Threat Round-up for Apr 21 – Apr 28

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 21 and April 28. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week’s most prevalent threats are:

  • Doc.Macro.MaliciousHeuristic-6298845-0
    Office Macro
    Office macro code is used to further compromise a target system. Macros can leverage external system binaries to execute other binaries to further compromise the system. This signature looks for code associated with hiding the core functionality by including junk code.
     
  • Win.Dropper.DarkComet-6301230-0
    Trojan/RAT dropper
    This is a malware dropper. It currently drops the DarkComet RAT. The file is a slightly modified version of wextract.exe, a legitimate Windows tool to unpack archives. The malware payload is stored in the resource section of the binary. The dropper binary is actually a multi-format file, and can be interpreted both as a PE executable as well as a cab archive. The modified Windows binary will extract the payload binary from itself and run the extracted file.
     
  • Win.Trojan.ServStart
    Trojan
    ServStart is a trojan that installs a persistent service on the victim’s machine. The service exfiltrates information about the infected computer including machine name, username, keyboard language, and computer performance specifications. The malware server can respond with commands to download and execute files, or execute shell commands. ServStart has been observed using multiple dynamic DNS providers for its command and control infrastructure.
     
  • Win.Trojan.Agent-6298180-0
    Trojan (credential stealer)
    This sample attempts to collect stored credentials from a number of installed applications and then attempts to transmit those credentials back to a PHP application on a possibly compromised server.
     
  • Win.Trojan.PWS-6299789-0
    Password stealer, injector
    PWS (also known as Fareit or Chisburg) is a credential & sensitive information harvester. Select information such as banking credentials or web browser password databases are queried for on the infected host. Any discovered data is propagated to a C2. These recent samples are protected with the Armadillo packer & rely on both code injections & dropped VBScript code.
     
  • Win.Dropper.Emotet-6301061-0
    Dropper
    This dropper is delivered through different mechanism, most of the time the victims is redirected to a website to get it through malicious pdf, http iframe injected. Once running on the computer the binary is gathering details on volume disk drive and other details, injecting process, dropping itself and contacting internet to execute more. Websites observed delivering ransomware and trojan banker.


    Threats

    Doc.Macro.MaliciousHeuristic-6298845-0

    Indicators of Compromise

    Registry Keys

    • N/A

    Mutexes

    • N/A

    IP Addresses

    • N/A

    Domain Names

    • storefronts[.]pl

    File Hashes

    • 23b90b1c55fdbbd371655da0ccf359e891deb51ed5bbc0ac772c5d572f4b3a42
    • 2471636a92daa0a54095aa66b55ad2fea5fd5d6372b0be9d65d1d1e2cef31bd5
    • 2b24221aabc8cd18e756a579b29a005fc9c33213f5ec963b9b6ccf4e6187b23b
    • 4b781b8370f973b9204b44c8ce3615692fc66c1613967a44924984d35fba7bc4
    • 4ee6b9bb8e903bed9a82c7dad6d62163e3a4f759ade5f5f8fcf899945bfd9264
    • 564c37dcd8322bd6e8cabc788f982a35f7d3e335c3d736ce544fc17a6b090183
    • 59b54e7c4e052adbc1d64dc61623af6f55db1a8692b373cb6ca871ba087feaac
    • 6930d456c506c94b9e19a08659181b7d376254dca652d0e56c305764867578d2
    • 6a0eae0addd6ce84966ac1bd006e9582036eaaa1011a38190f700871cc37de24
    • 7045d8f339cab73cf0ec7f31a7b3a31a84057f0b275f789f4bfed9dffee35564
    • 7638745d08de218fa16e9c0828ed0a1139223d3ebddf4bb528bc3ae185cea90e
    • 81cdded9aa21513ad9c6ae04455a7fce68129135f3358b9c5e28a80139e78f21
    • 93472e054b4b4fcc54a71a32b6275f8b35c8ef84490248d21c094f19a537c773
    • a0bfeb90468ddf50a3c85d5074e002b1d89995d6377eceeb0781ba5292facbcc
    • b3dfdfcfea160ed34eb69da55909294f78d2b5a6320cbf5151a3da01c6449631
    • c185559d0a38e782167beacff78a7a72544d82890b5e5723e6a25a70e6e16d59
    • d2c1b89129e3e26544bfbef3fac4567c3629817a98ded9ce5c7dee485d0364a9
    • f2e4fe273c4a8cc1cd7799d5558c58b8a08dfe160235dfa2eb2a8bad9bba40aa
    • 02481825e922c38ba797ebc18d5a8273ede8c5a4d52eecd2f58eb569533d780b
    • 06736e5f3127a54bbe6bb25f4a82ca95371e5cc8654a893c02d3d4e677e0b916
    • 21b039f3171f26911290dad3e1ce0da6d6d3545e11f9a119408922ac2ae06db6
    • 2643f9f8dce45983eac80feeebd16adbd498e3a644ef8b05bc40448be9342ddf
    • 2ac6b5487c69427476b48bcbbddd7646842e02363a0d4ebe1b1998da6d1f55a8
    • 2dad87b69ee91bfa71d911b791e5468efb6ce689ccc4cde3e91626cbfcfc14ab
    • 2f4853b54c36adf9ca9fbb163dacedee78b6b027fac3c24c72120e9d8cc6f01e

    Coverage

    Detection Screenshots

    AMP

    ThreatGrid

    Umbrella

    Malware


    Win.Dropper.DarkComet-6301230-0

    Indicators of Compromise

    Registry Keys

    • N/A

    Mutexes

    • N/A

    IP Addresses

    • N/A

    Domain Names

    • N/A

    File Hashes

    • 05C8DE4B97737440913F5C714082AD647281FA50F1904B1BF11EDB8560294FAC
    • 07D9D6DA8C6CD162DD9FC78AC48EAF82BC49D4239908AF354E44C4822FE06D62
    • 099ADD24586D77C5F2B8EFB9C33A8A11B5A0C11001A8534D9635A674ADC260AD
    • 0A155F4F20367E4D23B6D238208FA5F943A1341E47BDBB2DBC520CCB27AD120B
    • 150420EDB4BF00DADCF71601781DBE3BD6E34CBA767153B9F82307EDDF391395
    • 15F2BB3B4A12A6F5B0965FDE62AE21B2796D7659BBA8011FC22AF40D465984BE
    • 318B2A4F06345E95C63E4623F52E0E7C57257548C74E0C7A272FCB64D3F49692
    • 4B0BB06E09ED0B2EDB085641E125490E9B1A6CC5652C05C77C78E47CF9448D35
    • 507874BA705282183F928D3AE11ED5497A0F1EAC3368DE75C392D17749CB8EE9
    • 55FDFC65C0C10A958239E0447E5696989FE66557437EB725849BB578D882D74E
    • 5D31C073C4B7322A7DE871D533D520DE2444466D0C944CB06F6244D2CE57D49D
    • 6597E2DD82FC203BA2C609B358B2E0CAE37A4309808626DA27BD58614077D646
    • 6A23031FDD70C6D57D8FE9C8D3EFE6A423C38BF2D46B9B24959E5CA7D0714FCA
    • 6C652B0E4998456F150515EBF50CA569CF373BA709442F6909DD7D4330C83D2E
    • 6EB12C46F0605D8F915C8E895FC70D189D9E8825775EBDB464A9A24834887E60
    • 776B2679819B1E0385E1630EEEC50190DAAAEC0EEF9F659EE728C47991FABFBB
    • 77FA104262E3FF983B3418540FF744E0EAAE5E66388333ED785EF6F5AA2801F9
    • 7D6765A1F6589A554457D9363F702F65E81DDDA52EB62C600250E0F94C473A16
    • 8590486CD299DAA9BF42497EF28028364E4E18B6C60B725736A7D2DDC73BBC2F
    • 92EABA06563800BA670249E90D91C32F9D315889439BCAA73F24D2C08E285B84

    Coverage

    Detection Screenshots

    AMP

    ThreatGrid


    Win.Trojan.ServStart

    Indicators of Compromise

    Registry Keys

    • HKLM\SYSTEM\CONTROLSET001\SERVICES\NATIONALLWC\Description
      “Providesufl a domain server for NI security.”

    Mutexes

    • Nationallwc

    IP Addresses

    • N/A

    Domain Names

    • syhaw1516.codns[.]com
    • wrop0422.codns[.]com
    • ansbase.9966[.]org

    File Hashes

    • fbbc6852ff1947fcd820b90e60ab71af93ffad079bd13a0d2b514955bb1c9d62
    • 40eddfac964b69ee2e26742faaacfe50960fa0232a1b9a11c382e61cecd700ff
    • 6106eda3ae39449fec42db2caf4f1b5f994d72b5a759dddfd77a8a29ebb3f497
    • c106435a2aced27d03ee5531eda025b14cec106106a1c7ca750127090f6d2039
    • 8d4366eff17da1c18ab3fed1692628756a8f41f3145877f895b7ef950055262f
    • 3be7ab79f032cf24b09fc05b08544fd61ec7e3fd355f8ab7b4580eb43d8c3e55
    • ff6b7320d6b75a638c0f2d024f43853dd78993276a8f6b5f7463d6317858dd9c
    • c9a193d273f606860bee0dd4a878a6421233b05ac4c6faf357d9324f0d6a575a
    • 932d8d5829570237e9ab7688dd2d3c03812a05157f72af124cabf530be583789
    • ba07a79a2f4d51eaac585b0f50e3b1e61d8fc555592aadb1e5d3916fb26b0e27

    Coverage

    Detection Screenshots

    AMP

    ThreatGrid

    Umbrella


    Win.Trojan.Agent-6298180-0

    Indicators of Compromise

    Registry Keys

    • N/A

    Mutexes

    • N/A

    IP Addresses

    • 212.129.14[.]211

    Domain Names

    • tranexestin[.]com

    File Hashes

    • afc3ba4941b89a4467e2f1a4ab0df2c88ef5e39264182a4b3a2dbbfa5b022e3f

    Coverage

    Detection Screenshots

    AMP

    ThreatGrid

    Umbrella


    Win.Trojan.PWS-6299789-0

    Indicators of Compromise

    Registry Keys

    • USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • \MACHINE\Software\Wow6432Node\Microsoft\Tracing
    • \MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASMANCS
    • USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    • USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft
    • USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
    • USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Visual Basic\6.0
    • \MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASAPI32
    • USER\S-1-5-21-2580483871-590521980-3826313501-500\Software
    • USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
    • MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\Visual Basic
    • USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2

    Mutexes

    • N/A

    IP Addresses

    • 92.53.96[.]120

    Domain Names

    • cv42569.tmweb[.]ru

    File Hashes

    • dddde27836842e0f950b5622e1be7a0f51072db573b2f2e41d20d4b4c45028d8
    • dc086f745c35b2abe58675e546b475ed64f15ea6e9d4492a0502476f784ea85c
    • 97cd05c529002b85ae756a9e7b7da7a538026583f0886a235cf48b72c378551a
    • 2992c6ce7ccda6fef751a912eafb8a31e3426bde8964ccf31b0512390bd61615

    Coverage

    Detection Screenshots

    AMP

    ThreatGrid

    Umbrella


    Win.Dropper.Emotet-6301061-0

    Indicators of Compromise

    Registry Keys

    • N/A

    Mutexes

    • N/A

    IP Addresses

    • 188.165.220[.]214

    Domain Names

    • N/A

    File Hashes

    • f566fdc382f6988599cb16894d8a9a92e291d83574834de705d6367b520b6b50
    • dda1fffa38e3f9d30833d201b542422aed15a41253b2a72797ad38dfba8fe535
    • 6d4fa878e2930cb3bedc2078855f6d7db7b6b136464f6dff256d8c62657b505f
    • 8ad1c1655d6d3b2a4931ae2dd9eb4e3b7be488a7f39b9c396fe1eeda2eda05a7
    • c0e8a92ba6ce12d803ecfccd01432f855e6fd9ad19825602a74a081459e25389
    • 5598fdcc6c0c2e7bdb095193a5f986e6cf22fdcca26c2e8451c46d787ef18435

    Coverage

    Detection Screenshots

    AMP

    ThreatGrid

    Umbrella

    from Threat Round-up for Apr 21 – Apr 28

    Advertisements

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s