Friday, November 2, 2018

Threat Roundup for Oct. 26 to Nov. 2



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 26 and Nov. 02. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Zbot-6732674-0
    Malware
    Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
     
  • Win.Malware.Sivis-6734391-0
    Malware
    Sivis is a type of trojan that is usually downloaded from the internet and installed by unsuspecting users. This trojan variant also includes sandbox evasion logic. It has the ability to move numerous files to the Recycle Bin.
     
  • Win.Malware.Explorerhijack-6734396-0
    Malware
    A hijacker could use this malware to change the user's browser's home page, redirect the user to suspicious websites, and then lead them to advertisements and commercial content that generates pay-per-click revenue for its developers.
     
  • Xls.Malware.Cwsp-6735643-0
    Malware
    This is an Excel-based downloader that uses PowerShell to retrieve the next stage of the malware executable. Microsoft Office displays a warning to the user before the payload actually gets activated.
     
  • Win.Trojan.Mikey-6735890-0
    Trojan
    This cluster focuses on malware that creates a specific cluster so the malware can achieve persistence. The samples have anti-analysis tricks to complicate the analysis. This family is known for the plugin architecture and for the intense network activity. This week, Mikey used the AppWizard packaging system. It is based on common Microsoft code, using the Microsoft Foundation Classes (MFC) to start a simple application. Malicious programs use this packer to stage process hollowing and obfuscate the malicious code.
     

Threats

Win.Malware.Zbot-6732674-0


Indicators of Compromise


Registry Keys
  • <HKLM>\software\Wow6432Node\microsoft\windows nt\currentversion\winlogon
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value Name: userinit
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\ntos.exe
File Hashes
  • 0105bb0a81ceb78f84de07f7336a6ecdd95721545b3e47c96ae45f94a8fe8506
  • 0114885e69a066a72f12eb475c9ae36e0851309ce6902a547dd60915ab785523
  • 01be29f0973f96218bf0554f2212ee60fe8563a9fa5e9f1cc04b948a02a5989a
  • 0280026374e8bc24bd0987abde9c8ded202bc489e0f718c2fbd87d541f2003e0
  • 03262248439bc3ed3af3cc12a50d3595a0230b6a01fd3c6e34838750a01a4b72
  • 03480a5dda4243eec0e9826a386729670c50c9cdcfd12109febf16695e7302ce
  • 03746100716d1a66312b69c03ba2166aab6075f24ca826197972bf30a117dadb
  • 03c2c34bd542dde2d600697bb658399498be9ff74614ab938adb3f77a4183c4c
  • 0462f5a9a36956eb62b958203d66e1ad83268502f7ee6a2676e47d3829db1e03
  • 06c57ae21c9f839895f847a5d8895fdc89e878a615565772246c94887caaf6cb
  • 075b5ad9b36d79b3b14ad43decabdd7f07fbd3d428e890a14ee2af4969ba49e5
  • 08866b56758d4c7b783af2faa3465a9c3dcb2621b19ded098ccb17e25e4f685a
  • 08db11f50735c3f4d34d308bc190ae8db0cc6b291090716781ced208b13743fa
  • 0a00e118d1917356a4598d2e5f3a96f184726cb37e6be4cfa70ad233fcf5be8a
  • 0a0e93af895754435be151f0f09d3fcd542661c9e48314a82bfa4853be9212fe
  • 0a4d7fbd10835ba00bd6518598f0c3a4670207e52e4c8c57a5500f0c4059a017
  • 0a963367e108b56e58559846236f1896adcca5ec6e324330739e3b45d436e1dd
  • 0b675493051c7f99878bca3510c5054bbc071612557acb008e9ae8980c6364ed
  • 0b7143f5062cada3d26a97f59b10ddf8e2a73ea70dc97c7cb55a5ceef7e7e5d8
  • 0b76777a484d6e0304bfc0b0c06576a51bca2a5cf6a648dfdf67f296301af3d4
  • 0bc190d365d58acc24ec202637d87296c69c9f2d2dc4e7120d8f3b61ffc584bc
  • 0c4533fd8ae2a9629f474373ce2697059e978e8f5945b4421d092a7052b9c64c
  • 0e12afb0ec9aca39a02927e158883994dc6110f83880b5075aebcaed8077ce36
  • 0ef146b745e8b57ed0f3b0cd888f650fb8510670731e5c01419e13722178d1d9
  • 114f30f079e04714958728d7364b706dd8e88a241bd0771326d10c445d4fc95c

Coverage


Screenshots of Detection

AMP




ThreatGrid




Win.Malware.Sivis-6734391-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \$Recycle.Bin\<USER-SID>\$RZ7KADN.txt
  • \$Recycle.Bin\<USER-SID>\$RYGDGS7.lnk
  • %AppData%\Mozilla\Firefox\Profiles\iv5rtgu3.default\key3.db
File Hashes
  • 2073825ad497c12861800c93527e49e8aa4afafe77d1a7af2922ab707c4b258e
  • 2c43a96efe6f36ef0e1e1ca7f4dfe34c83bdd1d99090a056d43955e70bae719f
  • 2ff58a8b69dcb0dbb1ef63430a925068d586860c84faa583988b92e2bb87ef25
  • 30a9b4c8db8eae33a1e9c35f6441e171cb8059a0f6c34bc8d377e064f3000008
  • 32e5b6a36aa94734f0af2cc7d2235bbfeecc915fc0bc0bf46f385f238dc1b69d
  • 32fb050134eefd9bba3f5a1d31c9727c0a25760e8b2342385b24b20a253e9512
  • 34c5950ff21c25a4acbc1801f881d205ba2cae42333bb04358cf5117eef645b2
  • 447e4f61b3e3a5ccf116346d228d1b80328a63e54fc71398e4894d70c22ff51d
  • 4d6ac5ccca2bab50f296a4e34a7bed16131f01fdf6864c2bee8efbfea449697b
  • 51a9bf24550ec6db0e383fbe1e9089558e1d1bd4e57c5d3678a95233efd59dab
  • 581391e344bda3539189aef8252556f916bf27333e755765641a1485844b884f
  • 66ada213ce8d9756c1c711d216d45ef8cc84586a1dc46213ce8275d4f8a7d08f
  • 7d0ab4517139c8347e39af92cf8dafb9c71e80a8848cea25d7e4598292753fac
  • 7f49ac352ec83b003ca00b29acafdf5c08132f0bd060151312157773e06a887d
  • 8564af9b09f0ade9b372d76a0d53355587b28cc89afec83b9287cebe6dbce148
  • 8cca573e22a563ae4074007c9b5c5abd11316a0235f206242baf4936f3cff4fb
  • 91487940c217c106a1f70ea4f850db083396a8fd5c37e81c47d4cd01ef269906
  • 9813d3fa86989ca43ecc0db5684e642823abebca58161d8676276349bb5c53ea
  • b3be19db0aa19fc9588cb90d0ee5c39ae124e797b82ba1eeb02ba0b82c9a55f8
  • beb78637a890b73e150cc67b1c51108dc89e7b3e491ed22cc81695eda729e10f
  • c405942083f1d75a6de07f9270e94594cfd99b59c774f22bd2c214715822a851
  • c5405c94a49bd14155027aea5722bf253eeedd1a3d0d1d73a2580adb70a6def7
  • cc542bacf782757a362d3b6cfc54efe64f8abb860f7c997cf008cc0ae9ffcee6
  • d2f9541628e3178b1e6cead482d9983e1509edd3155244b42ac49f0a6919d690
  • d7ecfd142025e761006a446d1bd68a9f337eaf1f927fbc01fbbe336df39befae

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Explorerhijack-6734396-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\LogonSoundHasBeenPlayed
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 103[.]235[.]47[.]123
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\347749632.exe
File Hashes
  • 0387a6fcadc71d0fd723b94049d312eb81752994f06d6e11a222c20c81d610a8
  • 39ad7614f81cf505be13fb726d9a68585ebcfb4ba3c156e7974e23a71c8254f1
  • 41569db09055ec3bbd900f943c3049b6362be1fc08e73bf9403c6e0a684b5aed
  • 7f25aa88bb56ce9888d3959344307b5c7423f53ef1409f84534dd82f2520eb92
  • 856c90d502181b0297d792c67ab0d5e3d78fac4879e853beab00e10707e1c5dd
  • 99e9c70014473728f7cfac4704c4961cb9cf1e6cb015bb1da6bb095fea13ecaa
  • a4143241cfa447db8fa7d4ec5ef79a6bd0a78b853d8f461f209e1224ea09f34f
  • e957fa484e5b1b1c84a0f4d3e3561686fe6d289f703ec2ff1f4d9fec886e1344
  • f57061d301bce0ecb0b1caf8b0e0de238ecccd4f038f4e9a397ab1cdde57e9a2
  • fd047bf2512554e75ffe684d07d0cb5ee798409fb504e2db7a13b90cfc7070e0

Coverage


Screenshots of Detection

AMP



ThreatGrid




Xls.Malware.Cwsp-6735643-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 212[.]58[.]244[.]48
  • 208[.]91[.]197[.]13
Domain Names contacted by malware. Does not indicate maliciousness
  • lalecitinadesoja[.]com
  • downloads[.]bbc[.]co[.]uk
Files and or directories created
  • %LocalAppData%\Temp\1ii4ushk.rdy.ps1
  • %LocalAppData%\Temp\i3iu3ax4.unx.psm1
  • %AppData%\23C.exe
File Hashes
  • 05997180a42ca9c01720b1ee3e759bd1a408c0064bbdac0c72f56c9783102a1f
  • 07a8a906e93699e23b1b7fe6a190edf709d499efdb806a334d63d21e87d47fea
  • 0d4e2eeb6402ecbfed9d9f70a4386ba988d96baa4570944ad7d25fda4e1360b5
  • 1007b22475717247803c61a571c881bf50d93199f21559bfaa2b0651e3e88b99
  • 11cd2e32f5b99a2988d75e7c6b7b372645385fa0b2f266084cf79a674fa87d54
  • 12cb9af05b67398d8e32296f872fcf38485cb5bfb248882a039c901f917744c7
  • 199abec0369aa5b56ccf3e40104dec650c0c621a4bf9fe892cde4c649951d96c
  • 2436eb88be5cb4536470f00aa4e0b2204c938a7ccc1ab1512c51371c056083bb
  • 2b99f6c10d40f9437e4f81c102829e5dd177b7ba83f04d0b09ca13fd35d4f37a
  • 2e1d18fa4a0c1b7f1a840f0cbe366bed742fd882ba5ba7c32177fe4384d3feeb
  • 2fcb4649130e60c9ee30bc0109dd276dfc20b58873098466740c95bae14e8b16
  • 2fda76c3f4db61bd48ffefbe06625cbf33c84c9a99bfb5e4b078efab041786be
  • 4c7833eda85621233fcf983d797da0a473e4d17bc8a6b5572eb475e1132f9604
  • 4cf4a24b619e53b5155e2aa5eebcbd4a935b03bc2a99f703e955d26bfdc89834
  • 522dea36276bb7616dabda4f46e9bd93fb5fac7dc8c035e2677febac8a9ac268
  • 53bfd8dcca2dd1a702c80a92e52b6149c3b6d9dd69cfc616c6ece3931920aa0b
  • 56ee72c3cac7e50c20945307e9f58360e097782ee10a5577323f1cee22caeb3d
  • 5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7
  • 5dfef0b6f4f1b612edf80c8ab5cffc7556677bb07c53934963b550b60cf84474
  • 6534a9d590748b2301a3f804b75fe02ffee39acf82d2dbb93800a3f8923c9934
  • 6b83c696d85d8f467ee9ff306ef266c6b64c8cb4e0aad99f4b5627f6e2dd3c33
  • 6c891decc602dc22ae6084be690674afdb405c5b7072a0e8b46d77ba8e331237
  • 6da86b5ba028ddfd9646da6467cdaca4d698b72b165045561bcf7a65449dba85
  • 7546344c7c370e86f9975710269a9c965104d6084fe4b51d8713c37cd277c2da
  • 75a14beabec965f401a21c1809b7fe9563ced7366c863e78dd5c744516aea83d

Coverage


Screenshots of Detection

AMP




ThreatGrid



Umbrella



Malware




Win.Trojan.Mikey-6735890-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • qazwsxedc
IP Addresses contacted by malware. Does not indicate maliciousness
  • 52[.]1[.]22[.]171
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]easycounter[.]com
Files and or directories created
  • %WinDir%\cer61A0.tmp
  • %TEMP%\adminpak.msi
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\adminpak[1].exe
  • %WinDir%\cluster\clcfgsrv.inf
  • %WinDir%\cluster\cluadmin.exe
File Hashes
  • 04a44c6f9ee4b5f944038452d2669a9915e493f3d4aedd8603af6bcbf9fb157d
  • 075ef3a40de2c10d52140c02fc604654e60eb1231659122640d93884a8f639d8
  • 1ed41ccdce4f7c67dbeb57873ed69a0b53bd8c509a66f391fb4838cd26d32f88
  • 4e8da970321ee8e38f2fe918ce8755ce504d0c54ad579c7a2d388ed65aceca3f
  • 63562fa34ca55cbbc1f007ed6a199b625f277f02487d18c6a9a8e24354af6ea3
  • 72b02849c7cde8ba42dfe04edf18b0ede900c66187a9e38f5d16eaf84ddfbfbe
  • 764947d95583d3a134fc96d6ce06ce4175261d3b9b48d224238367054e187d93
  • 77515fa3f7bea9043e954ac8cb13917edd930d0e5d87f2cbc9fa4d44bd281161
  • 7ea545f0dd17684011d7bbdde7c004faccacd8edb6d011c4e023f2780279ae1f
  • 92e4863e96df84117c1288ceb692823a6d86c0b3a09f29a5cbc4af6a83a03415
  • 9d267ed7cc3efe21afd96a3717cf920376048528e7094c54defb915afbe96a80
  • a36d16238efb3b5f2ba5e9c23dd1db26a6b08fce8fa1d824e3006bc05f12a75f
  • b63310bff942d0fe4f131fbb777737b110ab630876e784ac843e0c4dcdebde44
  • bdc574d0160c6566738b039122d702a47aa10080b096cc3ca2729a2a5ca5f6f6
  • cf7236e1d8783d00cd54d9d821a1067a2c08cd7cb67b0c091f5826784403f67a
  • d7096f8904ebef796193afca1737f99e65c07ac7cf3c999aa46b5e60428ca006
  • dba090f098676f7f4d5bd9e71a5b24cb1dfc71edb6b8a0dc06082a60730a81d0
  • ed2893a0c58fbfaf73acdd4d7a7c9d8626e8609573739e8f0bf11c88d4b07303
  • f9de2da81894bbde4f6baf5909c3f3f6a5d5fc61a8df97836fb8db14fbdb6006
  • ff453440448d5f950a573ab246092a3c80e33c7c9189d97d15539bf09c48211d

Coverage


Screenshots of Detection

AMP



ThreatGrid



No comments:

Post a Comment