Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 31 and Feb. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Doc.Downloader.Emotet-7572697-1
Downloader
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Nymaim-7569940-0
Malware
Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Dropper.Genkryptik-7572204-0
Dropper
Genkryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, including collecting system information, downloading/uploading files and dropping additional samples.
Win.Worm.Gh0stRAT-7571319-1
Worm
Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Ransomware.Cerber-7571364-0
Ransomware
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although, in more recent campaigns, other file extensions are used.
Win.Malware.Kovter-7571676-0
Malware
Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.TrickBot-7577793-0
Dropper
Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Zusy-7572206-0
Packed
Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Threat Breakdown
Doc.Downloader.Emotet-7572697-1
Indicators of Compromise
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: ImagePath
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: DisplayName
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: WOW64
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: ObjectName
24
Mutexes
Occurrences
Global\I98B68E3C
24
Global\M98B68E3C
24
Global\IC019706B
1
Global\MC019706B
1
Global\8032E0D6835932960
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
169[.]254[.]255[.]255
1
198[.]58[.]114[.]91
1
93[.]189[.]42[.]146
1
5[.]2[.]75[.]167
1
104[.]236[.]28[.]47
25
133[.]130[.]97[.]61
25
Domain Names contacted by malware. Does not indicate maliciousness
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER
Value Name: EnabledV8
36
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER
Value Name: EnabledV9
36
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ozilixas
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uzurnpuj
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: esalaluj
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: agovoryb
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ozekyzhf
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004109A10090400000000000F01FEC
Value Name: OutlookMAPI2Intl_1033
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ixilxvuv
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: yxazigov
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ewetesyl
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: abizynyw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: amjsegsd
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iqapasjj
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jliwywoc
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: enowivic
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: isydipfb
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: elulyzod
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: yhyhohux
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ewpbizyd
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: orebujyj
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ojofukax
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: yrunyfeb
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: esfdozih
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uqihevur
1
Mutexes
Occurrences
Global\epugepiqupupamyhatuxadu
19
Global\yladonexilyjabufyfetetawinipipi
19
Global\usysisexaqicuseteqisexe
1
Global\ysywiqujeqikevotevasowogajirube
1
Global\obegahatyqujehinunyfijewydopuva
15
Global\urohamiratototacykojumi
15
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
216[.]239[.]32[.]21
5
216[.]239[.]38[.]21
9
128[.]31[.]0[.]39
25
216[.]239[.]36[.]21
7
216[.]239[.]34[.]21
8
86[.]59[.]21[.]38
21
193[.]23[.]244[.]244
10
208[.]83[.]223[.]34
22
194[.]109[.]206[.]212
27
154[.]35[.]32[.]5
25
171[.]25[.]193[.]9
17
Domain Names contacted by malware. Does not indicate maliciousness
Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (5540)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (252)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (177)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Kovter injection detected - (142)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Installcore adware detected - (103)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (100)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Dealply adware detected - (58)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Corebot malware detected - (15)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
Trickbot malware detected - (9)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Reverse http payload detected - (6)
An exploit payload intended to connect back to an attacker controlled host using http has been detected.