Threat Round-up for Apr 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 14 and April 21. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

Win.Tool.MeterPreter-6294292-0
Hacking tool
Meterpreter is a component of the Metasploit, an exploit framework for pen-testing. Meterpreter is injected through a code injection vulnerability and resides only in memory. The component can be extended at run-time via in-memory DLL injection.
Win.Trojan.VBAttachGeneric
Trojan
Various samples that Talos have observed are polymorphic trojans written in Visual Basic and deliviered via spam campaigns. These samples have been observed creating autostart registry keys to establish persistence as well as injecting code in other processes. These samples also beacon back to remote servers with infection information and to await commands. They also contains anti-vm and anti-debugging techniques to hinder manual and dynamic analysis.
Win.Dropper.Skyneos-6192156-1
Dropper
This malware, written in .NET, is installs "Skyneos V1.0" keylogger on the victim machine. It will also send an email with a subject "TripleXannonymous" to a dedicated mailbox indicating infection occurred, where the email is containing username and computername. It also modifies registry keys accordingly to run.
Win.Trojan.Cybergate-5744895-0
Remote Access Trojan
Cybergate is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
Win.Ransomware.GX40-6290314-0
Ransomware
GX40 is a Windows ransomware family written in Visual Basic .NET. Samples have been distributed via spam as a fake Windows update tool. Files targeted by extension are encrypted using AES-256 ECB with .encrypted as the new extension. Infected hosts are not locked down, but a ransom prompt is still given upon execution. Some samples request contact by e-mail before providing a Bitcoin address for a payment of 0.02 BTC.
Win.Dropper.Gepys
Dropper
Gepys installs a malicious payload on the victim’s machine, and sets the payload to execute each time the computer is restarted. This dropper can be used to install a variety of malware on the victim’s machine.
Doc.Macro.MaliciousHeuristic-6290326-0
Office Macro
Office macro code is used to further compromise a target system. Macros can leverage external system binaries to execute other binaries to further compromise the system. This signature looks for functionality associated with obfuscating strings to execute a Windows command to download and run another sample.
Win.Trojan.Fareit-6296798-0
Trojan (credential stealer)
This sample attempts to collect stored credentials from a number of installed applications and then attempts to transmit those credentials back to a PHP application on a possibly compromised server.
Doc.Downloader.Powload-6296855-0
Office Macro Obfuscation Heuristic
Office macro code is used to further compromise a target system. This heuristic focuses on macro techniques to obfuscate shell commands by leveraging WinExec from the kernel32 library. This week it has been used to deliver various ransomware families.

Threats

Win.Tool.MeterPreter-6294292-0

Indicators of Compromise Registry Keys

N/A Mutexes
N/A IP Addresses
N/A Domain Names
N/A File Hashes
b93a5e2c8068b84aca852899b119577fe3da77f4edd01d41ebc1c92abfbb8203
e21ea550d8307956232df048f2623df436d0903666b257eda95962173100a54d
96c3e2c6e428ac63faa88de3970f50f95ff0a224698bd7e299bf7860b387d2f3
6dc3c45ba6aa3b8551843ef5e38c44b3b6c7d1bde0278948270157c676e82d37
59876794db1a73c00735d7c25fb206e4f5b722788f04d5143883f84d825546b7
29e5a7efb03ec69c3bc19756228e232d539f1b3bdb75b6bb00729fc446cdbf1b
148b6f924f612720619b009ef1cc35c060b0e8553cc403b475f7922220b19e99
c8b27b261222a1d20c5e4d7d569e3a6b95ec763c4973e49d077816cfddf826ff
ae52cd09f3fe264ffe9b1c3c4bdfba1dea47ba4c7306792c139d375373de82dc
9de9e23df4712ec2e496155fb4fb851df8976030eaff5c7e955fb4409604395b
02da7a71eb34ba11778c14599915f400a0f5dbd5f02a4175e0892ed752fef28d
0835abebef4c7c0a0808ab2168f1b58c0f6345160b7ccc689a5df2d95e61fa90
08555875425df997fa72dad869f8a7e389809f25cf90c1e2b4e659e7a0128496
1fbaf79cccadca652db1af811d52ea918dbde09518615510f64a7421f32abeee
cc205ab2f88aea3a021dfd9472d6411d0d52a8a3043f992b225169585128a792
de7939ed67925ca1c824d6b0400aa1f2bf6d955db4ce8becb2ae56403e729164
c92a69d11c1ac5f7d209b8b42fd338ea4123e1dc16dc97f7fc06b31ea7ebb7b8
c38ff8ecd12cdd6be79f76cd59c0c7a279fa51bf806a8cad8159366651b58103
43fa6fe9c0374e7ef960994e519868c22bc4115ae05ddb1ef17a972c4bdd6716
f552b77831e3b5577ff40158e417fee5599931d7e3b4c17075eec47520c2b688

Coverage

Detection Screenshots AMP

ThreatGrid

Win.Trojan.VBAttachGeneric

Indicators of Compromise Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Persistence/Autorun (NAS Manager\[a-z]{6}exe) Mutexes
N/A IP Addresses
89.35.228[.]198
191.101.243[.]120 Domain Names
css.alminvestmentbnk[.]com Created Files
C:\Program Files\NAS Manager\[a-z]{6}.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\[a-zA-Z0-9]{8-10}.exe File Hashes
5514b9f92aecd3b063b3d922dee493ceca4ccfbd0d94b23e506f94c3acdad37c
2d1244bb024cd109e349968a79d0a4d2b9a0490f92f186f4b184326895b33b0b
d375091524f770ee3b648770d9b250f697c5ab6ea64b8768aee9cc0feb7e7632
4bd4bf948e9a0911d21acef4f035145cfeeb76454809edf5675ebb5b41522e2e
754e2d75a93827a5be8194f12e2c28be91b06978c7e95cb862b68e67537c6e2d
b95d95c662abdf6ebdd27c649e6d7d82801f1346f24cee5e9eaf8aefb63a7017
d2ca3c2b3092fc0464c9553f4271aefeb869d1dfcd1c003b80866f0c0f5993c4
3ded24e864722c12ee193bf1481e7f52f901deb9f2babe915668480e02b66f38

Coverage

Detection Screenshots AMP

ThreatGrid

Umbrella

Win.Dropper.Skyneos-6192156-1

Indicators of Compromise Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run %APPDATA%\GxBArVz\WJrYnjU.exe Mutexes
"wJFKrvS" IP Addresses
N/A Domain Names
N/A File Hashes
397b758eb5d29c3fa73fdb554431b91782e9bacec264c7a9fe23ec636b02c8ad
999040d9e578672b56d3af96b0794bf4943d706f148f551e31f4342ff8d74cde
61fdda35c17936282f1ec22781743d7c81838f9283a219826ca3c4be7c556272
c295a62c605d59335f0dd2f5724a3fbf07c5b71173389be19328f4480ffa63f0
579f2dc6bb11b2b748b29b90262bf4e89d2c7c34ea5176904e43d67cecc9b678
a6e74ddaf03536438b9a2eaf72d06a8e2e6f68d0a9c3656efb64883afafd1709
1ec5eb9ef00ac05b36ff81e4b176254f6028b9b6c1d7cbeb4f67548bcbbf5e1b
2e0fb62b32393f13120c8e3db4bef27794db2c96c8e1fffdd9bdd11eb182a9a8
3cc72f3decf89086593d0e862d2537f81e9f82f862725a1018de32be4c60df6c
19a286089d830dfb9cbfaf24f162249d25ec90f13ca180f5eb106fdb6bb3b36a
839a74407ba04a305cbe37aff2e755d46d5cd44b111e6028aa96f3f51b9a09ff
3ee15dfaa1175b574a8b49dfc13995e2990e97746e318cd132903b18a394eeaf
1bf7821d9cedfd63011f9e9db40bad4153ead19891592ef94d5f997059f1c41a
59dcdff902ba56fb6fd3ba7720333e4b95c1fe11199152fb1af70f71da248904
e5559bee38107824f965c228496b74e1e18fd34a79a405f51ea7062bd923449e
f7549cc0889a19fe0619f0cb9545a7c15e3e4c0b57148fd9919be96c032203f9
032bcc041d877bbf957df93d22390a841700789e46aa2d077cd1db4f2e01e76f
9127163c4c6b96ed1dd2eea39f8fe55d4b3be1cb2590a53d1b454ee93124c4b6
dd8b85b8717fbc0d0579bf5a3a0e526648bf9bedca2bc50d2192b9fd2efa5c4f
0a8151ae2fe8c73935df6986243a8f04c6d7de17ddb0f789c753a64ce5d759c1
20f554732e030e8487efa57725ed1bbff5ff44249da04b41ccf42f099d1ab908
c798f885e301a61ede7b2a479c3b75bede7783d3ab602d65ec352e052c2a24d7
4550b5aa76408a448a11f78a2820135a1f705c21ed47a26daafe9453c3a93e38
9cf9084351c33b1b68131bcb89cbc19b819b8b2b9dcc3e4b889ebac1bf0858af
aab799820d4235808a6508f67fd226bb0fd4e87d744469cd1c582f45dd213c88
384a2a36e466f93a66322d727823f5dba1a477469978116e6a84f9874de00dfe

Coverage

Detection Screenshots AMP

ThreatGrid

Win.Trojan.Cybergate-5744895-0

Indicators of Compromise Registry Keys Created

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: HKLM
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
Name: HKCU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Name: Policies Mutexes
***MUTEX***
***MUTEX***_SAIR
_x_X_UPDATE_X_x_
_x_X_PASSWORDLIST_X_x_
_x_X_BLOCKMOUSE_X_x_
***MUTEX***_PERSIST IP Addresses
187.32.137[.]66 Domain Names
theprojectxgm.ddns[.]net Files created/modified
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XX--XX--XX.txt
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UuU.uUu
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XxX.xXx
C:\WINDOWS\system32\install\server.exe File Hashes
684a4dc6bbd6b006e1976107a67bf6e7d7644a3258484c99402ea619f7f2a616

Coverage

Detection Screenshots AMP

ThreatGrid

Win.Ransomware.GX40-6290314-0

Indicators of Compromise Registry Keys

N/A Mutexes
N/A IP Addresses
N/A (domains resolve to virtual IP's in use by web hosting providers) Domain Names
clowntong[.]com
Ganedata.co[.]uk File Hashes
2d7a92a8ad1271d0544148b7a37de0d2b2180750a6e7753a26f97b801c369fb4
B6cbd7f5f6d9946b27be877ab5bd8205f64a4155ef202694dc2ce9fb2981c18d

Coverage

Detection Screenshots AMP

ThreatGrid

Umbrella

Malware screenshot

Win.Dropper.Gepys

Indicators of Compromise Registry Keys

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\AppInit_DLLs
Value: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\[a-z]{7}.dll
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LoadAppInit_DLLs
Value: 1
Mutexes
N/A IP Addresses
N/A Domain Names
N/A File Hashes
50e9012ae2bf0889f21914acf507a91164df7f7afa3faf87e056ec399262198c
2e3462102717bede243945fcb442d5fedabec308ee358a4d47782362ca4aa06e
6428003415cc2338ed842909d930bf16648737f9b82af7802aaf0f6c25df66b1
a8294b03c2de716d7c186229d80fb6f5739911e365ecbd13bfc9156e79c2c3e4
8689ac26e1df50fa5769327042031172820ab34d74caed21b9156923f57e1bbf
91b1a40f59db3af84c4a2bcaca1a2f55a4622e8b42f1ec0675b7634d6b4a932e
554f21359d5e804135cf4f325d6ead010235622a81f310e690538065ec2726bc
31da4ca9abf91af1b5eb5e3b8ff7e046a24bbb56fa3128c48742f47873272f65
f53e78c57cdae3d01337626d38c1ec9d2566114f3f8d3af3da54caa28738edeb