Skip to main content

J2 CSC May 19th Weekly Briefing

This week @J2CS:

Cybersecurity cannot exist in a Vacuum as we are Rocked by WanaCrypt0r and some just WannaCry - Be Vigilant -Keep Safe!

Will Astrum Fill the Vacuum in the Exploit Kit Landscape?

Last Updated: 2017-05-19 01:42:32
Created: 2017-05-19 01:40:35

Astrum was known to have been exclusively used by the AdGholas malvertising campaign that delivered a plethora of threats including banking Trojans Dreambot/Gozi (also known as Ursnif, and detected by Trend Micro as BKDR_URSNIF) and RAMNIT (TROJ_RAMNIT, PE_RAMNIT). We’re also seeing Astrum redirected by the Seamless malvertising campaign, which is known for using the Rig exploit kit.
#ASTRUM #EXPLOIT KIT #ADGHOLAS #DREAMBOT#GOZI 


EternalRocks Malware

Last Updated: 2017-05-18 18:16:05
Created: 2017-05-18 18:16:05

EternalRocks is a network worm (i.e. self-replicating), emerged in first half of May 2017. It spreads through public (The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.
#MALWARE #SMB #ETERNALBLUE #ETERNALCHAMPION #ETERNALROMANCE #ETERNALSYNERGY #DOUBLEPULSAR #ARCHITOUCH #SMBTOUCH


Msposer.C Samples

Last Updated: 2017-05-18 12:56:13
Created: 2017-05-18 12:56:13

This threat belongs to the Trojan:Win32/Msposer family of trojan which pretends to be Microsoft products. This threat can give a malicious hacker unauthorized access and control of your PC.
Threat Indicators:
Email - This email address is being protected from spambots. You need JavaScript enabled to view it.
Hostname - shopping.kddi-cloud.com
IPv4 - 210.244.79.219
#MSPOSER


Trojan.Reblight

Last Updated: 2017-05-18 16:59:49
Created: 2017-05-18 12:47:49

Trojan.Reblight is a Trojan horse that may download potentially malicious files onto the compromised computer. Once executed, teh Trojan creates the following folder: %UserProfile%\[RANDOM CHARACTERS FOLDER NAME].
Threat Indicators:
Hostname - www.bra-inv.com 
Hostname - www.wsusdownloadcdn.com 
URL - http://www.wsusdownloadcdn.com/updates/latest.html 
URL - http://www.bra-inv.com/feeds 
#Trojan.Reblight


New StreamEx Malware Samples

Last Updated: 2017-05-18 12:23:59
Created: 2017-05-18 12:23:59

StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites.
Threat Indicators:
Domain - microsoftterm.com
FileHash-MD5 - a8abf50375c848e0e096e53699be47d9
FileHash-SHA1 - 54190fd783871b651644c72fd07f87ba1f345d23
FileHash-SHA256 - a45e614c0d60e2643a61c6a8648feff433cf6c06553a75bb52303c60a880272f
#Deep Panda


After WannaCry, UIWIX Ransomware and Monero-Mining Malware Follow Suit

Last Updated: 2017-05-17 16:33:21
Created: 2017-05-17 16:33:21

WannaCry ransomware’s outbreak during the weekend was mitigated by having its kill switch domain registered. It was only a matter of time, however, for other cybercriminals to follow suit. Case in point: the emergence of UIWIX ransomware (detected as RANSOM_UIWIX.A) and one notable Trojan our sensors detected.
Threat Indicators:
FileHash-SHA256 - 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc
FileHash-SHA256 - c72ba80934dc955fa3e4b0894a5330714dd72c2cd4f7ff6988560fc04d2e6494
Hostname - aa1.super5566.com
Hostname - 07.super5566.com
#UIWIX #WANNACRY #MONERO


WanaCrypt0r Ransomworm

Last Updated: 2017-05-17 15:18:32
Created: 2017-05-17 15:04:07

Since the release of the ETERNALBLUE exploit by ‘The Shadow Brokers’ last we’ve have been watching for a mass attack on global networks. This came on Friday 12th May when it was bundled with ransomware called WanaCrypt0r and let loose. Initial reports of attacks were highlighted by Telefonica in Spain but the malware quickly spread to networks in the UK where the National Health Service (NHS) was impacted, followed by many other networks across the world.
#DOUBLEPULSAR #ETERNAL BLUE #NORTH KOREA #WANNACRY


Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar

Last Updated: 2017-05-16 18:04:48
Created: 2017-05-16 18:04:48

On Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlue exploit to rapidly propagate the malware over corporate LANs and wireless networks. EternalBlue, originally exposed on April 14 as part of the Shadow Brokers dump of NSA hacking tools, leverages a vulnerability (MS17-010) in Microsoft Server Message Block (SMB) on TCP port 445 to discover vulnerable computers on a network and laterally spread malicious payloads of the attacker’s choice. This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install the ransomware known as WannaCry.
#ADYLKUZZ #CRYPTOCURRENCY #DOUBLEPULSAR #ETERNALBLUE #PROOFPOINT


The Blockbuster Sequel

Last Updated: 2017-05-16 16:02:35
Created: 2017-05-16 16:02:35

Recent identified malware with compilation and distribution timestamps that has code, infrastructure, and themes overlapping with threats described previously in the Operation Blockbuster report, written by researchers at Novetta. This report details the activities from a group they named Lazarus, their tools, and the techniques they use to infiltrate computer networks. The Lazarus group is tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks.
Threat Indicators:
Domain - kcnp.or.kr
Domain - xkclub.hk
Domain - wstore.lt
Domain - kosic.or.kr
Domain - daedong.or.kr
FileHash-SHA256 - dcea917093643bc536191ff70013cb27a0519c07952fbf626b4cc5f3feee2212
FileHash-SHA256 - 1322b5642e19586383e663613188b0cead91f30a0ab1004bf06f10d8b15daf65
FileHash-SHA256 - 31e8a920822ee2a273eb91ec59f5e93ac024d3d7ee794fa6e0e68137734e0443
FileHash-SHA256 - 8b21e36aa81ace60c797ac8299c8a80f366cb0f3c703465a2b9a6dbf3e65861e
FileHash-SHA256 - 79fe6576d0a26bd41f1f3a3a7bfeff6b5b7c867d624b004b21fadfdd49e6cb18
#UPX #BLOCKBUSTER #KOREA #OFFICE #LAZARUS #UNIT42


APT32 and the Threat to Global Corporations

Last Updated: 2017-05-15 00:40:47
Created: 2017-05-15 00:32:10

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.
Threat Indicators:
CVE - CVE-2016-7255
Domain - facebook-cdn.net 
Domain - gap-facebook.com 
Domain - gl-appspot.org
Domain - tulationeva.com
Domain - nsquery.net
Domain - notificeva.com
Domain - teriava.com
Domain - update-flashs.com
Domain - tonholding.com
#OCEANLOTUS #APT32 #VIETNAM #WINDSHIELD #KOMPROGO #SOUNDBITE #PHOREAL #FIREEYE


WannaCry Indicators

Last Updated: 2017-05-17 19:07:17
Created: 2017-05-12 17:56:40

Initial indicators of compromise from today’s WannaCry ransomware outbreak.
Threat Indicators:
CVE - CVE-2017-0144
CVE - CVE-2017-0147
Domain - gx7ekbenv2riucmf.onion
Domain - 76jdd2ir2embyv47.onion
Domain - xxlvbrloxvriy2c5.onion
Domain - ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Domain - sqjolphimrr7jqw6.onion
Domain - 57g7spgrzlojinas.onion
Domain - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Domain - iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com
#RANSOMWARE

  • Hits: 1500