Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 26 and Dec. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of a technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique behavior and the brightest indicating that the technique behavior was observed in 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Win.Malware.Emotet-9910766-0 (Malware): Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. It is commonly delivered via Microsoft Office documents with macros sent as attachments on malicious emails.
Win.Trojan.Darkkomet-9912346-0 (Trojan): DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool, such as keylogging, webcam access, microphone access, remote desktop, URL download and program execution.
Win.Trojan.Nanocore-9912485-1 (Trojan): Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Trojan.Zbot-9912583-0 (Trojan): Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Malware.Ponystealer-9912671-0 (Malware): Ponystealer is known to steal credentials from more than 100 different applications and may also install other malware such as a remote access tool (RAT).
Win.Malware.Noon-9912872-0 (Malware): This family is highly malicious and executes other binaries. These samples contact remote servers, upload information collected on the victim's machine and establish persistence.
Win.Trojan.Zeus-9912932-0 (Trojan): Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.
Win.Worm.Vobfus-9913252-0 (Worm): Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so it launches when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
Threat Breakdown
Win.Malware.Emotet-9910766-0
Indicators of Compromise
IOCs collected from dynamic analysis of 13 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: internat.exe (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP, Value Name: Collection (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpNetbiosOptions (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS, Value Name: DhcpNameServer (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpNameServer (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS, Value Name: DhcpDomain (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpDomain (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpNameServerList (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpSubnetMaskOpt (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpDefaultGateway (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS, Value Name: DhcpScopeID (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS, Value Name: DhcpNameServer (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpNameServer (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpDefaultGateway (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpSubnetMaskOpt (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP, Value Name: Collection (2)
<HKCR>\.F6FF (2)
<HKCR>\.F6FF\Q (2)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: c8d0ed15610399e1c1d6a7a477f85dc9 (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpInterfaceOptions (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpInterfaceOptions (2)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}, Value Name: DhcpInterfaceOptions (2)
Mutexes (occurrences)
Local\Shell.CMruPidlList (13)
Local\MidiMapper_modLongMessage_RefCnt (3)
_38CQ (2)
_38CS (2)
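Not every entry in the two tables above is worth hunting for. The Run-key values (internat.exe and the 32-hex-digit name) and the two short mutexes (_38CQ, _38CS) are the malware's own; the Dhcp* values under SERVICES\TCPIP and SERVICES\NETBT, the firewall's PortKeywords\DHCP entry and the Local\Shell.CMruPidlList and MidiMapper mutexes are written by Windows itself when the sandbox boots and obtains a lease, so they match on almost any healthy host. The following Python is an added example, not code from this post or from Talos: it normalises registry paths and mutex names as endpoint sensors report them, matches the high-signal entries, and skips the noise. The hostnames, the telemetry records and the 32-hex-digit naming heuristic are assumptions made for the demonstration.

```python
"""Hunt for the Emotet host IOCs tabled above in endpoint telemetry.

Added example for this roundup, not Talos code; the event records at the
bottom are constructed for the demonstration."""
import re
from dataclasses import dataclass

# High-signal entries from the tables: autostart values under the per-user
# Run key and the two mutexes that are not Windows' own.
RUN_KEY = r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
RUN_VALUE_IOCS = {"internat.exe", "c8d0ed15610399e1c1d6a7a477f85dc9"}
MUTEX_IOCS = {"_38CQ", "_38CS"}
# Low-signal entries from the same tables.  Windows writes these itself
# (Explorer's MRU mutex, the MIDI mapper, DHCP lease state, the firewall's
# DHCP port keyword), so they also appear in sandbox diffs of clean software.
NOISE_MUTEXES = {r"Local\Shell.CMruPidlList", r"Local\MidiMapper_modLongMessage_RefCnt"}
HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
                "HKEY_CLASSES_ROOT": "HKCR"}
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
OBJ_DIR = re.compile(r"^\\(Sessions\\\d+\\)?BaseNamedObjects\\")


@dataclass(frozen=True)
class RegistryEvent:
    host: str
    key: str
    value_name: str


@dataclass(frozen=True)
class MutexEvent:
    host: str
    name: str


def normalize_key(key):
    """Canonicalise a registry path the way the post prints it: short hive
    name, no angle brackets, upper case, CurrentControlSet -> ControlSet001."""
    hive, _, rest = key.strip().partition("\\")
    hive = hive.strip("<>").upper()
    hive = HIVE_ALIASES.get(hive, hive)
    return hive + "\\" + rest.upper().replace("CURRENTCONTROLSET", "CONTROLSET001")


def normalize_mutex(name):
    """Drop the object-directory prefix that some sensors include."""
    return OBJ_DIR.sub("", name.strip())


def is_registry_noise(ev):
    """DHCP client state and the firewall's DHCP keyword from the table."""
    return (ev.value_name.lower().startswith("dhcp")
            or "\\SERVICES\\MPSSVC\\PARAMETERS\\PORTKEYWORDS\\DHCP" in normalize_key(ev.key))


def check_registry(ev):
    """Return (severity, reason) for a suspicious Run-key value, else None."""
    if is_registry_noise(ev) or normalize_key(ev.key) != RUN_KEY:
        return None
    if ev.value_name.lower() in RUN_VALUE_IOCS:
        return ("high", "Run value matches Emotet IOC: " + ev.value_name)
    if HEX32.match(ev.value_name):
        # Heuristic added here, not from the post: an autostart whose name is
        # a bare 32-hex-digit string looks like the second Run IOC above.
        return ("medium", "Run value with hash-like name: " + ev.value_name)
    return None


def check_mutex(ev):
    """Return (severity, reason) for an IOC mutex, else None."""
    name = normalize_mutex(ev.name)
    if name in NOISE_MUTEXES or name not in MUTEX_IOCS:
        return None
    return ("high", "mutex matches Emotet IOC: " + name)


def triage(registry_events, mutex_events):
    """Return (host, severity, reason) tuples, high severity first."""
    hits = []
    for ev in registry_events:
        r = check_registry(ev)
        if r:
            hits.append((ev.host, *r))
    for ev in mutex_events:
        r = check_mutex(ev)
        if r:
            hits.append((ev.host, *r))
    return sorted(hits, key=lambda h: (h[1] != "high", h[0]))


# Constructed telemetry for the demonstration, not data from the post.
SAMPLE_REGISTRY = [
    RegistryEvent("ws01", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "internat.exe"),
    RegistryEvent("ws01", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "DhcpNameServer"),
    RegistryEvent("ws02", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"),
    RegistryEvent("ws03", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "c8d0ed15610399e1c1d6a7a477f85dc9"),
    RegistryEvent("ws04", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "0123456789abcdef0123456789abcdef"),
]
SAMPLE_MUTEXES = [
    MutexEvent("ws02", r"\Sessions\1\BaseNamedObjects\Local\Shell.CMruPidlList"),
    MutexEvent("ws03", r"\Sessions\1\BaseNamedObjects\_38CQ"),
]

if __name__ == "__main__":
    for host, sev, why in triage(SAMPLE_REGISTRY, SAMPLE_MUTEXES):
        print(host, sev, why)
```

Run against the constructed records, ws01 and ws03 are flagged on exact IOC matches (ws03 twice, once for the Run value and once for the mutex), ws04 is flagged at lower severity by the naming heuristic, and the DHCP value on ws01 and the Explorer mutex on ws02 produce nothing. Treat even the high-severity hits as a starting point for investigation rather than a verdict, as the roundup's own caveat says.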
IP Addresses contacted by malware. Does not indicate maliciousness