Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
New Ransomware Variant “BadRabbit” Targets Systems in Ukraine and Russia
### Event: [BRKSEC-2010] Talos Insights: The State of Cyber Security @ Cisco Live Cancun 2017
#### Date: 2017-11-08
#### Speaker: Craig Williams, Global Outreach Manager
Synopsis: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
#### Reference: https://www.ciscolive.com/latam/learn/sessions/session-catalog/?search=BRKSEC-2010
### Event: Let’s Play With WinDBG & .NET @ BlackAlps17 (Y-Parc, Yverdon-Les-Bains, Switzerland)
#### Date: 2017-11-15 - 2017-11-16
#### Speaker: Paul Rascagneres, Research Engineer
Synopsis: .NET is an increasingly important component of the Microsoft ecosystem, providing a shared framework. Many Microsoft tools, such as PowerShell, rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform. During the presentation, I will explain how to automate .NET analysis with WinDBG, the Microsoft debugger. To illustrate my talk, I will show how to analyse PowerShell scripts with WinDBG and how to automatically unpack a .NET packer family discovered recently. The presentation includes several live demos of WinDBG usage in this specific context.
#### Reference: https://www.blackalps.ch/2017talks.php
### Event: Malware, Penny Stocks and Pharma Spam – Necurs Delivers @ BotConf 2017 (Montpellier, France)
#### Date: 2017-12-06
#### Speaker: Warren Mercer, Technical Leader
Synopsis: Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. This talk will take a deep dive into the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
#### Reference: https://www.botconf.eu/2017/malware-penny-stocks-and-pharma-spam-necurs-delivers/
### Title: New Ransomware Variant “BadRabbit” Targets Systems in Ukraine and Russia
Description: A new ransomware variant has emerged primarily targeting audiences in Ukraine and Russia. This latest variant, dubbed “BadRabbit”, appears to be initially delivered via a drive-by download attack designed to appear as a “Flash Player” update. Once systems are compromised, the malware appears to move laterally and propagate using a combination of an included list of weak credentials and a version of mimikatz, similar to what was used in NotPetya/Petrwrap/Nyetya. As this threat is still under investigation, details will be forthcoming.
#### Reference:
- https://securelist.com/bad-rabbit-ransomware/82851/
- https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
- http://blog.talosintelligence.com/2017/10/bad-rabbit.html
#### Snort SID: Detection pending
### Title: Researchers Disclose Vulnerability in ANSI X9.31 RNG, Could Allow Attackers to Decrypt Traffic
Description: Researchers have disclosed a vulnerability in the ANSI X9.31 Random Number Generator (RNG) that could allow an attacker to passively decrypt traffic that is encrypted using keys generated by X9.31 RNG. This vulnerability manifests if ANSI X9.31 RNG is used in conjunction with a hard-coded seed key, “output from the RNG is directly used to generate cryptographic keys”, and some of the random numbers used to make the keys are transmitted unencrypted. Fortinet devices running FortiOS 4.3.0 to FortiOS 4.3.18 are known to be susceptible to this attack. Fortinet has released a software update to address the issue.
#### Reference: https://duhkattack.com/
#### Snort SID: N/A
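The three conditions in the description above (a hard-coded seed key K, RNG output used directly as key material, and some outputs sent in the clear) are easiest to see on the generator itself. The Go program below is an added example written for this newsletter, not code from Talos, Fortinet or duhkattack.com: it implements the textbook X9.31 construction over a 16-byte block cipher (AES-128, a constructed key, seed and date/time vectors are all assumptions; the page does not state which cipher the affected devices use) and shows, as a defender's check, that once K is known a single output block observed in the clear fixes the next internal state and therefore every later output, without the seed ever being learned. The check is general to any 16-byte block cipher, not just the affected products.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// X931 is a textbook ANSI X9.31 generator (constructed example) over a 16-byte
// block cipher E_K: I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I).
// Its unpredictability rests entirely on the key K and the state V staying secret.
type X931 struct {
	blk cipher.Block // E_K
	v   []byte       // 16-byte internal state V
}

func NewX931(blk cipher.Block, seed []byte) *X931 {
	return &X931{blk: blk, v: append([]byte(nil), seed...)}
}

// encXor returns E_K(a xor b) for one 16-byte block.
func encXor(blk cipher.Block, a, b []byte) []byte {
	in, out := make([]byte, 16), make([]byte, 16)
	for k := range in {
		in[k] = a[k] ^ b[k]
	}
	blk.Encrypt(out, in)
	return out
}

// Next returns the output block R for the 16-byte date/time vector dt and advances V.
func (g *X931) Next(dt []byte) []byte {
	i := encXor(g.blk, dt, make([]byte, 16)) // I = E_K(DT)
	r := encXor(g.blk, i, g.v)               // R = E_K(I xor V)
	g.v = encXor(g.blk, r, i)                // V = E_K(R xor I)
	return r
}

// RecoverNextOutput is the defender's check for the advisory's condition: with K
// known (hard-coded) and one R seen in the clear, the next V and next R follow.
func RecoverNextOutput(blk cipher.Block, observedR, dt1, dt2 []byte) []byte {
	zero := make([]byte, 16)
	v := encXor(blk, observedR, encXor(blk, dt1, zero)) // V after the observed R
	return encXor(blk, encXor(blk, dt2, zero), v)       // predicted next R
}

func main() {
	k, _ := aes.NewCipher([]byte("hardcoded-key-16")) // constructed 16-byte key
	g := NewX931(k, []byte("device-seed-16by"))       // constructed seed, never shown to the observer
	dt1, dt2 := []byte("2017-10-26 00:00"), []byte("2017-10-26 00:01")
	r1, r2 := g.Next(dt1), g.Next(dt2)
	pred := RecoverNextOutput(k, r1, dt1, dt2)
	fmt.Println("next R predicted from K and one observed R:", bytes.Equal(pred, r2))
}
```

The mitigation the construction itself implies is that K must be generated per device and kept as secret as the key material derived from the RNG.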
Canada’s Communications Security Establishment Releases “Assemblyline”, a malware detection and analysis tool
https://www.cse-cst.gc.ca/en/assemblyline
Let’s Enhance! How we found @rogerkver’s $1,000 wallet obfuscated private key
https://medium.freecodecamp.org/lets-enhance-how-we-found-rogerkver-s-1000-wallet-obfuscated-private-key-8514e74a5433
“Cyber Conflict” Decoy Document Used In Real Cyber Conflict
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html?f_l=s
Dell Lost Control of Key Customer Support Domain for a Month in 2017
https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/
Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
- Typical Filename: Tempmf582901854.exe
- Claimed Product: (none)
- Detection Name: W32.C3E530CC00-95.SBX.TG
- SHA 256: 87afd627b678da78d879dfe11c147b10f5db6e07cd16e5728ca33579e73bf89f
- MD5: 515ea84f7ca8f59f7bb4fb5714913a72
- VirusTotal: https://www.virustotal.com/file/87afd627b678da78d879dfe11c147b10f5db6e07cd16e5728ca33579e73bf89f/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.87AFD627B6-95.SBX.TG
- SHA 256: f8ba36c6114b3a5f4a00187cdd61fe909d3f53c949a3630251c3fcc30e679b04
- MD5: d3d68cd930e18e99b63296922eacd912
- VirusTotal: https://www.virustotal.com/file/f8ba36c6114b3a5f4a00187cdd61fe909d3f53c949a3630251c3fcc30e679b04/analysis/#additional-info
- Typical Filename: Payment Details - 1260CFF.doc
- Claimed Product: N/A
- Detection Name: W32.F8BA36C611-100.SBX.TG
- SHA 256: cc0ea91c5d6110b440e5823726c63b862ff150b7ee3f5d3492a5d64dc47d2545
- MD5: b819e4d414df495dbccaa4e4e9ed534e
- VirusTotal: https://www.virustotal.com/file/cc0ea91c5d6110b440e5823726c63b862ff150b7ee3f5d3492a5d64dc47d2545/analysis/#additional-info
- Typical Filename: lsmosee.exe
- Claimed Product: (unknown)
- Detection Name: W32.GenericKD:Attribute.20ls.1201
- SHA 256: 68e5cbd64142c91f07fc70af67c654c0061b6407e449cc95e5000165c065550a
- MD5: b524f56538908b1da51c53a5f0d98a77
- VirusTotal: https://www.virustotal.com/file/68e5cbd64142c91f07fc70af67c654c0061b6407e449cc95e5000165c065550a/analysis/#additional-info
- Typical Filename: Request for qoutation.exe
- Claimed Product: (unknown)
- Detection Name: W32.68E5CBD641-95.SBX.TG
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM