: CheckSetting	16

Mutexes	Occurrences
2XzfQtwuWo	2
6K6du14uPy	2
Pl97gmRo4e	2
Rn0BgZV5LS	2
VdM3QqPmEf	2
dfSE5V35Cq	2
h7l6vKPM9o	2
qlxcdn1ONT	2
8Uxj8bcq52	1
YCQp73aCwI	1
A9GTS5Q4V7	1
hMRRcbdYM5	1
Oa0iwlf5sY	1
ogQ7oifBn6	1
jZKilZdPlc	1
qBGGGgXckD	1
l4ibeg830v	1
wOMqV2KpkO	1
7blYqMoYMu	1
3YLHr362i4	1
E2Z6XqeW5y	1
SUFSEHTYOK	1
Jm43Qhf6mW	1
SbwW51fbso	1
OM3OWBjT4C	1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
172[.]217[.]10[.]238	16
104[.]20[.]68[.]143	12
104[.]20[.]67[.]143	4

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
pastebin[.]com	16
www[.]riirnqa3el[.]com	2
www[.]tcofbii6gc[.]com	2
www[.]xkwkb7vwyc[.]com	2
www[.]luzbvsguu7[.]com	2
www[.]e2vqnpqnxa[.]com	2
www[.]ddwnd8uazb[.]com	2
www[.]yg1ihyzjlx[.]com	2
www[.]k3okzy7fbv[.]com	2
www[.]5rmqghqote[.]com	1
www[.]sbbvxwzjds[.]com	1
www[.]lfrmipbwhf[.]com	1
www[.]5tmjtihjrd[.]com	1
www[.]99z7gq8bpa[.]com	1
www[.]fn8bcbak8g[.]com	1
www[.]j3hh3nvc1x[.]com	1
www[.]q6rbctmtup[.]com	1
www[.]6y1kayw2zo[.]com	1
www[.]cngy66afzf[.]com	1
www[.]xwra4vfpbm[.]com	1
www[.]xp9isgvq38[.]com	1
www[.]3upvufuqla[.]com	1
www[.]phtetocd0l[.]com	1
www[.]6komu134jz[.]com	1
www[.]cmckmtegzm[.]com	1

*See JSON for more IOCs

Files and or directories created	Occurrences
<malware cwd>\old_<malware exe name> (copy)	13

File Hashes

01568fc89054049b9f4c65271186513fa9406e5bcaddd2583fa55abea453f3aa 0a07af4ec8798650f1e578f7e48df97980cf18074d2cc8b17955bb129c44607e 2440f0be01bed503a0a4315e8f253d6559063c7dd3dfd7e28379b23cc9fe3929 25effe96a8c27444dac8ff4ff13f75bc56c351faa74ddd0b217bf6c5f8202cbc 282c63152fdf124cba6c392874c96e670ce019b8566c1cba18475701ce06fbac 4d7589c590b5b0e69c5f08c7664bf658fe340b47022299337e9ec0ccf604426e 6b0ab0fb5437d31cef43d3b0cb989832b3d42d4d1c115d2180ffa0e25d6e0be3 6fcbcc1c24bf20ea3dfff5bfad8d0c38e60e46d1c9cbf254d845c58d4cecd1c9 878fd0aa3f953d35e89d4cf6b52183aa3cc0a1ab244665a4262189c065ce04ce 87dabcb18d67440cf631479d6ae1bacb32d82704c3c54e0305c370cd3f122512 a51d3150053e1a9d2176e98f0000acb572ecbe7c33ae596ab9cdfd4a05470b8c a71838cb33ea89f9e3f3201825b7129b8a61f112d946bf9b7671f2af901a07c1 ac29341c883ff743a3213050314bcfe0abffa366fec2abc09434d789bf836bcd b82c549b351a01839d6e3cc9ca60f1aaed2478799f373bcae604b6ede0e0c4e6 bb819890507c80a1cf9e83808d451a00fdae2fb43b1881b3806093bba32c1a8a f8b9bbc15f8697772d577944686a9b9c61547b992d156d0901293b438f359306

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Packed.Razy-7450491-0

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: None	10

Mutexes	Occurrences
frenchy_shellcode_006	10
Global\{259ce387-0d2a-4287-8147-d7e9dfdbdca4}	10

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
79[.]134[.]225[.]121	10

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
jogodo[.]duckdns[.]org	10

Files and or directories created	Occurrences
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5	10
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs	10
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator	10
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat	10
%APPDATA%\None	10
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\catalog.dat	4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bin	4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\storage.dat	4

File Hashes

06b47808b96d08f6ef2089ff0d8eed4a9d448d5e6ebc4fe86321cfaecb774bc0 0815f50eb9877530cdcc6a30e551772d0c4807e2105e7cc5ecd3b510d7d3a019 0950e389cce1b3be7140f1a9ba2ddd6a677fda7fb50020bfc15d80b9aac8ccec 7e0c1895e8a080c7db4faca83b354d5af326920ce4534658e0c947f61328b468 a3bcf7816ef93cacc688c6b7bebac3b46d6826c85cfd215d5da279af11e509ae cf37f002c857a43c1d45189a68368ed643dc506c0260f4fe436d12e4e2b2d22d d2cf31b477c11ba5cb39a341fc7bedddbf1a7ec9541b105bab8e0022849a88c9 dc0714b70cb172c05ccb08424163e8932add81a498b55a556feb706cb80ffc13 f2d9a6acc6b09b4027dc558a268036a1213deecefae9952670bff42a481daaba f8a661f4823d529c13c7e2698f67aa3a00ed9a27f59e810b75cb4ead41dc3cf2

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Dropper.NetWire-7454096-1

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: task	25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: Registry Key Name	25
<HKLM>\SYSTEM\CONTROLSET001\ENUM\SW\\ASYNCMAC Value Name: CustomPropertyHwIdKey	1

Mutexes	Occurrences
-	25
KYIMEShareCachedData.MutexObject.Administrator	8
KYTransactionServer.MutexObject.Administrator	8

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
85[.]206[.]175[.]225	25

Files and or directories created	Occurrences
%TEMP%\~$BOSCH.xlsx	25
%TEMP%\Install\Settings.ini	25
%TEMP%\BOSCH.xlsx	25
%TEMP%\Install	25
%TEMP%\Install\EXCEL.exe	25
%TEMP%\Install\EXCEL.vbs	25

File Hashes

04e12a8dcf9e8f041cf1b5b7f8f48a832df5fd607bf810fb28933fbc188a8c4b 0d9bedadc3e9edbc3b84c20a651d1e0a23609e4a7f039ec36c67276e90eed205 13047457fd3aca8c5d0ce5f165ea513cbdcd128a4e0de5b7322b895e1188f680 13a210e2e5527d08b6018f2463056f1d31011ed10e696b26e10482a4b09045f6 1e4e92c1d2b131e7710726282a014c014089a61bf93f7bd27b0689e4faef0d92 23804d31eb2d20e90df50559281008425b584a77fad856dce360400292bc6a80 291b26c6629d51d69e7856d22f80202b7a97f0a0f364adab27f16006e77d2df2 2e8e1ad0e72ecfc4cef418a8bc25095c4b0893a561c446a6aa1b8fe56c780d8c 36115f2ed9027f14643f000815ec615d44b97e3fb5c14cc0b67fcb9e784d3bda 3ad37750ccdb9ce0a82997c591d7842d9cee5722fc03219d0cf51f6cf7ddcc00 541e9bb6c2ff220ba15fd731000327f54ca8eae9e3df4d3e4193f50bf4f5f63b 5bf1aead7b5e89d92227d0e1daa019c0927de54faad212c35775d79f1c7b5d39 5f738f026c6f20f0d7ea5808ce96f14dbcb21f47b7b98d60e577a09d43d69071 6626bc4952d2a8cf839a47a4ada71ae877b7b89ac230821d9f5f17462eef4f4c 68252e2eb44e02032d53c42fe4b4c3ed6b8773f60aa78ebb7e6d34ee51ad32bc 68aaa21c0a7e40ba3bbc90abd3d9dd259d6c21d354d219b91ccd61e5c3b52089 68fe9505234da0d57d8a6c4898a1948574698fd5d5ddd9222efad0018d3adf3c 6fca62b51ce59dbf722f5f7d242f26c09b7b02cebde3d9b8db7feacc9d76da1a 7697945d1d3d95f66f3337329d8142f709fd153ead6ac8adfce7975b8572ad04 79a505ca4c4497351ee7cdd599212bf22979421f1055527bc11797d49b8ab907 7a291dffa29a8ca2f094af686ba0c8ceff4d432d10e601273f8b9a8779899e48 88edc5c751377aaf23028562d4a979ff2ca95b61d3d128fa42b64e68e42e20b2 895c0c05ba64cbf70bc8a9587194497b3c93f53cb9e17edcaf7d506a1f58b195 8bd10e751e7df59c1ba91a71bbeadbe5dfa12cb75d0fc7fdf65007703745e31c 8f7abac012c0016d87e3f40e14cdae185193aa8a6bfcb3810c010eab9ec495c6

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Trojan.Tofsee-7450732-0

Indicators of Compromise

Registry Keys	Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES	16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>	16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type	16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start	16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl	16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName	16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64	16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName	16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description	16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1	16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0	16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2	14
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3	14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ImagePath	12
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config4	8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\exlrqyet	2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\athnmuap	2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\tmagfnti	2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\xqekjrxm	2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\gzntsagv	1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\ibpvucix	1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\jcqwvdjy	1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\piwcbjpe	1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\buionvbq	1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\slzfemsh	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
69[.]55[.]5[.]250	16
43[.]231[.]4[.]7	16
85[.]114[.]134[.]88	16
239[.]255[.]255[.]250	14
46[.]4[.]52[.]109	14
192[.]0[.]47[.]59	14
64[.]233[.]186[.]26/31	14
173[.]194[.]66[.]26/31	14
46[.]28[.]66[.]2	14
78[.]31[.]67[.]23	14
188[.]165[.]238[.]150	14
93[.]179[.]69[.]109	14
176[.]9[.]114[.]177	14
67[.]195[.]228[.]110/31	13
98[.]136[.]96[.]76/31	13
67[.]195[.]204[.]72/30	13
104[.]44[.]194[.]232/30	12
98[.]136[.]96[.]74/31	12
172[.]217[.]197[.]26/31	12
98[.]136[.]96[.]92/31	12
172[.]217[.]10[.]67	11
209[.]85[.]202[.]26/31	11
188[.]125[.]72[.]74	11
213[.]205[.]33[.]61	10
65[.]55[.]37[.]104	10

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa	16
microsoft-com[.]mail[.]protection[.]outlook[.]com	16
schema[.]org	14
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org	14
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org	14
mta5[.]am0[.]yahoodns[.]net	14
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net	14
whois[.]iana[.]org	14
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net	14
whois[.]arin[.]net	14
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org	14
hotmail-com[.]olc[.]protection[.]outlook[.]com	14
irina94[.]rusgirls[.]cn	14
anastasiasweety[.]rugirls[.]cn	14
mx-eu[.]mail[.]am0[.]yahoodns[.]net	13
mx-aol[.]mail[.]gm0[.]yahoodns[.]net	13
coolsex-finders6[.]com	13
ipinfo[.]io	12
aol[.]com	12
eur[.]olc[.]protection[.]outlook[.]com	11
www[.]google[.]co[.]uk	11
msn-com[.]olc[.]protection[.]outlook[.]com	9
web[.]de	9
mx[.]xtra[.]co[.]nz	9
xtra[.]co[.]nz	9

*See JSON for more IOCs

Files and or directories created	Occurrences
%SystemRoot%\SysWOW64\config\systemprofile	16
%SystemRoot%\SysWOW64\config\systemprofile:.repos	16
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>	16
%TEMP%\<random, matching '[a-z]{8}'>.exe	16
%HOMEPATH%	11
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)	11
%TEMP%\gidjcpz.exe	1

File Hashes

0d55086e8221871f10f204087a165112434c8db294fbedfaa6de7d2a11b55943 2b069b741778d0e16246f7a2da8738b6b21e8004cb713efc8ce845b37fc94478 2d3fbb1b7d4da1af0e07fa6fd11f1e946815ce39b3b63fdf299e4acaa9d92ff1 2e02f61e0a99dceab6e026e2e9efb9dcd2466e41e56f3f659f0ee1a4670d502d 59dcd52b18a4badf7803940e05842a52b6af9fa95fdb2ddee26145d6a393c277 60d0cdba9b81f58e4f926e1bbe357d7415771f42819acb79fa4d02313fdac8b9 886ff6f03c5e0a77cf10cbd1461e1ee666901cfdfe26854610b9deef5450bf00 8d9142db7706f1be42d3d048cea675ca6caa5dffd562595124f4e5c95771480a 9403677dc99940afcced72ed29b04a0434417883d929164d279606e9df4fe1db 94568d7086b812c0017455b1d05968726ffd137d8831ddb607fbae5d454ed073 9af4c0927e3565f27e96a8b7fb26ff0ea2d22f6f2a0bd0c6de9f993378024791 a76e2be2b3730324299bd32c7da5a04f494f79a69aeab9649aa53984c852e49a b926e4920a7b454553f73565ce89023af72ae4b6720da4110eb7fa85ff0310bf cbd7701ebc908b3ab059a9d83a3be110e8f63b0e005a41d5e0788044a65f6a14 d9520acee8a753230b372d725a3d4ba4d3caf27fd1eee7d8a8c9779424f2c077 fd1d5902802ada2adc69f071535b1523e2e3580ec2ea960e03a875687913d5de

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Doc.Downloader.Sagent-7454309-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	30
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyEnable	12
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyServer	12
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyOverride	12
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoConfigURL	12
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoDetect	12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA	10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Type	10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: Start	10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ErrorControl	10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ImagePath	10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: DisplayName	10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: WOW64	10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA Value Name: ObjectName	10
<HKCR>\LOCAL SETTINGS\MUICACHE\23\52C64B7E Value Name: LanguageList	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: DisplayName	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: WOW64	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TITLEHANT Value Name: ObjectName	2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-102075206B43}	2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-102075206B43}\2.0	2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-102075206B43}\2.0\FLAGS	2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-102075206B43}\2.0\0	2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-102075206B43}\2.0\0\WIN32	2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{C4EDCADC-BC75-481F-8A5F-102075206B43}\2.0\HELPDIR	2
<HKCR>\TYPELIB\{C4EDCADC-BC75-481F-8A5F-102075206B43}	2

Mutexes	Occurrences
Global\I98B68E3C	10
Global\M98B68E3C	10
Global\IC019706B	2
Global\MC019706B	2
Global\SyncRootManager	2
Local\C9E8AF12-FA27-4748-EC04-38CA71239739_RegisterDevice	2
Global\RecentDocumentsUpdate	2

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
100[.]104[.]45[.]107	18
100[.]127[.]143[.]246	18
100[.]109[.]114[.]19	18
100[.]79[.]213[.]246	18
100[.]67[.]20[.]29	18
150[.]95[.]16[.]71	12
113[.]61[.]76[.]239	12
111[.]125[.]71[.]22	12
80[.]11[.]158[.]65	10
173[.]255[.]214[.]126	6
169[.]254[.]255[.]255	2
74[.]202[.]142[.]71	2
96[.]126[.]121[.]64	2
77[.]90[.]136[.]129	2
69[.]28[.]91[.]207	1
200[.]38[.]35[.]102	1
96[.]127[.]149[.]2	1
107[.]190[.]137[.]130	1
191[.]252[.]112[.]194/31	1
200[.]58[.]123[.]102	1
98[.]142[.]107[.]242	1
138[.]128[.]170[.]234	1
65[.]99[.]252[.]200	1
190[.]8[.]176[.]37	1
67[.]217[.]34[.]70	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
hontam[.]net	30
powayhomevalues[.]com	18
gongxu[.]gfbags[.]com	18
sabrespringshomevalues[.]com	18
1localexpert[.]com	18
smtpout[.]secureserver[.]net	2
smtp[.]prodigy[.]net[.]mx	2
mxa[.]web-hostingmx[.]com	1
mail[.]prosyde[.]com	1
mail[.]ledneonchile[.]cl	1
mail[.]vieracruz[.]com	1
bestsol[.]pe	1
mailserver[.]dtctty[.]com	1
mail[.]alcorsa[.]com[.]gt	1
mail[.]imelsa[.]cl	1
mail[.]jacto[.]com[.]ar	1
lucanodotaciones[.]com	1
mail[.]adevpa[.]com	1
smtp[.]hidroil[.]com[.]ar	1
mail[.]mpcsa[.]com[.]mx	1
mail[.]amadisa[.]com	1
mail[.]confirmeza[.]com[.]co	1
mail[.]inmediprest[.]com[.]mx	1
mail[.]nueratelecom[.]net	1
mail[.]insurcol[.]com	1

*See JSON for more IOCs

Files and or directories created	Occurrences
%HOMEPATH%\223.exe	30
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	10
%System32%\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx	2
%System32%\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx	2
%System32%\winevt\Logs\Microsoft-Windows-NcdAutoSetup%4Operational.evtx	2
%System32%\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx	2
%System32%\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx	2
%System32%\winevt\Logs\Microsoft-Windows-TZSync%4Operational.evtx	2
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms	2
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\a4a5324453625195.automaticDestinations-ms	2
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms	2
\TDLN-2060-41	2
%LOCALAPPDATA%\TileDataLayer\Database\EDB.log	2
\Device\NamedPipe\Sessions\1\AppContainerNamedObjects\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742	2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows	2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History	2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache	2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters.dat	2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	2
%APPDATA%\Microsoft\Windows\Recent\TEMP.lnk	2
\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8	1
%TEMP%\CVRB4F.tmp	1

*See JSON for more IOCs

File Hashes

08214f8f4d27bc90013b2403d515dadfe992e48b104fd2748ae28b4e37c2ddd6 1bf23d80114b94336235bc3b83960f4bcecd4478effa98b92536c1e907bb70b8 26485f44831ed89fabdf3773fd36709e78b560139836a17d784ee84493e6f021 3324b01c88474616fd9701d13708f6c9ff2d2125ed14e7983ae72ea1c5a5edf2 33b3b2a6c822fa356cc251c03b4e25f5a082a126a6d10717a312436250d6682e 3528140e6db34bde7280f4284122fb7190a4606ac61a4030f91504e4a962cb93 38589a48cab122fb15dc5efa82ae023b8b467a99e60c3c183772dc3d58bd43c5 4e1659700f1d599197f6bbe2330e7c91d87578fe23bfe082dce719f6e5372e0c 4f9954159f29d6292d48986cd0ab71952357c48738dda7f59798c66241514ae9 549fa8564e7e677601d557509c9f44336cc07a8c92949cd4928017ade6c072f4 660c09d1e5ae736de0b1fea0ee93040d0240567fe7254953cd8644bb0b2e49f6 664166554198691ddfb441ac33b12f12e5d14e36b0fb5c09d35ee04bd6d68ca2 6661a70c61b67a87302e04706ff07bcb12328d74bf1d8c7c0075d3edeb8064dc 765ba4ac4d0a2d99916dc9b0e844a669c4b5c5217068741c66216d9b291cea10 899e4dff369309ab4c7c5a466dbcf642bce9788307a75efe8371cc1087714eaf 9c1d3857fa6c1dfee066d46f1ce467429e26d020036019b57e9e87aa2f8fc2ab a2717826ba6ed1d778ef8d7585ddae5c1e076da3d9cfaa9c5c8247c3c4f33ccb aa33bd6b5ac85cb8d3a4d7e511b8c513ad22f7e6b130a456e23a2d07aa89304a b35cf729a7cbf201c9b3682441e6edf65031fee775412e9887c751c1add6d3b3 b48575d226d564c2fb7235f4962d1b29e6152dcdab262157bed79c2a02f11157 c894fbda9027f90b827efebd981c2326d8761e843e5e633990bdc756240087e7 d03bed2bf79256ad1c94c6c66570e35ab54943ba921bdf295c2d0c5d12e7e982 d4b9a89ae01db11a9adf508ed1777327145eb205404a1df5020919c19068d4e0 e5c52d8f0bbb10dff3dcb0c7d055fdc5d856e8e9b2805a1560681f383c679b72 e80c5f3eeb9d4cea62abe90a95e27b1c04ee7b02bf021e11cf9da956485c0bea

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

---

Win.Malware.Gandcrab-7454521-1

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Value Name: Blob	22
<HKCU>\SOFTWARE\KEYS_DATA	22
<HKCU>\SOFTWARE\KEYS_DATA\DATA	22
<HKCU>\SOFTWARE\KEYS_DATA\DATA Value Name: public	22
<HKCU>\SOFTWARE\KEYS_DATA\DATA Value Name: private	22
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Value Name: Blob	21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST Value Name: C:\Windows\system32\rundll32.exe	2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\FROSTDM	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\FROSTDM Value Name: Impersonate	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\FROSTDM Value Name: Asynchronous	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\FROSTDM Value Name: MaxWait	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\FROSTDM Value Name: DllName	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\FROSTDM Value Name: Startup	2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: frostdm	2
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'>	2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: webappsstore.exe	1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: bookmarks-2017-10-03.exe	1
<HKCU>\SOFTWARE\MICROSOFT\IRIF Value Name: Pyursy	1
<HKCU>\SOFTWARE\MICROSOFT\KUWY Value Name: Naember	1

Mutexes	Occurrences
Global\8B5BAAB9E36E4507C5F5.lock	22
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A	10
A9ZLO3DAFRVH1WAE	2
AhY93G7iia	2
B81XZCHO7OLPA	2
BSKLZ1RVAUON	2
F-DAH77-LLP	2
FURLENTG3a	2
FstCNMutex	2
GJLAAZGJI156R	2
I-103-139-900557	2
J8OSEXAZLIYSQ8J	2
LXCV0IMGIXS0RTA1	2
MKS8IUMZ13NOZ	2
OLZTR-AFHK11	2
OPLXSDF19WRQ	2
PLAX7FASCI8AMNA	2
RGT70AXCNUUD3	2
TEKL1AFHJ3	2
TXA19EQZP13A6JTR	2
VSHBZL6SWAG0C	2
chimvietnong	2
drofyunfdou	2
kliaduosix	2
limdouxdaz	2

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
93[.]125[.]99[.]121	22
185[.]135[.]88[.]105	22
146[.]66[.]72[.]87	22
87[.]236[.]16[.]31	22
217[.]160[.]0[.]234	22
69[.]73[.]180[.]151	22
171[.]244[.]34[.]167	22
217[.]174[.]149[.]130	22
178[.]238[.]37[.]162	22
179[.]188[.]11[.]34	22
89[.]252[.]187[.]72	22
77[.]104[.]144[.]25	22
202[.]43[.]45[.]181	22
217[.]160[.]0[.]27	22
92[.]53[.]96[.]201	22
213[.]186[.]33[.]3	22
50[.]87[.]58[.]165	22
77[.]104[.]171[.]238	22
194[.]154[.]192[.]67	22
204[.]11[.]56[.]48	22
23[.]236[.]62[.]147	22
213[.]186[.]33[.]5	22
217[.]70[.]184[.]50	22
52[.]58[.]78[.]16	22
66[.]96[.]147[.]103	22

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
big-game-fishing-croatia[.]hr	22
www[.]lagouttedelixir[.]com	22
www[.]himmerlandgolf[.]dk	22
zaeba[.]co[.]uk	22
bellytobabyphotographyseattle[.]com	22
www[.]wash-wear[.]com	22
www[.]poketeg[.]com	22
boatshowradio[.]com	22
www[.]perfectfunnelblueprint[.]com	22
perovaphoto[.]ru	22
www[.]cakav[.]hu	22
goodapd[.]website	22
www[.]ismcrossconnect[.]com	22
www[.]fabbfoundation[.]gm	22
alem[.]be	22
cevent[.]net	22
mauricionacif[.]com	22
cyclevegas[.]com	22
oceanlinen[.]com	22
6chen[.]cn	22
koloritplus[.]ru	22
asl-company[.]ru	22
www[.]krishnagrp[.]com	22
test[.]theveeview[.]com	22
picusglancus[.]pl	22

*See JSON for more IOCs

Files and or directories created	Occurrences
%HOMEPATH%\ntuser.ini	22
%APPDATA%\Microsoft\Media Player\KRAB-DECRYPT.txt	22
%HOMEPATH%\AppData\KRAB-DECRYPT.txt	22
%APPDATA%\KRAB-DECRYPT.txt	22
%APPDATA%\Media Center Programs\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Credentials\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Internet Explorer\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\Managed\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\User\Document Themes\1033\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\User\Document Themes\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\User\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\KRAB-DECRYPT.txt	22
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\KRAB-DECRYPT.txt	22

*See JSON for more IOCs

File Hashes

0682b36ae0be779eb1ad4d3e0d8958a08ad8e044609a6cee5af314ed4d94f237 0c7d85f6f2e1e16ca7bef272edffdb0d513ce0f050347578600cdac206e048bd 1483d05311d9c544e404bf3b35e1bc80a154dd9b5d9757a24b99569cc5ddf680 17133d42590782a30f8464c7446d6a202299daf3cf8391ea40883d17e9d367ed 17ef571b3e2bbbb215ebfb291a1a4c17169a7a5ff0720718720eadacd4500830 1d69bee79a17d872422f9aada2d4b4ee4c048a8932ef50885c9d327cf225af4c 20cf2009ca1e7155b428ae8c76ab0baf7196aaa4c0d2bb7b9aa452a595d4a3ac 2135b77151f05d56f91a8c652edaf6b7a28ae26300b1550b5d28672131aee95e 245efbc6f214ff0d5726c671b51ba0569edf83666c557152b54c494821bc0a7f 2481c8679ec7110d1811fd1578862b9f1b7439c1d818bd4102ebe31cb7e706c7 27b4c02d76cf9845056d456244cd093d86880101f4f6971323814a5eabc7e7b0 292ba930f72bbfa23dab563c3f35ec157a0374b8b3f34f122c6a5997a3daa81b 318cff626b73c4508e9860b2d9ad8a5b53f93637a9a4b9b21cec27c0dde10dcf 37bf027ea0235e19e6d72597c45721c99b9ec619982f7d948e8ddfa2742ef6ae 39eb43c190b49a55de56873a0947d32177bb183791d1f696ff102f75c9b1dca2 3debcef78d8f77548491144e69fde1d89f7b5392b09b1b51f4df061aa622c706 420fe4c2431f23d3a7c4044cdcb71d434daded7c127da6fd1a150c322dcde5e4 670cba74908e2755ace9382cbbd26016fa4c66d7794958fe2d51530100aaaa2a 6a6bc4b3e2c460141981ba83a3a933e35adddc4814a3ffca8e329a5c63a149b8 708bf234cb01321625bf94fd58ece8719ce405b0f0895c59b9a1634b532b6307 73aeb522487874825cbe13567a86280273f90b8a4ee2367f758f393fc24a406e 77b0e7632645006d4a456b314a1899c6c0aba73dcaf74cdbe91bf946c7c9ea98 7a8a1c55a55adfea28a36ef6b6c4836990d62dfb941dfe3ba68e6c32fe7d9874 7dd4779ce5a53500c292236d9b9b062c99cec62ef118aae15a752362fd4e0358 87182baddbc7e1915abd036980c7554a7ee4f7281055772fd851ce67284a6616

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.HawkEye-7455512-1

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden	8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Update	6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Registry Key Name	1

Mutexes	Occurrences
3749282D282E1E80C56CAE5A	6

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
104[.]16[.]155[.]36	5
82[.]221[.]130[.]149	3
104[.]16[.]154[.]36	3
208[.]91[.]198[.]143	2
204[.]11[.]56[.]48	1
23[.]94[.]43[.]90	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
whatismyipaddress[.]com	8
www[.]macniica[.]com	4
smtp[.]vivaldi[.]net	3
us2[.]smtp[.]mailhostbox[.]com	2
smtp[.]believelogs[.]com	2
www[.]swift-be[.]com	1
smtp[.]umcship-tw[.]com	1

Files and or directories created	Occurrences
%APPDATA%\pid.txt	8
%APPDATA%\pidloc.txt	8
%TEMP%\holdermail.txt	8
%TEMP%\holderwb.txt	8
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp	8
%APPDATA%\D282E1	6
%APPDATA%\D282E1\1E80C5.lck	6
%APPDATA%\WindowsUpdate.exe	6
%TEMP%\subfolder	1
%TEMP%\subfolder\filename.exe	1
%TEMP%\subfolder\filename.vbs	1

File Hashes

1cb99e6bb3f83d21bc06877531beb9bc652e311a5e49747062bbef5c5501cc70 2701a8daf4384bd6842ef6bb2bfc4c0418b204dfce07ef69b251a2c5de593e01 4688f2885e00eea958abbc479e875708c6e9f2347cb9ef5af4e8881c9b3b8439 525dae4004eed37854b1a6ce2046280a3c1d14f9d79c34447a6bf297d3313dca 6ac5e9684bd5bad7070d674da4786eee6827f5d88bd076aa0dc7f7d734d666e3 7036562647bece05ea15c2b3bea5ab4b40c3a965a5272d3a24dcb7af8930d8a5 75f3b9c29533c3b67b040a211d9acc2860ce3f224200d5985b69319210478fb4 7d494230588aedf9bb8700105b6c5cf2383efa5dda79daa3752f9f13b92dad2c a306d0e9ba34a447d09b932a9ab125406872672212534e9aeb3a9d81338ff4d0 af7ff1a7242dbd0d142c03bfe23fd84f24b5dce494cca6545a6409548ae09c9e c24a1e52447710a56f0e1de99401197fd2abebaa15c18de7aa0fa9548d7b15c5 c79783e0d3330fc51bcc92714e8663234c7443ad9245046a5072685c9fa6a86f ceec143cb503f31efadadc2ca82cb74d52b08566ddde6bcba26da248d0fadb20 e52e3ffeb93c7794f2631ee2d9ac0dace29c1be8b4e0723db344879b23e9cfe4

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (24210)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Process hollowing detected - (295)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Kovter injection detected - (161)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Gamarue malware detected - (143)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Installcore adware detected - (112)

Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

Dealply adware detected - (98)

DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Excessively long PowerShell command detected - (89)

A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

Special Search Offer adware - (45)

Special Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.

Reverse http payload detected - (26)

An exploit payload intended to connect back to an attacker controlled host using http has been detected.

Corebot malware detected - (25)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

Cisco ASA DoS bug attacked in wild

December 20, 2019, 11:33 am

≫ Next: Vulnerability Spotlight: Two buffer overflow vulnerabilities in OpenCV

≪ Previous: Threat Roundup for December 13 to December 20

$

0

0

By Nick Biasini.

  

Cisco Talos has recently noticed a sudden spike in exploitation attempts against a specific vulnerability in our Cisco Adaptive Security Appliance (ASA) and Firepower Appliance. The vulnerability, CVE-2018-0296, is a denial-of-service and information disclosure directory traversal bug found in the web framework of the appliance. The attacker can use a specially crafted URL to cause the ASA appliance to reboot or disclose unauthenticated information.

This vulnerability was first noticed being exploited publicly back in June 2018, but it appeared to increase in frequency in the past several days and weeks. As such, we are advising all customers to ensure they are running a non-affected version of code. Additionally, we want to highlight that there is a Snort signature in place to detect this specific attack (46897). Concerned customers should ensure it is enabled in applicable policies that could detect this exploitation attempt.

Am I vulnerable?

Since this vulnerability lies in the web framework of the ASA/Firepower, not all appliances are affected. If an administrator wants to determine if they are vulnerable, there are a couple of commands that can be run to determine your risk. First, run the following command:

show asp table socket | include SSL|DTLS

If the command shows any listening sockets, then the potential for exploitation exists. The next step is to determine if the vulnerable process is running. That can be achieved by running the following command:

show processes | include Unicorn

If the process is shown as running, the likelihood of a vulnerability existing is elevated and the administrator should validate the running version of code on the appliance to determine if it is one of the affected versions listed in the advisory. If it is listed, then updating to a non-affected version is the most effective mitigation.

Conclusion

This isn't a new vulnerability, but as exploitation continues to increase, customers need to be aware of the risk of both a denial-of-service or unauthenticated information disclosure. Additionally, as we head into the holidays, people take time off, but adversaries do not. Customers should validate if they are vulnerable as soon as possible and plan the appropriate patching/mitigations strategies as necessary to minimize both risk and impact to the organization.

Vulnerability Spotlight: Two buffer overflow vulnerabilities in OpenCV

January 2, 2020, 2:44 pm

≫ Next: Beers with Talos Ep. #69: 2019 Threat Recap - RATs, Turtles, and Worms, Oh My!

≪ Previous: Cisco ASA DoS bug attacked in wild

$

0

0

Dave McDaniel of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruptions and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org.

OpenCV is used for numerous applications, including facial recognition technology, robotics, motion tracking and various machine learning programs.

In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenCV to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

OpenCV XML persistence parser buffer overflow vulnerability (TALOS-2019-0852/CVE-2019-5063)

An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV 4.1.0. A specially crafted XML file can cause a buffer overflow, resulting in multiple heap corruptions and potential code execution. An attacker can provide a specially crafted file to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

OpenCV JSON persistence parser buffer overflow vulnerability (TALOS-2019-0853/CVE-2019-5064)

An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV, version 4.1.0. A specially crafted JSON file can cause a buffer overflow, resulting in multiple heap corruptions and potentially code execution. An attacker can provide a specially crafted file to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version OpenCV, version 4.1.0 is affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 50774, 50775

Beers with Talos Ep. #69: 2019 Threat Recap - RATs, Turtles, and Worms, Oh My!

January 6, 2020, 3:00 pm

≫ Next: Continued Escalation of Tensions in the Middle East

≪ Previous: Vulnerability Spotlight: Two buffer overflow vulnerabilities in OpenCV

$

0

0

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 69 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Dec. 20, 2019 

In a shorter year-end EP, we take both a look back and a look forward. It seems everyone else wants to break out the crystal ball this time of year and prognosticate the coming year’s threat landscape. We don’t have one of those, so we used a Magic 8-ball, but we’re pretty confident the results are as-good or better. Most of this EP is dedicated to going through the notable security events of the past year. We take a look at the lasting effects and lessons learned from 2019’s biggest threats.

The timeline:

• 00:50 — Roundtable - Security Fortune Telling. Break out the magic 8-ball!
• 05:50 — Old ASA bug resurfaces, apply the patch from 2018 please. 
• 09:00 — 2019 notable security events: RATs, and sea turtles, and blue worms, oh my!
• 34:40 — Closing thoughts and parting shots

Some other links:

• (Talos blog) ASA DoS bug attacked in wild
• (Talos blog) 2019 The year in malware

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

Continued Escalation of Tensions in the Middle East

January 8, 2020, 2:50 pm

≫ Next: Vulnerability Spotlight: Remote code execution vulnerability in E2fsprogs

≪ Previous: Beers with Talos Ep. #69: 2019 Threat Recap - RATs, Turtles, and Worms, Oh My!

$

0

0

Cisco Talos works with many organizations around the world, monitoring and protecting against sophisticated threats every day. As such, we are watching the current state of events in the Middle East very closely for our customers and partners who may be impacted by the ongoing situation. We are continuing to evaluate potential threats and attack vectors, especially related to critical infrastructure and high-profile businesses and industries.

A challenge with protecting against state-sponsored campaigns is that the primary and ideal targets are potentially already compromised, either by a specific adversary or their allies who would be amenable to acting on their behalf. In previous research, Talos has observed footholds like this that can go undetected for extended periods, waiting to be modified remotely to exact a variety of potential malicious activities.

It may be difficult for primary target organizations to detect activity and defend themselves at the perimeter. Hopefully, they have employed a layered defense, which should include two-factor authentication, network segmentation and endpoint protection.

Of course, the potential also exists for the adversary to move away from a targeted maneuver to more broadly focused disruptions that could incorporate a much wider array of businesses and even consumers. This means that everyone should view this as a wake-up call — shore up defenses, update/patch your devices and focus on cyber hygiene. Employ authentication everywhere, beware of suspicious links, emails, etc. — phishing/credential theft continues to be popular among attackers. Every business should at least take a second look at every strange thing they see — don't ignore anomalous activities, take the time to see if there is something nefarious at the end of the tunnel.

While prior campaigns in the region have heavily relied on wiper malware, this is no guarantee that future campaigns will continue this trend. At times like this, vigilance is key.

Campaigns

According to US-Cert, Iran has been an active adversary since late 2011 and has been responsible for a series of attacks including some large-scale distributed denial-of-service attacks against financial institutions, infiltration of a dam in New York state, and the destructive attacks against targets regionally and globally, including the large-scale Shamoon campaigns and the recent ZeroCleare wipers. They have also conducted a series of espionage campaigns against universities and companies to steal research, proprietary data, and intellectual property.

Additionally, Talos has found several large-scale campaigns based in the region that have included attacks against DNS infrastructure and those leveraging watering hole and social engineering techniques. Since the actors are active in the region DNSpionage, Muddywater, and Tortoiseshell will be included in the coverage list below.

The breadth and variety of both the attacks and the techniques shows the capabilities of the adversary. Apt33/34 Actors have not only attack traditional targets for espionage but have shown an interest in attacking critical infrastructure with the dam attack and have shown a willingness to be destructive in their activities. Actors in the region have also shown a willingness to attack some of the critical components of the internet, most notably DNS. These things combined make for a dangerous adversary that is operating during heightened tensions. As such we are providing a list of the ways that we cover these various attacks and a series of IOCs for organizations to be aware.

In-the-wild activities

We are continually assessing the threat landscape and the activities and actors currently operating. Based on the indicators we have been analyzing our telemetry sources to see if we have noticed any noticeable increases in activity that could be attributable to middle eastern actors. At this point, we do not have any indication that these activities have increased. However, this is an ongoing investigation and this could change at any moment.

Part of the process involved leveraging the mapping US-CERT had undertaken linking the APTs tactics, techniques, and procedures (TTPs) to the associated techniques on the MITRE ATT&CK™ matrix. Keep in mind these are generic techniques not associated with a single actor or nation state. Those organizations that have incorporated the ATT&CK framework should be able to map these techniques to the mitigation and detection strategies already in place. The techniques are listed below, for more details on the way that Cisco Talos maps related Mitre ATT&CK techniques to Cisco detection technologies, see this document.

• Credential dumping
• Obfuscated files or information
• Data compressed
• PowerShell
• User execution
• Scripting
• Registry run keys/Startup folders
• Remote file copy
• Spear-phishing link
• Spear-phishing attachment

Coverage

Additional ways our customers can detect and block this threat are listed below, please note that at the bottom of this document there is a more specific list of signatures and IOCs associated with campaigns and are labeled accordingly.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

ZeroCleare
Snort
52572-52581

ClamAV
Win.Malware.ZeroCleare*

SCAR Trojan
ClamAV
Win.Trojan.Scar-7509404-0
Win.Trojan.Scar-7509405-0

MagicHound malware
Snort
Sids: 36579, 36580, 41656 - 41659

ClamAV
Win.Trojan.MagicHound-5859368-0
Win.Trojan.MagicHound-5859367-0
Doc.Dropper.MagicHound-5859115-0
Doc.Dropper.MagicHound-5859369-0
Win.Trojan.MagicHound-5859366-0
Win.Trojan.MagicHound-5859365-0

Shamoon
Snort
23903, 23893, 23905 - 23933, 24127, 40906

ClamAV
Win.Dropper.DistTrack-*
Win.Trojan.DistTrack.*
Win.Malware.DistTrack.*

ThreatGrid
Shamoon Malware Detected

AMP Cloud IOCs
W32.Shamoon.ioc
W32.RawDiskDriverUse.ioc

CVE-2018-20250
Snort
49289 - 49292

ClamAV
Win.Exploit.CVE_2018_20250-6869547-0
Win.Exploit.CVE_2018_20250-6869546-1

Tortoiseshell
ClamAV
Win.Dropper.Tortoiseshell*
Win.Trojan.Tortoiseshell*

DNSpionage
Snort
48444, 48445, 50348 - 50355

ClamAV
Xls.Dropper.DNSpionage-6773417-0
Win.Malware.DNSpionage-6759811-1
Win.Trojan.DNSpionage-6975387-0

MuddyWater/Blackwater
Snort
48859, 48860

ClamAV
Doc.Dropper.Agent-6935014-0
Doc.Dropper.Agent-6899904-0
Doc.Dropper.Agent-6961195-0
Doc.Dropper.Agent-6918391-0
Doc.Dropper.Agent-6964920-0
Doc.Dropper.Agent-6932616-0

MacDownloader
Snort
41661 - 41663

ClamAV
Osx.Downloader.MacDownloader-5781857-0

Other (Indicators Not Linked to Specific Campaigns)

ClamAV
Win.Trojan.Turnedup-6598671-1
Win.Trojan.Hacktool-6478864-0
Win.Trojan.Lazagne-6779429-0
Rtf.Exploit.CVE_2017_11882-6584355-0

Indicators of Compromise (IOCs)

Hashes and Associated Campaigns:

WateringHole
afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77
7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6
9e5ab438deb327e26266c27891b3573c302113b8d239abc7f9aaa7eff9c4f7bb
8c8496390c3ad048f2a0a4031edfcdac819ee840d32951b9a1a9337a2dcbea25
5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902
acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a
7e3c9323be2898d92666df33eb6e73a46c28e8e34630a2bd1db96aeb39586aeb
165f8db9c6e2ca79260b159b4618a496e1ed6730d800798d51d38f07b3653952
55f513d0d8e1fd41b1417a0eb2afff3a039a9529571196dd7882d1251ab1f9bc
bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361
2df6fe9812796605d4696773c91ad84c4c315df7df9cf78bee5864822b1074c9
8f6f7416cfdf8d500d6c3dcb33c4f4c9e1cd33998c957fea77fbd50471faec88
4442c48dd314a04ba4df046dfe43c9ea1d229ef8814e4d3195afa9624682d763
02f2c896287bc6a71275e8ebe311630557800081862a56a3c22c143f2f3142bd

Win.Dropper.Distrack/ZeroCleare
36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c
2a2a32a7e820e4a15abc96491cb3345161e189d6eaf02b62e2f86aac2c7d6c3d
cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986
2fc39463b6db44873c9c07724ac28b63cdd72f5863a4a7064883e3afdd141f8d

W32.Disttrack/Shamoon

5a2f540018ca7c012a5d674bd929a0f38bf458043d4eeade1e2cdef94aab5eb8
b1c061138ba0cf34ba1dfb84e8ca89336d2a530808b42c363a69abfd6db8bf2a
052f0eb5986e92afc5460eafec293f805851cf2a98bdd2d2aed97eec6c7946a9
448ad1bc06ea26f4709159f72ed70ca199ff2176182619afa03435d38cd53237
735bf8c41e876a82815479f1e22155d0a2a47724b6f3d912c0bb995d10f8bcd9
7c7ff63898d59522bed1e4f0f7bd43a92a3167d66593628e040e36f90bfb2e5d
cd3d50629f0ed6b0ffeddd98b8cde57a6d00ec4b7f930f12ae7c0a980a9e9a00
f1710c802ce590bc737eda6d1845f390a7e7d2cf43313c3362768c5f9f94a807
4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400
61e8f2af61f15288f2364939a30231b8915cdc57717179441468690ac32ced54
7b589d45825c096d42bdf341193d3fd8fd9a0bd612a6ebd7466c26a753304df9
1982c011cdea5520a73ea610f46a243ccd768de87c8df4c428ead79840c38bf4
57fb0ec1eb292956a8d5031d6c2d1369acf5745b94a776aa6957e701003078d6
f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72
ef35a54290d96871a860f80a789460ab10e91844a5184489c96a97b810768d29
cebdf768721473789ebe2fe79ffec7c6de0c52433b40fd02e57747f194fe0e80
7709da093dd9722e80c7c552a0935876b8d17ccf9ecc4784cffb1c1bc38dd9c0
c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
66fdb7e7d868346e730113ccb9977ca840c4c337434b5fe517f7b1a858fd8317
7076c1d5c8a56820d87681754880013771fcd743a8e8bae8509e1dc682f82a5b
01e860972e621c1bd6c990d1817ebc0309dd9298f0e0819cc14d2ffcaa1820e7
a37b8d77fdbd740d7d214f88521adec17c0d30171ec0dee1372cb8908390c093
9979678be7b89a9f01c2481ea6f420417e67572f52aad66ae4ccce3c65a7b504
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd
788aca28addbdf2588b160a9471f7421e402f4c6b74dd303a7997be83c9c8768
5902a246ea00defd6371126b352bc3e13432cee18fef427f2ee40a6e0ba995eb
25a3497d69604baf4be4d80b6824c06f1b7120144f98eeb0a13d57d6f72eb8e9
47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34
dbdea08e7b970d395236b8e0aada6fc07fb23e6181485d86f65da1e73ab2ba2e
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b
04ffee9e574ae7aea7963d1f7e7dd9f9851487a743db8c86a866db7cb1b2f4d8
8cccb478de2c92b548f9976799f1b4da1bd8d6f1c821e7b0479b914939560310
d56dbe26887a4bef9b2c8f0d05f4502b80083e62ba3c7299c02e01b9eefeb2e4
4919436d87d224f083c77228b48dadfc153ee7ad48dd7d22f0ba0d5090b5cf9b
5475f35363e2f4b70d4367554f1691f3f849fb68570be1a580f33f98e7e4df4a
c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95
c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f
bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003
0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe
0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03
391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c
ccb1209122085bed5bded3f923835a65d3cc1071f7e4ad52bc5cf42057dd2150
dab3308ab60d0d8acb3611bf364e81b63cfb6b4c1783864ebc515297e2297589
ee084f2c6fd2cc16f613fadd712641b5742489ca87851739dc868b976867858f
36414012564b88b5a2dcded39fc5ed22301ea2ef2f455bf697fa97a5925cb721
101e74ef7a18d3a790f1d30edc7bd9f4ebf0afb2cb85cffcd5710d0a53df77a6
4d4531f0372d4364e3d9b7e6ea13abf241bbc4a4b761f8a2aea67428d0de8d83

w32.Dropper/Filerase
35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b
5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a
d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a
2abc567b505d0678954603dcb13c438b8f44092cfe3f15713148ca459d41c63f

DNSpionage
9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14
15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa
2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec
82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969
45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff

Tortoiseshell
c121f97a43f4613d0a29f31ef2e307337fa0f6d4f4eee651ee4f41a3df24b6b5
2a9589538c563c006eaf4f9217a192e8a34a1b371a31c61330ce2b396b67fd10
55b0708fed0684ce8fd038d4701cc321fe7b81def7f1b523acc46b6f9774cb7b
ec71068481c29571122b2f6db1f8dc3b08d919a7f710f4829a07fb4195b52fac
51d186c16cc609ddb67bd4f3ecd09ef3566cb04894f0496f7b01f356ae260424
41db45b0c51b98713bc526452eef26074d034b2c9ec159b44528ad4735d14f4a
78e1f53730ae265a7eb00b65fbb1304bbe4328ee5b7f7ac51799f19584b8b9d4
46873290f58c25845b21ce7e560eae1b1d89000e887c2ff2976d931672390dd8
f31b5e14314388903a32eaa68357b8a5d07cbe6731b0bd97d2ee33ac67ea8817
f1c05ff306e941322a38fffb21dfdb5f81c42a00a118217b9d4e9807743d7275
1848f51d946fa8b348db8ef945a1ebff33ff76803ad26dfd175d9ea2aa56c7d0
ed150d9f6e12b6d669bcede3b7dc2026b7161f875edf26c93296e8c6e99152d5
2682328bde4c91637e88201eda5f5c400a3b3c0bdb87438d35660494feff55cf
e82a08f1514ccf38b3ae6b79e67d7605cb20b8377206fbdc44ddadfb06ae4d0d

Muddywater/Blackwater
0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad
9d998502c3999c4715c880882efa409c39dd6f7e4d8725c2763a30fbb55414b7
0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2
A3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da981
6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad
Bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6
4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60
576d1d98d8669df624219d28abcbb2be0080272fa57bf7a637e2a9a669e37acf
062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717

Domains:

Note that these domains were associated with previous, historical campaigns
hxxp[:]//intelchip[.]org
hxxp[:]//windowskernel[.]in
hxxp[:]//nameserver[.]win
hxxp[:]//cloudflare-analyse[.]xyz
hxxp[:]//nasr[.]xyz
hxxp[:]//winupdate64[.]com
hxxp[:]//githubapp[.]online
hxxp[:]//clalit[.]press
hxxp[:]//cloud-analyzer[.]com
hxxp[:]//labs-cloudfront[.]com
hxxp[:]//winupdate64[.]us
hxxp[:]//alkamaihd[.]net
hxxp[:]//fbcdn[.]bid
hxxp[:]//onlinewebcam[.]press
hxxp[:]//cachevideo[.]xyz
hxxp[:]//mswordupdate16[.]com
hxxp[:]//digicert[.]xyz
hxxp[:]//fbstatic-akamaihd[.]com
hxxp[:]//js[.]jguery[.]online
hxxp[:]//ssl-gstatic[.]online
hxxp[:]//trendmicro[.]tech
hxxp[:]//cloudflare[.]news
hxxp[:]//windowkernel[.]com
hxxp[:]//cloudflare-statics[.]com
hxxp[:]//mcafeemonitoring[.]com
hxxp[:]//cortana-search[.]com
hxxp[:]//jguery[.]online
hxxp[:]//sdlc-esd-oracle[.]online
hxxp[:]//cloudmicrosoft[.]net
hxxp[:]//outlook360[.]net
hxxp[:]//windowskernel[.]com
hxxp[:]//mswordupdate17[.]com
hxxp[:]//fb-statics[.]com
hxxp[:]//symcd[.]site
hxxp[:]//patchthiswindows[.]com
hxxp[:]//digicert[.]space
hxxp[:]//kernel4windows[.]in
hxxp[:]//updatedrivers[.]org
hxxp[:]//dnsserv[.]host
hxxp[:]//alkamaihd[.]com
hxxp[:]//un-webmail[.]com
hxxp[:]//intel-api[.]com
hxxp[:]//windowslayer[.]in
hxxp[:]//tehila[.]global
hxxp[:]//chromeupdates[.]online
hxxp[:]//officeapps-live[.]net
hxxp[:]//tehila[.]info
hxxp[:]//ipresolver[.]org
hxxp[:]//microsoft-security[.]host
hxxp[:]//patch7-windows[.]com
hxxp[:]//winupdate64[.]net
hxxp[:]//britishnews[.]press
hxxp[:]//gmailtagmanager[.]com
hxxp[:]//hamedia[.]xyz
hxxp[:]//tehila[.]co
hxxp[:]//1e100[.]tech
hxxp[:]//twiter-statics[.]info
hxxp[:]//githubapp[.]tech
hxxp[:]//windefender[.]org
hxxp[:]//cloudflare-analyse[.]com
hxxp[:]//officeapps-live[.]org
hxxp[:]//cloudflare[.]site
hxxp[:]//win-updates[.]com
hxxp[:]//nsserver[.]host
hxxp[:]//windowkernel14[.]com
hxxp[:]//static[.]news
hxxp[:]//cissco[.]net
hxxp[:]//windowskernel[.]net
hxxp[:]//patch8-windows[.]com
hxxp[:]//microsoft-tool[.]com
hxxp[:]//outlook360[.]org
hxxp[:]//owa-microsoft[.]online
hxxp[:]//google-api-update[.]com
hxxp[:]//broadcast-microsoft[.]tech
hxxp[:]//microsoft-ds[.]com
hxxp[:]//micro-windows[.]in
hxxp[:]//fbstatic-a[.]space
hxxp[:]//githubusecontent[.]tech
hxxp[:]//hotseller[.]info
hxxp[:]//digicert[.]online
hxxp[:]//cachevideo[.]online
hxxp[:]//fbstatic-a[.]xyz
hxxp[:]//officeapps-live[.]com
hxxp[:]//windows-10patch[.]in
hxxp[:]//winupdate64[.]org
hxxp[:]//akamai[.]press
hxxp[:]//azurewebsites[.]tech
hxxp[:]//windowssup[.]in
hxxp[:]//mswordupdate15[.]com
hxxp[:]//big-windowss[.]com
hxxp[:]//newsfeeds-microsoft[.]press
hxxp[:]//walla[.]press
hxxp[:]//cachevideo[.]com
hxxp[:]//windows24-kernel[.]in
hxxp[:]//ads-youtube[.]tech
hxxp[:]//windowskernel14[.]com
hxxp[:]//mssqlupdate[.]com
hxxp[:]//mcafee-analyzer[.]com
hxxp[:]//winfeedback[.]net
hxxp[:]//sphotos-b[.]bid
hxxp[:]//mpmicrosoft[.]com
hxxp[:]//1m100[.]tech
hxxp[:]//twiter-statics[.]com
hxxp[:]//chromium[.]online
hxxp[:]//mywindows24[.]in
hxxp[:]//sphotos-b[.]pw
hxxp[:]//fbexternal-a[.]pw
hxxp[:]//tehila[.]press
hxxp[:]//fdgdsg[.]xyz
hxxp[:]//elasticbeanstalk[.]tech
hxxp[:]//akamaitechnology[.]com
hxxp[:]//google-api-analyse[.]com
hxxp[:]//sharepoint-microsoft[.]co
hxxp[:]//windows-kernel[.]in
hxxp[:]//myservers[.]site
hxxp[:]//win-api[.]com
hxxp[:]//symcd[.]xyz
hxxp[:]//win-update[.]com
hxxp[:]//windows-api[.]com
hxxp[:]//ads-youtube[.]online
hxxp[:]//windows-drive20[.]com
hxxp[:]//jguery[.]net
hxxp[:]//fb-nameserver[.]com
hxxp[:]//f-tqn[.]com
hxxp[:]//qoldenlines[.]net
hxxp[:]//fb-statics[.]info
hxxp[:]//microsoftserver[.]org
hxxp[:]//mcafee-monitoring[.]com
hxxp[:]//akamaitechnology[.]tech
hxxp[:]//fbexternal-a[.]press
hxxp[:]//ssl-gstatic[.]net
hxxp[:]//ads-youtube[.]net
hxxp[:]//windowsupup[.]com
hxxp[:]//javaupdator[.]com
hxxp[:]//windows-india[.]in

IP Addresses:

Note that these IP Addresses were associated with previous, historical campaigns
206[.]221[.]181[.]253
66[.]55[.]152[.]164
68[.]232[.]180[.]122
173[.]244[.]173[.]11
173[.]244[.]173[.]12
173[.]244[.]173[.]13
209[.]190[.]20[.]149
209[.]190[.]20[.]59
209[.]190[.]20[.]62
209[.]51[.]199[.]116
38[.]130[.]75[.]20
185[.]92[.]73[.]194
144[.]168[.]45[.]126
198[.]55[.]107[.]164
104[.]200[.]128[.]126
104[.]200[.]128[.]161
104[.]200[.]128[.]173
104[.]200[.]128[.]183
104[.]200[.]128[.]184
104[.]200[.]128[.]185
104[.]200[.]128[.]187
104[.]200[.]128[.]195
104[.]200[.]128[.]196
104[.]200[.]128[.]198
104[.]200[.]128[.]205
104[.]200[.]128[.]206
104[.]200[.]128[.]208
104[.]200[.]128[.]209
104[.]200[.]128[.]48
104[.]200[.]128[.]58
104[.]200[.]128[.]64
104[.]200[.]128[.]71
107[.]181[.]160[.]138
107[.]181[.]160[.]178
107[.]181[.]160[.]194
107[.]181[.]160[.]195
107[.]181[.]161[.]141
107[.]181[.]174[.]21
107[.]181[.]174[.]228
107[.]181[.]174[.]232
107[.]181[.]174[.]241
188[.]120[.]224[.]198
188[.]120[.]228[.]172
188[.]120[.]242[.]93
188[.]120[.]243[.]11
188[.]120[.]247[.]151
62[.]109[.]2[.]52
188[.]120[.]232[.]157
185[.]118[.]65[.]230
185[.]118[.]66[.]114
141[.]105[.]67[.]58
141[.]105[.]68[.]25
141[.]105[.]68[.]26
141[.]105[.]68[.]29
141[.]105[.]69[.]69
141[.]105[.]69[.]70
141[.]105[.]69[.]77
31[.]192[.]105[.]16
31[.]192[.]105[.]17
31[.]192[.]105[.]28
146[.]0[.]73[.]109
146[.]0[.]73[.]110
146[.]0[.]73[.]111
146[.]0[.]73[.]112
146[.]0[.]73[.]114
217[.]12[.]201[.]240
217[.]12[.]218[.]242
5[.]34[.]180[.]252
5[.]34[.]181[.]13
86[.]105[.]18[.]5
93[.]190[.]138[.]137
212[.]199[.]61[.]51
80[.]179[.]42[.]37
80[.]179[.]42[.]44
176[.]31[.]18[.]29
188[.]165[.]69[.]39
51[.]254[.]76[.]54
158[.]69[.]150[.]163
192[.]99[.]242[.]212
198[.]50[.]214[.]62