<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="https://info.threatstop.com/hubfs/Sec%20Logo%20with%20tm%20(2).png" alt="Sec Logo with tm (2).png"><br><em>Malicious Content Identified and Inserted:</em></p> <ul> <li>IPs – <strong>1337</strong></li> <li>Domains – <strong>1229</strong></li> </ul> <p><em>Target List Content Updated:</em></p> <ul> <li>TS Originated – Core Threats</li> <li>TS Originated – Ransomware</li> <li>TS Originated – Phishing</li> <li>TS Originated – Inbound attacks</li> <li>TS Originated – Banking Threats</li> </ul> <p><em>Indicators of compromise have been updated for the following:</em></p> <p><em>(For a deeper dive into the research behind a threat or campaign, click on the links in each description.)</em></p> <ul> <li><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-ransomware-evolves-now-steals-bitcoin-wallets/"><strong>Cerber</strong></a> ransomware debuted in late February 2016 and remains one of the most prevalent ransomware families. It is typically distributed via emails carrying macro-enabled Word documents, Windows Script Files (.wsf) or Rich Text documents. Cerber uses strong encryption that has not been broken, so encrypted files cannot be recovered without the attackers' key, and it combines a number of features that make it unique in today's ransomware landscape. One recent variant has been observed quietly sending large volumes of network traffic from infected machines, which potentially gives it DDoS capability. 
Read more in our <a href="https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities">blog</a>.</li> <li><strong><a href="http://malware-traffic-analysis.net/2017/08/01/index.html">Ursnif</a></strong> is a Trojan that steals account credentials from its victims. It hooks into web browsers on the victim's machine, captures passwords in plain text from websites the victim visits, and exfiltrates the data to a remote server. Victims can become infected with <strong>Ursnif</strong> by visiting compromised or malicious websites, or through other malware already present on the machine.</li> <li>The Trojan <strong>Kovter</strong> surfaced in 2014 as a screen locker and scareware sample masquerading as a law enforcement tool. Since then it has been used in click-fraud and malvertising campaigns, as file-encrypting ransomware, and as a malware installer.</li> <li><strong>MoleRats</strong>, also known as the <strong><a href="http://www.freebuf.com/vuls/142970.html">Gaza</a> Cybergang</strong>, is a threat group based in the Middle East with a wide variety of targets, including governments, defense contractors, journalists and software developers. Most of its targets are in the Middle East, but it has also targeted institutions in the United States and several European countries. The group usually sends executable files disguised as documents containing relevant geopolitical news. 
To avoid suspicion, a decoy document is dropped after the executable runs.</li> <li><a href="https://myonlinesecurity.co.uk/scanned-image-from-mx-2600n-with-password-protected-word-docs-deliver-malware/">Phishing</a> with the subject "Scanned image from MX-2600N".</li> <li>Phishing emails posing as an IT <a href="https://urlquery.net/queue/3843546e-5ca6-4cd5-94f1-85b122963874">security</a> document from the "National Cyberwatch Center Alliance".</li> <li><a href="https://urlquery.net/report/138b4421-6c36-4fa8-9a1a-b2c4e3230ded">Phishing</a> campaign with this file <a href="https://www.virustotal.com/en/file/81530bad609ec315dacd8faec3c156c2efcf1eeccc3048268a1b90146d64bf8b/analysis/">attached</a>: "email282600scan 000229 invoice.pdf".</li> <li>Over the last decade the <a href="https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/">Infy</a> malware family has been active while attracting little attention. It was discovered in 2015 through attacks on an Israeli industrial target and a U.S. government target, which led to the unveiling of an entire campaign and infrastructure comprising over 40 malware variants.</li> <li>The infection vector used by the <strong>Infy</strong> malware family is spear-phishing email with Word or PowerPoint attachments. Inside these legitimate-looking Office documents are self-extracting executable (SFX) archives. The threat actors use social engineering to lure victims into running the SFX, which contains a malicious EXE that loads the payload DLL. The malware waits until the next reboot, then checks for installed antivirus products and connects to its C2 servers. Its main functionality is data exfiltration: it collects environment data, keystrokes, passwords and cookies and sends them back to the C2 servers. The name "<strong>Infy</strong>" comes from a pattern researchers noticed in various strings, including filenames ("infy74f1.exe"), C2 strings ("subject=INFY M 7.8") and C2 folder names.</li> <li>The <strong>CVE-2017-0199</strong> exploit, targeting the Object Linking and Embedding (OLE) interface of Microsoft Office, has been used in a novel way. Trend Micro <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-malware-abuses-powerpoint-slide-show/">researchers</a> discovered the exploit embedded in PPSX (Microsoft Open XML PowerPoint Show) files, leading to the download of the <strong>REMCOS</strong> remote access trojan.</li> <li><strong>Hancitor</strong> (also known as <strong>Tordal</strong> and <strong>Chanitor</strong>) is a malware downloader known for spreading the <strong>Pony</strong> and <strong>Vawtrak</strong> Trojans, among others. After disappearing in 2015, it has recently re-appeared, together with <strong>Ruckguv</strong>, in <a href="https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear">campaigns</a> distributing <strong>Pony</strong> and <strong>Vawtrak</strong>; this update contains the related IOCs.</li> <li>In February 2016, Proofpoint researchers observed threat actors spreading the <strong>Vawtrak</strong> banking Trojan in Japan (and other countries) that had not normally seen high volumes of this malware family and had not previously been targeted in the way the UK, the United States and others were. These campaigns appear to be continuations of the trends first observed in October 2015. 
The <strong>Vawtrak</strong> Trojan is spreading through the <strong>Angler Exploit Kit</strong>.</li> <li><strong>Fareit</strong>, aka <strong>Pony</strong>, is a data-stealing Trojan capable of collecting sensitive user information, including usernames and passwords stored in certain browsers, stored email credentials, bitcoin-related details and more. More on the blog, <a href="https://blog.threatstop.com/2016/11/30/dont-pony-up-your-data-to-fareit">here</a>.</li> <li><a href="https://myonlinesecurity.co.uk/another-spoofed-hmrc-company-excel-documents-delivers-trickbot/#U1">TrickBot</a> is the successor of <strong>Dyre</strong>. This <a href="https://myonlinesecurity.co.uk/spoofed-santander-you-have-a-new-secure-message-waiting-malspam-delivers-trickbot-banking-trojan/">malware</a> is distributed through spam <a href="https://pastebin.com/MGAVB1uz">emails</a> and the loader <strong>TrickLoader</strong>, which is associated with several other threats, including <strong>Pushdo</strong>, <strong>Cutwail</strong> and <strong>Vawtrak</strong>. The primary goal of this malware is <a href="https://myonlinesecurity.co.uk/spoofed-natwest-secure-message-delivers-trickbot/">credential theft</a>.</li> <li><a href="http://www.clearskysec.com/copykitten-jpost/">CopyKitten</a> is an Iranian threat actor. In this campaign the attackers inserted a single line of JavaScript into compromised domains of well-known public and governmental organizations, particularly in Israel. The injected script loaded the Browser Exploitation Framework (BeEF), a penetration-testing tool for attacking web browsers, against visitors of the compromised sites.</li> <li><strong>Serpent</strong> is a <a href="https://twitter.com/GrujaRS/status/890329175126667264">ransomware</a> primarily targeting Danish speakers. 
It spreads via emails with a link to a macro-enabled Word document purporting to be an overdue invoice. After encrypting files with AES-256, the ransomware demands 0.75 bitcoin, rising to 2.25 bitcoin once a week has passed.</li> <li>The <a href="https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/"><strong>OilRig</strong></a> campaign, named by Palo Alto Networks for its use of the Persian word "Nafti" (oily) in malware samples, is a targeted attack against organizations in the Middle East and the United States. The group, thought to be based in Iran, targeted Israeli organizations in April 2017 and completed two attack waves against Saudi Arabian organizations in late 2015. Targets of this campaign include financial institutions, governments, technology organizations and defense industries. The malware used in the OilRig campaign is the Helminth backdoor Trojan. Read more on our blog, <a href="https://blog.threatstop.com/oilrig-another-attack-wave-hits">here</a>.</li> <li><strong>GlobeImposter</strong> is a <a href="https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant">ransomware</a> trading on the name of the more widely known <strong>Globe</strong> <strong>ransomware</strong>. 
It uses AES-256 encryption and appends any of several different extensions to encrypted files. It is currently being distributed by the "Blank Slate" malspam campaign, whose emails have no subject or body text but carry a zip file containing JavaScript that downloads the ransomware.</li> <li><strong>Magnitude Exploit Kit</strong> is an attack toolkit that infects victims through compromised websites and uses a variety of <a href="http://www.malware-traffic-analysis.net/2017/08/04/index.html">exploits</a> to download malware onto the computer. The U.S. is the country with the most Magnitude EK victims. More on the blog, <a href="https://blog.threatstop.com/magnitude-ek-whats-shakin">here</a>.</li> <li><strong>PadCrypt</strong> is a ransomware notable for its support feature, which lets victims chat with the ransomware's developers in real time. It encrypts files with AES-256 and is usually distributed through spam emails.</li> <li><strong>Nemucod</strong> is a JavaScript downloader Trojan that targets users through malspam campaigns, downloading and executing additional malware without the user's consent. <strong>Nemucod</strong> usually arrives through malicious <a href="https://blog.eset.ie/2017/08/02/fake-vodafone-bill-spreads-trojan-malware/">spam</a> emails carrying .zip attachments. 
Recently there has been a rise in cases of <strong>Nemucod</strong> distributing <a href="https://myonlinesecurity.co.uk/spoofed-vodafone-online-bill-manager-your-phone-bill-is-ready-to-view-delivers-banking-trojan/">ransomware</a>.</li> <li><strong>SafeFinder</strong>/<strong>OperatorMac</strong>/<strong>Mughthesec</strong> is adware targeting macOS that installs Adobe Flash along with several PUAs (potentially unwanted applications), including Booking, Advanced Mac Cleaner, the <strong>SafeFinder</strong> Safari extension and AdBlock.</li> <li>The <a href="https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/">Lazarus</a> Group is thought to have ties to the North Korean government and is known for its involvement in the 2014 Sony Pictures hack and Operation <strong>DarkSeoul</strong>. The group is also suspected of being behind the massive <strong>WannaCry</strong> outbreak in May 2017.</li> <li><strong>Adwind</strong> (also known as <strong>AlienSpy</strong>, <strong>Frutas</strong>, <strong>jFrutas</strong>, <strong>Unrecom</strong>, <strong>Sockrat</strong>, <strong>JSocket</strong> and <strong>jRat</strong>) is a relatively new cross-platform RAT (remote access trojan), discovered in late 2015 in a targeted attack on a bank in Singapore. The <a href="https://myonlinesecurity.co.uk/fake-beneficiarys-details-delivers-java-adwind/">malware</a> is written entirely in Java, allowing it to run on Windows, macOS and Linux, and it includes capabilities such as remote desktop control, data gathering, data exfiltration and lateral movement. <strong>Adwind</strong> is available for purchase and has been used in massive spam campaigns as well as targeted attacks. 
More on the blog, <a href="https://blog.threatstop.com/2016/02/18/threatstop-blocks-adwind-new-cross-platform-rat">here</a>.</li> <li><strong>Steam Stealers</strong> is the blanket name for malware specifically targeting users of the popular gaming platform <a href="https://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html">Steam</a>. This simple <a href="https://securelist.com/all-your-creds-are-belong-to-us/74137/">malware</a> usually spreads through fake websites mirroring legitimate gaming sites and through links sent over Steam's messaging system. It typically tries to steal Steam login credentials, though some samples have also tried to steal in-game items. More on the blog, <a href="https://blog.threatstop.com/steam-stealers-game-the-system">here</a>.</li> <li><strong>CryptoPHP</strong> is a backdoor that infected web servers through pirated themes and plug-ins for content management systems such as Joomla, WordPress and Drupal. It was used primarily for black-hat search engine optimization, injecting keywords into compromised sites to raise their search engine rankings.</li> <li><strong>Xshell</strong> is a remote terminal client; researchers recently discovered that a build of it had been backdoored, which could lead to the disclosure of sensitive information from the systems running it.</li> <li><strong>Ponmocup</strong> (aka <strong>Trojan.Milicenso</strong>) is a stealthy botnet that redirects infected machines to adware sites, ultimately to take part in click fraud.</li> <li>This update contains IOCs related to an email campaign against Russian-speaking businesses. 
The emails carry a malicious Word document that leads to the exploitation of a <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/">vulnerability</a> in Microsoft Office and the abuse of native Windows components to install a backdoor.</li> <li><strong>MoneyTaker</strong>, aka <strong>Fin7</strong>, is a Russian-speaking cyber-crime <a href="https://www.icebrg.io/blog/footprints-of-fin7-iocs">group</a> responsible for targeted attacks on financial institutions across the globe. The actors are thought to have close ties to the <strong>Carbanak</strong> group, which also targets financial institutions. The group's main objective is to gain access to critical systems such as SWIFT payment systems, ATM systems, card-processing systems, banking software, POS software and sensitive organizational documents in order to carry out fraud.</li> <li><strong>Rekoobe</strong> is a backdoor targeting Linux and Unix platforms. Attackers can use it to execute arbitrary shell commands on infected systems and to download and upload files on instruction from its command and control server.</li> <li><strong>Browlock</strong> is an old <a href="https://twitter.com/malekal_morte/status/891218426680811521">screenlocker</a> that pretends the victim's local law enforcement agency is demanding payment for "illegal" activity.</li> <li>This campaign targets companies in the hospitality industry, primarily in Europe. It was discovered by FireEye and attributed to the Russian group <a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html">APT 28</a>, also known as <strong>Fancy Bear</strong> and <strong>Sofacy</strong>. The campaign's vector is a malicious document sent in spear-phishing emails. 
If the lure succeeds, the group's malware (also known by the aliases <strong>Sedreco</strong>, <strong>AZZY</strong>, <strong>Xagent</strong>, <strong>ADVSTORESHELL</strong> and <strong>NETUI</strong>) is installed. This malware has Windows, Linux and macOS variants with similar modules, including FileSystem, KeyLogger and RemoteShell.</li> </ul> <p><strong><em>Blog Roundup:</em></strong></p> <p><a href="https://blog.threatstop.com/zerot-dropping-plugx-rat-another-day-another-apt">ZeroT Dropping PlugX RAT: Another Day, Another APT</a></p> <p><a href="https://blog.threatstop.com/emotet-malware">Remember Emotet Malware? It's Back.</a></p> <p><a href="https://blog.threatstop.com/threatstop-releasing-new-software-update">ThreatSTOP Software Update &amp; New Target Names</a></p> <p><a href="https://blog.threatstop.com/hancitorchanitor-youve-got-malspam">Hancitor/Chanitor Downloader - You've Got Malspam</a></p> <p><a href="https://blog.threatstop.com/petya/goldeneye-ransomware-author-releases-his-private-key">Author Releases Private Key Unlocking Petya/GoldenEye Ransomware</a></p> <p><a href="https://blog.threatstop.com/qakbot-is-back">Qakbot Is Back &amp; Targeting Banking Credentials</a></p> <p><a href="https://blog.threatstop.com/crbr-encryptor-a-ransomware-by-any-other-name-would-encrypt-as-well">CRBR Encryptor: A Ransomware By Any Other Name Would Encrypt as Well</a></p> <p><a href="https://blog.threatstop.com/abuse.ch-targets-blocking-three-additional-ransomwares">Abuse.ch Targets, Blocking Three Additional Ransomwares</a></p> <p><strong><em>New/Updated Targets:</em></strong></p> <ul> <li>All targets have been renamed, with details on our <a href="https://blog.threatstop.com/threatstop-releasing-new-software-update">blog</a>.</li> <li>Three new Ransomware Targets from abuse.ch and updates to the TS Curated Ransomware Targets. 
More details on the <a href="https://blog.threatstop.com/abuse.ch-targets-blocking-three-additional-ransomwares">blog</a>.</li> </ul> <p>If you don't have a ThreatSTOP account, sign up for a free trial.<br><br>If you do have a ThreatSTOP account, instructions for adding targets to DNS or IP defense policies are available on the ThreatSTOP Documentation Hub, or contact our team.</p></span>
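<p>Several of the campaigns above share the same delivery mechanics: a zip attachment wrapping a JavaScript or script-file dropper (Cerber, GlobeImposter's "Blank Slate" run, Nemucod), macro-enabled Office documents (Cerber, Serpent), invoice-style names, and an Office package that links an external OLE object (the CVE-2017-0199 PPSX lure). The following is an added example, not ThreatSTOP's tooling or code from any of the vendors linked above, of a small mail-gateway triage routine that checks for those traits in stdlib Python. The extension lists, the heuristics and the two sample messages are constructed for illustration, and the OOXML check rests on an assumption about the lure's structure (an <code>oleObject</code> relationship with <code>TargetMode="External"</code> in a <code>.rels</code> part); it is not a complete exploit detector.</p>

```python
# Added example, not ThreatSTOP's tooling: mail-gateway triage for the malspam
# patterns in the list above (zip-wrapped script droppers, macro-enabled
# documents, double extensions, blank subject/body, and Office packages that
# link an external OLE object as in the CVE-2017-0199 PPSX lure).
# Assumptions: heuristics, extension lists and sample messages are constructed
# for illustration; the OOXML check only looks for an oleObject relationship
# with TargetMode="External" and is not a full exploit detector.
import email
import io
import os
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml in production: hostile XML
from email import policy
from email.message import EmailMessage

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".jar"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".pptm"}
OOXML_EXTS = {".docx", ".docm", ".pptx", ".ppsx", ".pptm", ".xlsx", ".xlsm"}


def external_ole_targets(package: bytes) -> list:
    """Targets of oleObject relationships marked External inside an OOXML zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report suspicious attachment traits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        stem, ext = os.path.splitext(fname)
        # "invoice.pdf.js": a script hiding behind a document-looking name
        if ext in SCRIPT_EXTS | {".exe", ".scr"} and os.path.splitext(stem)[1]:
            findings.append("double extension: %s" % fname)
        if ext in MACRO_EXTS:
            findings.append("macro-enabled document: %s" % fname)
        if ext == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member.lower())[1] in SCRIPT_EXTS:
                        findings.append("script inside zip: %s -> %s" % (fname, member))
        if ext in OOXML_EXTS and zipfile.is_zipfile(io.BytesIO(data)):
            for target in external_ole_targets(data):
                findings.append("external OLE link in %s: %s" % (fname, target))
    if findings and not subject and not body_text:
        findings.append("blank subject and body (Blank Slate pattern)")
    return {"subject": subject, "findings": findings}


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mail(subject: str, body: str, filename: str, attachment: bytes) -> bytes:
    msg = EmailMessage()
    msg["From"] = "billing@example.com"  # constructed addresses
    msg["To"] = "victim@example.net"
    if subject:
        msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def blank_slate_sample() -> bytes:
    """Constructed: no subject, no body, a zip holding an inert .js file."""
    return _mail("", "", "28012.zip", _zip_bytes({"28012.js": "// placeholder"}))


def ppsx_sample() -> bytes:
    """Constructed PPSX skeleton whose slide relationship links an external OLE object."""
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId2" Type="%s" '
            'Target="http://example.invalid/logo.doc" TargetMode="External"/>'
            '</Relationships>') % (RELS_NS, OLE_REL_TYPE)
    pkg = _zip_bytes({"ppt/slides/_rels/slide1.xml.rels": rels})
    return _mail("Purchase order", "See attached.", "order.ppsx", pkg)


if __name__ == "__main__":
    for sample in (blank_slate_sample(), ppsx_sample()):
        print(triage_message(sample))
```

<p>Run against the two constructed messages, the first is flagged for the script inside its zip and for the empty subject and body, the second for the external OLE link in its PPSX. Findings are returned rather than acted on so the routine can feed a quarantine or SIEM rule; in a real deployment the attachment bytes come from the gateway's parsed message, the extension lists are tuned to local policy, and password-protected zips (which <code>zipfile</code> cannot list without the password) should be treated as a finding in their own right.</p>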