Saturday 10 June 2017

Threat Round-up for June 2 - June 9




Talos Blog - Threat Round-up for June 2 - June 9
Posted: 09 Jun 2017 11:41 AM PDT
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 02 and June 09. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

  • Win.Dropper.PonyVariant-6326202-1
    Dropper
    This dropper launches some malware possibly based on leaked Pony Loader source code. It attempts to avoid detection by injecting twice and deleting itself with cmd.exe process. It also contacts compromised WordPress websites to download additional files and attempts to also steal FTP login credentials
     
  • Doc.Macro.Valyria.6327969.0
    VB Macro
    This detects the initial stage of the Valyria trojan. Detecting the macro used and distributed in Microsoft Office Word documents will prevent the trojan's data stealing capabilities.
     
  • Win.Trojan.Loader-6328419-0
    Trojan
    This malware is of the trojan and downloader family and installs additional malware. It also looks to be able to perform spying operations. It's injecting itself, injecting a new explorer process as well. It's containing a lot of anti-debugging, VM detection and other protections.
     
  • Win.Trojan.Sivis-1
    File infector
    Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself.
     
  • Win.Worm.Fadok-6328944-0
    Worm
    Win.Worm.Fadok drops several files. %AppData%\RAC\mls.exe or %AppData%\RAC\svcsc.exe are instances of the malware which are auto-started when Windows starts. Further, the worm drops and opens a Word document. It connects to the domain wxanalytics[.]ru.
     
  • Win.Trojan.Qakbot-6327689-0
    Trojan
    Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials. Read more about it in our blog post.
     
  • Doc.Downloader.Generic-6327950-1
    Doc downloader
    As document based downloaders continue to remain popular as a preferred method of delivering malware, we continue to see their obfuscation methods change gears. Recently, we encountered a series of Doc downloaders that used two scripts to download the final binary. The first consists of an embedded macro that is used to remove a widely used obfuscation delimiter & write the resulting JS code to disk. The JS code is then executed via WScript.exe to download the binary, but static analysis remains deterred as most of the code gets processed by a string deobfuscation function relying on single character lookups from a master string.
     
  • Win.Trojan.Keybase-6328970-0
    Trojan
    KeyBase is a trojan that can be used to capture screenshots, keystrokes, and other pieces of system information
     
  • Win.Trojan.Siggen-6261194-0
    Trojan
    Siggen is a malware family with anti-debugging and anti-VM capibilities to hinder static and dynamic analysis. The samples drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.
     
  • Image.Dropper.PhishingLure
    Social engineering document technique
    These documents display an icon and text lure to encourage users to click and activate the icon. When triggering the icon the malicious code is activated.
     

Threats

Win.Dropper.PonyVariant-6326202-1

Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • /images/wp/wp[.]php
  • /wp-includes/images/wp/wp[.]php
Files and or directories created
  • N/A
File Hashes
  • 47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb
  • 50733aaab0b6ca4210df15017f51bb576c84fea2cbeb0912dd40a32056cd3c1b
  • 4fe60f488f45f914edb650cc2e248d156ad8b257b610ad4848b1c245f38053e3
  • 24558ad4b3a745c24a2dd42c73800ccfcd0c10dc17c67d83f3dcb3a4e479d46c
  • 21b260fc6d38b2061263f66f3efd71116adbc75b95f57d424b079ecc1c4e5a02
  • c35c5adf85410ad3a90804dfe053a0b6f53bef8c024898361a6c931c3598317e
  • 416d71ce82336aa2dda064e6ba93a555ccf46c7ae2ad1faba379513965d9d485
  • 81ee12d8f93c5b7574a1d797261f275e9b61f5ebd73ac836a68df3a18ef31c93
  • b42d5092e2fa54a8312c4f534b9c1d10ff714241a8fc3e3a3f44c8870a1fdc4f

Coverage


Screenshots of Detection

AMP


ThreatGrid


Doc.Macro.Valyria.6327969.0

Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 185[.]165[.]29[.]36
  • 52[.]173[.]193[.]166
Domain Names
  • N/A
Files and or directories created
  • %TEMP%\CVR9C14.tmp.cvr
  • \Users\Administrator\Documents\20170605\PowerShell_transcript.PC.Wu4ufN69.20170605030528.txt
File Hashes
  • 097de8a240500e67ed2b1b0d8d95a4bcd8f07764c5abdcf7eceb17d15c592611
  • 0cfe5dfa2b53c51076a5ea1aac89e7be91e83a70c6438b037dfd00ccd839ca6f
  • 17b965a0cf6b0b316da2c659ec2c7bbe747819d09c1c1401d5a80272f47b813a
  • 1fa78675658b45f99b1799c11681b3f5b7ec09881f3f600060576b4b0a74a65e
  • 2378d2f333b50cc341e08f574d300ebcf12ee7140cb897620bc9c35f93929854
  • 24384267829131c7158c50c109afea6026d327c65a66ef559a6540c2c8863094
  • 2669d31701a90345db7492bc3de46db51af6a9137ce1bafdab2fd3122d2e040e
  • 27a035174244dd347ee81cc932fccf414b1c32a0820fe6a55e242ee04e9c0686
  • 2a3a0eea64d407c04bf65c3bd1b22c4243435d8b066e44011d1a9904f0f644e7
  • 2de9f4f8df35ca71c1738d22bfb6a147670c25dcbe2014cfd0870a53e33f385a
  • 38e71cd7dba75c6e6dbfa326843d10421d57ab3781c94c1174cfc260c86d4361
  • 3d93b69809ad4d6cb2866583c7fc0144aa0db167fd4940ab17b3252c809bf1d1
  • 3ea1c668e2b904c00f60d3bdd735a31261c49b29a39f2523c03271328a69c580
  • 3f3adeed33a1a057f697c49f9d776c27c7fb9afb7cfa62eec2936ac24ae0d19d
  • 4914a3125bf4d54a07ade2109325a324f813c500a5b6e8a2781b7c1876671455
  • 556556a774b187d2068e8d6e4cc2d098fd06fe146e0b4578b68a602d9b9c47f7
  • 56e76f857ba0006ce64a71404b3a5e0166659e069c7d31d488de248e3e8a7af4
  • 5cc180f858ed3148aad169790640664280c4b908867256f7b1a0718575192c78
  • 67e2d24be65f338f944eda6cffdda8013147088a8173e771795b399c3c182771
  • 6b6221926ec36c928f0d0eef2d254766f30342714c3e791645d97c6c86cec31f
  • 73b30d45b7f7a0893f8d8a1b3b55f10ff9d11e86619dccbb22a60d1f2462d5f6
  • 7cc61b02a664bfdeb11daf0dbb6f7bcfa2b07291b4ba3d25e902850a76f91ded
  • 7ec2376443a777c789d853489ba4192ff21923ab95f4810660faad4dd93e0813
  • 7fcd49ea71363a666377a734b80c7608842a9acb868e1b35a3820a1eefd68975
  • 900f2319a95ec33f4c42a4ceac088f0ab940aa0cde64c4da186b0322746d3e36
  • 913b51d636924dc67655ac2bb69449858448f71363eafcd3cb7881da3fe12994
  • 95fd8ea6a9b5778a75b76804ae8c1da2514239598edd1c324f25eb30a93fd715
  • a3905f5dd2e106d19e260b36d9bdc7946cc8aae0f4343e8d6c7f671d0bdc7921
  • a57fe946d0e6d5324080ad9625ed5f4cc2720c53cfa8dfc4185cecc9320c8e45
  • ac1803de8dea5bca07b2eb654f0ce9b013285686014483e6c81ae7235b68e1aa
  • b08b5eb8f5ab0a2fa8acebaf86bf48653f38b7efed83d88ba6076f0da4af9ace
  • bb4e1f338f6d5c46d7890aa7eabe929de1467d8760a463c74379d651600638e8
  • be53a9f3aeca760dfcea58b676db1f687f238e0c6996ec57e36fa6040f43e75e
  • c3ffe88841a13a6222d667cb7aca8e0d77215b875403f4865ebf199ef64baf9f
  • c571b06649be9a8d07ae380a7131dd8deba1bee2aa7067557857fee8cbd2c130
  • ceb3fd6d517aaff2a122df2f9e8ab368cbf1efc8644344d4f228198e90c56399
  • d6d05984c0d493eb75861c7d56c2cf649fcc912134e7df2894fc8bb3eec8980f
  • d845e07f961afb0341e8d8da25fc08896bccd09ccc5136e74454308c9f95eff6
  • e618d44cf1e7d121c9e934b1d530ebc4e830d1dd7d8228ac5b53a455def791a9
  • e90846bb4883914000462df105e679bc4ad05d3d1b0900363dd18eba1aca5c33
  • eaa3cb0af249967c7d9a66185db3cac7e93196da6281014206b6d0bc0fb7f34c
  • ef6269b66111c365ef251e4128a286e16c972359ca406a02b6f81fa8b55b1cda
  • efb1be187c1b7cb674f6912ceec3301da0cc5c993dc3d7d47f4fa7b9c5e80d1b
  • f6650409983332866425e807dedc231b28a7cd3a468fe9e17be029fda17efe15
  • fbdee3574019ef790ca4609c0414bf63da402c051351552e3a24f4e325e494e2
  • ff9b033e0f4d48b6f77ae849cf3a94ea411583ea8c232b1da6fd1bc99d5e40d4
  • fff62aadd6740b7c1a4b57758f95d5de0cc36e471e6d1ae40ca8141a5845a7eb

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot



Win.Trojan.Loader-6328419-0

Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: GITSecureService
Mutexes
  • LoaderMutex
  • Local\WininetStartupMutex
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes
  • 594e51c5d358d6a691ff2a80dffaddff77c9184ea072e415138c3d41b7c265ca
  • 70df78ea8ee5f9f4561cbb595ca7c2acc982b3a0b7f84017a803e2a0d0494c5a
  • 47bf1580e8407e9825d40348143ee14bb3f7458c32a367ae1a25f3a33a643a4f
  • 503e751cc1c67c0688e92c28e4565de1448756443fdec4a638a019bd63816b33
  • f228c82dcc233e42f098ef132796985e7e69ab0294e348182ed1fc79f9f49808
  • 6fbf8a11f59e67a96bc1f6afd67fb4b5213f93ca15d75e14bc3b99ca5af37a5d
  • c703896a92a7912a109336d28dec6dfbf568f8da63c635206d85c72fb2c4aea0
  • 5b5de2fa244760de8a1a301347ab7a646160c257628f24f19d5072ba8d14d3fe
  • eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23
  • c8f06a449c4ba38e5f49b188fdddb2b49a5e7dc8716aa1f220c9ee40b06013a6
  • 6ce02da8b29683da3c62719959522227598d38f3fc7eb056807c0fe83f051720
  • f99385fa291e583b905bc5880a2d7a8789e9ac12d377beff7ab6afeba26f087c
  • 859cbf1bcb8a1d4b9862e9da10b0e7b760c249ee83b01ae93c72176c021693f5
  • 25a60570b487f02fc57962f8fbf1d859f5cff0f8b47f01e57c7ba2d9c9a3c990
  • 23b62deaab5754b330be64cfb4e784cf2ac328356b767bace69a391219d577a5
  • e9049130d4cee840324995b87d605672570c19e7d3621e1fd639b640876fa575
  • 77b3f7eb328cb5f503bee90e65789a78be85a73977ecdaeb95c558d7bdb192bb
  • 47a17129b7c2337735cad5c8f9694fc2ae5b344a0ca50647c8a5884b240a8587

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella



Win.Trojan.Sivis-1

Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • \Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8HMRCBCR\menu_bleacher[1].png
  • \Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z7t0o5cs.default\XUL.mfl
  • \Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8HMRCBCR\resultslist[1].js
  • \Documents and Settings\Administrator\Local Settings\Temp\KB2533523_20160610_170929140-Microsoft .NET Framework 4 Extended-MSP0.txt
  • %AppData%\Microsoft\Office\PowerP12.pip
  • \Documents and Settings\Administrator\Favorites\Links\Suggested Sites.url
  • %AppData%\Mozilla\Firefox\Profiles\z7t0o5cs.default\extensions.cache
  • %AppData%\Microsoft\Access\System.mdw
  • %AppData%\Mozilla\Firefox\Profiles\z7t0o5cs.default\mimeTypes.rdf
  • \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\YB1OPN1Z\desktop.ini
  • \Documents and Settings\Administrator\Cookies\LJOW70BN.txt
  • %AppData%\Mozilla\Firefox\Profiles\z7t0o5cs.default\content-prefs.sqlite
  • \AUTOEXEC.BAT
  • \Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8HMRCBCR\view[1].txt
  • [...]
File Hashes
  • 38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c
  • ccbf43a2ab8074ca4a27952f0f3c052435ffe38cfa4644f63b609f96c978c014
  • 0a08a78e10ffd4c2e176e089e092f3692b94da97457abcfc694082c525335fcf
  • 0c1170f0bd12ecd8b4a507755dff78ea47d9057129d5ae09b2af82287b43664d
  • 7366a0faef62af909a1ef1da05e2cbd1fc9534cbb26e20e90538e043f4517d5c
  • 4e5297e0d0b8c702e6c97fbaeee1f329b2246a046790e0e8adb595f94accf47e

Coverage


Screenshots of Detection

AMP


ThreatGrid


Win.Worm.Fadok-6328944-0

Indicators of Compromise


Registry Keys
  • HKU\Software\Microsoft\Windows\CurrentVersion\Run
Mutexes
  • BFA31D7B-D1D1-40D5-A90C-A0909FFA0887
IP Addresses
  • N/A
Domain Names
  • wxanalytics[.]ru
Files and or directories created
  • %AppData%\RAC\mls.exe
  • %AppData%\RAC\svcsc.exe
  • %AppData%\RAC\svcsc.exe.config
File Hashes
  • 03692f096e7fc9ab6bd470f7092ae80cc5dcfbf1dcb2a849dae2a2384e421315
  • 04c679e80175039e07cbbd0b87a9877c297ef7e18d117f8dfa7c30ea42f78de1
  • 056b0bc81124cf9ad6c094092e1f16f2aa96bf7efebcaeaf3830a8a228464a9b
  • 06f89aa03b2e1f070b9fdfafd5356d0eaa1ea840f05ab7189d89f1cb1f70ff66
  • 093808faa41383f1e3d33fd8a2e716fe4c5b9388bd42548f5423e6b5ff62a9d6
  • 0ab690ef09a14798b9deb6cd0c116b8e0ed906b6bac16a05a5ae4bc38cabf467
  • 0cac66a5a16efe52e2e878f5e8f6e34749e049c547ecf18f54955141e13e7058
  • 0f93142998d1c0dddcf008b167f9611e0fc46539f50a35faf8266d71d31ad3e6
  • 0fffda2d0105f10690d1989859deae3d50287474534649605a320f078616d658
  • 148c4618e14a3c30f73dd6f910df6999ea4be2e32818f3747bdae03c175b7c48

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot





Win.Trojan.Qakbot-6327689-0

Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: kddds
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DBRNOCX
    • Value: DisplayName
Mutexes
  • wawrtxtguelkunm
  • \BaseNamedObjects\Global\uhtvtft
  • eioigs
  • \BaseNamedObjects\Global\ubrjqsxr
  • knsoonoa
IP Addresses
  • 204[.]79[.]197[.]200
  • 104[.]254[.]150[.]79
  • 52[.]27[.]10[.]213
  • 64[.]95[.]32[.]24
  • 64[.]95[.]32[.]20
  • 107[.]21[.]249[.]100
  • 104[.]16[.]32[.]229
  • 54[.]197[.]40[.]33
  • 54[.]225[.]186[.]185
  • 162[.]144[.]12[.]241
Domain Names
  • jdlunsnxplknfahqhhcnydvjm[.]net
  • bofznergcfar[.]biz
  • yfptiliaesndlcvuemywsvcyh[.]info
Files and or directories created
  • %AppData%\Microsoft\Knsoono\knsoon.dll
File Hashes
  • 9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9
  • 0452810a21fc1207dc11a2a82127f30354fdc41aef95371b77a00b5592c11bb4
  • 02ad78b356cb9723b18122a2fad033e0487be7e367864d7481371bde0b0b8acf
  • 0200b37385ee4b54572e9ff8f9dca6b20ef6a41feefeb9f5eaf14fa35fe82b87
  • 007f9ee2441329fe8c8ebf6f597c84eb1e4fea764dd228cfae9bed400c8af53b
  • 006b191a135afecf86bd4df2fbf619f8f019ab316d2edb33d053209384c7d4cd
  • 00141f6303dd960c61a4fdb06e686ccc972c0e0f092adaf823444e4b7e32ae09
  • d52f95bb330930af7477604547dd33fdf3fe76e20301a67a7d490f6b1ebe5247
  • 4712cf80102b7886a946ab6454fb0978f9d94feacd52c5df18850dbefa0158ec
  • 5b7a5a58e4af312cd23e1f28597f2818953dd23abdeedb52adb882958e2766cb

Coverage


Screenshots of Detection

AMP


ThreatGrid






Doc.Downloader.Generic-6327950-1

Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyEnable
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00002109F100C0400000000000F01FEC\USAGE
    • Value: SpellingAndGrammarFiles_1036
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00002109F100A0C00000000000F01FEC\USAGE
    • Value: SpellingAndGrammarFiles_3082
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00002109F10090400000000000F01FEC\USAGE
    • Value: SpellingAndGrammarFiles_1033
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoConfigURL
  • <HKLM>\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
    • Value: Seed
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKCU>\Software\Microsoft\Shared Tools\Panose
  • <HKLM>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\RECENTDOCS\.docm
Mutexes
  • _!SHMSFTHISTORY!_
  • Local\ZonesCounterMutex
  • Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012017052920170530!
  • CTF.Compart.MutexDefaultS-1-5-21-1202660629-583907252-1801674531-500
  • Local\MU_ACBPIDS09_S-1-5-5-0-35459
  • Local\!IETld!Mutex
  • Local\_!MSFTHISTORY!_
  • CTF.LBES.MutexDefaultS-1-5-21-1202660629-583907252-1801674531-500
  • Global\MTX_MSO_AdHoc1_S-1-5-21-1202660629-583907252-1801674531-500
  • Local\WininetProxyRegistryMutex
  • CTF.TimListCache.FMPDefaultS-1-5-21-1202660629-583907252-1801674531-500MUTEX.DefaultS-1-5-21-1202660629-583907252-1801674531-500
  • Local\WininetConnectionMutex
IP Addresses
  • 74[.]208[.]222[.]23
Domain Names
  • accotaxs[.]com
Files and or directories created
  • \TEMP\~$e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb.docm
  • %System32%\config\WindowsPowerShell.evt
  • \Documents and Settings\Administrator\Local Settings\Temp\bbbababfcecbfa523.txt
  • \TEMP\27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb.docm
  • \Documents and Settings\Administrator\Local Settings\Temp\bbffdeafaccece.txt
  • \Documents and Settings\Administrator\Desktop\d37e.exe
  • %SystemDrive%\~$runme.docx
  • \Documents and Settings\Administrator\Local Settings\Temp\12tedsgsas124.txt
  • \Documents and Settings\Administrator\Local Settings\Temp\tedsgsas124.txt
  • \Documents and Settings\Administrator\Local Settings\Temp\eccbfaffbbb.txt
  • \Documents and Settings\Administrator\Local Settings\Temp\bbbababfcecbfa.txt
  • \Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\gate[1].htm
File Hashes
  • 27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb
  • 078de2765221c2d5b5030bdd1d7adaa066dd4fc6a6575111df76ec7dd3785bfd
  • 5239d220d79e36af270a89d0683f6744f2b823c18880aa7fe02bc004c52f78ec
  • ab2ffad0977dda99a85c12d97fa40a8c09d5b81d08f7323e9e70e408ef017f3b
  • c94d3f6f98fea91c7ff34920cbed45f800e6062706a7192ed6f354c96c669e4b

Coverage


Screenshots of Detection

AMP
ThreatGrid
Umbrella



Win.Trojan.Keybase-6328970-0

Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 217[.]174[.]148[.]65
Domain Names
  • N/A
Files and or directories created
  • %AppData%\Important.exe
  • %AppData%\Browsers.txt
  • %AppData%\Mails.txt
File Hashes
  • 7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24
  • 8b1c64f993778c52906b8170cc6c16a07f4116e23661956a738323aca7b12c3a

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Win.Trojan.Siggen-6261194-0

Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses
  • 52[.]173[.]193[.]166
Domain Names
  • N/A
Files and or directories created
  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsrD.tmp
File Hashes
  • 76cac7eac498813164dcb94ed0812163bc4d261ef80232ec528aa941e0622479
  • 2dd6b33d9e07c68b79b6674e0972f28ee316548c5e53b28331d88c739d1a5b8f
  • 87701e501b48b94e9494bbda3f42a8b2a92a0e19d51d3e6023efae30b86f74a0
  • 4a1b26fd16f985e1da3f1b5619b55f6170584ac51923bd6d6c4c455fc86d44da
  • f20ef69203c8bd06da68071ccf38001fcd411de5c951bb38bb46a15e6d205458
  • 74a306f136aa3b098fe99f6e35a1163d808c996e7ca6f8cd03fc69ec0a2573c0
  • 8998b35cd76f170e62275661c0f0256883ec2b8e34b9e5ff9530c9da4d07fb74
  • dd249e28e052a2e7747886a0596e7faf7e447fbef7260198509fc6e08c294bbb
  • 745d8d433cba5315749dc61810d9bf4eb1864fb9737c4a2fc3718eda75917d6f
  • 5527923be2a750415d9565fcfc38550bf292206cee0e415278e8e08d3f3cdbdc

Coverage


Screenshots of Detection

AMP


ThreatGrid


Image.Dropper.PhishingLure

Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\E6B7EA3D.emf
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\654500.cvr
  • %TEMP%\CVRFECE.tmp.cvr
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31ADA98B.emf
File Hashes
  • 71c534db25e2c523ed71b7ec30289f8c91a15d8f61a7c132a8f0958086d9cf67
  • b59051ead1c391fc3f5d4df44408606a6a0662456edf3a360760bc1df28e85b0
  • 46e918a71e35421fd6384e4faa044758f636709aad1cdc28def585902560e75c
  • 3fd12be1754315caaa508cb1dd3ed3c42d5ccfb9281a3c299b914da993919372
  • 7d89276ddbb3e7d0a0c7628fbab04aace04e52f885b7b0619191b47eef4b3427
  • 2190bab38a01b157023f4000b22958db934eb89fe2868593bcb3a28daca13cdb
  • 884bdf459f5b218c56070cfba568a166e0f58df5e91373853b73a1eaf5c96896
  • 55cae108a1f375d112831c24df0f9d0300028fb46e1ab4b7ff9c477da29888cf
  • 069ea4075dfd279be50ee1a2904b6a5f024f7e924c91f5249e2047f93c971255
  • c47359bd7ab8c463522a7e3356ed6de278cfa8ebe0afe9d5e8fcb359c356eb9f
  • 8752350c7df238d3bc210f13edc74486c4c5e62ee935cc32fce6d84ba2fe3664
  • c74a3428c963a4b8ecc86279e609b7e687d635068a7c607686c3b1228715affe
  • 264bd038374d6dec2419788a189bc22253e944ae78e69082370700cfe163a5f6
  • c9c4a76991fa7dabe4c5e242eceefb2276470ab16933576b8834a72db99bdb8a
  • ba1e7358f4ac42e0e6d575e0f39c7a07939e31b03f82382486200b3d877fbe95
  • 2aaeb1e014c6940fb9f1ed979622daec2bcb0afd27a431b60d575429513c4747
  • 8fba7699a4f56f2ff0ef88137e7d9a045a8d58aeb2ee7764c70a57fd5e75c7b2
  • 6c2e949f0e7ef6beb164e164636abfdb052386cc29318b4f80193ca1bb847e36
  • 0fecda1f3e3c6bfc840119d3ec7788108b3bd2555cec500f9737499b57b20361
  • e7b20cb956fb4bfbfbaaeae08265a3986114dd84fec72e6dbbda5ff8f0f9d602
  • 63933469402c62a974f9e8c4d3563a1b8343cb5ae4962bbf8185cbcdf22f9855
  • 5d146dc96acac7a6026b0a82d611c18c58852c328ea55d27737b2fbb0265fc3d
  • 54071e124b61d87336c49408a420b98046828cceba18868e2fde9170a287843a
  • e28775913fc2f714c665bc96babe101f509399754503dcfac1cff6614f0b5e04
  • 2e76194f7889f84004a11d69af8df7a08c8602555a6f8629f146a593eb4bb732
  • d15b79df9e9a6b9d09b984b1992f8433db9734e8fbe1036aecd05c941dfc6b12
  • 0dc28f0d53d35417a7527ec8f248487ec270992bbfd0e1837a56fcda6fe9af1a
  • fc66061242ba1d9cf3255437b6c8d0d8a0e6fdba3e63d9a611205b8654f11246
  • 05264cd26e8d9c16ff1f5a71ee5641be5113ee247270072ac1e0173ee5688849

Coverage


Screenshots of Detection

Screenshot
Posted: 06 Jun 2017 10:00 AM PDT

Introduction


Technological progress is resulting in computing systems that are smaller, cheaper and consuming less power. These micro-computing systems are able to be integrated into everyday objects; when coupled with ubiquitous wireless connectivity these devices form the "Internet of Things". The IoT has the potential to improve our lives, but only if we correctly manage the security risks which are inherent to these devices. 

Gartner tells us that 6.4 billion internet connected devices were in use worldwide in 2016, and that figure will reach 20.8 billion by 2020. That equates to nearly 10 million new devices being connected every single day for the next 4 years, massively expanding the potential attack surface of unsecured devices. As businesses deploy these systems to make decisions about operational improvement, or build their business strategies around the IoT, we must consider the vulnerability of the devices and the veracity of the data they generate.

IoT security interests Cisco and Talos greatly. As part of our goal to force the bad guys to innovate, we seek out and work with vendors to fix vulnerabilities before they can be abused. For example, we identified hard coded credentials within Trane thermostats. If discovered by a threat actor, they could have remotely logged into the thermostats and gained complete control of the devices. From there they would be able to conduct reconnaissance of local networks to launch attacks. We developed protection for our customers, and held off disclosing the vulnerability until the vendor released a patch to resolve the issue.

An insecure IoT device connected to a corporate network is just another computer that can offer a point of ingress for attackers. Once compromised, an attacker can use an IoT device to gather information from the network or launch attacks against other systems. However, unlike most networked computers, the IoT device is unlikely to have anti-virus software or security software installed on it. This means that an attacker can lurk there for extended periods with little risk of discovery. 

Criminals are aware of the opportunities posed by the IoT. They have "recruited" poorly secured IoT devices to form the Mirai botnet, which launched the largest denial of service (DoS) attack in history, using the stolen computing power and Internet connectivity of insecure devices to disrupt services offered by Twitter, Paypal, Spotify and other sites off and on over an entire day. Criminals have also compromised vulnerable digital video recorders used in closed-circuit television (CCTV) systems. Not to wipe incriminating video surveillance footage, but to install malware to steal processing capacity and use it to mine bitcoins in order to make money.

Not only may the devices themselves be vulnerable, but the systems that use data collected from IoT devices can be leveraged to conduct some interesting attacks. For example, a team of Israeli researchers discovered that they could fool traffic information systems into believing that there was a fake traffic jam by spoofing traffic data from bogus IoT devices.

Insecure IoT devices that interact with the physical world can be compromised to alter their function. For example, electronic hotel locks allow visitors to use keycards to access their rooms. However, the communications port on these devices can be hacked to take advantage of inadequate security features on the lock to allow anyone with the necessary knowledge to open the door without a key.

Even unlikely items such as toys and homeware can be considered as IoT devices, and found to include network vulnerabilities. Hackers can compromise a connected Barbie to spy on you, and subvert baby monitors to monitor you and your children. You can even be "watched" through your Smart TV.

Pressures Lead to IoT Security Issues


As the world builds the infrastructure and deploys the devices that comprise the IoT, we as a society have the opportunity to apply the decades of good practices learnt as part of the development of the Internet – including painful lessons about the importance of security.

The premise of the IoT is built upon the idea of deploying many cheap, Internet-connected devices in many places. As the market develops, manufacturers are hurrying to bring devices to market at the lowest price possible, and few buyers are insisting upon security requirements as part of their procurement processes. This means that many IoT products are sold containing known vulnerabilities without, or with little thought to, how updates can be applied to devices in order to remediate security issues.

Considering security issues early in the design phases means that protection can be built-in within a system. Every feature of an IoT system – from the device itself, to the wireless communications, to the user interface, to the management interface – are associated with weaknesses which are well known and characterized. Similarly, defenses against these types of weaknesses are also well known. Specifying that security is a requirement for a system, and pinpointing the types of protection that are needed, leads to a system that is more resilient and less likely to be compromised, less likely to suffer major losses when a compromise occurs and easier to update to remediate issues when they are discovered.

Not addressing security issues comes at a heavy cost. Installing insecure electronic locks means that the locks might as well not be there. They can be hacked to open for anyone. Deploying insecure devices that connect to a corporate network is like leaving an office door unlocked overnight, allowing anyone to creep in and take what they wish. Vulnerable IoT products may be banned outright, e.g. the Internet-connected doll, Cayla, in Germany.

Security issues present in many forms. Resolving any single issue first requires awareness of the problem, an understanding how the issue has come about and how it can be remediated or mitigated against. Only then can we put the correct security strategy in place.

Software vulnerabilities are one such security issue affecting the IoT. Talos has a dedicated team hunting for software vulnerabilities in IoT and other systems. When we find a new vulnerability, we follow our published Responsible Disclosure Policy to ensure that our customers are protected and that the problem gets fixed. By sharing these findings, we can inform and protect the community at-large and contribute to the discussion on securing the IoT.

"Tricking" The IoT


Anyone who has been involved in writing code, or ensuring that an IT project is completed as required, on time, and on budget, will agree that writing software is hard. Creating software-based systems that meet requirements is difficult enough. To be secure, the system must not only do what it is supposed to do, but never do anything else.

Vulnerabilities are simply weaknesses in a system that can be used to "trick" a system into doing something that it wasn't supposed to do. Often, vulnerabilities lurk undiscovered because we need a specific set of circumstances to find them, i.e. we won't encounter them unless we specifically probe for them. Once an adversary discovers them, they gain access to resources and data, or even the ability to run code in ways that the system designers never imagined or wanted.

Any system containing software will almost certainly include vulnerabilities. In this respect, the IoT is no different from any other computer device. Continuously considering security as part of the requirements, system design and development will help identify potential mistakes early so that they can be rectified. The further down the development process that a security issue is identified, the more expensive it is to fix.

Despite best efforts, it is almost certain that a final system will contain vulnerabilities. Encouraging the responsible disclosure of vulnerabilities combined with a rapid "fix" process helps minimize risk and exposure to harm. It also means that the software engineering community can learn for the mistakes of others and not make the same mistakes twice.

IoT Risks In Real Life


One of the key issues that Talos sees time and again is hard coded usernames and passwords within systems. When discovered, an attacker can uses these to gain access to all the devices that share these default credentials across the world. Just last year we disclosed this exact issue within Trane thermostats. We worked with Trane to ensure that the problem was fixed.

IoT systems require management interfaces to control the operation of the devices, and to process collected data. In addition, we recently discovered a way that attackers could take control of an IoT installation controlled by LabVIEW and also found how attackers can exploit an Aerospike database to take control of the platform.

What Needs to Change


Nothing will change unless people are aware of the issue. Being open about vulnerabilities when they are encountered helps users consider their own security requirements and assess additional security features that they may wish to deploy. It helps them prioritize their patching regimen, or even better, simply inform them as to why an automated system update has been applied. Keeping quiet about security issues benefits nobody except attackers who wish to use the vulnerability to attack systems.

Vendors must ensure that the software they develop is designed, developed and tested to be as secure as possible. Despite best efforts, hackers will discover vulnerabilities and systems will need to be patched. Making the patching process as quick and easy as possible (preferably automated) enables the distribution of security updates, with new features and functionality. For businesses and consumers to truly embrace the convenience and power of IoT, they must feel fully confident that we're building IoT with security foremost in mind.

Protecting Your Systems


The upshot: Make security part of the procurement process. Ask vendors about how they discover and resolve vulnerabilities. If their answers don't meet your expectations, don't make the purchase.

Segment networks that contain IoT devices. There is no need to have a potentially vulnerable connected thermostat on the same network as your customer database. Separate networks so that, if a device does become compromised, the potential for damage is limited.

Protect IoT devices with appropriate network security measures. IoT devices are computers and require the same security measures as any other networked machine. Protect them with firewalls to block unpermitted network connections, and use IDS/IPS systems to block and alert on the presence unauthorized network traffic.

Plan how you will keep systems fully patched, how you will learn about required patches, and what you will do if a vendor is unwilling or unable to release a patch.

Don't overlook management systems. Databases and dashboards are associated with many security risks, notably that of authenticating users and assuring the integrity of data collection. Verify that a single compromised device can't result in the leakage or deletion of your entire database. Similarly, ensure that a graphical front end isn't vulnerable to Cross Site Scripting (XSS) attacks that could lead to an attacker gaining access to sensitive systems.

Conclusion


IoT systems have the capability to make great changes to our professional and personal lives. The IoT has the capability to reduce waste, improve efficiency, and create new markets through new opportunities and newly gathered data. 

In other words, the IoT will enable our societies to grow, progress and improve. But we must feel confident in the security of these devices to fully realize their benefits. We know how IoT systems can be attacked and subverted. We know the consequences of such attacks, and we know how these attacks can be defended and mitigated against. 

Society can protect IoT systems from harm, but only if that protection is insisted upon by those who are deploying, purchasing and delivering the systems. Buyers must demand better security, and manufacturers must understand the gravity of the situation. No longer can they simply strive to be first to market; they must also strive to be the safest to market. If we all start demanding better security, manufacturers will make safety a priority.