Thursday, April 18, 2019

Threat Source (April 18): New attacks distribute Formbook, LokiBot


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

The top news this week is, without a doubt, Sea Turtle. Wednesday, we posted our research related to this DNS hijacking campaign that has impacted countries around the world and is going after government agencies, many dealing with national security. You can check out all the details here. This week’s episode of the Beers with Talos podcast also discusses Sea Turtle.

And while it didn’t grab as many headlines, we also wrote this week about HawkEye Reborn, a variant of the HawkEye malware. The keylogger recently changed ownership, and the new actors behind the malware have recently made a sizable push to infect users.

Also, take a look below to find out new information regarding LokiBot.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos


Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.  

Cyber Security Week in Review

  • Law enforcement agencies are increasingly using location data from Google to find crime suspects. A new report says the company scans mobile devices to create a "net" of people who were in the area of a given crime.
  • Ecuador says it was targeted by nearly 40 million cyber attacks last weekend after the arrest of WikiLeaks' founder Julian Assange. Assange was being held in Ecuador's embassy.
  • Several phony apps on the Google Play store are stealing users' Instagram logins. The apps have been downloaded hundreds of thousands of times and claim to help users boost their number of followers.
  • Oracle's latest quarterly security update includes fixes for nearly 300 vulnerabilities. Forty-two of the bugs could be exploited by attackers with no user credentials.
  • WhatsApp will soon add a new feature that will allow users to block others from taking screen captures of their messages. However, the feature will only be blocked at the local level, not the conversation level.
  • Cisco patched a critical vulnerability in its ASR 9000 line of switches. The most serious bug had a severity score of 9.8 out of a possible 10. An attacker could exploit this flaw to launch denial-of-service attacks against the router's owner.
  • Attackers may have been able to read users' emails in Hotmail, MSN and Outlook. Microsoft confirmed earlier in the week that some of the company's email services were targeted in a cyber attack. But one employee who was witness to the attacks says the attackers were able to read some emails.
  • The fallout of Julian Assange's arrest continues. Some critics say that the indictment against him could have wide-reaching consequences, especially for journalists who publish classified government information.

Notable recent security issues

Title: Formbook, LokiBot attacks target Middle Eastern energy companies
Description: From mid-February through mid-March, Talos monitored phishing campaigns purporting to be sent from a legitimate domain registered to a large organization in the oil and gas industry. Cisco Talos recently discovered yet another campaign using specially crafted, malicious — yet persuasive — emails to target a legitimate organization in the oil and gas industry in the Middle East. The campaign deploys malware that exhibits similarities to the data-stealing malware families of LokiBot and Formbook. At the end of this newsletter, you’ll see a list of IOCs related to these attacks.

Title: Zero-day in Internet Explorer could be exploited even if user isn’t running web browser
Description: A vulnerability in the way Microsoft Internet Explorer handles MHT files. If a user were to open a specially crafted MHT file, an attacker could gain the ability to exfiltrate local files and carry out additional spying on locally installed program version information. The interaction could even be carried out automatically without any user interaction.
Snort SIDs: 49799, 49800

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
Typical Filename: max.exe
Claimed Product: 易语言程序
Detection Name: Win.Dropper.Armadillo::1201

SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
Typical Filename: cab.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201

SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
MD5: 147ba798e448eb3caa7e477e7fb3a959
Typical Filename: ups.exe
Claimed Product: TODO: <产品名>
Detection Name: W32.Variant:XMRig.22fc.1201

SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed
MD5: 6372f770cddb40efefc57136930f4eb7
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd

Indicators of compromise


Domains

plenoils[.]com
sharedrive[.]top
alkzonobel[.]com
web2prox[.]com
office[.]webxpo[.]us

IPs

84[.]38[.]132[.]25
173[.]198[.]217[.]123
37[.]49[.]225[.]195
URLs
hxxps://sharedrive[.]top/?qp
hxxp://sunny-displays[.]com:80/old/lk/fre.php
hxxp://sunny-displays[.]com/secured/lk/PvqDq929BSx_A_D_M1n_a.php
hxxp://modernizingforeignassistance[.]net/wp-content/plugins/projects/we.hta
hxxp://37[.]49[.]225[.]195/hook/logs/fre.php

Emails

3a5d7cd294848302f16c47735fe6342c1811c4d2309ff1a250d9bad267c2e278
1ace02fe46edcff8d775e3e3865813d204b138ab50e3edf6b94fc0c3afd9e883
7a47388b6d66aadeb16cf86cc27bab61006ee33f561a99d2f54f3e8b7652361e
cc63041400a7b39fb0560b1e5ecfe980f0ff4915b473881e203b85a14c192e50
33ae7a8b755786de1e56341449c763fa43861a503937b3de0778188814b0f5f2
7a47388b6d66aadeb16cf86cc27bab61006ee33f561a99d2f54f3e8b7652361e
cc63041400a7b39fb0560b1e5ecfe980f0ff4915b473881e203b85a14c192e50
33ae7a8b755786de1e56341449c763fa43861a503937b3de0778188814b0f5f2
45fd204c881bc2002cba8b58eb8f135c8e8f2b290bcede597ab1bd6647028570
8b6819c03ab993eb21adb59f06cb4476eb6ea869f61004b56df7b3a1ee999e28
46a047e141ed8fa151a9e3cf869ed2c56234d0de0b627d998b247150c8f99984
597cab0edaf0034d7aab7b1ecca1bf0dcd25a094cdaf10bca6f7cb38c7f17daf
d6e4818a63a1dc2a1887135563c0591bdb4d524b6bd4d37aa5e5051935aa7578
Email addresses
Nasser[.]K[.]@plenoils[.]com
g9825@live[.]com
mailer@matterbusiness[.]xyz
inf0-greenhillsports@outlook[.]de
youzs@ropasz[.]ml
punker@biven[.]ml
otaz@viotaz[.]ml
riyanlepine@drylnewby[.]cf
webxpoinc@yahoo[.]com
chosipongs@gmail[.]com

Formbook mMutex 

8-3503835SZBFHHZ

Malware SHA256

d667c0c158786889fafa273d81bce9980bdc6ab54ea58bd2a558e248598158ac maldoc
ae55388db9f39945f3aee9e6c2a66bacfe6483eb83341b0982a6741c83a28a34 maldoc
e27d1d4de73d75968cacc3a581e54f71fef372a8661297c59a8d1a8cea60a51d .hta file
8220331b94a0dc7207246b0a2193ba2335bb70c673a085f52de0bb66786c86ce
3497d5897559c595f1ebd982171d74770dd135973eb6ea62f8fad6fec6438acc
2718ac89d522881522af2fb0b552ef55e25308544b594ed64e7f15f31acdec73

Additional Maldocs

62ed293128f4728ef73efb2089d92e68fe21937aca34577d3083d1cda3fab60e
bfce7a05c96bf7ffbafa03f283c0fa2bdc13521f9e2f1664cb522d88def782c6
907c57b17f97570704df5391c2f49ff2a13d513f1da95c0f24f34285bb01dfe4
6d4211fe7b01222bfa653dcc9e3eadd542bbd5b03ab44f2c459508eff9acff39
636fd49f53c72528f7a8780ccb4cf064839a9bd29f3f65499f10919ae5939c0a
5b1392ad890381075aeac3ef5839aace8a42460ca80834320a483202656721d6
0ca5a9a87b301d664c16c9237900adf3e12a48c5a36b7d94e4beb99eeaf127d7
7db875e9bf67c66365778004bcb5e502f91e852ad02f99b7be5160350d3edcf2
ff063e2b52f753778ac92eb436e6b35f6255c11970febc9868c29abd2e3fbeac
0ca5a9a87b301d664c16c9237900adf3e12a48c5a36b7d94e4beb99eeaf127d7
ff063e2b52f753778ac92eb436e6b35f6255c11970febc9868c29abd2e3fbeac
dea7c0f7d5c7b941d1dbae7f271cec5906fd08d529a5165e4bdb825fd502a79f
b9bc454e763b66df9623de4116503f3f1972eaa83beafe062856b214e01dad25
a1f9826d9e376eaca7b6f597fbec52ae6b588d687e083fca09606cbc1bb0ce10
1b60205a11da53b07e53297f26353d65d6e3777de2464b59b73908dec51d8560
3de7152b38fa291592f749037908c01ab85705e138073ede18286dd2ac18fc4a
64fc2ec1ece8ffed4d8d7a94f48fa5ac191b3b7de8a2da8971c75f28aa7dd960
7db875e9bf67c66365778004bcb5e502f91e852ad02f99b7be5160350d3edcf2
e27c409bd463f4d14ee606b71216ef895f8767a6d1845d8a92bd2dd17dd3f797
2acc3bdf6821d27a401376845659040d75dd31d0405da2e1809a22a9b5f65145
461a950af13fe9b1d18c9895b7fa844ab9fcae0b7f17af438bd886fae146502e
97d3a9daa6c215983b340d8b4e8bf89561383e260a2c05f71c6d26014f6bc96d
1c878537a25979839e31f128e8ef4e7f582c196448c8e0e1277f0568e566a067
722be87f72a8e18c0b7f50cdac7e118f64364f519cf59d0b4e0f4798029847d8

Files referring to alkzonobel[.]com

b0dc50e22a2c3fe76831f2990dcd7b1b0ca969113c2d0c962d84c5e8b02ae75f maldoc
1365104bee40dc25b0df2e9102961c9fbce10658cce9f15b9f45d0e60e18d3a9 maldoc
c08fafb05053df47f2f830d0c6d7fe34be30b13bd2280ab2db6249d7dae6b5fb maldoc

Files referring to web2prox[.]com

5b3c39e9d85ac947f830ed02988277f6460b991aa050063545cffb147029fd51 maldoc
PO58609.doc
811c32c017d340fe1d198ff441b14d95c7101bd04cd4fdeaaaf03124700bf3ef
PO58610.doc
1c3c62a64dcb66595eb8140fc73a9e0cbfdc9fe5f73f802489c04a460fa6e6ba

[1] https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/
[2] https://antifraudintl.org/threads/marie-louise-el-ammar-seko-lebanon-sarl.105031/
[3] https://www.reverse.it/sample/811c32c017d340fe1d198ff441b14d95c7101bd04cd4fdeaaaf03124700bf3ef?environmentId=4
[4] https://www.reverse.it/sample/1c3c62a64dcb66595eb8140fc73a9e0cbfdc9fe5f73f802489c04a460fa6e6ba?environmentId=1

No comments:

Post a Comment