Threat Roundup for October 27 to November 3
Friday, November 3, 2023 17:11
Author: blog.talosintelligence.com (view original)
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 27 and Nov. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name (Type): Description

Win.Dropper.Tofsee-10012832-0 (Dropper): Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send a large volume of spam messages to infect additional systems and increase the size of the botnet under the operator's control.

Win.Trojan.Miner-10012902-0 (Trojan): This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog: https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html.

Win.Dropper.Glupteba-10012922-0 (Dropper): Glupteba is a multi-purpose trojan that is known to use the infected machine to mine cryptocurrency and to steal sensitive information like usernames and passwords. It spreads over the network using exploits like EternalBlue and leverages a rootkit component to remain hidden. Glupteba has also been observed using the Bitcoin blockchain to store configuration information.

Win.Packed.Razy-10012926-0 (Packed): Razy is frequently a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected may include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.

Win.Dropper.Zeus-10012956-0 (Dropper): Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.

Xls.Malware.Valyria-10012971-0 (Malware): Valyria is a malicious Microsoft Word document family that distributes other malware, such as Emotet.
Threat Breakdown
Win.Dropper.Tofsee-10012832-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys (Occurrences)
\.DEFAULT\CONTROL PANEL\BUSES (4)
\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2 (4)
\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1 (4)
\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0 (4)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA (2)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA Value Name: Type (2)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA Value Name: Start (2)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA Value Name: ErrorControl (2)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA Value Name: DisplayName (2)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA Value Name: WOW64 (2)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA Value Name: ObjectName (2)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA Value Name: ImagePath (2)
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI Value Name: ErrorControl (1)
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI Value Name: DisplayName (1)
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI Value Name: WOW64 (1)
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI Value Name: ObjectName (1)
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI Value Name: Description (1)
\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\scezvnmi (1)
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA Value Name: Description (1)
\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\kuwrnfea (1)
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH (1)
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH Value Name: Type (1)
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH Value Name: Start (1)
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH Value Name: ErrorControl (1)
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH Value Name: DisplayName (1)

Mutexes (Occurrences)
Global\ (14)
IP Addresses contacted by malware. Does not indicate maliciousness
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness