Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 21 and May 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Malware.Dridex-9863247-1
Malware
Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Ircbot.Ircbot-9863290-0
Ircbot
Ircbot, also known as Eldorado, is known for injecting into processes, spreading to removable media, and gaining execution via Autorun.inf files.
Win.Packed.Tofsee-9863322-1
Packed
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the size of the botnet.
Win.Packed.Zbot-9864764-0
Packed
Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Packed.Razy-9863698-0
Packed
Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data before sending it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Packed.ZeroAccess-9863627-1
Packed
ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.
Win.Dropper.NetWire-9863651-1
Dropper
NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Nymaim-9863762-0
Malware
Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Trojan.Zegost-9863903-0
Trojan
Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Threat Breakdown
Win.Malware.Dridex-9863247-1
Indicators of Compromise
IOCs collected from dynamic analysis of 22 samples
Mutexes
Occurrences
{ac5b642b-c225-7367-a847-11bdf3a5e67c}
22
{24d07012-9955-711c-e323-1079ebcbe1f4}
22
IP Addresses contacted by malware. Does not indicate maliciousness
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mssend
9
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\xrc3u3qyysxakx1bdrcfxnbvxqxzzzhi2\svcnost.exe
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\xipfdhpxs2y1uidtt2cf1dp1nsxhfhzv2\svcnost.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {45EBDE09-B8AE-3DDD-DDFF-11B333B2A8E0}
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {900ABDDA-74EE-F199-7D2F-060E7E8C2398}
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\x1vkixykjptuvcan2w3kxcmncbdke2up2\svcnost.exe
1
<HKCU>\SOFTWARE\MICROSOFT\FEDUO
Value Name: Mykefat
1
<HKCU>\SOFTWARE\MICROSOFT\OCLU
Value Name: Evsauc
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\x1tj3icmbo33xthrtlk2bschp2skmlsa2\svcnost.exe
1
<HKCU>\SOFTWARE\MICROSOFT\FEDUO
1
<HKCU>\SOFTWARE\MICROSOFT\OCLU
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\xbzmfecljkddemubtibatcqva3rwrkya2\svcnost.exe
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\xeelzmrnnktfqyecuwakgjpxewhhvob32\svcnost.exe
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\xdcjvf3kdsd3rjmtr2ebmtycyshibawe2\svcnost.exe
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\x2ipsjhqzrqeslkuo1nvhob3hhrpkrez2\svcnost.exe
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\xoeexpxwjohheodlyfxud2d12wc32usz2\svcnost.exe
1
Mutexes
Occurrences
GLOBAL\{<random GUID>}
2
Local\{<random GUID>}
2
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
212[.]95[.]32[.]68
5
173[.]224[.]125[.]54
3
172[.]217[.]165[.]132
2
217[.]20[.]127[.]169
1
217[.]20[.]112[.]31
1
217[.]20[.]115[.]138
1
217[.]20[.]115[.]192
1
89[.]149[.]242[.]11
1
89[.]149[.]242[.]31
1
89[.]149[.]244[.]18
1
89[.]149[.]244[.]131
1
89[.]149[.]243[.]82
1
217[.]20[.]127[.]170
1
Domain Names contacted by malware. Does not indicate maliciousness
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Process hollowing detected - (10061)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (4737)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Reverse tcp payload detected - (3026)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Kovter injection detected - (633)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
A Microsoft Office process has started a windows utility. - (594)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Trickbot malware detected - (519)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Dealply adware detected - (400)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (121)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.