Friday, March 1, 2019

Threat Roundup for Feb. 22 to March 1


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 22 and March 01. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Bladabindi-6872031-8
    Malware
    njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
     
  • Win.Malware.Vbtrojan-6871444-0
    Malware
    This is a malicious tool used to exploit Visual Basic 5.
     
  • Win.Malware.Ekstak-6871246-0
    Malware
    This malware persists with SYSTEM privileges by installing itself as a new service called "localNETService."
     
  • Win.Trojan.Zbot-6871232-0
    Trojan
Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
     
  • Win.Trojan.Bifrost-6871028-0
    Trojan
    Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. In order to mark its presence in the system, Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot."
     
  • Doc.Malware.Emotet-6866090-1
    Malware
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     

Threats

Win.Malware.Bladabindi-6872031-8


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
  • <HKCU>\Software\76cbed672042da4827cdb3dabad9650b
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: 76cbed672042da4827cdb3dabad9650b
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: 76cbed672042da4827cdb3dabad9650b
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 75[.]115[.]14[.]18
Domain Names contacted by malware. Does not indicate maliciousness
  • aaasssddd[.]ddns[.]net
Files and or directories created
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\5489098719807719809090807918.exe
  • %LocalAppData%\Temp\rat.exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\76cbed672042da4827cdb3dabad9650b.exe
  • %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\5489098719807719809090807918.exe
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Malware.Vbtrojan-6871444-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\Ahk2Exe.tmp
  • %LocalAppData%\Temp\AutoHotkeySC.bin
  • %LocalAppData%\Temp\dnfahk.tmp
  • %LocalAppData%\Temp\upx.exe
  • %SystemDrive%\ReadMe.txt
  • %SystemDrive%\SetInterval.bat
  • %SystemDrive%\keyboard.reg
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid


Win.Malware.Ekstak-6871246-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\localNETService
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
    • Value Name: ImagePath
  • <HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
    • Value Name: Value_42632
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 216[.]218[.]206[.]69
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %AllUsersProfile%\localNETService\localNETService.exe
  • %LocalAppData%\Temp\tsc131118.dat
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid


Win.Trojan.Zbot-6871232-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKU>\Software\Microsoft\Internet Explorer\PhishingFilter
  • <HKCU>\SOFTWARE\MICROSOFT\Qaygra
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKU>\Software\Microsoft\Nabu
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 23[.]253[.]126[.]58
  • 104[.]239[.]157[.]210
Domain Names contacted by malware. Does not indicate maliciousness
  • macrshops[.]eu
Files and or directories created
  • %LocalAppData%\Temp\tmpa9735385.bat
  • %AppData%\Icda
  • %AppData%\Icda\ehday.exe
  • %AppData%\Vyarqe\erezu.loe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp2ad79550.bat
  • %AppData%\Kyba\ryisl.ubo
  • %AppData%\Leve\yhqy.exe
File Hashes

Coverage

Screenshots of Detection: ThreatGrid, Umbrella


Win.Trojan.Bifrost-6871028-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\Bifrost
  • <HKU>\Software\Bifrost
Mutexes
  • \BaseNamedObjects\Bif1234
IP Addresses contacted by malware. Does not indicate maliciousness
  • 148[.]81[.]111[.]121
  • 204[.]95[.]99[.]100
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
  • %System32%\drivers\etc\hosts
  • %ProgramFiles%\Bifrost\server.exe
File Hashes

Coverage

Screenshots of Detection: ThreatGrid, Umbrella


Doc.Malware.Emotet-6866090-1


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\startedturned
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: ImagePath
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 212[.]83[.]51[.]248
  • 159[.]65[.]186[.]223
  • 74[.]59[.]106[.]11
Domain Names contacted by malware. Does not indicate maliciousness
  • lenkinabasta[.]com
Files and or directories created
  • %UserProfile%\880.exe
  • %WinDir%\SysWOW64\d1Ltzcv.exe
  • %LocalAppData%\Temp\CVR3F73.tmp
  • %LocalAppData%\Temp\ysrbsuxx.yb3.ps1
  • %LocalAppData%\Temp\zh5htpos.q5s.psm1
File Hashes
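As an added example (not part of the Talos post), the PowerShell below checks a Windows host for the persistence artifacts listed across the sections above: the Run-key value names tied to Bladabindi and Zbot, the "localNETService" and "startedturned" services tied to Ekstak and Emotet, and the Bifrost registry keys plus a few dropped-file paths. It assumes the IOCs exactly as printed and needs administrator rights to read HKLM and service details.

```powershell
# Added example, not Talos code: hunt for the persistence artifacts this roundup lists.
$findings = @()

# Run-key value names named in the post (Bladabindi / Zbot sections)
$runValues = @('internat.exe', '76cbed672042da4827cdb3dabad9650b')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$name"; Detail = $props.$name }
        }
    }
}

# Services the post ties to Ekstak ("localNETService") and Emotet ("startedturned");
# report the binary path and start mode so an analyst can confirm what they launch
foreach ($svcName in @('localNETService', 'startedturned')) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{ Type = 'Service'; Where = $svc.Name; Detail = "$($svc.PathName) [$($svc.StartMode)]" }
    }
}

# Registry keys and dropped-file locations listed as IOCs (HKU entries are omitted here)
$paths = @(
    'HKLM:\Software\Bifrost',
    'HKCU:\Software\Bifrost',
    'HKLM:\Software\WOW6432Node\localNETService',
    "$env:ALLUSERSPROFILE\localNETService\localNETService.exe",
    "$env:ProgramFiles\Bifrost\server.exe",
    "$env:LOCALAPPDATA\Temp\rat.exe"
)
foreach ($p in $paths) {
    if (Test-Path $p) {
        $findings += [pscustomobject]@{ Type = 'Path'; Where = $p; Detail = 'present' }
    }
}

if ($findings.Count -eq 0) { 'No listed persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on any single item is a lead, not a verdict; as the post notes, one IOC alone does not indicate maliciousness, so confirm with the binary's hash and ThreatGrid or AMP telemetry before acting.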

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

