Cisco Talos Intelligence Group - Comprehensive Threat Intelligence

Talos’ tips for staying safe while shopping online this holiday season

2021-11-17T09:26:00.004-05:00

By Jon Munshaw.

Attackers will resort to all tactics to trick users into downloading malware, handing over credit card data or completing compromising their machine.

No topic is off-limits, and threat actors have resorted to using everything from PlayStation 5 sales, to COVID-19 cures and news on nuclear weapons as part of their lures over the past year. And these spam attacks will only ramp up over the next month as consumers across the globe shop online for the holidays.

Adobe Insight’s recent “Holiday Shopping Forecast” predicts that spending for e-commerce will top $200 billion during the holiday season for the first time ever. The report also specifically warned that there will be supply chain shortages this year due to the pandemic, which is likely to force online shoppers into long virtual queues or push them to shop even earlier than usual.

While consumers always need to be diligent during the holiday season, supply chain issues this year linked to the COVID-19 pandemic could create even greater challenges and inspiring new cyber scams, especially with popular video game consoles and other electronic products in short supply.

News is likely to move quickly around online shopping scams and cyber attacks starting the week of Thanksgiving, so this should serve as a hub for all of Talos’ advice to stay safe while shopping online this holiday season.

For some quick-and-dirty tips, listen to the Talos Takes episode we recorded last year around this time where we provide a general overview of how to stay safe when shopping online. This is advice that applies any time you are shopping online, not just during the holidays.

We’ll also have a new Talos Takes episode releasing the week of Thanksgiving and Black Friday that covers specific threats shoppers could see this year with additional complications around the supply chain and the pandemic.

In the meantime, you can watch Nick Biasini’s appearance on a local CBS station in North Carolina. The head of Talos Outreach discussed how supply chain shortages are fueling scams this holiday season.

For defenders, be on the lookout for top-level domains like .top, .stream, .trade and .bid, which are traditionally responsible for the majority of spam emails Talos sees during this period.

Here are some other important tips for avoiding holiday shopping scams:

Only download apps from trusted and official app stores like the Google Play store and iOS App Store.
Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features.
Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com).
Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening it.
Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals.
Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure.
Use complex passwords that are unique, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords.
Manually type in URLs to sites you want to visit rather than clicking on links.
Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access.

Attackers use domain fronting technique to target Myanmar with Cobalt Strike

2021-11-16T07:00:00.000-05:00

By Chetan Raghuprasad, Vanja Svajcer and Asheer Malhotra.

News Summary

Cisco Talos discovered a new malicious campaign using a leaked version of Cobalt Strike in September 2021.
This shows that Cobalt Strike, although it was originally created as a legitimate tool, continues to be something defenders need to monitor, as attackers are using it to set up attacks.
The threat actor in this case uses domain fronting with the Cloudflare Content Delivery Network, redirecting a Myanmar government owned-domain to an attacker-controlled server.
The threat actor employed the tactic of re-registering reputed domains in their attack chains to evade detections.
This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably T1202 - Indirect Command Execution , T1027 - Obfuscated Files or Information, T1105 - Ingress Tool Transfer, T1071.001 - Application Layer Protocols:Web Protocols.

What's New?

Cisco Talos discovered a malicious campaign using an obfuscated Meterpreter stager to deploy Cobalt Strike beacons in September 2021. The actor used a domain owned and operated by the Myanmar government, the Myanmar Digital News network, as a domain front for their beacons.

The evolution of this threat indicates that the attackers have been active since at least August 2021 using a combination of Meterpreter stagers and Cobalt Strike beacons to establish presence on victim's endpoints.

How did it work?

The malware is typically a loader that runs on a victim machine, decodes and executes the Cobalt Strike beacon DLL via reflective injection. It loads several libraries during the runtime and generates the beacon traffic according to the embedded configuration file. The configuration file contains the information related to the command and control (C2) server which instructs the victim's machine to send the initial DNS request attempting to connect to the host of the Myanmar government-owned domain www[.]mdn[.]gov[.]mm. The site is hosted behind the Cloudflare content delivery network and the actual C2 traffic is redirected to an attacker controlled server test[.]softlemon[.]net based on the HTTP host header information specified in the beacon's configuration data.

So what?

Cobalt Strike has been used by many actors in the past and is a de-facto standard tool for post-exploitation activities and pivoting. Attackers use it to deploy a wide range of payloads, from commodity malware, to sophisticated state-sponsored activities.

Cobalt Strike allows actors to shape the traffic of beacons to mimic legitimate traffic patterns. One of the techniques to conceal the traffic from DNS-based filtering is Domain Fronting. Domain fronting uses legitimate or high-reputation domains to remain undetected by defenders. The attacker's choice of Myanmar-specific domains for domain fronting may indicate an interest in the geopolitics of this area of the world.

In this campaign, the actor used staged payloads using the Meterpreter stager, which gives an indication that the beacon will be used for further attacks. The defenders should be constantly vigilant and monitor network traffic to detect Cobalt Strike activities, since it is one of the most commonly used offensive tools by crimeware and APT operators.

Evolution of the campaign

A study of the evolution of the campaign shows the actor experimenting with different combinations of hosts with the intent of perfecting the domain fronting technique.

The earliest beacon discovered around the middle of August 2021 contains the C2 URI set to test[.]softlemon[.]net while the HTTP Get and Post requests headers are pointing to dark-forest-002[.]president[.]workers[.]dev which is a Cloudflare serverless workers domain. The default host header configuration for request contains the host name test[.]softlemon[.]net, which is also used by more recent samples.

Another sample discovered in late August 2021 consisted of the C2 host URI xxx[.]xxxx[.]tk and the host header setting configured to point to test[.]softlemon[.]net.

Beginning September 2021, the attackers started using the Myanmar Digital News domain for fronting their beacons. While the default C2 domain was specified as www[.]mdn[.]gov[.]mm, the beacon's traffic was redirected to the de-facto C2 test[.]softlemon[.]net via HTTP Get and POST metadata specified in the beacon's configuration.

The actor likely changed the configuration to test their infrastructure and the domain fronting functionality before launching the attack. Based on the beacon configuration template and the real C2 host test[.]softlemon[.]net, we assess with moderate confidence that the samples are created by a single actor.

Timeline of malware samples first seen in the wild.

Cobalt Strike beacon configurations

We extracted the beacon config from the payload that showed us the actor has used different values for the User Agent, C2-Server and Host-header in different malwares of this campaign.

The beacon configuration of samples usually has a User Agent, which is Mozilla compatible and of Windows 7.

C2 server, UserAgent and de-facto C2 variations in the beacons.

Watermark

The Cobalt Strike watermark is a number generated from the license file and is unique to a Cobalt Strike license. The watermark on the beacons used in this campaign was 305419896 (hex: 0x12345678).

This particular watermark has previously been attributed to a leaked Cobalt Strike version and is unsurprisingly used by other malicious actors, such as Maze ransomware and Trickbot groups, making attribution based on the watermark number impossible. It is difficult to assess if the usage of the previously registered expired domain for C2 server and the leaked Cobalt Strike point to an increased operational security awareness of the actor or to limited resources available to them.

Domain fronting

The actor in this campaign has used domain fronting, which is a technique which can use high reputation domains to conceal the Cobalt Strike command and control traffic. A government domain of Myanmar www[.]mdn[.]gov[.]mm was used in this particular instance.

The fronted domain mdn[.]gov[.]mm is a legitimate domain of Myanmar Digital News, a state-owned digital newspaper. This website has previously been compromised in February by the Brotherhood of Myanmar group, a collection of militia groups. Although there are no indications that the previous defacement of the domain by the Brotherhood of Myanmar and the campaign described in this post are related, the domain itself is clearly of interest to various actors.

Domain fronting can be achieved with a redirect between the malicious server and the target. Malicious actors may misuse various content delivery networks (CDNs) to set up redirects of serving content to the content served by attacker-controlled C2 hosts. Cloudflare is one of the CDN services that provides its users with a globally distributed cache for files hosted on their servers. Cloudflare identifies distributions by the FQDN used to request resources. Cloudflare users have the option to use their own subdomain and create a DNS record that points to Cloudflare. This subdomain tells Cloudflare to associate that DNS record with a specific distribution.

The beacon calls home www[.]mdn[.]gov[.]mm,/api/3 and has set the Host header to the actual C2 server test[.]softlemon[.]net. The beacon traffic resolves to a Cloudflare IP address. The DNS request that led them there will be lost and relies on other parts of the HTTP request, including the Host header and the actual C2 test[.]softlemon[.]net.

Summary of domain fronting of Myanmar government's domain.

Cobalt Strike payload

The beacons are of particular interest due to the domain fronting technique using a government host as the initial DNS lure. The MITRE ATT&CK framework techniques used by this malware are:

T1202 - Indirect Command Execution
T1027 - Obfuscated Files or Information
T1105 - Ingress Tool Transfer
T1071.001 - Application Layer Protocols:Web Protocols

We also analysed the loader binary to find specifics of its memory loading and functionality.

We spotted a suspicious section .kxrt with the packed and encoded malicious code. The malware links several functions at runtime and has the Meterpreter staging code.

When the malware runs, the .tls section runs first, loads the libraries and starts the execution of the malicious code at the entry point in the .kxrt section. The entry point code calls a function to allocate virtual memory in its own process space.

Function at address 00401550 shows the allocation of virtual memory.

The loader next calls the VirtualProtect function to set the virtual memory page permissions to Read-Write-Execute and writes the image base of the Cobalt Strike beacon which will be executed in a new thread.

Function sets the virtual memory page permission to Read-Write-Execute.

We spotted two libraries linking during runtime. Aside from this, there are several other standard libraries the malware links during the runtime.

Function that loads library during the runtime.

After allocating the virtual memory and setting the page permissions to Read-Write-Execute, a decryption routine is executed that decrypts the remaining malicious code in the .kxrt section and writes it to the virtual memory.

Decoder routine to decrypt the beacon DLL.

The decrypted malicious code is the actual Cobalt Strike beacon. Once decoded, the loader's execution jumps to the beginning of the DLL resulting in a reflective-load of the beacon into the loader process memory. This beacon is now responsible for decoding the configuration.

Stack view of info loaded from the beacon config.

The beacon resolves the proxy by calling WinHTTPGetProxyForUrlEx and WinHTTPCreateProxyResolver to bypass the proxy for the URL.

Function that resolves the victim's system proxy for the URL.

Soon after that, the beacon initiates the Cobalt Strike beacon traffic to the C2 server. The DNS request for the initial host resolves to a Cloudflare-owned IP address that allows the attacker to employ domain fronting and send the traffic to the actual C2 host test[.]softlemon[.]net, also proxied by Cloudflare.

At the time of analysis, the sample C2 host infrastructure was not online and we received a 404 error.

Cobalt Strike beacon traffic.

The beacon contains techniques to detect debuggers using GetTickCount, IsDebuggerPresent and the NtDelayExecution call to delay the execution of the malware for evading sandbox-based dynamic analysis systems. The beacon can also manage the system power policies registry keys to set the minimum and maximum sleep times and the lid open and close action policy.

The beacon modifies the victim's system power and lid open/close policies in the registry.

Command and control

The C2 server - test[.]softlemon[.]net is the subdomain of softlemon[.]net. The domain softlemon[.]net was registered under Google domains until August 2019 and likely expired since then. The malicious actor re-registered this domain on Aug. 5, 2021. The SSL certificate for the domain softlemon[.]net with the serial number 4aa6af6d719bfdd1c6dff3d7b640aed7ee3was issued by Let's Encrypt, a free SSL certificate provider.

The Talos reputation engine has classified it as an untrusted domain and Cisco Umbrella shows a spike in the DNS queries in September 2021. This activity is consistent with the evolution of the Cobalt Strike beacons illustrated earlier the attackers started instrumenting beacons fronted with the Digital News domain at the beginning of September.

DNS spike for test[.]softlemon[.]net queries vs dates.

Our research uncovered that the C2 test[.]softlemon[.]net is a Windows server running Internet Information Services (IIS).

IIS service response rendered from the host test[.]softlemon[.]net.

According to Shodan, the IP address 193[.]135[.]134[.]124 hosted by a Russian provider may be the real C2 IP address protected by the Cloudflare infrastructure as the SSL certificate served on port 8443 belongs to Cloudflare and lists the X509v3 Subject Alternative Name as DNS:*.softlemon.net.

Conclusion

Domain fronting is a technique used by attackers to circumvent protection based on DNS filtering. In this campaign, a malicious Cobalt Strike beacon is configured to take advantage of a mechanism used by Cloudflare and other content distribution networks to instruct the proxy about the host to be used for serving the content.

When the beacon is launched, it will submit a DNS request for a legitimate high-reputation domain hosted behind Cloudflare infrastructure and modify the subsequent HTTPs requests header to instruct the CDN to direct the traffic to an attacker-controlled host.

Defenders should monitor their network traffic even to high reputation domains in order to identify the potential domain fronting attacks with Cobalt Strike and other offensive tools. XDR tools should be deployed to endpoints in order to detect behavior of Cobalt Strike loaders and Meterpreter stagers as they are frequently used by a wide range of actors.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

The following ClamAV signatures have been released to detect this threat:
Win.Backdoor.CobaltStrike-9909816-0

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

Hashes

658d550322cefa6efc51fbfd1a3e02839d1e519a20f8f17f01c534c0eaf36f27
e806e55713b9e46dc7896521ffb9a8b3abaa597147ea387ff2e93a2469546ba9
a0aec3e9cb3572a71c59144e9088d190b4978056c5c72d07cb458480213f2964

Network IOCs

Hosts

test[.]softlemon[.]net
dark-forest-002.president[.]workers[.]dev

IP addresses

193[.]135[.]134[.]124

URLs

hxxp://test[.]softlemon[.]net:8081/api/3
hxxp://test[.]softlemon[.]net/
tcp://test[.]softlemon[.]net:8080/
hxxps://193[.]135[.]134[.]124:8443
hxxp://193[.]135[.]134[.]124:8080
hxxp://193[.]135[.]134[.]124:8081

Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion

2021-11-15T14:19:00.008-05:00

Matt Wiseman discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module.

There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application that allows users to configure settings for the 2050 gateway. An attacker could exploit some of these vulnerabilities to carry out a range of malicious actions, including executing arbitrary code and deleting or replacing files on the targeted device.

Twelve of these vulnerabilities could allow a malicious user to manipulate the Web Manager in a way — for example, overflowing a fixed-size buffer — that would allow them to execute arbitrary code. These vulnerabilities all require the attacker to authenticate to the Web Manager first:

TALOS-2021-1312 (CVE-2021-21872)
TALOS-2021-1314 (CVE-2021-21873 - CVE-2021-21875)
TALOS-2021-1315 (CVE-2021-21876 and CVE-2021-21877)
TALOS-2021-1325 (CVE-2021-21881)
TALOS-2021-1326 (CVE-2021-21882)
TALOS-2021-1327 (CVE-2021-21883)
TALOS-2021-1328 (CVE-2021-21884)
TALOS-2021-1331 (CVE-2021-21887)
TALOS-2021-1332 (CVE-2021-21888)
TALOS-2021-1333 (CVE-2021-21889)
TALOS-2021-1335 (CVE-2021-21892)

There are also four directory traversal vulnerabilities that could lead to local file inclusion or overwrite:

TALOS-2021-1323 (CVE-2021-21879)
TALOS-2021-1324 (CVE-2021-21880)
TALOS-2021-1329 (CVE-2021-21885)
TALOS-2021-1337 (CVE-2021-21894 and CVE-2021-21895)

There is another directory traversal vulnerability in the Web Manager’s FsBrowseCleanr function (TALOS-2021-1338/CVE-2021-21896), though in this case, an attacker could delete files on the targeted device. And a sixth directory traversal vulnerability (TALOS-2021-1330/CVE-2021-21886) could lead to the adversary viewing certain file and directory names after sending the targeted device a specially crafted HTTP request.

Lastly, we also discovered TALOS-2021-1322 (CVE-2021-21878), a local file inclusion vulnerability. An attacker could exploit this vulnerability to bypass certain restrictions and disclose contents of previously inaccessible files through the creation of an intermediate symlink.

In adherence to Cisco’s vulnerability disclosure policy, Talos is disclosing these issues, although no formal fix is currently available. Talos tested and confirmed Lantronix PremierWave 2050, version 8.9.0.0R4 could be exploited by these vulnerabilities.

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 57753 - 57759, 57764 - 57769, 57777 - 57779, 57783, 57784, 57796, 57800, 57801, 57805, 57806, 57792 - 57795. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Threat Roundup for November 5 to November 12

2021-11-12T14:33:00.000-05:00

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 5 and Nov. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Win.Dropper.Kuluoz-9906192-0	Dropper	Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Trojan.Tofsee-9906687-1	Trojan	Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click-fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.Fareit-9906313-1	Dropper	The Fareit trojan is primarily an information stealer that can download and install other malware.
Win.Dropper.Nymaim-9906679-0	Dropper	Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Dropper.TrickBot-9906689-0	Dropper	Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScripts.

Threat Breakdown

Win.Dropper.Kuluoz-9906192-0

Indicators of Compromise

IOCs collected from dynamic analysis of 69 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	69
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>`	69
`<HKCU>\SOFTWARE\XNDQWFAL Value Name: saalmdpq`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: vrdsuanh`	1
`<HKCU>\SOFTWARE\UBKDDXHX Value Name: mdjrdtlb`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: dekjtufv`	1
`<HKCU>\SOFTWARE\SXLEVULR Value Name: kmaxhebd`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: rhexocwd`	1
`<HKCU>\SOFTWARE\CPLFEVDG Value Name: srslhwbv`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: oawidcqj`	1
`<HKCU>\SOFTWARE\CPAGQABV Value Name: imlvmnbi`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: joocbsdq`	1
`<HKCU>\SOFTWARE\BNTIPEWG Value Name: ueangwke`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: jgpdveiv`	1
`<HKCU>\SOFTWARE\QTTISAMA Value Name: rnvaxhxh`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: qfhrdtpr`	1
`<HKCU>\SOFTWARE\GNBKNCFN Value Name: jnrqktqb`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: fwhpibmc`	1
`<HKCU>\SOFTWARE\PQTDJSEE Value Name: rbcxmjse`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: tfoxxhqg`	1
`<HKCU>\SOFTWARE\JRMMRSGV Value Name: bemwgapm`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: xrjbjxre`	1
`<HKCU>\SOFTWARE\GWKSMKND Value Name: sdkabnue`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: wmrdbsbk`	1
`<HKCU>\SOFTWARE\FVCPXDNG Value Name: cebigupq`	1

Mutexes	Occurrences
`aaAdministrator`	69
`abAdministrator`	69

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`37[.]59[.]24[.]98`	51
`96[.]30[.]22[.]96`	50
`74[.]221[.]221[.]58`	46
`195[.]28[.]181[.]184`	46
`110[.]77[.]220[.]66`	45
`85[.]12[.]29[.]254`	44
`82[.]165[.]155[.]77`	44
`69[.]64[.]32[.]247`	43

Files and or directories created	Occurrences
`%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe`	69
`%HOMEPATH%\Local Settings\Application Data\efcggqxj.exe`	1

File Hashes

             000bea950f66052cf937547d1f18bc47a1c6ff6d2d7d03bc09d60aa9c9b1c770              00e8fa17d90f77afadd8f255dca53b15d7f4c91719452d616b0cf663f9aeea99              033755fcc85dad80db7a94ea2dc178dc2cc823fe7b46084fd0ed20645b593290              037e90d5a83ea1360c1c74b34e3d648ba8645b32d9de456756e8ba6acac86d6d              04c74fa81fdd718c985fde6a502f1ed93a0d34255dc21b546fcc25425da9f31e              086985abecc0ee9c6b4caa28e74d3190994dbddae40524eb955526ad5be9f067              08de3a669a95eab65d9b95ecf7ed4085e162badd7b11b3ad126be4d9836d33e4              1ba2d5d15ede307fa5a969eb66654f4d485fc144e370531451c43dc6409737d9              1f18d7fcd14fa41d8256a373437ccfd3e0d0d4f80c41daeda99cfd493735acc8              1fb1390e6f86cc5eb108a6a38484fa91baf867622e7384d4777b7b12215cab8c              27862adbd6ba16a82915102b7cfbf36f25c7be6b7e0464a7bcd731c9c5c67316              36971d72adc866b317be68ddf5b3471825049a81231b53c5cfdacb292d49b4d6              39781b0d4b88226ae7cc4711c9d4724ee9010e9f543be7fbd3d31564d89546dd              3a36245e815538d2f84d05af6b1d71f81dd9c284cac1c0ceb2145d9f1bb9a7e9              3ca7c310670af06b7e57e5317283e03c2aa630b72f2d99f93734d960bf19040b              40023d8e643d0c49199f1d34beb4c79856f30cc155ff8f93300b9cca70affb0c              410c8127cf6d7bac2cb13d84dd8415aabc5831bdb617b49e8d28d024db906c51              42ca7b17fa816bf7dfdee073fd077f2327e31ae15f386c087912757894e2ac0a              44837ce7705a1c03338d220d186564930bcb1e739af90f04cd415b37b5719b90              48179cd3f777d239fb1f14ac8ed1472dd8c9dec65414b92953b5d67faad4f9b7              50fd2544836d5623d86f94307583fe7a4c88b11cdaa84f3f6b5a03a8631e8c0a              64d3d27a53d3cde1729f8897a09aac19557121ede477e4a1d18a86ef33b2d675              656ee6200af32f34de24c591ebb45d5652f30a435ce84abb6c8c04cd91e07500              696629d6b4f9965ec8cf1cc9cefe973f907731e8c6fadd1189413d63f4390b30              6a338dd0339ab184d2fa547e4a05b6cf94632dc3a03fb351ca703cea3f7f2262

*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Tofsee-9906687-1

Indicators of Compromise

IOCs collected from dynamic analysis of 56 samples

Registry Keys	Occurrences
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config4`	56
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`	56
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description`	56
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0`	56
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1`	56
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2`	56
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3`	56
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ImagePath`	35
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\ffbmdows`	4
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\ccyjaltp`	4
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\bbxizkso`	4
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\vvrctemi`	4
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\eealcnvr`	3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\qqmxozhd`	3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\ttparckg`	3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\xxtevgok`	3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\hhdofqyu`	3

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`185[.]7[.]214[.]171`	56
`185[.]7[.]214[.]210`	56
`185[.]7[.]214[.]212`	56
`45[.]9[.]20[.]187`	56
`45[.]9[.]20[.]178/31`	56
`85[.]143[.]175[.]153`	56
`193[.]56[.]146[.]146`	56
`192[.]0[.]47[.]59`	54
`157[.]240[.]229[.]174`	53
`144[.]160[.]235[.]143`	50
`103[.]224[.]212[.]34`	49
`125[.]209[.]238[.]100`	49
`211[.]231[.]108[.]46`	48
`74[.]208[.]5[.]20`	47
`117[.]53[.]116[.]15`	46
`96[.]114[.]157[.]80`	45
`212[.]77[.]101[.]4`	45
`64[.]98[.]36[.]4`	44
`67[.]231[.]149[.]140`	44
`64[.]136[.]44[.]37`	43
`51[.]81[.]57[.]58`	43
`216[.]146[.]35[.]35`	36
`67[.]231[.]144[.]94`	35
`172[.]65[.]252[.]97`	35
`193[.]222[.]135[.]150`	34

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`249[.]5[.]55[.]69[.]bl[.]spamcop[.]net`	56
`249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org`	56
`249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net`	56
`249[.]5[.]55[.]69[.]in-addr[.]arpa`	56
`249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org`	56
`249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org`	56
`microsoft-com[.]mail[.]protection[.]outlook[.]com`	56
`microsoft[.]com`	56
`www[.]google[.]com`	56
`quadoil[.]ru`	56
`aspmx[.]l[.]google[.]com`	55
`whois[.]arin[.]net`	54
`whois[.]iana[.]org`	54
`www[.]instagram[.]com`	53
`mail[.]h-email[.]net`	50
`al-ip4-mx-vip1[.]prodigy[.]net`	50
`mx1[.]naver[.]com`	49
`park-mx[.]above[.]com`	49
`mx1[.]hanmail[.]net`	49
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net`	48
`naver[.]com`	48
`hanmail[.]net`	47
`mx00[.]mail[.]com`	47
`www[.]youtube[.]com`	46
`nate[.]com`	46

*See JSON for more IOCs

Files and or directories created	Occurrences
`%SystemRoot%\SysWOW64\config\systemprofile`	56
`%SystemRoot%\SysWOW64\config\systemprofile:.repos`	56
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>`	56
`%TEMP%\<random, matching '[a-z]{8}'>.exe`	52
`\Users\user\AppData\Local\Temp\wfowkckt.exe`	2
`%TEMP%\zsnzdsd.exe`	1
`%TEMP%\afpfty.exe`	1
`%TEMP%\atoaete.exe`	1
`%TEMP%\cvqcgvg.exe`	1
`\Users\user\AppData\Local\Temp\hdssxekb.exe`	1
`\Users\user\AppData\Local\Temp\gzkalibu.exe`	1
`\Users\user\AppData\Local\Temp\hzryxozg.exe`	1
`\Users\user\AppData\Local\Temp\cumtsjub.exe`	1
`\Users\user\AppData\Local\Temp\xtiinuar.exe`	1
`\Users\user\AppData\Local\Temp\fsbyzeqd.exe`	1
`\Users\user\AppData\Local\Temp\xhmzgbap.exe`	1
`\Users\user\AppData\Local\Temp\pqoybuzk.exe`	1
`\Users\user\AppData\Local\Temp\jwfcdiuh.exe`	1
`\Users\user\AppData\Local\Temp\lqaqej.exe`	1
`\Users\user\AppData\Local\Temp\msnqziid.exe`	1
`\Users\user\AppData\Local\Temp\uniuyny.exe`	1
`\Users\user\AppData\Local\Temp\xqbrczsl.exe`	1
`\Users\user\AppData\Local\Temp\vocogacp.exe`	1
`\Users\user\AppData\Local\Temp\uzjzns.exe`	1
`\Users\user\AppData\Local\Temp\yvgljtqn.exe`	1

*See JSON for more IOCs

File Hashes

             0116e2cc42cc67d4ee0fbd26b113a2883c9ef920dc84bb7ab622d1bf8851763f              02c7359dcb84754d1582eab7ef5f16938ee9cf88a83d150c1470a6b3b24bf31c              03fb15b85a5b40369f8e392427ea5f004447c90273b01ccbcbdff27d0fd5620b              0c4c84401bc57951c1add588817d96cae70469c0ad699b2c154855a730cf8afa              11bb33bf6c4dcf920e28a36b061353e87e314236faebe4563c3fa5c877230404              158001d30d5d3768e6fe0f1a1d7bf1ad0da65241a6f01196150b5cf8a52b9623              1d5f62d3687343709946d1bf46ed5e91b4659e376261a499722cf071d14a2e32              20db1c12886f165778eaabff78196c7166b43b18767d802373150408870b7d99              2a6ff1d92b275b5479f724cacbef20a3757227d7bf7f943c5a91609a370cf006              2aa24f0c26531e9222de7e2ce6f0453e0465a6545ac7accb5f9ffc1983fa4f9d              2ee90707f21676ebaf7e821bf02f24d56d1a7be273c8aa129eb60cacd09f19df              2fbb49dd038c61306b7c32663dcf6f6f5545b1538c90464c148980c69f4331b3              322f25513dc717ec609771e4988d5a962dd5b980bc4bf372d206ab991c092382              345af13820aaefd07456b97821b597c8c020c907541e25c32f304c4a1a3f324a              348d21e49e7bad86d434423c8052dd72bb27d9a9f43d6b2471a1063261c69c35              354f4a167b2bbdbdd1e8d36f26c4524f1454abb79e745c1a0a3945e9bb1ddeef              35b7bbf1581e93fad329c50307ae2f68964bf8866e437d308c56eda819acb8d7              40bfcd3518b19ded7d92a6930ab6e410002c333fe327044800599a95ee67e225              41f7a9f6f6ec0cd336288c833ba746c5d40dc7d49f3f5717e89d8dc74714d478              4de8148701b1fe0a054b13829fb3763a8645b6468463de3e38f33526307f9e8b              5d21753e0586d127c06cde17551bd702e449dfa8a4aca6ff1116251ff1fe7177              5e6fb10b614e5ea6832ca853f3c43c4943499ac63097fd57c980babf7e707cd4              5f5b0da28419c1a133e4949a129f2ae17db34fb3e64ce2c9dc84d91239c50082              5faa85eae77192413b213ae22e30a68a6e0b20e1c1d78a2663ed0c70a713be67              61cbe9585ff80a96da97ce3afcaccce268b72d089ba88abc417642aa3365dddf

*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Fareit-9906313-1

Indicators of Compromise

IOCs collected from dynamic analysis of 17 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\WINRAR`	17
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	17
`<HKCU>\SOFTWARE\WINRAR Value Name: HWID`	17
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 Value Name: F`	17
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 Value Name: F`	17
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC Value Name: F`	17

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`192[.]187[.]111[.]219`	7
`63[.]141[.]242[.]46`	4
`81[.]17[.]18[.]194`	3
`81[.]17[.]29[.]146`	3
`209[.]85[.]201[.]94`	1
`173[.]194[.]204[.]94`	1
`101[.]99[.]75[.]152`	1
`74[.]125[.]192[.]138`	1
`173[.]194[.]206[.]100`	1
`209[.]85[.]144[.]99`	1
`173[.]194[.]205[.]84`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`ru[.]agulino[.]com`	17
`wpad[.]example[.]org`	2
`computer[.]example[.]org`	1
`vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com`	1
`clientconfig[.]passport[.]net`	1

Files and or directories created	Occurrences
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbe`	17
`%APPDATA%\subfolder`	17
`%APPDATA%\subfolder\filename.bat`	17
`%TEMP%\-<random, matching '[0-9]{9}'>.bat`	17
`%HOMEPATH%\Start Menu\Programs\Startup\filename.vbe`	1
`%TEMP%\748562.bat`	1
`\Users\user\AppData\Local\CrashDumps\506825654.exe.2384.dmp`	1
`\Users\user\AppData\Local\Temp\WAXBDBC.tmp`	1
`\Users\user\AppData\Local\Temp\WERBF82.tmp.appcompat.txt`	1
`\Users\user\AppData\Local\Temp\WERBFB2.tmp.WERInternalMetadata.xml`	1
`\Users\user\AppData\Local\Temp\WERCABC.tmp.WERInternalMetadata.xml`	1
`\Users\user\AppData\Local\CrashDumps\506825708.exe.3876.dmp`	1
`\Users\user\AppData\Local\Temp\WAX3C1E.tmp`	1
`\Users\user\AppData\Local\Temp\WER3F0D.tmp.appcompat.txt`	1
`\Users\user\AppData\Local\Temp\WER3F6C.tmp.WERInternalMetadata.xml`	1

File Hashes

             03eee9c470a2987fe0a045530c2efd0bbbab9eeb5b91a893e682cf144e252107              18e5a593d4a89648b43f86383568469612c4f61d4b8361df299e1fdbe9ac42f5              34c862548b46506e25df6187be15486a2bc0de85b7e2b02b12745df7145faf5d              56d50fb071eb481a83ae011eb7a31fd6bee268fba1b0fe7aa880f6a108f9f682              5bdaafdaeb1ad0f8455de525022d95d40362d2766e78bd9eeecf7acf3426564e              666fdac0254a22535178f4cc056de7c43372359a1a9fc83c9b558770d278bc84              6be0f0991eebcdd021444994c3c812a89924b04b8ed27282e18b747305f27bf7              71ca1ab8c327e81b97f9b93684f6a2f8de7b194f4d20b65bad89660fdb04982c              94c9c78a6d2e0b1808bbbde2a69f32464c74c8ad0f902b0a7aea75d443db1866              9523e53935a018bbe2a297ba95578a7e988a0a402eed2a97cf46a41f797de971              9edb3091593479d03685b13b2eaa0104fb84bdc785c46cf70bb8e105e6589620              b46d16b74e5c430126372a5027108704074ebf5a87b1dc0634f41bc119b460dc              c94368d73c897f193f7dd20d749d2348fa80f818d19b27888c28bc8e41ccd262              d3873c324768de351219c9e50a33cecc3d15ab568064591ff9857fff86780c76              e0e0854a4bcd7bb49292b001954e76ea3aaa8639839073e35a72adf88e3a25cc              e1a572394b381e7ae7cca254ab171eb975f9e4e0be7480b01fb751be14712fe0              ea1c77d4d703fe6825dfa9e406b84375384719f21f3250b93cd3e7550c685bec

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Nymaim-9906679-0

Indicators of Compromise

IOCs collected from dynamic analysis of 23 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK`	23
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK Value Name: mbijg`	23
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	22

Mutexes	Occurrences
`Local\{1181F583-B634-69BF-E703-D4756599024F}`	23
`Local\{180BBEAD-0447-044A-68BD-247EB6D0E352}`	23
`Local\{18DD7903-1E96-FEAF-92BF-014008A1248C}`	23
`Local\{92502033-C012-7F46-D6A8-0AC972DF6662}`	23
`Local\{25754F3F-7A37-56CA-31BB-3C9D33DA226B}`	23
`Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52}`	23
`Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F}`	23
`Local\{67EB9FBC-0AC5-BAD6-80A0-015E2C7D43E8}`	23
`Local\{F78DA135-BD1C-3BA1-2EC7-6B375301FFDF}`	23

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`microsoft[.]com`	23
`google[.]com`	23
`hkzqekcz[.]net`	23
`zrailjorqed[.]pw`	23
`nckynkrjg[.]in`	23
`xxrwudfhbr[.]net`	23
`iuojcbwlb[.]in`	23
`gjlngkx[.]net`	23
`nmovreiit[.]in`	23
`gpuxnhtdhztg[.]in`	23
`xpbyti[.]pw`	23
`nlaoyufe[.]in`	23
`syffllqlu[.]pw`	23
`phgrcrm[.]net`	23
`qbpqbucz[.]in`	23
`hdrqny[.]pw`	23
`emcqaelhfn[.]pw`	23
`www[.]msftncsi[.]com`	4
`wpad[.]example[.]org`	4
`neolx[.]com`	1
`rqdptmnlyy[.]pw`	1
`arlllswc[.]com`	1
`gjyttpvb[.]net`	1
`ytfalkcclaw[.]in`	1
`afoctlamhq[.]in`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%ProgramData%\ph`	23
`%ProgramData%\ph\fktiipx.ftf`	23
`%TEMP%\gocf.ksv`	23
`%ProgramData%\<random, matching '[a-z0-9]{3,7}'>`	23
`%APPDATA%\<random, matching '[a-z0-9]{3,7}'>`	23
`%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'>`	23
`%ProgramData%\jzk\icolry.ylg`	5
`\Users\user\AppData\Local\Temp\qnvgtx.eww`	5
`%TEMP%\aneba.qsz`	1
`\Documents and Settings\All Users\wrg\orjdwj.ppt`	1

File Hashes

             0a5a39e943850137bf7296a9b11e9af5c0e05e391c3381733cc2f03020208b12              1657415b3e51540e23ecb6fdc619978af4463ce9e9c880f5e4f0ef1558297040              1984124ab6ba6f3fdb04ff885408c9f4f35f22d8d07746ddd2a585cb412fde6a              2f9fd8377a8e7bfbe6b13198d578d06b883402a5084f6c1c5c4cdebabfbd8fce              305b0c43a3c29d6153f0636d77032debf4fceabc2c035d48268a09692ae6cd20              31181eee5991422042784e1f845d11a32e1381aea1d8009e7090d88393ba98bc              386f665bedb4efaef8d7c12d11e49d1fd488a5a2a543588762897fdc64caf858              3a95f93f80be8d0cd76705da445da77c1d498a8aba99ee222f8e451e81aa1454              3f438f5360c449ba9d1d9349c6a0fa2fcab962a89cdc16581ebc1fea79051768              51e01e124b5faa392ae3517603049fea41a5c13a6ec82aa3fc23c2db41961189              5395c7598ca1145728fe0ed9f2422bf8d7cdc5a4aefee9c66e9a4be014a39753              5d94592ee0b18888cec53c526984a7a2505c757b66d17986f3f237c3ac843c20              61753686a9b172316b339850fe425602122dadc8b9a880b6d8fe11a2061faf77              6300fa292145cb7ad0810ae32eb5742f3eb71fe36986eb15bc5bccf6a7c15b50              73f6323cdc4c439a7ee8626daf5a8219f5d2d91498acf3161abc8764e3150277              75df28107d722b325ca55f1639be556839b1ab5ae99256008edc8bcd469b30f8              84d6081d0a956de98053024cc863b23e15b842d6677a4ee22b00c5d63b10ee6b              a9c642d3899cf12cceff9fef3c83a36794b6ccb6539c8a778b0809ecc74ee6ce              b28275a44a8d9a4e8ac0740384d48df297fd59b12d6c0a22c74256bc6cbc4cb5              d91e71f0ccf719c2242aa8ffa03d675ce6c536c50b5da571f6ae87f1076c7c9b              dad54799bb4ffc4866978c7c655eae50bb1274b586dcf194f3fd64863d301e84              de1c74e3225d1170fa8494b327b2944b7e31968f4f5fedf17390ead6f3fd7691              f79946e8464c138f028b3d4ce15f04579b16600f49680a5e53a1c99ffae31007

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.TrickBot-9906689-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER Value Name: DisableAntiSpyware`	25
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: DeleteFlag`	25
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableBehaviorMonitoring`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableIOAVProtection`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableOnAccessProtection`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableScanOnRealtimeEnable`	25
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	25

Mutexes	Occurrences
`Global\316D1C7871E10`	25

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`72[.]22[.]185[.]200`	15
`72[.]22[.]185[.]208`	9
`160[.]72[.]43[.]240`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`crl[.]microsoft[.]com`	25

Files and or directories created	Occurrences
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5`	25
`%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5`	25
`%System32%\Tasks\Windows Network`	25
`%APPDATA%\wnetwork`	25
`%APPDATA%\wnetwork\Data`	25
`%APPDATA%\WNETWORK\<original file name>.exe`	25
`%System32%\Microsoft\Protect\S-1-5-18\User\496a850c-d71a-4ccc-b3de-e64e84a540af`	18
`%System32%\Microsoft\Protect\S-1-5-18\User\13022768-a353-4a4c-8032-ece2f429bad3`	7
`%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt`	7
`%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp`	7

File Hashes

             0205f7cb31c95adeab976245edd2808d58a066e39f8bc953a3e10347189f61ca              0295aa15b36df5df2c8beba2e056a50efe5a88bcc8d07adefaf262a54d27ac18              0ec324720fb6f0af3f230556949689f2fee2ecd529c8a513c7f12c096eae0758              157958a490ec7591a3318c783691ce26e8f525f5c88367341cbfa5aca577586e              1a3cd06480513c10bd6c487e9bb015111ec4e17bfe26312f769233ab7e22f7f7              2413d734d5844c4bda1641d3a06669c6918f22308f45fef63e0b3a3d32c815a6              342477e56614066942a58b31dfb00f2dbaddc041738bde17bb701eb7c2a6c012              442cf13192bc89185839b955a2a21f6a16a1ca028208cb332f930a33367e2814              4bb1d3c102a9319ee88afed519dea172735f763b55859085ca0a145ceeee6b82              54eec51d0cc063797c45dc68f4a0b4376246893b8c799cabaa62be3b288947b7              586126be0b9bf36790dfbd9dea8ceb927df1d4c94745c306e93062aec647b0b0              6086f48f02196b9db367b87819e0d4b8ecc381971c63fde3b8dbb871341a2e5a              7fc8d238f3ff3bd7d77e18111763ac554c2d289643dc077b2253f8ee1d575926              94b83154ffbc39c28cd5a461ad264bb5cea73822d7d1a4ca5471a6ff8b28569c              967366fbebcf26142423b0df333ea09ae01cc728d5ab54edbcd387030afcccde              a36b2cac421b101c599d704dd66407e652cc056e9d58abf52d46b5f8b23f20f1              a3bf700a4f33a7852820daa9d580c2e9f8a9e21e04670212d64a9a4884ae065c              a412aa575f67c189ea62191942acbe30db28548f2a900019c8a3368ce8d3ec81              ba1ff4f69508562ea2c62a39861c7281176b979e200d1ebb95e32338f936a490              bc775c4705a8724ff10e0a946b510017c5e762ea1877a22a1897db34a1e6fabe              c082233374ed32db6a234c6901cda079466eb9e0746a07c4625c1e68d2ffbccc              c4c1ced7f088f61260705540b870ffe4e33af54ef4a1e86f1ef5729ef349bb75              cd133a17f8aeaa36f510595c5fc11e22fb40fbb88150fab1971d1094e75e7611              d294e9b17cbda134bfe607cc2e214d2c689c582bc7a94f24588df028814bd928              d32532cc718758d511caf22a6238049d422c0e12b60a0146a845e760b34e2d1a

*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Talos Takes Ep. #76: What is Kimsuky phishing around for?

2021-11-12T11:37:00.004-05:00

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Blog posts aren't just for sharing your darkest secrets from high school anymore. They're also used by attackers to spread malware and steal international secrets.

On this week's episode of Talos Takes, Asheer Malhotra, part of the research team who recently discovered a campaign from the Kimsuky state-sponsored actor, joins us to talk about a recent campaign that had some pretty high stakes. Kimsuky, a known APT out of North Korea, recently used a series of fake blog posts to spread malware to high-profile targets in South Korea.

Asheer discusses what information the attackers may have been after, how they infected victims, exactly, and how to detect future bad blog posts.