<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><em><img src="http://info.threatstop.com/hubfs/infoOne.png" alt="infoOne.png" width="300" height="300" style="display: block; margin-left: auto; margin-right: auto;"></em></p> <p><em>Malicious Content Identified and Inserted:</em></p> <ul> <li>IPs – 2301</li> <li>Domains – 3406</li> </ul> <p><em>Target List Content Updated:</em></p> <ul> <li>TSCritical</li> <li>TSRansomware</li> <li>TSPhishing</li> <li>TSBanking</li> </ul> <p><em>Indicators of compromise have been updated for the following:</em></p> <p><em>(For a deeper dive into the research behind a threat or campaign, click the links in each description.)</em></p> <ul> <li>IOCs involved in <strong>suspicious scanning activity</strong> against domains and hosts.</li> <li>IOCs involved in <a href="https://dochub.threatstop.com/display/TS/M#M-_malspam"><strong>Malspam</strong></a>.</li> <li>IOCs involved in <strong>phishing</strong>.</li> <li><a href="https://dochub.threatstop.com/display/TS/M#M-_malspam">Malspam</a> campaigns (not attributed to a specific <a href="http://www.malware-traffic-analysis.net/2017/04/28/index.html">malware</a> family) distributed through fraudulent e-mails with the subject "UPS TRACKING NUMBER FOR SHIPMENT".</li> <li><strong>Kasidet</strong> is <a href="http://gwillem.gitlab.io/2017/04/21/fake-magento-patch-9789-is-virus/">malware</a> targeting <strong>Point of Sale</strong> (POS) devices. It spreads through e-mail attachments and fake software updates, and exfiltrates scraped credit card details and passwords from infected machines.</li> <li><strong>Mirai</strong> is Linux malware targeting IoT devices and is used primarily for DDoS attacks. 
It spreads by scanning for devices that still accept a built-in table of factory-default usernames and passwords, logging in to them and infecting them. The botnet was used in the recent DDoS attacks against security journalist Brian Krebs' web site, as well as in the October 2016 attack on Dyn. You can read more in our blog post <a href="https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/">here</a>.</li> <li><strong>ZeroT</strong> is a downloader <a href="https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts">used</a> to install the <strong>PlugX</strong> Remote Access <a href="https://dochub.threatstop.com/display/TS/T#T-_trojan">Trojan</a> (RAT), distributed primarily through spear-phishing e-mails. It targets entities in Russia, Belarus and Asia. <strong>ZeroT</strong> first appeared in the summer of 2016, in use by the China-linked APT group tracked as TA459.</li> <li><strong>The Terror </strong><a href="https://dochub.threatstop.com/display/TS/E#E_ek"><strong>Exploit Kit</strong></a> is advertised and sold in underground <a href="http://www.malware-traffic-analysis.net/2017/03/30/index.html">forums</a> under several names (Blaze, Neptune and Eris) by an actor using the handle @666_KingCobra. According to Malwarebytes Labs, <strong>Terror EK</strong> was used in a <a href="https://dochub.threatstop.com/display/TS/M#M-_malvertising">malvertising</a> campaign distributing <strong>Smoke Loader</strong> through Internet Explorer, Flash and Silverlight exploits. 
<strong>Terror EK</strong> was also involved in a campaign that distributes <strong>Andromeda</strong> malware through its landing pages.</li> <li><strong>Rig Exploit Kit</strong>, first seen in mid-2014, primarily exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight.</li> <li>Indicators connected to <strong>SteamStealer</strong>, malware that targets the <a href="https://securelist.com/blog/research/74137/all-your-creds-are-belong-to-us/">Steam</a> gaming platform and is distributed through malicious files and links sent in <a href="https://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html">Steam chat</a>. It causes financial damage by stealing Steam login credentials.</li> <li><strong>Mole</strong> <a href="https://dochub.threatstop.com/display/TS/R#R-_ransomware">Ransomware</a> is part of the <strong>CryptoMix</strong> malware family. This <a href="https://blog.fox-it.com/2017/04/14/a-mole-exposing-itself-to-sunlight/">malware</a> is distributed through <a href="https://dochub.threatstop.com/display/TS/M#M-_malspam">Malspam</a>, mainly fake USPS invoice e-mails seen in April 2017.</li> <li>The <strong>OilRig</strong> <strong>Campaign</strong>, named by <a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/">Palo Alto Networks</a>, takes its name from the Persian word "Nafti" (oily), which was hard-coded into a number of the analyzed malware samples. Its latest campaign <a href="https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf">targeted</a> Israeli organizations in April 2017; before that, it ran two attack waves against Saudi Arabian organizations in late 2015. The campaign has been seen targeting financial institutions and technology organizations in Saudi Arabia, as well as the defense industry. 
The malware used in the <strong>OilRig</strong> Campaign is the <strong>Helminth</strong> <strong>Backdoor</strong> <a href="https://dochub.threatstop.com/display/TS/T#T-_trojan"><strong>Trojan</strong></a><strong>.</strong></li> <li><strong>Smoke Loader</strong> is a bot first seen in 2011 that is used to download other malware. After initial installation, <strong>Smoke Loader</strong> <a href="https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/">connects</a> to its command-and-control server, which can push additional plugins to it.</li> <li><strong>Dridex</strong> is a strain of banking malware that uses macros in Microsoft Office documents to infect systems. Once a computer is infected, the <strong>Dridex</strong> operators steal banking credentials and other personal information to gain access to the victim's financial accounts.</li> <li>The <strong>NoTrove</strong> Campaign, discovered by <a href="https://www.riskiq.com/research/notrove-scam-empire/">RiskIQ</a>, is a <a href="https://dochub.threatstop.com/display/TS/M#M-_malvertising">malvertising</a> campaign active since 2010. It sells the traffic generated by clicks on fake advertisements to traffic brokers and affiliate programs. The campaign was found to have 78 variants, differing in the type of counterfeit offer (survey, promo, prize, etc.), fake software downloads, and redirections that either download PUPs or lead to sites selling non-existent merchandise.</li> <li><strong>Cardinal</strong> <strong>RAT</strong> is a remote access <a href="https://dochub.threatstop.com/display/TS/T#T-_trojan">Trojan</a> delivered by macros in Microsoft Excel documents that compile the malware's embedded C# source code on the victim's machine. 
<a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/">Researchers</a> at Palo Alto Networks noted that the malware has been seen only in very limited campaigns; it can capture screenshots of the infected computer, execute commands, and exfiltrate information to its command-and-control server.</li> </ul> <p><em>Security Blog Roundup:</em></p> <ul> <li><a href="https://blog.threatstop.com/threatstop-reposify-partner-to-stop-ddos-attacks">ThreatSTOP and Reposify Partner to Stop DDoS Attacks from Infected IoT Devices and Services</a></li> <li><a href="https://blog.threatstop.com/new-dga-targets">New DGA Targets for DNS Firewall Policy</a></li> <li><a href="https://blog.threatstop.com/vpn-and-tor-traffic-to-bypass-corporate-security">Use of VPN and TOR Traffic Allows Corporate Security Bypassing</a></li> <li><a href="https://blog.threatstop.com/new-targets-for-protections-against-inbound-attacks-and-whitelisting-major-services-in-threatstop-policy">Targets for Inbound Attacks &amp; Whitelisting Major Services in Policies</a></li> <li><a href="https://blog.threatstop.com/knock-knock-whos-there-notrove">Knock - Knock, Who’s There? NoTrove</a></li> </ul> <p><em>New/Updated Targets:</em></p> <p>New:</p> <ul> <li><strong>TSInbound</strong> – ThreatSTOP exclusive. This target contains manually validated IP addresses known to participate in inbound attacks on a range of networks. (Expert mode)</li> <li><strong>Top Public DNS Servers</strong> – The most popular public DNS servers, such as Google and OpenDNS. Can be used for both blocking and whitelisting. (Expert mode)</li> <li><strong>Microsoft Azure Whitelist</strong> – Azure is the cloud hosting platform provided by Microsoft. 
This target should be used only if communication with the entire Azure service is required; otherwise we suggest whitelisting only the specific Azure-hosted services your organization uses. (Expert mode)</li> <li><strong>Bedep</strong> – Malware family. (Expert mode)</li> <li><strong>Bebloh</strong> – Malware family. (Expert mode)</li> <li><strong>Beebone</strong> – Malware family. (Expert mode)</li> <li><strong>CoreBOT</strong> – Malware family. (Expert mode)</li> <li><strong>Geodo</strong> – Malware family. (Expert mode)</li> <li><strong>Ramdo</strong> – Malware family. (Expert mode)</li> <li><strong>Matsnu</strong> – Malware and backdoor family. (Expert mode)</li> <li><strong>Gozi</strong> – Malware and spyware family. (Expert mode)</li> <li><strong>Volatile</strong> <strong>Cedar</strong> – APT tool and malware family. (Expert mode)</li> <li><strong>Kraken</strong> – Botnet. (Expert mode)</li> <li><strong>Pushdo</strong> – Botnet. (Expert mode)</li> <li><strong>Qakbot</strong> – Botnet. (Expert mode)</li> <li><strong>HesperBot</strong> – Banking Trojan family. (Expert mode)</li> <li><strong>PadCrypt</strong> – Ransomware family. (Expert mode)</li> </ul> <p>Updated:</p> <ul> <li><strong>DNS Tunnel IPs</strong> – Now available in Expert mode in addition to the Standard mode target.</li> <li><strong>Botnet Domains</strong> – Now includes the botnet and malware family targets listed above.</li> <li><strong>Banking Domains</strong> – Now includes the HesperBot and Bebloh targets listed above.</li> <li><strong>Ransomware Domains</strong> – Now includes the PadCrypt target.</li> <li><strong>UNIX Server</strong> – Now includes the TSInbound target. (Both Standard and Expert modes)</li> </ul></span>
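<p>Two of the families above, <strong>Dridex</strong> and <strong>Cardinal RAT</strong>, arrive as Office documents whose macros do the real work, so the DNS-level indicators in this update are most useful alongside a check on the mail path itself. The script below is an added example, not ThreatSTOP code and not from any of the linked research: it triages an attachment by container type, treating a <code>vbaProject.bin</code> part or a <code>macroEnabled</code> content type in an OOXML package as a macro hit, and a <code>_VBA_PROJECT</code> stream name inside a legacy OLE file as a heuristic hit (it is a string search, not a compound-file parser, so a miss there means "not proven", not "clean"). All sample files are constructed in memory; for real VBA extraction use a proper parser such as oletools' olevba.</p>

```python
"""Triage Office attachments for embedded VBA macros (added example, constructed samples)."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm/.xlsm ...) is a ZIP container
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc/.xls) is an OLE compound file
# OLE directory entries store stream names as UTF-16LE; VBA-enabled files carry a _VBA_PROJECT stream.
VBA_PROJECT_UTF16 = "_VBA_PROJECT".encode("utf-16-le")


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML package carries a VBA project part or declares a macro-enabled content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            return True
        try:
            content_types = zf.read("[Content_Types].xml")
        except KeyError:
            return False
        return b"macroEnabled" in content_types


def classify_attachment(data: bytes) -> str:
    """Return one of: ooxml-macro, ooxml-clean, ole-macro, ole-unknown, not-office."""
    if data.startswith(ZIP_MAGIC):
        try:
            return "ooxml-macro" if ooxml_has_macros(data) else "ooxml-clean"
        except zipfile.BadZipFile:
            return "not-office"  # PK header but not a readable archive
    if data.startswith(OLE_MAGIC):
        # Heuristic only: absence of the stream name means "not proven", not "safe".
        return "ole-macro" if VBA_PROJECT_UTF16 in data else "ole-unknown"
    return "not-office"


def _build_ooxml(macro: bool) -> bytes:
    """Constructed sample: a minimal Word package, optionally with a VBA part."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # stand-in for the real VBA container
    return buf.getvalue()


def _build_ole(macro: bool) -> bytes:
    """Constructed sample: OLE header followed by a fake directory-entry stream name."""
    body = VBA_PROJECT_UTF16 if macro else "WordDocument".encode("utf-16-le")
    return OLE_MAGIC + b"\x00" * 504 + body + b"\x00" * 64


# Constructed attachments, named the way they would show up in a mail log.
SAMPLES = {
    "invoice.docm": _build_ooxml(macro=True),
    "report.docx": _build_ooxml(macro=False),
    "legacy_macro.doc": _build_ole(macro=True),
    "legacy_plain.doc": _build_ole(macro=False),
    "notes.txt": b"plain text, nothing to see",
    "corrupt.zip": ZIP_MAGIC + b"garbage",
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns {filename: verdict}."""
    return {name: classify_attachment(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:18s} {verdict}")
```

<p>In practice the <code>ole-unknown</code> and <code>ooxml-macro</code> verdicts are the ones to route to a sandbox or a full VBA parser; blocking on <code>ooxml-macro</code> alone at the gateway is a reasonable policy for inbound mail from outside the organization.</p>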