Malicious Content Identified and Inserted:

  • IPs – 2684
  • Domains – 405

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking
  • TSInbound
  • VOIP Attacks

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • Emotet is a banking Trojan first seen by Trend Micro in June of 2014. This malware hooks specific routines on a victim's computer to sniff network activity and steal information through a Man-in-the-Browser attack. It intercepts communications between the web browser and the bank's servers to access the victim's bank account.
  • Reported by FireEye and Microsoft, IOCs related to the CVE-2017-0199 vulnerability allows a malicious actor to download and execute a Visual Basic script (with PowerShell commands) when a user opens a Microsoft Office RTF document containing an embedded exploit.
  • Almanah, an old family of Trojans, still continues to spread.
  • HiddenApp is an android malware, also named Spy.377.origin, targeting Iranian users.
  • Phishing emails have been exposed with indicators related to an email targeting users of ZoomInfo, a database marketing company with information on businesses and employees.
  • There have been targeted campaigns on civil entities.
  • Ursnif is a Trojan used to steal account credentials from its victims. It binds to various web browsers on the victim's machine, captures passwords in plain text from websites they visit, then exfiltrates this data to a remote server. Victims are infected with Ursnif by visiting compromised or malicious websites and coming into contact with other malware.
  • Locky encrypts a victim’s data using a strong RSA-2048+AES-128 encryption, then demands 2-4 bitcoins for the decryption of that data. This ransomware debuted in early 2016 and is currently being distributed in numerous ways. This includes spam emails containing Word and Excel documents with malicious macros and JS scripts. Locky is also delivered through popular Exploit Kits. Locky has a widespread reach, having been used to attack victims in over 100 countries. More on our blog, here.
  • Fareit aka Pony is a data stealer Trojan capable of collecting sensitive user information, including usernames and passwords in certain browsers, stored email credentials and bitcoin-related details.
  • SambaCry, also known as EternalRed, is a vulnerability for *nix-based systems that affects all versions of Samba (from 3.5.0 onwards), making systems susceptible to a remote code execution vulnerability. More on our blog, here.


Blog Roundup:

NotPetya Ransomware Attack Hits Europe Moving On To U.S.

DiamondFox Jumps over the Competition

Adylkuzz - Quietly Mining Cryptocurrency

WildFire Locker – Ransomware Disguised as Missed Delivery


 New/Updated Targets:

  • We have added over 72 new targets for IP and DNS Firewalls for various malware families. Information about these new targets are detailed in our blog post here.
  • Multiple compound targets including Botnets, Botnets 2, Ransomware and Banking were updated with data pertaining to the newly added threats listed above.

Don't have ThreatSTOP but want to try it out? Check out our no fuss, quick product demo here