
Threat Roundup for September 7 to September 14

Category: Windows systems | Reposted 2018


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week ― covering the dates between Sept. 7 and 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

Win.Dropper.Gamarue-6682684-0
Dropper
Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform other illicit activities, such as click fraud.

Doc.Downloader.Powload-6681541-0
Downloader
Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet malware.

Win.Dropper.Hploki-6682476-0
Dropper
HpLoki is spread via malspam and is designed to steal passwords and user credentials for common programs such as Firefox and Outlook.

Win.Dropper.Emotet-6681708-0
Dropper
Emotet is a banking trojan with remote access capability that has remained relevant due to its continual evolution to bypass antivirus products.

Win.Dropper.Kovter-6681669-0
Dropper
Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.

Win.Dropper.Bredolab-6681668-0
Dropper
Bredolab is a trojan with remote access capability that downloads and distributes other malware such as botnets and Remote Access Trojans (RATs).

Win.Dropper.Johnnie-6681665-0
Dropper
Johnnie, also known as Mikey, is a malware family that focuses on persistence, and is known for its plugin architecture.

Win.Dropper.Zbot-6681657-0
Dropper
Zbot, also known as Zeus, is a trojan with remote access capability that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.

Doc.Dropper.Valyria-6680534-0
Dropper
Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet.

Win.Dropper.Darkkomet-6680876-0
Dropper
DarkKomet is a freeware remote access tool that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.

Win.Dropper.Ponystealer-6680912-0
Dropper
Ponystealer is known to steal credentials from more than 100 different applications and may also install other malware such as a Remote Access Trojan (RAT).

Win.Dropper.Tspy-6680869-0
Dropper
The Tspy trojan is used to steal information, such as banking credentials, and installs a remote-access backdoor.

Win.Dropper.Fareit-6680873-0
Dropper
The Fareit trojan is primarily an information stealer that can download and install other malware.

Threats

Win.Dropper.Gamarue-6682684-0

Indicators of Compromise

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\windows\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Update

Mutexes

3749282D282E1E80C56CAE5A

IP Addresses

65[.]154[.]166[.]201
45[.]122[.]138[.]6
213[.]180[.]204[.]38
46[.]249[.]38[.]155
104[.]16[.]19[.]96
104[.]16[.]18[.]96
104[.]28[.]12[.]17
104[.]27[.]133[.]244
104[.]31[.]75[.]107

Domain Names

pafindo[.]me
www[.]greenfleld[.]com
safemann[.]tk
awele[.]duckdns[.]org
genpral[.]top
dogged[.]cf
siyaghasourccing[.]com
www[.]slompbit[.]xyz

Files and or directories created

%AppData%\WindowsUpdate.exe
%AppData%\pid.txt
%AppData%\pidloc.txt
%LocalAppData%\Temp\holdermail.txt
%LocalAppData%\Temp\holderwb.txt
%AppData%\D282E1\1E80C5.lck
\Sys.exe
%LocalAppData%\Temp\bhvDE00.tmp

File Hashes

028fd51a51027132ba29e92e35f1a5c90aad573bcb21c22a919401f53c2e1fe4
2234c2a2e7c67e7056c3ffe96476d785917e24c41d4526be48a5aed71008692f
2528df691ef2db7f155edf988ad14cf4a60bdd78725ef482731f798ee9bbf22b
2e8cf252b1308b94733b3bde811810bf6d4b6ad801cb25ddbe0864cfd2dec75f
2e9a6106bf248abadc1d1cca31ea98f49b4b7c790d321ad728c12710ae3dfa16
34da76e36056a82a77bb5c498fa7444d57ab471205176d1aff438c4c285764ff
388a47dd46aa9d35c2875e687594bd053484d6380f8929d175cb6d4b6b293dcf
3a3a6db3d266830cd471cbb84d1707e915bf3ffbe54b84abff5ee703d91e6485
4160c38ae1dc75fd8ecadef940a522f123f55d2e7930be952438aa79ec97cfd2
4be4c1d3f17092537cbb850c669ec2ef939ca70888b5e8aa334f087833b2e58e
62025cd8f7561c4bb148c158b34a7dfa4c167847e6ad1079cd923e9edc759b4a
667d6a7d6e36821428d87cab4b4b22acf80e69d4393d7353ef200b0aadd40b39
7072e12ef4fedfdc2c015daba59b023b7fe4f9659331939568917178f7354354
92a3a24c0cb30f50b9a3e55ed25b913c2a3ebfcce31ed04f5f1c061d2d2463bb
9d534c670a3ba061e7582766d5aa26590e7e29a59d71e5c7458141371f04217d
bb54543651b5e69454f4ec905a7edcfb0c16d9ab6a145d8afd100056bfbd84c9
c39f50e06a3d18483179c8cb4388b98ae0ba3b78879731c710cf74ed1e423264
c5c98d6f4a5327dceae54918353096b17205320077347106d3fdcdf8394c4dd8
c9504878e0f9a6730f2f218b92c458d3e982a78883b601dfba704b724d539e73
ed3df212bea4cc4c44f7bd39429b15458df0bf7f70caeb4b1b4e1afda0ebbaec

Coverage

Screenshots of Detection

AMP
[screenshot: AMP detection of Win.Dropper.Gamarue-6682684-0]

ThreatGrid
[screenshot: ThreatGrid detection of Win.Dropper.Gamarue-6682684-0]

Umbrella
[screenshot: Umbrella detection of Win.Dropper.Gamarue-6682684-0]
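The indicator lists above are published defanged (`[.]` in place of `.`) and grouped under fixed headings, so they cannot be fed to a log search as-is. The Python below is an added example, not code from the Talos post: it parses an excerpt in that layout, refangs it, and matches the result against constructed log lines. The IoC values in `IOC_TEXT` are a subset copied from the Gamarue entry; the log lines, their field names, the client addresses 10.0.0.x and the hostname www.example.com are made up for the example. Domain matching also flags subdomains of a listed domain, `%AppData%`-style prefixes in file indicators are treated as wildcards, and hashes and hostnames are compared case-insensitively.

```python
import re

# Constructed excerpt in the defanged layout Talos uses in these roundups.
# The values are a subset of the Win.Dropper.Gamarue-6682684-0 entry above.
IOC_TEXT = r"""
IP Addresses
65[.]154[.]166[.]201
45[.]122[.]138[.]6
Domain Names
pafindo[.]me
www[.]greenfleld[.]com
awele[.]duckdns[.]org
Files and or directories created
%AppData%\WindowsUpdate.exe
%LocalAppData%\Temp\holdermail.txt
\Sys.exe
File Hashes
028fd51a51027132ba29e92e35f1a5c90aad573bcb21c22a919401f53c2e1fe4
"""

# Section headings exactly as they appear in the roundup, mapped to an IoC kind.
SECTIONS = {
    "IP Addresses": "ip",
    "Domain Names": "domain",
    "Files and or directories created": "file",
    "File Hashes": "hash",
    "Mutexes": "mutex",
    "Registry Keys": "registry",
}

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Candidate hostnames or IPv4 addresses embedded anywhere in a log line.
HOST_RE = re.compile(
    r"(?<![\w.-])((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(value):
    """Undo the [.] defanging so the indicator compares equal to what logs record."""
    return value.replace("[.]", ".")


def parse_iocs(text):
    """Return {kind: set(indicators)} from a defanged roundup excerpt."""
    iocs = {kind: set() for kind in SECTIONS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
            continue
        if current is None:
            continue  # text before the first heading
        value = refang(line)
        if current in ("domain", "hash"):
            value = value.lower()  # DNS names and hex digests are case-insensitive
        iocs[current].add(value)
    return iocs


def _file_pattern(ioc):
    # %AppData%-style prefixes expand differently per user, so they become a
    # wildcard; the rest is matched literally and case-insensitively (NTFS).
    escaped = re.escape(ioc)
    return re.compile(re.sub(r"%[A-Za-z]+%", ".*", escaped), re.I)


def scan_line(line, iocs):
    """Return [(kind, indicator), ...] for every IoC the line contains."""
    hits = []
    for m in HOST_RE.finditer(line):
        host = m.group(1).lower()
        if host in iocs["ip"]:
            hits.append(("ip", host))
        elif not IPV4_RE.fullmatch(host):
            # A listed domain also covers its subdomains (but not its parents).
            labels = host.split(".")
            for i in range(len(labels) - 1):
                parent = ".".join(labels[i:])
                if parent in iocs["domain"]:
                    hits.append(("domain", parent))
                    break
    for m in SHA256_RE.finditer(line):
        digest = m.group(0).lower()
        if digest in iocs["hash"]:
            hits.append(("hash", digest))
    for ioc in sorted(iocs["file"]):
        if _file_pattern(ioc).search(line):
            hits.append(("file", ioc))
    return hits


def scan(lines, iocs):
    """Return [(line_index, hits)] for the lines that matched at least one IoC."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results.append((i, hits))
    return results


# Constructed DNS, proxy and EDR log lines; field names and client IPs are made up.
SAMPLE_LOGS = [
    "2018-09-10T08:12:03Z dns client=10.0.0.5 qname=awele.duckdns.org type=A",
    "2018-09-10T08:12:04Z proxy client=10.0.0.5 dst=65.154.166.201:443 action=allow",
    r"2018-09-10T08:12:05Z edr event=process_create image=C:\Users\bob\AppData\Roaming\WindowsUpdate.exe "
    "sha256=028FD51A51027132BA29E92E35F1A5C90AAD573BCB21C22A919401F53C2E1FE4",
    "2018-09-10T08:13:00Z dns client=10.0.0.7 qname=www.example.com type=A",
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(index, hits)
```

Running the block reports the DNS line (listed domain), the proxy line (listed C2 address) and the EDR line (both the dropped `%AppData%\WindowsUpdate.exe` path and the sample hash); the benign query to www.example.com produces no hit. The parent-domain rule is deliberately one-directional: `awele[.]duckdns[.]org` should flag `foo.awele.duckdns.org`, but must not flag every other `duckdns.org` host.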
Doc.Downloader.Powload-6681541-0

Indicators of Compromise

Registry Keys

<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445} Value Name: WpadDecisionReason
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445} Value Name: WpadDecision
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\W

Page link: https://www.codesec.net/view/597121.html