Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week ― covering the dates between July 13 and 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, we will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
The most prevalent threats highlighted in this roundup are:
Win.Trojan.Generickdv
Trojan
These DarkComet-related samples install malware that is persistent and provides backdoor access and logging on the infected system.
Doc.Malware.Valyria-6615927-0
Malware
This is a Microsoft Office macro-based file dropper.
Win.Packed.Razy-6615989-0
Packed
Razy is often a generic detection name for a Windows trojan. These samples attempt to spread via USB infection with .lnk shortcut files. They collect sensitive information from the infected host, format and encrypt the data, and send it to a command and control (C2) server. The collected information includes screenshots. The sample installs itself for automatic execution using the path pattern %AppData%\<company name>\<company name>.exe.
Win.Trojan.Darkkomet-6615953-0
Trojan
Darkkomet, or DarkComet, is a freeware remote access trojan that was released by an independent software developer. It provides the functionality you would expect from a remote access tool, such as keylogging, webcam access, microphone access, remote desktop, URL download and program execution, among others.
https://blog.talosintelligence.com/2015/07/ding-your-rat-has-been-delivered.html
https://blog.talosintelligence.com/2014/11/reversing-multilayer-net-malware.html
Win.Malware.Gamarue-6615948-0
Malware
These files collect credentials from Windows and from browsers. They connect to C2 infrastructure known to be associated with LokiBot.
Threats
Win.Trojan.Generickdv
Indicators of Compromise
Registry Keys
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
<HKCU>\SOFTWARE\vítima
Mutexes
_x_X_BLOCKMOUSE_X_x_
_x_X_PASSWORDLIST_X_x_
kingofthedead_PERSIST
IP Addresses
N/A
Domain Names
N/A
Files and or directories created
%LocalAppData%\Temp\XX--XX--XX.txt
%LocalAppData%\Temp\XxX.xXx
%AppData%\logs.dat
%SystemDrive%\dir\instal\win32\svchost.exe
File Hashes
8c87d29fc3fae2fa8f5056a2c02686c901cd79cc4529bf5a29ae08042aaab746
c2fba20c7753baf7616eddbf784f4f4ff67891b0e578c0209e264a4a477cb6cf
c857b44b7591ede89b6bf8899aacf155f15cf92c95af494a0f8d3df202124f73
ddab332853644fd0d13c87f93c1a05caa1de7396c7da03650b2de1a812b6f156
e85321b89e3f28bfca8049e0a25f819c8e9897db956056df3b8e65f825d898db
Coverage
Screenshots of Detection
AMP
ThreatGrid
Doc.Malware.Valyria-6615927-0
Indicators of Compromise
Registry Keys
N/A
Mutexes
N/A
IP Addresses
N/A
Domain Names
N/A
Files and or directories created
%LocalAppData%\Temp\320.exe
%LocalAppData%\Temp\es1uuzqu.xfn.ps1
File Hashes
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Packed.Razy-6615989-0
Indicators of Compromise
Registry Keys
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Pactiv Corp
Mutexes
N/A
IP Addresses
216.146.43.71
148.163.124.20
Domain Names
checkip.dyndns.org
www.papgon10.ru
Files and or directories created
%AppData%\Pactiv Corp\Pactiv Corp.exe
%AppData%\ScreenShot\screen.jpeg
\??\E:\$RECYCLE .lnk
\??\E:\scr.exe
\$RECYCLE .lnk
\scr.exe
File Hashes
03517ae084fa51e60f9f71ed80993adf8ff104eb44225377b8cd6e7fc3a9d663
0b83306197f922b8a89054be66ecce742b166457c9b22118ec0adf256e1ee6a1
0c2aae41b
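As an added example that is not part of the Talos post, a small Python triage helper that applies the persistence patterns from the Generickdv and Razy indicators above to a "reg query ...\Run" style export: Razy's self-named %AppData%\<company name>\<company name>.exe path, a svchost.exe dropped outside the Windows system directories, and the internat.exe Run value name both families use. The export text, the user name alice and the OneDrive/SecurityHealth entries are constructed for the example; only the Pactiv Corp and svchost paths come from the IoC lists.

```python
import re
from pathlib import PureWindowsPath

# Constructed "reg query HKCU\...\Run" style output; the rows are made up for this example
# and only echo the persistence paths the roundup lists for Razy and Generickdv.
SAMPLE_RUN_VALUES = r"""
    OneDrive         REG_SZ         "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Pactiv Corp      REG_SZ         C:\Users\alice\AppData\Roaming\Pactiv Corp\Pactiv Corp.exe
    internat.exe     REG_SZ         C:\dir\instal\win32\svchost.exe
    SecurityHealth   REG_EXPAND_SZ  %windir%\system32\SecurityHealthSystray.exe
"""

LINE_RE = re.compile(r"^\s*(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s+(?P<data>.+?)\s*$")
EXE_RE = re.compile(r'"([^"]+)"|(\S.*?\.exe)', re.IGNORECASE)

def parse_run_values(text):
    """Parse the export into (value name, value data) pairs, skipping non-value lines."""
    return [(m["name"], m["data"]) for m in map(LINE_RE.match, text.splitlines()) if m]

def executable_path(data):
    """Return the program path from a Run value, dropping quotes and trailing arguments."""
    m = EXE_RE.match(data.strip())
    return (m.group(1) or m.group(2)) if m else data.strip()

def suspicious_reasons(name, data):
    """List the roundup's persistence patterns that this Run entry matches."""
    path = PureWindowsPath(executable_path(data))
    parts = [p.lower() for p in path.parts]
    stem = path.stem.lower()
    reasons = []
    # Razy: %AppData%\<company name>\<company name>.exe, with the variable expanded or not.
    if parts[-4:-1] == ["appdata", "roaming", stem] or parts[-3:-1] == ["%appdata%", stem]:
        reasons.append("self-named binary under %AppData%")
    # Generickdv: a file called svchost.exe created outside the Windows system directories.
    if path.name.lower() == "svchost.exe" and not {"system32", "syswow64"} & set(parts):
        reasons.append("svchost.exe outside System32/SysWOW64")
    # Both families register their Run value under the name internat.exe.
    if name.strip().lower() == "internat.exe":
        reasons.append("Run value named internat.exe")
    return reasons

def scan(text):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    flagged = ((name, suspicious_reasons(name, data)) for name, data in parse_run_values(text))
    return {name: reasons for name, reasons in flagged if reasons}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {', '.join(reasons)}")
```

The %AppData% check requires the self-named folder to sit directly under Roaming, so legitimate updaters such as OneDrive under AppData\Local\Microsoft\OneDrive are not flagged.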