Sec Logo with tm (2).pngMalicious Content Identified and Inserted:

  • IPs – 1337
  • Domains – 1229

Target List Content Updated:

  • TS Originated – Core Threats
  • TS Originated – Ransomware
  • TS Originated – Phishing
  • TS Originated – Inbound attacks
  • TS Originated – Banking Threats

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • Cerber ransomware debuted in late February 2016 and is one of the most prevalent ransomware variants. The ransomware is typically distributed via emails containing macro-enabled Word documents, Windows Script Files or Rich Text Documents. Cerber uses a strong, presently unbreakable encryption, and has a number of features that, when combined, make it unique in today's ransomware landscape. A new development of the ransomware potentially gives it DDOS capabilities. One recent variant of the ransomware has been spotted quietly sending out huge amounts of network traffic from infected machines. Read more in our blog.
  • Ursnif is a Trojan used to steal account credentials from its victims. It binds to various web browsers on the victim's machine, captures passwords in plain text from websites that the victim visits, and then exfiltrates this data to a remote server. Victims can become infected with Ursnif by visiting compromised or malicious websites, as well as through contact with other malware.
  • The Trojan Kovter surfaced in 2014 as a screen locker and scareware sample masquerading as a law enforcement tool. Since then, it has been used in click-fraud and malvertising campaigns, as data-encrypting ransomware, and a malware installation tool.
  • MoleRats, also known as the Gaza Cybergang, are a threat group based in the Middle East. They have a wide variety of targets, including governments, defense contractors, journalists, and software developers. Most of their targets are from the Middle East, but they've also targeted institutions in the United States and several countries in Europe. They usually send executable files disguised as documents containing relevant geopolitical news. To avoid suspicion, a decoy document is dropped after the executable is run.
  • Phishing with the subject, "Scanned image from MX-2600N.”
  • Phishing emails posing as an IT security document from the "National Cyberwatch Center Alliance.”
  • Phishing campaign with this file attached: "email282600scan 000229 invoice.pdf.”
  • Over the last decade, the Infy malware family has been out and about, mostly under the radar. Discovered in 2015 through attacks on an Israeli industrial target and a U.S. government target, these attacks led to the unveiling of a whole malware campaign and infrastructure that includes over 40 variants of malware.
  • The infection vector used by the Infy malware family includes spear-phishing emails with Word or PowerPoint attachments. Inside these legitimate-looking office documents are self-extracting, executable archives. Threat actors use social engineering techniques to lure victims into running the SFX, where a malicious EXE waits to pull a payload DLL. The malware waits until reboot, then checks for antiviruses and connects to its C2 servers. The malware's main functionality is data exfiltration - Collection of environment data, keylogger function, password stealer and cookie collection sent back to the C2 servers. The name "Infy" comes from a pattern that researchers noticed in various strings. Examples include filenames (“infy74f1.exe"), C2 strings (“subject=INFY M 7.8”), and C2 folder names.
  • The CVE-2017-0199 exploit, targeting the Windows Object Linking and Embedding (OLE) interface of Microsoft Office, is used in a pretty novel way. Trend Micro researchers discovered the exploit used within PPSX (Microsoft Open XML PowerPoint Show) files that led to the download of the REMCOS
  • IOCs related to Hancitor (also known as Tordal and Chanitor) and Ruckguv have reappeared in campaigns distributing Pony and Vawtrak.
  • Hancitor, also known as Tordal and Chanitor, is a malware downloader known for spreading the Pony and Vawtrak Trojans, among others. Hancitor has recently re-appeared in malware campaigns after disappearing in 2015.
  • Vawtrak was found In February 2016 when Proofpoint researchers observed threat actors spreading banking Trojans in Japan (and other countries) that didn’t normally experience high volumes of this malware family. These countries had not previously been targeted in the same way as the UK, United States, and others. Instead, it appears that the new campaigns are continuations of the trends initially observed in October 2015. The Vawtrak Trojan is spreading through Angler Exploit
  • Fareit aka Pony is a data stealer Trojan capable of collecting sensitive user information, including usernames and passwords in certain browsers, stored email credentials, bitcoin-related details, and more. More on the blog, here.
  • TrickBot is the successor of Dyre. This malware is distributed through spam emails and threat loader, TrickLoader. TrickLoader is associated with several other threats, including Pushdo, Cutwail, and Vawtrak. The primary target of this malware is credential theft.
  • CopyKitten is an Iranian threat actor. In this specific campaign, the attackers insert a single line of Javascript code into compromised domains of known public and governmental organizations, particularly in Israel.  This malicious download was used in the Browser Exploitation Framework Project penetration testing tool, focusing on targeting web browsers.
  • Serpent is a ransomware primarily targeting Danish speakers. It spreads via emails with a link to a macro-enabled Word document, purporting to be an overdue invoice. After encryption using AES256, the ransomware will ask for 0.75 bitcoins, but bumps up the price to 2.25 bitcoins after a week has passed.
  • The OilRig Campaign, named by Palo Alto Networks for its use of the Persian word "Nafti" (Oily) in malware samples, is a targeted attack against organizations in the Middle East and United States. Thought to be based in Iran, this group recently targeted Israeli organizations in April of 2017, and completed two attack waves against Saudi Arabian organizations in late 2015. Targets for this campaign include financial institutions, governments, technology organizations, and defense industries. The malware used in the OilRig Campaign is the Helminth Backdoor Trojan. Read more on our blog, here.
  • GlobeImposter is a ransomware banking off the fame of the more popular Globe ransomware. It uses AES-256 encryption and appends several different file extensions to the end of encrypted files. It is currently being distributed by the "Blank Slate" malspam campaign. This campaign sends emails with no subject or body text, but includes a zip file containing JavaScript to download the ransomware.
  • Magnitude Exploit Kit is an attack toolkit that infects victims through compromised websites and uses a variety of exploits to download malware on to the computer. The U.S. is the country with the most Magnitude EK victims. More on the blog, here.
  • PadCrypt is a ransomware notable for its support features that victims can use to chat with the ransomware's developers, in real-time. It uses AES-256 to encrypt files, usually distributed through spam emails.
  • Nemucod is a JavaScript downloader Trojan that targets users through malspam campaigns. Nemucod downloads and executes additional malware without the user’s consent. Nemucod usually arrives on an infected machine through malicious spam emails with .zip extensions. Recently, there has been a rise in cases of Nemucod distributing ransomware.
  • SafeFinder/OperatorMac/Mughthesec is an Adware, targetingMacOS, that installs Adobe flash with several PUAs (potential unwanted applications) including Booking, Advanced Mac Cleaner, SafeFinder Safari extension and AdBlock.
  • The Lazarus Group is thought to have ties to the North Korean government and is known for their involvement in the 2014 Sony Pictures hack and Operation DarkSeoul. This group is also suspected of being behind the massive WannaCry outbreak in May 2017.
  • Adwind (also known as AlienSpy, Frutas, jFrutas, Unrecom, Sockrat, JSocket, and jRat) is a relatively new cross-platform RAT (remote access trojan), discovered in late 2015 in a targeted attack on a bank in Singapore. The malware is written solely in JAVA, making it capable of running on Windows, MAC OS and Linux, and it includes capabilities such as remote desktop control, data gathering, data exfiltration and lateral movement. Adwind is available for purchase, and has been used in massive spam campaigns as well as targeted attacks. More on the blog, here.
  • Steam Stealers is the blanket name given to malware specifically targeting users of the popular gaming platform, Steam. This simple malware is usually spread through fake websites that mirror legitimate gaming websites, as well as through links sent through Steam's messaging system. This type of malware usually tries to steal Steam login credentials, but some samples have been seen trying to steal in-game items. More on the blog, here.
  • CryptoPHP is a backdoor that infected webservers using pirated themes and plug-ins as part of their content management systems on platforms like Joomla, WordPress and Drupal. It was used primarily for black hat search engine optimization, which involved keyword injections into compromised sites to increase search engine rankings.
  • Xshell is a remote terminal that researchers recently discovered as backdoored, which could lead to the disclosure of sensitive information.
  • Ponmocup (aka Trojan.Milicenso) is a stealthy botnet that forces infected machines to adware sites, ultimately to participate in click fraud.
  • This update contains IOCs related to an email campaign against Russian-speaking businesses. Emails contain a malicious Word document, which eventually leads to the exploitation of a vulnerability in Microsoft Office, including the abuse of native Windows components to install a backdoor.
  • MoneyTaker, aka Fin7, is a Russian speaking cyber-crime group known to be responsible for conducting targeted attacks on financial institutions across the globe. These threat actors are thought to have close ties to the Carbanak group, who also targets financial institutions. The main objective of this group is to gain access to critical systems like SWIFT payment systems, ATM systems, card processing systems, banking software, POS Software and sensitive documents from the organization to carry out fraud.
  • Rekoobe is a backdoor that targets Linux and Unix platforms. Attackers using the backdoor can execute arbitrary shell commands on infected systems and contact their command and control server to issue commands to download and upload files.
  • Browlock is an old screenlocker that pretends the victim's local enforcement agency is demanding payment for their "illegal" activities.
  • This campaign is targeting companies in the hospitality industry, primarily located in Europe. It was discovered by FireEye and attributed to the Russian cyber group APT 28, also known as Fancy Bear and Sofacy. This campaign uses the vector of a malicious document sent in spear phishing emails. Success results in the installation this group's malware, (Also known by the aliases Sedreco, AZZY, Xagent, ADVSTORESHELL, and NETUI) This malware targets Windows/Linux and Mac OS, both with similar modules, including FileSystem, KeyLogger and RemoteShell.


Blog Roundup:

ZeroT Dropping PlugX RAT: Another Day, Another APT

Remember Emotet Malware? It's Back.

ThreatSTOP Software Update & New Target Names

Hancitor/Chanitor Downloader - You've Got Malspam

Author Releases Private Key Unlocking Petya/GoldenEye Ransomware

Qakbot Is Back & Targeting Banking Credentials

CRBR Encryptor: A Ransomware By Any Other Name Would Encrypt as Well Targets, Blocking Three Additional Ransomwares


 New/Updated Targets:

  • All targets have been renamed, with details on our blog.
  • Three new Ransomware Targets from and updates to the TS Curated Ransomware Targets. More details on the blog.

If you don't have a ThreatSTOP account, Sign up for a free trial.

If you do have a ThreatSTOP account, instructions to add targets to a DNS or IP defense policies are available on the ThreatSTOP Documentation Hub. Or contact our Support team.