Threat Round-up for Mar 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

Js.Downloader.Nemucod-6198135-0
Script-based malware downloader
Nemucod is a popular script-based downloader, often resulting in drops for Locky & Cerber. This latest variant consists of ~30-50 lines of minimized scripting code, relying on obfuscation & requests to several domains (most of which are in plaintext).
Doc.Trojan.CommentObfuscation
Macro Obfuscation Technique - Heuristic chaff
This obfuscation technique utilizes macro comments to inject data, characters, words, etc. into malicious office documents for the purposes of obscuring heuristic, static scanning. As an obfuscation technique, these droppers are being discovered delivering payloads of all sorts and sizes.
Win.Adware.Gator
Adware
Gator is common adware that is frequently bundled with ad-supported software. Gator can add toolbars to browsers, add links to the user's folders, and create popup advertisements.
Win.Worm.Allaple-6171102-0
Worm
The worm scans network subnets for connected machines. It will try to log on to machines with frequently-used credentials and copy itself to the C$ network share. The worm is polymorphic and changes its code when copying itself.
Win.Worm.Mamianune-6230992
Worm
Mamianune is an email spreading worm and file infector. It copies itself to the infected system at the %system% directory, and changes the registry to ensure persistence. It will try to spread itself through email to addresses found in files present in the system. It may also create files in the system with .htm extension.
Win.Trojan.VBEmailGen
Generic Trojan/Information stealer
This generic trojan is heavily polymorphic and it is written in Visual Basic. The main goal of this malware is to steal credentials. These credentials range from FTP logins to passwords stored in the browser. These samples perform injection and try to complicate the analysis with anti-vm and anti-debug tricks.
Doc.Dropper.Agent-6206825-0
Office VBA/PowerShell downloader/dropper
This sample is a Microsoft Word document that uses a macro to launch a PowerShell script to download and execute a secondary payload.
Doc.Macro.AliasFunc-6203108-0
Office Macro Obfuscation Heuristic
Office macro code is used to further compromise a target system. Macros can leverage external Win32 APIs to download files, write or modify files, connect to servers, etc. This signature looks for imported function that are aliased for malicious intents.
Doc.Macro.wScriptObfuscated-6203135-0
Office Macro
Office macros can provide functionality to download files, however, to accomplish this certain functionality it used. To prevent basic detection techniques macro developers obfuscate the way they create and access API required to perform certain actions.
Doc.Dropper.Agent-5932811-0
Marco
This sample is a Microsoft Word document that uses a macro to launch a PowerShell script to download and execute another executable payload. Unfortunately, this secondary payload was unavailable at the time of this execution report.

Js.Downloader.Nemucod-6198135-0

Indicators of Compromise

Registry Keys

HKEY_USERS\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
HKEY_USERS\<USER>\shell\open\command
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade

Mutexes

\BaseNamedObjects\Global\C278B16ED3FB49FB
\BaseNamedObjects\FDDC561D84D621F8
\BaseNamedObjects\shell.{18D0266F-2D74-3F5C-79BE-40E45584D13C}
\BaseNamedObjects\18469BB796AF13B3

IP Addresses

62.113.208.114
37.140.192.161
195.29.89.23
195.141.45.95
86.109.170.121
78.40.108.228
109.234.161.38

Domain Names

vip-charter[.]eu
gipnart[.]ru
zivogosce[.]com
evro[.]ch
fp[.]amusal[.]es
applecitycareer[.]com
horizons-meylan[.]com

Files and or directories created

%APPDATA%\d2f225f\045b126.356b036e
%APPDATA%\d2f225f\8dcb019.bat
%TEMP%\exe1.exe
%SystemRoot%\system32\config\WindowsPowerShell.evt

File Hashes

a7d5a8786bef4bcdd5786e347277f84ff8c1da90ddea0a3c85ccb367aa22b630
59ffaa34c8445555a2b65e67f991870a04f17524e3023ceec338dcda7f33c99c
5ca09f901b1a0996e0aa8d027928503eb8ef107ae69eb7771b466706f7f3a27d
c6a97bc59e99bd19ce5134df7469b770ca734a39e6e83ddfe8282be33928aeac
dae57172401bb726a28c4317cefc475ebf662c62a04e60bb6da462a31f921fb7

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Trojan.CommentObfuscation

Indicators of Compromise

File Hashes

14f79bd9dd171ebe7ad96d0fb799bf7afd492a51f32a2bcb5594a84b2beb7ddf
3d14e2ae06a16db70e9d7d7495be830703d8f3da1aeebfadf2831782b479e726
5fd368dac325e282cc8fb2f70f0f003425881bc9615adc7ae23420996dbd4ece
94d92f9a7a0de39363089d243ac6249d66a8a803532821d8d260ccd9c86a2017
9a4957219e6f48262e54bc660c37d40d79ef98abfae95f8942e734fdb92ce6f9
ae892ee8cfc3685d78182dfd6b31a6f7691e9892c727bf2016e4764f6ec3eb84
cbf86eef9d0b22d28a46ba309172dca58f7c0d98986cba1ebd3fa47e4aaa0783
Cf17ab33a117d24bf64a83f7604ed6e125e3a3c7c9e4a6af274058ee4d2bada3

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Adware.Gator

Indicators of Compromise

Registry Keys

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Trickler
HKLM\SOFTWARE\QWERTYUIO\TRICKLER\AppPath
HKLM\SOFTWARE\QWERTYUIO\TRICKLER\OldTrickler
HKLM\SOFTWARE\CLASSES\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}

Mutexes

IP Addresses

Domain Names

Files and or directories created

C:\TEMP\<original_filename>.exe
C:\TEMP\<original_filename>_3202[a-z].exe

File Hashes

611497aab19c41edd874cc8a2749343ab266ca11c498cb2d149101f7ae4efa4c
52cd00a58dde64c67971d7c88fdb486a6bdfdecd158d3be3aac0cd7fe26a75be
531ad4d1eedb21e43a97223475d84e161e635ead793c67ec649d6b848699bd54
f4785012bea82b1c843383f2a579644cbb2dd2929740f3f3e31890a016db4e07
6453bd44b7d459b9c3920f55f35dfe673d22b337332b8a6c60427c668d635723
34e667fc845cdfed918cf3e04a998ec4453a1162931e341a83a0fcb3cbb26cfe
b672f6b44cd0a1482d63c20f5d1ed2bbbdb0764b5cfaff2526e062be4868973c
b0667ceb4931e8174b08b01005082f725eae6853041b80d4dc4bb30f64200fc3
4b44d48de8f6f53a7a49fc83e210cdb82a6f2f6112c557e114eda00876e56198
35cf22dcf978e5e712962680153b6f6e824ee15de845f1e94abd2cc9ef9575d4

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Worm.Allaple-6171102-0

Indicators of Compromise

Registry Keys

Creates class IDs which point to the malware binary. The CLSID varies, and points to the dropped worm binary

HKLM\Software\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}
HKLM\Software\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}\LocalServer32

Mutexes

\BaseNamedObjects\jhdheruhfrthkgjhtjkghjk5trh
\BaseNamedObjects\jhdheddfffffhjk5trh

IP Addresses

Domain Names

Files and or directories created

C:\I386\COMPDATA\[a-z]{8}.exe
C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\[a-z]{8}.exe
C:\Program Files\Adobe\Reader 8.0\Reader\adobe_epic\eula\en_US\install.html
C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS[0-9A-F]{8}-[0-9A-F]{4}-[0-9a-f]{4}-[0-9A-F]{4}-[0-9A-F]{12}.html

File Hashes

The worm is polymorphic and creates a new binary each time it copies itself to a new machine. The given hashes are just examples of worm binaries.