Threat Round-up for Apr 21 - Apr 28

Talos Blog - Threat Round-up for Apr 21 - Apr 28

---

Threat Round-up for Apr 21 - Apr 28 Posted: 28 Apr 2017 01:36 PM PDT Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 21 and April 28. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net. This week's most prevalent threats are: Doc.Macro.MaliciousHeuristic-6298845-0 Office Macro Office macro code is used to further compromise a target system. Macros can leverage external system binaries to execute other binaries to further compromise the system. This signature looks for code associated with hiding the core functionality by including junk code.   Win.Dropper.DarkComet-6301230-0 Trojan/RAT dropper This is a malware dropper. It currently drops the DarkComet RAT. The file is a slightly modified version of wextract.exe, a legitimate Windows tool to unpack archives. The malware payload is stored in the resource section of the binary. The dropper binary is actually a multi-format file, and can be interpreted both as a PE executable as well as a cab archive. The modified Windows binary will extract the payload binary from itself and run the extracted file.   Win.Trojan.ServStart Trojan ServStart is a trojan that installs a persistent service on the victim's machine. The service exfiltrates information about the infected computer including machine name, username, keyboard language, and computer performance specifications. The malware server can respond with commands to download and execute files, or execute shell commands. ServStart has been observed using multiple dynamic DNS providers for its command and control infrastructure.   Win.Trojan.Agent-6298180-0 Trojan (credential stealer) This sample attempts to collect stored credentials from a number of installed applications and then attempts to transmit those credentials back to a PHP application on a possibly compromised server.   Win.Trojan.PWS-6299789-0 Password stealer, injector PWS (also known as Fareit or Chisburg) is a credential & sensitive information harvester. Select information such as banking credentials or web browser password databases are queried for on the infected host. Any discovered data is propagated to a C2. These recent samples are protected with the Armadillo packer & rely on both code injections & dropped VBScript code.   Win.Dropper.Emotet-6301061-0 Dropper This dropper is delivered through different mechanism, most of the time the victims is redirected to a website to get it through malicious pdf, http iframe injected. Once running on the computer the binary is gathering details on volume disk drive and other details, injecting process, dropping itself and contacting internet to execute more. Websites observed delivering ransomware and trojan banker. Threats Doc.Macro.MaliciousHeuristic-6298845-0 Indicators of Compromise Registry Keys N/A Mutexes N/A IP Addresses N/A Domain Names storefronts[.]pl File Hashes 23b90b1c55fdbbd371655da0ccf359e891deb51ed5bbc0ac772c5d572f4b3a42 2471636a92daa0a54095aa66b55ad2fea5fd5d6372b0be9d65d1d1e2cef31bd5 2b24221aabc8cd18e756a579b29a005fc9c33213f5ec963b9b6ccf4e6187b23b 4b781b8370f973b9204b44c8ce3615692fc66c1613967a44924984d35fba7bc4 4ee6b9bb8e903bed9a82c7dad6d62163e3a4f759ade5f5f8fcf899945bfd9264 564c37dcd8322bd6e8cabc788f982a35f7d3e335c3d736ce544fc17a6b090183 59b54e7c4e052adbc1d64dc61623af6f55db1a8692b373cb6ca871ba087feaac 6930d456c506c94b9e19a08659181b7d376254dca652d0e56c305764867578d2 6a0eae0addd6ce84966ac1bd006e9582036eaaa1011a38190f700871cc37de24 7045d8f339cab73cf0ec7f31a7b3a31a84057f0b275f789f4bfed9dffee35564 7638745d08de218fa16e9c0828ed0a1139223d3ebddf4bb528bc3ae185cea90e 81cdded9aa21513ad9c6ae04455a7fce68129135f3358b9c5e28a80139e78f21 93472e054b4b4fcc54a71a32b6275f8b35c8ef84490248d21c094f19a537c773 a0bfeb90468ddf50a3c85d5074e002b1d89995d6377eceeb0781ba5292facbcc b3dfdfcfea160ed34eb69da55909294f78d2b5a6320cbf5151a3da01c6449631 c185559d0a38e782167beacff78a7a72544d82890b5e5723e6a25a70e6e16d59 d2c1b89129e3e26544bfbef3fac4567c3629817a98ded9ce5c7dee485d0364a9 f2e4fe273c4a8cc1cd7799d5558c58b8a08dfe160235dfa2eb2a8bad9bba40aa 02481825e922c38ba797ebc18d5a8273ede8c5a4d52eecd2f58eb569533d780b 06736e5f3127a54bbe6bb25f4a82ca95371e5cc8654a893c02d3d4e677e0b916 21b039f3171f26911290dad3e1ce0da6d6d3545e11f9a119408922ac2ae06db6 2643f9f8dce45983eac80feeebd16adbd498e3a644ef8b05bc40448be9342ddf 2ac6b5487c69427476b48bcbbddd7646842e02363a0d4ebe1b1998da6d1f55a8 2dad87b69ee91bfa71d911b791e5468efb6ce689ccc4cde3e91626cbfcfc14ab 2f4853b54c36adf9ca9fbb163dacedee78b6b027fac3c24c72120e9d8cc6f01e Coverage Detection Screenshots AMP ThreatGrid Umbrella Malware Win.Dropper.DarkComet-6301230-0 Indicators of Compromise Registry Keys N/A  Mutexes N/A  IP Addresses N/A  Domain Names N/A  File Hashes 05C8DE4B97737440913F5C714082AD647281FA50F1904B1BF11EDB8560294FAC 07D9D6DA8C6CD162DD9FC78AC48EAF82BC49D4239908AF354E44C4822FE06D62 099ADD24586D77C5F2B8EFB9C33A8A11B5A0C11001A8534D9635A674ADC260AD 0A155F4F20367E4D23B6D238208FA5F943A1341E47BDBB2DBC520CCB27AD120B 150420EDB4BF00DADCF71601781DBE3BD6E34CBA767153B9F82307EDDF391395 15F2BB3B4A12A6F5B0965FDE62AE21B2796D7659BBA8011FC22AF40D465984BE 318B2A4F06345E95C63E4623F52E0E7C57257548C74E0C7A272FCB64D3F49692 4B0BB06E09ED0B2EDB085641E125490E9B1A6CC5652C05C77C78E47CF9448D35 507874BA705282183F928D3AE11ED5497A0F1EAC3368DE75C392D17749CB8EE9 55FDFC65C0C10A958239E0447E5696989FE66557437EB725849BB578D882D74E 5D31C073C4B7322A7DE871D533D520DE2444466D0C944CB06F6244D2CE57D49D 6597E2DD82FC203BA2C609B358B2E0CAE37A4309808626DA27BD58614077D646 6A23031FDD70C6D57D8FE9C8D3EFE6A423C38BF2D46B9B24959E5CA7D0714FCA 6C652B0E4998456F150515EBF50CA569CF373BA709442F6909DD7D4330C83D2E 6EB12C46F0605D8F915C8E895FC70D189D9E8825775EBDB464A9A24834887E60 776B2679819B1E0385E1630EEEC50190DAAAEC0EEF9F659EE728C47991FABFBB 77FA104262E3FF983B3418540FF744E0EAAE5E66388333ED785EF6F5AA2801F9 7D6765A1F6589A554457D9363F702F65E81DDDA52EB62C600250E0F94C473A16 8590486CD299DAA9BF42497EF28028364E4E18B6C60B725736A7D2DDC73BBC2F 92EABA06563800BA670249E90D91C32F9D315889439BCAA73F24D2C08E285B84 Coverage Detection Screenshots AMP ThreatGrid Win.Trojan.ServStart Indicators of Compromise Registry Keys HKLM\SYSTEM\CONTROLSET001\SERVICES\NATIONALLWC\Description "Providesufl a domain server for NI security." Mutexes Nationallwc IP Addresses N/A Domain Names syhaw1516.codns[.]com wrop0422.codns[.]com ansbase.9966[.]org File Hashes fbbc6852ff1947fcd820b90e60ab71af93ffad079bd13a0d2b514955bb1c9d62 40eddfac964b69ee2e26742faaacfe50960fa0232a1b9a11c382e61cecd700ff 6106eda3ae39449fec42db2caf4f1b5f994d72b5a759dddfd77a8a29ebb3f497 c106435a2aced27d03ee5531eda025b14cec106106a1c7ca750127090f6d2039 8d4366eff17da1c18ab3fed1692628756a8f41f3145877f895b7ef950055262f 3be7ab79f032cf24b09fc05b08544fd61ec7e3fd355f8ab7b4580eb43d8c3e55 ff6b7320d6b75a638c0f2d024f43853dd78993276a8f6b5f7463d6317858dd9c c9a193d273f606860bee0dd4a878a6421233b05ac4c6faf357d9324f0d6a575a 932d8d5829570237e9ab7688dd2d3c03812a05157f72af124cabf530be583789 ba07a79a2f4d51eaac585b0f50e3b1e61d8fc555592aadb1e5d3916fb26b0e27 Coverage Detection Screenshots AMP ThreatGrid Umbrella Win.Trojan.Agent-6298180-0 Indicators of Compromise Registry Keys N/A Mutexes N/A IP Addresses 212.129.14[.]211 Domain Names tranexestin[.]com File Hashes afc3ba4941b89a4467e2f1a4ab0df2c88ef5e39264182a4b3a2dbbfa5b022e3f Coverage Detection Screenshots AMP ThreatGrid Umbrella Win.Trojan.PWS-6299789-0 Indicators of Compromise Registry Keys USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings \MACHINE\Software\Wow6432Node\Microsoft\Tracing \MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASMANCS USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Visual Basic\6.0 \MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASAPI32 USER\S-1-5-21-2580483871-590521980-3826313501-500\Software USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\Visual Basic USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 Mutexes N/A IP Addresses 92.53.96[.]120 Domain Names cv42569.tmweb[.]ru File Hashes dddde27836842e0f950b5622e1be7a0f51072db573b2f2e41d20d4b4c45028d8 dc086f745c35b2abe58675e546b475ed64f15ea6e9d4492a0502476f784ea85c 97cd05c529002b85ae756a9e7b7da7a538026583f0886a235cf48b72c378551a 2992c6ce7ccda6fef751a912eafb8a31e3426bde8964ccf31b0512390bd61615 Coverage Detection Screenshots AMP ThreatGrid Umbrella Win.Dropper.Emotet-6301061-0 Indicators of Compromise Registry Keys N/A Mutexes N/A IP Addresses 188.165.220[.]214 Domain Names N/A File Hashes f566fdc382f6988599cb16894d8a9a92e291d83574834de705d6367b520b6b50 dda1fffa38e3f9d30833d201b542422aed15a41253b2a72797ad38dfba8fe535 6d4fa878e2930cb3bedc2078855f6d7db7b6b136464f6dff256d8c62657b505f 8ad1c1655d6d3b2a4931ae2dd9eb4e3b7be488a7f39b9c396fe1eeda2eda05a7 c0e8a92ba6ce12d803ecfccd01432f855e6fd9ad19825602a74a081459e25389 5598fdcc6c0c2e7bdb095193a5f986e6cf22fdcca26c2e8451c46d787ef18435 Coverage Detection Screenshots AMP ThreatGrid Umbrella

Vulnerability Spotlight: Randombit Botan Library X509 Certificate Validation Bypass Vulnerability Posted: 28 Apr 2017 07:22 AM PDT This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos. Overview Talos has discovered a vulnerability in the Randombit Botan library. A programming error exists in a way Botan library implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability. A security advisory was published on the Randombit website to inform users the vulnerability is now fixed in versions 2.1.0 and 1.10.16.  TALOS-2017-0294 (CVE-2017-2801) Randombit Botan Library X509 Certificate Validation Bypass Vulnerability Details X509 Certificate Validation Bypass Vulnerability The vulnerability is located in the function that Botan uses to parse the x509 distinguished name. More particularly in the equality comparison function `Botan::x500_name_cmp`. The vulnerability is located in the way of the white spaces are handled. A crafted x509 certificate with specific x509 DN strings for subject and issuer fields can be created. With careful control over X509 distinguished names contents and depending on memory layout in the target application, it could be possible to craft a certificate where equality checks could pass or fail. This vulnerability can be exploited to fool systems into connecting to unauthorised computers. This can be abused to conduct man-in-the-middle attacks, or to trick systems to connect to a malicious server. More details can be found in the vulnerability report: TALOS-2017-0294 Tested Version Randombit Botan 2.0.1 Coverage The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org. Snort Rules: 42015