November 14, 2017
TOP VULNERABILITY THIS WEEK:
Microsoft Released Security Updates for November 2017
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Malware, Penny Stocks and Pharma Spam – Necurs Delivers @ BotConf 2017 (Montpellier, France)
Date: 2017-12-06
Speaker: Warren Mercer, Technical Leader
Synopsis: Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques have decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. This talk will take a deep dive on the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
Reference: https://www.botconf.eu/2017/malware-penny-stocks-and-pharma-spam-necurs-delivers/
NOTABLE RECENT SECURITY ISSUES
Title: Microsoft Released Security Updates for November 2017
Description: Microsoft has released its monthly set of security updates to address vulnerabilities that have been identified in Windows, Office, and other supported software. This month's release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.
Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Snort SID: 44809-44834, 44838-44839, 44843-44846
Title: Adobe Releases Security Updates for Flash Player, Reader, and more
Description: Adobe has released security updates for Flash Player, Shockwave Player, Acrobat, Reader, Photoshop, and more. This month's Flash Player update address five critical vulnerabilities that could be exploited by an attacker to achieve remote code execution. The Acrobat and Reader security update addressed 62 vulnerabilities with the vast majority of them being critical arbitrary code execution vulnerabilities.
Reference: https://helpx.adobe.com/security.html
Snort SID: 43120-43121; Detection pending for other vulnerabilities
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Guidance on Mitigating Microsoft Office DDE Attacks
https://technet.microsoft.com/en-us/library/security/4053440
A penetration tester’s guide to sub-domain enumeration
https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
2017 ACM Conference on Computer and Communications Security - Accepted Papers
https://acmccs.github.io/papers/
Apple iPhone X Face ID Fooled by a Mask
https://threatpost.com/apple-iphone-x-face-id-fooled-by-a-mask/128865/
AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
MOST PREVALENT MALWARE FILES 2017-11-07 - 2017-11-14:
-
SHA 256: 323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4
-
MD5: bea381c0fbd24f1503018b3b9089e358
-
VirusTotal: https://www.virustotal.com/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/#additional-info
-
Typical Filename: InvoiceED3539939.doc
-
Claimed Product: N/A
-
Detection Name: W32.323CB1D2F3-95.SBX.TG
-
SHA 256: 6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd
-
MD5: 71aad93dfbd1c4b2854a697405675c51
-
VirusTotal: https://www.virustotal.com/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/analysis/#additional-info
-
Typical Filename: InvoiceMP8820239.doc
-
Claimed Product: N/A
-
Detection Name: W32.6B7B11077B-95.SBX.TG
-
SHA 256: 8d9c2dd4e7941453d61b490144ad1875e935b88a00231b885c839c43346aa5ab
-
MD5: 628272a0cc32eb514dc58572d761684a
-
VirusTotal: https://www.virustotal.com/file/8d9c2dd4e7941453d61b490144ad1875e935b88a00231b885c839c43346aa5ab/analysis/#additional-info
-
Typical Filename: InvoiceMC4260854.doc
-
Claimed Product: N/A
-
Detection Name: W32.8D9C2DD4E7-95.SBX.TG
-
SHA 256: 131d8ad5cbddb8edd6800788d138eda1ace570c1a0c97afd71cc7f03c1bb2d07
-
MD5: 9c7fc4c27fd3eb3dfe96db99bcabb00f
-
VirusTotal: https://www.virustotal.com/file/131d8ad5cbddb8edd6800788d138eda1ace570c1a0c97afd71cc7f03c1bb2d07/analysis/#additional-info
-
Typical Filename: InvoiceYS6763243.doc
-
Claimed Product: N/A
-
Detection Name: W32.131D8AD5CB-95.SBX.TG
-
SHA 256: 23d5dbfaaf5258aaac2ccc4159027885cf6f48b692d0b3617610858c21cc7f58
-
MD5: c2e98913d325dbd42dc56c5bef0601e0
-
VirusTotal: https://www.virustotal.com/file/23d5dbfaaf5258aaac2ccc4159027885cf6f48b692d0b3617610858c21cc7f58/analysis/#additional-info
-
Typical Filename: c2e98913d325dbd42dc56c5bef0601e0.doc
-
Claimed Product: N/A
-
Detection Name: W32.23D5DBFAAF-95.SBX.TG
SPAM STATS FOR 2017-11-07 - 2017-11-14
TOP SPAM SUBJECTS OBSERVED
- "Part-time job offer"
- "RE: De-activation"
- "Email/Mailbox Deactivation"
- "Arapahoe Community College"
- "Emergency Notification System - TEST"
MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 12334 R Cable y Telecomunicaciones Galicia, S.A.
- 61023 Worldcall SPRL
- 4760 PCCW Limited
- 15169 Google Inc.