Threat Round Up for Nov 10 - Nov 17

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between November 10 and November 17. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats are subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Doc.Macro.Downloader-6360616-1
    Downloader
    This wave of malicious Office documents uses obfuscated macros to launch PowerShell. The PowerShell process then downloads and executes a malicious payload executable or VBS script.
     
  • Doc.Macro.Emotet-6374344-0
    Office Macro
    Emotet’s initial attack vector is an Office document with obfuscated macro code. The obfuscation includes junk code, randomly generated variable names, function reassignment, redirection, additional code that overwrites data if not executed in the proper sequence, etc.
     
  • Win.Ransomware.Kovter-6376319-1
    Ransomware
    Kovter is a malware family that has been around since 2013. It is currently delivering ransomware.
     
  • Win.Trojan.BitCoinMiner-6374577-0
    Miner
    This 64-bit Cryptocurrency miner requires a CUDA-enabled GPU in the infected computer to execute. CUDA (Compute Unified Device Architecture) is a platform for parallel computing developed by NVIDIA.
     
  • Win.Trojan.CosmicDuke-6376318-0
    Trojan
    This family is a known trojan directly related to the infamous MiniDuke APT. Dynamic analysis failed because some DLLs were missing from the instrumented environment. If executed, the program collects all the credentials stored on the victim's disk and contacts a remote server.
     
  • Win.Trojan.MSILTrojan-6376261-0
    Trojan
    This MSIL trojan will take screenshots and place keyboard hooks in order to spy on the user’s activity. Later, it will send emails via legitimate email services such as smtp.live.com, which could be used to exfiltrate the information or propagate the malware. It will also check the external IP of the infected machine using the checkmyip.dyndns.org service. Note that the network IOCs included in this report belong to legitimate services.
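As an added example that is not part of the Talos post, the following Python matcher takes indicators in the `[.]` notation used throughout this round-up, refangs them, expands the %System32%/%AppData% path placeholders (the expansions are assumptions, as is the constructed telemetry sample), and reports hits on the domains the post flags as legitimate services separately from high-confidence hits so they are triaged as context rather than as infection by themselves.

```python
import re

# Indicators copied from the round-up in its defanged "[.]" notation. Domains the post
# itself calls legitimate services are kept apart so a hit on them reads as context.
HIGH_CONFIDENCE = {
    "domain": ["procuratorkn[.]top", "touchlifefoundation[.]biz", "liansamaneh[.]ir"],
    "ip": ["77[.]220[.]64[.]49", "213[.]192[.]1[.]170", "185[.]94[.]252[.]102"],
    "path": [r"%System32%\wsus.exe", r"%System32%\Tasks\TB_DEADLINE_START",
             r"%AppData%\ScreenShot\screen.jpeg"],
    "mutex": [r"Global\M98B68E3C", "MC8D2645C"],
}
LEGITIMATE_SERVICE = {"domain": ["smtp[.]live[.]com", "checkip[.]dyndns[.]org"]}

# Assumed regex expansions for the post's %Var% path placeholders (any user profile).
PATH_VARS = {
    "%System32%": re.escape(r"C:\Windows\System32"),
    "%AppData%": re.escape(r"C:\Users") + r"\\[^\\]+" + re.escape(r"\AppData\Roaming"),
}

def refang(value):
    """Turn 'a[.]b' back into 'a.b' so it compares with live telemetry."""
    return value.replace("[.]", ".")

def path_pattern(ioc_path):
    """Case-insensitive regex for a %Var%-style path indicator."""
    parts = re.split(r"(%[A-Za-z0-9]+%)", ioc_path)
    body = "".join(PATH_VARS.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)

def match_event(kind, value):
    """Return (confidence, indicator) for one observed value, or None."""
    for label, table in (("high", HIGH_CONFIDENCE), ("legitimate-service", LEGITIMATE_SERVICE)):
        for ioc in table.get(kind, []):
            if kind == "path":
                hit = path_pattern(ioc).match(value) is not None
            else:
                hit = refang(ioc).lower() == value.lower()
            if hit:
                return label, refang(ioc)
    return None

def scan(events):
    """Keep only matching observations, tagged with confidence and indicator."""
    return [(k, v) + hit for k, v in events if (hit := match_event(k, v))]

# Constructed telemetry sample (not from the post): (kind, observed value).
SAMPLE_EVENTS = [("domain", "procuratorkn.top"), ("domain", "smtp.live.com"),
                 ("ip", "8.8.8.8"), ("mutex", r"Global\M98B68E3C"),
                 ("path", r"C:\Users\alice\AppData\Roaming\ScreenShot\screen.jpeg"),
                 ("path", r"c:\windows\system32\wsus.exe")]
```

Running `scan(SAMPLE_EVENTS)` yields four high-confidence hits and one legitimate-service hit; the unrelated IP produces nothing.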
     

Threats

Doc.Macro.Downloader-6360616-1

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • procuratorkn[.]top
  • touchlifefoundation[.]biz
  • www[.]bobnew[.]com[.]br
Files and or directories created
  • C:\Users\ADMINI~1\AppData\Local\Temp.exe
  • C:\Users\ADMINI~1\AppData\Local\Temp\S5c.vbs
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Doc.Macro.Emotet-6374344-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • MC8D2645C
  • MF349C666
  • Global\I98B68E3C
  • Global\M98B68E3C
  • M167D3CCB
IP Addresses
Domain Names
  • liansamaneh[.]ir
  • conceptttb[.]in
Files and or directories created
  • \Users\Administrator\Documents\20171117\PowerShell_transcript.PC.w9wNiwMK.20171117113000.txt
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Ransomware.Kovter-6376319-1

Indicators of Compromise

Registry Keys
  • <HKU>.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKU>.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
Mutexes
  • Global\M98B68E3C
  • MC8D2645C
  • MA008EE15
  • Global\I98B68E3C
  • M772FF100
IP Addresses
  • 77[.]220[.]64[.]57
  • 185[.]94[.]252[.]102
  • 213[.]192[.]1[.]170
  • 78[.]47[.]56[.]190
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid


Win.Trojan.BitCoinMiner-6374577-0

Indicators of Compromise

Registry Keys
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %System32%\winupdate.xml
  • %System32%\Tasks\winupdate
  • \TEMP\fdfe3ab063fd7dad96a6492cc1b7f43c169e270868a3541a89e177b8dacaf16b.exe
  • %System32%\cudart32_80.dll
  • %System32%\wsus.exe
  • %System32%\cudart64_80.dll
  • %System32%\config\TxR{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
  • %System32%\Tasks\TB_DEADLINE_START
  • %System32%\TB_DEADLINE_START.XML
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid


Win.Trojan.CosmicDuke-6376318-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb
  • \EVENTLOG
  • %WinDir%\SoftwareDistribution\DataStore\DataStore.edb
  • %WinDir%\WindowsUpdate.log
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid


Win.Trojan.MSILTrojan-6376261-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
Domain Names
  • outlook-nameast2[.]office365[.]com
  • checkip[.]dyndns[.]com
  • smtp[.]live[.]com
  • checkip[.]dyndns[.]org
Files and or directories created
  • %AppData%\ScreenShot\screen.jpeg
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid

Article Link: http://feedproxy.google.com/~r/feedburner/Talos/~3/-vFGLlGpB1U/threat-round-up-1110-1117.html