Malware Round-up For The Week of Feb 27 – Mar 3

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed over the past week. Unlike our other posts, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Win.Ransomware.Cerber-5901829-0

Ransomware

Cerber is a ransomware variant which encrypts a user’s personal data such as office documents, pictures, and music. Cerber also attempts to exfiltrate browser history. If Cerber is unable to reach C2 server specific domain names, it will ping specific IP Address ranges over TCP on port 6892.

Indicators of Compromise

Registry keys created

Key Value name Value data
HKEY_USERS\Software\Microsoft\ Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\ mshta.exe Microsoft (R) HTML Application host
HKEY_LOCAL_MACHINE\SYSTEM\Cont rolSet001\Control\Session Manager PendingFileRenameOper ations \??\C:\001984854a008441d5a8804 10dd582a0ee6f68bbc0068abeab1f4 df1ae0b8af9.exe

Registry keys modified

  • N/A

Mutex Created

  • shell.{3EB72F14-EB8C-7844-D6B0-CDB105275440}

Files Created

Cerber drops a file named README.hta in all places it’s encrypting files and on disk in the following locations:

  • %HOMEDRIVE%\README.hta
  • %APPDATA%\Microsoft\Windows\Cookies\Low\README.hta
  • %ALLUSERSPROFILE%\Sample Pictures\README.hta
  • %ALLUSERSPROFILE%\Cookies\README.hta
  • %HOMEPATH%\Contacts\README.hta
  • %HOMEPATH%\Desktop\README.hta
  • %TEMP%\README.hta

Note that this is a non-exhaustive list.

    IP Addresses

    • 104.16.149.172
    • 194.165.16.0/24
    • 194.165.17.0/24
    • 194.165.18.0/24
    • 194.165.19.0/24


    Domain Names

    A DGA algorithm is used to generate the host and the domains name in use. Currently hosts contacted look like:

    • vyohacxzoue32vvk.[a-z0-9]{6}.(bid | top)
    • btc.blockr.io

    More generic domains can be identified with with regex: [a-z0-9]{16}.[a-z0-9]{6}.(top|bid)

    Example:

    • hjhqmbxyinislkkt.1mvku2[.]top

    File Hashes

    • 001984854a008441d5a880410dd582a0ee6f68bbc0068abeab1f4df1ae0b8af9
    • f1246caf5b90ffaa5dc03d7c74be88c866627730e79c8da722799b11c576afaa
    • bdb7527abf68bd948502dcbd8663382b822910344c21fce1ac9bc0036cb26274
    • b48cec5ed5334f1526308bd9e40cde4877265fad488fd6d7935bd6b19edb196a
    • 349ed9b9bd21ef37e31b062793b5648f87607b8815a32d425dca5a322d4e5b9e
    • cd96f99b90ed85833ac19508d9c445a7352c971819e68073789aaf827fc21c2a
    • c441013fcffe2b8bc71c4254882341883eab29db3eab05148c25b747113447ab
    • 553d1a73ad634922ad77a317ca3ccd6a0b27a5d67b3429d0f08ea7c7b9967401
    • 11a375d808fe0d440bbb6808766fc648a210b5621ae80908673b4f358ebae8ff
    • 623c520afc9b32b4777accd9cb9b4422f49a53fc9fe6ff7dc21b7ffd783563ed
    • bc753af8a4b203091fb6924e8f88a180e259ac77500eb056b7d04d840ee884e4
    • ffde0727f1b487d1a7b84912a2d923e5a7e5443673bee34e89acfd70ef7b1918
    • 182dee2062bbbefad0090da61a8b4bdf9d95fa7db621fac9725ad165505b4f1b
    • d5ffa9e5b51342eb7c6df5fe7cd60d95ad74955617524148b6e20bc054f0d151
    • 938986cb2e87323e482e9d772200157abcacbbe9f962f197276555f750b24c25
    • e5ecdb92220696f09ad3500d8e52da3ecfb4f6e00cce6d0a9f224b30e7071394
    • b48e859aa8e297cf0bf6bb312c8845f18c4b822e84f6196ffde4d6a08530efd7
    • d2c8cc05a9ff073b7cf20026dee5f75a40125babb3c511e22627c9b2e4cf4c44
    • 435b6935c28a3aad18a0d065c5ed851b797ae6963ae151b96628fff6d1bd8b59
    • 63e1232a12bf86e1bdf9c1527b64eb3e6ae7cd1edb29ce9e2d518912e42d53aa
    • 515e6c0cc23d0f8ff7a57737fbc1a7f06cdc86a46985086f91e39afa6d884da7
    • c8e32211dc0e0f5477d5424831f1261786adbca862c63f581d88d4448ecdbf1a
    • 1180dac56afb5cdb93f910f4f1e9abcb2584462186ec26b7cc7fae8ae4d99db4
    • 082496e6e7f49099ac4fe0f6d0652c3a8a2b87f54b05fcf1efef9e006cfa57a7
    • 8fd920aa1a4d2b7e7082758c3fe6212fa664258862bfd05ca977a7e01456a2bf
    • facb0523eb66f1b2262a81a5fb898c4ab3012c3ade377833906a43d5942ceff0

    Coverage

    Detection Engines

    ThreatGrid

    Umbrella

    Malware Screenshots


    Doc.Macro.Generic-5900096-0

    Macro downloader

    Macro enabled office documents can be used to download malicious software or perform malicious operations on a system. This treat focuses on a common method used in macro code to download malicious software from an external source.

    Indicators of Compromise

    Registry keys created

    • N/A

    Registry keys modified

    • N/A

    Mutex Created

    • N/A

    Files Created

    • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\<download_file>.exe

    IP Addresses

    • 89.248.103.159

    Domain Names

    File Hashes

    • 3641801c289e5f76ba3a10858567b15a46640ba26ea7d8402eff2016ad4067fc
    • 607aaabcff0390969193e26f2e5c6ecebc879686028ca39e29c1a4cf10267378
    • 433f3d7209ca4be18b5afdef5651c46ec8f5f955a962f3faf7cc472108ff01d4
    • 0e3cc78a6cc51199816d459ba6281e330fee7f4b6e0dd6f9d9c818874651cafa
    • a8996fcc148fd2fd82c1551d3d874d7b4550fcab4ad4bdbdf7c5a7f0db7ec70a
    • 21cb74721704ed761414a3929dec6d4723416594957a3c3b6075855e4f740729
    • 1284cf7a0710e38584d430df6cdabda80c321a124b278e010ca0f2f70ba2e53b
    • 1352bacc05c1f5414a1f1393c87044f533d2e3c293d42fae1753e3f55f6898ce
    • 8f208af31938adbbcf311317e43e14f8ab181b3038e399e2ba1dff2004c5378e
    • f41e5af285ec67f0d08910a91434a5cac4edbcf0bb2713e7773ebe582ccd5d46
    • aed55db2b5be215986d182743f07a64d450b26dc4f29007e9ae2192edaf3b924
    • 9df62b06bb1c7ff1fcd863d072375c46f6c4132be9dbd89619be1e59993e4d94
    • fcc21c98615be7118730e801e15122fad58a8fa75e7d27aff2917694fb465c61
    • e89f1ae146aa47bbf5aff559d19b3a91453ef174759a3c4bb2a67c809f6e22c0
    • ddaeae452c0c61842316f574ef77fcd3fcba80df4afc4e22a444ec500663bef9
    • dd7a69629cc7c0c975bdc18eee9e7b6c38e846854e6ac01900aa0d1ae332fe62
    • d8f52f4f6c8b344dcc421577c77746f7175fb74fa1222578092e10b5c0be07be
    • ba20e30a94e8a815bddfc099df321cdad7d72927f944cb20ec200bf0291d3398
    • b195291047d3c48738c48bbb604f4c5e85aec9dd03ccae29924acc7cff9a03a6
    • 8a6f159fa8d744a384ab0dd5047de64e3bf6e99065afd35e96f42fb832230f9b
    • 814b26f19c396af49ba0d39d434ab30c994984426996dc11c6f7418d80648609
    • 70a18da4a41d5aa74b943f8c9a0572e8324d66826f64de7ea548e58a89cacaa5
    • 4e21a3b4ebc76407f70f2b9d9e3a30eec54e4fbeaa64020ac0648873c52b5905
    • 4b895aaf6631ae677efc53ba9e416a444bc78df3cd2e3da400aa2968a9ae8db2
    • 4b759728a284da96aefe30ea5f4b668d96dccd8c2f9630bf6786eb26b5650a06

    Coverage

    Detection Engines

    ThreatGrid

    Umbrella


    Win.Trojan.Infostealer-5900674-0

    Trojan (credential stealer)

    Infostealer is a Windows trojan & acts as a stealer for credentials submitted through the Mozilla Firefox & Google Chrome web browsers. It uses a SQLite database to store the harvested credentials. Observed samples were written in the Delphi & packed with UPX. With no discernable network traffic during runtime, we suspect that the stolen credentials are held locally for another component in attacks that drop this trojan.

    Indicators of Compromise


    Registry keys created

    • N/A

    Registry keys modified

    • N/A

    Mutex Created

    • \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-2741372430-2673733078-4290318639-500
    • \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-2741372430-2673733078-4290318639-500
    • \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-2741372430-2673733078-4290318639-500
    • \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-2741372430-2673733078-4290318639-500
    • \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-2741372430-2673733078-4290318639-500
    • \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-2741372430-2673733078-4290318639-500MUTEX.DefaultS-1-5-21-2741372430-2673733078-4290318639-500

    Files Created

    • %TEMP%\sqlite3.dll
    • %SystemDrive%\history.txt
    • %APPDATA%\moz.tmp
    • %TEMP%\0.tmp
    • %TEMP%\31379.tmp
    • %SystemDrive%\pass.txt

    IP Addresses

    • N/A

    Domain Names

    • N/A

    File Hashes

    • 68f794cefe42c5b746abea703856036fed7ceaf571220874d8b70782d8d81569
    • 2940298afc9b926b95a501ae12b28024b2e070eabffe28ca3da0f08f33c2c6c8
    • 62aa96177f224e58362278d3424f90ebd4512b61214a36024685b0c7704ec60a
    • 6850b01820037dbf2264f43140ff7780c35abef14d8c6e6bd8da9248a1b88943
    • 864f375840c009d6260e2ac143dd09404e262b012e1ee4a16902f99004cbc862
    • 68f794cefe42c5b746abea703856036fed7ceaf571220874d8b70782d8d81569
    • a38ac23db7f5c3343285e3a17d48823756c56e9a946e56fdd9612265c40f9f99
    • c8badfa7fe40d9bc10a33c118a75b920b4eb8f2f3d831376c095ba02515c7176
    • e8e697802bf0219cb54ab97910d436ef2e7dbe1c2a4abf0b406a42e2507265c1

    Coverage

    Detection Engines

    ThreatGrid


    Doc.Macro.Laroux-5893719-0

    Macro downloader

    Macro enabled office documents can be used to download malicious software or perform malicious operations on a system. This threat focuses on a common method used in this malware family to start code execution.

    Indicators of Compromise

    Registry keys created

    • N/A

    Registry keys modified

    • N/A

    Mutex Created

    • N/A

    Files Created

    • N/A

    IP Addresses

    • N/A

    Domain Names

    • N/A

    File Hashes

    • 0e6dcb17c222cf90bec20d6e2f4e7e8ce3c0a6ea3a9960e5914be4eb8dce6cab
    • 155a0409cecddf0ac869ca2c15a2b55c746c6f940ee3d8a9f08a91554add7b2d
    • d3678428b6939ed19211b5b88a079f33e556d4e547c5acb1eaa148366d0b6e6d
    • 13853b3d52b4e19a7a4b1dfb620f6ee28fc02ff3fb6162ebfca3ee6219a30bbc
    • 78fcadb4d82afe19799c4a47626a8faf75fc56ecde28bd250f33f90e79c65e42
    • 949dcec4d0a79d1296366353794a275b0bea056bb099558f8c231afe8cb9adff
    • be1e11932dd5820dc45e3fdcde360af6634dfc0da5cbf9de9b7a717de50b0ec9
    • 529239d98ee139cc276daff5db157746a2a421cbe0f7bd870a8f10d51452bb20
    • afd854fa48077adb87b3e700f6695c9d5ef74e77353328337ef7c591060f5f89
    • d5111633f192a9a83cc39b4d8c9717a0d284a00acc1af4274f85319ac0034505
    • 0d1a187f252848e219053845351c3b07d440587d55cc624b0b2d59419ea8a896
    • 180caf6d44cdec9c977aac2f2bd2d15ba10477bcba7bccbaba720503dd5eb021
    • 4701392544a60dc493e13179ab0b3a709217961353e6e404a40d2278b4dbd6d2
    • 4c499c70249e9e953c0b63f13c3d2c368e07b04e0a44cb1b3fd05e4aa4f13f56
    • 6921de7df37141ca093a24d1184e4812ce5883cc86383f6435d85ff561c58bc6
    • b2de2b00c0494238c04784e7a03307d1680eee4f2e6a8b40df455bf91db8898a
    • b332cde3d53ff68390f666f86f270ca005926ae66d47322fac839291518db1ef
    • 1bc489abc45a3db159c2d43cb220f3f3e7aaa6d40eba49758150e40c3df03ff2
    • 40e498704f3f4f807e807f59c0644e457e1690847d43dcbd43aa1b4d41b41e4a
    • 5e930fe0323d09a4e7c10edbc8bf8d51e2826be344a3778695c7adb8eda10ca4
    • 66d223fd0f0b2ce642755bb18f876e919c91dfedcdb84ffb79eba2de8b0e10eb
    • 6abffacb8a95bf7d67fe7544f2020e90109be89a0a5ec754def98377b361e81f
    • 6b03f59727e07f63340c1a1603538c107d2008c08fb34f3f47d6ecb352b391f0
    • 7a2e044f1716d2236800dd4dd186cd5224abe779692cd5e0767714798aaa430a
    • 7a750bd06456920deeb26929b5bfd8c9a7a0106c917e0aacd79b7b39ba505675

    Coverage

    Detection Engines

    ThreatGrid

    Source: Cisco’s Talos Intelligence Group Blog @ March 3, 2017 at 03:09PM

    0
    Share