<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><em><strong><img src="https://info.threatstop.com/hubfs/ransomware_1-2.jpg" alt="ransomware_1-2.jpg" width="454" height="247"></strong></em></p>
<p><em><strong>Malicious Content Identified and Inserted:</strong></em></p>
<ul> <li>IPs – 2684</li> <li>Domains – 405</li> </ul>
<p><em><strong>Target List Content Updated:</strong></em></p>
<ul> <li>TSCritical</li> <li>TSRansomware</li> <li>TSPhishing</li> <li>TSBanking</li> <li>TSInbound</li> <li>VOIP Attacks</li> </ul>
<p><em>Indicators of compromise have been updated for the following:</em></p>
<p><em>(For a deeper dive into the research behind a threat or campaign, click on the links in each description.)</em></p>
<ul>
<li><strong><a href="https://twitter.com/James_inthe_box/status/879399893583798272?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-8X0jiaRmDqGGVyvUB7lgjXWJb9_zLSlX-3mY-6S6HOJlI-KL3WX7prL91kJMEi9MEr_pcy" data-hs-link-id="0" target="_blank" rel="noopener">Emotet</a></strong> is a banking Trojan first seen by Trend Micro in June 2014. This malware hooks specific routines on a victim's computer to sniff network activity and steal information through a Man-in-the-Browser attack. It <a href="https://ghostbin.com/paste/agbuo?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-_7P0TLyHS6fqnN2ttTe5LmG5CYnFYXl65KmMj3nh2GaIb6Lscnk21syllzoPxdxdNw0uCm" data-hs-link-id="0" target="_blank" rel="noopener">intercepts</a> communications between the web browser and the bank's servers to access the victim's bank account.</li>
<li>IOCs reported by FireEye and Microsoft have been added for the CVE-2017-0199 <a href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/CVE-2017-0199-life-of-an-exploit.pdf?la=en&amp;utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-_IupFyxVhLb6gF09WWQTij0XVp7uIZeDxAfB74D9YIf1WQ3PEcPzeGQjfR2yS7xY3Ew4YX" data-hs-link-id="0" target="_blank" rel="noopener">vulnerability</a>, which allows a malicious actor to download and execute a Visual Basic script (with PowerShell commands) when a user opens a Microsoft Office RTF document containing an embedded exploit.</li>
<li><strong>Almanah</strong>, an old family of Trojans, continues to spread.</li>
<li><strong>HiddenApp</strong> is an Android malware, also named <strong><a href="https://vms.drweb.ru/virus/?i=15077161&amp;amp;virus_name=Android.SmsSpy.5799&amp;utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-96I81qD5jcpW4O_R4--olygtgDHXvDvPHf0F6qPMo0i1NQJhHj_8d1JaEbfQLsBwoSb-ib" data-hs-link-id="0" target="_blank" rel="noopener">Spy.377.origin</a></strong>, <a href="https://vms.drweb.ru/virus/?_is=1&amp;amp;i=15421778&amp;utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-_4Y4ZA1PFOi3P2SPEr3AxdkqzjFjREZpkMvKbpuTVJZTq_4M7agBv1gQLz90C4tf5MpIpc" data-hs-link-id="0" target="_blank" rel="noopener">targeting</a> Iranian users.</li>
<li>Phishing emails have been exposed with indicators related to an email targeting users of ZoomInfo, a database marketing company with information on businesses and employees.</li>
<li>There have been targeted campaigns on <a href="https://github.com/botherder/targetedthreats?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz--4JhStETGWMGcv8iUu3mSZJ-ZHMs-2_b6Lx14l1f7LUf6Bl7NmhYB1Mhpu-0Uh3sd_NdDp" data-hs-link-id="0" target="_blank" rel="noopener">civil entities</a>.</li>
<li><strong>Ursnif</strong> is a Trojan used to steal account credentials from its victims. It binds to various web browsers on the victim's machine, captures passwords in plain text from websites they visit, then exfiltrates this data to a remote server. Victims are infected with <strong>Ursnif</strong> by visiting compromised or malicious websites and through contact with other malware.</li>
<li><strong><a href="https://blog.threatstop.com/locky-back-in-action?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz--9uOHpprUDho-9Ne3WGbi-V-ZrT77jt6wJ90PWgnxlwSzyy1bB8fqnK2SFkqC9BfQcuMKK" data-hs-link-id="0" target="_blank" rel="noopener">Locky</a></strong> encrypts a victim's data using strong RSA-2048 and AES-128 encryption, then demands 2-4 bitcoins for the decryption of that data. This ransomware debuted in early 2016 and is currently being distributed in numerous ways, including spam emails containing Word and Excel documents with malicious macros and JS scripts. <strong>Locky</strong> is also delivered through popular Exploit Kits. <strong>Locky</strong> has a widespread reach, having been used to attack victims in over 100 countries.
More on our blog, <a href="https://blog.threatstop.com/2016/02/24/locky-not-to-be-confused-with-lucky?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-8goP7uACG3vR_FCWL618mRTyBeuozelj2GwpsrTFz0GGE_f-EYVfUbLEg-2eLKn8Bxg9g3" data-hs-link-id="0" target="_blank" rel="noopener">here</a>.</li>
<li><strong>Fareit</strong>, aka <strong>Pony</strong>, is a <a href="https://blog.threatstop.com/2016/11/30/dont-pony-up-your-data-to-fareit?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-_XIIYpigZQsuueNaE2XHBK6BJ63-OUFT-QyX77s8UkiGYuZDuHTJWxThqrisOshArBjNyM" data-hs-link-id="0" target="_blank" rel="noopener">data stealer</a> Trojan capable of collecting sensitive user information, including usernames and passwords in certain browsers, stored email credentials and bitcoin-related details.</li>
<li><strong><a href="https://securelist.com/sambacry-is-coming/78674/?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-_3eka_GeGzRULKhtF00LZyaHWPiElXYMsf-JlHdh1Z2bfgFz_7rTh-2AFyHVa6lTssvRk1" data-hs-link-id="0" target="_blank" rel="noopener">SambaCry</a></strong>, also known as <strong>EternalRed</strong>, is a remote code execution <a href="https://otx.alienvault.com/pulse/593b2b783a5e0c2febc543ce" data-hs-link-id="0" target="_blank" rel="noopener">vulnerability</a> in Samba on *nix-based systems that affects all versions of Samba from 3.5.0 onwards. More on our blog, <a href="https://blog.threatstop.com/sambacry-vulnerability-announced-patches-released?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz--MUcCQcPXUQ1_1dyYd-0CdtoZRU492ZGeB9nYDbt8kQIfb9xOqMkuauHk1j9wNAxdncEqj" data-hs-link-id="0" target="_blank" rel="noopener">here</a>.</li>
</ul>
<p><strong><em>Blog Roundup:</em></strong></p>
<p><a href="https://blog.threatstop.com/notpetya-ransomware-attack-hits-europe-moving-on-to-u.s?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-8lvD08S58STSCcb27r1HRRQCej7TcDweOqMLVOwdRWod2TTBmmpyCMK6lPUufbKidZkdIr" data-hs-link-id="0" target="_blank" rel="noopener">NotPetya Ransomware Attack Hits Europe Moving On To U.S.</a></p>
<p><a href="https://blog.threatstop.com/diamondfox-jumps-over-the-competition?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-8MsuOFOz33c1EtDWr07G87axIIAjFTtTwZRZzuefwPyJJ5U8Rm_QUg7fILAge3f3uDZ2l9" data-hs-link-id="0" target="_blank" rel="noopener">DiamondFox Jumps over the Competition</a></p>
<p><a href="https://blog.threatstop.com/adylkuzz-quietly-mining-cryptocurrency?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz--dEVEVXr2wF-5hO4ReBsfVWYETrB-UpwYEBUsva0AvE0eOauTShfbX8nT3D296mWk565EG" data-hs-link-id="0" target="_blank" rel="noopener">Adylkuzz - Quietly Mining Cryptocurrency</a></p>
<p><a href="https://blog.threatstop.com/wildfire-locker-ransomware-disguised-as-missed-delivery?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-_tmrzweCYlzHKeYtscNdtKcLIUrrmN6NshW-enB-Pqyzu12shIPiFX76NZPibBMWDCOcvK" data-hs-link-id="0" target="_blank" rel="noopener">WildFire Locker – Ransomware Disguised as Missed Delivery</a></p>
<p><strong><em>New/Updated
Targets:</em></strong></p>
<ul>
<li>We have added over 72 new targets for IP and DNS Firewalls for various malware families. Information about these new targets is detailed in our blog post <a href="https://blog.threatstop.com/adding-new-cybercrime-trackers?utm_campaign=Biweekly%20Security%20Update&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-9E_u0k4RbYSzvqYA_VpQfXmkMU2ALZITFtBdw4GXodWEqZRswqvvHOJW77-Ib9HoPHBlyz" data-hs-link-id="0" target="_blank" rel="noopener">here</a>.</li>
<li>Multiple compound targets, including Botnets, Botnets 2, Ransomware and Banking, were updated with data pertaining to the newly added threats listed above.</li>
</ul>
<p>Don't have ThreatSTOP but want to try it out? Check out our no-fuss, quick product demo <a href="http://www.threatstop.com/request-demo" target="_blank" rel="noopener">here</a>.</p></span>