
Malicious Content Identified and Inserted:

  • IPs – 1515
  • Domains – 865

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking
  • TSInbound

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • POWHOV is a Trojan downloader that is activated by merely hovering the mouse pointer over a hyperlinked picture or text in a PowerPoint slideshow. It was discovered by Trend Micro and delivered the banking Trojan Gootkit. This campaign targeted industries including manufacturing, device fabrication, education, logistics and pyrotechnics in Europe, the Middle East and Africa.
  • GootKit is a banking Trojan used primarily to target European bank accounts. It captures video on infected machines and exfiltrates it to a command and control server.
  • Mirai, Linux malware targeting IoT systems, is mainly used for DDoS attacks. This malware spreads by identifying vulnerable devices using a table of common factory default usernames and passwords, then logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' website, as well as in the October 2016 Dyn cyber-attack. You can read more on our blog, here.
  • Cobalt Kitty, defined as an APT (by Cybereason) targeting a global corporation based in Asia, aims to steal proprietary business information. The initial step of this campaign consisted of spear-phishing attacks against the corporation's management. The attackers compromised more than 40 PCs and servers, including the domain controller, file servers, web application server and database server. This campaign was not conclusively attributed, but showed signs linking the actor to OceanLotus (also known as APT-C-00, SeaLotus and APT32).
  • HIDDEN COBRA are cyber actors attributed to the North Korean government. The malware variant (DeltaCharlie) used to manage their distributed denial-of-service (DDoS) botnet infrastructure is likely also used for network exploitation.
  • TrickBot is the successor of This malware is distributed through spam emails and the threat loader 'TrickLoader.' TrickLoader is associated with several other threats, including Pushdo, Cutwail and Vawtrak. The primary target of this malware is credential theft.
  • Win32/Industroyer is malware designed to disrupt the processes of industrial control systems (ICS), specifically those used in electrical substations. This malware is capable of directly controlling switches and circuit breakers.
  • A phishing campaign that uses domains imitating those of both HMRC services in the UK and e-fax services.
  • A HookAds malvertising campaign led to Rig EK and LatentBot. The Rig Exploit Kit, discovered in mid-2014, primarily exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight.
  • The LatentBot malware, discovered by FireEye in 2015, has been active since 2013. This malware was seen targeting financial and insurance companies in different countries. Some of its features include a modular design that allows easy updates on victims' machines, the ability to hide applications in a different desktop, the ability to wipe the MBR, and ransomware-like capabilities (e.g., the ability to lock down the desktop). It can also establish hidden VNC connections and remove decrypted strings from memory after use. It is primarily distributed through emails with malicious attachments.
  • Matrix Banker is banking malware, dubbed RediModiUpd by Proofpoint. It primarily targets financial institutions in Latin America, specifically Mexico and Peru.

Blog Roundup:

New/Updated Targets:

  • We have added over 72 new targets for IP and DNS Firewalls covering various malware families. Information about these new targets is detailed in our blog post here.
  • Multiple compound targets including Botnets, Botnets 2, Ransomware and Banking were updated with data pertaining to the newly added threats above.