Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with our previous threat round-up, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.
Win.Virus.Virut-5898123-1
Virus
Virut is a polymorphic file infector. It also behaves as a worm, infecting external devices plugged into the computer. It contacts C&C servers and has backdoor functionality.
Indicators of Compromise
Registry keys created
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASAPI32
  Value Name: MaxFileSize
  Value Data: 1048576.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASMANCS
  Value Name: MaxFileSize
  Value Data: 1048576.0
Registry keys modified
HKEY_CURRENT_USER\.DEFAULT\SOFTWARE\MICROSOFT\windows\CURRENTVERSION\INTERNET SETTINGS
  Value Name: ProxyEnable
  Old Value:
  New Value: 0
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TRACING\WINLOGON_RASAPI32
  Value Name: ConsoleTracingMask
  Old Value:
  New Value: 4.29490176E9
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TRACING\WINLOGON_RASMANCS
  Value Name: EnableConsoleTracing
  Old Value:
  New Value: 0
HKEY_CURRENT_USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
  Value Name: SavedLegacySettings
  Old Value:
  New Value: Base64 content (verbose)
HKEY_CURRENT_USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
  Value Name: ProxyServer
  Old Value:
  New Value:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TRACING\WINLOGON_RASAPI32
  Value Name: FileDirectory
  Old Value:
  New Value: %windir%\tracing
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
  Value Name: C:\Windows\system32\winlogon.exe
  Old Value:
  New Value: C:\Windows\system32\winlogon.exe:*:enabled:@shell32.dll,-1
HKEY_CURRENT_USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
  Value Name: ProxyOverride
  Old Value:
  New Value:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TRACING\WINLOGON_RASMANCS
  Value Name: EnableFileTracing
  Old Value:
  New Value: 0
HKEY_CURRENT_USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
  Value Name: AutoConfigURL
  Old Value:
  New Value:
Mutex Created
Shqq
Files Created
%SYSTEMROOT%\system32\drivers\etc\hosts
IP Addresses
148.81.111.121
Domain Names
sys.zief.pl
File Hashes
bc11480f1900f19229113e575f4b46c4036b9b273154ee99e0e39811f4cc1a67
95435becfd04b78d802007b89c05430961e7a73f9b042c2dbd0f3eac1e964323
a81039813c7d6b4ea098e9cbeee6063b240cd2475622b8ebe0a3c3ce906924c5
87e0d38d7cd7863ec43cfcc81a439b9edeb45cd7e9080b045a16bfc648383d39
6ff496d70284e2308caf6024da5faff8322f04cb81b317d747244fe5e24a3b6c
c6c04fe371acec11c87b16a5e299fc72fb2c8f4636f566540df27960c996f01f
f2c8a75a1d7b7e3dca477897741619b19f946258c42364271cf19a7b0233da90
ad7bd34ca44579e10c9aaaa8660d0f14d9861cabdbecd9847908aa2d68a16581
58a11dddfc23f9bf54580f79bfde40c930d0028c25be3d1033d178d6ccd5fa7e
Coverage
Detection Engines
ThreatGrid
Win.Ransomware.Virlock/PolyRansom
Ransomware
VirLock is a polymorphic ransomware that not only encrypts the files available on the system but also infects them by inserting a modified version of its own code at the beginning of each file. More specifically, it replaces each file with an executable disguised as the original file, with the same icon and its "exe" extension hidden. Once executed, it infects the system and shows the contents of the original file. Additionally, it locks the screen and asks the user to pay a ransom. It tries to connect to google.com to check whether it is redirected to a localized Google page such as google.co.uk or google.au. It also tries to spread to network shares or cloud storage platforms, in an attempt to increase the damage and potentially infect other users who may inadvertently open shared infected files.
Indicators of Compromise
Registry keys created
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
  Value Name: [A-Za-z]{8}.exe
  Value Data: C:\Documents and Settings\All Users\[A-Za-z]{8}\[A-Za-z]{8}.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value Name: [A-Za-z]{8}.exe
  Value Data: %SYSTEMDRIVE%\Documents and Settings\%USER%\[A-Za-z]{8}\[A-Za-z]{8}.exe
Registry keys modified
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Value Name: HideFileExt
  Old Value Data: -
  New Value Data: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Value Name: Hidden
  Old Value Data: -
  New Value Data: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Value Name: EnableLUA
  Old Value Data: -
  New Value Data: 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Value Name: Userinit
  Old Value Data: %SYSTEMROOT%\system32\userinit.exe
  New Value Data: %SYSTEMROOT%\system32\userinit.exe%SYSTEMDRIVE%\Documents and Settings\All Users\[A-Za-z]{8}\[A-Za-z]{8}.exe,
Mutex Created
\BaseNamedObjects\[A-Za-z]{8}
\BaseNamedObjects\[A-Za-z]{8}
Files Created
C:\Documents and Settings\All Users\[A-Za-z]{8}\[A-Za-z]{8}.exe
%SYSTEMDRIVE%\Documents and Settings\%USER%\[A-Za-z]{8}\[A-Za-z]{8}.exe
%TEMP%\[A-Za-z]{8}.bat
IP Addresses
N/A
Domain Names
N/A
File Hashes
9a55023dc479233a728dac2fd788b3e8b5a86091fcbcb575bbf3549189fb173f
c2eb5753f3c1d70adb4d8e11c7180944005b1be32093b52dc1072a7c5e95f108
fdc83ee924f41ee0ac707ec41b0712fa881894d24151a1a451410e8cff297af2
30761603de368bc7c94a9ec35ff7e8aeedb8ae13eb366936a3b50885fd9e39df
29174fab1e53c84fd99e0fb3f9e3c4c231dd94ae33db2cacf6dc82fdb9b21c60
1f68643772f3bb8ce75bbc746bc0b9b3f096a094f2141062ec75b1bfd15101fc
834c8e26451949144917b41f35dc870b1f8a07d195492f116fb7d4a1fc4d464e
0ad9fc8f59b3734213d1149b01256bdb54200f4ecfb0923275d2c7030d8c96d5
3373e7d31d28847f80bebf3c07a1e6502950403129f2491f933e6574a8f92a40
3fb92233eedaf5e35a9ef5d28e4c28209b656733e2690ec92449628651b959d6
2e26c2a3f9bf0637b3738adaa615632e7e68130190609dafd0db37e7ab9a37af
1326226d66db6702a8fdd2a4271ad5bc1213575b39a7529dce6e8a71c0a9ac77
Coverage
Detection Engines
AMP
ThreatGrid
Malware screenshot
Win.Worm.Regrun-6012730
Worm
Regrun is a worm family that replicates itself to disk drives and USB keys. It disables access to the registry editor and changes the shell program used when the system is booted into safe mode. Regrun maintains persistence by modifying registry keys, and it hijacks file associations (the shell\open\command handlers for executable file types) so that it is launched whenever files of those types are opened.
Indicators of Compromise
Registry keys created
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  Value Name: MSMSGS
  Value Data: %USERPROFILE%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\SYSTEM MONITORING
  Value Name: System Monitoring
  Value Data: %USERPROFILE%\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\SYSTEM MONITORING
  Value Name: LogonAdministrator
  Value Data: %USERPROFILE%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKEY_CURRENT_USER\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
  Value Name: DisableCMD
  Value Data: 1
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  Value Name: ServiceAdministrator
  Value Data: %USERPROFILE%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  Value Name: xk
  Value Data: %SystemRoot%\xk.exe
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\BATFILE\SHELL\OPEN\COMMAND
  Value Name: (default)
  Value Data: "%SystemRoot%\system32\shell.exe" "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND
  Value Name: (default)
  Value Data: "%SystemRoot%\system32\shell.exe" "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PIFFILE\SHELL\OPEN\COMMAND
  Value Name: (default)
  Value Data: "%SystemRoot%\system32\shell.exe" "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELL\OPEN\COMMAND
  Value Name: (default)
  Value Data: "%SystemRoot%\system32\shell.exe" "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\COMFILE\SHELL\OPEN\COMMAND
  Value Name: (default)
  Value Data: "%SystemRoot%\system32\shell.exe" "%1" %*
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT
  Value Name: (default)
  Value Data: %SYSTEMROOT%\xk.exe
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
  Value Name: DisableRegistryTools
  Value Data: 1
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
  Value Name: DisableRegistryTools
  Value Data: 1
Registry keys modified
None
Mutex Created
None
Files Created
%SystemRoot%\xk.exe
%SystemRoot%\system32\IExplorer.exe
%SystemRoot%\system32\shell.exe
%SystemRoot%\system32\Mig2.scr
%HOMEDRIVE%\XK
usbdrive\Data Administrator.exe
usbdrive\XK
usbdrive\XK\Folder.htt
usbdrive\XK\New Folder.exe
usbdrive\desktop.ini
%USERPROFILE%\Local Settings\Application Data\WINDOWS
%USERPROFILE%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
%USERPROFILE%\Local Settings\Application Data\WINDOWS\LSASS.EXE
%USERPROFILE%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
%USERPROFILE%\Local Settings\Application Data\WINDOWS\SMSS.EXE
%USERPROFILE%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
%USERPROFILE%\Local Settings\Application Data\csrss.exe
%USERPROFILE%\Local Settings\Application Data\lsass.exe
%USERPROFILE%\Local Settings\Application Data\services.exe
%USERPROFILE%\Local Settings\Application Data\smss.exe
%USERPROFILE%\Local Settings\Application Data\winlogon.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.pif
%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook\~Outlook.pst.tmp
IP Addresses
N/A
Domain Names
N/A
File Hashes
2cf6386760d97a1d305bb823134d46750a368a248fc872a6242fb41e693fc4ce
933af1cae4769bd98e2be1802b423f99ee3d7244b22629c2e607e100fef37036
b029eb236c2ed1aad84f8e9f6c235fe9c9a6ce758b53dce4fc42425fb4c7e5f0
3c588fc0fe07a29c98e2e76bd691b65702dfc1e3db2b9bd164defae8a2f0d8a2
c3662ca86e76218624e77cd152c10e03c0239765c02ca9bf444a380104f6ea0a
c05bd9347fed6be886d4e761c847835e25ef4522e9f6d694da4e3644b7877f7f
000718e0ca70ca451494c4a1be1a44d4dd9b48b64c55e362825488fea78f25c4
aea4767879bd12c9605804b4696a2dce1908159182aef78727fee76b5dcd2a21
20faecc0f9c6a625992617339ea1f4b700846c867a43ce91060cdb815fff9e79
bbd9482b09b0eb4377f5f540ef9b4893fcf003b08cab47261916cd31c1b823c6
79dd228fd0f5e09bb6842ba127dae26b85a850d20d472641d2af7af5ada96420
ecaea889b7b4f7a7b4901d947395c16cfcf16a80528ea23ad91769d974cef235
460857e975092b0cca4813833cc2e201a5a6b14e0efad96d393c1e9c13f7a0af
891aac1d82e6a840cad78239fbe51eda6b6aab6fab967654b388491614a4fc1c
5492f7b994994239abd0225afcd62de3666cf109fa0979a4eced0048d4f2592e
f1aefb4699b89cad56f3f50d26d8d8b39fb200dfcc6e48543e6c8f67165dc629
f9210ad388fc4aeb0efe91a4701efa2a23fbdffb968c83fb925f96f8d058028f
30977d2a2697c802bfe142ab6fcc36a47692320006a5d86b064a178ee49a2817
0959547e4a484018a4e8807c8fd92cfb07c3971d328d538a3db745ee6b380ccb
ac869bfe412125fc96a184d3cabbeba746f2b087d2252242be8c454c36b4817e
fcbb7562cfbe902f31e7fabca6502ca070b9bcb725d220a08620c7bada7dc7ea
bcb6d08440e00895f09137783545b57dc53ab2d152d91e1b51ee414b60784bd9
9230467d1d5cfaa832aaaf2f463d5ed7c7bc5eeeacf64d6966656e2cd272a2bc
376a74efe8a5fc81e8f2d8b45bf8b0eeb0ec2bdf5c0782727fa9b553e13c4875
4d0468bb43f4de7459b58c4588573b51a083daec631de97d5dec8a85334c3286
312b17a38b57aa5f39ab2e402631dc7e45008b08d5becab228b98764638373b5
Coverage
Detection Engines
AMP
ThreatGrid
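The Regrun indicators above are the kind of registry change a host audit can look for directly: hijacked shell\open\command handlers, the DisableCMD and DisableRegistryTools policy values, and Run-key entries pointing at look-alike system binaries under a user-writable path. The following is an added example, not Talos code. It reads text in the format produced by `reg export` (a constructed sample is embedded, reproducing the values from the indicator list plus two benign entries) and reports those three patterns. The assumption that the stock handler for exefile, batfile, comfile and piffile is `"%1" %*` is the example's own, as is the choice to skip lnkfile, whose default handler is not a plain open command.

```python
"""Audit a .reg export for the Regrun-style registry changes listed above.

Added example, not Talos code. It parses reg-export text and reports:
hijacked shell\open\command handlers for executable file types, policy
values that disable cmd.exe or the registry editor, and Run-key entries
that impersonate core Windows processes from a non-system32 directory.
"""
import re

# Assumption: the stock handler for these types is '"%1" %*' (lnkfile is
# deliberately not included because its default handler is different).
STOCK_OPEN_COMMAND = '"%1" %*'
EXEC_TYPES = ("exefile", "batfile", "comfile", "piffile")
SYSTEM_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}

# Constructed sample in reg-export syntax: backslashes doubled, quotes escaped.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%SystemRoot%\\system32\\shell.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="%USERPROFILE%\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''


def _unescape(s):
    # Undo reg-export escaping: doubled backslashes and backslash-escaped quotes.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the default value has name ''."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith("hex"):
            continue  # binary / multi-string values are not needed for this audit
        else:
            keys[current][name] = _unescape(data.strip('"'))
    return keys


def audit(keys):
    """Return (category, key_path, detail) tuples for suspicious entries."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\shell\\open\\command") and any(
            "\\classes\\" + t + "\\shell" in k for t in EXEC_TYPES
        ):
            cmd = values.get("", "")
            if cmd != STOCK_OPEN_COMMAND:
                findings.append(("file_association_hijack", key, cmd))
        if k.endswith("\\policies\\microsoft\\windows\\system") and values.get("DisableCMD"):
            findings.append(("cmd_disabled", key, "DisableCMD=1"))
        if k.endswith("\\currentversion\\policies\\system") and values.get("DisableRegistryTools"):
            findings.append(("regedit_disabled", key, "DisableRegistryTools=1"))
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                data = str(data)
                # Basename of the launched image, ignoring quotes and arguments.
                exe = (data.replace('"', "").split("\\")[-1].split() or [""])[0].lower()
                if exe in SYSTEM_PROCESS_NAMES and "\\system32\\" not in data.lower():
                    findings.append(("fake_system_process_autorun", key, name + " -> " + data))
    return findings


if __name__ == "__main__":
    for category, key, detail in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(category, key, detail, sep=" | ")
```

Running it against the sample reports four findings (the exefile hijack, both policy values and the fake WINLOGON.EXE autorun) and leaves the txtfile handler and the OneDrive entry alone; on a live host, feed it the output of `reg export` for the keys in the indicator list.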
Win.Trojan.Vbswap
Trojan
Vbswap is a Visual Basic credential harvester. Once mouse activity is detected, it searches for stored credentials and server information from browsers, FTP clients, and email clients. The collected information is sent to a server embedded in the sample, after which Vbswap deletes itself using a Windows batch file.
Indicators of Compromise
IP Addresses
103.11.190.170
107.191.35.77
131.153.38.169
162.219.28.187
169.255.57.4
185.145.131.104
188.40.248.80
192.3.140.121
207.182.141.194
239.255.255.250
62.108.34.136
62.108.34.162
89.111.177.28
92.53.96.179
Domain Names
aumsooria.ddns.net
bigzee.usa.cc
cb74020.tmweb.ru
central.pk
chuddie.darkbastardz.durban
dms-mos.c14110.shared.hc.ru
fingers-ciao.com
fingers-ciao.net
newgi.usa.cc
newsmart.usa.cc
obis.darkbastardz.durban
perfect-technology.org
silverliningbd.com
stpowered.com.sg
sybanindia.com
www.stpowered.com.sg
www.sybanindia.com
xavica.usa.cc
File Hashes
Coverage
Detection Engines
AMP
ThreatGrid
Umbrella
Win.Adware.MultiPlug-1
Adware
A file downloader that uses a domain generation algorithm (DGA) to locate the servers from which it downloads and installs adware on the compromised computer.
Indicators of Compromise
Registry activity
N/A
Mutex Created
N/A
Files Created
%TEMP%/D.tmp
IP Addresses
N/A
Domain Names
Domains below are part of a Domain Generation Algorithm:
0ydttndat.4wvdi5t7k4.com
1ipahq.d8ntvqxqk.com
1zh7dpalr.ji1dwuuw.com
2vdylhs.o7di8uy4.com
7qacdryb.k60pbj4t.com
7zhyhhzmvutl.ji1dwuuw.com
8phpdwe.o7di8uy4.com
9slaax9.o7di8uy4.com
aehih8lizm.d8ntvqxqk.com
b9t4dp.tf4svxp2.com
bedepexlb.ji1dwuuw.com
bmt0tgxu.1eitpwrz.com
csddh8fntx.ji1dwuuw.com
e5dwdqdso.f5usp00wmh.com
eatttvvli.nd29ok7.com
fhpjp8.ji1dwuuw.com
fjadlx0r.nd29ok7.com
fllfd7th.hhx153fw.com
g3trlj5vyt.o7di8uy4.com
g4hdtcjcmpa.ji1dwuuw.com
glaoab.o7di8uy4.com
gppuan.8dmhrkg8.com
h1lctl.o7di8uy4.com
hdlsa1r1ed.nd29ok7.com
k8hwtr.d8ntvqxqk.com
kjtwl5v4sa61.4wvdi5t7k4.com
krtopiera.0b72kiq.com
lat3t9a3ib4h.o7di8uy4.com
mgaitrt.o7di8uy4.com
mtallp3.d8ntvqxqk.com
nbhrdgrstq.o7di8uy4.com
nwlrdwm5eas.0b72kiq.com
o3l8dagf.d8ntvqxqk.com
owlhdjmngqf3.o7di8uy4.com
pphtam4dz.ji1dwuuw.com
puduhy37k.3xokbqi51.com
qhhmhsbsq4bh.n3doj9s.com
qmavty1ua9ta.shf7xnj59y.com
r0pkaq.o7di8uy4.com
r1tzpr.d8ntvqxqk.com
rypppxdkrktu.o7di8uy4.com
s3d7acgqgq.i9bkgi2347.com
sntmhkdgp.1eitpwrz.com
ubdpa9l0.o7di8uy4.com
vgh4lpwdtkw.ji1dwuuw.com
wsa5di.i9bkgi2347.com
xed4p9r49yhs.o7di8uy4.com
ydtaaszmc.d8ntvqxqk.com
z3a1h0.rg2rwk60f.com
zragtld.d8ntvqxqk.com
zuanh7rgxde.n3doj9s.com
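The indicator lists in this round-up are meant to be matched against DNS, proxy and endpoint telemetry. The following is an added example, not Talos code, of such a sweep: the hashes, IP addresses and domains are copied from the Virut, Vbswap and MultiPlug lists above, while the log lines are constructed. It goes one step beyond the lists as published: because every MultiPlug DGA host is a random label under a small set of parent domains, the sweep matches on the registrable parent, so a sibling subdomain that was never observed still produces a hit. It also leaves out 239.255.255.250 from the Vbswap list, since that is the SSDP multicast address and would match every UPnP-capable host.

```python
"""Sweep log lines for the indicators published in this round-up.

Added example, not Talos code. Indicators are copied from the post; the
log lines are constructed. DGA hosts are matched on their parent domain.
"""
import re

HASHES = {
    "bc11480f1900f19229113e575f4b46c4036b9b273154ee99e0e39811f4cc1a67",  # Virut
    "95435becfd04b78d802007b89c05430961e7a73f9b042c2dbd0f3eac1e964323",  # Virut
}
# 239.255.255.250 is in the Vbswap list but is the SSDP multicast address;
# matching it would flag every UPnP-capable host, so it is deliberately omitted.
IPS = {"148.81.111.121", "103.11.190.170", "107.191.35.77", "62.108.34.136"}
DOMAINS = {"sys.zief.pl", "aumsooria.ddns.net", "fingers-ciao.com", "central.pk"}
DGA_DOMAINS = [
    "0ydttndat.4wvdi5t7k4.com", "1ipahq.d8ntvqxqk.com", "2vdylhs.o7di8uy4.com",
    "8phpdwe.o7di8uy4.com", "bedepexlb.ji1dwuuw.com",
]

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

# Constructed sample lines in a DNS / proxy / EDR style.
SAMPLE_LOGS = [
    "2017-09-01T10:00:01Z dns client=10.0.0.5 query=sys.zief.pl type=A",
    "2017-09-01T10:00:02Z dns client=10.0.0.7 query=zzz9new.o7di8uy4.com type=A",
    "2017-09-01T10:00:03Z proxy client=10.0.0.5 dst=148.81.111.121:80 url=http://148.81.111.121/",
    "2017-09-01T10:00:04Z edr host=WS01 file=C:\\Users\\u\\a.exe "
    "sha256=BC11480F1900F19229113E575F4B46C4036B9B273154EE99E0E39811F4CC1A67",
    "2017-09-01T10:00:05Z dns client=10.0.0.9 query=www.example.com type=A",
    "2017-09-01T10:00:06Z dns client=10.0.0.9 query=ssdp.local dst=239.255.255.250",
]


def dga_parents(domains):
    """Registrable parent (last two labels) of each DGA host."""
    return {".".join(d.lower().split(".")[-2:]) for d in domains}


def match_domain(host, exact, parents):
    """Exact indicator match first, then DGA parent-domain match."""
    host = host.lower().rstrip(".")
    if host in exact:
        return ("domain", host)
    labels = host.split(".")
    parent = ".".join(labels[-2:])
    if len(labels) >= 2 and parent in parents:
        return ("dga_parent", parent)
    return None


def scan(lines, hashes=HASHES, ips=IPS, domains=DOMAINS, dga=DGA_DOMAINS):
    """Return (line_index, kind, indicator) for every line that hits."""
    parents = dga_parents(dga)
    hits = []
    for idx, raw in enumerate(lines):
        line = raw.lower()  # hashes and hostnames are compared case-insensitively
        found = set()       # de-duplicates an indicator repeated within one line
        found.update(("hash", h) for h in HASH_RE.findall(line) if h in hashes)
        found.update(("ip", ip) for ip in IP_RE.findall(line) if ip in ips)
        for host in HOST_RE.findall(line):
            m = match_domain(host, domains, parents)
            if m:
                found.add(m)
        hits.extend((idx, kind, value) for kind, value in sorted(found))
    return hits


if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_LOGS):
        print(f"line {idx}: {kind} {value}")
```

On the sample, lines 0 to 3 hit (exact domain, DGA parent, C&C IP and a Virut hash reported in upper case by the endpoint agent), while the example.com lookup and the SSDP line stay quiet. The parent-domain match is the part to review before deploying it: it is appropriate for throwaway DGA parents like the ones listed here, but must not be applied to the Vbswap domains, several of which sit under shared hosting or dynamic-DNS parents (usa.cc, ddns.net, tmweb.ru) that legitimate hosts also use.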